example-npm-circle's Issues
CVE-2020-7598 (Medium) detected in minimist-0.0.10.tgz
CVE-2020-7598 - Medium Severity Vulnerability
Vulnerable Library - minimist-0.0.10.tgz
parse argument options
Library home page: https://registry.npmjs.org/minimist/-/minimist-0.0.10.tgz
Path to dependency file: /tmp/ws-scm/example-npm-circle/package.json
Path to vulnerable library: /tmp/ws-scm/example-npm-circle/node_modules/minimist/package.json
Dependency Hierarchy:
- handlebars-4.5.3.tgz (Root Library)
  - optimist-0.6.1.tgz
    - ❌ minimist-0.0.10.tgz (Vulnerable Library)
Found in HEAD commit: dc622c22bc07e86cb43ca6e4c1562a92588218bc
Vulnerability Details
minimist before 1.2.2 could be tricked into adding or modifying properties of Object.prototype using a `constructor` or `__proto__` payload.
Publish Date: 2020-03-11
URL: CVE-2020-7598
CVSS 3 Score Details (5.6)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: High
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: Low
  - Integrity Impact: Low
  - Availability Impact: Low
Suggested Fix
Type: Upgrade version
Origin: https://github.com/substack/minimist/commit/63e7ed05aa4b1889ec2f3b196426db4500cbda94
Release Date: 2020-03-11
Fix Resolution: minimist - 0.2.1,1.2.3
WS-2020-0070 (High) detected in lodash-4.17.11.tgz
WS-2020-0070 - High Severity Vulnerability
Vulnerable Library - lodash-4.17.11.tgz
Lodash modular utilities.
Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.11.tgz
Path to dependency file: /tmp/ws-scm/example-npm-circle/package.json
Path to vulnerable library: /example-npm-circle/node_modules/lodash/package.json
Dependency Hierarchy:
- ❌ lodash-4.17.11.tgz (Vulnerable Library)
Found in HEAD commit: dc622c22bc07e86cb43ca6e4c1562a92588218bc
Vulnerability Details
A prototype pollution vulnerability in lodash allows an attacker to inject properties on Object.prototype.
Publish Date: 2020-04-28
URL: WS-2020-0070
CVSS 3 Score Details (8.1)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: High
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High
WS-2019-0331 (Medium) detected in handlebars-4.4.5.tgz
WS-2019-0331 - Medium Severity Vulnerability
Vulnerable Library - handlebars-4.4.5.tgz
Handlebars provides the power necessary to let you build semantic templates effectively with no frustration
Library home page: https://registry.npmjs.org/handlebars/-/handlebars-4.4.5.tgz
Path to dependency file: /tmp/ws-scm/example-npm-circle/package.json
Path to vulnerable library: /example-npm-circle/node_modules/handlebars/package.json
Dependency Hierarchy:
- ❌ handlebars-4.4.5.tgz (Vulnerable Library)
Found in HEAD commit: 6510bdb836382c20430023990e14a2e6c6aef3d7
Vulnerability Details
Arbitrary Code Execution vulnerability found in handlebars before 4.5.2. The lookup helper fails to validate templates. An attacker may submit templates that execute arbitrary JavaScript on the system.
Publish Date: 2019-11-13
URL: WS-2019-0331
Suggested Fix
Type: Upgrade version
Origin: https://www.npmjs.com/advisories/1316
Release Date: 2019-12-05
Fix Resolution: handlebars - 4.5.2
CVE-2020-7598 (Medium) detected in minimist-0.0.10.tgz
CVE-2020-7598 - Medium Severity Vulnerability
Vulnerable Library - minimist-0.0.10.tgz
parse argument options
Library home page: https://registry.npmjs.org/minimist/-/minimist-0.0.10.tgz
Path to dependency file: /tmp/ws-scm/example-npm-circle/package.json
Path to vulnerable library: /tmp/ws-scm/example-npm-circle/node_modules/minimist/package.json
Dependency Hierarchy:
- handlebars-4.5.2.tgz (Root Library)
  - optimist-0.6.1.tgz
    - ❌ minimist-0.0.10.tgz (Vulnerable Library)
Found in HEAD commit: e8f81fa1be5b23fbe5cdb37ae0a33abd6cc0741e
Vulnerability Details
minimist before 1.2.2 could be tricked into adding or modifying properties of Object.prototype using a `constructor` or `__proto__` payload.
