osgirl / uw-lib-callcontrol Goto Github PK

Vulnerable Library - netdatav1.5.0

Real-time performance monitoring, done right! https://my-netdata.io/

Library home page: https://github.com/netdata/netdata.git

Library Source Files (16)

* The source files were matched to this source library based on a best effort match. Source libraries are selected from a list of probable public libraries.

• /uw-lib-callcontrol/node_modules/jxLoader/node_modules/js-yaml/support/pyyaml-src/emitter.py
• /uw-lib-callcontrol/node_modules/jxLoader/node_modules/js-yaml/support/pyyaml-src/error.py
• /uw-lib-callcontrol/node_modules/jxLoader/node_modules/js-yaml/support/pyyaml-src/reader.py
• /uw-lib-callcontrol/node_modules/jxLoader/node_modules/js-yaml/support/pyyaml-src/serializer.py
• /uw-lib-callcontrol/node_modules/jxLoader/node_modules/js-yaml/support/pyyaml-src/dumper.py
• /uw-lib-callcontrol/node_modules/jxLoader/node_modules/js-yaml/support/pyyaml-src/constructor.py
• /uw-lib-callcontrol/node_modules/jxLoader/node_modules/js-yaml/support/pyyaml-src/tokens.py
• /uw-lib-callcontrol/node_modules/jxLoader/node_modules/js-yaml/support/pyyaml-src/resolver.py
• /uw-lib-callcontrol/node_modules/jxLoader/node_modules/js-yaml/support/pyyaml-src/representer.py
• /uw-lib-callcontrol/node_modules/jxLoader/node_modules/js-yaml/support/pyyaml-src/events.py
• /uw-lib-callcontrol/node_modules/jxLoader/node_modules/js-yaml/support/pyyaml-src/nodes.py
• /uw-lib-callcontrol/node_modules/jxLoader/node_modules/js-yaml/support/pyyaml-src/composer.py
• /uw-lib-callcontrol/node_modules/jxLoader/node_modules/js-yaml/support/pyyaml-src/loader.py
• /uw-lib-callcontrol/node_modules/jxLoader/node_modules/js-yaml/support/pyyaml-src/cyaml.py
• /uw-lib-callcontrol/node_modules/jxLoader/node_modules/js-yaml/support/pyyaml-src/scanner.py
• /uw-lib-callcontrol/node_modules/jxLoader/node_modules/js-yaml/support/pyyaml-src/parser.py

Vulnerability Details

In PyYAML before 4.1, the yaml.load() API could execute arbitrary code. In other words, yaml.safe_load is not used.

Publish Date: 2018-06-27

URL: CVE-2017-18342

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2017-18342

Release Date: 2018-06-27

Fix Resolution: 4.1

Vulnerable Library - uglify-js-1.3.5.tgz

JavaScript parser and compressor/beautifier toolkit

path: /tmp/git/uw-lib-callcontrol/node_modules/build/node_modules/uglify-js/package.json

Library home page: http://registry.npmjs.org/uglify-js/-/uglify-js-1.3.5.tgz

Dependency Hierarchy:

• sinon-3.3.0.tgz (Root Library)
  • build-0.1.4.tgz
    • ❌ uglify-js-1.3.5.tgz (Vulnerable Library)

Vulnerability Details

UglifyJS versions 2.4.23 and earlier are affected by a vulnerability which allows a specially crafted Javascript file to have altered functionality after minification.

Publish Date: 2015-08-24

URL: WS-2015-0024

CVSS 2 Score Details (8.3)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: mishoo/UglifyJS@905b601

Release Date: 2017-01-31

Fix Resolution: v2.4.24

Vulnerable Library - timespan-2.3.0.tgz

A JavaScript TimeSpan library for node.js (and soon the browser)

path: /tmp/git/uw-lib-callcontrol/node_modules/timespan/package.json

Library home page: http://registry.npmjs.org/timespan/-/timespan-2.3.0.tgz

Dependency Hierarchy:

• sinon-3.3.0.tgz (Root Library)
  • build-0.1.4.tgz
    • ❌ timespan-2.3.0.tgz (Vulnerable Library)

Vulnerability Details

The timespan module is vulnerable to regular expression denial of service. Given 50k characters of untrusted user input it will block the event loop for around 10 seconds.

Publish Date: 2018-06-07

URL: CVE-2017-16115

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Vulnerable Library - uglify-js-1.3.5.tgz

JavaScript parser and compressor/beautifier toolkit

path: /tmp/git/uw-lib-callcontrol/node_modules/build/node_modules/uglify-js/package.json

Library home page: http://registry.npmjs.org/uglify-js/-/uglify-js-1.3.5.tgz

Dependency Hierarchy:

• sinon-3.3.0.tgz (Root Library)
  • build-0.1.4.tgz
    • ❌ uglify-js-1.3.5.tgz (Vulnerable Library)

Vulnerability Details

Uglify-js is vulnerable to regular expression denial of service (ReDoS) when certain types of input is passed into .parse().

Publish Date: 2015-10-24

URL: WS-2015-0017

CVSS 2 Score Details (5.3)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: https://nodesecurity.io/advisories/48

Release Date: 2015-10-24

Fix Resolution: Update to version 2.6.0 or later

Vulnerable Library - js-yaml-0.3.7.tgz

YAML 1.1 Parser

path: /tmp/git/uw-lib-callcontrol/node_modules/jxLoader/node_modules/js-yaml/package.json

Library home page: http://registry.npmjs.org/js-yaml/-/js-yaml-0.3.7.tgz

Dependency Hierarchy:

• sinon-3.3.0.tgz (Root Library)
  • build-0.1.4.tgz
    • jxLoader-0.1.1.tgz
      • ❌ js-yaml-0.3.7.tgz (Vulnerable Library)

Vulnerability Details

The JS-YAML module before 2.0.5 for Node.js parses input without properly considering the unsafe !!js/function tag, which allows remote attackers to execute arbitrary code via a crafted string that triggers an eval operation.

Publish Date: 2013-06-28

URL: CVE-2013-4660

CVSS 2 Score Details (6.8)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2013-4660

Release Date: 2013-06-28

Fix Resolution: 2.0.5

Vulnerable Library - uglify-js-1.3.5.tgz

JavaScript parser and compressor/beautifier toolkit

path: /tmp/git/uw-lib-callcontrol/node_modules/build/node_modules/uglify-js/package.json

Library home page: http://registry.npmjs.org/uglify-js/-/uglify-js-1.3.5.tgz

Dependency Hierarchy:

• sinon-3.3.0.tgz (Root Library)
  • build-0.1.4.tgz
    • ❌ uglify-js-1.3.5.tgz (Vulnerable Library)

Vulnerability Details

The uglify-js package before 2.6.0 for Node.js allows attackers to cause a denial of service (CPU consumption) via crafted input in a parse call, aka a "regular expression denial of service (ReDoS)."

Publish Date: 2017-01-23

URL: CVE-2015-8858

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8858

Release Date: 2018-12-15

Fix Resolution: v2.6.0

Vulnerable Library - uglify-js-1.3.5.tgz

JavaScript parser and compressor/beautifier toolkit

path: /tmp/git/uw-lib-callcontrol/node_modules/build/node_modules/uglify-js/package.json

Library home page: http://registry.npmjs.org/uglify-js/-/uglify-js-1.3.5.tgz

Dependency Hierarchy:

• sinon-3.3.0.tgz (Root Library)
  • build-0.1.4.tgz
    • ❌ uglify-js-1.3.5.tgz (Vulnerable Library)

Vulnerability Details

The uglify-js package before 2.4.24 for Node.js does not properly account for non-boolean values when rewriting boolean expressions, which might allow attackers to bypass security mechanisms or possibly have unspecified other impact by leveraging improperly rewritten Javascript.

Publish Date: 2017-01-23

URL: CVE-2015-8857

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8858

Release Date: 2018-12-15

Fix Resolution: v2.4.24

Vulnerable Library - braces-1.8.5.tgz

Fastest brace expansion for node.js, with the most complete support for the Bash 4.3 braces specification.

path: /tmp/git/uw-lib-callcontrol/node_modules/braces/package.json

Library home page: https://registry.npmjs.org/braces/-/braces-1.8.5.tgz

Dependency Hierarchy:

• jest-20.0.4.tgz (Root Library)
  • jest-cli-20.0.4.tgz
    • micromatch-2.3.11.tgz
      • ❌ braces-1.8.5.tgz (Vulnerable Library)

Vulnerability Details

Version of braces prior to 2.3.1 are vulnerable to Regular Expression Denial of Service (ReDoS). Untrusted input may cause catastrophic backtracking while matching regular expressions. This can cause the application to be unresponsive leading to Denial of Service.

Publish Date: 2019-02-21

URL: WS-2019-0019

CVSS 2 Score Details (5.0)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/786

Release Date: 2019-02-21

Fix Resolution: 2.3.1