Description
Hi @hiranya911, @lahirumaramba, there are two vulnerabilities introduced in your package:
Issue Description
Vulnerabilities CVE-2020-7720 detected in package node-forge<0.10.0 and CVE-2020-7765 detected in package @firebase/util<0.3.4 are referenced by firebase-admin@8.13.0. We noticed that the vulnerabilities have been removed since firebase-admin@9.2.0.
However, firebase-admin's popular previous version firebase-admin@8.13.0 (78,863 downloads per week) is still transitively referenced by a large number of the latest versions of active and popular downstream projects (about 498 downstream projects, e.g., @paperbits/firebase 0.1.429, dblibrary 1.338.0, @endran/firebridge 2.0.0, firestore-to-bigquery-export 1.7.2, @meditect/geofirestore-clustering-js 1.0.8, multi-db-orm@1.0.8, node-paytmpg@2.0.4, etc.).
As such, issues CVE-2020-7720 and CVE-2020-7765 can propagate into these downstream projects and expose them to security threats.
These projects cannot easily upgrade firebase-admin from version 8.13.0 to (>=9.2.0). For instance, firebase-admin@8.13.0 is introduced into the above projects via the following package dependency paths:
(1) multi-db-orm@1.0.8 ➔ node-firestore-import-export@1.1.0 ➔ firebase-admin@8.13.0 ➔ node-forge@0.7.6
(2) node-paytmpg@2.0.4 ➔ multi-db-orm@1.0.8 ➔ node-firestore-import-export@1.1.0 ➔ firebase-admin@8.13.0 ➔ node-forge@0.7.6
(3) multi-db-orm@1.0.8 ➔ node-firestore-import-export@1.1.0 ➔ firebase-admin@8.13.0 ➔ @firebase/database@0.6.13 ➔ @firebase/component@0.1.19 ➔ @firebase/util@0.3.2
......
The projects such as node-firestore-import-export, which introduced firebase-admin@8.13.0, are not maintained anymore. These unmaintained packages can neither upgrade firebase-admin nor be easily migrated away from by the large number of affected downstream projects.
On behalf of the downstream users, could you help us remove the vulnerability from package firebase-admin@8.13.0?
Suggested Solution
Since these inactive projects set a version constraint of 8.13.0 for firebase-admin on the above vulnerable dependency paths, if firebase-admin removes the vulnerability from 8.13.0 and releases a new patched version firebase-admin@8.13.1, such a vulnerability patch can be automatically propagated into the 498 affected downstream projects.
In firebase-admin@8.13.1, you can kindly try to perform the following upgrade:
(1) node-forge ^0.7.6 ➔ ^0.10.0;
(2) @firebase/database ^0.6.0 ➔ ^0.7.1;
Note:
node-forge@0.10.0 (>=0.10.0) has fixed the vulnerability (CVE-2020-7720);
@firebase/database@0.7.1 (>=0.7.1) transitively depends on @firebase/util@0.3.4 (a version with CVE-2020-7765 patched).
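To check whether a project's own dependency tree still reaches the affected versions along paths like (1) and (3) above, or is clean after the suggested bump, here is an added example (not code from this issue or from firebase-admin) that walks an `npm ls --json`-style tree; the sample tree and the fix versions it checks against are taken from this issue, and the tree is constructed, not real npm output.

```javascript
// Added example, not code from the issue or from firebase-admin: walk an
// `npm ls --json`-style tree and report paths reaching a version below the fix.

// Fixed versions as stated in the issue; anything older is treated as affected.
const ADVISORIES = {
  "node-forge": { fixed: "0.10.0", cve: "CVE-2020-7720" },
  "@firebase/util": { fixed: "0.3.4", cve: "CVE-2020-7765" },
};

// Minimal numeric compare for plain "x.y.z" versions (no prerelease tags).
function compareVersions(a, b) {
  const pa = a.split(".").map(Number), pb = b.split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const x = pa[i] || 0, y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Depth-first walk over { dependencies: { name: { version, dependencies } } }.
// Returns one finding per affected node, with the full path that reaches it.
function findVulnerablePaths(tree, path = []) {
  const findings = [];
  for (const [name, node] of Object.entries(tree.dependencies || {})) {
    const here = [...path, `${name}@${node.version}`];
    const adv = ADVISORIES[name];
    if (adv && compareVersions(node.version, adv.fixed) < 0) {
      findings.push({ cve: adv.cve, path: here.join(" ➔ ") });
    }
    findings.push(...findVulnerablePaths(node, here));
  }
  return findings;
}

// Constructed sample tree mirroring dependency paths (1) and (3) from the issue;
// it is not real `npm ls` output.
const dep = (version, dependencies = {}) => ({ version, dependencies });
const SAMPLE_TREE = {
  dependencies: {
    "node-firestore-import-export": dep("1.1.0", {
      "firebase-admin": dep("8.13.0", {
        "node-forge": dep("0.7.6"),
        "@firebase/database": dep("0.6.13", {
          "@firebase/component": dep("0.1.19", { "@firebase/util": dep("0.3.2") }),
        }),
      }),
    }),
  },
};
for (const f of findVulnerablePaths(SAMPLE_TREE)) console.log(`${f.cve}: ${f.path}`);
```

Against a real project, feed it the parsed output of `npm ls --all --json` in place of `SAMPLE_TREE`; an empty result after the suggested bump confirms the patched path.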
Thanks again for your contributions.
Best regards,
Paimon