Publish Date: 2020-03-11
URL: CVE-2020-7598
CVSS 3 Score Details (5.6)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: High
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: Low
  - Integrity Impact: Low
  - Availability Impact: Low
Suggested Fix
Type: Upgrade version
Origin: https://github.com/substack/minimist/commit/63e7ed05aa4b1889ec2f3b196426db4500cbda94
Release Date: 2020-03-11
Fix Resolution: minimist - 0.2.1,1.2.3
CVE-2015-9251 (Medium) detected in jquery-1.7.1.min.js, jquery-1.4.4.min.js
CVE-2015-9251 - Medium Severity Vulnerability
Vulnerable Libraries - jquery-1.7.1.min.js, jquery-1.4.4.min.js
jquery-1.7.1.min.js
JavaScript library for DOM operations
Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.7.1/jquery.min.js
Path to dependency file: /tmp/ws-scm/example-npm-circle/node_modules/sockjs/examples/express/index.html
Path to vulnerable library: /example-npm-circle/node_modules/sockjs/examples/express/index.html,/example-npm-circle/node_modules/sockjs/examples/echo/index.html,/example-npm-circle/node_modules/sockjs/examples/hapi/html/index.html,/example-npm-circle/node_modules/sockjs/examples/multiplex/index.html,/example-npm-circle/node_modules/sockjs/examples/express-3.x/index.html
Dependency Hierarchy:
- ❌ jquery-1.7.1.min.js (Vulnerable Library)
jquery-1.4.4.min.js
JavaScript library for DOM operations
Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.4.4/jquery.min.js
Path to dependency file: /tmp/ws-scm/example-npm-circle/node_modules/selenium-webdriver/lib/test/data/draggableLists.html
Path to vulnerable library: /example-npm-circle/node_modules/selenium-webdriver/lib/test/data/js/jquery-1.4.4.min.js
Dependency Hierarchy:
- ❌ jquery-1.4.4.min.js (Vulnerable Library)
Found in HEAD commit: 4b9d35337365451db5cf7aad10d58ff1a3dc8acd
Vulnerability Details
jQuery before 3.0.0 is vulnerable to Cross-site Scripting (XSS) attacks when a cross-domain Ajax request is performed without the dataType option, causing text/javascript responses to be executed.
Publish Date: 2018-01-18
URL: CVE-2015-9251
CVSS 3 Score Details (6.1)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: Required
  - Scope: Changed
- Impact Metrics:
  - Confidentiality Impact: Low
  - Integrity Impact: Low
  - Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2015-9251
Release Date: 2018-01-18
Fix Resolution: jQuery - v3.0.0
CVE-2019-10742 (High) detected in axios-0.18.0.tgz
CVE-2019-10742 - High Severity Vulnerability
Vulnerable Library - axios-0.18.0.tgz
Promise based HTTP client for the browser and node.js
Library home page: https://registry.npmjs.org/axios/-/axios-0.18.0.tgz
Path to dependency file: /tmp/ws-scm/example-npm-circle/package.json
Path to vulnerable library: /example-npm-circle/node_modules/axios/package.json
Dependency Hierarchy:
- ❌ axios-0.18.0.tgz (Vulnerable Library)
Found in HEAD commit: dc622c22bc07e86cb43ca6e4c1562a92588218bc
Vulnerability Details
Axios up to and including 0.18.0 allows attackers to cause a denial of service (application crash) by continuing to accept content after maxContentLength is exceeded.
Publish Date: 2019-05-07
URL: CVE-2019-10742
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: axios/axios#1098
Release Date: 2019-05-31
Fix Resolution: 0.19.0
CVE-2019-10746 (High) detected in mixin-deep-1.3.1.tgz
CVE-2019-10746 - High Severity Vulnerability
Vulnerable Library - mixin-deep-1.3.1.tgz
Deeply mix the properties of objects into the first object. Like merge-deep, but doesn't clone.
