Vulnerabilities in Dependencies #2365
Comments
this is a pre-requisite to #1637
we can ignore the shelljs issue our usage of shelljs via git-rev-sync is safe - see https://github.com/kurttheviking/git-rev-sync-js/blob/master/index.js and look for invocations of shell via
the
we've taken this one as far as we can!
Steemit condenser has several dependencies that are exposed to known vulnerabilities. Some of these can be remedied by updating to the latest version.
Vulnerable Modules
Detailed Vulnerabilities
Command Injection: git-rev-sync@1.9.1
"shelljs is a portable implementation of Unix shell commands for Node.js. It is possible to invoke commands from shell.exec() from external sources, allowing an attacker to inject arbitrary commands."
Remediation: No fix available
Source: https://snyk.io/vuln/npm:shelljs:20140723
Directory Traversal: koa-static-cache@3.2.0
"Affected versions of the package are vulnerable to Directory Traversal. When in dynamic mode, a malicious user can traverse through the server's files, by entering %2E%2E/ into the url, allowing the attacker to obtain the contents of any file on the server's filesystem."
Remediation: Upgrade to koa-static-cache@4.1.1.
Source: https://snyk.io/vuln/npm:koa-static-cache:20170613
Prototype Override Protection Bypass: co-body@4.2.0 and purest@2.0.1
"In versions of the package affected by this vulnerability, it is possible to circumvent this protection and overwrite prototype properties and functions by prefixing the name of the parameter with [ or ]. e.g. qs.parse("]=toString") will return {toString = true}, as a result, calling toString() on the object will throw an exception."
Remediation: Upgrade to co-body@5.0.0 & Upgrade to purest@3.0.0.
Source: https://snyk.io/vuln/npm:qs:20170213
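The qs bypass quoted above ends with a parsed object whose own `toString` property is `true`, so any later code that calls `toString()` on it throws. An added example (not from this issue, co-body, purest or qs) of the guard an application can place between the parser and its own logic: detect parameter names that collide with `Object.prototype` members and move accepted parameters into a null-prototype object. The poisoned input is constructed to match the shape the advisory describes for `qs.parse("]=toString")`.

```javascript
// Own property names of Object.prototype ('toString', 'hasOwnProperty', '__proto__', ...).
// A request parameter must never be allowed to define one of these on a parsed object.
const RESERVED_KEYS = new Set(Object.getOwnPropertyNames(Object.prototype));

// Return the keys of a parsed body/query object that would shadow Object.prototype members.
function reservedKeysIn(parsed) {
  return Object.keys(parsed).filter((k) => RESERVED_KEYS.has(k));
}

// Copy parsed parameters into a null-prototype object so that no key can resolve to an
// inherited method; throw on reserved keys rather than silently dropping them, so the
// request is rejected (and can be logged) instead of being half-processed.
function sanitizeParams(parsed) {
  const bad = reservedKeysIn(parsed);
  if (bad.length > 0) throw new Error(`rejected reserved parameter name(s): ${bad.join(', ')}`);
  const clean = Object.create(null);
  for (const key of Object.keys(parsed)) clean[key] = parsed[key];
  return clean;
}

// Does calling toString() on obj still behave the way ordinary code expects?
function hasWorkingToString(obj) {
  try { return typeof obj.toString() === 'string'; } catch (e) { return false; }
}

// Constructed input: the object shape the advisory attributes to qs.parse("]=toString").
const POISONED = { toString: true };

console.log('toString usable on poisoned object:', hasWorkingToString(POISONED)); // false
console.log('reserved keys found:', reservedKeysIn(POISONED));                     // ['toString']
```

Upgrading qs (via co-body and purest) removes the parser bug itself; the guard is defence in depth for any other source of attacker-controlled keys, such as JSON bodies.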
Regular Expression Denial of Service (DoS): sequelize-cli@2.8.0
"An attacker can provide a long value to the minimatch function, which nearly matches the pattern being matched. This will cause the regular expression matching to take a long time, all the while occupying the event loop and preventing it from processing other requests and making the server unavailable (a Denial of Service attack)."
Remediation: Upgrade to minimatch@0.2.14.
Source: https://snyk.io/vuln/npm:minimatch:20160620
Cross-site Scripting (XSS): medium-editor-insert-plugin@2.4.1
"jquery is a JavaScript library for DOM operations.
Affected versions of the package are vulnerable to Cross-site Scripting (XSS) attacks when a cross-domain ajax request is performed without the dataType option causing text/javascript responses to be executed."
Remediation: Upgrade jquery to version 3.0.0 or higher.
Source: https://snyk.io/vuln/npm:jquery:20150627
Remote Memory Exposure: purest@2.0.1
"request is a simplified http request client. A potential remote memory exposure vulnerability exists in request. If a request uses a multipart attachment and the body type option is number with value X, then X bytes of uninitialized memory will be sent in the body of the request."
Remediation: Upgrade to purest@3.0.0.
Source: https://snyk.io/vuln/npm:request:20160119
Timing Attack: purest@2.0.1
"http-signature is a reference implementation of Joyent's HTTP Signature scheme. Affected versions of the package are vulnerable to Timing Attacks due to time-variable comparison of signatures.
The library implemented a character to character comparison, similar to the built-in string comparison mechanism, ===, and not a time constant string comparison. As a result, the comparison will fail faster when the first characters in the signature are incorrect. An attacker can use this difference to perform a timing attack, essentially allowing them to guess the signature one character at a time."
Remediation: Upgrade to purest@3.0.0.
Source: https://snyk.io/vuln/npm:http-signature:20150122
Uninitialized Memory Exposure: node-sass@4.7.2, twilio@2.11.1
"tunnel-agent is an HTTP proxy tunneling agent. Affected versions of the package are vulnerable to Uninitialized Memory Exposure.
A possible memory disclosure vulnerability exists when a value of type number is used to set the proxy.auth option of a request and results in a possible uninitialized memory exposure in the request body."
Remediation: Upgrade to twilio@3.0.0 & Upgrade to purest@3.0.0.
Source: https://snyk.io/vuln/npm:tunnel-agent:20170305
Regular Expression Denial of Service (ReDoS): url-loader@0.5.9
"mime is a comprehensive, compact MIME type module.
Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS). It uses the following regex /.*[./\]/ in its lookup, which can cause a slowdown of 2 seconds for 50k characters."
Remediation: Upgrade to url-loader@0.6.0.
Source: https://snyk.io/vuln/npm:mime:20170907
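The quoted pattern strips everything up to the last `.`, `/` or `\` to obtain a file extension; its leading `.*` backtracks quadratically on input that contains none of those characters, which is where the 2-second slowdown comes from. An added example (not from this issue, url-loader or mime) that computes the same extension with a single backward scan, so lookup time is linear in the input length. The lookup table is a constructed stand-in for the real mime database, and the regex function is kept only to confirm both agree on short inputs.

```javascript
// Constructed lookup table standing in for the real mime database. A Map is used so that
// extensions such as 'constructor' cannot resolve to inherited Object.prototype members.
const MIME_TABLE = new Map([
  ['html', 'text/html'],
  ['css', 'text/css'],
  ['js', 'application/javascript'],
  ['png', 'image/png'],
]);

// The pattern from the advisory written as a valid JS literal: strip up to the last '.', '/' or '\'.
// The greedy `.*` retries from every start position when no such character exists, so a string
// of n plain characters costs O(n^2) steps. Only used here on short inputs, for comparison.
function extensionViaRegex(filePath) {
  return filePath.replace(/.*[./\\]/, '').toLowerCase();
}

// Same result with one backward scan: O(n), no backtracking, safe on attacker-controlled names.
function extensionOf(filePath) {
  for (let i = filePath.length - 1; i >= 0; i--) {
    const c = filePath[i];
    if (c === '.' || c === '/' || c === '\\') return filePath.slice(i + 1).toLowerCase();
  }
  return filePath.toLowerCase();
}

// Look up a MIME type by extension, falling back to a generic binary type for unknown names.
function lookupMimeType(filePath, fallback = 'application/octet-stream') {
  return MIME_TABLE.get(extensionOf(filePath)) ?? fallback;
}

console.log(lookupMimeType('/var/www/index.HTML'));        // text/html
console.log(lookupMimeType('a'.repeat(50000)));            // application/octet-stream, returns immediately
```

The linear scan is the fix for this particular lookup; as a general check, any regex applied to attacker-controlled strings that starts with an unbounded `.*` followed by a character class deserves the same scrutiny.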
Regular Expression Denial of Service (ReDoS): twilio@2.11.1
"ms is a tiny millisecond conversion utility.
Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) due to an incomplete fix for the previously reported vulnerability npm:ms:20151024. The fix limited the length of the accepted input string to 10,000 characters, which turned out to be insufficient, making it possible to block the event loop for 0.3 seconds (on a typical laptop) with a specially crafted string passed to the ms() function."
Remediation: Upgrade to twilio@3.5.0.
Source: https://snyk.io/vuln/npm:ms:20170412
Posted on Utopian.io - Rewarding Open Source Contributors