
monorepo's People

Contributors

katerinaozerova, mend-for-github-com[bot], renovate-bot, renovate[bot], zgriesinger

monorepo's Issues

CVE-2012-4386 (Medium) detected in struts2-core-2.0.5.jar - autoclosed

CVE-2012-4386 - Medium Severity Vulnerability

Vulnerable Library - struts2-core-2.0.5.jar

Apache Struts 2

Library home page: http://struts.apache.org/struts2

Path to dependency file: /build.gradle

Path to vulnerable library: /radle/caches/modules-2/files-2.1/org.apache.struts/struts2-core/2.0.5/72d3b106b74c629c8764230c3931e4a7f39524d3/struts2-core-2.0.5.jar

Dependency Hierarchy:

  • struts2-core-2.0.5.jar (Vulnerable Library)

Found in HEAD commit: d74adcb0970dfc5e766162c760da662aada1def1

Found in base branch: main

Vulnerability Details

The token check mechanism in Apache Struts 2.0.0 through 2.3.4 does not properly validate the token name configuration parameter, which allows remote attackers to perform cross-site request forgery (CSRF) attacks by setting the token name configuration parameter to a session attribute.

Publish Date: 2012-09-05

URL: CVE-2012-4386

CVSS 2 Score Details (6.8)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2012-4386

Release Date: 2012-09-05

Fix Resolution: org.apache.struts:struts2-core - 2.3.4.1,2.3.14.2


⛑️ Automatic Remediation is available for this issue

CVE-2017-12611 (High) detected in struts2-core-2.0.5.jar - autoclosed

CVE-2017-12611 - High Severity Vulnerability

Vulnerable Library - struts2-core-2.0.5.jar

Apache Struts 2

Library home page: http://struts.apache.org/struts2

Path to dependency file: /build.gradle

Path to vulnerable library: /radle/caches/modules-2/files-2.1/org.apache.struts/struts2-core/2.0.5/72d3b106b74c629c8764230c3931e4a7f39524d3/struts2-core-2.0.5.jar

Dependency Hierarchy:

  • struts2-core-2.0.5.jar (Vulnerable Library)

Found in HEAD commit: d74adcb0970dfc5e766162c760da662aada1def1

Found in base branch: main

Vulnerability Details

In Apache Struts 2.0.0 through 2.3.33 and 2.5 through 2.5.10.1, using an unintentional expression in a Freemarker tag instead of string literals can lead to an RCE attack.

Publish Date: 2017-09-20

URL: CVE-2017-12611

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: https://cwiki.apache.org/confluence/display/WW/S2-053

Release Date: 2017-09-20

Fix Resolution: org.apache.struts:struts2-core:2.3.34;org.apache.struts:struts2-core:2.5.12

CVE-2021-3777 (High) detected in tmpl-1.0.4.tgz - autoclosed

CVE-2021-3777 - High Severity Vulnerability

Vulnerable Library - tmpl-1.0.4.tgz

JavaScript micro templates.

Library home page: https://registry.npmjs.org/tmpl/-/tmpl-1.0.4.tgz

Dependency Hierarchy:

  • @zgriesinger/cdk-file:tools/cdk.tgz (Root Library)
    • jest-26.6.0.tgz
      • core-26.6.3.tgz
        • jest-haste-map-26.6.2.tgz
          • walker-1.0.7.tgz
            • makeerror-1.0.11.tgz
              • tmpl-1.0.4.tgz (Vulnerable Library)

Found in HEAD commit: f33fc38971ee16d2783308b8a2a7ed2d96c7ba62

Found in base branch: main

Vulnerability Details

nodejs-tmpl is vulnerable to Inefficient Regular Expression Complexity

Publish Date: 2021-09-15

URL: CVE-2021-3777

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: https://github.com/daaku/nodejs-tmpl/releases/tag/v1.0.5

Release Date: 2021-09-15

Fix Resolution: tmpl - 1.0.5

@zgriesinger/service-a-file:api/service-a.tgz: 4 vulnerabilities (highest severity is: 7.5) - autoclosed

Vulnerable Library - @zgriesinger/service-a-file:api/service-a.tgz

Found in HEAD commit: 956be49b0759dd39c804ba93d224fdefca8cf6d8

Vulnerabilities

CVE Severity CVSS Dependency Type Fixed in Remediation Available
CVE-2021-3749 High 7.5 axios-0.21.1.tgz Transitive N/A
CVE-2022-0144 High 7.1 shelljs-0.8.4.tgz Transitive N/A
CVE-2022-0235 Medium 6.1 node-fetch-2.6.6.tgz Transitive N/A
CVE-2021-23566 Medium 5.5 nanoid-3.1.30.tgz Transitive N/A

Details

CVE-2021-3749

Vulnerable Library - axios-0.21.1.tgz

Promise based HTTP client for the browser and node.js

Library home page: https://registry.npmjs.org/axios/-/axios-0.21.1.tgz

Dependency Hierarchy:

  • @zgriesinger/service-a-file:api/service-a.tgz (Root Library)
    • nestjs-dynamodb-0.1.0.tgz
      • common-7.6.18.tgz
        • axios-0.21.1.tgz (Vulnerable Library)

Found in HEAD commit: 956be49b0759dd39c804ba93d224fdefca8cf6d8

Found in base branch: main

Vulnerability Details

axios is vulnerable to Inefficient Regular Expression Complexity

Publish Date: 2021-08-31

URL: CVE-2021-3749

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: https://github.com/axios/axios/releases/tag/v0.21.2

Release Date: 2021-08-31

Fix Resolution: axios - 0.21.2

CVE-2022-0144

Vulnerable Library - shelljs-0.8.4.tgz

Portable Unix shell commands for Node.js

Library home page: https://registry.npmjs.org/shelljs/-/shelljs-0.8.4.tgz

Dependency Hierarchy:

  • @zgriesinger/service-a-file:api/service-a.tgz (Root Library)
    • cli-8.1.5.tgz
      • shelljs-0.8.4.tgz (Vulnerable Library)

Found in HEAD commit: 956be49b0759dd39c804ba93d224fdefca8cf6d8

Found in base branch: main

Vulnerability Details

shelljs is vulnerable to Improper Privilege Management

Publish Date: 2022-01-11

URL: CVE-2022-0144

CVSS 3 Score Details (7.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: shelljs/shelljs@d919d22

Release Date: 2022-01-11

Fix Resolution: shelljs - 0.8.5

CVE-2022-0235

Vulnerable Library - node-fetch-2.6.6.tgz

A light-weight module that brings window.fetch to node.js

Library home page: https://registry.npmjs.org/node-fetch/-/node-fetch-2.6.6.tgz

Dependency Hierarchy:

  • @zgriesinger/service-a-file:api/service-a.tgz (Root Library)
    • core-8.2.3.tgz
      • opencollective-0.3.2.tgz
        • node-fetch-2.6.6.tgz (Vulnerable Library)

Found in HEAD commit: 956be49b0759dd39c804ba93d224fdefca8cf6d8

Found in base branch: main

Vulnerability Details

node-fetch is vulnerable to Exposure of Sensitive Information to an Unauthorized Actor

Publish Date: 2022-01-16

URL: CVE-2022-0235

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None


Suggested Fix

Type: Upgrade version

Origin: GHSA-r683-j2x4-v87g

Release Date: 2022-01-16

Fix Resolution: node-fetch - 2.6.7,3.1.1

CVE-2021-23566

Vulnerable Library - nanoid-3.1.30.tgz

A tiny (130 bytes), secure URL-friendly unique string ID generator

Library home page: https://registry.npmjs.org/nanoid/-/nanoid-3.1.30.tgz

Dependency Hierarchy:

  • @zgriesinger/service-a-file:api/service-a.tgz (Root Library)
    • nanoid-3.1.30.tgz (Vulnerable Library)

Found in HEAD commit: 956be49b0759dd39c804ba93d224fdefca8cf6d8

Found in base branch: main

Vulnerability Details

The package nanoid from 3.0.0 and before 3.1.31 is vulnerable to Information Exposure via the valueOf() function, which allows the last generated id to be reproduced.

Publish Date: 2022-01-14

URL: CVE-2021-23566

CVSS 3 Score Details (5.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None


Suggested Fix

Type: Upgrade version

Origin: ai/nanoid#328

Release Date: 2022-01-14

Fix Resolution: nanoid - 3.1.31

CVE-2021-37137 (High) detected in netty-codec-4.1.39.Final.jar - autoclosed

CVE-2021-37137 - High Severity Vulnerability

Vulnerable Library - netty-codec-4.1.39.Final.jar

Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers and clients.

Library home page: https://netty.io/

Path to dependency file: /build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/io.netty/netty-codec/4.1.39.Final/38b9d79e31f6b00bd680f88c0289a2522d30d05b/netty-codec-4.1.39.Final.jar

Dependency Hierarchy:

  • netty-codec-http-4.1.39.Final.jar (Root Library)
    • netty-codec-4.1.39.Final.jar (Vulnerable Library)

Found in HEAD commit: d74adcb0970dfc5e766162c760da662aada1def1

Found in base branch: main

Vulnerability Details

The Snappy frame decoder function doesn't restrict the chunk length, which may lead to excessive memory usage. Besides this, it also may buffer reserved skippable chunks until the whole chunk has been received, which may lead to excessive memory usage as well. This vulnerability can be triggered by supplying malicious input that decompresses to a very big size (via a network stream or a file) or by sending a huge skippable chunk.

Publish Date: 2021-10-19

URL: CVE-2021-37137

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: GHSA-9vjp-v76f-g363

Release Date: 2021-10-19

Fix Resolution: io.netty:netty-codec:4.1.68.Final;io.netty:netty-all:4.1.68.Final

CVE-2022-0536 (Medium) detected in follow-redirects-1.14.6.tgz, follow-redirects-1.14.5.tgz - autoclosed

CVE-2022-0536 - Medium Severity Vulnerability

Vulnerable Libraries - follow-redirects-1.14.6.tgz, follow-redirects-1.14.5.tgz

follow-redirects-1.14.6.tgz

HTTP and HTTPS modules that follow redirects.

Library home page: https://registry.npmjs.org/follow-redirects/-/follow-redirects-1.14.6.tgz

Dependency Hierarchy:

  • @zgriesinger/cdk-file:tools/cdk.tgz (Root Library)
    • cdk8s-1.3.0.tgz
      • follow-redirects-1.14.6.tgz (Vulnerable Library)

follow-redirects-1.14.5.tgz

HTTP and HTTPS modules that follow redirects.

Library home page: https://registry.npmjs.org/follow-redirects/-/follow-redirects-1.14.5.tgz

Dependency Hierarchy:

  • @zgriesinger/logger-file:packages/backend/logger.tgz (Root Library)
    • common-8.2.3.tgz
      • axios-0.24.0.tgz
        • follow-redirects-1.14.5.tgz (Vulnerable Library)

Found in HEAD commit: f33fc38971ee16d2783308b8a2a7ed2d96c7ba62

Found in base branch: main

Vulnerability Details

Exposure of Sensitive Information to an Unauthorized Actor in NPM follow-redirects prior to 1.14.8.

Publish Date: 2022-02-09

URL: CVE-2022-0536

CVSS 3 Score Details (5.9)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None


Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0536

Release Date: 2022-02-09

Fix Resolution: follow-redirects - 1.14.8

CVE-2021-23555 (High) detected in vm2-3.9.5.tgz - autoclosed

CVE-2021-23555 - High Severity Vulnerability

Vulnerable Library - vm2-3.9.5.tgz

vm2 is a sandbox that can run untrusted code with whitelisted Node's built-in modules. Securely!

Library home page: https://registry.npmjs.org/vm2/-/vm2-3.9.5.tgz

Dependency Hierarchy:

  • @zgriesinger/cdk-file:tools/cdk.tgz (Root Library)
    • aws-cdk-1.136.0.tgz
      • proxy-agent-5.0.0.tgz
        • pac-proxy-agent-5.0.0.tgz
          • pac-resolver-5.0.0.tgz
            • degenerator-3.0.1.tgz
              • vm2-3.9.5.tgz (Vulnerable Library)

Found in HEAD commit: f33fc38971ee16d2783308b8a2a7ed2d96c7ba62

Found in base branch: main

Vulnerability Details

The package vm2 before 3.9.6 is vulnerable to Sandbox Bypass via direct access to host error objects generated by node internals during generation of a stacktrace, which can lead to execution of arbitrary code on the host machine.

Publish Date: 2022-02-11

URL: CVE-2021-23555

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23555

Release Date: 2022-02-11

Fix Resolution: vm2 - 3.9.6

CVE-2022-21721 (High) detected in next-12.0.7.tgz - autoclosed

CVE-2022-21721 - High Severity Vulnerability

Vulnerable Library - next-12.0.7.tgz

The React Framework

Library home page: https://registry.npmjs.org/next/-/next-12.0.7.tgz

Dependency Hierarchy:

  • @zgriesinger/static-file:frontend/static.tgz (Root Library)
    • next-12.0.7.tgz (Vulnerable Library)

Found in HEAD commit: f33fc38971ee16d2783308b8a2a7ed2d96c7ba62

Found in base branch: main

Vulnerability Details

Next.js is a React framework. Starting with version 12.0.0 and prior to version 12.0.9, vulnerable code could allow a bad actor to trigger a denial of service attack for anyone using i18n functionality. In order to be affected by this CVE, one must use next start or a custom server and the built-in i18n support. Deployments on Vercel, along with similar environments where invalid requests are filtered before reaching Next.js, are not affected. A patch has been released, next@12.0.9, that mitigates this issue. As a workaround, one may ensure /${locale}/_next/ is blocked from reaching the Next.js instance until it becomes feasible to upgrade.

