turkdevops / angular-cli
This project forked from angular/angular-cli
CLI tool for Angular
Home Page: https://cli.angular.io
License: MIT License
This affects the package glob-parent before 5.1.2. The enclosure regex is used to check for strings ending in an enclosure that contains a path separator.
Publish Date: 2021-06-03
URL: CVE-2020-28469
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28469
Release Date: 2021-06-03
Fix Resolution: glob-parent - 5.1.2
Step up your Open Source Security Game with WhiteSource here
DOMPurify is a DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathML and SVG. It's written in JavaScript and works in all modern browsers (Safari, Opera (15+), Internet Explorer (10+), Firefox and Chrome - as well as almost anything else usin
Library home page: https://registry.npmjs.org/dompurify/-/dompurify-2.0.8.tgz
Path to dependency file: angular-cli/node_modules/dompurify/package.json
Path to vulnerable library: angular-cli/node_modules/dompurify/package.json
Dependency Hierarchy:
Found in HEAD commit: df8abeb8e49f7a19502084e835c603107b21e7a3
Found in base branch: 11.2.x
Cure53 DOMPurify before 2.0.17 allows mutation XSS. This occurs because a serialize-parse roundtrip does not necessarily return the original DOM tree, and a namespace can change from HTML to MathML, as demonstrated by nesting of FORM elements.
Publish Date: 2020-10-07
URL: CVE-2020-26870
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26870
Release Date: 2020-10-07
Fix Resolution: 2.0.17
Lodash modular utilities.
Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.20.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
Found in HEAD commit: df8abeb8e49f7a19502084e835c603107b21e7a3
Found in base branch: master
Lodash versions prior to 4.17.21 are vulnerable to Regular Expression Denial of Service (ReDoS) via the toNumber, trim and trimEnd functions.
Mend Note: After conducting further research, Mend has determined that CVE-2020-28500 only affects environments with versions 4.0.0 to 4.17.20 of Lodash.
Publish Date: 2021-02-15
URL: CVE-2020-28500
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28500
Release Date: 2021-02-15
Fix Resolution: lodash - 4.17.21
Share target browsers between different front-end tools, like Autoprefixer, Stylelint and babel-env-preset
Library home page: https://registry.npmjs.org/browserslist/-/browserslist-4.16.3.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
Found in base branch: master
The package browserslist from 4.0.0 and before 4.16.5 is vulnerable to Regular Expression Denial of Service (ReDoS) during parsing of queries.
Publish Date: 2021-04-28
URL: CVE-2021-23364
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23364
Release Date: 2021-04-28
Fix Resolution: browserslist - 4.16.5
Serialize JavaScript to a superset of JSON that includes regular expressions and functions.
Library home page: https://registry.npmjs.org/serialize-javascript/-/serialize-javascript-2.1.2.tgz
Path to dependency file: /integration/angular_cli/package.json
Path to vulnerable library: /integration/angular_cli/node_modules/serialize-javascript/package.json
Dependency Hierarchy:
Found in HEAD commit: df8abeb8e49f7a19502084e835c603107b21e7a3
Found in base branch: master
serialize-javascript prior to 3.1.0 allows remote attackers to inject arbitrary code via the function "deleteFunctions" within "index.js".
Publish Date: 2020-06-01
URL: CVE-2020-7660
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7660
Release Date: 2020-06-08
Fix Resolution (serialize-javascript): 3.1.0
Direct dependency fix Resolution (@angular-devkit/build-angular): 13.3.3
node.js realtime framework server
Library home page: https://registry.npmjs.org/socket.io/-/socket.io-2.1.1.tgz
Path to dependency file: /integration/angular_cli/package.json
Path to vulnerable library: /integration/angular_cli/node_modules/socket.io/package.json
Dependency Hierarchy:
Found in HEAD commit: df8abeb8e49f7a19502084e835c603107b21e7a3
Found in base branch: master
The package socket.io before 2.4.0 is vulnerable to Insecure Defaults due to CORS Misconfiguration. All domains are whitelisted by default.
Publish Date: 2021-01-19
URL: CVE-2020-28481
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28481
Release Date: 2021-01-19
Fix Resolution (socket.io): 2.4.0
Direct dependency fix Resolution (karma): 6.3.18
XMLHttpRequest for Node
Library home page: https://registry.npmjs.org/xmlhttprequest-ssl/-/xmlhttprequest-ssl-1.5.5.tgz
Path to dependency file: /integration/angular_cli/package.json
Path to vulnerable library: /integration/angular_cli/node_modules/xmlhttprequest-ssl/package.json
Dependency Hierarchy:
Found in HEAD commit: 42226b16f150933b32ae8dacd2e30b740cd65f79
Found in base branch: master
This affects the package xmlhttprequest before 1.7.0; all versions of package xmlhttprequest-ssl. Provided requests are sent synchronously (async=False on xhr.open), malicious user input flowing into xhr.send could result in arbitrary code being injected and run.
Publish Date: 2021-03-05
URL: CVE-2020-28502
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-h4j5-c7cj-74xg
Release Date: 2021-03-05
Fix Resolution (xmlhttprequest-ssl): 1.6.1
Direct dependency fix Resolution (karma): 6.3.18
URI.js is a Javascript library for working with URLs.
Library home page: https://registry.npmjs.org/urijs/-/urijs-1.19.5.tgz
Path to dependency file: angular-cli/node_modules/urijs/package.json
Path to vulnerable library: angular-cli/node_modules/urijs/package.json
Dependency Hierarchy:
Found in HEAD commit: df8abeb8e49f7a19502084e835c603107b21e7a3
Found in base branch: 11.2.x
URI.js (aka urijs) before 1.19.6 mishandles certain uses of backslash such as http:\/ and interprets the URI as a relative path.
