mmukul / devopstrainingcourse Goto Github PK
View Code? Open in Web Editor NEWDevOps Training Program
devopstrainingcourse's People
Contributors
![mend-bolt-for-github[bot] avatar](https://avatars.githubusercontent.com/in/16809?v=4 "mend-bolt-for-github[bot]")
Stargazers
Watchers
devopstrainingcourse's Issues
jest-dom-5.16.2.tgz: 1 vulnerabilities (highest severity is: 7.5) - autoclosed
Vulnerable Library - jest-dom-5.16.2.tgz
Path to dependency file: /devsecops_class/Demos/AWSGoat/modules/module-1/src/package.json
Path to vulnerable library: /devsecops_class/Demos/AWSGoat/modules/module-1/src/node_modules/decode-uri-component/package.json
Found in HEAD commit: 2347d85842bdf9673c5d1b5b40e6473ee4de1cbc
Vulnerabilities
| CVE | Severity |  CVSS |
Dependency | Type | Fixed in (jest-dom version) | Remediation Available |
|---|---|---|---|---|---|---|
| CVE-2022-38900 |  High |
7.5 | decode-uri-component-0.2.0.tgz | Transitive | 5.16.3 | ❌ |
Details
CVE-2022-38900
Vulnerable Library - decode-uri-component-0.2.0.tgz
A better decodeURIComponent
Library home page: https://registry.npmjs.org/decode-uri-component/-/decode-uri-component-0.2.0.tgz
Path to dependency file: /devsecops_class/Demos/AWSGoat/modules/module-1/src/package.json
Path to vulnerable library: /devsecops_class/Demos/AWSGoat/modules/module-1/src/node_modules/decode-uri-component/package.json
Dependency Hierarchy:
- jest-dom-5.16.2.tgz (Root Library)
- css-3.0.0.tgz
- source-map-resolve-0.6.0.tgz
- ❌ decode-uri-component-0.2.0.tgz (Vulnerable Library)
- source-map-resolve-0.6.0.tgz
- css-3.0.0.tgz
Found in HEAD commit: 2347d85842bdf9673c5d1b5b40e6473ee4de1cbc
Found in base branch: main
Vulnerability Details
decode-uri-component 0.2.0 is vulnerable to Improper Input Validation resulting in DoS.
Publish Date: 2022-11-28
URL: CVE-2022-38900
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-w573-4hg7-7wgq
Release Date: 2022-11-28
Fix Resolution (decode-uri-component): 0.2.1
Direct dependency fix Resolution (@testing-library/jest-dom): 5.16.3
Step up your Open Source Security Game with Mend here
jquery-1.11.1.min.js: 4 vulnerabilities (highest severity is: 6.1) - autoclosed
Vulnerable Library - jquery-1.11.1.min.js
JavaScript library for DOM operations
Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.11.1/jquery.min.js
Path to dependency file: /devsecops_class/Demos/webapp-demo/src/main/webapp/index.jsp
Path to vulnerable library: /devsecops_class/Demos/webapp-demo/src/main/webapp/index.jsp
Found in HEAD commit: 2347d85842bdf9673c5d1b5b40e6473ee4de1cbc
Vulnerabilities
| CVE | Severity | CVSS |
Dependency | Type | Fixed in (jquery version) | Remediation Available |
|---|---|---|---|---|---|---|
| CVE-2020-11023 |  Medium |
6.1 | jquery-1.11.1.min.js | Direct | jquery - 3.5.0;jquery-rails - 4.4.0 | ❌ |
| CVE-2020-11022 | Medium |
6.1 | jquery-1.11.1.min.js | Direct | jQuery - 3.5.0 | ❌ |
| CVE-2019-11358 | Medium |
6.1 | jquery-1.11.1.min.js | Direct | jquery - 3.4.0 | ❌ |
| CVE-2015-9251 |  Low |
3.7 | jquery-1.11.1.min.js | Direct | jQuery - 3.0.0 | ❌ |
Details
CVE-2020-11023
Vulnerable Library - jquery-1.11.1.min.js
JavaScript library for DOM operations
Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.11.1/jquery.min.js
Path to dependency file: /devsecops_class/Demos/webapp-demo/src/main/webapp/index.jsp
Path to vulnerable library: /devsecops_class/Demos/webapp-demo/src/main/webapp/index.jsp
Dependency Hierarchy:
- ❌ jquery-1.11.1.min.js (Vulnerable Library)
Found in HEAD commit: 2347d85842bdf9673c5d1b5b40e6473ee4de1cbc
Found in base branch: main
Vulnerability Details
In jQuery versions greater than or equal to 1.0.3 and before 3.5.0, passing HTML containing elements from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.
