Example local server
I am Martial Le TOULLEC, people call me Koromerzhin,
| projet | description | Continuous Integration |
|---|---|---|
| docker | docker |  |
| js-commands | js-commands |  |
| labstag | labstag |  |
| lampy | lampy |  |
| repocheck | repocheck |  |
| streamchat | streamchat |  |
| userscripts | userscripts |  |
| webcrawler | webcrawler |  |
| webserver | webserver |  |
No activity tracked
Vulnerabilities
DepShield reports that this application's usage of lodash.includes:4.3.0 results in the following vulnerability(s):
Occurrences
lodash.includes:4.3.0 is a transitive dependency introduced by the following direct dependency(s):
• semantic-git-commit-cli:3.7.0
└─ json-extra:0.5.0
└─ lodash.includes:4.3.0
This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.
Vulnerabilities
DepShield reports that this application's usage of mem:1.1.0 results in the following vulnerability(s):
Occurrences
mem:1.1.0 is a transitive dependency introduced by the following direct dependency(s):
• gitmoji-changelog:2.1.0
└─ libnpm:1.5.0
└─ lock-verify:2.2.1
└─ @iarna/cli:1.2.0
└─ yargs:8.0.2
└─ os-locale:2.1.0
└─ mem:1.1.0
This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.
This issue lists Renovate updates and detected dependencies. Read the Dependency Dashboard docs to learn more.
These updates have all been created already. Click a checkbox below to force a retry/rebase of any.
docker-compose.yml
dunglas/mercure v0.15redis 7.2.3mariadb 11.2.2postgres 16.1mailhog/mailhog v1.0.1phpmyadmin/phpmyadmin 5.2.1portainer/portainer-ce 2.19.4traefik 2.10.7
.github/workflows/ci.yml
actions/checkout v4actions/cache v3actions/checkout v4actions/cache v3
package.json
korojscommands ^1.2.7
Vulnerable Library - korojscommands-1.2.7.tgzPath to dependency file: /package.json
Path to vulnerable library: /node_modules/got/package.json
Found in HEAD commit: cc4277846c82a9af0df898479984a0c391665dfe
| CVE | Severity |  CVSS |
Dependency | Type | Fixed in (korojscommands version) | Remediation Available |
|---|---|---|---|---|---|---|
| CVE-2022-25912 |  High |
9.8 | simple-git-1.132.0.tgz | Transitive | N/A* | ❌ |
| CVE-2022-24433 | High |
9.8 | simple-git-1.132.0.tgz | Transitive | N/A* | ❌ |
| CVE-2022-24066 | High |
9.8 | simple-git-1.132.0.tgz | Transitive | N/A* | ❌ |
| CVE-2022-25881 | High |
7.5 | http-cache-semantics-3.8.1.tgz | Transitive | N/A* | ❌ |
| CVE-2023-28155 |  Medium |
5.5 | request-2.88.2.tgz | Transitive | N/A* | ❌ |
| CVE-2022-33987 | Medium |
5.3 | got-6.7.1.tgz | Transitive | N/A* | ❌ |
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
CVE-2022-25912Simple GIT interface for node.js
Library home page: https://registry.npmjs.org/simple-git/-/simple-git-1.132.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/simple-git/package.json
Dependency Hierarchy:
Found in HEAD commit: cc4277846c82a9af0df898479984a0c391665dfe
Found in base branch: develop
The package simple-git before 3.15.0 are vulnerable to Remote Code Execution (RCE) when enabling the ext transport protocol, which makes it exploitable via clone() method. This vulnerability exists due to an incomplete fix of CVE-2022-24066.
Publish Date: 2022-12-06
URL: CVE-2022-25912
Base Score Metrics:
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2022-25912
Release Date: 2022-12-06
Fix Resolution: simple-git - 3.15.0
Step up your Open Source Security Game with Mend here
CVE-2022-24433Simple GIT interface for node.js
Library home page: https://registry.npmjs.org/simple-git/-/simple-git-1.132.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/simple-git/package.json
Dependency Hierarchy:
Found in HEAD commit: cc4277846c82a9af0df898479984a0c391665dfe
Found in base branch: develop
The package simple-git before 3.3.0 are vulnerable to Command Injection via argument injection. When calling the .fetch(remote, branch, handlerFn) function, both the remote and branch parameters are passed to the git fetch subcommand. By injecting some git options it was possible to get arbitrary command execution.
Publish Date: 2022-03-11
URL: CVE-2022-24433
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-3f95-r44v-8mrg
Release Date: 2022-03-11
Fix Resolution: simple-git - 3.3.0
Step up your Open Source Security Game with Mend here
CVE-2022-24066Simple GIT interface for node.js
Library home page: https://registry.npmjs.org/simple-git/-/simple-git-1.132.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/simple-git/package.json
Dependency Hierarchy:
Found in HEAD commit: cc4277846c82a9af0df898479984a0c391665dfe
Found in base branch: develop
The package simple-git before 3.5.0 are vulnerable to Command Injection due to an incomplete fix of CVE-2022-24433 which only patches against the git fetch attack vector. A similar use of the --upload-pack feature of git is also supported for git clone, which the prior fix didn't cover.
Publish Date: 2022-04-01
URL: CVE-2022-24066
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-28xr-mwxg-3qc8
Release Date: 2022-04-01
Fix Resolution: simple-git - 3.5.0
Step up your Open Source Security Game with Mend here
CVE-2022-25881Parses Cache-Control and other headers. Helps building correct HTTP caches and proxies
Library home page: https://registry.npmjs.org/http-cache-semantics/-/http-cache-semantics-3.8.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/http-cache-semantics/package.json
Dependency Hierarchy:
Found in HEAD commit: cc4277846c82a9af0df898479984a0c391665dfe
Found in base branch: develop
This affects versions of the package http-cache-semantics before 4.1.1. The issue can be exploited via malicious request header values sent to a server, when that server reads the cache policy from the request using this library.