Publish Date: 2021-02-22
URL: CVE-2021-27516
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-27516
Release Date: 2021-02-22
Fix Resolution: 1.19.6
Lightweight JavaScript-based user-agent string parser
Library home page: https://registry.npmjs.org/ua-parser-js/-/ua-parser-js-0.7.23.tgz
Path to dependency file: angular-cli/node_modules/ua-parser-js/package.json
Path to vulnerable library: angular-cli/node_modules/ua-parser-js/package.json
Dependency Hierarchy:
Found in HEAD commit: 42226b16f150933b32ae8dacd2e30b740cd65f79
Found in base branch: 11.2.x
ua-parser-js >= 0.7.14, fixed in 0.7.24, uses a regular expression which is vulnerable to denial of service. If an attacker sends a malicious User-Agent header, ua-parser-js will get stuck processing it for an extended period of time.
Publish Date: 2021-03-17
URL: CVE-2021-27292
Base Score Metrics:
Type: Upgrade version
Origin: https://github.com/faisalman/ua-parser-js/releases/tag/0.7.24
Release Date: 2021-03-17
Fix Resolution: ua-parser-js - 0.7.24
Provides metadata and conversions from repository urls for Github, Bitbucket and Gitlab
Library home page: https://registry.npmjs.org/hosted-git-info/-/hosted-git-info-2.8.8.tgz
Path to dependency file: /integration/angular_cli/package.json
Path to vulnerable library: /integration/angular_cli/node_modules/hosted-git-info/package.json,/node_modules/hosted-git-info/package.json
Dependency Hierarchy:
Provides metadata and conversions from repository urls for Github, Bitbucket and Gitlab
Library home page: https://registry.npmjs.org/hosted-git-info/-/hosted-git-info-3.0.4.tgz
Path to dependency file: /integration/angular_cli/package.json
Path to vulnerable library: /integration/angular_cli/node_modules/hosted-git-info/package.json
Dependency Hierarchy:
Found in HEAD commit: 42226b16f150933b32ae8dacd2e30b740cd65f79
Found in base branch: master
The package hosted-git-info before 3.0.8 is vulnerable to Regular Expression Denial of Service (ReDoS) via the regular expression shortcutMatch in the fromUrl function in index.js. The affected regular expression exhibits polynomial worst-case time complexity.
Publish Date: 2021-03-23
URL: CVE-2021-23362
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-43f8-2h32-f4cj
Release Date: 2021-03-23
Fix Resolution (hosted-git-info): 3.0.8
Direct dependency fix Resolution (@angular/cli): 13.3.3
Fetch-based http client for use with npm registry APIs
Library home page: https://registry.npmjs.org/npm-registry-fetch/-/npm-registry-fetch-4.0.3.tgz
Path to dependency file: /integration/angular_cli/package.json
Path to vulnerable library: /integration/angular_cli/node_modules/npm-registry-fetch/package.json
Dependency Hierarchy:
Found in HEAD commit: df8abeb8e49f7a19502084e835c603107b21e7a3
Found in base branch: master
npm-registry-fetch before 4.0.5 and 8.1.1 is vulnerable to an information exposure vulnerability through log files.
Publish Date: 2020-07-07
URL: WS-2020-0127
Base Score Metrics:
Type: Upgrade version
Origin: https://www.npmjs.com/advisories/1544
Release Date: 2020-07-07
Fix Resolution (npm-registry-fetch): 4.0.5
Direct dependency fix Resolution (@angular/cli): 13.3.3
The normalize-url package before 4.5.1, 5.x before 5.3.1, and 6.x before 6.0.1 for Node.js has a ReDoS (regular expression denial of service) issue because it has exponential performance for data: URLs.
Publish Date: 2021-05-24
URL: CVE-2021-33502
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33502
Release Date: 2021-05-24
Fix Resolution: normalize-url - 4.5.1, 5.3.1, 6.0.1
the mighty option parser used by yargs
Library home page: https://registry.npmjs.org/yargs-parser/-/yargs-parser-11.1.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/yargs-parser/package.json
Dependency Hierarchy:
Found in HEAD commit: df8abeb8e49f7a19502084e835c603107b21e7a3
Found in base branch: master
yargs-parser could be tricked into adding or modifying properties of Object.prototype using a "__proto__" payload.
Publish Date: 2020-03-16
URL: CVE-2020-7608
Base Score Metrics:
Type: Upgrade version
Origin: yargs/yargs-parser@63810ca
Release Date: 2020-03-16
Fix Resolution: 5.0.1;13.1.2;15.0.1;18.1.1
Serialize JavaScript to a superset of JSON that includes regular expressions and functions.
Library home page: https://registry.npmjs.org/serialize-javascript/-/serialize-javascript-1.9.1.tgz
Path to dependency file: angular-cli/tests/legacy-cli/e2e/assets/8.0-project/node_modules/serialize-javascript/package.json
Path to vulnerable library: angular-cli/tests/legacy-cli/e2e/assets/8.0-project/node_modules/serialize-javascript/package.json
Dependency Hierarchy:
Found in HEAD commit: df8abeb8e49f7a19502084e835c603107b21e7a3
Found in base branch: 11.2.x
The serialize-javascript npm package before version 2.1.1 is vulnerable to Cross-site Scripting (XSS). It does not properly mitigate against unsafe characters in serialized regular expressions. This vulnerability is not affected on Node.js environment since Node.js's implementation of RegExp.prototype.toString() backslash-escapes all forward slashes in regular expressions. If serialized data of regular expression objects are used in an environment other than Node.js, it is affected by this vulnerability.
Publish Date: 2019-12-05
URL: CVE-2019-16769
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16769
Release Date: 2019-12-05
Fix Resolution: v2.1.1
Check if a string or buffer is SVG
Library home page: https://registry.npmjs.org/is-svg/-/is-svg-3.0.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/is-svg/package.json,/integration/angular_cli/node_modules/is-svg/package.json
Dependency Hierarchy:
Found in HEAD commit: 42226b16f150933b32ae8dacd2e30b740cd65f79
Found in base branch: master
The is-svg package 2.1.0 through 4.2.1 for Node.js uses a regular expression that is vulnerable to Regular Expression Denial of Service (ReDoS). If an attacker provides a malicious string, is-svg will get stuck processing the input for a very long time.
Publish Date: 2021-03-12
URL: CVE-2021-28092
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28092
Release Date: 2021-03-12
Fix Resolution (is-svg): 4.2.2
Direct dependency fix Resolution (@angular-devkit/build-angular): 13.3.3
JavaScript library for DOM operations
Library home page: https://registry.npmjs.org/jquery/-/jquery-3.3.1.tgz
Path to vulnerable library: /node_modules/verdaccio/docker-examples/v4/multi-registry-uplink/server2/storage/jquery/jquery-3.3.1.tgz,/node_modules/verdaccio/docker-examples/v4/multi-registry-uplink/server1/storage/jquery/jquery-3.3.1.tgz
Dependency Hierarchy:
Found in HEAD commit: 3339b0ce4dc0bccc3d3c2a6113bb3f40e91a5b27
Found in base branch: master
jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. If an unsanitized source object contained an enumerable __proto__ property, it could extend the native Object.prototype.
Publish Date: 2019-04-20
URL: CVE-2019-11358
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11358
Release Date: 2019-04-20
Fix Resolution: 3.4.0
JavaScript library for DOM operations
Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.4.4/jquery.min.js
Path to dependency file: /node_modules/@angular/dev-infra-private/node_modules/selenium-webdriver/lib/test/data/mousePositionTracker.html
Path to vulnerable library: /node_modules/@angular/dev-infra-private/node_modules/selenium-webdriver/lib/test/data/js/jquery-1.4.4.min.js,/node_modules/selenium-webdriver/lib/test/data/js/jquery-1.4.4.min.js,/node_modules/@angular/dev-infra-private/node_modules/protractor/node_modules/selenium-webdriver/lib/test/data/js/jquery-1.4.4.min.js
Dependency Hierarchy:
Found in HEAD commit: df8abeb8e49f7a19502084e835c603107b21e7a3
Found in base branch: master
Cross-site scripting (XSS) vulnerability in jQuery before 1.6.3, when using location.hash to select elements, allows remote attackers to inject arbitrary web script or HTML via a crafted tag.
Publish Date: 2013-03-08
URL: CVE-2011-4969
Base Score Metrics:
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2011-4969
Release Date: 2013-03-08
Fix Resolution: 1.6.3
Library home page: https://download.qt.io/official_releases/qt/
Found in HEAD commit: af8cc93d4e91785afa008f694c7e953122f7c8b7
Found in base branch: master
ctorName in index.js in kind-of v6.0.2 allows external user input to overwrite certain internal attributes via a conflicting name, as demonstrated by 'constructor': {'name':'Symbol'}. Hence, a crafted payload can overwrite this builtin attribute to manipulate the type detection result.
Publish Date: 2019-12-30
URL: CVE-2019-20149
Base Score Metrics:
Type: Upgrade version
Origin: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-20149
Release Date: 2020-08-24
Fix Resolution: 6.0.3
An ini encoder/decoder for node
Library home page: https://registry.npmjs.org/ini/-/ini-1.3.5.tgz
Path to dependency file: /integration/angular_cli/package.json
Path to vulnerable library: /integration/angular_cli/node_modules/ini/package.json
Dependency Hierarchy:
Found in HEAD commit: df8abeb8e49f7a19502084e835c603107b21e7a3
Found in base branch: master
This affects the package ini before 1.3.6. If an attacker submits a malicious INI file to an application that parses it with ini.parse, they will pollute the prototype on the application. This can be exploited further depending on the context.
Publish Date: 2020-12-11
URL: CVE-2020-7788
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7788
Release Date: 2020-12-11
Fix Resolution (ini): 1.3.6
Direct dependency fix Resolution (@angular/cli): 13.3.3
Small footprint URL parser that works seamlessly across Node.js and browser environments
Library home page: https://registry.npmjs.org/url-parse/-/url-parse-1.4.7.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
Found in HEAD commit: df8abeb8e49f7a19502084e835c603107b21e7a3
Found in base branch: master
url-parse before 1.5.0 mishandles certain uses of backslash such as http:\/ and interprets the URI as a relative path.
Publish Date: 2021-02-22
URL: CVE-2021-27515
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-27515
Release Date: 2021-02-22
Fix Resolution: 1.5.0
Strips glob magic from a string to provide the parent directory path
Library home page: https://registry.npmjs.org/glob-parent/-/glob-parent-3.1.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
Extract the non-magic parent path from a glob string.
Library home page: https://registry.npmjs.org/glob-parent/-/glob-parent-5.1.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
Found in base branch: master
This affects the package glob-parent before 5.1.2. The enclosure regex is used to check for strings ending in an enclosure that contains a path separator.
Publish Date: 2021-06-03
URL: CVE-2020-28469
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28469
Release Date: 2021-06-03
Fix Resolution: glob-parent - 5.1.2
JavaScript library for DOM operations
Library home page: https://registry.npmjs.org/jquery/-/jquery-3.3.1.tgz
Path to vulnerable library: /node_modules/verdaccio/docker-examples/v4/multi-registry-uplink/server2/storage/jquery/jquery-3.3.1.tgz,/node_modules/verdaccio/docker-examples/v4/multi-registry-uplink/server1/storage/jquery/jquery-3.3.1.tgz
Dependency Hierarchy:
Found in HEAD commit: df8abeb8e49f7a19502084e835c603107b21e7a3
Found in base branch: master
In jQuery versions greater than or equal to 1.2 and before 3.5.0, passing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (e.g. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.
Publish Date: 2020-04-29
URL: CVE-2020-11022
Base Score Metrics:
Type: Upgrade version
Origin: https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/
Release Date: 2020-04-29
Fix Resolution: 3.5.0
Lodash modular utilities.
Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.15.tgz
Path to dependency file: angular-cli/integration/angular_cli/node_modules/lodash/package.json
Path to vulnerable library: angular-cli/integration/angular_cli/node_modules/lodash/package.json
Dependency Hierarchy:
Found in HEAD commit: df8abeb8e49f7a19502084e835c603107b21e7a3
Found in base branch: 11.2.x
Prototype pollution attack when using _.zipObjectDeep in lodash before 4.17.20.
Publish Date: 2020-07-15
URL: CVE-2020-8203
Base Score Metrics:
Type: Upgrade version
Origin: https://www.npmjs.com/advisories/1523
Release Date: 2020-07-23
Fix Resolution: lodash - 4.17.19
evaluate statically-analyzable expressions
Library home page: https://registry.npmjs.org/static-eval/-/static-eval-2.1.0.tgz
Path to dependency file: angular-cli/node_modules/static-eval/package.json
Path to vulnerable library: angular-cli/node_modules/static-eval/package.json
Dependency Hierarchy:
Found in HEAD commit: df8abeb8e49f7a19502084e835c603107b21e7a3
Found in base branch: renovate/angular
All versions of package static-eval are vulnerable to Arbitrary Code Execution using FunctionExpressions and TemplateLiterals. PoC: var evaluate = require('static-eval'); var parse = require('esprima').parse; var src="(function (x) { return ${eval("console.log(global.process.mainModule.constructor._load('child_process').execSync('ls').toString())")} })()" var ast = parse(src).body[0].expression; evaluate(ast)
Publish Date: 2021-02-11
URL: CVE-2021-23334
Base Score Metrics:
A W3C Standard XML DOM(Level2 CORE) implementation and parser(DOMParser/XMLSerializer).
Library home page: https://registry.npmjs.org/xmldom/-/xmldom-0.1.31.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/xmldom/package.json
Dependency Hierarchy:
Found in HEAD commit: 42226b16f150933b32ae8dacd2e30b740cd65f79
Found in base branch: master
xmldom is a pure JavaScript W3C standard-based (XML DOM Level 2 Core) DOMParser and XMLSerializer module. xmldom versions 0.4.0 and older do not correctly preserve system identifiers, FPIs or namespaces when repeatedly parsing and serializing maliciously crafted documents. This may lead to unexpected syntactic changes during XML processing in some downstream applications. This is fixed in version 0.5.0. As a workaround downstream applications can validate the input and reject the maliciously crafted documents.
Publish Date: 2021-03-12
URL: CVE-2021-21366
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-h6q6-9hqw-rwfv
Release Date: 2021-03-12
Fix Resolution (xmldom): 0.5.0
Direct dependency fix Resolution (@bazel/jasmine): 3.2.3
kill trees of processes
Library home page: https://registry.npmjs.org/tree-kill/-/tree-kill-1.2.1.tgz
Path to dependency file: angular-cli/tests/legacy-cli/e2e/assets/8.0-project/node_modules/tree-kill/package.json
Path to vulnerable library: angular-cli/tests/legacy-cli/e2e/assets/8.0-project/node_modules/tree-kill/package.json
Dependency Hierarchy:
Found in HEAD commit: df8abeb8e49f7a19502084e835c603107b21e7a3
Found in base branch: 11.2.x
A Code Injection exists in tree-kill on Windows which allows a remote code execution when an attacker is able to control the input into the command.
Publish Date: 2019-12-18
URL: CVE-2019-15599
Base Score Metrics:
Type: Upgrade version
Origin: https://hackerone.com/reports/701183
Release Date: 2019-12-18
Fix Resolution: tree-kill - 1.2.2
JavaScript implementations of network transports, cryptography, ciphers, PKI, message digests, and various utilities.
Library home page: https://registry.npmjs.org/node-forge/-/node-forge-0.9.0.tgz
Path to dependency file: /integration/angular_cli/package.json
Path to vulnerable library: /integration/angular_cli/node_modules/node-forge/package.json
Dependency Hierarchy:
Found in HEAD commit: df8abeb8e49f7a19502084e835c603107b21e7a3
Found in base branch: master
The package node-forge before 0.10.0 is vulnerable to Prototype Pollution via the util.setPath function. Note: Version 0.10.0 is a breaking change removing the vulnerable functions.
