karma-2.0.0.tgz: 50 vulnerabilities (highest severity is: 9.8)

[mend-bolt-for-github]

Vulnerable Library - karma-2.0.0.tgz

Spectacular Test Runner for JavaScript.

Library home page: https://registry.npmjs.org/karma/-/karma-2.0.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Found in HEAD commit: 77c7146d0444e2486ff3f42256348ec0130727e7

Vulnerabilities

CVE	Severity	CVSS	Dependency	Type	Fixed in (karma version)	Remediation Possible**
CVE-2023-42282	Critical	9.8	ip-1.1.5.tgz	Transitive	3.0.0	❌
CVE-2022-2421	Critical	9.8	socket.io-parser-3.1.3.tgz	Transitive	5.0.8	❌
CVE-2021-42740	Critical	9.8	shell-quote-1.6.1.tgz	Transitive	2.0.2	❌
CVE-2021-23518	Critical	9.8	cached-path-relative-1.0.1.tgz	Transitive	2.0.2	❌
CVE-2020-7769	Critical	9.8	nodemailer-2.7.2.tgz	Transitive	3.0.0	❌
CVE-2019-10196	Critical	9.8	http-proxy-agent-1.0.0.tgz	Transitive	2.0.2	❌
CVE-2021-31597	Critical	9.4	xmlhttprequest-ssl-1.5.5.tgz	Transitive	5.0.8	❌
CVE-2024-29415	Critical	9.1	ip-1.1.5.tgz	Transitive	N/A*	❌
CVE-2018-3739	Critical	9.1	https-proxy-agent-1.0.0.tgz	Transitive	2.0.2	❌
CVE-2021-23400	High	8.8	nodemailer-2.7.2.tgz	Transitive	3.0.0	❌
WS-2020-0443	High	8.1	socket.io-2.0.4.tgz	Transitive	5.0.8	❌
CVE-2020-28502	High	8.1	xmlhttprequest-ssl-1.5.5.tgz	Transitive	5.0.8	❌
CVE-2021-43138	High	7.8	async-2.1.5.tgz	Transitive	2.0.2	❌
CVE-2020-13822	High	7.7	elliptic-6.4.0.tgz	Transitive	2.0.2	❌
WS-2020-0091	High	7.5	http-proxy-1.16.2.tgz	Transitive	2.0.2	❌
WS-2019-0310	High	7.5	https-proxy-agent-1.0.0.tgz	Transitive	2.0.2	❌
WS-2018-0650	High	7.5	useragent-2.3.0.tgz	Transitive	N/A*	❌
CVE-2024-4068	High	7.5	braces-0.1.5.tgz	Transitive	N/A*	❌
CVE-2023-46234	High	7.5	browserify-sign-4.0.4.tgz	Transitive	2.0.2	❌
CVE-2022-29167	High	7.5	hawk-6.0.2.tgz	Transitive	3.0.0	❌
CVE-2022-24999	High	7.5	detected in multiple dependencies	Transitive	2.0.2	❌
CVE-2022-0654	High	7.5	requestretry-1.13.0.tgz	Transitive	3.0.0	❌
CVE-2021-3749	High	7.5	axios-0.15.3.tgz	Transitive	3.0.0	❌
CVE-2021-29469	High	7.5	redis-2.8.0.tgz	Transitive	3.0.0	❌
CVE-2020-36049	High	7.5	socket.io-parser-3.1.3.tgz	Transitive	5.0.8	❌
CVE-2020-36048	High	7.5	engine.io-3.1.5.tgz	Transitive	5.0.8	❌
CVE-2019-10742	High	7.5	axios-0.15.3.tgz	Transitive	3.0.0	❌
CVE-2018-16472	High	7.5	cached-path-relative-1.0.1.tgz	Transitive	2.0.2	❌
CVE-2017-20165	High	7.5	debug-2.2.0.tgz	Transitive	2.0.2	❌
CVE-2017-16115	High	7.5	timespan-2.3.0.tgz	Transitive	N/A*	❌
CVE-2021-23358	High	7.2	underscore-1.7.0.tgz	Transitive	3.0.0	❌
CVE-2020-28498	Medium	6.8	elliptic-6.4.0.tgz	Transitive	2.0.2	❌
CVE-2024-28849	Medium	6.5	follow-redirects-1.0.0.tgz	Transitive	N/A*	❌
CVE-2023-45857	Medium	6.5	axios-0.15.3.tgz	Transitive	3.0.0	❌
CVE-2022-41940	Medium	6.5	engine.io-3.1.5.tgz	Transitive	5.0.8	❌
CVE-2022-0155	Medium	6.5	follow-redirects-1.0.0.tgz	Transitive	3.0.0	❌
CVE-2020-8244	Medium	6.5	bl-1.1.2.tgz	Transitive	3.0.0	❌
CVE-2023-28155	Medium	6.1	detected in multiple dependencies	Transitive	N/A*	❌
CVE-2023-26159	Medium	6.1	follow-redirects-1.0.0.tgz	Transitive	3.0.0	❌
CVE-2022-0437	Medium	6.1	karma-2.0.0.tgz	Direct	6.3.14	❌
CVE-2021-23495	Medium	6.1	karma-2.0.0.tgz	Direct	6.3.16	❌
WS-2019-0427	Medium	5.9	elliptic-6.4.0.tgz	Transitive	2.0.2	❌
WS-2019-0424	Medium	5.9	elliptic-6.4.0.tgz	Transitive	2.0.2	❌
CVE-2022-0536	Medium	5.9	follow-redirects-1.0.0.tgz	Transitive	3.0.0	❌
CVE-2020-28168	Medium	5.9	axios-0.15.3.tgz	Transitive	3.0.0	❌
CVE-2022-21704	Medium	5.5	log4js-2.5.3.tgz	Transitive	5.0.8	❌
CVE-2017-20162	Medium	5.3	ms-0.7.1.tgz	Transitive	2.0.2	❌
WS-2018-0076	Medium	5.1	tunnel-agent-0.4.3.tgz	Transitive	3.0.0	❌
CVE-2020-28481	Medium	4.3	socket.io-2.0.4.tgz	Transitive	5.0.8	❌
CVE-2017-16137	Low	3.7	debug-2.2.0.tgz	Transitive	2.0.2	❌

