mvalle21 / haste-server Goto Github PK

Vulnerable Library - minimist-0.0.8.tgz

parse argument options

Library home page: https://registry.npmjs.org/minimist/-/minimist-0.0.8.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/minimist/package.json

Dependency Hierarchy:

• mocha-3.4.2.tgz (Root Library)
  • mkdirp-0.5.1.tgz
    • ❌ minimist-0.0.8.tgz (Vulnerable Library)

Found in base branch: master

Vulnerability Details

Minimist <=1.2.5 is vulnerable to Prototype Pollution via file index.js, function setKey() (lines 69-95).

Publish Date: 2022-03-17

URL: CVE-2021-44906

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Release Date: 2022-03-17

Fix Resolution (minimist): 0.2.2

Direct dependency fix Resolution (mocha): 6.2.3

Vulnerable Libraries - mime-1.2.11.tgz, mime-1.3.6.tgz

Found in HEAD commit: 06b23f007a2ea7a5fd0b841cca3392a66b9ce50b

Found in base branch: master

Vulnerability Details

The mime module < 1.4.1, 2.0.1, 2.0.2 is vulnerable to regular expression denial of service when a mime lookup is performed on untrusted user input.
Mend Note: Converted from WS-2017-0330, on 2022-11-08.

Publish Date: 2018-06-07

URL: CVE-2017-16138

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16138

Release Date: 2018-06-07

Fix Resolution (mime): 1.4.1

Direct dependency fix Resolution (st): 1.2.1

Vulnerable Libraries - debug-2.2.0.tgz, debug-2.6.0.tgz

Found in HEAD commit: 06b23f007a2ea7a5fd0b841cca3392a66b9ce50b

Found in base branch: master

Vulnerability Details

The debug module is vulnerable to regular expression denial of service when untrusted user input is passed into the o formatter. It takes around 50k characters to block for 2 seconds making this a low severity issue.

Publish Date: 2018-06-07

URL: CVE-2017-16137

CVSS 3 Score Details (5.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-16137

Release Date: 2018-04-26

Fix Resolution (debug): 2.6.9

Direct dependency fix Resolution (connect): 3.6.5

Fix Resolution (debug): 2.6.9

Direct dependency fix Resolution (mocha): 4.0.0

Vulnerable Library - dicer-0.2.3.tgz

A very fast streaming multipart parser for node.js

Library home page: https://registry.npmjs.org/dicer/-/dicer-0.2.3.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/dicer/package.json

Dependency Hierarchy:

• busboy-0.2.8.tgz (Root Library)
  • ❌ dicer-0.2.3.tgz (Vulnerable Library)

Found in HEAD commit: 06b23f007a2ea7a5fd0b841cca3392a66b9ce50b

Found in base branch: master

Vulnerability Details

This affects all versions of package dicer. A malicious attacker can send a modified form to server, and crash the nodejs service. An attacker could sent the payload again and again so that the service continuously crashes.

Publish Date: 2022-05-20

URL: CVE-2022-24434

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Vulnerable Library - request-2.16.6.tgz

Simplified HTTP request client.

Library home page: https://registry.npmjs.org/request/-/request-2.16.6.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/request/package.json

Dependency Hierarchy:

• winston-0.7.3.tgz (Root Library)
  • ❌ request-2.16.6.tgz (Vulnerable Library)

Found in HEAD commit: 06b23f007a2ea7a5fd0b841cca3392a66b9ce50b

Found in base branch: master

Vulnerability Details

Request is an http client. If a request is made using multipart, and the body type is a number, then the specified number of non-zero memory is passed in the body. This affects Request >=2.2.6 <2.47.0 || >2.51.0 <=2.67.0.

Publish Date: 2018-06-04

URL: CVE-2017-16026

CVSS 3 Score Details (5.9)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: None
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2017-16026

Release Date: 2018-06-04

Fix Resolution (request): 2.68.0

Direct dependency fix Resolution (winston): 0.8.0

Vulnerable Library - request-2.16.6.tgz

Simplified HTTP request client.

Library home page: https://registry.npmjs.org/request/-/request-2.16.6.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/request/package.json

Dependency Hierarchy:

• winston-0.7.3.tgz (Root Library)
  • ❌ request-2.16.6.tgz (Vulnerable Library)

Found in HEAD commit: 06b23f007a2ea7a5fd0b841cca3392a66b9ce50b

Found in base branch: master

Vulnerability Details

** UNSUPPORTED WHEN ASSIGNED ** The Request package through 2.88.1 for Node.js allows a bypass of SSRF mitigations via an attacker-controller server that does a cross-protocol redirect (HTTP to HTTPS, or HTTPS to HTTP). NOTE: This vulnerability only affects products that are no longer supported by the maintainer.

Publish Date: 2023-03-16

URL: CVE-2023-28155

CVSS 3 Score Details (6.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None

Vulnerable Library - diff-3.2.0.tgz

A javascript text diff implementation.

Library home page: https://registry.npmjs.org/diff/-/diff-3.2.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/diff/package.json

Dependency Hierarchy:

• mocha-3.4.2.tgz (Root Library)
  • ❌ diff-3.2.0.tgz (Vulnerable Library)

Found in HEAD commit: 06b23f007a2ea7a5fd0b841cca3392a66b9ce50b

Found in base branch: master

Vulnerability Details

A vulnerability was found in diff before v3.5.0, the affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) attacks.

Publish Date: 2018-03-05

URL: WS-2018-0590

CVSS 3 Score Details (7.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Release Date: 2018-03-05

Fix Resolution (diff): 3.5.0

Direct dependency fix Resolution (mocha): 5.0.3

Vulnerable Library - st-1.1.0.tgz

A module for serving static files. Does etags, caching, etc.

Library home page: https://registry.npmjs.org/st/-/st-1.1.0.tgz

Path to dependency file: haste-server/package.json

Path to vulnerable library: haste-server/node_modules/st/package.json

Dependency Hierarchy:

• ❌ st-1.1.0.tgz (Vulnerable Library)

Found in HEAD commit: 06b23f007a2ea7a5fd0b841cca3392a66b9ce50b

Found in base branch: master

Vulnerability Details

st versions before 1.2.2 has an Open Redirect vulnerability. An attacker is able to craft a request that results in an HTTP 301 (redirect) to an entirely different domain.An attacker is able to craft a request that results in an HTTP 301 (redirect) to an entirely different domain.An attacker is able to craft a request that results in an HTTP 301 (redirect) to an entirely different domain.An attacker is able to craft a request that results in an HTTP 301 (redirect) to an entirely different domain.

Publish Date: 2017-10-13

URL: WS-2019-0154

CVSS 2 Score Details (5.0)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/547

Release Date: 2019-07-15

Fix Resolution: 1.2.2

Vulnerable Library - hoek-0.7.6.tgz

General purpose node utilities

Library home page: https://registry.npmjs.org/hoek/-/hoek-0.7.6.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/hoek/package.json

Dependency Hierarchy:

• winston-0.7.3.tgz (Root Library)
  • request-2.16.6.tgz
    • hawk-0.10.2.tgz
      • ❌ hoek-0.7.6.tgz (Vulnerable Library)

Found in HEAD commit: 06b23f007a2ea7a5fd0b841cca3392a66b9ce50b

Found in base branch: master

Vulnerability Details

hoek node module before 4.2.0 and 5.0.x before 5.0.3 suffers from a Modification of Assumed-Immutable Data (MAID) vulnerability via 'merge' and 'applyToDefaults' functions, which allows a malicious user to modify the prototype of "Object" via proto, causing the addition or modification of an existing property that will exist on all objects.

Publish Date: 2018-03-30

URL: CVE-2018-3728

CVSS 3 Score Details (8.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16082

Release Date: 2018-03-30

Fix Resolution (hoek): 4.2.0

Direct dependency fix Resolution (winston): 0.8.0

Vulnerable Library - growl-1.9.2.tgz

Growl unobtrusive notifications

Library home page: https://registry.npmjs.org/growl/-/growl-1.9.2.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/growl/package.json

Dependency Hierarchy:

• mocha-3.4.2.tgz (Root Library)
  • ❌ growl-1.9.2.tgz (Vulnerable Library)

Found in HEAD commit: 06b23f007a2ea7a5fd0b841cca3392a66b9ce50b

Found in base branch: master

Vulnerability Details

Growl adds growl notification support to nodejs. Growl before 1.10.2 does not properly sanitize input before passing it to exec, allowing for arbitrary command execution.
Mend Note: Converted from WS-2017-0236, on 2022-11-08.

