melsorg / github-scanner-test
This project forked from whitesource/github-scanner-test
Dummy repository for testing the GitHub scanner
The Web framework for perfectionists with deadlines.
Library home page: https://github.com/django/django.git
Found in HEAD commit: 38c8615a6d0a047787b5e7401328782154ba03e4
* The source files were matched to this source library based on a best effort match. Source libraries are selected from a list of probable public libraries.
The session backends in Django before 1.4.21, 1.5.x through 1.6.x, 1.7.x before 1.7.9, and 1.8.x before 1.8.3 allows remote attackers to cause a denial of service (session store consumption) via multiple requests with unique session keys.
Publish Date: 2015-07-14
URL: CVE-2015-5143
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2015-5143
Release Date: 2015-07-14
Fix Resolution: 1.4.21,1.7.9,1.8.3
Step up your Open Source Security Game with WhiteSource here
The SSLv2 protocol, as used in OpenSSL before 1.0.1s and 1.0.2 before 1.0.2g and other products, requires a server to send a ServerVerify message before establishing that a client possesses certain plaintext RSA data, which makes it easier for remote attackers to decrypt TLS ciphertext data by leveraging a Bleichenbacher RSA padding oracle, aka a "DROWN" attack.
Publish Date: 2016-03-01
URL: CVE-2016-0800
Base Score Metrics:
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2016-0800
Release Date: 2016-03-01
Fix Resolution: 1.0.1s,1.0.2g
Node.js JavaScript runtime
Library home page: https://github.com/iojs/io.js.git
Found in HEAD commit: 8cd991d5c517f7c4db986d368921467ed43ddd02
Found in base branch: master
d1_both.c in the DTLS implementation in OpenSSL 0.9.8 before 0.9.8zb, 1.0.0 before 1.0.0n, and 1.0.1 before 1.0.1i allows remote attackers to cause a denial of service (memory consumption) via crafted DTLS handshake messages that trigger memory allocations corresponding to large length values.
Publish Date: 2014-08-13
URL: CVE-2014-3506
Base Score Metrics:
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2014-3506
Release Date: 2014-08-13
Fix Resolution: 0.9.8zb,1.0.0n,1.0.1i
Node.js JavaScript runtime
Library home page: https://github.com/nodejs/node.git
Found in HEAD commit: 38c8615a6d0a047787b5e7401328782154ba03e4
* The source files were matched to this source library based on a best effort match. Source libraries are selected from a list of probable public libraries.
The is-my-json-valid package before 2.12.4 for Node.js has an incorrect exports['utc-millisec'] regular expression, which allows remote attackers to cause a denial of service (blocked event loop) via a crafted string.
Publish Date: 2016-02-23
URL: CVE-2016-2537
Base Score Metrics:
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2016-2537
Release Date: 2016-02-23
Fix Resolution: 2.12.4
Node.js JavaScript runtime
Library home page: https://github.com/iojs/io.js.git
Found in HEAD commit: 8cd991d5c517f7c4db986d368921467ed43ddd02
Found in base branch: master
Double free vulnerability in d1_both.c in the DTLS implementation in OpenSSL 0.9.8 before 0.9.8zb, 1.0.0 before 1.0.0n, and 1.0.1 before 1.0.1i allows remote attackers to cause a denial of service (application crash) via crafted DTLS packets that trigger an error condition.
Publish Date: 2014-08-13
URL: CVE-2014-3505
Base Score Metrics:
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2014-3505
Release Date: 2014-08-13
Fix Resolution: 0.9.8zb,1.0.0n,1.0.1i
Node.js JavaScript runtime
Library home page: https://github.com/iojs/io.js.git
Found in HEAD commit: 8cd991d5c517f7c4db986d368921467ed43ddd02
Found in base branch: master
The ssl23_get_client_hello function in s23_srvr.c in OpenSSL 1.0.1 before 1.0.1i allows man-in-the-middle attackers to force the use of TLS 1.0 by triggering ClientHello message fragmentation in communication between a client and server that both support later TLS versions, related to a "protocol downgrade" issue.
Publish Date: 2014-08-13
URL: CVE-2014-3511
Base Score Metrics:
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2014-3511
Release Date: 2014-08-13
Fix Resolution: 1.0.1i
The Web framework for perfectionists with deadlines.
Library home page: https://github.com/django/django.git
Found in HEAD commit: 38c8615a6d0a047787b5e7401328782154ba03e4
* The source files were matched to this source library based on a best effort match. Source libraries are selected from a list of probable public libraries.
