Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fix 7 vulnerable dependencies identified by Prisma Cloud #42

Closed
wants to merge 0 commits into from
Closed

Fix 7 vulnerable dependencies identified by Prisma Cloud #42

wants to merge 0 commits into from

Conversation

bridgeit-devops-bot
Copy link
Collaborator

Prisma Cloud has detected new vulnerabilities or dependencies in the scan performed on Thu, 04 Jan 2024 07:09:22 UTC

This PR includes the fixes for the vulnerabilities discovered below:

Severity Dependency File Package name CVE Risk Score Fix Status Description
critical packages/requirements.txt django CVE-2019-19844 9.8 fixed in 3.0.1, 2.2.9, 1.11.27 Django before 1.11.27, 2.x before 2.2.9, and 3.x before 3.0.1 allows account takeover. A suitably crafted email address (that is equal to an existing user's email address after case transformation of Unicode characters) would allow an attacker to be sent a password reset token for the matched user account. (One mitigation in the new releases is to send password reset tokens only to the registered user email address.)
critical packages/sub/.hidden/requirements.txt django CVE-2019-19844 9.8 fixed in 3.0.1, 2.2.9, 1.11.27 Django before 1.11.27, 2.x before 2.2.9, and 3.x before 3.0.1 allows account takeover. A suitably crafted email address (that is equal to an existing user's email address after case transformation of Unicode characters) would allow an attacker to be sent a password reset token for the matched user account. (One mitigation in the new releases is to send password reset tokens only to the registered user email address.)
critical packages/node/base/package-lock.json socket.io-parser CVE-2022-2421 9.8 fixed in 4.0.5 Due to improper type validation in attachment parsing the Socket.io js library, it is possible to overwrite the _placeholder object which allows an attacker to place references to functions at arbitrary places in the resulting query object.
critical packages/node/base/package-lock.json @xmldom/xmldom CVE-2022-39353 9.8 fixed in 0.9.0-beta.4, 0.8.4, 0.7.7 xmldom is a pure JavaScript W3C standard-based (XML DOM Level 2 Core) DOMParser and XMLSerializer module. xmldom parses XML that is not well-formed because it contains multiple top level elements, and adds all root nodes to the childNodes collection of the Document, without reporting any error or throwing. This breaks the assumption that there is only a single root node in the tree, which led to issuance of CVE-2022-39299 as it is a potential issue for dependents. Update to @xmldom/xmldom@~0.7.7, @xmldom/xmldom@~0.8.4 (dist-tag latest) or @xmldom/xmldom@>=0.9.0-beta.4 (dist-tag next). As a workaround, please one of the following approaches depending on your use case: instead of searching for elements in the whole DOM, only search in the documentElementor reject a document with a document that has more then 1 childNode.
critical packages/node/base/package-lock.json minimist CVE-2021-44906 9.8 fixed in 1.2.6 Minimist <=1.2.5 is vulnerable to Prototype Pollution via file index.js, function setKey() (lines 69-95).
critical packages/node/base/package-lock.json @babel/traverse CVE-2023-45133 9.3 fixed in 8.0.0-alpha.4, 7.23.2 Babel is a compiler for writingJavaScript. In @babel/traverse prior to versions 7.23.2 and 8.0.0-alpha.4 and all versions of babel-traverse, using Babel to compile code that was specifically crafted by an attacker can lead to arbitrary code execution during compilation, when using plugins that rely on the path.evaluate()or path.evaluateTruthy() internal Babel methods. Known affected plugins are @babel/plugin-transform-runtime; @babel/preset-env when using its useBuiltIns option; and any "polyfill provider" plugin that depends on @babel/helper-define-polyfill-provider, such as babel-plugin-polyfill-corejs3, babel-plugin-polyfill-corejs2, babel-plugin-polyfill-es-shims, babel-plugin-polyfill-regenerator. No other plugins under the @babel/ namespace are impacted, but third-party plugins might be. Users that only compile trusted code are not impacted. The vulnerability has been fixed in @babel/traverse@7.23.2 and @babel/traverse@8.0.0-alpha.4. Those who cannot upgrade @babel/traverse and are using one of the affected packages mentioned above should upgrade them to their latest version to avoid triggering the vulnerable code path in affected @babel/traverse versions: @babel/plugin-transform-runtime v7.23.2, @babel/preset-env v7.23.2, @babel/helper-define-polyfill-provider v0.4.3, babel-plugin-polyfill-corejs2 v0.4.6, `babel-plugin-polyfill-c
critical packages/node/base/package-lock.json webpack CVE-2023-28154 9.8 fixed in 5.76.0 Webpack 5 before 5.76.0 does not avoid cross-realm object access. ImportParserPlugin.js mishandles the magic comment feature. An attacker who controls a property of an untrusted object can obtain access to the real global object.
critical packages/node/base/package-lock.json xmldom CVE-2022-39353 9.8 fixed in 0.8.4, 0.7.7, 0.6.0 xmldom is a pure JavaScript W3C standard-based (XML DOM Level 2 Core) DOMParser and XMLSerializer module. xmldom parses XML that is not well-formed because it contains multiple top level elements, and adds all root nodes to the childNodes collection of the Document, without reporting any error or throwing. This breaks the assumption that there is only a single root node in the tree, which led to issuance of CVE-2022-39299 as it is a potential issue for dependents. Update to @xmldom/xmldom@~0.7.7, @xmldom/xmldom@~0.8.4 (dist-tag latest) or @xmldom/xmldom@>=0.9.0-beta.4 (dist-tag next). As a workaround, please one of the following approaches depending on your use case: instead of searching for elements in the whole DOM, only search in the documentElementor reject a document with a document that has more then 1 childNode.
critical packages/node/base/package-lock.json xmldom CVE-2022-37616 9.8 fixed in 0.8.3 A prototype pollution vulnerability exists in the function copy in dom.js in the xmldom (published as @xmldom/xmldom) package before 0.8.3 for Node.js via the p variable. NOTE: the vendor states "we are in the process of marking this report as invalid"; however, some third parties takes the position that "A prototype injection/Prototype pollution is not just when global objects are polluted with recursive merge or deep cloning but also when a target object is polluted."
critical packages/node/base/package-lock.json tough-cookie CVE-2023-26136 9.8 fixed in 4.1.3 Versions of the package tough-cookie before 4.1.3 are vulnerable to Prototype Pollution due to improper handling of Cookies when using CookieJar in rejectPublicSuffixes=false mode. This issue arises from the manner in which the objects are initialized.
critical packages/node/base/package-lock.json vm2 CVE-2023-32314 10.0 fixed in 3.9.18 vm2 is a sandbox that can run untrusted code with Node's built-in modules. A sandbox escape vulnerability exists in vm2 for versions up to and including 3.9.17. It abuses an unexpected creation of a host object based on the specification of Proxy. As a result a threat actor can bypass the sandbox protections to gain remote code execution rights on the host running the sandbox. This vulnerability was patched in the release of version 3.9.18 of vm2. Users are advised to upgrade. There are no known workarounds for this vulnerability.
critical packages/node/base/package-lock.json vm2 CVE-2023-29199 10.0 fixed in 3.9.16 There exists a vulnerability in source code transformer (exception sanitization logic) of vm2 for versions up to 3.9.15, allowing attackers to bypass handleException() and leak unsanitized host exceptions which can be used to escape the sandbox and run arbitrary code in host context. A threat actor can bypass the sandbox protections to gain remote code execution rights on the host running the sandbox. This vulnerability was patched in the release of version 3.9.16 of vm2.
