angular's Issues

CVE-2020-7753 (High) detected in trim-0.0.1.tgz - autoclosed

CVE-2020-7753 - High Severity Vulnerability

Vulnerable Library - trim-0.0.1.tgz

Trim string whitespace

Library home page: https://registry.npmjs.org/trim/-/trim-0.0.1.tgz

Path to dependency file: /aio/package.json

Path to vulnerable library: /aio/node_modules/trim/package.json

Dependency Hierarchy:

  • remark-9.0.0.tgz (Root Library)
    • remark-parse-5.0.0.tgz
      • trim-0.0.1.tgz (Vulnerable Library)

Found in HEAD commit: c6aca37f442da8c55a02d7c53ccc58100ab004f3

Found in base branch: labs/router

Vulnerability Details

All versions of package trim are vulnerable to Regular Expression Denial of Service (ReDoS) via trim().

Publish Date: 2020-10-27

URL: CVE-2020-7753

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2020-10-27

Fix Resolution (trim): 0.0.3

Direct dependency fix Resolution (remark): 13.0.0


Step up your Open Source Security Game with Mend here

WS-2018-0114 (High) detected in npmconf-2.0.9.tgz - autoclosed

WS-2018-0114 - High Severity Vulnerability

Vulnerable Library - npmconf-2.0.9.tgz

The config thing npm uses

Library home page: https://registry.npmjs.org/npmconf/-/npmconf-2.0.9.tgz

Path to dependency file: angular/package.json

Path to vulnerable library: angular/node_modules/npmconf

Dependency Hierarchy:

  • cldr-data-downloader-0.3.2.tgz (Root Library)
    • npmconf-2.0.9.tgz (Vulnerable Library)

Found in HEAD commit: c6aca37f442da8c55a02d7c53ccc58100ab004f3

Found in base branch: labs/router

Vulnerability Details

Versions of npmconf before 2.1.3 allocate and write to disk uninitialized memory contents when a typed number is passed as input on Node.js 4.x.

Publish Date: 2018-05-16

URL: WS-2018-0114

CVSS 3 Score Details (7.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://nodesecurity.io/advisories/653

Release Date: 2018-01-27

Fix Resolution: 2.1.3


WS-2018-0072 (High) detected in https-proxy-agent-1.0.0.tgz - autoclosed

WS-2018-0072 - High Severity Vulnerability

Vulnerable Library - https-proxy-agent-1.0.0.tgz

An HTTP(s) proxy `http.Agent` implementation for HTTPS

Library home page: https://registry.npmjs.org/https-proxy-agent/-/https-proxy-agent-1.0.0.tgz

Path to dependency file: angular/package.json

Path to vulnerable library: angular/node_modules/https-proxy-agent

Dependency Hierarchy:

  • browserstacktunnel-wrapper-2.0.1.tgz (Root Library)
    • https-proxy-agent-1.0.0.tgz (Vulnerable Library)

Found in HEAD commit: c6aca37f442da8c55a02d7c53ccc58100ab004f3

Found in base branch: labs/router

Vulnerability Details

Versions of https-proxy-agent before 2.2.0 are vulnerable to a denial of service. This is due to unsanitized options (proxy.auth) being passed to Buffer().

Publish Date: 2018-02-28

URL: WS-2018-0072

CVSS 2 Score Details (8.0)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: https://nodesecurity.io/advisories/593

Release Date: 2018-01-27

Fix Resolution: 2.2.0


CVE-2017-16119 (High) detected in fresh-0.5.0.tgz - autoclosed

CVE-2017-16119 - High Severity Vulnerability

Vulnerable Library - fresh-0.5.0.tgz

HTTP response freshness testing

Library home page: https://registry.npmjs.org/fresh/-/fresh-0.5.0.tgz

Path to dependency file: /integration/hello_world__systemjs_umd/package.json

Path to vulnerable library: /integration/hello_world__systemjs_umd/node_modules/fresh/package.json,/integration/injectable-def/node_modules/fresh/package.json

Dependency Hierarchy:

  • lite-server-2.2.2.tgz (Root Library)
    • browser-sync-2.23.6.tgz
      • serve-static-1.12.2.tgz
        • send-0.15.2.tgz
          • fresh-0.5.0.tgz (Vulnerable Library)

Found in HEAD commit: c6aca37f442da8c55a02d7c53ccc58100ab004f3

Found in base branch: labs/router

Vulnerability Details

Fresh is a module used by the Express.js framework for HTTP response freshness testing. It is vulnerable to a regular expression denial of service when it is passed specially crafted input to parse. This blocks the event loop, causing a denial-of-service condition.

Publish Date: 2018-06-07

URL: CVE-2017-16119

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/526

Release Date: 2018-06-07

Fix Resolution (fresh): 0.5.2

Direct dependency fix Resolution (lite-server): 2.3.0


WS-2018-0022 (Medium) detected in angular-1.5.11.tgz - autoclosed

WS-2018-0022 - Medium Severity Vulnerability

Vulnerable Library - angular-1.5.11.tgz

HTML enhanced for web apps

Library home page: https://registry.npmjs.org/angular/-/angular-1.5.11.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/angular-1.5@npm:angular/package.json

Dependency Hierarchy:

  • angular-1.5.11.tgz (Vulnerable Library)

Found in HEAD commit: c6aca37f442da8c55a02d7c53ccc58100ab004f3

Found in base branch: labs/router

Vulnerability Details

XSS vulnerability in angular.js (1.6.8 and before)

Publish Date: 2018-01-06

URL: WS-2018-0022

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Release Date: 2018-01-06

Fix Resolution: 1.6.9


WS-2020-0042 (High) detected in acorn-6.1.1.tgz

WS-2020-0042 - High Severity Vulnerability

Vulnerable Library - acorn-6.1.1.tgz

ECMAScript parser

Library home page: https://registry.npmjs.org/acorn/-/acorn-6.1.1.tgz

Path to dependency file: /integration/side-effects/package.json

Path to vulnerable library: /integration/side-effects/package.json

Dependency Hierarchy:

  • check-side-effects-0.0.21.tgz (Root Library)
    • rollup-1.11.3.tgz
      • acorn-6.1.1.tgz (Vulnerable Library)

Found in HEAD commit: c6aca37f442da8c55a02d7c53ccc58100ab004f3

Found in base branch: labs/router

Vulnerability Details

acorn is vulnerable to regular expression denial of service (ReDoS). A regex of the form /[x-\ud800]/u causes the parser to enter an infinite loop. Attackers may leverage the vulnerability to cause a denial of service, since the string is not valid UTF-16 and this results in it being sanitized before reaching the parser.

Publish Date: 2020-03-01

URL: WS-2020-0042

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-6chw-6frg-f759

Release Date: 2020-03-01

Fix Resolution (acorn): 6.4.1

Direct dependency fix Resolution (check-side-effects): 0.0.22


CVE-2017-16138 (High) detected in mime-1.3.4.tgz - autoclosed

CVE-2017-16138 - High Severity Vulnerability

Vulnerable Library - mime-1.3.4.tgz

A comprehensive library for mime-type mapping

Library home page: https://registry.npmjs.org/mime/-/mime-1.3.4.tgz

Path to dependency file: /integration/injectable-def/package.json

Path to vulnerable library: /integration/injectable-def/node_modules/mime/package.json,/integration/hello_world__systemjs_umd/node_modules/mime/package.json

Dependency Hierarchy:

  • lite-server-2.2.2.tgz (Root Library)
    • browser-sync-2.23.6.tgz
      • serve-static-1.12.2.tgz
        • send-0.15.2.tgz
          • mime-1.3.4.tgz (Vulnerable Library)

Found in HEAD commit: c6aca37f442da8c55a02d7c53ccc58100ab004f3

Found in base branch: labs/router

Vulnerability Details

The mime module < 1.4.1, 2.0.1, 2.0.2 is vulnerable to regular expression denial of service when a mime lookup is performed on untrusted user input.

Publish Date: 2018-06-07

URL: CVE-2017-16138

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16138

Release Date: 2018-06-07

Fix Resolution (mime): 1.4.1

Direct dependency fix Resolution (lite-server): 2.3.0


CVE-2019-10747 (High) detected in set-value-2.0.0.tgz, set-value-0.4.3.tgz - autoclosed

CVE-2019-10747 - High Severity Vulnerability

Vulnerable Libraries - set-value-2.0.0.tgz, set-value-0.4.3.tgz

set-value-2.0.0.tgz

Create nested values and any intermediaries using dot notation (`'a.b.c'`) paths.

Library home page: https://registry.npmjs.org/set-value/-/set-value-2.0.0.tgz

Path to dependency file: angular/integration/cli-hello-world/package.json

Path to vulnerable library: angular/integration/cli-hello-world/node_modules/set-value,angular/integration/cli-hello-world-ivy-minimal/node_modules/set-value,angular/integration/cli-hello-world-ivy-compat/node_modules/set-value,angular/integration/platform-server/node_modules/set-value

Dependency Hierarchy:

  • webpack-2.7.0.tgz (Root Library)
    • watchpack-1.6.0.tgz
      • chokidar-2.0.4.tgz
        • readdirp-2.2.1.tgz
          • micromatch-3.1.10.tgz
            • snapdragon-0.8.2.tgz
              • base-0.11.2.tgz
                • cache-base-1.0.1.tgz
                  • set-value-2.0.0.tgz (Vulnerable Library)

set-value-0.4.3.tgz

Create nested values and any intermediaries using dot notation (`'a.b.c'`) paths.

Library home page: https://registry.npmjs.org/set-value/-/set-value-0.4.3.tgz

Path to dependency file: angular/integration/cli-hello-world-ivy-compat/package.json

Path to vulnerable library: angular/integration/cli-hello-world-ivy-compat/node_modules/set-value,angular/integration/cli-hello-world-ivy-minimal/node_modules/set-value,angular/integration/cli-hello-world/node_modules/set-value,angular/integration/platform-server/node_modules/set-value

Dependency Hierarchy:

  • webpack-2.7.0.tgz (Root Library)
    • watchpack-1.6.0.tgz
      • chokidar-2.0.4.tgz
        • readdirp-2.2.1.tgz
          • micromatch-3.1.10.tgz
            • snapdragon-0.8.2.tgz
              • base-0.11.2.tgz
                • cache-base-1.0.1.tgz
                  • union-value-1.0.0.tgz
                    • set-value-0.4.3.tgz (Vulnerable Library)

Found in HEAD commit: c6aca37f442da8c55a02d7c53ccc58100ab004f3

Found in base branch: labs/router

Vulnerability Details

set-value is vulnerable to Prototype Pollution in versions lower than 3.0.1. The function mixin-deep could be tricked into adding or modifying properties of Object.prototype using any of the constructor, prototype and proto payloads.

