katerinaorg / terraform-iac-scan Goto Github PK

View Code? Open in Web Editor NEW

This project forked from futurice/terraform-examples

0.0 0.0 0.0 2.44 MB

Terraform samples for all the major clouds you can copy and paste. The future, co-created.

Home Page: https://futurice.com

License: MIT License

Shell 2.96% JavaScript 10.38% Lua 0.80% TypeScript 0.13% HCL 85.66% Dockerfile 0.07%

terraform-iac-scan's People

Contributors

terraform-iac-scan's Issues

redis-2.8.0.tgz: 1 vulnerabilities (highest severity is: 7.5)

Vulnerable Library - redis-2.8.0.tgz

Redis client library

Library home page: https://registry.npmjs.org/redis/-/redis-2.8.0.tgz

Path to dependency file: /google_cloud/CQRS_bigquery_memorystore/functions/src/memorystoreload/package.json

Path to vulnerable library: /google_cloud/CQRS_bigquery_memorystore/functions/src/memorystoreload/node_modules/redis/package.json

Found in HEAD commit: 803f0b648fe9d9b2dc840b564e4a342e7f77fa19

Vulnerabilities

CVE	Severity	CVSS	Dependency	Type	Fixed in	Remediation Available
CVE-2021-29469	High	7.5	redis-2.8.0.tgz	Direct	3.1.1	✅

Details

CVE-2021-29469

Vulnerable Library - redis-2.8.0.tgz

Redis client library

Library home page: https://registry.npmjs.org/redis/-/redis-2.8.0.tgz

Path to dependency file: /google_cloud/CQRS_bigquery_memorystore/functions/src/memorystoreload/package.json

Path to vulnerable library: /google_cloud/CQRS_bigquery_memorystore/functions/src/memorystoreload/node_modules/redis/package.json

Dependency Hierarchy:

❌ redis-2.8.0.tgz (Vulnerable Library)

Found in HEAD commit: 803f0b648fe9d9b2dc840b564e4a342e7f77fa19

Found in base branch: master

Vulnerability Details

Node-redis is a Node.js Redis client. Before version 3.1.1, when a client is in monitoring mode, the regex begin used to detected monitor messages could cause exponential backtracking on some strings. This issue could lead to a denial of service. The issue is patched in version 3.1.1.

Publish Date: 2021-04-23

URL: CVE-2021-29469

CVSS 3 Score Details (7.5)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-35q2-47q7-3pc3

Release Date: 2021-04-23

Fix Resolution: 3.1.1

⛑️ Automatic Remediation is available for this issue

⛑️ Automatic Remediation is available for this issue.

bigquery-3.0.0.tgz: 6 vulnerabilities (highest severity is: 7.5)

Vulnerable Library - bigquery-3.0.0.tgz

Path to dependency file: /google_cloud/CQRS_bigquery_memorystore/functions/src/materialize/package.json

Path to vulnerable library: /google_cloud/CQRS_bigquery_memorystore/functions/src/probe/node_modules/json-bigint/package.json,/google_cloud/CQRS_bigquery_memorystore/functions/src/memorystoreload/node_modules/json-bigint/package.json,/google_cloud/CQRS_bigquery_memorystore/functions/src/materialize/node_modules/json-bigint/package.json

Found in HEAD commit: 803f0b648fe9d9b2dc840b564e4a342e7f77fa19

Vulnerabilities

CVE	Severity	CVSS	Dependency	Type	Fixed in	Remediation Available
CVE-2022-24772	High	7.5	node-forge-0.10.0.tgz	Transitive	5.0.0	✅
CVE-2020-8237	High	7.5	json-bigint-0.3.1.tgz	Transitive	5.0.0	✅
CVE-2022-24771	High	7.5	node-forge-0.10.0.tgz	Transitive	5.0.0	✅
WS-2022-0008	Medium	6.6	node-forge-0.10.0.tgz	Transitive	5.0.0	✅
CVE-2022-0122	Medium	6.1	node-forge-0.10.0.tgz	Transitive	5.0.0	✅
CVE-2022-24773	Medium	5.3	node-forge-0.10.0.tgz	Transitive	5.0.0	✅

Details

CVE-2022-24772

Vulnerable Library - node-forge-0.10.0.tgz

JavaScript implementations of network transports, cryptography, ciphers, PKI, message digests, and various utilities.

