Giter Club home page Giter Club logo

gor-cak's Introduction

Weedmaps Scraper Module for Nest

Scrapes every strain on Weedmaps and helps you organize by price and location.

Requirements

  • MongoDB up and running
  • Node

Installation

git clone https://github.com/dsalehipour/nest-weedmaps.git
cd nest-weedmaps
npm install

Also, make sure MongoDB is up and running. See Install MongoDB.

Usage

  1. Scrape Weedmaps by running node index.js

What's happening?

After running index.js, the workers (scraper bots) will go to the strains directory, scrape the 40 strains in the grid, store those scraped items in the database, and queue scraping jobs to those strains by their href. Then, it will paginate and scrape the next page of the strains directory.

Meanwhile, the other workers will pick the jobs in the queue, scrape the strain pages, and update the strain in the database by their href.

Try looking at the scraped data using mongo's native REPL:

mongo nest
> db.items.count()
> db.items.find().pretty()

Have fun.

gor-cak's People

Contributors

q0323 avatar dependabot[bot] avatar mend-bolt-for-github[bot] avatar

Stargazers

avatar

Watchers

avatar

gor-cak's Issues

CVE-2021-3807 (High) detected in ansi-regex-3.0.0.tgz

CVE-2021-3807 - High Severity Vulnerability

Vulnerable Library - ansi-regex-3.0.0.tgz

Regular expression for matching ANSI escape codes

Library home page: https://registry.npmjs.org/ansi-regex/-/ansi-regex-3.0.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/table/node_modules/ansi-regex/package.json

Dependency Hierarchy:

  • eslint-3.19.0.tgz (Root Library)
    • table-3.8.3.tgz
      • string-width-2.1.1.tgz
        • strip-ansi-4.0.0.tgz
          • ansi-regex-3.0.0.tgz (Vulnerable Library)

Found in base branch: master

Vulnerability Details

ansi-regex is vulnerable to Inefficient Regular Expression Complexity

Publish Date: 2021-09-17

URL: CVE-2021-3807

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://huntr.dev/bounties/5b3cf33b-ede0-4398-9974-800876dfd994/

Release Date: 2021-09-17

Fix Resolution (ansi-regex): 3.0.1

Direct dependency fix Resolution (eslint): 4.0.0

Step up your Open Source Security Game with Mend here

CVE-2021-23337 (High) detected in lodash-4.17.20.tgz

CVE-2021-23337 - High Severity Vulnerability

Vulnerable Library - lodash-4.17.20.tgz

Lodash modular utilities.

Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.20.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/lodash/package.json

Dependency Hierarchy:

  • eslint-3.19.0.tgz (Root Library)
    • lodash-4.17.20.tgz (Vulnerable Library)

Found in base branch: master

Vulnerability Details

Lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function.

Publish Date: 2021-02-15

URL: CVE-2021-23337

CVSS 3 Score Details (7.2)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: High
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-35jh-r3h4-6jhm

Release Date: 2021-02-15

Fix Resolution (lodash): 4.17.21

Direct dependency fix Resolution (eslint): 4.0.0

Step up your Open Source Security Game with Mend here

CVE-2022-24999 (High) detected in qs-6.5.2.tgz

CVE-2022-24999 - High Severity Vulnerability

Vulnerable Library - qs-6.5.2.tgz

A querystring parser that supports nesting and arrays, with a depth limit

Library home page: https://registry.npmjs.org/qs/-/qs-6.5.2.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/qs/package.json

Dependency Hierarchy:

  • node-nest-0.7.5.tgz (Root Library)
    • phantom-4.0.12.tgz
      • phantomjs-prebuilt-2.1.16.tgz
        • request-2.88.2.tgz
          • qs-6.5.2.tgz (Vulnerable Library)

Found in base branch: master

Vulnerability Details

qs before 6.10.3, as used in Express before 4.17.3 and other products, allows attackers to cause a Node process hang for an Express application because an __ proto__ key can be used. In many typical Express use cases, an unauthenticated remote attacker can place the attack payload in the query string of the URL that is used to visit the application, such as a[proto]=b&a[proto]&a[length]=100000000. The fix was backported to qs 6.9.7, 6.8.3, 6.7.3, 6.6.1, 6.5.3, 6.4.1, 6.3.3, and 6.2.4 (and therefore Express 4.17.3, which has "deps: [email protected]" in its release description, is not vulnerable).

