Giter Club home page Giter Club logo

jonprentice.me's Introduction

๐Ÿ‘‹ About Me:

GitHub LinkedIn Resume

I'm a Product Security professional from Washington ๐Ÿ”๏ธ.

  • ๐Ÿ”ญ Passionate about SAST, SARIF, security automation, and anything else security!

  • โš™๏ธ Experience working on various security projects

  • ๐Ÿ”Ž Always exploring new technologies.

  • โšก๏ธ In my free time, I work on my home lab, Kubernetes cluster, and other self-hosted projects.

  • ๐Ÿ“ซ Connect with me: LinkedIn

๐Ÿ“š Skills:

  • ๐Ÿ•ต๏ธโ€โ™€๏ธ Static Application Security Testing (SAST)
  • ๐Ÿ“Š Static Analysis Results Interchange Format (SARIF)
  • ๐Ÿค– Security Automation

๐Ÿš€ Projects:

  • ๐Ÿ  Home lab
  • ๐ŸŒ Kubernetes cluster
  • ๐Ÿ’ป Self-hosted projects

๐Ÿ› ๏ธ Languages and Tools:

Golang TypeScript Python Git Kubernetes AWS

๐Ÿ”ฅ Stats

jonprentice.me's People

Contributors

dependabot[bot] avatar jon77p avatar renovate[bot] avatar snyk-bot avatar

Stargazers

avatar

Watchers

avatar avatar

jonprentice.me's Issues

cypress-13.13.0.tgz: 1 vulnerabilities (highest severity is: 6.5) - autoclosed

Vulnerable Library - cypress-13.13.0.tgz

Path to dependency file: /frontend/package.json

Path to vulnerable library: /frontend/package.json

Found in HEAD commit: 48c4261582884e0dce174f532913c67d2d8d9538

Vulnerabilities

CVE Severity CVSS Dependency Type Fixed in (cypress version) Remediation Possible**
CVE-2024-39249 Medium 6.5 async-3.2.5.tgz Transitive N/A* โŒ

*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2024-39249

Vulnerable Library - async-3.2.5.tgz

Library home page: https://registry.npmjs.org/async/-/async-3.2.5.tgz

Path to dependency file: /frontend/package.json

Path to vulnerable library: /frontend/package.json

Dependency Hierarchy:

  • cypress-13.13.0.tgz (Root Library)
    • getos-3.2.1.tgz
      • โŒ async-3.2.5.tgz (Vulnerable Library)

Found in HEAD commit: 48c4261582884e0dce174f532913c67d2d8d9538

Found in base branch: master

Vulnerability Details

Async <= 2.6.4 and <= 3.2.5 are vulnerable to ReDoS (Regular Expression Denial of Service) while parsing function in autoinject function.

Publish Date: 2024-07-01

URL: CVE-2024-39249

CVSS 3 Score Details (6.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2024-39249

Release Date: 2024-07-01

Fix Resolution: async - 3.0.1

Step up your Open Source Security Game with Mend here

zipp-3.15.0-py3-none-any.whl: 1 vulnerabilities (highest severity is: 3.3)

Vulnerable Library - zipp-3.15.0-py3-none-any.whl

Backport of pathlib-compatible object wrapper for zip files

Library home page: https://files.pythonhosted.org/packages/5b/fa/c9e82bbe1af6266adf08afb563905eb87cab83fde00a0a08963510621047/zipp-3.15.0-py3-none-any.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt,/backend/requirements.txt

Found in HEAD commit: 48c4261582884e0dce174f532913c67d2d8d9538

Vulnerabilities

CVE Severity CVSS Dependency Type Fixed in (zipp version) Remediation Possible**
CVE-2024-5569 Low 3.3 zipp-3.15.0-py3-none-any.whl Direct 3.19.1 โŒ

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2024-5569

Vulnerable Library - zipp-3.15.0-py3-none-any.whl

Backport of pathlib-compatible object wrapper for zip files

Library home page: https://files.pythonhosted.org/packages/5b/fa/c9e82bbe1af6266adf08afb563905eb87cab83fde00a0a08963510621047/zipp-3.15.0-py3-none-any.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt,/backend/requirements.txt

Dependency Hierarchy:

  • โŒ zipp-3.15.0-py3-none-any.whl (Vulnerable Library)

Found in HEAD commit: 48c4261582884e0dce174f532913c67d2d8d9538

Found in base branch: master

Vulnerability Details

A Denial of Service (DoS) vulnerability exists in the jaraco/zipp library, affecting all versions prior to 3.19.1. The vulnerability is triggered when processing a specially crafted zip file that leads to an infinite loop. This issue also impacts the zipfile module of CPython, as features from the third-party zipp library are later merged into CPython, and the affected code is identical in both projects. The infinite loop can be initiated through the use of functions affecting the Path module in both zipp and zipfile, such as joinpath, the overloaded division operator, and iterdir. Although the infinite loop is not resource exhaustive, it prevents the application from responding. The vulnerability was addressed in version 3.19.1 of jaraco/zipp.

