yoswein / nodegoat Goto Github PK

Vulnerable Library - minimatch-0.3.0.tgz

a glob matcher in javascript

Library home page: https://registry.npmjs.org/minimatch/-/minimatch-0.3.0.tgz

Path to dependency file: NodeGoat/package.json

Path to vulnerable library: NodeGoat/node_modules/mocha/node_modules/minimatch/package.json

Dependency Hierarchy:

• mocha-2.5.3.tgz (Root Library)
  • glob-3.2.11.tgz
    • ❌ minimatch-0.3.0.tgz (Vulnerable Library)

Found in HEAD commit: 26ef3f51dc7e983c5a5b8c3b9239aca51a91432b

Vulnerability Details

Minimatch is a minimal matching utility that works by converting glob expressions into JavaScript RegExp objects. The primary function, minimatch(path, pattern) in Minimatch 3.0.1 and earlier is vulnerable to ReDoS in the pattern parameter.

Publish Date: 2018-05-31

URL: CVE-2016-10540

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://nodesecurity.io/advisories/118

Release Date: 2016-06-20

Fix Resolution: Update to version 3.0.2 or later.

Vulnerable Library - sshpk-1.10.1.tgz

A library for finding and using SSH public keys

Library home page: https://registry.npmjs.org/sshpk/-/sshpk-1.10.1.tgz

Path to dependency file: NodeGoat/package.json

Path to vulnerable library: NodeGoat/node_modules/npm/node_modules/request/node_modules/http-signature/node_modules/sshpk/package.json

Dependency Hierarchy:

• grunt-npm-install-0.3.1.tgz (Root Library)
  • npm-3.10.10.tgz
    • request-2.75.0.tgz
      • http-signature-1.1.1.tgz
        • ❌ sshpk-1.10.1.tgz (Vulnerable Library)

Found in HEAD commit: 26ef3f51dc7e983c5a5b8c3b9239aca51a91432b

Vulnerability Details

sshpk is vulnerable to ReDoS when parsing crafted invalid public keys.

Publish Date: 2018-06-07

URL: CVE-2018-3737

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://hackerone.com/reports/319593

Release Date: 2018-06-07

Fix Resolution: 1.13.2

Vulnerable Library - growl-1.9.2.tgz

Growl unobtrusive notifications

Library home page: https://registry.npmjs.org/growl/-/growl-1.9.2.tgz

Path to dependency file: NodeGoat/package.json

Path to vulnerable library: NodeGoat/node_modules/growl/package.json

Dependency Hierarchy:

• mocha-2.5.3.tgz (Root Library)
  • ❌ growl-1.9.2.tgz (Vulnerable Library)

Found in HEAD commit: 26ef3f51dc7e983c5a5b8c3b9239aca51a91432b

Vulnerability Details

Growl adds growl notification support to nodejs. Growl before 1.10.2 does not properly sanitize input before passing it to exec, allowing for arbitrary command execution.

Publish Date: 2018-06-04

URL: CVE-2017-16042

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2017-16042

Release Date: 2018-06-04

Fix Resolution: 1.10.2

Vulnerable Library - qs-0.6.6.tgz

querystring parser

Library home page: https://registry.npmjs.org/qs/-/qs-0.6.6.tgz

Path to dependency file: NodeGoat/package.json

Path to vulnerable library: NodeGoat/node_modules/zaproxy/node_modules/qs/package.json

Dependency Hierarchy:

• zaproxy-0.2.0.tgz (Root Library)
  • request-2.36.0.tgz
    • ❌ qs-0.6.6.tgz (Vulnerable Library)

Found in HEAD commit: 26ef3f51dc7e983c5a5b8c3b9239aca51a91432b

Vulnerability Details

The qs module before 1.0.0 does not have an option or default for specifying object depth and when parsing a string representing a deeply nested object will block the event loop for long periods of time. An attacker could leverage this to cause a temporary denial-of-service condition, for example, in a web application, other requests would not be processed while this blocking is occurring.

Publish Date: 2018-05-31

URL: CVE-2014-10064

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://nodesecurity.io/advisories/28

Release Date: 2014-08-06

Fix Resolution: Update to version 1.0.0 or later

Vulnerable Library - handlebars-4.0.5.tgz

Handlebars provides the power necessary to let you build semantic templates effectively with no frustration

Library home page: https://registry.npmjs.org/handlebars/-/handlebars-4.0.5.tgz

Path to dependency file: NodeGoat/package.json

Path to vulnerable library: NodeGoat/node_modules/nyc/node_modules/handlebars/package.json

Dependency Hierarchy:

• grunt-if-0.2.0.tgz (Root Library)
  • grunt-contrib-nodeunit-1.0.0.tgz
    • nodeunit-0.9.5.tgz
      • tap-7.1.2.tgz
        • nyc-7.1.0.tgz
          • istanbul-reports-1.0.0-alpha.8.tgz
            • ❌ handlebars-4.0.5.tgz (Vulnerable Library)

Found in HEAD commit: 26ef3f51dc7e983c5a5b8c3b9239aca51a91432b

Vulnerability Details

In "showdownjs/showdown", versions prior to v4.4.5 are vulnerable against Regular expression Denial of Service (ReDOS) once receiving specially-crafted templates.

Publish Date: 2019-10-20

URL: WS-2019-0318

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/1300

Release Date: 2019-12-01

Fix Resolution: handlebars - 4.4.5

Vulnerable Library - jquery-1.4.4.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.4.4/jquery.min.js

Path to dependency file: NodeGoat/node_modules/selenium-webdriver/lib/test/data/droppableItems.html

Path to vulnerable library: /node_modules/selenium-webdriver/lib/test/data/js/jquery-1.4.4.min.js

Dependency Hierarchy:

• ❌ jquery-1.4.4.min.js (Vulnerable Library)

Found in HEAD commit: 26ef3f51dc7e983c5a5b8c3b9239aca51a91432b

Vulnerability Details

jquery prior to 1.9.0 allows Cross-site Scripting attacks via the load method. The load method fails to recognize and remove "<script>" HTML tags that contain a whitespace character, i.e: "</script >", which results in the enclosed script logic to be executed.

Publish Date: 2020-05-19

URL: CVE-2020-7656

CVSS 3 Score Details (6.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: GHSA-q4m3-2j7h-f7xw

Release Date: 2020-05-28

Fix Resolution: jquery - 1.9.0

Vulnerable Libraries - tough-cookie-2.3.1.tgz, tough-cookie-2.2.2.tgz

Found in HEAD commit: 26ef3f51dc7e983c5a5b8c3b9239aca51a91432b

Vulnerability Details

A ReDoS (regular expression denial of service) flaw was found in the tough-cookie module before 2.3.3 for Node.js. An attacker that is able to make an HTTP request using a specially crafted cookie may cause the application to consume an excessive amount of CPU.

