rgordon95 / confusionang Goto Github PK

Vulnerable Library - lodash-4.17.11.tgz

Lodash modular utilities.

Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.11.tgz

Path to dependency file: /conFusionAng/package.json

Path to vulnerable library: /node_modules/lodash/package.json

Dependency Hierarchy:

• cli-1.6.8.tgz (Root Library)
  • ❌ lodash-4.17.11.tgz (Vulnerable Library)

Found in base branch: assn4

Vulnerability Details

Versions of lodash lower than 4.17.12 are vulnerable to Prototype Pollution. The function defaultsDeep could be tricked into adding or modifying properties of Object.prototype using a constructor payload.

Publish Date: 2019-07-26

URL: CVE-2019-10744

CVSS 3 Score Details (9.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-jf85-cpcp-j695

Release Date: 2019-07-26

Fix Resolution (lodash): 4.17.12

Direct dependency fix Resolution (@angular/cli): 1.7.0

Vulnerable Library - socket.io-2.0.4.tgz

node.js realtime framework server

Library home page: https://registry.npmjs.org/socket.io/-/socket.io-2.0.4.tgz

Path to dependency file: /conFusionAng/package.json

Path to vulnerable library: /node_modules/socket.io/package.json

Dependency Hierarchy:

• karma-2.0.5.tgz (Root Library)
  • ❌ socket.io-2.0.4.tgz (Vulnerable Library)

Found in base branch: assn4

Vulnerability Details

The package socket.io before 2.4.0 are vulnerable to Insecure Defaults due to CORS Misconfiguration. All domains are whitelisted by default.

Publish Date: 2021-01-19

URL: CVE-2020-28481

CVSS 3 Score Details (4.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: None
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28481

Release Date: 2021-01-19

Fix Resolution (socket.io): 2.4.0

Direct dependency fix Resolution (karma): 5.0.8

Vulnerable Libraries - node-sass-4.12.0.tgz, node-sassv4.11.0

Found in base branch: assn4

Vulnerability Details

In LibSass 3.5.5, a heap-based buffer over-read exists in Sass::Prelexer::skip_over_scopes in prelexer.hpp when called from Sass::Parser::parse_import(), a similar issue to CVE-2018-11693.

Publish Date: 2019-01-14

URL: CVE-2019-6286

CVSS 3 Score Details (5.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Local
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Release Date: 2019-07-23

Fix Resolution: Fable.Template.Elmish.React - 0.1.6;GR.PageRender.Razor - 1.8.0;MIDIator.WebClient - 1.0.105

Vulnerable Library - mixin-deep-1.3.1.tgz

Deeply mix the properties of objects into the first object. Like merge-deep, but doesn't clone.

Library home page: https://registry.npmjs.org/mixin-deep/-/mixin-deep-1.3.1.tgz

Path to dependency file: /conFusionAng/package.json

Path to vulnerable library: /node_modules/mixin-deep/package.json

Dependency Hierarchy:

• cli-1.6.8.tgz (Root Library)
  • webpack-3.10.0.tgz
    • watchpack-1.6.0.tgz
      • chokidar-2.1.5.tgz
        • braces-2.3.2.tgz
          • snapdragon-0.8.2.tgz
            • base-0.11.2.tgz
              • ❌ mixin-deep-1.3.1.tgz (Vulnerable Library)

Found in base branch: assn4

Vulnerability Details

mixin-deep is vulnerable to Prototype Pollution in versions before 1.3.2 and version 2.0.0. The function mixin-deep could be tricked into adding or modifying properties of Object.prototype using a constructor payload.

Publish Date: 2019-08-23

URL: CVE-2019-10746

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Release Date: 2019-08-23

Fix Resolution (mixin-deep): 1.3.2

Direct dependency fix Resolution (@angular/cli): 1.7.0

Vulnerable Library - handlebars-4.1.2.tgz

Handlebars provides the power necessary to let you build semantic templates effectively with no frustration

Library home page: https://registry.npmjs.org/handlebars/-/handlebars-4.1.2.tgz

Path to dependency file: /conFusionAng/package.json

Path to vulnerable library: conFusionAng/node_modules/handlebars/package.json

Dependency Hierarchy:

• karma-coverage-istanbul-reporter-1.4.3.tgz (Root Library)
  • istanbul-api-1.3.7.tgz
    • istanbul-reports-1.5.1.tgz
      • ❌ handlebars-4.1.2.tgz (Vulnerable Library)

Vulnerability Details

Arbitrary Code Execution vulnerability found in handlebars before 4.5.3. Lookup helper fails to validate templates. Attack may submit templates that execute arbitrary JavaScript in the system.It is due to an incomplete fix for a WS-2019-0331.

Publish Date: 2019-11-17

URL: WS-2019-0332

CVSS 2 Score Details (5.0)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/1324

Release Date: 2019-11-17

Fix Resolution: handlebars - 4.5.3

Vulnerable Libraries - node-sass-4.12.0.tgz, node-sassv4.11.0

Found in base branch: assn4

Vulnerability Details

In LibSass 3.5.5, a heap-based buffer over-read exists in Sass::Prelexer::alternatives in prelexer.hpp.

Publish Date: 2019-01-14

URL: CVE-2019-6284

CVSS 3 Score Details (6.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2019-6284

Release Date: 2019-01-14

Fix Resolution (node-sass): 5.0.0

Direct dependency fix Resolution (@angular/cli): 6.0.0

Vulnerable Libraries - node-sass-4.12.0.tgz, node-sassv4.11.0

Found in base branch: assn4

Vulnerability Details

LibSass 3.5.4 allows attackers to cause a denial-of-service (uncontrolled recursion in Sass::Complex_Selector::perform in ast.hpp and Sass::Inspect::operator in inspect.cpp).

Publish Date: 2019-04-23

URL: CVE-2018-20822

CVSS 3 Score Details (6.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Release Date: 2019-04-23

Fix Resolution (node-sass): 4.13.1

Direct dependency fix Resolution (@angular/cli): 1.7.0

Vulnerable Libraries - node-sass-4.12.0.tgz, node-sassv4.11.0

Found in base branch: assn4

Vulnerability Details

An issue was discovered in LibSass through 3.5.4. An out-of-bounds read of a memory region was found in the function Sass::Prelexer::exactly() which could be leveraged by an attacker to disclose information or manipulated to read from unmapped memory causing a denial of service.

Publish Date: 2018-06-04

URL: CVE-2018-11697

CVSS 3 Score Details (4.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: None
  • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Release Date: 2018-06-04

Fix Resolution (node-sass): 4.14.0

Direct dependency fix Resolution (@angular/cli): 1.7.0

Vulnerability Details

Version of braces prior to 2.3.1 are vulnerable to Regular Expression Denial of Service (ReDoS). Untrusted input may cause catastrophic backtracking while matching regular expressions. This can cause the application to be unresponsive leading to Denial of Service.

Publish Date: 2019-03-25

URL: WS-2019-0019

CVSS 2 Score Details (5.0)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/786

Release Date: 2019-02-21

Fix Resolution: 2.3.1

Vulnerable Libraries - node-sass-4.12.0.tgz, node-sassv4.11.0

Found in base branch: assn4

Vulnerability Details

In LibSass 3.5.5, a use-after-free vulnerability exists in the SharedPtr class in SharedPtr.cpp (or SharedPtr.hpp) that may cause a denial of service (application crash) or possibly have unspecified other impact.

Publish Date: 2018-12-03

URL: CVE-2018-19827

CVSS 3 Score Details (5.6)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Release Date: 2018-12-03

Fix Resolution: GR.PageRender.Razor - 1.8.0;Fable.Template.Elmish.React - 0.1.6

Vulnerable Library - tar-2.2.1.tgz

tar for node

Library home page: https://registry.npmjs.org/tar/-/tar-2.2.1.tgz

Path to dependency file: /conFusionAng/package.json

Path to vulnerable library: /tmp/git/conFusionAng/node_modules/tar/package.json

Dependency Hierarchy:

• cli-1.6.8.tgz (Root Library)
  • node-sass-4.12.0.tgz
    • node-gyp-3.8.0.tgz
      • ❌ tar-2.2.1.tgz (Vulnerable Library)

Vulnerability Details

Versions of node-tar prior to 4.4.2 are vulnerable to Arbitrary File Overwrite. Extracting tarballs containing a hardlink to a file that already exists in the system, and a file that matches the hardlink will overwrite the system's file with the contents of the extracted file.