Publish Date: 2024-07-09

URL: CVE-2024-5569

CVSS 3 Score Details (3.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://huntr.com/bounties/be898306-11f9-46b4-b28c-f4c4aa4ffbae

Release Date: 2024-07-09

Fix Resolution: 3.19.1

Step up your Open Source Security Game with Mend here

Flask_Cors-4.0.1-py2.py3-none-any.whl: 1 vulnerabilities (highest severity is: 7.5)

Vulnerable Library - Flask_Cors-4.0.1-py2.py3-none-any.whl

A Flask extension adding a decorator for CORS support

Library home page: https://files.pythonhosted.org/packages/8b/52/2aa6285f104616f73ee1ad7905a16b2b35af0143034ad0cf7b64bcba715c/Flask_Cors-4.0.1-py2.py3-none-any.whl

Path to dependency file: /backend/requirements.txt

Path to vulnerable library: /backend/requirements.txt,/requirements.txt

Found in HEAD commit: e73ec3d70e4e0680871ada7ab00a7d14c086ef51

Vulnerabilities

CVE Severity CVSS Dependency Type Fixed in (Flask_Cors version) Remediation Possible**
CVE-2024-6221 High 7.5 Flask_Cors-4.0.1-py2.py3-none-any.whl Direct N/A โŒ

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2024-6221

Vulnerable Library - Flask_Cors-4.0.1-py2.py3-none-any.whl

A Flask extension adding a decorator for CORS support

Library home page: https://files.pythonhosted.org/packages/8b/52/2aa6285f104616f73ee1ad7905a16b2b35af0143034ad0cf7b64bcba715c/Flask_Cors-4.0.1-py2.py3-none-any.whl

Path to dependency file: /backend/requirements.txt

Path to vulnerable library: /backend/requirements.txt,/requirements.txt

Dependency Hierarchy:

  • โŒ Flask_Cors-4.0.1-py2.py3-none-any.whl (Vulnerable Library)

Found in HEAD commit: e73ec3d70e4e0680871ada7ab00a7d14c086ef51

Found in base branch: master

Vulnerability Details

A vulnerability in corydolphin/flask-cors version 4.0.1 allows the Access-Control-Allow-Private-Network CORS header to be set to true by default, without any configuration option. This behavior can expose private network resources to unauthorized external access, leading to significant security risks such as data breaches, unauthorized access to sensitive information, and potential network intrusions.

Publish Date: 2024-08-18

URL: CVE-2024-6221

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Step up your Open Source Security Game with Mend here

cypress-9.5.3.tgz: 1 vulnerabilities (highest severity is: 7.5) - autoclosed

Vulnerable Library - cypress-9.5.3.tgz

Path to dependency file: /frontend/package.json

Path to vulnerable library: /frontend/node_modules/qs/package.json

Found in HEAD commit: db67e6bc1800ce3742359cc08b0175cfdff233d9

Vulnerabilities

CVE Severity CVSS Dependency Type Fixed in Remediation Available
CVE-2021-44907 High 7.5 qs-6.5.3.tgz Transitive N/A โŒ

Details

CVE-2021-44907

Vulnerable Library - qs-6.5.3.tgz

A querystring parser that supports nesting and arrays, with a depth limit

Library home page: https://registry.npmjs.org/qs/-/qs-6.5.3.tgz

Path to dependency file: /frontend/package.json

Path to vulnerable library: /frontend/node_modules/qs/package.json

Dependency Hierarchy:

  • cypress-9.5.3.tgz (Root Library)
    • request-2.88.10.tgz
      • โŒ qs-6.5.3.tgz (Vulnerable Library)

Found in HEAD commit: db67e6bc1800ce3742359cc08b0175cfdff233d9

Found in base branch: master

Vulnerability Details

A Denial of Service vulnerability exists in qs up to 6.8.0 due to insufficient sanitization of property in the gs.parse function. The merge() function allows the assignment of properties on an array in the query. For any property being assigned, a value in the array is converted to an object containing these properties. Essentially, this means that the property whose expected type is Array always has to be checked with Array.isArray() by the user. This may not be obvious to the user and can cause unexpected behavior.

Publish Date: 2022-03-17

URL: CVE-2021-44907

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44907

Release Date: 2022-03-17

Fix Resolution: qs - 6.8.1

Step up your Open Source Security Game with WhiteSource here

vue-3.3.4.tgz: 1 vulnerabilities (highest severity is: 5.3) - autoclosed

Vulnerable Library - vue-3.3.4.tgz

Found in HEAD commit: de9f6fa1f72a9c85aa6914542d00c75be8f85366

Vulnerabilities

CVE Severity CVSS Dependency Type Fixed in (vue version) Remediation Possible**
CVE-2023-44270 Medium 5.3 postcss-8.4.30.tgz Transitive N/A* โŒ

*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2023-44270

Vulnerable Library - postcss-8.4.30.tgz

Library home page: https://registry.npmjs.org/postcss/-/postcss-8.4.30.tgz

Dependency Hierarchy:

  • vue-3.3.4.tgz (Root Library)
    • compiler-sfc-3.3.4.tgz
      • โŒ postcss-8.4.30.tgz (Vulnerable Library)

Found in HEAD commit: de9f6fa1f72a9c85aa6914542d00c75be8f85366

Found in base branch: master

Vulnerability Details

An issue was discovered in PostCSS before 8.4.31. The vulnerability affects linters using PostCSS to parse external untrusted CSS. An attacker can prepare CSS in such a way that it will contains parts parsed by PostCSS as a CSS comment. After processing by PostCSS, it will be included in the PostCSS output in CSS nodes (rules, properties) despite being included in a comment.

