
express-fileupload vulnerability CVE-2022-27140 found in security scan #53

Closed
juhiekbote opened this issue Jun 10, 2024 · 1 comment
@juhiekbote

Hi,

In the security scan, a critical vulnerability, CVE-2022-27140, was reported for express-fileupload, which is one of the internal dependencies of @cap-js-community/odata-v2-adapter, with the description below:

An arbitrary file upload vulnerability in the file upload module of express-fileupload 1.3.1 allows attackers to execute arbitrary code via a crafted PHP file. NOTE: the vendor's position is that the observed behavior can only occur with "intentional misusing of the API": the express-fileupload middleware is not responsible for an application's business logic (e.g., determining whether or how a file should be renamed).

NOTE: We are using the latest version (1.5.0) of this dependency.
Can you please help to remediate this vulnerability in this dependency?

Many Thanks.

Regards,
Juhi Jadav

@oklemenz2
Contributor

The vulnerability is disputed (see here: https://nvd.nist.gov/vuln/detail/CVE-2022-27140).

NOTE: the vendor's position is that the observed behavior can only occur with "intentional misusing of the API"

Personally, I also think that the vulnerability is not valid, and other experts do as well:

The referenced YouTube video does not show a real vulnerability, but an intentional misuse.

CDS OData V2 Adapter always uses the latest version of express-fileupload. If the maintainers of express-fileupload provide security fixes, users of CDS OData V2 Adapter will automatically benefit from them when updating the package lock. From the CDS OData V2 Adapter perspective I see no need for action here. So I would recommend ignoring this vulnerability, as it is disputed.
