socialtables / saml-protocol Goto Github PK

Vulnerable Library - node-forge-0.6.38.tgz

JavaScript implementations of network transports, cryptography, ciphers, PKI, message digests, and various utilities.

Library home page: https://registry.npmjs.org/node-forge/-/node-forge-0.6.38.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/xml-encryption/node_modules/node-forge/package.json

Dependency Hierarchy:

• xml-encryption-0.9.0.tgz (Root Library)
  • ❌ node-forge-0.6.38.tgz (Vulnerable Library)

Found in HEAD commit: 73b34e5ab4dd4df4269ecbd89db52f145f10d284

Found in base branch: master

Vulnerability Details

Forge (also called node-forge) is a native implementation of Transport Layer Security in JavaScript. Prior to version 1.3.0, RSA PKCS#1 v1.5 signature verification code does not properly check DigestInfo for a proper ASN.1 structure. This can lead to successful verification with signatures that contain invalid structures but a valid digest. The issue has been addressed in node-forge version 1.3.0. There are currently no known workarounds.

Publish Date: 2022-03-18

URL: CVE-2022-24773

CVSS 3 Score Details (5.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: Low
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24773

Release Date: 2022-03-18

Fix Resolution (node-forge): 1.3.0

Direct dependency fix Resolution (xml-encryption): 2.0.0

Vulnerable Library - ejs-0.8.8.tgz

Embedded JavaScript templates

Library home page: https://registry.npmjs.org/ejs/-/ejs-0.8.8.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/ejs/package.json

Dependency Hierarchy:

• xml-encryption-0.9.0.tgz (Root Library)
  • ❌ ejs-0.8.8.tgz (Vulnerable Library)

Found in HEAD commit: 73b34e5ab4dd4df4269ecbd89db52f145f10d284

Found in base branch: master

Vulnerability Details

nodejs ejs versions older than 2.5.3 is vulnerable to remote code execution due to weak input validation in ejs.renderFile() function

Publish Date: 2017-11-17

URL: CVE-2017-1000228

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-1000228

Release Date: 2017-11-17

Fix Resolution (ejs): 2.5.3

Direct dependency fix Resolution (xml-encryption): 0.11.0

Vulnerable Library - xmldom-0.5.0.tgz

A pure JavaScript W3C standard-based (XML DOM Level 2 Core) DOMParser and XMLSerializer module.

Library home page: https://registry.npmjs.org/xmldom/-/xmldom-0.5.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/xml-crypto/node_modules/xmldom/package.json

Dependency Hierarchy:

• xml-crypto-2.1.0.tgz (Root Library)
  • ❌ xmldom-0.5.0.tgz (Vulnerable Library)

Found in HEAD commit: 73b34e5ab4dd4df4269ecbd89db52f145f10d284

Found in base branch: master

Vulnerability Details

xmldom is an open source pure JavaScript W3C standard-based (XML DOM Level 2 Core) DOMParser and XMLSerializer module. xmldom versions 0.6.0 and older do not correctly escape special characters when serializing elements removed from their ancestor. This may lead to unexpected syntactic changes during XML processing in some downstream applications. This issue has been resolved in version 0.7.0. As a workaround downstream applications can validate the input and reject the maliciously crafted documents.

Publish Date: 2021-07-27

URL: CVE-2021-32796

CVSS 3 Score Details (5.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: Low
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: GHSA-5fg8-2547-mr8q

Release Date: 2021-07-27

Fix Resolution: xmldom - 0.7.0

Vulnerable Library - node-forge-0.6.38.tgz

JavaScript implementations of network transports, cryptography, ciphers, PKI, message digests, and various utilities.

