vukan-markovic / book_trading_club Goto Github PK

Vulnerabilities

DepShield reports that this application's usage of lodash.restparam:3.6.1 results in the following vulnerability(s):

• (CVSS 7.4) CWE-471: Modification of Assumed-Immutable Data (MAID)

Occurrences

lodash.restparam:3.6.1 is a transitive dependency introduced by the following direct dependency(s):

• npm:6.4.1
        └─ lodash.restparam:3.6.1

_{This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.}

WS-2018-0209 - Medium Severity Vulnerability

Vulnerable Library - morgan-1.6.1.tgz

HTTP request logger middleware for node.js

Library home page: https://registry.npmjs.org/morgan/-/morgan-1.6.1.tgz

Path to dependency file: /Book_trading_club/package.json

Path to vulnerable library: /Book_trading_club/node_modules/morgan/package.json

Dependency Hierarchy:

• ❌ morgan-1.6.1.tgz (Vulnerable Library)

Vulnerability Details

morgan before 1.9.1 is vulnerable to code injection when user input is allowed into the filter or combined with a prototype pollution attack.

Publish Date: 2018-11-25

URL: WS-2018-0209

CVSS 2 Score Details (6.8)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/735

Release Date: 2019-04-08

Fix Resolution: 1.9.1

Step up your Open Source Security Game with WhiteSource here

Vulnerabilities

DepShield reports that this application's usage of lodash._bindcallback:3.0.1 results in the following vulnerability(s):

• (CVSS 7.4) CWE-471: Modification of Assumed-Immutable Data (MAID)

Occurrences

lodash._bindcallback:3.0.1 is a transitive dependency introduced by the following direct dependency(s):

• npm:6.4.1
        └─ lodash._bindcallback:3.0.1

_{This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.}

Vulnerabilities

DepShield reports that this application's usage of mime:1.3.4 results in the following vulnerability(s):

• (CVSS 7.5) CWE-400: Uncontrolled Resource Consumption ('Resource Exhaustion')

Occurrences

mime:1.3.4 is a transitive dependency introduced by the following direct dependency(s):

• express:4.14.1
        └─ send:0.14.2
              └─ mime:1.3.4

_{This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.}

Vulnerabilities

DepShield reports that this application's usage of lodash.foreach:4.5.0 results in the following vulnerability(s):

• (CVSS 7.4) CWE-471: Modification of Assumed-Immutable Data (MAID)

Occurrences

lodash.foreach:4.5.0 is a transitive dependency introduced by the following direct dependency(s):

• mongoose-unique-validator:1.0.6
        └─ lodash.foreach:4.5.0

_{This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.}

Vulnerabilities

DepShield reports that this application's usage of lodash.isboolean:3.0.3 results in the following vulnerability(s):

• (CVSS 7.4) CWE-471: Modification of Assumed-Immutable Data (MAID)

Occurrences

lodash.isboolean:3.0.3 is a transitive dependency introduced by the following direct dependency(s):

• jsonwebtoken:8.4.0
        └─ lodash.isboolean:3.0.3

_{This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.}

Vulnerabilities

DepShield reports that this application's usage of lodash.isstring:4.0.1 results in the following vulnerability(s):

• (CVSS 7.4) CWE-471: Modification of Assumed-Immutable Data (MAID)
• (CVSS 6.5) [CVE-2018-3721] lodash node module before 4.17.5 suffers from a Modification of Assumed-Immutabl...

Occurrences

lodash.isstring:4.0.1 is a transitive dependency introduced by the following direct dependency(s):

• jsonwebtoken:8.4.0
        └─ lodash.isstring:4.0.1

_{This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.}

Vulnerabilities

DepShield reports that this application's usage of uglify-js:2.3.6 results in the following vulnerability(s):

• (CVSS 9.8) [CVE-2015-8857] The uglify-js package before 2.4.24 for Node.js does not properly account for no...
• (CVSS 8.3) CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')
• (CVSS 7.5) [CVE-2015-8858] Resource Management Errors

Occurrences

uglify-js:2.3.6 is a transitive dependency introduced by the following direct dependency(s):

• hbs:3.1.1
        └─ handlebars:3.0.0
              └─ uglify-js:2.3.6

_{This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.}

Vulnerabilities

DepShield reports that this application's usage of lodash.includes:4.3.0 results in the following vulnerability(s):

• (CVSS 7.4) CWE-471: Modification of Assumed-Immutable Data (MAID)

