kaidisn / encore Goto Github PK

Vulnerable Library - json5-2.2.0.tgz

JSON for humans.

Library home page: https://registry.npmjs.org/json5/-/json5-2.2.0.tgz

Path to dependency file: /cli/daemon/dash/dashapp/package.json

Path to vulnerable library: /cli/daemon/dash/dashapp/node_modules/json5/package.json

Dependency Hierarchy:

• plugin-react-refresh-1.2.2.tgz (Root Library)
  • core-7.12.13.tgz
    • ❌ json5-2.2.0.tgz (Vulnerable Library)

Found in HEAD commit: 7f308ee27451ab65e928f17d457ffcc5ece46781

Found in base branch: main

Vulnerability Details

JSON5 is an extension to the popular JSON file format that aims to be easier to write and maintain by hand (e.g. for config files). The parse method of the JSON5 library before and including versions 1.0.1 and 2.2.1 does not restrict parsing of keys named __proto__, allowing specially crafted strings to pollute the prototype of the resulting object. This vulnerability pollutes the prototype of the object returned by JSON5.parse and not the global Object prototype, which is the commonly understood definition of Prototype Pollution. However, polluting the prototype of a single object can have significant security impact for an application if the object is later used in trusted operations. This vulnerability could allow an attacker to set arbitrary and unexpected keys on the object returned from JSON5.parse. The actual impact will depend on how applications utilize the returned object and how they filter unwanted keys, but could include denial of service, cross-site scripting, elevation of privilege, and in extreme cases, remote code execution. JSON5.parse should restrict parsing of __proto__ keys when parsing JSON strings to objects. As a point of reference, the JSON.parse method included in JavaScript ignores __proto__ keys. Simply changing JSON5.parse to JSON.parse in the examples above mitigates this vulnerability. This vulnerability is patched in json5 versions 1.0.2, 2.2.2, and later.

Publish Date: 2022-12-24

URL: CVE-2022-46175

CVSS 3 Score Details (8.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2022-46175

Release Date: 2022-12-24

Fix Resolution (json5): 2.2.2

Direct dependency fix Resolution (@vitejs/plugin-react-refresh): 1.3.0

Vulnerable Library - color-string-1.5.4.tgz

Parser and generator for CSS color strings

Library home page: https://registry.npmjs.org/color-string/-/color-string-1.5.4.tgz

Path to dependency file: /cli/daemon/dash/dashapp/package.json

Path to vulnerable library: /cli/daemon/dash/dashapp/node_modules/color-string/package.json

Dependency Hierarchy:

• tailwindcss-2.0.2.tgz (Root Library)
  • color-3.1.3.tgz
    • ❌ color-string-1.5.4.tgz (Vulnerable Library)

Found in HEAD commit: 7f308ee27451ab65e928f17d457ffcc5ece46781

Found in base branch: main

Vulnerability Details

A Regular Expression Denial of Service (ReDOS) vulnerability was discovered in Color-String version 1.5.5 and below which occurs when the application is provided and checks a crafted invalid HWB string.

Publish Date: 2021-06-21

URL: CVE-2021-29060

CVSS 3 Score Details (5.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: GHSA-257v-vj4p-3w2h

Release Date: 2021-06-21

Fix Resolution (color-string): 1.5.5

Direct dependency fix Resolution (tailwindcss): 2.0.3

Vulnerable Library - minimist-1.2.5.tgz

parse argument options

Library home page: https://registry.npmjs.org/minimist/-/minimist-1.2.5.tgz

Path to dependency file: /cli/daemon/dash/dashapp/package.json

Path to vulnerable library: /cli/daemon/dash/dashapp/node_modules/minimist/package.json

Dependency Hierarchy:

• tailwindcss-2.0.2.tgz (Root Library)
  • detective-5.2.0.tgz
    • ❌ minimist-1.2.5.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Minimist <=1.2.5 is vulnerable to Prototype Pollution via file index.js, function setKey() (lines 69-95).

