Vulnerable Library - sqlite3-5.1.7.tgz

Path to dependency file: /BUT2/Codes/S3/R3.01/TP3/sport-track-db/express_webapp/package.json

Path to vulnerable library: /BUT2/Codes/S3/R3.01/TP3/sport-track-db/package.json,/BUT2/Codes/S3/R3.01/TP3/sport-track-db/express_webapp/package.json

Found in HEAD commit: b85d529ab67936920b3cba059f835857c987df1d

CVE-2023-42282

Vulnerable Library - ip-2.0.0.tgz

[](https://www.npmjs.com/package/ip)

Library home page: https://registry.npmjs.org/ip/-/ip-2.0.0.tgz

Path to dependency file: /BUT2/Codes/S3/R3.01/TP3/sport-track-db/package.json

Path to vulnerable library: /BUT2/Codes/S3/R3.01/TP3/sport-track-db/package.json,/BUT2/Codes/S3/R3.01/TP3/sport-track-db/express_webapp/package.json

Dependency Hierarchy:

• sqlite3-5.1.7.tgz (Root Library)
  • node-gyp-8.4.1.tgz
    • make-fetch-happen-9.1.0.tgz
      • socks-proxy-agent-6.2.1.tgz
        • socks-2.7.1.tgz
          • ❌ ip-2.0.0.tgz (Vulnerable Library)

Found in HEAD commit: b85d529ab67936920b3cba059f835857c987df1d

Found in base branch: master

Vulnerability Details

The ip package before 1.1.9 for Node.js might allow SSRF because some IP addresses (such as 0x7f.1) are improperly categorized as globally routable via isPublic.

Publish Date: 2024-02-08

URL: CVE-2023-42282

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-78xj-cgh5-2h22

Release Date: 2024-02-08

Fix Resolution: ip - 1.1.9,2.0.1

Step up your Open Source Security Game with Mend here

Vulnerable Library - jade-1.11.0.tgz

Path to dependency file: /BUT2/Codes/S3/R3.01/TP3/sport-track-db/express_webapp/package.json

Path to vulnerable library: /BUT2/Codes/S3/R3.01/TP3/sport-track-db/express_webapp/package.json

Found in HEAD commit: b85d529ab67936920b3cba059f835857c987df1d

WS-2019-0217

Vulnerable Library - constantinople-3.0.2.tgz

Determine whether a JavaScript expression evaluates to a constant (using UglifyJS)

Library home page: https://registry.npmjs.org/constantinople/-/constantinople-3.0.2.tgz

Path to dependency file: /BUT2/Codes/S3/R3.01/TP3/sport-track-db/express_webapp/package.json

Path to vulnerable library: /BUT2/Codes/S3/R3.01/TP3/sport-track-db/express_webapp/package.json

Dependency Hierarchy:

• jade-1.11.0.tgz (Root Library)
  • ❌ constantinople-3.0.2.tgz (Vulnerable Library)

Found in HEAD commit: b85d529ab67936920b3cba059f835857c987df1d

Found in base branch: master

Vulnerability Details

constantinople before 3.1.1 affected by a sandbox bypass.

Publish Date: 2018-02-09

URL: WS-2019-0217

CVSS 3 Score Details (10.0)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/568

Release Date: 2018-02-09

Fix Resolution: 3.1.1

Step up your Open Source Security Game with Mend here

WS-2018-0068

Vulnerable Library - constantinople-3.0.2.tgz

Determine whether a JavaScript expression evaluates to a constant (using UglifyJS)

Library home page: https://registry.npmjs.org/constantinople/-/constantinople-3.0.2.tgz

Path to dependency file: /BUT2/Codes/S3/R3.01/TP3/sport-track-db/express_webapp/package.json

Path to vulnerable library: /BUT2/Codes/S3/R3.01/TP3/sport-track-db/express_webapp/package.json

Dependency Hierarchy:

• jade-1.11.0.tgz (Root Library)
  • ❌ constantinople-3.0.2.tgz (Vulnerable Library)

Found in HEAD commit: b85d529ab67936920b3cba059f835857c987df1d

Found in base branch: master

Vulnerability Details

Versions of constantinople prior to 3.1.1 are vulnerable to a sandbox bypass which can lead to arbitrary code execution.

Publish Date: 2018-04-21

URL: WS-2018-0068

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://nodesecurity.io/advisories/568

Release Date: 2018-01-24

Fix Resolution: 3.1.1

Step up your Open Source Security Game with Mend here

CVE-2015-8857

Vulnerable Library - uglify-js-2.2.5.tgz

JavaScript parser, mangler/compressor and beautifier toolkit

Library home page: https://registry.npmjs.org/uglify-js/-/uglify-js-2.2.5.tgz

Path to dependency file: /BUT2/Codes/S3/R3.01/TP3/sport-track-db/express_webapp/package.json

Path to vulnerable library: /BUT2/Codes/S3/R3.01/TP3/sport-track-db/express_webapp/package.json

Dependency Hierarchy:

• jade-1.11.0.tgz (Root Library)
  • transformers-2.1.0.tgz
    • ❌ uglify-js-2.2.5.tgz (Vulnerable Library)

Found in HEAD commit: b85d529ab67936920b3cba059f835857c987df1d

Found in base branch: master

Vulnerability Details

The uglify-js package before 2.4.24 for Node.js does not properly account for non-boolean values when rewriting boolean expressions, which might allow attackers to bypass security mechanisms or possibly have unspecified other impact by leveraging improperly rewritten Javascript.

Publish Date: 2017-01-23

URL: CVE-2015-8857

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8858

Release Date: 2017-01-23

Fix Resolution: v2.4.24

Step up your Open Source Security Game with Mend here

CVE-2015-8858

Vulnerable Library - uglify-js-2.2.5.tgz

JavaScript parser, mangler/compressor and beautifier toolkit

Library home page: https://registry.npmjs.org/uglify-js/-/uglify-js-2.2.5.tgz

Path to dependency file: /BUT2/Codes/S3/R3.01/TP3/sport-track-db/express_webapp/package.json

Path to vulnerable library: /BUT2/Codes/S3/R3.01/TP3/sport-track-db/express_webapp/package.json

Dependency Hierarchy:

• jade-1.11.0.tgz (Root Library)
  • transformers-2.1.0.tgz
    • ❌ uglify-js-2.2.5.tgz (Vulnerable Library)

Found in HEAD commit: b85d529ab67936920b3cba059f835857c987df1d

Found in base branch: master

Vulnerability Details

The uglify-js package before 2.6.0 for Node.js allows attackers to cause a denial of service (CPU consumption) via crafted input in a parse call, aka a "regular expression denial of service (ReDoS)."

Publish Date: 2017-01-23

URL: CVE-2015-8858

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8858

Release Date: 2017-01-23

Fix Resolution: v2.6.0

Step up your Open Source Security Game with Mend here

WS-2019-0017

Vulnerable Library - clean-css-3.4.28.tgz

A well-tested CSS minifier

Library home page: https://registry.npmjs.org/clean-css/-/clean-css-3.4.28.tgz

Path to dependency file: /BUT2/Codes/S3/R3.01/TP3/sport-track-db/express_webapp/package.json

Path to vulnerable library: /BUT2/Codes/S3/R3.01/TP3/sport-track-db/express_webapp/package.json

Dependency Hierarchy:

• jade-1.11.0.tgz (Root Library)
  • ❌ clean-css-3.4.28.tgz (Vulnerable Library)

Found in HEAD commit: b85d529ab67936920b3cba059f835857c987df1d

Found in base branch: master

Vulnerability Details

Version of clean-css prior to 4.1.11 are vulnerable to Regular Expression Denial of Service (ReDoS). Untrusted input may cause catastrophic backtracking while matching regular expressions. This can cause the application to be unresponsive leading to Denial of Service.

Publish Date: 2018-03-06

URL: WS-2019-0017

CVSS 3 Score Details (5.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: GHSA-wxhq-pm8v-cw75

Release Date: 2018-03-06

Fix Resolution: clean-css - 4.1.11

Step up your Open Source Security Game with Mend here

Vulnerable Library - python-3.12.0-h8edadfe_0.tar.bz2

General purpose programming language

Library home page: https://api.anaconda.org/download/main/python/3.12.0/linux-aarch64/python-3.12.0-h8edadfe_0.tar.bz2

Path to dependency file: /BUT1/Moodle/S2/R2.08/pythondatascientist/environment.yml

Path to vulnerable library: /home/wss-scanner/miniconda3/pkgs/python-3.12.0-hab00c5b_0_cpython.conda

Found in HEAD commit: b85d529ab67936920b3cba059f835857c987df1d

CVE-2023-6597

Vulnerable Library - python-3.12.0-h8edadfe_0.tar.bz2

General purpose programming language

Library home page: https://api.anaconda.org/download/main/python/3.12.0/linux-aarch64/python-3.12.0-h8edadfe_0.tar.bz2

Path to dependency file: /BUT1/Moodle/S2/R2.08/pythondatascientist/environment.yml

Path to vulnerable library: /home/wss-scanner/miniconda3/pkgs/python-3.12.0-hab00c5b_0_cpython.conda

Dependency Hierarchy:

• ❌ python-3.12.0-h8edadfe_0.tar.bz2 (Vulnerable Library)

Found in HEAD commit: b85d529ab67936920b3cba059f835857c987df1d

Found in base branch: master

Vulnerability Details

An issue was found in the CPython tempfile.TemporaryDirectory class affecting versions 3.12.1, 3.11.7, 3.10.13, 3.9.18, and 3.8.18 and prior.

The tempfile.TemporaryDirectory class would dereference symlinks during cleanup of permissions-related errors. This means users which can run privileged programs are potentially able to modify permissions of files referenced by symlinks in some circumstances.

Publish Date: 2024-03-19

URL: CVE-2023-6597

CVSS 3 Score Details (7.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Local
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: GHSA-797f-63wg-8chv

Release Date: 2024-03-19

Fix Resolution: v3.8.19,v3.9.19,v3.11.8,v3.12.1

Step up your Open Source Security Game with Mend here

Vulnerable Library - express-generator-4.16.1.tgz

Path to dependency file: /BUT2/Codes/S3/R3.01/TP3/sport-track-db/package.json

Path to vulnerable library: /BUT2/Codes/S3/R3.01/TP3/sport-track-db/package.json

Found in HEAD commit: b85d529ab67936920b3cba059f835857c987df1d

WS-2021-0153

Vulnerable Library - ejs-2.6.1.tgz

Embedded JavaScript templates

Library home page: https://registry.npmjs.org/ejs/-/ejs-2.6.1.tgz

Path to dependency file: /BUT2/Codes/S3/R3.01/TP3/sport-track-db/package.json

Path to vulnerable library: /BUT2/Codes/S3/R3.01/TP3/sport-track-db/package.json

Dependency Hierarchy:

• express-generator-4.16.1.tgz (Root Library)
  • ❌ ejs-2.6.1.tgz (Vulnerable Library)

Found in HEAD commit: b85d529ab67936920b3cba059f835857c987df1d

Found in base branch: master

Vulnerability Details

Arbitrary Code Injection vulnerability was found in ejs before 3.1.6. Caused by filename which isn't sanitized for display.

Publish Date: 2021-01-22

URL: WS-2021-0153

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Release Date: 2021-01-22

Fix Resolution: ejs - 3.1.6

Step up your Open Source Security Game with Mend here

CVE-2022-29078

Vulnerable Library - ejs-2.6.1.tgz

Embedded JavaScript templates

Library home page: https://registry.npmjs.org/ejs/-/ejs-2.6.1.tgz

Path to dependency file: /BUT2/Codes/S3/R3.01/TP3/sport-track-db/package.json

Path to vulnerable library: /BUT2/Codes/S3/R3.01/TP3/sport-track-db/package.json

Dependency Hierarchy:

• express-generator-4.16.1.tgz (Root Library)
  • ❌ ejs-2.6.1.tgz (Vulnerable Library)

Found in HEAD commit: b85d529ab67936920b3cba059f835857c987df1d

Found in base branch: master

Vulnerability Details

The ejs (aka Embedded JavaScript templates) package 3.1.6 for Node.js allows server-side template injection in settings[view options][outputFunctionName]. This is parsed as an internal option, and overwrites the outputFunctionName option with an arbitrary OS command (which is executed upon template compilation).

