Vulnerable Library - speech-4.1.3.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/node-forge/package.json
Vulnerabilities
CVE |
Severity |
CVSS |
Dependency |
Type |
Fixed in (speech version) |
Remediation Available |
CVE-2020-7774 |
High |
9.8 |
y18n-4.0.0.tgz |
Transitive |
4.1.4 |
✅ |
CVE-2021-3807 |
High |
7.5 |
ansi-regex-5.0.0.tgz |
Transitive |
4.1.4 |
✅ |
CVE-2022-25878 |
High |
7.5 |
protobufjs-6.10.1.tgz |
Transitive |
4.1.4 |
✅ |
CVE-2022-24772 |
High |
7.5 |
node-forge-0.10.0.tgz |
Transitive |
4.1.4 |
✅ |
CVE-2022-24771 |
High |
7.5 |
node-forge-0.10.0.tgz |
Transitive |
4.1.4 |
✅ |
WS-2022-0008 |
Medium |
6.6 |
node-forge-0.10.0.tgz |
Transitive |
4.1.4 |
✅ |
CVE-2022-0122 |
Medium |
6.1 |
node-forge-0.10.0.tgz |
Transitive |
4.1.4 |
✅ |
CVE-2022-0235 |
Medium |
6.1 |
node-fetch-2.6.1.tgz |
Transitive |
4.1.4 |
✅ |
CVE-2022-24773 |
Medium |
5.3 |
node-forge-0.10.0.tgz |
Transitive |
4.1.4 |
✅ |
Details
CVE-2020-7774
Vulnerable Library - y18n-4.0.0.tgz
the bare-bones internationalization library used by yargs
Library home page: https://registry.npmjs.org/y18n/-/y18n-4.0.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/y18n/package.json
Dependency Hierarchy:
- speech-4.1.3.tgz (Root Library)
- google-gax-2.9.1.tgz
- grpc-js-1.1.8.tgz
- proto-loader-0.6.0-pre9.tgz
- yargs-15.4.1.tgz
- ❌ y18n-4.0.0.tgz (Vulnerable Library)
Found in base branch: main
Vulnerability Details
The package y18n before 3.2.2, 4.0.1 and 5.0.5, is vulnerable to Prototype Pollution.
Publish Date: 2020-11-17
URL: CVE-2020-7774
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: https://www.npmjs.com/advisories/1654
Release Date: 2020-11-17
Fix Resolution (y18n): 4.0.1
Direct dependency fix Resolution (@google-cloud/speech): 4.1.4
⛑️ Automatic Remediation is available for this issue
CVE-2021-3807
Vulnerable Library - ansi-regex-5.0.0.tgz
Regular expression for matching ANSI escape codes
Library home page: https://registry.npmjs.org/ansi-regex/-/ansi-regex-5.0.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/ansi-regex/package.json
Dependency Hierarchy:
- speech-4.1.3.tgz (Root Library)
- google-gax-2.9.1.tgz
- grpc-js-1.1.8.tgz
- proto-loader-0.6.0-pre9.tgz
- yargs-15.4.1.tgz
- string-width-4.2.0.tgz
- strip-ansi-6.0.0.tgz
- ❌ ansi-regex-5.0.0.tgz (Vulnerable Library)
Found in base branch: main
Vulnerability Details
ansi-regex is vulnerable to Inefficient Regular Expression Complexity
Publish Date: 2021-09-17
URL: CVE-2021-3807
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: https://huntr.dev/bounties/5b3cf33b-ede0-4398-9974-800876dfd994/
Release Date: 2021-09-17
Fix Resolution (ansi-regex): 5.0.1
Direct dependency fix Resolution (@google-cloud/speech): 4.1.4
⛑️ Automatic Remediation is available for this issue
CVE-2022-25878
Vulnerable Library - protobufjs-6.10.1.tgz
Protocol Buffers for JavaScript (& TypeScript).
