ikonovalov / eth-dummy-cargo Goto Github PK

Vulnerable Library - constantinople-3.0.2.tgz

Determine whether a JavaScript expression evaluates to a constant (using UglifyJS)

Library home page: http://registry.npmjs.org/constantinople/-/constantinople-3.0.2.tgz

Path to dependency file: /eth-dummy-cargo/package.json

Path to vulnerable library: /tmp/git/eth-dummy-cargo/node_modules/constantinople/package.json

Dependency Hierarchy:

• jade-1.11.0.tgz (Root Library)
  • ❌ constantinople-3.0.2.tgz (Vulnerable Library)

Vulnerability Details

Versions of constantinople prior to 3.1.1 are vulnerable to a sandbox bypass which can lead to arbitrary code execution.

Publish Date: 2018-04-21

URL: WS-2018-0068

CVSS 2 Score Details (10.0)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: https://nodesecurity.io/advisories/568

Release Date: 2018-01-24

Fix Resolution: 3.1.1

Vulnerable Library - mime-1.3.4.tgz

A comprehensive library for mime-type mapping

Library home page: http://registry.npmjs.org/mime/-/mime-1.3.4.tgz

Path to dependency file: /eth-dummy-cargo/package.json

Path to vulnerable library: /tmp/git/eth-dummy-cargo/node_modules/mime/package.json

Dependency Hierarchy:

• express-4.14.1.tgz (Root Library)
  • send-0.14.2.tgz
    • ❌ mime-1.3.4.tgz (Vulnerable Library)

Vulnerability Details

The mime module < 1.4.1, 2.0.1, 2.0.2 is vulnerable to regular expression denial of service when a mime lookup is performed on untrusted user input.

Publish Date: 2018-06-07

URL: CVE-2017-16138

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Vulnerable Library - uglify-js-2.2.5.tgz

JavaScript parser, mangler/compressor and beautifier toolkit

Library home page: http://registry.npmjs.org/uglify-js/-/uglify-js-2.2.5.tgz

Path to dependency file: /eth-dummy-cargo/package.json

Path to vulnerable library: /tmp/git/eth-dummy-cargo/node_modules/transformers/node_modules/uglify-js/package.json

Dependency Hierarchy:

• jade-1.11.0.tgz (Root Library)
  • transformers-2.1.0.tgz
    • ❌ uglify-js-2.2.5.tgz (Vulnerable Library)

Vulnerability Details

The uglify-js package before 2.4.24 for Node.js does not properly account for non-boolean values when rewriting boolean expressions, which might allow attackers to bypass security mechanisms or possibly have unspecified other impact by leveraging improperly rewritten Javascript.

Publish Date: 2017-01-23

URL: CVE-2015-8857

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8858

Release Date: 2018-12-15

Fix Resolution: v2.4.24

Vulnerable Library - clean-css-3.4.28.tgz

A well-tested CSS minifier

Library home page: https://registry.npmjs.org/clean-css/-/clean-css-3.4.28.tgz

Path to dependency file: /eth-dummy-cargo/package.json

Path to vulnerable library: /tmp/git/eth-dummy-cargo/node_modules/clean-css/package.json

Dependency Hierarchy:

• jade-1.11.0.tgz (Root Library)
  • ❌ clean-css-3.4.28.tgz (Vulnerable Library)

Vulnerability Details

Version of clean-css prior to 4.1.11 are vulnerable to Regular Expression Denial of Service (ReDoS). Untrusted input may cause catastrophic backtracking while matching regular expressions. This can cause the application to be unresponsive leading to Denial of Service.

Publish Date: 2019-02-21

URL: WS-2019-0017

CVSS 2 Score Details (5.0)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/785

Release Date: 2019-02-21

Fix Resolution: v4.1.11

Vulnerable Library - uglify-js-2.2.5.tgz

JavaScript parser, mangler/compressor and beautifier toolkit

Library home page: http://registry.npmjs.org/uglify-js/-/uglify-js-2.2.5.tgz

Path to dependency file: /eth-dummy-cargo/package.json

Path to vulnerable library: /tmp/git/eth-dummy-cargo/node_modules/transformers/node_modules/uglify-js/package.json

Dependency Hierarchy:

• jade-1.11.0.tgz (Root Library)
  • transformers-2.1.0.tgz
    • ❌ uglify-js-2.2.5.tgz (Vulnerable Library)

Vulnerability Details

Uglify-js is vulnerable to regular expression denial of service (ReDoS) when certain types of input is passed into .parse().

Publish Date: 2015-10-24

URL: WS-2015-0017

CVSS 2 Score Details (5.3)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: https://nodesecurity.io/advisories/48

Release Date: 2015-10-24

Fix Resolution: Update to version 2.6.0 or later

Vulnerability Details

Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS).

Publish Date: 2017-05-15

URL: WS-2017-0247

CVSS 2 Score Details (3.4)

Base Score Metrics not available

Suggested Fix

Type: Change files

Origin: vercel/ms@305f2dd

Release Date: 2017-04-12

Fix Resolution: Replace or update the following file: index.js

Vulnerable Library - qs-6.2.0.tgz

A querystring parser that supports nesting and arrays, with a depth limit

Library home page: https://registry.npmjs.org/qs/-/qs-6.2.0.tgz

Path to dependency file: /eth-dummy-cargo/package.json

Path to vulnerable library: /tmp/git/eth-dummy-cargo/node_modules/qs/package.json

Dependency Hierarchy:

• body-parser-1.15.2.tgz (Root Library)
  • ❌ qs-6.2.0.tgz (Vulnerable Library)

Vulnerability Details

the web framework using ljharb's qs module older than v6.3.2, v6.2.3, v6.1.2, and v6.0.4 is vulnerable to a DoS. A malicious user can send a evil request to cause the web framework crash.

