Vulnerable Library - glob-parent-5.1.0.tgz

Extract the non-magic parent path from a glob string.

Library home page: https://registry.npmjs.org/glob-parent/-/glob-parent-5.1.0.tgz

Path to dependency file: node-express-postgre/package.json

Path to vulnerable library: node-express-postgre/node_modules/glob-parent/package.json

Dependency Hierarchy:

• eslint-6.8.0.tgz (Root Library)
  • ❌ glob-parent-5.1.0.tgz (Vulnerable Library)

Found in HEAD commit: f492c6cd17c7f57babb5687a9d0c405dee11220b

Found in base branch: master

Vulnerability Details

Regular Expression Denial of Service (ReDoS) vulnerability was found in glob-parent before 5.1.2.

Publish Date: 2021-01-27

URL: WS-2021-0154

CVSS 3 Score Details (5.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: https://github.com/gulpjs/glob-parent/releases/tag/v5.1.2

Release Date: 2021-01-27

Fix Resolution: glob-parent - 5.1.2

Vulnerable Library - moment-timezone-0.5.34.tgz

Parse and display moments in any timezone.

Library home page: https://registry.npmjs.org/moment-timezone/-/moment-timezone-0.5.34.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/moment-timezone/package.json

Dependency Hierarchy:

• sequelize-6.21.0.tgz (Root Library)
  • ❌ moment-timezone-0.5.34.tgz (Vulnerable Library)

Found in base branch: master

Vulnerability Details

Command Injection in moment-timezone before 0.5.35.

Publish Date: 2022-08-30

URL: WS-2022-0280

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-56x4-j7p9-fcf9

Release Date: 2022-08-30

Fix Resolution (moment-timezone): 0.5.35

Direct dependency fix Resolution (sequelize): 6.21.1

Vulnerable Library - glob-parent-5.1.0.tgz

Extract the non-magic parent path from a glob string.

Library home page: https://registry.npmjs.org/glob-parent/-/glob-parent-5.1.0.tgz

Path to dependency file: node-express-postgre/package.json

Path to vulnerable library: node-express-postgre/node_modules/glob-parent/package.json

Dependency Hierarchy:

• eslint-6.8.0.tgz (Root Library)
  • ❌ glob-parent-5.1.0.tgz (Vulnerable Library)

Found in HEAD commit: f492c6cd17c7f57babb5687a9d0c405dee11220b

Found in base branch: master

Vulnerability Details

This affects the package glob-parent before 5.1.2. The enclosure regex used to check for strings ending in enclosure containing path separator.

Publish Date: 2021-06-03

URL: CVE-2020-28469

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28469

Release Date: 2021-06-03

Fix Resolution: glob-parent - 5.1.2

Vulnerable Library - ajv-6.10.2.tgz

Another JSON Schema Validator

Library home page: https://registry.npmjs.org/ajv/-/ajv-6.10.2.tgz

Path to dependency file: node-express-postgre/package.json

Path to vulnerable library: node-express-postgre/node_modules/ajv/package.json

Dependency Hierarchy:

• eslint-6.8.0.tgz (Root Library)
  • ❌ ajv-6.10.2.tgz (Vulnerable Library)

Found in HEAD commit: f79775576b94c542e0e6d8c10e96faef43c5627c

Found in base branch: master

Vulnerability Details

An issue was discovered in ajv.validate() in Ajv (aka Another JSON Schema Validator) 6.12.2. A carefully crafted JSON schema could be provided that allows execution of other code by prototype pollution. (While untrusted schemas are recommended against, the worst case of an untrusted schema should be a denial of service, not execution of code.)

Publish Date: 2020-07-15

URL: CVE-2020-15366

CVSS 3 Score Details (5.6)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: https://github.com/ajv-validator/ajv/releases/tag/v6.12.3

Release Date: 2020-07-15

Fix Resolution: ajv - 6.12.3

Vulnerable Library - glob-parent-5.1.2.tgz

Extract the non-magic parent path from a glob string.

Library home page: https://registry.npmjs.org/glob-parent/-/glob-parent-5.1.2.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/glob-parent/package.json

Dependency Hierarchy:

• cli-7.17.10.tgz (Root Library)
  • chokidar-3.5.2.tgz
    • ❌ glob-parent-5.1.2.tgz (Vulnerable Library)

Found in base branch: master

Vulnerability Details

The package glob-parent from 6.0.0 and before 6.0.1 are vulnerable to Regular Expression Denial of Service (ReDoS)

Publish Date: 2021-06-22

URL: CVE-2021-35065

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-cj88-88mr-972w

Release Date: 2021-06-22

Fix Resolution: glob-parent - 6.0.1

• ✅ Travis CI - Branch: The build passed.
• ❌ WhiteSource Security Check: The Security Check found 1 vulnerabilities.

Severity	CVSS Score	CVE	GitHub Issue
High	7.5	CVE-2020-8116	#12

The new version differs by 14 commits.

• 71ca88f Bump to v2.20.2
• a618f88 [Tests] pin esquery, due to breaking change in a minor version
• 9c5899e utils: v2.6.0
• efb5f07 [Tests] use babel instead of NODE_PATH
• 1a3a128 [Fix] first: Add a way to disable absolute-first explicitly
• efd6be1 [Fix] no-unused-modules: handle export { default } from syntax
• adbced7 utils: [New] Print more helpful info if parsing fails
• b6242b0 [fix] no-duplicates: fix fixer on cases with default import
• 41aaa18 resolvers/node: [New] add .node extension
• 12971f5 [Fix] order: recognize ".." as a "parent" path
• 47f912e [Fix] order: fix isExternalModule detection on windows
• 8905007 [Tests] appveyor: on node 8-12, use npm 6.10.3
• 2beec94 [meta] use in-publish in prepublish
• 1fbef73 [meta] fix changelog link

See the full diff

There is a collection of frequently asked questions. If those don’t help, you can always ask the humans behind Greenkeeper.

• ❌ WhiteSource Security Check: Oops! An error occurred while running the Security Check.

The build

The new version differs by 3 commits.

• 70425a9 chore(release): 8.2.0
• 75986d3 TypeScript types (#430)
• ba6b34d optimize dotenv.png (#424)

See the full diff

There is a collection of frequently asked questions. If those don’t help, you can always ask the humans behind Greenkeeper.

Vulnerable Library - lodash-4.17.15.tgz

Lodash modular utilities.

Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.15.tgz

Path to dependency file: /tmp/ws-scm/node-express-postgre/package.json

Path to vulnerable library: /tmp/ws-scm/node-express-postgre/node_modules/lodash/package.json

Dependency Hierarchy:

• eslint-6.8.0.tgz (Root Library)
  • ❌ lodash-4.17.15.tgz (Vulnerable Library)

Found in HEAD commit: 0e6018ba0c759048cb86110f7e1a34b2c99b9bdc

Vulnerability Details

a prototype pollution vulnerability in lodash. It allows an attacker to inject properties on Object.prototype

Publish Date: 2020-04-28

URL: WS-2020-0070

CVSS 3 Score Details (8.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Vulnerable Library - moment-timezone-0.5.34.tgz

Parse and display moments in any timezone.

Library home page: https://registry.npmjs.org/moment-timezone/-/moment-timezone-0.5.34.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/moment-timezone/package.json

Dependency Hierarchy:

• sequelize-6.21.0.tgz (Root Library)
  • ❌ moment-timezone-0.5.34.tgz (Vulnerable Library)

Found in base branch: master

Vulnerability Details

Cleartext Transmission of Sensitive Information in moment-timezone

Publish Date: 2022-08-30

URL: WS-2022-0284

CVSS 3 Score Details (9.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: GHSA-v78c-4p63-2j6c

Release Date: 2022-08-30

Fix Resolution (moment-timezone): 0.5.35

Direct dependency fix Resolution (sequelize): 6.21.1

Vulnerable Library - lodash-4.17.15.tgz

Lodash modular utilities.

Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.15.tgz

Path to dependency file: node-express-postgre/package.json

Path to vulnerable library: node-express-postgre/node_modules/lodash/package.json

Dependency Hierarchy:

• eslint-6.8.0.tgz (Root Library)
  • ❌ lodash-4.17.15.tgz (Vulnerable Library)

Found in HEAD commit: f79775576b94c542e0e6d8c10e96faef43c5627c

Found in base branch: master

Vulnerability Details

Prototype pollution attack when using _.zipObjectDeep in lodash before 4.17.20.