Library home page: https://registry.npmjs.org/node-forge/-/node-forge-0.10.0.tgz

Path to dependency file: /google_cloud/CQRS_bigquery_memorystore/functions/src/probe/package.json

Path to vulnerable library: /google_cloud/CQRS_bigquery_memorystore/functions/src/probe/node_modules/node-forge/package.json,/google_cloud/CQRS_bigquery_memorystore/functions/src/memorystoreload/node_modules/node-forge/package.json,/google_cloud/CQRS_bigquery_memorystore/functions/src/materialize/node_modules/node-forge/package.json

Dependency Hierarchy:

bigquery-3.0.0.tgz (Root Library)
- common-0.31.1.tgz
  - google-auth-library-3.1.2.tgz
    - gtoken-2.3.3.tgz
      - google-p12-pem-1.0.5.tgz
        
        ❌ node-forge-0.10.0.tgz (Vulnerable Library)

Found in HEAD commit: 803f0b648fe9d9b2dc840b564e4a342e7f77fa19

Found in base branch: master

Vulnerability Details

Forge (also called node-forge) is a native implementation of Transport Layer Security in JavaScript. Prior to version 1.3.0, RSA PKCS#1 v1.5 signature verification code does not check for tailing garbage bytes after decoding a DigestInfo ASN.1 structure. This can allow padding bytes to be removed and garbage data added to forge a signature when a low public exponent is being used. The issue has been addressed in node-forge version 1.3.0. There are currently no known workarounds.

Publish Date: 2022-03-18

URL: CVE-2022-24772

CVSS 3 Score Details (7.5)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: High
- Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24772

Release Date: 2022-03-18

Fix Resolution (node-forge): 1.3.0

Direct dependency fix Resolution (@google-cloud/bigquery): 5.0.0

⛑️ Automatic Remediation is available for this issue

CVE-2020-8237

Vulnerable Library - json-bigint-0.3.1.tgz

JSON.parse with bigints support

Library home page: https://registry.npmjs.org/json-bigint/-/json-bigint-0.3.1.tgz

Path to dependency file: /google_cloud/CQRS_bigquery_memorystore/functions/src/probe/package.json

Dependency Hierarchy:

bigquery-3.0.0.tgz (Root Library)
- common-0.31.1.tgz
  - google-auth-library-3.1.2.tgz
    - gcp-metadata-1.0.0.tgz
      - ❌ json-bigint-0.3.1.tgz (Vulnerable Library)

Found in HEAD commit: 803f0b648fe9d9b2dc840b564e4a342e7f77fa19

Found in base branch: master

Vulnerability Details

Prototype pollution in json-bigint npm package < 1.0.0 may lead to a denial-of-service (DoS) attack.

Publish Date: 2020-09-18

URL: CVE-2020-8237

CVSS 3 Score Details (7.5)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://hackerone.com/reports/916430

Release Date: 2020-09-30

Fix Resolution (json-bigint): 1.0.0

Direct dependency fix Resolution (@google-cloud/bigquery): 5.0.0

⛑️ Automatic Remediation is available for this issue

CVE-2022-24771

Vulnerable Library - node-forge-0.10.0.tgz

JavaScript implementations of network transports, cryptography, ciphers, PKI, message digests, and various utilities.

Library home page: https://registry.npmjs.org/node-forge/-/node-forge-0.10.0.tgz

Path to dependency file: /google_cloud/CQRS_bigquery_memorystore/functions/src/probe/package.json

Dependency Hierarchy:

bigquery-3.0.0.tgz (Root Library)
- common-0.31.1.tgz
  - google-auth-library-3.1.2.tgz
    - gtoken-2.3.3.tgz
      - google-p12-pem-1.0.5.tgz
        
        ❌ node-forge-0.10.0.tgz (Vulnerable Library)

Found in HEAD commit: 803f0b648fe9d9b2dc840b564e4a342e7f77fa19

Found in base branch: master

Vulnerability Details

Forge (also called node-forge) is a native implementation of Transport Layer Security in JavaScript. Prior to version 1.3.0, RSA PKCS#1 v1.5 signature verification code is lenient in checking the digest algorithm structure. This can allow a crafted structure that steals padding bytes and uses unchecked portion of the PKCS#1 encoded message to forge a signature when a low public exponent is being used. The issue has been addressed in node-forge version 1.3.0. There are currently no known workarounds.

