marked-0.2.3.js: 12 vulnerabilities (highest severity is: 7.5) - autoclosed #31
Comments
mend-bolt-for-github
bot
added
the
Mend: dependency security vulnerability
Micro-Learning Topic: Vulnerable library (Detected by phrase)Matched on "Vulnerable Library"Use of vulnerable components will introduce weaknesses into the application. Components with published vulnerabilities will allow easy exploitation as resources will often be available to automate the process. Try this challenge in Secure Code WarriorMicro-Learning Topic: Cross-site scripting (Detected by phrase)Matched on "XSS"Reflected cross-site scripting vulnerabilities occur when unescaped input is displayed in the resulting page displayed to the user. When HTML or script is included in the input, it will be processed by a user's browser as HTML or script and can alter the appearance of the page or execute malicious scripts in their user context. Try this challenge in Secure Code WarriorMicro-Learning Topic: Regular expression denial of service (Detected by phrase)Matched on "regular expression denial of service"Denial of Service (DoS) attacks caused by Regular Expression which causes the system to hang or cause them to work very slowly when attacker sends a well-crafted input(exponentially related to input size).Denial of service attacks significantly degrade the service quality experienced by legitimate users. These attacks introduce large response delays, excessive losses, and service interruptions, resulting in direct impact on availability. Try this challenge in Secure Code WarriorMicro-Learning Topic: Denial of service (Detected by phrase)Matched on "denial of service"The Denial of Service (DoS) attack is focused on making a resource (site, application, server) unavailable for the purpose it was designed. There are many ways to make a service unavailable for legitimate users by manipulating network packets, programming, logical, or resources handling vulnerabilities, among others. Source: https://www.owasp.org/index.php/Denial_of_Service Try this challenge in Secure Code Warrior |
mend-bolt-for-github
bot
changed the title
|
✔️ This issue was automatically closed by WhiteSource because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the WhiteSource inventory. |
A markdown parser built for speed
Library home page: https://cdnjs.cloudflare.com/ajax/libs/marked/0.2.3/marked.js
Path to vulnerable library: /serviciosacademicos/PlanTrabajoDocenteV2/js/libs/marked.js
Found in HEAD commit: 2265875321fc6aedc20a6cbfb8dc5453f1e64f27
Vulnerabilities
Details
Vulnerable Library - marked-0.2.3.js
A markdown parser built for speed
Library home page: https://cdnjs.cloudflare.com/ajax/libs/marked/0.2.3/marked.js
Path to vulnerable library: /serviciosacademicos/PlanTrabajoDocenteV2/js/libs/marked.js
Dependency Hierarchy:
Found in HEAD commit: 2265875321fc6aedc20a6cbfb8dc5453f1e64f27
Found in base branch: master
Vulnerability Details
The marked package before 0.3.4 for Node.js allows attackers to cause a denial of service (CPU consumption) via unspecified vectors that trigger a "catastrophic backtracking issue for the em inline rule," aka a "regular expression denial of service (ReDoS)."
Publish Date: 2017-01-23
URL: CVE-2015-8854
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2015-8854
Release Date: 2017-01-23
Fix Resolution: 0.3.4
Step up your Open Source Security Game with WhiteSource here
Vulnerable Library - marked-0.2.3.js
A markdown parser built for speed
Library home page: https://cdnjs.cloudflare.com/ajax/libs/marked/0.2.3/marked.js
Path to vulnerable library: /serviciosacademicos/PlanTrabajoDocenteV2/js/libs/marked.js
Dependency Hierarchy:
Found in HEAD commit: 2265875321fc6aedc20a6cbfb8dc5453f1e64f27
Found in base branch: master
Vulnerability Details
The affected versions (through 0.3.5) in marked package are vulnerable to Cross-Site Scripting (XSS) Due To Sanitization Bypass Using HTML Entities
Publish Date: 2018-03-23
URL: WS-2018-0031
CVSS 3 Score Details (7.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: Low
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: markedjs/marked#592
Release Date: 2018-03-23
Fix Resolution: 0.3.6
Step up your Open Source Security Game with WhiteSource here
Vulnerable Library - marked-0.2.3.js
A markdown parser built for speed
Library home page: https://cdnjs.cloudflare.com/ajax/libs/marked/0.2.3/marked.js
Path to vulnerable library: /serviciosacademicos/PlanTrabajoDocenteV2/js/libs/marked.js
Dependency Hierarchy:
Found in HEAD commit: 2265875321fc6aedc20a6cbfb8dc5453f1e64f27
Found in base branch: master
Vulnerability Details
Versions 0.3.7 and earlier of marked suuport unescaping of only lowercase, which may lead to XSS.
