discord-phishing-backend's Introduction

discord-phishing-backend

Discord Phishing API list with Redis and Docker

Access to API

API Endpoints

Authorization

Some API requests require a generated API key. To set the API key, add AUTHORIZATION to your .env file; if it is not set, the default API key is secret. To authenticate an API request, provide your API key in the Authorization header.

Method  Endpoint                   Description                                            Requires Authorization header?
GET     /all                       Get all data (includes blacklisted links and domains)  No
GET     /links                     Get all blacklisted domains                            No
GET     /check?url={query}         Check whether a URL is in the blacklist                No
GET     /trace-redirect?url={query}  Trace the redirects of a URL (shortened link)        No
POST    /adddomain                 Add a domain to the blacklist (requires url in body)   Yes
POST    /addlink                   Add a link to the blacklist (requires url in body)     Yes

Installation

Without Docker

Redis

  • Download and set up Redis

Project

  1. Clone the project
  2. Rename example.env to .env
  3. Change REDIS_HOST to your host (usually localhost)
  4. Change the other variables to fit your environment (REDIS_PORT, REDIS_PASSWORD, PORT, TIMEZONE)
  5. Install package using npm install or yarn install
  6. Run npm start

With Docker

  1. Clone the project
  2. Rename example.env to .env
  3. Change the other variables to fit your environment (PORT, TIMEZONE)
  4. Run docker-compose up -d to run the container

discord-phishing-backend's People

Contributors

mend-bolt-for-github[bot], phamleduy04, phamleduy04-bot

Forkers

fuyukouxu

discord-phishing-backend's Issues

express-4.17.3.tgz: 1 vulnerability (highest severity is: 5.5) - autoclosed

Vulnerable Library - express-4.17.3.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/qs/package.json

Found in HEAD commit: ab83cbd152608d7871f8838b8dc909e131e22ebd

Vulnerabilities

CVE             Severity  CVSS  Dependency    Type        Fixed in  Remediation Available
CVE-2021-44907  Medium    5.5   qs-6.9.7.tgz  Transitive  N/A

Details

CVE-2021-44907

Vulnerable Library - qs-6.9.7.tgz

A querystring parser that supports nesting and arrays, with a depth limit

Library home page: https://registry.npmjs.org/qs/-/qs-6.9.7.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/qs/package.json

Dependency Hierarchy:

  • express-4.17.3.tgz (Root Library)
    • qs-6.9.7.tgz (Vulnerable Library)

Found in HEAD commit: ab83cbd152608d7871f8838b8dc909e131e22ebd

Found in base branch: main

Vulnerability Details

A Denial of Service vulnerability exists in qs up to 6.8.0 due to insufficient sanitization of property in the qs.parse function. The merge() function allows the assignment of properties on an array in the query. For any property being assigned, a value in the array is converted to an object containing these properties. Essentially, this means that the property whose expected type is Array always has to be checked with Array.isArray() by the user. This may not be obvious to the user and can cause unexpected behavior.

Publish Date: 2022-03-17

URL: CVE-2021-44907

CVSS 3 Score Details (5.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2021-44907

Release Date: 2022-03-17

Fix Resolution: GR.PageRender.Razor - 1.8.0;MIDIator.WebClient - 1.0.105;cloudscribe.templates - 5.2.0;KnstAsyncApiUI - 1.0.2-pre;Romano.Vue - 1.0.1;Yarnpkg.Yarn - 0.26.1;VueJS.NetCore - 1.1.1;NativeScript.Sidekick.Standalone.Shell - 1.9.1-v2018050205;Indianadavy.VueJsWebAPITemplate.CSharp - 1.0.1;NorDroN.AngularTemplate - 0.1.6;dotnetng.template - 1.0.0.2;Fable.Template.Elmish.React - 0.1.6;Fable.Snowpack.Template - 2.1.0;Yarn.MSBuild - 0.22.0,0.24.6

Step up your Open Source Security Game with WhiteSource here

platform-fastify-9.1.4.tgz: 1 vulnerability (highest severity is: 7.5) - autoclosed

Vulnerable Library - platform-fastify-9.1.4.tgz

Found in HEAD commit: 80a00985b1024c3038c75664236fee26c38157b8

Vulnerabilities

CVE             Severity  CVSS  Dependency         Type        Fixed in (platform-fastify version)  Remediation Available
CVE-2022-39288  High      7.5   fastify-4.7.0.tgz  Transitive  N/A*

*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the section "Details" below to see if there is a version of transitive dependency where vulnerability is fixed.