Publish Date: 2022-04-25

URL: CVE-2022-29078

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29078~

Release Date: 2022-04-25

Fix Resolution: ejs - v3.1.7

Step up your Open Source Security Game with Mend here

CVE-2021-44906

Vulnerable Library - minimist-0.0.8.tgz

parse argument options

Library home page: https://registry.npmjs.org/minimist/-/minimist-0.0.8.tgz

Path to dependency file: /BUT2/Codes/S3/R3.01/TP3/sport-track-db/package.json

Path to vulnerable library: /BUT2/Codes/S3/R3.01/TP3/sport-track-db/package.json

Dependency Hierarchy:

• express-generator-4.16.1.tgz (Root Library)
  • mkdirp-0.5.1.tgz
    • ❌ minimist-0.0.8.tgz (Vulnerable Library)

Found in HEAD commit: b85d529ab67936920b3cba059f835857c987df1d

Found in base branch: master

Vulnerability Details

Minimist <=1.2.5 is vulnerable to Prototype Pollution via file index.js, function setKey() (lines 69-95).

Publish Date: 2022-03-17

URL: CVE-2021-44906

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-xvch-5gv4-984h

Release Date: 2022-03-17

Fix Resolution: minimist - 0.2.4,1.2.6

Step up your Open Source Security Game with Mend here

CVE-2022-3517

Vulnerable Library - minimatch-3.0.4.tgz

a glob matcher in javascript

Library home page: https://registry.npmjs.org/minimatch/-/minimatch-3.0.4.tgz

Path to dependency file: /BUT2/Codes/S3/R3.01/TP3/sport-track-db/package.json

Path to vulnerable library: /BUT2/Codes/S3/R3.01/TP3/sport-track-db/package.json

Dependency Hierarchy:

• express-generator-4.16.1.tgz (Root Library)
  • ❌ minimatch-3.0.4.tgz (Vulnerable Library)

Found in HEAD commit: b85d529ab67936920b3cba059f835857c987df1d

Found in base branch: master

Vulnerability Details

A vulnerability was found in the minimatch package. This flaw allows a Regular Expression Denial of Service (ReDoS) when calling the braceExpand function with specific arguments, resulting in a Denial of Service.

Publish Date: 2022-10-17

URL: CVE-2022-3517

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Release Date: 2022-10-17

Fix Resolution: minimatch - 3.0.5

Step up your Open Source Security Game with Mend here

CVE-2020-7598

Vulnerable Library - minimist-0.0.8.tgz

parse argument options

Library home page: https://registry.npmjs.org/minimist/-/minimist-0.0.8.tgz

Path to dependency file: /BUT2/Codes/S3/R3.01/TP3/sport-track-db/package.json

Path to vulnerable library: /BUT2/Codes/S3/R3.01/TP3/sport-track-db/package.json

Dependency Hierarchy:

• express-generator-4.16.1.tgz (Root Library)
  • mkdirp-0.5.1.tgz
    • ❌ minimist-0.0.8.tgz (Vulnerable Library)

Found in HEAD commit: b85d529ab67936920b3cba059f835857c987df1d

Found in base branch: master

Vulnerability Details

minimist before 1.2.2 could be tricked into adding or modifying properties of Object.prototype using a "constructor" or "proto" payload.

Publish Date: 2020-03-11

URL: CVE-2020-7598

CVSS 3 Score Details (5.6)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Release Date: 2020-03-11

Fix Resolution: minimist - 0.2.1,1.2.3

Step up your Open Source Security Game with Mend here

Vulnerable Library - express-4.16.4.tgz

Found in HEAD commit: 68fd2052d0efc0a5cca85867e764d93cc98974bc

CVE-2022-24999

Vulnerable Library - qs-6.5.2.tgz

A querystring parser that supports nesting and arrays, with a depth limit

Library home page: https://registry.npmjs.org/qs/-/qs-6.5.2.tgz

Dependency Hierarchy:

• express-4.16.4.tgz (Root Library)
  • ❌ qs-6.5.2.tgz (Vulnerable Library)

Found in HEAD commit: 68fd2052d0efc0a5cca85867e764d93cc98974bc

Found in base branch: master

Vulnerability Details

qs before 6.10.3, as used in Express before 4.17.3 and other products, allows attackers to cause a Node process hang for an Express application because an __ proto__ key can be used. In many typical Express use cases, an unauthenticated remote attacker can place the attack payload in the query string of the URL that is used to visit the application, such as a[proto]=b&a[proto]&a[length]=100000000. The fix was backported to qs 6.9.7, 6.8.3, 6.7.3, 6.6.1, 6.5.3, 6.4.1, 6.3.3, and 6.2.4 (and therefore Express 4.17.3, which has "deps: [email protected]" in its release description, is not vulnerable).

Publish Date: 2022-11-26

URL: CVE-2022-24999

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2022-24999

Release Date: 2022-11-26

Fix Resolution (qs): 6.5.3

Direct dependency fix Resolution (express): 4.17.0

Step up your Open Source Security Game with Mend here

Vulnerable Library - jekyll-4.2.0.gem

Path to dependency file: /BUT2/Moodle/S4/Parcours A/R4.A.13/cs231n.github.io - Convolutional Neural Networks for Visual Recognition - Stanford/Gemfile.lock

Path to vulnerable library: /home/wss-scanner/.gem/ruby/3.2.0/cache/addressable-2.7.0.gem

Found in HEAD commit: b85d529ab67936920b3cba059f835857c987df1d

CVE-2021-32740

Vulnerable Library - addressable-2.7.0.gem

Addressable is an alternative implementation to the URI implementation that is part of Ruby's standard library. It is flexible, offers heuristic parsing, and additionally provides extensive support for IRIs and URI templates.

Library home page: https://rubygems.org/gems/addressable-2.7.0.gem

Path to dependency file: /BUT2/Moodle/S4/Parcours A/R4.A.13/cs231n.github.io - Convolutional Neural Networks for Visual Recognition - Stanford/Gemfile.lock

Path to vulnerable library: /home/wss-scanner/.gem/ruby/3.2.0/cache/addressable-2.7.0.gem

Dependency Hierarchy:

• jekyll-4.2.0.gem (Root Library)
  • ❌ addressable-2.7.0.gem (Vulnerable Library)

Found in HEAD commit: b85d529ab67936920b3cba059f835857c987df1d

Found in base branch: master

Vulnerability Details

Addressable is an alternative implementation to the URI implementation that is part of Ruby's standard library. An uncontrolled resource consumption vulnerability exists after version 2.3.0 through version 2.7.0. Within the URI template implementation in Addressable, a maliciously crafted template may result in uncontrolled resource consumption, leading to denial of service when matched against a URI. In typical usage, templates would not normally be read from untrusted user input, but nonetheless, no previous security advisory for Addressable has cautioned against doing this. Users of the parsing capabilities in Addressable but not the URI template capabilities are unaffected. The vulnerability is patched in version 2.8.0. As a workaround, only create Template objects from trusted sources that have been validated not to produce catastrophic backtracking.

Publish Date: 2021-07-06

URL: CVE-2021-32740

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-jxhc-q857-3j6g

Release Date: 2021-07-06

Fix Resolution: addressable - 2.8.0

Step up your Open Source Security Game with Mend here

BUT2/Moodle/S4/Parcours A/R4.A.13/cs231n.github.io - Convolutional Neural Networks for Visual Recognition - Stanford/Gemfile

