Git Product home page Git Product logo

fileextension's Introduction

FileExtension

GitHub repo Questions at StackOverflow Ask a question at StackOverflow Community discussions License codecov Nuget .NET Docs Maintainability Rating

What it does

This project helps you to see that a file has the correct extension

What it recognize

There are 344 extensions of files ( 16 tested) . See https://fileextension.readthedocs.io/en/latest/BDD/LightBDDReport/

Please help by making a PR by adding files to https://github.com/ignatandrei/FileExtension/tree/master/src/TestFileExtensions/TestFiles

How to use it

Demo online: https://fileextension.azurewebsites.net/swagger/index.html

NuGet Package: Nuget

Simple use

.NET / C#

Add a reference to Nuget ,

var r = new RecognizerPlugin.RecognizePlugins();
//foreach (var item in r.AllExtensions())
//{
//    Console.WriteLine(item);
//}
//find the sln on the path
string file = FindSlnToBeRecognized();
//found sln, now recognize
var byts = await File.ReadAllBytesAsync(file);

//find short way - directly
var foundDirectly = r.Is_SLN(byts);
Console.WriteLine($"file {file} is recognized {foundDirectly}");
// or long way
//find extension
var fileExtension = Path.GetExtension(file);
// find if there is a recognizer for the extension
var canRecognize = r.CanRecognizeExtension(fileExtension);
Console.WriteLine($"file {file} can be  recognized {canRecognize}");
if (canRecognize)
{
	//now see if the content matches the bytes
	var found = r.RecognizeTheFile(byts, fileExtension);
	Console.Write($"file {file} is recognized {found}");
}

Angular / TypeScript

For calling the service , please see https://github.com/ignatandrei/FileExtension/blob/master/src/FileExtensionAng/src/app/services/FileExtv1.service.ts

For a component, please see https://github.com/ignatandrei/FileExtension/tree/master/src/FileExtensionAng/src/app/file-ext-v1

Contributors ✨

Thanks goes to these wonderful people (emoji key):


Andrei Ignat
⚠️ 💻

This project follows the all-contributors specification. Contributions of any kind welcome!

Links

Licence

The code in this project is licensed under MIT license.

fileextension's People

Contributors

ignatandrei avatar imgbotapp avatar mend-bolt-for-github[bot] avatar

Stargazers

avatar

Watchers

avatar avatar

Forkers

bubdm

fileextension's Issues

CVE-2022-21676 (High) detected in engine.io-4.1.1.tgz

CVE-2022-21676 - High Severity Vulnerability

Vulnerable Library - engine.io-4.1.1.tgz

The realtime engine behind Socket.IO. Provides the foundation of a bidirectional connection between client and server

Library home page: https://registry.npmjs.org/engine.io/-/engine.io-4.1.1.tgz

Path to dependency file: /src/FileExtensionAng/package.json

Path to vulnerable library: /src/FileExtensionAng/node_modules/engine.io/package.json

Dependency Hierarchy:

  • karma-6.3.4.tgz (Root Library)
    • socket.io-3.1.2.tgz
      • engine.io-4.1.1.tgz (Vulnerable Library)

Found in base branch: master

Vulnerability Details

Engine.IO is the implementation of transport-based cross-browser/cross-device bi-directional communication layer for Socket.IO. A specially crafted HTTP request can trigger an uncaught exception on the Engine.IO server, thus killing the Node.js process. This impacts all the users of the engine.io package starting from version 4.0.0, including those who uses depending packages like socket.io. Versions prior to 4.0.0 are not impacted. A fix has been released for each major branch, namely 4.1.2 for the 4.x.x branch, 5.2.1 for the 5.x.x branch, and 6.1.1 for the 6.x.x branch. There is no known workaround except upgrading to a safe version.

Publish Date: 2022-01-12

URL: CVE-2022-21676

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-273r-mgr4-v34f

Release Date: 2022-01-12

Fix Resolution (engine.io): 4.1.2

Direct dependency fix Resolution (karma): 6.3.5

Step up your Open Source Security Game with Mend here

Weekly Digest (5 July, 2020 - 12 July, 2020)

Here's the Weekly Digest for ignatandrei/FileExtension:

ISSUES

Last week, no issues were created.

PULL REQUESTS

Last week, no pull requests were created, updated or merged.

COMMITS

Last week there were no commits.

CONTRIBUTORS

Last week there were no contributors.

STARGAZERS

Last week there were no stargazers.

RELEASES

Last week there were no releases.

That's all for last week, please 👀 Watch and Star the repository ignatandrei/FileExtension to receive next weekly updates. 😃

You can also view all Weekly Digests by clicking here.

Your Weekly Digest bot. 📆

CVE-2022-24771 (High) detected in node-forge-0.10.0.tgz

CVE-2022-24771 - High Severity Vulnerability

Vulnerable Library - node-forge-0.10.0.tgz

JavaScript implementations of network transports, cryptography, ciphers, PKI, message digests, and various utilities.

Library home page: https://registry.npmjs.org/node-forge/-/node-forge-0.10.0.tgz

Path to dependency file: /src/FileExtensionAng/package.json

Path to vulnerable library: /src/FileExtensionAng/node_modules/node-forge/package.json

Dependency Hierarchy:

  • build-angular-12.2.1.tgz (Root Library)
    • webpack-dev-server-3.11.2.tgz
      • selfsigned-1.10.11.tgz
        • node-forge-0.10.0.tgz (Vulnerable Library)

Found in base branch: master

Vulnerability Details

Forge (also called node-forge) is a native implementation of Transport Layer Security in JavaScript. Prior to version 1.3.0, RSA PKCS#1 v1.5 signature verification code is lenient in checking the digest algorithm structure. This can allow a crafted structure that steals padding bytes and uses unchecked portion of the PKCS#1 encoded message to forge a signature when a low public exponent is being used. The issue has been addressed in node-forge version 1.3.0. There are currently no known workarounds.

Publish Date: 2022-03-18

URL: CVE-2022-24771

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: High
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24771

Release Date: 2022-03-18

Fix Resolution (node-forge): 1.3.0

Direct dependency fix Resolution (@angular-devkit/build-angular): 13.2.1

Step up your Open Source Security Game with Mend here

CVE-2017-0249 (High) detected in system.net.http.4.3.0.nupkg - autoclosed

CVE-2017-0249 - High Severity Vulnerability

Vulnerable Library - system.net.http.4.3.0.nupkg

Provides a programming interface for modern HTTP applications, including HTTP client components that...

Library home page: https://api.nuget.org/packages/system.net.http.4.3.0.nupkg

Path to dependency file: /src/TestFileExtensions/TestFileExtensions.csproj

Path to vulnerable library: /usr/share/dotnet/sdk/NuGetFallbackFolder/system.net.http/4.3.0/system.net.http.4.3.0.nupkg

Dependency Hierarchy:

  • lightbdd.xunit2.3.3.0.nupkg (Root Library)
    • xunit.2.4.1.nupkg
      • xunit.assert.2.4.1.nupkg
        • netstandard.library.1.6.1.nupkg
          • system.net.http.4.3.0.nupkg (Vulnerable Library)

Found in base branch: master

Vulnerability Details

An elevation of privilege vulnerability exists when the ASP.NET Core fails to properly sanitize web requests.

Publish Date: 2017-05-12

URL: CVE-2017-0249

CVSS 3 Score Details (7.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2017-05-12

Fix Resolution: System.Text.Encodings.Web - 4.0.1,4.3.1;System.Net.Http - 4.1.2,4.3.2;System.Net.Http.WinHttpHandler - 4.0.2,4.3.1;System.Net.Security - 4.0.1,4.3.1;System.Net.WebSockets.Client - 4.0.1,4.3.1;Microsoft.AspNetCore.Mvc - 1.0.4,1.1.3;Microsoft.AspNetCore.Mvc.Core - 1.0.4,1.1.3;Microsoft.AspNetCore.Mvc.Abstractions - 1.0.4,1.1.3;Microsoft.AspNetCore.Mvc.ApiExplorer - 1.0.4,1.1.3;Microsoft.AspNetCore.Mvc.Cors - 1.0.4,1.1.3;Microsoft.AspNetCore.Mvc.DataAnnotations - 1.0.4,1.1.3;Microsoft.AspNetCore.Mvc.Formatters.Json - 1.0.4,1.1.3;Microsoft.AspNetCore.Mvc.Formatters.Xml - 1.0.4,1.1.3;Microsoft.AspNetCore.Mvc.Localization - 1.0.4,1.1.3;Microsoft.AspNetCore.Mvc.Razor.Host - 1.0.4,1.1.3;Microsoft.AspNetCore.Mvc.Razor - 1.0.4,1.1.3;Microsoft.AspNetCore.Mvc.TagHelpers - 1.0.4,1.1.3;Microsoft.AspNetCore.Mvc.ViewFeatures - 1.0.4,1.1.3;Microsoft.AspNetCore.Mvc.WebApiCompatShim - 1.0.4,1.1.3

Step up your Open Source Security Game with Mend here

CVE-2021-3807 (High) detected in multiple libraries

CVE-2021-3807 - High Severity Vulnerability

Vulnerable Libraries - ansi-regex-4.1.0.tgz, ansi-regex-3.0.0.tgz, ansi-regex-5.0.0.tgz

ansi-regex-4.1.0.tgz

Regular expression for matching ANSI escape codes

Library home page: https://registry.npmjs.org/ansi-regex/-/ansi-regex-4.1.0.tgz

Path to dependency file: FileExtension/src/FileExtensionAng/package.json

Path to vulnerable library: FileExtension/src/FileExtensionAng/node_modules/webpack-dev-server/node_modules/string-width/node_modules/ansi-regex/package.json,FileExtension/src/FileExtensionAng/node_modules/webpack-dev-server/node_modules/cliui/node_modules/ansi-regex/package.json,FileExtension/src/FileExtensionAng/node_modules/webpack-dev-server/node_modules/wrap-ansi/node_modules/ansi-regex/package.json

Dependency Hierarchy:

  • build-angular-12.2.1.tgz (Root Library)
    • webpack-dev-server-3.11.2.tgz
      • yargs-13.3.2.tgz
        • string-width-3.1.0.tgz
          • strip-ansi-5.2.0.tgz
            • ansi-regex-4.1.0.tgz (Vulnerable Library)
ansi-regex-3.0.0.tgz

Regular expression for matching ANSI escape codes

Library home page: https://registry.npmjs.org/ansi-regex/-/ansi-regex-3.0.0.tgz

Path to dependency file: FileExtension/src/FileExtensionAng/package.json

Path to vulnerable library: FileExtension/src/FileExtensionAng/node_modules/wide-align/node_modules/ansi-regex/package.json

Dependency Hierarchy:

  • cli-12.2.1.tgz (Root Library)
    • pacote-11.3.5.tgz
      • run-script-1.8.5.tgz
        • node-gyp-7.1.2.tgz
          • npmlog-4.1.2.tgz
            • gauge-2.7.4.tgz
              • wide-align-1.1.3.tgz
                • string-width-2.1.1.tgz
                  • strip-ansi-4.0.0.tgz
                    • ansi-regex-3.0.0.tgz (Vulnerable Library)
ansi-regex-5.0.0.tgz

Regular expression for matching ANSI escape codes

Library home page: https://registry.npmjs.org/ansi-regex/-/ansi-regex-5.0.0.tgz

Path to dependency file: FileExtension/src/FileExtensionAng/package.json

Path to vulnerable library: FileExtension/src/FileExtensionAng/node_modules/ansi-regex/package.json

Dependency Hierarchy:

  • build-angular-12.2.1.tgz (Root Library)
    • inquirer-8.1.2.tgz
      • strip-ansi-6.0.0.tgz
        • ansi-regex-5.0.0.tgz (Vulnerable Library)

Found in HEAD commit: ef3d25226e07f223157b24c1d379ee96839ae669

Found in base branch: master

Vulnerability Details

ansi-regex is vulnerable to Inefficient Regular Expression Complexity

Publish Date: 2021-09-17

URL: CVE-2021-3807

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://huntr.dev/bounties/5b3cf33b-ede0-4398-9974-800876dfd994/

Release Date: 2021-09-17

Fix Resolution: ansi-regex - 5.0.1,6.0.1

Step up your Open Source Security Game with WhiteSource here

CVE-2022-37599 (High) detected in loader-utils-2.0.0.tgz

CVE-2022-37599 - High Severity Vulnerability

Vulnerable Library - loader-utils-2.0.0.tgz

utils for webpack loaders

Library home page: https://registry.npmjs.org/loader-utils/-/loader-utils-2.0.0.tgz

Path to dependency file: /src/FileExtensionAng/package.json

Path to vulnerable library: /src/FileExtensionAng/node_modules/loader-utils/package.json

Dependency Hierarchy:

  • build-angular-12.2.1.tgz (Root Library)
    • loader-utils-2.0.0.tgz (Vulnerable Library)

Found in HEAD commit: ef3d25226e07f223157b24c1d379ee96839ae669

Found in base branch: master

Vulnerability Details

A Regular expression denial of service (ReDoS) flaw was found in Function interpolateName in interpolateName.js in webpack loader-utils 2.0.0 via the resourcePath variable in interpolateName.js.

Publish Date: 2022-10-11

URL: CVE-2022-37599

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Step up your Open Source Security Game with Mend here

CVE-2021-23495 (Medium) detected in karma-6.3.4.tgz

CVE-2021-23495 - Medium Severity Vulnerability

Vulnerable Library - karma-6.3.4.tgz

Spectacular Test Runner for JavaScript.

Library home page: https://registry.npmjs.org/karma/-/karma-6.3.4.tgz

Path to dependency file: /src/FileExtensionAng/package.json

Path to vulnerable library: /src/FileExtensionAng/node_modules/karma/package.json

Dependency Hierarchy:

  • karma-6.3.4.tgz (Vulnerable Library)

Found in base branch: master

Vulnerability Details

The package karma before 6.3.16 are vulnerable to Open Redirect due to missing validation of the return_url query parameter.

Publish Date: 2022-02-25

URL: CVE-2021-23495

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23495

Release Date: 2022-02-25

Fix Resolution: 6.3.16

Step up your Open Source Security Game with Mend here

CVE-2021-35065 (High) detected in glob-parent-5.1.2.tgz

CVE-2021-35065 - High Severity Vulnerability

Vulnerable Library - glob-parent-5.1.2.tgz

Extract the non-magic parent path from a glob string.

Library home page: https://registry.npmjs.org/glob-parent/-/glob-parent-5.1.2.tgz

Path to dependency file: /src/FileExtensionAng/package.json

Path to vulnerable library: /src/FileExtensionAng/node_modules/glob-parent/package.json

Dependency Hierarchy:

  • compiler-cli-12.2.1.tgz (Root Library)
    • chokidar-3.5.2.tgz
      • glob-parent-5.1.2.tgz (Vulnerable Library)

Found in base branch: master

Vulnerability Details

The package glob-parent from 6.0.0 and before 6.0.1 are vulnerable to Regular Expression Denial of Service (ReDoS)

Publish Date: 2021-06-22

URL: CVE-2021-35065

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-cj88-88mr-972w

Release Date: 2021-06-22

Fix Resolution: glob-parent - 6.0.1

Step up your Open Source Security Game with Mend here

Weekly Digest (26 April, 2020 - 3 May, 2020)

Here's the Weekly Digest for ignatandrei/FileExtension:

ISSUES

Last week, no issues were created.

PULL REQUESTS

Last week, no pull requests were created, updated or merged.

COMMITS

Last week there were no commits.

CONTRIBUTORS

Last week there were no contributors.

STARGAZERS

Last week there were no stargazers.

RELEASES

Last week there were no releases.

That's all for last week, please 👀 Watch and Star the repository ignatandrei/FileExtension to receive next weekly updates. 😃

You can also view all Weekly Digests by clicking here.

Your Weekly Digest bot. 📆

CVE-2017-0247 (High) detected in system.net.http.4.3.0.nupkg - autoclosed

CVE-2017-0247 - High Severity Vulnerability

Vulnerable Library - system.net.http.4.3.0.nupkg

Provides a programming interface for modern HTTP applications, including HTTP client components that...