Publish Date: 2020-04-29
URL: CVE-2020-11023
CVSS 3 Score Details (6.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Release Date: 2020-04-29
Fix Resolution: jquery - 3.5.0;jquery-rails - 4.4.0
Step up your Open Source Security Game with Mend here
CVE-2020-11022
Vulnerable Library - jquery-1.11.1.min.js
JavaScript library for DOM operations
Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.11.1/jquery.min.js
Path to dependency file: /devsecops_class/Demos/webapp-demo/src/main/webapp/index.jsp
Path to vulnerable library: /devsecops_class/Demos/webapp-demo/src/main/webapp/index.jsp
Dependency Hierarchy:
- ❌ jquery-1.11.1.min.js (Vulnerable Library)
Found in HEAD commit: 2347d85842bdf9673c5d1b5b40e6473ee4de1cbc
Found in base branch: main
Vulnerability Details
In jQuery versions greater than or equal to 1.2 and before 3.5.0, passing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.
Publish Date: 2020-04-29
URL: CVE-2020-11022
CVSS 3 Score Details (6.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11022
Release Date: 2020-04-29
Fix Resolution: jQuery - 3.5.0
Step up your Open Source Security Game with Mend here
CVE-2019-11358
Vulnerable Library - jquery-1.11.1.min.js
JavaScript library for DOM operations
Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.11.1/jquery.min.js
Path to dependency file: /devsecops_class/Demos/webapp-demo/src/main/webapp/index.jsp
Path to vulnerable library: /devsecops_class/Demos/webapp-demo/src/main/webapp/index.jsp
Dependency Hierarchy:
- ❌ jquery-1.11.1.min.js (Vulnerable Library)
Found in HEAD commit: 2347d85842bdf9673c5d1b5b40e6473ee4de1cbc
Found in base branch: main
Vulnerability Details
jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. If an unsanitized source object contained an enumerable proto property, it could extend the native Object.prototype.
Publish Date: 2019-04-20
URL: CVE-2019-11358
CVSS 3 Score Details (6.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11358
Release Date: 2019-04-20
Fix Resolution: jquery - 3.4.0
Step up your Open Source Security Game with Mend here
CVE-2015-9251
Vulnerable Library - jquery-1.11.1.min.js
JavaScript library for DOM operations
Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.11.1/jquery.min.js
Path to dependency file: /devsecops_class/Demos/webapp-demo/src/main/webapp/index.jsp
Path to vulnerable library: /devsecops_class/Demos/webapp-demo/src/main/webapp/index.jsp
Dependency Hierarchy:
- ❌ jquery-1.11.1.min.js (Vulnerable Library)
Found in HEAD commit: 2347d85842bdf9673c5d1b5b40e6473ee4de1cbc
Found in base branch: main
Vulnerability Details
jQuery before 3.0.0 is vulnerable to Cross-site Scripting (XSS) attacks when a cross-domain Ajax request is performed without the dataType option, causing text/javascript responses to be executed.
Publish Date: 2018-01-18
URL: CVE-2015-9251
CVSS 3 Score Details (3.7)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: Low
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2015-9251
Release Date: 2018-01-18
Fix Resolution: jQuery - 3.0.0
Step up your Open Source Security Game with Mend here
react-scripts-5.0.0.tgz: 8 vulnerabilities (highest severity is: 9.8) - autoclosed
Vulnerable Library - react-scripts-5.0.0.tgz
Path to dependency file: /devsecops_class/Demos/AWSGoat/modules/module-1/src/package.json
Path to vulnerable library: /devsecops_class/Demos/AWSGoat/modules/module-1/src/node_modules/babel-loader/node_modules/loader-utils/package.json
Found in HEAD commit: 2347d85842bdf9673c5d1b5b40e6473ee4de1cbc
Vulnerabilities
| CVE | Severity | CVSS |
Dependency | Type | Fixed in (react-scripts version) | Remediation Available |
|---|---|---|---|---|---|---|
| CVE-2022-37601 | High |
9.8 | loader-utils-1.4.0.tgz | Transitive | 5.0.1 | ❌ |
| CVE-2022-29078 | High |
9.8 | ejs-3.1.6.tgz | Transitive | 5.0.1 | ❌ |
| CVE-2021-43138 | High |
7.8 | detected in multiple dependencies | Transitive | 5.0.1 | ❌ |
| CVE-2022-25858 | High |
7.5 | terser-5.10.0.tgz | Transitive | 5.0.1 | ❌ |
| CVE-2022-37603 | High |
7.5 | detected in multiple dependencies | Transitive | 5.0.1 | ❌ |
| CVE-2022-3517 | High |
7.5 | minimatch-3.0.4.tgz | Transitive | N/A* | ❌ |
| CVE-2022-37599 | High |
7.5 | loader-utils-2.0.2.tgz | Transitive | 5.0.1 | ❌ |
| CVE-2021-3803 | High |
7.5 | nth-check-1.0.2.tgz | Transitive | 5.0.1 | ❌ |
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the section "Details" below to see if there is a version of transitive dependency where vulnerability is fixed.
Details
CVE-2022-37601
Vulnerable Library - loader-utils-1.4.0.tgz
utils for webpack loaders
Library home page: https://registry.npmjs.org/loader-utils/-/loader-utils-1.4.0.tgz
Path to dependency file: /devsecops_class/Demos/AWSGoat/modules/module-1/src/package.json
Path to vulnerable library: /devsecops_class/Demos/AWSGoat/modules/module-1/src/node_modules/babel-loader/node_modules/loader-utils/package.json
Dependency Hierarchy:
- react-scripts-5.0.0.tgz (Root Library)
- babel-loader-8.2.3.tgz
- ❌ loader-utils-1.4.0.tgz (Vulnerable Library)
- babel-loader-8.2.3.tgz
Found in HEAD commit: 2347d85842bdf9673c5d1b5b40e6473ee4de1cbc
Found in base branch: main
Vulnerability Details
Prototype pollution vulnerability in function parseQuery in parseQuery.js in webpack loader-utils 2.0.0 via the name variable in parseQuery.js.
Publish Date: 2022-10-12
URL: CVE-2022-37601
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Release Date: 2022-10-12
Fix Resolution (loader-utils): 1.4.1
Direct dependency fix Resolution (react-scripts): 5.0.1
Step up your Open Source Security Game with Mend here
CVE-2022-29078
Vulnerable Library - ejs-3.1.6.tgz
Embedded JavaScript templates
Library home page: https://registry.npmjs.org/ejs/-/ejs-3.1.6.tgz
Path to dependency file: /devsecops_class/Demos/AWSGoat/modules/module-1/src/package.json
Path to vulnerable library: /devsecops_class/Demos/AWSGoat/modules/module-1/src/node_modules/ejs/package.json
Dependency Hierarchy:
- react-scripts-5.0.0.tgz (Root Library)
- workbox-webpack-plugin-6.4.2.tgz
- workbox-build-6.4.2.tgz
- rollup-plugin-off-main-thread-2.2.3.tgz
- ❌ ejs-3.1.6.tgz (Vulnerable Library)
- rollup-plugin-off-main-thread-2.2.3.tgz
- workbox-build-6.4.2.tgz
- workbox-webpack-plugin-6.4.2.tgz
Found in HEAD commit: 2347d85842bdf9673c5d1b5b40e6473ee4de1cbc
Found in base branch: main
Vulnerability Details
The ejs (aka Embedded JavaScript templates) package 3.1.6 for Node.js allows server-side template injection in settings[view options][outputFunctionName]. This is parsed as an internal option, and overwrites the outputFunctionName option with an arbitrary OS command (which is executed upon template compilation).
Publish Date: 2022-04-25
URL: CVE-2022-29078
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29078~
Release Date: 2022-04-25
Fix Resolution (ejs): 3.1.7
Direct dependency fix Resolution (react-scripts): 5.0.1
Step up your Open Source Security Game with Mend here
CVE-2021-43138
Vulnerable Libraries - async-0.9.2.tgz, async-2.6.3.tgz
async-0.9.2.tgz
Higher-order functions and common patterns for asynchronous code
Library home page: https://registry.npmjs.org/async/-/async-0.9.2.tgz
Path to dependency file: /devsecops_class/Demos/AWSGoat/modules/module-1/src/package.json
Path to vulnerable library: /devsecops_class/Demos/AWSGoat/modules/module-1/src/node_modules/jake/node_modules/async/package.json
Dependency Hierarchy:
- react-scripts-5.0.0.tgz (Root Library)
- workbox-webpack-plugin-6.4.2.tgz
- workbox-build-6.4.2.tgz
- rollup-plugin-off-main-thread-2.2.3.tgz
- ejs-3.1.6.tgz
- jake-10.8.2.tgz
- ❌ async-0.9.2.tgz (Vulnerable Library)
- jake-10.8.2.tgz
- ejs-3.1.6.tgz
- rollup-plugin-off-main-thread-2.2.3.tgz
- workbox-build-6.4.2.tgz
- workbox-webpack-plugin-6.4.2.tgz
async-2.6.3.tgz
Higher-order functions and common patterns for asynchronous code
Library home page: https://registry.npmjs.org/async/-/async-2.6.3.tgz
Path to dependency file: /devsecops_class/Demos/AWSGoat/modules/module-1/src/package.json
Path to vulnerable library: /devsecops_class/Demos/AWSGoat/modules/module-1/src/node_modules/async/package.json
Dependency Hierarchy:
- react-scripts-5.0.0.tgz (Root Library)
- webpack-dev-server-4.7.4.tgz
- portfinder-1.0.28.tgz
- ❌ async-2.6.3.tgz (Vulnerable Library)
- portfinder-1.0.28.tgz
- webpack-dev-server-4.7.4.tgz
Found in HEAD commit: 2347d85842bdf9673c5d1b5b40e6473ee4de1cbc
Found in base branch: main
Vulnerability Details
In Async before 2.6.4 and 3.x before 3.2.2, a malicious user can obtain privileges via the mapValues() method, aka lib/internal/iterator.js createObjectIterator prototype pollution.
Publish Date: 2022-04-06
URL: CVE-2021-43138
CVSS 3 Score Details (7.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2021-43138
Release Date: 2022-04-06
Fix Resolution (async): 2.6.4
Direct dependency fix Resolution (react-scripts): 5.0.1
Fix Resolution (async): 2.6.4
Direct dependency fix Resolution (react-scripts): 5.0.1
Step up your Open Source Security Game with Mend here
CVE-2022-25858
Vulnerable Library - terser-5.10.0.tgz
JavaScript parser, mangler/compressor and beautifier toolkit for ES6+
Library home page: https://registry.npmjs.org/terser/-/terser-5.10.0.tgz
Path to dependency file: /devsecops_class/Demos/AWSGoat/modules/module-1/src/package.json
Path to vulnerable library: /devsecops_class/Demos/AWSGoat/modules/module-1/src/node_modules/terser/package.json
Dependency Hierarchy:
- react-scripts-5.0.0.tgz (Root Library)
- terser-webpack-plugin-5.3.1.tgz
- ❌ terser-5.10.0.tgz (Vulnerable Library)
- terser-webpack-plugin-5.3.1.tgz
Found in HEAD commit: 2347d85842bdf9673c5d1b5b40e6473ee4de1cbc
Found in base branch: main
Vulnerability Details
The package terser before 4.8.1, from 5.0.0 and before 5.14.2 are vulnerable to Regular Expression Denial of Service (ReDoS) due to insecure usage of regular expressions.
Publish Date: 2022-07-15
URL: CVE-2022-25858
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-25858
Release Date: 2022-07-15
Fix Resolution (terser): 5.15.0
Direct dependency fix Resolution (react-scripts): 5.0.1
Step up your Open Source Security Game with Mend here
CVE-2022-37603
Vulnerable Libraries - loader-utils-3.2.0.tgz, loader-utils-2.0.2.tgz, loader-utils-1.4.0.tgz
loader-utils-3.2.0.tgz
utils for webpack loaders
Library home page: https://registry.npmjs.org/loader-utils/-/loader-utils-3.2.0.tgz
Path to dependency file: /devsecops_class/Demos/AWSGoat/modules/module-1/src/package.json
Path to vulnerable library: /devsecops_class/Demos/AWSGoat/modules/module-1/src/node_modules/react-dev-utils/node_modules/loader-utils/package.json
Dependency Hierarchy:
- react-scripts-5.0.0.tgz (Root Library)
- react-dev-utils-12.0.0.tgz
- ❌ loader-utils-3.2.0.tgz (Vulnerable Library)
- react-dev-utils-12.0.0.tgz
loader-utils-2.0.2.tgz
utils for webpack loaders
Library home page: https://registry.npmjs.org/loader-utils/-/loader-utils-2.0.2.tgz
Path to dependency file: /devsecops_class/Demos/AWSGoat/modules/module-1/src/package.json
Path to vulnerable library: /devsecops_class/Demos/AWSGoat/modules/module-1/src/node_modules/loader-utils/package.json
Dependency Hierarchy:
- react-scripts-5.0.0.tgz (Root Library)
- file-loader-6.2.0.tgz
- ❌ loader-utils-2.0.2.tgz (Vulnerable Library)
- file-loader-6.2.0.tgz
loader-utils-1.4.0.tgz
utils for webpack loaders
Library home page: https://registry.npmjs.org/loader-utils/-/loader-utils-1.4.0.tgz
Path to dependency file: /devsecops_class/Demos/AWSGoat/modules/module-1/src/package.json
Path to vulnerable library: /devsecops_class/Demos/AWSGoat/modules/module-1/src/node_modules/babel-loader/node_modules/loader-utils/package.json
Dependency Hierarchy:
- react-scripts-5.0.0.tgz (Root Library)
- babel-loader-8.2.3.tgz
- ❌ loader-utils-1.4.0.tgz (Vulnerable Library)
- babel-loader-8.2.3.tgz
Found in HEAD commit: 2347d85842bdf9673c5d1b5b40e6473ee4de1cbc
Found in base branch: main
Vulnerability Details
A Regular expression denial of service (ReDoS) flaw was found in Function interpolateName in interpolateName.js in webpack loader-utils 2.0.0 via the url variable in interpolateName.js.
Publish Date: 2022-10-14
URL: CVE-2022-37603
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-3rfm-jhwj-7488
Release Date: 2022-10-14
Fix Resolution (loader-utils): 3.2.1
Direct dependency fix Resolution (react-scripts): 5.0.1
Fix Resolution (loader-utils): 2.0.4
Direct dependency fix Resolution (react-scripts): 5.0.1
Fix Resolution (loader-utils): 2.0.4
Direct dependency fix Resolution (react-scripts): 5.0.1
Step up your Open Source Security Game with Mend here
CVE-2022-3517
Vulnerable Library - minimatch-3.0.4.tgz
a glob matcher in javascript
Library home page: https://registry.npmjs.org/minimatch/-/minimatch-3.0.4.tgz
Path to dependency file: /devsecops_class/Demos/AWSGoat/modules/module-1/src/package.json
Path to vulnerable library: /devsecops_class/Demos/AWSGoat/modules/module-1/src/node_modules/recursive-readdir/node_modules/minimatch/package.json
Dependency Hierarchy:
- react-scripts-5.0.0.tgz (Root Library)
- react-dev-utils-12.0.0.tgz
- recursive-readdir-2.2.2.tgz
- ❌ minimatch-3.0.4.tgz (Vulnerable Library)
- recursive-readdir-2.2.2.tgz
- react-dev-utils-12.0.0.tgz
Found in HEAD commit: 2347d85842bdf9673c5d1b5b40e6473ee4de1cbc
Found in base branch: main
Vulnerability Details
A vulnerability was found in the minimatch package. This flaw allows a Regular Expression Denial of Service (ReDoS) when calling the braceExpand function with specific arguments, resulting in a Denial of Service.
