chill-cats / cuddly-computing-machine Goto Github PK

Vulnerable Library - node-sass-4.13.1.tgz

Wrapper around libsass

Library home page: https://registry.npmjs.org/node-sass/-/node-sass-4.13.1.tgz

Path to dependency file: cuddly-computing-machine/package.json

Path to vulnerable library: cuddly-computing-machine/node_modules/node-sass/package.json

Dependency Hierarchy:

• ❌ node-sass-4.13.1.tgz (Vulnerable Library)

Found in HEAD commit: a8d198c123b74b0d4aa91ab05be478b93203afaf

Vulnerability Details

An issue was discovered in LibSass through 3.5.4. A NULL pointer dereference was found in the function Sass::Functions::selector_append which could be leveraged by an attacker to cause a denial of service (application crash) or possibly have unspecified other impact.

Publish Date: 2018-06-04

URL: CVE-2018-11694

CVSS 3 Score Details (8.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://github.com/sass/libsass/releases/tag/3.6.0

Release Date: 2018-06-04

Fix Resolution: libsass - 3.6.0

Vulnerability Details

The parsing component in LibSass through 3.5.5 allows attackers to cause a denial-of-service (uncontrolled recursion in Sass::Parser::parse_css_variable_value in parser.cpp).

Publish Date: 2019-04-23

URL: CVE-2018-20821

CVSS 3 Score Details (6.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://github.com/sass/libsass/releases/tag/3.6.0

Release Date: 2019-04-23

Fix Resolution: libsass - 3.6.0

Vulnerable Library - opennmsopennms-source-22.0.1-1

A Java based fault and performance management system

Library home page: https://sourceforge.net/projects/opennms/

Found in HEAD commit: a8d198c123b74b0d4aa91ab05be478b93203afaf

Library Source Files (65)

* The source files were matched to this source library based on a best effort match. Source libraries are selected from a list of probable public libraries.

• /cuddly-computing-machine/node_modules/console-browserify/test/static/test-adapter.js
• /cuddly-computing-machine/node_modules/nan/nan_callbacks_pre_12_inl.h
• /cuddly-computing-machine/node_modules/node-sass/src/libsass/src/expand.hpp
• /cuddly-computing-machine/node_modules/node-sass/src/sass_types/factory.cpp
• /cuddly-computing-machine/node_modules/js-base64/.attic/test-moment/./yoshinoya.js
• /cuddly-computing-machine/node_modules/node-sass/src/sass_types/boolean.cpp
• /cuddly-computing-machine/node_modules/node-sass/src/sass_types/value.h
• /cuddly-computing-machine/node_modules/node-sass/src/libsass/src/emitter.hpp
• /cuddly-computing-machine/node_modules/nan/nan_converters_pre_43_inl.h
• /cuddly-computing-machine/node_modules/node-sass/src/libsass/src/file.cpp
• /cuddly-computing-machine/node_modules/nan/nan_persistent_12_inl.h
• /cuddly-computing-machine/node_modules/node-sass/src/libsass/src/operation.hpp
• /cuddly-computing-machine/node_modules/nan/nan_persistent_pre_12_inl.h
• /cuddly-computing-machine/node_modules/node-sass/src/libsass/src/operators.hpp
• /cuddly-computing-machine/node_modules/node-sass/src/libsass/src/constants.hpp
• /cuddly-computing-machine/node_modules/node-sass/src/libsass/src/error_handling.hpp
• /cuddly-computing-machine/node_modules/nan/nan_implementation_pre_12_inl.h
• /cuddly-computing-machine/node_modules/js-base64/.attic/test-moment/./dankogai.js
• /cuddly-computing-machine/node_modules/node-sass/src/libsass/src/constants.cpp
• /cuddly-computing-machine/node_modules/node-sass/src/sass_types/list.cpp
• /cuddly-computing-machine/node_modules/node-sass/src/libsass/src/functions.hpp
• /cuddly-computing-machine/node_modules/node-sass/src/libsass/src/util.cpp
• /cuddly-computing-machine/node_modules/node-sass/src/custom_function_bridge.cpp
• /cuddly-computing-machine/node_modules/nan/nan_typedarray_contents.h
• /cuddly-computing-machine/node_modules/node-sass/src/custom_importer_bridge.h
• /cuddly-computing-machine/node_modules/node-sass/src/libsass/src/bind.cpp
• /cuddly-computing-machine/node_modules/nan/nan_json.h
• /cuddly-computing-machine/node_modules/node-sass/src/libsass/src/eval.hpp
• /cuddly-computing-machine/node_modules/nan/nan_converters.h
• /cuddly-computing-machine/node_modules/node-sass/src/libsass/src/backtrace.cpp
• /cuddly-computing-machine/node_modules/node-sass/src/libsass/src/extend.cpp
• /cuddly-computing-machine/node_modules/node-sass/src/sass_types/sass_value_wrapper.h
• /cuddly-computing-machine/node_modules/node-sass/src/libsass/src/error_handling.cpp
• /cuddly-computing-machine/node_modules/node-sass/src/libsass/src/emitter.cpp
• /cuddly-computing-machine/node_modules/node-sass/src/sass_types/number.cpp
• /cuddly-computing-machine/node_modules/node-sass/src/sass_types/color.h
• /cuddly-computing-machine/node_modules/nan/nan_new.h
• /cuddly-computing-machine/node_modules/node-sass/src/libsass/src/sass_values.cpp
• /cuddly-computing-machine/node_modules/node-sass/src/libsass/src/ast.hpp
• /cuddly-computing-machine/node_modules/node-sass/src/libsass/src/output.cpp
• /cuddly-computing-machine/node_modules/node-sass/src/libsass/src/check_nesting.cpp
• /cuddly-computing-machine/node_modules/node-sass/src/sass_types/null.cpp
• /cuddly-computing-machine/node_modules/node-sass/src/libsass/src/ast_def_macros.hpp
• /cuddly-computing-machine/node_modules/node-sass/src/libsass/src/cssize.hpp
• /cuddly-computing-machine/node_modules/node-sass/src/libsass/src/ast.cpp
• /cuddly-computing-machine/node_modules/node-sass/src/libsass/src/to_c.cpp
• /cuddly-computing-machine/node_modules/node-sass/src/libsass/src/to_value.hpp
• /cuddly-computing-machine/node_modules/node-sass/src/libsass/src/ast_fwd_decl.hpp
• /cuddly-computing-machine/node_modules/nan/nan_callbacks.h
• /cuddly-computing-machine/node_modules/node-sass/src/libsass/src/inspect.hpp
• /cuddly-computing-machine/node_modules/node-sass/src/sass_types/color.cpp
• /cuddly-computing-machine/node_modules/node-sass/src/libsass/src/values.cpp
• /cuddly-computing-machine/node_modules/node-sass/src/sass_types/list.h
• /cuddly-computing-machine/node_modules/node-sass/src/libsass/src/check_nesting.hpp
• /cuddly-computing-machine/node_modules/nan/nan_define_own_property_helper.h
• /cuddly-computing-machine/node_modules/js-base64/test/./es5.js
• /cuddly-computing-machine/node_modules/node-sass/src/sass_types/map.cpp
• /cuddly-computing-machine/node_modules/node-sass/src/libsass/src/to_value.cpp
• /cuddly-computing-machine/node_modules/node-sass/src/libsass/src/context.cpp
• /cuddly-computing-machine/node_modules/node-sass/src/sass_types/string.cpp
• /cuddly-computing-machine/node_modules/node-sass/src/libsass/src/sass_context.cpp
• /cuddly-computing-machine/node_modules/node-sass/src/libsass/src/prelexer.hpp
• /cuddly-computing-machine/node_modules/node-sass/src/libsass/src/context.hpp
• /cuddly-computing-machine/node_modules/node-sass/src/sass_types/boolean.h
• /cuddly-computing-machine/node_modules/nan/nan_private.h