Publish Date: 2019-08-23

URL: CVE-2019-10747

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: jonschlinkert/set-value@95e9d99

Release Date: 2019-07-24

Fix Resolution: 2.0.1,3.0.1


CVE-2020-7768 (High) detected in multiple libraries - autoclosed

CVE-2020-7768 - High Severity Vulnerability

Vulnerable Libraries - grpc-js-0.6.16.tgz, grpc-js-0.6.18.tgz, grpc-js-0.7.5.tgz, grpc-js-1.0.5.tgz

grpc-js-0.6.16.tgz

gRPC Library for Node - pure JS implementation

Library home page: https://registry.npmjs.org/@grpc/grpc-js/-/grpc-js-0.6.16.tgz

Path to dependency file: /aio/package.json

Path to vulnerable library: /aio/node_modules/@grpc/grpc-js/package.json

Dependency Hierarchy:

  • firebase-tools-8.14.1.tgz (Root Library)
    • google-gax-1.12.0.tgz
      • grpc-js-0.6.16.tgz (Vulnerable Library)

grpc-js-0.6.18.tgz

gRPC Library for Node - pure JS implementation

Library home page: https://registry.npmjs.org/@grpc/grpc-js/-/grpc-js-0.6.18.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/@grpc/grpc-js/package.json

Dependency Hierarchy:

  • firebase-tools-7.16.2.tgz (Root Library)
    • google-gax-1.12.0.tgz
      • grpc-js-0.6.18.tgz (Vulnerable Library)

grpc-js-0.7.5.tgz

gRPC Library for Node - pure JS implementation

Library home page: https://registry.npmjs.org/@grpc/grpc-js/-/grpc-js-0.7.5.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/@grpc/grpc-js/package.json

Dependency Hierarchy:

  • firebase-tools-7.16.2.tgz (Root Library)
    • pubsub-1.7.0.tgz
      • google-gax-1.15.2.tgz
        • grpc-js-0.7.5.tgz (Vulnerable Library)

grpc-js-1.0.5.tgz

gRPC Library for Node - pure JS implementation

Library home page: https://registry.npmjs.org/@grpc/grpc-js/-/grpc-js-1.0.5.tgz

Path to dependency file: /aio/package.json

Path to vulnerable library: /aio/node_modules/@grpc/grpc-js/package.json

Dependency Hierarchy:

  • firebase-tools-8.14.1.tgz (Root Library)
    • pubsub-1.7.3.tgz
      • google-gax-1.15.3.tgz
        • grpc-js-1.0.5.tgz (Vulnerable Library)

Found in HEAD commit: c6aca37f442da8c55a02d7c53ccc58100ab004f3

Found in base branch: labs/router

Vulnerability Details

The package grpc before 1.24.4 and the package @grpc/grpc-js before 1.1.8 are vulnerable to Prototype Pollution via loadPackageDefinition.

Publish Date: 2020-11-11

URL: CVE-2020-7768

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7768

Release Date: 2020-11-11

Fix Resolution (@grpc/grpc-js): 1.1.8

Direct dependency fix Resolution (firebase-tools): 9.0.0


CVE-2019-15599 (High) detected in tree-kill-1.2.1.tgz, tree-kill-1.2.0.tgz - autoclosed

CVE-2019-15599 - High Severity Vulnerability

Vulnerable Libraries - tree-kill-1.2.1.tgz, tree-kill-1.2.0.tgz

tree-kill-1.2.1.tgz

kill trees of processes

Library home page: https://registry.npmjs.org/tree-kill/-/tree-kill-1.2.1.tgz

Path to dependency file: /integration/platform-server/package.json

Path to vulnerable library: /integration/platform-server/node_modules/tree-kill/package.json

Dependency Hierarchy:

  • concurrently-3.1.0.tgz (Root Library)
    • tree-kill-1.2.1.tgz (Vulnerable Library)

tree-kill-1.2.0.tgz

kill trees of processes

Library home page: https://registry.npmjs.org/tree-kill/-/tree-kill-1.2.0.tgz

Path to dependency file: /integration/hello_world__systemjs_umd/package.json

Path to vulnerable library: /integration/hello_world__systemjs_umd/node_modules/tree-kill/package.json,/integration/injectable-def/node_modules/tree-kill/package.json

Dependency Hierarchy:

  • concurrently-3.4.0.tgz (Root Library)
    • tree-kill-1.2.0.tgz (Vulnerable Library)

Found in HEAD commit: c6aca37f442da8c55a02d7c53ccc58100ab004f3

Found in base branch: labs/router

Vulnerability Details

A Code Injection exists in tree-kill on Windows which allows a remote code execution when an attacker is able to control the input into the command.

Publish Date: 2019-12-18

URL: CVE-2019-15599

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://hackerone.com/reports/701183

Release Date: 2019-12-18

Fix Resolution (tree-kill): 1.2.2

Direct dependency fix Resolution (concurrently): 3.2.0

Fix Resolution (tree-kill): 1.2.2

Direct dependency fix Resolution (concurrently): 3.5.0


CVE-2019-10746 (High) detected in mixin-deep-1.3.1.tgz - autoclosed

CVE-2019-10746 - High Severity Vulnerability

Vulnerable Library - mixin-deep-1.3.1.tgz

Deeply mix the properties of objects into the first object. Like merge-deep, but doesn't clone.

Library home page: https://registry.npmjs.org/mixin-deep/-/mixin-deep-1.3.1.tgz

Path to dependency file: angular/integration/cli-hello-world-ivy-compat/package.json

Path to vulnerable library: angular/integration/cli-hello-world-ivy-compat/node_modules/mixin-deep,angular/integration/cli-hello-world/node_modules/mixin-deep,angular/integration/platform-server/node_modules/mixin-deep,angular/integration/cli-hello-world-ivy-minimal/node_modules/mixin-deep

Dependency Hierarchy:

  • webpack-2.7.0.tgz (Root Library)
    • watchpack-1.6.0.tgz
      • chokidar-2.0.4.tgz
        • readdirp-2.2.1.tgz
          • micromatch-3.1.10.tgz
            • snapdragon-0.8.2.tgz
              • base-0.11.2.tgz
                • mixin-deep-1.3.1.tgz (Vulnerable Library)

Found in HEAD commit: c6aca37f442da8c55a02d7c53ccc58100ab004f3

Found in base branch: labs/router

Vulnerability Details

mixin-deep is vulnerable to Prototype Pollution in versions before 1.3.2 and version 2.0.0. The function mixin-deep could be tricked into adding or modifying properties of Object.prototype using a constructor payload.

Publish Date: 2019-08-23

URL: CVE-2019-10746

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: jonschlinkert/mixin-deep@8f464c8

Release Date: 2019-07-11

Fix Resolution: 1.3.2,2.0.1


CVE-2019-20922 (High) detected in handlebars-4.4.3.tgz, handlebars-4.4.2.tgz - autoclosed

CVE-2019-20922 - High Severity Vulnerability

Vulnerable Libraries - handlebars-4.4.3.tgz, handlebars-4.4.2.tgz

handlebars-4.4.3.tgz

Handlebars provides the power necessary to let you build semantic templates effectively with no frustration

Library home page: https://registry.npmjs.org/handlebars/-/handlebars-4.4.3.tgz

Path to dependency file: /integration/cli-hello-world-lazy/package.json

Path to vulnerable library: /integration/cli-hello-world-lazy/node_modules/handlebars/package.json,/integration/cli-hello-world-lazy-rollup/node_modules/handlebars/package.json

Dependency Hierarchy:

  • karma-coverage-istanbul-reporter-2.1.0.tgz (Root Library)
    • istanbul-api-2.1.6.tgz
      • istanbul-reports-2.2.6.tgz
        • handlebars-4.4.3.tgz (Vulnerable Library)

handlebars-4.4.2.tgz

Handlebars provides the power necessary to let you build semantic templates effectively with no frustration

Library home page: https://registry.npmjs.org/handlebars/-/handlebars-4.4.2.tgz

Path to dependency file: /integration/cli-hello-world-ivy-i18n/package.json

Path to vulnerable library: /integration/cli-hello-world-ivy-i18n/node_modules/handlebars/package.json,/integration/ivy-i18n/node_modules/handlebars/package.json

Dependency Hierarchy:

  • karma-coverage-istanbul-reporter-2.1.0.tgz (Root Library)
    • istanbul-api-2.1.6.tgz
      • istanbul-reports-2.2.6.tgz
        • handlebars-4.4.2.tgz (Vulnerable Library)

Found in HEAD commit: c6aca37f442da8c55a02d7c53ccc58100ab004f3

Found in base branch: labs/router

Vulnerability Details

Handlebars before 4.4.5 allows Regular Expression Denial of Service (ReDoS) because of eager matching. The parser may be forced into an endless loop while processing crafted templates. This may allow attackers to exhaust system resources.

Publish Date: 2020-09-30

URL: CVE-2019-20922

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/1300

Release Date: 2020-09-30

Fix Resolution (handlebars): 4.4.5

Direct dependency fix Resolution (karma-coverage-istanbul-reporter): 2.1.1



CVE-2018-20677 (Medium) detected in bootstrap-3.3.7.js - autoclosed

CVE-2018-20677 - Medium Severity Vulnerability

Vulnerable Library - bootstrap-3.3.7.js

The most popular front-end framework for developing responsive, mobile first projects on the web.

Library home page: https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/3.3.7/js/bootstrap.js

Path to dependency file: angular/aio/node_modules/lighthouse/docs/recipes/gulp/public/index.html

Path to vulnerable library: angular/aio/node_modules/lighthouse/docs/recipes/gulp/public/index.html

Dependency Hierarchy:

  • bootstrap-3.3.7.js (Vulnerable Library)

Found in HEAD commit: c6aca37f442da8c55a02d7c53ccc58100ab004f3

Found in base branch: labs/router

Vulnerability Details

In Bootstrap before 3.4.0, XSS is possible in the affix configuration target property.

