mohib-hub / ignite Goto Github PK

Vulnerable Library - dot-prop-4.2.0.tgz

Get, set, or delete a property from a nested object using a dot path

Library home page: https://registry.npmjs.org/dot-prop/-/dot-prop-4.2.0.tgz

Path to dependency file: Ignite/package.json

Path to vulnerable library: Ignite/node_modules/configstore/node_modules/dot-prop/package.json

Dependency Hierarchy:

• webpack-serve-2.0.3.tgz (Root Library)
  • update-notifier-2.5.0.tgz
    • configstore-3.1.2.tgz
      • ❌ dot-prop-4.2.0.tgz (Vulnerable Library)

Found in HEAD commit: ade094b70b6953c275aa16a8b62557eedf10feb7

Vulnerability Details

Prototype pollution vulnerability in dot-prop npm package versions before 4.2.1 and versions 5.x before 5.1.1 allows an attacker to add arbitrary properties to JavaScript language constructs such as objects.

Publish Date: 2020-02-04

URL: CVE-2020-8116

CVSS 3 Score Details (7.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8116

Release Date: 2020-02-04

Fix Resolution: dot-prop - 5.1.1

Vulnerable Library - property-expr-1.5.1.tgz

tiny util for getting and setting deep object props safely

Library home page: https://registry.npmjs.org/property-expr/-/property-expr-1.5.1.tgz

Path to dependency file: Ignite/package.json

Path to vulnerable library: Ignite/node_modules/property-expr/package.json

Dependency Hierarchy:

• lint-staged-8.2.1.tgz (Root Library)
  • yup-0.27.0.tgz
    • ❌ property-expr-1.5.1.tgz (Vulnerable Library)

Vulnerability Details

The package property-expr before 2.0.3 are vulnerable to Prototype Pollution via the setter function.

Publish Date: 2020-08-18

URL: CVE-2020-7707

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7707

Release Date: 2020-07-21

Fix Resolution: property-expr - 2.0.3

Vulnerable Library - jquery-1.9.1.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.9.1/jquery.js

Path to dependency file: Ignite/node_modules/tinycolor2/test/index.html

Path to vulnerable library: Ignite/node_modules/tinycolor2/test/../demo/jquery-1.9.1.js,Ignite/node_modules/tinycolor2/demo/jquery-1.9.1.js

Dependency Hierarchy:

• ❌ jquery-1.9.1.js (Vulnerable Library)

Vulnerability Details

In jQuery versions greater than or equal to 1.2 and before 3.5.0, passing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.

Publish Date: 2020-04-29

URL: CVE-2020-11022

CVSS 3 Score Details (6.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/

Release Date: 2020-04-29

Fix Resolution: jQuery - 3.5.0

Vulnerable Library - elliptic-6.5.2.tgz

EC cryptography

Library home page: https://registry.npmjs.org/elliptic/-/elliptic-6.5.2.tgz

Path to dependency file: Ignite/package.json

Path to vulnerable library: Ignite/node_modules/elliptic/package.json

Dependency Hierarchy:

• webpack-4.42.0.tgz (Root Library)
  • node-libs-browser-2.2.1.tgz
    • crypto-browserify-3.12.0.tgz
      • browserify-sign-4.0.4.tgz
        • ❌ elliptic-6.5.2.tgz (Vulnerable Library)

Vulnerability Details

The package elliptic before 6.5.4 are vulnerable to Cryptographic Issues via the secp256k1 implementation in elliptic/ec/key.js. There is no check to confirm that the public key point passed into the derive function actually exists on the secp256k1 curve. This results in the potential for the private key used in this implementation to be revealed after a number of ECDH operations are performed.

Publish Date: 2021-02-02

URL: CVE-2020-28498

CVSS 3 Score Details (6.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: None
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28498

Release Date: 2021-02-02

Fix Resolution: v6.5.4

Vulnerable Library - node-fetch-2.5.0.tgz

A light-weight module that brings window.fetch to node.js

Library home page: https://registry.npmjs.org/node-fetch/-/node-fetch-2.5.0.tgz

Path to dependency file: Ignite/package.json

Path to vulnerable library: Ignite/node_modules/node-fetch/package.json

Dependency Hierarchy:

• auto-5.0.1.tgz (Root Library)
  • ❌ node-fetch-2.5.0.tgz (Vulnerable Library)

Vulnerability Details

node-fetch before versions 2.6.1 and 3.0.0-beta.9 did not honor the size option after following a redirect, which means that when a content size was over the limit, a FetchError would never get thrown and the process would end without failure. For most people, this fix will have a little or no impact. However, if you are relying on node-fetch to gate files above a size, the impact could be significant, for example: If you don't double-check the size of the data after fetch() has completed, your JS thread could get tied up doing work on a large file (DoS) and/or cost you money in computing.

Publish Date: 2020-09-10

URL: CVE-2020-15168

CVSS 3 Score Details (5.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: GHSA-w7rc-rwvf-8q5r

Release Date: 2020-07-21

Fix Resolution: 2.6.1,3.0.0-beta.9

Vulnerable Library - mem-3.0.1.tgz

Memoize functions - An optimization used to speed up consecutive function calls by caching the result of calls with identical input

Library home page: https://registry.npmjs.org/mem/-/mem-3.0.1.tgz

Path to dependency file: Ignite/package.json

Path to vulnerable library: Ignite/node_modules/webpack-serve/node_modules/mem/package.json

Dependency Hierarchy:

• webpack-serve-2.0.3.tgz (Root Library)
  • ❌ mem-3.0.1.tgz (Vulnerable Library)

Found in HEAD commit: ade094b70b6953c275aa16a8b62557eedf10feb7

Vulnerability Details

In 'mem' before v4.0.0 there is a Denial of Service (DoS) vulnerability as a result of a failure in removal old values from the cache.

Publish Date: 2018-08-27

URL: WS-2019-0307

CVSS 3 Score Details (5.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Local
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: None
  • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/1084

Release Date: 2019-12-01

Fix Resolution: mem - 4.0.0

Vulnerability Details

Affected versions of yargs-parser are vulnerable to prototype pollution. Arguments are not properly sanitized, allowing an attacker to modify the prototype of Object, causing the addition or modification of an existing property that will exist on all objects. Parsing the argument --foo.proto.bar baz' adds a bar property with value baz to all objects. This is only exploitable if attackers have control over the arguments being passed to yargs-parser.

Publish Date: 2020-05-01

URL: WS-2020-0068

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Adjacent
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/package/yargs-parser

Release Date: 2020-05-04

Fix Resolution: https://www.npmjs.com/package/yargs-parser/v/18.1.2,https://www.npmjs.com/package/yargs-parser/v/15.0.1

Vulnerable Library - braces-1.8.5.tgz

Fastest brace expansion for node.js, with the most complete support for the Bash 4.3 braces specification.

Library home page: https://registry.npmjs.org/braces/-/braces-1.8.5.tgz

Path to dependency file: /tmp/ws-scm/Ignite/package.json

Path to vulnerable library: /tmp/ws-scm/Ignite/node_modules/jest-config/node_modules/braces/package.json

Dependency Hierarchy:

• babel-jest-23.6.0.tgz (Root Library)
  • babel-plugin-istanbul-4.1.6.tgz
    • test-exclude-4.2.3.tgz
      • micromatch-2.3.11.tgz
        • ❌ braces-1.8.5.tgz (Vulnerable Library)

Found in HEAD commit: ade094b70b6953c275aa16a8b62557eedf10feb7

Vulnerability Details

Version of braces prior to 2.3.1 are vulnerable to Regular Expression Denial of Service (ReDoS). Untrusted input may cause catastrophic backtracking while matching regular expressions. This can cause the application to be unresponsive leading to Denial of Service.

Publish Date: 2019-03-25

URL: WS-2019-0019

CVSS 2 Score Details (5.0)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/786

Release Date: 2019-02-21

Fix Resolution: 2.3.1

Vulnerable Libraries - yargs-parser-10.1.0.tgz, yargs-parser-11.1.1.tgz, yargs-parser-9.0.2.tgz

Found in HEAD commit: ade094b70b6953c275aa16a8b62557eedf10feb7

Vulnerability Details

yargs-parser could be tricked into adding or modifying properties of Object.prototype using a "proto" payload.

Publish Date: 2020-03-16

URL: CVE-2020-7608

CVSS 3 Score Details (5.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Local
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7608

Release Date: 2020-03-16

Fix Resolution: v18.1.1;13.1.2;15.0.1

Vulnerable Library - jquery-1.9.1.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.9.1/jquery.js

Path to dependency file: Ignite/node_modules/tinycolor2/test/index.html

Path to vulnerable library: Ignite/node_modules/tinycolor2/test/../demo/jquery-1.9.1.js,Ignite/node_modules/tinycolor2/demo/jquery-1.9.1.js

Dependency Hierarchy:

• ❌ jquery-1.9.1.js (Vulnerable Library)

Found in HEAD commit: ade094b70b6953c275aa16a8b62557eedf10feb7

Vulnerability Details

jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. If an unsanitized source object contained an enumerable proto property, it could extend the native Object.prototype.

Publish Date: 2019-04-20

URL: CVE-2019-11358

CVSS 3 Score Details (6.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11358

Release Date: 2019-04-20

Fix Resolution: 3.4.0

Vulnerable Library - jquery-1.9.1.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.9.1/jquery.js

Path to dependency file: Ignite/node_modules/tinycolor2/test/index.html

Path to vulnerable library: Ignite/node_modules/tinycolor2/test/../demo/jquery-1.9.1.js,Ignite/node_modules/tinycolor2/demo/jquery-1.9.1.js

Dependency Hierarchy:

• ❌ jquery-1.9.1.js (Vulnerable Library)

Vulnerability Details

In jQuery versions greater than or equal to 1.0.3 and before 3.5.0, passing HTML containing elements from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.

Publish Date: 2020-04-29

URL: CVE-2020-11023

CVSS 3 Score Details (6.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11023

Release Date: 2020-04-29

Fix Resolution: jquery - 3.5.0

Vulnerable Library - gitlog-3.2.0.tgz

Git log parser for Node.JS

Library home page: https://registry.npmjs.org/gitlog/-/gitlog-3.2.0.tgz

Path to dependency file: Ignite/package.json

Path to vulnerable library: Ignite/node_modules/gitlog/package.json

Dependency Hierarchy:

• auto-5.0.1.tgz (Root Library)
  • ❌ gitlog-3.2.0.tgz (Vulnerable Library)

Vulnerability Details

The gitlog function in src/index.ts in gitlog before 4.0.4 has a command injection vulnerability.

Publish Date: 2021-02-08

URL: CVE-2021-26541

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-26541

Release Date: 2021-02-08

Fix Resolution: v4.0.4

Vulnerable Library - decompress-4.2.0.tgz

Extracting archives made easy

Library home page: https://registry.npmjs.org/decompress/-/decompress-4.2.0.tgz

Path to dependency file: Ignite/package.json

Path to vulnerable library: Ignite/node_modules/decompress/package.json

Dependency Hierarchy:

• image-webpack-loader-4.6.0.tgz (Root Library)
  • imagemin-gifsicle-6.0.1.tgz
    • gifsicle-4.0.1.tgz
      • bin-build-3.0.0.tgz
        • ❌ decompress-4.2.0.tgz (Vulnerable Library)

Vulnerability Details

The decompress package before 4.2.1 for Node.js is vulnerable to Arbitrary File Write via ../ in an archive member, when a symlink is used, because of Directory Traversal.