Publish Date: 2022-01-28

URL: CVE-2022-21721

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: GHSA-wr66-vrwm-5g5x

Release Date: 2022-01-28

Fix Resolution: next - 12.0.9

CVE-2013-4310 (Medium) detected in struts2-core-2.0.5.jar - autoclosed

CVE-2013-4310 - Medium Severity Vulnerability

Vulnerable Library - struts2-core-2.0.5.jar

Apache Struts 2

Library home page: http://struts.apache.org/struts2

Path to dependency file: /build.gradle

Path to vulnerable library: /radle/caches/modules-2/files-2.1/org.apache.struts/struts2-core/2.0.5/72d3b106b74c629c8764230c3931e4a7f39524d3/struts2-core-2.0.5.jar

Dependency Hierarchy:

  • struts2-core-2.0.5.jar (Vulnerable Library)

Found in HEAD commit: d74adcb0970dfc5e766162c760da662aada1def1

Found in base branch: main

Vulnerability Details

Apache Struts 2.0.0 through 2.3.15.1 allows remote attackers to bypass access controls via a crafted action: prefix.

Publish Date: 2013-09-30

URL: CVE-2013-4310

CVSS 3 Score Details (4.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None


Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2013-4310

Release Date: 2013-09-30

Fix Resolution: org.apache.struts:struts2-core - 2.3.15.2;org.apache.struts:struts2-rest-plugin - 2.3.15.2

CVE-2019-17531 (High) detected in jackson-databind-2.7.9.jar - autoclosed

CVE-2019-17531 - High Severity Vulnerability

Vulnerable Library - jackson-databind-2.7.9.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /build.gradle

Path to vulnerable library: /radle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.7.9/a4c0b14c7dd85bdf4d25da074e90a10fa4b9b88b/jackson-databind-2.7.9.jar

Dependency Hierarchy:

  • jackson-databind-2.7.9.jar (Vulnerable Library)

Found in HEAD commit: d74adcb0970dfc5e766162c760da662aada1def1

Found in base branch: main

Vulnerability Details

A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the apache-log4j-extra (version 1.2.x) jar in the classpath, and an attacker can provide a JNDI service to access, it is possible to make the service execute a malicious payload.

Publish Date: 2019-10-12

URL: CVE-2019-17531

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17531

Release Date: 2019-10-12

Fix Resolution: 2.10


⛑️ Automatic Remediation is available for this issue

CVE-2019-14540 (High) detected in jackson-databind-2.7.9.jar - autoclosed

CVE-2019-14540 - High Severity Vulnerability

Vulnerable Library - jackson-databind-2.7.9.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /build.gradle

Path to vulnerable library: /radle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.7.9/a4c0b14c7dd85bdf4d25da074e90a10fa4b9b88b/jackson-databind-2.7.9.jar

Dependency Hierarchy:

  • jackson-databind-2.7.9.jar (Vulnerable Library)

Found in HEAD commit: d74adcb0970dfc5e766162c760da662aada1def1

Found in base branch: main

Vulnerability Details

A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10. It is related to com.zaxxer.hikari.HikariConfig.

Publish Date: 2019-09-15

URL: CVE-2019-14540

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None


Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14540

Release Date: 2019-09-15

Fix Resolution: com.fasterxml.jackson.core:jackson-databind:2.8.11.5,2.9.10,2.10.0.pr3,2.11.0.rc1


⛑️ Automatic Remediation is available for this issue

CVE-2016-3081 (High) detected in struts2-core-2.0.5.jar - autoclosed

CVE-2016-3081 - High Severity Vulnerability

Vulnerable Library - struts2-core-2.0.5.jar

Apache Struts 2

Library home page: http://struts.apache.org/struts2

Path to dependency file: /build.gradle

Path to vulnerable library: /radle/caches/modules-2/files-2.1/org.apache.struts/struts2-core/2.0.5/72d3b106b74c629c8764230c3931e4a7f39524d3/struts2-core-2.0.5.jar

Dependency Hierarchy:

  • struts2-core-2.0.5.jar (Vulnerable Library)

Found in HEAD commit: d74adcb0970dfc5e766162c760da662aada1def1

Found in base branch: main

Vulnerability Details

Apache Struts 2.3.19 to 2.3.20.2, 2.3.21 to 2.3.24.1, and 2.3.25 to 2.3.28, when Dynamic Method Invocation is enabled, allow remote attackers to execute arbitrary code via method: prefix, related to chained expressions.

Publish Date: 2016-04-26

URL: CVE-2016-3081

CVSS 3 Score Details (8.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: https://github.com/apache/struts/tree/STRUTS_2_3_28_1/

Release Date: 2016-04-26

Fix Resolution: org.apache.struts:struts2-core:2.3.20.3,org.apache.struts:struts2-core:2.3.24.3,org.apache.struts:struts2-core: 2.3.28.1


⛑️ Automatic Remediation is available for this issue

CVE-2021-33587 (High) detected in css-what-3.4.2.tgz - autoclosed

CVE-2021-33587 - High Severity Vulnerability

Vulnerable Library - css-what-3.4.2.tgz

a CSS selector parser

Library home page: https://registry.npmjs.org/css-what/-/css-what-3.4.2.tgz

Dependency Hierarchy:

  • @zgriesinger/single-page-app-file:frontend/single-page-app.tgz (Root Library)
    • react-scripts-5.0.0.tgz
      • webpack-5.5.0.tgz
        • plugin-svgo-5.5.0.tgz
          • svgo-1.3.2.tgz
            • css-select-2.1.0.tgz
              • css-what-3.4.2.tgz (Vulnerable Library)

Found in HEAD commit: f33fc38971ee16d2783308b8a2a7ed2d96c7ba62

Found in base branch: main

Vulnerability Details

The css-what package 4.0.0 through 5.0.0 for Node.js does not ensure that attribute parsing has Linear Time Complexity relative to the size of the input.

Publish Date: 2021-05-28

URL: CVE-2021-33587

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33587

Release Date: 2021-05-28

Fix Resolution: css-what - 5.0.1

CVE-2022-0155 (Medium) detected in follow-redirects-1.14.6.tgz, follow-redirects-1.14.5.tgz - autoclosed

CVE-2022-0155 - Medium Severity Vulnerability

Vulnerable Libraries - follow-redirects-1.14.6.tgz, follow-redirects-1.14.5.tgz

follow-redirects-1.14.6.tgz

HTTP and HTTPS modules that follow redirects.

Library home page: https://registry.npmjs.org/follow-redirects/-/follow-redirects-1.14.6.tgz

Dependency Hierarchy:

  • @zgriesinger/cdk-file:tools/cdk.tgz (Root Library)
    • cdk8s-1.3.0.tgz
      • follow-redirects-1.14.6.tgz (Vulnerable Library)

follow-redirects-1.14.5.tgz

HTTP and HTTPS modules that follow redirects.

Library home page: https://registry.npmjs.org/follow-redirects/-/follow-redirects-1.14.5.tgz

Dependency Hierarchy:

  • @zgriesinger/logger-file:packages/backend/logger.tgz (Root Library)
    • common-8.2.3.tgz
      • axios-0.24.0.tgz
        • follow-redirects-1.14.5.tgz (Vulnerable Library)

Found in HEAD commit: f33fc38971ee16d2783308b8a2a7ed2d96c7ba62

Found in base branch: main

Vulnerability Details

follow-redirects is vulnerable to Exposure of Private Personal Information to an Unauthorized Actor

Publish Date: 2022-01-10

URL: CVE-2022-0155

CVSS 3 Score Details (6.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None


Suggested Fix

Type: Upgrade version

Origin: https://huntr.dev/bounties/fc524e4b-ebb6-427d-ab67-a64181020406/

Release Date: 2022-01-10

Fix Resolution: follow-redirects - v1.14.7

CVE-2016-3082 (High) detected in struts2-core-2.0.5.jar - autoclosed

CVE-2016-3082 - High Severity Vulnerability

Vulnerable Library - struts2-core-2.0.5.jar

Apache Struts 2

Library home page: http://struts.apache.org/struts2

Path to dependency file: /build.gradle

Path to vulnerable library: /radle/caches/modules-2/files-2.1/org.apache.struts/struts2-core/2.0.5/72d3b106b74c629c8764230c3931e4a7f39524d3/struts2-core-2.0.5.jar

Dependency Hierarchy:

  • struts2-core-2.0.5.jar (Vulnerable Library)

Found in HEAD commit: d74adcb0970dfc5e766162c760da662aada1def1

Found in base branch: main

Vulnerability Details

XSLTResult in Apache Struts 2.x before 2.3.20.2, 2.3.24.x before 2.3.24.2, and 2.3.28.x before 2.3.28.1 allows remote attackers to execute arbitrary code via the stylesheet location parameter.

Publish Date: 2016-04-26

URL: CVE-2016-3082

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: https://github.com/apache/struts/tree/STRUTS_2_3_28_1/

Release Date: 2016-04-26

Fix Resolution: org.apache.struts:struts2-core:2.3.20.3,org.apache.struts:struts2-core:2.3.24.3,org.apache.struts:struts2-core: 2.3.28.1


⛑️ Automatic Remediation is available for this issue

@zgriesinger/static-file:frontend/static.tgz: 3 vulnerabilities (highest severity is: 7.5) - autoclosed

Vulnerable Library - @zgriesinger/static-file:frontend/static.tgz

Found in HEAD commit: 956be49b0759dd39c804ba93d224fdefca8cf6d8

Vulnerabilities

CVE Severity CVSS Dependency Type Fixed in Remediation Available
CVE-2022-23646 High 7.5 next-12.0.7.tgz Transitive N/A
CVE-2022-21721 High 7.5 next-12.0.7.tgz Transitive N/A
CVE-2022-0235 Medium 6.1 node-fetch-2.6.1.tgz Transitive N/A

Details

CVE-2022-23646

Vulnerable Library - next-12.0.7.tgz

The React Framework

Library home page: https://registry.npmjs.org/next/-/next-12.0.7.tgz

Dependency Hierarchy:

  • @zgriesinger/static-file:frontend/static.tgz (Root Library)
    • next-12.0.7.tgz (Vulnerable Library)

Found in HEAD commit: 956be49b0759dd39c804ba93d224fdefca8cf6d8

Found in base branch: main

Vulnerability Details

Next.js is a React framework. Starting with version 10.0.0 and prior to version 12.1.0, Next.js is vulnerable to User Interface (UI) Misrepresentation of Critical Information. In order to be affected, the next.config.js file must have an images.domains array assigned and the image host assigned in images.domains must allow user-provided SVG. If the next.config.js file has images.loader assigned to something other than default, the instance is not affected. Version 12.1.0 contains a patch for this issue. As a workaround, change next.config.js to use a different loader configuration other than the default.

Publish Date: 2022-02-17

URL: CVE-2022-23646

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: High
    • Availability Impact: None


Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23646

Release Date: 2022-02-17

Fix Resolution: next - 12.1.0

CVE-2022-21721

Vulnerable Library - next-12.0.7.tgz

The React Framework

Library home page: https://registry.npmjs.org/next/-/next-12.0.7.tgz

Dependency Hierarchy:

  • @zgriesinger/static-file:frontend/static.tgz (Root Library)
    • next-12.0.7.tgz (Vulnerable Library)

Found in HEAD commit: 956be49b0759dd39c804ba93d224fdefca8cf6d8

Found in base branch: main

Vulnerability Details

Next.js is a React framework. Starting with version 12.0.0 and prior to version 12.0.9, vulnerable code could allow a bad actor to trigger a denial of service attack for anyone using i18n functionality. In order to be affected by this CVE, one must use next start or a custom server and the built-in i18n support. Deployments on Vercel, along with similar environments where invalid requests are filtered before reaching Next.js, are not affected. A patch has been released, next@12.0.9, that mitigates this issue. As a workaround, one may ensure /${locale}/_next/ is blocked from reaching the Next.js instance until it becomes feasible to upgrade.

Publish Date: 2022-01-28

URL: CVE-2022-21721

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: GHSA-wr66-vrwm-5g5x

Release Date: 2022-01-28

Fix Resolution: next - 12.0.9

CVE-2022-0235

Vulnerable Library - node-fetch-2.6.1.tgz

A light-weight module that brings window.fetch to node.js

Library home page: https://registry.npmjs.org/node-fetch/-/node-fetch-2.6.1.tgz

Dependency Hierarchy:

  • @zgriesinger/static-file:frontend/static.tgz (Root Library)
    • next-12.0.7.tgz
      • node-fetch-2.6.1.tgz (Vulnerable Library)

Found in HEAD commit: 956be49b0759dd39c804ba93d224fdefca8cf6d8

Found in base branch: main

Vulnerability Details

node-fetch is vulnerable to Exposure of Sensitive Information to an Unauthorized Actor

Publish Date: 2022-01-16

URL: CVE-2022-0235

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None


Suggested Fix

Type: Upgrade version

Origin: GHSA-r683-j2x4-v87g

Release Date: 2022-01-16

Fix Resolution: node-fetch - 2.6.7,3.1.1

CVE-2017-1000487 (High) detected in plexus-utils-2.0.3.jar - autoclosed

CVE-2017-1000487 - High Severity Vulnerability

Vulnerable Library - plexus-utils-2.0.3.jar

A collection of various utility classes to ease working with strings, files, command lines, XML and more.

Path to dependency file: /build.gradle

Path to vulnerable library: /radle/caches/modules-2/files-2.1/org.codehaus.plexus/plexus-utils/2.0.3/df24cc90fc59f7200f3a1d15c80febb736db9e23/plexus-utils-2.0.3.jar

Dependency Hierarchy:

  • plexus-utils-2.0.3.jar (Vulnerable Library)

Found in HEAD commit: d74adcb0970dfc5e766162c760da662aada1def1

Found in base branch: main

Vulnerability Details

Plexus-utils before 3.0.16 is vulnerable to command injection because it does not correctly process the contents of double quoted strings.