Publish Date: 2019-01-09

URL: CVE-2018-20677

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20677

Release Date: 2019-01-09

Fix Resolution: Bootstrap - v3.4.0;NorDroN.AngularTemplate - 0.1.6;Dynamic.NET.Express.ProjectTemplates - 0.8.0;dotnetng.template - 1.0.0.4;ZNxtApp.Core.Module.Theme - 1.0.9-Beta;JMeter - 5.0.0


WS-2018-0625 (High) detected in xmlbuilder-4.2.1.tgz, xmlbuilder-9.0.4.tgz - autoclosed

WS-2018-0625 - High Severity Vulnerability

Vulnerable Libraries - xmlbuilder-4.2.1.tgz, xmlbuilder-9.0.4.tgz

xmlbuilder-4.2.1.tgz

An XML builder for node.js

Library home page: https://registry.npmjs.org/xmlbuilder/-/xmlbuilder-4.2.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/xmlbuilder/package.json

Dependency Hierarchy:

  • jpm-1.3.1.tgz (Root Library)
    • xml2js-0.4.16.tgz
      • xmlbuilder-4.2.1.tgz (Vulnerable Library)

xmlbuilder-9.0.4.tgz

An XML builder for node.js

Library home page: https://registry.npmjs.org/xmlbuilder/-/xmlbuilder-9.0.4.tgz

Path to dependency file: /integration/cli-hello-world/package.json

Path to vulnerable library: /integration/cli-hello-world/node_modules/xmlbuilder/package.json,/integration/hello_world__systemjs_umd/node_modules/xmlbuilder/package.json

Dependency Hierarchy:

  • protractor-5.4.3.tgz (Root Library)
    • selenium-webdriver-3.6.0.tgz
      • xml2js-0.4.19.tgz
        • xmlbuilder-9.0.4.tgz (Vulnerable Library)

Found in HEAD commit: c6aca37f442da8c55a02d7c53ccc58100ab004f3

Found in base branch: labs/router

Vulnerability Details

The package xmlbuilder-js before 9.0.5 is vulnerable to denial of service due to a regular expression issue.

Publish Date: 2018-02-08

URL: WS-2018-0625

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Release Date: 2018-02-08

Fix Resolution (xmlbuilder): 9.0.5

Direct dependency fix Resolution (protractor): 5.4.4


CVE-2019-10744 (High) detected in multiple libraries - autoclosed

CVE-2019-10744 - High Severity Vulnerability

Vulnerable Libraries - lodash-4.11.1.tgz, lodash-3.10.1.tgz, lodash-4.12.0.tgz, lodash.template-3.6.2.tgz, lodash-1.0.2.tgz, lodash-4.17.5.tgz, lodash-4.17.4.tgz, lodash-4.17.11.tgz

lodash-4.11.1.tgz

Lodash modular utilities.

Library home page: https://registry.npmjs.org/lodash/-/lodash-4.11.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/lodash/package.json

Dependency Hierarchy:

  • jpm-1.3.1.tgz (Root Library)
    • lodash-4.11.1.tgz (Vulnerable Library)

lodash-3.10.1.tgz

The modern build of lodash modular utilities.

Library home page: https://registry.npmjs.org/lodash/-/lodash-3.10.1.tgz

Path to dependency file: /integration/hello_world__systemjs_umd/package.json

Path to vulnerable library: /integration/hello_world__systemjs_umd/node_modules/lodash/package.json,/node_modules/lodash/package.json,/integration/injectable-def/node_modules/lodash/package.json

Dependency Hierarchy:

  • jpm-1.3.1.tgz (Root Library)
    • fx-runner-1.0.5.tgz
      • lodash-3.10.1.tgz (Vulnerable Library)

lodash-4.12.0.tgz

Lodash modular utilities.

Library home page: https://registry.npmjs.org/lodash/-/lodash-4.12.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/lodash/package.json

Dependency Hierarchy:

  • jpm-1.3.1.tgz (Root Library)
    • firefox-profile-0.4.0.tgz
      • lodash-4.12.0.tgz (Vulnerable Library)

lodash.template-3.6.2.tgz

The modern build of lodash’s `_.template` as a module.

Library home page: https://registry.npmjs.org/lodash.template/-/lodash.template-3.6.2.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/lodash.template/package.json

Dependency Hierarchy:

  • gulp-3.9.1.tgz (Root Library)
    • gulp-util-3.0.8.tgz
      • lodash.template-3.6.2.tgz (Vulnerable Library)

lodash-1.0.2.tgz

A utility library delivering consistency, customization, performance, and extras.

Library home page: https://registry.npmjs.org/lodash/-/lodash-1.0.2.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/lodash/package.json

Dependency Hierarchy:

  • gulp-3.9.1.tgz (Root Library)
    • vinyl-fs-0.3.14.tgz
      • glob-watcher-0.0.6.tgz
        • gaze-0.5.2.tgz
          • globule-0.1.0.tgz
            • lodash-1.0.2.tgz (Vulnerable Library)

lodash-4.17.5.tgz

Lodash modular utilities.

Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.5.tgz

Path to dependency file: /integration/injectable-def/package.json

Path to vulnerable library: /integration/injectable-def/node_modules/lodash/package.json

Dependency Hierarchy:

  • concurrently-3.4.0.tgz (Root Library)
    • lodash-4.17.5.tgz (Vulnerable Library)

lodash-4.17.4.tgz

Lodash modular utilities.

Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.4.tgz

Path to dependency file: /integration/hello_world__systemjs_umd/package.json

Path to vulnerable library: /integration/hello_world__systemjs_umd/node_modules/lodash/package.json

Dependency Hierarchy:

  • concurrently-3.4.0.tgz (Root Library)
    • lodash-4.17.4.tgz (Vulnerable Library)

lodash-4.17.11.tgz

Lodash modular utilities.

Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.11.tgz

Path to dependency file: /integration/cli-hello-world-ivy-minimal/package.json

Path to vulnerable library: /integration/cli-hello-world-ivy-minimal/node_modules/lodash/package.json,/integration/cli-hello-world-ivy-compat/node_modules/lodash/package.json,/integration/platform-server/node_modules/lodash/package.json,/integration/cli-hello-world/node_modules/lodash/package.json

Dependency Hierarchy:

  • @angular-devkit/build-angular@file:../../node_modules/-0.900.0-rc.11.tgz (Root Library)
    • source-map-loader-0.2.4.tgz
      • async-2.6.1.tgz
        • lodash-4.17.11.tgz (Vulnerable Library)

Found in HEAD commit: c6aca37f442da8c55a02d7c53ccc58100ab004f3

Found in base branch: labs/router

Vulnerability Details

Versions of lodash lower than 4.17.12 are vulnerable to Prototype Pollution. The function defaultsDeep could be tricked into adding or modifying properties of Object.prototype using a constructor payload.

Publish Date: 2019-07-26

URL: CVE-2019-10744

CVSS 3 Score Details (9.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-jf85-cpcp-j695

Release Date: 2019-07-26

Fix Resolution (lodash.template): 4.5.0

Direct dependency fix Resolution (gulp): 4.0.0

Fix Resolution (lodash): 4.17.12

Direct dependency fix Resolution (gulp): 4.0.0

Fix Resolution (lodash): 4.17.12

Direct dependency fix Resolution (concurrently): 3.5.0

Fix Resolution (lodash): 4.17.12

Direct dependency fix Resolution (concurrently): 3.5.0


Step up your Open Source Security Game with Mend here

WS-2019-0231 (Medium) detected in adm-zip-0.4.4.tgz - autoclosed

WS-2019-0231 - Medium Severity Vulnerability

Vulnerable Library - adm-zip-0.4.4.tgz

A Javascript implementation of zip for nodejs. Allows user to create or extract zip files both in memory or to/from disk

Library home page: https://registry.npmjs.org/adm-zip/-/adm-zip-0.4.4.tgz

Path to dependency file: angular/package.json

Path to vulnerable library: angular/node_modules/adm-zip

Dependency Hierarchy:

  • cldr-data-downloader-0.3.2.tgz (Root Library)
    • adm-zip-0.4.4.tgz (Vulnerable Library)

Found in HEAD commit: c6aca37f442da8c55a02d7c53ccc58100ab004f3

Found in base branch: labs/router

Vulnerability Details

adm-zip versions before 0.4.9 are vulnerable to Arbitrary File Write due to extraction of a specifically crafted archive that contains path traversal filenames.

Publish Date: 2018-04-22

URL: WS-2019-0231

CVSS 2 Score Details (5.0)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/994

Release Date: 2019-09-09

Fix Resolution: 0.4.9


CVE-2016-4055 (Medium) detected in moment-2.10.6.min.js - autoclosed

CVE-2016-4055 - Medium Severity Vulnerability

Vulnerable Library - moment-2.10.6.min.js

Parse, validate, manipulate, and display dates

Library home page: https://cdnjs.cloudflare.com/ajax/libs/moment.js/2.10.6/moment.min.js

Path to dependency file: angular/aio/node_modules/validate.js/examples.html

Path to vulnerable library: angular/aio/node_modules/validate.js/examples.html

Dependency Hierarchy:

  • moment-2.10.6.min.js (Vulnerable Library)

Found in HEAD commit: c6aca37f442da8c55a02d7c53ccc58100ab004f3

Found in base branch: labs/router

Vulnerability Details

The duration function in the moment package before 2.11.2 for Node.js allows remote attackers to cause a denial of service (CPU consumption) via a long string, aka a "regular expression Denial of Service (ReDoS)."

Publish Date: 2017-01-23

URL: CVE-2016-4055

CVSS 3 Score Details (6.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4055

Release Date: 2017-01-23

Fix Resolution: 2.11.2


WS-2016-0075 (Medium) detected in moment-2.10.6.min.js - autoclosed

WS-2016-0075 - Medium Severity Vulnerability

Vulnerable Library - moment-2.10.6.min.js

Parse, validate, manipulate, and display dates

Library home page: https://cdnjs.cloudflare.com/ajax/libs/moment.js/2.10.6/moment.min.js

Path to dependency file: angular/aio/node_modules/validate.js/examples.html

Path to vulnerable library: angular/aio/node_modules/validate.js/examples.html

Dependency Hierarchy:

  • moment-2.10.6.min.js (Vulnerable Library)

Found in HEAD commit: c6aca37f442da8c55a02d7c53ccc58100ab004f3

Found in base branch: labs/router

Vulnerability Details

Regular expression denial of service vulnerability in the moment package, by using a specific 40 characters long string in the "format" method.

