View Code? Open in Web Editor
NEW
This project forked from openflagr /flagr
Flagr is a feature flagging, A/B testing and dynamic configuration microservice
Home Page: https://checkr.github.io/flagr
License: Apache License 2.0
Makefile 0.87%
JavaScript 0.79%
HTML 0.19%
Vue 20.56%
Shell 4.46%
Go 72.72%
Dockerfile 0.41%
flagr's People
flagr's Issues
CVE-2022-0512 - Medium Severity Vulnerability
Vulnerable Library - url-parse-1.4.7.tgz
Small footprint URL parser that works seamlessly across Node.js and browser environments
Library home page: https://registry.npmjs.org/url-parse/-/url-parse-1.4.7.tgz
Path to dependency file: /browser/flagr-ui/package.json
Path to vulnerable library: /browser/flagr-ui/node_modules/url-parse/package.json
Dependency Hierarchy:
cli-service-4.2.3.tgz (Root Library)
webpack-dev-server-3.10.3.tgz
sockjs-client-1.4.0.tgz
❌ url-parse-1.4.7.tgz (Vulnerable Library)
Found in HEAD commit: 95c92c0b82ebc8c6c86090b55e337f8d16f2933b
Found in base branch: master
Vulnerability Details
Authorization Bypass Through User-Controlled Key in NPM url-parse prior to 1.5.6.
Publish Date: 2022-02-14
URL: CVE-2022-0512
CVSS 3 Score Details (5.3 )
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: None
Integrity Impact: Low
Availability Impact: None
For more information on CVSS3 Scores, click here .
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0512
Release Date: 2022-02-14
Fix Resolution (url-parse): 1.5.6
Direct dependency fix Resolution (@vue/cli-service): 4.3.0
⛑️ Automatic Remediation will be attempted for this issue.
WS-2021-0153 - Critical Severity Vulnerability
Vulnerable Library - ejs-2.7.4.tgz
Embedded JavaScript templates
Library home page: https://registry.npmjs.org/ejs/-/ejs-2.7.4.tgz
Path to dependency file: /browser/flagr-ui/package.json
Path to vulnerable library: /browser/flagr-ui/node_modules/ejs/package.json
Dependency Hierarchy:
cli-service-4.2.3.tgz (Root Library)
webpack-bundle-analyzer-3.6.1.tgz
❌ ejs-2.7.4.tgz (Vulnerable Library)
Found in HEAD commit: 95c92c0b82ebc8c6c86090b55e337f8d16f2933b
Found in base branch: master
Vulnerability Details
Arbitrary Code Injection vulnerability was found in ejs before 3.1.6. Caused by filename which isn't sanitized for display.
Publish Date: 2021-01-22
URL: WS-2021-0153
CVSS 3 Score Details (9.8 )
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: High
Integrity Impact: High
Availability Impact: High
For more information on CVSS3 Scores, click here .
Suggested Fix
Type: Upgrade version
Release Date: 2021-01-22
Fix Resolution (ejs): 3.1.6
Direct dependency fix Resolution (@vue/cli-service): 5.0.1
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2021-43138 - High Severity Vulnerability
Vulnerable Library - async-2.6.3.tgz
Higher-order functions and common patterns for asynchronous code
Library home page: https://registry.npmjs.org/async/-/async-2.6.3.tgz
Path to dependency file: /browser/flagr-ui/package.json
Path to vulnerable library: /browser/flagr-ui/node_modules/async/package.json
Dependency Hierarchy:
cli-service-4.2.3.tgz (Root Library)
portfinder-1.0.25.tgz
❌ async-2.6.3.tgz (Vulnerable Library)
Found in HEAD commit: 95c92c0b82ebc8c6c86090b55e337f8d16f2933b
Found in base branch: master
Vulnerability Details
In Async before 2.6.4 and 3.x before 3.2.2, a malicious user can obtain privileges via the mapValues() method, aka lib/internal/iterator.js createObjectIterator prototype pollution.
Publish Date: 2022-04-06
URL: CVE-2021-43138
CVSS 3 Score Details (7.8 )
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Local
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: High
Integrity Impact: High
Availability Impact: High
For more information on CVSS3 Scores, click here .
Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2021-43138
Release Date: 2022-04-06
Fix Resolution (async): 2.6.4
Direct dependency fix Resolution (@vue/cli-service): 4.3.0
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2020-26160 - High Severity Vulnerability
Vulnerable Library - github.com/dgrijalva/jwt-GO-v3.2.0+incompatible
ARCHIVE - Golang implementation of JSON Web Tokens (JWT). This project is now maintained at:
Library home page: https://proxy.golang.org/github.com/dgrijalva/jwt-go/@v/v3.2.0+incompatible.zip
Dependency Hierarchy:
❌ github.com/dgrijalva/jwt-GO-v3.2.0+incompatible (Vulnerable Library)
Found in HEAD commit: 95c92c0b82ebc8c6c86090b55e337f8d16f2933b
Found in base branch: master
Vulnerability Details
jwt-go before 4.0.0-preview1 allows attackers to bypass intended access restrictions in situations with []string{} for m["aud"] (which is allowed by the specification). Because the type assertion fails, "" is the value of aud. This is a security problem if the JWT token is presented to a service that lacks its own audience check.
Publish Date: 2020-09-30
URL: CVE-2020-26160
CVSS 3 Score Details (7.5 )
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: High
Integrity Impact: None
Availability Impact: None
For more information on CVSS3 Scores, click here .
Suggested Fix
Type: Upgrade version
Origin: GHSA-w73w-5m7g-f7qc
Release Date: 2020-09-30
Fix Resolution: 4.0.0-preview1
CVE-2022-0155 - Medium Severity Vulnerability
Vulnerable Libraries - follow-redirects-1.5.10.tgz , follow-redirects-1.10.0.tgz
follow-redirects-1.5.10.tgz
HTTP and HTTPS modules that follow redirects.
Library home page: https://registry.npmjs.org/follow-redirects/-/follow-redirects-1.5.10.tgz
Path to dependency file: /browser/flagr-ui/package.json
Path to vulnerable library: /browser/flagr-ui/node_modules/axios/node_modules/follow-redirects/package.json
Dependency Hierarchy:
axios-0.19.0.tgz (Root Library)
❌ follow-redirects-1.5.10.tgz (Vulnerable Library)
follow-redirects-1.10.0.tgz
HTTP and HTTPS modules that follow redirects.
Library home page: https://registry.npmjs.org/follow-redirects/-/follow-redirects-1.10.0.tgz
Path to dependency file: /browser/flagr-ui/package.json
Path to vulnerable library: /browser/flagr-ui/node_modules/follow-redirects/package.json
Dependency Hierarchy:
cli-service-4.2.3.tgz (Root Library)
webpack-dev-server-3.10.3.tgz
http-proxy-middleware-0.19.1.tgz
http-proxy-1.18.0.tgz
❌ follow-redirects-1.10.0.tgz (Vulnerable Library)
Found in base branch: master
Vulnerability Details
follow-redirects is vulnerable to Exposure of Private Personal Information to an Unauthorized Actor
Publish Date: 2022-01-10
URL: CVE-2022-0155
CVSS 3 Score Details (6.5 )
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: High
Integrity Impact: None
Availability Impact: None
For more information on CVSS3 Scores, click here .
Suggested Fix
Type: Upgrade version
Origin: https://huntr.dev/bounties/fc524e4b-ebb6-427d-ab67-a64181020406/
Release Date: 2022-01-10
Fix Resolution (follow-redirects): 1.14.7
Direct dependency fix Resolution (axios): 0.20.0-0
Fix Resolution (follow-redirects): 1.14.7
Direct dependency fix Resolution (@vue/cli-service): 4.3.0
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2022-0686 - Critical Severity Vulnerability
Vulnerable Library - url-parse-1.4.7.tgz
Small footprint URL parser that works seamlessly across Node.js and browser environments
Library home page: https://registry.npmjs.org/url-parse/-/url-parse-1.4.7.tgz
Path to dependency file: /browser/flagr-ui/package.json
Path to vulnerable library: /browser/flagr-ui/node_modules/url-parse/package.json
Dependency Hierarchy:
cli-service-4.2.3.tgz (Root Library)
webpack-dev-server-3.10.3.tgz
sockjs-client-1.4.0.tgz
❌ url-parse-1.4.7.tgz (Vulnerable Library)
Found in HEAD commit: 95c92c0b82ebc8c6c86090b55e337f8d16f2933b
Found in base branch: master
Vulnerability Details
Authorization Bypass Through User-Controlled Key in NPM url-parse prior to 1.5.8.
Publish Date: 2022-02-20
URL: CVE-2022-0686
CVSS 3 Score Details (9.1 )
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: High
Integrity Impact: High
Availability Impact: None
For more information on CVSS3 Scores, click here .
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0686
Release Date: 2022-02-20
Fix Resolution (url-parse): 1.5.8
Direct dependency fix Resolution (@vue/cli-service): 4.3.0
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2020-8203 - High Severity Vulnerability
Vulnerable Libraries - lodash-4.17.14.tgz , lodash-4.17.15.tgz
lodash-4.17.14.tgz
Lodash modular utilities.
Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.14.tgz
Path to dependency file: /browser/flagr-ui/package.json
Path to vulnerable library: /browser/flagr-ui/node_modules/lodash/package.json
Dependency Hierarchy:
❌ lodash-4.17.14.tgz (Vulnerable Library)
lodash-4.17.15.tgz
Lodash modular utilities.
Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.15.tgz
Path to dependency file: /browser/flagr-ui/package.json
Path to vulnerable library: /browser/flagr-ui/node_modules/vue-eslint-parser/node_modules/lodash/package.json
Dependency Hierarchy:
cli-plugin-babel-4.2.3.tgz (Root Library)
cli-shared-utils-4.2.3.tgz
request-promise-native-1.0.8.tgz
request-promise-core-1.1.3.tgz
❌ lodash-4.17.15.tgz (Vulnerable Library)
Found in HEAD commit: 95c92c0b82ebc8c6c86090b55e337f8d16f2933b
Found in base branch: master
Vulnerability Details
Prototype pollution attack when using _.zipObjectDeep in lodash before 4.17.20.
Publish Date: 2020-07-15
URL: CVE-2020-8203
CVSS 3 Score Details (7.4 )
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: None
Integrity Impact: High
Availability Impact: High
For more information on CVSS3 Scores, click here .
Suggested Fix
Type: Upgrade version
Origin: https://www.npmjs.com/advisories/1523
Release Date: 2020-07-15
Fix Resolution (lodash): 4.17.19
Direct dependency fix Resolution (@vue/cli-plugin-babel): 4.3.0
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2020-7677 - Critical Severity Vulnerability
Vulnerable Library - thenify-3.3.0.tgz
Promisify a callback-based function
Library home page: https://registry.npmjs.org/thenify/-/thenify-3.3.0.tgz
Path to dependency file: /browser/flagr-ui/package.json
Path to vulnerable library: /browser/flagr-ui/node_modules/thenify/package.json
Dependency Hierarchy:
cli-service-4.2.3.tgz (Root Library)
cli-highlight-2.1.4.tgz
mz-2.7.0.tgz
thenify-all-1.6.0.tgz
❌ thenify-3.3.0.tgz (Vulnerable Library)
Found in HEAD commit: 95c92c0b82ebc8c6c86090b55e337f8d16f2933b
Found in base branch: master
Vulnerability Details
This affects the package thenify before 3.3.1. The name argument provided to the package can be controlled by users without any sanitization, and this is provided to the eval function without any sanitization.
Publish Date: 2022-07-25
URL: CVE-2020-7677
CVSS 3 Score Details (9.8 )
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: High
Integrity Impact: High
Availability Impact: High
For more information on CVSS3 Scores, click here .
Suggested Fix
Type: Upgrade version
Origin: GHSA-29xr-v42j-r956
Release Date: 2020-07-21
Fix Resolution (thenify): 3.3.1
Direct dependency fix Resolution (@vue/cli-service): 4.3.0
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2021-44906 - Critical Severity Vulnerability
Vulnerable Libraries - minimist-1.2.5.tgz , minimist-0.0.8.tgz
minimist-1.2.5.tgz
parse argument options
Library home page: https://registry.npmjs.org/minimist/-/minimist-1.2.5.tgz
Path to dependency file: /browser/flagr-ui/package.json
Path to vulnerable library: /browser/flagr-ui/node_modules/json5/node_modules/minimist/package.json,/browser/flagr-ui/node_modules/json5/node_modules/minimist/package.json
Dependency Hierarchy:
❌ minimist-1.2.5.tgz (Vulnerable Library)
minimist-0.0.8.tgz
parse argument options
Library home page: https://registry.npmjs.org/minimist/-/minimist-0.0.8.tgz
Path to dependency file: /browser/flagr-ui/package.json
Path to vulnerable library: /browser/flagr-ui/node_modules/mkdirp/node_modules/minimist/package.json
Dependency Hierarchy:
eslint-6.8.0.tgz (Root Library)
mkdirp-0.5.1.tgz
❌ minimist-0.0.8.tgz (Vulnerable Library)
Found in HEAD commit: 95c92c0b82ebc8c6c86090b55e337f8d16f2933b
Found in base branch: master
Vulnerability Details
Minimist <=1.2.5 is vulnerable to Prototype Pollution via file index.js, function setKey() (lines 69-95).
Publish Date: 2022-03-17
URL: CVE-2021-44906
CVSS 3 Score Details (9.8 )
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: High
Integrity Impact: High
Availability Impact: High
For more information on CVSS3 Scores, click here .
Suggested Fix
Type: Upgrade version
Origin: GHSA-xvch-5gv4-984h
Release Date: 2022-03-17
Fix Resolution (minimist): 1.2.6
Direct dependency fix Resolution (eslint): 7.0.0
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2012-6708 - Medium Severity Vulnerability
Vulnerable Library - jquery-1.7.1.min.js
JavaScript library for DOM operations
Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.7.1/jquery.min.js
Path to dependency file: /browser/flagr-ui/node_modules/sockjs/examples/express/index.html
Path to vulnerable library: /browser/flagr-ui/node_modules/sockjs/examples/express/index.html,/browser/flagr-ui/node_modules/sockjs/examples/express-3.x/index.html,/browser/flagr-ui/node_modules/sockjs/examples/multiplex/index.html,/browser/flagr-ui/node_modules/sockjs/examples/echo/index.html,/browser/flagr-ui/node_modules/sockjs/examples/hapi/html/index.html
Dependency Hierarchy:
❌ jquery-1.7.1.min.js (Vulnerable Library)
Found in HEAD commit: 95c92c0b82ebc8c6c86090b55e337f8d16f2933b
Found in base branch: master
Vulnerability Details
jQuery before 1.9.0 is vulnerable to Cross-site Scripting (XSS) attacks. The jQuery(strInput) function does not differentiate selectors from HTML in a reliable fashion. In vulnerable versions, jQuery determined whether the input was HTML by looking for the '<' character anywhere in the string, giving attackers more flexibility when attempting to construct a malicious payload. In fixed versions, jQuery only deems the input to be HTML if it explicitly starts with the '<' character, limiting exploitability only to attackers who can control the beginning of a string, which is far less common.
Publish Date: 2018-01-18
URL: CVE-2012-6708
CVSS 3 Score Details (6.1 )
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Changed
Impact Metrics:
Confidentiality Impact: Low
Integrity Impact: Low
Availability Impact: None
For more information on CVSS3 Scores, click here .
Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2012-6708
Release Date: 2018-01-18
Fix Resolution: jQuery - v1.9.0
WS-2020-0091 - High Severity Vulnerability
Vulnerable Library - http-proxy-1.18.0.tgz
HTTP proxying for the masses
Library home page: https://registry.npmjs.org/http-proxy/-/http-proxy-1.18.0.tgz
Path to dependency file: /browser/flagr-ui/package.json
Path to vulnerable library: /browser/flagr-ui/node_modules/http-proxy/package.json
Dependency Hierarchy:
cli-service-4.2.3.tgz (Root Library)
webpack-dev-server-3.10.3.tgz
http-proxy-middleware-0.19.1.tgz
❌ http-proxy-1.18.0.tgz (Vulnerable Library)
Found in HEAD commit: 95c92c0b82ebc8c6c86090b55e337f8d16f2933b
Found in base branch: master
Vulnerability Details
Versions of http-proxy prior to 1.18.1 are vulnerable to Denial of Service. An HTTP request with a long body triggers an ERR_HTTP_HEADERS_SENT unhandled exception that crashes the proxy server. This is only possible when the proxy server sets headers in the proxy request using the proxyReq.setHeader function.
Publish Date: 2020-05-14
URL: WS-2020-0091
CVSS 3 Score Details (7.5 )
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: None
Integrity Impact: None
Availability Impact: High
For more information on CVSS3 Scores, click here .
Suggested Fix
Type: Upgrade version
Origin: https://www.npmjs.com/advisories/1486
Release Date: 2020-05-14
Fix Resolution (http-proxy): 1.18.1
Direct dependency fix Resolution (@vue/cli-service): 4.3.0
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2020-13822 - High Severity Vulnerability
Vulnerable Library - elliptic-6.5.2.tgz
EC cryptography
Library home page: https://registry.npmjs.org/elliptic/-/elliptic-6.5.2.tgz
Path to dependency file: /browser/flagr-ui/package.json
Path to vulnerable library: /browser/flagr-ui/node_modules/elliptic/package.json
Dependency Hierarchy:
cli-plugin-babel-4.2.3.tgz (Root Library)
webpack-4.41.5.tgz
node-libs-browser-2.2.1.tgz
crypto-browserify-3.12.0.tgz
browserify-sign-4.0.4.tgz
❌ elliptic-6.5.2.tgz (Vulnerable Library)
Found in HEAD commit: 95c92c0b82ebc8c6c86090b55e337f8d16f2933b
Found in base branch: master
Vulnerability Details
The Elliptic package 6.5.2 for Node.js allows ECDSA signature malleability via variations in encoding, leading '\0' bytes, or integer overflows. This could conceivably have a security-relevant impact if an application relied on a single canonical signature.
Publish Date: 2020-06-04
URL: CVE-2020-13822
CVSS 3 Score Details (7.7 )
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: High
Integrity Impact: High
Availability Impact: Low
For more information on CVSS3 Scores, click here .
Suggested Fix
Type: Upgrade version
Release Date: 2020-07-02
Fix Resolution (elliptic): 6.5.3
Direct dependency fix Resolution (@vue/cli-plugin-babel): 4.3.0
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2022-0122 - Medium Severity Vulnerability
Vulnerable Library - node-forge-0.9.0.tgz
JavaScript implementations of network transports, cryptography, ciphers, PKI, message digests, and various utilities.