critical packages/node/base/package-lock.json vm2 CVE-2023-29017 9.8 fixed in 3.9.15 vm2 is a sandbox that can run untrusted code with whitelisted Node's built-in modules. Prior to version 3.9.15, vm2 was not properly handling host objects passed to Error.prepareStackTrace in case of unhandled async errors. A threat actor could bypass the sandbox protections to gain remote code execution rights on the host running the sandbox. This vulnerability was patched in the release of version 3.9.15 of vm2. There are no known workarounds.
critical packages/node/base/package-lock.json vm2 CVE-2022-36067 10.0 fixed in 3.9.11 vm2 is a sandbox that can run untrusted code with whitelisted Node's built-in modules. In versions prior to version 3.9.11, a threat actor can bypass the sandbox protections to gain remote code execution rights on the host running the sandbox. This vulnerability was patched in the release of version 3.9.11 of vm2. There are no known workarounds.
critical packages/node/base/package-lock.json vm2 CVE-2022-25893 9.8 fixed in 3.9.10 The package vm2 before 3.9.10 are vulnerable to Arbitrary Code Execution due to the usage of prototype lookup for the WeakMap.prototype.set method. Exploiting this vulnerability leads to access to a host object and a sandbox compromise.
critical packages/node/base/package-lock.json vm2 CVE-2021-23555 9.8 fixed in 3.9.6 The package vm2 before 3.9.6 are vulnerable to Sandbox Bypass via direct access to host error objects generated by node internals during generation of a stacktraces, which can lead to execution of arbitrary code on the host machine.
critical packages/node/twistcli_test/package-lock.json xmldom CVE-2022-39353 9.8 fixed in 0.8.4, 0.7.7, 0.6.0 xmldom is a pure JavaScript W3C standard-based (XML DOM Level 2 Core) DOMParser and XMLSerializer module. xmldom parses XML that is not well-formed because it contains multiple top level elements, and adds all root nodes to the childNodes collection of the Document, without reporting any error or throwing. This breaks the assumption that there is only a single root node in the tree, which led to issuance of CVE-2022-39299 as it is a potential issue for dependents. Update to @xmldom/xmldom@~0.7.7, @xmldom/xmldom@~0.8.4 (dist-tag latest) or @xmldom/xmldom@>=0.9.0-beta.4 (dist-tag next). As a workaround, please one of the following approaches depending on your use case: instead of searching for elements in the whole DOM, only search in the documentElementor reject a document with a document that has more then 1 childNode.
critical packages/node/twistcli_test/package-lock.json xmldom CVE-2022-37616 9.8 fixed in 0.8.3 A prototype pollution vulnerability exists in the function copy in dom.js in the xmldom (published as @xmldom/xmldom) package before 0.8.3 for Node.js via the p variable. NOTE: the vendor states "we are in the process of marking this report as invalid"; however, some third parties takes the position that "A prototype injection/Prototype pollution is not just when global objects are polluted with recursive merge or deep cloning but also when a target object is polluted."
critical packages/sub/pom.xml org.apache.logging.log4j_log4j-core CVE-2021-44228 10.0 fixed in 2.15.0, 2.12.2 Apache Log4j2 2.0-beta9 through 2.15.0 (excluding security releases 2.12.2, 2.12.3, and 2.3.1) JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default. From version 2.16.0 (along with 2.12.2, 2.12.3, and 2.3.1), this functionality has been completely removed. Note that this vulnerability is specific to log4j-core and does not affect log4net, log4cxx, or other Apache Logging Services projects.
critical packages/sub/pom.xml org.apache.logging.log4j_log4j-core CVE-2021-45046 9.0 fixed in 2.16.0, 2.12.2, 2.3.1 It was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations. This could allows attackers with control over Thread Context Map (MDC) input data when the logging configuration uses a non-default Pattern Layout with either a Context Lookup (for example, $${ctx:loginId}) or a Thread Context Map pattern (%X, %mdc, or %MDC) to craft malicious input data using a JNDI Lookup pattern resulting in an information leak and remote code execution in some environments and local code execution in all environments. Log4j 2.16.0 (Java 8) and 2.12.2 (Java 7) fix this issue by removing support for message lookup patterns and disabling JNDI functionality by default.
critical packages/sub/pom.xml org.springframework_spring-core CVE-2022-22965 9.8 fixed in 5.3.18, 5.2.20 A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, i.e. the default, it is not vulnerable to the exploit. However, the nature of the vulnerability is more general, and there may be other ways to exploit it.
high packages/requirements.txt django CVE-2016-7401 7.5 fixed in 1.9.10, 1.8.15 The cookie parsing code in Django before 1.8.15 and 1.9.x before 1.9.10, when used on a site with Google Analytics, allows remote attackers to bypass an intended CSRF protection mechanism by setting arbitrary cookies.
high packages/sub/.hidden/requirements.txt django CVE-2016-7401 7.5 fixed in 1.9.10, 1.8.15 The cookie parsing code in Django before 1.8.15 and 1.9.x before 1.9.10, when used on a site with Google Analytics, allows remote attackers to bypass an intended CSRF protection mechanism by setting arbitrary cookies.
high package-lock.json semver CVE-2022-25883 7.5 fixed in 7.5.2 Versions of the package semver before 7.5.2 are vulnerable to Regular Expression Denial of Service (ReDoS) via the function new Range, when untrusted user data is provided as a range.\r\r\r
high package-lock.json http-cache-semantics CVE-2022-25881 7.5 fixed in 4.1.1 This affects versions of the package http-cache-semantics before 4.1.1. The issue can be exploited via malicious request header values sent to a server, when that server reads the cache policy from the request using this library.\r\r
high packages/node/base/package-lock.json json5 CVE-2022-46175 8.8 fixed in 2.2.2, 1.0.2 JSON5 is an extension to the popular JSON file format that aims to be easier to write and maintain by hand (e.g. for config files). The parse method of the JSON5 library before and including versions 1.0.1 and 2.2.1 does not restrict parsing of keys named __proto__, allowing specially crafted strings to pollute the prototype of the resulting object. This vulnerability pollutes the prototype of the object returned by JSON5.parse and not the global Object prototype, which is the commonly understood definition of Prototype Pollution. However, polluting the prototype of a single object can have significant security impact for an application if the object is later used in trusted operations. This vulnerability could allow an attacker to set arbitrary and unexpected keys on the object returned from JSON5.parse. The actual impact will depend on how applications utilize the returned object and how they filter unwanted keys, but could include denial of service, cross-site scripting, elevation of privilege, and in extreme cases, remote code execution. JSON5.parse should restrict parsing of __proto__ keys when parsing JSON strings to objects. As a point of reference, the JSON.parse method included in JavaScript ignores __proto__ keys. Simply changing JSON5.parse to JSON.parse in the examples above mitigates this vulnerability. This vulnerability is patched in json5 ver
high packages/node/base/package-lock.json socket.io-parser CVE-2023-32695 7.5 fixed in 4.2.3, 3.4.3 socket.io parser is a socket.io encoder and decoder written in JavaScript complying with version 5 of socket.io-protocol. A specially crafted Socket.IO packet can trigger an uncaught exception on the Socket.IO server, thus killing the Node.js process. A patch has been released in version 4.2.3.