Publish Date: 2016-10-24

URL: WS-2016-0075

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: moment/moment#3525

Release Date: 2016-10-24

Fix Resolution: 2.15.2


CVE-2019-20149 (High) detected in kind-of-6.0.2.tgz - autoclosed

CVE-2019-20149 - High Severity Vulnerability

Vulnerable Library - kind-of-6.0.2.tgz

Get the native type of a value.

Library home page: https://registry.npmjs.org/kind-of/-/kind-of-6.0.2.tgz

Path to dependency file: /integration/cli-hello-world-lazy-rollup/package.json

Path to vulnerable library: /integration/cli-hello-world-lazy-rollup/node_modules/kind-of/package.json,/integration/ng_update_migrations/node_modules/kind-of/package.json,/integration/cli-hello-world-ivy-compat/node_modules/kind-of/package.json,/integration/cli-hello-world/node_modules/kind-of/package.json,/integration/platform-server/node_modules/kind-of/package.json,/integration/cli-hello-world-ivy-minimal/node_modules/kind-of/package.json,/integration/cli-hello-world-lazy/node_modules/kind-of/package.json,/integration/cli-hello-world-ivy-i18n/node_modules/kind-of/package.json

Dependency Hierarchy:

  • @angular-devkit/build-angular@file:../../node_modules/-0.900.0-rc.11.tgz (Root Library)
    • webpack-4.41.2.tgz
      • micromatch-3.1.10.tgz
        • kind-of-6.0.2.tgz (Vulnerable Library)

Found in HEAD commit: c6aca37f442da8c55a02d7c53ccc58100ab004f3

Found in base branch: labs/router

Vulnerability Details

ctorName in index.js in kind-of v6.0.2 allows external user input to overwrite certain internal attributes via a conflicting name, as demonstrated by 'constructor': {'name':'Symbol'}. Hence, a crafted payload can overwrite this builtin attribute to manipulate the type detection result.

Publish Date: 2019-12-30

URL: CVE-2019-20149

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: High
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-20149

Release Date: 2020-08-24

Fix Resolution: 6.0.3


CVE-2019-11358 (Medium) detected in jquery-2.2.4.js, jquery-3.0.0.tgz

CVE-2019-11358 - Medium Severity Vulnerability

Vulnerable Libraries - jquery-2.2.4.js, jquery-3.0.0.tgz

jquery-2.2.4.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/2.2.4/jquery.js

Path to dependency file: /aio/content/examples/upgrade-phonecat-1-typescript/app/index.html

Path to vulnerable library: /aio/content/examples/upgrade-phonecat-1-typescript/app/index.html,/aio/content/examples/upgrade-phonecat-2-hybrid/index.html

Dependency Hierarchy:

  • jquery-2.2.4.js (Vulnerable Library)

jquery-3.0.0.tgz

JavaScript library for DOM operations

Library home page: https://registry.npmjs.org/jquery/-/jquery-3.0.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

  • jquery-3.0.0.tgz (Vulnerable Library)

Found in HEAD commit: c6aca37f442da8c55a02d7c53ccc58100ab004f3

Found in base branch: labs/router

Vulnerability Details

jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. If an unsanitized source object contained an enumerable __proto__ property, it could extend the native Object.prototype.

Publish Date: 2019-04-20

URL: CVE-2019-11358

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11358

Release Date: 2019-04-20

Fix Resolution: jquery - 3.4.0


CVE-2020-15168 (Medium) detected in node-fetch-2.6.0.tgz - autoclosed

CVE-2020-15168 - Medium Severity Vulnerability

Vulnerable Library - node-fetch-2.6.0.tgz

A light-weight module that brings window.fetch to node.js

Library home page: https://registry.npmjs.org/node-fetch/-/node-fetch-2.6.0.tgz

Dependency Hierarchy:

  • node-fetch-2.6.0.tgz (Vulnerable Library)

Found in HEAD commit: c6aca37f442da8c55a02d7c53ccc58100ab004f3

Found in base branch: labs/router

Vulnerability Details

node-fetch before versions 2.6.1 and 3.0.0-beta.9 did not honor the size option after following a redirect, which means that when a content size was over the limit, a FetchError would never get thrown and the process would end without failure. For most people, this fix will have little or no impact. However, if you are relying on node-fetch to gate files above a size, the impact could be significant, for example: if you don't double-check the size of the data after fetch() has completed, your JS thread could get tied up doing work on a large file (DoS) and/or cost you money in computing.

Publish Date: 2020-09-10

URL: CVE-2020-15168

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: GHSA-w7rc-rwvf-8q5r

Release Date: 2020-09-17

Fix Resolution: 2.6.1


CVE-2020-15256 (High) detected in object-path-0.9.2.tgz - autoclosed

CVE-2020-15256 - High Severity Vulnerability

Vulnerable Library - object-path-0.9.2.tgz

Access deep properties using a path

Library home page: https://registry.npmjs.org/object-path/-/object-path-0.9.2.tgz

Path to dependency file: /integration/dynamic-compiler/package.json

Path to vulnerable library: /integration/dynamic-compiler/node_modules/object-path/package.json,/integration/ng_elements/node_modules/object-path/package.json,/integration/hello_world__systemjs_umd/node_modules/object-path/package.json,/integration/hello_world__closure/node_modules/object-path/package.json,/integration/ngcc/node_modules/object-path/package.json,/integration/injectable-def/node_modules/object-path/package.json,/integration/i18n/node_modules/object-path/package.json

Dependency Hierarchy:

  • lite-server-2.2.2.tgz (Root Library)
    • browser-sync-2.26.7.tgz
      • eazy-logger-3.0.2.tgz
        • tfunk-3.1.0.tgz
          • object-path-0.9.2.tgz (Vulnerable Library)

Found in HEAD commit: c6aca37f442da8c55a02d7c53ccc58100ab004f3

Found in base branch: labs/router

Vulnerability Details

A prototype pollution vulnerability has been found in object-path <= 0.11.4 affecting the set() method. The vulnerability is limited to the includeInheritedProps mode (if version >= 0.11.0 is used), which has to be explicitly enabled by creating a new instance of object-path and setting the option includeInheritedProps: true, or by using the default withInheritedProps instance. The default operating mode is not affected by the vulnerability if version >= 0.11.0 is used. Any usage of set() in versions < 0.11.0 is vulnerable. The issue is fixed in object-path version 0.11.5. As a workaround, don't use the includeInheritedProps: true option or the withInheritedProps instance if using a version >= 0.11.0.

Publish Date: 2020-10-19

URL: CVE-2020-15256

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-cwx2-736x-mf6w

Release Date: 2020-10-19

Fix Resolution (object-path): 0.11.5

Direct dependency fix Resolution (lite-server): 2.3.0


WS-2017-0247 (High) detected in multiple libraries - autoclosed

WS-2017-0247 - High Severity Vulnerability

Vulnerable Libraries - ms-0.7.3.tgz, ms-0.7.1.tgz, ms-1.0.0.tgz

ms-0.7.3.tgz

Tiny milisecond conversion utility

Library home page: https://registry.npmjs.org/ms/-/ms-0.7.3.tgz

Path to dependency file: angular/integration/injectable-def/package.json

Path to vulnerable library: angular/integration/injectable-def/node_modules/ms/package.json,angular/integration/hello_world__systemjs_umd/node_modules/ms/package.json,angular/node_modules/ms/package.json

Dependency Hierarchy:

  • lite-server-2.2.2.tgz (Root Library)
    • browser-sync-2.23.5.tgz
      • serve-static-1.12.2.tgz
        • send-0.15.2.tgz
          • debug-2.6.4.tgz
            • ms-0.7.3.tgz (Vulnerable Library)

ms-0.7.1.tgz

Tiny ms conversion utility

Library home page: https://registry.npmjs.org/ms/-/ms-0.7.1.tgz

Path to dependency file: angular/packages/zone.js/package.json

Path to vulnerable library: angular/packages/zone.js/node_modules/ms/package.json,angular/integration/hello_world__systemjs_umd/node_modules/ms/package.json,angular/integration/injectable-def/node_modules/ms/package.json

Dependency Hierarchy:

  • promises-aplus-tests-2.1.2.tgz (Root Library)
    • mocha-2.5.3.tgz
      • debug-2.2.0.tgz
        • ms-0.7.1.tgz (Vulnerable Library)

ms-1.0.0.tgz

Tiny milisecond conversion utility

Library home page: https://registry.npmjs.org/ms/-/ms-1.0.0.tgz

Path to dependency file: angular/integration/injectable-def/package.json

Path to vulnerable library: angular/integration/injectable-def/node_modules/ms/package.json,angular/integration/hello_world__systemjs_umd/node_modules/ms/package.json

Dependency Hierarchy:

  • lite-server-2.2.2.tgz (Root Library)
    • browser-sync-2.23.5.tgz
      • serve-static-1.12.2.tgz
        • send-0.15.2.tgz
          • ms-1.0.0.tgz (Vulnerable Library)

Found in HEAD commit: c6aca37f442da8c55a02d7c53ccc58100ab004f3

Found in base branch: labs/router

Vulnerability Details

Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS).

Publish Date: 2017-04-12

URL: WS-2017-0247

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: vercel/ms#89

Release Date: 2017-04-12

Fix Resolution: 2.1.1


WS-2018-0076 (Medium) detected in tunnel-agent-0.4.3.tgz - autoclosed

WS-2018-0076 - Medium Severity Vulnerability

Vulnerable Library - tunnel-agent-0.4.3.tgz

HTTP proxy tunneling agent. Formerly part of mikeal/request, now a standalone module.

Library home page: https://registry.npmjs.org/tunnel-agent/-/tunnel-agent-0.4.3.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/tunnel-agent/package.json

Dependency Hierarchy:

  • jpm-1.3.1.tgz (Root Library)
    • sign-addon-0.2.0.tgz
      • request-2.75.0.tgz
        • tunnel-agent-0.4.3.tgz (Vulnerable Library)

Found in HEAD commit: c6aca37f442da8c55a02d7c53ccc58100ab004f3

Found in base branch: labs/router

Vulnerability Details

Versions of tunnel-agent before 0.6.0 are vulnerable to memory exposure. This is exploitable if user supplied input is provided to the auth value and is a number.

