Giter Club home page Giter Club logo

edm115 / school-codes-v2 Goto Github PK

View Code? Open in Web Editor NEW
3.0 3.0 0.0 5.28 GB

Everything I code at school (college that time)

License: Other

Java 0.40% Makefile 0.01% C 0.02% HTML 61.05% Jupyter Notebook 37.55% Shell 0.01% C++ 0.13% Python 0.03% CSS 0.39% PLSQL 0.01% JavaScript 0.29% PHP 0.03% Pug 0.01% Lua 0.02% Ruby 0.01% TeX 0.04% Perl 0.01% Dockerfile 0.01% TypeScript 0.01% Vue 0.02%
but college computer-science french java maths school sql studies unix

school-codes-v2's Introduction

Hey, it's-a me, EDM115 ๐Ÿ‘‹

Languages and Tools

Programming Languages

java javascript python

Frontend Development

bootstrap css3 html5

Backend Development

apache nodejs

Database

mongodb mysql oracle

Devops

bash docker

Backend as a Service (BaaS)

heroku

Framework

aioHTTP Boostrap BoxIcons Motor Pillow PyroGram Swiper three.js typed.js

Software

android studio chrome vs code

Tools

chatgpt copilot

Other

canva debian git linux markdown windows 11

Some stats ๐Ÿฅฐ

Discord Presence
EDM115's GitHub stats | Reload the page if you see this :)
Most Used Languages | Reload the page if you see this :)
EDM115's github activity graph
GitHub Streak
Spotify Activity

trophy
GitHub followers

Contact me

edm115 18644204 dev@edm115.eu.org

For the others way to contact me, head to my website

Support me ๐Ÿฅบ

ย 
edm115
edm115

Donate
EDM115
edm115

school-codes-v2's People

Contributors

deepsource-autofix[bot] avatar deepsourcebot avatar edm115 avatar imgbot[bot] avatar imgbotapp avatar mend-bolt-for-github[bot] avatar renovate[bot] avatar stacksharebot avatar

Stargazers

 avatar  avatar  avatar

Watchers

 avatar

school-codes-v2's Issues

sqlite3-5.1.7.tgz: 1 vulnerabilities (highest severity is: 9.8)

Vulnerable Library - sqlite3-5.1.7.tgz

Path to dependency file: /BUT2/Codes/S3/R3.01/TP3/sport-track-db/express_webapp/package.json

Path to vulnerable library: /BUT2/Codes/S3/R3.01/TP3/sport-track-db/package.json,/BUT2/Codes/S3/R3.01/TP3/sport-track-db/express_webapp/package.json

Found in HEAD commit: b85d529ab67936920b3cba059f835857c987df1d

Vulnerabilities

CVE Severity CVSS Dependency Type Fixed in (sqlite3 version) Remediation Possible**
CVE-2023-42282 Critical 9.8 ip-2.0.0.tgz Transitive N/A* โŒ

*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2023-42282

Vulnerable Library - ip-2.0.0.tgz

[![](https://badge.fury.io/js/ip.svg)](https://www.npmjs.com/package/ip)

Library home page: https://registry.npmjs.org/ip/-/ip-2.0.0.tgz

Path to dependency file: /BUT2/Codes/S3/R3.01/TP3/sport-track-db/package.json

Path to vulnerable library: /BUT2/Codes/S3/R3.01/TP3/sport-track-db/package.json,/BUT2/Codes/S3/R3.01/TP3/sport-track-db/express_webapp/package.json

Dependency Hierarchy:

  • sqlite3-5.1.7.tgz (Root Library)
    • node-gyp-8.4.1.tgz
      • make-fetch-happen-9.1.0.tgz
        • socks-proxy-agent-6.2.1.tgz
          • socks-2.7.1.tgz
            • โŒ ip-2.0.0.tgz (Vulnerable Library)

Found in HEAD commit: b85d529ab67936920b3cba059f835857c987df1d

Found in base branch: master

Vulnerability Details

The ip package before 1.1.9 for Node.js might allow SSRF because some IP addresses (such as 0x7f.1) are improperly categorized as globally routable via isPublic.

Publish Date: 2024-02-08

URL: CVE-2023-42282

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-78xj-cgh5-2h22

Release Date: 2024-02-08

Fix Resolution: ip - 1.1.9,2.0.1

Step up your Open Source Security Game with Mend here

jade-1.11.0.tgz: 5 vulnerabilities (highest severity is: 10.0)

Vulnerable Library - jade-1.11.0.tgz

Path to dependency file: /BUT2/Codes/S3/R3.01/TP3/sport-track-db/express_webapp/package.json

Path to vulnerable library: /BUT2/Codes/S3/R3.01/TP3/sport-track-db/express_webapp/package.json

Found in HEAD commit: b85d529ab67936920b3cba059f835857c987df1d

Vulnerabilities

CVE Severity CVSS Dependency Type Fixed in (jade version) Remediation Possible**
WS-2019-0217 Critical 10.0 constantinople-3.0.2.tgz Transitive N/A* โŒ
WS-2018-0068 Critical 9.8 constantinople-3.0.2.tgz Transitive N/A* โŒ
CVE-2015-8857 Critical 9.8 uglify-js-2.2.5.tgz Transitive N/A* โŒ
CVE-2015-8858 High 7.5 uglify-js-2.2.5.tgz Transitive N/A* โŒ
WS-2019-0017 Medium 5.3 clean-css-3.4.28.tgz Transitive N/A* โŒ

*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

WS-2019-0217

Vulnerable Library - constantinople-3.0.2.tgz

Determine whether a JavaScript expression evaluates to a constant (using UglifyJS)

Library home page: https://registry.npmjs.org/constantinople/-/constantinople-3.0.2.tgz

Path to dependency file: /BUT2/Codes/S3/R3.01/TP3/sport-track-db/express_webapp/package.json

Path to vulnerable library: /BUT2/Codes/S3/R3.01/TP3/sport-track-db/express_webapp/package.json

Dependency Hierarchy:

  • jade-1.11.0.tgz (Root Library)
    • โŒ constantinople-3.0.2.tgz (Vulnerable Library)

Found in HEAD commit: b85d529ab67936920b3cba059f835857c987df1d

Found in base branch: master

Vulnerability Details

constantinople before 3.1.1 affected by a sandbox bypass.

Publish Date: 2018-02-09

URL: WS-2019-0217

CVSS 3 Score Details (10.0)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/568

Release Date: 2018-02-09

Fix Resolution: 3.1.1

Step up your Open Source Security Game with Mend here

WS-2018-0068

Vulnerable Library - constantinople-3.0.2.tgz

Determine whether a JavaScript expression evaluates to a constant (using UglifyJS)

Library home page: https://registry.npmjs.org/constantinople/-/constantinople-3.0.2.tgz

Path to dependency file: /BUT2/Codes/S3/R3.01/TP3/sport-track-db/express_webapp/package.json

Path to vulnerable library: /BUT2/Codes/S3/R3.01/TP3/sport-track-db/express_webapp/package.json

Dependency Hierarchy:

  • jade-1.11.0.tgz (Root Library)
    • โŒ constantinople-3.0.2.tgz (Vulnerable Library)

Found in HEAD commit: b85d529ab67936920b3cba059f835857c987df1d

Found in base branch: master

Vulnerability Details

Versions of constantinople prior to 3.1.1 are vulnerable to a sandbox bypass which can lead to arbitrary code execution.

Publish Date: 2018-04-21

URL: WS-2018-0068

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nodesecurity.io/advisories/568

Release Date: 2018-01-24

Fix Resolution: 3.1.1

Step up your Open Source Security Game with Mend here

CVE-2015-8857

Vulnerable Library - uglify-js-2.2.5.tgz

JavaScript parser, mangler/compressor and beautifier toolkit

Library home page: https://registry.npmjs.org/uglify-js/-/uglify-js-2.2.5.tgz

Path to dependency file: /BUT2/Codes/S3/R3.01/TP3/sport-track-db/express_webapp/package.json

Path to vulnerable library: /BUT2/Codes/S3/R3.01/TP3/sport-track-db/express_webapp/package.json

Dependency Hierarchy:

  • jade-1.11.0.tgz (Root Library)
    • transformers-2.1.0.tgz
      • โŒ uglify-js-2.2.5.tgz (Vulnerable Library)

Found in HEAD commit: b85d529ab67936920b3cba059f835857c987df1d

Found in base branch: master

Vulnerability Details

The uglify-js package before 2.4.24 for Node.js does not properly account for non-boolean values when rewriting boolean expressions, which might allow attackers to bypass security mechanisms or possibly have unspecified other impact by leveraging improperly rewritten Javascript.

Publish Date: 2017-01-23

URL: CVE-2015-8857

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8858

Release Date: 2017-01-23

Fix Resolution: v2.4.24

Step up your Open Source Security Game with Mend here

CVE-2015-8858

Vulnerable Library - uglify-js-2.2.5.tgz

JavaScript parser, mangler/compressor and beautifier toolkit

Library home page: https://registry.npmjs.org/uglify-js/-/uglify-js-2.2.5.tgz

Path to dependency file: /BUT2/Codes/S3/R3.01/TP3/sport-track-db/express_webapp/package.json

Path to vulnerable library: /BUT2/Codes/S3/R3.01/TP3/sport-track-db/express_webapp/package.json

Dependency Hierarchy:

  • jade-1.11.0.tgz (Root Library)
    • transformers-2.1.0.tgz
      • โŒ uglify-js-2.2.5.tgz (Vulnerable Library)

Found in HEAD commit: b85d529ab67936920b3cba059f835857c987df1d

Found in base branch: master

Vulnerability Details

The uglify-js package before 2.6.0 for Node.js allows attackers to cause a denial of service (CPU consumption) via crafted input in a parse call, aka a "regular expression denial of service (ReDoS)."

Publish Date: 2017-01-23

URL: CVE-2015-8858

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8858

Release Date: 2017-01-23

Fix Resolution: v2.6.0

Step up your Open Source Security Game with Mend here

WS-2019-0017

Vulnerable Library - clean-css-3.4.28.tgz

A well-tested CSS minifier

Library home page: https://registry.npmjs.org/clean-css/-/clean-css-3.4.28.tgz

Path to dependency file: /BUT2/Codes/S3/R3.01/TP3/sport-track-db/express_webapp/package.json

Path to vulnerable library: /BUT2/Codes/S3/R3.01/TP3/sport-track-db/express_webapp/package.json

Dependency Hierarchy:

  • jade-1.11.0.tgz (Root Library)
    • โŒ clean-css-3.4.28.tgz (Vulnerable Library)

Found in HEAD commit: b85d529ab67936920b3cba059f835857c987df1d

Found in base branch: master

Vulnerability Details

Version of clean-css prior to 4.1.11 are vulnerable to Regular Expression Denial of Service (ReDoS). Untrusted input may cause catastrophic backtracking while matching regular expressions. This can cause the application to be unresponsive leading to Denial of Service.

Publish Date: 2018-03-06

URL: WS-2019-0017

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-wxhq-pm8v-cw75

Release Date: 2018-03-06

Fix Resolution: clean-css - 4.1.11

Step up your Open Source Security Game with Mend here

python-3.12.0-h8edadfe_0.tar.bz2: 1 vulnerabilities (highest severity is: 7.8)

Vulnerable Library - python-3.12.0-h8edadfe_0.tar.bz2

General purpose programming language

Library home page: https://api.anaconda.org/download/main/python/3.12.0/linux-aarch64/python-3.12.0-h8edadfe_0.tar.bz2

Path to dependency file: /BUT1/Moodle/S2/R2.08/pythondatascientist/environment.yml

Path to vulnerable library: /home/wss-scanner/miniconda3/pkgs/python-3.12.0-hab00c5b_0_cpython.conda

Found in HEAD commit: b85d529ab67936920b3cba059f835857c987df1d

Vulnerabilities

CVE Severity CVSS Dependency Type Fixed in (python version) Remediation Possible**
CVE-2023-6597 High 7.8 python-3.12.0-h8edadfe_0.tar.bz2 Direct v3.8.19,v3.9.19,v3.11.8,v3.12.1 โŒ

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2023-6597

Vulnerable Library - python-3.12.0-h8edadfe_0.tar.bz2

General purpose programming language

Library home page: https://api.anaconda.org/download/main/python/3.12.0/linux-aarch64/python-3.12.0-h8edadfe_0.tar.bz2

Path to dependency file: /BUT1/Moodle/S2/R2.08/pythondatascientist/environment.yml

Path to vulnerable library: /home/wss-scanner/miniconda3/pkgs/python-3.12.0-hab00c5b_0_cpython.conda

Dependency Hierarchy:

  • โŒ python-3.12.0-h8edadfe_0.tar.bz2 (Vulnerable Library)

Found in HEAD commit: b85d529ab67936920b3cba059f835857c987df1d

Found in base branch: master

Vulnerability Details

An issue was found in the CPython tempfile.TemporaryDirectory class affecting versions 3.12.1, 3.11.7, 3.10.13, 3.9.18, and 3.8.18 and prior.

The tempfile.TemporaryDirectory class would dereference symlinks during cleanup of permissions-related errors. This means users which can run privileged programs are potentially able to modify permissions of files referenced by symlinks in some circumstances.

Publish Date: 2024-03-19

URL: CVE-2023-6597

CVSS 3 Score Details (7.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-797f-63wg-8chv

Release Date: 2024-03-19

Fix Resolution: v3.8.19,v3.9.19,v3.11.8,v3.12.1

Step up your Open Source Security Game with Mend here

express-generator-4.16.1.tgz: 5 vulnerabilities (highest severity is: 9.8)

Vulnerable Library - express-generator-4.16.1.tgz

Path to dependency file: /BUT2/Codes/S3/R3.01/TP3/sport-track-db/package.json

Path to vulnerable library: /BUT2/Codes/S3/R3.01/TP3/sport-track-db/package.json

Found in HEAD commit: b85d529ab67936920b3cba059f835857c987df1d

Vulnerabilities

CVE Severity CVSS Dependency Type Fixed in (express-generator version) Remediation Possible**
WS-2021-0153 Critical 9.8 ejs-2.6.1.tgz Transitive N/A* โŒ
CVE-2022-29078 Critical 9.8 ejs-2.6.1.tgz Transitive N/A* โŒ
CVE-2021-44906 Critical 9.8 minimist-0.0.8.tgz Transitive N/A* โŒ
CVE-2022-3517 High 7.5 minimatch-3.0.4.tgz Transitive N/A* โŒ
CVE-2020-7598 Medium 5.6 minimist-0.0.8.tgz Transitive N/A* โŒ

*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

WS-2021-0153

Vulnerable Library - ejs-2.6.1.tgz

Embedded JavaScript templates

Library home page: https://registry.npmjs.org/ejs/-/ejs-2.6.1.tgz

Path to dependency file: /BUT2/Codes/S3/R3.01/TP3/sport-track-db/package.json

Path to vulnerable library: /BUT2/Codes/S3/R3.01/TP3/sport-track-db/package.json

Dependency Hierarchy:

  • express-generator-4.16.1.tgz (Root Library)
    • โŒ ejs-2.6.1.tgz (Vulnerable Library)

Found in HEAD commit: b85d529ab67936920b3cba059f835857c987df1d

Found in base branch: master

Vulnerability Details

Arbitrary Code Injection vulnerability was found in ejs before 3.1.6. Caused by filename which isn't sanitized for display.

Publish Date: 2021-01-22

URL: WS-2021-0153

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2021-01-22

Fix Resolution: ejs - 3.1.6

Step up your Open Source Security Game with Mend here

CVE-2022-29078

Vulnerable Library - ejs-2.6.1.tgz

Embedded JavaScript templates

Library home page: https://registry.npmjs.org/ejs/-/ejs-2.6.1.tgz

Path to dependency file: /BUT2/Codes/S3/R3.01/TP3/sport-track-db/package.json

Path to vulnerable library: /BUT2/Codes/S3/R3.01/TP3/sport-track-db/package.json

Dependency Hierarchy:

  • express-generator-4.16.1.tgz (Root Library)
    • โŒ ejs-2.6.1.tgz (Vulnerable Library)

Found in HEAD commit: b85d529ab67936920b3cba059f835857c987df1d

Found in base branch: master

Vulnerability Details

The ejs (aka Embedded JavaScript templates) package 3.1.6 for Node.js allows server-side template injection in settings[view options][outputFunctionName]. This is parsed as an internal option, and overwrites the outputFunctionName option with an arbitrary OS command (which is executed upon template compilation).