• jekyll undefined

BUT2/Moodle/S4/R4.02/rhtest/apps/docker-compose-monitoring.yml

• grafana/grafana-oss 9.3.2
• prom/prometheus v2.41.0

BUT2/Moodle/S4/R4.02/rhtest/apps/docker-compose-rhtest.yml

BUT2/Moodle/S4/R4.02/rhtest/apps/monitoring/noise/Dockerfile

• alpine 3.17.1

BUT2/Moodle/S4/R4.02/rhtest/apps/rhapi/Dockerfile

• node 18
• node 18
• node 18

BUT2/Moodle/S4/R4.02/rhtest/apps/rhfront/Dockerfile

.github/workflows/codeql.yml

• actions/checkout v4
• github/codeql-action v3
• github/codeql-action v3
• github/codeql-action v3

BUT2/Moodle/S4/R4.02/tdd-workshop/.github/workflows/github-pages.yml

• actions/checkout v2

BUT1/Moodle/S1/R1.07/R1.07_TP1.html

• require.js 2.3.6
• jquery 3.7.1

BUT1/Moodle/S2/R2.08/R2.08_RegLin_SQL.html

• require.js 2.3.6
• jquery 3.7.1

BUT1/Moodle/S2/R2.08/R2.08_TP1_bis.html

• require.js 2.3.6
• jquery 3.7.1

BUT1/Moodle/S2/R2.08/R2.08_TP2.html

• require.js 2.3.6
• jquery 3.7.1

BUT2/Moodle/S4/Parcours A/R4.A.13/cs231n.github.io - Convolutional Neural Networks for Visual Recognition - Stanford/_layouts/default.html

• mathjax 2.7.1

BUT2/Moodle/S4/R4.01/sporttrack-webapp/pom.xml

• org.zkoss.zk:zkbind 9.6.0.2
• org.zkoss.zk:zul 9.6.0.2
• org.zkoss.zk:zkplus 9.6.0.2
• org.zkoss.zk:zhtml 9.6.0.2
• commons-io:commons-io 2.11.0
• fr.ubs.sporttrack:model 1.0
• org.eclipse.jetty:jetty-maven-plugin 10.0.13
• org.apache.maven.plugins:maven-compiler-plugin 3.10.1
• org.apache.maven.plugins:maven-war-plugin 3.3.2
• org.apache.maven.plugins:maven-assembly-plugin 3.4.2

BUT2/Codes/S3/R3.01/TP3/sport-track-db/express_webapp/package.json

• cookie-parser ~1.4.4
• debug ~4.3.0
• express ~4.19.0
• express-session ^1.17.3
• http-errors ~2.0.0
• jade ~1.11.0
• morgan ~1.10.0
• multer ^1.4.5-lts.1
• sqlite3 ^5.1.6

BUT2/Codes/S3/R3.01/TP3/sport-track-db/package.json

• express-generator ^4.16.1
• sqlite3 ^5.1.6

BUT2/Moodle/S4/Parcours A/R4.A.10/r4.a.10-main/section/cours/R4A10_Partie_2/plugin/menu/package.json

• @babel/core ^7.10.4
• @babel/preset-env ^7.10.4
• @rollup/plugin-babel ^6.0.0
• @rollup/plugin-commonjs ^25.0.0
• @rollup/plugin-node-resolve ^15.0.0
• babel-plugin-transform-html-import-to-string 2.0.0
• core-js ^3.6.5
• gulp ^4.0.2
• rollup ^3.0.0
• @rollup/plugin-terser ^0.4.4

BUT2/Moodle/S4/R4.02/rhtest/apps/rhapi/package.json

• cors ^2.8.5
• express ^4.19.2
• express-promise-router ^4.1.1
• prom-client ^15.1.2
• @biomejs/biome 1.7.2
• @types/cors ^2.8.17
• @types/express ^4.17.21
• @types/supertest ^6.0.2
• @vitest/coverage-istanbul ^1.5.3
• nodemon ^3.1.0
• supertest ^7.0.0
• ts-node ^10.9.1
• typescript ^4.9.4
• vitest ^1.5.3

BUT2/Moodle/S4/R4.02/rhtest/apps/rhfront/package.json

• @picocss/pico ^2.0.6
• axios ^1.6.8
• vue ^3.4.26
• @vitejs/plugin-vue ^5.0.4
• vite ^5.2.10