Publish Date: 2020-07-15

URL: CVE-2020-8203

CVSS 3 Score Details (7.4)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/1523

Release Date: 2020-10-21

Fix Resolution: lodash - 4.17.19

Vulnerable Library - moment-2.29.1.tgz

Parse, validate, manipulate, and display dates

Library home page: https://registry.npmjs.org/moment/-/moment-2.29.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/moment/package.json

Dependency Hierarchy:

• sequelize-6.21.0.tgz (Root Library)
  • ❌ moment-2.29.1.tgz (Vulnerable Library)

Found in base branch: master

Vulnerability Details

moment is a JavaScript date library for parsing, validating, manipulating, and formatting dates. Affected versions of moment were found to use an inefficient parsing algorithm. Specifically using string-to-date parsing in moment (more specifically rfc2822 parsing, which is tried by default) has quadratic (N^2) complexity on specific inputs. Users may notice a noticeable slowdown is observed with inputs above 10k characters. Users who pass user-provided strings without sanity length checks to moment constructor are vulnerable to (Re)DoS attacks. The problem is patched in 2.29.4, the patch can be applied to all affected versions with minimal tweaking. Users are advised to upgrade. Users unable to upgrade should consider limiting date lengths accepted from user input.

Publish Date: 2022-07-06

URL: CVE-2022-31129

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-wc69-rhjr-hc9g

Release Date: 2022-07-06

Fix Resolution (moment): 2.29.4

Direct dependency fix Resolution (sequelize): 6.21.1

Vulnerable Library - dottie-2.0.2.tgz

Fast and safe nested object access and manipulation in JavaScript

Library home page: https://registry.npmjs.org/dottie/-/dottie-2.0.2.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/dottie/package.json

Dependency Hierarchy:

• sequelize-6.21.0.tgz (Root Library)
  • ❌ dottie-2.0.2.tgz (Vulnerable Library)

Found in base branch: master

Vulnerability Details

Versions of the package dottie before 2.0.4 are vulnerable to Prototype Pollution due to insufficient checks, via the set() function and the current variable in the /dottie.js file.

Publish Date: 2023-06-10

URL: CVE-2023-26132

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2023-26132

Release Date: 2023-06-10

Fix Resolution: dottie - 2.0.4

Vulnerable Library - sequelize-6.21.0.tgz

Sequelize is a promise-based Node.js ORM tool for Postgres, MySQL, MariaDB, SQLite, Microsoft SQL Server, Amazon Redshift and Snowflake’s Data Cloud. It features solid transaction support, relations, eager and lazy loading, read replication and more.

Library home page: https://registry.npmjs.org/sequelize/-/sequelize-6.21.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/sequelize/package.json

Dependency Hierarchy:

• ❌ sequelize-6.21.0.tgz (Vulnerable Library)

Found in base branch: master

Vulnerability Details

Due to improper parameter filtering in the sequalize js library, can a attacker peform injection.

Publish Date: 2023-02-16

URL: CVE-2023-22579

CVSS 3 Score Details (8.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-vqfx-gj96-3w95

Release Date: 2023-02-16

Fix Resolution: 6.28.1

Vulnerable Library - path-parse-1.0.6.tgz

Node.js path.parse() ponyfill

Library home page: https://registry.npmjs.org/path-parse/-/path-parse-1.0.6.tgz

Path to dependency file: node-express-postgre/package.json

Path to vulnerable library: node-express-postgre/node_modules/path-parse/package.json

Dependency Hierarchy:

• eslint-plugin-import-2.22.1.tgz (Root Library)
  • resolve-1.19.0.tgz
    • ❌ path-parse-1.0.6.tgz (Vulnerable Library)

Found in HEAD commit: f492c6cd17c7f57babb5687a9d0c405dee11220b

Found in base branch: master

Vulnerability Details

All versions of package path-parse are vulnerable to Regular Expression Denial of Service (ReDoS) via splitDeviceRe, splitTailRe, and splitPathRe regular expressions. ReDoS exhibits polynomial worst-case time complexity.

