redjax / dotfiles Goto Github PK

Vulnerable Library - lodash-4.17.15.tgz

Lodash modular utilities.

Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.15.tgz

Path to dependency file: /tmp/ws-scm/dotfiles/Ubuntu_server/dots/.local/share/nvim/site/pack/coc/start/coc.nvim-release/package.json

Path to vulnerable library: /tmp/ws-scm/dotfiles/Ubuntu_server/dots/.local/share/nvim/site/pack/coc/start/coc.nvim-release/node_modules/lodash/package.json

Dependency Hierarchy:

• jest-24.9.0.tgz (Root Library)
  • jest-cli-24.9.0.tgz
    • jest-config-24.9.0.tgz
      • core-7.9.6.tgz
        • ❌ lodash-4.17.15.tgz (Vulnerable Library)

Found in HEAD commit: fbbae0b4511878f8397880f72fb46c47f18ab762

Vulnerability Details

a prototype pollution vulnerability in lodash. It allows an attacker to inject properties on Object.prototype

Publish Date: 2020-04-28

URL: WS-2020-0070

CVSS 3 Score Details (8.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Vulnerable Libraries - kind-of-3.2.2.tgz, kind-of-4.0.0.tgz, kind-of-5.1.0.tgz

Found in HEAD commit: 62c4b9c46c652dc0b44ecb53df7d2e950d9bab8c

Vulnerability Details

ctorName in index.js in kind-of v6.0.2 allows external user input to overwrite certain internal attributes via a conflicting name, as demonstrated by 'constructor': {'name':'Symbol'}. Hence, a crafted payload can overwrite this builtin attribute to manipulate the type detection result.

Publish Date: 2019-12-30

URL: CVE-2019-20149

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Local
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: None

Vulnerable Library - jquery-1.11.3.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.11.3/jquery.js

Path to dependency file: /Ubuntu_server/dots/.local/share/nvim/site/pack/coc/start/coc.nvim-release/node_modules/int64-buffer/test/test.html

Path to vulnerable library: /Ubuntu_server/dots/.local/share/nvim/site/pack/coc/start/coc.nvim-release/node_modules/int64-buffer/test/test.html

Dependency Hierarchy:

• ❌ jquery-1.11.3.js (Vulnerable Library)

Found in HEAD commit: 62c4b9c46c652dc0b44ecb53df7d2e950d9bab8c

Found in base branch: master

Vulnerability Details

jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. If an unsanitized source object contained an enumerable proto property, it could extend the native Object.prototype.

Publish Date: 2019-04-20

URL: CVE-2019-11358

CVSS 3 Score Details (6.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11358

Release Date: 2019-04-20

Fix Resolution: jquery - 3.4.0

Vulnerable Library - request-2.88.2.tgz

Simplified HTTP request client.

Library home page: https://registry.npmjs.org/request/-/request-2.88.2.tgz

Path to dependency file: /Ubuntu_server/dots/.local/share/nvim/site/pack/coc/start/coc.nvim-release/package.json

Path to vulnerable library: /Ubuntu_server/dots/.local/share/nvim/site/pack/coc/start/coc.nvim-release/node_modules/request/package.json

Dependency Hierarchy:

• jest-24.9.0.tgz (Root Library)
  • jest-cli-24.9.0.tgz
    • jest-config-24.9.0.tgz
      • jest-environment-jsdom-24.9.0.tgz
        • jsdom-11.12.0.tgz
          • ❌ request-2.88.2.tgz (Vulnerable Library)

Found in HEAD commit: fbbae0b4511878f8397880f72fb46c47f18ab762

Found in base branch: master

Vulnerability Details

** UNSUPPORTED WHEN ASSIGNED ** The Request package through 2.88.1 for Node.js allows a bypass of SSRF mitigations via an attacker-controller server that does a cross-protocol redirect (HTTP to HTTPS, or HTTPS to HTTP). NOTE: This vulnerability only affects products that are no longer supported by the maintainer.