Library home page: https://registry.npmjs.org/node-forge/-/node-forge-0.9.0.tgz
Path to dependency file: /browser/flagr-ui/package.json
Path to vulnerable library: /browser/flagr-ui/node_modules/node-forge/package.json
Dependency Hierarchy:
cli-service-4.2.3.tgz (Root Library)
webpack-dev-server-3.10.3.tgz
selfsigned-1.10.7.tgz
❌ node-forge-0.9.0.tgz (Vulnerable Library)
Found in HEAD commit: 95c92c0b82ebc8c6c86090b55e337f8d16f2933b
Found in base branch: master
Vulnerability Details
forge is vulnerable to URL Redirection to Untrusted Site
Mend Note: Converted from WS-2022-0007, on 2022-11-07.
Publish Date: 2022-01-06
URL: CVE-2022-0122
CVSS 3 Score Details (6.1 )
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Changed
Impact Metrics:
Confidentiality Impact: Low
Integrity Impact: Low
Availability Impact: None
For more information on CVSS3 Scores, click here .
Suggested Fix
Type: Upgrade version
Origin: GHSA-gf8q-jrpm-jvxq
Release Date: 2022-01-06
Fix Resolution (node-forge): 1.0.0
Direct dependency fix Resolution (@vue/cli-service): 5.0.1
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2022-0536 - Medium Severity Vulnerability
Vulnerable Libraries - follow-redirects-1.5.10.tgz , follow-redirects-1.10.0.tgz
follow-redirects-1.5.10.tgz
HTTP and HTTPS modules that follow redirects.
Library home page: https://registry.npmjs.org/follow-redirects/-/follow-redirects-1.5.10.tgz
Path to dependency file: /browser/flagr-ui/package.json
Path to vulnerable library: /browser/flagr-ui/node_modules/axios/node_modules/follow-redirects/package.json
Dependency Hierarchy:
axios-0.19.0.tgz (Root Library)
❌ follow-redirects-1.5.10.tgz (Vulnerable Library)
follow-redirects-1.10.0.tgz
HTTP and HTTPS modules that follow redirects.
Library home page: https://registry.npmjs.org/follow-redirects/-/follow-redirects-1.10.0.tgz
Path to dependency file: /browser/flagr-ui/package.json
Path to vulnerable library: /browser/flagr-ui/node_modules/follow-redirects/package.json
Dependency Hierarchy:
cli-service-4.2.3.tgz (Root Library)
webpack-dev-server-3.10.3.tgz
http-proxy-middleware-0.19.1.tgz
http-proxy-1.18.0.tgz
❌ follow-redirects-1.10.0.tgz (Vulnerable Library)
Found in HEAD commit: 95c92c0b82ebc8c6c86090b55e337f8d16f2933b
Found in base branch: master
Vulnerability Details
Improper Removal of Sensitive Information Before Storage or Transfer in NPM follow-redirects prior to 1.14.8.
Publish Date: 2022-02-09
URL: CVE-2022-0536
CVSS 3 Score Details (5.9 )
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: High
Integrity Impact: None
Availability Impact: None
For more information on CVSS3 Scores, click here .
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0536
Release Date: 2022-02-09
Fix Resolution (follow-redirects): 1.14.8
Direct dependency fix Resolution (axios): 0.20.0-0
Fix Resolution (follow-redirects): 1.14.8
Direct dependency fix Resolution (@vue/cli-service): 4.3.0
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2021-27515 - Medium Severity Vulnerability
Vulnerable Library - url-parse-1.4.7.tgz
Small footprint URL parser that works seamlessly across Node.js and browser environments
Library home page: https://registry.npmjs.org/url-parse/-/url-parse-1.4.7.tgz
Path to dependency file: /browser/flagr-ui/package.json
Path to vulnerable library: /browser/flagr-ui/node_modules/url-parse/package.json
Dependency Hierarchy:
cli-service-4.2.3.tgz (Root Library)
webpack-dev-server-3.10.3.tgz
sockjs-client-1.4.0.tgz
❌ url-parse-1.4.7.tgz (Vulnerable Library)
Found in HEAD commit: 95c92c0b82ebc8c6c86090b55e337f8d16f2933b
Found in base branch: master
Vulnerability Details
url-parse before 1.5.0 mishandles certain uses of backslash such as http:/ and interprets the URI as a relative path.
Publish Date: 2021-02-22
URL: CVE-2021-27515
CVSS 3 Score Details (5.3 )
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: None
Integrity Impact: Low
Availability Impact: None
For more information on CVSS3 Scores, click here .
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-27515
Release Date: 2021-02-22
Fix Resolution (url-parse): 1.5.0
Direct dependency fix Resolution (@vue/cli-service): 4.3.0
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2020-7598 - Medium Severity Vulnerability
Vulnerable Library - minimist-0.0.8.tgz
parse argument options
Library home page: https://registry.npmjs.org/minimist/-/minimist-0.0.8.tgz
Path to dependency file: /browser/flagr-ui/package.json
Path to vulnerable library: /browser/flagr-ui/node_modules/mkdirp/node_modules/minimist/package.json
Dependency Hierarchy:
eslint-6.8.0.tgz (Root Library)
mkdirp-0.5.1.tgz
❌ minimist-0.0.8.tgz (Vulnerable Library)
Found in HEAD commit: 95c92c0b82ebc8c6c86090b55e337f8d16f2933b
Found in base branch: master
Vulnerability Details
minimist before 1.2.2 could be tricked into adding or modifying properties of Object.prototype using a "constructor" or "proto " payload.
Publish Date: 2020-03-11
URL: CVE-2020-7598
CVSS 3 Score Details (5.6 )
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: Low
Integrity Impact: Low
Availability Impact: Low
For more information on CVSS3 Scores, click here .
Suggested Fix
Type: Upgrade version
Release Date: 2020-03-11
Fix Resolution (minimist): 0.2.1
Direct dependency fix Resolution (eslint): 7.0.0
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2021-42740 - Critical Severity Vulnerability
Vulnerable Library - shell-quote-1.6.1.tgz
quote and parse shell commands
Library home page: https://registry.npmjs.org/shell-quote/-/shell-quote-1.6.1.tgz
Path to dependency file: /browser/flagr-ui/package.json
Path to vulnerable library: /browser/flagr-ui/node_modules/shell-quote/package.json
Dependency Hierarchy:
cli-plugin-babel-4.2.3.tgz (Root Library)
cli-shared-utils-4.2.3.tgz
launch-editor-2.2.1.tgz
❌ shell-quote-1.6.1.tgz (Vulnerable Library)
Found in HEAD commit: 95c92c0b82ebc8c6c86090b55e337f8d16f2933b
Found in base branch: master
Vulnerability Details
The shell-quote package before 1.7.3 for Node.js allows command injection. An attacker can inject unescaped shell metacharacters through a regex designed to support Windows drive letters. If the output of this package is passed to a real shell as a quoted argument to a command with exec(), an attacker can inject arbitrary commands. This is because the Windows drive letter regex character class is {A-z] instead of the correct {A-Za-z]. Several shell metacharacters exist in the space between capital letter Z and lower case letter a, such as the backtick character.
Publish Date: 2021-10-21
URL: CVE-2021-42740
CVSS 3 Score Details (9.8 )
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: High
Integrity Impact: High
Availability Impact: High
For more information on CVSS3 Scores, click here .
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-42740
Release Date: 2021-10-21
Fix Resolution (shell-quote): 1.7.3
Direct dependency fix Resolution (@vue/cli-plugin-babel): 4.3.0
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2022-29078 - Critical Severity Vulnerability
Vulnerable Library - ejs-2.7.4.tgz
Embedded JavaScript templates
Library home page: https://registry.npmjs.org/ejs/-/ejs-2.7.4.tgz
Path to dependency file: /browser/flagr-ui/package.json
Path to vulnerable library: /browser/flagr-ui/node_modules/ejs/package.json
Dependency Hierarchy:
cli-service-4.2.3.tgz (Root Library)
webpack-bundle-analyzer-3.6.1.tgz
❌ ejs-2.7.4.tgz (Vulnerable Library)
Found in HEAD commit: 95c92c0b82ebc8c6c86090b55e337f8d16f2933b
Found in base branch: master
Vulnerability Details
The ejs (aka Embedded JavaScript templates) package 3.1.6 for Node.js allows server-side template injection in settings[view options][outputFunctionName]. This is parsed as an internal option, and overwrites the outputFunctionName option with an arbitrary OS command (which is executed upon template compilation).
Publish Date: 2022-04-25
URL: CVE-2022-29078
CVSS 3 Score Details (9.8 )
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: High
Integrity Impact: High
Availability Impact: High
For more information on CVSS3 Scores, click here .
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29078~
Release Date: 2022-04-25
Fix Resolution (ejs): 3.1.7
Direct dependency fix Resolution (@vue/cli-service): 5.0.1
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2021-33502 - High Severity Vulnerability
Vulnerable Libraries - normalize-url-3.3.0.tgz , normalize-url-1.9.1.tgz
normalize-url-3.3.0.tgz
Normalize a URL
Library home page: https://registry.npmjs.org/normalize-url/-/normalize-url-3.3.0.tgz
Path to dependency file: /browser/flagr-ui/package.json
Path to vulnerable library: /browser/flagr-ui/node_modules/normalize-url/package.json
Dependency Hierarchy:
cli-service-4.2.3.tgz (Root Library)
optimize-cssnano-plugin-1.0.6.tgz
cssnano-preset-default-4.0.7.tgz
postcss-normalize-url-4.0.1.tgz
❌ normalize-url-3.3.0.tgz (Vulnerable Library)
normalize-url-1.9.1.tgz
Normalize a URL
Library home page: https://registry.npmjs.org/normalize-url/-/normalize-url-1.9.1.tgz
Path to dependency file: /browser/flagr-ui/package.json
Path to vulnerable library: /browser/flagr-ui/node_modules/mini-css-extract-plugin/node_modules/normalize-url/package.json
Dependency Hierarchy:
cli-service-4.2.3.tgz (Root Library)
mini-css-extract-plugin-0.9.0.tgz
❌ normalize-url-1.9.1.tgz (Vulnerable Library)
Found in HEAD commit: 95c92c0b82ebc8c6c86090b55e337f8d16f2933b
Found in base branch: master
Vulnerability Details
The normalize-url package before 4.5.1, 5.x before 5.3.1, and 6.x before 6.0.1 for Node.js has a ReDoS (regular expression denial of service) issue because it has exponential performance for data: URLs.
