nexmo-community / anonymous-voice-proxy-glitch-server Goto Github PK
View Code? Open in Web Editor NEWExample code for anonymous voice proxy blog post [JavaScript / Express / Glitch]
License: MIT License
anonymous-voice-proxy-glitch-server's Introduction
anonymous-voice-proxy-glitch-server's People
Contributors
Stargazers
Watchers
anonymous-voice-proxy-glitch-server's Issues
express-4.16.3.tgz: 2 vulnerabilities (highest severity is: 7.5)
Vulnerable Library - express-4.16.3.tgz
Fast, unopinionated, minimalist web framework
Library home page: https://registry.npmjs.org/express/-/express-4.16.3.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Vulnerabilities
| CVE | Severity |  CVSS |
Dependency | Type | Fixed in (express version) | Remediation Possible** |
|---|---|---|---|---|---|---|
| CVE-2022-24999 |  High |
7.5 | qs-6.5.1.tgz | Transitive | 4.17.0 | ✅ |
| CVE-2024-29041 |  Medium |
6.1 | express-4.16.3.tgz | Direct | 4.19.0 | ✅ |
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
CVE-2022-24999
Vulnerable Library - qs-6.5.1.tgz
A querystring parser that supports nesting and arrays, with a depth limit
Library home page: https://registry.npmjs.org/qs/-/qs-6.5.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- express-4.16.3.tgz (Root Library)
- ❌ qs-6.5.1.tgz (Vulnerable Library)
Found in base branch: main
Vulnerability Details
qs before 6.10.3, as used in Express before 4.17.3 and other products, allows attackers to cause a Node process hang for an Express application because an __ proto__ key can be used. In many typical Express use cases, an unauthenticated remote attacker can place the attack payload in the query string of the URL that is used to visit the application, such as a[proto]=b&a[proto]&a[length]=100000000. The fix was backported to qs 6.9.7, 6.8.3, 6.7.3, 6.6.1, 6.5.3, 6.4.1, 6.3.3, and 6.2.4 (and therefore Express 4.17.3, which has "deps: [email protected]" in its release description, is not vulnerable).
Publish Date: 2022-11-26
URL: CVE-2022-24999
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2022-24999
Release Date: 2022-11-26
Fix Resolution (qs): 6.5.3
Direct dependency fix Resolution (express): 4.17.0
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2024-29041
Vulnerable Library - express-4.16.3.tgz
Fast, unopinionated, minimalist web framework
Library home page: https://registry.npmjs.org/express/-/express-4.16.3.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- ❌ express-4.16.3.tgz (Vulnerable Library)
Found in base branch: main
Vulnerability Details
Express.js minimalist web framework for node. Versions of Express.js prior to 4.19.0 and all pre-release alpha and beta versions of 5.0 are affected by an open redirect vulnerability using malformed URLs. When a user of Express performs a redirect using a user-provided URL Express performs an encode using encodeurl on the contents before passing it to the location header. This can cause malformed URLs to be evaluated in unexpected ways by common redirect allow list implementations in Express applications, leading to an Open Redirect via bypass of a properly implemented allow list. The main method impacted is res.location() but this is also called from within res.redirect(). The vulnerability is fixed in 4.19.2 and 5.0.0-beta.3.
Publish Date: 2024-03-25
URL: CVE-2024-29041
CVSS 3 Score Details (6.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: GHSA-rv95-896h-c2vc
Release Date: 2024-03-25
Fix Resolution: 4.19.0
⛑️ Automatic Remediation will be attempted for this issue.
⛑️Automatic Remediation will be attempted for this issue.
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.