Publish Date: 2022-03-17

URL: CVE-2021-44906

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Release Date: 2022-03-17

Fix Resolution (minimist): 1.2.6

Direct dependency fix Resolution (tailwindcss): 2.0.3

Vulnerable Library - nanoid-3.1.23.tgz

A tiny (108 bytes), secure URL-friendly unique string ID generator

Library home page: https://registry.npmjs.org/nanoid/-/nanoid-3.1.23.tgz

Path to dependency file: /cli/daemon/dash/dashapp/package.json

Path to vulnerable library: /cli/daemon/dash/dashapp/node_modules/nanoid/package.json

Dependency Hierarchy:

• postcss-8.2.15.tgz (Root Library)
  • ❌ nanoid-3.1.23.tgz (Vulnerable Library)

Found in HEAD commit: 7f308ee27451ab65e928f17d457ffcc5ece46781

Found in base branch: main

Vulnerability Details

The package nanoid from 3.0.0 and before 3.1.31 are vulnerable to Information Exposure via the valueOf() function which allows to reproduce the last id generated.

Publish Date: 2022-01-14

URL: CVE-2021-23566

CVSS 3 Score Details (5.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Local
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: None
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Release Date: 2022-01-14

Fix Resolution (nanoid): 3.1.31

Direct dependency fix Resolution (postcss): 8.3.0

Vulnerable Library - github.com/golang/text-v0.3.3

[mirror] Go text processing support

Library home page: https://proxy.golang.org/github.com/golang/text/@v/v0.3.3.zip

Dependency Hierarchy:

• github.com/jackc/pgx-v4.10.1 (Root Library)
  • github.com/Jackc/pgconn-v1.8.0
    • ❌ github.com/golang/text-v0.3.3 (Vulnerable Library)

Found in HEAD commit: 7f308ee27451ab65e928f17d457ffcc5ece46781

Found in base branch: main

Vulnerability Details

In x/text in Go 1.15.4, an "index out of range" panic occurs in language.ParseAcceptLanguage while parsing the -u- extension. (x/text/language is supposed to be able to parse an HTTP Accept-Language header.)

Publish Date: 2021-01-02

URL: CVE-2020-28851

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2020-28851

Release Date: 2021-01-02

Fix Resolution: golang-golang-x-text-dev - 0.3.6-1,0.3.6-1

Vulnerable Library - path-parse-1.0.6.tgz

Node.js path.parse() ponyfill

Library home page: https://registry.npmjs.org/path-parse/-/path-parse-1.0.6.tgz

Path to dependency file: /cli/daemon/dash/dashapp/package.json

Path to vulnerable library: /cli/daemon/dash/dashapp/node_modules/path-parse/package.json

Dependency Hierarchy:

• tailwindcss-2.0.2.tgz (Root Library)
  • resolve-1.19.0.tgz
    • ❌ path-parse-1.0.6.tgz (Vulnerable Library)

Found in HEAD commit: 7f308ee27451ab65e928f17d457ffcc5ece46781

Found in base branch: main

Vulnerability Details

All versions of package path-parse are vulnerable to Regular Expression Denial of Service (ReDoS) via splitDeviceRe, splitTailRe, and splitPathRe regular expressions. ReDoS exhibits polynomial worst-case time complexity.

Publish Date: 2021-05-04

URL: CVE-2021-23343

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Release Date: 2021-05-04

Fix Resolution (path-parse): 1.0.7

Direct dependency fix Resolution (tailwindcss): 2.0.3

Vulnerable Library - github.com/golang/crypto-v0.0.0-20200707235045-ab33eee955e0

[mirror] Go supplementary cryptography libraries

Library home page: https://proxy.golang.org/github.com/golang/crypto/@v/v0.0.0-20200707235045-ab33eee955e0.zip

Dependency Hierarchy:

• github.com/jackc/pgx-v4.10.1 (Root Library)
  • github.com/Jackc/pgconn-v1.8.0
    • ❌ github.com/golang/crypto-v0.0.0-20200707235045-ab33eee955e0 (Vulnerable Library)

Found in HEAD commit: 7f308ee27451ab65e928f17d457ffcc5ece46781

Found in base branch: main

Vulnerability Details

The x/crypto/ssh package before 0.0.0-20211202192323-5770296d904e of golang.org/x/crypto allows an attacker to panic an SSH server.