Library home page: https://api.nuget.org/packages/system.net.http.4.3.0.nupkg

Path to dependency file: /src/TestFileExtensions/TestFileExtensions.csproj

Path to vulnerable library: /usr/share/dotnet/sdk/NuGetFallbackFolder/system.net.http/4.3.0/system.net.http.4.3.0.nupkg

Dependency Hierarchy:

  • lightbdd.xunit2.3.3.0.nupkg (Root Library)
    • xunit.2.4.1.nupkg
      • xunit.assert.2.4.1.nupkg
        • netstandard.library.1.6.1.nupkg
          • system.net.http.4.3.0.nupkg (Vulnerable Library)

Found in base branch: master

Vulnerability Details

A denial of service vulnerability exists when the ASP.NET Core fails to properly validate web requests. NOTE: Microsoft has not commented on third-party claims that the issue is that the TextEncoder.EncodeCore function in the System.Text.Encodings.Web package in ASP.NET Core Mvc before 1.0.4 and 1.1.x before 1.1.3 allows remote attackers to cause a denial of service by leveraging failure to properly calculate the length of 4-byte characters in the Unicode Non-Character range.

Publish Date: 2017-05-12

URL: CVE-2017-0247

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: High
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2017-05-12

Fix Resolution: System.Text.Encodings.Web - 4.0.1,4.3.1;System.Net.Http - 4.1.2,4.3.2;System.Net.Http.WinHttpHandler - 4.0.2,4.5.4;System.Net.Security - 4.0.1,4.3.1;System.Net.WebSockets.Client - 4.0.1,4.3.1;Microsoft.AspNetCore.Mvc - 1.0.4,1.1.3;Microsoft.AspNetCore.Mvc.Core - 1.0.4,1.1.3;Microsoft.AspNetCore.Mvc.Abstractions - 1.0.4,1.1.3;Microsoft.AspNetCore.Mvc.ApiExplorer - 1.0.4,1.1.3;Microsoft.AspNetCore.Mvc.Cors - 1.0.4,1.1.3;Microsoft.AspNetCore.Mvc.DataAnnotations - 1.0.4,1.1.3;Microsoft.AspNetCore.Mvc.Formatters.Json - 1.0.4,1.1.3;Microsoft.AspNetCore.Mvc.Formatters.Xml - 1.0.4,1.1.3;Microsoft.AspNetCore.Mvc.Localization - 1.0.4,1.1.3;Microsoft.AspNetCore.Mvc.Razor.Host - 1.0.4,1.1.3;Microsoft.AspNetCore.Mvc.Razor - 1.0.4,1.1.3;Microsoft.AspNetCore.Mvc.TagHelpers - 1.0.4,1.1.3;Microsoft.AspNetCore.Mvc.ViewFeatures - 1.0.4,1.1.3;Microsoft.AspNetCore.Mvc.WebApiCompatShim - 1.0.4,1.1.3

Step up your Open Source Security Game with Mend here

CVE-2021-23424 (High) detected in ansi-html-0.0.7.tgz

CVE-2021-23424 - High Severity Vulnerability

Vulnerable Library - ansi-html-0.0.7.tgz

An elegant lib that converts the chalked (ANSI) text to HTML.

Library home page: https://registry.npmjs.org/ansi-html/-/ansi-html-0.0.7.tgz

Path to dependency file: FileExtension/src/FileExtensionAng/package.json

Path to vulnerable library: FileExtension/src/FileExtensionAng/node_modules/ansi-html/package.json

Dependency Hierarchy:

  • build-angular-12.2.1.tgz (Root Library)
    • webpack-dev-server-3.11.2.tgz
      • ansi-html-0.0.7.tgz (Vulnerable Library)

Found in HEAD commit: ef3d25226e07f223157b24c1d379ee96839ae669

Found in base branch: master

Vulnerability Details

This affects all versions of package ansi-html. If an attacker provides a malicious string, it will get stuck processing the input for an extremely long time.

Publish Date: 2021-08-18

URL: CVE-2021-23424

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Step up your Open Source Security Game with WhiteSource here

CVE-2017-0248 (High) detected in system.net.http.4.3.0.nupkg - autoclosed

CVE-2017-0248 - High Severity Vulnerability

Vulnerable Library - system.net.http.4.3.0.nupkg

Provides a programming interface for modern HTTP applications, including HTTP client components that...

Library home page: https://api.nuget.org/packages/system.net.http.4.3.0.nupkg

Path to dependency file: /src/TestFileExtensions/TestFileExtensions.csproj

Path to vulnerable library: /usr/share/dotnet/sdk/NuGetFallbackFolder/system.net.http/4.3.0/system.net.http.4.3.0.nupkg

Dependency Hierarchy:

  • lightbdd.xunit2.3.3.0.nupkg (Root Library)
    • xunit.2.4.1.nupkg
      • xunit.assert.2.4.1.nupkg
        • netstandard.library.1.6.1.nupkg
          • system.net.http.4.3.0.nupkg (Vulnerable Library)

Found in base branch: master

Vulnerability Details

Microsoft .NET Framework 2.0, 3.5, 3.5.1, 4.5.2, 4.6, 4.6.1, 4.6.2 and 4.7 allow an attacker to bypass Enhanced Security Usage taggings when they present a certificate that is invalid for a specific use, aka ".NET Security Feature Bypass Vulnerability."

Publish Date: 2017-05-12

URL: CVE-2017-0248

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: High
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2017-05-12

Fix Resolution: System.Text.Encodings.Web - 4.0.1, 4.3.1;System.Net.Http - 4.1.2, 4.3.2;System.Net.Http.WinHttpHandler - 4.0.2, 4.3.1;System.Net.Security - 4.0.1, 4.3.1;System.Net.WebSockets.Client - 4.0.1, 4.3.1;Microsoft.AspNetCore.Mvc - 1.0.4, 1.1.3;Microsoft.AspNetCore.Mvc.Core - 1.0.4, 1.1.3;Microsoft.AspNetCore.Mvc.Abstractions - 1.0.4, 1.1.3;Microsoft.AspNetCore.Mvc.ApiExplorer - 1.0.4, 1.1.3;Microsoft.AspNetCore.Mvc.Cors - 1.0.4, 1.1.3;Microsoft.AspNetCore.Mvc.DataAnnotations - 1.0.4, 1.1.3;Microsoft.AspNetCore.Mvc.Formatters.Json - 1.0.4, 1.1.3;Microsoft.AspNetCore.Mvc.Formatters.Xml - 1.0.4, 1.1.3;Microsoft.AspNetCore.Mvc.Localization - 1.0.4, 1.1.3;Microsoft.AspNetCore.Mvc.Razor.Host - 1.0.4, 1.1.3;Microsoft.AspNetCore.Mvc.Razor - 1.0.4, 1.1.3;Microsoft.AspNetCore.Mvc.TagHelpers - 1.0.4, 1.1.3;Microsoft.AspNetCore.Mvc.ViewFeatures - 1.0.4, 1.1.3;Microsoft.AspNetCore.Mvc.WebApiCompatShim - 1.0.4, 1.1.3

Step up your Open Source Security Game with Mend here

CVE-2022-1650 (High) detected in eventsource-1.1.0.tgz

CVE-2022-1650 - High Severity Vulnerability

Vulnerable Library - eventsource-1.1.0.tgz

W3C compliant EventSource client for Node.js and browser (polyfill)

Library home page: https://registry.npmjs.org/eventsource/-/eventsource-1.1.0.tgz

Path to dependency file: /src/FileExtensionAng/package.json

Path to vulnerable library: /src/FileExtensionAng/node_modules/eventsource/package.json

Dependency Hierarchy:

  • build-angular-12.2.1.tgz (Root Library)
    • webpack-dev-server-3.11.2.tgz
      • sockjs-client-1.5.1.tgz
        • eventsource-1.1.0.tgz (Vulnerable Library)

Found in base branch: master

Vulnerability Details

Exposure of Sensitive Information to an Unauthorized Actor in GitHub repository eventsource/eventsource prior to v2.0.2.

Publish Date: 2022-05-12

URL: CVE-2022-1650

CVSS 3 Score Details (9.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2022-05-12

Fix Resolution (eventsource): 1.1.1

Direct dependency fix Resolution (@angular-devkit/build-angular): 12.2.2

Step up your Open Source Security Game with Mend here

CVE-2021-26701 (High) detected in system.text.encodings.web.5.0.0.nupkg

CVE-2021-26701 - High Severity Vulnerability

Vulnerable Library - system.text.encodings.web.5.0.0.nupkg

Provides types for encoding and escaping strings for use in JavaScript, HyperText Markup Language (H...

