<html lang="en">
<head>
  <meta charset="utf-8" />
  <meta name="viewport" content="width=device-width, initial-scale=1.0, viewport-fit=cover" />

  <link
    rel="stylesheet"
    href="https://cdn.jsdelivr.net/npm/bootswatch@5.2/dist/materia/bootstrap.min.css"
    crossorigin="anonymous"
  />

  <title>Yarn Audit Report</title>
  <meta name="description" content="45 overall vulnerabilities found." />

  <style>
    label {
      position: relative;
      display: block;
      padding-left: 30px;
      margin-left: -10px;
      cursor: pointer;
    }

    label:before {
      position: absolute;
      top: 50%;
      left: 10px;
      width: 0;
      height: 0;
      border-left: 8px solid currentColor;
      border-top: 8px solid transparent;
      border-bottom: 8px solid transparent;
      margin-top: -8px;
      content: '';
    }

    .card-text p:last-child {
      margin-bottom: 0;
    }

    input[type='checkbox'] {
      display: none;
    }

    input[type='checkbox']:checked + h3 label:before {
      border-left: 8px solid transparent;
      border-top: 8px solid black;
      border-right: 8px solid transparent;
      margin-left: -4px;
      margin-top: -4px;
    }

    .collapsible-wrapper {
      max-height: 0;
      padding: 0;
      padding-left: 30px;
      overflow-y: auto;
      transition: max-height 0.15s ease;
    }

    input[type='checkbox']:checked + h3 + .collapsible-wrapper {
      max-height: 500px;
      padding: var(--bs-alert-padding-y) var(--bs-alert-padding-x);
    }

    h1,
    .h1 {
      font-size: calc(2.03125rem * 20 / 16);
    }
    h2,
    .h2 {
      font-size: calc(1.625rem * 20 / 16);
    }
    h3,
    .h3 {
      font-size: calc(1.421875rem * 20 / 16);
    }
    h4,
    .h4 {
      font-size: calc(1.21875rem * 20 / 16);
    }
    h5,
    .h5 {
      font-size: calc(1.015625rem * 20 / 16);
    }
    h6,
    .h6 {
      font-size: calc(0.8125rem * 20 / 16);
    }
    @media (min-width: 1200px) {
      h1,
      .h1 {
        font-size: calc(2.03125rem * 20 / 16);
      }
      h2,
      .h2 {
        font-size: calc(1.625rem * 20 / 16);
      }
      h3,
      .h3 {
        font-size: calc(1.421875rem * 20 / 16);
      }
      h4,
      .h4 {
        font-size: calc(1.21875rem * 20 / 16);
      }
      h5,
      .h5 {
        font-size: calc(1.015625rem * 20 / 16);
      }
      h6,
      .h6 {
        font-size: calc(0.8125rem * 20 / 16);
      }
    }
    .alert,
    .alert .h1,
    .alert .h2,
    .alert .h3,
    .alert .h4,
    .alert .h5,
    .alert .h6,
    .alert h1,
    .alert h2,
    .alert h3,
    .alert h4,
    .alert h5,
    .alert h6 {
      color: var(--bs-body-color);
    }
  </style>
</head>
|
141 |
|
142 | <body>
|
143 | <div class="container">
|
144 | <div class="row my-3">
|
145 | <div class="col-md text-center">
|
146 | <h1 class="h2">Yarn Audit Report</h1>
|
147 |
|
148 | <h3 class="h5">
|
149 | 12 unique from 45 overall vulnerabilities | 29,350 dependencies
|
150 | </h3>
|
151 | </div>
|
152 | </div>
|
    <div class="row">

      <div class="col-md-12">
        <div class="card mb-3">
          <div class="card-body p-4">
            <h1 class="card-title h3 d-flex align-items-center gap-2">
              <span class="badge text-capitalize bg-warning">high</span>
              Regular Expression Denial of Service
            </h1>
            <div class="row">
              <div class="col-md-6">
                <ul>
                  <li>
                    Module:
                    <a href="https://npmjs.com/package/tough-cookie" target="_blank" rel="noopener noreferrer">tough-cookie</a>
                  </li>
                  <li>Installed version: 2.2.2</li>
                  <li>Vulnerable: <2.3.3</li>
                  <li>Patched: >=2.3.3</li>
                </ul>
              </div>
              <div class="col-md-6">
                <ul>
                  <li>Published: September 8, 2017 at 8:07:02 PM GMT+2</li>
                  <li>Reported by: Cristian-Alexandru Staicu</li>
                  <li>CVSS: 5</li>
                  <li>CWE-400</li>
                  <li>CVE-2017-15010</li>
                </ul>
              </div>
            </div>
            <h3>Overview</h3>
            <div class="card-text alert alert-secondary overflow-auto mb-3">
              <p>Affected versions of <code>tough-cookie</code> are susceptible to a regular expression denial of service.</p>
              <p>The amplification of this vulnerability is relatively low: it takes around 2 seconds for the engine to execute on a malicious input 50,000 characters in length.</p>
              <p>If Node.js was compiled with a custom <code>-DHTTP_MAX_HEADER_SIZE</code>, however, the impact can be significant, because the default maximum HTTP header length in Node.js is the primary limit on this vulnerability.</p>
            </div>

            <h3>Remediation</h3>
            <div class="card-text mb-3"><p>Update to version 2.3.3 or later.</p></div>

            <input id="vulnerability-references-0" type="checkbox" />
            <h3>
              <label for="vulnerability-references-0">References</label>
            </h3>
            <div class="card-text alert alert-secondary collapsible-wrapper">
              <p><a href="https://github.com/salesforce/tough-cookie/issues/92">Issue #92</a></p>
            </div>

            <input id="vulnerability-reasons-0" type="checkbox" />
            <h3>
              <label for="vulnerability-reasons-0">Reasons this module exists</label>
            </h3>
            <div class="card-text alert alert-secondary collapsible-wrapper">
              <div class="card-text">
                <code class="text-body">gulp-uncss>uncss>request>tough-cookie</code>
              </div>
            </div>