Publish Date: 2020-04-26

URL: CVE-2020-12265

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12265

Release Date: 2020-04-26

Fix Resolution: 4.2.1

Vulnerable Library - jpeg-js-0.3.7.tgz

A pure javascript JPEG encoder and decoder

Library home page: https://registry.npmjs.org/jpeg-js/-/jpeg-js-0.3.7.tgz

Path to dependency file: Ignite/package.json

Path to vulnerable library: Ignite/node_modules/@jimp/jpeg/node_modules/jpeg-js/package.json

Dependency Hierarchy:

• lqip-loader-2.2.0.tgz (Root Library)
  • lqip-2.1.0.tgz
    • node-vibrant-3.1.5.tgz
      • types-0.9.6.tgz
        • jpeg-0.9.6.tgz
          • ❌ jpeg-js-0.3.7.tgz (Vulnerable Library)

Vulnerability Details

Uncontrolled resource consumption in jpeg-js before 0.4.0 may allow attacker to launch denial of service attacks using specially a crafted JPEG image.

Publish Date: 2020-07-24

URL: CVE-2020-8175

CVSS 3 Score Details (5.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Local
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8175

Release Date: 2020-07-21

Fix Resolution: 0.4.0

Vulnerable Library - lodash-4.17.15.tgz

Lodash modular utilities.

Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.15.tgz

Path to dependency file: /tmp/ws-scm/Ignite/package.json

Path to vulnerable library: /tmp/ws-scm/Ignite/node_modules/lodash/package.json

Dependency Hierarchy:

• cli-7.2.0.tgz (Root Library)
  • ❌ lodash-4.17.15.tgz (Vulnerable Library)

Vulnerability Details

a prototype pollution vulnerability in lodash. It allows an attacker to inject properties on Object.prototype

Publish Date: 2020-04-28

URL: WS-2020-0070

CVSS 3 Score Details (8.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Vulnerable Library - mem-3.0.1.tgz

Memoize functions - An optimization used to speed up consecutive function calls by caching the result of calls with identical input

Library home page: https://registry.npmjs.org/mem/-/mem-3.0.1.tgz

Path to dependency file: /tmp/ws-scm/Ignite/package.json

Path to vulnerable library: /tmp/ws-scm/Ignite/node_modules/webpack-serve/node_modules/mem/package.json

Dependency Hierarchy:

• webpack-serve-2.0.3.tgz (Root Library)
  • ❌ mem-3.0.1.tgz (Vulnerable Library)

Found in HEAD commit: ade094b70b6953c275aa16a8b62557eedf10feb7

Vulnerability Details

In nodejs-mem before version 4.0.0 there is a memory leak due to old results not being removed from the cache despite reaching maxAge. Exploitation of this can lead to exhaustion of memory and subsequent denial of service.

Publish Date: 2019-05-30

URL: WS-2018-0236

CVSS 2 Score Details (5.5)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: https://bugzilla.redhat.com/show_bug.cgi?id=1623744

Release Date: 2019-05-30

Fix Resolution: 4.0.0

Vulnerable Library - lodash-4.17.15.tgz

Lodash modular utilities.

Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.15.tgz

Path to dependency file: Ignite/package.json

Path to vulnerable library: Ignite/node_modules/lodash/package.json

Dependency Hierarchy:

• cli-7.2.0.tgz (Root Library)
  • ❌ lodash-4.17.15.tgz (Vulnerable Library)

Vulnerability Details

Prototype pollution attack when using _.zipObjectDeep in lodash before 4.17.20.

