eldorplus / conception-website Goto Github PK

Vulnerable Libraries - node-sass-4.13.1.tgz, CSS::Sassv3.4.11

Found in HEAD commit: 388e228fdc3fb332f3a4d2cb33d84668e0e8f99a

Found in base branch: develop

Vulnerability Details

In LibSass prior to 3.5.5, the function handle_error in sass_context.cpp allows attackers to cause a denial-of-service resulting from a heap-based buffer over-read via a crafted sass file.

Publish Date: 2018-12-04

URL: CVE-2018-19839

CVSS 3 Score Details (3.7)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Release Date: 2018-12-04

Fix Resolution: Fable.Template.Elmish.React - 0.1.6;GR.PageRender.Razor - 1.8.0;MIDIator.WebClient - 1.0.105

Vulnerable Library - growl-1.9.2.tgz

Growl unobtrusive notifications

Library home page: https://registry.npmjs.org/growl/-/growl-1.9.2.tgz

Path to dependency file: /conception-website/package.json

Path to vulnerable library: /node_modules/growl/package.json,/node_modules/growl/package.json

Dependency Hierarchy:

• mocha-3.4.2.tgz (Root Library)
  • ❌ growl-1.9.2.tgz (Vulnerable Library)

Found in HEAD commit: 388e228fdc3fb332f3a4d2cb33d84668e0e8f99a

Found in base branch: develop

Vulnerability Details

Growl adds growl notification support to nodejs. Growl before 1.10.2 does not properly sanitize input before passing it to exec, allowing for arbitrary command execution.

Publish Date: 2018-06-04

URL: CVE-2017-16042

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2017-16042

Release Date: 2018-04-26

Fix Resolution (growl): 1.10.2

Direct dependency fix Resolution (mocha): 4.0.0

Vulnerable Libraries - lodash-4.16.6.tgz, lodash-3.10.1.tgz

Found in HEAD commit: 388e228fdc3fb332f3a4d2cb33d84668e0e8f99a

Found in base branch: develop

Vulnerability Details

lodash node module before 4.17.5 suffers from a Modification of Assumed-Immutable Data (MAID) vulnerability via defaultsDeep, merge, and mergeWith functions, which allows a malicious user to modify the prototype of "Object" via proto, causing the addition or modification of an existing property that will exist on all objects.

Publish Date: 2018-06-07

URL: CVE-2018-3721

CVSS 3 Score Details (6.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: High
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/1067

Release Date: 2018-06-07

Fix Resolution (lodash): 4.17.5

Direct dependency fix Resolution (node-sass): 4.14.0

Fix Resolution (lodash): 4.17.5

Direct dependency fix Resolution (karma-webpack): 2.0.10

Vulnerable Library - opennmsopennms-source-26.0.0-1

A Java based fault and performance management system

Library home page: https://sourceforge.net/projects/opennms/

Found in HEAD commit: 388e228fdc3fb332f3a4d2cb33d84668e0e8f99a

Found in base branch: develop

Vulnerable Source Files (1)

/node_modules/node-sass/src/libsass/src/ast.hpp

Vulnerability Details

LibSass 3.5.4 allows attackers to cause a denial-of-service (uncontrolled recursion in Sass::Complex_Selector::perform in ast.hpp and Sass::Inspect::operator in inspect.cpp).

Publish Date: 2019-04-23

URL: CVE-2018-20822

CVSS 3 Score Details (6.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Release Date: 2019-04-23

Fix Resolution: libsass - 3.5.5;node-sass - 4.14.0

Vulnerable Libraries - mime-1.3.4.tgz, mime-1.3.6.tgz

Found in HEAD commit: 388e228fdc3fb332f3a4d2cb33d84668e0e8f99a

Found in base branch: develop

Vulnerability Details

The mime module < 1.4.1, 2.0.1, 2.0.2 is vulnerable to regular expression denial of service when a mime lookup is performed on untrusted user input.

Publish Date: 2018-06-07

URL: CVE-2017-16138

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16138

Release Date: 2018-04-26

Fix Resolution (mime): 1.4.1

Direct dependency fix Resolution (express): 4.16.0

Fix Resolution (mime): 1.4.1

Direct dependency fix Resolution (webpack-dev-middleware): 1.11.0

Vulnerable Libraries - node-sass-4.13.1.tgz, opennmsopennms-source-26.0.0-1, CSS::Sassv3.4.11

Found in HEAD commit: 388e228fdc3fb332f3a4d2cb33d84668e0e8f99a

Found in base branch: develop

Vulnerability Details

An issue was discovered in LibSass through 3.5.4. An out-of-bounds read of a memory region was found in the function Sass::Prelexer::exactly() which could be leveraged by an attacker to disclose information or manipulated to read from unmapped memory causing a denial of service.

Publish Date: 2018-06-04

URL: CVE-2018-11697

CVSS 3 Score Details (4.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: None
  • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Release Date: 2018-06-04

Fix Resolution: 4.14.0

Vulnerable Library - cryptiles-2.0.5.tgz

General purpose crypto utilities

Library home page: https://registry.npmjs.org/cryptiles/-/cryptiles-2.0.5.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/cryptiles/package.json

Dependency Hierarchy:

• phantomjs-prebuilt-2.1.14.tgz (Root Library)
  • request-2.79.0.tgz
    • hawk-3.1.3.tgz
      • ❌ cryptiles-2.0.5.tgz (Vulnerable Library)

Found in HEAD commit: 388e228fdc3fb332f3a4d2cb33d84668e0e8f99a

Found in base branch: develop

Vulnerability Details

Eran Hammer cryptiles version 4.1.1 earlier contains a CWE-331: Insufficient Entropy vulnerability in randomDigits() method that can result in An attacker is more likely to be able to brute force something that was supposed to be random.. This attack appear to be exploitable via Depends upon the calling application.. This vulnerability appears to have been fixed in 4.1.2.

Publish Date: 2018-07-09

URL: CVE-2018-1000620

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-1000620

Release Date: 2018-07-09

Fix Resolution (cryptiles): 4.1.2

Direct dependency fix Resolution (phantomjs-prebuilt): 2.1.16

Vulnerable Library - jquery-1.7.2.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.7.2/jquery.min.js

Path to dependency file: /node_modules/js-base64/test/index.html

Path to vulnerable library: /node_modules/js-base64/test/index.html

Dependency Hierarchy:

• ❌ jquery-1.7.2.min.js (Vulnerable Library)

Found in HEAD commit: d01989566d2a70e542b08bc943c5de9d223ce39d

Found in base branch: develop

Vulnerability Details

jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. If an unsanitized source object contained an enumerable proto property, it could extend the native Object.prototype.

Publish Date: 2019-04-20

URL: CVE-2019-11358

CVSS 3 Score Details (6.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11358

Release Date: 2019-04-20

Fix Resolution: jquery - 3.4.0

Vulnerable Libraries - lodash-4.16.6.tgz, lodash.defaultsdeep-4.3.2.tgz, lodash-3.10.1.tgz

Found in HEAD commit: 388e228fdc3fb332f3a4d2cb33d84668e0e8f99a

Found in base branch: develop

Vulnerability Details

Versions of lodash lower than 4.17.12 are vulnerable to Prototype Pollution. The function defaultsDeep could be tricked into adding or modifying properties of Object.prototype using a constructor payload.

