Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add severity to JSON feed #1374

Merged
merged 5 commits into from
Sep 12, 2024
Merged
Show file tree
Hide file tree
Changes from 2 commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
3 changes: 2 additions & 1 deletion __mocks__/mockVuln/pass/core/1.json
Original file line number Diff line number Diff line change
Expand Up @@ -7,5 +7,6 @@
"patched": "^8.1.4 || ^7.10.1 || ^4.8.4 || ^6.11.1",
"description": "mocked core vulnerability overview",
"overview": "mocked core vulnerability overview",
"affectedEnvironments": ["all"]
"affectedEnvironments": ["all"],
"severity": "medium"
}
4 changes: 4 additions & 0 deletions tools/vuln_valid/vulnValidate.js
Original file line number Diff line number Diff line change
Expand Up @@ -37,6 +37,10 @@ const coreModel = joi.object().keys({
// See: https://nodejs.org/api/os.html#osplatform
.items(joi.string().valid("all", "aix", "darwin", "freebsd", "linux", "openbsd", "sunos", "win32", "android"))
.min(1)
.required(),
severity: joi
.string()
.regex(/^(unknown)|(low)|(medium)|(high)|(critical)$/)
.required()
});

Expand Down
5 changes: 4 additions & 1 deletion vuln/core/1.json
Original file line number Diff line number Diff line change
Expand Up @@ -7,5 +7,8 @@
"patched": "^8.1.4 || ^7.10.1 || ^4.8.4 || ^6.11.1",
"description": "memory overread when parsing invalid NAPTR responses",
"overview": "The c-ares function ares_parse_naptr_reply(), which is used for parsing NAPTR\nresponses, could be triggered to read memory outside of the given input buffer\nif the passed in DNS response packet was crafted in a particular way.\n\n",
"affectedEnvironments": ["all"]
"affectedEnvironments": [
"all"
],
"severity": "unknown"
}
5 changes: 4 additions & 1 deletion vuln/core/10.json
Original file line number Diff line number Diff line change
Expand Up @@ -6,5 +6,8 @@
"patched": "^6.9.0",
"ref": "https://nodejs.org/en/blog/vulnerability/october-2016-security-releases/",
"overview": "The V8 parser mishandled scopes, potentially allowing an attacker to obtain\nsensitive information from arbitrary memory locations via crafted JavaScript\ncode. This vulnerability would require an attacker to be able to execute\narbitrary JavaScript code in a Node.js process.\n\n",
"affectedEnvironments": ["all"]
"affectedEnvironments": [
"all"
],
"severity": "unknown"
}
9 changes: 7 additions & 2 deletions vuln/core/100.json
Original file line number Diff line number Diff line change
@@ -1,8 +1,13 @@
{
"cve": ["CVE-2022-35256"],
"cve": [
"CVE-2022-35256"
],
"vulnerable": "14.x || 16.x || 18.x",
"patched": "^14.20.1 || ^16.17.1 || ^18.9.1",
"ref": "https://nodejs.org/en/blog/vulnerability/september-2022-security-releases/",
"overview": "The llhttp parser in the http module in Node.js v18.7.0 does not correctly handle header fields that are not terminated with CLRF. This may result in HTTP Request Smuggling.",
"affectedEnvironments": ["all"]
"affectedEnvironments": [
"all"
],
"severity": "medium"
}
9 changes: 7 additions & 2 deletions vuln/core/101.json
Original file line number Diff line number Diff line change
@@ -1,8 +1,13 @@
{
"cve": ["CVE-2022-35255"],
"cve": [
"CVE-2022-35255"
],
"vulnerable": "18.x",
"patched": "^18.9.1",
"ref": "https://nodejs.org/en/blog/vulnerability/september-2022-security-releases/",
"overview": "Node.js made calls to EntropySource() in SecretKeyGenTraits::DoKeyGen() in src/crypto/crypto_keygen.cc. However, it does not check the return value, it assumes EntropySource() always succeeds, but it can (and sometimes will) fail.",
"affectedEnvironments": ["all"]
"affectedEnvironments": [
"all"
],
"severity": "high"
}
9 changes: 7 additions & 2 deletions vuln/core/102.json
Original file line number Diff line number Diff line change
@@ -1,8 +1,13 @@
{
"cve": ["CVE-2022-43548"],
"cve": [
"CVE-2022-43548"
],
"vulnerable": "14.x || 16.x || 18.x || 19.x",
"patched": "^14.21.1 || ^16.18.1 || ^18.12.1 || ^19.0.1",
"ref": "https://nodejs.org/en/blog/vulnerability/november-2022-security-releases/",
"overview": "The Node.js rebinding protector for --inspect still allows invalid IP address, specifically, the octal format.",
