zc_messaging's Issues
CVE-2022-37601 (High) detected in loader-utils-2.0.1.tgz
CVE-2022-37601 - High Severity Vulnerability
Vulnerable Library - loader-utils-2.0.1.tgz
utils for webpack loaders
Library home page: https://registry.npmjs.org/loader-utils/-/loader-utils-2.0.1.tgz
Dependency Hierarchy:
- webpack-config-single-spa-react-4.0.2.tgz (Root Library)
  - webpack-config-single-spa-5.1.1.tgz
    - css-loader-5.2.7.tgz
      - ❌ loader-utils-2.0.1.tgz (Vulnerable Library)
Found in base branch: dev
Vulnerability Details
Prototype pollution vulnerability in function parseQuery in parseQuery.js in webpack loader-utils 2.0.0 via the name variable in parseQuery.js.
Publish Date: 2022-10-12
URL: CVE-2022-37601
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-76p3-8jx3-jpfq
Release Date: 2022-10-12
Fix Resolution: loader-utils - 1.4.1,2.0.3
Step up your Open Source Security Game with Mend here
CVE-2022-0155 (Medium) detected in follow-redirects-1.14.4.tgz
CVE-2022-0155 - Medium Severity Vulnerability
Vulnerable Library - follow-redirects-1.14.4.tgz
HTTP and HTTPS modules that follow redirects.
Library home page: https://registry.npmjs.org/follow-redirects/-/follow-redirects-1.14.4.tgz
Dependency Hierarchy:
- webpack-dev-server-4.4.0.tgz (Root Library)
  - http-proxy-middleware-2.0.1.tgz
    - http-proxy-1.18.1.tgz
      - ❌ follow-redirects-1.14.4.tgz (Vulnerable Library)
Found in HEAD commit: cab208c606590c8dc7a246e0f544aa9722d32091
Found in base branch: dev
Vulnerability Details
follow-redirects is vulnerable to Exposure of Private Personal Information to an Unauthorized Actor
Publish Date: 2022-01-10
URL: CVE-2022-0155
CVSS 3 Score Details (6.5)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: Required
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: None
  - Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://huntr.dev/bounties/fc524e4b-ebb6-427d-ab67-a64181020406/
Release Date: 2022-01-10
Fix Resolution (follow-redirects): 1.14.8
Direct dependency fix Resolution (webpack-dev-server): 4.5.0
Step up your Open Source Security Game with WhiteSource here
CVE-2024-35195 (Medium) detected in requests-2.31.0-py3-none-any.whl
CVE-2024-35195 - Medium Severity Vulnerability
Vulnerable Library - requests-2.31.0-py3-none-any.whl
Python HTTP for Humans.
Library home page: https://files.pythonhosted.org/packages/70/8e/0e2d847013cb52cd35b38c009bb167a1a26b2ce6cd6965bf26b47bc0bf44/requests-2.31.0-py3-none-any.whl
Path to dependency file: /backend/requirements.txt
Path to vulnerable library: /backend/requirements.txt
Dependency Hierarchy:
- ❌ requests-2.31.0-py3-none-any.whl (Vulnerable Library)
Found in base branch: dev
Vulnerability Details
Requests is an HTTP library. Prior to 2.32.2, when making requests through a Requests Session, if the first request is made with verify=False to disable cert verification, all subsequent requests to the same host will continue to ignore cert verification regardless of changes to the value of verify. This behavior will continue for the lifecycle of the connection in the connection pool. This vulnerability is fixed in 2.32.2.
Publish Date: 2024-05-20
URL: CVE-2024-35195
CVSS 3 Score Details (5.6)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Local
  - Attack Complexity: High
  - Privileges Required: High
  - User Interaction: Required
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: GHSA-9wx4-h78v-vm56
Release Date: 2024-05-20
Fix Resolution: requests - 2.32.2
CVE-2021-3807 (High) detected in ansi-regex-3.0.0.tgz - autoclosed
CVE-2021-3807 - High Severity Vulnerability
Vulnerable Library - ansi-regex-3.0.0.tgz
Regular expression for matching ANSI escape codes
Library home page: https://registry.npmjs.org/ansi-regex/-/ansi-regex-3.0.0.tgz
Path to dependency file: /frontend/package.json
Path to vulnerable library: /frontend/node_modules/strip-ansi/node_modules/ansi-regex/package.json
Dependency Hierarchy:
- serve-12.0.1.tgz (Root Library)
  - boxen-1.3.0.tgz
    - string-width-2.1.1.tgz
      - strip-ansi-4.0.0.tgz
        - ❌ ansi-regex-3.0.0.tgz (Vulnerable Library)
Found in HEAD commit: 6a95b3e13857670dc212dc469e8b58ade3ef5dbf
Found in base branch: dev
Vulnerability Details
ansi-regex is vulnerable to Inefficient Regular Expression Complexity
Publish Date: 2021-09-17
URL: CVE-2021-3807
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://huntr.dev/bounties/5b3cf33b-ede0-4398-9974-800876dfd994/
Release Date: 2021-09-17
Fix Resolution (ansi-regex): 3.0.1
Direct dependency fix Resolution (serve): 13.0.0
CVE-2022-37603 (High) detected in loader-utils-2.0.1.tgz
CVE-2022-37603 - High Severity Vulnerability
Vulnerable Library - loader-utils-2.0.1.tgz
utils for webpack loaders
Library home page: https://registry.npmjs.org/loader-utils/-/loader-utils-2.0.1.tgz
Dependency Hierarchy:
- webpack-config-single-spa-react-4.0.2.tgz (Root Library)
  - webpack-config-single-spa-5.1.1.tgz
    - css-loader-5.2.7.tgz
      - ❌ loader-utils-2.0.1.tgz (Vulnerable Library)
Found in base branch: dev
Vulnerability Details
A Regular expression denial of service (ReDoS) flaw was found in Function interpolateName in interpolateName.js in webpack loader-utils 2.0.0 via the url variable in interpolateName.js.
Publish Date: 2022-10-14
URL: CVE-2022-37603
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-3rfm-jhwj-7488
Release Date: 2022-10-14
Fix Resolution: loader-utils - 1.4.2,2.0.4,3.2.1
CVE-2022-24772 (High) detected in node-forge-0.10.0.tgz - autoclosed
CVE-2022-24772 - High Severity Vulnerability
Vulnerable Library - node-forge-0.10.0.tgz
JavaScript implementations of network transports, cryptography, ciphers, PKI, message digests, and various utilities.
Library home page: https://registry.npmjs.org/node-forge/-/node-forge-0.10.0.tgz
Dependency Hierarchy:
- webpack-dev-server-4.4.0.tgz (Root Library)
  - selfsigned-1.10.11.tgz
    - ❌ node-forge-0.10.0.tgz (Vulnerable Library)
Found in HEAD commit: 6a95b3e13857670dc212dc469e8b58ade3ef5dbf
Found in base branch: dev
Vulnerability Details
Forge (also called node-forge) is a native implementation of Transport Layer Security in JavaScript. Prior to version 1.3.0, RSA PKCS#1 v1.5 signature verification code does not check for trailing garbage bytes after decoding a DigestInfo ASN.1 structure. This can allow padding bytes to be removed and garbage data added to forge a signature when a low public exponent is being used. The issue has been addressed in node-forge version 1.3.0. There are currently no known workarounds.
Publish Date: 2022-03-18
URL: CVE-2022-24772
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: High
  - Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24772
Release Date: 2022-03-18
Fix Resolution (node-forge): 1.3.0
Direct dependency fix Resolution (webpack-dev-server): 4.7.1
CVE-2023-26159 (Medium) detected in follow-redirects-1.14.9.tgz
CVE-2023-26159 - Medium Severity Vulnerability
Vulnerable Library - follow-redirects-1.14.9.tgz
HTTP and HTTPS modules that follow redirects.
Library home page: https://registry.npmjs.org/follow-redirects/-/follow-redirects-1.14.9.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- axios-0.21.4.tgz (Root Library)
  - ❌ follow-redirects-1.14.9.tgz (Vulnerable Library)
Found in base branch: dev
Vulnerability Details
Versions of the package follow-redirects before 1.15.4 are vulnerable to Improper Input Validation due to the improper handling of URLs by the url.parse() function. When new URL() throws an error, it can be manipulated to misinterpret the hostname. An attacker could exploit this weakness to redirect traffic to a malicious site, potentially leading to information disclosure, phishing attacks, or other security breaches.
Publish Date: 2024-01-02
URL: CVE-2023-26159
CVSS 3 Score Details (6.1)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: Required
  - Scope: Changed
- Impact Metrics:
  - Confidentiality Impact: Low
  - Integrity Impact: Low
  - Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2023-26159
Release Date: 2024-01-02
Fix Resolution (follow-redirects): 1.15.4
Direct dependency fix Resolution (axios): 0.22.0
CVE-2022-37599 (High) detected in loader-utils-2.0.1.tgz
CVE-2022-37599 - High Severity Vulnerability
Vulnerable Library - loader-utils-2.0.1.tgz
utils for webpack loaders
Library home page: https://registry.npmjs.org/loader-utils/-/loader-utils-2.0.1.tgz
Dependency Hierarchy:
- webpack-config-single-spa-react-4.0.2.tgz (Root Library)
  - webpack-config-single-spa-5.1.1.tgz
    - css-loader-5.2.7.tgz
      - ❌ loader-utils-2.0.1.tgz (Vulnerable Library)
Found in base branch: dev
Vulnerability Details
A Regular expression denial of service (ReDoS) flaw was found in Function interpolateName in interpolateName.js in webpack loader-utils 2.0.0 via the resourcePath variable in interpolateName.js.
Publish Date: 2022-10-11
URL: CVE-2022-37599
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-hhq3-ff78-jv3g
Release Date: 2022-10-11
Fix Resolution: loader-utils - 1.4.2,2.0.4,3.2.1
CVE-2022-1214 (High) detected in axios-0.21.4.tgz - autoclosed
CVE-2022-1214 - High Severity Vulnerability
Vulnerable Library - axios-0.21.4.tgz
Promise based HTTP client for the browser and node.js
Library home page: https://registry.npmjs.org/axios/-/axios-0.21.4.tgz
Dependency Hierarchy:
- ❌ axios-0.21.4.tgz (Vulnerable Library)
Found in HEAD commit: 6a95b3e13857670dc212dc469e8b58ade3ef5dbf
Found in base branch: dev
Vulnerability Details
Exposure of Sensitive Information to an Unauthorized Actor in GitHub repository axios/axios prior to 0.26.
Publish Date: 2022-05-03
URL: CVE-2022-1214
CVSS 3 Score Details (8.8)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: Low
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://huntr.dev/bounties/ef7b4ab6-a3f6-4268-a21a-e7104d344607/
Release Date: 2022-05-03
Fix Resolution: 0.26.0
CVE-2023-44270 (Medium) detected in postcss-8.3.11.tgz
CVE-2023-44270 - Medium Severity Vulnerability
Vulnerable Library - postcss-8.3.11.tgz
Tool for transforming styles with JS plugins
Library home page: https://registry.npmjs.org/postcss/-/postcss-8.3.11.tgz
Path to dependency file: /frontend/root-config/package.json
Path to vulnerable library: /frontend/root-config/package.json
Dependency Hierarchy:
- webpack-config-single-spa-react-4.0.2.tgz (Root Library)
  - webpack-config-single-spa-5.1.1.tgz
    - css-loader-5.2.7.tgz
      - ❌ postcss-8.3.11.tgz (Vulnerable Library)
Found in base branch: dev
Vulnerability Details
An issue was discovered in PostCSS before 8.4.31. The vulnerability affects linters using PostCSS to parse external untrusted CSS. An attacker can prepare CSS in such a way that it will contain parts parsed by PostCSS as a CSS comment. After processing by PostCSS, it will be included in the PostCSS output in CSS nodes (rules, properties) despite being included in a comment.
Publish Date: 2023-09-29
URL: CVE-2023-44270
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: Low
  - Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2023-44270
Release Date: 2023-09-29
Fix Resolution: postcss - 8.4.31
CVE-2024-24762 (High) detected in python-multipart-0.0.5.tar.gz
CVE-2024-24762 - High Severity Vulnerability
Vulnerable Library - python-multipart-0.0.5.tar.gz
A streaming multipart parser for Python
Library home page: https://files.pythonhosted.org/packages/46/40/a933ac570bf7aad12a298fc53458115cc74053474a72fbb8201d7dc06d3d/python-multipart-0.0.5.tar.gz
Path to dependency file: /backend/requirements.txt
Path to vulnerable library: /backend/requirements.txt
Dependency Hierarchy:
- ❌ python-multipart-0.0.5.tar.gz (Vulnerable Library)
Found in base branch: dev
Vulnerability Details
python-multipart is a streaming multipart parser for Python. When using form data, python-multipart uses a Regular Expression to parse the HTTP Content-Type header, including options. An attacker could send a custom-made Content-Type option that is very difficult for the RegEx to process, consuming CPU resources and stalling indefinitely (minutes or more) while holding the main event loop. This means that the process can't handle any more requests, leading to regular expression denial of service. This vulnerability has been patched in version 0.0.7.
