mathigon / tropicsu Goto Github PK
View Code? Open in Web Editor NEWFree lesson plans for teaching about climate change, funded by the International Science Council.
Home Page: https://climatescienceteaching.org
Free lesson plans for teaching about climate change, funded by the International Science Council.
Home Page: https://climatescienceteaching.org
Found in HEAD commit: 84871f913299c03569bde7baed81829733ed9798
CVE | Severity | CVSS | Dependency | Type | Fixed in (firebase-tools version) | Remediation Possible** |
---|---|---|---|---|---|---|
CVE-2023-30547 | Critical | 10.0 | vm2-3.9.15.tgz | Transitive | 11.24.1 | ❌ |
CVE-2023-29199 | Critical | 10.0 | vm2-3.9.15.tgz | Transitive | 11.24.1 | ❌ |
CVE-2023-37903 | Critical | 10.0 | vm2-3.9.15.tgz | Transitive | N/A* | ❌ |
CVE-2023-32314 | Critical | 10.0 | vm2-3.9.15.tgz | Transitive | 11.24.1 | ❌ |
CVE-2023-37466 | Critical | 9.8 | vm2-3.9.15.tgz | Transitive | N/A* | ❌ |
CVE-2023-26136 | Critical | 9.8 | tough-cookie-2.5.0.tgz | Transitive | N/A* | ❌ |
CVE-2023-36665 | Critical | 9.8 | protobufjs-7.2.3.tgz | Transitive | 11.24.1 | ❌ |
CVE-2023-26115 | High | 7.5 | word-wrap-1.2.3.tgz | Transitive | N/A* | ❌ |
CVE-2022-25883 | High | 7.5 | detected in multiple dependencies | Transitive | N/A* | ❌ |
CVE-2023-28155 | Medium | 6.1 | request-2.88.2.tgz | Transitive | N/A* | ❌ |
CVE-2023-32313 | Medium | 5.3 | vm2-3.9.15.tgz | Transitive | 11.24.1 | ❌ |
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Library home page: https://registry.npmjs.org/vm2/-/vm2-3.9.15.tgz
Dependency Hierarchy:
Found in HEAD commit: 84871f913299c03569bde7baed81829733ed9798
Found in base branch: master
vm2 is a sandbox that can run untrusted code with whitelisted Node's built-in modules. There exists a vulnerability in exception sanitization of vm2 for versions up to 3.9.16, allowing attackers to raise an unsanitized host exception inside handleException()
which can be used to escape the sandbox and run arbitrary code in host context. This vulnerability was patched in the release of version 3.9.17
of vm2
. There are no known workarounds for this vulnerability. Users are advised to upgrade.
Publish Date: 2023-04-17
URL: CVE-2023-30547
Base Score Metrics:
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2023-30547
Release Date: 2023-04-17
Fix Resolution (vm2): 3.9.18
Direct dependency fix Resolution (firebase-tools): 11.24.1
Library home page: https://registry.npmjs.org/vm2/-/vm2-3.9.15.tgz
Dependency Hierarchy:
Found in HEAD commit: 84871f913299c03569bde7baed81829733ed9798
Found in base branch: master
There exists a vulnerability in source code transformer (exception sanitization logic) of vm2 for versions up to 3.9.15, allowing attackers to bypass handleException()
and leak unsanitized host exceptions which can be used to escape the sandbox and run arbitrary code in host context. A threat actor can bypass the sandbox protections to gain remote code execution rights on the host running the sandbox. This vulnerability was patched in the release of version 3.9.16
of vm2
.
Publish Date: 2023-04-14
URL: CVE-2023-29199
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-xj72-wvfv-8985
Release Date: 2023-04-14
Fix Resolution (vm2): 3.9.16
Direct dependency fix Resolution (firebase-tools): 11.24.1
Library home page: https://registry.npmjs.org/vm2/-/vm2-3.9.15.tgz
Dependency Hierarchy:
Found in HEAD commit: 84871f913299c03569bde7baed81829733ed9798
Found in base branch: master
vm2 is an open source vm/sandbox for Node.js. In vm2 for versions up to and including 3.9.19, Node.js custom inspect function allows attackers to escape the sandbox and run arbitrary code. This may result in Remote Code Execution, assuming the attacker has arbitrary code execution primitive inside the context of vm2 sandbox. There are no patches and no known workarounds. Users are advised to find an alternative software.
