Uploaded image for project: 'Node.js Driver'
  1. Node.js Driver
  2. NODE-4298

Investigate NODE-4297 - upgrade kerberos dependency to use only ansi-regex ^6.0.1 due to Security Vulnerability

    XMLWordPrintableJSON

Details

    • Task
    • Status: Closed
    • Unknown
    • Resolution: Done
    • None
    • None
    • None
    • 1
    • Not Needed

    Description

      NODE-4297 Description

      Summary

      Security Vulnerabilities in kerberos 2.0.0

      This vulnerability comes from ansi-regex@2.1.1, which is a transitive dependency.
      the solution is to upgrade depndency 

      Motivation

      How does this affect the end user?

      Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) due to the sub-patterns{{ [\\]()#;?}} and (?:;[-a-zA-Z\\d\\/#&.:=?%@~_])*.

      Is this issue urgent?

      yes, possible ReDoS

       

       

      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3807

      Attachments

        Issue Links

          is depended on by

          Task - A task that needs to be done. NODE-4297 upgrade kerberos dependency to use only ansi-regex ^6.0.1 due to Security Vulnerability

          • Unknown - Priority not determined yet.
          • Closed

          Activity

            People

              daria.pardue@mongodb.com Daria Pardue
              dbeng-pm-bot PM Bot
              Votes:
              0 Vote for this issue
              Watchers:
              1 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: