
fix: upgrade kratos typescript client to axios v1.x [security] #303

Closed
wants to merge 1 commit into from

Conversation

LucianBuzzo

This fixes https://nvd.nist.gov/vuln/detail/CVE-2023-45857 which is an issue discovered in Axios 0.8.1 through 1.5.1 that inadvertently reveals the confidential XSRF-TOKEN stored in cookies by including it in the HTTP header X-XSRF-TOKEN for every request made to any host allowing attackers to view sensitive information.

Signed-off-by: Lucian Buzzo <lucian.buzzo@gmail.com>
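To make the advisory's mechanism concrete, here is an added example (not axios's code and not part of this PR) that models the decision a browser HTTP client makes before copying the XSRF cookie into an `X-XSRF-TOKEN` header; the origin, cookie value and request URLs are constructed, and the "fixed" policy is the generic same-origin check, not a copy of any axios release.

```javascript
// Added example: minimal model of XSRF-header attachment behind CVE-2023-45857.
// Not axios's own code. Constructed page origin and cookie jar below.
const PAGE_ORIGIN = 'https://app.example.test';
const COOKIES = { 'XSRF-TOKEN': 'constructed-secret-token-123' };

// Resolve a possibly relative request URL against the page origin.
function resolveUrl(url) {
  return new URL(url, PAGE_ORIGIN);
}

// Same origin means identical scheme, host and port.
function isSameOrigin(url) {
  return resolveUrl(url).origin === new URL(PAGE_ORIGIN).origin;
}

// Vulnerable behaviour described in the advisory: whenever the cookie exists,
// its value is attached to every request, regardless of the target host.
function buildHeadersVulnerable(url, cookieName = 'XSRF-TOKEN') {
  const headers = {};
  const token = COOKIES[cookieName];
  if (token) headers['X-XSRF-TOKEN'] = token;
  return headers;
}

// Hardened behaviour: attach the token only when the request stays on the
// page's own origin, so a third-party host never receives it.
function buildHeadersFixed(url, cookieName = 'XSRF-TOKEN') {
  const headers = {};
  const token = COOKIES[cookieName];
  if (token && isSameOrigin(url)) headers['X-XSRF-TOKEN'] = token;
  return headers;
}

// Audit helper: list the cross-origin requests that would carry the token
// under a given header-building policy.
function auditLeaks(urls, buildHeaders) {
  return urls.filter((u) => !isSameOrigin(u) && 'X-XSRF-TOKEN' in buildHeaders(u));
}

// Constructed sample requests: two same-origin, one to a third-party host.
const SAMPLE_REQUESTS = [
  '/api/session',
  'https://app.example.test/api/flows',
  'https://cdn.third-party.test/widget.js',
];

console.log('vulnerable policy leaks to:', auditLeaks(SAMPLE_REQUESTS, buildHeadersVulnerable));
console.log('fixed policy leaks to:', auditLeaks(SAMPLE_REQUESTS, buildHeadersFixed));
```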
@CLAassistant

CLAassistant commented Nov 13, 2023

CLA assistant check
All committers have signed the CLA.

@beanow-at-crabnebula

beanow-at-crabnebula commented Nov 15, 2023

Fixes #289

@aeneasr
Member

aeneasr commented Nov 15, 2023

Hi - thank you for the PR. Unfortunately, this code is auto-generated and we'll need to upgrade the typescript generator. Will do that over the next couple of days!

@levpachmanov

Hey @LucianBuzzo,
We're part of a startup called Seal Security that mitigates software vulnerabilities in older open source versions by backporting/creating standalone security patches - enabling more straightforward remediation in cases like this. We created an axios 0.27.2-sp1 that's vulnerability-free. As with all of our patches, it's open-source and available for free.

If relevant, check out our GitHub repo if you wish to learn more, or start using our app.

Please feel free to reach us at info@seal.security if you have any requests/questions.

@LucianBuzzo
Author

@aeneasr Ok cool, where is the source for the typescript generator?

@beanow-at-crabnebula

Axios is also getting PRs for a 0.x fix such as axios/axios#6091

@aeneasr
Member

aeneasr commented Jan 4, 2024

Closing as per #303 (comment)