Publish Date: 2020-07-15

URL: CVE-2020-8203

CVSS 3 Score Details (7.4)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/1523

Release Date: 2020-07-23

Fix Resolution: lodash - 4.17.19

Vulnerable Library - elliptic-6.5.2.tgz

EC cryptography

Library home page: https://registry.npmjs.org/elliptic/-/elliptic-6.5.2.tgz

Path to dependency file: Ignite/package.json

Path to vulnerable library: Ignite/node_modules/elliptic/package.json

Dependency Hierarchy:

• webpack-4.42.0.tgz (Root Library)
  • node-libs-browser-2.2.1.tgz
    • crypto-browserify-3.12.0.tgz
      • browserify-sign-4.0.4.tgz
        • ❌ elliptic-6.5.2.tgz (Vulnerable Library)

Vulnerability Details

all versions of elliptic are vulnerable to Timing Attack through side-channels.

Publish Date: 2019-11-13

URL: WS-2019-0424

CVSS 3 Score Details (5.9)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Adjacent
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: High
  • Availability Impact: None

Vulnerability Details

serialize-javascript prior to 3.1.0 allows remote attackers to inject arbitrary code via the function "deleteFunctions" within "index.js".

Publish Date: 2020-06-01

URL: CVE-2020-7660

CVSS 3 Score Details (8.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7660

Release Date: 2020-06-01

Fix Resolution: serialize-javascript - 3.1.0

Vulnerable Library - decompress-4.2.0.tgz

Extracting archives made easy

Library home page: https://registry.npmjs.org/decompress/-/decompress-4.2.0.tgz

Path to dependency file: Ignite/package.json

Path to vulnerable library: Ignite/node_modules/decompress/package.json

Dependency Hierarchy:

• image-webpack-loader-4.6.0.tgz (Root Library)
  • imagemin-gifsicle-6.0.1.tgz
    • gifsicle-4.0.1.tgz
      • bin-build-3.0.0.tgz
        • ❌ decompress-4.2.0.tgz (Vulnerable Library)

Found in HEAD commit: ade094b70b6953c275aa16a8b62557eedf10feb7

Vulnerability Details

decompress in all its versions is vulnerable to arbitrary file write. the package fails to prevent an extraction of files with relative paths which allows attackers to write to any folder in the system.

Publish Date: 2020-03-08

URL: WS-2020-0044

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: High
  • Availability Impact: None

Vulnerable Library - serialize-javascript-1.9.1.tgz

Serialize JavaScript to a superset of JSON that includes regular expressions and functions.

Library home page: https://registry.npmjs.org/serialize-javascript/-/serialize-javascript-1.9.1.tgz

Path to dependency file: Ignite/package.json

Path to vulnerable library: Ignite/node_modules/serialize-javascript/package.json

Dependency Hierarchy:

• copy-webpack-plugin-4.6.0.tgz (Root Library)
  • ❌ serialize-javascript-1.9.1.tgz (Vulnerable Library)

Found in HEAD commit: ade094b70b6953c275aa16a8b62557eedf10feb7

Vulnerability Details

The serialize-javascript npm package before version 2.1.1 is vulnerable to Cross-site Scripting (XSS). It does not properly mitigate against unsafe characters in serialized regular expressions. This vulnerability is not affected on Node.js environment since Node.js's implementation of RegExp.prototype.toString() backslash-escapes all forward slashes in regular expressions. If serialized data of regular expression objects are used in an environment other than Node.js, it is affected by this vulnerability.

Publish Date: 2019-12-05

URL: CVE-2019-16769

CVSS 3 Score Details (5.4)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: Required
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16769

Release Date: 2019-12-05

Fix Resolution: v2.1.1

Vulnerable Library - puppeteer-1.8.0.tgz

A high-level API to control headless Chrome over the DevTools Protocol

Library home page: https://registry.npmjs.org/puppeteer/-/puppeteer-1.8.0.tgz

Path to dependency file: Ignite/package.json

Path to vulnerable library: Ignite/node_modules/puppeteer/package.json

Dependency Hierarchy:

• ❌ puppeteer-1.8.0.tgz (Vulnerable Library)

Found in HEAD commit: ade094b70b6953c275aa16a8b62557eedf10feb7

Vulnerability Details

Object lifetime issue in Blink in Google Chrome prior to 72.0.3626.121 allowed a remote attacker to potentially perform out of bounds memory access via a crafted HTML page.

