alexandrejunqueira / reactnd-exercicio-2-componentes-controlados Goto Github PK

Vulnerable Library - react-dom-16.3.2.tgz

React package for working with the DOM.

path: /reactnd-exercicio-2-componentes-controlados/node_modules/react-dom/package.json

Library home page: https://registry.npmjs.org/react-dom/-/react-dom-16.3.2.tgz

Dependency Hierarchy:

• ❌ react-dom-16.3.2.tgz (Vulnerable Library)

Vulnerability Details

vulnerability discovered in the react-dom/server implementation. It was introduced with the version 16.0.0 and has existed in all subsequent releases/
This vulnerability can only affect some server-rendered React apps. Purely client-rendered apps are not affected. Additionally, we expect that most server-rendered apps don’t contain the vulnerable pattern described below. Nevertheless, we recommend to follow the mitigation instructions at the earliest opportunity.

Publish Date: 2018-08-07

URL: CVE-2018-6341

CVSS 2 Score Details (8.0)

Base Score Metrics not available

Suggested Fix

Type: Change files

Origin: facebook/react@ff41519

Release Date: 2018-08-01

Fix Resolution: Replace or update the following files: DOMMarkupOperations.js, ReactDOMComponent-test.js

Vulnerable Library - merge-1.2.0.tgz

Merge multiple objects into one, optionally creating a new cloned object. Similar to the jQuery.extend but more flexible. Works in Node.js and the browser.

path: /reactnd-exercicio-2-componentes-controlados/node_modules/merge/package.json

Library home page: http://registry.npmjs.org/merge/-/merge-1.2.0.tgz

Dependency Hierarchy:

• ❌ merge-1.2.0.tgz (Vulnerable Library)

Vulnerability Details

The merge.recursive function in the merge package v <1.2 can be tricked into adding or modifying properties of the Object prototype. These properties will be present on all objects allowing for a denial of service attack.

Publish Date: 2018-10-30

URL: CVE-2018-16469

CVSS 2 Score Details (3.4)

Base Score Metrics not available

Vulnerability Details

Incorrect parsing in url-parse <1.4.3 returns wrong hostname which leads to multiple vulnerabilities such as SSRF, Open Redirect, Bypass Authentication Protocol.

Publish Date: 2018-08-12

URL: CVE-2018-3774

CVSS 3 Score Details (10.0)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Change files

Origin: unshiftio/url-parse@53b1794#diff-168726dbe96b3ce427e7fedce31bb0bc

Release Date: 2018-07-29

Fix Resolution: Replace or update the following files: index.js, test.js

Vulnerable Library - stringstream-0.0.5.tgz

Encode and decode streams into string streams

path: /reactnd-exercicio-2-componentes-controlados/node_modules/stringstream/package.json

Library home page: http://registry.npmjs.org/stringstream/-/stringstream-0.0.5.tgz

Dependency Hierarchy:

• ❌ stringstream-0.0.5.tgz (Vulnerable Library)

Vulnerability Details

All versions of stringstream are vulnerable to out-of-bounds read as it allocates uninitialized Buffers when number is passed in input stream on Node.js 4.x and below.

Publish Date: 2018-05-16

URL: WS-2018-0103

CVSS 2 Score Details (5.2)

Base Score Metrics not available

Vulnerable Library - cryptiles-3.1.2.tgz

General purpose crypto utilities

path: /reactnd-exercicio-2-componentes-controlados/node_modules/cryptiles/package.json

Library home page: https://registry.npmjs.org/cryptiles/-/cryptiles-3.1.2.tgz

Dependency Hierarchy:

• ❌ cryptiles-3.1.2.tgz (Vulnerable Library)

Vulnerability Details

Eran Hammer cryptiles version 4.1.1 earlier contains a CWE-331: Insufficient Entropy vulnerability in randomDigits() method that can result in An attacker is more likely to be able to brute force something that was supposed to be random.. This attack appear to be exploitable via Depends upon the calling application.. This vulnerability appears to have been fixed in 4.1.2.

Publish Date: 2018-07-09

URL: CVE-2018-1000620

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Vulnerable Library - macaddress-0.2.8.tgz

Get the MAC addresses (hardware addresses) of the hosts network interfaces.

path: /reactnd-exercicio-2-componentes-controlados/node_modules/macaddress/package.json

Library home page: http://registry.npmjs.org/macaddress/-/macaddress-0.2.8.tgz

Dependency Hierarchy:

• ❌ macaddress-0.2.8.tgz (Vulnerable Library)

Vulnerability Details

The macaddress module before 0.2.9 for Node.js is prone to an arbitrary command injection flaw, due to allowing unsanitized input to an exec (rather than execFile) call.

Publish Date: 2018-07-10

URL: CVE-2018-13797

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Change files

Origin: scravy/node-macaddress@358fd59

Release Date: 2018-06-23

Fix Resolution: Replace or update the following files: windows.js, unix.js, .travis.yml, macosx.js, package.json, linux.js

Vulnerable Library - hoek-4.2.1.tgz

General purpose node utilities

path: /reactnd-exercicio-2-componentes-controlados/node_modules/hoek/package.json

Library home page: https://registry.npmjs.org/hoek/-/hoek-4.2.1.tgz

Dependency Hierarchy:

• ❌ hoek-4.2.1.tgz (Vulnerable Library)

Vulnerability Details

hoek node module before 4.2.0 and 5.0.x before 5.0.3 suffers from a Modification of Assumed-Immutable Data (MAID) vulnerability via 'merge' and 'applyToDefaults' functions, which allows a malicious user to modify the prototype of "Object" via proto, causing the addition or modification of an existing property that will exist on all objects.

Publish Date: 2018-03-30

URL: CVE-2018-3728

CVSS 3 Score Details (6.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: High
  • Availability Impact: None

Suggested Fix

Type: Change files

Origin: hapijs/hoek@623667e

Release Date: 2018-02-15

Fix Resolution: Replace or update the following files: index.js, index.js

Vulnerable Library - macaddress-0.2.8.tgz

Get the MAC addresses (hardware addresses) of the hosts network interfaces.

path: /reactnd-exercicio-2-componentes-controlados/node_modules/macaddress/package.json

Library home page: http://registry.npmjs.org/macaddress/-/macaddress-0.2.8.tgz

Dependency Hierarchy:

• ❌ macaddress-0.2.8.tgz (Vulnerable Library)

Vulnerability Details

All versions of macaddress are vulnerable to command injection. For this vulnerability to be exploited an attacker needs to control the iface argument to the one method.

Publish Date: 2018-05-16

URL: WS-2018-0113

CVSS 2 Score Details (10.0)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: https://nodesecurity.io/advisories/654

Release Date: 2018-05-16

Fix Resolution: No fix is currently available for this vulnerability. It is our recommendation to not install or use this module until a fix is provided.

Vulnerable Library - lodash-4.17.10.tgz

Lodash modular utilities.

path: /reactnd-exercicio-2-componentes-controlados/node_modules/lodash/package.json

Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.10.tgz

Dependency Hierarchy:

• ❌ lodash-4.17.10.tgz (Vulnerable Library)

Vulnerability Details

In the node_module "lodash" before version 4.17.11 the functions merge, mergeWith, and defaultsDeep can be tricked into adding or modifying properties of the Object prototype. These properties will be present on all objects.

Publish Date: 2018-11-25

URL: WS-2018-0210

CVSS 2 Score Details (3.5)

Base Score Metrics not available

Suggested Fix

Type: Change files

Origin: lodash/lodash@90e6199

Release Date: 2018-08-31

Fix Resolution: Replace or update the following files: lodash.js, test.js