Details

CVE-2022-39288

Vulnerable Library - fastify-4.7.0.tgz

Fast and low overhead web framework, for Node.js

Library home page: https://registry.npmjs.org/fastify/-/fastify-4.7.0.tgz

Dependency Hierarchy:

  • platform-fastify-9.1.4.tgz (Root Library)
    • fastify-4.7.0.tgz (Vulnerable Library)

Found in HEAD commit: 80a00985b1024c3038c75664236fee26c38157b8

Found in base branch: main

Vulnerability Details

fastify is a fast and low overhead web framework, for Node.js. Affected versions of fastify are subject to a denial of service via malicious use of the Content-Type header. An attacker can send an invalid Content-Type header that can cause the application to crash. This issue has been addressed in commit fbb07e8d and will be included in release version 4.8.1. Users are advised to upgrade. Users unable to upgrade may manually filter out http content with malicious Content-Type headers.

Publish Date: Oct 10, 2022 9:15:00 PM

URL: CVE-2022-39288

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-39288

Release Date: Oct 10, 2022 9:15:00 PM

Fix Resolution: fastify - 4.8.1

platform-fastify-9.3.9.tgz: 1 vulnerability (highest severity is: 7.5)

Vulnerable Library - platform-fastify-9.3.9.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Vulnerabilities

CVE             Severity  CVSS  Dependency        Type        Fixed in (platform-fastify version)  Remediation Possible**
CVE-2022-25883  High      7.5   semver-7.3.8.tgz  Transitive  10.2.8

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2022-25883

Vulnerable Library - semver-7.3.8.tgz

The semantic version parser used by npm.

Library home page: https://registry.npmjs.org/semver/-/semver-7.3.8.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

  • platform-fastify-9.3.9.tgz (Root Library)
    • fastify-4.13.0.tgz
      • semver-7.3.8.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Versions of the package semver before 7.5.2 are vulnerable to Regular Expression Denial of Service (ReDoS) via the function new Range, when untrusted user data is provided as a range.

Publish Date: 2023-06-21

URL: CVE-2022-25883

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-c2qf-rxjj-qqgw

Release Date: 2023-06-21

Fix Resolution (semver): 7.5.2

Direct dependency fix Resolution (@nestjs/platform-fastify): 10.2.8

undici-5.11.0.tgz: 2 vulnerabilities (highest severity is: 7.5) - autoclosed

Vulnerable Library - undici-5.11.0.tgz

An HTTP/1.1 client, written from scratch for Node.js

Library home page: https://registry.npmjs.org/undici/-/undici-5.11.0.tgz

Vulnerabilities

CVE             Severity  CVSS  Dependency         Type    Fixed in (undici version)  Remediation Available
CVE-2023-24807  High      7.5   undici-5.11.0.tgz  Direct  undici - 5.19.1
CVE-2023-23936  Medium    6.5   undici-5.11.0.tgz  Direct  undici - 5.19.1

Details

CVE-2023-24807

Vulnerable Library - undici-5.11.0.tgz

An HTTP/1.1 client, written from scratch for Node.js

Library home page: https://registry.npmjs.org/undici/-/undici-5.11.0.tgz

Dependency Hierarchy:

  • undici-5.11.0.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Undici is an HTTP/1.1 client for Node.js. Prior to version 5.19.1, the Headers.set() and Headers.append() methods are vulnerable to Regular Expression Denial of Service (ReDoS) attacks when untrusted values are passed into the functions. This is due to the inefficient regular expression used to normalize the values in the headerValueNormalize() utility function. This vulnerability was patched in v5.19.1. No known workarounds are available.

Publish Date: 2023-02-16

URL: CVE-2023-24807

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-r6ch-mqf9-qc9w

Release Date: 2023-02-16

Fix Resolution: undici - 5.19.1

CVE-2023-23936

Vulnerable Library - undici-5.11.0.tgz

An HTTP/1.1 client, written from scratch for Node.js

Library home page: https://registry.npmjs.org/undici/-/undici-5.11.0.tgz

Dependency Hierarchy:

  • undici-5.11.0.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Undici is an HTTP/1.1 client for Node.js. Starting with version 2.0.0 and prior to version 5.19.1, the undici library does not protect host HTTP header from CRLF injection vulnerabilities. This issue is patched in Undici v5.19.1. As a workaround, sanitize the headers.host string before passing to undici.