Library home page: https://registry.npmjs.org/mixin-deep/-/mixin-deep-1.3.1.tgz
Path to dependency file: /tmp/ws-scm/example-npm-circle/package.json
Path to vulnerable library: /example-npm-circle/node_modules/mixin-deep/package.json
Dependency Hierarchy:
- ❌ mixin-deep-1.3.1.tgz (Vulnerable Library)
Found in HEAD commit: e8f81fa1be5b23fbe5cdb37ae0a33abd6cc0741e
Vulnerability Details
mixin-deep is vulnerable to Prototype Pollution in versions before 1.3.2 and version 2.0.0. The function mixin-deep could be tricked into adding or modifying properties of Object.prototype using a constructor payload.
Publish Date: 2019-08-23
URL: CVE-2019-10746
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: jonschlinkert/mixin-deep@8f464c8
Release Date: 2019-07-11
Fix Resolution: 1.3.2,2.0.1
WS-2019-0333 (Medium) detected in handlebars-4.5.2.tgz
WS-2019-0333 - Medium Severity Vulnerability
Vulnerable Library - handlebars-4.5.2.tgz
Handlebars provides the power necessary to let you build semantic templates effectively with no frustration
Library home page: https://registry.npmjs.org/handlebars/-/handlebars-4.5.2.tgz
Path to dependency file: /tmp/ws-scm/example-npm-circle/package.json
Path to vulnerable library: /example-npm-circle/node_modules/handlebars/package.json
Dependency Hierarchy:
- ❌ handlebars-4.5.2.tgz (Vulnerable Library)
Found in HEAD commit: e8f81fa1be5b23fbe5cdb37ae0a33abd6cc0741e
Vulnerability Details
Prototype Pollution vulnerability found in handlebars 1.0.6 before 4.5.3. It is possible to add or modify properties to the Object prototype through a malicious template. Attacker may crash the application or execute Arbitrary Code in specific conditions.
Publish Date: 2019-11-18
URL: WS-2019-0333
Suggested Fix
Type: Upgrade version
Origin: https://www.npmjs.com/advisories/1325
Release Date: 2019-12-05
Fix Resolution: handlebars - 4.5.3
CVE-2020-7608 (High) detected in yargs-parser-11.1.1.tgz
CVE-2020-7608 - High Severity Vulnerability
Vulnerable Library - yargs-parser-11.1.1.tgz
the mighty option parser used by yargs
Library home page: https://registry.npmjs.org/yargs-parser/-/yargs-parser-11.1.1.tgz
Path to dependency file: /tmp/ws-scm/example-npm-circle/package.json
Path to vulnerable library: /tmp/ws-scm/example-npm-circle/node_modules/yargs-parser/package.json
Dependency Hierarchy:
- protractor-5.4.4.tgz (Root Library)
  - yargs-12.0.5.tgz
    - ❌ yargs-parser-11.1.1.tgz (Vulnerable Library)
Found in HEAD commit: 4b9d35337365451db5cf7aad10d58ff1a3dc8acd
Vulnerability Details
yargs-parser could be tricked into adding or modifying properties of Object.prototype using a `__proto__` payload.
