Dependency on vulnerable phpseclib package

Created on 11 July 2024, 5 months ago
Updated 6 August 2024, 5 months ago

Steps to reproduce

Run composer audit

You'll see the phpseclib/phpseclib package as a dependency with a vulnerable version

+-------------------+----------------------------------------------------------------------------------+
| Package           | phpseclib/phpseclib                                                              |
| Severity          | high                                                                             |
| CVE               | CVE-2024-27354                                                                   |
| Title             | phpseclib a large prime can cause a denial of service                            |
| URL               | https://github.com/advisories/GHSA-hg35-mp25-qf6h                                |
| Affected versions | >=3.0.0,<3.0.36|>=2.0.0,<2.0.47|>=1.0.0,<1.0.23                                  |
| Reported at       | 2024-03-02T00:31:33+00:00                                                        |
+-------------------+----------------------------------------------------------------------------------+
+-------------------+----------------------------------------------------------------------------------+
| Package           | phpseclib/phpseclib                                                              |
| Severity          | high                                                                             |
| CVE               | CVE-2024-27355                                                                   |
| Title             | phpseclib does not properly limit the ASN1 OID length                            |
| URL               | https://github.com/advisories/GHSA-jr22-8qgm-4q87                                |
| Affected versions | >=3.0.0,<3.0.36|>=2.0.0,<2.0.47|>=1.0.0,<1.0.23                                  |
| Reported at       | 2024-03-02T00:31:33+00:00                                                        |
+-------------------+----------------------------------------------------------------------------------+

Proposed resolution

Update Composer to use a newer version of the phpseclib/phpseclib library, e.g. ^3.0.36
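As an added example (not part of this issue or of the project's own code), the following Python script evaluates the affected-version constraint string from the audit table above against the phpseclib version pinned in a composer.lock file. The lock excerpt embedded in the script is constructed for the demonstration; the constraint string is copied verbatim from the audit output. The parser covers the subset of Composer constraint syntax that advisories use (comparison operators, `,` for AND, `|` for OR) and treats a pre-release tag such as `3.0.36-RC1` as older than the bare `3.0.36`, so a release candidate of the fixed version is still reported as affected.

```python
import json
import re
from typing import List, Tuple

# Affected-version constraint exactly as printed by `composer audit` for CVE-2024-27354/-27355.
AFFECTED = ">=3.0.0,<3.0.36|>=2.0.0,<2.0.47|>=1.0.0,<1.0.23"

# Constructed composer.lock excerpt (not the project's real lock file); only the fields used here.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "phpseclib/phpseclib", "version": "3.0.35"},
        {"name": "symfony/yaml", "version": "v6.4.0"},
    ],
    "packages-dev": [],
})

_OPS = {
    ">=": lambda a, b: a >= b,
    "<=": lambda a, b: a <= b,
    "!=": lambda a, b: a != b,
    "==": lambda a, b: a == b,
    "=": lambda a, b: a == b,
    ">": lambda a, b: a > b,
    "<": lambda a, b: a < b,
}
_CLAUSE = re.compile(r"^(>=|<=|!=|==|>|<|=)?\s*(v?[0-9][0-9A-Za-z.\-+@]*)$")


def parse_version(v: str) -> Tuple[int, int, int, int]:
    """Map '3.0.35', 'v3.0.35' or '3.0.36-RC1' to a comparable (major, minor, patch, stable) tuple.

    The trailing flag is 1 for a plain release and 0 for a pre-release, so that
    3.0.36-RC1 sorts below 3.0.36 (the same ordering Composer and semver use).
    Build metadata after '+' is ignored.
    """
    v = v.lstrip("vV").split("+", 1)[0]
    core, *suffix = re.split(r"[-@]", v, maxsplit=1)
    nums = [int(p) for p in core.split(".") if p.isdigit()][:3]
    nums += [0] * (3 - len(nums))
    return (nums[0], nums[1], nums[2], 0 if suffix else 1)


def matches_constraint(version: str, constraint: str) -> bool:
    """True if `version` satisfies the Composer-style constraint.

    '|' or '||' separates alternatives (OR); ',' or whitespace joins clauses (AND).
    """
    v = parse_version(version)
    for group in re.split(r"\s*\|\|?\s*", constraint.strip()):
        clauses = [c for c in re.split(r"\s*,\s*|\s+", group.strip()) if c]
        if not clauses:
            continue
        satisfied = True
        for clause in clauses:
            m = _CLAUSE.match(clause)
            if not m:
                raise ValueError(f"unsupported constraint clause: {clause!r}")
            op, bound = m.group(1) or "=", m.group(2)
            if not _OPS[op](v, parse_version(bound)):
                satisfied = False
                break
        if satisfied:
            return True
    return False


def audit_lock(lock_json: str, package: str, affected: str) -> List[Tuple[str, str, bool]]:
    """Return (name, pinned version, is_affected) for each lock entry named `package`."""
    lock = json.loads(lock_json)
    findings = []
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section, []):
            if pkg.get("name") == package:
                ver = pkg["version"]
                findings.append((pkg["name"], ver, matches_constraint(ver, affected)))
    return findings


if __name__ == "__main__":
    for name, ver, hit in audit_lock(SAMPLE_LOCK, "phpseclib/phpseclib", AFFECTED):
        print(f"{name} {ver}: {'AFFECTED' if hit else 'ok'}")
```

To run the same check against a real project, read the project's composer.lock into `audit_lock` in place of `SAMPLE_LOCK`; after applying the proposed resolution (raising the constraint to ^3.0.36 and updating the lock file) the function should report no affected entries for phpseclib/phpseclib.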

πŸ› Bug report
Status

Fixed

Version

1.1

Component

Code

Created by

🇬🇧 United Kingdom endrukk