Publish Date: 2023-01-31
URL: CVE-2022-25881
Base Score Metrics:
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2022-25881
Release Date: 2023-01-31
Fix Resolution: http-cache-semantics - 4.1.1
Step up your Open Source Security Game with Mend here
CVE-2023-28155Simplified HTTP request client.
Library home page: https://registry.npmjs.org/request/-/request-2.88.2.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/request/package.json
Dependency Hierarchy:
Found in HEAD commit: cc4277846c82a9af0df898479984a0c391665dfe
Found in base branch: develop
** UNSUPPORTED WHEN ASSIGNED ** The Request package through 2.88.1 for Node.js allows a bypass of SSRF mitigations via an attacker-controller server that does a cross-protocol redirect (HTTP to HTTPS, or HTTPS to HTTP). NOTE: This vulnerability only affects products that are no longer supported by the maintainer.
Publish Date: 2023-03-16
URL: CVE-2023-28155
Base Score Metrics:
Step up your Open Source Security Game with Mend here
CVE-2022-33987Simplified HTTP requests
Library home page: https://registry.npmjs.org/got/-/got-6.7.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/got/package.json
Dependency Hierarchy:
Found in HEAD commit: cc4277846c82a9af0df898479984a0c391665dfe
Found in base branch: develop
The got package before 12.1.0 (also fixed in 11.8.5) for Node.js allows a redirect to a UNIX socket.
Publish Date: 2022-06-18
URL: CVE-2022-33987
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-33987
Release Date: 2022-06-18
Fix Resolution: got - 11.8.5,12.1.0
Step up your Open Source Security Game with Mend here
Vulnerabilities
DepShield reports that this application's usage of pug-code-gen:3.0.2 results in the following vulnerability(s):
Occurrences
pug-code-gen:3.0.2 is a transitive dependency introduced by the following direct dependency(s):
• koromerzhin-dependencies:1.3.0
└─ jscpd:3.4.2
└─ @jscpd/finder:3.4.5
└─ pug:3.0.2
└─ pug-code-gen:3.0.2
This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.
Vulnerable Library - korojscommands-1.2.20.tgz
Found in HEAD commit: 2c0b9f4addc880e81b6c55eb373c910278d92b88
| CVE | Severity | CVSS |
Dependency | Type | Fixed in (korojscommands version) | Remediation Possible** |
|---|---|---|---|---|---|---|
| CVE-2023-26136 |  Critical |
9.8 | tough-cookie-2.5.0.tgz | Transitive | N/A* | ❌ |
| CVE-2022-25912 | Critical |
9.8 | simple-git-1.132.0.tgz | Transitive | N/A* | ❌ |
| CVE-2022-24433 | Critical |
9.8 | simple-git-1.132.0.tgz | Transitive | N/A* | ❌ |
| CVE-2022-24066 | Critical |
9.8 | simple-git-1.132.0.tgz | Transitive | N/A* | ❌ |
| CVE-2022-25881 |  High |
7.5 | http-cache-semantics-3.8.1.tgz | Transitive | N/A* | ❌ |
| CVE-2023-28155 |  Medium |
6.1 | request-2.88.2.tgz | Transitive | N/A* | ❌ |
| CVE-2022-33987 | Medium |
5.3 | got-6.7.1.tgz | Transitive | N/A* | ❌ |
| CVE-2023-0842 | Medium |
5.3 | xml2js-0.4.23.tgz | Transitive | N/A* | ❌ |
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
CVE-2023-26136RFC6265 Cookies and Cookie Jar for node.js
Library home page: https://registry.npmjs.org/tough-cookie/-/tough-cookie-2.5.0.tgz
Dependency Hierarchy:
Found in HEAD commit: 2c0b9f4addc880e81b6c55eb373c910278d92b88
Found in base branch: develop
Versions of the package tough-cookie before 4.1.3 are vulnerable to Prototype Pollution due to improper handling of Cookies when using CookieJar in rejectPublicSuffixes=false mode. This issue arises from the manner in which the objects are initialized.
Publish Date: 2023-07-01
URL: CVE-2023-26136
Base Score Metrics:
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2023-26136
Release Date: 2023-07-01
Fix Resolution: tough-cookie - 4.1.3
Step up your Open Source Security Game with Mend here
CVE-2022-25912Simple GIT interface for node.js
Library home page: https://registry.npmjs.org/simple-git/-/simple-git-1.132.0.tgz
Dependency Hierarchy:
Found in HEAD commit: 2c0b9f4addc880e81b6c55eb373c910278d92b88
Found in base branch: develop
The package simple-git before 3.15.0 are vulnerable to Remote Code Execution (RCE) when enabling the ext transport protocol, which makes it exploitable via clone() method. This vulnerability exists due to an incomplete fix of CVE-2022-24066.
Publish Date: 2022-12-06
URL: CVE-2022-25912
Base Score Metrics:
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2022-25912
Release Date: 2022-12-06
Fix Resolution: simple-git - 3.15.0
Step up your Open Source Security Game with Mend here
CVE-2022-24433Simple GIT interface for node.js
Library home page: https://registry.npmjs.org/simple-git/-/simple-git-1.132.0.tgz
Dependency Hierarchy:
Found in HEAD commit: 2c0b9f4addc880e81b6c55eb373c910278d92b88
Found in base branch: develop
The package simple-git before 3.3.0 are vulnerable to Command Injection via argument injection. When calling the .fetch(remote, branch, handlerFn) function, both the remote and branch parameters are passed to the git fetch subcommand. By injecting some git options it was possible to get arbitrary command execution.
Publish Date: 2022-03-11
URL: CVE-2022-24433
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-3f95-r44v-8mrg
Release Date: 2022-03-11
Fix Resolution: simple-git - 3.3.0
Step up your Open Source Security Game with Mend here
CVE-2022-24066Simple GIT interface for node.js
Library home page: https://registry.npmjs.org/simple-git/-/simple-git-1.132.0.tgz
Dependency Hierarchy:
Found in HEAD commit: 2c0b9f4addc880e81b6c55eb373c910278d92b88
Found in base branch: develop
The package simple-git before 3.5.0 are vulnerable to Command Injection due to an incomplete fix of CVE-2022-24433 which only patches against the git fetch attack vector. A similar use of the --upload-pack feature of git is also supported for git clone, which the prior fix didn't cover.
