Description
📂 Vulnerable Library - helmet-2.3.0.tgz
help secure Express/Connect apps with various HTTP headers
Path to dependency file: /package.json
Findings
| Finding | Severity | 🎯 CVSS | Exploit Maturity | EPSS | Library | Type | Fixed in | Remediation Available | Reachability |
|---|---|---|---|---|---|---|---|---|---|
| CVE-238984-357813 | 🟣 Critical | 9.8 | N/A | N/A | debug-2.2.0.tgz | Transitive | N/A | ❌ | |
| CVE-768328-330953 | 🟣 Critical | 9.8 | N/A | N/A | ms-0.7.1.tgz | Transitive | N/A | ❌ | |
| CVE-984631-293917 | 🟣 Critical | 9.8 | N/A | N/A | utils-merge-1.0.0.tgz | Transitive | N/A | ❌ | |
| WS-2019-0289 | 🟠 Medium | 6.1 | N/A | N/A | helmet-csp-1.2.2.tgz | Transitive | N/A | ❌ | |
| CVE-2017-20162 | 🟠 Medium | 4.3 | Not Defined | < 1% | ms-0.7.1.tgz | Transitive | N/A | ❌ | |
| CVE-2017-20165 | 🟡 Low | 3.5 | Not Defined | 1.6% | debug-2.2.0.tgz | Transitive | N/A | ❌ | |
Details
🟣 CVE-238984-357813
Vulnerable Library - debug-2.2.0.tgz
small debugging utility
Library home page: https://registry.npmjs.org/debug/-/debug-2.2.0.tgz
Path to dependency file: /package.json
Dependency Hierarchy:
- helmet-2.3.0.tgz (Root Library)
  - connect-3.4.1.tgz
    - ❌ debug-2.2.0.tgz (Vulnerable Library)
Vulnerability Details
Created automatically by the test suite
Publish Date: Jun 07, 2010 05:12 PM
URL: CVE-238984-357813
Threat Assessment
Exploit Maturity: N/A
EPSS: N/A
Score: 9.8
Suggested Fix
Type: Upgrade version
Origin:
Release Date:
Fix Resolution:
🟣 CVE-768328-330953
Vulnerable Library - ms-0.7.1.tgz
Tiny ms conversion utility
Library home page: https://registry.npmjs.org/ms/-/ms-0.7.1.tgz
Path to dependency file: /package.json
Dependency Hierarchy:
- helmet-2.3.0.tgz (Root Library)
  - connect-3.4.1.tgz
    - debug-2.2.0.tgz
      - ❌ ms-0.7.1.tgz (Vulnerable Library)
Vulnerability Details
Created automatically by the test suite
Publish Date: Jun 07, 2010 05:12 PM
URL: CVE-768328-330953
Threat Assessment
Exploit Maturity: N/A
EPSS: N/A
Score: 9.8
Suggested Fix
Type: Upgrade version
Origin:
Release Date:
Fix Resolution:
🟣 CVE-984631-293917
Vulnerable Library - utils-merge-1.0.0.tgz
merge() utility function
Library home page: https://registry.npmjs.org/utils-merge/-/utils-merge-1.0.0.tgz
Path to dependency file: /package.json
Dependency Hierarchy:
- helmet-2.3.0.tgz (Root Library)
  - connect-3.4.1.tgz
    - ❌ utils-merge-1.0.0.tgz (Vulnerable Library)
Vulnerability Details
Created automatically by the test suite
Publish Date: Jun 07, 2010 05:12 PM
URL: CVE-984631-293917
Threat Assessment
Exploit Maturity: N/A
EPSS: N/A
Score: 9.8
Suggested Fix
Type: Upgrade version
Origin:
Release Date:
Fix Resolution:
🟠 WS-2019-0289
Vulnerable Library - helmet-csp-1.2.2.tgz
Content Security Policy middleware.
Library home page: https://registry.npmjs.org/helmet-csp/-/helmet-csp-1.2.2.tgz
Path to dependency file: /package.json
Dependency Hierarchy:
- helmet-2.3.0.tgz (Root Library)
  - ❌ helmet-csp-1.2.2.tgz (Vulnerable Library)
Vulnerability Details
helmet-csp before 2.9.1 is vulnerable to a configuration override affecting the application's Content Security Policy (CSP). The package's browser sniffing for Firefox deletes the default-src CSP directive, which is the fallback for every fetch directive that is not set explicitly. This allows an attacker to remove an application's default CSP, possibly leaving the application exposed to Cross-Site Scripting.
Publish Date: Nov 18, 2019 03:14 AM
URL: WS-2019-0289
Threat Assessment
Exploit Maturity: N/A
EPSS: N/A
Score: 6.1
Suggested Fix
Type: Upgrade version
Origin: https://www.npmjs.com/advisories/1176
Release Date: Nov 18, 2019 03:14 AM
Fix Resolution: 2.9.1
🟠 CVE-2017-20162
Vulnerable Library - ms-0.7.1.tgz
Tiny ms conversion utility
Library home page: https://registry.npmjs.org/ms/-/ms-0.7.1.tgz
Path to dependency file: /package.json
Dependency Hierarchy:
- helmet-2.3.0.tgz (Root Library)
  - connect-3.4.1.tgz
    - debug-2.2.0.tgz
      - ❌ ms-0.7.1.tgz (Vulnerable Library)
Vulnerability Details
A vulnerability classified as problematic has been found in vercel ms up to 1.x. It affects the function parse in the file index.js: manipulation of the argument str leads to inefficient regular expression complexity (ReDoS). The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 2.0.0 addresses this issue; the patch is commit caae2988ba2a37765d055c4eee63d383320ee662. It is recommended to upgrade the affected component. The associated identifier of this vulnerability is VDB-217451.
Publish Date: Jan 05, 2023 11:49 AM
URL: CVE-2017-20162
Threat Assessment
Exploit Maturity: Not Defined
EPSS: < 1%
Score: 4.3
Suggested Fix
Type: Upgrade version
Origin:
Release Date:
Fix Resolution:
🟡 CVE-2017-20165
Vulnerable Library - debug-2.2.0.tgz
small debugging utility
Library home page: https://registry.npmjs.org/debug/-/debug-2.2.0.tgz
Path to dependency file: /package.json
Dependency Hierarchy:
- helmet-2.3.0.tgz (Root Library)
  - connect-3.4.1.tgz
    - ❌ debug-2.2.0.tgz (Vulnerable Library)
Vulnerability Details
A vulnerability classified as problematic has been found in debug-js debug up to 3.0.x. It affects the function useColors in the file src/node.js: manipulation of the argument str leads to inefficient regular expression complexity (ReDoS). Upgrading to version 3.1.0 addresses this issue; the patch is commit c38a0166c266a679c8de012d4eaccec3f944e685. It is recommended to upgrade the affected component. The identifier VDB-217665 was assigned to this vulnerability.
Publish Date: Jan 09, 2023 09:33 AM
URL: CVE-2017-20165
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 1.6%
Score: 3.5
Suggested Fix
Type: Upgrade version
Origin: GHSA-9vvw-cc9w-f27h
Release Date: Jan 09, 2023 09:33 AM
Fix Resolution: debug - 2.6.9, debug - 3.1.0