Publish Date: 2017-12-23
URL: WS-2019-0026
CVSS 3 Score Details (6.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: markedjs/marked@6d1901f
Release Date: 2017-12-23
Fix Resolution: 0.3.9
Step up your Open Source Security Game with WhiteSource here
Vulnerable Library - marked-0.2.3.js
A markdown parser built for speed
Library home page: https://cdnjs.cloudflare.com/ajax/libs/marked/0.2.3/marked.js
Path to vulnerable library: /serviciosacademicos/PlanTrabajoDocenteV2/js/libs/marked.js
Dependency Hierarchy:
Found in HEAD commit: 2265875321fc6aedc20a6cbfb8dc5453f1e64f27
Found in base branch: master
Vulnerability Details
Versions 0.3.7 and earlier of marked When mangling is disabled via option mangle don't escape target href are vulnerable to XSS, which allows an attacker to inject arbitrary code.
Publish Date: 2017-12-23
URL: WS-2019-0025
CVSS 3 Score Details (6.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: markedjs/marked@cb72584
Release Date: 2017-12-23
Fix Resolution: 0.3.9
Step up your Open Source Security Game with WhiteSource here
Vulnerable Library - marked-0.2.3.js
A markdown parser built for speed
Library home page: https://cdnjs.cloudflare.com/ajax/libs/marked/0.2.3/marked.js
Path to vulnerable library: /serviciosacademicos/PlanTrabajoDocenteV2/js/libs/marked.js
Dependency Hierarchy:
Found in HEAD commit: 2265875321fc6aedc20a6cbfb8dc5453f1e64f27
Found in base branch: master
Vulnerability Details
marked is an application that is meant to parse and compile markdown. Due to the way that marked 0.3.5 and earlier parses input, specifically HTML entities, it's possible to bypass marked's content injection protection (
sanitize: true) to inject ajavascript:URL. This flaw exists because&#xNNanything;gets parsed to what it could and leaves the rest behind, resulting in justanything;being left.Publish Date: 2018-05-31
URL: CVE-2016-10531
CVSS 3 Score Details (6.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10531
Release Date: 2018-05-31
Fix Resolution: 0.3.6
Step up your Open Source Security Game with WhiteSource here
Vulnerable Library - marked-0.2.3.js
A markdown parser built for speed
Library home page: https://cdnjs.cloudflare.com/ajax/libs/marked/0.2.3/marked.js
Path to vulnerable library: /serviciosacademicos/PlanTrabajoDocenteV2/js/libs/marked.js
Dependency Hierarchy:
Found in HEAD commit: 2265875321fc6aedc20a6cbfb8dc5453f1e64f27
Found in base branch: master
Vulnerability Details
Multiple cross-site scripting (XSS) vulnerabilities in the Marked module before 0.3.1 for Node.js allow remote attackers to inject arbitrary web script or HTML via vectors related to (1) gfm codeblocks (language) or (2) javascript url's.
Publish Date: 2020-01-06
URL: CVE-2014-3743
CVSS 3 Score Details (6.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3743
Release Date: 2020-01-06
Fix Resolution: marked - 0.3.1
Step up your Open Source Security Game with WhiteSource here
Vulnerable Library - marked-0.2.3.js
A markdown parser built for speed
Library home page: https://cdnjs.cloudflare.com/ajax/libs/marked/0.2.3/marked.js
Path to vulnerable library: /serviciosacademicos/PlanTrabajoDocenteV2/js/libs/marked.js
Dependency Hierarchy:
Found in HEAD commit: 2265875321fc6aedc20a6cbfb8dc5453f1e64f27
Found in base branch: master
Vulnerability Details
marked version 0.3.6 and earlier is vulnerable to an XSS attack in the data: URI parser.
Publish Date: 2018-01-02
URL: CVE-2017-1000427
CVSS 3 Score Details (6.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000427
Release Date: 2018-01-02
Fix Resolution: 0.3.7
Step up your Open Source Security Game with WhiteSource here
Vulnerable Library - marked-0.2.3.js
A markdown parser built for speed
Library home page: https://cdnjs.cloudflare.com/ajax/libs/marked/0.2.3/marked.js
Path to vulnerable library: /serviciosacademicos/PlanTrabajoDocenteV2/js/libs/marked.js
Dependency Hierarchy:
Found in HEAD commit: 2265875321fc6aedc20a6cbfb8dc5453f1e64f27
Found in base branch: master
Vulnerability Details
marked before 1.1.1 is vulnerable to Regular Expression Denial of Service (REDoS). rules.js have multiple unused capture groups which can lead to a Denial of Service.
