logzio / apollo Goto Github PK

Vulnerable Library - ws-0.4.32.tgz

simple to use, blazing fast and thoroughly tested websocket client, server and console for node.js, up-to-date against RFC-6455

path: /tmp/git/apollo/ui/node_modules/ws/package.json

Library home page: http://registry.npmjs.org/ws/-/ws-0.4.32.tgz

Dependency Hierarchy:

• karma-0.12.37.tgz (Root Library)
  • socket.io-0.9.16.tgz
    • socket.io-client-0.9.16.tgz
      • ❌ ws-0.4.32.tgz (Vulnerable Library)

Vulnerability Details

A vulnerability was found in the ping functionality of the ws module before 1.0.0 which allowed clients to allocate memory by sending a ping frame. The ping functionality by default responds with a pong frame and the previously given payload of the ping frame. This is exactly what you expect, but internally ws always transforms all data that we need to send to a Buffer instance and that is where the vulnerability existed. ws didn't do any checks for the type of data it was sending. With buffers in node when you allocate it when a number instead of a string it will allocate the amount of bytes.

Publish Date: 2018-05-31

URL: CVE-2016-10518

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: None
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2016-10518

Release Date: 2018-05-31

Fix Resolution: 1.0.0

Vulnerability Details

The qs module before 1.0.0 does not have an option or default for specifying object depth and when parsing a string representing a deeply nested object will block the event loop for long periods of time. An attacker could leverage this to cause a temporary denial-of-service condition, for example, in a web application, other requests would not be processed while this blocking is occurring.

Publish Date: 2018-05-31

URL: CVE-2014-10064

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://nodesecurity.io/advisories/28

Release Date: 2014-08-06

Fix Resolution: Update to version 1.0.0 or later

Vulnerability Details

Request is an http client. If a request is made using multipart, and the body type is a number, then the specified number of non-zero memory is passed in the body. This affects Request >=2.2.6 <2.47.0 || >2.51.0 <=2.67.0.

Publish Date: 2018-06-04

URL: CVE-2017-16026

CVSS 3 Score Details (5.9)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: None
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2017-16026

Release Date: 2018-06-04

Fix Resolution: 2.47.1,2.67.1

Vulnerability Details

UglifyJS versions 2.4.23 and earlier are affected by a vulnerability which allows a specially crafted Javascript file to have altered functionality after minification.

Publish Date: 2015-08-24

URL: WS-2015-0024

CVSS 2 Score Details (8.3)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: mishoo/UglifyJS@905b601

Release Date: 2017-01-31

Fix Resolution: v2.4.24

Vulnerable Library - ws-0.4.32.tgz

simple to use, blazing fast and thoroughly tested websocket client, server and console for node.js, up-to-date against RFC-6455

path: /tmp/git/apollo/ui/node_modules/ws/package.json

Library home page: http://registry.npmjs.org/ws/-/ws-0.4.32.tgz

Dependency Hierarchy:

• karma-0.12.37.tgz (Root Library)
  • socket.io-0.9.16.tgz
    • socket.io-client-0.9.16.tgz
      • ❌ ws-0.4.32.tgz (Vulnerable Library)

Vulnerability Details

By sending an overly long websocket payload to a ws server, it is possible to crash the node process.

Publish Date: 2016-06-24

URL: WS-2016-0040

CVSS 2 Score Details (7.5)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: https://nodesecurity.io/advisories/120

Release Date: 2016-06-24

Fix Resolution: Update to version 1.1.1 of ws, or if that is not possible, set the `maxpayload` option for the `ws` server - make sure the value is less than 256MB.

Vulnerability Details

Affected version of mime (1.0.0 throw 1.4.0 and 2.0.0 throw 2.0.2), are vulnerable to regular expression denial of service.

Publish Date: 2017-09-27

URL: WS-2017-0330

CVSS 2 Score Details (5.0)

Base Score Metrics not available

Vulnerable Library - moment-2.8.4.min.js

Parse, validate, manipulate, and display dates

path: /apollo/ui/app/index.html

Library home page: https://cdnjs.cloudflare.com/ajax/libs/moment.js/2.8.4/moment.min.js

Dependency Hierarchy:

• ❌ moment-2.8.4.min.js (Vulnerable Library)

Vulnerability Details

Regular expression denial of service vulnerability in the moment package, by using a specific 40 characters long string in the "format" method.