BUT2/Moodle/S4/R4.02/tdd-workshop/demos/tdd-demo/package.json

• @types/jest ^29.5.12
• @typescript-eslint/eslint-plugin ^7.8.0
• @typescript-eslint/parser ^7.8.0
• eslint ^8.56.0
• jest ^29.7.0
• ts-jest ^29.1.2
• ts-node ^10.9.2
• typescript ^5.4.5

BUT2/Moodle/S4/R4.02/tdd-workshop/demos/tests-ai-assisted/package.json

• @typescript-eslint/eslint-plugin ^7.8.0
• @typescript-eslint/parser ^7.8.0
• @vitest/coverage-istanbul ^1.5.3
• eslint ^8.56.0
• nodemon ^3.1.0
• supertest ^7.0.0
• ts-node ^10.9.1
• typescript ^4.9.4
• vitest ^1.5.3

BUT2/Moodle/S4/R4.02/tdd-workshop/demos/tests-snapshot/package.json

• @typescript-eslint/eslint-plugin ^7.8.0
• @typescript-eslint/parser ^7.8.0
• @vitest/coverage-istanbul ^1.5.3
• eslint ^8.56.0
• nodemon ^3.1.0
• supertest ^7.0.0
• ts-node ^10.9.1
• typescript ^4.9.4
• vitest ^1.5.3

BUT2/Moodle/S4/R4.02/rhtest/.nvmrc

• node 18

BUT2/Moodle/S4/R4.02/tdd-workshop/demos/tdd-demo/.nvmrc

• node 20

Vulnerable Library - junit-4.11.jar

JUnit is a regression testing framework written by Erich Gamma and Kent Beck. It is used by the developer who implements unit tests in Java.

Library home page: http://junit.org

Path to vulnerable library: /BUT1/Codes/R2.03/TPTestJUnit/lib/junit-4.11.jar,/BUT1/Codes/R2.03/TPMoney/lib/junit-4.11.jar,/BUT1/Moodle/S2/R2.03/JUnit/junit-4.11.jar

Found in HEAD commit: 68fd2052d0efc0a5cca85867e764d93cc98974bc

CVE-2020-15250

Vulnerable Library - junit-4.11.jar

JUnit is a regression testing framework written by Erich Gamma and Kent Beck. It is used by the developer who implements unit tests in Java.

Library home page: http://junit.org

Path to vulnerable library: /BUT1/Codes/R2.03/TPTestJUnit/lib/junit-4.11.jar,/BUT1/Codes/R2.03/TPMoney/lib/junit-4.11.jar,/BUT1/Moodle/S2/R2.03/JUnit/junit-4.11.jar

Dependency Hierarchy:

• ❌ junit-4.11.jar (Vulnerable Library)

Found in HEAD commit: 68fd2052d0efc0a5cca85867e764d93cc98974bc

Found in base branch: master

Vulnerability Details

In JUnit4 from version 4.7 and before 4.13.1, the test rule TemporaryFolder contains a local information disclosure vulnerability. On Unix like systems, the system's temporary directory is shared between all users on that system. Because of this, when files and directories are written into this directory they are, by default, readable by other users on that same system. This vulnerability does not allow other users to overwrite the contents of these directories or files. This is purely an information disclosure vulnerability. This vulnerability impacts you if the JUnit tests write sensitive information, like API keys or passwords, into the temporary folder, and the JUnit tests execute in an environment where the OS has other untrusted users. Because certain JDK file system APIs were only added in JDK 1.7, this this fix is dependent upon the version of the JDK you are using. For Java 1.7 and higher users: this vulnerability is fixed in 4.13.1. For Java 1.6 and lower users: no patch is available, you must use the workaround below. If you are unable to patch, or are stuck running on Java 1.6, specifying the java.io.tmpdir system environment variable to a directory that is exclusively owned by the executing user will fix this vulnerability. For more information, including an example of vulnerable code, see the referenced GitHub Security Advisory.

Publish Date: 2020-10-12

URL: CVE-2020-15250

CVSS 3 Score Details (5.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Local
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: None
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: GHSA-269g-pwp5-87pp

Release Date: 2020-10-12

Fix Resolution: 4.13.1

Step up your Open Source Security Game with Mend here