Hey guys o/ We are currently developing an app for Confluence cloud and during the development we stumbled across the following requirements regarding externally used libraries:
No problem for us, so we added auditjs to our build stack and we are now scanning our dependencies and the dependencies of our dependencies. Unfortunately our scanner stumbled across a vulnerability which is as follows:
Vulnerability Title: CWE-400: Uncontrolled Resource Consumption (‘Resource Exhaustion’) (node-fetch)
Description: The software does not properly restrict the size or amount of resources that are requested or influenced by an actor, which can be used to consume more resources than intended.
CVSS Score: 7.5
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Reference: CWE-400: Uncontrolled Resource Consumption ('Resource Exhaustion') - Sonatype OSS Index
After tracking down the usage of the npm/node-fetch dependency, we found the following dependency chain: node-fetch → isomorphic-fetch → fbjs → styled-components → @atlaskit/banner, @atlaskit/form and other AtlasKit modules
So actually we can’t do anything regarding this vulnerability besides acknowledging it and whitelisting it internally. You might ask yourself now, “why is he here?” My key message is basically for the team at Atlassian that maintains the AtlasKit to check for that vulnerability and maybe fix it by using the latest version of this dependency (just as you suggest us to do in the previously mentioned page: “We recommend that you use the latest stable version of any library to minimize the risk of exploitation.”).
If this thing is already fixed, just let me know and we will try to solve the issue on our end. That’s it. Over and out o/
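The "tracking down" step in the post, automated as an added example (not code from the post or from AtlasKit): walk a package-lock.json (lockfile v1 layout, nested `dependencies` plus `requires`, resolved the way npm does) and print every chain from a direct dependency down to the flagged package. The lockfile, package.json and version strings below are constructed placeholders mirroring the chain in the post.

```javascript
// Constructed inputs (placeholders, not real versions) mirroring the post's chain.
// For a real project: pkg = JSON.parse(fs.readFileSync('package.json')),
//                     lock = JSON.parse(fs.readFileSync('package-lock.json')).
const pkg = { dependencies: { '@atlaskit/banner': '*', '@atlaskit/form': '*' } };
const lock = {
  dependencies: {
    '@atlaskit/banner':  { version: '0.0.0-placeholder', requires: { 'styled-components': '*' } },
    '@atlaskit/form':    { version: '0.0.0-placeholder', requires: { 'styled-components': '*' } },
    'styled-components': { version: '0.0.0-placeholder', requires: { fbjs: '*' } },
    fbjs: {
      version: '0.0.0-placeholder',
      requires: { 'isomorphic-fetch': '*' },
      // nested (non-hoisted) copy, as npm produces when versions conflict
      dependencies: { 'isomorphic-fetch': { version: '0.0.0-placeholder', requires: { 'node-fetch': '*' } } },
    },
    'node-fetch': { version: '0.0.0-placeholder' },
  },
};

// npm resolution: a required name is satisfied by the nearest enclosing
// "dependencies" map that contains it, walking from the requirer up to the root.
// `ancestors` is the list of nodes enclosing the requirer, innermost last.
function resolve(name, ancestors) {
  for (let i = ancestors.length - 1; i >= 0; i--) {
    const deps = ancestors[i].dependencies || {};
    if (deps[name]) return { node: deps[name], ancestors: ancestors.slice(0, i + 1) };
  }
  return null; // unresolvable in this lockfile
}

// Returns every chain "target -> ... -> directDependency", depth-first,
// starting only from the project's direct dependencies (hoisted transitive
// entries at the lockfile root are not reported as starting points).
function findChains(packageJson, lockfile, target) {
  const chains = [];
  const visit = (name, node, ancestors, path) => {
    if (path.includes(name)) return; // cycle guard
    const next = path.concat(name);
    if (name === target) { chains.push([...next].reverse().join(' -> ')); return; }
    for (const req of Object.keys(node.requires || {})) {
      const hit = resolve(req, ancestors.concat(node));
      if (hit) visit(req, hit.node, hit.ancestors, next);
    }
  };
  for (const name of Object.keys(packageJson.dependencies || {})) {
    const node = (lockfile.dependencies || {})[name];
    if (node) visit(name, node, [lockfile], []);
  }
  return chains;
}

findChains(pkg, lock, 'node-fetch').forEach((c) => console.log(c));
```

Each printed chain names the direct dependency whose upgrade (or whose upstream fix) would actually remove the flagged package, which is what decides whether the finding can be fixed locally or only acknowledged.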