
apollo's People

Contributors

danielnorberg, dflemstr, dmichel1, erikjoh, fdfzcq, geoaxis, gilles, gimaker, jhaals, jmuci, jo-ri, jpettersson, klaraward, lepistone, lmuhlha, lutovich, martina-if, mattnworb, mend-for-github-com[bot], mspringare, patriknordlen, pettermahlen, pierrei, rouzwawi, spkrka, tommyulfsparre, toweroy, villespotify, yarin78, zalenski

apollo's Issues

WS-2019-0209 (Medium) detected in marked-0.3.19.js

WS-2019-0209 - Medium Severity Vulnerability

Vulnerable Library - marked-0.3.19.js

A markdown parser built for speed

Library home page: https://cdnjs.cloudflare.com/ajax/libs/marked/0.3.19/marked.js

Path to dependency file: apollo/website/node_modules/marked/www/demo.html

Path to vulnerable library: apollo/website/node_modules/marked/www/../lib/marked.js

Dependency Hierarchy:

  • marked-0.3.19.js (Vulnerable Library)

Found in HEAD commit: 69726c22434acce7b013152897cd82ea4aef2b43

Found in base branch: 1.x

Vulnerability Details

marked before 0.7.0 is vulnerable to a ReDoS attack via the _label subrule, which may significantly degrade parsing performance on malformed input.

Publish Date: 2019-07-04

URL: WS-2019-0209

CVSS 2 Score Details (5.0)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/1076

Release Date: 2019-09-05

Fix Resolution: 0.7.0

CVE-2020-11022 (Medium) detected in jquery-1.7.2.min.js

CVE-2020-11022 - Medium Severity Vulnerability

Vulnerable Library - jquery-1.7.2.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.7.2/jquery.min.js

Path to dependency file: apollo/website/node_modules/js-base64/test/index.html

Path to vulnerable library: apollo/website/node_modules/js-base64/test/index.html,apollo/website/node_modules/marked/www/demo.html

Dependency Hierarchy:

  • jquery-1.7.2.min.js (Vulnerable Library)

Found in HEAD commit: 69726c22434acce7b013152897cd82ea4aef2b43

Found in base branch: 1.x

Vulnerability Details

In jQuery versions greater than or equal to 1.2 and before 3.5.0, passing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.

Publish Date: 2020-04-29

URL: CVE-2020-11022

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None


Suggested Fix

Type: Upgrade version

Origin: https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/

Release Date: 2020-04-29

Fix Resolution: jQuery - 3.5.0

CVE-2017-1000048 (High) detected in qs-1.0.2.tgz, qs-2.2.4.tgz

CVE-2017-1000048 - High Severity Vulnerability

Vulnerable Libraries - qs-1.0.2.tgz, qs-2.2.4.tgz

qs-1.0.2.tgz

A querystring parser that supports nesting and arrays, with a depth limit

Library home page: https://registry.npmjs.org/qs/-/qs-1.0.2.tgz

Path to dependency file: apollo/website/package.json

Path to vulnerable library: apollo/website/node_modules/lingon-git-deploy/node_modules/request/node_modules/qs/package.json

Dependency Hierarchy:

  • lingon-git-deploy-0.1.0.tgz (Root Library)
    • lingon-2.0.0.tgz
      • gulp-less-1.3.9.tgz
        • less-1.7.5.tgz
          • request-2.40.0.tgz
            • qs-1.0.2.tgz (Vulnerable Library)
qs-2.2.4.tgz

A querystring parser that supports nesting and arrays, with a depth limit

Library home page: https://registry.npmjs.org/qs/-/qs-2.2.4.tgz

Path to dependency file: apollo/website/package.json

Path to vulnerable library: apollo/website/node_modules/lingon-git-deploy/node_modules/qs/package.json

Dependency Hierarchy:

  • lingon-git-deploy-0.1.0.tgz (Root Library)
    • lingon-2.0.0.tgz
      • express-4.9.8.tgz
        • qs-2.2.4.tgz (Vulnerable Library)

Found in HEAD commit: 69726c22434acce7b013152897cd82ea4aef2b43

Found in base branch: 1.x

Vulnerability Details

A web framework using ljharb's qs module older than v6.3.2, v6.2.3, v6.1.2, or v6.0.4 is vulnerable to a DoS: a malicious user can send a crafted request that crashes the web framework.

Publish Date: 2017-07-17

URL: CVE-2017-1000048

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000048

Release Date: 2017-07-17

Fix Resolution: qs - 6.0.4,6.1.2,6.2.3,6.3.2

WS-2017-0266 (Low) detected in http-signature-0.10.1.tgz

WS-2017-0266 - Low Severity Vulnerability

Vulnerable Library - http-signature-0.10.1.tgz

Reference implementation of Joyent's HTTP Signature scheme.

Library home page: https://registry.npmjs.org/http-signature/-/http-signature-0.10.1.tgz

Path to dependency file: apollo/website/package.json

Path to vulnerable library: apollo/website/node_modules/lingon-git-deploy/node_modules/http-signature/package.json

Dependency Hierarchy:

  • lingon-git-deploy-0.1.0.tgz (Root Library)
    • lingon-2.0.0.tgz
      • gulp-less-1.3.9.tgz
        • less-1.7.5.tgz
          • request-2.40.0.tgz
            • http-signature-0.10.1.tgz (Vulnerable Library)

Found in HEAD commit: 69726c22434acce7b013152897cd82ea4aef2b43

Found in base branch: 1.x

Vulnerability Details

Affected versions (before 1.0.0) of the http-signature package are vulnerable to Timing Attacks.

Publish Date: 2015-01-22

URL: WS-2017-0266

CVSS 3 Score Details (3.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Adjacent
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: None
    • Availability Impact: None


Suggested Fix

Type: Upgrade version

Origin: TritonDataCenter/node-http-signature#36

Release Date: 2017-01-31

Fix Resolution: 1.0.0

CVE-2019-10744 (High) detected in multiple libraries

CVE-2019-10744 - High Severity Vulnerability

Vulnerable Libraries - lodash-1.0.2.tgz, lodash.template-3.6.2.tgz, lodash-2.4.2.tgz, lodash-3.10.1.tgz

lodash-1.0.2.tgz

A utility library delivering consistency, customization, performance, and extras.

Library home page: https://registry.npmjs.org/lodash/-/lodash-1.0.2.tgz

Path to dependency file: apollo/website/package.json

Path to vulnerable library: apollo/website/node_modules/glob-watcher/node_modules/lodash/package.json

Dependency Hierarchy:

  • lingon-git-deploy-0.1.0.tgz (Root Library)
    • lingon-2.0.0.tgz
      • vinyl-fs-0.3.14.tgz
        • glob-watcher-0.0.6.tgz
          • gaze-0.5.2.tgz
            • globule-0.1.0.tgz
              • lodash-1.0.2.tgz (Vulnerable Library)
lodash.template-3.6.2.tgz

The modern build of lodash’s `_.template` as a module.

Library home page: https://registry.npmjs.org/lodash.template/-/lodash.template-3.6.2.tgz

Path to dependency file: apollo/website/package.json

Path to vulnerable library: apollo/website/node_modules/lodash.template/package.json

Dependency Hierarchy:

  • gulp-autoprefixer-2.3.1.tgz (Root Library)
    • gulp-util-3.0.8.tgz
      • lodash.template-3.6.2.tgz (Vulnerable Library)
lodash-2.4.2.tgz

A utility library delivering consistency, customization, performance, & extras.

Library home page: https://registry.npmjs.org/lodash/-/lodash-2.4.2.tgz

Path to dependency file: apollo/website/package.json

Path to vulnerable library: apollo/website/node_modules/hike/node_modules/lodash/package.json

Dependency Hierarchy:

  • lingon-git-deploy-0.1.0.tgz (Root Library)
    • lingon-2.0.0.tgz
      • hike-0.1.4.tgz
        • lodash-2.4.2.tgz (Vulnerable Library)
lodash-3.10.1.tgz

The modern build of lodash modular utilities.

Library home page: https://registry.npmjs.org/lodash/-/lodash-3.10.1.tgz

Path to dependency file: apollo/website/package.json

Path to vulnerable library: apollo/website/node_modules/lodash/package.json

Dependency Hierarchy:

  • gulp-highlight-1.1.0.tgz (Root Library)
    • cheerio-0.19.0.tgz
      • lodash-3.10.1.tgz (Vulnerable Library)

Found in HEAD commit: 69726c22434acce7b013152897cd82ea4aef2b43

Found in base branch: 1.x

Vulnerability Details

Versions of lodash lower than 4.17.12 are vulnerable to Prototype Pollution. The function defaultsDeep could be tricked into adding or modifying properties of Object.prototype using a constructor payload.

Publish Date: 2019-07-26

URL: CVE-2019-10744

CVSS 3 Score Details (9.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: High
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: GHSA-jf85-cpcp-j695

Release Date: 2019-07-08

Fix Resolution: lodash-4.17.12, lodash-amd-4.17.12, lodash-es-4.17.12, lodash.defaultsdeep-4.6.1, lodash.merge- 4.6.2, lodash.mergewith-4.6.2, lodash.template-4.5.0

CVE-2021-32640 (Medium) detected in ws-6.2.1.tgz

CVE-2021-32640 - Medium Severity Vulnerability

Vulnerable Library - ws-6.2.1.tgz

Simple to use, blazing fast and thoroughly tested websocket client and server for Node.js

Library home page: https://registry.npmjs.org/ws/-/ws-6.2.1.tgz

Path to dependency file: apollo/website/package.json

Path to vulnerable library: apollo/website/node_modules/ws/package.json

Dependency Hierarchy:

  • lingon-livereload-1.1.0.tgz (Root Library)
    • livereload-0.9.1.tgz
      • ws-6.2.1.tgz (Vulnerable Library)

Found in base branch: 1.x

Vulnerability Details

ws is an open source WebSocket client and server library for Node.js. A specially crafted value of the Sec-WebSocket-Protocol header can be used to significantly slow down a ws server. The vulnerability has been fixed in ws@7.4.6 (websockets/ws@00c425e). In vulnerable versions of ws, the issue can be mitigated by reducing the maximum allowed length of the request headers using the --max-http-header-size=size and/or the maxHeaderSize options.

Publish Date: 2021-05-25

URL: CVE-2021-32640

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: Low


Suggested Fix

Type: Upgrade version

Origin: GHSA-6fc8-4gx4-v693

Release Date: 2021-05-25

Fix Resolution: ws - 7.4.6

CVE-2020-7656 (Medium) detected in jquery-1.7.2.min.js

CVE-2020-7656 - Medium Severity Vulnerability

Vulnerable Library - jquery-1.7.2.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.7.2/jquery.min.js

Path to dependency file: apollo/website/node_modules/js-base64/test/index.html

Path to vulnerable library: apollo/website/node_modules/js-base64/test/index.html,apollo/website/node_modules/marked/www/demo.html

Dependency Hierarchy:

  • jquery-1.7.2.min.js (Vulnerable Library)

Found in HEAD commit: 69726c22434acce7b013152897cd82ea4aef2b43

Found in base branch: 1.x

Vulnerability Details

jQuery prior to 1.9.0 allows Cross-site Scripting attacks via the load method. The load method fails to recognize and remove "<script>" HTML tags whose closing tag contains a whitespace character, i.e. "</script >", which results in the enclosed script logic being executed.

Publish Date: 2020-05-19

URL: CVE-2020-7656

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None


Suggested Fix

Type: Upgrade version

Origin: GHSA-q4m3-2j7h-f7xw

Release Date: 2020-05-28

Fix Resolution: jquery - 1.9.0

CVE-2018-1000620 (High) detected in cryptiles-2.0.5.tgz, cryptiles-0.2.2.tgz

CVE-2018-1000620 - High Severity Vulnerability

Vulnerable Libraries - cryptiles-2.0.5.tgz, cryptiles-0.2.2.tgz

cryptiles-2.0.5.tgz

General purpose crypto utilities

Library home page: https://registry.npmjs.org/cryptiles/-/cryptiles-2.0.5.tgz

Path to dependency file: apollo/website/package.json

Path to vulnerable library: apollo/website/node_modules/cryptiles/package.json

Dependency Hierarchy:

  • lingon-2.4.2.tgz (Root Library)
    • gulp-less-3.3.2.tgz
      • less-2.7.3.tgz
        • request-2.81.0.tgz
          • hawk-3.1.3.tgz
            • cryptiles-2.0.5.tgz (Vulnerable Library)
cryptiles-0.2.2.tgz

General purpose crypto utilities

Library home page: https://registry.npmjs.org/cryptiles/-/cryptiles-0.2.2.tgz

Path to dependency file: apollo/website/package.json

Path to vulnerable library: apollo/website/node_modules/lingon-git-deploy/node_modules/cryptiles/package.json

Dependency Hierarchy:

  • lingon-git-deploy-0.1.0.tgz (Root Library)
    • lingon-2.0.0.tgz
      • gulp-less-1.3.9.tgz
        • less-1.7.5.tgz
          • request-2.40.0.tgz
            • hawk-1.1.1.tgz
              • cryptiles-0.2.2.tgz (Vulnerable Library)

Found in HEAD commit: 69726c22434acce7b013152897cd82ea4aef2b43

Found in base branch: 1.x

Vulnerability Details

Eran Hammer's cryptiles version 4.1.1 and earlier contains a CWE-331 (Insufficient Entropy) vulnerability in the randomDigits() method: an attacker is more likely to be able to brute-force a value that was supposed to be random. Whether this is exploitable depends on the calling application. This vulnerability appears to have been fixed in 4.1.2.

Publish Date: 2018-07-09

URL: CVE-2018-1000620

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-1000620

Release Date: 2018-07-09

Fix Resolution: v4.1.2

CVE-2016-1000236 (Medium) detected in cookie-signature-1.0.5.tgz

CVE-2016-1000236 - Medium Severity Vulnerability

Vulnerable Library - cookie-signature-1.0.5.tgz

Sign and unsign cookies

Library home page: https://registry.npmjs.org/cookie-signature/-/cookie-signature-1.0.5.tgz

Path to dependency file: apollo/website/package.json

Path to vulnerable library: apollo/website/node_modules/lingon-git-deploy/node_modules/cookie-signature/package.json

Dependency Hierarchy:

  • lingon-git-deploy-0.1.0.tgz (Root Library)
    • lingon-2.0.0.tgz
      • express-4.9.8.tgz
        • cookie-signature-1.0.5.tgz (Vulnerable Library)

Found in HEAD commit: 69726c22434acce7b013152897cd82ea4aef2b43

Found in base branch: 1.x

Vulnerability Details

Node-cookie-signature before 1.0.6 is affected by a timing attack due to the type of comparison used.

Publish Date: 2019-11-19

URL: CVE-2016-1000236

CVSS 3 Score Details (4.4)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: High
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None


Suggested Fix

Type: Upgrade version

Origin: tj/node-cookie-signature@3979108

Release Date: 2019-11-19

Fix Resolution: 1.0.4

CVE-2016-2515 (High) detected in hawk-1.1.1.tgz

CVE-2016-2515 - High Severity Vulnerability

Vulnerable Library - hawk-1.1.1.tgz

HTTP Hawk Authentication Scheme

Library home page: https://registry.npmjs.org/hawk/-/hawk-1.1.1.tgz

Path to dependency file: apollo/website/package.json

Path to vulnerable library: apollo/website/node_modules/lingon-git-deploy/node_modules/hawk/package.json

Dependency Hierarchy:

  • lingon-git-deploy-0.1.0.tgz (Root Library)
    • lingon-2.0.0.tgz
      • gulp-less-1.3.9.tgz
        • less-1.7.5.tgz
          • request-2.40.0.tgz
            • hawk-1.1.1.tgz (Vulnerable Library)

Found in HEAD commit: 69726c22434acce7b013152897cd82ea4aef2b43

Found in base branch: 1.x

Vulnerability Details

Hawk before 3.1.3 and 4.x before 4.1.1 allow remote attackers to cause a denial of service (CPU consumption or partial outage) via a long (1) header or (2) URI that is matched against an improper regular expression.

Publish Date: 2016-04-13

URL: CVE-2016-2515

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2016-2515

Release Date: 2016-04-13

Fix Resolution: 3.1.3,4.1.1

CVE-2020-15366 (Medium) detected in ajv-4.11.8.tgz

CVE-2020-15366 - Medium Severity Vulnerability

Vulnerable Library - ajv-4.11.8.tgz

Another JSON Schema Validator

Library home page: https://registry.npmjs.org/ajv/-/ajv-4.11.8.tgz

Path to dependency file: apollo/website/package.json

Path to vulnerable library: apollo/website/node_modules/less/node_modules/ajv/package.json

Dependency Hierarchy:

  • lingon-2.4.2.tgz (Root Library)
    • gulp-less-3.3.2.tgz
      • less-2.7.3.tgz
        • request-2.81.0.tgz
          • har-validator-4.2.1.tgz
            • ajv-4.11.8.tgz (Vulnerable Library)

Found in HEAD commit: 69726c22434acce7b013152897cd82ea4aef2b43

Found in base branch: 1.x

Vulnerability Details

An issue was discovered in ajv.validate() in Ajv (aka Another JSON Schema Validator) 6.12.2. A carefully crafted JSON schema could be provided that allows execution of other code by prototype pollution. (While untrusted schemas are recommended against, the worst case of an untrusted schema should be a denial of service, not execution of code.)

Publish Date: 2020-07-15

URL: CVE-2020-15366

CVSS 3 Score Details (5.6)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: Low


Suggested Fix

Type: Upgrade version

Origin: https://github.com/ajv-validator/ajv/releases/tag/v6.12.3

Release Date: 2020-07-15

Fix Resolution: ajv - 6.12.3

CVE-2019-1010266 (Medium) detected in multiple libraries

CVE-2019-1010266 - Medium Severity Vulnerability

Vulnerable Libraries - lodash-2.4.2.tgz, lodash-1.0.2.tgz, lodash-3.10.1.tgz

lodash-2.4.2.tgz

A utility library delivering consistency, customization, performance, & extras.

Library home page: https://registry.npmjs.org/lodash/-/lodash-2.4.2.tgz

Path to dependency file: apollo/website/package.json

Path to vulnerable library: apollo/website/node_modules/hike/node_modules/lodash/package.json

Dependency Hierarchy:

  • lingon-git-deploy-0.1.0.tgz (Root Library)
    • lingon-2.0.0.tgz
      • hike-0.1.4.tgz
        • lodash-2.4.2.tgz (Vulnerable Library)
lodash-1.0.2.tgz

A utility library delivering consistency, customization, performance, and extras.

Library home page: https://registry.npmjs.org/lodash/-/lodash-1.0.2.tgz

Path to dependency file: apollo/website/package.json

Path to vulnerable library: apollo/website/node_modules/glob-watcher/node_modules/lodash/package.json

Dependency Hierarchy:

  • lingon-git-deploy-0.1.0.tgz (Root Library)
    • lingon-2.0.0.tgz
      • vinyl-fs-0.3.14.tgz
        • glob-watcher-0.0.6.tgz
          • gaze-0.5.2.tgz
            • globule-0.1.0.tgz
              • lodash-1.0.2.tgz (Vulnerable Library)
lodash-3.10.1.tgz

The modern build of lodash modular utilities.

Library home page: https://registry.npmjs.org/lodash/-/lodash-3.10.1.tgz

Path to dependency file: apollo/website/package.json

Path to vulnerable library: apollo/website/node_modules/lodash/package.json

Dependency Hierarchy:

  • gulp-highlight-1.1.0.tgz (Root Library)
    • cheerio-0.19.0.tgz
      • lodash-3.10.1.tgz (Vulnerable Library)

Found in HEAD commit: 69726c22434acce7b013152897cd82ea4aef2b43

Found in base branch: 1.x

Vulnerability Details

lodash prior to 4.17.11 is affected by: CWE-400: Uncontrolled Resource Consumption. The impact is: Denial of service. The component is: Date handler. The attack vector is: Attacker provides very long strings, which the library attempts to match using a regular expression. The fixed version is: 4.17.11.

Publish Date: 2019-07-17

URL: CVE-2019-1010266

CVSS 3 Score Details (6.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1010266

Release Date: 2019-07-17

Fix Resolution: 4.17.11

CVE-2020-8203 (High) detected in multiple libraries

CVE-2020-8203 - High Severity Vulnerability

Vulnerable Libraries - lodash-3.10.1.tgz, lodash-1.0.2.tgz, lodash-2.4.2.tgz

lodash-3.10.1.tgz

The modern build of lodash modular utilities.

Library home page: https://registry.npmjs.org/lodash/-/lodash-3.10.1.tgz

Path to dependency file: apollo/website/package.json

Path to vulnerable library: apollo/website/node_modules/lodash/package.json

Dependency Hierarchy:

  • gulp-highlight-1.1.0.tgz (Root Library)
    • cheerio-0.19.0.tgz
      • lodash-3.10.1.tgz (Vulnerable Library)
lodash-1.0.2.tgz

A utility library delivering consistency, customization, performance, and extras.

Library home page: https://registry.npmjs.org/lodash/-/lodash-1.0.2.tgz

Path to dependency file: apollo/website/package.json

Path to vulnerable library: apollo/website/node_modules/glob-watcher/node_modules/lodash/package.json

Dependency Hierarchy:

  • lingon-git-deploy-0.1.0.tgz (Root Library)
    • lingon-2.0.0.tgz
      • vinyl-fs-0.3.14.tgz
        • glob-watcher-0.0.6.tgz
          • gaze-0.5.2.tgz
            • globule-0.1.0.tgz
              • lodash-1.0.2.tgz (Vulnerable Library)
lodash-2.4.2.tgz

A utility library delivering consistency, customization, performance, & extras.

Library home page: https://registry.npmjs.org/lodash/-/lodash-2.4.2.tgz

Path to dependency file: apollo/website/package.json

Path to vulnerable library: apollo/website/node_modules/hike/node_modules/lodash/package.json

Dependency Hierarchy:

  • lingon-git-deploy-0.1.0.tgz (Root Library)
    • lingon-2.0.0.tgz
      • hike-0.1.4.tgz
        • lodash-2.4.2.tgz (Vulnerable Library)

Found in HEAD commit: 69726c22434acce7b013152897cd82ea4aef2b43

Found in base branch: 1.x

Vulnerability Details

Prototype pollution attack when using _.zipObjectDeep in lodash before 4.17.20.
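Three findings on this page are prototype pollution (CVE-2019-10744 in defaultsDeep, CVE-2020-15366 in ajv, and this one in zipObjectDeep). The following is an added example written for this page, not lodash's or ajv's code: a deep-defaults routine with the bug shape, a probe that shows Object.prototype being modified by the constructor.prototype and __proto__ payloads, and a hardened version that refuses those keys and only recurses into own, plain-object values. The payloads are constructed for the example.

```javascript
// Added example for this page (not lodash's or ajv's code): the prototype-pollution bug shape
// in a deep-defaults routine, a probe for it, and a hardened version.
const hasOwn = (o, k) => Object.prototype.hasOwnProperty.call(o, k);

// Vulnerable: recurses into whatever the target already holds at `key`, including the
// inherited `constructor` function and the `__proto__` accessor, so a source object can
// walk up to Object.prototype and add properties to every object in the process.
function defaultsDeepVulnerable(target, source) {
  for (const key of Object.keys(source)) {   // JSON.parse yields own keys named "__proto__" or "constructor"
    const sv = source[key];
    const tv = target[key];                   // for "__proto__" on a plain object this is Object.prototype
    if (sv !== null && typeof sv === 'object') {
      if (tv !== null && (typeof tv === 'object' || typeof tv === 'function')) {
        defaultsDeepVulnerable(tv, sv);
      } else {
        target[key] = defaultsDeepVulnerable({}, sv);
      }
    } else if (tv === undefined) {
      target[key] = sv;
    }
  }
  return target;
}

const BLOCKED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
const isPlainObject = (v) => v !== null && typeof v === 'object' &&
  (Object.getPrototypeOf(v) === Object.prototype || Object.getPrototypeOf(v) === null);

// Hardened: skip the keys that reach the prototype chain, and only recurse into values the
// target owns itself and that are plain objects (never functions, class instances or accessors).
function defaultsDeepSafe(target, source) {
  for (const key of Object.keys(source)) {
    if (BLOCKED_KEYS.has(key)) continue;
    const sv = source[key];
    if (isPlainObject(sv)) {
      if (!hasOwn(target, key)) target[key] = {};
      if (isPlainObject(target[key])) defaultsDeepSafe(target[key], sv);
    } else if (!hasOwn(target, key)) {
      target[key] = sv;
    }
  }
  return target;
}

// Constructed payloads; the second is the constructor.prototype shape named in CVE-2019-10744.
const PROTO_PAYLOAD = '{"__proto__":{"polluted":true}}';
const CONSTRUCTOR_PAYLOAD = '{"constructor":{"prototype":{"polluted":true}}}';

// Merge one payload into a fresh object and report whether unrelated objects changed.
// Removes the property afterwards so a positive result cannot leak into later code.
function pollutionProbe(mergeFn, payloadJson) {
  const before = ({}).polluted;
  mergeFn({}, JSON.parse(payloadJson));
  const after = ({}).polluted;
  delete Object.prototype.polluted;
  return { before, after };
}
```

In a real service the hardened merge is one layer; freezing Object.prototype at startup (Object.freeze(Object.prototype)) and using Object.create(null) for lookup tables are the other two, and the probe above is the kind of regression test worth keeping next to any merge, defaults or schema-compilation code that touches untrusted JSON.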

Publish Date: 2020-07-15

URL: CVE-2020-8203

CVSS 3 Score Details (7.4)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: High
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/1523

Release Date: 2020-07-23

Fix Resolution: lodash - 4.17.19

CVE-2015-8859 (Medium) detected in send-0.9.3.tgz

CVE-2015-8859 - Medium Severity Vulnerability

Vulnerable Library - send-0.9.3.tgz

Better streaming static file server with Range and conditional-GET support

Library home page: https://registry.npmjs.org/send/-/send-0.9.3.tgz

Path to dependency file: apollo/website/package.json

Path to vulnerable library: apollo/website/node_modules/lingon-git-deploy/node_modules/send/package.json

Dependency Hierarchy:

  • lingon-git-deploy-0.1.0.tgz (Root Library)
    • lingon-2.0.0.tgz
      • send-0.9.3.tgz (Vulnerable Library)

Found in HEAD commit: 69726c22434acce7b013152897cd82ea4aef2b43

Found in base branch: 1.x

Vulnerability Details

The send package before 0.11.1 for Node.js allows attackers to obtain the root path via unspecified vectors.

Publish Date: 2017-01-23

URL: CVE-2015-8859

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: None
    • Availability Impact: None


Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2015-8859

Release Date: 2017-01-23

Fix Resolution: 0.11.1

CVE-2017-16138 (High) detected in mime-1.3.4.tgz, mime-1.2.11.tgz

CVE-2017-16138 - High Severity Vulnerability

Vulnerable Libraries - mime-1.3.4.tgz, mime-1.2.11.tgz

mime-1.3.4.tgz

A comprehensive library for mime-type mapping

Library home page: https://registry.npmjs.org/mime/-/mime-1.3.4.tgz

Path to dependency file: apollo/website/package.json

Path to vulnerable library: apollo/website/node_modules/mime/package.json

Dependency Hierarchy:

  • lingon-2.4.2.tgz (Root Library)
    • send-0.15.6.tgz
      • mime-1.3.4.tgz (Vulnerable Library)
mime-1.2.11.tgz

A comprehensive library for mime-type mapping

Library home page: https://registry.npmjs.org/mime/-/mime-1.2.11.tgz

Path to dependency file: apollo/website/package.json

Path to vulnerable library: apollo/website/node_modules/lingon-git-deploy/node_modules/mime/package.json

Dependency Hierarchy:

  • lingon-git-deploy-0.1.0.tgz (Root Library)
    • lingon-2.0.0.tgz
      • send-0.9.3.tgz
        • mime-1.2.11.tgz (Vulnerable Library)

Found in HEAD commit: 69726c22434acce7b013152897cd82ea4aef2b43

Found in base branch: 1.x

Vulnerability Details

The mime module < 1.4.1, 2.0.1, 2.0.2 is vulnerable to regular expression denial of service when a mime lookup is performed on untrusted user input.

Publish Date: 2018-06-07

URL: CVE-2017-16138

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16138

Release Date: 2018-06-07

Fix Resolution: 1.4.1,2.0.3

CVE-2016-10531 (Medium) detected in marked-0.3.19.js

CVE-2016-10531 - Medium Severity Vulnerability

Vulnerable Library - marked-0.3.19.js

A markdown parser built for speed

Library home page: https://cdnjs.cloudflare.com/ajax/libs/marked/0.3.19/marked.js

Path to dependency file: apollo/website/node_modules/marked/www/demo.html

Path to vulnerable library: apollo/website/node_modules/marked/www/../lib/marked.js

Dependency Hierarchy:

  • marked-0.3.19.js (Vulnerable Library)

Found in HEAD commit: 69726c22434acce7b013152897cd82ea4aef2b43

Found in base branch: 1.x

Vulnerability Details

marked is an application that is meant to parse and compile markdown. Due to the way that marked 0.3.5 and earlier parses input, specifically HTML entities, it's possible to bypass marked's content injection protection (sanitize: true) to inject a javascript: URL. This flaw exists because &#xNNanything; gets parsed to what it could and leaves the rest behind, resulting in just anything; being left.

Publish Date: 2018-05-31

URL: CVE-2016-10531

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None


Suggested Fix

Type: Upgrade version

Origin: https://nodesecurity.io/advisories/101

Release Date: 2016-04-18

Fix Resolution: Update to version 0.3.6 or later.

CVE-2016-10539 (High) detected in negotiator-0.4.9.tgz

CVE-2016-10539 - High Severity Vulnerability

Vulnerable Library - negotiator-0.4.9.tgz

HTTP content negotiation

Library home page: https://registry.npmjs.org/negotiator/-/negotiator-0.4.9.tgz

Path to dependency file: apollo/website/package.json

Path to vulnerable library: apollo/website/node_modules/lingon-git-deploy/node_modules/negotiator/package.json

Dependency Hierarchy:

  • lingon-git-deploy-0.1.0.tgz (Root Library)
    • lingon-2.0.0.tgz
      • express-4.9.8.tgz
        • accepts-1.1.4.tgz
          • negotiator-0.4.9.tgz (Vulnerable Library)

Found in HEAD commit: 69726c22434acce7b013152897cd82ea4aef2b43

Found in base branch: 1.x

Vulnerability Details

negotiator is an HTTP content negotiator for Node.js and is used by many modules and frameworks including Express and Koa. The header for "Accept-Language", when parsed by negotiator 0.6.0 and earlier is vulnerable to Regular Expression Denial of Service via a specially crafted string.
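Six of the advisories on this page are regular-expression denial of service (marked's _label subrule, hawk's header/URI matching, lodash's date handler, mime lookup, ws's Sec-WebSocket-Protocol parsing, and negotiator's Accept-Language parsing here). The following is an added example written for this page, not code from any of those libraries: a small static check for the regex shape behind most of them (an unbounded repetition nested inside a repeated group), and an Accept-Language parser that pairs a linear pattern with the input-length budget the ws advisory recommends. The regexes are illustrations of the bug class, not the vulnerable patterns from those packages. Separately, marked-0.3.19.js is also flagged above for CVE-2016-10531, whose fix version is 0.3.6; that detection is a version-range mismatch worth confirming rather than patching blindly.

```javascript
// Added example for this page (not code from marked, hawk, lodash, mime, ws or negotiator).
// A static check for the nested-quantifier regex shape plus a length-budgeted parser.

// Returns true when `source` (a RegExp .source string) has a group that is repeated without
// an upper bound (* + {n,}) and that itself contains such a repetition, e.g. (a+)+ or
// (\w+\s?)*. On a near-miss input that shape backtracks exponentially.
function hasNestedQuantifier(source) {
  const groups = [];                      // per open group: contains an unbounded quantifier?
  const unboundedAt = (j) => {
    const c = source[j];
    if (c === '*' || c === '+') return true;
    return c === '{' && /^\{\d+,\}/.test(source.slice(j));   // {n,} with no ceiling
  };
  let i = 0;
  while (i < source.length) {
    const c = source[i];
    if (c === '\\') { i += 2; continue; }                     // escape such as \d or \+
    if (c === '[') {                                          // character class: + and * are literal
      i += 1;
      if (source[i] === '^') i += 1;
      if (source[i] === ']') i += 1;
      while (i < source.length && source[i] !== ']') i += source[i] === '\\' ? 2 : 1;
      i += 1;
      continue;
    }
    if (c === '(') {
      groups.push(false);
      i += 1;
      if (source[i] === '?') {                                // (?: (?= (?! (?<= (?<! (?<name>
        i += 1;
        if (source[i] === '<' && source[i + 1] !== '=' && source[i + 1] !== '!') {
          while (i < source.length && source[i] !== '>') i += 1;
        }
        i += 1;
      }
      continue;
    }
    if (c === ')') {
      const inner = groups.pop();
      i += 1;
      if (inner && unboundedAt(i)) return true;               // repeated group with a repetition inside
      if (inner && groups.length) groups[groups.length - 1] = true;   // the parent contains it too
      continue;
    }
    if (unboundedAt(i) && groups.length) groups[groups.length - 1] = true;
    i += 1;
  }
  return false;
}

// Linear-time language tag: the repeated group's inner pieces are bounded, so a
// non-matching input fails in a handful of steps. The static check accepts it.
const LANGUAGE_TAG = /^[a-z]{1,8}(-[a-z0-9]{1,8})*$/i;

// Parse an Accept-Language header into [{tag, weight}] sorted by weight, refusing
// oversized input first. The cap is the same idea as the ws advisory's maxHeaderSize:
// whatever the regex costs, the attacker no longer chooses the input length.
function parseAcceptLanguage(header, maxLen = 256) {
  if (typeof header !== 'string' || header.length > maxLen) return null;
  const tags = [];
  for (const part of header.split(',')) {
    const [tag, ...params] = part.trim().split(';');
    if (!LANGUAGE_TAG.test(tag)) continue;
    const q = params.map((p) => p.trim()).find((p) => p.startsWith('q='));
    const weight = q ? Number(q.slice(2)) : 1;
    if (Number.isFinite(weight) && weight > 0) tags.push({ tag: tag.toLowerCase(), weight });
  }
  return tags.sort((a, b) => b.weight - a.weight);
}
```

The static check catches the nested-quantifier family but not ambiguous alternation such as (a|aa)+, so treat it as a linter over a codebase's regex literals, not a proof; the length cap is what bounds the worst case in production, and it belongs in front of every regex that sees a header, a URI or a markdown body.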

Publish Date: 2018-05-31

URL: CVE-2016-10539

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/106

Release Date: 2018-05-31

Fix Resolution: 0.6.1

CVE-2017-1000228 (High) detected in ejs-1.0.0.tgz

CVE-2017-1000228 - High Severity Vulnerability

Vulnerable Library - ejs-1.0.0.tgz

Embedded JavaScript templates

Library home page: https://registry.npmjs.org/ejs/-/ejs-1.0.0.tgz

Path to dependency file: apollo/website/package.json

Path to vulnerable library: apollo/website/node_modules/lingon-git-deploy/node_modules/ejs/package.json

Dependency Hierarchy:

  • lingon-git-deploy-0.1.0.tgz (Root Library)
    • lingon-2.0.0.tgz
      • gulp-ejs-0.3.1.tgz
        • ejs-1.0.0.tgz (Vulnerable Library)

Found in HEAD commit: 69726c22434acce7b013152897cd82ea4aef2b43

Found in base branch: 1.x

Vulnerability Details

Node.js ejs versions older than 2.5.3 are vulnerable to remote code execution due to weak input validation in the ejs.renderFile() function.

Publish Date: 2017-11-17

URL: CVE-2017-1000228

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-1000228

Release Date: 2017-11-17

Fix Resolution: 2.5.3

CVE-2012-6708 (Medium) detected in jquery-1.7.2.min.js

CVE-2012-6708 - Medium Severity Vulnerability

Vulnerable Library - jquery-1.7.2.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.7.2/jquery.min.js

Path to dependency file: apollo/website/node_modules/js-base64/test/index.html

Path to vulnerable library: apollo/website/node_modules/js-base64/test/index.html,apollo/website/node_modules/marked/www/demo.html

Dependency Hierarchy:

  • jquery-1.7.2.min.js (Vulnerable Library)

Found in HEAD commit: 69726c22434acce7b013152897cd82ea4aef2b43

Found in base branch: 1.x

Vulnerability Details

jQuery before 1.9.0 is vulnerable to Cross-site Scripting (XSS) attacks. The jQuery(strInput) function does not differentiate selectors from HTML in a reliable fashion. In vulnerable versions, jQuery determined whether the input was HTML by looking for the '<' character anywhere in the string, giving attackers more flexibility when attempting to construct a malicious payload. In fixed versions, jQuery only deems the input to be HTML if it explicitly starts with the '<' character, limiting exploitability only to attackers who can control the beginning of a string, which is far less common.

Publish Date: 2018-01-18

URL: CVE-2012-6708

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2012-6708

Release Date: 2018-01-18

Fix Resolution: jQuery - v1.9.0

CVE-2018-3728 (High) detected in hoek-2.16.3.tgz, hoek-0.9.1.tgz

CVE-2018-3728 - High Severity Vulnerability

Vulnerable Libraries - hoek-2.16.3.tgz, hoek-0.9.1.tgz

hoek-2.16.3.tgz

General purpose node utilities

Library home page: https://registry.npmjs.org/hoek/-/hoek-2.16.3.tgz

Path to dependency file: apollo/website/package.json

Path to vulnerable library: apollo/website/node_modules/hoek/package.json

Dependency Hierarchy:

  • lingon-2.4.2.tgz (Root Library)
    • gulp-less-3.3.2.tgz
      • less-2.7.3.tgz
        • request-2.81.0.tgz
          • hawk-3.1.3.tgz
            • hoek-2.16.3.tgz (Vulnerable Library)

hoek-0.9.1.tgz

General purpose node utilities

Library home page: https://registry.npmjs.org/hoek/-/hoek-0.9.1.tgz

Path to dependency file: apollo/website/package.json

Path to vulnerable library: apollo/website/node_modules/lingon-git-deploy/node_modules/hoek/package.json

Dependency Hierarchy:

  • lingon-git-deploy-0.1.0.tgz (Root Library)
    • lingon-2.0.0.tgz
      • gulp-less-1.3.9.tgz
        • less-1.7.5.tgz
          • request-2.40.0.tgz
            • hawk-1.1.1.tgz
              • hoek-0.9.1.tgz (Vulnerable Library)

Found in HEAD commit: 69726c22434acce7b013152897cd82ea4aef2b43

Found in base branch: 1.x

Vulnerability Details

hoek node module before 4.2.0 and 5.0.x before 5.0.3 suffers from a Modification of Assumed-Immutable Data (MAID) vulnerability via the 'merge' and 'applyToDefaults' functions, which allows a malicious user to modify the prototype of "Object" via __proto__, causing the addition or modification of an existing property that will exist on all objects.

Publish Date: 2018-03-30

URL: CVE-2018-3728

CVSS 3 Score Details (8.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2018-3728

Release Date: 2018-03-30

Fix Resolution: 4.2.1,5.0.3

CVE-2020-8908 (Low) detected in guava-29.0-jre.jar

CVE-2020-8908 - Low Severity Vulnerability

Vulnerable Library - guava-29.0-jre.jar

Guava is a suite of core and expanded libraries that include utility classes, google's collections, io classes, and much much more.

Library home page: https://github.com/google/guava

Path to dependency file: apollo/apollo-extra/pom.xml

Path to vulnerable library: canner/.m2/repository/com/google/guava/guava/29.0-jre/guava-29.0-jre.jar,/home/wss-scanner/.m2/repository/com/google/guava/guava/29.0-jre/guava-29.0-jre.jar

Dependency Hierarchy:

  • guava-29.0-jre.jar (Vulnerable Library)

Found in HEAD commit: 69726c22434acce7b013152897cd82ea4aef2b43

Found in base branch: 1.x

Vulnerability Details

A temp directory creation vulnerability exists in all versions of Guava, allowing an attacker with access to the machine to potentially access data in a temporary directory created by the Guava API com.google.common.io.Files.createTempDir(). By default, on unix-like systems, the created directory is world-readable (readable by an attacker with access to the system). The method in question has been marked @deprecated in versions 30.0 and later and should not be used. For Android developers, we recommend choosing a temporary directory API provided by Android, such as context.getCacheDir(). For other Java developers, we recommend migrating to the Java 7 API java.nio.file.Files.createTempDirectory() which explicitly configures permissions of 700, or configuring the Java runtime's java.io.tmpdir system property to point to a location whose permissions are appropriately configured.

Publish Date: 2020-12-10

URL: CVE-2020-8908

CVSS 3 Score Details (3.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: None
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8908

Release Date: 2020-12-10

Fix Resolution: v30.0

CVE-2015-8315 (High) detected in ms-0.6.2.tgz

CVE-2015-8315 - High Severity Vulnerability

Vulnerable Library - ms-0.6.2.tgz

Tiny ms conversion utility

Library home page: https://registry.npmjs.org/ms/-/ms-0.6.2.tgz

Path to dependency file: apollo/website/package.json

Path to vulnerable library: apollo/website/node_modules/lingon-git-deploy/node_modules/ms/package.json

Dependency Hierarchy:

  • lingon-git-deploy-0.1.0.tgz (Root Library)
    • lingon-2.0.0.tgz
      • send-0.9.3.tgz
        • ms-0.6.2.tgz (Vulnerable Library)

Found in HEAD commit: 69726c22434acce7b013152897cd82ea4aef2b43

Found in base branch: 1.x

Vulnerability Details

The ms package before 0.7.1 for Node.js allows attackers to cause a denial of service (CPU consumption) via a long version string, aka a "regular expression denial of service (ReDoS)."

Publish Date: 2017-01-23

URL: CVE-2015-8315

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2015-8315

Release Date: 2017-01-23

Fix Resolution: 0.7.1

CVE-2018-16487 (Medium) detected in multiple libraries

CVE-2018-16487 - Medium Severity Vulnerability

Vulnerable Libraries - lodash-2.4.2.tgz, lodash-3.10.1.tgz, lodash-1.0.2.tgz

lodash-2.4.2.tgz

A utility library delivering consistency, customization, performance, & extras.

Library home page: https://registry.npmjs.org/lodash/-/lodash-2.4.2.tgz

Path to dependency file: apollo/website/package.json

Path to vulnerable library: apollo/website/node_modules/hike/node_modules/lodash/package.json

Dependency Hierarchy:

  • lingon-git-deploy-0.1.0.tgz (Root Library)
    • lingon-2.0.0.tgz
      • hike-0.1.4.tgz
        • lodash-2.4.2.tgz (Vulnerable Library)

lodash-3.10.1.tgz

The modern build of lodash modular utilities.

Library home page: https://registry.npmjs.org/lodash/-/lodash-3.10.1.tgz

Path to dependency file: apollo/website/package.json

Path to vulnerable library: apollo/website/node_modules/lodash/package.json

Dependency Hierarchy:

  • gulp-highlight-1.1.0.tgz (Root Library)
    • cheerio-0.19.0.tgz
      • lodash-3.10.1.tgz (Vulnerable Library)

lodash-1.0.2.tgz

A utility library delivering consistency, customization, performance, and extras.

Library home page: https://registry.npmjs.org/lodash/-/lodash-1.0.2.tgz

Path to dependency file: apollo/website/package.json

Path to vulnerable library: apollo/website/node_modules/glob-watcher/node_modules/lodash/package.json

Dependency Hierarchy:

  • lingon-git-deploy-0.1.0.tgz (Root Library)
    • lingon-2.0.0.tgz
      • vinyl-fs-0.3.14.tgz
        • glob-watcher-0.0.6.tgz
          • gaze-0.5.2.tgz
            • globule-0.1.0.tgz
              • lodash-1.0.2.tgz (Vulnerable Library)

Found in HEAD commit: 69726c22434acce7b013152897cd82ea4aef2b43

Found in base branch: 1.x

Vulnerability Details

A prototype pollution vulnerability was found in lodash <4.17.11 where the functions merge, mergeWith, and defaultsDeep can be tricked into adding or modifying properties of Object.prototype.

Publish Date: 2019-02-01

URL: CVE-2018-16487

CVSS 3 Score Details (5.6)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-16487

Release Date: 2019-02-01

Fix Resolution: 4.17.11

CVE-2020-7598 (Medium) detected in minimist-1.1.3.tgz

CVE-2020-7598 - Medium Severity Vulnerability

Vulnerable Library - minimist-1.1.3.tgz

parse argument options

Library home page: https://registry.npmjs.org/minimist/-/minimist-1.1.3.tgz

Path to dependency file: apollo/website/package.json

Path to vulnerable library: apollo/website/node_modules/lingon-git-deploy/node_modules/minimist/package.json

Dependency Hierarchy:

  • lingon-git-deploy-0.1.0.tgz (Root Library)
    • lingon-2.0.0.tgz
      • minimist-1.1.3.tgz (Vulnerable Library)

Found in HEAD commit: 69726c22434acce7b013152897cd82ea4aef2b43

Found in base branch: 1.x

Vulnerability Details

minimist before 1.2.2 could be tricked into adding or modifying properties of Object.prototype using a "constructor" or "__proto__" payload.

Publish Date: 2020-03-11

URL: CVE-2020-7598

CVSS 3 Score Details (5.6)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: https://github.com/substack/minimist/commit/63e7ed05aa4b1889ec2f3b196426db4500cbda94

Release Date: 2020-03-11

Fix Resolution: minimist - 0.2.1,1.2.3

WS-2018-0076 (Medium) detected in tunnel-agent-0.4.3.tgz

WS-2018-0076 - Medium Severity Vulnerability

Vulnerable Library - tunnel-agent-0.4.3.tgz

HTTP proxy tunneling agent. Formerly part of mikeal/request, now a standalone module.

Library home page: https://registry.npmjs.org/tunnel-agent/-/tunnel-agent-0.4.3.tgz

Path to dependency file: apollo/website/package.json

Path to vulnerable library: apollo/website/node_modules/lingon-git-deploy/node_modules/tunnel-agent/package.json

Dependency Hierarchy:

  • lingon-git-deploy-0.1.0.tgz (Root Library)
    • lingon-2.0.0.tgz
      • gulp-less-1.3.9.tgz
        • less-1.7.5.tgz
          • request-2.40.0.tgz
            • tunnel-agent-0.4.3.tgz (Vulnerable Library)

Found in HEAD commit: 69726c22434acce7b013152897cd82ea4aef2b43

Found in base branch: 1.x

Vulnerability Details

Versions of tunnel-agent before 0.6.0 are vulnerable to memory exposure.

This is exploitable if user supplied input is provided to the auth value and is a number.

Publish Date: 2017-03-05

URL: WS-2018-0076

CVSS 3 Score Details (5.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://nodesecurity.io/advisories/598

Release Date: 2018-01-27

Fix Resolution: 0.6.0

WS-2019-0026 (Medium) detected in marked-0.3.19.js

WS-2019-0026 - Medium Severity Vulnerability

Vulnerable Library - marked-0.3.19.js

A markdown parser built for speed

Library home page: https://cdnjs.cloudflare.com/ajax/libs/marked/0.3.19/marked.js

Path to dependency file: apollo/website/node_modules/marked/www/demo.html

Path to vulnerable library: apollo/website/node_modules/marked/www/../lib/marked.js

Dependency Hierarchy:

  • marked-0.3.19.js (Vulnerable Library)

Found in HEAD commit: 69726c22434acce7b013152897cd82ea4aef2b43

Found in base branch: 1.x

Vulnerability Details

Versions 0.3.7 and earlier of marked unescape only a lowercase 'x' in the hexadecimal form of HTML character entities, while browsers accept both lowercase and uppercase 'x'.

Publish Date: 2017-12-23

URL: WS-2019-0026

CVSS 2 Score Details (5.0)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: markedjs/marked@6d1901f

Release Date: 2019-03-17

Fix Resolution: 0.3.9

CVE-2015-1164 (Medium) detected in serve-static-1.6.5.tgz

CVE-2015-1164 - Medium Severity Vulnerability

Vulnerable Library - serve-static-1.6.5.tgz

Serve static files

Library home page: https://registry.npmjs.org/serve-static/-/serve-static-1.6.5.tgz

Path to dependency file: apollo/website/package.json

Path to vulnerable library: apollo/website/node_modules/lingon-git-deploy/node_modules/serve-static/package.json

Dependency Hierarchy:

  • lingon-git-deploy-0.1.0.tgz (Root Library)
    • lingon-2.0.0.tgz
      • express-4.9.8.tgz
        • serve-static-1.6.5.tgz (Vulnerable Library)

Found in HEAD commit: 69726c22434acce7b013152897cd82ea4aef2b43

Found in base branch: 1.x

Vulnerability Details

Open redirect vulnerability in the serve-static plugin before 1.7.2 for Node.js, when mounted at the root, allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a // (slash slash) followed by a domain in the PATH_INFO to the default URI.

Publish Date: 2015-01-21

URL: CVE-2015-1164

CVSS 2 Score Details (4.3)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2015-1164

Release Date: 2015-01-21

Fix Resolution: 1.7.2

WS-2020-0163 (Medium) detected in marked-0.3.19.tgz, marked-0.3.19.js

WS-2020-0163 - Medium Severity Vulnerability

Vulnerable Libraries - marked-0.3.19.tgz, marked-0.3.19.js

marked-0.3.19.tgz

A markdown parser built for speed

Library home page: https://registry.npmjs.org/marked/-/marked-0.3.19.tgz

Path to dependency file: apollo/website/package.json

Path to vulnerable library: apollo/website/node_modules/marked/package.json

Dependency Hierarchy:

  • lingon-2.4.2.tgz (Root Library)
    • gulp-markdown-1.2.0.tgz
      • marked-0.3.19.tgz (Vulnerable Library)

marked-0.3.19.js

A markdown parser built for speed

Library home page: https://cdnjs.cloudflare.com/ajax/libs/marked/0.3.19/marked.js

Path to dependency file: apollo/website/node_modules/marked/www/demo.html

Path to vulnerable library: apollo/website/node_modules/marked/www/../lib/marked.js

Dependency Hierarchy:

  • marked-0.3.19.js (Vulnerable Library)

Found in HEAD commit: 69726c22434acce7b013152897cd82ea4aef2b43

Found in base branch: 1.x

Vulnerability Details

marked before 1.1.1 is vulnerable to Regular Expression Denial of Service (ReDoS). rules.js has multiple unused capture groups which can lead to a Denial of Service.

Publish Date: 2020-07-02

URL: WS-2020-0163

CVSS 3 Score Details (5.9)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://github.com/markedjs/marked/releases/tag/v1.1.1

Release Date: 2020-07-02

Fix Resolution: marked - 1.1.1

CVE-2020-11023 (Medium) detected in jquery-1.7.2.min.js

CVE-2020-11023 - Medium Severity Vulnerability

Vulnerable Library - jquery-1.7.2.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.7.2/jquery.min.js

Path to dependency file: apollo/website/node_modules/js-base64/test/index.html

Path to vulnerable library: apollo/website/node_modules/js-base64/test/index.html,apollo/website/node_modules/marked/www/demo.html

Dependency Hierarchy:

  • jquery-1.7.2.min.js (Vulnerable Library)

Found in HEAD commit: 69726c22434acce7b013152897cd82ea4aef2b43

Found in base branch: 1.x

Vulnerability Details

In jQuery versions greater than or equal to 1.0.3 and before 3.5.0, passing HTML containing <option> elements from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.

Publish Date: 2020-04-29

URL: CVE-2020-11023

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11023

Release Date: 2020-04-29

Fix Resolution: jquery - 3.5.0

CVE-2017-16137 (Medium) detected in debug-2.0.0.tgz

CVE-2017-16137 - Medium Severity Vulnerability

Vulnerable Library - debug-2.0.0.tgz

small debugging utility

Library home page: https://registry.npmjs.org/debug/-/debug-2.0.0.tgz

Path to dependency file: apollo/website/package.json

Path to vulnerable library: apollo/website/node_modules/lingon-git-deploy/node_modules/debug/package.json

Dependency Hierarchy:

  • lingon-git-deploy-0.1.0.tgz (Root Library)
    • lingon-2.0.0.tgz
      • express-4.9.8.tgz
        • debug-2.0.0.tgz (Vulnerable Library)

Found in HEAD commit: 69726c22434acce7b013152897cd82ea4aef2b43

Found in base branch: 1.x

Vulnerability Details

The debug module is vulnerable to regular expression denial of service when untrusted user input is passed into the %o formatter. It takes around 50k characters to block for 2 seconds, making this a low severity issue.

Publish Date: 2018-06-07

URL: CVE-2017-16137

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-16137

Release Date: 2018-06-07

Fix Resolution: 2.6.9

CVE-2016-10540 (High) detected in multiple libraries

CVE-2016-10540 - High Severity Vulnerability

Vulnerable Libraries - minimatch-2.0.10.tgz, minimatch-0.3.0.tgz, minimatch-0.2.14.tgz

minimatch-2.0.10.tgz

a glob matcher in javascript

Library home page: https://registry.npmjs.org/minimatch/-/minimatch-2.0.10.tgz

Path to dependency file: apollo/website/package.json

Path to vulnerable library: apollo/website/node_modules/lingon-git-deploy/node_modules/glob-stream/node_modules/minimatch/package.json

Dependency Hierarchy:

  • lingon-git-deploy-0.1.0.tgz (Root Library)
    • lingon-2.0.0.tgz
      • vinyl-fs-0.3.14.tgz
        • glob-stream-3.1.18.tgz
          • minimatch-2.0.10.tgz (Vulnerable Library)

minimatch-0.3.0.tgz

a glob matcher in javascript

Library home page: https://registry.npmjs.org/minimatch/-/minimatch-0.3.0.tgz

Path to dependency file: apollo/website/package.json

Path to vulnerable library: apollo/website/node_modules/lingon-git-deploy/node_modules/glob/node_modules/minimatch/package.json

Dependency Hierarchy:

  • lingon-git-deploy-0.1.0.tgz (Root Library)
    • lingon-2.0.0.tgz
      • tape-2.14.1.tgz
        • glob-3.2.11.tgz
          • minimatch-0.3.0.tgz (Vulnerable Library)

minimatch-0.2.14.tgz

a glob matcher in javascript

Library home page: https://registry.npmjs.org/minimatch/-/minimatch-0.2.14.tgz

Path to dependency file: apollo/website/package.json

Path to vulnerable library: apollo/website/node_modules/lingon-git-deploy/node_modules/minimatch/package.json,apollo/website/node_modules/glob-watcher/node_modules/minimatch/package.json

Dependency Hierarchy:

  • lingon-git-deploy-0.1.0.tgz (Root Library)
    • lingon-2.0.0.tgz
      • minimatch-0.2.14.tgz (Vulnerable Library)

Found in HEAD commit: 69726c22434acce7b013152897cd82ea4aef2b43

Found in base branch: 1.x

Vulnerability Details

Minimatch is a minimal matching utility that works by converting glob expressions into JavaScript RegExp objects. The primary function, minimatch(path, pattern) in Minimatch 3.0.1 and earlier is vulnerable to ReDoS in the pattern parameter.

Publish Date: 2018-05-31

URL: CVE-2016-10540

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://nodesecurity.io/advisories/118

Release Date: 2016-06-20

Fix Resolution: Update to version 3.0.2 or later.

CVE-2015-9251 (Medium) detected in jquery-1.7.2.min.js

CVE-2015-9251 - Medium Severity Vulnerability

Vulnerable Library - jquery-1.7.2.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.7.2/jquery.min.js

Path to dependency file: apollo/website/node_modules/js-base64/test/index.html

Path to vulnerable library: apollo/website/node_modules/js-base64/test/index.html,apollo/website/node_modules/marked/www/demo.html

Dependency Hierarchy:

  • jquery-1.7.2.min.js (Vulnerable Library)

Found in HEAD commit: 69726c22434acce7b013152897cd82ea4aef2b43

Found in base branch: 1.x

Vulnerability Details

jQuery before 3.0.0 is vulnerable to Cross-site Scripting (XSS) attacks when a cross-domain Ajax request is performed without the dataType option, causing text/javascript responses to be executed.

Publish Date: 2018-01-18

URL: CVE-2015-9251

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2015-9251

Release Date: 2018-01-18

Fix Resolution: jQuery - v3.0.0

WS-2019-0017 (Medium) detected in clean-css-2.2.23.tgz

WS-2019-0017 - Medium Severity Vulnerability

Vulnerable Library - clean-css-2.2.23.tgz

A well-tested CSS minifier

Library home page: https://registry.npmjs.org/clean-css/-/clean-css-2.2.23.tgz

Path to dependency file: apollo/website/package.json

Path to vulnerable library: apollo/website/node_modules/clean-css/package.json

Dependency Hierarchy:

  • lingon-git-deploy-0.1.0.tgz (Root Library)
    • lingon-2.0.0.tgz
      • gulp-less-1.3.9.tgz
        • less-1.7.5.tgz
          • clean-css-2.2.23.tgz (Vulnerable Library)

Found in HEAD commit: 69726c22434acce7b013152897cd82ea4aef2b43

Found in base branch: 1.x

Vulnerability Details

Versions of clean-css prior to 4.1.11 are vulnerable to Regular Expression Denial of Service (ReDoS). Untrusted input may cause catastrophic backtracking while matching regular expressions. This can cause the application to become unresponsive, leading to Denial of Service.

Publish Date: 2018-03-06

URL: WS-2019-0017

CVSS 2 Score Details (5.0)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/785

Release Date: 2019-02-21

Fix Resolution: v4.1.11

CVE-2018-3721 (Medium) detected in multiple libraries

CVE-2018-3721 - Medium Severity Vulnerability

Vulnerable Libraries - lodash-1.0.2.tgz, lodash-3.10.1.tgz, lodash-2.4.2.tgz

lodash-1.0.2.tgz

A utility library delivering consistency, customization, performance, and extras.

Library home page: https://registry.npmjs.org/lodash/-/lodash-1.0.2.tgz

Path to dependency file: apollo/website/package.json

Path to vulnerable library: apollo/website/node_modules/glob-watcher/node_modules/lodash/package.json

Dependency Hierarchy:

  • lingon-git-deploy-0.1.0.tgz (Root Library)
    • lingon-2.0.0.tgz
      • vinyl-fs-0.3.14.tgz
        • glob-watcher-0.0.6.tgz
          • gaze-0.5.2.tgz
            • globule-0.1.0.tgz
              • lodash-1.0.2.tgz (Vulnerable Library)

lodash-3.10.1.tgz

The modern build of lodash modular utilities.

Library home page: https://registry.npmjs.org/lodash/-/lodash-3.10.1.tgz

Path to dependency file: apollo/website/package.json

Path to vulnerable library: apollo/website/node_modules/lodash/package.json

Dependency Hierarchy:

  • gulp-highlight-1.1.0.tgz (Root Library)
    • cheerio-0.19.0.tgz
      • lodash-3.10.1.tgz (Vulnerable Library)

lodash-2.4.2.tgz

A utility library delivering consistency, customization, performance, & extras.

Library home page: https://registry.npmjs.org/lodash/-/lodash-2.4.2.tgz

Path to dependency file: apollo/website/package.json

Path to vulnerable library: apollo/website/node_modules/hike/node_modules/lodash/package.json

Dependency Hierarchy:

  • lingon-git-deploy-0.1.0.tgz (Root Library)
    • lingon-2.0.0.tgz
      • hike-0.1.4.tgz
        • lodash-2.4.2.tgz (Vulnerable Library)

Found in HEAD commit: 69726c22434acce7b013152897cd82ea4aef2b43

Found in base branch: 1.x

Vulnerability Details

lodash node module before 4.17.5 suffers from a Modification of Assumed-Immutable Data (MAID) vulnerability via the defaultsDeep, merge, and mergeWith functions, which allows a malicious user to modify the prototype of "Object" via __proto__, causing the addition or modification of an existing property that will exist on all objects.

Publish Date: 2018-06-07

URL: CVE-2018-3721

CVSS 3 Score Details (6.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: High
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2018-3721

Release Date: 2018-06-07

Fix Resolution: 4.17.5

WS-2019-0025 (Medium) detected in marked-0.3.19.js

WS-2019-0025 - Medium Severity Vulnerability

Vulnerable Library - marked-0.3.19.js

A markdown parser built for speed

Library home page: https://cdnjs.cloudflare.com/ajax/libs/marked/0.3.19/marked.js

Path to dependency file: apollo/website/node_modules/marked/www/demo.html

Path to vulnerable library: apollo/website/node_modules/marked/www/../lib/marked.js

Dependency Hierarchy:

  • marked-0.3.19.js (Vulnerable Library)

Found in HEAD commit: 69726c22434acce7b013152897cd82ea4aef2b43

Found in base branch: 1.x

Vulnerability Details

In versions 0.3.7 and earlier of marked, when mangling is disabled via the mangle option, the target href is not escaped. This allows an attacker to inject arbitrary HTML event attributes into the resulting a tag.

Publish Date: 2017-12-23

URL: WS-2019-0025

CVSS 2 Score Details (5.0)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: markedjs/marked@cb72584

Release Date: 2019-03-17

Fix Resolution: 0.3.9

WS-2017-0247 (Low) detected in ms-0.6.2.tgz

WS-2017-0247 - Low Severity Vulnerability

Vulnerable Library - ms-0.6.2.tgz

Tiny ms conversion utility

Library home page: https://registry.npmjs.org/ms/-/ms-0.6.2.tgz

Path to dependency file: apollo/website/package.json

Path to vulnerable library: apollo/website/node_modules/lingon-git-deploy/node_modules/ms/package.json

Dependency Hierarchy:

  • lingon-git-deploy-0.1.0.tgz (Root Library)
    • lingon-2.0.0.tgz
      • send-0.9.3.tgz
        • ms-0.6.2.tgz (Vulnerable Library)

Found in HEAD commit: 69726c22434acce7b013152897cd82ea4aef2b43

Found in base branch: 1.x

Vulnerability Details

Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS).

Publish Date: 2017-04-12

URL: WS-2017-0247

CVSS 2 Score Details (3.4)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: vercel/ms#89

Release Date: 2017-04-12

Fix Resolution: 2.1.1

WS-2018-0628 (Medium) detected in marked-0.3.19.js, marked-0.3.19.tgz

WS-2018-0628 - Medium Severity Vulnerability

Vulnerable Libraries - marked-0.3.19.js, marked-0.3.19.tgz

marked-0.3.19.js

A markdown parser built for speed

Library home page: https://cdnjs.cloudflare.com/ajax/libs/marked/0.3.19/marked.js

Path to dependency file: apollo/website/node_modules/marked/www/demo.html

Path to vulnerable library: apollo/website/node_modules/marked/www/../lib/marked.js

Dependency Hierarchy:

  • marked-0.3.19.js (Vulnerable Library)

marked-0.3.19.tgz

A markdown parser built for speed

Library home page: https://registry.npmjs.org/marked/-/marked-0.3.19.tgz

Path to dependency file: apollo/website/package.json

Path to vulnerable library: apollo/website/node_modules/marked/package.json

Dependency Hierarchy:

  • lingon-2.4.2.tgz (Root Library)
    • gulp-markdown-1.2.0.tgz
      • marked-0.3.19.tgz (Vulnerable Library)

Found in HEAD commit: 69726c22434acce7b013152897cd82ea4aef2b43

Found in base branch: 1.x

Vulnerability Details

marked before 0.4.0 is vulnerable to Regular Expression Denial of Service (REDoS) through heading in marked.js.

Publish Date: 2018-04-16

URL: WS-2018-0628

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: https://github.com/markedjs/marked/releases/tag/0.4.0

Release Date: 2018-04-16

Fix Resolution: marked - 0.4.0

CVE-2021-23337 (High) detected in multiple libraries

CVE-2021-23337 - High Severity Vulnerability

Vulnerable Libraries - lodash-1.0.2.tgz, lodash-2.4.2.tgz, lodash-3.10.1.tgz

lodash-1.0.2.tgz

A utility library delivering consistency, customization, performance, and extras.

Library home page: https://registry.npmjs.org/lodash/-/lodash-1.0.2.tgz

Path to dependency file: apollo/website/package.json

Path to vulnerable library: apollo/website/node_modules/glob-watcher/node_modules/lodash/package.json

Dependency Hierarchy:

  • lingon-git-deploy-0.1.0.tgz (Root Library)
    • lingon-2.0.0.tgz
      • vinyl-fs-0.3.14.tgz
        • glob-watcher-0.0.6.tgz
          • gaze-0.5.2.tgz
            • globule-0.1.0.tgz
              • lodash-1.0.2.tgz (Vulnerable Library)

lodash-2.4.2.tgz

A utility library delivering consistency, customization, performance, & extras.

Library home page: https://registry.npmjs.org/lodash/-/lodash-2.4.2.tgz

Path to dependency file: apollo/website/package.json

Path to vulnerable library: apollo/website/node_modules/hike/node_modules/lodash/package.json

Dependency Hierarchy:

  • lingon-git-deploy-0.1.0.tgz (Root Library)
    • lingon-2.0.0.tgz
      • hike-0.1.4.tgz
        • lodash-2.4.2.tgz (Vulnerable Library)

lodash-3.10.1.tgz

The modern build of lodash modular utilities.

Library home page: https://registry.npmjs.org/lodash/-/lodash-3.10.1.tgz

Path to dependency file: apollo/website/package.json

Path to vulnerable library: apollo/website/node_modules/lodash/package.json

Dependency Hierarchy:

  • gulp-highlight-1.1.0.tgz (Root Library)
    • cheerio-0.19.0.tgz
      • lodash-3.10.1.tgz (Vulnerable Library)

Found in HEAD commit: 69726c22434acce7b013152897cd82ea4aef2b43

Found in base branch: 1.x

Vulnerability Details

Lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function.

Publish Date: 2021-02-15

URL: CVE-2021-23337

CVSS 3 Score Details (7.2)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: High
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: lodash/lodash@3469357

Release Date: 2021-02-15

Fix Resolution: lodash - 4.17.21

CVE-2021-33587 (Medium) detected in css-what-1.0.0.tgz

CVE-2021-33587 - Medium Severity Vulnerability

Vulnerable Library - css-what-1.0.0.tgz

a CSS selector parser

Library home page: https://registry.npmjs.org/css-what/-/css-what-1.0.0.tgz

Path to dependency file: apollo/website/package.json

Path to vulnerable library: apollo/website/node_modules/css-what/package.json

Dependency Hierarchy:

  • gulp-highlight-1.1.0.tgz (Root Library)
    • cheerio-0.19.0.tgz
      • css-select-1.0.0.tgz
        • css-what-1.0.0.tgz (Vulnerable Library)

Found in base branch: 1.x

Vulnerability Details

The css-what package before 5.0.1 for Node.js does not ensure that attribute parsing has Linear Time Complexity relative to the size of the input.

Publish Date: 2021-05-28

URL: CVE-2021-33587

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: Low
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33587

Release Date: 2021-05-28

Fix Resolution: css-what - 5.0.1

WS-2019-0027 (Medium) detected in marked-0.3.19.js

WS-2019-0027 - Medium Severity Vulnerability

Vulnerable Library - marked-0.3.19.js

A markdown parser built for speed

Library home page: https://cdnjs.cloudflare.com/ajax/libs/marked/0.3.19/marked.js

Path to dependency file: apollo/website/node_modules/marked/www/demo.html

Path to vulnerable library: apollo/website/node_modules/marked/www/../lib/marked.js

Dependency Hierarchy:

  • marked-0.3.19.js (Vulnerable Library)

Found in HEAD commit: 69726c22434acce7b013152897cd82ea4aef2b43

Found in base branch: 1.x

Vulnerability Details

Versions 0.3.17 and earlier of marked contain four regexes that are vulnerable to catastrophic backtracking. This leaves markdown servers open to a potential ReDoS attack.

Publish Date: 2018-02-26

URL: WS-2019-0027

CVSS 2 Score Details (5.0)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: markedjs/marked@b15e42b

Release Date: 2019-03-17

Fix Resolution: 0.3.18

CVE-2020-28500 (Medium) detected in multiple libraries - autoclosed

CVE-2020-28500 - Medium Severity Vulnerability

Vulnerable Libraries - lodash-2.4.2.tgz, lodash-3.10.1.tgz, lodash-1.0.2.tgz

lodash-2.4.2.tgz

A utility library delivering consistency, customization, performance, & extras.

Library home page: https://registry.npmjs.org/lodash/-/lodash-2.4.2.tgz

Path to dependency file: apollo/website/package.json

Path to vulnerable library: apollo/website/node_modules/hike/node_modules/lodash/package.json

Dependency Hierarchy:

  • lingon-git-deploy-0.1.0.tgz (Root Library)
    • lingon-2.0.0.tgz
      • hike-0.1.4.tgz
        • lodash-2.4.2.tgz (Vulnerable Library)

lodash-3.10.1.tgz

The modern build of lodash modular utilities.

Library home page: https://registry.npmjs.org/lodash/-/lodash-3.10.1.tgz

Path to dependency file: apollo/website/package.json

Path to vulnerable library: apollo/website/node_modules/lodash/package.json

Dependency Hierarchy:

  • gulp-highlight-1.1.0.tgz (Root Library)
    • cheerio-0.19.0.tgz
      • lodash-3.10.1.tgz (Vulnerable Library)

lodash-1.0.2.tgz

A utility library delivering consistency, customization, performance, and extras.

Library home page: https://registry.npmjs.org/lodash/-/lodash-1.0.2.tgz

Path to dependency file: apollo/website/package.json

Path to vulnerable library: apollo/website/node_modules/glob-watcher/node_modules/lodash/package.json

Dependency Hierarchy:

  • lingon-git-deploy-0.1.0.tgz (Root Library)
    • lingon-2.0.0.tgz
      • vinyl-fs-0.3.14.tgz
        • glob-watcher-0.0.6.tgz
          • gaze-0.5.2.tgz
            • globule-0.1.0.tgz
              • lodash-1.0.2.tgz (Vulnerable Library)

Found in HEAD commit: 69726c22434acce7b013152897cd82ea4aef2b43

Found in base branch: 1.x

Vulnerability Details

All versions of package lodash and all versions of package org.fujion.webjars:lodash are vulnerable to Regular Expression Denial of Service (ReDoS) via the toNumber, trim and trimEnd functions. Steps to reproduce (provided by reporter Liyuan Chen):

    var lo = require('lodash');
    function build_blank (n) { var ret = "1"; for (var i = 0; i < n; i++) { ret += " " } return ret + "1"; }
    var s = build_blank(50000)
    var time0 = Date.now(); lo.trim(s)
    var time_cost0 = Date.now() - time0; console.log("time_cost0: " + time_cost0)
    var time1 = Date.now(); lo.toNumber(s)
    var time_cost1 = Date.now() - time1; console.log("time_cost1: " + time_cost1)
    var time2 = Date.now(); lo.trimEnd(s)
    var time_cost2 = Date.now() - time2; console.log("time_cost2: " + time_cost2)

Publish Date: 2021-02-15

URL: CVE-2020-28500

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: lodash/lodash@02906b8

Release Date: 2021-02-15

Fix Resolution: lodash - 4.17.21

WS-2019-0169 (Medium) detected in marked-0.3.19.tgz, marked-0.3.19.js

WS-2019-0169 - Medium Severity Vulnerability

Vulnerable Libraries - marked-0.3.19.tgz, marked-0.3.19.js

marked-0.3.19.tgz

A markdown parser built for speed

Library home page: https://registry.npmjs.org/marked/-/marked-0.3.19.tgz

Path to dependency file: apollo/website/package.json

Path to vulnerable library: apollo/website/node_modules/marked/package.json

Dependency Hierarchy:

  • lingon-2.4.2.tgz (Root Library)
    • gulp-markdown-1.2.0.tgz
      • marked-0.3.19.tgz (Vulnerable Library)

marked-0.3.19.js

A markdown parser built for speed

Library home page: https://cdnjs.cloudflare.com/ajax/libs/marked/0.3.19/marked.js

Path to dependency file: apollo/website/node_modules/marked/www/demo.html

Path to vulnerable library: apollo/website/node_modules/marked/www/../lib/marked.js

Dependency Hierarchy:

  • marked-0.3.19.js (Vulnerable Library)

Found in HEAD commit: 69726c22434acce7b013152897cd82ea4aef2b43

Found in base branch: 1.x

Vulnerability Details

marked versions >0.3.14 and <0.6.2 have a Regular Expression Denial of Service vulnerability: email addresses may be evaluated in quadratic time, allowing attackers to potentially crash the node process through resource exhaustion.

Publish Date: 2019-04-03

URL: WS-2019-0169

CVSS 2 Score Details (5.0)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/812

Release Date: 2019-07-15

Fix Resolution: 0.6.2

CVE-2021-23382 (Medium) detected in postcss-4.1.16.tgz

CVE-2021-23382 - Medium Severity Vulnerability

Vulnerable Library - postcss-4.1.16.tgz

Tool for transforming CSS with JS plugins

Library home page: https://registry.npmjs.org/postcss/-/postcss-4.1.16.tgz

Path to dependency file: apollo/website/package.json

Path to vulnerable library: apollo/website/node_modules/postcss/package.json

Dependency Hierarchy:

  • gulp-autoprefixer-2.3.1.tgz (Root Library)
    • postcss-4.1.16.tgz (Vulnerable Library)

Found in base branch: 1.x

Vulnerability Details

The postcss package before 8.2.13 is vulnerable to Regular Expression Denial of Service (ReDoS) via getAnnotationURL() and loadAnnotation() in lib/previous-map.js. The vulnerable regexes are caused mainly by the sub-pattern /*\s* sourceMappingURL=(.*).

Publish Date: 2021-04-26

URL: CVE-2021-23382

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23382

Release Date: 2021-04-26

Fix Resolution: postcss - 8.2.13

CVE-2021-23343 (High) detected in path-parse-1.0.6.tgz

CVE-2021-23343 - High Severity Vulnerability

Vulnerable Library - path-parse-1.0.6.tgz

Node.js path.parse() ponyfill

Library home page: https://registry.npmjs.org/path-parse/-/path-parse-1.0.6.tgz

Path to dependency file: apollo/website/package.json

Path to vulnerable library: apollo/website/node_modules/path-parse/package.json

Dependency Hierarchy:

  • lingon-2.4.2.tgz (Root Library)
    • gulp-less-3.3.2.tgz
      • accord-0.27.3.tgz
        • resolve-1.20.0.tgz
          • path-parse-1.0.6.tgz (Vulnerable Library)

Found in base branch: 1.x

Vulnerability Details

All versions of package path-parse are vulnerable to Regular Expression Denial of Service (ReDoS) via splitDeviceRe, splitTailRe, and splitPathRe regular expressions. ReDoS exhibits polynomial worst-case time complexity.

Publish Date: 2021-05-04

URL: CVE-2021-23343

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: jbgutierrez/path-parse#8

Release Date: 2021-05-04

Fix Resolution: path-parse - 1.0.7

CVE-2017-16119 (High) detected in fresh-0.2.4.tgz

CVE-2017-16119 - High Severity Vulnerability

Vulnerable Library - fresh-0.2.4.tgz

HTTP response freshness testing

Library home page: https://registry.npmjs.org/fresh/-/fresh-0.2.4.tgz

Path to dependency file: apollo/website/package.json

Path to vulnerable library: apollo/website/node_modules/lingon-git-deploy/node_modules/fresh/package.json

Dependency Hierarchy:

  • lingon-git-deploy-0.1.0.tgz (Root Library)
    • lingon-2.0.0.tgz
      • express-4.9.8.tgz
        • fresh-0.2.4.tgz (Vulnerable Library)

Found in HEAD commit: 69726c22434acce7b013152897cd82ea4aef2b43

Found in base branch: 1.x

Vulnerability Details

Fresh is a module used by the Express.js framework for HTTP response freshness testing. It is vulnerable to a regular expression denial of service when it is passed specially crafted input to parse. This causes the event loop to be blocked causing a denial of service condition.

Publish Date: 2018-06-07

URL: CVE-2017-16119

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/526

Release Date: 2018-06-07

Fix Resolution: fresh - 0.5.2

CVE-2017-16026 (Medium) detected in request-2.40.0.tgz

CVE-2017-16026 - Medium Severity Vulnerability

Vulnerable Library - request-2.40.0.tgz

Simplified HTTP request client.

Library home page: https://registry.npmjs.org/request/-/request-2.40.0.tgz

Path to dependency file: apollo/website/package.json

Path to vulnerable library: apollo/website/node_modules/lingon-git-deploy/node_modules/request/package.json

Dependency Hierarchy:

  • lingon-git-deploy-0.1.0.tgz (Root Library)
    • lingon-2.0.0.tgz
      • gulp-less-1.3.9.tgz
        • less-1.7.5.tgz
          • request-2.40.0.tgz (Vulnerable Library)

Found in HEAD commit: 69726c22434acce7b013152897cd82ea4aef2b43

Found in base branch: 1.x

Vulnerability Details

Request is an http client. If a request is made using multipart, and the body type is a number, then the specified number of non-zero memory is passed in the body. This affects Request >=2.2.6 <2.47.0 || >2.51.0 <=2.67.0.

Publish Date: 2018-06-04

URL: CVE-2017-16026

CVSS 3 Score Details (5.9)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2017-16026

Release Date: 2018-06-04

Fix Resolution: 2.47.1,2.67.1