Publish Date: 2017-10-04

URL: CVE-2017-15010

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2017-15010

Release Date: 2017-10-04

Fix Resolution: 2.3.3

Vulnerable Library - npm-3.10.10.tgz

a package manager for JavaScript

Library home page: https://registry.npmjs.org/npm/-/npm-3.10.10.tgz

Path to dependency file: NodeGoat/package.json

Path to vulnerable library: NodeGoat/node_modules/npm/package.json

Dependency Hierarchy:

• grunt-npm-install-0.3.1.tgz (Root Library)
  • ❌ npm-3.10.10.tgz (Vulnerable Library)

Found in HEAD commit: 26ef3f51dc7e983c5a5b8c3b9239aca51a91432b

Vulnerability Details

Versions of the npm CLI prior to 6.13.3 are vulnerable to an Arbitrary File Write. It is possible for packages to create symlinks to files outside of thenode_modules folder through the bin field upon installation. A properly constructed entry in the package.json bin field would allow a package publisher to create a symlink pointing to arbitrary files on a user's system when the package is installed. This behavior is still possible through install scripts. This vulnerability bypasses a user using the --ignore-scripts install option.

Publish Date: 2019-12-13

URL: CVE-2019-16775

CVSS 3 Score Details (6.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: High
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://blog.npmjs.org/post/189618601100/binary-planting-with-the-npm-cli

Release Date: 2019-12-13

Fix Resolution: npm - 6.13.3;yarn - 1.21.1

Vulnerable Library - brace-expansion-1.1.6.tgz

Brace expansion as known from sh/bash

Library home page: https://registry.npmjs.org/brace-expansion/-/brace-expansion-1.1.6.tgz

Path to dependency file: NodeGoat/package.json

Path to vulnerable library: NodeGoat/node_modules/npm/node_modules/glob/node_modules/minimatch/node_modules/brace-expansion/package.json,NodeGoat/node_modules/npm/node_modules/node-gyp/node_modules/minimatch/node_modules/brace-expansion/package.json,NodeGoat/node_modules/npm/node_modules/fstream-npm/node_modules/fstream-ignore/node_modules/minimatch/node_modules/brace-expansion/package.json,NodeGoat/node_modules/npm/node_modules/init-package-json/node_modules/glob/node_modules/minimatch/node_modules/brace-expansion/package.json,NodeGoat/node_modules/nyc/node_modules/brace-expansion/package.json,NodeGoat/node_modules/npm/node_modules/read-package-json/node_modules/glob/node_modules/minimatch/node_modules/brace-expansion/package.json

Dependency Hierarchy:

• grunt-npm-install-0.3.1.tgz (Root Library)
  • npm-3.10.10.tgz
    • read-package-json-2.0.4.tgz
      • glob-6.0.4.tgz
        • minimatch-3.0.3.tgz
          • ❌ brace-expansion-1.1.6.tgz (Vulnerable Library)

Found in HEAD commit: 26ef3f51dc7e983c5a5b8c3b9239aca51a91432b

Vulnerability Details

index.js in brace-expansion before 1.1.7 is vulnerable to Regular Expression Denial of Service (ReDoS) attacks, as demonstrated by an expand argument containing many comma characters.

Publish Date: 2018-01-27

URL: CVE-2017-18077

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2017-18077

Release Date: 2018-01-27

Fix Resolution: 1.1.7

Vulnerable Library - diff-1.4.0.tgz

A javascript text diff implementation.

Library home page: https://registry.npmjs.org/diff/-/diff-1.4.0.tgz

Path to dependency file: NodeGoat/package.json

Path to vulnerable library: NodeGoat/node_modules/diff/package.json

Dependency Hierarchy:

• mocha-2.5.3.tgz (Root Library)
  • ❌ diff-1.4.0.tgz (Vulnerable Library)

Found in HEAD commit: 26ef3f51dc7e983c5a5b8c3b9239aca51a91432b

Vulnerability Details

A vulnerability was found in diff before v3.5.0, the affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) attacks.

Publish Date: 2018-03-05

URL: WS-2018-0590

CVSS 2 Score Details (7.0)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: kpdecker/jsdiff@2aec429

Release Date: 2019-06-11

Fix Resolution: 3.5.0

Vulnerable Library - qs-0.6.6.tgz

querystring parser

Library home page: https://registry.npmjs.org/qs/-/qs-0.6.6.tgz

Path to dependency file: NodeGoat/package.json

Path to vulnerable library: NodeGoat/node_modules/zaproxy/node_modules/qs/package.json

Dependency Hierarchy:

• zaproxy-0.2.0.tgz (Root Library)
  • request-2.36.0.tgz
    • ❌ qs-0.6.6.tgz (Vulnerable Library)

Found in HEAD commit: 26ef3f51dc7e983c5a5b8c3b9239aca51a91432b

Vulnerability Details

Denial-of-Service Extended Event Loop Blocking.The qs module does not have an option or default for specifying object depth and when parsing a string representing a deeply nested object will block the event loop for long periods of time

Publish Date: 2014-07-31

URL: WS-2014-0005

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://nodesecurity.io/advisories/qs_dos_extended_event_loop_blocking

Release Date: 2014-08-06

Fix Resolution: Update qs to version 1.0.0 or greater

Vulnerable Library - handlebars-4.0.5.tgz

Handlebars provides the power necessary to let you build semantic templates effectively with no frustration

Library home page: https://registry.npmjs.org/handlebars/-/handlebars-4.0.5.tgz

Path to dependency file: NodeGoat/package.json

Path to vulnerable library: NodeGoat/node_modules/nyc/node_modules/handlebars/package.json

Dependency Hierarchy:

• grunt-if-0.2.0.tgz (Root Library)
  • grunt-contrib-nodeunit-1.0.0.tgz
    • nodeunit-0.9.5.tgz
      • tap-7.1.2.tgz
        • nyc-7.1.0.tgz
          • istanbul-reports-1.0.0-alpha.8.tgz
            • ❌ handlebars-4.0.5.tgz (Vulnerable Library)

Found in HEAD commit: 26ef3f51dc7e983c5a5b8c3b9239aca51a91432b

Vulnerability Details

Handlebars before 3.0.8 and 4.x before 4.5.3 is vulnerable to Arbitrary Code Execution. The lookup helper fails to properly validate templates, allowing attackers to submit templates that execute arbitrary JavaScript. This can be used to run arbitrary code on a server processing Handlebars templates or in a victim's browser (effectively serving as XSS).

Publish Date: 2020-09-30

URL: CVE-2019-20920

CVSS 3 Score Details (8.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: Low
  • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/1324

Release Date: 2020-10-15

Fix Resolution: handlebars - 4.5.3

Vulnerable Library - handlebars-4.0.5.tgz

Handlebars provides the power necessary to let you build semantic templates effectively with no frustration

Library home page: https://registry.npmjs.org/handlebars/-/handlebars-4.0.5.tgz

Path to dependency file: NodeGoat/package.json

Path to vulnerable library: NodeGoat/node_modules/nyc/node_modules/handlebars/package.json

Dependency Hierarchy:

• grunt-if-0.2.0.tgz (Root Library)
  • grunt-contrib-nodeunit-1.0.0.tgz
    • nodeunit-0.9.5.tgz
      • tap-7.1.2.tgz
        • nyc-7.1.0.tgz
          • istanbul-reports-1.0.0-alpha.8.tgz
            • ❌ handlebars-4.0.5.tgz (Vulnerable Library)

Found in HEAD commit: 26ef3f51dc7e983c5a5b8c3b9239aca51a91432b

Vulnerability Details

Arbitrary Code Execution vulnerability found in handlebars before 4.5.2. Lookup helper fails to validate templates. Attack may submit templates that execute arbitrary JavaScript in the system.

Publish Date: 2019-11-13

URL: WS-2019-0331

CVSS 2 Score Details (5.0)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/1316

Release Date: 2019-12-05

Fix Resolution: handlebars - 4.5.2

Vulnerable Library - bson-1.0.9.tgz

A bson parser for node.js and the browser

Library home page: https://registry.npmjs.org/bson/-/bson-1.0.9.tgz

Path to dependency file: NodeGoat/package.json

Path to vulnerable library: NodeGoat/node_modules/bson/package.json

Dependency Hierarchy:

• mongodb-2.2.36.tgz (Root Library)
  • mongodb-core-2.1.20.tgz
    • ❌ bson-1.0.9.tgz (Vulnerable Library)

Found in HEAD commit: 26ef3f51dc7e983c5a5b8c3b9239aca51a91432b

Vulnerability Details

All versions of bson before 1.1.4 are vulnerable to Deserialization of Untrusted Data. The package will ignore an unknown value for an object's _bsotype, leading to cases where an object is serialized as a document rather than the intended BSON type.

Publish Date: 2020-03-30

URL: CVE-2020-7610

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://github.com/mongodb/js-bson/releases/tag/v1.1.4

Release Date: 2020-03-30

Fix Resolution: bson - 1.1.4

Vulnerable Libraries - ini-1.3.5.tgz, ini-1.3.4.tgz

Found in HEAD commit: 26ef3f51dc7e983c5a5b8c3b9239aca51a91432b

Vulnerability Details

This affects the package ini before 1.3.6. If an attacker submits a malicious INI file to an application that parses it with ini.parse, they will pollute the prototype on the application. This can be exploited further depending on the context.

Publish Date: 2020-12-11

URL: CVE-2020-7788

CVSS 3 Score Details (7.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7788

Release Date: 2020-12-11

Fix Resolution: v1.3.6

Vulnerable Library - npm-3.10.10.tgz

a package manager for JavaScript

Library home page: https://registry.npmjs.org/npm/-/npm-3.10.10.tgz

Path to dependency file: NodeGoat/package.json

Path to vulnerable library: NodeGoat/node_modules/npm/package.json

Dependency Hierarchy:

• grunt-npm-install-0.3.1.tgz (Root Library)
  • ❌ npm-3.10.10.tgz (Vulnerable Library)

Found in HEAD commit: 26ef3f51dc7e983c5a5b8c3b9239aca51a91432b

Vulnerability Details

Versions of the npm CLI prior to 6.14.6 are vulnerable to an information exposure vulnerability through log files. The CLI supports URLs like "://[[:]@][:][:][/]". The password value is not redacted and is printed to stdout and also to any generated log files.

Publish Date: 2020-07-07

URL: CVE-2020-15095

CVSS 3 Score Details (4.4)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Local
  • Attack Complexity: High
  • Privileges Required: Low
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: None
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: GHSA-93f3-23rq-pjfp

Release Date: 2020-07-07

Fix Resolution: npm - 6.14.6

Vulnerable Library - y18n-3.2.1.tgz

the bare-bones internationalization library used by yargs

Library home page: https://registry.npmjs.org/y18n/-/y18n-3.2.1.tgz

Path to dependency file: NodeGoat/package.json

Path to vulnerable library: NodeGoat/node_modules/y18n/package.json,NodeGoat/node_modules/nyc/node_modules/y18n/package.json

Dependency Hierarchy:

• grunt-if-0.2.0.tgz (Root Library)
  • grunt-contrib-nodeunit-1.0.0.tgz
    • nodeunit-0.9.5.tgz
      • tap-7.1.2.tgz
        • nyc-7.1.0.tgz
          • yargs-4.8.1.tgz
            • ❌ y18n-3.2.1.tgz (Vulnerable Library)

Found in HEAD commit: 26ef3f51dc7e983c5a5b8c3b9239aca51a91432b

Vulnerability Details

This affects the package y18n before 3.2.2, 4.0.1 and 5.0.5. PoC by po6ix: const y18n = require('y18n')(); y18n.setLocale('proto'); y18n.updateLocale({polluted: true}); console.log(polluted); // true

Publish Date: 2020-11-17

URL: CVE-2020-7774

CVSS 3 Score Details (7.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/1654

Release Date: 2020-11-17

Fix Resolution: 3.2.2, 4.0.1, 5.0.5

Vulnerable Library - undefsafe-2.0.2.tgz

Undefined safe way of extracting object properties

Library home page: https://registry.npmjs.org/undefsafe/-/undefsafe-2.0.2.tgz

Path to dependency file: NodeGoat/package.json

Path to vulnerable library: NodeGoat/node_modules/undefsafe/package.json

Dependency Hierarchy:

• nodemon-1.19.1.tgz (Root Library)
  • ❌ undefsafe-2.0.2.tgz (Vulnerable Library)

Found in HEAD commit: 26ef3f51dc7e983c5a5b8c3b9239aca51a91432b

Vulnerability Details

undefsafe before 2.0.3 is vulnerable to Prototype Pollution. The 'a' function could be tricked into adding or modifying properties of Object.prototype using a proto payload.

Publish Date: 2020-02-18

URL: CVE-2019-10795

CVSS 3 Score Details (6.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10795

Release Date: 2020-02-18

Fix Resolution: 2.0.3

Vulnerable Library - tunnel-agent-0.4.3.tgz

HTTP proxy tunneling agent. Formerly part of mikeal/request, now a standalone module.

Library home page: https://registry.npmjs.org/tunnel-agent/-/tunnel-agent-0.4.3.tgz

Path to dependency file: NodeGoat/package.json

Path to vulnerable library: NodeGoat/node_modules/tunnel-agent/package.json,NodeGoat/node_modules/npm/node_modules/request/node_modules/tunnel-agent/package.json

Dependency Hierarchy:

• grunt-retire-0.3.12.tgz (Root Library)
  • request-2.67.0.tgz
    • ❌ tunnel-agent-0.4.3.tgz (Vulnerable Library)

Found in HEAD commit: 26ef3f51dc7e983c5a5b8c3b9239aca51a91432b

Vulnerability Details

Versions of tunnel-agent before 0.6.0 are vulnerable to memory exposure.

This is exploitable if user supplied input is provided to the auth value and is a number.

Publish Date: 2017-03-05

URL: WS-2018-0076

CVSS 3 Score Details (5.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Local
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: None
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://nodesecurity.io/advisories/598

Release Date: 2018-01-27

Fix Resolution: 0.6.0

Vulnerable Libraries - lodash-2.4.2.tgz, lodash-4.13.1.tgz, lodash-4.17.11.tgz

Found in HEAD commit: 26ef3f51dc7e983c5a5b8c3b9239aca51a91432b

Vulnerability Details

Versions of lodash lower than 4.17.12 are vulnerable to Prototype Pollution. The function defaultsDeep could be tricked into adding or modifying properties of Object.prototype using a constructor payload.

Publish Date: 2019-07-26

URL: CVE-2019-10744

CVSS 3 Score Details (9.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-jf85-cpcp-j695

Release Date: 2019-07-08

Fix Resolution: lodash-4.17.12, lodash-amd-4.17.12, lodash-es-4.17.12, lodash.defaultsdeep-4.6.1, lodash.merge- 4.6.2, lodash.mergewith-4.6.2, lodash.template-4.5.0

Vulnerable Libraries - cryptiles-0.2.2.tgz, cryptiles-2.0.5.tgz

Found in HEAD commit: 26ef3f51dc7e983c5a5b8c3b9239aca51a91432b

Vulnerability Details

Eran Hammer cryptiles version 4.1.1 earlier contains a CWE-331: Insufficient Entropy vulnerability in randomDigits() method that can result in An attacker is more likely to be able to brute force something that was supposed to be random.. This attack appear to be exploitable via Depends upon the calling application.. This vulnerability appears to have been fixed in 4.1.2.

Publish Date: 2018-07-09

URL: CVE-2018-1000620

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-1000620

Release Date: 2018-07-09

Fix Resolution: v4.1.2

Vulnerable Library - handlebars-4.0.5.tgz

Handlebars provides the power necessary to let you build semantic templates effectively with no frustration

Library home page: https://registry.npmjs.org/handlebars/-/handlebars-4.0.5.tgz

Path to dependency file: NodeGoat/package.json

Path to vulnerable library: NodeGoat/node_modules/nyc/node_modules/handlebars/package.json

Dependency Hierarchy:

• grunt-if-0.2.0.tgz (Root Library)
  • grunt-contrib-nodeunit-1.0.0.tgz
    • nodeunit-0.9.5.tgz
      • tap-7.1.2.tgz
        • nyc-7.1.0.tgz
          • istanbul-reports-1.0.0-alpha.8.tgz
            • ❌ handlebars-4.0.5.tgz (Vulnerable Library)

Found in HEAD commit: 26ef3f51dc7e983c5a5b8c3b9239aca51a91432b

Vulnerability Details

handlebars before 3.0.8 and 4.x before 4.5.3 is vulnerable to Arbitrary Code Execution. The package's lookup helper fails to properly validate templates, allowing attackers to submit templates that execute arbitrary JavaScript in the system.

Publish Date: 2019-11-19

URL: WS-2019-0492

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/1324

Release Date: 2019-11-19

Fix Resolution: handlebars - 3.0.8,4.5.3

Vulnerable Library - kind-of-6.0.2.tgz

Get the native type of a value.

Library home page: https://registry.npmjs.org/kind-of/-/kind-of-6.0.2.tgz

Path to dependency file: NodeGoat/package.json

Path to vulnerable library: NodeGoat/node_modules/nanomatch/node_modules/kind-of/package.json,NodeGoat/node_modules/define-property/node_modules/kind-of/package.json,NodeGoat/node_modules/extglob/node_modules/kind-of/package.json,NodeGoat/node_modules/base/node_modules/kind-of/package.json,NodeGoat/node_modules/micromatch/node_modules/kind-of/package.json,NodeGoat/node_modules/make-iterator/node_modules/kind-of/package.json,NodeGoat/node_modules/snapdragon-node/node_modules/kind-of/package.json,NodeGoat/node_modules/liftoff/node_modules/kind-of/package.json

Dependency Hierarchy:

• grunt-cli-1.3.2.tgz (Root Library)
  • liftoff-2.5.0.tgz
    • findup-sync-2.0.0.tgz
      • micromatch-3.1.10.tgz
        • ❌ kind-of-6.0.2.tgz (Vulnerable Library)

Found in HEAD commit: 26ef3f51dc7e983c5a5b8c3b9239aca51a91432b

Vulnerability Details

ctorName in index.js in kind-of v6.0.2 allows external user input to overwrite certain internal attributes via a conflicting name, as demonstrated by 'constructor': {'name':'Symbol'}. Hence, a crafted payload can overwrite this builtin attribute to manipulate the type detection result.

Publish Date: 2019-12-30

URL: CVE-2019-20149

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: High
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-20149

Release Date: 2019-12-30

Fix Resolution: 6.0.3

Vulnerable Library - tough-cookie-2.2.2.tgz

RFC6265 Cookies and Cookie Jar for node.js

Library home page: https://registry.npmjs.org/tough-cookie/-/tough-cookie-2.2.2.tgz

Path to dependency file: NodeGoat/package.json

Path to vulnerable library: NodeGoat/node_modules/grunt-retire/node_modules/tough-cookie/package.json

Dependency Hierarchy:

• grunt-retire-0.3.12.tgz (Root Library)
  • request-2.67.0.tgz
    • ❌ tough-cookie-2.2.2.tgz (Vulnerable Library)

Found in HEAD commit: 26ef3f51dc7e983c5a5b8c3b9239aca51a91432b

Vulnerability Details

NodeJS Tough-Cookie version 2.2.2 contains a Regular Expression Parsing vulnerability in HTTP request Cookie Header parsing that can result in Denial of Service. This attack appear to be exploitable via Custom HTTP header passed by client. This vulnerability appears to have been fixed in 2.3.0.

Publish Date: 2018-09-05

URL: CVE-2016-1000232

CVSS 3 Score Details (5.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/130

Release Date: 2018-09-05

Fix Resolution: 2.3.0

Vulnerable Library - dot-prop-4.2.0.tgz

Get, set, or delete a property from a nested object using a dot path

Library home page: https://registry.npmjs.org/dot-prop/-/dot-prop-4.2.0.tgz

Path to dependency file: NodeGoat/package.json

Path to vulnerable library: NodeGoat/node_modules/dot-prop/package.json

Dependency Hierarchy:

• nodemon-1.19.1.tgz (Root Library)
  • update-notifier-2.5.0.tgz
    • configstore-3.1.2.tgz
      • ❌ dot-prop-4.2.0.tgz (Vulnerable Library)

Found in HEAD commit: 26ef3f51dc7e983c5a5b8c3b9239aca51a91432b

Vulnerability Details

Prototype pollution vulnerability in dot-prop npm package versions before 4.2.1 and versions 5.x before 5.1.1 allows an attacker to add arbitrary properties to JavaScript language constructs such as objects.