Publish Date: 2022-04-01
URL: CVE-2022-24066
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-28xr-mwxg-3qc8
Release Date: 2022-04-01
Fix Resolution: simple-git - 3.5.0
Step up your Open Source Security Game with Mend here
CVE-2022-25881Parses Cache-Control and other headers. Helps building correct HTTP caches and proxies
Library home page: https://registry.npmjs.org/http-cache-semantics/-/http-cache-semantics-3.8.1.tgz
Dependency Hierarchy:
Found in HEAD commit: 2c0b9f4addc880e81b6c55eb373c910278d92b88
Found in base branch: develop
This affects versions of the package http-cache-semantics before 4.1.1. The issue can be exploited via malicious request header values sent to a server, when that server reads the cache policy from the request using this library.
Publish Date: 2023-01-31
URL: CVE-2022-25881
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-rc47-6667-2j5j
Release Date: 2023-01-31
Fix Resolution: http-cache-semantics - 4.1.1;org.webjars.npm:http-cache-semantics:4.1.1
Step up your Open Source Security Game with Mend here
CVE-2023-28155Simplified HTTP request client.
Library home page: https://registry.npmjs.org/request/-/request-2.88.2.tgz
Dependency Hierarchy:
Found in HEAD commit: 2c0b9f4addc880e81b6c55eb373c910278d92b88
Found in base branch: develop
** UNSUPPORTED WHEN ASSIGNED ** The Request package through 2.88.1 for Node.js allows a bypass of SSRF mitigations via an attacker-controller server that does a cross-protocol redirect (HTTP to HTTPS, or HTTPS to HTTP). NOTE: This vulnerability only affects products that are no longer supported by the maintainer.
Publish Date: 2023-03-16
URL: CVE-2023-28155
Base Score Metrics:
Step up your Open Source Security Game with Mend here
CVE-2022-33987Simplified HTTP requests
Library home page: https://registry.npmjs.org/got/-/got-6.7.1.tgz
Dependency Hierarchy:
Found in HEAD commit: 2c0b9f4addc880e81b6c55eb373c910278d92b88
Found in base branch: develop
The got package before 12.1.0 (also fixed in 11.8.5) for Node.js allows a redirect to a UNIX socket.
Publish Date: 2022-06-18
URL: CVE-2022-33987
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-33987
Release Date: 2022-06-18
Fix Resolution: got - 11.8.5,12.1.0
Step up your Open Source Security Game with Mend here
CVE-2023-0842Simple XML to JavaScript object converter.
Library home page: https://registry.npmjs.org/xml2js/-/xml2js-0.4.23.tgz
Dependency Hierarchy:
Found in HEAD commit: 2c0b9f4addc880e81b6c55eb373c910278d92b88
Found in base branch: develop
xml2js version 0.4.23 allows an external attacker to edit or add new properties to an object. This is possible because the application does not properly validate incoming JSON keys, thus allowing the proto property to be edited.
Publish Date: 2023-04-05
URL: CVE-2023-0842
Base Score Metrics:
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2023-0842
Release Date: 2023-04-05
Fix Resolution: xml2js - 0.5.0
Step up your Open Source Security Game with Mend here
Vulnerabilities
DepShield reports that this application's usage of npm-registry-fetch:3.9.1 results in the following vulnerability(s):
Occurrences
npm-registry-fetch:3.9.1 is a transitive dependency introduced by the following direct dependency(s):
• gitmoji-changelog:2.1.0
└─ libnpm:1.5.0
└─ libnpmaccess:2.0.1
└─ npm-registry-fetch:3.9.1
└─ npm-registry-fetch:3.9.1
This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.
Vulnerable Library - korojscommands-1.2.18.tgzPath to dependency file: /package.json
Path to vulnerable library: /node_modules/xml2js/package.json
Found in HEAD commit: ba38da18b86f4097e8d4bb4785914a2134589a70
| CVE | Severity | CVSS |
Dependency | Type | Fixed in (korojscommands version) | Remediation Available |
|---|---|---|---|---|---|---|
| CVE-2022-25912 | Critical |
9.8 | simple-git-1.132.0.tgz | Transitive | N/A* | ❌ |
| CVE-2022-24433 | Critical |
9.8 | simple-git-1.132.0.tgz | Transitive | N/A* | ❌ |
| CVE-2023-29827 | Critical |
9.8 | ejs-3.1.9.tgz | Transitive | N/A* | ❌ |
| CVE-2022-24066 | Critical |
9.8 | simple-git-1.132.0.tgz | Transitive | N/A* | ❌ |
| CVE-2023-2251 | High |
7.5 | yaml-2.2.1.tgz | Transitive | N/A* | ❌ |
| CVE-2022-25881 | High |
7.5 | http-cache-semantics-3.8.1.tgz | Transitive | N/A* | ❌ |
| CVE-2023-28155 | Medium |
6.1 | request-2.88.2.tgz | Transitive | N/A* | ❌ |
| CVE-2022-33987 | Medium |
5.3 | got-6.7.1.tgz | Transitive | N/A* | ❌ |
| CVE-2023-0842 | Medium |
5.3 | xml2js-0.4.23.tgz | Transitive | N/A* | ❌ |
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
CVE-2022-25912Simple GIT interface for node.js
Library home page: https://registry.npmjs.org/simple-git/-/simple-git-1.132.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/simple-git/package.json
Dependency Hierarchy:
Found in HEAD commit: ba38da18b86f4097e8d4bb4785914a2134589a70
Found in base branch: develop
The package simple-git before 3.15.0 are vulnerable to Remote Code Execution (RCE) when enabling the ext transport protocol, which makes it exploitable via clone() method. This vulnerability exists due to an incomplete fix of CVE-2022-24066.
Publish Date: 2022-12-06
URL: CVE-2022-25912
Base Score Metrics:
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2022-25912
Release Date: 2022-12-06
Fix Resolution: simple-git - 3.15.0
Step up your Open Source Security Game with Mend here
CVE-2022-24433Simple GIT interface for node.js
Library home page: https://registry.npmjs.org/simple-git/-/simple-git-1.132.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/simple-git/package.json
Dependency Hierarchy:
Found in HEAD commit: ba38da18b86f4097e8d4bb4785914a2134589a70
Found in base branch: develop
The package simple-git before 3.3.0 are vulnerable to Command Injection via argument injection. When calling the .fetch(remote, branch, handlerFn) function, both the remote and branch parameters are passed to the git fetch subcommand. By injecting some git options it was possible to get arbitrary command execution.
Publish Date: 2022-03-11
URL: CVE-2022-24433
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-3f95-r44v-8mrg
Release Date: 2022-03-11
Fix Resolution: simple-git - 3.3.0
Step up your Open Source Security Game with Mend here
CVE-2023-29827Library home page: https://registry.npmjs.org/ejs/-/ejs-3.1.9.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/ejs/package.json
Dependency Hierarchy:
Found in HEAD commit: ba38da18b86f4097e8d4bb4785914a2134589a70
Found in base branch: develop
** DISPUTED ** ejs v3.1.9 is vulnerable to server-side template injection. If the ejs file is controllable, template injection can be implemented through the configuration settings of the closeDelimiter parameter. NOTE: this is disputed by the vendor because the render function is not intended to be used with untrusted input.
Publish Date: 2023-05-04
URL: CVE-2023-29827
Base Score Metrics:
Step up your Open Source Security Game with Mend here
CVE-2022-24066Simple GIT interface for node.js
Library home page: https://registry.npmjs.org/simple-git/-/simple-git-1.132.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/simple-git/package.json
Dependency Hierarchy:
Found in HEAD commit: ba38da18b86f4097e8d4bb4785914a2134589a70
Found in base branch: develop
The package simple-git before 3.5.0 are vulnerable to Command Injection due to an incomplete fix of CVE-2022-24433 which only patches against the git fetch attack vector. A similar use of the --upload-pack feature of git is also supported for git clone, which the prior fix didn't cover.
Publish Date: 2022-04-01
URL: CVE-2022-24066
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-28xr-mwxg-3qc8
Release Date: 2022-04-01
Fix Resolution: simple-git - 3.5.0
Step up your Open Source Security Game with Mend here
CVE-2023-2251Library home page: https://registry.npmjs.org/yaml/-/yaml-2.2.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/yaml/package.json
Dependency Hierarchy:
Found in HEAD commit: ba38da18b86f4097e8d4bb4785914a2134589a70
Found in base branch: develop
Uncaught Exception in GitHub repository eemeli/yaml prior to 2.0.0-5.
Mend Note: After conducting further research, Mend has determined that CVE-2023-2251 only affects environments with versions 2.0.0-4--v2.2.1 of yaml.
Publish Date: 2023-04-24
URL: CVE-2023-2251
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-f9xv-q969-pqx4
Release Date: 2023-04-24
Fix Resolution: yaml - 2.2.2
Step up your Open Source Security Game with Mend here
CVE-2022-25881Parses Cache-Control and other headers. Helps building correct HTTP caches and proxies
Library home page: https://registry.npmjs.org/http-cache-semantics/-/http-cache-semantics-3.8.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/http-cache-semantics/package.json
Dependency Hierarchy:
Found in HEAD commit: ba38da18b86f4097e8d4bb4785914a2134589a70
Found in base branch: develop
This affects versions of the package http-cache-semantics before 4.1.1. The issue can be exploited via malicious request header values sent to a server, when that server reads the cache policy from the request using this library.
Publish Date: 2023-01-31
URL: CVE-2022-25881
Base Score Metrics:
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2022-25881
Release Date: 2023-01-31
Fix Resolution: http-cache-semantics - 4.1.1
Step up your Open Source Security Game with Mend here
CVE-2023-28155Simplified HTTP request client.
Library home page: https://registry.npmjs.org/request/-/request-2.88.2.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/request/package.json
Dependency Hierarchy:
Found in HEAD commit: ba38da18b86f4097e8d4bb4785914a2134589a70
Found in base branch: develop
** UNSUPPORTED WHEN ASSIGNED ** The Request package through 2.88.1 for Node.js allows a bypass of SSRF mitigations via an attacker-controller server that does a cross-protocol redirect (HTTP to HTTPS, or HTTPS to HTTP). NOTE: This vulnerability only affects products that are no longer supported by the maintainer.
Publish Date: 2023-03-16
URL: CVE-2023-28155
Base Score Metrics:
Step up your Open Source Security Game with Mend here
CVE-2022-33987Simplified HTTP requests
Library home page: https://registry.npmjs.org/got/-/got-6.7.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/got/package.json
Dependency Hierarchy:
Found in HEAD commit: ba38da18b86f4097e8d4bb4785914a2134589a70
Found in base branch: develop
The got package before 12.1.0 (also fixed in 11.8.5) for Node.js allows a redirect to a UNIX socket.
Publish Date: 2022-06-18
URL: CVE-2022-33987
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-33987
Release Date: 2022-06-18
Fix Resolution: got - 11.8.5,12.1.0
Step up your Open Source Security Game with Mend here
CVE-2023-0842Simple XML to JavaScript object converter.
Library home page: https://registry.npmjs.org/xml2js/-/xml2js-0.4.23.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/xml2js/package.json
Dependency Hierarchy:
Found in HEAD commit: ba38da18b86f4097e8d4bb4785914a2134589a70
Found in base branch: develop
xml2js version 0.4.23 allows an external attacker to edit or add new properties to an object. This is possible because the application does not properly validate incoming JSON keys, thus allowing the proto property to be edited.
Publish Date: 2023-04-05
URL: CVE-2023-0842
Base Score Metrics:
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2023-0842
Release Date: 2023-04-05
Fix Resolution: xml2js - 0.5.0
Step up your Open Source Security Game with Mend here
Vulnerable Library - korojscommands-1.2.19.tgzPath to dependency file: /package.json
Path to vulnerable library: /node_modules/xml2js/package.json
Found in HEAD commit: 05e331c062b9fd8ea9919210838dc9ae4ee0ac63
| CVE | Severity | CVSS |
Dependency | Type | Fixed in (korojscommands version) | Remediation Available |
|---|---|---|---|---|---|---|
| CVE-2022-25912 | Critical |
9.8 | simple-git-1.132.0.tgz | Transitive | N/A* | ❌ |
| CVE-2022-24433 | Critical |
9.8 | simple-git-1.132.0.tgz | Transitive | N/A* | ❌ |
| CVE-2022-24066 | Critical |
9.8 | simple-git-1.132.0.tgz | Transitive | N/A* | ❌ |
| CVE-2022-25881 | High |
7.5 | http-cache-semantics-3.8.1.tgz | Transitive | N/A* | ❌ |
| CVE-2023-28155 | Medium |
6.1 | request-2.88.2.tgz | Transitive | N/A* | ❌ |
| CVE-2022-33987 | Medium |
5.3 | got-6.7.1.tgz | Transitive | N/A* | ❌ |
| CVE-2023-0842 | Medium |
5.3 | xml2js-0.4.23.tgz | Transitive | N/A* | ❌ |
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
CVE-2022-25912Simple GIT interface for node.js
Library home page: https://registry.npmjs.org/simple-git/-/simple-git-1.132.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/simple-git/package.json
Dependency Hierarchy:
Found in HEAD commit: 05e331c062b9fd8ea9919210838dc9ae4ee0ac63
Found in base branch: develop
The package simple-git before 3.15.0 are vulnerable to Remote Code Execution (RCE) when enabling the ext transport protocol, which makes it exploitable via clone() method. This vulnerability exists due to an incomplete fix of CVE-2022-24066.
Publish Date: 2022-12-06
URL: CVE-2022-25912
Base Score Metrics:
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2022-25912
Release Date: 2022-12-06
Fix Resolution: simple-git - 3.15.0
Step up your Open Source Security Game with Mend here
CVE-2022-24433Simple GIT interface for node.js
Library home page: https://registry.npmjs.org/simple-git/-/simple-git-1.132.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/simple-git/package.json
Dependency Hierarchy:
Found in HEAD commit: 05e331c062b9fd8ea9919210838dc9ae4ee0ac63
Found in base branch: develop
The package simple-git before 3.3.0 are vulnerable to Command Injection via argument injection. When calling the .fetch(remote, branch, handlerFn) function, both the remote and branch parameters are passed to the git fetch subcommand. By injecting some git options it was possible to get arbitrary command execution.
Publish Date: 2022-03-11
URL: CVE-2022-24433
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-3f95-r44v-8mrg
Release Date: 2022-03-11
Fix Resolution: simple-git - 3.3.0
Step up your Open Source Security Game with Mend here
CVE-2022-24066Simple GIT interface for node.js
Library home page: https://registry.npmjs.org/simple-git/-/simple-git-1.132.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/simple-git/package.json
Dependency Hierarchy:
Found in HEAD commit: 05e331c062b9fd8ea9919210838dc9ae4ee0ac63
Found in base branch: develop
The package simple-git before 3.5.0 are vulnerable to Command Injection due to an incomplete fix of CVE-2022-24433 which only patches against the git fetch attack vector. A similar use of the --upload-pack feature of git is also supported for git clone, which the prior fix didn't cover.
Publish Date: 2022-04-01
URL: CVE-2022-24066
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-28xr-mwxg-3qc8
Release Date: 2022-04-01
Fix Resolution: simple-git - 3.5.0
Step up your Open Source Security Game with Mend here
CVE-2022-25881Parses Cache-Control and other headers. Helps building correct HTTP caches and proxies
Library home page: https://registry.npmjs.org/http-cache-semantics/-/http-cache-semantics-3.8.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/http-cache-semantics/package.json
Dependency Hierarchy:
Found in HEAD commit: 05e331c062b9fd8ea9919210838dc9ae4ee0ac63
Found in base branch: develop
This affects versions of the package http-cache-semantics before 4.1.1. The issue can be exploited via malicious request header values sent to a server, when that server reads the cache policy from the request using this library.
Publish Date: 2023-01-31
URL: CVE-2022-25881
Base Score Metrics:
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2022-25881
Release Date: 2023-01-31
Fix Resolution: http-cache-semantics - 4.1.1
Step up your Open Source Security Game with Mend here
CVE-2023-28155Simplified HTTP request client.
Library home page: https://registry.npmjs.org/request/-/request-2.88.2.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/request/package.json
Dependency Hierarchy:
Found in HEAD commit: 05e331c062b9fd8ea9919210838dc9ae4ee0ac63
Found in base branch: develop
** UNSUPPORTED WHEN ASSIGNED ** The Request package through 2.88.1 for Node.js allows a bypass of SSRF mitigations via an attacker-controller server that does a cross-protocol redirect (HTTP to HTTPS, or HTTPS to HTTP). NOTE: This vulnerability only affects products that are no longer supported by the maintainer.
Publish Date: 2023-03-16
URL: CVE-2023-28155
Base Score Metrics:
Step up your Open Source Security Game with Mend here
CVE-2022-33987Simplified HTTP requests
Library home page: https://registry.npmjs.org/got/-/got-6.7.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/got/package.json
Dependency Hierarchy:
Found in HEAD commit: 05e331c062b9fd8ea9919210838dc9ae4ee0ac63
Found in base branch: develop
The got package before 12.1.0 (also fixed in 11.8.5) for Node.js allows a redirect to a UNIX socket.
Publish Date: 2022-06-18
URL: CVE-2022-33987
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-33987
Release Date: 2022-06-18
Fix Resolution: got - 11.8.5,12.1.0
Step up your Open Source Security Game with Mend here
CVE-2023-0842Simple XML to JavaScript object converter.