Publish Date: 2020-03-16
URL: CVE-2020-7608
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: High
  - Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7608
Release Date: 2020-03-16
Fix Resolution: v18.1.1;13.1.2;15.0.1
CVE-2012-6708 (Medium) detected in jquery-1.7.1.min.js, jquery-1.4.4.min.js
CVE-2012-6708 - Medium Severity Vulnerability
Vulnerable Libraries - jquery-1.7.1.min.js, jquery-1.4.4.min.js
jquery-1.7.1.min.js
JavaScript library for DOM operations
Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.7.1/jquery.min.js
Path to dependency file: /tmp/ws-scm/example-npm-circle/node_modules/sockjs/examples/express/index.html
Path to vulnerable library: /example-npm-circle/node_modules/sockjs/examples/express/index.html,/example-npm-circle/node_modules/sockjs/examples/echo/index.html,/example-npm-circle/node_modules/sockjs/examples/hapi/html/index.html,/example-npm-circle/node_modules/sockjs/examples/multiplex/index.html,/example-npm-circle/node_modules/sockjs/examples/express-3.x/index.html
Dependency Hierarchy:
- ❌ jquery-1.7.1.min.js (Vulnerable Library)
jquery-1.4.4.min.js
JavaScript library for DOM operations
Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.4.4/jquery.min.js
Path to dependency file: /tmp/ws-scm/example-npm-circle/node_modules/selenium-webdriver/lib/test/data/draggableLists.html
Path to vulnerable library: /example-npm-circle/node_modules/selenium-webdriver/lib/test/data/js/jquery-1.4.4.min.js
Dependency Hierarchy:
- ❌ jquery-1.4.4.min.js (Vulnerable Library)
Found in HEAD commit: 4b9d35337365451db5cf7aad10d58ff1a3dc8acd
Vulnerability Details
jQuery before 1.9.0 is vulnerable to Cross-site Scripting (XSS) attacks. The jQuery(strInput) function does not differentiate selectors from HTML in a reliable fashion. In vulnerable versions, jQuery determined whether the input was HTML by looking for the '<' character anywhere in the string, giving attackers more flexibility when attempting to construct a malicious payload. In fixed versions, jQuery only deems the input to be HTML if it explicitly starts with the '<' character, limiting exploitability only to attackers who can control the beginning of a string, which is far less common.
Publish Date: 2018-01-18
URL: CVE-2012-6708
CVSS 3 Score Details (6.1)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: Required
  - Scope: Changed
- Impact Metrics:
  - Confidentiality Impact: Low
  - Integrity Impact: Low
  - Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2012-6708
Release Date: 2018-01-18
Fix Resolution: jQuery - v1.9.0
WS-2019-0332 (Medium) detected in handlebars-4.5.2.tgz
WS-2019-0332 - Medium Severity Vulnerability
Vulnerable Library - handlebars-4.5.2.tgz
Handlebars provides the power necessary to let you build semantic templates effectively with no frustration
Library home page: https://registry.npmjs.org/handlebars/-/handlebars-4.5.2.tgz
Path to dependency file: /tmp/ws-scm/example-npm-circle/package.json
Path to vulnerable library: /example-npm-circle/node_modules/handlebars/package.json
Dependency Hierarchy:
- ❌ handlebars-4.5.2.tgz (Vulnerable Library)
Found in HEAD commit: e8f81fa1be5b23fbe5cdb37ae0a33abd6cc0741e
Vulnerability Details
Arbitrary Code Execution vulnerability found in handlebars before 4.5.3. The lookup helper fails to validate templates. An attacker may submit templates that execute arbitrary JavaScript on the system. It is due to an incomplete fix for WS-2019-0331.
Publish Date: 2019-11-17
URL: WS-2019-0332
Suggested Fix
Type: Upgrade version
Origin: https://www.npmjs.com/advisories/1324
Release Date: 2019-12-05
Fix Resolution: handlebars - 4.5.3
CVE-2019-10742 (High) detected in axios-0.18.0.tgz
CVE-2019-10742 - High Severity Vulnerability
Vulnerable Library - axios-0.18.0.tgz
Promise based HTTP client for the browser and node.js
Library home page: https://registry.npmjs.org/axios/-/axios-0.18.0.tgz
Path to dependency file: /tmp/ws-scm/example-npm-circle/package.json
Path to vulnerable library: /example-npm-circle/node_modules/axios/package.json
Dependency Hierarchy:
- ❌ axios-0.18.0.tgz (Vulnerable Library)
Found in HEAD commit: e8f81fa1be5b23fbe5cdb37ae0a33abd6cc0741e
Vulnerability Details
Axios up to and including 0.18.0 allows attackers to cause a denial of service (application crash) by continuing to accept content after maxContentLength is exceeded.
Publish Date: 2019-05-07
URL: CVE-2019-10742
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: axios/axios#1098
Release Date: 2019-05-31
Fix Resolution: 0.19.0
CVE-2019-15657 (High) detected in eslint-utils-1.3.1.tgz
CVE-2019-15657 - High Severity Vulnerability
Vulnerable Library - eslint-utils-1.3.1.tgz
Utilities for ESLint plugins.
Library home page: https://registry.npmjs.org/eslint-utils/-/eslint-utils-1.3.1.tgz
Path to dependency file: /tmp/ws-scm/example-npm-circle/package.json
Path to vulnerable library: /example-npm-circle/node_modules/eslint-utils/package.json
Dependency Hierarchy:
- ❌ eslint-utils-1.3.1.tgz (Vulnerable Library)
Found in HEAD commit: e8f81fa1be5b23fbe5cdb37ae0a33abd6cc0741e
Vulnerability Details
In eslint-utils before 1.4.1, the getStaticValue function can execute arbitrary code.
Publish Date: 2019-08-26
URL: CVE-2019-15657
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15657
Release Date: 2019-08-26
Fix Resolution: 1.4.1
CVE-2019-10746 (High) detected in mixin-deep-1.3.1.tgz
CVE-2019-10746 - High Severity Vulnerability
Vulnerable Library - mixin-deep-1.3.1.tgz
Deeply mix the properties of objects into the first object. Like merge-deep, but doesn't clone.
Library home page: https://registry.npmjs.org/mixin-deep/-/mixin-deep-1.3.1.tgz
Path to dependency file: /tmp/ws-scm/example-npm-circle/package.json
Path to vulnerable library: /example-npm-circle/node_modules/mixin-deep/package.json
Dependency Hierarchy:
- ❌ mixin-deep-1.3.1.tgz (Vulnerable Library)
Found in HEAD commit: dc622c22bc07e86cb43ca6e4c1562a92588218bc
Vulnerability Details
mixin-deep is vulnerable to Prototype Pollution in versions before 1.3.2 and version 2.0.0. The function mixin-deep could be tricked into adding or modifying properties of Object.prototype using a constructor payload.
Publish Date: 2019-08-23
URL: CVE-2019-10746
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: jonschlinkert/mixin-deep@8f464c8
Release Date: 2019-07-11
Fix Resolution: 1.3.2,2.0.1
CVE-2019-15657 (High) detected in eslint-utils-1.3.1.tgz
CVE-2019-15657 - High Severity Vulnerability
Vulnerable Library - eslint-utils-1.3.1.tgz
Utilities for ESLint plugins.
Library home page: https://registry.npmjs.org/eslint-utils/-/eslint-utils-1.3.1.tgz
Path to dependency file: /tmp/ws-scm/example-npm-circle/package.json
Path to vulnerable library: /example-npm-circle/node_modules/eslint-utils/package.json
Dependency Hierarchy:
- ❌ eslint-utils-1.3.1.tgz (Vulnerable Library)
Found in HEAD commit: dc622c22bc07e86cb43ca6e4c1562a92588218bc
Vulnerability Details
In eslint-utils before 1.4.1, the getStaticValue function can execute arbitrary code.
Publish Date: 2019-08-26
URL: CVE-2019-15657
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15657
Release Date: 2019-08-26
Fix Resolution: 1.4.1
CVE-2019-10747 (High) detected in set-value-0.4.3.tgz
CVE-2019-10747 - High Severity Vulnerability
Vulnerable Library - set-value-0.4.3.tgz
Create nested values and any intermediaries using dot notation (`'a.b.c'`) paths.
Library home page: https://registry.npmjs.org/set-value/-/set-value-0.4.3.tgz
Path to dependency file: /tmp/ws-scm/example-npm-circle/package.json
Path to vulnerable library: /example-npm-circle/node_modules/set-value/package.json
Dependency Hierarchy:
- ❌ set-value-0.4.3.tgz (Vulnerable Library)
Found in HEAD commit: dc622c22bc07e86cb43ca6e4c1562a92588218bc
Vulnerability Details
set-value is vulnerable to Prototype Pollution in versions lower than 3.0.1. The function mixin-deep could be tricked into adding or modifying properties of Object.prototype using any of the `constructor`, `prototype` and `__proto__` payloads.
Publish Date: 2019-08-23
URL: CVE-2019-10747
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: jonschlinkert/set-value@95e9d99
Release Date: 2019-07-24
Fix Resolution: 2.0.1,3.0.1
CVE-2018-20834 (High) detected in tar-4.4.1.tgz
CVE-2018-20834 - High Severity Vulnerability
Vulnerable Library - tar-4.4.1.tgz
tar for node
Library home page: https://registry.npmjs.org/tar/-/tar-4.4.1.tgz
Path to dependency file: /tmp/ws-scm/example-npm-circle/package.json
Path to vulnerable library: /example-npm-circle/node_modules/tar/package.json
Dependency Hierarchy:
- ❌ tar-4.4.1.tgz (Vulnerable Library)
Found in HEAD commit: e8f81fa1be5b23fbe5cdb37ae0a33abd6cc0741e
Vulnerability Details
A vulnerability was found in node-tar before version 4.4.2 (excluding version 2.2.2). An Arbitrary File Overwrite issue exists when extracting a tarball containing a hardlink to a file that already exists on the system, in conjunction with a later plain file with the same name as the hardlink. This plain file content replaces the existing file content. A patch has been applied to node-tar v2.2.2.
Publish Date: 2019-04-30
URL: CVE-2018-20834
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: High
  - Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://hackerone.com/reports/344595
Release Date: 2019-04-30
Fix Resolution: v4.4.2
CVE-2019-10744 (High) detected in lodash-4.17.11.tgz
CVE-2019-10744 - High Severity Vulnerability
Vulnerable Library - lodash-4.17.11.tgz
Lodash modular utilities.
Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.11.tgz
Path to dependency file: /tmp/ws-scm/example-npm-circle/package.json
Path to vulnerable library: /example-npm-circle/node_modules/lodash/package.json
Dependency Hierarchy:
- ❌ lodash-4.17.11.tgz (Vulnerable Library)
Found in HEAD commit: dc622c22bc07e86cb43ca6e4c1562a92588218bc
Vulnerability Details
Versions of lodash lower than 4.17.12 are vulnerable to Prototype Pollution. The function defaultsDeep could be tricked into adding or modifying properties of Object.prototype using a constructor payload.
Publish Date: 2019-07-26
URL: CVE-2019-10744
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: lodash/lodash@a01e4fa
Release Date: 2019-07-08
Fix Resolution: 4.17.12
WS-2019-0369 (High) detected in handlebars-4.5.2.tgz
WS-2019-0369 - High Severity Vulnerability
Vulnerable Library - handlebars-4.5.2.tgz
Handlebars provides the power necessary to let you build semantic templates effectively with no frustration
Library home page: https://registry.npmjs.org/handlebars/-/handlebars-4.5.2.tgz
Path to dependency file: /tmp/ws-scm/example-npm-circle/package.json
Path to vulnerable library: /example-npm-circle/node_modules/handlebars/package.json
Dependency Hierarchy:
- ❌ handlebars-4.5.2.tgz (Vulnerable Library)
Found in HEAD commit: e8f81fa1be5b23fbe5cdb37ae0a33abd6cc0741e
Vulnerability Details
Prototype Pollution vulnerability found in handlebars.js before 4.5.3. An attacker may be able to use it to achieve remote code execution.
Publish Date: 2019-11-17
URL: WS-2019-0369
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://github.com/wycats/handlebars.js/blob/master/release-notes.md#v453---november-18th-2019
Release Date: 2020-01-08
Fix Resolution: handlebars - 4.5.3
CVE-2020-11022 (Medium) detected in jquery-1.7.1.min.js
CVE-2020-11022 - Medium Severity Vulnerability
Vulnerable Library - jquery-1.7.1.min.js
JavaScript library for DOM operations
Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.7.1/jquery.min.js
Path to dependency file: /tmp/ws-scm/example-npm-circle/node_modules/sockjs/examples/express/index.html
Path to vulnerable library: /example-npm-circle/node_modules/sockjs/examples/express/index.html,/example-npm-circle/node_modules/sockjs/examples/echo/index.html,/example-npm-circle/node_modules/sockjs/examples/hapi/html/index.html,/example-npm-circle/node_modules/sockjs/examples/multiplex/index.html,/example-npm-circle/node_modules/sockjs/examples/express-3.x/index.html
Dependency Hierarchy:
- ❌ jquery-1.7.1.min.js (Vulnerable Library)
Found in HEAD commit: 4b9d35337365451db5cf7aad10d58ff1a3dc8acd
Vulnerability Details
In jQuery versions greater than or equal to 1.2 and before 3.5.0, passing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.
