fire-gtfs's People

Contributors

aces6, asauray, mend-bolt-for-github[bot]


fire-gtfs's Issues

WS-2018-0096 (High) detected in base64url-1.0.6.tgz, base64url-0.0.6.tgz

WS-2018-0096 - High Severity Vulnerability

Vulnerable Libraries - base64url-1.0.6.tgz, base64url-0.0.6.tgz

base64url-1.0.6.tgz

For encoding to/from base64urls

Library home page: https://registry.npmjs.org/base64url/-/base64url-1.0.6.tgz

Path to dependency file: /fire-gtfs/node_modules/jsonwebtoken/package.json

Path to vulnerable library: /tmp/git/fire-gtfs/node_modules/jsonwebtoken/node_modules/jws/node_modules/base64url/package.json

Dependency Hierarchy:

  • jws-3.1.3.tgz (Root Library)
    • base64url-1.0.6.tgz (Vulnerable Library)

base64url-0.0.6.tgz

For encoding to/from base64urls

Library home page: https://registry.npmjs.org/base64url/-/base64url-0.0.6.tgz

Path to dependency file: /fire-gtfs/node_modules/jwa/package.json

Path to vulnerable library: /fire-gtfs/node_modules/jwa/node_modules/base64url/package.json

Dependency Hierarchy:

  • base64url-0.0.6.tgz (Vulnerable Library)

Found in HEAD commit: e7c17947221e9fd129f694decf0907584bf84316

Vulnerability Details

Versions of base64url before 3.0.0 are vulnerable to out-of-bounds reads because they allocate uninitialized Buffers when a number is passed as input on Node.js 4.x and below.

Publish Date: 2018-05-16

URL: WS-2018-0096

CVSS 2 Score Details (7.1)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: https://hackerone.com/reports/321687

Release Date: 2019-01-24

Fix Resolution: 3.0.0


Step up your Open Source Security Game with WhiteSource here

CVE-2017-16119 (High) detected in fresh-0.3.0.tgz

CVE-2017-16119 - High Severity Vulnerability

Vulnerable Library - fresh-0.3.0.tgz

HTTP response freshness testing

Library home page: https://registry.npmjs.org/fresh/-/fresh-0.3.0.tgz

Path to dependency file: /fire-gtfs/node_modules/express/package.json

Path to vulnerable library: /fire-gtfs/node_modules/express/node_modules/fresh/package.json

Dependency Hierarchy:

  • fresh-0.3.0.tgz (Vulnerable Library)

Found in HEAD commit: e7c17947221e9fd129f694decf0907584bf84316

Vulnerability Details

Fresh is a module used by the Express.js framework for HTTP response freshness testing. It is vulnerable to a regular expression denial of service when it is passed specially crafted input to parse. This blocks the event loop, causing a denial of service condition.

Publish Date: 2018-06-07

URL: CVE-2017-16119

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.


CVE-2016-10539 (High) detected in negotiator-0.5.3.tgz

CVE-2016-10539 - High Severity Vulnerability

Vulnerable Library - negotiator-0.5.3.tgz

HTTP content negotiation

Library home page: https://registry.npmjs.org/negotiator/-/negotiator-0.5.3.tgz

Path to dependency file: /fire-gtfs/node_modules/express/package.json

Path to vulnerable library: /tmp/git/fire-gtfs/node_modules/express/node_modules/accepts/node_modules/negotiator/package.json

Dependency Hierarchy:

  • accepts-1.2.13.tgz (Root Library)
    • negotiator-0.5.3.tgz (Vulnerable Library)

Found in HEAD commit: e7c17947221e9fd129f694decf0907584bf84316

Vulnerability Details

negotiator is an HTTP content negotiator for Node.js and is used by many modules and frameworks including Express and Koa. The "Accept-Language" header, when parsed by negotiator 0.6.0 and earlier, is vulnerable to Regular Expression Denial of Service via a specially crafted string.

Publish Date: 2018-05-31

URL: CVE-2016-10539

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://nodesecurity.io/advisories/106

Release Date: 2016-06-16

Fix Resolution: Upgrade to at least version 0.6.1

Express users should update to Express 4.14.0 or greater. To check whether your application reaches the affected code, grep it for calls to the acceptsLanguages function.