Library home page: https://registry.npmjs.org/xml2js/-/xml2js-0.4.23.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/xml2js/package.json
Dependency Hierarchy:
Found in HEAD commit: 05e331c062b9fd8ea9919210838dc9ae4ee0ac63
Found in base branch: develop
xml2js version 0.4.23 allows an external attacker to edit or add new properties to an object. This is possible because the application does not properly validate incoming JSON keys, thus allowing the proto property to be edited.
Publish Date: 2023-04-05
URL: CVE-2023-0842
Base Score Metrics:
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2023-0842
Release Date: 2023-04-05
Fix Resolution: xml2js - 0.5.0
Step up your Open Source Security Game with Mend here
Vulnerabilities
DepShield reports that this application's usage of yargs-parser:11.1.1 results in the following vulnerability(s):
Occurrences
yargs-parser:11.1.1 is a transitive dependency introduced by the following direct dependency(s):
• gitmoji-changelog:2.1.0
└─ yargs:12.0.5
└─ yargs-parser:11.1.1
This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.
Vulnerabilities
DepShield reports that this application's usage of yargs-parser:7.0.0 results in the following vulnerability(s):
Occurrences
yargs-parser:7.0.0 is a transitive dependency introduced by the following direct dependency(s):
• gitmoji-changelog:2.1.0
└─ libnpm:1.5.0
└─ lock-verify:2.2.1
└─ @iarna/cli:1.2.0
└─ yargs:8.0.2
└─ yargs-parser:7.0.0
This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.
Vulnerabilities
DepShield reports that this application's usage of lodash.clonedeep:4.5.0 results in the following vulnerability(s):
Occurrences
lodash.clonedeep:4.5.0 is a transitive dependency introduced by the following direct dependency(s):
• gitmoji-changelog:2.1.0
└─ libnpm:1.5.0
└─ libnpmpublish:1.1.3
└─ lodash.clonedeep:4.5.0
This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.
Vulnerabilities
DepShield reports that this application's usage of lodash.flatten:4.4.0 results in the following vulnerability(s):
Occurrences
lodash.flatten:4.4.0 is a transitive dependency introduced by the following direct dependency(s):
• markdownlint-cli:0.24.0
└─ lodash.flatten:4.4.0
This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.
Vulnerable Library - korojscommands-1.2.17.tgzPath to dependency file: /package.json
Path to vulnerable library: /node_modules/xml2js/package.json
Found in HEAD commit: 6cd705355322b8784542e5d9f3db00aec99a955f
| CVE | Severity | CVSS |
Dependency | Type | Fixed in (korojscommands version) | Remediation Available |
|---|---|---|---|---|---|---|
| CVE-2022-25912 | High |
9.8 | simple-git-1.132.0.tgz | Transitive | N/A* | ❌ |
| CVE-2022-24433 | High |
9.8 | simple-git-1.132.0.tgz | Transitive | N/A* | ❌ |
| CVE-2022-24066 | High |
9.8 | simple-git-1.132.0.tgz | Transitive | N/A* | ❌ |
| CVE-2023-2251 | High |
7.5 | yaml-2.2.1.tgz | Transitive | N/A* | ❌ |
| CVE-2022-25881 | High |
7.5 | http-cache-semantics-3.8.1.tgz | Transitive | N/A* | ❌ |
| CVE-2023-28155 | Medium |
6.1 | request-2.88.2.tgz | Transitive | N/A* | ❌ |
| CVE-2023-29827 | Medium |
5.5 | ejs-3.1.9.tgz | Transitive | N/A* | ❌ |
| CVE-2022-33987 | Medium |
5.3 | got-6.7.1.tgz | Transitive | N/A* | ❌ |
| CVE-2023-0842 | Medium |
5.3 | xml2js-0.4.23.tgz | Transitive | N/A* | ❌ |
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
CVE-2022-25912Simple GIT interface for node.js
Library home page: https://registry.npmjs.org/simple-git/-/simple-git-1.132.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/simple-git/package.json
Dependency Hierarchy:
Found in HEAD commit: 6cd705355322b8784542e5d9f3db00aec99a955f
Found in base branch: develop
The package simple-git before 3.15.0 are vulnerable to Remote Code Execution (RCE) when enabling the ext transport protocol, which makes it exploitable via clone() method. This vulnerability exists due to an incomplete fix of CVE-2022-24066.
Publish Date: 2022-12-06
URL: CVE-2022-25912
Base Score Metrics:
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2022-25912
Release Date: 2022-12-06
Fix Resolution: simple-git - 3.15.0
Step up your Open Source Security Game with Mend here
CVE-2022-24433Simple GIT interface for node.js
Library home page: https://registry.npmjs.org/simple-git/-/simple-git-1.132.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/simple-git/package.json
Dependency Hierarchy:
Found in HEAD commit: 6cd705355322b8784542e5d9f3db00aec99a955f
Found in base branch: develop
The package simple-git before 3.3.0 are vulnerable to Command Injection via argument injection. When calling the .fetch(remote, branch, handlerFn) function, both the remote and branch parameters are passed to the git fetch subcommand. By injecting some git options it was possible to get arbitrary command execution.
Publish Date: 2022-03-11
URL: CVE-2022-24433
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-3f95-r44v-8mrg
Release Date: 2022-03-11
Fix Resolution: simple-git - 3.3.0
Step up your Open Source Security Game with Mend here
CVE-2022-24066Simple GIT interface for node.js
Library home page: https://registry.npmjs.org/simple-git/-/simple-git-1.132.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/simple-git/package.json
Dependency Hierarchy:
Found in HEAD commit: 6cd705355322b8784542e5d9f3db00aec99a955f
Found in base branch: develop
The package simple-git before 3.5.0 are vulnerable to Command Injection due to an incomplete fix of CVE-2022-24433 which only patches against the git fetch attack vector. A similar use of the --upload-pack feature of git is also supported for git clone, which the prior fix didn't cover.