Occurrences

lodash.includes:4.3.0 is a transitive dependency introduced by the following direct dependency(s):

• jsonwebtoken:8.4.0
        └─ lodash.includes:4.3.0

_{This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.}

WS-2017-0330 - Medium Severity Vulnerability

Vulnerable Library - mime-1.3.4.tgz

A comprehensive library for mime-type mapping

Library home page: https://registry.npmjs.org/mime/-/mime-1.3.4.tgz

Path to dependency file: /Book_trading_club/package.json

Path to vulnerable library: /tmp/git/Book_trading_club/node_modules/mime/package.json

Dependency Hierarchy:

• express-4.14.1.tgz (Root Library)
  • send-0.14.2.tgz
    • ❌ mime-1.3.4.tgz (Vulnerable Library)

Vulnerability Details

Affected version of mime (1.0.0 throw 1.4.0 and 2.0.0 throw 2.0.2), are vulnerable to regular expression denial of service.

Publish Date: 2017-09-27

URL: WS-2017-0330

CVSS 2 Score Details (5.0)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: broofa/mime@1df903f

Release Date: 2019-04-03

Fix Resolution: 1.4.1,2.0.3

Step up your Open Source Security Game with WhiteSource here

Vulnerabilities

DepShield reports that this application's usage of lodash.isplainobject:4.0.6 results in the following vulnerability(s):

• (CVSS 7.4) CWE-471: Modification of Assumed-Immutable Data (MAID)
• (CVSS 6.5) [CVE-2018-3721] lodash node module before 4.17.5 suffers from a Modification of Assumed-Immutabl...

Occurrences

lodash.isplainobject:4.0.6 is a transitive dependency introduced by the following direct dependency(s):

• jsonwebtoken:8.4.0
        └─ lodash.isplainobject:4.0.6

_{This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.}

Vulnerabilities

DepShield reports that this application's usage of lodash._cacheindexof:3.0.2 results in the following vulnerability(s):

• (CVSS 7.4) CWE-471: Modification of Assumed-Immutable Data (MAID)

Occurrences

lodash._cacheindexof:3.0.2 is a transitive dependency introduced by the following direct dependency(s):

• npm:6.4.1
        └─ lodash._cacheindexof:3.0.2

_{This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.}

WS-2018-0210 - Low Severity Vulnerability

Vulnerable Library - lodash-4.17.10.tgz

Lodash modular utilities.

Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.10.tgz

Path to dependency file: /Book_trading_club/package.json

Path to vulnerable library: /tmp/git/Book_trading_club/node_modules/lodash/package.json

Dependency Hierarchy:

• awesome-typescript-loader-5.2.1.tgz (Root Library)
  • ❌ lodash-4.17.10.tgz (Vulnerable Library)

Vulnerability Details

In the node_module "lodash" before version 4.17.11 the functions merge, mergeWith, and defaultsDeep can be tricked into adding or modifying properties of the Object prototype. These properties will be present on all objects.

Publish Date: 2018-11-25

URL: WS-2018-0210

CVSS 2 Score Details (3.5)

Base Score Metrics not available

Suggested Fix

Type: Change files

Origin: lodash/lodash@90e6199

Release Date: 2018-08-31

Fix Resolution: Replace or update the following files: lodash.js, test.js

Step up your Open Source Security Game with WhiteSource here

Vulnerabilities

DepShield reports that this application's usage of lodash._baseindexof:3.1.0 results in the following vulnerability(s):

• (CVSS 7.4) CWE-471: Modification of Assumed-Immutable Data (MAID)

Occurrences

lodash._baseindexof:3.1.0 is a transitive dependency introduced by the following direct dependency(s):

• npm:6.4.1
        └─ lodash._baseindexof:3.1.0

_{This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.}

Vulnerabilities

DepShield reports that this application's usage of lodash.union:4.6.0 results in the following vulnerability(s):

• (CVSS 7.4) CWE-471: Modification of Assumed-Immutable Data (MAID)

Occurrences

lodash.union:4.6.0 is a transitive dependency introduced by the following direct dependency(s):

• npm:6.4.1
        └─ lodash.union:4.6.0

_{This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.}

Vulnerabilities

DepShield reports that this application's usage of lodash.isinteger:4.0.4 results in the following vulnerability(s):

• (CVSS 7.4) CWE-471: Modification of Assumed-Immutable Data (MAID)