Publish Date: 2019-04-05

URL: WS-2019-0047

CVSS 2 Score Details (5.0)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/803

Release Date: 2019-04-05

Fix Resolution: 4.4.2

Vulnerable Libraries - node-sass-4.12.0.tgz, node-sassv4.11.0

Found in base branch: assn4

Vulnerability Details

In LibSass prior to 3.5.5, functions inside ast.cpp for IMPLEMENT_AST_OPERATORS expansion allow attackers to cause a denial-of-service resulting from stack consumption via a crafted sass file, as demonstrated by recursive calls involving clone(), cloneChildren(), and copy().

Publish Date: 2018-12-04

URL: CVE-2018-19838

CVSS 3 Score Details (6.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Release Date: 2018-12-04

Fix Resolution (node-sass): 4.14.0

Direct dependency fix Resolution (@angular/cli): 1.7.0

Vulnerable Library - handlebars-4.1.2.tgz

Handlebars provides the power necessary to let you build semantic templates effectively with no frustration

Library home page: https://registry.npmjs.org/handlebars/-/handlebars-4.1.2.tgz

Path to dependency file: /conFusionAng/package.json

Path to vulnerable library: /node_modules/handlebars/package.json

Dependency Hierarchy:

• karma-coverage-istanbul-reporter-1.4.3.tgz (Root Library)
  • istanbul-api-1.3.7.tgz
    • istanbul-reports-1.5.1.tgz
      • ❌ handlebars-4.1.2.tgz (Vulnerable Library)

Found in base branch: assn4

Vulnerability Details

Versions of handlebars prior to 4.3.0 are vulnerable to Prototype Pollution leading to Remote Code Execution. Templates may alter an Object's proto and defineGetter properties, which may allow an attacker to execute arbitrary code through crafted payloads.
Mend Note: Converted from WS-2019-0368, on 2022-11-08.

Publish Date: 2019-12-20

URL: CVE-2019-19919

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-w457-6q6x-cgp9

Release Date: 2019-12-20

Fix Resolution (handlebars): 4.3.0

Direct dependency fix Resolution (karma-coverage-istanbul-reporter): 2.0.0

Vulnerable Library - serialize-javascript-1.7.0.tgz

Serialize JavaScript to a superset of JSON that includes regular expressions and functions.

Library home page: https://registry.npmjs.org/serialize-javascript/-/serialize-javascript-1.7.0.tgz

Path to dependency file: /conFusionAng/package.json

Path to vulnerable library: /node_modules/serialize-javascript/package.json

Dependency Hierarchy:

• cli-1.6.8.tgz (Root Library)
  • copy-webpack-plugin-4.6.0.tgz
    • ❌ serialize-javascript-1.7.0.tgz (Vulnerable Library)

Found in base branch: assn4

Vulnerability Details

serialize-javascript prior to 3.1.0 allows remote attackers to inject arbitrary code via the function "deleteFunctions" within "index.js".

Publish Date: 2020-06-01

URL: CVE-2020-7660

CVSS 3 Score Details (8.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7660

Release Date: 2020-06-08

Fix Resolution (serialize-javascript): 3.1.0

Direct dependency fix Resolution (@angular/cli): 6.0.0

Vulnerable Library - hoek-2.16.3.tgz

General purpose node utilities

Library home page: https://registry.npmjs.org/hoek/-/hoek-2.16.3.tgz

Path to dependency file: /conFusionAng/package.json

Path to vulnerable library: /node_modules/hoek/package.json

Dependency Hierarchy:

• cli-1.6.8.tgz (Root Library)
  • less-2.7.3.tgz
    • request-2.81.0.tgz
      • hawk-3.1.3.tgz
        • ❌ hoek-2.16.3.tgz (Vulnerable Library)

Found in base branch: assn4

Vulnerability Details

hoek node module before 4.2.0 and 5.0.x before 5.0.3 suffers from a Modification of Assumed-Immutable Data (MAID) vulnerability via 'merge' and 'applyToDefaults' functions, which allows a malicious user to modify the prototype of "Object" via proto, causing the addition or modification of an existing property that will exist on all objects.

Publish Date: 2018-03-30

URL: CVE-2018-3728

CVSS 3 Score Details (8.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16082

Release Date: 2018-03-30

Fix Resolution (hoek): 4.2.0

Direct dependency fix Resolution (@angular/cli): 6.0.0

Vulnerable Library - acorn-5.7.3.tgz

ECMAScript parser

Library home page: https://registry.npmjs.org/acorn/-/acorn-5.7.3.tgz

Path to dependency file: /conFusionAng/package.json

Path to vulnerable library: /node_modules/acorn/package.json

Dependency Hierarchy:

• cli-1.6.8.tgz (Root Library)
  • webpack-3.10.0.tgz
    • ❌ acorn-5.7.3.tgz (Vulnerable Library)

Found in base branch: assn4

Vulnerability Details

acorn is vulnerable to REGEX DoS. A regex of the form /[x-\ud800]/u causes the parser to enter an infinite loop. attackers may leverage the vulnerability leading to a Denial of Service since the string is not valid UTF16 and it results in it being sanitized before reaching the parser.

Publish Date: 2020-03-01

URL: WS-2020-0042

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-6chw-6frg-f759

Release Date: 2020-03-01

Fix Resolution (acorn): 5.7.4

Direct dependency fix Resolution (@angular/cli): 1.7.0

Vulnerable Libraries - node-sass-4.12.0.tgz, node-sassv4.11.0

Found in base branch: assn4

Vulnerability Details

An issue was discovered in LibSass through 3.5.4. A NULL pointer dereference was found in the function Sass::Functions::selector_append which could be leveraged by an attacker to cause a denial of service (application crash) or possibly have unspecified other impact.

Publish Date: 2018-06-04

URL: CVE-2018-11694

CVSS 3 Score Details (5.6)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Release Date: 2018-06-04

Fix Resolution: Fable.Template.Elmish.React - 0.1.6;GR.PageRender.Razor - 1.8.0;MIDIator.WebClient - 1.0.105

Vulnerable Library - https-proxy-agent-1.0.0.tgz

An HTTP(s) proxy `http.Agent` implementation for HTTPS

Library home page: https://registry.npmjs.org/https-proxy-agent/-/https-proxy-agent-1.0.0.tgz

Path to dependency file: /conFusionAng/package.json

Path to vulnerable library: /node_modules/saucelabs/node_modules/https-proxy-agent/package.json

Dependency Hierarchy:

• protractor-5.1.2.tgz (Root Library)
  • saucelabs-1.3.0.tgz
    • ❌ https-proxy-agent-1.0.0.tgz (Vulnerable Library)

Found in base branch: assn4

Vulnerability Details

https-proxy-agent before 2.1.1 passes auth option to the Buffer constructor without proper sanitization, resulting in DoS and uninitialized memory leak in setups where an attacker could submit typed input to the 'auth' parameter (e.g. JSON).

Publish Date: 2018-06-07

URL: CVE-2018-3739

CVSS 3 Score Details (9.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3739

Release Date: 2018-04-26

Fix Resolution (https-proxy-agent): 2.2.0

Direct dependency fix Resolution (protractor): 5.3.2

Vulnerable Library - node-sassv4.11.0

🌈 Node.js bindings to libsass

Library home page: https://github.com/sass/node-sass.git

Library Source Files (125)

* The source files were matched to this source library based on a best effort match. Source libraries are selected from a list of probable public libraries.

