
chalk's People

Contributors

aslilac, bokub, calebboyd, jbnicolai, kevva, ksxgithub, lightnerdev, litomore, lukeapage, marado, marionebl, martinheidegger, mischah, nazrhyn, noamokman, paulmelnikow, pedrottimark, popey456963, qix-, richienb, saadq, seanmonstar, simenb, sindresorhus, stevemao, stroncium, styfle, thefourtheye, toonijn, yungsters


chalk's Issues

CVE-2020-28469 (High) detected in glob-parent-3.1.0.tgz - autoclosed

CVE-2020-28469 - High Severity Vulnerability

Vulnerable Library - glob-parent-3.1.0.tgz

Strips glob magic from a string to provide the parent directory path

Library home page: https://registry.npmjs.org/glob-parent/-/glob-parent-3.1.0.tgz

Path to dependency file: chalk/package.json

Path to vulnerable library: chalk/node_modules/xo/node_modules/glob-parent/package.json

Dependency Hierarchy:

  • xo-0.39.1.tgz (Root Library)
    • globby-9.2.0.tgz
      • fast-glob-2.2.7.tgz
        • glob-parent-3.1.0.tgz (Vulnerable Library)

Found in HEAD commit: 3103722a2c09e9dcab37b1369a88b2bdf496cbdd

Found in base branch: main

Vulnerability Details

This affects the package glob-parent before 5.1.2. The enclosure regex used to check for strings ending in enclosure containing path separator.

Publish Date: 2021-06-03

URL: CVE-2020-28469

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28469

Release Date: 2021-06-03

Fix Resolution: glob-parent - 5.1.2



CVE-2022-33987 (Medium) detected in got-9.6.0.tgz

CVE-2022-33987 - Medium Severity Vulnerability

Vulnerable Library - got-9.6.0.tgz

Simplified HTTP requests

Library home page: https://registry.npmjs.org/got/-/got-9.6.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/got/package.json

Dependency Hierarchy:

  • ava-3.15.0.tgz (Root Library)
    • update-notifier-5.1.0.tgz
      • latest-version-5.1.0.tgz
        • package-json-6.5.0.tgz
          • got-9.6.0.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

The got package before 12.1.0 (also fixed in 11.8.5) for Node.js allows a redirect to a UNIX socket.

Publish Date: 2022-06-18

URL: CVE-2022-33987

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: Low
    • Availability Impact: None


Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-33987

Release Date: 2022-06-18

Fix Resolution (got): 11.8.6

Direct dependency fix Resolution (ava): 4.0.0



CVE-2022-36077 (Medium) detected in electron-0.4.1.tgz

CVE-2022-36077 - Medium Severity Vulnerability

Vulnerable Library - electron-0.4.1.tgz

A simple command-line interface framework for node.js.

Library home page: https://registry.npmjs.org/electron/-/electron-0.4.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/electron/package.json

Dependency Hierarchy:

  • matcha-0.7.0.tgz (Root Library)
    • electron-0.4.1.tgz (Vulnerable Library)

Found in HEAD commit: 3103722a2c09e9dcab37b1369a88b2bdf496cbdd

Found in base branch: main

Vulnerability Details

The Electron framework enables writing cross-platform desktop applications using JavaScript, HTML and CSS. In versions prior to 21.0.0-beta.1, 20.0.1, 19.0.11, and 18.3.7, Electron is vulnerable to Exposure of Sensitive Information. When following a redirect, Electron delays a check for redirecting to file:// URLs from other schemes. The contents of the file is not available to the renderer following the redirect, but if the redirect target is a SMB URL such as file://some.website.com/, then in some cases, Windows will connect to that server and attempt NTLM authentication, which can include sending hashed credentials. This issue has been patched in versions: 21.0.0-beta.1, 20.0.1, 19.0.11, and 18.3.7. Users are recommended to upgrade to the latest stable version of Electron. If upgrading isn't possible, this issue can be addressed without upgrading by preventing redirects to file:// URLs in the WebContents.on('will-redirect') event, for all WebContents as a workaround.