Library home page: https://api.nuget.org/packages/system.text.encodings.web.5.0.0.nupkg

Path to dependency file: FileExtension/src/RecognizerPlugin/RecognizerPlugin.csproj

Path to vulnerable library: /home/wss-scanner/.nuget/packages/system.text.encodings.web/5.0.0/system.text.encodings.web.5.0.0.nupkg

Dependency Hierarchy:

  • RecognizerPlugin-1.0.0 (Root Library)
    • mcmaster.netcore.plugins.1.4.0.nupkg
      • microsoft.extensions.dependencymodel.5.0.0.nupkg
        • system.text.encodings.web.5.0.0.nupkg (Vulnerable Library)

Found in HEAD commit: 2099d991af9206d382d5d4ebcc42578b64c935f8

Found in base branch: master

Vulnerability Details

.NET Core Remote Code Execution Vulnerability This CVE ID is unique from CVE-2021-24112.

Publish Date: 2021-02-25

URL: CVE-2021-26701

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: dotnet/announcements#178

Release Date: 2021-02-25

Fix Resolution: System.Text.Encodings.Web - 4.5.1,4.7.2,5.0.1

Step up your Open Source Security Game with WhiteSource here

Weekly Digest (11 March, 2020 - 18 March, 2020)

Here's the Weekly Digest for ignatandrei/FileExtension:

ISSUES

Last week, no issues were created.

PULL REQUESTS

Last week, no pull requests were created, updated or merged.

COMMITS

Last week there were no commits.

CONTRIBUTORS

Last week there were no contributors.

STARGAZERS

Last week there were no stargazers.

RELEASES

Last week there were no releases.

That's all for last week, please 👀 Watch and Star the repository ignatandrei/FileExtension to receive next weekly updates. 😃

You can also view all Weekly Digests by clicking here.

Your Weekly Digest bot. 📆

CVE-2021-37712 (High) detected in tar-6.1.8.tgz

CVE-2021-37712 - High Severity Vulnerability

Vulnerable Library - tar-6.1.8.tgz

tar for node

Library home page: https://registry.npmjs.org/tar/-/tar-6.1.8.tgz

Path to dependency file: FileExtension/src/FileExtensionAng/package.json

Path to vulnerable library: FileExtension/src/FileExtensionAng/node_modules/tar/package.json

Dependency Hierarchy:

  • build-angular-12.2.1.tgz (Root Library)
    • cacache-15.2.0.tgz
      • tar-6.1.8.tgz (Vulnerable Library)

Found in HEAD commit: ef3d25226e07f223157b24c1d379ee96839ae669

Found in base branch: master

Vulnerability Details

The npm package "tar" (aka node-tar) before versions 4.4.18, 5.0.10, and 6.1.9 has an arbitrary file creation/overwrite and arbitrary code execution vulnerability. node-tar aims to guarantee that any file whose location would be modified by a symbolic link is not extracted. This is, in part, achieved by ensuring that extracted directories are not symlinks. Additionally, in order to prevent unnecessary stat calls to determine whether a given path is a directory, paths are cached when directories are created. This logic was insufficient when extracting tar files that contained both a directory and a symlink with names containing unicode values that normalized to the same value. Additionally, on Windows systems, long path portions would resolve to the same file system entities as their 8.3 "short path" counterparts. A specially crafted tar archive could thus include a directory with one form of the path, followed by a symbolic link with a different string that resolves to the same file system entity, followed by a file using the first form. By first creating a directory, and then replacing that directory with a symlink that had a different apparent name that resolved to the same entry in the filesystem, it was thus possible to bypass node-tar symlink checks on directories, essentially allowing an untrusted tar file to symlink into an arbitrary location and subsequently extracting arbitrary files into that location, thus allowing arbitrary file creation and overwrite. These issues were addressed in releases 4.4.18, 5.0.10 and 6.1.9. The v3 branch of node-tar has been deprecated and did not receive patches for these issues. If you are still using a v3 release we recommend you update to a more recent version of node-tar. If this is not possible, a workaround is available in the referenced GHSA-qq89-hq3f-393p.

Publish Date: 2021-08-31

URL: CVE-2021-37712

CVSS 3 Score Details (8.6)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-qq89-hq3f-393p

Release Date: 2021-08-31

Fix Resolution: tar - 4.4.18, 5.0.10, 6.1.9

Step up your Open Source Security Game with WhiteSource here

Weekly Digest (19 April, 2020 - 26 April, 2020)

Here's the Weekly Digest for ignatandrei/FileExtension:

ISSUES

Last week, no issues were created.

PULL REQUESTS

Last week, no pull requests were created, updated or merged.

COMMITS

Last week there were no commits.

CONTRIBUTORS

Last week there were no contributors.

STARGAZERS

Last week there were no stargazers.

RELEASES

Last week there were no releases.

That's all for last week, please 👀 Watch and Star the repository ignatandrei/FileExtension to receive next weekly updates. 😃

You can also view all Weekly Digests by clicking here.

Your Weekly Digest bot. 📆

CVE-2022-2421 (High) detected in socket.io-parser-4.0.4.tgz

CVE-2022-2421 - High Severity Vulnerability

Vulnerable Library - socket.io-parser-4.0.4.tgz

socket.io protocol parser

Library home page: https://registry.npmjs.org/socket.io-parser/-/socket.io-parser-4.0.4.tgz

Path to dependency file: /src/FileExtensionAng/package.json

Path to vulnerable library: /src/FileExtensionAng/node_modules/socket.io-parser/package.json

Dependency Hierarchy:

  • karma-6.3.4.tgz (Root Library)
    • socket.io-3.1.2.tgz
      • socket.io-parser-4.0.4.tgz (Vulnerable Library)

Found in base branch: master

Vulnerability Details

Due to improper type validation in attachment parsing the Socket.io js library, it is possible to overwrite the _placeholder object which allows an attacker to place references to functions at arbitrary places in the resulting query object.

Publish Date: 2022-10-26

URL: CVE-2022-2421

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://csirt.divd.nl/cases/DIVD-2022-00045/

Release Date: 2022-10-26

Fix Resolution: socket.io-parser - 4.0.5,4.2.1

Step up your Open Source Security Game with Mend here

Weekly Digest (3 May, 2020 - 10 May, 2020)

Here's the Weekly Digest for ignatandrei/FileExtension:

ISSUES

Last week, no issues were created.

PULL REQUESTS

Last week, no pull requests were created, updated or merged.

COMMITS

Last week there were no commits.

CONTRIBUTORS

Last week there were no contributors.

STARGAZERS

Last week there were no stargazers.

RELEASES

Last week there were no releases.

That's all for last week, please 👀 Watch and Star the repository ignatandrei/FileExtension to receive next weekly updates. 😃

You can also view all Weekly Digests by clicking here.

Your Weekly Digest bot. 📆

CVE-2022-24773 (Medium) detected in node-forge-0.10.0.tgz

CVE-2022-24773 - Medium Severity Vulnerability

Vulnerable Library - node-forge-0.10.0.tgz

JavaScript implementations of network transports, cryptography, ciphers, PKI, message digests, and various utilities.

Library home page: https://registry.npmjs.org/node-forge/-/node-forge-0.10.0.tgz

Path to dependency file: /src/FileExtensionAng/package.json

Path to vulnerable library: /src/FileExtensionAng/node_modules/node-forge/package.json

Dependency Hierarchy:

  • build-angular-12.2.1.tgz (Root Library)
    • webpack-dev-server-3.11.2.tgz
      • selfsigned-1.10.11.tgz
        • node-forge-0.10.0.tgz (Vulnerable Library)

Found in base branch: master

Vulnerability Details

Forge (also called node-forge) is a native implementation of Transport Layer Security in JavaScript. Prior to version 1.3.0, RSA PKCS#1 v1.5 signature verification code does not properly check DigestInfo for a proper ASN.1 structure. This can lead to successful verification with signatures that contain invalid structures but a valid digest. The issue has been addressed in node-forge version 1.3.0. There are currently no known workarounds.

Publish Date: 2022-03-18

URL: CVE-2022-24773

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24773

Release Date: 2022-03-18

Fix Resolution (node-forge): 1.3.0

Direct dependency fix Resolution (@angular-devkit/build-angular): 13.2.1

Step up your Open Source Security Game with Mend here

CVE-2022-0437 (Medium) detected in karmav6.3.3, karma-6.3.4.tgz

CVE-2022-0437 - Medium Severity Vulnerability

Vulnerable Libraries - karmav6.3.3, karma-6.3.4.tgz

karma-6.3.4.tgz

Spectacular Test Runner for JavaScript.

