Bulk vulnerability fix - Lockfile fix

[debricked]

Bulk vulnerability fix - Lockfile fix

This pull request will update your transitive dependencies within the allowed version intervals provided by your direct dependencies.

Fixed vulnerabilities:

CVE–2021–23343

• Description

  NVD

  All versions of package path-parse are vulnerable to Regular Expression Denial of Service (ReDoS) via splitDeviceRe, splitTailRe, and splitPathRe regular expressions. ReDoS exhibits polynomial worst-case time complexity.

• CVSS details - 7.5

   

  CVSS3 metrics
  Attack Vector	Network
  Attack Complexity	Low
  Privileges Required	None
  User interaction	None
  Scope	Unchanged
  Confidentiality	None
  Integrity	None
  Availability	High

• References

      ReDoS in path-parse · Issue #8 · jbgutierrez/path-parse · GitHub
      Pony Mail!
      fixed regexes to avoid ReDoS attacks by jeffrey-pinyan-ithreat · Pull Request #10 · jbgutierrez/path-parse · GitHub

debricked–149688

• Description

  GitHub

  Regular Expression Denial of Service in braces

  Versions of braces prior to 2.3.1 are vulnerable to Regular Expression Denial of Service (ReDoS). Untrusted input may cause catastrophic backtracking while matching regular expressions. This can cause the application to be unresponsive leading to Denial of Service.

  Recommendation

  Upgrade to version 2.3.1 or higher.

• CVSS details

      No information

• References

      Regular Expression Denial of Service in braces · GHSA-g95f-p29q-9xw4 · GitHub Advisory Database · GitHub
      optimize regex · micromatch/braces@abdafb0 · GitHub

CVE–2017–16028

• Description

  Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)

  The product uses a Pseudo-Random Number Generator (PRNG) in a security context, but the PRNG's algorithm is not cryptographically strong.

  GitHub

  Cryptographically Weak PRNG in randomatic

  Affected versions of randomatic generate random values using a cryptographically weak psuedo-random number generator. This may result in predictable values instead of random values as intended.

  Recommendation

  Update to version 3.0.0 or later.

  NVD

  react-native-meteor-oauth is a library for Oauth2 login to a Meteor server in React Native. The oauth Random Token is generated using a non-cryptographically strong RNG (Math.random()).

• CVSS details - 5.3

   

  CVSS3 metrics
  Attack Vector	Network
  Attack Complexity	Low
  Privileges Required	None
  User interaction	None
  Scope	Unchanged
  Confidentiality	Low
  Integrity	None
  Availability	None

• References

      nodesecurity.io -&nbspnodesecurity Resources and Information.
      react-native-meteor-oauth/meteor-oauth.js at a7eb738b74c469f5db20296b44b7cae4e2337435 · tableflip/react-native-meteor-oauth · GitHub
      use cryptographically secure random function · jonschlinkert/randomatic@4a52695 · GitHub
      NVD - CVE-2017-16028
      Cryptographically Weak PRNG in randomatic · CVE-2017-16028 · GitHub Advisory Database · GitHub

CVE–2018–16492

• Description

  Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

  The software constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.

  GitHub

  Prototype Pollution in extend

  Versions of extend prior to 3.0.2 (for 3.x) and 2.0.2 (for 2.x) are vulnerable to Prototype Pollution. The extend() function allows attackers to modify the prototype of Object causing the addition or modification of an existing property that will exist on all objects.

  Recommendation

  If you're using extend 3.x upgrade to 3.0.2 or later.
  If you're using extend 2.x upgrade to 2.0.2 or later.

  NVD

  A prototype pollution vulnerability was found in module extend <2.0.2, ~<3.0.2 that allows an attacker to inject arbitrary properties onto Object.prototype.

• CVSS details - 9.8

   

  CVSS3 metrics
  Attack Vector	Network
  Attack Complexity	Low
  Privileges Required	None
  User interaction	None
  Scope	Unchanged
  Confidentiality	High
  Integrity	High
  Availability	High

• References

      HackerOne
      Prototype Pollution in extend · CVE-2018-16492 · GitHub Advisory Database · GitHub
      NVD - CVE-2018-16492

CVE–2017–15010

• Description

  Uncontrolled Resource Consumption

  The software does not properly control the allocation and maintenance of a limited resource thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources.

  GitHub

  Regular Expression Denial of Service in tough-cookie

  Affected versions of tough-cookie are susceptible to a regular expression denial of service.

  The amplification on this vulnerability is relatively low - it takes around 2 seconds for the engine to execute on a malicious input which is 50,000 characters in length.

  If node was compiled using the -DHTTP_MAX_HEADER_SIZE however, the impact of the vulnerability can be significant, as the primary limitation for the vulnerability is the default max HTTP header length in node.

  Recommendation

  Update to version 2.3.3 or later.

  NVD

  A ReDoS (regular expression denial of service) flaw was found in the tough-cookie module before 2.3.3 for Node.js. An attacker that is able to make an HTTP request using a specially crafted cookie may cause the application to consume an excessive amount of CPU.

• CVSS details - 7.5

   

  CVSS3 metrics
  Attack Vector	Network
  Attack Complexity	Low
  Privileges Required	None
  User interaction	None
  Scope	Unchanged
  Confidentiality	None
  Integrity	None
  Availability	High

• References

      Node.js 'tough-cookie' Module CVE-2017-15010 Denial of Service Vulnerability
      Red Hat Customer Portal - Access to 24x7 support and knowledge
      Red Hat Customer Portal - Access to 24x7 support and knowledge
      Red Hat Customer Portal - Access to 24x7 support and knowledge
      Red Hat Customer Portal - Access to 24x7 support and knowledge
      nodesecurity.io -&nbspnodesecurity Resources and Information.
      Vulnerable Regular Expression · Issue #92 · salesforce/tough-cookie · GitHub
      [SECURITY] Fedora 30 Update: nodejs-tough-cookie-2.3.4-1.fc30 - package-announce - Fedora Mailing-Lists
      Regular Expression Denial of Service in tough-cookie · CVE-2017-15010 · GitHub Advisory Database · GitHub
      NVD - CVE-2017-15010

CVE–2019–13173

• Description

  Improper Link Resolution Before File Access ('Link Following')

  The software attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource.

  GitHub

  Arbitrary File Overwrite in fstream

  Versions of fstream prior to 1.0.12 are vulnerable to Arbitrary File Overwrite. Extracting tarballs containing a hardlink to a file that already exists in the system and a file that matches the hardlink will overwrite the system's file with the contents of the extracted file. The fstream.DirWriter() function is vulnerable.

  Recommendation

  Upgrade to version 1.0.12 or later.

  NVD

  fstream before 1.0.12 is vulnerable to Arbitrary File Overwrite. Extracting tarballs containing a hardlink to a file that already exists in the system, and a file that matches the hardlink, will overwrite the system's file with the contents of the extracted file. The fstream.DirWriter() function is vulnerable.

