acronym-decoder's Issues

node-sass-7.0.2.tgz: 2 vulnerabilities (highest severity is: 7.5) - autoclosed

Vulnerable Library - node-sass-7.0.2.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/minimatch/package.json

Found in HEAD commit: 42b56e18cf2359a754885c013e12841d91dec9fb

Vulnerabilities

CVE | Severity | CVSS | Dependency | Type | Fixed in (node-sass version) | Remediation Available
CVE-2022-3517 | High | 7.5 | minimatch-3.0.4.tgz | Transitive | N/A* |
CVE-2022-25883 | Medium | 5.3 | semver-7.3.5.tgz | Transitive | N/A* |

*For some transitive vulnerabilities, there is no version of the direct dependency with a fix. Check the "Details" section below to see if there is a version of the transitive dependency in which the vulnerability is fixed.

Details

CVE-2022-3517

Vulnerable Library - minimatch-3.0.4.tgz

a glob matcher in javascript

Library home page: https://registry.npmjs.org/minimatch/-/minimatch-3.0.4.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/minimatch/package.json

Dependency Hierarchy:

  • node-sass-7.0.2.tgz (Root Library)
    • glob-7.2.0.tgz
      • minimatch-3.0.4.tgz (Vulnerable Library)

Found in HEAD commit: 42b56e18cf2359a754885c013e12841d91dec9fb

Found in base branch: master

Vulnerability Details

A vulnerability was found in the minimatch package. This flaw allows a Regular Expression Denial of Service (ReDoS) when calling the braceExpand function with specific arguments, resulting in a Denial of Service.

Publish Date: 2022-10-17

URL: CVE-2022-3517

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2022-10-17

Fix Resolution: minimatch - 3.0.5

CVE-2022-25883

Vulnerable Library - semver-7.3.5.tgz

The semantic version parser used by npm.

Library home page: https://registry.npmjs.org/semver/-/semver-7.3.5.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/semver/package.json

Dependency Hierarchy:

  • node-sass-7.0.2.tgz (Root Library)
    • node-gyp-9.4.0.tgz
      • semver-7.3.5.tgz (Vulnerable Library)

Found in HEAD commit: 42b56e18cf2359a754885c013e12841d91dec9fb

Found in base branch: master

Vulnerability Details

Versions of the package semver before 7.5.2 are vulnerable to Regular Expression Denial of Service (ReDoS) via the function new Range, when untrusted user data is provided as a range.

Publish Date: 2023-06-21

URL: CVE-2022-25883

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: Low


Suggested Fix

Type: Upgrade version

Release Date: 2023-06-21

Fix Resolution: semver - 7.5.2

node-sass-9.0.0.tgz: 9 vulnerabilities (highest severity is: 8.8) - autoclosed

Vulnerable Library - node-sass-9.0.0.tgz

Library home page: https://registry.npmjs.org/node-sass/-/node-sass-9.0.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/node-sass/package.json

Vulnerabilities

CVE | Severity | CVSS | Dependency | Type | Fixed in (node-sass version) | Remediation Available
CVE-2018-19827 | High | 8.8 | node-sass-9.0.0.tgz | Direct | N/A |
CVE-2018-11694 | High | 8.8 | node-sass-9.0.0.tgz | Direct | N/A |
CVE-2018-11698 | High | 8.1 | node-sass-9.0.0.tgz | Direct | node-sass - 4.14.0 |
CVE-2019-6286 | Medium | 6.5 | node-sass-9.0.0.tgz | Direct | N/A |
CVE-2018-20190 | Medium | 6.5 | node-sass-9.0.0.tgz | Direct | N/A |
CVE-2018-20821 | Medium | 6.5 | node-sass-9.0.0.tgz | Direct | Replace or update the following files: util_string.cpp, util_string.hpp, parser.hpp, parser.cpp |
CVE-2018-19839 | Medium | 6.5 | node-sass-9.0.0.tgz | Direct | Replace or update the following files: checked.h, core.h |
CVE-2019-6283 | Medium | 6.5 | node-sass-9.0.0.tgz | Direct | N/A |
CVE-2018-19797 | Medium | 6.5 | node-sass-9.0.0.tgz | Direct | N/A |

Details

CVE-2018-19827

Vulnerable Library - node-sass-9.0.0.tgz

Library home page: https://registry.npmjs.org/node-sass/-/node-sass-9.0.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/node-sass/package.json

Dependency Hierarchy:

  • node-sass-9.0.0.tgz (Vulnerable Library)

Found in base branch: master

Vulnerability Details

In LibSass 3.5.5, a use-after-free vulnerability exists in the SharedPtr class in SharedPtr.cpp (or SharedPtr.hpp) that may cause a denial of service (application crash) or possibly have unspecified other impact.

Publish Date: 2018-12-03

URL: CVE-2018-19827

CVSS 3 Score Details (8.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High


CVE-2018-11694

Vulnerable Library - node-sass-9.0.0.tgz

Library home page: https://registry.npmjs.org/node-sass/-/node-sass-9.0.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/node-sass/package.json

Dependency Hierarchy:

  • node-sass-9.0.0.tgz (Vulnerable Library)

Found in base branch: master

Vulnerability Details

An issue was discovered in LibSass through 3.5.4. A NULL pointer dereference was found in the function Sass::Functions::selector_append which could be leveraged by an attacker to cause a denial of service (application crash) or possibly have unspecified other impact.

Publish Date: 2018-06-04

URL: CVE-2018-11694

CVSS 3 Score Details (8.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High


CVE-2018-11698

Vulnerable Library - node-sass-9.0.0.tgz

Library home page: https://registry.npmjs.org/node-sass/-/node-sass-9.0.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/node-sass/package.json

Dependency Hierarchy:

  • node-sass-9.0.0.tgz (Vulnerable Library)

Found in base branch: master

Vulnerability Details

An issue was discovered in LibSass through 3.5.4. An out-of-bounds read of a memory region was found in the function Sass::handle_error which could be leveraged by an attacker to disclose information or manipulated to read from unmapped memory causing a denial of service.

Publish Date: 2018-06-04

URL: CVE-2018-11698

CVSS 3 Score Details (8.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: GHSA-r5m8-frrg-389w

Release Date: 2018-06-04

Fix Resolution: node-sass - 4.14.0

⛑️ Automatic Remediation is available for this issue

CVE-2019-6286

Vulnerable Library - node-sass-9.0.0.tgz

Library home page: https://registry.npmjs.org/node-sass/-/node-sass-9.0.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/node-sass/package.json

Dependency Hierarchy:

  • node-sass-9.0.0.tgz (Vulnerable Library)

Found in base branch: master

Vulnerability Details

In LibSass 3.5.5, a heap-based buffer over-read exists in Sass::Prelexer::skip_over_scopes in prelexer.hpp when called from Sass::Parser::parse_import(), a similar issue to CVE-2018-11693.

Publish Date: 2019-01-14

URL: CVE-2019-6286

CVSS 3 Score Details (6.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High


CVE-2018-20190

Vulnerable Library - node-sass-9.0.0.tgz

Library home page: https://registry.npmjs.org/node-sass/-/node-sass-9.0.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/node-sass/package.json

Dependency Hierarchy:

  • node-sass-9.0.0.tgz (Vulnerable Library)

Found in base branch: master

Vulnerability Details

In LibSass 3.5.5, a NULL Pointer Dereference in the function Sass::Eval::operator()(Sass::Supports_Operator*) in eval.cpp may cause a Denial of Service (application crash) via a crafted sass input file.