Publish Date: 2020-02-04

URL: CVE-2020-8116

CVSS 3 Score Details (7.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8116

Release Date: 2020-02-04

Fix Resolution: dot-prop - 5.1.1

Vulnerable Library - ms-0.7.1.tgz

Tiny ms conversion utility

Library home page: https://registry.npmjs.org/ms/-/ms-0.7.1.tgz

Path to dependency file: NodeGoat/package.json

Path to vulnerable library: NodeGoat/node_modules/mocha/node_modules/ms/package.json,NodeGoat/node_modules/npm/node_modules/node-gyp/node_modules/path-array/node_modules/array-index/node_modules/debug/node_modules/ms/package.json,NodeGoat/node_modules/nyc/node_modules/ms/package.json,NodeGoat/node_modules/connect/node_modules/ms/package.json

Dependency Hierarchy:

• mocha-2.5.3.tgz (Root Library)
  • debug-2.2.0.tgz
    • ❌ ms-0.7.1.tgz (Vulnerable Library)

Found in HEAD commit: 26ef3f51dc7e983c5a5b8c3b9239aca51a91432b

Vulnerability Details

Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS).

Publish Date: 2017-04-12

URL: WS-2017-0247

CVSS 2 Score Details (3.4)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: vercel/ms#89

Release Date: 2017-04-12

Fix Resolution: 2.1.1

Vulnerable Library - mime-1.2.11.tgz

A comprehensive library for mime-type mapping

Library home page: https://registry.npmjs.org/mime/-/mime-1.2.11.tgz

Path to dependency file: NodeGoat/package.json

Path to vulnerable library: NodeGoat/node_modules/zaproxy/node_modules/mime/package.json

Dependency Hierarchy:

• zaproxy-0.2.0.tgz (Root Library)
  • request-2.36.0.tgz
    • ❌ mime-1.2.11.tgz (Vulnerable Library)

Found in HEAD commit: 26ef3f51dc7e983c5a5b8c3b9239aca51a91432b

Vulnerability Details

The mime module < 1.4.1, 2.0.1, 2.0.2 is vulnerable to regular expression denial of service when a mime lookup is performed on untrusted user input.

Publish Date: 2018-06-07

URL: CVE-2017-16138

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16138

Release Date: 2018-06-07

Fix Resolution: 1.4.1,2.0.3

Vulnerable Library - handlebars-4.0.5.tgz

Handlebars provides the power necessary to let you build semantic templates effectively with no frustration

Library home page: https://registry.npmjs.org/handlebars/-/handlebars-4.0.5.tgz

Path to dependency file: NodeGoat/package.json

Path to vulnerable library: NodeGoat/node_modules/nyc/node_modules/handlebars/package.json

Dependency Hierarchy:

• grunt-if-0.2.0.tgz (Root Library)
  • grunt-contrib-nodeunit-1.0.0.tgz
    • nodeunit-0.9.5.tgz
      • tap-7.1.2.tgz
        • nyc-7.1.0.tgz
          • istanbul-reports-1.0.0-alpha.8.tgz
            • ❌ handlebars-4.0.5.tgz (Vulnerable Library)

Found in HEAD commit: 26ef3f51dc7e983c5a5b8c3b9239aca51a91432b

Vulnerability Details

In handlebars, versions prior to v4.5.3 are vulnerable to prototype pollution. Using a malicious template it's possbile to add or modify properties to the Object prototype. This can also lead to DOS and RCE in certain conditions.

Publish Date: 2019-11-18

URL: WS-2019-0333

CVSS 3 Score Details (8.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/1325

Release Date: 2019-12-05

Fix Resolution: handlebars - 4.5.3

Vulnerable Library - adm-zip-0.4.4.tgz

A Javascript implementation of zip for nodejs. Allows user to create or extract zip files both in memory or to/from disk

Library home page: https://registry.npmjs.org/adm-zip/-/adm-zip-0.4.4.tgz

Path to dependency file: NodeGoat/package.json

Path to vulnerable library: NodeGoat/node_modules/adm-zip/package.json

Dependency Hierarchy:

• selenium-webdriver-2.53.3.tgz (Root Library)
  • ❌ adm-zip-0.4.4.tgz (Vulnerable Library)

Found in HEAD commit: 26ef3f51dc7e983c5a5b8c3b9239aca51a91432b

Vulnerability Details

adm-zip npm library before 0.4.9 is vulnerable to directory traversal, allowing attackers to write to arbitrary files via a ../ (dot dot slash) in a Zip archive entry that is mishandled during extraction. This vulnerability is also known as 'Zip-Slip'.

Publish Date: 2018-07-25

URL: CVE-2018-1002204

CVSS 3 Score Details (5.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Local
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: High
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2018-1002204

Release Date: 2018-07-25

Fix Resolution: 0.4.9

Vulnerable Library - hawk-1.0.0.tgz

HTTP Hawk Authentication Scheme

Library home page: https://registry.npmjs.org/hawk/-/hawk-1.0.0.tgz

Path to dependency file: NodeGoat/package.json

Path to vulnerable library: NodeGoat/node_modules/zaproxy/node_modules/hawk/package.json

Dependency Hierarchy:

• zaproxy-0.2.0.tgz (Root Library)
  • request-2.36.0.tgz
    • ❌ hawk-1.0.0.tgz (Vulnerable Library)

Found in HEAD commit: 26ef3f51dc7e983c5a5b8c3b9239aca51a91432b

Vulnerability Details

Hawk before 3.1.3 and 4.x before 4.1.1 allow remote attackers to cause a denial of service (CPU consumption or partial outage) via a long (1) header or (2) URI that is matched against an improper regular expression.

Publish Date: 2016-04-13

URL: CVE-2016-2515

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2016-2515

Release Date: 2016-04-13

Fix Resolution: 3.1.3,4.1.1

Vulnerable Library - stringstream-0.0.5.tgz

Encode and decode streams into string streams

Library home page: https://registry.npmjs.org/stringstream/-/stringstream-0.0.5.tgz

Path to dependency file: NodeGoat/package.json

Path to vulnerable library: NodeGoat/node_modules/npm/node_modules/request/node_modules/stringstream/package.json

Dependency Hierarchy:

• grunt-npm-install-0.3.1.tgz (Root Library)
  • npm-3.10.10.tgz
    • request-2.75.0.tgz
      • ❌ stringstream-0.0.5.tgz (Vulnerable Library)

Found in HEAD commit: 26ef3f51dc7e983c5a5b8c3b9239aca51a91432b

Vulnerability Details

Versions less than 0.0.6 of the Node.js stringstream module are vulnerable to an out-of-bounds read because of allocation of uninitialized buffers when a number is passed in the input stream (when using Node.js 4.x).

