
No Panic

The coolest and easiest Vue App to track your current position and send it to your trusted contacts through SMS.

Built with love using Firebase (Firestore and Firebase Hosting) and the Vonage Communications APIs for the SMS capability. If you deploy it there, you have to supply your own credentials for Google Cloud Functions, Firestore and Firebase Hosting; none are part of this repository, so never commit them.

Otherwise you can build the Docker image and run it wherever you are more comfortable.

The Vue side of things!

Install dependencies

npm install

Compiles and hot-reloads for development

npm run serve

Compiles and minifies for production

npm run build

Run your tests

npm run test

Lints and fixes files

npm run lint

Google MAPS API Key

Create a Google Maps API key so the app can call the Maps service, and copy it. Then create a .env file in the project root directory with this content:

VUE_APP_MAPS_API_KEY="API_KEY"

Keep .env out of version control. Note that every VUE_APP_* variable is compiled into the browser bundle, so this key is public by design: restrict it in the Google Cloud console to the Maps JavaScript API and to your site's HTTP referrers, otherwise anyone who reads your bundle can bill Maps requests to your project.

Configuring Firebase

After you create your project in Firebase you need to enable Authentication, Database (Firestore), Functions and optionally Hosting.

Adding your app to Firebase

  • In the Firebase console go to Project settings -> General tab -> Add app; you can specify the name of the app and whether you want to use Firebase Hosting.
  • Once created, look for the Firebase SDK snippet and select the Config radio button
  • Copy the configuration object and paste it into ./src/utils/firebase.js. This web config (apiKey, projectId and friends) identifies the project rather than authorizing access, so it can live in the client; what actually protects your data are the Firestore security rules and the Authorized Domains list below.

Authentication

  • Go to Authentication in the sidebar menu
  • Open the Sign-in method tab and enable Google (you can add as many providers as you wish, but each one has to be configured separately)
  • Go to Authorized Domains and add the domain name you wish to use; OAuth redirects are only accepted from the listed domains

Database

  • Go to Database (Cloud Firestore) and click Create database. If you start in test mode, the generated rules let any client read and write the whole database until their expiry date, so write rules that scope each user's documents to the signed-in user (request.auth.uid) before you go live

Functions

  • Enable it from the console like the previous services, or let the Firebase CLI enable it the first time you deploy

Hosting

  • Enable it from the console like the previous services, or let the Firebase CLI enable it the first time you deploy

Install the Firebase CLI

For detailed install instructions go to: https://firebase.google.com/docs/web/setup#install-cli_deploy

  • Install the CLI
npm install -g firebase-tools
  • Sign in to Google. Run the following command:
firebase login

Deployment

Deploy the function in Firebase Cloud Functions

The function for this app is in ./functions/main.py

  • cd into the ./functions/ directory
  • Log in to gcloud with the CLI (gcloud auth login)
  • Get the credentials from Nexmo (now Vonage): the API key, the API secret and the Nexmo number
  • Then deploy the function, filling in the three values:
gcloud functions deploy send_sms --set-env-vars NEXMO_API_KEY='',NEXMO_API_SECRET='',NEXMO_NUMBER='' --runtime python37 --trigger-http --project [PROJECT_ID]

Three caveats before running this. Values passed with --set-env-vars end up in your shell history and are readable by anyone allowed to view the function's configuration; newer gcloud releases can mount them from Secret Manager with --set-secrets instead. The python37 runtime has since been deprecated on Cloud Functions, so pick a currently supported Python 3 runtime. And because the trigger is HTTP, gcloud will ask whether to allow unauthenticated invocations: an open send_sms endpoint lets anyone on the Internet send SMS on your account, so either keep it authenticated or have the function verify the caller's Firebase ID token itself.
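Here is an added example of what a hardened send_sms handler can look like. It is not the project's functions/main.py and is not derived from it. The JSON field names (to, lat, lng), the recipient and length limits, and the requirement that the Vue client send the user's Firebase ID token in an Authorization header are assumptions. The Nexmo call and the Firebase check are imported only inside the entry point, so the validation logic runs without credentials or network access.

```python
# Added example of a hardened send_sms HTTP function. Not the project's
# functions/main.py. Field names, limits and the ID-token requirement are
# assumptions; the SMS transport is injected so the logic is testable offline.
import os
import re
from typing import Any, Callable, Dict, List, Optional, Tuple

# E.164 numbers: '+', a non-zero digit, 7..15 digits total (assumed contact format).
E164 = re.compile(r"^\+[1-9]\d{6,14}$")
MAX_RECIPIENTS = 5          # assumed cap on a trusted-contact list; bounds cost per call
MAX_MESSAGE_CHARS = 160     # one GSM-7 SMS segment


def load_credentials(env: Optional[Dict[str, str]] = None) -> Dict[str, str]:
    """Read the three variables set with --set-env-vars (or --set-secrets).
    Fail fast on a missing/empty value instead of calling the API blind."""
    env = os.environ if env is None else env
    creds: Dict[str, str] = {}
    for name in ("NEXMO_API_KEY", "NEXMO_API_SECRET", "NEXMO_NUMBER"):
        value = env.get(name, "").strip()
        if not value:
            raise RuntimeError(f"{name} is not set")
        creds[name] = value
    return creds


def validate_request(payload: Any) -> Tuple[Optional[Dict[str, Any]], Optional[str]]:
    """Check a JSON body shaped like {"to": ["+1555..."], "lat": 40.4, "lng": -3.7}.
    Returns (clean_payload, None) on success or (None, error_message) on failure."""
    if not isinstance(payload, dict):
        return None, "body must be a JSON object"
    to = payload.get("to")
    if not isinstance(to, list) or not to or len(to) > MAX_RECIPIENTS:
        return None, f"'to' must list 1..{MAX_RECIPIENTS} numbers"
    numbers: List[str] = []
    for number in to:
        if not isinstance(number, str) or not E164.match(number):
            return None, "recipients must be E.164 numbers, e.g. +15551234567"
        if number not in numbers:          # drop duplicates: one SMS per contact
            numbers.append(number)
    try:
        lat, lng = float(payload.get("lat")), float(payload.get("lng"))
    except (TypeError, ValueError):
        return None, "'lat' and 'lng' must be numbers"
    if not (-90.0 <= lat <= 90.0 and -180.0 <= lng <= 180.0):
        return None, "coordinates out of range"
    return {"to": numbers, "lat": lat, "lng": lng}, None


def build_message(lat: float, lng: float) -> str:
    """Compose the text server-side from the validated coordinates only, so a
    caller cannot push arbitrary text (phishing links) out of your sender number."""
    text = f"No Panic: I need help. My location: https://maps.google.com/?q={lat:.5f},{lng:.5f}"
    assert len(text) <= MAX_MESSAGE_CHARS
    return text


def send_sms(payload: Any, creds: Dict[str, str],
             send: Callable[[Dict[str, str]], Dict[str, Any]]) -> Tuple[Dict[str, Any], int]:
    """Handler core: returns (json_body, http_status). `send` is the transport,
    e.g. nexmo.Client(...).send_message, injected so tests can use a fake."""
    clean, err = validate_request(payload)
    if err:
        return {"error": err}, 400
    text = build_message(clean["lat"], clean["lng"])
    results = [send({"from": creds["NEXMO_NUMBER"], "to": n, "text": text}) for n in clean["to"]]
    return {"sent": len(results), "results": results}, 200


def http_entry_point(request):
    """Cloud Functions (Flask request) entry point: deploy with --entry-point http_entry_point.
    Assumes the Vue client sends 'Authorization: Bearer <Firebase ID token>'; rejecting
    calls without a valid token stops anonymous callers from spending your SMS credit."""
    import firebase_admin                 # firebase_admin and nexmo are both pinned in the repo's requirements.txt
    from firebase_admin import auth
    import nexmo
    try:
        firebase_admin.get_app()
    except ValueError:                    # first invocation in this instance
        firebase_admin.initialize_app()
    header = request.headers.get("Authorization", "")
    if not header.startswith("Bearer "):
        return {"error": "missing Firebase ID token"}, 401
    try:
        auth.verify_id_token(header[len("Bearer "):])
    except Exception:
        return {"error": "invalid Firebase ID token"}, 401
    creds = load_credentials()
    client = nexmo.Client(key=creds["NEXMO_API_KEY"], secret=creds["NEXMO_API_SECRET"])
    return send_sms(request.get_json(silent=True), creds, client.send_message)
```

The point of the split is that everything an attacker controls (the JSON body) is checked and the message text is built from numbers only, so the function can never be used to send attacker-chosen text from your number. Browser calls from the hosted Vue app also need CORS headers on the response and an OPTIONS preflight branch, which this example leaves out.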

Deploy the application using Firebase hosting

  • Log in to Firebase with the CLI (firebase login)
  • Compile the application using the command
npm run build
  • Deploy the application using the CLI
firebase deploy --only hosting

Deploy with Docker

  • Install Docker in your environment
  • Create the Docker image, using
docker build -t <username/repository:tag> .
  • Upload the image to the registry you use (e.g. Docker Hub)
  • To run the app on your production server you may use the following command. (Remember the port mapping is <HOST_PORT>:<CONTAINER_PORT>; the image exposes port 80 of the container, which is plain HTTP, so terminate TLS in a reverse proxy in front of it before exposing the app)
docker run -p 80:80 --name <container_name> <username/repository:tag>

Deploy the Docker image using Kubernetes in GCP (GKE)

A good option to host and run the app is Google Cloud Platform, where we can store the Docker images and run the application on a single VM or on Kubernetes. GKE is easy to get started with and gives us scalability and many more resources at hand.

There are a few things to set up before deploying the app to GKE. The steps below are meant to be run locally, but they can also be run from the Cloud Shell in the GCP console without installing the CLI (it is already installed there).

Installing gcloud CLI

The documentation explains how to install the CLI on other operating systems: https://cloud.google.com/sdk/docs/quickstarts?hl=es-419 . Current releases require a supported Python 3 (the 231.0.0 archive below is an old release from the Python 2.7 era; take the current archive from the same download page instead, and compare its SHA256 with the checksum published there before extracting). Follow these commands to install the CLI

$ cd /opt
## this is the package with 64-bit binaries
$ sudo curl -O https://dl.google.com/dl/cloudsdk/channels/rapid/downloads/google-cloud-sdk-231.0.0-linux-x86_64.tar.gz
$ sudo tar zxvf google-cloud-sdk-231.0.0-linux-x86_64.tar.gz
$ sudo ./google-cloud-sdk/install.sh
## check that the install succeeded
$ gcloud --version

Now log in; you will be asked which project to use as the default, and the list of your projects is displayed in the console

$ gcloud init

Then it is good practice to set a default region and zone. If you want to know which zone is best for your project, check the documentation: https://cloud.google.com/compute/docs/regions-zones/?hl=es-419#choosing_a_region_and_zone . In this case I'll be using us-east1-b

$ gcloud config set compute/zone us-east1-b

Install the command tool to manage Kubernetes

$ gcloud components install kubectl

Add the app image to Container Registry

Before pulling or pushing images to Container Registry you need to configure Docker to use gcloud to authenticate requests to it. (Container Registry has since been superseded by Artifact Registry; the same tag-and-push flow works with a REGION-docker.pkg.dev/<PROJECT-ID>/<REPOSITORY>/<IMAGE_NAME>:<TAG> path after running gcloud auth configure-docker REGION-docker.pkg.dev.)

$ gcloud auth configure-docker

Before pushing your newly created image you need to tag it with your project's registry path:

$ docker tag <IMAGE-ID> gcr.io/<PROJECT-ID>/<IMAGE_NAME>:<TAG>

Now you may push the image to the Registry

 docker push gcr.io/<PROJECT-ID>/<IMAGE_NAME>:<TAG>

Creating the cluster in GKE

Now that your image is in the Container Registry you can use Kubernetes to run the application. A cluster consists of a control plane (the cluster master) and one or more worker machines called nodes; nodes are virtual machines that run the Kubernetes processes. Create your cluster with the following command; it may take a few minutes

$ gcloud container clusters create <CLUSTER_NAME>

To let kubectl talk to your cluster, fetch its credentials with

$ gcloud container clusters get-credentials <CLUSTER_NAME>

GKE uses Kubernetes objects to create and manage your cluster's resources. Kubernetes provides the Deployment object for deploying stateless applications like web servers. Run the following command

$ kubectl create deployment <DEPLOYMENT_NAME> --image=gcr.io/<PROJECT-ID>/<IMAGE_NAME>:<TAG> --port 80

After deploying the application you need to expose it so users can reach it. --port is the port the Service listens on (80, published to the Internet by the load balancer) and --target-port is the container port the traffic is forwarded to (also 80 here)

$ kubectl expose deployment <DEPLOYMENT_NAME> --type LoadBalancer --port 80 --target-port 80

You may inspect the Service by running

kubectl get service <DEPLOYMENT_NAME>

and read the EXTERNAL-IP from which you can access your application. Note that a Service of type LoadBalancer exposes plain HTTP on port 80. Browsers only grant the Geolocation API to secure (HTTPS) origins and localhost, so an app served from this IP cannot read the user's position at all; put an Ingress with a TLS certificate (for example a Google-managed certificate) in front of the Service instead of serving from the bare IP.

nopanic's People

Contributors

superdiana


nopanic's Issues

firebase_admin-5.3.0-py3-none-any.whl: 1 vulnerability (highest severity is: 5.5) - autoclosed

Vulnerable Library - firebase_admin-5.3.0-py3-none-any.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt

Vulnerabilities

CVE | Severity | CVSS | Dependency | Type | Fixed in | Remediation Available
CVE-2022-1941 | Medium | 5.5 | protobuf-4.21.5-cp37-abi3-manylinux2014_x86_64.whl | Transitive | N/A |

Details

CVE-2022-1941

Vulnerable Library - protobuf-4.21.5-cp37-abi3-manylinux2014_x86_64.whl

No project description provided

Library home page: https://files.pythonhosted.org/packages/a8/93/1d71d31bc80e569412c808a23c53df87c935ed3dbd787056bcd5b2929cbe/protobuf-4.21.5-cp37-abi3-manylinux2014_x86_64.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt

Dependency Hierarchy:

  • firebase_admin-5.3.0-py3-none-any.whl (Root Library)
    • google_api_core-2.10.0-py3-none-any.whl
      • protobuf-4.21.5-cp37-abi3-manylinux2014_x86_64.whl (Vulnerable Library)

Found in base branch: main

Vulnerability Details

A parsing vulnerability for the MessageSet type in the ProtocolBuffers versions prior to and including 3.16.1, 3.17.3, 3.18.2, 3.19.4, 3.20.1 and 3.21.5 for protobuf-cpp, and versions prior to and including 3.16.1, 3.17.3, 3.18.2, 3.19.4, 3.20.1 and 4.21.5 for protobuf-python can lead to out of memory failures. A specially crafted message with multiple key-value per elements creates parsing issues, and can lead to a Denial of Service against services receiving unsanitized input. We recommend upgrading to versions 3.18.3, 3.19.5, 3.20.2, 3.21.6 for protobuf-cpp and 3.18.3, 3.19.5, 3.20.2, 4.21.6 for protobuf-python. Versions for 3.16 and 3.17 are no longer updated.

Publish Date: 2022-09-22

URL: CVE-2022-1941

CVSS 3 Score Details (5.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: https://cloud.google.com/support/bulletins#GCP-2022-019

Release Date: 2022-09-22

Fix Resolution: Google.Protobuf - 3.18.3,3.19.5,3.20.2,3.21.6;protobuf-python - 3.18.3,3.19.5,3.20.2,4.21.6

Flask-2.2.2-py3-none-any.whl: 3 vulnerabilities (highest severity is: 7.5)

Vulnerable Library - Flask-2.2.2-py3-none-any.whl

A simple framework for building complex web applications.

Library home page: https://files.pythonhosted.org/packages/0f/43/15f4f9ab225b0b25352412e8daa3d0e3d135fcf5e127070c74c3632c8b4c/Flask-2.2.2-py3-none-any.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt

Vulnerabilities

CVE | Severity | CVSS | Dependency | Type | Fixed in (Flask version) | Remediation Available
CVE-2023-25577 | High | 7.5 | Werkzeug-2.2.2-py3-none-any.whl | Transitive | N/A* |
CVE-2023-30861 | High | 7.5 | Flask-2.2.2-py3-none-any.whl | Direct | flask - 2.2.5,2.3.2 |
CVE-2023-23934 | Low | 3.5 | Werkzeug-2.2.2-py3-none-any.whl | Transitive | N/A* |

*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.

Details

CVE-2023-25577

Vulnerable Library - Werkzeug-2.2.2-py3-none-any.whl

The comprehensive WSGI web application library.

Library home page: https://files.pythonhosted.org/packages/c8/27/be6ddbcf60115305205de79c29004a0c6bc53cec814f733467b1bb89386d/Werkzeug-2.2.2-py3-none-any.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt

Dependency Hierarchy:

  • Flask-2.2.2-py3-none-any.whl (Root Library)
    • Werkzeug-2.2.2-py3-none-any.whl (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Werkzeug is a comprehensive WSGI web application library. Prior to version 2.2.3, Werkzeug's multipart form data parser will parse an unlimited number of parts, including file parts. Parts can be a small amount of bytes, but each requires CPU time to parse and may use more memory as Python data. If a request can be made to an endpoint that accesses request.data, request.form, request.files, or request.get_data(parse_form_data=False), it can cause unexpectedly high resource usage. This allows an attacker to cause a denial of service by sending crafted multipart data to an endpoint that will parse it. The amount of CPU time required can block worker processes from handling legitimate requests. The amount of RAM required can trigger an out of memory kill of the process. Unlimited file parts can use up memory and file handles. If many concurrent requests are sent continuously, this can exhaust or kill all available workers. Version 2.2.3 contains a patch for this issue.

Publish Date: 2023-02-14

URL: CVE-2023-25577

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2023-25577

Release Date: 2023-02-14

Fix Resolution: Werkzeug - 2.2.3

CVE-2023-30861

Vulnerable Library - Flask-2.2.2-py3-none-any.whl

A simple framework for building complex web applications.

Library home page: https://files.pythonhosted.org/packages/0f/43/15f4f9ab225b0b25352412e8daa3d0e3d135fcf5e127070c74c3632c8b4c/Flask-2.2.2-py3-none-any.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt

Dependency Hierarchy:

  • Flask-2.2.2-py3-none-any.whl (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Flask is a lightweight WSGI web application framework. When all of the following conditions are met, a response containing data intended for one client may be cached and subsequently sent by the proxy to other clients. If the proxy also caches Set-Cookie headers, it may send one client's session cookie to other clients. The severity depends on the application's use of the session and the proxy's behavior regarding cookies. The risk depends on all these conditions being met.

  1. The application must be hosted behind a caching proxy that does not strip cookies or ignore responses with cookies.
  2. The application sets session.permanent = True
  3. The application does not access or modify the session at any point during a request.
  4. SESSION_REFRESH_EACH_REQUEST enabled (the default).
  5. The application does not set a Cache-Control header to indicate that a page is private or should not be cached.

This happens because vulnerable versions of Flask only set the Vary: Cookie header when the session is accessed or modified, not when it is refreshed (re-sent to update the expiration) without being accessed or modified. This issue has been fixed in versions 2.3.2 and 2.2.5.

Publish Date: 2023-05-02

URL: CVE-2023-30861

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None


Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2023-30861

Release Date: 2023-05-02

Fix Resolution: flask - 2.2.5,2.3.2

⛑️ Automatic Remediation is available for this issue

CVE-2023-23934

Vulnerable Library - Werkzeug-2.2.2-py3-none-any.whl

The comprehensive WSGI web application library.

Library home page: https://files.pythonhosted.org/packages/c8/27/be6ddbcf60115305205de79c29004a0c6bc53cec814f733467b1bb89386d/Werkzeug-2.2.2-py3-none-any.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt

Dependency Hierarchy:

  • Flask-2.2.2-py3-none-any.whl (Root Library)
    • Werkzeug-2.2.2-py3-none-any.whl (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Werkzeug is a comprehensive WSGI web application library. Browsers may allow "nameless" cookies that look like =value instead of key=value. A vulnerable browser may allow a compromised application on an adjacent subdomain to exploit this to set a cookie like =__Host-test=bad for another subdomain. Werkzeug prior to 2.2.3 will parse the cookie =__Host-test=bad as __Host-test=bad. If a Werkzeug application is running next to a vulnerable or malicious subdomain which sets such a cookie using a vulnerable browser, the Werkzeug application will see the bad cookie value but the valid cookie key. The issue is fixed in Werkzeug 2.2.3.

Publish Date: 2023-02-14

URL: CVE-2023-23934

CVSS 3 Score Details (3.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Adjacent
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: Low
    • Availability Impact: None


Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2023-23934

Release Date: 2023-02-14

Fix Resolution: Werkzeug - 2.2.3


⛑️ Automatic Remediation is available for this issue.

nexmo-2.5.2-py2.py3-none-any.whl: 1 vulnerability (highest severity is: 7.5)

Vulnerable Library - nexmo-2.5.2-py2.py3-none-any.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt

Vulnerabilities

CVE | Severity | CVSS | Dependency | Type | Fixed in (nexmo version) | Remediation Available
CVE-2022-23491 | High | 7.5 | certifi-2022.9.24-py3-none-any.whl | Transitive | N/A* |

*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.

Details

CVE-2022-23491

Vulnerable Library - certifi-2022.9.24-py3-none-any.whl

Python package for providing Mozilla's CA Bundle.

Library home page: https://files.pythonhosted.org/packages/1d/38/fa96a426e0c0e68aabc68e896584b83ad1eec779265a028e156ce509630e/certifi-2022.9.24-py3-none-any.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt

Dependency Hierarchy:

  • nexmo-2.5.2-py2.py3-none-any.whl (Root Library)
    • requests-2.28.1-py3-none-any.whl
      • certifi-2022.9.24-py3-none-any.whl (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Certifi is a curated collection of Root Certificates for validating the trustworthiness of SSL certificates while verifying the identity of TLS hosts. Certifi 2022.12.07 removes root certificates from "TrustCor" from the root store. These are in the process of being removed from Mozilla's trust store. TrustCor's root certificates are being removed pursuant to an investigation prompted by media reporting that TrustCor's ownership also operated a business that produced spyware. Conclusions of Mozilla's investigation can be found in the linked google group discussion.

Publish Date: 2022-12-07

URL: CVE-2022-23491

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: High
    • Availability Impact: None


Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2022-23491

Release Date: 2022-12-07

Fix Resolution: certifi - 2022.12.07
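As an added example (not part of the reports above or of the project), the check below reads the == pins from a requirements.txt and compares them with the fix versions the three Python reports above name (protobuf 4.21.6, Werkzeug 2.2.3, Flask 2.2.5, certifi 2022.12.07). The requirements text is constructed here to mirror the reported versions; running the same function over pip freeze output covers transitive packages that are not pinned directly. The version comparison is numeric-only, which is enough for these packages but is not a full PEP 440 implementation.

```python
# Added example, not the project's code: flag requirements.txt pins that are
# below the fix versions named in the dependency reports. Sample input is
# constructed; the comparison handles plain dotted numeric versions only.
import re
from typing import Dict, List, Tuple

# Minimum fixed versions from the reports' "Fix Resolution" lines.
FIXED: Dict[str, str] = {
    "protobuf": "4.21.6",      # CVE-2022-1941 (4.21 line; other lines have their own fixes)
    "werkzeug": "2.2.3",       # CVE-2023-25577, CVE-2023-23934
    "flask": "2.2.5",          # CVE-2023-30861 (2.2 line; 2.3.2 for the 2.3 line)
    "certifi": "2022.12.07",   # CVE-2022-23491
}

# Constructed sample mirroring the versions the scanner reported.
CONSTRUCTED_REQUIREMENTS = """\
# functions runtime deps (constructed sample)
firebase_admin==5.3.0
Flask==2.2.2
Werkzeug==2.2.2  # pulled in by Flask
nexmo==2.5.2
requests>=2.28   # unpinned: not checked here
certifi==2022.9.24
protobuf==4.21.5
"""


def normalize_name(name: str) -> str:
    """PEP 503 normalization: case-insensitive; runs of '-', '_' and '.' become '-'."""
    return re.sub(r"[-_.]+", "-", name.strip()).lower()


def parse_version(version: str) -> Tuple[int, ...]:
    """'2022.12.07' -> (2022, 12, 7). Numeric release segments only (no rc/post tags)."""
    return tuple(int(part) for part in version.strip().split("."))


def parse_requirements(text: str) -> Dict[str, str]:
    """Return {normalized_name: version} for every 'name==version' line.
    Comments, blank lines and non-exact specifiers (>=, ~=) are skipped."""
    pins: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "==" not in line:
            continue
        name, version = line.split("==", 1)
        pins[normalize_name(name)] = version.split(";", 1)[0].strip()   # drop env markers
    return pins


def find_vulnerable(pins: Dict[str, str], fixed: Dict[str, str] = FIXED) -> List[Tuple[str, str, str]]:
    """(package, pinned_version, minimum_fixed_version) for each pin below its fix."""
    findings = []
    for name, minimum in fixed.items():
        pinned = pins.get(normalize_name(name))
        if pinned is not None and parse_version(pinned) < parse_version(minimum):
            findings.append((name, pinned, minimum))
    return sorted(findings)


if __name__ == "__main__":
    for name, pinned, minimum in find_vulnerable(parse_requirements(CONSTRUCTED_REQUIREMENTS)):
        print(f"{name}=={pinned} is below the fixed version {minimum}")
```

Three of the four findings are transitive, which is why a check against requirements.txt alone is not enough once the direct pins are bumped: the fix for Flask (2.2.5) does not by itself pull Werkzeug 2.2.3, and nexmo 2.5.2 has no release that forces certifi forward, so the resolved environment (pip freeze) is what has to be compared.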

firebase-6.2.2.tgz: 15 vulnerabilities (highest severity is: 9.8)

Vulnerable Library - firebase-6.2.2.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/grpc/node_modules/ini/package.json

Vulnerabilities

CVE | Severity | CVSS | Dependency | Type | Fixed in (firebase version) | Remediation Available
CVE-2020-7768 | Critical | 9.8 | grpc-1.20.3.tgz | Transitive | 7.9.1-canary.0396117e |
CVE-2021-44906 | Critical | 9.8 | detected in multiple dependencies | Transitive | 6.2.3-0 |
CVE-2020-7788 | Critical | 9.8 | ini-1.3.5.tgz | Transitive | 6.2.3-0 |
CVE-2020-7774 | Critical | 9.8 | y18n-3.2.1.tgz | Transitive | 6.2.3-0 |
CVE-2021-37701 | High | 8.6 | tar-4.4.8.tgz | Transitive | 6.2.3-0 |
CVE-2021-37712 | High | 8.6 | tar-4.4.8.tgz | Transitive | 6.2.3-0 |
CVE-2021-37713 | High | 8.6 | tar-4.4.8.tgz | Transitive | 6.2.3-0 |
CVE-2021-32804 | High | 8.1 | tar-4.4.8.tgz | Transitive | 6.2.3-0 |
CVE-2021-32803 | High | 8.1 | tar-4.4.8.tgz | Transitive | 6.2.3-0 |
CVE-2022-25878 | High | 7.5 | detected in multiple dependencies | Transitive | 7.9.1-canary.0396117e |
CVE-2022-3517 | High | 7.5 | minimatch-3.0.4.tgz | Transitive | N/A* |
CVE-2022-0235 | Medium | 6.1 | node-fetch-1.7.3.tgz | Transitive | 7.9.1-canary.0396117e |
CVE-2020-7598 | Medium | 5.6 | detected in multiple dependencies | Transitive | 6.2.3-0 |
CVE-2020-15168 | Medium | 5.3 | node-fetch-1.7.3.tgz | Transitive | 7.9.1-canary.0396117e |
CVE-2020-7765 | Medium | 5.3 | util-0.2.20.tgz | Transitive | 6.2.3-canary.7043422 |

*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.

Details

CVE-2020-7768

Vulnerable Library - grpc-1.20.3.tgz

gRPC Library for Node

Library home page: https://registry.npmjs.org/grpc/-/grpc-1.20.3.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/grpc/package.json

Dependency Hierarchy:

  • firebase-6.2.2.tgz (Root Library)
    • firestore-1.4.2.tgz
      • grpc-1.20.3.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

The package grpc before 1.24.4; the package @grpc/grpc-js before 1.1.8 are vulnerable to Prototype Pollution via loadPackageDefinition.

Publish Date: 2020-11-11

URL: CVE-2020-7768

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7768

Release Date: 2020-11-11

Fix Resolution (grpc): 1.24.4

Direct dependency fix Resolution (firebase): 7.9.1-canary.0396117e

⛑️ Automatic Remediation is available for this issue

CVE-2021-44906

Vulnerable Libraries - minimist-1.2.0.tgz, minimist-0.0.8.tgz

minimist-1.2.0.tgz

parse argument options

Library home page: https://registry.npmjs.org/minimist/-/minimist-1.2.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/grpc/node_modules/minimist/package.json

Dependency Hierarchy:

  • firebase-6.2.2.tgz (Root Library)
    • firestore-1.4.2.tgz
      • grpc-1.20.3.tgz
        • node-pre-gyp-0.13.0.tgz
          • rc-1.2.8.tgz
            • minimist-1.2.0.tgz (Vulnerable Library)

minimist-0.0.8.tgz

parse argument options

Library home page: https://registry.npmjs.org/minimist/-/minimist-0.0.8.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/grpc/node_modules/mkdirp/node_modules/minimist/package.json

Dependency Hierarchy:

  • firebase-6.2.2.tgz (Root Library)
    • firestore-1.4.2.tgz
      • grpc-1.20.3.tgz
        • node-pre-gyp-0.13.0.tgz
          • mkdirp-0.5.1.tgz
            • minimist-0.0.8.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Minimist <=1.2.5 is vulnerable to Prototype Pollution via file index.js, function setKey() (lines 69-95).

Publish Date: 2022-03-17

URL: CVE-2021-44906

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Release Date: 2022-03-17

Fix Resolution (minimist): 1.2.6

Direct dependency fix Resolution (firebase): 6.2.3-0

Fix Resolution (minimist): 0.2.2

Direct dependency fix Resolution (firebase): 6.2.3-0

⛑️ Automatic Remediation is available for this issue

CVE-2020-7788

Vulnerable Library - ini-1.3.5.tgz

An ini encoder/decoder for node

Library home page: https://registry.npmjs.org/ini/-/ini-1.3.5.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/grpc/node_modules/ini/package.json

Dependency Hierarchy:

  • firebase-6.2.2.tgz (Root Library)
    • firestore-1.4.2.tgz
      • grpc-1.20.3.tgz
        • node-pre-gyp-0.13.0.tgz
          • rc-1.2.8.tgz
            • ini-1.3.5.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

This affects the package ini before 1.3.6. If an attacker submits a malicious INI file to an application that parses it with ini.parse, they will pollute the prototype on the application. This can be exploited further depending on the context.

Publish Date: 2020-12-11

URL: CVE-2020-7788

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7788

Release Date: 2020-12-11

Fix Resolution (ini): 1.3.6

Direct dependency fix Resolution (firebase): 6.2.3-0

⛑️ Automatic Remediation is available for this issue

CVE-2020-7774

Vulnerable Library - y18n-3.2.1.tgz

the bare-bones internationalization library used by yargs

Library home page: https://registry.npmjs.org/y18n/-/y18n-3.2.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/grpc/node_modules/y18n/package.json

Dependency Hierarchy:

  • firebase-6.2.2.tgz (Root Library)
    • firestore-1.4.2.tgz
      • grpc-1.20.3.tgz
        • protobufjs-5.0.3.tgz
          • yargs-3.32.0.tgz
            • y18n-3.2.1.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

The package y18n before 3.2.2, 4.0.1 and 5.0.5, is vulnerable to Prototype Pollution.

Publish Date: 2020-11-17

URL: CVE-2020-7774

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/1654

Release Date: 2020-11-17

Fix Resolution (y18n): 3.2.2

Direct dependency fix Resolution (firebase): 6.2.3-0

⛑️ Automatic Remediation is available for this issue

CVE-2021-37701

Vulnerable Library - tar-4.4.8.tgz

tar for node

Library home page: https://registry.npmjs.org/tar/-/tar-4.4.8.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/grpc/node_modules/tar/package.json

Dependency Hierarchy:

  • firebase-6.2.2.tgz (Root Library)
    • firestore-1.4.2.tgz
      • grpc-1.20.3.tgz
        • node-pre-gyp-0.13.0.tgz
          • tar-4.4.8.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

The npm package "tar" (aka node-tar) before versions 4.4.16, 5.0.8, and 6.1.7 has an arbitrary file creation/overwrite and arbitrary code execution vulnerability. node-tar aims to guarantee that any file whose location would be modified by a symbolic link is not extracted. This is, in part, achieved by ensuring that extracted directories are not symlinks. Additionally, in order to prevent unnecessary stat calls to determine whether a given path is a directory, paths are cached when directories are created. This logic was insufficient when extracting tar files that contained both a directory and a symlink with the same name as the directory, where the symlink and directory names in the archive entry used backslashes as a path separator on posix systems. The cache checking logic used both \ and / characters as path separators, however \ is a valid filename character on posix systems. By first creating a directory, and then replacing that directory with a symlink, it was thus possible to bypass node-tar symlink checks on directories, essentially allowing an untrusted tar file to symlink into an arbitrary location and subsequently extracting arbitrary files into that location, thus allowing arbitrary file creation and overwrite. Additionally, a similar confusion could arise on case-insensitive filesystems. If a tar archive contained a directory at FOO, followed by a symbolic link named foo, then on case-insensitive file systems, the creation of the symbolic link would remove the directory from the filesystem, but not from the internal directory cache, as it would not be treated as a cache hit. A subsequent file entry within the FOO directory would then be placed in the target of the symbolic link, thinking that the directory had already been created. These issues were addressed in releases 4.4.16, 5.0.8 and 6.1.7. The v3 branch of node-tar has been deprecated and did not receive patches for these issues. If you are still using a v3 release we recommend you update to a more recent version of node-tar. If this is not possible, a workaround is available in the referenced GHSA-9r2w-394v-53qc.

Publish Date: 2021-08-31

URL: CVE-2021-37701

CVSS 3 Score Details (8.6)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: GHSA-9r2w-394v-53qc

Release Date: 2021-08-31

Fix Resolution (tar): 4.4.16

Direct dependency fix Resolution (firebase): 6.2.3-0

⛑️ Automatic Remediation is available for this issue

CVE-2021-37712

Vulnerable Library - tar-4.4.8.tgz

tar for node

Library home page: https://registry.npmjs.org/tar/-/tar-4.4.8.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/grpc/node_modules/tar/package.json

Dependency Hierarchy:

  • firebase-6.2.2.tgz (Root Library)
    • firestore-1.4.2.tgz
      • grpc-1.20.3.tgz
        • node-pre-gyp-0.13.0.tgz
          • tar-4.4.8.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

The npm package "tar" (aka node-tar) before versions 4.4.18, 5.0.10, and 6.1.9 has an arbitrary file creation/overwrite and arbitrary code execution vulnerability. node-tar aims to guarantee that any file whose location would be modified by a symbolic link is not extracted. This is, in part, achieved by ensuring that extracted directories are not symlinks. Additionally, in order to prevent unnecessary stat calls to determine whether a given path is a directory, paths are cached when directories are created. This logic was insufficient when extracting tar files that contained both a directory and a symlink with names containing unicode values that normalized to the same value. Additionally, on Windows systems, long path portions would resolve to the same file system entities as their 8.3 "short path" counterparts. A specially crafted tar archive could thus include a directory with one form of the path, followed by a symbolic link with a different string that resolves to the same file system entity, followed by a file using the first form. By first creating a directory, and then replacing that directory with a symlink that had a different apparent name that resolved to the same entry in the filesystem, it was thus possible to bypass node-tar symlink checks on directories, essentially allowing an untrusted tar file to symlink into an arbitrary location and subsequently extracting arbitrary files into that location, thus allowing arbitrary file creation and overwrite. These issues were addressed in releases 4.4.18, 5.0.10 and 6.1.9. The v3 branch of node-tar has been deprecated and did not receive patches for these issues. If you are still using a v3 release we recommend you update to a more recent version of node-tar. If this is not possible, a workaround is available in the referenced GHSA-qq89-hq3f-393p.

Publish Date: 2021-08-31

URL: CVE-2021-37712

CVSS 3 Score Details (8.6)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-qq89-hq3f-393p

Release Date: 2021-08-31

Fix Resolution (tar): 4.4.18

Direct dependency fix Resolution (firebase): 6.2.3-0

⛑️ Automatic Remediation is available for this issue

CVE-2021-37713

Vulnerable Library - tar-4.4.8.tgz

tar for node

Library home page: https://registry.npmjs.org/tar/-/tar-4.4.8.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/grpc/node_modules/tar/package.json

Dependency Hierarchy:

  • firebase-6.2.2.tgz (Root Library)
    • firestore-1.4.2.tgz
      • grpc-1.20.3.tgz
        • node-pre-gyp-0.13.0.tgz
          • tar-4.4.8.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

The npm package "tar" (aka node-tar) before versions 4.4.18, 5.0.10, and 6.1.9 has an arbitrary file creation/overwrite and arbitrary code execution vulnerability. node-tar aims to guarantee that any file whose location would be outside of the extraction target directory is not extracted. This is, in part, accomplished by sanitizing absolute paths of entries within the archive, skipping archive entries that contain .. path portions, and resolving the sanitized paths against the extraction target directory. This logic was insufficient on Windows systems when extracting tar files that contained a path that was not an absolute path, but specified a drive letter different from the extraction target, such as C:some\path. If the drive letter does not match the extraction target, for example D:\extraction\dir, then the result of path.resolve(extractionDirectory, entryPath) would resolve against the current working directory on the C: drive, rather than the extraction target directory. Additionally, a .. portion of the path could occur immediately after the drive letter, such as C:../foo, and was not properly sanitized by the logic that checked for .. within the normalized and split portions of the path. This only affects users of node-tar on Windows systems. These issues were addressed in releases 4.4.18, 5.0.10 and 6.1.9. The v3 branch of node-tar has been deprecated and did not receive patches for these issues. If you are still using a v3 release we recommend you update to a more recent version of node-tar. There is no reasonable way to work around this issue without performing the same path normalization procedures that node-tar now does. Users are encouraged to upgrade to the latest patched versions of node-tar, rather than attempt to sanitize paths themselves.

Publish Date: 2021-08-31

URL: CVE-2021-37713

CVSS 3 Score Details (8.6)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-5955-9wpr-37jh

Release Date: 2021-08-31

Fix Resolution (tar): 4.4.18

Direct dependency fix Resolution (firebase): 6.2.3-0

⛑️ Automatic Remediation is available for this issue

CVE-2021-32804

Vulnerable Library - tar-4.4.8.tgz

tar for node

Library home page: https://registry.npmjs.org/tar/-/tar-4.4.8.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/grpc/node_modules/tar/package.json

Dependency Hierarchy:

  • firebase-6.2.2.tgz (Root Library)
    • firestore-1.4.2.tgz
      • grpc-1.20.3.tgz
        • node-pre-gyp-0.13.0.tgz
          • tar-4.4.8.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

The npm package "tar" (aka node-tar) before versions 6.1.1, 5.0.6, 4.4.14, and 3.3.2 has an arbitrary File Creation/Overwrite vulnerability due to insufficient absolute path sanitization. node-tar aims to prevent extraction of absolute file paths by turning absolute paths into relative paths when the preservePaths flag is not set to true. This is achieved by stripping the absolute path root from any absolute file paths contained in a tar file. For example /home/user/.bashrc would turn into home/user/.bashrc. This logic was insufficient when file paths contained repeated path roots such as ////home/user/.bashrc. node-tar would only strip a single path root from such paths. When given an absolute file path with repeating path roots, the resulting path (e.g. ///home/user/.bashrc) would still resolve to an absolute path, thus allowing arbitrary file creation and overwrite. This issue was addressed in releases 3.2.2, 4.4.14, 5.0.6 and 6.1.1. Users may work around this vulnerability without upgrading by creating a custom onentry method which sanitizes the entry.path or a filter method which removes entries with absolute paths. See the referenced GitHub Advisory for details. Be aware of CVE-2021-32803, which fixes a similar bug in later versions of tar.

Publish Date: 2021-08-03

URL: CVE-2021-32804

CVSS 3 Score Details (8.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-3jfq-g458-7qm9

Release Date: 2021-08-03

Fix Resolution (tar): 4.4.14

Direct dependency fix Resolution (firebase): 6.2.3-0

⛑️ Automatic Remediation is available for this issue

CVE-2021-32803

Vulnerable Library - tar-4.4.8.tgz

tar for node

Library home page: https://registry.npmjs.org/tar/-/tar-4.4.8.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/grpc/node_modules/tar/package.json

Dependency Hierarchy:

  • firebase-6.2.2.tgz (Root Library)
    • firestore-1.4.2.tgz
      • grpc-1.20.3.tgz
        • node-pre-gyp-0.13.0.tgz
          • tar-4.4.8.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

The npm package "tar" (aka node-tar) before versions 6.1.2, 5.0.7, 4.4.15, and 3.2.3 has an arbitrary File Creation/Overwrite vulnerability via insufficient symlink protection. node-tar aims to guarantee that any file whose location would be modified by a symbolic link is not extracted. This is, in part, achieved by ensuring that extracted directories are not symlinks. Additionally, in order to prevent unnecessary stat calls to determine whether a given path is a directory, paths are cached when directories are created. This logic was insufficient when extracting tar files that contained both a directory and a symlink with the same name as the directory. This order of operations resulted in the directory being created and added to the node-tar directory cache. When a directory is present in the directory cache, subsequent calls to mkdir for that directory are skipped. However, this is also where node-tar checks for symlinks occur. By first creating a directory, and then replacing that directory with a symlink, it was thus possible to bypass node-tar symlink checks on directories, essentially allowing an untrusted tar file to symlink into an arbitrary location and subsequently extracting arbitrary files into that location, thus allowing arbitrary file creation and overwrite. This issue was addressed in releases 3.2.3, 4.4.15, 5.0.7 and 6.1.2.

Publish Date: 2021-08-03

URL: CVE-2021-32803

CVSS 3 Score Details (8.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-r628-mhmh-qjhw

Release Date: 2021-08-03

Fix Resolution (tar): 4.4.15

Direct dependency fix Resolution (firebase): 6.2.3-0

⛑️ Automatic Remediation is available for this issue

CVE-2022-25878

Vulnerable Libraries - protobufjs-5.0.3.tgz, protobufjs-6.8.8.tgz

protobufjs-5.0.3.tgz

Protocol Buffers for JavaScript. Finally.

Library home page: https://registry.npmjs.org/protobufjs/-/protobufjs-5.0.3.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/grpc/node_modules/protobufjs/package.json

Dependency Hierarchy:

  • firebase-6.2.2.tgz (Root Library)
    • firestore-1.4.2.tgz
      • grpc-1.20.3.tgz
        • protobufjs-5.0.3.tgz (Vulnerable Library)

protobufjs-6.8.8.tgz

Protocol Buffers for JavaScript (& TypeScript).

Library home page: https://registry.npmjs.org/protobufjs/-/protobufjs-6.8.8.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/protobufjs/package.json

Dependency Hierarchy:

  • firebase-6.2.2.tgz (Root Library)
    • firestore-1.4.2.tgz
      • proto-loader-0.5.1.tgz
        • protobufjs-6.8.8.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

The package protobufjs before 6.11.3 is vulnerable to Prototype Pollution, which can allow an attacker to add/modify properties of Object.prototype. This vulnerability can occur in multiple ways: (1) by providing untrusted user input to the util.setProperty or ReflectionObject.setParsedOption functions, or (2) by parsing/loading .proto files.

Publish Date: 2022-05-27

URL: CVE-2022-25878

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: High
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-25878

Release Date: 2022-05-27

Fix Resolution (protobufjs): 6.10.3

Direct dependency fix Resolution (firebase): 7.9.1-canary.0396117e

Fix Resolution (protobufjs): 6.10.3

Direct dependency fix Resolution (firebase): 7.9.1-canary.0396117e

⛑️ Automatic Remediation is available for this issue

CVE-2022-3517

Vulnerable Library - minimatch-3.0.4.tgz

a glob matcher in javascript

Library home page: https://registry.npmjs.org/minimatch/-/minimatch-3.0.4.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/grpc/node_modules/minimatch/package.json,/node_modules/minimatch/package.json

Dependency Hierarchy:

  • firebase-6.2.2.tgz (Root Library)
    • firestore-1.4.2.tgz
      • grpc-1.20.3.tgz
        • protobufjs-5.0.3.tgz
          • glob-7.1.4.tgz
            • minimatch-3.0.4.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

A vulnerability was found in the minimatch package. This flaw allows a Regular Expression Denial of Service (ReDoS) when calling the braceExpand function with specific arguments, resulting in a Denial of Service.

Publish Date: 2022-10-17

URL: CVE-2022-3517

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2022-10-17

Fix Resolution: minimatch - 3.0.5

CVE-2022-0235

Vulnerable Library - node-fetch-1.7.3.tgz

A light-weight module that brings window.fetch to node.js and io.js

Library home page: https://registry.npmjs.org/node-fetch/-/node-fetch-1.7.3.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/node-fetch/package.json

Dependency Hierarchy:

  • firebase-6.2.2.tgz (Root Library)
    • functions-0.4.10.tgz
      • isomorphic-fetch-2.2.1.tgz
        • node-fetch-1.7.3.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

node-fetch is vulnerable to Exposure of Sensitive Information to an Unauthorized Actor

Publish Date: 2022-01-16

URL: CVE-2022-0235

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-r683-j2x4-v87g

Release Date: 2022-01-16

Fix Resolution (node-fetch): 2.6.7

Direct dependency fix Resolution (firebase): 7.9.1-canary.0396117e

⛑️ Automatic Remediation is available for this issue

CVE-2020-7598

Vulnerable Libraries - minimist-0.0.8.tgz, minimist-1.2.0.tgz

minimist-0.0.8.tgz

parse argument options

Library home page: https://registry.npmjs.org/minimist/-/minimist-0.0.8.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/grpc/node_modules/mkdirp/node_modules/minimist/package.json

Dependency Hierarchy:

  • firebase-6.2.2.tgz (Root Library)
    • firestore-1.4.2.tgz
      • grpc-1.20.3.tgz
        • node-pre-gyp-0.13.0.tgz
          • mkdirp-0.5.1.tgz
            • minimist-0.0.8.tgz (Vulnerable Library)

minimist-1.2.0.tgz

parse argument options

Library home page: https://registry.npmjs.org/minimist/-/minimist-1.2.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/grpc/node_modules/minimist/package.json

Dependency Hierarchy:

  • firebase-6.2.2.tgz (Root Library)
    • firestore-1.4.2.tgz
      • grpc-1.20.3.tgz
        • node-pre-gyp-0.13.0.tgz
          • rc-1.2.8.tgz
            • minimist-1.2.0.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

minimist before 1.2.2 could be tricked into adding or modifying properties of Object.prototype using a "constructor" or "__proto__" payload.

Publish Date: 2020-03-11

URL: CVE-2020-7598

CVSS 3 Score Details (5.6)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2020-03-11

Fix Resolution (minimist): 0.2.1

Direct dependency fix Resolution (firebase): 6.2.3-0

Fix Resolution (minimist): 1.2.3

Direct dependency fix Resolution (firebase): 6.2.3-0

⛑️ Automatic Remediation is available for this issue

CVE-2020-15168

Vulnerable Library - node-fetch-1.7.3.tgz

A light-weight module that brings window.fetch to node.js and io.js

Library home page: https://registry.npmjs.org/node-fetch/-/node-fetch-1.7.3.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/node-fetch/package.json

Dependency Hierarchy:

  • firebase-6.2.2.tgz (Root Library)
    • functions-0.4.10.tgz
      • isomorphic-fetch-2.2.1.tgz
        • node-fetch-1.7.3.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

node-fetch before versions 2.6.1 and 3.0.0-beta.9 did not honor the size option after following a redirect, which means that when a content size was over the limit, a FetchError would never get thrown and the process would end without failure. For most people, this fix will have little or no impact. However, if you are relying on node-fetch to gate files above a size, the impact could be significant, for example: if you don't double-check the size of the data after fetch() has completed, your JS thread could get tied up doing work on a large file (DoS) and/or cost you money in computing.

Publish Date: 2020-09-10

URL: CVE-2020-15168

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-w7rc-rwvf-8q5r

Release Date: 2020-09-17

Fix Resolution (node-fetch): 2.6.1

Direct dependency fix Resolution (firebase): 7.9.1-canary.0396117e

⛑️ Automatic Remediation is available for this issue

CVE-2020-7765

Vulnerable Library - util-0.2.20.tgz

NOTE: This is specifically tailored for Firebase JS SDK usage, if you are not a member of the Firebase team, please avoid using this package

Library home page: https://registry.npmjs.org/@firebase/util/-/util-0.2.20.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/@firebase/util/package.json

Dependency Hierarchy:

  • firebase-6.2.2.tgz (Root Library)
    • util-0.2.20.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

This affects the package @firebase/util before 0.3.4. This vulnerability relates to the deepExtend function within the DeepCopy.ts file. Depending on whether user input is provided, an attacker can overwrite and pollute the object prototype of a program.

Publish Date: 2020-11-16

URL: CVE-2020-7765

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7765

Release Date: 2020-11-16

Fix Resolution (@firebase/util): 0.3.3-2020922203858

Direct dependency fix Resolution (firebase): 6.2.3-canary.7043422

⛑️ Automatic Remediation is available for this issue

