capitalone / acronym-decoder
Acronym Decoder
License: Apache License 2.0
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/minimatch/package.json
Found in HEAD commit: 42b56e18cf2359a754885c013e12841d91dec9fb
CVE | Severity | CVSS | Dependency | Type | Fixed in (node-sass version) | Remediation Available |
---|---|---|---|---|---|---|
CVE-2022-3517 | High | 7.5 | minimatch-3.0.4.tgz | Transitive | N/A* | ❌ |
CVE-2022-25883 | Medium | 5.3 | semver-7.3.5.tgz | Transitive | N/A* | ❌ |
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
a glob matcher in javascript
Library home page: https://registry.npmjs.org/minimatch/-/minimatch-3.0.4.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/minimatch/package.json
Dependency Hierarchy:
Found in HEAD commit: 42b56e18cf2359a754885c013e12841d91dec9fb
Found in base branch: master
A vulnerability was found in the minimatch package. This flaw allows a Regular Expression Denial of Service (ReDoS) when calling the braceExpand function with specific arguments, resulting in a Denial of Service.
Publish Date: 2022-10-17
URL: CVE-2022-3517
Base Score Metrics:
Type: Upgrade version
Release Date: 2022-10-17
Fix Resolution: minimatch - 3.0.5
The semantic version parser used by npm.
Library home page: https://registry.npmjs.org/semver/-/semver-7.3.5.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/semver/package.json
Dependency Hierarchy:
Found in HEAD commit: 42b56e18cf2359a754885c013e12841d91dec9fb
Found in base branch: master
Versions of the package semver before 7.5.2 are vulnerable to Regular Expression Denial of Service (ReDoS) via the function new Range, when untrusted user data is provided as a range.
Publish Date: 2023-06-21
URL: CVE-2022-25883
Base Score Metrics:
Type: Upgrade version
Release Date: 2023-06-21
Fix Resolution: semver - 7.5.2
Library home page: https://registry.npmjs.org/node-sass/-/node-sass-9.0.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/node-sass/package.json
CVE | Severity | CVSS | Dependency | Type | Fixed in (node-sass version) | Remediation Available |
---|---|---|---|---|---|---|
CVE-2018-19827 | High | 8.8 | node-sass-9.0.0.tgz | Direct | N/A | ❌ |
CVE-2018-11694 | High | 8.8 | node-sass-9.0.0.tgz | Direct | N/A | ❌ |
CVE-2018-11698 | High | 8.1 | node-sass-9.0.0.tgz | Direct | node-sass - 4.14.0 | ✅ |
CVE-2019-6286 | Medium | 6.5 | node-sass-9.0.0.tgz | Direct | N/A | ❌ |
CVE-2018-20190 | Medium | 6.5 | node-sass-9.0.0.tgz | Direct | N/A | ❌ |
CVE-2018-20821 | Medium | 6.5 | node-sass-9.0.0.tgz | Direct | Replace or update the following files: util_string.cpp, util_string.hpp, parser.hpp, parser.cpp | ❌ |
CVE-2018-19839 | Medium | 6.5 | node-sass-9.0.0.tgz | Direct | Replace or update the following files: checked.h, core.h | ❌ |
CVE-2019-6283 | Medium | 6.5 | node-sass-9.0.0.tgz | Direct | N/A | ❌ |
CVE-2018-19797 | Medium | 6.5 | node-sass-9.0.0.tgz | Direct | N/A | ❌ |
Library home page: https://registry.npmjs.org/node-sass/-/node-sass-9.0.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/node-sass/package.json
Dependency Hierarchy:
Found in base branch: master
In LibSass 3.5.5, a use-after-free vulnerability exists in the SharedPtr class in SharedPtr.cpp (or SharedPtr.hpp) that may cause a denial of service (application crash) or possibly have unspecified other impact.
Publish Date: 2018-12-03
URL: CVE-2018-19827
Base Score Metrics:
Library home page: https://registry.npmjs.org/node-sass/-/node-sass-9.0.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/node-sass/package.json
Dependency Hierarchy:
Found in base branch: master
An issue was discovered in LibSass through 3.5.4. A NULL pointer dereference was found in the function Sass::Functions::selector_append which could be leveraged by an attacker to cause a denial of service (application crash) or possibly have unspecified other impact.
Publish Date: 2018-06-04
URL: CVE-2018-11694
Base Score Metrics:
Library home page: https://registry.npmjs.org/node-sass/-/node-sass-9.0.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/node-sass/package.json
Dependency Hierarchy:
Found in base branch: master
An issue was discovered in LibSass through 3.5.4. An out-of-bounds read of a memory region was found in the function Sass::handle_error which could be leveraged by an attacker to disclose information or manipulated to read from unmapped memory causing a denial of service.
Publish Date: 2018-06-04
URL: CVE-2018-11698
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-r5m8-frrg-389w
Release Date: 2018-06-04
Fix Resolution: node-sass - 4.14.0
⛑️ Automatic Remediation is available for this issue
Library home page: https://registry.npmjs.org/node-sass/-/node-sass-9.0.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/node-sass/package.json
Dependency Hierarchy:
Found in base branch: master
In LibSass 3.5.5, a heap-based buffer over-read exists in Sass::Prelexer::skip_over_scopes in prelexer.hpp when called from Sass::Parser::parse_import(), a similar issue to CVE-2018-11693.
Publish Date: 2019-01-14
URL: CVE-2019-6286
Base Score Metrics:
Library home page: https://registry.npmjs.org/node-sass/-/node-sass-9.0.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/node-sass/package.json
Dependency Hierarchy:
Found in base branch: master
In LibSass 3.5.5, a NULL Pointer Dereference in the function Sass::Eval::operator()(Sass::Supports_Operator*) in eval.cpp may cause a Denial of Service (application crash) via a crafted sass input file.
Publish Date: 2018-12-17
URL: CVE-2018-20190
Base Score Metrics:
Library home page: https://registry.npmjs.org/node-sass/-/node-sass-9.0.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/node-sass/package.json
Dependency Hierarchy:
Found in base branch: master
The parsing component in LibSass through 3.5.5 allows attackers to cause a denial-of-service (uncontrolled recursion in Sass::Parser::parse_css_variable_value in parser.cpp).
Publish Date: 2019-04-23
URL: CVE-2018-20821
Base Score Metrics:
Type: Change files
Release Date: 2019-04-15
Fix Resolution: Replace or update the following files: util_string.cpp, util_string.hpp, parser.hpp, parser.cpp
Library home page: https://registry.npmjs.org/node-sass/-/node-sass-9.0.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/node-sass/package.json
Dependency Hierarchy:
Found in base branch: master
In LibSass prior to 3.5.5, the function handle_error in sass_context.cpp allows attackers to cause a denial-of-service resulting from a heap-based buffer over-read via a crafted sass file.
Publish Date: 2018-12-04
URL: CVE-2018-19839
Base Score Metrics:
Type: Change files
Release Date: 2018-11-28
Fix Resolution: Replace or update the following files: checked.h, core.h
Library home page: https://registry.npmjs.org/node-sass/-/node-sass-9.0.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/node-sass/package.json
Dependency Hierarchy:
Found in base branch: master
In LibSass 3.5.5, a heap-based buffer over-read exists in Sass::Prelexer::parenthese_scope in prelexer.hpp.
Publish Date: 2019-01-14
URL: CVE-2019-6283
Base Score Metrics:
Library home page: https://registry.npmjs.org/node-sass/-/node-sass-9.0.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/node-sass/package.json
Dependency Hierarchy:
Found in base branch: master
In LibSass 3.5.5, a NULL Pointer Dereference in the function Sass::Selector_List::populate_extends in SharedPtr.hpp (used by ast.cpp and ast_selectors.cpp) may cause a Denial of Service (application crash) via a crafted sass input file.
Publish Date: 2018-12-03
URL: CVE-2018-19797
Base Score Metrics:
⛑️ Automatic Remediation is available for this issue.
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/braces/package.json
CVE | Severity | CVSS | Dependency | Type | Fixed in (sass version) | Remediation Possible** |
---|---|---|---|---|---|---|
CVE-2024-4068 | High | 7.5 | braces-3.0.2.tgz | Transitive | N/A* | ❌ |
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Bash-like brace expansion, implemented in JavaScript. Safer than other brace expansion libs, with complete support for the Bash 4.3 braces specification, without sacrificing speed.
Library home page: https://registry.npmjs.org/braces/-/braces-3.0.2.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/braces/package.json
Dependency Hierarchy:
Found in base branch: master
The NPM package braces fails to limit the number of characters it can handle, which could lead to Memory Exhaustion. In lib/parse.js, if a malicious user sends "imbalanced braces" as input, the parsing will enter a loop, which will cause the program to start allocating heap memory without freeing it at any moment of the loop. Eventually, the JavaScript heap limit is reached, and the program will crash.