Publish Date: 2022-11-08

URL: CVE-2022-36077

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None


Suggested Fix

Type: Upgrade version

Origin: GHSA-p2jh-44qj-pf2v

Release Date: 2022-11-08

Fix Resolution: electron - 18.3.7,19.0.11,20.0.1



[DepShield] (CVSS 7.4) Vulnerability due to usage of lodash.clonedeep:4.5.0

Vulnerabilities

DepShield reports that this application's usage of lodash.clonedeep:4.5.0 results in the following vulnerability(s):


Occurrences

lodash.clonedeep:4.5.0 is a transitive dependency introduced by the following direct dependency(s):

xo:0.39.1
        └─ eslint:7.30.0
              └─ table:6.7.1
                    └─ lodash.clonedeep:4.5.0

This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.

WS-2021-0154 (Medium) detected in glob-parent-3.1.0.tgz - autoclosed

WS-2021-0154 - Medium Severity Vulnerability

Vulnerable Library - glob-parent-3.1.0.tgz

Strips glob magic from a string to provide the parent directory path

Library home page: https://registry.npmjs.org/glob-parent/-/glob-parent-3.1.0.tgz

Path to dependency file: chalk/package.json

Path to vulnerable library: chalk/node_modules/xo/node_modules/glob-parent/package.json

Dependency Hierarchy:

  • xo-0.39.1.tgz (Root Library)
    • globby-9.2.0.tgz
      • fast-glob-2.2.7.tgz
        • glob-parent-3.1.0.tgz (Vulnerable Library)

Found in HEAD commit: 3103722a2c09e9dcab37b1369a88b2bdf496cbdd

Found in base branch: main

Vulnerability Details

Regular Expression Denial of Service (ReDoS) vulnerability was found in glob-parent before 5.1.2.

Publish Date: 2021-01-27

URL: WS-2021-0154

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: Low


Suggested Fix

Type: Upgrade version

Origin: https://github.com/gulpjs/glob-parent/releases/tag/v5.1.2

Release Date: 2021-01-27

Fix Resolution: glob-parent - 5.1.2



CVE-2022-46175 (High) detected in json5-2.2.0.tgz, json5-1.0.1.tgz

CVE-2022-46175 - High Severity Vulnerability

Vulnerable Libraries - json5-2.2.0.tgz, json5-1.0.1.tgz

json5-2.2.0.tgz

JSON for humans.

Library home page: https://registry.npmjs.org/json5/-/json5-2.2.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/json5/package.json

Dependency Hierarchy:

  • xo-0.42.0.tgz (Root Library)
    • json5-2.2.0.tgz (Vulnerable Library)

json5-1.0.1.tgz

JSON for humans.

Library home page: https://registry.npmjs.org/json5/-/json5-1.0.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/tsconfig-paths/node_modules/json5/package.json

Dependency Hierarchy:

  • xo-0.42.0.tgz (Root Library)
    • eslint-plugin-import-2.25.2.tgz
      • tsconfig-paths-3.11.0.tgz
        • json5-1.0.1.tgz (Vulnerable Library)

Found in HEAD commit: 3103722a2c09e9dcab37b1369a88b2bdf496cbdd

Found in base branch: main

Vulnerability Details

JSON5 is an extension to the popular JSON file format that aims to be easier to write and maintain by hand (e.g. for config files). The parse method of the JSON5 library before and including versions 1.0.1 and 2.2.1 does not restrict parsing of keys named __proto__, allowing specially crafted strings to pollute the prototype of the resulting object. This vulnerability pollutes the prototype of the object returned by JSON5.parse and not the global Object prototype, which is the commonly understood definition of Prototype Pollution. However, polluting the prototype of a single object can have significant security impact for an application if the object is later used in trusted operations. This vulnerability could allow an attacker to set arbitrary and unexpected keys on the object returned from JSON5.parse. The actual impact will depend on how applications utilize the returned object and how they filter unwanted keys, but could include denial of service, cross-site scripting, elevation of privilege, and in extreme cases, remote code execution. JSON5.parse should restrict parsing of __proto__ keys when parsing JSON strings to objects. As a point of reference, the JSON.parse method included in JavaScript ignores __proto__ keys. Simply changing JSON5.parse to JSON.parse in the examples above mitigates this vulnerability. This vulnerability is patched in json5 versions 1.0.2, 2.2.2, and later.