Publish Date: 2019-06-27

URL: CVE-2019-5786

CVSS 3 Score Details (6.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://chromereleases.googleblog.com/2019/03/stable-channel-update-for-desktop.html

Release Date: 2019-03-01

Fix Resolution: 72.0.3626.121

Vulnerable Library - elliptic-6.5.2.tgz

EC cryptography

Library home page: https://registry.npmjs.org/elliptic/-/elliptic-6.5.2.tgz

Path to dependency file: Ignite/package.json

Path to vulnerable library: Ignite/node_modules/elliptic/package.json

Dependency Hierarchy:

• webpack-4.42.0.tgz (Root Library)
  • node-libs-browser-2.2.1.tgz
    • crypto-browserify-3.12.0.tgz
      • browserify-sign-4.0.4.tgz
        • ❌ elliptic-6.5.2.tgz (Vulnerable Library)

Vulnerability Details

The Elliptic package 6.5.2 for Node.js allows ECDSA signature malleability via variations in encoding, leading '\0' bytes, or integer overflows. This could conceivably have a security-relevant impact if an application relied on a single canonical signature.

Publish Date: 2020-06-04

URL: CVE-2020-13822

CVSS 3 Score Details (7.7)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: https://github.com/indutny/elliptic/tree/v6.5.3

Release Date: 2020-06-04

Fix Resolution: v6.5.3

Vulnerable Library - bl-1.2.2.tgz

Buffer List: collect buffers and access with a standard readable Buffer interface, streamable too!

Library home page: https://registry.npmjs.org/bl/-/bl-1.2.2.tgz

Path to dependency file: Ignite/package.json

Path to vulnerable library: Ignite/node_modules/bl/package.json

Dependency Hierarchy:

• image-webpack-loader-4.6.0.tgz (Root Library)
  • imagemin-gifsicle-6.0.1.tgz
    • gifsicle-4.0.1.tgz
      • bin-build-3.0.0.tgz
        • decompress-4.2.0.tgz
          • decompress-tar-4.1.1.tgz
            • tar-stream-1.6.2.tgz
              • ❌ bl-1.2.2.tgz (Vulnerable Library)

Vulnerability Details

A buffer over-read vulnerability exists in bl <4.0.3, <3.0.1, <2.2.1, and <1.2.3 which could allow an attacker to supply user input (even typed) that if it ends up in consume() argument and can become negative, the BufferList state can be corrupted, tricking it into exposing uninitialized memory via regular .slice() calls.

Publish Date: 2020-08-30

URL: CVE-2020-8244

CVSS 3 Score Details (6.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: None
  • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8244

Release Date: 2020-07-21

Fix Resolution: 2.2.1,3.0.1,4.0.3

Vulnerable Library - jquery-1.9.1.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.9.1/jquery.js

Path to dependency file: Ignite/node_modules/tinycolor2/test/index.html

Path to vulnerable library: Ignite/node_modules/tinycolor2/test/../demo/jquery-1.9.1.js,Ignite/node_modules/tinycolor2/demo/jquery-1.9.1.js

Dependency Hierarchy:

• ❌ jquery-1.9.1.js (Vulnerable Library)

Found in HEAD commit: ade094b70b6953c275aa16a8b62557eedf10feb7

Vulnerability Details

jQuery before 3.0.0 is vulnerable to Cross-site Scripting (XSS) attacks when a cross-domain Ajax request is performed without the dataType option, causing text/javascript responses to be executed.