Library home page: https://registry.npmjs.org/karma/-/karma-6.3.4.tgz

Path to dependency file: /src/FileExtensionAng/package.json

Path to vulnerable library: /src/FileExtensionAng/node_modules/karma/package.json

Dependency Hierarchy:

  • karma-6.3.4.tgz (Vulnerable Library)

Found in base branch: master

Vulnerability Details

Cross-site Scripting (XSS) - DOM in NPM karma prior to 6.3.14.

Publish Date: 2022-02-05

URL: CVE-2022-0437

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2022-0437

Release Date: 2022-02-05

Fix Resolution: 6.3.14

Step up your Open Source Security Game with Mend here

CVE-2017-0256 (Medium) detected in system.net.http.4.3.0.nupkg - autoclosed

CVE-2017-0256 - Medium Severity Vulnerability

Vulnerable Library - system.net.http.4.3.0.nupkg

Provides a programming interface for modern HTTP applications, including HTTP client components that...

Library home page: https://api.nuget.org/packages/system.net.http.4.3.0.nupkg

Path to dependency file: /src/TestFileExtensions/TestFileExtensions.csproj

Path to vulnerable library: /usr/share/dotnet/sdk/NuGetFallbackFolder/system.net.http/4.3.0/system.net.http.4.3.0.nupkg

Dependency Hierarchy:

  • lightbdd.xunit2.3.3.0.nupkg (Root Library)
    • xunit.2.4.1.nupkg
      • xunit.assert.2.4.1.nupkg
        • netstandard.library.1.6.1.nupkg
          • system.net.http.4.3.0.nupkg (Vulnerable Library)

Found in base branch: master

Vulnerability Details

A spoofing vulnerability exists when the ASP.NET Core fails to properly sanitize web requests.

Publish Date: 2017-05-12

URL: CVE-2017-0256

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2017-0256

Release Date: 2017-05-12

Fix Resolution: Microsoft.AspNetCore.Mvc.ApiExplorer - 1.1.3,1.0.4;Microsoft.AspNetCore.Mvc.Abstractions - 1.1.3,1.0.4;Microsoft.AspNetCore.Mvc.Core - 1.0.4,1.1.3;Microsoft.AspNetCore.Mvc.Cors - 1.0.4,1.1.3;Microsoft.AspNetCore.Mvc.Localization - 1.1.3,1.0.4;System.Net.Http - 4.1.2,4.3.2;Microsoft.AspNetCore.Mvc.Razor - 1.1.3,1.0.4;System.Net.Http.WinHttpHandler - 4.0.2,4.3.0-preview1-24530-04;System.Net.Security - 4.3.0-preview1-24530-04,4.0.1;Microsoft.AspNetCore.Mvc.ViewFeatures - 1.1.3,1.0.4;Microsoft.AspNetCore.Mvc.TagHelpers - 1.0.4,1.1.3;System.Text.Encodings.Web - 4.3.0-preview1-24530-04,4.0.1;Microsoft.AspNetCore.Mvc.Razor.Host - 1.1.3,1.0.4;Microsoft.AspNetCore.Mvc.Formatters.Json - 1.0.4,1.1.3;Microsoft.AspNetCore.Mvc.WebApiCompatShim - 1.0.4,1.1.3;System.Net.WebSockets.Client - 4.3.0-preview1-24530-04,4.0.1;Microsoft.AspNetCore.Mvc.Formatters.Xml - 1.1.3,1.0.4;Microsoft.AspNetCore.Mvc.DataAnnotations - 1.0.4,1.1.3

Step up your Open Source Security Game with Mend here

CVE-2022-37601 (High) detected in loader-utils-1.4.0.tgz

CVE-2022-37601 - High Severity Vulnerability

Vulnerable Library - loader-utils-1.4.0.tgz

utils for webpack loaders

Library home page: https://registry.npmjs.org/loader-utils/-/loader-utils-1.4.0.tgz

Path to dependency file: /src/FileExtensionAng/package.json

Path to vulnerable library: /src/FileExtensionAng/node_modules/babel-loader/node_modules/loader-utils/package.json

Dependency Hierarchy:

  • build-angular-12.2.1.tgz (Root Library)
    • babel-loader-8.2.2.tgz
      • loader-utils-1.4.0.tgz (Vulnerable Library)

Found in HEAD commit: ef3d25226e07f223157b24c1d379ee96839ae669

Found in base branch: master

Vulnerability Details

Prototype pollution vulnerability in function parseQuery in parseQuery.js in webpack loader-utils 2.0.0 via the name variable in parseQuery.js.

Publish Date: 2022-10-12

URL: CVE-2022-37601

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2022-10-12

Fix Resolution (loader-utils): 2.0.0

Direct dependency fix Resolution (@angular-devkit/build-angular): 13.3.6

Step up your Open Source Security Game with Mend here

CVE-2022-25858 (High) detected in terser-5.7.1.tgz

CVE-2022-25858 - High Severity Vulnerability

Vulnerable Library - terser-5.7.1.tgz

JavaScript parser, mangler/compressor and beautifier toolkit for ES6+

Library home page: https://registry.npmjs.org/terser/-/terser-5.7.1.tgz

Path to dependency file: /src/FileExtensionAng/package.json

Path to vulnerable library: /src/FileExtensionAng/node_modules/terser/package.json

Dependency Hierarchy:

  • build-angular-12.2.1.tgz (Root Library)
    • terser-5.7.1.tgz (Vulnerable Library)

Found in HEAD commit: ef3d25226e07f223157b24c1d379ee96839ae669

Found in base branch: master

Vulnerability Details

The package terser before 4.8.1, from 5.0.0 and before 5.14.2 are vulnerable to Regular Expression Denial of Service (ReDoS) due to insecure usage of regular expressions.

Publish Date: 2022-07-15

URL: CVE-2022-25858

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-25858

Release Date: 2022-07-15

Fix Resolution: terser - 4.8.1,5.14.2

Step up your Open Source Security Game with Mend here

CVE-2022-0691 (High) detected in url-parse-1.5.3.tgz

CVE-2022-0691 - High Severity Vulnerability

Vulnerable Library - url-parse-1.5.3.tgz

Small footprint URL parser that works seamlessly across Node.js and browser environments

Library home page: https://registry.npmjs.org/url-parse/-/url-parse-1.5.3.tgz

Path to dependency file: /src/FileExtensionAng/package.json

Path to vulnerable library: /src/FileExtensionAng/node_modules/url-parse/package.json

Dependency Hierarchy:

  • build-angular-12.2.1.tgz (Root Library)
    • webpack-dev-server-3.11.2.tgz
      • sockjs-client-1.5.1.tgz
        • url-parse-1.5.3.tgz (Vulnerable Library)

Found in base branch: master

Vulnerability Details

Authorization Bypass Through User-Controlled Key in NPM url-parse prior to 1.5.9.

Publish Date: 2022-02-21

URL: CVE-2022-0691

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0691

Release Date: 2022-02-21

Fix Resolution (url-parse): 1.5.9

Direct dependency fix Resolution (@angular-devkit/build-angular): 12.2.2

Step up your Open Source Security Game with Mend here

CVE-2022-3517 (High) detected in minimatch-3.0.4.tgz

CVE-2022-3517 - High Severity Vulnerability

Vulnerable Library - minimatch-3.0.4.tgz

a glob matcher in javascript

Library home page: https://registry.npmjs.org/minimatch/-/minimatch-3.0.4.tgz

Path to dependency file: /src/FileExtensionAng/package.json

Path to vulnerable library: /src/FileExtensionAng/node_modules/minimatch/package.json

Dependency Hierarchy:

  • build-angular-12.2.1.tgz (Root Library)
    • minimatch-3.0.4.tgz (Vulnerable Library)

Found in HEAD commit: ef3d25226e07f223157b24c1d379ee96839ae669

Found in base branch: master

Vulnerability Details

A vulnerability was found in the minimatch package. This flaw allows a Regular Expression Denial of Service (ReDoS) when calling the braceExpand function with specific arguments, resulting in a Denial of Service.

