Yarn Audit Report #1066
Comments
Interestingly the only one that GitHub itself warns of is |
Down to 3 issues as of the latest commit e726089 – two of which are |
I was mistaken, |
Glad to see this fixed 👍 |
closes outline#1066
Generated using:
7 unique from 192 known vulnerabilities | 27645 dependencies
high Prototype Pollution
Module: set-value
Installed version: 2.0.0
Published: 6/20/2019, 8:05:11 PM
Reported by: Jon Schlinkert
CWE-471
CVE-2019-10747
Vulnerable: <2.0.1 || >=3.0.0 <3.0.1
Patched: >=2.0.1 <3.0.0 || >=3.0.1
CVSS: 5
Overview
Versions of set-value prior to 3.0.1 or 2.0.1 are vulnerable to Prototype Pollution. The set function fails to validate which Object properties it updates. This allows attackers to modify the prototype of Object, causing the addition or modification of an existing property on all objects.
Remediation
If you are using set-value 3.x, upgrade to version 3.0.1 or later. If you are using set-value 2.x, upgrade to version 2.0.1 or later.
References
More about this vulnerability
high Prototype Pollution
Module: set-value
Installed version: 0.4.3
Published: 6/20/2019, 8:05:11 PM
Reported by: Jon Schlinkert
CWE-471
CVE-2019-10747
Vulnerable: <2.0.1 || >=3.0.0 <3.0.1
Patched: >=2.0.1 <3.0.0 || >=3.0.1
CVSS: 5
Overview
Versions of set-value prior to 3.0.1 or 2.0.1 are vulnerable to Prototype Pollution. The set function fails to validate which Object properties it updates. This allows attackers to modify the prototype of Object, causing the addition or modification of an existing property on all objects.
Remediation
If you are using set-value 3.x, upgrade to version 3.0.1 or later. If you are using set-value 2.x, upgrade to version 2.0.1 or later.
References
More about this vulnerability
high SQL Injection
Module: sequelize
Installed version: 5.8.12
Published: 9/6/2019, 1:56:35 AM
Reported by: Unknown
CWE-89
CVE-2019-10752
Vulnerable: <4.44.3 || >=5.0.0 <5.15.1
Patched: >=4.44.3 <5.0.0 || >=5.15.1
CVSS: 6
Overview
Affected versions of sequelize are vulnerable to SQL Injection. The function sequelize.json() incorrectly formatted sub paths for JSON queries, which allows attackers to inject SQL statements and execute arbitrary SQL queries if user input is passed to the query. Exploitation example:
return User.findAll({ where: this.sequelize.json("data.id')) AS DECIMAL) = 1 DELETE YOLO INJECTIONS; -- ", 1) });
Remediation
If you are using sequelize 5.x, upgrade to version 5.15.1 or later. If you are using sequelize 4.x, upgrade to version 4.44.3 or later.
References
Reasons this module exists
sequelize
More about this vulnerability
high Prototype Pollution
Module: handlebars
Installed version: 4.1.2
Published: 9/16/2019, 8:44:43 PM
Reported by: itszn
CWE-471
Vulnerable: <4.3.0
Patched: >=4.3.0
CVSS: 6
Overview
Versions of handlebars prior to 4.3.0 are vulnerable to Prototype Pollution leading to Remote Code Execution. Templates may alter an Object's __proto__ and __defineGetter__ properties, which may allow an attacker to execute arbitrary code through crafted payloads.
Remediation
Upgrade to version 4.3.0 or later.
Reasons this module exists
jest-cli>istanbul-api>istanbul-reports>handlebars
More about this vulnerability
moderate Configuration Override
Module: helmet-csp
Installed version: 2.7.1
Published: 9/21/2019, 4:33:16 AM
Reported by: William Durand
CWE-16
Vulnerable: >=1.2.2 <2.9.1
Patched: >=2.9.1
CVSS: 6
Overview
Versions of helmet-csp prior to 2.9.1 are vulnerable to a Configuration Override affecting the application's Content Security Policy (CSP). The package's browser sniffing for Firefox deletes the default-src CSP directive, which is the fallback policy. This allows an attacker to remove an application's default CSP, possibly rendering the application vulnerable to Cross-Site Scripting.
Remediation
Upgrade to version 2.9.1 or later. Setting the browserSniff configuration option to false in vulnerable versions also mitigates the issue.
Reasons this module exists
koa-helmet>helmet>helmet-csp
More about this vulnerability
low Regular Expression Denial of Service
Module: clean-css
Installed version: 3.4.28
Published: 2/16/2019, 3:10:03 AM
Reported by: Santosh Rao
CWE-185
Vulnerable: <4.1.11
Patched: >=4.1.11
CVSS: 4
Overview
Versions of clean-css prior to 4.1.11 are vulnerable to Regular Expression Denial of Service (ReDoS). Untrusted input may cause catastrophic backtracking while matching regular expressions. This can cause the application to become unresponsive, leading to Denial of Service.
Remediation
Upgrade to version 4.1.11 or higher.
References
Reasons this module exists
html-webpack-plugin>html-minifier>clean-css
More about this vulnerability
low Regular Expression Denial of Service
Module: braces
Installed version: 1.8.5
Published: 2/16/2019, 3:14:30 AM
Reported by: Santosh Rao
CWE-185
Vulnerable: <2.3.1
Patched: >=2.3.1
CVSS: 4
Overview
Versions of braces prior to 2.3.1 are vulnerable to Regular Expression Denial of Service (ReDoS). Untrusted input may cause catastrophic backtracking while matching regular expressions. This can cause the application to become unresponsive, leading to Denial of Service.
Remediation
Upgrade to version 2.3.1 or higher.
References
More about this vulnerability
Report generated at 10/16/2019, 3:15:55 PM.