levyforchh / argo Goto Github PK
View Code? Open in Web Editor NEWThis project forked from argoproj/argo-workflows
Argo Workflows: Get stuff done with Kubernetes.
Home Page: https://argoproj.github.io/argo
License: Apache License 2.0
This project forked from argoproj/argo-workflows
Argo Workflows: Get stuff done with Kubernetes.
Home Page: https://argoproj.github.io/argo
License: Apache License 2.0
Wrapper around libsass
Library home page: https://registry.npmjs.org/node-sass/-/node-sass-4.14.0.tgz
Path to dependency file: argo/ui/package.json
Path to vulnerable library: argo/ui/node_modules/node-sass/package.json
Dependency Hierarchy:
Found in HEAD commit: 79557f9afba42cdc1b0d94382193baee84f7412c
An issue was discovered in LibSass through 3.5.4. A NULL pointer dereference was found in the function Sass::Functions::selector_append which could be leveraged by an attacker to cause a denial of service (application crash) or possibly have unspecified other impact.
Publish Date: 2018-06-04
URL: CVE-2018-11694
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11694
Release Date: 2018-06-04
Fix Resolution: LibSass - 3.6.0
An issue was discovered in LibSass through 3.5.4. An out-of-bounds read of a memory region was found in the function Sass::Prelexer::exactly() which could be leveraged by an attacker to disclose information or manipulated to read from unmapped memory causing a denial of service.
Publish Date: 2018-06-04
URL: CVE-2018-11697
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11697
Release Date: 2019-09-01
Fix Resolution: LibSass - 3.6.0
Serialize JavaScript to a superset of JSON that includes regular expressions and functions.
Library home page: https://registry.npmjs.org/serialize-javascript/-/serialize-javascript-1.9.1.tgz
Path to dependency file: argo/ui/package.json
Path to vulnerable library: argo/ui/node_modules/serialize-javascript/package.json
Dependency Hierarchy:
Found in HEAD commit: 79557f9afba42cdc1b0d94382193baee84f7412c
The serialize-javascript npm package before version 2.1.1 is vulnerable to Cross-site Scripting (XSS). It does not properly mitigate against unsafe characters in serialized regular expressions. This vulnerability is not affected on Node.js environment since Node.js's implementation of RegExp.prototype.toString() backslash-escapes all forward slashes in regular expressions. If serialized data of regular expression objects are used in an environment other than Node.js, it is affected by this vulnerability.
Publish Date: 2019-12-05
URL: CVE-2019-16769
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16769
Release Date: 2019-12-05
Fix Resolution: v2.1.1
Wrapper around libsass
Library home page: https://registry.npmjs.org/node-sass/-/node-sass-4.14.0.tgz
Path to dependency file: argo/ui/package.json
Path to vulnerable library: argo/ui/node_modules/node-sass/package.json
Dependency Hierarchy:
Found in HEAD commit: 79557f9afba42cdc1b0d94382193baee84f7412c
In LibSass 3.5.5, a NULL Pointer Dereference in the function Sass::Eval::operator()(Sass::Supports_Operator*) in eval.cpp may cause a Denial of Service (application crash) via a crafted sass input file.
Publish Date: 2018-12-17
URL: CVE-2018-20190
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20190
Release Date: 2018-12-17
Fix Resolution: LibSass - 3.6.0
Wrapper around libsass
Library home page: https://registry.npmjs.org/node-sass/-/node-sass-4.14.0.tgz
Path to dependency file: argo/ui/package.json
Path to vulnerable library: argo/ui/node_modules/node-sass/package.json
Dependency Hierarchy:
Found in HEAD commit: 79557f9afba42cdc1b0d94382193baee84f7412c
In LibSass 3.5.5, a heap-based buffer over-read exists in Sass::Prelexer::alternatives in prelexer.hpp.
Publish Date: 2019-01-14
URL: CVE-2019-6284
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6284
Release Date: 2019-08-06
Fix Resolution: LibSass - 3.6.0
Wrapper around libsass
Library home page: https://registry.npmjs.org/node-sass/-/node-sass-4.14.0.tgz
Path to dependency file: argo/ui/package.json
Path to vulnerable library: argo/ui/node_modules/node-sass/package.json
Dependency Hierarchy:
Found in HEAD commit: 79557f9afba42cdc1b0d94382193baee84f7412c
In LibSass 3.5.5, a heap-based buffer over-read exists in Sass::Prelexer::parenthese_scope in prelexer.hpp.