Publish Date: 2020-07-02
URL: WS-2020-0163
CVSS 3 Score Details (5.9)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: https://github.com/markedjs/marked/releases/tag/v1.1.1
Release Date: 2020-07-02
Fix Resolution: marked - 1.1.1
Step up your Open Source Security Game with WhiteSource here
Vulnerable Library - marked-0.2.3.js
A markdown parser built for speed
Library home page: https://cdnjs.cloudflare.com/ajax/libs/marked/0.2.3/marked.js
Path to vulnerable library: /serviciosacademicos/PlanTrabajoDocenteV2/js/libs/marked.js
Dependency Hierarchy:
Found in HEAD commit: 2265875321fc6aedc20a6cbfb8dc5453f1e64f27
Found in base branch: master
Vulnerability Details
marked before 0.7.0 vulnerable to Redos attack by he _label subrule that may significantly degrade parsing performance of malformed input.
Publish Date: 2019-07-04
URL: WS-2019-0209
CVSS 3 Score Details (5.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: https://www.npmjs.com/advisories/1076
Release Date: 2019-07-04
Fix Resolution: 0.7.0
Step up your Open Source Security Game with WhiteSource here
Vulnerable Library - marked-0.2.3.js
A markdown parser built for speed
Library home page: https://cdnjs.cloudflare.com/ajax/libs/marked/0.2.3/marked.js
Path to vulnerable library: /serviciosacademicos/PlanTrabajoDocenteV2/js/libs/marked.js
Dependency Hierarchy:
Found in HEAD commit: 2265875321fc6aedc20a6cbfb8dc5453f1e64f27
Found in base branch: master
Vulnerability Details
Versions 0.3.17 and earlier of marked has Four regexes were vulnerable to catastrophic backtracking. This leaves markdown servers open to a potential REDOS attack.
Publish Date: 2018-02-26
URL: WS-2019-0027
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: Low
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: markedjs/marked@b15e42b
Release Date: 2018-02-26
Fix Resolution: 0.3.18
Step up your Open Source Security Game with WhiteSource here
Vulnerable Library - marked-0.2.3.js
A markdown parser built for speed
Library home page: https://cdnjs.cloudflare.com/ajax/libs/marked/0.2.3/marked.js
Path to vulnerable library: /serviciosacademicos/PlanTrabajoDocenteV2/js/libs/marked.js
Dependency Hierarchy:
Found in HEAD commit: 2265875321fc6aedc20a6cbfb8dc5453f1e64f27
Found in base branch: master
Vulnerability Details
marked before 0.4.0 is vulnerable to Regular Expression Denial of Service (REDoS) through heading in marked.js.
Publish Date: 2018-04-16
URL: WS-2018-0628
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: Low
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: https://github.com/markedjs/marked/releases/tag/0.4.0
Release Date: 2018-04-16
Fix Resolution: marked - 0.4.0
Step up your Open Source Security Game with WhiteSource here
Vulnerable Library - marked-0.2.3.js
A markdown parser built for speed
Library home page: https://cdnjs.cloudflare.com/ajax/libs/marked/0.2.3/marked.js
Path to vulnerable library: /serviciosacademicos/PlanTrabajoDocenteV2/js/libs/marked.js
Dependency Hierarchy:
Found in HEAD commit: 2265875321fc6aedc20a6cbfb8dc5453f1e64f27
Found in base branch: master
Vulnerability Details
Incomplete blacklist vulnerability in marked 0.3.2 and earlier for Node.js allows remote attackers to conduct cross-site scripting (XSS) attacks via a vbscript tag in a link.
Publish Date: 2015-01-27
URL: CVE-2015-1370
CVSS 3 Score Details (3.7)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: Low
- Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2015-1370
Release Date: 2015-01-27
Fix Resolution: polymer-core-elements - 0.5.5;z4a-dotnet-scaffold - 1.0.0.3;marked - 0.3.0,0.3.3;marked - 0.3.3
Step up your Open Source Security Game with WhiteSource here
The text was updated successfully, but these errors were encountered: