carbonetes-lens-extension's People
Forkers: azurecloudmonk
carbonetes-lens-extension's Issues
CVE-2022-31129 (High) detected in moment-2.29.1.tgz - autoclosed
CVE-2022-31129 - High Severity Vulnerability
Vulnerable Library - moment-2.29.1.tgz
Parse, validate, manipulate, and display dates
Library home page: https://registry.npmjs.org/moment/-/moment-2.29.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/moment/package.json
Dependency Hierarchy:
❌ moment-2.29.1.tgz (Vulnerable Library)
Found in HEAD commit: b18053da1eb2a6dd2ed258afb2fba523d4173ad7
Found in base branch: main
Vulnerability Details
moment is a JavaScript date library for parsing, validating, manipulating, and formatting dates. Affected versions of moment were found to use an inefficient parsing algorithm. Specifically, using string-to-date parsing in moment (more specifically rfc2822 parsing, which is tried by default) has quadratic (N^2) complexity on specific inputs. Users may notice a slowdown with inputs above 10k characters. Users who pass user-provided strings without sanity length checks to the moment constructor are vulnerable to (Re)DoS attacks. The problem is patched in 2.29.4; the patch can be applied to all affected versions with minimal tweaking. Users are advised to upgrade. Users unable to upgrade should consider limiting date lengths accepted from user input.
Publish Date: 2022-07-06
URL: CVE-2022-31129
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-wc69-rhjr-hc9g
Release Date: 2022-07-06
Fix Resolution: moment - 2.29.4
Step up your Open Source Security Game with Mend here
CVE-2021-44906 (High) detected in minimist-1.2.5.tgz - autoclosed
CVE-2021-44906 - High Severity Vulnerability
Vulnerable Library - minimist-1.2.5.tgz
parse argument options
Library home page: https://registry.npmjs.org/minimist/-/minimist-1.2.5.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/minimist/package.json
Dependency Hierarchy:
- webpack-4.44.2.tgz (Root Library)
  - mkdirp-0.5.5.tgz
    - ❌ minimist-1.2.5.tgz (Vulnerable Library)
Found in HEAD commit: b18053da1eb2a6dd2ed258afb2fba523d4173ad7
Found in base branch: main
Vulnerability Details
Minimist <=1.2.5 is vulnerable to Prototype Pollution via file index.js, function setKey() (lines 69-95).
Publish Date: 2022-03-17
URL: CVE-2021-44906
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Release Date: 2022-03-17
Fix Resolution (minimist): 1.2.6
Direct dependency fix Resolution (webpack): 4.45.0
CVE-2020-28469 (High) detected in glob-parent-3.1.0.tgz - autoclosed
CVE-2020-28469 - High Severity Vulnerability
Vulnerable Library - glob-parent-3.1.0.tgz
Strips glob magic from a string to provide the parent directory path
Library home page: https://registry.npmjs.org/glob-parent/-/glob-parent-3.1.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/watchpack-chokidar2/node_modules/glob-parent/package.json
Dependency Hierarchy:
- webpack-4.44.2.tgz (Root Library)
  - watchpack-1.7.4.tgz
    - watchpack-chokidar2-2.0.0.tgz
      - chokidar-2.1.8.tgz
        - ❌ glob-parent-3.1.0.tgz (Vulnerable Library)
Found in HEAD commit: b18053da1eb2a6dd2ed258afb2fba523d4173ad7
Found in base branch: main
Vulnerability Details
This affects the package glob-parent before 5.1.2. The enclosure regex used to check for strings ending in an enclosure containing a path separator.
Publish Date: 2021-06-03
URL: CVE-2020-28469
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28469
Release Date: 2021-06-03
Fix Resolution (glob-parent): 5.1.2
Direct dependency fix Resolution (webpack): 4.45.0
CVE-2022-46175 (High) detected in json5-2.1.3.tgz, json5-1.0.1.tgz - autoclosed
CVE-2022-46175 - High Severity Vulnerability
Vulnerable Libraries - json5-2.1.3.tgz, json5-1.0.1.tgz
json5-2.1.3.tgz
JSON for humans.
