Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Bulk vulnerability fix - Lockfile fix #1

Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

Bulk vulnerability fix - Lockfile fix #1

wants to merge 1 commit into from

Conversation

debricked[bot]
Copy link

@debricked debricked bot commented Jul 1, 2021

Bulk vulnerability fix - Lockfile fix

This pull request will update your transitive dependencies within the allowed version intervals provided by your direct dependencies.

Fixed vulnerabilities:

CVE–2020–7774
CVE–2020–28168
  • Description

    Server-Side Request Forgery (SSRF)

    The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.

    NVD

    Axios NPM package 0.21.0 contains a Server-Side Request Forgery (SSRF) vulnerability where an attacker is able to bypass a proxy by providing a URL that responds with a redirect to a restricted host or IP address.

    GitHub

    Server-Side Request Forgery in Axios

    Axios NPM package 0.21.0 contains a Server-Side Request Forgery (SSRF) vulnerability where an attacker is able to bypass a proxy by providing a URL that responds with a redirect to a restricted host or IP address.

  • CVSS details - 5.9

     

    CVSS3 metrics
    Attack Vector Network
    Attack Complexity High
    Privileges Required None
    User interaction None
    Scope Unchanged
    Confidentiality High
    Integrity None
    Availability None
  • References

        Pony Mail!
        Requests that follow a redirect are not passing via the proxy · Issue #3369 · axios/axios · GitHub
        Pony Mail!
        Pony Mail!
        Server-Side Request Forgery in Axios · CVE-2020-28168 · GitHub Advisory Database · GitHub
        NVD - CVE-2020-28168

CVE–2021–23343
  • Description

    NVD

    All versions of package path-parse are vulnerable to Regular Expression Denial of Service (ReDoS) via splitDeviceRe, splitTailRe, and splitPathRe regular expressions. ReDoS exhibits polynomial worst-case time complexity.

  • CVSS details - 7.5

     

    CVSS3 metrics
    Attack Vector Network
    Attack Complexity Low
    Privileges Required None
    User interaction None
    Scope Unchanged
    Confidentiality None
    Integrity None
    Availability High
  • References

        ReDoS in path-parse · Issue #8 · jbgutierrez/path-parse · GitHub
        Pony Mail!

CVE–2021–23362
CVE–2021–32640
  • Description

    Uncontrolled Resource Consumption

    The software does not properly control the allocation and maintenance of a limited resource thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources.

    NVD

    ws is an open source WebSocket client and server library for Node.js. A specially crafted value of the Sec-Websocket-Protocol header can be used to significantly slow down a ws server. The vulnerability has been fixed in ws@7.4.6 (websockets/ws@00c425e). In vulnerable versions of ws, the issue can be mitigated by reducing the maximum allowed length of the request headers using the --max-http-header-size=size and/or the maxHeaderSize options.

    GitHub

    ReDoS in Sec-Websocket-Protocol header

    Impact

    A specially crafted value of the Sec-Websocket-Protocol header can be used to significantly slow down a ws server.

    Proof of concept

    for (const length of [1000, 2000, 4000, 8000, 16000, 32000]) {
  const value = 'b' + ' '.repeat(length) + 'x';
  const start = process.hrtime.bigint();

  value.trim().split(/ *, */);

  const end = process.hrtime.bigint();

  console.log('length = %d, time = %f ns', length, end - start);
}

    Patches

    The vulnerability was fixed in ws@7.4.6 (websockets/ws@00c425e) and backported to ws@6.2.2 (websockets/ws@78c676d) and ws@5.2.3 (websockets/ws@76d47c1).

    Workarounds

    In vulnerable versions of ws, the issue can be mitigated by reducing the maximum allowed length of the request headers using the --max-http-header-size=size and/or the maxHeaderSize options.

    Credits

    The vulnerability was responsibly disclosed along with a fix in private by Robert McLaughlin from University of California, Santa Barbara.

  • CVSS details - 5.3

     

    CVSS3 metrics
    Attack Vector Network
    Attack Complexity Low
    Privileges Required None
    User interaction None
    Scope Unchanged
    Confidentiality None
    Integrity None
    Availability Low
  • References

        ReDoS in Sec-Websocket-Protocol header · Advisory · websockets/ws · GitHub
        [security] Fix ReDoS vulnerability · websockets/ws@00c425e · GitHub

CVE–2021–33502
  • Description

    NVD

    The normalize-url package before 4.5.1, 5.x before 5.3.1, and 6.x before 6.0.1 for Node.js has a ReDoS (regular expression denial of service) issue because it has exponential performance for data: URLs.

    GitHub

    ReDoS in normalize-url

    The normalize-url package before 4.5.1, 5.x before 5.3.1, and 6.x before 6.0.1 for Node.js has a ReDoS (regular expression denial of service) issue because it has exponential performance for data: URLs.

  • CVSS details - 7.5

     

    CVSS3 metrics
    Attack Vector Network
    Attack Complexity Low
    Privileges Required None
    User interaction None
    Scope Unchanged
    Confidentiality None
    Integrity None
    Availability High
  • References

        Release v6.0.1 · sindresorhus/normalize-url · GitHub

CVE–2020–15366
  • Description

    Improper Input Validation

    The product does not validate or incorrectly validates input that can affect the control flow or data flow of a program.

    NVD

    An issue was discovered in ajv.validate() in Ajv (aka Another JSON Schema Validator) 6.12.2. A carefully crafted JSON schema could be provided that allows execution of other code by prototype pollution. (While untrusted schemas are recommended against, the worst case of an untrusted schema should be a denial of service, not execution of code.)

  • CVSS details - 5.6

     

    CVSS3 metrics
    Attack Vector Network
    Attack Complexity High
    Privileges Required None
    User interaction None
    Scope Unchanged
    Confidentiality Low
    Integrity Low
    Availability Low
  • References

        Release v6.12.3 · ajv-validator/ajv · GitHub
        Tags · ajv-validator/ajv · GitHub
        HackerOne

CVE–2020–28469
  • Description

    Uncontrolled Resource Consumption

    The software does not properly control the allocation and maintenance of a limited resource thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources.

    NVD

    This affects the package glob-parent before 5.1.2. The enclosure regex used to check for strings ending in enclosure containing path separator.

    GitHub

    Regular expression denial of service

    This affects the package glob-parent before 5.1.2. The enclosure regex used to check for strings ending in enclosure containing path separator.

  • CVSS details - 7.5

     

    CVSS3 metrics
    Attack Vector Network
    Attack Complexity Low
    Privileges Required None
    User interaction None
    Scope Unchanged
    Confidentiality None
    Integrity None
    Availability High
  • References

        fix: eliminate ReDoS by Trott · Pull Request #36 · gulpjs/glob-parent · GitHub
        MISC
        Release v5.1.2 · gulpjs/glob-parent · GitHub

 

Related information

📌 Remember! Check the changes to ensure they don't introduce any breaking changes.
📚 Read more at Debricked

 

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
0 participants