Vulnerable Library - serverless-1.47.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/flat/package.json
Found in HEAD commit: aa914de618a178424105cc38c474133a60c17eeb
Vulnerabilities
| CVE | Severity | CVSS | Dependency | Type | Fixed in (serverless version) | Remediation Available |
| --- | --- | --- | --- | --- | --- | --- |
| CVE-2020-12265 | High | 9.8 | detected in multiple dependencies | Transitive | 1.48.0 | ✅ |
| CVE-2020-36632 | High | 9.8 | flat-4.1.0.tgz | Transitive | 1.48.0 | ✅ |
| CVE-2020-28472 | High | 9.8 | aws-sdk-2.492.0.tgz | Transitive | 1.48.0 | ✅ |
| CVE-2021-44906 | High | 9.8 | detected in multiple dependencies | Transitive | 1.48.0 | ✅ |
| CVE-2020-7788 | High | 9.8 | ini-1.3.5.tgz | Transitive | 1.48.0 | ✅ |
| CVE-2021-42581 | High | 9.1 | ramda-0.25.0.tgz | Transitive | 3.0.0 | ✅ |
| CVE-2021-43138 | High | 7.8 | async-2.6.2.tgz | Transitive | 3.0.0 | ✅ |
| CVE-2019-20149 | High | 7.5 | kind-of-6.0.2.tgz | Transitive | 1.48.0 | ✅ |
| WS-2019-0310 | High | 7.5 | https-proxy-agent-2.2.2.tgz | Transitive | 1.48.0 | ✅ |
| CVE-2022-38900 | High | 7.5 | decode-uri-component-0.2.0.tgz | Transitive | 1.48.0 | ✅ |
| CVE-2021-43307 | High | 7.5 | semver-regex-1.0.0.tgz | Transitive | 2.1.0 | ✅ |
| CVE-2021-3807 | High | 7.5 | detected in multiple dependencies | Transitive | 3.0.0 | ✅ |
| CVE-2022-25901 | High | 7.5 | cookiejar-2.1.2.tgz | Transitive | N/A* | ❌ |
| CVE-2022-3517 | High | 7.5 | minimatch-3.0.4.tgz | Transitive | N/A* | ❌ |
| WS-2020-0044 | High | 7.5 | decompress-4.2.0.tgz | Transitive | 1.48.0 | ✅ |
| CVE-2022-31129 | High | 7.5 | moment-2.24.0.tgz | Transitive | 2.0.0 | ✅ |
| CVE-2021-3795 | High | 7.5 | semver-regex-1.0.0.tgz | Transitive | 2.1.0 | ✅ |
| CVE-2022-24785 | High | 7.5 | moment-2.24.0.tgz | Transitive | 2.0.0 | ✅ |
| CVE-2022-48285 | High | 7.3 | jszip-3.2.2.tgz | Transitive | 1.48.0 | ✅ |
| CVE-2020-8116 | High | 7.3 | dot-prop-4.2.0.tgz | Transitive | 1.48.0 | ✅ |
| CVE-2021-23337 | High | 7.2 | lodash-4.17.19.tgz | Transitive | 1.48.0 | ✅ |
| CVE-2020-8244 | Medium | 6.5 | bl-1.2.2.tgz | Transitive | 1.48.0 | ✅ |
| CVE-2022-0235 | Medium | 6.1 | detected in multiple dependencies | Transitive | 2.71.0 | ✅ |
| CVE-2020-7598 | Medium | 5.6 | detected in multiple dependencies | Transitive | 1.48.0 | ✅ |
| CVE-2020-28500 | Medium | 5.3 | lodash-4.17.19.tgz | Transitive | 1.48.0 | ✅ |
| CVE-2021-23413 | Medium | 5.3 | jszip-3.2.2.tgz | Transitive | 1.48.0 | ✅ |
| CVE-2022-33987 | Medium | 5.3 | got-6.7.1.tgz | Transitive | 3.19.0 | ✅ |
| CVE-2020-15168 | Medium | 5.3 | detected in multiple dependencies | Transitive | 1.70.0 | ✅ |
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
Details
Partial details (24 vulnerabilities) are displayed below due to a content size limitation in GitHub. To view information on the remaining vulnerabilities, navigate to the Mend Application.
CVE-2020-12265
Vulnerable Libraries - decompress-4.2.0.tgz, decompress-tar-4.1.1.tgz
decompress-4.2.0.tgz
Extracting archives made easy
Library home page: https://registry.npmjs.org/decompress/-/decompress-4.2.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/decompress/package.json
Dependency Hierarchy:
- serverless-1.47.0.tgz (Root Library)
- download-5.0.3.tgz
- ❌ decompress-4.2.0.tgz (Vulnerable Library)
decompress-tar-4.1.1.tgz
decompress tar plugin
Library home page: https://registry.npmjs.org/decompress-tar/-/decompress-tar-4.1.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/decompress-tar/package.json
Dependency Hierarchy:
- serverless-1.47.0.tgz (Root Library)
- download-5.0.3.tgz
- decompress-4.2.0.tgz
- ❌ decompress-tar-4.1.1.tgz (Vulnerable Library)
Found in HEAD commit: aa914de618a178424105cc38c474133a60c17eeb
Found in base branch: main
Vulnerability Details
The decompress package before 4.2.1 for Node.js is vulnerable to Arbitrary File Write via ../ in an archive member, when a symlink is used, because of Directory Traversal.
Publish Date: 2020-04-26
URL: CVE-2020-12265
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12265
Release Date: 2020-04-26
Fix Resolution (decompress): 4.2.1
Direct dependency fix Resolution (serverless): 1.48.0
⛑️ Automatic Remediation is available for this issue
CVE-2020-36632
Vulnerable Library - flat-4.1.0.tgz
Take a nested Javascript object and flatten it, or unflatten an object with delimited keys
Library home page: https://registry.npmjs.org/flat/-/flat-4.1.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/flat/package.json
Dependency Hierarchy:
- serverless-1.47.0.tgz (Root Library)
- enterprise-plugin-1.2.0.tgz
- ❌ flat-4.1.0.tgz (Vulnerable Library)
Found in HEAD commit: aa914de618a178424105cc38c474133a60c17eeb
Found in base branch: main
Vulnerability Details
A vulnerability, which was classified as critical, was found in hughsk flat up to 5.0.0. This affects the function unflatten of the file index.js. The manipulation leads to improperly controlled modification of object prototype attributes ('prototype pollution'). It is possible to initiate the attack remotely. Upgrading to version 5.0.1 is able to address this issue. The name of the patch is 20ef0ef55dfa028caddaedbcb33efbdb04d18e13. It is recommended to upgrade the affected component. The identifier VDB-216777 was assigned to this vulnerability.
Publish Date: 2022-12-25
URL: CVE-2020-36632
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-2j2x-2gpw-g8fm
Release Date: 2022-12-25
Fix Resolution (flat): 4.1.1
Direct dependency fix Resolution (serverless): 1.48.0
⛑️ Automatic Remediation is available for this issue
CVE-2020-28472
Vulnerable Library - aws-sdk-2.492.0.tgz
AWS SDK for JavaScript
Library home page: https://registry.npmjs.org/aws-sdk/-/aws-sdk-2.492.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/serverless/node_modules/aws-sdk/package.json
Dependency Hierarchy:
- serverless-1.47.0.tgz (Root Library)
- ❌ aws-sdk-2.492.0.tgz (Vulnerable Library)
Found in HEAD commit: aa914de618a178424105cc38c474133a60c17eeb
Found in base branch: main
Vulnerability Details
This affects the package @aws-sdk/shared-ini-file-loader before 1.0.0-rc.9; the package aws-sdk before 2.814.0. If an attacker submits a malicious INI file to an application that parses it with loadSharedConfigFiles , they will pollute the prototype on the application. This can be exploited further depending on the context.
Publish Date: 2021-01-19
URL: CVE-2020-28472
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28472
Release Date: 2021-01-19
Fix Resolution (aws-sdk): 2.814.0
Direct dependency fix Resolution (serverless): 1.48.0
⛑️ Automatic Remediation is available for this issue
CVE-2021-44906
Vulnerable Libraries - minimist-1.2.0.tgz, minimist-0.0.8.tgz
minimist-1.2.0.tgz
parse argument options
Library home page: https://registry.npmjs.org/minimist/-/minimist-1.2.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/minimist/package.json
Dependency Hierarchy:
- serverless-1.47.0.tgz (Root Library)
- ❌ minimist-1.2.0.tgz (Vulnerable Library)
minimist-0.0.8.tgz
parse argument options
Library home page: https://registry.npmjs.org/minimist/-/minimist-0.0.8.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/mkdirp/node_modules/minimist/package.json
Dependency Hierarchy:
- serverless-1.47.0.tgz (Root Library)
- mkdirp-0.5.1.tgz
- ❌ minimist-0.0.8.tgz (Vulnerable Library)
Found in HEAD commit: aa914de618a178424105cc38c474133a60c17eeb
Found in base branch: main
Vulnerability Details
Minimist <=1.2.5 is vulnerable to Prototype Pollution via file index.js, function setKey() (lines 69-95).
Publish Date: 2022-03-17
URL: CVE-2021-44906
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Release Date: 2022-03-17
Fix Resolution (minimist): 1.2.6
Direct dependency fix Resolution (serverless): 1.48.0
Fix Resolution (minimist): 0.2.2
Direct dependency fix Resolution (serverless): 1.48.0
⛑️ Automatic Remediation is available for this issue
CVE-2020-7788
Vulnerable Library - ini-1.3.5.tgz
An ini encoder/decoder for node
Library home page: https://registry.npmjs.org/ini/-/ini-1.3.5.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/ini/package.json
Dependency Hierarchy:
- serverless-1.47.0.tgz (Root Library)
- rc-1.2.8.tgz
- ❌ ini-1.3.5.tgz (Vulnerable Library)
Found in HEAD commit: aa914de618a178424105cc38c474133a60c17eeb
Found in base branch: main
Vulnerability Details
This affects the package ini before 1.3.6. If an attacker submits a malicious INI file to an application that parses it with ini.parse, they will pollute the prototype on the application. This can be exploited further depending on the context.
Publish Date: 2020-12-11
URL: CVE-2020-7788
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7788
Release Date: 2020-12-11
Fix Resolution (ini): 1.3.6
Direct dependency fix Resolution (serverless): 1.48.0
⛑️ Automatic Remediation is available for this issue
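The two INI findings above, CVE-2020-28472 in aws-sdk's shared-ini-file-loader and CVE-2020-7788 in ini, share one root cause: a section header or key name taken from the file is used directly as a property name, so a `[__proto__]` section lands on `Object.prototype` and every object in the process inherits whatever follows. The block below is an added example written for this report, not code from either package: a minimal INI parser in that style, once with the defect and once hardened, run against a constructed config file that triggers it. The function names and the sample file are the example's own.

```javascript
// Added example, not code from the ini or aws-sdk packages.
// Constructed sample input: an AWS-style shared config with a hostile section.
const HOSTILE_INI = [
  '[default]',
  'region = us-east-1',
  '; the section below is attacker-controlled',
  '[__proto__]',
  'polluted = yes',
].join('\n');

const RESERVED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Shared tokenizer: returns {section, key, value} records; comments and
// blank lines are skipped, and keys outside any section carry section null.
function tokenizeIni(text) {
  const records = [];
  let section = null;
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (line === '' || line.startsWith(';') || line.startsWith('#')) continue;
    const header = line.match(/^\[(.+)\]$/);
    if (header) { section = header[1].trim(); continue; }
    const eq = line.indexOf('=');
    if (eq < 0) continue;
    records.push({ section, key: line.slice(0, eq).trim(), value: line.slice(eq + 1).trim() });
  }
  return records;
}

// The bug class: section and key names go straight into bracket assignment.
// out['__proto__'] evaluates to Object.prototype, so every write under that
// section pollutes it.
function parseIniUnsafe(text) {
  const out = {};
  for (const { section, key, value } of tokenizeIni(text)) {
    const target = section === null ? out : (out[section] = out[section] || {});
    target[key] = value;
  }
  return out;
}

// Hardened: reserved names are refused outright, and the result is built
// from null-prototype objects so there is no prototype chain to reach.
function parseIniSafe(text) {
  const out = Object.create(null);
  for (const { section, key, value } of tokenizeIni(text)) {
    if (RESERVED_KEYS.has(key) || (section !== null && RESERVED_KEYS.has(section))) {
      throw new Error(`refusing reserved key in INI input: [${section ?? ''}] ${key}`);
    }
    let target = out;
    if (section !== null) {
      if (!Object.prototype.hasOwnProperty.call(out, section)) out[section] = Object.create(null);
      target = out[section];
    }
    target[key] = value;
  }
  return out;
}

// Runs both parsers on the hostile file and reports what a fresh object
// inherits at each stage. Object.prototype is restored before returning.
function demonstrate() {
  const before = ({}).polluted;           // undefined on a clean runtime
  parseIniUnsafe(HOSTILE_INI);
  const during = ({}).polluted;           // 'yes': now inherited by every object
  delete Object.prototype.polluted;
  let safeError = null;
  try { parseIniSafe(HOSTILE_INI); } catch (e) { safeError = e.message; }
  return { before, during, after: ({}).polluted, safeError };
}
```

The null-prototype result is the part that matters beyond the name check: even if a reserved name slipped through, there is no `Object.prototype` behind `out` to write into. Code that consumes the parsed config must then tolerate objects without `hasOwnProperty` or `toString`, which is why the hardened parser uses `Object.prototype.hasOwnProperty.call` rather than a method call on the result.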
CVE-2021-42581
Vulnerable Library - ramda-0.25.0.tgz
A practical functional library for JavaScript programmers.
Library home page: https://registry.npmjs.org/ramda/-/ramda-0.25.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/ramda/package.json
Dependency Hierarchy:
- serverless-1.47.0.tgz (Root Library)
- enterprise-plugin-1.2.0.tgz
- platform-sdk-1.0.2.tgz
- ❌ ramda-0.25.0.tgz (Vulnerable Library)
Found in HEAD commit: aa914de618a178424105cc38c474133a60c17eeb
Found in base branch: main
Vulnerability Details
** DISPUTED ** Prototype poisoning in function mapObjIndexed in Ramda 0.27.0 and earlier allows attackers to compromise integrity or availability of application via supplying a crafted object (that contains an own property `"__proto__"`) as an argument to the function. NOTE: the vendor disputes this because the observed behavior only means that a user can create objects that the user didn't know would contain custom prototypes.
Publish Date: 2022-05-10
URL: CVE-2021-42581
CVSS 3 Score Details (9.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-42581
Release Date: 2022-05-10
Fix Resolution (ramda): 0.27.1
Direct dependency fix Resolution (serverless): 3.0.0
⛑️ Automatic Remediation is available for this issue
CVE-2021-43138
Vulnerable Library - async-2.6.2.tgz
Higher-order functions and common patterns for asynchronous code
Library home page: https://registry.npmjs.org/async/-/async-2.6.2.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/archiver/node_modules/async/package.json
Dependency Hierarchy:
- serverless-1.47.0.tgz (Root Library)
- archiver-1.3.0.tgz
- ❌ async-2.6.2.tgz (Vulnerable Library)
Found in HEAD commit: aa914de618a178424105cc38c474133a60c17eeb
Found in base branch: main
Vulnerability Details
In Async before 2.6.4 and 3.x before 3.2.2, a malicious user can obtain privileges via the mapValues() method, aka lib/internal/iterator.js createObjectIterator prototype pollution.
Publish Date: 2022-04-06
URL: CVE-2021-43138
CVSS 3 Score Details (7.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2021-43138
Release Date: 2022-04-06
Fix Resolution (async): 2.6.4
Direct dependency fix Resolution (serverless): 3.0.0
⛑️ Automatic Remediation is available for this issue
CVE-2019-20149
Vulnerable Library - kind-of-6.0.2.tgz
Get the native type of a value.
Library home page: https://registry.npmjs.org/kind-of/-/kind-of-6.0.2.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/kind-of/package.json
Dependency Hierarchy:
- serverless-1.47.0.tgz (Root Library)
- nanomatch-1.2.13.tgz
- ❌ kind-of-6.0.2.tgz (Vulnerable Library)
Found in HEAD commit: aa914de618a178424105cc38c474133a60c17eeb
Found in base branch: main
Vulnerability Details
ctorName in index.js in kind-of v6.0.2 allows external user input to overwrite certain internal attributes via a conflicting name, as demonstrated by 'constructor': {'name':'Symbol'}. Hence, a crafted payload can overwrite this builtin attribute to manipulate the type detection result.
Publish Date: 2019-12-30
URL: CVE-2019-20149
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: High
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-20149
Release Date: 2019-12-30
Fix Resolution (kind-of): 6.0.3
Direct dependency fix Resolution (serverless): 1.48.0
⛑️ Automatic Remediation is available for this issue
WS-2019-0310
Vulnerable Library - https-proxy-agent-2.2.2.tgz
An HTTP(s) proxy `http.Agent` implementation for HTTPS
Library home page: https://registry.npmjs.org/https-proxy-agent/-/https-proxy-agent-2.2.2.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/https-proxy-agent/package.json
Dependency Hierarchy:
- serverless-1.47.0.tgz (Root Library)
- ❌ https-proxy-agent-2.2.2.tgz (Vulnerable Library)
Found in HEAD commit: aa914de618a178424105cc38c474133a60c17eeb
Found in base branch: main
Vulnerability Details
In 'https-proxy-agent', before v2.2.3, there is a failure of TLS enforcement on the socket. An attacker may intercept unencrypted communications.
Publish Date: 2019-10-07
URL: WS-2019-0310
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://www.npmjs.com/advisories/1184
Release Date: 2019-10-07
Fix Resolution (https-proxy-agent): 2.2.3
Direct dependency fix Resolution (serverless): 1.48.0
⛑️ Automatic Remediation is available for this issue
CVE-2022-38900
Vulnerable Library - decode-uri-component-0.2.0.tgz
A better decodeURIComponent
Library home page: https://registry.npmjs.org/decode-uri-component/-/decode-uri-component-0.2.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/decode-uri-component/package.json
Dependency Hierarchy:
- serverless-1.47.0.tgz (Root Library)
- nanomatch-1.2.13.tgz
- snapdragon-0.8.2.tgz
- source-map-resolve-0.5.2.tgz
- ❌ decode-uri-component-0.2.0.tgz (Vulnerable Library)
Found in HEAD commit: aa914de618a178424105cc38c474133a60c17eeb
Found in base branch: main
Vulnerability Details
decode-uri-component 0.2.0 is vulnerable to Improper Input Validation resulting in DoS.
Publish Date: 2022-11-28
URL: CVE-2022-38900
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-w573-4hg7-7wgq
Release Date: 2022-11-28
Fix Resolution (decode-uri-component): 0.2.1
Direct dependency fix Resolution (serverless): 1.48.0
⛑️ Automatic Remediation is available for this issue
CVE-2021-43307
Vulnerable Library - semver-regex-1.0.0.tgz
Regular expression for matching semver versions
Library home page: https://registry.npmjs.org/semver-regex/-/semver-regex-1.0.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/semver-regex/package.json
Dependency Hierarchy:
- serverless-1.47.0.tgz (Root Library)
- ❌ semver-regex-1.0.0.tgz (Vulnerable Library)
Found in HEAD commit: aa914de618a178424105cc38c474133a60c17eeb
Found in base branch: main
Vulnerability Details
An exponential ReDoS (Regular Expression Denial of Service) can be triggered in the semver-regex npm package, when an attacker is able to supply arbitrary input to the test() method
Publish Date: 2022-06-02
URL: CVE-2021-43307
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://research.jfrog.com/vulnerabilities/semver-regex-redos-xray-211349/
Release Date: 2022-06-02
Fix Resolution (semver-regex): 3.1.4
Direct dependency fix Resolution (serverless): 2.1.0
⛑️ Automatic Remediation is available for this issue
CVE-2021-3807
Vulnerable Libraries - ansi-regex-4.1.0.tgz, ansi-regex-3.0.0.tgz
ansi-regex-4.1.0.tgz
Regular expression for matching ANSI escape codes
Library home page: https://registry.npmjs.org/ansi-regex/-/ansi-regex-4.1.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/strip-ansi/node_modules/ansi-regex/package.json
Dependency Hierarchy:
- serverless-1.47.0.tgz (Root Library)
- inquirer-6.5.0.tgz
- strip-ansi-5.2.0.tgz
- ❌ ansi-regex-4.1.0.tgz (Vulnerable Library)
ansi-regex-3.0.0.tgz
Regular expression for matching ANSI escape codes
Library home page: https://registry.npmjs.org/ansi-regex/-/ansi-regex-3.0.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/ansi-regex/package.json
Dependency Hierarchy:
- serverless-1.47.0.tgz (Root Library)
- inquirer-6.5.0.tgz
- string-width-2.1.1.tgz
- strip-ansi-4.0.0.tgz
- ❌ ansi-regex-3.0.0.tgz (Vulnerable Library)
Found in HEAD commit: aa914de618a178424105cc38c474133a60c17eeb
Found in base branch: main
Vulnerability Details
ansi-regex is vulnerable to Inefficient Regular Expression Complexity
Publish Date: 2021-09-17
URL: CVE-2021-3807
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://huntr.dev/bounties/5b3cf33b-ede0-4398-9974-800876dfd994/
Release Date: 2021-09-17
Fix Resolution (ansi-regex): 4.1.1
Direct dependency fix Resolution (serverless): 3.0.0
Fix Resolution (ansi-regex): 3.0.1
Direct dependency fix Resolution (serverless): 1.48.0
⛑️ Automatic Remediation is available for this issue
CVE-2022-25901
Vulnerable Library - cookiejar-2.1.2.tgz
simple persistent cookiejar system
Library home page: https://registry.npmjs.org/cookiejar/-/cookiejar-2.1.2.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/cookiejar/package.json
Dependency Hierarchy:
- serverless-1.47.0.tgz (Root Library)
- json-refs-2.1.7.tgz
- path-loader-1.0.10.tgz
- superagent-3.8.3.tgz
- ❌ cookiejar-2.1.2.tgz (Vulnerable Library)
Found in HEAD commit: aa914de618a178424105cc38c474133a60c17eeb
Found in base branch: main
Vulnerability Details
Versions of the package cookiejar before 2.1.4 are vulnerable to Regular Expression Denial of Service (ReDoS) via the Cookie.parse function, which uses an insecure regular expression.
Publish Date: 2023-01-18
URL: CVE-2022-25901
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Release Date: 2023-01-18
Fix Resolution (cookiejar): 2.1.4
CVE-2022-3517
Vulnerable Library - minimatch-3.0.4.tgz
a glob matcher in javascript
Library home page: https://registry.npmjs.org/minimatch/-/minimatch-3.0.4.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/minimatch/package.json
Dependency Hierarchy:
- serverless-1.47.0.tgz (Root Library)
- enterprise-plugin-1.2.0.tgz
- node-dir-0.1.17.tgz
- ❌ minimatch-3.0.4.tgz (Vulnerable Library)
Found in HEAD commit: aa914de618a178424105cc38c474133a60c17eeb
Found in base branch: main
Vulnerability Details
A vulnerability was found in the minimatch package. This flaw allows a Regular Expression Denial of Service (ReDoS) when calling the braceExpand function with specific arguments, resulting in a Denial of Service.
Publish Date: 2022-10-17
URL: CVE-2022-3517
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Release Date: 2022-10-17
Fix Resolution (minimatch): 3.0.5
WS-2020-0044
Vulnerable Library - decompress-4.2.0.tgz
Extracting archives made easy
Library home page: https://registry.npmjs.org/decompress/-/decompress-4.2.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/decompress/package.json
Dependency Hierarchy:
- serverless-1.47.0.tgz (Root Library)
- download-5.0.3.tgz
- ❌ decompress-4.2.0.tgz (Vulnerable Library)
Found in HEAD commit: aa914de618a178424105cc38c474133a60c17eeb
Found in base branch: main
Vulnerability Details
decompress in all its versions is vulnerable to arbitrary file write. The package fails to prevent extraction of files with relative paths, which allows attackers to write to any folder on the system.
Publish Date: 2020-03-08
URL: WS-2020-0044
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: High
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Release Date: 2020-03-08
Fix Resolution (decompress): 4.2.1
Direct dependency fix Resolution (serverless): 1.48.0
⛑️ Automatic Remediation is available for this issue
CVE-2022-31129
Vulnerable Library - moment-2.24.0.tgz
Parse, validate, manipulate, and display dates
Library home page: https://registry.npmjs.org/moment/-/moment-2.24.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/moment/package.json
Dependency Hierarchy:
- serverless-1.47.0.tgz (Root Library)
- ❌ moment-2.24.0.tgz (Vulnerable Library)
Found in HEAD commit: aa914de618a178424105cc38c474133a60c17eeb
Found in base branch: main
Vulnerability Details
moment is a JavaScript date library for parsing, validating, manipulating, and formatting dates. Affected versions of moment were found to use an inefficient parsing algorithm. Specifically, string-to-date parsing in moment (more specifically rfc2822 parsing, which is tried by default) has quadratic (N^2) complexity on specific inputs. Users may notice a slowdown with inputs above 10k characters. Users who pass user-provided strings without sanity length checks to the moment constructor are vulnerable to (Re)DoS attacks. The problem is patched in 2.29.4, and the patch can be applied to all affected versions with minimal tweaking. Users are advised to upgrade. Users unable to upgrade should consider limiting date lengths accepted from user input.
Publish Date: 2022-07-06
URL: CVE-2022-31129
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-wc69-rhjr-hc9g
Release Date: 2022-07-06
Fix Resolution (moment): 2.29.4
Direct dependency fix Resolution (serverless): 2.0.0
⛑️ Automatic Remediation is available for this issue
CVE-2021-3795
Vulnerable Library - semver-regex-1.0.0.tgz
Regular expression for matching semver versions
Library home page: https://registry.npmjs.org/semver-regex/-/semver-regex-1.0.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/semver-regex/package.json
Dependency Hierarchy:
- serverless-1.47.0.tgz (Root Library)
- ❌ semver-regex-1.0.0.tgz (Vulnerable Library)
Found in HEAD commit: aa914de618a178424105cc38c474133a60c17eeb
Found in base branch: main
Vulnerability Details
semver-regex is vulnerable to Inefficient Regular Expression Complexity
Publish Date: 2021-09-15
URL: CVE-2021-3795
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Release Date: 2021-09-15
Fix Resolution (semver-regex): 3.1.3
Direct dependency fix Resolution (serverless): 2.1.0
⛑️ Automatic Remediation is available for this issue
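Both semver-regex findings (CVE-2021-43307 and CVE-2021-3795), together with the ansi-regex, cookiejar, minimatch and moment CVE-2022-31129 entries above, are one failure mode: a backtracking regular expression applied to attacker-sized input. Two mitigations a practitioner reaches for are to bound input length before any regex runs (the workaround the moment advisory itself suggests) and, where the format is simple, to replace the regex with a hand-written scanner that examines each character once. The block below is an added example, not code from semver-regex or any package in this report: a length-bounded `test()` wrapper and a single-pass semver validator. `MAX_VERSION_LENGTH` and the tolerated leading `v` are this example's choices, not something the advisories specify.

```javascript
// Added example, not code from semver-regex or any other package listed here.

// Mitigation 1: never hand unbounded input to a regex. Callers should map
// the RangeError to a 4xx response rather than let the request through.
function boundedTest(re, input, maxLength) {
  if (typeof input !== 'string') return false;
  if (input.length > maxLength) {
    throw new RangeError(`input of ${input.length} chars exceeds limit of ${maxLength}`);
  }
  if (re.global || re.sticky) re.lastIndex = 0;   // stateful flags would otherwise skew results
  return re.test(input);
}

// Mitigation 2: a single-pass semver parser. Every character is examined
// once, so cost is linear in the input no matter how it is shaped.
const MAX_VERSION_LENGTH = 256;   // example's choice; real versions are far shorter

function isDigits(s) {
  if (s.length === 0) return false;
  for (const c of s) if (c < '0' || c > '9') return false;
  return true;
}

function isNumericIdentifier(s) {          // digits only, no leading zeros (semver spec)
  return isDigits(s) && (s === '0' || s[0] !== '0');
}

function isIdentifier(s) {                 // [0-9A-Za-z-]+
  if (s.length === 0) return false;
  for (const c of s) {
    const ok = (c >= '0' && c <= '9') || (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') || c === '-';
    if (!ok) return false;
  }
  return true;
}

// Returns {major, minor, patch, prerelease, build} or null. A leading "v"
// is tolerated (example's choice); anything else off-spec is rejected.
function parseSemver(input) {
  if (typeof input !== 'string' || input.length === 0 || input.length > MAX_VERSION_LENGTH) return null;
  let s = input[0] === 'v' ? input.slice(1) : input;
  // Build metadata is split off first because it may itself contain "-".
  let build = [];
  const plus = s.indexOf('+');
  if (plus >= 0) { build = s.slice(plus + 1).split('.'); s = s.slice(0, plus); }
  let prerelease = [];
  const dash = s.indexOf('-');
  if (dash >= 0) { prerelease = s.slice(dash + 1).split('.'); s = s.slice(0, dash); }
  const core = s.split('.');
  if (core.length !== 3 || !core.every(isNumericIdentifier)) return null;
  for (const id of prerelease) {
    if (!isIdentifier(id)) return null;
    if (isDigits(id) && !isNumericIdentifier(id)) return null;   // "01" is not a valid prerelease number
  }
  if (!build.every(isIdentifier)) return null;
  return { major: Number(core[0]), minor: Number(core[1]), patch: Number(core[2]), prerelease, build };
}
```

The length cap is the cheaper change and is worth applying at the boundary even after upgrading, since it protects whatever regex the next version of a dependency introduces; the hand-written parser is the stronger fix where the grammar is small enough to write out, as it is for version strings.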
CVE-2022-24785
Vulnerable Library - moment-2.24.0.tgz
Parse, validate, manipulate, and display dates
Library home page: https://registry.npmjs.org/moment/-/moment-2.24.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/moment/package.json
Dependency Hierarchy:
- serverless-1.47.0.tgz (Root Library)
- ❌ moment-2.24.0.tgz (Vulnerable Library)
Found in HEAD commit: aa914de618a178424105cc38c474133a60c17eeb
Found in base branch: main
Vulnerability Details
Moment.js is a JavaScript date library for parsing, validating, manipulating, and formatting dates. A path traversal vulnerability impacts npm (server) users of Moment.js between versions 1.0.1 and 2.29.1, especially if a user-provided locale string is directly used to switch moment locale. This problem is patched in 2.29.2, and the patch can be applied to all affected versions. As a workaround, sanitize the user-provided locale name before passing it to Moment.js.
Publish Date: 2022-04-04
URL: CVE-2022-24785
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: High
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: GHSA-8hfj-j24r-96c4
Release Date: 2022-04-04
Fix Resolution (moment): 2.29.2
Direct dependency fix Resolution (serverless): 2.0.0
⛑️ Automatic Remediation is available for this issue
CVE-2022-48285
Vulnerable Library - jszip-3.2.2.tgz
Create, read and edit .zip files with JavaScript http://stuartk.com/jszip
Library home page: https://registry.npmjs.org/jszip/-/jszip-3.2.2.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/jszip/package.json
Dependency Hierarchy:
- serverless-1.47.0.tgz (Root Library)
- ❌ jszip-3.2.2.tgz (Vulnerable Library)
Found in HEAD commit: aa914de618a178424105cc38c474133a60c17eeb
Found in base branch: main
Vulnerability Details
loadAsync in JSZip before 3.8.0 allows Directory Traversal via a crafted ZIP archive.
Publish Date: 2023-01-29
URL: CVE-2022-48285
CVSS 3 Score Details (7.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: Low
Suggested Fix
Type: Upgrade version
Release Date: 2023-01-29
Fix Resolution (jszip): 3.8.0
Direct dependency fix Resolution (serverless): 1.48.0
⛑️ Automatic Remediation is available for this issue
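CVE-2020-12265 and WS-2020-0044 (decompress, decompress-tar) and CVE-2022-48285 (JSZip's loadAsync) above are all archive-extraction path traversal, and CVE-2020-12265 specifically notes the symlink variant: an earlier entry creates a link pointing outside the destination, and a later entry writes through it. The block below is an added example, not code from decompress, decompress-tar or JSZip: a pre-extraction check over a list of entries that resolves each name through the symlinks already accepted, segment by segment, so that `..` after a link is applied where the filesystem would apply it. The `ExtractionPlan` class and the sample listing are constructed for the example.

```javascript
// Added example, not code from decompress, decompress-tar or JSZip.
// Archive entry names are POSIX-style strings; this check never touches the
// filesystem, so it can run before anything is written.

const MAX_SYMLINK_HOPS = 32;
const ABSOLUTE_NAME = /^([\\/]|[A-Za-z]:)/;   // "/etc/x", "\x", "C:\x"

function splitSegments(name) {
  return name.split(/[\\/]/);                  // treat backslash as a separator too (conservative)
}

// Tracks entries already accepted for one extraction so that a later entry
// can be resolved through symlinks created by earlier ones.
class ExtractionPlan {
  constructor() {
    this.symlinks = new Map();   // resolved link path -> raw target (relative to the link's directory)
    this.accepted = [];
  }

  // Resolves a name to a root-relative path, following accepted symlinks
  // segment by segment so that ".." after a link applies to the link's
  // target, as the filesystem would do, not to the link's own position.
  // Returns null when the path escapes the extraction root or loops.
  resolve(name) {
    const queue = splitSegments(name);
    const stack = [];
    let hops = 0;
    while (queue.length > 0) {
      const seg = queue.shift();
      if (seg === '' || seg === '.') continue;
      if (seg === '..') {
        if (stack.length === 0) return null;    // climbs above the root
        stack.pop();
        continue;
      }
      stack.push(seg);
      const here = stack.join('/');
      if (this.symlinks.has(here)) {
        if (++hops > MAX_SYMLINK_HOPS) return null;               // cycle
        stack.pop();                                               // back to the link's directory,
        queue.unshift(...splitSegments(this.symlinks.get(here)));  // then walk the target from there
      }
    }
    return stack.join('/');
  }

  // A regular file or directory entry. Returns true if it may be written.
  addFile(name) {
    if (ABSOLUTE_NAME.test(name)) return false;
    const resolved = this.resolve(name);
    if (resolved === null || resolved === '') return false;
    this.accepted.push(resolved);
    return true;
  }

  // A symlink entry. Both the link's own location and where it points must
  // stay inside the root; otherwise a later entry could be written through it.
  addSymlink(name, target) {
    if (ABSOLUTE_NAME.test(name) || ABSOLUTE_NAME.test(target)) return false;
    const linkPath = this.resolve(name);
    if (linkPath === null || linkPath === '') return false;
    const dir = linkPath.includes('/') ? linkPath.slice(0, linkPath.lastIndexOf('/')) : '';
    if (this.resolve(dir === '' ? target : `${dir}/${target}`) === null) return false;
    this.symlinks.set(linkPath, target);
    this.accepted.push(linkPath);
    return true;
  }
}

// Constructed sample listing, not taken from any real archive. Each line
// states the expected verdict.
const SAMPLE_ENTRIES = [
  { type: 'file',    name: 'pkg/index.js' },                  // ok
  { type: 'file',    name: '../../../tmp/owned' },            // rejected: plain traversal
  { type: 'file',    name: '/etc/cron.d/job' },               // rejected: absolute name
  { type: 'symlink', name: 'pkg/out', target: '../../..' },   // rejected: link target escapes
  { type: 'symlink', name: 'pkg/up', target: '..' },          // ok: points at the root itself
  { type: 'file',    name: 'pkg/up/../evil' },                // rejected: ".." applied to the link target escapes
  { type: 'file',    name: 'pkg/up/readme.txt' },             // ok: resolves to readme.txt inside the root
  { type: 'symlink', name: 'pkg/loop', target: 'loop' },      // ok to create, but nothing may be written through it
  { type: 'file',    name: 'pkg/loop/x' },                    // rejected: symlink cycle
];

function checkEntries(entries) {
  const plan = new ExtractionPlan();
  return entries.map((e) => ({
    name: e.name,
    ok: e.type === 'symlink' ? plan.addSymlink(e.name, e.target) : plan.addFile(e.name),
  }));
}
```

The sixth entry is the case a purely lexical check misses: `pkg/up/../evil` normalizes to `pkg/evil` on paper, but with `pkg/up` pointing at the root the filesystem resolves it to the root's parent. Resolving through the recorded links before collapsing `..` is what catches it, and the hop limit turns a self-referential link into a rejection rather than an infinite loop.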
CVE-2020-8116
Vulnerable Library - dot-prop-4.2.0.tgz
Get, set, or delete a property from a nested object using a dot path
Library home page: https://registry.npmjs.org/dot-prop/-/dot-prop-4.2.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/dot-prop/package.json
Dependency Hierarchy:
- serverless-1.47.0.tgz (Root Library)
- update-notifier-2.5.0.tgz
- configstore-3.1.2.tgz
- ❌ dot-prop-4.2.0.tgz (Vulnerable Library)
Found in HEAD commit: aa914de618a178424105cc38c474133a60c17eeb
Found in base branch: main
Vulnerability Details
Prototype pollution vulnerability in dot-prop npm package versions before 4.2.1 and versions 5.x before 5.1.1 allows an attacker to add arbitrary properties to JavaScript language constructs such as objects.
Publish Date: 2020-02-04
URL: CVE-2020-8116
CVSS 3 Score Details (7.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: Low
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8116
Release Date: 2020-02-04
Fix Resolution (dot-prop): 4.2.1
Direct dependency fix Resolution (serverless): 1.48.0
⛑️ Automatic Remediation is available for this issue
CVE-2021-23337
Vulnerable Library - lodash-4.17.19.tgz
Lodash modular utilities.
Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.19.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/lodash/package.json
Dependency Hierarchy:
- serverless-1.47.0.tgz (Root Library)
- ❌ lodash-4.17.19.tgz (Vulnerable Library)
Found in HEAD commit: aa914de618a178424105cc38c474133a60c17eeb
Found in base branch: main
Vulnerability Details
Lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function.
Publish Date: 2021-02-15
URL: CVE-2021-23337
CVSS 3 Score Details (7.2)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: High
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-35jh-r3h4-6jhm
Release Date: 2021-02-15
Fix Resolution (lodash): 4.17.21
Direct dependency fix Resolution (serverless): 1.48.0
⛑️ Automatic Remediation is available for this issue
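The Privileges Required: High rating above reflects that the attacker must control the options passed to the template function, not merely the data being rendered. The added example below (not lodash's implementation) is a miniature of the compiler's approach: the `variable` option is spliced, unquoted, into JavaScript source that is handed to the `Function` constructor, so a value that is not a plain identifier becomes code that runs when the compiled template is called. The hardened variant refuses such values, in the spirit of the check added in 4.17.21. `buildSource`, `compileTemplateVulnerable`, `compileTemplateHardened`, `runWith` and the `PAYLOAD` string are constructed for this illustration.

```javascript
// Added example: a miniature template compiler that splices an attacker-
// influenced `variable` option into JavaScript source. Illustrates the bug
// class behind CVE-2021-23337; this is not lodash's code.

// Turn 'Hello <%= data.name %>!' into the source of a function whose single
// parameter is named `variable`. Interpolations are evaluated as code by
// design; the flaw is that the parameter name is spliced in as code too.
function buildSource(text, variable) {
  const interp = /<%=([\s\S]+?)%>/g;
  let src = "var __p = '';\n";
  let last = 0;
  let m;
  while ((m = interp.exec(text)) !== null) {
    src += '__p += ' + JSON.stringify(text.slice(last, m.index)) + ';\n';
    src += '__p += (' + m[1] + ');\n';
    last = m.index + m[0].length;
  }
  src += '__p += ' + JSON.stringify(text.slice(last)) + ';\n';
  // `variable` lands unquoted inside the parameter list of the generated function.
  return 'return function(' + variable + ') {\n' + src + 'return __p;\n}';
}

// Vulnerable: trusts options.variable verbatim.
function compileTemplateVulnerable(text, options = {}) {
  return Function(buildSource(text, options.variable || 'data'))();
}

// Hardened: only a plain identifier may name the data parameter.
const IDENTIFIER = /^[A-Za-z_$][\w$]*$/;
function compileTemplateHardened(text, options = {}) {
  const variable = options.variable || 'data';
  if (!IDENTIFIER.test(variable)) {
    throw new Error('Invalid `variable` option: ' + JSON.stringify(variable));
  }
  return Function(buildSource(text, variable))();
}

// A `variable` value that closes the parameter list, supplies its own function
// body, and reopens a declaration so the rest of the generated source parses.
const PAYLOAD = "){ globalThis.pwnedByTemplate = 'code ran' }; function ignored(data";

// Compile an empty template with the payload and call it. Returns what the
// injected code left behind, or 'blocked' if the compiler refused the option.
function runWith(compile) {
  delete globalThis.pwnedByTemplate;
  try {
    const render = compile('', { variable: PAYLOAD });
    render({});
    return globalThis.pwnedByTemplate || 'no effect';
  } catch (e) {
    return 'blocked';
  } finally {
    delete globalThis.pwnedByTemplate;
  }
}

console.log('vulnerable:', runWith(compileTemplateVulnerable));
console.log('hardened:', runWith(compileTemplateHardened));
```

Note that validating `variable` does not make templates safe to compile from untrusted template text: the `<%= %>` bodies are still evaluated, which is the documented behaviour of the function, so the text itself must come from a trusted source.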
CVE-2020-8244
Vulnerable Library - bl-1.2.2.tgz
Buffer List: collect buffers and access with a standard readable Buffer interface, streamable too!
Library home page: https://registry.npmjs.org/bl/-/bl-1.2.2.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/bl/package.json
Dependency Hierarchy:
- serverless-1.47.0.tgz (Root Library)
- archiver-1.3.0.tgz
- tar-stream-1.6.2.tgz
- ❌ bl-1.2.2.tgz (Vulnerable Library)
Found in HEAD commit: aa914de618a178424105cc38c474133a60c17eeb
Found in base branch: main
Vulnerability Details
A buffer over-read vulnerability exists in bl <4.0.3, <3.0.1, <2.2.1, and <1.2.3. If attacker-controlled input (even when typed) reaches the argument of consume() and can become negative, the BufferList state is corrupted, tricking it into exposing uninitialized memory via ordinary .slice() calls.
Publish Date: 2020-08-30
URL: CVE-2020-8244
CVSS 3 Score Details (6.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: None
- Availability Impact: Low
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-pp7h-53gx-mx7r
Release Date: 2020-08-30
Fix Resolution (bl): 1.2.3
Direct dependency fix Resolution (serverless): 1.48.0
⛑️ Automatic Remediation is available for this issue
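To see why a negative consume() argument matters, the added example below (not bl's code) models a minimal buffer list: consume() trims from the front by slicing the first chunk and adjusting a cached length, and slice() allocates a result from that cached length. With a negative argument Buffer#slice keeps the tail of the chunk while the cached length grows, so the next slice() allocates more bytes than it copies and the remainder is whatever allocUnsafe handed out. The hardened consume() mirrors the check in the fixed releases: non-numeric or non-positive arguments are ignored. `MiniBufferList`, `observe` and the chunk contents are constructed for the illustration.

```javascript
// Added example: a minimal buffer list modelling the state corruption behind
// CVE-2020-8244. Not bl's implementation; chunk contents are constructed.

class MiniBufferList {
  constructor(chunks) {
    this._bufs = chunks.map((c) => Buffer.from(c));
    this.length = this._bufs.reduce((n, b) => n + b.length, 0); // cached total
  }

  // Vulnerable: trusts `bytes`. A negative value never satisfies
  // `bytes >= chunk.length`, so it reaches the slice branch, where
  // Buffer#slice(-n) keeps the last n bytes and `length -= -n` grows the total.
  consumeUnchecked(bytes) {
    while (this._bufs.length) {
      if (bytes >= this._bufs[0].length) {
        bytes -= this._bufs[0].length;
        this.length -= this._bufs[0].length;
        this._bufs.shift();
      } else {
        this._bufs[0] = this._bufs[0].slice(bytes);
        this.length -= bytes;
        break;
      }
    }
    return this;
  }

  // Hardened: normalise the argument the way Buffer does, and ignore NaN or
  // non-positive requests so the cached length can never be pushed out of step.
  consume(bytes) {
    bytes = Math.trunc(bytes);
    if (Number.isNaN(bytes) || bytes <= 0) return this;
    return this.consumeUnchecked(bytes);
  }

  // Copy every chunk into one buffer sized from the cached length. allocUnsafe
  // does not zero memory, so if `length` exceeds the real byte count the tail
  // of the result is leftover data from earlier allocations in the pool.
  slice() {
    const out = Buffer.allocUnsafe(this.length);
    let offset = 0;
    for (const b of this._bufs) {
      b.copy(out, offset);
      offset += b.length;
    }
    return out;
  }

  // Bytes actually held, independent of the cached length.
  realLength() {
    return this._bufs.reduce((n, b) => n + b.length, 0);
  }
}

// Drive a fresh list through one consume() call and report what a caller sees:
// the cached length, the real byte count, the size of slice(), and the real data.
function observe(consumeArg, useHardened) {
  const list = new MiniBufferList(['header-', 'payload!']); // constructed chunks
  if (useHardened) list.consume(consumeArg);
  else list.consumeUnchecked(consumeArg);
  const whole = list.slice();
  return {
    cached: list.length,
    real: list.realLength(),
    sliced: whole.length,
    text: whole.toString('latin1', 0, list.realLength()),
  };
}

console.log('unchecked consume(-4):', observe(-4, false));
console.log('hardened  consume(-4):', observe(-4, true));
```

The `sliced` value is what an HTTP or stream consumer would forward downstream, which is how the stale pool bytes leave the process.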
CVE-2022-0235
Vulnerable Libraries - node-fetch-2.6.0.tgz, node-fetch-1.7.3.tgz
node-fetch-2.6.0.tgz
A light-weight module that brings window.fetch to node.js
Library home page: https://registry.npmjs.org/node-fetch/-/node-fetch-2.6.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/@serverless/enterprise-plugin/node_modules/node-fetch/package.json
Dependency Hierarchy:
- serverless-1.47.0.tgz (Root Library)
- enterprise-plugin-1.2.0.tgz
- ❌ node-fetch-2.6.0.tgz (Vulnerable Library)
node-fetch-1.7.3.tgz
A light-weight module that brings window.fetch to node.js and io.js
Library home page: https://registry.npmjs.org/node-fetch/-/node-fetch-1.7.3.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/node-fetch/package.json
Dependency Hierarchy:
- serverless-1.47.0.tgz (Root Library)
- ❌ node-fetch-1.7.3.tgz (Vulnerable Library)
Found in HEAD commit: aa914de618a178424105cc38c474133a60c17eeb
Found in base branch: main
Vulnerability Details
node-fetch is vulnerable to Exposure of Sensitive Information to an Unauthorized Actor (CWE-200): when following a redirect it forwarded the original request's sensitive headers, such as Authorization and Cookie, to the redirect target even when that target was a different host, so any server able to issue a redirect could obtain the caller's credentials.
Publish Date: 2022-01-16
URL: CVE-2022-0235
CVSS 3 Score Details (6.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-r683-j2x4-v87g
Release Date: 2022-01-16
Fix Resolution (node-fetch): 2.6.7
Direct dependency fix Resolution (serverless): 2.71.0
Fix Resolution (node-fetch): 2.6.7
Direct dependency fix Resolution (serverless): 2.71.0
⛑️ Automatic Remediation is available for this issue
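The added example below (not node-fetch's code) shows the redirect header policy that the fix introduced in substance: headers carrying credentials are dropped from the follow-up request unless the new location is the same host as, or a subdomain of, the original. The request headers and URLs are constructed; `headersForRedirect`, `headersForRedirectUnchecked` and `isDomainOrSubdomain` are names chosen here.

```javascript
// Added example: a redirect header policy of the kind introduced to fix
// CVE-2022-0235. Not node-fetch's code; the request below is constructed.

// Headers that carry credentials and must not follow a cross-site redirect.
const CREDENTIAL_HEADERS = ['authorization', 'www-authenticate', 'cookie', 'cookie2'];

// True when `destination` is the same host as `original` or a subdomain of it.
// The leading '.' stops "example.com.evil.net" from matching "example.com".
function isDomainOrSubdomain(destination, original) {
  const orig = new URL(original).hostname;
  const dest = new URL(destination).hostname;
  return orig === dest || dest.endsWith('.' + orig);
}

// Vulnerable behaviour: forward every header to the redirect target unchanged.
function headersForRedirectUnchecked(headers, from, to) {
  return { ...headers };
}

// Hardened behaviour: strip credential headers when the redirect leaves the
// original host and its subdomains. Header names are compared case-insensitively.
function headersForRedirect(headers, from, to) {
  const sameSite = isDomainOrSubdomain(to, from);
  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    if (!sameSite && CREDENTIAL_HEADERS.includes(name.toLowerCase())) continue;
    out[name] = value;
  }
  return out;
}

// Constructed request: a bearer token and a session cookie bound for api.example.com.
const REQUEST_HEADERS = {
  Authorization: 'Bearer s3cr3t-token',
  Cookie: 'session=abc123',
  Accept: 'application/json',
};

const FROM = 'https://api.example.com/v1/resource';
const TO = 'https://evil.example.net/collect';
console.log('unchecked:', headersForRedirectUnchecked(REQUEST_HEADERS, FROM, TO));
console.log('hardened: ', headersForRedirect(REQUEST_HEADERS, FROM, TO));
```

This policy compares hostnames only, so a redirect from https to http on the same host still carries the credentials; a client that wants to refuse that downgrade must compare full origins rather than hosts.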
CVE-2020-7598
Vulnerable Libraries - minimist-1.2.0.tgz, minimist-0.0.8.tgz
minimist-1.2.0.tgz
parse argument options
Library home page: https://registry.npmjs.org/minimist/-/minimist-1.2.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/minimist/package.json
Dependency Hierarchy:
- serverless-1.47.0.tgz (Root Library)
- ❌ minimist-1.2.0.tgz (Vulnerable Library)
minimist-0.0.8.tgz
parse argument options
Library home page: https://registry.npmjs.org/minimist/-/minimist-0.0.8.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/mkdirp/node_modules/minimist/package.json
Dependency Hierarchy:
- serverless-1.47.0.tgz (Root Library)
- mkdirp-0.5.1.tgz
- ❌ minimist-0.0.8.tgz (Vulnerable Library)
Found in HEAD commit: aa914de618a178424105cc38c474133a60c17eeb
Found in base branch: main
Vulnerability Details
minimist before 1.2.2 could be tricked into adding or modifying properties of Object.prototype using a "constructor" or "__proto__" payload.
Publish Date: 2020-03-11
URL: CVE-2020-7598
CVSS 3 Score Details (5.6)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: Low
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Release Date: 2020-03-11
Fix Resolution (minimist): 1.2.3
Direct dependency fix Resolution (serverless): 1.48.0
Fix Resolution (minimist): 0.2.1
Direct dependency fix Resolution (serverless): 1.48.0
⛑️ Automatic Remediation is available for this issue
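This minimist entry and the dot-prop entry (CVE-2020-8116) above are the same bug class: a library walks a user-supplied dotted key path and, when a segment is `__proto__` (or `constructor` followed by `prototype`), the walk lands on `Object.prototype`, so the final assignment pollutes every plain object in the process. The added example below (not dot-prop's or minimist's code) shows a minimal dot-path setter with that flaw, feeds it a dot-prop-style path and a minimist-style `--__proto__.polluted=yes` argument, and contrasts it with a setter that rejects the dangerous segments. The paths, argv strings and the names `setPathUnchecked`, `setPath`, `parseArgs`, `pollutes` and `scenarios` are constructed for the illustration.

```javascript
// Added example: a minimal dot-path setter and argv parser with the prototype
// pollution flaw shared by dot-prop < 4.2.1 and minimist < 1.2.2 / < 0.2.1.
// Not either library's code; all inputs are constructed.

// Vulnerable: follows whatever segments the path contains. For a plain object,
// obj['__proto__'] is Object.prototype and obj['constructor']['prototype'] is
// the same thing, so the walk can leave the target object entirely.
function setPathUnchecked(obj, path, value) {
  const keys = path.split('.');
  let cur = obj;
  for (let i = 0; i < keys.length - 1; i++) {
    const k = keys[i];
    if (cur[k] == null || (typeof cur[k] !== 'object' && typeof cur[k] !== 'function')) {
      cur[k] = {};
    }
    cur = cur[k];
  }
  cur[keys[keys.length - 1]] = value;
  return obj;
}

// Hardened: refuse segments that can redirect the walk to a shared prototype,
// and only descend into properties the object owns itself.
const FORBIDDEN = new Set(['__proto__', 'prototype', 'constructor']);
function setPath(obj, path, value) {
  const keys = path.split('.');
  if (keys.some((k) => FORBIDDEN.has(k))) {
    throw new Error('Refusing unsafe key segment in ' + JSON.stringify(path));
  }
  let cur = obj;
  for (let i = 0; i < keys.length - 1; i++) {
    const k = keys[i];
    if (!Object.prototype.hasOwnProperty.call(cur, k) || typeof cur[k] !== 'object' || cur[k] === null) {
      cur[k] = {};
    }
    cur = cur[k];
  }
  cur[keys[keys.length - 1]] = value;
  return obj;
}

// A minimist-style parser for `--a.b=value` arguments, parameterised by the
// setter so the same argv can be run through both variants.
function parseArgs(argv, setter) {
  const parsed = {};
  for (const arg of argv) {
    const m = /^--([^=]+)=(.*)$/.exec(arg);
    if (m) setter(parsed, m[1], m[2]);
  }
  return parsed;
}

// Run a scenario and report whether an unrelated, freshly created object ended
// up polluted. Cleans Object.prototype afterwards so later code is unaffected.
function pollutes(fn) {
  try {
    fn();
    return ({}).polluted === 'yes';
  } catch (e) {
    return false; // the hardened setter throws instead of polluting
  } finally {
    delete Object.prototype.polluted;
  }
}

const DOT_PROP_STYLE = '__proto__.polluted';
const CONSTRUCTOR_STYLE = 'constructor.prototype.polluted';
const MINIMIST_STYLE = ['--__proto__.polluted=yes', '--verbose=true'];

function scenarios() {
  return {
    dotPropVulnerable: pollutes(() => setPathUnchecked({}, DOT_PROP_STYLE, 'yes')),
    dotPropHardened: pollutes(() => setPath({}, DOT_PROP_STYLE, 'yes')),
    constructorVulnerable: pollutes(() => setPathUnchecked({}, CONSTRUCTOR_STYLE, 'yes')),
    constructorHardened: pollutes(() => setPath({}, CONSTRUCTOR_STYLE, 'yes')),
    minimistVulnerable: pollutes(() => parseArgs(MINIMIST_STYLE, setPathUnchecked)),
    minimistHardened: pollutes(() => parseArgs(MINIMIST_STYLE, setPath)),
  };
}

console.log(scenarios());
```

The practical consequence of pollution is not the `polluted` marker itself but that every later `if (options.someFlag)` or `obj.hasOwnProperty` check in the process now sees attacker-chosen values, which is why these entries score on integrity and availability rather than confidentiality alone.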