kapseliboi / kefir Goto Github PK

Vulnerable Library - pathval-1.1.0.tgz

Object value retrieval given a string path

Library home page: https://registry.npmjs.org/pathval/-/pathval-1.1.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/pathval/package.json

Dependency Hierarchy:

• chai-4.2.0.tgz (Root Library)
  • ❌ pathval-1.1.0.tgz (Vulnerable Library)

Found in base branch: master

Vulnerability Details

pathval before version 1.1.1 is vulnerable to prototype pollution.

Publish Date: 2020-10-26

URL: CVE-2020-7751

CVSS 3 Score Details (7.2)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: High
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7751

Release Date: 2020-10-26

Fix Resolution (pathval): 1.1.1

Direct dependency fix Resolution (chai): 4.3.0

Vulnerable Library - pug-2.0.4.tgz

A clean, whitespace-sensitive template language for writing HTML

Library home page: https://registry.npmjs.org/pug/-/pug-2.0.4.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/pug/package.json

Dependency Hierarchy:

• ❌ pug-2.0.4.tgz (Vulnerable Library)

Found in base branch: master

Vulnerability Details

Pug is an npm package which is a high-performance template engine. In pug before version 3.0.1, if a remote attacker was able to control the pretty option of the pug compiler, e.g. if you spread a user provided object such as the query parameters of a request into the pug template inputs, it was possible for them to achieve remote code execution on the node.js backend. This is fixed in version 3.0.1. This advisory applies to multiple pug packages including "pug", "pug-code-gen". pug-code-gen has a backported fix at version 2.0.3. This advisory is not exploitable if there is no way for un-trusted input to be passed to pug as the pretty option, e.g. if you compile templates in advance before applying user input to them, you do not need to upgrade.

Publish Date: 2021-03-03

URL: CVE-2021-21353

CVSS 3 Score Details (9.0)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-p493-635q-r6gr

Release Date: 2021-03-03

Fix Resolution: 3.0.0-canary-1

Vulnerable Library - json5-0.5.1.tgz

JSON for the ES5 era.

Library home page: https://registry.npmjs.org/json5/-/json5-0.5.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/json5/package.json

Dependency Hierarchy:

• rollup-plugin-babel-2.7.1.tgz (Root Library)
  • babel-core-6.26.3.tgz
    • ❌ json5-0.5.1.tgz (Vulnerable Library)

Found in base branch: master

Vulnerability Details

JSON5 is an extension to the popular JSON file format that aims to be easier to write and maintain by hand (e.g. for config files). The parse method of the JSON5 library before and including versions 1.0.1 and 2.2.1 does not restrict parsing of keys named __proto__, allowing specially crafted strings to pollute the prototype of the resulting object. This vulnerability pollutes the prototype of the object returned by JSON5.parse and not the global Object prototype, which is the commonly understood definition of Prototype Pollution. However, polluting the prototype of a single object can have significant security impact for an application if the object is later used in trusted operations. This vulnerability could allow an attacker to set arbitrary and unexpected keys on the object returned from JSON5.parse. The actual impact will depend on how applications utilize the returned object and how they filter unwanted keys, but could include denial of service, cross-site scripting, elevation of privilege, and in extreme cases, remote code execution. JSON5.parse should restrict parsing of __proto__ keys when parsing JSON strings to objects. As a point of reference, the JSON.parse method included in JavaScript ignores __proto__ keys. Simply changing JSON5.parse to JSON.parse in the examples above mitigates this vulnerability. This vulnerability is patched in json5 versions 1.0.2, 2.2.2, and later.

Publish Date: 2022-12-24

URL: CVE-2022-46175

CVSS 3 Score Details (8.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2022-46175

Release Date: 2022-12-24

Fix Resolution (json5): 1.0.2

Direct dependency fix Resolution (rollup-plugin-babel): 3.0.0

Vulnerable Library - chai-4.2.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/pathval/package.json

Found in HEAD commit: f3296c05df6d6dd40c762129c26a928187b17496

CVE-2020-7751

Vulnerable Library - pathval-1.1.0.tgz

Object value retrieval given a string path

Library home page: https://registry.npmjs.org/pathval/-/pathval-1.1.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/pathval/package.json

Dependency Hierarchy:

• chai-4.2.0.tgz (Root Library)
  • ❌ pathval-1.1.0.tgz (Vulnerable Library)

Found in HEAD commit: f3296c05df6d6dd40c762129c26a928187b17496

Found in base branch: master

Vulnerability Details

pathval before version 1.1.1 is vulnerable to prototype pollution.