"affectedEnvironments": ["all"]
"affectedEnvironments": [
"all"
],
"severity": "medium"
}
9 changes: 7 additions & 2 deletions vuln/core/103.json
Original file line number Diff line number Diff line change
@@ -1,8 +1,13 @@
{
"cve": ["CVE-2023-23918"],
"cve": [
"CVE-2023-23918"
],
"vulnerable": "14.x || 16.x || 18.x || 19.x",
"patched": "^14.21.3 || ^16.19.1 || ^18.14.1 || ^19.6.1",
"ref": "https://nodejs.org/en/blog/vulnerability/february-2023-security-releases/",
"overview": "It was possible to bypass Permissions and access non authorized modules by using process.mainModule.require(). This only affects users who had enabled the experimental permissions option with --experimental-policy.",
"affectedEnvironments": ["all"]
"affectedEnvironments": [
"all"
],
"severity": "high"
}
9 changes: 7 additions & 2 deletions vuln/core/104.json
Original file line number Diff line number Diff line change
@@ -1,8 +1,13 @@
{
"cve": ["CVE-2023-23919"],
"cve": [
"CVE-2023-23919"
],
"vulnerable": "14.x || 16.x || 18.x || 19.x",
"patched": "^14.21.3 || ^16.19.1 || ^18.14.1 || ^19.2.0",
"ref": "https://nodejs.org/en/blog/vulnerability/february-2023-security-releases/",
"overview": "In some cases Node.js did does not clear the OpenSSL error stack after operations that may set it. This may lead to false positive errors during subsequent cryptographic operations that happen to be on the same thread. This in turn could be used to cause a denial of service.",
"affectedEnvironments": ["all"]
"affectedEnvironments": [
"all"
],
"severity": "medium"
}
9 changes: 7 additions & 2 deletions vuln/core/105.json
Original file line number Diff line number Diff line change
@@ -1,8 +1,13 @@
{
"cve": ["CVE-2023-23936"],
"cve": [
"CVE-2023-23936"
],
"vulnerable": "14.x || 16.x || 18.x || 19.x",
"patched": "^14.21.3 || ^16.19.1 || ^18.14.1 || ^19.6.1",
"ref": "https://nodejs.org/en/blog/vulnerability/february-2023-security-releases/",
"overview": "The fetch API in Node.js did not prevent CRLF injection in the 'host' header potentially allowing attacks such as HTTP response splitting and HTTP header injection.",
"affectedEnvironments": ["all"]
"affectedEnvironments": [
"all"
],
"severity": "medium"
}
9 changes: 7 additions & 2 deletions vuln/core/106.json
Original file line number Diff line number Diff line change
@@ -1,8 +1,13 @@
{
"cve": ["CVE-2023-24807"],
"cve": [
"CVE-2023-24807"
],
"vulnerable": "14.x || 16.x || 18.x || 19.x",
"patched": "^14.21.3 || ^16.19.1 || ^18.14.1 || ^19.6.1",
"ref": "https://nodejs.org/en/blog/vulnerability/february-2023-security-releases/",
"overview": "The Headers.set() and Headers.append() methods in the fetch API in Node.js where vulnerable to Regular a Expression Denial of Service (ReDoS) attacks.",
"affectedEnvironments": ["all"]
"affectedEnvironments": [
"all"
],
"severity": "low"
}
9 changes: 7 additions & 2 deletions vuln/core/107.json
Original file line number Diff line number Diff line change
@@ -1,8 +1,13 @@
{
"cve": ["CVE-2023-23920"],
"cve": [
"CVE-2023-23920"
],
"vulnerable": "14.x || 16.x || 18.x || 19.x",
"patched": "^14.21.3 || ^16.19.1 || ^18.14.1 || ^19.6.1",
"ref": "https://nodejs.org/en/blog/vulnerability/february-2023-security-releases/",
"overview": "Node.js would search and potentially load ICU data when running with elevated priviledges. Node.js was modified to build with ICU_NO_USER_DATA_OVERRIDE to avoid this.",
"affectedEnvironments": ["all"]
"affectedEnvironments": [
"all"
],
"severity": "low"
}
9 changes: 7 additions & 2 deletions vuln/core/108.json
Original file line number Diff line number Diff line change
@@ -1,8 +1,13 @@
{
"cve": ["CVE-2023-30581"],
"cve": [
"CVE-2023-30581"
],
"vulnerable": "16.x || 18.x || 20.x",
"patched": "^16.20.1 || ^18.16.1 || ^20.3.1",
"ref": "https://nodejs.org/en/blog/vulnerability/june-2023-security-releases/",
"overview": "The use of proto in process.mainModule.proto.require() can bypass the policy mechanism and require modules outside of the policy.json definition",
"affectedEnvironments": ["all"]
"affectedEnvironments": [
"all"
],
"severity": "high"
}
9 changes: 7 additions & 2 deletions vuln/core/109.json
Original file line number Diff line number Diff line change
@@ -1,8 +1,13 @@
{
"cve": ["CVE-2023-30582"],
"cve": [
"CVE-2023-30582"
],
"vulnerable": "20.x",
"patched": "^20.3.1",
"ref": "https://nodejs.org/en/blog/vulnerability/june-2023-security-releases/",
"overview": "A vulnerability has been identified in Node.js version 20, affecting users of the experimental permission model when the --allow-fs-read flag is used with a non-* argument.",
"affectedEnvironments": ["all"]
"affectedEnvironments": [
"all"
],
"severity": "medium"
}
5 changes: 4 additions & 1 deletion vuln/core/11.json
Original file line number Diff line number Diff line change
Expand Up @@ -6,5 +6,8 @@
"author": "Jann Horn",
"description": "unauthorized clients can easily access inspector port",
"overview": "Generate a UUID for each execution of the inspector. This provides additional\nsecurity to prevent unauthorized clients from connecting to the Node.js process\nvia the v8_inspector port when running with `--inspect`. Since the debugging\nprotocol allows extensive access to the internals of a running process, and the\nexecution of arbitrary code, it is important to limit connections to authorized\ntools only.\n\n",
"affectedEnvironments": ["all"]
"affectedEnvironments": [
"all"
],
"severity": "medium"
}
9 changes: 7 additions & 2 deletions vuln/core/110.json
Original file line number Diff line number Diff line change
@@ -1,8 +1,13 @@
{
"cve": ["CVE-2023-30583"],
"cve": [
"CVE-2023-30583"
],
"vulnerable": "20.x",
"patched": "^20.3.1",
"ref": "https://nodejs.org/en/blog/vulnerability/june-2023-security-releases/",
"overview": "fs.openAsBlob() can bypass the experimental permission model when using the file system read restriction with the --allow-fs-read flag in Node.js 20",
"affectedEnvironments": ["all"]
"affectedEnvironments": [
"all"
],
"severity": "medium"
}
9 changes: 7 additions & 2 deletions vuln/core/111.json
Original file line number Diff line number Diff line change
@@ -1,8 +1,13 @@
{
"cve": ["CVE-2023-30584"],
"cve": [
"CVE-2023-30584"
],
"vulnerable": "20.x",
"patched": "^20.3.1",
"ref": "https://nodejs.org/en/blog/vulnerability/june-2023-security-releases/",
"overview": "A vulnerability has been discovered in Node.js version 20, specifically within the experimental permission model. This flaw relates to improper handling of path traversal bypass when verifying file permissions.",
"affectedEnvironments": ["all"]
"affectedEnvironments": [
"all"
],
"severity": "high"
}
9 changes: 7 additions & 2 deletions vuln/core/112.json
Original file line number Diff line number Diff line change
@@ -1,8 +1,13 @@
{
"cve": ["CVE-2023-30585"],
"cve": [
"CVE-2023-30585"
],
"vulnerable": "16.x || 18.x || 20.x",
"patched": "^16.20.1 || ^18.16.1 || ^20.3.1",
"ref": "https://nodejs.org/en/blog/vulnerability/june-2023-security-releases/",
"overview": "Privilege escalation via Malicious Registry Key manipulation during Node.js installer repair process",
"affectedEnvironments": ["win32"]
"affectedEnvironments": [
"win32"
],
"severity": "medium"
}
9 changes: 7 additions & 2 deletions vuln/core/113.json
Original file line number Diff line number Diff line change
@@ -1,8 +1,13 @@
{
"cve": ["CVE-2023-30586"],
"cve": [
"CVE-2023-30586"
],
"vulnerable": "20.x",
"patched": "^20.3.1",
"ref": "https://nodejs.org/en/blog/vulnerability/june-2023-security-releases/",
"overview": "Node.js 20 allows loading arbitrary OpenSSL engines when the experimental permission model is enabled, which can bypass and/or disable the permission model.",
"affectedEnvironments": ["all"]
"affectedEnvironments": [
"all"
],
"severity": "medium"
}
9 changes: 7 additions & 2 deletions vuln/core/114.json
Original file line number Diff line number Diff line change
@@ -1,8 +1,13 @@
{
"cve": ["CVE-2023-30587"],
"cve": [
"CVE-2023-30587"
],
"vulnerable": "20.x",
"patched": "^20.3.1",
"ref": "https://nodejs.org/en/blog/vulnerability/june-2023-security-releases/",
"overview": "A vulnerability in Node.js version 20 allows for bypassing restrictions set by the --experimental-permission flag using the built-in inspector module (node:inspector).",
"affectedEnvironments": ["all"]
"affectedEnvironments": [
