Description
Vulnerable Library - sockjs-client-1.1.4.tgz
Found in HEAD commit: 795f07384506c96f6f7522e106379b8f4ee3c48f
Vulnerabilities
CVE | Severity | Dependency | Type | Fixed in (sockjs-client version) | Fix PR available
---|---|---|---|---|---
CVE-2018-3774 | 9.8 | detected in multiple dependencies | Transitive | 1.2.0 | ❌
CVE-2022-0691 | 9.8 | detected in multiple dependencies | Transitive | 1.2.0 | ❌
CVE-2022-1650 | 9.3 | eventsource-0.1.6.tgz | Transitive | 1.2.0 | ❌
CVE-2022-0686 | 9.1 | detected in multiple dependencies | Transitive | 1.2.0 | ❌
CVE-2020-7662 | 7.5 | websocket-extensions-0.1.3.tgz | Transitive | 1.2.0 | ❌
WS-2018-0588 | 7.4 | detected in multiple dependencies | Transitive | 1.2.0 | ❌
CVE-2021-3664 | 5.3 | detected in multiple dependencies | Transitive | 1.2.0 | ❌
CVE-2022-0639 | 5.3 | detected in multiple dependencies | Transitive | 1.2.0 | ❌
CVE-2022-0512 | 5.3 | detected in multiple dependencies | Transitive | 1.2.0 | ❌
CVE-2021-27515 | 5.3 | detected in multiple dependencies | Transitive | 1.2.0 | ❌
CVE-2020-8124 | 5.3 | detected in multiple dependencies | Transitive | 1.2.0 | ❌
Details
CVE-2018-3774
Vulnerable Libraries - url-parse-1.3.0.tgz, url-parse-1.0.5.tgz
url-parse-1.3.0.tgz
Small footprint URL parser that works seamlessly across Node.js and browser environments
Library home page: https://registry.npmjs.org/url-parse/-/url-parse-1.3.0.tgz
Dependency Hierarchy:
- sockjs-client-1.1.4.tgz (Root Library)
  - ❌ url-parse-1.3.0.tgz (Vulnerable Library)
url-parse-1.0.5.tgz
Small footprint URL parser that works seamlessly across Node.js and browser environments
Library home page: https://registry.npmjs.org/url-parse/-/url-parse-1.0.5.tgz
Dependency Hierarchy:
- sockjs-client-1.1.4.tgz (Root Library)
  - eventsource-0.1.6.tgz
    - original-1.0.0.tgz
      - ❌ url-parse-1.0.5.tgz (Vulnerable Library)
Found in HEAD commit: 795f07384506c96f6f7522e106379b8f4ee3c48f
Found in base branch: main
Vulnerability Details
Incorrect parsing in url-parse <1.4.3 returns the wrong hostname, which leads to multiple vulnerabilities such as SSRF, Open Redirect, and Authentication Protocol Bypass.
Publish Date: 2018-08-12
URL: CVE-2018-3774
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2018-3774
Release Date: 2018-08-12
Fix Resolution (url-parse): 1.4.3
Direct dependency fix Resolution (sockjs-client): 1.2.0
CVE-2022-0691
Vulnerable Libraries - url-parse-1.0.5.tgz, url-parse-1.3.0.tgz
url-parse-1.0.5.tgz
Small footprint URL parser that works seamlessly across Node.js and browser environments
Library home page: https://registry.npmjs.org/url-parse/-/url-parse-1.0.5.tgz
Dependency Hierarchy:
- sockjs-client-1.1.4.tgz (Root Library)
  - eventsource-0.1.6.tgz
    - original-1.0.0.tgz
      - ❌ url-parse-1.0.5.tgz (Vulnerable Library)
url-parse-1.3.0.tgz
Small footprint URL parser that works seamlessly across Node.js and browser environments
Library home page: https://registry.npmjs.org/url-parse/-/url-parse-1.3.0.tgz
Dependency Hierarchy:
- sockjs-client-1.1.4.tgz (Root Library)
  - ❌ url-parse-1.3.0.tgz (Vulnerable Library)
Found in HEAD commit: 795f07384506c96f6f7522e106379b8f4ee3c48f
Found in base branch: main
Vulnerability Details
Authorization Bypass Through User-Controlled Key in NPM url-parse prior to 1.5.9.
