Bulk vulnerability fix - Lockfile fix #2

debricked · 2021-08-09T10:39:29Z

Bulk vulnerability fix - Lockfile fix

This pull request will update your transitive dependencies within the allowed version intervals provided by your direct dependencies.

Fixed vulnerabilities:

CVE–2021–23343

Description

NVD

All versions of package path-parse are vulnerable to Regular Expression Denial of Service (ReDoS) via splitDeviceRe, splitTailRe, and splitPathRe regular expressions. ReDoS exhibits polynomial worst-case time complexity.
CVSS details - 7.5

CVSS3 metrics

Attack Vector Network

Attack Complexity Low

Privileges Required None

User interaction None

Scope Unchanged

Confidentiality None

Integrity None

Availability High
References

    ReDoS in path-parse · Issue #8 · jbgutierrez/path-parse · GitHub
    Pony Mail!
    fixed regexes to avoid ReDoS attacks by jeffrey-pinyan-ithreat · Pull Request #10 · jbgutierrez/path-parse · GitHub

debricked–149688

Description

GitHub

Regular Expression Denial of Service in braces

Versions of braces prior to 2.3.1 are vulnerable to Regular Expression Denial of Service (ReDoS). Untrusted input may cause catastrophic backtracking while matching regular expressions. This can cause the application to be unresponsive leading to Denial of Service.

Recommendation

Upgrade to version 2.3.1 or higher.
CVSS details

No information
References

Regular Expression Denial of Service in braces · GHSA-g95f-p29q-9xw4 · GitHub Advisory Database · GitHub
optimize regex · micromatch/braces@abdafb0 · GitHub

CVE–2017–16028

Description

Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)

The product uses a Pseudo-Random Number Generator (PRNG) in a security context, but the PRNG's algorithm is not cryptographically strong.

GitHub

Cryptographically Weak PRNG in randomatic

Affected versions of randomatic generate random values using a cryptographically weak psuedo-random number generator. This may result in predictable values instead of random values as intended.

Recommendation

Update to version 3.0.0 or later.

NVD

react-native-meteor-oauth is a library for Oauth2 login to a Meteor server in React Native. The oauth Random Token is generated using a non-cryptographically strong RNG (Math.random()).
CVSS details - 5.3

CVSS3 metrics

Attack Vector Network

Attack Complexity Low

Privileges Required None

User interaction None

Scope Unchanged

Confidentiality Low

Integrity None

Availability None
References

    nodesecurity.io -&nbspnodesecurity Resources and Information.
    react-native-meteor-oauth/meteor-oauth.js at a7eb738b74c469f5db20296b44b7cae4e2337435 · tableflip/react-native-meteor-oauth · GitHub
    use cryptographically secure random function · jonschlinkert/randomatic@4a52695 · GitHub
    NVD - CVE-2017-16028
    Cryptographically Weak PRNG in randomatic · CVE-2017-16028 · GitHub Advisory Database · GitHub

CVE–2018–16492

Description

Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

The software constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.

GitHub

Prototype Pollution in extend

Versions of extend prior to 3.0.2 (for 3.x) and 2.0.2 (for 2.x) are vulnerable to Prototype Pollution. The extend() function allows attackers to modify the prototype of Object causing the addition or modification of an existing property that will exist on all objects.

Recommendation

If you're using extend 3.x upgrade to 3.0.2 or later.
If you're using extend 2.x upgrade to 2.0.2 or later.

NVD

A prototype pollution vulnerability was found in module extend <2.0.2, ~<3.0.2 that allows an attacker to inject arbitrary properties onto Object.prototype.
CVSS details - 9.8

CVSS3 metrics

Attack Vector Network

Attack Complexity Low

Privileges Required None

User interaction None

Scope Unchanged

Confidentiality High

Integrity High

Availability High
References

    HackerOne
    Prototype Pollution in extend · CVE-2018-16492 · GitHub Advisory Database · GitHub
    NVD - CVE-2018-16492

CVE–2017–15010

Description

Uncontrolled Resource Consumption

The software does not properly control the allocation and maintenance of a limited resource thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources.

GitHub

Regular Expression Denial of Service in tough-cookie

Affected versions of tough-cookie are susceptible to a regular expression denial of service.

The amplification on this vulnerability is relatively low - it takes around 2 seconds for the engine to execute on a malicious input which is 50,000 characters in length.

If node was compiled using the -DHTTP_MAX_HEADER_SIZE however, the impact of the vulnerability can be significant, as the primary limitation for the vulnerability is the default max HTTP header length in node.

Recommendation

Update to version 2.3.3 or later.

NVD

A ReDoS (regular expression denial of service) flaw was found in the tough-cookie module before 2.3.3 for Node.js. An attacker that is able to make an HTTP request using a specially crafted cookie may cause the application to consume an excessive amount of CPU.
CVSS details - 7.5

CVSS3 metrics

Attack Vector Network

Attack Complexity Low

Privileges Required None

User interaction None

Scope Unchanged

Confidentiality None

Integrity None

Availability High
References

    Node.js 'tough-cookie' Module CVE-2017-15010 Denial of Service Vulnerability
    Red Hat Customer Portal - Access to 24x7 support and knowledge
    Red Hat Customer Portal - Access to 24x7 support and knowledge
    Red Hat Customer Portal - Access to 24x7 support and knowledge
    Red Hat Customer Portal - Access to 24x7 support and knowledge
    nodesecurity.io -&nbspnodesecurity Resources and Information.
    Vulnerable Regular Expression · Issue #92 · salesforce/tough-cookie · GitHub
    [SECURITY] Fedora 30 Update: nodejs-tough-cookie-2.3.4-1.fc30 - package-announce - Fedora Mailing-Lists
    Regular Expression Denial of Service in tough-cookie · CVE-2017-15010 · GitHub Advisory Database · GitHub
    NVD - CVE-2017-15010

CVE–2019–13173

Description

Improper Link Resolution Before File Access ('Link Following')

The software attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource.

GitHub

Arbitrary File Overwrite in fstream

Versions of fstream prior to 1.0.12 are vulnerable to Arbitrary File Overwrite. Extracting tarballs containing a hardlink to a file that already exists in the system and a file that matches the hardlink will overwrite the system's file with the contents of the extracted file. The fstream.DirWriter() function is vulnerable.

Recommendation

Upgrade to version 1.0.12 or later.

NVD

fstream before 1.0.12 is vulnerable to Arbitrary File Overwrite. Extracting tarballs containing a hardlink to a file that already exists in the system, and a file that matches the hardlink, will overwrite the system's file with the contents of the extracted file. The fstream.DirWriter() function is vulnerable.
CVSS details - 7.5

CVSS3 metrics

Attack Vector Network

Attack Complexity Low

Privileges Required None

User interaction None

Scope Unchanged

Confidentiality None

Integrity High

Availability None
References

    Clobber a Link if it's in the way of a File · npm/fstream@6a77d2f · GitHub
    npm
    [security-announce] openSUSE-SU-2019:1846-1: important: Security update for nodejs10 - openSUSE Security Announce - openSUSE Mailing Lists
    [security-announce] openSUSE-SU-2019:1907-1: important: Security update for nodejs8 - openSUSE Security Announce - openSUSE Mailing Lists
    USN-4123-1: npm/fstream vulnerability | Ubuntu security notices | Ubuntu
    NVD - CVE-2019-13173
    Arbitrary File Overwrite in fstream · CVE-2019-13173 · GitHub Advisory Database · GitHub

CVE–2020–7733

Description

Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')

The software constructs all or part of an expression language (EL) statement in a Java Server Page (JSP) using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended EL statement before it is executed.

