nexmo / amazon-transcribe-call Goto Github PK

Shows how to use the Amazon Transcribe API to transcribe a phone conversation recorded with the Nexmo Voice API.

License: MIT License

JavaScript 91.18% Dockerfile 3.10% Shell 5.72%

voice nexmo telephone aws-transcribe nodejs subtitles

amazon-transcribe-call's Introduction

Vonage Server SDK for Node.js

This is the Node.JS Server SDK for Vonage APIs. To use it you will need a Vonage account. Sign up for free at vonage.com.

For full API documentation refer to developer.vonage.com.

Installation
Constructor
Promises
Testing
Examples
References

Installation

With NPM

npm install @vonage/server-sdk

With Yarn

yarn add @vonage/server-sdk

Constructor

const { Vonage } = require('@vonage/server-sdk');

const vonage = new Vonage(credentials, options);

Where credentials is any option from @vonage/auth, and options is any option from @vonage/server-client

Promises

Most methods that interact with the Vonage API uses Promises. You can either resolve these yourself, or use await to wait for a response.

const resp = await vonage.sms.send({
    to: '15552220000',
    from: '15559992222',
    text: 'This is a test',
});

Testing

Run:

npm run test

Or to continually watch and run tests as you change the code:

npm run test-watch

Examples

See the Vonage Node Quickstarts repo.

References

You can find more information for each product below:

Supported APIs

The following is a list of Vonage APIs and whether the Node Server SDK provides support for them:

API	API Release Status	Supported?
Account API	General Availability	✅
Alerts API	General Availability	✅
Application API	General Availability	✅
Audit API	Beta	✅
Conversation API	Beta	❌
Dispatch API	Beta	❌
External Accounts API	Beta	❌
Media API	Beta	❌
Messages API	Beta	✅
Number Insight V2 API	Beta	✅
Number Insights API	General Availability	✅
Number Management API	General Availability	✅
Pricing API	General Availability	✅
Proactive Connect API	Beta	✅
Redact API	Developer Preview	✅
Reports API	Beta	❌
SMS API	General Availability	✅
Sub Accounts	Beta	✅
Users	General Availability	✅
Verify API	General Availability	✅
Verify v2 API	General Availability	✅
Video API	General Availability	✅
Voice API	General Availability	✅

V2 Migrations

While most of the V2 functions have been ported into their own package, some of the functions have not been ported or were removed. Below is a list of those changes:

V2 Function	Status	Note
`vonage.conversion`	REMOVED
`vonage.conversation`	Not Implemented	This was only released as a beta package
`vonage.app`	Moved	Moved to Applications
`vonage.files`	Moved	Move to ServerClient
`vonage.message`	Moved	Moved to SMS
`vonage.generateJwt`	Moved	Was moved to JWT
`vonage.generateSignature`	Moved	Was moved to SMS and Voice
`vonage.calls`	Moved	Was moved to Voice
`vonage.credentials`	Updated	Options can be found in Server Client
`vonage.options`	Updated	Options can be found in Server Client
`vonage.options.httpClient`	Removed
`vonage.options.userAgent`	Moved	Options can be found in Server Client

For more information, check out each packages migration guide.

amazon-transcribe-call's People

Contributors

Stargazers

Watchers

Forkers

nuxero deepak16686 ejasonbarretto rakhithjk cristina-gabriela

amazon-transcribe-call's Issues

serverless-1.47.0.tgz: 28 vulnerabilities (highest severity is: 9.8)

Vulnerable Library - serverless-1.47.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/flat/package.json

Found in HEAD commit: aa914de618a178424105cc38c474133a60c17eeb

Vulnerabilities

CVE	Severity	CVSS	Dependency	Type	Fixed in (serverless version)	Remediation Available
CVE-2020-12265	High	9.8	detected in multiple dependencies	Transitive	1.48.0	✅
CVE-2020-36632	High	9.8	flat-4.1.0.tgz	Transitive	1.48.0	✅
CVE-2020-28472	High	9.8	aws-sdk-2.492.0.tgz	Transitive	1.48.0	✅
CVE-2021-44906	High	9.8	detected in multiple dependencies	Transitive	1.48.0	✅
CVE-2020-7788	High	9.8	ini-1.3.5.tgz	Transitive	1.48.0	✅
CVE-2021-42581	High	9.1	ramda-0.25.0.tgz	Transitive	3.0.0	✅
CVE-2021-43138	High	7.8	async-2.6.2.tgz	Transitive	3.0.0	✅
CVE-2019-20149	High	7.5	kind-of-6.0.2.tgz	Transitive	1.48.0	✅
WS-2019-0310	High	7.5	https-proxy-agent-2.2.2.tgz	Transitive	1.48.0	✅
CVE-2022-38900	High	7.5	decode-uri-component-0.2.0.tgz	Transitive	1.48.0	✅
CVE-2021-43307	High	7.5	semver-regex-1.0.0.tgz	Transitive	2.1.0	✅
CVE-2021-3807	High	7.5	detected in multiple dependencies	Transitive	3.0.0	✅
CVE-2022-25901	High	7.5	cookiejar-2.1.2.tgz	Transitive	N/A*	❌
CVE-2022-3517	High	7.5	minimatch-3.0.4.tgz	Transitive	N/A*	❌
WS-2020-0044	High	7.5	decompress-4.2.0.tgz	Transitive	1.48.0	✅
CVE-2022-31129	High	7.5	moment-2.24.0.tgz	Transitive	2.0.0	✅
CVE-2021-3795	High	7.5	semver-regex-1.0.0.tgz	Transitive	2.1.0	✅
CVE-2022-24785	High	7.5	moment-2.24.0.tgz	Transitive	2.0.0	✅
CVE-2022-48285	High	7.3	jszip-3.2.2.tgz	Transitive	1.48.0	✅
CVE-2020-8116	High	7.3	dot-prop-4.2.0.tgz	Transitive	1.48.0	✅
CVE-2021-23337	High	7.2	lodash-4.17.19.tgz	Transitive	1.48.0	✅
CVE-2020-8244	Medium	6.5	bl-1.2.2.tgz	Transitive	1.48.0	✅
CVE-2022-0235	Medium	6.1	detected in multiple dependencies	Transitive	2.71.0	✅
CVE-2020-7598	Medium	5.6	detected in multiple dependencies	Transitive	1.48.0	✅
CVE-2020-28500	Medium	5.3	lodash-4.17.19.tgz	Transitive	1.48.0	✅
CVE-2021-23413	Medium	5.3	jszip-3.2.2.tgz	Transitive	1.48.0	✅
CVE-2022-33987	Medium	5.3	got-6.7.1.tgz	Transitive	3.19.0	✅
CVE-2020-15168	Medium	5.3	detected in multiple dependencies	Transitive	1.70.0	✅

*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.

Details

Partial details (24 vulnerabilities) are displayed below due to a content size limitation in GitHub. To view information on the remaining vulnerabilities, navigate to the Mend Application.

CVE-2020-12265

Vulnerable Libraries - decompress-4.2.0.tgz, decompress-tar-4.1.1.tgz

decompress-4.2.0.tgz

Extracting archives made easy

Library home page: https://registry.npmjs.org/decompress/-/decompress-4.2.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/decompress/package.json

Dependency Hierarchy:

serverless-1.47.0.tgz (Root Library)
- download-5.0.3.tgz
  - ❌ decompress-4.2.0.tgz (Vulnerable Library)

decompress-tar-4.1.1.tgz

decompress tar plugin

Library home page: https://registry.npmjs.org/decompress-tar/-/decompress-tar-4.1.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/decompress-tar/package.json

Dependency Hierarchy:

serverless-1.47.0.tgz (Root Library)
- download-5.0.3.tgz
  - decompress-4.2.0.tgz
    - ❌ decompress-tar-4.1.1.tgz (Vulnerable Library)

Found in HEAD commit: aa914de618a178424105cc38c474133a60c17eeb

Found in base branch: main

Vulnerability Details

The decompress package before 4.2.1 for Node.js is vulnerable to Arbitrary File Write via ../ in an archive member, when a symlink is used, because of Directory Traversal.

Publish Date: 2020-04-26

URL: CVE-2020-12265

CVSS 3 Score Details (9.8)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12265

Release Date: 2020-04-26

Fix Resolution (decompress): 4.2.1

Direct dependency fix Resolution (serverless): 1.48.0

⛑️ Automatic Remediation is available for this issue

CVE-2020-36632

Vulnerable Library - flat-4.1.0.tgz

Take a nested Javascript object and flatten it, or unflatten an object with delimited keys

Library home page: https://registry.npmjs.org/flat/-/flat-4.1.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/flat/package.json

Dependency Hierarchy:

serverless-1.47.0.tgz (Root Library)
- enterprise-plugin-1.2.0.tgz
  - ❌ flat-4.1.0.tgz (Vulnerable Library)

Found in HEAD commit: aa914de618a178424105cc38c474133a60c17eeb

Found in base branch: main

Vulnerability Details

A vulnerability, which was classified as critical, was found in hughsk flat up to 5.0.0. This affects the function unflatten of the file index.js. The manipulation leads to improperly controlled modification of object prototype attributes ('prototype pollution'). It is possible to initiate the attack remotely. Upgrading to version 5.0.1 is able to address this issue. The name of the patch is 20ef0ef55dfa028caddaedbcb33efbdb04d18e13. It is recommended to upgrade the affected component. The identifier VDB-216777 was assigned to this vulnerability.

Publish Date: 2022-12-25

URL: CVE-2020-36632

CVSS 3 Score Details (9.8)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-2j2x-2gpw-g8fm

Release Date: 2022-12-25

Fix Resolution (flat): 4.1.1

Direct dependency fix Resolution (serverless): 1.48.0

⛑️ Automatic Remediation is available for this issue

CVE-2020-28472

Vulnerable Library - aws-sdk-2.492.0.tgz

AWS SDK for JavaScript

Library home page: https://registry.npmjs.org/aws-sdk/-/aws-sdk-2.492.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/serverless/node_modules/aws-sdk/package.json

Dependency Hierarchy:

serverless-1.47.0.tgz (Root Library)
- ❌ aws-sdk-2.492.0.tgz (Vulnerable Library)

Found in HEAD commit: aa914de618a178424105cc38c474133a60c17eeb

Found in base branch: main

Vulnerability Details

This affects the package @aws-sdk/shared-ini-file-loader before 1.0.0-rc.9; the package aws-sdk before 2.814.0. If an attacker submits a malicious INI file to an application that parses it with loadSharedConfigFiles , they will pollute the prototype on the application. This can be exploited further depending on the context.

Publish Date: 2021-01-19

URL: CVE-2020-28472

CVSS 3 Score Details (9.8)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2020-28472

Release Date: 2021-01-19

Fix Resolution (aws-sdk): 2.814.0

Direct dependency fix Resolution (serverless): 1.48.0

⛑️ Automatic Remediation is available for this issue

CVE-2021-44906

Vulnerable Libraries - minimist-1.2.0.tgz, minimist-0.0.8.tgz

minimist-1.2.0.tgz

parse argument options

Library home page: https://registry.npmjs.org/minimist/-/minimist-1.2.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/minimist/package.json

Dependency Hierarchy:

serverless-1.47.0.tgz (Root Library)
- ❌ minimist-1.2.0.tgz (Vulnerable Library)

minimist-0.0.8.tgz

parse argument options

Library home page: https://registry.npmjs.org/minimist/-/minimist-0.0.8.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/mkdirp/node_modules/minimist/package.json

Dependency Hierarchy:

serverless-1.47.0.tgz (Root Library)
- mkdirp-0.5.1.tgz
  - ❌ minimist-0.0.8.tgz (Vulnerable Library)

Found in HEAD commit: aa914de618a178424105cc38c474133a60c17eeb

Found in base branch: main

Vulnerability Details

Minimist <=1.2.5 is vulnerable to Prototype Pollution via file index.js, function setKey() (lines 69-95).

Publish Date: 2022-03-17

URL: CVE-2021-44906

CVSS 3 Score Details (9.8)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2022-03-17

Fix Resolution (minimist): 1.2.6

Direct dependency fix Resolution (serverless): 1.48.0

Fix Resolution (minimist): 0.2.2

Direct dependency fix Resolution (serverless): 1.48.0

⛑️ Automatic Remediation is available for this issue

CVE-2020-7788

Vulnerable Library - ini-1.3.5.tgz

An ini encoder/decoder for node

Library home page: https://registry.npmjs.org/ini/-/ini-1.3.5.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/ini/package.json

Dependency Hierarchy:

serverless-1.47.0.tgz (Root Library)
- rc-1.2.8.tgz
  - ❌ ini-1.3.5.tgz (Vulnerable Library)

Found in HEAD commit: aa914de618a178424105cc38c474133a60c17eeb

Found in base branch: main

Vulnerability Details

This affects the package ini before 1.3.6. If an attacker submits a malicious INI file to an application that parses it with ini.parse, they will pollute the prototype on the application. This can be exploited further depending on the context.

Publish Date: 2020-12-11

URL: CVE-2020-7788

CVSS 3 Score Details (9.8)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7788

Release Date: 2020-12-11

Fix Resolution (ini): 1.3.6

Direct dependency fix Resolution (serverless): 1.48.0

⛑️ Automatic Remediation is available for this issue

CVE-2021-42581

Vulnerable Library - ramda-0.25.0.tgz

A practical functional library for JavaScript programmers.

Library home page: https://registry.npmjs.org/ramda/-/ramda-0.25.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/ramda/package.json

Dependency Hierarchy:

serverless-1.47.0.tgz (Root Library)
- enterprise-plugin-1.2.0.tgz
  - platform-sdk-1.0.2.tgz
    - ❌ ramda-0.25.0.tgz (Vulnerable Library)

Found in HEAD commit: aa914de618a178424105cc38c474133a60c17eeb

Found in base branch: main

Vulnerability Details

** DISPUTED ** Prototype poisoning in function mapObjIndexed in Ramda 0.27.0 and earlier allows attackers to compromise integrity or availability of application via supplying a crafted object (that contains an own property "proto") as an argument to the function. NOTE: the vendor disputes this because the observed behavior only means that a user can create objects that the user didn't know would contain custom prototypes.

Publish Date: 2022-05-10

URL: CVE-2021-42581

CVSS 3 Score Details (9.1)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: High
- Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-42581

Release Date: 2022-05-10

Fix Resolution (ramda): 0.27.1

Direct dependency fix Resolution (serverless): 3.0.0

⛑️ Automatic Remediation is available for this issue

CVE-2021-43138

Vulnerable Library - async-2.6.2.tgz

Higher-order functions and common patterns for asynchronous code

Library home page: https://registry.npmjs.org/async/-/async-2.6.2.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/archiver/node_modules/async/package.json

Dependency Hierarchy:

serverless-1.47.0.tgz (Root Library)
- archiver-1.3.0.tgz
  - ❌ async-2.6.2.tgz (Vulnerable Library)

Found in HEAD commit: aa914de618a178424105cc38c474133a60c17eeb

Found in base branch: main

Vulnerability Details

In Async before 2.6.4 and 3.x before 3.2.2, a malicious user can obtain privileges via the mapValues() method, aka lib/internal/iterator.js createObjectIterator prototype pollution.

Publish Date: 2022-04-06

URL: CVE-2021-43138

CVSS 3 Score Details (7.8)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2021-43138

Release Date: 2022-04-06

Fix Resolution (async): 2.6.4

Direct dependency fix Resolution (serverless): 3.0.0

⛑️ Automatic Remediation is available for this issue

CVE-2019-20149

Vulnerable Library - kind-of-6.0.2.tgz

Get the native type of a value.

Library home page: https://registry.npmjs.org/kind-of/-/kind-of-6.0.2.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/kind-of/package.json

Dependency Hierarchy:

serverless-1.47.0.tgz (Root Library)
- nanomatch-1.2.13.tgz
  - ❌ kind-of-6.0.2.tgz (Vulnerable Library)

Found in HEAD commit: aa914de618a178424105cc38c474133a60c17eeb

Found in base branch: main

Vulnerability Details

ctorName in index.js in kind-of v6.0.2 allows external user input to overwrite certain internal attributes via a conflicting name, as demonstrated by 'constructor': {'name':'Symbol'}. Hence, a crafted payload can overwrite this builtin attribute to manipulate the type detection result.

Publish Date: 2019-12-30

URL: CVE-2019-20149

CVSS 3 Score Details (7.5)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: High
- Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-20149

Release Date: 2019-12-30

Fix Resolution (kind-of): 6.0.3

Direct dependency fix Resolution (serverless): 1.48.0

⛑️ Automatic Remediation is available for this issue

WS-2019-0310

Vulnerable Library - https-proxy-agent-2.2.2.tgz

An HTTP(s) proxy `http.Agent` implementation for HTTPS

Library home page: https://registry.npmjs.org/https-proxy-agent/-/https-proxy-agent-2.2.2.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/https-proxy-agent/package.json

Dependency Hierarchy:

serverless-1.47.0.tgz (Root Library)
- ❌ https-proxy-agent-2.2.2.tgz (Vulnerable Library)

Found in HEAD commit: aa914de618a178424105cc38c474133a60c17eeb

Found in base branch: main

Vulnerability Details

"in 'https-proxy-agent', before v2.2.3, there is a failure of TLS enforcement on the socket. Attacker may intercept unencrypted communications.

Publish Date: 2019-10-07

URL: WS-2019-0310

CVSS 3 Score Details (7.5)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/1184

Release Date: 2019-10-07

Fix Resolution (https-proxy-agent): 2.2.3

Direct dependency fix Resolution (serverless): 1.48.0

⛑️ Automatic Remediation is available for this issue

CVE-2022-38900

Vulnerable Library - decode-uri-component-0.2.0.tgz

A better decodeURIComponent

Library home page: https://registry.npmjs.org/decode-uri-component/-/decode-uri-component-0.2.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/decode-uri-component/package.json

Dependency Hierarchy:

serverless-1.47.0.tgz (Root Library)
- nanomatch-1.2.13.tgz
  - snapdragon-0.8.2.tgz
    - source-map-resolve-0.5.2.tgz
      - ❌ decode-uri-component-0.2.0.tgz (Vulnerable Library)

Found in HEAD commit: aa914de618a178424105cc38c474133a60c17eeb

Found in base branch: main

Vulnerability Details

decode-uri-component 0.2.0 is vulnerable to Improper Input Validation resulting in DoS.