Publish Date: 2018-12-17

URL: CVE-2018-20190

CVSS 3 Score Details (6.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High


CVE-2018-20821

Vulnerable Library - node-sass-9.0.0.tgz

Library home page: https://registry.npmjs.org/node-sass/-/node-sass-9.0.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/node-sass/package.json

Dependency Hierarchy:

  • node-sass-9.0.0.tgz (Vulnerable Library)

Found in base branch: master

Vulnerability Details

The parsing component in LibSass through 3.5.5 allows attackers to cause a denial-of-service (uncontrolled recursion in Sass::Parser::parse_css_variable_value in parser.cpp).

Publish Date: 2019-04-23

URL: CVE-2018-20821

CVSS 3 Score Details (6.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High


Suggested Fix

Type: Change files

Release Date: 2019-04-15

Fix Resolution: Replace or update the following files: util_string.cpp, util_string.hpp, parser.hpp, parser.cpp

CVE-2018-19839

Vulnerable Library - node-sass-9.0.0.tgz

Library home page: https://registry.npmjs.org/node-sass/-/node-sass-9.0.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/node-sass/package.json

Dependency Hierarchy:

  • node-sass-9.0.0.tgz (Vulnerable Library)

Found in base branch: master

Vulnerability Details

In LibSass prior to 3.5.5, the function handle_error in sass_context.cpp allows attackers to cause a denial-of-service resulting from a heap-based buffer over-read via a crafted sass file.

Publish Date: 2018-12-04

URL: CVE-2018-19839

CVSS 3 Score Details (6.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High


Suggested Fix

Type: Change files

Release Date: 2018-11-28

Fix Resolution: Replace or update the following files: checked.h, core.h

CVE-2019-6283

Vulnerable Library - node-sass-9.0.0.tgz

Library home page: https://registry.npmjs.org/node-sass/-/node-sass-9.0.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/node-sass/package.json

Dependency Hierarchy:

  • node-sass-9.0.0.tgz (Vulnerable Library)

Found in base branch: master

Vulnerability Details

In LibSass 3.5.5, a heap-based buffer over-read exists in Sass::Prelexer::parenthese_scope in prelexer.hpp.

Publish Date: 2019-01-14

URL: CVE-2019-6283

CVSS 3 Score Details (6.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High


CVE-2018-19797

Vulnerable Library - node-sass-9.0.0.tgz

Library home page: https://registry.npmjs.org/node-sass/-/node-sass-9.0.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/node-sass/package.json

Dependency Hierarchy:

  • node-sass-9.0.0.tgz (Vulnerable Library)

Found in base branch: master

Vulnerability Details

In LibSass 3.5.5, a NULL Pointer Dereference in the function Sass::Selector_List::populate_extends in SharedPtr.hpp (used by ast.cpp and ast_selectors.cpp) may cause a Denial of Service (application crash) via a crafted sass input file.

Publish Date: 2018-12-03

URL: CVE-2018-19797

CVSS 3 Score Details (6.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High



⛑️ Automatic Remediation is available for this issue.

sass-1.64.2.tgz: 1 vulnerability (highest severity is: 7.5) - autoclosed

Vulnerable Library - sass-1.64.2.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/braces/package.json

Vulnerabilities

CVE | Severity | CVSS | Dependency | Type | Fixed in (sass version) | Remediation Possible**
CVE-2024-4068 | High | 7.5 | braces-3.0.2.tgz | Transitive | N/A* |

*For some transitive vulnerabilities, there is no version of the direct dependency with a fix. Check the "Details" section below to see if there is a version of the transitive dependency in which the vulnerability is fixed.

**In some cases, a remediation PR cannot be created automatically for a vulnerability even though a remediation is available.

Details

CVE-2024-4068

Vulnerable Library - braces-3.0.2.tgz

Bash-like brace expansion, implemented in JavaScript. Safer than other brace expansion libs, with complete support for the Bash 4.3 braces specification, without sacrificing speed.

Library home page: https://registry.npmjs.org/braces/-/braces-3.0.2.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/braces/package.json

Dependency Hierarchy:

  • sass-1.64.2.tgz (Root Library)
    • chokidar-3.5.3.tgz
      • braces-3.0.2.tgz (Vulnerable Library)

Found in base branch: master

Vulnerability Details

The NPM package braces fails to limit the number of characters it can handle, which could lead to Memory Exhaustion. In lib/parse.js, if a malicious user sends "imbalanced braces" as input, the parsing will enter a loop, which will cause the program to start allocating heap memory without freeing it at any moment of the loop. Eventually, the JavaScript heap limit is reached, and the program will crash.

Publish Date: 2024-05-14

URL: CVE-2024-4068

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High


node-sass-7.0.1.tgz: 4 vulnerabilities (highest severity is: 7.5) - autoclosed

Vulnerable Library - node-sass-7.0.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/scss-tokenizer/package.json

Vulnerabilities

CVE | Severity | CVSS | Dependency | Type | Fixed in (node-sass version) | Remediation Available
CVE-2022-25758 | High | 7.5 | scss-tokenizer-0.3.0.tgz | Transitive | 7.0.2 |
CVE-2022-3517 | High | 7.5 | minimatch-3.0.4.tgz | Transitive | N/A* |
CVE-2022-25881 | High | 7.5 | http-cache-semantics-4.1.0.tgz | Transitive | 7.0.2 |
CVE-2023-28155 | Medium | 6.1 | request-2.88.2.tgz | Transitive | N/A* |

*For some transitive vulnerabilities, there is no version of the direct dependency with a fix. Check the "Details" section below to see if there is a version of the transitive dependency in which the vulnerability is fixed.

Details

CVE-2022-25758

Vulnerable Library - scss-tokenizer-0.3.0.tgz

A tokenzier for Sass' SCSS syntax

Library home page: https://registry.npmjs.org/scss-tokenizer/-/scss-tokenizer-0.3.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/scss-tokenizer/package.json

Dependency Hierarchy:

  • node-sass-7.0.1.tgz (Root Library)
    • sass-graph-4.0.0.tgz
      • scss-tokenizer-0.3.0.tgz (Vulnerable Library)

Found in base branch: master

Vulnerability Details

All versions of package scss-tokenizer are vulnerable to Regular Expression Denial of Service (ReDoS) via the loadAnnotation() function, due to the usage of insecure regex.

Publish Date: 2022-07-01

URL: CVE-2022-25758

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: GHSA-7mwh-4pqv-wmr8

Release Date: 2022-07-01

Fix Resolution (scss-tokenizer): 0.4.3

Direct dependency fix Resolution (node-sass): 7.0.2

⛑️ Automatic Remediation is available for this issue

CVE-2022-3517

Vulnerable Library - minimatch-3.0.4.tgz

a glob matcher in javascript

Library home page: https://registry.npmjs.org/minimatch/-/minimatch-3.0.4.tgz

Dependency Hierarchy:

  • node-sass-7.0.1.tgz (Root Library)
    • glob-7.2.0.tgz
      • minimatch-3.0.4.tgz (Vulnerable Library)

Found in base branch: master

Vulnerability Details

A vulnerability was found in the minimatch package. This flaw allows a Regular Expression Denial of Service (ReDoS) when calling the braceExpand function with specific arguments, resulting in a Denial of Service.

Publish Date: 2022-10-17

URL: CVE-2022-3517

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Release Date: 2022-10-17

Fix Resolution: minimatch - 3.0.5

CVE-2022-25881

Vulnerable Library - http-cache-semantics-4.1.0.tgz

Parses Cache-Control and other headers. Helps building correct HTTP caches and proxies

Library home page: https://registry.npmjs.org/http-cache-semantics/-/http-cache-semantics-4.1.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/http-cache-semantics/package.json

Dependency Hierarchy:

  • node-sass-7.0.1.tgz (Root Library)
    • node-gyp-8.4.1.tgz
      • make-fetch-happen-9.1.0.tgz
        • http-cache-semantics-4.1.0.tgz (Vulnerable Library)

Found in base branch: master

Vulnerability Details

This affects versions of the package http-cache-semantics before 4.1.1. The issue can be exploited via malicious request header values sent to a server, when that server reads the cache policy from the request using this library.