Publish Date: 2018-01-03

URL: CVE-2017-1000487

CVSS 3 Score Details (7.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2017-1000487

Release Date: 2018-01-03

Fix Resolution: 3.0.16


⛑️ Automatic Remediation is available for this issue

@zgriesinger/static-file:frontend/static.tgz: 3 vulnerabilities (highest severity is: 7.5) - autoclosed

Vulnerable Library - @zgriesinger/static-file:frontend/static.tgz

Found in HEAD commit: 7bab102b4b6f2202c714bb8496b7c31d379d06ea

Vulnerabilities

CVE Severity CVSS Dependency Type Fixed in Remediation Available
CVE-2022-23646 High 7.5 next-12.0.7.tgz Transitive N/A
CVE-2022-21721 High 7.5 next-12.0.7.tgz Transitive N/A
CVE-2022-0235 Medium 6.1 node-fetch-2.6.1.tgz Transitive N/A

Details

CVE-2022-23646

Vulnerable Library - next-12.0.7.tgz

The React Framework

Library home page: https://registry.npmjs.org/next/-/next-12.0.7.tgz

Dependency Hierarchy:

  • @zgriesinger/static-file:frontend/static.tgz (Root Library)
    • next-12.0.7.tgz (Vulnerable Library)

Found in HEAD commit: 7bab102b4b6f2202c714bb8496b7c31d379d06ea

Found in base branch: main

Vulnerability Details

Next.js is a React framework. Starting with version 10.0.0 and prior to version 12.1.0, Next.js is vulnerable to User Interface (UI) Misrepresentation of Critical Information. In order to be affected, the next.config.js file must have an images.domains array assigned and the image host assigned in images.domains must allow user-provided SVG. If the next.config.js file has images.loader assigned to something other than default, the instance is not affected. Version 12.1.0 contains a patch for this issue. As a workaround, change next.config.js to use a different loader configuration other than the default.

Publish Date: 2022-02-17

URL: CVE-2022-23646

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: High
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23646

Release Date: 2022-02-17

Fix Resolution: next - 12.1.0

CVE-2022-21721

Vulnerable Library - next-12.0.7.tgz

The React Framework

Library home page: https://registry.npmjs.org/next/-/next-12.0.7.tgz

Dependency Hierarchy:

  • @zgriesinger/static-file:frontend/static.tgz (Root Library)
    • next-12.0.7.tgz (Vulnerable Library)

Found in HEAD commit: 7bab102b4b6f2202c714bb8496b7c31d379d06ea

Found in base branch: main

Vulnerability Details

Next.js is a React framework. Starting with version 12.0.0 and prior to version 12.0.9, vulnerable code could allow a bad actor to trigger a denial of service attack for anyone using i18n functionality. In order to be affected by this CVE, one must use next start or a custom server and the built-in i18n support. Deployments on Vercel, along with similar environments where invalid requests are filtered before reaching Next.js, are not affected. A patch has been released, next@12.0.9, that mitigates this issue. As a workaround, one may ensure /${locale}/_next/ is blocked from reaching the Next.js instance until it becomes feasible to upgrade.

Publish Date: 2022-01-28

URL: CVE-2022-21721

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-wr66-vrwm-5g5x

Release Date: 2022-01-28

Fix Resolution: next - 12.0.9

CVE-2022-0235

Vulnerable Library - node-fetch-2.6.1.tgz

A light-weight module that brings window.fetch to node.js

Library home page: https://registry.npmjs.org/node-fetch/-/node-fetch-2.6.1.tgz

Dependency Hierarchy:

  • @zgriesinger/static-file:frontend/static.tgz (Root Library)
    • next-12.0.7.tgz
      • node-fetch-2.6.1.tgz (Vulnerable Library)

Found in HEAD commit: 7bab102b4b6f2202c714bb8496b7c31d379d06ea

Found in base branch: main

Vulnerability Details

node-fetch is vulnerable to Exposure of Sensitive Information to an Unauthorized Actor

Publish Date: 2022-01-16

URL: CVE-2022-0235

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: GHSA-r683-j2x4-v87g

Release Date: 2022-01-16

Fix Resolution: node-fetch - 2.6.7,3.1.1

CVE-2021-37136 (High) detected in netty-codec-4.1.39.Final.jar - autoclosed

CVE-2021-37136 - High Severity Vulnerability

Vulnerable Library - netty-codec-4.1.39.Final.jar

Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers and clients.

Library home page: https://netty.io/

Path to dependency file: /build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/io.netty/netty-codec/4.1.39.Final/38b9d79e31f6b00bd680f88c0289a2522d30d05b/netty-codec-4.1.39.Final.jar

Dependency Hierarchy:

  • netty-codec-http-4.1.39.Final.jar (Root Library)
    • netty-codec-4.1.39.Final.jar (Vulnerable Library)

Found in HEAD commit: d74adcb0970dfc5e766162c760da662aada1def1

Found in base branch: main

Vulnerability Details

The Bzip2 decompression decoder function doesn't allow setting size restrictions on the decompressed output data (which affects the allocation size used during decompression). All users of Bzip2Decoder are affected. Malicious input can trigger an OOME and so a DoS attack.

Publish Date: 2021-10-19

URL: CVE-2021-37136

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-grg4-wf29-r9vv

Release Date: 2021-10-19

Fix Resolution: io.netty:netty-codec:4.1.68.Final;io.netty:netty-all::4.1.68.Final

@zgriesinger/logger-file:packages/backend/logger.tgz: 2 vulnerabilities (highest severity is: 6.5) - autoclosed

Vulnerable Library - @zgriesinger/logger-file:packages/backend/logger.tgz

Found in HEAD commit: 956be49b0759dd39c804ba93d224fdefca8cf6d8

Vulnerabilities

CVE Severity CVSS Dependency Type Fixed in Remediation Available
CVE-2022-0155 Medium 6.5 follow-redirects-1.14.5.tgz Transitive N/A
CVE-2022-0536 Medium 5.9 follow-redirects-1.14.5.tgz Transitive N/A

Details

CVE-2022-0155

Vulnerable Library - follow-redirects-1.14.5.tgz

HTTP and HTTPS modules that follow redirects.

Library home page: https://registry.npmjs.org/follow-redirects/-/follow-redirects-1.14.5.tgz

Dependency Hierarchy:

  • @zgriesinger/logger-file:packages/backend/logger.tgz (Root Library)
    • common-8.2.3.tgz
      • axios-0.24.0.tgz
        • follow-redirects-1.14.5.tgz (Vulnerable Library)

Found in HEAD commit: 956be49b0759dd39c804ba93d224fdefca8cf6d8

Found in base branch: main

Vulnerability Details

follow-redirects is vulnerable to Exposure of Private Personal Information to an Unauthorized Actor

Publish Date: 2022-01-10

URL: CVE-2022-0155

CVSS 3 Score Details (6.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://huntr.dev/bounties/fc524e4b-ebb6-427d-ab67-a64181020406/

Release Date: 2022-01-10

Fix Resolution: follow-redirects - v1.14.7

CVE-2022-0536

Vulnerable Library - follow-redirects-1.14.5.tgz

HTTP and HTTPS modules that follow redirects.

Library home page: https://registry.npmjs.org/follow-redirects/-/follow-redirects-1.14.5.tgz

Dependency Hierarchy:

  • @zgriesinger/logger-file:packages/backend/logger.tgz (Root Library)
    • common-8.2.3.tgz
      • axios-0.24.0.tgz
        • follow-redirects-1.14.5.tgz (Vulnerable Library)

Found in HEAD commit: 956be49b0759dd39c804ba93d224fdefca8cf6d8

Found in base branch: main

Vulnerability Details

Exposure of Sensitive Information to an Unauthorized Actor in NPM follow-redirects prior to 1.14.8.

Publish Date: 2022-02-09

URL: CVE-2022-0536

CVSS 3 Score Details (5.9)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0536

Release Date: 2022-02-09

Fix Resolution: follow-redirects - 1.14.8

WS-2018-0124 (Medium) detected in jackson-core-2.7.9.jar - autoclosed

WS-2018-0124 - Medium Severity Vulnerability

Vulnerable Library - jackson-core-2.7.9.jar

Core Jackson abstractions, basic JSON streaming API implementation

Library home page: https://github.com/FasterXML/jackson-core

Path to dependency file: /build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-core/2.7.9/9b530cec4fd2eb841ab8e79f19fc7cf0ec487b2/jackson-core-2.7.9.jar

Dependency Hierarchy:

  • jackson-databind-2.7.9.jar (Root Library)
    • jackson-core-2.7.9.jar (Vulnerable Library)

Found in HEAD commit: d74adcb0970dfc5e766162c760da662aada1def1

Found in base branch: main

Vulnerability Details

In Jackson Core before version 2.8.6, if the REST endpoint consumes POST requests with JSON or XML data and the data are invalid, the first unrecognized token is printed to server.log. If the first token is a word of length 10MB, the whole word is printed. This is potentially dangerous and can be used to attack the server by filling the disk with logs.

Publish Date: 2018-06-24

URL: WS-2018-0124

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=WS-2018-0124

Release Date: 2018-01-24

Fix Resolution: 2.8.6

@zgriesinger/cdk-file:tools/cdk.tgz: 4 vulnerabilities (highest severity is: 9.8) - autoclosed

Vulnerable Library - @zgriesinger/cdk-file:tools/cdk.tgz

Found in HEAD commit: 956be49b0759dd39c804ba93d224fdefca8cf6d8

Vulnerabilities

CVE Severity CVSS Dependency Type Fixed in Remediation Available
CVE-2021-23555 High 9.8 vm2-3.9.5.tgz Transitive N/A
CVE-2021-3777 High 7.5 tmpl-1.0.4.tgz Transitive N/A
CVE-2022-0155 Medium 6.5 follow-redirects-1.14.6.tgz Transitive N/A
CVE-2022-0536 Medium 5.9 follow-redirects-1.14.6.tgz Transitive N/A

Details

CVE-2021-23555

Vulnerable Library - vm2-3.9.5.tgz

vm2 is a sandbox that can run untrusted code with whitelisted Node's built-in modules. Securely!

Library home page: https://registry.npmjs.org/vm2/-/vm2-3.9.5.tgz

Dependency Hierarchy:

  • @zgriesinger/cdk-file:tools/cdk.tgz (Root Library)
    • aws-cdk-1.136.0.tgz
      • proxy-agent-5.0.0.tgz
        • pac-proxy-agent-5.0.0.tgz
          • pac-resolver-5.0.0.tgz
            • degenerator-3.0.1.tgz
              • vm2-3.9.5.tgz (Vulnerable Library)

Found in HEAD commit: 956be49b0759dd39c804ba93d224fdefca8cf6d8

Found in base branch: main

Vulnerability Details

The package vm2 before 3.9.6 is vulnerable to Sandbox Bypass via direct access to host error objects generated by node internals during generation of stack traces, which can lead to execution of arbitrary code on the host machine.

Publish Date: 2022-02-11

URL: CVE-2021-23555

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23555

Release Date: 2022-02-11

Fix Resolution: vm2 - 3.9.6

CVE-2021-3777

Vulnerable Library - tmpl-1.0.4.tgz

JavaScript micro templates.

Library home page: https://registry.npmjs.org/tmpl/-/tmpl-1.0.4.tgz

Dependency Hierarchy:

  • @zgriesinger/cdk-file:tools/cdk.tgz (Root Library)
    • jest-26.6.0.tgz
      • core-26.6.3.tgz
        • jest-haste-map-26.6.2.tgz
          • walker-1.0.7.tgz
            • makeerror-1.0.11.tgz
              • tmpl-1.0.4.tgz (Vulnerable Library)

Found in HEAD commit: 956be49b0759dd39c804ba93d224fdefca8cf6d8

Found in base branch: main

Vulnerability Details

nodejs-tmpl is vulnerable to Inefficient Regular Expression Complexity

Publish Date: 2021-09-15

URL: CVE-2021-3777

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://github.com/daaku/nodejs-tmpl/releases/tag/v1.0.5

Release Date: 2021-09-15

Fix Resolution: tmpl - 1.0.5

CVE-2022-0155

Vulnerable Library - follow-redirects-1.14.6.tgz

HTTP and HTTPS modules that follow redirects.

Library home page: https://registry.npmjs.org/follow-redirects/-/follow-redirects-1.14.6.tgz

Dependency Hierarchy:

  • @zgriesinger/cdk-file:tools/cdk.tgz (Root Library)
    • cdk8s-1.3.0.tgz
      • follow-redirects-1.14.6.tgz (Vulnerable Library)

Found in HEAD commit: 956be49b0759dd39c804ba93d224fdefca8cf6d8

Found in base branch: main

Vulnerability Details

follow-redirects is vulnerable to Exposure of Private Personal Information to an Unauthorized Actor

Publish Date: 2022-01-10

URL: CVE-2022-0155

CVSS 3 Score Details (6.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://huntr.dev/bounties/fc524e4b-ebb6-427d-ab67-a64181020406/

Release Date: 2022-01-10

Fix Resolution: follow-redirects - v1.14.7

CVE-2022-0536

Vulnerable Library - follow-redirects-1.14.6.tgz

HTTP and HTTPS modules that follow redirects.