Publish Date: 2023-07-21
URL: CVE-2023-37903
Base Score Metrics:
Library home page: https://registry.npmjs.org/vm2/-/vm2-3.9.15.tgz
Dependency Hierarchy:
Found in HEAD commit: 84871f913299c03569bde7baed81829733ed9798
Found in base branch: master
vm2 is a sandbox that can run untrusted code with Node's built-in modules. A sandbox escape vulnerability exists in vm2 for versions up to and including 3.9.17. It abuses an unexpected creation of a host object based on the specification of Proxy
. As a result a threat actor can bypass the sandbox protections to gain remote code execution rights on the host running the sandbox. This vulnerability was patched in the release of version 3.9.18
of vm2
. Users are advised to upgrade. There are no known workarounds for this vulnerability.
Publish Date: 2023-05-15
URL: CVE-2023-32314
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-whpj-8f3w-67p5
Release Date: 2023-05-15
Fix Resolution (vm2): 3.9.18
Direct dependency fix Resolution (firebase-tools): 11.24.1
Library home page: https://registry.npmjs.org/vm2/-/vm2-3.9.15.tgz
Dependency Hierarchy:
Found in HEAD commit: 84871f913299c03569bde7baed81829733ed9798
Found in base branch: master
vm2 is an advanced vm/sandbox for Node.js. The library contains critical security issues and should not be used for production. The maintenance of the project has been discontinued. In vm2 for versions up to 3.9.19, Promise
handler sanitization can be bypassed with @@species
accessor property allowing attackers to escape the sandbox and run arbitrary code. Remote Code Execution, assuming the attacker has arbitrary code execution primitive inside the context of vm2 sandbox.
Publish Date: 2023-07-14
URL: CVE-2023-37466
Base Score Metrics:
RFC6265 Cookies and Cookie Jar for node.js
Library home page: https://registry.npmjs.org/tough-cookie/-/tough-cookie-2.5.0.tgz
Dependency Hierarchy:
Found in HEAD commit: 84871f913299c03569bde7baed81829733ed9798
Found in base branch: master
Versions of the package tough-cookie before 4.1.3 are vulnerable to Prototype Pollution due to improper handling of Cookies when using CookieJar in rejectPublicSuffixes=false mode. This issue arises from the manner in which the objects are initialized.
Publish Date: 2023-07-01
URL: CVE-2023-26136
Base Score Metrics:
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2023-26136
Release Date: 2023-07-01
Fix Resolution: tough-cookie - 4.1.3
Library home page: https://registry.npmjs.org/protobufjs/-/protobufjs-7.2.3.tgz
Dependency Hierarchy:
Found in HEAD commit: 84871f913299c03569bde7baed81829733ed9798
Found in base branch: master
protobuf.js (aka protobufjs) 6.10.0 through 7.x before 7.2.4 allows Prototype Pollution, a different vulnerability than CVE-2022-25878. A user-controlled protobuf message can be used by an attacker to pollute the prototype of Object.prototype by adding and overwriting its data and functions. Exploitation can involve: (1) using the function parse to parse protobuf messages on the fly, (2) loading .proto files by using load/loadSync functions, or (3) providing untrusted input to the functions ReflectionObject.setParsedOption and util.setProperty. NOTE: this CVE Record is about "Object.constructor.prototype. = ...;" whereas CVE-2022-25878 was about "Object.proto. = ...;" instead.
Publish Date: 2023-07-05
URL: CVE-2023-36665
Base Score Metrics:
Type: Upgrade version
Origin: https://www.code-intelligence.com/blog/cve-protobufjs-prototype-pollution-cve-2023-36665
Release Date: 2023-07-05
Fix Resolution (protobufjs): 7.2.4
Direct dependency fix Resolution (firebase-tools): 11.24.1
Wrap words to a specified length.
Library home page: https://registry.npmjs.org/word-wrap/-/word-wrap-1.2.3.tgz
Dependency Hierarchy:
Found in HEAD commit: 84871f913299c03569bde7baed81829733ed9798
Found in base branch: master
All versions of the package word-wrap are vulnerable to Regular Expression Denial of Service (ReDoS) due to the usage of an insecure regular expression within the result variable.
Publish Date: 2023-06-22
URL: CVE-2023-26115
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-j8xg-fqg3-53r7
Release Date: 2023-06-22
Fix Resolution: word-wrap - 1.2.4
The semantic version parser used by npm.
Library home page: https://registry.npmjs.org/semver/-/semver-7.3.5.tgz
Dependency Hierarchy:
The semantic version parser used by npm.
Library home page: https://registry.npmjs.org/semver/-/semver-5.7.1.tgz
Dependency Hierarchy:
The semantic version parser used by npm.