high packages/node/base/package-lock.json word-wrap CVE-2023-26115 7.5 fixed in 1.2.4 All versions of the package word-wrap are vulnerable to Regular Expression Denial of Service (ReDoS) due to the usage of an insecure regular expression within the result variable.\r\r
high packages/node/base/package-lock.json protobufjs CVE-2022-25878 7.5 fixed in 6.11.3 The package protobufjs before 6.11.3 are vulnerable to Prototype Pollution which can allow an attacker to add/modify properties of the Object.prototype. This vulnerability can occur in multiple ways: 1. by providing untrusted user input to util.setProperty or to ReflectionObject.setParsedOption functions 2. by parsing/loading .proto files
high packages/node/base/package-lock.json semver-regex CVE-2021-3795 7.5 fixed in 4.0.1, 3.1.3 semver-regex is vulnerable to Inefficient Regular Expression Complexity
high packages/node/base/package-lock.json adm-zip PRISMA-2021-0034 0.0 fixed in 0.5.3 adm-zip package versions before 0.5.3 are vulnerable to Directory Traversal. It could extract files outside the target folder. origin: cthackers/adm-zip@119dcad
high packages/node/base/package-lock.json async CVE-2021-43138 7.8 fixed in 2.6.4, 3.2.2 In Async before 2.6.4 and 3.x before 3.2.2, a malicious user can obtain privileges via the mapValues() method, aka lib/internal/iterator.js createObjectIterator prototype pollution.
high packages/node/base/package-lock.json validator CVE-2021-3765 7.5 fixed in 13.7.0 validator.js is vulnerable to Inefficient Regular Expression Complexity
high packages/node/base/package-lock.json http-cache-semantics CVE-2022-25881 7.5 fixed in 4.1.1 This affects versions of the package http-cache-semantics before 4.1.1. The issue can be exploited via malicious request header values sent to a server, when that server reads the cache policy from the request using this library.\r\r
high packages/node/base/package-lock.json shelljs CVE-2022-0144 7.1 fixed in 0.8.5 shelljs is vulnerable to Improper Privilege Management
high packages/node/base/package-lock.json qs CVE-2022-24999 7.5 fixed in 6.10.3 qs before 6.10.3, as used in Express before 4.17.3 and other products, allows attackers to cause a Node process hang for an Express application because an __ proto__ key can be used. In many typical Express use cases, an unauthenticated remote attacker can place the attack payload in the query string of the URL that is used to visit the application, such as a[proto]=b&a[proto]&a[length]=100000000. The fix was backported to qs 6.9.7, 6.8.3, 6.7.3, 6.6.1, 6.5.3, 6.4.1, 6.3.3, and 6.2.4 (and therefore Express 4.17.3, which has "deps: qs@6.9.7" in its release description, is not vulnerable).
high packages/node/base/package-lock.json marked CVE-2022-21681 7.5 fixed in 4.0.10 Marked is a markdown parser and compiler. Prior to version 4.0.10, the regular expression inline.reflinkSearch may cause catastrophic backtracking against some strings and lead to a denial of service (DoS). Anyone who runs untrusted markdown through a vulnerable version of marked and does not use a worker with a time limit may be affected. This issue is patched in version 4.0.10. As a workaround, avoid running untrusted markdown through marked or run marked on a worker thread and set a reasonable time limit to prevent draining resources.
high packages/node/base/package-lock.json marked CVE-2022-21680 7.5 fixed in 4.0.10 Marked is a markdown parser and compiler. Prior to version 4.0.10, the regular expression block.def may cause catastrophic backtracking against some strings and lead to a regular expression denial of service (ReDoS). Anyone who runs untrusted markdown through a vulnerable version of marked and does not use a worker with a time limit may be affected. This issue is patched in version 4.0.10. As a workaround, avoid running untrusted markdown through marked or run marked on a worker thread and set a reasonable time limit to prevent draining resources.
high packages/node/base/package-lock.json node-forge CVE-2022-24772 7.5 fixed in 1.3.0 Forge (also called node-forge) is a native implementation of Transport Layer Security in JavaScript. Prior to version 1.3.0, RSA PKCS#1 v1.5 signature verification code does not check for tailing garbage bytes after decoding a DigestInfo ASN.1 structure. This can allow padding bytes to be removed and garbage data added to forge a signature when a low public exponent is being used. The issue has been addressed in node-forge version 1.3.0. There are currently no known workarounds.
high packages/node/base/package-lock.json node-forge CVE-2022-24771 7.5 fixed in 1.3.0 Forge (also called node-forge) is a native implementation of Transport Layer Security in JavaScript. Prior to version 1.3.0, RSA PKCS#1 v1.5 signature verification code is lenient in checking the digest algorithm structure. This can allow a crafted structure that steals padding bytes and uses unchecked portion of the PKCS#1 encoded message to forge a signature when a low public exponent is being used. The issue has been addressed in node-forge version 1.3.0. There are currently no known workarounds.
high packages/node/base/package-lock.json semver CVE-2022-25883 7.5 fixed in 7.5.2 Versions of the package semver before 7.5.2 are vulnerable to Regular Expression Denial of Service (ReDoS) via the function new Range, when untrusted user data is provided as a range.\r\r\r
high packages/node/base/package-lock.json unset-value PRISMA-2022-0049 7.5 fixed in 2.0.1 unset-value package versions before 2.0.1 are vulnerable to Prototype Pollution. unset() function in index.js files allows for access to object prototype properties. An attacker can exploit this to override the behavior of object prototypes, resulting in a possible Denial of Service (DoS), Remote Code Execution (RCE), or other unexpected behavior.
high packages/node/base/package-lock.json minimatch CVE-2022-3517 7.5 fixed in 3.0.5 A vulnerability was found in the minimatch package. This flaw allows a Regular Expression Denial of Service (ReDoS) when calling the braceExpand function with specific arguments, resulting in a Denial of Service.
high packages/node/base/package-lock.json decode-uri-component CVE-2022-38900 7.5 fixed in 0.2.1 decode-uri-component 0.2.0 is vulnerable to Improper Input Validation resulting in DoS.
high packages/node/base/package-lock.json engine.io CVE-2022-21676 7.5 fixed in 6.1.1, 5.2.1, 4.1.2 Engine.IO is the implementation of transport-based cross-browser/cross-device bi-directional communication layer for Socket.IO. A specially crafted HTTP request can trigger an uncaught exception on the Engine.IO server, thus killing the Node.js process. This impacts all the users of the engine.io package starting from version 4.0.0, including those who uses depending packages like socket.io. Versions prior to 4.0.0 are not impacted. A fix has been released for each major branch, namely 4.1.2 for the 4.x.x branch, 5.2.1 for the 5.x.x branch, and 6.1.1 for the 6.x.x branch. There is no known workaround except upgrading to a safe version.
high packages/node/base/package-lock.json terser CVE-2022-25858 7.5 fixed in 5.14.2, 4.8.1 The package terser before 4.8.1, from 5.0.0 and before 5.14.2 are vulnerable to Regular Expression Denial of Service (ReDoS) due to insecure usage of regular expressions.
high packages/node/base/package-lock.json loader-utils CVE-2022-37599 7.5 fixed in 3.2.1, 2.0.4, 1.4.2 A Regular expression denial of service (ReDoS) flaw was found in Function interpolateName in interpolateName.js in webpack loader-utils 2.0.0 via the resourcePath variable in interpolateName.js.
high packages/node/base/package-lock.json loader-utils CVE-2022-37603 7.5 fixed in 3.2.1, 2.0.4, 1.4.2 A Regular expression denial of service (ReDoS) flaw was found in Function interpolateName in interpolateName.js in webpack loader-utils 2.0.0 via the url variable in interpolateName.js.