Library home page: https://registry.npmjs.org/follow-redirects/-/follow-redirects-1.14.6.tgz

Dependency Hierarchy:

  • @zgriesinger/cdk-file:tools/cdk.tgz (Root Library)
    • cdk8s-1.3.0.tgz
      • follow-redirects-1.14.6.tgz (Vulnerable Library)

Found in HEAD commit: 956be49b0759dd39c804ba93d224fdefca8cf6d8

Found in base branch: main

Vulnerability Details

Exposure of Sensitive Information to an Unauthorized Actor in NPM follow-redirects prior to 1.14.8.

Publish Date: 2022-02-09

URL: CVE-2022-0536

CVSS 3 Score Details (5.9)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0536

Release Date: 2022-02-09

Fix Resolution: follow-redirects - 1.14.8

CVE-2020-15168 (Medium) detected in node-fetch-1.7.3.tgz - autoclosed

CVE-2020-15168 - Medium Severity Vulnerability

Vulnerable Library - node-fetch-1.7.3.tgz

A light-weight module that brings window.fetch to node.js and io.js

Library home page: https://registry.npmjs.org/node-fetch/-/node-fetch-1.7.3.tgz

Dependency Hierarchy:

  • @zgriesinger/single-page-app-file:frontend/single-page-app.tgz (Root Library)
    • evergreen-ui-6.6.3.tgz
      • glamor-2.20.40.tgz
        • fbjs-0.8.18.tgz
          • isomorphic-fetch-2.2.1.tgz
            • node-fetch-1.7.3.tgz (Vulnerable Library)

Found in HEAD commit: f33fc38971ee16d2783308b8a2a7ed2d96c7ba62

Found in base branch: main

Vulnerability Details

node-fetch before versions 2.6.1 and 3.0.0-beta.9 did not honor the size option after following a redirect, which means that when a content size was over the limit, a FetchError would never get thrown and the process would end without failure. For most people, this fix will have little or no impact. However, if you are relying on node-fetch to gate files above a size, the impact could be significant, for example: if you don't double-check the size of the data after fetch() has completed, your JS thread could get tied up doing work on a large file (DoS) and/or cost you money in computing.

Publish Date: 2020-09-10

URL: CVE-2020-15168

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: GHSA-w7rc-rwvf-8q5r

Release Date: 2020-09-17

Fix Resolution: 2.6.1,3.0.0-beta.9

CVE-2022-23646 (High) detected in next-12.0.7.tgz - autoclosed

CVE-2022-23646 - High Severity Vulnerability

Vulnerable Library - next-12.0.7.tgz

The React Framework

Library home page: https://registry.npmjs.org/next/-/next-12.0.7.tgz

Dependency Hierarchy:

  • @zgriesinger/static-file:frontend/static.tgz (Root Library)
    • next-12.0.7.tgz (Vulnerable Library)

Found in HEAD commit: f33fc38971ee16d2783308b8a2a7ed2d96c7ba62

Found in base branch: main

Vulnerability Details

Next.js is a React framework. Starting with version 10.0.0 and prior to version 12.1.0, Next.js is vulnerable to User Interface (UI) Misrepresentation of Critical Information. In order to be affected, the next.config.js file must have an images.domains array assigned and the image host assigned in images.domains must allow user-provided SVG. If the next.config.js file has images.loader assigned to something other than default, the instance is not affected. Version 12.1.0 contains a patch for this issue. As a workaround, change next.config.js to use a different loader configuration other than the default.

Publish Date: 2022-02-17

URL: CVE-2022-23646

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: High
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23646

Release Date: 2022-02-17

Fix Resolution: next - 12.1.0

CVE-2013-2135 (High) detected in struts2-core-2.0.5.jar - autoclosed

CVE-2013-2135 - High Severity Vulnerability

Vulnerable Library - struts2-core-2.0.5.jar

Apache Struts 2

Library home page: http://struts.apache.org/struts2

Path to dependency file: /build.gradle

Path to vulnerable library: /radle/caches/modules-2/files-2.1/org.apache.struts/struts2-core/2.0.5/72d3b106b74c629c8764230c3931e4a7f39524d3/struts2-core-2.0.5.jar

Dependency Hierarchy:

  • struts2-core-2.0.5.jar (Vulnerable Library)

Found in HEAD commit: d74adcb0970dfc5e766162c760da662aada1def1

Found in base branch: main

Vulnerability Details

Apache Struts 2 before 2.3.14.3 allows remote attackers to execute arbitrary OGNL code via a request with a crafted value that contains both "${}" and "%{}" sequences, which causes the OGNL code to be evaluated twice.

Publish Date: 2013-07-16

URL: CVE-2013-2135

CVSS 2 Score Details (9.3)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2013-2135

Release Date: 2013-07-16

Fix Resolution: 2.3.14.3


⛑️ Automatic Remediation is available for this issue

CVE-2013-4316 (High) detected in struts2-core-2.0.5.jar - autoclosed

CVE-2013-4316 - High Severity Vulnerability

Vulnerable Library - struts2-core-2.0.5.jar

Apache Struts 2

Library home page: http://struts.apache.org/struts2

Path to dependency file: /build.gradle

Path to vulnerable library: /radle/caches/modules-2/files-2.1/org.apache.struts/struts2-core/2.0.5/72d3b106b74c629c8764230c3931e4a7f39524d3/struts2-core-2.0.5.jar

Dependency Hierarchy:

  • struts2-core-2.0.5.jar (Vulnerable Library)

Found in HEAD commit: d74adcb0970dfc5e766162c760da662aada1def1

Found in base branch: main

Vulnerability Details

Apache Struts 2.0.0 through 2.3.15.1 enables Dynamic Method Invocation by default, which has unknown impact and attack vectors.

Publish Date: 2013-09-30

URL: CVE-2013-4316

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2013-4316

Release Date: 2013-09-30

Fix Resolution: org.apache.struts:struts2-core - 2.3.15.2


⛑️ Automatic Remediation is available for this issue

@zgriesinger/cdk-file:tools/cdk.tgz: 4 vulnerabilities (highest severity is: 9.8) - autoclosed

Vulnerable Library - @zgriesinger/cdk-file:tools/cdk.tgz

Found in HEAD commit: 7bab102b4b6f2202c714bb8496b7c31d379d06ea

Vulnerabilities

CVE Severity CVSS Dependency Type Fixed in Remediation Available
CVE-2021-23555 High 9.8 vm2-3.9.5.tgz Transitive N/A
CVE-2021-3777 High 7.5 tmpl-1.0.4.tgz Transitive N/A
CVE-2022-0155 Medium 6.5 follow-redirects-1.14.6.tgz Transitive N/A
CVE-2022-0536 Medium 5.9 follow-redirects-1.14.6.tgz Transitive N/A

Details

CVE-2021-23555

Vulnerable Library - vm2-3.9.5.tgz

vm2 is a sandbox that can run untrusted code with whitelisted Node's built-in modules. Securely!

Library home page: https://registry.npmjs.org/vm2/-/vm2-3.9.5.tgz

Dependency Hierarchy:

  • @zgriesinger/cdk-file:tools/cdk.tgz (Root Library)
    • aws-cdk-1.136.0.tgz
      • proxy-agent-5.0.0.tgz
        • pac-proxy-agent-5.0.0.tgz
          • pac-resolver-5.0.0.tgz
            • degenerator-3.0.1.tgz
              • vm2-3.9.5.tgz (Vulnerable Library)

Found in HEAD commit: 7bab102b4b6f2202c714bb8496b7c31d379d06ea

Found in base branch: main

Vulnerability Details

The package vm2 before 3.9.6 is vulnerable to Sandbox Bypass via direct access to host error objects generated by node internals during generation of stack traces, which can lead to execution of arbitrary code on the host machine.

Publish Date: 2022-02-11

URL: CVE-2021-23555

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23555

Release Date: 2022-02-11

Fix Resolution: vm2 - 3.9.6

CVE-2021-3777

Vulnerable Library - tmpl-1.0.4.tgz

JavaScript micro templates.

Library home page: https://registry.npmjs.org/tmpl/-/tmpl-1.0.4.tgz

Dependency Hierarchy:

  • @zgriesinger/cdk-file:tools/cdk.tgz (Root Library)
    • jest-26.6.0.tgz
      • core-26.6.3.tgz
        • jest-haste-map-26.6.2.tgz
          • walker-1.0.7.tgz
            • makeerror-1.0.11.tgz
              • tmpl-1.0.4.tgz (Vulnerable Library)

Found in HEAD commit: 7bab102b4b6f2202c714bb8496b7c31d379d06ea

Found in base branch: main

Vulnerability Details

nodejs-tmpl is vulnerable to Inefficient Regular Expression Complexity

Publish Date: 2021-09-15

URL: CVE-2021-3777

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://github.com/daaku/nodejs-tmpl/releases/tag/v1.0.5

Release Date: 2021-09-15

Fix Resolution: tmpl - 1.0.5

CVE-2022-0155

Vulnerable Library - follow-redirects-1.14.6.tgz

HTTP and HTTPS modules that follow redirects.

Library home page: https://registry.npmjs.org/follow-redirects/-/follow-redirects-1.14.6.tgz

Dependency Hierarchy:

  • @zgriesinger/cdk-file:tools/cdk.tgz (Root Library)
    • cdk8s-1.3.0.tgz
      • follow-redirects-1.14.6.tgz (Vulnerable Library)

Found in HEAD commit: 7bab102b4b6f2202c714bb8496b7c31d379d06ea

Found in base branch: main

Vulnerability Details

follow-redirects is vulnerable to Exposure of Private Personal Information to an Unauthorized Actor

Publish Date: 2022-01-10

URL: CVE-2022-0155

CVSS 3 Score Details (6.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://huntr.dev/bounties/fc524e4b-ebb6-427d-ab67-a64181020406/

Release Date: 2022-01-10

Fix Resolution: follow-redirects - v1.14.7

CVE-2022-0536

Vulnerable Library - follow-redirects-1.14.6.tgz

HTTP and HTTPS modules that follow redirects.

Library home page: https://registry.npmjs.org/follow-redirects/-/follow-redirects-1.14.6.tgz

Dependency Hierarchy:

  • @zgriesinger/cdk-file:tools/cdk.tgz (Root Library)
    • cdk8s-1.3.0.tgz
      • follow-redirects-1.14.6.tgz (Vulnerable Library)

Found in HEAD commit: 7bab102b4b6f2202c714bb8496b7c31d379d06ea

Found in base branch: main

Vulnerability Details

Exposure of Sensitive Information to an Unauthorized Actor in NPM follow-redirects prior to 1.14.8.

Publish Date: 2022-02-09

URL: CVE-2022-0536

CVSS 3 Score Details (5.9)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0536

Release Date: 2022-02-09

Fix Resolution: follow-redirects - 1.14.8

CVE-2022-0144 (High) detected in shelljs-0.8.4.tgz - autoclosed

CVE-2022-0144 - High Severity Vulnerability

Vulnerable Library - shelljs-0.8.4.tgz

Portable Unix shell commands for Node.js

Library home page: https://registry.npmjs.org/shelljs/-/shelljs-0.8.4.tgz

Dependency Hierarchy:

  • @zgriesinger/service-a-file:api/service-a.tgz (Root Library)
    • cli-8.1.5.tgz
      • shelljs-0.8.4.tgz (Vulnerable Library)

Found in HEAD commit: f33fc38971ee16d2783308b8a2a7ed2d96c7ba62

Found in base branch: main

Vulnerability Details

shelljs is vulnerable to Improper Privilege Management

Publish Date: 2022-01-11

URL: CVE-2022-0144

CVSS 3 Score Details (7.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: shelljs/shelljs@d919d22

Release Date: 2022-01-11

Fix Resolution: shelljs - 0.8.5

Dependency Dashboard

This issue provides visibility into Renovate updates and their statuses.

Rate Limited

These updates are currently rate limited.

  • Update dependency @types/react to v17.0.39
  • Update dependency @types/react-dom to v17.0.12
  • Update dependency @uiw/react-md-editor to v3.9.9
  • Update dependency eslint-plugin-prettier to v3.4.1
  • Update dependency postcss to v7.0.39
  • Update aws-cdk monorepo to v1.147.0 (@aws-cdk/assertions, @aws-cdk/core, aws-cdk)
  • Update dependency @testing-library/jest-dom to v5.16.2
  • Update dependency @types/node to v10.17.60
  • Update dependency aws-sdk to v2.1084.0
  • Update dependency eslint-config-prettier to v8.4.0
  • Update dependency evergreen-ui to v6.8.2
  • Update dependency nanoid to v3.3.1
  • Update dependency prettier to v2.5.1
  • Update dependency react-router-dom to v6.2.2
  • Update dependency rxjs to v7.5.4
  • Update dependency supertest to v6.2.2
  • Update dependency ts-node to v10.6.0
  • Update dependency tsconfig-paths to v3.12.0
  • Update dependency typescript to v4.6.2
  • Update nest monorepo (@nestjs/cli, @nestjs/common, @nestjs/core, @nestjs/platform-express, @nestjs/testing)
  • Update nextjs monorepo to v12.1.0 (eslint-config-next, next)
  • Update npm to v7.24.2
  • Update typescript-eslint monorepo to v4.33.0 (@typescript-eslint/eslint-plugin, @typescript-eslint/parser)
  • Update Node.js to v17
  • Update actions/checkout action to v3
  • Update actions/setup-node action to v3
  • Update dependency @testing-library/react to v12
  • Update dependency @testing-library/user-event to v13
  • Update dependency aws-cdk to v2
  • Update dependency cdk8s to v2
  • Update dependency constructs to v10
  • Update dependency eslint to v8
  • Update dependency eslint-plugin-prettier to v4
  • Update dependency got to v12
  • Update dependency postcss to v8
  • Update dependency web-vitals to v2
  • Update jest monorepo (major) (jest, ts-jest)
  • Update npm to v8
  • Update typescript-eslint monorepo to v5 (major) (@typescript-eslint/eslint-plugin, @typescript-eslint/parser)

Open

These updates have all been created already. Click a checkbox below to force a retry/rebase of any.