Library home page: https://registry.npmjs.org/semver/-/semver-7.3.7.tgz
Dependency Hierarchy:
The semantic version parser used by npm.
Library home page: https://registry.npmjs.org/semver/-/semver-7.3.8.tgz
Dependency Hierarchy:
The semantic version parser used by npm.
Library home page: https://registry.npmjs.org/semver/-/semver-6.3.0.tgz
Dependency Hierarchy:
Found in HEAD commit: 84871f913299c03569bde7baed81829733ed9798
Found in base branch: master
Versions of the package semver before 7.5.2 are vulnerable to Regular Expression Denial of Service (ReDoS) via the function new Range, when untrusted user data is provided as a range.
Publish Date: 2023-06-21
URL: CVE-2022-25883
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-c2qf-rxjj-qqgw
Release Date: 2023-06-21
Fix Resolution: semver - 5.7.2,6.3.1,7.5.2;org.webjars.npm:semver:7.5.2
Simplified HTTP request client.
Library home page: https://registry.npmjs.org/request/-/request-2.88.2.tgz
Dependency Hierarchy:
Found in HEAD commit: 84871f913299c03569bde7baed81829733ed9798
Found in base branch: master
** UNSUPPORTED WHEN ASSIGNED ** The Request package through 2.88.1 for Node.js allows a bypass of SSRF mitigations via an attacker-controller server that does a cross-protocol redirect (HTTP to HTTPS, or HTTPS to HTTP). NOTE: This vulnerability only affects products that are no longer supported by the maintainer.
Publish Date: 2023-03-16
URL: CVE-2023-28155
Base Score Metrics:
Library home page: https://registry.npmjs.org/vm2/-/vm2-3.9.15.tgz
Dependency Hierarchy:
Found in HEAD commit: 84871f913299c03569bde7baed81829733ed9798
Found in base branch: master
vm2 is a sandbox that can run untrusted code with Node's built-in modules. In versions 3.9.17 and lower of vm2 it was possible to get a read-write reference to the node inspect
method and edit options for console.log
. As a result a threat actor can edit options for the console.log
command. This vulnerability was patched in the release of version 3.9.18
of vm2
. Users are advised to upgrade. Users unable to upgrade may make the inspect
method readonly with vm.readonly(inspect)
after creating a vm.
Publish Date: 2023-05-15
URL: CVE-2023-32313
Base Score Metrics:
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2023-32313
Release Date: 2023-05-15
Fix Resolution (vm2): 3.9.18
Direct dependency fix Resolution (firebase-tools): 11.24.1
Found in HEAD commit: 84871f913299c03569bde7baed81829733ed9798
CVE | Severity | CVSS | Dependency | Type | Fixed in (express version) | Remediation Possible** |
---|---|---|---|---|---|---|
CVE-2022-24999 | High | 7.5 | qs-6.7.0.tgz | Transitive | 4.17.2 | ❌ |
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
A querystring parser that supports nesting and arrays, with a depth limit
Library home page: https://registry.npmjs.org/qs/-/qs-6.7.0.tgz
Dependency Hierarchy:
Found in HEAD commit: 84871f913299c03569bde7baed81829733ed9798
Found in base branch: master
qs before 6.10.3, as used in Express before 4.17.3 and other products, allows attackers to cause a Node process hang for an Express application because an __ proto__ key can be used. In many typical Express use cases, an unauthenticated remote attacker can place the attack payload in the query string of the URL that is used to visit the application, such as a[proto]=b&a[proto]&a[length]=100000000. The fix was backported to qs 6.9.7, 6.8.3, 6.7.3, 6.6.1, 6.5.3, 6.4.1, 6.3.3, and 6.2.4 (and therefore Express 4.17.3, which has "deps: [email protected]" in its release description, is not vulnerable).
Publish Date: 2022-11-26
URL: CVE-2022-24999
Base Score Metrics:
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2022-24999
Release Date: 2022-11-26
Fix Resolution (qs): 6.7.3
Direct dependency fix Resolution (express): 4.17.2
The main link (green button) on
https://climatescienceteaching.org/lesson/natural-selection/activity
is broken, the resource appears to have been removed.
JavaScript implementations of network transports, cryptography, ciphers, PKI, message digests, and various utilities.