Publish Date: 2019-01-14
URL: CVE-2019-6283
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6284
Release Date: 2019-08-06
Fix Resolution: LibSass - 3.6.0
Wrapper around libsass
Library home page: https://registry.npmjs.org/node-sass/-/node-sass-4.14.0.tgz
Path to dependency file: argo/ui/package.json
Path to vulnerable library: argo/ui/node_modules/node-sass/package.json
Dependency Hierarchy:
Found in HEAD commit: 79557f9afba42cdc1b0d94382193baee84f7412c
In LibSass prior to 3.5.5, the function handle_error in sass_context.cpp allows attackers to cause a denial-of-service resulting from a heap-based buffer over-read via a crafted sass file.
Publish Date: 2018-12-04
URL: CVE-2018-19839
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19839
Release Date: 2018-12-04
Fix Resolution: Libsass:3.6.0
🌈 Node.js bindings to libsass
Library home page: https://github.com/sass/node-sass.git
Found in HEAD commit: 79557f9afba42cdc1b0d94382193baee84f7412c
LibSass 3.6.1 has uncontrolled recursion in Sass::Eval::operator()(Sass::Binary_Expression*) in eval.cpp.
Publish Date: 2019-11-06
URL: CVE-2019-18797
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18797
Release Date: 2019-11-06
Fix Resolution: LibSass - 3.6.3
Wrapper around libsass
Library home page: https://registry.npmjs.org/node-sass/-/node-sass-4.14.0.tgz
Path to dependency file: argo/ui/package.json
Path to vulnerable library: argo/ui/node_modules/node-sass/package.json
Dependency Hierarchy:
Found in HEAD commit: 79557f9afba42cdc1b0d94382193baee84f7412c
In LibSass 3.5.5, a heap-based buffer over-read exists in Sass::Prelexer::skip_over_scopes in prelexer.hpp when called from Sass::Parser::parse_import(), a similar issue to CVE-2018-11693.
Publish Date: 2019-01-14
URL: CVE-2019-6286
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6286
Release Date: 2019-08-06
Fix Resolution: LibSass - 3.6.0
Wrapper around libsass
Library home page: https://registry.npmjs.org/node-sass/-/node-sass-4.14.0.tgz
Path to dependency file: argo/ui/package.json
Path to vulnerable library: argo/ui/node_modules/node-sass/package.json
Dependency Hierarchy:
Found in HEAD commit: 79557f9afba42cdc1b0d94382193baee84f7412c
In LibSass prior to 3.5.5, functions inside ast.cpp for IMPLEMENT_AST_OPERATORS expansion allow attackers to cause a denial-of-service resulting from stack consumption via a crafted sass file, as demonstrated by recursive calls involving clone(), cloneChildren(), and copy().
Publish Date: 2018-12-04
URL: CVE-2018-19838
Base Score Metrics:
Type: Upgrade version
Origin: https://github.com/sass/libsass/blob/3.6.0/src/ast.cpp
Release Date: 2019-07-01
Fix Resolution: LibSass - 3.6.0
JavaScript library for DOM operations
Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.7.1/jquery.min.js
Path to dependency file: argo/ui/node_modules/sockjs/examples/multiplex/index.html
Path to vulnerable library: argo/ui/node_modules/sockjs/examples/multiplex/index.html,argo/ui/node_modules/sockjs/examples/express-3.x/index.html,argo/ui/node_modules/sockjs/examples/echo/index.html,argo/ui/node_modules/sockjs/examples/hapi/html/index.html,argo/ui/node_modules/sockjs/examples/express/index.html
Dependency Hierarchy:
JavaScript library for DOM operations
Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/2.1.4/jquery.min.js
Path to dependency file: argo/ui/node_modules/js-base64/.attic/test-moment/index.html
Path to vulnerable library: argo/ui/node_modules/js-base64/.attic/test-moment/index.html
Dependency Hierarchy:
JavaScript library for DOM operations
Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/3.2.1/jquery.min.js
Path to dependency file: argo/ui/node_modules/superagent/docs/tail.html
Path to vulnerable library: argo/ui/node_modules/superagent/docs/tail.html
Dependency Hierarchy:
In jQuery versions greater than or equal to 1.0.3 and before 3.5.0, passing HTML containing elements from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.