WS-2016-0075 (Medium) detected in moment-2.12.0.tgz, moment-2.13.0.tgz

WS-2016-0075 - Medium Severity Vulnerability

Vulnerable Libraries - moment-2.12.0.tgz, moment-2.13.0.tgz

moment-2.12.0.tgz

Parse, validate, manipulate, and display dates

Library home page: https://registry.npmjs.org/moment/-/moment-2.12.0.tgz

Path to dependency file: /fire-gtfs/node_modules/navitia/package.json

Path to vulnerable library: /fire-gtfs/node_modules/navitia/node_modules/moment/package.json

Dependency Hierarchy:

  • moment-2.12.0.tgz (Vulnerable Library)

moment-2.13.0.tgz

Parse, validate, manipulate, and display dates

Library home page: https://registry.npmjs.org/moment/-/moment-2.13.0.tgz

Path to dependency file: /fire-gtfs/node_modules/sequelize/package.json

Path to vulnerable library: /fire-gtfs/node_modules/sequelize/node_modules/moment/package.json

Dependency Hierarchy:

  • moment-2.13.0.tgz (Vulnerable Library)

Found in HEAD commit: e7c17947221e9fd129f694decf0907584bf84316

Vulnerability Details

Regular expression denial of service vulnerability in the moment package, triggered by a specific 40-character string passed to the "format" method.

Publish Date: 2016-10-24

URL: WS-2016-0075

CVSS 2 Score Details (5.8)

Base Score Metrics not available

Suggested Fix

Type: Change files

Origin: moment/moment@663f33e

Release Date: 2016-10-24

Fix Resolution: Replace or update the following files: month.js, lt.js


WS-2018-0111 (High) detected in base64-url-1.2.1.tgz

WS-2018-0111 - High Severity Vulnerability

Vulnerable Library - base64-url-1.2.1.tgz

Base64 encode, decode, escape and unescape for URL applications

Library home page: https://registry.npmjs.org/base64-url/-/base64-url-1.2.1.tgz

Path to dependency file: /fire-gtfs/node_modules/jsonwebtoken/package.json

Path to vulnerable library: /tmp/git/fire-gtfs/node_modules/jsonwebtoken/node_modules/jws/node_modules/jwa/node_modules/ecdsa-sig-formatter/node_modules/base64-url/package.json

Dependency Hierarchy:

  • jws-3.1.3.tgz (Root Library)
    • jwa-1.1.3.tgz
      • ecdsa-sig-formatter-1.0.5.tgz
        • base64-url-1.2.1.tgz (Vulnerable Library)

Found in HEAD commit: e7c17947221e9fd129f694decf0907584bf84316

Vulnerability Details

Versions of base64-url before 2.0.0 are vulnerable to out-of-bounds reads because they allocate uninitialized Buffers when a number is passed as input.

Publish Date: 2018-05-16

URL: WS-2018-0111

CVSS 2 Score Details (8.6)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: https://nodesecurity.io/advisories/660

Release Date: 2018-01-27

Fix Resolution: 2.0.0


WS-2017-0247 (Low) detected in ms-0.7.1.tgz

WS-2017-0247 - Low Severity Vulnerability

Vulnerable Library - ms-0.7.1.tgz

Tiny ms conversion utility

Library home page: https://registry.npmjs.org/ms/-/ms-0.7.1.tgz

Path to dependency file: /fire-gtfs/node_modules/morgan/package.json

Path to vulnerable library: /tmp/git/fire-gtfs/node_modules/body-parser/node_modules/debug/node_modules/ms/package.json, /fire-gtfs/node_modules/body-parser/node_modules/debug/node_modules/ms/package.json

Dependency Hierarchy:

  • debug-2.2.0.tgz (Root Library)
    • ms-0.7.1.tgz (Vulnerable Library)

Found in HEAD commit: e7c17947221e9fd129f694decf0907584bf84316

Vulnerability Details

Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS).

Publish Date: 2017-05-15

URL: WS-2017-0247

CVSS 2 Score Details (3.4)

Base Score Metrics not available

Suggested Fix

Type: Change files

Origin: vercel/ms@305f2dd

Release Date: 2017-04-12

Fix Resolution: Replace or update the following file: index.js


CVE-2017-16137 (Medium) detected in debug-2.2.0.tgz

CVE-2017-16137 - Medium Severity Vulnerability

Vulnerable Library - debug-2.2.0.tgz

small debugging utility

Library home page: https://registry.npmjs.org/debug/-/debug-2.2.0.tgz

Path to dependency file: /fire-gtfs/node_modules/morgan/package.json

Path to vulnerable library: /fire-gtfs/node_modules/body-parser/node_modules/debug/package.json

Dependency Hierarchy:

  • debug-2.2.0.tgz (Vulnerable Library)

Found in HEAD commit: e7c17947221e9fd129f694decf0907584bf84316

Vulnerability Details

The debug module is vulnerable to regular expression denial of service when untrusted user input is passed into the `%o` formatter. It takes around 50k characters to block for 2 seconds, making this a low severity issue.