@zgriesinger/single-page-app-file:frontend/single-page-app.tgz: 8 vulnerabilities (highest severity is: 7.5) - autoclosed

Vulnerable Library - @zgriesinger/single-page-app-file:frontend/single-page-app.tgz

Found in HEAD commit: 7bab102b4b6f2202c714bb8496b7c31d379d06ea

Vulnerabilities

CVE Severity CVSS Dependency Type Fixed in Remediation Available
CVE-2021-33587 High 7.5 css-what-3.4.2.tgz Transitive N/A
CVE-2021-3807 High 7.5 multiple Transitive N/A
CVE-2021-3803 High 7.5 multiple Transitive N/A
WS-2022-0008 Medium 6.6 node-forge-0.10.0.tgz Transitive N/A
CVE-2022-0122 Medium 6.1 node-forge-0.10.0.tgz Transitive N/A
CVE-2022-23647 Medium 6.1 prismjs-1.25.0.tgz Transitive N/A
CVE-2022-0235 Medium 6.1 node-fetch-1.7.3.tgz Transitive N/A
CVE-2020-15168 Medium 5.3 node-fetch-1.7.3.tgz Transitive N/A

Details

CVE-2021-33587

Vulnerable Library - css-what-3.4.2.tgz

a CSS selector parser

Library home page: https://registry.npmjs.org/css-what/-/css-what-3.4.2.tgz

Dependency Hierarchy:

  • @zgriesinger/single-page-app-file:frontend/single-page-app.tgz (Root Library)
    • react-scripts-5.0.0.tgz
      • webpack-5.5.0.tgz
        • plugin-svgo-5.5.0.tgz
          • svgo-1.3.2.tgz
            • css-select-2.1.0.tgz
              • css-what-3.4.2.tgz (Vulnerable Library)

Found in HEAD commit: 7bab102b4b6f2202c714bb8496b7c31d379d06ea

Found in base branch: main

Vulnerability Details

The css-what package 4.0.0 through 5.0.0 for Node.js does not ensure that attribute parsing has Linear Time Complexity relative to the size of the input.

Publish Date: 2021-05-28

URL: CVE-2021-33587

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33587

Release Date: 2021-05-28

Fix Resolution: css-what - 5.0.1

CVE-2021-3807

Vulnerable Libraries - ansi-regex-4.1.0.tgz, ansi-regex-3.0.0.tgz

ansi-regex-4.1.0.tgz

Regular expression for matching ANSI escape codes

Library home page: https://registry.npmjs.org/ansi-regex/-/ansi-regex-4.1.0.tgz

Dependency Hierarchy:

  • @zgriesinger/single-page-app-file:frontend/single-page-app.tgz (Root Library)
    • react-md-editor-3.9.0.tgz
      • react-markdown-preview-3.4.5.tgz
        • rehype-prism-0.8.0.tgz
          • mrm-3.0.10.tgz
            • libnpx-10.2.4.tgz
              • yargs-14.2.3.tgz
                • string-width-3.1.0.tgz
                  • strip-ansi-5.2.0.tgz
                    • ansi-regex-4.1.0.tgz (Vulnerable Library)

ansi-regex-3.0.0.tgz

Regular expression for matching ANSI escape codes

Library home page: https://registry.npmjs.org/ansi-regex/-/ansi-regex-3.0.0.tgz

Dependency Hierarchy:

  • @zgriesinger/single-page-app-file:frontend/single-page-app.tgz (Root Library)
    • react-md-editor-3.9.0.tgz
      • react-markdown-preview-3.4.5.tgz
        • rehype-prism-0.8.0.tgz
          • mrm-3.0.10.tgz
            • libnpx-10.2.4.tgz
              • update-notifier-2.5.0.tgz
                • boxen-1.3.0.tgz
                  • string-width-2.1.1.tgz
                    • strip-ansi-4.0.0.tgz
                      • ansi-regex-3.0.0.tgz (Vulnerable Library)

Found in HEAD commit: 7bab102b4b6f2202c714bb8496b7c31d379d06ea

Found in base branch: main

Vulnerability Details

ansi-regex is vulnerable to Inefficient Regular Expression Complexity

Publish Date: 2021-09-17

URL: CVE-2021-3807

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://huntr.dev/bounties/5b3cf33b-ede0-4398-9974-800876dfd994/

Release Date: 2021-09-17

Fix Resolution: ansi-regex - 5.0.1,6.0.1

CVE-2021-3803

Vulnerable Libraries - nth-check-1.0.2.tgz, nth-check-2.0.0.tgz

nth-check-1.0.2.tgz

performant nth-check parser & compiler

Library home page: https://registry.npmjs.org/nth-check/-/nth-check-1.0.2.tgz

Dependency Hierarchy:

  • @zgriesinger/single-page-app-file:frontend/single-page-app.tgz (Root Library)
    • react-scripts-5.0.0.tgz
      • webpack-5.5.0.tgz
        • plugin-svgo-5.5.0.tgz
          • svgo-1.3.2.tgz
            • css-select-2.1.0.tgz
              • nth-check-1.0.2.tgz (Vulnerable Library)

nth-check-2.0.0.tgz

Parses and compiles CSS nth-checks to highly optimized functions.

Library home page: https://registry.npmjs.org/nth-check/-/nth-check-2.0.0.tgz

Dependency Hierarchy:

  • @zgriesinger/single-page-app-file:frontend/single-page-app.tgz (Root Library)
    • react-md-editor-3.9.0.tgz
      • react-markdown-preview-3.4.5.tgz
        • rehype-rewrite-3.0.4.tgz
          • hast-util-select-5.0.1.tgz
            • nth-check-2.0.0.tgz (Vulnerable Library)

Found in HEAD commit: 7bab102b4b6f2202c714bb8496b7c31d379d06ea

Found in base branch: main

Vulnerability Details

nth-check is vulnerable to Inefficient Regular Expression Complexity

Publish Date: 2021-09-17

URL: CVE-2021-3803

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: fb55/nth-check@v2.0.0...v2.0.1

Release Date: 2021-09-17

Fix Resolution: nth-check - v2.0.1

WS-2022-0008

Vulnerable Library - node-forge-0.10.0.tgz

JavaScript implementations of network transports, cryptography, ciphers, PKI, message digests, and various utilities.

Library home page: https://registry.npmjs.org/node-forge/-/node-forge-0.10.0.tgz

Dependency Hierarchy:

  • @zgriesinger/single-page-app-file:frontend/single-page-app.tgz (Root Library)
    • react-scripts-5.0.0.tgz
      • webpack-dev-server-4.6.0.tgz
        • selfsigned-1.10.11.tgz
          • node-forge-0.10.0.tgz (Vulnerable Library)

Found in HEAD commit: 7bab102b4b6f2202c714bb8496b7c31d379d06ea

Found in base branch: main

Vulnerability Details

The forge.debug API had a potential prototype pollution issue if called with untrusted input. The API was only used for internal debug purposes in a safe way and never documented or advertised. It is suspected that uses of this API, if any exist, would likely not have used untrusted inputs in a vulnerable way.

Publish Date: 2022-01-08

URL: WS-2022-0008

CVSS 3 Score Details (6.6)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: High
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-5rrq-pxf6-6jx5

Release Date: 2022-01-08

Fix Resolution: node-forge - 1.0.0

CVE-2022-0122

Vulnerable Library - node-forge-0.10.0.tgz

JavaScript implementations of network transports, cryptography, ciphers, PKI, message digests, and various utilities.

Library home page: https://registry.npmjs.org/node-forge/-/node-forge-0.10.0.tgz

Dependency Hierarchy:

  • @zgriesinger/single-page-app-file:frontend/single-page-app.tgz (Root Library)
    • react-scripts-5.0.0.tgz
      • webpack-dev-server-4.6.0.tgz
        • selfsigned-1.10.11.tgz
          • node-forge-0.10.0.tgz (Vulnerable Library)

Found in HEAD commit: 7bab102b4b6f2202c714bb8496b7c31d379d06ea

Found in base branch: main

Vulnerability Details

forge is vulnerable to URL Redirection to Untrusted Site

Publish Date: 2022-01-06

URL: CVE-2022-0122

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: GHSA-gf8q-jrpm-jvxq

Release Date: 2022-01-06

Fix Resolution: node-forge - 1.0.0

CVE-2022-23647

Vulnerable Library - prismjs-1.25.0.tgz

Lightweight, robust, elegant syntax highlighting. A spin-off project from Dabblet.

Library home page: https://registry.npmjs.org/prismjs/-/prismjs-1.25.0.tgz

Dependency Hierarchy:

  • @zgriesinger/single-page-app-file:frontend/single-page-app.tgz (Root Library)
    • react-md-editor-3.9.0.tgz
      • react-markdown-preview-3.4.5.tgz
        • rehype-prism-0.8.0.tgz
          • refractor-3.5.0.tgz
            • prismjs-1.25.0.tgz (Vulnerable Library)

Found in HEAD commit: 7bab102b4b6f2202c714bb8496b7c31d379d06ea

Found in base branch: main

Vulnerability Details

Prism is a syntax highlighting library. Starting with version 1.14.0 and prior to version 1.27.0, Prism's command line plugin can be used by attackers to achieve a cross-site scripting attack. The command line plugin did not properly escape its output, leading to the input text being inserted into the DOM as HTML code. Server-side usage of Prism is not impacted. Websites that do not use the Command Line plugin are also not impacted. This bug has been fixed in v1.27.0. As a workaround, do not use the command line plugin on untrusted inputs, or sanitize all code blocks (remove all HTML code text) from all code blocks that use the command line plugin.

Publish Date: 2022-02-18

URL: CVE-2022-23647

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: GHSA-3949-f494-cm99

Release Date: 2022-02-18

Fix Resolution: prismjs - v1.27.0

CVE-2022-0235

Vulnerable Library - node-fetch-1.7.3.tgz

A light-weight module that brings window.fetch to node.js and io.js

Library home page: https://registry.npmjs.org/node-fetch/-/node-fetch-1.7.3.tgz

Dependency Hierarchy:

  • @zgriesinger/single-page-app-file:frontend/single-page-app.tgz (Root Library)
    • evergreen-ui-6.6.3.tgz
      • glamor-2.20.40.tgz
        • fbjs-0.8.18.tgz
          • isomorphic-fetch-2.2.1.tgz
            • node-fetch-1.7.3.tgz (Vulnerable Library)

Found in HEAD commit: 7bab102b4b6f2202c714bb8496b7c31d379d06ea

Found in base branch: main

Vulnerability Details

node-fetch is vulnerable to Exposure of Sensitive Information to an Unauthorized Actor

Publish Date: 2022-01-16

URL: CVE-2022-0235

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: GHSA-r683-j2x4-v87g

Release Date: 2022-01-16

Fix Resolution: node-fetch - 2.6.7,3.1.1

CVE-2020-15168

Vulnerable Library - node-fetch-1.7.3.tgz

A light-weight module that brings window.fetch to node.js and io.js

Library home page: https://registry.npmjs.org/node-fetch/-/node-fetch-1.7.3.tgz

Dependency Hierarchy:

  • @zgriesinger/single-page-app-file:frontend/single-page-app.tgz (Root Library)
    • evergreen-ui-6.6.3.tgz
      • glamor-2.20.40.tgz
        • fbjs-0.8.18.tgz
          • isomorphic-fetch-2.2.1.tgz
            • node-fetch-1.7.3.tgz (Vulnerable Library)

Found in HEAD commit: 7bab102b4b6f2202c714bb8496b7c31d379d06ea

Found in base branch: main

Vulnerability Details

node-fetch before versions 2.6.1 and 3.0.0-beta.9 did not honor the size option after following a redirect, which means that when a content size was over the limit, a FetchError would never get thrown and the process would end without failure. For most people, this fix will have little or no impact. However, if you are relying on node-fetch to gate files above a size, the impact could be significant, for example: if you don't double-check the size of the data after fetch() has completed, your JS thread could get tied up doing work on a large file (DoS) and/or cost you money in computing.

Publish Date: 2020-09-10

URL: CVE-2020-15168

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: GHSA-w7rc-rwvf-8q5r

Release Date: 2020-09-17

Fix Resolution: 2.6.1,3.0.0-beta.9

CVE-2013-2251 (High) detected in struts2-core-2.0.5.jar - autoclosed

CVE-2013-2251 - High Severity Vulnerability

Vulnerable Library - struts2-core-2.0.5.jar

Apache Struts 2

Library home page: http://struts.apache.org/struts2

Path to dependency file: /build.gradle

Path to vulnerable library: /radle/caches/modules-2/files-2.1/org.apache.struts/struts2-core/2.0.5/72d3b106b74c629c8764230c3931e4a7f39524d3/struts2-core-2.0.5.jar

Dependency Hierarchy:

  • struts2-core-2.0.5.jar (Vulnerable Library)

Found in HEAD commit: d74adcb0970dfc5e766162c760da662aada1def1

Found in base branch: main

Vulnerability Details

Apache Struts 2.0.0 through 2.3.15 allows remote attackers to execute arbitrary OGNL expressions via a parameter with a crafted (1) action:, (2) redirect:, or (3) redirectAction: prefix.

