mohib-hub / concord Goto Github PK

Vulnerable Libraries - set-value-2.0.0.tgz, set-value-0.4.3.tgz

Found in HEAD commit: 7806eaf18a189ae2286f008983dbefd6aedd82c9

Vulnerability Details

set-value is vulnerable to Prototype Pollution in versions lower than 3.0.1. The function mixin-deep could be tricked into adding or modifying properties of Object.prototype using any of the constructor, prototype and proto payloads.

Publish Date: 2019-08-23

URL: CVE-2019-10747

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: jonschlinkert/set-value@95e9d99

Release Date: 2019-07-24

Fix Resolution: 2.0.1,3.0.1

Vulnerable Library - lodash-4.17.15.tgz

Lodash modular utilities.

Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.15.tgz

Path to dependency file: /tmp/ws-scm/concord/console2/package.json

Path to vulnerable library: /concord/console2/node_modules/semantic-ui-calendar-react/node_modules/lodash/package.json,/tmp/ws-scm/concord/console2/node_modules/semantic-ui-calendar-react/node_modules/lodash/package.json

Dependency Hierarchy:

• ❌ lodash-4.17.15.tgz (Vulnerable Library)

Vulnerability Details

a prototype pollution vulnerability in lodash. It allows an attacker to inject properties on Object.prototype

Publish Date: 2020-04-28

URL: WS-2020-0070

CVSS 3 Score Details (8.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Vulnerable Library - node-forge-0.9.0.tgz

JavaScript implementations of network transports, cryptography, ciphers, PKI, message digests, and various utilities.

Library home page: https://registry.npmjs.org/node-forge/-/node-forge-0.9.0.tgz

Path to dependency file: concord/console2/package.json

Path to vulnerable library: concord/console2/node_modules/node-forge/package.json

Dependency Hierarchy:

• react-scripts-3.4.0.tgz (Root Library)
  • webpack-dev-server-3.10.2.tgz
    • selfsigned-1.10.7.tgz
      • ❌ node-forge-0.9.0.tgz (Vulnerable Library)

Vulnerability Details

The package node-forge before 0.10.0 is vulnerable to Prototype Pollution via the util.setPath function. Note: Version 0.10.0 is a breaking change removing the vulnerable functions.

Publish Date: 2020-09-01

URL: CVE-2020-7720

CVSS 3 Score Details (7.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: https://github.com/digitalbazaar/forge/blob/master/CHANGELOG.md

Release Date: 2020-09-13

Fix Resolution: node-forge - 0.10.0

Vulnerable Library - elliptic-6.5.2.tgz

EC cryptography

Library home page: https://registry.npmjs.org/elliptic/-/elliptic-6.5.2.tgz

Path to dependency file: concord/console2/package.json

Path to vulnerable library: concord/console2/node_modules/elliptic/package.json

Dependency Hierarchy:

• react-scripts-3.4.0.tgz (Root Library)
  • webpack-4.41.5.tgz
    • node-libs-browser-2.2.1.tgz
      • crypto-browserify-3.12.0.tgz
        • browserify-sign-4.0.4.tgz
          • ❌ elliptic-6.5.2.tgz (Vulnerable Library)

Vulnerability Details

all versions of elliptic are vulnerable to Timing Attack through side-channels.

Publish Date: 2019-11-13

URL: WS-2019-0424

CVSS 3 Score Details (5.9)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Adjacent
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: High
  • Availability Impact: None

Vulnerable Library - lodash-4.17.15.tgz

Lodash modular utilities.

Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.15.tgz

Path to dependency file: concord/console2/package.json

Path to vulnerable library: concord/console2/node_modules/semantic-ui-calendar-react/node_modules/lodash/package.json,concord/console2/node_modules/semantic-ui-calendar-react/node_modules/lodash/package.json

Dependency Hierarchy:

• ❌ lodash-4.17.15.tgz (Vulnerable Library)

Vulnerability Details

Lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function.

Publish Date: 2021-02-15

URL: CVE-2021-23337

CVSS 3 Score Details (7.2)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: High
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: lodash/lodash@3469357

Release Date: 2021-02-15

Fix Resolution: lodash - 4.17.21

Vulnerable Library - jquery-1.7.1.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.7.1/jquery.min.js

Path to dependency file: concord/console2/node_modules/sockjs/examples/express/index.html

Path to vulnerable library: concord/console2/node_modules/sockjs/examples/express/index.html,concord/console2/node_modules/sockjs/examples/multiplex/index.html,concord/console2/node_modules/sockjs/examples/hapi/html/index.html,concord/console2/node_modules/sockjs/examples/echo/index.html,concord/console2/node_modules/sockjs/examples/express-3.x/index.html

Dependency Hierarchy:

• ❌ jquery-1.7.1.min.js (Vulnerable Library)

Found in HEAD commit: 7806eaf18a189ae2286f008983dbefd6aedd82c9

Vulnerability Details

jQuery before 1.9.0 is vulnerable to Cross-site Scripting (XSS) attacks. The jQuery(strInput) function does not differentiate selectors from HTML in a reliable fashion. In vulnerable versions, jQuery determined whether the input was HTML by looking for the '<' character anywhere in the string, giving attackers more flexibility when attempting to construct a malicious payload. In fixed versions, jQuery only deems the input to be HTML if it explicitly starts with the '<' character, limiting exploitability only to attackers who can control the beginning of a string, which is far less common.

Publish Date: 2018-01-18

URL: CVE-2012-6708

CVSS 3 Score Details (6.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2012-6708

Release Date: 2018-01-18

Fix Resolution: jQuery - v1.9.0

Vulnerable Library - resteasy-client-3.1.4.Final.jar

Resteasy

Path to dependency file: concord/server/impl/pom.xml

Path to vulnerable library: /tmp/ws-ua_20200427143311_SKNJZT/downloadResource_PWLLDD/20200427143715/resteasy-client-3.1.4.Final.jar,/tmp/ws-ua_20200427143311_SKNJZT/downloadResource_PWLLDD/20200427143715/resteasy-client-3.1.4.Final.jar

Dependency Hierarchy:

• resteasy-guice-3.1.4.Final.jar (Root Library)
  • ❌ resteasy-client-3.1.4.Final.jar (Vulnerable Library)

Vulnerability Details

A flaw was found in RESTEasy client in all versions of RESTEasy up to 4.5.6.Final. It may allow client users to obtain the server's potentially sensitive information when the server got WebApplicationException from the RESTEasy client call. The highest threat from this vulnerability is to data confidentiality.

Publish Date: 2020-09-18

URL: CVE-2020-25633

CVSS 3 Score Details (5.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: None
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://bugzilla.redhat.com/show_bug.cgi?id=1879042#c13

Release Date: 2020-09-17

Fix Resolution: 4.5.7.Final

Vulnerable Library - handlebars-4.1.2.min.js

Handlebars provides the power necessary to let you build semantic templates effectively with no frustration

Library home page: https://cdnjs.cloudflare.com/ajax/libs/handlebars.js/4.1.2/handlebars.min.js

Path to dependency file: concord/examples/forms_wizard/forms/userWarning/index.html

Path to vulnerable library: concord/examples/forms_wizard/forms/userWarning/index.html,concord/examples/forms_wizard/forms/userData/index.html,concord/examples/form_l10n/forms/myOtherForm/index.html,concord/examples/custom_form/forms/myForm/index.html,concord/examples/dynamic_form_values/forms/myForm/index.html

Dependency Hierarchy:

• ❌ handlebars-4.1.2.min.js (Vulnerable Library)

Found in HEAD commit: 7806eaf18a189ae2286f008983dbefd6aedd82c9

Vulnerability Details

Versions of handlebars prior to 4.3.0 are vulnerable to Prototype Pollution leading to Remote Code Execution. Templates may alter an Object's proto and defineGetter properties, which may allow an attacker to execute arbitrary code through crafted payloads.

Publish Date: 2019-12-20

URL: CVE-2019-19919

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/1164

Release Date: 2019-12-20

Fix Resolution: 4.3.0

Vulnerable Libraries - acorn-6.4.0.tgz, acorn-5.7.3.tgz

Found in HEAD commit: 7806eaf18a189ae2286f008983dbefd6aedd82c9

Vulnerability Details

acorn is vulnerable to REGEX DoS. A regex of the form /[x-\ud800]/u causes the parser to enter an infinite loop. attackers may leverage the vulnerability leading to a Denial of Service since the string is not valid UTF16 and it results in it being sanitized before reaching the parser.

Publish Date: 2020-03-01

URL: WS-2020-0042

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/1488

Release Date: 2020-03-08

Fix Resolution: 7.1.1

Vulnerable Library - lodash-4.17.15.tgz

Lodash modular utilities.

Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.15.tgz

Path to dependency file: concord/console2/package.json

Path to vulnerable library: concord/console2/node_modules/semantic-ui-calendar-react/node_modules/lodash/package.json,concord/console2/node_modules/semantic-ui-calendar-react/node_modules/lodash/package.json

Dependency Hierarchy:

• ❌ lodash-4.17.15.tgz (Vulnerable Library)

Vulnerability Details

Lodash versions prior to 4.17.21 are vulnerable to Regular Expression Denial of Service (ReDoS) via the toNumber, trim and trimEnd functions.

Publish Date: 2021-02-15

URL: CVE-2020-28500

CVSS 3 Score Details (5.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28500

Release Date: 2021-02-15

Fix Resolution: lodash - 4.17.21

Vulnerable Library - braces-1.8.5.tgz

Fastest brace expansion for node.js, with the most complete support for the Bash 4.3 braces specification.

