Vulnerable Library - sdk-core-0.5.7.tgz
Found in HEAD commit: 5a14195d842fa047b4e529a4ec122a84b85f321e
Vulnerabilities
| CVE | Severity | CVSS | Dependency | Type | Fixed in (sdk-core version) | Remediation Available |
| --- | --- | --- | --- | --- | --- | --- |
| CVE-2023-30542 | High | 8.8 | contracts-4.7.3.tgz | Transitive | N/A* | ❌ |
| CVE-2022-25901 | High | 7.5 | cookiejar-2.1.3.tgz | Transitive | N/A* | ❌ |
| CVE-2022-25881 | High | 7.5 | http-cache-semantics-4.1.0.tgz | Transitive | N/A* | ❌ |
| CVE-2023-28155 | Medium | 6.1 | request-2.88.2.tgz | Transitive | N/A* | ❌ |
| CVE-2022-33987 | Medium | 5.3 | got-9.6.0.tgz | Transitive | N/A* | ❌ |
| CVE-2020-7608 | Medium | 5.3 | yargs-parser-2.4.1.tgz | Transitive | N/A* | ❌ |
| CVE-2023-30541 | Medium | 5.3 | contracts-4.7.3.tgz | Transitive | N/A* | ❌ |
*For some transitive vulnerabilities, there is no version of the direct dependency that contains a fix. Check the "Details" section below to see whether there is a version of the transitive dependency in which the vulnerability is fixed.
Details
CVE-2023-30542
Vulnerable Library - contracts-4.7.3.tgz
Secure Smart Contract library for Solidity
Library home page: https://registry.npmjs.org/@openzeppelin/contracts/-/contracts-4.7.3.tgz
Dependency Hierarchy:
- sdk-core-0.5.7.tgz (Root Library)
  - ethereum-contracts-1.4.2.tgz
    - ❌ contracts-4.7.3.tgz (Vulnerable Library)
Found in HEAD commit: 5a14195d842fa047b4e529a4ec122a84b85f321e
Found in base branch: main
Vulnerability Details
OpenZeppelin Contracts is a library for secure smart contract development. The proposal creation entrypoint (`propose`) in `GovernorCompatibilityBravo` allows the creation of proposals with a `signatures` array shorter than the `calldatas` array. This causes the additional elements of the latter to be ignored, and if the proposal succeeds the corresponding actions would eventually execute without any calldata. The `ProposalCreated` event correctly represents what will eventually execute, but the proposal parameters as queried through `getActions` appear to respect the original intended calldata. This issue has been patched in 4.8.3. As a workaround, ensure that all proposals that pass through governance have equal length `signatures` and `calldatas` parameters.
Publish Date: 2023-04-16
URL: CVE-2023-30542
CVSS 3 Score Details (8.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-93hq-5wgc-jc82
Release Date: 2023-04-16
Fix Resolution: @openzeppelin/contracts - 4.8.3, @openzeppelin/contracts-upgradeable - 4.8.3
Step up your Open Source Security Game with Mend here
CVE-2022-25901
Vulnerable Library - cookiejar-2.1.3.tgz
simple persistent cookiejar system
Library home page: https://registry.npmjs.org/cookiejar/-/cookiejar-2.1.3.tgz
Dependency Hierarchy:
- sdk-core-0.5.7.tgz (Root Library)
  - ethereum-contracts-1.4.2.tgz
    - contract-4.5.23.tgz
      - web3-1.7.4.tgz
        - web3-core-1.7.4.tgz
          - web3-core-requestmanager-1.7.4.tgz
            - web3-providers-http-1.7.4.tgz
              - xhr2-cookies-1.1.0.tgz
                - ❌ cookiejar-2.1.3.tgz (Vulnerable Library)
Found in HEAD commit: 5a14195d842fa047b4e529a4ec122a84b85f321e
Found in base branch: main
Vulnerability Details
Versions of the package cookiejar before 2.1.4 are vulnerable to Regular Expression Denial of Service (ReDoS) via the Cookie.parse function, which uses an insecure regular expression.
Publish Date: 2023-01-18
URL: CVE-2022-25901
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Release Date: 2023-01-18
Fix Resolution: cookiejar - 2.1.4
CVE-2022-25881
Vulnerable Library - http-cache-semantics-4.1.0.tgz
Parses Cache-Control and other headers. Helps building correct HTTP caches and proxies
Library home page: https://registry.npmjs.org/http-cache-semantics/-/http-cache-semantics-4.1.0.tgz
Dependency Hierarchy:
- sdk-core-0.5.7.tgz (Root Library)
  - ethereum-contracts-1.4.2.tgz
    - contract-4.5.23.tgz
      - web3-1.7.4.tgz
        - web3-bzz-1.7.4.tgz
          - got-9.6.0.tgz
            - cacheable-request-6.1.0.tgz
              - ❌ http-cache-semantics-4.1.0.tgz (Vulnerable Library)
Found in HEAD commit: 5a14195d842fa047b4e529a4ec122a84b85f321e
Found in base branch: main
Vulnerability Details
This affects versions of the package http-cache-semantics before 4.1.1. The issue can be exploited via malicious request header values sent to a server, when that server uses this library to build a cache policy from the incoming request.