Publish Date: 2022-12-24

URL: CVE-2022-46175

CVSS 3 Score Details (8.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2022-46175

Release Date: 2022-12-24

Fix Resolution (json5): 2.2.2

Direct dependency fix Resolution (xo): 0.43.0

Fix Resolution (json5): 1.0.2

Direct dependency fix Resolution (xo): 0.43.0



[DepShield] (CVSS 4.3) Vulnerability due to usage of bl:4.1.0

Vulnerabilities

DepShield reports that this application's usage of bl:4.1.0 results in the following vulnerability(s):


Occurrences

bl:4.1.0 is a transitive dependency introduced by the following direct dependency(s):

ava:3.15.0
        └─ ora:5.4.1
              └─ bl:4.1.0


CVE-2020-15096 (Medium) detected in electron-0.4.1.tgz

CVE-2020-15096 - Medium Severity Vulnerability

Vulnerable Library - electron-0.4.1.tgz

A simple command-line interface framework for node.js.

Library home page: https://registry.npmjs.org/electron/-/electron-0.4.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/electron/package.json

Dependency Hierarchy:

  • matcha-0.7.0.tgz (Root Library)
    • electron-0.4.1.tgz (Vulnerable Library)

Found in HEAD commit: 3103722a2c09e9dcab37b1369a88b2bdf496cbdd

Found in base branch: main

Vulnerability Details

In Electron before versions 6.1.1, 7.2.4, 8.2.4, and 9.0.0-beta21, there is a context isolation bypass, meaning that code running in the main world context in the renderer can reach into the isolated Electron context and perform privileged actions. Apps using "contextIsolation" are affected. There are no app-side workarounds, you must update your Electron version to be protected. This is fixed in versions 6.1.1, 7.2.4, 8.2.4, and 9.0.0-beta21.

Publish Date: 2020-07-07

URL: CVE-2020-15096

CVSS 3 Score Details (6.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: High
    • User Interaction: None
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: High
    • Availability Impact: None


Suggested Fix

Type: Upgrade version

Origin: GHSA-6vrv-94jv-crrg

Release Date: 2020-07-10

Fix Resolution: electron - 6.1.11,8.2.4,9.0.0-beta.21



CVE-2018-1000006 (High) detected in electron-0.4.1.tgz

CVE-2018-1000006 - High Severity Vulnerability

Vulnerable Library - electron-0.4.1.tgz

A simple command-line interface framework for node.js.

Library home page: https://registry.npmjs.org/electron/-/electron-0.4.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/electron/package.json

Dependency Hierarchy:

  • matcha-0.7.0.tgz (Root Library)
    • electron-0.4.1.tgz (Vulnerable Library)

Found in HEAD commit: 3103722a2c09e9dcab37b1369a88b2bdf496cbdd

Found in base branch: main

Vulnerability Details

GitHub Electron versions 1.8.2-beta.3 and earlier, 1.7.10 and earlier, 1.6.15 and earlier has a vulnerability in the protocol handler, specifically Electron apps running on Windows 10, 7 or 2008 that register custom protocol handlers can be tricked in arbitrary command execution if the user clicks on a specially crafted URL. This has been fixed in versions 1.8.2-beta.4, 1.7.11, and 1.6.16.

