Giter Club home page Giter Club logo

realogy-1's People

realogy-1's Issues

WS-2018-0210 Low Severity Vulnerability detected by WhiteSource

WS-2018-0210 - Low Severity Vulnerability

Vulnerable Library - lodash-1.0.2.tgz

A utility library delivering consistency, customization, performance, and extras.

path: /tmp/git/realogy-1/node_modules/lodash/package.json

Library home page: http://registry.npmjs.org/lodash/-/lodash-1.0.2.tgz

Dependency Hierarchy:

  • gulp-3.9.1.tgz (Root Library)
    • vinyl-fs-0.3.14.tgz
      • glob-watcher-0.0.6.tgz
        • gaze-0.5.2.tgz
          • globule-0.1.0.tgz
            • lodash-1.0.2.tgz (Vulnerable Library)

Vulnerability Details

In the node_module "lodash" before version 4.17.11 the functions merge, mergeWith, and defaultsDeep can be tricked into adding or modifying properties of the Object prototype. These properties will be present on all objects.

Publish Date: 2018-11-25

URL: WS-2018-0210

CVSS 2 Score Details (3.5)

Base Score Metrics not available

Suggested Fix

Type: Change files

Origin: lodash/lodash@90e6199

Release Date: 2018-08-31

Fix Resolution: Replace or update the following files: lodash.js, test.js

Step up your Open Source Security Game with WhiteSource here

CVE-2018-16487 High Severity Vulnerability detected by WhiteSource

CVE-2018-16487 - High Severity Vulnerability

Vulnerable Library - lodash-1.0.2.tgz

A utility library delivering consistency, customization, performance, and extras.

path: /tmp/git/realogy-1/node_modules/lodash/package.json

Library home page: http://registry.npmjs.org/lodash/-/lodash-1.0.2.tgz

Dependency Hierarchy:

  • gulp-3.9.1.tgz (Root Library)
    • vinyl-fs-0.3.14.tgz
      • glob-watcher-0.0.6.tgz
        • gaze-0.5.2.tgz
          • globule-0.1.0.tgz
            • lodash-1.0.2.tgz (Vulnerable Library)

Vulnerability Details

A prototype pollution vulnerability was found in lodash <4.17.11 where the functions merge, mergeWith, and defaultsDeep can be tricked into adding or modifying properties of Object.prototype.

Publish Date: 2019-02-01

URL: CVE-2018-16487

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-16487

Release Date: 2019-02-01

Fix Resolution: 4.17.11

Step up your Open Source Security Game with WhiteSource here

CVE-2016-10540 High Severity Vulnerability detected by WhiteSource

CVE-2016-10540 - High Severity Vulnerability

Vulnerable Libraries - minimatch-2.0.10.tgz, minimatch-0.2.14.tgz

minimatch-2.0.10.tgz

a glob matcher in javascript

path: /tmp/git/realogy-1/node_modules/minimatch/package.json

Library home page: http://registry.npmjs.org/minimatch/-/minimatch-2.0.10.tgz

Dependency Hierarchy:

  • gulp-3.9.1.tgz (Root Library)
    • vinyl-fs-0.3.14.tgz
      • glob-stream-3.1.18.tgz
        • minimatch-2.0.10.tgz (Vulnerable Library)
minimatch-0.2.14.tgz

a glob matcher in javascript

path: /tmp/git/realogy-1/node_modules/globule/node_modules/minimatch/package.json

Library home page: http://registry.npmjs.org/minimatch/-/minimatch-0.2.14.tgz

Dependency Hierarchy:

  • gulp-3.9.1.tgz (Root Library)
    • vinyl-fs-0.3.14.tgz
      • glob-watcher-0.0.6.tgz
        • gaze-0.5.2.tgz
          • globule-0.1.0.tgz
            • minimatch-0.2.14.tgz (Vulnerable Library)

Vulnerability Details

Minimatch is a minimal matching utility that works by converting glob expressions into JavaScript RegExp objects. The primary function, minimatch(path, pattern) in Minimatch 3.0.1 and earlier is vulnerable to ReDoS in the pattern parameter.

Publish Date: 2018-05-31

URL: CVE-2016-10540

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nodesecurity.io/advisories/118

Release Date: 2016-06-20

Fix Resolution: Update to version 3.0.2 or later.

