Vulnerable Library - lodash-4.17.4.tgz

Lodash modular utilities.

path: /tmp/git/vue-sample/app/node_modules/lodash/package.json

Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.4.tgz

Dependency Hierarchy:

• babel-core-6.26.0.tgz (Root Library)
  • ❌ lodash-4.17.4.tgz (Vulnerable Library)

Vulnerability Details

In the node_module "lodash" before version 4.17.11 the functions merge, mergeWith, and defaultsDeep can be tricked into adding or modifying properties of the Object prototype. These properties will be present on all objects.

Publish Date: 2018-11-25

URL: WS-2018-0210

CVSS 2 Score Details (3.5)

Base Score Metrics not available

Suggested Fix

Type: Change files

Origin: lodash/lodash@90e6199

Release Date: 2018-08-31

Fix Resolution: Replace or update the following files: lodash.js, test.js

Vulnerable Library - randomatic-1.1.7.tgz

Generate randomized strings of a specified length, fast. Only the length is necessary, but you can optionally generate patterns using any combination of numeric, alpha-numeric, alphabetical, special or custom characters.

path: /tmp/git/vue-sample/app/node_modules/randomatic/package.json

Library home page: https://registry.npmjs.org/randomatic/-/randomatic-1.1.7.tgz

Dependency Hierarchy:

• webpack-dev-server-2.9.7.tgz (Root Library)
  • http-proxy-middleware-0.17.4.tgz
    • micromatch-2.3.11.tgz
      • braces-1.8.5.tgz
        • expand-range-1.8.2.tgz
          • fill-range-2.2.3.tgz
            • ❌ randomatic-1.1.7.tgz (Vulnerable Library)

Vulnerability Details

react-native-meteor-oauth is a library for Oauth2 login to a Meteor server in React Native. The oauth Random Token is generated using a non-cryptographically strong RNG (Math.random()).

Publish Date: 2018-06-04

URL: CVE-2017-16028

CVSS 3 Score Details (5.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: None
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://nodesecurity.io/advisories/157

Release Date: 2017-04-14

Fix Resolution: Update to version 3.0.0 or later.

Vulnerability Details

Incorrect parsing in url-parse <1.4.3 returns wrong hostname which leads to multiple vulnerabilities such as SSRF, Open Redirect, Bypass Authentication Protocol.

Publish Date: 2018-08-12

URL: CVE-2018-3774

CVSS 3 Score Details (10.0)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Change files

Origin: unshiftio/url-parse@53b1794#diff-168726dbe96b3ce427e7fedce31bb0bc

Release Date: 2018-07-29

Fix Resolution: Replace or update the following files: index.js, test.js

Vulnerable Library - macaddress-0.2.8.tgz

Get the MAC addresses (hardware addresses) of the hosts network interfaces.

path: /tmp/git/vue-sample/app/node_modules/macaddress/package.json

Library home page: http://registry.npmjs.org/macaddress/-/macaddress-0.2.8.tgz

Dependency Hierarchy:

• css-loader-0.28.7.tgz (Root Library)
  • cssnano-3.10.0.tgz
    • postcss-filter-plugins-2.0.2.tgz
      • uniqid-4.1.1.tgz
        • ❌ macaddress-0.2.8.tgz (Vulnerable Library)

Vulnerability Details

All versions of macaddress are vulnerable to command injection. For this vulnerability to be exploited an attacker needs to control the iface argument to the one method.

Publish Date: 2018-05-16

URL: WS-2018-0113

CVSS 2 Score Details (10.0)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: https://nodesecurity.io/advisories/654

Release Date: 2018-05-16

Fix Resolution: No fix is currently available for this vulnerability. It is our recommendation to not install or use this module until a fix is provided.

Vulnerable Library - lodash-4.17.4.tgz

Lodash modular utilities.

path: /tmp/git/vue-sample/app/node_modules/lodash/package.json

Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.4.tgz

Dependency Hierarchy:

• babel-core-6.26.0.tgz (Root Library)
  • ❌ lodash-4.17.4.tgz (Vulnerable Library)

Vulnerability Details

lodash node module before 4.17.5 suffers from a Modification of Assumed-Immutable Data (MAID) vulnerability via defaultsDeep, merge, and mergeWith functions, which allows a malicious user to modify the prototype of "Object" via proto, causing the addition or modification of an existing property that will exist on all objects.

Publish Date: 2018-06-07

URL: CVE-2018-3721

CVSS 3 Score Details (6.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: High
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-3721

Fix Resolution: Upgrade to version lodash 4.17.5 or greater

Vulnerable Library - macaddress-0.2.8.tgz

Get the MAC addresses (hardware addresses) of the hosts network interfaces.

path: /tmp/git/vue-sample/app/node_modules/macaddress/package.json

Library home page: http://registry.npmjs.org/macaddress/-/macaddress-0.2.8.tgz

Dependency Hierarchy:

• css-loader-0.28.7.tgz (Root Library)
  • cssnano-3.10.0.tgz
    • postcss-filter-plugins-2.0.2.tgz
      • uniqid-4.1.1.tgz
        • ❌ macaddress-0.2.8.tgz (Vulnerable Library)

Vulnerability Details

The macaddress module before 0.2.9 for Node.js is prone to an arbitrary command injection flaw, due to allowing unsanitized input to an exec (rather than execFile) call.

Publish Date: 2018-07-10

URL: CVE-2018-13797

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Change files

Origin: scravy/node-macaddress@358fd59

Release Date: 2018-06-23

Fix Resolution: Replace or update the following files: windows.js, unix.js, .travis.yml, macosx.js, package.json, linux.js