Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[GHSA-cm5g-3pgc-8rg4] A vulnerability has been identified in the Express... #5024

Open
wants to merge 1 commit into
base: axi92/advisory-improvement-5024
Choose a base branch
from
Open

[GHSA-cm5g-3pgc-8rg4] A vulnerability has been identified in the Express... #5024

wants to merge 1 commit into from
+21 −2

Conversation

axi92
Copy link

@axi92 axi92 commented Nov 20, 2024

Updates

  • Affected products
  • Summary

Comments
Add info from herodevs.com about version and package

@github-actions github-actions bot changed the base branch from main to axi92/advisory-improvement-5024 November 20, 2024 14:55
@darakian
Copy link
Contributor

Thanks for the PR @axi92. You don't happen to know if this has been fixed or not do you?

@axi92
Copy link
Author

axi92 commented Nov 21, 2024

I don't know how to validate it myself and there are mixed informations.
I caught it with auditjs that uses the sonatype ossindex.

[21/65] - pkg:npm/[email protected] - 1 vulnerability found!

  Vulnerability Title:  [CVE-2024-10491] CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
  ID:  CVE-2024-10491
  Description:  A vulnerability has been identified in the Express response.links function, allowing for arbitrary resource injection in the Link header when unsanitized data is used.
  
  The issue arises from improper sanitization in `Link` header values, which can allow a combination of characters like `,`, `;`, and `<>` to preload malicious resources.
  
  This vulnerability is especially relevant for dynamic parameters.
  
  Sonatype's research suggests that this CVE's details differ from those defined at NVD. See https://ossindex.sonatype.org/vulnerability/CVE-2024-10491 for details
  CVSS Score:  5.3
  CVSS Vector:  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
  CVE:  CVE-2024-10491
  Reference:  https://ossindex.sonatype.org/vulnerability/CVE-2024-10491?component-type=npm&component-name=express&utm_source=auditjs&utm_medium=integration&utm_content=4.0.46

But according to snyk it should be fixed in 4.x https://security.snyk.io/vuln/SNYK-JS-EXPRESS-8310337

I opened an issue asking in the express repo, they should know for sure.
https://github.com/expressjs/express/issues/6183

@darakian
Copy link
Contributor

I opened an issue asking in the express repo, they should know for sure.
https://github.com/expressjs/express/issues/6183

Hmmmm. That issue seems to have been deleted

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@axi92 @darakian