• CVSS details - 7.5

   

  CVSS3 metrics
  Attack Vector	Network
  Attack Complexity	Low
  Privileges Required	None
  User interaction	None
  Scope	Unchanged
  Confidentiality	None
  Integrity	High
  Availability	None

• References

      Clobber a Link if it's in the way of a File · npm/fstream@6a77d2f · GitHub
      npm
      [security-announce] openSUSE-SU-2019:1846-1: important: Security update for nodejs10 - openSUSE Security Announce - openSUSE Mailing Lists
      [security-announce] openSUSE-SU-2019:1907-1: important: Security update for nodejs8 - openSUSE Security Announce - openSUSE Mailing Lists
      USN-4123-1: npm/fstream vulnerability | Ubuntu security notices | Ubuntu
      NVD - CVE-2019-13173
      Arbitrary File Overwrite in fstream · CVE-2019-13173 · GitHub Advisory Database · GitHub

CVE–2020–7733

• Description

  Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')

  The software constructs all or part of an expression language (EL) statement in a Java Server Page (JSP) using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended EL statement before it is executed.

  GitHub

  Regular Expression Denial of Service in ua-parser-js

  The package ua-parser-js before 0.7.22 are vulnerable to Regular Expression Denial of Service (ReDoS) via the regex for Redmi Phones and Mi Pad Tablets UA.

  NVD

  The package ua-parser-js before 0.7.22 are vulnerable to Regular Expression Denial of Service (ReDoS) via the regex for Redmi Phones and Mi Pad Tablets UA.

• CVSS details - 7.5

   

  CVSS3 metrics
  Attack Vector	Network
  Attack Complexity	Low
  Privileges Required	None
  User interaction	None
  Scope	Unchanged
  Confidentiality	None
  Integrity	None
  Availability	High

• References

      Fix potential ReDoS vulnerability · faisalman/ua-parser-js@233d3ba · GitHub
      NVD - CVE-2020-7733
      GitHub - faisalman/ua-parser-js: UAParser.js - Detect Browser, Engine, OS, CPU, and Device type/model from User-Agent data. Supports browser & node.js environment.
      Regular Expression Denial of Service in ua-parser-js · CVE-2020-7733 · GitHub Advisory Database · GitHub
      GitHub - faisalman/ua-parser-js: UAParser.js - Detect Browser, Engine, OS, CPU, and Device type/model from User-Agent data. Supports browser & node.js environment.

CVE–2020–7793

• Description

  Uncontrolled Resource Consumption

  The software does not properly control the allocation and maintenance of a limited resource thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources.

  NVD

  The package ua-parser-js before 0.7.23 are vulnerable to Regular Expression Denial of Service (ReDoS) in multiple regexes (see linked commit for more info).

• CVSS details - 7.5

   

  CVSS3 metrics
  Attack Vector	Network
  Attack Complexity	Low
  Privileges Required	None
  User interaction	None
  Scope	Unchanged
  Confidentiality	None
  Integrity	None
  Availability	High

• References

      Fix ReDoS vulnerabilities reported by Snyk · faisalman/ua-parser-js@6d1f26d · GitHub
      GitHub - faisalman/ua-parser-js: UAParser.js - Detect Browser, Engine, OS, CPU, and Device type/model from User-Agent data. Supports browser & node.js environment.
      GitHub - faisalman/ua-parser-js: UAParser.js - Detect Browser, Engine, OS, CPU, and Device type/model from User-Agent data. Supports browser & node.js environment.

CVE–2021–27292

• Description

  GitHub

  Regular Expression Denial of Service (ReDoS) in ua-parser-js

  ua-parser-js >= 0.7.14, fixed in 0.7.24, uses a regular expression which is vulnerable to denial of service. If an attacker sends a malicious User-Agent header, ua-parser-js will get stuck processing it for an extended period of time.

  NVD

  ua-parser-js >= 0.7.14, fixed in 0.7.24, uses a regular expression which is vulnerable to denial of service. If an attacker sends a malicious User-Agent header, ua-parser-js will get stuck processing it for an extended period of time.

• CVSS details - 7.5

   

  CVSS3 metrics
  Attack Vector	Network
  Attack Complexity	Low
  Privileges Required	None
  User interaction	None
  Scope	Unchanged
  Confidentiality	None
  Integrity	None
  Availability	High

• References

      cve-2021-27292 · GitHub
      Fix several exponential/cubic complexity regexes found by Ben Caller/… · pygments/pygments@2e7e8c4 · GitHub
      Fix potential ReDoS vulnerability as reported by Doyensec · faisalman/ua-parser-js@809439e · GitHub
      Regular Expression Denial of Service (ReDoS) in ua-parser-js · CVE-2021-27292 · GitHub Advisory Database · GitHub
      NVD - CVE-2021-27292

CVE–2017–16099

• Description

  Uncontrolled Resource Consumption

  The software does not properly control the allocation and maintenance of a limited resource thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources.

  GitHub

  Regular Expression Denial of Service in no-case

  Affected versions of no-case are vulnerable to a regular expression denial of service when parsing untrusted user input.

  Recommendation

  Update to version 2.3.2 or later.

  NVD

  The no-case module is vulnerable to regular expression denial of service. When malicious untrusted user input is passed into no-case it can block the event loop causing a denial of service condition.

• CVSS details - 7.5

   

  CVSS3 metrics
  Attack Vector	Network
  Attack Complexity	Low
  Privileges Required	None
  User interaction	None
  Scope	Unchanged
  Confidentiality	None
  Integrity	None
  Availability	High

• References

      nodesecurity.io -&nbspnodesecurity Resources and Information.
      THIRD PARTY
      Regular Expression Denial of Service in no-case · CVE-2017-16099 · GitHub Advisory Database · GitHub
      NVD - CVE-2017-16099

CVE–2021–23369

• Description

  GitHub

  Remote code execution in handlebars when compiling templates

  The package handlebars before 4.7.7 are vulnerable to Remote Code Execution (RCE) when selecting certain compiling options to compile templates coming from an untrusted source.

  NVD

  The package handlebars before 4.7.7 are vulnerable to Remote Code Execution (RCE) when selecting certain compiling options to compile templates coming from an untrusted source.

• CVSS details - 9.8

   

  CVSS3 metrics
  Attack Vector	Network
  Attack Complexity	Low
  Privileges Required	None
  User interaction	None
  Scope	Unchanged
  Confidentiality	High
  Integrity	High
  Availability	High

• References

      CVE-2021-23369 Node.js Vulnerability in NetApp Products | NetApp Product Security
      fix: check prototype property access in strict-mode (#1736) · handlebars-lang/handlebars.js@b6d3de7 · GitHub
      fix: escape property names in compat mode (#1736) · handlebars-lang/handlebars.js@f058970 · GitHub
      NVD - CVE-2021-23369
      Remote code execution in handlebars when compiling templates · CVE-2021-23369 · GitHub Advisory Database · GitHub

CVE–2021–23383

• Description

  NVD

  The package handlebars before 4.7.7 are vulnerable to Prototype Pollution when selecting certain compiling options to compile templates coming from an untrusted source.

• CVSS details - 9.8

   

  CVSS3 metrics
  Attack Vector	Network
  Attack Complexity	Low
  Privileges Required	None
  User interaction	None
  Scope	Unchanged
  Confidentiality	High
  Integrity	High
  Availability	High

• References

      fix: escape property names in compat mode (#1736) · handlebars-lang/handlebars.js@f058970 · GitHub
      CVE-2021-23383 Node.js Vulnerability in NetApp Products | NetApp Product Security

debricked–160898

• Description

  GitHub

  Regular Expression Denial of Service

  A Regular Expression vulnerability was found in nwmatcher before 1.4.4. The fix replacing multiple repeated instances of the "\s*" pattern.

• CVSS details

      No information

• References

      Regular Expression Denial of Service · GHSA-6394-6h9h-cfjg · GitHub Advisory Database · GitHub
      changed instances of \s* with \s? in regular expressions to reduce th… · dperini/nwmatcher@9dcc2b0 · GitHub

CVE–2018–3737

• Description

  Incorrect Regular Expression

  The software specifies a regular expression in a way that causes data to be improperly matched or compared.

  GitHub

  Regular Expression Denial of Service in sshpk

  Versions of sshpk before 1.13.2 or 1.14.1 are vulnerable to regular expression denial of service when parsing crafted invalid public keys.

  Recommendation

  Update to version 1.13.2, 1.14.1 or later.

  NVD

  sshpk is vulnerable to ReDoS when parsing crafted invalid public keys.

• CVSS details - 7.5

   

  CVSS3 metrics
  Attack Vector	Network
  Attack Complexity	Low
  Privileges Required	None
  User interaction	None
  Scope	Unchanged
  Confidentiality	None
  Integrity	None
  Availability	High

• References

      HackerOne
      Regular Expression Denial of Service in sshpk · CVE-2018-3737 · GitHub Advisory Database · GitHub
      NVD - CVE-2018-3737

CVE–2018–16469

• Description

  Improper Input Validation

  The product does not validate or incorrectly validates input that can affect the control flow or data flow of a program.

  GitHub

  Prototype Pollution in merge

  Versions of merge before 1.2.1 are vulnerable to prototype pollution. The merge.recursive function can be tricked into adding or modifying properties of the Object prototype.

  Recommendation

  Update to version 1.2.1 or later.

  NVD

  The merge.recursive function in the merge package <1.2.1 can be tricked into adding or modifying properties of the Object prototype. These properties will be present on all objects allowing for a denial of service attack.

• CVSS details - 7.5

   

  CVSS3 metrics
  Attack Vector	Network
  Attack Complexity	Low
  Privileges Required	None
  User interaction	None
  Scope	Unchanged
  Confidentiality	None
  Integrity	None
  Availability	High

• References

      HackerOne
      Prototype Pollution in merge · CVE-2018-16469 · GitHub Advisory Database · GitHub
      NVD - CVE-2018-16469

CVE–2018–6342

• Description

  Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

  The software constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

  GitHub

  Remote Code Execution in react-dev-utils

  react-dev-utils on Windows is vulnerable to remote code execution.

  Recommendation

  Update to one of the follow versions, depending on the release line that you are using.

  • 1.0.4
  • 2.0.2
  • 3.1.2
  • 4.2.2
  • 5.0.2
  • 6.0.0-next.a671462c

  NVD

  react-dev-utils on Windows allows developers to run a local webserver for accepting various commands, including a command to launch an editor. The input to that command was not properly sanitized, allowing an attacker who can make a network request to the server (either via CSRF or by direct request) to execute arbitrary commands on the targeted system. This issue affects multiple branches: 1.x.x prior to 1.0.4, 2.x.x prior to 2.0.2, 3.x.x prior to 3.1.2, 4.x.x prior to 4.2.2, and 5.x.x prior to 5.0.2.

• CVSS details - 9.8

   

  CVSS3 metrics
  Attack Vector	Network
  Attack Complexity	Low
  Privileges Required	None
  User interaction	None
  Scope	Unchanged
  Confidentiality	High
  Integrity	High
  Availability	High

• References

      Use file name whitelist to prevent RCE by acdlite · Pull Request #4866 · facebook/create-react-app · GitHub
      Release v1.1.5 · facebook/create-react-app · GitHub
      Remote Code Execution in react-dev-utils · CVE-2018-6342 · GitHub Advisory Database · GitHub
      NVD - CVE-2018-6342

CVE–2018–3774

• Description

  URL Redirection to Untrusted Site ('Open Redirect')

  A web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a Redirect. This simplifies phishing attacks.

  GitHub

  Open Redirect in url-parse

  Versions of url-parse before 1.4.3 returns the wrong hostname which could lead to Open Redirect, Server Side Request Forgery (SSRF), or Bypass Authentication Protocol vulnerabilities.

  Recommendation

  Update to version 1.4.3 or later.

  NVD

  Incorrect parsing in url-parse <1.4.3 returns wrong hostname which leads to multiple vulnerabilities such as SSRF, Open Redirect, Bypass Authentication Protocol.

• CVSS details - 10

   

  CVSS3 metrics
  Attack Vector	Network
  Attack Complexity	Low
  Privileges Required	None
  User interaction	None
  Scope	Changed
  Confidentiality	High
  Integrity	High
  Availability	High

• References

      [security] Sanitize paths, hosts before parsing. · unshiftio/url-parse@53b1794 · GitHub
      [security] Added missing SECURITY.md · unshiftio/url-parse@d7b582e · GitHub
      HackerOne
      NVD - CVE-2018-3774
      Open Redirect in url-parse · CVE-2018-3774 · GitHub Advisory Database · GitHub

CVE–2020–8124

• Description

  Improper Input Validation

  The product does not validate or incorrectly validates input that can affect the control flow or data flow of a program.

  NVD

  Insufficient validation and sanitization of user input exists in url-parse npm package version 1.4.4 and earlier may allow attacker to bypass security checks.

• CVSS details - 5.3

   

  CVSS3 metrics
  Attack Vector	Network
  Attack Complexity	Low
  Privileges Required	None
  User interaction	None
  Scope	Unchanged
  Confidentiality	None
  Integrity	Low
  Availability	None

• References

      NVD - CVE-2020-8124
      HackerOne

CVE–2021–27515

• Description

  GitHub

  Path traversal in url-parse

  url-parse before 1.5.0 mishandles certain uses of backslash such as http:/ and interprets the URI as a relative path.

  NVD

  url-parse before 1.5.0 mishandles certain uses of backslash such as http:/ and interprets the URI as a relative path.

• CVSS details - 5.3

   

  CVSS3 metrics
  Attack Vector	Network
  Attack Complexity	Low
  Privileges Required	None
  User interaction	None
  Scope	Unchanged
  Confidentiality	None
  Integrity	Low
  Availability	None

• References

      [security] More backslash fixes (#197) · unshiftio/url-parse@d1e7e88 · GitHub
      Comparing 1.4.7...1.5.0 · unshiftio/url-parse · GitHub
      [security] More backslash fixes by 3rd-Eden · Pull Request #197 · unshiftio/url-parse · GitHub
      MISC
      NVD - CVE-2021-27515
      Path traversal in url-parse · CVE-2021-27515 · GitHub Advisory Database · GitHub

debricked–160897

• Description

  GitHub

  Prototype Pollution

  A vulnerability was found in querystringify before 2.0.0. It's possible to override built-in properties of the resulting query string object if a malicious string is inserted in the query string.

• CVSS details

      No information

• References

      Prototype Pollution · GHSA-hxcm-v35h-mg2x · GitHub Advisory Database · GitHub
      [security] Prevent overriding of build-in properties by default by 3rd-Eden · Pull Request #19 · unshiftio/querystringify · GitHub

CVE–2020–7662

• Description

  GitHub

  Regular Expression Denial of Service in websocket-extensions (NPM package)

  Impact

  The ReDoS flaw allows an attacker to exhaust the server's capacity to process
  incoming requests by sending a WebSocket handshake request containing a header
  of the following form:

   Sec-WebSocket-Extensions: a; b="\c\c\c\c\c\c\c\c\c\c ...
  

  That is, a header containing an unclosed string parameter value whose content is
  a repeating two-byte sequence of a backslash and some other character. The
  parser takes exponential time to reject this header as invalid, and this will
  block the processing of any other work on the same thread. Thus if you are
  running a single-threaded server, such a request can render your service
  completely unavailable.

  Patches

  Users should upgrade to version 0.1.4.

  Workarounds

  There are no known work-arounds other than disabling any public-facing
  WebSocket functionality you are operating.

  References

  • https://blog.jcoglan.com/2020/06/02/redos-vulnerability-in-websocket-extensions/

  NVD

  websocket-extensions npm module prior to 0.1.4 allows Denial of Service (DoS) via Regex Backtracking. The extension parser may take quadratic time when parsing a header containing an unclosed string parameter value whose content is a repeating two-byte sequence of a backslash and some other character. This could be abused by an attacker to conduct Regex Denial Of Service (ReDoS) on a single-threaded server by providing a malicious payload with the Sec-WebSocket-Extensions header.

• CVSS details - 7.5

   

  CVSS3 metrics
  Attack Vector	Network
  Attack Complexity	Low
  Privileges Required	None
  User interaction	None
  Scope	Unchanged
  Confidentiality	None
  Integrity	None
  Availability	High

• References

      ReDoS vulnerability in websocket-extensions – The If Works
      Remove ReDoS vulnerability in the Sec-WebSocket-Extensions header parser · faye/websocket-extensions-node@29496f6 · GitHub
      ReDoS vulnerability in Sec-WebSocket-Extensions parser · Advisory · faye/websocket-extensions-node · GitHub
      Regular Expression Denial of Service in websocket-extensions (NPM package) · CVE-2020-7662 · GitHub Advisory Database · GitHub
      NVD - CVE-2020-7662
      Remove ReDoS vulnerability in the Sec-WebSocket-Extensions header parser · faye/websocket-extensions-ruby@aa156a4 · GitHub

CVE–2020–26291

• Description

  Improper Input Validation

  The product does not validate or incorrectly validates input that can affect the control flow or data flow of a program.

  GitHub

  Hostname spoofing via backslashes in URL

  Impact

  If using affected versions to determine a URL's hostname, the hostname can be spoofed by using a backslash (\) character followed by an at (@) character. If the hostname is used in security decisions, the decision may be incorrect.

  Depending on library usage and attacker intent, impacts may include allow/block list bypasses, SSRF attacks, open redirects, or other undesired behavior.

  Example URL: https://expected-example.com\@observed-example.com
  Escaped string: https://expected-example.com\\@observed-example.com (JavaScript strings must escape backslash)

  Affected versions incorrectly return observed-example.com. Patched versions correctly return expected-example.com. Patched versions match the behavior of other parsers which implement the WHATWG URL specification, including web browsers and Node's built-in URL class.

  Patches

  Version 1.19.4 is patched against all known payload variants. Version 1.19.3 has a partial patch but is still vulnerable to a payload variant.

  References

  https://github.com/medialize/URI.js/releases/tag/v1.19.4 (complete fix for this bypass)
  https://github.com/medialize/URI.js/releases/tag/v1.19.3 (partial fix for this bypass)
  PR #233 (initial fix for backslash handling)

  For more information

  If you have any questions or comments about this advisory, open an issue in https://github.com/medialize/URI.js

  Reporter credit

  Alesandro Ortiz

  NVD

  URI.js is a javascript URL mutation library (npm package urijs). In URI.js before version 1.19.4, the hostname can be spoofed by using a backslash (\) character followed by an at (@) character. If the hostname is used in security decisions, the decision may be incorrect. Depending on library usage and attacker intent, impacts may include allow/block list bypasses, SSRF attacks, open redirects, or other undesired behavior. For example the URL https://expected-example.com\@observed-example.com will incorrectly return observed-example.com if using an affected version. Patched versions correctly return expected-example.com. Patched versions match the behavior of other parsers which implement the WHATWG URL specification, including web browsers and Node's built-in URL class. Version 1.19.4 is patched against all known payload variants. Version 1.19.3 has a partial patch but is still vulnerable to a payload variant.]

• CVSS details - 6.5

   

  CVSS3 metrics
  Attack Vector	Network
  Attack Complexity	Low
  Privileges Required	Low
  User interaction	None
  Scope	Unchanged
  Confidentiality	None
  Integrity	High
  Availability	None

• References

      fix(parse): treat backslash as forwardslash in authority (#403) · medialize/URI.js@b02bf03 · GitHub
      Release 1.19.4 (December 23rd 2020) · medialize/URI.js · GitHub
      Hostname spoofing via backslashes in URL · Advisory · medialize/URI.js · GitHub
      urijs - npm
      NVD - CVE-2020-26291
      Hostname spoofing via backslashes in URL · CVE-2020-26291 · GitHub Advisory Database · GitHub
      GitHub - garycourt/uri-js: An RFC 3986 compliant, scheme extendable URI parsing/validating/normalizing/resolving library for JavaScript
      GitHub - ericf/urljs: [DEPRECATED] An API for working with URLs in JavaScript

CVE–2021–27516

• Description

  GitHub

  Hostname spoofing via backslashes in URL

  Impact

  If using affected versions to determine a URL's hostname, the hostname can be spoofed by using a backslash (\) character as part of the scheme delimiter, e.g. scheme:/\hostname. If the hostname is used in security decisions, the decision may be incorrect.

  Depending on library usage and attacker intent, impacts may include allow/block list bypasses, SSRF attacks, open redirects, or other undesired behavior.

  Example URL: https:/\expected-example.com/path
  Escaped string: https:/\\expected-example.com/path (JavaScript strings must escape backslash)

  Affected versions incorrectly return no hostname. Patched versions correctly return expected-example.com. Patched versions match the behavior of other parsers which implement the WHATWG URL specification, including web browsers and Node's built-in URL class.

  Patches

  Version 1.19.6 is patched against all known payload variants.

  References

  https://github.com/medialize/URI.js/releases/tag/v1.19.6 (fix for this particular bypass)
  https://github.com/medialize/URI.js/releases/tag/v1.19.4 (fix for related bypass)
  https://github.com/medialize/URI.js/releases/tag/v1.19.3 (fix for related bypass)
  PR #233 (initial fix for backslash handling)

  For more information

  If you have any questions or comments about this advisory, open an issue in https://github.com/medialize/URI.js

  Reporter credit

  Yaniv Nizry from the CxSCA AppSec team at Checkmarx

  NVD

  URI.js (aka urijs) before 1.19.6 mishandles certain uses of backslash such as http:/ and interprets the URI as a relative path.

• CVSS details - 7.5

   

  CVSS3 metrics
  Attack Vector	Network
  Attack Complexity	Low
  Privileges Required	None
  User interaction	None
  Scope	Unchanged
  Confidentiality	High
  Integrity	None
  Availability	None

• References

      fix(parse): treat backslash as forwardslash in scheme delimiter · medialize/URI.js@a1ad8bc · GitHub
      Release 1.19.6 (February 13th 2021) · medialize/URI.js · GitHub
      MISC
      NVD - CVE-2021-27516
      Hostname spoofing via backslashes in URL · Advisory · medialize/URI.js · GitHub
      Hostname spoofing via backslashes in URL · CVE-2021-27516 · GitHub Advisory Database · GitHub

CVE–2020–28498

• Description

  Use of a Broken or Risky Cryptographic Algorithm

  The use of a broken or risky cryptographic algorithm is an unnecessary risk that may result in the exposure of sensitive information.