Publish Date: 2021-05-04

URL: CVE-2021-23343

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: jbgutierrez/path-parse#8

Release Date: 2021-05-04

Fix Resolution: path-parse - 1.0.7

Vulnerable Library - tmpl-1.0.4.tgz

JavaScript micro templates.

Library home page: https://registry.npmjs.org/tmpl/-/tmpl-1.0.4.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/tmpl/package.json

Dependency Hierarchy:

• babel-jest-26.6.3.tgz (Root Library)
  • transform-26.6.2.tgz
    • jest-haste-map-26.6.2.tgz
      • walker-1.0.7.tgz
        • makeerror-1.0.11.tgz
          • ❌ tmpl-1.0.4.tgz (Vulnerable Library)

Found in HEAD commit: 14f323dcad6382af4c36a845b42d942afa6dcea9

Found in base branch: master

Vulnerability Details

nodejs-tmpl is vulnerable to Inefficient Regular Expression Complexity

Publish Date: 2021-09-15

URL: CVE-2021-3777

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://github.com/daaku/nodejs-tmpl/releases/tag/v1.0.5

Release Date: 2021-09-15

Fix Resolution (tmpl): 1.0.5

Direct dependency fix Resolution (babel-jest): 27.0.0-next.0

Vulnerable Library - minimist-1.2.5.tgz

parse argument options

Library home page: https://registry.npmjs.org/minimist/-/minimist-1.2.5.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/minimist/package.json

Dependency Hierarchy:

• eslint-friendly-formatter-4.0.1.tgz (Root Library)
  • ❌ minimist-1.2.5.tgz (Vulnerable Library)

Found in HEAD commit: 14f323dcad6382af4c36a845b42d942afa6dcea9

Found in base branch: master

Vulnerability Details

Minimist <=1.2.5 is vulnerable to Prototype Pollution via file index.js, function setKey() (lines 69-95).

Publish Date: 2022-03-17

URL: CVE-2021-44906

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://github.com/substack/minimist/issues/164

Release Date: 2022-03-17

Fix Resolution: minimist - 1.2.6

Vulnerable Library - sequelize-6.21.0.tgz

Sequelize is a promise-based Node.js ORM tool for Postgres, MySQL, MariaDB, SQLite, Microsoft SQL Server, Amazon Redshift and Snowflake’s Data Cloud. It features solid transaction support, relations, eager and lazy loading, read replication and more.

Library home page: https://registry.npmjs.org/sequelize/-/sequelize-6.21.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/sequelize/package.json

Dependency Hierarchy:

• ❌ sequelize-6.21.0.tgz (Vulnerable Library)

Found in base branch: master

Vulnerability Details

Due to improper input filtering in the sequalize js library, can malicious queries lead to sensitive information disclosure.

Publish Date: 2023-02-16

URL: CVE-2023-22580

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: None
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: GHSA-8c25-f3mj-v6h8

Release Date: 2023-02-16

Fix Resolution: 6.28.1

Vulnerable Library - hosted-git-info-2.8.8.tgz

Provides metadata and conversions from repository urls for Github, Bitbucket and Gitlab

Library home page: https://registry.npmjs.org/hosted-git-info/-/hosted-git-info-2.8.8.tgz

Path to dependency file: node-express-postgre/package.json

Path to vulnerable library: node-express-postgre/node_modules/hosted-git-info/package.json

Dependency Hierarchy:

• eslint-plugin-import-2.22.1.tgz (Root Library)
  • read-pkg-up-2.0.0.tgz
    • read-pkg-2.0.0.tgz
      • normalize-package-data-2.5.0.tgz
        • ❌ hosted-git-info-2.8.8.tgz (Vulnerable Library)

Found in HEAD commit: 1c2e7d37da6b0fe3f93b541e4b41747afaec6e1a

Found in base branch: master

Vulnerability Details

The package hosted-git-info before 3.0.8 are vulnerable to Regular Expression Denial of Service (ReDoS) via regular expression shortcutMatch in the fromUrl function in index.js. The affected regular expression exhibits polynomial worst-case time complexity.

