request #40110 Ignore vue CVE-2024-9506

Submitted by Joris MASSON (jmasson) on 2024-10-25 10:19, last updated 2024-11-04 11:10

Details

Ignore vue CVE-2024-9506

    Vue 2 is EOL; migration to Vue 3 is underway. Moreover, it's not clear whether this issue can actually be triggered:

    1. I could not reproduce it with our .vue files. In the example, the template is provided as a string. Doing a quick search on the Tuleap codebase, I have found zero such cases, we always pass template via single-file components, which go through a "compilation" step that seems to remove this issue.
    2. I don't think there are any bad closing tags in our codebase. My IDE would not let me write it, I had to copy/paste the bad snippet, and then eslint would complain, it would appear during code review, etc. Basically, there are very few chances of triggering this.
3. In the worst case, it is a ReDoS: the app will be very slow, but it is not an XSS where data can be extracted.
Dependencies: none
Type: [ ] enhancement, [ ] internal improvement
Stage: Closed by Joris MASSON (jmasson) on 2024-10-25
Attachments: none

    Follow-ups

Thomas Gerbet (tgerbet) 2024-11-04 11:10

I confirm there is no security impact, we do not render arbitrary templates. Moving it to the permanent ignore list until we can drop Vue 2 entirely, see gerrit #32361.