Publish Date: 2020-09-01
URL: CVE-2020-7720
Base Score Metrics:
Type: Upgrade version
Origin: https://github.com/digitalbazaar/forge/blob/master/CHANGELOG.md
Release Date: 2020-09-01
Fix Resolution (node-forge): 0.10.0
Direct dependency fix Resolution (@angular-devkit/build-angular): 13.3.3
SockJS-node is a server counterpart of SockJS-client a JavaScript library that provides a WebSocket-like object in the browser. SockJS gives you a coherent, cross-browser, Javascript API which creates a low latency, full duplex, cross-domain communication
Library home page: https://registry.npmjs.org/sockjs/-/sockjs-0.3.19.tgz
Path to dependency file: angular-cli/integration/angular_cli/node_modules/sockjs/package.json
Path to vulnerable library: angular-cli/integration/angular_cli/node_modules/sockjs/package.json,angular-cli/tests/legacy-cli/e2e/assets/8.0-project/node_modules/sockjs/package.json
Dependency Hierarchy:
Found in HEAD commit: df8abeb8e49f7a19502084e835c603107b21e7a3
Found in base branch: 11.2.x
Incorrect handling of the Upgrade header with the value websocket leads to crashes of containers hosting sockjs apps. This affects the package sockjs before 0.3.20.
Publish Date: 2020-07-09
URL: CVE-2020-7693
Base Score Metrics:
Type: Upgrade version
Origin: sockjs/sockjs-node#265
Release Date: 2020-07-09
Fix Resolution: sockjs - 0.3.20
EC cryptography
Library home page: https://registry.npmjs.org/elliptic/-/elliptic-6.5.2.tgz
Path to dependency file: /integration/angular_cli/package.json
Path to vulnerable library: /integration/angular_cli/node_modules/elliptic/package.json
Dependency Hierarchy:
Found in HEAD commit: df8abeb8e49f7a19502084e835c603107b21e7a3
Found in base branch: master
All versions of elliptic are vulnerable to Timing Attack through side-channels.
Publish Date: 2019-11-13
URL: WS-2019-0424
Base Score Metrics:
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/WS-2019-0424
Release Date: 2019-11-13
Fix Resolution (elliptic): 6.5.3
Direct dependency fix Resolution (@angular-devkit/build-angular): 13.3.3
Lodash modular utilities.
Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.20.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
Found in HEAD commit: df8abeb8e49f7a19502084e835c603107b21e7a3
Found in base branch: master
Lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function.
Publish Date: 2021-02-15
URL: CVE-2021-23337
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-35jh-r3h4-6jhm
Release Date: 2021-02-15
Fix Resolution: lodash - 4.17.21, lodash-es - 4.17.21
Standard Subresource Integrity library -- parses, serializes, generates, and verifies integrity metadata according to the SRI spec.
Library home page: https://registry.npmjs.org/ssri/-/ssri-8.0.0.tgz
Path to dependency file: /integration/angular_cli/package.json
Path to vulnerable library: /integration/angular_cli/node_modules/ssri/package.json
Dependency Hierarchy:
Standard Subresource Integrity library -- parses, serializes, generates, and verifies integrity metadata according to the SRI spec.
Library home page: https://registry.npmjs.org/ssri/-/ssri-5.3.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/ssri/package.json
Dependency Hierarchy:
Found in HEAD commit: 42226b16f150933b32ae8dacd2e30b740cd65f79
Found in base branch: master
ssri 5.2.2-8.0.0, fixed in 8.0.1, processes SRIs using a regular expression which is vulnerable to a denial of service. Malicious SRIs could take an extremely long time to process, leading to denial of service. This issue only affects consumers using the strict option.
Publish Date: 2021-03-12
URL: CVE-2021-27290
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-vx3p-948g-6vhq
Release Date: 2021-03-12
Fix Resolution (ssri): 8.0.1
Direct dependency fix Resolution (@angular-devkit/build-angular): 13.3.3
A light-weight module that brings window.fetch to node.js and io.js
Library home page: https://registry.npmjs.org/node-fetch/-/node-fetch-1.7.3.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/node-fetch/package.json
Dependency Hierarchy:
Found in HEAD commit: df8abeb8e49f7a19502084e835c603107b21e7a3
Found in base branch: master
node-fetch before versions 2.6.1 and 3.0.0-beta.9 did not honor the size option after following a redirect, which means that when a content size was over the limit, a FetchError would never get thrown and the process would end without failure. For most people, this fix will have little or no impact. However, if you are relying on node-fetch to gate files above a size, the impact could be significant, for example: If you don't double-check the size of the data after fetch() has completed, your JS thread could get tied up doing work on a large file (DoS) and/or cost you money in computing.
Publish Date: 2020-09-10
URL: CVE-2020-15168
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-w7rc-rwvf-8q5r
Release Date: 2020-09-17
Fix Resolution: 2.6.1,3.0.0-beta.9
The realtime engine behind Socket.IO. Provides the foundation of a bidirectional connection between client and server
Library home page: https://registry.npmjs.org/engine.io/-/engine.io-3.2.1.tgz
Path to dependency file: /integration/angular_cli/package.json
Path to vulnerable library: /integration/angular_cli/node_modules/engine.io/package.json
Dependency Hierarchy:
Found in HEAD commit: df8abeb8e49f7a19502084e835c603107b21e7a3
Found in base branch: master
Engine.IO before 4.0.0 allows attackers to cause a denial of service (resource consumption) via a POST request to the long polling transport.