Publish Date: 2024-05-14
URL: CVE-2024-4068
Base Score Metrics:
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/scss-tokenizer/package.json
CVE | Severity | CVSS | Dependency | Type | Fixed in (node-sass version) | Remediation Available |
---|---|---|---|---|---|---|
CVE-2022-25758 | High | 7.5 | scss-tokenizer-0.3.0.tgz | Transitive | 7.0.2 | ✅ |
CVE-2022-3517 | High | 7.5 | minimatch-3.0.4.tgz | Transitive | N/A* | ❌ |
CVE-2022-25881 | High | 7.5 | http-cache-semantics-4.1.0.tgz | Transitive | 7.0.2 | ✅ |
CVE-2023-28155 | Medium | 6.1 | request-2.88.2.tgz | Transitive | N/A* | ❌ |
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
A tokenizer for Sass' SCSS syntax
Library home page: https://registry.npmjs.org/scss-tokenizer/-/scss-tokenizer-0.3.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/scss-tokenizer/package.json
Dependency Hierarchy:
Found in base branch: master
All versions of package scss-tokenizer are vulnerable to Regular Expression Denial of Service (ReDoS) via the loadAnnotation() function, due to the usage of insecure regex.
Publish Date: 2022-07-01
URL: CVE-2022-25758
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-7mwh-4pqv-wmr8
Release Date: 2022-07-01
Fix Resolution (scss-tokenizer): 0.4.3
Direct dependency fix Resolution (node-sass): 7.0.2
⛑️ Automatic Remediation is available for this issue
a glob matcher in javascript
Library home page: https://registry.npmjs.org/minimatch/-/minimatch-3.0.4.tgz
Dependency Hierarchy:
Found in base branch: master
A vulnerability was found in the minimatch package. This flaw allows a Regular Expression Denial of Service (ReDoS) when calling the braceExpand function with specific arguments, resulting in a Denial of Service.
Publish Date: 2022-10-17
URL: CVE-2022-3517
Base Score Metrics:
Type: Upgrade version
Release Date: 2022-10-17
Fix Resolution: minimatch - 3.0.5
Parses Cache-Control and other headers. Helps building correct HTTP caches and proxies
Library home page: https://registry.npmjs.org/http-cache-semantics/-/http-cache-semantics-4.1.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/http-cache-semantics/package.json
Dependency Hierarchy:
Found in base branch: master
This affects versions of the package http-cache-semantics before 4.1.1. The issue can be exploited via malicious request header values sent to a server, when that server reads the cache policy from the request using this library.
Publish Date: 2023-01-31
URL: CVE-2022-25881
Base Score Metrics:
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2022-25881
Release Date: 2023-01-31
Fix Resolution (http-cache-semantics): 4.1.1
Direct dependency fix Resolution (node-sass): 7.0.2
⛑️ Automatic Remediation is available for this issue
Simplified HTTP request client.
Library home page: https://registry.npmjs.org/request/-/request-2.88.2.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/request/package.json
Dependency Hierarchy:
Found in base branch: master
** UNSUPPORTED WHEN ASSIGNED ** The Request package through 2.88.1 for Node.js allows a bypass of SSRF mitigations via an attacker-controlled server that does a cross-protocol redirect (HTTP to HTTPS, or HTTPS to HTTP). NOTE: This vulnerability only affects products that are no longer supported by the maintainer.
Publish Date: 2023-03-16
URL: CVE-2023-28155
Base Score Metrics:
⛑️ Automatic Remediation is available for this issue.
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/braces/package.json,/package.json
Found in HEAD commit: 5b37fdd23dd05cd85bb7a274e0cb2c6d680b5c00
CVE | Severity | CVSS | Dependency | Type | Fixed in (sass version) | Remediation Possible** |
---|---|---|---|---|---|---|
CVE-2024-4068 | High | 7.5 | braces-3.0.2.tgz | Transitive | N/A* | ❌ |
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Bash-like brace expansion, implemented in JavaScript. Safer than other brace expansion libs, with complete support for the Bash 4.3 braces specification, without sacrificing speed.
Library home page: https://registry.npmjs.org/braces/-/braces-3.0.2.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/braces/package.json,/package.json
Dependency Hierarchy:
Found in HEAD commit: 5b37fdd23dd05cd85bb7a274e0cb2c6d680b5c00
Found in base branch: master
The NPM package braces fails to limit the number of characters it can handle, which could lead to Memory Exhaustion. In lib/parse.js, if a malicious user sends "imbalanced braces" as input, the parsing will enter a loop, which will cause the program to start allocating heap memory without freeing it at any moment of the loop. Eventually, the JavaScript heap limit is reached, and the program will crash.
Publish Date: 2024-05-14
URL: CVE-2024-4068
Base Score Metrics:
Please update the License Headers so that the lines get broken in the right place as follows. Currently the line is breaking before LLC which is incorrect.