Publish Date: 2023-02-16

URL: CVE-2023-23936

CVSS 3 Score Details (6.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: GHSA-5r9g-qh6m-jxff

Release Date: 2023-02-16

Fix Resolution: undici - 5.19.1

undici-5.8.0.tgz: 2 vulnerabilities (highest severity is: 9.8) - autoclosed

Vulnerable Library - undici-5.8.0.tgz

An HTTP/1.1 client, written from scratch for Node.js

Library home page: https://registry.npmjs.org/undici/-/undici-5.8.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/undici/package.json

Vulnerabilities

CVE             Severity  CVSS  Dependency        Type    Fixed in        Remediation Available
CVE-2022-35949  High      9.8   undici-5.8.0.tgz  Direct  undici - 5.8.2
CVE-2022-35948  Medium    5.3   undici-5.8.0.tgz  Direct  5.8.2

Details

CVE-2022-35949

Vulnerable Library - undici-5.8.0.tgz

An HTTP/1.1 client, written from scratch for Node.js

Library home page: https://registry.npmjs.org/undici/-/undici-5.8.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/undici/package.json

Dependency Hierarchy:

  • undici-5.8.0.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

undici is an HTTP/1.1 client, written from scratch for Node.js. undici is vulnerable to SSRF (Server-side Request Forgery) when an application takes in user input into the path/pathname option of undici.request. If a user specifies a URL such as http://127.0.0.1 or //127.0.0.1:

    const undici = require("undici")
    undici.request({origin: "http://example.com", pathname: "//127.0.0.1"})

Instead of processing the request as http://example.org//127.0.0.1 (or http://example.org/http://127.0.0.1 when http://127.0.0.1 is used), it actually processes the request as http://127.0.0.1/ and sends it to http://127.0.0.1. If a developer passes in user input into the path parameter of undici.request, it can result in an SSRF as they will assume that the hostname cannot change, when in actual fact it can change because the specified path parameter is combined with the base URL. This issue was fixed in [email protected]. The best workaround is to validate user input before passing it to the undici.request call.

Publish Date: 2022-08-12

URL: CVE-2022-35949

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-35949

Release Date: 2022-08-12

Fix Resolution: undici - 5.8.2

CVE-2022-35948

Vulnerable Library - undici-5.8.0.tgz

An HTTP/1.1 client, written from scratch for Node.js

Library home page: https://registry.npmjs.org/undici/-/undici-5.8.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/undici/package.json

Dependency Hierarchy:

  • undici-5.8.0.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

undici is an HTTP/1.1 client, written from scratch for Node.js. =< [email protected] users are vulnerable to CRLF Injection on headers when using unsanitized input as request headers, more specifically, inside the content-type header. Example:

    import { request } from 'undici'
    const unsanitizedContentTypeInput = 'application/json\r\n\r\nGET /foo2 HTTP/1.1'
    await request('http://localhost:3000', {
      method: 'GET',
      headers: { 'content-type': unsanitizedContentTypeInput },
    })

The above snippet will perform two requests in a single request API call: 1) http://localhost:3000/ 2) http://localhost:3000/foo2. This issue was patched in Undici v5.8.1. Sanitize input when sending content-type headers using user input as a workaround.

Publish Date: 2022-08-15

URL: CVE-2022-35948

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: Low
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-35948

Release Date: 2022-08-15

Fix Resolution: 5.8.2

undici-5.20.0.tgz: 4 vulnerabilities (highest severity is: 3.9)

Vulnerable Library - undici-5.20.0.tgz

Library home page: https://registry.npmjs.org/undici/-/undici-5.20.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Vulnerabilities

CVE             Severity  CVSS  Dependency         Type    Fixed in (undici version)  Remediation Possible**
CVE-2024-30260  Low       3.9   undici-5.20.0.tgz  Direct  undici - 5.28.4,6.11.1
CVE-2024-24758  Low       3.9   undici-5.20.0.tgz  Direct  5.28.3
CVE-2023-45143  Low       3.5   undici-5.20.0.tgz  Direct  5.26.2
CVE-2024-30261  Low       2.6   undici-5.20.0.tgz  Direct  undici - 5.28.4,6.11.1

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2024-30260

Vulnerable Library - undici-5.20.0.tgz

Library home page: https://registry.npmjs.org/undici/-/undici-5.20.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

  • undici-5.20.0.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Undici is an HTTP/1.1 client, written from scratch for Node.js. Undici cleared Authorization and Proxy-Authorization headers for fetch(), but did not clear them for undici.request(). This vulnerability was patched in version(s) 5.28.4 and 6.11.1.

Publish Date: 2024-04-04

URL: CVE-2024-30260

CVSS 3 Score Details (3.9)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: High
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: GHSA-m4v8-wqvr-p9f7

Release Date: 2024-04-04

Fix Resolution: undici - 5.28.4,6.11.1

CVE-2024-24758

Vulnerable Library - undici-5.20.0.tgz

Library home page: https://registry.npmjs.org/undici/-/undici-5.20.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

  • undici-5.20.0.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Undici is an HTTP/1.1 client, written from scratch for Node.js. Undici already cleared Authorization headers on cross-origin redirects, but did not clear Proxy-Authentication headers. This issue has been patched in versions 5.28.3 and 6.6.1. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Publish Date: 2024-02-16

URL: CVE-2024-24758

CVSS 3 Score Details (3.9)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: High
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2024-24758

Release Date: 2024-02-16

Fix Resolution: 5.28.3

CVE-2023-45143

Vulnerable Library - undici-5.20.0.tgz

Library home page: https://registry.npmjs.org/undici/-/undici-5.20.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

  • undici-5.20.0.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Undici is an HTTP/1.1 client written from scratch for Node.js. Prior to version 5.26.2, Undici already cleared Authorization headers on cross-origin redirects, but did not clear Cookie headers. By design, cookie headers are forbidden request headers, disallowing them to be set in RequestInit.headers in browser environments. Since undici handles headers more liberally than the spec, there was a disconnect from the assumptions the spec made, and undici's implementation of fetch. As such this may lead to accidental leakage of cookie to a third-party site or a malicious attacker who can control the redirection target (ie. an open redirector) to leak the cookie to the third party site. This was patched in version 5.26.2. There are no known workarounds.

Publish Date: 2023-10-12

URL: CVE-2023-45143

CVSS 3 Score Details (3.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: None
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: GHSA-wqq4-5wpv-mx2g

Release Date: 2023-10-12

Fix Resolution: 5.26.2

CVE-2024-30261

Vulnerable Library - undici-5.20.0.tgz

Library home page: https://registry.npmjs.org/undici/-/undici-5.20.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

  • undici-5.20.0.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Undici is an HTTP/1.1 client, written from scratch for Node.js. An attacker can alter the integrity option passed to fetch(), allowing fetch() to accept requests as valid even if they have been tampered. This vulnerability was patched in version(s) 5.28.4 and 6.11.1.

Publish Date: 2024-04-04

URL: CVE-2024-30261

CVSS 3 Score Details (2.6)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: Low
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: Low
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: GHSA-9qxr-qj54-h672

Release Date: 2024-04-04

Fix Resolution: undici - 5.28.4,6.11.1

compare-urls-2.0.0.tgz: 1 vulnerability (highest severity is: 7.5) - autoclosed

Vulnerable Library - compare-urls-2.0.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/normalize-url/package.json

Found in HEAD commit: 0e2156516539b27b3e26798a3c21eb9673e170a1

Vulnerabilities

CVE             Severity  CVSS  Dependency               Type        Fixed in  Remediation Available
CVE-2021-33502  High      7.5   normalize-url-2.0.1.tgz  Transitive  3.0.0

Details

CVE-2021-33502

Vulnerable Library - normalize-url-2.0.1.tgz

Normalize a URL

Library home page: https://registry.npmjs.org/normalize-url/-/normalize-url-2.0.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/normalize-url/package.json

Dependency Hierarchy:

  • compare-urls-2.0.0.tgz (Root Library)
    • normalize-url-2.0.1.tgz (Vulnerable Library)

Found in HEAD commit: 0e2156516539b27b3e26798a3c21eb9673e170a1

Found in base branch: main

Vulnerability Details

The normalize-url package before 4.5.1, 5.x before 5.3.1, and 6.x before 6.0.1 for Node.js has a ReDoS (regular expression denial of service) issue because it has exponential performance for data: URLs.

