Description
How do I update the regex version, since it comes with the package?
The library regex version 0.2.11 was detected in Cargo library manager located at /home/ubuntu/efs-utils/src/proxy/Cargo.lock and is vulnerable to CVE-2022-24713, which exists in versions < 1.5.5.
The vulnerability was found in the Github Security Advisory with vendor severity: High (NVD severity: High).
The vulnerability can be remediated by updating the library to version 1.5.5 or higher.
The cargo tree output is shown below.
[build-dependencies]
└── xdrgen v0.4.4
    ├── bitflags v0.9.1
    ├── clap v2.34.0
    │   ├── ansi_term v0.12.1
    │   ├── atty v0.2.14 (*)
    │   ├── bitflags v1.3.2
    │   ├── strsim v0.8.0
    │   ├── textwrap v0.11.0
    │   │   └── unicode-width v0.1.14
    │   ├── unicode-width v0.1.14
    │   └── vec_map v0.8.2
    ├── env_logger v0.4.3
    │   ├── log v0.3.9
    │   │   └── log v0.4.25
    │   └── regex v0.2.11
    │       ├── aho-corasick v0.6.10
    │       │   └── memchr v2.7.4
    │       ├── memchr v2.7.4
    │       ├── regex-syntax v0.5.6
    │       │   └── ucd-util v0.1.10
    │       ├── thread_local v0.3.6
    │       │   └── lazy_static v1.5.0
    │       └── utf8-ranges v1.0.5
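
The tree above shows that regex 0.2.11 is not a direct dependency: it arrives through xdrgen and env_logger in the build-dependencies section. The following is an added example, not code from this issue or from the efs-utils project, that walks `cargo tree` text and reports the chain leading to any `regex` older than the fixed version 1.5.5. The function names `parse_version` and `vulnerable_chains` are hypothetical, and `SAMPLE` is a constructed, abridged copy of the tree above.

```rust
// SAMPLE is constructed: an abridged copy of the tree quoted in the issue.
const SAMPLE: &str = "\
[build-dependencies]
└── xdrgen v0.4.4
    ├── clap v2.34.0
    │   └── strsim v0.8.0
    └── env_logger v0.4.3
        ├── log v0.3.9
        └── regex v0.2.11
            └── memchr v2.7.4
";

/// Parses "v1.2.3" into (1, 2, 3); anything else (e.g. a pre-release tag) yields None.
fn parse_version(v: &str) -> Option<(u64, u64, u64)> {
    let mut it = v.trim_start_matches('v').split('.').map(|p| p.parse::<u64>());
    Some((it.next()?.ok()?, it.next()?.ok()?, it.next()?.ok()?))
}

/// Returns one dependency chain (outermost crate first) for every `krate`
/// node in the tree whose version is lower than `fixed`.
fn vulnerable_chains(tree: &str, krate: &str, fixed: (u64, u64, u64)) -> Vec<Vec<String>> {
    let mut stack: Vec<String> = Vec::new();
    let mut found = Vec::new();
    for line in tree.lines() {
        // Section headers such as "[build-dependencies]" have no branch marker.
        let Some(pos) = line.find("── ") else { continue };
        // Each nesting level is four characters wide; one branch character precedes "── ".
        let depth = line[..pos].chars().count() / 4;
        let mut parts = line[pos + "── ".len()..].split_whitespace();
        let (Some(name), Some(ver)) = (parts.next(), parts.next()) else { continue };
        stack.truncate(depth); // drop siblings and deeper nodes from the previous line
        stack.push(format!("{name} {ver}"));
        if name == krate && parse_version(ver).map_or(false, |v| v < fixed) {
            found.push(stack.clone());
        }
    }
    found
}

fn main() {
    for chain in vulnerable_chains(SAMPLE, "regex", (1, 5, 5)) {
        println!("{}", chain.join(" -> "));
    }
}
```

Subtrees that `cargo tree` marks with `(*)` are printed only once, so a chain through a deduplicated node appears only at its first occurrence.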