*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

Partial details (21 vulnerabilities) are displayed below due to a content size limitation in GitHub. To view information on the remaining vulnerabilities, navigate to the Mend Application.

CVE-2023-42282

Vulnerable Library - ip-1.1.5.tgz

[](https://www.npmjs.com/package/ip)

Library home page: https://registry.npmjs.org/ip/-/ip-1.1.5.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

• karma-2.0.0.tgz (Root Library)
  • log4js-2.5.3.tgz
    • nodemailer-2.7.2.tgz
      • socks-1.1.9.tgz
        • ❌ ip-1.1.5.tgz (Vulnerable Library)

Found in HEAD commit: 77c7146d0444e2486ff3f42256348ec0130727e7

Found in base branch: dev

Vulnerability Details

The ip package before 1.1.9 for Node.js might allow SSRF because some IP addresses (such as 0x7f.1) are improperly categorized as globally routable via isPublic.

Publish Date: 2024-02-08

URL: CVE-2023-42282

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-78xj-cgh5-2h22

Release Date: 2024-02-08

Fix Resolution (ip): 1.1.9

Direct dependency fix Resolution (karma): 3.0.0

Step up your Open Source Security Game with Mend here

CVE-2022-2421

Vulnerable Library - socket.io-parser-3.1.3.tgz

socket.io protocol parser

Library home page: https://registry.npmjs.org/socket.io-parser/-/socket.io-parser-3.1.3.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

• karma-2.0.0.tgz (Root Library)
  • socket.io-2.0.4.tgz
    • ❌ socket.io-parser-3.1.3.tgz (Vulnerable Library)

Found in HEAD commit: 77c7146d0444e2486ff3f42256348ec0130727e7

Found in base branch: dev

Vulnerability Details

Due to improper type validation in attachment parsing the Socket.io js library, it is possible to overwrite the _placeholder object which allows an attacker to place references to functions at arbitrary places in the resulting query object.

Publish Date: 2022-10-26

URL: CVE-2022-2421

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-qm95-pgcg-qqfq

Release Date: 2022-10-26

Fix Resolution (socket.io-parser): 3.3.3

Direct dependency fix Resolution (karma): 5.0.8

Step up your Open Source Security Game with Mend here

CVE-2021-42740

Vulnerable Library - shell-quote-1.6.1.tgz

quote and parse shell commands

Library home page: https://registry.npmjs.org/shell-quote/-/shell-quote-1.6.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

• karma-2.0.0.tgz (Root Library)
  • browserify-14.5.0.tgz
    • ❌ shell-quote-1.6.1.tgz (Vulnerable Library)

Found in HEAD commit: 77c7146d0444e2486ff3f42256348ec0130727e7

Found in base branch: dev

Vulnerability Details

The shell-quote package before 1.7.3 for Node.js allows command injection. An attacker can inject unescaped shell metacharacters through a regex designed to support Windows drive letters. If the output of this package is passed to a real shell as a quoted argument to a command with exec(), an attacker can inject arbitrary commands. This is because the Windows drive letter regex character class is {A-z] instead of the correct {A-Za-z]. Several shell metacharacters exist in the space between capital letter Z and lower case letter a, such as the backtick character.

Publish Date: 2021-10-21

URL: CVE-2021-42740

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-42740

Release Date: 2021-10-21

Fix Resolution (shell-quote): 1.7.3

Direct dependency fix Resolution (karma): 2.0.2

Step up your Open Source Security Game with Mend here

CVE-2021-23518

Vulnerable Library - cached-path-relative-1.0.1.tgz

Memoize the results of the path.relative function

Library home page: https://registry.npmjs.org/cached-path-relative/-/cached-path-relative-1.0.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

• karma-2.0.0.tgz (Root Library)
  • browserify-14.5.0.tgz
    • ❌ cached-path-relative-1.0.1.tgz (Vulnerable Library)

Found in HEAD commit: 77c7146d0444e2486ff3f42256348ec0130727e7

Found in base branch: dev

Vulnerability Details

The package cached-path-relative before 1.1.0 are vulnerable to Prototype Pollution via the cache variable that is set as {} instead of Object.create(null) in the cachedPathRelative function, which allows access to the parent prototype properties when the object is used to create the cached relative path. When using the origin path as proto, the attribute of the object is accessed instead of a path. Note: This vulnerability derives from an incomplete fix in https://security.snyk.io/vuln/SNYK-JS-CACHEDPATHRELATIVE-72573

Publish Date: 2022-01-21

URL: CVE-2021-23518

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23518

Release Date: 2022-01-21

Fix Resolution (cached-path-relative): 1.1.0

Direct dependency fix Resolution (karma): 2.0.2

Step up your Open Source Security Game with Mend here

CVE-2020-7769

Vulnerable Library - nodemailer-2.7.2.tgz

Easy as cake e-mail sending from your Node.js applications

Library home page: https://registry.npmjs.org/nodemailer/-/nodemailer-2.7.2.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

• karma-2.0.0.tgz (Root Library)
  • log4js-2.5.3.tgz
    • ❌ nodemailer-2.7.2.tgz (Vulnerable Library)

Found in HEAD commit: 77c7146d0444e2486ff3f42256348ec0130727e7

Found in base branch: dev

Vulnerability Details

This affects the package nodemailer before 6.4.16. Use of crafted recipient email addresses may result in arbitrary command flag injection in sendmail transport for sending mails.

Publish Date: 2020-11-12

URL: CVE-2020-7769

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2020-7769

Release Date: 2020-11-12

Fix Resolution (nodemailer): 6.4.16

Direct dependency fix Resolution (karma): 3.0.0

Step up your Open Source Security Game with Mend here

CVE-2019-10196

Vulnerable Library - http-proxy-agent-1.0.0.tgz

An HTTP(s) proxy `http.Agent` implementation for HTTP

Library home page: https://registry.npmjs.org/http-proxy-agent/-/http-proxy-agent-1.0.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

• karma-2.0.0.tgz (Root Library)
  • log4js-2.5.3.tgz
    • mailgun-js-0.7.15.tgz
      • proxy-agent-2.0.0.tgz
        • ❌ http-proxy-agent-1.0.0.tgz (Vulnerable Library)

Found in HEAD commit: 77c7146d0444e2486ff3f42256348ec0130727e7

Found in base branch: dev

Vulnerability Details

A flaw was found in http-proxy-agent, prior to version 2.1.0. It was discovered http-proxy-agent passes an auth option to the Buffer constructor without proper sanitization. This could result in a Denial of Service through the usage of all available CPU resources and data exposure through an uninitialized memory leak in setups where an attacker could submit typed input to the auth parameter.

Publish Date: 2021-03-19

URL: CVE-2019-10196

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/607

Release Date: 2021-03-19

Fix Resolution (http-proxy-agent): 2.1.0

Direct dependency fix Resolution (karma): 2.0.2

Step up your Open Source Security Game with Mend here

CVE-2021-31597

Vulnerable Library - xmlhttprequest-ssl-1.5.5.tgz

XMLHttpRequest for Node

Library home page: https://registry.npmjs.org/xmlhttprequest-ssl/-/xmlhttprequest-ssl-1.5.5.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

• karma-2.0.0.tgz (Root Library)
  • socket.io-2.0.4.tgz
    • socket.io-client-2.0.4.tgz
      • engine.io-client-3.1.5.tgz
        • ❌ xmlhttprequest-ssl-1.5.5.tgz (Vulnerable Library)

Found in HEAD commit: 77c7146d0444e2486ff3f42256348ec0130727e7

Found in base branch: dev

Vulnerability Details

The xmlhttprequest-ssl package before 1.6.1 for Node.js disables SSL certificate validation by default, because rejectUnauthorized (when the property exists but is undefined) is considered to be false within the https.request function of Node.js. In other words, no certificate is ever rejected.

Publish Date: 2021-04-23

URL: CVE-2021-31597

CVSS 3 Score Details (9.4)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-31597

Release Date: 2021-04-23

Fix Resolution (xmlhttprequest-ssl): 1.6.1

Direct dependency fix Resolution (karma): 5.0.8

Step up your Open Source Security Game with Mend here

CVE-2024-29415

Vulnerable Library - ip-1.1.5.tgz

[](https://www.npmjs.com/package/ip)

Library home page: https://registry.npmjs.org/ip/-/ip-1.1.5.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

• karma-2.0.0.tgz (Root Library)
  • log4js-2.5.3.tgz
    • nodemailer-2.7.2.tgz
      • socks-1.1.9.tgz
        • ❌ ip-1.1.5.tgz (Vulnerable Library)

Found in HEAD commit: 77c7146d0444e2486ff3f42256348ec0130727e7

Found in base branch: dev

Vulnerability Details

The ip package through 2.0.1 for Node.js might allow SSRF because some IP addresses (such as 127.1, 01200034567, 012.1.2.3, 000:0:0000::01, and ::fFFf:127.0.0.1) are improperly categorized as globally routable via isPublic. NOTE: this issue exists because of an incomplete fix for CVE-2023-42282.

Publish Date: 2024-05-27

URL: CVE-2024-29415

CVSS 3 Score Details (9.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: None

For more information on CVSS3 Scores, click here.

Step up your Open Source Security Game with Mend here

CVE-2018-3739

Vulnerable Library - https-proxy-agent-1.0.0.tgz

An HTTP(s) proxy `http.Agent` implementation for HTTPS

Library home page: https://registry.npmjs.org/https-proxy-agent/-/https-proxy-agent-1.0.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

• karma-2.0.0.tgz (Root Library)
  • log4js-2.5.3.tgz
    • mailgun-js-0.7.15.tgz
      • proxy-agent-2.0.0.tgz
        • ❌ https-proxy-agent-1.0.0.tgz (Vulnerable Library)

Found in HEAD commit: 77c7146d0444e2486ff3f42256348ec0130727e7

Found in base branch: dev

Vulnerability Details

https-proxy-agent before 2.1.1 passes auth option to the Buffer constructor without proper sanitization, resulting in DoS and uninitialized memory leak in setups where an attacker could submit typed input to the 'auth' parameter (e.g. JSON).

Publish Date: 2018-06-07

URL: CVE-2018-3739

CVSS 3 Score Details (9.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: None
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3739

Release Date: 2018-04-26

Fix Resolution (https-proxy-agent): 2.2.0

Direct dependency fix Resolution (karma): 2.0.2

Step up your Open Source Security Game with Mend here

CVE-2021-23400

Vulnerable Library - nodemailer-2.7.2.tgz

Easy as cake e-mail sending from your Node.js applications

Library home page: https://registry.npmjs.org/nodemailer/-/nodemailer-2.7.2.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

• karma-2.0.0.tgz (Root Library)
  • log4js-2.5.3.tgz
    • ❌ nodemailer-2.7.2.tgz (Vulnerable Library)

Found in HEAD commit: 77c7146d0444e2486ff3f42256348ec0130727e7

Found in base branch: dev

Vulnerability Details

The package nodemailer before 6.6.1 are vulnerable to HTTP Header Injection if unsanitized user input that may contain newlines and carriage returns is passed into an address object.

Publish Date: 2021-06-29

URL: CVE-2021-23400

CVSS 3 Score Details (8.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23400

Release Date: 2021-06-29

Fix Resolution (nodemailer): 6.6.1

Direct dependency fix Resolution (karma): 3.0.0

Step up your Open Source Security Game with Mend here

WS-2020-0443

Vulnerable Library - socket.io-2.0.4.tgz

node.js realtime framework server

Library home page: https://registry.npmjs.org/socket.io/-/socket.io-2.0.4.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

• karma-2.0.0.tgz (Root Library)
  • ❌ socket.io-2.0.4.tgz (Vulnerable Library)

Found in HEAD commit: 77c7146d0444e2486ff3f42256348ec0130727e7

Found in base branch: dev

Vulnerability Details

In socket.io in versions 1.0.0 to 2.3.0 is vulnerable to Cross-Site Websocket Hijacking, it allows an attacker to bypass origin protection using special symbols include "`" and "$".

Publish Date: 2020-02-20

URL: WS-2020-0443

CVSS 3 Score Details (8.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://hackerone.com/reports/931197

Release Date: 2020-02-20

Fix Resolution (socket.io): 2.4.0

Direct dependency fix Resolution (karma): 5.0.8

Step up your Open Source Security Game with Mend here

CVE-2020-28502

Vulnerable Library - xmlhttprequest-ssl-1.5.5.tgz

XMLHttpRequest for Node

Library home page: https://registry.npmjs.org/xmlhttprequest-ssl/-/xmlhttprequest-ssl-1.5.5.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

• karma-2.0.0.tgz (Root Library)
  • socket.io-2.0.4.tgz
    • socket.io-client-2.0.4.tgz
      • engine.io-client-3.1.5.tgz
        • ❌ xmlhttprequest-ssl-1.5.5.tgz (Vulnerable Library)

Found in HEAD commit: 77c7146d0444e2486ff3f42256348ec0130727e7

Found in base branch: dev

Vulnerability Details

This affects the package xmlhttprequest before 1.7.0; all versions of package xmlhttprequest-ssl. Provided requests are sent synchronously (async=False on xhr.open), malicious user input flowing into xhr.send could result in arbitrary code being injected and run.