Publish Date: 2023-09-29

URL: CVE-2023-44270

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2023-44270

Release Date: 2023-09-29

Fix Resolution: postcss - 8.4.31

Step up your Open Source Security Game with Mend here

cypress-13.12.0.tgz: 1 vulnerabilities (highest severity is: 6.5) - autoclosed

Vulnerable Library - cypress-13.12.0.tgz

Path to dependency file: /frontend/package.json

Path to vulnerable library: /frontend/package.json

Found in HEAD commit: e73ec3d70e4e0680871ada7ab00a7d14c086ef51

Vulnerabilities

CVE Severity CVSS Dependency Type Fixed in (cypress version) Remediation Possible**
CVE-2024-39249 Medium 6.5 async-3.2.5.tgz Transitive N/A* โŒ

*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2024-39249

Vulnerable Library - async-3.2.5.tgz

Library home page: https://registry.npmjs.org/async/-/async-3.2.5.tgz

Path to dependency file: /frontend/package.json

Path to vulnerable library: /frontend/package.json

Dependency Hierarchy:

  • cypress-13.12.0.tgz (Root Library)
    • getos-3.2.1.tgz
      • โŒ async-3.2.5.tgz (Vulnerable Library)

Found in HEAD commit: e73ec3d70e4e0680871ada7ab00a7d14c086ef51

Found in base branch: master

Vulnerability Details

Async <= 2.6.4 and <= 3.2.5 are vulnerable to ReDoS (Regular Expression Denial of Service) while parsing function in autoinject function.

Publish Date: 2024-07-01

URL: CVE-2024-39249

CVSS 3 Score Details (6.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Step up your Open Source Security Game with Mend here

serve-14.0.1.tgz: 1 vulnerabilities (highest severity is: 7.5) - autoclosed

Vulnerable Library - serve-14.0.1.tgz

Path to dependency file: /frontend/package.json

Path to vulnerable library: /frontend/node_modules/serve-handler/node_modules/minimatch/package.json

Vulnerabilities

CVE Severity CVSS Dependency Type Fixed in (serve version) Remediation Available
CVE-2022-3517 High 7.5 minimatch-3.0.4.tgz Transitive N/A* โŒ

*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the section "Details" below to see if there is a version of transitive dependency where vulnerability is fixed.

Details

CVE-2022-3517

Vulnerable Library - minimatch-3.0.4.tgz

a glob matcher in javascript

Library home page: https://registry.npmjs.org/minimatch/-/minimatch-3.0.4.tgz

Path to dependency file: /frontend/package.json

Path to vulnerable library: /frontend/node_modules/serve-handler/node_modules/minimatch/package.json

Dependency Hierarchy:

  • serve-14.0.1.tgz (Root Library)
    • serve-handler-6.1.3.tgz
      • โŒ minimatch-3.0.4.tgz (Vulnerable Library)

Found in base branch: master

Vulnerability Details

A vulnerability was found in the minimatch package. This flaw allows a Regular Expression Denial of Service (ReDoS) when calling the braceExpand function with specific arguments, resulting in a Denial of Service.

Publish Date: 2022-10-17

URL: CVE-2022-3517

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2022-10-17

Fix Resolution: minimatch - 3.0.5

Step up your Open Source Security Game with Mend here

cypress-12.16.0.tgz: 1 vulnerabilities (highest severity is: 6.5) - autoclosed

Vulnerable Library - cypress-12.16.0.tgz

Path to dependency file: /frontend/package.json

Path to vulnerable library: /frontend/node_modules/tough-cookie/package.json

Found in HEAD commit: d83736ca464bc276989041aecbfee3634e4fe2fb

Vulnerabilities

CVE Severity CVSS Dependency Type Fixed in (cypress version) Remediation Available
CVE-2023-26136 Medium 6.5 tough-cookie-2.5.0.tgz Transitive N/A* โŒ

*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.

Details

CVE-2023-26136

Vulnerable Library - tough-cookie-2.5.0.tgz

RFC6265 Cookies and Cookie Jar for node.js

Library home page: https://registry.npmjs.org/tough-cookie/-/tough-cookie-2.5.0.tgz

Path to dependency file: /frontend/package.json

Path to vulnerable library: /frontend/node_modules/tough-cookie/package.json

Dependency Hierarchy:

  • cypress-12.16.0.tgz (Root Library)
    • request-2.88.11.tgz
      • โŒ tough-cookie-2.5.0.tgz (Vulnerable Library)

Found in HEAD commit: d83736ca464bc276989041aecbfee3634e4fe2fb

Found in base branch: master

Vulnerability Details

Versions of the package tough-cookie before 4.1.3 are vulnerable to Prototype Pollution due to improper handling of Cookies when using CookieJar in rejectPublicSuffixes=false mode. This issue arises from the manner in which the objects are initialized.

Publish Date: 2023-07-01

URL: CVE-2023-26136

CVSS 3 Score Details (6.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2023-26136

Release Date: 2023-07-01

Fix Resolution: tough-cookie - 4.1.3

Step up your Open Source Security Game with Mend here

Flask_Cors-4.0.0-py2.py3-none-any.whl: 1 vulnerabilities (highest severity is: 5.3) - autoclosed

Vulnerable Library - Flask_Cors-4.0.0-py2.py3-none-any.whl

A Flask extension adding a decorator for CORS support

Library home page: https://files.pythonhosted.org/packages/10/69/1e6cfb87117568a9de088c32d6258219e9d1ff7c131abf74249ef2031279/Flask_Cors-4.0.0-py2.py3-none-any.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt,/backend/requirements.txt

Vulnerabilities

CVE Severity CVSS Dependency Type Fixed in (Flask_Cors version) Remediation Possible**
CVE-2024-1681 Medium 5.3 Flask_Cors-4.0.0-py2.py3-none-any.whl Direct N/A โŒ