Library home page: https://registry.npmjs.org/json5/-/json5-2.1.3.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/css-loader/node_modules/json5/package.json,/node_modules/sass-loader/node_modules/json5/package.json,/node_modules/style-loader/node_modules/json5/package.json
Dependency Hierarchy:
- style-loader-2.0.0.tgz (Root Library)
  - loader-utils-2.0.0.tgz
    - ❌ json5-2.1.3.tgz (Vulnerable Library)
json5-1.0.1.tgz
JSON for humans.
Library home page: https://registry.npmjs.org/json5/-/json5-1.0.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/json5/package.json
Dependency Hierarchy:
- ts-loader-8.0.7.tgz (Root Library)
  - loader-utils-1.4.0.tgz
    - ❌ json5-1.0.1.tgz (Vulnerable Library)
Found in base branch: main
Vulnerability Details
JSON5 is an extension to the popular JSON file format that aims to be easier to write and maintain by hand (e.g. for config files). The parse method of the JSON5 library before and including versions 1.0.1 and 2.2.1 does not restrict parsing of keys named __proto__, allowing specially crafted strings to pollute the prototype of the resulting object. This vulnerability pollutes the prototype of the object returned by JSON5.parse and not the global Object prototype, which is the commonly understood definition of Prototype Pollution. However, polluting the prototype of a single object can have significant security impact for an application if the object is later used in trusted operations. This vulnerability could allow an attacker to set arbitrary and unexpected keys on the object returned from JSON5.parse. The actual impact will depend on how applications utilize the returned object and how they filter unwanted keys, but could include denial of service, cross-site scripting, elevation of privilege, and in extreme cases, remote code execution. JSON5.parse should restrict parsing of __proto__ keys when parsing JSON strings to objects. As a point of reference, the JSON.parse method included in JavaScript ignores __proto__ keys. Simply changing JSON5.parse to JSON.parse in the examples above mitigates this vulnerability. This vulnerability is patched in json5 versions 1.0.2, 2.2.2, and later.
Publish Date: 2022-12-24
URL: CVE-2022-46175
CVSS 3 Score Details (8.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2022-46175
Release Date: 2022-12-24
Fix Resolution (json5): 2.2.2
Direct dependency fix Resolution (style-loader): 3.0.0
Fix Resolution (json5): 1.0.2
Direct dependency fix Resolution (ts-loader): 8.0.8
CVE-2022-24785 (High) detected in moment-2.29.1.tgz - autoclosed
CVE-2022-24785 - High Severity Vulnerability
Vulnerable Library - moment-2.29.1.tgz
Parse, validate, manipulate, and display dates
Library home page: https://registry.npmjs.org/moment/-/moment-2.29.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/moment/package.json
Dependency Hierarchy:
❌ moment-2.29.1.tgz (Vulnerable Library)
Found in base branch: main
Vulnerability Details
Moment.js is a JavaScript date library for parsing, validating, manipulating, and formatting dates. A path traversal vulnerability impacts npm (server) users of Moment.js between versions 1.0.1 and 2.29.1, especially if a user-provided locale string is directly used to switch moment locale. This problem is patched in 2.29.2, and the patch can be applied to all affected versions. As a workaround, sanitize the user-provided locale name before passing it to Moment.js.
Publish Date: 2022-04-04
URL: CVE-2022-24785
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: High
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: GHSA-8hfj-j24r-96c4
Release Date: 2022-04-04
Fix Resolution: 2.29.2
CVE-2021-23382 (Medium) detected in postcss-8.1.9.tgz - autoclosed
CVE-2021-23382 - Medium Severity Vulnerability
Vulnerable Library - postcss-8.1.9.tgz
Tool for transforming styles with JS plugins
Library home page: https://registry.npmjs.org/postcss/-/postcss-8.1.9.tgz
Path to dependency file: carbonetes-lens-extension/package.json
Path to vulnerable library: carbonetes-lens-extension/node_modules/postcss/package.json
Dependency Hierarchy:
- css-loader-5.0.1.tgz (Root Library)
  - ❌ postcss-8.1.9.tgz (Vulnerable Library)
Found in HEAD commit: b18053da1eb2a6dd2ed258afb2fba523d4173ad7
Found in base branch: main
Vulnerability Details
The package postcss before 8.2.13 is vulnerable to Regular Expression Denial of Service (ReDoS) via getAnnotationURL() and loadAnnotation() in lib/previous-map.js. The vulnerable regexes are caused mainly by the sub-pattern /*\s* sourceMappingURL=(.*).
Publish Date: 2021-04-26
URL: CVE-2021-23382
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: Low
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23382
Release Date: 2021-04-26
Fix Resolution: postcss - 8.2.13
Step up your Open Source Security Game with WhiteSource here
CVE-2021-23368 (Medium) detected in postcss-8.1.9.tgz - autoclosed
CVE-2021-23368 - Medium Severity Vulnerability
Vulnerable Library - postcss-8.1.9.tgz
Tool for transforming styles with JS plugins
Library home page: https://registry.npmjs.org/postcss/-/postcss-8.1.9.tgz
Path to dependency file: carbonetes-lens-extension/package.json
Path to vulnerable library: carbonetes-lens-extension/node_modules/postcss/package.json
Dependency Hierarchy:
- css-loader-5.0.1.tgz (Root Library)
  - ❌ postcss-8.1.9.tgz (Vulnerable Library)
Found in HEAD commit: b18053da1eb2a6dd2ed258afb2fba523d4173ad7
Found in base branch: main
Vulnerability Details
The package postcss from 7.0.0 and before 8.2.10 is vulnerable to Regular Expression Denial of Service (ReDoS) during source map parsing.
Publish Date: 2021-04-12
URL: CVE-2021-23368
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: Low
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23368
Release Date: 2021-04-12
Fix Resolution: postcss - 8.2.10
CVE-2021-27290 (High) detected in ssri-6.0.2.tgz - autoclosed
CVE-2021-27290 - High Severity Vulnerability
Vulnerable Library - ssri-6.0.2.tgz
Standard Subresource Integrity library -- parses, serializes, generates, and verifies integrity metadata according to the SRI spec.
Library home page: https://registry.npmjs.org/ssri/-/ssri-6.0.2.tgz
Path to dependency file: carbonetes-lens-extension/package.json
Path to vulnerable library: carbonetes-lens-extension/node_modules/ssri/package.json
Dependency Hierarchy:
- webpack-4.44.2.tgz (Root Library)
  - terser-webpack-plugin-1.4.5.tgz
    - cacache-12.0.4.tgz
      - ❌ ssri-6.0.2.tgz (Vulnerable Library)
Found in HEAD commit: b18053da1eb2a6dd2ed258afb2fba523d4173ad7
Found in base branch: main
Vulnerability Details
ssri 5.2.2-8.0.0, fixed in 8.0.1, processes SRIs using a regular expression which is vulnerable to a denial of service. Malicious SRIs could take an extremely long time to process, leading to denial of service. This issue only affects consumers using the strict option.