Library home page: https://registry.npmjs.org/node-forge/-/node-forge-0.6.38.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/xml-encryption/node_modules/node-forge/package.json

Dependency Hierarchy:

• xml-encryption-0.9.0.tgz (Root Library)
  • ❌ node-forge-0.6.38.tgz (Vulnerable Library)

Found in HEAD commit: 73b34e5ab4dd4df4269ecbd89db52f145f10d284

Found in base branch: master

Vulnerability Details

Forge (also called node-forge) is a native implementation of Transport Layer Security in JavaScript. Prior to version 1.3.0, RSA PKCS#1 v1.5 signature verification code is lenient in checking the digest algorithm structure. This can allow a crafted structure that steals padding bytes and uses unchecked portion of the PKCS#1 encoded message to forge a signature when a low public exponent is being used. The issue has been addressed in node-forge version 1.3.0. There are currently no known workarounds.

Publish Date: 2022-03-18

URL: CVE-2022-24771

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: High
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24771

Release Date: 2022-03-18

Fix Resolution (node-forge): 1.3.0

Direct dependency fix Resolution (xml-encryption): 2.0.0

Vulnerable Library - async-0.2.10.tgz

Higher-order functions and common patterns for asynchronous code

Library home page: https://registry.npmjs.org/async/-/async-0.2.10.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/async/package.json

Dependency Hierarchy:

• xml-encryption-0.9.0.tgz (Root Library)
  • ❌ async-0.2.10.tgz (Vulnerable Library)

Found in HEAD commit: 73b34e5ab4dd4df4269ecbd89db52f145f10d284

Found in base branch: master

Vulnerability Details

In Async before 2.6.4 and 3.x before 3.2.2, a malicious user can obtain privileges via the mapValues() method, aka lib/internal/iterator.js createObjectIterator prototype pollution.

Publish Date: 2022-04-06

URL: CVE-2021-43138

CVSS 3 Score Details (7.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Local
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2021-43138

Release Date: 2022-04-06

Fix Resolution (async): 2.6.4

Direct dependency fix Resolution (xml-encryption): 0.12.0

Vulnerable Libraries - xmldom-0.7.5.tgz, xmldom-0.7.0.tgz

Found in base branch: main

Vulnerability Details

xmldom is a pure JavaScript W3C standard-based (XML DOM Level 2 Core) DOMParser and XMLSerializer module. xmldom parses XML that is not well-formed because it contains multiple top level elements, and adds all root nodes to the childNodes collection of the Document, without reporting any error or throwing. This breaks the assumption that there is only a single root node in the tree, which led to issuance of CVE-2022-39299 as it is a potential issue for dependents. Update to @xmldom/xmldom@~0.7.7, @xmldom/xmldom@~0.8.4 (dist-tag latest) or @xmldom/xmldom@>=0.9.0-beta.4 (dist-tag next). As a workaround, please one of the following approaches depending on your use case: instead of searching for elements in the whole DOM, only search in the documentElementor reject a document with a document that has more then 1 childNode.

Publish Date: 2022-11-02

URL: CVE-2022-39353

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-crh6-fp67-6883

Release Date: 2022-11-02

Fix Resolution: @xmldom/xmldom - 0.7.7,0.8.4

Vulnerable Library - xmlbuilder-8.2.2.tgz

An XML builder for node.js

Library home page: https://registry.npmjs.org/xmlbuilder/-/xmlbuilder-8.2.2.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/xmlbuilder/package.json

Dependency Hierarchy:

• ❌ xmlbuilder-8.2.2.tgz (Vulnerable Library)

Found in HEAD commit: 73b34e5ab4dd4df4269ecbd89db52f145f10d284

Found in base branch: master

Vulnerability Details

The package xmlbuilder-js before 9.0.5 is vulnerable to denial of service due to a regular expression issue.