            <div class="d-flex justify-content-end">
              <a href="https://npmjs.com/advisories/525" class="btn btn-md btn-primary" target="_blank" rel="noopener noreferrer">
                More about this vulnerability
              </a>
            </div>
          </div>
        </div>
      </div>
|
      <div class="col-md-12">
        <div class="card mb-3">
          <div class="card-body p-4">
            <h1 class="card-title h3 d-flex align-items-center gap-2">
              <span class="badge text-capitalize bg-info">moderate</span>
              Memory Exposure
            </h1>
            <div class="row">
              <div class="col-md-6">
                <ul>
                  <li>
                    Module:
                    <a href="https://npmjs.com/package/tunnel-agent" target="_blank" rel="noopener noreferrer">tunnel-agent</a>
                  </li>
                  <li>Installed version: 0.4.3</li>
                  <li>Vulnerable: <0.6.0</li>
                  <li>Patched: >=0.6.0</li>
                </ul>
              </div>
              <div class="col-md-6">
                <ul>
                  <li>Published: April 24, 2018 at 10:30:16 PM GMT+2</li>
                  <li>Reported by: Сковорода Никита Андреевич</li>
                  <li>CVSS: 3</li>
                  <li>CWE-20</li>
                </ul>
              </div>
            </div>
            <h3>Overview</h3>
            <div class="card-text alert alert-secondary overflow-auto mb-3">
              <p>Versions of <code>tunnel-agent</code> before 0.6.0 are vulnerable to memory exposure.</p>
              <p>This is exploitable if user-supplied input is passed as the <code>auth</code> value and is a number.</p>
              <p>Proof-of-concept:</p>
              <pre><code class="language-js">require('request')({
  method: 'GET',
  uri: 'http://www.example.com',
  tunnel: true,
  proxy: {
    protocol: 'http:',
    host: '127.0.0.1',
    port: 8080,
    auth: USERSUPPLIEDINPUT // number
  }
});
</code></pre>
            </div>

            <h3>Remediation</h3>
            <div class="card-text mb-3"><p>Update to version 0.6.0 or later.</p></div>

            <input id="vulnerability-references-1" type="checkbox" />
            <h3>
              <label for="vulnerability-references-1">References</label>
            </h3>
            <div class="card-text alert alert-secondary collapsible-wrapper">
              <ul>
                <li><a href="https://github.com/request/tunnel-agent/commit/9ca95ec7219daface8a6fc2674000653de0922c0">GitHub Commit #9ca95ec</a></li>
                <li><a href="https://gist.github.com/ChALkeR/fd6b2c445834244e7d440a043f9d2ff4">Proof of Concept</a></li>
              </ul>
            </div>

            <input id="vulnerability-reasons-1" type="checkbox" />
            <h3>
              <label for="vulnerability-reasons-1">Reasons this module exists</label>
            </h3>
            <div class="card-text alert alert-secondary collapsible-wrapper">
              <div class="card-text">
                <code class="text-body">gulp-imagemin>imagemin>imagemin-gifsicle>gifsicle>bin-build>download>caw>tunnel-agent</code>
              </div>
              <div class="card-text">
                <code class="text-body">gulp-imagemin>imagemin>imagemin-gifsicle>gifsicle>bin-wrapper>download>caw>tunnel-agent</code>
              </div>
              <div class="card-text">
                <code class="text-body">gulp-imagemin>imagemin>imagemin-jpegtran>jpegtran-bin>bin-build>download>caw>tunnel-agent</code>
              </div>
              <div class="card-text">
                <code class="text-body">gulp-imagemin>imagemin>imagemin-jpegtran>jpegtran-bin>bin-wrapper>download>caw>tunnel-agent</code>
              </div>
              <div class="card-text">
                <code class="text-body">gulp-imagemin>imagemin>imagemin-optipng>optipng-bin>bin-build>download>caw>tunnel-agent</code>
              </div>
              <div class="card-text">
                <code class="text-body">gulp-imagemin>imagemin>imagemin-optipng>optipng-bin>bin-wrapper>download>caw>tunnel-agent</code>
              </div>
              <div class="card-text">
                <code class="text-body">gulp-uncss>uncss>request>tunnel-agent</code>
              </div>
            </div>

            <div class="d-flex justify-content-end">
              <a href="https://npmjs.com/advisories/598" class="btn btn-md btn-primary" target="_blank" rel="noopener noreferrer">
                More about this vulnerability
              </a>
            </div>
          </div>
        </div>
      </div>
|
      <div class="col-md-12">
        <div class="card mb-3">
          <div class="card-body p-4">
            <h1 class="card-title h3 d-flex align-items-center gap-2">
              <span class="badge text-capitalize bg-info">moderate</span>
              Prototype Pollution
            </h1>
            <div class="row">
              <div class="col-md-6">
                <ul>
                  <li>
                    Module:
                    <a href="https://npmjs.com/package/lodash" target="_blank" rel="noopener noreferrer">lodash</a>
                  </li>
                  <li>Installed version: 3.10.1</li>
                  <li>Vulnerable: <4.17.11</li>
                  <li>Patched: >=4.17.11</li>
                </ul>
              </div>
              <div class="col-md-6">
                <ul>
                  <li>Published: February 13, 2019 at 5:16:53 PM GMT+1</li>
                  <li>Reported by: asgerf</li>
                  <li>CVSS: 3</li>
                  <li>CWE-471</li>
                  <li>CVE-2018-16487</li>
                </ul>
              </div>
            </div>
            <h3>Overview</h3>
            <div class="card-text alert alert-secondary overflow-auto mb-3">
              <p>Versions of <code>lodash</code> before 4.17.5 are vulnerable to prototype pollution.</p>
              <p>The vulnerable functions are <code>defaultsDeep</code>, <code>merge</code>, and <code>mergeWith</code>, which allow a malicious user to modify the prototype of <code>Object</code> via <code>{constructor: {prototype: {...}}}</code>, causing the addition of a new property, or the modification of an existing one, that will exist on all objects.</p>
            </div>

            <h3>Remediation</h3>
            <div class="card-text mb-3"><p>Update to version 4.17.11 or later.</p></div>

            <input id="vulnerability-references-2" type="checkbox" />
            <h3>
              <label for="vulnerability-references-2">References</label>
            </h3>
            <div class="card-text alert alert-secondary collapsible-wrapper">
              <ul>
                <li><a href="https://hackerone.com/reports/380873">HackerOne Report</a></li>
              </ul>
            </div>

            <input id="vulnerability-reasons-2" type="checkbox" />
            <h3>
              <label for="vulnerability-reasons-2">Reasons this module exists</label>
            </h3>
            <div class="card-text alert alert-secondary collapsible-wrapper">
              <div class="card-text">
                <code class="text-body">favicons-webpack-plugin>favicons>cheerio>lodash</code>
              </div>
            </div>

            <div class="d-flex justify-content-end">
              <a href="https://npmjs.com/advisories/782" class="btn btn-md btn-primary" target="_blank" rel="noopener noreferrer">
                More about this vulnerability
              </a>
            </div>
          </div>
        </div>
      </div>
|
      <div class="col-md-12">
        <div class="card mb-3">
          <div class="card-body p-4">
            <h1 class="card-title h3 d-flex align-items-center gap-2">
              <span class="badge text-capitalize bg-info">moderate</span>
              Prototype Pollution
            </h1>
            <div class="row">
              <div class="col-md-6">
                <ul>
                  <li>
                    Module:
                    <a href="https://npmjs.com/package/lodash" target="_blank" rel="noopener noreferrer">lodash</a>
                  </li>
                  <li>Installed version: 2.4.2</li>
                  <li>Vulnerable: <4.17.11</li>
                  <li>Patched: >=4.17.11</li>
                </ul>
              </div>
              <div class="col-md-6">
                <ul>
                  <li>Published: February 13, 2019 at 5:16:53 PM GMT+1</li>
                  <li>Reported by: asgerf</li>
                  <li>CVSS: 3</li>
                  <li>CWE-471</li>
                  <li>CVE-2018-16487</li>
                </ul>
              </div>
            </div>
            <h3>Overview</h3>
            <div class="card-text alert alert-secondary overflow-auto mb-3">
              <p>Versions of <code>lodash</code> before 4.17.5 are vulnerable to prototype pollution.</p>
              <p>The vulnerable functions are <code>defaultsDeep</code>, <code>merge</code>, and <code>mergeWith</code>, which allow a malicious user to modify the prototype of <code>Object</code> via <code>{constructor: {prototype: {...}}}</code>, causing the addition of a new property, or the modification of an existing one, that will exist on all objects.</p>
            </div>

            <h3>Remediation</h3>
            <div class="card-text mb-3"><p>Update to version 4.17.11 or later.</p></div>

            <input id="vulnerability-references-3" type="checkbox" />
            <h3>
              <label for="vulnerability-references-3">References</label>
            </h3>
            <div class="card-text alert alert-secondary collapsible-wrapper">
              <ul>
                <li><a href="https://hackerone.com/reports/380873">HackerOne Report</a></li>
              </ul>
            </div>

            <input id="vulnerability-reasons-3" type="checkbox" />
            <h3>
              <label for="vulnerability-reasons-3">Reasons this module exists</label>
            </h3>
            <div class="card-text alert alert-secondary collapsible-wrapper">
              <div class="card-text">
                <code class="text-body">favicons-webpack-plugin>favicons>merge-defaults>lodash</code>
              </div>
            </div>

            <div class="d-flex justify-content-end">
              <a href="https://npmjs.com/advisories/782" class="btn btn-md btn-primary" target="_blank" rel="noopener noreferrer">
                More about this vulnerability
              </a>
            </div>
          </div>
        </div>
      </div>
|
      <div class="col-md-12">
        <div class="card mb-3">
          <div class="card-body p-4">
            <h1 class="card-title h3 d-flex align-items-center gap-2">
              <span class="badge text-capitalize bg-info">moderate</span>
              Prototype Pollution
            </h1>
            <div class="row">
              <div class="col-md-6">
                <ul>
                  <li>
                    Module:
                    <a href="https://npmjs.com/package/lodash" target="_blank" rel="noopener noreferrer">lodash</a>
                  </li>
                  <li>Installed version: 4.0.1</li>
                  <li>Vulnerable: <4.17.11</li>
                  <li>Patched: >=4.17.11</li>
                </ul>
              </div>
              <div class="col-md-6">
                <ul>
                  <li>Published: February 13, 2019 at 5:16:53 PM GMT+1</li>
                  <li>Reported by: asgerf</li>
                  <li>CVSS: 3</li>
                  <li>CWE-471</li>
                  <li>CVE-2018-16487</li>
                </ul>
              </div>
            </div>
            <h3>Overview</h3>
            <div class="card-text alert alert-secondary overflow-auto mb-3">
              <p>Versions of <code>lodash</code> before 4.17.5 are vulnerable to prototype pollution.</p>
              <p>The vulnerable functions are <code>defaultsDeep</code>, <code>merge</code>, and <code>mergeWith</code>, which allow a malicious user to modify the prototype of <code>Object</code> via <code>{constructor: {prototype: {...}}}</code>, causing the addition of a new property, or the modification of an existing one, that will exist on all objects.</p>
            </div>

            <h3>Remediation</h3>
            <div class="card-text mb-3"><p>Update to version 4.17.11 or later.</p></div>

            <input id="vulnerability-references-4" type="checkbox" />
            <h3>
              <label for="vulnerability-references-4">References</label>
            </h3>
            <div class="card-text alert alert-secondary collapsible-wrapper">
              <ul>
                <li><a href="https://hackerone.com/reports/380873">HackerOne Report</a></li>
              </ul>
            </div>

            <input id="vulnerability-reasons-4" type="checkbox" />
            <h3>
              <label for="vulnerability-reasons-4">Reasons this module exists</label>
            </h3>
            <div class="card-text alert alert-secondary collapsible-wrapper">
              <div class="card-text">
                <code class="text-body">gulp-uncss>uncss>lodash</code>
              </div>
            </div>

            <div class="d-flex justify-content-end">
              <a href="https://npmjs.com/advisories/782" class="btn btn-md btn-primary" target="_blank" rel="noopener noreferrer">
                More about this vulnerability
              </a>
            </div>
          </div>
        </div>
      </div>
|
      <div class="col-md-12">
        <div class="card mb-3">
          <div class="card-body p-4">
            <h1 class="card-title h3 d-flex align-items-center gap-2">
              <span class="badge text-capitalize bg-info">moderate</span>
              Prototype Pollution
            </h1>
            <div class="row">
              <div class="col-md-6">
                <ul>
                  <li>
                    Module:
                    <a href="https://npmjs.com/package/hoek" target="_blank" rel="noopener noreferrer">hoek</a>
                  </li>
                  <li>Installed version: 2.16.3</li>
                  <li>Vulnerable: <= 4.2.0 || >= 5.0.0 < 5.0.3</li>
                  <li>Patched: > 4.2.0 < 5.0.0 || >= 5.0.3</li>
                </ul>
              </div>
              <div class="col-md-6">
                <ul>
                  <li>Published: April 20, 2018 at 11:25:58 PM GMT+2</li>
                  <li>Reported by: HoLyVieR</li>
                  <li>CVSS: 5</li>
                  <li>CWE-471</li>
                </ul>
              </div>
            </div>
            <h3>Overview</h3>
            <div class="card-text alert alert-secondary overflow-auto mb-3">
              <p>Versions of <code>hoek</code> prior to 4.2.1 and 5.0.3 are vulnerable to prototype pollution.</p>
              <p>The <code>merge</code> function, and the <code>applyToDefaults</code> and <code>applyToDefaultsWithShallow</code> functions which leverage <code>merge</code> behind the scenes, are vulnerable to a prototype pollution attack when provided an <em>unvalidated</em> payload created from a JSON string containing the <code>__proto__</code> property.</p>
              <p>This can be demonstrated like so:</p>
              <pre><code class="language-javascript">var Hoek = require('hoek');
var malicious_payload = '{"__proto__":{"oops":"It works !"}}';

var a = {};
console.log("Before : " + a.oops);
Hoek.merge({}, JSON.parse(malicious_payload));
console.log("After : " + a.oops);
</code></pre>
              <p>This type of attack can be used to overwrite existing properties causing a potential denial of service.</p>
            </div>

            <h3>Remediation</h3>
            <div class="card-text mb-3"><p>Update to version 4.2.1, 5.0.3 or later.</p></div>

            <input id="vulnerability-reasons-5" type="checkbox" />
            <h3>
              <label for="vulnerability-reasons-5">Reasons this module exists</label>
            </h3>
            <div class="card-text alert alert-secondary collapsible-wrapper">
              <div class="card-text">
                <code class="text-body">gulp-cli>wreck>boom>hoek</code>
              </div>
              <div class="card-text">
                <code class="text-body">gulp-cli>wreck>hoek</code>
              </div>
              <div class="card-text">
                <code class="text-body">gulp-uncss>uncss>request>hawk>boom>hoek</code>
              </div>
              <div class="card-text">
                <code class="text-body">gulp-uncss>uncss>request>hawk>cryptiles>boom>hoek</code>
              </div>
              <div class="card-text">
                <code class="text-body">gulp-uncss>uncss>request>hawk>hoek</code>
              </div>
              <div class="card-text">
                <code class="text-body">gulp-uncss>uncss>request>hawk>sntp>hoek</code>
              </div>
            </div>

            <div class="d-flex justify-content-end">
              <a href="https://npmjs.com/advisories/566" class="btn btn-md btn-primary" target="_blank" rel="noopener noreferrer">
                More about this vulnerability
              </a>
            </div>
          </div>
        </div>
      </div>
|
      <div class="col-md-12">
        <div class="card mb-3">
          <div class="card-body p-4">
            <h1 class="card-title h3 d-flex align-items-center gap-2">
              <span class="badge text-capitalize bg-info">moderate</span>
              ReDoS via long string of semicolons
            </h1>
            <div class="row">
              <div class="col-md-6">
                <ul>
                  <li>
                    Module:
                    <a href="https://npmjs.com/package/tough-cookie" target="_blank" rel="noopener noreferrer">tough-cookie</a>
                  </li>
                  <li>Installed version: 2.2.2</li>
                  <li>Vulnerable: >=0.9.7 <=2.2.2</li>
                  <li>Patched: >=2.3.0</li>
                </ul>
              </div>
              <div class="col-md-6">
                <ul>
                  <li>Published: July 22, 2016 at 9:43:01 PM GMT+2</li>
                  <li>Reported by: David Kirchner</li>
                  <li>CVSS: 7</li>
                  <li>CWE-400</li>
                  <li>CVE-2016-1000232</li>
                </ul>
              </div>
            </div>
            <h3>Overview</h3>
            <div class="card-text alert alert-secondary overflow-auto mb-3">
              <p>Affected versions of <code>tough-cookie</code> may be vulnerable to regular expression denial of service when long strings of semicolons exist in the <code>Set-Cookie</code> header.</p>
            </div>

            <h3>Remediation</h3>
            <div class="card-text mb-3"><p>Update to version 2.3.0 or later.</p></div>

            <input id="vulnerability-reasons-6" type="checkbox" />
            <h3>
              <label for="vulnerability-reasons-6">Reasons this module exists</label>
            </h3>
            <div class="card-text alert alert-secondary collapsible-wrapper">
              <div class="card-text">
                <code class="text-body">gulp-uncss>uncss>request>tough-cookie</code>
              </div>
            </div>

            <div class="d-flex justify-content-end">
              <a href="https://npmjs.com/advisories/130" class="btn btn-md btn-primary" target="_blank" rel="noopener noreferrer">
                More about this vulnerability
              </a>
            </div>
          </div>
        </div>
      </div>
|
      <div class="col-md-12">
        <div class="card mb-3">
          <div class="card-body p-4">
            <h1 class="card-title h3 d-flex align-items-center gap-2">
              <span class="badge text-capitalize bg-primary">low</span>
              Regular Expression Denial of Service
            </h1>
            <div class="row">
              <div class="col-md-6">
                <ul>
                  <li>
                    Module:
                    <a href="https://npmjs.com/package/braces" target="_blank" rel="noopener noreferrer">braces</a>
                  </li>
                  <li>Installed version: 1.8.5</li>
                  <li>Vulnerable: <2.3.1</li>
                  <li>Patched: >=2.3.1</li>
                </ul>
              </div>
              <div class="col-md-6">
                <ul>
                  <li>Published: February 15, 2019 at 10:44:30 PM GMT+1</li>
                  <li>Reported by: Santosh Rao</li>
                  <li>CVSS: 4</li>
                  <li>CWE-185</li>
                </ul>
              </div>
            </div>
            <h3>Overview</h3>
            <div class="card-text alert alert-secondary overflow-auto mb-3">
              <p>Versions of <code>braces</code> prior to 2.3.1 are vulnerable to Regular Expression Denial of Service (ReDoS). Untrusted input may cause catastrophic backtracking while matching regular expressions. This can make the application unresponsive, leading to denial of service.</p>
            </div>

            <h3>Remediation</h3>
            <div class="card-text mb-3"><p>Upgrade to version 2.3.1 or higher.</p></div>

            <input id="vulnerability-references-7" type="checkbox" />
            <h3>
              <label for="vulnerability-references-7">References</label>
            </h3>
            <div class="card-text alert alert-secondary collapsible-wrapper">
              <ul>
                <li><a href="https://github.com/micromatch/braces/commit/abdafb0cae1e0c00f184abbadc692f4eaa98f451">GitHub Commit</a></li>
              </ul>
            </div>

            <input id="vulnerability-reasons-7" type="checkbox" />
            <h3>
              <label for="vulnerability-reasons-7">Reasons this module exists</label>
            </h3>
            <div class="card-text alert alert-secondary collapsible-wrapper">
              <div class="card-text">
                <code class="text-body">browser-sync>micromatch>braces</code>
              </div>
              <div class="card-text">
                <code class="text-body">favicons-webpack-plugin>webpack>watchpack>chokidar>anymatch>micromatch>braces</code>
              </div>
              <div class="card-text">
                <code class="text-body">gulp-cli>matchdep>micromatch>braces</code>
              </div>
              <div class="card-text">
                <code class="text-body">gulp-imagemin>imagemin>vinyl-fs>glob-stream>micromatch>braces</code>
              </div>
              <div class="card-text">
                <code class="text-body">gulp-imagemin>imagemin>imagemin-gifsicle>gifsicle>bin-build>decompress>vinyl-fs>glob-stream>micromatch>braces</code>
              </div>
              <div class="card-text">
                <code class="text-body">gulp-imagemin>imagemin>imagemin-gifsicle>gifsicle>bin-build>download>gulp-decompress>decompress>vinyl-fs>glob-stream>micromatch>braces</code>
              </div>
              <div class="card-text">
                <code class="text-body">gulp-imagemin>imagemin>imagemin-gifsicle>gifsicle>bin-build>download>vinyl-fs>glob-stream>micromatch>braces</code>
              </div>
              <div class="card-text">
                <code class="text-body">gulp-imagemin>imagemin>imagemin-gifsicle>gifsicle>bin-wrapper>download>gulp-decompress>decompress>vinyl-fs>glob-stream>micromatch>braces</code>
              </div>
              <div class="card-text">
                <code class="text-body">gulp-imagemin>imagemin>imagemin-gifsicle>gifsicle>bin-wrapper>download>vinyl-fs>glob-stream>micromatch>braces</code>
              </div>
              <div class="card-text">
                <code class="text-body">gulp-imagemin>imagemin>imagemin-jpegtran>jpegtran-bin>bin-build>decompress>vinyl-fs>glob-stream>micromatch>braces</code>
              </div>
              <div class="card-text">
                <code class="text-body">gulp-imagemin>imagemin>imagemin-jpegtran>jpegtran-bin>bin-build>download>gulp-decompress>decompress>vinyl-fs>glob-stream>micromatch>braces</code>
              </div>
              <div class="card-text">
                <code class="text-body">gulp-imagemin>imagemin>imagemin-jpegtran>jpegtran-bin>bin-build>download>vinyl-fs>glob-stream>micromatch>braces</code>
              </div>
              <div class="card-text">
                <code class="text-body">gulp-imagemin>imagemin>imagemin-jpegtran>jpegtran-bin>bin-wrapper>download>gulp-decompress>decompress>vinyl-fs>glob-stream>micromatch>braces</code>
              </div>
              <div class="card-text">
                <code class="text-body">gulp-imagemin>imagemin>imagemin-jpegtran>jpegtran-bin>bin-wrapper>download>vinyl-fs>glob-stream>micromatch>braces</code>
              </div>
              <div class="card-text">
                <code class="text-body">gulp-imagemin>imagemin>imagemin-optipng>optipng-bin>bin-build>decompress>vinyl-fs>glob-stream>micromatch>braces</code>
              </div>
              <div class="card-text">
                <code class="text-body">gulp-imagemin>imagemin>imagemin-optipng>optipng-bin>bin-build>download>gulp-decompress>decompress>vinyl-fs>glob-stream>micromatch>braces</code>
              </div>
              <div class="card-text">
                <code class="text-body">gulp-imagemin>imagemin>imagemin-optipng>optipng-bin>bin-build>download>vinyl-fs>glob-stream>micromatch>braces</code>
              </div>
              <div class="card-text">
                <code class="text-body">gulp-imagemin>imagemin>imagemin-optipng>optipng-bin>bin-wrapper>download>gulp-decompress>decompress>vinyl-fs>glob-stream>micromatch>braces</code>
              </div>
              <div class="card-text">
                <code class="text-body">gulp-imagemin>imagemin>imagemin-optipng>optipng-bin>bin-wrapper>download>vinyl-fs>glob-stream>micromatch>braces</code>
              </div>
              <div class="card-text">
                <code class="text-body">gulp-load-plugins>findup-sync>micromatch>braces</code>
              </div>
              <div class="card-text">
                <code class="text-body">gulp-load-plugins>micromatch>braces</code>
              </div>
              <div class="card-text">
                <code class="text-body">panini>vinyl-fs>glob-stream>micromatch>braces</code>
              </div>
              <div class="card-text">
                <code class="text-body">webpack-stream>webpack>watchpack>chokidar>anymatch>micromatch>braces</code>
              </div>
            </div>

            <div class="d-flex justify-content-end">
              <a href="https://npmjs.com/advisories/786" class="btn btn-md btn-primary" target="_blank" rel="noopener noreferrer">
                More about this vulnerability
              </a>
            </div>
          </div>
        </div>
      </div>
|
1047 |
|
1048 | <div class="col-md-12">
|
1049 | <div class="card mb-3">
|
1050 | <div class="card-body p-4">
|
1051 | <h1 class="card-title h3 d-flex align-items-center gap-2">
|
1052 | <span class="badge text-capitalize bg-primary">
|
1053 | low
|
1054 | </span>
|
1055 | Prototype Pollution
|
1056 | </h1>
|
1057 | <div class="row">
|
1058 | <div class="col-md-6">
|
1059 | <ul>
|
1060 | <li>
|
1061 | Module:
|
1062 | <a
|
1063 | href="https://npmjs.com/package/lodash"
|
1064 | target="_blank"
|
1065 | rel="noopener noreferrer"
|
1066 | >
|
1067 | lodash
|
1068 | </a>
|
1069 | </li>
|
1070 |
|
1071 | <li>Installed version: 3.10.1</li>
|
1072 |
|
1073 | <li>Vulnerable: <4.17.5</li>
|
1074 | <li>Patched: >=4.17.5</li>
|
1075 | </ul>
|
1076 | </div>
|
1077 | <div class="col-md-6">
|
1078 | <ul>
|
1079 | <li>Published: April 24, 2018 at 4:27:02 PM GMT+2</li>
|
1080 |
|
1081 | <li>Reported by: Olivier Arteau (HoLyVieR)</li>
|
1082 |
|
1083 | <li>CVSS: 1</li>
|
1084 |
|
1085 | <li>CWE-471</li>
|
1086 |
|
1087 | <li>CVE-2018-3721</li>
|
1088 |
|
1089 | </ul>
|
1090 | </div>
|
1091 | </div>
|
1092 | <h3>Overview</h3>
|
1093 | <div class="card-text alert alert-secondary overflow-auto mb-3">
|
1094 | <p>Versions of <code>lodash</code> before 4.17.5 are vulnerable to prototype pollution. </p>
|
1095 | <p>The vulnerable functions are 'defaultsDeep', 'merge', and 'mergeWith' which allow a malicious user to modify the prototype of <code>Object</code> via <code>__proto__</code> causing the addition or modification of an existing property that will exist on all objects.</p>
|
1096 |
|
1097 | </div>
|
1098 |
|
1099 |
|
1100 | <h3>Remediation</h3>
|
1101 | <div class="card-text mb-3"><p>Update to version 4.17.5 or later.</p>
|
1102 | </div>
|
1103 |
|
1104 | <input id="vulnerability-references-8" type="checkbox" />
|
1105 | <h3>
|
1106 | <label for="vulnerability-references-8">References</label>
|
1107 | </h3>
|
1108 | <div class="card-text alert alert-secondary collapsible-wrapper">
|
1109 | <ul>
|
1110 | <li><a href="https://hackerone.com/reports/310443">HackerOne Report</a></li>
|
1111 | </ul>
|
1112 |
|
1113 | </div>
|
1114 |
|
1115 | <input id="vulnerability-reasons-8" type="checkbox" />
|
1116 | <h3>
|
1117 | <label for="vulnerability-reasons-8"
|
1118 | >Reasons this module exists</label
|
1119 | >
|
1120 | </h3>
|
1121 | <div class="card-text alert alert-secondary collapsible-wrapper">
|
1122 |
|
1123 | <div class="card-text">
|
1124 | <code class="text-body">favicons-webpack-plugin>favicons>cheerio>lodash</code>
|
1125 | </div>
|
1126 |
|
1127 | </div>
|
1128 |
|
1129 |
|
1130 | <div class="d-flex justify-content-end">
|
1131 | <a
|
1132 | href="https://npmjs.com/advisories/577"
|
1133 | class="btn btn-md btn-primary"
|
1134 | target="_blank"
|
1135 | rel="noopener noreferrer"
|
1136 | >
|
1137 | More about this vulnerability
|
1138 | </a>
|
1139 | </div>
|
1140 | </div>
|
1141 | </div>
|
1142 | </div>
|
1143 |
|
1144 | <div class="col-md-12">
|
1145 | <div class="card mb-3">
|
1146 | <div class="card-body p-4">
|
1147 | <h1 class="card-title h3 d-flex align-items-center gap-2">
|
1148 | <span class="badge text-capitalize bg-primary">
|
1149 | low
|
1150 | </span>
|
1151 | Prototype Pollution
|
1152 | </h1>
|
1153 | <div class="row">
|
1154 | <div class="col-md-6">
|
1155 | <ul>
|
1156 | <li>
|
1157 | Module:
|
1158 | <a
|
1159 | href="https://npmjs.com/package/lodash"
|
1160 | target="_blank"
|
1161 | rel="noopener noreferrer"
|
1162 | >
|
1163 | lodash
|
1164 | </a>
|
1165 | </li>
|
1166 |
|
1167 | <li>Installed version: 2.4.2</li>
|
1168 |
|
1169 | <li>Vulnerable: <4.17.5</li>
|
1170 | <li>Patched: >=4.17.5</li>
|
1171 | </ul>
|
1172 | </div>
|
1173 | <div class="col-md-6">
|
1174 | <ul>
|
1175 | <li>Published: April 24, 2018 at 4:27:02 PM GMT+2</li>
|
1176 |
|
1177 | <li>Reported by: Olivier Arteau (HoLyVieR)</li>
|
1178 |
|
1179 | <li>CVSS: 1</li>
|
1180 |
|
1181 | <li>CWE-471</li>
|
1182 |
|
1183 | <li>CVE-2018-3721</li>
|
1184 |
|
1185 | </ul>
|
1186 | </div>
|
1187 | </div>
|
1188 | <h3>Overview</h3>
|
1189 | <div class="card-text alert alert-secondary overflow-auto mb-3">
|
1190 | <p>Versions of <code>lodash</code> before 4.17.5 are vulnerable to prototype pollution. </p>
|
1191 | <p>The vulnerable functions are 'defaultsDeep', 'merge', and 'mergeWith' which allow a malicious user to modify the prototype of <code>Object</code> via <code>__proto__</code> causing the addition or modification of an existing property that will exist on all objects.</p>
|
1192 |
|
1193 | </div>
|
1194 |
|
1195 |
|
1196 | <h3>Remediation</h3>
|
1197 | <div class="card-text mb-3"><p>Update to version 4.17.5 or later.</p>
|
1198 | </div>
|
1199 |
|
1200 | <input id="vulnerability-references-9" type="checkbox" />
|
1201 | <h3>
|
1202 | <label for="vulnerability-references-9">References</label>
|
1203 | </h3>
|
1204 | <div class="card-text alert alert-secondary collapsible-wrapper">
|
1205 | <ul>
|
1206 | <li><a href="https://hackerone.com/reports/310443">HackerOne Report</a></li>
|
1207 | </ul>
|
1208 |
|
1209 | </div>
|
1210 |
|
1211 | <input id="vulnerability-reasons-9" type="checkbox" />
|
1212 | <h3>
|
1213 | <label for="vulnerability-reasons-9"
|
1214 | >Reasons this module exists</label
|
1215 | >
|
1216 | </h3>
|
1217 | <div class="card-text alert alert-secondary collapsible-wrapper">
|
1218 |
|
1219 | <div class="card-text">
|
1220 | <code class="text-body">favicons-webpack-plugin>favicons>merge-defaults>lodash</code>
|
1221 | </div>
|
1222 |
|
1223 | </div>
|
1224 |
|
1225 |
|
1226 | <div class="d-flex justify-content-end">
|
1227 | <a
|
1228 | href="https://npmjs.com/advisories/577"
|
1229 | class="btn btn-md btn-primary"
|
1230 | target="_blank"
|
1231 | rel="noopener noreferrer"
|
1232 | >
|
1233 | More about this vulnerability
|
1234 | </a>
|
1235 | </div>
|
1236 | </div>
|
1237 | </div>
|
1238 | </div>
|
1239 |
|
1240 | <div class="col-md-12">
|
1241 | <div class="card mb-3">
|
1242 | <div class="card-body p-4">
|
1243 | <h1 class="card-title h3 d-flex align-items-center gap-2">
|
1244 | <span class="badge text-capitalize bg-primary">
|
1245 | low
|
1246 | </span>
|
1247 | Prototype Pollution
|
1248 | </h1>
|
1249 | <div class="row">
|
1250 | <div class="col-md-6">
|
1251 | <ul>
|
1252 | <li>
|
1253 | Module:
|
1254 | <a
|
1255 | href="https://npmjs.com/package/lodash"
|
1256 | target="_blank"
|
1257 | rel="noopener noreferrer"
|
1258 | >
|
1259 | lodash
|
1260 | </a>
|
1261 | </li>
|
1262 |
|
1263 | <li>Installed version: 4.0.1</li>
|
1264 |
|
1265 | <li>Vulnerable: <4.17.5</li>
|
1266 | <li>Patched: >=4.17.5</li>
|
1267 | </ul>
|
1268 | </div>
|
1269 | <div class="col-md-6">
|
1270 | <ul>
|
1271 | <li>Published: April 24, 2018 at 4:27:02 PM GMT+2</li>
|
1272 |
|
1273 | <li>Reported by: Olivier Arteau (HoLyVieR)</li>
|
1274 |
|
1275 | <li>CVSS: 1</li>
|
1276 |
|
1277 | <li>CWE-471</li>
|
1278 |
|
1279 | <li>CVE-2018-3721</li>
|
1280 |
|
1281 | </ul>
|
1282 | </div>
|
1283 | </div>
|
1284 | <h3>Overview</h3>
|
1285 | <div class="card-text alert alert-secondary overflow-auto mb-3">
|
1286 | <p>Versions of <code>lodash</code> before 4.17.5 are vulnerable to prototype pollution. </p>
|
1287 | <p>The vulnerable functions are 'defaultsDeep', 'merge', and 'mergeWith' which allow a malicious user to modify the prototype of <code>Object</code> via <code>__proto__</code> causing the addition or modification of an existing property that will exist on all objects.</p>
|
1288 |
|
1289 | </div>
|
1290 |
|
1291 |
|
1292 | <h3>Remediation</h3>
|
1293 | <div class="card-text mb-3"><p>Update to version 4.17.5 or later.</p>
|
1294 | </div>
|
1295 |
|
1296 | <input id="vulnerability-references-10" type="checkbox" />
|
1297 | <h3>
|
1298 | <label for="vulnerability-references-10">References</label>
|
1299 | </h3>
|
1300 | <div class="card-text alert alert-secondary collapsible-wrapper">
|
1301 | <ul>
|
1302 | <li><a href="https://hackerone.com/reports/310443">HackerOne Report</a></li>