Occurrences

lodash.isinteger:4.0.4 is a transitive dependency introduced by the following direct dependency(s):

• jsonwebtoken:8.4.0
        └─ lodash.isinteger:4.0.4

_{This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.}

CVE-2017-16137 - Medium Severity Vulnerability

Vulnerable Library - debug-2.2.0.tgz

small debugging utility

Library home page: https://registry.npmjs.org/debug/-/debug-2.2.0.tgz

Path to dependency file: /Book_trading_club/package.json

Path to vulnerable library: /tmp/git/Book_trading_club/node_modules/morgan/node_modules/debug/package.json

Dependency Hierarchy:

• awesome-typescript-loader-5.2.1.tgz (Root Library)
  • micromatch-3.1.10.tgz
    • snapdragon-0.8.2.tgz
      • ❌ debug-2.2.0.tgz (Vulnerable Library)

Vulnerability Details

The debug module is vulnerable to regular expression denial of service when untrusted user input is passed into the o formatter. It takes around 50k characters to block for 2 seconds making this a low severity issue.

Publish Date: 2018-06-07

URL: CVE-2017-16137

CVSS 3 Score Details (5.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Change files

Origin: debug-js/debug@42a6ae0

Release Date: 2017-09-21

Fix Resolution: Replace or update the following file: node.js

Step up your Open Source Security Game with WhiteSource here

WS-2017-0247 - Low Severity Vulnerability

Vulnerable Libraries - ms-0.7.1.tgz, ms-0.7.2.tgz

ms-0.7.1.tgz

Tiny ms conversion utility

Library home page: https://registry.npmjs.org/ms/-/ms-0.7.1.tgz

Path to dependency file: /Book_trading_club/package.json

Path to vulnerable library: /tmp/git/Book_trading_club/node_modules/snapdragon/node_modules/ms/package.json

Dependency Hierarchy:

• awesome-typescript-loader-5.2.1.tgz (Root Library)
  • micromatch-3.1.10.tgz
    • snapdragon-0.8.2.tgz
      • debug-2.2.0.tgz
        • ❌ ms-0.7.1.tgz (Vulnerable Library)

ms-0.7.2.tgz

Tiny milisecond conversion utility

Library home page: https://registry.npmjs.org/ms/-/ms-0.7.2.tgz

Path to dependency file: /Book_trading_club/package.json

Path to vulnerable library: /tmp/git/Book_trading_club/node_modules/send/node_modules/ms/package.json

Dependency Hierarchy:

• express-4.14.1.tgz (Root Library)
  • send-0.14.2.tgz
    • ❌ ms-0.7.2.tgz (Vulnerable Library)

Vulnerability Details

Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS).

Publish Date: 2017-05-15

URL: WS-2017-0247

CVSS 2 Score Details (3.4)

Base Score Metrics not available

Suggested Fix

Type: Change files

Origin: vercel/ms@305f2dd

Release Date: 2017-04-12

Fix Resolution: Replace or update the following file: index.js

Step up your Open Source Security Game with WhiteSource here

CVE-2018-16487 - High Severity Vulnerability

Vulnerable Library - lodash-4.17.10.tgz

Lodash modular utilities.

Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.10.tgz

Path to dependency file: /Book_trading_club/package.json

Path to vulnerable library: /tmp/git/Book_trading_club/node_modules/lodash/package.json

Dependency Hierarchy:

• awesome-typescript-loader-5.2.1.tgz (Root Library)
  • ❌ lodash-4.17.10.tgz (Vulnerable Library)

Vulnerability Details

A prototype pollution vulnerability was found in lodash <4.17.11 where the functions merge, mergeWith, and defaultsDeep can be tricked into adding or modifying properties of Object.prototype.

Publish Date: 2019-02-01

URL: CVE-2018-16487

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-16487

Release Date: 2019-02-01

Fix Resolution: 4.17.11

Step up your Open Source Security Game with WhiteSource here

Vulnerabilities

DepShield reports that this application's usage of lodash.get:4.4.2 results in the following vulnerability(s):

• (CVSS 7.4) CWE-471: Modification of Assumed-Immutable Data (MAID)

Occurrences

lodash.get:4.4.2 is a transitive dependency introduced by the following direct dependency(s):

• mongoose:4.13.17
        └─ lodash.get:4.4.2

• mongoose-unique-validator:1.0.6
        └─ lodash.get:4.4.2

_{This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.}

WS-2019-0047 - Medium Severity Vulnerability

Vulnerable Libraries - tar-4.4.1.tgz, tar-2.2.1.tgz

tar-4.4.1.tgz

tar for node

Library home page: https://registry.npmjs.org/tar/-/tar-4.4.1.tgz

Dependency Hierarchy:

• webpack-2.7.0.tgz (Root Library)
  • watchpack-1.6.0.tgz
    • chokidar-2.0.3.tgz
      • fsevents-1.2.4.tgz
        • node-pre-gyp-0.10.0.tgz
          • ❌ tar-4.4.1.tgz (Vulnerable Library)

tar-2.2.1.tgz

tar for node

Library home page: https://registry.npmjs.org/tar/-/tar-2.2.1.tgz

Path to dependency file: /Book_trading_club/package.json

Path to vulnerable library: /tmp/git/Book_trading_club/node_modules/npm/node_modules/node-gyp/node_modules/tar/package.json

Dependency Hierarchy:

• npm-6.4.1.tgz (Root Library)
  • node-gyp-3.8.0.tgz
    • ❌ tar-2.2.1.tgz (Vulnerable Library)

Vulnerability Details

Versions of node-tar prior to 4.4.2 are vulnerable to Arbitrary File Overwrite. Extracting tarballs containing a hardlink to a file that already exists in the system, and a file that matches the hardlink will overwrite the system's file with the contents of the extracted file.

Publish Date: 2019-04-05

URL: WS-2019-0047

CVSS 2 Score Details (5.0)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/803

Release Date: 2019-04-05

Fix Resolution: 4.4.2

Step up your Open Source Security Game with WhiteSource here

Vulnerabilities

DepShield reports that this application's usage of lodash._getnative:3.9.1 results in the following vulnerability(s):

• (CVSS 7.4) CWE-471: Modification of Assumed-Immutable Data (MAID)

Occurrences

lodash._getnative:3.9.1 is a transitive dependency introduced by the following direct dependency(s):

• npm:6.4.1
        └─ lodash._createcache:3.1.2
              └─ lodash._getnative:3.9.1
        └─ lodash._getnative:3.9.1

_{This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.}

Vulnerabilities

DepShield reports that this application's usage of lodash.once:4.1.1 results in the following vulnerability(s):

• (CVSS 7.4) CWE-471: Modification of Assumed-Immutable Data (MAID)

Occurrences

lodash.once:4.1.1 is a transitive dependency introduced by the following direct dependency(s):

• jsonwebtoken:8.4.0
        └─ lodash.once:4.1.1

_{This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.}

On registry https://registry.npmjs.org/, the "latest" version (v2.0.0) of dependency boostrap has the following deprecation notice:

Package no longer supported. Contact [email protected] for more info.

Marking the latest version of an npm package as deprecated results in the entire package being considered deprecated, so contact the package author you think this is a mistake.

Affected package file(s): package.json

If you don't care about this, you can close this issue and not be warned about boostrap's deprecation again. If you would like to completely disable all future deprecation warnings then add the following to your config:

"suppressNotifications": ["deprecationWarningIssues"]

🚨 You need to enable Continuous Integration on all branches of this repository. 🚨

To enable Greenkeeper, you need to make sure that a commit status is reported on all branches. This is required by Greenkeeper because it uses your CI build statuses to figure out when to notify you about breaking changes.

Since we didn’t receive a CI status on the greenkeeper/initial branch, it’s possible that you don’t have CI set up yet. We recommend using Travis CI, but Greenkeeper will work with every other CI service as well.

If you have already set up a CI for this repository, you might need to check how it’s configured. Make sure it is set to run on all new branches. If you don’t want it to run on absolutely every branch, you can whitelist branches starting with greenkeeper/.

Once you have installed and configured CI on this repository correctly, you’ll need to re-trigger Greenkeeper’s initial pull request. To do this, please delete the greenkeeper/initial branch in this repository, and then remove and re-add this repository to the Greenkeeper App’s white list on Github. You'll find this list on your repo or organization’s settings page, under Installed GitHub Apps.

Vulnerabilities

DepShield reports that this application's usage of lodash._createcache:3.1.2 results in the following vulnerability(s):

• (CVSS 7.4) CWE-471: Modification of Assumed-Immutable Data (MAID)

Occurrences

lodash._createcache:3.1.2 is a transitive dependency introduced by the following direct dependency(s):

• npm:6.4.1
        └─ lodash._createcache:3.1.2

_{This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.}

The project could not be analyzed because of maven build errors. Please review the error messages here. Another build will be scheduled within 24 hours. If the build is successful this issue will be closed, otherwise the error message will be updated.