Publish Date: 2016-10-24

URL: WS-2016-0075

CVSS 2 Score Details (5.8)

Base Score Metrics not available

Suggested Fix

Type: Change files

Origin: moment/moment@663f33e

Release Date: 2016-10-24

Fix Resolution: Replace or update the following files: month.js, lt.js

Vulnerable Library - ws-0.4.32.tgz

simple to use, blazing fast and thoroughly tested websocket client, server and console for node.js, up-to-date against RFC-6455

path: /tmp/git/apollo/ui/node_modules/ws/package.json

Library home page: http://registry.npmjs.org/ws/-/ws-0.4.32.tgz

Dependency Hierarchy:

• karma-0.12.37.tgz (Root Library)
  • socket.io-0.9.16.tgz
    • socket.io-client-0.9.16.tgz
      • ❌ ws-0.4.32.tgz (Vulnerable Library)

Vulnerability Details

ws is a "simple to use, blazing fast and thoroughly tested websocket client, server and console for node.js, up-to-date against RFC-6455". By sending an overly long websocket payload to a ws server, it is possible to crash the node process. This affects ws 1.1.0 and earlier.

Publish Date: 2018-05-31

URL: CVE-2016-10542

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8858

Release Date: 2018-12-15

Fix Resolution: v2.4.24

Vulnerable Library - cli-0.6.6.tgz

A tool for rapidly building command line apps

path: /tmp/git/apollo/ui/node_modules/cli/package.json

Library home page: http://registry.npmjs.org/cli/-/cli-0.6.6.tgz

Dependency Hierarchy:

• grunt-contrib-htmlmin-0.3.0.tgz (Root Library)
  • html-minifier-0.6.9.tgz
    • ❌ cli-0.6.6.tgz (Vulnerable Library)

Vulnerability Details

The package node-cli before 1.0.0 insecurely uses the lock_file and log_file. Both of these are temporary, but it allows the starting user to overwrite any file they have access to.

Publish Date: 2018-05-31

URL: CVE-2016-10538

CVSS 3 Score Details (3.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: Low
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2016-10538

Release Date: 2018-05-31

Fix Resolution: 1.0.0

Vulnerability Details

In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), transfer-encoding chunks are handled poorly. The chunk length parsing was vulnerable to an integer overflow. Thus a large chunk size could be interpreted as a smaller chunk size and content sent as chunk body could be interpreted as a pipelined request. If Jetty was deployed behind an intermediary that imposed some authorization and that intermediary allowed arbitrarily large chunks to be passed on unchanged, then this flaw could be used to bypass the authorization imposed by the intermediary as the fake pipelined request would not be interpreted by the intermediary as a request.

Publish Date: 2018-06-26

URL: CVE-2017-7657

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: http://www.securitytracker.com/id/1041194

Fix Resolution: The vendor has issued a fix (9.4.11.v20180605).

9.2.25.v20180606, 9.3.24.v20180605

The vendor advisory is available at:

http://dev.eclipse.org/mhonarc/lists/jetty-announce/msg00123.html

Vulnerability Details

The debug module is vulnerable to regular expression denial of service when untrusted user input is passed into the o formatter. It takes around 50k characters to block for 2 seconds making this a low severity issue.

Publish Date: 2018-06-07

URL: CVE-2017-16137

CVSS 3 Score Details (5.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: https://nodesecurity.io/advisories/534

Release Date: 2017-09-27

Fix Resolution: Version 2.x.x: Update to version 2.6.9 or later. Version 3.x.x: Update to version 3.1.0 or later.

Vulnerability Details

hoek node module before 4.2.0 and 5.0.x before 5.0.3 suffers from a Modification of Assumed-Immutable Data (MAID) vulnerability via 'merge' and 'applyToDefaults' functions, which allows a malicious user to modify the prototype of "Object" via proto, causing the addition or modification of an existing property that will exist on all objects.

