Outdated packages in third_party/webkit/PerformanceTests/Speedometer3 and third_party/webkit/PerformanceTests/Speedometer
Categories
(Testing :: Performance, defect, P3)
Tracking
(Not tracked)
People
(Reporter: u771097, Unassigned)
References
(Depends on 1 open bug)
Details
(Keywords: reporter-external, Whiteboard: [fxp])
Attachments
(1 file: 110.96 KB, image/png)
User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/135.0.0.0 Safari/537.36
Steps to reproduce:
1. third_party/webkit/PerformanceTests/Speedometer3/resources/newssite/news-nuxt/package.json
2. third_party/webkit/PerformanceTests/Speedometer/resources/todomvc/architecture-examples/angularjs/package.json
3. third_party/webkit/PerformanceTests/Speedometer/resources/todomvc/architecture-examples/react/package.json
Actual results:
These package files have outdated dependencies.
1. Improper Handling of Extra Parameters
https://nvd.nist.gov/vuln/detail/CVE-2023-26159
https://security.snyk.io/vuln/SNYK-JS-FOLLOWREDIRECTS-6141137 (POC too)
Information Exposure
https://security.snyk.io/vuln/SNYK-JS-FOLLOWREDIRECTS-6444610 (POC too)
2. AngularJS has 10 vulnerabilities, so I attached a screenshot.
3. react@15.5.4 and react-dom@15.5.4 have the dependency
ua-parser-js https://security.snyk.io/vuln/SNYK-JS-UAPARSERJS-1023599
https://nvd.nist.gov/vuln/detail/CVE-2020-7793
Expected results:
Packages and their dependencies must be upgraded to the newest version.
Comment 1 • 19 days ago
This is code used by a benchmark that is going to only run on fixed data that we control. How can this be exploited by an attacker?
Yes, you’re correct that this code is used in a controlled benchmark environment, where the risk of external exploitation is low. However, there are still potential concerns:
Unintentional Propagation: Vulnerabilities could be inadvertently carried over into other projects or environments that lack the same strict controls.
Internal Risks: Even in a controlled environment, trusted developers or teams could unintentionally or maliciously exploit vulnerabilities.
Security Best Practices: Regularly updating dependencies to their latest versions is a standard security practice. This reduces the risk of data leaks and helps maintain a high security standard across the codebase.
Recommendation: While the likelihood of exploitation may be minimal, updating dependencies is still the best course of action to mitigate potential risks and ensure a secure development environment.
Ultimately, it all depends on the developer. If he has access, he can use it for his own purposes, because it often happens that the developer himself provides vulnerable software.
Comment 3 • 19 days ago
I'm not interested in theoretical concerns, I'd like an actual demonstration of specific harm from an attacker.
(In reply to Andrew McCreight [:mccr8] from comment #3)
> I'm not interested in theoretical concerns, I'd like an actual demonstration of specific harm from an attacker.
Isn't that the point? The vulnerability is there in advance, even if it's theoretical. In any case, even if this package is not used, remove it, and if it is used, update it.
What is the point of development and support in general, then?
After all, anything can happen, not today but tomorrow, and then whose fault will it be: the person who reported it or the developer who ignored it?
Comment 5 • 14 days ago
> if it is used, update it.
That would invalidate it as a standard cross-browser comparison if we're running a different version than other browser vendors use to test.
Comment 6 • 2 days ago
The severity field is not set for this bug.
:afinder, could you have a look please?
For more information, please visit BugBot documentation.