Publish Date: 2023-03-16

URL: CVE-2023-28155

CVSS 3 Score Details (5.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Local
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Vulnerable Library - acorn-5.7.4.tgz

ECMAScript parser

Library home page: https://registry.npmjs.org/acorn/-/acorn-5.7.4.tgz

Path to dependency file: /Ubuntu_server/dots/.local/share/nvim/site/pack/coc/start/coc.nvim-release/package.json

Path to vulnerable library: /Ubuntu_server/dots/.local/share/nvim/site/pack/coc/start/coc.nvim-release/node_modules/acorn/package.json

Dependency Hierarchy:

• jest-24.9.0.tgz (Root Library)
  • jest-cli-24.9.0.tgz
    • jest-config-24.9.0.tgz
      • jest-environment-jsdom-24.9.0.tgz
        • jsdom-11.12.0.tgz
          • ❌ acorn-5.7.4.tgz (Vulnerable Library)

Found in HEAD commit: 62c4b9c46c652dc0b44ecb53df7d2e950d9bab8c

Found in base branch: master

Vulnerability Details

acorn is vulnerable to REGEX DoS. A regex of the form /[x-\ud800]/u causes the parser to enter an infinite loop. attackers may leverage the vulnerability leading to a Denial of Service since the string is not valid UTF16 and it results in it being sanitized before reaching the parser.

Publish Date: 2020-03-01

URL: WS-2020-0042

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/1488

Release Date: 2020-03-01

Fix Resolution (acorn): 6.4.1

Direct dependency fix Resolution (jest): 25.0.0

Vulnerable Library - jquery-1.11.3.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.11.3/jquery.js

Path to dependency file: /Ubuntu_server/dots/.local/share/nvim/site/pack/coc/start/coc.nvim-release/node_modules/int64-buffer/test/test.html

Path to vulnerable library: /Ubuntu_server/dots/.local/share/nvim/site/pack/coc/start/coc.nvim-release/node_modules/int64-buffer/test/test.html

Dependency Hierarchy:

• ❌ jquery-1.11.3.js (Vulnerable Library)

Found in base branch: master

Vulnerability Details

In jQuery versions greater than or equal to 1.0.3 and before 3.5.0, passing HTML containing elements from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.

Publish Date: 2020-04-29

URL: CVE-2020-11023

CVSS 3 Score Details (6.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://github.com/jquery/jquery/security/advisories/GHSA-jpcq-cgw6-v4j6,https://github.com/rails/jquery-rails/blob/master/CHANGELOG.md#440

Release Date: 2020-04-29

Fix Resolution: jquery - 3.5.0;jquery-rails - 4.4.0

Vulnerable Library - log4js-5.3.0.tgz

Port of Log4js to work with node.

Library home page: https://registry.npmjs.org/log4js/-/log4js-5.3.0.tgz

Path to dependency file: /Ubuntu_server/dots/.local/share/nvim/site/pack/coc/start/coc.nvim-release/package.json

Path to vulnerable library: /Ubuntu_server/dots/.local/share/nvim/site/pack/coc/start/coc.nvim-release/node_modules/log4js/package.json

Dependency Hierarchy:

• ❌ log4js-5.3.0.tgz (Vulnerable Library)

Found in HEAD commit: 62c4b9c46c652dc0b44ecb53df7d2e950d9bab8c

Found in base branch: master

Vulnerability Details

log4js-node is a port of log4js to node.js. In affected versions default file permissions for log files created by the file, fileSync and dateFile appenders are world-readable (in unix). This could cause problems if log files contain sensitive information. This would affect any users that have not supplied their own permissions for the files via the mode parameter in the config. Users are advised to update.