Publish Date: 2021-05-24
URL: CVE-2021-33502
CVSS 3 Score Details (7.5 )
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: None
Integrity Impact: None
Availability Impact: High
For more information on CVSS3 Scores, click here .
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33502
Release Date: 2021-05-24
Fix Resolution: normalize-url - 4.5.1,5.3.1,6.0.1
CVE-2022-25858 - High Severity Vulnerability
Vulnerable Library - terser-4.6.3.tgz
JavaScript parser, mangler/compressor and beautifier toolkit for ES6+
Library home page: https://registry.npmjs.org/terser/-/terser-4.6.3.tgz
Path to dependency file: /browser/flagr-ui/package.json
Path to vulnerable library: /browser/flagr-ui/node_modules/terser/package.json
Dependency Hierarchy:
cli-service-4.2.3.tgz (Root Library)
terser-webpack-plugin-2.3.5.tgz
❌ terser-4.6.3.tgz (Vulnerable Library)
Found in HEAD commit: 95c92c0b82ebc8c6c86090b55e337f8d16f2933b
Found in base branch: master
Vulnerability Details
The package terser before 4.8.1, from 5.0.0 and before 5.14.2 are vulnerable to Regular Expression Denial of Service (ReDoS) due to insecure usage of regular expressions.
Publish Date: 2022-07-15
URL: CVE-2022-25858
CVSS 3 Score Details (7.5 )
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: None
Integrity Impact: None
Availability Impact: High
For more information on CVSS3 Scores, click here .
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-25858
Release Date: 2022-07-15
Fix Resolution (terser): 4.8.1
Direct dependency fix Resolution (@vue/cli-service): 4.3.0
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2020-28168 - Medium Severity Vulnerability
Vulnerable Library - axios-0.19.0.tgz
Promise based HTTP client for the browser and node.js
Library home page: https://registry.npmjs.org/axios/-/axios-0.19.0.tgz
Path to dependency file: /browser/flagr-ui/package.json
Path to vulnerable library: /browser/flagr-ui/node_modules/axios/package.json
Dependency Hierarchy:
❌ axios-0.19.0.tgz (Vulnerable Library)
Found in HEAD commit: 95c92c0b82ebc8c6c86090b55e337f8d16f2933b
Found in base branch: master
Vulnerability Details
Axios NPM package 0.21.0 contains a Server-Side Request Forgery (SSRF) vulnerability where an attacker is able to bypass a proxy by providing a URL that responds with a redirect to a restricted host or IP address.
Publish Date: 2020-11-06
URL: CVE-2020-28168
CVSS 3 Score Details (5.9 )
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: High
Integrity Impact: None
Availability Impact: None
For more information on CVSS3 Scores, click here .
Suggested Fix
Type: Upgrade version
Release Date: 2020-11-06
Fix Resolution: 0.21.1
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2022-1650 - Critical Severity Vulnerability
Vulnerable Library - eventsource-1.0.7.tgz
W3C compliant EventSource client for Node.js and browser (polyfill)
Library home page: https://registry.npmjs.org/eventsource/-/eventsource-1.0.7.tgz
Path to dependency file: /browser/flagr-ui/package.json
Path to vulnerable library: /browser/flagr-ui/node_modules/eventsource/package.json
Dependency Hierarchy:
cli-service-4.2.3.tgz (Root Library)
webpack-dev-server-3.10.3.tgz
sockjs-client-1.4.0.tgz
❌ eventsource-1.0.7.tgz (Vulnerable Library)
Found in HEAD commit: 95c92c0b82ebc8c6c86090b55e337f8d16f2933b
Found in base branch: master
Vulnerability Details
Improper Removal of Sensitive Information Before Storage or Transfer in GitHub repository eventsource/eventsource prior to v2.0.2.
Publish Date: 2022-05-12
URL: CVE-2022-1650
CVSS 3 Score Details (9.3 )
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Changed
Impact Metrics:
Confidentiality Impact: High
Integrity Impact: High
Availability Impact: None
For more information on CVSS3 Scores, click here .
Suggested Fix
Type: Upgrade version
Release Date: 2022-05-12
Fix Resolution (eventsource): 1.1.1
Direct dependency fix Resolution (@vue/cli-service): 4.3.0
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2022-37599 - High Severity Vulnerability
Vulnerable Library - loader-utils-1.2.3.tgz
utils for webpack loaders
Library home page: https://registry.npmjs.org/loader-utils/-/loader-utils-1.2.3.tgz
Path to dependency file: /browser/flagr-ui/package.json
Path to vulnerable library: /browser/flagr-ui/node_modules/loader-utils/package.json
Dependency Hierarchy:
less-loader-5.0.0.tgz (Root Library)
❌ loader-utils-1.2.3.tgz (Vulnerable Library)
Found in HEAD commit: 95c92c0b82ebc8c6c86090b55e337f8d16f2933b
Found in base branch: master
Vulnerability Details
A Regular expression denial of service (ReDoS) flaw was found in Function interpolateName in interpolateName.js in webpack loader-utils 2.0.0 via the resourcePath variable in interpolateName.js.
Publish Date: 2022-10-11
URL: CVE-2022-37599
CVSS 3 Score Details (7.5 )
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: None
Integrity Impact: None
Availability Impact: High
For more information on CVSS3 Scores, click here .
CVE-2020-28469 - High Severity Vulnerability
Vulnerable Libraries - glob-parent-5.1.0.tgz , glob-parent-3.1.0.tgz
glob-parent-5.1.0.tgz
Extract the non-magic parent path from a glob string.
Library home page: https://registry.npmjs.org/glob-parent/-/glob-parent-5.1.0.tgz
Path to dependency file: /browser/flagr-ui/package.json
Path to vulnerable library: /browser/flagr-ui/node_modules/eslint/node_modules/glob-parent/package.json
Dependency Hierarchy:
eslint-6.8.0.tgz (Root Library)
❌ glob-parent-5.1.0.tgz (Vulnerable Library)
glob-parent-3.1.0.tgz
Strips glob magic from a string to provide the parent directory path
Library home page: https://registry.npmjs.org/glob-parent/-/glob-parent-3.1.0.tgz
Path to dependency file: /browser/flagr-ui/package.json
Path to vulnerable library: /browser/flagr-ui/node_modules/glob-parent/package.json
Dependency Hierarchy:
cli-service-4.2.3.tgz (Root Library)
copy-webpack-plugin-5.1.1.tgz
❌ glob-parent-3.1.0.tgz (Vulnerable Library)
Found in HEAD commit: 95c92c0b82ebc8c6c86090b55e337f8d16f2933b
Found in base branch: master
Vulnerability Details
This affects the package glob-parent before 5.1.2. The enclosure regex used to check for strings ending in enclosure containing path separator.
Publish Date: 2021-06-03
URL: CVE-2020-28469
CVSS 3 Score Details (7.5 )
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: None
Integrity Impact: None
Availability Impact: High
For more information on CVSS3 Scores, click here .
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28469
Release Date: 2021-06-03
Fix Resolution (glob-parent): 5.1.2
Direct dependency fix Resolution (eslint): 7.0.0
Fix Resolution (glob-parent): 5.1.2
Direct dependency fix Resolution (@vue/cli-service): 5.0.1
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2020-7660 - High Severity Vulnerability
Vulnerable Library - serialize-javascript-2.1.2.tgz
Serialize JavaScript to a superset of JSON that includes regular expressions and functions.
Library home page: https://registry.npmjs.org/serialize-javascript/-/serialize-javascript-2.1.2.tgz
Path to dependency file: /browser/flagr-ui/package.json
Path to vulnerable library: /browser/flagr-ui/node_modules/serialize-javascript/package.json
Dependency Hierarchy:
cli-service-4.2.3.tgz (Root Library)
terser-webpack-plugin-2.3.5.tgz
❌ serialize-javascript-2.1.2.tgz (Vulnerable Library)
Found in HEAD commit: 95c92c0b82ebc8c6c86090b55e337f8d16f2933b
Found in base branch: master
Vulnerability Details
serialize-javascript prior to 3.1.0 allows remote attackers to inject arbitrary code via the function "deleteFunctions" within "index.js".
Publish Date: 2020-06-01
URL: CVE-2020-7660
CVSS 3 Score Details (8.1 )
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: High
Integrity Impact: High
Availability Impact: High
For more information on CVSS3 Scores, click here .
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7660
Release Date: 2020-06-08
Fix Resolution (serialize-javascript): 3.1.0
Direct dependency fix Resolution (@vue/cli-service): 4.3.0
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2022-0639 - Medium Severity Vulnerability
Vulnerable Library - url-parse-1.4.7.tgz
Small footprint URL parser that works seamlessly across Node.js and browser environments
Library home page: https://registry.npmjs.org/url-parse/-/url-parse-1.4.7.tgz
Path to dependency file: /browser/flagr-ui/package.json
Path to vulnerable library: /browser/flagr-ui/node_modules/url-parse/package.json
Dependency Hierarchy:
cli-service-4.2.3.tgz (Root Library)
webpack-dev-server-3.10.3.tgz
sockjs-client-1.4.0.tgz
❌ url-parse-1.4.7.tgz (Vulnerable Library)
Found in HEAD commit: 95c92c0b82ebc8c6c86090b55e337f8d16f2933b
Found in base branch: master
Vulnerability Details
Authorization Bypass Through User-Controlled Key in NPM url-parse prior to 1.5.7.
