ZoweDevelopers: NPM Vulnerabiity affecting Zowe components APIML, Zowe Desktop, Zowe CLI and Imperative

[Joe-Winchester]

See related announcement ZoweUsers: NPM vulnerability affecting Zowe CLI secure credentials store Nov 4th to Nov 5th 2021.

We found additional Zowe components which the above vulnerability affects at development time, during the same time period of Nov 4th - Nov 5th. There was a second hijacked dependency, which contained the same exploit.

Conditions for vulnerability:

• Zowe API Mediation Layer, Frontend Catalog (path: api-catalog-ui/frontend).
  • If you issued an “npm install” for the first time in this directory Nov 4 or Nov 5, you may have been compromised.
  • If you deleted any existing “package-lock.json” and then issued “npm install” for the first time Nov 4 or Nov 5, you may have been compromised.
• Zowe Desktop Sample React Application (path: webClient)
  • If you issued an “npm install” for the first time in this directory Nov 4 or Nov 5, you may have been compromised.
  • If you deleted any existing “package-lock.json” and then issued “npm install” for the first time Nov 4 or Nov 5, you may have been compromised.
• Zowe CLI
  • If you deleted “package-lock.json” and then issued “npm install” for the first time Nov 4 or Nov 5, you may have been compromised.
• Imperative
  • If you deleted “package-lock.json” and then issued “npm install” for the first time Nov 4 or Nov 5, you may have been compromised.