In the security scan, a critical vulnerability, CVE-2022-27140 for express-fileupload, was reported; express-fileupload is one of the internal dependencies of @cap-js-community/odata-v2-adapter. The description is below:
An arbitrary file upload vulnerability in the file upload module of express-fileupload 1.3.1 allows attackers to execute arbitrary code via a crafted PHP file. NOTE: the vendor's position is that the observed behavior can only occur with "intentional misusing of the API": the express-fileupload middleware is not responsible for an application's business logic (e.g., determining whether or how a file should be renamed).
NOTE: We are using the latest version (1.5.0) of this dependency.
Can you please help to remediate this vulnerability in this dependency?
Many Thanks.
Regards,
Juhi Jadav
The referenced YouTube video does not show a real vulnerability, but an intentional misuse.
CDS OData V2 Adapter always uses the latest version of express-fileupload. If the maintainers of express-fileupload provide some security fixes, users of CDS OData V2 Adapter will automatically benefit from them when updating the package lock. From the CDS OData V2 Adapter perspective I see no need for action here. So I would recommend to ignore this vulnerability, as it is disputed.