Publish Date: 2021-03-23

URL: CVE-2021-23362

CVSS 3 Score Details (5.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: GHSA-43f8-2h32-f4cj

Release Date: 2021-03-23

Fix Resolution: hosted-git-info - 2.8.9,3.0.8

• ❌ Travis CI - Branch: The build errored.
• ✅ WhiteSource Security Check: Way to go! The Security Check did not find any vulnerabilities.
  Scan token: 27c8c2c6dcf44954a38868ee5df1f23a

Fixed

• Fix prop-types crash on multiple destructuring (#2319 @golopot)

The new version differs by 3 commits.

• 62255af Update CHANGELOG and bump version
• 655eb01 Merge pull request #2320 from golopot/issue-2319
• 9639d82 [Fix] prop-types: fix crash on multiple destructuring

See the full diff

There is a collection of frequently asked questions. If those don’t help, you can always ask the humans behind Greenkeeper.

• ✅ Travis CI - Branch: The build passed.
• ❌ WhiteSource Security Check: The Security Check found 1 vulnerabilities.

Severity	CVSS Score	CVE	GitHub Issue
High	8.1	WS-2020-0070	#16

2.0.4 (2020-05-14)

Bug Fixes

• add funding in package (a74f5dc)

The new version differs by 3 commits.

• a74f5dc fix: add funding in package
• 43def51 docs: Fix run-on sentence (#1704)
• f18286e docs: update issue templates

See the full diff

There is a collection of frequently asked questions. If those don’t help, you can always ask the humans behind Greenkeeper.

Vulnerable Library - lodash-4.17.15.tgz

Lodash modular utilities.

Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.15.tgz

Path to dependency file: node-express-postgre/package.json

Path to vulnerable library: node-express-postgre/node_modules/lodash/package.json

Dependency Hierarchy:

• eslint-6.8.0.tgz (Root Library)
  • ❌ lodash-4.17.15.tgz (Vulnerable Library)

Found in HEAD commit: c3a8bd72bd1494ac15fa3c5246e28014b6ffe7a2

Found in base branch: master

Vulnerability Details

Lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function.

Publish Date: 2021-02-15

URL: CVE-2021-23337

CVSS 3 Score Details (7.2)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: High
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: lodash/lodash@3469357

Release Date: 2021-02-15

Fix Resolution: lodash - 4.17.21

• ✅ Travis CI - Branch: The build passed.
• ❌ WhiteSource Security Check: Oops! An error occurred while running the Security Check.

The new version differs by 9 commits.

• 9fbdaec 🔖 9.2.0
• c1d5dbf ✨ add no-callback-literal rule (#179)
• 72de3a3 🐛 vulnerability fix: update eslint-utils to ^1.4.2 & eslint-plugin-es to ^1.4.1 (fixes #180) (#183)
• cfc6352 🎨 fix typos in function names (#177)
• b757c3e ⚒ improve azure-pipelines.yml (#173)
• a85d541 ⚒ trivial fix
• 88829af ⚒ Update azure-pipelines.yml for codecov (#170)
• 5b3f815 🐛 fix for ESLint 6 (#169)
• fe73872 ⚒ Switch to Azure Pipelines (#168)

See the full diff

There is a collection of frequently asked questions. If those don’t help, you can always ask the humans behind Greenkeeper.

Vulnerable Library - moment-2.29.1.tgz

Parse, validate, manipulate, and display dates

Library home page: https://registry.npmjs.org/moment/-/moment-2.29.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/moment/package.json

Dependency Hierarchy:

• sequelize-6.21.0.tgz (Root Library)
  • ❌ moment-2.29.1.tgz (Vulnerable Library)

Found in HEAD commit: 14f323dcad6382af4c36a845b42d942afa6dcea9

Found in base branch: master

Vulnerability Details

Moment.js is a JavaScript date library for parsing, validating, manipulating, and formatting dates. A path traversal vulnerability impacts npm (server) users of Moment.js between versions 1.0.1 and 2.29.1, especially if a user-provided locale string is directly used to switch moment locale. This problem is patched in 2.29.2, and the patch can be applied to all affected versions. As a workaround, sanitize the user-provided locale name before passing it to Moment.js.