Publish Date: 2022-11-26

URL: CVE-2022-24999

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2022-24999

Release Date: 2022-11-26

Fix Resolution (qs): 6.5.3

Direct dependency fix Resolution (node-nest): 0.8.0

Step up your Open Source Security Game with Mend here

CVE-2021-23566 (Medium) detected in nanoid-2.1.11.tgz - autoclosed

CVE-2021-23566 - Medium Severity Vulnerability

Vulnerable Library - nanoid-2.1.11.tgz

A tiny (119 bytes), secure URL-friendly unique string ID generator

Library home page: https://registry.npmjs.org/nanoid/-/nanoid-2.1.11.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/nanoid/package.json

Dependency Hierarchy:

  • node-nest-0.7.5.tgz (Root Library)
    • shortid-2.2.16.tgz
      • nanoid-2.1.11.tgz (Vulnerable Library)

Found in base branch: master

Vulnerability Details

The package nanoid before 3.1.31 are vulnerable to Information Exposure via the valueOf() function which allows to reproduce the last id generated.

Publish Date: 2022-01-14

URL: CVE-2021-23566

CVSS 3 Score Details (5.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23566

Release Date: 2022-01-14

Fix Resolution: nanoid - 3.1.31

Step up your Open Source Security Game with WhiteSource here

CVE-2020-15366 (Medium) detected in ajv-4.11.8.tgz

CVE-2020-15366 - Medium Severity Vulnerability

Vulnerable Library - ajv-4.11.8.tgz

Another JSON Schema Validator

Library home page: https://registry.npmjs.org/ajv/-/ajv-4.11.8.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/table/node_modules/ajv/package.json

Dependency Hierarchy:

  • eslint-3.19.0.tgz (Root Library)
    • table-3.8.3.tgz
      • ajv-4.11.8.tgz (Vulnerable Library)

Found in HEAD commit: 39dae4a34eda0bd4a8311e76dfcb3ea96b0650f4

Found in base branch: master

Vulnerability Details

An issue was discovered in ajv.validate() in Ajv (aka Another JSON Schema Validator) 6.12.2. A carefully crafted JSON schema could be provided that allows execution of other code by prototype pollution. (While untrusted schemas are recommended against, the worst case of an untrusted schema should be a denial of service, not execution of code.)

Publish Date: 2020-07-15

URL: CVE-2020-15366

CVSS 3 Score Details (5.6)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2020-07-15

Fix Resolution (ajv): 6.12.3

Direct dependency fix Resolution (eslint): 4.0.0

Step up your Open Source Security Game with Mend here

CVE-2020-28500 (Medium) detected in lodash-4.17.20.tgz

CVE-2020-28500 - Medium Severity Vulnerability

Vulnerable Library - lodash-4.17.20.tgz

Lodash modular utilities.

Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.20.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/lodash/package.json

Dependency Hierarchy:

  • eslint-3.19.0.tgz (Root Library)
    • lodash-4.17.20.tgz (Vulnerable Library)

Found in base branch: master

Vulnerability Details

Lodash versions prior to 4.17.21 are vulnerable to Regular Expression Denial of Service (ReDoS) via the toNumber, trim and trimEnd functions.

Publish Date: 2021-02-15

URL: CVE-2020-28500

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28500

Release Date: 2021-02-15

Fix Resolution (lodash): 4.17.21

Direct dependency fix Resolution (eslint): 4.0.0

Step up your Open Source Security Game with Mend here

WS-2018-0347 (Medium) detected in eslint-3.19.0.tgz

WS-2018-0347 - Medium Severity Vulnerability

Vulnerable Library - eslint-3.19.0.tgz

An AST-based pattern checker for JavaScript.

Library home page: https://registry.npmjs.org/eslint/-/eslint-3.19.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/eslint/package.json

Dependency Hierarchy:

  • eslint-3.19.0.tgz (Vulnerable Library)

Found in HEAD commit: 39dae4a34eda0bd4a8311e76dfcb3ea96b0650f4

Found in base branch: master

Vulnerability Details

A vulnerability was descovered in eslint before 4.18.2. One of the regexes in eslint is vulnerable to catastrophic backtracking.

Publish Date: 2018-02-27

URL: WS-2018-0347

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2018-02-27

Fix Resolution: 4.18.2

Step up your Open Source Security Game with Mend here

CVE-2023-26115 (High) detected in word-wrap-1.2.3.tgz

CVE-2023-26115 - High Severity Vulnerability

Vulnerable Library - word-wrap-1.2.3.tgz

Wrap words to a specified length.

Library home page: https://registry.npmjs.org/word-wrap/-/word-wrap-1.2.3.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/word-wrap/package.json

Dependency Hierarchy:

  • eslint-3.19.0.tgz (Root Library)
    • optionator-0.8.3.tgz
      • word-wrap-1.2.3.tgz (Vulnerable Library)

Found in HEAD commit: 39dae4a34eda0bd4a8311e76dfcb3ea96b0650f4

Found in base branch: master

Vulnerability Details

All versions of the package word-wrap are vulnerable to Regular Expression Denial of Service (ReDoS) due to the usage of an insecure regular expression within the result variable.

Publish Date: 2023-06-22

URL: CVE-2023-26115

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-j8xg-fqg3-53r7

Release Date: 2023-06-22

Fix Resolution: word-wrap - 1.2.4

Step up your Open Source Security Game with Mend here

WS-2019-0311 (Medium) detected in mongodb-2.2.34.tgz

WS-2019-0311 - Medium Severity Vulnerability

Vulnerable Library - mongodb-2.2.34.tgz

The official MongoDB driver for Node.js

Library home page: https://registry.npmjs.org/mongodb/-/mongodb-2.2.34.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/mongodb/package.json

Dependency Hierarchy:

  • node-nest-0.7.5.tgz (Root Library)
    • mongoose-4.13.21.tgz
      • mongodb-2.2.34.tgz (Vulnerable Library)

Found in HEAD commit: 39dae4a34eda0bd4a8311e76dfcb3ea96b0650f4

Found in base branch: master

Vulnerability Details

In 'node-mongodb-native', versions prior to v3.1.13 are vulnerable against DOS as a result of a potential crash when a collection name is invalid and the DB doesn't exist.

Publish Date: 2019-01-23

URL: WS-2019-0311

CVSS 3 Score Details (6.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: None
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/1203

Release Date: 2019-01-23

Fix Resolution: mongodb - 3.1.13

Step up your Open Source Security Game with Mend here

CVE-2021-23438 (Critical) detected in mpath-0.5.1.tgz

CVE-2021-23438 - Critical Severity Vulnerability

Vulnerable Library - mpath-0.5.1.tgz

{G,S}et object values using MongoDB-like path notation

Library home page: https://registry.npmjs.org/mpath/-/mpath-0.5.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/mpath/package.json

Dependency Hierarchy:

  • node-nest-0.7.5.tgz (Root Library)
    • mongoose-4.13.21.tgz
      • mpath-0.5.1.tgz (Vulnerable Library)

Found in base branch: master

Vulnerability Details

This affects the package mpath before 0.8.4. A type confusion vulnerability can lead to a bypass of CVE-2018-16490. In particular, the condition ignoreProperties.indexOf(parts[i]) !== -1 returns -1 if parts[i] is ['proto']. This is because the method that has been called if the input is an array is Array.prototype.indexOf() and not String.prototype.indexOf(). They behave differently depending on the type of the input.

Publish Date: 2021-09-01

URL: CVE-2021-23438

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23438

Release Date: 2021-09-01

Fix Resolution: mpath - 0.8.4

Step up your Open Source Security Game with Mend here

CVE-2022-0144 (High) detected in shelljs-0.7.8.tgz

CVE-2022-0144 - High Severity Vulnerability

Vulnerable Library - shelljs-0.7.8.tgz

Portable Unix shell commands for Node.js

Library home page: https://registry.npmjs.org/shelljs/-/shelljs-0.7.8.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/shelljs/package.json

Dependency Hierarchy:

  • eslint-3.19.0.tgz (Root Library)
    • shelljs-0.7.8.tgz (Vulnerable Library)

Found in base branch: master

Vulnerability Details

shelljs is vulnerable to Improper Privilege Management

Publish Date: 2022-01-11

URL: CVE-2022-0144

CVSS 3 Score Details (7.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2022-01-11

Fix Resolution (shelljs): 0.8.5

Direct dependency fix Resolution (eslint): 4.0.0

Step up your Open Source Security Game with Mend here

CVE-2022-25883 (High) detected in semver-5.7.1.tgz

CVE-2022-25883 - High Severity Vulnerability

Vulnerable Library - semver-5.7.1.tgz

The semantic version parser used by npm.

Library home page: https://registry.npmjs.org/semver/-/semver-5.7.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/semver/package.json

Dependency Hierarchy:

  • eslint-plugin-import-2.22.1.tgz (Root Library)
    • read-pkg-up-2.0.0.tgz
      • read-pkg-2.0.0.tgz
        • normalize-package-data-2.5.0.tgz
          • semver-5.7.1.tgz (Vulnerable Library)

Found in base branch: master

Vulnerability Details

Versions of the package semver before 7.5.2 are vulnerable to Regular Expression Denial of Service (ReDoS) via the function new Range, when untrusted user data is provided as a range.

Publish Date: 2023-06-21

URL: CVE-2022-25883

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-c2qf-rxjj-qqgw

Release Date: 2023-06-21

Fix Resolution (semver): 5.7.2

Direct dependency fix Resolution (eslint-plugin-import): 2.25.0

Step up your Open Source Security Game with Mend here

CVE-2021-23362 (Medium) detected in hosted-git-info-2.8.8.tgz

CVE-2021-23362 - Medium Severity Vulnerability

Vulnerable Library - hosted-git-info-2.8.8.tgz

Provides metadata and conversions from repository urls for Github, Bitbucket and Gitlab

Library home page: https://registry.npmjs.org/hosted-git-info/-/hosted-git-info-2.8.8.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/hosted-git-info/package.json

Dependency Hierarchy:

  • eslint-plugin-import-2.22.1.tgz (Root Library)
    • read-pkg-up-2.0.0.tgz
      • read-pkg-2.0.0.tgz
        • normalize-package-data-2.5.0.tgz
          • hosted-git-info-2.8.8.tgz (Vulnerable Library)

Found in HEAD commit: 39dae4a34eda0bd4a8311e76dfcb3ea96b0650f4

Found in base branch: master

Vulnerability Details

The package hosted-git-info before 3.0.8 are vulnerable to Regular Expression Denial of Service (ReDoS) via regular expression shortcutMatch in the fromUrl function in index.js. The affected regular expression exhibits polynomial worst-case time complexity.

Publish Date: 2021-03-23

URL: CVE-2021-23362

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-43f8-2h32-f4cj

Release Date: 2021-03-23

Fix Resolution (hosted-git-info): 2.8.9

Direct dependency fix Resolution (eslint-plugin-import): 2.23.0

Step up your Open Source Security Game with Mend here

WS-2020-0042 (High) detected in acorn-5.7.4.tgz - autoclosed

WS-2020-0042 - High Severity Vulnerability

Vulnerable Library - acorn-5.7.4.tgz

ECMAScript parser

Library home page: https://registry.npmjs.org/acorn/-/acorn-5.7.4.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/acorn/package.json

Dependency Hierarchy:

  • eslint-3.19.0.tgz (Root Library)
    • espree-3.5.4.tgz
      • acorn-5.7.4.tgz (Vulnerable Library)

Found in HEAD commit: 39dae4a34eda0bd4a8311e76dfcb3ea96b0650f4

Found in base branch: master

Vulnerability Details

acorn is vulnerable to REGEX DoS. A regex of the form /[x-\ud800]/u causes the parser to enter an infinite loop. attackers may leverage the vulnerability leading to a Denial of Service since the string is not valid UTF16 and it results in it being sanitized before reaching the parser.

Publish Date: 2020-03-01

URL: WS-2020-0042

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/1488

Release Date: 2020-03-01

Fix Resolution (acorn): 6.4.1

Direct dependency fix Resolution (eslint): 5.0.0

Step up your Open Source Security Game with Mend here

CVE-2021-3803 (High) detected in nth-check-1.0.2.tgz

CVE-2021-3803 - High Severity Vulnerability

Vulnerable Library - nth-check-1.0.2.tgz

performant nth-check parser & compiler

Library home page: https://registry.npmjs.org/nth-check/-/nth-check-1.0.2.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/nth-check/package.json

Dependency Hierarchy:

  • node-nest-0.7.5.tgz (Root Library)
    • cheerio-1.0.0-rc.3.tgz
      • css-select-1.2.0.tgz
        • nth-check-1.0.2.tgz (Vulnerable Library)

Found in HEAD commit: 39dae4a34eda0bd4a8311e76dfcb3ea96b0650f4

Found in base branch: master

Vulnerability Details

nth-check is vulnerable to Inefficient Regular Expression Complexity

Publish Date: 2021-09-17

URL: CVE-2021-3803

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2021-09-17

Fix Resolution (nth-check): 2.0.1

Direct dependency fix Resolution (node-nest): 0.8.0

Step up your Open Source Security Game with Mend here

CVE-2019-2391 (Medium) detected in bson-1.0.9.tgz

CVE-2019-2391 - Medium Severity Vulnerability

Vulnerable Library - bson-1.0.9.tgz

A bson parser for node.js and the browser

Library home page: https://registry.npmjs.org/bson/-/bson-1.0.9.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/bson/package.json

Dependency Hierarchy:

  • node-nest-0.7.5.tgz (Root Library)
    • mongoose-4.13.21.tgz
      • bson-1.0.9.tgz (Vulnerable Library)

Found in base branch: master

Vulnerability Details

Incorrect parsing of certain JSON input may result in js-bson not correctly serializing BSON. This may cause unexpected application behaviour including data disclosure. This issue affects: MongoDB Inc. js-bson library version 1.1.3 and prior to.

Publish Date: 2020-03-31

URL: CVE-2019-2391

CVSS 3 Score Details (5.4)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2391

Release Date: 2020-03-31

Fix Resolution: bson - 1.1.4

Step up your Open Source Security Game with Mend here

CVE-2021-43138 (High) detected in async-2.6.0.tgz

CVE-2021-43138 - High Severity Vulnerability

Vulnerable Library - async-2.6.0.tgz

Higher-order functions and common patterns for asynchronous code

Library home page: https://registry.npmjs.org/async/-/async-2.6.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/async/package.json

Dependency Hierarchy:

  • node-nest-0.7.5.tgz (Root Library)
    • mongoose-4.13.21.tgz
      • async-2.6.0.tgz (Vulnerable Library)

Found in base branch: master

Vulnerability Details

In Async before 2.6.4 and 3.x before 3.2.2, a malicious user can obtain privileges via the mapValues() method, aka lib/internal/iterator.js createObjectIterator prototype pollution.

Publish Date: 2022-04-06

URL: CVE-2021-43138

CVSS 3 Score Details (7.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2021-43138

Release Date: 2022-04-06

Fix Resolution: async - 2.6.4,3.2.2

Step up your Open Source Security Game with Mend here

CVE-2021-44906 (Critical) detected in minimist-1.2.5.tgz

CVE-2021-44906 - Critical Severity Vulnerability

Vulnerable Library - minimist-1.2.5.tgz

parse argument options

Library home page: https://registry.npmjs.org/minimist/-/minimist-1.2.5.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/minimist/package.json

Dependency Hierarchy:

  • eslint-3.19.0.tgz (Root Library)
    • mkdirp-0.5.5.tgz
      • minimist-1.2.5.tgz (Vulnerable Library)

Found in HEAD commit: 39dae4a34eda0bd4a8311e76dfcb3ea96b0650f4

Found in base branch: master

Vulnerability Details

Minimist <=1.2.5 is vulnerable to Prototype Pollution via file index.js, function setKey() (lines 69-95).

Publish Date: 2022-03-17

URL: CVE-2021-44906

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-xvch-5gv4-984h

Release Date: 2022-03-17

Fix Resolution (minimist): 1.2.6

Direct dependency fix Resolution (eslint): 4.0.0

Step up your Open Source Security Game with Mend here

CVE-2022-46175 (High) detected in json5-1.0.1.tgz

CVE-2022-46175 - High Severity Vulnerability

Vulnerable Library - json5-1.0.1.tgz

JSON for humans.

Library home page: https://registry.npmjs.org/json5/-/json5-1.0.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/json5/package.json

Dependency Hierarchy:

  • eslint-plugin-import-2.22.1.tgz (Root Library)
    • tsconfig-paths-3.9.0.tgz
      • json5-1.0.1.tgz (Vulnerable Library)

Found in HEAD commit: 39dae4a34eda0bd4a8311e76dfcb3ea96b0650f4

Found in base branch: master

Vulnerability Details

JSON5 is an extension to the popular JSON file format that aims to be easier to write and maintain by hand (e.g. for config files). The parse method of the JSON5 library before and including versions 1.0.1 and 2.2.1 does not restrict parsing of keys named __proto__, allowing specially crafted strings to pollute the prototype of the resulting object. This vulnerability pollutes the prototype of the object returned by JSON5.parse and not the global Object prototype, which is the commonly understood definition of Prototype Pollution. However, polluting the prototype of a single object can have significant security impact for an application if the object is later used in trusted operations. This vulnerability could allow an attacker to set arbitrary and unexpected keys on the object returned from JSON5.parse. The actual impact will depend on how applications utilize the returned object and how they filter unwanted keys, but could include denial of service, cross-site scripting, elevation of privilege, and in extreme cases, remote code execution. JSON5.parse should restrict parsing of __proto__ keys when parsing JSON strings to objects. As a point of reference, the JSON.parse method included in JavaScript ignores __proto__ keys. Simply changing JSON5.parse to JSON.parse in the examples above mitigates this vulnerability. This vulnerability is patched in json5 versions 1.0.2, 2.2.2, and later.

Publish Date: 2022-12-24

URL: CVE-2022-46175

CVSS 3 Score Details (8.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2022-46175

Release Date: 2022-12-24

Fix Resolution (json5): 1.0.2

Direct dependency fix Resolution (eslint-plugin-import): 2.23.0

Step up your Open Source Security Game with Mend here

CVE-2022-24304 (High) detected in mongoose-4.13.21.tgz - autoclosed

CVE-2022-24304 - High Severity Vulnerability

Vulnerable Library - mongoose-4.13.21.tgz

Mongoose MongoDB ODM

Library home page: https://registry.npmjs.org/mongoose/-/mongoose-4.13.21.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/mongoose/package.json

Dependency Hierarchy:

  • node-nest-0.7.5.tgz (Root Library)
    • mongoose-4.13.21.tgz (Vulnerable Library)

Found in HEAD commit: 39dae4a34eda0bd4a8311e76dfcb3ea96b0650f4

Found in base branch: master

Vulnerability Details

** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2022-2564. Reason: This candidate is a duplicate of CVE-2022-2564. Notes: All CVE users should reference CVE-2022-2564 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage.

Publish Date: 2022-08-26

URL: CVE-2022-24304

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2022-08-26

Fix Resolution: mongoose - 6.4.6

Step up your Open Source Security Game with Mend here

CVE-2022-3517 (High) detected in minimatch-3.0.4.tgz

CVE-2022-3517 - High Severity Vulnerability

Vulnerable Library - minimatch-3.0.4.tgz

a glob matcher in javascript

Library home page: https://registry.npmjs.org/minimatch/-/minimatch-3.0.4.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/minimatch/package.json

Dependency Hierarchy:

  • eslint-plugin-import-2.22.1.tgz (Root Library)
    • minimatch-3.0.4.tgz (Vulnerable Library)

Found in HEAD commit: 39dae4a34eda0bd4a8311e76dfcb3ea96b0650f4

Found in base branch: master

Vulnerability Details

A vulnerability was found in the minimatch package. This flaw allows a Regular Expression Denial of Service (ReDoS) when calling the braceExpand function with specific arguments, resulting in a Denial of Service.

Publish Date: 2022-10-17

URL: CVE-2022-3517

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2022-10-17

Fix Resolution: minimatch - 3.0.5

Step up your Open Source Security Game with Mend here

CVE-2021-23343 (High) detected in path-parse-1.0.6.tgz

CVE-2021-23343 - High Severity Vulnerability

Vulnerable Library - path-parse-1.0.6.tgz

Node.js path.parse() ponyfill

Library home page: https://registry.npmjs.org/path-parse/-/path-parse-1.0.6.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/path-parse/package.json

Dependency Hierarchy:

  • eslint-plugin-import-2.22.1.tgz (Root Library)
    • resolve-1.18.1.tgz
      • path-parse-1.0.6.tgz (Vulnerable Library)

Found in HEAD commit: 39dae4a34eda0bd4a8311e76dfcb3ea96b0650f4

Found in base branch: master

Vulnerability Details

All versions of package path-parse are vulnerable to Regular Expression Denial of Service (ReDoS) via splitDeviceRe, splitTailRe, and splitPathRe regular expressions. ReDoS exhibits polynomial worst-case time complexity.

Publish Date: 2021-05-04

URL: CVE-2021-23343

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2021-05-04

Fix Resolution (path-parse): 1.0.7

Direct dependency fix Resolution (eslint-plugin-import): 2.23.0

Step up your Open Source Security Game with Mend here

CVE-2023-3696 (Critical) detected in mongoose-4.13.21.tgz

CVE-2023-3696 - Critical Severity Vulnerability

Vulnerable Library - mongoose-4.13.21.tgz

Mongoose MongoDB ODM

Library home page: https://registry.npmjs.org/mongoose/-/mongoose-4.13.21.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/mongoose/package.json

Dependency Hierarchy:

  • node-nest-0.7.5.tgz (Root Library)
    • mongoose-4.13.21.tgz (Vulnerable Library)

Found in HEAD commit: 39dae4a34eda0bd4a8311e76dfcb3ea96b0650f4

Found in base branch: master

Vulnerability Details

Prototype Pollution in GitHub repository automattic/mongoose prior to 7.3.4.

Publish Date: 2023-07-17

URL: CVE-2023-3696

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://huntr.dev/bounties/1eef5a72-f6ab-4f61-b31d-fc66f5b4b467/

Release Date: 2023-07-17

Fix Resolution: mongoose - 6.11.3,7.3.4

Step up your Open Source Security Game with Mend here

CVE-2022-2564 (Critical) detected in mongoose-4.13.21.tgz

CVE-2022-2564 - Critical Severity Vulnerability

Vulnerable Library - mongoose-4.13.21.tgz

Mongoose MongoDB ODM

Library home page: https://registry.npmjs.org/mongoose/-/mongoose-4.13.21.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/mongoose/package.json

Dependency Hierarchy:

  • node-nest-0.7.5.tgz (Root Library)
    • mongoose-4.13.21.tgz (Vulnerable Library)

Found in base branch: master

Vulnerability Details

Prototype Pollution in GitHub repository automattic/mongoose prior to 6.4.6.

Publish Date: 2022-07-28

URL: CVE-2022-2564

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2564

Release Date: 2022-07-28

Fix Resolution: mongoose - 6.4.6

Step up your Open Source Security Game with Mend here

CVE-2021-3918 (Critical) detected in json-schema-0.2.3.tgz

CVE-2021-3918 - Critical Severity Vulnerability

Vulnerable Library - json-schema-0.2.3.tgz

JSON Schema validation and specifications

Library home page: https://registry.npmjs.org/json-schema/-/json-schema-0.2.3.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/json-schema/package.json

Dependency Hierarchy:

  • node-nest-0.7.5.tgz (Root Library)
    • phantom-4.0.12.tgz
      • phantomjs-prebuilt-2.1.16.tgz
        • request-2.88.2.tgz
          • http-signature-1.2.0.tgz
            • jsprim-1.4.1.tgz
              • json-schema-0.2.3.tgz (Vulnerable Library)

Found in base branch: master

Vulnerability Details

json-schema is vulnerable to Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

Publish Date: 2021-11-13

URL: CVE-2021-3918

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2021-3918

Release Date: 2021-11-13

Fix Resolution (json-schema): 0.4.0

Direct dependency fix Resolution (node-nest): 0.8.0

Step up your Open Source Security Game with Mend here

CVE-2023-28155 (Medium) detected in request-2.88.2.tgz

CVE-2023-28155 - Medium Severity Vulnerability

Vulnerable Library - request-2.88.2.tgz

Simplified HTTP request client.

Library home page: https://registry.npmjs.org/request/-/request-2.88.2.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/request/package.json

Dependency Hierarchy:

  • node-nest-0.7.5.tgz (Root Library)
    • phantom-4.0.12.tgz
      • phantomjs-prebuilt-2.1.16.tgz
        • request-2.88.2.tgz (Vulnerable Library)

Found in HEAD commit: 39dae4a34eda0bd4a8311e76dfcb3ea96b0650f4

Found in base branch: master

Vulnerability Details

The request package through 2.88.2 for Node.js and the @cypress/request package prior to 3.0.0 allow a bypass of SSRF mitigations via an attacker-controller server that does a cross-protocol redirect (HTTP to HTTPS, or HTTPS to HTTP).NOTE: The request package is no longer supported by the maintainer.

Publish Date: 2023-03-16

URL: CVE-2023-28155

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-p8p7-x288-28g6

Release Date: 2023-03-16

Fix Resolution: @cypress/request - 3.0.0

Step up your Open Source Security Game with Mend here

CVE-2017-16137 (Medium) detected in debug-3.2.6.tgz

CVE-2017-16137 - Medium Severity Vulnerability

Vulnerable Library - debug-3.2.6.tgz

small debugging utility

Library home page: https://registry.npmjs.org/debug/-/debug-3.2.6.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/debug/package.json

Dependency Hierarchy:

  • node-nest-0.7.5.tgz (Root Library)
    • debug-3.2.6.tgz (Vulnerable Library)

Found in base branch: master

Vulnerability Details

The debug module is vulnerable to regular expression denial of service when untrusted user input is passed into the o formatter. It takes around 50k characters to block for 2 seconds making this a low severity issue.

Publish Date: 2018-06-07

URL: CVE-2017-16137

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-gxpj-cx7g-858c

Release Date: 2018-04-26

Fix Resolution (debug): 3.2.7

Direct dependency fix Resolution (node-nest): 0.8.0

Step up your Open Source Security Game with Mend here

## CVE-2020-7610 - High Severity Vulnerability

CVE-2020-7610 - High Severity Vulnerability

Vulnerable Library - bson-1.0.9.tgz

A bson parser for node.js and the browser

Library home page: https://registry.npmjs.org/bson/-/bson-1.0.9.tgz

Path to dependency file: GOR-CAK/package.json

Path to vulnerable library: GOR-CAK/node_modules/bson/package.json

Dependency Hierarchy:

  • node-nest-0.7.5.tgz (Root Library)
    • mongoose-4.13.21.tgz
      • bson-1.0.9.tgz (Vulnerable Library)

Found in HEAD commit: 39dae4a34eda0bd4a8311e76dfcb3ea96b0650f4

Found in base branch: master

Vulnerability Details

All versions of bson before 1.1.4 are vulnerable to Deserialization of Untrusted Data. The package will ignore an unknown value for an object's _bsotype, leading to cases where an object is serialized as a document rather than the intended BSON type.

