Open vulnerabilities for express-fileupload

[jhtann]

Currently, at the latest master e107592, I've observed that express-fileupload using version 1.4.0, which exposes vulnerabilities CVE-2022-27140 (critical) and CVE-2022-27261 (high).

Despite upgrading to version 1.5.0, both vulnerabilities persist in the Express-fileupload library.

Details:

CVE-2022-27140 (CRITICAL): being disputed in the NIST database
CVE-2022-27261 (HIGH): still open, might pose a risk for file overwrite

Previous Discussions:

Issue #312: Link
Issue #316: Link

Do we assess the risks associated with these vulnerabilities, given that we are using express-fileupload: 1.4.0?

[benzino77]

Hi,

Based on the CVE links you provided v1.4.0 version of express-fileupload is not vulnerable.
Based on the Issue links you provided it is also indicated that the vulnerability is "questionable":

CVE-2022-27140 is marked as "disputed".

[jhtann]

yea, is there any plan to upgrade the version express-fileupload to 1.5.0, even the "disputed" cve existed in latest version 🤔

[benzino77]

Will take a look at that after my vacations.

[benzino77]

Looks like v1.5.0 brings some "unexpected" breaking changes. For now I've upgraded express-fileupload package to v1.4.3 and push new docker image to repository.
When I have more time, I will try to investigate why clamav-rest-api is not working as expected with version v1.5.0.

[jhtann]

thanks @benzino77 for the update and finding 👍

[benzino77]

I have updated express-fileupload to v1.5.0 and pushed new docker image version.