Publish Date: 2020-10-26

URL: CVE-2020-7751

CVSS 3 Score Details (7.2)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: High
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7751

Release Date: 2020-10-26

Fix Resolution (pathval): 1.1.1

Direct dependency fix Resolution (chai): 4.3.0

Step up your Open Source Security Game with WhiteSource here

Vulnerable Libraries - ansi-regex-4.1.0.tgz, ansi-regex-3.0.0.tgz

Found in base branch: master

Vulnerability Details

ansi-regex is vulnerable to Inefficient Regular Expression Complexity

Publish Date: 2021-09-17

URL: CVE-2021-3807

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://huntr.dev/bounties/5b3cf33b-ede0-4398-9974-800876dfd994/

Release Date: 2021-09-17

Fix Resolution (ansi-regex): 4.1.1

Direct dependency fix Resolution (inquirer): 7.0.5

Fix Resolution (ansi-regex): 3.0.1

Direct dependency fix Resolution (inquirer): 6.4.0

Vulnerable Library - pug-2.0.4.tgz

A clean, whitespace-sensitive template language for writing HTML

Library home page: https://registry.npmjs.org/pug/-/pug-2.0.4.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/pug/package.json

Found in HEAD commit: f3296c05df6d6dd40c762129c26a928187b17496

CVE-2021-21353

Vulnerable Library - pug-2.0.4.tgz

A clean, whitespace-sensitive template language for writing HTML

Library home page: https://registry.npmjs.org/pug/-/pug-2.0.4.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/pug/package.json

Dependency Hierarchy:

• ❌ pug-2.0.4.tgz (Vulnerable Library)

Found in HEAD commit: f3296c05df6d6dd40c762129c26a928187b17496

Found in base branch: master

Vulnerability Details

Pug is an npm package which is a high-performance template engine. In pug before version 3.0.1, if a remote attacker was able to control the pretty option of the pug compiler, e.g. if you spread a user provided object such as the query parameters of a request into the pug template inputs, it was possible for them to achieve remote code execution on the node.js backend. This is fixed in version 3.0.1. This advisory applies to multiple pug packages including "pug", "pug-code-gen". pug-code-gen has a backported fix at version 2.0.3. This advisory is not exploitable if there is no way for un-trusted input to be passed to pug as the pretty option, e.g. if you compile templates in advance before applying user input to them, you do not need to upgrade.

Publish Date: 2021-03-03

URL: CVE-2021-21353

CVSS 3 Score Details (9.0)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-p493-635q-r6gr

Release Date: 2021-03-03

Fix Resolution: 3.0.0-canary-1

Step up your Open Source Security Game with WhiteSource here

Vulnerable Library - inquirer-6.3.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/string-width/node_modules/ansi-regex/package.json

Found in HEAD commit: f3296c05df6d6dd40c762129c26a928187b17496

CVE-2021-3807

Vulnerable Libraries - ansi-regex-4.1.0.tgz, ansi-regex-3.0.0.tgz

ansi-regex-4.1.0.tgz

Regular expression for matching ANSI escape codes

Library home page: https://registry.npmjs.org/ansi-regex/-/ansi-regex-4.1.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/cliui/node_modules/ansi-regex/package.json,/node_modules/wrap-ansi/node_modules/ansi-regex/package.json,/node_modules/yargs/node_modules/ansi-regex/package.json,/node_modules/inquirer/node_modules/ansi-regex/package.json

Dependency Hierarchy:

• inquirer-6.3.1.tgz (Root Library)
  • strip-ansi-5.2.0.tgz
    • ❌ ansi-regex-4.1.0.tgz (Vulnerable Library)

ansi-regex-3.0.0.tgz

Regular expression for matching ANSI escape codes

Library home page: https://registry.npmjs.org/ansi-regex/-/ansi-regex-3.0.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/string-width/node_modules/ansi-regex/package.json

