karma-2.0.0.tgz: 50 vulnerabilities (highest severity is: 9.8) #13
Labels: Mend: dependency security vulnerability (Security vulnerability detected by WhiteSource)
mend-bolt-for-github bot added the "Mend: dependency security vulnerability" label on Feb 22, 2022
mend-bolt-for-github bot changed the title from "karma-2.0.0.tgz: 31 vulnerabilities (highest severity is: 9.8)" to "karma-2.0.0.tgz: 33 vulnerabilities (highest severity is: 9.8)" on Mar 4, 2022
mend-bolt-for-github bot changed the title from "karma-2.0.0.tgz: 33 vulnerabilities (highest severity is: 9.8)" to "karma-2.0.0.tgz: 34 vulnerabilities (highest severity is: 9.8)" on Apr 13, 2022
mend-bolt-for-github bot changed the title from "karma-2.0.0.tgz: 34 vulnerabilities (highest severity is: 9.8)" to "karma-2.0.0.tgz: 35 vulnerabilities (highest severity is: 9.8)" on Apr 15, 2022
mend-bolt-for-github bot changed the title from "karma-2.0.0.tgz: 35 vulnerabilities (highest severity is: 9.8)" to "karma-2.0.0.tgz: 36 vulnerabilities (highest severity is: 9.8)" on May 7, 2022
mend-bolt-for-github bot changed the title from "karma-2.0.0.tgz: 36 vulnerabilities (highest severity is: 9.8)" to "karma-2.0.0.tgz: 37 vulnerabilities (highest severity is: 9.8)" on Jun 28, 2022
mend-bolt-for-github bot changed the title from "karma-2.0.0.tgz: 37 vulnerabilities (highest severity is: 9.8)" to "karma-2.0.0.tgz: 38 vulnerabilities (highest severity is: 9.8)" on Nov 24, 2022
mend-bolt-for-github bot changed the title from "karma-2.0.0.tgz: 38 vulnerabilities (highest severity is: 9.8)" to "karma-2.0.0.tgz: 39 vulnerabilities (highest severity is: 9.8)" on Jan 6, 2023
mend-bolt-for-github bot changed the title from "karma-2.0.0.tgz: 39 vulnerabilities (highest severity is: 9.8)" to "karma-2.0.0.tgz: 40 vulnerabilities (highest severity is: 9.8)" on Jan 7, 2023
mend-bolt-for-github bot changed the title from "karma-2.0.0.tgz: 40 vulnerabilities (highest severity is: 9.8)" to "karma-2.0.0.tgz: 41 vulnerabilities (highest severity is: 9.8)" on Mar 8, 2023
mend-bolt-for-github bot changed the title from "karma-2.0.0.tgz: 41 vulnerabilities (highest severity is: 9.8)" to "karma-2.0.0.tgz: 42 vulnerabilities (highest severity is: 9.8)" on Mar 17, 2023
mend-bolt-for-github bot changed the title from "karma-2.0.0.tgz: 42 vulnerabilities (highest severity is: 9.8)" to "karma-2.0.0.tgz: 44 vulnerabilities (highest severity is: 9.8)" on Dec 7, 2023
mend-bolt-for-github bot changed the title from "karma-2.0.0.tgz: 44 vulnerabilities (highest severity is: 9.8)" to "karma-2.0.0.tgz: 45 vulnerabilities (highest severity is: 9.8)" on Dec 15, 2023
mend-bolt-for-github bot changed the title from "karma-2.0.0.tgz: 45 vulnerabilities (highest severity is: 9.8)" to "karma-2.0.0.tgz: 47 vulnerabilities (highest severity is: 9.8)" on Mar 14, 2024
mend-bolt-for-github bot changed the title from "karma-2.0.0.tgz: 47 vulnerabilities (highest severity is: 9.8)" to "karma-2.0.0.tgz: 46 vulnerabilities (highest severity is: 9.8)" on Mar 22, 2024
mend-bolt-for-github bot changed the title from "karma-2.0.0.tgz: 46 vulnerabilities (highest severity is: 9.8)" to "karma-2.0.0.tgz: 47 vulnerabilities (highest severity is: 9.8)" on Mar 30, 2024
mend-bolt-for-github bot changed the title from "karma-2.0.0.tgz: 47 vulnerabilities (highest severity is: 9.8)" to "karma-2.0.0.tgz: 48 vulnerabilities (highest severity is: 9.8)" on Mar 31, 2024
mend-bolt-for-github bot changed the title from "karma-2.0.0.tgz: 48 vulnerabilities (highest severity is: 9.8)" to "karma-2.0.0.tgz: 49 vulnerabilities (highest severity is: 9.8)" on May 14, 2024
mend-bolt-for-github bot changed the title from "karma-2.0.0.tgz: 49 vulnerabilities (highest severity is: 9.8)" to "karma-2.0.0.tgz: 50 vulnerabilities (highest severity is: 9.8)" on May 30, 2024
Vulnerable Library - karma-2.0.0.tgz
Spectacular Test Runner for JavaScript.
