fix(security): address CVE-2024-39338 SSRF in axios >= 1.3.2, <= 1.7.3
https://github.com/hyperledger/cacti/security/dependabot/1172

CVE ID
CVE-2024-39338

GHSA ID
GHSA-8hc4-vh64-cxmj

axios 1.7.2 allows SSRF via unexpected behavior where requests for path-relative
URLs get processed as protocol-relative URLs.

Signed-off-by: Peter Somogyvari <[email protected]>
petermetz committed Aug 30, 2024
1 parent 444e04c commit 7e7bb44
Showing 42 changed files with 82 additions and 82 deletions.
Expand Up @@ -64,7 +64,7 @@
"@hyperledger/cactus-plugin-ledger-connector-fabric": "2.0.0-rc.3",
"@hyperledger/cactus-plugin-ledger-connector-xdai": "2.0.0-rc.3",
"async-exit-hook": "2.0.1",
"axios": "1.6.0",
"axios": "1.7.5",
"express": "4.19.2",
"openapi-types": "12.1.3",
"typescript-optional": "2.0.1",
2 changes: 1 addition & 1 deletion examples/cactus-example-cbdc-bridging-backend/package.json
Expand Up @@ -70,7 +70,7 @@
"@openzeppelin/contracts": "4.9.6",
"@openzeppelin/contracts-upgradeable": "4.9.6",
"async-exit-hook": "2.0.1",
"axios": "1.6.0",
"axios": "1.7.5",
"crypto-js": "4.2.0",
"dotenv": "16.0.1",
"fabric-network": "2.2.20",
Expand Up @@ -33,7 +33,7 @@
"@types/node": "18.11.9",
"@types/react": "^18.2.39",
"@types/react-dom": "^18.2.17",
"axios": "1.6.0",
"axios": "1.7.5",
"react": "^18.2.0",
"react-dom": "^18.2.0",
"react-scripts": "5.0.1",
Expand Up @@ -61,7 +61,7 @@
"@hyperledger/anoncreds-nodejs": "0.2.0",
"@hyperledger/aries-askar-nodejs": "0.2.0",
"@hyperledger/indy-vdr-nodejs": "0.2.0",
"axios": "1.6.0",
"axios": "1.7.5",
"inquirer": "8.2.6",
"loglevel": "1.8.1"
},
Expand Up @@ -23,7 +23,7 @@
"@hyperledger/cactus-plugin-ledger-connector-ethereum": "2.0.0-rc.3",
"@hyperledger/cactus-plugin-ledger-connector-fabric": "2.0.0-rc.3",
"@types/node": "18.11.9",
"axios": "1.7.2",
"axios": "1.7.5",
"body-parser": "1.20.2",
"cookie-parser": "1.4.6",
"debug": "3.1.0",
2 changes: 1 addition & 1 deletion examples/cactus-example-supply-chain-backend/package.json
Expand Up @@ -66,7 +66,7 @@
"@hyperledger/cactus-plugin-ledger-connector-xdai": "2.0.0-rc.3",
"@hyperledger/cactus-test-tooling": "2.0.0-rc.3",
"async-exit-hook": "2.0.1",
"axios": "1.6.0",
"axios": "1.7.5",
"dotenv": "16.0.0",
"express": "4.19.2",
"express-jwt": "8.4.1",
Expand Up @@ -65,7 +65,7 @@
"@hyperledger/cactus-plugin-ledger-connector-fabric": "2.0.0-rc.3",
"@hyperledger/cactus-plugin-ledger-connector-xdai": "2.0.0-rc.3",
"async-exit-hook": "2.0.1",
"axios": "1.6.0",
"axios": "1.7.5",
"express": "4.19.2",
"openapi-types": "12.1.3",
"run-time-error-cjs": "1.4.0",
Expand Up @@ -65,7 +65,7 @@
"@hyperledger/cactus-plugin-htlc-eth-besu-erc20": "2.0.0-rc.3",
"@hyperledger/cactus-plugin-ledger-connector-besu": "2.0.0-rc.3",
"@hyperledger/cactus-test-plugin-htlc-eth-besu-erc20": "2.0.0-rc.3",