The administrative interface (contrib.admin) in Django before 1.4.14, 1.5.x before 1.5.9, 1.6.x before 1.6.6, and 1.7 before release candidate 3 does not check if a field represents a relationship between models, which allows remote authenticated users to obtain sensitive information via a to_field parameter in a popup action to an admin change form page, as demonstrated by a /admin/auth/user/?pop=1&t=password URI.
Publish Date: 2014-08-26
URL: CVE-2014-0483
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2014-0483
Release Date: 2014-08-26
Fix Resolution: 1.4.14,1.5.9,1.6.6,1.7.1
Node.js JavaScript runtime
Library home page: https://github.com/iojs/io.js.git
Found in HEAD commit: 8cd991d5c517f7c4db986d368921467ed43ddd02
Found in base branch: master
The dtls1_reassemble_fragment function in d1_both.c in OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly validate fragment lengths in DTLS ClientHello messages, which allows remote attackers to execute arbitrary code or cause a denial of service (buffer overflow and application crash) via a long non-initial fragment.
Publish Date: 2014-06-05
URL: CVE-2014-0195
Base Score Metrics:
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2014-0195
Release Date: 2014-06-05
Fix Resolution: 0.9.8za,1.0.0m,1.0.1h
Node.js JavaScript runtime
Library home page: https://github.com/iojs/io.js.git
Found in HEAD commit: 8cd991d5c517f7c4db986d368921467ed43ddd02
Found in base branch: master
The SSLv2 implementation in OpenSSL before 0.9.8zf, 1.0.0 before 1.0.0r, 1.0.1 before 1.0.1m, and 1.0.2 before 1.0.2a allows remote attackers to cause a denial of service (s2_lib.c assertion failure and daemon exit) via a crafted CLIENT-MASTER-KEY message.
Publish Date: 2015-03-19
URL: CVE-2015-0293
Base Score Metrics:
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2015-0293
Release Date: 2015-03-19
Fix Resolution: 0.9.8zf,1.0.0r,1.0.1m,1.0.2a
Node.js JavaScript runtime
Library home page: https://github.com/iojs/io.js.git
Found in HEAD commit: 38c8615a6d0a047787b5e7401328782154ba03e4
Found in base branch: master
The get_client_master_key function in s2_srvr.c in the SSLv2 implementation in OpenSSL before 0.9.8zf, 1.0.0 before 1.0.0r, 1.0.1 before 1.0.1m, and 1.0.2 before 1.0.2a accepts a nonzero CLIENT-MASTER-KEY CLEAR-KEY-LENGTH value for an arbitrary cipher, which allows man-in-the-middle attackers to determine the MASTER-KEY value and decrypt TLS ciphertext data by leveraging a Bleichenbacher RSA padding oracle, a related issue to CVE-2016-0800.
Publish Date: 2016-03-02
URL: CVE-2016-0703
Base Score Metrics:
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2016-0703
Release Date: 2016-03-02
Fix Resolution: 0.9.8zf,1.0.0r,1.0.1m,1.0.2a
Node.js JavaScript runtime
Library home page: https://github.com/iojs/io.js.git
Found in HEAD commit: 8cd991d5c517f7c4db986d368921467ed43ddd02
Found in base branch: master
An oracle protection mechanism in the get_client_master_key function in s2_srvr.c in the SSLv2 implementation in OpenSSL before 0.9.8zf, 1.0.0 before 1.0.0r, 1.0.1 before 1.0.1m, and 1.0.2 before 1.0.2a overwrites incorrect MASTER-KEY bytes during use of export cipher suites, which makes it easier for remote attackers to decrypt TLS ciphertext data by leveraging a Bleichenbacher RSA padding oracle, a related issue to CVE-2016-0800.
Publish Date: 2016-03-02
URL: CVE-2016-0704
Base Score Metrics:
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2016-0704
Release Date: 2016-03-02
Fix Resolution: 0.9.8zf,1.0.0r,1.0.1m,1.0.2a
The Web framework for perfectionists with deadlines.
Library home page: https://github.com/django/django.git
Found in HEAD commit: 8cd991d5c517f7c4db986d368921467ed43ddd02
Found in base branch: master
The session backends in Django before 1.4.21, 1.5.x through 1.6.x, 1.7.x before 1.7.9, and 1.8.x before 1.8.3 allows remote attackers to cause a denial of service (session store consumption) via multiple requests with unique session keys.
Publish Date: 2015-07-14
URL: CVE-2015-5143
Base Score Metrics:
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2015-5143
Release Date: 2015-07-14
Fix Resolution: 1.4.21,1.7.9,1.8.3
The Web framework for perfectionists with deadlines.
Library home page: https://github.com/django/django.git
Found in HEAD commit: 8cd991d5c517f7c4db986d368921467ed43ddd02
Found in base branch: master
The django.core.urlresolvers.reverse function in Django before 1.4.11, 1.5.x before 1.5.6, 1.6.x before 1.6.3, and 1.7.x before 1.7 beta 2 allows remote attackers to import and execute arbitrary Python modules by leveraging a view that constructs URLs using user input and a "dotted Python path."
Publish Date: 2014-04-23
URL: CVE-2014-0472
Base Score Metrics:
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2014-0472
Release Date: 2014-04-23
Fix Resolution: 1.4.11,1.5.6,1.6.3,1.7 beta 2
The Web framework for perfectionists with deadlines.
Library home page: https://github.com/django/django.git
Found in HEAD commit: 38c8615a6d0a047787b5e7401328782154ba03e4
* The source files were matched to this source library based on a best effort match. Source libraries are selected from a list of probable public libraries.
The core.urlresolvers.reverse function in Django before 1.4.14, 1.5.x before 1.5.9, 1.6.x before 1.6.6, and 1.7 before release candidate 3 does not properly validate URLs, which allows remote attackers to conduct phishing attacks via a // (slash slash) in a URL, which triggers a scheme-relative URL to be generated.
Publish Date: 2014-08-26
URL: CVE-2014-0480
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2014-0480
Release Date: 2014-08-26
Fix Resolution: 1.4.14,1.5.9,1.6.6,1.7.1
The Web framework for perfectionists with deadlines.
Library home page: https://github.com/django/django.git
Found in HEAD commit: 8cd991d5c517f7c4db986d368921467ed43ddd02
Found in base branch: master
The contrib.auth.middleware.RemoteUserMiddleware middleware in Django before 1.4.14, 1.5.x before 1.5.9, 1.6.x before 1.6.6, and 1.7 before release candidate 3, when using the contrib.auth.backends.RemoteUserBackend backend, allows remote authenticated users to hijack web sessions via vectors related to the REMOTE_USER header.
Publish Date: 2014-08-26
URL: CVE-2014-0482
Base Score Metrics:
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2014-0482
Release Date: 2014-08-26
Fix Resolution: 1.4.14,1.5.9,1.6.6,1.7
Integer underflow in OpenSSL before 0.9.8x, 1.0.0 before 1.0.0j, and 1.0.1 before 1.0.1c, when TLS 1.1, TLS 1.2, or DTLS is used with CBC encryption, allows remote attackers to cause a denial of service (buffer over-read) or possibly have unspecified other impact via a crafted TLS packet that is not properly handled during a certain explicit IV calculation.
Publish Date: 2012-05-14
URL: CVE-2012-2333
Base Score Metrics:
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2012-2333
Release Date: 2012-05-14
Fix Resolution: 0.9.8x,1.0.0j,1.0.1c
Node.js JavaScript runtime
Library home page: https://github.com/nodejs/node.git
Found in HEAD commit: 8cd991d5c517f7c4db986d368921467ed43ddd02
* The source files were matched to this source library based on a best effort match. Source libraries are selected from a list of probable public libraries.
The is-my-json-valid package before 2.12.4 for Node.js has an incorrect exports['utc-millisec'] regular expression, which allows remote attackers to cause a denial of service (blocked event loop) via a crafted string.
Publish Date: 2016-02-23
URL: CVE-2016-2537
Base Score Metrics:
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2016-2537
Release Date: 2016-02-23
Fix Resolution: 2.12.4
Node.js JavaScript runtime
Library home page: https://github.com/iojs/io.js.git
Found in base branch: master
The DTLS implementation in OpenSSL before 1.1.0 does not properly restrict the lifetime of queue entries associated with unused out-of-order messages, which allows remote attackers to cause a denial of service (memory consumption) by maintaining many crafted DTLS sessions simultaneously, related to d1_lib.c, statem_dtls.c, statem_lib.c, and statem_srvr.c.
Publish Date: 2016-09-16
URL: CVE-2016-2179
Base Score Metrics:
Type: Upgrade version
Origin: https://www.openssl.org/news/secadv/20160922.txt
Release Date: 2016-09-16
Fix Resolution: 1.0.1u,1.0.2i
The Web framework for perfectionists with deadlines.