Vulnerability Details

An issue was discovered in LibSass through 3.5.4. An out-of-bounds read of a memory region was found in the function Sass::Prelexer::skip_over_scopes which could be leveraged by an attacker to disclose information or manipulated to read from unmapped memory causing a denial of service.

Publish Date: 2018-06-04

URL: CVE-2018-11693

CVSS 3 Score Details (8.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11693

Release Date: 2018-06-04

Fix Resolution: LibSass - 3.5.5

Vulnerable Library - node-sass-4.13.1.tgz

Wrapper around libsass

Library home page: https://registry.npmjs.org/node-sass/-/node-sass-4.13.1.tgz

Path to dependency file: cuddly-computing-machine/package.json

Path to vulnerable library: cuddly-computing-machine/node_modules/node-sass/package.json

Dependency Hierarchy:

• ❌ node-sass-4.13.1.tgz (Vulnerable Library)

Vulnerability Details

An issue was discovered in LibSass through 3.5.4. A NULL pointer dereference was found in the function Sass::Inspect::operator which could be leveraged by an attacker to cause a denial of service (application crash) or possibly have unspecified other impact.

Publish Date: 2018-06-04

URL: CVE-2018-11696

CVSS 3 Score Details (8.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://github.com/sass/libsass/releases/tag/3.5.5

Release Date: 2018-06-04

Fix Resolution: libsass - 3.5.5;node-sass - 4.14.0

Vulnerable Library - elliptic-6.5.2.tgz

EC cryptography

Library home page: https://registry.npmjs.org/elliptic/-/elliptic-6.5.2.tgz

Path to dependency file: cuddly-computing-machine/package.json

Path to vulnerable library: cuddly-computing-machine/node_modules/elliptic/package.json

Dependency Hierarchy:

• react-5.3.13.tgz (Root Library)
  • webpack-4.41.5.tgz
    • node-libs-browser-2.2.1.tgz
      • crypto-browserify-3.12.0.tgz
        • browserify-sign-4.0.4.tgz
          • ❌ elliptic-6.5.2.tgz (Vulnerable Library)

Vulnerability Details

The Elliptic package 6.5.2 for Node.js allows ECDSA signature malleability via variations in encoding, leading '\0' bytes, or integer overflows. This could conceivably have a security-relevant impact if an application relied on a single canonical signature.

Publish Date: 2020-06-04

URL: CVE-2020-13822

CVSS 3 Score Details (7.7)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: https://github.com/indutny/elliptic/tree/v6.5.3

Release Date: 2020-06-04

Fix Resolution: v6.5.3

Vulnerability Details

In LibSass 3.5.5, a NULL Pointer Dereference in the function Sass::Selector_List::populate_extends in SharedPtr.hpp (used by ast.cpp and ast_selectors.cpp) may cause a Denial of Service (application crash) via a crafted sass input file.

Publish Date: 2018-12-03

URL: CVE-2018-19797

CVSS 3 Score Details (6.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://github.com/sass/libsass/releases/tag/3.6.0

Release Date: 2018-12-03

Fix Resolution: libsass - 3.6.0

Vulnerable Libraries - node-sass-4.13.1.tgz, CSS::Sassv3.4.11

Found in HEAD commit: a8d198c123b74b0d4aa91ab05be478b93203afaf

Vulnerability Details

In LibSass prior to 3.5.5, the function handle_error in sass_context.cpp allows attackers to cause a denial-of-service resulting from a heap-based buffer over-read via a crafted sass file.