Publish Date: 2022-09-06

URL: CVE-2021-43565

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2021-43565

Release Date: 2021-11-10

Fix Resolution: golang-golang-x-crypto-dev - 1:0.0~git20211202.5770296-1;golang-go.crypto-dev - 1:0.0~git20211202.5770296-1

Vulnerable Library - github.com/golang/text-v0.3.3

[mirror] Go text processing support

Library home page: https://proxy.golang.org/github.com/golang/text/@v/v0.3.3.zip

Dependency Hierarchy:

• github.com/jackc/pgx-v4.10.1 (Root Library)
  • github.com/Jackc/pgconn-v1.8.0
    • ❌ github.com/golang/text-v0.3.3 (Vulnerable Library)

Found in HEAD commit: 7f308ee27451ab65e928f17d457ffcc5ece46781

Found in base branch: main

Vulnerability Details

golang.org/x/text/language in golang.org/x/text before 0.3.7 can panic with an out-of-bounds read during BCP 47 language tag parsing. Index calculation is mishandled. If parsing untrusted user input, this can be used as a vector for a denial-of-service attack.

Publish Date: 2022-12-26

URL: CVE-2021-38561

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://osv.dev/vulnerability/GO-2021-0113

Release Date: 2021-08-12

Fix Resolution: v0.3.7

Vulnerable Library - browserslist-4.16.3.tgz

Share target browsers between different front-end tools, like Autoprefixer, Stylelint and babel-env-preset

Library home page: https://registry.npmjs.org/browserslist/-/browserslist-4.16.3.tgz

Path to dependency file: /cli/daemon/dash/dashapp/package.json

Path to vulnerable library: /cli/daemon/dash/dashapp/node_modules/browserslist/package.json

Dependency Hierarchy:

• autoprefixer-10.2.4.tgz (Root Library)
  • ❌ browserslist-4.16.3.tgz (Vulnerable Library)

Found in HEAD commit: 7f308ee27451ab65e928f17d457ffcc5ece46781

Found in base branch: main

Vulnerability Details

The package browserslist from 4.0.0 and before 4.16.5 are vulnerable to Regular Expression Denial of Service (ReDoS) during parsing of queries.

Publish Date: 2021-04-28

URL: CVE-2021-23364

CVSS 3 Score Details (5.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23364

Release Date: 2021-04-28

Fix Resolution (browserslist): 4.16.5

Direct dependency fix Resolution (autoprefixer): 10.2.5

Vulnerable Library - color-string-1.5.4.tgz

Parser and generator for CSS color strings

Library home page: https://registry.npmjs.org/color-string/-/color-string-1.5.4.tgz

Path to dependency file: /cli/daemon/dash/dashapp/package.json

Path to vulnerable library: /cli/daemon/dash/dashapp/node_modules/color-string/package.json

Dependency Hierarchy:

• tailwindcss-2.0.2.tgz (Root Library)
  • color-3.1.3.tgz
    • ❌ color-string-1.5.4.tgz (Vulnerable Library)

Found in HEAD commit: 7f308ee27451ab65e928f17d457ffcc5ece46781

Found in base branch: main

Vulnerability Details

Regular Expression Denial of Service (ReDoS) was found in color-string before 1.5.5.

Publish Date: 2021-03-12

URL: WS-2021-0152

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Release Date: 2021-03-12

Fix Resolution (color-string): 1.5.5

Direct dependency fix Resolution (tailwindcss): 2.0.3

Vulnerable Library - minimatch-3.0.4.tgz

a glob matcher in javascript

Library home page: https://registry.npmjs.org/minimatch/-/minimatch-3.0.4.tgz

Path to dependency file: /cli/daemon/dash/dashapp/package.json

Path to vulnerable library: /cli/daemon/dash/dashapp/node_modules/minimatch/package.json

Dependency Hierarchy:

• tailwindcss-2.0.2.tgz (Root Library)
  • postcss-functions-3.0.0.tgz
    • glob-7.1.6.tgz
      • ❌ minimatch-3.0.4.tgz (Vulnerable Library)

Found in HEAD commit: 7f308ee27451ab65e928f17d457ffcc5ece46781

Found in base branch: main

Vulnerability Details

A vulnerability was found in the minimatch package. This flaw allows a Regular Expression Denial of Service (ReDoS) when calling the braceExpand function with specific arguments, resulting in a Denial of Service.