Library home page: https://github.com/django/django.git
Found in HEAD commit: 8cd991d5c517f7c4db986d368921467ed43ddd02
The administrative interface (contrib.admin) in Django before 1.4.14, 1.5.x before 1.5.9, 1.6.x before 1.6.6, and 1.7 before release candidate 3 does not check if a field represents a relationship between models, which allows remote authenticated users to obtain sensitive information via a to_field parameter in a popup action to an admin change form page, as demonstrated by a /admin/auth/user/?pop=1&t=password URI.
Publish Date: 2014-08-26
URL: CVE-2014-0483
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0483
Release Date: 2014-08-26
Fix Resolution: 1.4.14,1.5.9,1.6.6,1.7
The Web framework for perfectionists with deadlines.
Library home page: https://github.com/django/django.git
Found in HEAD commit: 38c8615a6d0a047787b5e7401328782154ba03e4
* The source files were matched to this source library based on a best effort match. Source libraries are selected from a list of probable public libraries.
Django before 1.4.21, 1.5.x through 1.6.x, 1.7.x before 1.7.9, and 1.8.x before 1.8.3 uses an incorrect regular expression, which allows remote attackers to inject arbitrary headers and conduct HTTP response splitting attacks via a newline character in an (1) email message to the EmailValidator, a (2) URL to the URLValidator, or unspecified vectors to the (3) validate_ipv4_address or (4) validate_slug validator.
Publish Date: 2015-07-14
URL: CVE-2015-5144
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2015-5144
Release Date: 2015-07-14
Fix Resolution: 1.4.21,1.7.9,1.8.3
Node.js JavaScript runtime
Library home page: https://github.com/nodejs/node.git
Found in HEAD commit: 38c8615a6d0a047787b5e7401328782154ba03e4
* The source files were matched to this source library based on a best effort match. Source libraries are selected from a list of probable public libraries.
The SSLv2 implementation in OpenSSL before 0.9.8zf, 1.0.0 before 1.0.0r, 1.0.1 before 1.0.1m, and 1.0.2 before 1.0.2a allows remote attackers to cause a denial of service (s2_lib.c assertion failure and daemon exit) via a crafted CLIENT-MASTER-KEY message.
Publish Date: 2015-03-19
URL: CVE-2015-0293
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2015-0293
Release Date: 2015-03-19
Fix Resolution: 0.9.8zf,1.0.0r,1.0.1m,1.0.2a
The Web framework for perfectionists with deadlines.
Library home page: https://github.com/django/django.git
Found in HEAD commit: 8cd991d5c517f7c4db986d368921467ed43ddd02
Found in base branch: master
Django before 1.4.21, 1.5.x through 1.6.x, 1.7.x before 1.7.9, and 1.8.x before 1.8.3 uses an incorrect regular expression, which allows remote attackers to inject arbitrary headers and conduct HTTP response splitting attacks via a newline character in an (1) email message to the EmailValidator, a (2) URL to the URLValidator, or unspecified vectors to the (3) validate_ipv4_address or (4) validate_slug validator.
Publish Date: 2015-07-14
URL: CVE-2015-5144
Base Score Metrics:
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2015-5144
Release Date: 2015-07-14
Fix Resolution: 1.4.21,1.7.9,1.8.3
The most popular front-end framework for developing responsive, mobile first projects on the web.
Library home page: https://api.nuget.org/packages/bootstrap.4.0.0-alpha6.nupkg
Path to vulnerable library: /github-scanner-test/nuget/bootstrap.4.0.0-alpha6.nupkg
Dependency Hierarchy:
Found in HEAD commit: 8cd991d5c517f7c4db986d368921467ed43ddd02
XSS in data-target in bootstrap (3.3.7 and before)
Publish Date: 2017-06-27
URL: WS-2018-0021
Type: Change files
Origin: twbs/bootstrap@d9be1da
Release Date: 2017-08-25
Fix Resolution: Replace or update the following files: alert.js, carousel.js, collapse.js, dropdown.js, modal.js
The DTLS retransmission implementation in OpenSSL 1.0.0 before 1.0.0l and 1.0.1 before 1.0.1f does not properly maintain data structures for digest and encryption contexts, which might allow man-in-the-middle attackers to trigger the use of a different context and cause a denial of service (application crash) by interfering with packet delivery, related to ssl/d1_both.c and ssl/t1_enc.c.
Publish Date: 2014-01-01
URL: CVE-2013-6450
Base Score Metrics:
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2013-6450
Release Date: 2014-01-01
Fix Resolution: 1.0.0l,1.0.1f
OpenSSL before 0.9.8zc, 1.0.0 before 1.0.0o, and 1.0.1 before 1.0.1j does not properly enforce the no-ssl3 build option, which allows remote attackers to bypass intended access restrictions via an SSL 3.0 handshake, related to s23_clnt.c and s23_srvr.c.
Publish Date: 2014-10-19
URL: CVE-2014-3568
Base Score Metrics:
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2014-3568
Release Date: 2014-10-19
Fix Resolution: 0.9.8zc,1.0.0o,1.0.1j
The Web framework for perfectionists with deadlines.
Library home page: https://github.com/django/django.git
Found in HEAD commit: 38c8615a6d0a047787b5e7401328782154ba03e4
* The source files were matched to this source library based on a best effort match. Source libraries are selected from a list of probable public libraries.
The caching framework in Django before 1.4.11, 1.5.x before 1.5.6, 1.6.x before 1.6.3, and 1.7.x before 1.7 beta 2 reuses a cached CSRF token for all anonymous users, which allows remote attackers to bypass CSRF protections by reading the CSRF cookie for anonymous users.
Publish Date: 2014-04-23
URL: CVE-2014-0473
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2014-0473
Release Date: 2014-04-23
Fix Resolution: 1.4.11,1.5.6,1.6.3,1.7 beta 2
Memory leak in d1_srtp.c in the DTLS SRTP extension in OpenSSL 1.0.1 before 1.0.1j allows remote attackers to cause a denial of service (memory consumption) via a crafted handshake message.
Publish Date: 2014-10-19
URL: CVE-2014-3513
Base Score Metrics:
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2014-3513
Release Date: 2014-10-19
Fix Resolution: 1.0.1j
Node.js JavaScript runtime
Library home page: https://github.com/nodejs/node.git
Found in HEAD commit: 38c8615a6d0a047787b5e7401328782154ba03e4
* The source files were matched to this source library based on a best effort match. Source libraries are selected from a list of probable public libraries.
Race condition in the ssl3_get_new_session_ticket function in ssl/s3_clnt.c in OpenSSL before 0.9.8zg, 1.0.0 before 1.0.0s, 1.0.1 before 1.0.1n, and 1.0.2 before 1.0.2b, when used for a multi-threaded client, allows remote attackers to cause a denial of service (double free and application crash) or possibly have unspecified other impact by providing a NewSessionTicket during an attempt to reuse a ticket that had been obtained earlier.
Publish Date: 2015-06-12
URL: CVE-2015-1791
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2015-1791
Release Date: 2015-06-12
Fix Resolution: 0.9.8zg,1.0.0s,1.0.1n,1.0.2b
The (1) TLS and (2) DTLS implementations in OpenSSL 1.0.1 before 1.0.1g do not properly handle Heartbeat Extension packets, which allows remote attackers to obtain sensitive information from process memory via crafted packets that trigger a buffer over-read, as demonstrated by reading private keys, related to d1_both.c and t1_lib.c, aka the Heartbleed bug.
Publish Date: 2014-04-07
URL: CVE-2014-0160
Base Score Metrics:
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2014-0160
Release Date: 2014-04-07
Fix Resolution: 1.0.1g
OpenSSL through 1.0.2h incorrectly uses pointer arithmetic for heap-buffer boundary checks, which might allow remote attackers to cause a denial of service (integer overflow and application crash) or possibly have unspecified other impact by leveraging unexpected malloc behavior, related to s3_srvr.c, ssl_sess.c, and t1_lib.c.
Publish Date: 2016-06-20
URL: CVE-2016-2177
Base Score Metrics:
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2016-2177
Release Date: 2016-06-20
Fix Resolution: openssl - 1.0.2.i-1;lib32-openssl - 1:1.0.2.i-1
The Web framework for perfectionists with deadlines.
Library home page: https://github.com/django/django.git
Found in HEAD commit: 8cd991d5c517f7c4db986d368921467ed43ddd02
Found in base branch: master
The core.urlresolvers.reverse function in Django before 1.4.14, 1.5.x before 1.5.9, 1.6.x before 1.6.6, and 1.7 before release candidate 3 does not properly validate URLs, which allows remote attackers to conduct phishing attacks via a // (slash slash) in a URL, which triggers a scheme-relative URL to be generated.
Publish Date: 2014-08-26
URL: CVE-2014-0480
Base Score Metrics:
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2014-0480
Release Date: 2014-08-26
Fix Resolution: 1.4.14,1.5.9,1.6.6,1.7.1
The SSLv2 protocol, as used in OpenSSL before 1.0.1s and 1.0.2 before 1.0.2g and other products, requires a server to send a ServerVerify message before establishing that a client possesses certain plaintext RSA data, which makes it easier for remote attackers to decrypt TLS ciphertext data by leveraging a Bleichenbacher RSA padding oracle, aka a "DROWN" attack.