Publish Date: 2013-07-20

URL: CVE-2013-2251

CVSS 2 Score Details (9.3)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2251

Release Date: 2013-07-20

Fix Resolution: 2.3.16


⛑️ Automatic Remediation is available for this issue

@zgriesinger/service-a-file:api/service-a.tgz: 4 vulnerabilities (highest severity is: 7.5) - autoclosed

Vulnerable Library - @zgriesinger/service-a-file:api/service-a.tgz

Found in HEAD commit: 7bab102b4b6f2202c714bb8496b7c31d379d06ea

Vulnerabilities

CVE Severity CVSS Dependency Type Fixed in Remediation Available
CVE-2021-3749 High 7.5 axios-0.21.1.tgz Transitive N/A
CVE-2022-0144 High 7.1 shelljs-0.8.4.tgz Transitive N/A
CVE-2022-0235 Medium 6.1 node-fetch-2.6.6.tgz Transitive N/A
CVE-2021-23566 Medium 5.5 nanoid-3.1.30.tgz Transitive N/A

Details

CVE-2021-3749

Vulnerable Library - axios-0.21.1.tgz

Promise based HTTP client for the browser and node.js

Library home page: https://registry.npmjs.org/axios/-/axios-0.21.1.tgz

Dependency Hierarchy:

  • @zgriesinger/service-a-file:api/service-a.tgz (Root Library)
    • nestjs-dynamodb-0.1.0.tgz
      • common-7.6.18.tgz
        • axios-0.21.1.tgz (Vulnerable Library)

Found in HEAD commit: 7bab102b4b6f2202c714bb8496b7c31d379d06ea

Found in base branch: main

Vulnerability Details

axios is vulnerable to Inefficient Regular Expression Complexity

Publish Date: 2021-08-31

URL: CVE-2021-3749

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://github.com/axios/axios/releases/tag/v0.21.2

Release Date: 2021-08-31

Fix Resolution: axios - 0.21.2

CVE-2022-0144

Vulnerable Library - shelljs-0.8.4.tgz

Portable Unix shell commands for Node.js

Library home page: https://registry.npmjs.org/shelljs/-/shelljs-0.8.4.tgz

Dependency Hierarchy:

  • @zgriesinger/service-a-file:api/service-a.tgz (Root Library)
    • cli-8.1.5.tgz
      • shelljs-0.8.4.tgz (Vulnerable Library)

Found in HEAD commit: 7bab102b4b6f2202c714bb8496b7c31d379d06ea

Found in base branch: main

Vulnerability Details

shelljs is vulnerable to Improper Privilege Management

Publish Date: 2022-01-11

URL: CVE-2022-0144

CVSS 3 Score Details (7.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: shelljs/shelljs@d919d22

Release Date: 2022-01-11

Fix Resolution: shelljs - 0.8.5

CVE-2022-0235

Vulnerable Library - node-fetch-2.6.6.tgz

A light-weight module that brings window.fetch to node.js

Library home page: https://registry.npmjs.org/node-fetch/-/node-fetch-2.6.6.tgz

Dependency Hierarchy:

  • @zgriesinger/service-a-file:api/service-a.tgz (Root Library)
    • core-8.2.3.tgz
      • opencollective-0.3.2.tgz
        • node-fetch-2.6.6.tgz (Vulnerable Library)

Found in HEAD commit: 7bab102b4b6f2202c714bb8496b7c31d379d06ea

Found in base branch: main

Vulnerability Details

node-fetch is vulnerable to Exposure of Sensitive Information to an Unauthorized Actor

Publish Date: 2022-01-16

URL: CVE-2022-0235

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: GHSA-r683-j2x4-v87g

Release Date: 2022-01-16

Fix Resolution: node-fetch - 2.6.7,3.1.1

CVE-2021-23566

Vulnerable Library - nanoid-3.1.30.tgz

A tiny (130 bytes), secure URL-friendly unique string ID generator

Library home page: https://registry.npmjs.org/nanoid/-/nanoid-3.1.30.tgz

Dependency Hierarchy:

  • @zgriesinger/service-a-file:api/service-a.tgz (Root Library)
    • nanoid-3.1.30.tgz (Vulnerable Library)

Found in HEAD commit: 7bab102b4b6f2202c714bb8496b7c31d379d06ea

Found in base branch: main

Vulnerability Details

The package nanoid from 3.0.0 and before 3.1.31 is vulnerable to Information Exposure via the valueOf() function, which allows the last id generated to be reproduced.

Publish Date: 2022-01-14

URL: CVE-2021-23566

CVSS 3 Score Details (5.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: ai/nanoid#328

Release Date: 2022-01-14

Fix Resolution: nanoid - 3.1.31

CVE-2022-23647 (Medium) detected in prismjs-1.25.0.tgz - autoclosed

CVE-2022-23647 - Medium Severity Vulnerability

Vulnerable Library - prismjs-1.25.0.tgz

Lightweight, robust, elegant syntax highlighting. A spin-off project from Dabblet.

Library home page: https://registry.npmjs.org/prismjs/-/prismjs-1.25.0.tgz

Dependency Hierarchy:

  • @zgriesinger/single-page-app-file:frontend/single-page-app.tgz (Root Library)
    • react-md-editor-3.9.0.tgz
      • react-markdown-preview-3.4.5.tgz
        • rehype-prism-0.8.0.tgz
          • refractor-3.5.0.tgz
            • prismjs-1.25.0.tgz (Vulnerable Library)

Found in HEAD commit: f33fc38971ee16d2783308b8a2a7ed2d96c7ba62

Found in base branch: main

Vulnerability Details

Prism is a syntax highlighting library. Starting with version 1.14.0 and prior to version 1.27.0, Prism's command line plugin can be used by attackers to achieve a cross-site scripting attack. The command line plugin did not properly escape its output, leading to the input text being inserted into the DOM as HTML code. Server-side usage of Prism is not impacted. Websites that do not use the Command Line plugin are also not impacted. This bug has been fixed in v1.27.0. As a workaround, do not use the command line plugin on untrusted inputs, or sanitize all code blocks (remove all HTML code text) from all code blocks that use the command line plugin.

Publish Date: 2022-02-18

URL: CVE-2022-23647

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: GHSA-3949-f494-cm99

Release Date: 2022-02-18

Fix Resolution: prismjs - v1.27.0

CVE-2012-4387 (Medium) detected in struts2-core-2.0.5.jar - autoclosed

CVE-2012-4387 - Medium Severity Vulnerability

Vulnerable Library - struts2-core-2.0.5.jar

Apache Struts 2

Library home page: http://struts.apache.org/struts2

Path to dependency file: /build.gradle

Path to vulnerable library: /radle/caches/modules-2/files-2.1/org.apache.struts/struts2-core/2.0.5/72d3b106b74c629c8764230c3931e4a7f39524d3/struts2-core-2.0.5.jar

Dependency Hierarchy:

  • struts2-core-2.0.5.jar (Vulnerable Library)

Found in HEAD commit: d74adcb0970dfc5e766162c760da662aada1def1

Found in base branch: main

Vulnerability Details

Apache Struts 2.0.0 through 2.3.4 allows remote attackers to cause a denial of service (CPU consumption) via a long parameter name, which is processed as an OGNL expression.

Publish Date: 2012-09-05

URL: CVE-2012-4387

CVSS 2 Score Details (5.0)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2012-4387

Release Date: 2012-09-05

Fix Resolution: org.apache.struts:struts2-core - 2.3.4.1;org.apache.struts.xwork:xwork-core - 2.3.14.3,2.3.16

@zgriesinger/logger-file:packages/backend/logger.tgz: 2 vulnerabilities (highest severity is: 6.5) - autoclosed

Vulnerable Library - @zgriesinger/logger-file:packages/backend/logger.tgz

Found in HEAD commit: 7bab102b4b6f2202c714bb8496b7c31d379d06ea

Vulnerabilities

CVE Severity CVSS Dependency Type Fixed in Remediation Available
CVE-2022-0155 Medium 6.5 follow-redirects-1.14.5.tgz Transitive N/A
CVE-2022-0536 Medium 5.9 follow-redirects-1.14.5.tgz Transitive N/A

Details

CVE-2022-0155

Vulnerable Library - follow-redirects-1.14.5.tgz

HTTP and HTTPS modules that follow redirects.

Library home page: https://registry.npmjs.org/follow-redirects/-/follow-redirects-1.14.5.tgz

Dependency Hierarchy:

  • @zgriesinger/logger-file:packages/backend/logger.tgz (Root Library)
    • common-8.2.3.tgz
      • axios-0.24.0.tgz
        • follow-redirects-1.14.5.tgz (Vulnerable Library)

Found in HEAD commit: 7bab102b4b6f2202c714bb8496b7c31d379d06ea

Found in base branch: main

Vulnerability Details

follow-redirects is vulnerable to Exposure of Private Personal Information to an Unauthorized Actor

Publish Date: 2022-01-10

URL: CVE-2022-0155

CVSS 3 Score Details (6.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://huntr.dev/bounties/fc524e4b-ebb6-427d-ab67-a64181020406/

Release Date: 2022-01-10

Fix Resolution: follow-redirects - v1.14.7

CVE-2022-0536

Vulnerable Library - follow-redirects-1.14.5.tgz

HTTP and HTTPS modules that follow redirects.

Library home page: https://registry.npmjs.org/follow-redirects/-/follow-redirects-1.14.5.tgz

Dependency Hierarchy:

  • @zgriesinger/logger-file:packages/backend/logger.tgz (Root Library)
    • common-8.2.3.tgz
      • axios-0.24.0.tgz
        • follow-redirects-1.14.5.tgz (Vulnerable Library)

Found in HEAD commit: 7bab102b4b6f2202c714bb8496b7c31d379d06ea

Found in base branch: main

Vulnerability Details

Exposure of Sensitive Information to an Unauthorized Actor in NPM follow-redirects prior to 1.14.8.

Publish Date: 2022-02-09

URL: CVE-2022-0536

CVSS 3 Score Details (5.9)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0536

Release Date: 2022-02-09

Fix Resolution: follow-redirects - 1.14.8

WS-2019-0379 (Medium) detected in commons-codec-1.8.jar - autoclosed

WS-2019-0379 - Medium Severity Vulnerability

Vulnerable Library - commons-codec-1.8.jar

The codec package contains simple encoder and decoders for various formats such as Base64 and Hexadecimal. In addition to these widely used encoders and decoders, the codec package also maintains a collection of phonetic encoding utilities.

Path to dependency file: /build.gradle

Path to vulnerable library: /radle/caches/modules-2/files-2.1/commons-codec/commons-codec/1.8/af3be3f74d25fc5163b54f56a0d394b462dafafd/commons-codec-1.8.jar

Dependency Hierarchy:

  • commons-codec-1.8.jar (Vulnerable Library)

Found in HEAD commit: d74adcb0970dfc5e766162c760da662aada1def1

Found in base branch: main

Vulnerability Details

Apache commons-codec before version "commons-codec-1.13-RC1" is vulnerable to information disclosure due to improper input validation.

Publish Date: 2019-05-20

URL: WS-2019-0379

CVSS 3 Score Details (6.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: apache/commons-codec@48b6157

Release Date: 2019-05-20

Fix Resolution: commons-codec:commons-codec:1.13


⛑️ Automatic Remediation is available for this issue

@zgriesinger/single-page-app-file:frontend/single-page-app.tgz: 8 vulnerabilities (highest severity is: 7.5) - autoclosed

Vulnerable Library - @zgriesinger/single-page-app-file:frontend/single-page-app.tgz

Found in HEAD commit: 956be49b0759dd39c804ba93d224fdefca8cf6d8

Vulnerabilities

CVE Severity CVSS Dependency Type Fixed in Remediation Available
CVE-2021-33587 High 7.5 css-what-3.4.2.tgz Transitive N/A
CVE-2021-3807 High 7.5 multiple Transitive N/A
CVE-2021-3803 High 7.5 multiple Transitive N/A
WS-2022-0008 Medium 6.6 node-forge-0.10.0.tgz Transitive N/A
CVE-2022-0122 Medium 6.1 node-forge-0.10.0.tgz Transitive N/A
CVE-2022-23647 Medium 6.1 prismjs-1.25.0.tgz Transitive N/A
CVE-2022-0235 Medium 6.1 node-fetch-1.7.3.tgz Transitive N/A
CVE-2020-15168 Medium 5.3 node-fetch-1.7.3.tgz Transitive N/A

Details

CVE-2021-33587

Vulnerable Library - css-what-3.4.2.tgz

a CSS selector parser

Library home page: https://registry.npmjs.org/css-what/-/css-what-3.4.2.tgz

Dependency Hierarchy:

  • @zgriesinger/single-page-app-file:frontend/single-page-app.tgz (Root Library)
    • react-scripts-5.0.0.tgz
      • webpack-5.5.0.tgz
        • plugin-svgo-5.5.0.tgz
          • svgo-1.3.2.tgz
            • css-select-2.1.0.tgz
              • css-what-3.4.2.tgz (Vulnerable Library)

Found in HEAD commit: 956be49b0759dd39c804ba93d224fdefca8cf6d8

Found in base branch: main

Vulnerability Details

The css-what package 4.0.0 through 5.0.0 for Node.js does not ensure that attribute parsing has Linear Time Complexity relative to the size of the input.

