GMS-2022-564: Improper Certificate Validation
(updated )
Certificate validation in node-sass 2.0.0 to 4.14.1 is disabled when requesting binaries even if the user is not specifying an alternative download path. This affects eZ Platform v2.5 only. The maintainers resolved it by replacing node-sass 4.11 with sass 1.32.13. This issue also affects ezsystems/ezplatform and ezsystems/ezplatform-page-builder.
References
- developers.ibexa.co/security-advisories/ibexa-sa-2022-002-vulnerability-in-node-sass
- github.com/advisories/GHSA-6v6p-g8cg-2hgg
- github.com/advisories/GHSA-r8f7-9pfq-mjmv
- github.com/ezsystems/ezplatform-admin-ui/releases/tag/v1.5.27
- github.com/ezsystems/ezplatform-admin-ui/security/advisories/GHSA-6v6p-g8cg-2hgg
- nvd.nist.gov/vuln/detail/CVE-2020-24025
Code Behaviors & Features
Detect and mitigate GMS-2022-564 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →