Description
Vulnerable Library - http-server-0.12.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/optimist/node_modules/minimist/package.json
Vulnerabilities
CVE | Severity | Dependency | Type | Fixed in (http-server version) | Remediation Possible**
---|---|---|---|---|---
CVE-2021-44906 | 9.8 | minimist-0.0.10.tgz | Transitive | 0.12.2 | ❌
CVE-2021-43138 | 7.8 | async-2.6.3.tgz | Transitive | 0.12.2 | ❌
CVE-2019-10775 | 7.5 | ecstatic-3.3.2.tgz | Transitive | 0.13.0 | ❌
WS-2020-0091 | 7.5 | http-proxy-1.18.0.tgz | Transitive | 0.12.2 | ❌
CVE-2022-0155 | 6.5 | follow-redirects-1.10.0.tgz | Transitive | 0.12.2 | ❌
CVE-2022-0536 | 5.9 | follow-redirects-1.10.0.tgz | Transitive | 0.12.2 | ❌
CVE-2020-7598 | 5.6 | minimist-0.0.10.tgz | Transitive | 0.12.2 | ❌
**In some cases, a Remediation PR cannot be created automatically for a vulnerability even though a remediation is available.
Details
CVE-2021-44906
Vulnerable Library - minimist-0.0.10.tgz
parse argument options
Library home page: https://registry.npmjs.org/minimist/-/minimist-0.0.10.tgz
Path to dependency file: /frontend/package.json
Path to vulnerable library: /node_modules/optimist/node_modules/minimist/package.json
Dependency Hierarchy:
- http-server-0.12.1.tgz (Root Library)
  - optimist-0.6.1.tgz
    - ❌ minimist-0.0.10.tgz (Vulnerable Library)
Found in base branch: master
Vulnerability Details
Minimist <=1.2.5 is vulnerable to Prototype Pollution via file index.js, function setKey() (lines 69-95).
Publish Date: 2022-03-17
URL: CVE-2021-44906
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-xvch-5gv4-984h
Release Date: 2022-03-17
Fix Resolution (minimist): 0.2.4
Direct dependency fix Resolution (http-server): 0.12.2
Step up your Open Source Security Game with Mend here
CVE-2021-43138
Vulnerable Library - async-2.6.3.tgz
Higher-order functions and common patterns for asynchronous code
Library home page: https://registry.npmjs.org/async/-/async-2.6.3.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/portscanner/node_modules/async/package.json
Dependency Hierarchy:
- http-server-0.12.1.tgz (Root Library)
  - portfinder-1.0.25.tgz
    - ❌ async-2.6.3.tgz (Vulnerable Library)
Found in base branch: master
Vulnerability Details
In Async before 2.6.4 and 3.x before 3.2.2, a malicious user can obtain privileges via the mapValues() method, aka lib/internal/iterator.js createObjectIterator prototype pollution.
Publish Date: 2022-04-06
URL: CVE-2021-43138
CVSS 3 Score Details (7.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2021-43138
Release Date: 2022-04-06
Fix Resolution (async): 2.6.4
Direct dependency fix Resolution (http-server): 0.12.2
CVE-2019-10775
Vulnerable Library - ecstatic-3.3.2.tgz
A simple static file server middleware
Library home page: https://registry.npmjs.org/ecstatic/-/ecstatic-3.3.2.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/ecstatic/package.json
Dependency Hierarchy:
- http-server-0.12.1.tgz (Root Library)
- ❌ ecstatic-3.3.2.tgz (Vulnerable Library)
Found in base branch: master
Vulnerability Details
ecstatic has a denial of service vulnerability. Successful exploitation could crash the application.