"axios": "1.7.2",
"axios": "1.7.5",
"body-parser": "1.20.2",
"fast-safe-stringify": "2.1.1",
"joi": "17.13.3",
2 changes: 1 addition & 1 deletion extensions/cactus-plugin-object-store-ipfs/package.json
Expand Up @@ -59,7 +59,7 @@
"@hyperledger/cactus-common": "2.0.0-rc.3",
"@hyperledger/cactus-core": "2.0.0-rc.3",
"@hyperledger/cactus-core-api": "2.0.0-rc.3",
"axios": "1.6.0",
"axios": "1.7.5",
"run-time-error-cjs": "1.4.0",
"typescript-optional": "2.0.1",
"uuid": "10.0.0"
2 changes: 1 addition & 1 deletion packages/cacti-plugin-consortium-static/package.json
Expand Up @@ -58,7 +58,7 @@
"@hyperledger/cactus-common": "2.0.0-rc.3",
"@hyperledger/cactus-core": "2.0.0-rc.3",
"@hyperledger/cactus-core-api": "2.0.0-rc.3",
"axios": "1.6.0",
"axios": "1.7.5",
"body-parser": "1.20.2",
"express": "4.19.2",
"http-errors-enhanced-cjs": "2.0.1",
Expand Up @@ -62,7 +62,7 @@
"@hyperledger/cactus-common": "2.0.0-rc.3",
"@hyperledger/cactus-core": "2.0.0-rc.3",
"@hyperledger/cactus-core-api": "2.0.0-rc.3",
"axios": "1.7.2",
"axios": "1.7.5",
"express": "4.19.2",
"http-errors-enhanced-cjs": "2.0.1",
"joi": "17.13.3",
2 changes: 1 addition & 1 deletion packages/cactus-cmd-api-server/package.json
Expand Up @@ -74,7 +74,7 @@
"@hyperledger/cactus-core-api": "2.0.0-rc.3",
"@thream/socketio-jwt": "2.1.1",
"async-exit-hook": "2.0.1",
"axios": "1.7.2",
"axios": "1.7.5",
"bluebird": "3.7.2",
"body-parser": "1.20.2",
"compression": "1.7.4",
2 changes: 1 addition & 1 deletion packages/cactus-core-api/package.json
Expand Up @@ -62,7 +62,7 @@
"dependencies": {
"@grpc/grpc-js": "1.11.1",
"@hyperledger/cactus-common": "2.0.0-rc.3",
"axios": "1.7.2",
"axios": "1.7.5",
"google-protobuf": "3.21.4"
},
"devDependencies": {
2 changes: 1 addition & 1 deletion packages/cactus-plugin-bungee-hermes/package.json
Expand Up @@ -66,7 +66,7 @@
"@hyperledger/cactus-plugin-ledger-connector-besu": "2.0.0-rc.3",
"@hyperledger/cactus-plugin-ledger-connector-ethereum": "2.0.0-rc.3",
"@hyperledger/cactus-plugin-ledger-connector-fabric": "2.0.0-rc.3",
"axios": "1.7.2",
"axios": "1.7.5",
"body-parser": "1.20.2",
"fs-extra": "11.2.0",
"http-errors-enhanced-cjs": "2.0.1",
2 changes: 1 addition & 1 deletion packages/cactus-plugin-consortium-manual/package.json
Expand Up @@ -59,7 +59,7 @@
"@hyperledger/cactus-common": "2.0.0-rc.3",
"@hyperledger/cactus-core": "2.0.0-rc.3",
"@hyperledger/cactus-core-api": "2.0.0-rc.3",
"axios": "1.6.0",
"axios": "1.7.5",
"body-parser": "1.20.2",
"express": "4.19.2",
"jose": "4.15.5",
2 changes: 1 addition & 1 deletion packages/cactus-plugin-htlc-eth-besu-erc20/package.json
Expand Up @@ -65,7 +65,7 @@
"@hyperledger/cactus-core": "2.0.0-rc.3",
"@hyperledger/cactus-core-api": "2.0.0-rc.3",
"@hyperledger/cactus-plugin-ledger-connector-besu": "2.0.0-rc.3",