Publish Date: 2022-04-25

URL: CVE-2022-29078

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29078~

Release Date: 2022-04-25

Fix Resolution: ejs - v3.1.7

Step up your Open Source Security Game with Mend here

CVE-2021-44906

Vulnerable Library - minimist-0.0.8.tgz

parse argument options

Library home page: https://registry.npmjs.org/minimist/-/minimist-0.0.8.tgz

Path to dependency file: /BUT2/Codes/S3/R3.01/TP3/sport-track-db/package.json

Path to vulnerable library: /BUT2/Codes/S3/R3.01/TP3/sport-track-db/package.json

Dependency Hierarchy:

  • express-generator-4.16.1.tgz (Root Library)
    • mkdirp-0.5.1.tgz
      • โŒ minimist-0.0.8.tgz (Vulnerable Library)

Found in HEAD commit: b85d529ab67936920b3cba059f835857c987df1d

Found in base branch: master

Vulnerability Details

Minimist <=1.2.5 is vulnerable to Prototype Pollution via file index.js, function setKey() (lines 69-95).

Publish Date: 2022-03-17

URL: CVE-2021-44906

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-xvch-5gv4-984h

Release Date: 2022-03-17

Fix Resolution: minimist - 0.2.4,1.2.6

Step up your Open Source Security Game with Mend here

CVE-2022-3517

Vulnerable Library - minimatch-3.0.4.tgz

a glob matcher in javascript

Library home page: https://registry.npmjs.org/minimatch/-/minimatch-3.0.4.tgz

Path to dependency file: /BUT2/Codes/S3/R3.01/TP3/sport-track-db/package.json

Path to vulnerable library: /BUT2/Codes/S3/R3.01/TP3/sport-track-db/package.json

Dependency Hierarchy:

  • express-generator-4.16.1.tgz (Root Library)
    • โŒ minimatch-3.0.4.tgz (Vulnerable Library)

Found in HEAD commit: b85d529ab67936920b3cba059f835857c987df1d

Found in base branch: master

Vulnerability Details

A vulnerability was found in the minimatch package. This flaw allows a Regular Expression Denial of Service (ReDoS) when calling the braceExpand function with specific arguments, resulting in a Denial of Service.

Publish Date: 2022-10-17

URL: CVE-2022-3517

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2022-10-17

Fix Resolution: minimatch - 3.0.5

Step up your Open Source Security Game with Mend here

CVE-2020-7598

Vulnerable Library - minimist-0.0.8.tgz

parse argument options

Library home page: https://registry.npmjs.org/minimist/-/minimist-0.0.8.tgz

Path to dependency file: /BUT2/Codes/S3/R3.01/TP3/sport-track-db/package.json

Path to vulnerable library: /BUT2/Codes/S3/R3.01/TP3/sport-track-db/package.json

Dependency Hierarchy:

  • express-generator-4.16.1.tgz (Root Library)
    • mkdirp-0.5.1.tgz
      • โŒ minimist-0.0.8.tgz (Vulnerable Library)

Found in HEAD commit: b85d529ab67936920b3cba059f835857c987df1d

Found in base branch: master

Vulnerability Details

minimist before 1.2.2 could be tricked into adding or modifying properties of Object.prototype using a "constructor" or "proto" payload.

Publish Date: 2020-03-11

URL: CVE-2020-7598

CVSS 3 Score Details (5.6)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2020-03-11

Fix Resolution: minimist - 0.2.1,1.2.3

Step up your Open Source Security Game with Mend here

express-4.16.4.tgz: 1 vulnerabilities (highest severity is: 7.5) - autoclosed

Vulnerable Library - express-4.16.4.tgz

Found in HEAD commit: 68fd2052d0efc0a5cca85867e764d93cc98974bc

Vulnerabilities

CVE Severity CVSS Dependency Type Fixed in (express version) Remediation Possible**
CVE-2022-24999 High 7.5 qs-6.5.2.tgz Transitive 4.17.0 โŒ

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2022-24999

Vulnerable Library - qs-6.5.2.tgz

A querystring parser that supports nesting and arrays, with a depth limit

Library home page: https://registry.npmjs.org/qs/-/qs-6.5.2.tgz

Dependency Hierarchy:

  • express-4.16.4.tgz (Root Library)
    • โŒ qs-6.5.2.tgz (Vulnerable Library)

Found in HEAD commit: 68fd2052d0efc0a5cca85867e764d93cc98974bc

Found in base branch: master

Vulnerability Details

qs before 6.10.3, as used in Express before 4.17.3 and other products, allows attackers to cause a Node process hang for an Express application because an __ proto__ key can be used. In many typical Express use cases, an unauthenticated remote attacker can place the attack payload in the query string of the URL that is used to visit the application, such as a[proto]=b&a[proto]&a[length]=100000000. The fix was backported to qs 6.9.7, 6.8.3, 6.7.3, 6.6.1, 6.5.3, 6.4.1, 6.3.3, and 6.2.4 (and therefore Express 4.17.3, which has "deps: [email protected]" in its release description, is not vulnerable).

Publish Date: 2022-11-26

URL: CVE-2022-24999

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2022-24999

Release Date: 2022-11-26

Fix Resolution (qs): 6.5.3

Direct dependency fix Resolution (express): 4.17.0

Step up your Open Source Security Game with Mend here

jekyll-4.2.0.gem: 1 vulnerabilities (highest severity is: 7.5)

Vulnerable Library - jekyll-4.2.0.gem

Path to dependency file: /BUT2/Moodle/S4/Parcours A/R4.A.13/cs231n.github.io - Convolutional Neural Networks for Visual Recognition - Stanford/Gemfile.lock

Path to vulnerable library: /home/wss-scanner/.gem/ruby/3.2.0/cache/addressable-2.7.0.gem

Found in HEAD commit: b85d529ab67936920b3cba059f835857c987df1d

Vulnerabilities

CVE Severity CVSS Dependency Type Fixed in (jekyll version) Remediation Possible**
CVE-2021-32740 High 7.5 addressable-2.7.0.gem Transitive N/A* โŒ

*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2021-32740

Vulnerable Library - addressable-2.7.0.gem

Addressable is an alternative implementation to the URI implementation that is part of Ruby's standard library. It is flexible, offers heuristic parsing, and additionally provides extensive support for IRIs and URI templates.

Library home page: https://rubygems.org/gems/addressable-2.7.0.gem

Path to dependency file: /BUT2/Moodle/S4/Parcours A/R4.A.13/cs231n.github.io - Convolutional Neural Networks for Visual Recognition - Stanford/Gemfile.lock

Path to vulnerable library: /home/wss-scanner/.gem/ruby/3.2.0/cache/addressable-2.7.0.gem

Dependency Hierarchy:

  • jekyll-4.2.0.gem (Root Library)
    • โŒ addressable-2.7.0.gem (Vulnerable Library)

Found in HEAD commit: b85d529ab67936920b3cba059f835857c987df1d

Found in base branch: master

Vulnerability Details

Addressable is an alternative implementation to the URI implementation that is part of Ruby's standard library. An uncontrolled resource consumption vulnerability exists after version 2.3.0 through version 2.7.0. Within the URI template implementation in Addressable, a maliciously crafted template may result in uncontrolled resource consumption, leading to denial of service when matched against a URI. In typical usage, templates would not normally be read from untrusted user input, but nonetheless, no previous security advisory for Addressable has cautioned against doing this. Users of the parsing capabilities in Addressable but not the URI template capabilities are unaffected. The vulnerability is patched in version 2.8.0. As a workaround, only create Template objects from trusted sources that have been validated not to produce catastrophic backtracking.

Publish Date: 2021-07-06

URL: CVE-2021-32740

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-jxhc-q857-3j6g

Release Date: 2021-07-06

Fix Resolution: addressable - 2.8.0

Step up your Open Source Security Game with Mend here

Dependency Dashboard

This issue lists Renovate updates and detected dependencies. Read the Dependency Dashboard docs to learn more.


Warning

Renovate failed to look up the following dependencies: Failed to look up maven package fr.ubs.sporttrack:model.

Files affected: BUT2/Moodle/S4/R4.01/sporttrack-webapp/pom.xml


Ignored or Blocked

These are blocked by an existing closed PR and will not be recreated unless you click a checkbox below.

Detected dependencies

bundler
BUT2/Moodle/S4/Parcours A/R4.A.13/cs231n.github.io - Convolutional Neural Networks for Visual Recognition - Stanford/Gemfile
  • jekyll undefined
docker-compose
BUT2/Moodle/S4/R4.02/rhtest/apps/docker-compose-monitoring.yml
  • grafana/grafana-oss 9.3.2
  • prom/prometheus v2.41.0
BUT2/Moodle/S4/R4.02/rhtest/apps/docker-compose-rhtest.yml
dockerfile
BUT2/Moodle/S4/R4.02/rhtest/apps/monitoring/noise/Dockerfile
  • alpine 3.17.1
BUT2/Moodle/S4/R4.02/rhtest/apps/rhapi/Dockerfile
  • node 18
  • node 18
  • node 18
BUT2/Moodle/S4/R4.02/rhtest/apps/rhfront/Dockerfile
github-actions
.github/workflows/codeql.yml
  • actions/checkout v4
  • github/codeql-action v3
  • github/codeql-action v3
  • github/codeql-action v3
BUT2/Moodle/S4/R4.02/tdd-workshop/.github/workflows/github-pages.yml
  • actions/checkout v2
html
BUT1/Moodle/S1/R1.07/R1.07_TP1.html
  • require.js 2.3.6
  • jquery 3.7.1
BUT1/Moodle/S2/R2.08/R2.08_RegLin_SQL.html
  • require.js 2.3.6
  • jquery 3.7.1
BUT1/Moodle/S2/R2.08/R2.08_TP1_bis.html
  • require.js 2.3.6
  • jquery 3.7.1
BUT1/Moodle/S2/R2.08/R2.08_TP2.html
  • require.js 2.3.6
  • jquery 3.7.1
BUT2/Moodle/S4/Parcours A/R4.A.13/cs231n.github.io - Convolutional Neural Networks for Visual Recognition - Stanford/_layouts/default.html
  • mathjax 2.7.1
maven
BUT2/Moodle/S4/R4.01/sporttrack-webapp/pom.xml
  • org.zkoss.zk:zkbind 9.6.0.2
  • org.zkoss.zk:zul 9.6.0.2
  • org.zkoss.zk:zkplus 9.6.0.2
  • org.zkoss.zk:zhtml 9.6.0.2
  • commons-io:commons-io 2.11.0
  • fr.ubs.sporttrack:model 1.0
  • org.eclipse.jetty:jetty-maven-plugin 10.0.13
  • org.apache.maven.plugins:maven-compiler-plugin 3.10.1
  • org.apache.maven.plugins:maven-war-plugin 3.3.2
  • org.apache.maven.plugins:maven-assembly-plugin 3.4.2
npm
BUT2/Codes/S3/R3.01/TP3/sport-track-db/express_webapp/package.json
  • cookie-parser ~1.4.4
  • debug ~4.3.0
  • express ~4.19.0
  • express-session ^1.17.3
  • http-errors ~2.0.0
  • jade ~1.11.0
  • morgan ~1.10.0
  • multer ^1.4.5-lts.1
  • sqlite3 ^5.1.6
BUT2/Codes/S3/R3.01/TP3/sport-track-db/package.json
  • express-generator ^4.16.1
  • sqlite3 ^5.1.6
BUT2/Moodle/S4/Parcours A/R4.A.10/r4.a.10-main/section/cours/R4A10_Partie_2/plugin/menu/package.json
  • @babel/core ^7.10.4
  • @babel/preset-env ^7.10.4
  • @rollup/plugin-babel ^6.0.0
  • @rollup/plugin-commonjs ^25.0.0
  • @rollup/plugin-node-resolve ^15.0.0
  • babel-plugin-transform-html-import-to-string 2.0.0
  • core-js ^3.6.5
  • gulp ^4.0.2
  • rollup ^3.0.0
  • @rollup/plugin-terser ^0.4.4
BUT2/Moodle/S4/R4.02/rhtest/apps/rhapi/package.json
  • cors ^2.8.5
  • express ^4.19.2
  • express-promise-router ^4.1.1
  • prom-client ^15.1.2
  • @biomejs/biome 1.7.2
  • @types/cors ^2.8.17
  • @types/express ^4.17.21
  • @types/supertest ^6.0.2
  • @vitest/coverage-istanbul ^1.5.3
  • nodemon ^3.1.0
  • supertest ^7.0.0
  • ts-node ^10.9.1
  • typescript ^4.9.4
  • vitest ^1.5.3
BUT2/Moodle/S4/R4.02/rhtest/apps/rhfront/package.json
  • @picocss/pico ^2.0.6
  • axios ^1.6.8
  • vue ^3.4.26
  • @vitejs/plugin-vue ^5.0.4
  • vite ^5.2.10
BUT2/Moodle/S4/R4.02/tdd-workshop/demos/tdd-demo/package.json
  • @types/jest ^29.5.12
  • @typescript-eslint/eslint-plugin ^7.8.0
  • @typescript-eslint/parser ^7.8.0
  • eslint ^8.56.0
  • jest ^29.7.0
  • ts-jest ^29.1.2
  • ts-node ^10.9.2
  • typescript ^5.4.5
BUT2/Moodle/S4/R4.02/tdd-workshop/demos/tests-ai-assisted/package.json
  • @typescript-eslint/eslint-plugin ^7.8.0
  • @typescript-eslint/parser ^7.8.0
  • @vitest/coverage-istanbul ^1.5.3
  • eslint ^8.56.0
  • nodemon ^3.1.0
  • supertest ^7.0.0
  • ts-node ^10.9.1
  • typescript ^4.9.4
  • vitest ^1.5.3
BUT2/Moodle/S4/R4.02/tdd-workshop/demos/tests-snapshot/package.json
  • @typescript-eslint/eslint-plugin ^7.8.0
  • @typescript-eslint/parser ^7.8.0
  • @vitest/coverage-istanbul ^1.5.3
  • eslint ^8.56.0
  • nodemon ^3.1.0
  • supertest ^7.0.0
  • ts-node ^10.9.1
  • typescript ^4.9.4
  • vitest ^1.5.3
nvm
BUT2/Moodle/S4/R4.02/rhtest/.nvmrc
  • node 18
BUT2/Moodle/S4/R4.02/tdd-workshop/demos/tdd-demo/.nvmrc
  • node 20