Publish Date: 2019-07-26

URL: CVE-2019-10744

CVSS 3 Score Details (9.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-jf85-cpcp-j695

Release Date: 2019-07-26

Fix Resolution (lodash): 4.17.12

Direct dependency fix Resolution (node-sass): 4.14.0

Fix Resolution (lodash.defaultsdeep): 4.17.12

Direct dependency fix Resolution (nightwatch): 0.9.16

Fix Resolution (lodash): 4.17.12

Direct dependency fix Resolution (karma-webpack): 2.0.10

Vulnerable Library - lodash.defaultsdeep-4.3.2.tgz

The lodash method `_.defaultsDeep` exported as a module.

Library home page: https://registry.npmjs.org/lodash.defaultsdeep/-/lodash.defaultsdeep-4.3.2.tgz

Path to dependency file: /conception-website/package.json

Path to vulnerable library: /node_modules/lodash.defaultsdeep/package.json,/node_modules/lodash.defaultsdeep/package.json

Dependency Hierarchy:

• nightwatch-0.9.15.tgz (Root Library)
  • ❌ lodash.defaultsdeep-4.3.2.tgz (Vulnerable Library)

Found in HEAD commit: 388e228fdc3fb332f3a4d2cb33d84668e0e8f99a

Found in base branch: develop

Vulnerability Details

lodash.defaultsdeep before 4.6.1 is vulnerable to Prototype Pollution. The function defaultsDeep() may allow a malicious user to modify the prototype of Object via proto causing the addition or modification of an existing property that will exist on all objects.

Publish Date: 2019-08-14

URL: WS-2019-0181

CVSS 3 Score Details (6.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/1070

Release Date: 2019-08-14

Fix Resolution (lodash.defaultsdeep): 4.6.1

Direct dependency fix Resolution (nightwatch): 1.0.4

Vulnerable Library - serialize-javascript-1.7.0.tgz

Serialize JavaScript to a superset of JSON that includes regular expressions and functions.

Library home page: https://registry.npmjs.org/serialize-javascript/-/serialize-javascript-1.7.0.tgz

Path to dependency file: /conception-website/package.json

Path to vulnerable library: conception-website/node_modules/serialize-javascript/package.json

Dependency Hierarchy:

• copy-webpack-plugin-4.6.0.tgz (Root Library)
  • ❌ serialize-javascript-1.7.0.tgz (Vulnerable Library)

Found in HEAD commit: d01989566d2a70e542b08bc943c5de9d223ce39d

Vulnerability Details

The serialize-javascript npm package before version 2.1.1 is vulnerable to Cross-site Scripting (XSS). It does not properly mitigate against unsafe characters in serialized regular expressions. This vulnerability is not affected on Node.js environment since Node.js's implementation of RegExp.prototype.toString() backslash-escapes all forward slashes in regular expressions. If serialized data of regular expression objects are used in an environment other than Node.js, it is affected by this vulnerability.

Publish Date: 2019-12-05

URL: CVE-2019-16769

CVSS 3 Score Details (5.4)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: Required
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16769

Release Date: 2019-12-05

Fix Resolution: v2.1.1

Vulnerable Library - https-proxy-agent-1.0.0.tgz

An HTTP(s) proxy `http.Agent` implementation for HTTPS

Library home page: https://registry.npmjs.org/https-proxy-agent/-/https-proxy-agent-1.0.0.tgz

Path to dependency file: /conception-website/package.json

Path to vulnerable library: /node_modules/pac-proxy-agent/node_modules/https-proxy-agent/package.json,/node_modules/https-proxy-agent/package.json

Dependency Hierarchy:

• nightwatch-0.9.15.tgz (Root Library)
  • proxy-agent-2.0.0.tgz
    • ❌ https-proxy-agent-1.0.0.tgz (Vulnerable Library)

Found in HEAD commit: 388e228fdc3fb332f3a4d2cb33d84668e0e8f99a

Found in base branch: develop

Vulnerability Details

https-proxy-agent before 2.1.1 passes auth option to the Buffer constructor without proper sanitization, resulting in DoS and uninitialized memory leak in setups where an attacker could submit typed input to the 'auth' parameter (e.g. JSON).

Publish Date: 2018-06-07

URL: CVE-2018-3739

CVSS 3 Score Details (9.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3739

Release Date: 2018-04-26

Fix Resolution (https-proxy-agent): 2.2.0

Direct dependency fix Resolution (nightwatch): 1.0.4

Vulnerable Libraries - diff-3.2.0.tgz, diff-1.4.0.tgz

Found in HEAD commit: 388e228fdc3fb332f3a4d2cb33d84668e0e8f99a

Found in base branch: develop

Vulnerability Details

A vulnerability was found in diff before v3.5.0, the affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) attacks.

Publish Date: 2018-03-05

URL: WS-2018-0590

CVSS 3 Score Details (7.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Release Date: 2018-03-05

Fix Resolution (diff): 3.5.0

Direct dependency fix Resolution (mocha): 5.0.3

Fix Resolution (diff): 3.5.0

Direct dependency fix Resolution (nightwatch): 1.0.1

Vulnerable Library - tar-2.2.1.tgz

tar for node

Library home page: https://registry.npmjs.org/tar/-/tar-2.2.1.tgz

Path to dependency file: /conception-website/package.json

Path to vulnerable library: /tmp/git/conception-website/node_modules/grpc/node_modules/tar/package.json

Dependency Hierarchy:

• firebase-4.13.1.tgz (Root Library)
  • firestore-0.4.1.tgz
    • grpc-1.10.1.tgz
      • node-pre-gyp-0.7.0.tgz
        • ❌ tar-2.2.1.tgz (Vulnerable Library)

Found in HEAD commit: aafabe1f890f6614128b3e3a46fcacc878d945e9

Vulnerability Details

Versions of node-tar prior to 4.4.2 are vulnerable to Arbitrary File Overwrite. Extracting tarballs containing a hardlink to a file that already exists in the system, and a file that matches the hardlink will overwrite the system's file with the contents of the extracted file.

Publish Date: 2019-04-05

URL: WS-2019-0047

CVSS 2 Score Details (5.0)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/803

Release Date: 2019-04-05

Fix Resolution: 4.4.2

Vulnerable Libraries - js-yaml-3.8.4.tgz, js-yaml-3.7.0.tgz

Found in HEAD commit: 388e228fdc3fb332f3a4d2cb33d84668e0e8f99a

Found in base branch: develop

Vulnerability Details

Js-yaml prior to 3.13.1 are vulnerable to Code Injection. The load() function may execute arbitrary code injected through a malicious YAML file.