Library home page: https://registry.npmjs.org/braces/-/braces-1.8.5.tgz

Path to dependency file: concord/console2/package.json

Path to vulnerable library: concord/console2/node_modules/babel-cli/node_modules/braces/package.json

Dependency Hierarchy:

• babel-cli-6.26.0.tgz (Root Library)
  • chokidar-1.7.0.tgz
    • anymatch-1.3.2.tgz
      • micromatch-2.3.11.tgz
        • ❌ braces-1.8.5.tgz (Vulnerable Library)

Vulnerability Details

Braces before 1.4.2 and 2.17.2 is vulnerable to ReDoS. It used a regular expression (^{(,+(?:({,+})),|,(?:({,+})),+)}) in order to detects empty braces. This can cause an impact of about 10 seconds matching time for data 50K characters long.

Publish Date: 2020-07-21

URL: CVE-2018-1109

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://bugzilla.redhat.com/show_bug.cgi?id=1547272

Release Date: 2020-07-21

Fix Resolution: 2.3.1

Vulnerable Library - http-proxy-1.18.0.tgz

HTTP proxying for the masses

Library home page: https://registry.npmjs.org/http-proxy/-/http-proxy-1.18.0.tgz

Path to dependency file: concord/console2/package.json

Path to vulnerable library: concord/console2/node_modules/http-proxy/package.json

Dependency Hierarchy:

• react-scripts-3.4.0.tgz (Root Library)
  • webpack-dev-server-3.10.2.tgz
    • http-proxy-middleware-0.19.1.tgz
      • ❌ http-proxy-1.18.0.tgz (Vulnerable Library)

Vulnerability Details

Versions of http-proxy prior to 1.18.1 are vulnerable to Denial of Service. An HTTP request with a long body triggers an ERR_HTTP_HEADERS_SENT unhandled exception that crashes the proxy server. This is only possible when the proxy server sets headers in the proxy request using the proxyReq.setHeader function.

Publish Date: 2020-05-14

URL: WS-2020-0091

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/1486

Release Date: 2020-05-26

Fix Resolution: http-proxy - 1.18.1

Vulnerable Library - kind-of-6.0.2.tgz

Get the native type of a value.

Library home page: https://registry.npmjs.org/kind-of/-/kind-of-6.0.2.tgz

Path to dependency file: /tmp/ws-scm/concord/console2/package.json

Path to vulnerable library: /tmp/ws-scm/concord/console2/node_modules/extglob/node_modules/kind-of/package.json

Dependency Hierarchy:

• babel-cli-6.26.0.tgz (Root Library)
  • chokidar-1.7.0.tgz
    • anymatch-1.3.2.tgz
      • micromatch-2.3.11.tgz
        • braces-1.8.5.tgz
          • expand-range-1.8.2.tgz
            • fill-range-2.2.4.tgz
              • randomatic-3.1.1.tgz
                • ❌ kind-of-6.0.2.tgz (Vulnerable Library)

Found in HEAD commit: 7806eaf18a189ae2286f008983dbefd6aedd82c9

Vulnerability Details

Versions of kind-of 6.x prior to 6.0.3 are vulnerable to a Validation Bypass. A maliciously crafted object can alter the result of the type check, allowing attackers to bypass the type checking validation.

Publish Date: 2020-03-18

URL: WS-2019-0381

CVSS 3 Score Details (5.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: Low
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: jonschlinkert/kind-of@975c13a

Release Date: 2020-03-18

Fix Resolution: kind-of - 6.0.3

Vulnerable Libraries - yargs-parser-11.1.1.tgz, yargs-parser-13.1.1.tgz

Found in HEAD commit: 7806eaf18a189ae2286f008983dbefd6aedd82c9

Vulnerability Details

yargs-parser could be tricked into adding or modifying properties of Object.prototype using a "proto" payload.

Publish Date: 2020-03-16

URL: CVE-2020-7608

CVSS 3 Score Details (5.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Local
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: yargs/yargs-parser@63810ca

Release Date: 2020-06-05

Fix Resolution: 5.0.1;13.1.2;15.0.1;18.1.1

Vulnerable Library - jquery-1.7.1.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.7.1/jquery.min.js

Path to dependency file: concord/console2/node_modules/sockjs/examples/express/index.html

Path to vulnerable library: concord/console2/node_modules/sockjs/examples/express/index.html,concord/console2/node_modules/sockjs/examples/multiplex/index.html,concord/console2/node_modules/sockjs/examples/hapi/html/index.html,concord/console2/node_modules/sockjs/examples/echo/index.html,concord/console2/node_modules/sockjs/examples/express-3.x/index.html

Dependency Hierarchy:

• ❌ jquery-1.7.1.min.js (Vulnerable Library)

Found in HEAD commit: 7806eaf18a189ae2286f008983dbefd6aedd82c9

Vulnerability Details

jQuery before 3.0.0 is vulnerable to Cross-site Scripting (XSS) attacks when a cross-domain Ajax request is performed without the dataType option, causing text/javascript responses to be executed.

Publish Date: 2018-01-18

URL: CVE-2015-9251

CVSS 3 Score Details (6.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2015-9251

Release Date: 2018-01-18

Fix Resolution: jQuery - v3.0.0

Vulnerable Library - handlebars-4.1.2.min.js

Handlebars provides the power necessary to let you build semantic templates effectively with no frustration

Library home page: https://cdnjs.cloudflare.com/ajax/libs/handlebars.js/4.1.2/handlebars.min.js

Path to dependency file: /tmp/ws-scm/concord/examples/forms_wizard/forms/userWarning/index.html

Path to vulnerable library: /concord/examples/forms_wizard/forms/userWarning/index.html,/concord/examples/forms_wizard/forms/userData/index.html,/concord/examples/form_l10n/forms/myOtherForm/index.html,/concord/examples/custom_form/forms/myForm/index.html,/concord/examples/dynamic_form_values/forms/myForm/index.html

Dependency Hierarchy:

• ❌ handlebars-4.1.2.min.js (Vulnerable Library)

Found in HEAD commit: 7806eaf18a189ae2286f008983dbefd6aedd82c9

Vulnerability Details

Prototype Pollution vulnerability found in handlebars.js before 4.5.3. Attacker may use Remote-Code-Execution exploits.

Publish Date: 2020-01-08

URL: WS-2019-0369

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://github.com/wycats/handlebars.js/blob/master/release-notes.md#v453---november-18th-2019

Release Date: 2020-01-08

Fix Resolution: handlebars - 4.5.3

Vulnerable Library - mixin-deep-1.3.1.tgz

Deeply mix the properties of objects into the first object. Like merge-deep, but doesn't clone.

Library home page: https://registry.npmjs.org/mixin-deep/-/mixin-deep-1.3.1.tgz

Path to dependency file: concord/console2/package.json

Path to vulnerable library: concord/console2/node_modules/mixin-deep/package.json

Dependency Hierarchy:

• react-scripts-3.4.0.tgz (Root Library)
  • webpack-4.41.5.tgz
    • micromatch-3.1.10.tgz
      • snapdragon-0.8.2.tgz
        • base-0.11.2.tgz
          • ❌ mixin-deep-1.3.1.tgz (Vulnerable Library)

Found in HEAD commit: 7806eaf18a189ae2286f008983dbefd6aedd82c9

Vulnerability Details

mixin-deep is vulnerable to Prototype Pollution in versions before 1.3.2 and version 2.0.0. The function mixin-deep could be tricked into adding or modifying properties of Object.prototype using a constructor payload.

Publish Date: 2019-08-23

URL: CVE-2019-10746

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: jonschlinkert/mixin-deep@8f464c8

Release Date: 2019-07-11

Fix Resolution: 1.3.2,2.0.1

Vulnerability Details

In jQuery versions greater than or equal to 1.2 and before 3.5.0, passing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.

Publish Date: 2020-04-29

URL: CVE-2020-11022

CVSS 3 Score Details (6.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/

Release Date: 2020-04-29

Fix Resolution: jQuery - 3.5.0

Vulnerable Library - serialize-javascript-2.1.2.tgz

Serialize JavaScript to a superset of JSON that includes regular expressions and functions.

Library home page: https://registry.npmjs.org/serialize-javascript/-/serialize-javascript-2.1.2.tgz

Path to dependency file: concord/console2/package.json

Path to vulnerable library: concord/console2/node_modules/serialize-javascript/package.json

Dependency Hierarchy:

• react-scripts-3.4.0.tgz (Root Library)
  • terser-webpack-plugin-2.3.4.tgz
    • ❌ serialize-javascript-2.1.2.tgz (Vulnerable Library)

Vulnerability Details

serialize-javascript prior to 3.1.0 allows remote attackers to inject arbitrary code via the function "deleteFunctions" within "index.js".

Publish Date: 2020-06-01

URL: CVE-2020-7660

CVSS 3 Score Details (8.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7660

Release Date: 2020-06-01

Fix Resolution: serialize-javascript - 3.1.0

Vulnerable Library - jetty-io-9.4.26.v20200117.jar

The Eclipse Jetty Project

Library home page: http://www.eclipse.org/jetty

Path to dependency file: concord/docker-images/agent/pom.xml

Path to vulnerable library: /tmp/ws-ua_20200427143311_SKNJZT/downloadResource_PWLLDD/20200427143716/jetty-io-9.4.26.v20200117.jar

Dependency Hierarchy:

• concord-queue-client-1.48.2-SNAPSHOT.jar (Root Library)
  • jetty-client-9.4.26.v20200117.jar
    • ❌ jetty-io-9.4.26.v20200117.jar (Vulnerable Library)

Vulnerability Details

In Eclipse Jetty 7.2.2 to 9.4.38, 10.0.0.alpha0 to 10.0.1, and 11.0.0.alpha0 to 11.0.1, CPU usage can reach 100% upon receiving a large invalid TLS frame.

Publish Date: 2021-04-01

URL: CVE-2021-28165

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-26vr-8j45-3r4w

Release Date: 2021-04-01

Fix Resolution: org.eclipse.jetty:jetty-io:9.4.39, org.eclipse.jetty:jetty-io:10.0.2, org.eclipse.jetty:jetty-io:11.0.2

Vulnerable Library - elliptic-6.5.2.tgz

EC cryptography

Library home page: https://registry.npmjs.org/elliptic/-/elliptic-6.5.2.tgz

Path to dependency file: concord/console2/package.json

Path to vulnerable library: concord/console2/node_modules/elliptic/package.json

Dependency Hierarchy:

• react-scripts-3.4.0.tgz (Root Library)
  • webpack-4.41.5.tgz
    • node-libs-browser-2.2.1.tgz
      • crypto-browserify-3.12.0.tgz
        • browserify-sign-4.0.4.tgz
          • ❌ elliptic-6.5.2.tgz (Vulnerable Library)

Vulnerability Details

The package elliptic before 6.5.4 are vulnerable to Cryptographic Issues via the secp256k1 implementation in elliptic/ec/key.js. There is no check to confirm that the public key point passed into the derive function actually exists on the secp256k1 curve. This results in the potential for the private key used in this implementation to be revealed after a number of ECDH operations are performed.

Publish Date: 2021-02-02

URL: CVE-2020-28498

CVSS 3 Score Details (6.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: None
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28498

Release Date: 2021-02-02

Fix Resolution: v6.5.4

Vulnerable Library - bcprov-ext-jdk15on-1.64.jar

The Bouncy Castle Crypto package is a Java implementation of cryptographic algorithms. This jar contains JCE provider and lightweight API for the Bouncy Castle Cryptography APIs for JDK 1.5 to JDK 11. Note: this package includes the NTRU encryption algorithms.

Library home page: https://www.bouncycastle.org/java.html

Path to dependency file: concord/k8s/agent-operator/pom.xml

Path to vulnerable library: 20200427143311_SKNJZT/downloadResource_PWLLDD/20200427143719/bcprov-ext-jdk15on-1.64.jar

Dependency Hierarchy:

• ❌ bcprov-ext-jdk15on-1.64.jar (Vulnerable Library)

Vulnerability Details

Bouncy Castle through 1.68 is vulnerable to Denial of Service (DoS). The Dump.class file utilizes the FileInputStream object when reading from user-provided files, but doesn't close these streams properly.

Publish Date: 2019-12-24

URL: WS-2019-0509

CVSS 3 Score Details (5.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: None
  • Availability Impact: None

Vulnerable Library - jquery-1.7.1.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.7.1/jquery.min.js

Path to dependency file: concord/console2/node_modules/sockjs/examples/express/index.html

Path to vulnerable library: concord/console2/node_modules/sockjs/examples/express/index.html,concord/console2/node_modules/sockjs/examples/multiplex/index.html,concord/console2/node_modules/sockjs/examples/hapi/html/index.html,concord/console2/node_modules/sockjs/examples/echo/index.html,concord/console2/node_modules/sockjs/examples/express-3.x/index.html

Dependency Hierarchy:

• ❌ jquery-1.7.1.min.js (Vulnerable Library)

Vulnerability Details

jquery prior to 1.9.0 allows Cross-site Scripting attacks via the load method. The load method fails to recognize and remove "<script>" HTML tags that contain a whitespace character, i.e: "</script >", which results in the enclosed script logic to be executed.

Publish Date: 2020-05-19

URL: CVE-2020-7656

CVSS 3 Score Details (6.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: rails/jquery-rails@8f601cb

Release Date: 2020-05-19

Fix Resolution: jquery-rails - 2.2.0

Vulnerable Library - elliptic-6.5.2.tgz

EC cryptography

Library home page: https://registry.npmjs.org/elliptic/-/elliptic-6.5.2.tgz

Path to dependency file: concord/console2/package.json

Path to vulnerable library: concord/console2/node_modules/elliptic/package.json

Dependency Hierarchy:

• react-scripts-3.4.0.tgz (Root Library)
  • webpack-4.41.5.tgz
    • node-libs-browser-2.2.1.tgz
      • crypto-browserify-3.12.0.tgz
        • browserify-sign-4.0.4.tgz
          • ❌ elliptic-6.5.2.tgz (Vulnerable Library)

Vulnerability Details

The Elliptic package 6.5.2 for Node.js allows ECDSA signature malleability via variations in encoding, leading '\0' bytes, or integer overflows. This could conceivably have a security-relevant impact if an application relied on a single canonical signature.

Publish Date: 2020-06-04

URL: CVE-2020-13822

CVSS 3 Score Details (7.7)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: https://github.com/indutny/elliptic/tree/v6.5.3

Release Date: 2020-06-04

Fix Resolution: v6.5.3

Vulnerable Library - kind-of-6.0.2.tgz

Get the native type of a value.

Library home page: https://registry.npmjs.org/kind-of/-/kind-of-6.0.2.tgz

Path to dependency file: concord/console2/package.json

Path to vulnerable library: concord/console2/node_modules/extglob/node_modules/kind-of/package.json

Dependency Hierarchy:

• babel-cli-6.26.0.tgz (Root Library)
  • chokidar-1.7.0.tgz
    • anymatch-1.3.2.tgz
      • micromatch-2.3.11.tgz
        • braces-1.8.5.tgz
          • expand-range-1.8.2.tgz
            • fill-range-2.2.4.tgz
              • randomatic-3.1.1.tgz
                • ❌ kind-of-6.0.2.tgz (Vulnerable Library)

Found in HEAD commit: 7806eaf18a189ae2286f008983dbefd6aedd82c9

Vulnerability Details

ctorName in index.js in kind-of v6.0.2 allows external user input to overwrite certain internal attributes via a conflicting name, as demonstrated by 'constructor': {'name':'Symbol'}. Hence, a crafted payload can overwrite this builtin attribute to manipulate the type detection result.