Publish Date: 2021-03-12
URL: CVE-2021-27290
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16082
Release Date: 2021-03-12
Fix Resolution: 8.0.1
CVE-2020-28498 (Medium) detected in elliptic-6.5.3.tgz - autoclosed
CVE-2020-28498 - Medium Severity Vulnerability
Vulnerable Library - elliptic-6.5.3.tgz
EC cryptography
Library home page: https://registry.npmjs.org/elliptic/-/elliptic-6.5.3.tgz
Path to dependency file: carbonetes-lens-extension/package.json
Path to vulnerable library: carbonetes-lens-extension/node_modules/elliptic/package.json
Dependency Hierarchy:
- webpack-4.44.2.tgz (Root Library)
  - node-libs-browser-2.2.1.tgz
    - crypto-browserify-3.12.0.tgz
      - create-ecdh-4.0.4.tgz
        - ❌ elliptic-6.5.3.tgz (Vulnerable Library)
Found in HEAD commit: b18053da1eb2a6dd2ed258afb2fba523d4173ad7
Found in base branch: main
Vulnerability Details
The package elliptic before 6.5.4 is vulnerable to Cryptographic Issues via the secp256k1 implementation in elliptic/ec/key.js. There is no check to confirm that the public key point passed into the derive function actually exists on the secp256k1 curve. This results in the potential for the private key used in this implementation to be revealed after a number of ECDH operations are performed.
Publish Date: 2021-02-02
URL: CVE-2020-28498
CVSS 3 Score Details (6.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28498
Release Date: 2021-02-02
Fix Resolution: v6.5.4
CVE-2020-7788 (High) detected in ini-1.3.5.tgz - autoclosed
CVE-2020-7788 - High Severity Vulnerability
Vulnerable Library - ini-1.3.5.tgz
An ini encoder/decoder for node
Library home page: https://registry.npmjs.org/ini/-/ini-1.3.5.tgz
Path to dependency file: carbonetes-lens-extension/package.json
Path to vulnerable library: carbonetes-lens-extension/node_modules/ini/package.json
Dependency Hierarchy:
- webpack-cli-3.3.12.tgz (Root Library)
  - global-modules-2.0.0.tgz
    - global-prefix-3.0.0.tgz
      - ❌ ini-1.3.5.tgz (Vulnerable Library)
Found in HEAD commit: b18053da1eb2a6dd2ed258afb2fba523d4173ad7
Found in base branch: main
Vulnerability Details
This affects the package ini before 1.3.6. If an attacker submits a malicious INI file to an application that parses it with ini.parse, they will pollute the prototype on the application. This can be exploited further depending on the context.
Publish Date: 2020-12-11
URL: CVE-2020-7788
CVSS 3 Score Details (7.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: Low
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7788
Release Date: 2020-12-11
Fix Resolution: v1.3.6
CVE-2022-37603 (High) detected in loader-utils-2.0.0.tgz - autoclosed
CVE-2022-37603 - High Severity Vulnerability
Vulnerable Library - loader-utils-2.0.0.tgz
utils for webpack loaders
Library home page: https://registry.npmjs.org/loader-utils/-/loader-utils-2.0.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/css-loader/node_modules/loader-utils/package.json,/node_modules/sass-loader/node_modules/loader-utils/package.json,/node_modules/style-loader/node_modules/loader-utils/package.json
Dependency Hierarchy:
- style-loader-2.0.0.tgz (Root Library)
  - ❌ loader-utils-2.0.0.tgz (Vulnerable Library)
Found in HEAD commit: b18053da1eb2a6dd2ed258afb2fba523d4173ad7
Found in base branch: main
Vulnerability Details
A Regular expression denial of service (ReDoS) flaw was found in Function interpolateName in interpolateName.js in webpack loader-utils 2.0.0 via the url variable in interpolateName.js.
Publish Date: 2022-10-14
URL: CVE-2022-37603
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-3rfm-jhwj-7488
Release Date: 2022-10-14
Fix Resolution (loader-utils): 2.0.4
Direct dependency fix Resolution (style-loader): 3.0.0
CVE-2021-23566 (Medium) detected in nanoid-3.1.30.tgz - autoclosed
CVE-2021-23566 - Medium Severity Vulnerability
Vulnerable Library - nanoid-3.1.30.tgz
A tiny (130 bytes), secure URL-friendly unique string ID generator
Library home page: https://registry.npmjs.org/nanoid/-/nanoid-3.1.30.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/nanoid/package.json
Dependency Hierarchy:
- css-loader-5.0.1.tgz (Root Library)
  - postcss-8.4.4.tgz
    - ❌ nanoid-3.1.30.tgz (Vulnerable Library)
Found in base branch: main
Vulnerability Details
The package nanoid from 3.0.0 and before 3.1.31 is vulnerable to Information Exposure via the valueOf() function, which allows reproducing the last id generated.