Publish Date: 2022-01-19

URL: CVE-2022-21704

CVSS 3 Score Details (5.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Local
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: None
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: GHSA-82v2-mx6x-wq7q

Release Date: 2022-01-19

Fix Resolution: 6.4.0

Vulnerable Library - decode-uri-component-0.2.0.tgz

A better decodeURIComponent

Library home page: https://registry.npmjs.org/decode-uri-component/-/decode-uri-component-0.2.0.tgz

Path to dependency file: /Ubuntu_server/dots/.local/share/nvim/site/pack/coc/start/coc.nvim-release/package.json

Path to vulnerable library: /Ubuntu_server/dots/.local/share/nvim/site/pack/coc/start/coc.nvim-release/node_modules/decode-uri-component/package.json

Dependency Hierarchy:

• jest-24.9.0.tgz (Root Library)
  • jest-cli-24.9.0.tgz
    • core-24.9.0.tgz
      • micromatch-3.1.10.tgz
        • snapdragon-0.8.2.tgz
          • source-map-resolve-0.5.3.tgz
            • ❌ decode-uri-component-0.2.0.tgz (Vulnerable Library)

Found in HEAD commit: fbbae0b4511878f8397880f72fb46c47f18ab762

Found in base branch: master

Vulnerability Details

decode-uri-component 0.2.0 is vulnerable to Improper Input Validation resulting in DoS.

Publish Date: 2022-11-28

URL: CVE-2022-38900

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-w573-4hg7-7wgq

Release Date: 2022-11-28

Fix Resolution (decode-uri-component): 0.2.1

Direct dependency fix Resolution (jest): 25.0.0

Vulnerable Library - yargs-parser-10.1.0.tgz

the mighty option parser used by yargs

Library home page: https://registry.npmjs.org/yargs-parser/-/yargs-parser-10.1.0.tgz

Path to dependency file: /Ubuntu_server/dots/.local/share/nvim/site/pack/coc/start/coc.nvim-release/package.json

Path to vulnerable library: /Ubuntu_server/dots/.local/share/nvim/site/pack/coc/start/coc.nvim-release/node_modules/ts-jest/node_modules/yargs-parser/package.json

Dependency Hierarchy:

• ts-jest-24.3.0.tgz (Root Library)
  • ❌ yargs-parser-10.1.0.tgz (Vulnerable Library)

Found in HEAD commit: fbbae0b4511878f8397880f72fb46c47f18ab762

Found in base branch: master

Vulnerability Details

yargs-parser could be tricked into adding or modifying properties of Object.prototype using a "proto" payload.

Publish Date: 2020-03-16

URL: CVE-2020-7608

CVSS 3 Score Details (5.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Local
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Release Date: 2020-03-16

Fix Resolution (yargs-parser): 13.1.2

Direct dependency fix Resolution (ts-jest): 25.2.1

Vulnerable Library - mocha-2.2.5.min.js

simple, flexible, fun test framework

Library home page: https://cdnjs.cloudflare.com/ajax/libs/mocha/2.2.5/mocha.min.js

Path to dependency file: /Ubuntu_server/dots/.local/share/nvim/site/pack/coc/start/coc.nvim-release/node_modules/int64-buffer/test/test.html

Path to vulnerable library: /Ubuntu_server/dots/.local/share/nvim/site/pack/coc/start/coc.nvim-release/node_modules/int64-buffer/test/test.html

Dependency Hierarchy:

• ❌ mocha-2.2.5.min.js (Vulnerable Library)

Found in HEAD commit: fbbae0b4511878f8397880f72fb46c47f18ab762

Found in base branch: master

Vulnerability Details

Mocha is vulnerable to ReDoS attack. If the stack trace in utils.js begins with a large error message, and full-trace is not enabled, utils.stackTraceFilter() will take exponential run time.

Publish Date: 2019-01-24

URL: WS-2019-0425

CVSS 3 Score Details (5.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Release Date: 2019-01-24

Fix Resolution: v6.0.0

Vulnerable Library - json5-2.1.3.tgz

JSON for humans.

