polatengin / bern Goto Github PK

View Code? Open in Web Editor NEW

2.0 2.0 1.0 17.68 MB

Hackorona project

Home Page: https://hackorona.in.dev/

Dockerfile 3.01% HTML 30.45% TypeScript 44.60% JavaScript 2.93% SCSS 19.01%

angular devcontainer docker ionic json-server typescript

bern's Introduction

👋 Hi there

My name is Engin Polat, I'm based in Seattle area, beautiful city Sammamish 🌅

I'm a versatile Software Engineer with over 20 years of comprehensive experience, focused on working with challenging projects and learning while working.

🙋‍♂️ Pronouns: He/him

💼 Job

I'm working as a Senior Software Engineer in Microsoft

Why do I work for Microsoft

I work for Microsoft because it is a great place to work where I can use my skills and talents to make a difference. Microsoft offers excellent job satisfaction, a chance to work on cutting-edge technology, and a chance to make a real difference in the world.

I enjoy working on projects that are important to the company and that have a real impact on the world. I feel that my work is meaningful and that I am making a contribution to the company.

I like the constantly learning new things and working on new projects.

Microsoft is also a great place to work because of the people. The people at Microsoft are some of the smartest, most talented, and most driven people I have ever met. I feel fortunate to be able to work with such talented and passionate people.

What is my job in Microsoft

I'm working with the biggest enterprises and communities all around the world, trying to solve their most sophisticated problems with scalable and future-proof solutions 👍

🔭 I'm currently working on

Retrospective Extension for Azure DevOps (you can find it on Azure DevOps Marketplace)

Benchpress

Improving Azure support for Terratest

Contributing to Symphony project

Amplify project to extend Bash commands

Contributing to Bicep project

📫 How to reach me

You can find and get in touch with me on below accounts!

💪 I'm good at

Software Development
Quality code
Learning new paradigms
Staying positive
Jokes (at least I think so...)

👎 I'm not good at

Social Media
Instant decisions
Taking big risks
Working under pressure

💬 Ask me about

I'd like to get in touch with the following topics

Designing
- Resilient Systems
- Fault Tolerant Systems
- High Performant Backends
DevOps related any topic

bern's People

Contributors

Stargazers

Watchers

bern's Issues

CVE-2020-7693 (Medium) detected in sockjs-0.3.19.tgz

CVE-2020-7693 - Medium Severity Vulnerability

Vulnerable Library - sockjs-0.3.19.tgz

SockJS-node is a server counterpart of SockJS-client a JavaScript library that provides a WebSocket-like object in the browser. SockJS gives you a coherent, cross-browser, Javascript API which creates a low latency, full duplex, cross-domain communication

Library home page: https://registry.npmjs.org/sockjs/-/sockjs-0.3.19.tgz

Path to dependency file: bern/src/courier/package.json

Path to vulnerable library: bern/src/courier/node_modules/sockjs/package.json

Dependency Hierarchy:

build-angular-0.901.0.tgz (Root Library)
- webpack-dev-server-3.10.3.tgz
  - ❌ sockjs-0.3.19.tgz (Vulnerable Library)

Found in HEAD commit: b57b4616097174bb3a59e8a6e4147c8da37d6486

Found in base branch: master

Vulnerability Details

Incorrect handling of Upgrade header with the value websocket leads in crashing of containers hosting sockjs apps. This affects the package sockjs before 0.3.20.

Publish Date: 2020-07-09

URL: CVE-2020-7693

CVSS 3 Score Details (5.3)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: sockjs/sockjs-node#265

Release Date: 2020-07-09

Fix Resolution: sockjs - 0.3.20

Step up your Open Source Security Game with WhiteSource here

CVE-2012-6708 (Medium) detected in jquery-1.7.1.min.js

CVE-2012-6708 - Medium Severity Vulnerability

Vulnerable Library - jquery-1.7.1.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.7.1/jquery.min.js

Path to dependency file: bern/src/courier/node_modules/sockjs/examples/express/index.html

Path to vulnerable library: bern/src/courier/node_modules/sockjs/examples/express/index.html,bern/src/courier/node_modules/sockjs/examples/multiplex/index.html,bern/src/courier/node_modules/sockjs/examples/hapi/html/index.html,bern/src/courier/node_modules/sockjs/examples/echo/index.html,bern/src/courier/node_modules/sockjs/examples/express-3.x/index.html

Dependency Hierarchy:

❌ jquery-1.7.1.min.js (Vulnerable Library)

Found in HEAD commit: cab6fc7d649af2428172a624fa1b626e4b4d61a9

Found in base branch: master

Vulnerability Details

jQuery before 1.9.0 is vulnerable to Cross-site Scripting (XSS) attacks. The jQuery(strInput) function does not differentiate selectors from HTML in a reliable fashion. In vulnerable versions, jQuery determined whether the input was HTML by looking for the '<' character anywhere in the string, giving attackers more flexibility when attempting to construct a malicious payload. In fixed versions, jQuery only deems the input to be HTML if it explicitly starts with the '<' character, limiting exploitability only to attackers who can control the beginning of a string, which is far less common.

Publish Date: 2018-01-18

URL: CVE-2012-6708

CVSS 3 Score Details (6.1)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Changed
Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2012-6708

Release Date: 2018-01-18

Fix Resolution: jQuery - v1.9.0

Step up your Open Source Security Game with WhiteSource here

CVE-2020-11022 (Medium) detected in jquery-1.7.1.min.js

CVE-2020-11022 - Medium Severity Vulnerability

Vulnerable Library - jquery-1.7.1.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.7.1/jquery.min.js

Path to dependency file: bern/src/courier/node_modules/sockjs/examples/express/index.html

Dependency Hierarchy:

❌ jquery-1.7.1.min.js (Vulnerable Library)

Found in HEAD commit: cab6fc7d649af2428172a624fa1b626e4b4d61a9

Found in base branch: master

Vulnerability Details

In jQuery versions greater than or equal to 1.2 and before 3.5.0, passing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.

Publish Date: 2020-04-29

URL: CVE-2020-11022

CVSS 3 Score Details (6.1)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Changed
Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/

Release Date: 2020-04-29

Fix Resolution: jQuery - 3.5.0

Step up your Open Source Security Game with WhiteSource here

CVE-2015-9251 (Medium) detected in jquery-1.7.1.min.js

CVE-2015-9251 - Medium Severity Vulnerability

Vulnerable Library - jquery-1.7.1.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.7.1/jquery.min.js

Path to dependency file: bern/src/courier/node_modules/sockjs/examples/express/index.html

Dependency Hierarchy:

❌ jquery-1.7.1.min.js (Vulnerable Library)

Found in HEAD commit: cab6fc7d649af2428172a624fa1b626e4b4d61a9

Found in base branch: master

Vulnerability Details

jQuery before 3.0.0 is vulnerable to Cross-site Scripting (XSS) attacks when a cross-domain Ajax request is performed without the dataType option, causing text/javascript responses to be executed.

Publish Date: 2018-01-18

URL: CVE-2015-9251

CVSS 3 Score Details (6.1)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Changed
Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2015-9251

Release Date: 2018-01-18

Fix Resolution: jQuery - v3.0.0

Step up your Open Source Security Game with WhiteSource here

CVE-2020-7608 (Medium) detected in yargs-parser-11.1.1.tgz

CVE-2020-7608 - Medium Severity Vulnerability

Vulnerable Library - yargs-parser-11.1.1.tgz

the mighty option parser used by yargs

Library home page: https://registry.npmjs.org/yargs-parser/-/yargs-parser-11.1.1.tgz

Path to dependency file: bern/src/courier/package.json

Path to vulnerable library: bern/src/courier/node_modules/yargs-parser/package.json

Dependency Hierarchy:

build-angular-0.901.0.tgz (Root Library)
- webpack-dev-server-3.10.3.tgz
  - yargs-12.0.5.tgz
    - ❌ yargs-parser-11.1.1.tgz (Vulnerable Library)

Found in HEAD commit: cab6fc7d649af2428172a624fa1b626e4b4d61a9

Found in base branch: master

Vulnerability Details

yargs-parser could be tricked into adding or modifying properties of Object.prototype using a "proto" payload.

Publish Date: 2020-03-16

URL: CVE-2020-7608

CVSS 3 Score Details (5.3)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7608

Release Date: 2020-03-16

Fix Resolution: v18.1.1;13.1.2;15.0.1

Step up your Open Source Security Game with WhiteSource here

WS-2020-0070 (High) detected in lodash-4.17.15.tgz

WS-2020-0070 - High Severity Vulnerability

Vulnerable Library - lodash-4.17.15.tgz

Lodash modular utilities.

Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.15.tgz

Path to dependency file: /tmp/ws-scm/bern/src/courier/package.json

Path to vulnerable library: /tmp/ws-scm/bern/src/mock-api/node_modules/lodash/package.json,/bern/src/mock-api/node_modules/lodash/package.json

Dependency Hierarchy:

❌ lodash-4.17.15.tgz (Vulnerable Library)

Found in HEAD commit: cab6fc7d649af2428172a624fa1b626e4b4d61a9

Vulnerability Details

a prototype pollution vulnerability in lodash. It allows an attacker to inject properties on Object.prototype

Publish Date: 2020-04-28

URL: WS-2020-0070

CVSS 3 Score Details (8.1)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High

For more information on CVSS3 Scores, click here.

Step up your Open Source Security Game with WhiteSource here

WS-2020-0091 (High) detected in http-proxy-1.18.0.tgz

WS-2020-0091 - High Severity Vulnerability

Vulnerable Library - http-proxy-1.18.0.tgz

HTTP proxying for the masses

Library home page: https://registry.npmjs.org/http-proxy/-/http-proxy-1.18.0.tgz

Path to dependency file: /tmp/ws-scm/bern/src/courier/package.json

Path to vulnerable library: /tmp/ws-scm/bern/src/courier/node_modules/http-proxy/package.json

Dependency Hierarchy:

build-angular-0.901.0.tgz (Root Library)
- webpack-dev-server-3.10.3.tgz
  - http-proxy-middleware-0.19.1.tgz
    - ❌ http-proxy-1.18.0.tgz (Vulnerable Library)

Found in HEAD commit: b57b4616097174bb3a59e8a6e4147c8da37d6486

Vulnerability Details

Versions of http-proxy prior to 1.18.1 are vulnerable to Denial of Service. An HTTP request with a long body triggers an ERR_HTTP_HEADERS_SENT unhandled exception that crashes the proxy server. This is only possible when the proxy server sets headers in the proxy request using the proxyReq.setHeader function.

Publish Date: 2020-05-14

URL: WS-2020-0091

CVSS 3 Score Details (7.5)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/1486

Release Date: 2020-05-26

Fix Resolution: http-proxy - 1.18.1

Step up your Open Source Security Game with WhiteSource here

CVE-2020-7660 (High) detected in serialize-javascript-2.1.2.tgz

CVE-2020-7660 - High Severity Vulnerability

Vulnerable Library - serialize-javascript-2.1.2.tgz

Serialize JavaScript to a superset of JSON that includes regular expressions and functions.

Library home page: https://registry.npmjs.org/serialize-javascript/-/serialize-javascript-2.1.2.tgz

Path to dependency file: bern/src/courier/package.json

Path to vulnerable library: bern/src/courier/node_modules/serialize-javascript/package.json

Dependency Hierarchy:

build-angular-0.901.0.tgz (Root Library)
- copy-webpack-plugin-5.1.1.tgz
  - ❌ serialize-javascript-2.1.2.tgz (Vulnerable Library)

Found in HEAD commit: b57b4616097174bb3a59e8a6e4147c8da37d6486

Found in base branch: master

Vulnerability Details

serialize-javascript prior to 3.1.0 allows remote attackers to inject arbitrary code via the function "deleteFunctions" within "index.js".

Publish Date: 2020-06-01

URL: CVE-2020-7660

CVSS 3 Score Details (8.1)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7660

Release Date: 2020-06-01

Fix Resolution: serialize-javascript - 3.1.0

Step up your Open Source Security Game with WhiteSource here

CVE-2020-11023 (Medium) detected in jquery-1.7.1.min.js

CVE-2020-11023 - Medium Severity Vulnerability

Vulnerable Library - jquery-1.7.1.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.7.1/jquery.min.js

Path to dependency file: bern/src/courier/node_modules/sockjs/examples/express/index.html

Dependency Hierarchy:

❌ jquery-1.7.1.min.js (Vulnerable Library)

Found in HEAD commit: 5ecc6f8d35e05869cef43296ce02ba71458dc441

Found in base branch: master

Vulnerability Details

In jQuery versions greater than or equal to 1.0.3 and before 3.5.0, passing HTML containing elements from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.

Publish Date: 2020-04-29

URL: CVE-2020-11023

CVSS 3 Score Details (6.1)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Changed
Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11023

Release Date: 2020-04-29

Fix Resolution: jquery - 3.5.0

Step up your Open Source Security Game with WhiteSource here

WS-2020-0127 (Low) detected in npm-registry-fetch-8.0.0.tgz

WS-2020-0127 - Low Severity Vulnerability

Vulnerable Library - npm-registry-fetch-8.0.0.tgz

Fetch-based http client for use with npm registry APIs

Library home page: https://registry.npmjs.org/npm-registry-fetch/-/npm-registry-fetch-8.0.0.tgz

Path to dependency file: /tmp/ws-scm/bern/src/courier/package.json

Path to vulnerable library: /tmp/ws-scm/bern/src/courier/node_modules/npm-registry-fetch/package.json

Dependency Hierarchy:

cli-9.1.0.tgz (Root Library)
- pacote-11.1.4.tgz
  - ❌ npm-registry-fetch-8.0.0.tgz (Vulnerable Library)

Found in HEAD commit: b57b4616097174bb3a59e8a6e4147c8da37d6486

Vulnerability Details

npm-registry-fetch before 4.0.5 and 8.1.1 is vulnerable to an information exposure vulnerability through log files.

Publish Date: 2020-07-07

URL: WS-2020-0127

CVSS 3 Score Details (3.4)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: N/A
- Attack Complexity: N/A
- Privileges Required: N/A
- User Interaction: N/A
- Scope: N/A
Impact Metrics:
- Confidentiality Impact: N/A
- Integrity Impact: N/A
- Availability Impact: N/A

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/1544

Release Date: 2020-07-14

Fix Resolution: npm-registry-fetch - 4.0.5,8.1.1

Step up your Open Source Security Game with WhiteSource here

CVE-2020-7720 (High) detected in node-forge-0.9.0.tgz

CVE-2020-7720 - High Severity Vulnerability

Vulnerable Library - node-forge-0.9.0.tgz

JavaScript implementations of network transports, cryptography, ciphers, PKI, message digests, and various utilities.

Library home page: https://registry.npmjs.org/node-forge/-/node-forge-0.9.0.tgz

Path to dependency file: bern/src/courier/package.json

Path to vulnerable library: bern/src/courier/node_modules/node-forge/package.json

Dependency Hierarchy:

build-angular-0.901.0.tgz (Root Library)
- webpack-dev-server-3.10.3.tgz
  - selfsigned-1.10.7.tgz
    - ❌ node-forge-0.9.0.tgz (Vulnerable Library)

Found in HEAD commit: 5ecc6f8d35e05869cef43296ce02ba71458dc441

Found in base branch: master

Vulnerability Details

The package node-forge before 0.10.0 is vulnerable to Prototype Pollution via the util.setPath function. Note: Version 0.10.0 is a breaking change removing the vulnerable functions.

Publish Date: 2020-09-01

URL: CVE-2020-7720

CVSS 3 Score Details (7.3)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://github.com/digitalbazaar/forge/blob/master/CHANGELOG.md

Release Date: 2020-09-13

Fix Resolution: node-forge - 0.10.0

Step up your Open Source Security Game with WhiteSource here

CVE-2020-7656 (Medium) detected in jquery-1.7.1.min.js

CVE-2020-7656 - Medium Severity Vulnerability

Vulnerable Library - jquery-1.7.1.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.7.1/jquery.min.js

Path to dependency file: bern/src/courier/node_modules/sockjs/examples/express/index.html

Dependency Hierarchy:

❌ jquery-1.7.1.min.js (Vulnerable Library)

Found in HEAD commit: b57b4616097174bb3a59e8a6e4147c8da37d6486

Found in base branch: master

Vulnerability Details

jquery prior to 1.9.0 allows Cross-site Scripting attacks via the load method. The load method fails to recognize and remove "<script>" HTML tags that contain a whitespace character, i.e: "</script >", which results in the enclosed script logic to be executed.