Publish Date: 2023-01-31

URL: CVE-2022-25881

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2022-25881

Release Date: 2023-01-31

Fix Resolution (http-cache-semantics): 4.1.1

Direct dependency fix Resolution (node-sass): 7.0.2

⛑️ Automatic Remediation is available for this issue

CVE-2023-28155

Vulnerable Library - request-2.88.2.tgz

Simplified HTTP request client.

Library home page: https://registry.npmjs.org/request/-/request-2.88.2.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/request/package.json

Dependency Hierarchy:

  • node-sass-7.0.1.tgz (Root Library)
    • request-2.88.2.tgz (Vulnerable Library)

Found in base branch: master

Vulnerability Details

** UNSUPPORTED WHEN ASSIGNED ** The Request package through 2.88.1 for Node.js allows a bypass of SSRF mitigations via an attacker-controlled server that does a cross-protocol redirect (HTTP to HTTPS, or HTTPS to HTTP). NOTE: This vulnerability only affects products that are no longer supported by the maintainer.

Publish Date: 2023-03-16

URL: CVE-2023-28155

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None



⛑️ Automatic Remediation is available for this issue.

sass-1.77.1.tgz: 1 vulnerability (highest severity is: 7.5) - autoclosed

Vulnerable Library - sass-1.77.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/braces/package.json,/package.json

Found in HEAD commit: 5b37fdd23dd05cd85bb7a274e0cb2c6d680b5c00

Vulnerabilities

CVE | Severity | CVSS | Dependency | Type | Fixed in (sass version) | Remediation Possible**
CVE-2024-4068 | High | 7.5 | braces-3.0.2.tgz | Transitive | N/A* |

*For some transitive vulnerabilities, there is no version of the direct dependency with a fix. Check the "Details" section below to see if there is a version of the transitive dependency in which the vulnerability is fixed.

**In some cases, a remediation PR cannot be created automatically for a vulnerability even though a remediation is available.

Details

CVE-2024-4068

Vulnerable Library - braces-3.0.2.tgz

Bash-like brace expansion, implemented in JavaScript. Safer than other brace expansion libs, with complete support for the Bash 4.3 braces specification, without sacrificing speed.

Library home page: https://registry.npmjs.org/braces/-/braces-3.0.2.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/braces/package.json,/package.json

Dependency Hierarchy:

  • sass-1.77.1.tgz (Root Library)
    • chokidar-3.5.3.tgz
      • braces-3.0.2.tgz (Vulnerable Library)

Found in HEAD commit: 5b37fdd23dd05cd85bb7a274e0cb2c6d680b5c00

Found in base branch: master

Vulnerability Details

The NPM package braces fails to limit the number of characters it can handle, which could lead to Memory Exhaustion. In lib/parse.js, if a malicious user sends "imbalanced braces" as input, the parsing will enter a loop, which will cause the program to start allocating heap memory without freeing it at any moment of the loop. Eventually, the JavaScript heap limit is reached, and the program will crash.

Publish Date: 2024-05-14

URL: CVE-2024-4068

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High


Update the SPDX License Headers

Please update the License Headers so that the lines get broken in the right place, as follows. Currently the line is breaking before LLC, which is incorrect.

SPDX-Copyright: Copyright (c) Capital One Services,LLC
SPDX-License-Identifier: Apache-2.0

crypto-browserify-3.12.0.tgz: 1 vulnerability (highest severity is: 7.5) - autoclosed

Vulnerable Library - crypto-browserify-3.12.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Vulnerabilities

CVE | Severity | CVSS | Dependency | Type | Fixed in (crypto-browserify version) | Remediation Possible**
CVE-2023-46234 | High | 7.5 | browserify-sign-4.2.1.tgz | Transitive | N/A* |

*For some transitive vulnerabilities, there is no version of the direct dependency with a fix. Check the "Details" section below to see if there is a version of the transitive dependency in which the vulnerability is fixed.