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2024-1681

Vulnerable Library - Flask_Cors-4.0.0-py2.py3-none-any.whl

A Flask extension adding a decorator for CORS support

Library home page: https://files.pythonhosted.org/packages/10/69/1e6cfb87117568a9de088c32d6258219e9d1ff7c131abf74249ef2031279/Flask_Cors-4.0.0-py2.py3-none-any.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt,/backend/requirements.txt

Dependency Hierarchy:

  • โŒ Flask_Cors-4.0.0-py2.py3-none-any.whl (Vulnerable Library)

Found in base branch: master

Vulnerability Details

corydolphin/flask-cors is vulnerable to log injection when the log level is set to debug. An attacker can inject fake log entries into the log file by sending a specially crafted GET request containing a CRLF sequence in the request path. This vulnerability allows attackers to corrupt log files, potentially covering tracks of other attacks, confusing log post-processing tools, and forging log entries. The issue is due to improper output neutralization for logs.

Publish Date: 2024-04-19

URL: CVE-2024-1681

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Step up your Open Source Security Game with Mend here

Flask-2.2.4-py3-none-any.whl: 1 vulnerabilities (highest severity is: 7.5) - autoclosed

Vulnerable Library - Flask-2.2.4-py3-none-any.whl

A simple framework for building complex web applications.

Library home page: https://files.pythonhosted.org/packages/cf/e6/cfd7227e18fc44a56594a7b7df21b7ac63954ea652987e6da7707aba6064/Flask-2.2.4-py3-none-any.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt,/backend/requirements.txt,/requirements.txt,/backend/requirements.txt

Vulnerabilities

CVE Severity CVSS Dependency Type Fixed in (Flask version) Remediation Available
CVE-2023-30861 High 7.5 Flask-2.2.4-py3-none-any.whl Direct flask - 2.2.5,2.3.2 โŒ

Details

CVE-2023-30861

Vulnerable Library - Flask-2.2.4-py3-none-any.whl

A simple framework for building complex web applications.

Library home page: https://files.pythonhosted.org/packages/cf/e6/cfd7227e18fc44a56594a7b7df21b7ac63954ea652987e6da7707aba6064/Flask-2.2.4-py3-none-any.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt,/backend/requirements.txt,/requirements.txt,/backend/requirements.txt

Dependency Hierarchy:

  • โŒ Flask-2.2.4-py3-none-any.whl (Vulnerable Library)

Found in base branch: master

Vulnerability Details

Flask is a lightweight WSGI web application framework. When all of the following conditions are met, a response containing data intended for one client may be cached and subsequently sent by the proxy to other clients. If the proxy also caches Set-Cookie headers, it may send one client's session cookie to other clients. The severity depends on the application's use of the session and the proxy's behavior regarding cookies. The risk depends on all these conditions being met.

  1. The application must be hosted behind a caching proxy that does not strip cookies or ignore responses with cookies.
  2. The application sets session.permanent = True
  3. The application does not access or modify the session at any point during a request.
  4. SESSION_REFRESH_EACH_REQUEST enabled (the default).
  5. The application does not set a Cache-Control header to indicate that a page is private or should not be cached.

This happens because vulnerable versions of Flask only set the Vary: Cookie header when the session is accessed or modified, not when it is refreshed (re-sent to update the expiration) without being accessed or modified. This issue has been fixed in versions 2.3.2 and 2.2.5.

Publish Date: 2023-05-02

URL: CVE-2023-30861

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2023-30861

Release Date: 2023-05-02

Fix Resolution: flask - 2.2.5,2.3.2

Step up your Open Source Security Game with Mend here

setuptools-68.0.0-py3-none-any.whl: 1 vulnerabilities (highest severity is: 8.8) - autoclosed

Vulnerable Library - setuptools-68.0.0-py3-none-any.whl

Easily download, build, install, upgrade, and uninstall Python packages

Library home page: https://files.pythonhosted.org/packages/c7/42/be1c7bbdd83e1bfb160c94b9cafd8e25efc7400346cf7ccdbdb452c467fa/setuptools-68.0.0-py3-none-any.whl

Path to dependency file: /backend/requirements.txt

Path to vulnerable library: /backend/requirements.txt,/requirements.txt

Found in HEAD commit: e73ec3d70e4e0680871ada7ab00a7d14c086ef51

Vulnerabilities

CVE Severity CVSS Dependency Type Fixed in (setuptools version) Remediation Possible**
CVE-2024-6345 High 8.8 setuptools-68.0.0-py3-none-any.whl Direct setuptools - 70.0.0 โŒ

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2024-6345

Vulnerable Library - setuptools-68.0.0-py3-none-any.whl

Easily download, build, install, upgrade, and uninstall Python packages

Library home page: https://files.pythonhosted.org/packages/c7/42/be1c7bbdd83e1bfb160c94b9cafd8e25efc7400346cf7ccdbdb452c467fa/setuptools-68.0.0-py3-none-any.whl

Path to dependency file: /backend/requirements.txt

Path to vulnerable library: /backend/requirements.txt,/requirements.txt

Dependency Hierarchy:

  • โŒ setuptools-68.0.0-py3-none-any.whl (Vulnerable Library)

Found in HEAD commit: e73ec3d70e4e0680871ada7ab00a7d14c086ef51

Found in base branch: master

Vulnerability Details

A vulnerability in the package_index module of pypa/setuptools versions up to 69.1.1 allows for remote code execution via its download functions. These functions, which are used to download packages from URLs provided by users or retrieved from package index servers, are susceptible to code injection. If these functions are exposed to user-controlled inputs, such as package URLs, they can execute arbitrary commands on the system. The issue is fixed in version 70.0.