"all"
],
"severity": "high"
}
9 changes: 7 additions & 2 deletions vuln/core/115.json
Original file line number Diff line number Diff line change
@@ -1,8 +1,13 @@
{
"cve": ["CVE-2023-30589"],
"cve": [
"CVE-2023-30589"
],
"vulnerable": "16.x || 18.x || 20.x",
"patched": "^16.20.1 || ^18.16.1 || ^20.3.1",
"ref": "https://nodejs.org/en/blog/vulnerability/june-2023-security-releases/",
"overview": "The llhttp parser in the http module in Node.js does not strictly use the CRLF sequence to delimit HTTP requests.",
"affectedEnvironments": ["all"]
"affectedEnvironments": [
"all"
],
"severity": "medium"
}
9 changes: 7 additions & 2 deletions vuln/core/116.json
Original file line number Diff line number Diff line change
@@ -1,8 +1,13 @@
{
"cve": ["CVE-2023-30588"],
"cve": [
"CVE-2023-30588"
],
"vulnerable": "16.x || 18.x || 20.x",
"patched": "^16.20.1 || ^18.16.1 || ^20.3.1",
"ref": "https://nodejs.org/en/blog/vulnerability/june-2023-security-releases/",
"overview": "When an invalid public key is used to create an x509 certificate using the crypto.X509Certificate() API a non-expect termination occurs.",
"affectedEnvironments": ["all"]
"affectedEnvironments": [
"all"
],
"severity": "medium"
}
9 changes: 7 additions & 2 deletions vuln/core/117.json
Original file line number Diff line number Diff line change
@@ -1,8 +1,13 @@
{
"cve": ["CVE-2023-30590"],
"cve": [
"CVE-2023-30590"
],
"vulnerable": "16.x || 18.x || 20.x",
"patched": "^16.20.1 || ^18.16.1 || ^20.3.1",
"ref": "https://nodejs.org/en/blog/vulnerability/june-2023-security-releases/",
"overview": "The generateKeys() API function returned from crypto.createDiffieHellman() only generates missing (or outdated) keys, that is, it only generates a private key if none has been set yet.",
"affectedEnvironments": ["all"]
"affectedEnvironments": [
"all"
],
"severity": "medium"
}
9 changes: 7 additions & 2 deletions vuln/core/118.json
Original file line number Diff line number Diff line change
@@ -1,8 +1,13 @@
{
"cve": ["CVE-2023-32002"],
"cve": [
"CVE-2023-32002"
],
"vulnerable": "16.x || 18.x || 20.x",
"patched": "^16.20.2 || ^18.17.1 || ^20.5.1",
"ref": "https://nodejs.org/en/blog/vulnerability/august-2023-security-releases/",
"overview": "The use of Module._load() can bypass the policy mechanism and require modules outside of the policy.json definition for a given module.",
"affectedEnvironments": ["all"]
"affectedEnvironments": [
"all"
],
"severity": "unknown"
}
9 changes: 7 additions & 2 deletions vuln/core/119.json
Original file line number Diff line number Diff line change
@@ -1,8 +1,13 @@
{
"cve": ["CVE-2023-32004"],
"cve": [
"CVE-2023-32004"
],
"vulnerable": "20.x",
"patched": "^20.5.1",
"ref": "https://nodejs.org/en/blog/vulnerability/august-2023-security-releases/",
"overview": "Improper handling of Buffers in file system APIs causing a traversal path to bypass when verifying file permissions.",
"affectedEnvironments": ["all"]
"affectedEnvironments": [
"all"
],
"severity": "unknown"
}
5 changes: 4 additions & 1 deletion vuln/core/12.json
Original file line number Diff line number Diff line change
Expand Up @@ -7,5 +7,8 @@
"patched": "^6.7.0 || ^4.6.0",
"description": "openssl 1.0.2h vulnerabilities",
"overview": "A malicious client can exhaust a server's memory, resulting in a denial of\nservice (DoS) by sending very large OCSP Status Request extensions in a single\nsession.\n\nThis flaw is labelled high severity due to the ease of use for a DoS attack and\nNode.js servers using TLS are vulnerable.\n\n",
"affectedEnvironments": ["all"]
"affectedEnvironments": [
"all"
],
"severity": "unknown"
}
9 changes: 7 additions & 2 deletions vuln/core/120.json
Original file line number Diff line number Diff line change
@@ -1,8 +1,13 @@
{
"cve": ["CVE-2023-32558"],
"cve": [
"CVE-2023-32558"
],
"vulnerable": "20.x",
"patched": "^20.5.1",
"ref": "https://nodejs.org/en/blog/vulnerability/august-2023-security-releases/",
"overview": "The use of the deprecated API process.binding() can bypass the permission model through path traversal.",
"affectedEnvironments": ["all"]
"affectedEnvironments": [
"all"
],
"severity": "unknown"
}
Loading
Loading