zurichat / zc_messaging Goto Github PK

Vulnerable Library - loader-utils-2.0.1.tgz

utils for webpack loaders

Library home page: https://registry.npmjs.org/loader-utils/-/loader-utils-2.0.1.tgz

Dependency Hierarchy:

• webpack-config-single-spa-react-4.0.2.tgz (Root Library)
  • webpack-config-single-spa-5.1.1.tgz
    • css-loader-5.2.7.tgz
      • ❌ loader-utils-2.0.1.tgz (Vulnerable Library)

Found in base branch: dev

Vulnerability Details

Prototype pollution vulnerability in function parseQuery in parseQuery.js in webpack loader-utils 2.0.0 via the name variable in parseQuery.js.

Publish Date: 2022-10-12

URL: CVE-2022-37601

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-76p3-8jx3-jpfq

Release Date: 2022-10-12

Fix Resolution: loader-utils - 1.4.1,2.0.3

Vulnerable Library - follow-redirects-1.14.4.tgz

HTTP and HTTPS modules that follow redirects.

Library home page: https://registry.npmjs.org/follow-redirects/-/follow-redirects-1.14.4.tgz

Dependency Hierarchy:

• webpack-dev-server-4.4.0.tgz (Root Library)
  • http-proxy-middleware-2.0.1.tgz
    • http-proxy-1.18.1.tgz
      • ❌ follow-redirects-1.14.4.tgz (Vulnerable Library)

Found in HEAD commit: cab208c606590c8dc7a246e0f544aa9722d32091

Found in base branch: dev

Vulnerability Details

follow-redirects is vulnerable to Exposure of Private Personal Information to an Unauthorized Actor

Publish Date: 2022-01-10

URL: CVE-2022-0155

CVSS 3 Score Details (6.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: None
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://huntr.dev/bounties/fc524e4b-ebb6-427d-ab67-a64181020406/

Release Date: 2022-01-10

Fix Resolution (follow-redirects): 1.14.8

Direct dependency fix Resolution (webpack-dev-server): 4.5.0

Vulnerable Library - requests-2.31.0-py3-none-any.whl

Python HTTP for Humans.

Library home page: https://files.pythonhosted.org/packages/70/8e/0e2d847013cb52cd35b38c009bb167a1a26b2ce6cd6965bf26b47bc0bf44/requests-2.31.0-py3-none-any.whl

Path to dependency file: /backend/requirements.txt

Path to vulnerable library: /backend/requirements.txt

Dependency Hierarchy:

• ❌ requests-2.31.0-py3-none-any.whl (Vulnerable Library)

Found in base branch: dev

Vulnerability Details

Requests is a HTTP library. Prior to 2.32.2, when making requests through a Requests Session, if the first request is made with verify=False to disable cert verification, all subsequent requests to the same host will continue to ignore cert verification regardless of changes to the value of verify. This behavior will continue for the lifecycle of the connection in the connection pool. This vulnerability is fixed in 2.32.2.

Publish Date: 2024-05-20

URL: CVE-2024-35195

CVSS 3 Score Details (5.6)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Local
  • Attack Complexity: High
  • Privileges Required: High
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: GHSA-9wx4-h78v-vm56

Release Date: 2024-05-20

Fix Resolution: requests - 2.32.2

Vulnerable Library - ansi-regex-3.0.0.tgz

Regular expression for matching ANSI escape codes

Library home page: https://registry.npmjs.org/ansi-regex/-/ansi-regex-3.0.0.tgz

Path to dependency file: /frontend/package.json

Path to vulnerable library: /frontend/node_modules/strip-ansi/node_modules/ansi-regex/package.json

Dependency Hierarchy:

• serve-12.0.1.tgz (Root Library)
  • boxen-1.3.0.tgz
    • string-width-2.1.1.tgz
      • strip-ansi-4.0.0.tgz
        • ❌ ansi-regex-3.0.0.tgz (Vulnerable Library)

Found in HEAD commit: 6a95b3e13857670dc212dc469e8b58ade3ef5dbf

Found in base branch: dev

Vulnerability Details

ansi-regex is vulnerable to Inefficient Regular Expression Complexity

Publish Date: 2021-09-17

URL: CVE-2021-3807

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://huntr.dev/bounties/5b3cf33b-ede0-4398-9974-800876dfd994/

Release Date: 2021-09-17

Fix Resolution (ansi-regex): 3.0.1

Direct dependency fix Resolution (serve): 13.0.0

Vulnerable Library - loader-utils-2.0.1.tgz

utils for webpack loaders

Library home page: https://registry.npmjs.org/loader-utils/-/loader-utils-2.0.1.tgz

Dependency Hierarchy:

• webpack-config-single-spa-react-4.0.2.tgz (Root Library)
  • webpack-config-single-spa-5.1.1.tgz
    • css-loader-5.2.7.tgz
      • ❌ loader-utils-2.0.1.tgz (Vulnerable Library)

Found in base branch: dev

Vulnerability Details

A Regular expression denial of service (ReDoS) flaw was found in Function interpolateName in interpolateName.js in webpack loader-utils 2.0.0 via the url variable in interpolateName.js.

Publish Date: 2022-10-14

URL: CVE-2022-37603

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-3rfm-jhwj-7488

Release Date: 2022-10-14

Fix Resolution: loader-utils - 1.4.2,2.0.4,3.2.1

Vulnerable Library - node-forge-0.10.0.tgz

JavaScript implementations of network transports, cryptography, ciphers, PKI, message digests, and various utilities.

Library home page: https://registry.npmjs.org/node-forge/-/node-forge-0.10.0.tgz

Dependency Hierarchy:

• webpack-dev-server-4.4.0.tgz (Root Library)
  • selfsigned-1.10.11.tgz
    • ❌ node-forge-0.10.0.tgz (Vulnerable Library)

Found in HEAD commit: 6a95b3e13857670dc212dc469e8b58ade3ef5dbf

Found in base branch: dev

Vulnerability Details

Forge (also called node-forge) is a native implementation of Transport Layer Security in JavaScript. Prior to version 1.3.0, RSA PKCS#1 v1.5 signature verification code does not check for tailing garbage bytes after decoding a DigestInfo ASN.1 structure. This can allow padding bytes to be removed and garbage data added to forge a signature when a low public exponent is being used. The issue has been addressed in node-forge version 1.3.0. There are currently no known workarounds.

Publish Date: 2022-03-18

URL: CVE-2022-24772

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: High
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24772

Release Date: 2022-03-18

Fix Resolution (node-forge): 1.3.0

Direct dependency fix Resolution (webpack-dev-server): 4.7.1

Vulnerable Library - follow-redirects-1.14.9.tgz

HTTP and HTTPS modules that follow redirects.

Library home page: https://registry.npmjs.org/follow-redirects/-/follow-redirects-1.14.9.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

• axios-0.21.4.tgz (Root Library)
  • ❌ follow-redirects-1.14.9.tgz (Vulnerable Library)

Found in base branch: dev

Vulnerability Details

Versions of the package follow-redirects before 1.15.4 are vulnerable to Improper Input Validation due to the improper handling of URLs by the url.parse() function. When new URL() throws an error, it can be manipulated to misinterpret the hostname. An attacker could exploit this weakness to redirect traffic to a malicious site, potentially leading to information disclosure, phishing attacks, or other security breaches.

Publish Date: 2024-01-02

URL: CVE-2023-26159

CVSS 3 Score Details (6.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2023-26159

Release Date: 2024-01-02

Fix Resolution (follow-redirects): 1.15.4

Direct dependency fix Resolution (axios): 0.22.0

Vulnerable Library - loader-utils-2.0.1.tgz

utils for webpack loaders

Library home page: https://registry.npmjs.org/loader-utils/-/loader-utils-2.0.1.tgz

Dependency Hierarchy:

• webpack-config-single-spa-react-4.0.2.tgz (Root Library)
  • webpack-config-single-spa-5.1.1.tgz
    • css-loader-5.2.7.tgz
      • ❌ loader-utils-2.0.1.tgz (Vulnerable Library)

Found in base branch: dev

Vulnerability Details

A Regular expression denial of service (ReDoS) flaw was found in Function interpolateName in interpolateName.js in webpack loader-utils 2.0.0 via the resourcePath variable in interpolateName.js.

Publish Date: 2022-10-11

URL: CVE-2022-37599

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-hhq3-ff78-jv3g

Release Date: 2022-10-11

Fix Resolution: loader-utils - 1.4.2,2.0.4,3.2.1

Vulnerable Library - axios-0.21.4.tgz

Promise based HTTP client for the browser and node.js

Library home page: https://registry.npmjs.org/axios/-/axios-0.21.4.tgz

Dependency Hierarchy:

• ❌ axios-0.21.4.tgz (Vulnerable Library)

Found in HEAD commit: 6a95b3e13857670dc212dc469e8b58ade3ef5dbf

Found in base branch: dev

Vulnerability Details

Exposure of Sensitive Information to an Unauthorized Actor in GitHub repository axios/axios prior to 0.26.

Publish Date: 2022-05-03

URL: CVE-2022-1214

CVSS 3 Score Details (8.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://huntr.dev/bounties/ef7b4ab6-a3f6-4268-a21a-e7104d344607/

Release Date: 2022-05-03

Fix Resolution: 0.26.0

Vulnerable Library - postcss-8.3.11.tgz

Tool for transforming styles with JS plugins

Library home page: https://registry.npmjs.org/postcss/-/postcss-8.3.11.tgz

Path to dependency file: /frontend/root-config/package.json

Path to vulnerable library: /frontend/root-config/package.json

Dependency Hierarchy:

• webpack-config-single-spa-react-4.0.2.tgz (Root Library)
  • webpack-config-single-spa-5.1.1.tgz
    • css-loader-5.2.7.tgz
      • ❌ postcss-8.3.11.tgz (Vulnerable Library)

Found in base branch: dev

Vulnerability Details

An issue was discovered in PostCSS before 8.4.31. The vulnerability affects linters using PostCSS to parse external untrusted CSS. An attacker can prepare CSS in such a way that it will contains parts parsed by PostCSS as a CSS comment. After processing by PostCSS, it will be included in the PostCSS output in CSS nodes (rules, properties) despite being included in a comment.

Publish Date: 2023-09-29

URL: CVE-2023-44270

CVSS 3 Score Details (5.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: Low
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2023-44270

Release Date: 2023-09-29

Fix Resolution: postcss - 8.4.31

Vulnerable Library - python-multipart-0.0.5.tar.gz

A streaming multipart parser for Python

Library home page: https://files.pythonhosted.org/packages/46/40/a933ac570bf7aad12a298fc53458115cc74053474a72fbb8201d7dc06d3d/python-multipart-0.0.5.tar.gz

Path to dependency file: /backend/requirements.txt

Path to vulnerable library: /backend/requirements.txt

Dependency Hierarchy:

• ❌ python-multipart-0.0.5.tar.gz (Vulnerable Library)

Found in base branch: dev

Vulnerability Details

python-multipart is a streaming multipart parser for Python. When using form data, python-multipart uses a Regular Expression to parse the HTTP Content-Type header, including options. An attacker could send a custom-made Content-Type option that is very difficult for the RegEx to process, consuming CPU resources and stalling indefinitely (minutes or more) while holding the main event loop. This means that process can't handle any more requests, leading to regular expression denial of service. This vulnerability has been patched in version 0.0.7.

Publish Date: 2024-02-05

URL: CVE-2024-24762

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2024-24762

Release Date: 2024-02-05

Fix Resolution: 0.0.7

Vulnerable Library - py-1.10.0-py2.py3-none-any.whl

library with cross-python path, ini-parsing, io, code, log facilities

Library home page: https://files.pythonhosted.org/packages/67/32/6fe01cfc3d1a27c92fdbcdfc3f67856da8cbadf0dd9f2e18055202b2dc62/py-1.10.0-py2.py3-none-any.whl

Path to dependency file: /backend/requirements.txt

Path to vulnerable library: /backend/requirements.txt,/backend/requirements.txt

Dependency Hierarchy:

• ❌ py-1.10.0-py2.py3-none-any.whl (Vulnerable Library)

Found in base branch: dev

Vulnerability Details

The py library through 1.11.0 for Python allows remote attackers to conduct a ReDoS (Regular expression Denial of Service) attack via a Subversion repository with crafted info data, because the InfoSvnCommand argument is mishandled.

Publish Date: 2022-10-16

URL: CVE-2022-42969

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Vulnerable Library - black-21.9b0-py3-none-any.whl

The uncompromising code formatter.

Library home page: https://files.pythonhosted.org/packages/d2/16/a92c999103bee1236dd93f703f3522217fe00bd97bd50ae3699c2d91e320/black-21.9b0-py3-none-any.whl

Path to dependency file: /backend/requirements.txt

Path to vulnerable library: /backend/requirements.txt

Dependency Hierarchy:

• ❌ black-21.9b0-py3-none-any.whl (Vulnerable Library)

Found in base branch: dev

Vulnerability Details

Versions of the package black before 24.3.0 are vulnerable to Regular Expression Denial of Service (ReDoS) via the lines_with_leading_tabs_expanded function in the strings.py file. An attacker could exploit this vulnerability by crafting a malicious input that causes a denial of service.

Exploiting this vulnerability is possible when running Black on untrusted input, or if you habitually put thousands of leading tab characters in your docstrings.

Publish Date: 2024-03-19

URL: CVE-2024-21503

CVSS 3 Score Details (5.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: GHSA-fj7x-q9j7-g6q6

Release Date: 2024-03-19

Fix Resolution: black - 24.3.0

Vulnerable Library - node-forge-0.10.0.tgz

JavaScript implementations of network transports, cryptography, ciphers, PKI, message digests, and various utilities.

Library home page: https://registry.npmjs.org/node-forge/-/node-forge-0.10.0.tgz

Dependency Hierarchy:

• webpack-dev-server-4.4.0.tgz (Root Library)
  • selfsigned-1.10.11.tgz
    • ❌ node-forge-0.10.0.tgz (Vulnerable Library)

Found in HEAD commit: 6a95b3e13857670dc212dc469e8b58ade3ef5dbf

Found in base branch: dev

Vulnerability Details

forge is vulnerable to URL Redirection to Untrusted Site

Publish Date: 2022-01-06

URL: CVE-2022-0122

CVSS 3 Score Details (6.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: GHSA-gf8q-jrpm-jvxq

Release Date: 2022-01-06

Fix Resolution (node-forge): 1.0.0

Direct dependency fix Resolution (webpack-dev-server): 4.7.1

Vulnerable Library - node-forge-0.10.0.tgz

JavaScript implementations of network transports, cryptography, ciphers, PKI, message digests, and various utilities.

Library home page: https://registry.npmjs.org/node-forge/-/node-forge-0.10.0.tgz

Dependency Hierarchy:

• webpack-dev-server-4.4.0.tgz (Root Library)
  • selfsigned-1.10.11.tgz
    • ❌ node-forge-0.10.0.tgz (Vulnerable Library)

Found in HEAD commit: 6a95b3e13857670dc212dc469e8b58ade3ef5dbf

Found in base branch: dev

Vulnerability Details

The forge.debug API had a potential prototype pollution issue if called with untrusted input. The API was only used for internal debug purposes in a safe way and never documented or advertised. It is suspected that uses of this API, if any exist, would likely not have used untrusted inputs in a vulnerable way.

Publish Date: 2022-01-08

URL: WS-2022-0008

CVSS 3 Score Details (6.6)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: High
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-5rrq-pxf6-6jx5

Release Date: 2022-01-08

Fix Resolution (node-forge): 1.0.0

Direct dependency fix Resolution (webpack-dev-server): 4.7.1

Vulnerable Library - axios-0.21.4.tgz

Promise based HTTP client for the browser and node.js

Library home page: https://registry.npmjs.org/axios/-/axios-0.21.4.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

• ❌ axios-0.21.4.tgz (Vulnerable Library)

Found in base branch: dev

Vulnerability Details

An issue discovered in Axios 1.5.1 inadvertently reveals the confidential XSRF-TOKEN stored in cookies by including it in the HTTP header X-XSRF-TOKEN for every request made to any host allowing attackers to view sensitive information.

Publish Date: 2023-11-08

URL: CVE-2023-45857

CVSS 3 Score Details (6.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: None
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Release Date: 2023-11-08

Fix Resolution: 0.28.0

Vulnerable Library - certifi-2022.12.7-py3-none-any.whl

Python package for providing Mozilla's CA Bundle.

Library home page: https://files.pythonhosted.org/packages/71/4c/3db2b8021bd6f2f0ceb0e088d6b2d49147671f25832fb17970e9b583d742/certifi-2022.12.7-py3-none-any.whl

Path to dependency file: /backend/requirements.txt

Path to vulnerable library: /backend/requirements.txt,/backend/requirements.txt

Dependency Hierarchy:

• ❌ certifi-2022.12.7-py3-none-any.whl (Vulnerable Library)

Found in base branch: dev

Vulnerability Details

Certifi is a curated collection of Root Certificates for validating the trustworthiness of SSL certificates while verifying the identity of TLS hosts. Certifi prior to version 2023.07.22 recognizes "e-Tugra" root certificates. e-Tugra's root certificates were subject to an investigation prompted by reporting of security issues in their systems. Certifi 2023.07.22 removes root certificates from "e-Tugra" from the root store.

Publish Date: 2023-07-25

URL: CVE-2023-37920

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-xqr8-7jwr-rhp7

Release Date: 2023-07-25

Fix Resolution: 2023.7.22

Vulnerable Library - follow-redirects-1.14.9.tgz

HTTP and HTTPS modules that follow redirects.

Library home page: https://registry.npmjs.org/follow-redirects/-/follow-redirects-1.14.9.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

• axios-0.21.4.tgz (Root Library)
  • ❌ follow-redirects-1.14.9.tgz (Vulnerable Library)

Found in base branch: dev

Vulnerability Details

follow-redirects is an open source, drop-in replacement for Node's http and https modules that automatically follows redirects. In affected versions follow-redirects only clears authorization header during cross-domain redirect, but keep the proxy-authentication header which contains credentials too. This vulnerability may lead to credentials leak, but has been addressed in version 1.15.6. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Publish Date: 2024-03-14

URL: CVE-2024-28849

CVSS 3 Score Details (6.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: None
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: GHSA-cxjh-pqwp-8mfp

Release Date: 2024-03-14

Fix Resolution: follow-redirects - 1.15.6

Vulnerable Library - terser-5.9.0.tgz

JavaScript parser, mangler/compressor and beautifier toolkit for ES6+

Library home page: https://registry.npmjs.org/terser/-/terser-5.9.0.tgz

Dependency Hierarchy:

• webpack-config-single-spa-react-4.0.2.tgz (Root Library)
  • webpack-config-single-spa-5.1.1.tgz
    • html-webpack-plugin-5.5.0.tgz
      • html-minifier-terser-6.0.2.tgz
        • ❌ terser-5.9.0.tgz (Vulnerable Library)

Found in base branch: dev

Vulnerability Details

The package terser before 4.8.1, from 5.0.0 and before 5.14.2 are vulnerable to Regular Expression Denial of Service (ReDoS) due to insecure usage of regular expressions.

Publish Date: 2022-07-15

URL: CVE-2022-25858

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-25858

Release Date: 2022-07-15

Fix Resolution (terser): 5.14.2

Direct dependency fix Resolution (webpack-config-single-spa-react): 4.0.3

Vulnerable Library - follow-redirects-1.14.4.tgz

HTTP and HTTPS modules that follow redirects.

Library home page: https://registry.npmjs.org/follow-redirects/-/follow-redirects-1.14.4.tgz

Dependency Hierarchy:

• webpack-dev-server-4.4.0.tgz (Root Library)
  • http-proxy-middleware-2.0.1.tgz
    • http-proxy-1.18.1.tgz
      • ❌ follow-redirects-1.14.4.tgz (Vulnerable Library)

Found in HEAD commit: f577864bd2e8e38a6355c7a0fd7beffa49c7d798

Found in base branch: dev

Vulnerability Details

Exposure of Sensitive Information to an Unauthorized Actor in NPM follow-redirects prior to 1.14.8.

Publish Date: 2022-02-09

URL: CVE-2022-0536

CVSS 3 Score Details (5.9)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: None
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0536

Release Date: 2022-02-09

Fix Resolution (follow-redirects): 1.14.8

Direct dependency fix Resolution (webpack-dev-server): 4.5.0

Vulnerable Library - pydantic-1.8.2-cp37-cp37m-manylinux2014_x86_64.whl

Data validation using Python type hints

Library home page: https://files.pythonhosted.org/packages/9f/f2/2d5425efe57f6c4e06cbe5e587c1fd16929dcf0eb90bd4d3d1e1c97d1151/pydantic-1.8.2-cp37-cp37m-manylinux2014_x86_64.whl

Path to dependency file: /backend/requirements.txt

Path to vulnerable library: /backend/requirements.txt,/backend/requirements.txt

Dependency Hierarchy:

• ❌ pydantic-1.8.2-cp37-cp37m-manylinux2014_x86_64.whl (Vulnerable Library)

Found in base branch: dev

Vulnerability Details

Regular expression denial of service in Pydanic < 2.4.0, < 1.10.13 allows remote attackers to cause denial of service via a crafted email string.

Publish Date: 2024-04-15

URL: CVE-2024-3772

CVSS 3 Score Details (5.9)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Release Date: 2024-04-15

Fix Resolution: 1.10.13

Vulnerable Library - minimatch-3.0.4.tgz

a glob matcher in javascript

Library home page: https://registry.npmjs.org/minimatch/-/minimatch-3.0.4.tgz

Path to dependency file: /frontend/package.json

Path to vulnerable library: /frontend/node_modules/minimatch/package.json

Dependency Hierarchy:

• eslint-8.1.0.tgz (Root Library)
  • ❌ minimatch-3.0.4.tgz (Vulnerable Library)

Found in base branch: dev

Vulnerability Details

A vulnerability was found in the minimatch package. This flaw allows a Regular Expression Denial of Service (ReDoS) when calling the braceExpand function with specific arguments, resulting in a Denial of Service.