_{This is an automated GitHub Issue created by Sonatype DepShield. GitHub Apps, including DepShield, can be managed from the Developer settings of the repository administrators.}

CVE-2015-8857 - High Severity Vulnerability

Vulnerable Library - uglify-js-2.3.6.tgz

JavaScript parser, mangler/compressor and beautifier toolkit

Library home page: https://registry.npmjs.org/uglify-js/-/uglify-js-2.3.6.tgz

Path to dependency file: /Book_trading_club/package.json

Path to vulnerable library: /tmp/git/Book_trading_club/node_modules/uglify-js/package.json

Dependency Hierarchy:

• hbs-3.1.1.tgz (Root Library)
  • handlebars-3.0.0.tgz
    • ❌ uglify-js-2.3.6.tgz (Vulnerable Library)

Vulnerability Details

The uglify-js package before 2.4.24 for Node.js does not properly account for non-boolean values when rewriting boolean expressions, which might allow attackers to bypass security mechanisms or possibly have unspecified other impact by leveraging improperly rewritten Javascript.

Publish Date: 2017-01-23

URL: CVE-2015-8857

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8858

Release Date: 2018-12-15

Fix Resolution: v2.4.24

Step up your Open Source Security Game with WhiteSource here

Vulnerabilities

DepShield reports that this application's usage of handlebars:3.0.0 results in the following vulnerability(s):

• (CVSS 6.1) CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
• (CVSS 6.1) [CVE-2015-8861] Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting")
• (CVSS 5.3) CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Occurrences

handlebars:3.0.0 is a transitive dependency introduced by the following direct dependency(s):

• hbs:3.1.1
        └─ handlebars:3.0.0

_{This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.}

WS-2015-0003 - Medium Severity Vulnerability

Vulnerable Library - handlebars-3.0.0.tgz

Handlebars provides the power necessary to let you build semantic templates effectively with no frustration

Library home page: http://registry.npmjs.org/handlebars/-/handlebars-3.0.0.tgz

Path to dependency file: /Book_trading_club/package.json

Path to vulnerable library: /tmp/git/Book_trading_club/node_modules/handlebars/package.json

Dependency Hierarchy:

• hbs-3.1.1.tgz (Root Library)
  • ❌ handlebars-3.0.0.tgz (Vulnerable Library)

Vulnerability Details

Quoteless Attributes in Templates can lead to Content Injection

Publish Date: 2015-12-14

URL: WS-2015-0003

CVSS 2 Score Details (5.3)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: https://nodesecurity.io/advisories/61

Release Date: 2015-12-14

Fix Resolution: If you are unable to upgrade to version 4.0.0 or greater you can add quotes to your attributes in your handlebar templates.

Step up your Open Source Security Game with WhiteSource here

CVE-2017-16119 - High Severity Vulnerability

Vulnerable Library - fresh-0.3.0.tgz

HTTP response freshness testing

Library home page: https://registry.npmjs.org/fresh/-/fresh-0.3.0.tgz

Path to dependency file: /Book_trading_club/package.json

Path to vulnerable library: /tmp/git/Book_trading_club/node_modules/fresh/package.json

Dependency Hierarchy:

• express-4.14.1.tgz (Root Library)
  • ❌ fresh-0.3.0.tgz (Vulnerable Library)

Vulnerability Details

Fresh is a module used by the Express.js framework for HTTP response freshness testing. It is vulnerable to a regular expression denial of service when it is passed specially crafted input to parse. This causes the event loop to be blocked causing a denial of service condition.

Publish Date: 2018-06-07

URL: CVE-2017-16119

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Step up your Open Source Security Game with WhiteSource here

CVE-2015-8858 - High Severity Vulnerability

Vulnerable Library - uglify-js-2.3.6.tgz

JavaScript parser, mangler/compressor and beautifier toolkit

Library home page: https://registry.npmjs.org/uglify-js/-/uglify-js-2.3.6.tgz

Path to dependency file: /Book_trading_club/package.json

Path to vulnerable library: /tmp/git/Book_trading_club/node_modules/uglify-js/package.json

Dependency Hierarchy:

• hbs-3.1.1.tgz (Root Library)
  • handlebars-3.0.0.tgz
    • ❌ uglify-js-2.3.6.tgz (Vulnerable Library)

Vulnerability Details

The uglify-js package before 2.6.0 for Node.js allows attackers to cause a denial of service (CPU consumption) via crafted input in a parse call, aka a "regular expression denial of service (ReDoS)."

Publish Date: 2017-01-23

URL: CVE-2015-8858

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8858

Release Date: 2018-12-15

Fix Resolution: v2.6.0

Step up your Open Source Security Game with WhiteSource here

Vulnerabilities

DepShield reports that this application's usage of lodash.isnumber:3.0.3 results in the following vulnerability(s):

• (CVSS 7.4) CWE-471: Modification of Assumed-Immutable Data (MAID)

Occurrences

lodash.isnumber:3.0.3 is a transitive dependency introduced by the following direct dependency(s):

• jsonwebtoken:8.4.0
        └─ lodash.isnumber:3.0.3

_{This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.}

CVE-2018-16492 - High Severity Vulnerability

Vulnerable Library - extend-3.0.1.tgz

Port of jQuery.extend for node.js and the browser

Library home page: https://registry.npmjs.org/extend/-/extend-3.0.1.tgz

Path to dependency file: /Book_trading_club/package.json

Path to vulnerable library: /tmp/git/Book_trading_club/node_modules/extend/package.json

Dependency Hierarchy:

• angular2-template-loader-0.5.0.tgz (Root Library)
  • codecov-1.0.1.tgz
    • request-2.87.0.tgz
      • ❌ extend-3.0.1.tgz (Vulnerable Library)

Vulnerability Details

A prototype pollution vulnerability was found in module extend <2.0.2, ~<3.0.2 that allows an attacker to inject arbitrary properties onto Object.prototype.

Publish Date: 2019-02-01

URL: CVE-2018-16492

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://hackerone.com/reports/381185

Release Date: 2019-02-01

Fix Resolution: v3.0.2,v2.0.2

Step up your Open Source Security Game with WhiteSource here

WS-2015-0024 - High Severity Vulnerability

Vulnerable Library - uglify-js-2.3.6.tgz

JavaScript parser, mangler/compressor and beautifier toolkit

Library home page: https://registry.npmjs.org/uglify-js/-/uglify-js-2.3.6.tgz

Path to dependency file: /Book_trading_club/package.json

Path to vulnerable library: /tmp/git/Book_trading_club/node_modules/uglify-js/package.json

Dependency Hierarchy:

• hbs-3.1.1.tgz (Root Library)
  • handlebars-3.0.0.tgz
    • ❌ uglify-js-2.3.6.tgz (Vulnerable Library)

Vulnerability Details

UglifyJS versions 2.4.23 and earlier are affected by a vulnerability which allows a specially crafted Javascript file to have altered functionality after minification.

Publish Date: 2015-08-24

URL: WS-2015-0024

CVSS 2 Score Details (8.3)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: mishoo/UglifyJS@905b601

Release Date: 2017-01-31

Fix Resolution: v2.4.24

Step up your Open Source Security Game with WhiteSource here

CVE-2017-1000048 - High Severity Vulnerability

Vulnerable Library - qs-6.2.0.tgz

A querystring parser that supports nesting and arrays, with a depth limit

Library home page: https://registry.npmjs.org/qs/-/qs-6.2.0.tgz

Path to dependency file: /Book_trading_club/package.json

Path to vulnerable library: /tmp/git/Book_trading_club/node_modules/qs/package.json

Dependency Hierarchy:

• express-4.14.1.tgz (Root Library)
  • ❌ qs-6.2.0.tgz (Vulnerable Library)

Vulnerability Details

the web framework using ljharb's qs module older than v6.3.2, v6.2.3, v6.1.2, and v6.0.4 is vulnerable to a DoS. A malicious user can send a evil request to cause the web framework crash.

Publish Date: 2017-07-17

URL: CVE-2017-1000048

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Change files

Origin: ljharb/qs@c709f6e

Release Date: 2017-03-06

Fix Resolution: Replace or update the following files: parse.js, parse.js, utils.js

Step up your Open Source Security Game with WhiteSource here

CVE-2017-16138 - High Severity Vulnerability

Vulnerable Library - mime-1.3.4.tgz

A comprehensive library for mime-type mapping

Library home page: https://registry.npmjs.org/mime/-/mime-1.3.4.tgz

Path to dependency file: /Book_trading_club/package.json

Path to vulnerable library: /tmp/git/Book_trading_club/node_modules/mime/package.json

Dependency Hierarchy:

• express-4.14.1.tgz (Root Library)
  • send-0.14.2.tgz
    • ❌ mime-1.3.4.tgz (Vulnerable Library)

Vulnerability Details

The mime module < 1.4.1, 2.0.1, 2.0.2 is vulnerable to regular expression denial of service when a mime lookup is performed on untrusted user input.