Publish Date: 2018-03-30

URL: CVE-2018-3728

CVSS 3 Score Details (8.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2018-3728

Release Date: 2018-03-30

Fix Resolution: 4.2.0,5.0.3

Vulnerable Library - cli-0.6.6.tgz

A tool for rapidly building command line apps

path: /tmp/git/apollo/ui/node_modules/cli/package.json

Library home page: http://registry.npmjs.org/cli/-/cli-0.6.6.tgz

Dependency Hierarchy:

• grunt-contrib-htmlmin-0.3.0.tgz (Root Library)
  • html-minifier-0.6.9.tgz
    • ❌ cli-0.6.6.tgz (Vulnerable Library)

Vulnerability Details

The package node-cli insecurely uses the lock_file and log_file. Both of these are temporary, but it allows the starting user to overwrite any file they have access to.

Publish Date: 2016-06-15

URL: WS-2016-0036

CVSS 2 Score Details (1.9)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: node-js-libs/cli@fd6bc4d

Release Date: 2017-01-31

Fix Resolution: 1.0.0

Vulnerable Library - http-signature-0.10.1.tgz

Reference implementation of Joyent's HTTP Signature scheme.

path: /tmp/git/apollo/ui/node_modules/google-cdn/node_modules/http-signature/package.json

Library home page: http://registry.npmjs.org/http-signature/-/http-signature-0.10.1.tgz

Dependency Hierarchy:

• grunt-google-cdn-0.4.3.tgz (Root Library)
  • google-cdn-0.7.0.tgz
    • bower-1.3.12.tgz
      • request-2.42.0.tgz
        • ❌ http-signature-0.10.1.tgz (Vulnerable Library)

Vulnerability Details

Affected versions (before 1.0.0) of the http-signature package are vulnerable to Timing Attacks.

Publish Date: 2017-06-28

URL: WS-2017-0266

CVSS 2 Score Details (5.5)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: TritonDataCenter/node-http-signature#36

Release Date: 2017-01-31

Fix Resolution: 1.0.0

Vulnerable Library - moment-2.8.4.min.js

Parse, validate, manipulate, and display dates

path: /apollo/ui/app/index.html

Library home page: https://cdnjs.cloudflare.com/ajax/libs/moment.js/2.8.4/moment.min.js

Dependency Hierarchy:

• ❌ moment-2.8.4.min.js (Vulnerable Library)

Vulnerability Details

The duration function in the moment package before 2.11.2 for Node.js allows remote attackers to cause a denial of service (CPU consumption) via a long string, aka a "regular expression Denial of Service (ReDoS)."

Publish Date: 2017-01-23

URL: CVE-2016-4055

CVSS 3 Score Details (6.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4055

Release Date: 2017-01-23

Fix Resolution: 2.11.2

Vulnerability Details

Minimatch is a minimal matching utility that works by converting glob expressions into JavaScript RegExp objects. The primary function, minimatch(path, pattern) in Minimatch 3.0.1 and earlier is vulnerable to ReDoS in the pattern parameter.

Publish Date: 2018-05-31

URL: CVE-2016-10540

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://nodesecurity.io/advisories/118

Release Date: 2016-06-20

Fix Resolution: Update to version 3.0.2 or later.

Vulnerable Library - ms-0.7.0.tgz

Tiny ms conversion utility

path: /tmp/git/apollo/ui/node_modules/grunt-usemin/node_modules/ms/package.json

Library home page: http://registry.npmjs.org/ms/-/ms-0.7.0.tgz

Dependency Hierarchy:

• grunt-usemin-2.6.2.tgz (Root Library)
  • debug-2.1.3.tgz
    • ❌ ms-0.7.0.tgz (Vulnerable Library)

Vulnerability Details

Ms is vulnerable to regular expression denial of service (ReDoS) when extremely long version strings are parsed.

Publish Date: 2015-10-24

URL: WS-2015-0015

CVSS 2 Score Details (5.3)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: https://nodesecurity.io/advisories/46

Release Date: 2015-10-24

Fix Resolution: Update to version 0.7.1 or greater. An alternative would be to limit the input length of the user input before passing it into ms.

Vulnerability Details

Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS).

Publish Date: 2017-05-15

URL: WS-2017-0247

CVSS 2 Score Details (3.4)

Base Score Metrics not available

Suggested Fix

Type: Change files

Origin: vercel/ms@305f2dd

Release Date: 2017-04-12

Fix Resolution: Replace or update the following file: index.js

Vulnerability Details

In Eclipse Jetty Server, versions 9.2.x and older, 9.3.x (all non HTTP/1.x configurations), and 9.4.x (all HTTP/1.x configurations), when presented with two content-lengths headers, Jetty ignored the second. When presented with a content-length and a chunked encoding header, the content-length was ignored (as per RFC 2616). If an intermediary decided on the shorter length, but still passed on the longer body, then body content could be interpreted by Jetty as a pipelined request. If the intermediary was imposing authorization, the fake pipelined request would bypass that authorization.