Publish Date: 2024-02-05
URL: CVE-2024-24762
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2024-24762
Release Date: 2024-02-05
Fix Resolution: 0.0.7
CVE-2022-42969 (High) detected in py-1.10.0-py2.py3-none-any.whl
CVE-2022-42969 - High Severity Vulnerability
Vulnerable Library - py-1.10.0-py2.py3-none-any.whl
library with cross-python path, ini-parsing, io, code, log facilities
Library home page: https://files.pythonhosted.org/packages/67/32/6fe01cfc3d1a27c92fdbcdfc3f67856da8cbadf0dd9f2e18055202b2dc62/py-1.10.0-py2.py3-none-any.whl
Path to dependency file: /backend/requirements.txt
Path to vulnerable library: /backend/requirements.txt,/backend/requirements.txt
Dependency Hierarchy:
- ❌ py-1.10.0-py2.py3-none-any.whl (Vulnerable Library)
Found in base branch: dev
Vulnerability Details
The py library through 1.11.0 for Python allows remote attackers to conduct a ReDoS (Regular expression Denial of Service) attack via a Subversion repository with crafted info data, because the InfoSvnCommand argument is mishandled.
Publish Date: 2022-10-16
URL: CVE-2022-42969
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High
CVE-2024-21503 (Medium) detected in black-21.9b0-py3-none-any.whl
CVE-2024-21503 - Medium Severity Vulnerability
Vulnerable Library - black-21.9b0-py3-none-any.whl
The uncompromising code formatter.
Library home page: https://files.pythonhosted.org/packages/d2/16/a92c999103bee1236dd93f703f3522217fe00bd97bd50ae3699c2d91e320/black-21.9b0-py3-none-any.whl
Path to dependency file: /backend/requirements.txt
Path to vulnerable library: /backend/requirements.txt
Dependency Hierarchy:
- ❌ black-21.9b0-py3-none-any.whl (Vulnerable Library)
Found in base branch: dev
Vulnerability Details
Versions of the package black before 24.3.0 are vulnerable to Regular Expression Denial of Service (ReDoS) via the lines_with_leading_tabs_expanded function in the strings.py file. An attacker could exploit this vulnerability by crafting a malicious input that causes a denial of service.
Exploiting this vulnerability is possible when running Black on untrusted input, or if you habitually put thousands of leading tab characters in your docstrings.
Publish Date: 2024-03-19
URL: CVE-2024-21503
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: Low
Suggested Fix
Type: Upgrade version
Origin: GHSA-fj7x-q9j7-g6q6
Release Date: 2024-03-19
Fix Resolution: black - 24.3.0
CVE-2022-0122 (Medium) detected in node-forge-0.10.0.tgz - autoclosed
CVE-2022-0122 - Medium Severity Vulnerability
Vulnerable Library - node-forge-0.10.0.tgz
JavaScript implementations of network transports, cryptography, ciphers, PKI, message digests, and various utilities.
Library home page: https://registry.npmjs.org/node-forge/-/node-forge-0.10.0.tgz
Dependency Hierarchy:
- webpack-dev-server-4.4.0.tgz (Root Library)
  - selfsigned-1.10.11.tgz
    - ❌ node-forge-0.10.0.tgz (Vulnerable Library)
Found in HEAD commit: 6a95b3e13857670dc212dc469e8b58ade3ef5dbf
Found in base branch: dev
Vulnerability Details
forge is vulnerable to URL Redirection to Untrusted Site
Publish Date: 2022-01-06
URL: CVE-2022-0122
CVSS 3 Score Details (6.1)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: Required
  - Scope: Changed
- Impact Metrics:
  - Confidentiality Impact: Low
  - Integrity Impact: Low
  - Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: GHSA-gf8q-jrpm-jvxq
Release Date: 2022-01-06
Fix Resolution (node-forge): 1.0.0
Direct dependency fix Resolution (webpack-dev-server): 4.7.1
WS-2022-0008 (Medium) detected in node-forge-0.10.0.tgz - autoclosed
WS-2022-0008 - Medium Severity Vulnerability
Vulnerable Library - node-forge-0.10.0.tgz
JavaScript implementations of network transports, cryptography, ciphers, PKI, message digests, and various utilities.
Library home page: https://registry.npmjs.org/node-forge/-/node-forge-0.10.0.tgz
Dependency Hierarchy:
- webpack-dev-server-4.4.0.tgz (Root Library)
  - selfsigned-1.10.11.tgz
    - ❌ node-forge-0.10.0.tgz (Vulnerable Library)
Found in HEAD commit: 6a95b3e13857670dc212dc469e8b58ade3ef5dbf
Found in base branch: dev
Vulnerability Details
The forge.debug API had a potential prototype pollution issue if called with untrusted input. The API was only used for internal debug purposes in a safe way and never documented or advertised. It is suspected that uses of this API, if any exist, would likely not have used untrusted inputs in a vulnerable way.
Publish Date: 2022-01-08
URL: WS-2022-0008
CVSS 3 Score Details (6.6)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: High
  - Privileges Required: High
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-5rrq-pxf6-6jx5
Release Date: 2022-01-08
Fix Resolution (node-forge): 1.0.0
Direct dependency fix Resolution (webpack-dev-server): 4.7.1
CVE-2023-45857 (Medium) detected in axios-0.21.4.tgz
CVE-2023-45857 - Medium Severity Vulnerability
Vulnerable Library - axios-0.21.4.tgz
Promise based HTTP client for the browser and node.js
Library home page: https://registry.npmjs.org/axios/-/axios-0.21.4.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- ❌ axios-0.21.4.tgz (Vulnerable Library)
Found in base branch: dev
Vulnerability Details
An issue discovered in Axios 1.5.1 inadvertently reveals the confidential XSRF-TOKEN stored in cookies by including it in the HTTP header X-XSRF-TOKEN for every request made to any host, allowing attackers to view sensitive information.
Publish Date: 2023-11-08
URL: CVE-2023-45857
CVSS 3 Score Details (6.5)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: Required
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: None
  - Availability Impact: None
CVE-2023-37920 (Critical) detected in certifi-2022.12.7-py3-none-any.whl
CVE-2023-37920 - Critical Severity Vulnerability
Vulnerable Library - certifi-2022.12.7-py3-none-any.whl
Python package for providing Mozilla's CA Bundle.
Library home page: https://files.pythonhosted.org/packages/71/4c/3db2b8021bd6f2f0ceb0e088d6b2d49147671f25832fb17970e9b583d742/certifi-2022.12.7-py3-none-any.whl
Path to dependency file: /backend/requirements.txt
Path to vulnerable library: /backend/requirements.txt,/backend/requirements.txt
Dependency Hierarchy:
- ❌ certifi-2022.12.7-py3-none-any.whl (Vulnerable Library)
Found in base branch: dev
Vulnerability Details
Certifi is a curated collection of Root Certificates for validating the trustworthiness of SSL certificates while verifying the identity of TLS hosts. Certifi prior to version 2023.07.22 recognizes "e-Tugra" root certificates. e-Tugra's root certificates were subject to an investigation prompted by reporting of security issues in their systems. Certifi 2023.07.22 removes root certificates from "e-Tugra" from the root store.
Publish Date: 2023-07-25
URL: CVE-2023-37920
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-xqr8-7jwr-rhp7
Release Date: 2023-07-25
Fix Resolution: 2023.7.22
CVE-2024-28849 (Medium) detected in follow-redirects-1.14.9.tgz
CVE-2024-28849 - Medium Severity Vulnerability
Vulnerable Library - follow-redirects-1.14.9.tgz
HTTP and HTTPS modules that follow redirects.
Library home page: https://registry.npmjs.org/follow-redirects/-/follow-redirects-1.14.9.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- axios-0.21.4.tgz (Root Library)
  - ❌ follow-redirects-1.14.9.tgz (Vulnerable Library)
Found in base branch: dev
Vulnerability Details
follow-redirects is an open source, drop-in replacement for Node's http and https modules that automatically follows redirects. In affected versions follow-redirects only clears the authorization header during a cross-domain redirect, but keeps the proxy-authentication header, which also contains credentials. This vulnerability may lead to a credentials leak, but has been addressed in version 1.15.6. Users are advised to upgrade. There are no known workarounds for this vulnerability.
Publish Date: 2024-03-14
URL: CVE-2024-28849
CVSS 3 Score Details (6.5)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: Low
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: None
  - Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: GHSA-cxjh-pqwp-8mfp
Release Date: 2024-03-14
Fix Resolution: follow-redirects - 1.15.6
CVE-2022-25858 (High) detected in terser-5.9.0.tgz - autoclosed
CVE-2022-25858 - High Severity Vulnerability
Vulnerable Library - terser-5.9.0.tgz
JavaScript parser, mangler/compressor and beautifier toolkit for ES6+
Library home page: https://registry.npmjs.org/terser/-/terser-5.9.0.tgz
Dependency Hierarchy:
- webpack-config-single-spa-react-4.0.2.tgz (Root Library)
  - webpack-config-single-spa-5.1.1.tgz
    - html-webpack-plugin-5.5.0.tgz
      - html-minifier-terser-6.0.2.tgz
        - ❌ terser-5.9.0.tgz (Vulnerable Library)
Found in base branch: dev
Vulnerability Details
The package terser before 4.8.1, and from 5.0.0 before 5.14.2, is vulnerable to Regular Expression Denial of Service (ReDoS) due to insecure usage of regular expressions.
Publish Date: 2022-07-15
URL: CVE-2022-25858
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-25858
Release Date: 2022-07-15
Fix Resolution (terser): 5.14.2
Direct dependency fix Resolution (webpack-config-single-spa-react): 4.0.3
CVE-2022-0536 (Medium) detected in follow-redirects-1.14.4.tgz
CVE-2022-0536 - Medium Severity Vulnerability
Vulnerable Library - follow-redirects-1.14.4.tgz
HTTP and HTTPS modules that follow redirects.
Library home page: https://registry.npmjs.org/follow-redirects/-/follow-redirects-1.14.4.tgz
Dependency Hierarchy:
- webpack-dev-server-4.4.0.tgz (Root Library)
  - http-proxy-middleware-2.0.1.tgz
    - http-proxy-1.18.1.tgz
      - ❌ follow-redirects-1.14.4.tgz (Vulnerable Library)
Found in HEAD commit: f577864bd2e8e38a6355c7a0fd7beffa49c7d798
Found in base branch: dev
Vulnerability Details
Exposure of Sensitive Information to an Unauthorized Actor in NPM follow-redirects prior to 1.14.8.
Publish Date: 2022-02-09
URL: CVE-2022-0536
CVSS 3 Score Details (5.9)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: High
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: None
  - Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0536
Release Date: 2022-02-09
Fix Resolution (follow-redirects): 1.14.8
Direct dependency fix Resolution (webpack-dev-server): 4.5.0
CVE-2024-3772 (Medium) detected in pydantic-1.8.2-cp37-cp37m-manylinux2014_x86_64.whl
CVE-2024-3772 - Medium Severity Vulnerability
Vulnerable Library - pydantic-1.8.2-cp37-cp37m-manylinux2014_x86_64.whl
Data validation using Python type hints
Library home page: https://files.pythonhosted.org/packages/9f/f2/2d5425efe57f6c4e06cbe5e587c1fd16929dcf0eb90bd4d3d1e1c97d1151/pydantic-1.8.2-cp37-cp37m-manylinux2014_x86_64.whl
Path to dependency file: /backend/requirements.txt
Path to vulnerable library: /backend/requirements.txt,/backend/requirements.txt
Dependency Hierarchy:
- ❌ pydantic-1.8.2-cp37-cp37m-manylinux2014_x86_64.whl (Vulnerable Library)
Found in base branch: dev
Vulnerability Details
Regular expression denial of service in Pydantic < 2.4.0, < 1.10.13 allows remote attackers to cause denial of service via a crafted email string.
Publish Date: 2024-04-15
URL: CVE-2024-3772
CVSS 3 Score Details (5.9)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: High
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High
CVE-2022-3517 (High) detected in minimatch-3.0.4.tgz
CVE-2022-3517 - High Severity Vulnerability
Vulnerable Library - minimatch-3.0.4.tgz
a glob matcher in javascript
Library home page: https://registry.npmjs.org/minimatch/-/minimatch-3.0.4.tgz
Path to dependency file: /frontend/package.json
Path to vulnerable library: /frontend/node_modules/minimatch/package.json
Dependency Hierarchy:
- eslint-8.1.0.tgz (Root Library)
  - ❌ minimatch-3.0.4.tgz (Vulnerable Library)
Found in base branch: dev
Vulnerability Details
A vulnerability was found in the minimatch package. This flaw allows a Regular Expression Denial of Service (ReDoS) when calling the braceExpand function with specific arguments, resulting in a Denial of Service.
Publish Date: 2022-10-17
URL: CVE-2022-3517
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High
CVE-2022-24773 (Medium) detected in node-forge-0.10.0.tgz - autoclosed
CVE-2022-24773 - Medium Severity Vulnerability
Vulnerable Library - node-forge-0.10.0.tgz
JavaScript implementations of network transports, cryptography, ciphers, PKI, message digests, and various utilities.
Library home page: https://registry.npmjs.org/node-forge/-/node-forge-0.10.0.tgz
Dependency Hierarchy:
- webpack-dev-server-4.4.0.tgz (Root Library)
- selfsigned-1.10.11.tgz
- ❌ node-forge-0.10.0.tgz (Vulnerable Library)
- selfsigned-1.10.11.tgz
Found in HEAD commit: 6a95b3e13857670dc212dc469e8b58ade3ef5dbf
Found in base branch: dev
Vulnerability Details
Forge (also called node-forge) is a native implementation of Transport Layer Security in JavaScript. Prior to version 1.3.0, RSA PKCS#1 v1.5 signature verification code does not properly check DigestInfo for a proper ASN.1 structure. This can lead to successful verification with signatures that contain invalid structures but a valid digest. The issue has been addressed in node-forge version 1.3.0. There are currently no known workarounds.
Publish Date: 2022-03-18
URL: CVE-2022-24773
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: Low
  - Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24773
Release Date: 2022-03-18
Fix Resolution (node-forge): 1.3.0
Direct dependency fix Resolution (webpack-dev-server): 4.7.1
CVE-2021-44907 (High) detected in qs-6.7.0.tgz
CVE-2021-44907 - High Severity Vulnerability
Vulnerable Library - qs-6.7.0.tgz
A querystring parser that supports nesting and arrays, with a depth limit
Library home page: https://registry.npmjs.org/qs/-/qs-6.7.0.tgz
Dependency Hierarchy:
- webpack-dev-server-4.4.0.tgz (Root Library)
- express-4.17.1.tgz
- ❌ qs-6.7.0.tgz (Vulnerable Library)
- express-4.17.1.tgz
Found in HEAD commit: 19483627fa0b5d0b71a8e750e074d0939a9777b7
Found in base branch: dev
Vulnerability Details
A Denial of Service vulnerability exists in qs up to 6.8.0 due to insufficient sanitization of property in the qs.parse function. The merge() function allows the assignment of properties on an array in the query. For any property being assigned, a value in the array is converted to an object containing these properties. Essentially, this means that the property whose expected type is Array always has to be checked with Array.isArray() by the user. This may not be obvious to the user and can cause unexpected behavior.
Publish Date: 2022-03-17
URL: CVE-2021-44907
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44907
Release Date: 2022-03-17
Fix Resolution (qs): 6.8.1
Direct dependency fix Resolution (webpack-dev-server): 4.7.0
CVE-2021-44906 (High) detected in minimist-1.2.5.tgz
CVE-2021-44906 - High Severity Vulnerability
Vulnerable Library - minimist-1.2.5.tgz
parse argument options
Library home page: https://registry.npmjs.org/minimist/-/minimist-1.2.5.tgz
Dependency Hierarchy:
- webpack-config-single-spa-5.1.1.tgz (Root Library)
- babel-loader-8.2.3.tgz
- loader-utils-1.4.0.tgz
- json5-1.0.1.tgz
- ❌ minimist-1.2.5.tgz (Vulnerable Library)
- json5-1.0.1.tgz
- loader-utils-1.4.0.tgz
- babel-loader-8.2.3.tgz
Found in HEAD commit: 19483627fa0b5d0b71a8e750e074d0939a9777b7
Found in base branch: dev
Vulnerability Details
Minimist <=1.2.5 is vulnerable to Prototype Pollution via file index.js, function setKey() (lines 69-95).
Publish Date: 2022-03-17
URL: CVE-2021-44906
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://github.com/substack/minimist/issues/164
Release Date: 2022-03-17
Fix Resolution: minimist - 1.2.6
CVE-2022-46175 (High) detected in json5-2.2.0.tgz, json5-1.0.1.tgz
CVE-2022-46175 - High Severity Vulnerability
Vulnerable Libraries - json5-2.2.0.tgz, json5-1.0.1.tgz
json5-2.2.0.tgz
JSON for humans.
Library home page: https://registry.npmjs.org/json5/-/json5-2.2.0.tgz
Dependency Hierarchy:
- webpack-config-single-spa-react-4.0.2.tgz (Root Library)
- webpack-config-single-spa-5.1.1.tgz
- css-loader-5.2.7.tgz
- loader-utils-2.0.1.tgz
- ❌ json5-2.2.0.tgz (Vulnerable Library)
- loader-utils-2.0.1.tgz
- css-loader-5.2.7.tgz
- webpack-config-single-spa-5.1.1.tgz
json5-1.0.1.tgz
JSON for humans.
Library home page: https://registry.npmjs.org/json5/-/json5-1.0.1.tgz
Dependency Hierarchy:
- webpack-config-single-spa-react-4.0.2.tgz (Root Library)
- webpack-config-single-spa-5.1.1.tgz
- babel-loader-8.2.3.tgz
- loader-utils-1.4.2.tgz
- ❌ json5-1.0.1.tgz (Vulnerable Library)
- loader-utils-1.4.2.tgz
- babel-loader-8.2.3.tgz
- webpack-config-single-spa-5.1.1.tgz
Found in base branch: dev
Vulnerability Details
JSON5 is an extension to the popular JSON file format that aims to be easier to write and maintain by hand (e.g. for config files). The parse method of the JSON5 library before and including versions 1.0.1 and 2.2.1 does not restrict parsing of keys named __proto__, allowing specially crafted strings to pollute the prototype of the resulting object. This vulnerability pollutes the prototype of the object returned by JSON5.parse and not the global Object prototype, which is the commonly understood definition of Prototype Pollution. However, polluting the prototype of a single object can have significant security impact for an application if the object is later used in trusted operations. This vulnerability could allow an attacker to set arbitrary and unexpected keys on the object returned from JSON5.parse. The actual impact will depend on how applications utilize the returned object and how they filter unwanted keys, but could include denial of service, cross-site scripting, elevation of privilege, and in extreme cases, remote code execution. JSON5.parse should restrict parsing of __proto__ keys when parsing JSON strings to objects. As a point of reference, the JSON.parse method included in JavaScript ignores __proto__ keys. Simply changing JSON5.parse to JSON.parse in the examples above mitigates this vulnerability. This vulnerability is patched in json5 versions 1.0.2, 2.2.2, and later.
Publish Date: 2022-12-24
URL: CVE-2022-46175
CVSS 3 Score Details (8.8)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: Low
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2022-46175
Release Date: 2022-12-24
Fix Resolution (json5): 2.2.2
Direct dependency fix Resolution (webpack-config-single-spa-react): 4.0.3
Fix Resolution (json5): 1.0.2
Direct dependency fix Resolution (webpack-config-single-spa-react): 4.0.3
CVE-2023-26115 (High) detected in word-wrap-1.2.3.tgz
CVE-2023-26115 - High Severity Vulnerability
Vulnerable Library - word-wrap-1.2.3.tgz
Wrap words to a specified length.
Library home page: https://registry.npmjs.org/word-wrap/-/word-wrap-1.2.3.tgz
Path to dependency file: /frontend/package.json
Path to vulnerable library: /frontend/node_modules/word-wrap/package.json
Dependency Hierarchy:
- eslint-8.1.0.tgz (Root Library)
- optionator-0.9.1.tgz
- ❌ word-wrap-1.2.3.tgz (Vulnerable Library)
- optionator-0.9.1.tgz
Found in base branch: dev
Vulnerability Details
All versions of the package word-wrap are vulnerable to Regular Expression Denial of Service (ReDoS) due to the usage of an insecure regular expression within the result variable.