Publish Date: 2022-11-28

URL: CVE-2022-38900

CVSS 3 Score Details (7.5)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-w573-4hg7-7wgq

Release Date: 2022-11-28

Fix Resolution (decode-uri-component): 0.2.1

Direct dependency fix Resolution (serverless): 1.48.0

⛑️ Automatic Remediation is available for this issue

CVE-2021-43307

Vulnerable Library - semver-regex-1.0.0.tgz

Regular expression for matching semver versions

Library home page: https://registry.npmjs.org/semver-regex/-/semver-regex-1.0.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/semver-regex/package.json

Dependency Hierarchy:

serverless-1.47.0.tgz (Root Library)
- ❌ semver-regex-1.0.0.tgz (Vulnerable Library)

Found in HEAD commit: aa914de618a178424105cc38c474133a60c17eeb

Found in base branch: main

Vulnerability Details

An exponential ReDoS (Regular Expression Denial of Service) can be triggered in the semver-regex npm package, when an attacker is able to supply arbitrary input to the test() method

Publish Date: 2022-06-02

URL: CVE-2021-43307

CVSS 3 Score Details (7.5)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://research.jfrog.com/vulnerabilities/semver-regex-redos-xray-211349/

Release Date: 2022-06-02

Fix Resolution (semver-regex): 3.1.4

Direct dependency fix Resolution (serverless): 2.1.0

⛑️ Automatic Remediation is available for this issue

CVE-2021-3807

Vulnerable Libraries - ansi-regex-4.1.0.tgz, ansi-regex-3.0.0.tgz

ansi-regex-4.1.0.tgz

Regular expression for matching ANSI escape codes

Library home page: https://registry.npmjs.org/ansi-regex/-/ansi-regex-4.1.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/strip-ansi/node_modules/ansi-regex/package.json

Dependency Hierarchy:

serverless-1.47.0.tgz (Root Library)
- inquirer-6.5.0.tgz
  - strip-ansi-5.2.0.tgz
    - ❌ ansi-regex-4.1.0.tgz (Vulnerable Library)

ansi-regex-3.0.0.tgz

Regular expression for matching ANSI escape codes

Library home page: https://registry.npmjs.org/ansi-regex/-/ansi-regex-3.0.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/ansi-regex/package.json

Dependency Hierarchy:

serverless-1.47.0.tgz (Root Library)
- inquirer-6.5.0.tgz
  - string-width-2.1.1.tgz
    - strip-ansi-4.0.0.tgz
      - ❌ ansi-regex-3.0.0.tgz (Vulnerable Library)

Found in HEAD commit: aa914de618a178424105cc38c474133a60c17eeb

Found in base branch: main

Vulnerability Details

ansi-regex is vulnerable to Inefficient Regular Expression Complexity

Publish Date: 2021-09-17

URL: CVE-2021-3807

CVSS 3 Score Details (7.5)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://huntr.dev/bounties/5b3cf33b-ede0-4398-9974-800876dfd994/

Release Date: 2021-09-17

Fix Resolution (ansi-regex): 4.1.1

Direct dependency fix Resolution (serverless): 3.0.0

Fix Resolution (ansi-regex): 3.0.1

Direct dependency fix Resolution (serverless): 1.48.0

⛑️ Automatic Remediation is available for this issue

CVE-2022-25901

Vulnerable Library - cookiejar-2.1.2.tgz

simple persistent cookiejar system

Library home page: https://registry.npmjs.org/cookiejar/-/cookiejar-2.1.2.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/cookiejar/package.json

Dependency Hierarchy:

serverless-1.47.0.tgz (Root Library)
- json-refs-2.1.7.tgz
  - path-loader-1.0.10.tgz
    - superagent-3.8.3.tgz
      - ❌ cookiejar-2.1.2.tgz (Vulnerable Library)

Found in HEAD commit: aa914de618a178424105cc38c474133a60c17eeb

Found in base branch: main

Vulnerability Details

Versions of the package cookiejar before 2.1.4 are vulnerable to Regular Expression Denial of Service (ReDoS) via the Cookie.parse function, which uses an insecure regular expression.

Publish Date: 2023-01-18

URL: CVE-2022-25901

CVSS 3 Score Details (7.5)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2023-01-18

Fix Resolution: cookiejar - 2.1.4

CVE-2022-3517

Vulnerable Library - minimatch-3.0.4.tgz

a glob matcher in javascript

Library home page: https://registry.npmjs.org/minimatch/-/minimatch-3.0.4.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/minimatch/package.json

Dependency Hierarchy:

serverless-1.47.0.tgz (Root Library)
- enterprise-plugin-1.2.0.tgz
  - node-dir-0.1.17.tgz
    - ❌ minimatch-3.0.4.tgz (Vulnerable Library)

Found in HEAD commit: aa914de618a178424105cc38c474133a60c17eeb

Found in base branch: main

Vulnerability Details

A vulnerability was found in the minimatch package. This flaw allows a Regular Expression Denial of Service (ReDoS) when calling the braceExpand function with specific arguments, resulting in a Denial of Service.

Publish Date: 2022-10-17

URL: CVE-2022-3517

CVSS 3 Score Details (7.5)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2022-10-17

Fix Resolution: minimatch - 3.0.5

WS-2020-0044

Vulnerable Library - decompress-4.2.0.tgz

Extracting archives made easy

Library home page: https://registry.npmjs.org/decompress/-/decompress-4.2.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/decompress/package.json

Dependency Hierarchy:

serverless-1.47.0.tgz (Root Library)
- download-5.0.3.tgz
  - ❌ decompress-4.2.0.tgz (Vulnerable Library)

Found in HEAD commit: aa914de618a178424105cc38c474133a60c17eeb

Found in base branch: main

Vulnerability Details

decompress in all its versions is vulnerable to arbitrary file write. the package fails to prevent an extraction of files with relative paths which allows attackers to write to any folder in the system.

Publish Date: 2020-03-08

URL: WS-2020-0044

CVSS 3 Score Details (7.5)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: High
- Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2020-03-08

Fix Resolution (decompress): 4.2.1

Direct dependency fix Resolution (serverless): 1.48.0

⛑️ Automatic Remediation is available for this issue

CVE-2022-31129

Vulnerable Library - moment-2.24.0.tgz

Parse, validate, manipulate, and display dates

Library home page: https://registry.npmjs.org/moment/-/moment-2.24.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/moment/package.json

Dependency Hierarchy:

serverless-1.47.0.tgz (Root Library)
- ❌ moment-2.24.0.tgz (Vulnerable Library)

Found in HEAD commit: aa914de618a178424105cc38c474133a60c17eeb

Found in base branch: main

Vulnerability Details

moment is a JavaScript date library for parsing, validating, manipulating, and formatting dates. Affected versions of moment were found to use an inefficient parsing algorithm. Specifically using string-to-date parsing in moment (more specifically rfc2822 parsing, which is tried by default) has quadratic (N^2) complexity on specific inputs. Users may notice a noticeable slowdown is observed with inputs above 10k characters. Users who pass user-provided strings without sanity length checks to moment constructor are vulnerable to (Re)DoS attacks. The problem is patched in 2.29.4, the patch can be applied to all affected versions with minimal tweaking. Users are advised to upgrade. Users unable to upgrade should consider limiting date lengths accepted from user input.

Publish Date: 2022-07-06

URL: CVE-2022-31129

CVSS 3 Score Details (7.5)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-wc69-rhjr-hc9g

Release Date: 2022-07-06

Fix Resolution (moment): 2.29.4

Direct dependency fix Resolution (serverless): 2.0.0

⛑️ Automatic Remediation is available for this issue

CVE-2021-3795

Vulnerable Library - semver-regex-1.0.0.tgz

Regular expression for matching semver versions

Library home page: https://registry.npmjs.org/semver-regex/-/semver-regex-1.0.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/semver-regex/package.json

Dependency Hierarchy:

serverless-1.47.0.tgz (Root Library)
- ❌ semver-regex-1.0.0.tgz (Vulnerable Library)

Found in HEAD commit: aa914de618a178424105cc38c474133a60c17eeb

Found in base branch: main

Vulnerability Details

semver-regex is vulnerable to Inefficient Regular Expression Complexity

Publish Date: 2021-09-15

URL: CVE-2021-3795

CVSS 3 Score Details (7.5)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2021-09-15

Fix Resolution (semver-regex): 3.1.3

Direct dependency fix Resolution (serverless): 2.1.0

⛑️ Automatic Remediation is available for this issue

CVE-2022-24785

Vulnerable Library - moment-2.24.0.tgz

Parse, validate, manipulate, and display dates

Library home page: https://registry.npmjs.org/moment/-/moment-2.24.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/moment/package.json

Dependency Hierarchy:

serverless-1.47.0.tgz (Root Library)
- ❌ moment-2.24.0.tgz (Vulnerable Library)

Found in HEAD commit: aa914de618a178424105cc38c474133a60c17eeb

Found in base branch: main

Vulnerability Details

Moment.js is a JavaScript date library for parsing, validating, manipulating, and formatting dates. A path traversal vulnerability impacts npm (server) users of Moment.js between versions 1.0.1 and 2.29.1, especially if a user-provided locale string is directly used to switch moment locale. This problem is patched in 2.29.2, and the patch can be applied to all affected versions. As a workaround, sanitize the user-provided locale name before passing it to Moment.js.

Publish Date: 2022-04-04

URL: CVE-2022-24785

CVSS 3 Score Details (7.5)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: High
- Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-8hfj-j24r-96c4

Release Date: 2022-04-04

Fix Resolution (moment): 2.29.2

Direct dependency fix Resolution (serverless): 2.0.0

⛑️ Automatic Remediation is available for this issue

CVE-2022-48285

Vulnerable Library - jszip-3.2.2.tgz

Create, read and edit .zip files with JavaScript http://stuartk.com/jszip

Library home page: https://registry.npmjs.org/jszip/-/jszip-3.2.2.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/jszip/package.json

Dependency Hierarchy:

serverless-1.47.0.tgz (Root Library)
- ❌ jszip-3.2.2.tgz (Vulnerable Library)

Found in HEAD commit: aa914de618a178424105cc38c474133a60c17eeb

Found in base branch: main

Vulnerability Details

loadAsync in JSZip before 3.8.0 allows Directory Traversal via a crafted ZIP archive.

Publish Date: 2023-01-29

URL: CVE-2022-48285

CVSS 3 Score Details (7.3)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2023-01-29

Fix Resolution (jszip): 3.8.0

Direct dependency fix Resolution (serverless): 1.48.0

⛑️ Automatic Remediation is available for this issue

CVE-2020-8116

Vulnerable Library - dot-prop-4.2.0.tgz

Get, set, or delete a property from a nested object using a dot path

Library home page: https://registry.npmjs.org/dot-prop/-/dot-prop-4.2.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/dot-prop/package.json

Dependency Hierarchy:

serverless-1.47.0.tgz (Root Library)
- update-notifier-2.5.0.tgz
  - configstore-3.1.2.tgz
    - ❌ dot-prop-4.2.0.tgz (Vulnerable Library)

Found in HEAD commit: aa914de618a178424105cc38c474133a60c17eeb

Found in base branch: main

Vulnerability Details

Prototype pollution vulnerability in dot-prop npm package versions before 4.2.1 and versions 5.x before 5.1.1 allows an attacker to add arbitrary properties to JavaScript language constructs such as objects.

Publish Date: 2020-02-04

URL: CVE-2020-8116

CVSS 3 Score Details (7.3)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8116

Release Date: 2020-02-04

Fix Resolution (dot-prop): 4.2.1

Direct dependency fix Resolution (serverless): 1.48.0

⛑️ Automatic Remediation is available for this issue

CVE-2021-23337

Vulnerable Library - lodash-4.17.19.tgz

Lodash modular utilities.

Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.19.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/lodash/package.json

Dependency Hierarchy:

serverless-1.47.0.tgz (Root Library)
- ❌ lodash-4.17.19.tgz (Vulnerable Library)

Found in HEAD commit: aa914de618a178424105cc38c474133a60c17eeb

Found in base branch: main

Vulnerability Details

Lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function.

Publish Date: 2021-02-15

URL: CVE-2021-23337

CVSS 3 Score Details (7.2)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: High
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-35jh-r3h4-6jhm

Release Date: 2021-02-15

Fix Resolution (lodash): 4.17.21

Direct dependency fix Resolution (serverless): 1.48.0

⛑️ Automatic Remediation is available for this issue

CVE-2020-8244

Vulnerable Library - bl-1.2.2.tgz

Buffer List: collect buffers and access with a standard readable Buffer interface, streamable too!

Library home page: https://registry.npmjs.org/bl/-/bl-1.2.2.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/bl/package.json

Dependency Hierarchy:

serverless-1.47.0.tgz (Root Library)
- archiver-1.3.0.tgz
  - tar-stream-1.6.2.tgz
    - ❌ bl-1.2.2.tgz (Vulnerable Library)

Found in HEAD commit: aa914de618a178424105cc38c474133a60c17eeb

Found in base branch: main

Vulnerability Details

A buffer over-read vulnerability exists in bl <4.0.3, <3.0.1, <2.2.1, and <1.2.3 which could allow an attacker to supply user input (even typed) that if it ends up in consume() argument and can become negative, the BufferList state can be corrupted, tricking it into exposing uninitialized memory via regular .slice() calls.