Publish Date: 2018-01-18

URL: CVE-2015-9251

CVSS 3 Score Details (6.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2015-9251

Release Date: 2018-01-18

Fix Resolution: jQuery - v3.0.0

Vulnerable Library - merge-1.2.1.tgz

Merge multiple objects into one, optionally creating a new cloned object. Similar to the jQuery.extend but more flexible. Works in Node.js and the browser.

Library home page: https://registry.npmjs.org/merge/-/merge-1.2.1.tgz

Path to dependency file: Ignite/package.json

Path to vulnerable library: Ignite/node_modules/merge/package.json

Dependency Hierarchy:

• jest-23.6.0.tgz (Root Library)
  • jest-cli-23.6.0.tgz
    • jest-haste-map-23.6.0.tgz
      • sane-2.5.2.tgz
        • exec-sh-0.2.2.tgz
          • ❌ merge-1.2.1.tgz (Vulnerable Library)

Vulnerability Details

A Prototype Pollution vulnerability was found in merge before 2.1.0 via the merge.recursive function. It can be tricked into adding or modifying properties of the Object prototype. These properties will be present on all objects.

Publish Date: 2020-10-09

URL: WS-2020-0218

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: swordev/merge#38

Release Date: 2020-10-09

Fix Resolution: merge - 2.1.0

Vulnerable Library - highlight.js-9.18.1.tgz

Syntax highlighting with language autodetection.

Library home page: https://registry.npmjs.org/highlight.js/-/highlight.js-9.18.1.tgz

Path to dependency file: Ignite/package.json

Path to vulnerable library: Ignite/node_modules/highlight.js/package.json

Dependency Hierarchy:

• ❌ highlight.js-9.18.1.tgz (Vulnerable Library)

Vulnerability Details

If are you are using Highlight.js to highlight user-provided data you are possibly vulnerable. On the client-side (in a browser or Electron environment) risks could include lengthy freezes or crashes... On the server-side infinite freezes could occur... effectively preventing users from accessing your app or service (ie, Denial of Service). This is an issue with grammars shipped with the parser (and potentially 3rd party grammars also), not the parser itself. If you are using Highlight.js with any of the following grammars you are vulnerable. If you are using highlightAuto to detect the language (and have any of these grammars registered) you are vulnerable.

Publish Date: 2020-12-04

URL: WS-2020-0208

CVSS 3 Score Details (5.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: None
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://github.com/highlightjs/highlight.js/tree/10.4.1

Release Date: 2020-12-04

Fix Resolution: 10.4.1

Vulnerable Libraries - minimist-0.0.8.tgz, minimist-1.1.3.tgz

Found in HEAD commit: ade094b70b6953c275aa16a8b62557eedf10feb7

Vulnerability Details

minimist before 1.2.2 could be tricked into adding or modifying properties of Object.prototype using a "constructor" or "proto" payload.

Publish Date: 2020-03-11

URL: CVE-2020-7598

CVSS 3 Score Details (5.6)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: https://github.com/substack/minimist/commit/63e7ed05aa4b1889ec2f3b196426db4500cbda94

Release Date: 2020-03-11

Fix Resolution: minimist - 0.2.1,1.2.3

Vulnerable Library - url-regex-3.2.0.tgz

Regular expression for matching URLs

Library home page: https://registry.npmjs.org/url-regex/-/url-regex-3.2.0.tgz

Path to dependency file: Ignite/package.json

Path to vulnerable library: Ignite/node_modules/url-regex/package.json

Dependency Hierarchy:

• lqip-loader-2.2.0.tgz (Root Library)
  • lqip-2.1.0.tgz
    • jimp-0.2.28.tgz
      • ❌ url-regex-3.2.0.tgz (Vulnerable Library)

Vulnerability Details

all versions of url-regex are vulnerable to Regular Expression Denial of Service. An attacker providing a very long string in String.test can cause a Denial of Service.

Publish Date: 2020-06-04

URL: CVE-2020-7661

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High