|
1303 | </ul>
|
1304 |
|
1305 | </div>
|
1306 |
|
1307 | <input id="vulnerability-reasons-10" type="checkbox" />
|
1308 | <h3>
|
1309 | <label for="vulnerability-reasons-10"
|
1310 | >Reasons this module exists</label
|
1311 | >
|
1312 | </h3>
|
1313 | <div class="card-text alert alert-secondary collapsible-wrapper">
|
1314 |
|
1315 | <div class="card-text">
|
1316 | <code class="text-body">gulp-uncss>uncss>lodash</code>
|
1317 | </div>
|
1318 |
|
1319 | </div>
|
1320 |
|
1321 |
|
1322 | <div class="d-flex justify-content-end">
|
1323 | <a
|
1324 | href="https://npmjs.com/advisories/577"
|
1325 | class="btn btn-md btn-primary"
|
1326 | target="_blank"
|
1327 | rel="noopener noreferrer"
|
1328 | >
|
1329 | More about this vulnerability
|
1330 | </a>
|
1331 | </div>
|
1332 | </div>
|
1333 | </div>
|
1334 | </div>
|
1335 |
|
1336 | <div class="col-md-12">
|
1337 | <div class="card mb-3">
|
1338 | <div class="card-body p-4">
|
1339 | <h1 class="card-title h3 d-flex align-items-center gap-2">
|
1340 | <span class="badge text-capitalize bg-primary">
|
1341 | low
|
1342 | </span>
|
1343 | Regular Expression Denial of Service
|
1344 | </h1>
|
1345 | <div class="row">
|
1346 | <div class="col-md-6">
|
1347 | <ul>
|
1348 | <li>
|
1349 | Module:
|
1350 | <a
|
1351 | href="https://npmjs.com/package/debug"
|
1352 | target="_blank"
|
1353 | rel="noopener noreferrer"
|
1354 | >
|
1355 | debug
|
1356 | </a>
|
1357 | </li>
|
1358 |
|
1359 | <li>Installed version: 2.2.0</li>
|
1360 |
|
1361 | <li>Vulnerable: <= 2.6.8 || >= 3.0.0 <= 3.0.1</li>
|
1362 | <li>Patched: >= 2.6.9 < 3.0.0 || >= 3.1.0</li>
|
1363 | </ul>
|
1364 | </div>
|
1365 | <div class="col-md-6">
|
1366 | <ul>
|
1367 | <li>Published: September 25, 2017 at 8:55:55 PM GMT+2</li>
|
1368 |
|
1369 | <li>Reported by: Cristian-Alexandru Staicu</li>
|
1370 |
|
1371 | <li>CVSS: 5</li>
|
1372 |
|
1373 | <li>CWE-400</li>
|
1374 |
|
1375 | <li>CVE-2017-16137</li>
|
1376 |
|
1377 | </ul>
|
1378 | </div>
|
1379 | </div>
|
1380 | <h3>Overview</h3>
|
1381 | <div class="card-text alert alert-secondary overflow-auto mb-3">
|
1382 | <p>Affected versions of <code>debug</code> are vulnerable to regular expression denial of service when untrusted user input is passed into the <code>o</code> formatter. </p>
|
1383 | <p>As it takes 50,000 characters to block the event loop for 2 seconds, this issue is a low severity issue.</p>
|
1384 |
|
1385 | </div>
|
1386 |
|
1387 |
|
1388 | <h3>Remediation</h3>
|
1389 | <div class="card-text mb-3"><p>Version 2.x.x: Update to version 2.6.9 or later.
|
1390 | Version 3.x.x: Update to version 3.1.0 or later.</p>
|
1391 | </div>
|
1392 |
|
1393 | <input id="vulnerability-references-11" type="checkbox" />
|
1394 | <h3>
|
1395 | <label for="vulnerability-references-11">References</label>
|
1396 | </h3>
|
1397 | <div class="card-text alert alert-secondary collapsible-wrapper">
|
1398 | <ul>
|
1399 | <li><a href="https://github.com/visionmedia/debug/issues/501">Issue #501</a></li>
|
1400 | <li><a href="https://github.com/visionmedia/debug/pull/504">PR #504</a></li>
|
1401 | </ul>
|
1402 |
|
1403 | </div>
|
1404 |
|
1405 | <input id="vulnerability-reasons-11" type="checkbox" />
|
1406 | <h3>
|
1407 | <label for="vulnerability-reasons-11"
|
1408 | >Reasons this module exists</label
|
1409 | >
|
1410 | </h3>
|
1411 | <div class="card-text alert alert-secondary collapsible-wrapper">
|
1412 |
|
1413 | <div class="card-text">
|
1414 | <code class="text-body">favicons-webpack-plugin>favicons>node-rest-client>debug</code>
|
1415 | </div>
|
1416 |
|
1417 | </div>
|
1418 |
|
1419 |
|
1420 | <div class="d-flex justify-content-end">
|
1421 | <a
|
1422 | href="https://npmjs.com/advisories/534"
|
1423 | class="btn btn-md btn-primary"
|
1424 | target="_blank"
|
1425 | rel="noopener noreferrer"
|
1426 | >
|
1427 | More about this vulnerability
|
1428 | </a>
|
1429 | </div>
|
1430 | </div>
|
1431 | </div>
|
1432 | </div>
|
1433 |
|
1434 |
|
1435 | <h6 class="col-md-12 mb-3 pb=3 text-end">Report generated at July 30, 2023 at 4:21:16 PM GMT+2</h6>
|
1436 | </div>
|
1437 | </div>
|
1438 | </body>
|
1439 | </html>
|