  • Check this box to trigger a request for Renovate to run again on this repository

junit-4.11.jar: 1 vulnerabilities (highest severity is: 5.5)

Vulnerable Library - junit-4.11.jar

JUnit is a regression testing framework written by Erich Gamma and Kent Beck. It is used by the developer who implements unit tests in Java.

Library home page: http://junit.org

Path to vulnerable library: /BUT1/Codes/R2.03/TPTestJUnit/lib/junit-4.11.jar,/BUT1/Codes/R2.03/TPMoney/lib/junit-4.11.jar,/BUT1/Moodle/S2/R2.03/JUnit/junit-4.11.jar

Found in HEAD commit: 68fd2052d0efc0a5cca85867e764d93cc98974bc

Vulnerabilities

CVE Severity CVSS Dependency Type Fixed in (junit version) Remediation Possible**
CVE-2020-15250 Medium 5.5 junit-4.11.jar Direct 4.13.1 โŒ

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2020-15250

Vulnerable Library - junit-4.11.jar

JUnit is a regression testing framework written by Erich Gamma and Kent Beck. It is used by the developer who implements unit tests in Java.

Library home page: http://junit.org

Path to vulnerable library: /BUT1/Codes/R2.03/TPTestJUnit/lib/junit-4.11.jar,/BUT1/Codes/R2.03/TPMoney/lib/junit-4.11.jar,/BUT1/Moodle/S2/R2.03/JUnit/junit-4.11.jar

Dependency Hierarchy:

  • โŒ junit-4.11.jar (Vulnerable Library)

Found in HEAD commit: 68fd2052d0efc0a5cca85867e764d93cc98974bc

Found in base branch: master

Vulnerability Details

In JUnit4 from version 4.7 and before 4.13.1, the test rule TemporaryFolder contains a local information disclosure vulnerability. On Unix like systems, the system's temporary directory is shared between all users on that system. Because of this, when files and directories are written into this directory they are, by default, readable by other users on that same system. This vulnerability does not allow other users to overwrite the contents of these directories or files. This is purely an information disclosure vulnerability. This vulnerability impacts you if the JUnit tests write sensitive information, like API keys or passwords, into the temporary folder, and the JUnit tests execute in an environment where the OS has other untrusted users. Because certain JDK file system APIs were only added in JDK 1.7, this this fix is dependent upon the version of the JDK you are using. For Java 1.7 and higher users: this vulnerability is fixed in 4.13.1. For Java 1.6 and lower users: no patch is available, you must use the workaround below. If you are unable to patch, or are stuck running on Java 1.6, specifying the java.io.tmpdir system environment variable to a directory that is exclusively owned by the executing user will fix this vulnerability. For more information, including an example of vulnerable code, see the referenced GitHub Security Advisory.

Publish Date: 2020-10-12

URL: CVE-2020-15250

CVSS 3 Score Details (5.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-269g-pwp5-87pp

Release Date: 2020-10-12

Fix Resolution: 4.13.1

Step up your Open Source Security Game with Mend here

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    ๐Ÿ–– Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. ๐Ÿ“Š๐Ÿ“ˆ๐ŸŽ‰

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google โค๏ธ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.