Search

Order by

Refresh results

Type: Task
Resolution: Fixed
Priority: Normal
Component/s: LB
Labels:
None

GitHub Alert ID:
3,157,608,042

CVE-2022-38900 affects package decode-uri-component <= 0.2.0 which metabrainz/listenbrainz-server depends on.

Please self-assign this ticket and check metabrainz/listenbrainz-server alerts, then:

Dismiss the corresponding alert in GitHub if there is a valid reason (patch in progress, no bandwidth, tolerable risk, inaccurate alert, or unused code) for.
Create a new ticket in the affected JIRA project, link it to this ticket (do not move this ticket to another project), and address that new ticket.

In both case, GitHub Bot will close this ticket for you, except if you backport a patch on a vulnerable dependency.

This ticket has been created by SEC automation.

yvanzo added a comment - 2023-03-28 17:08

It has been automatically marked as resolved in GitHub, but this has not been propagated to this SEC ticket for some reason.

References:

I also checked that the listenbrainz-server repository does not currently depends on any vulnerable version of decode-uri-component node module.

P.S. By checking indirect dependencies, I found out that listenbrainz-server currently depends on the deprecated source-map-resolve node module.

yvanzo added a comment - 2023-03-28 17:08 It has been automatically marked as resolved in GitHub, but this has not been propagated to this SEC ticket for some reason. References: https://github.com/metabrainz/listenbrainz-server/security/dependabot/42 https://github.com/metabrainz/listenbrainz-server/pull/2273 I also checked that the listenbrainz-server repository does not currently depends on any vulnerable version of decode-uri-component node module. P.S. By checking indirect dependencies, I found out that listenbrainz-server currently depends on the deprecated source-map-resolve node module.

Assignee:: yvanzo

Reporter:: GitHub Bot

Votes:: 0 Vote for this issue

Watchers:: 1 Start watching this issue

Created:: 2022-11-30 01:13

Updated:: 2023-03-28 17:08

Resolved:: 2023-03-28 17:08

Version	Package

Filters

Favorite Filters

Export - CSV (All fields)

Export - CSV (Current fields)

Search

[listenbrainz-server] CVE-2022-38900: decode-uri-component <= 0.2.0

Filters

Favorite Filters

Details

Description

Attachments

Activity

Collapse comment: yvanzo added a comment - 2023-03-28 17:08

Expand comment: yvanzo added a comment - 2023-03-28 17:08

People

Dates

Packages