Publish Date: 2022-04-01
URL: CVE-2022-24066
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-28xr-mwxg-3qc8
Release Date: 2022-04-01
Fix Resolution: simple-git - 3.5.0
Step up your Open Source Security Game with Mend here
CVE-2023-2251Library home page: https://registry.npmjs.org/yaml/-/yaml-2.2.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/yaml/package.json
Dependency Hierarchy:
Found in HEAD commit: 6cd705355322b8784542e5d9f3db00aec99a955f
Found in base branch: develop
Uncaught Exception in yaml prior to 2.2.2.
Mend Note: After conducting further research, Mend has determined that CVE-2023-2251 only affects environments with versions 2.0.0-4--v2.2.1 of yaml.
Publish Date: 2023-04-24
URL: CVE-2023-2251
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-f9xv-q969-pqx4
Release Date: 2023-04-24
Fix Resolution: yaml - 2.2.2
Step up your Open Source Security Game with Mend here
CVE-2022-25881Parses Cache-Control and other headers. Helps building correct HTTP caches and proxies
Library home page: https://registry.npmjs.org/http-cache-semantics/-/http-cache-semantics-3.8.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/http-cache-semantics/package.json
Dependency Hierarchy:
Found in HEAD commit: 6cd705355322b8784542e5d9f3db00aec99a955f
Found in base branch: develop
This affects versions of the package http-cache-semantics before 4.1.1. The issue can be exploited via malicious request header values sent to a server, when that server reads the cache policy from the request using this library.
Publish Date: 2023-01-31
URL: CVE-2022-25881
Base Score Metrics:
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2022-25881
Release Date: 2023-01-31
Fix Resolution: http-cache-semantics - 4.1.1
Step up your Open Source Security Game with Mend here
CVE-2023-28155Simplified HTTP request client.
Library home page: https://registry.npmjs.org/request/-/request-2.88.2.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/request/package.json
Dependency Hierarchy:
Found in HEAD commit: 6cd705355322b8784542e5d9f3db00aec99a955f
Found in base branch: develop
** UNSUPPORTED WHEN ASSIGNED ** The Request package through 2.88.1 for Node.js allows a bypass of SSRF mitigations via an attacker-controller server that does a cross-protocol redirect (HTTP to HTTPS, or HTTPS to HTTP). NOTE: This vulnerability only affects products that are no longer supported by the maintainer.
Publish Date: 2023-03-16
URL: CVE-2023-28155
Base Score Metrics:
Step up your Open Source Security Game with Mend here
CVE-2023-29827Library home page: https://registry.npmjs.org/ejs/-/ejs-3.1.9.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/ejs/package.json
Dependency Hierarchy:
Found in HEAD commit: 6cd705355322b8784542e5d9f3db00aec99a955f
Found in base branch: develop
ejs v3.1.9 is vulnerable to server-side template injection. If the ejs file is controllable, template injection can be implemented through the configuration settings of the closeDelimiter parameter.
Publish Date: 2023-05-04
URL: CVE-2023-29827
Base Score Metrics:
Step up your Open Source Security Game with Mend here
CVE-2022-33987Simplified HTTP requests
Library home page: https://registry.npmjs.org/got/-/got-6.7.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/got/package.json
Dependency Hierarchy:
Found in HEAD commit: 6cd705355322b8784542e5d9f3db00aec99a955f
Found in base branch: develop
The got package before 12.1.0 (also fixed in 11.8.5) for Node.js allows a redirect to a UNIX socket.
Publish Date: 2022-06-18
URL: CVE-2022-33987
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-33987
Release Date: 2022-06-18
Fix Resolution: got - 11.8.5,12.1.0
Step up your Open Source Security Game with Mend here
CVE-2023-0842Simple XML to JavaScript object converter.
Library home page: https://registry.npmjs.org/xml2js/-/xml2js-0.4.23.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/xml2js/package.json
Dependency Hierarchy:
Found in HEAD commit: 6cd705355322b8784542e5d9f3db00aec99a955f
Found in base branch: develop
xml2js version 0.4.23 allows an external attacker to edit or add new properties to an object. This is possible because the application does not properly validate incoming JSON keys, thus allowing the proto property to be edited.
Publish Date: 2023-04-05
URL: CVE-2023-0842
Base Score Metrics:
Step up your Open Source Security Game with Mend here
Vulnerabilities
DepShield reports that this application's usage of markdown-it:12.2.0 results in the following vulnerability(s):
Occurrences
markdown-it:12.2.0 is a transitive dependency introduced by the following direct dependency(s):
• koromerzhin-dependencies:1.3.0
└─ markdownlint-cli:0.30.0
└─ markdownlint:0.24.0
└─ markdown-it:12.2.0
This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.
Vulnerable Library - korojscommands-1.2.16.tgzPath to dependency file: /package.json
Path to vulnerable library: /node_modules/got/package.json
Found in HEAD commit: 04c9a7139ff909190f26ba512febf4c34ddfaec4
| CVE | Severity | CVSS |
Dependency | Type | Fixed in (korojscommands version) | Remediation Available |
|---|---|---|---|---|---|---|
| CVE-2022-25912 | High |
9.8 | simple-git-1.132.0.tgz | Transitive | N/A* | ❌ |
| CVE-2022-24433 | High |
9.8 | simple-git-1.132.0.tgz | Transitive | N/A* | ❌ |
| CVE-2022-24066 | High |
9.8 | simple-git-1.132.0.tgz | Transitive | N/A* | ❌ |
| CVE-2022-25881 | High |
7.5 | http-cache-semantics-3.8.1.tgz | Transitive | N/A* | ❌ |
| CVE-2023-28155 | Medium |
6.1 | request-2.88.2.tgz | Transitive | N/A* | ❌ |
| CVE-2022-33987 | Medium |
5.3 | got-6.7.1.tgz | Transitive | N/A* | ❌ |
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
CVE-2022-25912Simple GIT interface for node.js
Library home page: https://registry.npmjs.org/simple-git/-/simple-git-1.132.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/simple-git/package.json
Dependency Hierarchy:
Found in HEAD commit: 04c9a7139ff909190f26ba512febf4c34ddfaec4
Found in base branch: develop
The package simple-git before 3.15.0 are vulnerable to Remote Code Execution (RCE) when enabling the ext transport protocol, which makes it exploitable via clone() method. This vulnerability exists due to an incomplete fix of CVE-2022-24066.