  GitHub

  Use of a Broken or Risky Cryptographic Algorithm

  The npm package elliptic before version 6.5.4 are vulnerable to Cryptographic Issues via the secp256k1 implementation in elliptic/ec/key.js. There is no check to confirm that the public key point passed into the derive function actually exists on the secp256k1 curve. This results in the potential for the private key used in this implementation to be revealed after a number of ECDH operations are performed.

  NVD

  The package elliptic before 6.5.4 are vulnerable to Cryptographic Issues via the secp256k1 implementation in elliptic/ec/key.js. There is no check to confirm that the public key point passed into the derive function actually exists on the secp256k1 curve. This results in the potential for the private key used in this implementation to be revealed after a number of ECDH operations are performed.

• CVSS details - 6.8

   

  CVSS3 metrics
  Attack Vector	Network
  Attack Complexity	High
  Privileges Required	None
  User interaction	None
  Scope	Changed
  Confidentiality	High
  Integrity	None
  Availability	None

• References

      blog/secp256k1_twist_attacks.md at master · christianlundkvist/blog · GitHub
      ec: validate that a point before deriving keys · indutny/elliptic@441b742 · GitHub
      Use of a Broken or Risky Cryptographic Algorithm · CVE-2020-28498 · GitHub Advisory Database · GitHub
      Private by kdenhartog · Pull Request #244 · indutny/elliptic · GitHub
      NVD - CVE-2020-28498

CVE–2021–23386

• Description

  Exposure of Sensitive Information to an Unauthorized Actor

  The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

  GitHub

  Potential memory exposure in dns-packet

  This affects the package dns-packet before versions 1.3.2 and 5.2.2. It creates buffers with allocUnsafe and does not always fill them before forming network packets. This can expose internal application memory over unencrypted network when querying crafted invalid domain names.

  NVD

  This affects the package dns-packet before 5.2.2. It creates buffers with allocUnsafe and does not always fill them before forming network packets. This can expose internal application memory over unencrypted network when querying crafted invalid domain names.

• CVSS details - 6.5

   

  CVSS3 metrics
  Attack Vector	Network
  Attack Complexity	Low
  Privileges Required	Low
  User interaction	None
  Scope	Unchanged
  Confidentiality	High
  Integrity	None
  Availability	None

• References

      HackerOne
      do trim on encodingLength as well · mafintosh/dns-packet@25f15dd · GitHub
      NVD - CVE-2021-23386
      Potential memory exposure in dns-packet · CVE-2021-23386 · GitHub Advisory Database · GitHub

CVE–2017–16119

• Description

  Uncontrolled Resource Consumption

  The software does not properly control the allocation and maintenance of a limited resource thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources.

  GitHub

  Regular Expression Denial of Service in fresh

  Affected versions of fresh are vulnerable to regular expression denial of service when parsing specially crafted user input.

  Recommendation

  Update to version 0.5.2 or later.

  NVD

  Fresh is a module used by the Express.js framework for HTTP response freshness testing. It is vulnerable to a regular expression denial of service when it is passed specially crafted input to parse. This causes the event loop to be blocked causing a denial of service condition.

• CVSS details - 7.5

   

  CVSS3 metrics
  Attack Vector	Network
  Attack Complexity	Low
  Privileges Required	None
  User interaction	None
  Scope	Unchanged
  Confidentiality	None
  Integrity	None
  Availability	High

• References

      nodesecurity.io -&nbspnodesecurity Resources and Information.
      NVD - CVE-2017-16119
      Regular Expression Denial of Service in fresh · CVE-2017-16119 · GitHub Advisory Database · GitHub

CVE–2017–16118

• Description

  Uncontrolled Resource Consumption

  The software does not properly control the allocation and maintenance of a limited resource thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources.

  GitHub

  Regular Expression Denial of Service in forwarded

  Affected versions of forwarded are vulnerable to regular expression denial of service when parsing specially crafted user input.

  Recommendation

  Update to version 0.1.2 or later

  NVD

  The forwarded module is used by the Express.js framework to handle the X-Forwarded-For header. It is vulnerable to a regular expression denial of service when it's passed specially crafted input to parse. This causes the event loop to be blocked causing a denial of service condition.

• CVSS details - 7.5

   

  CVSS3 metrics
  Attack Vector	Network
  Attack Complexity	Low
  Privileges Required	None
  User interaction	None
  Scope	Unchanged
  Confidentiality	None
  Integrity	None
  Availability	High

• References

      Bugtraq
      nodesecurity.io -&nbspnodesecurity Resources and Information.
      NVD - CVE-2017-16118
      Regular Expression Denial of Service in forwarded · CVE-2017-16118 · GitHub Advisory Database · GitHub

CVE–2020–7720

• Description

  Improper Input Validation

  The product does not validate or incorrectly validates input that can affect the control flow or data flow of a program.

  GitHub

  Prototype Pollution in node-forge

  The package node-forge before 0.10.0 is vulnerable to Prototype Pollution via the util.setPath function. Note: Version 0.10.0 is a breaking change removing the vulnerable functions.

  NVD

  The package node-forge before 0.10.0 is vulnerable to Prototype Pollution via the util.setPath function. Note: Version 0.10.0 is a breaking change removing the vulnerable functions.

• CVSS details - 7.3

   

  CVSS3 metrics
  Attack Vector	Network
  Attack Complexity	Low
  Privileges Required	None
  User interaction	None
  Scope	Unchanged
  Confidentiality	Low
  Integrity	Low
  Availability	Low

• References

      forge/CHANGELOG.md at master · digitalbazaar/forge · GitHub
      NVD - CVE-2020-7720
      Prototype Pollution in node-forge · CVE-2020-7720 · GitHub Advisory Database · GitHub
      GitHub - digitalbazaar/forge: A native implementation of TLS in Javascript and tools to write crypto-based and network-heavy webapps

CVE–2021–33502

• Description

  GitHub

  ReDoS in normalize-url

  The normalize-url package before 4.5.1, 5.x before 5.3.1, and 6.x before 6.0.1 for Node.js has a ReDoS (regular expression denial of service) issue because it has exponential performance for data: URLs.

  NVD

  The normalize-url package before 4.5.1, 5.x before 5.3.1, and 6.x before 6.0.1 for Node.js has a ReDoS (regular expression denial of service) issue because it has exponential performance for data: URLs.

• CVSS details - 7.5

   

  CVSS3 metrics
  Attack Vector	Network
  Attack Complexity	Low
  Privileges Required	None
  User interaction	None
  Scope	Unchanged
  Confidentiality	None
  Integrity	None
  Availability	High

• References

      Release v6.0.1 · sindresorhus/normalize-url · GitHub
      NVD - CVE-2021-33502
      ReDoS in normalize-url · CVE-2021-33502 · GitHub Advisory Database · GitHub

CVE–2021–26707

• Description

  GitHub

  Prototype pollution in Merge-deep

  The merge-deep library before 3.0.3 for Node.js can be tricked into overwriting properties of Object.prototype or adding new properties to it. These properties are then inherited by every object in the program, thus facilitating prototype-pollution attacks against applications using this library.