Publish Date: 2016-03-01
URL: CVE-2016-0800
Base Score Metrics:
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2016-0800
Release Date: 2016-03-01
Fix Resolution: 1.0.1s,1.0.2g
The SSL protocol 3.0, as used in OpenSSL through 1.0.1i and other products, uses nondeterministic CBC padding, which makes it easier for man-in-the-middle attackers to obtain cleartext data via a padding-oracle attack, aka the "POODLE" issue.
Publish Date: 2014-10-15
URL: CVE-2014-3566
Base Score Metrics:
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2014-3566
Release Date: 2014-10-15
Fix Resolution: openssl - 1.0.2;openssl-android - 1.0.2
Node.js JavaScript runtime
Library home page: https://github.com/nodejs/node.git
Found in HEAD commit: 38c8615a6d0a047787b5e7401328782154ba03e4
* The source files were matched to this source library based on a best effort match. Source libraries are selected from a list of probable public libraries.
The ssl23_get_client_hello function in s23_srvr.c in OpenSSL 0.9.8zc, 1.0.0o, and 1.0.1j does not properly handle attempts to use unsupported protocols, which allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via an unexpected handshake, as demonstrated by an SSLv3 handshake to a no-ssl3 application with certain error handling. NOTE: this issue became relevant after the CVE-2014-3568 fix.
Publish Date: 2014-12-24
URL: CVE-2014-3569
Type: Upgrade version
Origin: http://www.securitytracker.com/id/1033378
Fix Resolution: HP has issued a fix (7.5.0).
The HP advisory is available at:
https://h20564.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c04765115
Library home page: git://git.code.sf.net/p/libpng-apng/code
Found in HEAD commit: 8cd991d5c517f7c4db986d368921467ed43ddd02
Found in base branch: master
The png_set_text_2 function in libpng 0.71 before 1.0.67, 1.2.x before 1.2.57, 1.4.x before 1.4.20, 1.5.x before 1.5.28, and 1.6.x before 1.6.27 allows context-dependent attackers to cause a NULL pointer dereference via vectors involving loading a text chunk into a png structure, removing the text, and then adding another text chunk to the structure.
Publish Date: 2017-01-30
URL: CVE-2016-10087
Base Score Metrics:
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2016-10087
Release Date: 2017-01-30
Fix Resolution: 1.0.67,1.2.57,1.4.20,1.5.28,1.6.27
OpenSSL through 1.0.2h incorrectly uses pointer arithmetic for heap-buffer boundary checks, which might allow remote attackers to cause a denial of service (integer overflow and application crash) or possibly have unspecified other impact by leveraging unexpected malloc behavior, related to s3_srvr.c, ssl_sess.c, and t1_lib.c.
Publish Date: 2016-06-20
URL: CVE-2016-2177
Base Score Metrics:
Type: Upgrade version
Origin: https://security.gentoo.org/glsa/201612-16
Release Date: 2016-12-07
Fix Resolution: All OpenSSL users should upgrade to the latest version >= openssl-1.0.2j
The Web framework for perfectionists with deadlines.
Library home page: https://github.com/django/django.git
Found in HEAD commit: 38c8615a6d0a047787b5e7401328782154ba03e4
* The source files were matched to this source library based on a best effort match. Source libraries are selected from a list of probable public libraries.
The (1) FilePathField, (2) GenericIPAddressField, and (3) IPAddressField model field classes in Django before 1.4.11, 1.5.x before 1.5.6, 1.6.x before 1.6.3, and 1.7.x before 1.7 beta 2 do not properly perform type conversion, which allows remote attackers to have unspecified impact and vectors, related to "MySQL typecasting."
Publish Date: 2014-04-23
URL: CVE-2014-0474
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2014-0474
Release Date: 2014-04-23
Fix Resolution: 1.4.11,1.5.6,1.6.3,1.7 beta 2
Node.js JavaScript runtime
Library home page: https://github.com/iojs/io.js.git
Found in HEAD commit: 38c8615a6d0a047787b5e7401328782154ba03e4
Found in base branch: master
ssl/s2_srvr.c in OpenSSL 1.0.1 before 1.0.1r and 1.0.2 before 1.0.2f does not prevent use of disabled ciphers, which makes it easier for man-in-the-middle attackers to defeat cryptographic protection mechanisms by performing computations on SSLv2 traffic, related to the get_client_master_key and get_client_hello functions.