Publish Date: 2021-05-24

URL: CVE-2021-33502

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33502

Release Date: 2021-05-24

Fix Resolution (normalize-url): 4.5.1

Direct dependency fix Resolution (compare-urls): 3.0.0

undici-5.1.1.tgz: 1 vulnerability (highest severity is: 7.7) - autoclosed

Vulnerable Library - undici-5.1.1.tgz

An HTTP/1.1 client, written from scratch for Node.js

Library home page: https://registry.npmjs.org/undici/-/undici-5.1.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/undici/package.json

Vulnerabilities

CVE             Severity  CVSS  Dependency        Type    Fixed in  Remediation Available
CVE-2022-32210  High      7.7   undici-5.1.1.tgz  Direct  5.5.1

Details

CVE-2022-32210

Vulnerable Library - undici-5.1.1.tgz

An HTTP/1.1 client, written from scratch for Node.js

Library home page: https://registry.npmjs.org/undici/-/undici-5.1.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/undici/package.json

Dependency Hierarchy:

  • undici-5.1.1.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

undici 4.8.2 before 5.5.1 is vulnerable to MITM. Undici.ProxyAgent never verifies the remote server's certificate, and always exposes all request & response data to the proxy. This unexpectedly means that proxies can MitM all HTTPS traffic, and if the proxy's URL is HTTP then it also means that nominally HTTPS requests are actually sent via plain-text HTTP between Undici and the proxy server.

Publish Date: 2022-06-02

URL: CVE-2022-32210

CVSS 3 Score Details (7.7)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: High
    • User Interaction: None
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: GHSA-pgw7-wx7w-2w33

Release Date: 2022-06-02

Fix Resolution: 5.5.1

moment-timezone-0.5.34.tgz: 2 vulnerabilities (highest severity is: 5.5) - autoclosed

Vulnerable Library - moment-timezone-0.5.34.tgz

Parse and display moments in any timezone.

Library home page: https://registry.npmjs.org/moment-timezone/-/moment-timezone-0.5.34.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/moment-timezone/package.json

Vulnerabilities

CVE           Severity  CVSS  Dependency                  Type    Fixed in  Remediation Available
WS-2022-0284  Medium    5.5   moment-timezone-0.5.34.tgz  Direct  0.5.35
WS-2022-0280  Medium    5.5   moment-timezone-0.5.34.tgz  Direct  0.5.35

Details

WS-2022-0284

Vulnerable Library - moment-timezone-0.5.34.tgz

Parse and display moments in any timezone.

Library home page: https://registry.npmjs.org/moment-timezone/-/moment-timezone-0.5.34.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/moment-timezone/package.json

Dependency Hierarchy:

  • moment-timezone-0.5.34.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Cleartext Transmission of Sensitive Information in moment-timezone

Publish Date: 2022-08-30

URL: WS-2022-0284

CVSS 3 Score Details (5.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-v78c-4p63-2j6c

Release Date: 2022-08-30

Fix Resolution: 0.5.35

WS-2022-0280

Vulnerable Library - moment-timezone-0.5.34.tgz

Parse and display moments in any timezone.

Library home page: https://registry.npmjs.org/moment-timezone/-/moment-timezone-0.5.34.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/moment-timezone/package.json

Dependency Hierarchy:

  • moment-timezone-0.5.34.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Command Injection in moment-timezone before 0.5.35.

Publish Date: 2022-08-30

URL: WS-2022-0280

CVSS 3 Score Details (5.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-56x4-j7p9-fcf9

Release Date: 2022-08-30

Fix Resolution: 0.5.35

@nestjs/platform-fastify-9.1.6.tgz: 1 vulnerability (highest severity is: 8.8) - autoclosed

Vulnerable Library - @nestjs/platform-fastify-9.1.6.tgz

Vulnerabilities

CVE             Severity  CVSS  Dependency         Type        Fixed in (@nestjs/platform-fastify version)  Remediation Available
CVE-2022-41919  High      8.8   fastify-4.9.2.tgz  Transitive  9.2.1

Details

CVE-2022-41919

Vulnerable Library - fastify-4.9.2.tgz

Fast and low overhead web framework, for Node.js

Library home page: https://registry.npmjs.org/fastify/-/fastify-4.9.2.tgz

Dependency Hierarchy:

  • @nestjs/platform-fastify-9.1.6.tgz (Root Library)
    • fastify-4.9.2.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Fastify is a web framework with minimal overhead and plugin architecture. The attacker can use the incorrect Content-Type to bypass the Pre-Flight checking of fetch. fetch() requests with Content-Type's essence as "application/x-www-form-urlencoded", "multipart/form-data", or "text/plain", could potentially be used to invoke routes that only accept the application/json content type, thus bypassing any CORS protection, and therefore they could lead to a Cross-Site Request Forgery attack. This issue has been patched in versions 4.10.2 and 3.29.4. As a workaround, implement Cross-Site Request Forgery protection using `@fastify/csrf`.

Publish Date: 2022-11-22

URL: CVE-2022-41919

CVSS 3 Score Details (8.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-3fjj-p79j-c9hh

Release Date: 2022-11-22

Fix Resolution (fastify): 4.10.2

Direct dependency fix Resolution (@nestjs/platform-fastify): 9.2.1

ws-8.12.1.tgz: 1 vulnerability (highest severity is: 7.5)

Vulnerable Library - ws-8.12.1.tgz

Library home page: https://registry.npmjs.org/ws/-/ws-8.12.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Vulnerabilities

CVE             Severity  CVSS  Dependency     Type    Fixed in (ws version)  Remediation Possible**
CVE-2024-37890  High      7.5   ws-8.12.1.tgz  Direct  8.17.1

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2024-37890

Vulnerable Library - ws-8.12.1.tgz

Library home page: https://registry.npmjs.org/ws/-/ws-8.12.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

  • ws-8.12.1.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

ws is an open source WebSocket client and server for Node.js. A request with a number of headers exceeding the server.maxHeadersCount threshold could be used to crash a ws server. The vulnerability was fixed in [email protected] (e55e510) and backported to [email protected] (22c2876), [email protected] (eeb76d3), and [email protected] (4abd8f6). In vulnerable versions of ws, the issue can be mitigated in the following ways: 1. Reduce the maximum allowed length of the request headers using the --max-http-header-size=size and/or the maxHeaderSize options so that no more headers than the server.maxHeadersCount limit can be sent. 2. Set server.maxHeadersCount to 0 so that no limit is applied.

Publish Date: 2024-06-17

URL: CVE-2024-37890

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-3h5v-q93c-6h6q

Release Date: 2024-06-17

Fix Resolution: 8.17.1

undici-5.6.1.tgz: 2 vulnerabilities (highest severity is: 5.3) - autoclosed

Vulnerable Library - undici-5.6.1.tgz

An HTTP/1.1 client, written from scratch for Node.js

Library home page: https://registry.npmjs.org/undici/-/undici-5.6.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/undici/package.json

Vulnerabilities

CVE Severity CVSS Dependency Type Fixed in Remediation Available
CVE-2022-31150 Medium 5.3 undici-5.6.1.tgz Direct undici - 5.8.0
CVE-2022-31151 Low 3.7 undici-5.6.1.tgz Direct undici - 5.8.0

Details

CVE-2022-31150

Vulnerable Library - undici-5.6.1.tgz

An HTTP/1.1 client, written from scratch for Node.js

Library home page: https://registry.npmjs.org/undici/-/undici-5.6.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/undici/package.json

Dependency Hierarchy:

  • undici-5.6.1.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

undici is an HTTP/1.1 client, written from scratch for Node.js. It is possible to inject CRLF sequences into request headers in undici in versions less than 5.7.1. A fix was released in version 5.8.0. Sanitizing all HTTP headers from untrusted sources to eliminate \r\n is a workaround for this issue.