Publish Date: 2018-06-07

URL: CVE-2017-16137

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: Low

Suggested Fix

Type: Change files

Origin: debug-js/debug@42a6ae0

Release Date: 2017-09-21

Fix Resolution: Replace or update the following file: node.js


CVE-2017-16118 (High) detected in forwarded-0.1.0.tgz

CVE-2017-16118 - High Severity Vulnerability

Vulnerable Library - forwarded-0.1.0.tgz

Parse HTTP X-Forwarded-For header

Library home page: https://registry.npmjs.org/forwarded/-/forwarded-0.1.0.tgz

Path to dependency file: /fire-gtfs/node_modules/express/package.json

Path to vulnerable library: /tmp/git/fire-gtfs/node_modules/express/node_modules/proxy-addr/node_modules/forwarded/package.json

Dependency Hierarchy:

  • proxy-addr-1.0.10.tgz (Root Library)
    • forwarded-0.1.0.tgz (Vulnerable Library)

Found in HEAD commit: e7c17947221e9fd129f694decf0907584bf84316

Vulnerability Details

The forwarded module is used by the Express.js framework to handle the X-Forwarded-For header. It is vulnerable to a regular expression denial of service when it is passed specially crafted input to parse. This blocks the event loop, causing a denial of service condition.

Publish Date: 2018-06-07

URL: CVE-2017-16118

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://nodesecurity.io/advisories/527

Release Date: 2017-09-26

Fix Resolution: Update to version 0.1.2 or later


WS-2018-0075 (Medium) detected in concat-stream-1.4.10.tgz

WS-2018-0075 - Medium Severity Vulnerability

Vulnerable Library - concat-stream-1.4.10.tgz

writable stream that concatenates strings or binary data and calls a callback with the result

Library home page: https://registry.npmjs.org/concat-stream/-/concat-stream-1.4.10.tgz

Path to dependency file: /fire-gtfs/node_modules/jsonwebtoken/package.json

Path to vulnerable library: /tmp/git/fire-gtfs/node_modules/jsonwebtoken/node_modules/jws/node_modules/base64url/node_modules/concat-stream/package.json

Dependency Hierarchy:

  • jws-3.1.3.tgz (Root Library)
    • base64url-1.0.6.tgz
      • concat-stream-1.4.10.tgz (Vulnerable Library)

Found in HEAD commit: e7c17947221e9fd129f694decf0907584bf84316

Vulnerability Details

Versions of concat-stream before 1.5.2 are vulnerable to memory exposure if user-provided input is passed into write().

Versions before 1.3.0 are not affected because they do not use the unguarded Buffer constructor.

Publish Date: 2018-04-25

URL: WS-2018-0075

CVSS 2 Score Details (5.0)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: https://nodesecurity.io/advisories/597

Release Date: 2018-01-27

Fix Resolution: 1.5.2


CVE-2017-18214 (High) detected in moment-2.12.0.tgz, moment-2.13.0.tgz

CVE-2017-18214 - High Severity Vulnerability

Vulnerable Libraries - moment-2.12.0.tgz, moment-2.13.0.tgz

moment-2.12.0.tgz

Parse, validate, manipulate, and display dates

Library home page: https://registry.npmjs.org/moment/-/moment-2.12.0.tgz

Path to dependency file: /fire-gtfs/node_modules/navitia/package.json

Path to vulnerable library: /fire-gtfs/node_modules/navitia/node_modules/moment/package.json

Dependency Hierarchy:

  • moment-2.12.0.tgz (Vulnerable Library)

moment-2.13.0.tgz

Parse, validate, manipulate, and display dates

Library home page: https://registry.npmjs.org/moment/-/moment-2.13.0.tgz

Path to dependency file: /fire-gtfs/node_modules/sequelize/package.json

Path to vulnerable library: /fire-gtfs/node_modules/sequelize/node_modules/moment/package.json

Dependency Hierarchy:

  • moment-2.13.0.tgz (Vulnerable Library)

Found in HEAD commit: e7c17947221e9fd129f694decf0907584bf84316

Vulnerability Details

The moment module before 2.19.3 for Node.js is prone to a regular expression denial of service via a crafted date string, a different vulnerability than CVE-2016-4055.