Publish Date: 2024-07-15

URL: CVE-2024-6345

CVSS 3 Score Details (8.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2024-6345

Release Date: 2024-07-15

Fix Resolution: setuptools - 70.0.0

Step up your Open Source Security Game with Mend here

axios-1.7.3.tgz: 1 vulnerabilities (highest severity is: 7.5) - autoclosed

Vulnerable Library - axios-1.7.3.tgz

Library home page: https://registry.npmjs.org/axios/-/axios-1.7.3.tgz

Path to dependency file: /frontend/package.json

Path to vulnerable library: /frontend/node_modules/axios/package.json

Found in HEAD commit: e73ec3d70e4e0680871ada7ab00a7d14c086ef51

Vulnerabilities

CVE Severity CVSS Dependency Type Fixed in (axios version) Remediation Possible**
CVE-2024-39338 High 7.5 axios-1.7.3.tgz Direct axios - 1.7.4 โŒ

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2024-39338

Vulnerable Library - axios-1.7.3.tgz

Library home page: https://registry.npmjs.org/axios/-/axios-1.7.3.tgz

Path to dependency file: /frontend/package.json

Path to vulnerable library: /frontend/node_modules/axios/package.json

Dependency Hierarchy:

  • โŒ axios-1.7.3.tgz (Vulnerable Library)

Found in HEAD commit: e73ec3d70e4e0680871ada7ab00a7d14c086ef51

Found in base branch: master

Vulnerability Details

axios 1.3.2 to 1.7.3 allows SSRF via unexpected behavior where requests for path relative URLs get processed as protocol relative URLs.

Publish Date: 2024-08-09

URL: CVE-2024-39338

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-8hc4-vh64-cxmj

Release Date: 2024-08-09

Fix Resolution: axios - 1.7.4

Step up your Open Source Security Game with Mend here

cli-service-5.0.4.tgz: 1 vulnerabilities (highest severity is: 7.8) - autoclosed

Vulnerable Library - cli-service-5.0.4.tgz

Path to dependency file: /frontend/package.json

Path to vulnerable library: /frontend/node_modules/portfinder/node_modules/async/package.json

Found in HEAD commit: 8ca68497d7fd4ce446ed25939c8e90eec122fe64

Vulnerabilities

CVE Severity CVSS Dependency Type Fixed in Remediation Available
CVE-2021-43138 High 7.8 async-2.6.3.tgz Transitive N/A โŒ

Details

CVE-2021-43138

Vulnerable Library - async-2.6.3.tgz

Higher-order functions and common patterns for asynchronous code

Library home page: https://registry.npmjs.org/async/-/async-2.6.3.tgz

Path to dependency file: /frontend/package.json

Path to vulnerable library: /frontend/node_modules/portfinder/node_modules/async/package.json

Dependency Hierarchy:

  • cli-service-5.0.4.tgz (Root Library)
    • portfinder-1.0.28.tgz
      • โŒ async-2.6.3.tgz (Vulnerable Library)

Found in HEAD commit: 8ca68497d7fd4ce446ed25939c8e90eec122fe64

Found in base branch: master

Vulnerability Details

A vulnerability exists in Async through 3.2.1 (fixed in 3.2.2) , which could let a malicious user obtain privileges via the mapValues() method.

Publish Date: 2022-04-06

URL: CVE-2021-43138

CVSS 3 Score Details (7.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2021-43138

Release Date: 2022-04-06

Fix Resolution: async - v3.2.2

Step up your Open Source Security Game with WhiteSource here

cypress-12.17.1.tgz: 1 vulnerabilities (highest severity is: 6.5) - autoclosed

Vulnerable Library - cypress-12.17.1.tgz

Path to vulnerable library: /frontend/node_modules/tough-cookie/package.json

Found in HEAD commit: 9fc6d32a2bebf0bfb429663ff9a23f5949e4151b

Vulnerabilities

CVE Severity CVSS Dependency Type Fixed in (cypress version) Remediation Available
CVE-2023-26136 Medium 6.5 tough-cookie-2.5.0.tgz Transitive N/A* โŒ

*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.

Details

CVE-2023-26136

Vulnerable Library - tough-cookie-2.5.0.tgz

RFC6265 Cookies and Cookie Jar for node.js

Library home page: https://registry.npmjs.org/tough-cookie/-/tough-cookie-2.5.0.tgz

Path to dependency file: /frontend/package.json

Path to vulnerable library: /frontend/node_modules/tough-cookie/package.json

Dependency Hierarchy:

  • cypress-12.17.1.tgz (Root Library)
    • request-2.88.11.tgz
      • โŒ tough-cookie-2.5.0.tgz (Vulnerable Library)

Found in HEAD commit: 9fc6d32a2bebf0bfb429663ff9a23f5949e4151b

Found in base branch: master

Vulnerability Details

Versions of the package tough-cookie before 4.1.3 are vulnerable to Prototype Pollution due to improper handling of Cookies when using CookieJar in rejectPublicSuffixes=false mode. This issue arises from the manner in which the objects are initialized.