Publish Date: 2019-12-30

URL: CVE-2019-20149

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: High
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-20149

Release Date: 2019-12-30

Fix Resolution: 6.0.3

Vulnerable Library - node-fetch-1.7.3.tgz

A light-weight module that brings window.fetch to node.js and io.js

Library home page: https://registry.npmjs.org/node-fetch/-/node-fetch-1.7.3.tgz

Path to dependency file: concord/console2/package.json

Path to vulnerable library: concord/console2/node_modules/node-fetch/package.json

Dependency Hierarchy:

• react-json-view-1.19.1.tgz (Root Library)
  • flux-3.1.3.tgz
    • fbjs-0.8.17.tgz
      • isomorphic-fetch-2.2.1.tgz
        • ❌ node-fetch-1.7.3.tgz (Vulnerable Library)

Vulnerability Details

node-fetch before versions 2.6.1 and 3.0.0-beta.9 did not honor the size option after following a redirect, which means that when a content size was over the limit, a FetchError would never get thrown and the process would end without failure. For most people, this fix will have a little or no impact. However, if you are relying on node-fetch to gate files above a size, the impact could be significant, for example: If you don't double-check the size of the data after fetch() has completed, your JS thread could get tied up doing work on a large file (DoS) and/or cost you money in computing.

Publish Date: 2020-09-10

URL: CVE-2020-15168

CVSS 3 Score Details (5.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: GHSA-w7rc-rwvf-8q5r

Release Date: 2020-07-21

Fix Resolution: 2.6.1,3.0.0-beta.9

Vulnerable Library - lodash-4.17.15.tgz

Lodash modular utilities.

Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.15.tgz

Path to dependency file: concord/console2/package.json

Path to vulnerable library: concord/console2/node_modules/semantic-ui-calendar-react/node_modules/lodash/package.json,concord/console2/node_modules/semantic-ui-calendar-react/node_modules/lodash/package.json

Dependency Hierarchy:

• ❌ lodash-4.17.15.tgz (Vulnerable Library)

Vulnerability Details

Prototype pollution attack when using _.zipObjectDeep in lodash before 4.17.20.

Publish Date: 2020-07-15

URL: CVE-2020-8203

CVSS 3 Score Details (7.4)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/1523

Release Date: 2020-07-23

Fix Resolution: lodash - 4.17.19

Vulnerable Library - handlebars-4.1.2.min.js

Handlebars provides the power necessary to let you build semantic templates effectively with no frustration

Library home page: https://cdnjs.cloudflare.com/ajax/libs/handlebars.js/4.1.2/handlebars.min.js

Path to dependency file: concord/examples/forms_wizard/forms/userWarning/index.html

Path to vulnerable library: concord/examples/forms_wizard/forms/userWarning/index.html,concord/examples/forms_wizard/forms/userData/index.html,concord/examples/form_l10n/forms/myOtherForm/index.html,concord/examples/custom_form/forms/myForm/index.html,concord/examples/dynamic_form_values/forms/myForm/index.html

Dependency Hierarchy:

• ❌ handlebars-4.1.2.min.js (Vulnerable Library)

Found in HEAD commit: 7806eaf18a189ae2286f008983dbefd6aedd82c9

Vulnerability Details

Arbitrary Code Execution vulnerability found in handlebars before 4.5.3. Lookup helper fails to validate templates. Attack may submit templates that execute arbitrary JavaScript in the system.It is due to an incomplete fix for a WS-2019-0331.

Publish Date: 2019-11-17

URL: WS-2019-0332

CVSS 2 Score Details (5.0)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/1324

Release Date: 2019-12-05

Fix Resolution: handlebars - 4.5.3

Vulnerability Details

Affected versions of yargs-parser are vulnerable to prototype pollution. Arguments are not properly sanitized, allowing an attacker to modify the prototype of Object, causing the addition or modification of an existing property that will exist on all objects. Parsing the argument --foo.proto.bar baz' adds a bar property with value baz to all objects. This is only exploitable if attackers have control over the arguments being passed to yargs-parser.

Publish Date: 2020-05-01

URL: WS-2020-0068

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Adjacent
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/package/yargs-parser

Release Date: 2020-05-04

Fix Resolution: https://www.npmjs.com/package/yargs-parser/v/18.1.2,https://www.npmjs.com/package/yargs-parser/v/15.0.1

Vulnerability Details

In jQuery versions greater than or equal to 1.0.3 and before 3.5.0, passing HTML containing elements from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.