Publish Date: 2022-10-17
URL: CVE-2022-3517
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Release Date: 2022-10-17
Fix Resolution: minimatch - 3.0.5
Step up your Open Source Security Game with Mend here
CVE-2022-37599
Vulnerable Library - loader-utils-2.0.2.tgz
utils for webpack loaders
Library home page: https://registry.npmjs.org/loader-utils/-/loader-utils-2.0.2.tgz
Path to dependency file: /devsecops_class/Demos/AWSGoat/modules/module-1/src/package.json
Path to vulnerable library: /devsecops_class/Demos/AWSGoat/modules/module-1/src/node_modules/loader-utils/package.json
Dependency Hierarchy:
- react-scripts-5.0.0.tgz (Root Library)
- file-loader-6.2.0.tgz
- ❌ loader-utils-2.0.2.tgz (Vulnerable Library)
- file-loader-6.2.0.tgz
Found in HEAD commit: 2347d85842bdf9673c5d1b5b40e6473ee4de1cbc
Found in base branch: main
Vulnerability Details
A Regular expression denial of service (ReDoS) flaw was found in Function interpolateName in interpolateName.js in webpack loader-utils 2.0.0 via the resourcePath variable in interpolateName.js.
Publish Date: 2022-10-11
URL: CVE-2022-37599
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-hhq3-ff78-jv3g
Release Date: 2022-10-11
Fix Resolution (loader-utils): 2.0.3
Direct dependency fix Resolution (react-scripts): 5.0.1
Step up your Open Source Security Game with Mend here
CVE-2021-3803
Vulnerable Library - nth-check-1.0.2.tgz
performant nth-check parser & compiler
Library home page: https://registry.npmjs.org/nth-check/-/nth-check-1.0.2.tgz
Path to dependency file: /devsecops_class/Demos/AWSGoat/modules/module-1/src/package.json
Path to vulnerable library: /devsecops_class/Demos/AWSGoat/modules/module-1/src/node_modules/svgo/node_modules/nth-check/package.json
Dependency Hierarchy:
- react-scripts-5.0.0.tgz (Root Library)
- webpack-5.5.0.tgz
- plugin-svgo-5.5.0.tgz
- svgo-1.3.2.tgz
- css-select-2.1.0.tgz
- ❌ nth-check-1.0.2.tgz (Vulnerable Library)
- css-select-2.1.0.tgz
- svgo-1.3.2.tgz
- plugin-svgo-5.5.0.tgz
- webpack-5.5.0.tgz
Found in HEAD commit: 2347d85842bdf9673c5d1b5b40e6473ee4de1cbc
Found in base branch: main
Vulnerability Details
nth-check is vulnerable to Inefficient Regular Expression Complexity
Publish Date: 2021-09-17
URL: CVE-2021-3803
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Release Date: 2021-09-17
Fix Resolution (nth-check): 2.0.1
Direct dependency fix Resolution (react-scripts): 5.0.1
Step up your Open Source Security Game with Mend here
bootstrap-3.2.0.min.js: 6 vulnerabilities (highest severity is: 6.1) - autoclosed
Vulnerable Library - bootstrap-3.2.0.min.js
The most popular front-end framework for developing responsive, mobile first projects on the web.
