Improper Certificate Validation in node-sass affects eZ Platform

Certificate validation in node-sass 2.0.0 to 4.14.1 is disabled when requesting binaries even if the user is not specifying an alternative download path. This affects eZ Platform v2.5 only. The maintainers resolved it by replacing node-sass 4.11 with sass 1.32.13. This issue also affects ezsystems/ezplatform and ezsystems/ezplatform-page-builder.

Published: Apr 1, 2022
Updated: Apr 14, 2023
GHSA: GHSA-6v6p-g8cg-2hgg
Severity: Medium
Exploit:

CVSS v3:

Severity: Unknown
Score:
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

CWEs:

CWE-295

OWASP TOP 10:

A3 - Sensitive Data Exposure

Affected Software
References

Software	From	Fixed in
ezsystems / ezplatform-admin-ui	1.5.0	1.5.27

https://developers.ibexa.co/security-advisories/ibexa-sa-2022-002-vulnerability-in-node-sass
https://github.com/ezsystems/ezplatform-admin-ui/releases/tag/v1.5.27
https://github.com/ezsystems/ezplatform-admin-ui/security/advisories/GHSA-6v6p-g8cg-2hgg

Vulnerability Database

289,871

Improper Certificate Validation in node-sass affects eZ Platform