Publish Date: 2022-02-17
URL: CVE-2022-0639
CVSS 3 Score Details (5.3 )
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: None
Integrity Impact: Low
Availability Impact: None
For more information on CVSS3 Scores, click here .
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0639
Release Date: 2022-02-17
Fix Resolution (url-parse): 1.5.7
Direct dependency fix Resolution (@vue/cli-service): 4.3.0
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2022-24772 - High Severity Vulnerability
Vulnerable Library - node-forge-0.9.0.tgz
JavaScript implementations of network transports, cryptography, ciphers, PKI, message digests, and various utilities.
Library home page: https://registry.npmjs.org/node-forge/-/node-forge-0.9.0.tgz
Path to dependency file: /browser/flagr-ui/package.json
Path to vulnerable library: /browser/flagr-ui/node_modules/node-forge/package.json
Dependency Hierarchy:
cli-service-4.2.3.tgz (Root Library)
webpack-dev-server-3.10.3.tgz
selfsigned-1.10.7.tgz
❌ node-forge-0.9.0.tgz (Vulnerable Library)
Found in HEAD commit: 95c92c0b82ebc8c6c86090b55e337f8d16f2933b
Found in base branch: master
Vulnerability Details
Forge (also called node-forge
) is a native implementation of Transport Layer Security in JavaScript. Prior to version 1.3.0, RSA PKCS#1 v1.5 signature verification code does not check for tailing garbage bytes after decoding a DigestInfo
ASN.1 structure. This can allow padding bytes to be removed and garbage data added to forge a signature when a low public exponent is being used. The issue has been addressed in node-forge
version 1.3.0. There are currently no known workarounds.
Publish Date: 2022-03-18
URL: CVE-2022-24772
CVSS 3 Score Details (7.5 )
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: None
Integrity Impact: High
Availability Impact: None
For more information on CVSS3 Scores, click here .
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24772
Release Date: 2022-03-18
Fix Resolution (node-forge): 1.3.0
Direct dependency fix Resolution (@vue/cli-service): 5.0.1
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2021-3749 - High Severity Vulnerability
Vulnerable Library - axios-0.19.0.tgz
Promise based HTTP client for the browser and node.js
Library home page: https://registry.npmjs.org/axios/-/axios-0.19.0.tgz
Path to dependency file: /browser/flagr-ui/package.json
Path to vulnerable library: /browser/flagr-ui/node_modules/axios/package.json
Dependency Hierarchy:
❌ axios-0.19.0.tgz (Vulnerable Library)
Found in HEAD commit: 95c92c0b82ebc8c6c86090b55e337f8d16f2933b
Found in base branch: master
Vulnerability Details
axios is vulnerable to Inefficient Regular Expression Complexity
Publish Date: 2021-08-31
URL: CVE-2021-3749
CVSS 3 Score Details (7.5 )
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: None
Integrity Impact: None
Availability Impact: High
For more information on CVSS3 Scores, click here .
Suggested Fix
Type: Upgrade version
Origin: https://huntr.dev/bounties/1e8f07fc-c384-4ff9-8498-0690de2e8c31/
Release Date: 2021-08-31
Fix Resolution: 0.20.0
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2020-11023 - Medium Severity Vulnerability
Vulnerable Library - jquery-1.7.1.min.js
JavaScript library for DOM operations
Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.7.1/jquery.min.js
Path to dependency file: /browser/flagr-ui/node_modules/sockjs/examples/express/index.html
Path to vulnerable library: /browser/flagr-ui/node_modules/sockjs/examples/express/index.html,/browser/flagr-ui/node_modules/sockjs/examples/express-3.x/index.html,/browser/flagr-ui/node_modules/sockjs/examples/multiplex/index.html,/browser/flagr-ui/node_modules/sockjs/examples/echo/index.html,/browser/flagr-ui/node_modules/sockjs/examples/hapi/html/index.html
Dependency Hierarchy:
❌ jquery-1.7.1.min.js (Vulnerable Library)
Found in HEAD commit: 95c92c0b82ebc8c6c86090b55e337f8d16f2933b
Found in base branch: master
Vulnerability Details
In jQuery versions greater than or equal to 1.0.3 and before 3.5.0, passing HTML containing elements from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.
Publish Date: 2020-04-29
URL: CVE-2020-11023
CVSS 3 Score Details (6.1 )
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Changed
Impact Metrics:
Confidentiality Impact: Low
Integrity Impact: Low
Availability Impact: None
For more information on CVSS3 Scores, click here .
Suggested Fix
Type: Upgrade version
Origin: https://github.com/jquery/jquery/security/advisories/GHSA-jpcq-cgw6-v4j6,https://github.com/rails/jquery-rails/blob/master/CHANGELOG.md#440
Release Date: 2020-04-29
Fix Resolution: jquery - 3.5.0;jquery-rails - 4.4.0
CVE-2022-0691 - Critical Severity Vulnerability
Vulnerable Library - url-parse-1.4.7.tgz
Small footprint URL parser that works seamlessly across Node.js and browser environments
Library home page: https://registry.npmjs.org/url-parse/-/url-parse-1.4.7.tgz
Path to dependency file: /browser/flagr-ui/package.json
Path to vulnerable library: /browser/flagr-ui/node_modules/url-parse/package.json
Dependency Hierarchy:
cli-service-4.2.3.tgz (Root Library)
webpack-dev-server-3.10.3.tgz
sockjs-client-1.4.0.tgz
❌ url-parse-1.4.7.tgz (Vulnerable Library)
Found in HEAD commit: 95c92c0b82ebc8c6c86090b55e337f8d16f2933b
Found in base branch: master
Vulnerability Details
Authorization Bypass Through User-Controlled Key in NPM url-parse prior to 1.5.9.
Publish Date: 2022-02-21
URL: CVE-2022-0691
CVSS 3 Score Details (9.8 )
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: High
Integrity Impact: High
Availability Impact: High
For more information on CVSS3 Scores, click here .
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0691
Release Date: 2022-02-21
Fix Resolution (url-parse): 1.5.9
Direct dependency fix Resolution (@vue/cli-service): 4.3.0
⛑️ Automatic Remediation will be attempted for this issue.
WS-2022-0008 - Medium Severity Vulnerability
Vulnerable Library - node-forge-0.9.0.tgz
JavaScript implementations of network transports, cryptography, ciphers, PKI, message digests, and various utilities.
Library home page: https://registry.npmjs.org/node-forge/-/node-forge-0.9.0.tgz
Path to dependency file: /browser/flagr-ui/package.json
Path to vulnerable library: /browser/flagr-ui/node_modules/node-forge/package.json
Dependency Hierarchy:
cli-service-4.2.3.tgz (Root Library)
webpack-dev-server-3.10.3.tgz
selfsigned-1.10.7.tgz
❌ node-forge-0.9.0.tgz (Vulnerable Library)
Found in HEAD commit: 95c92c0b82ebc8c6c86090b55e337f8d16f2933b
Found in base branch: master
Vulnerability Details
The forge.debug API had a potential prototype pollution issue if called with untrusted input. The API was only used for internal debug purposes in a safe way and never documented or advertised. It is suspected that uses of this API, if any exist, would likely not have used untrusted inputs in a vulnerable way.
Publish Date: 2022-01-08
URL: WS-2022-0008
CVSS 3 Score Details (6.6 )
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: High
Privileges Required: High
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: High
Integrity Impact: High
Availability Impact: High
For more information on CVSS3 Scores, click here .
Suggested Fix
Type: Upgrade version
Origin: GHSA-5rrq-pxf6-6jx5
Release Date: 2022-01-08
Fix Resolution (node-forge): 1.0.0
Direct dependency fix Resolution (@vue/cli-service): 5.0.1
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2021-23337 - High Severity Vulnerability
Vulnerable Libraries - lodash-4.17.14.tgz , lodash-4.17.15.tgz
lodash-4.17.14.tgz
Lodash modular utilities.
Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.14.tgz
Path to dependency file: /browser/flagr-ui/package.json
Path to vulnerable library: /browser/flagr-ui/node_modules/lodash/package.json
Dependency Hierarchy:
❌ lodash-4.17.14.tgz (Vulnerable Library)
lodash-4.17.15.tgz
Lodash modular utilities.
Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.15.tgz
Path to dependency file: /browser/flagr-ui/package.json
Path to vulnerable library: /browser/flagr-ui/node_modules/vue-eslint-parser/node_modules/lodash/package.json
Dependency Hierarchy:
cli-plugin-babel-4.2.3.tgz (Root Library)
cli-shared-utils-4.2.3.tgz
request-promise-native-1.0.8.tgz
request-promise-core-1.1.3.tgz
❌ lodash-4.17.15.tgz (Vulnerable Library)
Found in HEAD commit: 95c92c0b82ebc8c6c86090b55e337f8d16f2933b
Found in base branch: master
Vulnerability Details
Lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function.
Publish Date: 2021-02-15
URL: CVE-2021-23337
CVSS 3 Score Details (7.2 )
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: High
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: High
Integrity Impact: High
Availability Impact: High
For more information on CVSS3 Scores, click here .