Publish Date: 2023-06-22
URL: CVE-2023-26115
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-j8xg-fqg3-53r7
Release Date: 2023-06-22
Fix Resolution (word-wrap): 1.2.4
Direct dependency fix Resolution (eslint): 8.2.0
CVE-2023-2251 (High) detected in yaml-1.10.2.tgz - autoclosed
CVE-2023-2251 - High Severity Vulnerability
Vulnerable Library - yaml-1.10.2.tgz
JavaScript parser and stringifier for YAML
Library home page: https://registry.npmjs.org/yaml/-/yaml-1.10.2.tgz
Dependency Hierarchy:
- styled-11.3.0.tgz (Root Library)
- babel-plugin-11.3.0.tgz
- babel-plugin-macros-2.8.0.tgz
- cosmiconfig-6.0.0.tgz
- ❌ yaml-1.10.2.tgz (Vulnerable Library)
- cosmiconfig-6.0.0.tgz
- babel-plugin-macros-2.8.0.tgz
- babel-plugin-11.3.0.tgz
Found in base branch: dev
Vulnerability Details
Uncaught Exception in GitHub repository eemeli/yaml prior to 2.2.2.
Publish Date: 2023-04-24
URL: CVE-2023-2251
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-f9xv-q969-pqx4
Release Date: 2023-04-24
Fix Resolution: yaml - 2.2.2
WS-2022-0007 (Medium) detected in node-forge-0.10.0.tgz - autoclosed
WS-2022-0007 - Medium Severity Vulnerability
Vulnerable Library - node-forge-0.10.0.tgz
JavaScript implementations of network transports, cryptography, ciphers, PKI, message digests, and various utilities.
Library home page: https://registry.npmjs.org/node-forge/-/node-forge-0.10.0.tgz
Dependency Hierarchy:
- webpack-dev-server-4.4.0.tgz (Root Library)
- selfsigned-1.10.11.tgz
- ❌ node-forge-0.10.0.tgz (Vulnerable Library)
- selfsigned-1.10.11.tgz
Found in base branch: dev
Vulnerability Details
In node-forge before 1.0.0, the regex used for the forge.util.parseUrl API would not properly parse certain inputs, resulting in a parsed data structure that could lead to undesired behavior.
Publish Date: 2022-01-08
URL: WS-2022-0007
CVSS 3 Score Details (5.5)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: Required
  - Scope: Changed
- Impact Metrics:
  - Confidentiality Impact: Low
  - Integrity Impact: Low
  - Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: GHSA-gf8q-jrpm-jvxq
Release Date: 2022-01-08
Fix Resolution: node-forge - 1.0.0
CVE-2022-25883 (High) detected in semver-7.3.5.tgz, semver-6.3.0.tgz
CVE-2022-25883 - High Severity Vulnerability
Vulnerable Libraries - semver-7.3.5.tgz, semver-6.3.0.tgz
semver-7.3.5.tgz
The semantic version parser used by npm.
Library home page: https://registry.npmjs.org/semver/-/semver-7.3.5.tgz
Path to dependency file: /frontend/root-config/package.json
Path to vulnerable library: /frontend/root-config/package.json, /package.json, /frontend/node_modules/eslint/node_modules/semver/package.json
Dependency Hierarchy:
- webpack-config-single-spa-react-4.0.2.tgz (Root Library)
- webpack-config-single-spa-5.1.1.tgz
- css-loader-5.2.7.tgz
- ❌ semver-7.3.5.tgz (Vulnerable Library)
- css-loader-5.2.7.tgz
- webpack-config-single-spa-5.1.1.tgz
semver-6.3.0.tgz
The semantic version parser used by npm.
Library home page: https://registry.npmjs.org/semver/-/semver-6.3.0.tgz
Path to dependency file: /frontend/root-config/package.json
Path to vulnerable library: /frontend/root-config/package.json
Dependency Hierarchy:
- webpack-config-single-spa-react-4.0.2.tgz (Root Library)
- webpack-config-single-spa-5.1.1.tgz
- babel-loader-8.2.3.tgz
- make-dir-3.1.0.tgz
- ❌ semver-6.3.0.tgz (Vulnerable Library)
- make-dir-3.1.0.tgz
- babel-loader-8.2.3.tgz
- webpack-config-single-spa-5.1.1.tgz
Found in base branch: dev
Vulnerability Details
Versions of the package semver before 7.5.2 are vulnerable to Regular Expression Denial of Service (ReDoS) via the function new Range, when untrusted user data is provided as a range.
Publish Date: 2023-06-21
URL: CVE-2022-25883
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-c2qf-rxjj-qqgw
Release Date: 2023-06-21
Fix Resolution: semver - 5.7.2, 6.3.1, 7.5.2; org.webjars.npm:semver:7.5.2
CVE-2021-43138 (High) detected in async-2.6.3.tgz - autoclosed
CVE-2021-43138 - High Severity Vulnerability
Vulnerable Library - async-2.6.3.tgz
Higher-order functions and common patterns for asynchronous code
Library home page: https://registry.npmjs.org/async/-/async-2.6.3.tgz
Dependency Hierarchy:
- webpack-dev-server-4.4.0.tgz (Root Library)
- portfinder-1.0.28.tgz
- ❌ async-2.6.3.tgz (Vulnerable Library)
- portfinder-1.0.28.tgz
Found in HEAD commit: 6a95b3e13857670dc212dc469e8b58ade3ef5dbf
Found in base branch: dev
Vulnerability Details
In Async before 2.6.4 and 3.x before 3.2.2, a malicious user can obtain privileges via the mapValues() method, aka lib/internal/iterator.js createObjectIterator prototype pollution.
Publish Date: 2022-04-06
URL: CVE-2021-43138
CVSS 3 Score Details (7.8)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Local
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: Required
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2021-43138
Release Date: 2022-04-06
Fix Resolution (async): 3.2.2
Direct dependency fix Resolution (webpack-dev-server): 4.7.1
CVE-2022-23491 (High) detected in certifi-2021.10.8-py2.py3-none-any.whl
CVE-2022-23491 - High Severity Vulnerability
Vulnerable Library - certifi-2021.10.8-py2.py3-none-any.whl
Python package for providing Mozilla's CA Bundle.
Library home page: https://files.pythonhosted.org/packages/37/45/946c02767aabb873146011e665728b680884cd8fe70dde973c640e45b775/certifi-2021.10.8-py2.py3-none-any.whl
Path to dependency file: /backend/requirements.txt
Path to vulnerable library: /backend/requirements.txt
Dependency Hierarchy:
- ❌ certifi-2021.10.8-py2.py3-none-any.whl (Vulnerable Library)
Found in base branch: dev
Vulnerability Details
Certifi is a curated collection of Root Certificates for validating the trustworthiness of SSL certificates while verifying the identity of TLS hosts. Certifi 2022.12.07 removes root certificates from "TrustCor" from the root store. These are in the process of being removed from Mozilla's trust store. TrustCor's root certificates are being removed pursuant to an investigation prompted by media reporting that TrustCor's ownership also operated a business that produced spyware. Conclusions of Mozilla's investigation can be found in the linked google group discussion.
