Code Monkey home page Code Monkey logo

fork-sync's People

Contributors

alextmjugador avatar ashekr avatar dependabot[bot] avatar drscream avatar fm-sys avatar jgoz avatar kasbah avatar mathew-fleisch avatar mend-for-github-com[bot] avatar mxhenry-godaddy avatar r0wi avatar splitice avatar supercilex avatar tg908 avatar tgymnich avatar themisir avatar williamdes avatar

Stargazers

avatar avatar

Watchers

avatar

Forkers

ekmixon

fork-sync's Issues

CVE-2022-0235 (Medium) detected in node-fetch-2.6.1.tgz - autoclosed

CVE-2022-0235 - Medium Severity Vulnerability

Vulnerable Library - node-fetch-2.6.1.tgz

A light-weight module that brings window.fetch to node.js

Library home page: https://registry.npmjs.org/node-fetch/-/node-fetch-2.6.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/node-fetch/package.json

Dependency Hierarchy:

  • github-4.0.0.tgz (Root Library)
    • core-3.1.2.tgz
      • request-5.4.7.tgz
        • โŒ node-fetch-2.6.1.tgz (Vulnerable Library)

Found in base branch: master

Vulnerability Details

node-fetch is vulnerable to Exposure of Sensitive Information to an Unauthorized Actor

Publish Date: 2022-01-16

URL: CVE-2022-0235

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-r683-j2x4-v87g

Release Date: 2022-01-16

Fix Resolution: node-fetch - 2.6.7,3.1.1

CVE-2022-35954 (Medium) detected in core-1.6.0.tgz - autoclosed

CVE-2022-35954 - Medium Severity Vulnerability

Vulnerable Library - core-1.6.0.tgz

Actions core lib

Library home page: https://registry.npmjs.org/@actions/core/-/core-1.6.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/@actions/core/package.json

Dependency Hierarchy:

  • โŒ core-1.6.0.tgz (Vulnerable Library)

Found in base branch: master

Vulnerability Details

The GitHub Actions ToolKit provides a set of packages to make creating actions easier. The core.exportVariable function uses a well known delimiter that attackers can use to break out of that specific variable and assign values to other arbitrary variables. Workflows that write untrusted values to the GITHUB_ENV file may cause the path or other environment variables to be modified without the intention of the workflow or action author. Users should upgrade to @actions/core v1.9.1. If you are unable to upgrade the @actions/core package, you can modify your action to ensure that any user input does not contain the delimiter _GitHubActionsFileCommandDelimeter_ before calling core.exportVariable.

Publish Date: 2022-08-15

URL: CVE-2022-35954

CVSS 3 Score Details (5.0)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-35954

Release Date: 2022-08-13

Fix Resolution: @actions/core - 1.9.1

  • Check this box to open an automated fix PR

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    ๐Ÿ–– Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. ๐Ÿ“Š๐Ÿ“ˆ๐ŸŽ‰

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google โค๏ธ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.