Django REST framework

Lookup for vulnerabilities affecting packages.

Vulnerability_id VCID-gkxt-qw12-gfeb

Summary

Malware in fsevents
This advisory is intended to inform the npm ecosystem with details to resolve a third-party malware incident that may have impacted your infrastructure if you are directly or transitively dependent on the [fsevents](https://www.npmjs.com/package/fsevents) npm package.

fsevents v1.0.0 <= v1.2.10 downloaded binary executables that contained unintended code due to an expired cloud storage resource being reclaimed by a third party.

The fsevents npm package v1.0.0 through v1.2.10 attempts to fetch a pre-built binary executable artifact (fse.node) from cloud storage. If this fetch fails, fsevents v1.x will attempt to build this artifact directly from source.

Version 1.x of fsevents has been deprecated for several years and as a result the aforementioned cloud storage resource namespace was available for registration. A third party, unrelated to the fsevents maintainers, subsequently claimed this namespace and in April 2023 this third party started serving modified versions of the “fse.node” binary executable artifact to new fsevents v1.x users.

As of April 27, 2023 the cloud storage resource in question has been indefinitely suspended and is no longer serving binaries.

The affected cloud storage pre-fetch was [removed](https://github.com/fsevents/fsevents/commit/909af26846834642c81d19f4148afa3b7557b058) in fsevents version 1.2.11.

The impact of the modified versions of fse.node appears to be limited to information gathering.

Note that initial analysis was performed for the modified artifact associated with fsevents v1.2.9, which was distributed as fse-v1.2.9-node-v72-darwin-x64.tar.gz prior to the cloud storage resource being suspended.

For more detailed analysis you may compare a decompilation of the v1.x fse.node artifacts on your systems with the intended fsevents v1.x source as it exists at https://github.com/fsevents/fsevents/tree/v1.x

 If you are dependent on the deprecated version of fsevents v1.x, the recommended course of action is to upgrade to fsevents v2.x or remove the dependency altogether as currently maintained versions of Node.js no longer require fsevents for file system watching on macOS.

Aliases

alias	GHSA-xv2f-5jw4-v95m

alias	GMS-2023-2160

Fixed_packages

url	pkg:npm/fsevents@1.2.11
purl	pkg:npm/fsevents@1.2.11
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:npm/fsevents@1.2.11

Affected_packages

url pkg:npm/fsevents@1.0.0

purl pkg:npm/fsevents@1.0.0

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-gkxt-qw12-gfeb

resource_url http://public2.vulnerablecode.io/packages/pkg:npm/fsevents@1.0.0

References

reference_url	https://github.com/fsevents/fsevents/commit/909af26846834642c81d19f4148afa3b7557b058
reference_id
reference_type
scores
url	https://github.com/fsevents/fsevents/commit/909af26846834642c81d19f4148afa3b7557b058

reference_url	https://github.com/advisories/GHSA-xv2f-5jw4-v95m
reference_id	GHSA-xv2f-5jw4-v95m
reference_type
scores
url	https://github.com/advisories/GHSA-xv2f-5jw4-v95m

Weaknesses

cwe_id	1035
name	OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
description	Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2017.

cwe_id	506
name	Embedded Malicious Code
description	The product contains code that appears to be malicious in nature.

cwe_id	937
name	OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
description	Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2013.

Exploits

Severity_range_score null

Exploitability null

Weighted_severity null

Risk_score null

Resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-gkxt-qw12-gfeb

Vulnerability Instance