Publish Date: 2018-12-04

URL: CVE-2018-19839

CVSS 3 Score Details (6.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://github.com/sass/libsass/releases/tag/3.6.0

Release Date: 2018-12-04

Fix Resolution: libsass - 3.6.0

Vulnerable Library - highlight.js-9.13.1.tgz

Syntax highlighting with language autodetection.

Library home page: https://registry.npmjs.org/highlight.js/-/highlight.js-9.13.1.tgz

Path to dependency file: cuddly-computing-machine/package.json

Path to vulnerable library: cuddly-computing-machine/node_modules/highlight.js/package.json

Dependency Hierarchy:

• addon-actions-5.3.13.tgz (Root Library)
  • components-5.3.13.tgz
    • react-syntax-highlighter-11.0.2.tgz
      • ❌ highlight.js-9.13.1.tgz (Vulnerable Library)

Vulnerability Details

If are you are using Highlight.js to highlight user-provided data you are possibly vulnerable. On the client-side (in a browser or Electron environment) risks could include lengthy freezes or crashes... On the server-side infinite freezes could occur... effectively preventing users from accessing your app or service (ie, Denial of Service). This is an issue with grammars shipped with the parser (and potentially 3rd party grammars also), not the parser itself. If you are using Highlight.js with any of the following grammars you are vulnerable. If you are using highlightAuto to detect the language (and have any of these grammars registered) you are vulnerable.

Publish Date: 2020-12-04

URL: WS-2020-0208

CVSS 3 Score Details (5.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: None
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://github.com/highlightjs/highlight.js/tree/10.4.1

Release Date: 2020-12-04

Fix Resolution: 10.4.1

Vulnerable Library - react-dev-utils-10.2.0.tgz

webpack utilities used by Create React App

Library home page: https://registry.npmjs.org/react-dev-utils/-/react-dev-utils-10.2.0.tgz

Path to dependency file: cuddly-computing-machine/package.json

Path to vulnerable library: cuddly-computing-machine/node_modules/react-dev-utils/package.json

Dependency Hierarchy:

• react-scripts-3.4.0.tgz (Root Library)
  • ❌ react-dev-utils-10.2.0.tgz (Vulnerable Library)

Vulnerability Details

react-dev-utils prior to v11.0.4 exposes a function, getProcessForPort, where an input argument is concatenated into a command string to be executed. This function is typically used from react-scripts (in Create React App projects), where the usage is safe. Only when this function is manually invoked with user-provided values (ie: by custom code) is there the potential for command injection. If you're consuming it from react-scripts then this issue does not affect you.

Publish Date: 2021-03-09

URL: CVE-2021-24033

CVSS 3 Score Details (5.6)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: https://www.facebook.com/security/advisories/cve-2021-24033

Release Date: 2021-03-09

Fix Resolution: react-dev-utils-11.0.4

Vulnerability Details

yargs-parser could be tricked into adding or modifying properties of Object.prototype using a "proto" payload.

Publish Date: 2020-03-16

URL: CVE-2020-7608

CVSS 3 Score Details (5.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Local
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: yargs/yargs-parser@63810ca

Release Date: 2020-06-05

Fix Resolution: 5.0.1;13.1.2;15.0.1;18.1.1

Vulnerable Library - axios-0.19.0.tgz

Promise based HTTP client for the browser and node.js

Library home page: https://registry.npmjs.org/axios/-/axios-0.19.0.tgz

Path to dependency file: cuddly-computing-machine/package.json

Path to vulnerable library: cuddly-computing-machine/node_modules/axios/package.json

Dependency Hierarchy:

• addon-actions-5.3.13.tgz (Root Library)
  • react-inspector-4.0.0.tgz
    • storybook-chromatic-2.2.2.tgz
      • localtunnel-1.10.1.tgz
        • ❌ axios-0.19.0.tgz (Vulnerable Library)

Vulnerability Details

axios is vulnerable to Inefficient Regular Expression Complexity

Publish Date: 2021-08-31

URL: CVE-2021-3749

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://github.com/axios/axios/releases/tag/v0.21.2

Release Date: 2021-08-31

Fix Resolution: axios - 0.21.2

Vulnerable Libraries - node-sass-4.13.1.tgz, opennmsopennms-source-22.0.1-1

Found in HEAD commit: a8d198c123b74b0d4aa91ab05be478b93203afaf

Vulnerability Details

In LibSass 3.5.5, a heap-based buffer over-read exists in Sass::Prelexer::alternatives in prelexer.hpp.

Publish Date: 2019-01-14

URL: CVE-2019-6284

CVSS 3 Score Details (6.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://github.com/sass/libsass/releases/tag/3.6.0

Release Date: 2020-08-24

Fix Resolution: libsass - 3.6.0

Vulnerable Libraries - node-sass-4.13.1.tgz, opennmsopennms-source-24.1.2-1

Found in HEAD commit: a8d198c123b74b0d4aa91ab05be478b93203afaf

Vulnerability Details

LibSass 3.6.1 has uncontrolled recursion in Sass::Eval::operator()(Sass::Binary_Expression*) in eval.cpp.

Publish Date: 2019-11-06

URL: CVE-2019-18797

CVSS 3 Score Details (6.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Vulnerable Library - jquery-1.7.1.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.7.1/jquery.min.js

Path to dependency file: cuddly-computing-machine/node_modules/sockjs/examples/hapi/html/index.html

Path to vulnerable library: cuddly-computing-machine/node_modules/sockjs/examples/hapi/html/index.html,cuddly-computing-machine/node_modules/sockjs/examples/echo/index.html,cuddly-computing-machine/node_modules/sockjs/examples/express-3.x/index.html,cuddly-computing-machine/node_modules/sockjs/examples/multiplex/index.html,cuddly-computing-machine/node_modules/sockjs/examples/express/index.html

Dependency Hierarchy:

• ❌ jquery-1.7.1.min.js (Vulnerable Library)

Found in HEAD commit: a8d198c123b74b0d4aa91ab05be478b93203afaf

Vulnerability Details

jQuery before 1.9.0 is vulnerable to Cross-site Scripting (XSS) attacks. The jQuery(strInput) function does not differentiate selectors from HTML in a reliable fashion. In vulnerable versions, jQuery determined whether the input was HTML by looking for the '<' character anywhere in the string, giving attackers more flexibility when attempting to construct a malicious payload. In fixed versions, jQuery only deems the input to be HTML if it explicitly starts with the '<' character, limiting exploitability only to attackers who can control the beginning of a string, which is far less common.