• /conFusionAng/node_modules/node-sass/src/libsass/src/expand.hpp
• /conFusionAng/node_modules/node-sass/src/libsass/src/color_maps.cpp
• /conFusionAng/node_modules/node-sass/src/libsass/src/sass_util.hpp
• /conFusionAng/node_modules/node-sass/src/libsass/src/utf8/unchecked.h
• /conFusionAng/node_modules/node-sass/src/libsass/src/output.hpp
• /conFusionAng/node_modules/node-sass/src/libsass/src/sass_values.hpp
• /conFusionAng/node_modules/node-sass/src/libsass/src/util.hpp
• /conFusionAng/node_modules/node-sass/src/libsass/src/emitter.hpp
• /conFusionAng/node_modules/node-sass/src/libsass/src/lexer.cpp
• /conFusionAng/node_modules/node-sass/src/libsass/test/test_node.cpp
• /conFusionAng/node_modules/node-sass/src/libsass/src/plugins.cpp
• /conFusionAng/node_modules/node-sass/src/libsass/include/sass/base.h
• /conFusionAng/node_modules/node-sass/src/libsass/src/position.hpp
• /conFusionAng/node_modules/node-sass/src/libsass/src/subset_map.hpp
• /conFusionAng/node_modules/node-sass/src/libsass/src/operation.hpp
• /conFusionAng/node_modules/node-sass/src/libsass/src/remove_placeholders.cpp
• /conFusionAng/node_modules/node-sass/src/libsass/src/error_handling.hpp
• /conFusionAng/node_modules/node-sass/src/custom_importer_bridge.cpp
• /conFusionAng/node_modules/node-sass/src/libsass/contrib/plugin.cpp
• /conFusionAng/node_modules/node-sass/src/libsass/src/functions.hpp
• /conFusionAng/node_modules/node-sass/src/libsass/test/test_superselector.cpp
• /conFusionAng/node_modules/node-sass/src/libsass/src/eval.hpp
• /conFusionAng/node_modules/node-sass/src/libsass/src/utf8_string.hpp
• /conFusionAng/node_modules/node-sass/src/sass_context_wrapper.h
• /conFusionAng/node_modules/node-sass/src/libsass/src/error_handling.cpp
• /conFusionAng/node_modules/node-sass/src/libsass/src/node.cpp
• /conFusionAng/node_modules/node-sass/src/libsass/src/parser.cpp
• /conFusionAng/node_modules/node-sass/src/libsass/src/subset_map.cpp
• /conFusionAng/node_modules/node-sass/src/libsass/src/emitter.cpp
• /conFusionAng/node_modules/node-sass/src/libsass/src/listize.cpp
• /conFusionAng/node_modules/node-sass/src/libsass/src/ast.hpp
• /conFusionAng/node_modules/node-sass/src/libsass/src/sass_functions.hpp
• /conFusionAng/node_modules/node-sass/src/libsass/src/memory/SharedPtr.cpp
• /conFusionAng/node_modules/node-sass/src/libsass/src/output.cpp
• /conFusionAng/node_modules/node-sass/src/libsass/src/check_nesting.cpp
• /conFusionAng/node_modules/node-sass/src/libsass/src/ast_def_macros.hpp
• /conFusionAng/node_modules/node-sass/src/libsass/src/functions.cpp
• /conFusionAng/node_modules/node-sass/src/libsass/src/cssize.hpp
• /conFusionAng/node_modules/node-sass/src/libsass/src/prelexer.cpp
• /conFusionAng/node_modules/node-sass/src/libsass/src/paths.hpp
• /conFusionAng/node_modules/node-sass/src/libsass/src/ast_fwd_decl.hpp
• /conFusionAng/node_modules/node-sass/src/libsass/src/inspect.hpp
• /conFusionAng/node_modules/node-sass/src/sass_types/color.cpp
• /conFusionAng/node_modules/node-sass/src/libsass/test/test_unification.cpp
• /conFusionAng/node_modules/node-sass/src/libsass/src/values.cpp
• /conFusionAng/node_modules/node-sass/src/libsass/src/sass_util.cpp
• /conFusionAng/node_modules/node-sass/src/libsass/src/source_map.hpp
• /conFusionAng/node_modules/node-sass/src/sass_types/list.h
• /conFusionAng/node_modules/node-sass/src/libsass/src/check_nesting.hpp
• /conFusionAng/node_modules/node-sass/src/libsass/src/json.cpp
• /conFusionAng/node_modules/node-sass/src/libsass/src/units.cpp
• /conFusionAng/node_modules/node-sass/src/libsass/src/units.hpp
• /conFusionAng/node_modules/node-sass/src/libsass/src/context.cpp
• /conFusionAng/node_modules/node-sass/src/libsass/src/utf8/checked.h
• /conFusionAng/node_modules/node-sass/src/libsass/src/listize.hpp
• /conFusionAng/node_modules/node-sass/src/sass_types/string.cpp
• /conFusionAng/node_modules/node-sass/src/libsass/src/prelexer.hpp
• /conFusionAng/node_modules/node-sass/src/libsass/src/context.hpp
• /conFusionAng/node_modules/node-sass/src/sass_types/boolean.h
• /conFusionAng/node_modules/node-sass/src/libsass/include/sass2scss.h
• /conFusionAng/node_modules/node-sass/src/libsass/src/eval.cpp
• /conFusionAng/node_modules/node-sass/src/libsass/src/expand.cpp
• /conFusionAng/node_modules/node-sass/src/sass_types/factory.cpp
• /conFusionAng/node_modules/node-sass/src/libsass/src/operators.cpp
• /conFusionAng/node_modules/node-sass/src/sass_types/boolean.cpp
• /conFusionAng/node_modules/node-sass/src/libsass/src/source_map.cpp
• /conFusionAng/node_modules/node-sass/src/sass_types/value.h
• /conFusionAng/node_modules/node-sass/src/libsass/src/utf8_string.cpp
• /conFusionAng/node_modules/node-sass/src/callback_bridge.h
• /conFusionAng/node_modules/node-sass/src/libsass/src/file.cpp
• /conFusionAng/node_modules/node-sass/src/libsass/src/sass.cpp
• /conFusionAng/node_modules/node-sass/src/libsass/src/node.hpp
• /conFusionAng/node_modules/node-sass/src/libsass/src/environment.cpp
• /conFusionAng/node_modules/node-sass/src/libsass/src/extend.hpp
• /conFusionAng/node_modules/node-sass/src/libsass/src/sass_context.hpp
• /conFusionAng/node_modules/node-sass/src/libsass/src/operators.hpp
• /conFusionAng/node_modules/node-sass/src/libsass/src/constants.hpp
• /conFusionAng/node_modules/node-sass/src/libsass/src/sass.hpp
• /conFusionAng/node_modules/node-sass/src/libsass/src/ast_fwd_decl.cpp
• /conFusionAng/node_modules/node-sass/src/libsass/src/parser.hpp
• /conFusionAng/node_modules/node-sass/src/libsass/src/constants.cpp
• /conFusionAng/node_modules/node-sass/src/sass_types/list.cpp
• /conFusionAng/node_modules/node-sass/src/libsass/src/cssize.cpp
• /conFusionAng/node_modules/node-sass/src/libsass/include/sass/functions.h
• /conFusionAng/node_modules/node-sass/src/libsass/src/util.cpp
• /conFusionAng/node_modules/node-sass/src/custom_function_bridge.cpp
• /conFusionAng/node_modules/node-sass/src/custom_importer_bridge.h
• /conFusionAng/node_modules/node-sass/src/libsass/src/bind.cpp
• /conFusionAng/node_modules/node-sass/src/libsass/src/inspect.cpp
• /conFusionAng/node_modules/node-sass/src/libsass/src/sass_functions.cpp
• /conFusionAng/node_modules/node-sass/src/libsass/src/backtrace.cpp
• /conFusionAng/node_modules/node-sass/src/libsass/src/extend.cpp
• /conFusionAng/node_modules/node-sass/src/sass_types/sass_value_wrapper.h
• /conFusionAng/node_modules/node-sass/src/libsass/src/debugger.hpp
• /conFusionAng/node_modules/node-sass/src/libsass/src/cencode.c
• /conFusionAng/node_modules/node-sass/src/libsass/src/base64vlq.cpp
• /conFusionAng/node_modules/node-sass/src/sass_types/number.cpp
• /conFusionAng/node_modules/node-sass/src/sass_types/color.h
• /conFusionAng/node_modules/node-sass/src/libsass/src/c99func.c
• /conFusionAng/node_modules/node-sass/src/libsass/src/position.cpp
• /conFusionAng/node_modules/node-sass/src/libsass/src/remove_placeholders.hpp
• /conFusionAng/node_modules/node-sass/src/libsass/src/sass_values.cpp
• /conFusionAng/node_modules/node-sass/src/libsass/include/sass/values.h
• /conFusionAng/node_modules/node-sass/src/libsass/test/test_subset_map.cpp
• /conFusionAng/node_modules/node-sass/src/libsass/src/sass2scss.cpp
• /conFusionAng/node_modules/node-sass/src/sass_types/null.cpp
• /conFusionAng/node_modules/node-sass/src/libsass/src/ast.cpp
• /conFusionAng/node_modules/node-sass/src/libsass/include/sass/context.h
• /conFusionAng/node_modules/node-sass/src/libsass/src/to_c.cpp
• /conFusionAng/node_modules/node-sass/src/libsass/src/to_value.hpp
• /conFusionAng/node_modules/node-sass/src/libsass/src/color_maps.hpp
• /conFusionAng/node_modules/node-sass/src/sass_context_wrapper.cpp
• /conFusionAng/node_modules/node-sass/src/libsass/script/test-leaks.pl
• /conFusionAng/node_modules/node-sass/src/libsass/src/lexer.hpp
• /conFusionAng/node_modules/node-sass/src/libsass/src/memory/SharedPtr.hpp
• /conFusionAng/node_modules/node-sass/src/libsass/src/to_c.hpp
• /conFusionAng/node_modules/node-sass/src/sass_types/map.cpp
• /conFusionAng/node_modules/node-sass/src/libsass/src/to_value.cpp
• /conFusionAng/node_modules/node-sass/src/libsass/src/b64/encode.h
• /conFusionAng/node_modules/node-sass/src/libsass/src/file.hpp
• /conFusionAng/node_modules/node-sass/src/libsass/src/environment.hpp
• /conFusionAng/node_modules/node-sass/src/libsass/src/plugins.hpp
• /conFusionAng/node_modules/node-sass/src/binding.cpp
• /conFusionAng/node_modules/node-sass/src/libsass/src/sass_context.cpp
• /conFusionAng/node_modules/node-sass/src/libsass/src/debug.hpp

Vulnerability Details

An issue was discovered in LibSass through 3.5.4. An out-of-bounds read of a memory region was found in the function Sass::Prelexer::skip_over_scopes which could be leveraged by an attacker to disclose information or manipulated to read from unmapped memory causing a denial of service.

Publish Date: 2018-06-04

URL: CVE-2018-11693

CVSS 3 Score Details (8.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: None
  • Availability Impact: High

Vulnerable Libraries - node-sass-4.12.0.tgz, node-sassv4.11.0

Found in base branch: assn4

Vulnerability Details

In LibSass prior to 3.5.5, the function handle_error in sass_context.cpp allows attackers to cause a denial-of-service resulting from a heap-based buffer over-read via a crafted sass file.

Publish Date: 2018-12-04

URL: CVE-2018-19839

CVSS 3 Score Details (3.7)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Release Date: 2018-12-04

Fix Resolution: Fable.Template.Elmish.React - 0.1.6;GR.PageRender.Razor - 1.8.0;MIDIator.WebClient - 1.0.105

Vulnerable Libraries - node-sass-4.12.0.tgz, node-sassv4.11.0

Found in base branch: assn4

Vulnerability Details

In LibSass 3.5.5, a NULL Pointer Dereference in the function Sass::Selector_List::populate_extends in SharedPtr.hpp (used by ast.cpp and ast_selectors.cpp) may cause a Denial of Service (application crash) via a crafted sass input file.

Publish Date: 2018-12-03

URL: CVE-2018-19797

CVSS 3 Score Details (3.7)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Release Date: 2018-12-03

Fix Resolution: Fable.Template.Elmish.React - 0.1.6;GR.PageRender.Razor - 1.8.0;MIDIator.WebClient - 1.0.105

Vulnerable Library - sockjs-0.3.19.tgz

SockJS-node is a server counterpart of SockJS-client a JavaScript library that provides a WebSocket-like object in the browser. SockJS gives you a coherent, cross-browser, Javascript API which creates a low latency, full duplex, cross-domain communication

Library home page: https://registry.npmjs.org/sockjs/-/sockjs-0.3.19.tgz

Path to dependency file: /conFusionAng/package.json

Path to vulnerable library: /node_modules/sockjs/package.json

Dependency Hierarchy:

• cli-1.6.8.tgz (Root Library)
  • webpack-dev-server-2.11.5.tgz
    • ❌ sockjs-0.3.19.tgz (Vulnerable Library)

Found in base branch: assn4

Vulnerability Details

Incorrect handling of Upgrade header with the value websocket leads in crashing of containers hosting sockjs apps. This affects the package sockjs before 0.3.20.

Publish Date: 2020-07-09

URL: CVE-2020-7693

CVSS 3 Score Details (5.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Release Date: 2020-07-14

Fix Resolution (sockjs): 0.3.20

Direct dependency fix Resolution (@angular/cli): 6.0.0

Vulnerable Libraries - set-value-0.4.3.tgz, set-value-2.0.0.tgz

Found in base branch: assn4

Vulnerability Details

set-value is vulnerable to Prototype Pollution in versions lower than 3.0.1. The function mixin-deep could be tricked into adding or modifying properties of Object.prototype using any of the constructor, prototype and proto payloads.

Publish Date: 2019-08-23

URL: CVE-2019-10747

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Release Date: 2019-08-23

Fix Resolution (set-value): 2.0.1

Direct dependency fix Resolution (@angular/cli): 1.7.0

Fix Resolution (set-value): 2.0.1

Direct dependency fix Resolution (@angular/cli): 1.7.0

Vulnerable Library - node-sassv4.11.0

🌈 Node.js bindings to libsass

Library home page: https://github.com/sass/node-sass.git

Library Source Files (125)

* The source files were matched to this source library based on a best effort match. Source libraries are selected from a list of probable public libraries.

• /conFusionAng/node_modules/node-sass/src/libsass/src/expand.hpp
• /conFusionAng/node_modules/node-sass/src/libsass/src/color_maps.cpp
• /conFusionAng/node_modules/node-sass/src/libsass/src/sass_util.hpp
• /conFusionAng/node_modules/node-sass/src/libsass/src/utf8/unchecked.h
• /conFusionAng/node_modules/node-sass/src/libsass/src/output.hpp
• /conFusionAng/node_modules/node-sass/src/libsass/src/sass_values.hpp
• /conFusionAng/node_modules/node-sass/src/libsass/src/util.hpp
• /conFusionAng/node_modules/node-sass/src/libsass/src/emitter.hpp
• /conFusionAng/node_modules/node-sass/src/libsass/src/lexer.cpp
• /conFusionAng/node_modules/node-sass/src/libsass/test/test_node.cpp
• /conFusionAng/node_modules/node-sass/src/libsass/src/plugins.cpp
• /conFusionAng/node_modules/node-sass/src/libsass/include/sass/base.h
• /conFusionAng/node_modules/node-sass/src/libsass/src/position.hpp
• /conFusionAng/node_modules/node-sass/src/libsass/src/subset_map.hpp
• /conFusionAng/node_modules/node-sass/src/libsass/src/operation.hpp
• /conFusionAng/node_modules/node-sass/src/libsass/src/remove_placeholders.cpp
• /conFusionAng/node_modules/node-sass/src/libsass/src/error_handling.hpp
• /conFusionAng/node_modules/node-sass/src/custom_importer_bridge.cpp
• /conFusionAng/node_modules/node-sass/src/libsass/contrib/plugin.cpp
• /conFusionAng/node_modules/node-sass/src/libsass/src/functions.hpp
• /conFusionAng/node_modules/node-sass/src/libsass/test/test_superselector.cpp
• /conFusionAng/node_modules/node-sass/src/libsass/src/eval.hpp
• /conFusionAng/node_modules/node-sass/src/libsass/src/utf8_string.hpp
• /conFusionAng/node_modules/node-sass/src/sass_context_wrapper.h
• /conFusionAng/node_modules/node-sass/src/libsass/src/error_handling.cpp
• /conFusionAng/node_modules/node-sass/src/libsass/src/node.cpp
• /conFusionAng/node_modules/node-sass/src/libsass/src/parser.cpp
• /conFusionAng/node_modules/node-sass/src/libsass/src/subset_map.cpp
• /conFusionAng/node_modules/node-sass/src/libsass/src/emitter.cpp
• /conFusionAng/node_modules/node-sass/src/libsass/src/listize.cpp
• /conFusionAng/node_modules/node-sass/src/libsass/src/ast.hpp
• /conFusionAng/node_modules/node-sass/src/libsass/src/sass_functions.hpp
• /conFusionAng/node_modules/node-sass/src/libsass/src/memory/SharedPtr.cpp
• /conFusionAng/node_modules/node-sass/src/libsass/src/output.cpp
• /conFusionAng/node_modules/node-sass/src/libsass/src/check_nesting.cpp
• /conFusionAng/node_modules/node-sass/src/libsass/src/ast_def_macros.hpp
• /conFusionAng/node_modules/node-sass/src/libsass/src/functions.cpp
• /conFusionAng/node_modules/node-sass/src/libsass/src/cssize.hpp
• /conFusionAng/node_modules/node-sass/src/libsass/src/prelexer.cpp
• /conFusionAng/node_modules/node-sass/src/libsass/src/paths.hpp
• /conFusionAng/node_modules/node-sass/src/libsass/src/ast_fwd_decl.hpp
• /conFusionAng/node_modules/node-sass/src/libsass/src/inspect.hpp
• /conFusionAng/node_modules/node-sass/src/sass_types/color.cpp
• /conFusionAng/node_modules/node-sass/src/libsass/test/test_unification.cpp
• /conFusionAng/node_modules/node-sass/src/libsass/src/values.cpp
• /conFusionAng/node_modules/node-sass/src/libsass/src/sass_util.cpp
• /conFusionAng/node_modules/node-sass/src/libsass/src/source_map.hpp
• /conFusionAng/node_modules/node-sass/src/sass_types/list.h
• /conFusionAng/node_modules/node-sass/src/libsass/src/check_nesting.hpp
• /conFusionAng/node_modules/node-sass/src/libsass/src/json.cpp
• /conFusionAng/node_modules/node-sass/src/libsass/src/units.cpp
• /conFusionAng/node_modules/node-sass/src/libsass/src/units.hpp
• /conFusionAng/node_modules/node-sass/src/libsass/src/context.cpp
• /conFusionAng/node_modules/node-sass/src/libsass/src/utf8/checked.h
• /conFusionAng/node_modules/node-sass/src/libsass/src/listize.hpp
• /conFusionAng/node_modules/node-sass/src/sass_types/string.cpp
• /conFusionAng/node_modules/node-sass/src/libsass/src/prelexer.hpp
• /conFusionAng/node_modules/node-sass/src/libsass/src/context.hpp
• /conFusionAng/node_modules/node-sass/src/sass_types/boolean.h
• /conFusionAng/node_modules/node-sass/src/libsass/include/sass2scss.h
• /conFusionAng/node_modules/node-sass/src/libsass/src/eval.cpp
• /conFusionAng/node_modules/node-sass/src/libsass/src/expand.cpp
• /conFusionAng/node_modules/node-sass/src/sass_types/factory.cpp
• /conFusionAng/node_modules/node-sass/src/libsass/src/operators.cpp
• /conFusionAng/node_modules/node-sass/src/sass_types/boolean.cpp
• /conFusionAng/node_modules/node-sass/src/libsass/src/source_map.cpp
• /conFusionAng/node_modules/node-sass/src/sass_types/value.h
• /conFusionAng/node_modules/node-sass/src/libsass/src/utf8_string.cpp
• /conFusionAng/node_modules/node-sass/src/callback_bridge.h
• /conFusionAng/node_modules/node-sass/src/libsass/src/file.cpp
• /conFusionAng/node_modules/node-sass/src/libsass/src/sass.cpp
• /conFusionAng/node_modules/node-sass/src/libsass/src/node.hpp
• /conFusionAng/node_modules/node-sass/src/libsass/src/environment.cpp
• /conFusionAng/node_modules/node-sass/src/libsass/src/extend.hpp
• /conFusionAng/node_modules/node-sass/src/libsass/src/sass_context.hpp
• /conFusionAng/node_modules/node-sass/src/libsass/src/operators.hpp
• /conFusionAng/node_modules/node-sass/src/libsass/src/constants.hpp
• /conFusionAng/node_modules/node-sass/src/libsass/src/sass.hpp
• /conFusionAng/node_modules/node-sass/src/libsass/src/ast_fwd_decl.cpp
• /conFusionAng/node_modules/node-sass/src/libsass/src/parser.hpp
• /conFusionAng/node_modules/node-sass/src/libsass/src/constants.cpp
• /conFusionAng/node_modules/node-sass/src/sass_types/list.cpp
• /conFusionAng/node_modules/node-sass/src/libsass/src/cssize.cpp
• /conFusionAng/node_modules/node-sass/src/libsass/include/sass/functions.h
• /conFusionAng/node_modules/node-sass/src/libsass/src/util.cpp
• /conFusionAng/node_modules/node-sass/src/custom_function_bridge.cpp
• /conFusionAng/node_modules/node-sass/src/custom_importer_bridge.h
• /conFusionAng/node_modules/node-sass/src/libsass/src/bind.cpp
• /conFusionAng/node_modules/node-sass/src/libsass/src/inspect.cpp
• /conFusionAng/node_modules/node-sass/src/libsass/src/sass_functions.cpp
• /conFusionAng/node_modules/node-sass/src/libsass/src/backtrace.cpp
• /conFusionAng/node_modules/node-sass/src/libsass/src/extend.cpp
• /conFusionAng/node_modules/node-sass/src/sass_types/sass_value_wrapper.h
• /conFusionAng/node_modules/node-sass/src/libsass/src/debugger.hpp
• /conFusionAng/node_modules/node-sass/src/libsass/src/cencode.c
• /conFusionAng/node_modules/node-sass/src/libsass/src/base64vlq.cpp
• /conFusionAng/node_modules/node-sass/src/sass_types/number.cpp
• /conFusionAng/node_modules/node-sass/src/sass_types/color.h
• /conFusionAng/node_modules/node-sass/src/libsass/src/c99func.c
• /conFusionAng/node_modules/node-sass/src/libsass/src/position.cpp
• /conFusionAng/node_modules/node-sass/src/libsass/src/remove_placeholders.hpp
• /conFusionAng/node_modules/node-sass/src/libsass/src/sass_values.cpp
• /conFusionAng/node_modules/node-sass/src/libsass/include/sass/values.h
• /conFusionAng/node_modules/node-sass/src/libsass/test/test_subset_map.cpp
• /conFusionAng/node_modules/node-sass/src/libsass/src/sass2scss.cpp
• /conFusionAng/node_modules/node-sass/src/sass_types/null.cpp
• /conFusionAng/node_modules/node-sass/src/libsass/src/ast.cpp
• /conFusionAng/node_modules/node-sass/src/libsass/include/sass/context.h
• /conFusionAng/node_modules/node-sass/src/libsass/src/to_c.cpp
• /conFusionAng/node_modules/node-sass/src/libsass/src/to_value.hpp
• /conFusionAng/node_modules/node-sass/src/libsass/src/color_maps.hpp
• /conFusionAng/node_modules/node-sass/src/sass_context_wrapper.cpp
• /conFusionAng/node_modules/node-sass/src/libsass/script/test-leaks.pl
• /conFusionAng/node_modules/node-sass/src/libsass/src/lexer.hpp
• /conFusionAng/node_modules/node-sass/src/libsass/src/memory/SharedPtr.hpp
• /conFusionAng/node_modules/node-sass/src/libsass/src/to_c.hpp
• /conFusionAng/node_modules/node-sass/src/sass_types/map.cpp
• /conFusionAng/node_modules/node-sass/src/libsass/src/to_value.cpp
• /conFusionAng/node_modules/node-sass/src/libsass/src/b64/encode.h
• /conFusionAng/node_modules/node-sass/src/libsass/src/file.hpp
• /conFusionAng/node_modules/node-sass/src/libsass/src/environment.hpp
• /conFusionAng/node_modules/node-sass/src/libsass/src/plugins.hpp
• /conFusionAng/node_modules/node-sass/src/binding.cpp
• /conFusionAng/node_modules/node-sass/src/libsass/src/sass_context.cpp
• /conFusionAng/node_modules/node-sass/src/libsass/src/debug.hpp

Vulnerability Details

An issue was discovered in LibSass through 3.5.2. A NULL pointer dereference was found in the function Sass::Expand::operator which could be leveraged by an attacker to cause a denial of service (application crash) or possibly have unspecified other impact.