Publish Date: 2019-04-05

URL: WS-2019-0063

CVSS 3 Score Details (8.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/813

Release Date: 2019-04-05

Fix Resolution (js-yaml): 3.13.1

Direct dependency fix Resolution (eslint): 4.0.0

Fix Resolution (js-yaml): 3.13.1

Direct dependency fix Resolution (optimize-css-assets-webpack-plugin): 2.0.0

Vulnerable Libraries - node-sass-4.13.1.tgz, opennmsopennms-source-26.0.0-1

Found in HEAD commit: 388e228fdc3fb332f3a4d2cb33d84668e0e8f99a

Found in base branch: develop

Vulnerability Details

In LibSass 3.5.5, a heap-based buffer over-read exists in Sass::Prelexer::parenthese_scope in prelexer.hpp.

Publish Date: 2019-01-14

URL: CVE-2019-6283

CVSS 3 Score Details (6.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Release Date: 2019-01-14

Fix Resolution: Fable.Template.Elmish.React - 0.1.6;GR.PageRender.Razor - 1.8.0;MIDIator.WebClient - 1.0.105

Vulnerable Library - mime-1.3.6.tgz

A comprehensive library for mime-type mapping

Library home page: https://registry.npmjs.org/mime/-/mime-1.3.6.tgz

Path to dependency file: /conception-website/package.json

Path to vulnerable library: /tmp/git/conception-website/node_modules/url-loader/node_modules/mime/package.json

Dependency Hierarchy:

• url-loader-0.5.9.tgz (Root Library)
  • ❌ mime-1.3.6.tgz (Vulnerable Library)

Found in HEAD commit: aafabe1f890f6614128b3e3a46fcacc878d945e9

Vulnerability Details

Affected version of mime (1.0.0 throw 1.4.0 and 2.0.0 throw 2.0.2), are vulnerable to regular expression denial of service.

Publish Date: 2017-09-27

URL: WS-2017-0330

CVSS 2 Score Details (5.0)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: broofa/mime@1df903f

Release Date: 2019-04-03

Fix Resolution: 1.4.1,2.0.3

Vulnerable Libraries - debug-3.2.6.tgz, debug-0.7.4.tgz, debug-2.6.0.tgz, debug-2.6.7.tgz, debug-2.6.8.tgz, debug-2.3.3.tgz, debug-2.2.0.tgz

Found in HEAD commit: 388e228fdc3fb332f3a4d2cb33d84668e0e8f99a

Found in base branch: develop

Vulnerability Details

The debug module is vulnerable to regular expression denial of service when untrusted user input is passed into the o formatter. It takes around 50k characters to block for 2 seconds making this a low severity issue.

Publish Date: 2018-06-07

URL: CVE-2017-16137

CVSS 3 Score Details (3.7)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: GHSA-gxpj-cx7g-858c

Release Date: 2018-04-26

Fix Resolution (debug): 3.2.7

Direct dependency fix Resolution (googleapis): 39.2.0

Fix Resolution (debug): 3.2.7

Direct dependency fix Resolution (phantomjs-prebuilt): 2.1.15

Fix Resolution (debug): 3.2.7

Direct dependency fix Resolution (mocha): 3.5.0

Fix Resolution (debug): 3.2.7

Direct dependency fix Resolution (express): 4.15.4

Fix Resolution (debug): 3.2.7

Direct dependency fix Resolution (babel-core): 6.25.0

Fix Resolution (debug): 3.2.7

Direct dependency fix Resolution (karma): 1.7.1

Fix Resolution (debug): 3.2.7

Direct dependency fix Resolution (karma): 1.7.1

Vulnerable Library - eslint-3.19.0.tgz

An AST-based pattern checker for JavaScript.

Library home page: https://registry.npmjs.org/eslint/-/eslint-3.19.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/eslint/package.json

Dependency Hierarchy:

• ❌ eslint-3.19.0.tgz (Vulnerable Library)

Found in HEAD commit: 388e228fdc3fb332f3a4d2cb33d84668e0e8f99a

Found in base branch: develop

Vulnerability Details

A vulnerability was descovered in eslint before 4.18.2. One of the regexes in eslint is vulnerable to catastrophic backtracking.

Publish Date: 2018-02-27

URL: WS-2018-0347

CVSS 3 Score Details (5.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Release Date: 2018-02-27

Fix Resolution: 4.18.2

Vulnerable Libraries - braces-1.8.5.tgz, braces-0.1.5.tgz

Found in HEAD commit: aafabe1f890f6614128b3e3a46fcacc878d945e9

Vulnerability Details

Version of braces prior to 2.3.1 are vulnerable to Regular Expression Denial of Service (ReDoS). Untrusted input may cause catastrophic backtracking while matching regular expressions. This can cause the application to be unresponsive leading to Denial of Service.

Publish Date: 2019-03-25

URL: WS-2019-0019

CVSS 2 Score Details (5.0)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/786

Release Date: 2019-02-21

Fix Resolution: 2.3.1

Vulnerable Library - extend-3.0.1.tgz

Port of jQuery.extend for node.js and the browser

Library home page: https://registry.npmjs.org/extend/-/extend-3.0.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/extend/package.json

Dependency Hierarchy:

• eslint-friendly-formatter-2.0.7.tgz (Root Library)
  • ❌ extend-3.0.1.tgz (Vulnerable Library)

Found in HEAD commit: 388e228fdc3fb332f3a4d2cb33d84668e0e8f99a

Found in base branch: develop

Vulnerability Details

A prototype pollution vulnerability was found in module extend <2.0.2, ~<3.0.2 that allows an attacker to inject arbitrary properties onto Object.prototype.

Publish Date: 2019-02-01

URL: CVE-2018-16492

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://hackerone.com/reports/381185

Release Date: 2019-02-01

Fix Resolution (extend): 3.0.2

Direct dependency fix Resolution (eslint-friendly-formatter): 3.0.0

Vulnerable Library - hoek-2.16.3.tgz

General purpose node utilities

Library home page: https://registry.npmjs.org/hoek/-/hoek-2.16.3.tgz

Path to dependency file: /conception-website/package.json

Path to vulnerable library: /node_modules/hoek/package.json,/node_modules/hoek/package.json

Dependency Hierarchy:

• jsonwebtoken-7.4.1.tgz (Root Library)
  • joi-6.10.1.tgz
    • ❌ hoek-2.16.3.tgz (Vulnerable Library)

Found in HEAD commit: 388e228fdc3fb332f3a4d2cb33d84668e0e8f99a

Found in base branch: develop

Vulnerability Details

hoek node module before 4.2.0 and 5.0.x before 5.0.3 suffers from a Modification of Assumed-Immutable Data (MAID) vulnerability via 'merge' and 'applyToDefaults' functions, which allows a malicious user to modify the prototype of "Object" via proto, causing the addition or modification of an existing property that will exist on all objects.