Publish Date: 2017-03-05

URL: WS-2018-0076

CVSS 3 Score Details (5.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://nodesecurity.io/advisories/598

Release Date: 2017-03-05

Fix Resolution: 0.6.0


CVE-2018-14040 (Medium) detected in bootstrap-3.3.7.js - autoclosed

CVE-2018-14040 - Medium Severity Vulnerability

Vulnerable Library - bootstrap-3.3.7.js

The most popular front-end framework for developing responsive, mobile first projects on the web.

Library home page: https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/3.3.7/js/bootstrap.js

Path to dependency file: angular/aio/node_modules/lighthouse/docs/recipes/gulp/public/index.html

Path to vulnerable library: angular/aio/node_modules/lighthouse/docs/recipes/gulp/public/index.html

Dependency Hierarchy:

  • bootstrap-3.3.7.js (Vulnerable Library)

Found in HEAD commit: c6aca37f442da8c55a02d7c53ccc58100ab004f3

Found in base branch: labs/router

Vulnerability Details

In Bootstrap before 4.1.2, XSS is possible in the collapse data-parent attribute.

Publish Date: 2018-07-13

URL: CVE-2018-14040

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: twbs/bootstrap#26630

Release Date: 2018-07-13

Fix Resolution: org.webjars.npm:bootstrap:4.1.2,org.webjars:bootstrap:3.4.0


CVE-2017-16137 (Low) detected in multiple libraries

CVE-2017-16137 - Low Severity Vulnerability

Vulnerable Libraries - debug-3.2.6.tgz, debug-4.1.1.tgz, debug-2.6.7.tgz

debug-3.2.6.tgz

small debugging utility

Library home page: https://registry.npmjs.org/debug/-/debug-3.2.6.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

  • build-angular-0.1100.0-rc.1.tgz (Root Library)
    • webpack-dev-server-3.11.0.tgz
      • sockjs-client-1.4.0.tgz
        • debug-3.2.6.tgz (Vulnerable Library)

debug-4.1.1.tgz

small debugging utility

Library home page: https://registry.npmjs.org/debug/-/debug-4.1.1.tgz

Path to dependency file: /aio/aio-builds-setup/dockerbuild/scripts-js/package.json

Path to vulnerable library: /aio/aio-builds-setup/dockerbuild/scripts-js/package.json,/integration/cli-hello-world-ivy-i18n/package.json

Dependency Hierarchy:

  • localize-9.0.0-rc.1.tgz (Root Library)
    • core-7.8.3.tgz
      • debug-4.1.1.tgz (Vulnerable Library)

debug-2.6.7.tgz

small debugging utility

Library home page: https://registry.npmjs.org/debug/-/debug-2.6.7.tgz

Path to dependency file: /aio/aio-builds-setup/dockerbuild/scripts-js/package.json

Path to vulnerable library: /aio/aio-builds-setup/dockerbuild/scripts-js/package.json

Dependency Hierarchy:

  • jasmine-3.6.1.tgz (Root Library)
    • fast-glob-2.2.7.tgz
      • micromatch-3.1.10.tgz
        • snapdragon-0.8.2.tgz
          • debug-2.6.7.tgz (Vulnerable Library)

Found in HEAD commit: c6aca37f442da8c55a02d7c53ccc58100ab004f3

Found in base branch: labs/router

Vulnerability Details

The debug module is vulnerable to regular expression denial of service when untrusted user input is passed into the o formatter. It takes around 50k characters to block for 2 seconds making this a low severity issue.

Publish Date: 2018-06-07

URL: CVE-2017-16137

CVSS 3 Score Details (3.7)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: GHSA-gxpj-cx7g-858c

Release Date: 2018-04-26

Fix Resolution (debug): 3.2.7

Direct dependency fix Resolution (@angular-devkit/build-angular): 0.1100.0

Fix Resolution (debug): 3.2.7

Direct dependency fix Resolution (@angular/localize): 9.0.0

Fix Resolution (debug): 3.2.7

Direct dependency fix Resolution (jasmine): 3.6.2


WS-2019-0066 (Medium) detected in ecstatic-3.3.2.tgz - autoclosed

WS-2019-0066 - Medium Severity Vulnerability

Vulnerable Library - ecstatic-3.3.2.tgz

A simple static file server middleware

Library home page: https://registry.npmjs.org/ecstatic/-/ecstatic-3.3.2.tgz

Path to dependency file: angular/package.json

Path to vulnerable library: angular/node_modules/ecstatic/package.json,angular/integration/bazel/node_modules/ecstatic/package.json

Dependency Hierarchy:

  • http-server-0.11.1.tgz (Root Library)
    • ecstatic-3.3.2.tgz (Vulnerable Library)

Found in HEAD commit: c6aca37f442da8c55a02d7c53ccc58100ab004f3

Found in base branch: labs/router

Vulnerability Details

Versions of ecstatic prior to 4.1.2 fail to validate redirects, allowing attackers to craft requests that result in an HTTP 301 redirect to any other domain.

Publish Date: 2019-04-27

URL: WS-2019-0066

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/830/versions

Release Date: 2019-05-02

Fix Resolution: 4.1.2


CVE-2018-3750 (High) detected in deep-extend-0.4.2.tgz - autoclosed

CVE-2018-3750 - High Severity Vulnerability

Vulnerable Library - deep-extend-0.4.2.tgz

Recursive object extending

Library home page: https://registry.npmjs.org/deep-extend/-/deep-extend-0.4.2.tgz

Path to dependency file: /integration/hello_world__systemjs_umd/package.json

Path to vulnerable library: /integration/hello_world__systemjs_umd/node_modules/deep-extend/package.json,/integration/cli-hello-world/node_modules/deep-extend/package.json,/integration/injectable-def/node_modules/deep-extend/package.json

Dependency Hierarchy:

  • @angular-devkit/build-angular@file:../../node_modules/-0.900.0-rc.11.tgz (Root Library)
    • webpack-4.41.2.tgz
      • watchpack-1.6.0.tgz
        • chokidar-2.0.3.tgz
          • fsevents-1.1.3.tgz
            • node-pre-gyp-0.6.39.tgz
              • rc-1.2.6.tgz
                • deep-extend-0.4.2.tgz (Vulnerable Library)

Found in HEAD commit: c6aca37f442da8c55a02d7c53ccc58100ab004f3

Found in base branch: labs/router

Vulnerability Details

The utilities function in all versions <= 0.5.0 of the deep-extend node module can be tricked into modifying the prototype of Object when the attacker can control part of the structure passed to this function. This can let an attacker add or modify existing properties that will exist on all objects.

Publish Date: 2018-07-03

URL: CVE-2018-3750

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3750

Release Date: 2018-07-03

Fix Resolution: 0.5.1


CVE-2018-14042 (Medium) detected in bootstrap-3.3.7.js - autoclosed

CVE-2018-14042 - Medium Severity Vulnerability

Vulnerable Library - bootstrap-3.3.7.js

The most popular front-end framework for developing responsive, mobile first projects on the web.

Library home page: https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/3.3.7/js/bootstrap.js

Path to dependency file: angular/aio/node_modules/lighthouse/docs/recipes/gulp/public/index.html

Path to vulnerable library: angular/aio/node_modules/lighthouse/docs/recipes/gulp/public/index.html

Dependency Hierarchy:

  • bootstrap-3.3.7.js (Vulnerable Library)

Found in HEAD commit: c6aca37f442da8c55a02d7c53ccc58100ab004f3

Found in base branch: labs/router

Vulnerability Details

In Bootstrap before 4.1.2, XSS is possible in the data-container property of tooltip.

Publish Date: 2018-07-13

URL: CVE-2018-14042

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: twbs/bootstrap#26630

Release Date: 2018-07-13

Fix Resolution: org.webjars.npm:bootstrap:4.1.2,org.webjars:bootstrap:3.4.0


CVE-2020-7598 (Medium) detected in minimist-0.0.10.tgz, minimist-1.2.0.tgz

CVE-2020-7598 - Medium Severity Vulnerability

Vulnerable Libraries - minimist-0.0.10.tgz, minimist-1.2.0.tgz

minimist-0.0.10.tgz

parse argument options

Library home page: https://registry.npmjs.org/minimist/-/minimist-0.0.10.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

  • protractor-5.4.3.tgz (Root Library)
    • optimist-0.6.1.tgz
      • minimist-0.0.10.tgz (Vulnerable Library)

minimist-1.2.0.tgz

parse argument options

Library home page: https://registry.npmjs.org/minimist/-/minimist-1.2.0.tgz

Path to dependency file: /integration/i18n/package.json

Path to vulnerable library: /integration/i18n/package.json,/integration/injectable-def/package.json,/integration/platform-server/package.json,/integration/hello_world__closure/package.json,/integration/ng_update/package.json,/integration/side-effects/package.json,/integration/ng_elements/package.json,/integration/cli-hello-world-ivy-i18n/package.json,/package.json,/aio/aio-builds-setup/dockerbuild/scripts-js/package.json,/integration/terser/package.json

Dependency Hierarchy:

  • minimist-1.2.0.tgz (Vulnerable Library)

Found in HEAD commit: c6aca37f442da8c55a02d7c53ccc58100ab004f3

Found in base branch: labs/router

Vulnerability Details

minimist before 1.2.2 could be tricked into adding or modifying properties of Object.prototype using a "constructor" or "__proto__" payload.