"axios": "1.6.0",
"axios": "1.7.5",
"express": "4.19.2",
"joi": "17.13.3",
"openapi-types": "12.1.3",
2 changes: 1 addition & 1 deletion packages/cactus-plugin-htlc-eth-besu/package.json
Expand Up @@ -73,7 +73,7 @@
"@hyperledger/cactus-plugin-keychain-memory": "2.0.0-rc.3",
"@hyperledger/cactus-plugin-ledger-connector-besu": "2.0.0-rc.3",
"@hyperledger/cactus-test-tooling": "2.0.0-rc.3",
"axios": "1.6.0",
"axios": "1.7.5",
"bn.js": "5.2.1",
"dotenv": "16.0.3",
"ethers": "6.3.0",
2 changes: 1 addition & 1 deletion packages/cactus-plugin-keychain-aws-sm/package.json
Expand Up @@ -60,7 +60,7 @@
"@hyperledger/cactus-core": "2.0.0-rc.3",
"@hyperledger/cactus-core-api": "2.0.0-rc.3",
"aws-sdk": "2.965.0",
"axios": "1.6.0",
"axios": "1.7.5",
"http-status-codes": "2.1.4",
"prom-client": "15.1.3",
"typescript-optional": "2.0.1"
2 changes: 1 addition & 1 deletion packages/cactus-plugin-keychain-azure-kv/package.json
Expand Up @@ -66,7 +66,7 @@
"@hyperledger/cactus-common": "2.0.0-rc.3",
"@hyperledger/cactus-core": "2.0.0-rc.3",
"@hyperledger/cactus-core-api": "2.0.0-rc.3",
"axios": "1.7.2",
"axios": "1.7.5",
"http-status-codes": "2.1.4",
"typescript-optional": "2.0.1"
},
2 changes: 1 addition & 1 deletion packages/cactus-plugin-keychain-google-sm/package.json
Expand Up @@ -60,7 +60,7 @@
"@hyperledger/cactus-common": "2.0.0-rc.3",
"@hyperledger/cactus-core": "2.0.0-rc.3",
"@hyperledger/cactus-core-api": "2.0.0-rc.3",
"axios": "1.6.0",
"axios": "1.7.5",
"http-status-codes": "2.1.4",
"typescript-optional": "2.0.1",
"uuid": "10.0.0"
2 changes: 1 addition & 1 deletion packages/cactus-plugin-keychain-memory-wasm/package.json
Expand Up @@ -64,7 +64,7 @@
"@hyperledger/cactus-common": "2.0.0-rc.3",
"@hyperledger/cactus-core": "2.0.0-rc.3",
"@hyperledger/cactus-core-api": "2.0.0-rc.3",
"axios": "1.6.0",
"axios": "1.7.5",
"express": "4.19.2",
"prom-client": "15.1.3",
"uuid": "10.0.0"
2 changes: 1 addition & 1 deletion packages/cactus-plugin-keychain-memory/package.json
Expand Up @@ -64,7 +64,7 @@
"@hyperledger/cactus-common": "2.0.0-rc.3",
"@hyperledger/cactus-core": "2.0.0-rc.3",
"@hyperledger/cactus-core-api": "2.0.0-rc.3",
"axios": "1.6.0",
"axios": "1.7.5",
"express": "4.19.2",
"prom-client": "15.1.3",
"rxjs": "7.8.1",
2 changes: 1 addition & 1 deletion packages/cactus-plugin-keychain-vault/package.json
Expand Up @@ -59,7 +59,7 @@
"@hyperledger/cactus-common": "2.0.0-rc.3",
"@hyperledger/cactus-core": "2.0.0-rc.3",
"@hyperledger/cactus-core-api": "2.0.0-rc.3",
"axios": "1.6.0",
"axios": "1.7.5",
"http-status-codes": "2.1.4",
"node-vault": "0.9.22",
"prom-client": "15.1.3",
2 changes: 1 addition & 1 deletion packages/cactus-plugin-ledger-connector-aries/package.json
Expand Up @@ -68,7 +68,7 @@
"@hyperledger/cactus-core": "2.0.0-rc.3",