Publish Date: 2018-03-04

URL: CVE-2017-18214

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://nodesecurity.io/advisories/532

Release Date: 2017-11-27

Fix Resolution: Update to version 2.19.3


WS-2017-0266 (Medium) detected in http-signature-0.11.0.tgz

WS-2017-0266 - Medium Severity Vulnerability

Vulnerable Library - http-signature-0.11.0.tgz

Reference implementation of Joyent's HTTP Signature scheme.

Library home page: https://registry.npmjs.org/http-signature/-/http-signature-0.11.0.tgz

Path to dependency file: /fire-gtfs/node_modules/google-auth-library/package.json

Path to vulnerable library: /tmp/git/fire-gtfs/node_modules/google-auth-library/node_modules/http-signature/package.json

Dependency Hierarchy:

  • request-2.60.0.tgz (Root Library)
    • http-signature-0.11.0.tgz (Vulnerable Library)

Found in HEAD commit: e7c17947221e9fd129f694decf0907584bf84316

Vulnerability Details

Affected versions (before 1.0.0) of the http-signature package are vulnerable to timing attacks.

Publish Date: 2017-06-28

URL: WS-2017-0266

CVSS 2 Score Details (5.5)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: TritonDataCenter/node-http-signature#36

Release Date: 2017-01-31

Fix Resolution: 1.0.0


CVE-2017-16026 (Medium) detected in request-2.60.0.tgz

CVE-2017-16026 - Medium Severity Vulnerability

Vulnerable Library - request-2.60.0.tgz

Simplified HTTP request client.

Library home page: https://registry.npmjs.org/request/-/request-2.60.0.tgz

Path to dependency file: /fire-gtfs/node_modules/google-auth-library/package.json

Path to vulnerable library: /fire-gtfs/node_modules/google-auth-library/node_modules/request/package.json

Dependency Hierarchy:

  • request-2.60.0.tgz (Vulnerable Library)

Found in HEAD commit: e7c17947221e9fd129f694decf0907584bf84316

Vulnerability Details

Request is an HTTP client. If a request is made using multipart and the body type is a number, then that many bytes of uninitialized (non-zeroed) memory are sent as the body. This affects Request >=2.2.6 <2.47.0 || >2.51.0 <=2.67.0.

Publish Date: 2018-06-04

URL: CVE-2017-16026

CVSS 3 Score Details (5.9)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2017-16026

Release Date: 2018-06-04

Fix Resolution: 2.47.1,2.67.1


CVE-2018-3721 (Medium) detected in lodash-4.12.0.tgz

CVE-2018-3721 - Medium Severity Vulnerability

Vulnerable Library - lodash-4.12.0.tgz

Lodash modular utilities.

Library home page: https://registry.npmjs.org/lodash/-/lodash-4.12.0.tgz

Path to dependency file: /fire-gtfs/node_modules/sequelize/package.json

Path to vulnerable library: /fire-gtfs/node_modules/sequelize/node_modules/lodash/package.json

Dependency Hierarchy:

  • lodash-4.12.0.tgz (Vulnerable Library)

Found in HEAD commit: e7c17947221e9fd129f694decf0907584bf84316

Vulnerability Details

lodash node module before 4.17.5 suffers from a Modification of Assumed-Immutable Data (MAID) vulnerability via the defaultsDeep, merge, and mergeWith functions, which allows a malicious user to modify the prototype of "Object" via `__proto__`, causing the addition or modification of a property that will exist on all objects.

Publish Date: 2018-06-07

URL: CVE-2018-3721

CVSS 3 Score Details (6.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: High
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2018-3721

Release Date: 2018-06-07

Fix Resolution: 4.17.5


CVE-2018-16487 (High) detected in lodash-4.12.0.tgz

CVE-2018-16487 - High Severity Vulnerability

Vulnerable Library - lodash-4.12.0.tgz

Lodash modular utilities.

Library home page: https://registry.npmjs.org/lodash/-/lodash-4.12.0.tgz

Path to dependency file: /fire-gtfs/node_modules/sequelize/package.json

Path to vulnerable library: /fire-gtfs/node_modules/sequelize/node_modules/lodash/package.json

Dependency Hierarchy:

  • lodash-4.12.0.tgz (Vulnerable Library)

Found in HEAD commit: e7c17947221e9fd129f694decf0907584bf84316

Vulnerability Details

A prototype pollution vulnerability was found in lodash <4.17.11 where the functions merge, mergeWith, and defaultsDeep can be tricked into adding or modifying properties of Object.prototype.

Publish Date: 2019-02-01

URL: CVE-2018-16487

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-16487

Release Date: 2019-02-01

Fix Resolution: 4.17.11