Library home page: https://registry.npmjs.org/protobufjs/-/protobufjs-6.10.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/protobufjs/package.json
Dependency Hierarchy:
- speech-4.1.3.tgz (Root Library)
- ❌ protobufjs-6.10.1.tgz (Vulnerable Library)
Found in base branch: main
Vulnerability Details
The package protobufjs before 6.11.3 are vulnerable to Prototype Pollution which can allow an attacker to add/modify properties of the Object.prototype. This vulnerability can occur in multiple ways: 1. by providing untrusted user input to util.setProperty or to ReflectionObject.setParsedOption functions 2. by parsing/loading .proto files
Publish Date: 2022-05-27
URL: CVE-2022-25878
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: High
- Availability Impact: None
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-25878
Release Date: 2022-05-27
Fix Resolution (protobufjs): 6.10.3
Direct dependency fix Resolution (@google-cloud/speech): 4.1.4
⛑️ Automatic Remediation is available for this issue
CVE-2022-24772
Vulnerable Library - node-forge-0.10.0.tgz
JavaScript implementations of network transports, cryptography, ciphers, PKI, message digests, and various utilities.
Library home page: https://registry.npmjs.org/node-forge/-/node-forge-0.10.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/node-forge/package.json
Dependency Hierarchy:
- speech-4.1.3.tgz (Root Library)
- common-3.4.1.tgz
- google-auth-library-6.1.3.tgz
- gtoken-5.0.5.tgz
- google-p12-pem-3.0.3.tgz
- ❌ node-forge-0.10.0.tgz (Vulnerable Library)
Found in base branch: main
Vulnerability Details
Forge (also called node-forge
) is a native implementation of Transport Layer Security in JavaScript. Prior to version 1.3.0, RSA PKCS#1 v1.5 signature verification code does not check for tailing garbage bytes after decoding a DigestInfo
ASN.1 structure. This can allow padding bytes to be removed and garbage data added to forge a signature when a low public exponent is being used. The issue has been addressed in node-forge
version 1.3.0. There are currently no known workarounds.
Publish Date: 2022-03-18
URL: CVE-2022-24772
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: High
- Availability Impact: None
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24772
Release Date: 2022-03-18
Fix Resolution (node-forge): 1.3.0
Direct dependency fix Resolution (@google-cloud/speech): 4.1.4
⛑️ Automatic Remediation is available for this issue
CVE-2022-24771
Vulnerable Library - node-forge-0.10.0.tgz
JavaScript implementations of network transports, cryptography, ciphers, PKI, message digests, and various utilities.
Library home page: https://registry.npmjs.org/node-forge/-/node-forge-0.10.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/node-forge/package.json
Dependency Hierarchy:
- speech-4.1.3.tgz (Root Library)
- common-3.4.1.tgz
- google-auth-library-6.1.3.tgz
- gtoken-5.0.5.tgz
- google-p12-pem-3.0.3.tgz
- ❌ node-forge-0.10.0.tgz (Vulnerable Library)
Found in base branch: main
Vulnerability Details
Forge (also called node-forge
) is a native implementation of Transport Layer Security in JavaScript. Prior to version 1.3.0, RSA PKCS#1 v1.5 signature verification code is lenient in checking the digest algorithm structure. This can allow a crafted structure that steals padding bytes and uses unchecked portion of the PKCS#1 encoded message to forge a signature when a low public exponent is being used. The issue has been addressed in node-forge
version 1.3.0. There are currently no known workarounds.
Publish Date: 2022-03-18
URL: CVE-2022-24771
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: High
- Availability Impact: None
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24771
Release Date: 2022-03-18
Fix Resolution (node-forge): 1.3.0
Direct dependency fix Resolution (@google-cloud/speech): 4.1.4
⛑️ Automatic Remediation is available for this issue
WS-2022-0008
Vulnerable Library - node-forge-0.10.0.tgz
JavaScript implementations of network transports, cryptography, ciphers, PKI, message digests, and various utilities.
Library home page: https://registry.npmjs.org/node-forge/-/node-forge-0.10.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/node-forge/package.json
Dependency Hierarchy:
- speech-4.1.3.tgz (Root Library)
- common-3.4.1.tgz
- google-auth-library-6.1.3.tgz
- gtoken-5.0.5.tgz
- google-p12-pem-3.0.3.tgz
- ❌ node-forge-0.10.0.tgz (Vulnerable Library)
Found in base branch: main
Vulnerability Details
The forge.debug API had a potential prototype pollution issue if called with untrusted input. The API was only used for internal debug purposes in a safe way and never documented or advertised. It is suspected that uses of this API, if any exist, would likely not have used untrusted inputs in a vulnerable way.