Publish Date: 2018-02-08

URL: WS-2018-0625

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: oozcitak/xmlbuilder-js@bbf929a

Release Date: 2018-02-08

Fix Resolution: 9.0.5

Vulnerable Libraries - xmldom-0.7.0.tgz, xmldom-0.7.5.tgz

Found in base branch: main

Vulnerability Details

A prototype pollution vulnerability exists in the function copy in dom.js in the xmldom (published as @xmldom/xmldom) package before 0.8.3 for Node.js via the p variable. NOTE: the vendor states "we are in the process of marking this report as invalid"; however, some third parties takes the position that "A prototype injection/Prototype pollution is not just when global objects are polluted with recursive merge or deep cloning but also when a target object is polluted."

Publish Date: 2022-10-11

URL: CVE-2022-37616

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-37616

Release Date: 2022-10-11

Fix Resolution: @xmldom/xmldom - 0.8.3

Vulnerable Library - node-forge-0.6.38.tgz

JavaScript implementations of network transports, cryptography, ciphers, PKI, message digests, and various utilities.

Library home page: https://registry.npmjs.org/node-forge/-/node-forge-0.6.38.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/xml-encryption/node_modules/node-forge/package.json

Dependency Hierarchy:

• xml-encryption-0.9.0.tgz (Root Library)
  • ❌ node-forge-0.6.38.tgz (Vulnerable Library)

Found in HEAD commit: 73b34e5ab4dd4df4269ecbd89db52f145f10d284

Found in base branch: master

Vulnerability Details

The package node-forge before 0.10.0 is vulnerable to Prototype Pollution via the util.setPath function. Note: Version 0.10.0 is a breaking change removing the vulnerable functions.

Publish Date: 2020-09-01

URL: CVE-2020-7720

CVSS 3 Score Details (7.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: https://github.com/digitalbazaar/forge/blob/master/CHANGELOG.md

Release Date: 2020-09-01

Fix Resolution (node-forge): 0.10.0

Direct dependency fix Resolution (xml-encryption): 1.2.1

Vulnerable Library - moment-2.29.2.tgz

Parse, validate, manipulate, and display dates

Library home page: https://registry.npmjs.org/moment/-/moment-2.29.2.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/moment/package.json

Dependency Hierarchy:

• ❌ moment-2.29.2.tgz (Vulnerable Library)

Found in HEAD commit: 73b34e5ab4dd4df4269ecbd89db52f145f10d284

Found in base branch: master

Vulnerability Details

moment is a JavaScript date library for parsing, validating, manipulating, and formatting dates. Affected versions of moment were found to use an inefficient parsing algorithm. Specifically using string-to-date parsing in moment (more specifically rfc2822 parsing, which is tried by default) has quadratic (N^2) complexity on specific inputs. Users may notice a noticeable slowdown is observed with inputs above 10k characters. Users who pass user-provided strings without sanity length checks to moment constructor are vulnerable to (Re)DoS attacks. The problem is patched in 2.29.4, the patch can be applied to all affected versions with minimal tweaking. Users are advised to upgrade. Users unable to upgrade should consider limiting date lengths accepted from user input.

Publish Date: 2022-07-06

URL: CVE-2022-31129

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-wc69-rhjr-hc9g

Release Date: 2022-07-06

Fix Resolution: moment - 2.29.4

Vulnerable Library - node-forge-0.6.38.tgz

JavaScript implementations of network transports, cryptography, ciphers, PKI, message digests, and various utilities.

Library home page: https://registry.npmjs.org/node-forge/-/node-forge-0.6.38.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/xml-encryption/node_modules/node-forge/package.json

Dependency Hierarchy:

• xml-encryption-0.9.0.tgz (Root Library)
  • ❌ node-forge-0.6.38.tgz (Vulnerable Library)

Found in HEAD commit: 73b34e5ab4dd4df4269ecbd89db52f145f10d284

Found in base branch: master

Vulnerability Details

forge is vulnerable to URL Redirection to Untrusted Site

Publish Date: 2022-01-06

URL: CVE-2022-0122

CVSS 3 Score Details (6.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: GHSA-gf8q-jrpm-jvxq

Release Date: 2022-01-06

Fix Resolution (node-forge): 1.0.0

Direct dependency fix Resolution (xml-encryption): 2.0.0

Vulnerable Library - node-forge-0.6.38.tgz

JavaScript implementations of network transports, cryptography, ciphers, PKI, message digests, and various utilities.