Suggested Fix
Type: Upgrade version
Origin: GHSA-35jh-r3h4-6jhm
Release Date: 2021-02-15
Fix Resolution (lodash): 4.17.21
Direct dependency fix Resolution (@vue/cli-plugin-babel): 4.3.0
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2020-7720 - High Severity Vulnerability
Vulnerable Library - node-forge-0.9.0.tgz
JavaScript implementations of network transports, cryptography, ciphers, PKI, message digests, and various utilities.
Library home page: https://registry.npmjs.org/node-forge/-/node-forge-0.9.0.tgz
Path to dependency file: /browser/flagr-ui/package.json
Path to vulnerable library: /browser/flagr-ui/node_modules/node-forge/package.json
Dependency Hierarchy:
cli-service-4.2.3.tgz (Root Library)
webpack-dev-server-3.10.3.tgz
selfsigned-1.10.7.tgz
❌ node-forge-0.9.0.tgz (Vulnerable Library)
Found in HEAD commit: 95c92c0b82ebc8c6c86090b55e337f8d16f2933b
Found in base branch: master
Vulnerability Details
The package node-forge before 0.10.0 is vulnerable to Prototype Pollution via the util.setPath function. Note: Version 0.10.0 is a breaking change removing the vulnerable functions.
Publish Date: 2020-09-01
URL: CVE-2020-7720
CVSS 3 Score Details (7.3 )
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: Low
Integrity Impact: Low
Availability Impact: Low
For more information on CVSS3 Scores, click here .
Suggested Fix
Type: Upgrade version
Release Date: 2020-09-01
Fix Resolution (node-forge): 0.10.0
Direct dependency fix Resolution (@vue/cli-service): 4.3.0
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2020-28500 - Medium Severity Vulnerability
Vulnerable Libraries - lodash-4.17.14.tgz , lodash-4.17.15.tgz
lodash-4.17.14.tgz
Lodash modular utilities.
Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.14.tgz
Path to dependency file: /browser/flagr-ui/package.json
Path to vulnerable library: /browser/flagr-ui/node_modules/lodash/package.json
Dependency Hierarchy:
❌ lodash-4.17.14.tgz (Vulnerable Library)
lodash-4.17.15.tgz
Lodash modular utilities.
Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.15.tgz
Path to dependency file: /browser/flagr-ui/package.json
Path to vulnerable library: /browser/flagr-ui/node_modules/vue-eslint-parser/node_modules/lodash/package.json
Dependency Hierarchy:
cli-plugin-babel-4.2.3.tgz (Root Library)
cli-shared-utils-4.2.3.tgz
request-promise-native-1.0.8.tgz
request-promise-core-1.1.3.tgz
❌ lodash-4.17.15.tgz (Vulnerable Library)
Found in HEAD commit: 95c92c0b82ebc8c6c86090b55e337f8d16f2933b
Found in base branch: master
Vulnerability Details
Lodash versions prior to 4.17.21 are vulnerable to Regular Expression Denial of Service (ReDoS) via the toNumber, trim and trimEnd functions.
Mend Note: After conducting further research, Mend has determined that CVE-2020-28500 only affects environments with versions 4.0.0 to 4.17.20 of Lodash.
Publish Date: 2021-02-15
URL: CVE-2020-28500
CVSS 3 Score Details (5.3 )
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: None
Integrity Impact: None
Availability Impact: Low
For more information on CVSS3 Scores, click here .
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28500
Release Date: 2021-02-15
Fix Resolution (lodash): 4.17.21
Direct dependency fix Resolution (@vue/cli-plugin-babel): 4.3.0
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2020-7656 - Medium Severity Vulnerability
Vulnerable Library - jquery-1.7.1.min.js
JavaScript library for DOM operations
Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.7.1/jquery.min.js
Path to dependency file: /browser/flagr-ui/node_modules/sockjs/examples/express/index.html
Path to vulnerable library: /browser/flagr-ui/node_modules/sockjs/examples/express/index.html,/browser/flagr-ui/node_modules/sockjs/examples/express-3.x/index.html,/browser/flagr-ui/node_modules/sockjs/examples/multiplex/index.html,/browser/flagr-ui/node_modules/sockjs/examples/echo/index.html,/browser/flagr-ui/node_modules/sockjs/examples/hapi/html/index.html
Dependency Hierarchy:
❌ jquery-1.7.1.min.js (Vulnerable Library)
Found in HEAD commit: 95c92c0b82ebc8c6c86090b55e337f8d16f2933b
Found in base branch: master
Vulnerability Details
jquery prior to 1.9.0 allows Cross-site Scripting attacks via the load method. The load method fails to recognize and remove "<script>" HTML tags that contain a whitespace character, i.e: "</script >", which results in the enclosed script logic to be executed.
Publish Date: 2020-05-19
URL: CVE-2020-7656
CVSS 3 Score Details (6.1 )
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Changed
Impact Metrics:
Confidentiality Impact: Low
Integrity Impact: Low
Availability Impact: None
For more information on CVSS3 Scores, click here .
Suggested Fix
Type: Upgrade version
Origin: GHSA-q4m3-2j7h-f7xw
Release Date: 2020-05-19
Fix Resolution: jquery - 1.9.0
CVE-2020-7662 - High Severity Vulnerability
Vulnerable Library - websocket-extensions-0.1.3.tgz
Generic extension manager for WebSocket connections
Library home page: https://registry.npmjs.org/websocket-extensions/-/websocket-extensions-0.1.3.tgz
Path to dependency file: /browser/flagr-ui/package.json
Path to vulnerable library: /browser/flagr-ui/node_modules/websocket-extensions/package.json
Dependency Hierarchy:
cli-service-4.2.3.tgz (Root Library)
webpack-dev-server-3.10.3.tgz
sockjs-0.3.19.tgz
faye-websocket-0.10.0.tgz
websocket-driver-0.7.3.tgz
❌ websocket-extensions-0.1.3.tgz (Vulnerable Library)
Found in HEAD commit: 95c92c0b82ebc8c6c86090b55e337f8d16f2933b
Found in base branch: master
Vulnerability Details
websocket-extensions npm module prior to 0.1.4 allows Denial of Service (DoS) via Regex Backtracking. The extension parser may take quadratic time when parsing a header containing an unclosed string parameter value whose content is a repeating two-byte sequence of a backslash and some other character. This could be abused by an attacker to conduct Regex Denial Of Service (ReDoS) on a single-threaded server by providing a malicious payload with the Sec-WebSocket-Extensions header.
Publish Date: 2020-06-02
URL: CVE-2020-7662
CVSS 3 Score Details (7.5 )
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: None
Integrity Impact: None
Availability Impact: High
For more information on CVSS3 Scores, click here .
Suggested Fix
Type: Upgrade version
Origin: GHSA-g78m-2chm-r7qv
Release Date: 2020-06-02
Fix Resolution (websocket-extensions): 0.1.4
Direct dependency fix Resolution (@vue/cli-service): 4.3.0
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2020-11022 - Medium Severity Vulnerability
Vulnerable Library - jquery-1.7.1.min.js
JavaScript library for DOM operations
Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.7.1/jquery.min.js
Path to dependency file: /browser/flagr-ui/node_modules/sockjs/examples/express/index.html
Path to vulnerable library: /browser/flagr-ui/node_modules/sockjs/examples/express/index.html,/browser/flagr-ui/node_modules/sockjs/examples/express-3.x/index.html,/browser/flagr-ui/node_modules/sockjs/examples/multiplex/index.html,/browser/flagr-ui/node_modules/sockjs/examples/echo/index.html,/browser/flagr-ui/node_modules/sockjs/examples/hapi/html/index.html
Dependency Hierarchy:
❌ jquery-1.7.1.min.js (Vulnerable Library)
Found in HEAD commit: 95c92c0b82ebc8c6c86090b55e337f8d16f2933b
Found in base branch: master
Vulnerability Details
In jQuery versions greater than or equal to 1.2 and before 3.5.0, passing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.
Publish Date: 2020-04-29
URL: CVE-2020-11022
CVSS 3 Score Details (6.1 )
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Changed
Impact Metrics:
Confidentiality Impact: Low
Integrity Impact: Low
Availability Impact: None
For more information on CVSS3 Scores, click here .
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11022
Release Date: 2020-04-29
Fix Resolution: jQuery - 3.5.0
CVE-2020-7693 - Medium Severity Vulnerability
Vulnerable Library - sockjs-0.3.19.tgz
SockJS-node is a server counterpart of SockJS-client a JavaScript library that provides a WebSocket-like object in the browser. SockJS gives you a coherent, cross-browser, Javascript API which creates a low latency, full duplex, cross-domain communication
Library home page: https://registry.npmjs.org/sockjs/-/sockjs-0.3.19.tgz
Path to dependency file: /browser/flagr-ui/package.json
Path to vulnerable library: /browser/flagr-ui/node_modules/sockjs/package.json
Dependency Hierarchy:
cli-service-4.2.3.tgz (Root Library)
webpack-dev-server-3.10.3.tgz
❌ sockjs-0.3.19.tgz (Vulnerable Library)
Found in HEAD commit: 95c92c0b82ebc8c6c86090b55e337f8d16f2933b
Found in base branch: master
Vulnerability Details
Incorrect handling of Upgrade header with the value websocket leads in crashing of containers hosting sockjs apps. This affects the package sockjs before 0.3.20.
Publish Date: 2020-07-09
URL: CVE-2020-7693
CVSS 3 Score Details (5.3 )
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: None
Integrity Impact: None
Availability Impact: Low
For more information on CVSS3 Scores, click here .