Publish Date: 2022-10-17

URL: CVE-2022-3517

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Release Date: 2022-10-17

Fix Resolution: minimatch - 3.0.5

Vulnerable Library - postcss-6.0.23.tgz

Tool for transforming styles with JS plugins

Library home page: https://registry.npmjs.org/postcss/-/postcss-6.0.23.tgz

Path to dependency file: /cli/daemon/dash/dashapp/package.json

Path to vulnerable library: /cli/daemon/dash/dashapp/node_modules/postcss-functions/node_modules/postcss/package.json

Dependency Hierarchy:

• tailwindcss-2.0.2.tgz (Root Library)
  • postcss-functions-3.0.0.tgz
    • ❌ postcss-6.0.23.tgz (Vulnerable Library)

Found in HEAD commit: 7f308ee27451ab65e928f17d457ffcc5ece46781

Found in base branch: main

Vulnerability Details

The package postcss before 8.2.13 are vulnerable to Regular Expression Denial of Service (ReDoS) via getAnnotationURL() and loadAnnotation() in lib/previous-map.js. The vulnerable regexes are caused mainly by the sub-pattern /*\s* sourceMappingURL=(.*).

Publish Date: 2021-04-26

URL: CVE-2021-23382

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23382

Release Date: 2021-04-26

Fix Resolution (postcss): 7.0.36

Direct dependency fix Resolution (tailwindcss): 2.1.2-internal.1

Vulnerable Library - github.com/golang/tools-gopls/v0.5.0-pre1

[mirror] Go Tools

Dependency Hierarchy:

• ❌ github.com/golang/tools-gopls/v0.5.0-pre1 (Vulnerable Library)

Found in HEAD commit: 7f308ee27451ab65e928f17d457ffcc5ece46781

Found in base branch: main

Vulnerability Details

jQuery before 3.0.0 is vulnerable to Cross-site Scripting (XSS) attacks when a cross-domain Ajax request is performed without the dataType option, causing text/javascript responses to be executed.

Publish Date: 2018-01-18

URL: CVE-2015-9251

CVSS 3 Score Details (6.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2015-9251

Release Date: 2018-01-18

Fix Resolution: jQuery - 3.0.0

Vulnerable Library - github.com/golang/crypto-v0.0.0-20200707235045-ab33eee955e0

[mirror] Go supplementary cryptography libraries

Library home page: https://proxy.golang.org/github.com/golang/crypto/@v/v0.0.0-20200707235045-ab33eee955e0.zip

Dependency Hierarchy:

• github.com/jackc/pgx-v4.10.1 (Root Library)
  • github.com/Jackc/pgconn-v1.8.0
    • ❌ github.com/golang/crypto-v0.0.0-20200707235045-ab33eee955e0 (Vulnerable Library)

Found in HEAD commit: 7f308ee27451ab65e928f17d457ffcc5ece46781

Found in base branch: main

Vulnerability Details

A nil pointer dereference in the golang.org/x/crypto/ssh component through v0.0.0-20201203163018-be400aefbc4c for Go allows remote attackers to cause a denial of service against SSH servers.

Publish Date: 2020-12-17

URL: CVE-2020-29652

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://groups.google.com/g/golang-announce/c/ouZIlBimOsE?pli=1

Release Date: 2020-12-17

Fix Resolution: v0.0.0-20201216223049-8b5274cf687f

Vulnerable Library - github.com/alecaivazis/survey-v2.2.8

A golang library for building interactive prompts with full support for windows and posix terminals.

Dependency Hierarchy:

• ❌ github.com/alecaivazis/survey-v2.2.8 (Vulnerable Library)

Found in HEAD commit: 7f308ee27451ab65e928f17d457ffcc5ece46781

Found in base branch: main

Vulnerability Details

The x/text package before 0.3.3 for Go has a vulnerability in encoding/unicode that could lead to the UTF-16 decoder entering an infinite loop, causing the program to crash or run out of memory. An attacker could provide a single byte to a UTF16 decoder instantiated with UseBOM or ExpectBOM to trigger an infinite loop if the String function on the Decoder is called, or the Decoder is passed to golang.org/x/text/transform.String.