Publish Date: 2016-02-15
URL: CVE-2015-3197
Base Score Metrics:
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2015-3197
Release Date: 2016-02-15
Fix Resolution: 1.0.1r,1.0.2f
Node.js JavaScript runtime
Library home page: https://github.com/iojs/io.js.git
Found in HEAD commit: 8cd991d5c517f7c4db986d368921467ed43ddd02
Found in base branch: master
Race condition in the ssl3_get_new_session_ticket function in ssl/s3_clnt.c in OpenSSL before 0.9.8zg, 1.0.0 before 1.0.0s, 1.0.1 before 1.0.1n, and 1.0.2 before 1.0.2b, when used for a multi-threaded client, allows remote attackers to cause a denial of service (double free and application crash) or possibly have unspecified other impact by providing a NewSessionTicket during an attempt to reuse a ticket that had been obtained earlier.
Publish Date: 2015-06-12
URL: CVE-2015-1791
Base Score Metrics:
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2015-1791
Release Date: 2015-06-12
Fix Resolution: 0.9.8zg,1.0.0s,1.0.1n,1.0.2b
The DTLS implementation in OpenSSL before 1.1.0 does not properly restrict the lifetime of queue entries associated with unused out-of-order messages, which allows remote attackers to cause a denial of service (memory consumption) by maintaining many crafted DTLS sessions simultaneously, related to d1_lib.c, statem_dtls.c, statem_lib.c, and statem_srvr.c.
Publish Date: 2016-09-16
URL: CVE-2016-2179
Base Score Metrics:
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2016-2179
Release Date: 2016-09-16
Fix Resolution: 1.1.0
The SSL protocol 3.0, as used in OpenSSL through 1.0.1i and other products, uses nondeterministic CBC padding, which makes it easier for man-in-the-middle attackers to obtain cleartext data via a padding-oracle attack, aka the "POODLE" issue.
Publish Date: 2014-10-15
URL: CVE-2014-3566
Base Score Metrics:
Type: Upgrade version
Origin: https://security.gentoo.org/glsa/201411-10
Release Date: 2014-11-23
Fix Resolution: All Asterisk users should upgrade to the latest version >= asterisk-11.13.1
The Web framework for perfectionists with deadlines.
Library home page: https://github.com/django/django.git
Found in HEAD commit: 8cd991d5c517f7c4db986d368921467ed43ddd02
Found in base branch: master
The (1) FilePathField, (2) GenericIPAddressField, and (3) IPAddressField model field classes in Django before 1.4.11, 1.5.x before 1.5.6, 1.6.x before 1.6.3, and 1.7.x before 1.7 beta 2 do not properly perform type conversion, which allows remote attackers to have unspecified impact and vectors, related to "MySQL typecasting."
Publish Date: 2014-04-23
URL: CVE-2014-0474
Base Score Metrics:
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2014-0474
Release Date: 2014-04-23
Fix Resolution: 1.4.11,1.5.6,1.6.3,1.7 beta 2
Node.js JavaScript runtime
Library home page: https://github.com/iojs/io.js.git
Found in HEAD commit: 8cd991d5c517f7c4db986d368921467ed43ddd02
Found in base branch: master
The dtls1_get_message_fragment function in d1_both.c in OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h allows remote attackers to cause a denial of service (recursion and client crash) via a DTLS hello message in an invalid DTLS handshake.
Publish Date: 2014-06-05
URL: CVE-2014-0221
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2014-0221
Release Date: 2014-06-05
Fix Resolution: 0.9.8za,1.0.0m,1.0.1h
The Web framework for perfectionists with deadlines.
Library home page: https://github.com/django/django.git
Found in HEAD commit: 38c8615a6d0a047787b5e7401328782154ba03e4
* The source files were matched to this source library based on a best effort match. Source libraries are selected from a list of probable public libraries.
The django.core.urlresolvers.reverse function in Django before 1.4.11, 1.5.x before 1.5.6, 1.6.x before 1.6.3, and 1.7.x before 1.7 beta 2 allows remote attackers to import and execute arbitrary Python modules by leveraging a view that constructs URLs using user input and a "dotted Python path."
Publish Date: 2014-04-23
URL: CVE-2014-0472
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2014-0472
Release Date: 2014-04-23
Fix Resolution: 1.4.11,1.5.6,1.6.3,1.7 beta 2
Node.js JavaScript runtime ✨🐢🚀✨
Library home page: https://github.com/nodejs/node.git
Found in HEAD commit: 38c8615a6d0a047787b5e7401328782154ba03e4
* The source files were matched to this source library based on a best effort match. Source libraries are selected from a list of probable public libraries.