Publish Date: 2017-07-17

URL: CVE-2017-1000048

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Change files

Origin: ljharb/qs@c709f6e

Release Date: 2017-03-06

Fix Resolution: Replace or update the following files: parse.js, parse.js, utils.js

Vulnerable Library - uglify-js-2.2.5.tgz

JavaScript parser, mangler/compressor and beautifier toolkit

Library home page: http://registry.npmjs.org/uglify-js/-/uglify-js-2.2.5.tgz

Path to dependency file: /eth-dummy-cargo/package.json

Path to vulnerable library: /tmp/git/eth-dummy-cargo/node_modules/transformers/node_modules/uglify-js/package.json

Dependency Hierarchy:

• jade-1.11.0.tgz (Root Library)
  • transformers-2.1.0.tgz
    • ❌ uglify-js-2.2.5.tgz (Vulnerable Library)

Vulnerability Details

The uglify-js package before 2.6.0 for Node.js allows attackers to cause a denial of service (CPU consumption) via crafted input in a parse call, aka a "regular expression denial of service (ReDoS)."

Publish Date: 2017-01-23

URL: CVE-2015-8858

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8858

Release Date: 2018-12-15

Fix Resolution: v2.6.0

Vulnerable Library - uglify-js-2.2.5.tgz

JavaScript parser, mangler/compressor and beautifier toolkit

Library home page: http://registry.npmjs.org/uglify-js/-/uglify-js-2.2.5.tgz

Path to dependency file: /eth-dummy-cargo/package.json

Path to vulnerable library: /tmp/git/eth-dummy-cargo/node_modules/transformers/node_modules/uglify-js/package.json

Dependency Hierarchy:

• jade-1.11.0.tgz (Root Library)
  • transformers-2.1.0.tgz
    • ❌ uglify-js-2.2.5.tgz (Vulnerable Library)

Vulnerability Details

UglifyJS versions 2.4.23 and earlier are affected by a vulnerability which allows a specially crafted Javascript file to have altered functionality after minification.

Publish Date: 2015-08-24

URL: WS-2015-0024

CVSS 2 Score Details (8.3)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: mishoo/UglifyJS@905b601

Release Date: 2017-01-31

Fix Resolution: v2.4.24

Vulnerable Library - mime-1.3.4.tgz

A comprehensive library for mime-type mapping

Library home page: http://registry.npmjs.org/mime/-/mime-1.3.4.tgz

Path to dependency file: /eth-dummy-cargo/package.json

Path to vulnerable library: /tmp/git/eth-dummy-cargo/node_modules/mime/package.json

Dependency Hierarchy:

• express-4.14.1.tgz (Root Library)
  • send-0.14.2.tgz
    • ❌ mime-1.3.4.tgz (Vulnerable Library)

Vulnerability Details

Affected version of mime (1.0.0 throw 1.4.0 and 2.0.0 throw 2.0.2), are vulnerable to regular expression denial of service.

Publish Date: 2017-09-27

URL: WS-2017-0330

CVSS 2 Score Details (5.0)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: broofa/mime@1df903f

Release Date: 2019-04-03

Fix Resolution: 1.4.1,2.0.3

Vulnerable Library - fresh-0.3.0.tgz

HTTP response freshness testing

Library home page: http://registry.npmjs.org/fresh/-/fresh-0.3.0.tgz

Path to dependency file: /eth-dummy-cargo/package.json

Path to vulnerable library: /tmp/git/eth-dummy-cargo/node_modules/fresh/package.json

Dependency Hierarchy:

• express-4.14.1.tgz (Root Library)
  • ❌ fresh-0.3.0.tgz (Vulnerable Library)

Vulnerability Details

Fresh is a module used by the Express.js framework for HTTP response freshness testing. It is vulnerable to a regular expression denial of service when it is passed specially crafted input to parse. This causes the event loop to be blocked causing a denial of service condition.

Publish Date: 2018-06-07

URL: CVE-2017-16119

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Vulnerable Library - morgan-1.7.0.tgz

HTTP request logger middleware for node.js

Library home page: http://registry.npmjs.org/morgan/-/morgan-1.7.0.tgz

Path to dependency file: /eth-dummy-cargo/package.json

Path to vulnerable library: /eth-dummy-cargo/node_modules/morgan/package.json

Dependency Hierarchy:

• ❌ morgan-1.7.0.tgz (Vulnerable Library)

Vulnerability Details

morgan before 1.9.1 is vulnerable to code injection when user input is allowed into the filter or combined with a prototype pollution attack.

Publish Date: 2018-11-25

URL: WS-2018-0209

CVSS 2 Score Details (6.8)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/735

Release Date: 2019-04-08

Fix Resolution: 1.9.1

Vulnerable Library - debug-2.2.0.tgz

small debugging utility

Library home page: http://registry.npmjs.org/debug/-/debug-2.2.0.tgz

Path to dependency file: /eth-dummy-cargo/package.json

Path to vulnerable library: /eth-dummy-cargo/node_modules/debug/package.json

Dependency Hierarchy:

• ❌ debug-2.2.0.tgz (Vulnerable Library)

Vulnerability Details

The debug module is vulnerable to regular expression denial of service when untrusted user input is passed into the o formatter. It takes around 50k characters to block for 2 seconds making this a low severity issue.

Publish Date: 2018-06-07

URL: CVE-2017-16137

CVSS 3 Score Details (5.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: https://nodesecurity.io/advisories/534

Release Date: 2017-09-27

Fix Resolution: Version 2.x.x: Update to version 2.6.9 or later. Version 3.x.x: Update to version 3.1.0 or later.