Publish Date: 2020-04-29
URL: CVE-2020-11023
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11023
Release Date: 2020-04-29
Fix Resolution: jquery - 3.5.0
Wrapper around libsass
Library home page: https://registry.npmjs.org/node-sass/-/node-sass-4.14.0.tgz
Path to dependency file: argo/ui/package.json
Path to vulnerable library: argo/ui/node_modules/node-sass/package.json
Dependency Hierarchy:
Found in HEAD commit: 79557f9afba42cdc1b0d94382193baee84f7412c
In LibSass 3.5.5, a NULL Pointer Dereference in the function Sass::Selector_List::populate_extends in SharedPtr.hpp (used by ast.cpp and ast_selectors.cpp) may cause a Denial of Service (application crash) via a crafted sass input file.
Publish Date: 2018-12-03
URL: CVE-2018-19797
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19797
Release Date: 2018-12-03
Fix Resolution: libsass-3.6.0
JavaScript implementations of network transports, cryptography, ciphers, PKI, message digests, and various utilities.
Library home page: https://registry.npmjs.org/node-forge/-/node-forge-0.9.0.tgz
Path to dependency file: argo/ui/package.json
Path to vulnerable library: argo/ui/node_modules/node-forge/package.json
Dependency Hierarchy:
The package node-forge before 0.10.0 is vulnerable to Prototype Pollution via the util.setPath function. Note: Version 0.10.0 is a breaking change removing the vulnerable functions.
Publish Date: 2020-09-01
URL: CVE-2020-7720
Base Score Metrics:
Type: Upgrade version
Origin: https://github.com/digitalbazaar/forge/blob/master/CHANGELOG.md
Release Date: 2020-09-13
Fix Resolution: node-forge - 0.10.0
parse argument options
Library home page: https://registry.npmjs.org/minimist/-/minimist-0.0.8.tgz
Path to dependency file: /tmp/ws-scm/argo/ui/package.json
Path to vulnerable library: /tmp/ws-scm/argo/ui/node_modules/mkdirp/node_modules/minimist/package.json
Dependency Hierarchy:
parse argument options
Library home page: https://registry.npmjs.org/minimist/-/minimist-1.2.0.tgz
Dependency Hierarchy:
parse argument options
Library home page: https://registry.npmjs.org/minimist/-/minimist-0.0.10.tgz
Path to dependency file: /tmp/ws-scm/argo/ui/package.json
Path to vulnerable library: /tmp/ws-scm/argo/ui/node_modules/optimist/node_modules/minimist/package.json
Dependency Hierarchy:
Found in HEAD commit: 79557f9afba42cdc1b0d94382193baee84f7412c
minimist before 1.2.2 could be tricked into adding or modifying properties of Object.prototype using a "constructor" or "proto" payload.
Publish Date: 2020-03-11
URL: CVE-2020-7598
Base Score Metrics:
Type: Upgrade version
Origin: https://github.com/substack/minimist/commit/63e7ed05aa4b1889ec2f3b196426db4500cbda94
Release Date: 2020-03-11
Fix Resolution: minimist - 0.2.1,1.2.2
Wrapper around libsass
Library home page: https://registry.npmjs.org/node-sass/-/node-sass-4.13.1.tgz
Path to dependency file: /tmp/ws-scm/argo/ui/package.json
Path to vulnerable library: /argo/ui/node_modules/node-sass/package.json
Dependency Hierarchy:
Found in HEAD commit: 79557f9afba42cdc1b0d94382193baee84f7412c
An issue was discovered in LibSass through 3.5.2. A NULL pointer dereference was found in the function Sass::Expand::operator which could be leveraged by an attacker to cause a denial of service (application crash) or possibly have unspecified other impact.