Publish Date: 2018-03-30

URL: CVE-2018-3728

CVSS 3 Score Details (8.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16082

Release Date: 2018-03-30

Fix Resolution (hoek): 4.2.0

Direct dependency fix Resolution (jsonwebtoken): 8.0.0

Vulnerable Library - fstream-1.0.11.tgz

Advanced file system stream things

Library home page: https://registry.npmjs.org/fstream/-/fstream-1.0.11.tgz

Path to dependency file: /conception-website/package.json

Path to vulnerable library: conception-website/node_modules/grpc/node_modules/fstream/package.json

Dependency Hierarchy:

• firebase-4.13.1.tgz (Root Library)
  • firestore-0.4.1.tgz
    • grpc-1.10.1.tgz
      • node-pre-gyp-0.7.0.tgz
        • tar-2.2.1.tgz
          • ❌ fstream-1.0.11.tgz (Vulnerable Library)

Found in HEAD commit: aafabe1f890f6614128b3e3a46fcacc878d945e9

Vulnerability Details

fstream before 1.0.12 is vulnerable to Arbitrary File Overwrite. Extracting tarballs containing a hardlink to a file that already exists in the system, and a file that matches the hardlink, will overwrite the system's file with the contents of the extracted file. The fstream.DirWriter() function is vulnerable.

Publish Date: 2019-07-02

URL: CVE-2019-13173

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: High
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13173

Release Date: 2019-07-02

Fix Resolution: 1.0.12

Vulnerable Library - opennmsopennms-source-26.0.0-1

A Java based fault and performance management system

Library home page: https://sourceforge.net/projects/opennms/

Found in HEAD commit: aafabe1f890f6614128b3e3a46fcacc878d945e9

Found in base branch: develop

Vulnerable Source Files (1)

/node_modules/node-sass/src/libsass/src/inspect.cpp

Vulnerability Details

** DISPUTED ** In inspect.cpp in LibSass 3.5.5, a high memory footprint caused by an endless loop (containing a Sass::Inspect::operator()(Sass::String_Quoted*) stack frame) may cause a Denial of Service via crafted sass input files with stray '&' or '/' characters. NOTE: Upstream comments indicate this issue is closed as "won't fix" and "works as intended" by design.

Publish Date: 2018-12-03

URL: CVE-2018-19826

CVSS 3 Score Details (6.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Vulnerable Library - node-sassv4.12.0

🌈 Node.js bindings to libsass

Library home page: https://github.com/sass/node-sass.git

Found in HEAD commit: aafabe1f890f6614128b3e3a46fcacc878d945e9

Library Source Files (72)

* The source files were matched to this source library based on a best effort match. Source libraries are selected from a list of probable public libraries.

• /conception-website/node_modules/node-sass/src/libsass/src/expand.hpp
• /conception-website/node_modules/node-sass/src/libsass/src/expand.cpp
• /conception-website/node_modules/node-sass/src/sass_types/factory.cpp
• /conception-website/node_modules/node-sass/src/libsass/src/operators.cpp
• /conception-website/node_modules/node-sass/src/sass_types/boolean.cpp
• /conception-website/node_modules/node-sass/src/libsass/src/util.hpp
• /conception-website/node_modules/node-sass/src/sass_types/value.h
• /conception-website/node_modules/node-sass/src/libsass/src/emitter.hpp
• /conception-website/node_modules/node-sass/src/libsass/src/lexer.cpp
• /conception-website/node_modules/node-sass/src/callback_bridge.h
• /conception-website/node_modules/node-sass/src/libsass/src/file.cpp
• /conception-website/node_modules/node-sass/src/libsass/src/sass.cpp
• /conception-website/node_modules/node-sass/src/libsass/src/operation.hpp
• /conception-website/node_modules/node-sass/src/libsass/src/operators.hpp
• /conception-website/node_modules/node-sass/src/libsass/src/constants.hpp
• /conception-website/node_modules/node-sass/src/libsass/src/error_handling.hpp
• /conception-website/node_modules/node-sass/src/libsass/src/ast_fwd_decl.cpp
• /conception-website/node_modules/node-sass/src/custom_importer_bridge.cpp
• /conception-website/node_modules/node-sass/src/libsass/src/parser.hpp
• /conception-website/node_modules/node-sass/src/libsass/src/constants.cpp
• /conception-website/node_modules/node-sass/src/sass_types/list.cpp
• /conception-website/node_modules/node-sass/src/libsass/src/cssize.cpp
• /conception-website/node_modules/node-sass/src/libsass/src/functions.hpp
• /conception-website/node_modules/node-sass/src/libsass/src/util.cpp
• /conception-website/node_modules/node-sass/src/custom_function_bridge.cpp
• /conception-website/node_modules/node-sass/src/custom_importer_bridge.h
• /conception-website/node_modules/node-sass/src/libsass/src/bind.cpp
• /conception-website/node_modules/node-sass/src/libsass/src/eval.hpp
• /conception-website/node_modules/node-sass/src/libsass/src/inspect.cpp
• /conception-website/node_modules/node-sass/src/libsass/src/backtrace.cpp
• /conception-website/node_modules/node-sass/src/libsass/src/extend.cpp
• /conception-website/node_modules/node-sass/src/sass_types/sass_value_wrapper.h
• /conception-website/node_modules/node-sass/src/libsass/src/error_handling.cpp
• /conception-website/node_modules/node-sass/src/sass_context_wrapper.h
• /conception-website/node_modules/node-sass/src/libsass/src/node.cpp
• /conception-website/node_modules/node-sass/src/libsass/src/parser.cpp
• /conception-website/node_modules/node-sass/src/libsass/src/debugger.hpp
• /conception-website/node_modules/node-sass/src/libsass/src/emitter.cpp
• /conception-website/node_modules/node-sass/src/sass_types/number.cpp
• /conception-website/node_modules/node-sass/src/sass_types/color.h
• /conception-website/node_modules/node-sass/src/libsass/src/ast.hpp
• /conception-website/node_modules/node-sass/src/libsass/src/sass_values.cpp
• /conception-website/node_modules/node-sass/src/libsass/src/output.cpp
• /conception-website/node_modules/node-sass/src/libsass/src/check_nesting.cpp
• /conception-website/node_modules/node-sass/src/sass_types/null.cpp
• /conception-website/node_modules/node-sass/src/libsass/src/ast_def_macros.hpp
• /conception-website/node_modules/node-sass/src/libsass/src/cssize.hpp
• /conception-website/node_modules/node-sass/src/libsass/src/functions.cpp
• /conception-website/node_modules/node-sass/src/libsass/src/prelexer.cpp
• /conception-website/node_modules/node-sass/src/libsass/src/ast.cpp
• /conception-website/node_modules/node-sass/src/libsass/src/to_c.cpp
• /conception-website/node_modules/node-sass/src/libsass/src/to_value.hpp
• /conception-website/node_modules/node-sass/src/libsass/src/ast_fwd_decl.hpp
• /conception-website/node_modules/node-sass/src/sass_types/color.cpp
• /conception-website/node_modules/node-sass/src/libsass/src/inspect.hpp
• /conception-website/node_modules/node-sass/src/libsass/src/values.cpp
• /conception-website/node_modules/node-sass/src/sass_context_wrapper.cpp
• /conception-website/node_modules/node-sass/src/sass_types/list.h
• /conception-website/node_modules/node-sass/src/libsass/src/memory/SharedPtr.hpp
• /conception-website/node_modules/node-sass/src/libsass/src/check_nesting.hpp
• /conception-website/node_modules/node-sass/src/libsass/src/to_c.hpp
• /conception-website/node_modules/node-sass/src/libsass/src/to_value.cpp
• /conception-website/node_modules/node-sass/src/libsass/src/context.cpp
• /conception-website/node_modules/node-sass/src/sass_types/map.cpp
• /conception-website/node_modules/node-sass/src/libsass/src/listize.hpp
• /conception-website/node_modules/node-sass/src/binding.cpp
• /conception-website/node_modules/node-sass/src/libsass/src/sass_context.cpp
• /conception-website/node_modules/node-sass/src/sass_types/string.cpp
• /conception-website/node_modules/node-sass/src/libsass/src/context.hpp
• /conception-website/node_modules/node-sass/src/libsass/src/prelexer.hpp
• /conception-website/node_modules/node-sass/src/sass_types/boolean.h
• /conception-website/node_modules/node-sass/src/libsass/src/eval.cpp

Vulnerability Details

An issue was discovered in LibSass through 3.5.2. A NULL pointer dereference was found in the function Sass::Expand::operator which could be leveraged by an attacker to cause a denial of service (application crash) or possibly have unspecified other impact.

Publish Date: 2018-06-04

URL: CVE-2018-11695

CVSS 3 Score Details (8.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Vulnerable Library - jquery-2.1.4.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/2.1.4/jquery.min.js

Path to dependency file: /tmp/ws-scm/conception-website/node_modules/js-base64/test/index.html

Path to vulnerable library: /conception-website/node_modules/js-base64/test/index.html

Dependency Hierarchy:

• ❌ jquery-2.1.4.min.js (Vulnerable Library)

Found in HEAD commit: d01989566d2a70e542b08bc943c5de9d223ce39d

Vulnerability Details

JQuery, before 2.2.0, is vulnerable to Cross-site Scripting (XSS) attacks via text/javascript response with arbitrary code execution.

Publish Date: 2016-11-27

URL: WS-2016-0090

CVSS 2 Score Details (4.3)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: jquery/jquery@b078a62

Release Date: 2019-04-08

Fix Resolution: 2.2.0

Vulnerable Libraries - node-sass-4.13.1.tgz, opennmsopennms-source-26.0.0-1

Found in HEAD commit: 388e228fdc3fb332f3a4d2cb33d84668e0e8f99a

Found in base branch: develop

Vulnerability Details

In LibSass 3.5.5, a NULL Pointer Dereference in the function Sass::Eval::operator()(Sass::Supports_Operator*) in eval.cpp may cause a Denial of Service (application crash) via a crafted sass input file.

Publish Date: 2018-12-17

URL: CVE-2018-20190

CVSS 3 Score Details (6.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Release Date: 2018-12-17

Fix Resolution: GR.PageRender.Razor - 1.8.0;Fable.Template.Elmish.React - 0.1.6

Vulnerable Library - webpack-bundle-analyzer-2.8.2.tgz

Webpack plugin and CLI utility that represents bundle content as convenient interactive zoomable treemap

Library home page: https://registry.npmjs.org/webpack-bundle-analyzer/-/webpack-bundle-analyzer-2.8.2.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/webpack-bundle-analyzer/package.json

Dependency Hierarchy:

• ❌ webpack-bundle-analyzer-2.8.2.tgz (Vulnerable Library)

Found in HEAD commit: 388e228fdc3fb332f3a4d2cb33d84668e0e8f99a

Found in base branch: develop

Vulnerability Details

Versions of webpack-bundle-analyzer prior to 3.3.2 are vulnerable to Cross-Site Scripting. The package uses JSON.stringify() without properly escaping input which may lead to Cross-Site Scripting.

Publish Date: 2019-04-11

URL: WS-2019-0058

CVSS 3 Score Details (6.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Release Date: 2019-04-11

Fix Resolution: 3.3.2

Vulnerable Library - http-proxy-agent-1.0.0.tgz

An HTTP(s) proxy `http.Agent` implementation for HTTP

Library home page: https://registry.npmjs.org/http-proxy-agent/-/http-proxy-agent-1.0.0.tgz

Path to dependency file: /conception-website/package.json

Path to vulnerable library: conception-website/node_modules/http-proxy-agent/package.json

Dependency Hierarchy:

• nightwatch-0.9.21.tgz (Root Library)
  • proxy-agent-2.0.0.tgz
    • ❌ http-proxy-agent-1.0.0.tgz (Vulnerable Library)

Found in HEAD commit: aafabe1f890f6614128b3e3a46fcacc878d945e9

Vulnerability Details

Versions of http-proxy-agent before 2.1.0 are vulnerable to denial of service and uninitialized memory leak when unsanitized options are passed to Buffer.

Publish Date: 2018-04-25

URL: WS-2018-0085

CVSS 3 Score Details (8.2)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://nodesecurity.io/advisories/607

Release Date: 2018-01-27

Fix Resolution: 2.1.0

Vulnerable Libraries - ws-2.3.1.tgz, ws-1.1.2.tgz

Found in HEAD commit: 388e228fdc3fb332f3a4d2cb33d84668e0e8f99a

Found in base branch: develop

Vulnerability Details

Denial of Service vulnerability was found in ws npm package 0.2.6 through 1.1.4 and 2.0.0 through 3.3.0. ws can crash when a specially crafted Sec-WebSocket-Extensions header containing Object.prototype property names as extension or parameter names are sent.

Publish Date: 2017-11-08

URL: WS-2017-0421

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-5v72-xg48-5rpm

Release Date: 2017-11-08

Fix Resolution (ws): 3.3.1

Direct dependency fix Resolution (webpack-bundle-analyzer): 2.9.1

Fix Resolution (ws): 3.3.1

Direct dependency fix Resolution (karma): 1.7.1

Vulnerable Libraries - node-sass-4.13.1.tgz, opennmsopennms-source-26.0.0-1

Found in HEAD commit: 388e228fdc3fb332f3a4d2cb33d84668e0e8f99a

Found in base branch: develop

Vulnerability Details

In LibSass 3.5.5, a heap-based buffer over-read exists in Sass::Prelexer::skip_over_scopes in prelexer.hpp when called from Sass::Parser::parse_import(), a similar issue to CVE-2018-11693.

Publish Date: 2019-01-14

URL: CVE-2019-6286

CVSS 3 Score Details (6.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Release Date: 2019-07-23

Fix Resolution: Fable.Template.Elmish.React - 0.1.6;GR.PageRender.Razor - 1.8.0;MIDIator.WebClient - 1.0.105

Vulnerable Library - parsejson-0.0.3.tgz

Method that parses a JSON string and returns a JSON object

Library home page: https://registry.npmjs.org/parsejson/-/parsejson-0.0.3.tgz

Path to dependency file: /conception-website/package.json

Path to vulnerable library: /node_modules/parsejson/package.json,/node_modules/parsejson/package.json

Dependency Hierarchy:

• karma-1.7.0.tgz (Root Library)
  • socket.io-1.7.3.tgz
    • socket.io-client-1.7.3.tgz
      • engine.io-client-1.8.3.tgz
        • ❌ parsejson-0.0.3.tgz (Vulnerable Library)

Found in HEAD commit: 388e228fdc3fb332f3a4d2cb33d84668e0e8f99a

Found in base branch: develop

Vulnerability Details

The parsejson module is vulnerable to regular expression denial of service when untrusted user input is passed into it to be parsed.

Publish Date: 2018-06-07

URL: CVE-2017-16113

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Vulnerable Library - deep-extend-0.4.2.tgz

Recursive object extending

Library home page: https://registry.npmjs.org/deep-extend/-/deep-extend-0.4.2.tgz

Path to dependency file: /conception-website/package.json

Path to vulnerable library: conception-website/node_modules/grpc/node_modules/deep-extend/package.json

Dependency Hierarchy:

• firebase-4.13.1.tgz (Root Library)
  • firestore-0.4.1.tgz
    • grpc-1.10.1.tgz
      • node-pre-gyp-0.7.0.tgz
        • rc-1.2.6.tgz
          • ❌ deep-extend-0.4.2.tgz (Vulnerable Library)

Found in HEAD commit: aafabe1f890f6614128b3e3a46fcacc878d945e9

Vulnerability Details

The utilities function in all versions <= 0.5.0 of the deep-extend node module can be tricked into modifying the prototype of Object when the attacker can control part of the structure passed to this function. This can let an attacker add or modify existing properties that will exist on all objects.

Publish Date: 2018-07-03

URL: CVE-2018-3750

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3750

Release Date: 2019-01-24

Fix Resolution: 0.5.1

Vulnerable Libraries - node-sass-4.13.1.tgz, opennmsopennms-source-26.0.0-1

Found in HEAD commit: 388e228fdc3fb332f3a4d2cb33d84668e0e8f99a

Found in base branch: develop

Vulnerability Details

In LibSass 3.5.5, a use-after-free vulnerability exists in the SharedPtr class in SharedPtr.cpp (or SharedPtr.hpp) that may cause a denial of service (application crash) or possibly have unspecified other impact.

Publish Date: 2018-12-03

URL: CVE-2018-19827

CVSS 3 Score Details (5.6)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Release Date: 2018-12-03

Fix Resolution: GR.PageRender.Razor - 1.8.0;Fable.Template.Elmish.React - 0.1.6

Vulnerable Library - https-proxy-agent-1.0.0.tgz

An HTTP(s) proxy `http.Agent` implementation for HTTPS

Library home page: https://registry.npmjs.org/https-proxy-agent/-/https-proxy-agent-1.0.0.tgz

Path to dependency file: /conception-website/package.json

Path to vulnerable library: conception-website/node_modules/pac-proxy-agent/node_modules/https-proxy-agent/package.json,conception-website/node_modules/https-proxy-agent/package.json

Dependency Hierarchy:

• nightwatch-0.9.15.tgz (Root Library)
  • proxy-agent-2.0.0.tgz
    • ❌ https-proxy-agent-1.0.0.tgz (Vulnerable Library)

Found in HEAD commit: aafabe1f890f6614128b3e3a46fcacc878d945e9

Found in base branch: develop

Vulnerability Details

Versions of https-proxy-agent before 2.2.0 are vulnerable to a denial of service. This is due to unsanitized options (proxy.auth) being passed to Buffer().

Publish Date: 2018-02-28

URL: WS-2018-0072

CVSS 2 Score Details (8.0)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: https://nodesecurity.io/advisories/593

Release Date: 2018-02-28

Fix Resolution: 2.2.0

Vulnerable Libraries - node-sass-4.13.1.tgz, opennmsopennms-source-26.0.0-1

Found in HEAD commit: 388e228fdc3fb332f3a4d2cb33d84668e0e8f99a

Found in base branch: develop

Vulnerability Details

The parsing component in LibSass through 3.5.5 allows attackers to cause a denial-of-service (uncontrolled recursion in Sass::Parser::parse_css_variable_value in parser.cpp).

Publish Date: 2019-04-23

URL: CVE-2018-20821

CVSS 3 Score Details (6.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Release Date: 2019-04-23

Fix Resolution: Fable.Template.Elmish.React - 0.1.6;GR.PageRender.Razor - 1.8.0;MIDIator.WebClient - 1.0.105

Vulnerable Libraries - node-sass-4.13.1.tgz, opennmsopennms-source-26.0.0-1

Found in HEAD commit: 388e228fdc3fb332f3a4d2cb33d84668e0e8f99a

Found in base branch: develop

Vulnerability Details

In LibSass prior to 3.5.5, functions inside ast.cpp for IMPLEMENT_AST_OPERATORS expansion allow attackers to cause a denial-of-service resulting from stack consumption via a crafted sass file, as demonstrated by recursive calls involving clone(), cloneChildren(), and copy().

Publish Date: 2018-12-04

URL: CVE-2018-19838

CVSS 3 Score Details (6.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Release Date: 2018-12-04

Fix Resolution: 4.14.0

Vulnerable Library - stringstream-0.0.5.tgz

Encode and decode streams into string streams

Library home page: https://registry.npmjs.org/stringstream/-/stringstream-0.0.5.tgz

Path to dependency file: /conception-website/package.json

Path to vulnerable library: /node_modules/grpc/node_modules/stringstream/package.json,/node_modules/stringstream/package.json

Dependency Hierarchy:

• phantomjs-prebuilt-2.1.14.tgz (Root Library)
  • request-2.79.0.tgz
    • ❌ stringstream-0.0.5.tgz (Vulnerable Library)

Found in HEAD commit: 388e228fdc3fb332f3a4d2cb33d84668e0e8f99a

Found in base branch: develop

Vulnerability Details

All versions of stringstream are vulnerable to out-of-bounds read as it allocates uninitialized Buffers when number is passed in input stream on Node.js 4.x and below.

Publish Date: 2018-05-16

URL: WS-2018-0103

CVSS 3 Score Details (4.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: None
  • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: https://nodesecurity.io/advisories/664

Release Date: 2018-01-27

Fix Resolution (stringstream): 0.0.6

Direct dependency fix Resolution (phantomjs-prebuilt): 2.1.15

Vulnerable Libraries - js-yaml-3.8.4.tgz, js-yaml-3.7.0.tgz

Found in HEAD commit: 388e228fdc3fb332f3a4d2cb33d84668e0e8f99a

Found in base branch: develop

Vulnerability Details

Versions js-yaml prior to 3.13.0 are vulnerable to Denial of Service. By parsing a carefully-crafted YAML file, the node process stalls and may exhaust system resources leading to a Denial of Service.

Publish Date: 2019-03-20

URL: WS-2019-0032

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/788/versions

Release Date: 2019-03-20

Fix Resolution (js-yaml): 3.13.0

Direct dependency fix Resolution (eslint): 4.0.0

Fix Resolution (js-yaml): 3.13.0

Direct dependency fix Resolution (optimize-css-assets-webpack-plugin): 2.0.0

Vulnerable Library - growl-1.9.2.tgz

Growl unobtrusive notifications

Library home page: https://registry.npmjs.org/growl/-/growl-1.9.2.tgz

Path to dependency file: /conception-website/package.json

Path to vulnerable library: /tmp/git/conception-website/node_modules/growl/package.json

Dependency Hierarchy:

• mocha-3.5.3.tgz (Root Library)
  • ❌ growl-1.9.2.tgz (Vulnerable Library)

Found in HEAD commit: aafabe1f890f6614128b3e3a46fcacc878d945e9

Vulnerability Details

Affected versions of the package are vulnerable to Arbitrary Code Injection.