Publish Date: 2018-01-18

URL: CVE-2012-6708

CVSS 3 Score Details (6.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2012-6708

Release Date: 2018-01-18

Fix Resolution: jQuery - v1.9.0

Vulnerable Library - axios-0.19.0.tgz

Promise based HTTP client for the browser and node.js

Library home page: https://registry.npmjs.org/axios/-/axios-0.19.0.tgz

Path to dependency file: cuddly-computing-machine/package.json

Path to vulnerable library: cuddly-computing-machine/node_modules/axios/package.json

Dependency Hierarchy:

• addon-actions-5.3.13.tgz (Root Library)
  • react-inspector-4.0.0.tgz
    • storybook-chromatic-2.2.2.tgz
      • localtunnel-1.10.1.tgz
        • ❌ axios-0.19.0.tgz (Vulnerable Library)

Vulnerability Details

Axios NPM package 0.21.0 contains a Server-Side Request Forgery (SSRF) vulnerability where an attacker is able to bypass a proxy by providing a URL that responds with a redirect to a restricted host or IP address.

Publish Date: 2020-11-06

URL: CVE-2020-28168

CVSS 3 Score Details (5.9)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: None
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: axios/axios@c7329fe

Release Date: 2020-11-06

Fix Resolution: axios - 0.21.1

Vulnerability Details

Prism is vulnerable to Cross-Site Scripting. The easing preview of the Previewers plugin has an XSS vulnerability that allows attackers to execute arbitrary code in Safari and Internet Explorer. This impacts all Safari and Internet Explorer users of Prism >=v1.1.0 that use the Previewers plugin (>=v1.10.0) or the Previewer: Easing plugin (v1.1.0 to v1.9.0). This problem is fixed in version 1.21.0. To workaround the issue without upgrading, disable the easing preview on all impacted code blocks. You need Prism v1.10.0 or newer to apply this workaround.

Publish Date: 2020-08-07

URL: CVE-2020-15138

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: Low
  • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: https://github.com/PrismJS/prism/v1.21.0

Release Date: 2020-07-21

Fix Resolution: v1.21.0

Vulnerable Library - jquery-1.7.1.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.7.1/jquery.min.js

Path to dependency file: cuddly-computing-machine/node_modules/sockjs/examples/hapi/html/index.html

Path to vulnerable library: cuddly-computing-machine/node_modules/sockjs/examples/hapi/html/index.html,cuddly-computing-machine/node_modules/sockjs/examples/echo/index.html,cuddly-computing-machine/node_modules/sockjs/examples/express-3.x/index.html,cuddly-computing-machine/node_modules/sockjs/examples/multiplex/index.html,cuddly-computing-machine/node_modules/sockjs/examples/express/index.html

Dependency Hierarchy:

• ❌ jquery-1.7.1.min.js (Vulnerable Library)

Vulnerability Details

jquery prior to 1.9.0 allows Cross-site Scripting attacks via the load method. The load method fails to recognize and remove "<script>" HTML tags that contain a whitespace character, i.e: "</script >", which results in the enclosed script logic to be executed.

Publish Date: 2020-05-19

URL: CVE-2020-7656

CVSS 3 Score Details (6.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: GHSA-q4m3-2j7h-f7xw

Release Date: 2020-05-28

Fix Resolution: jquery - 1.9.0

Vulnerable Library - merge-deep-3.0.2.tgz

Recursively merge values in a javascript object.

Library home page: https://registry.npmjs.org/merge-deep/-/merge-deep-3.0.2.tgz

Path to dependency file: cuddly-computing-machine/package.json

Path to vulnerable library: cuddly-computing-machine/node_modules/merge-deep/package.json

Dependency Hierarchy:

• react-5.3.13.tgz (Root Library)
  • webpack-4.3.3.tgz
    • plugin-svgo-4.3.1.tgz
      • ❌ merge-deep-3.0.2.tgz (Vulnerable Library)

Vulnerability Details

The merge-deep library before 3.0.3 for Node.js can be tricked into overwriting properties of Object.prototype or adding new properties to it. These properties are then inherited by every object in the program, thus facilitating prototype-pollution attacks against applications using this library.

Publish Date: 2021-06-02

URL: CVE-2021-26707

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://bugzilla.redhat.com/show_bug.cgi?id=1922259

Release Date: 2021-02-05

Fix Resolution: 3.0.3

Vulnerable Library - sockjs-0.3.19.tgz

SockJS-node is a server counterpart of SockJS-client a JavaScript library that provides a WebSocket-like object in the browser. SockJS gives you a coherent, cross-browser, Javascript API which creates a low latency, full duplex, cross-domain communication

Library home page: https://registry.npmjs.org/sockjs/-/sockjs-0.3.19.tgz

Path to dependency file: cuddly-computing-machine/package.json

Path to vulnerable library: cuddly-computing-machine/node_modules/sockjs/package.json

Dependency Hierarchy:

• react-scripts-3.4.0.tgz (Root Library)
  • webpack-dev-server-3.10.2.tgz
    • ❌ sockjs-0.3.19.tgz (Vulnerable Library)

Vulnerability Details

Incorrect handling of Upgrade header with the value websocket leads in crashing of containers hosting sockjs apps. This affects the package sockjs before 0.3.20.

