yarn-audit-known-issues
{"actions":[],"advisories":{"1097548":{"findings":[{"version":"1.10.6","paths":["applicationinsights>@azure/monitor-opentelemetry>@opentelemetry/sdk-node>@opentelemetry/exporter-trace-otlp-grpc>@grpc/grpc-js","applicationinsights>@azure/monitor-opentelemetry>@opentelemetry/sdk-node>@opentelemetry/exporter-trace-otlp-grpc>@opentelemetry/otlp-grpc-exporter-base>@grpc/grpc-js"]}],"metadata":null,"vulnerable_versions":">=1.10.0 <1.10.9","module_name":"@grpc/grpc-js","severity":"moderate","github_advisory_id":"GHSA-7v5v-9h63-cj86","cves":["CVE-2024-37168"],"access":"public","patched_versions":">=1.10.9","cvss":{"score":5.3,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},"updated":"2024-06-11T21:44:12.000Z","recommendation":"Upgrade to version 1.10.9 or later","cwe":["CWE-789"],"found_by":null,"deleted":null,"id":1097548,"references":"- https://github.com/grpc/grpc-node/security/advisories/GHSA-7v5v-9h63-cj86\n- https://github.com/grpc/grpc-node/commit/08b0422dae56467ecae1007e899efe66a8c4a650\n- https://github.com/grpc/grpc-node/commit/674f4e351a619fd4532f84ae6dff96b8ee4e1ed3\n- https://github.com/grpc/grpc-node/commit/a8a020339c7eab1347a343a512ad17a4aea4bfdb\n- https://nvd.nist.gov/vuln/detail/CVE-2024-37168\n- https://github.com/advisories/GHSA-7v5v-9h63-cj86","created":"2024-06-10T21:38:05.000Z","reported_by":null,"title":"@grpc/grpc-js can allocate memory for incoming messages well above configured limits","npm_advisory_id":null,"overview":"### Impact\nThere are two separate code paths in which memory can be allocated per message in excess of the `grpc.max_receive_message_length` channel option:\n\n 1. If an incoming message has a size on the wire greater than the configured limit, the entire message is buffered before it is discarded.\n 2. If an incoming message has a size within the limit on the wire but decompresses to a size greater than the limit, the entire message is decompressed into memory, and on the server is not discarded.\n\n### Patches\n\nThis has been patched in versions 1.10.9, 1.9.15, and 1.8.22\n","url":"https://github.com/advisories/GHSA-7v5v-9h63-cj86"}},"muted":[],"metadata":{"vulnerabilities":{"info":0,"low":0,"moderate":2,"high":0,"critical":0},"dependencies":482,"devDependencies":0,"optionalDependencies":0,"totalDependencies":482}}
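A file with this name is typically the saved output of an earlier audit run, kept in the repository so that CI fails only on advisories that have not already been triaged. The script below is an added example of that comparison, not the repository's own tooling: it takes a trimmed copy of the allowlist above plus a constructed later audit report in the same JSON shape, and reports advisories that are not allowlisted, allowlisted advisories that are now reached through a dependency path the allowlist never covered, and allowlisted entries that no longer appear (candidates for pruning). The comparison rules, the `example-app`/`example-pkg` paths and the `GHSA-placeholder-0000` advisory are assumptions made for the example, not real identifiers.

```javascript
'use strict';

// Added example, not the repository's own tooling. KNOWN_ISSUES is a trimmed
// copy of the yarn-audit-known-issues file above (only the fields the
// comparison reads); FRESH_AUDIT is constructed sample data, not real output.
const KNOWN_ISSUES = {
  advisories: {
    '1097548': {
      id: 1097548,
      github_advisory_id: 'GHSA-7v5v-9h63-cj86',
      module_name: '@grpc/grpc-js',
      severity: 'moderate',
      vulnerable_versions: '>=1.10.0 <1.10.9',
      patched_versions: '>=1.10.9',
      findings: [{
        version: '1.10.6',
        paths: [
          'applicationinsights>@azure/monitor-opentelemetry>@opentelemetry/sdk-node>@opentelemetry/exporter-trace-otlp-grpc>@grpc/grpc-js',
          'applicationinsights>@azure/monitor-opentelemetry>@opentelemetry/sdk-node>@opentelemetry/exporter-trace-otlp-grpc>@opentelemetry/otlp-grpc-exporter-base>@grpc/grpc-js',
        ],
      }],
    },
  },
};

// Constructed later audit run: the grpc-js advisory is still present but is now
// also reached through a path the allowlist never triaged, and a placeholder
// advisory has appeared. 'example-app', 'example-pkg' and
// 'GHSA-placeholder-0000' are invented for this example.
const FRESH_AUDIT = {
  advisories: {
    '1097548': {
      id: 1097548,
      github_advisory_id: 'GHSA-7v5v-9h63-cj86',
      module_name: '@grpc/grpc-js',
      severity: 'moderate',
      findings: [{
        version: '1.10.6',
        paths: [
          'applicationinsights>@azure/monitor-opentelemetry>@opentelemetry/sdk-node>@opentelemetry/exporter-trace-otlp-grpc>@grpc/grpc-js',
          'applicationinsights>@azure/monitor-opentelemetry>@opentelemetry/sdk-node>@opentelemetry/exporter-trace-otlp-grpc>@opentelemetry/otlp-grpc-exporter-base>@grpc/grpc-js',
          'example-app>@grpc/grpc-js',
        ],
      }],
    },
    '0': {
      id: 0,
      github_advisory_id: 'GHSA-placeholder-0000',
      module_name: 'example-pkg',
      severity: 'high',
      findings: [{ version: '0.0.1', paths: ['example-app>example-pkg'] }],
    },
  },
};

// Prefer the GHSA id; fall back to the numeric advisory id.
function advisoryKey(adv) {
  return adv.github_advisory_id || String(adv.id);
}

// One key per (resolved version, dependency path): the allowlist accepts a
// specific installed version on a specific path, not the module in general.
function findingKeys(adv) {
  return (adv.findings || []).flatMap((f) => f.paths.map((p) => `${f.version}::${p}`));
}

function toMap(report) {
  return new Map(Object.values(report.advisories || {}).map((a) => [advisoryKey(a), a]));
}

// Returns { newAdvisories, newPaths, stale, ok }; ok is false when anything
// not covered by the allowlist was found.
function compareAudits(known, fresh) {
  const knownAdvs = toMap(known);
  const freshAdvs = toMap(fresh);
  const result = { newAdvisories: [], newPaths: [], stale: [], ok: true };

  for (const [key, adv] of freshAdvs) {
    const knownAdv = knownAdvs.get(key);
    if (!knownAdv) {
      result.newAdvisories.push({ key, module: adv.module_name, severity: adv.severity });
      continue;
    }
    const allowed = new Set(findingKeys(knownAdv));
    for (const fk of findingKeys(adv)) {
      if (!allowed.has(fk)) result.newPaths.push({ key, finding: fk });
    }
  }
  // Allowlisted advisories that no longer show up should be pruned from the file.
  for (const key of knownAdvs.keys()) {
    if (!freshAdvs.has(key)) result.stale.push(key);
  }
  result.ok = result.newAdvisories.length === 0 && result.newPaths.length === 0;
  return result;
}

const REPORT = compareAudits(KNOWN_ISSUES, FRESH_AUDIT);
console.log(JSON.stringify(REPORT, null, 2));
```

In a CI job the `ok` flag would drive the exit status, while `stale` is only a warning: once `@grpc/grpc-js` is upgraded to 1.10.9 or later the advisory disappears from the fresh report and this entry should be removed so the allowlist does not silently accept a future regression on the same paths.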