Publish Date: 2020-03-11

URL: CVE-2020-7598

CVSS 3 Score Details (5.6)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Release Date: 2020-03-11

Fix Resolution (minimist): 0.2.1

Direct dependency fix Resolution (protractor): 5.4.4


CVE-2019-20920 (High) detected in handlebars-4.4.3.tgz, handlebars-4.4.2.tgz - autoclosed

CVE-2019-20920 - High Severity Vulnerability

Vulnerable Libraries - handlebars-4.4.3.tgz, handlebars-4.4.2.tgz

handlebars-4.4.3.tgz

Handlebars provides the power necessary to let you build semantic templates effectively with no frustration

Library home page: https://registry.npmjs.org/handlebars/-/handlebars-4.4.3.tgz

Path to dependency file: /integration/cli-hello-world-lazy/package.json

Path to vulnerable library: /integration/cli-hello-world-lazy/node_modules/handlebars/package.json,/integration/cli-hello-world-lazy-rollup/node_modules/handlebars/package.json

Dependency Hierarchy:

  • karma-coverage-istanbul-reporter-2.1.0.tgz (Root Library)
    • istanbul-api-2.1.6.tgz
      • istanbul-reports-2.2.6.tgz
        • handlebars-4.4.3.tgz (Vulnerable Library)

handlebars-4.4.2.tgz

Handlebars provides the power necessary to let you build semantic templates effectively with no frustration

Library home page: https://registry.npmjs.org/handlebars/-/handlebars-4.4.2.tgz

Path to dependency file: /integration/cli-hello-world-ivy-i18n/package.json

Path to vulnerable library: /integration/cli-hello-world-ivy-i18n/node_modules/handlebars/package.json,/integration/ivy-i18n/node_modules/handlebars/package.json

Dependency Hierarchy:

  • karma-coverage-istanbul-reporter-2.1.0.tgz (Root Library)
    • istanbul-api-2.1.6.tgz
      • istanbul-reports-2.2.6.tgz
        • handlebars-4.4.2.tgz (Vulnerable Library)

Found in HEAD commit: c6aca37f442da8c55a02d7c53ccc58100ab004f3

Found in base branch: labs/router

Vulnerability Details

Handlebars before 3.0.8 and 4.x before 4.5.3 is vulnerable to Arbitrary Code Execution. The lookup helper fails to properly validate templates, allowing attackers to submit templates that execute arbitrary JavaScript. This can be used to run arbitrary code on a server processing Handlebars templates or in a victim's browser (effectively serving as XSS).

Publish Date: 2020-09-30

URL: CVE-2019-20920

CVSS 3 Score Details (8.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: Low
    • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/1324

Release Date: 2020-10-15

Fix Resolution (handlebars): 4.5.3

Direct dependency fix Resolution (karma-coverage-istanbul-reporter): 2.1.1

Fix Resolution (handlebars): 4.5.3

Direct dependency fix Resolution (karma-coverage-istanbul-reporter): 2.1.1


WS-2017-0268 (Medium) detected in angular-1.5.11.tgz - autoclosed

WS-2017-0268 - Medium Severity Vulnerability

Vulnerable Library - angular-1.5.11.tgz

HTML enhanced for web apps

Library home page: https://registry.npmjs.org/angular/-/angular-1.5.11.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/angular-1.5@npm:angular/package.json

Dependency Hierarchy:

  • angular-1.5.11.tgz (Vulnerable Library)

Found in HEAD commit: c6aca37f442da8c55a02d7c53ccc58100ab004f3

Found in base branch: labs/router

Vulnerability Details

Both Firefox and Safari are vulnerable to XSS when AngularJS's $sanitize service parses untrusted HTML inside an inert document created via document.implementation.createHTMLDocument(). AngularJS 1.6.5 switched $sanitize to DOMParser where it is available.

Publish Date: 2017-05-25

URL: WS-2017-0268

CVSS 3 Score Details (4.7)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: None
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Release Date: 2017-05-25

Fix Resolution: 1.6.5


WS-2019-0493 (High) detected in handlebars-4.4.3.tgz, handlebars-4.4.2.tgz - autoclosed

WS-2019-0493 - High Severity Vulnerability

Vulnerable Libraries - handlebars-4.4.3.tgz, handlebars-4.4.2.tgz

handlebars-4.4.3.tgz

Handlebars provides the power necessary to let you build semantic templates effectively with no frustration

Library home page: https://registry.npmjs.org/handlebars/-/handlebars-4.4.3.tgz

Path to dependency file: angular/integration/cli-hello-world-lazy/package.json

Path to vulnerable library: angular/integration/cli-hello-world-lazy/node_modules/handlebars/package.json,angular/integration/cli-hello-world-lazy-rollup/node_modules/handlebars/package.json

Dependency Hierarchy:

  • karma-coverage-istanbul-reporter-2.1.0.tgz (Root Library)
    • istanbul-api-2.1.6.tgz
      • istanbul-reports-2.2.6.tgz
        • handlebars-4.4.3.tgz (Vulnerable Library)
handlebars-4.4.2.tgz

Handlebars provides the power necessary to let you build semantic templates effectively with no frustration

Library home page: https://registry.npmjs.org/handlebars/-/handlebars-4.4.2.tgz

Path to dependency file: angular/integration/cli-hello-world-ivy-i18n/package.json

Path to vulnerable library: angular/integration/cli-hello-world-ivy-i18n/node_modules/handlebars/package.json,angular/integration/ivy-i18n/node_modules/handlebars/package.json

Dependency Hierarchy:

  • karma-coverage-istanbul-reporter-2.1.0.tgz (Root Library)
    • istanbul-api-2.1.6.tgz
      • istanbul-reports-2.2.6.tgz
        • handlebars-4.4.2.tgz (Vulnerable Library)

Found in HEAD commit: c6aca37f442da8c55a02d7c53ccc58100ab004f3

Found in base branch: labs/router

Vulnerability Details

handlebars before 3.0.8 and 4.x before 4.5.2 is vulnerable to Arbitrary Code Execution. The package's lookup helper fails to properly validate templates, allowing attackers to submit templates that execute arbitrary JavaScript in the system.

Publish Date: 2019-11-14

URL: WS-2019-0493

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/1316

Release Date: 2019-11-14

Fix Resolution: handlebars - 3.0.8,4.5.2


WS-2019-0492 (High) detected in handlebars-4.4.3.tgz, handlebars-4.4.2.tgz - autoclosed

WS-2019-0492 - High Severity Vulnerability

Vulnerable Libraries - handlebars-4.4.3.tgz, handlebars-4.4.2.tgz

handlebars-4.4.3.tgz

Handlebars provides the power necessary to let you build semantic templates effectively with no frustration

Library home page: https://registry.npmjs.org/handlebars/-/handlebars-4.4.3.tgz

Path to dependency file: angular/integration/cli-hello-world-lazy/package.json

Path to vulnerable library: angular/integration/cli-hello-world-lazy/node_modules/handlebars/package.json,angular/integration/cli-hello-world-lazy-rollup/node_modules/handlebars/package.json

Dependency Hierarchy:

  • karma-coverage-istanbul-reporter-2.1.0.tgz (Root Library)
    • istanbul-api-2.1.6.tgz
      • istanbul-reports-2.2.6.tgz
        • handlebars-4.4.3.tgz (Vulnerable Library)
handlebars-4.4.2.tgz

Handlebars provides the power necessary to let you build semantic templates effectively with no frustration

Library home page: https://registry.npmjs.org/handlebars/-/handlebars-4.4.2.tgz

Path to dependency file: angular/integration/cli-hello-world-ivy-i18n/package.json

Path to vulnerable library: angular/integration/cli-hello-world-ivy-i18n/node_modules/handlebars/package.json,angular/integration/ivy-i18n/node_modules/handlebars/package.json

Dependency Hierarchy:

  • karma-coverage-istanbul-reporter-2.1.0.tgz (Root Library)
    • istanbul-api-2.1.6.tgz
      • istanbul-reports-2.2.6.tgz
        • handlebars-4.4.2.tgz (Vulnerable Library)

Found in HEAD commit: c6aca37f442da8c55a02d7c53ccc58100ab004f3

Found in base branch: labs/router

Vulnerability Details

handlebars before 3.0.8 and 4.x before 4.5.3 is vulnerable to Arbitrary Code Execution. The package's lookup helper fails to properly validate templates, allowing attackers to submit templates that execute arbitrary JavaScript in the system.

Publish Date: 2019-11-19

URL: WS-2019-0492

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/1324

Release Date: 2019-11-19

Fix Resolution: handlebars - 3.0.8,4.5.3


WS-2020-0163 (Medium) detected in marked-0.7.0.tgz - autoclosed

WS-2020-0163 - Medium Severity Vulnerability

Vulnerable Library - marked-0.7.0.tgz

A markdown parser built for speed

Library home page: https://registry.npmjs.org/marked/-/marked-0.7.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/marked/package.json,/aio/node_modules/marked/package.json

Dependency Hierarchy:

  • firebase-tools-7.16.2.tgz (Root Library)
    • marked-0.7.0.tgz (Vulnerable Library)

Found in HEAD commit: c6aca37f442da8c55a02d7c53ccc58100ab004f3

Found in base branch: labs/router

Vulnerability Details

marked before 1.1.1 is vulnerable to Regular Expression Denial of Service (ReDoS): several regular expressions in rules.js have unused capture groups and can be driven into catastrophic backtracking by crafted input, which can lead to a denial of service.

Publish Date: 2020-07-02

URL: WS-2020-0163

CVSS 3 Score Details (5.9)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Release Date: 2020-07-02

Fix Resolution (marked): 1.1.1

Direct dependency fix Resolution (firebase-tools): 10.1.2


CVE-2020-8203 (High) detected in lodash-4.17.15.tgz

CVE-2020-8203 - High Severity Vulnerability

Vulnerable Library - lodash-4.17.15.tgz

Lodash modular utilities.

Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.15.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json,/integration/cli-hello-world-ivy-i18n/package.json

Dependency Hierarchy:

  • build-angular-0.1100.0-rc.1.tgz (Root Library)
    • webpack-dev-server-3.11.0.tgz
      • http-proxy-middleware-0.19.1.tgz
        • lodash-4.17.15.tgz (Vulnerable Library)

Found in HEAD commit: c6aca37f442da8c55a02d7c53ccc58100ab004f3

Found in base branch: labs/router

Vulnerability Details

Prototype pollution attack when using _.zipObjectDeep in lodash before 4.17.20.

