lesjoursfr / audio-waveform Goto Github PK

Vulnerable Library - electron-26.1.0.tgz

Library home page: https://registry.npmjs.org/electron/-/electron-26.1.0.tgz

Dependency Hierarchy:

• ❌ electron-26.1.0.tgz (Vulnerable Library)

Found in HEAD commit: d8698c41202314b8d7a0f82f7bf9b80ee3e477c0

Found in base branch: main

Vulnerability Details

Heap buffer overflow in WebP in Google Chrome prior to 116.0.5845.187 allowed a remote attacker to perform an out of bounds memory write via a crafted HTML page. (Chromium security severity: Critical)

Publish Date: 2023-09-12

URL: CVE-2023-4863

CVSS 3 Score Details (8.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-j7hp-h8jx-5ppr

Release Date: 2023-09-12

Fix Resolution: 116.0.5845.187;libwebp-sys2 - 0.1.8;libwebp-sys - 0.9.3;electron - 22.3.24,24.8.3,25.8.1,26.2.1;SkiaSharp - 2.88.6

Vulnerable Library - http-cache-semantics-4.1.0.tgz

Parses Cache-Control and other headers. Helps building correct HTTP caches and proxies

Library home page: https://registry.npmjs.org/http-cache-semantics/-/http-cache-semantics-4.1.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/http-cache-semantics/package.json

Dependency Hierarchy:

• electron-22.0.0.tgz (Root Library)
  • get-2.0.2.tgz
    • got-11.8.6.tgz
      • cacheable-request-7.0.2.tgz
        • ❌ http-cache-semantics-4.1.0.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

This affects versions of the package http-cache-semantics before 4.1.1. The issue can be exploited via malicious request header values sent to a server, when that server reads the cache policy from the request using this library.

Publish Date: 2023-01-31

URL: CVE-2022-25881

CVSS 3 Score Details (5.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2022-25881

Release Date: 2023-01-31

Fix Resolution: http-cache-semantics - 4.1.1

Vulnerable Library - semver-6.3.0.tgz

The semantic version parser used by npm.

Library home page: https://registry.npmjs.org/semver/-/semver-6.3.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/@electron/get/node_modules/semver/package.json

Dependency Hierarchy:

• electron-25.2.0.tgz (Root Library)
  • get-2.0.2.tgz
    • ❌ semver-6.3.0.tgz (Vulnerable Library)

Found in HEAD commit: d2a2d0d24014ebced16e1340303d64609b9ce32d

Found in base branch: main

Vulnerability Details

Versions of the package semver before 7.5.2 are vulnerable to Regular Expression Denial of Service (ReDoS) via the function new Range, when untrusted user data is provided as a range.

Publish Date: 2023-06-21

URL: CVE-2022-25883

CVSS 3 Score Details (5.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Release Date: 2023-06-21

Fix Resolution: semver - 7.5.2

.github/workflows/codeql-analysis.yml

• actions/checkout v4
• github/codeql-action v3
• github/codeql-action v3
• github/codeql-action v3

.github/workflows/gh-publish.yml

• actions/checkout v4
• actions/setup-node v4

.github/workflows/npm-publish.yml

• actions/checkout v4
• actions/setup-node v4

.github/workflows/quality-control.yml

• actions/checkout v4
• actions/setup-node v4
• actions/checkout v4
• microsoft/playwright-github-action v1
• actions/setup-node v4

package.json

• electron ^31.0.0
• mime-types ^2.1.35
• uuid ^10.0.0
• yargs ^17.7.2
• @eslint/js ^9.4.0
• @tsconfig/node20 ^20.1.4
• @types/mime-types ^2.1.4
• @types/mocha ^10.0.6
• @types/node ^20.14.2
• @types/yargs ^17.0.32
• eslint ^9.4.0
• eslint-config-prettier ^9.1.0
• globals ^15.4.0
• mocha ^10.4.0
• prettier ^3.3.2
• ts-node ^10.9.2
• typescript ^5.4.5
• typescript-eslint ^8.0.0-alpha.30
• node 20.x || 22.x
• yarn 4.3.0

Vulnerable Library - got-9.6.0.tgz

Simplified HTTP requests

Library home page: https://registry.npmjs.org/got/-/got-9.6.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/got/package.json

Dependency Hierarchy:

• electron-21.3.3.tgz (Root Library)
  • get-1.14.1.tgz
    • ❌ got-9.6.0.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

The got package before 12.1.0 (also fixed in 11.8.5) for Node.js allows a redirect to a UNIX socket.

Publish Date: 2022-06-18

URL: CVE-2022-33987

CVSS 3 Score Details (5.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: Low
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-33987

Release Date: 2022-06-18

Fix Resolution: got - 11.8.5,12.1.0