Publish Date: 2018-01-24

URL: CVE-2018-1000006

CVSS 3 Score Details (8.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000006

Release Date: 2018-01-24

Fix Resolution: 1.8.2-beta.5



[DepShield] (CVSS 8.8) Vulnerability due to usage of electron:0.4.1

Vulnerabilities

DepShield reports that this application's usage of electron:0.4.1 results in the following vulnerability(s):


Occurrences

electron:0.4.1 is a transitive dependency introduced by the following direct dependency(s):

matcha:0.7.0
        └─ electron:0.4.1


[DepShield] (CVSS 7.4) Vulnerability due to usage of lodash.flattendeep:4.4.0

Vulnerabilities

DepShield reports that this application's usage of lodash.flattendeep:4.4.0 results in the following vulnerability(s):


Occurrences

lodash.flattendeep:4.4.0 is a transitive dependency introduced by the following direct dependency(s):

nyc:15.1.0
        └─ caching-transform:4.0.0
              └─ package-hash:4.0.0
                    └─ lodash.flattendeep:4.4.0


CVE-2020-4075 (High) detected in electron-0.4.1.tgz

CVE-2020-4075 - High Severity Vulnerability

Vulnerable Library - electron-0.4.1.tgz

A simple command-line interface framework for node.js.

Library home page: https://registry.npmjs.org/electron/-/electron-0.4.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/electron/package.json

Dependency Hierarchy:

  • matcha-0.7.0.tgz (Root Library)
    • electron-0.4.1.tgz (Vulnerable Library)

Found in HEAD commit: 3103722a2c09e9dcab37b1369a88b2bdf496cbdd

Found in base branch: main

Vulnerability Details

In Electron before versions 7.2.4, 8.2.4, and 9.0.0-beta21, arbitrary local file read is possible by defining unsafe window options on a child window opened via window.open. As a workaround, ensure you are calling event.preventDefault() on all new-window events where the url or options is not something you expect. This is fixed in versions 9.0.0-beta.21, 8.2.4 and 7.2.4.

Publish Date: 2020-07-07

URL: CVE-2020-4075

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None


Suggested Fix

Type: Upgrade version

Origin: GHSA-f9mq-jph6-9mhm

Release Date: 2020-07-13

Fix Resolution: 7.2.4,8.2.4,9.0.0-beta.21



[DepShield] (CVSS 7.5) Vulnerability due to usage of debug:2.6.9

Vulnerabilities

DepShield reports that this application's usage of debug:2.6.9 results in the following vulnerability(s):


Occurrences

debug:2.6.9 is a transitive dependency introduced by the following direct dependency(s):

xo:0.39.1
        └─ eslint-plugin-import:2.23.4
              └─ eslint-import-resolver-node:0.3.4
                    └─ debug:2.6.9
              └─ debug:2.6.9
        └─ globby:9.2.0
              └─ fast-glob:2.2.7
                    └─ micromatch:3.1.10
                          └─ extglob:2.0.4
                                └─ expand-brackets:2.1.4
                                      └─ debug:2.6.9
                          └─ snapdragon:0.8.2
                                └─ debug:2.6.9


CVE-2017-16151 (High) detected in electron-0.4.1.tgz

CVE-2017-16151 - High Severity Vulnerability

Vulnerable Library - electron-0.4.1.tgz

A simple command-line interface framework for node.js.

Library home page: https://registry.npmjs.org/electron/-/electron-0.4.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/electron/package.json

Dependency Hierarchy:

  • matcha-0.7.0.tgz (Root Library)
    • electron-0.4.1.tgz (Vulnerable Library)

Found in HEAD commit: 3103722a2c09e9dcab37b1369a88b2bdf496cbdd

Found in base branch: main

Vulnerability Details

Based on details posted by the ElectronJS team; A remote code execution vulnerability has been discovered in Google Chromium that affects all recent versions of Electron. Any Electron app that accesses remote content is vulnerable to this exploit, regardless of whether the sandbox option is enabled.

Publish Date: 2018-06-07

URL: CVE-2017-16151

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/539

Release Date: 2018-04-26

Fix Resolution: 1.7.8



CVE-2020-4077 (High) detected in electron-0.4.1.tgz

CVE-2020-4077 - High Severity Vulnerability

Vulnerable Library - electron-0.4.1.tgz

A simple command-line interface framework for node.js.