Publish Date: 2018-06-04

URL: CVE-2018-11695

CVSS 3 Score Details (8.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Vulnerable Library - https-proxy-agent-1.0.0.tgz

An HTTP(s) proxy `http.Agent` implementation for HTTPS

Library home page: https://registry.npmjs.org/https-proxy-agent/-/https-proxy-agent-1.0.0.tgz

Path to dependency file: /conFusionAng/package.json

Path to vulnerable library: conFusionAng/node_modules/saucelabs/node_modules/https-proxy-agent/package.json

Dependency Hierarchy:

• protractor-5.1.2.tgz (Root Library)
  • saucelabs-1.3.0.tgz
    • ❌ https-proxy-agent-1.0.0.tgz (Vulnerable Library)

Vulnerability Details

Versions of https-proxy-agent before 2.2.0 are vulnerable to a denial of service. This is due to unsanitized options (proxy.auth) being passed to Buffer().

Publish Date: 2018-02-28

URL: WS-2018-0072

CVSS 2 Score Details (8.0)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: https://nodesecurity.io/advisories/593

Release Date: 2018-02-28

Fix Resolution: 2.2.0

Vulnerable Library - handlebars-4.1.2.tgz

Handlebars provides the power necessary to let you build semantic templates effectively with no frustration

Library home page: https://registry.npmjs.org/handlebars/-/handlebars-4.1.2.tgz

Path to dependency file: /conFusionAng/package.json

Path to vulnerable library: conFusionAng/node_modules/handlebars/package.json

Dependency Hierarchy:

• karma-coverage-istanbul-reporter-1.4.3.tgz (Root Library)
  • istanbul-api-1.3.7.tgz
    • istanbul-reports-1.5.1.tgz
      • ❌ handlebars-4.1.2.tgz (Vulnerable Library)

Vulnerability Details

handlebars before 3.0.8 and 4.x before 4.5.2 is vulnerable to Arbitrary Code Execution. The package's lookup helper fails to properly validate templates, allowing attackers to submit templates that execute arbitrary JavaScript in the system.

Publish Date: 2019-11-14

URL: WS-2019-0493

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/1316

Release Date: 2019-11-14

Fix Resolution: handlebars - 3.0.8,4.5.2

Vulnerable Libraries - node-sass-4.12.0.tgz, node-sassv4.11.0

Found in base branch: assn4

Vulnerability Details

The parsing component in LibSass through 3.5.5 allows attackers to cause a denial-of-service (uncontrolled recursion in Sass::Parser::parse_css_variable_value in parser.cpp).

Publish Date: 2019-04-23

URL: CVE-2018-20821

CVSS 3 Score Details (6.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Release Date: 2019-04-23

Fix Resolution: Fable.Template.Elmish.React - 0.1.6;GR.PageRender.Razor - 1.8.0;MIDIator.WebClient - 1.0.105

Vulnerable Libraries - node-sass-4.12.0.tgz, node-sassv4.11.0

Found in base branch: assn4

Vulnerability Details

LibSass 3.6.1 has uncontrolled recursion in Sass::Eval::operator()(Sass::Binary_Expression*) in eval.cpp.

Publish Date: 2019-11-06

URL: CVE-2019-18797

CVSS 3 Score Details (6.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2019-18797

Release Date: 2019-11-06

Fix Resolution (node-sass): 4.14.0

Direct dependency fix Resolution (@angular/cli): 1.7.0

Vulnerable Library - node-sassv4.11.0

🌈 Node.js bindings to libsass

Library home page: https://github.com/sass/node-sass.git

Found in base branch: assn4

Vulnerable Source Files (1)

/node_modules/node-sass/src/libsass/src/inspect.cpp

Vulnerability Details

** DISPUTED ** In inspect.cpp in LibSass 3.5.5, a high memory footprint caused by an endless loop (containing a Sass::Inspect::operator()(Sass::String_Quoted*) stack frame) may cause a Denial of Service via crafted sass input files with stray '&' or '/' characters. NOTE: Upstream comments indicate this issue is closed as "won't fix" and "works as intended" by design.

Publish Date: 2018-12-03

URL: CVE-2018-19826

CVSS 3 Score Details (5.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Local
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Vulnerable Library - qs-6.2.3.tgz

A querystring parser that supports nesting and arrays, with a depth limit

Library home page: https://registry.npmjs.org/qs/-/qs-6.2.3.tgz

Path to dependency file: /conFusionAng/package.json

Path to vulnerable library: /tmp/git/conFusionAng/node_modules/loggly/node_modules/qs/package.json

Dependency Hierarchy:

• karma-2.0.5.tgz (Root Library)
  • log4js-2.11.0.tgz
    • loggly-1.1.1.tgz
      • request-2.75.0.tgz
        • ❌ qs-6.2.3.tgz (Vulnerable Library)

Vulnerability Details

the web framework using ljharb's qs module older than v6.3.2, v6.2.3, v6.1.2, and v6.0.4 is vulnerable to a DoS. A malicious user can send a evil request to cause the web framework crash.

Publish Date: 2017-07-17

URL: CVE-2017-1000048

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Change files

Origin: ljharb/qs@c709f6e

Release Date: 2017-03-06

Fix Resolution: Replace or update the following files: parse.js, parse.js, utils.js

Vulnerable Library - axios-0.15.3.tgz

Promise based HTTP client for the browser and node.js

Library home page: https://registry.npmjs.org/axios/-/axios-0.15.3.tgz

Path to dependency file: /conFusionAng/package.json

Path to vulnerable library: /node_modules/axios/package.json

Dependency Hierarchy:

• karma-2.0.5.tgz (Root Library)
  • log4js-2.11.0.tgz
    • ❌ axios-0.15.3.tgz (Vulnerable Library)

Found in base branch: assn4

Vulnerability Details

Axios up to and including 0.18.0 allows attackers to cause a denial of service (application crash) by continuing to accepting content after maxContentLength is exceeded.

Publish Date: 2019-05-07

URL: CVE-2019-10742

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-42xw-2xvc-qx8m

Release Date: 2019-05-07

Fix Resolution (axios): 0.18.1

Direct dependency fix Resolution (karma): 3.0.0

Vulnerable Library - adm-zip-0.4.4.tgz

A Javascript implementation of zip for nodejs. Allows user to create or extract zip files both in memory or to/from disk

Library home page: https://registry.npmjs.org/adm-zip/-/adm-zip-0.4.4.tgz

Path to dependency file: /conFusionAng/package.json

Path to vulnerable library: /node_modules/webdriver-js-extender/node_modules/adm-zip/package.json

Dependency Hierarchy:

• protractor-5.1.2.tgz (Root Library)
  • webdriver-js-extender-1.0.0.tgz
    • selenium-webdriver-2.53.3.tgz
      • ❌ adm-zip-0.4.4.tgz (Vulnerable Library)

Found in base branch: assn4

Vulnerability Details

adm-zip npm library before 0.4.9 is vulnerable to directory traversal, allowing attackers to write to arbitrary files via a ../ (dot dot slash) in a Zip archive entry that is mishandled during extraction. This vulnerability is also known as 'Zip-Slip'.
Mend Note: Converted from WS-2019-0231, on 2021-08-17.

Publish Date: 2018-07-25

URL: CVE-2018-1002204

CVSS 3 Score Details (5.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Local
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: High
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2018-1002204

Release Date: 2018-07-25

Fix Resolution (adm-zip): 0.4.9

Direct dependency fix Resolution (protractor): 5.4.0

Vulnerable Library - handlebars-4.1.2.tgz

Handlebars provides the power necessary to let you build semantic templates effectively with no frustration

Library home page: https://registry.npmjs.org/handlebars/-/handlebars-4.1.2.tgz

Path to dependency file: /conFusionAng/package.json

Path to vulnerable library: conFusionAng/node_modules/handlebars/package.json

Dependency Hierarchy:

• karma-coverage-istanbul-reporter-1.4.3.tgz (Root Library)
  • istanbul-api-1.3.7.tgz
    • istanbul-reports-1.5.1.tgz
      • ❌ handlebars-4.1.2.tgz (Vulnerable Library)

Vulnerability Details

In "showdownjs/showdown", versions prior to v4.4.5 are vulnerable against Regular expression Denial of Service (ReDOS) once receiving specially-crafted templates.