Publish Date: 2022-02-21
URL: CVE-2022-0691
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0691
Release Date: 2022-02-21
Fix Resolution (url-parse): 1.5.9
Direct dependency fix Resolution (sockjs-client): 1.2.0
CVE-2022-1650
Vulnerable Library - eventsource-0.1.6.tgz
W3C compliant EventSource client for Node.js
Library home page: https://registry.npmjs.org/eventsource/-/eventsource-0.1.6.tgz
Dependency Hierarchy:
- sockjs-client-1.1.4.tgz (Root Library)
  - ❌ eventsource-0.1.6.tgz (Vulnerable Library)
Found in HEAD commit: 795f07384506c96f6f7522e106379b8f4ee3c48f
Found in base branch: main
Vulnerability Details
Exposure of Sensitive Information to an Unauthorized Actor in GitHub repository eventsource/eventsource prior to v2.0.2.
Publish Date: 2022-05-12
URL: CVE-2022-1650
CVSS 3 Score Details (9.3)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: Required
  - Scope: Changed
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: None
Suggested Fix
Type: Upgrade version
Release Date: 2022-05-12
Fix Resolution (eventsource): 1.1.1, 2.0.2
Direct dependency fix Resolution (sockjs-client): 1.2.0
CVE-2022-0686
Vulnerable Libraries - url-parse-1.3.0.tgz, url-parse-1.0.5.tgz
url-parse-1.3.0.tgz
Small footprint URL parser that works seamlessly across Node.js and browser environments
Library home page: https://registry.npmjs.org/url-parse/-/url-parse-1.3.0.tgz
Dependency Hierarchy:
- sockjs-client-1.1.4.tgz (Root Library)
  - ❌ url-parse-1.3.0.tgz (Vulnerable Library)
url-parse-1.0.5.tgz
Small footprint URL parser that works seamlessly across Node.js and browser environments
Library home page: https://registry.npmjs.org/url-parse/-/url-parse-1.0.5.tgz
Dependency Hierarchy:
- sockjs-client-1.1.4.tgz (Root Library)
  - eventsource-0.1.6.tgz
    - original-1.0.0.tgz
      - ❌ url-parse-1.0.5.tgz (Vulnerable Library)
Found in HEAD commit: 795f07384506c96f6f7522e106379b8f4ee3c48f
Found in base branch: main
Vulnerability Details
Authorization Bypass Through User-Controlled Key in NPM url-parse prior to 1.5.8.
Publish Date: 2022-02-20
URL: CVE-2022-0686
CVSS 3 Score Details (9.1)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0686
Release Date: 2022-02-20
Fix Resolution (url-parse): 1.5.8
Direct dependency fix Resolution (sockjs-client): 1.2.0
CVE-2020-7662
Vulnerable Library - websocket-extensions-0.1.3.tgz
Generic extension manager for WebSocket connections
Library home page: https://registry.npmjs.org/websocket-extensions/-/websocket-extensions-0.1.3.tgz
Dependency Hierarchy:
- sockjs-client-1.1.4.tgz (Root Library)
  - faye-websocket-0.11.1.tgz
    - websocket-driver-0.7.0.tgz
      - ❌ websocket-extensions-0.1.3.tgz (Vulnerable Library)
Found in HEAD commit: 795f07384506c96f6f7522e106379b8f4ee3c48f
Found in base branch: main
Vulnerability Details
websocket-extensions npm module prior to 0.1.4 allows Denial of Service (DoS) via Regex Backtracking. The extension parser may take quadratic time when parsing a header containing an unclosed string parameter value whose content is a repeating two-byte sequence of a backslash and some other character. This could be abused by an attacker to conduct Regex Denial Of Service (ReDoS) on a single-threaded server by providing a malicious payload with the Sec-WebSocket-Extensions header.
Publish Date: 2020-06-02
URL: CVE-2020-7662
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-g78m-2chm-r7qv
Release Date: 2020-06-02
Fix Resolution (websocket-extensions): 0.1.4
Direct dependency fix Resolution (sockjs-client): 1.2.0
WS-2018-0588
Vulnerable Libraries - querystringify-1.0.0.tgz, querystringify-0.0.4.tgz
querystringify-1.0.0.tgz
Querystringify - Small, simple but powerful query string parser.
Library home page: https://registry.npmjs.org/querystringify/-/querystringify-1.0.0.tgz
Dependency Hierarchy:
- sockjs-client-1.1.4.tgz (Root Library)
  - url-parse-1.3.0.tgz
    - ❌ querystringify-1.0.0.tgz (Vulnerable Library)
querystringify-0.0.4.tgz
Querystringify - Small, simple but powerful query string parser.
Library home page: https://registry.npmjs.org/querystringify/-/querystringify-0.0.4.tgz
Dependency Hierarchy:
- sockjs-client-1.1.4.tgz (Root Library)
  - eventsource-0.1.6.tgz
    - original-1.0.0.tgz
      - url-parse-1.0.5.tgz
        - ❌ querystringify-0.0.4.tgz (Vulnerable Library)
Found in HEAD commit: 795f07384506c96f6f7522e106379b8f4ee3c48f
Found in base branch: main
Vulnerability Details
A vulnerability was found in querystringify before 2.0.0. It's possible to override built-in properties of the resulting query string object if a malicious string is inserted in the query string.
Publish Date: 2018-04-19
URL: WS-2018-0588
CVSS 3 Score Details (7.4)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: High
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: None
Suggested Fix
Type: Upgrade version
Release Date: 2018-04-19
Fix Resolution (querystringify): 2.0.0
Direct dependency fix Resolution (sockjs-client): 1.2.0
CVE-2021-3664
Vulnerable Libraries - url-parse-1.3.0.tgz, url-parse-1.0.5.tgz
url-parse-1.3.0.tgz
Small footprint URL parser that works seamlessly across Node.js and browser environments
Library home page: https://registry.npmjs.org/url-parse/-/url-parse-1.3.0.tgz
Dependency Hierarchy:
- sockjs-client-1.1.4.tgz (Root Library)
  - ❌ url-parse-1.3.0.tgz (Vulnerable Library)
url-parse-1.0.5.tgz
Small footprint URL parser that works seamlessly across Node.js and browser environments
Library home page: https://registry.npmjs.org/url-parse/-/url-parse-1.0.5.tgz
Dependency Hierarchy:
- sockjs-client-1.1.4.tgz (Root Library)
  - eventsource-0.1.6.tgz
    - original-1.0.0.tgz
      - ❌ url-parse-1.0.5.tgz (Vulnerable Library)
Found in HEAD commit: 795f07384506c96f6f7522e106379b8f4ee3c48f
Found in base branch: main
Vulnerability Details
url-parse is vulnerable to URL Redirection to Untrusted Site.
Publish Date: 2021-07-26
URL: CVE-2021-3664
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: Low
  - Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3664
Release Date: 2021-07-26
Fix Resolution (url-parse): 1.5.2
Direct dependency fix Resolution (sockjs-client): 1.2.0
CVE-2022-0639
Vulnerable Libraries - url-parse-1.0.5.tgz, url-parse-1.3.0.tgz
url-parse-1.0.5.tgz
Small footprint URL parser that works seamlessly across Node.js and browser environments
Library home page: https://registry.npmjs.org/url-parse/-/url-parse-1.0.5.tgz
Dependency Hierarchy:
- sockjs-client-1.1.4.tgz (Root Library)
  - eventsource-0.1.6.tgz
    - original-1.0.0.tgz
      - ❌ url-parse-1.0.5.tgz (Vulnerable Library)
url-parse-1.3.0.tgz
Small footprint URL parser that works seamlessly across Node.js and browser environments
Library home page: https://registry.npmjs.org/url-parse/-/url-parse-1.3.0.tgz
Dependency Hierarchy:
- sockjs-client-1.1.4.tgz (Root Library)
  - ❌ url-parse-1.3.0.tgz (Vulnerable Library)
Found in HEAD commit: 795f07384506c96f6f7522e106379b8f4ee3c48f
Found in base branch: main
Vulnerability Details
Authorization Bypass Through User-Controlled Key in NPM url-parse prior to 1.5.7.
