Security vulnerability [moderate] in `hosted-git-info`
Expected Behaviour
No security vulnerability related to Elastic APM.
Current Behaviour
I’m seeing a moderate security vulnerability being flagged from hosted-git-info, which is a dependency of read-pkg-up.
Additional info:
moderate   │ Regular Expression Denial of Service
Package    │ hosted-git-info
Patched in │ >=2.8.9 <3.0.0 || >=3.0.8
Path       │ elastic-apm-node > read-pkg-up > read-pkg > normalize-package-data > hosted-git-info
Possible Solution
Patch the hosted-git-info dependency or a dependency further upstream.
Steps to Reproduce
npm audit or yarn audit.
Context
Your Environment
| Executable | Version |
|---|---|
| elastic-apm-node --version | 3.12.1 |
| npm --version | 6.14.11 |
| yarn --version | 1.22.10 |
| node --version | 12.x |

| OS | Version |
|---|---|
| MacOS | Catalina |
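The audit output above names the dependency path and the patched range, but the closing comment shows the real question is what the lock file actually resolves, since several copies of the same package can coexist in a tree. The script below is an added example, not code from the issue or from the elastic-apm-node project: it walks a `package-lock.json` in the lockfileVersion 1 layout that npm 6 writes, finds every resolved copy of `hosted-git-info`, and checks each version against the `>=2.8.9 <3.0.0 || >=3.0.8` range quoted by `npm audit`. The embedded lock data is constructed sample input that mirrors the reported path; its pinned versions (2.8.8 nested, 3.0.8 at top level) are assumptions chosen to show one vulnerable and one patched copy, not what any real release pinned. The range evaluator is deliberately minimal and handles only the comparator forms `npm audit` prints; in a real project you would use the `semver` package instead.

```javascript
// Added example (not from the issue or the elastic-apm-node project): scan a
// lockfileVersion 1 package-lock.json for every resolved copy of a package and
// report whether each version falls inside the patched range from npm audit.
// SAMPLE_LOCK is constructed data; the versions in it are assumptions.

const PACKAGE = 'hosted-git-info';
// Patched range exactly as npm audit printed it in the issue.
const PATCHED_RANGE = '>=2.8.9 <3.0.0 || >=3.0.8';

// Constructed sample lock: one nested (vulnerable) copy reached through the
// path reported by npm audit, and one deduplicated (patched) copy at top level.
const SAMPLE_LOCK = {
  lockfileVersion: 1,
  dependencies: {
    'elastic-apm-node': {
      version: '3.12.1',
      requires: { 'read-pkg-up': '^7.0.1' },
      dependencies: {
        'read-pkg-up': {
          version: '7.0.1',
          requires: { 'read-pkg': '^5.2.0' },
          dependencies: {
            'read-pkg': {
              version: '5.2.0',
              requires: { 'normalize-package-data': '^2.5.0' },
              dependencies: {
                'normalize-package-data': {
                  version: '2.5.0',
                  requires: { 'hosted-git-info': '^2.1.4' },
                  dependencies: {
                    'hosted-git-info': { version: '2.8.8' }, // assumed vulnerable pin
                  },
                },
              },
            },
          },
        },
      },
    },
    'hosted-git-info': { version: '3.0.8' }, // assumed patched pin
  },
};

// Parse "MAJOR.MINOR.PATCH" into numbers. Prerelease/build suffixes are dropped,
// which is adequate here because lockfile-resolved versions are exact.
function parseVersion(v) {
  return v.split(/[-+]/)[0].split('.').map((n) => parseInt(n, 10));
}

// Three-way compare: -1 if a < b, 0 if equal, 1 if a > b.
function compareVersions(a, b) {
  const [pa, pb] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Minimal range evaluator for the shape npm audit prints: "||"-separated
// alternatives, each a whitespace-separated conjunction of simple comparators.
function satisfies(version, range) {
  const ops = {
    '>=': (c) => c >= 0,
    '<=': (c) => c <= 0,
    '>': (c) => c > 0,
    '<': (c) => c < 0,
    '=': (c) => c === 0,
  };
  return range.split('||').some((alt) =>
    alt.trim().split(/\s+/).every((cmp) => {
      const m = /^(>=|<=|>|<|=?)(\d+\.\d+\.\d+)$/.exec(cmp);
      if (!m) throw new Error(`unsupported comparator: ${cmp}`);
      const op = m[1] === '' ? '=' : m[1];
      return ops[op](compareVersions(version, m[2]));
    })
  );
}

// Walk the nested "dependencies" tree and collect every resolved copy of
// `name`, recording the chain of packages that leads to it.
function findResolved(lock, name) {
  const hits = [];
  const walk = (deps, trail) => {
    for (const [dep, info] of Object.entries(deps || {})) {
      const path = [...trail, dep];
      if (dep === name) {
        hits.push({
          path: path.join(' > '),
          version: info.version,
          patched: satisfies(info.version, PATCHED_RANGE),
        });
      }
      walk(info.dependencies, path);
    }
  };
  walk(lock.dependencies, []);
  return hits;
}

// Return only the copies that still fall outside the patched range.
function audit(lock) {
  return findResolved(lock, PACKAGE).filter((h) => !h.patched);
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const hit of findResolved(SAMPLE_LOCK, PACKAGE)) {
    console.log(`${hit.patched ? 'ok  ' : 'VULN'} ${hit.version.padEnd(7)} ${hit.path}`);
  }
}
```

To run this against a real tree, replace `SAMPLE_LOCK` with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))`; a non-empty result from `audit()` tells you which nested copy the lock file still pins, which is the information needed to decide between regenerating the lock file and bumping the upstream dependency that requires the old range.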
Issue Analytics
- Created 2 years ago
- Comments: 9 (4 by maintainers)
Top Results From Across the Web
CVE-2021-23362 Detail - NVD: The package hosted-git-info before 3.0.8 are vulnerable to Regular Expression Denial of Service (ReDoS) via regular expression shortcutMatch ...
CVE-2021-23362 nodejs-hosted-git-info - Red Hat Bugzilla: A regular expression denial of service vulnerability was found in hosted-git-info. If an application allows user input into the affected regular expression ...
Top GitHub Comments
All good, this is definitely coming from an earlier version in our lock file. Closing this, cheers!
(Note this is the same as https://github.com/elastic/apm-agent-nodejs/pull/2098 that was recently opened – and closed by me.)