"@hyperledger/cactus-core-api": "2.0.0-rc.3",
"@hyperledger/indy-vdr-nodejs": "0.2.0",
"axios": "1.7.2",
"axios": "1.7.5",
"rxjs": "7.8.1",
"socket.io-client-fixed-types": "4.5.4"
},
2 changes: 1 addition & 1 deletion packages/cactus-plugin-ledger-connector-besu/package.json
Expand Up @@ -63,7 +63,7 @@
"@hyperledger/cactus-common": "2.0.0-rc.3",
"@hyperledger/cactus-core": "2.0.0-rc.3",
"@hyperledger/cactus-core-api": "2.0.0-rc.3",
"axios": "1.7.2",
"axios": "1.7.5",
"express": "4.19.2",
"google-protobuf": "3.21.4",
"http-errors": "2.0.0",
2 changes: 1 addition & 1 deletion packages/cactus-plugin-ledger-connector-cdl/package.json
Expand Up @@ -58,7 +58,7 @@
"@hyperledger/cactus-common": "2.0.0-rc.3",
"@hyperledger/cactus-core": "2.0.0-rc.3",
"@hyperledger/cactus-core-api": "2.0.0-rc.3",
"axios": "1.6.0",
"axios": "1.7.5",
"sanitize-html": "2.12.1"
},
"devDependencies": {
2 changes: 1 addition & 1 deletion packages/cactus-plugin-ledger-connector-corda/package.json
Expand Up @@ -60,7 +60,7 @@
"@hyperledger/cactus-common": "2.0.0-rc.3",
"@hyperledger/cactus-core": "2.0.0-rc.3",
"@hyperledger/cactus-core-api": "2.0.0-rc.3",
"axios": "1.6.0",
"axios": "1.7.5",
"express": "4.19.2",
"express-openapi-validator": "5.2.0",
"http-errors-enhanced-cjs": "2.0.1",
Expand Up @@ -71,7 +71,7 @@
"@hyperledger/cactus-common": "2.0.0-rc.3",
"@hyperledger/cactus-core": "2.0.0-rc.3",
"@hyperledger/cactus-core-api": "2.0.0-rc.3",
"axios": "1.7.2",
"axios": "1.7.5",
"ethers": "6.8.1",
"express": "4.19.2",
"http-proxy-middleware": "2.0.6",
Expand Up @@ -60,7 +60,7 @@
"@hyperledger/cactus-common": "2.0.0-rc.3",
"@hyperledger/cactus-core": "2.0.0-rc.3",
"@hyperledger/cactus-core-api": "2.0.0-rc.3",
"axios": "1.7.2",
"axios": "1.7.5",
"bl": "6.0.12",
"bn.js": "4.12.0",
"elliptic": "6.5.4",
Expand Up @@ -54,7 +54,7 @@
"@iroha2/crypto-core": "0.1.1",
"@iroha2/crypto-target-node": "0.4.0",
"@iroha2/data-model": "4.0.0",
"axios": "1.7.2",
"axios": "1.7.5",
"express": "4.19.2",
"fast-safe-stringify": "2.1.1",
"hada": "0.0.8",
Expand Up @@ -73,7 +73,7 @@
"@polkadot/rpc-provider": "10.9.1",
"@polkadot/types": "10.9.1",
"@polkadot/util": "12.6.2",
"axios": "1.6.0",
"axios": "1.7.5",
"bl": "6.0.0",
"express": "4.19.2",
"express-openapi-validator": "5.2.0",
Expand Up @@ -59,7 +59,7 @@
"@hyperledger/cactus-common": "2.0.0-rc.3",
"@hyperledger/cactus-core": "2.0.0-rc.3",
"@hyperledger/cactus-core-api": "2.0.0-rc.3",
"axios": "1.7.2",
"axios": "1.7.5",
"cbor": "9.0.1",
"rxjs": "7.8.1",
"socket.io-client-fixed-types": "4.5.4"
2 changes: 1 addition & 1 deletion packages/cactus-plugin-ledger-connector-xdai/package.json
Expand Up @@ -58,7 +58,7 @@
"@hyperledger/cactus-common": "2.0.0-rc.3",
"@hyperledger/cactus-core": "2.0.0-rc.3",
"@hyperledger/cactus-core-api": "2.0.0-rc.3",