  NVD

  The merge-deep library before 3.0.3 for Node.js can be tricked into overwriting properties of Object.prototype or adding new properties to it. These properties are then inherited by every object in the program, thus facilitating prototype-pollution attacks against applications using this library.

• CVSS details - 9.8

   

  CVSS3 metrics
  Attack Vector	Network
  Attack Complexity	Low
  Privileges Required	None
  User interaction	None
  Scope	Unchanged
  Confidentiality	High
  Integrity	High
  Availability	High

• References

      add isValidKey function to ensure only valid keys are merged · jonschlinkert/merge-deep@11e5dd5 · GitHub
      merge-deep - npm
      GHSL-2020-160: Prototype pollution in Merge-deep | GitHub Security Lab
      merge-deep/.verb.md at 628ff47c9d824ccf21adf9a2b7cc6b74632e11a1 · jonschlinkert/merge-deep · GitHub
      NVD - CVE-2021-26707
      Sign in to GitHub · GitHub
      Prototype pollution in Merge-deep · CVE-2021-26707 · GitHub Advisory Database · GitHub
      merge-deep/LICENSE at 628ff47c9d824ccf21adf9a2b7cc6b74632e11a1 · jonschlinkert/merge-deep · GitHub
      GitHub - jonschlinkert/merge-deep: Recursively merge values in a JavaScript object.

CVE–2020–13822

• Description

  Integer Overflow or Wraparound

  The software performs a calculation that can produce an integer overflow or wraparound, when the logic assumes that the resulting value will always be larger than the original value. This can introduce other weaknesses when the calculation is used for resource management or execution control.

  GitHub

  Signature Malleabillity in elliptic

  The Elliptic package before version 6.5.3 for Node.js allows ECDSA signature malleability via variations in encoding, leading '\0' bytes, or integer overflows. This could conceivably have a security-relevant impact if an application relied on a single canonical signature.

  NVD

  The Elliptic package 6.5.2 for Node.js allows ECDSA signature malleability via variations in encoding, leading '\0' bytes, or integer overflows. This could conceivably have a security-relevant impact if an application relied on a single canonical signature.

• CVSS details - 7.7

   

  CVSS3 metrics
  Attack Vector	Network
  Attack Complexity	High
  Privileges Required	None
  User interaction	None
  Scope	Unchanged
  Confidentiality	High
  Integrity	High
  Availability	Low

• References

      Lack of encoding checks allows a certain degree of signature malleability in ECDSA signatures · Issue #226 · indutny/elliptic · GitHub
      Malleability-Attack: Why It Matters | by Herman Schoenfeld | Medium
      elliptic - npm
      How Not to Use ECDSA – Learning Words
      NVD - CVE-2020-13822
      GitHub - indutny/elliptic: Fast Elliptic Curve Cryptography in plain javascript
      Signature Malleabillity in elliptic · CVE-2020-13822 · GitHub Advisory Database · GitHub

debricked–149740

• Description

  GitHub

  Denial of Service in http-proxy

  Versions of http-proxy prior to 1.18.1 are vulnerable to Denial of Service. An HTTP request with a long body triggers an ERR_HTTP_HEADERS_SENT unhandled exception that crashes the proxy server. This is only possible when the proxy server sets headers in the proxy request using the proxyReq.setHeader function.

  For a proxy server running on http://localhost:3000, the following curl request triggers the unhandled exception:
  curl -XPOST http://localhost:3000 -d "$(python -c 'print("x"*1025)')"

  Recommendation

  Upgrade to version 1.18.1 or later

• CVSS details

      No information

• References

      Denial of Service in http-proxy · GHSA-6x33-pw7p-hmpq · GitHub Advisory Database · GitHub
      Skip sending the proxyReq event when the expect header is present by jsmylnycky · Pull Request #1447 · http-party/node-http-proxy · GitHub

debricked–149739

• Description

  GitHub

  Prototype Pollution in yargs-parser

  Affected versions of yargs-parser are vulnerable to prototype pollution. Arguments are not properly sanitized, allowing an attacker to modify the prototype of Object, causing the addition or modification of an existing property that will exist on all objects.
  Parsing the argument --foo.__proto__.bar baz' adds a bar property with value baz to all objects. This is only exploitable if attackers have control over the arguments being passed to yargs-parser.

  Recommendation

  Upgrade to versions 13.1.2, 15.0.1, 18.1.1 or later.

• CVSS details

      No information

• References

      fix: proto will now be replaced with proto in parse (#258) · yargs/yargs-parser@63810ca · GitHub
      Prototype Pollution in yargs-parser · CVE-2020-7608 · GitHub Advisory Database · GitHub

debricked–149694

• Description

  GitHub

  Denial of Service in js-yaml

  Versions of js-yaml prior to 3.13.0 are vulnerable to Denial of Service. By parsing a carefully-crafted YAML file, the node process stalls and may exhaust system resources leading to a Denial of Service.

  Recommendation

  Upgrade to version 3.13.0.

• CVSS details

      No information

• References

      Denial of Service in js-yaml · GHSA-2pr6-76vf-7546 · GitHub Advisory Database · GitHub
      Using complex arrays as map keys may hang the process · Issue #475 · nodeca/js-yaml · GitHub

debricked–149699

• Description

  GitHub

  Code Injection in js-yaml

  Versions of js-yaml prior to 3.13.1 are vulnerable to Code Injection. The load() function may execute arbitrary code injected through a malicious YAML file. Objects that have toString as key, JavaScript code as value and are used as explicit mapping keys allow attackers to execute the supplied code through the load() function. The safeLoad() function is unaffected.

  An example payload is
  { toString: !<tag:yaml.org,2002:js/function> 'function (){return Date.now()}' } : 1
  which returns the object
  {
  "1553107949161": 1
  }

  Recommendation

  Upgrade to version 3.13.1.

• CVSS details

      No information

• References

      Fix possible code execution in (already unsafe) load() by rlidwka · Pull Request #480 · nodeca/js-yaml · GitHub
      Code Injection in js-yaml · GHSA-8j8c-7jfh-h6hx · GitHub Advisory Database · GitHub

debricked–149662

• Description

  GitHub

  Denial of Service in mem

  Versions of mem prior to 4.0.0 are vulnerable to Denial of Service (DoS). The package fails to remove old values from the cache even after a value passes its maxAge property. This may allow attackers to exhaust the system's memory if they are able to abuse the application logging.

  Recommendation

  Upgrade to version 4.0.0 or later.

• CVSS details

      No information

• References

      Denial of Service in mem · GHSA-4xcv-9jjx-gfj3 · GitHub Advisory Database · GitHub
      Automatically release memory when an item expires - fixes #14 (#19) · sindresorhus/mem@da4e439 · GitHub

CVE–2018–6341

• Description

  Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

  The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

  GitHub

  Cross-Site Scripting in react-dom

  Affected versions of react-dom are vulnerable to Cross-Site Scripting (XSS). The package fails to validate attribute names in HTML tags which may lead to Cross-Site Scripting in specific scenarios. This may allow attackers to execute arbitrary JavaScript in the victim's browser. To be affected by this vulnerability, the application needs to:

  • be a server-side React app
  • be rendered to HTML using ReactDOMServer
  • include an attribute name from user input in an HTML tag

  Recommendation

  If you are using react-dom 16.0.x, upgrade to 16.0.1 or later.
  If you are using react-dom 16.1.x, upgrade to 16.1.2 or later.
  If you are using react-dom 16.2.x, upgrade to 16.2.1 or later.
  If you are using react-dom 16.3.x, upgrade to 16.3.3 or later.
  If you are using react-dom 16.4.x, upgrade to 16.4.2 or later.