Versions of is-my-json-valid before 1.4.1 or 2.17.2 are vulnerable to regular expression denial of service (ReDoS) via the email validation function.
Publish Date: 2018-04-21
URL: WS-2018-0069
Type: Upgrade version
Origin: https://nodesecurity.io/advisories/572
Release Date: 2018-01-24
Fix Resolution: 1.4.1
Node.js JavaScript runtime ✨🐢🚀✨
Library home page: https://github.com/iojs/io.js.git
Found in HEAD commit: 8cd991d5c517f7c4db986d368921467ed43ddd02
Found in base branch: master
The ssl23_get_client_hello function in s23_srvr.c in OpenSSL 0.9.8zc, 1.0.0o, and 1.0.1j does not properly handle attempts to use unsupported protocols, which allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via an unexpected handshake, as demonstrated by an SSLv3 handshake to a no-ssl3 application with certain error handling. NOTE: this issue became relevant after the CVE-2014-3568 fix.
Publish Date: 2014-12-24
URL: CVE-2014-3569
Type: Upgrade version
Origin: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3569
Release Date: 2014-12-24
Fix Resolution: OpenSSL_1_0_2a
The Web framework for perfectionists with deadlines.
Library home page: https://github.com/django/django.git
Found in HEAD commit: 8cd991d5c517f7c4db986d368921467ed43ddd02
Found in base branch: master
The caching framework in Django before 1.4.11, 1.5.x before 1.5.6, 1.6.x before 1.6.3, and 1.7.x before 1.7 beta 2 reuses a cached CSRF token for all anonymous users, which allows remote attackers to bypass CSRF protections by reading the CSRF cookie for anonymous users.
Publish Date: 2014-04-23
URL: CVE-2014-0473
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2014-0473
Release Date: 2014-04-23
Fix Resolution: 1.4.11,1.5.6,1.6.3,1.7 beta 2
The Web framework for perfectionists with deadlines.
Library home page: https://github.com/django/django.git
Found in HEAD commit: 38c8615a6d0a047787b5e7401328782154ba03e4
* The source files were matched to this source library based on a best effort match. Source libraries are selected from a list of probable public libraries.
The contrib.auth.middleware.RemoteUserMiddleware middleware in Django before 1.4.14, 1.5.x before 1.5.9, 1.6.x before 1.6.6, and 1.7 before release candidate 3, when using the contrib.auth.backends.RemoteUserBackend backend, allows remote authenticated users to hijack web sessions via vectors related to the REMOTE_USER header.
Publish Date: 2014-08-26
URL: CVE-2014-0482
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2014-0482
Release Date: 2014-08-26
Fix Resolution: 1.4.14,1.5.9,1.6.6,1.7.1
Node.js JavaScript runtime ✨🐢🚀✨
Library home page: https://github.com/nodejs/node.git
Found in HEAD commit: 38c8615a6d0a047787b5e7401328782154ba03e4
* The source files were matched to this source library based on a best effort match. Source libraries are selected from a list of probable public libraries.
An oracle protection mechanism in the get_client_master_key function in s2_srvr.c in the SSLv2 implementation in OpenSSL before 0.9.8zf, 1.0.0 before 1.0.0r, 1.0.1 before 1.0.1m, and 1.0.2 before 1.0.2a overwrites incorrect MASTER-KEY bytes during use of export cipher suites, which makes it easier for remote attackers to decrypt TLS ciphertext data by leveraging a Bleichenbacher RSA padding oracle, a related issue to CVE-2016-0800.
Publish Date: 2016-03-02
URL: CVE-2016-0704
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2016-0704
Release Date: 2016-03-02
Fix Resolution: 0.9.8zf,1.0.0r,1.0.1m,1.0.2a
Node.js JavaScript runtime ✨🐢🚀✨
Library home page: https://github.com/iojs/io.js.git
Found in HEAD commit: 8cd991d5c517f7c4db986d368921467ed43ddd02
Found in base branch: master
Memory leak in d1_both.c in the DTLS implementation in OpenSSL 0.9.8 before 0.9.8zb, 1.0.0 before 1.0.0n, and 1.0.1 before 1.0.1i allows remote attackers to cause a denial of service (memory consumption) via zero-length DTLS fragments that trigger improper handling of the return value of a certain insert function.
Publish Date: 2014-08-13
URL: CVE-2014-3507
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2014-3507
Release Date: 2014-08-13
Fix Resolution: 0.9.8zb,1.0.0n,1.0.1i