external-secrets/kubernetes-external-secrets

High severity vulnerability on 8.5.1

mmeknowis opened this issue · 3 comments

Hello,

The current 8.5.1 has a High-severity vulnerable dependency as per our scans. It's a sub-dependency of axios:

CVE-2022-0155: follow-redirects is vulnerable to Exposure of Private Personal Information to an Unauthorized Actor

Helpful links:
https://www.whitesourcesoftware.com/vulnerability-database/CVE-2022-0155
https://huntr.dev/bounties/fc524e4b-ebb6-427d-ab67-a64181020406/
follow-redirects/follow-redirects@8b347cb

Additionally we found 2 medium vulnerabilities:

CVE-2022-0122: https://nvd.nist.gov/vuln/detail/CVE-2022-0122
WS-2022-0008: https://vuln.whitesourcesoftware.com/vulnerability-database/WS-2022-0008

Could you check if I am right?

Thanks a lot.

@Flydiverny That is important, same as the migration from KES to ESO.
Can someone give some time to fix it? KES is still under limited maintenance, as already mentioned in the last release note.
Thanks a lot.

[Screenshot attached: 2022-03-23 16:51:12]

CVE-2022-0155 was fixed in 8.5.2
CVE-2022-0122 and WS-2022-0008 look incorrect, as they apply to node-forge <1, while we are on 1.2.1; the code paths are potentially hit if you use akeyless.

KES does not have any dedicated or active maintainer

I'll make sure to remove the limited maintenance part 😉

Forgot to mention that I made a new release 8.5.5 as well. 😄
There were 2 new reports for the same node-forge dependency.
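The triage the maintainer does above (is the flagged package actually installed in an affected version, and through which dependency did it arrive?) can be checked against a lockfile instead of trusting the scanner. The script below is an added example, not code from this thread or from kubernetes-external-secrets: it walks a `package-lock.json` (lockfileVersion 2/3 `packages` map), lists every installed copy of a package, including nested copies npm could not hoist, and matches each copy against a constructed advisory list. The lockfile contents, the `some-tool` package and the `<1.14.7` range for follow-redirects are assumptions for illustration; the `<1.0.0` range for node-forge is the one quoted in the thread.

```javascript
"use strict";

// Constructed package-lock.json (lockfileVersion 2) standing in for a real
// lockfile. The tree shape is illustrative, not the KES dependency tree:
// follow-redirects sits under axios, node-forge is installed twice.
const SAMPLE_LOCK = {
  name: "example-app",
  lockfileVersion: 2,
  packages: {
    "": { version: "1.0.0", dependencies: { axios: "^0.21.4", "node-forge": "^1.2.1", "some-tool": "^2.0.0" } },
    "node_modules/axios": { version: "0.21.4", dependencies: { "follow-redirects": "^1.14.0" } },
    "node_modules/axios/node_modules/follow-redirects": { version: "1.14.4" },
    "node_modules/node-forge": { version: "1.2.1" },
    "node_modules/some-tool": { version: "2.0.0", dependencies: { "node-forge": "^0.10.0" } },
    "node_modules/some-tool/node_modules/node-forge": { version: "0.10.0" },
  },
};

// Advisory list as a scanner might hand it over. The node-forge range (<1.0.0)
// is the one the maintainer quotes in the thread; the follow-redirects range
// is an assumption for this example, confirm it against the advisory itself.
const ADVISORIES = [
  { id: "CVE-2022-0155", pkg: "follow-redirects", affected: "<1.14.7" },
  { id: "CVE-2022-0122", pkg: "node-forge", affected: "<1.0.0" },
  { id: "WS-2022-0008", pkg: "node-forge", affected: "<1.0.0" },
];

// Parse "MAJOR.MINOR.PATCH[-prerelease][+build]" into three integers.
// Prerelease and build tags are ignored, which is fine for release-only trees.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(v.trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Numeric comparison, so "1.10.0" sorts after "1.2.1" (string compare would not).
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Range grammar: space-separated comparators are ANDed, "||" separates
// alternatives. Supports <, <=, >, >=, = and a bare version (exact match).
function satisfies(version, range) {
  return range.split("||").some((clause) =>
    clause.trim().split(/\s+/).every((cmp) => {
      const m = /^(<=|>=|<|>|=)?\s*(.+)$/.exec(cmp);
      const c = compareVersions(version, m[2]);
      switch (m[1] || "=") {
        case "<": return c < 0;
        case "<=": return c <= 0;
        case ">": return c > 0;
        case ">=": return c >= 0;
        default: return c === 0;
      }
    })
  );
}

// Turn a lockfile path such as "node_modules/a/node_modules/b" into "a > b",
// so a finding names the dependency that pulled the package in. For hoisted
// packages the chain is just the package itself; `npm ls <pkg>` gives the rest.
function dependencyChain(lockPath) {
  return lockPath.split("node_modules/").map((s) => s.replace(/\/$/, "")).filter(Boolean).join(" > ");
}

// Every installed copy of a package, including nested ones npm could not hoist.
function installedVersions(lock, pkg) {
  const out = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === `node_modules/${pkg}` || path.endsWith(`/node_modules/${pkg}`)) {
      out.push({ path, chain: dependencyChain(path), version: entry.version });
    }
  }
  return out;
}

// Match each advisory against each installed copy. Only rows with
// affected === true need action; the others are version false positives.
function triage(lock, advisories) {
  const findings = [];
  for (const adv of advisories) {
    for (const inst of installedVersions(lock, adv.pkg)) {
      findings.push({ id: adv.id, pkg: adv.pkg, chain: inst.chain, version: inst.version,
                      affected: satisfies(inst.version, adv.affected) });
    }
  }
  return findings;
}

if (typeof require !== "undefined" && require.main === module) {
  // Usage: node triage.js [path/to/package-lock.json]; without an argument the sample tree is used.
  const lock = process.argv[2] ? JSON.parse(require("fs").readFileSync(process.argv[2], "utf8")) : SAMPLE_LOCK;
  for (const f of triage(lock, ADVISORIES)) {
    console.log(`${f.affected ? "AFFECTED    " : "not affected"} ${f.id} ${f.pkg}@${f.version} via ${f.chain}`);
  }
}
```

On the sample tree this reports follow-redirects 1.14.4 (via axios) and the nested node-forge 0.10.0 (via some-tool) as affected, and the top-level node-forge 1.2.1 as not affected, which is the distinction the maintainer draws. Running it on the project's real lockfile, or on the lockfile of a chart's container image build, turns a scanner's "package is vulnerable" into "this copy, reached through this dependency, is in range", which is what you need to decide between bumping a direct dependency and adding an override for a transitive one.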