Library home page: https://registry.npmjs.org/json5/-/json5-2.1.3.tgz

Path to dependency file: /Ubuntu_server/dots/.local/share/nvim/site/pack/coc/start/coc.nvim-release/package.json

Path to vulnerable library: /Ubuntu_server/dots/.local/share/nvim/site/pack/coc/start/coc.nvim-release/node_modules/json5/package.json

Dependency Hierarchy:

• ts-jest-24.3.0.tgz (Root Library)
  • ❌ json5-2.1.3.tgz (Vulnerable Library)

Found in HEAD commit: 62c4b9c46c652dc0b44ecb53df7d2e950d9bab8c

Found in base branch: master

Vulnerability Details

JSON5 is an extension to the popular JSON file format that aims to be easier to write and maintain by hand (e.g. for config files). The parse method of the JSON5 library before and including versions 1.0.1 and 2.2.1 does not restrict parsing of keys named __proto__, allowing specially crafted strings to pollute the prototype of the resulting object. This vulnerability pollutes the prototype of the object returned by JSON5.parse and not the global Object prototype, which is the commonly understood definition of Prototype Pollution. However, polluting the prototype of a single object can have significant security impact for an application if the object is later used in trusted operations. This vulnerability could allow an attacker to set arbitrary and unexpected keys on the object returned from JSON5.parse. The actual impact will depend on how applications utilize the returned object and how they filter unwanted keys, but could include denial of service, cross-site scripting, elevation of privilege, and in extreme cases, remote code execution. JSON5.parse should restrict parsing of __proto__ keys when parsing JSON strings to objects. As a point of reference, the JSON.parse method included in JavaScript ignores __proto__ keys. Simply changing JSON5.parse to JSON.parse in the examples above mitigates this vulnerability. This vulnerability is patched in json5 versions 1.0.2, 2.2.2, and later.

Publish Date: 2022-12-24

URL: CVE-2022-46175

CVSS 3 Score Details (8.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2022-46175

Release Date: 2022-12-24

Fix Resolution (json5): 2.2.2

Direct dependency fix Resolution (ts-jest): 25.0.0

Vulnerable Library - jquery-1.11.3.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.11.3/jquery.js

Path to dependency file: /Ubuntu_server/dots/.local/share/nvim/site/pack/coc/start/coc.nvim-release/node_modules/int64-buffer/test/test.html

Path to vulnerable library: /Ubuntu_server/dots/.local/share/nvim/site/pack/coc/start/coc.nvim-release/node_modules/int64-buffer/test/test.html

Dependency Hierarchy:

• ❌ jquery-1.11.3.js (Vulnerable Library)

Found in HEAD commit: 62c4b9c46c652dc0b44ecb53df7d2e950d9bab8c

Found in base branch: master

Vulnerability Details

jQuery before 3.0.0 is vulnerable to Cross-site Scripting (XSS) attacks when a cross-domain Ajax request is performed without the dataType option, causing text/javascript responses to be executed.

Publish Date: 2018-01-18

URL: CVE-2015-9251

CVSS 3 Score Details (6.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2015-9251

Release Date: 2018-01-18

Fix Resolution: jQuery - 3.0.0

Vulnerable Library - jquery-1.11.3.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.11.3/jquery.js

Path to dependency file: /Ubuntu_server/dots/.local/share/nvim/site/pack/coc/start/coc.nvim-release/node_modules/int64-buffer/test/test.html

Path to vulnerable library: /Ubuntu_server/dots/.local/share/nvim/site/pack/coc/start/coc.nvim-release/node_modules/int64-buffer/test/test.html

Dependency Hierarchy:

• ❌ jquery-1.11.3.js (Vulnerable Library)

Found in HEAD commit: fbbae0b4511878f8397880f72fb46c47f18ab762

Found in base branch: master

Vulnerability Details

In jQuery versions greater than or equal to 1.2 and before 3.5.0, passing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.

