anthony-bible / password-exchange Goto Github PK

Vulnerable Library - github.com/gin-gonic/gIn-v1.9.0

Library home page: https://proxy.golang.org/github.com/gin-gonic/gin/@v/v1.9.0.zip

Dependency Hierarchy:

• ❌ github.com/gin-gonic/gIn-v1.9.0 (Vulnerable Library)

Found in base branch: master

Vulnerability Details

In Gin Web Framework the filename parameter of the Context.FileAttachment function is not properly sanitized. A maliciously crafted filename can cause the Content-Disposition header to be sent with an unexpected filename value or otherwise modify the Content-Disposition header. For example, a filename of "setup.bat";x=.txt" will be sent as a file named "setup.bat". If the FileAttachment function is called with names provided by an untrusted source, this may permit an attacker to cause a file to be served with a name different than provided. Maliciously crafted attachment file name can modify the Content-Disposition header.

Publish Date: 2023-04-05

URL: CVE-2023-29401

CVSS 3 Score Details (5.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Local
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Vulnerable Library - Werkzeug-2.2.2-py3-none-any.whl

The comprehensive WSGI web application library.

Library home page: https://files.pythonhosted.org/packages/c8/27/be6ddbcf60115305205de79c29004a0c6bc53cec814f733467b1bb89386d/Werkzeug-2.2.2-py3-none-any.whl

Path to dependency file: /slackbot/requirements.txt

Path to vulnerable library: /slackbot/requirements.txt,/slackbot/requirements.txt

Dependency Hierarchy:

• ❌ Werkzeug-2.2.2-py3-none-any.whl (Vulnerable Library)

Found in base branch: master

Vulnerability Details

Werkzeug is a comprehensive WSGI web application library. Browsers may allow "nameless" cookies that look like =value instead of key=value. A vulnerable browser may allow a compromised application on an adjacent subdomain to exploit this to set a cookie like =__Host-test=bad for another subdomain. Werkzeug prior to 2.2.3 will parse the cookie =__Host-test=bad as __Host-test=bad`. If a Werkzeug application is running next to a vulnerable or malicious subdomain which sets such a cookie using a vulnerable browser, the Werkzeug application will see the bad cookie value but the valid cookie key. The issue is fixed in Werkzeug 2.2.3.

Publish Date: 2023-02-14

URL: CVE-2023-23934

CVSS 3 Score Details (3.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Adjacent
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: Low
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2023-23934

Release Date: 2023-02-14

Fix Resolution: 2.2.3

Vulnerable Library - github.com/golang/text-v0.3.6

[mirror] Go text processing support

Dependency Hierarchy:

• github.com/spf13/viper-v1.9.0 (Root Library)
  • github.com/spf13/afero-v1.6.0
    • ❌ github.com/golang/text-v0.3.6 (Vulnerable Library)

Found in HEAD commit: 337b33b514b0a65fd52482aa10cefd0cbf566398

Found in base branch: master

Vulnerability Details

Due to improper index calculation, an incorrectly formatted language tag can cause Parse
to panic, due to an out of bounds read. If Parse is used to process untrusted user inputs,
this may be used as a vector for a denial of service attack.

Publish Date: 2021-08-12

URL: CVE-2021-38561

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://osv.dev/vulnerability/GO-2021-0113

Release Date: 2021-08-12

Fix Resolution: v0.3.7

WORKSPACE

• io_bazel_rules_go v0.35.0
• bazel_gazelle v0.26.0
• build_stack_rules_proto 36ceb79a987a6de33768c8bdb08d22b516a7e32e
• build_stack_bazel_gazelle_debug 2518a88cb0908f1896ff50b506e87d880a9695cb
• bazel_skylib 1.3.0
• rules_proto_grpc 4.1.1
• rules_python 0.8.1
• com_google_protobuf v3.21.10
• io_bazel_rules_docker v0.25.0
• alpine_linux_amd64 3.16@sha256:1304f174557314a7ed9eddb4eab12fed12cb0cd9809e4c28f29af86979a3c870
• python3_linux_amd64 3.11.0-slim-buster@sha256:876053fd9c3f645ed21e9e03122ecc1520be76473be89e5d222c748cad432bde
• io_bazel_rules_k8s v0.6