Publish Date: 2022-10-17

URL: CVE-2022-3517

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2022-10-17

Fix Resolution: minimatch - 3.0.5

Step up your Open Source Security Game with Mend here

Weekly Digest (28 June, 2020 - 5 July, 2020)

Here's the Weekly Digest for ignatandrei/FileExtension:

ISSUES

Last week, no issues were created.

PULL REQUESTS

Last week, no pull requests were created, updated or merged.

COMMITS

Last week there were no commits.

CONTRIBUTORS

Last week there were no contributors.

STARGAZERS

Last week there were no stargazers.

RELEASES

Last week there were no releases.

That's all for last week, please 👀 Watch and Star the repository ignatandrei/FileExtension to receive next weekly updates. 😃

You can also view all Weekly Digests by clicking here.

Your Weekly Digest bot. 📆

Weekly Digest (19 July, 2020 - 26 July, 2020)

Here's the Weekly Digest for ignatandrei/FileExtension:

ISSUES

Last week, no issues were created.

PULL REQUESTS

Last week, no pull requests were created, updated or merged.

COMMITS

Last week there were no commits.

CONTRIBUTORS

Last week there were no contributors.

STARGAZERS

Last week there were no stargazers.

RELEASES

Last week there were no releases.

That's all for last week, please 👀 Watch and Star the repository ignatandrei/FileExtension to receive next weekly updates. 😃

You can also view all Weekly Digests by clicking here.

Your Weekly Digest bot. 📆

Weekly Digest (2 August, 2020 - 9 August, 2020)

Here's the Weekly Digest for ignatandrei/FileExtension:

ISSUES

Last week, no issues were created.

PULL REQUESTS

Last week, no pull requests were created, updated or merged.

COMMITS

Last week there were no commits.

CONTRIBUTORS

Last week there were no contributors.

STARGAZERS

Last week there were no stargazers.

RELEASES

Last week there were no releases.

That's all for last week, please 👀 Watch and Star the repository ignatandrei/FileExtension to receive next weekly updates. 😃

You can also view all Weekly Digests by clicking here.

Your Weekly Digest bot. 📆

CVE-2021-43138 (High) detected in async-2.6.3.tgz

CVE-2021-43138 - High Severity Vulnerability

Vulnerable Library - async-2.6.3.tgz

Higher-order functions and common patterns for asynchronous code

Library home page: https://registry.npmjs.org/async/-/async-2.6.3.tgz

Path to dependency file: /src/FileExtensionAng/package.json

Path to vulnerable library: /src/FileExtensionAng/node_modules/async/package.json

Dependency Hierarchy:

  • build-angular-12.2.1.tgz (Root Library)
    • webpack-dev-server-3.11.2.tgz
      • portfinder-1.0.28.tgz
        • async-2.6.3.tgz (Vulnerable Library)

Found in base branch: master

Vulnerability Details

In Async before 2.6.4 and 3.x before 3.2.2, a malicious user can obtain privileges via the mapValues() method, aka lib/internal/iterator.js createObjectIterator prototype pollution.

Publish Date: 2022-04-06

URL: CVE-2021-43138

CVSS 3 Score Details (7.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2021-43138

Release Date: 2022-04-06

Fix Resolution (async): 2.6.4

Direct dependency fix Resolution (@angular-devkit/build-angular): 12.2.2

Step up your Open Source Security Game with Mend here

CVE-2022-0512 (Medium) detected in url-parse-1.5.3.tgz

CVE-2022-0512 - Medium Severity Vulnerability

Vulnerable Library - url-parse-1.5.3.tgz

Small footprint URL parser that works seamlessly across Node.js and browser environments

Library home page: https://registry.npmjs.org/url-parse/-/url-parse-1.5.3.tgz

Path to dependency file: /src/FileExtensionAng/package.json

Path to vulnerable library: /src/FileExtensionAng/node_modules/url-parse/package.json

Dependency Hierarchy:

  • build-angular-12.2.1.tgz (Root Library)
    • webpack-dev-server-3.11.2.tgz
      • sockjs-client-1.5.1.tgz
        • url-parse-1.5.3.tgz (Vulnerable Library)

Found in base branch: master

Vulnerability Details

Authorization Bypass Through User-Controlled Key in NPM url-parse prior to 1.5.6.

Publish Date: 2022-02-14

URL: CVE-2022-0512

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0512

Release Date: 2022-02-14

Fix Resolution (url-parse): 1.5.6

Direct dependency fix Resolution (@angular-devkit/build-angular): 12.2.2

Step up your Open Source Security Game with Mend here

CVE-2020-28469 (High) detected in glob-parent-3.1.0.tgz

CVE-2020-28469 - High Severity Vulnerability

Vulnerable Library - glob-parent-3.1.0.tgz

Strips glob magic from a string to provide the parent directory path

Library home page: https://registry.npmjs.org/glob-parent/-/glob-parent-3.1.0.tgz

Path to dependency file: FileExtension/src/FileExtensionAng/package.json

Path to vulnerable library: FileExtension/src/FileExtensionAng/node_modules/webpack-dev-server/node_modules/glob-parent/package.json

Dependency Hierarchy:

  • build-angular-12.2.1.tgz (Root Library)
    • webpack-dev-server-3.11.2.tgz
      • chokidar-2.1.8.tgz
        • glob-parent-3.1.0.tgz (Vulnerable Library)

Found in HEAD commit: ef3d25226e07f223157b24c1d379ee96839ae669

Found in base branch: master

Vulnerability Details

This affects the package glob-parent before 5.1.2. The enclosure regex used to check for strings ending in enclosure containing path separator.

Publish Date: 2021-06-03

URL: CVE-2020-28469

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28469

Release Date: 2021-06-03

Fix Resolution: glob-parent - 5.1.2

Step up your Open Source Security Game with WhiteSource here

CVE-2021-23566 (Medium) detected in nanoid-3.1.25.tgz

CVE-2021-23566 - Medium Severity Vulnerability

Vulnerable Library - nanoid-3.1.25.tgz

A tiny (108 bytes), secure URL-friendly unique string ID generator

Library home page: https://registry.npmjs.org/nanoid/-/nanoid-3.1.25.tgz

Path to dependency file: /src/FileExtensionAng/package.json

Path to vulnerable library: /src/FileExtensionAng/node_modules/nanoid/package.json

Dependency Hierarchy:

  • build-angular-12.2.1.tgz (Root Library)
    • postcss-8.3.6.tgz
      • nanoid-3.1.25.tgz (Vulnerable Library)

Found in base branch: master

Vulnerability Details

The package nanoid from 3.0.0 and before 3.1.31 are vulnerable to Information Exposure via the valueOf() function which allows to reproduce the last id generated.

Publish Date: 2022-01-14

URL: CVE-2021-23566

CVSS 3 Score Details (5.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2022-01-14

Fix Resolution (nanoid): 3.1.31

Direct dependency fix Resolution (@angular-devkit/build-angular): 12.2.2

Step up your Open Source Security Game with Mend here

CVE-2022-0639 (Medium) detected in url-parse-1.5.3.tgz

CVE-2022-0639 - Medium Severity Vulnerability

Vulnerable Library - url-parse-1.5.3.tgz

Small footprint URL parser that works seamlessly across Node.js and browser environments

Library home page: https://registry.npmjs.org/url-parse/-/url-parse-1.5.3.tgz

Path to dependency file: /src/FileExtensionAng/package.json

Path to vulnerable library: /src/FileExtensionAng/node_modules/url-parse/package.json

Dependency Hierarchy:

  • build-angular-12.2.1.tgz (Root Library)
    • webpack-dev-server-3.11.2.tgz
      • sockjs-client-1.5.1.tgz
        • url-parse-1.5.3.tgz (Vulnerable Library)

Found in base branch: master

Vulnerability Details

Authorization Bypass Through User-Controlled Key in NPM url-parse prior to 1.5.7.