Publish Date: 2020-04-29

URL: CVE-2020-11022

CVSS 3 Score Details (6.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11022

Release Date: 2020-04-29

Fix Resolution: jQuery - 3.5.0

Vulnerable Library - jquery-1.11.3.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.11.3/jquery.js

Path to dependency file: /tmp/ws-scm/dotfiles/Ubuntu_server/dots/.local/share/nvim/site/pack/coc/start/coc.nvim-release/node_modules/int64-buffer/test/test.html

Path to vulnerable library: /dotfiles/Ubuntu_server/dots/.local/share/nvim/site/pack/coc/start/coc.nvim-release/node_modules/int64-buffer/test/test.html

Dependency Hierarchy:

• ❌ jquery-1.11.3.js (Vulnerable Library)

Found in HEAD commit: 62c4b9c46c652dc0b44ecb53df7d2e950d9bab8c

Vulnerability Details

JQuery, before 2.2.0, is vulnerable to Cross-site Scripting (XSS) attacks via text/javascript response with arbitrary code execution.

Publish Date: 2016-11-27

URL: WS-2016-0090

CVSS 2 Score Details (4.3)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: jquery/jquery@b078a62

Release Date: 2019-04-08

Fix Resolution: 2.2.0

Vulnerable Library - minimatch-3.0.4.tgz

a glob matcher in javascript

Library home page: https://registry.npmjs.org/minimatch/-/minimatch-3.0.4.tgz

Path to dependency file: /Ubuntu_server/dots/.local/share/nvim/site/pack/coc/start/coc.nvim-release/package.json

Path to vulnerable library: /Ubuntu_server/dots/.local/share/nvim/site/pack/coc/start/coc.nvim-release/node_modules/minimatch/package.json

Dependency Hierarchy:

• ❌ minimatch-3.0.4.tgz (Vulnerable Library)

Found in HEAD commit: 62c4b9c46c652dc0b44ecb53df7d2e950d9bab8c

Found in base branch: master

Vulnerability Details

A vulnerability was found in the minimatch package. This flaw allows a Regular Expression Denial of Service (ReDoS) when calling the braceExpand function with specific arguments, resulting in a Denial of Service.

Publish Date: 2022-10-17

URL: CVE-2022-3517

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Release Date: 2022-10-17

Fix Resolution: minimatch - 3.0.5

Vulnerable Library - set-value-2.0.1.tgz

Create nested values and any intermediaries using dot notation (`'a.b.c'`) paths.

Library home page: https://registry.npmjs.org/set-value/-/set-value-2.0.1.tgz

Path to dependency file: /Ubuntu_server/dots/.local/share/nvim/site/pack/coc/start/coc.nvim-release/package.json

Path to vulnerable library: /Ubuntu_server/dots/.local/share/nvim/site/pack/coc/start/coc.nvim-release/node_modules/set-value/package.json

Dependency Hierarchy:

• jest-24.9.0.tgz (Root Library)
  • jest-cli-24.9.0.tgz
    • core-24.9.0.tgz
      • micromatch-3.1.10.tgz
        • snapdragon-0.8.2.tgz
          • base-0.11.2.tgz
            • cache-base-1.0.1.tgz
              • ❌ set-value-2.0.1.tgz (Vulnerable Library)

Found in HEAD commit: 62c4b9c46c652dc0b44ecb53df7d2e950d9bab8c

Found in base branch: master

Vulnerability Details

This affects the package set-value before <2.0.1, >=3.0.0 <4.0.1. A type confusion vulnerability can lead to a bypass of CVE-2019-10747 when the user-provided keys used in the path parameter are arrays.
Mend Note: After conducting further research, Mend has determined that all versions of set-value up to version 4.0.0 are vulnerable to CVE-2021-23440.

Publish Date: 2021-09-12

URL: CVE-2021-23440

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Release Date: 2021-09-12

Fix Resolution (set-value): 4.0.1

Direct dependency fix Resolution (jest): 27.0.0

Vulnerable Library - follow-redirects-1.12.1.tgz

HTTP and HTTPS modules that follow redirects.