**In some cases, a remediation PR cannot be created automatically for a vulnerability even though a remediation is available.

Details

CVE-2023-46234

Vulnerable Library - browserify-sign-4.2.1.tgz

adds node crypto signing for browsers

Library home page: https://registry.npmjs.org/browserify-sign/-/browserify-sign-4.2.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

  • crypto-browserify-3.12.0.tgz (Root Library)
    • browserify-sign-4.2.1.tgz (Vulnerable Library)

Found in base branch: master

Vulnerability Details

browserify-sign is a package to duplicate the functionality of node's crypto public key functions, much of this is based on Fedor Indutny's work on indutny/tls.js. An upper bound check issue in dsaVerify function allows an attacker to construct signatures that can be successfully verified by any public key, thus leading to a signature forgery attack. All places in this project that involve DSA verification of user-input signatures will be affected by this vulnerability. This issue has been patched in version 4.2.2.

Publish Date: 2023-10-26

URL: CVE-2023-46234

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: High
    • Availability Impact: None


Suggested Fix

Type: Upgrade version

Origin: GHSA-x9w5-v3q2-3rhw

Release Date: 2023-10-26

Fix Resolution: browserify-sign - 4.2.2

patch-package-8.0.0.tgz: 1 vulnerability (highest severity is: 7.5) - autoclosed

Vulnerable Library - patch-package-8.0.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/micromatch/package.json,/package.json

Found in HEAD commit: 5b37fdd23dd05cd85bb7a274e0cb2c6d680b5c00

Vulnerabilities

CVE | Severity | CVSS | Dependency | Type | Fixed in (patch-package version) | Remediation Possible**
CVE-2024-4067 | High | 7.5 | micromatch-4.0.5.tgz | Transitive | N/A* |

*For some transitive vulnerabilities, there is no version of the direct dependency with a fix. Check the "Details" section below to see if there is a version of the transitive dependency in which the vulnerability is fixed.

**In some cases, a remediation PR cannot be created automatically for a vulnerability even though a remediation is available.

Details

CVE-2024-4067

Vulnerable Library - micromatch-4.0.5.tgz

Glob matching for javascript/node.js. A replacement and faster alternative to minimatch and multimatch.

Library home page: https://registry.npmjs.org/micromatch/-/micromatch-4.0.5.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/micromatch/package.json,/package.json

Dependency Hierarchy:

  • patch-package-8.0.0.tgz (Root Library)
    • find-yarn-workspace-root-2.0.0.tgz
      • micromatch-4.0.5.tgz (Vulnerable Library)

Found in HEAD commit: 5b37fdd23dd05cd85bb7a274e0cb2c6d680b5c00

Found in base branch: master

Vulnerability Details

The NPM package micromatch is vulnerable to Regular Expression Denial of Service (ReDoS). The vulnerability occurs in micromatch.braces() in index.js because the pattern .* will greedily match anything. By passing a malicious payload, the pattern matching will keep backtracking to the input while it doesn't find the closing bracket. As the input size increases, the consumption time will also increase until it causes the application to hang or slow down. There was a merged fix but further testing shows the issue persists. This issue should be mitigated by using a safe pattern that won't start backtracking the regular expression due to greedy matching.

Publish Date: 2024-05-14

URL: CVE-2024-4067

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High


need help installing

hey guys, former c1 associates here. two questions:

