vbc_calls_into_salesforce's People
Contributors
Watchers
vbc_calls_into_salesforce's Issues
express-4.14.1.tgz: 6 vulnerabilities (highest severity is: 7.5)
Vulnerable Library - express-4.14.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/qs/package.json
Found in HEAD commit: 5ec683556849934f85a1626f96efe2d9f7ba7748
Vulnerabilities
| CVE | Severity |  CVSS |
Dependency | Type | Fixed in (express version) | Remediation Available |
|---|---|---|---|---|---|---|
| CVE-2022-24999 |  High |
7.5 | qs-6.2.0.tgz | Transitive | 4.15.0 | |
| CVE-2017-1000048 | High |
7.5 | qs-6.2.0.tgz | Transitive | 4.15.0 | |
| CVE-2017-20165 | High |
7.5 | debug-2.2.0.tgz | Transitive | 4.15.5 | |
| CVE-2017-16138 | High |
7.5 | mime-1.3.4.tgz | Transitive | 4.16.0 | |
| CVE-2017-16119 | High |
7.5 | fresh-0.3.0.tgz | Transitive | 4.15.5 | |
| CVE-2017-16137 |  Medium |
5.3 | debug-2.2.0.tgz | Transitive | 4.15.5 |
Details
CVE-2022-24999
Vulnerable Library - qs-6.2.0.tgz
A querystring parser that supports nesting and arrays, with a depth limit
Library home page: https://registry.npmjs.org/qs/-/qs-6.2.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/qs/package.json
Dependency Hierarchy:
- express-4.14.1.tgz (Root Library)
❌ qs-6.2.0.tgz (Vulnerable Library)
Found in HEAD commit: 5ec683556849934f85a1626f96efe2d9f7ba7748
Found in base branch: main
Vulnerability Details
qs before 6.10.3, as used in Express before 4.17.3 and other products, allows attackers to cause a Node process hang for an Express application because an __ proto__ key can be used. In many typical Express use cases, an unauthenticated remote attacker can place the attack payload in the query string of the URL that is used to visit the application, such as a[proto]=b&a[proto]&a[length]=100000000. The fix was backported to qs 6.9.7, 6.8.3, 6.7.3, 6.6.1, 6.5.3, 6.4.1, 6.3.3, and 6.2.4 (and therefore Express 4.17.3, which has "deps: [email protected]" in its release description, is not vulnerable).
Publish Date: 2022-11-26
URL: CVE-2022-24999
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2022-24999
Release Date: 2022-11-26
Fix Resolution (qs): 6.2.4
Direct dependency fix Resolution (express): 4.15.0
CVE-2017-1000048
Vulnerable Library - qs-6.2.0.tgz
A querystring parser that supports nesting and arrays, with a depth limit
Library home page: https://registry.npmjs.org/qs/-/qs-6.2.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/qs/package.json
Dependency Hierarchy:
- express-4.14.1.tgz (Root Library)
❌ qs-6.2.0.tgz (Vulnerable Library)
Found in HEAD commit: 5ec683556849934f85a1626f96efe2d9f7ba7748
Found in base branch: main
Vulnerability Details
the web framework using ljharb's qs module older than v6.3.2, v6.2.3, v6.1.2, and v6.0.4 is vulnerable to a DoS. A malicious user can send a evil request to cause the web framework crash.
Publish Date: 2017-07-17
URL: CVE-2017-1000048
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000048
Release Date: 2017-07-13
Fix Resolution (qs): 6.2.3
Direct dependency fix Resolution (express): 4.15.0
CVE-2017-20165
Vulnerable Library - debug-2.2.0.tgz
small debugging utility
Library home page: https://registry.npmjs.org/debug/-/debug-2.2.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/debug/package.json
Dependency Hierarchy:
- express-4.14.1.tgz (Root Library)
❌ debug-2.2.0.tgz (Vulnerable Library)
Found in HEAD commit: 5ec683556849934f85a1626f96efe2d9f7ba7748
Found in base branch: main
Vulnerability Details
A vulnerability classified as problematic has been found in debug-js debug up to 3.0.x. This affects the function useColors of the file src/node.js. The manipulation of the argument str leads to inefficient regular expression complexity. Upgrading to version 3.1.0 is able to address this issue. The name of the patch is c38a0166c266a679c8de012d4eaccec3f944e685. It is recommended to upgrade the affected component. The identifier VDB-217665 was assigned to this vulnerability.
Publish Date: 2023-01-09
URL: CVE-2017-20165
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-9vvw-cc9w-f27h
Release Date: 2023-01-09
Fix Resolution (debug): 2.6.9
Direct dependency fix Resolution (express): 4.15.5
CVE-2017-16138
Vulnerable Library - mime-1.3.4.tgz
A comprehensive library for mime-type mapping
Library home page: https://registry.npmjs.org/mime/-/mime-1.3.4.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/mime/package.json
Dependency Hierarchy:
- express-4.14.1.tgz (Root Library)
- send-0.14.2.tgz
❌ mime-1.3.4.tgz (Vulnerable Library)
- send-0.14.2.tgz
Found in HEAD commit: 5ec683556849934f85a1626f96efe2d9f7ba7748
Found in base branch: main
Vulnerability Details
The mime module < 1.4.1, 2.0.1, 2.0.2 is vulnerable to regular expression denial of service when a mime lookup is performed on untrusted user input.
Mend Note: Converted from WS-2017-0330, on 2022-11-08.
Publish Date: 2018-06-07
URL: CVE-2017-16138
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16138
Release Date: 2018-06-07
Fix Resolution (mime): 1.4.1
Direct dependency fix Resolution (express): 4.16.0
CVE-2017-16119
Vulnerable Library - fresh-0.3.0.tgz
HTTP response freshness testing
Library home page: https://registry.npmjs.org/fresh/-/fresh-0.3.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/fresh/package.json
Dependency Hierarchy:
- express-4.14.1.tgz (Root Library)
❌ fresh-0.3.0.tgz (Vulnerable Library)
Found in HEAD commit: 5ec683556849934f85a1626f96efe2d9f7ba7748
Found in base branch: main
Vulnerability Details
Fresh is a module used by the Express.js framework for HTTP response freshness testing. It is vulnerable to a regular expression denial of service when it is passed specially crafted input to parse. This causes the event loop to be blocked causing a denial of service condition.
Publish Date: 2018-06-07
URL: CVE-2017-16119
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://www.npmjs.com/advisories/526
Release Date: 2018-04-26
Fix Resolution (fresh): 0.5.2
Direct dependency fix Resolution (express): 4.15.5
CVE-2017-16137
Vulnerable Library - debug-2.2.0.tgz
small debugging utility
Library home page: https://registry.npmjs.org/debug/-/debug-2.2.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/debug/package.json
Dependency Hierarchy:
- express-4.14.1.tgz (Root Library)
❌ debug-2.2.0.tgz (Vulnerable Library)
Found in HEAD commit: 5ec683556849934f85a1626f96efe2d9f7ba7748
Found in base branch: main
Vulnerability Details
The debug module is vulnerable to regular expression denial of service when untrusted user input is passed into the o formatter. It takes around 50k characters to block for 2 seconds making this a low severity issue.
Publish Date: 2018-06-07
URL: CVE-2017-16137
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: Low
Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-16137
Release Date: 2018-04-26
Fix Resolution (debug): 2.6.9
Direct dependency fix Resolution (express): 4.15.5
jsforce-1.9.3.tgz: 6 vulnerabilities (highest severity is: 9.8)
Vulnerable Library - jsforce-1.9.3.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/json-schema/package.json
Found in HEAD commit: 5ec683556849934f85a1626f96efe2d9f7ba7748
Vulnerabilities
| CVE | Severity | CVSS |
Dependency | Type | Fixed in (jsforce version) | Remediation Available |
|---|---|---|---|---|---|---|
| CVE-2021-3918 |  Critical |
9.8 | json-schema-0.2.3.tgz | Transitive | 1.10.0 | |
| CVE-2022-24999 | High |
7.5 | qs-6.5.2.tgz | Transitive | 1.10.0 | |
| CVE-2021-23337 | High |
7.2 | lodash-4.17.19.tgz | Transitive | 1.10.0 | |
| CVE-2023-28155 | Medium |
6.1 | request-2.88.2.tgz | Transitive | N/A* | |
| CVE-2023-0842 | Medium |
5.3 | xml2js-0.4.23.tgz | Transitive | 1.11.1 | |
| CVE-2020-28500 | Medium |
5.3 | lodash-4.17.19.tgz | Transitive | 1.10.0 |
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
Details
CVE-2021-3918
Vulnerable Library - json-schema-0.2.3.tgz
JSON Schema validation and specifications
Library home page: https://registry.npmjs.org/json-schema/-/json-schema-0.2.3.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/json-schema/package.json
Dependency Hierarchy:
- jsforce-1.9.3.tgz (Root Library)
- request-2.88.2.tgz
- http-signature-1.2.0.tgz
- jsprim-1.4.1.tgz
❌ json-schema-0.2.3.tgz (Vulnerable Library)
- jsprim-1.4.1.tgz
- http-signature-1.2.0.tgz
- request-2.88.2.tgz
Found in HEAD commit: 5ec683556849934f85a1626f96efe2d9f7ba7748
Found in base branch: main
Vulnerability Details
json-schema is vulnerable to Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
Publish Date: 2021-11-13
URL: CVE-2021-3918
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2021-3918
Release Date: 2021-11-13
Fix Resolution (json-schema): 0.4.0
Direct dependency fix Resolution (jsforce): 1.10.0
CVE-2022-24999
Vulnerable Library - qs-6.5.2.tgz
A querystring parser that supports nesting and arrays, with a depth limit
Library home page: https://registry.npmjs.org/qs/-/qs-6.5.2.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/request/node_modules/qs/package.json
Dependency Hierarchy:
- jsforce-1.9.3.tgz (Root Library)
- request-2.88.2.tgz
❌ qs-6.5.2.tgz (Vulnerable Library)
- request-2.88.2.tgz
Found in HEAD commit: 5ec683556849934f85a1626f96efe2d9f7ba7748
Found in base branch: main
Vulnerability Details
qs before 6.10.3, as used in Express before 4.17.3 and other products, allows attackers to cause a Node process hang for an Express application because an __ proto__ key can be used. In many typical Express use cases, an unauthenticated remote attacker can place the attack payload in the query string of the URL that is used to visit the application, such as a[proto]=b&a[proto]&a[length]=100000000. The fix was backported to qs 6.9.7, 6.8.3, 6.7.3, 6.6.1, 6.5.3, 6.4.1, 6.3.3, and 6.2.4 (and therefore Express 4.17.3, which has "deps: [email protected]" in its release description, is not vulnerable).
Publish Date: 2022-11-26
URL: CVE-2022-24999
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2022-24999
Release Date: 2022-11-26
Fix Resolution (qs): 6.5.3
Direct dependency fix Resolution (jsforce): 1.10.0
CVE-2021-23337
Vulnerable Library - lodash-4.17.19.tgz
Lodash modular utilities.
Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.19.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/lodash/package.json
Dependency Hierarchy:
- jsforce-1.9.3.tgz (Root Library)
❌ lodash-4.17.19.tgz (Vulnerable Library)
Found in HEAD commit: 5ec683556849934f85a1626f96efe2d9f7ba7748
Found in base branch: main
Vulnerability Details
Lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function.
Publish Date: 2021-02-15
URL: CVE-2021-23337
CVSS 3 Score Details (7.2)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: High
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-35jh-r3h4-6jhm
Release Date: 2021-02-15
Fix Resolution (lodash): 4.17.21
Direct dependency fix Resolution (jsforce): 1.10.0
CVE-2023-28155
Vulnerable Library - request-2.88.2.tgz
Simplified HTTP request client.
Library home page: https://registry.npmjs.org/request/-/request-2.88.2.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/request/package.json
Dependency Hierarchy:
- jsforce-1.9.3.tgz (Root Library)
❌ request-2.88.2.tgz (Vulnerable Library)
Found in HEAD commit: 5ec683556849934f85a1626f96efe2d9f7ba7748
Found in base branch: main
Vulnerability Details
** UNSUPPORTED WHEN ASSIGNED ** The Request package through 2.88.1 for Node.js allows a bypass of SSRF mitigations via an attacker-controller server that does a cross-protocol redirect (HTTP to HTTPS, or HTTPS to HTTP). NOTE: This vulnerability only affects products that are no longer supported by the maintainer.
Publish Date: 2023-03-16
URL: CVE-2023-28155
CVSS 3 Score Details (6.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
CVE-2023-0842
Vulnerable Library - xml2js-0.4.23.tgz
Simple XML to JavaScript object converter.
Library home page: https://registry.npmjs.org/xml2js/-/xml2js-0.4.23.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/xml2js/package.json
Dependency Hierarchy:
- jsforce-1.9.3.tgz (Root Library)
❌ xml2js-0.4.23.tgz (Vulnerable Library)
Found in HEAD commit: 5ec683556849934f85a1626f96efe2d9f7ba7748
Found in base branch: main
Vulnerability Details
xml2js version 0.4.23 allows an external attacker to edit or add new properties to an object. This is possible because the application does not properly validate incoming JSON keys, thus allowing the proto property to be edited.
Publish Date: 2023-04-05
URL: CVE-2023-0842
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: Low
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2023-0842
Release Date: 2023-04-05
Fix Resolution (xml2js): 0.5.0
Direct dependency fix Resolution (jsforce): 1.11.1
CVE-2020-28500
Vulnerable Library - lodash-4.17.19.tgz
Lodash modular utilities.
Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.19.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/lodash/package.json
Dependency Hierarchy:
- jsforce-1.9.3.tgz (Root Library)
❌ lodash-4.17.19.tgz (Vulnerable Library)
Found in HEAD commit: 5ec683556849934f85a1626f96efe2d9f7ba7748
Found in base branch: main
Vulnerability Details
Lodash versions prior to 4.17.21 are vulnerable to Regular Expression Denial of Service (ReDoS) via the toNumber, trim and trimEnd functions.
Mend Note: After conducting further research, Mend has determined that CVE-2020-28500 only affects environments with versions 4.0.0 to 4.17.20 of Lodash.
Publish Date: 2021-02-15
URL: CVE-2020-28500
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: Low
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28500
Release Date: 2021-02-15
Fix Resolution (lodash): 4.17.21
Direct dependency fix Resolution (jsforce): 1.10.0
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.