http-server-0.12.1.tgz: 7 vulnerabilities (highest severity is: 9.8) #426
Labels
Comments
mend-bolt-for-github
bot
added
the
Mend: dependency security vulnerability
|
This issue has been automatically marked as |
|
This issue was closed because it has been stalled for 7 days with no activity. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/optimist/node_modules/minimist/package.json,/node_modules/optimist/node_modules/minimist/package.json
Vulnerabilities
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
Vulnerable Library - minimist-0.0.10.tgz
parse argument options
Library home page: https://registry.npmjs.org/minimist/-/minimist-0.0.10.tgz
Path to dependency file: /frontend/package.json
Path to vulnerable library: /node_modules/optimist/node_modules/minimist/package.json,/node_modules/optimist/node_modules/minimist/package.json
Dependency Hierarchy:
Found in base branch: master
Vulnerability Details
Minimist <=1.2.5 is vulnerable to Prototype Pollution via file index.js, function setKey() (lines 69-95).
Publish Date: 2022-03-17
URL: CVE-2021-44906
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-xvch-5gv4-984h
Release Date: 2022-03-17
Fix Resolution (minimist): 0.2.4
Direct dependency fix Resolution (http-server): 0.12.2
Step up your Open Source Security Game with Mend here
Vulnerable Library - async-2.6.3.tgz
Higher-order functions and common patterns for asynchronous code
Library home page: https://registry.npmjs.org/async/-/async-2.6.3.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/portscanner/node_modules/async/package.json,/node_modules/portscanner/node_modules/async/package.json
Dependency Hierarchy:
Found in base branch: master
Vulnerability Details
In Async before 2.6.4 and 3.x before 3.2.2, a malicious user can obtain privileges via the mapValues() method, aka lib/internal/iterator.js createObjectIterator prototype pollution.
Publish Date: 2022-04-06
URL: CVE-2021-43138
CVSS 3 Score Details (7.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2021-43138
Release Date: 2022-04-06
Fix Resolution (async): 2.6.4
Direct dependency fix Resolution (http-server): 0.12.2
Step up your Open Source Security Game with Mend here
Vulnerable Library - ecstatic-3.3.2.tgz
A simple static file server middleware
Library home page: https://registry.npmjs.org/ecstatic/-/ecstatic-3.3.2.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/ecstatic/package.json
Dependency Hierarchy:
Found in base branch: master
Vulnerability Details
ecstatic have a denial of service vulnerability. Successful exploitation could lead to crash of an application.
Publish Date: 2020-01-02
URL: CVE-2019-10775
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Release Date: 2020-01-08
Fix Resolution (ecstatic): 4.0.0
Direct dependency fix Resolution (http-server): 0.13.0
Step up your Open Source Security Game with Mend here
Vulnerable Library - http-proxy-1.18.0.tgz
HTTP proxying for the masses
Library home page: https://registry.npmjs.org/http-proxy/-/http-proxy-1.18.0.tgz
Path to dependency file: /frontend/package.json
Path to vulnerable library: /frontend/node_modules/http-proxy/package.json,/frontend/node_modules/http-proxy/package.json
Dependency Hierarchy:
Found in base branch: master
Vulnerability Details
Versions of http-proxy prior to 1.18.1 are vulnerable to Denial of Service. An HTTP request with a long body triggers an ERR_HTTP_HEADERS_SENT unhandled exception that crashes the proxy server. This is only possible when the proxy server sets headers in the proxy request using the proxyReq.setHeader function.
Publish Date: 2020-05-14
URL: WS-2020-0091
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: https://www.npmjs.com/advisories/1486
Release Date: 2020-05-14
Fix Resolution (http-proxy): 1.18.1
Direct dependency fix Resolution (http-server): 0.12.2
Step up your Open Source Security Game with Mend here
Vulnerable Library - follow-redirects-1.10.0.tgz
HTTP and HTTPS modules that follow redirects.
Library home page: https://registry.npmjs.org/follow-redirects/-/follow-redirects-1.10.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /frontend/node_modules/follow-redirects/package.json,/frontend/node_modules/follow-redirects/package.json
Dependency Hierarchy:
Found in base branch: master
Vulnerability Details
follow-redirects is vulnerable to Exposure of Private Personal Information to an Unauthorized Actor
Publish Date: 2022-01-10
URL: CVE-2022-0155
CVSS 3 Score Details (6.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: https://huntr.dev/bounties/fc524e4b-ebb6-427d-ab67-a64181020406/
Release Date: 2022-01-10
Fix Resolution (follow-redirects): 1.14.7
Direct dependency fix Resolution (http-server): 0.12.2
Step up your Open Source Security Game with Mend here
Vulnerable Library - follow-redirects-1.10.0.tgz
HTTP and HTTPS modules that follow redirects.
Library home page: https://registry.npmjs.org/follow-redirects/-/follow-redirects-1.10.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /frontend/node_modules/follow-redirects/package.json,/frontend/node_modules/follow-redirects/package.json
Dependency Hierarchy:
Found in base branch: master
Vulnerability Details
Improper Removal of Sensitive Information Before Storage or Transfer in NPM follow-redirects prior to 1.14.8.
Publish Date: 2022-02-09
URL: CVE-2022-0536
CVSS 3 Score Details (5.9)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0536
Release Date: 2022-02-09
Fix Resolution (follow-redirects): 1.14.8
Direct dependency fix Resolution (http-server): 0.12.2
Step up your Open Source Security Game with Mend here
Vulnerable Library - minimist-0.0.10.tgz
parse argument options
Library home page: https://registry.npmjs.org/minimist/-/minimist-0.0.10.tgz
Path to dependency file: /frontend/package.json
Path to vulnerable library: /node_modules/optimist/node_modules/minimist/package.json,/node_modules/optimist/node_modules/minimist/package.json
Dependency Hierarchy:
Found in base branch: master
Vulnerability Details
minimist before 1.2.2 could be tricked into adding or modifying properties of Object.prototype using a "constructor" or "proto" payload.
Publish Date: 2020-03-11
URL: CVE-2020-7598
CVSS 3 Score Details (5.6)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: Low
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Release Date: 2020-03-11
Fix Resolution (minimist): 0.2.1
Direct dependency fix Resolution (http-server): 0.12.2
Step up your Open Source Security Game with Mend here
The text was updated successfully, but these errors were encountered: