
Could you help remove the vulnerabilities introduced in azure-storage ?


Hi, @XiaoningLiu @jiacfan,

Issue Description

I noticed that four vulnerabilities are introduced in azure-storage@2.10.4. Four vulnerabilities affect package validator (versions <13.6.0):

  • SNYK-JS-VALIDATOR-1090600
  • SNYK-JS-VALIDATOR-1090599
  • SNYK-JS-VALIDATOR-1090602
  • SNYK-JS-VALIDATOR-1090601

The above vulnerable package is referenced by azure-storage@2.10.4 via: azure-storage@2.10.4 ➔ validator@9.4.1

Since azure-storage@2.10.4 (61,618 downloads per week) is referenced by 1,320 downstream projects (e.g., @microsoft/sp-build-core-tasks 1.12.1 (latest version), @microsoft/sp-build-web 1.12.1 (latest version), @cinerino/domain 10.16.0 (latest version), @microsoft/generator-sharepoint 1.12.1 (latest version)), the vulnerabilities can be propagated into these downstream projects and expose security threats to them via the following package dependency paths:

  (1) @0cfg/rpc-common@0.0.9 ➔ @0cfg/stubs-common@0.0.6 ➔ azure-storage@2.10.4 ➔ validator@9.4.1
  (2) @onboardmobility/whatsapp@6.0.0 ➔ @onboardmobility/azure@6.0.0 ➔ azure-storage@2.10.4 ➔ validator@9.4.1
  (3) @pagopa/io-functions-commons@20.6.6 ➔ azure-storage@2.10.4 ➔ validator@9.4.1

If azure-storage removes the vulnerable package from the above version, then its fixed version can help downstream users decrease their pain.

Given the large number of downstream users, could you help update your package to remove the vulnerability from azure-storage@2.10.* ?

Fixing suggestions

In azure-storage@2.10.5, you can kindly perform the following upgrade: validator ~9.4.1 ➔ ~13.6.0

Note: validator@13.6.0 (>=13.6.0) has fixed the vulnerabilities (SNYK-JS-VALIDATOR-1090600, SNYK-JS-VALIDATOR-1090599, SNYK-JS-VALIDATOR-1090602 and SNYK-JS-VALIDATOR-1090601). Of course, you are welcome to share other ways to deal with the issue.

Thank you for your attention to this issue.^_^

Issue Analytics

  • State:closed
  • Created 2 years ago
  • Reactions:1
  • Comments:9 (1 by maintainers)

Top GitHub Comments

2 reactions
EmmaZhu commented, Dec 21, 2021

We have released a new version 2.10.6 to upgrade validator to 13.7.0 to address this issue.

Thanks Emma

1 reaction
EmmaZhu commented, Aug 13, 2021

Hi @vincentsum777 ,

Thanks for reminding us about the issue.

We’ll look into it and make a plan for the fix.

Thanks Emma