Suggested Fix
Type: Upgrade version
Release Date: 2020-07-14
Fix Resolution (sockjs): 0.3.20
Direct dependency fix Resolution (@vue/cli-service): 4.3.0
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2015-9251 - Medium Severity Vulnerability
Vulnerable Library - jquery-1.7.1.min.js
JavaScript library for DOM operations
Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.7.1/jquery.min.js
Path to dependency file: /browser/flagr-ui/node_modules/sockjs/examples/express/index.html
Path to vulnerable library: /browser/flagr-ui/node_modules/sockjs/examples/express/index.html,/browser/flagr-ui/node_modules/sockjs/examples/express-3.x/index.html,/browser/flagr-ui/node_modules/sockjs/examples/multiplex/index.html,/browser/flagr-ui/node_modules/sockjs/examples/echo/index.html,/browser/flagr-ui/node_modules/sockjs/examples/hapi/html/index.html
Dependency Hierarchy:
❌ jquery-1.7.1.min.js (Vulnerable Library)
Found in HEAD commit: 95c92c0b82ebc8c6c86090b55e337f8d16f2933b
Found in base branch: master
Vulnerability Details
jQuery before 3.0.0 is vulnerable to Cross-site Scripting (XSS) attacks when a cross-domain Ajax request is performed without the dataType option, causing text/javascript responses to be executed.
Publish Date: 2018-01-18
URL: CVE-2015-9251
CVSS 3 Score Details (6.1 )
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Changed
Impact Metrics:
Confidentiality Impact: Low
Integrity Impact: Low
Availability Impact: None
For more information on CVSS3 Scores, click here .
Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2015-9251
Release Date: 2018-01-18
Fix Resolution: jQuery - 3.0.0
WS-2020-0208 - Medium Severity Vulnerability
Vulnerable Library - highlight.js-9.15.8.tgz
Syntax highlighting with language autodetection.
Library home page: https://registry.npmjs.org/highlight.js/-/highlight.js-9.15.8.tgz
Path to dependency file: /browser/flagr-ui/package.json
Path to vulnerable library: /browser/flagr-ui/node_modules/highlight.js/package.json
Dependency Hierarchy:
mavon-editor-2.7.4.tgz (Root Library)
❌ highlight.js-9.15.8.tgz (Vulnerable Library)
Found in HEAD commit: 95c92c0b82ebc8c6c86090b55e337f8d16f2933b
Found in base branch: master
Vulnerability Details
If are you are using Highlight.js to highlight user-provided data you are possibly vulnerable. On the client-side (in a browser or Electron environment) risks could include lengthy freezes or crashes... On the server-side infinite freezes could occur... effectively preventing users from accessing your app or service (ie, Denial of Service). This is an issue with grammars shipped with the parser (and potentially 3rd party grammars also), not the parser itself. If you are using Highlight.js with any of the following grammars you are vulnerable. If you are using highlightAuto to detect the language (and have any of these grammars registered) you are vulnerable.
Publish Date: 2020-12-04
URL: WS-2020-0208
CVSS 3 Score Details (5.3 )
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: Low
Integrity Impact: None
Availability Impact: None
For more information on CVSS3 Scores, click here .
Suggested Fix
Type: Upgrade version
Release Date: 2020-12-04
Fix Resolution (highlight.js): 10.4.1
Direct dependency fix Resolution (mavon-editor): 2.10.0
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2022-24771 - High Severity Vulnerability
Vulnerable Library - node-forge-0.9.0.tgz
JavaScript implementations of network transports, cryptography, ciphers, PKI, message digests, and various utilities.
Library home page: https://registry.npmjs.org/node-forge/-/node-forge-0.9.0.tgz
Path to dependency file: /browser/flagr-ui/package.json
Path to vulnerable library: /browser/flagr-ui/node_modules/node-forge/package.json
Dependency Hierarchy:
cli-service-4.2.3.tgz (Root Library)
webpack-dev-server-3.10.3.tgz
selfsigned-1.10.7.tgz
❌ node-forge-0.9.0.tgz (Vulnerable Library)
Found in HEAD commit: 95c92c0b82ebc8c6c86090b55e337f8d16f2933b
Found in base branch: master
Vulnerability Details
Forge (also called node-forge
) is a native implementation of Transport Layer Security in JavaScript. Prior to version 1.3.0, RSA PKCS#1 v1.5 signature verification code is lenient in checking the digest algorithm structure. This can allow a crafted structure that steals padding bytes and uses unchecked portion of the PKCS#1 encoded message to forge a signature when a low public exponent is being used. The issue has been addressed in node-forge
version 1.3.0. There are currently no known workarounds.
Publish Date: 2022-03-18
URL: CVE-2022-24771
CVSS 3 Score Details (7.5 )
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: None
Integrity Impact: High
Availability Impact: None
For more information on CVSS3 Scores, click here .
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24771
Release Date: 2022-03-18
Fix Resolution (node-forge): 1.3.0
Direct dependency fix Resolution (@vue/cli-service): 5.0.1
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2022-24773 - Medium Severity Vulnerability
Vulnerable Library - node-forge-0.9.0.tgz
JavaScript implementations of network transports, cryptography, ciphers, PKI, message digests, and various utilities.
Library home page: https://registry.npmjs.org/node-forge/-/node-forge-0.9.0.tgz
Path to dependency file: /browser/flagr-ui/package.json
Path to vulnerable library: /browser/flagr-ui/node_modules/node-forge/package.json
Dependency Hierarchy:
cli-service-4.2.3.tgz (Root Library)
webpack-dev-server-3.10.3.tgz
selfsigned-1.10.7.tgz
❌ node-forge-0.9.0.tgz (Vulnerable Library)
Found in HEAD commit: 95c92c0b82ebc8c6c86090b55e337f8d16f2933b
Found in base branch: master
Vulnerability Details
Forge (also called node-forge
) is a native implementation of Transport Layer Security in JavaScript. Prior to version 1.3.0, RSA PKCS#1 v1.5 signature verification code does not properly check DigestInfo
for a proper ASN.1 structure. This can lead to successful verification with signatures that contain invalid structures but a valid digest. The issue has been addressed in node-forge
version 1.3.0. There are currently no known workarounds.
Publish Date: 2022-03-18
URL: CVE-2022-24773
CVSS 3 Score Details (5.3 )
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: None
Integrity Impact: Low
Availability Impact: None
For more information on CVSS3 Scores, click here .
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24773
Release Date: 2022-03-18
Fix Resolution (node-forge): 1.3.0
Direct dependency fix Resolution (@vue/cli-service): 5.0.1
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2020-15366 - Medium Severity Vulnerability
Vulnerable Libraries - ajv-6.12.0.tgz , ajv-6.10.0.tgz , ajv-6.11.0.tgz
ajv-6.12.0.tgz
Another JSON Schema Validator
Library home page: https://registry.npmjs.org/ajv/-/ajv-6.12.0.tgz
Path to dependency file: /browser/flagr-ui/package.json
Path to vulnerable library: /browser/flagr-ui/node_modules/@vue/cli-service/node_modules/ajv/package.json
Dependency Hierarchy:
eslint-6.8.0.tgz (Root Library)
table-5.4.6.tgz
❌ ajv-6.12.0.tgz (Vulnerable Library)
ajv-6.10.0.tgz
Another JSON Schema Validator
Library home page: https://registry.npmjs.org/ajv/-/ajv-6.10.0.tgz
Path to dependency file: /browser/flagr-ui/package.json
Path to vulnerable library: /browser/flagr-ui/node_modules/ajv/package.json
Dependency Hierarchy:
eslint-6.8.0.tgz (Root Library)
❌ ajv-6.10.0.tgz (Vulnerable Library)
ajv-6.11.0.tgz
Another JSON Schema Validator
Library home page: https://registry.npmjs.org/ajv/-/ajv-6.11.0.tgz
Path to dependency file: /browser/flagr-ui/package.json
Path to vulnerable library: /browser/flagr-ui/node_modules/cache-loader/node_modules/ajv/package.json
Dependency Hierarchy:
cli-plugin-babel-4.2.3.tgz (Root Library)
cache-loader-4.1.0.tgz
schema-utils-2.6.4.tgz
❌ ajv-6.11.0.tgz (Vulnerable Library)
Found in HEAD commit: 95c92c0b82ebc8c6c86090b55e337f8d16f2933b
Found in base branch: master
Vulnerability Details
An issue was discovered in ajv.validate() in Ajv (aka Another JSON Schema Validator) 6.12.2. A carefully crafted JSON schema could be provided that allows execution of other code by prototype pollution. (While untrusted schemas are recommended against, the worst case of an untrusted schema should be a denial of service, not execution of code.)
Publish Date: 2020-07-15
URL: CVE-2020-15366
CVSS 3 Score Details (5.6 )
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: Low
Integrity Impact: Low
Availability Impact: Low
For more information on CVSS3 Scores, click here .
Suggested Fix
Type: Upgrade version
Release Date: 2020-07-15
Fix Resolution (ajv): 6.12.3
Direct dependency fix Resolution (eslint): 7.0.0
Fix Resolution (ajv): 6.12.3
Direct dependency fix Resolution (eslint): 7.0.0
Fix Resolution (ajv): 6.12.3
Direct dependency fix Resolution (@vue/cli-plugin-babel): 4.3.0
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2020-7774 - Critical Severity Vulnerability
Vulnerable Library - y18n-4.0.0.tgz
the bare-bones internationalization library used by yargs
Library home page: https://registry.npmjs.org/y18n/-/y18n-4.0.0.tgz
Path to dependency file: /browser/flagr-ui/package.json
Path to vulnerable library: /browser/flagr-ui/node_modules/y18n/package.json
Dependency Hierarchy:
cli-service-4.2.3.tgz (Root Library)
cli-highlight-2.1.4.tgz
yargs-15.3.1.tgz
❌ y18n-4.0.0.tgz (Vulnerable Library)
Found in HEAD commit: 95c92c0b82ebc8c6c86090b55e337f8d16f2933b
Found in base branch: master
Vulnerability Details
The package y18n before 3.2.2, 4.0.1 and 5.0.5, is vulnerable to Prototype Pollution.
