Cloud GIS platform frontend. It supports OGC standards such as WFS, WMS and WPS, and it supports multiple users working on the same project.
Home Page: https://cloudgis.chao6p.top
Languages: JavaScript 26.34%, HTML 3.99%, Vue 46.34%, TypeScript 20.13%, Shell 3.20%
cloudgis-frontend's Issues
WS-2021-0154 - Medium Severity Vulnerability
Vulnerable Library - glob-parent-3.1.0.tgz
Strips glob magic from a string to provide the parent directory path
Library home page: https://registry.npmjs.org/glob-parent/-/glob-parent-3.1.0.tgz
Path to dependency file: cloudgis-frontend/package.json
Path to vulnerable library: cloudgis-frontend/node_modules/glob-parent
Dependency Hierarchy:
cli-plugin-typescript-4.5.13.tgz (Root Library)
  globby-9.2.0.tgz
    fast-glob-2.2.7.tgz
      └ glob-parent-3.1.0.tgz (Vulnerable Library)
Found in base branch: master
Vulnerability Details
Regular Expression Denial of Service (ReDoS) vulnerability was found in glob-parent before 5.1.2.
Publish Date: 2021-01-27
URL: WS-2021-0154
CVSS 3 base score: 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: https://github.com/gulpjs/glob-parent/releases/tag/v5.1.2
Release Date: 2021-01-27
Fix Resolution: glob-parent - 5.1.2
Step up your Open Source Security Game with WhiteSource here
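Every report on this page ends its "Dependency Hierarchy" at a root library, and the roots here (cli-service, cli-plugin-typescript, cli-plugin-unit-jest, cli-plugin-e2e-cypress, all 4.5.13) are, by name and version, Vue CLI's build and test plugins with the @vue scope stripped by the scanner. The first triage question is therefore whether a flagged package is reachable from anything that ships to the browser or only from dev tooling. The following is an added example of my own, not code from cloudgis-frontend or from the scanner: it reconstructs such chains from an npm lockfile and splits them by the kind of root they hang from. The package.json and lockfile are constructed inline to mirror the css-what chain reported further down; the version ranges in `requires`, the `cesium` version and the flat hoisting layout are assumptions, not values read from the repository.

```javascript
// Added example: walk an npm v1 lockfile (top-level "dependencies", each entry
// with "version", optional "dev", "requires" and nested "dependencies") and list
// every chain from a direct dependency down to a given package.
// All data below is constructed; only the names/versions of the css-what chain
// come from the report on this page.

const PACKAGE_JSON = {
  dependencies: { cesium: "^1.80.0" },                  // assumed runtime dependency
  devDependencies: { "@vue/cli-service": "~4.5.13" },
};

const LOCKFILE = {
  lockfileVersion: 1,
  dependencies: {
    cesium: { version: "1.80.0" },
    "@vue/cli-service": { version: "4.5.13", dev: true, requires: { "html-webpack-plugin": "^3.2.0" } },
    "html-webpack-plugin": { version: "3.2.0", dev: true, requires: { "pretty-error": "^2.0.2" } },
    "pretty-error": { version: "2.1.2", dev: true, requires: { renderkid: "^2.0.4" } },
    renderkid: { version: "2.0.5", dev: true, requires: { "css-select": "^2.0.2" } },
    "css-select": { version: "2.1.0", dev: true, requires: { "css-what": "^3.2.1" } },
    "css-what": { version: "3.4.2", dev: true },
  },
};

// npm resolves a "requires" entry by looking in the requiring node's own nested
// "dependencies", then in each ancestor's nested "dependencies", then at the top level.
function resolveRequire(lock, nodesOnPath, name) {
  for (let i = nodesOnPath.length - 1; i >= 0; i--) {
    const nested = nodesOnPath[i].dependencies;
    if (nested && nested[name]) return nested[name];
  }
  return lock.dependencies[name] || null;
}

// Depth-first walk from one direct dependency; collects every chain ending at `target`.
function chainsFrom(lock, rootName, target) {
  const chains = [];
  function walk(name, node, ancestors, trail, onPath) {
    const nextTrail = trail.concat(`${name}-${node.version}`);
    if (name === target) { chains.push(nextTrail); return; }
    if (onPath.has(node)) return;                 // cycle guard (peer/optional loops exist in real trees)
    onPath.add(node);
    const here = ancestors.concat(node);
    for (const req of Object.keys(node.requires || {})) {
      const child = resolveRequire(lock, here, req);
      if (child) walk(req, child, here, nextTrail, onPath);
    }
    onPath.delete(node);
  }
  const root = lock.dependencies[rootName];
  if (root) walk(rootName, root, [], [], new Set());
  return chains;
}

// Triage view: chains grouped by whether their root is a runtime or a dev dependency.
function triage(pkg, lock, target) {
  const result = { runtime: [], dev: [] };
  for (const root of Object.keys(pkg.dependencies || {})) result.runtime.push(...chainsFrom(lock, root, target));
  for (const root of Object.keys(pkg.devDependencies || {})) result.dev.push(...chainsFrom(lock, root, target));
  result.devOnly = result.runtime.length === 0 && result.dev.length > 0;
  return result;
}

const REPORT = triage(PACKAGE_JSON, LOCKFILE, "css-what");
console.log(REPORT.dev.map((chain) => chain.join(" > ")).join("\n"));
console.log(REPORT.devOnly ? "css-what: reachable only through devDependencies" : "css-what: reachable at runtime");
```

Against the real tree, `npm ls css-what` gives the same answer without any code; the point of the walk is that lockfile v1 stores declared ranges in `requires` and nesting decides which copy satisfies them, so a scanner's flat "Path to vulnerable library: node_modules/..." can hide a second, nested copy. Lockfile v2/v3 use a flat `packages` map keyed by path instead, so the resolver above needs adapting for them. "Dev only" lowers priority but does not close the finding: ReDoS or template injection in build tooling still runs on CI machines that process untrusted input, such as a pull request from a fork.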
CVE-2021-32640 - Medium Severity Vulnerability
Vulnerable Libraries - ws-6.2.1.tgz, ws-5.2.2.tgz, ws-7.4.5.tgz
ws-6.2.1.tgz
Simple to use, blazing fast and thoroughly tested websocket client and server for Node.js
Library home page: https://registry.npmjs.org/ws/-/ws-6.2.1.tgz
Path to dependency file: cloudgis-frontend/package.json
Path to vulnerable library: cloudgis-frontend/node_modules/ws
Dependency Hierarchy:
cli-service-4.5.13.tgz (Root Library)
  webpack-bundle-analyzer-3.9.0.tgz
    └ ws-6.2.1.tgz (Vulnerable Library)
ws-5.2.2.tgz
Simple to use, blazing fast and thoroughly tested websocket client and server for Node.js
Library home page: https://registry.npmjs.org/ws/-/ws-5.2.2.tgz
Path to dependency file: cloudgis-frontend/package.json
Path to vulnerable library: cloudgis-frontend/node_modules/ws
Dependency Hierarchy:
cli-plugin-unit-jest-4.5.13.tgz (Root Library)
  jest-24.9.0.tgz
    jest-cli-24.9.0.tgz
      jest-config-24.9.0.tgz
        jest-environment-jsdom-24.9.0.tgz
          jsdom-11.12.0.tgz
            └ ws-5.2.2.tgz (Vulnerable Library)
ws-7.4.5.tgz
Simple to use, blazing fast and thoroughly tested websocket client and server for Node.js
Library home page: https://registry.npmjs.org/ws/-/ws-7.4.5.tgz
Path to dependency file: cloudgis-frontend/package.json
Path to vulnerable library: cloudgis-frontend/node_modules/ws
Dependency Hierarchy:
cli-plugin-unit-jest-4.5.13.tgz (Root Library)
  jest-environment-jsdom-fifteen-1.0.2.tgz
    jsdom-15.2.1.tgz
      └ ws-7.4.5.tgz (Vulnerable Library)
Found in HEAD commit: 4602cd5649de2c8fcb2487506173f9ce9ec11838
Found in base branch: master
Vulnerability Details
ws is an open source WebSocket client and server library for Node.js. A specially crafted value of the Sec-Websocket-Protocol header can be used to significantly slow down a ws server. The vulnerability has been fixed in ws@7.4.6 (websockets/ws@00c425e). In vulnerable versions of ws, the issue can be mitigated by reducing the maximum allowed length of the request headers using the --max-http-header-size=size and/or the maxHeaderSize options.
Publish Date: 2021-05-25
URL: CVE-2021-32640
CVSS 3 base score: 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)
Suggested Fix
Type: Upgrade version
Origin: GHSA-6fc8-4gx4-v693
Release Date: 2021-05-25
Fix Resolution: ws - 7.4.6
CVE-2020-7608 - Medium Severity Vulnerability
Vulnerable Library - yargs-parser-10.1.0.tgz
the mighty option parser used by yargs
Library home page: https://registry.npmjs.org/yargs-parser/-/yargs-parser-10.1.0.tgz
Path to dependency file: cloudgis-frontend/package.json
Path to vulnerable library: cloudgis-frontend/node_modules/yargs-parser
Dependency Hierarchy:
cli-plugin-unit-jest-4.5.13.tgz (Root Library)
  ts-jest-24.3.0.tgz
    └ yargs-parser-10.1.0.tgz (Vulnerable Library)
Found in HEAD commit: 4602cd5649de2c8fcb2487506173f9ce9ec11838
Found in base branch: master
Vulnerability Details
yargs-parser could be tricked into adding or modifying properties of Object.prototype using a "__proto__" payload.
Publish Date: 2020-03-16
URL: CVE-2020-7608
CVSS 3 base score: 5.3 (AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L)
Suggested Fix
Type: Upgrade version
Origin: yargs/yargs-parser@63810ca
Release Date: 2020-06-05
Fix Resolution: 5.0.1;13.1.2;15.0.1;18.1.1
CVE-2020-7598 - Medium Severity Vulnerability
Vulnerable Libraries - minimist-0.0.8.tgz, minimist-1.2.0.tgz
minimist-0.0.8.tgz
parse argument options
Library home page: https://registry.npmjs.org/minimist/-/minimist-0.0.8.tgz
Path to dependency file: cloudgis-frontend/package.json
Path to vulnerable library: cloudgis-frontend/node_modules/minimist
Dependency Hierarchy:
cli-plugin-e2e-cypress-4.5.13.tgz (Root Library)
  cypress-3.8.3.tgz
    extract-zip-1.6.7.tgz
      mkdirp-0.5.1.tgz
        └ minimist-0.0.8.tgz (Vulnerable Library)
minimist-1.2.0.tgz
parse argument options
Library home page: https://registry.npmjs.org/minimist/-/minimist-1.2.0.tgz
Path to dependency file: cloudgis-frontend/package.json
Path to vulnerable library: cloudgis-frontend/node_modules/minimist
Dependency Hierarchy:
cli-plugin-e2e-cypress-4.5.13.tgz (Root Library)
  cypress-3.8.3.tgz
    └ minimist-1.2.0.tgz (Vulnerable Library)
Found in HEAD commit: 4602cd5649de2c8fcb2487506173f9ce9ec11838
Found in base branch: master
Vulnerability Details
minimist before 1.2.2 could be tricked into adding or modifying properties of Object.prototype using a "constructor" or "__proto__" payload.
Publish Date: 2020-03-11
URL: CVE-2020-7598
CVSS 3 base score: 5.6 (AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L)
Suggested Fix
Type: Upgrade version
Origin: https://github.com/substack/minimist/commit/63e7ed05aa4b1889ec2f3b196426db4500cbda94
Release Date: 2020-03-11
Fix Resolution: minimist - 0.2.1,1.2.3
CVE-2021-23382 - Medium Severity Vulnerability
Vulnerable Library - postcss-7.0.35.tgz
Tool for transforming styles with JS plugins
Library home page: https://registry.npmjs.org/postcss/-/postcss-7.0.35.tgz
Path to dependency file: cloudgis-frontend/package.json
Path to vulnerable library: cloudgis-frontend/node_modules/postcss
Dependency Hierarchy:
cli-service-4.5.13.tgz (Root Library)
  postcss-loader-3.0.0.tgz
    └ postcss-7.0.35.tgz (Vulnerable Library)
Found in HEAD commit: 4602cd5649de2c8fcb2487506173f9ce9ec11838
Found in base branch: master
Vulnerability Details
The package postcss before 8.2.13 is vulnerable to Regular Expression Denial of Service (ReDoS) via getAnnotationURL() and loadAnnotation() in lib/previous-map.js. The vulnerable regexes are caused mainly by the sub-pattern /*\s* sourceMappingURL=(.*).
Publish Date: 2021-04-26
URL: CVE-2021-23382
CVSS 3 base score: 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23382
Release Date: 2021-04-26
Fix Resolution: postcss - 8.2.13
CVE-2020-8203 - High Severity Vulnerability
Vulnerable Library - lodash-4.17.15.tgz
Lodash modular utilities.
Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.15.tgz
Path to dependency file: cloudgis-frontend/package.json
Path to vulnerable library: cloudgis-frontend/node_modules/lodash
Dependency Hierarchy:
cli-plugin-e2e-cypress-4.5.13.tgz (Root Library)
  cypress-3.8.3.tgz
    └ lodash-4.17.15.tgz (Vulnerable Library)
Found in HEAD commit: 4602cd5649de2c8fcb2487506173f9ce9ec11838
Found in base branch: master
Vulnerability Details
Prototype pollution attack when using _.zipObjectDeep in lodash before 4.17.20.
Publish Date: 2020-07-15
URL: CVE-2020-8203
CVSS 3 base score: 7.4 (AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H)
Suggested Fix
Type: Upgrade version
Origin: https://www.npmjs.com/advisories/1523
Release Date: 2020-10-21
Fix Resolution: lodash - 4.17.19
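The three reports above (yargs-parser CVE-2020-7608, minimist CVE-2020-7598, lodash CVE-2020-8203) are one bug class. A deep-set or merge routine walks a caller-supplied key path and creates intermediate objects as it goes; when a segment is `__proto__` the walk lands on `Object.prototype`, and the final write gives every plain object in the process a new property. For an argument parser the path comes straight from the command line (`--__proto__.isAdmin=true`); for zipObjectDeep it is the key-path array. The example below is added here and is my own code, not that of any of the three libraries: a minimal deep-set of that shape, the pollution it causes to an object the parser never touched, a hardened version, and a cheap check for an already-polluted prototype.

```javascript
// Added example: prototype pollution through a path-based deep set.
// Constructed to show the bug class; this is not minimist, yargs-parser or lodash code.

// Vulnerable shape: creates intermediate objects along a dotted path and never
// asks whether a segment names an inherited property such as __proto__.
function deepSetVulnerable(target, path, value) {
  const keys = path.split(".");
  let node = target;
  for (let i = 0; i < keys.length - 1; i++) {
    const k = keys[i];
    if (typeof node[k] !== "object" || node[k] === null) node[k] = {};
    node = node[k];              // for k === "__proto__" this is Object.prototype itself
  }
  node[keys[keys.length - 1]] = value;
  return target;
}

// Hardened shape: refuse the dangerous segments outright, and only descend into
// own properties so an inherited object can never be reached by accident.
const FORBIDDEN_SEGMENTS = new Set(["__proto__", "constructor", "prototype"]);
const hasOwn = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

function deepSetSafe(target, path, value) {
  const keys = path.split(".");
  const bad = keys.find((k) => FORBIDDEN_SEGMENTS.has(k));
  if (bad !== undefined) throw new Error(`refusing key segment "${bad}" in path "${path}"`);
  let node = target;
  for (let i = 0; i < keys.length - 1; i++) {
    const k = keys[i];
    if (!hasOwn(node, k) || typeof node[k] !== "object" || node[k] === null) {
      node[k] = Object.create(null);   // null prototype: nothing inheritable below this point
    }
    node = node[k];
  }
  node[keys[keys.length - 1]] = value;
  return target;
}

// Detection: Object.prototype has no own enumerable keys in a healthy process.
// A polluting assignment creates one, so this doubles as a runtime health check.
function prototypeIsClean() {
  return Object.keys(Object.prototype).length === 0;
}

// Run the attack against an object the parser never touched, record what leaks,
// then undo the damage so the rest of the process is unaffected.
function demonstratePollution() {
  const bystander = {};
  const before = prototypeIsClean();
  deepSetVulnerable({}, "__proto__.isAdmin", true);   // the "--__proto__.isAdmin=true" payload
  const leaked = bystander.isAdmin;                   // true, read through the shared prototype
  const during = prototypeIsClean();
  delete Object.prototype.isAdmin;
  return { before, leaked, during, after: prototypeIsClean() };
}

console.log(demonstratePollution());
```

The guard in deepSetSafe covers both payload spellings named in the CVE texts above: `__proto__` directly, and `constructor.prototype` as a two-step route to the same object. The same guard belongs in any recursive merge of parsed JSON, because `JSON.parse('{"__proto__": {"isAdmin": true}}')` yields a harmless own property named `__proto__` that only becomes a pollution when a merge copies it key by key into a normal object.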
CVE-2021-23368 - Medium Severity Vulnerability
Vulnerable Library - postcss-7.0.35.tgz
Tool for transforming styles with JS plugins
Library home page: https://registry.npmjs.org/postcss/-/postcss-7.0.35.tgz
Path to dependency file: cloudgis-frontend/package.json
Path to vulnerable library: cloudgis-frontend/node_modules/postcss
Dependency Hierarchy:
cli-service-4.5.13.tgz (Root Library)
  postcss-loader-3.0.0.tgz
    └ postcss-7.0.35.tgz (Vulnerable Library)
Found in HEAD commit: 4602cd5649de2c8fcb2487506173f9ce9ec11838
Found in base branch: master
Vulnerability Details
The package postcss from 7.0.0 and before 8.2.10 is vulnerable to Regular Expression Denial of Service (ReDoS) during source map parsing.
Publish Date: 2021-04-12
URL: CVE-2021-23368
CVSS 3 base score: 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23368
Release Date: 2021-04-12
Fix Resolution: postcss - 8.2.10
CVE-2021-23386 - Medium Severity Vulnerability
Vulnerable Library - dns-packet-1.3.1.tgz
An abstract-encoding compliant module for encoding / decoding DNS packets
Library home page: https://registry.npmjs.org/dns-packet/-/dns-packet-1.3.1.tgz
Path to dependency file: cloudgis-frontend/package.json
Path to vulnerable library: cloudgis-frontend/node_modules/dns-packet
Dependency Hierarchy:
cli-service-4.5.13.tgz (Root Library)
  webpack-dev-server-3.11.2.tgz
    bonjour-3.5.0.tgz
      multicast-dns-6.2.3.tgz
        └ dns-packet-1.3.1.tgz (Vulnerable Library)
Found in HEAD commit: 4602cd5649de2c8fcb2487506173f9ce9ec11838
Found in base branch: master
Vulnerability Details
This affects the package dns-packet before 5.2.2. It creates buffers with allocUnsafe and does not always fill them before forming network packets. This can expose internal application memory over unencrypted network when querying crafted invalid domain names.
Publish Date: 2021-05-20
URL: CVE-2021-23386
CVSS 3 base score: 6.5 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23386
Release Date: 2021-05-20
Fix Resolution: dns-packet - 5.2.2
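The dns-packet report is a different class from the rest of this list. `Buffer.allocUnsafe()` returns memory that is not zeroed, so when an encoder sizes a buffer from the input length and then writes fewer bytes than that (the report says this happens for crafted invalid names), whatever the memory held before goes out on the wire. The example below is my own construction and not dns-packet's code: a toy DNS name encoder (length-prefixed labels plus a zero terminator) with the unsafe allocation pattern, beside a version that validates the name, allocates zeroed memory and returns exactly the bytes it wrote.

```javascript
// Added example: uninitialised-memory exposure from Buffer.allocUnsafe.
// Toy DNS name encoder; constructed for this example, not dns-packet's code.

// Size estimate used by both versions: one length byte per label plus the
// terminator, which equals name.length + 2 only when every label is non-empty.
function encodedNameLength(name) {
  return name.length + 2;
}

// Unsafe shape: allocate from the estimate, skip empty labels while writing,
// return the whole buffer. For "a..b" one byte is never written and still ships,
// holding whatever the pool slot contained before.
function encodeNameUnsafe(name) {
  const buf = Buffer.allocUnsafe(encodedNameLength(name));
  let offset = 0;
  for (const label of name.split(".")) {
    if (label.length === 0) continue;            // invalid input is silently skipped
    buf[offset++] = label.length;
    offset += buf.write(label, offset, "ascii");
  }
  buf[offset++] = 0;
  return buf;                                     // buf.length may exceed offset
}

// Hardened shape: reject what you will not encode, allocate zeroed memory,
// and hand back only the bytes actually written.
function encodeNameSafe(name) {
  const labels = name.split(".");
  for (const label of labels) {
    if (label.length === 0 || label.length > 63) throw new Error(`invalid label in "${name}"`);
  }
  const buf = Buffer.alloc(encodedNameLength(name));   // zero-filled
  let offset = 0;
  for (const label of labels) {
    buf[offset++] = label.length;
    offset += buf.write(label, offset, "ascii");
  }
  buf[offset++] = 0;
  return buf.subarray(0, offset);
}

// Audit helper: how many allocated bytes the unsafe encoder leaves unwritten
// for a given name (non-zero means stale memory would be sent).
function unwrittenBytes(name) {
  const written = 1 + name.split(".").filter((l) => l.length > 0).reduce((n, l) => n + 1 + l.length, 0);
  return encodedNameLength(name) - written;
}

console.log("a..b leaves", unwrittenBytes("a..b"), "byte(s) unwritten");
console.log("safe encoding of a.b:", encodeNameSafe("a.b"));
```

Three independent fixes are shown and any one of them closes the leak for this pattern: refusing input the writer will not fully encode, allocating with `Buffer.alloc` (or `allocUnsafe` followed by `fill(0)`), and slicing the result to the write offset. The upstream advisory text above also notes why the impact is confidentiality rather than availability: the leaked bytes are process memory, and mDNS traffic of this kind is unencrypted.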
cesium widget getting longer automatically when style="height: 100%"
CVE-2020-28500 - Medium Severity Vulnerability
Vulnerable Library - lodash-4.17.15.tgz
Lodash modular utilities.
Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.15.tgz
Path to dependency file: cloudgis-frontend/package.json
Path to vulnerable library: cloudgis-frontend/node_modules/lodash
Dependency Hierarchy:
cli-plugin-e2e-cypress-4.5.13.tgz (Root Library)
  cypress-3.8.3.tgz
    └ lodash-4.17.15.tgz (Vulnerable Library)
Found in HEAD commit: 4602cd5649de2c8fcb2487506173f9ce9ec11838
Found in base branch: master
Vulnerability Details
Lodash versions prior to 4.17.21 are vulnerable to Regular Expression Denial of Service (ReDoS) via the toNumber, trim and trimEnd functions.
Publish Date: 2021-02-15
URL: CVE-2020-28500
CVSS 3 base score: 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28500
Release Date: 2021-02-15
Fix Resolution: lodash - 4.17.21
CVE-2021-23343 - High Severity Vulnerability
Vulnerable Library - path-parse-1.0.6.tgz
Node.js path.parse() ponyfill
Library home page: https://registry.npmjs.org/path-parse/-/path-parse-1.0.6.tgz
Path to dependency file: cloudgis-frontend/package.json
Path to vulnerable library: cloudgis-frontend/node_modules/path-parse
Dependency Hierarchy:
cli-plugin-typescript-4.5.13.tgz (Root Library)
  tslint-5.20.1.tgz
    resolve-1.20.0.tgz
      └ path-parse-1.0.6.tgz (Vulnerable Library)
Found in HEAD commit: 4602cd5649de2c8fcb2487506173f9ce9ec11838
Found in base branch: master
Vulnerability Details
All versions of package path-parse are vulnerable to Regular Expression Denial of Service (ReDoS) via splitDeviceRe, splitTailRe, and splitPathRe regular expressions. ReDoS exhibits polynomial worst-case time complexity.
Publish Date: 2021-05-04
URL: CVE-2021-23343
CVSS 3 base score: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
Suggested Fix
Type: Upgrade version
Origin: jbgutierrez/path-parse#8
Release Date: 2021-05-04
Fix Resolution: path-parse - 1.0.7
Geoserver ogc services auth
GeoServer OGC services auth supports HTTP Header Proxy Authentication. We will use this as the user/group project auth method. Backend solution is here.
// Every tile request carries an extra header; GeoServer's HTTP header
// authentication reads the user name from it.
var provider = new Cesium.WebMapServiceImageryProvider({
  url: new Cesium.Resource({
    url: 'https://YourServerHere.com/...',
    headers: {
      'sdf09rt2s': 'admin'
    }
  }),
  layers: '0',
  // Route requests through the app's own /proxy/ endpoint rather than straight to GeoServer.
  proxy: new Cesium.DefaultProxy('/proxy/')
});
viewer.imageryLayers.addImageryProvider(provider);
WS-2021-0153 - High Severity Vulnerability
Vulnerable Library - ejs-2.7.4.tgz
Embedded JavaScript templates
Library home page: https://registry.npmjs.org/ejs/-/ejs-2.7.4.tgz
Path to dependency file: cloudgis-frontend/package.json
Path to vulnerable library: cloudgis-frontend/node_modules/ejs
Dependency Hierarchy:
cli-service-4.5.13.tgz (Root Library)
  webpack-bundle-analyzer-3.9.0.tgz
    └ ejs-2.7.4.tgz (Vulnerable Library)
Found in base branch: master
Vulnerability Details
An arbitrary code injection vulnerability was found in ejs before 3.1.6, caused by a filename that isn't sanitized for display.
Publish Date: 2021-01-22
URL: WS-2021-0153
CVSS 3 base score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Suggested Fix
Type: Upgrade version
Origin: mde/ejs#571
Release Date: 2021-01-22
Fix Resolution: ejs - 3.1.6
CVE-2020-28469 - High Severity Vulnerability
Vulnerable Library - glob-parent-3.1.0.tgz
Strips glob magic from a string to provide the parent directory path
Library home page: https://registry.npmjs.org/glob-parent/-/glob-parent-3.1.0.tgz
Path to dependency file: cloudgis-frontend/package.json
Path to vulnerable library: cloudgis-frontend/node_modules/glob-parent
Dependency Hierarchy:
cli-plugin-typescript-4.5.13.tgz (Root Library)
  globby-9.2.0.tgz
    fast-glob-2.2.7.tgz
      └ glob-parent-3.1.0.tgz (Vulnerable Library)
Found in base branch: master
Vulnerability Details
This affects the package glob-parent before 5.1.2: the enclosure regex used to check for strings ending in an enclosure containing a path separator.
Publish Date: 2021-06-03
URL: CVE-2020-28469
CVSS 3 base score: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28469
Release Date: 2021-06-03
Fix Resolution: glob-parent - 5.1.2
Technology Stack
Which technology will we choose?
- Cesium: An open-source JavaScript library for world-class 3D globes and maps.
- Ant Design: provides plenty of UI components to enrich your web applications, and we will improve the components' experience consistently.
- Vue3: Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
alternative ui
alternative geo client
which wps client
WPS doesn't support authentication, so maybe choose WPS as a backend message queue. An MQ can expand capacity dynamically and is stateless.
CVE-2021-33587 - High Severity Vulnerability
Vulnerable Library - css-what-3.4.2.tgz
a CSS selector parser
Library home page: https://registry.npmjs.org/css-what/-/css-what-3.4.2.tgz
Path to dependency file: cloudgis-frontend/package.json
Path to vulnerable library: cloudgis-frontend/node_modules/css-what
Dependency Hierarchy:
cli-service-4.5.13.tgz (Root Library)
  html-webpack-plugin-3.2.0.tgz
    pretty-error-2.1.2.tgz
      renderkid-2.0.5.tgz
        css-select-2.1.0.tgz
          └ css-what-3.4.2.tgz (Vulnerable Library)
Found in HEAD commit: 4602cd5649de2c8fcb2487506173f9ce9ec11838
Found in base branch: master
Vulnerability Details
The css-what package 4.0.0 through 5.0.0 for Node.js does not ensure that attribute parsing has Linear Time Complexity relative to the size of the input.
Publish Date: 2021-05-28
URL: CVE-2021-33587
CVSS 3 base score: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33587
Release Date: 2021-05-28
Fix Resolution: css-what - 5.0.1
CVE-2021-23337 - High Severity Vulnerability
Vulnerable Library - lodash-4.17.15.tgz
Lodash modular utilities.
Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.15.tgz
Path to dependency file: cloudgis-frontend/package.json
Path to vulnerable library: cloudgis-frontend/node_modules/lodash
Dependency Hierarchy:
cli-plugin-e2e-cypress-4.5.13.tgz (Root Library)
  cypress-3.8.3.tgz
    └ lodash-4.17.15.tgz (Vulnerable Library)
Found in HEAD commit: 4602cd5649de2c8fcb2487506173f9ce9ec11838
Found in base branch: master
Vulnerability Details
Lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function.
Publish Date: 2021-02-15
URL: CVE-2021-23337
CVSS 3 base score: 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)
Suggested Fix
Type: Upgrade version
Origin: lodash/lodash@3469357
Release Date: 2021-02-15
Fix Resolution: lodash - 4.17.21
CVE-2021-33502 - High Severity Vulnerability
Vulnerable Libraries - normalize-url-1.9.1.tgz, normalize-url-3.3.0.tgz
normalize-url-1.9.1.tgz
Normalize a URL
Library home page: https://registry.npmjs.org/normalize-url/-/normalize-url-1.9.1.tgz
Path to dependency file: cloudgis-frontend/package.json
Path to vulnerable library: cloudgis-frontend/node_modules/normalize-url
Dependency Hierarchy:
cli-service-4.5.13.tgz (Root Library)
  mini-css-extract-plugin-0.9.0.tgz
    └ normalize-url-1.9.1.tgz (Vulnerable Library)
normalize-url-3.3.0.tgz
Normalize a URL
Library home page: https://registry.npmjs.org/normalize-url/-/normalize-url-3.3.0.tgz
Path to dependency file: cloudgis-frontend/package.json
Path to vulnerable library: cloudgis-frontend/node_modules/normalize-url
Dependency Hierarchy:
cli-service-4.5.13.tgz (Root Library)
  optimize-cssnano-plugin-1.0.6.tgz
    cssnano-preset-default-4.0.8.tgz
      postcss-normalize-url-4.0.1.tgz
        └ normalize-url-3.3.0.tgz (Vulnerable Library)
Found in HEAD commit: 4602cd5649de2c8fcb2487506173f9ce9ec11838
Found in base branch: master
Vulnerability Details
The normalize-url package before 4.5.1, 5.x before 5.3.1, and 6.x before 6.0.1 for Node.js has a ReDoS (regular expression denial of service) issue because it has exponential performance for data: URLs.
Publish Date: 2021-05-24
URL: CVE-2021-33502
CVSS 3 base score: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33502
Release Date: 2021-05-24
Fix Resolution: normalize-url - 4.5.1, 5.3.1, 6.0.1
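Most of the reports on this page (glob-parent WS-2021-0154 and CVE-2020-28469, both postcss CVEs, lodash CVE-2020-28500, path-parse, css-what, normalize-url, and the ws Sec-Websocket-Protocol parser) are the same bug class: a regular expression whose backtracking grows polynomially or exponentially with input length, reachable from a string an attacker controls. One added example of my own, not code from any of those libraries, serves all of them. It shows the lodash-style trimEnd written as a backtracking regex, the same function as a single backwards scan, and a growth-ratio check that tells quadratic from linear behaviour by timing one input size against its double. Absolute timings depend on the machine; the ratio is the thing to read.

```javascript
// Added example: detecting and removing a ReDoS pattern. Own code, not lodash's.

// Vulnerable shape: \s+$ on a string whose long whitespace run is NOT at the end.
// The engine tries every start position inside the run, each time consuming to
// the non-space character and failing the $ anchor: O(n^2) in the run length.
function trimEndRegex(s) {
  return s.replace(/\s+$/, "");
}

// Fixed shape: walk backwards over whitespace once. O(n), no backtracking.
// (/\s/ against a single character is a constant-time test.)
function trimmedEndIndex(s) {
  let i = s.length;
  while (i > 0 && /\s/.test(s.charAt(i - 1))) i--;
  return i;
}
function trimEndLinear(s) {
  return s.slice(0, trimmedEndIndex(s));
}

// Worst-case input for the regex above: a run of n spaces followed by one
// non-whitespace character, so there is nothing to trim and $ never matches.
function worstCaseInput(n) {
  return "x" + " ".repeat(n) + "y";
}

function millis(fn) {
  const start = process.hrtime.bigint();
  fn();
  return Number(process.hrtime.bigint() - start) / 1e6;
}

// Growth check: time fn on size n and on 2n. Linear code gives a ratio near 2,
// quadratic near 4, exponential far beyond that. Returns both timings and the ratio
// so the caller can print or threshold it.
function growthRatio(fn, makeInput, n) {
  const smallMs = millis(() => fn(makeInput(n)));
  const largeMs = millis(() => fn(makeInput(2 * n)));
  return { n, smallMs, largeMs, ratio: smallMs > 0 ? largeMs / smallMs : Infinity };
}

const REGEX_GROWTH = growthRatio(trimEndRegex, worstCaseInput, 5000);
const LINEAR_GROWTH = growthRatio(trimEndLinear, worstCaseInput, 5000);
console.log("regex  ", REGEX_GROWTH);
console.log("linear ", LINEAR_GROWTH);
```

The same harness works for any of the other patterns on this page once you know the shape of its worst-case input (a `data:` URL with a long run of the repeated character for normalize-url, a long path for path-parse, a crafted header value for ws): feed `growthRatio` the library function and a `makeInput(n)` builder and watch the ratio. Where the fix is not yet available, the ws advisory's advice generalises: bound the input length before the regex ever sees it.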