Publish Date: 2022-12-06
URL: CVE-2022-25912
Base Score Metrics:
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2022-25912
Release Date: 2022-12-06
Fix Resolution: simple-git - 3.15.0
Step up your Open Source Security Game with Mend here
CVE-2022-24433Simple GIT interface for node.js
Library home page: https://registry.npmjs.org/simple-git/-/simple-git-1.132.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/simple-git/package.json
Dependency Hierarchy:
Found in HEAD commit: 04c9a7139ff909190f26ba512febf4c34ddfaec4
Found in base branch: develop
The package simple-git before 3.3.0 are vulnerable to Command Injection via argument injection. When calling the .fetch(remote, branch, handlerFn) function, both the remote and branch parameters are passed to the git fetch subcommand. By injecting some git options it was possible to get arbitrary command execution.
Publish Date: 2022-03-11
URL: CVE-2022-24433
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-3f95-r44v-8mrg
Release Date: 2022-03-11
Fix Resolution: simple-git - 3.3.0
Step up your Open Source Security Game with Mend here
CVE-2022-24066Simple GIT interface for node.js
Library home page: https://registry.npmjs.org/simple-git/-/simple-git-1.132.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/simple-git/package.json
Dependency Hierarchy:
Found in HEAD commit: 04c9a7139ff909190f26ba512febf4c34ddfaec4
Found in base branch: develop
The package simple-git before 3.5.0 are vulnerable to Command Injection due to an incomplete fix of CVE-2022-24433 which only patches against the git fetch attack vector. A similar use of the --upload-pack feature of git is also supported for git clone, which the prior fix didn't cover.
Publish Date: 2022-04-01
URL: CVE-2022-24066
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-28xr-mwxg-3qc8
Release Date: 2022-04-01
Fix Resolution: simple-git - 3.5.0
Step up your Open Source Security Game with Mend here
CVE-2022-25881Parses Cache-Control and other headers. Helps building correct HTTP caches and proxies
Library home page: https://registry.npmjs.org/http-cache-semantics/-/http-cache-semantics-3.8.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/http-cache-semantics/package.json
Dependency Hierarchy:
Found in HEAD commit: 04c9a7139ff909190f26ba512febf4c34ddfaec4
Found in base branch: develop
This affects versions of the package http-cache-semantics before 4.1.1. The issue can be exploited via malicious request header values sent to a server, when that server reads the cache policy from the request using this library.
Publish Date: 2023-01-31
URL: CVE-2022-25881
Base Score Metrics:
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2022-25881
Release Date: 2023-01-31
Fix Resolution: http-cache-semantics - 4.1.1
Step up your Open Source Security Game with Mend here
CVE-2023-28155Simplified HTTP request client.
Library home page: https://registry.npmjs.org/request/-/request-2.88.2.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/request/package.json
Dependency Hierarchy:
Found in HEAD commit: 04c9a7139ff909190f26ba512febf4c34ddfaec4
Found in base branch: develop
** UNSUPPORTED WHEN ASSIGNED ** The Request package through 2.88.1 for Node.js allows a bypass of SSRF mitigations via an attacker-controller server that does a cross-protocol redirect (HTTP to HTTPS, or HTTPS to HTTP). NOTE: This vulnerability only affects products that are no longer supported by the maintainer.
Publish Date: 2023-03-16
URL: CVE-2023-28155
Base Score Metrics:
Step up your Open Source Security Game with Mend here
CVE-2022-33987Simplified HTTP requests
Library home page: https://registry.npmjs.org/got/-/got-6.7.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/got/package.json
Dependency Hierarchy:
Found in HEAD commit: 04c9a7139ff909190f26ba512febf4c34ddfaec4
Found in base branch: develop
The got package before 12.1.0 (also fixed in 11.8.5) for Node.js allows a redirect to a UNIX socket.
Publish Date: 2022-06-18
URL: CVE-2022-33987
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-33987
Release Date: 2022-06-18
Fix Resolution: got - 11.8.5,12.1.0
Step up your Open Source Security Game with Mend here
Vulnerabilities
DepShield reports that this application's usage of ini:1.3.8 results in the following vulnerability(s):
Occurrences
ini:1.3.8 is a transitive dependency introduced by the following direct dependency(s):
• gitmoji-changelog:2.1.0
└─ @gitmoji-changelog/core:2.2.1
└─ git-remote-origin-url:2.0.0
└─ gitconfiglocal:1.0.0
└─ ini:1.3.8
└─ libnpm:1.5.0
└─ libnpmconfig:1.2.1
└─ ini:1.3.8
└─ rc:1.2.8
└─ ini:1.3.8
• readme-md-generator:1.0.0
└─ git-repo-name:1.0.1
└─ remote-origin-url:2.0.0
└─ parse-git-config:3.0.0
└─ ini:1.3.8
• semantic-git-commit-cli:3.7.0
└─ findup-sync:4.0.0
└─ resolve-dir:1.0.1
└─ global-modules:1.0.0
└─ global-prefix:1.0.2
└─ ini:1.3.8
└─ update-notifier:2.5.0
└─ is-installed-globally:0.1.0
└─ global-dirs:0.1.1
└─ ini:1.3.8
This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
An Open Source Machine Learning Framework for Everyone
Django
The Web framework for perfectionists with deadlines.
Laravel
A PHP framework for web artisans
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
Some thing interesting about web. New door for the world.
A server is a program made to process requests and deliver data to clients.
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Some thing interesting about visualization, use data art
Some thing interesting about game, make everyone happy.
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
Microsoft
Open source projects and samples from Microsoft.
Google
Google ❤️ Open Source for everyone.
Alibaba
Alibaba Open Source for everyone
D3
Data-Driven Documents codes.
Tencent
China tencent open source team.