This vulnerability impacts npm (server) users of moment.js,
and you can see this is not used on the server as the path where this is found is .../static/... and JupyterHub is (mostly) written in Python.
We can still open an issue on JupyterHub to make sure they bump the minimal version.
Also, in general, if you have doubts or want to talk about a security issue, you want to write to [email protected], which we monitor more closely, and discussions there will be private.
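The triage reasoning in the reply above, as an added example that is not part of the original thread or of JupyterHub's code: it annotates each scanner finding with whether the installed version is below the fix and whether the file sits under a browser-served `static` directory. The JSON field names are assumed to match Trivy's JSON report, the sample finding is constructed from the values in this issue, and the `static` check is a hint for the reviewer, not proof that no server-side Node code loads the package.

```python
import json

# Constructed sample: the finding from this issue, laid out with the field
# names Trivy's JSON report uses (assumed; check against your Trivy version).
SAMPLE_REPORT = json.dumps({"Results": [{
    "Target": "Node.js",
    "Vulnerabilities": [{
        "VulnerabilityID": "CVE-2022-24785",
        "PkgName": "moment",
        "PkgPath": "opt/conda/share/jupyterhub/static/components/moment/package.json",
        "InstalledVersion": "2.29.1",
        "FixedVersion": "2.29.2",
        "Severity": "HIGH",
    }],
}]})

def version_tuple(version):
    """Turn '2.29.1' into (2, 29, 1); non-numeric parts compare as 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in version.strip().split("."))

def triage(report_json, static_dirs=("static",)):
    """Annotate each finding with two facts a reviewer needs: is the installed
    version below the fix, and does the file sit in a directory of
    browser-served assets (a hint that it is not run by Node on the server)."""
    findings = []
    for result in json.loads(report_json).get("Results", []):
        for vuln in result.get("Vulnerabilities") or []:  # key may be null
            path = vuln.get("PkgPath", "")
            fixed = vuln.get("FixedVersion", "").split(",")[0]
            outdated = bool(fixed) and (
                version_tuple(vuln["InstalledVersion"]) < version_tuple(fixed))
            findings.append({
                "id": vuln["VulnerabilityID"],
                "package": vuln["PkgName"],
                "outdated": outdated,
                "static_asset": any(d in path.split("/") for d in static_dirs),
                "path": path,
            })
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE_REPORT):
        where = "client-side asset" if f["static_asset"] else "check for server-side use"
        action = "bump to fixed version" if f["outdated"] else "no upgrade needed"
        print(f'{f["id"]} {f["package"]}: {where}; {action} ({f["path"]})')
```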
Thanks, @Carreau, for the details. I had this in mind as well but wanted to at least have this reported to confirm what exactly this would (or would not) affect. Thanks for opening the issue for bumping the version; feel free to close this as well if needed.
Greetings, recently we ran a security check (Trivy) in our installed Jupyter image (jupyterhub==1.5.0) and spotted the following vulnerability issue, and looking over the discussion on #9 I thought it was worth mentioning those here:
CVE-2022-24785
High
Package: moment
Installed Version: 2.29.1
Vulnerability CVE-2022-24785
Severity: HIGH
Fixed Version: 2.29.2
Link: CVE-2022-24785
maybe relevant GHSA-8hfj-j24r-96c4
found in opt/conda/share/jupyterhub/static/components/moment/package.json:1
Thanks in advance.