Library home page: https://registry.npmjs.org/electron/-/electron-0.4.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/electron/package.json

Dependency Hierarchy:

  • matcha-0.7.0.tgz (Root Library)
    • electron-0.4.1.tgz (Vulnerable Library)

Found in HEAD commit: 3103722a2c09e9dcab37b1369a88b2bdf496cbdd

Found in base branch: main

Vulnerability Details

In Electron before versions 7.2.4, 8.2.4, and 9.0.0-beta21, there is a context isolation bypass. Code running in the main world context in the renderer can reach into the isolated Electron context and perform privileged actions. Apps using both contextIsolation and contextBridge are affected. This is fixed in versions 9.0.0-beta.21, 8.2.4 and 7.2.4.

Publish Date: 2020-07-07

URL: CVE-2020-4077

CVSS 3 Score Details (9.9)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: GHSA-h9jc-284h-533g

Release Date: 2020-07-13

Fix Resolution: 7.2.4,8.2.4,9.0.0-beta.21



[DepShield] (CVSS 5.3) Vulnerability due to usage of kind-of:3.2.2

Vulnerabilities

DepShield reports that this application's usage of kind-of:3.2.2 results in the following vulnerability(s):


Occurrences

kind-of:3.2.2 is a transitive dependency introduced by the following direct dependency(s):

xo:0.39.1
        └─ globby:9.2.0
              └─ fast-glob:2.2.7
                    └─ micromatch:3.1.10
                          └─ snapdragon:0.8.2
                                └─ base:0.11.2
                                      └─ cache-base:1.0.1
                                            └─ has-value:1.0.0
                                                  └─ has-values:1.0.0
                                                        └─ is-number:3.0.0
                                                              └─ kind-of:3.2.2
                                            └─ to-object-path:0.3.0
                                                  └─ kind-of:3.2.2
                                      └─ class-utils:0.3.6
                                            └─ static-extend:0.1.2
                                                  └─ object-copy:0.1.0
                                                        └─ kind-of:3.2.2
                                └─ define-property:0.2.5
                                      └─ is-descriptor:0.1.6
                                            └─ is-accessor-descriptor:0.1.6
                                                  └─ kind-of:3.2.2
                                            └─ is-data-descriptor:0.1.4
                                                  └─ kind-of:3.2.2
                          └─ braces:2.3.2
                                └─ snapdragon-node:2.1.1
                                      └─ snapdragon-util:3.0.1
                                            └─ kind-of:3.2.2
                                └─ fill-range:4.0.0
                                      └─ is-number:3.0.0
                                            └─ kind-of:3.2.2


[DepShield] (CVSS 5.3) Vulnerability due to usage of kind-of:4.0.0

Vulnerabilities

DepShield reports that this application's usage of kind-of:4.0.0 results in the following vulnerability(s):


Occurrences

kind-of:4.0.0 is a transitive dependency introduced by the following direct dependency(s):

xo:0.39.1
        └─ globby:9.2.0
              └─ fast-glob:2.2.7
                    └─ micromatch:3.1.10
                          └─ snapdragon:0.8.2
                                └─ base:0.11.2
                                      └─ cache-base:1.0.1
                                            └─ has-value:1.0.0
                                                  └─ has-values:1.0.0
                                                        └─ kind-of:4.0.0


CVE-2022-3517 (High) detected in minimatch-3.0.4.tgz

CVE-2022-3517 - High Severity Vulnerability

Vulnerable Library - minimatch-3.0.4.tgz

a glob matcher in javascript

Library home page: https://registry.npmjs.org/minimatch/-/minimatch-3.0.4.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/minimatch/package.json

Dependency Hierarchy:

  • nyc-15.1.0.tgz (Root Library)
    • glob-7.2.0.tgz
      • minimatch-3.0.4.tgz (Vulnerable Library)

Found in HEAD commit: 3103722a2c09e9dcab37b1369a88b2bdf496cbdd

Found in base branch: main

Vulnerability Details

A vulnerability was found in the minimatch package. This flaw allows a Regular Expression Denial of Service (ReDoS) when calling the braceExpand function with specific arguments, resulting in a Denial of Service.