  NVD

  React applications which rendered to HTML using the ReactDOMServer API were not escaping user-supplied attribute names at render-time. That lack of escaping could lead to a cross-site scripting vulnerability. This issue affected minor releases 16.0.x, 16.1.x, 16.2.x, 16.3.x, and 16.4.x. It was fixed in 16.0.1, 16.1.2, 16.2.1, 16.3.3, and 16.4.2.

• CVSS details - 6.1

   

  CVSS3 metrics
  Attack Vector	Network
  Attack Complexity	Low
  Privileges Required	None
  User interaction	Required
  Scope	Changed
  Confidentiality	Low
  Integrity	Low
  Availability	None

• References

      React v16.4.2: Server-side vulnerability fix – React Blog
      JavaScript is not available.
      GitHub - facebook/react: A declarative, efficient, and flexible JavaScript library for building user interfaces.
      Fix SSR crash on a hasOwnProperty attribute by gaearon · Pull Request #13303 · facebook/react · GitHub
      react/CODE_OF_CONDUCT.md at main · facebook/react · GitHub
      NVD - CVE-2018-6341
      Sanitize unknown attribute names for SSR by gaearon · Pull Request #13302 · facebook/react · GitHub
      Cross-Site Scripting in react-dom · CVE-2018-6341 · GitHub Advisory Database · GitHub
      react/CODE_OF_CONDUCT.md at main · facebook/react · GitHub

CVE–2018–1107

• Description

  Uncontrolled Resource Consumption

  The software does not properly control the allocation and maintenance of a limited resource thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources.

  NVD

  It was discovered that the is-my-json-valid JavaScript library used an inefficient regular expression to validate JSON fields defined to have email format. A specially crafted JSON file could cause it to consume an excessive amount of CPU time when validated.

• CVSS details - 5.3

   

  CVSS3 metrics
  Attack Vector	Network
  Attack Complexity	Low
  Privileges Required	None
  User interaction	None
  Scope	Unchanged
  Confidentiality	None
  Integrity	None
  Availability	Low

• References

      1546357 – (CVE-2018-1107) CVE-2018-1107 nodejs-is-my-json-valid: ReDoS when validating JSON fields with email format
      Avoid catastrophic backtracking by LinusU · Pull Request #159 · mafintosh/is-my-json-valid · GitHub
      Merge pull request #159 from mafintosh/safe-regex · mafintosh/is-my-json-valid@b3051b2 · GitHub

CVE–2017–1000427

• Description

  Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

  The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

  GitHub

  Moderate severity vulnerability that affects marked

  marked version 0.3.6 and earlier is vulnerable to an XSS attack in the data: URI parser.

  NVD

  marked version 0.3.6 and earlier is vulnerable to an XSS attack in the data: URI parser.

• CVSS details - 6.1

   

  CVSS3 metrics
  Attack Vector	Network
  Attack Complexity	Low
  Privileges Required	None
  User interaction	Required
  Scope	Changed
  Confidentiality	Low
  Integrity	Low
  Availability	None

• References

      [SECURITY] Fedora 32 Update: marked-1.1.0-3.fc32 - package-announce - Fedora Mailing-Lists
      [SECURITY] Fedora 31 Update: marked-1.1.0-3.fc31 - package-announce - Fedora Mailing-Lists
      marked version 0.3.6 and earlier is vulnerable to an XSS ... · CVE-2017-1000427 · GitHub Advisory Database · GitHub
      GitHub - markedjs/marked: A markdown parser and compiler. Built for speed.
      added data: link fix to prevent xss · markedjs/marked@cd2f6f5 · GitHub
      NVD - CVE-2017-1000427

CVE–2017–16114

• Description

  Uncontrolled Resource Consumption

  The software does not properly control the allocation and maintenance of a limited resource thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources.

  GitHub

  Regular Expression Denial of Service in marked

  Affected versions of marked are vulnerable to a regular expression denial of service.

  The amplification in this vulnerability is significant, with 1,000 characters resulting in the event loop being blocked for around 6 seconds.

  Recommendation

  Update to version 0.3.9 or later.

  NVD

  The marked module is vulnerable to a regular expression denial of service. Based on the information published in the public issue, 1k characters can block for around 6 seconds.

• CVSS details - 7.5

   

  CVSS3 metrics
  Attack Vector	Network
  Attack Complexity	Low
  Privileges Required	None
  User interaction	None
  Scope	Unchanged
  Confidentiality	None
  Integrity	None
  Availability	High

• References

      nodesecurity.io -&nbspnodesecurity Resources and Information.
      Vulnerable Regular Expression · Issue #937 · markedjs/marked · GitHub
      Regular Expression Denial of Service in marked · CVE-2017-16114 · GitHub Advisory Database · GitHub
      NVD - CVE-2017-16114

CVE–2019–10747

• Description

  Uncontrolled Resource Consumption

  The software does not properly control the allocation and maintenance of a limited resource thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources.

  GitHub

  Prototype Pollution in set-value

  Versions of set-value prior to 3.0.1 or 2.0.1 are vulnerable to Prototype Pollution. The set function fails to validate which Object properties it updates. This allows attackers to modify the prototype of Object, causing the addition or modification of an existing property on all objects.

  Recommendation

  If you are using set-value 3.x, upgrade to version 3.0.1 or later.
  If you are using set-value 2.x, upgrade to version 2.0.1 or later.

  NVD

  set-value is vulnerable to Prototype Pollution in versions lower than 3.0.1. The function mixin-deep could be tricked into adding or modifying properties of Object.prototype using any of the constructor, prototype and proto payloads.

• CVSS details - 9.8

   

  CVSS3 metrics
  Attack Vector	Network
  Attack Complexity	Low
  Privileges Required	None
  User interaction	None
  Scope	Unchanged
  Confidentiality	High
  Integrity	High
  Availability	High

• References

      Pony Mail!
      [SECURITY] Fedora 30 Update: nodejs-set-value-2.0.1-1.fc30 - package-announce - Fedora Mailing-Lists
      [SECURITY] Fedora 31 Update: nodejs-set-value-2.0.1-1.fc31 - package-announce - Fedora Mailing-Lists
      disallow proto keys · jonschlinkert/set-value@95e9d99 · GitHub
      NVD - CVE-2019-10747
      GitHub - jonschlinkert/set-value: Set nested properties on an object using dot-notation.
      Prototype Pollution in set-value · CVE-2019-10747 · GitHub Advisory Database · GitHub

CVE–2019–20149

• Description

  Exposure of Resource to Wrong Sphere

  The product exposes a resource to the wrong control sphere, providing unintended actors with inappropriate access to the resource.

  GitHub

  Validation Bypass in kind-of

  Versions of kind-of 6.x prior to 6.0.3 are vulnerable to a Validation Bypass. A maliciously crafted object can alter the result of the type check, allowing attackers to bypass the type checking validation.

  Recommendation

  Upgrade to versions 6.0.3 or later.

  NVD

  ctorName in index.js in kind-of v6.0.2 allows external user input to overwrite certain internal attributes via a conflicting name, as demonstrated by 'constructor': {'name':'Symbol'}. Hence, a crafted payload can overwrite this builtin attribute to manipulate the type detection result.