Publish Date: 2022-12-07
URL: CVE-2022-23491
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: High
  - Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2022-23491
Release Date: 2022-12-07
Fix Resolution: certifi - 2022.12.07
CVE-2023-45133 (High) detected in traverse-7.16.0.tgz
CVE-2023-45133 - High Severity Vulnerability
Vulnerable Library - traverse-7.16.0.tgz
The Babel Traverse module maintains the overall tree state, and is responsible for replacing, removing, and adding nodes
Library home page: https://registry.npmjs.org/@babel/traverse/-/traverse-7.16.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- styled-components-5.3.3.tgz (Root Library)
- ❌ traverse-7.16.0.tgz (Vulnerable Library)
Found in base branch: dev
Vulnerability Details
Babel is a compiler for writing JavaScript. In @babel/traverse prior to versions 7.23.2 and 8.0.0-alpha.4 and all versions of babel-traverse, using Babel to compile code that was specifically crafted by an attacker can lead to arbitrary code execution during compilation, when using plugins that rely on the path.evaluate() or path.evaluateTruthy() internal Babel methods. Known affected plugins are @babel/plugin-transform-runtime; @babel/preset-env when using its useBuiltIns option; and any "polyfill provider" plugin that depends on @babel/helper-define-polyfill-provider, such as babel-plugin-polyfill-corejs3, babel-plugin-polyfill-corejs2, babel-plugin-polyfill-es-shims, babel-plugin-polyfill-regenerator. No other plugins under the @babel/ namespace are impacted, but third-party plugins might be. Users that only compile trusted code are not impacted. The vulnerability has been fixed in @babel/traverse@7.23.2 and @babel/traverse@8.0.0-alpha.4. Those who cannot upgrade @babel/traverse and are using one of the affected packages mentioned above should upgrade them to their latest version to avoid triggering the vulnerable code path in affected @babel/traverse versions: @babel/plugin-transform-runtime v7.23.2, @babel/preset-env v7.23.2, @babel/helper-define-polyfill-provider v0.4.3, babel-plugin-polyfill-corejs2 v0.4.6, babel-plugin-polyfill-corejs3 v0.8.5, babel-plugin-polyfill-es-shims v0.10.0, babel-plugin-polyfill-regenerator v0.5.3.
Publish Date: 2023-10-12
URL: CVE-2023-45133
CVSS 3 Score Details (8.8)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Local
  - Attack Complexity: Low
  - Privileges Required: Low
  - User Interaction: None
  - Scope: Changed
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-67hx-6x53-jw92
Release Date: 2023-10-12
Fix Resolution (@babel/traverse): 7.23.2
Direct dependency fix Resolution (styled-components): 5.3.4
CVE-2022-24771 (High) detected in node-forge-0.10.0.tgz - autoclosed
CVE-2022-24771 - High Severity Vulnerability
Vulnerable Library - node-forge-0.10.0.tgz
JavaScript implementations of network transports, cryptography, ciphers, PKI, message digests, and various utilities.
Library home page: https://registry.npmjs.org/node-forge/-/node-forge-0.10.0.tgz
Dependency Hierarchy:
- webpack-dev-server-4.4.0.tgz (Root Library)
- selfsigned-1.10.11.tgz
- ❌ node-forge-0.10.0.tgz (Vulnerable Library)
- selfsigned-1.10.11.tgz
Found in HEAD commit: 6a95b3e13857670dc212dc469e8b58ade3ef5dbf
Found in base branch: dev
Vulnerability Details
Forge (also called node-forge) is a native implementation of Transport Layer Security in JavaScript. Prior to version 1.3.0, RSA PKCS#1 v1.5 signature verification code is lenient in checking the digest algorithm structure. This can allow a crafted structure that steals padding bytes and uses unchecked portion of the PKCS#1 encoded message to forge a signature when a low public exponent is being used. The issue has been addressed in node-forge version 1.3.0. There are currently no known workarounds.
Publish Date: 2022-03-18
URL: CVE-2022-24771
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: High
  - Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24771
Release Date: 2022-03-18
Fix Resolution (node-forge): 1.3.0
Direct dependency fix Resolution (webpack-dev-server): 4.7.1
CVE-2023-45803 (Medium) detected in urllib3-1.26.7-py2.py3-none-any.whl
CVE-2023-45803 - Medium Severity Vulnerability
Vulnerable Library - urllib3-1.26.7-py2.py3-none-any.whl
HTTP library with thread-safe connection pooling, file post, and more.
Library home page: https://files.pythonhosted.org/packages/af/f4/524415c0744552cce7d8bf3669af78e8a069514405ea4fcbd0cc44733744/urllib3-1.26.7-py2.py3-none-any.whl
Path to dependency file: /backend/requirements.txt
Path to vulnerable library: /backend/requirements.txt
Dependency Hierarchy:
- ❌ urllib3-1.26.7-py2.py3-none-any.whl (Vulnerable Library)
Found in base branch: dev
Vulnerability Details
urllib3 is a user-friendly HTTP client library for Python. urllib3 previously wouldn't remove the HTTP request body when an HTTP redirect response using status 301, 302, or 303 after the request had its method changed from one that could accept a request body (like POST) to GET as is required by HTTP RFCs. Although this behavior is not specified in the section for redirects, it can be inferred by piecing together information from different sections and we have observed the behavior in other major HTTP client implementations like curl and web browsers. Because the vulnerability requires a previously trusted service to become compromised in order to have an impact on confidentiality we believe the exploitability of this vulnerability is low. Additionally, many users aren't putting sensitive data in HTTP request bodies, if this is the case then this vulnerability isn't exploitable. Both of the following conditions must be true to be affected by this vulnerability: 1. Using urllib3 and submitting sensitive information in the HTTP request body (such as form data or JSON) and 2. The origin service is compromised and starts redirecting using 301, 302, or 303 to a malicious peer or the redirected-to service becomes compromised. This issue has been addressed in versions 1.26.18 and 2.0.7 and users are advised to update to resolve this issue. Users unable to update should disable redirects for services that aren't expecting to respond with redirects with redirects=False and disable automatic redirects with redirects=False and handle 301, 302, and 303 redirects manually by stripping the HTTP request body.
Publish Date: 2023-10-17
URL: CVE-2023-45803
CVSS 3 Score Details (4.2)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Adjacent
  - Attack Complexity: High
  - Privileges Required: High
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: None
  - Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: GHSA-g4mx-q9vg-27p4
Release Date: 2023-10-17
Fix Resolution: 1.26.18
CVE-2023-32681 (Medium) detected in requests-2.26.0-py2.py3-none-any.whl - autoclosed
CVE-2023-32681 - Medium Severity Vulnerability
Vulnerable Library - requests-2.26.0-py2.py3-none-any.whl
Python HTTP for Humans.