Publish Date: 2021-05-28

URL: CVE-2021-33587

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33587

Release Date: 2021-05-28

Fix Resolution: css-what - 5.0.1

CVE-2021-3807

Vulnerable Libraries - ansi-regex-4.1.0.tgz, ansi-regex-3.0.0.tgz

ansi-regex-4.1.0.tgz

Regular expression for matching ANSI escape codes

Library home page: https://registry.npmjs.org/ansi-regex/-/ansi-regex-4.1.0.tgz

Dependency Hierarchy:

  • @zgriesinger/single-page-app-file:frontend/single-page-app.tgz (Root Library)
    • react-md-editor-3.9.0.tgz
      • react-markdown-preview-3.4.5.tgz
        • rehype-prism-0.8.0.tgz
          • mrm-3.0.10.tgz
            • libnpx-10.2.4.tgz
              • yargs-14.2.3.tgz
                • string-width-3.1.0.tgz
                  • strip-ansi-5.2.0.tgz
                    • ansi-regex-4.1.0.tgz (Vulnerable Library)

ansi-regex-3.0.0.tgz

Regular expression for matching ANSI escape codes

Library home page: https://registry.npmjs.org/ansi-regex/-/ansi-regex-3.0.0.tgz

Dependency Hierarchy:

  • @zgriesinger/single-page-app-file:frontend/single-page-app.tgz (Root Library)
    • react-md-editor-3.9.0.tgz
      • react-markdown-preview-3.4.5.tgz
        • rehype-prism-0.8.0.tgz
          • mrm-3.0.10.tgz
            • libnpx-10.2.4.tgz
              • update-notifier-2.5.0.tgz
                • boxen-1.3.0.tgz
                  • string-width-2.1.1.tgz
                    • strip-ansi-4.0.0.tgz
                      • ansi-regex-3.0.0.tgz (Vulnerable Library)

Found in HEAD commit: 956be49b0759dd39c804ba93d224fdefca8cf6d8

Found in base branch: main

Vulnerability Details

ansi-regex is vulnerable to Inefficient Regular Expression Complexity

Publish Date: 2021-09-17

URL: CVE-2021-3807

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://huntr.dev/bounties/5b3cf33b-ede0-4398-9974-800876dfd994/

Release Date: 2021-09-17

Fix Resolution: ansi-regex - 5.0.1,6.0.1

CVE-2021-3803

Vulnerable Libraries - nth-check-1.0.2.tgz, nth-check-2.0.0.tgz

nth-check-1.0.2.tgz

performant nth-check parser & compiler

Library home page: https://registry.npmjs.org/nth-check/-/nth-check-1.0.2.tgz

Dependency Hierarchy:

  • @zgriesinger/single-page-app-file:frontend/single-page-app.tgz (Root Library)
    • react-scripts-5.0.0.tgz
      • webpack-5.5.0.tgz
        • plugin-svgo-5.5.0.tgz
          • svgo-1.3.2.tgz
            • css-select-2.1.0.tgz
              • nth-check-1.0.2.tgz (Vulnerable Library)

nth-check-2.0.0.tgz

Parses and compiles CSS nth-checks to highly optimized functions.

Library home page: https://registry.npmjs.org/nth-check/-/nth-check-2.0.0.tgz

Dependency Hierarchy:

  • @zgriesinger/single-page-app-file:frontend/single-page-app.tgz (Root Library)
    • react-md-editor-3.9.0.tgz
      • react-markdown-preview-3.4.5.tgz
        • rehype-rewrite-3.0.4.tgz
          • hast-util-select-5.0.1.tgz
            • nth-check-2.0.0.tgz (Vulnerable Library)

Found in HEAD commit: 956be49b0759dd39c804ba93d224fdefca8cf6d8

Found in base branch: main

Vulnerability Details

nth-check is vulnerable to Inefficient Regular Expression Complexity

Publish Date: 2021-09-17

URL: CVE-2021-3803

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: fb55/nth-check@v2.0.0...v2.0.1

Release Date: 2021-09-17

Fix Resolution: nth-check - v2.0.1

WS-2022-0008

Vulnerable Library - node-forge-0.10.0.tgz

JavaScript implementations of network transports, cryptography, ciphers, PKI, message digests, and various utilities.

Library home page: https://registry.npmjs.org/node-forge/-/node-forge-0.10.0.tgz

Dependency Hierarchy:

  • @zgriesinger/single-page-app-file:frontend/single-page-app.tgz (Root Library)
    • react-scripts-5.0.0.tgz
      • webpack-dev-server-4.6.0.tgz
        • selfsigned-1.10.11.tgz
          • node-forge-0.10.0.tgz (Vulnerable Library)

Found in HEAD commit: 956be49b0759dd39c804ba93d224fdefca8cf6d8

Found in base branch: main

Vulnerability Details

The forge.debug API had a potential prototype pollution issue if called with untrusted input. The API was only used for internal debug purposes in a safe way and never documented or advertised. It is suspected that uses of this API, if any exist, would likely not have used untrusted inputs in a vulnerable way.

Publish Date: 2022-01-08

URL: WS-2022-0008

CVSS 3 Score Details (6.6)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: High
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-5rrq-pxf6-6jx5

Release Date: 2022-01-08

Fix Resolution: node-forge - 1.0.0

CVE-2022-0122

Vulnerable Library - node-forge-0.10.0.tgz

JavaScript implementations of network transports, cryptography, ciphers, PKI, message digests, and various utilities.

Library home page: https://registry.npmjs.org/node-forge/-/node-forge-0.10.0.tgz

Dependency Hierarchy:

  • @zgriesinger/single-page-app-file:frontend/single-page-app.tgz (Root Library)
    • react-scripts-5.0.0.tgz
      • webpack-dev-server-4.6.0.tgz
        • selfsigned-1.10.11.tgz
          • node-forge-0.10.0.tgz (Vulnerable Library)

Found in HEAD commit: 956be49b0759dd39c804ba93d224fdefca8cf6d8

Found in base branch: main

Vulnerability Details

forge is vulnerable to URL Redirection to Untrusted Site

Publish Date: 2022-01-06

URL: CVE-2022-0122

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: GHSA-gf8q-jrpm-jvxq

Release Date: 2022-01-06

Fix Resolution: node-forge - 1.0.0

CVE-2022-23647

Vulnerable Library - prismjs-1.25.0.tgz

Lightweight, robust, elegant syntax highlighting. A spin-off project from Dabblet.

Library home page: https://registry.npmjs.org/prismjs/-/prismjs-1.25.0.tgz

Dependency Hierarchy:

  • @zgriesinger/single-page-app-file:frontend/single-page-app.tgz (Root Library)
    • react-md-editor-3.9.0.tgz
      • react-markdown-preview-3.4.5.tgz
        • rehype-prism-0.8.0.tgz
          • refractor-3.5.0.tgz
            • prismjs-1.25.0.tgz (Vulnerable Library)

Found in HEAD commit: 956be49b0759dd39c804ba93d224fdefca8cf6d8

Found in base branch: main

Vulnerability Details

Prism is a syntax highlighting library. Starting with version 1.14.0 and prior to version 1.27.0, Prism's command line plugin can be used by attackers to achieve a cross-site scripting attack. The command line plugin did not properly escape its output, leading to the input text being inserted into the DOM as HTML code. Server-side usage of Prism is not impacted. Websites that do not use the Command Line plugin are also not impacted. This bug has been fixed in v1.27.0. As a workaround, do not use the command line plugin on untrusted inputs, or sanitize all code blocks (remove all HTML code text) from all code blocks that use the command line plugin.

Publish Date: 2022-02-18

URL: CVE-2022-23647

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: GHSA-3949-f494-cm99

Release Date: 2022-02-18

Fix Resolution: prismjs - v1.27.0

CVE-2022-0235

Vulnerable Library - node-fetch-1.7.3.tgz

A light-weight module that brings window.fetch to node.js and io.js

Library home page: https://registry.npmjs.org/node-fetch/-/node-fetch-1.7.3.tgz

Dependency Hierarchy:

  • @zgriesinger/single-page-app-file:frontend/single-page-app.tgz (Root Library)
    • evergreen-ui-6.6.3.tgz
      • glamor-2.20.40.tgz
        • fbjs-0.8.18.tgz
          • isomorphic-fetch-2.2.1.tgz
            • node-fetch-1.7.3.tgz (Vulnerable Library)

Found in HEAD commit: 956be49b0759dd39c804ba93d224fdefca8cf6d8

Found in base branch: main

Vulnerability Details

node-fetch is vulnerable to Exposure of Sensitive Information to an Unauthorized Actor

Publish Date: 2022-01-16

URL: CVE-2022-0235

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: GHSA-r683-j2x4-v87g

Release Date: 2022-01-16

Fix Resolution: node-fetch - 2.6.7,3.1.1

CVE-2020-15168

Vulnerable Library - node-fetch-1.7.3.tgz

A light-weight module that brings window.fetch to node.js and io.js

Library home page: https://registry.npmjs.org/node-fetch/-/node-fetch-1.7.3.tgz

Dependency Hierarchy:

  • @zgriesinger/single-page-app-file:frontend/single-page-app.tgz (Root Library)
    • evergreen-ui-6.6.3.tgz
      • glamor-2.20.40.tgz
        • fbjs-0.8.18.tgz
          • isomorphic-fetch-2.2.1.tgz
            • node-fetch-1.7.3.tgz (Vulnerable Library)

Found in HEAD commit: 956be49b0759dd39c804ba93d224fdefca8cf6d8

Found in base branch: main

Vulnerability Details

node-fetch before versions 2.6.1 and 3.0.0-beta.9 did not honor the size option after following a redirect, which means that when a content size was over the limit, a FetchError would never get thrown and the process would end without failure. For most people, this fix will have little or no impact. However, if you are relying on node-fetch to gate files above a size, the impact could be significant, for example: if you don't double-check the size of the data after fetch() has completed, your JS thread could get tied up doing work on a large file (DoS) and/or cost you money in computing.

Publish Date: 2020-09-10

URL: CVE-2020-15168

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: GHSA-w7rc-rwvf-8q5r

Release Date: 2020-09-17

Fix Resolution: 2.6.1,3.0.0-beta.9

CVE-2014-0116 (Medium) detected in struts2-core-2.0.5.jar - autoclosed

CVE-2014-0116 - Medium Severity Vulnerability

Vulnerable Library - struts2-core-2.0.5.jar

Apache Struts 2

Library home page: http://struts.apache.org/struts2

Path to dependency file: /build.gradle

Path to vulnerable library: /radle/caches/modules-2/files-2.1/org.apache.struts/struts2-core/2.0.5/72d3b106b74c629c8764230c3931e4a7f39524d3/struts2-core-2.0.5.jar

Dependency Hierarchy:

  • struts2-core-2.0.5.jar (Vulnerable Library)

Found in HEAD commit: d74adcb0970dfc5e766162c760da662aada1def1

Found in base branch: main

Vulnerability Details

CookieInterceptor in Apache Struts 2.x before 2.3.20, when a wildcard cookiesName value is used, does not properly restrict access to the getClass method, which allows remote attackers to "manipulate" the ClassLoader and modify session state via a crafted request. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-0113.

Publish Date: 2014-05-08

URL: CVE-2014-0116

CVSS 2 Score Details (5.8)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2014-0116

Release Date: 2014-05-08

Fix Resolution: 2.3.16.3


⛑️ Automatic Remediation is available for this issue

CVE-2013-2134 (High) detected in struts2-core-2.0.5.jar - autoclosed

CVE-2013-2134 - High Severity Vulnerability

Vulnerable Library - struts2-core-2.0.5.jar

Apache Struts 2

Library home page: http://struts.apache.org/struts2

Path to dependency file: /build.gradle

Path to vulnerable library: /radle/caches/modules-2/files-2.1/org.apache.struts/struts2-core/2.0.5/72d3b106b74c629c8764230c3931e4a7f39524d3/struts2-core-2.0.5.jar

Dependency Hierarchy:

  • struts2-core-2.0.5.jar (Vulnerable Library)

Found in HEAD commit: d74adcb0970dfc5e766162c760da662aada1def1

Found in base branch: main

Vulnerability Details

Apache Struts 2 before 2.3.14.3 allows remote attackers to execute arbitrary OGNL code via a request with a crafted action name that is not properly handled during wildcard matching, a different vulnerability than CVE-2013-2135.

Publish Date: 2013-07-16

URL: CVE-2013-2134

CVSS 2 Score Details (9.3)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2013-2134

Release Date: 2013-07-16

Fix Resolution: 2.3.14.3


⛑️ Automatic Remediation is available for this issue

CVE-2019-12086 (High) detected in jackson-databind-2.7.9.jar - autoclosed

CVE-2019-12086 - High Severity Vulnerability

Vulnerable Library - jackson-databind-2.7.9.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /build.gradle

Path to vulnerable library: /radle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.7.9/a4c0b14c7dd85bdf4d25da074e90a10fa4b9b88b/jackson-databind-2.7.9.jar

Dependency Hierarchy:

  • jackson-databind-2.7.9.jar (Vulnerable Library)

Found in HEAD commit: d74adcb0970dfc5e766162c760da662aada1def1

Found in base branch: main

Vulnerability Details

A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x before 2.9.9. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint, the service has the mysql-connector-java jar (8.0.14 or earlier) in the classpath, and an attacker can host a crafted MySQL server reachable by the victim, an attacker can send a crafted JSON message that allows them to read arbitrary local files on the server. This occurs because of missing com.mysql.cj.jdbc.admin.MiniAdmin validation.