Publish Date: 2018-06-04
URL: CVE-2018-11695
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11695
Release Date: 2018-06-04
Fix Resolution: 3.6.0
Wrapper around libsass
Library home page: https://registry.npmjs.org/node-sass/-/node-sass-4.14.0.tgz
Path to dependency file: argo/ui/package.json
Path to vulnerable library: argo/ui/node_modules/node-sass/package.json
Dependency Hierarchy:
Found in HEAD commit: 79557f9afba42cdc1b0d94382193baee84f7412c
An issue was discovered in LibSass through 3.5.4. An out-of-bounds read of a memory region was found in the function Sass::handle_error which could be leveraged by an attacker to disclose information or manipulated to read from unmapped memory causing a denial of service.
Publish Date: 2018-06-04
URL: CVE-2018-11698
Base Score Metrics:
Type: Upgrade version
Origin: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-11698
Release Date: 2018-06-04
Fix Resolution: Libsass-3.6.0
JavaScript library for DOM operations
Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.7.1/jquery.min.js
Path to dependency file: argo/ui/node_modules/sockjs/examples/multiplex/index.html
Path to vulnerable library: argo/ui/node_modules/sockjs/examples/multiplex/index.html,argo/ui/node_modules/sockjs/examples/express-3.x/index.html,argo/ui/node_modules/sockjs/examples/echo/index.html,argo/ui/node_modules/sockjs/examples/hapi/html/index.html,argo/ui/node_modules/sockjs/examples/express/index.html
Dependency Hierarchy:
JavaScript library for DOM operations
Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/2.1.4/jquery.min.js
Path to dependency file: argo/ui/node_modules/js-base64/.attic/test-moment/index.html
Path to vulnerable library: argo/ui/node_modules/js-base64/.attic/test-moment/index.html
Dependency Hierarchy:
JavaScript library for DOM operations
Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/3.2.1/jquery.min.js
Path to dependency file: argo/ui/node_modules/superagent/docs/tail.html
Path to vulnerable library: argo/ui/node_modules/superagent/docs/tail.html
Dependency Hierarchy:
In jQuery versions greater than or equal to 1.2 and before 3.5.0, passing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.
Publish Date: 2020-04-29
URL: CVE-2020-11022
Base Score Metrics:
Type: Upgrade version
Origin: https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/
Release Date: 2020-04-29
Fix Resolution: jQuery - 3.5.0
SockJS-node is a server counterpart of SockJS-client a JavaScript library that provides a WebSocket-like object in the browser. SockJS gives you a coherent, cross-browser, Javascript API which creates a low latency, full duplex, cross-domain communication
Library home page: https://registry.npmjs.org/sockjs/-/sockjs-0.3.19.tgz
Path to dependency file: argo/ui/package.json
Path to vulnerable library: argo/ui/node_modules/sockjs/package.json
Dependency Hierarchy:
Incorrect handling of Upgrade header with the value websocket leads in crashing of containers hosting sockjs apps. This affects the package sockjs before 0.3.20.
Publish Date: 2020-07-09
URL: CVE-2020-7693
Base Score Metrics:
Type: Upgrade version
Origin: sockjs/sockjs-node#265
Release Date: 2020-07-09
Fix Resolution: sockjs - 0.3.20
Serialize JavaScript to a superset of JSON that includes regular expressions and functions.
Library home page: https://registry.npmjs.org/serialize-javascript/-/serialize-javascript-2.1.2.tgz
Path to dependency file: argo/ui/package.json
Path to vulnerable library: argo/ui/node_modules/terser-webpack-plugin/node_modules/serialize-javascript/package.json
Dependency Hierarchy:
Serialize JavaScript to a superset of JSON that includes regular expressions and functions.
Library home page: https://registry.npmjs.org/serialize-javascript/-/serialize-javascript-1.9.1.tgz
Path to dependency file: argo/ui/package.json
Path to vulnerable library: argo/ui/node_modules/serialize-javascript/package.json
Dependency Hierarchy:
serialize-javascript prior to 3.1.0 allows remote attackers to inject arbitrary code via the function "deleteFunctions" within "index.js".