Publish Date: 2020-07-09

URL: CVE-2020-7693

CVSS 3 Score Details (5.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: sockjs/sockjs-node#265

Release Date: 2020-07-09

Fix Resolution: sockjs - 0.3.20

Vulnerable Library - elliptic-6.5.2.tgz

EC cryptography

Library home page: https://registry.npmjs.org/elliptic/-/elliptic-6.5.2.tgz

Path to dependency file: cuddly-computing-machine/package.json

Path to vulnerable library: cuddly-computing-machine/node_modules/elliptic/package.json

Dependency Hierarchy:

• react-5.3.13.tgz (Root Library)
  • webpack-4.41.5.tgz
    • node-libs-browser-2.2.1.tgz
      • crypto-browserify-3.12.0.tgz
        • browserify-sign-4.0.4.tgz
          • ❌ elliptic-6.5.2.tgz (Vulnerable Library)

Vulnerability Details

all versions of elliptic are vulnerable to Timing Attack through side-channels.

Publish Date: 2019-11-13

URL: WS-2019-0424

CVSS 3 Score Details (5.9)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Adjacent
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: High
  • Availability Impact: None

Vulnerability Details

An issue was discovered in LibSass through 3.5.4. An out-of-bounds read of a memory region was found in the function Sass::Prelexer::exactly() which could be leveraged by an attacker to disclose information or manipulated to read from unmapped memory causing a denial of service.

Publish Date: 2018-06-04

URL: CVE-2018-11697

CVSS 3 Score Details (8.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://github.com/sass/libsass/releases/tag/3.6.0

Release Date: 2018-06-04

Fix Resolution: libsass - 3.6.0

Vulnerable Libraries - node-sass-4.13.1.tgz, opennmsopennms-source-22.0.1-1

Found in HEAD commit: a8d198c123b74b0d4aa91ab05be478b93203afaf

Vulnerability Details

In LibSass 3.5.5, a heap-based buffer over-read exists in Sass::Prelexer::skip_over_scopes in prelexer.hpp when called from Sass::Parser::parse_import(), a similar issue to CVE-2018-11693.

Publish Date: 2019-01-14

URL: CVE-2019-6286

CVSS 3 Score Details (6.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://github.com/sass/libsass/releases/tag/3.6.0

Release Date: 2019-07-23

Fix Resolution: libsass - 3.6.0

Vulnerable Library - opennmsopennms-source-24.1.2-1

A Java based fault and performance management system

Library home page: https://sourceforge.net/projects/opennms/

Found in HEAD commit: a8d198c123b74b0d4aa91ab05be478b93203afaf

Library Source Files (12)

* The source files were matched to this source library based on a best effort match. Source libraries are selected from a list of probable public libraries.

• /cuddly-computing-machine/node_modules/node-sass/src/libsass/src/util.hpp
• /cuddly-computing-machine/node_modules/node-sass/src/libsass/src/cssize.cpp
• /cuddly-computing-machine/node_modules/node-sass/src/sass_context_wrapper.cpp
• /cuddly-computing-machine/node_modules/node-sass/src/libsass/src/functions.cpp
• /cuddly-computing-machine/node_modules/node-sass/src/libsass/src/expand.cpp
• /cuddly-computing-machine/node_modules/node-sass/src/libsass/src/prelexer.cpp
• /cuddly-computing-machine/node_modules/node-sass/src/callback_bridge.h
• /cuddly-computing-machine/node_modules/node-sass/src/libsass/src/sass.cpp
• /cuddly-computing-machine/node_modules/node-sass/src/sass_context_wrapper.h
• /cuddly-computing-machine/node_modules/node-sass/src/libsass/src/parser.hpp
• /cuddly-computing-machine/node_modules/node-sass/src/libsass/src/eval.cpp
• /cuddly-computing-machine/node_modules/node-sass/src/libsass/src/debugger.hpp

Vulnerability Details

An issue was discovered in LibSass through 3.5.2. A NULL pointer dereference was found in the function Sass::Expand::operator which could be leveraged by an attacker to cause a denial of service (application crash) or possibly have unspecified other impact.

Publish Date: 2018-06-04

URL: CVE-2018-11695

CVSS 3 Score Details (8.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11695

Release Date: 2018-06-04

Fix Resolution: 3.6.0

Vulnerability Details

acorn is vulnerable to REGEX DoS. A regex of the form /[x-\ud800]/u causes the parser to enter an infinite loop. attackers may leverage the vulnerability leading to a Denial of Service since the string is not valid UTF16 and it results in it being sanitized before reaching the parser.

Publish Date: 2020-03-01

URL: WS-2020-0042

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/1488

Release Date: 2020-03-08

Fix Resolution: 7.1.1

Vulnerable Library - opennmsopennms-source-22.0.1-1

A Java based fault and performance management system

Library home page: https://sourceforge.net/projects/opennms/

Found in HEAD commit: a8d198c123b74b0d4aa91ab05be478b93203afaf

Vulnerable Source Files (1)

cuddly-computing-machine/node_modules/node-sass/src/libsass/src/ast.hpp

Vulnerability Details

LibSass 3.5.4 allows attackers to cause a denial-of-service (uncontrolled recursion in Sass::Complex_Selector::perform in ast.hpp and Sass::Inspect::operator in inspect.cpp).