Publish Date: 2022-10-17

URL: CVE-2022-3517

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Release Date: 2022-10-17

Fix Resolution: minimatch - 3.0.5

Vulnerable Library - node-forge-0.10.0.tgz

JavaScript implementations of network transports, cryptography, ciphers, PKI, message digests, and various utilities.

Library home page: https://registry.npmjs.org/node-forge/-/node-forge-0.10.0.tgz

Dependency Hierarchy:

• webpack-dev-server-4.4.0.tgz (Root Library)
  • selfsigned-1.10.11.tgz
    • ❌ node-forge-0.10.0.tgz (Vulnerable Library)

Found in HEAD commit: 6a95b3e13857670dc212dc469e8b58ade3ef5dbf

Found in base branch: dev

Vulnerability Details

Forge (also called node-forge) is a native implementation of Transport Layer Security in JavaScript. Prior to version 1.3.0, RSA PKCS#1 v1.5 signature verification code does not properly check DigestInfo for a proper ASN.1 structure. This can lead to successful verification with signatures that contain invalid structures but a valid digest. The issue has been addressed in node-forge version 1.3.0. There are currently no known workarounds.

Publish Date: 2022-03-18

URL: CVE-2022-24773

CVSS 3 Score Details (5.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: Low
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24773

Release Date: 2022-03-18

Fix Resolution (node-forge): 1.3.0

Direct dependency fix Resolution (webpack-dev-server): 4.7.1

Vulnerable Library - qs-6.7.0.tgz

A querystring parser that supports nesting and arrays, with a depth limit

Library home page: https://registry.npmjs.org/qs/-/qs-6.7.0.tgz

Dependency Hierarchy:

• webpack-dev-server-4.4.0.tgz (Root Library)
  • express-4.17.1.tgz
    • ❌ qs-6.7.0.tgz (Vulnerable Library)

Found in HEAD commit: 19483627fa0b5d0b71a8e750e074d0939a9777b7

Found in base branch: dev

Vulnerability Details

A Denial of Service vulnerability exists in qs up to 6.8.0 due to insufficient sanitization of property in the gs.parse function. The merge() function allows the assignment of properties on an array in the query. For any property being assigned, a value in the array is converted to an object containing these properties. Essentially, this means that the property whose expected type is Array always has to be checked with Array.isArray() by the user. This may not be obvious to the user and can cause unexpected behavior.

Publish Date: 2022-03-17

URL: CVE-2021-44907

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44907

Release Date: 2022-03-17

Fix Resolution (qs): 6.8.1

Direct dependency fix Resolution (webpack-dev-server): 4.7.0

Vulnerable Library - minimist-1.2.5.tgz

parse argument options

Library home page: https://registry.npmjs.org/minimist/-/minimist-1.2.5.tgz

Dependency Hierarchy:

• webpack-config-single-spa-5.1.1.tgz (Root Library)
  • babel-loader-8.2.3.tgz
    • loader-utils-1.4.0.tgz
      • json5-1.0.1.tgz
        • ❌ minimist-1.2.5.tgz (Vulnerable Library)

Found in HEAD commit: 19483627fa0b5d0b71a8e750e074d0939a9777b7

Found in base branch: dev

Vulnerability Details

Minimist <=1.2.5 is vulnerable to Prototype Pollution via file index.js, function setKey() (lines 69-95).

Publish Date: 2022-03-17

URL: CVE-2021-44906

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://github.com/substack/minimist/issues/164

Release Date: 2022-03-17

Fix Resolution: minimist - 1.2.6

Vulnerable Libraries - json5-2.2.0.tgz, json5-1.0.1.tgz

Found in base branch: dev

Vulnerability Details

JSON5 is an extension to the popular JSON file format that aims to be easier to write and maintain by hand (e.g. for config files). The parse method of the JSON5 library before and including versions 1.0.1 and 2.2.1 does not restrict parsing of keys named __proto__, allowing specially crafted strings to pollute the prototype of the resulting object. This vulnerability pollutes the prototype of the object returned by JSON5.parse and not the global Object prototype, which is the commonly understood definition of Prototype Pollution. However, polluting the prototype of a single object can have significant security impact for an application if the object is later used in trusted operations. This vulnerability could allow an attacker to set arbitrary and unexpected keys on the object returned from JSON5.parse. The actual impact will depend on how applications utilize the returned object and how they filter unwanted keys, but could include denial of service, cross-site scripting, elevation of privilege, and in extreme cases, remote code execution. JSON5.parse should restrict parsing of __proto__ keys when parsing JSON strings to objects. As a point of reference, the JSON.parse method included in JavaScript ignores __proto__ keys. Simply changing JSON5.parse to JSON.parse in the examples above mitigates this vulnerability. This vulnerability is patched in json5 versions 1.0.2, 2.2.2, and later.

Publish Date: 2022-12-24

URL: CVE-2022-46175

CVSS 3 Score Details (8.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2022-46175

Release Date: 2022-12-24

Fix Resolution (json5): 2.2.2

Direct dependency fix Resolution (webpack-config-single-spa-react): 4.0.3

Fix Resolution (json5): 1.0.2

Direct dependency fix Resolution (webpack-config-single-spa-react): 4.0.3

Vulnerable Library - word-wrap-1.2.3.tgz

Wrap words to a specified length.

Library home page: https://registry.npmjs.org/word-wrap/-/word-wrap-1.2.3.tgz

Path to dependency file: /frontend/package.json

Path to vulnerable library: /frontend/node_modules/word-wrap/package.json

Dependency Hierarchy:

• eslint-8.1.0.tgz (Root Library)
  • optionator-0.9.1.tgz
    • ❌ word-wrap-1.2.3.tgz (Vulnerable Library)

Found in base branch: dev

Vulnerability Details

All versions of the package word-wrap are vulnerable to Regular Expression Denial of Service (ReDoS) due to the usage of an insecure regular expression within the result variable.

Publish Date: 2023-06-22

URL: CVE-2023-26115

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-j8xg-fqg3-53r7

Release Date: 2023-06-22

Fix Resolution (word-wrap): 1.2.4

Direct dependency fix Resolution (eslint): 8.2.0

Vulnerable Library - yaml-1.10.2.tgz

JavaScript parser and stringifier for YAML

Library home page: https://registry.npmjs.org/yaml/-/yaml-1.10.2.tgz

Dependency Hierarchy:

• styled-11.3.0.tgz (Root Library)
  • babel-plugin-11.3.0.tgz
    • babel-plugin-macros-2.8.0.tgz
      • cosmiconfig-6.0.0.tgz
        • ❌ yaml-1.10.2.tgz (Vulnerable Library)

Found in base branch: dev

Vulnerability Details

Uncaught Exception in GitHub repository eemeli/yaml prior to 2.2.2.

Publish Date: 2023-04-24

URL: CVE-2023-2251

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-f9xv-q969-pqx4

Release Date: 2023-04-24

Fix Resolution: yaml - 2.2.2

Vulnerable Library - node-forge-0.10.0.tgz

JavaScript implementations of network transports, cryptography, ciphers, PKI, message digests, and various utilities.

Library home page: https://registry.npmjs.org/node-forge/-/node-forge-0.10.0.tgz

Dependency Hierarchy:

• webpack-dev-server-4.4.0.tgz (Root Library)
  • selfsigned-1.10.11.tgz
    • ❌ node-forge-0.10.0.tgz (Vulnerable Library)

Found in base branch: dev

Vulnerability Details

In node-forge before 1.0.0 he regex used for the forge.util.parseUrl API would not properly parse certain inputs resulting in a parsed data structure that could lead to undesired behavior.

Publish Date: 2022-01-08

URL: WS-2022-0007

CVSS 3 Score Details (5.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: GHSA-gf8q-jrpm-jvxq

Release Date: 2022-01-08

Fix Resolution: node-forge - 1.0.0

Vulnerable Libraries - semver-7.3.5.tgz, semver-6.3.0.tgz

Found in base branch: dev

Vulnerability Details

Versions of the package semver before 7.5.2 are vulnerable to Regular Expression Denial of Service (ReDoS) via the function new Range, when untrusted user data is provided as a range.

Publish Date: 2023-06-21

URL: CVE-2022-25883

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-c2qf-rxjj-qqgw

Release Date: 2023-06-21

Fix Resolution: semver - 5.7.2,6.3.1,7.5.2;org.webjars.npm:semver:7.5.2

Vulnerable Library - async-2.6.3.tgz

Higher-order functions and common patterns for asynchronous code

Library home page: https://registry.npmjs.org/async/-/async-2.6.3.tgz

Dependency Hierarchy:

• webpack-dev-server-4.4.0.tgz (Root Library)
  • portfinder-1.0.28.tgz
    • ❌ async-2.6.3.tgz (Vulnerable Library)

Found in HEAD commit: 6a95b3e13857670dc212dc469e8b58ade3ef5dbf

Found in base branch: dev

Vulnerability Details

In Async before 2.6.4 and 3.x before 3.2.2, a malicious user can obtain privileges via the mapValues() method, aka lib/internal/iterator.js createObjectIterator prototype pollution.

Publish Date: 2022-04-06

URL: CVE-2021-43138

CVSS 3 Score Details (7.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Local
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2021-43138

Release Date: 2022-04-06

Fix Resolution (async): 3.2.2

Direct dependency fix Resolution (webpack-dev-server): 4.7.1

Vulnerable Library - certifi-2021.10.8-py2.py3-none-any.whl

Python package for providing Mozilla's CA Bundle.

Library home page: https://files.pythonhosted.org/packages/37/45/946c02767aabb873146011e665728b680884cd8fe70dde973c640e45b775/certifi-2021.10.8-py2.py3-none-any.whl

Path to dependency file: /backend/requirements.txt

Path to vulnerable library: /backend/requirements.txt,/backend/requirements.txt

Dependency Hierarchy:

• ❌ certifi-2021.10.8-py2.py3-none-any.whl (Vulnerable Library)

Found in base branch: dev

Vulnerability Details

Certifi is a curated collection of Root Certificates for validating the trustworthiness of SSL certificates while verifying the identity of TLS hosts. Certifi 2022.12.07 removes root certificates from "TrustCor" from the root store. These are in the process of being removed from Mozilla's trust store. TrustCor's root certificates are being removed pursuant to an investigation prompted by media reporting that TrustCor's ownership also operated a business that produced spyware. Conclusions of Mozilla's investigation can be found in the linked google group discussion.

Publish Date: 2022-12-07

URL: CVE-2022-23491

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: High
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2022-23491

Release Date: 2022-12-07

Fix Resolution: certifi - 2022.12.07

Vulnerable Library - traverse-7.16.0.tgz

The Babel Traverse module maintains the overall tree state, and is responsible for replacing, removing, and adding nodes

Library home page: https://registry.npmjs.org/@babel/traverse/-/traverse-7.16.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

• styled-components-5.3.3.tgz (Root Library)
  • ❌ traverse-7.16.0.tgz (Vulnerable Library)

Found in base branch: dev

Vulnerability Details

Babel is a compiler for writingJavaScript. In @babel/traverse prior to versions 7.23.2 and 8.0.0-alpha.4 and all versions of babel-traverse, using Babel to compile code that was specifically crafted by an attacker can lead to arbitrary code execution during compilation, when using plugins that rely on the path.evaluate()or path.evaluateTruthy() internal Babel methods. Known affected plugins are @babel/plugin-transform-runtime; @babel/preset-env when using its useBuiltIns option; and any "polyfill provider" plugin that depends on @babel/helper-define-polyfill-provider, such as babel-plugin-polyfill-corejs3, babel-plugin-polyfill-corejs2, babel-plugin-polyfill-es-shims, babel-plugin-polyfill-regenerator. No other plugins under the @babel/ namespace are impacted, but third-party plugins might be. Users that only compile trusted code are not impacted. The vulnerability has been fixed in @babel/[email protected] and @babel/[email protected]. Those who cannot upgrade @babel/traverse and are using one of the affected packages mentioned above should upgrade them to their latest version to avoid triggering the vulnerable code path in affected @babel/traverse versions: @babel/plugin-transform-runtime v7.23.2, @babel/preset-env v7.23.2, @babel/helper-define-polyfill-provider v0.4.3, babel-plugin-polyfill-corejs2 v0.4.6, babel-plugin-polyfill-corejs3 v0.8.5, babel-plugin-polyfill-es-shims v0.10.0, babel-plugin-polyfill-regenerator v0.5.3.

Publish Date: 2023-10-12

URL: CVE-2023-45133

CVSS 3 Score Details (8.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Local
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-67hx-6x53-jw92

Release Date: 2023-10-12

Fix Resolution (@babel/traverse): 7.23.2

Direct dependency fix Resolution (styled-components): 5.3.4

Vulnerable Library - node-forge-0.10.0.tgz

JavaScript implementations of network transports, cryptography, ciphers, PKI, message digests, and various utilities.

Library home page: https://registry.npmjs.org/node-forge/-/node-forge-0.10.0.tgz

Dependency Hierarchy:

• webpack-dev-server-4.4.0.tgz (Root Library)
  • selfsigned-1.10.11.tgz
    • ❌ node-forge-0.10.0.tgz (Vulnerable Library)

Found in HEAD commit: 6a95b3e13857670dc212dc469e8b58ade3ef5dbf

Found in base branch: dev

Vulnerability Details

Forge (also called node-forge) is a native implementation of Transport Layer Security in JavaScript. Prior to version 1.3.0, RSA PKCS#1 v1.5 signature verification code is lenient in checking the digest algorithm structure. This can allow a crafted structure that steals padding bytes and uses unchecked portion of the PKCS#1 encoded message to forge a signature when a low public exponent is being used. The issue has been addressed in node-forge version 1.3.0. There are currently no known workarounds.

Publish Date: 2022-03-18

URL: CVE-2022-24771

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: High
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24771

Release Date: 2022-03-18

Fix Resolution (node-forge): 1.3.0

Direct dependency fix Resolution (webpack-dev-server): 4.7.1

Vulnerable Library - urllib3-1.26.7-py2.py3-none-any.whl

HTTP library with thread-safe connection pooling, file post, and more.

Library home page: https://files.pythonhosted.org/packages/af/f4/524415c0744552cce7d8bf3669af78e8a069514405ea4fcbd0cc44733744/urllib3-1.26.7-py2.py3-none-any.whl

Path to dependency file: /backend/requirements.txt

Path to vulnerable library: /backend/requirements.txt,/backend/requirements.txt

Dependency Hierarchy:

• ❌ urllib3-1.26.7-py2.py3-none-any.whl (Vulnerable Library)

Found in base branch: dev

Vulnerability Details

urllib3 is a user-friendly HTTP client library for Python. urllib3 previously wouldn't remove the HTTP request body when an HTTP redirect response using status 301, 302, or 303 after the request had its method changed from one that could accept a request body (like POST) to GET as is required by HTTP RFCs. Although this behavior is not specified in the section for redirects, it can be inferred by piecing together information from different sections and we have observed the behavior in other major HTTP client implementations like curl and web browsers. Because the vulnerability requires a previously trusted service to become compromised in order to have an impact on confidentiality we believe the exploitability of this vulnerability is low. Additionally, many users aren't putting sensitive data in HTTP request bodies, if this is the case then this vulnerability isn't exploitable. Both of the following conditions must be true to be affected by this vulnerability: 1. Using urllib3 and submitting sensitive information in the HTTP request body (such as form data or JSON) and 2. The origin service is compromised and starts redirecting using 301, 302, or 303 to a malicious peer or the redirected-to service becomes compromised. This issue has been addressed in versions 1.26.18 and 2.0.7 and users are advised to update to resolve this issue. Users unable to update should disable redirects for services that aren't expecting to respond with redirects with redirects=False and disable automatic redirects with redirects=False and handle 301, 302, and 303 redirects manually by stripping the HTTP request body.

Publish Date: 2023-10-17

URL: CVE-2023-45803

CVSS 3 Score Details (4.2)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Adjacent
  • Attack Complexity: High
  • Privileges Required: High
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: None
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: GHSA-g4mx-q9vg-27p4

Release Date: 2023-10-17

Fix Resolution: 1.26.18

Vulnerable Library - requests-2.26.0-py2.py3-none-any.whl

Python HTTP for Humans.