Publish Date: 2020-01-02
URL: CVE-2019-10775
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Release Date: 2020-01-08
Fix Resolution (ecstatic): 4.0.0
Direct dependency fix Resolution (http-server): 0.13.0
WS-2020-0091
Vulnerable Library - http-proxy-1.18.0.tgz
HTTP proxying for the masses
Library home page: https://registry.npmjs.org/http-proxy/-/http-proxy-1.18.0.tgz
Path to dependency file: /frontend/package.json
Path to vulnerable library: /frontend/node_modules/http-proxy/package.json
Dependency Hierarchy:
- http-server-0.12.1.tgz (Root Library)
- ❌ http-proxy-1.18.0.tgz (Vulnerable Library)
Found in base branch: master
Vulnerability Details
Versions of http-proxy prior to 1.18.1 are vulnerable to Denial of Service. An HTTP request with a long body triggers an ERR_HTTP_HEADERS_SENT unhandled exception that crashes the proxy server. This is only possible when the proxy server sets headers in the proxy request using the proxyReq.setHeader function.
Publish Date: 2020-05-14
URL: WS-2020-0091
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://www.npmjs.com/advisories/1486
Release Date: 2020-05-14
Fix Resolution (http-proxy): 1.18.1
Direct dependency fix Resolution (http-server): 0.12.2
CVE-2022-0155
Vulnerable Library - follow-redirects-1.10.0.tgz
HTTP and HTTPS modules that follow redirects.
Library home page: https://registry.npmjs.org/follow-redirects/-/follow-redirects-1.10.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /frontend/node_modules/follow-redirects/package.json
Dependency Hierarchy:
- http-server-0.12.1.tgz (Root Library)
  - http-proxy-1.18.0.tgz
    - ❌ follow-redirects-1.10.0.tgz (Vulnerable Library)
Found in base branch: master
Vulnerability Details
follow-redirects is vulnerable to Exposure of Private Personal Information to an Unauthorized Actor
Publish Date: 2022-01-10
URL: CVE-2022-0155
CVSS 3 Score Details (6.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://huntr.dev/bounties/fc524e4b-ebb6-427d-ab67-a64181020406/
Release Date: 2022-01-10
Fix Resolution (follow-redirects): 1.14.7
Direct dependency fix Resolution (http-server): 0.12.2
CVE-2022-0536
Vulnerable Library - follow-redirects-1.10.0.tgz
HTTP and HTTPS modules that follow redirects.
Library home page: https://registry.npmjs.org/follow-redirects/-/follow-redirects-1.10.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /frontend/node_modules/follow-redirects/package.json
Dependency Hierarchy:
- http-server-0.12.1.tgz (Root Library)
  - http-proxy-1.18.0.tgz
    - ❌ follow-redirects-1.10.0.tgz (Vulnerable Library)
Found in base branch: master
Vulnerability Details
Improper Removal of Sensitive Information Before Storage or Transfer in NPM follow-redirects prior to 1.14.8.
Publish Date: 2022-02-09
URL: CVE-2022-0536
CVSS 3 Score Details (5.9)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0536
Release Date: 2022-02-09
Fix Resolution (follow-redirects): 1.14.8
Direct dependency fix Resolution (http-server): 0.12.2
CVE-2020-7598
Vulnerable Library - minimist-0.0.10.tgz
parse argument options
Library home page: https://registry.npmjs.org/minimist/-/minimist-0.0.10.tgz
Path to dependency file: /frontend/package.json
Path to vulnerable library: /node_modules/optimist/node_modules/minimist/package.json
Dependency Hierarchy:
- http-server-0.12.1.tgz (Root Library)
  - optimist-0.6.1.tgz
    - ❌ minimist-0.0.10.tgz (Vulnerable Library)
Found in base branch: master
Vulnerability Details
minimist before 1.2.2 could be tricked into adding or modifying properties of Object.prototype using a "constructor" or "__proto__" payload.
Publish Date: 2020-03-11
URL: CVE-2020-7598
CVSS 3 Score Details (5.6)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: Low
Suggested Fix
Type: Upgrade version
Release Date: 2020-03-11
Fix Resolution (minimist): 0.2.1
Direct dependency fix Resolution (http-server): 0.12.2