Dependency Hierarchy:

• inquirer-6.3.1.tgz (Root Library)
  • string-width-2.1.1.tgz
    • strip-ansi-4.0.0.tgz
      • ❌ ansi-regex-3.0.0.tgz (Vulnerable Library)

Found in HEAD commit: f3296c05df6d6dd40c762129c26a928187b17496

Found in base branch: master

Vulnerability Details

ansi-regex is vulnerable to Inefficient Regular Expression Complexity

Publish Date: 2021-09-17

URL: CVE-2021-3807

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://huntr.dev/bounties/5b3cf33b-ede0-4398-9974-800876dfd994/

Release Date: 2021-09-17

Fix Resolution (ansi-regex): 5.0.1

Direct dependency fix Resolution (inquirer): 7.0.5

Fix Resolution (ansi-regex): 5.0.1

Direct dependency fix Resolution (inquirer): 7.0.5

Step up your Open Source Security Game with WhiteSource here

Vulnerable Library - mocha-6.2.3.tgz

simple, flexible, fun test framework

Library home page: https://registry.npmjs.org/mocha/-/mocha-6.2.3.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/mocha/package.json

Dependency Hierarchy:

• ❌ mocha-6.2.3.tgz (Vulnerable Library)

Found in base branch: master

Vulnerability Details

There is regular Expression Denial of Service (ReDoS) vulnerability in mocha.
It allows cause a denial of service when stripping crafted invalid function definition from strs.

Publish Date: 2021-09-18

URL: WS-2021-0638

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Release Date: 2021-09-18

Fix Resolution: mocha - 10.1.0

Vulnerable Library - acorn-5.7.4.tgz

ECMAScript parser

Library home page: https://registry.npmjs.org/acorn/-/acorn-5.7.4.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/rollup-plugin-commonjs/node_modules/acorn/package.json

Dependency Hierarchy:

• rollup-plugin-commonjs-8.4.1.tgz (Root Library)
  • ❌ acorn-5.7.4.tgz (Vulnerable Library)

Found in base branch: master

Vulnerability Details

acorn is vulnerable to REGEX DoS. A regex of the form /[x-\ud800]/u causes the parser to enter an infinite loop. attackers may leverage the vulnerability leading to a Denial of Service since the string is not valid UTF16 and it results in it being sanitized before reaching the parser.

Publish Date: 2020-03-01

URL: WS-2020-0042

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/1488

Release Date: 2020-03-01

Fix Resolution (acorn): 6.4.1

Direct dependency fix Resolution (rollup-plugin-commonjs): 9.0.0

Vulnerable Library - minimatch-3.0.4.tgz

a glob matcher in javascript

Library home page: https://registry.npmjs.org/minimatch/-/minimatch-3.0.4.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/minimatch/package.json

Dependency Hierarchy:

• mocha-6.2.3.tgz (Root Library)
  • ❌ minimatch-3.0.4.tgz (Vulnerable Library)

Found in base branch: master

Vulnerability Details

A vulnerability was found in the minimatch package. This flaw allows a Regular Expression Denial of Service (ReDoS) when calling the braceExpand function with specific arguments, resulting in a Denial of Service.

Publish Date: 2022-10-17

URL: CVE-2022-3517

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Release Date: 2022-10-17

Fix Resolution: minimatch - 3.0.5

Vulnerable Library - minimist-1.2.5.tgz

parse argument options

Library home page: https://registry.npmjs.org/minimist/-/minimist-1.2.5.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/minimist/package.json

Dependency Hierarchy:

• mocha-6.2.3.tgz (Root Library)
  • mkdirp-0.5.4.tgz
    • ❌ minimist-1.2.5.tgz (Vulnerable Library)

Found in base branch: master

Vulnerability Details

Minimist <=1.2.5 is vulnerable to Prototype Pollution via file index.js, function setKey() (lines 69-95).

Publish Date: 2022-03-17

URL: CVE-2021-44906

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Release Date: 2022-03-17

Fix Resolution (minimist): 1.2.6

Direct dependency fix Resolution (mocha): 7.0.0-esm1