Library home page: https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/3.2.0/js/bootstrap.min.js
Path to dependency file: /devsecops_class/Demos/webapp-demo/src/main/webapp/index.jsp
Path to vulnerable library: /devsecops_class/Demos/webapp-demo/src/main/webapp/index.jsp
Found in HEAD commit: 2347d85842bdf9673c5d1b5b40e6473ee4de1cbc
Vulnerabilities
| CVE | Severity | CVSS |
Dependency | Type | Fixed in (bootstrap version) | Remediation Available |
|---|---|---|---|---|---|---|
| CVE-2019-8331 | Medium |
6.1 | bootstrap-3.2.0.min.js | Direct | bootstrap - 3.4.1,4.3.1;bootstrap-sass - 3.4.1,4.3.1 | ❌ |
| CVE-2018-14040 | Medium |
6.1 | bootstrap-3.2.0.min.js | Direct | org.webjars.npm:bootstrap:4.1.2,org.webjars:bootstrap:3.4.0 | ❌ |
| CVE-2018-20677 | Medium |
6.1 | bootstrap-3.2.0.min.js | Direct | Bootstrap - v3.4.0;NorDroN.AngularTemplate - 0.1.6;Dynamic.NET.Express.ProjectTemplates - 0.8.0;dotnetng.template - 1.0.0.4;ZNxtApp.Core.Module.Theme - 1.0.9-Beta;JMeter - 5.0.0 | ❌ |
| CVE-2018-14042 | Medium |
6.1 | bootstrap-3.2.0.min.js | Direct | org.webjars.npm:bootstrap:4.1.2.org.webjars:bootstrap:3.4.0 | ❌ |
| CVE-2018-20676 | Medium |
6.1 | bootstrap-3.2.0.min.js | Direct | bootstrap - 3.4.0 | ❌ |
| CVE-2016-10735 | Medium |
6.1 | bootstrap-3.2.0.min.js | Direct | bootstrap - 3.4.0, 4.0.0-beta.2 | ❌ |
Details
CVE-2019-8331
Vulnerable Library - bootstrap-3.2.0.min.js
The most popular front-end framework for developing responsive, mobile first projects on the web.
Library home page: https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/3.2.0/js/bootstrap.min.js
Path to dependency file: /devsecops_class/Demos/webapp-demo/src/main/webapp/index.jsp
Path to vulnerable library: /devsecops_class/Demos/webapp-demo/src/main/webapp/index.jsp
Dependency Hierarchy:
- ❌ bootstrap-3.2.0.min.js (Vulnerable Library)
Found in HEAD commit: 2347d85842bdf9673c5d1b5b40e6473ee4de1cbc
Found in base branch: main
Vulnerability Details
In Bootstrap before 3.4.1 and 4.3.x before 4.3.1, XSS is possible in the tooltip or popover data-template attribute.
Publish Date: 2019-02-20
URL: CVE-2019-8331
CVSS 3 Score Details (6.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Release Date: 2019-02-20
Fix Resolution: bootstrap - 3.4.1,4.3.1;bootstrap-sass - 3.4.1,4.3.1
Step up your Open Source Security Game with Mend here
CVE-2018-14040
Vulnerable Library - bootstrap-3.2.0.min.js
The most popular front-end framework for developing responsive, mobile first projects on the web.
Library home page: https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/3.2.0/js/bootstrap.min.js
Path to dependency file: /devsecops_class/Demos/webapp-demo/src/main/webapp/index.jsp
Path to vulnerable library: /devsecops_class/Demos/webapp-demo/src/main/webapp/index.jsp
Dependency Hierarchy:
- ❌ bootstrap-3.2.0.min.js (Vulnerable Library)
Found in HEAD commit: 2347d85842bdf9673c5d1b5b40e6473ee4de1cbc
Found in base branch: main
Vulnerability Details
In Bootstrap before 4.1.2, XSS is possible in the collapse data-parent attribute.
Publish Date: 2018-07-13
URL: CVE-2018-14040
CVSS 3 Score Details (6.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Release Date: 2018-07-13
Fix Resolution: org.webjars.npm:bootstrap:4.1.2,org.webjars:bootstrap:3.4.0
Step up your Open Source Security Game with Mend here
CVE-2018-20677
Vulnerable Library - bootstrap-3.2.0.min.js
The most popular front-end framework for developing responsive, mobile first projects on the web.