Library home page: https://files.pythonhosted.org/packages/92/96/144f70b972a9c0eabbd4391ef93ccd49d0f2747f4f6a2a2738e99e5adc65/requests-2.26.0-py2.py3-none-any.whl

Path to dependency file: /backend/requirements.txt

Path to vulnerable library: /backend/requirements.txt

Dependency Hierarchy:

• ❌ requests-2.26.0-py2.py3-none-any.whl (Vulnerable Library)

Found in base branch: dev

Vulnerability Details

Requests is a HTTP library. Since Requests 2.3.0, Requests has been leaking Proxy-Authorization headers to destination servers when redirected to an HTTPS endpoint. This is a product of how we use rebuild_proxies to reattach the Proxy-Authorization header to requests. For HTTP connections sent through the tunnel, the proxy will identify the header in the request itself and remove it prior to forwarding to the destination server. However when sent over HTTPS, the Proxy-Authorization header must be sent in the CONNECT request as the proxy has no visibility into the tunneled request. This results in Requests forwarding proxy credentials to the destination server unintentionally, allowing a malicious actor to potentially exfiltrate sensitive information. This issue has been patched in version 2.31.0.

Publish Date: 2023-05-26

URL: CVE-2023-32681

CVSS 3 Score Details (6.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: None
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: GHSA-j8r2-6x86-q33q

Release Date: 2023-05-26

Fix Resolution: requests -2.31.0

Vulnerable Library - urllib3-1.26.7-py2.py3-none-any.whl

HTTP library with thread-safe connection pooling, file post, and more.

Library home page: https://files.pythonhosted.org/packages/af/f4/524415c0744552cce7d8bf3669af78e8a069514405ea4fcbd0cc44733744/urllib3-1.26.7-py2.py3-none-any.whl

Path to dependency file: /backend/requirements.txt

Path to vulnerable library: /backend/requirements.txt,/backend/requirements.txt

Dependency Hierarchy:

• ❌ urllib3-1.26.7-py2.py3-none-any.whl (Vulnerable Library)

Found in base branch: dev

Vulnerability Details

urllib3 is a user-friendly HTTP client library for Python. urllib3 doesn't treat the Cookie HTTP header special or provide any helpers for managing cookies over HTTP, that is the responsibility of the user. However, it is possible for a user to specify a Cookie header and unknowingly leak information via HTTP redirects to a different origin if that user doesn't disable redirects explicitly. This issue has been patched in urllib3 version 1.26.17 or 2.0.5.

Publish Date: 2023-10-04

URL: CVE-2023-43804

CVSS 3 Score Details (8.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2023-43804

Release Date: 2023-10-04

Fix Resolution: 1.26.17

Vulnerable Library - glob-parent-5.1.2.tgz

Extract the non-magic parent path from a glob string.

Library home page: https://registry.npmjs.org/glob-parent/-/glob-parent-5.1.2.tgz

Path to dependency file: /frontend/package.json

Path to vulnerable library: /frontend/node_modules/glob-parent/package.json

Dependency Hierarchy:

• stylelint-13.13.1.tgz (Root Library)
  • fast-glob-3.2.7.tgz
    • ❌ glob-parent-5.1.2.tgz (Vulnerable Library)

Found in HEAD commit: c03d32b214b80caed9512e65a907ef00a53068bd

Found in base branch: dev

Vulnerability Details

The package glob-parent before 6.0.1 are vulnerable to Regular Expression Denial of Service (ReDoS)

Publish Date: 2021-06-22

URL: CVE-2021-35065

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: gulpjs/glob-parent#49

Release Date: 2021-06-22

Fix Resolution: glob-parent - 6.0.1

Vulnerable Library - nanoid-3.1.30.tgz

A tiny (130 bytes), secure URL-friendly unique string ID generator

Library home page: https://registry.npmjs.org/nanoid/-/nanoid-3.1.30.tgz

Dependency Hierarchy:

• webpack-config-single-spa-5.1.1.tgz (Root Library)
  • css-loader-5.2.7.tgz
    • postcss-8.3.11.tgz
      • ❌ nanoid-3.1.30.tgz (Vulnerable Library)

Found in base branch: dev

Vulnerability Details

The package nanoid from 3.0.0 and before 3.1.31 are vulnerable to Information Exposure via the valueOf() function which allows to reproduce the last id generated.

Publish Date: 2022-01-14

URL: CVE-2021-23566

CVSS 3 Score Details (5.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Local
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: None
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: ai/nanoid#328

Release Date: 2022-01-14

Fix Resolution (nanoid): 3.1.31

Direct dependency fix Resolution (webpack-config-single-spa): 5.2.0

Vulnerable Library - starlette-0.16.0-py3-none-any.whl

The little ASGI library that shines.

Library home page: https://files.pythonhosted.org/packages/20/74/4e60dbbf61567bf5adea89433068d5f7c18c86ca77617b5de5b3ddd83f62/starlette-0.16.0-py3-none-any.whl

Path to dependency file: /backend/requirements.txt

Path to vulnerable library: /backend/requirements.txt,/backend/requirements.txt

Dependency Hierarchy:

• ❌ starlette-0.16.0-py3-none-any.whl (Vulnerable Library)

Found in base branch: dev

Vulnerability Details

A Denial of Service (DoS) vulnerability was discovered in starlette prior to 0.25.0. The MultipartParser using the package python-multipart accepts an unlimited number of multipart parts (form fields or files). Processing too many parts results in high CPU usage and high memory usage, eventually leading to an OOM process kill. This can be triggered by sending too many small form fields with no content, or too many empty files.

Publish Date: 2023-02-14

URL: WS-2023-0037

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-74m5-2c7w-9w3x

Release Date: 2023-02-14

Fix Resolution: starlette - 0.25.0