.bazelversion

• bazel 5.3.2

.devcontainer/Dockerfile

• mcr.microsoft.com/vscode/devcontainers/go 0-1.18-bullseye

Dockerfile

• python 3.11.0-slim-buster

.github/workflows/autopr.yaml

• actions/checkout v2

.github/workflows/bazel-build.yml

• docker/login-action v2
• actions/checkout v3
• softprops/action-gh-release v1
• ubuntu 20.04

.github/workflows/codeql-analysis.yml

• actions/checkout v3
• github/codeql-action v2
• github/codeql-action v2
• github/codeql-action v2

app/go.mod

• go 1.19
• github.com/gin-gonic/gin v1.9.0
• github.com/go-kit/kit v0.12.0
• github.com/go-sql-driver/mysql v1.6.0
• github.com/golang/protobuf v1.5.2
• github.com/p768lwy3/gin-server-timing v0.0.0-20200316080543-ab69795cf847@ab69795cf847
• github.com/rabbitmq/amqp091-go v1.5.0
• github.com/rs/xid v1.4.0
• github.com/rs/zerolog v1.28.0
• github.com/spf13/cobra v1.6.1
• github.com/spf13/viper v1.13.0
• golang.org/x/crypto v0.0.0-20220525230936-793ad666bf5e@793ad666bf5e
• google.golang.org/grpc v1.51.0
• google.golang.org/protobuf v1.28.1

slackbot/requirements.txt

• beautifulsoup4 ==4.11.1
• click ==8.1.3
• Flask ==2.2.5
• google ==3.0.0
• greenlet ==2.0.1
• grpcio ==1.51.1
• grpcio-tools ==1.50.0
• gunicorn ==20.1.0
• importlib-metadata ==5.0.0
• itsdangerous ==2.1.2
• Jinja2 ==3.1.2
• mariadb ==1.0.11
• MarkupSafe ==2.1.1
• mysqlclient ==2.1.1
• protobuf ==4.21.9
• six ==1.16.0
• slack-bolt ==1.15.5
• slack-sdk ==3.19.4
• soupsieve ==2.3.2.post1
• SQLAlchemy ==1.4.44
• Werkzeug ==2.2.3
• zipp ==3.11.0

Vulnerable Library - github.com/smartystreets/goconvey-v1.6.4

Go testing in the browser. Integrates with `go test`. Write behavioral tests in Go.

Dependency Hierarchy:

• github.com/spf13/viper-v1.8.1 (Root Library)
  • github.com/go-ini/ini-v1.62.0
    • ❌ github.com/smartystreets/goconvey-v1.6.4 (Vulnerable Library)

Found in HEAD commit: 3b232af8b9a5f8a3aa4da628daf24ce315858de4

Found in base branch: master

Vulnerability Details

The duration function in the moment package before 2.11.2 for Node.js allows remote attackers to cause a denial of service (CPU consumption) via a long string, aka a "regular expression Denial of Service (ReDoS)."

Publish Date: 2017-01-23

URL: CVE-2016-4055

CVSS 3 Score Details (6.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4055

Release Date: 2017-01-23

Fix Resolution: 2.11.2

Vulnerable Library - protobuf-3.20.1-cp37-cp37m-manylinux_2_5_x86_64.manylinux1_x86_64.whl

Protocol Buffers

Library home page: https://files.pythonhosted.org/packages/21/9b/258771d72fd2cf27eed3cfea1fc957a12666ccde394b294ac563fca23f2d/protobuf-3.20.1-cp37-cp37m-manylinux_2_5_x86_64.manylinux1_x86_64.whl

Path to dependency file: /slackbot/requirements.txt

Path to vulnerable library: /slackbot/requirements.txt,/slackbot/requirements.txt

Dependency Hierarchy:

• ❌ protobuf-3.20.1-cp37-cp37m-manylinux_2_5_x86_64.manylinux1_x86_64.whl (Vulnerable Library)

Found in base branch: master

Vulnerability Details

A parsing vulnerability for the MessageSet type in the ProtocolBuffers versions prior to and including 3.16.1, 3.17.3, 3.18.2, 3.19.4, 3.20.1 and 3.21.5 for protobuf-cpp, and versions prior to and including 3.16.1, 3.17.3, 3.18.2, 3.19.4, 3.20.1 and 4.21.5 for protobuf-python can lead to out of memory failures. A specially crafted message with multiple key-value per elements creates parsing issues, and can lead to a Denial of Service against services receiving unsanitized input. We recommend upgrading to versions 3.18.3, 3.19.5, 3.20.2, 3.21.6 for protobuf-cpp and 3.18.3, 3.19.5, 3.20.2, 4.21.6 for protobuf-python. Versions for 3.16 and 3.17 are no longer updated.