Publish Date: 2020-12-03

URL: CVE-2018-21270

CVSS 3 Score Details (6.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-21270

Release Date: 2020-12-03

Fix Resolution: 0.0.6

Vulnerable Library - debug-2.2.0.tgz

small debugging utility

Library home page: https://registry.npmjs.org/debug/-/debug-2.2.0.tgz

Path to dependency file: NodeGoat/package.json

Path to vulnerable library: NodeGoat/node_modules/nyc/node_modules/debug/package.json,NodeGoat/node_modules/mocha/node_modules/debug/package.json,NodeGoat/node_modules/npm/node_modules/node-gyp/node_modules/path-array/node_modules/array-index/node_modules/debug/package.json,NodeGoat/node_modules/connect/node_modules/debug/package.json

Dependency Hierarchy:

• mocha-2.5.3.tgz (Root Library)
  • ❌ debug-2.2.0.tgz (Vulnerable Library)

Found in HEAD commit: 26ef3f51dc7e983c5a5b8c3b9239aca51a91432b

Vulnerability Details

The debug module is vulnerable to regular expression denial of service when untrusted user input is passed into the o formatter. It takes around 50k characters to block for 2 seconds making this a low severity issue.

Publish Date: 2018-06-07

URL: CVE-2017-16137

CVSS 3 Score Details (5.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-16137

Release Date: 2018-06-07

Fix Resolution: 2.6.9

Vulnerable Libraries - qs-0.6.6.tgz, qs-5.2.1.tgz, qs-6.2.1.tgz

Found in HEAD commit: 26ef3f51dc7e983c5a5b8c3b9239aca51a91432b

Vulnerability Details

the web framework using ljharb's qs module older than v6.3.2, v6.2.3, v6.1.2, and v6.0.4 is vulnerable to a DoS. A malicious user can send a evil request to cause the web framework crash.

Publish Date: 2017-07-17

URL: CVE-2017-1000048

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000048

Release Date: 2017-07-17

Fix Resolution: qs - 6.0.4,6.1.2,6.2.3,6.3.2

Vulnerable Library - getobject-0.1.0.tgz

get.and.set.deep.objects.easily = true

Library home page: https://registry.npmjs.org/getobject/-/getobject-0.1.0.tgz

Path to dependency file: NodeGoat/package.json

Path to vulnerable library: NodeGoat/node_modules/getobject/package.json

Dependency Hierarchy:

• grunt-1.0.3.tgz (Root Library)
  • grunt-legacy-util-1.1.1.tgz
    • ❌ getobject-0.1.0.tgz (Vulnerable Library)

Found in HEAD commit: 26ef3f51dc7e983c5a5b8c3b9239aca51a91432b

Found in base branch: master

Vulnerability Details

Prototype pollution vulnerability in 'getobject' version 0.1.0 allows an attacker to cause a denial of service and may lead to remote code execution.

Publish Date: 2020-12-29

URL: CVE-2020-28282

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/package/getobject

Release Date: 2020-12-29

Fix Resolution: getobject - 1.0.0

Vulnerable Library - handlebars-4.0.5.tgz

Handlebars provides the power necessary to let you build semantic templates effectively with no frustration

Library home page: https://registry.npmjs.org/handlebars/-/handlebars-4.0.5.tgz

Path to dependency file: NodeGoat/package.json

Path to vulnerable library: NodeGoat/node_modules/nyc/node_modules/handlebars/package.json

Dependency Hierarchy:

• grunt-if-0.2.0.tgz (Root Library)
  • grunt-contrib-nodeunit-1.0.0.tgz
    • nodeunit-0.9.5.tgz
      • tap-7.1.2.tgz
        • nyc-7.1.0.tgz
          • istanbul-reports-1.0.0-alpha.8.tgz
            • ❌ handlebars-4.0.5.tgz (Vulnerable Library)

Found in HEAD commit: 26ef3f51dc7e983c5a5b8c3b9239aca51a91432b

Vulnerability Details

Versions of handlebars prior to 4.3.0 are vulnerable to Prototype Pollution leading to Remote Code Execution. Templates may alter an Object's proto and defineGetter properties, which may allow an attacker to execute arbitrary code through crafted payloads.

Publish Date: 2019-12-20

URL: CVE-2019-19919

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/1164

Release Date: 2019-12-20

Fix Resolution: 4.3.0

Vulnerable Library - handlebars-4.0.5.tgz

Handlebars provides the power necessary to let you build semantic templates effectively with no frustration

Library home page: https://registry.npmjs.org/handlebars/-/handlebars-4.0.5.tgz

Path to dependency file: NodeGoat/package.json

Path to vulnerable library: NodeGoat/node_modules/nyc/node_modules/handlebars/package.json

Dependency Hierarchy:

• grunt-if-0.2.0.tgz (Root Library)
  • grunt-contrib-nodeunit-1.0.0.tgz
    • nodeunit-0.9.5.tgz
      • tap-7.1.2.tgz
        • nyc-7.1.0.tgz
          • istanbul-reports-1.0.0-alpha.8.tgz
            • ❌ handlebars-4.0.5.tgz (Vulnerable Library)

Found in HEAD commit: 26ef3f51dc7e983c5a5b8c3b9239aca51a91432b

Vulnerability Details

Handlebars before 4.4.5 allows Regular Expression Denial of Service (ReDoS) because of eager matching. The parser may be forced into an endless loop while processing crafted templates. This may allow attackers to exhaust system resources.

Publish Date: 2020-09-30

URL: CVE-2019-20922

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/1300

Release Date: 2020-10-07

Fix Resolution: handlebars - 4.4.5

Vulnerable Library - marked-0.3.9.tgz

A markdown parser built for speed

Library home page: https://registry.npmjs.org/marked/-/marked-0.3.9.tgz

Path to dependency file: NodeGoat/package.json

Path to vulnerable library: /node_modules/marked/package.json

Dependency Hierarchy:

• ❌ marked-0.3.9.tgz (Vulnerable Library)

Found in HEAD commit: 26ef3f51dc7e983c5a5b8c3b9239aca51a91432b

Vulnerability Details

marked before 0.4.0 is vulnerable to Regular Expression Denial of Service (REDoS) through heading in marked.js.

Publish Date: 2018-04-16

URL: WS-2018-0628

CVSS 3 Score Details (5.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: https://github.com/markedjs/marked/releases/tag/0.4.0

Release Date: 2018-04-16

Fix Resolution: marked - 0.4.0

Vulnerable Library - jquery-1.4.4.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.4.4/jquery.min.js

Path to dependency file: NodeGoat/node_modules/selenium-webdriver/lib/test/data/droppableItems.html

Path to vulnerable library: /node_modules/selenium-webdriver/lib/test/data/js/jquery-1.4.4.min.js

Dependency Hierarchy:

• ❌ jquery-1.4.4.min.js (Vulnerable Library)

Found in HEAD commit: 26ef3f51dc7e983c5a5b8c3b9239aca51a91432b

Vulnerability Details

jQuery before 3.0.0 is vulnerable to Cross-site Scripting (XSS) attacks when a cross-domain Ajax request is performed without the dataType option, causing text/javascript responses to be executed.

