Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

CVE-2022-37599 (High) detected in loader-utils-2.0.2.tgz #2560

Closed
mend-for-github-com bot opened this issue Oct 12, 2022 · 3 comments · Fixed by #3031
Closed

CVE-2022-37599 (High) detected in loader-utils-2.0.2.tgz #2560

mend-for-github-com bot opened this issue Oct 12, 2022 · 3 comments · Fixed by #3031
Assignees
@ananzh @ZilongX
Labels
cve Security vulnerabilities detected by Dependabot or Mend Mend: dependency security vulnerability Security vulnerability detected by Mend

Comments

@mend-for-github-com
Copy link

mend-for-github-com bot commented Oct 12, 2022
edited

CVE-2022-37599 - High Severity Vulnerability

Vulnerable Library - loader-utils-2.0.2.tgz

utils for webpack loaders

Library home page: https://registry.npmjs.org/loader-utils/-/loader-utils-2.0.2.tgz

Dependency Hierarchy:

  • @osd/pm-1.0.0.tgz (Root Library)
    • babel-loader-8.2.4.tgz
      • loader-utils-2.0.2.tgz (Vulnerable Library)

Found in HEAD commit: cba076465f44b6a819e3cff7986ff4cd21a66371

Found in base branch: main

Vulnerability Details

A Regular expression denial of service (ReDoS) flaw was found in Function interpolateName in interpolateName.js in webpack loader-utils 2.0.0 via the resourcePath variable in interpolateName.js.

Publish Date: 2022-10-11

URL: CVE-2022-37599

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

@mend-for-github-com mend-for-github-com bot added the Mend: dependency security vulnerability Security vulnerability detected by Mend label Oct 12, 2022
@ananzh ananzh self-assigned this Oct 18, 2022
@ananzh ananzh added the cve Security vulnerabilities detected by Dependabot or Mend label Oct 18, 2022
@mend-for-github-com mend-for-github-com bot changed the title CVE-2022-37599 (Medium) detected in loader-utils-1.4.0.tgz, loader-utils-2.0.2.tgz CVE-2022-37599 (High) detected in loader-utils-2.0.2.tgz Oct 19, 2022
@ananzh
Copy link
Member

ananzh commented Oct 24, 2022 

yarn why v1.22.19
[1/4] Why do we have the module "loader-utils"...?
[2/4] Initialising dependency graph...
warning @osd/ui-framework > node-sass > request@2.88.2: request has been deprecated, see https://github.com/request/request/issues/3142
warning Resolution field "typescript@4.0.2" is incompatible with requested version "typescript@~4.5.2"
[3/4] Finding dependency...
[4/4] Calculating file sizes...
=> Found "loader-utils@2.0.2"
info Has been hoisted to "loader-utils"
info Reasons this module exists
   - "workspace-aggregator-d947fd37-8c47-409d-924d-a97ac8a92719" depends on it
   - Hoisted from "_project_#@osd#interpreter#babel-loader#loader-utils"
   - Hoisted from "_project_#@osd#interpreter#copy-webpack-plugin#loader-utils"
   - Hoisted from "_project_#@osd#interpreter#css-loader#loader-utils"
   - Hoisted from "_project_#@osd#ui-shared-deps#mini-css-extract-plugin#loader-utils"
   - Hoisted from "_project_#@osd#optimizer#postcss-loader#loader-utils"
   - Hoisted from "_project_#@osd#ace#raw-loader#loader-utils"
   - Hoisted from "_project_#@osd#interpreter#sass-loader#loader-utils"
   - Hoisted from "_project_#@osd#interpreter#style-loader#loader-utils"
info Disk size without dependencies: "392KB"
info Disk size with unique dependencies: "656KB"
info Disk size with transitive dependencies: "760KB"
info Number of shared dependencies: 4
=> Found "@osd/ui-shared-deps#loader-utils@1.4.0"
info This module exists because "_project_#@osd#ui-shared-deps" depends on it.
info Disk size without dependencies: "84KB"
info Disk size with unique dependencies: "348KB"
info Disk size with transitive dependencies: "452KB"
info Number of shared dependencies: 4
=> Found "@osd/optimizer#loader-utils@1.4.0"
info This module exists because "_project_#@osd#optimizer" depends on it.
info Disk size without dependencies: "84KB"
info Disk size with unique dependencies: "348KB"
info Disk size with transitive dependencies: "452KB"
info Number of shared dependencies: 4
=> Found "val-loader#loader-utils@1.4.0"
info This module exists because "_project_#@osd#ui-shared-deps#val-loader" depends on it.
info Disk size without dependencies: "84KB"
info Disk size with unique dependencies: "348KB"
info Disk size with transitive dependencies: "452KB"
info Number of shared dependencies: 4
=> Found "file-loader#loader-utils@1.4.0"
info This module exists because "_project_#@osd#optimizer#file-loader" depends on it.
info Disk size without dependencies: "84KB"
info Disk size with unique dependencies: "348KB"
info Disk size with transitive dependencies: "452KB"
info Number of shared dependencies: 4
=> Found "string-replace-loader#loader-utils@1.4.0"
info This module exists because "_project_#@osd#pm#string-replace-loader" depends on it.
info Disk size without dependencies: "84KB"
info Disk size with unique dependencies: "348KB"
info Disk size with transitive dependencies: "452KB"
info Number of shared dependencies: 4
=> Found "url-loader#loader-utils@1.4.0"
info This module exists because "_project_#@osd#interpreter#url-loader" depends on it.
info Disk size without dependencies: "84KB"
info Disk size with unique dependencies: "348KB"
info Disk size with transitive dependencies: "452KB"
info Number of shared dependencies: 4
=> Found "webpack#loader-utils@1.4.0"
info This module exists because "_project_#@osd#ace#webpack" depends on it.
info Disk size without dependencies: "84KB"
info Disk size with unique dependencies: "348KB"
info Disk size with transitive dependencies: "452KB"
info Number of shared dependencies: 4

