Vulnerable Library - nuxt-2.15.8.tgz
Path to dependency file: /frontend/package.json
Path to vulnerable library: /frontend/node_modules/normalize-url/package.json
Found in HEAD commit: 1335c44b117868c7aef92f03ea2dba1ae1a31f76
Vulnerabilities
Details
CVE-2022-2900
Vulnerable Library - parse-url-6.0.5.tgz
An advanced url parser supporting git urls too.
Library home page: https://registry.npmjs.org/parse-url/-/parse-url-6.0.5.tgz
Path to dependency file: /frontend/package.json
Path to vulnerable library: /frontend/node_modules/parse-url/package.json
Dependency Hierarchy:
Found in HEAD commit: 1335c44b117868c7aef92f03ea2dba1ae1a31f76
Found in base branch: main
Vulnerability Details
Server-Side Request Forgery (SSRF) in GitHub repository ionicabizau/parse-url prior to 8.1.0.
Publish Date: 2022-09-14
URL: CVE-2022-2900
CVSS 3 Score Details (9.1)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Release Date: 2022-09-14
Fix Resolution: parse-url - 8.0.0
Step up your Open Source Security Game with Mend here
CVE-2021-33587
Vulnerable Library - css-what-3.4.2.tgz
a CSS selector parser
Library home page: https://registry.npmjs.org/css-what/-/css-what-3.4.2.tgz
Path to dependency file: /frontend/package.json
Path to vulnerable library: /frontend/node_modules/css-what/package.json
Dependency Hierarchy:
Found in HEAD commit: 1335c44b117868c7aef92f03ea2dba1ae1a31f76
Found in base branch: main
Vulnerability Details
The css-what package 4.0.0 through 5.0.0 for Node.js does not ensure that attribute parsing has Linear Time Complexity relative to the size of the input.
Publish Date: 2021-05-28
URL: CVE-2021-33587
CVSS 3 Score Details (7.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33587
Release Date: 2021-05-28
Fix Resolution: css-what - 5.0.1
CVE-2020-28469
Vulnerable Library - glob-parent-3.1.0.tgz
Strips glob magic from a string to provide the parent directory path
Library home page: https://registry.npmjs.org/glob-parent/-/glob-parent-3.1.0.tgz
Path to dependency file: /frontend/package.json
Path to vulnerable library: /frontend/node_modules/glob-parent/package.json
Dependency Hierarchy:
Found in HEAD commit: 1335c44b117868c7aef92f03ea2dba1ae1a31f76
Found in base branch: main
Vulnerability Details
This affects the package glob-parent before 5.1.2. The enclosure regex is used to check for strings ending in an enclosure containing a path separator.
Publish Date: 2021-06-03
URL: CVE-2020-28469
CVSS 3 Score Details (7.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28469
Release Date: 2021-06-03
Fix Resolution: glob-parent - 5.1.2
WS-2022-0237
Vulnerable Library - parse-url-6.0.5.tgz
An advanced url parser supporting git urls too.
Library home page: https://registry.npmjs.org/parse-url/-/parse-url-6.0.5.tgz
Path to dependency file: /frontend/package.json
Path to vulnerable library: /frontend/node_modules/parse-url/package.json
Dependency Hierarchy:
Found in HEAD commit: 1335c44b117868c7aef92f03ea2dba1ae1a31f76
Found in base branch: main
Vulnerability Details
Regular Expression Denial of Service (ReDoS) in ionicabizau/parse-url before 8.0.0.
It allows causing a denial of service when calling the parse-url function.
Publish Date: 2022-07-04
URL: WS-2022-0237
CVSS 3 Score Details (7.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Release Date: 2022-07-04
Fix Resolution: parse-url - 8.0.0
WS-2022-0238
Vulnerable Library - parse-url-6.0.5.tgz
An advanced url parser supporting git urls too.
Library home page: https://registry.npmjs.org/parse-url/-/parse-url-6.0.5.tgz
Path to dependency file: /frontend/package.json
Path to vulnerable library: /frontend/node_modules/parse-url/package.json
Dependency Hierarchy:
Found in HEAD commit: 1335c44b117868c7aef92f03ea2dba1ae1a31f76
Found in base branch: main
Vulnerability Details
File Protocol Spoofing in parse-url before 8.0.0 can lead to attacks, such as XSS, Arbitrary Read/Write File, and Remote Code Execution.
Publish Date: 2022-06-30
URL: WS-2022-0238
CVSS 3 Score Details (7.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://huntr.dev/bounties/52060edb-e426-431b-a0d0-e70407e44f18/
Release Date: 2022-06-30
Fix Resolution: parse-url - 8.0.0
CVE-2021-33502
Vulnerable Libraries - normalize-url-1.9.1.tgz, normalize-url-3.3.0.tgz
normalize-url-1.9.1.tgz
Normalize a URL
Library home page: https://registry.npmjs.org/normalize-url/-/normalize-url-1.9.1.tgz
Path to dependency file: /frontend/package.json
Path to vulnerable library: /frontend/node_modules/normalize-url/package.json
Dependency Hierarchy:
normalize-url-3.3.0.tgz
Normalize a URL
Library home page: https://registry.npmjs.org/normalize-url/-/normalize-url-3.3.0.tgz
Path to dependency file: /frontend/package.json
Path to vulnerable library: /frontend/node_modules/normalize-url/package.json
Dependency Hierarchy:
Found in HEAD commit: 1335c44b117868c7aef92f03ea2dba1ae1a31f76
Found in base branch: main
Vulnerability Details
The normalize-url package before 4.5.1, 5.x before 5.3.1, and 6.x before 6.0.1 for Node.js has a ReDoS (regular expression denial of service) issue because it has exponential performance for data: URLs.
Publish Date: 2021-05-24
URL: CVE-2021-33502
CVSS 3 Score Details (7.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33502
Release Date: 2021-05-24
Fix Resolution: normalize-url - 4.5.1,5.3.1,6.0.1
CVE-2021-3803
Vulnerable Library - nth-check-1.0.2.tgz
performant nth-check parser & compiler
Library home page: https://registry.npmjs.org/nth-check/-/nth-check-1.0.2.tgz
Path to dependency file: /frontend/package.json
Path to vulnerable library: /frontend/node_modules/nth-check/package.json
Dependency Hierarchy:
Found in HEAD commit: 1335c44b117868c7aef92f03ea2dba1ae1a31f76
Found in base branch: main
Vulnerability Details
nth-check is vulnerable to Inefficient Regular Expression Complexity.
Publish Date: 2021-09-17
URL: CVE-2021-3803
CVSS 3 Score Details (7.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Release Date: 2021-09-17
Fix Resolution: nth-check - v2.0.1
CVE-2022-0624
Vulnerable Library - parse-path-4.0.4.tgz
Parse paths (local paths, urls: ssh/git/etc)
Library home page: https://registry.npmjs.org/parse-path/-/parse-path-4.0.4.tgz
Path to dependency file: /frontend/package.json
Path to vulnerable library: /frontend/node_modules/parse-path/package.json
Dependency Hierarchy:
Found in HEAD commit: 1335c44b117868c7aef92f03ea2dba1ae1a31f76
Found in base branch: main
Vulnerability Details
Authorization Bypass Through User-Controlled Key in GitHub repository ionicabizau/parse-path prior to 5.0.0.
Publish Date: 2022-06-28
URL: CVE-2022-0624
CVSS 3 Score Details (7.3)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0624
Release Date: 2022-06-28
Fix Resolution: parse-path - 5.0.0
CVE-2022-3224
Vulnerable Library - parse-url-6.0.5.tgz
An advanced url parser supporting git urls too.
Library home page: https://registry.npmjs.org/parse-url/-/parse-url-6.0.5.tgz
Path to dependency file: /frontend/package.json
Path to vulnerable library: /frontend/node_modules/parse-url/package.json
Dependency Hierarchy:
Found in HEAD commit: 1335c44b117868c7aef92f03ea2dba1ae1a31f76
Found in base branch: main
Vulnerability Details
Misinterpretation of Input in GitHub repository ionicabizau/parse-url prior to 8.1.0.
Publish Date: 2022-09-15
URL: CVE-2022-3224
CVSS 3 Score Details (6.1)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3224
Release Date: 2022-09-15
Fix Resolution: parse-url - 8.1.0
WS-2022-0239
Vulnerable Library - parse-url-6.0.5.tgz
An advanced url parser supporting git urls too.
Library home page: https://registry.npmjs.org/parse-url/-/parse-url-6.0.5.tgz
Path to dependency file: /frontend/package.json
Path to vulnerable library: /frontend/node_modules/parse-url/package.json
Dependency Hierarchy:
Found in HEAD commit: 1335c44b117868c7aef92f03ea2dba1ae1a31f76
Found in base branch: main
Vulnerability Details
Cross-Site Scripting via Improper Input Validation (parser differential) in parse-url before 8.0.0.
Through this vulnerability, an attacker is able to execute malicious JavaScript code.
Publish Date: 2022-07-02
URL: WS-2022-0239
CVSS 3 Score Details (6.1)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://huntr.dev/bounties/5fa3115f-5c97-4928-874c-3cc6302e154e
Release Date: 2022-07-02
Fix Resolution: parse-url - 8.0.0