From 495098a129f7624ff57dda8b34f4c0d8a5c05cad Mon Sep 17 00:00:00 2001
From: ruzell22
Date: Wed, 15 Mar 2023 11:21:15 +0800
Subject: [PATCH] fix(security): vulnerabilities found in cactus-cmd-api-server #2039
- fix CVE-2022-24434 and CVE-2022-24999
fixes: #2039
related to: #2241
Verified that these changes will fix the vulnerabilities in cactus-cmd-api-server in addition to the following CVE IDs:
- CVE-2022-24434
- CVE-2022-24999 (express)
- CVE-2022-24999 (qs)
Signed-off-by: ruzell22
---
 .github/containerscan/allowedlist.yaml | 4 ++--
 packages/cactus-core/package.json | 4 ++--
 packages/cactus-plugin-keychain-memory/package.json | 2 +-
 packages/cactus-plugin-ledger-connector-besu/package.json | 2 +-
 4 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/.github/containerscan/allowedlist.yaml b/.github/containerscan/allowedlist.yaml
index ecb29320e9..f64bc37594 100644
--- a/.github/containerscan/allowedlist.yaml
+++ b/.github/containerscan/allowedlist.yaml
@@ -2,5 +2,5 @@
 general:
 vulnerabilities:
 #besu-all-in-one
- -CVE-2022-37734
- -CVE-2022-25857
+ - CVE-2022-37734
+ - CVE-2022-25857
diff --git a/packages/cactus-core/package.json b/packages/cactus-core/package.json
index 8cc492b496..03e21c9bd9 100644
--- a/packages/cactus-core/package.json
+++ b/packages/cactus-core/package.json
@@ -52,9 +52,9 @@
 "dependencies": {
 "@hyperledger/cactus-common": "1.1.3",
 "@hyperledger/cactus-core-api": "1.1.3",
- "express": "4.17.1",
+ "express": "4.17.3",
 "express-jwt-authz": "2.4.1",
- "express-openapi-validator": "4.12.12",
+ "express-openapi-validator": "4.13.8",
 "typescript-optional": "2.0.1"
 },
 "devDependencies": {
diff --git a/packages/cactus-plugin-keychain-memory/package.json b/packages/cactus-plugin-keychain-memory/package.json
index 3f25d8c341..1bc8c72c8c 100644
--- a/packages/cactus-plugin-keychain-memory/package.json
+++ b/packages/cactus-plugin-keychain-memory/package.json
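Review bot: Nothing in the allow-list file or the commit message says why CVE-2022-37734 and CVE-2022-25857 are acceptable to suppress for the besu-all-in-one image, and that matters more after this hunk because `- CVE-…` is a real YAML sequence item whereas the removed `-CVE-…` (no space after the dash) parses as a plain scalar, so the scanner most likely never honored these two exceptions before this change. I would record the rationale and a revisit date beside each entry, e.g. `- CVE-2022-37734 # besu-all-in-one: <why it is not exploitable here>, re-evaluate by <date>`, and mention the allow-list change in the commit description, which currently only lists the dependency CVEs. Indentation was lost when this diff was collapsed, so the nesting of the two entries under `vulnerabilities:` should be verified against the actual file.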
@@ -57,7 +57,7 @@
 "@hyperledger/cactus-core": "1.1.3",
 "@hyperledger/cactus-core-api": "1.1.3",
 "axios": "0.21.4",
- "express": "4.17.1",
+ "express": "4.17.3",
 "prom-client": "13.2.0",
 "uuid": "8.3.2"
 },
diff --git a/packages/cactus-plugin-ledger-connector-besu/package.json b/packages/cactus-plugin-ledger-connector-besu/package.json
index c9501e75af..246aff319c 100644
--- a/packages/cactus-plugin-ledger-connector-besu/package.json
+++ b/packages/cactus-plugin-ledger-connector-besu/package.json
@@ -57,7 +57,7 @@
 "@hyperledger/cactus-core": "1.1.3",
 "@hyperledger/cactus-core-api": "1.1.3",
 "axios": "0.21.4",
- "express": "4.17.1",
+ "express": "4.17.3",
 "joi": "17.4.2",
 "openapi-types": "9.1.0",
 "prom-client": "13.2.0",