Publish Date: 2023-01-31
URL: CVE-2022-25881
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2022-25881
Release Date: 2023-01-31
Fix Resolution: http-cache-semantics - 4.1.1
CVE-2023-28155
Vulnerable Library - request-2.88.2.tgz
Simplified HTTP request client.
Library home page: https://registry.npmjs.org/request/-/request-2.88.2.tgz
Dependency Hierarchy:
- sdk-core-0.5.7.tgz (Root Library)
  - ethereum-contracts-1.4.2.tgz
    - contract-4.5.23.tgz
      - web3-1.7.4.tgz
        - web3-bzz-1.7.4.tgz
          - swarm-js-0.1.42.tgz
            - eth-lib-0.1.29.tgz
              - servify-0.1.12.tgz
                - ❌ request-2.88.2.tgz (Vulnerable Library)
Found in HEAD commit: 5a14195d842fa047b4e529a4ec122a84b85f321e
Found in base branch: main
Vulnerability Details
** UNSUPPORTED WHEN ASSIGNED ** The Request package through 2.88.1 for Node.js allows a bypass of SSRF mitigations via an attacker-controlled server that does a cross-protocol redirect (HTTP to HTTPS, or HTTPS to HTTP). NOTE: This vulnerability only affects products that are no longer supported by the maintainer.
Publish Date: 2023-03-16
URL: CVE-2023-28155
CVSS 3 Score Details (6.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
CVE-2022-33987
Vulnerable Library - got-9.6.0.tgz
Simplified HTTP requests
Library home page: https://registry.npmjs.org/got/-/got-9.6.0.tgz
Dependency Hierarchy:
- sdk-core-0.5.7.tgz (Root Library)
  - ethereum-contracts-1.4.2.tgz
    - contract-4.5.23.tgz
      - web3-1.7.4.tgz
        - web3-bzz-1.7.4.tgz
          - ❌ got-9.6.0.tgz (Vulnerable Library)
Found in HEAD commit: 5a14195d842fa047b4e529a4ec122a84b85f321e
Found in base branch: main
Vulnerability Details
The got package before 12.1.0 (also fixed in 11.8.5) for Node.js allows a redirect to a UNIX socket.
Publish Date: 2022-06-18
URL: CVE-2022-33987
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: Low
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-33987
Release Date: 2022-06-18
Fix Resolution: got - 11.8.5, 12.1.0
CVE-2020-7608
Vulnerable Library - yargs-parser-2.4.1.tgz
the mighty option parser used by yargs
Library home page: https://registry.npmjs.org/yargs-parser/-/yargs-parser-2.4.1.tgz
Dependency Hierarchy:
- sdk-core-0.5.7.tgz (Root Library)
  - ethereum-contracts-1.4.2.tgz
    - contract-4.5.23.tgz
      - ensjs-2.1.0.tgz
        - ens-0.4.5.tgz
          - solc-0.4.26.tgz
            - yargs-4.8.1.tgz
              - ❌ yargs-parser-2.4.1.tgz (Vulnerable Library)
Found in HEAD commit: 5a14195d842fa047b4e529a4ec122a84b85f321e
Found in base branch: main
Vulnerability Details
yargs-parser could be tricked into adding or modifying properties of Object.prototype (prototype pollution) using a "__proto__" payload in parsed arguments.
Publish Date: 2020-03-16
URL: CVE-2020-7608
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: Low
Suggested Fix
Type: Upgrade version
Release Date: 2020-03-16
Fix Resolution: yargs-parser - 5.0.1, 13.1.2, 15.0.1, 18.1.1
CVE-2023-30541
Vulnerable Library - contracts-4.7.3.tgz
Secure Smart Contract library for Solidity
Library home page: https://registry.npmjs.org/@openzeppelin/contracts/-/contracts-4.7.3.tgz
Dependency Hierarchy:
- sdk-core-0.5.7.tgz (Root Library)
  - ethereum-contracts-1.4.2.tgz
    - ❌ contracts-4.7.3.tgz (Vulnerable Library)
Found in HEAD commit: 5a14195d842fa047b4e529a4ec122a84b85f321e
Found in base branch: main
Vulnerability Details
OpenZeppelin Contracts is a library for secure smart contract development. A function in the implementation contract may be inaccessible if its selector clashes with one of the proxy's own selectors. Specifically, if the clashing function has a different signature with incompatible ABI encoding, the proxy could revert while attempting to decode the arguments from calldata. The probability of an accidental clash is negligible, but one could be caused deliberately and would reduce availability. The issue has been fixed in version 4.8.3. As a workaround, if a function appears to be inaccessible for this reason, it may be possible to craft the calldata such that ABI decoding does not fail at the proxy and the call is properly proxied through to the implementation.
Publish Date: 2023-04-17
URL: CVE-2023-30541
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: Low
Suggested Fix
Type: Upgrade version
Origin: GHSA-mx2q-35m2-x2rh
Release Date: 2023-04-17
Fix Resolution: @openzeppelin/contracts - 4.8.3, @openzeppelin/contracts-upgradeable - 4.8.3