Publish Date: 2020-06-17

URL: CVE-2020-14040

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://osv.dev/vulnerability/GO-2020-0015

Release Date: 2020-06-17

Fix Resolution: v0.3.3

Vulnerable Library - github.com/golang/tools-gopls/v0.5.0-pre1

[mirror] Go Tools

Dependency Hierarchy:

• ❌ github.com/golang/tools-gopls/v0.5.0-pre1 (Vulnerable Library)

Found in HEAD commit: 7f308ee27451ab65e928f17d457ffcc5ece46781

Found in base branch: main

Vulnerability Details

In jQuery versions greater than or equal to 1.2 and before 3.5.0, passing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.

Publish Date: 2020-04-29

URL: CVE-2020-11022

CVSS 3 Score Details (6.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11022

Release Date: 2020-04-29

Fix Resolution: jQuery - 3.5.0

Vulnerable Library - github.com/golang/text-v0.3.3

[mirror] Go text processing support

Library home page: https://proxy.golang.org/github.com/golang/text/@v/v0.3.3.zip

Dependency Hierarchy:

• github.com/jackc/pgx-v4.10.1 (Root Library)
  • github.com/Jackc/pgconn-v1.8.0
    • ❌ github.com/golang/text-v0.3.3 (Vulnerable Library)

Found in HEAD commit: 7f308ee27451ab65e928f17d457ffcc5ece46781

Found in base branch: main

Vulnerability Details

In x/text in Go before v0.3.5, a "slice bounds out of range" panic occurs in language.ParseAcceptLanguage while processing a BCP 47 tag. (x/text/language is supposed to be able to parse an HTTP Accept-Language header.)

Publish Date: 2021-01-02

URL: CVE-2020-28852

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2020-28852

Release Date: 2021-01-02

Fix Resolution: golang-golang-x-text-dev - 0.3.5-1,0.3.5-1

Vulnerable Library - luxon-1.25.0.tgz

Immutable date wrapper

Library home page: https://registry.npmjs.org/luxon/-/luxon-1.25.0.tgz

Path to dependency file: /cli/daemon/dash/dashapp/package.json

Path to vulnerable library: /cli/daemon/dash/dashapp/node_modules/luxon/package.json

Dependency Hierarchy:

• ❌ luxon-1.25.0.tgz (Vulnerable Library)

Found in HEAD commit: 7f308ee27451ab65e928f17d457ffcc5ece46781

Found in base branch: main

Vulnerability Details

Luxon is a library for working with dates and times in JavaScript. On the 1.x branch prior to 1.38.1, the 2.x branch prior to 2.5.2, and the 3.x branch on 3.2.1, Luxon's `DateTime.fromRFC2822() has quadratic (N^2) complexity on some specific inputs. This causes a noticeable slowdown for inputs with lengths above 10k characters. Users providing untrusted data to this method are therefore vulnerable to (Re)DoS attacks. This issue also appears in Moment as CVE-2022-31129. Versions 1.38.1, 2.5.2, and 3.2.1 contain patches for this issue. As a workaround, limit the length of the input.

Publish Date: 2023-01-04

URL: CVE-2023-22467

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-3xq5-wjfh-ppjc

Release Date: 2023-01-04

Fix Resolution: 1.28.1

Vulnerable Library - github.com/golang/tools-gopls/v0.5.0-pre1

[mirror] Go Tools

Dependency Hierarchy:

• ❌ github.com/golang/tools-gopls/v0.5.0-pre1 (Vulnerable Library)

Found in HEAD commit: 7f308ee27451ab65e928f17d457ffcc5ece46781

Found in base branch: main

Vulnerability Details

jQuery before 1.9.0 is vulnerable to Cross-site Scripting (XSS) attacks. The jQuery(strInput) function does not differentiate selectors from HTML in a reliable fashion. In vulnerable versions, jQuery determined whether the input was HTML by looking for the '<' character anywhere in the string, giving attackers more flexibility when attempting to construct a malicious payload. In fixed versions, jQuery only deems the input to be HTML if it explicitly starts with the '<' character, limiting exploitability only to attackers who can control the beginning of a string, which is far less common.

Publish Date: 2018-01-18

URL: CVE-2012-6708

CVSS 3 Score Details (6.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2012-6708

Release Date: 2018-01-18

Fix Resolution: jQuery - v1.9.0