Publish Date: 2022-03-18

URL: CVE-2022-24771

CVSS 3 Score Details (7.5)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: High
- Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24771

Release Date: 2022-03-18

Fix Resolution (node-forge): 1.3.0

Direct dependency fix Resolution (@google-cloud/bigquery): 5.0.0

⛑️ Automatic Remediation is available for this issue

WS-2022-0008

Vulnerable Library - node-forge-0.10.0.tgz

JavaScript implementations of network transports, cryptography, ciphers, PKI, message digests, and various utilities.

Library home page: https://registry.npmjs.org/node-forge/-/node-forge-0.10.0.tgz

Path to dependency file: /google_cloud/CQRS_bigquery_memorystore/functions/src/probe/package.json

Dependency Hierarchy:

bigquery-3.0.0.tgz (Root Library)
- common-0.31.1.tgz
  - google-auth-library-3.1.2.tgz
    - gtoken-2.3.3.tgz
      - google-p12-pem-1.0.5.tgz
        
        ❌ node-forge-0.10.0.tgz (Vulnerable Library)

Found in HEAD commit: 803f0b648fe9d9b2dc840b564e4a342e7f77fa19

Found in base branch: master

Vulnerability Details

The forge.debug API had a potential prototype pollution issue if called with untrusted input. The API was only used for internal debug purposes in a safe way and never documented or advertised. It is suspected that uses of this API, if any exist, would likely not have used untrusted inputs in a vulnerable way.

Publish Date: 2022-01-08

URL: WS-2022-0008

CVSS 3 Score Details (6.6)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: High
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-5rrq-pxf6-6jx5

Release Date: 2022-01-08

Fix Resolution (node-forge): 1.0.0

Direct dependency fix Resolution (@google-cloud/bigquery): 5.0.0

⛑️ Automatic Remediation is available for this issue

CVE-2022-0122

Vulnerable Library - node-forge-0.10.0.tgz

JavaScript implementations of network transports, cryptography, ciphers, PKI, message digests, and various utilities.

Library home page: https://registry.npmjs.org/node-forge/-/node-forge-0.10.0.tgz

Path to dependency file: /google_cloud/CQRS_bigquery_memorystore/functions/src/probe/package.json

Dependency Hierarchy:

bigquery-3.0.0.tgz (Root Library)
- common-0.31.1.tgz
  - google-auth-library-3.1.2.tgz
    - gtoken-2.3.3.tgz
      - google-p12-pem-1.0.5.tgz
        
        ❌ node-forge-0.10.0.tgz (Vulnerable Library)

Found in HEAD commit: 803f0b648fe9d9b2dc840b564e4a342e7f77fa19

Found in base branch: master

Vulnerability Details

forge is vulnerable to URL Redirection to Untrusted Site

Publish Date: 2022-01-06

URL: CVE-2022-0122

CVSS 3 Score Details (6.1)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Changed
Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-gf8q-jrpm-jvxq

Release Date: 2022-01-06

Fix Resolution (node-forge): 1.0.0

Direct dependency fix Resolution (@google-cloud/bigquery): 5.0.0

⛑️ Automatic Remediation is available for this issue

CVE-2022-24773

Vulnerable Library - node-forge-0.10.0.tgz

JavaScript implementations of network transports, cryptography, ciphers, PKI, message digests, and various utilities.

Library home page: https://registry.npmjs.org/node-forge/-/node-forge-0.10.0.tgz

Path to dependency file: /google_cloud/CQRS_bigquery_memorystore/functions/src/probe/package.json

Dependency Hierarchy:

bigquery-3.0.0.tgz (Root Library)
- common-0.31.1.tgz
  - google-auth-library-3.1.2.tgz
    - gtoken-2.3.3.tgz
      - google-p12-pem-1.0.5.tgz
        
        ❌ node-forge-0.10.0.tgz (Vulnerable Library)

Found in HEAD commit: 803f0b648fe9d9b2dc840b564e4a342e7f77fa19

Found in base branch: master

Vulnerability Details

Forge (also called node-forge) is a native implementation of Transport Layer Security in JavaScript. Prior to version 1.3.0, RSA PKCS#1 v1.5 signature verification code does not properly check DigestInfo for a proper ASN.1 structure. This can lead to successful verification with signatures that contain invalid structures but a valid digest. The issue has been addressed in node-forge version 1.3.0. There are currently no known workarounds.