Publish Date: 2022-09-22

URL: CVE-2022-1941

CVSS 3 Score Details (5.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Local
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cloud.google.com/support/bulletins#GCP-2022-019

Release Date: 2022-09-22

Fix Resolution: Google.Protobuf - 3.18.3,3.19.5,3.20.2,3.21.6;protobuf-python - 3.18.3,3.19.5,3.20.2,4.21.6

Vulnerable Library - Werkzeug-2.2.2-py3-none-any.whl

The comprehensive WSGI web application library.

Library home page: https://files.pythonhosted.org/packages/c8/27/be6ddbcf60115305205de79c29004a0c6bc53cec814f733467b1bb89386d/Werkzeug-2.2.2-py3-none-any.whl

Path to dependency file: /slackbot/requirements.txt

Path to vulnerable library: /slackbot/requirements.txt,/slackbot/requirements.txt

Dependency Hierarchy:

• ❌ Werkzeug-2.2.2-py3-none-any.whl (Vulnerable Library)

Found in base branch: master

Vulnerability Details

Werkzeug is a comprehensive WSGI web application library. Prior to version 2.2.3, Werkzeug's multipart form data parser will parse an unlimited number of parts, including file parts. Parts can be a small amount of bytes, but each requires CPU time to parse and may use more memory as Python data. If a request can be made to an endpoint that accesses request.data, request.form, request.files, or request.get_data(parse_form_data=False), it can cause unexpectedly high resource usage. This allows an attacker to cause a denial of service by sending crafted multipart data to an endpoint that will parse it. The amount of CPU time required can block worker processes from handling legitimate requests. The amount of RAM required can trigger an out of memory kill of the process. Unlimited file parts can use up memory and file handles. If many concurrent requests are sent continuously, this can exhaust or kill all available workers. Version 2.2.3 contains a patch for this issue.

Publish Date: 2023-02-14

URL: CVE-2023-25577

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2023-25577

Release Date: 2023-02-14

Fix Resolution: 2.2.3

Vulnerable Library - github.com/smartystreets/goconvey-v1.6.4

Go testing in the browser. Integrates with `go test`. Write behavioral tests in Go.

Dependency Hierarchy:

• github.com/spf13/viper-v1.8.1 (Root Library)
  • github.com/go-ini/ini-v1.62.0
    • ❌ github.com/smartystreets/goconvey-v1.6.4 (Vulnerable Library)

Found in HEAD commit: 3b232af8b9a5f8a3aa4da628daf24ce315858de4

Found in base branch: master

Vulnerability Details

Regular expression denial of service vulnerability in the moment package, by using a specific 40 characters long string in the "format" method.

Publish Date: 2016-10-24

URL: WS-2016-0075

CVSS 3 Score Details (5.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: moment/moment#3525

Release Date: 2016-10-24

Fix Resolution: 2.15.2

Vulnerable Library - github.com/smartystreets/goconvey-v1.6.4

Go testing in the browser. Integrates with `go test`. Write behavioral tests in Go.

Dependency Hierarchy:

• github.com/spf13/viper-v1.8.1 (Root Library)
  • github.com/go-ini/ini-v1.62.0
    • ❌ github.com/smartystreets/goconvey-v1.6.4 (Vulnerable Library)

Found in HEAD commit: 3b232af8b9a5f8a3aa4da628daf24ce315858de4

Found in base branch: master

Vulnerability Details

In jQuery versions greater than or equal to 1.2 and before 3.5.0, passing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.