GitHub

Regular Expression Denial of Service in ua-parser-js

The package ua-parser-js before 0.7.22 are vulnerable to Regular Expression Denial of Service (ReDoS) via the regex for Redmi Phones and Mi Pad Tablets UA.

NVD

The package ua-parser-js before 0.7.22 are vulnerable to Regular Expression Denial of Service (ReDoS) via the regex for Redmi Phones and Mi Pad Tablets UA.
CVSS details - 7.5

CVSS3 metrics

Attack Vector Network

Attack Complexity Low

Privileges Required None

User interaction None

Scope Unchanged

Confidentiality None

Integrity None

Availability High
References

    Fix potential ReDoS vulnerability · faisalman/ua-parser-js@233d3ba · GitHub
    NVD - CVE-2020-7733
    GitHub - faisalman/ua-parser-js: UAParser.js - Detect Browser, Engine, OS, CPU, and Device type/model from User-Agent data. Supports browser & node.js environment.
    Regular Expression Denial of Service in ua-parser-js · CVE-2020-7733 · GitHub Advisory Database · GitHub
    GitHub - faisalman/ua-parser-js: UAParser.js - Detect Browser, Engine, OS, CPU, and Device type/model from User-Agent data. Supports browser & node.js environment.

CVE–2020–7793

Description

Uncontrolled Resource Consumption

The software does not properly control the allocation and maintenance of a limited resource thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources.

NVD

The package ua-parser-js before 0.7.23 are vulnerable to Regular Expression Denial of Service (ReDoS) in multiple regexes (see linked commit for more info).
CVSS details - 7.5

CVSS3 metrics

Attack Vector Network

Attack Complexity Low

Privileges Required None

User interaction None

Scope Unchanged

Confidentiality None

Integrity None

Availability High
References

    Fix ReDoS vulnerabilities reported by Snyk · faisalman/ua-parser-js@6d1f26d · GitHub
    GitHub - faisalman/ua-parser-js: UAParser.js - Detect Browser, Engine, OS, CPU, and Device type/model from User-Agent data. Supports browser & node.js environment.
    GitHub - faisalman/ua-parser-js: UAParser.js - Detect Browser, Engine, OS, CPU, and Device type/model from User-Agent data. Supports browser & node.js environment.

CVE–2021–27292

Description

GitHub

Regular Expression Denial of Service (ReDoS) in ua-parser-js

ua-parser-js >= 0.7.14, fixed in 0.7.24, uses a regular expression which is vulnerable to denial of service. If an attacker sends a malicious User-Agent header, ua-parser-js will get stuck processing it for an extended period of time.

NVD

ua-parser-js >= 0.7.14, fixed in 0.7.24, uses a regular expression which is vulnerable to denial of service. If an attacker sends a malicious User-Agent header, ua-parser-js will get stuck processing it for an extended period of time.
CVSS details - 7.5

CVSS3 metrics

Attack Vector Network

Attack Complexity Low

Privileges Required None

User interaction None

Scope Unchanged

Confidentiality None

Integrity None

Availability High
References

    cve-2021-27292 · GitHub
    Fix several exponential/cubic complexity regexes found by Ben Caller/… · pygments/pygments@2e7e8c4 · GitHub
    Fix potential ReDoS vulnerability as reported by Doyensec · faisalman/ua-parser-js@809439e · GitHub
    Regular Expression Denial of Service (ReDoS) in ua-parser-js · CVE-2021-27292 · GitHub Advisory Database · GitHub
    NVD - CVE-2021-27292

CVE–2017–16099

Description

Uncontrolled Resource Consumption

The software does not properly control the allocation and maintenance of a limited resource thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources.

GitHub

Regular Expression Denial of Service in no-case

Affected versions of no-case are vulnerable to a regular expression denial of service when parsing untrusted user input.

Recommendation

Update to version 2.3.2 or later.

NVD

The no-case module is vulnerable to regular expression denial of service. When malicious untrusted user input is passed into no-case it can block the event loop causing a denial of service condition.
CVSS details - 7.5

CVSS3 metrics

Attack Vector Network

Attack Complexity Low

Privileges Required None

User interaction None

Scope Unchanged

Confidentiality None

Integrity None

Availability High
References

    nodesecurity.io -&nbspnodesecurity Resources and Information.
    THIRD PARTY
    Regular Expression Denial of Service in no-case · CVE-2017-16099 · GitHub Advisory Database · GitHub
    NVD - CVE-2017-16099

CVE–2021–23369

Description

GitHub

Remote code execution in handlebars when compiling templates

The package handlebars before 4.7.7 are vulnerable to Remote Code Execution (RCE) when selecting certain compiling options to compile templates coming from an untrusted source.

NVD

The package handlebars before 4.7.7 are vulnerable to Remote Code Execution (RCE) when selecting certain compiling options to compile templates coming from an untrusted source.
CVSS details - 9.8

CVSS3 metrics

Attack Vector Network

Attack Complexity Low

Privileges Required None

User interaction None

Scope Unchanged

Confidentiality High

Integrity High

Availability High
References

    CVE-2021-23369 Node.js Vulnerability in NetApp Products | NetApp Product Security
    fix: check prototype property access in strict-mode (#1736) · handlebars-lang/handlebars.js@b6d3de7 · GitHub
    fix: escape property names in compat mode (#1736) · handlebars-lang/handlebars.js@f058970 · GitHub
    NVD - CVE-2021-23369
    Remote code execution in handlebars when compiling templates · CVE-2021-23369 · GitHub Advisory Database · GitHub

CVE–2021–23383

Description

NVD

The package handlebars before 4.7.7 are vulnerable to Prototype Pollution when selecting certain compiling options to compile templates coming from an untrusted source.
CVSS details - 9.8

CVSS3 metrics

Attack Vector Network

Attack Complexity Low

Privileges Required None

User interaction None

Scope Unchanged

Confidentiality High

Integrity High

Availability High
References

fix: escape property names in compat mode (#1736) · handlebars-lang/handlebars.js@f058970 · GitHub
CVE-2021-23383 Node.js Vulnerability in NetApp Products | NetApp Product Security

debricked–160898

Description

GitHub

Regular Expression Denial of Service

A Regular Expression vulnerability was found in nwmatcher before 1.4.4. The fix replacing multiple repeated instances of the "\s*" pattern.
CVSS details

No information
References

Regular Expression Denial of Service · GHSA-6394-6h9h-cfjg · GitHub Advisory Database · GitHub
changed instances of \s* with \s? in regular expressions to reduce th… · dperini/nwmatcher@9dcc2b0 · GitHub

CVE–2018–3737

Description

Incorrect Regular Expression

The software specifies a regular expression in a way that causes data to be improperly matched or compared.

GitHub

Regular Expression Denial of Service in sshpk

Versions of sshpk before 1.13.2 or 1.14.1 are vulnerable to regular expression denial of service when parsing crafted invalid public keys.

Recommendation

Update to version 1.13.2, 1.14.1 or later.

NVD

sshpk is vulnerable to ReDoS when parsing crafted invalid public keys.
CVSS details - 7.5

CVSS3 metrics

Attack Vector Network

Attack Complexity Low

Privileges Required None

User interaction None

Scope Unchanged

Confidentiality None

Integrity None

Availability High
References

    HackerOne
    Regular Expression Denial of Service in sshpk · CVE-2018-3737 · GitHub Advisory Database · GitHub
    NVD - CVE-2018-3737

CVE–2018–16469

Description

Improper Input Validation

The product does not validate or incorrectly validates input that can affect the control flow or data flow of a program.

GitHub

Prototype Pollution in merge

Versions of merge before 1.2.1 are vulnerable to prototype pollution. The merge.recursive function can be tricked into adding or modifying properties of the Object prototype.

Recommendation

Update to version 1.2.1 or later.

NVD

The merge.recursive function in the merge package <1.2.1 can be tricked into adding or modifying properties of the Object prototype. These properties will be present on all objects allowing for a denial of service attack.
CVSS details - 7.5

CVSS3 metrics

Attack Vector Network

Attack Complexity Low

Privileges Required None

User interaction None

Scope Unchanged

Confidentiality None

Integrity None

Availability High
References

    HackerOne
    Prototype Pollution in merge · CVE-2018-16469 · GitHub Advisory Database · GitHub
    NVD - CVE-2018-16469

CVE–2018–6342

Description

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

The software constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

GitHub
Remote Code Execution in react-dev-utils

react-dev-utils on Windows is vulnerable to remote code execution.

Recommendation

Update to one of the follow versions, depending on the release line that you are using.
- 1.0.4
- 2.0.2
- 3.1.2
- 4.2.2
- 5.0.2
- 6.0.0-next.a671462c
NVD

react-dev-utils on Windows allows developers to run a local webserver for accepting various commands, including a command to launch an editor. The input to that command was not properly sanitized, allowing an attacker who can make a network request to the server (either via CSRF or by direct request) to execute arbitrary commands on the targeted system. This issue affects multiple branches: 1.x.x prior to 1.0.4, 2.x.x prior to 2.0.2, 3.x.x prior to 3.1.2, 4.x.x prior to 4.2.2, and 5.x.x prior to 5.0.2.
CVSS details - 9.8

CVSS3 metrics

Attack Vector Network

Attack Complexity Low

Privileges Required None

User interaction None

Scope Unchanged

Confidentiality High

Integrity High

Availability High
References

    Use file name whitelist to prevent RCE by acdlite · Pull Request #4866 · facebook/create-react-app · GitHub
    Release v1.1.5 · facebook/create-react-app · GitHub
    Remote Code Execution in react-dev-utils · CVE-2018-6342 · GitHub Advisory Database · GitHub
    NVD - CVE-2018-6342

CVE–2018–3774

Description

URL Redirection to Untrusted Site ('Open Redirect')

A web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a Redirect. This simplifies phishing attacks.

GitHub

Open Redirect in url-parse

Versions of url-parse before 1.4.3 returns the wrong hostname which could lead to Open Redirect, Server Side Request Forgery (SSRF), or Bypass Authentication Protocol vulnerabilities.

Recommendation

Update to version 1.4.3 or later.

NVD

Incorrect parsing in url-parse <1.4.3 returns wrong hostname which leads to multiple vulnerabilities such as SSRF, Open Redirect, Bypass Authentication Protocol.
CVSS details - 10

CVSS3 metrics

Attack Vector Network

Attack Complexity Low

Privileges Required None

User interaction None

Scope Changed

Confidentiality High

Integrity High

Availability High
References

    [security] Sanitize paths, hosts before parsing. · unshiftio/url-parse@53b1794 · GitHub
    [security] Added missing SECURITY.md · unshiftio/url-parse@d7b582e · GitHub
    HackerOne
    NVD - CVE-2018-3774
    Open Redirect in url-parse · CVE-2018-3774 · GitHub Advisory Database · GitHub

CVE–2020–8124

Description

Improper Input Validation

The product does not validate or incorrectly validates input that can affect the control flow or data flow of a program.

NVD

Insufficient validation and sanitization of user input exists in url-parse npm package version 1.4.4 and earlier may allow attacker to bypass security checks.
CVSS details - 5.3

CVSS3 metrics

Attack Vector Network

Attack Complexity Low

Privileges Required None

User interaction None

Scope Unchanged

Confidentiality None

Integrity Low

Availability None
References

NVD - CVE-2020-8124
HackerOne

CVE–2021–27515

Description

GitHub

Path traversal in url-parse

url-parse before 1.5.0 mishandles certain uses of backslash such as http:/ and interprets the URI as a relative path.

NVD

url-parse before 1.5.0 mishandles certain uses of backslash such as http:/ and interprets the URI as a relative path.
CVSS details - 5.3

CVSS3 metrics

Attack Vector Network

Attack Complexity Low

Privileges Required None

User interaction None

Scope Unchanged

Confidentiality None

Integrity Low

Availability None
References

    [security] More backslash fixes (#197) · unshiftio/url-parse@d1e7e88 · GitHub
    Comparing 1.4.7...1.5.0 · unshiftio/url-parse · GitHub
    [security] More backslash fixes by 3rd-Eden · Pull Request #197 · unshiftio/url-parse · GitHub
    MISC
    NVD - CVE-2021-27515
    Path traversal in url-parse · CVE-2021-27515 · GitHub Advisory Database · GitHub

debricked–160897

Description

GitHub

Prototype Pollution

A vulnerability was found in querystringify before 2.0.0. It's possible to override built-in properties of the resulting query string object if a malicious string is inserted in the query string.
CVSS details

No information
References

Prototype Pollution · GHSA-hxcm-v35h-mg2x · GitHub Advisory Database · GitHub
[security] Prevent overriding of build-in properties by default by 3rd-Eden · Pull Request #19 · unshiftio/querystringify · GitHub

CVE–2020–7662

Description

GitHub
Regular Expression Denial of Service in websocket-extensions (NPM package)

Impact

The ReDoS flaw allows an attacker to exhaust the server's capacity to process
incoming requests by sending a WebSocket handshake request containing a header
of the following form:
```
 Sec-WebSocket-Extensions: a; b="\c\c\c\c\c\c\c\c\c\c ...
```
That is, a header containing an unclosed string parameter value whose content is
a repeating two-byte sequence of a backslash and some other character. The
parser takes exponential time to reject this header as invalid, and this will
block the processing of any other work on the same thread. Thus if you are
running a single-threaded server, such a request can render your service
completely unavailable.

Patches

Users should upgrade to version 0.1.4.

Workarounds

There are no known work-arounds other than disabling any public-facing
WebSocket functionality you are operating.

References
- https://blog.jcoglan.com/2020/06/02/redos-vulnerability-in-websocket-extensions/
NVD

websocket-extensions npm module prior to 0.1.4 allows Denial of Service (DoS) via Regex Backtracking. The extension parser may take quadratic time when parsing a header containing an unclosed string parameter value whose content is a repeating two-byte sequence of a backslash and some other character. This could be abused by an attacker to conduct Regex Denial Of Service (ReDoS) on a single-threaded server by providing a malicious payload with the Sec-WebSocket-Extensions header.
CVSS details - 7.5

CVSS3 metrics

Attack Vector Network

Attack Complexity Low

Privileges Required None

User interaction None

Scope Unchanged

Confidentiality None

Integrity None

Availability High
References

    ReDoS vulnerability in websocket-extensions – The If Works
    Remove ReDoS vulnerability in the Sec-WebSocket-Extensions header parser · faye/websocket-extensions-node@29496f6 · GitHub
    ReDoS vulnerability in Sec-WebSocket-Extensions parser · Advisory · faye/websocket-extensions-node · GitHub
    Regular Expression Denial of Service in websocket-extensions (NPM package) · CVE-2020-7662 · GitHub Advisory Database · GitHub
    NVD - CVE-2020-7662
    Remove ReDoS vulnerability in the Sec-WebSocket-Extensions header parser · faye/websocket-extensions-ruby@aa156a4 · GitHub

CVE–2020–26291

Description

Improper Input Validation

The product does not validate or incorrectly validates input that can affect the control flow or data flow of a program.

GitHub

Hostname spoofing via backslashes in URL

Impact

If using affected versions to determine a URL's hostname, the hostname can be spoofed by using a backslash (\) character followed by an at (@) character. If the hostname is used in security decisions, the decision may be incorrect.

Depending on library usage and attacker intent, impacts may include allow/block list bypasses, SSRF attacks, open redirects, or other undesired behavior.

Example URL: https://expected-example.com\@observed-example.com
Escaped string: https://expected-example.com\\@observed-example.com (JavaScript strings must escape backslash)

Affected versions incorrectly return observed-example.com. Patched versions correctly return expected-example.com. Patched versions match the behavior of other parsers which implement the WHATWG URL specification, including web browsers and Node's built-in URL class.

Patches

Version 1.19.4 is patched against all known payload variants. Version 1.19.3 has a partial patch but is still vulnerable to a payload variant.

References

https://github.com/medialize/URI.js/releases/tag/v1.19.4 (complete fix for this bypass)
https://github.com/medialize/URI.js/releases/tag/v1.19.3 (partial fix for this bypass)
PR #233 (initial fix for backslash handling)

For more information

If you have any questions or comments about this advisory, open an issue in https://github.com/medialize/URI.js

Reporter credit

Alesandro Ortiz

NVD

URI.js is a javascript URL mutation library (npm package urijs). In URI.js before version 1.19.4, the hostname can be spoofed by using a backslash (\) character followed by an at (@) character. If the hostname is used in security decisions, the decision may be incorrect. Depending on library usage and attacker intent, impacts may include allow/block list bypasses, SSRF attacks, open redirects, or other undesired behavior. For example the URL https://expected-example.com\@observed-example.com will incorrectly return observed-example.com if using an affected version. Patched versions correctly return expected-example.com. Patched versions match the behavior of other parsers which implement the WHATWG URL specification, including web browsers and Node's built-in URL class. Version 1.19.4 is patched against all known payload variants. Version 1.19.3 has a partial patch but is still vulnerable to a payload variant.]
CVSS details - 6.5

CVSS3 metrics

Attack Vector Network

Attack Complexity Low

Privileges Required Low

User interaction None

Scope Unchanged

Confidentiality None

Integrity High

Availability None
References

    fix(parse): treat backslash as forwardslash in authority (#403) · medialize/URI.js@b02bf03 · GitHub
    Release 1.19.4 (December 23rd 2020) · medialize/URI.js · GitHub
    Hostname spoofing via backslashes in URL · Advisory · medialize/URI.js · GitHub
    urijs - npm
    NVD - CVE-2020-26291
    Hostname spoofing via backslashes in URL · CVE-2020-26291 · GitHub Advisory Database · GitHub
    GitHub - garycourt/uri-js: An RFC 3986 compliant, scheme extendable URI parsing/validating/normalizing/resolving library for JavaScript
    GitHub - ericf/urljs: [DEPRECATED] An API for working with URLs in JavaScript

CVE–2021–27516

Description

GitHub

Hostname spoofing via backslashes in URL

Impact

If using affected versions to determine a URL's hostname, the hostname can be spoofed by using a backslash (\) character as part of the scheme delimiter, e.g. scheme:/\hostname. If the hostname is used in security decisions, the decision may be incorrect.

Depending on library usage and attacker intent, impacts may include allow/block list bypasses, SSRF attacks, open redirects, or other undesired behavior.

Example URL: https:/\expected-example.com/path
Escaped string: https:/\\expected-example.com/path (JavaScript strings must escape backslash)

Affected versions incorrectly return no hostname. Patched versions correctly return expected-example.com. Patched versions match the behavior of other parsers which implement the WHATWG URL specification, including web browsers and Node's built-in URL class.

Patches

Version 1.19.6 is patched against all known payload variants.

References

https://github.com/medialize/URI.js/releases/tag/v1.19.6 (fix for this particular bypass)
https://github.com/medialize/URI.js/releases/tag/v1.19.4 (fix for related bypass)
https://github.com/medialize/URI.js/releases/tag/v1.19.3 (fix for related bypass)
PR #233 (initial fix for backslash handling)

For more information

If you have any questions or comments about this advisory, open an issue in https://github.com/medialize/URI.js

Reporter credit

Yaniv Nizry from the CxSCA AppSec team at Checkmarx

NVD

URI.js (aka urijs) before 1.19.6 mishandles certain uses of backslash such as http:/ and interprets the URI as a relative path.
CVSS details - 7.5

CVSS3 metrics

Attack Vector Network

Attack Complexity Low

Privileges Required None

User interaction None

Scope Unchanged

Confidentiality High

Integrity None

Availability None
References

    fix(parse): treat backslash as forwardslash in scheme delimiter · medialize/URI.js@a1ad8bc · GitHub
    Release 1.19.6 (February 13th 2021) · medialize/URI.js · GitHub
    MISC
    NVD - CVE-2021-27516
    Hostname spoofing via backslashes in URL · Advisory · medialize/URI.js · GitHub
    Hostname spoofing via backslashes in URL · CVE-2021-27516 · GitHub Advisory Database · GitHub

CVE–2020–28498

Description

Use of a Broken or Risky Cryptographic Algorithm

The use of a broken or risky cryptographic algorithm is an unnecessary risk that may result in the exposure of sensitive information.

GitHub

Use of a Broken or Risky Cryptographic Algorithm

The npm package elliptic before version 6.5.4 are vulnerable to Cryptographic Issues via the secp256k1 implementation in elliptic/ec/key.js. There is no check to confirm that the public key point passed into the derive function actually exists on the secp256k1 curve. This results in the potential for the private key used in this implementation to be revealed after a number of ECDH operations are performed.