Publish Date: 2019-10-20

URL: WS-2019-0318

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/1300

Release Date: 2019-10-20

Fix Resolution: handlebars - 4.4.5

Vulnerable Library - tunnel-agent-0.4.3.tgz

HTTP proxy tunneling agent. Formerly part of mikeal/request, now a standalone module.

Library home page: https://registry.npmjs.org/tunnel-agent/-/tunnel-agent-0.4.3.tgz

Path to dependency file: /conFusionAng/package.json

Path to vulnerable library: /node_modules/loggly/node_modules/tunnel-agent/package.json

Dependency Hierarchy:

• karma-2.0.5.tgz (Root Library)
  • log4js-2.11.0.tgz
    • loggly-1.1.1.tgz
      • request-2.75.0.tgz
        • ❌ tunnel-agent-0.4.3.tgz (Vulnerable Library)

Found in base branch: assn4

Vulnerability Details

Versions of tunnel-agent before 0.6.0 are vulnerable to memory exposure. This is exploitable if user supplied input is provided to the auth value and is a number.

Publish Date: 2017-03-05

URL: WS-2018-0076

CVSS 3 Score Details (5.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Local
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: None
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://nodesecurity.io/advisories/598

Release Date: 2017-03-05

Fix Resolution (tunnel-agent): 0.6.0

Direct dependency fix Resolution (karma): 3.0.0

Vulnerable Library - js-yaml-3.7.0.tgz

YAML 1.2 parser and serializer

Library home page: https://registry.npmjs.org/js-yaml/-/js-yaml-3.7.0.tgz

Path to dependency file: /conFusionAng/package.json

Path to vulnerable library: /node_modules/js-yaml/package.json

Dependency Hierarchy:

• tslint-5.9.1.tgz (Root Library)
  • ❌ js-yaml-3.7.0.tgz (Vulnerable Library)

Found in base branch: assn4

Vulnerability Details

Versions js-yaml prior to 3.13.0 are vulnerable to Denial of Service. By parsing a carefully-crafted YAML file, the node process stalls and may exhaust system resources leading to a Denial of Service.

Publish Date: 2019-03-20

URL: WS-2019-0032

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/788/versions

Release Date: 2019-03-20

Fix Resolution (js-yaml): 3.13.0

Direct dependency fix Resolution (tslint): 5.10.0

Vulnerable Library - ws-1.1.5.tgz

Simple to use, blazing fast and thoroughly tested websocket client and server for Node.js

Library home page: https://registry.npmjs.org/ws/-/ws-1.1.5.tgz

Path to dependency file: /conFusionAng/package.json

Path to vulnerable library: conFusionAng/node_modules/webdriver-js-extender/node_modules/ws/package.json

Dependency Hierarchy:

• protractor-5.1.2.tgz (Root Library)
  • webdriver-js-extender-1.0.0.tgz
    • selenium-webdriver-2.53.3.tgz
      • ❌ ws-1.1.5.tgz (Vulnerable Library)

Vulnerability Details

Affected version of ws (0.2.6 through 3.3.0 excluding 0.3.4-2, 0.3.5-2, 0.3.5-3, 0.3.5-4, 1.1.5, 2.0.0-beta.0, 2.0.0-beta.1 and 2.0.0-beta.2) are vulnerable to A specially crafted value of the Sec-WebSocket-Extensions header that used Object.prototype property names as extension or parameter names could be used to make a ws server crash.

Publish Date: 2017-11-08

URL: WS-2017-0421

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: websockets/ws@c4fe466

Release Date: 2017-11-08

Fix Resolution: ws - 3.3.1

Vulnerable Library - axios-0.15.3.tgz

Promise based HTTP client for the browser and node.js

Library home page: https://registry.npmjs.org/axios/-/axios-0.15.3.tgz

Path to dependency file: /conFusionAng/package.json

Path to vulnerable library: /node_modules/axios/package.json

Dependency Hierarchy:

• karma-2.0.5.tgz (Root Library)
  • log4js-2.11.0.tgz
    • ❌ axios-0.15.3.tgz (Vulnerable Library)

Found in base branch: assn4

Vulnerability Details

Axios NPM package 0.21.0 contains a Server-Side Request Forgery (SSRF) vulnerability where an attacker is able to bypass a proxy by providing a URL that responds with a redirect to a restricted host or IP address.

Publish Date: 2020-11-06

URL: CVE-2020-28168

CVSS 3 Score Details (5.9)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: None
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Release Date: 2020-11-06

Fix Resolution (axios): 0.21.1

Direct dependency fix Resolution (karma): 3.0.0

Vulnerable Libraries - node-sass-4.12.0.tgz, node-sassv4.11.0

Found in base branch: assn4

Vulnerability Details

A use-after-free vulnerability exists in handle_error() in sass_context.cpp in LibSass 3.4.x and 3.5.x through 3.5.4 that could be leveraged to cause a denial of service (application crash) or possibly unspecified other impact.

Publish Date: 2018-05-26

URL: CVE-2018-11499

CVSS 3 Score Details (7.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Release Date: 2018-05-26

Fix Resolution (node-sass): 4.14.0

Direct dependency fix Resolution (@angular/cli): 1.7.0

Vulnerable Library - handlebars-4.1.2.tgz

Handlebars provides the power necessary to let you build semantic templates effectively with no frustration

Library home page: https://registry.npmjs.org/handlebars/-/handlebars-4.1.2.tgz

Path to dependency file: /conFusionAng/package.json

Path to vulnerable library: conFusionAng/node_modules/handlebars/package.json

Dependency Hierarchy:

• karma-coverage-istanbul-reporter-1.4.3.tgz (Root Library)
  • istanbul-api-1.3.7.tgz
    • istanbul-reports-1.5.1.tgz
      • ❌ handlebars-4.1.2.tgz (Vulnerable Library)

Vulnerability Details

Arbitrary Code Execution vulnerability found in handlebars before 4.5.2. Lookup helper fails to validate templates. Attack may submit templates that execute arbitrary JavaScript in the system.

Publish Date: 2019-11-13

URL: WS-2019-0331

CVSS 2 Score Details (5.0)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/1316

Release Date: 2019-12-05

Fix Resolution: handlebars - 4.5.2

Vulnerable Library - timespan-2.3.0.tgz

A JavaScript TimeSpan library for node.js (and soon the browser)

Library home page: https://registry.npmjs.org/timespan/-/timespan-2.3.0.tgz

Path to dependency file: /conFusionAng/package.json

Path to vulnerable library: /node_modules/timespan/package.json

Dependency Hierarchy:

• karma-2.0.5.tgz (Root Library)
  • log4js-2.11.0.tgz
    • loggly-1.1.1.tgz
      • ❌ timespan-2.3.0.tgz (Vulnerable Library)

Found in base branch: assn4

Vulnerability Details

The timespan module is vulnerable to regular expression denial of service. Given 50k characters of untrusted user input it will block the event loop for around 10 seconds.

Publish Date: 2018-06-07

URL: CVE-2017-16115

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Vulnerable Library - handlebars-4.1.2.tgz

Handlebars provides the power necessary to let you build semantic templates effectively with no frustration

Library home page: https://registry.npmjs.org/handlebars/-/handlebars-4.1.2.tgz

Path to dependency file: /conFusionAng/package.json

Path to vulnerable library: conFusionAng/node_modules/handlebars/package.json

Dependency Hierarchy:

• karma-coverage-istanbul-reporter-1.4.3.tgz (Root Library)
  • istanbul-api-1.3.7.tgz
    • istanbul-reports-1.5.1.tgz
      • ❌ handlebars-4.1.2.tgz (Vulnerable Library)

Vulnerability Details

handlebars before 3.0.8 and 4.x before 4.5.3 is vulnerable to Arbitrary Code Execution. The package's lookup helper fails to properly validate templates, allowing attackers to submit templates that execute arbitrary JavaScript in the system.

Publish Date: 2019-11-19

URL: WS-2019-0492

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/1324

Release Date: 2019-11-19

Fix Resolution: handlebars - 3.0.8,4.5.3

Vulnerable Library - serialize-javascript-1.7.0.tgz

Serialize JavaScript to a superset of JSON that includes regular expressions and functions.