Publish Date: 2023-07-01

URL: CVE-2023-26136

CVSS 3 Score Details (6.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2023-26136

Release Date: 2023-07-01

Fix Resolution: tough-cookie - 4.1.3

Step up your Open Source Security Game with Mend here

webpack-dev-server-5.0.4.tgz: 1 vulnerabilities (highest severity is: 7.5)

Vulnerable Library - webpack-dev-server-5.0.4.tgz

Path to dependency file: /frontend/package.json

Path to vulnerable library: /frontend/node_modules/micromatch/package.json

Vulnerabilities

CVE Severity CVSS Dependency Type Fixed in (webpack-dev-server version) Remediation Possible**
CVE-2024-4067 High 7.5 micromatch-4.0.7.tgz Transitive N/A* โŒ

*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2024-4067

Vulnerable Library - micromatch-4.0.7.tgz

Library home page: https://registry.npmjs.org/micromatch/-/micromatch-4.0.7.tgz

Path to dependency file: /frontend/package.json

Path to vulnerable library: /frontend/node_modules/micromatch/package.json

Dependency Hierarchy:

  • webpack-dev-server-5.0.4.tgz (Root Library)
    • http-proxy-middleware-2.0.6.tgz
      • โŒ micromatch-4.0.7.tgz (Vulnerable Library)

Found in base branch: master

Vulnerability Details

The NPM package micromatch is vulnerable to Regular Expression Denial of Service (ReDoS). The vulnerability occurs in micromatch.braces() in index.js because the pattern .* will greedily match anything. By passing a malicious payload, the pattern matching will keep backtracking to the input while it doesn't find the closing bracket. As the input size increases, the consumption time will also increase until it causes the application to hang or slow down. There was a merged fix but further testing shows the issue persists. This issue should be mitigated by using a safe pattern that won't start backtracking the regular expression due to greedy matching.
Mend Note: After conducting a further research, it was concluded that CVE-2024-4067 should not reflect a Medium security risk that reflects the NVD score, but should be kept for users' awareness.

Publish Date: 2024-05-14

URL: CVE-2024-4067

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Step up your Open Source Security Game with Mend here

Dependency Dashboard

This issue lists Renovate updates and detected dependencies. Read the Dependency Dashboard docs to learn more.

Warning

These dependencies are deprecated:

Datasource Name Replacement PR?
npm node-sass Unavailable

Open

These updates have all been created already. Click a checkbox below to force a retry/rebase of any.

Detected dependencies

github-actions
.github/workflows/codeql-analysis.yml
  • actions/checkout v4@692973e3d937129bcbf40652eb9f2f61becf3332
  • github/codeql-action v3@f0f3afee809481da311ca3a6ff1ff51d81dbeb24
  • github/codeql-action v3@f0f3afee809481da311ca3a6ff1ff51d81dbeb24
  • github/codeql-action v3@f0f3afee809481da311ca3a6ff1ff51d81dbeb24
npm
frontend/package.json
  • axios 1.7.4
  • buefy 1.0.0
  • core-js 3.38.0
  • cypress 13.13.3
  • minimalist 1.0.0
  • serve 14.2.3
  • vue 3.4.38
  • vue-router 4.4.3
  • vuex 4.1.0
  • webpack-dev-server 5.0.4
  • @snyk/protect 1.1292.4
  • @vue/cli-plugin-babel 5.0.8
  • @vue/cli-plugin-e2e-cypress 5.0.8
  • @vue/cli-plugin-eslint 5.0.8
  • @vue/cli-plugin-unit-jest 5.0.8
  • @vue/cli-service 5.0.8
  • @vue/eslint-config-prettier 9.0.0
  • @vue/test-utils 2.4.6
  • babel-core 6.26.3
  • @babel/eslint-parser 7.25.1
  • babel-jest 29.7.0
  • eslint 9.9.0
  • eslint-plugin-prettier 5.2.1
  • eslint-plugin-vue 9.27.0
  • jest-mock-axios 4.7.3
  • node-sass 9.0.0
  • prettier 3.3.3
  • sass-loader 16.0.1
  • vue-template-compiler 2.7.16
  • minimist 1.2.8
  • mkdir 0.0.2
  • yargs-parser 21.1.1
pip_requirements
backend/requirements.txt
  • setuptools >=70.0.0
  • werkzeug >=3.0.1
  • zipp >=3.19.1
requirements.txt
  • setuptools >=70.0.0
  • werkzeug >=3.0.1
  • zipp >=3.19.1
travis
.travis.yml
  • Check this box to trigger a request for Renovate to run again on this repository

webpack-dev-server-4.9.3.tgz: 1 vulnerabilities (highest severity is: 7.5) - autoclosed

Vulnerable Library - webpack-dev-server-4.9.3.tgz

Path to dependency file: /frontend/package.json

Path to vulnerable library: /frontend/node_modules/glob-parent/package.json

Vulnerabilities

CVE Severity CVSS Dependency Type Fixed in Remediation Available
CVE-2021-35065 High 7.5 glob-parent-5.1.2.tgz Transitive N/A โŒ

Details

CVE-2021-35065

Vulnerable Library - glob-parent-5.1.2.tgz

Extract the non-magic parent path from a glob string.