high packages/node/base/package-lock.json ua-parser-js CVE-2022-25927 7.5 fixed in 1.0.33, 0.7.33 Versions of the package ua-parser-js from 0.7.30 and before 0.7.33, from 0.8.1 and before 1.0.33 are vulnerable to Regular Expression Denial of Service (ReDoS) via the trim() function.\r\r
high packages/node/base/package-lock.json jszip CVE-2022-48285 7.3 fixed in 3.8.0 loadAsync in JSZip before 3.8.0 allows Directory Traversal via a crafted ZIP archive.
high packages/pom.xml org.apache.commons_commons-compress CVE-2019-12402 7.5 fixed in 1.19 The file name encoding algorithm used internally in Apache Commons Compress 1.15 to 1.18 can get into an infinite loop when faced with specially crafted inputs. This can lead to a denial of service attack if an attacker can choose the file names inside of an archive created by Compress.
high packages/pom.xml org.apache.commons_commons-compress CVE-2021-35515 7.5 fixed in 1.21 When reading a specially crafted 7Z archive, the construction of the list of codecs that decompress an entry can result in an infinite loop. This could be used to mount a denial of service attack against services that use Compress' sevenz package.
high packages/pom.xml org.apache.commons_commons-compress CVE-2021-35516 7.5 fixed in 1.21 When reading a specially crafted 7Z archive, Compress can be made to allocate large amounts of memory that finally leads to an out of memory error even for very small inputs. This could be used to mount a denial of service attack against services that use Compress' sevenz package.
high packages/pom.xml org.apache.commons_commons-compress CVE-2021-35517 7.5 fixed in 1.21 When reading a specially crafted TAR archive, Compress can be made to allocate large amounts of memory that finally leads to an out of memory error even for very small inputs. This could be used to mount a denial of service attack against services that use Compress' tar package.
high packages/pom.xml org.apache.commons_commons-compress CVE-2021-36090 7.5 fixed in 1.21 When reading a specially crafted ZIP archive, Compress can be made to allocate large amounts of memory that finally leads to an out of memory error even for very small inputs. This could be used to mount a denial of service attack against services that use Compress' zip package.
high packages/sub/pom.xml com.fasterxml.jackson.core_jackson-databind CVE-2022-42004 7.5 fixed in 2.13.4 In FasterXML jackson-databind before 2.13.4, resource exhaustion can occur because of a lack of a check in BeanDeserializer._deserializeFromArray to prevent use of deeply nested arrays. An application is vulnerable only with certain customized choices for deserialization.
high packages/sub/pom.xml com.fasterxml.jackson.core_jackson-databind CVE-2020-36518 7.5 fixed in 2.12.6.1, 2.13.2.1 jackson-databind before 2.13.0 allows a Java StackOverflow exception and denial of service via a large depth of nested objects.
high packages/sub/pom.xml com.fasterxml.jackson.core_jackson-databind CVE-2021-46877 7.5 fixed in 2.13.1, 2.12.6 jackson-databind 2.10.x through 2.12.x before 2.12.6 and 2.13.x before 2.13.1 allows attackers to cause a denial of service (2 GB transient heap usage per read) in uncommon situations involving JsonNode JDK serialization.
high packages/sub/pom.xml com.fasterxml.jackson.core_jackson-databind CVE-2022-42003 7.5 fixed in 2.13.4.1, 2.12.7.1 In FasterXML jackson-databind before versions 2.13.4.1 and 2.12.17.1, resource exhaustion can occur because of a lack of a check in primitive value deserializers to avoid deep wrapper array nesting, when the UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled.
high packages/sub/pom.xml org.apache.logging.log4j_log4j-core CVE-2021-45105 7.5 fixed in 2.17.0, 2.12.3, 2.3.1 Apache Log4j2 versions 2.0-alpha1 through 2.16.0 (excluding 2.12.3 and 2.3.1) did not protect from uncontrolled recursion from self-referential lookups. This allows an attacker with control over Thread Context Map data to cause a denial of service when a crafted string is interpreted. This issue was fixed in Log4j 2.17.0, 2.12.3, and 2.3.1.
high packages/sub/pom.xml org.apache.commons_commons-compress CVE-2021-35515 7.5 fixed in 1.21 When reading a specially crafted 7Z archive, the construction of the list of codecs that decompress an entry can result in an infinite loop. This could be used to mount a denial of service attack against services that use Compress' sevenz package.
high packages/sub/pom.xml org.apache.commons_commons-compress CVE-2021-35516 7.5 fixed in 1.21 When reading a specially crafted 7Z archive, Compress can be made to allocate large amounts of memory that finally leads to an out of memory error even for very small inputs. This could be used to mount a denial of service attack against services that use Compress' sevenz package.
high packages/sub/pom.xml org.apache.commons_commons-compress CVE-2021-35517 7.5 fixed in 1.21 When reading a specially crafted TAR archive, Compress can be made to allocate large amounts of memory that finally leads to an out of memory error even for very small inputs. This could be used to mount a denial of service attack against services that use Compress' tar package.
high packages/sub/pom.xml org.apache.commons_commons-compress CVE-2021-36090 7.5 fixed in 1.21 When reading a specially crafted ZIP archive, Compress can be made to allocate large amounts of memory that finally leads to an out of memory error even for very small inputs. This could be used to mount a denial of service attack against services that use Compress' zip package.
high packages/sub/pom.xml org.springframework_spring-core CVE-2023-20860 7.5 fixed in 6.0.7, 5.3.26 Spring Framework running version 6.0.0 - 6.0.6 or 5.3.0 - 5.3.25 using "**" as a pattern in Spring Security configuration with the mvcRequestMatcher creates a mismatch in pattern matching between Spring Security and Spring MVC, and the potential for a security bypass.
high packages/sub/pom.xml org.springframework_spring-core CVE-2021-22118 7.8 fixed in 5.3.7, 5.2.15 In Spring Framework, versions 5.2.x prior to 5.2.15 and versions 5.3.x prior to 5.3.7, a WebFlux application is vulnerable to a privilege escalation: by (re)creating the temporary storage directory, a locally authenticated malicious user can read or modify files that have been uploaded to the WebFlux application, or overwrite arbitrary files with multipart request data.
medium packages/requirements.txt django CVE-2016-6186 6.1 fixed in 1.9.8, 1.8.14 Cross-site scripting (XSS) vulnerability in the dismissChangeRelatedObjectPopup function in contrib/admin/static/admin/js/admin/RelatedObjectLookups.js in Django before 1.8.14, 1.9.x before 1.9.8, and 1.10.x before 1.10rc1 allows remote attackers to inject arbitrary web script or HTML via vectors involving unsafe usage of Element.innerHTML.
medium packages/requirements.txt django CVE-2021-33203 4.9 fixed in 3.2.4, 3.1.12, 2.2.24 Django before 2.2.24, 3.x before 3.1.12, and 3.2.x before 3.2.4 has a potential directory traversal via django.contrib.admindocs. Staff members could use the TemplateDetailView view to check the existence of arbitrary files. Additionally, if (and only if) the default admindocs templates have been customized by application developers to also show file contents, then not only the existence but also the file contents would have been exposed. In other words, there is directory traversal outside of the template root directories.
medium packages/requirements.txt django CVE-2015-0222 5.0 fixed in 1.7.3, 1.6.10, 1.4.18 ModelMultipleChoiceField in Django 1.6.x before 1.6.10 and 1.7.x before 1.7.3, when show_hidden_initial is set to True, allows remote attackers to cause a denial of service by submitting duplicate values, which triggers a large number of SQL queries.