Publish Date: 2021-03-05

URL: CVE-2020-28502

CVSS 3 Score Details (8.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-h4j5-c7cj-74xg

Release Date: 2021-03-05

Fix Resolution (xmlhttprequest-ssl): 1.6.1

Direct dependency fix Resolution (karma): 5.0.8

Step up your Open Source Security Game with Mend here

CVE-2021-43138

Vulnerable Library - async-2.1.5.tgz

Higher-order functions and common patterns for asynchronous code

Library home page: https://registry.npmjs.org/async/-/async-2.1.5.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

• karma-2.0.0.tgz (Root Library)
  • log4js-2.5.3.tgz
    • mailgun-js-0.7.15.tgz
      • ❌ async-2.1.5.tgz (Vulnerable Library)

Found in HEAD commit: 77c7146d0444e2486ff3f42256348ec0130727e7

Found in base branch: dev

Vulnerability Details

In Async before 2.6.4 and 3.x before 3.2.2, a malicious user can obtain privileges via the mapValues() method, aka lib/internal/iterator.js createObjectIterator prototype pollution.

Publish Date: 2022-04-06

URL: CVE-2021-43138

CVSS 3 Score Details (7.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Local
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2021-43138

Release Date: 2022-04-06

Fix Resolution (async): 2.6.4

Direct dependency fix Resolution (karma): 2.0.2

Step up your Open Source Security Game with Mend here

CVE-2020-13822

Vulnerable Library - elliptic-6.4.0.tgz

EC cryptography

Library home page: https://registry.npmjs.org/elliptic/-/elliptic-6.4.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

• karma-2.0.0.tgz (Root Library)
  • browserify-14.5.0.tgz
    • crypto-browserify-3.12.0.tgz
      • browserify-sign-4.0.4.tgz
        • ❌ elliptic-6.4.0.tgz (Vulnerable Library)

Found in HEAD commit: 77c7146d0444e2486ff3f42256348ec0130727e7

Found in base branch: dev

Vulnerability Details

The Elliptic package 6.5.2 for Node.js allows ECDSA signature malleability via variations in encoding, leading '\0' bytes, or integer overflows. This could conceivably have a security-relevant impact if an application relied on a single canonical signature.

Publish Date: 2020-06-04

URL: CVE-2020-13822

CVSS 3 Score Details (7.7)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2020-07-02

Fix Resolution (elliptic): 6.5.3

Direct dependency fix Resolution (karma): 2.0.2

Step up your Open Source Security Game with Mend here

WS-2020-0091

Vulnerable Library - http-proxy-1.16.2.tgz

HTTP proxying for the masses

Library home page: https://registry.npmjs.org/http-proxy/-/http-proxy-1.16.2.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

• karma-2.0.0.tgz (Root Library)
  • ❌ http-proxy-1.16.2.tgz (Vulnerable Library)

Found in HEAD commit: 77c7146d0444e2486ff3f42256348ec0130727e7

Found in base branch: dev

Vulnerability Details

Versions of http-proxy prior to 1.18.1 are vulnerable to Denial of Service. An HTTP request with a long body triggers an ERR_HTTP_HEADERS_SENT unhandled exception that crashes the proxy server. This is only possible when the proxy server sets headers in the proxy request using the proxyReq.setHeader function.

Publish Date: 2020-05-14

URL: WS-2020-0091

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/1486

Release Date: 2020-05-14

Fix Resolution (http-proxy): 1.18.1

Direct dependency fix Resolution (karma): 2.0.2

Step up your Open Source Security Game with Mend here

WS-2019-0310

Vulnerable Library - https-proxy-agent-1.0.0.tgz

An HTTP(s) proxy `http.Agent` implementation for HTTPS

Library home page: https://registry.npmjs.org/https-proxy-agent/-/https-proxy-agent-1.0.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

• karma-2.0.0.tgz (Root Library)
  • log4js-2.5.3.tgz
    • mailgun-js-0.7.15.tgz
      • proxy-agent-2.0.0.tgz
        • ❌ https-proxy-agent-1.0.0.tgz (Vulnerable Library)

Found in HEAD commit: 77c7146d0444e2486ff3f42256348ec0130727e7

Found in base branch: dev

Vulnerability Details

"in 'https-proxy-agent', before v2.2.3, there is a failure of TLS enforcement on the socket. Attacker may intercept unencrypted communications.