Library home page: https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/3.2.0/js/bootstrap.min.js
Path to dependency file: /devsecops_class/Demos/webapp-demo/src/main/webapp/index.jsp
Path to vulnerable library: /devsecops_class/Demos/webapp-demo/src/main/webapp/index.jsp
Dependency Hierarchy:
- ❌ bootstrap-3.2.0.min.js (Vulnerable Library)
Found in HEAD commit: 2347d85842bdf9673c5d1b5b40e6473ee4de1cbc
Found in base branch: main
Vulnerability Details
In Bootstrap before 3.4.0, XSS is possible in the affix configuration target property.
Publish Date: 2019-01-09
URL: CVE-2018-20677
CVSS 3 Score Details (6.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20677
Release Date: 2019-01-09
Fix Resolution: Bootstrap - v3.4.0;NorDroN.AngularTemplate - 0.1.6;Dynamic.NET.Express.ProjectTemplates - 0.8.0;dotnetng.template - 1.0.0.4;ZNxtApp.Core.Module.Theme - 1.0.9-Beta;JMeter - 5.0.0
Step up your Open Source Security Game with Mend here
CVE-2018-14042
Vulnerable Library - bootstrap-3.2.0.min.js
The most popular front-end framework for developing responsive, mobile first projects on the web.
Library home page: https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/3.2.0/js/bootstrap.min.js
Path to dependency file: /devsecops_class/Demos/webapp-demo/src/main/webapp/index.jsp
Path to vulnerable library: /devsecops_class/Demos/webapp-demo/src/main/webapp/index.jsp
Dependency Hierarchy:
- ❌ bootstrap-3.2.0.min.js (Vulnerable Library)
Found in HEAD commit: 2347d85842bdf9673c5d1b5b40e6473ee4de1cbc
Found in base branch: main
Vulnerability Details
In Bootstrap before 4.1.2, XSS is possible in the data-container property of tooltip.
Publish Date: 2018-07-13
URL: CVE-2018-14042
CVSS 3 Score Details (6.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Release Date: 2018-07-13
Fix Resolution: org.webjars.npm:bootstrap:4.1.2.org.webjars:bootstrap:3.4.0
Step up your Open Source Security Game with Mend here
CVE-2018-20676
Vulnerable Library - bootstrap-3.2.0.min.js
The most popular front-end framework for developing responsive, mobile first projects on the web.
Library home page: https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/3.2.0/js/bootstrap.min.js
Path to dependency file: /devsecops_class/Demos/webapp-demo/src/main/webapp/index.jsp
Path to vulnerable library: /devsecops_class/Demos/webapp-demo/src/main/webapp/index.jsp
Dependency Hierarchy:
- ❌ bootstrap-3.2.0.min.js (Vulnerable Library)
Found in HEAD commit: 2347d85842bdf9673c5d1b5b40e6473ee4de1cbc
Found in base branch: main
Vulnerability Details
In Bootstrap before 3.4.0, XSS is possible in the tooltip data-viewport attribute.
Publish Date: 2019-01-09
URL: CVE-2018-20676
CVSS 3 Score Details (6.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20676
Release Date: 2019-01-09
Fix Resolution: bootstrap - 3.4.0
Step up your Open Source Security Game with Mend here
CVE-2016-10735
Vulnerable Library - bootstrap-3.2.0.min.js
The most popular front-end framework for developing responsive, mobile first projects on the web.
Library home page: https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/3.2.0/js/bootstrap.min.js
Path to dependency file: /devsecops_class/Demos/webapp-demo/src/main/webapp/index.jsp
Path to vulnerable library: /devsecops_class/Demos/webapp-demo/src/main/webapp/index.jsp
Dependency Hierarchy:
- ❌ bootstrap-3.2.0.min.js (Vulnerable Library)
Found in HEAD commit: 2347d85842bdf9673c5d1b5b40e6473ee4de1cbc
Found in base branch: main
Vulnerability Details
In Bootstrap 3.x before 3.4.0 and 4.x-beta before 4.0.0-beta.2, XSS is possible in the data-target attribute, a different vulnerability than CVE-2018-14041.
Publish Date: 2019-01-09
URL: CVE-2016-10735
CVSS 3 Score Details (6.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10735
Release Date: 2019-01-09
Fix Resolution: bootstrap - 3.4.0, 4.0.0-beta.2
Step up your Open Source Security Game with Mend here
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.