medium packages/requirements.txt django CVE-2015-0221 5.0 fixed in 1.7.3, 1.6.10, 1.4.18 The django.views.static.serve view in Django before 1.4.18, 1.6.x before 1.6.10, and 1.7.x before 1.7.3 reads files an entire line at a time, which allows remote attackers to cause a denial of service (memory consumption) via a long line in a file.
medium packages/requirements.txt django CVE-2015-0220 4.3 fixed in 1.7.3, 1.6.10, 1.4.18 The django.util.http.is_safe_url function in Django before 1.4.18, 1.6.x before 1.6.10, and 1.7.x before 1.7.3 does not properly handle leading whitespaces, which allows remote attackers to conduct cross-site scripting (XSS) attacks via a crafted URL, related to redirect URLs, as demonstrated by a "\njavascript:" URL.
medium packages/requirements.txt django CVE-2015-0219 5.0 fixed in 1.7.3, 1.6.10, 1.4.18 Django before 1.4.18, 1.6.x before 1.6.10, and 1.7.x before 1.7.3 allows remote attackers to spoof WSGI headers by using an _ (underscore) character instead of a - (dash) character in an HTTP header, as demonstrated by an X-Auth_User header.
medium packages/requirements.txt django CVE-2015-2241 4.3 fixed in 1.8, 1.7.6 Cross-site scripting (XSS) vulnerability in the contents function in admin/helpers.py in Django before 1.7.6 and 1.8 before 1.8b2 allows remote attackers to inject arbitrary web script or HTML via a model attribute in ModelAdmin.readonly_fields, as demonstrated by a @Property.
medium packages/requirements.txt django CVE-2015-2317 4.3 fixed in 1.8.1, 1.7.7, 1.6.11,... The utils.http.is_safe_url function in Django before 1.4.20, 1.5.x, 1.6.x before 1.6.11, 1.7.x before 1.7.7, and 1.8.x before 1.8c1 does not properly validate URLs, which allows remote attackers to conduct cross-site scripting (XSS) attacks via a control character in a URL, as demonstrated by a \x08javascript: URL.
medium packages/requirements.txt django CVE-2015-8213 5.0 fixed in 1.8.7, 1.7.11, 1.7.x The get_format function in utils/formats.py in Django before 1.7.x before 1.7.11, 1.8.x before 1.8.7, and 1.9.x before 1.9rc2 might allow remote attackers to obtain sensitive application secrets via a settings key in place of a date/time format setting, as demonstrated by SECRET_KEY.
medium packages/requirements.txt django CVE-2015-5144 4.3 fixed in 1.8.3, 1.7.10, 1.7.9,... Django before 1.4.21, 1.5.x through 1.6.x, 1.7.x before 1.7.9, and 1.8.x before 1.8.3 uses an incorrect regular expression, which allows remote attackers to inject arbitrary headers and conduct HTTP response splitting attacks via a newline character in an (1) email message to the EmailValidator, a (2) URL to the URLValidator, or unspecified vectors to the (3) validate_ipv4_address or (4) validate_slug validator.
medium packages/sub/.hidden/requirements.txt django CVE-2016-6186 6.1 fixed in 1.9.8, 1.8.14 Cross-site scripting (XSS) vulnerability in the dismissChangeRelatedObjectPopup function in contrib/admin/static/admin/js/admin/RelatedObjectLookups.js in Django before 1.8.14, 1.9.x before 1.9.8, and 1.10.x before 1.10rc1 allows remote attackers to inject arbitrary web script or HTML via vectors involving unsafe usage of Element.innerHTML.
medium packages/sub/.hidden/requirements.txt django CVE-2021-33203 4.9 fixed in 3.2.4, 3.1.12, 2.2.24 Django before 2.2.24, 3.x before 3.1.12, and 3.2.x before 3.2.4 has a potential directory traversal via django.contrib.admindocs. Staff members could use the TemplateDetailView view to check the existence of arbitrary files. Additionally, if (and only if) the default admindocs templates have been customized by application developers to also show file contents, then not only the existence but also the file contents would have been exposed. In other words, there is directory traversal outside of the template root directories.
medium packages/sub/.hidden/requirements.txt django CVE-2015-0222 5.0 fixed in 1.7.3, 1.6.10, 1.4.18 ModelMultipleChoiceField in Django 1.6.x before 1.6.10 and 1.7.x before 1.7.3, when show_hidden_initial is set to True, allows remote attackers to cause a denial of service by submitting duplicate values, which triggers a large number of SQL queries.
medium packages/sub/.hidden/requirements.txt django CVE-2015-0221 5.0 fixed in 1.7.3, 1.6.10, 1.4.18 The django.views.static.serve view in Django before 1.4.18, 1.6.x before 1.6.10, and 1.7.x before 1.7.3 reads files an entire line at a time, which allows remote attackers to cause a denial of service (memory consumption) via a long line in a file.
medium packages/sub/.hidden/requirements.txt django CVE-2015-0220 4.3 fixed in 1.7.3, 1.6.10, 1.4.18 The django.util.http.is_safe_url function in Django before 1.4.18, 1.6.x before 1.6.10, and 1.7.x before 1.7.3 does not properly handle leading whitespaces, which allows remote attackers to conduct cross-site scripting (XSS) attacks via a crafted URL, related to redirect URLs, as demonstrated by a "\njavascript:" URL.
medium packages/sub/.hidden/requirements.txt django CVE-2015-0219 5.0 fixed in 1.7.3, 1.6.10, 1.4.18 Django before 1.4.18, 1.6.x before 1.6.10, and 1.7.x before 1.7.3 allows remote attackers to spoof WSGI headers by using an _ (underscore) character instead of a - (dash) character in an HTTP header, as demonstrated by an X-Auth_User header.
medium packages/sub/.hidden/requirements.txt django CVE-2015-2241 4.3 fixed in 1.8, 1.7.6 Cross-site scripting (XSS) vulnerability in the contents function in admin/helpers.py in Django before 1.7.6 and 1.8 before 1.8b2 allows remote attackers to inject arbitrary web script or HTML via a model attribute in ModelAdmin.readonly_fields, as demonstrated by a @Property.
medium packages/sub/.hidden/requirements.txt django CVE-2015-2317 4.3 fixed in 1.8.1, 1.7.7, 1.6.11,... The utils.http.is_safe_url function in Django before 1.4.20, 1.5.x, 1.6.x before 1.6.11, 1.7.x before 1.7.7, and 1.8.x before 1.8c1 does not properly validate URLs, which allows remote attackers to conduct cross-site scripting (XSS) attacks via a control character in a URL, as demonstrated by a \x08javascript: URL.
medium packages/sub/.hidden/requirements.txt django CVE-2015-8213 5.0 fixed in 1.8.7, 1.7.11, 1.7.x The get_format function in utils/formats.py in Django before 1.7.x before 1.7.11, 1.8.x before 1.8.7, and 1.9.x before 1.9rc2 might allow remote attackers to obtain sensitive application secrets via a settings key in place of a date/time format setting, as demonstrated by SECRET_KEY.
medium packages/sub/.hidden/requirements.txt django CVE-2015-5144 4.3 fixed in 1.8.3, 1.7.10, 1.7.9,... Django before 1.4.21, 1.5.x through 1.6.x, 1.7.x before 1.7.9, and 1.8.x before 1.8.3 uses an incorrect regular expression, which allows remote attackers to inject arbitrary headers and conduct HTTP response splitting attacks via a newline character in an (1) email message to the EmailValidator, a (2) URL to the URLValidator, or unspecified vectors to the (3) validate_ipv4_address or (4) validate_slug validator.
medium package-lock.json got CVE-2022-33987 5.3 fixed in 12.1.0 The got package before 12.1.0 (also fixed in 11.8.5) for Node.js allows a redirect to a UNIX socket.
medium packages/node/base/package-lock.json log4js CVE-2022-21704 5.5 fixed in 6.4.0 log4js-node is a port of log4js to node.js. In affected versions default file permissions for log files created by the file, fileSync and dateFile appenders are world-readable (in unix). This could cause problems if log files contain sensitive information. This would affect any users that have not supplied their own permissions for the files via the mode parameter in the config. Users are advised to update.