Publish Date: 2022-01-14
URL: CVE-2021-23566
CVSS 3 Score Details (5.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Release Date: 2022-01-14
Fix Resolution (nanoid): 3.1.31
Direct dependency fix Resolution (css-loader): 5.0.2
CVE-2021-23440 (High) detected in set-value-2.0.1.tgz - autoclosed
CVE-2021-23440 - High Severity Vulnerability
Vulnerable Library - set-value-2.0.1.tgz
Create nested values and any intermediaries using dot notation (`'a.b.c'`) paths.
Library home page: https://registry.npmjs.org/set-value/-/set-value-2.0.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/set-value/package.json
Dependency Hierarchy:
- webpack-4.44.2.tgz (Root Library)
  - micromatch-3.1.10.tgz
    - snapdragon-0.8.2.tgz
      - base-0.11.2.tgz
        - cache-base-1.0.1.tgz
          - ❌ set-value-2.0.1.tgz (Vulnerable Library)
Found in base branch: main
Vulnerability Details
This affects the package set-value before <2.0.1, >=3.0.0 <4.0.1. A type confusion vulnerability can lead to a bypass of CVE-2019-10747 when the user-provided keys used in the path parameter are arrays.
Mend Note: After conducting further research, Mend has determined that all versions of set-value up to version 4.0.0 are vulnerable to CVE-2021-23440.
Publish Date: 2021-09-12
URL: CVE-2021-23440
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Release Date: 2021-09-12
Fix Resolution (set-value): 4.0.1
Direct dependency fix Resolution (webpack): 5.0.0
CVE-2022-1214 (High) detected in axios-0.21.4.tgz - autoclosed
CVE-2022-1214 - High Severity Vulnerability
Vulnerable Library - axios-0.21.4.tgz
Promise based HTTP client for the browser and node.js
Library home page: https://registry.npmjs.org/axios/-/axios-0.21.4.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/axios/package.json
Dependency Hierarchy:
❌ axios-0.21.4.tgz (Vulnerable Library)
Found in base branch: main
Vulnerability Details
Exposure of Sensitive Information to an Unauthorized Actor in GitHub repository axios/axios prior to 0.26.
Publish Date: 2022-05-03
URL: CVE-2022-1214
CVSS 3 Score Details (8.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://huntr.dev/bounties/ef7b4ab6-a3f6-4268-a21a-e7104d344607/
Release Date: 2022-05-03
Fix Resolution: 0.26.0
It's still alive?
Hello, guys!
Is the project still alive? I see the last release was in 2021... And a lot of vulnerability issues that are created automatically.
Any active devs still here?
CVE-2021-3749 (High) detected in axios-0.21.0.tgz - autoclosed
CVE-2021-3749 - High Severity Vulnerability
Vulnerable Library - axios-0.21.0.tgz
Promise based HTTP client for the browser and node.js
Library home page: https://registry.npmjs.org/axios/-/axios-0.21.0.tgz
Path to dependency file: carbonetes-lens-extension/package.json
Path to vulnerable library: /node_modules/axios/package.json
Dependency Hierarchy:
❌ axios-0.21.0.tgz (Vulnerable Library)
Found in HEAD commit: b18053da1eb2a6dd2ed258afb2fba523d4173ad7
Found in base branch: main
Vulnerability Details
axios is vulnerable to Inefficient Regular Expression Complexity
Publish Date: 2021-08-31
URL: CVE-2021-3749
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://github.com/axios/axios/releases/tag/v0.21.2
Release Date: 2021-08-31
Fix Resolution: axios - 0.21.2
CVE-2021-35065 (High) detected in glob-parent-5.1.2.tgz, glob-parent-3.1.0.tgz - autoclosed
CVE-2021-35065 - High Severity Vulnerability
Vulnerable Libraries - glob-parent-5.1.2.tgz, glob-parent-3.1.0.tgz
glob-parent-5.1.2.tgz
Extract the non-magic parent path from a glob string.