Library home page: https://registry.npmjs.org/glob-parent/-/glob-parent-5.1.2.tgz

Path to dependency file: /frontend/package.json

Path to vulnerable library: /frontend/node_modules/glob-parent/package.json

Dependency Hierarchy:

  • webpack-dev-server-4.9.3.tgz (Root Library)
    • chokidar-3.5.3.tgz
      • โŒ glob-parent-5.1.2.tgz (Vulnerable Library)

Found in base branch: master

Vulnerability Details

The package glob-parent before 6.0.1 are vulnerable to Regular Expression Denial of Service (ReDoS)

Publish Date: 2021-06-22

URL: CVE-2021-35065

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-cj88-88mr-972w

Release Date: 2021-06-22

Fix Resolution: glob-parent - 6.0.1

Step up your Open Source Security Game with Mend here

Werkzeug-2.2.3-py3-none-any.whl: 2 vulnerabilities (highest severity is: 7.5)

Vulnerable Library - Werkzeug-2.2.3-py3-none-any.whl

The comprehensive WSGI web application library.

Library home page: https://files.pythonhosted.org/packages/f6/f8/9da63c1617ae2a1dec2fbf6412f3a0cfe9d4ce029eccbda6e1e4258ca45f/Werkzeug-2.2.3-py3-none-any.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt,/backend/requirements.txt

Found in HEAD commit: e73ec3d70e4e0680871ada7ab00a7d14c086ef51

Vulnerabilities

CVE Severity CVSS Dependency Type Fixed in (Werkzeug version) Remediation Possible**
CVE-2024-34069 High 7.5 Werkzeug-2.2.3-py3-none-any.whl Direct Werkzeug - 3.0.3 โŒ
CVE-2023-46136 High 7.5 Werkzeug-2.2.3-py3-none-any.whl Direct werkzeug - 2.3.8,3.0.1 โŒ

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2024-34069

Vulnerable Library - Werkzeug-2.2.3-py3-none-any.whl

The comprehensive WSGI web application library.

Library home page: https://files.pythonhosted.org/packages/f6/f8/9da63c1617ae2a1dec2fbf6412f3a0cfe9d4ce029eccbda6e1e4258ca45f/Werkzeug-2.2.3-py3-none-any.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt,/backend/requirements.txt

Dependency Hierarchy:

  • โŒ Werkzeug-2.2.3-py3-none-any.whl (Vulnerable Library)

Found in HEAD commit: e73ec3d70e4e0680871ada7ab00a7d14c086ef51

Found in base branch: master

Vulnerability Details

Werkzeug is a comprehensive WSGI web application library. The debugger in affected versions of Werkzeug can allow an attacker to execute code on a developer's machine under some circumstances. This requires the attacker to get the developer to interact with a domain and subdomain they control, and enter the debugger PIN, but if they are successful it allows access to the debugger even if it is only running on localhost. This also requires the attacker to guess a URL in the developer's application that will trigger the debugger. This vulnerability is fixed in 3.0.3.

Publish Date: 2024-05-06

URL: CVE-2024-34069

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-2g68-c3qc-8985

Release Date: 2024-05-06

Fix Resolution: Werkzeug - 3.0.3

Step up your Open Source Security Game with Mend here

CVE-2023-46136

Vulnerable Library - Werkzeug-2.2.3-py3-none-any.whl

The comprehensive WSGI web application library.

Library home page: https://files.pythonhosted.org/packages/f6/f8/9da63c1617ae2a1dec2fbf6412f3a0cfe9d4ce029eccbda6e1e4258ca45f/Werkzeug-2.2.3-py3-none-any.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt,/backend/requirements.txt

Dependency Hierarchy:

  • โŒ Werkzeug-2.2.3-py3-none-any.whl (Vulnerable Library)

Found in HEAD commit: e73ec3d70e4e0680871ada7ab00a7d14c086ef51

Found in base branch: master

Vulnerability Details

Werkzeug is a comprehensive WSGI web application library. If an upload of a file that starts with CR or LF and then is followed by megabytes of data without these characters: all of these bytes are appended chunk by chunk into internal bytearray and lookup for boundary is performed on growing buffer. This allows an attacker to cause a denial of service by sending crafted multipart data to an endpoint that will parse it. The amount of CPU time required can block worker processes from handling legitimate requests. This vulnerability has been patched in version 3.0.1.

Publish Date: 2023-10-25

URL: CVE-2023-46136

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-hrfv-mqp8-q5rw

Release Date: 2023-10-25

Fix Resolution: werkzeug - 2.3.8,3.0.1

Step up your Open Source Security Game with Mend here

cypress-12.17.0.tgz: 1 vulnerabilities (highest severity is: 6.5) - autoclosed

Vulnerable Library - cypress-12.17.0.tgz

Path to dependency file: /frontend/package.json

Path to vulnerable library: /frontend/node_modules/tough-cookie/package.json

Found in HEAD commit: 3f5aa7752c43de191268147892e92932225842f3

Vulnerabilities

CVE Severity CVSS Dependency Type Fixed in (cypress version) Remediation Available
CVE-2023-26136 Medium 6.5 tough-cookie-2.5.0.tgz Transitive N/A* โŒ

*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.

Details

CVE-2023-26136

Vulnerable Library - tough-cookie-2.5.0.tgz

RFC6265 Cookies and Cookie Jar for node.js

Library home page: https://registry.npmjs.org/tough-cookie/-/tough-cookie-2.5.0.tgz

Path to dependency file: /frontend/package.json

Path to vulnerable library: /frontend/node_modules/tough-cookie/package.json

Dependency Hierarchy:

  • cypress-12.17.0.tgz (Root Library)
    • request-2.88.11.tgz
      • โŒ tough-cookie-2.5.0.tgz (Vulnerable Library)

Found in HEAD commit: 3f5aa7752c43de191268147892e92932225842f3

Found in base branch: master

Vulnerability Details

Versions of the package tough-cookie before 4.1.3 are vulnerable to Prototype Pollution due to improper handling of Cookies when using CookieJar in rejectPublicSuffixes=false mode. This issue arises from the manner in which the objects are initialized.