Publish Date: 2019-05-17

URL: CVE-2019-12086

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12086

Release Date: 2019-05-17

Fix Resolution: 2.9.9


⛑️ Automatic Remediation is available for this issue

CVE-2021-3749 (High) detected in axios-0.21.1.tgz - autoclosed

CVE-2021-3749 - High Severity Vulnerability

Vulnerable Library - axios-0.21.1.tgz

Promise based HTTP client for the browser and node.js

Library home page: https://registry.npmjs.org/axios/-/axios-0.21.1.tgz

Dependency Hierarchy:

  • @zgriesinger/service-a-file:api/service-a.tgz (Root Library)
    • nestjs-dynamodb-0.1.0.tgz
      • common-7.6.18.tgz
        • axios-0.21.1.tgz (Vulnerable Library)

Found in HEAD commit: f33fc38971ee16d2783308b8a2a7ed2d96c7ba62

Found in base branch: main

Vulnerability Details

axios is vulnerable to Inefficient Regular Expression Complexity

Publish Date: 2021-08-31

URL: CVE-2021-3749

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://github.com/axios/axios/releases/tag/v0.21.2

Release Date: 2021-08-31

Fix Resolution: axios - 0.21.2

CVE-2021-3803 (High) detected in nth-check-1.0.2.tgz, nth-check-2.0.0.tgz - autoclosed

CVE-2021-3803 - High Severity Vulnerability

Vulnerable Libraries - nth-check-1.0.2.tgz, nth-check-2.0.0.tgz

nth-check-1.0.2.tgz

performant nth-check parser & compiler

Library home page: https://registry.npmjs.org/nth-check/-/nth-check-1.0.2.tgz

Dependency Hierarchy:

  • @zgriesinger/single-page-app-file:frontend/single-page-app.tgz (Root Library)
    • react-scripts-5.0.0.tgz
      • webpack-5.5.0.tgz
        • plugin-svgo-5.5.0.tgz
          • svgo-1.3.2.tgz
            • css-select-2.1.0.tgz
              • nth-check-1.0.2.tgz (Vulnerable Library)

nth-check-2.0.0.tgz

Parses and compiles CSS nth-checks to highly optimized functions.

Library home page: https://registry.npmjs.org/nth-check/-/nth-check-2.0.0.tgz

Dependency Hierarchy:

  • @zgriesinger/single-page-app-file:frontend/single-page-app.tgz (Root Library)
    • react-md-editor-3.9.0.tgz
      • react-markdown-preview-3.4.5.tgz
        • rehype-rewrite-3.0.4.tgz
          • hast-util-select-5.0.1.tgz
            • nth-check-2.0.0.tgz (Vulnerable Library)

Found in HEAD commit: f33fc38971ee16d2783308b8a2a7ed2d96c7ba62

Found in base branch: main

Vulnerability Details

nth-check is vulnerable to Inefficient Regular Expression Complexity

Publish Date: 2021-09-17

URL: CVE-2021-3803

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: fb55/nth-check@v2.0.0...v2.0.1

Release Date: 2021-09-17

Fix Resolution: nth-check - v2.0.1

CVE-2021-23566 (Medium) detected in nanoid-3.1.30.tgz - autoclosed

CVE-2021-23566 - Medium Severity Vulnerability

Vulnerable Library - nanoid-3.1.30.tgz

A tiny (130 bytes), secure URL-friendly unique string ID generator

Library home page: https://registry.npmjs.org/nanoid/-/nanoid-3.1.30.tgz

Dependency Hierarchy:

  • @zgriesinger/service-a-file:api/service-a.tgz (Root Library)
    • nanoid-3.1.30.tgz (Vulnerable Library)

Found in HEAD commit: f33fc38971ee16d2783308b8a2a7ed2d96c7ba62

Found in base branch: main

Vulnerability Details

The package nanoid from 3.0.0 and before 3.1.31 is vulnerable to Information Exposure via the valueOf() function, which allows reproducing the last id generated.

Publish Date: 2022-01-14

URL: CVE-2021-23566

CVSS 3 Score Details (5.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: ai/nanoid#328

Release Date: 2022-01-14

Fix Resolution: nanoid - 3.1.31

CVE-2022-0235 (Medium) detected in multiple libraries - autoclosed

CVE-2022-0235 - Medium Severity Vulnerability

Vulnerable Libraries - node-fetch-2.6.6.tgz, node-fetch-2.6.1.tgz, node-fetch-1.7.3.tgz

node-fetch-2.6.6.tgz

A light-weight module that brings window.fetch to node.js

Library home page: https://registry.npmjs.org/node-fetch/-/node-fetch-2.6.6.tgz

Dependency Hierarchy:

  • @zgriesinger/service-a-file:api/service-a.tgz (Root Library)
    • core-8.2.3.tgz
      • opencollective-0.3.2.tgz
        • node-fetch-2.6.6.tgz (Vulnerable Library)

node-fetch-2.6.1.tgz

A light-weight module that brings window.fetch to node.js

Library home page: https://registry.npmjs.org/node-fetch/-/node-fetch-2.6.1.tgz

Dependency Hierarchy:

  • @zgriesinger/static-file:frontend/static.tgz (Root Library)
    • next-12.0.7.tgz
      • node-fetch-2.6.1.tgz (Vulnerable Library)

node-fetch-1.7.3.tgz

A light-weight module that brings window.fetch to node.js and io.js

Library home page: https://registry.npmjs.org/node-fetch/-/node-fetch-1.7.3.tgz

Dependency Hierarchy:

  • @zgriesinger/single-page-app-file:frontend/single-page-app.tgz (Root Library)
    • evergreen-ui-6.6.3.tgz
      • glamor-2.20.40.tgz
        • fbjs-0.8.18.tgz
          • isomorphic-fetch-2.2.1.tgz
            • node-fetch-1.7.3.tgz (Vulnerable Library)

Found in HEAD commit: f33fc38971ee16d2783308b8a2a7ed2d96c7ba62

Found in base branch: main

Vulnerability Details

node-fetch is vulnerable to Exposure of Sensitive Information to an Unauthorized Actor

Publish Date: 2022-01-16

URL: CVE-2022-0235

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: GHSA-r683-j2x4-v87g

Release Date: 2022-01-16

Fix Resolution: node-fetch - 2.6.7,3.1.1

CVE-2021-3807 (High) detected in ansi-regex-4.1.0.tgz, ansi-regex-3.0.0.tgz - autoclosed

CVE-2021-3807 - High Severity Vulnerability

Vulnerable Libraries - ansi-regex-4.1.0.tgz, ansi-regex-3.0.0.tgz

ansi-regex-4.1.0.tgz

Regular expression for matching ANSI escape codes

Library home page: https://registry.npmjs.org/ansi-regex/-/ansi-regex-4.1.0.tgz

Dependency Hierarchy:

  • @zgriesinger/single-page-app-file:frontend/single-page-app.tgz (Root Library)
    • react-md-editor-3.9.0.tgz
      • react-markdown-preview-3.4.5.tgz
        • rehype-prism-0.8.0.tgz
          • mrm-3.0.10.tgz
            • libnpx-10.2.4.tgz
              • yargs-14.2.3.tgz
                • string-width-3.1.0.tgz
                  • strip-ansi-5.2.0.tgz
                    • ansi-regex-4.1.0.tgz (Vulnerable Library)

ansi-regex-3.0.0.tgz

Regular expression for matching ANSI escape codes

Library home page: https://registry.npmjs.org/ansi-regex/-/ansi-regex-3.0.0.tgz

Dependency Hierarchy:

  • @zgriesinger/single-page-app-file:frontend/single-page-app.tgz (Root Library)
    • react-md-editor-3.9.0.tgz
      • react-markdown-preview-3.4.5.tgz
        • rehype-prism-0.8.0.tgz
          • mrm-3.0.10.tgz
            • libnpx-10.2.4.tgz
              • update-notifier-2.5.0.tgz
                • boxen-1.3.0.tgz
                  • string-width-2.1.1.tgz
                    • strip-ansi-4.0.0.tgz
                      • ansi-regex-3.0.0.tgz (Vulnerable Library)

Found in HEAD commit: f33fc38971ee16d2783308b8a2a7ed2d96c7ba62

Found in base branch: main

Vulnerability Details

ansi-regex is vulnerable to Inefficient Regular Expression Complexity

Publish Date: 2021-09-17

URL: CVE-2021-3807

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://huntr.dev/bounties/5b3cf33b-ede0-4398-9974-800876dfd994/

Release Date: 2021-09-17

Fix Resolution: ansi-regex - 5.0.1,6.0.1

CVE-2014-0112 (High) detected in struts2-core-2.0.5.jar - autoclosed

CVE-2014-0112 - High Severity Vulnerability

Vulnerable Library - struts2-core-2.0.5.jar

Apache Struts 2

Library home page: http://struts.apache.org/struts2

Path to dependency file: /build.gradle

Path to vulnerable library: /radle/caches/modules-2/files-2.1/org.apache.struts/struts2-core/2.0.5/72d3b106b74c629c8764230c3931e4a7f39524d3/struts2-core-2.0.5.jar

Dependency Hierarchy:

  • struts2-core-2.0.5.jar (Vulnerable Library)

Found in HEAD commit: d74adcb0970dfc5e766162c760da662aada1def1

Found in base branch: main

Vulnerability Details

ParametersInterceptor in Apache Struts before 2.3.20 does not properly restrict access to the getClass method, which allows remote attackers to "manipulate" the ClassLoader and execute arbitrary code via a crafted request. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-0094.

Publish Date: 2014-04-29

URL: CVE-2014-0112

CVSS 3 Score Details (7.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2014-0112

Release Date: 2014-04-29

Fix Resolution: 2.3.16.2


⛑️ Automatic Remediation is available for this issue

CVE-2022-0122 (Medium) detected in node-forge-0.10.0.tgz - autoclosed

CVE-2022-0122 - Medium Severity Vulnerability

Vulnerable Library - node-forge-0.10.0.tgz

JavaScript implementations of network transports, cryptography, ciphers, PKI, message digests, and various utilities.

Library home page: https://registry.npmjs.org/node-forge/-/node-forge-0.10.0.tgz

Dependency Hierarchy:

  • @zgriesinger/single-page-app-file:frontend/single-page-app.tgz (Root Library)
    • react-scripts-5.0.0.tgz
      • webpack-dev-server-4.6.0.tgz
        • selfsigned-1.10.11.tgz
          • node-forge-0.10.0.tgz (Vulnerable Library)

Found in HEAD commit: f33fc38971ee16d2783308b8a2a7ed2d96c7ba62

Found in base branch: main

Vulnerability Details

forge is vulnerable to URL Redirection to Untrusted Site

Publish Date: 2022-01-06

URL: CVE-2022-0122

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: GHSA-gf8q-jrpm-jvxq

Release Date: 2022-01-06

Fix Resolution: node-forge - 1.0.0

CVE-2018-14720 (High) detected in jackson-databind-2.7.9.jar - autoclosed

CVE-2018-14720 - High Severity Vulnerability

Vulnerable Library - jackson-databind-2.7.9.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /build.gradle

Path to vulnerable library: /radle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.7.9/a4c0b14c7dd85bdf4d25da074e90a10fa4b9b88b/jackson-databind-2.7.9.jar

Dependency Hierarchy:

  • jackson-databind-2.7.9.jar (Vulnerable Library)

Found in HEAD commit: d74adcb0970dfc5e766162c760da662aada1def1

Found in base branch: main

Vulnerability Details

FasterXML jackson-databind 2.x before 2.9.7 might allow attackers to conduct external XML entity (XXE) attacks by leveraging failure to block unspecified JDK classes from polymorphic deserialization.

Publish Date: 2019-01-02

URL: CVE-2018-14720

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2018-14720

Release Date: 2019-01-02

Fix Resolution: 2.9.7


⛑️ Automatic Remediation is available for this issue

CVE-2014-0113 (High) detected in struts2-core-2.0.5.jar - autoclosed

CVE-2014-0113 - High Severity Vulnerability

Vulnerable Library - struts2-core-2.0.5.jar

Apache Struts 2

Library home page: http://struts.apache.org/struts2

Path to dependency file: /build.gradle

Path to vulnerable library: /radle/caches/modules-2/files-2.1/org.apache.struts/struts2-core/2.0.5/72d3b106b74c629c8764230c3931e4a7f39524d3/struts2-core-2.0.5.jar

Dependency Hierarchy:

  • struts2-core-2.0.5.jar (Vulnerable Library)

Found in HEAD commit: d74adcb0970dfc5e766162c760da662aada1def1

Found in base branch: main

Vulnerability Details

CookieInterceptor in Apache Struts before 2.3.20, when a wildcard cookiesName value is used, does not properly restrict access to the getClass method, which allows remote attackers to "manipulate" the ClassLoader and execute arbitrary code via a crafted request. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-0094.

Publish Date: 2014-04-29

URL: CVE-2014-0113

CVSS 2 Score Details (7.5)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2014-0113

Release Date: 2014-04-29

Fix Resolution: 2.3.16.2


⛑️ Automatic Remediation is available for this issue

WS-2022-0008 (Medium) detected in node-forge-0.10.0.tgz - autoclosed

WS-2022-0008 - Medium Severity Vulnerability

Vulnerable Library - node-forge-0.10.0.tgz

JavaScript implementations of network transports, cryptography, ciphers, PKI, message digests, and various utilities.

Library home page: https://registry.npmjs.org/node-forge/-/node-forge-0.10.0.tgz

Dependency Hierarchy:

  • @zgriesinger/single-page-app-file:frontend/single-page-app.tgz (Root Library)
    • react-scripts-5.0.0.tgz
      • webpack-dev-server-4.6.0.tgz
        • selfsigned-1.10.11.tgz
          • node-forge-0.10.0.tgz (Vulnerable Library)

Found in HEAD commit: f33fc38971ee16d2783308b8a2a7ed2d96c7ba62

Found in base branch: main

Vulnerability Details

The forge.debug API had a potential prototype pollution issue if called with untrusted input. The API was only used for internal debug purposes in a safe way and never documented or advertised. It is suspected that uses of this API, if any exist, would likely not have used untrusted inputs in a vulnerable way.

Publish Date: 2022-01-08

URL: WS-2022-0008

CVSS 3 Score Details (6.6)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: High
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-5rrq-pxf6-6jx5

Release Date: 2022-01-08

Fix Resolution: node-forge - 1.0.0