Publish Date: 2020-04-29

URL: CVE-2020-11022

CVSS 3 Score Details (6.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/

Release Date: 2020-04-29

Fix Resolution: jQuery - 3.5.0

Vulnerable Library - github.com/smartystreets/goconvey-v1.6.4

Go testing in the browser. Integrates with `go test`. Write behavioral tests in Go.

Dependency Hierarchy:

• github.com/spf13/viper-v1.8.1 (Root Library)
  • github.com/go-ini/ini-v1.62.0
    • ❌ github.com/smartystreets/goconvey-v1.6.4 (Vulnerable Library)

Found in HEAD commit: 3b232af8b9a5f8a3aa4da628daf24ce315858de4

Found in base branch: master

Vulnerability Details

The moment module before 2.19.3 for Node.js is prone to a regular expression denial of service via a crafted date string, a different vulnerability than CVE-2016-4055.

Publish Date: 2018-03-04

URL: CVE-2017-18214

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18214

Release Date: 2018-03-04

Fix Resolution: 2.19.3

Vulnerable Library - Flask-2.2.2-py3-none-any.whl

A simple framework for building complex web applications.

Library home page: https://files.pythonhosted.org/packages/0f/43/15f4f9ab225b0b25352412e8daa3d0e3d135fcf5e127070c74c3632c8b4c/Flask-2.2.2-py3-none-any.whl

Path to dependency file: /slackbot/requirements.txt

Path to vulnerable library: /slackbot/requirements.txt

Dependency Hierarchy:

• ❌ Flask-2.2.2-py3-none-any.whl (Vulnerable Library)

Found in base branch: master

Vulnerability Details

Flask is a lightweight WSGI web application framework. When all of the following conditions are met, a response containing data intended for one client may be cached and subsequently sent by the proxy to other clients. If the proxy also caches Set-Cookie headers, it may send one client's session cookie to other clients. The severity depends on the application's use of the session and the proxy's behavior regarding cookies. The risk depends on all these conditions being met.

1. The application must be hosted behind a caching proxy that does not strip cookies or ignore responses with cookies.
2. The application sets session.permanent = True
3. The application does not access or modify the session at any point during a request.
4. SESSION_REFRESH_EACH_REQUEST enabled (the default).
5. The application does not set a Cache-Control header to indicate that a page is private or should not be cached.

This happens because vulnerable versions of Flask only set the Vary: Cookie header when the session is accessed or modified, not when it is refreshed (re-sent to update the expiration) without being accessed or modified. This issue has been fixed in versions 2.3.2 and 2.2.5.

Publish Date: 2023-05-02

URL: CVE-2023-30861

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: None
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2023-30861

Release Date: 2023-05-02

Fix Resolution: 2.3.2

Vulnerable Library - github.com/smartystreets/goconvey-v1.6.4

Go testing in the browser. Integrates with `go test`. Write behavioral tests in Go.

Dependency Hierarchy:

• github.com/spf13/viper-v1.8.1 (Root Library)
  • github.com/go-ini/ini-v1.62.0
    • ❌ github.com/smartystreets/goconvey-v1.6.4 (Vulnerable Library)

Found in HEAD commit: 3b232af8b9a5f8a3aa4da628daf24ce315858de4

Found in base branch: master

Vulnerability Details

In jQuery versions greater than or equal to 1.0.3 and before 3.5.0, passing HTML containing elements from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.

Publish Date: 2020-04-29

URL: CVE-2020-11023

CVSS 3 Score Details (6.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://github.com/jquery/jquery/security/advisories/GHSA-jpcq-cgw6-v4j6,https://github.com/rails/jquery-rails/blob/master/CHANGELOG.md#440

Release Date: 2020-04-29

Fix Resolution: jquery - 3.5.0;jquery-rails - 4.4.0

Vulnerable Library - github.com/gin-gonic/gin-v1.8.1

Gin is a HTTP web framework written in Go (Golang). It features a Martini-like API with much better performance -- up to 40 times faster. If you need smashing performance, get yourself some Gin.

Library home page: https://proxy.golang.org/github.com/gin-gonic/gin/@v/v1.8.1.zip

Dependency Hierarchy:

• ❌ github.com/gin-gonic/gin-v1.8.1 (Vulnerable Library)

Found in base branch: master

Vulnerability Details

Versions of the package github.com/gin-gonic/gin before 1.9.0 are vulnerable to Improper Input Validation by allowing an attacker to use a specially crafted request via the X-Forwarded-Prefix header, potentially leading to cache poisoning.

Note: Although this issue does not pose a significant threat on its own it can serve as an input vector for other more impactful vulnerabilities. However, successful exploitation may depend on the server configuration and whether the header is used in the application logic.

Publish Date: 2023-05-04

URL: CVE-2023-26125

CVSS 3 Score Details (5.6)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Release Date: 2023-05-04

Fix Resolution: v1.9.0

Vulnerable Library - github.com/smartystreets/goconvey-v1.6.4

Go testing in the browser. Integrates with `go test`. Write behavioral tests in Go.

Dependency Hierarchy:

• github.com/spf13/viper-v1.8.1 (Root Library)
  • github.com/go-ini/ini-v1.62.0
    • ❌ github.com/smartystreets/goconvey-v1.6.4 (Vulnerable Library)

Found in HEAD commit: 3b232af8b9a5f8a3aa4da628daf24ce315858de4

Found in base branch: master

Vulnerability Details

jQuery before 3.0.0 is vulnerable to Cross-site Scripting (XSS) attacks when a cross-domain Ajax request is performed without the dataType option, causing text/javascript responses to be executed.

Publish Date: 2018-01-18

URL: CVE-2015-9251

CVSS 3 Score Details (6.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2015-9251

Release Date: 2018-01-18

Fix Resolution: jQuery - v3.0.0

Vulnerable Library - github.com/golang/crypto-a769d52b0f97a420f3dcafc17f8b3384217859a2

[mirror] Go supplementary cryptography libraries

Dependency Hierarchy:

• github.com/gin-gonic/gin-v1.7.7 (Root Library)
  • github.com/go-playground/validator/v10-v10.9.0
    • ❌ github.com/golang/crypto-a769d52b0f97a420f3dcafc17f8b3384217859a2 (Vulnerable Library)

Found in HEAD commit: 337b33b514b0a65fd52482aa10cefd0cbf566398

Found in base branch: master

Vulnerability Details

There's an input validation flaw in golang.org/x/crypto's readCipherPacket() function. An unauthenticated attacker who sends an empty plaintext packet to a program linked with golang.org/x/crypto/ssh could cause a panic, potentially leading to denial of service.

Publish Date: 2021-11-10

URL: CVE-2021-43565

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Vulnerable Library - github.com/smartystreets/goconvey-v1.6.4

Go testing in the browser. Integrates with `go test`. Write behavioral tests in Go.

Dependency Hierarchy:

• github.com/spf13/viper-v1.8.1 (Root Library)
  • github.com/go-ini/ini-v1.62.0
    • ❌ github.com/smartystreets/goconvey-v1.6.4 (Vulnerable Library)

Found in HEAD commit: 3b232af8b9a5f8a3aa4da628daf24ce315858de4

Found in base branch: master

Vulnerability Details

Cross-site scripting (XSS) vulnerability in jQuery UI before 1.12.0 might allow remote attackers to inject arbitrary web script or HTML via the closeText parameter of the dialog function.

Publish Date: 2017-03-15

URL: CVE-2016-7103

CVSS 3 Score Details (6.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2016-7103

Release Date: 2017-03-15

Fix Resolution: 1.12.0

Vulnerable Library - github.com/smartystreets/goconvey-v1.6.4

Go testing in the browser. Integrates with `go test`. Write behavioral tests in Go.

Dependency Hierarchy:

• github.com/spf13/viper-v1.8.1 (Root Library)
  • github.com/go-ini/ini-v1.62.0
    • ❌ github.com/smartystreets/goconvey-v1.6.4 (Vulnerable Library)

Found in HEAD commit: 3b232af8b9a5f8a3aa4da628daf24ce315858de4

Found in base branch: master

Vulnerability Details

jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. If an unsanitized source object contained an enumerable proto property, it could extend the native Object.prototype.

Publish Date: 2019-04-20

URL: CVE-2019-11358

CVSS 3 Score Details (6.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11358

Release Date: 2019-04-20

Fix Resolution: 3.4.0