Library home page: https://registry.npmjs.org/glob-parent/-/glob-parent-5.1.2.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/glob-parent/package.json
Dependency Hierarchy:
- sass-1.29.0.tgz (Root Library)
  - chokidar-3.4.3.tgz
    - ❌ glob-parent-5.1.2.tgz (Vulnerable Library)
glob-parent-3.1.0.tgz
Strips glob magic from a string to provide the parent directory path
Library home page: https://registry.npmjs.org/glob-parent/-/glob-parent-3.1.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/watchpack-chokidar2/node_modules/glob-parent/package.json
Dependency Hierarchy:
- webpack-4.44.2.tgz (Root Library)
  - watchpack-1.7.4.tgz
    - watchpack-chokidar2-2.0.0.tgz
      - chokidar-2.1.8.tgz
        - ❌ glob-parent-3.1.0.tgz (Vulnerable Library)
Found in HEAD commit: b18053da1eb2a6dd2ed258afb2fba523d4173ad7
Found in base branch: main
Vulnerability Details
The package glob-parent before 6.0.1 is vulnerable to Regular Expression Denial of Service (ReDoS).
Publish Date: 2021-06-22
URL: CVE-2021-35065
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-cj88-88mr-972w
Release Date: 2021-06-22
Fix Resolution (glob-parent): 6.0.1
Direct dependency fix Resolution (webpack): 5.0.0
CVE-2020-7774 (High) detected in y18n-4.0.0.tgz - autoclosed
CVE-2020-7774 - High Severity Vulnerability
Vulnerable Library - y18n-4.0.0.tgz
the bare-bones internationalization library used by yargs
Library home page: https://registry.npmjs.org/y18n/-/y18n-4.0.0.tgz
Path to dependency file: carbonetes-lens-extension/package.json
Path to vulnerable library: carbonetes-lens-extension/node_modules/y18n/package.json
Dependency Hierarchy:
- webpack-cli-3.3.12.tgz (Root Library)
  - yargs-13.3.2.tgz
    - ❌ y18n-4.0.0.tgz (Vulnerable Library)
Found in HEAD commit: b18053da1eb2a6dd2ed258afb2fba523d4173ad7
Found in base branch: main
Vulnerability Details
This affects the package y18n before 3.2.2, 4.0.1 and 5.0.5. PoC by po6ix: const y18n = require('y18n')(); y18n.setLocale('proto'); y18n.updateLocale({polluted: true}); console.log(polluted); // true
Publish Date: 2020-11-17
URL: CVE-2020-7774
CVSS 3 Score Details (7.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: Low
Suggested Fix
Type: Upgrade version
Origin: https://www.npmjs.com/advisories/1654
Release Date: 2020-11-17
Fix Resolution: 3.2.2, 4.0.1, 5.0.5
CVE-2022-0155 (Medium) detected in follow-redirects-1.14.5.tgz - autoclosed
CVE-2022-0155 - Medium Severity Vulnerability
Vulnerable Library - follow-redirects-1.14.5.tgz
HTTP and HTTPS modules that follow redirects.
