CVE-2024-28863 in Mend Bolt report
ravindraP20 opened this issue · 6 comments
Hi,
We are using karma-ui5@3.0.4 as one of the devDependencies. Mend Bolt is showing CVE-2024-28863 in our CI/CD pipeline.
tar@6.2.0 is vulnerable and upgrade to tar@6.2.1 is recommended.
npm list tar
└─┬ karma-ui5@3.0.4
  └─┬ @ui5/project@3.9.0
    ├─┬ make-fetch-happen@13.0.0
    │ └─┬ cacache@18.0.2
    │   └── tar@6.2.0 deduped
    └─┬ pacote@17.0.6
      ├─┬ @npmcli/run-script@7.0.4
      │ └─┬ node-gyp@10.0.1
      │   └── tar@6.2.0 deduped
      └── tar@6.2.0
Could you please upgrade the necessary dependencies.
Best Regards
Ravindra
The patched version 6.2.1 can be consumed by updating the package-lock.json in your project. There's nothing this project can or needs to do about this.
We can anyway update package-lock.json in our project just so that the vulnerability is not reported in Mend Bolt, but that does not resolve the vulnerability in karma-ui5@3.0.4.
Could you please elaborate what you mean?
The linked CVE affects the tar package. As Matthias already stated, upgrading the tar dependency in your project fully resolves this vulnerability. There is no vulnerability in karma-ui5 itself.
What @matz3 and @RandomByte tried to explain: the version ranges defined by karma@3.0.4 allow an update of @ui5/project to version 3.9.1 which transitively depends on tar@6.2.1 (as requested by you).
There is no change to karma-ui5 needed. You just have to update the dependencies in your project.
After an update (and still using karma@3.0.4), I get the following tree:
└─┬ karma-ui5@3.0.4
  └─┬ @ui5/project@3.9.1
    ├─┬ make-fetch-happen@13.0.1
    │ └─┬ cacache@18.0.3
    │   └── tar@6.2.1 deduped
    └─┬ pacote@17.0.7
      ├─┬ @npmcli/run-script@7.0.4
      │ └─┬ node-gyp@10.1.0
      │   └── tar@6.2.1 deduped
      └── tar@6.2.1
So there is no vulnerability in karma@3.0.4 per se. The dependency resolution that npm did for your project before @ui5/project@3.9.1 was released then, at a later point in time, resulted in the vulnerability report. But simply re-doing the npm dependency resolution fixes it. This is business as usual in npm based projects.
You might think that karma-ui5 should update its dependency versions. That's indeed possible, but to show any effect, it would require the same process on your side: update the npm dependencies of your project.
Last, but not least: any fresh install of your project already no longer gets the dependency to the vulnerable tar@6.2.0.
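The point made above is that the vulnerable version lives in the consumer's own package-lock.json, so the fix is to re-resolve (for example `npm update`) and then confirm that no copy of tar below 6.2.1 remains, including nested, non-deduped copies that `npm ls tar` would show under another package. The script below is an added example for that verification step; it is not code from the thread or from the karma-ui5 project. It walks the "packages" map of a lockfileVersion 2/3 package-lock.json and reports every resolved copy of a package that is older than a given fixed version. The embedded lockfile is constructed for this example and only mirrors the relevant entries of the tree posted in the issue, plus one hypothetical nested copy to show why a path-by-path check matters.

```python
"""Report every copy of a package in package-lock.json that is older than a fixed version.

Added example, not part of the issue thread or of karma-ui5. Works on the
"packages" map of lockfileVersion 2/3 lockfiles, where every installed copy
(top-level or nested under another package's node_modules) has its own key.
"""
import json
from typing import Dict, List, Tuple

# Constructed sample lockfile for this example: the shape of a lockfileVersion 3
# "packages" map. Versions follow the first `npm ls tar` tree in the thread; the
# nested node-gyp copy is hypothetical and shows a copy a top-level update can miss.
SAMPLE_LOCKFILE = json.dumps({
    "name": "my-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "my-app", "devDependencies": {"karma-ui5": "^3.0.4"}},
        "node_modules/karma-ui5": {"version": "3.0.4"},
        "node_modules/@ui5/project": {"version": "3.9.0"},
        "node_modules/tar": {"version": "6.2.0"},
        "node_modules/node-gyp": {"version": "10.0.1"},
        "node_modules/node-gyp/node_modules/tar": {"version": "6.1.15"},
    },
})


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '6.2.1' (a pre-release suffix such as '-beta.1' is dropped) into a comparable tuple."""
    core = v.split("-", 1)[0]
    return tuple(int(x) for x in core.split("."))


def resolved_versions(lockfile_text: str, package: str) -> Dict[str, str]:
    """Map each node_modules path holding `package` to the version pinned there."""
    lock = json.loads(lockfile_text)
    packages = lock.get("packages")
    if packages is None:
        raise ValueError("expected lockfileVersion 2 or 3 with a 'packages' map")
    # Every copy of the package, deduped or not, has a key ending in
    # "node_modules/<package>"; scoped names like "@ui5/project" work the same way.
    suffix = "node_modules/" + package
    return {
        path: entry["version"]
        for path, entry in packages.items()
        if path == suffix or path.endswith("/" + suffix)
    }


def vulnerable_copies(lockfile_text: str, package: str, fixed_in: str) -> List[str]:
    """Return, sorted, the lockfile paths where `package` resolves below `fixed_in`."""
    floor = parse_version(fixed_in)
    return sorted(
        path
        for path, version in resolved_versions(lockfile_text, package).items()
        if parse_version(version) < floor
    )


if __name__ == "__main__":
    import sys
    # Usage: python check_lock.py package-lock.json tar 6.2.1
    lock_path, pkg, fixed = sys.argv[1:4]
    with open(lock_path, encoding="utf-8") as f:
        bad = vulnerable_copies(f.read(), pkg, fixed)
    for p in bad:
        print(f"{p} resolves below {fixed}")
    sys.exit(1 if bad else 0)
```

Run it against the project's lockfile before and after `npm update`; a non-zero exit means the re-resolution did not reach every copy (typically a nested one pinned by an intermediate package), which is the case where bumping the top-level range alone is not enough.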
Thanks for the detailed answer.