Publish Date: 2022-02-17

URL: CVE-2022-0639

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0639

Release Date: 2022-02-17

Fix Resolution (url-parse): 1.5.7

Direct dependency fix Resolution (@angular-devkit/build-angular): 12.2.2

Step up your Open Source Security Game with Mend here

CVE-2022-0686 (High) detected in url-parse-1.5.3.tgz

CVE-2022-0686 - High Severity Vulnerability

Vulnerable Library - url-parse-1.5.3.tgz

Small footprint URL parser that works seamlessly across Node.js and browser environments

Library home page: https://registry.npmjs.org/url-parse/-/url-parse-1.5.3.tgz

Path to dependency file: /src/FileExtensionAng/package.json

Path to vulnerable library: /src/FileExtensionAng/node_modules/url-parse/package.json

Dependency Hierarchy:

  • build-angular-12.2.1.tgz (Root Library)
    • webpack-dev-server-3.11.2.tgz
      • sockjs-client-1.5.1.tgz
        • url-parse-1.5.3.tgz (Vulnerable Library)

Found in base branch: master

Vulnerability Details

Authorization Bypass Through User-Controlled Key in NPM url-parse prior to 1.5.8.

Publish Date: 2022-02-20

URL: CVE-2022-0686

CVSS 3 Score Details (9.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0686

Release Date: 2022-02-20

Fix Resolution (url-parse): 1.5.8

Direct dependency fix Resolution (@angular-devkit/build-angular): 12.2.2

Step up your Open Source Security Game with Mend here

CVE-2022-24772 (High) detected in node-forge-0.10.0.tgz

CVE-2022-24772 - High Severity Vulnerability

Vulnerable Library - node-forge-0.10.0.tgz

JavaScript implementations of network transports, cryptography, ciphers, PKI, message digests, and various utilities.

Library home page: https://registry.npmjs.org/node-forge/-/node-forge-0.10.0.tgz

Path to dependency file: /src/FileExtensionAng/package.json

Path to vulnerable library: /src/FileExtensionAng/node_modules/node-forge/package.json

Dependency Hierarchy:

  • build-angular-12.2.1.tgz (Root Library)
    • webpack-dev-server-3.11.2.tgz
      • selfsigned-1.10.11.tgz
        • node-forge-0.10.0.tgz (Vulnerable Library)

Found in base branch: master

Vulnerability Details

Forge (also called node-forge) is a native implementation of Transport Layer Security in JavaScript. Prior to version 1.3.0, RSA PKCS#1 v1.5 signature verification code does not check for tailing garbage bytes after decoding a DigestInfo ASN.1 structure. This can allow padding bytes to be removed and garbage data added to forge a signature when a low public exponent is being used. The issue has been addressed in node-forge version 1.3.0. There are currently no known workarounds.

Publish Date: 2022-03-18

URL: CVE-2022-24772

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: High
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24772

Release Date: 2022-03-18

Fix Resolution (node-forge): 1.3.0

Direct dependency fix Resolution (@angular-devkit/build-angular): 13.2.1

Step up your Open Source Security Game with Mend here

Weekly Digest (26 July, 2020 - 2 August, 2020)

Here's the Weekly Digest for ignatandrei/FileExtension:

ISSUES

Last week, no issues were created.

PULL REQUESTS

Last week, no pull requests were created, updated or merged.

COMMITS

Last week there were no commits.

CONTRIBUTORS

Last week there were no contributors.

STARGAZERS

Last week there were no stargazers.

RELEASES

Last week there were no releases.

That's all for last week, please 👀 Watch and Star the repository ignatandrei/FileExtension to receive next weekly updates. 😃

You can also view all Weekly Digests by clicking here.

Your Weekly Digest bot. 📆

CVE-2021-37713 (High) detected in tar-6.1.8.tgz

CVE-2021-37713 - High Severity Vulnerability

Vulnerable Library - tar-6.1.8.tgz

tar for node

Library home page: https://registry.npmjs.org/tar/-/tar-6.1.8.tgz

Path to dependency file: FileExtension/src/FileExtensionAng/package.json

Path to vulnerable library: FileExtension/src/FileExtensionAng/node_modules/tar/package.json

Dependency Hierarchy:

  • build-angular-12.2.1.tgz (Root Library)
    • cacache-15.2.0.tgz
      • tar-6.1.8.tgz (Vulnerable Library)

Found in HEAD commit: ef3d25226e07f223157b24c1d379ee96839ae669

Found in base branch: master

Vulnerability Details

The npm package "tar" (aka node-tar) before versions 4.4.18, 5.0.10, and 6.1.9 has an arbitrary file creation/overwrite and arbitrary code execution vulnerability. node-tar aims to guarantee that any file whose location would be outside of the extraction target directory is not extracted. This is, in part, accomplished by sanitizing absolute paths of entries within the archive, skipping archive entries that contain .. path portions, and resolving the sanitized paths against the extraction target directory. This logic was insufficient on Windows systems when extracting tar files that contained a path that was not an absolute path, but specified a drive letter different from the extraction target, such as C:some\path. If the drive letter does not match the extraction target, for example D:\extraction\dir, then the result of path.resolve(extractionDirectory, entryPath) would resolve against the current working directory on the C: drive, rather than the extraction target directory. Additionally, a .. portion of the path could occur immediately after the drive letter, such as C:../foo, and was not properly sanitized by the logic that checked for .. within the normalized and split portions of the path. This only affects users of node-tar on Windows systems. These issues were addressed in releases 4.4.18, 5.0.10 and 6.1.9. The v3 branch of node-tar has been deprecated and did not receive patches for these issues. If you are still using a v3 release we recommend you update to a more recent version of node-tar. There is no reasonable way to work around this issue without performing the same path normalization procedures that node-tar now does. Users are encouraged to upgrade to the latest patched versions of node-tar, rather than attempt to sanitize paths themselves.

Publish Date: 2021-08-31

URL: CVE-2021-37713

CVSS 3 Score Details (8.6)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-5955-9wpr-37jh

Release Date: 2021-08-31

Fix Resolution: tar - 4.4.18, 5.0.10, 6.1.9

Step up your Open Source Security Game with WhiteSource here

CVE-2018-8292 (High) detected in system.net.http.4.3.0.nupkg

CVE-2018-8292 - High Severity Vulnerability

Vulnerable Library - system.net.http.4.3.0.nupkg

Provides a programming interface for modern HTTP applications, including HTTP client components that...

Library home page: https://api.nuget.org/packages/system.net.http.4.3.0.nupkg

Path to dependency file: FileExtension/src/TestFileExtensions/TestFileExtensions.csproj

Path to vulnerable library: /usr/share/dotnet/sdk/NuGetFallbackFolder/system.net.http/4.3.0/system.net.http.4.3.0.nupkg

Dependency Hierarchy:

  • xunit.2.4.1.nupkg (Root Library)
    • xunit.assert.2.4.1.nupkg
      • netstandard.library.1.6.1.nupkg
        • system.net.http.4.3.0.nupkg (Vulnerable Library)

Found in HEAD commit: 07bd536b7da8a6bb06004de2c876ec7d3dfc7b2d

Found in base branch: master

Vulnerability Details

An information disclosure vulnerability exists in .NET Core when authentication information is inadvertently exposed in a redirect, aka ".NET Core Information Disclosure Vulnerability." This affects .NET Core 2.1, .NET Core 1.0, .NET Core 1.1, PowerShell Core 6.0.

Publish Date: 2018-10-10

URL: CVE-2018-8292

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: dotnet/announcements#88

Release Date: 2018-10-10

Fix Resolution: System.Net.Http - 4.3.4;Microsoft.PowerShell.Commands.Utility - 6.1.0-rc.1

Step up your Open Source Security Game with WhiteSource here

CVE-2021-3803 (High) detected in nth-check-2.0.0.tgz

CVE-2021-3803 - High Severity Vulnerability

Vulnerable Library - nth-check-2.0.0.tgz

Parses and compiles CSS nth-checks to highly optimized functions.

Library home page: https://registry.npmjs.org/nth-check/-/nth-check-2.0.0.tgz

Path to dependency file: FileExtension/src/FileExtensionAng/package.json

Path to vulnerable library: FileExtension/src/FileExtensionAng/node_modules/nth-check/package.json

Dependency Hierarchy:

  • build-angular-12.2.1.tgz (Root Library)
    • css-minimizer-webpack-plugin-3.0.2.tgz
      • cssnano-5.0.7.tgz
        • cssnano-preset-default-5.1.3.tgz
          • postcss-svgo-5.0.2.tgz
            • svgo-2.3.1.tgz
              • css-select-4.1.3.tgz
                • nth-check-2.0.0.tgz (Vulnerable Library)

Found in HEAD commit: ef3d25226e07f223157b24c1d379ee96839ae669

Found in base branch: master

Vulnerability Details

nth-check is vulnerable to Inefficient Regular Expression Complexity

Publish Date: 2021-09-17

URL: CVE-2021-3803

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: fb55/nth-check@v2.0.0...v2.0.1

Release Date: 2021-09-17

Fix Resolution: nth-check - v2.0.1

Step up your Open Source Security Game with WhiteSource here

WS-2022-0008 (Medium) detected in node-forge-0.10.0.tgz

WS-2022-0008 - Medium Severity Vulnerability

Vulnerable Library - node-forge-0.10.0.tgz

JavaScript implementations of network transports, cryptography, ciphers, PKI, message digests, and various utilities.