Publish Date: 2023-07-01

URL: CVE-2023-26136

CVSS 3 Score Details (6.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2023-26136

Release Date: 2023-07-01

Fix Resolution: tough-cookie - 4.1.3

Step up your Open Source Security Game with Mend here

cypress-12.17.3.tgz: 1 vulnerabilities (highest severity is: 9.8) - autoclosed

Vulnerable Library - cypress-12.17.3.tgz

Path to dependency file: /frontend/package.json

Path to vulnerable library: /frontend/node_modules/tough-cookie/package.json

Vulnerabilities

CVE Severity CVSS Dependency Type Fixed in (cypress version) Remediation Available
CVE-2023-26136 Critical 9.8 tough-cookie-2.5.0.tgz Transitive N/A* โŒ

*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.

Details

CVE-2023-26136

Vulnerable Library - tough-cookie-2.5.0.tgz

RFC6265 Cookies and Cookie Jar for node.js

Library home page: https://registry.npmjs.org/tough-cookie/-/tough-cookie-2.5.0.tgz

Path to dependency file: /frontend/package.json

Path to vulnerable library: /frontend/node_modules/tough-cookie/package.json

Dependency Hierarchy:

  • cypress-12.17.3.tgz (Root Library)
    • request-2.88.11.tgz
      • โŒ tough-cookie-2.5.0.tgz (Vulnerable Library)

Found in base branch: master

Vulnerability Details

Versions of the package tough-cookie before 4.1.3 are vulnerable to Prototype Pollution due to improper handling of Cookies when using CookieJar in rejectPublicSuffixes=false mode. This issue arises from the manner in which the objects are initialized.

Publish Date: 2023-07-01

URL: CVE-2023-26136

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2023-26136

Release Date: 2023-07-01

Fix Resolution: tough-cookie - 4.1.3

Step up your Open Source Security Game with Mend here

cypress-12.17.2.tgz: 1 vulnerabilities (highest severity is: 9.8) - autoclosed

Vulnerable Library - cypress-12.17.2.tgz

Path to vulnerable library: /frontend/node_modules/tough-cookie/package.json

Vulnerabilities

CVE Severity CVSS Dependency Type Fixed in (cypress version) Remediation Available
CVE-2023-26136 Critical 9.8 tough-cookie-2.5.0.tgz Transitive N/A* โŒ

*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.

Details

CVE-2023-26136

Vulnerable Library - tough-cookie-2.5.0.tgz

RFC6265 Cookies and Cookie Jar for node.js

Library home page: https://registry.npmjs.org/tough-cookie/-/tough-cookie-2.5.0.tgz

Path to dependency file: /frontend/package.json

Path to vulnerable library: /frontend/node_modules/tough-cookie/package.json

Dependency Hierarchy:

  • cypress-12.17.2.tgz (Root Library)
    • request-2.88.11.tgz
      • โŒ tough-cookie-2.5.0.tgz (Vulnerable Library)

Found in base branch: master

Vulnerability Details

Versions of the package tough-cookie before 4.1.3 are vulnerable to Prototype Pollution due to improper handling of Cookies when using CookieJar in rejectPublicSuffixes=false mode. This issue arises from the manner in which the objects are initialized.

Publish Date: 2023-07-01

URL: CVE-2023-26136

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2023-26136

Release Date: 2023-07-01

Fix Resolution: tough-cookie - 4.1.3

Step up your Open Source Security Game with Mend here

cypress-9.5.4.tgz: 1 vulnerabilities (highest severity is: 7.5) - autoclosed

Vulnerable Library - cypress-9.5.4.tgz

Path to dependency file: /frontend/package.json

Path to vulnerable library: /frontend/node_modules/qs/package.json

Found in HEAD commit: 0e0b0f1819ba51e677cd562325e419e7846715a2

Vulnerabilities

CVE Severity CVSS Dependency Type Fixed in Remediation Available
CVE-2021-44907 High 7.5 qs-6.5.3.tgz Transitive N/A โŒ

Details

CVE-2021-44907

Vulnerable Library - qs-6.5.3.tgz

A querystring parser that supports nesting and arrays, with a depth limit

Library home page: https://registry.npmjs.org/qs/-/qs-6.5.3.tgz

Path to dependency file: /frontend/package.json

Path to vulnerable library: /frontend/node_modules/qs/package.json

Dependency Hierarchy:

  • cypress-9.5.4.tgz (Root Library)
    • request-2.88.10.tgz
      • โŒ qs-6.5.3.tgz (Vulnerable Library)

Found in HEAD commit: 0e0b0f1819ba51e677cd562325e419e7846715a2

Found in base branch: master

Vulnerability Details

A Denial of Service vulnerability exists in qs up to 6.8.0 due to insufficient sanitization of property in the gs.parse function. The merge() function allows the assignment of properties on an array in the query. For any property being assigned, a value in the array is converted to an object containing these properties. Essentially, this means that the property whose expected type is Array always has to be checked with Array.isArray() by the user. This may not be obvious to the user and can cause unexpected behavior.

Publish Date: 2022-03-17

URL: CVE-2021-44907

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44907

Release Date: 2022-03-17

Fix Resolution: qs - 6.8.1

Step up your Open Source Security Game with WhiteSource here

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    ๐Ÿ–– Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. ๐Ÿ“Š๐Ÿ“ˆ๐ŸŽ‰

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google โค๏ธ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.