Publish Date: 2017-05-01

URL: WS-2017-0236

CVSS 2 Score Details (5.6)

Base Score Metrics not available

Suggested Fix

Type: Change files

Origin: tj/node-growl@d9f6ea2

Release Date: 2016-09-05

Fix Resolution: Replace or update the following files: package.json, growl.js

Vulnerable Library - opennmsopennms-source-26.0.0-1

A Java based fault and performance management system

Library home page: https://sourceforge.net/projects/opennms/

Found in HEAD commit: 388e228fdc3fb332f3a4d2cb33d84668e0e8f99a

Found in base branch: develop

Vulnerable Source Files (1)

/node_modules/node-sass/src/libsass/src/sass_context.cpp

Vulnerability Details

An issue was discovered in LibSass through 3.5.4. An out-of-bounds read of a memory region was found in the function Sass::handle_error which could be leveraged by an attacker to disclose information or manipulated to read from unmapped memory causing a denial of service.

Publish Date: 2018-06-04

URL: CVE-2018-11698

CVSS 3 Score Details (4.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: None
  • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Release Date: 2018-06-04

Fix Resolution: node-sass - 3.6.0

Vulnerable Libraries - jquery-1.7.2.min.js, jquery-1.7.1.min.js

Found in HEAD commit: 388e228fdc3fb332f3a4d2cb33d84668e0e8f99a

Found in base branch: develop

Vulnerability Details

jQuery before 3.0.0 is vulnerable to Cross-site Scripting (XSS) attacks when a cross-domain Ajax request is performed without the dataType option, causing text/javascript responses to be executed.

Publish Date: 2018-01-18

URL: CVE-2015-9251

CVSS 3 Score Details (6.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2015-9251

Release Date: 2018-01-18

Fix Resolution: jQuery - 3.0.0

Vulnerable Library - ms-0.7.2.tgz

Tiny milisecond conversion utility

Library home page: https://registry.npmjs.org/ms/-/ms-0.7.2.tgz

Path to dependency file: /conception-website/package.json

Path to vulnerable library: conception-website/node_modules/engine.io/node_modules/ms/package.json,conception-website/node_modules/ms/package.json

Dependency Hierarchy:

• karma-1.7.0.tgz (Root Library)
  • socket.io-1.7.3.tgz
    • debug-2.3.3.tgz
      • ❌ ms-0.7.2.tgz (Vulnerable Library)

Found in HEAD commit: aafabe1f890f6614128b3e3a46fcacc878d945e9

Found in base branch: develop

Vulnerability Details

Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS).

Publish Date: 2017-04-12

URL: WS-2017-0247

CVSS 2 Score Details (3.4)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: vercel/ms#89

Release Date: 2017-04-12

Fix Resolution: 2.1.1

Vulnerable Libraries - node-sass-4.13.1.tgz, opennmsopennms-source-26.0.0-1

Found in HEAD commit: 388e228fdc3fb332f3a4d2cb33d84668e0e8f99a

Found in base branch: develop

Vulnerability Details

An issue was discovered in LibSass through 3.5.4. A NULL pointer dereference was found in the function Sass::Functions::selector_append which could be leveraged by an attacker to cause a denial of service (application crash) or possibly have unspecified other impact.

Publish Date: 2018-06-04

URL: CVE-2018-11694

CVSS 3 Score Details (5.6)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Release Date: 2018-06-04

Fix Resolution: Fable.Template.Elmish.React - 0.1.6;GR.PageRender.Razor - 1.8.0;MIDIator.WebClient - 1.0.105

Vulnerable Libraries - node-sass-4.13.1.tgz, opennmsopennms-source-26.0.0-1

Found in HEAD commit: 388e228fdc3fb332f3a4d2cb33d84668e0e8f99a

Found in base branch: develop

Vulnerability Details

A use-after-free vulnerability exists in handle_error() in sass_context.cpp in LibSass 3.4.x and 3.5.x through 3.5.4 that could be leveraged to cause a denial of service (application crash) or possibly unspecified other impact.

Publish Date: 2018-05-26

URL: CVE-2018-11499

CVSS 3 Score Details (7.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Release Date: 2018-05-26

Fix Resolution: 4.14.0

Vulnerable Library - node-sassv4.12.0

🌈 Node.js bindings to libsass

Library home page: https://github.com/sass/node-sass.git

Found in HEAD commit: aafabe1f890f6614128b3e3a46fcacc878d945e9

Library Source Files (72)

* The source files were matched to this source library based on a best effort match. Source libraries are selected from a list of probable public libraries.

