[Aqua] Fix 7 Vulnerabilities #4

Open

aqua-security-supply-chain[bot] wants to merge 1 commit into master from a049800c-8ede-4937-8b97-431b4e9ad4b0

Conversation

@aqua-security-supply-chain

Aqua - Automatic PR created to fix 7 vulnerabilities

Prior to merging this PR, it's crucial to verify that the updated dependencies won't pose any issues for your application.

File Path: package.json

| Severity | CVE ID | Package Name | Title |
|---|---|---|---|
| CRITICAL | CVE-2020-7699 | express-fileupload | Prototype Pollution in express-fileupload |
| CRITICAL | CVE-2017-1001002 | mathjs | Arbitrary Code Execution in mathjs |
| CRITICAL | CVE-2017-1001003 | mathjs | Arbitrary Code Execution in mathjs |
| CRITICAL | NSWG-ECO-311 | node-serialize | Code Execution through IIFE |
| HIGH | CVE-2020-7743 | mathjs | mathjs: prototype pollution via the deepExtend function that runs upon configuration updates |
| MEDIUM | CVE-2020-7689 | bcrypt | Integer Overflow or Wraparound and Use of a Broken or Risky Cryptographic Algorithm in bcrypt |
| LOW | GHSA-q3w9-g74q-vp5f | express-fileupload | Denial of Service in express-fileupload |

The following vulnerabilities were not fixed:

| CVE ID | Package Name | Path | Reason |
|---|---|---|---|
| CVE-2022-29078 | ejs | package.json | failed to find version 2.7.4 in file content |
| CVE-2024-21508 | mysql2 | package.json | failed to find version 1.7.0 in file content |
| CVE-2024-21511 | mysql2 | package.json | failed to find version 1.7.0 in file content |
| CVE-2023-22578 | sequelize | package.json | failed to find version 4.44.4 in file content |
| CVE-2023-22579 | sequelize | package.json | failed to find version 4.44.4 in file content |
| CVE-2023-25813 | sequelize | package.json | failed to find version 4.44.4 in file content |
| CVE-2024-21512 | mysql2 | package.json | failed to find version 1.7.0 in file content |
| CVE-2024-33883 | ejs | package.json | failed to find version 2.7.4 in file content |
| CVE-2024-21507 | mysql2 | package.json | failed to find version 1.7.0 in file content |
| CVE-2024-21509 | mysql2 | package.json | failed to find version 1.7.0 in file content |
| CVE-2022-25896 | passport | package.json | failed to find version 0.4.1 in file content |
| CVE-2023-22580 | sequelize | package.json | failed to find version 4.44.4 in file content |

Note: if a lock file is present in the repository, it should be updated to reflect the changes made to the dependencies file.
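The lock-file note at the end of the bot's comment is the part of this kind of PR that is most often skipped: the bot edits only package.json, so a committed package-lock.json keeps resolving the old versions and `npm ci` installs exactly those, leaving every CVE in the table above in place. The script below is an added example, not Aqua's tooling or this repository's code. It parses a package.json and a lockfileVersion 2/3 package-lock.json and reports each direct dependency whose locked version falls outside the declared range, or is missing from the lock altogether. The inline package.json and lock contents are constructed sample input using the package names from the PR table with illustrative version numbers, not this PR's actual diff; the range check covers only the exact, caret and tilde forms npm itself writes and ignores prerelease tags (assumptions stated in the code).

```javascript
// Added example (not Aqua's or this repository's code): after a dependency bump in
// package.json, check that package-lock.json resolves every direct dependency to a
// version inside the new range. A stale lock file means `npm ci` still installs the
// old, vulnerable version regardless of what package.json now says.
//
// Assumptions (not taken from the PR): lockfileVersion 2/3 layout with a top-level
// "packages" map keyed "node_modules/<name>", and ranges written the way npm writes
// them: exact "1.2.3", caret "^1.2.3" or tilde "~1.2.3". Prerelease tags are ignored.

// Parse "MAJOR.MINOR.PATCH" (anything after the patch number is dropped).
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(v));
  if (!m) throw new Error(`unsupported version: ${v}`);
  return m.slice(1, 4).map(Number);
}

function compare(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

// Minimal semver range check for exact, caret and tilde ranges, following npm's
// rules: ~ fixes major.minor; ^ fixes the left-most non-zero component.
function satisfies(version, range) {
  const v = parseVersion(version);
  const op = range[0] === '^' || range[0] === '~' ? range[0] : '';
  const base = parseVersion(range.slice(op.length));
  if (compare(v, base) < 0) return false;          // below the lower bound
  if (op === '') return compare(v, base) === 0;     // exact pin
  if (op === '~') return v[0] === base[0] && v[1] === base[1];
  if (base[0] !== 0) return v[0] === base[0];       // ^1.2.3 -> any 1.x.y >= 1.2.3
  if (base[1] !== 0) return v[0] === 0 && v[1] === base[1]; // ^0.2.1 -> 0.2.x
  return compare(v, base) === 0;                    // ^0.0.4 -> exactly 0.0.4
}

// Returns one record per direct dependency whose lock entry is missing or outside
// the declared range, i.e. evidence that the lock file was not regenerated.
function lockDrift(pkgJson, lockJson) {
  const pkg = JSON.parse(pkgJson);
  const lock = JSON.parse(lockJson);
  const declared = { ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) };
  const drift = [];
  for (const [name, range] of Object.entries(declared)) {
    const entry = lock.packages && lock.packages[`node_modules/${name}`];
    if (!entry) {
      drift.push({ name, range, locked: null, reason: 'missing from lock file' });
    } else if (!satisfies(entry.version, range)) {
      drift.push({ name, range, locked: entry.version, reason: 'locked version outside declared range' });
    }
  }
  return drift;
}

// Constructed sample input: package names from the PR table, version numbers are
// illustrative only and do not reproduce the PR's diff or any specific fix version.
const SAMPLE_PACKAGE_JSON = JSON.stringify({
  dependencies: {
    'express-fileupload': '^1.1.10',
    'mathjs': '^7.5.1',
    'node-serialize': '0.0.4',
    'bcrypt': '^5.0.0'
  }
});

const SAMPLE_LOCK_JSON = JSON.stringify({
  lockfileVersion: 2,
  packages: {
    'node_modules/express-fileupload': { version: '1.1.6' }, // stale: below the bumped range
    'node_modules/mathjs': { version: '7.5.1' },             // regenerated correctly
    'node_modules/node-serialize': { version: '0.0.4' }      // unchanged exact pin
    // bcrypt is absent: declared in package.json but the lock was never regenerated
  }
});

for (const d of lockDrift(SAMPLE_PACKAGE_JSON, SAMPLE_LOCK_JSON)) {
  console.log(`${d.name}: declared ${d.range}, locked ${d.locked ?? 'none'} (${d.reason})`);
}
```

Run it against the real files with `node` after replacing the constructed strings with `fs.readFileSync('package.json', 'utf8')` and the lock file; any record it prints means `npm install` (not `npm ci`) still has to be run and the regenerated lock committed before the PR actually removes the listed versions from the install. For ranges beyond the three forms handled here (`>=`, `||`, `x`-ranges), use the `semver` package's `satisfies` instead of the hand-rolled check.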
