Security advisory: IBEXA-SA-2022-002

Vulnerability in node-sass
Publication date:
21/03/2022, 16:14

Severity:
High

Affected versions: ezsystems/ezplatform v2.5.*, ezsystems/ezplatform-admin-ui v1.5.*, ezsystems/ezplatform-page-builder v1.3.*
Resolving versions: ezsystems/ezplatform v2.5.28, ezsystems/ezplatform-admin-ui v1.5.27, ezsystems/ezplatform-page-builder v1.3.25

This security advisory concerns a vulnerability in the node-sass JavaScript package: TLS certificate validation is disabled when node-sass downloads its prebuilt binaries at install time, even if the user has not specified an alternative download path, so a network attacker in a position to intercept that download could serve a different binary. Please see CVE-2020-24025.
https://github.com/advisories/GHSA-r8f7-9pfq-mjmv
https://nvd.nist.gov/vuln/detail/CVE-2020-24025

This affects eZ Platform v2.5 only. We resolve it by replacing node-sass 4.11 with sass 1.32.13 (Dart Sass published as pure JavaScript, which does not download a native binary at install time). Three repositories are affected; please see the affected versions above.

Installation: The update changes one yarn module, so all that is needed is to reinstall the yarn modules, rebuild the assets and clear the cache. The built-in post-update-cmd covers this.
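After running the update, a quick way to confirm that the vulnerable module is really gone is to inspect the resolved yarn.lock. The script below is an added example for this advisory, not Ibexa's code and not part of post-update-cmd: it reads a yarn v1 lockfile, reports whether node-sass is still resolved, and checks that sass is pinned at or above the resolving version 1.32.13. The two lockfiles it writes to a temporary directory are constructed samples (a "before" and an "after" state), not real project files.

```shell
#!/bin/sh
# Added example (not Ibexa's code): verify a yarn.lock after the update.
# Assumes the yarn v1 lockfile layout, where each entry starts at column 0 as
#   pkg@range:            (or "pkg@range": for scoped/quoted names)
# followed by an indented   version "x.y.z"   line.

MIN_SASS="1.32.13"   # resolving sass version per the advisory

# ver_ge A B -> exit 0 if dotted version A >= B, else 1 (numeric per component)
ver_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        for (i = 1; i <= (n > m ? n : m); i++) {
            if (x[i] + 0 > y[i] + 0) exit 0
            if (x[i] + 0 < y[i] + 0) exit 1
        }
        exit 0
    }'
}

# lockfile_version LOCK PKG -> prints the resolved version of PKG, nothing if absent.
# The anchored regex means "sass" does not match "node-sass" or "sass-loader".
lockfile_version() {
    awk -v pkg="$2" '
        /^[^[:space:]]/ { inpkg = ($0 ~ "^\"?" pkg "@") }
        inpkg && /^[[:space:]]+version "/ { gsub(/"/, "", $2); print $2; exit }
    ' "$1"
}

# check_lockfile LOCK -> exit 0 only if node-sass is absent and sass >= MIN_SASS
check_lockfile() {
    lock="$1"
    if [ -n "$(lockfile_version "$lock" node-sass)" ]; then
        echo "FAIL: node-sass is still resolved in $lock" >&2
        return 1
    fi
    sass_ver="$(lockfile_version "$lock" sass)"
    if [ -z "$sass_ver" ]; then
        echo "FAIL: sass is not resolved in $lock" >&2
        return 1
    fi
    if ! ver_ge "$sass_ver" "$MIN_SASS"; then
        echo "FAIL: sass $sass_ver is older than $MIN_SASS in $lock" >&2
        return 1
    fi
    echo "OK: node-sass absent, sass $sass_ver >= $MIN_SASS in $lock"
    return 0
}

TMP="$(mktemp -d)"

# Constructed sample: lockfile before the update (still pulls node-sass)
cat > "$TMP/before.lock" <<'EOF'
# yarn lockfile v1

node-sass@^4.11.0:
  version "4.11.0"
  resolved "https://registry.yarnpkg.com/node-sass/-/node-sass-4.11.0.tgz"

sass-loader@^7.1.0:
  version "7.1.0"
EOF

# Constructed sample: lockfile after the update (node-sass replaced by sass)
cat > "$TMP/after.lock" <<'EOF'
# yarn lockfile v1

sass-loader@^7.1.0:
  version "7.1.0"

sass@^1.32.13:
  version "1.32.13"
  resolved "https://registry.yarnpkg.com/sass/-/sass-1.32.13.tgz"
EOF

# Demonstration run: the first file fails, the second passes.
for f in "$TMP/before.lock" "$TMP/after.lock"; do
    check_lockfile "$f" || true
done
```

Point check_lockfile at the real yarn.lock of an updated installation; a non-zero exit means the update did not fully take effect (for example because a stale lockfile or cached node_modules was reused), in which case the modules should be reinstalled and the assets rebuilt before the cache is cleared.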


Have you found a security bug in Ibexa DXP? See how to report it responsibly here: https://doc.ibexa.co/en/latest/guide/reporting_issues/
