patrikx3/redis-ui

Multiple CVEs in angular package

Closed this issue · 12 comments

The used angular package seems to be very old (1.8.3) and contains multiple vulnerabilities: CVE-2022-25844, CVE-2022-25869, CVE-2023-26116, CVE-2023-26117, CVE-2023-26118

See attached output of security scanner "trivy".

Is there a chance that you update angular to fix these vulnerabilities?


Those vulnerabilities do not apply to redis-ui-material, as we are not using those vulnerabilities, only the angular.copy, which I have replaced with lodash cloneDeep.

GHSA-prc3-vjfx-vhm9: we do not support Internet Explorer (I think it does not even work with that); should it give a problem, I will reject by the user agent

GHSA-2vrf-hf26-jrp5: in the next version we will not use angular.copy

GHSA-2qqx-w9hr-q5gx: we do not use the $resource function

GHSA-qwqh-hm9m-p5hr: we do not use the input[url]

you can check out: https://p3x.redis.patrikx3.com/ if you can crash it :)

contacted xlts.dev, they said:
Hi Patrik,

Thanks for reaching out!

From my understanding our support would fix these vulnerabilities that you listed. I've sent this off to our technical team to confirm and provide context.

I'll be in touch shortly with an answer for you.

Best,

@p3x-robot Thank you very much for your commitment.

I also stumbled upon the following CVEs:
CVE-2021-4231 --> I guess this is not relevant because it affects @angular/core, right?
CVE-2022-25844 --> This seems to be fixed in AngularJS 1.8.8 (https://xlts.dev/blog/2022-04-11-xlts-for-angularjs-1-8-8), but as far as I know you are still using 1.8.3, right?


GHSA-c75v-2vq8-878f - it is after Angular 2, so it is not relevant

For GHSA-m2h2-264f-f486, I talked to the xlts.dev team and even though it is an open source app, it looks like they will help

@p3x-robot Looking forward to getting a solution from the xlts team. Your support is awesome. I really appreciate how you take security that seriously. 👍

In the end, they can only help if you have money for it, but I think it is not using those functions that give a DoS error


Sorry if I'm blind, but isn't the latest version of AngularJS 1.8.2? I couldn't find any newer version (for instance the 1.8.8 you mentioned). I'm trying to clear the vulnerability for an application as well; a brief clarification would help, thanks.

They did not provide the latest Angular version, because it is not free anymore.