Publish Date: 2020-07-15

URL: CVE-2020-8203

CVSS 3 Score Details (7.4)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/1523

Release Date: 2020-07-15

Fix Resolution (lodash): 4.17.19

Direct dependency fix Resolution (@angular-devkit/build-angular): 0.1100.0


CVE-2019-13173 (High) detected in fstream-1.0.11.tgz, fstream-0.1.31.tgz - autoclosed

CVE-2019-13173 - High Severity Vulnerability

Vulnerable Libraries - fstream-1.0.11.tgz, fstream-0.1.31.tgz

fstream-1.0.11.tgz

Advanced file system stream things

Library home page: https://registry.npmjs.org/fstream/-/fstream-1.0.11.tgz

Path to dependency file: /integration/injectable-def/package.json

Path to vulnerable library: /integration/injectable-def/node_modules/fstream/package.json,/integration/hello_world__systemjs_umd/node_modules/fstream/package.json,/integration/cli-hello-world/node_modules/fstream/package.json

Dependency Hierarchy:

  • @angular-devkit/build-angular@file:../../node_modules/-0.900.0-rc.11.tgz (Root Library)
    • webpack-4.41.2.tgz
      • watchpack-1.6.0.tgz
        • chokidar-2.0.3.tgz
          • fsevents-1.1.3.tgz
            • node-pre-gyp-0.6.39.tgz
              • tar-2.2.1.tgz
                • fstream-1.0.11.tgz (Vulnerable Library)
fstream-0.1.31.tgz

Advanced file system stream things

Library home page: https://registry.npmjs.org/fstream/-/fstream-0.1.31.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/fstream/package.json

Dependency Hierarchy:

  • browserstacktunnel-wrapper-2.0.3.tgz (Root Library)
    • unzip-0.1.11.tgz
      • fstream-0.1.31.tgz (Vulnerable Library)

Found in HEAD commit: c6aca37f442da8c55a02d7c53ccc58100ab004f3

Found in base branch: labs/router

Vulnerability Details

fstream before 1.0.12 is vulnerable to Arbitrary File Overwrite. Extracting tarballs containing a hardlink to a file that already exists in the system, and a file that matches the hardlink, will overwrite the system's file with the contents of the extracted file. The fstream.DirWriter() function is vulnerable.

Publish Date: 2019-07-02

URL: CVE-2019-13173

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: High
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13173

Release Date: 2020-08-24

Fix Resolution (fstream): 1.0.12

Direct dependency fix Resolution (browserstacktunnel-wrapper): 2.0.4


CVE-2018-1002204 (Medium) detected in adm-zip-0.4.7.tgz - autoclosed

CVE-2018-1002204 - Medium Severity Vulnerability

Vulnerable Library - adm-zip-0.4.7.tgz

A Javascript implementation of zip for nodejs. Allows user to create or extract zip files both in memory or to/from disk

Library home page: https://registry.npmjs.org/adm-zip/-/adm-zip-0.4.7.tgz

Path to dependency file: /integration/injectable-def/package.json

Path to vulnerable library: /integration/injectable-def/node_modules/adm-zip/package.json

Dependency Hierarchy:

  • protractor-5.4.3.tgz (Root Library)
    • webdriver-manager-12.0.6.tgz
      • adm-zip-0.4.7.tgz (Vulnerable Library)

Found in HEAD commit: c6aca37f442da8c55a02d7c53ccc58100ab004f3

Found in base branch: labs/router

Vulnerability Details

adm-zip npm library before 0.4.9 is vulnerable to directory traversal, allowing attackers to write to arbitrary files via a ../ (dot dot slash) in a Zip archive entry that is mishandled during extraction. This vulnerability is also known as 'Zip-Slip'.

Publish Date: 2018-07-25

URL: CVE-2018-1002204

CVSS 3 Score Details (5.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: High
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2018-1002204

Release Date: 2018-07-25

Fix Resolution (adm-zip): 0.4.9

Direct dependency fix Resolution (protractor): 5.4.4


WS-2017-3757 (Medium) detected in content-type-parser-1.0.2.tgz - autoclosed

WS-2017-3757 - Medium Severity Vulnerability

Vulnerable Library - content-type-parser-1.0.2.tgz

Parse the value of the Content-Type header

Library home page: https://registry.npmjs.org/content-type-parser/-/content-type-parser-1.0.2.tgz

Path to dependency file: /aio/package.json

Path to vulnerable library: /aio/node_modules/content-type-parser/package.json

Dependency Hierarchy:

  • jsdom-9.12.0.tgz (Root Library)
    • content-type-parser-1.0.2.tgz (Vulnerable Library)

Found in HEAD commit: c6aca37f442da8c55a02d7c53ccc58100ab004f3

Found in base branch: labs/router

Vulnerability Details

All versions of the content-type-parser npm package prior to 2.0.0 are vulnerable to ReDoS in the parser. The vulnerability was fixed by replacing the parser with a new implementation and deleting the old one.

Publish Date: 2017-12-10

URL: WS-2017-3757

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Release Date: 2017-12-10

Fix Resolution: v2.0.0


CVE-2019-8331 (Medium) detected in bootstrap-3.3.7.js - autoclosed

CVE-2019-8331 - Medium Severity Vulnerability

Vulnerable Library - bootstrap-3.3.7.js

The most popular front-end framework for developing responsive, mobile first projects on the web.

Library home page: https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/3.3.7/js/bootstrap.js

Path to dependency file: angular/aio/node_modules/lighthouse/docs/recipes/gulp/public/index.html

Path to vulnerable library: angular/aio/node_modules/lighthouse/docs/recipes/gulp/public/index.html

Dependency Hierarchy:

  • bootstrap-3.3.7.js (Vulnerable Library)

Found in HEAD commit: c6aca37f442da8c55a02d7c53ccc58100ab004f3

Found in base branch: labs/router

Vulnerability Details

In Bootstrap before 3.4.1 and 4.3.x before 4.3.1, XSS is possible in the tooltip or popover data-template attribute.

Publish Date: 2019-02-20

URL: CVE-2019-8331

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: twbs/bootstrap#28236

Release Date: 2019-02-20

Fix Resolution: bootstrap - 3.4.1,4.3.1;bootstrap-sass - 3.4.1,4.3.1


CVE-2018-20834 (High) detected in tar-2.2.1.tgz - autoclosed

CVE-2018-20834 - High Severity Vulnerability

Vulnerable Library - tar-2.2.1.tgz

tar for node

Library home page: https://registry.npmjs.org/tar/-/tar-2.2.1.tgz

Path to dependency file: /integration/hello_world__systemjs_umd/package.json

Path to vulnerable library: /integration/hello_world__systemjs_umd/node_modules/tar/package.json,/integration/injectable-def/node_modules/tar/package.json,/integration/cli-hello-world/node_modules/tar/package.json

Dependency Hierarchy:

  • @angular-devkit/build-angular@file:../../node_modules/-0.900.0-rc.11.tgz (Root Library)
    • webpack-4.41.2.tgz
      • watchpack-1.6.0.tgz
        • chokidar-2.0.3.tgz
          • fsevents-1.1.3.tgz
            • node-pre-gyp-0.6.39.tgz
              • tar-2.2.1.tgz (Vulnerable Library)

Found in HEAD commit: c6aca37f442da8c55a02d7c53ccc58100ab004f3

Found in base branch: labs/router

Vulnerability Details

A vulnerability was found in node-tar before version 4.4.2 (excluding version 2.2.2). An Arbitrary File Overwrite issue exists when extracting a tarball containing a hardlink to a file that already exists on the system, followed by a plain file with the same name as the hardlink: the plain file's content is written through the link and replaces the existing file's content. The fix was also backported to node-tar 2.2.2.

Publish Date: 2019-04-30

URL: CVE-2018-20834

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: High
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20834

Release Date: 2019-04-30

Fix Resolution: 2.2.2,4.4.2



CVE-2018-21270 (Medium) detected in stringstream-0.0.5.tgz - autoclosed

CVE-2018-21270 - Medium Severity Vulnerability

Vulnerable Library - stringstream-0.0.5.tgz

Encode and decode streams into string streams

Library home page: https://registry.npmjs.org/stringstream/-/stringstream-0.0.5.tgz

Path to dependency file: /integration/injectable-def/package.json

Path to vulnerable library: /integration/injectable-def/node_modules/stringstream/package.json,/integration/cli-hello-world/node_modules/stringstream/package.json

Dependency Hierarchy:

  • @angular-devkit/build-angular@file:../../node_modules/-0.900.0-rc.11.tgz (Root Library)
    • webpack-4.41.2.tgz
      • watchpack-1.6.0.tgz
        • chokidar-2.0.3.tgz
          • fsevents-1.1.3.tgz
            • node-pre-gyp-0.6.39.tgz
              • request-2.81.0.tgz
                • stringstream-0.0.5.tgz (Vulnerable Library)

Found in HEAD commit: c6aca37f442da8c55a02d7c53ccc58100ab004f3

Found in base branch: labs/router

Vulnerability Details

Versions less than 0.0.6 of the Node.js stringstream module are vulnerable to an out-of-bounds read because of allocation of uninitialized buffers when a number is passed in the input stream (when using Node.js 4.x).

Publish Date: 2020-12-03

URL: CVE-2018-21270

CVSS 3 Score Details (6.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-21270

Release Date: 2020-12-03

Fix Resolution: 0.0.6


WS-2018-0015 (Medium) detected in angular-1.5.11.tgz - autoclosed

WS-2018-0015 - Medium Severity Vulnerability

Vulnerable Library - angular-1.5.11.tgz

HTML enhanced for web apps

Library home page: https://registry.npmjs.org/angular/-/angular-1.5.11.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/angular-1.5@npm:angular/package.json

Dependency Hierarchy:

  • angular-1.5.11.tgz (Vulnerable Library)

Found in HEAD commit: c6aca37f442da8c55a02d7c53ccc58100ab004f3

Found in base branch: labs/router

Vulnerability Details

On Firefox there is a XSS vulnerability in case a malicious attacker can write into the xml:base attribute on an SVG anchor.

Publish Date: 2018-01-06

URL: WS-2018-0015

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Release Date: 2018-01-06

Fix Resolution: 1.6.9


WS-2018-0001 (Medium) detected in angular-1.5.11.tgz - autoclosed

WS-2018-0001 - Medium Severity Vulnerability

Vulnerable Library - angular-1.5.11.tgz

HTML enhanced for web apps

Library home page: https://registry.npmjs.org/angular/-/angular-1.5.11.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/angular-1.5@npm:angular/package.json

Dependency Hierarchy:

  • angular-1.5.11.tgz (Vulnerable Library)

Found in HEAD commit: c6aca37f442da8c55a02d7c53ccc58100ab004f3

Found in base branch: labs/router

Vulnerability Details

JSONP allows untrusted resource URLs, which provides a vector for attack by malicious actors.

Publish Date: 2016-09-20

URL: WS-2018-0001

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: GHSA-28hp-fgcr-2r4h

Release Date: 2016-09-20

Fix Resolution: 1.6.0-rc.0


WS-2018-0590 (High) detected in multiple libraries - autoclosed

WS-2018-0590 - High Severity Vulnerability

Vulnerable Libraries - diff-3.2.0.tgz, diff-1.4.0.tgz, diff-3.4.0.tgz

diff-3.2.0.tgz

A javascript text diff implementation.

Library home page: https://registry.npmjs.org/diff/-/diff-3.2.0.tgz

Path to dependency file: /packages/zone.js/package.json

Path to vulnerable library: /packages/zone.js/node_modules/diff/package.json

Dependency Hierarchy:

  • mocha-3.5.3.tgz (Root Library)
    • diff-3.2.0.tgz (Vulnerable Library)
diff-1.4.0.tgz

A javascript text diff implementation.

Library home page: https://registry.npmjs.org/diff/-/diff-1.4.0.tgz

Path to dependency file: /packages/zone.js/package.json

Path to vulnerable library: /packages/zone.js/node_modules/diff/package.json

Dependency Hierarchy:

  • promises-aplus-tests-2.1.2.tgz (Root Library)
    • mocha-2.5.3.tgz
      • diff-1.4.0.tgz (Vulnerable Library)
diff-3.4.0.tgz

A javascript text diff implementation.

Library home page: https://registry.npmjs.org/diff/-/diff-3.4.0.tgz

Path to dependency file: /integration/cli-hello-world/package.json

Path to vulnerable library: /integration/cli-hello-world/node_modules/diff/package.json

Dependency Hierarchy:

  • tslint-5.18.0.tgz (Root Library)
    • diff-3.4.0.tgz (Vulnerable Library)

Found in HEAD commit: c6aca37f442da8c55a02d7c53ccc58100ab004f3

Found in base branch: labs/router

Vulnerability Details

diff before v3.5.0 is vulnerable to Regular Expression Denial of Service (ReDoS) attacks.

Publish Date: 2018-03-05

URL: WS-2018-0590

CVSS 3 Score Details (7.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Release Date: 2018-03-05

Fix Resolution (diff): 3.5.0

Direct dependency fix Resolution (mocha): 5.0.3

Fix Resolution (diff): 3.5.0

Direct dependency fix Resolution (tslint): 5.19.0


CVE-2020-7751 (High) detected in pathval-1.1.0.tgz

CVE-2020-7751 - High Severity Vulnerability

Vulnerable Library - pathval-1.1.0.tgz

Object value retrieval given a string path

Library home page: https://registry.npmjs.org/pathval/-/pathval-1.1.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

  • chai-4.2.0.tgz (Root Library)
    • pathval-1.1.0.tgz (Vulnerable Library)

Found in HEAD commit: c6aca37f442da8c55a02d7c53ccc58100ab004f3

Found in base branch: labs/router

Vulnerability Details

pathval before version 1.1.1 is vulnerable to prototype pollution.

Publish Date: 2020-10-26

URL: CVE-2020-7751

CVSS 3 Score Details (7.2)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: High
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7751

Release Date: 2020-10-26

Fix Resolution (pathval): 1.1.1

Direct dependency fix Resolution (chai): 4.3.0



CVE-2020-7733 (High) detected in multiple libraries - autoclosed

CVE-2020-7733 - High Severity Vulnerability

Vulnerable Libraries - ua-parser-js-0.7.12.tgz, ua-parser-js-0.7.17.tgz, ua-parser-js-0.7.21.tgz

ua-parser-js-0.7.12.tgz

Lightweight JavaScript-based user-agent string parser

Library home page: https://registry.npmjs.org/ua-parser-js/-/ua-parser-js-0.7.12.tgz

Path to dependency file: /integration/injectable-def/package.json

Path to vulnerable library: /integration/injectable-def/node_modules/ua-parser-js/package.json,/integration/hello_world__systemjs_umd/node_modules/ua-parser-js/package.json

Dependency Hierarchy:

  • lite-server-2.2.2.tgz (Root Library)
    • browser-sync-2.23.6.tgz
      • ua-parser-js-0.7.12.tgz (Vulnerable Library)
ua-parser-js-0.7.17.tgz

Lightweight JavaScript-based user-agent string parser

Library home page: https://registry.npmjs.org/ua-parser-js/-/ua-parser-js-0.7.17.tgz

Path to dependency file: /integration/hello_world__closure/package.json

Path to vulnerable library: /integration/hello_world__closure/node_modules/ua-parser-js/package.json,/integration/ngcc/node_modules/ua-parser-js/package.json,/integration/dynamic-compiler/node_modules/ua-parser-js/package.json,/integration/i18n/node_modules/ua-parser-js/package.json,/integration/ng_elements/node_modules/ua-parser-js/package.json

Dependency Hierarchy:

  • lite-server-2.2.2.tgz (Root Library)
    • browser-sync-2.26.7.tgz
      • ua-parser-js-0.7.17.tgz (Vulnerable Library)
ua-parser-js-0.7.21.tgz

Lightweight JavaScript-based user-agent string parser

Library home page: https://registry.npmjs.org/ua-parser-js/-/ua-parser-js-0.7.21.tgz

Path to dependency file: /aio/package.json

Path to vulnerable library: /aio/node_modules/ua-parser-js/package.json

Dependency Hierarchy:

  • karma-5.1.1.tgz (Root Library)
    • ua-parser-js-0.7.21.tgz (Vulnerable Library)

Found in HEAD commit: c6aca37f442da8c55a02d7c53ccc58100ab004f3

Found in base branch: labs/router

Vulnerability Details

The ua-parser-js package before 0.7.22 is vulnerable to Regular Expression Denial of Service (ReDoS) via the regular expression for Redmi phone and Mi Pad tablet user-agent strings.

Publish Date: 2020-09-16

URL: CVE-2020-7733

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7733

Release Date: 2020-09-16

Fix Resolution (ua-parser-js): 0.7.22

Direct dependency fix Resolution (lite-server): 2.3.0

Fix Resolution (ua-parser-js): 0.7.22

Direct dependency fix Resolution (lite-server): 2.3.0

Fix Resolution (ua-parser-js): 0.7.22

Direct dependency fix Resolution (karma): 5.2.3



CVE-2018-20676 (Medium) detected in bootstrap-3.3.7.js - autoclosed

CVE-2018-20676 - Medium Severity Vulnerability

Vulnerable Library - bootstrap-3.3.7.js

The most popular front-end framework for developing responsive, mobile first projects on the web.

Library home page: https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/3.3.7/js/bootstrap.js

Path to dependency file: angular/aio/node_modules/lighthouse/docs/recipes/gulp/public/index.html

Path to vulnerable library: angular/aio/node_modules/lighthouse/docs/recipes/gulp/public/index.html

Dependency Hierarchy:

  • bootstrap-3.3.7.js (Vulnerable Library)

Found in HEAD commit: c6aca37f442da8c55a02d7c53ccc58100ab004f3

Found in base branch: labs/router

Vulnerability Details

In Bootstrap before 3.4.0, XSS is possible in the tooltip data-viewport attribute.

Publish Date: 2019-01-09

URL: CVE-2018-20676

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20676

Release Date: 2019-01-09

Fix Resolution: bootstrap - 3.4.0


CVE-2020-28168 (Medium) detected in axios-0.19.0.tgz, axios-0.18.1.tgz - autoclosed

CVE-2020-28168 - Medium Severity Vulnerability

Vulnerable Libraries - axios-0.19.0.tgz, axios-0.18.1.tgz

axios-0.19.0.tgz

Promise based HTTP client for the browser and node.js

Library home page: https://registry.npmjs.org/axios/-/axios-0.19.0.tgz

Path to dependency file: /integration/ngcc/package.json

Path to vulnerable library: /integration/ngcc/node_modules/axios/package.json,/integration/hello_world__closure/node_modules/axios/package.json,/integration/i18n/node_modules/axios/package.json,/integration/dynamic-compiler/node_modules/axios/package.json,/integration/ng_elements/node_modules/axios/package.json

Dependency Hierarchy:

  • lite-server-2.2.2.tgz (Root Library)
    • browser-sync-2.26.7.tgz
      • localtunnel-1.9.2.tgz
        • axios-0.19.0.tgz (Vulnerable Library)
axios-0.18.1.tgz

Promise based HTTP client for the browser and node.js

Library home page: https://registry.npmjs.org/axios/-/axios-0.18.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/axios/package.json

Dependency Hierarchy:

  • firebase-tools-7.16.2.tgz (Root Library)
    • google-auto-auth-0.10.1.tgz
      • google-auth-library-1.6.1.tgz
        • axios-0.18.1.tgz (Vulnerable Library)

Found in HEAD commit: c6aca37f442da8c55a02d7c53ccc58100ab004f3

Found in base branch: labs/router

Vulnerability Details

Axios NPM package 0.21.0 contains a Server-Side Request Forgery (SSRF) vulnerability where an attacker is able to bypass a proxy by providing a URL that responds with a redirect to a restricted host or IP address.

Publish Date: 2020-11-06

URL: CVE-2020-28168

CVSS 3 Score Details (5.9)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None


Suggested Fix

Type: Upgrade version

Release Date: 2020-11-06

Fix Resolution (axios): 0.21.1

Direct dependency fix Resolution (lite-server): 2.3.0

Fix Resolution (axios): 0.21.1

Direct dependency fix Resolution (firebase-tools): 8.0.0


WS-2018-0084 (High) detected in sshpk-1.13.1.tgz - autoclosed

WS-2018-0084 - High Severity Vulnerability

Vulnerable Library - sshpk-1.13.1.tgz

A library for finding and using SSH public keys

Library home page: https://registry.npmjs.org/sshpk/-/sshpk-1.13.1.tgz

Path to dependency file: angular/integration/hello_world__systemjs_umd/package.json

Path to vulnerable library: angular/integration/hello_world__systemjs_umd/node_modules/sshpk/package.json,angular/integration/injectable-def/node_modules/sshpk/package.json

Dependency Hierarchy:

  • protractor-5.4.3.tgz (Root Library)
    • webdriver-manager-12.1.7.tgz
      • request-2.88.0.tgz
        • http-signature-1.2.0.tgz
          • sshpk-1.13.1.tgz (Vulnerable Library)

Found in HEAD commit: c6aca37f442da8c55a02d7c53ccc58100ab004f3

Found in base branch: labs/router

Vulnerability Details

Versions of sshpk before 1.14.1 are vulnerable to regular expression denial of service when parsing crafted invalid public keys.

Publish Date: 2018-04-25

URL: WS-2018-0084

CVSS 2 Score Details (8.0)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: https://nodesecurity.io/advisories/606

Release Date: 2018-01-27

Fix Resolution: 1.14.1