Publish Date: 2020-06-01
URL: CVE-2020-7660
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7660
Release Date: 2020-06-01
Fix Resolution: serialize-javascript - 3.1.0
EC cryptography
Library home page: https://registry.npmjs.org/elliptic/-/elliptic-6.5.2.tgz
Path to dependency file: argo/ui/package.json
Path to vulnerable library: argo/ui/node_modules/elliptic/package.json
Dependency Hierarchy:
all versions of elliptic are vulnerable to Timing Attack through side-channels.
Publish Date: 2019-11-13
URL: WS-2019-0424
Base Score Metrics:
JavaScript library for DOM operations
Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.7.1/jquery.min.js
Path to dependency file: argo/ui/node_modules/sockjs/examples/multiplex/index.html
Path to vulnerable library: argo/ui/node_modules/sockjs/examples/multiplex/index.html,argo/ui/node_modules/sockjs/examples/express-3.x/index.html,argo/ui/node_modules/sockjs/examples/echo/index.html,argo/ui/node_modules/sockjs/examples/hapi/html/index.html,argo/ui/node_modules/sockjs/examples/express/index.html
Dependency Hierarchy:
Found in HEAD commit: 79557f9afba42cdc1b0d94382193baee84f7412c
jQuery before 1.9.0 is vulnerable to Cross-site Scripting (XSS) attacks. The jQuery(strInput) function does not differentiate selectors from HTML in a reliable fashion. In vulnerable versions, jQuery determined whether the input was HTML by looking for the '<' character anywhere in the string, giving attackers more flexibility when attempting to construct a malicious payload. In fixed versions, jQuery only deems the input to be HTML if it explicitly starts with the '<' character, limiting exploitability only to attackers who can control the beginning of a string, which is far less common.
Publish Date: 2018-01-18
URL: CVE-2012-6708
Base Score Metrics:
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2012-6708
Release Date: 2018-01-18
Fix Resolution: jQuery - v1.9.0
the mighty option parser used by yargs
Library home page: https://registry.npmjs.org/yargs-parser/-/yargs-parser-5.0.0.tgz
Path to dependency file: /tmp/ws-scm/argo/ui/package.json
Path to vulnerable library: /tmp/ws-scm/argo/ui/node_modules/sass-graph/node_modules/yargs-parser/package.json
Dependency Hierarchy:
the mighty option parser used by yargs
Library home page: https://registry.npmjs.org/yargs-parser/-/yargs-parser-11.1.1.tgz
Path to dependency file: /tmp/ws-scm/argo/ui/package.json
Path to vulnerable library: /tmp/ws-scm/argo/ui/node_modules/webpack-dev-server/node_modules/yargs-parser/package.json
Dependency Hierarchy:
Affected versions of yargs-parser are vulnerable to prototype pollution. Arguments are not properly sanitized, allowing an attacker to modify the prototype of Object, causing the addition or modification of an existing property that will exist on all objects. Parsing the argument --foo.proto.bar baz' adds a bar property with value baz to all objects. This is only exploitable if attackers have control over the arguments being passed to yargs-parser.
Publish Date: 2020-05-01
URL: WS-2020-0068
Base Score Metrics:
Type: Upgrade version
Origin: https://www.npmjs.com/package/yargs-parser
Release Date: 2020-05-04
Fix Resolution: https://www.npmjs.com/package/yargs-parser/v/18.1.2,https://www.npmjs.com/package/yargs-parser/v/15.0.1
Lodash modular utilities.
Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.15.tgz
Path to dependency file: argo/ui/package.json
Path to vulnerable library: argo/ui/node_modules/lodash/package.json
Dependency Hierarchy:
Prototype pollution attack when using _.zipObjectDeep in lodash before 4.17.20.
Publish Date: 2020-07-15
URL: CVE-2020-8203
Base Score Metrics:
Type: Upgrade version
Origin: https://www.npmjs.com/advisories/1523
Release Date: 2020-07-23
Fix Resolution: lodash - 4.17.19
Wrapper around libsass
Library home page: https://registry.npmjs.org/node-sass/-/node-sass-4.14.0.tgz
Path to dependency file: argo/ui/package.json
Path to vulnerable library: argo/ui/node_modules/node-sass/package.json
Dependency Hierarchy:
Found in HEAD commit: 79557f9afba42cdc1b0d94382193baee84f7412c
The parsing component in LibSass through 3.5.5 allows attackers to cause a denial-of-service (uncontrolled recursion in Sass::Parser::parse_css_variable_value in parser.cpp).