Library home page: https://registry.npmjs.org/node-forge/-/node-forge-1.3.1.tgz
Dependency Hierarchy:
Found in HEAD commit: 84871f913299c03569bde7baed81829733ed9798
Found in base branch: master
BSD 3
License Reference File: https://index.whitesourcesoftware.com/gri/app/reader/resource/content/asString/54fcc1c1-dc31-4c37-9c83-114a4e92decc
GPL 2.0
License Reference File: https://index.whitesourcesoftware.com/gri/app/reader/resource/content/asString/54fcc1c1-dc31-4c37-9c83-114a4e92decc
⛔ License Policy Violation - [Reject][Global] Block CopyLeft Licenses
Found in HEAD commit: 84871f913299c03569bde7baed81829733ed9798
CVE | Severity | CVSS | Dependency | Type | Fixed in (firebase version) | Remediation Possible** |
---|---|---|---|---|---|---|
CVE-2023-36665 | Critical | 9.8 | protobufjs-6.11.3.tgz | Transitive | 8.0.0-2020922203858 | ❌ |
CVE-2022-0235 | Medium | 6.1 | node-fetch-2.6.1.tgz | Transitive | 8.10.1-2022028193537 | ❌ |
CVE-2020-7765 | Medium | 5.3 | util-0.3.2.tgz | Transitive | 8.0.0-2020922203858 | ❌ |
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Protocol Buffers for JavaScript (& TypeScript).
Library home page: https://registry.npmjs.org/protobufjs/-/protobufjs-6.11.3.tgz
Dependency Hierarchy:
Found in HEAD commit: 84871f913299c03569bde7baed81829733ed9798
Found in base branch: master
protobuf.js (aka protobufjs) 6.10.0 through 7.x before 7.2.4 allows Prototype Pollution, a different vulnerability than CVE-2022-25878. A user-controlled protobuf message can be used by an attacker to pollute the prototype of Object.prototype by adding and overwriting its data and functions. Exploitation can involve: (1) using the function parse to parse protobuf messages on the fly, (2) loading .proto files by using load/loadSync functions, or (3) providing untrusted input to the functions ReflectionObject.setParsedOption and util.setProperty. NOTE: this CVE Record is about "Object.constructor.prototype. = ...;" whereas CVE-2022-25878 was about "Object.proto. = ...;" instead.
Publish Date: 2023-07-05
URL: CVE-2023-36665
Base Score Metrics:
Type: Upgrade version
Origin: https://www.code-intelligence.com/blog/cve-protobufjs-prototype-pollution-cve-2023-36665
Release Date: 2023-07-05
Fix Resolution (protobufjs): 7.2.4
Direct dependency fix Resolution (firebase): 8.0.0-2020922203858
A light-weight module that brings window.fetch to node.js
Library home page: https://registry.npmjs.org/node-fetch/-/node-fetch-2.6.1.tgz
Dependency Hierarchy:
Found in HEAD commit: 84871f913299c03569bde7baed81829733ed9798
Found in base branch: master
node-fetch is vulnerable to Exposure of Sensitive Information to an Unauthorized Actor
Publish Date: 2022-01-16
URL: CVE-2022-0235
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-r683-j2x4-v87g
Release Date: 2022-01-16
Fix Resolution (node-fetch): 2.6.7
Direct dependency fix Resolution (firebase): 8.10.1-2022028193537
_NOTE: This is specifically tailored for Firebase JS SDK usage, if you are not a member of the Firebase team, please avoid using this package_
Library home page: https://registry.npmjs.org/@firebase/util/-/util-0.3.2.tgz
Dependency Hierarchy:
Found in HEAD commit: 84871f913299c03569bde7baed81829733ed9798
Found in base branch: master
This affects the package @firebase/util before 0.3.4. This vulnerability relates to the deepExtend function within the DeepCopy.ts file. Depending on if user input is provided, an attacker can overwrite and pollute the object prototype of a program.
Publish Date: 2020-11-16
URL: CVE-2020-7765
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7765
Release Date: 2020-11-16
Fix Resolution (@firebase/util): 0.3.3-2020922203858
Direct dependency fix Resolution (firebase): 8.0.0-2020922203858
A declarative, efficient, and flexible JavaScript library for building user interfaces.
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
An Open Source Machine Learning Framework for Everyone
The Web framework for perfectionists with deadlines.
A PHP framework for web artisans
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
Some thing interesting about web. New door for the world.
A server is a program made to process requests and deliver data to clients.
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Some thing interesting about visualization, use data art
Some thing interesting about game, make everyone happy.
We are working to build community through open source technology. NB: members must have two-factor auth.
Open source projects and samples from Microsoft.
Google ❤️ Open Source for everyone.
Alibaba Open Source for everyone
Data-Driven Documents codes.
China tencent open source team.