Publish Date: 2021-01-08
URL: CVE-2020-36048
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-36048
Release Date: 2021-01-08
Fix Resolution (engine.io): 4.0.0-alpha.0
Direct dependency fix Resolution (karma): 6.3.18
HTTP proxying for the masses
Library home page: https://registry.npmjs.org/http-proxy/-/http-proxy-1.18.0.tgz
Path to dependency file: /integration/angular_cli/package.json
Path to vulnerable library: /integration/angular_cli/node_modules/http-proxy/package.json
Dependency Hierarchy:
Found in HEAD commit: df8abeb8e49f7a19502084e835c603107b21e7a3
Found in base branch: master
Versions of http-proxy prior to 1.18.1 are vulnerable to Denial of Service. An HTTP request with a long body triggers an ERR_HTTP_HEADERS_SENT unhandled exception that crashes the proxy server. This is only possible when the proxy server sets headers in the proxy request using the proxyReq.setHeader function.
Publish Date: 2020-05-14
URL: WS-2020-0091
Base Score Metrics:
Type: Upgrade version
Origin: https://www.npmjs.com/advisories/1486
Release Date: 2020-05-14
Fix Resolution (http-proxy): 1.18.1
Direct dependency fix Resolution (@angular-devkit/build-angular): 13.3.3
JavaScript library for DOM operations
Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.4.4/jquery.min.js
Path to dependency file: /node_modules/@angular/dev-infra-private/node_modules/selenium-webdriver/lib/test/data/mousePositionTracker.html
Path to vulnerable library: /node_modules/@angular/dev-infra-private/node_modules/selenium-webdriver/lib/test/data/js/jquery-1.4.4.min.js,/node_modules/selenium-webdriver/lib/test/data/js/jquery-1.4.4.min.js,/node_modules/@angular/dev-infra-private/node_modules/protractor/node_modules/selenium-webdriver/lib/test/data/js/jquery-1.4.4.min.js
Dependency Hierarchy:
Found in HEAD commit: df8abeb8e49f7a19502084e835c603107b21e7a3
Found in base branch: master
jquery prior to 1.9.0 allows Cross-site Scripting attacks via the load method. The load method fails to recognize and remove "<script>" HTML tags that contain a whitespace character, i.e. "</script >", which results in the enclosed script logic being executed.
Publish Date: 2020-05-19
URL: CVE-2020-7656
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-q4m3-2j7h-f7xw
Release Date: 2020-05-28
Fix Resolution: jquery - 1.9.0
XMLHttpRequest for Node
Library home page: https://registry.npmjs.org/xmlhttprequest-ssl/-/xmlhttprequest-ssl-1.5.5.tgz
Path to dependency file: /integration/angular_cli/package.json
Path to vulnerable library: /integration/angular_cli/node_modules/xmlhttprequest-ssl/package.json
Dependency Hierarchy:
Found in base branch: master
The xmlhttprequest-ssl package before 1.6.1 for Node.js disables SSL certificate validation by default, because rejectUnauthorized (when the property exists but is undefined) is considered to be false within the https.request function of Node.js. In other words, no certificate is ever rejected.
Publish Date: 2021-04-23
URL: CVE-2021-31597
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-31597
Release Date: 2021-04-23
Fix Resolution (xmlhttprequest-ssl): 1.6.1
Direct dependency fix Resolution (karma): 6.3.18
JavaScript library for DOM operations
Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.4.4/jquery.min.js
Path to dependency file: /node_modules/@angular/dev-infra-private/node_modules/selenium-webdriver/lib/test/data/mousePositionTracker.html
Path to vulnerable library: /node_modules/@angular/dev-infra-private/node_modules/selenium-webdriver/lib/test/data/js/jquery-1.4.4.min.js,/node_modules/selenium-webdriver/lib/test/data/js/jquery-1.4.4.min.js,/node_modules/@angular/dev-infra-private/node_modules/protractor/node_modules/selenium-webdriver/lib/test/data/js/jquery-1.4.4.min.js
Dependency Hierarchy:
Found in HEAD commit: df8abeb8e49f7a19502084e835c603107b21e7a3
Found in base branch: master
jQuery before 1.9.0 is vulnerable to Cross-site Scripting (XSS) attacks. The jQuery(strInput) function does not differentiate selectors from HTML in a reliable fashion. In vulnerable versions, jQuery determined whether the input was HTML by looking for the '<' character anywhere in the string, giving attackers more flexibility when attempting to construct a malicious payload. In fixed versions, jQuery only deems the input to be HTML if it explicitly starts with the '<' character, limiting exploitability only to attackers who can control the beginning of a string, which is far less common.
Publish Date: 2018-01-18
URL: CVE-2012-6708
Base Score Metrics:
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2012-6708
Release Date: 2018-01-18
Fix Resolution: jQuery - v1.9.0
JavaScript library for DOM operations
Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.4.4/jquery.min.js
Path to dependency file: /node_modules/@angular/dev-infra-private/node_modules/selenium-webdriver/lib/test/data/mousePositionTracker.html
Path to vulnerable library: /node_modules/@angular/dev-infra-private/node_modules/selenium-webdriver/lib/test/data/js/jquery-1.4.4.min.js,/node_modules/selenium-webdriver/lib/test/data/js/jquery-1.4.4.min.js,/node_modules/@angular/dev-infra-private/node_modules/protractor/node_modules/selenium-webdriver/lib/test/data/js/jquery-1.4.4.min.js
Dependency Hierarchy:
Found in HEAD commit: df8abeb8e49f7a19502084e835c603107b21e7a3
Found in base branch: master
jQuery before 3.0.0 is vulnerable to Cross-site Scripting (XSS) attacks when a cross-domain Ajax request is performed without the dataType option, causing text/javascript responses to be executed.
Publish Date: 2018-01-18
URL: CVE-2015-9251
Base Score Metrics:
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2015-9251
Release Date: 2018-01-18
Fix Resolution: jQuery - v3.0.0
parse argument options
Library home page: https://registry.npmjs.org/minimist/-/minimist-0.0.10.tgz
Path to dependency file: /integration/angular_cli/package.json
Path to vulnerable library: /integration/angular_cli/node_modules/minimist/package.json
Dependency Hierarchy:
Found in HEAD commit: df8abeb8e49f7a19502084e835c603107b21e7a3
Found in base branch: master
minimist before 1.2.2 could be tricked into adding or modifying properties of Object.prototype using a "constructor" or "__proto__" payload.
Publish Date: 2020-03-11
URL: CVE-2020-7598
Base Score Metrics:
Type: Upgrade version
Origin: https://github.com/substack/minimist/commit/63e7ed05aa4b1889ec2f3b196426db4500cbda94
Release Date: 2020-03-11
Fix Resolution (minimist): 0.2.1
Direct dependency fix Resolution (protractor): 5.4.4
the bare-bones internationalization library used by yargs
Library home page: https://registry.npmjs.org/y18n/-/y18n-4.0.0.tgz
Path to dependency file: /integration/angular_cli/package.json
Path to vulnerable library: /integration/angular_cli/node_modules/y18n/package.json
Dependency Hierarchy:
Found in HEAD commit: df8abeb8e49f7a19502084e835c603107b21e7a3
Found in base branch: master
This affects the package y18n before 3.2.2, 4.0.1 and 5.0.5. PoC by po6ix: const y18n = require('y18n')(); y18n.setLocale('__proto__'); y18n.updateLocale({polluted: true}); console.log(polluted); // true
Publish Date: 2020-11-17
URL: CVE-2020-7774
Base Score Metrics:
Type: Upgrade version
Origin: https://www.npmjs.com/advisories/1654
Release Date: 2020-11-17
Fix Resolution (y18n): 4.0.1
Direct dependency fix Resolution (@angular/cli): 13.3.3
A markdown parser built for speed
Library home page: https://registry.npmjs.org/marked/-/marked-1.2.7.tgz
Path to dependency file: angular-cli/node_modules/marked/package.json
Path to vulnerable library: angular-cli/node_modules/marked/package.json
Dependency Hierarchy:
Found in HEAD commit: df8abeb8e49f7a19502084e835c603107b21e7a3
Found in base branch: 11.2.x
Marked is an open-source markdown parser and compiler (npm package "marked"). In marked from version 1.1.1 and before version 2.0.0, there is a Regular expression Denial of Service vulnerability. This vulnerability can affect anyone who runs user generated code through marked. This vulnerability is fixed in version 2.0.0.
Publish Date: 2021-02-08
URL: CVE-2021-21306
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-4r62-v4vq-hr96
Release Date: 2021-02-08
Fix Resolution: v2.0.0
socket.io protocol parser
Library home page: https://registry.npmjs.org/socket.io-parser/-/socket.io-parser-3.2.0.tgz
Path to dependency file: /integration/angular_cli/package.json
Path to vulnerable library: /integration/angular_cli/node_modules/socket.io-parser/package.json
Dependency Hierarchy:
Found in HEAD commit: df8abeb8e49f7a19502084e835c603107b21e7a3
Found in base branch: master
socket.io-parser before 3.4.1 allows attackers to cause a denial of service (memory consumption) via a large packet because a concatenation approach is used.
Publish Date: 2021-01-08
URL: CVE-2020-36049
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-xfhh-g9f5-x4m4
Release Date: 2021-01-08
Fix Resolution (socket.io-parser): 3.3.2
Direct dependency fix Resolution (karma): 6.3.18
Angular - the core framework
Library home page: https://registry.npmjs.org/@angular/core/-/core-11.0.5.tgz
Path to dependency file: /integration/angular_cli/package.json
Path to vulnerable library: /integration/angular_cli/package.json
Dependency Hierarchy:
Found in HEAD commit: 42226b16f150933b32ae8dacd2e30b740cd65f79
Found in base branch: master
Cross-Site Scripting (XSS) vulnerability was found in @angular/core before 11.1.1. HTML doesn't specify any way to escape comment end text inside the comment.
Publish Date: 2021-01-26
URL: WS-2021-0039
Base Score Metrics:
EC cryptography
Library home page: https://registry.npmjs.org/elliptic/-/elliptic-6.5.2.tgz
Path to dependency file: /integration/angular_cli/package.json
Path to vulnerable library: /integration/angular_cli/node_modules/elliptic/package.json
Dependency Hierarchy:
Found in HEAD commit: df8abeb8e49f7a19502084e835c603107b21e7a3
Found in base branch: master
The Elliptic package 6.5.2 for Node.js allows ECDSA signature malleability via variations in encoding, leading '\0' bytes, or integer overflows. This could conceivably have a security-relevant impact if an application relied on a single canonical signature.
