Vulnerabilities located in the Vlocity Package.
eugenepugach opened this issue · 2 comments
Hello. We use the "Vlocity" product and the "Vlocity" package in our product "Snapshot-Vlocity". Unfortunately, we always have problems during development and when deploying the product to a server with vulnerability verification, as there are a large number of critical and high priority vulnerabilities.
We have analyzed and tested how most of them can be fixed.
Please check it and update the product, because most servers do not allow installation of products with such vulnerabilities.
Critical, high and low vulnerabilities located in the Vlocity Package.

Vulnerabilities that will be fixed after upgrading the salesforce-alm package (to 54.8.5) in Vlocity:
- CVE-2020-8203 lodash@4.17.15 Package
- CWE-22 adm-zip@0.4.13, adm-zip@0.4.16 Package
- CVE-2022-29078 ejs@2.5.9 Package
- CVE-2021-3807 ansi-regex@2.1.1 Package
- CVE-2022-31129 moment@2.24.0 Package
- CWE-1321 lodash@4.17.15 Package
- CVE-2020-7777 jsen@0.6.6 Package
- CVE-2021-23337 lodash@4.17.15 Package
- CVE-2021-23337 lodash.template@4.5.0 Package
- CVE-2020-7598 minimist@0.0.8 Package
- CVE-2020-7608 yargs-parser@11.1.1 Package
- CVE-2022-24785 moment@2.24.0 Package
- CVE-2022-25881 http-cache-semantics@3.8.1 Package
- CVE-2020-28500 lodash@4.17.15 Package
- CVE-2022-23541 jsonwebtoken@8.5.1, jsonwebtoken@8.5.0 Package
- CVE-2022-23540 jsonwebtoken@8.5.1, jsonwebtoken@8.5.0 Package
- CWE-94 ejs@3.1.6 Package
- CVE-2021-44906 minimist@0.0.8, minimist@0.0.10 Package
- CVE-2022-33987 got@8.3.2 Package
- CVE-2022-3517 minimatch@3.0.4 Package

Vulnerabilities that will be fixed after upgrading the sml2js and jsforce packages in Vlocity:
- CVE-2022-39353 xmldom@0.1.31 Package

Vulnerabilities that will be fixed after upgrading the puppeteer-core package in Vlocity:
- CVE-2022-0235 node-fetch@2.6.5 Package

Vulnerabilities that will be fixed after upgrading the simple-git package (to 3.5.0) in Vlocity:
- CVE-2022-24433 simple-git@1.107.0 Package
- CVE-2022-24066 simple-git@1.107.0 Package
- CVE-2022-25912 simple-git@1.107.0 Package
- CVE-2022-25860 simple-git@1.107.0 Package

Vulnerabilities that will be fixed after upgrading the async package (to 3.2.2) in Vlocity:
- CVE-2021-43138 async@3.2.0 Package

Vulnerabilities that will be fixed after upgrading the semver package (to 6.2.0) in Vlocity:
- CVE-2022-25883 semver@6.2.0 Package

Vulnerabilities that will be fixed after upgrading the global-modules-path package (to 3.0.0) in Vlocity:
- CVE-2022-21191 global-modules-path@2.3.1 Package

Other Vlocity vulnerabilities:
- CVE-2022-39353 xmldom@0.1.31 Package
- CVE-2023-28155 request@2.88.2 Package
- CVE-2023-26136 tough-cookie@4.1.3 Package
- CVE-2022-37616 xmldom@0.1.31 Package
- CVE-2021-32796 xmldom@0.1.31 Package
- CVE-2021-21366 xmldom@0.1.31 Package
The vulnerabilities are serious and should be treated that way by Vlocity.
About a year ago I raised a regular case to Salesforce/Vlocity about such vulnerabilities. And guess what? The case was closed with some evasive answer.
I hope Vlocity will fix it before a serious security breach at their clients.
Hi All,
We already have an internal ticket to review and update VBT dependencies. salesforce-alm listed above was already deprecated a year back and is not supported any further. Updating VBT would require the whole tool to be modified. So we are under discussion and review for vulnerabilities. Secured pipelines should not have any issues or allow anyone to manipulate dependencies while the tool is being run inside the pipeline.