Publish Date: 2022-03-18

URL: CVE-2022-24773

CVSS 3 Score Details (5.3)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: Low
- Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24773

Release Date: 2022-03-18

Fix Resolution (node-forge): 1.3.0

Direct dependency fix Resolution (@google-cloud/bigquery): 5.0.0

⛑️ Automatic Remediation is available for this issue

⛑️ Automatic Remediation is available for this issue.

storage-3.5.0.tgz: 2 vulnerabilities (highest severity is: 7.5)

Vulnerable Library - storage-3.5.0.tgz

Path to dependency file: /google_cloud/CQRS_bigquery_memorystore/functions/src/memorystoreload/package.json

Path to vulnerable library: /google_cloud/CQRS_bigquery_memorystore/functions/src/memorystoreload/node_modules/date-and-time/package.json,/google_cloud/CQRS_bigquery_memorystore/functions/src/materialize/node_modules/date-and-time/package.json

Found in HEAD commit: 803f0b648fe9d9b2dc840b564e4a342e7f77fa19

Vulnerabilities

CVE	Severity	CVSS	Dependency	Type	Fixed in	Remediation Available
CVE-2020-26289	High	7.5	date-and-time-0.10.0.tgz	Transitive	4.7.2	✅
WS-2020-0219	High	7.5	date-and-time-0.10.0.tgz	Transitive	4.7.2	✅

Details

CVE-2020-26289

Vulnerable Library - date-and-time-0.10.0.tgz

A Minimalist DateTime utility for Node.js and the browser

Library home page: https://registry.npmjs.org/date-and-time/-/date-and-time-0.10.0.tgz

Path to dependency file: /google_cloud/CQRS_bigquery_memorystore/functions/src/memorystoreload/package.json

Dependency Hierarchy:

storage-3.5.0.tgz (Root Library)
- ❌ date-and-time-0.10.0.tgz (Vulnerable Library)

Found in HEAD commit: 803f0b648fe9d9b2dc840b564e4a342e7f77fa19

Found in base branch: master

Vulnerability Details

date-and-time is an npm package for manipulating date and time. In date-and-time before version 0.14.2, there a regular expression involved in parsing which can be exploited to to cause a denial of service. This is fixed in version 0.14.2.

Publish Date: 2020-12-28

URL: CVE-2020-26289

CVSS 3 Score Details (7.5)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26289

Release Date: 2020-12-28

Fix Resolution (date-and-time): 0.14.2

Direct dependency fix Resolution (@google-cloud/storage): 4.7.2

⛑️ Automatic Remediation is available for this issue

WS-2020-0219

Vulnerable Library - date-and-time-0.10.0.tgz

A Minimalist DateTime utility for Node.js and the browser

Library home page: https://registry.npmjs.org/date-and-time/-/date-and-time-0.10.0.tgz

Path to dependency file: /google_cloud/CQRS_bigquery_memorystore/functions/src/memorystoreload/package.json

Dependency Hierarchy:

storage-3.5.0.tgz (Root Library)
- ❌ date-and-time-0.10.0.tgz (Vulnerable Library)

Found in HEAD commit: 803f0b648fe9d9b2dc840b564e4a342e7f77fa19

Found in base branch: master

Vulnerability Details

Due to an overly permissive regular expression, the parsing of certain date strings may lead to a denial of service.

Publish Date: 2020-12-25

URL: WS-2020-0219

CVSS 3 Score Details (7.5)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2020-12-25

Fix Resolution (date-and-time): 0.14.2

Direct dependency fix Resolution (@google-cloud/storage): 4.7.2

⛑️ Automatic Remediation is available for this issue

⛑️ Automatic Remediation is available for this issue.

Recommend Projects

React

A declarative, efficient, and flexible JavaScript library for building user interfaces.
Vue.js

🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
Typescript

TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
TensorFlow

An Open Source Machine Learning Framework for Everyone
Django

The Web framework for perfectionists with deadlines.
Laravel

A PHP framework for web artisans
D3

Bring data to life with SVG, Canvas and HTML. 📊📈🎉

Recommend Topics

javascript

JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
web

Some thing interesting about web. New door for the world.
server

A server is a program made to process requests and deliver data to clients.
Machine learning

Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Visualization

Some thing interesting about visualization, use data art
Game

Some thing interesting about game, make everyone happy.

Recommend Org

Facebook

We are working to build community through open source technology. NB: members must have two-factor auth.
Microsoft

Open source projects and samples from Microsoft.
Google

Google ❤️ Open Source for everyone.
Alibaba

Alibaba Open Source for everyone
D3

Data-Driven Documents codes.
Tencent

China tencent open source team.