[ 
https://issues.apache.org/jira/browse/NETBEANS-4280?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Brad Walker updated NETBEANS-4280:
----------------------------------
    Description: 
There are a few known security breaches in the sample source.

Specifically the following alerts: 

+CVE-2019-5484+
Bower before 1.8.8 has a path traversal vulnerability permitting file write in 
arbitrary locations via the install command, which allows attackers to write 
arbitrary files when a malicious package is extracted.


+CVE-2019-5413+
An attacker can use the format parameter to inject arbitrary commands in the 
npm package morgan < 1.9.1.


+CVE-2017-16137+
The debug module is vulnerable to regular expression denial of service when 
untrusted user input is passed into the o formatter. It takes around 50k 
characters to block for 2 seconds, making this a low-severity issue.

I'm not saying these are critical. But it's better we fix them to prevent any 
possibility of using the NetBeans IDE to allow someone to exploit this, as well as 
to set the proper example.


  was:
There are a few known security breaches in the sample source.

Specifically the following alerts: 

+CVE-2019-5484+
Bower before 1.8.8 has a path traversal vulnerability permitting file write in 
arbitrary locations via the install command, which allows attackers to write 
arbitrary files when a malicious package is extracted.


+CVE-2019-5413+
An attacker can use the format parameter to inject arbitrary commands in the 
npm package morgan < 1.9.1.


+CVE-2017-16137+
The debug module is vulnerable to regular expression denial of service when 
untrusted user input is passed into the o formatter. It takes around 50k 
characters to block for 2 seconds, making this a low-severity issue.

I'm not saying these are critical. But it's better we fix them to prevent any 
possibility of using the NetBeans IDE to allow someone to exploit this.



> cleanup potential security breaches
> -----------------------------------
>
>                 Key: NETBEANS-4280
>                 URL: https://issues.apache.org/jira/browse/NETBEANS-4280
>             Project: NetBeans
>          Issue Type: Bug
>            Reporter: Brad Walker
>            Assignee: Brad Walker
>            Priority: Major
>             Fix For: Next
>
>
> There are a few known security breaches in the sample source.
> Specifically the following alerts: 
> +CVE-2019-5484+
> Bower before 1.8.8 has a path traversal vulnerability permitting file write 
> in arbitrary locations via the install command, which allows attackers to write 
> arbitrary files when a malicious package is extracted.
> +CVE-2019-5413+
> An attacker can use the format parameter to inject arbitrary commands in the 
> npm package morgan < 1.9.1.
> +CVE-2017-16137+
> The debug module is vulnerable to regular expression denial of service when 
> untrusted user input is passed into the o formatter. It takes around 50k 
> characters to block for 2 seconds, making this a low-severity issue.
> I'm not saying these are critical. But it's better we fix them to prevent 
> any possibility of using the NetBeans IDE to allow someone to exploit this, as 
> well as to set the proper example.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
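One check a maintainer would run first against the sample source's manifests, given as an added example that is not part of this issue or of the NetBeans project: it reads a package.json and reports dependencies whose version range can still resolve to a release older than the fix for the three advisories above. The manifest below is constructed, not the sample's real one. The bower and morgan fix versions are those stated in the issue; the debug fix releases (2.6.9 for the 2.x line, 3.1.0 for the 3.x line) are not stated in the issue and are taken from the npm advisory for CVE-2017-16137. The helper names `rangeFloor`, `isBelowFix` and `auditPackage` are chosen here.

```javascript
// Added example (not code from NETBEANS-4280 or the NetBeans sample source):
// flag dependencies in a package.json whose version range can still resolve to
// a release older than the fix for the three advisories named in the issue.

// bower and morgan fix versions come from the issue text; the debug fix
// releases (2.6.9 for 2.x, 3.1.0 for 3.x) are taken from the npm advisory for
// CVE-2017-16137 and are not stated in the issue.
const ADVISORIES = [
  { name: "bower",  cve: "CVE-2019-5484",  fixed: ["1.8.8"] },
  { name: "morgan", cve: "CVE-2019-5413",  fixed: ["1.9.1"] },
  { name: "debug",  cve: "CVE-2017-16137", fixed: ["2.6.9", "3.1.0"] },
];

// "1.9.0", "v2.6.8", "1.9.0-beta" -> [1, 9, 0]; pre-release tags are dropped.
function parseVersion(v) {
  const parts = v.replace(/^v/, "").split(".").map((p) => parseInt(p, 10) || 0);
  while (parts.length < 3) parts.push(0);
  return parts.slice(0, 3);
}

function compare(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

// Lowest version a range can resolve to. The first version number in the spec
// is the floor for exact, ^, ~, >=, x-wildcard, hyphen and "||" ranges that
// start with a version. Specs this helper does not understand (git/URL specs,
// tags, upper-bound-only ranges) yield null so callers report them instead of
// silently treating them as safe.
function rangeFloor(spec) {
  const s = spec.trim();
  if (s === "" || s === "*" || s === "latest") return [0, 0, 0];
  const m = s.match(/^(\^|~|>=|=)?\s*v?(\d+)(?:\.(\d+|x|\*))?(?:\.(\d+|x|\*))?/);
  if (!m) return null;
  const num = (p) => (p === undefined || p === "x" || p === "*") ? 0 : parseInt(p, 10);
  return [num(m[2]), num(m[3]), num(m[4])];
}

// Affected if the floor is older than the fix release of its own major line,
// or belongs to an older major line than any fix release (never patched).
function isBelowFix(floor, fixedList) {
  const fixed = fixedList.map(parseVersion).sort(compare);
  const sameMajor = fixed.find((f) => f[0] === floor[0]);
  if (!sameMajor && floor[0] > fixed[fixed.length - 1][0]) return false; // newer than every fix
  return compare(floor, sameMajor || fixed[0]) < 0;
}

function auditPackage(pkg) {
  const deps = Object.assign({}, pkg.dependencies || {}, pkg.devDependencies || {});
  const findings = [];
  for (const adv of ADVISORIES) {
    if (!(adv.name in deps)) continue;
    const spec = deps[adv.name];
    const floor = rangeFloor(spec);
    if (floor === null) {
      findings.push({ name: adv.name, cve: adv.cve, spec, status: "unparsed range, check the lockfile" });
    } else if (isBelowFix(floor, adv.fixed)) {
      findings.push({ name: adv.name, cve: adv.cve, spec,
        status: "range floor " + floor.join(".") + " is below fix " + adv.fixed.join("/") });
    }
  }
  return findings;
}

// Constructed package.json for illustration, not the NetBeans sample's manifest.
const SAMPLE_PACKAGE_JSON = JSON.stringify({
  name: "sample-app",
  dependencies: { express: "^4.16.0", morgan: "~1.9.0", debug: "^2.6.8" },
  devDependencies: { bower: "^1.8.8" },
});

const sampleFindings = auditPackage(JSON.parse(SAMPLE_PACKAGE_JSON));
for (const f of sampleFindings) console.log(`${f.name} ${f.spec}: ${f.cve} (${f.status})`);
```

A range only gives a floor; the versions actually installed are the ones recorded in package-lock.json, so a clean result here still needs the lockfile checked, and `npm audit` remains the authoritative comparison against the full advisory database.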