Publish Date: 2020-04-29
URL: CVE-2020-11022
CVSS 3 Score Details (6.1)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: Required
  - Scope: Changed
- Impact Metrics:
  - Confidentiality Impact: Low
  - Integrity Impact: Low
  - Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/
Release Date: 2020-04-29
Fix Resolution: jQuery - 3.5.0
WS-2020-0068 (High) detected in yargs-parser-11.1.1.tgz, yargs-parser-13.1.2.tgz
WS-2020-0068 - High Severity Vulnerability
Vulnerable Libraries - yargs-parser-11.1.1.tgz, yargs-parser-13.1.2.tgz
yargs-parser-11.1.1.tgz
the mighty option parser used by yargs
Library home page: https://registry.npmjs.org/yargs-parser/-/yargs-parser-11.1.1.tgz
Path to dependency file: /tmp/ws-scm/example-npm-circle/package.json
Path to vulnerable library: /tmp/ws-scm/example-npm-circle/node_modules/yargs-parser/package.json
Dependency Hierarchy:
- protractor-5.4.4.tgz (Root Library)
  - yargs-12.0.5.tgz
    - ❌ yargs-parser-11.1.1.tgz (Vulnerable Library)
yargs-parser-13.1.2.tgz
the mighty option parser used by yargs
Library home page: https://registry.npmjs.org/yargs-parser/-/yargs-parser-13.1.2.tgz
Path to dependency file: /tmp/ws-scm/example-npm-circle/package.json
Path to vulnerable library: /tmp/ws-scm/example-npm-circle/node_modules/@angular/compiler-cli/node_modules/yargs-parser/package.json
Dependency Hierarchy:
- compiler-cli-8.2.14.tgz (Root Library)
  - yargs-13.1.0.tgz
    - ❌ yargs-parser-13.1.2.tgz (Vulnerable Library)
Found in HEAD commit: 4b9d35337365451db5cf7aad10d58ff1a3dc8acd
Vulnerability Details
Affected versions of yargs-parser are vulnerable to prototype pollution. Arguments are not properly sanitized, allowing an attacker to modify the prototype of Object, causing the addition or modification of an existing property that will exist on all objects. Parsing the argument `--foo.__proto__.bar baz` adds a `bar` property with value `baz` to all objects. This is only exploitable if attackers have control over the arguments being passed to yargs-parser.
Publish Date: 2020-05-01
URL: WS-2020-0068
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Adjacent
  - Attack Complexity: High
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://www.npmjs.com/package/yargs-parser
Release Date: 2020-05-04
Fix Resolution: https://www.npmjs.com/package/yargs-parser/v/18.1.2,https://www.npmjs.com/package/yargs-parser/v/15.0.1
CVE-2011-4969 (Medium) detected in jquery-1.4.4.min.js
CVE-2011-4969 - Medium Severity Vulnerability
Vulnerable Library - jquery-1.4.4.min.js
JavaScript library for DOM operations
Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.4.4/jquery.min.js
Path to dependency file: /tmp/ws-scm/example-npm-circle/node_modules/selenium-webdriver/lib/test/data/draggableLists.html
Path to vulnerable library: /example-npm-circle/node_modules/selenium-webdriver/lib/test/data/js/jquery-1.4.4.min.js
Dependency Hierarchy:
- ❌ jquery-1.4.4.min.js (Vulnerable Library)
Found in HEAD commit: 4b9d35337365451db5cf7aad10d58ff1a3dc8acd
Vulnerability Details
Cross-site scripting (XSS) vulnerability in jQuery before 1.6.3, when using location.hash to select elements, allows remote attackers to inject arbitrary web script or HTML via a crafted tag.
Publish Date: 2013-03-08
URL: CVE-2011-4969
Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2011-4969
Release Date: 2013-03-08
Fix Resolution: 1.6.3