kaidisn / javascript Goto Github PK

Vulnerable Library - highlight.js-9.12.0.tgz

Syntax highlighting with language autodetection.

Library home page: https://registry.npmjs.org/highlight.js/-/highlight.js-9.12.0.tgz

Path to dependency file: javascript/packages/eslint-config-airbnb/package.json

Path to vulnerable library: javascript/packages/eslint-config-airbnb/node_modules/highlight.js/package.json,javascript/packages/eslint-config-airbnb-base/node_modules/highlight.js/package.json

Dependency Hierarchy:

• eclint-2.8.1.tgz (Root Library)
  • gulp-reporter-2.10.0.tgz
    • emphasize-2.1.0.tgz
      • ❌ highlight.js-9.12.0.tgz (Vulnerable Library)

Found in HEAD commit: 8b41f3e6be16f3be0b43288ca6aecc5e00b1fd01

Found in base branch: master

Vulnerability Details

If are you are using Highlight.js to highlight user-provided data you are possibly vulnerable. On the client-side (in a browser or Electron environment) risks could include lengthy freezes or crashes... On the server-side infinite freezes could occur... effectively preventing users from accessing your app or service (ie, Denial of Service). This is an issue with grammars shipped with the parser (and potentially 3rd party grammars also), not the parser itself. If you are using Highlight.js with any of the following grammars you are vulnerable. If you are using highlightAuto to detect the language (and have any of these grammars registered) you are vulnerable.

Publish Date: 2020-12-04

URL: WS-2020-0208

CVSS 3 Score Details (5.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: None
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://github.com/highlightjs/highlight.js/tree/10.4.1

Release Date: 2020-12-04

Fix Resolution: 10.4.1

Vulnerable Library - axios-0.18.1.tgz

Promise based HTTP client for the browser and node.js

Library home page: https://registry.npmjs.org/axios/-/axios-0.18.1.tgz

Path to dependency file: javascript/packages/eslint-config-airbnb-base/package.json

Path to vulnerable library: javascript/packages/eslint-config-airbnb-base/node_modules/axios/package.json,javascript/packages/eslint-config-airbnb/node_modules/axios/package.json

Dependency Hierarchy:

• eclint-2.8.1.tgz (Root Library)
  • gulp-reporter-2.10.0.tgz
    • ❌ axios-0.18.1.tgz (Vulnerable Library)

Found in HEAD commit: 8b41f3e6be16f3be0b43288ca6aecc5e00b1fd01

Found in base branch: master

Vulnerability Details

Axios NPM package 0.21.0 contains a Server-Side Request Forgery (SSRF) vulnerability where an attacker is able to bypass a proxy by providing a URL that responds with a redirect to a restricted host or IP address.

Publish Date: 2020-11-06

URL: CVE-2020-28168

CVSS 3 Score Details (5.9)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: None
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: axios/axios@c7329fe

Release Date: 2020-11-06

Fix Resolution: axios - 0.21.1

Vulnerable Libraries - mem-3.0.1.tgz, mem-1.1.0.tgz

Found in HEAD commit: 8b41f3e6be16f3be0b43288ca6aecc5e00b1fd01

Found in base branch: master

Vulnerability Details

In 'mem' before v4.0.0 there is a Denial of Service (DoS) vulnerability as a result of a failure in removal old values from the cache.

Publish Date: 2018-08-27

URL: WS-2019-0307

CVSS 3 Score Details (5.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Local
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: None
  • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/1084

Release Date: 2019-12-01

Fix Resolution: mem - 4.0.0

Vulnerable Libraries - yargs-parser-7.0.0.tgz, yargs-parser-11.1.1.tgz

Found in HEAD commit: 8b41f3e6be16f3be0b43288ca6aecc5e00b1fd01

Found in base branch: master

Vulnerability Details

yargs-parser could be tricked into adding or modifying properties of Object.prototype using a "proto" payload.

Publish Date: 2020-03-16

URL: CVE-2020-7608

CVSS 3 Score Details (5.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Local
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7608

Release Date: 2020-03-16

Fix Resolution: v18.1.1;13.1.2;15.0.1