pauldcomanici / babel-plugin-auto-logger Goto Github PK

Vulnerable Library - handlebars-4.1.2.tgz

Handlebars provides the power necessary to let you build semantic templates effectively with no frustration

Library home page: https://registry.npmjs.org/handlebars/-/handlebars-4.1.2.tgz

Path to dependency file: /tmp/ws-scm/babel-plugin-auto-logger/package.json

Path to vulnerable library: /tmp/ws-scm/babel-plugin-auto-logger/node_modules/handlebars/package.json

Dependency Hierarchy:

• jest-24.9.0.tgz (Root Library)
  • jest-cli-24.9.0.tgz
    • core-24.9.0.tgz
      • reporters-24.9.0.tgz
        • istanbul-reports-2.2.6.tgz
          • ❌ handlebars-4.1.2.tgz (Vulnerable Library)

Found in HEAD commit: 73b5e2f2d43383a8cbc950b500177c161d0861ad

Vulnerability Details

Arbitrary Code Execution vulnerability found in handlebars before 4.5.3. Lookup helper fails to validate templates. Attack may submit templates that execute arbitrary JavaScript in the system.It is due to an incomplete fix for a WS-2019-0331.

Publish Date: 2019-12-05

URL: WS-2019-0332

CVSS 2 Score Details (5.0)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/1324

Release Date: 2019-12-05

Fix Resolution: handlebars - 4.5.3

Vulnerable Library - braces-1.8.5.tgz

Fastest brace expansion for node.js, with the most complete support for the Bash 4.3 braces specification.

Library home page: https://registry.npmjs.org/braces/-/braces-1.8.5.tgz

Path to dependency file: /babel-plugin-auto-logger/package.json

Path to vulnerable library: /tmp/git/babel-plugin-auto-logger/node_modules/jest-runtime/node_modules/braces/package.json

Dependency Hierarchy:

• helper-plugin-test-runner-7.1.0.tgz (Root Library)
  • helper-transform-fixture-test-runner-7.1.2.tgz
    • jest-22.4.4.tgz
      • jest-cli-22.4.4.tgz
        • micromatch-2.3.11.tgz
          • ❌ braces-1.8.5.tgz (Vulnerable Library)

Found in HEAD commit: 224edd0aa59428f727062a3c989430170056cead

Vulnerability Details

Version of braces prior to 2.3.1 are vulnerable to Regular Expression Denial of Service (ReDoS). Untrusted input may cause catastrophic backtracking while matching regular expressions. This can cause the application to be unresponsive leading to Denial of Service.

Publish Date: 2019-03-25

URL: WS-2019-0019

CVSS 2 Score Details (5.0)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/786

Release Date: 2019-02-21

Fix Resolution: 2.3.1

Vulnerable Library - handlebars-4.1.0.tgz

Handlebars provides the power necessary to let you build semantic templates effectively with no frustration

Library home page: https://registry.npmjs.org/handlebars/-/handlebars-4.1.0.tgz

Path to dependency file: /babel-plugin-auto-logger/package.json

Path to vulnerable library: /tmp/git/babel-plugin-auto-logger/node_modules/handlebars/package.json

Dependency Hierarchy:

• helper-plugin-test-runner-7.1.0.tgz (Root Library)
  • helper-transform-fixture-test-runner-7.1.2.tgz
    • jest-22.4.4.tgz
      • jest-cli-22.4.4.tgz
        • istanbul-api-1.3.7.tgz
          • istanbul-reports-1.5.1.tgz
            • ❌ handlebars-4.1.0.tgz (Vulnerable Library)

Found in HEAD commit: 224edd0aa59428f727062a3c989430170056cead

Vulnerability Details

Versions of handlebars prior to 4.0.14 are vulnerable to Prototype Pollution. Templates may alter an Objects' prototype, thus allowing an attacker to execute arbitrary code on the server.