"axios": "1.6.0",
"axios": "1.7.5",
"express": "4.19.2",
"joi": "17.13.3",
"openapi-types": "12.1.3",
2 changes: 1 addition & 1 deletion packages/cactus-plugin-persistence-ethereum/package.json
Expand Up @@ -67,7 +67,7 @@
"@hyperledger/cactus-core-api": "2.0.0-rc.3",
"@hyperledger/cactus-plugin-ledger-connector-ethereum": "2.0.0-rc.3",
"async-mutex": "0.4.0",
"axios": "1.7.2",
"axios": "1.7.5",
"pg": "8.8.0",
"run-time-error-cjs": "1.4.0",
"uuid": "10.0.0",
2 changes: 1 addition & 1 deletion packages/cactus-plugin-persistence-fabric/package.json
Expand Up @@ -67,7 +67,7 @@
"@hyperledger/cactus-core-api": "2.0.0-rc.3",
"@hyperledger/cactus-plugin-ledger-connector-fabric": "2.0.0-rc.3",
"async-mutex": "0.4.0",
"axios": "1.7.2",
"axios": "1.7.5",
"pg": "8.8.0",
"run-time-error-cjs": "1.4.0",
"uuid": "10.0.0"
2 changes: 1 addition & 1 deletion packages/cactus-plugin-satp-hermes/package.json
Expand Up @@ -59,7 +59,7 @@
"@hyperledger/cactus-plugin-ledger-connector-fabric": "2.0.0-rc.3",
"@hyperledger/cactus-plugin-object-store-ipfs": "2.0.0-rc.3",
"@hyperledger/cactus-test-tooling": "2.0.0-rc.3",
"axios": "1.7.2",
"axios": "1.7.5",
"crypto-js": "4.2.0",
"fs-extra": "11.2.0",
"knex": "2.4.0",
2 changes: 1 addition & 1 deletion packages/cactus-test-plugin-consortium-manual/package.json
Expand Up @@ -56,7 +56,7 @@
"@hyperledger/cactus-core-api": "2.0.0-rc.3",
"@hyperledger/cactus-plugin-consortium-manual": "2.0.0-rc.3",
"@hyperledger/cactus-plugin-keychain-memory": "2.0.0-rc.3",
"axios": "1.6.0",
"axios": "1.7.5",
"jose": "4.15.5"
},
"devDependencies": {
Expand Up @@ -58,7 +58,7 @@
"@hyperledger/cactus-plugin-keychain-memory": "2.0.0-rc.3",
"@hyperledger/cactus-plugin-ledger-connector-besu": "2.0.0-rc.3",
"@hyperledger/cactus-test-tooling": "2.0.0-rc.3",
"axios": "1.6.0",
"axios": "1.7.5",
"express": "4.19.2",
"web3-eth-abi": "4.0.3",
"web3-utils": "4.2.1"
2 changes: 1 addition & 1 deletion packages/cactus-test-plugin-htlc-eth-besu/package.json
Expand Up @@ -58,7 +58,7 @@
"@hyperledger/cactus-plugin-keychain-memory": "2.0.0-rc.3",
"@hyperledger/cactus-plugin-ledger-connector-besu": "2.0.0-rc.3",
"@hyperledger/cactus-test-tooling": "2.0.0-rc.3",
"axios": "1.6.0",
"axios": "1.7.5",
"key-encoder": "2.0.3",
"web3": "1.6.1",
"web3js-quorum": "22.4.0"
Expand Up @@ -67,7 +67,7 @@
"devDependencies": {
"@types/express": "4.17.21",
"@types/uuid": "10.0.0",
"axios": "1.7.2",
"axios": "1.7.5",
"express": "4.19.2",
"uuid": "10.0.0",
"web3-core": "1.6.1"
2 changes: 1 addition & 1 deletion packages/cactus-test-tooling/package.json
Expand Up @@ -66,7 +66,7 @@
},
"dependencies": {
"@hyperledger/cactus-common": "2.0.0-rc.3",
"axios": "1.7.2",
"axios": "1.7.5",
"compare-versions": "3.6.0",
"dockerode": "3.3.0",
"elliptic": "6.5.4",
