TIBCO LABS™ Initiative, the power of the future today. This is a program designed to provide customers and partners with a mechanism for actively participating in TIBCO’s history of innovation.
Home Page: https://tibcosoftware.github.io/TIBCO-LABS/
License: BSD 3-Clause "New" or "Revised" License
tibco-labs's Issues
CVE-2019-20149 - Medium Severity Vulnerability
Vulnerable Libraries - kind-of-4.0.0.tgz , kind-of-6.0.2.tgz , kind-of-3.2.2.tgz , kind-of-5.1.0.tgz
kind-of-4.0.0.tgz
Get the native type of a value.
Library home page: https://registry.npmjs.org/kind-of/-/kind-of-4.0.0.tgz
Path to dependency file: /tmp/ws-scm/TIBCO-LABS/docs-src/package.json
Path to vulnerable library: /tmp/ws-scm/TIBCO-LABS/docs-src/node_modules/has-values/node_modules/kind-of/package.json
Dependency Hierarchy:
postcss-cli-5.0.1.tgz (Root Library)
chokidar-2.1.8.tgz
braces-2.3.2.tgz
snapdragon-0.8.2.tgz
base-0.11.2.tgz
cache-base-1.0.1.tgz
has-value-1.0.0.tgz
has-values-1.0.0.tgz
❌ kind-of-4.0.0.tgz (Vulnerable Library)
kind-of-6.0.2.tgz
Get the native type of a value.
Library home page: https://registry.npmjs.org/kind-of/-/kind-of-6.0.2.tgz
Path to dependency file: /tmp/ws-scm/TIBCO-LABS/docs-src/package.json
Path to vulnerable library: /tmp/ws-scm/TIBCO-LABS/docs-src/node_modules/kind-of/package.json
Dependency Hierarchy:
postcss-cli-5.0.1.tgz (Root Library)
chokidar-2.1.8.tgz
anymatch-2.0.0.tgz
micromatch-3.1.10.tgz
❌ kind-of-6.0.2.tgz (Vulnerable Library)
kind-of-3.2.2.tgz
Get the native type of a value.
Library home page: https://registry.npmjs.org/kind-of/-/kind-of-3.2.2.tgz
Path to dependency file: /tmp/ws-scm/TIBCO-LABS/docs-src/package.json
Path to vulnerable library: /tmp/ws-scm/TIBCO-LABS/docs-src/node_modules/is-data-descriptor/node_modules/kind-of/package.json
Dependency Hierarchy:
postcss-cli-5.0.1.tgz (Root Library)
chokidar-2.1.8.tgz
braces-2.3.2.tgz
snapdragon-node-2.1.1.tgz
snapdragon-util-3.0.1.tgz
❌ kind-of-3.2.2.tgz (Vulnerable Library)
kind-of-5.1.0.tgz
Get the native type of a value.
Library home page: https://registry.npmjs.org/kind-of/-/kind-of-5.1.0.tgz
Path to dependency file: /tmp/ws-scm/TIBCO-LABS/docs-src/package.json
Path to vulnerable library: /tmp/ws-scm/TIBCO-LABS/docs-src/node_modules/is-descriptor/node_modules/kind-of/package.json
Dependency Hierarchy:
postcss-cli-5.0.1.tgz (Root Library)
chokidar-2.1.8.tgz
braces-2.3.2.tgz
snapdragon-0.8.2.tgz
define-property-0.2.5.tgz
is-descriptor-0.1.6.tgz
❌ kind-of-5.1.0.tgz (Vulnerable Library)
Found in HEAD commit: a21f13ebfdc5c8ba013e59acded13d019482f0f7
Vulnerability Details
ctorName in index.js in kind-of v6.0.2 allows external user input to overwrite certain internal attributes via a conflicting name, as demonstrated by 'constructor': {'name':'Symbol'}. Hence, a crafted payload can overwrite this builtin attribute to manipulate the type detection result.
Publish Date: 2019-12-30
URL: CVE-2019-20149
CVSS 3 Score Details (7.5 )
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Local
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: None
Integrity Impact: None
Availability Impact: None
CVE-2020-11022 - Medium Severity Vulnerability
Vulnerable Library - jquery-3.3.1.min.js
JavaScript library for DOM operations
Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/3.3.1/jquery.min.js
Path to dependency file: /tmp/ws-scm/TIBCO-LABS/docs-src/themes/tibcolabs/layouts/partials/head.html
Path to vulnerable library: /TIBCO-LABS/docs-src/themes/tibcolabs/layouts/partials/head.html
Dependency Hierarchy:
❌ jquery-3.3.1.min.js (Vulnerable Library)
Vulnerability Details
In jQuery versions greater than or equal to 1.2 and before 3.5.0, passing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.
Publish Date: 2020-04-29
URL: CVE-2020-11022
CVSS 3 Score Details (6.1 )
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Changed
Impact Metrics:
Confidentiality Impact: Low
Integrity Impact: Low
Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/
Release Date: 2020-04-29
Fix Resolution: jQuery - 3.5.0
CVE-2020-11023 - Medium Severity Vulnerability
Vulnerable Library - jquery-3.3.1.min.js
JavaScript library for DOM operations
Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/3.3.1/jquery.min.js
Path to dependency file: TIBCO-LABS/docs/search/index.html
Path to vulnerable library: TIBCO-LABS/docs/search/index.html
Dependency Hierarchy:
❌ jquery-3.3.1.min.js (Vulnerable Library)
Found in HEAD commit: 3b25cddb9efb24ea89ff68c88684fe178b2917c0
Found in base branch: master
Vulnerability Details
In jQuery versions greater than or equal to 1.0.3 and before 3.5.0, passing HTML containing elements from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.
Publish Date: 2020-04-29
URL: CVE-2020-11023
CVSS 3 Score Details (6.1 )
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Changed
Impact Metrics:
Confidentiality Impact: Low
Integrity Impact: Low
Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11023
Release Date: 2020-04-29
Fix Resolution: jquery - 3.5.0
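The two jQuery advisories above (CVE-2020-11022 and CVE-2020-11023) share one mechanism, which the following added example reproduces in plain Node.js without a DOM. It is not code from this page or from jQuery itself: before 3.5.0, jQuery's htmlPrefilter ran a regex over incoming HTML that expanded self-closing tags ("<style/>" became "<style></style>"), and that rewrite could pull markup a sanitizer had already seen as inert raw text inside a <style> element out into live HTML. The rxhtmlTag regex below is reproduced from memory of the jQuery 3.x source and should be treated as an assumption; liveElementNames is a deliberately tiny raw-text-aware scanner written for this example, not an HTML parser.

```javascript
// Added example: why markup that passed a sanitizer can still execute once jQuery < 3.5.0
// touches it. Assumption: rxhtmlTag below matches the pre-3.5.0 jQuery source.
const rxhtmlTag = /<(?!area|br|col|embed|hr|img|input|link|meta|param)(([a-z][^\/\0>\x20\t\r\n\f]*)[^>]*)\/>/gi;

// Pre-3.5.0 behaviour: "<tag/>" is expanded to "<tag></tag>" before the HTML reaches the DOM.
function legacyHtmlPrefilter(html) {
  return html.replace(rxhtmlTag, "<$1></$2>");
}

// 3.5.0 behaviour: htmlPrefilter returns its input unchanged.
function fixedHtmlPrefilter(html) {
  return html;
}

// Mimics one property of the HTML parser: the body of <style> and <script> is raw text, so
// tags inside it are never instantiated as elements. Returns the tag names a browser would
// actually create from the string. Written for this example only.
function liveElementNames(html) {
  const names = [];
  const tag = /<(\/?)([a-zA-Z][a-zA-Z0-9]*)[^>]*>/g;
  let rawTextOpen = null;
  let m;
  while ((m = tag.exec(html)) !== null) {
    const isClose = m[1] === "/";
    const name = m[2].toLowerCase();
    if (rawTextOpen !== null) {
      // Only the matching end tag leaves raw-text mode; everything else is text.
      if (isClose && name === rawTextOpen) rawTextOpen = null;
      continue;
    }
    if (isClose) continue;
    names.push(name);
    if (name === "style" || name === "script") rawTextOpen = name;
  }
  return names;
}

// Constructed sample: a sanitizer that parses HTML correctly sees a single <style> element
// whose text content happens to contain "<style/><img ...>", and lets it through.
const SANITIZED_INPUT = "<style><style/><img src=x onerror=alert(1)></style>";

function demonstrate() {
  return {
    asSanitized: liveElementNames(SANITIZED_INPUT),
    afterLegacyPrefilter: liveElementNames(legacyHtmlPrefilter(SANITIZED_INPUT)),
    afterFixedPrefilter: liveElementNames(fixedHtmlPrefilter(SANITIZED_INPUT)),
  };
}
```

After the legacy prefilter the string reads "<style><style></style><img src=x onerror=alert(1)></style>": the first "</style>" now closes the raw-text element early and the <img> becomes a real element whose onerror handler runs. Sanitizing before the .html() or .append() call therefore does not help on 3.3.1; upgrading to 3.5.0, where htmlPrefilter is an identity function, removes the rewrite, and on an older build overriding jQuery.htmlPrefilter with an identity function has the same effect.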
CVE-2020-7608 - Medium Severity Vulnerability
Vulnerable Library - yargs-parser-9.0.2.tgz
the mighty option parser used by yargs
Library home page: https://registry.npmjs.org/yargs-parser/-/yargs-parser-9.0.2.tgz
Path to dependency file: /tmp/ws-scm/TIBCO-LABS/docs-src/package.json
Path to vulnerable library: /tmp/ws-scm/TIBCO-LABS/docs-src/node_modules/yargs-parser/package.json
Dependency Hierarchy:
postcss-cli-5.0.1.tgz (Root Library)
yargs-11.1.1.tgz
❌ yargs-parser-9.0.2.tgz (Vulnerable Library)
Vulnerability Details
yargs-parser could be tricked into adding or modifying properties of Object.prototype using a "__proto__" payload.
Publish Date: 2020-03-16
URL: CVE-2020-7608
CVSS 3 Score Details (5.0 )
Base Score Metrics:
Exploitability Metrics:
Attack Vector: N/A
Attack Complexity: N/A
Privileges Required: N/A
User Interaction: N/A
Scope: N/A
Impact Metrics:
Confidentiality Impact: N/A
Integrity Impact: N/A
Availability Impact: N/A
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7608
Release Date: 2020-03-16
Fix Resolution: v18.1.1;13.1.2;15.0.1
CVE-2019-11358 - Medium Severity Vulnerability
Vulnerable Library - jquery-3.3.1.min.js
JavaScript library for DOM operations
Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/3.3.1/jquery.min.js
Path to dependency file: /tmp/ws-scm/TIBCO-LABS/docs-src/themes/tibcolabs/layouts/partials/head.html
Path to vulnerable library: /TIBCO-LABS/docs-src/themes/tibcolabs/layouts/partials/head.html
Dependency Hierarchy:
❌ jquery-3.3.1.min.js (Vulnerable Library)
Found in HEAD commit: a21f13ebfdc5c8ba013e59acded13d019482f0f7
Vulnerability Details
jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. If an unsanitized source object contained an enumerable __proto__ property, it could extend the native Object.prototype.
Publish Date: 2019-04-20
URL: CVE-2019-11358
CVSS 3 Score Details (6.1 )
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Changed
Impact Metrics:
Confidentiality Impact: Low
Integrity Impact: Low
Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11358
Release Date: 2019-04-20
Fix Resolution: 3.4.0
WS-2019-0381 - Medium Severity Vulnerability
Vulnerable Library - kind-of-6.0.2.tgz
Get the native type of a value.
Library home page: https://registry.npmjs.org/kind-of/-/kind-of-6.0.2.tgz
Path to dependency file: /tmp/ws-scm/TIBCO-LABS/docs-src/package.json
Path to vulnerable library: /tmp/ws-scm/TIBCO-LABS/docs-src/node_modules/kind-of/package.json
Dependency Hierarchy:
postcss-cli-5.0.1.tgz (Root Library)
chokidar-2.1.8.tgz
anymatch-2.0.0.tgz
micromatch-3.1.10.tgz
❌ kind-of-6.0.2.tgz (Vulnerable Library)
Vulnerability Details
Versions of kind-of 6.x prior to 6.0.3 are vulnerable to a Validation Bypass. A maliciously crafted object can alter the result of the type check, allowing attackers to bypass the type checking validation.
Publish Date: 2020-03-18
URL: WS-2019-0381
CVSS 3 Score Details (5.3 )
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: None
Integrity Impact: Low
Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: jonschlinkert/kind-of@975c13a
Release Date: 2020-03-18
Fix Resolution: kind-of - 6.0.3
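CVE-2019-20149 and WS-2019-0381 above describe the same weakness in kind-of 6.0.2: the type detector reads val.constructor.name, and a plain object that arrives in JSON can carry its own "constructor" property with whatever name the attacker likes. The following added example is not kind-of's source; it is a reduced type detector that keeps only the constructor-name path, with the vulnerable lookup beside the check that closes it. The assumption that the 6.0.3 fix amounts to a typeof check on val.constructor is mine; the switch cases and the acceptsOnlyMap validator are illustrative.

```javascript
// Added example, not kind-of's code: a reduced constructor-name lookup, vulnerable and fixed.

// Trusts whatever `constructor` property the value carries, including a plain data property
// that arrived in JSON. This is the flaw the advisories describe.
function ctorNameVulnerable(val) {
  return val.constructor ? val.constructor.name : null;
}

// A real constructor is a function; anything else is attacker-controlled data and is ignored.
// Assumption: the upstream 6.0.3 fix has this shape.
function ctorNameFixed(val) {
  return typeof val.constructor === "function" ? val.constructor.name : null;
}

// Reduced type detector: primitives first, then Array, then the constructor-name switch that
// the advisory targets. Real kind-of has many more branches; only this path matters here.
function kindOfWith(ctorName, val) {
  if (val === null) return "null";
  if (val === undefined) return "undefined";
  const primitive = typeof val;
  if (primitive !== "object") return primitive;
  if (Array.isArray(val)) return "array";
  switch (ctorName(val)) {
    case "Symbol": return "symbol";
    case "Promise": return "promise";
    case "Map": return "map";
    case "Set": return "set";
    case "Date": return "date";
    case "RegExp": return "regexp";
    default: return "object";
  }
}

// Constructed sample: the advisory's payload, as it would arrive in a JSON request body.
const CRAFTED = JSON.parse('{"constructor": {"name": "Symbol"}}');

// A hypothetical validator that relies on the type detector to reject plain objects where a
// Map is required; this is the "validation bypass" WS-2019-0381 refers to.
function acceptsOnlyMap(kindOf, val) {
  return kindOf(val) === "map";
}

function demonstrate() {
  const vulnerable = (v) => kindOfWith(ctorNameVulnerable, v);
  const fixed = (v) => kindOfWith(ctorNameFixed, v);
  const spoofMap = JSON.parse('{"constructor": {"name": "Map"}, "size": 0}');
  return {
    craftedVulnerable: vulnerable(CRAFTED),                  // "symbol": result overwritten by input
    craftedFixed: fixed(CRAFTED),                            // "object"
    realMapFixed: fixed(new Map()),                          // "map": genuine values still detected
    validatorBypassed: acceptsOnlyMap(vulnerable, spoofMap), // true
    validatorHolds: acceptsOnlyMap(fixed, spoofMap),         // false
  };
}
```

The typeof check is sufficient for JSON-sourced data because JSON cannot carry functions. Where the input can be an arbitrary JavaScript value, Object.prototype.toString.call(val) is the more robust tag to key on, since it does not consult any property the value can define itself.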
WS-2020-0068 - High Severity Vulnerability
Vulnerable Library - yargs-parser-9.0.2.tgz
the mighty option parser used by yargs
Library home page: https://registry.npmjs.org/yargs-parser/-/yargs-parser-9.0.2.tgz
Path to dependency file: /tmp/ws-scm/TIBCO-LABS/docs-src/package.json
Path to vulnerable library: /tmp/ws-scm/TIBCO-LABS/docs-src/node_modules/yargs-parser/package.json
Dependency Hierarchy:
postcss-cli-5.0.1.tgz (Root Library)
yargs-11.1.1.tgz
❌ yargs-parser-9.0.2.tgz (Vulnerable Library)
Vulnerability Details
Affected versions of yargs-parser are vulnerable to prototype pollution. Arguments are not properly sanitized, allowing an attacker to modify the prototype of Object, causing the addition or modification of an existing property that will exist on all objects. Parsing the argument --foo.__proto__.bar baz adds a bar property with value baz to all objects. This is only exploitable if attackers have control over the arguments being passed to yargs-parser.
Publish Date: 2020-05-01
URL: WS-2020-0068
CVSS 3 Score Details (7.5 )
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Adjacent
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: High
Integrity Impact: High
Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://www.npmjs.com/package/yargs-parser
Release Date: 2020-05-04
Fix Resolution: https://www.npmjs.com/package/yargs-parser/v/18.1.2,https://www.npmjs.com/package/yargs-parser/v/15.0.1
WS-2020-0070 - High Severity Vulnerability
Vulnerable Library - lodash-4.17.15.tgz
Lodash modular utilities.
Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.15.tgz
Path to dependency file: /tmp/ws-scm/TIBCO-LABS/docs-src/package.json
Path to vulnerable library: /tmp/ws-scm/TIBCO-LABS/docs-src/node_modules/lodash/package.json
Dependency Hierarchy:
postcss-cli-5.0.1.tgz (Root Library)
postcss-reporter-5.0.0.tgz
❌ lodash-4.17.15.tgz (Vulnerable Library)
Vulnerability Details
A prototype pollution vulnerability in lodash. It allows an attacker to inject properties on Object.prototype.
Publish Date: 2020-04-28
URL: WS-2020-0070
CVSS 3 Score Details (8.1 )
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: High
Integrity Impact: High
Availability Impact: High
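CVE-2019-11358 (jQuery.extend(true, {}, ...)) and WS-2020-0070 (lodash) above are the recursive-merge form of prototype pollution. The added example below is not jQuery's or lodash's code: it is a minimal deep merge with the flaw, fed with a JSON body, beside a version that skips prototype-redirecting keys. It also shows the detail that makes JSON input dangerous: an object literal {"__proto__": x} sets the prototype, but JSON.parse creates an ordinary own property literally named "__proto__", which for...in and Object.keys enumerate. The assumption that the upstream fixes skip these keys rather than throw is mine; the request body is a constructed sample.

```javascript
// Added example, not jQuery's or lodash's source: deep merge with and without the flaw.

// JSON.parse produces an own "__proto__" key; an object literal does not.
function ownKeysOf(obj) {
  return Object.keys(obj);
}

// Flaw: target["__proto__"] reads the inherited accessor and returns Object.prototype, so the
// recursion merges the attacker's sub-object into every object in the process.
function deepMergeVulnerable(target, source) {
  for (const key in source) {
    const value = source[key];
    if (value !== null && typeof value === "object" && !Array.isArray(value)) {
      if (target[key] === null || typeof target[key] !== "object") target[key] = {};
      deepMergeVulnerable(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Fix (assumption: shaped like the upstream patches): skip "__proto__", "constructor" and
// "prototype", iterate own keys only, and descend only into own plain objects on the target.
const FORBIDDEN_KEYS = new Set(["__proto__", "constructor", "prototype"]);
const hasOwn = (o, k) => Object.prototype.hasOwnProperty.call(o, k);

function deepMergeSafe(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    const value = source[key];
    if (value !== null && typeof value === "object" && !Array.isArray(value)) {
      if (!hasOwn(target, key) || target[key] === null || typeof target[key] !== "object") {
        target[key] = {};
      }
      deepMergeSafe(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Constructed sample: a request body that a handler merges into a per-user settings object.
const UNTRUSTED_BODY = '{"site":{"theme":"dark"},"__proto__":{"isAdmin":true}}';

// Merges the body and reports whether a fresh, unrelated object now inherits isAdmin.
// Cleans up afterwards so the pollution does not leak into the rest of the process.
function mergeProbe(merge) {
  try {
    const settings = merge({ site: { title: "docs", theme: "light" } }, JSON.parse(UNTRUSTED_BODY));
    return {
      title: settings.site.title,
      theme: settings.site.theme,
      polluted: ({}).isAdmin === true,
    };
  } finally {
    delete Object.prototype.isAdmin;
  }
}
```

Both merges produce the same settings object for the legitimate part of the body; only the vulnerable one leaves isAdmin visible on every object created afterwards, which is how an authorization check such as if (user.isAdmin) ends up passing for everyone. Building the target with Object.create(null) is a further hardening, since such objects have no __proto__ accessor to be redirected through.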
CVE-2020-7598 - High Severity Vulnerability
Vulnerable Libraries - minimist-1.2.0.tgz , minimist-0.0.8.tgz
minimist-1.2.0.tgz
parse argument options
Library home page: https://registry.npmjs.org/minimist/-/minimist-1.2.0.tgz
Path to dependency file: /tmp/ws-scm/TIBCO-LABS/docs-src/package.json
Path to vulnerable library: /tmp/ws-scm/TIBCO-LABS/docs-src/node_modules/chokidar/node_modules/fsevents/node_modules/rc/node_modules/minimist/package.json
Dependency Hierarchy:
postcss-cli-5.0.1.tgz (Root Library)
postcss-load-config-1.2.0.tgz
cosmiconfig-2.2.2.tgz
❌ minimist-1.2.0.tgz (Vulnerable Library)
minimist-0.0.8.tgz
parse argument options
Library home page: https://registry.npmjs.org/minimist/-/minimist-0.0.8.tgz
Path to dependency file: /tmp/ws-scm/TIBCO-LABS/docs-src/package.json
Path to vulnerable library: /tmp/ws-scm/TIBCO-LABS/docs-src/node_modules/chokidar/node_modules/fsevents/node_modules/minimist/package.json
Dependency Hierarchy:
postcss-cli-5.0.1.tgz (Root Library)
chokidar-2.1.8.tgz
fsevents-1.2.11.tgz
node-pre-gyp-0.14.0.tgz
mkdirp-0.5.1.tgz
❌ minimist-0.0.8.tgz (Vulnerable Library)
Found in HEAD commit: 2314d68b79e162da37e073d17bbcd466055b3ea6
Vulnerability Details
minimist before 1.2.2 could be tricked into adding or modifying properties of Object.prototype using a "constructor" or "__proto__" payload.
Publish Date: 2020-03-11
URL: CVE-2020-7598
CVSS 3 Score Details (9.8 )
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: High
Integrity Impact: High
Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://github.com/substack/minimist/commit/63e7ed05aa4b1889ec2f3b196426db4500cbda94
Release Date: 2020-03-11
Fix Resolution: minimist - 0.2.1,1.2.2
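The yargs-parser advisories (CVE-2020-7608, WS-2020-0068) and the minimist advisory (CVE-2020-7598) above are the option-parser form of prototype pollution: a dotted key such as --foo.__proto__.bar is split on "." and each segment is used as a plain property read while walking down an output object, so "__proto__" resolves to Object.prototype and "constructor" to the Object function. The added example below is not minimist's or yargs-parser's code: it is a minimal "--a.b.c value" parser with that walk, beside a version that refuses prototype-redirecting segments. The assumption that both upstream fixes drop such keys rather than throw is mine; the argv arrays are constructed samples.

```javascript
// Added example, not minimist's or yargs-parser's source: dotted-key assignment, vulnerable and fixed.

// Flaw: each segment is a plain property read, so the walk can be steered onto Object.prototype
// (via "__proto__", or via "constructor" followed by "prototype") before the final assignment.
function setPathVulnerable(target, dottedKey, value) {
  const keys = dottedKey.split(".");
  let cur = target;
  for (let i = 0; i < keys.length - 1; i++) {
    if (cur[keys[i]] === undefined) cur[keys[i]] = {};
    cur = cur[keys[i]];
  }
  cur[keys[keys.length - 1]] = value;
  return true;
}

// Fix (assumption: shaped like the upstream patches, which drop the key rather than throw):
// reject any segment that can redirect the walk, and only descend into own plain objects.
const FORBIDDEN_SEGMENTS = new Set(["__proto__", "constructor", "prototype"]);
const hasOwn = (o, k) => Object.prototype.hasOwnProperty.call(o, k);

function setPathSafe(target, dottedKey, value) {
  const keys = dottedKey.split(".");
  if (keys.some((k) => FORBIDDEN_SEGMENTS.has(k))) return false;
  let cur = target;
  for (let i = 0; i < keys.length - 1; i++) {
    const k = keys[i];
    if (!hasOwn(cur, k) || cur[k] === null || typeof cur[k] !== "object") cur[k] = {};
    cur = cur[k];
  }
  cur[keys[keys.length - 1]] = value;
  return true;
}

// Minimal argv parser: "--key value", "--key=value", and a bare "--flag" (true).
function parseArgs(argv, setPath) {
  const out = {};
  for (let i = 0; i < argv.length; i++) {
    const arg = argv[i];
    if (!arg.startsWith("--")) continue;
    const eq = arg.indexOf("=");
    let key;
    let value;
    if (eq !== -1) {
      key = arg.slice(2, eq);
      value = arg.slice(eq + 1);
    } else {
      key = arg.slice(2);
      const next = argv[i + 1];
      value = next !== undefined && !next.startsWith("--") ? argv[++i] : true;
    }
    setPath(out, key, value);
  }
  return out;
}

// Parses one attacker-controlled argv and reports what a fresh, unrelated object now sees
// under "bar". Cleans up so the pollution does not leak into the rest of the process.
function pollutionProbe(setPath, argv) {
  try {
    parseArgs(argv, setPath);
    return ({}).bar;
  } finally {
    delete Object.prototype.bar;
  }
}

const VIA_PROTO = ["--foo.__proto__.bar", "baz"];               // the WS-2020-0068 payload
const VIA_CONSTRUCTOR = ["--foo.constructor.prototype.bar=baz"]; // the "constructor" variant from CVE-2020-7598
```

As WS-2020-0068 notes, this is only reachable when an attacker controls the argument vector; for postcss-cli in a documentation build that usually means a CI job or a wrapper script that forwards untrusted strings into the command line, which is worth checking before accepting the finding at its headline score.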
CVE-2019-8331 - Medium Severity Vulnerability
Vulnerable Library - bootstrap-4.1.3.min.js
The most popular front-end framework for developing responsive, mobile first projects on the web.
Library home page: https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/4.1.3/js/bootstrap.min.js
Path to dependency file: /tmp/ws-scm/TIBCO-LABS/docs/about/index.html
Path to vulnerable library: /TIBCO-LABS/docs/about/index.html
Dependency Hierarchy:
❌ bootstrap-4.1.3.min.js (Vulnerable Library)
Vulnerability Details
In Bootstrap before 3.4.1 and 4.3.x before 4.3.1, XSS is possible in the tooltip or popover data-template attribute.
Publish Date: 2019-02-20
URL: CVE-2019-8331
CVSS 3 Score Details (6.1 )
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Changed
Impact Metrics:
Confidentiality Impact: Low
Integrity Impact: Low
Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: twbs/bootstrap#28236
Release Date: 2019-02-20
Fix Resolution: bootstrap - 3.4.1,4.3.1;bootstrap-sass - 3.4.1,4.3.1