Recidiviz/covid19-dashboard

Security Alert - Package: postcss; Severity: MEDIUM; Vuln ID: GHSA-hwj9-h5mp-3pm3

due: 2022-03-26

    A new vulnerability has been reported by Dependabot. The criticality of this vulnerability is MEDIUM.

    MEDIUM vulnerabilities have an SLA of 60 days according to our policy.

    Affected package: postcss
    Ecosystem: NPM
    Affected version range: >= 7.0.0, < 7.0.36

    Summary: Regular Expression Denial of Service in postcss
    Description: The npm package `postcss` from 7.0.0 and before versions 7.0.36 and 8.2.10 is vulnerable to Regular Expression Denial of Service (ReDoS) during source map parsing.
    Identifiers: GHSA-hwj9-h5mp-3pm3, CVE-2021-23368

    Fixed Version: 7.0.36
    Created Date: January 25, 2022

    ***Additional Context***
    https://github.com/Recidiviz/covid19-dashboard/security/dependabot?q=is%3Aopen+sort%3Anewest

The Recidiviz security team has been exploring some automation in this ticket: https://github.com/Recidiviz/security-operations-automation/issues/5

The goal is to automatically generate Github issues when a Dependabot alert is made. On January 24, 2022, the script we are using was modified. This led to several dozen duplicate issues being created and reported as vulnerabilities. This issue is one of those duplicate issues.

Given that the issue is a duplicate, we have closed this issue out and removed the following labels:

Severity Label
Subject: Security
Subject: Vulnerability