Publish Date: 2019-04-23

URL: CVE-2018-20822

CVSS 3 Score Details (6.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://github.com/sass/libsass/releases/tag/3.5.5

Release Date: 2019-04-23

Fix Resolution: libsass - 3.5.5;node-sass - 4.14.0

Vulnerable Libraries - node-sass-4.13.1.tgz, opennmsopennms-source-22.0.1-1

Found in HEAD commit: a8d198c123b74b0d4aa91ab05be478b93203afaf

Vulnerability Details

In LibSass prior to 3.5.5, functions inside ast.cpp for IMPLEMENT_AST_OPERATORS expansion allow attackers to cause a denial-of-service resulting from stack consumption via a crafted sass file, as demonstrated by recursive calls involving clone(), cloneChildren(), and copy().

Publish Date: 2018-12-04

URL: CVE-2018-19838

CVSS 3 Score Details (6.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://github.com/sass/libsass/releases/tag/3.5.5

Release Date: 2018-12-04

Fix Resolution: libsass - 3.5.5;node-sass - 4.14.0

Vulnerable Library - node-notifier-5.4.3.tgz

A Node.js module for sending notifications on native Mac, Windows (post and pre 8) and Linux (or Growl as fallback)

Library home page: https://registry.npmjs.org/node-notifier/-/node-notifier-5.4.3.tgz

Path to dependency file: cuddly-computing-machine/package.json

Path to vulnerable library: cuddly-computing-machine/node_modules/node-notifier/package.json

Dependency Hierarchy:

• react-scripts-3.4.0.tgz (Root Library)
  • jest-24.9.0.tgz
    • jest-cli-24.9.0.tgz
      • core-24.9.0.tgz
        • reporters-24.9.0.tgz
          • ❌ node-notifier-5.4.3.tgz (Vulnerable Library)

Vulnerability Details

This affects the package node-notifier before 9.0.0. It allows an attacker to run arbitrary commands on Linux machines due to the options params not being sanitised when being passed an array.

Publish Date: 2020-12-11

URL: CVE-2020-7789

CVSS 3 Score Details (5.6)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7789

Release Date: 2020-12-11

Fix Resolution: 9.0.0

Vulnerable Libraries - node-sass-4.13.1.tgz, opennmsopennms-source-22.0.1-1

Found in HEAD commit: a8d198c123b74b0d4aa91ab05be478b93203afaf

Vulnerability Details

An issue was discovered in LibSass through 3.5.4. An out-of-bounds read of a memory region was found in the function Sass::handle_error which could be leveraged by an attacker to disclose information or manipulated to read from unmapped memory causing a denial of service.

Publish Date: 2018-06-04

URL: CVE-2018-11698

CVSS 3 Score Details (8.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://github.com/sass/libsass/releases/tag/3.5.5

Release Date: 2018-06-04

Fix Resolution: libsass - 3.5.5;node-sass - 4.14.0

Vulnerable Libraries - node-sass-4.13.1.tgz, opennmsopennms-source-22.0.1-1

Found in HEAD commit: a8d198c123b74b0d4aa91ab05be478b93203afaf

Vulnerability Details

In LibSass 3.5.5, a heap-based buffer over-read exists in Sass::Prelexer::parenthese_scope in prelexer.hpp.

Publish Date: 2019-01-14

URL: CVE-2019-6283

CVSS 3 Score Details (6.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://github.com/sass/libsass/releases/tag/3.6.0

Release Date: 2020-08-24

Fix Resolution: libsass - 3.6.0

Vulnerability Details

minimist before 1.2.2 could be tricked into adding or modifying properties of Object.prototype using a "constructor" or "proto" payload.

Publish Date: 2020-03-11

URL: CVE-2020-7598

CVSS 3 Score Details (5.6)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: https://github.com/substack/minimist/commit/63e7ed05aa4b1889ec2f3b196426db4500cbda94

Release Date: 2020-03-11

Fix Resolution: minimist - 0.2.1,1.2.3

Vulnerable Libraries - jquery-1.9.0.min.js, jquery-1.11.3.js, jquery-2.1.4.min.js, jquery-1.7.1.min.js

Found in HEAD commit: a8d198c123b74b0d4aa91ab05be478b93203afaf

Vulnerability Details

jQuery before 3.0.0 is vulnerable to Cross-site Scripting (XSS) attacks when a cross-domain Ajax request is performed without the dataType option, causing text/javascript responses to be executed.

Publish Date: 2018-01-18

URL: CVE-2015-9251

CVSS 3 Score Details (6.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2015-9251

Release Date: 2018-01-18

Fix Resolution: jQuery - v3.0.0

Vulnerable Libraries - jquery-1.9.0.min.js, jquery-1.11.3.js, jquery-2.1.4.min.js, jquery-1.7.1.min.js

Found in HEAD commit: a8d198c123b74b0d4aa91ab05be478b93203afaf

Vulnerability Details

JQuery, before 2.2.0, is vulnerable to Cross-site Scripting (XSS) attacks via text/javascript response with arbitrary code execution.

Publish Date: 2016-11-27

URL: WS-2016-0090

CVSS 2 Score Details (4.3)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: jquery/jquery@b078a62

Release Date: 2019-04-08

Fix Resolution: 2.2.0

Vulnerable Library - node-sass-4.13.1.tgz

Wrapper around libsass

Library home page: https://registry.npmjs.org/node-sass/-/node-sass-4.13.1.tgz

Path to dependency file: cuddly-computing-machine/package.json

Path to vulnerable library: cuddly-computing-machine/node_modules/node-sass/package.json

Dependency Hierarchy:

• ❌ node-sass-4.13.1.tgz (Vulnerable Library)

Vulnerability Details

Certificate validation in node-sass 2.0.0 to 4.14.1 is disabled when requesting binaries even if the user is not specifying an alternative download path.