Library home page: https://registry.npmjs.org/follow-redirects/-/follow-redirects-1.14.5.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/follow-redirects/package.json
Dependency Hierarchy:
- axios-0.21.4.tgz (Root Library)
  - ❌ follow-redirects-1.14.5.tgz (Vulnerable Library)
Found in base branch: main
Vulnerability Details
follow-redirects is vulnerable to Exposure of Private Personal Information to an Unauthorized Actor
Publish Date: 2022-01-10
URL: CVE-2022-0155
CVSS 3 Score Details (6.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://huntr.dev/bounties/fc524e4b-ebb6-427d-ab67-a64181020406/
Release Date: 2022-01-10
Fix Resolution (follow-redirects): 1.14.7
Direct dependency fix Resolution (axios): 0.22.0
CVE-2020-28168 (Medium) detected in axios-0.21.0.tgz - autoclosed
CVE-2020-28168 - Medium Severity Vulnerability
Vulnerable Library - axios-0.21.0.tgz
Promise based HTTP client for the browser and node.js
Library home page: https://registry.npmjs.org/axios/-/axios-0.21.0.tgz
Path to dependency file: carbonetes-lens-extension/package.json
Path to vulnerable library: /node_modules/axios/package.json
Dependency Hierarchy:
❌ axios-0.21.0.tgz (Vulnerable Library)
Found in HEAD commit: b18053da1eb2a6dd2ed258afb2fba523d4173ad7
Found in base branch: main
Vulnerability Details
Axios NPM package 0.21.0 contains a Server-Side Request Forgery (SSRF) vulnerability where an attacker is able to bypass a proxy by providing a URL that responds with a redirect to a restricted host or IP address.
Publish Date: 2020-11-06
URL: CVE-2020-28168
CVSS 3 Score Details (5.9)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: axios/axios@c7329fe
Release Date: 2020-11-06
Fix Resolution: axios - 0.21.1
CVE-2022-37599 (High) detected in loader-utils-2.0.0.tgz - autoclosed
CVE-2022-37599 - High Severity Vulnerability
Vulnerable Library - loader-utils-2.0.0.tgz
utils for webpack loaders
Library home page: https://registry.npmjs.org/loader-utils/-/loader-utils-2.0.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/css-loader/node_modules/loader-utils/package.json,/node_modules/sass-loader/node_modules/loader-utils/package.json,/node_modules/style-loader/node_modules/loader-utils/package.json
Dependency Hierarchy:
- style-loader-2.0.0.tgz (Root Library)
  - ❌ loader-utils-2.0.0.tgz (Vulnerable Library)
Found in base branch: main
Vulnerability Details
A Regular expression denial of service (ReDoS) flaw was found in Function interpolateName in interpolateName.js in webpack loader-utils 2.0.0 via the resourcePath variable in interpolateName.js.
Publish Date: 2022-10-11
URL: CVE-2022-37599
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-hhq3-ff78-jv3g
Release Date: 2022-10-11
Fix Resolution (loader-utils): 2.0.3
Direct dependency fix Resolution (style-loader): 3.0.0
Carbonetes lens extension doesn't work with Lens version 5.2 and shows as Incompatible.
CVE-2021-3807 (High) detected in ansi-regex-4.1.0.tgz - autoclosed
CVE-2021-3807 - High Severity Vulnerability
Vulnerable Library - ansi-regex-4.1.0.tgz
Regular expression for matching ANSI escape codes
Library home page: https://registry.npmjs.org/ansi-regex/-/ansi-regex-4.1.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/ansi-regex/package.json
Dependency Hierarchy:
- webpack-cli-3.3.12.tgz (Root Library)
  - yargs-13.3.2.tgz
    - string-width-3.1.0.tgz
      - strip-ansi-5.2.0.tgz
        - ❌ ansi-regex-4.1.0.tgz (Vulnerable Library)
Found in HEAD commit: b18053da1eb2a6dd2ed258afb2fba523d4173ad7
Found in base branch: main
Vulnerability Details
ansi-regex is vulnerable to Inefficient Regular Expression Complexity
Publish Date: 2021-09-17
URL: CVE-2021-3807
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://huntr.dev/bounties/5b3cf33b-ede0-4398-9974-800876dfd994/
Release Date: 2021-09-17
Fix Resolution (ansi-regex): 4.1.1
Direct dependency fix Resolution (webpack-cli): 4.0.0
CVE-2022-38900 (High) detected in decode-uri-component-0.2.0.tgz - autoclosed
CVE-2022-38900 - High Severity Vulnerability
Vulnerable Library - decode-uri-component-0.2.0.tgz
A better decodeURIComponent
Library home page: https://registry.npmjs.org/decode-uri-component/-/decode-uri-component-0.2.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/decode-uri-component/package.json
Dependency Hierarchy:
- webpack-4.44.2.tgz (Root Library)
  - micromatch-3.1.10.tgz
    - snapdragon-0.8.2.tgz
      - source-map-resolve-0.5.3.tgz
        - ❌ decode-uri-component-0.2.0.tgz (Vulnerable Library)
Found in HEAD commit: b18053da1eb2a6dd2ed258afb2fba523d4173ad7
Found in base branch: main
Vulnerability Details
decode-uri-component 0.2.0 is vulnerable to Improper Input Validation resulting in DoS.