Publish Date: 2019-04-23
URL: CVE-2018-20821
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20821
Release Date: 2019-04-23
Fix Resolution: LibSass - 3.6.0
🌈 Node.js bindings to libsass
Library home page: https://github.com/sass/node-sass.git
Found in HEAD commit: 79557f9afba42cdc1b0d94382193baee84f7412c
LibSass 3.5.4 allows attackers to cause a denial-of-service (uncontrolled recursion in Sass::Complex_Selector::perform in ast.hpp and Sass::Inspect::operator in inspect.cpp).
Publish Date: 2019-04-23
URL: CVE-2018-20822
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20822
Release Date: 2019-08-06
Fix Resolution: LibSass - 3.6.0;node-sass - 4.13.1
Wrapper around libsass
Library home page: https://registry.npmjs.org/node-sass/-/node-sass-4.14.0.tgz
Path to dependency file: argo/ui/package.json
Path to vulnerable library: argo/ui/node_modules/node-sass/package.json
Dependency Hierarchy:
Certificate validation in node-sass 2.0.0 to 4.14.1 is disabled when requesting binaries even if the user is not specifying an alternative download path.
Publish Date: 2021-01-11
URL: CVE-2020-24025
Base Score Metrics:
Wrapper around libsass
Library home page: https://registry.npmjs.org/node-sass/-/node-sass-4.13.1.tgz
Path to dependency file: /tmp/ws-scm/argo/ui/package.json
Path to vulnerable library: /argo/ui/node_modules/node-sass/package.json
Dependency Hierarchy:
Found in HEAD commit: 79557f9afba42cdc1b0d94382193baee84f7412c
An issue was discovered in LibSass through 3.5.4. An out-of-bounds read of a memory region was found in the function Sass::Prelexer::skip_over_scopes which could be leveraged by an attacker to disclose information or manipulated to read from unmapped memory causing a denial of service.
Publish Date: 2018-06-04
URL: CVE-2018-11693
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11693
Release Date: 2018-06-04
Fix Resolution: LibSass - 3.5.5
HTTP proxying for the masses
Library home page: https://registry.npmjs.org/http-proxy/-/http-proxy-1.18.0.tgz
Path to dependency file: argo/ui/package.json
Path to vulnerable library: argo/ui/node_modules/http-proxy/package.json
Dependency Hierarchy:
Versions of http-proxy prior to 1.18.1 are vulnerable to Denial of Service. An HTTP request with a long body triggers an ERR_HTTP_HEADERS_SENT unhandled exception that crashes the proxy server. This is only possible when the proxy server sets headers in the proxy request using the proxyReq.setHeader function.
Publish Date: 2020-05-14
URL: WS-2020-0091
Base Score Metrics:
Type: Upgrade version
Origin: https://www.npmjs.com/advisories/1486
Release Date: 2020-05-26
Fix Resolution: http-proxy - 1.18.1
JavaScript library for DOM operations
Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.7.1/jquery.min.js
Path to dependency file: argo/ui/node_modules/sockjs/examples/multiplex/index.html
Path to vulnerable library: argo/ui/node_modules/sockjs/examples/multiplex/index.html,argo/ui/node_modules/sockjs/examples/express-3.x/index.html,argo/ui/node_modules/sockjs/examples/echo/index.html,argo/ui/node_modules/sockjs/examples/hapi/html/index.html,argo/ui/node_modules/sockjs/examples/express/index.html
Dependency Hierarchy:
JavaScript library for DOM operations
Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/2.1.4/jquery.min.js
Path to dependency file: argo/ui/node_modules/js-base64/.attic/test-moment/index.html
Path to vulnerable library: argo/ui/node_modules/js-base64/.attic/test-moment/index.html
Dependency Hierarchy:
Found in HEAD commit: 79557f9afba42cdc1b0d94382193baee84f7412c
jQuery before 3.0.0 is vulnerable to Cross-site Scripting (XSS) attacks when a cross-domain Ajax request is performed without the dataType option, causing text/javascript responses to be executed.
Publish Date: 2018-01-18
URL: CVE-2015-9251
Type: Change files
Origin: jquery/jquery@b078a62#diff-bee4304906ea68bebadfc11be4368419
Release Date: 2015-10-12
Fix Resolution: Replace or update the following files: script.js, ajax.js, ajax.js
tar for node
Library home page: https://registry.npmjs.org/tar/-/tar-2.2.2.tgz
Path to dependency file: /tmp/ws-scm/argo/ui/package.json
Path to vulnerable library: /tmp/ws-scm/argo/ui/node_modules/tar/package.json
Dependency Hierarchy:
A vulnerability was found in node-tar before version 4.4.2 (excluding version 2.2.2). An Arbitrary File Overwrite issue exists when extracting a tarball containing a hardlink to a file that already exists on the system, in conjunction with a later plain file with the same name as the hardlink. This plain file content replaces the existing file content. A patch has been applied to node-tar v2.2.2).
Publish Date: 2019-04-30
URL: CVE-2018-20834
Base Score Metrics:
Type: Upgrade version
Origin: https://hackerone.com/reports/344595
Release Date: 2019-04-30
Fix Resolution: tar - 4.4.2
EC cryptography
Library home page: https://registry.npmjs.org/elliptic/-/elliptic-6.5.2.tgz
Path to dependency file: argo/ui/package.json
Path to vulnerable library: argo/ui/node_modules/elliptic/package.json
Dependency Hierarchy:
The Elliptic package 6.5.2 for Node.js allows ECDSA signature malleability via variations in encoding, leading '\0' bytes, or integer overflows. This could conceivably have a security-relevant impact if an application relied on a single canonical signature.
Publish Date: 2020-06-04
URL: CVE-2020-13822
Base Score Metrics:
Type: Upgrade version
Origin: https://github.com/indutny/elliptic/tree/v6.5.3
Release Date: 2020-06-04
Fix Resolution: v6.5.3
the mighty option parser used by yargs
Library home page: https://registry.npmjs.org/yargs-parser/-/yargs-parser-5.0.0.tgz
Path to dependency file: argo/ui/package.json
Path to vulnerable library: argo/ui/node_modules/sass-graph/node_modules/yargs-parser/package.json
Dependency Hierarchy:
the mighty option parser used by yargs
Library home page: https://registry.npmjs.org/yargs-parser/-/yargs-parser-11.1.1.tgz
Path to dependency file: argo/ui/package.json
Path to vulnerable library: argo/ui/node_modules/webpack-dev-server/node_modules/yargs-parser/package.json
Dependency Hierarchy:
yargs-parser could be tricked into adding or modifying properties of Object.prototype using a "proto" payload.
Publish Date: 2020-03-16
URL: CVE-2020-7608
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7608
Release Date: 2020-03-16
Fix Resolution: v18.1.1;13.1.2;15.0.1
Wrapper around libsass
Library home page: https://registry.npmjs.org/node-sass/-/node-sass-4.13.1.tgz
Path to dependency file: /tmp/ws-scm/argo/ui/package.json
Path to vulnerable library: /argo/ui/node_modules/node-sass/package.json
Dependency Hierarchy:
Found in HEAD commit: 79557f9afba42cdc1b0d94382193baee84f7412c
** DISPUTED ** In inspect.cpp in LibSass 3.5.5, a high memory footprint caused by an endless loop (containing a Sass::Inspect::operator()(Sass::String_Quoted*) stack frame) may cause a Denial of Service via crafted sass input files with stray '&' or '/' characters. NOTE: Upstream comments indicate this issue is closed as "won't fix" and "works as intended" by design.
