monch1962 / cypress-cucumber-docker Goto Github PK

Vulnerable Library - lodash-4.17.11.tgz

Lodash modular utilities.

Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.11.tgz

Path to dependency file: /cypress-cucumber-docker/package.json

Path to vulnerable library: /tmp/git/cypress-cucumber-docker/node_modules/lodash/package.json

Dependency Hierarchy:

• cypress-3.3.2.tgz (Root Library)
  • ❌ lodash-4.17.11.tgz (Vulnerable Library)

Found in HEAD commit: e291ce02747e88e9db2fbdfcc18344ae48244956

Vulnerability Details

A Prototype Pollution vulnerability was found in lodash through version 4.17.11.

Publish Date: 2019-07-08

URL: CVE-2019-10744

CVSS 2 Score Details (7.4)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: lodash/lodash@a01e4fa

Release Date: 2019-07-08

Fix Resolution: 4.17.12

Vulnerable Library - mixin-deep-1.3.1.tgz

Deeply mix the properties of objects into the first object. Like merge-deep, but doesn't clone.

Library home page: https://registry.npmjs.org/mixin-deep/-/mixin-deep-1.3.1.tgz

Path to dependency file: /cypress-cucumber-docker/package.json

Path to vulnerable library: /tmp/git/cypress-cucumber-docker/node_modules/mixin-deep/package.json

Dependency Hierarchy:

• cypress-cucumber-preprocessor-1.12.0.tgz (Root Library)
  • chokidar-2.1.6.tgz
    • braces-2.3.2.tgz
      • snapdragon-0.8.2.tgz
        • base-0.11.2.tgz
          • ❌ mixin-deep-1.3.1.tgz (Vulnerable Library)

Found in HEAD commit: e291ce02747e88e9db2fbdfcc18344ae48244956

Vulnerability Details

mixin-deep before 1.3.2 is vulnerable to Prototype Pollution.

Publish Date: 2019-07-11

URL: CVE-2019-10746

CVSS 2 Score Details (7.5)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: jonschlinkert/mixin-deep@8f464c8

Release Date: 2019-07-11

Fix Resolution: 1.3.2

Vulnerable Library - jquery-1.11.3.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.11.3/jquery.min.js

Path to dependency file: /cypress-cucumber-docker/demo-app/index.html

Path to vulnerable library: /cypress-cucumber-docker/demo-app/index.html

Dependency Hierarchy:

• ❌ jquery-1.11.3.min.js (Vulnerable Library)

Found in HEAD commit: 4253b915161898e513dd495c947cd11d4a64a459

Vulnerability Details

jQuery before 3.0.0 is vulnerable to Cross-site Scripting (XSS) attacks when a cross-domain Ajax request is performed without the dataType option, causing text/javascript responses to be executed.

Publish Date: 2018-01-18

URL: CVE-2015-9251

CVSS 3 Score Details (6.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2015-9251

Release Date: 2018-01-18

Fix Resolution: 3.0.0

Vulnerable Library - braces-1.8.5.tgz

Fastest brace expansion for node.js, with the most complete support for the Bash 4.3 braces specification.

Library home page: https://registry.npmjs.org/braces/-/braces-1.8.5.tgz

Path to dependency file: /cypress-cucumber-docker/package.json

Path to vulnerable library: /tmp/git/cypress-cucumber-docker/node_modules/watchify/node_modules/braces/package.json

Dependency Hierarchy:

• cypress-cucumber-preprocessor-1.12.0.tgz (Root Library)
  • browserify-preprocessor-1.1.2.tgz
    • watchify-3.11.0.tgz
      • anymatch-1.3.2.tgz
        • micromatch-2.3.11.tgz
          • ❌ braces-1.8.5.tgz (Vulnerable Library)

Found in HEAD commit: 811025ae7399333c7a1ea142d85f851817af4cb3

Vulnerability Details

Version of braces prior to 2.3.1 are vulnerable to Regular Expression Denial of Service (ReDoS). Untrusted input may cause catastrophic backtracking while matching regular expressions. This can cause the application to be unresponsive leading to Denial of Service.

Publish Date: 2019-03-25

URL: WS-2019-0019

CVSS 2 Score Details (5.0)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/786

Release Date: 2019-02-21

Fix Resolution: 2.3.1

Vulnerable Libraries - set-value-2.0.0.tgz, set-value-0.4.3.tgz

Found in HEAD commit: e291ce02747e88e9db2fbdfcc18344ae48244956

Vulnerability Details

A vulnerability was found in set-value before 2.0.1 and from 3.0.0 before 3.0.1 previously reported as WS-2019-0176

Publish Date: 2019-07-24

URL: CVE-2019-10747

CVSS 2 Score Details (7.4)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: jonschlinkert/set-value@95e9d99

Release Date: 2019-07-24

Fix Resolution: 2.0.1,3.0.1

Vulnerable Library - jquery-1.11.3.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.11.3/jquery.min.js

Path to dependency file: /cypress-cucumber-docker/demo-app/index.html

Path to vulnerable library: /cypress-cucumber-docker/demo-app/index.html

Dependency Hierarchy:

• ❌ jquery-1.11.3.min.js (Vulnerable Library)

Found in HEAD commit: 4253b915161898e513dd495c947cd11d4a64a459

Vulnerability Details

jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. If an unsanitized source object contained an enumerable proto property, it could extend the native Object.prototype.

Publish Date: 2019-04-20

URL: CVE-2019-11358

CVSS 3 Score Details (6.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11358

Release Date: 2019-04-20

Fix Resolution: 3.4.0