Step up your Open Source Security Game with WhiteSource here

CVE-2018-3721 Medium Severity Vulnerability detected by WhiteSource

CVE-2018-3721 - Medium Severity Vulnerability

Vulnerable Library - lodash-1.0.2.tgz

A utility library delivering consistency, customization, performance, and extras.

path: /tmp/git/realogy-1/node_modules/lodash/package.json

Library home page: http://registry.npmjs.org/lodash/-/lodash-1.0.2.tgz

Dependency Hierarchy:

  • gulp-3.9.1.tgz (Root Library)
    • vinyl-fs-0.3.14.tgz
      • glob-watcher-0.0.6.tgz
        • gaze-0.5.2.tgz
          • globule-0.1.0.tgz
            • lodash-1.0.2.tgz (Vulnerable Library)

Vulnerability Details

lodash node module before 4.17.5 suffers from a Modification of Assumed-Immutable Data (MAID) vulnerability via defaultsDeep, merge, and mergeWith functions, which allows a malicious user to modify the prototype of "Object" via proto, causing the addition or modification of an existing property that will exist on all objects.

Publish Date: 2018-06-07

URL: CVE-2018-3721

CVSS 3 Score Details (6.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: High
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2018-3721

Release Date: 2018-06-07

Fix Resolution: 4.17.5

Step up your Open Source Security Game with WhiteSource here

WS-2018-0076 Medium Severity Vulnerability detected by WhiteSource

WS-2018-0076 - Medium Severity Vulnerability

Vulnerable Library - tunnel-agent-0.4.3.tgz

HTTP proxy tunneling agent. Formerly part of mikeal/request, now a standalone module.

path: /tmp/git/realogy-1/node_modules/tunnel-agent/package.json

Library home page: https://registry.npmjs.org/tunnel-agent/-/tunnel-agent-0.4.3.tgz

Dependency Hierarchy:

  • gulp-imagemin-3.4.0.tgz (Root Library)
    • imagemin-gifsicle-5.2.0.tgz
      • gifsicle-3.0.4.tgz
        • bin-build-2.2.0.tgz
          • download-4.4.3.tgz
            • caw-1.2.0.tgz
              • tunnel-agent-0.4.3.tgz (Vulnerable Library)

Vulnerability Details

Versions of tunnel-agent before 0.6.0 are vulnerable to memory exposure.

This is exploitable if user supplied input is provided to the auth value and is a number.

Publish Date: 2018-04-25

URL: WS-2018-0076

CVSS 2 Score Details (5.0)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: https://nodesecurity.io/advisories/598

Release Date: 2018-01-27

Fix Resolution: 0.6.0

Step up your Open Source Security Game with WhiteSource here

WS-2019-0019 Medium Severity Vulnerability detected by WhiteSource

WS-2019-0019 - Medium Severity Vulnerability

Vulnerable Library - braces-1.8.5.tgz

Fastest brace expansion for node.js, with the most complete support for the Bash 4.3 braces specification.

path: /tmp/git/realogy-1/node_modules/decompress/node_modules/braces/package.json

Library home page: https://registry.npmjs.org/braces/-/braces-1.8.5.tgz

Dependency Hierarchy:

  • gulp-imagemin-3.4.0.tgz (Root Library)
    • imagemin-gifsicle-5.2.0.tgz
      • gifsicle-3.0.4.tgz
        • bin-build-2.2.0.tgz
          • decompress-3.0.0.tgz
            • vinyl-fs-2.4.4.tgz
              • glob-stream-5.3.5.tgz
                • micromatch-2.3.11.tgz
                  • braces-1.8.5.tgz (Vulnerable Library)

Vulnerability Details

Version of braces prior to 2.3.1 are vulnerable to Regular Expression Denial of Service (ReDoS). Untrusted input may cause catastrophic backtracking while matching regular expressions. This can cause the application to be unresponsive leading to Denial of Service.

Publish Date: 2019-02-21

URL: WS-2019-0019

CVSS 2 Score Details (5.0)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/786

Release Date: 2019-02-21

Fix Resolution: 2.3.1

Step up your Open Source Security Game with WhiteSource here

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. 📊📈🎉

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google ❤️ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.