Publish Date: 2020-05-19

URL: CVE-2020-7656

CVSS 3 Score Details (6.1)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Changed
Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: rails/jquery-rails@8f601cb

Release Date: 2020-05-19

Fix Resolution: jquery-rails - 2.2.0

Step up your Open Source Security Game with WhiteSource here

CVE-2020-15366 (Medium) detected in ajv-6.12.0.tgz

CVE-2020-15366 - Medium Severity Vulnerability

Vulnerable Library - ajv-6.12.0.tgz

Another JSON Schema Validator

Library home page: https://registry.npmjs.org/ajv/-/ajv-6.12.0.tgz

Path to dependency file: bern/src/courier/package.json

Path to vulnerable library: bern/src/mock-api/node_modules/ajv/package.json,bern/src/mock-api/node_modules/ajv/package.json

Dependency Hierarchy:

build-angular-0.901.0.tgz (Root Library)
- ❌ ajv-6.12.0.tgz (Vulnerable Library)

Found in HEAD commit: b57b4616097174bb3a59e8a6e4147c8da37d6486

Found in base branch: master

Vulnerability Details

An issue was discovered in ajv.validate() in Ajv (aka Another JSON Schema Validator) 6.12.2. A carefully crafted JSON schema could be provided that allows execution of other code by prototype pollution. (While untrusted schemas are recommended against, the worst case of an untrusted schema should be a denial of service, not execution of code.)

Publish Date: 2020-07-15

URL: CVE-2020-15366

CVSS 3 Score Details (5.6)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://github.com/ajv-validator/ajv/releases/tag/v6.12.3

Release Date: 2020-07-15

Fix Resolution: ajv - 6.12.3

Step up your Open Source Security Game with WhiteSource here

CVE-2020-8116 (High) detected in dot-prop-3.0.0.tgz

CVE-2020-8116 - High Severity Vulnerability

Vulnerable Library - dot-prop-3.0.0.tgz

Get, set, or delete a property from a nested object using a dot path

Library home page: https://registry.npmjs.org/dot-prop/-/dot-prop-3.0.0.tgz

Path to dependency file: bern/src/courier/package.json

Path to vulnerable library: bern/src/courier/node_modules/compare-func/node_modules/dot-prop/package.json

Dependency Hierarchy:

cordova-android-8.1.0.tgz (Root Library)
- compare-func-1.3.2.tgz
  - ❌ dot-prop-3.0.0.tgz (Vulnerable Library)

Found in HEAD commit: cab6fc7d649af2428172a624fa1b626e4b4d61a9

Found in base branch: master

Vulnerability Details

Prototype pollution vulnerability in dot-prop npm package versions before 4.2.1 and versions 5.x before 5.1.1 allows an attacker to add arbitrary properties to JavaScript language constructs such as objects.

Publish Date: 2020-02-04

URL: CVE-2020-8116

CVSS 3 Score Details (7.3)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8116

Release Date: 2020-02-04

Fix Resolution: dot-prop - 5.1.1

Step up your Open Source Security Game with WhiteSource here

CVE-2020-13822 (High) detected in elliptic-6.5.2.tgz

CVE-2020-13822 - High Severity Vulnerability

Vulnerable Library - elliptic-6.5.2.tgz

EC cryptography

Library home page: https://registry.npmjs.org/elliptic/-/elliptic-6.5.2.tgz

Path to dependency file: bern/src/courier/package.json

Path to vulnerable library: bern/src/courier/node_modules/elliptic/package.json

Dependency Hierarchy:

build-angular-0.901.0.tgz (Root Library)
- webpack-4.42.0.tgz
  - node-libs-browser-2.2.1.tgz
    - crypto-browserify-3.12.0.tgz
      - browserify-sign-4.0.4.tgz
        
        ❌ elliptic-6.5.2.tgz (Vulnerable Library)

Found in HEAD commit: b57b4616097174bb3a59e8a6e4147c8da37d6486

Found in base branch: master

Vulnerability Details

The Elliptic package 6.5.2 for Node.js allows ECDSA signature malleability via variations in encoding, leading '\0' bytes, or integer overflows. This could conceivably have a security-relevant impact if an application relied on a single canonical signature.

