Vulnerabilities introduced by package node-forge and @firebase/util #1392
Comments
I found a few problems with this issue:
Thanks for the bug report @paimon0715. We don't usually release patches for previous major versions, and our release processes are not even set up for that type of maintenance work (e.g. we don't have a v8 branch to perform further development on). I'll chat with the team and see if we can make an exception in this one instance.
@hiranya911 Thank you very much for your help.
Hi @paimon0715. I discussed this with the rest of our team, and the consensus was that the risk of breaking something with a new point release is not worth the potential benefits. Therefore we are not going to do another v8 point release at this stage. As for the security issues, I don't think either of the mentioned vulnerabilities actually affects the Admin SDK. We do not call the vulnerable functions mentioned in the CVEs ( I would also recommend reporting an issue (or even submitting a PR) at https://github.com/jloosli/node-firestore-import-export to see if we can get them to upgrade, since this seems to be what's pulling the old Admin SDK version into developers' projects in most cases.
Hi @hiranya911, @lahirumaramba, there are two vulnerabilities introduced in your package:
Issue Description
Vulnerabilities CVE-2020-7720, detected in package node-forge<0.10.0, and CVE-2020-7765, detected in package @firebase/util<0.3.4, are referenced by firebase-admin@8.13.0. We noticed that the vulnerabilities have been removed since firebase-admin@9.2.0.
However, firebase-admin's popular previous version firebase-admin@8.13.0 (78,863 downloads per week) is still transitively referenced by a large number of latest versions of active and popular downstream projects (about 498 downstream projects, e.g., @paperbits/firebase 0.1.429, dblibrary 1.338.0, @endran/firebridge 2.0.0, firestore-to-bigquery-export 1.7.2, @meditect/geofirestore-clustering-js 1.0.8, [email protected], [email protected], etc.).
As such, issues CVE-2020-7720 and CVE-2020-7765 can propagate into these downstream projects and expose them to security threats.
These projects cannot easily upgrade firebase-admin from version 8.13.0 to (>=9.2.0). For instance, firebase-admin@8.13.0 is introduced into the above projects via the following package dependency paths:
(1)
[email protected] ➔ [email protected] ➔ [email protected] ➔ [email protected]
(2)
[email protected] ➔ [email protected] ➔ [email protected] ➔ [email protected] ➔ [email protected]
(3)
[email protected] ➔ [email protected] ➔ [email protected] ➔ @firebase/[email protected] ➔ @firebase/[email protected] ➔ @firebase/[email protected]
......
Projects such as node-firestore-import-export, which introduced firebase-admin@8.13.0, are no longer maintained. These unmaintained packages can neither upgrade firebase-admin nor be easily migrated away from by the large number of affected downstream projects.
On behalf of the downstream users, could you help us remove the vulnerability from package firebase-admin@8.13.0?
Suggested Solution
Since these inactive projects set a version constraint of 8.13.0 for firebase-admin on the above vulnerable dependency paths, if firebase-admin removes the vulnerability from 8.13.0 and releases a new patched version [email protected], such a vulnerability patch can be automatically propagated into the 498 affected downstream projects.
In [email protected], you can kindly try to perform the following upgrades:
(1)
node-forge ^0.7.6 ➔ ^0.10.0
(2)
@firebase/database ^0.6.0 ➔ ^0.7.1
Note:
node-forge@0.10.0 (>=0.10.0) has fixed the vulnerability (CVE-2020-7720);
@firebase/database@0.7.1 (>=0.7.1) transitively depends on @firebase/util@0.3.4 (a version in which CVE-2020-7765 is patched).
Thanks again for your contributions.
Best regards,
Paimon
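For a downstream project that cannot wait for an upstream point release, the practical check is whether its own lockfile actually contains a copy of node-forge below 0.10.0 or @firebase/util below 0.3.4, and which parent pulled it in. The script below is an added example, not code from this issue or from firebase-admin: it walks the `packages` map of a package-lock.json (lockfileVersion 2 or 3), reports every installed copy below the fixed version with its install path, and emits the package.json `overrides` block that would force the fixed versions onto every dependent. The sample lock is constructed to mirror the dependency path described in the issue; the version 0.3.2 for @firebase/util and the package `some-other-lib` are assumptions for illustration.

```javascript
// Added example, not code from the issue or from firebase-admin. Scans a
// package-lock.json "packages" map (lockfileVersion 2 or 3) for the two
// packages named in the issue and reports every copy below the fixed version.
const ADVISORIES = [
  { id: 'CVE-2020-7720', name: 'node-forge', fixedIn: '0.10.0' },
  { id: 'CVE-2020-7765', name: '@firebase/util', fixedIn: '0.3.4' },
];

// Minimal numeric semver compare for the exact versions a lockfile records.
// Returns <0 if a < b, 0 if equal, >0 if a > b. Pre-release suffixes
// (e.g. "1.0.0-beta") are ignored, which is sufficient for this comparison.
function compareVersions(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// "node_modules/a/node_modules/@scope/b" -> "@scope/b". The lock path itself
// shows nesting, i.e. which parent the copy was installed under.
function packageName(lockPath) {
  const marker = 'node_modules/';
  return lockPath.slice(lockPath.lastIndexOf(marker) + marker.length);
}

// One finding per installed copy whose version is below the fixed version.
function findVulnerable(lock, advisories = ADVISORIES) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === '') continue; // the root project entry has no package name
    const name = packageName(path);
    for (const adv of advisories) {
      if (name === adv.name && compareVersions(entry.version, adv.fixedIn) < 0) {
        findings.push({ id: adv.id, name, version: entry.version, fixedIn: adv.fixedIn, path });
      }
    }
  }
  return findings;
}

// package.json "overrides" block (npm 8.3+) forcing the fixed versions onto
// every dependent, including pinned transitive ones. Yarn's key is "resolutions".
function suggestOverrides(findings) {
  const overrides = {};
  for (const f of findings) overrides[f.name] = `>=${f.fixedIn}`;
  return { overrides };
}

// Constructed sample lock modelled on the issue's dependency path:
// project -> firebase-admin 8.13.0 -> node-forge 0.7.6 and @firebase/util.
// "some-other-lib" (assumed) carries an already-fixed nested node-forge to
// show that only the old copy is reported.
const SAMPLE_LOCK = {
  lockfileVersion: 2,
  packages: {
    '': { name: 'downstream-app', dependencies: { 'firebase-admin': '8.13.0' } },
    'node_modules/firebase-admin': {
      version: '8.13.0',
      dependencies: { 'node-forge': '^0.7.6', '@firebase/database': '^0.6.0' },
    },
    'node_modules/node-forge': { version: '0.7.6' },
    'node_modules/@firebase/database': { version: '0.6.0', dependencies: { '@firebase/util': '^0.3.2' } },
    'node_modules/@firebase/util': { version: '0.3.2' },
    'node_modules/some-other-lib': { version: '1.0.0', dependencies: { 'node-forge': '^0.10.0' } },
    'node_modules/some-other-lib/node_modules/node-forge': { version: '0.10.0' },
  },
};

// Human-readable report lines, one per finding.
function report(lock) {
  return findVulnerable(lock).map(
    (f) => `${f.id}: ${f.path} is ${f.version}, fixed in ${f.fixedIn}`,
  );
}

console.log(report(SAMPLE_LOCK).join('\n'));
console.log(JSON.stringify(suggestOverrides(findVulnerable(SAMPLE_LOCK)), null, 2));
```

Two caveats when applying the generated `overrides`: it is a consumer-side workaround, not the upstream fix the issue asks for, and node-forge 0.7 to 0.10 is a breaking change under 0.x semver, so the project should run its tests against firebase-admin 8.13.0 after the override rather than assume compatibility. A real lockfile is read with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))` in place of `SAMPLE_LOCK`.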