medium packages/node/base/package-lock.json file-type CVE-2022-36313 5.5 fixed in 17.1.3, 16.5.4 An issue was discovered in the file-type package before 16.5.4 and 17.x before 17.1.3 for Node.js. A malformed MKV file could cause the file type detector to get caught in an infinite loop. This would make the application become unresponsive and could be used to cause a DoS attack.
medium packages/node/base/package-lock.json karma CVE-2021-23495 6.1 fixed in 6.3.16 The package karma before 6.3.16 are vulnerable to Open Redirect due to missing validation of the return_url query parameter.
medium packages/node/base/package-lock.json karma CVE-2022-0437 6.1 fixed in 6.3.14 Cross-site Scripting (XSS) - DOM in NPM karma prior to 6.3.14.
medium packages/node/base/package-lock.json istanbul-reports PRISMA-2022-0005 5.3 fixed in 3.1.3 istanbul-reports package versions before 3.1.3 are vulnerable to Reverse Tabnabbing. Tabnabbing - "it's the capacity to act on parent page's content or location from a newly opened page via the backlink exposed by the opener javascript object instance." This vulnerability usually manifests when either The "target" attribute is used to specify the target location in an anchor tag to open 3rd party URL/resource(s) without including the attribute rel="noopener,noreferrer " in the anchor tag.
medium packages/node/base/package-lock.json nanoid CVE-2021-23566 5.5 fixed in 3.1.31 The package nanoid from 3.0.0 and before 3.1.31 are vulnerable to Information Exposure via the valueOf() function which allows to reproduce the last id generated.
medium packages/node/base/package-lock.json follow-redirects CVE-2022-0155 6.5 fixed in 1.14.7 follow-redirects is vulnerable to Exposure of Private Personal Information to an Unauthorized Actor
medium packages/node/base/package-lock.json follow-redirects CVE-2022-0536 5.9 fixed in 1.14.8 Improper Removal of Sensitive Information Before Storage or Transfer in NPM follow-redirects prior to 1.14.8.
medium packages/node/base/package-lock.json validator PRISMA-2021-0063 5.3 fixed in 13.6.0 validator package versions before 13.6.0 are vulnerable to ReDOS (Regular Expression Denial of Service) via isEmail and isHSL. The vulnerability can happen when checking if the crafted string is an email.
moderate packages/node/base/package-lock.json shelljs GHSA-64g7-mvw6-v9qj 4.0 fixed in 0.8.5 ### Impact Output from the synchronous version of shell.exec() may be visible to other users on the same system. You may be affected if you execute shell.exec() in multi-user Mac, Linux, or WSL environments, or if you execute shell.exec() as the root user. Other shelljs functions (including the asynchronous version of shell.exec()) are not impacted. ### Patches Patched in shelljs 0.8.5 ### Workarounds Recommended action is to upgrade to 0.8.5. ### References https://huntr.dev/bounties/50996581-c08e-4eed-a90e-c0bac082679c/ ### For more information If you have any questions or comments about this advisory: * Ask at shelljs/shelljs#1058 * Open an issue at https://github.com/shelljs/shelljs/issues/new
medium packages/node/base/package-lock.json marked PRISMA-2021-0013 0.0 fixed in 1.1.1 marked package prior to 1.1.1 are vulnerable to Regular Expression Denial of Service (ReDoS). The regex within src/rules.js file have multiple unused capture groups which could lead to a denial of service attack if user input is reachable. Origin: markedjs/marked@bd4f8c4
moderate packages/node/base/package-lock.json node-forge CVE-2022-0122 6.1 fixed in 1.0.0 forge is vulnerable to URL Redirection to Untrusted Site
moderate packages/node/base/package-lock.json node-forge CVE-2022-24773 5.3 fixed in 1.3.0 Forge (also called node-forge) is a native implementation of Transport Layer Security in JavaScript. Prior to version 1.3.0, RSA PKCS#1 v1.5 signature verification code does not properly check DigestInfo for a proper ASN.1 structure. This can lead to successful verification with signatures that contain invalid structures but a valid digest. The issue has been addressed in node-forge version 1.3.0. There are currently no known workarounds.
medium packages/node/base/package-lock.json node-fetch CVE-2022-0235 6.1 fixed in 3.1.1, 2.6.7 node-fetch is vulnerable to Exposure of Sensitive Information to an Unauthorized Actor
medium packages/node/base/package-lock.json xmldom CVE-2021-32796 5.3 fixed in 0.7.0 xmldom is an open source pure JavaScript W3C standard-based (XML DOM Level 2 Core) DOMParser and XMLSerializer module. xmldom versions 0.6.0 and older do not correctly escape special characters when serializing elements removed from their ancestor. This may lead to unexpected syntactic changes during XML processing in some downstream applications. This issue has been resolved in version 0.7.0. As a workaround downstream applications can validate the input and reject the maliciously crafted documents.
moderate packages/node/base/package-lock.json xml2js CVE-2023-0842 5.3 fixed in 0.5.0 xml2js version 0.4.23 allows an external attacker to edit or add new properties to an object. This is possible because the application does not properly validate incoming JSON keys, thus allowing the proto property to be edited.
medium packages/node/base/package-lock.json decode-uri-component CVE-2022-38778 6.5 fixed in 0.2.1 A flaw (CVE-2022-38900) was discovered in one of Kibana’s third party dependencies, that could allow an authenticated user to perform a request that crashes the Kibana server process.
medium packages/node/base/package-lock.json engine.io CVE-2023-31125 6.5 fixed in 6.4.2 Engine.IO is the implementation of transport-based cross-browser/cross-device bi-directional communication layer for Socket.IO. An uncaught exception vulnerability was introduced in version 5.1.0 and included in version 4.1.0 of the socket.io parent package. Older versions are not impacted. A specially crafted HTTP request can trigger an uncaught exception on the Engine.IO server, thus killing the Node.js process. This impacts all the users of the engine.io package, including those who use depending packages like socket.io. This issue was fixed in version 6.4.2 of Engine.IO. There is no known workaround except upgrading to a safe version.
medium packages/node/base/package-lock.json got CVE-2022-33987 5.3 fixed in 12.1.0 The got package before 12.1.0 (also fixed in 11.8.5) for Node.js allows a redirect to a UNIX socket.
moderate packages/node/base/package-lock.json @actions/core CVE-2022-35954 5.0 fixed in 1.9.1 The GitHub Actions ToolKit provides a set of packages to make creating actions easier. The core.exportVariable function uses a well known delimiter that attackers can use to break out of that specific variable and assign values to other arbitrary variables. Workflows that write untrusted values to the GITHUB_ENV file may cause the path or other environment variables to be modified without the intention of the workflow or action author. Users should upgrade to @actions/core v1.9.1. If you are unable to upgrade the @actions/core package, you can modify your action to ensure that any user input does not contain the delimiter _GitHubActionsFileCommandDelimeter_ before calling core.exportVariable.
medium packages/node/base/package-lock.json vm2 CVE-2023-32313 5.3 fixed in 3.9.18 vm2 is a sandbox that can run untrusted code with Node's built-in modules. In versions 3.9.17 and lower of vm2 it was possible to get a read-write reference to the node inspect method and edit options for console.log. As a result a threat actor can edit options for the console.log command. This vulnerability was patched in the release of version 3.9.18 of vm2. Users are advised to upgrade. Users unable to upgrade may make the inspect method readonly with vm.readonly(inspect) after creating a vm.