Publish Date: 2022-01-08
URL: WS-2022-0008
CVSS 3 Score Details (6.6)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: High
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-5rrq-pxf6-6jx5
Release Date: 2022-01-08
Fix Resolution (node-forge): 1.0.0
Direct dependency fix Resolution (@google-cloud/speech): 4.1.4
⛑️ Automatic Remediation is available for this issue
CVE-2022-0122
Vulnerable Library - node-forge-0.10.0.tgz
JavaScript implementations of network transports, cryptography, ciphers, PKI, message digests, and various utilities.
Library home page: https://registry.npmjs.org/node-forge/-/node-forge-0.10.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/node-forge/package.json
Dependency Hierarchy:
- speech-4.1.3.tgz (Root Library)
- common-3.4.1.tgz
- google-auth-library-6.1.3.tgz
- gtoken-5.0.5.tgz
- google-p12-pem-3.0.3.tgz
- ❌ node-forge-0.10.0.tgz (Vulnerable Library)
Found in base branch: main
Vulnerability Details
forge is vulnerable to URL Redirection to Untrusted Site
Publish Date: 2022-01-06
URL: CVE-2022-0122
CVSS 3 Score Details (6.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-gf8q-jrpm-jvxq
Release Date: 2022-01-06
Fix Resolution (node-forge): 1.0.0
Direct dependency fix Resolution (@google-cloud/speech): 4.1.4
⛑️ Automatic Remediation is available for this issue
CVE-2022-0235
Vulnerable Library - node-fetch-2.6.1.tgz
A light-weight module that brings window.fetch to node.js
Library home page: https://registry.npmjs.org/node-fetch/-/node-fetch-2.6.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/node-fetch/package.json
Dependency Hierarchy:
- speech-4.1.3.tgz (Root Library)
- google-gax-2.9.1.tgz
- ❌ node-fetch-2.6.1.tgz (Vulnerable Library)
Found in base branch: main
Vulnerability Details
node-fetch is vulnerable to Exposure of Sensitive Information to an Unauthorized Actor
Publish Date: 2022-01-16
URL: CVE-2022-0235
CVSS 3 Score Details (6.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-r683-j2x4-v87g
Release Date: 2022-01-16
Fix Resolution (node-fetch): 2.6.7
Direct dependency fix Resolution (@google-cloud/speech): 4.1.4
⛑️ Automatic Remediation is available for this issue
CVE-2022-24773
Vulnerable Library - node-forge-0.10.0.tgz
JavaScript implementations of network transports, cryptography, ciphers, PKI, message digests, and various utilities.
Library home page: https://registry.npmjs.org/node-forge/-/node-forge-0.10.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/node-forge/package.json
Dependency Hierarchy:
- speech-4.1.3.tgz (Root Library)
- common-3.4.1.tgz
- google-auth-library-6.1.3.tgz
- gtoken-5.0.5.tgz
- google-p12-pem-3.0.3.tgz
- ❌ node-forge-0.10.0.tgz (Vulnerable Library)
Found in base branch: main
Vulnerability Details
Forge (also called node-forge
) is a native implementation of Transport Layer Security in JavaScript. Prior to version 1.3.0, RSA PKCS#1 v1.5 signature verification code does not properly check DigestInfo
for a proper ASN.1 structure. This can lead to successful verification with signatures that contain invalid structures but a valid digest. The issue has been addressed in node-forge
version 1.3.0. There are currently no known workarounds.
Publish Date: 2022-03-18
URL: CVE-2022-24773
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: Low
- Availability Impact: None
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24773
Release Date: 2022-03-18
Fix Resolution (node-forge): 1.3.0
Direct dependency fix Resolution (@google-cloud/speech): 4.1.4
⛑️ Automatic Remediation is available for this issue
⛑️ Automatic Remediation is available for this issue.