Publish Date: 2020-06-04

URL: CVE-2020-13822

CVSS 3 Score Details (7.7)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://github.com/indutny/elliptic/tree/v6.5.3

Release Date: 2020-06-04

Fix Resolution: v6.5.3

Step up your Open Source Security Game with WhiteSource here

WS-2019-0424 (Medium) detected in elliptic-6.5.2.tgz

WS-2019-0424 - Medium Severity Vulnerability

Vulnerable Library - elliptic-6.5.2.tgz

EC cryptography

Library home page: https://registry.npmjs.org/elliptic/-/elliptic-6.5.2.tgz

Path to dependency file: bern/src/courier/package.json

Path to vulnerable library: bern/src/courier/node_modules/elliptic/package.json

Dependency Hierarchy:

build-angular-0.901.0.tgz (Root Library)
- webpack-4.42.0.tgz
  - node-libs-browser-2.2.1.tgz
    - crypto-browserify-3.12.0.tgz
      - browserify-sign-4.0.4.tgz
        
        ❌ elliptic-6.5.2.tgz (Vulnerable Library)

Found in HEAD commit: b57b4616097174bb3a59e8a6e4147c8da37d6486

Found in base branch: master

Vulnerability Details

all versions of elliptic are vulnerable to Timing Attack through side-channels.

Publish Date: 2019-11-13

URL: WS-2019-0424

CVSS 3 Score Details (5.9)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Adjacent
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: High
- Availability Impact: None

For more information on CVSS3 Scores, click here.

Step up your Open Source Security Game with WhiteSource here

CVE-2020-7720 (High) detected in node-forge-0.9.0.tgz

CVE-2020-7720 - High Severity Vulnerability

Vulnerable Library - node-forge-0.9.0.tgz

JavaScript implementations of network transports, cryptography, ciphers, PKI, message digests, and various utilities.

Library home page: https://registry.npmjs.org/node-forge/-/node-forge-0.9.0.tgz

Path to dependency file: bern/src/courier/package.json

Path to vulnerable library: bern/src/courier/node_modules/node-forge/package.json

Dependency Hierarchy:

build-angular-0.901.0.tgz (Root Library)
- webpack-dev-server-3.10.3.tgz
  - selfsigned-1.10.7.tgz
    - ❌ node-forge-0.9.0.tgz (Vulnerable Library)

Found in HEAD commit: 0ac00c63e6d272ff0780d28246b933ff3b1c634d

Found in base branch: master

Vulnerability Details

The package node-forge before 0.10.0 is vulnerable to Prototype Pollution via the util.setPath function. Note: Version 0.10.0 is a breaking change removing the vulnerable functions.

Publish Date: 2020-09-01

URL: CVE-2020-7720

CVSS 3 Score Details (7.3)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://github.com/digitalbazaar/forge/blob/master/CHANGELOG.md

Release Date: 2020-09-13

Fix Resolution: node-forge - 0.10.0

Step up your Open Source Security Game with WhiteSource here

polatengin / bern Goto Github PK

bern's Introduction

👋 Hi there

💼 Job

Why do I work for Microsoft

What is my job in Microsoft

🔭 I'm currently working on

📫 How to reach me

💪 I'm good at

👎 I'm not good at

💬 Ask me about

bern's People

Contributors

Stargazers

Watchers

bern's Issues

CVE-2020-7693 - Medium Severity Vulnerability

CVE-2012-6708 - Medium Severity Vulnerability

CVE-2020-11022 - Medium Severity Vulnerability

CVE-2015-9251 - Medium Severity Vulnerability

CVE-2020-7608 - Medium Severity Vulnerability

WS-2020-0070 - High Severity Vulnerability

WS-2020-0091 - High Severity Vulnerability

CVE-2020-7660 - High Severity Vulnerability

CVE-2020-11023 - Medium Severity Vulnerability

WS-2020-0127 - Low Severity Vulnerability

CVE-2020-7720 - High Severity Vulnerability

CVE-2020-7656 - Medium Severity Vulnerability

CVE-2020-15366 - Medium Severity Vulnerability

CVE-2020-8116 - High Severity Vulnerability

CVE-2020-13822 - High Severity Vulnerability

WS-2019-0424 - Medium Severity Vulnerability

CVE-2020-7720 - High Severity Vulnerability

Recommend Projects

Recommend Topics

Recommend Org