Publish Date: 2018-06-26

URL: CVE-2017-7658

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: http://www.securitytracker.com/id/1041194

Fix Resolution: The vendor has issued a fix (9.4.11.v20180605).

9.2.25.v20180606, 9.3.24.v20180605

The vendor advisory is available at:

http://dev.eclipse.org/mhonarc/lists/jetty-announce/msg00123.html

Vulnerability Details

The mime module < 1.4.1, 2.0.1, 2.0.2 is vulnerable to regular expression denial of service when a mime lookup is performed on untrusted user input.

Publish Date: 2018-06-07

URL: CVE-2017-16138

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Vulnerable Library - c3p0-0.9.5.2.jar

a JDBC Connection pooling / Statement caching library

path: /root/.m2/repository/com/mchange/c3p0/0.9.5.2/c3p0-0.9.5.2.jar

Library home page: https://github.com/swaldman/c3p0

Dependency Hierarchy:

• rapidoid-quick-5.3.4.jar (Root Library)
  • ❌ c3p0-0.9.5.2.jar (Vulnerable Library)

Vulnerability Details

c3p0 0.9.5.2 allows XXE in extractXmlConfigFromInputStream in com/mchange/v2/c3p0/cfg/C3P0ConfigXmlUtils.java during initialization.

Publish Date: 2018-12-24

URL: CVE-2018-20433

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Change files

Origin: zhutougg/c3p0@2eb0ea9

Release Date: 2018-12-20

Fix Resolution: Replace or update the following file: C3P0ConfigXmlUtils.java

Vulnerability Details

Uglify-js is vulnerable to regular expression denial of service (ReDoS) when certain types of input is passed into .parse().

Publish Date: 2015-10-24

URL: WS-2015-0017

CVSS 2 Score Details (5.3)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: https://nodesecurity.io/advisories/48

Release Date: 2015-10-24

Fix Resolution: Update to version 2.6.0 or later

Vulnerable Library - jetty-server-9.4.5.v20170502.jar

The core jetty server artifact.

path: /root/.m2/repository/org/eclipse/jetty/jetty-server/9.4.5.v20170502/jetty-server-9.4.5.v20170502.jar

Library home page: http://www.eclipse.org/jetty

Dependency Hierarchy:

• javax-websocket-server-impl-9.4.5.v20170502.jar (Root Library)
  • websocket-server-9.4.5.v20170502.jar
    • jetty-servlet-9.4.5.v20170502.jar
      • jetty-security-9.4.5.v20170502.jar
        • ❌ jetty-server-9.4.5.v20170502.jar (Vulnerable Library)

Vulnerability Details

In Eclipse Jetty versions 9.4.0 through 9.4.8, when using the optional Jetty provided FileSessionDataStore for persistent storage of HttpSession details, it is possible for a malicious user to access/hijack other HttpSessions and even delete unmatched HttpSessions present in the FileSystem's storage for the FileSessionDataStore.

Publish Date: 2018-06-22

URL: CVE-2018-12538

CVSS 3 Score Details (8.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: http://www.securitytracker.com/id/1041194

Fix Resolution: The vendor has issued a fix (9.4.11.v20180605).

9.2.25.v20180606, 9.3.24.v20180605

The vendor advisory is available at:

http://dev.eclipse.org/mhonarc/lists/jetty-announce/msg00123.html

Vulnerability Details

negotiator is an HTTP content negotiator for Node.js and is used by many modules and frameworks including Express and Koa. The header for "Accept-Language", when parsed by negotiator 0.6.0 and earlier is vulnerable to Regular Expression Denial of Service via a specially crafted string.

Publish Date: 2018-05-31

URL: CVE-2016-10539

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://nodesecurity.io/advisories/106

Release Date: 2016-06-16

Fix Resolution: Upgrade to at least version 0.6.1

Express users should update to Express 4.14.0 or greater. If you want to see if you are using a vulnerable call, a quick grep for the acceptsLanguages function call in your application will tell you if you are using this functionality.

