You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Growl adds growl notification support to nodejs. Growl before 1.10.2 does not properly sanitize input before passing it to exec, allowing for arbitrary command execution.
A vulnerability was found in diff before v3.5.0, the affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) attacks.
Mocha is vulnerable to ReDoS attack. If the stack trace in utils.js begins with a large error message, and full-trace is not enabled, utils.stackTraceFilter() will take exponential run time.
The debug module is vulnerable to regular expression denial of service when untrusted user input is passed into the o formatter. It takes around 50k characters to block for 2 seconds making this a low severity issue.
Vulnerable Library - mocha-3.4.1.tgz
simple, flexible, fun test framework
Library home page: https://registry.npmjs.org/mocha/-/mocha-3.4.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/mocha/package.json
Found in HEAD commit: 3995e691aa890e3b3b34aeb87bbf509717e0c319
Vulnerabilities
Details
CVE-2017-16042
Vulnerable Library - growl-1.9.2.tgz
Growl unobtrusive notifications
Library home page: https://registry.npmjs.org/growl/-/growl-1.9.2.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/growl/package.json
Dependency Hierarchy:
Found in HEAD commit: 3995e691aa890e3b3b34aeb87bbf509717e0c319
Found in base branch: main
Vulnerability Details
Growl adds growl notification support to nodejs. Growl before 1.10.2 does not properly sanitize input before passing it to exec, allowing for arbitrary command execution.
Publish Date: 2018-06-04
URL: CVE-2017-16042
CVSS 3 Score Details (9.8)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2017-16042
Release Date: 2018-06-04
Fix Resolution (growl): 1.10.2
Direct dependency fix Resolution (mocha): 4.0.0
⛑️ Automatic Remediation is available for this issue
WS-2018-0590
Vulnerable Library - diff-3.2.0.tgz
A javascript text diff implementation.
Library home page: https://registry.npmjs.org/diff/-/diff-3.2.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/diff/package.json
Dependency Hierarchy:
Found in HEAD commit: 3995e691aa890e3b3b34aeb87bbf509717e0c319
Found in base branch: main
Vulnerability Details
A vulnerability was found in diff before v3.5.0, the affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) attacks.
Publish Date: 2018-03-05
URL: WS-2018-0590
CVSS 2 Score Details (7.0)
Base Score Metrics not available
Suggested Fix
Type: Upgrade version
Origin: kpdecker/jsdiff@2aec429
Release Date: 2018-03-05
Fix Resolution (diff): 3.5.0
Direct dependency fix Resolution (mocha): 5.0.3
⛑️ Automatic Remediation is available for this issue
CVE-2020-7598
Vulnerable Library - minimist-0.0.8.tgz
parse argument options
Library home page: https://registry.npmjs.org/minimist/-/minimist-0.0.8.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/mocha/node_modules/minimist/package.json
Dependency Hierarchy:
Found in HEAD commit: 3995e691aa890e3b3b34aeb87bbf509717e0c319
Found in base branch: main
Vulnerability Details
minimist before 1.2.2 could be tricked into adding or modifying properties of Object.prototype using a "constructor" or "proto" payload.
Publish Date: 2020-03-11
URL: CVE-2020-7598
CVSS 3 Score Details (5.6)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://github.com/substack/minimist/commit/63e7ed05aa4b1889ec2f3b196426db4500cbda94
Release Date: 2020-03-11
Fix Resolution (minimist): 0.2.1
Direct dependency fix Resolution (mocha): 6.2.3
⛑️ Automatic Remediation is available for this issue
WS-2019-0425
Vulnerable Library - mocha-3.4.1.tgz
simple, flexible, fun test framework
Library home page: https://registry.npmjs.org/mocha/-/mocha-3.4.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/mocha/package.json
Dependency Hierarchy:
Found in HEAD commit: 3995e691aa890e3b3b34aeb87bbf509717e0c319
Found in base branch: main
Vulnerability Details
Mocha is vulnerable to ReDoS attack. If the stack trace in utils.js begins with a large error message, and full-trace is not enabled, utils.stackTraceFilter() will take exponential run time.
Publish Date: 2019-01-24
URL: WS-2019-0425
CVSS 3 Score Details (5.3)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: v6.0.0
Release Date: 2019-01-24
Fix Resolution: 6.0.0
⛑️ Automatic Remediation is available for this issue
CVE-2017-16137
Vulnerable Library - debug-2.6.0.tgz
small debugging utility
Library home page: https://registry.npmjs.org/debug/-/debug-2.6.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/mocha/node_modules/debug/package.json
Dependency Hierarchy:
Found in HEAD commit: 3995e691aa890e3b3b34aeb87bbf509717e0c319
Found in base branch: main
Vulnerability Details
The debug module is vulnerable to regular expression denial of service when untrusted user input is passed into the o formatter. It takes around 50k characters to block for 2 seconds making this a low severity issue.
Publish Date: 2018-06-07
URL: CVE-2017-16137
CVSS 3 Score Details (5.3)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-16137
Release Date: 2018-06-07
Fix Resolution (debug): 2.6.9
Direct dependency fix Resolution (mocha): 4.0.0
⛑️ Automatic Remediation is available for this issue
WS-2017-0247
Vulnerable Library - ms-0.7.2.tgz
Tiny milisecond conversion utility
Library home page: https://registry.npmjs.org/ms/-/ms-0.7.2.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/mocha/node_modules/ms/package.json
Dependency Hierarchy:
Found in HEAD commit: 3995e691aa890e3b3b34aeb87bbf509717e0c319
Found in base branch: main
Vulnerability Details
Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS).
Publish Date: 2017-04-12
URL: WS-2017-0247
CVSS 2 Score Details (3.4)
Base Score Metrics not available
Suggested Fix
Type: Upgrade version
Origin: vercel/ms#89
Release Date: 2017-04-12
Fix Resolution (ms): 2.0.0
Direct dependency fix Resolution (mocha): 3.5.0
⛑️ Automatic Remediation is available for this issue
⛑️ Automatic Remediation is available for this issue.
The text was updated successfully, but these errors were encountered: