edm115 / school-codes-v2 Goto Github PK

Everything I code at school (college that time)

License: Other

Java 0.40% Makefile 0.01% C 0.02% HTML 61.05% Jupyter Notebook 37.55% Shell 0.01% C++ 0.13% Python 0.03% CSS 0.39% PLSQL 0.01% JavaScript 0.29% PHP 0.03% Pug 0.01% Lua 0.02% Ruby 0.01% TeX 0.04% Perl 0.01% Dockerfile 0.01% TypeScript 0.01% Vue 0.02%

but college computer-science french java maths school sql studies unix

school-codes-v2's Introduction

Hey, it's-a me, EDM115 👋

Languages and Tools

Programming Languages

Frontend Development

Backend Development

Database

Devops

Backend as a Service (BaaS)

Framework

Software

Tools

Other

Some stats 🥰

Contact me

For the others way to contact me, head to my website

Support me 🥺

school-codes-v2's People

Contributors

Stargazers

Watchers

school-codes-v2's Issues

Website to browse content

Probablement useless, mais pourquoi pas...

python-3.12.0-h8edadfe_0.tar.bz2: 1 vulnerabilities (highest severity is: 7.8)

Vulnerable Library - python-3.12.0-h8edadfe_0.tar.bz2

General purpose programming language

Library home page: https://api.anaconda.org/download/main/python/3.12.0/linux-aarch64/python-3.12.0-h8edadfe_0.tar.bz2

Path to dependency file: /BUT1/Moodle/S2/R2.08/pythondatascientist/environment.yml

Path to vulnerable library: /home/wss-scanner/miniconda3/pkgs/python-3.12.0-hab00c5b_0_cpython.conda

Found in HEAD commit: b85d529ab67936920b3cba059f835857c987df1d

Vulnerabilities

CVE	Severity	CVSS	Dependency	Type	Fixed in (python version)	Remediation Possible**
CVE-2023-6597	High	7.8	python-3.12.0-h8edadfe_0.tar.bz2	Direct	v3.8.19,v3.9.19,v3.11.8,v3.12.1	❌

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2023-6597

Vulnerable Library - python-3.12.0-h8edadfe_0.tar.bz2

General purpose programming language

Library home page: https://api.anaconda.org/download/main/python/3.12.0/linux-aarch64/python-3.12.0-h8edadfe_0.tar.bz2

Path to dependency file: /BUT1/Moodle/S2/R2.08/pythondatascientist/environment.yml

Path to vulnerable library: /home/wss-scanner/miniconda3/pkgs/python-3.12.0-hab00c5b_0_cpython.conda

Dependency Hierarchy:

❌ python-3.12.0-h8edadfe_0.tar.bz2 (Vulnerable Library)

Found in HEAD commit: b85d529ab67936920b3cba059f835857c987df1d

Found in base branch: master

Vulnerability Details

An issue was found in the CPython tempfile.TemporaryDirectory class affecting versions 3.12.1, 3.11.7, 3.10.13, 3.9.18, and 3.8.18 and prior.

The tempfile.TemporaryDirectory class would dereference symlinks during cleanup of permissions-related errors. This means users which can run privileged programs are potentially able to modify permissions of files referenced by symlinks in some circumstances.

Publish Date: 2024-03-19

URL: CVE-2023-6597

CVSS 3 Score Details (7.8)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Changed
Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-797f-63wg-8chv

Release Date: 2024-03-19

Fix Resolution: v3.8.19,v3.9.19,v3.11.8,v3.12.1

Step up your Open Source Security Game with Mend here

Dependency Dashboard

This issue lists Renovate updates and detected dependencies. Read the Dependency Dashboard docs to learn more.

Warning

Renovate failed to look up the following dependencies: Failed to look up maven package fr.ubs.sporttrack:model.

Files affected: BUT2/Moodle/S4/R4.01/sporttrack-webapp/pom.xml

Ignored or Blocked

These are blocked by an existing closed PR and will not be recreated unless you click a checkbox below.

