Description
Improper Certificate Validation in node-sass affects eZ Platform
Certificate validation in node-sass 2.0.0 to 4.14.1 is disabled when requesting binaries, even when the user does not specify an alternative download path. This affects eZ Platform v2.5 only. The maintainers resolved it by replacing node-sass 4.11 with sass 1.32.13. This issue also affects ezsystems/ezplatform and ezsystems/ezplatform-page-builder.
References
- https://github.com/ezsystems/ezplatform-admin-ui/security/advisories/GHSA-6v6p-g8cg-2hgg
- https://nvd.nist.gov/vuln/detail/CVE-2020-24025
- https://developers.ibexa.co/security-advisories/ibexa-sa-2022-002-vulnerability-in-node-sass
- https://github.com/advisories/GHSA-r8f7-9pfq-mjmv
- https://github.com/ezsystems/ezplatform-admin-ui/releases/tag/v1.5.27
Packages
- Name: ezsystems/ezplatform-admin-ui (composer)
- Affected versions: >= 1.5.0, < 1.5.27
- Fixed version: 1.5.27
CVSS3: 5.3 Medium
Weaknesses
- CWE-295