Library home page: https://registry.npmjs.org/serialize-javascript/-/serialize-javascript-1.7.0.tgz

Path to dependency file: /conFusionAng/package.json

Path to vulnerable library: /node_modules/serialize-javascript/package.json

Dependency Hierarchy:

• cli-1.6.8.tgz (Root Library)
  • copy-webpack-plugin-4.6.0.tgz
    • ❌ serialize-javascript-1.7.0.tgz (Vulnerable Library)

Found in base branch: assn4

Vulnerability Details

The serialize-javascript npm package before version 2.1.1 is vulnerable to Cross-site Scripting (XSS). It does not properly mitigate against unsafe characters in serialized regular expressions. This vulnerability is not affected on Node.js environment since Node.js's implementation of RegExp.prototype.toString() backslash-escapes all forward slashes in regular expressions. If serialized data of regular expression objects are used in an environment other than Node.js, it is affected by this vulnerability.

Publish Date: 2019-12-05

URL: CVE-2019-16769

CVSS 3 Score Details (5.4)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: Required
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16769

Release Date: 2019-12-05

Fix Resolution (serialize-javascript): 2.1.1

Direct dependency fix Resolution (@angular/cli): 6.0.0

Vulnerable Library - kind-of-6.0.2.tgz

Get the native type of a value.

Library home page: https://registry.npmjs.org/kind-of/-/kind-of-6.0.2.tgz

Path to dependency file: /conFusionAng/package.json

Path to vulnerable library: /node_modules/randomatic/node_modules/kind-of/package.json

Dependency Hierarchy:

• cli-1.6.8.tgz (Root Library)
  • sass-loader-6.0.7.tgz
    • clone-deep-2.0.2.tgz
      • ❌ kind-of-6.0.2.tgz (Vulnerable Library)

Found in base branch: assn4

Vulnerability Details

ctorName in index.js in kind-of v6.0.2 allows external user input to overwrite certain internal attributes via a conflicting name, as demonstrated by 'constructor': {'name':'Symbol'}. Hence, a crafted payload can overwrite this builtin attribute to manipulate the type detection result.

Publish Date: 2019-12-30

URL: CVE-2019-20149

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: High
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-20149

Release Date: 2019-12-30

Fix Resolution (kind-of): 6.0.3

Direct dependency fix Resolution (@angular/cli): 1.7.0

Vulnerable Libraries - node-sass-4.12.0.tgz, node-sassv4.11.0

Found in base branch: assn4

Vulnerability Details

In LibSass 3.5.5, a heap-based buffer over-read exists in Sass::Prelexer::parenthese_scope in prelexer.hpp.

Publish Date: 2019-01-14

URL: CVE-2019-6283

CVSS 3 Score Details (6.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Release Date: 2019-01-14

Fix Resolution: Fable.Template.Elmish.React - 0.1.6;GR.PageRender.Razor - 1.8.0;MIDIator.WebClient - 1.0.105

Vulnerable Library - js-yaml-3.7.0.tgz

YAML 1.2 parser and serializer

Library home page: https://registry.npmjs.org/js-yaml/-/js-yaml-3.7.0.tgz

Path to dependency file: /conFusionAng/package.json

Path to vulnerable library: /node_modules/js-yaml/package.json

Dependency Hierarchy:

• tslint-5.9.1.tgz (Root Library)
  • ❌ js-yaml-3.7.0.tgz (Vulnerable Library)

Found in base branch: assn4

Vulnerability Details

Js-yaml prior to 3.13.1 are vulnerable to Code Injection. The load() function may execute arbitrary code injected through a malicious YAML file.

Publish Date: 2019-04-05

URL: WS-2019-0063

CVSS 3 Score Details (8.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/813

Release Date: 2019-04-05

Fix Resolution (js-yaml): 3.13.1

Direct dependency fix Resolution (tslint): 5.10.0

Vulnerable Libraries - node-sass-4.12.0.tgz, node-sassv4.11.0

Found in base branch: assn4

Vulnerability Details

In LibSass 3.5.5, a NULL Pointer Dereference in the function Sass::Eval::operator()(Sass::Supports_Operator*) in eval.cpp may cause a Denial of Service (application crash) via a crafted sass input file.

Publish Date: 2018-12-17

URL: CVE-2018-20190

CVSS 3 Score Details (5.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Local
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Release Date: 2018-12-17

Fix Resolution: GR.PageRender.Razor - 1.8.0;Fable.Template.Elmish.React - 0.1.6

Vulnerable Library - cryptiles-2.0.5.tgz

General purpose crypto utilities

Library home page: https://registry.npmjs.org/cryptiles/-/cryptiles-2.0.5.tgz

Path to dependency file: /conFusionAng/package.json

Path to vulnerable library: /node_modules/cryptiles/package.json

Dependency Hierarchy:

• cli-1.6.8.tgz (Root Library)
  • less-2.7.3.tgz
    • request-2.81.0.tgz
      • hawk-3.1.3.tgz
        • ❌ cryptiles-2.0.5.tgz (Vulnerable Library)

Found in base branch: assn4

Vulnerability Details

Eran Hammer cryptiles version 4.1.1 earlier contains a CWE-331: Insufficient Entropy vulnerability in randomDigits() method that can result in An attacker is more likely to be able to brute force something that was supposed to be random.. This attack appear to be exploitable via Depends upon the calling application.. This vulnerability appears to have been fixed in 4.1.2.

Publish Date: 2018-07-09

URL: CVE-2018-1000620

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-1000620

Release Date: 2018-07-09

Fix Resolution (cryptiles): 4.1.2

Direct dependency fix Resolution (@angular/cli): 6.0.0

Vulnerable Library - lodash-4.17.11.tgz

Lodash modular utilities.

Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.11.tgz

Path to dependency file: /conFusionAng/package.json

Path to vulnerable library: /node_modules/lodash/package.json

Dependency Hierarchy:

• cli-1.6.8.tgz (Root Library)
  • ❌ lodash-4.17.11.tgz (Vulnerable Library)

Found in base branch: assn4

Vulnerability Details

Lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function.

Publish Date: 2021-02-15

URL: CVE-2021-23337

CVSS 3 Score Details (7.2)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: High
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-35jh-r3h4-6jhm

Release Date: 2021-02-15

Fix Resolution (lodash): 4.17.21

Direct dependency fix Resolution (@angular/cli): 1.7.0

Vulnerable Library - handlebars-4.1.2.tgz

Handlebars provides the power necessary to let you build semantic templates effectively with no frustration

Library home page: https://registry.npmjs.org/handlebars/-/handlebars-4.1.2.tgz

Path to dependency file: /conFusionAng/package.json

Path to vulnerable library: conFusionAng/node_modules/handlebars/package.json

Dependency Hierarchy:

• karma-coverage-istanbul-reporter-1.4.3.tgz (Root Library)
  • istanbul-api-1.3.7.tgz
    • istanbul-reports-1.5.1.tgz
      • ❌ handlebars-4.1.2.tgz (Vulnerable Library)

Vulnerability Details

In handlebars, versions prior to v4.5.3 are vulnerable to prototype pollution. Using a malicious template it's possbile to add or modify properties to the Object prototype. This can also lead to DOS and RCE in certain conditions.

Publish Date: 2019-11-18

URL: WS-2019-0333

CVSS 3 Score Details (8.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/1325

Release Date: 2019-11-18

Fix Resolution: handlebars - 4.5.3

Vulnerable Library - node-sassv4.11.0

🌈 Node.js bindings to libsass

Library home page: https://github.com/sass/node-sass.git

Found in base branch: assn4

Vulnerable Source Files (1)

/node_modules/node-sass/src/libsass/src/sass_context.cpp

Vulnerability Details

An issue was discovered in LibSass through 3.5.4. An out-of-bounds read of a memory region was found in the function Sass::handle_error which could be leveraged by an attacker to disclose information or manipulated to read from unmapped memory causing a denial of service.

Publish Date: 2018-06-04

URL: CVE-2018-11698

CVSS 3 Score Details (4.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: None
  • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Release Date: 2018-06-04

Fix Resolution: node-sass - 3.6.0