Publish Date: 2022-04-04

URL: CVE-2022-24785

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: High
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: GHSA-8hfj-j24r-96c4

Release Date: 2022-04-04

Fix Resolution (moment): 2.29.2

Direct dependency fix Resolution (sequelize): 6.21.1

Vulnerable Library - qs-6.9.7.tgz

A querystring parser that supports nesting and arrays, with a depth limit

Library home page: https://registry.npmjs.org/qs/-/qs-6.9.7.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/qs/package.json

Dependency Hierarchy:

• express-4.17.3.tgz (Root Library)
  • ❌ qs-6.9.7.tgz (Vulnerable Library)

Found in HEAD commit: 362cc433e4f25c4f38d41ab9f5b30507718fb4b2

Found in base branch: master

Vulnerability Details

A Denial of Service vulnerability exists in qs up to 6.8.0 due to insufficient sanitization of property in the gs.parse function. The merge() function allows the assignment of properties on an array in the query. For any property being assigned, a value in the array is converted to an object containing these properties. Essentially, this means that the property whose expected type is Array always has to be checked with Array.isArray() by the user. This may not be obvious to the user and can cause unexpected behavior.
WhiteSource Note: After conducting further research, WhiteSource has determined that versions 0.0.1--6.10.3 of qs are vulnerable to CVE-2021-44907.

Publish Date: 2022-03-17

URL: CVE-2021-44907

CVSS 3 Score Details (3.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: Low
  • Availability Impact: None

Vulnerable Libraries - ansi-regex-4.1.0.tgz, ansi-regex-3.0.0.tgz, ansi-regex-5.0.0.tgz

Found in HEAD commit: 14f323dcad6382af4c36a845b42d942afa6dcea9

Found in base branch: master

Vulnerability Details

ansi-regex is vulnerable to Inefficient Regular Expression Complexity

Publish Date: 2021-09-17

URL: CVE-2021-3807

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://huntr.dev/bounties/5b3cf33b-ede0-4398-9974-800876dfd994/

Release Date: 2021-09-17

Fix Resolution (ansi-regex): 4.1.1

Direct dependency fix Resolution (eslint): 7.16.0

Fix Resolution (ansi-regex): 5.0.1

Direct dependency fix Resolution (eslint): 7.0.0-alpha.0

• ✅ Travis CI - Branch: The build passed.
• ❌ WhiteSource Security Check: Oops! An error occurred while running the Security Check.

The new version differs by 99 commits.

• cccf84e Publish
• 69f30df Merge pull request #2030 from brianc/bmc/add-pg-cursor
• b14cf67 Remove postgres 9.1 from test matrix - json is not supported
• 57177d7 Use public npm - accidentally had my work npm configured
• 5c0c93c Remove nested travis file
• 423baa6 Update lint rules for pg-cursor
• 37d1574 Add 'packages/pg-cursor/' from commit '492fbdbb65f6f33396d1017fa4cdbbb247dd3895'
• 492fbdb Merge branch 'juneidysoo-master'
• e20d012 Merge branch 'master' of https://github.com/juneidysoo/node-pg-cursor into juneidysoo-master
• e34c602 Merge pull request #32 from hetul/fix-closing-finished-connections
• 124c89b fix lint issues
• 3790609 Bump version
• 5055b3a Merge pull request #58 from brianc/bmc/add-test-and-deprecate-method
• cedce4b Fix lint & enable all tests
• 507c7ea Merge branch 'master' into bmc/add-test-and-deprecate-method

There are 99 commits in total.

See the full diff

There is a collection of frequently asked questions. If those don’t help, you can always ask the humans behind Greenkeeper.

Vulnerable Library - dot-prop-4.2.0.tgz

Get, set, or delete a property from a nested object using a dot path

Library home page: https://registry.npmjs.org/dot-prop/-/dot-prop-4.2.0.tgz

Path to dependency file: /tmp/ws-scm/node-express-postgre/package.json

Path to vulnerable library: /tmp/ws-scm/node-express-postgre/node_modules/dot-prop/package.json

Dependency Hierarchy:

• nodemon-2.0.2.tgz (Root Library)
  • update-notifier-2.5.0.tgz
    • configstore-3.1.2.tgz
      • ❌ dot-prop-4.2.0.tgz (Vulnerable Library)

Found in HEAD commit: e0ce2bd853e906818484ba53199569f35b4c97af

Vulnerability Details

Prototype pollution vulnerability in dot-prop npm package version 5.1.0 and earlier allows an attacker to add arbitrary properties to JavaScript language constructs such as objects.