Publish Date: 2018-01-18

URL: CVE-2015-9251

CVSS 3 Score Details (6.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2015-9251

Release Date: 2018-01-18

Fix Resolution: jQuery - v3.0.0

Vulnerable Library - handlebars-4.0.5.tgz

Handlebars provides the power necessary to let you build semantic templates effectively with no frustration

Library home page: https://registry.npmjs.org/handlebars/-/handlebars-4.0.5.tgz

Path to dependency file: NodeGoat/package.json

Path to vulnerable library: NodeGoat/node_modules/nyc/node_modules/handlebars/package.json

Dependency Hierarchy:

• grunt-if-0.2.0.tgz (Root Library)
  • grunt-contrib-nodeunit-1.0.0.tgz
    • nodeunit-0.9.5.tgz
      • tap-7.1.2.tgz
        • nyc-7.1.0.tgz
          • istanbul-reports-1.0.0-alpha.8.tgz
            • ❌ handlebars-4.0.5.tgz (Vulnerable Library)

Found in HEAD commit: 26ef3f51dc7e983c5a5b8c3b9239aca51a91432b

Vulnerability Details

Arbitrary Code Execution vulnerability found in handlebars before 4.5.3. Lookup helper fails to validate templates. Attack may submit templates that execute arbitrary JavaScript in the system.It is due to an incomplete fix for a WS-2019-0331.

Publish Date: 2019-11-17

URL: WS-2019-0332

CVSS 2 Score Details (5.0)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/1324

Release Date: 2019-12-05

Fix Resolution: handlebars - 4.5.3

Vulnerable Library - helmet-csp-1.2.2.tgz

Content Security Policy middleware.

Library home page: https://registry.npmjs.org/helmet-csp/-/helmet-csp-1.2.2.tgz

Path to dependency file: NodeGoat/package.json

Path to vulnerable library: NodeGoat/node_modules/helmet-csp/package.json

Dependency Hierarchy:

• helmet-2.3.0.tgz (Root Library)
  • ❌ helmet-csp-1.2.2.tgz (Vulnerable Library)

Found in HEAD commit: 26ef3f51dc7e983c5a5b8c3b9239aca51a91432b

Vulnerability Details

Helmet-csp before 2.9.1 is vulnerable to a Configuration Override affecting the application's Content Security Policy (CSP). The package's browser sniffing for Firefox deletes the default-src CSP policy, which is the fallback policy. This allows an attacker to remove an application's default CSP, possibly rendering the application vulnerable to Cross-Site Scripting.

Publish Date: 2019-11-18

URL: WS-2019-0289

CVSS 3 Score Details (6.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/1176

Release Date: 2019-10-06

Fix Resolution: 2.9.1

Vulnerable Libraries - set-value-2.0.0.tgz, set-value-0.4.3.tgz

Found in HEAD commit: 26ef3f51dc7e983c5a5b8c3b9239aca51a91432b

Vulnerability Details

set-value is vulnerable to Prototype Pollution in versions lower than 3.0.1. The function mixin-deep could be tricked into adding or modifying properties of Object.prototype using any of the constructor, prototype and proto payloads.

Publish Date: 2019-08-23

URL: CVE-2019-10747

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: jonschlinkert/set-value@95e9d99

Release Date: 2019-07-24

Fix Resolution: 2.0.1,3.0.1

Vulnerable Library - chownr-1.0.1.tgz

like `chown -R`

Library home page: https://registry.npmjs.org/chownr/-/chownr-1.0.1.tgz

Path to dependency file: NodeGoat/package.json

Path to vulnerable library: NodeGoat/node_modules/npm/node_modules/chownr/package.json

Dependency Hierarchy:

• grunt-npm-install-0.3.1.tgz (Root Library)
  • npm-3.10.10.tgz
    • ❌ chownr-1.0.1.tgz (Vulnerable Library)

Found in HEAD commit: 26ef3f51dc7e983c5a5b8c3b9239aca51a91432b

Vulnerability Details

A TOCTOU issue in the chownr package before 1.1.0 for Node.js 10.10 could allow a local attacker to trick it into descending into unintended directories via symlink attacks.

Publish Date: 2020-06-15

URL: CVE-2017-18869

CVSS 3 Score Details (2.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Local
  • Attack Complexity: High
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: Low
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18869

Release Date: 2020-06-15

Fix Resolution: 1.1.0

Vulnerable Library - sshpk-1.10.1.tgz

A library for finding and using SSH public keys

Library home page: https://registry.npmjs.org/sshpk/-/sshpk-1.10.1.tgz

Path to dependency file: NodeGoat/package.json

Path to vulnerable library: NodeGoat/node_modules/npm/node_modules/request/node_modules/http-signature/node_modules/sshpk/package.json

Dependency Hierarchy:

• grunt-npm-install-0.3.1.tgz (Root Library)
  • npm-3.10.10.tgz
    • request-2.75.0.tgz
      • http-signature-1.1.1.tgz
        • ❌ sshpk-1.10.1.tgz (Vulnerable Library)

Found in HEAD commit: 26ef3f51dc7e983c5a5b8c3b9239aca51a91432b

Vulnerability Details

Versions of sshpk before 1.14.1 are vulnerable to regular expression denial of service when parsing crafted invalid public keys.

Publish Date: 2018-04-25

URL: WS-2018-0084

CVSS 2 Score Details (8.0)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: https://nodesecurity.io/advisories/606

Release Date: 2018-01-27

Fix Resolution: 1.14.1

Vulnerable Library - marked-0.3.9.tgz

A markdown parser built for speed

Library home page: https://registry.npmjs.org/marked/-/marked-0.3.9.tgz

Path to dependency file: NodeGoat/package.json

Path to vulnerable library: /node_modules/marked/package.json

Dependency Hierarchy:

• ❌ marked-0.3.9.tgz (Vulnerable Library)

Found in HEAD commit: 26ef3f51dc7e983c5a5b8c3b9239aca51a91432b

Vulnerability Details

marked before 1.1.1 is vulnerable to Regular Expression Denial of Service (REDoS). rules.js have multiple unused capture groups which can lead to a Denial of Service.

Publish Date: 2020-07-02

URL: WS-2020-0163

CVSS 3 Score Details (5.9)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://github.com/markedjs/marked/releases/tag/v1.1.1

Release Date: 2020-07-02

Fix Resolution: marked - 1.1.1

Vulnerable Library - npm-3.10.10.tgz

a package manager for JavaScript

Library home page: https://registry.npmjs.org/npm/-/npm-3.10.10.tgz

Path to dependency file: NodeGoat/package.json

Path to vulnerable library: NodeGoat/node_modules/npm/package.json

Dependency Hierarchy:

• grunt-npm-install-0.3.1.tgz (Root Library)
  • ❌ npm-3.10.10.tgz (Vulnerable Library)

Found in HEAD commit: 26ef3f51dc7e983c5a5b8c3b9239aca51a91432b

Vulnerability Details

Versions of the npm CLI prior to 6.13.3 are vulnerable to an Arbitrary File Write. It fails to prevent access to folders outside of the intended node_modules folder through the bin field. A properly constructed entry in the package.json bin field would allow a package publisher to modify and/or gain access to arbitrary files on a user's system when the package is installed. This behavior is still possible through install scripts. This vulnerability bypasses a user using the --ignore-scripts install option.

Publish Date: 2019-12-13

URL: CVE-2019-16776

CVSS 3 Score Details (8.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://blog.npmjs.org/post/189618601100/binary-planting-with-the-npm-cli

Release Date: 2019-12-13

Fix Resolution: npm - 6.13.3;yarn - 1.21.1

Vulnerable Libraries - lodash-2.4.2.tgz, lodash-4.13.1.tgz, lodash-4.17.11.tgz

Found in HEAD commit: 26ef3f51dc7e983c5a5b8c3b9239aca51a91432b

Vulnerability Details

Lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function.

Publish Date: 2021-02-15

URL: CVE-2021-23337

CVSS 3 Score Details (7.2)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: High
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: lodash/lodash@3469357

Release Date: 2021-02-15

Fix Resolution: lodash - 4.17.21

Vulnerable Library - websocket-extensions-0.1.3.tgz

Generic extension manager for WebSocket connections

Library home page: https://registry.npmjs.org/websocket-extensions/-/websocket-extensions-0.1.3.tgz

Path to dependency file: NodeGoat/package.json

Path to vulnerable library: NodeGoat/node_modules/websocket-extensions/package.json

Dependency Hierarchy:

• grunt-contrib-watch-1.1.0.tgz (Root Library)
  • tiny-lr-1.1.1.tgz
    • faye-websocket-0.10.0.tgz
      • websocket-driver-0.7.0.tgz
        • ❌ websocket-extensions-0.1.3.tgz (Vulnerable Library)

Found in HEAD commit: 26ef3f51dc7e983c5a5b8c3b9239aca51a91432b

Vulnerability Details

websocket-extensions npm module prior to 0.1.4 allows Denial of Service (DoS) via Regex Backtracking. The extension parser may take quadratic time when parsing a header containing an unclosed string parameter value whose content is a repeating two-byte sequence of a backslash and some other character. This could be abused by an attacker to conduct Regex Denial Of Service (ReDoS) on a single-threaded server by providing a malicious payload with the Sec-WebSocket-Extensions header.

Publish Date: 2020-06-02

URL: CVE-2020-7662

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-g78m-2chm-r7qv

Release Date: 2020-06-02

Fix Resolution: websocket-extensions - 0.1.4

Vulnerable Library - mixin-deep-1.3.1.tgz

Deeply mix the properties of objects into the first object. Like merge-deep, but doesn't clone.

Library home page: https://registry.npmjs.org/mixin-deep/-/mixin-deep-1.3.1.tgz

Path to dependency file: NodeGoat/package.json

Path to vulnerable library: NodeGoat/node_modules/mixin-deep/package.json

Dependency Hierarchy:

• nodemon-1.19.1.tgz (Root Library)
  • chokidar-2.1.6.tgz
    • braces-2.3.2.tgz
      • snapdragon-0.8.2.tgz
        • base-0.11.2.tgz
          • ❌ mixin-deep-1.3.1.tgz (Vulnerable Library)

Found in HEAD commit: 26ef3f51dc7e983c5a5b8c3b9239aca51a91432b

Vulnerability Details

mixin-deep is vulnerable to Prototype Pollution in versions before 1.3.2 and version 2.0.0. The function mixin-deep could be tricked into adding or modifying properties of Object.prototype using a constructor payload.

Publish Date: 2019-08-23

URL: CVE-2019-10746

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: jonschlinkert/mixin-deep@8f464c8

Release Date: 2019-07-11

Fix Resolution: 1.3.2,2.0.1

Vulnerable Library - npm-3.10.10.tgz

a package manager for JavaScript

Library home page: https://registry.npmjs.org/npm/-/npm-3.10.10.tgz

Path to dependency file: NodeGoat/package.json

Path to vulnerable library: NodeGoat/node_modules/npm/package.json

Dependency Hierarchy:

• grunt-npm-install-0.3.1.tgz (Root Library)
  • ❌ npm-3.10.10.tgz (Vulnerable Library)

Found in HEAD commit: 26ef3f51dc7e983c5a5b8c3b9239aca51a91432b

Vulnerability Details

Versions of the npm CLI prior to 6.13.4 are vulnerable to an Arbitrary File Overwrite. It fails to prevent existing globally-installed binaries to be overwritten by other package installations. For example, if a package was installed globally and created a serve binary, any subsequent installs of packages that also create a serve binary would overwrite the previous serve binary. This behavior is still allowed in local installations and also through install scripts. This vulnerability bypasses a user using the --ignore-scripts install option.

Publish Date: 2019-12-13

URL: CVE-2019-16777

CVSS 3 Score Details (6.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: High
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://blog.npmjs.org/post/189618601100/binary-planting-with-the-npm-cli

Release Date: 2019-12-13

Fix Resolution: npm - 6.13.4

Vulnerable Library - handlebars-4.0.5.tgz

Handlebars provides the power necessary to let you build semantic templates effectively with no frustration

Library home page: https://registry.npmjs.org/handlebars/-/handlebars-4.0.5.tgz

Path to dependency file: NodeGoat/package.json

Path to vulnerable library: NodeGoat/node_modules/nyc/node_modules/handlebars/package.json

Dependency Hierarchy:

• grunt-if-0.2.0.tgz (Root Library)
  • grunt-contrib-nodeunit-1.0.0.tgz
    • nodeunit-0.9.5.tgz
      • tap-7.1.2.tgz
        • nyc-7.1.0.tgz
          • istanbul-reports-1.0.0-alpha.8.tgz
            • ❌ handlebars-4.0.5.tgz (Vulnerable Library)

Found in HEAD commit: 26ef3f51dc7e983c5a5b8c3b9239aca51a91432b

Vulnerability Details

handlebars before 3.0.8 and 4.x before 4.5.2 is vulnerable to Arbitrary Code Execution. The package's lookup helper fails to properly validate templates, allowing attackers to submit templates that execute arbitrary JavaScript in the system.

Publish Date: 2019-11-14

URL: WS-2019-0493

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/1316

Release Date: 2019-11-14

Fix Resolution: handlebars - 3.0.8,4.5.2