  1. is this the code base for slurp?
  2. having below error when running npm install
    npm ERR! code 1
    npm ERR! path /Users/lyan/workspace/acronym-decoder/node_modules/node-sass
    npm ERR! command failed
    npm ERR! command sh -c node scripts/build.js
    npm ERR! Building: /usr/local/Cellar/node/17.2.0/bin/node /Users/lyan/workspace/acronym-decoder/node_modules/node-gyp/bin/node-gyp.js rebuild --verbose --libsass_ext= --libsass_cflags= --libsass_ldflags= --libsass_library=
    npm ERR! gyp info it worked if it ends with ok
    npm ERR! gyp verb cli [
    npm ERR! gyp verb cli '/usr/local/Cellar/node/17.2.0/bin/node',
    npm ERR! gyp verb cli '/Users/lyan/workspace/acronym-decoder/node_modules/node-gyp/bin/node-gyp.js',
    npm ERR! gyp verb cli 'rebuild',
    npm ERR! gyp verb cli '--verbose',
    npm ERR! gyp verb cli '--libsass_ext=',
    npm ERR! gyp verb cli '--libsass_cflags=',
    npm ERR! gyp verb cli '--libsass_ldflags=',
    npm ERR! gyp verb cli '--libsass_library='
    npm ERR! gyp verb cli ]

License Policy Violation detected in path-is-inside-1.0.2.tgz (Multiple Licenses)

Library - path-is-inside-1.0.2.tgz

Tests whether one path is inside another path

Library home page: https://registry.npmjs.org/path-is-inside/-/path-is-inside-1.0.2.tgz

Path to dependency file: /package.json

Path to library: /node_modules/path-is-inside/package.json

Dependency Hierarchy:

  • protractor-7.0.0.tgz (Root Library)
    • webdriver-manager-12.1.8.tgz
      • del-2.2.2.tgz
        • is-path-in-cwd-1.0.1.tgz
          • is-path-inside-1.0.1.tgz
            • path-is-inside-1.0.2.tgz (Library containing License Policy Violation)

Found in HEAD commit: abfaf096fa72d83433e8818d0904e98225ce913e

Found in base branch: master

📃 License Details

MIT
License Reference File: https://github.com/domenic/path-is-inside

WTFPL
License Reference File: https://github.com/domenic/path-is-inside

    ⛔ License Policy Violation - Banned License: Remove the use of a library under a critical-severity license that cannot be used at Capital One

Codeowners file

Please add trusted reviewers to your code owners file and write team if necessary. Thanks!

Add acronym and distributing

Nice tool! What do you guys think about giving users the ability to add an acronym and its definition? Also, when it is used within an organization, what's the best way to distribute it to a large audience? Should I be sending the "dist" folder to everyone and asking them to load it into their Chrome extensions?

patch-package-7.0.2.tgz: 1 vulnerability (highest severity is: 7.5) - autoclosed

Vulnerable Library - patch-package-7.0.2.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/micromatch/package.json

Vulnerabilities

CVE Severity CVSS Dependency Type Fixed in (patch-package version) Remediation Possible**
CVE-2024-4067 High 7.5 micromatch-4.0.5.tgz Transitive N/A*

*For some transitive vulnerabilities, there is no version of the direct dependency with a fix. Check the "Details" section below to see if there is a version of the transitive dependency where the vulnerability is fixed.

**In some cases, a Remediation PR cannot be created automatically for a vulnerability even though a remediation is available.

Details

CVE-2024-4067

Vulnerable Library - micromatch-4.0.5.tgz

Glob matching for javascript/node.js. A replacement and faster alternative to minimatch and multimatch.

Library home page: https://registry.npmjs.org/micromatch/-/micromatch-4.0.5.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/micromatch/package.json

Dependency Hierarchy:

  • patch-package-7.0.2.tgz (Root Library)
    • find-yarn-workspace-root-2.0.0.tgz
      • micromatch-4.0.5.tgz (Vulnerable Library)

Found in base branch: master

Vulnerability Details

The NPM package micromatch is vulnerable to Regular Expression Denial of Service (ReDoS). The vulnerability occurs in micromatch.braces() in index.js because the pattern .* greedily matches anything. Given a malicious payload, the matcher keeps backtracking over the input as long as it fails to find the closing bracket. As the input size increases, processing time increases until the application slows down or hangs. A fix was merged, but further testing shows the issue persists. The issue should be mitigated by using a safe pattern that does not backtrack due to greedy matching.

Publish Date: 2024-05-14

URL: CVE-2024-4067

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High