Library home page: https://registry.npmjs.org/node-forge/-/node-forge-0.10.0.tgz

Path to dependency file: /src/FileExtensionAng/package.json

Path to vulnerable library: /src/FileExtensionAng/node_modules/node-forge/package.json

Dependency Hierarchy:

  • build-angular-12.2.1.tgz (Root Library)
    • webpack-dev-server-3.11.2.tgz
      • selfsigned-1.10.11.tgz
        • node-forge-0.10.0.tgz (Vulnerable Library)

Found in base branch: master

Vulnerability Details

The forge.debug API had a potential prototype pollution issue if called with untrusted input. The API was only used for internal debug purposes in a safe way and never documented or advertised. It is suspected that uses of this API, if any exist, would likely not have used untrusted inputs in a vulnerable way.

Publish Date: 2022-01-08

URL: WS-2022-0008

CVSS 3 Score Details (6.6)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: High
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-5rrq-pxf6-6jx5

Release Date: 2022-01-08

Fix Resolution (node-forge): 1.0.0

Direct dependency fix Resolution (@angular-devkit/build-angular): 13.2.1

Step up your Open Source Security Game with Mend here

CVE-2022-0122 (Medium) detected in node-forge-0.10.0.tgz

CVE-2022-0122 - Medium Severity Vulnerability

Vulnerable Library - node-forge-0.10.0.tgz

JavaScript implementations of network transports, cryptography, ciphers, PKI, message digests, and various utilities.

Library home page: https://registry.npmjs.org/node-forge/-/node-forge-0.10.0.tgz

Path to dependency file: /src/FileExtensionAng/package.json

Path to vulnerable library: /src/FileExtensionAng/node_modules/node-forge/package.json

Dependency Hierarchy:

  • build-angular-12.2.1.tgz (Root Library)
    • webpack-dev-server-3.11.2.tgz
      • selfsigned-1.10.11.tgz
        • node-forge-0.10.0.tgz (Vulnerable Library)

Found in base branch: master

Vulnerability Details

forge is vulnerable to URL Redirection to Untrusted Site

Publish Date: 2022-01-06

URL: CVE-2022-0122

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-gf8q-jrpm-jvxq

Release Date: 2022-01-06

Fix Resolution (node-forge): 1.0.0

Direct dependency fix Resolution (@angular-devkit/build-angular): 13.2.1

Step up your Open Source Security Game with Mend here

CVE-2020-7746 (High) detected in Chart-2.8.0.min.js

CVE-2020-7746 - High Severity Vulnerability

Vulnerable Library - Chart-2.8.0.min.js

Simple HTML5 charts using the canvas element.

Library home page: https://cdnjs.cloudflare.com/ajax/libs/Chart.js/2.8.0/Chart.min.js

Path to dependency file: FileExtension/src/FileExtensionAng/node_modules/hdr-histogram-js/benchmark/results/data-access-co.chart.html

Path to vulnerable library: FileExtensionAng/node_modules/hdr-histogram-js/benchmark/results/data-access-co.chart.html

Dependency Hierarchy:

  • Chart-2.8.0.min.js (Vulnerable Library)

Found in HEAD commit: ef3d25226e07f223157b24c1d379ee96839ae669

Found in base branch: master

Vulnerability Details

This affects the package chart.js before 2.9.4. The options parameter is not properly sanitized when it is processed. When the options are processed, the existing options (or the defaults options) are deeply merged with provided options. However, during this operation, the keys of the object being set are not checked, leading to a prototype pollution.

Publish Date: 2020-10-29

URL: CVE-2020-7746

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7746

Release Date: 2020-07-21

Fix Resolution: chart.js - 2.9.4

Step up your Open Source Security Game with WhiteSource here

CVE-2022-37603 (High) detected in loader-utils-2.0.0.tgz

CVE-2022-37603 - High Severity Vulnerability

Vulnerable Library - loader-utils-2.0.0.tgz

utils for webpack loaders

Library home page: https://registry.npmjs.org/loader-utils/-/loader-utils-2.0.0.tgz

Path to dependency file: /src/FileExtensionAng/package.json

Path to vulnerable library: /src/FileExtensionAng/node_modules/loader-utils/package.json

Dependency Hierarchy:

  • build-angular-12.2.1.tgz (Root Library)
    • loader-utils-2.0.0.tgz (Vulnerable Library)

Found in base branch: master

Vulnerability Details

A Regular expression denial of service (ReDoS) flaw was found in Function interpolateName in interpolateName.js in webpack loader-utils 2.0.0 via the url variable in interpolateName.js.

Publish Date: 2022-10-14

URL: CVE-2022-37603

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2022-10-14

Fix Resolution (loader-utils): 2.0.1

Direct dependency fix Resolution (@angular-devkit/build-angular): 13.0.0

Step up your Open Source Security Game with Mend here

Weekly Digest (12 July, 2020 - 19 July, 2020)

Here's the Weekly Digest for ignatandrei/FileExtension:

ISSUES

Last week, no issues were created.

PULL REQUESTS

Last week, no pull requests were created, updated or merged.

COMMITS

Last week there were no commits.

CONTRIBUTORS

Last week there were no contributors.

STARGAZERS

Last week there were no stargazers.

RELEASES

Last week there were no releases.

That's all for last week, please 👀 Watch and Star the repository ignatandrei/FileExtension to receive next weekly updates. 😃

You can also view all Weekly Digests by clicking here.

Your Weekly Digest bot. 📆

Weekly Digest (5 April, 2020 - 12 April, 2020)

Here's the Weekly Digest for ignatandrei/FileExtension:

ISSUES

This week, no issues have been created or closed.

PULL REQUESTS

This week, no pull requests has been proposed by the users.

CONTRIBUTORS

This week, no user has contributed to this repository.

STARGAZERS

This week, no user has starred this repository.

COMMITS

This week, there have been no commits.

RELEASES

This week, no releases were published.

That's all for this week, please watch 👀 and star ⭐ ignatandrei/FileExtension to receive next weekly updates. 😃

CVE-2019-0820 (High) detected in system.text.regularexpressions.4.3.0.nupkg

CVE-2019-0820 - High Severity Vulnerability

Vulnerable Library - system.text.regularexpressions.4.3.0.nupkg

Provides the System.Text.RegularExpressions.Regex class, an implementation of a regular expression e...

Library home page: https://api.nuget.org/packages/system.text.regularexpressions.4.3.0.nupkg

Path to dependency file: FileExtension/src/TestFileExtensions/TestFileExtensions.csproj

Path to vulnerable library: /usr/share/dotnet/sdk/NuGetFallbackFolder/system.text.regularexpressions/4.3.0/system.text.regularexpressions.4.3.0.nupkg

Dependency Hierarchy:

  • xunit.2.4.1.nupkg (Root Library)
    • xunit.assert.2.4.1.nupkg
      • netstandard.library.1.6.1.nupkg
        • system.xml.xdocument.4.3.0.nupkg
          • system.xml.readerwriter.4.3.0.nupkg
            • system.text.regularexpressions.4.3.0.nupkg (Vulnerable Library)

Found in HEAD commit: 07bd536b7da8a6bb06004de2c876ec7d3dfc7b2d

Found in base branch: master

Vulnerability Details

A denial of service vulnerability exists when .NET Framework and .NET Core improperly process RegEx strings, aka '.NET Framework and .NET Core Denial of Service Vulnerability'. This CVE ID is unique from CVE-2019-0980, CVE-2019-0981.

Publish Date: 2019-05-16

URL: CVE-2019-0820

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-cmhx-cq75-c4mj

Release Date: 2020-08-24

Fix Resolution: System.Text.RegularExpressions - 4.3.1

Step up your Open Source Security Game with WhiteSource here

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. 📊📈🎉

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google ❤️ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.