• CVSS details - 7.5

   

  CVSS3 metrics
  Attack Vector	Network
  Attack Complexity	Low
  Privileges Required	None
  User interaction	None
  Scope	Unchanged
  Confidentiality	None
  Integrity	High
  Availability	None

• References

      type checking · Issue #30 · jonschlinkert/kind-of · GitHub
      fix type checking vul in ctorName by xiaofen9 · Pull Request #31 · jonschlinkert/kind-of · GitHub
      Validation Bypass in kind-of · CVE-2019-20149 · GitHub Advisory Database · GitHub
      NVD - CVE-2019-20149

CVE–2019–10746

• Description

  Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')

  The software constructs a string for a command to executed by a separate component in another control sphere, but it does not properly delimit the intended arguments, options, or switches within that command string.

  GitHub

  Prototype Pollution in mixin-deep

  Versions of mixin-deep prior to 2.0.1 or 1.3.2 are vulnerable to Prototype Pollution. The mixinDeep function fails to validate which Object properties it updates. This allows attackers to modify the prototype of Object, causing the addition or modification of an existing property on all objects.

  Recommendation

  If you are using mixin-deep 2.x, upgrade to version 2.0.1 or later.
  If you are using mixin-deep 1.x, upgrade to version 1.3.2 or later.

  NVD

  mixin-deep is vulnerable to Prototype Pollution in versions before 1.3.2 and version 2.0.0. The function mixin-deep could be tricked into adding or modifying properties of Object.prototype using a constructor payload.

• CVSS details - 9.8

   

  CVSS3 metrics
  Attack Vector	Network
  Attack Complexity	Low
  Privileges Required	None
  User interaction	None
  Scope	Unchanged
  Confidentiality	High
  Integrity	High
  Availability	High

• References

      [SECURITY] Fedora 30 Update: nodejs-mixin-deep-1.3.2-1.fc30 - package-announce - Fedora Mailing-Lists
      [SECURITY] Fedora 31 Update: nodejs-mixin-deep-1.3.2-1.fc31 - package-announce - Fedora Mailing-Lists
      Prototype Pollution in mixin-deep · CVE-2019-10746 · GitHub Advisory Database · GitHub
      disallow constructor and prototype keys · jonschlinkert/mixin-deep@8f464c8 · GitHub
      NVD - CVE-2019-10746
      GitHub - jonschlinkert/mixin-deep: Deeply mix the properties of objects into the first object, while also mixing-in child objects.

CVE–2019–15599

• Description

  Improper Control of Generation of Code ('Code Injection')

  The software constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

  NVD

  A Code Injection exists in tree-kill on Windows which allows a remote code execution when an attacker is able to control the input into the command.

• CVSS details - 9.8

   

  CVSS3 metrics
  Attack Vector	Network
  Attack Complexity	Low
  Privileges Required	None
  User interaction	None
  Scope	Unchanged
  Confidentiality	High
  Integrity	High
  Availability	High

• References

      NVD - CVE-2019-15599
      HackerOne

CVE–2018–16472

• Description

  Improper Input Validation

  The product does not validate or incorrectly validates input that can affect the control flow or data flow of a program.

  GitHub

  Prototype Pollution in cached-path-relative

  Version of cached-path-relative before 1.0.2 are vulnerable to prototype pollution.

  Recommendation

  Update to version 1.0.2 or later.

  NVD

  A prototype pollution attack in cached-path-relative versions <=1.0.1 allows an attacker to inject properties on Object.prototype which are then inherited by all the JS objects through the prototype chain causing a DoS attack.

• CVSS details - 7.5

   

  CVSS3 metrics
  Attack Vector	Network
  Attack Complexity	Low
  Privileges Required	None
  User interaction	None
  Scope	Unchanged
  Confidentiality	None
  Integrity	None
  Availability	High

• References

      HackerOne
      Prototype Pollution in cached-path-relative · CVE-2018-16472 · GitHub Advisory Database · GitHub
      NVD - CVE-2018-16472

CVE–2017–16042

• Description

  Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

  The software constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

  GitHub

  Command Injection in growl

  Affected versions of growl do not properly sanitize input prior to passing it into a shell command, allowing for arbitrary command execution.

  Recommendation

  Update to version 1.10.2 or later.

  NVD

  Growl adds growl notification support to nodejs. Growl before 1.10.2 does not properly sanitize input before passing it to exec, allowing for arbitrary command execution.

• CVSS details - 9.8

   

  CVSS3 metrics
  Attack Vector	Network
  Attack Complexity	Low
  Privileges Required	None
  User interaction	None
  Scope	Unchanged
  Confidentiality	High
  Integrity	High
  Availability	High

• References

      Unsafe use of exec · Issue #60 · tj/node-growl · GitHub
      fix(lib): fixed command injection vulnerability according to Issue #60 by keymandll · Pull Request #61 · tj/node-growl · GitHub
      nodesecurity.io -&nbspnodesecurity Resources and Information.
      Command Injection in growl · CVE-2017-16042 · GitHub Advisory Database · GitHub
      NVD - CVE-2017-16042

CVE–2018–20835

• Description

  Improper Input Validation

  The product does not validate or incorrectly validates input that can affect the control flow or data flow of a program.

  GitHub

  High severity vulnerability that affects tar-fs

  A vulnerability was found in tar-fs before 1.16.2. An Arbitrary File Overwrite issue exists when extracting a tarball containing a hardlink to a file that already exists on the system, in conjunction with a later plain file with the same name as the hardlink. This plain file content replaces the existing file content.

  NVD

  A vulnerability was found in tar-fs before 1.16.2. An Arbitrary File Overwrite issue exists when extracting a tarball containing a hardlink to a file that already exists on the system, in conjunction with a later plain file with the same name as the hardlink. This plain file content replaces the existing file content.

• CVSS details - 7.5

   

  CVSS3 metrics
  Attack Vector	Network
  Attack Complexity	Low
  Privileges Required	None
  User interaction	None
  Scope	Unchanged
  Confidentiality	None
  Integrity	High
  Availability	None

• References

      force hardlink targets to be in the tar · mafintosh/tar-fs@0667282 · GitHub
      HackerOne
      Comparing d590fc7...a35ce2f · mafintosh/tar-fs · GitHub
      Improper Input Validation in tar-fs · CVE-2018-20835 · GitHub Advisory Database · GitHub
      NVD - CVE-2018-20835

CVE–2020–15366

• Description

  Improper Input Validation

  The product does not validate or incorrectly validates input that can affect the control flow or data flow of a program.

  NVD

  An issue was discovered in ajv.validate() in Ajv (aka Another JSON Schema Validator) 6.12.2. A carefully crafted JSON schema could be provided that allows execution of other code by prototype pollution. (While untrusted schemas are recommended against, the worst case of an untrusted schema should be a denial of service, not execution of code.)

• CVSS details - 5.6

   

  CVSS3 metrics
  Attack Vector	Network
  Attack Complexity	High
  Privileges Required	None
  User interaction	None
  Scope	Unchanged
  Confidentiality	Low
  Integrity	Low
  Availability	Low

• References

      Release v6.12.3 · ajv-validator/ajv · GitHub
      Tags · ajv-validator/ajv · GitHub
      HackerOne

 

Related information

📌 Remember! Check the changes to ensure they don't introduce any breaking changes.
📚 Read more at Debricked