NVD

The package elliptic before 6.5.4 are vulnerable to Cryptographic Issues via the secp256k1 implementation in elliptic/ec/key.js. There is no check to confirm that the public key point passed into the derive function actually exists on the secp256k1 curve. This results in the potential for the private key used in this implementation to be revealed after a number of ECDH operations are performed.
CVSS details - 6.8

CVSS3 metrics

Attack Vector Network

Attack Complexity High

Privileges Required None

User interaction None

Scope Changed

Confidentiality High

Integrity None

Availability None
References

    blog/secp256k1_twist_attacks.md at master · christianlundkvist/blog · GitHub
    ec: validate that a point before deriving keys · indutny/elliptic@441b742 · GitHub
    Use of a Broken or Risky Cryptographic Algorithm · CVE-2020-28498 · GitHub Advisory Database · GitHub
    Private by kdenhartog · Pull Request #244 · indutny/elliptic · GitHub
    NVD - CVE-2020-28498

CVE–2021–23386

Description

Exposure of Sensitive Information to an Unauthorized Actor

The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

GitHub

Potential memory exposure in dns-packet

This affects the package dns-packet before versions 1.3.2 and 5.2.2. It creates buffers with allocUnsafe and does not always fill them before forming network packets. This can expose internal application memory over unencrypted network when querying crafted invalid domain names.

NVD

This affects the package dns-packet before 5.2.2. It creates buffers with allocUnsafe and does not always fill them before forming network packets. This can expose internal application memory over unencrypted network when querying crafted invalid domain names.
CVSS details - 6.5

CVSS3 metrics

Attack Vector Network

Attack Complexity Low

Privileges Required Low

User interaction None

Scope Unchanged

Confidentiality High

Integrity None

Availability None
References

    HackerOne
    do trim on encodingLength as well · mafintosh/dns-packet@25f15dd · GitHub
    NVD - CVE-2021-23386
    Potential memory exposure in dns-packet · CVE-2021-23386 · GitHub Advisory Database · GitHub

CVE–2017–16119

Description

Uncontrolled Resource Consumption

The software does not properly control the allocation and maintenance of a limited resource thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources.

GitHub

Regular Expression Denial of Service in fresh

Affected versions of fresh are vulnerable to regular expression denial of service when parsing specially crafted user input.

Recommendation

Update to version 0.5.2 or later.

NVD

Fresh is a module used by the Express.js framework for HTTP response freshness testing. It is vulnerable to a regular expression denial of service when it is passed specially crafted input to parse. This causes the event loop to be blocked causing a denial of service condition.
CVSS details - 7.5

CVSS3 metrics

Attack Vector Network

Attack Complexity Low

Privileges Required None

User interaction None

Scope Unchanged

Confidentiality None

Integrity None

Availability High
References

    nodesecurity.io -&nbspnodesecurity Resources and Information.
    NVD - CVE-2017-16119
    Regular Expression Denial of Service in fresh · CVE-2017-16119 · GitHub Advisory Database · GitHub

CVE–2017–16118

Description

Uncontrolled Resource Consumption

The software does not properly control the allocation and maintenance of a limited resource thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources.

GitHub

Regular Expression Denial of Service in forwarded

Affected versions of forwarded are vulnerable to regular expression denial of service when parsing specially crafted user input.

Recommendation

Update to version 0.1.2 or later

NVD

The forwarded module is used by the Express.js framework to handle the X-Forwarded-For header. It is vulnerable to a regular expression denial of service when it's passed specially crafted input to parse. This causes the event loop to be blocked causing a denial of service condition.
CVSS details - 7.5

CVSS3 metrics

Attack Vector Network

Attack Complexity Low

Privileges Required None

User interaction None

Scope Unchanged

Confidentiality None

Integrity None

Availability High
References

    Bugtraq
    nodesecurity.io -&nbspnodesecurity Resources and Information.
    NVD - CVE-2017-16118
    Regular Expression Denial of Service in forwarded · CVE-2017-16118 · GitHub Advisory Database · GitHub

CVE–2020–7720

Description

Improper Input Validation

The product does not validate or incorrectly validates input that can affect the control flow or data flow of a program.

GitHub

Prototype Pollution in node-forge

The package node-forge before 0.10.0 is vulnerable to Prototype Pollution via the util.setPath function. Note: Version 0.10.0 is a breaking change removing the vulnerable functions.

NVD

The package node-forge before 0.10.0 is vulnerable to Prototype Pollution via the util.setPath function. Note: Version 0.10.0 is a breaking change removing the vulnerable functions.
CVSS details - 7.3

CVSS3 metrics

Attack Vector Network

Attack Complexity Low

Privileges Required None

User interaction None

Scope Unchanged

Confidentiality Low

Integrity Low

Availability Low
References

    forge/CHANGELOG.md at master · digitalbazaar/forge · GitHub
    NVD - CVE-2020-7720
    Prototype Pollution in node-forge · CVE-2020-7720 · GitHub Advisory Database · GitHub
    GitHub - digitalbazaar/forge: A native implementation of TLS in Javascript and tools to write crypto-based and network-heavy webapps

CVE–2021–33502

Description

GitHub

ReDoS in normalize-url

The normalize-url package before 4.5.1, 5.x before 5.3.1, and 6.x before 6.0.1 for Node.js has a ReDoS (regular expression denial of service) issue because it has exponential performance for data: URLs.

NVD

The normalize-url package before 4.5.1, 5.x before 5.3.1, and 6.x before 6.0.1 for Node.js has a ReDoS (regular expression denial of service) issue because it has exponential performance for data: URLs.
CVSS details - 7.5

CVSS3 metrics

Attack Vector Network

Attack Complexity Low

Privileges Required None

User interaction None

Scope Unchanged

Confidentiality None

Integrity None

Availability High
References

    Release v6.0.1 · sindresorhus/normalize-url · GitHub
    NVD - CVE-2021-33502
    ReDoS in normalize-url · CVE-2021-33502 · GitHub Advisory Database · GitHub

CVE–2021–26707

Description

GitHub

Prototype pollution in Merge-deep

The merge-deep library before 3.0.3 for Node.js can be tricked into overwriting properties of Object.prototype or adding new properties to it. These properties are then inherited by every object in the program, thus facilitating prototype-pollution attacks against applications using this library.

NVD

The merge-deep library before 3.0.3 for Node.js can be tricked into overwriting properties of Object.prototype or adding new properties to it. These properties are then inherited by every object in the program, thus facilitating prototype-pollution attacks against applications using this library.
CVSS details - 9.8

CVSS3 metrics

Attack Vector Network

Attack Complexity Low

Privileges Required None

User interaction None

Scope Unchanged

Confidentiality High

Integrity High

Availability High
References

    add isValidKey function to ensure only valid keys are merged · jonschlinkert/merge-deep@11e5dd5 · GitHub
    merge-deep - npm
    GHSL-2020-160: Prototype pollution in Merge-deep | GitHub Security Lab
    merge-deep/.verb.md at 628ff47c9d824ccf21adf9a2b7cc6b74632e11a1 · jonschlinkert/merge-deep · GitHub
    NVD - CVE-2021-26707
    Sign in to GitHub · GitHub
    Prototype pollution in Merge-deep · CVE-2021-26707 · GitHub Advisory Database · GitHub
    merge-deep/LICENSE at 628ff47c9d824ccf21adf9a2b7cc6b74632e11a1 · jonschlinkert/merge-deep · GitHub
    GitHub - jonschlinkert/merge-deep: Recursively merge values in a JavaScript object.

