CVE-2022-33987 (Medium) detected in multiple libraries

[mend-for-g.yxqyang.asia]

CVE-2022-33987 - Medium Severity Vulnerability

Vulnerable Libraries - got-11.8.3.tgz, got-11.8.2.tgz, got-3.3.1.tgz

got-11.8.3.tgz

Human-friendly and powerful HTTP request library for Node.js

Library home page: https://registry.npmjs.org/got/-/got-11.8.3.tgz

Dependency Hierarchy:

• ms-chromium-edge-driver-0.4.3.tgz (Root Library)
  • ❌ got-11.8.3.tgz (Vulnerable Library)

got-11.8.2.tgz

Human-friendly and powerful HTTP request library for Node.js

Library home page: https://registry.npmjs.org/got/-/got-11.8.2.tgz

Dependency Hierarchy:

• geckodriver-3.0.1.tgz (Root Library)
  • ❌ got-11.8.2.tgz (Vulnerable Library)

got-3.3.1.tgz

Simplified HTTP/HTTPS requests

Library home page: https://registry.npmjs.org/got/-/got-3.3.1.tgz

Dependency Hierarchy:

• makelogs-6.1.0.tgz (Root Library)
  • update-notifier-0.5.0.tgz
    • latest-version-1.0.1.tgz
      • package-json-1.2.0.tgz
        • ❌ got-3.3.1.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

The got package before 12.1.0 (also fixed in 11.8.5) for Node.js allows a redirect to a UNIX socket.

Publish Date: 2022-06-18

URL: CVE-2022-33987

CVSS 3 Score Details (5.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: Low
  • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-33987

Release Date: 2022-06-18

Fix Resolution: got - 11.8.5,12.1.0

[joshuarrrr]

$ yarn why got
yarn why v1.22.18
[1/4] Why do we have the module "got"...?
[2/4] Initialising dependency graph...
warning Resolution field "typescript@4.0.2" is incompatible with requested version "typescript@~4.5.2"
[3/4] Finding dependency...
[4/4] Calculating file sizes...
=> Found "got@11.8.2"
info Reasons this module exists
   - "_project_#geckodriver" depends on it
   - Hoisted from "_project_#geckodriver#got"
info Disk size without dependencies: "1.37MB"
info Disk size with unique dependencies: "1.78MB"
info Disk size with transitive dependencies: "2.16MB"
info Number of shared dependencies: 22
=> Found "ms-chromium-edge-driver#got@11.8.3"
info This module exists because "_project_#ms-chromium-edge-driver" depends on it.
info Disk size without dependencies: "444KB"
info Disk size with unique dependencies: "864KB"
info Disk size with transitive dependencies: "1.23MB"
info Number of shared dependencies: 22
=> Found "package-json#got@3.3.1"
info This module exists because "_project_#@elastic#makelogs#update-notifier#latest-version#package-json" depends on it.
info Disk size without dependencies: "20KB"
info Disk size with unique dependencies: "212KB"
info Disk size with transitive dependencies: "760KB"
info Number of shared dependencies: 23
=> Found "tsd#got@9.6.0"
info Reasons this module exists
   - "_project_#@elastic#safer-lodash-set#tsd#update-notifier#latest-version#package-json" depends on it
   - Hoisted from "_project_#@elastic#safer-lodash-set#tsd#update-notifier#latest-version#package-json#got"
info Disk size without dependencies: "140KB"
info Disk size with unique dependencies: "492KB"
info Disk size with transitive dependencies: "840KB"
info Number of shared dependencies: 23
Done in 1.24s.

[joshuarrrr]

npm ls got
opensearch-dashboards@3.0.0 /home/ubuntu/OpenSearch-Dashboards
├─┬ @elastic/makelogs@6.1.0
│ └─┬ update-notifier@0.5.0
│   └─┬ latest-version@1.0.1
│     └─┬ package-json@1.2.0
│       └── got@3.3.1 
├─┬ geckodriver@3.0.1
│ └── got@11.8.2 
└─┬ ms-chromium-edge-driver@0.4.3
  └── got@11.8.3 

[joshuarrrr]

1. geckodriver - only used in running functional tests. got bumped to 11.8.5 on 2022-06-02. Will need to wait for new release.
2. ms-chromium-edge-driver- only used in running functional tests. got updates are merged to the main project branch, but not yet in a release (latest 0.5.1 still has "got": "^11.8.2",).
3. @elastic/makelogs - only used in functional/visual regression tests. Would need a PR.
4. @elastic/safer-lodash-set - internal package, built into bundles. Depends on "tsd": "^0.16.0"
   1. tsd - depends on update-notifier, but that dependency was dropped in "tsd": "^0.17.0".
   2. update-notifier - "update-notifier": "^4.1.0" depends on "latest-version": "^5.0.0",
   3. latest-version - "latest-version": "^5.0.0" depends on "package-json": "^6.3.0". Latest depends on "package-json": "^7.0.0", would need a PR to bump to "package-json": "^8.0.0",
   4. package-json - got dependency bumped to "got": "^12.1.0", in "package-json": "^8.0.0",

I'll start by tackling 4., which is the only dependency that's included in the bundle. Bumping the tsd version is probably the best place to start.

[CCongWang]

npm ls got
opensearch-dashboards@3.0.0 /home/ubuntu/github/OpenSearch-Dashboards
├─┬ @elastic/makelogs@6.1.0
│ └─┬ update-notifier@0.5.0
│   └─┬ latest-version@1.0.1
│     └─┬ package-json@1.2.0
│       └── got@3.3.1 
├─┬ geckodriver@3.0.1
│ └── got@11.8.2 
└─┬ ms-chromium-edge-driver@0.4.3
  └── got@11.8.3 

[CCongWang]

Now we can upgrade geckodriver to 3.0.2 which uses got@11.8.5