Publish Date: 2018-06-07

URL: CVE-2017-16138

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Step up your Open Source Security Game with WhiteSource here

Vulnerabilities

DepShield reports that this application's usage of qs:6.2.0 results in the following vulnerability(s):

• (CVSS 7.5) [CVE-2017-1000048] Improper Input Validation

Occurrences

qs:6.2.0 is a transitive dependency introduced by the following direct dependency(s):

• body-parser:1.15.2
        └─ qs:6.2.0

• express:4.14.1
        └─ qs:6.2.0

_{This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.}

Vulnerabilities

DepShield reports that this application's usage of lodash._root:3.0.1 results in the following vulnerability(s):

• (CVSS 7.4) CWE-471: Modification of Assumed-Immutable Data (MAID)

Occurrences

lodash._root:3.0.1 is a transitive dependency introduced by the following direct dependency(s):

• npm:6.4.1
        └─ lodash._baseuniq:4.6.0
              └─ lodash._root:3.0.1

_{This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.}

Vulnerabilities

DepShield reports that this application's usage of fresh:0.3.0 results in the following vulnerability(s):

• (CVSS 7.5) CWE-400: Uncontrolled Resource Consumption ('Resource Exhaustion')

Occurrences

fresh:0.3.0 is a transitive dependency introduced by the following direct dependency(s):

• express:4.14.1
        └─ fresh:0.3.0
        └─ send:0.14.2
              └─ fresh:0.3.0

• serve-favicon:2.3.2
        └─ fresh:0.3.0

_{This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.}

WS-2015-0017 - Medium Severity Vulnerability

Vulnerable Library - uglify-js-2.3.6.tgz

JavaScript parser, mangler/compressor and beautifier toolkit

Library home page: https://registry.npmjs.org/uglify-js/-/uglify-js-2.3.6.tgz

Path to dependency file: /Book_trading_club/package.json

Path to vulnerable library: /tmp/git/Book_trading_club/node_modules/uglify-js/package.json

Dependency Hierarchy:

• hbs-3.1.1.tgz (Root Library)
  • handlebars-3.0.0.tgz
    • ❌ uglify-js-2.3.6.tgz (Vulnerable Library)

Vulnerability Details

Uglify-js is vulnerable to regular expression denial of service (ReDoS) when certain types of input is passed into .parse().

Publish Date: 2015-10-24

URL: WS-2015-0017

CVSS 2 Score Details (5.3)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: https://nodesecurity.io/advisories/48

Release Date: 2015-10-24

Fix Resolution: Update to version 2.6.0 or later

Step up your Open Source Security Game with WhiteSource here

Vulnerabilities

DepShield reports that this application's usage of lodash.uniq:4.5.0 results in the following vulnerability(s):

• (CVSS 7.4) CWE-471: Modification of Assumed-Immutable Data (MAID)

Occurrences

lodash.uniq:4.5.0 is a transitive dependency introduced by the following direct dependency(s):

• npm:6.4.1
        └─ lodash.uniq:4.5.0

_{This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.}

DepShield reports that this application's usage of debug:2.2.0 results in the following vulnerability(s):

• (CVSS 7.5) CWE-400: Uncontrolled Resource Consumption ('Resource Exhaustion')

_{This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.}

Vulnerabilities

DepShield reports that this application's usage of lodash.clonedeep:4.5.0 results in the following vulnerability(s):

• (CVSS 7.4) CWE-471: Modification of Assumed-Immutable Data (MAID)

Occurrences

lodash.clonedeep:4.5.0 is a transitive dependency introduced by the following direct dependency(s):

• npm:6.4.1
        └─ lodash.clonedeep:4.5.0

_{This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.}

The project could not be analyzed because of maven build errors. Please review the error messages here. Another build will be scheduled within 24 hours. If the build is successful this issue will be closed, otherwise the error message will be updated.

_{This is an automated GitHub Issue created by Sonatype DepShield. GitHub Apps, including DepShield, can be managed from the Developer settings of the repository administrators.}