Publish Date: 2018-06-04

URL: CVE-2017-16042

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2017-16042

Release Date: 2018-06-04

Fix Resolution (growl): 1.10.2

Direct dependency fix Resolution (mocha): 4.0.0

Vulnerable Library - bl-1.0.3.tgz

Buffer List: collect buffers and access with a standard readable Buffer interface, streamable too!

Library home page: https://registry.npmjs.org/bl/-/bl-1.0.3.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/bl/package.json

Dependency Hierarchy:

• st-1.1.0.tgz (Root Library)
  • ❌ bl-1.0.3.tgz (Vulnerable Library)

Found in HEAD commit: 06b23f007a2ea7a5fd0b841cca3392a66b9ce50b

Found in base branch: master

Vulnerability Details

A buffer over-read vulnerability exists in bl <4.0.3, <3.0.1, <2.2.1, and <1.2.3 which could allow an attacker to supply user input (even typed) that if it ends up in consume() argument and can become negative, the BufferList state can be corrupted, tricking it into exposing uninitialized memory via regular .slice() calls.

Publish Date: 2020-08-30

URL: CVE-2020-8244

CVSS 3 Score Details (6.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: None
  • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: GHSA-pp7h-53gx-mx7r

Release Date: 2020-08-30

Fix Resolution (bl): 1.2.3

Direct dependency fix Resolution (st): 1.2.1

Vulnerable Libraries - debug-2.2.0.tgz, debug-2.6.0.tgz

Found in HEAD commit: 06b23f007a2ea7a5fd0b841cca3392a66b9ce50b

Found in base branch: master

Vulnerability Details

A vulnerability classified as problematic has been found in debug-js debug up to 3.0.x. This affects the function useColors of the file src/node.js. The manipulation of the argument str leads to inefficient regular expression complexity. Upgrading to version 3.1.0 is able to address this issue. The name of the patch is c38a0166c266a679c8de012d4eaccec3f944e685. It is recommended to upgrade the affected component. The identifier VDB-217665 was assigned to this vulnerability.

Publish Date: 2023-01-09

URL: CVE-2017-20165

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-9vvw-cc9w-f27h

Release Date: 2023-01-09

Fix Resolution (debug): 2.6.9

Direct dependency fix Resolution (connect): 3.6.5

Fix Resolution (debug): 2.6.9

Direct dependency fix Resolution (mocha): 4.0.0

Vulnerable Library - mocha-3.4.2.tgz

simple, flexible, fun test framework

Library home page: https://registry.npmjs.org/mocha/-/mocha-3.4.2.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/mocha/package.json

Dependency Hierarchy:

• ❌ mocha-3.4.2.tgz (Vulnerable Library)

Found in HEAD commit: 06b23f007a2ea7a5fd0b841cca3392a66b9ce50b

Found in base branch: master

Vulnerability Details

There is regular Expression Denial of Service (ReDoS) vulnerability in mocha.
It allows cause a denial of service when stripping crafted invalid function definition from strs.

Publish Date: 2021-09-18

URL: WS-2021-0638

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Release Date: 2021-09-18

Fix Resolution: 6.0.0-0

Vulnerable Library - minimist-0.0.8.tgz

parse argument options

Library home page: https://registry.npmjs.org/minimist/-/minimist-0.0.8.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/minimist/package.json

Dependency Hierarchy:

• mocha-3.4.2.tgz (Root Library)
  • mkdirp-0.5.1.tgz
    • ❌ minimist-0.0.8.tgz (Vulnerable Library)

Found in HEAD commit: 06b23f007a2ea7a5fd0b841cca3392a66b9ce50b

Found in base branch: master

Vulnerability Details

minimist before 1.2.2 could be tricked into adding or modifying properties of Object.prototype using a "constructor" or "proto" payload.

Publish Date: 2020-03-11

URL: CVE-2020-7598

CVSS 3 Score Details (5.6)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Release Date: 2020-03-11

Fix Resolution (minimist): 0.2.1

Direct dependency fix Resolution (mocha): 6.2.3

Vulnerable Library - mocha-3.4.2.tgz

simple, flexible, fun test framework

Library home page: https://registry.npmjs.org/mocha/-/mocha-3.4.2.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/mocha/package.json

Dependency Hierarchy:

• ❌ mocha-3.4.2.tgz (Vulnerable Library)

Found in HEAD commit: 06b23f007a2ea7a5fd0b841cca3392a66b9ce50b

Found in base branch: master

Vulnerability Details

Mocha is vulnerable to ReDoS attack. If the stack trace in utils.js begins with a large error message, and full-trace is not enabled, utils.stackTraceFilter() will take exponential run time.

Publish Date: 2019-01-24

URL: WS-2019-0425

CVSS 3 Score Details (5.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Release Date: 2019-01-24

Fix Resolution: 6.0.0

Vulnerable Library - tunnel-agent-0.2.0.tgz

HTTP proxy tunneling agent. Formerly part of mikeal/request, now a standalone module.

Library home page: https://registry.npmjs.org/tunnel-agent/-/tunnel-agent-0.2.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/tunnel-agent/package.json

Dependency Hierarchy:

• winston-0.7.3.tgz (Root Library)
  • request-2.16.6.tgz
    • ❌ tunnel-agent-0.2.0.tgz (Vulnerable Library)

Found in HEAD commit: 06b23f007a2ea7a5fd0b841cca3392a66b9ce50b

Found in base branch: master

Vulnerability Details

Versions of tunnel-agent before 0.6.0 are vulnerable to memory exposure. This is exploitable if user supplied input is provided to the auth value and is a number.

Publish Date: 2017-03-05

URL: WS-2018-0076

CVSS 3 Score Details (5.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Local
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: None
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://nodesecurity.io/advisories/598

Release Date: 2017-03-05

Fix Resolution (tunnel-agent): 0.6.0

Direct dependency fix Resolution (winston): 0.8.0

Vulnerable Library - async-0.2.10.tgz

Higher-order functions and common patterns for asynchronous code

Library home page: https://registry.npmjs.org/async/-/async-0.2.10.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/async/package.json

Dependency Hierarchy:

• uglify-js-2.4.15.tgz (Root Library)
  • ❌ async-0.2.10.tgz (Vulnerable Library)

Found in base branch: master

Vulnerability Details

In Async before 2.6.4 and 3.x before 3.2.2, a malicious user can obtain privileges via the mapValues() method, aka lib/internal/iterator.js createObjectIterator prototype pollution.

Publish Date: 2022-04-06

URL: CVE-2021-43138

CVSS 3 Score Details (7.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Local
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2021-43138

Release Date: 2022-04-06

Fix Resolution (async): 2.6.4

Direct dependency fix Resolution (uglify-js): 2.8.6

Vulnerable Library - hawk-0.10.2.tgz

HTTP Hawk Authentication Scheme

Library home page: https://registry.npmjs.org/hawk/-/hawk-0.10.2.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/hawk/package.json

Dependency Hierarchy:

• winston-0.7.3.tgz (Root Library)
  • request-2.16.6.tgz
    • ❌ hawk-0.10.2.tgz (Vulnerable Library)

Found in HEAD commit: 06b23f007a2ea7a5fd0b841cca3392a66b9ce50b

Found in base branch: master

Vulnerability Details

Hawk before 3.1.3 and 4.x before 4.1.1 allow remote attackers to cause a denial of service (CPU consumption or partial outage) via a long (1) header or (2) URI that is matched against an improper regular expression.

Publish Date: 2016-04-13

URL: CVE-2016-2515

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2016-2515

Release Date: 2016-04-13

Fix Resolution (hawk): 3.1.3

Direct dependency fix Resolution (winston): 0.8.0

Vulnerable Libraries - jquery-2.1.1.min.js, jquery-1.6.2.js

Found in HEAD commit: 06b23f007a2ea7a5fd0b841cca3392a66b9ce50b

Found in base branch: master

Vulnerability Details

In jQuery versions greater than or equal to 1.2 and before 3.5.0, passing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.

Publish Date: 2020-04-29

URL: CVE-2020-11022

CVSS 3 Score Details (6.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11022

Release Date: 2020-04-29

Fix Resolution: jQuery - 3.5.0

Vulnerable Library - uglify-js-2.4.15.tgz

JavaScript parser, mangler/compressor and beautifier toolkit

Library home page: https://registry.npmjs.org/uglify-js/-/uglify-js-2.4.15.tgz

Path to dependency file: haste-server/package.json

Path to vulnerable library: haste-server/node_modules/uglify-js/package.json

Dependency Hierarchy:

• ❌ uglify-js-2.4.15.tgz (Vulnerable Library)

Found in HEAD commit: 06b23f007a2ea7a5fd0b841cca3392a66b9ce50b

Found in base branch: master

Vulnerability Details

uglifier incorrectly handles non-boolean comparisons during minification.The upstream library for the Ruby uglifier gem, UglifyJS, is affected by a vulnerability that allows a specially crafted Javascript file to have altered functionality after minification. This bug, found in UglifyJS versions 2.4.23 and earlier, was demonstrated to allow potentially malicious code to be hidden within secure code, and activated by the minification process.

Publish Date: 2015-07-22

URL: WS-2015-0033

CVSS 3 Score Details (7.2)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://hakiri.io/technologies/uglifier/issues/279911d9720338

Release Date: 2020-06-07

Fix Resolution: Uglifier - 2.7.2;uglify-js - v2.4.24

Vulnerable Library - jquery-1.6.2.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.6.2/jquery.js

Path to dependency file: /node_modules/qs/test/browser/index.html

Path to vulnerable library: /node_modules/qs/test/browser/jquery.js

Dependency Hierarchy:

• ❌ jquery-1.6.2.js (Vulnerable Library)

Found in HEAD commit: 06b23f007a2ea7a5fd0b841cca3392a66b9ce50b

Found in base branch: master

Vulnerability Details

jQuery before 1.9.0 is vulnerable to Cross-site Scripting (XSS) attacks. The jQuery(strInput) function does not differentiate selectors from HTML in a reliable fashion. In vulnerable versions, jQuery determined whether the input was HTML by looking for the '<' character anywhere in the string, giving attackers more flexibility when attempting to construct a malicious payload. In fixed versions, jQuery only deems the input to be HTML if it explicitly starts with the '<' character, limiting exploitability only to attackers who can control the beginning of a string, which is far less common.

Publish Date: 2018-01-18

URL: CVE-2012-6708

CVSS 3 Score Details (6.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2012-6708

Release Date: 2018-01-18

Fix Resolution: jQuery - v1.9.0

Vulnerable Library - qs-0.5.6.tgz

querystring parser

Library home page: https://registry.npmjs.org/qs/-/qs-0.5.6.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/qs/package.json

Dependency Hierarchy:

• winston-0.7.3.tgz (Root Library)
  • request-2.16.6.tgz
    • ❌ qs-0.5.6.tgz (Vulnerable Library)

Found in base branch: master

Vulnerability Details

A Denial of Service vulnerability exists in qs up to 6.8.0 due to insufficient sanitization of property in the gs.parse function. The merge() function allows the assignment of properties on an array in the query. For any property being assigned, a value in the array is converted to an object containing these properties. Essentially, this means that the property whose expected type is Array always has to be checked with Array.isArray() by the user. This may not be obvious to the user and can cause unexpected behavior.

Publish Date: 2022-03-17

URL: CVE-2021-44907

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44907

Release Date: 2022-03-17

Fix Resolution (qs): 6.8.1

Direct dependency fix Resolution (winston): 0.8.0

Vulnerable Library - minimatch-3.0.4.tgz

a glob matcher in javascript

Library home page: https://registry.npmjs.org/minimatch/-/minimatch-3.0.4.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/minimatch/package.json

Dependency Hierarchy:

• mocha-3.4.2.tgz (Root Library)
  • glob-7.1.1.tgz
    • ❌ minimatch-3.0.4.tgz (Vulnerable Library)

Found in HEAD commit: 06b23f007a2ea7a5fd0b841cca3392a66b9ce50b

Found in base branch: master

Vulnerability Details

A vulnerability was found in the minimatch package. This flaw allows a Regular Expression Denial of Service (ReDoS) when calling the braceExpand function with specific arguments, resulting in a Denial of Service.

Publish Date: 2022-10-17

URL: CVE-2022-3517

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Release Date: 2022-10-17

Fix Resolution: minimatch - 3.0.5

Vulnerable Library - uglify-js-2.4.15.tgz

JavaScript parser, mangler/compressor and beautifier toolkit

Library home page: https://registry.npmjs.org/uglify-js/-/uglify-js-2.4.15.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/uglify-js/package.json

Dependency Hierarchy:

• ❌ uglify-js-2.4.15.tgz (Vulnerable Library)

Found in HEAD commit: 06b23f007a2ea7a5fd0b841cca3392a66b9ce50b

Found in base branch: master

Vulnerability Details

The uglify-js package before 2.6.0 for Node.js allows attackers to cause a denial of service (CPU consumption) via crafted input in a parse call, aka a "regular expression denial of service (ReDoS)."

Publish Date: 2017-01-23

URL: CVE-2015-8858

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8858

Release Date: 2017-01-23

Fix Resolution: 2.6.0

Vulnerable Library - qs-0.5.6.tgz

querystring parser

Library home page: https://registry.npmjs.org/qs/-/qs-0.5.6.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/qs/package.json

Dependency Hierarchy:

• winston-0.7.3.tgz (Root Library)
  • request-2.16.6.tgz
    • ❌ qs-0.5.6.tgz (Vulnerable Library)

Found in HEAD commit: 06b23f007a2ea7a5fd0b841cca3392a66b9ce50b

Found in base branch: master

Vulnerability Details

The qs module before 1.0.0 does not have an option or default for specifying object depth and when parsing a string representing a deeply nested object will block the event loop for long periods of time. An attacker could leverage this to cause a temporary denial-of-service condition, for example, in a web application, other requests would not be processed while this blocking is occurring.

Publish Date: 2018-05-31

URL: CVE-2014-10064

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2014-10064

Release Date: 2018-04-26

Fix Resolution (qs): 1.0.0

Direct dependency fix Resolution (winston): 0.8.0

Vulnerable Library - jquery-1.6.2.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.6.2/jquery.js

Path to dependency file: /node_modules/qs/test/browser/index.html

Path to vulnerable library: /node_modules/qs/test/browser/jquery.js

Dependency Hierarchy:

• ❌ jquery-1.6.2.js (Vulnerable Library)

Found in HEAD commit: 06b23f007a2ea7a5fd0b841cca3392a66b9ce50b

Found in base branch: master

Vulnerability Details

jquery prior to 1.9.0 allows Cross-site Scripting attacks via the load method. The load method fails to recognize and remove "<script>" HTML tags that contain a whitespace character, i.e: "</script >", which results in the enclosed script logic to be executed.

Publish Date: 2020-05-19

URL: CVE-2020-7656

CVSS 3 Score Details (6.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: GHSA-q4m3-2j7h-f7xw

Release Date: 2020-05-19

Fix Resolution: jquery - 1.9.0

Vulnerable Libraries - ms-0.7.1.tgz, ms-0.7.2.tgz

Found in HEAD commit: 06b23f007a2ea7a5fd0b841cca3392a66b9ce50b

Found in base branch: master

Vulnerability Details

Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS).

Publish Date: 2017-04-12

URL: WS-2017-0247

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: vercel/ms#89

Release Date: 2017-04-12

Fix Resolution: 2.1.1

Vulnerable Library - qs-0.5.6.tgz

querystring parser

Library home page: https://registry.npmjs.org/qs/-/qs-0.5.6.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/qs/package.json

Dependency Hierarchy:

• winston-0.7.3.tgz (Root Library)
  • request-2.16.6.tgz
    • ❌ qs-0.5.6.tgz (Vulnerable Library)

Found in base branch: master

Vulnerability Details

the web framework using ljharb's qs module older than v6.3.2, v6.2.3, v6.1.2, and v6.0.4 is vulnerable to a DoS. A malicious user can send a evil request to cause the web framework crash.

Publish Date: 2017-07-17

URL: CVE-2017-1000048

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000048

Release Date: 2017-07-13

Fix Resolution (qs): 6.0.4

Direct dependency fix Resolution (winston): 0.8.0

Vulnerable Library - st-1.1.0.tgz

A module for serving static files. Does etags, caching, etc.

Library home page: https://registry.npmjs.org/st/-/st-1.1.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/st/package.json

Dependency Hierarchy:

• ❌ st-1.1.0.tgz (Vulnerable Library)

Found in HEAD commit: 06b23f007a2ea7a5fd0b841cca3392a66b9ce50b

Found in base branch: master

Vulnerability Details

yjmyjmyjm all versions has Directory Traversal vulnerability when resolving relative file paths

Publish Date: 2017-10-13

URL: WS-2019-0153

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: None
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/WS-2019-0153

Release Date: 2017-10-13

Fix Resolution: 1.2.2

Vulnerable Library - qs-0.5.6.tgz

querystring parser

Library home page: https://registry.npmjs.org/qs/-/qs-0.5.6.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/qs/package.json

Dependency Hierarchy:

• winston-0.7.3.tgz (Root Library)
  • request-2.16.6.tgz
    • ❌ qs-0.5.6.tgz (Vulnerable Library)

Found in HEAD commit: 06b23f007a2ea7a5fd0b841cca3392a66b9ce50b

Found in base branch: master

Vulnerability Details

Denial-of-Service Extended Event Loop Blocking.The qs module does not have an option or default for specifying object depth and when parsing a string representing a deeply nested object will block the event loop for long periods of time

Publish Date: 2014-07-31

URL: WS-2014-0005

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/WS-2014-0005

Release Date: 2014-07-31

Fix Resolution (qs): 1.0.0

Direct dependency fix Resolution (winston): 0.8.0

Vulnerable Library - st-1.1.0.tgz

A module for serving static files. Does etags, caching, etc.

Library home page: https://registry.npmjs.org/st/-/st-1.1.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/st/package.json

Dependency Hierarchy:

• ❌ st-1.1.0.tgz (Vulnerable Library)

Found in HEAD commit: 06b23f007a2ea7a5fd0b841cca3392a66b9ce50b

Found in base branch: master

Vulnerability Details

st is a module for serving static files. An attacker is able to craft a request that results in an HTTP 301 (redirect) to an entirely different domain. A request for: http://some.server.com//nodesecurity.org/%2e%2e would result in a 301 to //nodesecurity.org/%2e%2e which most browsers treat as a proper redirect as // is translated into the current schema being used. Mitigating factor: In order for this to work, st must be serving from the root of a server (/) rather than the typical sub directory (/static/) and the redirect URL will end with some form of URL encoded .. ("%2e%2e", "%2e.", ".%2e").
Mend Note: Converted from WS-2019-0154, on 2021-08-19.

Publish Date: 2018-06-07

URL: CVE-2017-16224

CVSS 3 Score Details (6.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-16224

Release Date: 2018-06-07

Fix Resolution: 1.2.2

Vulnerable Libraries - jquery-2.1.1.min.js, jquery-1.6.2.js

Found in HEAD commit: 06b23f007a2ea7a5fd0b841cca3392a66b9ce50b

Found in base branch: master

Vulnerability Details

jQuery before 3.0.0 is vulnerable to Cross-site Scripting (XSS) attacks when a cross-domain Ajax request is performed without the dataType option, causing text/javascript responses to be executed.

Publish Date: 2018-01-18

URL: CVE-2015-9251

CVSS 3 Score Details (6.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2015-9251

Release Date: 2018-01-18

Fix Resolution: jQuery - 3.0.0

Vulnerable Libraries - jquery-2.1.1.min.js, jquery-1.6.2.js

Found in HEAD commit: 06b23f007a2ea7a5fd0b841cca3392a66b9ce50b

Found in base branch: master

Vulnerability Details

jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. If an unsanitized source object contained an enumerable proto property, it could extend the native Object.prototype.

Publish Date: 2019-04-20

URL: CVE-2019-11358

CVSS 3 Score Details (6.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11358

Release Date: 2019-04-20

Fix Resolution: jquery - 3.4.0

Vulnerable Library - jquery-1.6.2.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.6.2/jquery.js

Path to dependency file: /node_modules/qs/test/browser/index.html

Path to vulnerable library: /node_modules/qs/test/browser/jquery.js

Dependency Hierarchy:

• ❌ jquery-1.6.2.js (Vulnerable Library)

Found in HEAD commit: 06b23f007a2ea7a5fd0b841cca3392a66b9ce50b

Found in base branch: master

Vulnerability Details

Cross-site scripting (XSS) vulnerability in jQuery before 1.6.3, when using location.hash to select elements, allows remote attackers to inject arbitrary web script or HTML via a crafted tag.

Publish Date: 2013-03-08

URL: CVE-2011-4969

CVSS 3 Score Details (3.7)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: Low
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2011-4969

Release Date: 2013-03-08

Fix Resolution: 1.6.3

Vulnerable Library - pg-4.1.1.tgz

PostgreSQL client - pure javascript & libpq with the same API

Library home page: https://registry.npmjs.org/pg/-/pg-4.1.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/pg/package.json

Dependency Hierarchy:

• ❌ pg-4.1.1.tgz (Vulnerable Library)

Found in HEAD commit: 06b23f007a2ea7a5fd0b841cca3392a66b9ce50b

Found in base branch: master

Vulnerability Details

A remote code execution vulnerability was found within the pg module when the remote database or query specifies a specially crafted column name. There are 2 likely scenarios in which one would likely be vulnerable. 1) Executing unsafe, user-supplied sql which contains a malicious column name. 2) Connecting to an untrusted database and executing a query which returns results where any of the column names are malicious.

Publish Date: 2018-06-07

URL: CVE-2017-16082

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16082

Release Date: 2018-04-26

Fix Resolution: 4.5.7

Vulnerable Library - jquery-2.1.1.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/2.1.1/jquery.min.js

Path to dependency file: /static/index.html

Path to vulnerable library: /static/jquery-2.1.1.min.js

Dependency Hierarchy:

• ❌ jquery-2.1.1.min.js (Vulnerable Library)

Found in HEAD commit: 06b23f007a2ea7a5fd0b841cca3392a66b9ce50b

Found in base branch: master

Vulnerability Details

In jQuery versions greater than or equal to 1.0.3 and before 3.5.0, passing HTML containing elements from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.

Publish Date: 2020-04-29

URL: CVE-2020-11023

CVSS 3 Score Details (6.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://github.com/jquery/jquery/security/advisories/GHSA-jpcq-cgw6-v4j6,https://github.com/rails/jquery-rails/blob/master/CHANGELOG.md#440

Release Date: 2020-04-29

Fix Resolution: jquery - 3.5.0;jquery-rails - 4.4.0

Vulnerable Library - qs-0.5.6.tgz

querystring parser

Library home page: https://registry.npmjs.org/qs/-/qs-0.5.6.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/qs/package.json

Dependency Hierarchy:

• winston-0.7.3.tgz (Root Library)
  • request-2.16.6.tgz
    • ❌ qs-0.5.6.tgz (Vulnerable Library)

Found in HEAD commit: 06b23f007a2ea7a5fd0b841cca3392a66b9ce50b

Found in base branch: master

Vulnerability Details

The qs module before 1.0.0 in Node.js does not call the compact function for array data, which allows remote attackers to cause a denial of service (memory consumption) by using a large index value to create a sparse array.

Publish Date: 2014-10-19

URL: CVE-2014-7191

CVSS 3 Score Details (5.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2014-7191

Release Date: 2014-10-19

Fix Resolution (qs): 1.0.0

Direct dependency fix Resolution (winston): 0.8.0

Vulnerable Library - uglify-js-2.4.15.tgz

JavaScript parser, mangler/compressor and beautifier toolkit

Library home page: https://registry.npmjs.org/uglify-js/-/uglify-js-2.4.15.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/uglify-js/package.json

Dependency Hierarchy:

• ❌ uglify-js-2.4.15.tgz (Vulnerable Library)

Found in HEAD commit: 06b23f007a2ea7a5fd0b841cca3392a66b9ce50b

Found in base branch: master

Vulnerability Details

The uglify-js package before 2.4.24 for Node.js does not properly account for non-boolean values when rewriting boolean expressions, which might allow attackers to bypass security mechanisms or possibly have unspecified other impact by leveraging improperly rewritten Javascript.

Publish Date: 2017-01-23

URL: CVE-2015-8857

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8858

Release Date: 2017-01-23

Fix Resolution: 2.4.24

Vulnerable Library - cryptiles-0.1.3.tgz

General purpose crypto utilities

Library home page: https://registry.npmjs.org/cryptiles/-/cryptiles-0.1.3.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/cryptiles/package.json

Dependency Hierarchy:

• winston-0.7.3.tgz (Root Library)
  • request-2.16.6.tgz
    • hawk-0.10.2.tgz
      • ❌ cryptiles-0.1.3.tgz (Vulnerable Library)

Found in HEAD commit: 06b23f007a2ea7a5fd0b841cca3392a66b9ce50b

Found in base branch: master

Vulnerability Details

Eran Hammer cryptiles version 4.1.1 earlier contains a CWE-331: Insufficient Entropy vulnerability in randomDigits() method that can result in An attacker is more likely to be able to brute force something that was supposed to be random.. This attack appear to be exploitable via Depends upon the calling application.. This vulnerability appears to have been fixed in 4.1.2.

Publish Date: 2018-07-09

URL: CVE-2018-1000620

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-1000620

Release Date: 2018-07-09

Fix Resolution (cryptiles): 4.1.2

Direct dependency fix Resolution (winston): 0.8.0