medium packages/node/base/package-lock.json postcss CVE-2023-44270 5.3 fixed in 8.4.31 An issue was discovered in PostCSS before 8.4.31. The vulnerability affects linters using PostCSS to parse external untrusted CSS. An attacker can prepare CSS in such a way that it will contains parts parsed by PostCSS as a CSS comment. After processing by PostCSS, it will be included in the PostCSS output in CSS nodes (rules, properties) despite being included in a comment.
moderate packages/node/base/package-lock.json json-ptr CVE-2021-23509 5.6 fixed in 3.0.0 This affects the package json-ptr before 3.0.0. A type confusion vulnerability can lead to a bypass of CVE-2020-7766 when the user-provided keys used in the pointer parameter are arrays.
medium packages/node/twistcli_test/package-lock.json xmldom CVE-2021-32796 5.3 fixed in 0.7.0 xmldom is an open source pure JavaScript W3C standard-based (XML DOM Level 2 Core) DOMParser and XMLSerializer module. xmldom versions 0.6.0 and older do not correctly escape special characters when serializing elements removed from their ancestor. This may lead to unexpected syntactic changes during XML processing in some downstream applications. This issue has been resolved in version 0.7.0. As a workaround downstream applications can validate the input and reject the maliciously crafted documents.
medium packages/pom.xml org.apache.commons_commons-compress CVE-2018-11771 5.5 fixed in 1.18 When reading a specially crafted ZIP archive, the read method of Apache Commons Compress 1.7 to 1.17's ZipArchiveInputStream can fail to return the correct EOF indication after the end of the stream has been reached. When combined with a java.io.InputStreamReader this can lead to an infinite stream, which can be used to mount a denial of service attack against services that use Compress' zip package.
medium packages/pom.xml org.apache.commons_commons-compress CVE-2018-1324 5.5 fixed in 1.16 A specially crafted ZIP archive can be used to cause an infinite loop inside of Apache Commons Compress' extra field parser used by the ZipFile and ZipArchiveInputStream classes in versions 1.11 to 1.15. This can be used to mount a denial of service attack against services that use Compress' zip package.
medium packages/sub/pom.xml com.fasterxml.jackson.core_jackson-databind CVE-2023-35116 4.7 fixed in 2.16.0 jackson-databind through 2.15.2 allows attackers to cause a denial of service or other unspecified impact via a crafted object that uses cyclic dependencies. NOTE: the vendor's perspective is that this is not a valid vulnerability report, because the steps of constructing a cyclic data structure and trying to serialize it cannot be achieved by an external attacker.
medium packages/sub/pom.xml org.apache.logging.log4j_log4j-core CVE-2021-44832 6.6 fixed in 2.17.1, 2.12.4, 2.3.2 Apache Log4j2 versions 2.0-beta7 through 2.17.0 (excluding security fix releases 2.3.2 and 2.12.4) are vulnerable to a remote code execution (RCE) attack when a configuration uses a JDBC Appender with a JNDI LDAP data source URI when an attacker has control of the target LDAP server. This issue is fixed by limiting JNDI data source names to the java protocol in Log4j2 versions 2.17.1, 2.12.4, and 2.3.2.
medium packages/sub/pom.xml org.springframework_spring-core CVE-2023-20863 6.5 fixed in 6.0.8, 5.3.27, 5.2.24 In spring framework versions prior to 5.2.24 release+ ,5.3.27+ and 6.0.8+ , it is possible for a user to provide a specially crafted SpEL expression that may cause a denial-of-service (DoS) condition.
medium packages/sub/pom.xml org.springframework_spring-core CVE-2023-20861 6.5 fixed in 6.0.7, 5.3.26, 5.2.23 In Spring Framework versions 6.0.0 - 6.0.6, 5.3.0 - 5.3.25, 5.2.0.RELEASE - 5.2.22.RELEASE, and older unsupported versions, it is possible for a user to provide a specially crafted SpEL expression that may cause a denial-of-service (DoS) condition.
medium packages/sub/pom.xml org.springframework_spring-core CVE-2021-22060 4.3 fixed in 5.3.14, 5.2.19 In Spring Framework versions 5.3.0 - 5.3.13, 5.2.0 - 5.2.18, and older unsupported versions, it is possible for a user to provide malicious input to cause the insertion of additional log entries. This is a follow-up to CVE-2021-22096 that protects against additional types of input and in more places of the Spring Framework codebase.
medium packages/sub/pom.xml org.springframework_spring-core CVE-2021-22096 4.3 fixed in 5.3.11, 5.2.18 In Spring Framework versions 5.3.0 - 5.3.10, 5.2.0 - 5.2.17, and older unsupported versions, it is possible for a user to provide malicious input to cause the insertion of additional log entries.
medium packages/sub/pom.xml org.springframework_spring-core CVE-2022-22971 6.5 fixed in 5.3.20, 5.2.22 In spring framework versions prior to 5.3.20+ , 5.2.22+ and old unsupported versions, application with a STOMP over WebSocket endpoint is vulnerable to a denial of service attack by an authenticated user.
medium packages/sub/pom.xml org.springframework_spring-core CVE-2022-22970 5.3 fixed in 5.3.20, 5.2.22 In spring framework versions prior to 5.3.20+ , 5.2.22+ and old unsupported versions, applications that handle file uploads are vulnerable to DoS attack if they rely on data binding to set a MultipartFile or javax.servlet.Part to a field in a model object.
medium packages/sub/pom.xml org.springframework_spring-core CVE-2022-22968 5.3 fixed in 5.3.19, 5.2.0 In Spring Framework versions 5.3.0 - 5.3.18, 5.2.0 - 5.2.20, and older unsupported versions, the patterns for disallowedFields on a DataBinder are case sensitive which means a field is not effectively protected unless it is listed with both upper and lower case for the first character of the field, including upper and lower case for the first character of all nested fields within the property path.
medium packages/sub/pom.xml org.springframework_spring-core CVE-2022-22950 6.5 fixed in 5.3.17, 5.2.20 n Spring Framework versions 5.3.0 - 5.3.16 and older unsupported versions, it is possible for a user to provide a specially crafted SpEL expression that may cause a denial of service condition.
low packages/node/base/package-lock.json semver-regex CVE-2021-43307 7.5 fixed in 4.0.3, 3.1.4 An exponential ReDoS (Regular Expression Denial of Service) can be triggered in the semver-regex npm package, when an attacker is able to supply arbitrary input to the test() method
low packages/node/base/package-lock.json node-forge GHSA-gf8q-jrpm-jvxq 1.0 fixed in 1.0.0 ### Impact The regex used for the forge.util.parseUrl API would not properly parse certain inputs resulting in a parsed data structure that could lead to undesired behavior. ### Patches forge.util.parseUrl and other very old related URL APIs were removed in 1.0.0 in favor of letting applications use the more modern WHATWG URL Standard API. ### Workarounds Ensure code does not directly or indirectly call forge.util.parseUrl with untrusted input. ### References - https://www.huntr.dev/bounties/41852c50-3c6d-4703-8c55-4db27164a4ae/ ### For more information If you have any questions or comments about this advisory: * Open an issue in forge * Email us at support@digitalbazaar.com
low packages/node/base/package-lock.json node-forge GHSA-5rrq-pxf6-6jx5 1.0 fixed in 1.0.0 ### Impact The forge.debug API had a potential prototype pollution issue if called with untrusted input. The API was only used for internal debug purposes in a safe way and never documented or advertised. It is suspected that uses of this API, if any exist, would likely not have used untrusted inputs in a vulnerable way. ### Patches The forge.debug API and related functions were removed in 1.0.0. ### Workarounds Don't use the forge.debug API directly or indirectly with untrusted input. ### References - https://www.huntr.dev/bounties/1-npm-node-forge/ ### For more information If you have any questions or comments about this advisory: * Open an issue in forge. * Email us at support@digitalbazaar.com.