Publish Date: 2020-06-04
URL: CVE-2020-13822
Base Score Metrics:
Type: Upgrade version
Origin: https://github.com/indutny/elliptic/tree/v6.5.3
Release Date: 2020-07-02
Fix Resolution (elliptic): 6.5.3
Direct dependency fix Resolution (@angular-devkit/build-angular): 13.3.3
Library home page: https://download.qt.io/official_releases/qt/
Found in HEAD commit: 3339b0ce4dc0bccc3d3c2a6113bb3f40e91a5b27
Found in base branch: master
ctorName in index.js in kind-of v6.0.2 allows external user input to overwrite certain internal attributes via a conflicting name, as demonstrated by 'constructor': {'name':'Symbol'}. Hence, a crafted payload can overwrite this builtin attribute to manipulate the type detection result.
Publish Date: 2019-12-30
URL: CVE-2019-20149
Base Score Metrics:
Type: Upgrade version
Origin: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-20149
Release Date: 2019-12-30
Fix Resolution: 6.0.3
JavaScript library for DOM operations
Library home page: https://registry.npmjs.org/jquery/-/jquery-3.3.1.tgz
Path to vulnerable library: angular-cli/node_modules/verdaccio/docker-examples/v4/multi-registry-uplink/server2/storage/jquery/jquery-3.3.1.tgz,angular-cli/node_modules/verdaccio/docker-examples/v4/multi-registry-uplink/server1/storage/jquery/jquery-3.3.1.tgz
Dependency Hierarchy:
Found in HEAD commit: af8cc93d4e91785afa008f694c7e953122f7c8b7
Found in base branch: master
jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. If an unsanitized source object contained an enumerable __proto__ property, it could extend the native Object.prototype.
Publish Date: 2019-04-20
URL: CVE-2019-11358
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11358
Release Date: 2019-04-20
Fix Resolution: 3.4.0
JavaScript library for DOM operations
Library home page: https://registry.npmjs.org/jquery/-/jquery-3.3.1.tgz
Path to vulnerable library: /node_modules/verdaccio/docker-examples/v4/multi-registry-uplink/server2/storage/jquery/jquery-3.3.1.tgz,/node_modules/verdaccio/docker-examples/v4/multi-registry-uplink/server1/storage/jquery/jquery-3.3.1.tgz
Dependency Hierarchy:
Found in HEAD commit: df8abeb8e49f7a19502084e835c603107b21e7a3
Found in base branch: master
In jQuery versions greater than or equal to 1.0.3 and before 3.5.0, passing HTML containing elements from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.
Publish Date: 2020-04-29
URL: CVE-2020-11023
Base Score Metrics:
Another JSON Schema Validator
Library home page: https://registry.npmjs.org/ajv/-/ajv-6.12.0.tgz
Path to dependency file: /integration/angular_cli/package.json
Path to vulnerable library: /integration/angular_cli/node_modules/ajv/package.json
Dependency Hierarchy:
Found in HEAD commit: df8abeb8e49f7a19502084e835c603107b21e7a3
Found in base branch: master
An issue was discovered in ajv.validate() in Ajv (aka Another JSON Schema Validator) 6.12.2. A carefully crafted JSON schema could be provided that allows execution of other code by prototype pollution. (While untrusted schemas are recommended against, the worst case of an untrusted schema should be a denial of service, not execution of code.)
Publish Date: 2020-07-15
URL: CVE-2020-15366
Base Score Metrics:
Type: Upgrade version
Origin: https://github.com/ajv-validator/ajv/releases/tag/v6.12.3
Release Date: 2020-07-15
Fix Resolution (ajv): 6.12.3
Direct dependency fix Resolution (@angular/cli): 13.3.3
Generic extension manager for WebSocket connections
Library home page: https://registry.npmjs.org/websocket-extensions/-/websocket-extensions-0.1.3.tgz
Path to dependency file: /integration/angular_cli/package.json
Path to vulnerable library: /integration/angular_cli/node_modules/websocket-extensions/package.json
Dependency Hierarchy:
Found in HEAD commit: df8abeb8e49f7a19502084e835c603107b21e7a3
Found in base branch: master
websocket-extensions npm module prior to 0.1.4 allows Denial of Service (DoS) via Regex Backtracking. The extension parser may take quadratic time when parsing a header containing an unclosed string parameter value whose content is a repeating two-byte sequence of a backslash and some other character. This could be abused by an attacker to conduct Regex Denial Of Service (ReDoS) on a single-threaded server by providing a malicious payload with the Sec-WebSocket-Extensions header.
Publish Date: 2020-06-02
URL: CVE-2020-7662
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-g78m-2chm-r7qv
Release Date: 2020-06-02
Fix Resolution (websocket-extensions): 0.1.4
Direct dependency fix Resolution (@angular-devkit/build-angular): 13.3.3
EC cryptography
Library home page: https://registry.npmjs.org/elliptic/-/elliptic-6.5.2.tgz
Path to dependency file: /integration/angular_cli/package.json
Path to vulnerable library: /integration/angular_cli/node_modules/elliptic/package.json
Dependency Hierarchy:
Found in HEAD commit: df8abeb8e49f7a19502084e835c603107b21e7a3
Found in base branch: master
The package elliptic before 6.5.4 is vulnerable to Cryptographic Issues via the secp256k1 implementation in elliptic/ec/key.js. There is no check to confirm that the public key point passed into the derive function actually exists on the secp256k1 curve. This results in the potential for the private key used in this implementation to be revealed after a number of ECDH operations are performed.
Publish Date: 2021-02-02
URL: CVE-2020-28498
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28498
Release Date: 2021-02-02
Fix Resolution (elliptic): 6.5.4
Direct dependency fix Resolution (@angular-devkit/build-angular): 13.3.3