Library home page: https://registry.npmjs.org/karma/-/karma-2.0.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Found in HEAD commit: 77c7146d0444e2486ff3f42256348ec0130727e7
Vulnerabilities
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
CVE-2023-42282
Vulnerable Library - ip-1.1.5.tgz
[![](https://badge.fury.io/js/ip.svg)](https://www.npmjs.com/package/ip)
Library home page: https://registry.npmjs.org/ip/-/ip-1.1.5.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
Found in HEAD commit: 77c7146d0444e2486ff3f42256348ec0130727e7
Found in base branch: dev
Vulnerability Details
The ip package before 1.1.9 for Node.js might allow SSRF because some IP addresses (such as 0x7f.1) are improperly categorized as globally routable via isPublic.
Publish Date: 2024-02-08
URL: CVE-2023-42282
CVSS 3 Score Details (9.8)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: GHSA-78xj-cgh5-2h22
Release Date: 2024-02-08
Fix Resolution (ip): 1.1.9
Direct dependency fix Resolution (karma): 3.0.0
Step up your Open Source Security Game with Mend here
CVE-2022-2421
Vulnerable Library - socket.io-parser-3.1.3.tgz
socket.io protocol parser
Library home page: https://registry.npmjs.org/socket.io-parser/-/socket.io-parser-3.1.3.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
Found in HEAD commit: 77c7146d0444e2486ff3f42256348ec0130727e7
Found in base branch: dev
Vulnerability Details
Due to improper type validation in attachment parsing the Socket.io js library, it is possible to overwrite the _placeholder object which allows an attacker to place references to functions at arbitrary places in the resulting query object.
Publish Date: 2022-10-26
URL: CVE-2022-2421
CVSS 3 Score Details (9.8)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: GHSA-qm95-pgcg-qqfq
Release Date: 2022-10-26
Fix Resolution (socket.io-parser): 3.3.3
Direct dependency fix Resolution (karma): 5.0.8
CVE-2021-42740
Vulnerable Library - shell-quote-1.6.1.tgz
quote and parse shell commands
Library home page: https://registry.npmjs.org/shell-quote/-/shell-quote-1.6.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
Found in HEAD commit: 77c7146d0444e2486ff3f42256348ec0130727e7
Found in base branch: dev
Vulnerability Details
The shell-quote package before 1.7.3 for Node.js allows command injection. An attacker can inject unescaped shell metacharacters through a regex designed to support Windows drive letters. If the output of this package is passed to a real shell as a quoted argument to a command with exec(), an attacker can inject arbitrary commands. This is because the Windows drive letter regex character class is [A-z] instead of the correct [A-Za-z]. Several shell metacharacters exist in the space between capital letter Z and lower case letter a, such as the backtick character.
Publish Date: 2021-10-21
URL: CVE-2021-42740
CVSS 3 Score Details (9.8)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-42740
Release Date: 2021-10-21
Fix Resolution (shell-quote): 1.7.3
Direct dependency fix Resolution (karma): 2.0.2
CVE-2021-23518
Vulnerable Library - cached-path-relative-1.0.1.tgz
Memoize the results of the path.relative function
Library home page: https://registry.npmjs.org/cached-path-relative/-/cached-path-relative-1.0.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
Found in HEAD commit: 77c7146d0444e2486ff3f42256348ec0130727e7
Found in base branch: dev
Vulnerability Details
The package cached-path-relative before 1.1.0 is vulnerable to Prototype Pollution via the cache variable that is set as {} instead of Object.create(null) in the cachedPathRelative function, which allows access to the parent prototype properties when the object is used to create the cached relative path. When using the origin path as __proto__, the attribute of the object is accessed instead of a path. Note: This vulnerability derives from an incomplete fix in https://security.snyk.io/vuln/SNYK-JS-CACHEDPATHRELATIVE-72573
Publish Date: 2022-01-21
URL: CVE-2021-23518
CVSS 3 Score Details (9.8)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23518
Release Date: 2022-01-21
Fix Resolution (cached-path-relative): 1.1.0
Direct dependency fix Resolution (karma): 2.0.2
CVE-2020-7769
Vulnerable Library - nodemailer-2.7.2.tgz
Easy as cake e-mail sending from your Node.js applications
Library home page: https://registry.npmjs.org/nodemailer/-/nodemailer-2.7.2.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
Found in HEAD commit: 77c7146d0444e2486ff3f42256348ec0130727e7
Found in base branch: dev
Vulnerability Details
This affects the package nodemailer before 6.4.16. Use of crafted recipient email addresses may result in arbitrary command flag injection in sendmail transport for sending mails.
Publish Date: 2020-11-12
URL: CVE-2020-7769
CVSS 3 Score Details (9.8)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2020-7769
Release Date: 2020-11-12
Fix Resolution (nodemailer): 6.4.16
Direct dependency fix Resolution (karma): 3.0.0
CVE-2019-10196
Vulnerable Library - http-proxy-agent-1.0.0.tgz
An HTTP(s) proxy `http.Agent` implementation for HTTP
Library home page: https://registry.npmjs.org/http-proxy-agent/-/http-proxy-agent-1.0.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
Found in HEAD commit: 77c7146d0444e2486ff3f42256348ec0130727e7
Found in base branch: dev
Vulnerability Details
A flaw was found in http-proxy-agent, prior to version 2.1.0. It was discovered http-proxy-agent passes an auth option to the Buffer constructor without proper sanitization. This could result in a Denial of Service through the usage of all available CPU resources and data exposure through an uninitialized memory leak in setups where an attacker could submit typed input to the auth parameter.
Publish Date: 2021-03-19
URL: CVE-2019-10196
CVSS 3 Score Details (9.8)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://www.npmjs.com/advisories/607
Release Date: 2021-03-19
Fix Resolution (http-proxy-agent): 2.1.0
Direct dependency fix Resolution (karma): 2.0.2
CVE-2021-31597
Vulnerable Library - xmlhttprequest-ssl-1.5.5.tgz
XMLHttpRequest for Node
Library home page: https://registry.npmjs.org/xmlhttprequest-ssl/-/xmlhttprequest-ssl-1.5.5.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
Found in HEAD commit: 77c7146d0444e2486ff3f42256348ec0130727e7
Found in base branch: dev
Vulnerability Details
The xmlhttprequest-ssl package before 1.6.1 for Node.js disables SSL certificate validation by default, because rejectUnauthorized (when the property exists but is undefined) is considered to be false within the https.request function of Node.js. In other words, no certificate is ever rejected.
Publish Date: 2021-04-23
URL: CVE-2021-31597
CVSS 3 Score Details (9.4)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-31597
Release Date: 2021-04-23
Fix Resolution (xmlhttprequest-ssl): 1.6.1
Direct dependency fix Resolution (karma): 5.0.8
CVE-2024-29415
Vulnerable Library - ip-1.1.5.tgz
[![](https://badge.fury.io/js/ip.svg)](https://www.npmjs.com/package/ip)
Library home page: https://registry.npmjs.org/ip/-/ip-1.1.5.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
Found in HEAD commit: 77c7146d0444e2486ff3f42256348ec0130727e7
Found in base branch: dev
Vulnerability Details
The ip package through 2.0.1 for Node.js might allow SSRF because some IP addresses (such as 127.1, 01200034567, 012.1.2.3, 000:0:0000::01, and ::fFFf:127.0.0.1) are improperly categorized as globally routable via isPublic. NOTE: this issue exists because of an incomplete fix for CVE-2023-42282.
Publish Date: 2024-05-27
URL: CVE-2024-29415
CVSS 3 Score Details (9.1)
Base Score Metrics:
CVE-2018-3739
Vulnerable Library - https-proxy-agent-1.0.0.tgz
An HTTP(s) proxy `http.Agent` implementation for HTTPS
Library home page: https://registry.npmjs.org/https-proxy-agent/-/https-proxy-agent-1.0.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
Found in HEAD commit: 77c7146d0444e2486ff3f42256348ec0130727e7
Found in base branch: dev
Vulnerability Details
https-proxy-agent before 2.1.1 passes auth option to the Buffer constructor without proper sanitization, resulting in DoS and uninitialized memory leak in setups where an attacker could submit typed input to the 'auth' parameter (e.g. JSON).
Publish Date: 2018-06-07
URL: CVE-2018-3739
CVSS 3 Score Details (9.1)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3739
Release Date: 2018-04-26
Fix Resolution (https-proxy-agent): 2.2.0
Direct dependency fix Resolution (karma): 2.0.2
CVE-2021-23400
Vulnerable Library - nodemailer-2.7.2.tgz
Easy as cake e-mail sending from your Node.js applications
Library home page: https://registry.npmjs.org/nodemailer/-/nodemailer-2.7.2.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
Found in HEAD commit: 77c7146d0444e2486ff3f42256348ec0130727e7
Found in base branch: dev
Vulnerability Details
The package nodemailer before 6.6.1 is vulnerable to HTTP Header Injection if unsanitized user input that may contain newlines and carriage returns is passed into an address object.
Publish Date: 2021-06-29
URL: CVE-2021-23400
CVSS 3 Score Details (8.8)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23400
Release Date: 2021-06-29
Fix Resolution (nodemailer): 6.6.1
Direct dependency fix Resolution (karma): 3.0.0
WS-2020-0443
Vulnerable Library - socket.io-2.0.4.tgz
node.js realtime framework server
Library home page: https://registry.npmjs.org/socket.io/-/socket.io-2.0.4.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
Found in HEAD commit: 77c7146d0444e2486ff3f42256348ec0130727e7
Found in base branch: dev
Vulnerability Details
socket.io in versions 1.0.0 to 2.3.0 is vulnerable to Cross-Site WebSocket Hijacking: it allows an attacker to bypass origin protection using special symbols, including "`" and "$".
Publish Date: 2020-02-20
URL: WS-2020-0443
CVSS 3 Score Details (8.1)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://hackerone.com/reports/931197
Release Date: 2020-02-20
Fix Resolution (socket.io): 2.4.0
Direct dependency fix Resolution (karma): 5.0.8
CVE-2020-28502
Vulnerable Library - xmlhttprequest-ssl-1.5.5.tgz
XMLHttpRequest for Node
Library home page: https://registry.npmjs.org/xmlhttprequest-ssl/-/xmlhttprequest-ssl-1.5.5.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
Found in HEAD commit: 77c7146d0444e2486ff3f42256348ec0130727e7
Found in base branch: dev
Vulnerability Details
This affects the package xmlhttprequest before 1.7.0; all versions of package xmlhttprequest-ssl. Provided requests are sent synchronously (async=False on xhr.open), malicious user input flowing into xhr.send could result in arbitrary code being injected and run.
Publish Date: 2021-03-05
URL: CVE-2020-28502
CVSS 3 Score Details (8.1)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: GHSA-h4j5-c7cj-74xg
Release Date: 2021-03-05
Fix Resolution (xmlhttprequest-ssl): 1.6.1
Direct dependency fix Resolution (karma): 5.0.8
CVE-2021-43138
Vulnerable Library - async-2.1.5.tgz
Higher-order functions and common patterns for asynchronous code
Library home page: https://registry.npmjs.org/async/-/async-2.1.5.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
Found in HEAD commit: 77c7146d0444e2486ff3f42256348ec0130727e7
Found in base branch: dev
Vulnerability Details
In Async before 2.6.4 and 3.x before 3.2.2, a malicious user can obtain privileges via the mapValues() method, aka lib/internal/iterator.js createObjectIterator prototype pollution.