Vulnerability Details

Denial-of-Service Extended Event Loop Blocking.The qs module does not have an option or default for specifying object depth and when parsing a string representing a deeply nested object will block the event loop for long periods of time

Publish Date: 2014-08-06

URL: WS-2014-0005

CVSS 2 Score Details (6.5)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: https://nodesecurity.io/advisories/qs_dos_extended_event_loop_blocking

Release Date: 2014-08-06

Fix Resolution: Update qs to version 1.0.0 or greater

Vulnerable Library - moment-2.8.4.min.js

Parse, validate, manipulate, and display dates

path: /apollo/ui/app/index.html

Library home page: https://cdnjs.cloudflare.com/ajax/libs/moment.js/2.8.4/moment.min.js

Dependency Hierarchy:

• ❌ moment-2.8.4.min.js (Vulnerable Library)

Vulnerability Details

The moment module before 2.19.3 for Node.js is prone to a regular expression denial of service via a crafted date string, a different vulnerability than CVE-2016-4055.

Publish Date: 2018-03-04

URL: CVE-2017-18214

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18214

Release Date: 2018-03-04

Fix Resolution: 2.19.3

Vulnerability Details

The uglify-js package before 2.6.0 for Node.js allows attackers to cause a denial of service (CPU consumption) via crafted input in a parse call, aka a "regular expression denial of service (ReDoS)."

Publish Date: 2017-01-23

URL: CVE-2015-8858

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8858

Release Date: 2018-12-15

Fix Resolution: v2.6.0

Vulnerable Library - ws-0.4.32.tgz

simple to use, blazing fast and thoroughly tested websocket client, server and console for node.js, up-to-date against RFC-6455

path: /tmp/git/apollo/ui/node_modules/ws/package.json

Library home page: http://registry.npmjs.org/ws/-/ws-0.4.32.tgz

Dependency Hierarchy:

• karma-0.12.37.tgz (Root Library)
  • socket.io-0.9.16.tgz
    • socket.io-client-0.9.16.tgz
      • ❌ ws-0.4.32.tgz (Vulnerable Library)

Vulnerability Details

DoS in ws module due to excessively large websocket message.

Publish Date: 2016-06-24

URL: WS-2016-0031

CVSS 2 Score Details (7.5)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: https://nodesecurity.io/advisories/120

Release Date: 2016-06-24

Fix Resolution: Update to version 1.1.1 of ws, or if that is not possible, set the `maxpayload` option for the `ws` server - make sure the value is less than 256MB.

Vulnerability Details

The uglify-js package before 2.4.24 for Node.js does not properly account for non-boolean values when rewriting boolean expressions, which might allow attackers to bypass security mechanisms or possibly have unspecified other impact by leveraging improperly rewritten Javascript.

Publish Date: 2017-01-23

URL: CVE-2015-8857

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8858

Release Date: 2018-12-15

Fix Resolution: v2.4.24

Vulnerable Library - ws-0.4.32.tgz

simple to use, blazing fast and thoroughly tested websocket client, server and console for node.js, up-to-date against RFC-6455

path: /tmp/git/apollo/ui/node_modules/ws/package.json

Library home page: http://registry.npmjs.org/ws/-/ws-0.4.32.tgz

Dependency Hierarchy:

• karma-0.12.37.tgz (Root Library)
  • socket.io-0.9.16.tgz
    • socket.io-client-0.9.16.tgz
      • ❌ ws-0.4.32.tgz (Vulnerable Library)

Vulnerability Details

Depending on the JavaScript engine, Math.random can be anywhere between extremely insecure and cryptographically pseudo-random.
Versions which use Math.random can produce predictable values, thus shall not be used.

Publish Date: 2016-09-20

URL: WS-2017-0107

CVSS 2 Score Details (5.9)

Base Score Metrics not available

Suggested Fix

Type: Change files

Origin: websockets/ws@7253f06

Release Date: 2016-11-25

Fix Resolution: Replace or update the following file: Sender.js

Vulnerable Library - shell-quote-1.4.3.tgz

quote and parse shell commands

path: /tmp/git/apollo/ui/node_modules/shell-quote/package.json

Library home page: http://registry.npmjs.org/shell-quote/-/shell-quote-1.4.3.tgz

Dependency Hierarchy:

• grunt-google-cdn-0.4.3.tgz (Root Library)
  • google-cdn-0.7.0.tgz
    • bower-1.3.12.tgz
      • ❌ shell-quote-1.4.3.tgz (Vulnerable Library)

Vulnerability Details

The npm module "shell-quote" cannot correctly escape "greater than" and "lower than" operator used for redirection in shell. This might be possible vulnerability for many application which depends on shell-quote.