Publish Date: 2020-08-30

URL: CVE-2020-8244

CVSS 3 Score Details (6.5)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: None
- Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-pp7h-53gx-mx7r

Release Date: 2020-08-30

Fix Resolution (bl): 1.2.3

Direct dependency fix Resolution (serverless): 1.48.0

⛑️ Automatic Remediation is available for this issue

CVE-2022-0235

Vulnerable Libraries - node-fetch-2.6.0.tgz, node-fetch-1.7.3.tgz

node-fetch-2.6.0.tgz

A light-weight module that brings window.fetch to node.js

Library home page: https://registry.npmjs.org/node-fetch/-/node-fetch-2.6.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/@serverless/enterprise-plugin/node_modules/node-fetch/package.json

Dependency Hierarchy:

serverless-1.47.0.tgz (Root Library)
- enterprise-plugin-1.2.0.tgz
  - ❌ node-fetch-2.6.0.tgz (Vulnerable Library)

node-fetch-1.7.3.tgz

A light-weight module that brings window.fetch to node.js and io.js

Library home page: https://registry.npmjs.org/node-fetch/-/node-fetch-1.7.3.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/node-fetch/package.json

Dependency Hierarchy:

serverless-1.47.0.tgz (Root Library)
- ❌ node-fetch-1.7.3.tgz (Vulnerable Library)

Found in HEAD commit: aa914de618a178424105cc38c474133a60c17eeb

Found in base branch: main

Vulnerability Details

node-fetch is vulnerable to Exposure of Sensitive Information to an Unauthorized Actor

Publish Date: 2022-01-16

URL: CVE-2022-0235

CVSS 3 Score Details (6.1)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Changed
Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-r683-j2x4-v87g

Release Date: 2022-01-16

Fix Resolution (node-fetch): 2.6.7

Direct dependency fix Resolution (serverless): 2.71.0

Fix Resolution (node-fetch): 2.6.7

Direct dependency fix Resolution (serverless): 2.71.0

⛑️ Automatic Remediation is available for this issue

CVE-2020-7598

Vulnerable Libraries - minimist-1.2.0.tgz, minimist-0.0.8.tgz

minimist-1.2.0.tgz

parse argument options

Library home page: https://registry.npmjs.org/minimist/-/minimist-1.2.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/minimist/package.json

Dependency Hierarchy:

serverless-1.47.0.tgz (Root Library)
- ❌ minimist-1.2.0.tgz (Vulnerable Library)

minimist-0.0.8.tgz

parse argument options

Library home page: https://registry.npmjs.org/minimist/-/minimist-0.0.8.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/mkdirp/node_modules/minimist/package.json

Dependency Hierarchy:

serverless-1.47.0.tgz (Root Library)
- mkdirp-0.5.1.tgz
  - ❌ minimist-0.0.8.tgz (Vulnerable Library)

Found in HEAD commit: aa914de618a178424105cc38c474133a60c17eeb

Found in base branch: main

Vulnerability Details

minimist before 1.2.2 could be tricked into adding or modifying properties of Object.prototype using a "constructor" or "proto" payload.

Publish Date: 2020-03-11

URL: CVE-2020-7598

CVSS 3 Score Details (5.6)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2020-03-11

Fix Resolution (minimist): 1.2.3

Direct dependency fix Resolution (serverless): 1.48.0

Fix Resolution (minimist): 0.2.1

Direct dependency fix Resolution (serverless): 1.48.0

⛑️ Automatic Remediation is available for this issue

⛑️ Automatic Remediation is available for this issue.

Vonage Voyagers Application - Leverage serverless for the webhooks

Hi. I'm applying for Vonage Voyagers program so I'm opening this issue to suggest a improvement.

Deploying the webhooks would require to set up and maintain a server with node, which will charge even if there is no requests goin through. One way to solve this is to deploy webhooks using a serverless approach.

By deploying webhooks using AWS API Gateway + Lambda, AWS would only charge when they are executed and recordings can be stored on S3. Then, SES can be used to notify a user that the transcribe process is finished and it can include the download link.

I did something similar in the company I work for.

body-parser-1.19.0.tgz: 1 vulnerabilities (highest severity is: 7.5)

Vulnerable Library - body-parser-1.19.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/qs/package.json

Found in HEAD commit: aa914de618a178424105cc38c474133a60c17eeb

Vulnerabilities

CVE	Severity	CVSS	Dependency	Type	Fixed in (body-parser version)	Remediation Available
CVE-2022-24999	High	7.5	qs-6.7.0.tgz	Transitive	1.19.1	✅

Details

CVE-2022-24999

Vulnerable Library - qs-6.7.0.tgz

A querystring parser that supports nesting and arrays, with a depth limit

Library home page: https://registry.npmjs.org/qs/-/qs-6.7.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/qs/package.json

Dependency Hierarchy:

body-parser-1.19.0.tgz (Root Library)
- ❌ qs-6.7.0.tgz (Vulnerable Library)

Found in HEAD commit: aa914de618a178424105cc38c474133a60c17eeb

Found in base branch: main

Vulnerability Details

qs before 6.10.3, as used in Express before 4.17.3 and other products, allows attackers to cause a Node process hang for an Express application because an __ proto__ key can be used. In many typical Express use cases, an unauthenticated remote attacker can place the attack payload in the query string of the URL that is used to visit the application, such as a[proto]=b&a[proto]&a[length]=100000000. The fix was backported to qs 6.9.7, 6.8.3, 6.7.3, 6.6.1, 6.5.3, 6.4.1, 6.3.3, and 6.2.4 (and therefore Express 4.17.3, which has "deps: [email protected]" in its release description, is not vulnerable).

Publish Date: 2022-11-26

URL: CVE-2022-24999

CVSS 3 Score Details (7.5)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2022-24999

Release Date: 2022-11-26

Fix Resolution (qs): 6.7.3

Direct dependency fix Resolution (body-parser): 1.19.1

⛑️ Automatic Remediation is available for this issue

⛑️ Automatic Remediation is available for this issue.

server-sdk-2.10.10.tgz: 7 vulnerabilities (highest severity is: 9.8)

Vulnerable Library - server-sdk-2.10.10.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/request/node_modules/qs/package.json

Found in HEAD commit: aa914de618a178424105cc38c474133a60c17eeb

Vulnerabilities

CVE	Severity	CVSS	Dependency	Type	Fixed in (server-sdk version)	Remediation Available
CVE-2021-3918	High	9.8	json-schema-0.2.3.tgz	Transitive	2.10.11	✅
CVE-2022-23539	High	8.1	jsonwebtoken-8.5.1.tgz	Transitive	N/A*	❌
CVE-2022-23540	High	7.6	jsonwebtoken-8.5.1.tgz	Transitive	N/A*	❌
CVE-2022-24999	High	7.5	qs-6.5.2.tgz	Transitive	2.10.11	✅
CVE-2022-23541	Medium	6.3	jsonwebtoken-8.5.1.tgz	Transitive	N/A*	❌
CVE-2023-28155	Medium	6.1	request-2.88.2.tgz	Transitive	N/A*	❌
CVE-2020-15366	Medium	5.6	ajv-6.10.2.tgz	Transitive	2.10.11	✅

Details

CVE-2021-3918

Vulnerable Library - json-schema-0.2.3.tgz

JSON Schema validation and specifications

Library home page: https://registry.npmjs.org/json-schema/-/json-schema-0.2.3.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/json-schema/package.json

Dependency Hierarchy:

server-sdk-2.10.10.tgz (Root Library)
- request-2.88.2.tgz
  - http-signature-1.2.0.tgz
    - jsprim-1.4.1.tgz
      - ❌ json-schema-0.2.3.tgz (Vulnerable Library)

Found in HEAD commit: aa914de618a178424105cc38c474133a60c17eeb

Found in base branch: main

Vulnerability Details

json-schema is vulnerable to Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

Publish Date: 2021-11-13

URL: CVE-2021-3918

CVSS 3 Score Details (9.8)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2021-3918

Release Date: 2021-11-13

Fix Resolution (json-schema): 0.4.0

Direct dependency fix Resolution (@vonage/server-sdk): 2.10.11

⛑️ Automatic Remediation is available for this issue

CVE-2022-23539

Vulnerable Library - jsonwebtoken-8.5.1.tgz

JSON Web Token implementation (symmetric and asymmetric)

Library home page: https://registry.npmjs.org/jsonwebtoken/-/jsonwebtoken-8.5.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/jsonwebtoken/package.json

Dependency Hierarchy:

server-sdk-2.10.10.tgz (Root Library)
- ❌ jsonwebtoken-8.5.1.tgz (Vulnerable Library)

Found in HEAD commit: aa914de618a178424105cc38c474133a60c17eeb

Found in base branch: main

Vulnerability Details

Versions <=8.5.1 of jsonwebtoken library could be misconfigured so that legacy, insecure key types are used for signature verification. For example, DSA keys could be used with the RS256 algorithm. You are affected if you are using an algorithm and a key type other than a combination listed in the GitHub Security Advisory as unaffected. This issue has been fixed, please update to version 9.0.0. This version validates for asymmetric key type and algorithm combinations. Please refer to the above mentioned algorithm / key type combinations for the valid secure configuration. After updating to version 9.0.0, if you still intend to continue with signing or verifying tokens using invalid key type/algorithm value combinations, you’ll need to set the allowInvalidAsymmetricKeyTypes option to true in the sign() and/or verify() functions.

Publish Date: 2022-12-23

URL: CVE-2022-23539

CVSS 3 Score Details (8.1)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-8cf7-32gw-wr33

Release Date: 2022-12-23

Fix Resolution: jsonwebtoken - 9.0.0

CVE-2022-23540

Vulnerable Library - jsonwebtoken-8.5.1.tgz

JSON Web Token implementation (symmetric and asymmetric)

Library home page: https://registry.npmjs.org/jsonwebtoken/-/jsonwebtoken-8.5.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/jsonwebtoken/package.json

Dependency Hierarchy:

server-sdk-2.10.10.tgz (Root Library)
- ❌ jsonwebtoken-8.5.1.tgz (Vulnerable Library)

Found in HEAD commit: aa914de618a178424105cc38c474133a60c17eeb

Found in base branch: main

Vulnerability Details

In versions <=8.5.1 of jsonwebtoken library, lack of algorithm definition in the jwt.verify() function can lead to signature validation bypass due to defaulting to the none algorithm for signature verification. Users are affected if you do not specify algorithms in the jwt.verify() function. This issue has been fixed, please update to version 9.0.0 which removes the default support for the none algorithm in the jwt.verify() method. There will be no impact, if you update to version 9.0.0 and you don’t need to allow for the none algorithm. If you need 'none' algorithm, you have to explicitly specify that in jwt.verify() options.

Publish Date: 2022-12-22

URL: CVE-2022-23540

CVSS 3 Score Details (7.6)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: High
- Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2022-23540

Release Date: 2022-12-22

Fix Resolution: jsonwebtoken - 9.0.0

CVE-2022-24999

Vulnerable Library - qs-6.5.2.tgz

A querystring parser that supports nesting and arrays, with a depth limit

Library home page: https://registry.npmjs.org/qs/-/qs-6.5.2.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/request/node_modules/qs/package.json

Dependency Hierarchy:

server-sdk-2.10.10.tgz (Root Library)
- request-2.88.2.tgz
  - ❌ qs-6.5.2.tgz (Vulnerable Library)

Found in HEAD commit: aa914de618a178424105cc38c474133a60c17eeb

Found in base branch: main

Vulnerability Details

Publish Date: 2022-11-26

URL: CVE-2022-24999

CVSS 3 Score Details (7.5)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2022-24999

Release Date: 2022-11-26

Fix Resolution (qs): 6.5.3

Direct dependency fix Resolution (@vonage/server-sdk): 2.10.11

⛑️ Automatic Remediation is available for this issue

CVE-2022-23541

Vulnerable Library - jsonwebtoken-8.5.1.tgz

JSON Web Token implementation (symmetric and asymmetric)

Library home page: https://registry.npmjs.org/jsonwebtoken/-/jsonwebtoken-8.5.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/jsonwebtoken/package.json

Dependency Hierarchy:

server-sdk-2.10.10.tgz (Root Library)
- ❌ jsonwebtoken-8.5.1.tgz (Vulnerable Library)

Found in HEAD commit: aa914de618a178424105cc38c474133a60c17eeb

Found in base branch: main

Vulnerability Details

jsonwebtoken is an implementation of JSON Web Tokens. Versions <= 8.5.1 of jsonwebtoken library can be misconfigured so that passing a poorly implemented key retrieval function referring to the secretOrPublicKey argument from the readme link will result in incorrect verification of tokens. There is a possibility of using a different algorithm and key combination in verification, other than the one that was used to sign the tokens. Specifically, tokens signed with an asymmetric public key could be verified with a symmetric HS256 algorithm. This can lead to successful validation of forged tokens. If your application is supporting usage of both symmetric key and asymmetric key in jwt.verify() implementation with the same key retrieval function. This issue has been patched, please update to version 9.0.0.

Publish Date: 2022-12-22

URL: CVE-2022-23541

CVSS 3 Score Details (6.3)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-hjrf-2m68-5959

Release Date: 2022-12-22

Fix Resolution: jsonwebtoken - 9.0.0

CVE-2023-28155

Vulnerable Library - request-2.88.2.tgz

Simplified HTTP request client.

Library home page: https://registry.npmjs.org/request/-/request-2.88.2.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/request/package.json

Dependency Hierarchy:

server-sdk-2.10.10.tgz (Root Library)
- ❌ request-2.88.2.tgz (Vulnerable Library)

Found in HEAD commit: aa914de618a178424105cc38c474133a60c17eeb

Found in base branch: main

Vulnerability Details

** UNSUPPORTED WHEN ASSIGNED ** The Request package through 2.88.1 for Node.js allows a bypass of SSRF mitigations via an attacker-controller server that does a cross-protocol redirect (HTTP to HTTPS, or HTTPS to HTTP). NOTE: This vulnerability only affects products that are no longer supported by the maintainer.

Publish Date: 2023-03-16

URL: CVE-2023-28155

CVSS 3 Score Details (6.1)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Changed
Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None

For more information on CVSS3 Scores, click here.

CVE-2020-15366

Vulnerable Library - ajv-6.10.2.tgz

Another JSON Schema Validator

Library home page: https://registry.npmjs.org/ajv/-/ajv-6.10.2.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/ajv/package.json

Dependency Hierarchy:

server-sdk-2.10.10.tgz (Root Library)
- request-2.88.2.tgz
  - har-validator-5.1.3.tgz
    - ❌ ajv-6.10.2.tgz (Vulnerable Library)

Found in HEAD commit: aa914de618a178424105cc38c474133a60c17eeb

Found in base branch: main

Vulnerability Details

An issue was discovered in ajv.validate() in Ajv (aka Another JSON Schema Validator) 6.12.2. A carefully crafted JSON schema could be provided that allows execution of other code by prototype pollution. (While untrusted schemas are recommended against, the worst case of an untrusted schema should be a denial of service, not execution of code.)

Publish Date: 2020-07-15

URL: CVE-2020-15366

CVSS 3 Score Details (5.6)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2020-07-15

Fix Resolution (ajv): 6.12.3

Direct dependency fix Resolution (@vonage/server-sdk): 2.10.11

⛑️ Automatic Remediation is available for this issue

⛑️ Automatic Remediation is available for this issue.

aws-sdk-2.488.0.tgz: 2 vulnerabilities (highest severity is: 9.8)

Vulnerable Library - aws-sdk-2.488.0.tgz

AWS SDK for JavaScript

Library home page: https://registry.npmjs.org/aws-sdk/-/aws-sdk-2.488.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/aws-sdk/package.json

Found in HEAD commit: aa914de618a178424105cc38c474133a60c17eeb

Vulnerabilities

CVE	Severity	CVSS	Dependency	Type	Fixed in (aws-sdk version)	Remediation Available
CVE-2020-28472	High	9.8	aws-sdk-2.488.0.tgz	Direct	2.814.0	✅
CVE-2023-0842	Medium	5.5	xml2js-0.4.19.tgz	Transitive	N/A*	❌

Details

CVE-2020-28472

Vulnerable Library - aws-sdk-2.488.0.tgz

AWS SDK for JavaScript

Library home page: https://registry.npmjs.org/aws-sdk/-/aws-sdk-2.488.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/aws-sdk/package.json

Dependency Hierarchy:

❌ aws-sdk-2.488.0.tgz (Vulnerable Library)

Found in HEAD commit: aa914de618a178424105cc38c474133a60c17eeb

Found in base branch: main

Vulnerability Details

Publish Date: 2021-01-19

URL: CVE-2020-28472

CVSS 3 Score Details (9.8)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2020-28472

Release Date: 2021-01-19

Fix Resolution: 2.814.0

⛑️ Automatic Remediation is available for this issue

CVE-2023-0842

Vulnerable Library - xml2js-0.4.19.tgz

Simple XML to JavaScript object converter.

Library home page: https://registry.npmjs.org/xml2js/-/xml2js-0.4.19.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/xml2js/package.json

Dependency Hierarchy:

aws-sdk-2.488.0.tgz (Root Library)
- ❌ xml2js-0.4.19.tgz (Vulnerable Library)

Found in HEAD commit: aa914de618a178424105cc38c474133a60c17eeb

Found in base branch: main

Vulnerability Details

xml2js version 0.4.23 allows an external attacker to edit or add new properties to an object. This is possible because the application does not properly validate incoming JSON keys, thus allowing the proto property to be edited.

Publish Date: 2023-04-05

URL: CVE-2023-0842

CVSS 3 Score Details (5.5)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High

For more information on CVSS3 Scores, click here.

⛑️ Automatic Remediation is available for this issue.

Show output

It's a demo :) When we get that transcription back, can we please log the words it thought we said??? I realise you need to read in the JSON and whatever but I think it would be a great feature!

Recommend Projects

React

A declarative, efficient, and flexible JavaScript library for building user interfaces.
Vue.js

🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
Typescript

TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
TensorFlow

An Open Source Machine Learning Framework for Everyone
Django

The Web framework for perfectionists with deadlines.
Laravel

A PHP framework for web artisans
D3

Bring data to life with SVG, Canvas and HTML. 📊📈🎉

Recommend Topics

javascript

JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
web

Some thing interesting about web. New door for the world.
server

A server is a program made to process requests and deliver data to clients.
Machine learning

Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Visualization

Some thing interesting about visualization, use data art
Game

Some thing interesting about game, make everyone happy.

Recommend Org

Facebook

We are working to build community through open source technology. NB: members must have two-factor auth.
Microsoft

Open source projects and samples from Microsoft.
Google

Google ❤️ Open Source for everyone.
Alibaba

Alibaba Open Source for everyone
D3

Data-Driven Documents codes.
Tencent

China tencent open source team.