CVE-2021-32796 due to dependency on deprecated adal-node package which in turn uses xmldom@0.6.0

Question

CVE-2021-32796 due to dependency on deprecated adal-node package which in turn uses xmldom@0.6.0

prueker opened this issue 3 years ago · comments

Tedious needs to upgrade to @azure/msal-node to mitigate CVE-2021-32796 which is caused by xmldom as a dependency on deprecated adal-node package as per https://github.com/AzureAD/azure-activedirectory-library-for-nodejs.

https://nvd.nist.gov/vuln/detail/CVE-2021-32796

└─┬ tedious@11.4.0
    └─┬ adal-node@0.2.2
      └── xmldom@0.6.0

Jamie Peabody · Answer 1 · Fri Aug 20 2021 15:03:56 GMT+0800 (China Standard Time)

Note, due to inability take ownership of xmldom, it is now published as @xmldom/xmldom@0.7.0 by the new maintainers (ref).

rossgp · Answer 2 · Sat Aug 21 2021 00:32:39 GMT+0800 (China Standard Time)

Also worth noting there's a dependency via @azure/ms-rest-nodeauth as well

└─┬ tedious@11.4.0
  ├─┬ @azure/ms-rest-nodeauth@3.0.10
  │ └── adal-node@0.2.2  deduped
  └── adal-node@0.2.2

And that's not going to be addressed according to #Azure/ms-rest-nodeauth#128
and are recommending moving to @azure/identity instead

Michael Sun · Answer 3 · Tue Aug 24 2021 00:52:42 GMT+0800 (China Standard Time)

Thank you guys for the suggestions. We are currently looking into migrating to using @azure/identity. Like I replied in issue #1238, we will give you guys an update.

Jason Nutter · Answer 4 · Sat Sep 11 2021 00:25:14 GMT+0800 (China Standard Time)

adal-node@0.2.3 has been published with @xmldom/xmldom.

Jamie Peabody · Answer 5 · Wed Sep 15 2021 19:09:58 GMT+0800 (China Standard Time)

if anyone else is wondering, the reply from @jasonnutter effectively says that this issue is resolved and this issue can be closed.