Publish Date: 2022-02-17
URL: CVE-2022-0639
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: Low
  - Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0639
Release Date: 2022-02-17
Fix Resolution (url-parse): 1.5.7
Direct dependency fix Resolution (sockjs-client): 1.2.0
CVE-2022-0512
Vulnerable Libraries - url-parse-1.0.5.tgz, url-parse-1.3.0.tgz
url-parse-1.0.5.tgz
Small footprint URL parser that works seamlessly across Node.js and browser environments
Library home page: https://registry.npmjs.org/url-parse/-/url-parse-1.0.5.tgz
Dependency Hierarchy:
- sockjs-client-1.1.4.tgz (Root Library)
  - eventsource-0.1.6.tgz
    - original-1.0.0.tgz
      - ❌ url-parse-1.0.5.tgz (Vulnerable Library)
url-parse-1.3.0.tgz
Small footprint URL parser that works seamlessly across Node.js and browser environments
Library home page: https://registry.npmjs.org/url-parse/-/url-parse-1.3.0.tgz
Dependency Hierarchy:
- sockjs-client-1.1.4.tgz (Root Library)
  - ❌ url-parse-1.3.0.tgz (Vulnerable Library)
Found in HEAD commit: 795f07384506c96f6f7522e106379b8f4ee3c48f
Found in base branch: main
Vulnerability Details
Authorization Bypass Through User-Controlled Key in NPM url-parse prior to 1.5.6.
Publish Date: 2022-02-14
URL: CVE-2022-0512
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: Low
  - Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0512
Release Date: 2022-02-14
Fix Resolution (url-parse): 1.5.6
Direct dependency fix Resolution (sockjs-client): 1.2.0
CVE-2021-27515
Vulnerable Libraries - url-parse-1.0.5.tgz, url-parse-1.3.0.tgz
url-parse-1.0.5.tgz
Small footprint URL parser that works seamlessly across Node.js and browser environments
Library home page: https://registry.npmjs.org/url-parse/-/url-parse-1.0.5.tgz
Dependency Hierarchy:
- sockjs-client-1.1.4.tgz (Root Library)
  - eventsource-0.1.6.tgz
    - original-1.0.0.tgz
      - ❌ url-parse-1.0.5.tgz (Vulnerable Library)
url-parse-1.3.0.tgz
Small footprint URL parser that works seamlessly across Node.js and browser environments
Library home page: https://registry.npmjs.org/url-parse/-/url-parse-1.3.0.tgz
Dependency Hierarchy:
- sockjs-client-1.1.4.tgz (Root Library)
  - ❌ url-parse-1.3.0.tgz (Vulnerable Library)
Found in HEAD commit: 795f07384506c96f6f7522e106379b8f4ee3c48f
Found in base branch: main
Vulnerability Details
url-parse before 1.5.0 mishandles certain uses of backslash such as `http:\/` and interprets the URI as a relative path.
Publish Date: 2021-02-22
URL: CVE-2021-27515
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: Low
  - Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-27515
Release Date: 2021-02-22
Fix Resolution (url-parse): 1.5.0
Direct dependency fix Resolution (sockjs-client): 1.2.0
CVE-2020-8124
Vulnerable Libraries - url-parse-1.3.0.tgz, url-parse-1.0.5.tgz
url-parse-1.3.0.tgz
Small footprint URL parser that works seamlessly across Node.js and browser environments
Library home page: https://registry.npmjs.org/url-parse/-/url-parse-1.3.0.tgz
Dependency Hierarchy:
- sockjs-client-1.1.4.tgz (Root Library)
  - ❌ url-parse-1.3.0.tgz (Vulnerable Library)
url-parse-1.0.5.tgz
Small footprint URL parser that works seamlessly across Node.js and browser environments
Library home page: https://registry.npmjs.org/url-parse/-/url-parse-1.0.5.tgz
Dependency Hierarchy:
- sockjs-client-1.1.4.tgz (Root Library)
  - eventsource-0.1.6.tgz
    - original-1.0.0.tgz
      - ❌ url-parse-1.0.5.tgz (Vulnerable Library)
Found in HEAD commit: 795f07384506c96f6f7522e106379b8f4ee3c48f
Found in base branch: main
Vulnerability Details
Insufficient validation and sanitization of user input in the url-parse npm package, version 1.4.4 and earlier, may allow an attacker to bypass security checks.
Publish Date: 2020-02-04
URL: CVE-2020-8124
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: Low
  - Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8124
Release Date: 2020-02-18
Fix Resolution (url-parse): 1.4.5
Direct dependency fix Resolution (sockjs-client): 1.2.0