Publish Date: 2020-04-29

URL: CVE-2020-11023

CVSS 3 Score Details (6.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11023

Release Date: 2020-04-29

Fix Resolution: jquery - 3.5.0

Vulnerable Library - jetty-http-9.4.26.v20200117.jar

The Eclipse Jetty Project

Library home page: http://www.eclipse.org/jetty

Path to dependency file: concord/docker-images/agent/pom.xml

Path to vulnerable library: /tmp/ws-ua_20200427143311_SKNJZT/downloadResource_PWLLDD/20200427143716/jetty-http-9.4.26.v20200117.jar

Dependency Hierarchy:

• concord-queue-client-1.48.2-SNAPSHOT.jar (Root Library)
  • jetty-client-9.4.26.v20200117.jar
    • ❌ jetty-http-9.4.26.v20200117.jar (Vulnerable Library)

Vulnerability Details

In Eclipse Jetty 9.4.6.v20170531 to 9.4.36.v20210114 (inclusive), 10.0.0, and 11.0.0 when Jetty handles a request containing multiple Accept headers with a large number of ???quality??? (i.e. q) parameters, the server may enter a denial of service (DoS) state due to high CPU usage processing those quality values, resulting in minutes of CPU time exhausted processing those quality values.

Publish Date: 2021-02-26

URL: CVE-2020-27223

CVSS 3 Score Details (5.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: GHSA-m394-8rww-3jr7

Release Date: 2021-02-26

Fix Resolution: org.eclipse.jetty:jetty-http:9.4.37.v20210219, org.eclipse.jetty:jetty-http:10.0.1, org.eclipse.jetty:jetty-http:11.0.1

Vulnerable Library - lodash-es-4.17.11.tgz

Lodash exported as ES modules.

Library home page: https://registry.npmjs.org/lodash-es/-/lodash-es-4.17.11.tgz

Path to dependency file: concord/console2/package.json

Path to vulnerable library: concord/console2/node_modules/lodash-es/package.json

Dependency Hierarchy:

• redux-logger-3.0.7.tgz (Root Library)
  • redux-3.7.2.tgz
    • ❌ lodash-es-4.17.11.tgz (Vulnerable Library)

Vulnerability Details

Versions of lodash lower than 4.17.12 are vulnerable to Prototype Pollution. The function defaultsDeep could be tricked into adding or modifying properties of Object.prototype using a constructor payload.

Publish Date: 2019-07-26

URL: CVE-2019-10744

CVSS 3 Score Details (9.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-jf85-cpcp-j695

Release Date: 2019-07-08

Fix Resolution: lodash-4.17.12, lodash-amd-4.17.12, lodash-es-4.17.12, lodash.defaultsdeep-4.6.1, lodash.merge- 4.6.2, lodash.mergewith-4.6.2, lodash.template-4.5.0

Vulnerable Libraries - snakeyaml-1.13.jar, snakeyaml-1.24.jar

Found in HEAD commit: 7806eaf18a189ae2286f008983dbefd6aedd82c9

Vulnerability Details

The Alias feature in SnakeYAML 1.18 allows entity expansion during a load operation, a related issue to CVE-2003-1564.

Publish Date: 2019-12-12

URL: CVE-2017-18640

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18640

Release Date: 2019-12-12

Fix Resolution: org.yaml:snakeyaml:1.26

Vulnerable Libraries - minimist-1.2.0.tgz, minimist-0.0.8.tgz

Found in HEAD commit: 7806eaf18a189ae2286f008983dbefd6aedd82c9

Vulnerability Details

minimist before 1.2.2 could be tricked into adding or modifying properties of Object.prototype using a "constructor" or "proto" payload.

Publish Date: 2020-03-11

URL: CVE-2020-7598

CVSS 3 Score Details (5.6)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: https://github.com/substack/minimist/commit/63e7ed05aa4b1889ec2f3b196426db4500cbda94

Release Date: 2020-03-11

Fix Resolution: minimist - 0.2.1,1.2.3

Vulnerable Libraries - jquery-3.3.1.min.js, jquery-3.2.1.min.js

Found in HEAD commit: 7806eaf18a189ae2286f008983dbefd6aedd82c9

Vulnerability Details

jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. If an unsanitized source object contained an enumerable proto property, it could extend the native Object.prototype.

Publish Date: 2019-04-20

URL: CVE-2019-11358

CVSS 3 Score Details (6.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11358

Release Date: 2019-04-20

Fix Resolution: 3.4.0

Vulnerable Library - braces-1.8.5.tgz

Fastest brace expansion for node.js, with the most complete support for the Bash 4.3 braces specification.

Library home page: https://registry.npmjs.org/braces/-/braces-1.8.5.tgz

Path to dependency file: concord/console2/package.json

Path to vulnerable library: concord/console2/node_modules/babel-cli/node_modules/braces/package.json

Dependency Hierarchy:

• babel-cli-6.26.0.tgz (Root Library)
  • chokidar-1.7.0.tgz
    • anymatch-1.3.2.tgz
      • micromatch-2.3.11.tgz
        • ❌ braces-1.8.5.tgz (Vulnerable Library)

Found in HEAD commit: 7806eaf18a189ae2286f008983dbefd6aedd82c9

Vulnerability Details

Version of braces prior to 2.3.1 are vulnerable to Regular Expression Denial of Service (ReDoS). Untrusted input may cause catastrophic backtracking while matching regular expressions. This can cause the application to be unresponsive leading to Denial of Service.