prisma-cloud-devsecops[bot]
prisma-cloud-devsecops bot reviewed Jan 4, 2024
View reviewed changes
Copy link

@prisma-cloud-devsecops prisma-cloud-devsecops bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Prisma Cloud has found errors in this PR ⬇️

packages/requirements.txt Outdated
@@ -1,2 +1,2 @@
django==1.2
django == 3.2.4
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

django 3.2.4 / requirements.txt

Total vulnerabilities: 19

Critical: 5 High: 12 Medium: 2 Low: 0
Vulnerability IDSeverityCVSSFixed inStatus
CVE-2021-35042 CRITICAL CRITICAL 9.8 3.2.5 Open
CVE-2022-28346 CRITICAL CRITICAL 9.8 3.2.13 Open
CVE-2022-28347 CRITICAL CRITICAL 9.8 3.2.13 Open
CVE-2022-34265 CRITICAL CRITICAL 9.8 3.2.14 Open
CVE-2023-31047 CRITICAL CRITICAL 9.8 3.2.19 Open
CVE-2023-41164 HIGH HIGH 7.5 3.2.21 Open
CVE-2023-43665 HIGH HIGH 7.5 3.2.22 Open
CVE-2023-46695 HIGH HIGH 7.5 3.2.23 Open
CVE-2021-45116 HIGH HIGH 7.5 3.2.11 Open
CVE-2021-45115 HIGH HIGH 7.5 3.2.11 Open
CVE-2021-44420 HIGH HIGH 7.3 3.2.10 Open
CVE-2022-23833 HIGH HIGH 7.5 3.2.12 Open
CVE-2022-36359 HIGH HIGH 8.8 3.2.15 Open
CVE-2022-41323 HIGH HIGH 7.5 3.2.16 Open
CVE-2023-23969 HIGH HIGH 7.5 3.2.17 Open
CVE-2023-24580 HIGH HIGH 7.5 3.2.18 Open
CVE-2023-36053 HIGH HIGH 7.5 3.2.20 Open
CVE-2021-45452 MEDIUM MEDIUM 5.3 3.2.11 Open
CVE-2022-22818 MEDIUM MEDIUM 6.1 3.2.12 Open

packages/sub/.hidden/requirements.txt Outdated
@@ -1,2 +1,2 @@
django==1.2
django == 3.2.4
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

django 3.2.4 / requirements.txt

Total vulnerabilities: 19

Critical: 5 High: 12 Medium: 2 Low: 0
Vulnerability IDSeverityCVSSFixed inStatus
CVE-2021-35042 CRITICAL CRITICAL 9.8 3.2.5 Open
CVE-2022-28346 CRITICAL CRITICAL 9.8 3.2.13 Open
CVE-2022-28347 CRITICAL CRITICAL 9.8 3.2.13 Open
CVE-2022-34265 CRITICAL CRITICAL 9.8 3.2.14 Open
CVE-2023-31047 CRITICAL CRITICAL 9.8 3.2.19 Open
CVE-2023-41164 HIGH HIGH 7.5 3.2.21 Open
CVE-2023-43665 HIGH HIGH 7.5 3.2.22 Open
CVE-2023-46695 HIGH HIGH 7.5 3.2.23 Open
CVE-2021-45116 HIGH HIGH 7.5 3.2.11 Open
CVE-2021-45115 HIGH HIGH 7.5 3.2.11 Open
CVE-2021-44420 HIGH HIGH 7.3 3.2.10 Open
CVE-2022-23833 HIGH HIGH 7.5 3.2.12 Open
CVE-2022-36359 HIGH HIGH 8.8 3.2.15 Open
CVE-2022-41323 HIGH HIGH 7.5 3.2.16 Open
CVE-2023-23969 HIGH HIGH 7.5 3.2.17 Open
CVE-2023-24580 HIGH HIGH 7.5 3.2.18 Open
CVE-2023-36053 HIGH HIGH 7.5 3.2.20 Open
CVE-2021-45452 MEDIUM MEDIUM 5.3 3.2.11 Open
CVE-2022-22818 MEDIUM MEDIUM 6.1 3.2.12 Open

packages/sub/pom.xml Outdated
@@ -40,12 +40,12 @@
<dependency>
<groupId>org.apache.commons</groupId>
<artifactId>commons-compress</artifactId>
<version>1.20</version>
<version>1.21</version>
</dependency>
<dependency>
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

org.springframework:spring-core 6.0.8 / pom.xml

Total vulnerabilities: 2

Critical: 1 High: 1 Medium: 0 Low: 0
Vulnerability IDSeverityCVSSFixed inStatus
CVE-2023-44794 CRITICAL CRITICAL 9.8 - Open
CVE-2023-34053 HIGH HIGH 7.5 6.0.14 Open

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@prisma-cloud-devsecops prisma-cloud-devsecops[bot] prisma-cloud-devsecops left review comments

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
1 participant
@bridgeit-devops-bot