Publish Date: 2019-04-30

URL: WS-2019-0064

CVSS 2 Score Details (8.0)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/755/versions

Release Date: 2019-04-30

Fix Resolution: 1.0.6-2,4.0.14,4.1.2

Vulnerable Library - mem-1.1.0.tgz

Memoize functions - An optimization used to speed up consecutive function calls by caching the result of calls with identical input

Library home page: https://registry.npmjs.org/mem/-/mem-1.1.0.tgz

Path to dependency file: /babel-plugin-auto-logger/package.json

Path to vulnerable library: /tmp/git/babel-plugin-auto-logger/node_modules/mem/package.json

Dependency Hierarchy:

• helper-plugin-test-runner-7.1.0.tgz (Root Library)
  • helper-transform-fixture-test-runner-7.4.4.tgz
    • jest-22.4.4.tgz
      • jest-cli-22.4.4.tgz
        • yargs-10.1.2.tgz
          • os-locale-2.1.0.tgz
            • ❌ mem-1.1.0.tgz (Vulnerable Library)

Found in HEAD commit: fbaffc67b42096310e47c9f846174e9446aa690f

Vulnerability Details

In nodejs-mem before version 4.0.0 there is a memory leak due to old results not being removed from the cache despite reaching maxAge. Exploitation of this can lead to exhaustion of memory and subsequent denial of service.

Publish Date: 2019-05-30

URL: WS-2018-0236

CVSS 2 Score Details (5.5)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: https://bugzilla.redhat.com/show_bug.cgi?id=1623744

Release Date: 2019-05-30

Fix Resolution: 4.0.0

Vulnerable Library - handlebars-4.1.2.tgz

Handlebars provides the power necessary to let you build semantic templates effectively with no frustration

Library home page: https://registry.npmjs.org/handlebars/-/handlebars-4.1.2.tgz

Path to dependency file: /tmp/ws-scm/babel-plugin-auto-logger/package.json

Path to vulnerable library: /tmp/ws-scm/babel-plugin-auto-logger/node_modules/handlebars/package.json

Dependency Hierarchy:

• jest-24.9.0.tgz (Root Library)
  • jest-cli-24.9.0.tgz
    • core-24.9.0.tgz
      • reporters-24.9.0.tgz
        • istanbul-reports-2.2.6.tgz
          • ❌ handlebars-4.1.2.tgz (Vulnerable Library)

Found in HEAD commit: d8d59aa135694e2dbe20e063a6ed127972900e3d

Vulnerability Details

A Denial of Service vulnerability found in handlebars 4.x before 4.4.5.While processing specially-crafted templates, the parser may be forced into endless loop. Attackers may exhaust system resources.

Publish Date: 2019-12-01

URL: WS-2019-0318

CVSS 2 Score Details (5.0)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/1300

Release Date: 2019-12-01

Fix Resolution: handlebars - 4.4.5

Vulnerable Library - handlebars-4.1.2.tgz

Handlebars provides the power necessary to let you build semantic templates effectively with no frustration

Library home page: https://registry.npmjs.org/handlebars/-/handlebars-4.1.2.tgz

Path to dependency file: /tmp/ws-scm/babel-plugin-auto-logger/package.json

Path to vulnerable library: /tmp/ws-scm/babel-plugin-auto-logger/node_modules/handlebars/package.json

Dependency Hierarchy:

• jest-24.9.0.tgz (Root Library)
  • jest-cli-24.9.0.tgz
    • core-24.9.0.tgz
      • reporters-24.9.0.tgz
        • istanbul-reports-2.2.6.tgz
          • ❌ handlebars-4.1.2.tgz (Vulnerable Library)

Found in HEAD commit: 73b5e2f2d43383a8cbc950b500177c161d0861ad

Vulnerability Details

Prototype Pollution vulnerability found in handlebars 1.0.6 before 4.5.3. It is possible to add or modify properties to the Object prototype through a malicious template. Attacker may crash the application or execute Arbitrary Code in specific conditions.

Publish Date: 2019-12-05

URL: WS-2019-0333

CVSS 2 Score Details (5.0)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/1325

Release Date: 2019-12-05

Fix Resolution: handlebars - 4.5.3

Vulnerable Library - handlebars-4.1.2.tgz

Handlebars provides the power necessary to let you build semantic templates effectively with no frustration

Library home page: https://registry.npmjs.org/handlebars/-/handlebars-4.1.2.tgz

Path to dependency file: /tmp/ws-scm/babel-plugin-auto-logger/package.json

Path to vulnerable library: /tmp/ws-scm/babel-plugin-auto-logger/node_modules/handlebars/package.json

Dependency Hierarchy:

• jest-24.9.0.tgz (Root Library)
  • jest-cli-24.9.0.tgz
    • core-24.9.0.tgz
      • reporters-24.9.0.tgz
        • istanbul-reports-2.2.6.tgz
          • ❌ handlebars-4.1.2.tgz (Vulnerable Library)

Found in HEAD commit: d8d59aa135694e2dbe20e063a6ed127972900e3d

Vulnerability Details

handlebars before 4.3.0 is vulnerable to Prototype Pollution leading to Remote Code Execution. Templates may alter an Objects' proto and defineGetter properties, which may allow an attacker to execute arbitrary code through crafted payloads.