Publish Date: 2018-12-03
URL: CVE-2018-19826
Base Score Metrics:
Type: Change files
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19826
Release Date: 2019-09-01
Fix Resolution: Replace or update the following file: LibSass - 3.6.0
JavaScript library for DOM operations
Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.7.1/jquery.min.js
Path to dependency file: argo/ui/node_modules/sockjs/examples/multiplex/index.html
Path to vulnerable library: argo/ui/node_modules/sockjs/examples/multiplex/index.html,argo/ui/node_modules/sockjs/examples/express-3.x/index.html,argo/ui/node_modules/sockjs/examples/echo/index.html,argo/ui/node_modules/sockjs/examples/hapi/html/index.html,argo/ui/node_modules/sockjs/examples/express/index.html
Dependency Hierarchy:
jquery prior to 1.9.0 allows Cross-site Scripting attacks via the load method. The load method fails to recognize and remove "<script>" HTML tags that contain a whitespace character, i.e: "</script >", which results in the enclosed script logic to be executed.
Publish Date: 2020-05-19
URL: CVE-2020-7656
Base Score Metrics:
Type: Upgrade version
Origin: rails/jquery-rails@8f601cb
Release Date: 2020-05-19
Fix Resolution: jquery-rails - 2.2.0
🌈 Node.js bindings to libsass
Library home page: https://github.com/sass/node-sass.git
Found in HEAD commit: 79557f9afba42cdc1b0d94382193baee84f7412c
A use-after-free vulnerability exists in handle_error() in sass_context.cpp in LibSass 3.4.x and 3.5.x through 3.5.4 that could be leveraged to cause a denial of service (application crash) or possibly unspecified other impact.
Publish Date: 2018-05-26
URL: CVE-2018-11499
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11499
Release Date: 2018-05-26
Fix Resolution: LibSass - 3.6.0
Lodash modular utilities.
Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.15.tgz
Path to dependency file: /tmp/ws-scm/argo/ui/package.json
Path to vulnerable library: /tmp/ws-scm/argo/ui/node_modules/lodash/package.json
Dependency Hierarchy:
a prototype pollution vulnerability in lodash. It allows an attacker to inject properties on Object.prototype
Publish Date: 2020-04-28
URL: WS-2020-0070
Base Score Metrics:
Wrapper around libsass
Library home page: https://registry.npmjs.org/node-sass/-/node-sass-4.14.0.tgz
Path to dependency file: argo/ui/package.json
Path to vulnerable library: argo/ui/node_modules/node-sass/package.json
Dependency Hierarchy:
Found in HEAD commit: 79557f9afba42cdc1b0d94382193baee84f7412c
In LibSass 3.5.5, a use-after-free vulnerability exists in the SharedPtr class in SharedPtr.cpp (or SharedPtr.hpp) that may cause a denial of service (application crash) or possibly have unspecified other impact.
Publish Date: 2018-12-03
URL: CVE-2018-19827
Base Score Metrics:
Type: Upgrade version
Origin: sass/libsass#2784
Release Date: 2019-08-29
Fix Resolution: LibSass - 3.6.0
JavaScript library for DOM operations
Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/2.1.4/jquery.min.js
Path to dependency file: argo/ui/node_modules/js-base64/.attic/test-moment/index.html
Path to vulnerable library: argo/ui/node_modules/js-base64/.attic/test-moment/index.html
Dependency Hierarchy:
JavaScript library for DOM operations
Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/3.2.1/jquery.min.js
Path to dependency file: argo/ui/node_modules/superagent/docs/tail.html
Path to vulnerable library: argo/ui/node_modules/superagent/docs/tail.html
Dependency Hierarchy:
Found in HEAD commit: 79557f9afba42cdc1b0d94382193baee84f7412c
jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. If an unsanitized source object contained an enumerable proto property, it could extend the native Object.prototype.
Publish Date: 2019-04-20
URL: CVE-2019-11358
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11358
Release Date: 2019-04-20
Fix Resolution: 3.4.0
A declarative, efficient, and flexible JavaScript library for building user interfaces.
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
An Open Source Machine Learning Framework for Everyone
The Web framework for perfectionists with deadlines.
A PHP framework for web artisans
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
Some thing interesting about web. New door for the world.
A server is a program made to process requests and deliver data to clients.
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Some thing interesting about visualization, use data art
Some thing interesting about game, make everyone happy.
We are working to build community through open source technology. NB: members must have two-factor auth.
Open source projects and samples from Microsoft.
Google ❤️ Open Source for everyone.
Alibaba Open Source for everyone
Data-Driven Documents codes.
China tencent open source team.