Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Update dependency gatsby to v5.9.1 [SECURITY] #270

Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

Update dependency gatsby to v5.9.1 [SECURITY] #270

wants to merge 1 commit into from

Conversation

renovate[bot]
Copy link
Contributor

@renovate renovate bot commented Jun 9, 2023
edited
Loading

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
gatsby (source, changelog) 5.9.0 -> 5.9.1 age adoption passing confidence

GitHub Vulnerability Alerts

CVE-2023-34238

Impact

The Gatsby framework prior to versions 4.25.7 and 5.9.1 contain a Local File Inclusion vulnerability in the __file-code-frame and __original-stack-frame paths, exposed when running the Gatsby develop server (gatsby develop).

The following steps can be used to reproduce the vulnerability:


# Create a new Gatsby project
$ npm init gatsby
$ cd my-gatsby-site

# Start the Gatsby develop server
$ gatsby develop

# Execute the Local File Inclusion vulnerability in __file-code-frame
$ curl "http://127.0.0.1:8000/__file-code-frame?filePath=/etc/passwd&lineNumber=1"

# Execute the Local File Inclusion vulnerability in __original-stack-frame
$ curl "http://127.0.0.1:8000/__original-stack-frame?moduleId=/etc/hosts&lineNumber=1&skipSourceMap=1"

It should be noted that by default gatsby develop is only accessible via the localhost 127.0.0.1, and one would need to intentionally expose the server to other interfaces to exploit this vulnerability by using server options such as --host 0.0.0.0, -H 0.0.0.0, or the GATSBY_HOST=0.0.0.0 environment variable.

Patches

A patch has been introduced in [email protected] and [email protected] which mitigates the issue.

Workarounds

As stated above, by default gatsby develop is only exposed to the localhost 127.0.0.1. For those using the develop server in the default configuration no risk is posed. If other ranges are required, preventing the develop server from being exposed to untrusted interfaces or IP address ranges would mitigate the risk from this vulnerability.

We encourage projects to upgrade to the latest major release branch for all Gatsby plugins to ensure the latest security updates and bug fixes are received in a timely manner.

Credits

We would like to thank Maxwell Garrett of Assetnote for bringing the __file-code-frame issue to our attention.

For more information

Email us at [email protected].

Release Notes

gatsbyjs/gatsby (gatsby)

v5.9.1

Compare Source

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate bot force-pushed the renovate/npm-gatsby-vulnerability branch from 81d5d00 to 5c38a95 Compare June 13, 2023 14:37
@renovate renovate bot force-pushed the renovate/npm-gatsby-vulnerability branch from 5c38a95 to 09ec13d Compare June 18, 2023 08:06
@renovate renovate bot force-pushed the renovate/npm-gatsby-vulnerability branch from 09ec13d to 8bfdb15 Compare June 29, 2023 12:15
@renovate renovate bot force-pushed the renovate/npm-gatsby-vulnerability branch from 8bfdb15 to 6b0ebe4 Compare July 1, 2023 16:26
@renovate renovate bot force-pushed the renovate/npm-gatsby-vulnerability branch from 6b0ebe4 to 5700e15 Compare July 6, 2023 13:09
@renovate renovate bot force-pushed the renovate/npm-gatsby-vulnerability branch from 5700e15 to c6c71d8 Compare July 9, 2023 09:44
@renovate renovate bot force-pushed the renovate/npm-gatsby-vulnerability branch from c6c71d8 to 9db1085 Compare July 16, 2023 13:51
@renovate renovate bot force-pushed the renovate/npm-gatsby-vulnerability branch from 9db1085 to 6c135f1 Compare July 19, 2023 09:46
@renovate renovate bot force-pushed the renovate/npm-gatsby-vulnerability branch from 6c135f1 to d482220 Compare July 27, 2023 16:28
@renovate renovate bot force-pushed the renovate/npm-gatsby-vulnerability branch from d482220 to 688dff1 Compare August 1, 2023 16:56
@renovate renovate bot force-pushed the renovate/npm-gatsby-vulnerability branch from 688dff1 to ac36f95 Compare August 9, 2023 15:29
@renovate renovate bot force-pushed the renovate/npm-gatsby-vulnerability branch from ac36f95 to 18ae21b Compare August 13, 2023 07:37
@renovate renovate bot force-pushed the renovate/npm-gatsby-vulnerability branch from 18ae21b to 079fe42 Compare August 22, 2023 20:41
@renovate renovate bot force-pushed the renovate/npm-gatsby-vulnerability branch from 079fe42 to b7f8a40 Compare August 27, 2023 08:20
@renovate renovate bot force-pushed the renovate/npm-gatsby-vulnerability branch from b7f8a40 to aabd828 Compare September 15, 2023 18:36
@renovate renovate bot force-pushed the renovate/npm-gatsby-vulnerability branch from 1ce5ade to b60db6d Compare February 25, 2024 10:54
@renovate renovate bot force-pushed the renovate/npm-gatsby-vulnerability branch from b60db6d to a1c505d Compare March 12, 2024 09:44
@renovate renovate bot force-pushed the renovate/npm-gatsby-vulnerability branch from a1c505d to c7103ac Compare March 20, 2024 16:33
@renovate renovate bot force-pushed the renovate/npm-gatsby-vulnerability branch from c7103ac to abf599c Compare March 24, 2024 14:59
@renovate renovate bot force-pushed the renovate/npm-gatsby-vulnerability branch from abf599c to 98caf54 Compare April 14, 2024 09:35
@renovate renovate bot force-pushed the renovate/npm-gatsby-vulnerability branch from 98caf54 to 4226402 Compare April 21, 2024 10:57
@renovate renovate bot force-pushed the renovate/npm-gatsby-vulnerability branch from 4226402 to b544843 Compare April 25, 2024 10:26
@renovate renovate bot force-pushed the renovate/npm-gatsby-vulnerability branch from b544843 to 9d55ae7 Compare June 4, 2024 10:10
@renovate renovate bot force-pushed the renovate/npm-gatsby-vulnerability branch from 9d55ae7 to f2aee6e Compare June 24, 2024 17:02
@renovate renovate bot force-pushed the renovate/npm-gatsby-vulnerability branch from f2aee6e to 78ed8b8 Compare July 21, 2024 14:30
@renovate renovate bot force-pushed the renovate/npm-gatsby-vulnerability branch from 78ed8b8 to d1b782a Compare August 6, 2024 09:46
@renovate renovate bot force-pushed the renovate/npm-gatsby-vulnerability branch from d1b782a to f978c71 Compare August 28, 2024 09:43
@renovate renovate bot force-pushed the renovate/npm-gatsby-vulnerability branch from f978c71 to d940b02 Compare October 9, 2024 11:53
@renovate renovate bot force-pushed the renovate/npm-gatsby-vulnerability branch from d940b02 to 6944d7e Compare December 2, 2024 10:25
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
0 participants