Publish Date: 2016-06-21

URL: WS-2016-0039

CVSS 2 Score Details (8.4)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: https://nodesecurity.io/advisories/117

Release Date: 2016-06-21

Fix Resolution: Upgrade to at least version 1.6.1

Vulnerability Details

Eran Hammer cryptiles version 4.1.1 earlier contains a CWE-331: Insufficient Entropy vulnerability in randomDigits() method that can result in An attacker is more likely to be able to brute force something that was supposed to be random.. This attack appear to be exploitable via Depends upon the calling application.. This vulnerability appears to have been fixed in 4.1.2.

Publish Date: 2018-07-09

URL: CVE-2018-1000620

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Vulnerability Details

The qs module before 1.0.0 in Node.js does not call the compact function for array data, which allows remote attackers to cause a denial of service (memory consumption) by using a large index value to create a sparse array.

Publish Date: 2014-10-19

URL: CVE-2014-7191

CVSS 2 Score Details (5.0)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2014-7191

Release Date: 2014-10-19

Fix Resolution: 1.0.0

Vulnerable Library - shell-quote-1.4.3.tgz

quote and parse shell commands

path: /tmp/git/apollo/ui/node_modules/shell-quote/package.json

Library home page: http://registry.npmjs.org/shell-quote/-/shell-quote-1.4.3.tgz

Dependency Hierarchy:

• grunt-google-cdn-0.4.3.tgz (Root Library)
  • google-cdn-0.7.0.tgz
    • bower-1.3.12.tgz
      • ❌ shell-quote-1.4.3.tgz (Vulnerable Library)

Vulnerability Details

The npm module "shell-quote" 1.6.0 and earlier cannot correctly escape ">" and "<" operator used for redirection in shell. Applications that depend on shell-quote may also be vulnerable. A malicious user could perform code injection.

Publish Date: 2018-05-31

URL: CVE-2016-10541

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10541

Release Date: 2018-12-15

Fix Resolution: 1.6.1

Vulnerability Details

In Eclipse Jetty Server, all 9.x versions, on webapps deployed using default Error Handling, when an intentionally bad query arrives that doesn't match a dynamic url-pattern, and is eventually handled by the DefaultServlet's static file serving, the bad characters can trigger a java.nio.file.InvalidPathException which includes the full path to the base resource directory that the DefaultServlet and/or webapp is using. If this InvalidPathException is then handled by the default Error Handler, the InvalidPathException message is included in the error response, revealing the full server path to the requesting system.

Publish Date: 2018-06-27

URL: CVE-2018-12536

CVSS 3 Score Details (5.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: None
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: http://www.securitytracker.com/id/1041194

Fix Resolution: The vendor has issued a fix (9.4.11.v20180605).

9.2.25.v20180606, 9.3.24.v20180605

The vendor advisory is available at:

http://dev.eclipse.org/mhonarc/lists/jetty-announce/msg00123.html

Vulnerable Library - ws-0.4.32.tgz

simple to use, blazing fast and thoroughly tested websocket client, server and console for node.js, up-to-date against RFC-6455

path: /tmp/git/apollo/ui/node_modules/ws/package.json

Library home page: http://registry.npmjs.org/ws/-/ws-0.4.32.tgz

Dependency Hierarchy:

• karma-0.12.37.tgz (Root Library)
  • socket.io-0.9.16.tgz
    • socket.io-client-0.9.16.tgz
      • ❌ ws-0.4.32.tgz (Vulnerable Library)

Vulnerability Details

Affected version of ws (0.2.6--3.3.0) are vulnerable to A specially crafted value of the Sec-WebSocket-Extensions header that used Object.prototype property names as extension or parameter names could be used to make a ws server crash.

Publish Date: 2017-11-08

URL: WS-2017-0421

CVSS 2 Score Details (7.5)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/550/versions

Release Date: 2019-01-24

Fix Resolution: 3.3.1