Publish Date: 2022-07-19

URL: CVE-2022-31150

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31150

Release Date: 2022-07-19

Fix Resolution: undici - 5.8.0

CVE-2022-31151

Vulnerable Library - undici-5.6.1.tgz

An HTTP/1.1 client, written from scratch for Node.js

Library home page: https://registry.npmjs.org/undici/-/undici-5.6.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/undici/package.json

Dependency Hierarchy:

  • undici-5.6.1.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Authorization headers are cleared on cross-origin redirect. However, cookie headers which are sensitive headers and are official headers found in the spec, remain uncleared. There are active users using cookie headers in undici. This may lead to accidental leakage of cookie to a 3rd-party site or a malicious attacker who can control the redirection target (ie. an open redirector) to leak the cookie to the 3rd party site. This was patched in v5.7.1. By default, this vulnerability is not exploitable. Do not enable redirections, i.e. maxRedirections: 0 (the default).

Publish Date: 2022-07-21

URL: CVE-2022-31151

CVSS 3 Score Details (3.7)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-q768-x9m6-m9qp

Release Date: 2022-07-21

Fix Resolution: undici - 5.8.0

nodemon-2.0.15.tgz: 1 vulnerabilities (highest severity is: 9.8) - autoclosed

Vulnerable Library - nodemon-2.0.15.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/minimist/package.json

Found in HEAD commit: ab83cbd152608d7871f8838b8dc909e131e22ebd

Vulnerabilities

CVE Severity CVSS Dependency Type Fixed in Remediation Available
CVE-2021-44906 High 9.8 minimist-1.2.5.tgz Transitive N/A

Details

CVE-2021-44906

Vulnerable Library - minimist-1.2.5.tgz

parse argument options

Library home page: https://registry.npmjs.org/minimist/-/minimist-1.2.5.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/minimist/package.json

Dependency Hierarchy:

  • nodemon-2.0.15.tgz (Root Library)
    • update-notifier-5.1.0.tgz
      • latest-version-5.1.0.tgz
        • package-json-6.5.0.tgz
          • registry-auth-token-4.2.1.tgz
            • rc-1.2.8.tgz
              • minimist-1.2.5.tgz (Vulnerable Library)

Found in HEAD commit: ab83cbd152608d7871f8838b8dc909e131e22ebd

Found in base branch: main

Vulnerability Details

Minimist <=1.2.5 is vulnerable to Prototype Pollution via file index.js, function setKey() (lines 69-95).

Publish Date: 2022-03-17

URL: CVE-2021-44906

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2021-44906

Release Date: 2022-03-17

Fix Resolution: BumperLane.Public.Service.Contracts - 0.23.35.214-prerelease;cloudscribe.templates - 5.2.0;Virteom.Tenant.Mobile.Bluetooth - 0.21.29.159-prerelease;ShowingVault.DotNet.Sdk - 0.13.41.190-prerelease;Envisia.DotNet.Templates - 3.0.1;Yarnpkg.Yarn - 0.26.1;Virteom.Tenant.Mobile.Framework.UWP - 0.20.41.103-prerelease;Virteom.Tenant.Mobile.Framework.iOS - 0.20.41.103-prerelease;BumperLane.Public.Api.V2.ClientModule - 0.23.35.214-prerelease;VueJS.NetCore - 1.1.1;Dianoga - 4.0.0,3.0.0-RC02;Virteom.Tenant.Mobile.Bluetooth.iOS - 0.20.41.103-prerelease;Virteom.Public.Utilities - 0.23.37.212-prerelease;Indianadavy.VueJsWebAPITemplate.CSharp - 1.0.1;NorDroN.AngularTemplate - 0.1.6;Virteom.Tenant.Mobile.Framework - 0.21.29.159-prerelease;Virteom.Tenant.Mobile.Bluetooth.Android - 0.20.41.103-prerelease;z4a-dotnet-scaffold - 1.0.0.2;Raml.Parser - 1.0.7;CoreVueWebTest - 3.0.101;dotnetng.template - 1.0.0.4;SitecoreMaster.TrueDynamicPlaceholders - 1.0.3;Virteom.Tenant.Mobile.Framework.Android - 0.20.41.103-prerelease;Fable.Template.Elmish.React - 0.1.6;BlazorPolyfill.Build - 6.0.100.2;Fable.Snowpack.Template - 2.1.0;BumperLane.Public.Api.Client - 0.23.35.214-prerelease;Yarn.MSBuild - 0.22.0,0.24.6;Blazor.TailwindCSS.BUnit - 1.0.2;Bridge.AWS - 0.3.30.36;tslint - 5.6.0;SAFE.Template - 3.0.1;GR.PageRender.Razor - 1.8.0;MIDIator.WebClient - 1.0.105