Publish Date: 2022-11-28
URL: CVE-2022-38900
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-w573-4hg7-7wgq
Release Date: 2022-11-28
Fix Resolution (decode-uri-component): 0.2.1
Direct dependency fix Resolution (webpack): 4.45.0
CVE-2022-25858 (High) detected in terser-4.8.0.tgz - autoclosed
CVE-2022-25858 - High Severity Vulnerability
Vulnerable Library - terser-4.8.0.tgz
JavaScript parser, mangler/compressor and beautifier toolkit for ES6+
Library home page: https://registry.npmjs.org/terser/-/terser-4.8.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/terser/package.json
Dependency Hierarchy:
- webpack-4.44.2.tgz (Root Library)
  - terser-webpack-plugin-1.4.5.tgz
    - ❌ terser-4.8.0.tgz (Vulnerable Library)
Found in base branch: main
Vulnerability Details
The package terser before 4.8.1, from 5.0.0 and before 5.14.2 are vulnerable to Regular Expression Denial of Service (ReDoS) due to insecure usage of regular expressions.
Publish Date: 2022-07-15
URL: CVE-2022-25858
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-25858
Release Date: 2022-07-15
Fix Resolution (terser): 4.8.1
Direct dependency fix Resolution (webpack): 4.45.0
CVE-2022-37601 (High) detected in loader-utils-1.4.0.tgz - autoclosed
CVE-2022-37601 - High Severity Vulnerability
Vulnerable Library - loader-utils-1.4.0.tgz
utils for webpack loaders
Library home page: https://registry.npmjs.org/loader-utils/-/loader-utils-1.4.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/loader-utils/package.json
Dependency Hierarchy:
- ts-loader-8.0.7.tgz (Root Library)
❌ loader-utils-1.4.0.tgz (Vulnerable Library)
Found in base branch: main
Vulnerability Details
Prototype pollution vulnerability in function parseQuery in parseQuery.js in webpack loader-utils 2.0.0 via the name variable in parseQuery.js.
Publish Date: 2022-10-12
URL: CVE-2022-37601
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Release Date: 2022-10-12
Fix Resolution (loader-utils): 1.4.1
Direct dependency fix Resolution (ts-loader): 8.0.8
CVE-2022-3517 (High) detected in minimatch-3.0.4.tgz - autoclosed
CVE-2022-3517 - High Severity Vulnerability
Vulnerable Library - minimatch-3.0.4.tgz
a glob matcher in javascript
Library home page: https://registry.npmjs.org/minimatch/-/minimatch-3.0.4.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/minimatch/package.json
Dependency Hierarchy:
- webpack-4.44.2.tgz (Root Library)
  - terser-webpack-plugin-1.4.5.tgz
    - cacache-12.0.4.tgz
      - glob-7.1.6.tgz
        - ❌ minimatch-3.0.4.tgz (Vulnerable Library)
Found in base branch: main
Vulnerability Details
A vulnerability was found in the minimatch package. This flaw allows a Regular Expression Denial of Service (ReDoS) when calling the braceExpand function with specific arguments, resulting in a Denial of Service.
Publish Date: 2022-10-17
URL: CVE-2022-3517
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High