Publish Date: 2022-10-17

URL: CVE-2022-3517

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Release Date: 2022-10-17

Fix Resolution: minimatch - 3.0.5



CVE-2020-4076 (High) detected in electron-0.4.1.tgz

CVE-2020-4076 - High Severity Vulnerability

Vulnerable Library - electron-0.4.1.tgz

A simple command-line interface framework for node.js.

Library home page: https://registry.npmjs.org/electron/-/electron-0.4.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/electron/package.json

Dependency Hierarchy:

  • matcha-0.7.0.tgz (Root Library)
    • electron-0.4.1.tgz (Vulnerable Library)

Found in HEAD commit: 3103722a2c09e9dcab37b1369a88b2bdf496cbdd

Found in base branch: main

Vulnerability Details

In Electron before versions 7.2.4, 8.2.4, and 9.0.0-beta21, there is a context isolation bypass. Code running in the main world context in the renderer can reach into the isolated Electron context and perform privileged actions. Apps using contextIsolation are affected. This is fixed in versions 9.0.0-beta.21, 8.2.4 and 7.2.4.

Publish Date: 2020-07-07

URL: CVE-2020-4076

CVSS 3 Score Details (9.0)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: None


Suggested Fix

Type: Upgrade version

Origin: GHSA-m93v-9qjc-3g79

Release Date: 2020-07-13

Fix Resolution: electron - 7.2.4,8.2.4,9.0.0-beta.21



CVE-2023-28155 (Medium) detected in request-2.88.2.tgz

CVE-2023-28155 - Medium Severity Vulnerability

Vulnerable Library - request-2.88.2.tgz

Simplified HTTP request client.

Library home page: https://registry.npmjs.org/request/-/request-2.88.2.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/request/package.json

Dependency Hierarchy:

  • coveralls-3.1.1.tgz (Root Library)
    • request-2.88.2.tgz (Vulnerable Library)

Found in HEAD commit: 3103722a2c09e9dcab37b1369a88b2bdf496cbdd

Found in base branch: main

Vulnerability Details

** UNSUPPORTED WHEN ASSIGNED ** The Request package through 2.88.1 for Node.js allows a bypass of SSRF mitigations via an attacker-controlled server that does a cross-protocol redirect (HTTP to HTTPS, or HTTPS to HTTP). NOTE: This vulnerability only affects products that are no longer supported by the maintainer.

Publish Date: 2023-03-16

URL: CVE-2023-28155

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None


CVE-2023-2251 (High) detected in yaml-1.10.2.tgz

CVE-2023-2251 - High Severity Vulnerability

Vulnerable Library - yaml-1.10.2.tgz

JavaScript parser and stringifier for YAML

Library home page: https://registry.npmjs.org/yaml/-/yaml-1.10.2.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/yaml/package.json

Dependency Hierarchy:

  • xo-0.42.0.tgz (Root Library)
    • cosmiconfig-7.0.1.tgz
      • yaml-1.10.2.tgz (Vulnerable Library)

Found in HEAD commit: 3103722a2c09e9dcab37b1369a88b2bdf496cbdd

Found in base branch: main

Vulnerability Details

Uncaught Exception in GitHub repository eemeli/yaml prior to 2.2.2.