Publish Date: 2021-01-11

URL: CVE-2020-24025

CVSS 3 Score Details (5.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: Low
  • Availability Impact: None

Vulnerability Details

The package prismjs before 1.23.0 are vulnerable to Regular Expression Denial of Service (ReDoS) via the prism-asciidoc, prism-rest, prism-tap and prism-eiffel components.

Publish Date: 2021-02-18

URL: CVE-2021-23341

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23341

Release Date: 2021-02-18

Fix Resolution: 1.23.0

Vulnerable Library - node-sassv4.13.1

🌈 Node.js bindings to libsass

Library home page: https://github.com/sass/node-sass.git

Found in HEAD commit: a8d198c123b74b0d4aa91ab05be478b93203afaf

Library Source Files (5)

* The source files were matched to this source library based on a best effort match. Source libraries are selected from a list of probable public libraries.

• /cuddly-computing-machine/node_modules/node-sass/src/binding.cpp
• /cuddly-computing-machine/node_modules/node-sass/src/libsass/src/inspect.cpp
• /cuddly-computing-machine/node_modules/node-sass/src/libsass/src/operators.cpp
• /cuddly-computing-machine/node_modules/node-sass/src/custom_importer_bridge.cpp
• /cuddly-computing-machine/node_modules/node-sass/src/libsass/src/parser.cpp

Vulnerability Details

** DISPUTED ** In inspect.cpp in LibSass 3.5.5, a high memory footprint caused by an endless loop (containing a Sass::Inspect::operator()(Sass::String_Quoted*) stack frame) may cause a Denial of Service via crafted sass input files with stray '&' or '/' characters. NOTE: Upstream comments indicate this issue is closed as "won't fix" and "works as intended" by design.

Publish Date: 2018-12-03

URL: CVE-2018-19826

CVSS 3 Score Details (6.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Change files

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19826

Release Date: 2019-09-01

Fix Resolution: Replace or update the following file: LibSass - 3.6.0

Vulnerable Libraries - jquery-1.11.3.js, jquery-2.1.4.min.js

Found in HEAD commit: a8d198c123b74b0d4aa91ab05be478b93203afaf

Vulnerability Details

jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. If an unsanitized source object contained an enumerable proto property, it could extend the native Object.prototype.

Publish Date: 2019-04-20

URL: CVE-2019-11358

CVSS 3 Score Details (6.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11358

Release Date: 2019-04-20

Fix Resolution: 3.4.0

Vulnerable Library - elliptic-6.5.2.tgz

EC cryptography

Library home page: https://registry.npmjs.org/elliptic/-/elliptic-6.5.2.tgz

Path to dependency file: cuddly-computing-machine/package.json

Path to vulnerable library: cuddly-computing-machine/node_modules/elliptic/package.json

Dependency Hierarchy:

• react-5.3.13.tgz (Root Library)
  • webpack-4.41.5.tgz
    • node-libs-browser-2.2.1.tgz
      • crypto-browserify-3.12.0.tgz
        • browserify-sign-4.0.4.tgz
          • ❌ elliptic-6.5.2.tgz (Vulnerable Library)

Vulnerability Details

The package elliptic before 6.5.4 are vulnerable to Cryptographic Issues via the secp256k1 implementation in elliptic/ec/key.js. There is no check to confirm that the public key point passed into the derive function actually exists on the secp256k1 curve. This results in the potential for the private key used in this implementation to be revealed after a number of ECDH operations are performed.

Publish Date: 2021-02-02

URL: CVE-2020-28498

CVSS 3 Score Details (6.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: None
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28498

Release Date: 2021-02-02

Fix Resolution: v6.5.4

Vulnerable Library - markdown-to-jsx-6.11.0.tgz

Convert markdown to JSX with ease for React and React-like projects. Super lightweight and highly configurable.

Library home page: https://registry.npmjs.org/markdown-to-jsx/-/markdown-to-jsx-6.11.0.tgz

Path to dependency file: cuddly-computing-machine/package.json

Path to vulnerable library: cuddly-computing-machine/node_modules/markdown-to-jsx/package.json

Dependency Hierarchy:

• addon-actions-5.3.13.tgz (Root Library)
  • components-5.3.13.tgz
    • ❌ markdown-to-jsx-6.11.0.tgz (Vulnerable Library)

Vulnerability Details

Versions of markdown-to-jsx prior to 6.11.4 are vulnerable to Cross-Site Scripting. Due to insufficient input sanitization the package may render output containing malicious JavaScript. This vulnerability can be exploited through input of links containing data or VBScript URIs and a base64-encoded payload.

Publish Date: 2020-05-20

URL: WS-2020-0103

CVSS 3 Score Details (6.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://github.com/probablyup/markdown-to-jsx/tree/6.11.4

Release Date: 2020-05-31

Fix Resolution: 6.11.4

Vulnerability Details

In jQuery versions greater than or equal to 1.0.3 and before 3.5.0, passing HTML containing elements from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.

Publish Date: 2020-04-29

URL: CVE-2020-11023

CVSS 3 Score Details (6.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://github.com/jquery/jquery/security/advisories/GHSA-jpcq-cgw6-v4j6,https://github.com/rails/jquery-rails/blob/master/CHANGELOG.md#440

Release Date: 2020-04-29

Fix Resolution: jquery - 3.5.0;jquery-rails - 4.4.0

Vulnerability Details

The package browserslist from 4.0.0 and before 4.16.5 are vulnerable to Regular Expression Denial of Service (ReDoS) during parsing of queries.

Publish Date: 2021-04-28

URL: CVE-2021-23364

CVSS 3 Score Details (5.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23364

Release Date: 2021-04-28

Fix Resolution: browserslist - 4.16.5

Vulnerability Details

In LibSass 3.5.5, a use-after-free vulnerability exists in the SharedPtr class in SharedPtr.cpp (or SharedPtr.hpp) that may cause a denial of service (application crash) or possibly have unspecified other impact.