Library home page: https://files.pythonhosted.org/packages/92/96/144f70b972a9c0eabbd4391ef93ccd49d0f2747f4f6a2a2738e99e5adc65/requests-2.26.0-py2.py3-none-any.whl
Path to dependency file: /backend/requirements.txt
Path to vulnerable library: /backend/requirements.txt
Dependency Hierarchy:
- ❌ requests-2.26.0-py2.py3-none-any.whl (Vulnerable Library)
Found in base branch: dev
Vulnerability Details
Requests is an HTTP library. Since Requests 2.3.0, Requests has been leaking Proxy-Authorization headers to destination servers when redirected to an HTTPS endpoint. This is a product of how we use rebuild_proxies to reattach the Proxy-Authorization header to requests. For HTTP connections sent through the tunnel, the proxy will identify the header in the request itself and remove it prior to forwarding to the destination server. However when sent over HTTPS, the Proxy-Authorization header must be sent in the CONNECT request as the proxy has no visibility into the tunneled request. This results in Requests forwarding proxy credentials to the destination server unintentionally, allowing a malicious actor to potentially exfiltrate sensitive information. This issue has been patched in version 2.31.0.
Publish Date: 2023-05-26
URL: CVE-2023-32681
CVSS 3 Score Details (6.1)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: High
  - Privileges Required: None
  - User Interaction: Required
  - Scope: Changed
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: None
  - Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: GHSA-j8r2-6x86-q33q
Release Date: 2023-05-26
Fix Resolution: requests - 2.31.0
CVE-2023-43804 (High) detected in urllib3-1.26.7-py2.py3-none-any.whl
CVE-2023-43804 - High Severity Vulnerability
Vulnerable Library - urllib3-1.26.7-py2.py3-none-any.whl
HTTP library with thread-safe connection pooling, file post, and more.
Library home page: https://files.pythonhosted.org/packages/af/f4/524415c0744552cce7d8bf3669af78e8a069514405ea4fcbd0cc44733744/urllib3-1.26.7-py2.py3-none-any.whl
Path to dependency file: /backend/requirements.txt
Path to vulnerable library: /backend/requirements.txt
Dependency Hierarchy:
- ❌ urllib3-1.26.7-py2.py3-none-any.whl (Vulnerable Library)
Found in base branch: dev
Vulnerability Details
urllib3 is a user-friendly HTTP client library for Python. urllib3 doesn't treat the Cookie HTTP header special or provide any helpers for managing cookies over HTTP, that is the responsibility of the user. However, it is possible for a user to specify a Cookie header and unknowingly leak information via HTTP redirects to a different origin if that user doesn't disable redirects explicitly. This issue has been patched in urllib3 version 1.26.17 or 2.0.5.
Publish Date: 2023-10-04
URL: CVE-2023-43804
CVSS 3 Score Details (8.1)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: Low
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2023-43804
Release Date: 2023-10-04
Fix Resolution: 1.26.17
CVE-2021-35065 (High) detected in glob-parent-5.1.2.tgz - autoclosed
CVE-2021-35065 - High Severity Vulnerability
Vulnerable Library - glob-parent-5.1.2.tgz
Extract the non-magic parent path from a glob string.
Library home page: https://registry.npmjs.org/glob-parent/-/glob-parent-5.1.2.tgz
Path to dependency file: /frontend/package.json
Path to vulnerable library: /frontend/node_modules/glob-parent/package.json
Dependency Hierarchy:
- stylelint-13.13.1.tgz (Root Library)
- fast-glob-3.2.7.tgz
- ❌ glob-parent-5.1.2.tgz (Vulnerable Library)
- fast-glob-3.2.7.tgz
Found in HEAD commit: c03d32b214b80caed9512e65a907ef00a53068bd
Found in base branch: dev
Vulnerability Details
The package glob-parent before 6.0.1 is vulnerable to Regular Expression Denial of Service (ReDoS).
Publish Date: 2021-06-22
URL: CVE-2021-35065
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: gulpjs/glob-parent#49
Release Date: 2021-06-22
Fix Resolution: glob-parent - 6.0.1
CVE-2021-23566 (Medium) detected in nanoid-3.1.30.tgz
CVE-2021-23566 - Medium Severity Vulnerability
Vulnerable Library - nanoid-3.1.30.tgz
A tiny (130 bytes), secure URL-friendly unique string ID generator
Library home page: https://registry.npmjs.org/nanoid/-/nanoid-3.1.30.tgz
Dependency Hierarchy:
- webpack-config-single-spa-5.1.1.tgz (Root Library)
- css-loader-5.2.7.tgz
- postcss-8.3.11.tgz
- ❌ nanoid-3.1.30.tgz (Vulnerable Library)
- postcss-8.3.11.tgz
- css-loader-5.2.7.tgz
Found in base branch: dev
Vulnerability Details
The package nanoid from 3.0.0 and before 3.1.31 is vulnerable to Information Exposure via the valueOf() function, which allows the last id generated to be reproduced.
Publish Date: 2022-01-14
URL: CVE-2021-23566
CVSS 3 Score Details (5.5)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Local
  - Attack Complexity: Low
  - Privileges Required: Low
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: None
  - Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: ai/nanoid#328
Release Date: 2022-01-14
Fix Resolution (nanoid): 3.1.31
Direct dependency fix Resolution (webpack-config-single-spa): 5.2.0
WS-2023-0037 (High) detected in starlette-0.16.0-py3-none-any.whl - autoclosed
WS-2023-0037 - High Severity Vulnerability
Vulnerable Library - starlette-0.16.0-py3-none-any.whl
The little ASGI library that shines.
Library home page: https://files.pythonhosted.org/packages/20/74/4e60dbbf61567bf5adea89433068d5f7c18c86ca77617b5de5b3ddd83f62/starlette-0.16.0-py3-none-any.whl
Path to dependency file: /backend/requirements.txt
Path to vulnerable library: /backend/requirements.txt
Dependency Hierarchy:
- ❌ starlette-0.16.0-py3-none-any.whl (Vulnerable Library)
Found in base branch: dev
Vulnerability Details
A Denial of Service (DoS) vulnerability was discovered in starlette prior to 0.25.0. The MultipartParser using the package python-multipart accepts an unlimited number of multipart parts (form fields or files). Processing too many parts results in high CPU usage and high memory usage, eventually leading to an OOM process kill. This can be triggered by sending too many small form fields with no content, or too many empty files.
Publish Date: 2023-02-14
URL: WS-2023-0037
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-74m5-2c7w-9w3x
Release Date: 2023-02-14
Fix Resolution: starlette - 0.25.0