axios security issue

[kelvah]

Hi,

We got a new CVE ticket about axios for our project (OCM):
https://issues.redhat.com/browse/OCMUI-1491

CVE-2023-45857 axios: exposure of confidential data stored in cookies
https://bugzilla.redhat.com/show_bug.cgi?id=2248979

An issue discovered in Axios 1.5.1 inadvertently reveals the confidential XSRF-TOKEN stored in cookies by including it in the HTTP header X-XSRF-TOKEN for every request made to any host allowing attackers to view sensitive information.

https://github.com/axios/axios/issues/6006
https://github.com/jeffbski/wait-on/pull/147

@redhat-cloud-services/frontend-components-utilities is on axios@^0.28.0
https://github.com/RedHatInsights/frontend-components/blob/master/packages/utils/package.json#L42

It's not clear if the reported issue was introduced with 1.5.1. Anyway, older versions of axios got their share of CVEs reported over time.

Do you think it could be possible to update it to latest?
Thanks!

[Hyperkid123]

We can't upgrade to ^1.x.x as of yet. There are still some dependencies that require the old version. We are working on these at the moment.

[Ginxo]

two new CVEs related with this arrived to OCMUI

https://issues.redhat.com/browse/OCMUI-1554
https://issues.redhat.com/browse/OCMUI-1596

for now we decided to add resolution since yarn was resolving latest axios library (no matter @redhat-cloud-services one) so it was about to remove any reference to old one on lock file. We would like to avoid such kind of configuration in our side to avoid future problems caused by this kind of overriding.

Any effort/update on this will be appreciated. Thanks

[Hyperkid123]

The update will be a part of the next major release. There are breaking changes between 0.2.x and 1.x. Next major release should happen this Q