CVE–2020–13822

Description

Integer Overflow or Wraparound

The software performs a calculation that can produce an integer overflow or wraparound, when the logic assumes that the resulting value will always be larger than the original value. This can introduce other weaknesses when the calculation is used for resource management or execution control.

GitHub

Signature Malleabillity in elliptic

The Elliptic package before version 6.5.3 for Node.js allows ECDSA signature malleability via variations in encoding, leading '\0' bytes, or integer overflows. This could conceivably have a security-relevant impact if an application relied on a single canonical signature.

NVD

The Elliptic package 6.5.2 for Node.js allows ECDSA signature malleability via variations in encoding, leading '\0' bytes, or integer overflows. This could conceivably have a security-relevant impact if an application relied on a single canonical signature.
CVSS details - 7.7

CVSS3 metrics

Attack Vector Network

Attack Complexity High

Privileges Required None

User interaction None

Scope Unchanged

Confidentiality High

Integrity High

Availability Low
References

    Lack of encoding checks allows a certain degree of signature malleability in ECDSA signatures · Issue #226 · indutny/elliptic · GitHub
    Malleability-Attack: Why It Matters | by Herman Schoenfeld | Medium
    elliptic - npm
    How Not to Use ECDSA – Learning Words
    NVD - CVE-2020-13822
    GitHub - indutny/elliptic: Fast Elliptic Curve Cryptography in plain javascript
    Signature Malleabillity in elliptic · CVE-2020-13822 · GitHub Advisory Database · GitHub

debricked–149740

Description

GitHub

Denial of Service in http-proxy

Versions of http-proxy prior to 1.18.1 are vulnerable to Denial of Service. An HTTP request with a long body triggers an ERR_HTTP_HEADERS_SENT unhandled exception that crashes the proxy server. This is only possible when the proxy server sets headers in the proxy request using the proxyReq.setHeader function.

For a proxy server running on http://localhost:3000, the following curl request triggers the unhandled exception:
curl -XPOST http://localhost:3000 -d "$(python -c 'print("x"*1025)')"

Recommendation

Upgrade to version 1.18.1 or later
CVSS details

No information
References

Denial of Service in http-proxy · GHSA-6x33-pw7p-hmpq · GitHub Advisory Database · GitHub
Skip sending the proxyReq event when the expect header is present by jsmylnycky · Pull Request #1447 · http-party/node-http-proxy · GitHub

debricked–149739

Description

GitHub

Prototype Pollution in yargs-parser

Affected versions of yargs-parser are vulnerable to prototype pollution. Arguments are not properly sanitized, allowing an attacker to modify the prototype of Object, causing the addition or modification of an existing property that will exist on all objects.
Parsing the argument --foo.__proto__.bar baz' adds a bar property with value baz to all objects. This is only exploitable if attackers have control over the arguments being passed to yargs-parser.

Recommendation

Upgrade to versions 13.1.2, 15.0.1, 18.1.1 or later.
CVSS details

No information
References

fix: proto will now be replaced with proto in parse (#258) · yargs/yargs-parser@63810ca · GitHub
Prototype Pollution in yargs-parser · CVE-2020-7608 · GitHub Advisory Database · GitHub

debricked–149694

Description

GitHub

Denial of Service in js-yaml

Versions of js-yaml prior to 3.13.0 are vulnerable to Denial of Service. By parsing a carefully-crafted YAML file, the node process stalls and may exhaust system resources leading to a Denial of Service.

Recommendation

Upgrade to version 3.13.0.
CVSS details

No information
References

Denial of Service in js-yaml · GHSA-2pr6-76vf-7546 · GitHub Advisory Database · GitHub
Using complex arrays as map keys may hang the process · Issue #475 · nodeca/js-yaml · GitHub

debricked–149699

Description

GitHub

Code Injection in js-yaml

Versions of js-yaml prior to 3.13.1 are vulnerable to Code Injection. The load() function may execute arbitrary code injected through a malicious YAML file. Objects that have toString as key, JavaScript code as value and are used as explicit mapping keys allow attackers to execute the supplied code through the load() function. The safeLoad() function is unaffected.

An example payload is
{ toString: !<tag:yaml.org,2002:js/function> 'function (){return Date.now()}' } : 1
which returns the object
{
"1553107949161": 1
}

Recommendation

Upgrade to version 3.13.1.
CVSS details

No information
References

Fix possible code execution in (already unsafe) load() by rlidwka · Pull Request #480 · nodeca/js-yaml · GitHub
Code Injection in js-yaml · GHSA-8j8c-7jfh-h6hx · GitHub Advisory Database · GitHub

debricked–149662

Description

GitHub

Denial of Service in mem

Versions of mem prior to 4.0.0 are vulnerable to Denial of Service (DoS). The package fails to remove old values from the cache even after a value passes its maxAge property. This may allow attackers to exhaust the system's memory if they are able to abuse the application logging.

Recommendation

Upgrade to version 4.0.0 or later.
CVSS details

No information
References

Denial of Service in mem · GHSA-4xcv-9jjx-gfj3 · GitHub Advisory Database · GitHub
Automatically release memory when an item expires - fixes #14 (#19) · sindresorhus/mem@da4e439 · GitHub

CVE–2018–6341

Description

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

GitHub
Cross-Site Scripting in react-dom

Affected versions of react-dom are vulnerable to Cross-Site Scripting (XSS). The package fails to validate attribute names in HTML tags which may lead to Cross-Site Scripting in specific scenarios. This may allow attackers to execute arbitrary JavaScript in the victim's browser. To be affected by this vulnerability, the application needs to:
- be a server-side React app
- be rendered to HTML using ReactDOMServer
- include an attribute name from user input in an HTML tag
Recommendation

If you are using react-dom 16.0.x, upgrade to 16.0.1 or later.
If you are using react-dom 16.1.x, upgrade to 16.1.2 or later.
If you are using react-dom 16.2.x, upgrade to 16.2.1 or later.
If you are using react-dom 16.3.x, upgrade to 16.3.3 or later.
If you are using react-dom 16.4.x, upgrade to 16.4.2 or later.
NVD

React applications which rendered to HTML using the ReactDOMServer API were not escaping user-supplied attribute names at render-time. That lack of escaping could lead to a cross-site scripting vulnerability. This issue affected minor releases 16.0.x, 16.1.x, 16.2.x, 16.3.x, and 16.4.x. It was fixed in 16.0.1, 16.1.2, 16.2.1, 16.3.3, and 16.4.2.
CVSS details - 6.1

CVSS3 metrics

Attack Vector Network

Attack Complexity Low

Privileges Required None

User interaction Required

Scope Changed

Confidentiality Low

Integrity Low

Availability None
References

    React v16.4.2: Server-side vulnerability fix – React Blog
    JavaScript is not available.
    GitHub - facebook/react: A declarative, efficient, and flexible JavaScript library for building user interfaces.
    Fix SSR crash on a hasOwnProperty attribute by gaearon · Pull Request #13303 · facebook/react · GitHub
    react/CODE_OF_CONDUCT.md at main · facebook/react · GitHub
    NVD - CVE-2018-6341
    Sanitize unknown attribute names for SSR by gaearon · Pull Request #13302 · facebook/react · GitHub
    Cross-Site Scripting in react-dom · CVE-2018-6341 · GitHub Advisory Database · GitHub
    react/CODE_OF_CONDUCT.md at main · facebook/react · GitHub

CVE–2018–1107

Description

Uncontrolled Resource Consumption

The software does not properly control the allocation and maintenance of a limited resource thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources.

NVD

It was discovered that the is-my-json-valid JavaScript library used an inefficient regular expression to validate JSON fields defined to have email format. A specially crafted JSON file could cause it to consume an excessive amount of CPU time when validated.
CVSS details - 5.3

CVSS3 metrics

Attack Vector Network

Attack Complexity Low

Privileges Required None

User interaction None

Scope Unchanged

Confidentiality None

Integrity None

Availability Low
References

    1546357 – (CVE-2018-1107) CVE-2018-1107 nodejs-is-my-json-valid: ReDoS when validating JSON fields with email format
    Avoid catastrophic backtracking by LinusU · Pull Request #159 · mafintosh/is-my-json-valid · GitHub
    Merge pull request #159 from mafintosh/safe-regex · mafintosh/is-my-json-valid@b3051b2 · GitHub

CVE–2017–1000427

Description

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

GitHub

Moderate severity vulnerability that affects marked

marked version 0.3.6 and earlier is vulnerable to an XSS attack in the data: URI parser.

NVD

marked version 0.3.6 and earlier is vulnerable to an XSS attack in the data: URI parser.
CVSS details - 6.1

CVSS3 metrics

Attack Vector Network

Attack Complexity Low

Privileges Required None

User interaction Required

Scope Changed

Confidentiality Low

Integrity Low

Availability None
References

    [SECURITY] Fedora 32 Update: marked-1.1.0-3.fc32 - package-announce - Fedora Mailing-Lists
    [SECURITY] Fedora 31 Update: marked-1.1.0-3.fc31 - package-announce - Fedora Mailing-Lists
    marked version 0.3.6 and earlier is vulnerable to an XSS ... · CVE-2017-1000427 · GitHub Advisory Database · GitHub
    GitHub - markedjs/marked: A markdown parser and compiler. Built for speed.
    added data: link fix to prevent xss · markedjs/marked@cd2f6f5 · GitHub
    NVD - CVE-2017-1000427

CVE–2017–16114

Description

Uncontrolled Resource Consumption

The software does not properly control the allocation and maintenance of a limited resource thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources.

GitHub

Regular Expression Denial of Service in marked

Affected versions of marked are vulnerable to a regular expression denial of service.

The amplification in this vulnerability is significant, with 1,000 characters resulting in the event loop being blocked for around 6 seconds.

Recommendation

Update to version 0.3.9 or later.

NVD

The marked module is vulnerable to a regular expression denial of service. Based on the information published in the public issue, 1k characters can block for around 6 seconds.
CVSS details - 7.5

CVSS3 metrics

Attack Vector Network

Attack Complexity Low

Privileges Required None

User interaction None

Scope Unchanged

Confidentiality None

Integrity None

Availability High
References

    nodesecurity.io -&nbspnodesecurity Resources and Information.
    Vulnerable Regular Expression · Issue #937 · markedjs/marked · GitHub
    Regular Expression Denial of Service in marked · CVE-2017-16114 · GitHub Advisory Database · GitHub
    NVD - CVE-2017-16114

CVE–2019–10747

Description

Uncontrolled Resource Consumption

The software does not properly control the allocation and maintenance of a limited resource thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources.

GitHub

Prototype Pollution in set-value

Versions of set-value prior to 3.0.1 or 2.0.1 are vulnerable to Prototype Pollution. The set function fails to validate which Object properties it updates. This allows attackers to modify the prototype of Object, causing the addition or modification of an existing property on all objects.

Recommendation

If you are using set-value 3.x, upgrade to version 3.0.1 or later.
If you are using set-value 2.x, upgrade to version 2.0.1 or later.

NVD

set-value is vulnerable to Prototype Pollution in versions lower than 3.0.1. The function mixin-deep could be tricked into adding or modifying properties of Object.prototype using any of the constructor, prototype and proto payloads.
CVSS details - 9.8

CVSS3 metrics

Attack Vector Network

Attack Complexity Low

Privileges Required None

User interaction None

Scope Unchanged

Confidentiality High

Integrity High

Availability High
References

    Pony Mail!
    [SECURITY] Fedora 30 Update: nodejs-set-value-2.0.1-1.fc30 - package-announce - Fedora Mailing-Lists
    [SECURITY] Fedora 31 Update: nodejs-set-value-2.0.1-1.fc31 - package-announce - Fedora Mailing-Lists
    disallow proto keys · jonschlinkert/set-value@95e9d99 · GitHub
    NVD - CVE-2019-10747
    GitHub - jonschlinkert/set-value: Set nested properties on an object using dot-notation.
    Prototype Pollution in set-value · CVE-2019-10747 · GitHub Advisory Database · GitHub

CVE–2019–20149

Description

Exposure of Resource to Wrong Sphere

The product exposes a resource to the wrong control sphere, providing unintended actors with inappropriate access to the resource.

GitHub

Validation Bypass in kind-of

Versions of kind-of 6.x prior to 6.0.3 are vulnerable to a Validation Bypass. A maliciously crafted object can alter the result of the type check, allowing attackers to bypass the type checking validation.

Recommendation

Upgrade to versions 6.0.3 or later.

NVD

ctorName in index.js in kind-of v6.0.2 allows external user input to overwrite certain internal attributes via a conflicting name, as demonstrated by 'constructor': {'name':'Symbol'}. Hence, a crafted payload can overwrite this builtin attribute to manipulate the type detection result.
CVSS details - 7.5

CVSS3 metrics

Attack Vector Network

Attack Complexity Low

Privileges Required None

User interaction None

Scope Unchanged

Confidentiality None

Integrity High

Availability None
References

    type checking · Issue #30 · jonschlinkert/kind-of · GitHub
    fix type checking vul in ctorName by xiaofen9 · Pull Request #31 · jonschlinkert/kind-of · GitHub
    Validation Bypass in kind-of · CVE-2019-20149 · GitHub Advisory Database · GitHub
    NVD - CVE-2019-20149

CVE–2019–10746

Description

Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')

The software constructs a string for a command to executed by a separate component in another control sphere, but it does not properly delimit the intended arguments, options, or switches within that command string.

GitHub

Prototype Pollution in mixin-deep

Versions of mixin-deep prior to 2.0.1 or 1.3.2 are vulnerable to Prototype Pollution. The mixinDeep function fails to validate which Object properties it updates. This allows attackers to modify the prototype of Object, causing the addition or modification of an existing property on all objects.

Recommendation

If you are using mixin-deep 2.x, upgrade to version 2.0.1 or later.
If you are using mixin-deep 1.x, upgrade to version 1.3.2 or later.