Publish Date: 2020-03-30

URL: CVE-2020-7610

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://github.com/mongodb/js-bson/releases/tag/v1.1.4

Release Date: 2020-03-30

Fix Resolution: bson - 1.1.4

Step up your Open Source Security Game with WhiteSource here

Originally posted by @whitesource-bolt-for-github in #6

CVE-2023-26136 (Critical) detected in tough-cookie-2.5.0.tgz

CVE-2023-26136 - Critical Severity Vulnerability

Vulnerable Library - tough-cookie-2.5.0.tgz

RFC6265 Cookies and Cookie Jar for node.js

Library home page: https://registry.npmjs.org/tough-cookie/-/tough-cookie-2.5.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/tough-cookie/package.json

Dependency Hierarchy:

  • node-nest-0.7.5.tgz (Root Library)
    • request-promise-4.2.6.tgz
      • tough-cookie-2.5.0.tgz (Vulnerable Library)

Found in HEAD commit: 39dae4a34eda0bd4a8311e76dfcb3ea96b0650f4

Found in base branch: master

Vulnerability Details

Versions of the package tough-cookie before 4.1.3 are vulnerable to Prototype Pollution due to improper handling of Cookies when using CookieJar in rejectPublicSuffixes=false mode. This issue arises from the manner in which the objects are initialized.

Publish Date: 2023-07-01

URL: CVE-2023-26136

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2023-26136

Release Date: 2023-07-01

Fix Resolution: tough-cookie - 4.1.3

Step up your Open Source Security Game with Mend here

CVE-2020-35149 (Medium) detected in mquery-2.3.3.tgz

CVE-2020-35149 - Medium Severity Vulnerability

Vulnerable Library - mquery-2.3.3.tgz

Expressive query building for MongoDB

Library home page: https://registry.npmjs.org/mquery/-/mquery-2.3.3.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/mquery/package.json

Dependency Hierarchy:

  • node-nest-0.7.5.tgz (Root Library)
    • mongoose-4.13.21.tgz
      • mquery-2.3.3.tgz (Vulnerable Library)

Found in base branch: master

Vulnerability Details

lib/utils.js in mquery before 3.2.3 allows a pollution attack because a special property (e.g., proto) can be copied during a merge or clone operation.

Publish Date: 2020-12-11

URL: CVE-2020-35149

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2020-12-11

Fix Resolution: 3.2.3

Step up your Open Source Security Game with Mend here

CVE-2024-27088 (Low) detected in es5-ext-0.10.53.tgz

CVE-2024-27088 - Low Severity Vulnerability

Vulnerable Library - es5-ext-0.10.53.tgz

ECMAScript extensions and shims

Library home page: https://registry.npmjs.org/es5-ext/-/es5-ext-0.10.53.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/es5-ext/package.json

Dependency Hierarchy:

  • eslint-3.19.0.tgz (Root Library)
    • escope-3.6.0.tgz
      • es6-map-0.1.5.tgz
        • es5-ext-0.10.53.tgz (Vulnerable Library)

Found in HEAD commit: 39dae4a34eda0bd4a8311e76dfcb3ea96b0650f4

Found in base branch: master

Vulnerability Details

es5-ext contains ECMAScript 5 extensions. Passing functions with very long names or complex default argument names into function#copy or function#toStringTokens may cause the script to stall. The vulnerability is patched in v0.10.63.

Publish Date: 2024-02-26

URL: CVE-2024-27088

CVSS 3 Score Details (0.0)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: High
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2024-27088

Release Date: 2024-02-26

Fix Resolution (es5-ext): 0.10.63

Direct dependency fix Resolution (eslint): 4.0.0

Step up your Open Source Security Game with Mend here

CVE-2020-7610 (Critical) detected in bson-1.0.9.tgz

CVE-2020-7610 - Critical Severity Vulnerability

Vulnerable Library - bson-1.0.9.tgz

A bson parser for node.js and the browser

Library home page: https://registry.npmjs.org/bson/-/bson-1.0.9.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/bson/package.json

Dependency Hierarchy:

  • node-nest-0.7.5.tgz (Root Library)
    • mongoose-4.13.21.tgz
      • bson-1.0.9.tgz (Vulnerable Library)

Found in HEAD commit: 39dae4a34eda0bd4a8311e76dfcb3ea96b0650f4

Found in base branch: master

Vulnerability Details

All versions of bson before 1.1.4 are vulnerable to Deserialization of Untrusted Data. The package will ignore an unknown value for an object's _bsotype, leading to cases where an object is serialized as a document rather than the intended BSON type.

Publish Date: 2020-03-30

URL: CVE-2020-7610

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2020-04-01

Fix Resolution: bson - 1.1.4

Step up your Open Source Security Game with Mend here

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. 📊📈🎉

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google ❤️ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.