• /conception-website/node_modules/node-sass/src/libsass/src/expand.hpp
• /conception-website/node_modules/node-sass/src/libsass/src/expand.cpp
• /conception-website/node_modules/node-sass/src/sass_types/factory.cpp
• /conception-website/node_modules/node-sass/src/libsass/src/operators.cpp
• /conception-website/node_modules/node-sass/src/sass_types/boolean.cpp
• /conception-website/node_modules/node-sass/src/libsass/src/util.hpp
• /conception-website/node_modules/node-sass/src/sass_types/value.h
• /conception-website/node_modules/node-sass/src/libsass/src/emitter.hpp
• /conception-website/node_modules/node-sass/src/libsass/src/lexer.cpp
• /conception-website/node_modules/node-sass/src/callback_bridge.h
• /conception-website/node_modules/node-sass/src/libsass/src/file.cpp
• /conception-website/node_modules/node-sass/src/libsass/src/sass.cpp
• /conception-website/node_modules/node-sass/src/libsass/src/operation.hpp
• /conception-website/node_modules/node-sass/src/libsass/src/operators.hpp
• /conception-website/node_modules/node-sass/src/libsass/src/constants.hpp
• /conception-website/node_modules/node-sass/src/libsass/src/error_handling.hpp
• /conception-website/node_modules/node-sass/src/libsass/src/ast_fwd_decl.cpp
• /conception-website/node_modules/node-sass/src/custom_importer_bridge.cpp
• /conception-website/node_modules/node-sass/src/libsass/src/parser.hpp
• /conception-website/node_modules/node-sass/src/libsass/src/constants.cpp
• /conception-website/node_modules/node-sass/src/sass_types/list.cpp
• /conception-website/node_modules/node-sass/src/libsass/src/cssize.cpp
• /conception-website/node_modules/node-sass/src/libsass/src/functions.hpp
• /conception-website/node_modules/node-sass/src/libsass/src/util.cpp
• /conception-website/node_modules/node-sass/src/custom_function_bridge.cpp
• /conception-website/node_modules/node-sass/src/custom_importer_bridge.h
• /conception-website/node_modules/node-sass/src/libsass/src/bind.cpp
• /conception-website/node_modules/node-sass/src/libsass/src/eval.hpp
• /conception-website/node_modules/node-sass/src/libsass/src/inspect.cpp
• /conception-website/node_modules/node-sass/src/libsass/src/backtrace.cpp
• /conception-website/node_modules/node-sass/src/libsass/src/extend.cpp
• /conception-website/node_modules/node-sass/src/sass_types/sass_value_wrapper.h
• /conception-website/node_modules/node-sass/src/libsass/src/error_handling.cpp
• /conception-website/node_modules/node-sass/src/sass_context_wrapper.h
• /conception-website/node_modules/node-sass/src/libsass/src/node.cpp
• /conception-website/node_modules/node-sass/src/libsass/src/parser.cpp
• /conception-website/node_modules/node-sass/src/libsass/src/debugger.hpp
• /conception-website/node_modules/node-sass/src/libsass/src/emitter.cpp
• /conception-website/node_modules/node-sass/src/sass_types/number.cpp
• /conception-website/node_modules/node-sass/src/sass_types/color.h
• /conception-website/node_modules/node-sass/src/libsass/src/ast.hpp
• /conception-website/node_modules/node-sass/src/libsass/src/sass_values.cpp
• /conception-website/node_modules/node-sass/src/libsass/src/output.cpp
• /conception-website/node_modules/node-sass/src/libsass/src/check_nesting.cpp
• /conception-website/node_modules/node-sass/src/sass_types/null.cpp
• /conception-website/node_modules/node-sass/src/libsass/src/ast_def_macros.hpp
• /conception-website/node_modules/node-sass/src/libsass/src/cssize.hpp
• /conception-website/node_modules/node-sass/src/libsass/src/functions.cpp
• /conception-website/node_modules/node-sass/src/libsass/src/prelexer.cpp
• /conception-website/node_modules/node-sass/src/libsass/src/ast.cpp
• /conception-website/node_modules/node-sass/src/libsass/src/to_c.cpp
• /conception-website/node_modules/node-sass/src/libsass/src/to_value.hpp
• /conception-website/node_modules/node-sass/src/libsass/src/ast_fwd_decl.hpp
• /conception-website/node_modules/node-sass/src/sass_types/color.cpp
• /conception-website/node_modules/node-sass/src/libsass/src/inspect.hpp
• /conception-website/node_modules/node-sass/src/libsass/src/values.cpp
• /conception-website/node_modules/node-sass/src/sass_context_wrapper.cpp
• /conception-website/node_modules/node-sass/src/sass_types/list.h
• /conception-website/node_modules/node-sass/src/libsass/src/memory/SharedPtr.hpp
• /conception-website/node_modules/node-sass/src/libsass/src/check_nesting.hpp
• /conception-website/node_modules/node-sass/src/libsass/src/to_c.hpp
• /conception-website/node_modules/node-sass/src/libsass/src/to_value.cpp
• /conception-website/node_modules/node-sass/src/libsass/src/context.cpp
• /conception-website/node_modules/node-sass/src/sass_types/map.cpp
• /conception-website/node_modules/node-sass/src/libsass/src/listize.hpp
• /conception-website/node_modules/node-sass/src/binding.cpp
• /conception-website/node_modules/node-sass/src/libsass/src/sass_context.cpp
• /conception-website/node_modules/node-sass/src/sass_types/string.cpp
• /conception-website/node_modules/node-sass/src/libsass/src/context.hpp
• /conception-website/node_modules/node-sass/src/libsass/src/prelexer.hpp
• /conception-website/node_modules/node-sass/src/sass_types/boolean.h
• /conception-website/node_modules/node-sass/src/libsass/src/eval.cpp

Vulnerability Details

An issue was discovered in LibSass through 3.5.4. An out-of-bounds read of a memory region was found in the function Sass::Prelexer::skip_over_scopes which could be leveraged by an attacker to disclose information or manipulated to read from unmapped memory causing a denial of service.

Publish Date: 2018-06-04

URL: CVE-2018-11693

CVSS 3 Score Details (8.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: None
  • Availability Impact: High

Vulnerable Libraries - node-sass-4.13.1.tgz, opennmsopennms-source-26.0.0-1

Found in HEAD commit: 388e228fdc3fb332f3a4d2cb33d84668e0e8f99a

Found in base branch: develop

Vulnerability Details

In LibSass 3.5.5, a heap-based buffer over-read exists in Sass::Prelexer::alternatives in prelexer.hpp.

Publish Date: 2019-01-14

URL: CVE-2019-6284

CVSS 3 Score Details (6.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2019-6284

Release Date: 2019-01-14

Fix Resolution: 5.0.0

Vulnerable Libraries - node-sass-4.13.1.tgz, opennmsopennms-source-26.0.0-1

Found in HEAD commit: 388e228fdc3fb332f3a4d2cb33d84668e0e8f99a

Found in base branch: develop

Vulnerability Details

In LibSass 3.5.5, a NULL Pointer Dereference in the function Sass::Selector_List::populate_extends in SharedPtr.hpp (used by ast.cpp and ast_selectors.cpp) may cause a Denial of Service (application crash) via a crafted sass input file.

Publish Date: 2018-12-03

URL: CVE-2018-19797

CVSS 3 Score Details (3.7)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Release Date: 2018-12-03

Fix Resolution: Fable.Template.Elmish.React - 0.1.6;GR.PageRender.Razor - 1.8.0;MIDIator.WebClient - 1.0.105

Vulnerable Libraries - lodash-4.16.6.tgz, lodash-3.10.1.tgz

Found in HEAD commit: 388e228fdc3fb332f3a4d2cb33d84668e0e8f99a

Found in base branch: develop

Vulnerability Details

A prototype pollution vulnerability was found in lodash <4.17.11 where the functions merge, mergeWith, and defaultsDeep can be tricked into adding or modifying properties of Object.prototype.

Publish Date: 2019-02-01

URL: CVE-2018-16487

CVSS 3 Score Details (5.6)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: https://hackerone.com/reports/380873

Release Date: 2019-02-01

Fix Resolution (lodash): 4.17.11

Direct dependency fix Resolution (node-sass): 4.14.0

Fix Resolution (lodash): 4.17.11

Direct dependency fix Resolution (karma-webpack): 2.0.10

Vulnerable Library - fstream-1.0.11.tgz

Advanced file system stream things

Library home page: https://registry.npmjs.org/fstream/-/fstream-1.0.11.tgz

Path to dependency file: /conception-website/package.json

Path to vulnerable library: /tmp/git/conception-website/node_modules/grpc/node_modules/fstream/package.json

Dependency Hierarchy:

• firebase-4.13.1.tgz (Root Library)
  • firestore-0.4.1.tgz
    • grpc-1.10.1.tgz
      • node-pre-gyp-0.7.0.tgz
        • tar-2.2.1.tgz
          • ❌ fstream-1.0.11.tgz (Vulnerable Library)

Found in HEAD commit: aafabe1f890f6614128b3e3a46fcacc878d945e9

Vulnerability Details

Versions of fstream prior to 1.0.12 are vulnerable to Arbitrary File Overwrite.

Publish Date: 2019-05-23

URL: WS-2019-0100

CVSS 2 Score Details (5.0)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/886

Release Date: 2019-05-23

Fix Resolution: 1.0.12