Publish Date: 2018-02-16

URL: WS-2019-0019

CVSS 2 Score Details (5.0)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/786

Release Date: 2019-02-21

Fix Resolution: 2.3.1

Vulnerable Library - cron-utils-9.0.2.jar

A Java library to parse, migrate and validate crons as well as describe them in human readable language

Library home page: http://cron-parser.com/

Path to dependency file: concord/server/impl/pom.xml

Path to vulnerable library: 20200427143311_SKNJZT/downloadResource_PWLLDD/20200427143726/cron-utils-9.0.2.jar

Dependency Hierarchy:

• ❌ cron-utils-9.0.2.jar (Vulnerable Library)

Vulnerability Details

Cron-utils is a Java library to parse, validate, migrate crons as well as get human readable descriptions for them. In cron-utils before version 9.1.3, a template Injection vulnerability is present. This enables attackers to inject arbitrary Java EL expressions, leading to unauthenticated Remote Code Execution (RCE) vulnerability. Only projects using the @Cron annotation to validate untrusted Cron expressions are affected. This issue was patched in version 9.1.3.

Publish Date: 2020-11-25

URL: CVE-2020-26238

CVSS 3 Score Details (8.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-pfj3-56hm-jwq5

Release Date: 2020-11-25

Fix Resolution: com.cronutils:cron-utils:9.1.3

Vulnerable Library - commons-codec-1.11.jar

The Apache Commons Codec package contains simple encoder and decoders for various formats such as Base64 and Hexadecimal. In addition to these widely used encoders and decoders, the codec package also maintains a collection of phonetic encoding utilities.

Dependency Hierarchy:

• maven-resolver-transport-http-1.4.1.jar (Root Library)
  • httpclient-4.5.11.jar
    • ❌ commons-codec-1.11.jar (Vulnerable Library)

Found in HEAD commit: 7806eaf18a189ae2286f008983dbefd6aedd82c9

Vulnerability Details

Apache commons-codec before version “commons-codec-1.13-RC1” is vulnerable to information disclosure due to Improper Input validation.

Publish Date: 2019-05-20

URL: WS-2019-0379

CVSS 3 Score Details (6.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: apache/commons-codec@48b6157

Release Date: 2019-05-20

Fix Resolution: commons-codec:commons-codec:1.13

Vulnerable Library - handlebars-4.1.2.min.js

Handlebars provides the power necessary to let you build semantic templates effectively with no frustration

Library home page: https://cdnjs.cloudflare.com/ajax/libs/handlebars.js/4.1.2/handlebars.min.js

Path to dependency file: concord/examples/forms_wizard/forms/userWarning/index.html

Path to vulnerable library: concord/examples/forms_wizard/forms/userWarning/index.html,concord/examples/forms_wizard/forms/userData/index.html,concord/examples/form_l10n/forms/myOtherForm/index.html,concord/examples/custom_form/forms/myForm/index.html,concord/examples/dynamic_form_values/forms/myForm/index.html

Dependency Hierarchy:

• ❌ handlebars-4.1.2.min.js (Vulnerable Library)

Found in HEAD commit: 7806eaf18a189ae2286f008983dbefd6aedd82c9

Vulnerability Details

Arbitrary Code Execution vulnerability found in handlebars before 4.5.2. Lookup helper fails to validate templates. Attack may submit templates that execute arbitrary JavaScript in the system.

Publish Date: 2019-11-13

URL: WS-2019-0331

CVSS 2 Score Details (5.0)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/1316

Release Date: 2019-12-05

Fix Resolution: handlebars - 4.5.2

Vulnerable Library - sockjs-0.3.19.tgz

SockJS-node is a server counterpart of SockJS-client a JavaScript library that provides a WebSocket-like object in the browser. SockJS gives you a coherent, cross-browser, Javascript API which creates a low latency, full duplex, cross-domain communication

Library home page: https://registry.npmjs.org/sockjs/-/sockjs-0.3.19.tgz

Path to dependency file: concord/console2/package.json

Path to vulnerable library: concord/console2/node_modules/sockjs/package.json

Dependency Hierarchy:

• react-scripts-3.4.0.tgz (Root Library)
  • webpack-dev-server-3.10.2.tgz
    • ❌ sockjs-0.3.19.tgz (Vulnerable Library)

Vulnerability Details

Incorrect handling of Upgrade header with the value websocket leads in crashing of containers hosting sockjs apps. This affects the package sockjs before 0.3.20.

Publish Date: 2020-07-09

URL: CVE-2020-7693

CVSS 3 Score Details (5.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: sockjs/sockjs-node#265

Release Date: 2020-07-09

Fix Resolution: sockjs - 0.3.20