SPDX-Copyright: Copyright (c) Capital One Services,LLC
SPDX-License-Identifier: Apache-2.0
Path to dependency file: /package.json
Path to vulnerable library: /package.json
CVE | Severity | CVSS | Dependency | Type | Fixed in (crypto-browserify version) | Remediation Possible** |
---|---|---|---|---|---|---|
CVE-2023-46234 | High | 7.5 | browserify-sign-4.2.1.tgz | Transitive | N/A* | ❌ |
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
adds node crypto signing for browsers
Library home page: https://registry.npmjs.org/browserify-sign/-/browserify-sign-4.2.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
Found in base branch: master
browserify-sign is a package to duplicate the functionality of node's crypto public key functions, much of this is based on Fedor Indutny's work on indutny/tls.js. An upper bound check issue in the dsaVerify function allows an attacker to construct signatures that can be successfully verified by any public key, thus leading to a signature forgery attack. All places in this project that involve DSA verification of user-input signatures will be affected by this vulnerability. This issue has been patched in version 4.2.2.
Publish Date: 2023-10-26
URL: CVE-2023-46234
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-x9w5-v3q2-3rhw
Release Date: 2023-10-26
Fix Resolution: browserify-sign - 4.2.2
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/micromatch/package.json,/package.json
Found in HEAD commit: 5b37fdd23dd05cd85bb7a274e0cb2c6d680b5c00
CVE | Severity | CVSS | Dependency | Type | Fixed in (patch-package version) | Remediation Possible** |
---|---|---|---|---|---|---|
CVE-2024-4067 | High | 7.5 | micromatch-4.0.5.tgz | Transitive | N/A* | ❌ |
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Glob matching for javascript/node.js. A replacement and faster alternative to minimatch and multimatch.
Library home page: https://registry.npmjs.org/micromatch/-/micromatch-4.0.5.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/micromatch/package.json,/package.json
Dependency Hierarchy:
Found in HEAD commit: 5b37fdd23dd05cd85bb7a274e0cb2c6d680b5c00
Found in base branch: master
The NPM package micromatch is vulnerable to Regular Expression Denial of Service (ReDoS). The vulnerability occurs in micromatch.braces() in index.js because the pattern .* will greedily match anything. By passing a malicious payload, the pattern matching will keep backtracking to the input while it doesn't find the closing bracket. As the input size increases, the consumption time will also increase until it causes the application to hang or slow down. There was a merged fix but further testing shows the issue persists. This issue should be mitigated by using a safe pattern that won't start backtracking the regular expression due to greedy matching.
Publish Date: 2024-05-14
URL: CVE-2024-4067
Base Score Metrics:
hey guys, former c1 associate here. two questions:
Tests whether one path is inside another path
Library home page: https://registry.npmjs.org/path-is-inside/-/path-is-inside-1.0.2.tgz
Path to dependency file: /package.json
Path to library: /node_modules/path-is-inside/package.json
Dependency Hierarchy:
Found in HEAD commit: abfaf096fa72d83433e8818d0904e98225ce913e
Found in base branch: master
MIT
License Reference File: https://github.com/domenic/path-is-inside
WTFPL
License Reference File: https://github.com/domenic/path-is-inside
⛔ License Policy Violation - Banned License: Remove the use of library under a critical severity license that cannot be used at Capital One
look into upgrading the package for hapijs / hoek to remediate the potential security concern.
Please add trusted reviewers to your code owners file and write team if necessary. Thanks!
Nice tool! What do you guys think about giving users the ability to add an acronym and definition? Also, when used within an organization, what's the best way to distribute it to a large audience? Should I be sending the "dist" folder to everyone and asking them to load it into their Chrome extensions?
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/micromatch/package.json
CVE | Severity | CVSS | Dependency | Type | Fixed in (patch-package version) | Remediation Possible** |
---|---|---|---|---|---|---|
CVE-2024-4067 | High | 7.5 | micromatch-4.0.5.tgz | Transitive | N/A* | ❌ |
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Glob matching for javascript/node.js. A replacement and faster alternative to minimatch and multimatch.
Library home page: https://registry.npmjs.org/micromatch/-/micromatch-4.0.5.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/micromatch/package.json
Dependency Hierarchy:
Found in base branch: master
The NPM package micromatch is vulnerable to Regular Expression Denial of Service (ReDoS). The vulnerability occurs in micromatch.braces() in index.js because the pattern .* will greedily match anything. By passing a malicious payload, the pattern matching will keep backtracking to the input while it doesn't find the closing bracket. As the input size increases, the consumption time will also increase until it causes the application to hang or slow down. There was a merged fix but further testing shows the issue persists. This issue should be mitigated by using a safe pattern that won't start backtracking the regular expression due to greedy matching.
Publish Date: 2024-05-14
URL: CVE-2024-4067
Base Score Metrics: