dmyers87 / amundsenfrontendlibrary Goto Github PK
View Code? Open in Web Editor NEWThis project forked from amundsen-io/amundsenfrontendlibrary
Front-end service library for Amundsen
License: Apache License 2.0
This project forked from amundsen-io/amundsenfrontendlibrary
Front-end service library for Amundsen
License: Apache License 2.0
Promise based HTTP client for the browser and node.js
Library home page: https://registry.npmjs.org/axios/-/axios-0.19.0.tgz
Path to dependency file: /amundsen_application/static/package.json
Path to vulnerable library: /amundsen_application/static/node_modules/axios/package.json
Dependency Hierarchy:
Found in base branch: master
Axios NPM package 0.21.0 contains a Server-Side Request Forgery (SSRF) vulnerability where an attacker is able to bypass a proxy by providing a URL that responds with a redirect to a restricted host or IP address.
Publish Date: 2020-11-06
URL: CVE-2020-28168
Base Score Metrics:
๐ Node.js bindings to libsass
Library home page: https://github.com/sass/node-sass.git
Found in base branch: master
/amundsen_application/static/node_modules/node-sass/src/libsass/src/ast.hpp
LibSass 3.5.4 allows attackers to cause a denial-of-service (uncontrolled recursion in Sass::Complex_Selector::perform in ast.hpp and Sass::Inspect::operator in inspect.cpp).
Publish Date: 2019-04-23
URL: CVE-2018-20822
Base Score Metrics:
An ini encoder/decoder for node
Library home page: https://registry.npmjs.org/ini/-/ini-1.3.5.tgz
Path to dependency file: /amundsen_application/static/package.json
Path to vulnerable library: /amundsen_application/static/package.json
Dependency Hierarchy:
Found in base branch: master
This affects the package ini before 1.3.6. If an attacker submits a malicious INI file to an application that parses it with ini.parse, they will pollute the prototype on the application. This can be exploited further depending on the context.
Publish Date: 2020-12-11
URL: CVE-2020-7788
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7788
Release Date: 2020-12-11
Fix Resolution (ini): 1.3.6
Direct dependency fix Resolution (babel-jest): 25.0.0
Trim string whitespace
Library home page: https://registry.npmjs.org/trim/-/trim-0.0.1.tgz
Path to dependency file: /amundsen_application/static/package.json
Path to vulnerable library: /amundsen_application/static/node_modules/trim/package.json
Dependency Hierarchy:
Found in base branch: master
All versions of package trim are vulnerable to Regular Expression Denial of Service (ReDoS) via trim().
Publish Date: 2020-10-27
URL: CVE-2020-7753
Base Score Metrics:
Type: Upgrade version
Release Date: 2020-10-27
Fix Resolution (trim): 0.0.3
Direct dependency fix Resolution (react-markdown): 5.0.0
URI.js is a Javascript library for working with URLs.
Library home page: https://registry.npmjs.org/urijs/-/urijs-1.19.1.tgz
Path to dependency file: /amundsen_application/static/package.json
Path to vulnerable library: /amundsen_application/static/node_modules/urijs/package.json
Dependency Hierarchy:
Found in base branch: master
URI.js (aka urijs) before 1.19.6 mishandles certain uses of backslash such as http:/ and interprets the URI as a relative path.
Publish Date: 2021-02-22
URL: CVE-2021-27516
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-27516
Release Date: 2021-02-22
Fix Resolution: 1.19.6
๐ Node.js bindings to libsass
Library home page: https://github.com/sass/node-sass.git
Found in base branch: master
/amundsen_application/static/node_modules/node-sass/src/libsass/src/sass_context.cpp
An issue was discovered in LibSass through 3.5.4. An out-of-bounds read of a memory region was found in the function Sass::handle_error which could be leveraged by an attacker to disclose information or manipulated to read from unmapped memory causing a denial of service.
Publish Date: 2018-06-04
URL: CVE-2018-11698
Base Score Metrics:
A Node.js module for sending notifications on native Mac, Windows (post and pre 8) and Linux (or Growl as fallback)
Library home page: https://registry.npmjs.org/node-notifier/-/node-notifier-5.4.3.tgz
Path to dependency file: /amundsen_application/static/package.json
Path to vulnerable library: /amundsen_application/static/node_modules/node-notifier/package.json
Dependency Hierarchy:
Found in base branch: master
This affects the package node-notifier before 9.0.0. It allows an attacker to run arbitrary commands on Linux machines due to the options params not being sanitised when being passed an array.
Publish Date: 2020-12-11
URL: CVE-2020-7789
Base Score Metrics:
Type: Upgrade version
Origin: https://bugzilla.redhat.com/show_bug.cgi?id=1906853
Release Date: 2020-12-11
Fix Resolution (node-notifier): 5.4.4
Direct dependency fix Resolution (jest): 25.0.0
Wrapper around libsass
Library home page: https://registry.npmjs.org/node-sass/-/node-sass-4.13.1.tgz
Path to dependency file: /amundsen_application/static/package.json
Path to vulnerable library: /amundsen_application/static/node_modules/node-sass/package.json
Dependency Hierarchy:
Found in base branch: master
In LibSass 3.5.5, a heap-based buffer over-read exists in Sass::Prelexer::alternatives in prelexer.hpp.
Publish Date: 2019-01-14
URL: CVE-2019-6284
Base Score Metrics:
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2019-6284
Release Date: 2019-01-14
Fix Resolution: node-sass - 5.0.0;Fable.Template.Elmish.React - 0.1.6;GR.PageRender.Razor - 1.8.0;MIDIator.WebClient - 1.0.105
JavaScript library for DOM operations
Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/2.1.4/jquery.min.js
Path to dependency file: /amundsen_application/static/node_modules/js-base64/test/index.html
Path to vulnerable library: /amundsen_application/static/node_modules/js-base64/test/index.html
Dependency Hierarchy:
Found in base branch: master
jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. If an unsanitized source object contained an enumerable proto property, it could extend the native Object.prototype.
Publish Date: 2019-04-20
URL: CVE-2019-11358
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11358
Release Date: 2019-04-20
Fix Resolution: jquery - 3.4.0
Clean up user-submitted HTML, preserving whitelisted elements and whitelisted attributes on a per-element basis
Library home page: https://registry.npmjs.org/sanitize-html/-/sanitize-html-1.19.1.tgz
Path to dependency file: /amundsen_application/static/package.json
Path to vulnerable library: /amundsen_application/static/node_modules/sanitize-html/package.json
Dependency Hierarchy:
Found in base branch: master
Apostrophe Technologies sanitize-html before 2.3.1 does not properly handle internationalized domain name (IDN) which could allow an attacker to bypass hostname whitelist validation set by the "allowedIframeHostnames" option.
Publish Date: 2021-02-08
URL: CVE-2021-26539
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-26539
Release Date: 2021-02-08
Fix Resolution: 2.3.1
EC cryptography
Library home page: https://registry.npmjs.org/elliptic/-/elliptic-6.5.2.tgz
Path to dependency file: /amundsen_application/static/package.json
Path to vulnerable library: /amundsen_application/static/node_modules/elliptic/package.json
Dependency Hierarchy:
Found in base branch: master
The package elliptic before 6.5.4 are vulnerable to Cryptographic Issues via the secp256k1 implementation in elliptic/ec/key.js. There is no check to confirm that the public key point passed into the derive function actually exists on the secp256k1 curve. This results in the potential for the private key used in this implementation to be revealed after a number of ECDH operations are performed.
Publish Date: 2021-02-02
URL: CVE-2020-28498
Base Score Metrics:
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2020-28498
Release Date: 2021-02-02
Fix Resolution (elliptic): 6.5.4
Direct dependency fix Resolution (webpack): 4.41.4
EC cryptography
Library home page: https://registry.npmjs.org/elliptic/-/elliptic-6.5.2.tgz
Path to dependency file: /amundsen_application/static/package.json
Path to vulnerable library: /amundsen_application/static/node_modules/elliptic/package.json
Dependency Hierarchy:
Found in base branch: master
The Elliptic package 6.5.2 for Node.js allows ECDSA signature malleability via variations in encoding, leading '\0' bytes, or integer overflows. This could conceivably have a security-relevant impact if an application relied on a single canonical signature.
Publish Date: 2020-06-04
URL: CVE-2020-13822
Base Score Metrics:
Type: Upgrade version
Release Date: 2020-07-02
Fix Resolution (elliptic): 6.5.3
Direct dependency fix Resolution (webpack): 4.41.4
the mighty option parser used by yargs
Library home page: https://registry.npmjs.org/yargs-parser/-/yargs-parser-10.1.0.tgz
Path to dependency file: /amundsen_application/static/package.json
Path to vulnerable library: /amundsen_application/static/node_modules/yargs-parser/package.json
Dependency Hierarchy:
the mighty option parser used by yargs
Library home page: https://registry.npmjs.org/yargs-parser/-/yargs-parser-5.0.0.tgz
Path to dependency file: /amundsen_application/static/package.json
Path to vulnerable library: /amundsen_application/static/node_modules/sass-graph/node_modules/yargs-parser/package.json
Dependency Hierarchy:
the mighty option parser used by yargs
Library home page: https://registry.npmjs.org/yargs-parser/-/yargs-parser-13.1.1.tgz
Path to dependency file: /amundsen_application/static/package.json
Path to vulnerable library: /amundsen_application/static/node_modules/jest/node_modules/yargs-parser/package.json,/amundsen_application/static/node_modules/jest-runtime/node_modules/yargs-parser/package.json
Dependency Hierarchy:
Found in base branch: master
yargs-parser could be tricked into adding or modifying properties of Object.prototype using a "proto" payload.
Publish Date: 2020-03-16
URL: CVE-2020-7608
Base Score Metrics:
Type: Upgrade version
Release Date: 2020-03-16
Fix Resolution (yargs-parser): 13.1.2
Direct dependency fix Resolution (ts-jest): 25.2.1
Fix Resolution (yargs-parser): 13.1.2
Direct dependency fix Resolution (node-sass): 4.14.0
Fix Resolution (yargs-parser): 13.1.2
Direct dependency fix Resolution (jest): 25.0.0
HTTP library with thread-safe connection pooling, file post, and more.
Library home page: https://files.pythonhosted.org/packages/01/11/525b02e4acc0c747de8b6ccdab376331597c569c42ea66ab0a1dbd36eca2/urllib3-1.24.3-py2.py3-none-any.whl
Path to dependency file: /requirements.txt
Path to vulnerable library: /requirements.txt
Dependency Hierarchy:
Found in base branch: master
urllib3 before 1.25.9 allows CRLF injection if the attacker controls the HTTP request method, as demonstrated by inserting CR and LF control characters in the first argument of putrequest(). NOTE: this is similar to CVE-2020-26116.
Publish Date: 2020-09-30
URL: CVE-2020-26137
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26137
Release Date: 2020-09-30
Fix Resolution (urllib3): 1.25.9
Direct dependency fix Resolution (responses): 0.10.0
ECMAScript parser
Library home page: https://registry.npmjs.org/acorn/-/acorn-6.3.0.tgz
Path to dependency file: /amundsen_application/static/package.json
Path to vulnerable library: /amundsen_application/static/node_modules/acorn-globals/node_modules/acorn/package.json
Dependency Hierarchy:
ECMAScript parser
Library home page: https://registry.npmjs.org/acorn/-/acorn-6.4.0.tgz
Path to dependency file: /amundsen_application/static/package.json
Path to vulnerable library: /amundsen_application/static/node_modules/webpack/node_modules/acorn/package.json
Dependency Hierarchy:
ECMAScript parser
Library home page: https://registry.npmjs.org/acorn/-/acorn-5.5.3.tgz
Path to dependency file: /amundsen_application/static/package.json
Path to vulnerable library: /amundsen_application/static/node_modules/acorn/package.json
Dependency Hierarchy:
Found in base branch: master
acorn is vulnerable to REGEX DoS. A regex of the form /[x-\ud800]/u causes the parser to enter an infinite loop. attackers may leverage the vulnerability leading to a Denial of Service since the string is not valid UTF16 and it results in it being sanitized before reaching the parser.
Publish Date: 2020-03-01
URL: WS-2020-0042
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-6chw-6frg-f759
Release Date: 2020-03-01
Fix Resolution (acorn): 6.4.1
Direct dependency fix Resolution (jest): 25.0.0
Fix Resolution (acorn): 6.4.1
Direct dependency fix Resolution (webpack): 4.41.4
Fix Resolution (acorn): 6.4.1
Direct dependency fix Resolution (eslint): 5.0.0
Wrapper around libsass
Library home page: https://registry.npmjs.org/node-sass/-/node-sass-4.13.1.tgz
Path to dependency file: /amundsen_application/static/package.json
Path to vulnerable library: /amundsen_application/static/node_modules/node-sass/package.json
Dependency Hierarchy:
Found in base branch: master
In LibSass 3.5.5, a NULL Pointer Dereference in the function Sass::Selector_List::populate_extends in SharedPtr.hpp (used by ast.cpp and ast_selectors.cpp) may cause a Denial of Service (application crash) via a crafted sass input file.
Publish Date: 2018-12-03
URL: CVE-2018-19797
Base Score Metrics:
Type: Upgrade version
Release Date: 2018-12-03
Fix Resolution: Fable.Template.Elmish.React - 0.1.6;GR.PageRender.Razor - 1.8.0;MIDIator.WebClient - 1.0.105
Lodash modular utilities.
Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.15.tgz
Path to dependency file: /amundsen_application/static/package.json
Path to vulnerable library: /amundsen_application/static/node_modules/lodash/package.json
Dependency Hierarchy:
Found in base branch: master
Prototype pollution attack when using _.zipObjectDeep in lodash before 4.17.20.
Publish Date: 2020-07-15
URL: CVE-2020-8203
Base Score Metrics:
Type: Upgrade version
Origin: https://www.npmjs.com/advisories/1523
Release Date: 2020-07-15
Fix Resolution (lodash): 4.17.19
Direct dependency fix Resolution (@babel/cli): 7.8.0
A light-weight module that brings window.fetch to node.js and io.js
Library home page: https://registry.npmjs.org/node-fetch/-/node-fetch-1.7.3.tgz
Path to dependency file: /amundsen_application/static/package.json
Path to vulnerable library: /amundsen_application/static/node_modules/node-fetch/package.json
Dependency Hierarchy:
Found in base branch: master
node-fetch before versions 2.6.1 and 3.0.0-beta.9 did not honor the size option after following a redirect, which means that when a content size was over the limit, a FetchError would never get thrown and the process would end without failure. For most people, this fix will have a little or no impact. However, if you are relying on node-fetch to gate files above a size, the impact could be significant, for example: If you don't double-check the size of the data after fetch() has completed, your JS thread could get tied up doing work on a large file (DoS) and/or cost you money in computing.
Publish Date: 2020-09-10
URL: CVE-2020-15168
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-w7rc-rwvf-8q5r
Release Date: 2020-09-17
Fix Resolution (node-fetch): 2.6.1
Direct dependency fix Resolution (eslint-plugin-react): 7.8.0
Wrapper around libsass
Library home page: https://registry.npmjs.org/node-sass/-/node-sass-4.13.1.tgz
Path to dependency file: /amundsen_application/static/package.json
Path to vulnerable library: /amundsen_application/static/node_modules/node-sass/package.json
Dependency Hierarchy:
Found in base branch: master
In LibSass 3.5.5, a heap-based buffer over-read exists in Sass::Prelexer::parenthese_scope in prelexer.hpp.
Publish Date: 2019-01-14
URL: CVE-2019-6283
Base Score Metrics:
Type: Upgrade version
Release Date: 2019-01-14
Fix Resolution: Fable.Template.Elmish.React - 0.1.6;GR.PageRender.Razor - 1.8.0;MIDIator.WebClient - 1.0.105
JavaScript library for DOM operations
Library home page: https://registry.npmjs.org/jquery/-/jquery-3.4.1.tgz
Path to dependency file: /amundsen_application/static/package.json
Path to vulnerable library: /amundsen_application/static/node_modules/jquery/package.json
Dependency Hierarchy:
JavaScript library for DOM operations
Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/2.1.4/jquery.min.js
Path to dependency file: /amundsen_application/static/node_modules/js-base64/test/index.html
Path to vulnerable library: /amundsen_application/static/node_modules/js-base64/test/index.html
Dependency Hierarchy:
Found in base branch: master
In jQuery versions greater than or equal to 1.2 and before 3.5.0, passing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.
Publish Date: 2020-04-29
URL: CVE-2020-11022
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11022
Release Date: 2020-04-29
Fix Resolution: 3.5.0
Lodash modular utilities.
Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.15.tgz
Path to dependency file: /amundsen_application/static/package.json
Path to vulnerable library: /amundsen_application/static/node_modules/lodash/package.json
Dependency Hierarchy:
Found in base branch: master
Lodash versions prior to 4.17.21 are vulnerable to Regular Expression Denial of Service (ReDoS) via the toNumber, trim and trimEnd functions.
Mend Note: After conducting further research, Mend has determined that CVE-2020-28500 only affects environments with versions 4.0.0 to 4.17.20 of Lodash.
Publish Date: 2021-02-15
URL: CVE-2020-28500
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28500
Release Date: 2021-02-15
Fix Resolution (lodash): 4.17.21
Direct dependency fix Resolution (@babel/cli): 7.8.0
Lightweight JavaScript-based user-agent string parser
Library home page: https://registry.npmjs.org/ua-parser-js/-/ua-parser-js-0.7.17.tgz
Path to dependency file: /amundsen_application/static/package.json
Path to vulnerable library: /amundsen_application/static/node_modules/ua-parser-js/package.json
Dependency Hierarchy:
Found in base branch: master
The package ua-parser-js before 0.7.23 are vulnerable to Regular Expression Denial of Service (ReDoS) in multiple regexes (see linked commit for more info).
Publish Date: 2020-12-11
URL: CVE-2020-7793
Base Score Metrics:
Type: Upgrade version
Release Date: 2020-12-11
Fix Resolution (ua-parser-js): 0.7.23
Direct dependency fix Resolution (eslint-plugin-react): 7.8.0
the bare-bones internationalization library used by yargs
Library home page: https://registry.npmjs.org/y18n/-/y18n-4.0.0.tgz
Path to dependency file: /amundsen_application/static/package.json
Path to vulnerable library: /amundsen_application/static/node_modules/y18n/package.json
Dependency Hierarchy:
the bare-bones internationalization library used by yargs
Library home page: https://registry.npmjs.org/y18n/-/y18n-3.2.1.tgz
Path to dependency file: /amundsen_application/static/package.json
Path to vulnerable library: /amundsen_application/static/node_modules/sass-graph/node_modules/y18n/package.json
Dependency Hierarchy:
Found in base branch: master
The package y18n before 3.2.2, 4.0.1 and 5.0.5, is vulnerable to Prototype Pollution.
Publish Date: 2020-11-17
URL: CVE-2020-7774
Base Score Metrics:
Type: Upgrade version
Origin: https://www.npmjs.com/advisories/1654
Release Date: 2020-11-17
Fix Resolution (y18n): 4.0.1
Direct dependency fix Resolution (webpack-cli): 3.2.0
Fix Resolution (y18n): 4.0.1
Direct dependency fix Resolution (node-sass): 4.14.0
Wrapper around libsass
Library home page: https://registry.npmjs.org/node-sass/-/node-sass-4.13.1.tgz
Path to dependency file: /amundsen_application/static/package.json
Path to vulnerable library: /amundsen_application/static/node_modules/node-sass/package.json
Dependency Hierarchy:
Found in base branch: master
A use-after-free vulnerability exists in handle_error() in sass_context.cpp in LibSass 3.4.x and 3.5.x through 3.5.4 that could be leveraged to cause a denial of service (application crash) or possibly unspecified other impact.
Publish Date: 2018-05-26
URL: CVE-2018-11499
Base Score Metrics:
JavaScript library for DOM operations
Library home page: https://registry.npmjs.org/jquery/-/jquery-3.4.1.tgz
Path to dependency file: /amundsen_application/static/package.json
Path to vulnerable library: /amundsen_application/static/node_modules/jquery/package.json
Dependency Hierarchy:
Found in base branch: master
In jQuery versions greater than or equal to 1.0.3 and before 3.5.0, passing HTML containing elements from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.
Publish Date: 2020-04-29
URL: CVE-2020-11023
Base Score Metrics:
Wrapper around libsass
Library home page: https://registry.npmjs.org/node-sass/-/node-sass-4.13.1.tgz
Path to dependency file: /amundsen_application/static/package.json
Path to vulnerable library: /amundsen_application/static/node_modules/node-sass/package.json
Dependency Hierarchy:
Found in base branch: master
LibSass 3.6.1 has uncontrolled recursion in Sass::Eval::operator()(Sass::Binary_Expression*) in eval.cpp.
Publish Date: 2019-11-06
URL: CVE-2019-18797
Base Score Metrics:
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2019-18797
Release Date: 2019-11-06
Fix Resolution: GR.PageRender.Razor - 1.8.0;MIDIator.WebClient - 1.0.105;node-sass - 4.14.0,4.8.0;Fable.Template.Elmish.React - 0.1.6
Lodash modular utilities.
Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.15.tgz
Path to dependency file: /amundsen_application/static/package.json
Path to vulnerable library: /amundsen_application/static/node_modules/lodash/package.json
Dependency Hierarchy:
Found in base branch: master
Lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function.
Publish Date: 2021-02-15
URL: CVE-2021-23337
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-35jh-r3h4-6jhm
Release Date: 2021-02-15
Fix Resolution (lodash): 4.17.21
Direct dependency fix Resolution (@babel/cli): 7.8.0
Wrapper around libsass
Library home page: https://registry.npmjs.org/node-sass/-/node-sass-4.13.1.tgz
Path to dependency file: /amundsen_application/static/package.json
Path to vulnerable library: /amundsen_application/static/node_modules/node-sass/package.json
Dependency Hierarchy:
Found in base branch: master
Certificate validation in node-sass 2.0.0 to 4.14.1 is disabled when requesting binaries even if the user is not specifying an alternative download path.
Publish Date: 2021-01-11
URL: CVE-2020-24025
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-r8f7-9pfq-mjmv
Release Date: 2021-01-11
Fix Resolution: 7.0.0
Clean up user-submitted HTML, preserving whitelisted elements and whitelisted attributes on a per-element basis
Library home page: https://registry.npmjs.org/sanitize-html/-/sanitize-html-1.19.1.tgz
Path to dependency file: /amundsen_application/static/package.json
Path to vulnerable library: /amundsen_application/static/node_modules/sanitize-html/package.json
Dependency Hierarchy:
Found in base branch: master
Apostrophe Technologies sanitize-html before 2.3.2 does not properly validate the hostnames set by the "allowedIframeHostnames" option when the "allowIframeRelativeUrls" is set to true, which allows attackers to bypass hostname whitelist for iframe element, related using an src value that starts with "/\example.com".
Publish Date: 2021-02-08
URL: CVE-2021-26540
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-26540
Release Date: 2021-02-08
Fix Resolution: 2.3.2
Wrapper around libsass
Library home page: https://registry.npmjs.org/node-sass/-/node-sass-4.13.1.tgz
Path to dependency file: /amundsen_application/static/package.json
Path to vulnerable library: /amundsen_application/static/node_modules/node-sass/package.json
Dependency Hierarchy:
Found in base branch: master
In LibSass 3.5.5, a NULL Pointer Dereference in the function Sass::Eval::operator()(Sass::Supports_Operator*) in eval.cpp may cause a Denial of Service (application crash) via a crafted sass input file.
Publish Date: 2018-12-17
URL: CVE-2018-20190
Base Score Metrics:
Type: Upgrade version
Release Date: 2018-12-17
Fix Resolution: GR.PageRender.Razor - 1.8.0;Fable.Template.Elmish.React - 0.1.6
Another JSON Schema Validator
Library home page: https://registry.npmjs.org/ajv/-/ajv-5.5.2.tgz
Path to dependency file: /amundsen_application/static/package.json
Path to vulnerable library: /amundsen_application/static/node_modules/eslint/node_modules/ajv/package.json,/amundsen_application/static/node_modules/table/node_modules/ajv/package.json,/amundsen_application/static/node_modules/har-validator/node_modules/ajv/package.json
Dependency Hierarchy:
Another JSON Schema Validator
Library home page: https://registry.npmjs.org/ajv/-/ajv-6.4.0.tgz
Path to dependency file: /amundsen_application/static/package.json
Path to vulnerable library: /amundsen_application/static/node_modules/ajv/package.json
Dependency Hierarchy:
Another JSON Schema Validator
Library home page: https://registry.npmjs.org/ajv/-/ajv-6.10.2.tgz
Path to dependency file: /amundsen_application/static/package.json
Path to vulnerable library: /amundsen_application/static/node_modules/terser-webpack-plugin/node_modules/ajv/package.json,/amundsen_application/static/node_modules/webpack/node_modules/ajv/package.json,/amundsen_application/static/node_modules/css-loader/node_modules/ajv/package.json
Dependency Hierarchy:
Found in base branch: master
An issue was discovered in ajv.validate() in Ajv (aka Another JSON Schema Validator) 6.12.2. A carefully crafted JSON schema could be provided that allows execution of other code by prototype pollution. (While untrusted schemas are recommended against, the worst case of an untrusted schema should be a denial of service, not execution of code.)
Publish Date: 2020-07-15
URL: CVE-2020-15366
Base Score Metrics:
Type: Upgrade version
Release Date: 2020-07-15
Fix Resolution (ajv): 6.12.3
Direct dependency fix Resolution (node-sass): 4.14.0
Fix Resolution (ajv): 6.12.3
Direct dependency fix Resolution (mini-css-extract-plugin): 0.5.0
Fix Resolution (ajv): 6.12.3
Direct dependency fix Resolution (css-loader): 3.2.1
Lightweight JavaScript-based user-agent string parser
Library home page: https://registry.npmjs.org/ua-parser-js/-/ua-parser-js-0.7.17.tgz
Path to dependency file: /amundsen_application/static/package.json
Path to vulnerable library: /amundsen_application/static/node_modules/ua-parser-js/package.json
Dependency Hierarchy:
Found in base branch: master
ua-parser-js >= 0.7.14, fixed in 0.7.24, uses a regular expression which is vulnerable to denial of service. If an attacker sends a malicious User-Agent header, ua-parser-js will get stuck processing it for an extended period of time.
Publish Date: 2021-03-17
URL: CVE-2021-27292
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-27292
Release Date: 2021-03-17
Fix Resolution (ua-parser-js): 0.7.24
Direct dependency fix Resolution (eslint-plugin-react): 7.8.0
Wrapper around libsass
Library home page: https://registry.npmjs.org/node-sass/-/node-sass-4.13.1.tgz
Path to dependency file: /amundsen_application/static/package.json
Path to vulnerable library: /amundsen_application/static/node_modules/node-sass/package.json
Dependency Hierarchy:
Found in base branch: master
The parsing component in LibSass through 3.5.5 allows attackers to cause a denial-of-service (uncontrolled recursion in Sass::Parser::parse_css_variable_value in parser.cpp).
Publish Date: 2019-04-23
URL: CVE-2018-20821
Base Score Metrics:
Type: Upgrade version
Release Date: 2019-04-23
Fix Resolution: Fable.Template.Elmish.React - 0.1.6;GR.PageRender.Razor - 1.8.0;MIDIator.WebClient - 1.0.105
Wrapper around libsass
Library home page: https://registry.npmjs.org/node-sass/-/node-sass-4.13.1.tgz
Path to dependency file: /amundsen_application/static/package.json
Path to vulnerable library: /amundsen_application/static/node_modules/node-sass/package.json
Dependency Hierarchy:
Found in base branch: master
In LibSass prior to 3.5.5, functions inside ast.cpp for IMPLEMENT_AST_OPERATORS expansion allow attackers to cause a denial-of-service resulting from stack consumption via a crafted sass file, as demonstrated by recursive calls involving clone(), cloneChildren(), and copy().
Publish Date: 2018-12-04
URL: CVE-2018-19838
Base Score Metrics:
Type: Upgrade version
Release Date: 2018-12-04
Fix Resolution: libsass - 3.5.5;node-sass - 4.14.0
Lightweight JavaScript-based user-agent string parser
Library home page: https://registry.npmjs.org/ua-parser-js/-/ua-parser-js-0.7.17.tgz
Path to dependency file: /amundsen_application/static/package.json
Path to vulnerable library: /amundsen_application/static/node_modules/ua-parser-js/package.json
Dependency Hierarchy:
Found in base branch: master
The package ua-parser-js before 0.7.22 are vulnerable to Regular Expression Denial of Service (ReDoS) via the regex for Redmi Phones and Mi Pad Tablets UA.
Publish Date: 2020-09-16
URL: CVE-2020-7733
Base Score Metrics:
Type: Upgrade version
Release Date: 2020-09-16
Fix Resolution (ua-parser-js): 0.7.22
Direct dependency fix Resolution (eslint-plugin-react): 7.8.0
Wrapper around libsass
Library home page: https://registry.npmjs.org/node-sass/-/node-sass-4.13.1.tgz
Path to dependency file: /amundsen_application/static/package.json
Path to vulnerable library: /amundsen_application/static/node_modules/node-sass/package.json
Dependency Hierarchy:
Found in base branch: master
An issue was discovered in LibSass through 3.5.4. An out-of-bounds read of a memory region was found in the function Sass::Prelexer::exactly() which could be leveraged by an attacker to disclose information or manipulated to read from unmapped memory causing a denial of service.
Publish Date: 2018-06-04
URL: CVE-2018-11697
Base Score Metrics:
parse argument options
Library home page: https://registry.npmjs.org/minimist/-/minimist-0.0.8.tgz
Path to dependency file: /amundsen_application/static/package.json
Path to vulnerable library: /amundsen_application/static/node_modules/minimist/package.json
Dependency Hierarchy:
parse argument options
Library home page: https://registry.npmjs.org/minimist/-/minimist-1.2.0.tgz
Path to dependency file: /amundsen_application/static/package.json
Path to vulnerable library: /amundsen_application/static/node_modules/tsconfig-paths/node_modules/minimist/package.json,/amundsen_application/static/node_modules/webpack/node_modules/minimist/package.json,/amundsen_application/static/node_modules/ts-jest/node_modules/minimist/package.json,/amundsen_application/static/node_modules/sane/node_modules/minimist/package.json,/amundsen_application/static/node_modules/meow/node_modules/minimist/package.json,/amundsen_application/static/node_modules/@babel/core/node_modules/minimist/package.json,/amundsen_application/static/node_modules/@cnakazawa/watch/node_modules/minimist/package.json,/amundsen_application/static/node_modules/css-loader/node_modules/minimist/package.json
Dependency Hierarchy:
Found in base branch: master
minimist before 1.2.2 could be tricked into adding or modifying properties of Object.prototype using a "constructor" or "proto" payload.
Publish Date: 2020-03-11
URL: CVE-2020-7598
Base Score Metrics:
Type: Upgrade version
Release Date: 2020-03-11
Fix Resolution (minimist): 0.2.1
Direct dependency fix Resolution (babel-loader): 8.1.0
Fix Resolution (minimist): 0.2.1
Direct dependency fix Resolution (ts-jest): 24.2.0
Wrapper around libsass
Library home page: https://registry.npmjs.org/node-sass/-/node-sass-4.13.1.tgz
Path to dependency file: /amundsen_application/static/package.json
Path to vulnerable library: /amundsen_application/static/node_modules/node-sass/package.json
Dependency Hierarchy:
Found in base branch: master
In LibSass 3.5.5, a heap-based buffer over-read exists in Sass::Prelexer::skip_over_scopes in prelexer.hpp when called from Sass::Parser::parse_import(), a similar issue to CVE-2018-11693.
Publish Date: 2019-01-14
URL: CVE-2019-6286
Base Score Metrics:
Type: Upgrade version
Release Date: 2019-07-23
Fix Resolution: Fable.Template.Elmish.React - 0.1.6;GR.PageRender.Razor - 1.8.0;MIDIator.WebClient - 1.0.105
IPv4/IPv6 manipulation library
Library home page: https://files.pythonhosted.org/packages/c2/f8/49697181b1651d8347d24c095ce46c7346c37335ddc7d255833e7cde674d/ipaddress-1.0.23-py2.py3-none-any.whl
Path to dependency file: /requirements.txt
Path to vulnerable library: /requirements.txt
Dependency Hierarchy:
Found in base branch: master
Lib/ipaddress.py in Python through 3.8.3 improperly computes hash values in the IPv4Interface and IPv6Interface classes, which might allow a remote attacker to cause a denial of service if an application is affected by the performance of a dictionary containing IPv4Interface or IPv6Interface objects, and this attacker can cause many dictionary entries to be created. This is fixed in: v3.5.10, v3.5.10rc1; v3.6.12; v3.7.9; v3.8.4, v3.8.4rc1, v3.8.5, v3.8.6, v3.8.6rc1; v3.9.0, v3.9.0b4, v3.9.0b5, v3.9.0rc1, v3.9.0rc2.
Publish Date: 2020-06-18
URL: CVE-2020-14422
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14422
Release Date: 2020-06-18
Fix Resolution: v3.5.10,v3.6.12,v3.7.9,v3.8.4v3.9.0
Get the native type of a value.
Library home page: https://registry.npmjs.org/kind-of/-/kind-of-6.0.2.tgz
Path to dependency file: /amundsen_application/static/package.json
Path to vulnerable library: /amundsen_application/static/node_modules/kind-of/package.json
Dependency Hierarchy:
Found in base branch: master
ctorName in index.js in kind-of v6.0.2 allows external user input to overwrite certain internal attributes via a conflicting name, as demonstrated by 'constructor': {'name':'Symbol'}. Hence, a crafted payload can overwrite this builtin attribute to manipulate the type detection result.
Publish Date: 2024-08-04
URL: CVE-2019-20149
Base Score Metrics:
Type: Upgrade version
Release Date: 2019-12-30
Fix Resolution (kind-of): 6.0.3
Direct dependency fix Resolution (sass-loader): 7.2.0
URI.js is a Javascript library for working with URLs.
Library home page: https://registry.npmjs.org/urijs/-/urijs-1.19.1.tgz
Path to dependency file: /amundsen_application/static/package.json
Path to vulnerable library: /amundsen_application/static/node_modules/urijs/package.json
Dependency Hierarchy:
Found in base branch: master
URI.js is a javascript URL mutation library (npm package urijs). In URI.js before version 1.19.4, the hostname can be spoofed by using a backslash (\
) character followed by an at (@
) character. If the hostname is used in security decisions, the decision may be incorrect. Depending on library usage and attacker intent, impacts may include allow/block list bypasses, SSRF attacks, open redirects, or other undesired behavior. For example the URL https://expected-example.com\@observed-example.com
will incorrectly return observed-example.com
if using an affected version. Patched versions correctly return expected-example.com
. Patched versions match the behavior of other parsers which implement the WHATWG URL specification, including web browsers and Node's built-in URL class. Version 1.19.4 is patched against all known payload variants. Version 1.19.3 has a partial patch but is still vulnerable to a payload variant.]
Publish Date: 2020-12-31
URL: CVE-2020-26291
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26291
Release Date: 2020-12-31
Fix Resolution: 1.19.4
Wrapper around libsass
Library home page: https://registry.npmjs.org/node-sass/-/node-sass-4.13.1.tgz
Path to dependency file: /amundsen_application/static/package.json
Path to vulnerable library: /amundsen_application/static/node_modules/node-sass/package.json
Dependency Hierarchy:
Found in base branch: master
In LibSass prior to 3.5.5, the function handle_error in sass_context.cpp allows attackers to cause a denial-of-service resulting from a heap-based buffer over-read via a crafted sass file.
Publish Date: 2018-12-04
URL: CVE-2018-19839
Base Score Metrics:
Type: Upgrade version
Release Date: 2018-12-04
Fix Resolution: Fable.Template.Elmish.React - 0.1.6;GR.PageRender.Razor - 1.8.0;MIDIator.WebClient - 1.0.105
Wrapper around libsass
Library home page: https://registry.npmjs.org/node-sass/-/node-sass-4.13.1.tgz
Path to dependency file: /amundsen_application/static/package.json
Path to vulnerable library: /amundsen_application/static/node_modules/node-sass/package.json
Dependency Hierarchy:
Found in base branch: master
An issue was discovered in LibSass through 3.5.4. A NULL pointer dereference was found in the function Sass::Functions::selector_append which could be leveraged by an attacker to cause a denial of service (application crash) or possibly have unspecified other impact.
Publish Date: 2018-06-04
URL: CVE-2018-11694
Base Score Metrics:
Type: Upgrade version
Release Date: 2018-06-04
Fix Resolution: Fable.Template.Elmish.React - 0.1.6;GR.PageRender.Razor - 1.8.0;MIDIator.WebClient - 1.0.105
Wrapper around libsass
Library home page: https://registry.npmjs.org/node-sass/-/node-sass-4.13.1.tgz
Path to dependency file: /amundsen_application/static/package.json
Path to vulnerable library: /amundsen_application/static/node_modules/node-sass/package.json
Dependency Hierarchy:
Found in base branch: master
In LibSass 3.5.5, a use-after-free vulnerability exists in the SharedPtr class in SharedPtr.cpp (or SharedPtr.hpp) that may cause a denial of service (application crash) or possibly have unspecified other impact.
Publish Date: 2018-12-03
URL: CVE-2018-19827
Base Score Metrics:
Type: Upgrade version
Release Date: 2018-12-03
Fix Resolution: GR.PageRender.Razor - 1.8.0;Fable.Template.Elmish.React - 0.1.6
Standard Subresource Integrity library -- parses, serializes, generates, and verifies integrity metadata according to the SRI spec.
Library home page: https://registry.npmjs.org/ssri/-/ssri-6.0.1.tgz
Path to dependency file: /amundsen_application/static/package.json
Path to vulnerable library: /amundsen_application/static/node_modules/webpack/node_modules/ssri/package.json
Dependency Hierarchy:
Standard Subresource Integrity library -- parses, serializes, generates, and verifies integrity metadata according to the SRI spec.
Library home page: https://registry.npmjs.org/ssri/-/ssri-7.1.0.tgz
Path to dependency file: /amundsen_application/static/package.json
Path to vulnerable library: /amundsen_application/static/node_modules/terser-webpack-plugin/node_modules/ssri/package.json
Dependency Hierarchy:
Found in base branch: master
ssri 5.2.2-8.0.0, fixed in 8.0.1, processes SRIs using a regular expression which is vulnerable to a denial of service. Malicious SRIs could take an extremely long time to process, leading to denial of service. This issue only affects consumers using the strict option.
Publish Date: 2021-03-12
URL: CVE-2021-27290
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-vx3p-948g-6vhq
Release Date: 2021-03-12
Fix Resolution (ssri): 6.0.2
Direct dependency fix Resolution (webpack): 4.41.4
Fix Resolution (ssri): 6.0.2
Direct dependency fix Resolution (terser-webpack-plugin): 2.3.3
Wrapper around libsass
Library home page: https://registry.npmjs.org/node-sass/-/node-sass-4.13.1.tgz
Path to dependency file: /amundsen_application/static/package.json
Path to vulnerable library: /amundsen_application/static/node_modules/node-sass/package.json
Dependency Hierarchy:
Found in base branch: master
An issue was discovered in LibSass through 3.5.4. A NULL pointer dereference was found in the function Sass::Inspect::operator which could be leveraged by an attacker to cause a denial of service (application crash) or possibly have unspecified other impact.
Publish Date: 2018-06-04
URL: CVE-2018-11696
Base Score Metrics:
Handlebars provides the power necessary to let you build semantic templates effectively with no frustration
Library home page: https://registry.npmjs.org/handlebars/-/handlebars-4.5.3.tgz
Path to dependency file: /amundsen_application/static/package.json
Path to vulnerable library: /amundsen_application/static/node_modules/handlebars/package.json
Dependency Hierarchy:
Found in base branch: master
The package handlebars before 4.7.7 are vulnerable to Remote Code Execution (RCE) when selecting certain compiling options to compile templates coming from an untrusted source.
Publish Date: 2021-04-12
URL: CVE-2021-23369
Base Score Metrics:
Type: Upgrade version
Release Date: 2021-04-12
Fix Resolution (handlebars): 4.7.7
Direct dependency fix Resolution (jest): 25.0.0
Wrapper around libsass
Library home page: https://registry.npmjs.org/node-sass/-/node-sass-4.13.1.tgz
Path to dependency file: /amundsen_application/static/package.json
Path to vulnerable library: /amundsen_application/static/node_modules/node-sass/package.json
Dependency Hierarchy:
Found in base branch: master
In LibSass prior to 3.5.5, Sass::Eval::operator()(Sass::Binary_Expression*) inside eval.cpp allows attackers to cause a denial-of-service resulting from stack consumption via a crafted sass file, because of certain incorrect parsing of '%' as a modulo operator in parser.cpp.
Publish Date: 2018-12-04
URL: CVE-2018-19837
Base Score Metrics:
Serialize JavaScript to a superset of JSON that includes regular expressions and functions.
Library home page: https://registry.npmjs.org/serialize-javascript/-/serialize-javascript-2.1.2.tgz
Path to dependency file: /amundsen_application/static/package.json
Path to vulnerable library: /amundsen_application/static/node_modules/terser-webpack-plugin/node_modules/serialize-javascript/package.json,/amundsen_application/static/node_modules/webpack/node_modules/serialize-javascript/package.json
Dependency Hierarchy:
Found in base branch: master
serialize-javascript prior to 3.1.0 allows remote attackers to inject arbitrary code via the function "deleteFunctions" within "index.js".
Publish Date: 2020-06-01
URL: CVE-2020-7660
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7660
Release Date: 2020-06-08
Fix Resolution (serialize-javascript): 3.1.0
Direct dependency fix Resolution (webpack): 4.41.4
JavaScript library for DOM operations
Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/2.1.4/jquery.min.js
Path to dependency file: /amundsen_application/static/node_modules/js-base64/test/index.html
Path to vulnerable library: /amundsen_application/static/node_modules/js-base64/test/index.html
Dependency Hierarchy:
Found in base branch: master
jQuery before 3.0.0 is vulnerable to Cross-site Scripting (XSS) attacks when a cross-domain Ajax request is performed without the dataType option, causing text/javascript responses to be executed.
Publish Date: 2018-01-18
URL: CVE-2015-9251
Base Score Metrics:
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2015-9251
Release Date: 2018-01-18
Fix Resolution: jQuery - 3.0.0
A declarative, efficient, and flexible JavaScript library for building user interfaces.
๐ Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
An Open Source Machine Learning Framework for Everyone
The Web framework for perfectionists with deadlines.
A PHP framework for web artisans
Bring data to life with SVG, Canvas and HTML. ๐๐๐
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
Some thing interesting about web. New door for the world.
A server is a program made to process requests and deliver data to clients.
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Some thing interesting about visualization, use data art
Some thing interesting about game, make everyone happy.
We are working to build community through open source technology. NB: members must have two-factor auth.
Open source projects and samples from Microsoft.
Google โค๏ธ Open Source for everyone.
Alibaba Open Source for everyone
Data-Driven Documents codes.
China tencent open source team.