Publish Date: 2019-10-06

URL: WS-2019-0291

CVSS 2 Score Details (7.3)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/1164

Release Date: 2019-10-06

Fix Resolution: 4.3.0

Vulnerable Library - mem-1.1.0.tgz

Memoize functions - An optimization used to speed up consecutive function calls by caching the result of calls with identical input

Library home page: https://registry.npmjs.org/mem/-/mem-1.1.0.tgz

Path to dependency file: /babel-plugin-auto-logger/package.json

Path to vulnerable library: /tmp/git/babel-plugin-auto-logger/node_modules/mem/package.json,/tmp/ws-scm/babel-plugin-auto-logger/node_modules/mem/package.json

Dependency Hierarchy:

• npm-check-5.9.0.tgz (Root Library)
  • depcheck-0.6.11.tgz
    • yargs-8.0.2.tgz
      • os-locale-2.1.0.tgz
        • ❌ mem-1.1.0.tgz (Vulnerable Library)

Found in HEAD commit: d8d59aa135694e2dbe20e063a6ed127972900e3d

Vulnerability Details

Denial of Service (DoS) vulnerability found in mem before 4.0.0. There is a failure in removal of old values from the cache. As a result, attacker may exhaust the system's memory.

Publish Date: 2019-12-01

URL: WS-2019-0307

CVSS 2 Score Details (5.0)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/1084

Release Date: 2019-12-01

Fix Resolution: mem - 4.0.0

Vulnerable Library - tar-4.4.1.tgz

tar for node

Library home page: https://registry.npmjs.org/tar/-/tar-4.4.1.tgz

Dependency Hierarchy:

• helper-plugin-test-runner-7.1.0.tgz (Root Library)
  • helper-transform-fixture-test-runner-7.1.2.tgz
    • jest-22.4.4.tgz
      • jest-cli-22.4.4.tgz
        • jest-haste-map-22.4.3.tgz
          • sane-2.5.2.tgz
            • fsevents-1.2.4.tgz
              • node-pre-gyp-0.10.0.tgz
                • ❌ tar-4.4.1.tgz (Vulnerable Library)

Found in HEAD commit: 224edd0aa59428f727062a3c989430170056cead

Vulnerability Details

Versions of node-tar prior to 4.4.2 are vulnerable to Arbitrary File Overwrite. Extracting tarballs containing a hardlink to a file that already exists in the system, and a file that matches the hardlink will overwrite the system's file with the contents of the extracted file.

Publish Date: 2019-04-05

URL: WS-2019-0047

CVSS 2 Score Details (5.0)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/803

Release Date: 2019-04-05

Fix Resolution: 4.4.2

Vulnerable Library - handlebars-4.1.2.tgz

Handlebars provides the power necessary to let you build semantic templates effectively with no frustration

Library home page: https://registry.npmjs.org/handlebars/-/handlebars-4.1.2.tgz

Path to dependency file: /tmp/ws-scm/babel-plugin-auto-logger/package.json

Path to vulnerable library: /tmp/ws-scm/babel-plugin-auto-logger/node_modules/handlebars/package.json

Dependency Hierarchy:

• jest-24.9.0.tgz (Root Library)
  • jest-cli-24.9.0.tgz
    • core-24.9.0.tgz
      • reporters-24.9.0.tgz
        • istanbul-reports-2.2.6.tgz
          • ❌ handlebars-4.1.2.tgz (Vulnerable Library)

Found in HEAD commit: 73b5e2f2d43383a8cbc950b500177c161d0861ad

Vulnerability Details

Arbitrary Code Execution vulnerability found in handlebars before 4.5.2. Lookup helper fails to validate templates. Attack may submit templates that execute arbitrary JavaScript in the system.

Publish Date: 2019-12-05

URL: WS-2019-0331

CVSS 2 Score Details (5.0)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/1316

Release Date: 2019-12-05

Fix Resolution: handlebars - 4.5.2