Release v1.0.7, Fix for axios CVE (#22)

* Release v1.0.7, Fix for axios CVE
aws-solutions · Aug 23, 2024 · 1a3a5e5 · 1a3a5e5
1 parent 503f6e9
commit 1a3a5e5
Show file tree

Hide file tree

Showing 7 changed files with 155 additions and 138 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -5,6 +5,12 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [1.0.7] - 2024-08
+
+### Changed
+
+- Library updates to address [axios 1.7.2 allows SSRF via unexpected behavior where requests for path relative URLs get processed as protocol relative URLs.](https://avd.aquasec.com/nvd/cve-2024-39338)
+
 ## [1.0.6] - 2024-07
 
 ### Changed
@@ -51,4 +57,4 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ### Added
 
-- New solution AWS Network Firewall Deployment Automations for AWS Transit Gateway, initial version
+- New solution AWS Network Firewall Deployment Automations for AWS Transit Gateway, initial version
diff --git a/SECURITY.md b/SECURITY.md
@@ -0,0 +1,11 @@
+# Reporting Security Issues
+
+We take all security reports seriously.
+When we receive such reports,
+we will investigate and subsequently address
+any potential vulnerabilities as quickly as possible.
+If you discover a potential security issue in this project,
+please notify AWS/Amazon Security via our
+[vulnerability reporting page](http://aws.amazon.com/security/vulnerability-reporting/)
+or directly via email to [AWS Security](mailto:[email protected]).
+Please do *not* create a public GitHub issue in this project.
diff --git a/solution-manifest.yaml b/solution-manifest.yaml
@@ -1,7 +1,7 @@
 ---
 id: SO0108 # Solution Id
 name: centralized-network-inspection-on-aws # trademarked name
-version: v1.0.5 # current version of the solution. Used to verify template headers
+version: v1.0.7 # current version of the solution. Used to verify template headers
 cloudformation_templates: # This list should match with AWS CloudFormation templates section of IG
   - template: centralized-network-inspection-on-aws.template
     main_template: true

diff --git a/source/centralizedNetworkInspection/package-lock.json b/source/centralizedNetworkInspection/package-lock.json
diff --git a/source/centralizedNetworkInspection/package.json b/source/centralizedNetworkInspection/package.json
@@ -1,6 +1,6 @@
 {
   "name": "centralized-network-inspection",
-  "version": "1.0.6",
+  "version": "1.0.7",
   "description": "Centralized Network Inspection on AWS",
   "main": "index.js",
   "types": "index.d.ts",
@@ -11,7 +11,7 @@
   "license": "Apache-2.0",
   "dependencies": {
     "aws-sdk": "^2.1482.0",
-    "axios": "^1.6.0",
+    "axios": "^1.7.4",
     "moment": "^2.27.0",
     "uuid": "^9.0.1"
   },