CVE-2022-0122 - Update xml-encryption (fixed in 3.x, pending for 4.x)
alexross1988 opened this issue
In the latest 3.2.0, xml-encryption is currently using a version of node-forge with a CVE.
Bumping to 2.0.0 here https://github.com/node-saml/passport-saml/blob/v3.2.0/package.json#L57 would solve this following the work they've done under auth0/node-xml-encryption#94
CVE-2022-0122 (severity: High)
forge is vulnerable to URL Redirection to Untrusted Site
There it is #667 (this is for branch 3.x, I'll do the same on master later if no one else does it before)
@forty Patching the master branch as well would be great, thanks.
Thanks for the quick response - is there an ETA for when the updated 3.2.X version will be published to NPM?
I started working on this today, but ran into some speed bumps and am out of time for the moment. As logged in #668, I ran into a test failure. But that's not a blocker now that I've confirmed I get the same test failure before the change was made on 3.2.0.
Also, although I'm not sure if they are publicly visible, there are 4 or 5 other "dependabot alerts" for other dependencies that could use an update. So as long as we are doing a security-focused release, I'll check that we are up-to-date with other deps as well. Perhaps later tonight or tomorrow.
3.2.1 has been released.
@cjbarth I presume the commits here need to be ported to the 4.x branch.
This has been patched on master via #685