Publish Date: 2018-12-03

URL: CVE-2018-19827

CVSS 3 Score Details (8.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://github.com/sass/libsass/releases/tag/3.6.0

Release Date: 2018-12-03

Fix Resolution: libsass - 3.6.0

Vulnerability Details

In jQuery versions greater than or equal to 1.2 and before 3.5.0, passing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.

Publish Date: 2020-04-29

URL: CVE-2020-11022

CVSS 3 Score Details (6.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/

Release Date: 2020-04-29

Fix Resolution: jQuery - 3.5.0

Vulnerability Details

Prism is a syntax highlighting library. Some languages before 1.24.0 are vulnerable to Regular Expression Denial of Service (ReDoS). When Prism is used to highlight untrusted (user-given) text, an attacker can craft a string that will take a very very long time to highlight. This problem has been fixed in Prism v1.24. As a workaround, do not use ASCIIDoc or ERB to highlight untrusted text. Other languages are not affected and can be used to highlight untrusted text.

Publish Date: 2021-06-28

URL: CVE-2021-32723

CVSS 3 Score Details (6.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-gj77-59wh-66hg

Release Date: 2021-06-28

Fix Resolution: prismjs - 1.24.0

Vulnerability Details

A use-after-free vulnerability exists in handle_error() in sass_context.cpp in LibSass 3.4.x and 3.5.x through 3.5.4 that could be leveraged to cause a denial of service (application crash) or possibly unspecified other impact.

Publish Date: 2018-05-26

URL: CVE-2018-11499

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://github.com/sass/libsass/releases/tag/3.6.0

Release Date: 2018-05-26

Fix Resolution: libsass - 3.6.0

Vulnerable Library - node-sass-4.13.1.tgz

Wrapper around libsass

Library home page: https://registry.npmjs.org/node-sass/-/node-sass-4.13.1.tgz

Path to dependency file: cuddly-computing-machine/package.json

Path to vulnerable library: cuddly-computing-machine/node_modules/node-sass/package.json

Dependency Hierarchy:

• ❌ node-sass-4.13.1.tgz (Vulnerable Library)

Vulnerability Details

In LibSass prior to 3.5.5, Sass::Eval::operator()(Sass::Binary_Expression*) inside eval.cpp allows attackers to cause a denial-of-service resulting from stack consumption via a crafted sass file, because of certain incorrect parsing of '%' as a modulo operator in parser.cpp.

Publish Date: 2018-12-04

URL: CVE-2018-19837

CVSS 3 Score Details (6.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://github.com/sass/libsass/releases/tag/3.5.5

Release Date: 2018-12-04

Fix Resolution: libsass - 3.5.5;node-sass - 4.14.0

Vulnerable Library - http-proxy-1.18.0.tgz

HTTP proxying for the masses

Library home page: https://registry.npmjs.org/http-proxy/-/http-proxy-1.18.0.tgz

Path to dependency file: cuddly-computing-machine/package.json

Path to vulnerable library: cuddly-computing-machine/node_modules/http-proxy/package.json

Dependency Hierarchy:

• react-scripts-3.4.0.tgz (Root Library)
  • webpack-dev-server-3.10.2.tgz
    • http-proxy-middleware-0.19.1.tgz
      • ❌ http-proxy-1.18.0.tgz (Vulnerable Library)

Vulnerability Details

Versions of http-proxy prior to 1.18.1 are vulnerable to Denial of Service. An HTTP request with a long body triggers an ERR_HTTP_HEADERS_SENT unhandled exception that crashes the proxy server. This is only possible when the proxy server sets headers in the proxy request using the proxyReq.setHeader function.

Publish Date: 2020-05-14

URL: WS-2020-0091

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/1486

Release Date: 2020-05-26

Fix Resolution: http-proxy - 1.18.1

Vulnerability Details

prism is vulnerable to Inefficient Regular Expression Complexity

Publish Date: 2021-09-15

URL: CVE-2021-3801

CVSS 3 Score Details (5.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: N/A
  • Attack Complexity: N/A
  • Privileges Required: N/A
  • User Interaction: N/A
  • Scope: N/A
• Impact Metrics:
  • Confidentiality Impact: N/A
  • Integrity Impact: N/A
  • Availability Impact: N/A

Vulnerable Library - serialize-javascript-2.1.2.tgz

Serialize JavaScript to a superset of JSON that includes regular expressions and functions.

Library home page: https://registry.npmjs.org/serialize-javascript/-/serialize-javascript-2.1.2.tgz

Path to dependency file: cuddly-computing-machine/package.json

Path to vulnerable library: cuddly-computing-machine/node_modules/serialize-javascript/package.json

Dependency Hierarchy:

• react-scripts-3.4.0.tgz (Root Library)
  • terser-webpack-plugin-2.3.4.tgz
    • ❌ serialize-javascript-2.1.2.tgz (Vulnerable Library)

Vulnerability Details

serialize-javascript prior to 3.1.0 allows remote attackers to inject arbitrary code via the function "deleteFunctions" within "index.js".

Publish Date: 2020-06-01

URL: CVE-2020-7660

CVSS 3 Score Details (8.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7660

Release Date: 2020-06-01

Fix Resolution: serialize-javascript - 3.1.0

Vulnerability Details

In LibSass 3.5.5, a NULL Pointer Dereference in the function Sass::Eval::operator()(Sass::Supports_Operator*) in eval.cpp may cause a Denial of Service (application crash) via a crafted sass input file.

Publish Date: 2018-12-17

URL: CVE-2018-20190

CVSS 3 Score Details (6.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://github.com/sass/libsass/releases/tag/3.6.0

Release Date: 2018-12-17

Fix Resolution: libsass - 3.6.0