Publish Date: 2023-04-24

URL: CVE-2023-2251

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: GHSA-f9xv-q969-pqx4

Release Date: 2023-04-24

Fix Resolution (yaml): 2.0.0-0

Direct dependency fix Resolution (xo): 0.54.0



CVE-2022-25881 (High) detected in http-cache-semantics-4.1.0.tgz

CVE-2022-25881 - High Severity Vulnerability

Vulnerable Library - http-cache-semantics-4.1.0.tgz

Parses Cache-Control and other headers. Helps building correct HTTP caches and proxies

Library home page: https://registry.npmjs.org/http-cache-semantics/-/http-cache-semantics-4.1.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/http-cache-semantics/package.json

Dependency Hierarchy:

  • ava-3.15.0.tgz (Root Library)
    • update-notifier-5.1.0.tgz
      • latest-version-5.1.0.tgz
        • package-json-6.5.0.tgz
          • got-9.6.0.tgz
            • cacheable-request-6.1.0.tgz
              • http-cache-semantics-4.1.0.tgz (Vulnerable Library)

Found in HEAD commit: 3103722a2c09e9dcab37b1369a88b2bdf496cbdd

Found in base branch: main

Vulnerability Details

This affects versions of the package http-cache-semantics before 4.1.1. The issue can be exploited via malicious request header values sent to a server, when that server reads the cache policy from the request using this library.

Publish Date: 2023-01-31

URL: CVE-2022-25881

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2022-25881

Release Date: 2023-01-31

Fix Resolution (http-cache-semantics): 4.1.1

Direct dependency fix Resolution (ava): 4.0.0


[DepShield] (CVSS 7.4) Vulnerability due to usage of ini:1.3.7

Vulnerabilities

DepShield reports that this application's usage of ini:1.3.7 results in the following vulnerability(s):


Occurrences

ini:1.3.7 is a transitive dependency introduced by the following direct dependency(s):

tsd:0.14.0
        └─ update-notifier:4.1.3
              └─ is-installed-globally:0.3.2
                    └─ global-dirs:2.1.0
                          └─ ini:1.3.7

This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.

[DepShield] (CVSS 5.3) Vulnerability due to usage of kind-of:5.1.0

Vulnerabilities

DepShield reports that this application's usage of kind-of:5.1.0 results in the following vulnerability(s):


Occurrences

kind-of:5.1.0 is a transitive dependency introduced by the following direct dependency(s):

xo:0.39.1
        └─ globby:9.2.0
              └─ fast-glob:2.2.7
                    └─ micromatch:3.1.10
                          └─ snapdragon:0.8.2
                                └─ define-property:0.2.5
                                      └─ is-descriptor:0.1.6
                                            └─ kind-of:5.1.0

[DepShield] (CVSS 7.4) Vulnerability due to usage of ini:1.3.8

Vulnerabilities

DepShield reports that this application's usage of ini:1.3.8 results in the following vulnerability(s):


Occurrences

ini:1.3.8 is a transitive dependency introduced by the following direct dependency(s):

ava:3.15.0
        └─ update-notifier:5.1.0
              └─ latest-version:5.1.0
                    └─ package-json:6.5.0
                          └─ registry-auth-token:4.2.1
                                └─ rc:1.2.8
                                      └─ ini:1.3.8

CVE-2021-35065 (High) detected in glob-parent-5.1.2.tgz - autoclosed

CVE-2021-35065 - High Severity Vulnerability

Vulnerable Library - glob-parent-5.1.2.tgz

Extract the non-magic parent path from a glob string.

Library home page: https://registry.npmjs.org/glob-parent/-/glob-parent-5.1.2.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/glob-parent/package.json

Dependency Hierarchy:

  • ava-3.15.0.tgz (Root Library)
    • chokidar-3.5.2.tgz
      • glob-parent-5.1.2.tgz (Vulnerable Library)

Found in HEAD commit: 3103722a2c09e9dcab37b1369a88b2bdf496cbdd

Found in base branch: main

Vulnerability Details

The package glob-parent from 6.0.0 and before 6.0.1 is vulnerable to Regular Expression Denial of Service (ReDoS).

Publish Date: 2021-06-22

URL: CVE-2021-35065

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-cj88-88mr-972w

Release Date: 2021-06-22

Fix Resolution: glob-parent - 6.0.1