Publish Date: 2020-11-17
URL: CVE-2020-7774
CVSS 3 Score Details (9.8 )
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: High
Integrity Impact: High
Availability Impact: High
For more information on CVSS3 Scores, click here .
Suggested Fix
Type: Upgrade version
Origin: https://www.npmjs.com/advisories/1654
Release Date: 2020-11-17
Fix Resolution (y18n): 4.0.1
Direct dependency fix Resolution (@vue/cli-service): 4.3.0
⛑️ Automatic Remediation will be attempted for this issue.
WS-2019-0424 - Medium Severity Vulnerability
Vulnerable Library - elliptic-6.5.2.tgz
EC cryptography
Library home page: https://registry.npmjs.org/elliptic/-/elliptic-6.5.2.tgz
Path to dependency file: /browser/flagr-ui/package.json
Path to vulnerable library: /browser/flagr-ui/node_modules/elliptic/package.json
Dependency Hierarchy:
cli-plugin-babel-4.2.3.tgz (Root Library)
webpack-4.41.5.tgz
node-libs-browser-2.2.1.tgz
crypto-browserify-3.12.0.tgz
browserify-sign-4.0.4.tgz
❌ elliptic-6.5.2.tgz (Vulnerable Library)
Found in HEAD commit: 95c92c0b82ebc8c6c86090b55e337f8d16f2933b
Found in base branch: master
Vulnerability Details
all versions of elliptic are vulnerable to Timing Attack through side-channels.
Publish Date: 2019-11-13
URL: WS-2019-0424
CVSS 3 Score Details (5.9 )
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Adjacent
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: Low
Integrity Impact: High
Availability Impact: None
For more information on CVSS3 Scores, click here .
Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/WS-2019-0424
Release Date: 2019-11-13
Fix Resolution (elliptic): 6.5.3
Direct dependency fix Resolution (@vue/cli-plugin-babel): 4.3.0
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2020-28498 - Medium Severity Vulnerability
Vulnerable Library - elliptic-6.5.2.tgz
EC cryptography
Library home page: https://registry.npmjs.org/elliptic/-/elliptic-6.5.2.tgz
Path to dependency file: /browser/flagr-ui/package.json
Path to vulnerable library: /browser/flagr-ui/node_modules/elliptic/package.json
Dependency Hierarchy:
cli-plugin-babel-4.2.3.tgz (Root Library)
webpack-4.41.5.tgz
node-libs-browser-2.2.1.tgz
crypto-browserify-3.12.0.tgz
browserify-sign-4.0.4.tgz
❌ elliptic-6.5.2.tgz (Vulnerable Library)
Found in HEAD commit: 95c92c0b82ebc8c6c86090b55e337f8d16f2933b
Found in base branch: master
Vulnerability Details
The package elliptic before 6.5.4 are vulnerable to Cryptographic Issues via the secp256k1 implementation in elliptic/ec/key.js. There is no check to confirm that the public key point passed into the derive function actually exists on the secp256k1 curve. This results in the potential for the private key used in this implementation to be revealed after a number of ECDH operations are performed.
Publish Date: 2021-02-02
URL: CVE-2020-28498
CVSS 3 Score Details (6.8 )
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Changed
Impact Metrics:
Confidentiality Impact: High
Integrity Impact: None
Availability Impact: None
For more information on CVSS3 Scores, click here .
Suggested Fix
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2020-28498
Release Date: 2021-02-02
Fix Resolution (elliptic): 6.5.4
Direct dependency fix Resolution (@vue/cli-plugin-babel): 4.3.0
⛑️ Automatic Remediation will be attempted for this issue.
WS-2019-0283 - Medium Severity Vulnerability
Vulnerable Library - mavon-editor-2.7.4.tgz
Vue markdown editor
Library home page: https://registry.npmjs.org/mavon-editor/-/mavon-editor-2.7.4.tgz
Path to dependency file: /browser/flagr-ui/package.json
Path to vulnerable library: /browser/flagr-ui/node_modules/mavon-editor/package.json
Dependency Hierarchy:
❌ mavon-editor-2.7.4.tgz (Vulnerable Library)
Found in HEAD commit: 95c92c0b82ebc8c6c86090b55e337f8d16f2933b
Found in base branch: master
Vulnerability Details
Mavon-editor is vulnerable to Cross-Site Scripting (XSS). The package fails to sanitize entered input, allowing attackers to execute arbitrary JavaScript in a victim's browser. All version are affected.
Publish Date: 2019-10-06
URL: WS-2019-0283
CVSS 3 Score Details (6.1 )
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Changed
Impact Metrics:
Confidentiality Impact: Low
Integrity Impact: Low
Availability Impact: None
For more information on CVSS3 Scores, click here .
Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/WS-2019-0283
Release Date: 2019-10-06
Fix Resolution: 2.7.7
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2020-7608 - Medium Severity Vulnerability
Vulnerable Library - yargs-parser-11.1.1.tgz
the mighty option parser used by yargs
Library home page: https://registry.npmjs.org/yargs-parser/-/yargs-parser-11.1.1.tgz
Path to dependency file: /browser/flagr-ui/package.json
Path to vulnerable library: /browser/flagr-ui/node_modules/webpack-dev-server/node_modules/yargs-parser/package.json
Dependency Hierarchy:
cli-service-4.2.3.tgz (Root Library)
webpack-dev-server-3.10.3.tgz
yargs-12.0.5.tgz
❌ yargs-parser-11.1.1.tgz (Vulnerable Library)
Found in HEAD commit: 95c92c0b82ebc8c6c86090b55e337f8d16f2933b
Found in base branch: master
Vulnerability Details
yargs-parser could be tricked into adding or modifying properties of Object.prototype using a "proto " payload.
Publish Date: 2020-03-16
URL: CVE-2020-7608
CVSS 3 Score Details (5.3 )
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Local
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: Low
Integrity Impact: Low
Availability Impact: Low
For more information on CVSS3 Scores, click here .
Suggested Fix
Type: Upgrade version
Release Date: 2020-03-16
Fix Resolution (yargs-parser): 13.1.2
Direct dependency fix Resolution (@vue/cli-service): 4.3.0
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2021-35065 - High Severity Vulnerability
Vulnerable Libraries - glob-parent-5.1.0.tgz , glob-parent-3.1.0.tgz
glob-parent-5.1.0.tgz
Extract the non-magic parent path from a glob string.
Library home page: https://registry.npmjs.org/glob-parent/-/glob-parent-5.1.0.tgz
Path to dependency file: /browser/flagr-ui/package.json
Path to vulnerable library: /browser/flagr-ui/node_modules/eslint/node_modules/glob-parent/package.json
Dependency Hierarchy:
eslint-6.8.0.tgz (Root Library)
❌ glob-parent-5.1.0.tgz (Vulnerable Library)
glob-parent-3.1.0.tgz
Strips glob magic from a string to provide the parent directory path
Library home page: https://registry.npmjs.org/glob-parent/-/glob-parent-3.1.0.tgz
Path to dependency file: /browser/flagr-ui/package.json
Path to vulnerable library: /browser/flagr-ui/node_modules/glob-parent/package.json
Dependency Hierarchy:
cli-service-4.2.3.tgz (Root Library)
copy-webpack-plugin-5.1.1.tgz
❌ glob-parent-3.1.0.tgz (Vulnerable Library)
Found in HEAD commit: 95c92c0b82ebc8c6c86090b55e337f8d16f2933b
Found in base branch: master
Vulnerability Details
The package glob-parent before 6.0.1 are vulnerable to Regular Expression Denial of Service (ReDoS)
Publish Date: 2021-06-22
URL: CVE-2021-35065
CVSS 3 Score Details (7.5 )
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: None
Integrity Impact: None
Availability Impact: High
For more information on CVSS3 Scores, click here .
Suggested Fix
Type: Upgrade version
Origin: GHSA-cj88-88mr-972w
Release Date: 2021-06-22
Fix Resolution (glob-parent): 6.0.1
Direct dependency fix Resolution (eslint): 8.0.0
⛑️ Automatic Remediation is available for this issue
CVE-2021-3664 - Medium Severity Vulnerability
Vulnerable Library - url-parse-1.4.7.tgz
Small footprint URL parser that works seamlessly across Node.js and browser environments
Library home page: https://registry.npmjs.org/url-parse/-/url-parse-1.4.7.tgz
Path to dependency file: /browser/flagr-ui/package.json
Path to vulnerable library: /browser/flagr-ui/node_modules/url-parse/package.json
Dependency Hierarchy:
cli-service-4.2.3.tgz (Root Library)
webpack-dev-server-3.10.3.tgz
sockjs-client-1.4.0.tgz
❌ url-parse-1.4.7.tgz (Vulnerable Library)
Found in HEAD commit: 95c92c0b82ebc8c6c86090b55e337f8d16f2933b
Found in base branch: master
Vulnerability Details
url-parse is vulnerable to URL Redirection to Untrusted Site
Publish Date: 2021-07-26
URL: CVE-2021-3664
CVSS 3 Score Details (5.3 )
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: None
Integrity Impact: Low
Availability Impact: None
For more information on CVSS3 Scores, click here .
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3664
Release Date: 2021-07-26
Fix Resolution (url-parse): 1.5.2
Direct dependency fix Resolution (@vue/cli-service): 4.3.0
⛑️ Automatic Remediation will be attempted for this issue.