Publish Date: 2020-02-04

URL: CVE-2020-8116

CVSS 2 Score Details (5.0)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8116

Release Date: 2020-02-04

Fix Resolution: dot-prop - 5.1.1

Vulnerable Library - minimist-0.0.8.tgz

parse argument options

Library home page: https://registry.npmjs.org/minimist/-/minimist-0.0.8.tgz

Path to dependency file: node-express-postgre/package.json

Path to vulnerable library: node-express-postgre/node_modules/mkdirp/node_modules/minimist/package.json

Dependency Hierarchy:

• eslint-6.8.0.tgz (Root Library)
  • mkdirp-0.5.1.tgz
    • ❌ minimist-0.0.8.tgz (Vulnerable Library)

Found in HEAD commit: f79775576b94c542e0e6d8c10e96faef43c5627c

Found in base branch: master

Vulnerability Details

minimist before 1.2.2 could be tricked into adding or modifying properties of Object.prototype using a "constructor" or "proto" payload.

Publish Date: 2020-03-11

URL: CVE-2020-7598

CVSS 3 Score Details (5.6)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: https://github.com/substack/minimist/commit/63e7ed05aa4b1889ec2f3b196426db4500cbda94

Release Date: 2020-03-11

Fix Resolution: minimist - 0.2.1,1.2.3

• ❌ WhiteSource Security Check: Oops! An error occurred while running the Security Check.

The build

• 0e0b784 Upgrade: espree@^6.1.1 (#12158) (Kevin Partington)
• 04e859f Sponsors: Sync README with website (ESLint Jenkins)
• 34783d1 Sponsors: Sync README with website (ESLint Jenkins)
• b809e72 Docs: Update README team and sponsors (ESLint Jenkins)

The new version differs by 6 commits.

• ca658fb 6.2.2
• 3ed9f76 Build: changelog update for 6.2.2
• 0e0b784 Upgrade: espree@^6.1.1 (#12158)
• 04e859f Sponsors: Sync README with website
• 34783d1 Sponsors: Sync README with website
• b809e72 Docs: Update README team and sponsors

See the full diff

There is a collection of frequently asked questions. If those don’t help, you can always ask the humans behind Greenkeeper.

Vulnerable Library - lodash-4.17.15.tgz

Lodash modular utilities.

Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.15.tgz

Path to dependency file: node-express-postgre/package.json

Path to vulnerable library: node-express-postgre/node_modules/lodash/package.json

Dependency Hierarchy:

• eslint-6.8.0.tgz (Root Library)
  • ❌ lodash-4.17.15.tgz (Vulnerable Library)

Found in HEAD commit: c3a8bd72bd1494ac15fa3c5246e28014b6ffe7a2

Found in base branch: master

Vulnerability Details

Lodash versions prior to 4.17.21 are vulnerable to Regular Expression Denial of Service (ReDoS) via the toNumber, trim and trimEnd functions.

Publish Date: 2021-02-15

URL: CVE-2020-28500

CVSS 3 Score Details (5.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28500

Release Date: 2021-02-15

Fix Resolution: lodash-4.17.21

Vulnerable Library - sequelize-6.21.0.tgz

Sequelize is a promise-based Node.js ORM tool for Postgres, MySQL, MariaDB, SQLite, Microsoft SQL Server, Amazon Redshift and Snowflake’s Data Cloud. It features solid transaction support, relations, eager and lazy loading, read replication and more.

Library home page: https://registry.npmjs.org/sequelize/-/sequelize-6.21.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/sequelize/package.json

Dependency Hierarchy:

• ❌ sequelize-6.21.0.tgz (Vulnerable Library)

Found in HEAD commit: 14f323dcad6382af4c36a845b42d942afa6dcea9

Found in base branch: master

Vulnerability Details

Due to improper artibute filtering in the sequalize js library, can a attacker peform SQL injections.

Publish Date: 2023-02-16

URL: CVE-2023-22578

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-f598-mfpv-gmfx

Release Date: 2023-02-16

Fix Resolution: 6.29.0