
bump axios to v0.21.1 to fix vuln (CVE-2020-28168)#722

Merged
stevengill merged 2 commits into slackapi:main from brendan-miller-snyk:fix-issue-721
Jan 4, 2021

Conversation


@brendan-miller-snyk brendan-miller-snyk commented Jan 4, 2021

Summary

Issue: #721

Axios NPM package <=0.21.0 contains a Server-Side Request Forgery (SSRF) vulnerability where an attacker is able to bypass a proxy by providing a URL that responds with a redirect to a restricted host or IP address.

Changes included in this PR

  • Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
    • package.json

Vulnerabilities that will be fixed

With an upgrade:
Severity: medium
Priority Score (*): 402/1000 (Why? Proof of Concept exploit, CVSS 5.9 - https://app.snyk.io/test/npm/@slack/bolt/2.5.0)
Issue: Server-Side Request Forgery (SSRF), SNYK-JS-AXIOS-1038255
Exploit Maturity: Proof of Concept

Requirements (place an x in each [ ])
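The proxy bypass summarised in the PR description, as an added example that is neither the PR's nor axios's own code: a toy Node.js model in which the first request honours the egress proxy but each redirect hop is issued directly, next to the fixed variant that routes every hop through the proxy, plus a small check of a resolved axios version against the fixed release 0.21.1. The fake origin servers, the private-range hostname denylist, and every function name here are constructed assumptions for illustration, not axios or follow-redirects internals.

```javascript
// Added example, not code from the PR, @slack/bolt or axios.
// Constructed fake origin servers: url -> canned response. No network is used.
const SERVERS = {
  'http://attacker.example/start': { status: 302, location: 'http://10.0.0.5/admin' },
  'http://10.0.0.5/admin':         { status: 200, body: 'internal admin page' },
  'http://public.example/ok':      { status: 200, body: 'public content' },
};

// Simplified private-range denylist the egress proxy enforces (assumption).
function isRestrictedHost(hostname) {
  return hostname === 'localhost' ||
    /^(10\.|127\.|192\.168\.|169\.254\.)/.test(hostname);
}

// Toy egress proxy: refuses restricted destinations, otherwise forwards.
function viaProxy(url) {
  const host = new URL(url).hostname;
  if (isRestrictedHost(host)) return { status: 403, body: 'proxy: destination blocked' };
  return SERVERS[url] || { status: 404, body: '' };
}

// Direct connection that never touches the proxy.
function direct(url) {
  return SERVERS[url] || { status: 404, body: '' };
}

function isRedirect(res) {
  return res.status >= 300 && res.status < 400 && Boolean(res.location);
}

// Model of the vulnerable behaviour: only the initial request goes through
// the proxy; each redirect target is fetched with a fresh, proxy-less request,
// so a 302 to an internal address reaches it.
function fetchVulnerable(url, maxRedirects = 5) {
  let res = viaProxy(url);
  for (let hops = 0; isRedirect(res) && hops < maxRedirects; hops++) {
    res = direct(res.location); // proxy settings lost on the redirect hop
  }
  return res;
}

// Fixed behaviour: every hop, including each redirect target, is re-sent
// through the proxy, so the same destination policy applies to all of them.
function fetchFixed(url, maxRedirects = 5) {
  let res = viaProxy(url);
  for (let hops = 0; isRedirect(res) && hops < maxRedirects; hops++) {
    res = viaProxy(res.location);
  }
  return res;
}

// Check a resolved axios version string (e.g. from package-lock.json) against
// the first fixed release, 0.21.1. A leading range operator such as ^ or ~ is
// stripped; prerelease tags are not handled (assumption: plain x.y.z input).
function axiosIsPatched(version) {
  const [a, b, c] = version.replace(/^[^\d]*/, '').split('.').map(Number);
  const [x, y, z] = [0, 21, 1];
  if (a !== x) return a > x;
  if (b !== y) return b > y;
  return c >= z;
}

// Stand-alone demo.
console.log('vulnerable:', fetchVulnerable('http://attacker.example/start'));
console.log('fixed:     ', fetchFixed('http://attacker.example/start'));
console.log('0.21.0 patched?', axiosIsPatched('0.21.0'), '| 0.21.1 patched?', axiosIsPatched('0.21.1'));
```

The point of the model is that a destination policy enforced only on the first request is no policy at all once redirects are followed; the check has to run on every hop, which is what the upgrade restores.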

@gitwave gitwave Bot added the untriaged label Jan 4, 2021

CLAassistant commented Jan 4, 2021

CLA assistant check
All committers have signed the CLA.

@brendan-miller-snyk brendan-miller-snyk changed the title Issue 721: bump axios to v0.21.1 to fix vuln (CVE-2020-28168) bump axios to v0.21.1 to fix vuln (CVE-2020-28168) Jan 4, 2021

codecov Bot commented Jan 4, 2021

Codecov Report

Merging #722 (df2b579) into main (305ae9a) will not change coverage.
The diff coverage is n/a.


@@           Coverage Diff           @@
##             main     #722   +/-   ##
=======================================
  Coverage   82.32%   82.32%           
=======================================
  Files           8        8           
  Lines         758      758           
  Branches      250      250           
=======================================
  Hits          624      624           
  Misses         78       78           
  Partials       56       56           


@seratch seratch added security and removed untriaged labels Jan 4, 2021

seratch commented Jan 4, 2021

Thanks for taking time to report this issue and send this fix! LGTM 👍 This will be merged on Monday, Pacific Time.

@brendan-miller-snyk brendan-miller-snyk (Contributor, Author) commented

No worries! Appreciate the quick turnaround 👍

@stevengill stevengill merged commit 8c7434a into slackapi:main Jan 4, 2021