Publish Date: 2019-10-07

URL: WS-2019-0310

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: None
  • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/1184

Release Date: 2019-10-07

Fix Resolution (https-proxy-agent): 2.2.3

Direct dependency fix Resolution (karma): 2.0.2

Step up your Open Source Security Game with Mend here

WS-2018-0650

Vulnerable Library - useragent-2.3.0.tgz

Fastest, most accurate & effecient user agent string parser, uses Browserscope's research for parsing

Library home page: https://registry.npmjs.org/useragent/-/useragent-2.3.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

• karma-2.0.0.tgz (Root Library)
  • ❌ useragent-2.3.0.tgz (Vulnerable Library)

Found in HEAD commit: 77c7146d0444e2486ff3f42256348ec0130727e7

Found in base branch: dev

Vulnerability Details

Regular Expression Denial of Service (ReDoS) vulnerability was found in useragent through 2.3.0.

Publish Date: 2018-02-27

URL: WS-2018-0650

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/WS-2018-0650

Release Date: 2018-02-27

Fix Resolution: NorDroN.AngularTemplate - 0.1.6;dotnetng.template - 1.0.0.4;JetBrains.Rider.Frontend5 - 213.0.20211008.154703-eap03;MIDIator.WebClient - 1.0.105

Step up your Open Source Security Game with Mend here

CVE-2024-4068

Vulnerable Library - braces-0.1.5.tgz

Fastest brace expansion lib. Typically used with file paths, but can be used with any string. Expands comma-separated values (e.g. `foo/{a,b,c}/bar`) and alphabetical or numerical ranges (e.g. `{1..9}`)

Library home page: https://registry.npmjs.org/braces/-/braces-0.1.5.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

• karma-2.0.0.tgz (Root Library)
  • expand-braces-0.1.2.tgz
    • ❌ braces-0.1.5.tgz (Vulnerable Library)

Found in HEAD commit: 77c7146d0444e2486ff3f42256348ec0130727e7

Found in base branch: dev

Vulnerability Details

The NPM package braces, versions prior to 3.0.3, fails to limit the number of characters it can handle, which could lead to Memory Exhaustion. In lib/parse.js, if a malicious user sends "imbalanced braces" as input, the parsing will enter a loop, which will cause the program to start allocating heap memory without freeing it at any moment of the loop. Eventually, the JavaScript heap limit is reached, and the program will crash.
Mend Note: After conducting a further research, it was concluded that CVE-2024-4068 does not contain a high security risk that reflects the NVD score, but should be kept for users' awareness. Users of braces should follow the fix recommendation as noted.

Publish Date: 2024-05-14

URL: CVE-2024-4068

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2024-05-14

Fix Resolution: braces - 3.0.3

Step up your Open Source Security Game with Mend here

CVE-2023-46234

Vulnerable Library - browserify-sign-4.0.4.tgz

adds node crypto signing for browsers

Library home page: https://registry.npmjs.org/browserify-sign/-/browserify-sign-4.0.4.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

• karma-2.0.0.tgz (Root Library)
  • browserify-14.5.0.tgz
    • crypto-browserify-3.12.0.tgz
      • ❌ browserify-sign-4.0.4.tgz (Vulnerable Library)

Found in HEAD commit: 77c7146d0444e2486ff3f42256348ec0130727e7

Found in base branch: dev

Vulnerability Details

browserify-sign is a package to duplicate the functionality of node's crypto public key functions, much of this is based on Fedor Indutny's work on indutny/tls.js. An upper bound check issue in dsaVerify function allows an attacker to construct signatures that can be successfully verified by any public key, thus leading to a signature forgery attack. All places in this project that involve DSA verification of user-input signatures will be affected by this vulnerability. This issue has been patched in version 4.2.2.