opensearch-dashboards@2.4.0 /home/ubuntu/work/OpenSearch-Dashboards
├─┬ @osd/eslint-import-resolver-opensearch-dashboards@2.0.0 -> /home/ubuntu/work/OpenSearch-Dashboards/packages/osd-eslint-import-resolver-opensearch-dashboards
│ └─┬ webpack@4.46.0
│   └── loader-utils@1.4.0 
├─┬ @osd/optimizer@1.0.0 -> /home/ubuntu/work/OpenSearch-Dashboards/packages/osd-optimizer
│ ├─┬ babel-loader@8.2.4
│ │ └── loader-utils@2.0.2 
│ ├─┬ css-loader@5.2.7
│ │ └── loader-utils@2.0.2  deduped
│ ├─┬ file-loader@4.3.0
│ │ └── loader-utils@1.4.0 
│ ├── loader-utils@1.4.0 
│ ├─┬ postcss-loader@4.3.0
│ │ └── loader-utils@2.0.2  deduped
│ ├─┬ raw-loader@4.0.2
│ │ └── loader-utils@2.0.2  deduped
│ ├─┬ sass-loader@10.2.1
│ │ └── loader-utils@2.0.2  deduped
│ ├─┬ style-loader@1.3.0
│ │ └── loader-utils@2.0.2  deduped
│ ├─┬ url-loader@2.3.0
│ │ └── loader-utils@1.4.0 
│ └─┬ val-loader@1.1.1
│   └── loader-utils@1.4.0 
└─┬ @osd/ui-shared-deps@1.0.0 -> /home/ubuntu/work/OpenSearch-Dashboards/packages/osd-ui-shared-deps
  ├── loader-utils@1.4.0  extraneous
  └─┬ mini-css-extract-plugin@1.6.2
    └── loader-utils@2.0.2  deduped

@ananzh
Copy link
Member

ananzh commented Oct 24, 2022
edited

There are a lot of packages using loader-utils. I will update a summary here later

@ananzh
Copy link
Member

ananzh commented Oct 24, 2022
edited

  • This cve is about a Regular expression denial of service (ReDoS) flaw was found in Function interpolateName (code). I checked our repo, I don’t see any interpolateName func used in our code. Meanwhile, according to the usage and also search in loader-utils repo, I don’t see any indirect calling on this method.
  • loader-utils v2 are not deprecated. upgrade it to v3 requires webpack been bumped to v5 (reference). This is a breaking change.
  • Since we don’t use interpolateName directly or indirectly, I think we are not impacted. Need to double check and a bit more research.

@ZilongX ZilongX assigned ZilongX and unassigned ananzh Nov 1, 2022
This was referenced Nov 1, 2022
Merged
Merged
@ananzh ananzh assigned ananzh and ZilongX and unassigned ZilongX Nov 1, 2022
@ananzh ananzh closed this as completed Nov 1, 2022
This was referenced Dec 1, 2022
Merged
Merged
@ananzh ananzh mentioned this issue Jan 24, 2023
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@ananzh ananzh

@ZilongX ZilongX

Labels
cve Security vulnerabilities detected by Dependabot or Mend Mend: dependency security vulnerability Security vulnerability detected by Mend
Projects
None yet
Milestone
No milestone
2 participants
@ananzh @ZilongX