Publish Date: 2022-04-06
URL: CVE-2021-43138
CVSS 3 Score Details (7.8)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2021-43138
Release Date: 2022-04-06
Fix Resolution (async): 2.6.4
Direct dependency fix Resolution (karma): 2.0.2
CVE-2020-13822
Vulnerable Library - elliptic-6.4.0.tgz
EC cryptography
Library home page: https://registry.npmjs.org/elliptic/-/elliptic-6.4.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
Found in HEAD commit: 77c7146d0444e2486ff3f42256348ec0130727e7
Found in base branch: dev
Vulnerability Details
The Elliptic package 6.5.2 for Node.js allows ECDSA signature malleability via variations in encoding, leading '\0' bytes, or integer overflows. This could conceivably have a security-relevant impact if an application relied on a single canonical signature.
Publish Date: 2020-06-04
URL: CVE-2020-13822
CVSS 3 Score Details (7.7)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Release Date: 2020-07-02
Fix Resolution (elliptic): 6.5.3
Direct dependency fix Resolution (karma): 2.0.2
WS-2020-0091
Vulnerable Library - http-proxy-1.16.2.tgz
HTTP proxying for the masses
Library home page: https://registry.npmjs.org/http-proxy/-/http-proxy-1.16.2.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
Found in HEAD commit: 77c7146d0444e2486ff3f42256348ec0130727e7
Found in base branch: dev
Vulnerability Details
Versions of http-proxy prior to 1.18.1 are vulnerable to Denial of Service. An HTTP request with a long body triggers an ERR_HTTP_HEADERS_SENT unhandled exception that crashes the proxy server. This is only possible when the proxy server sets headers in the proxy request using the proxyReq.setHeader function.
Publish Date: 2020-05-14
URL: WS-2020-0091
CVSS 3 Score Details (7.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://www.npmjs.com/advisories/1486
Release Date: 2020-05-14
Fix Resolution (http-proxy): 1.18.1
Direct dependency fix Resolution (karma): 2.0.2
WS-2019-0310
Vulnerable Library - https-proxy-agent-1.0.0.tgz
An HTTP(s) proxy `http.Agent` implementation for HTTPS
Library home page: https://registry.npmjs.org/https-proxy-agent/-/https-proxy-agent-1.0.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
Found in HEAD commit: 77c7146d0444e2486ff3f42256348ec0130727e7
Found in base branch: dev
Vulnerability Details
In 'https-proxy-agent', before v2.2.3, there is a failure of TLS enforcement on the socket. An attacker may intercept unencrypted communications.
Publish Date: 2019-10-07
URL: WS-2019-0310
CVSS 3 Score Details (7.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://www.npmjs.com/advisories/1184
Release Date: 2019-10-07
Fix Resolution (https-proxy-agent): 2.2.3
Direct dependency fix Resolution (karma): 2.0.2
WS-2018-0650
Vulnerable Library - useragent-2.3.0.tgz
Fastest, most accurate & efficient user agent string parser, uses Browserscope's research for parsing
Library home page: https://registry.npmjs.org/useragent/-/useragent-2.3.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
Found in HEAD commit: 77c7146d0444e2486ff3f42256348ec0130727e7
Found in base branch: dev
Vulnerability Details
Regular Expression Denial of Service (ReDoS) vulnerability was found in useragent through 2.3.0.
Publish Date: 2018-02-27
URL: WS-2018-0650
CVSS 3 Score Details (7.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/WS-2018-0650
Release Date: 2018-02-27
Fix Resolution: NorDroN.AngularTemplate - 0.1.6;dotnetng.template - 1.0.0.4;JetBrains.Rider.Frontend5 - 213.0.20211008.154703-eap03;MIDIator.WebClient - 1.0.105
CVE-2024-4068
Vulnerable Library - braces-0.1.5.tgz
Fastest brace expansion lib. Typically used with file paths, but can be used with any string. Expands comma-separated values (e.g. `foo/{a,b,c}/bar`) and alphabetical or numerical ranges (e.g. `{1..9}`)
Library home page: https://registry.npmjs.org/braces/-/braces-0.1.5.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
Found in HEAD commit: 77c7146d0444e2486ff3f42256348ec0130727e7
Found in base branch: dev
Vulnerability Details
The NPM package braces, versions prior to 3.0.3, fails to limit the number of characters it can handle, which could lead to Memory Exhaustion. In lib/parse.js, if a malicious user sends "imbalanced braces" as input, the parsing will enter a loop, which will cause the program to start allocating heap memory without freeing it at any moment of the loop. Eventually, the JavaScript heap limit is reached, and the program will crash.
Mend Note: After conducting further research, it was concluded that CVE-2024-4068 does not contain a high security risk that reflects the NVD score, but should be kept for users' awareness. Users of braces should follow the fix recommendation as noted.
Publish Date: 2024-05-14
URL: CVE-2024-4068
CVSS 3 Score Details (7.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Release Date: 2024-05-14
Fix Resolution: braces - 3.0.3
CVE-2023-46234
Vulnerable Library - browserify-sign-4.0.4.tgz
adds node crypto signing for browsers
Library home page: https://registry.npmjs.org/browserify-sign/-/browserify-sign-4.0.4.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
Found in HEAD commit: 77c7146d0444e2486ff3f42256348ec0130727e7
Found in base branch: dev
Vulnerability Details
browserify-sign is a package to duplicate the functionality of node's crypto public key functions, much of this is based on Fedor Indutny's work on indutny/tls.js. An upper bound check issue in the dsaVerify function allows an attacker to construct signatures that can be successfully verified by any public key, thus leading to a signature forgery attack. All places in this project that involve DSA verification of user-input signatures will be affected by this vulnerability. This issue has been patched in version 4.2.2.
Publish Date: 2023-10-26
URL: CVE-2023-46234
CVSS 3 Score Details (7.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: GHSA-x9w5-v3q2-3rhw
Release Date: 2023-10-26
Fix Resolution (browserify-sign): 4.2.2
Direct dependency fix Resolution (karma): 2.0.2
CVE-2022-29167
Vulnerable Library - hawk-6.0.2.tgz
HTTP Hawk Authentication Scheme
Library home page: https://registry.npmjs.org/hawk/-/hawk-6.0.2.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
Found in HEAD commit: 77c7146d0444e2486ff3f42256348ec0130727e7
Found in base branch: dev
Vulnerability Details
Hawk is an HTTP authentication scheme providing mechanisms for making authenticated HTTP requests with partial cryptographic verification of the request and response, covering the HTTP method, request URI, host, and optionally the request payload. Hawk used a regular expression to parse the Host HTTP header (Hawk.utils.parseHost()), which was subject to regular expression DoS attack - meaning each added character in the attacker's input increases the computation time exponentially. parseHost() was patched in 9.0.1 to use the built-in URL class to parse hostname instead. Hawk.authenticate() accepts an options argument. If that contains host and port, those would be used instead of a call to utils.parseHost().
Publish Date: 2022-05-05
URL: CVE-2022-29167
CVSS 3 Score Details (7.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: GHSA-44pw-h2cw-w3vq
Release Date: 2022-05-05
Fix Resolution (hawk): 9.0.1
Direct dependency fix Resolution (karma): 3.0.0
CVE-2022-24999
Vulnerable Libraries - qs-6.5.1.tgz, qs-6.2.3.tgz
qs-6.5.1.tgz
A querystring parser that supports nesting and arrays, with a depth limit
Library home page: https://registry.npmjs.org/qs/-/qs-6.5.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
qs-6.2.3.tgz
A querystring parser that supports nesting and arrays, with a depth limit
Library home page: https://registry.npmjs.org/qs/-/qs-6.2.3.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
Found in HEAD commit: 77c7146d0444e2486ff3f42256348ec0130727e7
Found in base branch: dev
Vulnerability Details
qs before 6.10.3, as used in Express before 4.17.3 and other products, allows attackers to cause a Node process hang for an Express application because an __proto__ key can be used. In many typical Express use cases, an unauthenticated remote attacker can place the attack payload in the query string of the URL that is used to visit the application, such as a[__proto__]=b&a[__proto__]&a[length]=100000000. The fix was backported to qs 6.9.7, 6.8.3, 6.7.3, 6.6.1, 6.5.3, 6.4.1, 6.3.3, and 6.2.4 (and therefore Express 4.17.3, which has "deps: qs@6.9.7" in its release description, is not vulnerable).
Publish Date: 2022-11-26
URL: CVE-2022-24999
CVSS 3 Score Details (7.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2022-24999
Release Date: 2022-11-26
Fix Resolution (qs): 6.5.3
Direct dependency fix Resolution (karma): 2.0.2
Fix Resolution (qs): 6.5.3
Direct dependency fix Resolution (karma): 2.0.2