NVD

mixin-deep is vulnerable to Prototype Pollution in versions before 1.3.2 and version 2.0.0. The function mixin-deep could be tricked into adding or modifying properties of Object.prototype using a constructor payload.
CVSS details - 9.8

CVSS3 metrics

Attack Vector Network

Attack Complexity Low

Privileges Required None

User interaction None

Scope Unchanged

Confidentiality High

Integrity High

Availability High
References

    [SECURITY] Fedora 30 Update: nodejs-mixin-deep-1.3.2-1.fc30 - package-announce - Fedora Mailing-Lists
    [SECURITY] Fedora 31 Update: nodejs-mixin-deep-1.3.2-1.fc31 - package-announce - Fedora Mailing-Lists
    Prototype Pollution in mixin-deep · CVE-2019-10746 · GitHub Advisory Database · GitHub
    disallow constructor and prototype keys · jonschlinkert/mixin-deep@8f464c8 · GitHub
    NVD - CVE-2019-10746
    GitHub - jonschlinkert/mixin-deep: Deeply mix the properties of objects into the first object, while also mixing-in child objects.

CVE–2019–15599

Description

Improper Control of Generation of Code ('Code Injection')

The software constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

NVD

A Code Injection exists in tree-kill on Windows which allows a remote code execution when an attacker is able to control the input into the command.
CVSS details - 9.8

CVSS3 metrics

Attack Vector Network

Attack Complexity Low

Privileges Required None

User interaction None

Scope Unchanged

Confidentiality High

Integrity High

Availability High
References

NVD - CVE-2019-15599
HackerOne

CVE–2018–16472

Description

Improper Input Validation

The product does not validate or incorrectly validates input that can affect the control flow or data flow of a program.

GitHub

Prototype Pollution in cached-path-relative

Version of cached-path-relative before 1.0.2 are vulnerable to prototype pollution.

Recommendation

Update to version 1.0.2 or later.

NVD

A prototype pollution attack in cached-path-relative versions <=1.0.1 allows an attacker to inject properties on Object.prototype which are then inherited by all the JS objects through the prototype chain causing a DoS attack.
CVSS details - 7.5

CVSS3 metrics

Attack Vector Network

Attack Complexity Low

Privileges Required None

User interaction None

Scope Unchanged

Confidentiality None

Integrity None

Availability High
References

    HackerOne
    Prototype Pollution in cached-path-relative · CVE-2018-16472 · GitHub Advisory Database · GitHub
    NVD - CVE-2018-16472

CVE–2017–16042

Description

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

The software constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

GitHub

Command Injection in growl

Affected versions of growl do not properly sanitize input prior to passing it into a shell command, allowing for arbitrary command execution.

Recommendation

Update to version 1.10.2 or later.

NVD

Growl adds growl notification support to nodejs. Growl before 1.10.2 does not properly sanitize input before passing it to exec, allowing for arbitrary command execution.
CVSS details - 9.8

CVSS3 metrics

Attack Vector Network

Attack Complexity Low

Privileges Required None

User interaction None

Scope Unchanged

Confidentiality High

Integrity High

Availability High
References

    Unsafe use of exec · Issue #60 · tj/node-growl · GitHub
    fix(lib): fixed command injection vulnerability according to Issue #60 by keymandll · Pull Request #61 · tj/node-growl · GitHub
    nodesecurity.io -&nbspnodesecurity Resources and Information.
    Command Injection in growl · CVE-2017-16042 · GitHub Advisory Database · GitHub
    NVD - CVE-2017-16042

CVE–2018–20835

Description

Improper Input Validation

The product does not validate or incorrectly validates input that can affect the control flow or data flow of a program.

GitHub

High severity vulnerability that affects tar-fs

A vulnerability was found in tar-fs before 1.16.2. An Arbitrary File Overwrite issue exists when extracting a tarball containing a hardlink to a file that already exists on the system, in conjunction with a later plain file with the same name as the hardlink. This plain file content replaces the existing file content.

NVD

A vulnerability was found in tar-fs before 1.16.2. An Arbitrary File Overwrite issue exists when extracting a tarball containing a hardlink to a file that already exists on the system, in conjunction with a later plain file with the same name as the hardlink. This plain file content replaces the existing file content.
CVSS details - 7.5

CVSS3 metrics

Attack Vector Network

Attack Complexity Low

Privileges Required None

User interaction None

Scope Unchanged

Confidentiality None

Integrity High

Availability None
References

    force hardlink targets to be in the tar · mafintosh/tar-fs@0667282 · GitHub
    HackerOne
    Comparing d590fc7...a35ce2f · mafintosh/tar-fs · GitHub
    Improper Input Validation in tar-fs · CVE-2018-20835 · GitHub Advisory Database · GitHub
    NVD - CVE-2018-20835

CVE–2020–15366

Description

Improper Input Validation

The product does not validate or incorrectly validates input that can affect the control flow or data flow of a program.

NVD

An issue was discovered in ajv.validate() in Ajv (aka Another JSON Schema Validator) 6.12.2. A carefully crafted JSON schema could be provided that allows execution of other code by prototype pollution. (While untrusted schemas are recommended against, the worst case of an untrusted schema should be a denial of service, not execution of code.)
CVSS details - 5.6

CVSS3 metrics

Attack Vector Network

Attack Complexity High

Privileges Required None

User interaction None

Scope Unchanged

Confidentiality Low

Integrity Low

Availability Low
References

    Release v6.12.3 · ajv-validator/ajv · GitHub
    Tags · ajv-validator/ajv · GitHub
    HackerOne

Related information

📌 Remember! Check the changes to ensure they don't introduce any breaking changes.
📚 Read more at Debricked

Bulk fix vulnerabilities

db44466

CVSS3 metrics
Attack Vector	Network
Attack Complexity	Low
Privileges Required	None
User interaction	None
Scope	Unchanged
Confidentiality	None
Integrity	None
Availability	High

Bulk vulnerability fix - Lockfile fix #2

Are you sure you want to change the base?

Bulk vulnerability fix - Lockfile fix #2

Conversation

debricked bot commented Aug 9, 2021

Bulk vulnerability fix - Lockfile fix

Fixed vulnerabilities:

NVD

GitHub

Recommendation

Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)

GitHub

Recommendation

NVD

Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

GitHub

Recommendation

NVD

Uncontrolled Resource Consumption

GitHub

Recommendation

NVD

Improper Link Resolution Before File Access ('Link Following')

GitHub

Recommendation

NVD

Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')

GitHub

NVD

Uncontrolled Resource Consumption

NVD

GitHub

NVD

Uncontrolled Resource Consumption

GitHub

Recommendation

NVD

GitHub

NVD

NVD

GitHub

Incorrect Regular Expression

GitHub

Recommendation

NVD

Improper Input Validation

GitHub

Recommendation

NVD

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

GitHub

Recommendation

NVD

URL Redirection to Untrusted Site ('Open Redirect')

GitHub

Recommendation

NVD

Improper Input Validation

NVD

GitHub

NVD

GitHub

GitHub

Impact

Patches

Workarounds

References

NVD

Improper Input Validation

GitHub

Impact

Patches

References

For more information

Reporter credit

NVD

GitHub

Impact

Patches

References