Detected dependencies

bundler

BUT2/Moodle/S4/Parcours A/R4.A.13/cs231n.github.io - Convolutional Neural Networks for Visual Recognition - Stanford/Gemfile

jekyll undefined

docker-compose

BUT2/Moodle/S4/R4.02/rhtest/apps/docker-compose-monitoring.yml

grafana/grafana-oss 9.3.2

prom/prometheus v2.41.0

BUT2/Moodle/S4/R4.02/rhtest/apps/docker-compose-rhtest.yml

dockerfile

BUT2/Moodle/S4/R4.02/rhtest/apps/monitoring/noise/Dockerfile

alpine 3.17.1

BUT2/Moodle/S4/R4.02/rhtest/apps/rhapi/Dockerfile

node 18

node 18

node 18

BUT2/Moodle/S4/R4.02/rhtest/apps/rhfront/Dockerfile

github-actions

.github/workflows/codeql.yml

actions/checkout v4

github/codeql-action v3

github/codeql-action v3

github/codeql-action v3

BUT2/Moodle/S4/R4.02/tdd-workshop/.github/workflows/github-pages.yml

actions/checkout v2

html

BUT1/Moodle/S1/R1.07/R1.07_TP1.html

require.js 2.3.6

jquery 3.7.1

BUT1/Moodle/S2/R2.08/R2.08_RegLin_SQL.html

require.js 2.3.6

jquery 3.7.1

BUT1/Moodle/S2/R2.08/R2.08_TP1_bis.html

require.js 2.3.6

jquery 3.7.1

BUT1/Moodle/S2/R2.08/R2.08_TP2.html

require.js 2.3.6

jquery 3.7.1

BUT2/Moodle/S4/Parcours A/R4.A.13/cs231n.github.io - Convolutional Neural Networks for Visual Recognition - Stanford/_layouts/default.html

mathjax 2.7.1

maven

BUT2/Moodle/S4/R4.01/sporttrack-webapp/pom.xml

org.zkoss.zk:zkbind 9.6.0.2

org.zkoss.zk:zul 9.6.0.2

org.zkoss.zk:zkplus 9.6.0.2

org.zkoss.zk:zhtml 9.6.0.2

commons-io:commons-io 2.11.0

fr.ubs.sporttrack:model 1.0

org.eclipse.jetty:jetty-maven-plugin 10.0.13

org.apache.maven.plugins:maven-compiler-plugin 3.10.1

org.apache.maven.plugins:maven-war-plugin 3.3.2

org.apache.maven.plugins:maven-assembly-plugin 3.4.2

npm

BUT2/Codes/S3/R3.01/TP3/sport-track-db/express_webapp/package.json

cookie-parser ~1.4.4

debug ~4.3.0

express ~4.19.0

express-session ^1.17.3

http-errors ~2.0.0

jade ~1.11.0

morgan ~1.10.0

multer ^1.4.5-lts.1

sqlite3 ^5.1.6

BUT2/Codes/S3/R3.01/TP3/sport-track-db/package.json

express-generator ^4.16.1

sqlite3 ^5.1.6

BUT2/Moodle/S4/Parcours A/R4.A.10/r4.a.10-main/section/cours/R4A10_Partie_2/plugin/menu/package.json

@babel/core ^7.10.4

@babel/preset-env ^7.10.4

@rollup/plugin-babel ^6.0.0

@rollup/plugin-commonjs ^25.0.0

@rollup/plugin-node-resolve ^15.0.0

babel-plugin-transform-html-import-to-string 2.0.0

core-js ^3.6.5

gulp ^4.0.2

rollup ^3.0.0

@rollup/plugin-terser ^0.4.4

BUT2/Moodle/S4/R4.02/rhtest/apps/rhapi/package.json

cors ^2.8.5

express ^4.19.2

express-promise-router ^4.1.1

prom-client ^15.1.2

@biomejs/biome 1.7.2

@types/cors ^2.8.17

@types/express ^4.17.21

@types/supertest ^6.0.2

@vitest/coverage-istanbul ^1.5.3

nodemon ^3.1.0

supertest ^7.0.0

ts-node ^10.9.1

typescript ^4.9.4

vitest ^1.5.3

BUT2/Moodle/S4/R4.02/rhtest/apps/rhfront/package.json

@picocss/pico ^2.0.6

axios ^1.6.8

vue ^3.4.26

@vitejs/plugin-vue ^5.0.4

vite ^5.2.10

BUT2/Moodle/S4/R4.02/tdd-workshop/demos/tdd-demo/package.json

@types/jest ^29.5.12

@typescript-eslint/eslint-plugin ^7.8.0

@typescript-eslint/parser ^7.8.0

eslint ^8.56.0

jest ^29.7.0

ts-jest ^29.1.2

ts-node ^10.9.2

typescript ^5.4.5

BUT2/Moodle/S4/R4.02/tdd-workshop/demos/tests-ai-assisted/package.json

@typescript-eslint/eslint-plugin ^7.8.0

@typescript-eslint/parser ^7.8.0

@vitest/coverage-istanbul ^1.5.3

eslint ^8.56.0

nodemon ^3.1.0

supertest ^7.0.0

ts-node ^10.9.1

typescript ^4.9.4

vitest ^1.5.3

BUT2/Moodle/S4/R4.02/tdd-workshop/demos/tests-snapshot/package.json

@typescript-eslint/eslint-plugin ^7.8.0

@typescript-eslint/parser ^7.8.0

@vitest/coverage-istanbul ^1.5.3

eslint ^8.56.0

nodemon ^3.1.0

supertest ^7.0.0

ts-node ^10.9.1

typescript ^4.9.4

vitest ^1.5.3

nvm

BUT2/Moodle/S4/R4.02/rhtest/.nvmrc

node 18

BUT2/Moodle/S4/R4.02/tdd-workshop/demos/tdd-demo/.nvmrc

node 20

Check this box to trigger a request for Renovate to run again on this repository

express-4.16.4.tgz: 1 vulnerabilities (highest severity is: 7.5) - autoclosed

Vulnerable Library - express-4.16.4.tgz

Found in HEAD commit: 68fd2052d0efc0a5cca85867e764d93cc98974bc

Vulnerabilities

CVE	Severity	CVSS	Dependency	Type	Fixed in (express version)	Remediation Possible**
CVE-2022-24999	High	7.5	qs-6.5.2.tgz	Transitive	4.17.0	❌

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2022-24999

Vulnerable Library - qs-6.5.2.tgz

A querystring parser that supports nesting and arrays, with a depth limit

Library home page: https://registry.npmjs.org/qs/-/qs-6.5.2.tgz

Dependency Hierarchy:

express-4.16.4.tgz (Root Library)
- ❌ qs-6.5.2.tgz (Vulnerable Library)

Found in HEAD commit: 68fd2052d0efc0a5cca85867e764d93cc98974bc

Found in base branch: master

Vulnerability Details

qs before 6.10.3, as used in Express before 4.17.3 and other products, allows attackers to cause a Node process hang for an Express application because an __ proto__ key can be used. In many typical Express use cases, an unauthenticated remote attacker can place the attack payload in the query string of the URL that is used to visit the application, such as a[proto]=b&a[proto]&a[length]=100000000. The fix was backported to qs 6.9.7, 6.8.3, 6.7.3, 6.6.1, 6.5.3, 6.4.1, 6.3.3, and 6.2.4 (and therefore Express 4.17.3, which has "deps: [email protected]" in its release description, is not vulnerable).

Publish Date: 2022-11-26

URL: CVE-2022-24999

CVSS 3 Score Details (7.5)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2022-24999

Release Date: 2022-11-26

Fix Resolution (qs): 6.5.3

Direct dependency fix Resolution (express): 4.17.0

Step up your Open Source Security Game with Mend here

jade-1.11.0.tgz: 5 vulnerabilities (highest severity is: 10.0)

Vulnerable Library - jade-1.11.0.tgz

Path to dependency file: /BUT2/Codes/S3/R3.01/TP3/sport-track-db/express_webapp/package.json

Path to vulnerable library: /BUT2/Codes/S3/R3.01/TP3/sport-track-db/express_webapp/package.json

Found in HEAD commit: b85d529ab67936920b3cba059f835857c987df1d

Vulnerabilities

CVE	Severity	CVSS	Dependency	Type	Fixed in (jade version)	Remediation Possible**
WS-2019-0217	Critical	10.0	constantinople-3.0.2.tgz	Transitive	N/A*	❌
WS-2018-0068	Critical	9.8	constantinople-3.0.2.tgz	Transitive	N/A*	❌
CVE-2015-8857	Critical	9.8	uglify-js-2.2.5.tgz	Transitive	N/A*	❌
CVE-2015-8858	High	7.5	uglify-js-2.2.5.tgz	Transitive	N/A*	❌
WS-2019-0017	Medium	5.3	clean-css-3.4.28.tgz	Transitive	N/A*	❌

*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

WS-2019-0217

Vulnerable Library - constantinople-3.0.2.tgz

Determine whether a JavaScript expression evaluates to a constant (using UglifyJS)

Library home page: https://registry.npmjs.org/constantinople/-/constantinople-3.0.2.tgz

Path to dependency file: /BUT2/Codes/S3/R3.01/TP3/sport-track-db/express_webapp/package.json

Path to vulnerable library: /BUT2/Codes/S3/R3.01/TP3/sport-track-db/express_webapp/package.json

Dependency Hierarchy:

jade-1.11.0.tgz (Root Library)
- ❌ constantinople-3.0.2.tgz (Vulnerable Library)

Found in HEAD commit: b85d529ab67936920b3cba059f835857c987df1d

Found in base branch: master

Vulnerability Details

constantinople before 3.1.1 affected by a sandbox bypass.

Publish Date: 2018-02-09

URL: WS-2019-0217

CVSS 3 Score Details (10.0)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Changed
Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/568

Release Date: 2018-02-09

Fix Resolution: 3.1.1

Step up your Open Source Security Game with Mend here

WS-2018-0068

Vulnerable Library - constantinople-3.0.2.tgz

Determine whether a JavaScript expression evaluates to a constant (using UglifyJS)

Library home page: https://registry.npmjs.org/constantinople/-/constantinople-3.0.2.tgz

Path to dependency file: /BUT2/Codes/S3/R3.01/TP3/sport-track-db/express_webapp/package.json

Path to vulnerable library: /BUT2/Codes/S3/R3.01/TP3/sport-track-db/express_webapp/package.json

Dependency Hierarchy:

jade-1.11.0.tgz (Root Library)
- ❌ constantinople-3.0.2.tgz (Vulnerable Library)

Found in HEAD commit: b85d529ab67936920b3cba059f835857c987df1d

Found in base branch: master

Vulnerability Details

Versions of constantinople prior to 3.1.1 are vulnerable to a sandbox bypass which can lead to arbitrary code execution.

Publish Date: 2018-04-21

URL: WS-2018-0068

CVSS 3 Score Details (9.8)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nodesecurity.io/advisories/568

Release Date: 2018-01-24

Fix Resolution: 3.1.1

Step up your Open Source Security Game with Mend here

CVE-2015-8857

Vulnerable Library - uglify-js-2.2.5.tgz

JavaScript parser, mangler/compressor and beautifier toolkit

Library home page: https://registry.npmjs.org/uglify-js/-/uglify-js-2.2.5.tgz

Path to dependency file: /BUT2/Codes/S3/R3.01/TP3/sport-track-db/express_webapp/package.json

Path to vulnerable library: /BUT2/Codes/S3/R3.01/TP3/sport-track-db/express_webapp/package.json

Dependency Hierarchy:

jade-1.11.0.tgz (Root Library)
- transformers-2.1.0.tgz
  - ❌ uglify-js-2.2.5.tgz (Vulnerable Library)

Found in HEAD commit: b85d529ab67936920b3cba059f835857c987df1d

Found in base branch: master

Vulnerability Details

The uglify-js package before 2.4.24 for Node.js does not properly account for non-boolean values when rewriting boolean expressions, which might allow attackers to bypass security mechanisms or possibly have unspecified other impact by leveraging improperly rewritten Javascript.

Publish Date: 2017-01-23

URL: CVE-2015-8857

CVSS 3 Score Details (9.8)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8858

Release Date: 2017-01-23

Fix Resolution: v2.4.24

Step up your Open Source Security Game with Mend here

CVE-2015-8858

Vulnerable Library - uglify-js-2.2.5.tgz

JavaScript parser, mangler/compressor and beautifier toolkit

Library home page: https://registry.npmjs.org/uglify-js/-/uglify-js-2.2.5.tgz

Path to dependency file: /BUT2/Codes/S3/R3.01/TP3/sport-track-db/express_webapp/package.json

Path to vulnerable library: /BUT2/Codes/S3/R3.01/TP3/sport-track-db/express_webapp/package.json

Dependency Hierarchy:

jade-1.11.0.tgz (Root Library)
- transformers-2.1.0.tgz
  - ❌ uglify-js-2.2.5.tgz (Vulnerable Library)

Found in HEAD commit: b85d529ab67936920b3cba059f835857c987df1d

Found in base branch: master

Vulnerability Details

The uglify-js package before 2.6.0 for Node.js allows attackers to cause a denial of service (CPU consumption) via crafted input in a parse call, aka a "regular expression denial of service (ReDoS)."

Publish Date: 2017-01-23

URL: CVE-2015-8858

CVSS 3 Score Details (7.5)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8858

Release Date: 2017-01-23

Fix Resolution: v2.6.0

Step up your Open Source Security Game with Mend here

WS-2019-0017

Vulnerable Library - clean-css-3.4.28.tgz

A well-tested CSS minifier

Library home page: https://registry.npmjs.org/clean-css/-/clean-css-3.4.28.tgz

Path to dependency file: /BUT2/Codes/S3/R3.01/TP3/sport-track-db/express_webapp/package.json

Path to vulnerable library: /BUT2/Codes/S3/R3.01/TP3/sport-track-db/express_webapp/package.json

Dependency Hierarchy:

jade-1.11.0.tgz (Root Library)
- ❌ clean-css-3.4.28.tgz (Vulnerable Library)

Found in HEAD commit: b85d529ab67936920b3cba059f835857c987df1d

Found in base branch: master

Vulnerability Details

Version of clean-css prior to 4.1.11 are vulnerable to Regular Expression Denial of Service (ReDoS). Untrusted input may cause catastrophic backtracking while matching regular expressions. This can cause the application to be unresponsive leading to Denial of Service.

Publish Date: 2018-03-06

URL: WS-2019-0017

CVSS 3 Score Details (5.3)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-wxhq-pm8v-cw75

Release Date: 2018-03-06

Fix Resolution: clean-css - 4.1.11

Step up your Open Source Security Game with Mend here

junit-4.11.jar: 1 vulnerabilities (highest severity is: 5.5)

Vulnerable Library - junit-4.11.jar

JUnit is a regression testing framework written by Erich Gamma and Kent Beck. It is used by the developer who implements unit tests in Java.

Library home page: http://junit.org

Path to vulnerable library: /BUT1/Codes/R2.03/TPTestJUnit/lib/junit-4.11.jar,/BUT1/Codes/R2.03/TPMoney/lib/junit-4.11.jar,/BUT1/Moodle/S2/R2.03/JUnit/junit-4.11.jar

Found in HEAD commit: 68fd2052d0efc0a5cca85867e764d93cc98974bc

Vulnerabilities

CVE	Severity	CVSS	Dependency	Type	Fixed in (junit version)	Remediation Possible**
CVE-2020-15250	Medium	5.5	junit-4.11.jar	Direct	4.13.1	❌

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2020-15250

Vulnerable Library - junit-4.11.jar

JUnit is a regression testing framework written by Erich Gamma and Kent Beck. It is used by the developer who implements unit tests in Java.

Library home page: http://junit.org

Path to vulnerable library: /BUT1/Codes/R2.03/TPTestJUnit/lib/junit-4.11.jar,/BUT1/Codes/R2.03/TPMoney/lib/junit-4.11.jar,/BUT1/Moodle/S2/R2.03/JUnit/junit-4.11.jar

Dependency Hierarchy:

❌ junit-4.11.jar (Vulnerable Library)

Found in HEAD commit: 68fd2052d0efc0a5cca85867e764d93cc98974bc

Found in base branch: master

Vulnerability Details

In JUnit4 from version 4.7 and before 4.13.1, the test rule TemporaryFolder contains a local information disclosure vulnerability. On Unix like systems, the system's temporary directory is shared between all users on that system. Because of this, when files and directories are written into this directory they are, by default, readable by other users on that same system. This vulnerability does not allow other users to overwrite the contents of these directories or files. This is purely an information disclosure vulnerability. This vulnerability impacts you if the JUnit tests write sensitive information, like API keys or passwords, into the temporary folder, and the JUnit tests execute in an environment where the OS has other untrusted users. Because certain JDK file system APIs were only added in JDK 1.7, this this fix is dependent upon the version of the JDK you are using. For Java 1.7 and higher users: this vulnerability is fixed in 4.13.1. For Java 1.6 and lower users: no patch is available, you must use the workaround below. If you are unable to patch, or are stuck running on Java 1.6, specifying the java.io.tmpdir system environment variable to a directory that is exclusively owned by the executing user will fix this vulnerability. For more information, including an example of vulnerable code, see the referenced GitHub Security Advisory.

Publish Date: 2020-10-12

URL: CVE-2020-15250

CVSS 3 Score Details (5.5)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-269g-pwp5-87pp

Release Date: 2020-10-12

Fix Resolution: 4.13.1

Step up your Open Source Security Game with Mend here

express-generator-4.16.1.tgz: 5 vulnerabilities (highest severity is: 9.8)

Vulnerable Library - express-generator-4.16.1.tgz

Path to dependency file: /BUT2/Codes/S3/R3.01/TP3/sport-track-db/package.json

Path to vulnerable library: /BUT2/Codes/S3/R3.01/TP3/sport-track-db/package.json

Found in HEAD commit: b85d529ab67936920b3cba059f835857c987df1d

Vulnerabilities

CVE	Severity	CVSS	Dependency	Type	Fixed in (express-generator version)	Remediation Possible**
WS-2021-0153	Critical	9.8	ejs-2.6.1.tgz	Transitive	N/A*	❌
CVE-2022-29078	Critical	9.8	ejs-2.6.1.tgz	Transitive	N/A*	❌
CVE-2021-44906	Critical	9.8	minimist-0.0.8.tgz	Transitive	N/A*	❌
CVE-2022-3517	High	7.5	minimatch-3.0.4.tgz	Transitive	N/A*	❌
CVE-2020-7598	Medium	5.6	minimist-0.0.8.tgz	Transitive	N/A*	❌

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

WS-2021-0153

Vulnerable Library - ejs-2.6.1.tgz

Embedded JavaScript templates

Library home page: https://registry.npmjs.org/ejs/-/ejs-2.6.1.tgz

Path to dependency file: /BUT2/Codes/S3/R3.01/TP3/sport-track-db/package.json

Path to vulnerable library: /BUT2/Codes/S3/R3.01/TP3/sport-track-db/package.json

Dependency Hierarchy:

express-generator-4.16.1.tgz (Root Library)
- ❌ ejs-2.6.1.tgz (Vulnerable Library)

Found in HEAD commit: b85d529ab67936920b3cba059f835857c987df1d

Found in base branch: master

Vulnerability Details

Arbitrary Code Injection vulnerability was found in ejs before 3.1.6. Caused by filename which isn't sanitized for display.

Publish Date: 2021-01-22

URL: WS-2021-0153

CVSS 3 Score Details (9.8)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2021-01-22

Fix Resolution: ejs - 3.1.6

Step up your Open Source Security Game with Mend here

CVE-2022-29078

Vulnerable Library - ejs-2.6.1.tgz

Embedded JavaScript templates

Library home page: https://registry.npmjs.org/ejs/-/ejs-2.6.1.tgz

Path to dependency file: /BUT2/Codes/S3/R3.01/TP3/sport-track-db/package.json

Path to vulnerable library: /BUT2/Codes/S3/R3.01/TP3/sport-track-db/package.json

Dependency Hierarchy:

express-generator-4.16.1.tgz (Root Library)
- ❌ ejs-2.6.1.tgz (Vulnerable Library)

Found in HEAD commit: b85d529ab67936920b3cba059f835857c987df1d

Found in base branch: master

Vulnerability Details

The ejs (aka Embedded JavaScript templates) package 3.1.6 for Node.js allows server-side template injection in settings[view options][outputFunctionName]. This is parsed as an internal option, and overwrites the outputFunctionName option with an arbitrary OS command (which is executed upon template compilation).

Publish Date: 2022-04-25

URL: CVE-2022-29078

CVSS 3 Score Details (9.8)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29078~

Release Date: 2022-04-25

Fix Resolution: ejs - v3.1.7

Step up your Open Source Security Game with Mend here

CVE-2021-44906

Vulnerable Library - minimist-0.0.8.tgz

parse argument options

Library home page: https://registry.npmjs.org/minimist/-/minimist-0.0.8.tgz

Path to dependency file: /BUT2/Codes/S3/R3.01/TP3/sport-track-db/package.json

Path to vulnerable library: /BUT2/Codes/S3/R3.01/TP3/sport-track-db/package.json

Dependency Hierarchy:

express-generator-4.16.1.tgz (Root Library)
- mkdirp-0.5.1.tgz
  - ❌ minimist-0.0.8.tgz (Vulnerable Library)

Found in HEAD commit: b85d529ab67936920b3cba059f835857c987df1d

Found in base branch: master

Vulnerability Details

Minimist <=1.2.5 is vulnerable to Prototype Pollution via file index.js, function setKey() (lines 69-95).

Publish Date: 2022-03-17

URL: CVE-2021-44906

CVSS 3 Score Details (9.8)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-xvch-5gv4-984h

Release Date: 2022-03-17

Fix Resolution: minimist - 0.2.4,1.2.6

Step up your Open Source Security Game with Mend here

CVE-2022-3517

Vulnerable Library - minimatch-3.0.4.tgz

a glob matcher in javascript

Library home page: https://registry.npmjs.org/minimatch/-/minimatch-3.0.4.tgz

Path to dependency file: /BUT2/Codes/S3/R3.01/TP3/sport-track-db/package.json

Path to vulnerable library: /BUT2/Codes/S3/R3.01/TP3/sport-track-db/package.json

Dependency Hierarchy:

express-generator-4.16.1.tgz (Root Library)
- ❌ minimatch-3.0.4.tgz (Vulnerable Library)

Found in HEAD commit: b85d529ab67936920b3cba059f835857c987df1d

Found in base branch: master

Vulnerability Details

A vulnerability was found in the minimatch package. This flaw allows a Regular Expression Denial of Service (ReDoS) when calling the braceExpand function with specific arguments, resulting in a Denial of Service.

Publish Date: 2022-10-17

URL: CVE-2022-3517

CVSS 3 Score Details (7.5)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2022-10-17

Fix Resolution: minimatch - 3.0.5

Step up your Open Source Security Game with Mend here

CVE-2020-7598

Vulnerable Library - minimist-0.0.8.tgz

parse argument options

Library home page: https://registry.npmjs.org/minimist/-/minimist-0.0.8.tgz

Path to dependency file: /BUT2/Codes/S3/R3.01/TP3/sport-track-db/package.json

Path to vulnerable library: /BUT2/Codes/S3/R3.01/TP3/sport-track-db/package.json

Dependency Hierarchy:

express-generator-4.16.1.tgz (Root Library)
- mkdirp-0.5.1.tgz
  - ❌ minimist-0.0.8.tgz (Vulnerable Library)

Found in HEAD commit: b85d529ab67936920b3cba059f835857c987df1d

Found in base branch: master

Vulnerability Details

minimist before 1.2.2 could be tricked into adding or modifying properties of Object.prototype using a "constructor" or "proto" payload.

Publish Date: 2020-03-11

URL: CVE-2020-7598

CVSS 3 Score Details (5.6)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2020-03-11

Fix Resolution: minimist - 0.2.1,1.2.3

Step up your Open Source Security Game with Mend here

sqlite3-5.1.7.tgz: 1 vulnerabilities (highest severity is: 9.8)

Vulnerable Library - sqlite3-5.1.7.tgz

Path to dependency file: /BUT2/Codes/S3/R3.01/TP3/sport-track-db/express_webapp/package.json

Path to vulnerable library: /BUT2/Codes/S3/R3.01/TP3/sport-track-db/package.json,/BUT2/Codes/S3/R3.01/TP3/sport-track-db/express_webapp/package.json

Found in HEAD commit: b85d529ab67936920b3cba059f835857c987df1d

Vulnerabilities

CVE	Severity	CVSS	Dependency	Type	Fixed in (sqlite3 version)	Remediation Possible**
CVE-2023-42282	Critical	9.8	ip-2.0.0.tgz	Transitive	N/A*	❌

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2023-42282

Vulnerable Library - ip-2.0.0.tgz

[![](https://badge.fury.io/js/ip.svg)](https://www.npmjs.com/package/ip)

Library home page: https://registry.npmjs.org/ip/-/ip-2.0.0.tgz

Path to dependency file: /BUT2/Codes/S3/R3.01/TP3/sport-track-db/package.json

Path to vulnerable library: /BUT2/Codes/S3/R3.01/TP3/sport-track-db/package.json,/BUT2/Codes/S3/R3.01/TP3/sport-track-db/express_webapp/package.json

Dependency Hierarchy:

sqlite3-5.1.7.tgz (Root Library)
- node-gyp-8.4.1.tgz
  - make-fetch-happen-9.1.0.tgz
    - socks-proxy-agent-6.2.1.tgz
      - socks-2.7.1.tgz
        
        ❌ ip-2.0.0.tgz (Vulnerable Library)

Found in HEAD commit: b85d529ab67936920b3cba059f835857c987df1d

Found in base branch: master

Vulnerability Details

The ip package before 1.1.9 for Node.js might allow SSRF because some IP addresses (such as 0x7f.1) are improperly categorized as globally routable via isPublic.

Publish Date: 2024-02-08

URL: CVE-2023-42282

CVSS 3 Score Details (9.8)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-78xj-cgh5-2h22

Release Date: 2024-02-08

Fix Resolution: ip - 1.1.9,2.0.1

Step up your Open Source Security Game with Mend here

jekyll-4.2.0.gem: 1 vulnerabilities (highest severity is: 7.5)

Vulnerable Library - jekyll-4.2.0.gem

Path to dependency file: /BUT2/Moodle/S4/Parcours A/R4.A.13/cs231n.github.io - Convolutional Neural Networks for Visual Recognition - Stanford/Gemfile.lock

Path to vulnerable library: /home/wss-scanner/.gem/ruby/3.2.0/cache/addressable-2.7.0.gem

Found in HEAD commit: b85d529ab67936920b3cba059f835857c987df1d

Vulnerabilities

CVE	Severity	CVSS	Dependency	Type	Fixed in (jekyll version)	Remediation Possible**
CVE-2021-32740	High	7.5	addressable-2.7.0.gem	Transitive	N/A*	❌

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2021-32740

Vulnerable Library - addressable-2.7.0.gem

Addressable is an alternative implementation to the URI implementation that is part of Ruby's standard library. It is flexible, offers heuristic parsing, and additionally provides extensive support for IRIs and URI templates.

Library home page: https://rubygems.org/gems/addressable-2.7.0.gem

Path to dependency file: /BUT2/Moodle/S4/Parcours A/R4.A.13/cs231n.github.io - Convolutional Neural Networks for Visual Recognition - Stanford/Gemfile.lock

Path to vulnerable library: /home/wss-scanner/.gem/ruby/3.2.0/cache/addressable-2.7.0.gem

Dependency Hierarchy:

jekyll-4.2.0.gem (Root Library)
- ❌ addressable-2.7.0.gem (Vulnerable Library)

Found in HEAD commit: b85d529ab67936920b3cba059f835857c987df1d

Found in base branch: master

Vulnerability Details

Addressable is an alternative implementation to the URI implementation that is part of Ruby's standard library. An uncontrolled resource consumption vulnerability exists after version 2.3.0 through version 2.7.0. Within the URI template implementation in Addressable, a maliciously crafted template may result in uncontrolled resource consumption, leading to denial of service when matched against a URI. In typical usage, templates would not normally be read from untrusted user input, but nonetheless, no previous security advisory for Addressable has cautioned against doing this. Users of the parsing capabilities in Addressable but not the URI template capabilities are unaffected. The vulnerability is patched in version 2.8.0. As a workaround, only create Template objects from trusted sources that have been validated not to produce catastrophic backtracking.

Publish Date: 2021-07-06

URL: CVE-2021-32740

CVSS 3 Score Details (7.5)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-jxhc-q857-3j6g

Release Date: 2021-07-06

Fix Resolution: addressable - 2.8.0

Step up your Open Source Security Game with Mend here