Library home page: https://registry.npmjs.org/node-forge/-/node-forge-0.6.38.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/xml-encryption/node_modules/node-forge/package.json

Dependency Hierarchy:

• xml-encryption-0.9.0.tgz (Root Library)
  • ❌ node-forge-0.6.38.tgz (Vulnerable Library)

Found in HEAD commit: 73b34e5ab4dd4df4269ecbd89db52f145f10d284

Found in base branch: master

Vulnerability Details

The forge.debug API had a potential prototype pollution issue if called with untrusted input. The API was only used for internal debug purposes in a safe way and never documented or advertised. It is suspected that uses of this API, if any exist, would likely not have used untrusted inputs in a vulnerable way.

Publish Date: 2022-01-08

URL: WS-2022-0008

CVSS 3 Score Details (6.6)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: High
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-5rrq-pxf6-6jx5

Release Date: 2022-01-08

Fix Resolution (node-forge): 1.0.0

Direct dependency fix Resolution (xml-encryption): 2.0.0

Vulnerable Library - node-forge-0.6.38.tgz

JavaScript implementations of network transports, cryptography, ciphers, PKI, message digests, and various utilities.

Library home page: https://registry.npmjs.org/node-forge/-/node-forge-0.6.38.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/xml-encryption/node_modules/node-forge/package.json

Dependency Hierarchy:

• xml-encryption-0.9.0.tgz (Root Library)
  • ❌ node-forge-0.6.38.tgz (Vulnerable Library)

Found in HEAD commit: 73b34e5ab4dd4df4269ecbd89db52f145f10d284

Found in base branch: master

Vulnerability Details

Forge (also called node-forge) is a native implementation of Transport Layer Security in JavaScript. Prior to version 1.3.0, RSA PKCS#1 v1.5 signature verification code does not check for tailing garbage bytes after decoding a DigestInfo ASN.1 structure. This can allow padding bytes to be removed and garbage data added to forge a signature when a low public exponent is being used. The issue has been addressed in node-forge version 1.3.0. There are currently no known workarounds.

Publish Date: 2022-03-18

URL: CVE-2022-24772

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: High
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24772

Release Date: 2022-03-18

Fix Resolution (node-forge): 1.3.0

Direct dependency fix Resolution (xml-encryption): 2.0.0

Vulnerable Library - xmldom-0.1.31.tgz

A W3C Standard XML DOM(Level2 CORE) implementation and parser(DOMParser/XMLSerializer).

Library home page: https://registry.npmjs.org/xmldom/-/xmldom-0.1.31.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/xml-encryption/node_modules/xmldom/package.json

Dependency Hierarchy:

• xml-encryption-0.9.0.tgz (Root Library)
  • ❌ xmldom-0.1.31.tgz (Vulnerable Library)

Found in HEAD commit: 73b34e5ab4dd4df4269ecbd89db52f145f10d284

Found in base branch: master

Vulnerability Details

xmldom is a pure JavaScript W3C standard-based (XML DOM Level 2 Core) DOMParser and XMLSerializer module. xmldom versions 0.4.0 and older do not correctly preserve system identifiers, FPIs or namespaces when repeatedly parsing and serializing maliciously crafted documents. This may lead to unexpected syntactic changes during XML processing in some downstream applications. This is fixed in version 0.5.0. As a workaround downstream applications can validate the input and reject the maliciously crafted documents.

Publish Date: 2021-03-12

URL: CVE-2021-21366

CVSS 3 Score Details (4.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: Low
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: GHSA-h6q6-9hqw-rwfv

Release Date: 2021-03-12

Fix Resolution (xmldom): 0.5.0

Direct dependency fix Resolution (xml-encryption): 1.2.3