Publish Date: 2023-10-26

URL: CVE-2023-46234

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: High
  • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-x9w5-v3q2-3rhw

Release Date: 2023-10-26

Fix Resolution (browserify-sign): 4.2.2

Direct dependency fix Resolution (karma): 2.0.2

Step up your Open Source Security Game with Mend here

CVE-2022-29167

Vulnerable Library - hawk-6.0.2.tgz

HTTP Hawk Authentication Scheme

Library home page: https://registry.npmjs.org/hawk/-/hawk-6.0.2.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

• karma-2.0.0.tgz (Root Library)
  • log4js-2.5.3.tgz
    • hipchat-notifier-1.1.0.tgz
      • request-2.83.0.tgz
        • ❌ hawk-6.0.2.tgz (Vulnerable Library)

Found in HEAD commit: 77c7146d0444e2486ff3f42256348ec0130727e7

Found in base branch: dev

Vulnerability Details

Hawk is an HTTP authentication scheme providing mechanisms for making authenticated HTTP requests with partial cryptographic verification of the request and response, covering the HTTP method, request URI, host, and optionally the request payload. Hawk used a regular expression to parse Host HTTP header (Hawk.utils.parseHost()), which was subject to regular expression DoS attack - meaning each added character in the attacker's input increases the computation time exponentially. parseHost() was patched in 9.0.1 to use built-in URL class to parse hostname instead. Hawk.authenticate() accepts options argument. If that contains host and port, those would be used instead of a call to utils.parseHost().

Publish Date: 2022-05-05

URL: CVE-2022-29167

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-44pw-h2cw-w3vq

Release Date: 2022-05-05

Fix Resolution (hawk): 9.0.1

Direct dependency fix Resolution (karma): 3.0.0

Step up your Open Source Security Game with Mend here

CVE-2022-24999

Vulnerable Libraries - qs-6.5.1.tgz, qs-6.2.3.tgz

qs-6.5.1.tgz

A querystring parser that supports nesting and arrays, with a depth limit

Library home page: https://registry.npmjs.org/qs/-/qs-6.5.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

• karma-2.0.0.tgz (Root Library)
  • log4js-2.5.3.tgz
    • hipchat-notifier-1.1.0.tgz
      • request-2.83.0.tgz
        • ❌ qs-6.5.1.tgz (Vulnerable Library)

qs-6.2.3.tgz

A querystring parser that supports nesting and arrays, with a depth limit

Library home page: https://registry.npmjs.org/qs/-/qs-6.2.3.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

• karma-2.0.0.tgz (Root Library)
  • log4js-2.5.3.tgz
    • loggly-1.1.1.tgz
      • request-2.75.0.tgz
        • ❌ qs-6.2.3.tgz (Vulnerable Library)

Found in HEAD commit: 77c7146d0444e2486ff3f42256348ec0130727e7

Found in base branch: dev

Vulnerability Details

qs before 6.10.3, as used in Express before 4.17.3 and other products, allows attackers to cause a Node process hang for an Express application because an __ proto__ key can be used. In many typical Express use cases, an unauthenticated remote attacker can place the attack payload in the query string of the URL that is used to visit the application, such as a[proto]=b&a[proto]&a[length]=100000000. The fix was backported to qs 6.9.7, 6.8.3, 6.7.3, 6.6.1, 6.5.3, 6.4.1, 6.3.3, and 6.2.4 (and therefore Express 4.17.3, which has "deps: qs@6.9.7" in its release description, is not vulnerable).

Publish Date: 2022-11-26

URL: CVE-2022-24999

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2022-24999

Release Date: 2022-11-26

Fix Resolution (qs): 6.5.3

Direct dependency fix Resolution (karma): 2.0.2

Fix Resolution (qs): 6.5.3

Direct dependency fix Resolution (karma): 2.0.2

Step up your Open Source Security Game with Mend here