# GitLab merge requests
https://staging.gitlab.com/gitlab-org/gitlab/-/merge_requests
2021-08-06T03:24:48Z

## Resolve vulnerability: Cross-site Scripting in mermaid
* https://staging.gitlab.com/gitlab-org/gitlab/-/merge_requests/3126
* 2021-08-06T03:24:48Z
* GitLab Security Bot

### Description:
Mermaid allows XSS when the antiscript feature is used.
* Severity: medium
* Confidence: unknown
* Location: [yarn.lock](yarn.lock)
### Solution:
Upgrade to version 8.11.0 or above.
### Identifiers:
* [Gemnasium-53c99488-c5d6-4392-89c7-7e470e347b92](https://gitlab.com/gitlab-org/security-products/gemnasium-db/-/blob/master/npm/mermaid/CVE-2021-35513.yml)
* [CVE-2021-35513](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-35513)
### Links:
* https://nvd.nist.gov/vuln/detail/CVE-2021-35513

## Resolve vulnerability: Improper Input Validation in minimist
* https://staging.gitlab.com/gitlab-org/gitlab/-/merge_requests/3127
* 2021-08-06T03:25:03Z
* GitLab Security Bot

### Description:
minimist could be tricked into adding or modifying properties of `Object.prototype` using a `constructor` or `__proto__` payload.
* Severity: medium
* Confidence: unknown
* Location: [yarn.lock](yarn.lock)
### Solution:
Upgrade to version 1.2.2 or above.
### Identifiers:
* [Gemnasium-53e8766c-27eb-4278-8c4f-3dcef53a68bf](https://gitlab.com/gitlab-org/security-products/gemnasium-db/-/blob/master/npm/minimist/CVE-2020-7598.yml)
* [CVE-2020-7598](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7598)
### Links:
* https://nvd.nist.gov/vuln/detail/CVE-2020-7598

## Resolve vulnerability: Uncontrolled Search Path Element in execa
* https://staging.gitlab.com/gitlab-org/gitlab/-/merge_requests/3128
* 2021-08-06T03:25:16Z
* GitLab Security Bot

### Description:
Attackers could trick execa into executing arbitrary binaries. This behaviour is caused by the setting `preferLocal=true` which makes execa search for locally installed binaries and executes them. This vulnerability is usually only exploitable when using execa on a client-side LOCAL application.
* Severity: critical
* Confidence: unknown
* Location: [storybook/yarn.lock](storybook/yarn.lock)
### Solution:
Upgrade to version 2.0.0 or above.
### Identifiers:
* [Gemnasium-05cfa2e8-2d0c-42c1-8894-638e2f12ff3d](https://gitlab.com/gitlab-org/security-products/gemnasium-db/-/blob/master/npm/execa/GMS-2020-2.yml)
### Links:
* https://github.com/sindresorhus/execa/releases/tag/v2.0.0
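The search-path behaviour behind this finding, as an added example that is not execa's own code: `buildSearchPath` models what `preferLocal: true` does (the working directory and each of its ancestors contribute a `node_modules/.bin` entry placed ahead of the inherited `PATH`), and `resolveCommand` performs an ordinary first-match lookup across that list. The filesystem is a constructed in-memory set; the directory names, the planted `git`, and the helper names are assumptions for illustration. The 2.0.0 release linked above is where execa changed the default to `preferLocal: false`.

```javascript
// Added example (not execa's code): shows how preferLocal widens the command
// search path so a binary planted in a project's node_modules/.bin shadows a
// system binary of the same name. Filesystem contents are constructed.

const PATH_SEP = ':';

// Model of the preferLocal search order: cwd and every ancestor get a
// node_modules/.bin entry, prepended to the inherited PATH so local wins.
function buildSearchPath(cwd, envPath, preferLocal) {
  const inherited = envPath.split(PATH_SEP).filter(Boolean);
  if (!preferLocal) return inherited;
  const local = [];
  let dir = cwd;
  for (;;) {
    local.push(`${dir === '/' ? '' : dir}/node_modules/.bin`);
    if (dir === '/') break;
    dir = dir.slice(0, dir.lastIndexOf('/')) || '/';
  }
  return [...local, ...inherited];
}

// Ordinary PATH resolution: first directory holding the name wins. A command
// containing a slash is a path and is never searched for. `files` is the
// constructed filesystem (a Set of absolute paths that "exist").
function resolveCommand(command, searchPath, files) {
  if (command.includes('/')) return files.has(command) ? command : null;
  for (const dir of searchPath) {
    const candidate = `${dir}/${command}`;
    if (files.has(candidate)) return candidate;
  }
  return null;
}

// Constructed filesystem: the real system git plus a git planted in the
// project's .bin directory (e.g. installed by a malicious dependency).
const FILES = new Set([
  '/usr/bin/git',
  '/srv/app/node_modules/.bin/git',
  '/srv/app/node_modules/.bin/eslint',
]);
const ENV_PATH = '/usr/local/bin:/usr/bin:/bin';
const CWD = '/srv/app';

function demo() {
  const withLocal = buildSearchPath(CWD, ENV_PATH, true);    // execa < 2.0.0 default
  const withoutLocal = buildSearchPath(CWD, ENV_PATH, false); // execa >= 2.0.0 default
  return {
    // With preferLocal the planted binary is found before /usr/bin/git.
    preferLocal: resolveCommand('git', withLocal, FILES),
    // Without it the system binary is the one that runs.
    systemOnly: resolveCommand('git', withoutLocal, FILES),
    // Tools that only exist locally (the legitimate use case) need preferLocal...
    localToolWithPrefer: resolveCommand('eslint', withLocal, FILES),
    localToolWithout: resolveCommand('eslint', withoutLocal, FILES),
    // ...while an explicit absolute path sidesteps the search entirely.
    explicit: resolveCommand('/usr/bin/git', withLocal, FILES),
  };
}
```

When a project genuinely needs `node_modules/.bin` tools, the safer pattern is to keep `preferLocal` off and invoke those tools by their resolved absolute path, so that a system command name can never be hijacked by whatever a dependency drops into `.bin`.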

## Resolve vulnerability: Prototype Pollution in aws-sdk
* https://staging.gitlab.com/gitlab-org/gitlab/-/merge_requests/3129
* 2021-08-06T03:25:31Z
* GitLab Security Bot

### Description:
If an attacker submits a malicious INI file to an application that parses it with `loadSharedConfigFiles`, they will pollute the prototype on the application. This can be exploited further depending on the context.
* Severity: critical
* Confidence: unknown
* Location: [yarn.lock](yarn.lock)
### Solution:
Upgrade to version 2.814.0 or above.
### Identifiers:
* [Gemnasium-3d4bca0d-97ee-47a5-9251-a7924d950785](https://gitlab.com/gitlab-org/security-products/gemnasium-db/-/blob/master/npm/aws-sdk/CVE-2020-28472.yml)
* [CVE-2020-28472](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28472)
### Links:
* https://nvd.nist.gov/vuln/detail/CVE-2020-28472
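The mechanism shared by the minimist finding above (a `__proto__` or `constructor` segment in a `--a.b=c` argument) and this aws-sdk finding (a hostile section name in an INI file), as one added example that is not the code of either library: two toy parsers feed attacker-controlled key paths into a nested-assignment helper. The unsafe helper descends through `obj[segment]`, and because `{}['__proto__']` is `Object.prototype`, the final write lands on every object in the process; the safe helper refuses the prototype-reaching segments. The parsers' grammars are deliberately minimal (no `[profile x]` handling, no short flags), and all inputs are constructed.

```javascript
// Added example, not minimist's or aws-sdk's code. Demonstrates prototype
// pollution through two input formats and one generic guard.

const FORBIDDEN_SEGMENTS = new Set(['__proto__', 'constructor', 'prototype']);

// Vulnerable pattern: walk obj[a][b]..., creating intermediates only when
// undefined. obj['__proto__'] is Object.prototype (defined), so it becomes the
// write target; obj['constructor'] is Object, whose 'prototype' is the same.
function setPathUnsafe(obj, path, value) {
  let cur = obj;
  for (const key of path.slice(0, -1)) {
    if (cur[key] === undefined) cur[key] = {};
    cur = cur[key];
  }
  cur[path[path.length - 1]] = value;
  return true;
}

// Hardened: reject any path containing a prototype-reaching segment, and only
// descend into own plain-object properties (never inherited ones).
function setPathSafe(obj, path, value) {
  if (path.some((k) => FORBIDDEN_SEGMENTS.has(k))) return false;
  let cur = obj;
  for (const key of path.slice(0, -1)) {
    const own = Object.prototype.hasOwnProperty.call(cur, key) ? cur[key] : undefined;
    if (own === null || typeof own !== 'object') cur[key] = {};
    cur = cur[key];
  }
  cur[path[path.length - 1]] = value;
  return true;
}

// Toy argv parser: --a.b=c nests on dots, --flag is boolean true.
function parseArgv(argv, setPath) {
  const out = {};
  for (const arg of argv) {
    const m = /^--([^=]+)(?:=(.*))?$/.exec(arg);
    if (!m) continue;
    setPath(out, m[1].split('.'), m[2] === undefined ? true : m[2]);
  }
  return out;
}

// Toy INI parser: [section] headers, key = value lines, # or ; comments.
function parseIni(text, setPath) {
  const out = {};
  let section = 'default';
  for (const raw of text.split('\n')) {
    const line = raw.trim();
    if (!line || line.startsWith('#') || line.startsWith(';')) continue;
    const header = /^\[(.+)\]$/.exec(line);
    if (header) { section = header[1].trim(); continue; }
    const kv = /^([^=]+)=(.*)$/.exec(line);
    if (kv) setPath(out, [section, kv[1].trim()], kv[2].trim());
  }
  return out;
}

// Constructed hostile inputs.
const HOSTILE_ARGV = ['--__proto__.polluted=yes', '--constructor.prototype.viaCtor=1', '--port=8080'];
const HOSTILE_INI = '[__proto__]\nisAdmin = true\n\n[default]\nregion = us-east-1\n';

// Parse, then check an unrelated fresh object: any hostile key visible on it
// arrived via Object.prototype. Clean up so later runs start from a clean slate.
function run(parse, input, setPath) {
  const probe = {};
  const parsed = parse(input, setPath);
  const leaked = ['polluted', 'viaCtor', 'isAdmin'].filter((k) => probe[k] !== undefined);
  for (const k of leaked) delete Object.prototype[k];
  return { leaked, ownKeys: Object.keys(parsed) };
}

function demo() {
  return {
    argvUnsafe: run(parseArgv, HOSTILE_ARGV, setPathUnsafe), // leaked: polluted, viaCtor
    argvSafe: run(parseArgv, HOSTILE_ARGV, setPathSafe),     // leaked: none
    iniUnsafe: run(parseIni, HOSTILE_INI, setPathUnsafe),    // leaked: isAdmin
    iniSafe: run(parseIni, HOSTILE_INI, setPathSafe),        // leaked: none
  };
}
```

Note that giving the root a null prototype (`Object.create(null)`) is not enough on its own: a nested `{}` created during traversal still exposes `__proto__`, so `--a.__proto__.x=1` pollutes through it. Filtering the segments, or using null-prototype objects at every level, is the generic form of the defence; the fixed versions of both libraries stop this class of input, though the guard above is not their exact code.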

## Resolve vulnerability: Improper Certificate Validation in xmlhttprequest-ssl
* https://staging.gitlab.com/gitlab-org/gitlab/-/merge_requests/3130
* 2021-08-06T03:25:45Z
* GitLab Security Bot

### Description:
The xmlhttprequest-ssl package for Node.js disables SSL certificate validation by default, because `rejectUnauthorized` (when the property exists but is undefined) is considered to be false within the `https.request` function of Node.js. In other words, no certificate is ever rejected.
* Severity: critical
* Confidence: unknown
* Location: [yarn.lock](yarn.lock)
### Solution:
Upgrade to version 1.6.1 or above.
### Identifiers:
* [Gemnasium-204c0a15-a193-4adf-a4dd-61d5d54f8097](https://gitlab.com/gitlab-org/security-products/gemnasium-db/-/blob/master/npm/xmlhttprequest-ssl/CVE-2021-31597.yml)
* [CVE-2021-31597](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-31597)
### Links:
* https://nvd.nist.gov/vuln/detail/CVE-2021-31597
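The option-handling pitfall behind this finding, as an added example that is not xmlhttprequest-ssl's code: a wrapper that copies a per-request `rejectUnauthorized` field unconditionally produces an options object in which the key is present with the value `undefined`, which overwrites a secure default during an `Object.assign` merge and is then read as falsy. `verifiesCertificate` stands in for a consumer that treats a falsy value as "skip verification", the behaviour the advisory describes; it does not reproduce Node's https internals. The function names, the target URL, and `assertVerification` are assumptions for illustration.

```javascript
// Added example, not xmlhttprequest-ssl's code: models how a present-but-
// undefined rejectUnauthorized defeats a secure default, and the fix.

const SECURE_DEFAULTS = { rejectUnauthorized: true };

// Buggy wrapper pattern: the per-request field is copied even when the caller
// never set it, so the merged object carries rejectUnauthorized: undefined,
// which replaces the `true` from SECURE_DEFAULTS.
function buildOptionsBuggy(url, userOpts) {
  return Object.assign({}, SECURE_DEFAULTS, {
    hostname: url.hostname,
    port: url.port || 443,
    rejectUnauthorized: userOpts.rejectUnauthorized,
  });
}

// Fixed wrapper: only an explicit `false` disables verification; an absent or
// undefined value keeps the secure default.
function buildOptionsFixed(url, userOpts) {
  return Object.assign({}, SECURE_DEFAULTS, {
    hostname: url.hostname,
    port: url.port || 443,
    rejectUnauthorized: userOpts.rejectUnauthorized !== false,
  });
}

// Model of a consumer that reads a falsy rejectUnauthorized as "do not verify"
// (the behaviour the advisory describes for a present-but-undefined key).
function verifiesCertificate(options) {
  return Boolean(options.rejectUnauthorized);
}

// Fail-closed guard to run before any outbound request: anything other than
// the boolean true is treated as a misconfiguration.
function assertVerification(options) {
  if (options.rejectUnauthorized !== true) {
    throw new Error(`TLS verification disabled: rejectUnauthorized=${String(options.rejectUnauthorized)}`);
  }
  return options;
}

function demo() {
  const url = new URL('https://example.test/api'); // constructed target
  const noOpinion = {};                             // caller did not set the option
  const optOut = { rejectUnauthorized: false };     // explicit, deliberate opt-out
  const buggy = buildOptionsBuggy(url, noOpinion);
  const fixed = buildOptionsFixed(url, noOpinion);
  let guardTripped = false;
  try { assertVerification(buggy); } catch (e) { guardTripped = true; }
  return {
    buggyKeyPresent: 'rejectUnauthorized' in buggy,  // true: the key exists...
    buggyValue: buggy.rejectUnauthorized,            // ...with value undefined
    buggyVerifies: verifiesCertificate(buggy),       // false: silently insecure
    fixedVerifies: verifiesCertificate(fixed),       // true
    explicitOptOutVerifies: verifiesCertificate(buildOptionsFixed(url, optOut)), // false, by choice
    guardTripped,                                    // true: guard catches the buggy object
  };
}
```

The general lesson is to normalise security-relevant booleans to an explicit `true`/`false` at the boundary where user options are accepted, and to treat only a literal `false` as an opt-out; `'key' in opts` and `opts.key !== undefined` checks are easy to defeat by a key that is present but unset.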