Library home page: https://registry.npmjs.org/follow-redirects/-/follow-redirects-1.12.1.tgz

Path to dependency file: /Ubuntu_server/dots/.local/share/nvim/site/pack/coc/start/coc.nvim-release/package.json

Path to vulnerable library: /Ubuntu_server/dots/.local/share/nvim/site/pack/coc/start/coc.nvim-release/node_modules/follow-redirects/package.json

Dependency Hierarchy:

• ❌ follow-redirects-1.12.1.tgz (Vulnerable Library)

Found in base branch: master

Vulnerability Details

follow-redirects is vulnerable to Exposure of Private Personal Information to an Unauthorized Actor

Publish Date: 2022-01-10

URL: CVE-2022-0155

CVSS 3 Score Details (6.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: None
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://huntr.dev/bounties/fc524e4b-ebb6-427d-ab67-a64181020406/

Release Date: 2022-01-10

Fix Resolution: 1.14.7

Vulnerable Library - shell-quote-1.7.2.tgz

quote and parse shell commands

Library home page: https://registry.npmjs.org/shell-quote/-/shell-quote-1.7.2.tgz

Path to dependency file: /Ubuntu_server/dots/.local/share/nvim/site/pack/coc/start/coc.nvim-release/package.json

Path to vulnerable library: /Ubuntu_server/dots/.local/share/nvim/site/pack/coc/start/coc.nvim-release/node_modules/shell-quote/package.json

Dependency Hierarchy:

• npm-run-all-4.1.5.tgz (Root Library)
  • ❌ shell-quote-1.7.2.tgz (Vulnerable Library)

Found in HEAD commit: 62c4b9c46c652dc0b44ecb53df7d2e950d9bab8c

Found in base branch: master

Vulnerability Details

The shell-quote package before 1.7.3 for Node.js allows command injection. An attacker can inject unescaped shell metacharacters through a regex designed to support Windows drive letters. If the output of this package is passed to a real shell as a quoted argument to a command with exec(), an attacker can inject arbitrary commands. This is because the Windows drive letter regex character class is {A-z] instead of the correct {A-Za-z]. Several shell metacharacters exist in the space between capital letter Z and lower case letter a, such as the backtick character.

Publish Date: 2021-10-21

URL: CVE-2021-42740

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-42740

Release Date: 2021-10-21

Fix Resolution: shell-quote - 1.7.3

Vulnerable Library - follow-redirects-1.12.1.tgz

HTTP and HTTPS modules that follow redirects.

Library home page: https://registry.npmjs.org/follow-redirects/-/follow-redirects-1.12.1.tgz

Path to dependency file: /Ubuntu_server/dots/.local/share/nvim/site/pack/coc/start/coc.nvim-release/package.json

Path to vulnerable library: /Ubuntu_server/dots/.local/share/nvim/site/pack/coc/start/coc.nvim-release/node_modules/follow-redirects/package.json

Dependency Hierarchy:

• ❌ follow-redirects-1.12.1.tgz (Vulnerable Library)

Found in HEAD commit: 62c4b9c46c652dc0b44ecb53df7d2e950d9bab8c

Found in base branch: master

Vulnerability Details

Exposure of Sensitive Information to an Unauthorized Actor in NPM follow-redirects prior to 1.14.8.

Publish Date: 2022-02-09

URL: CVE-2022-0536

CVSS 3 Score Details (5.9)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: None
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0536

Release Date: 2022-02-09

Fix Resolution: 1.14.8

Vulnerable Library - node-notifier-5.4.3.tgz

A Node.js module for sending notifications on native Mac, Windows (post and pre 8) and Linux (or Growl as fallback)

Library home page: https://registry.npmjs.org/node-notifier/-/node-notifier-5.4.3.tgz

Path to dependency file: /Ubuntu_server/dots/.local/share/nvim/site/pack/coc/start/coc.nvim-release/package.json

Path to vulnerable library: /Ubuntu_server/dots/.local/share/nvim/site/pack/coc/start/coc.nvim-release/node_modules/node-notifier/package.json

Dependency Hierarchy:

• jest-24.9.0.tgz (Root Library)
  • jest-cli-24.9.0.tgz
    • core-24.9.0.tgz
      • reporters-24.9.0.tgz
        • ❌ node-notifier-5.4.3.tgz (Vulnerable Library)

Found in HEAD commit: 62c4b9c46c652dc0b44ecb53df7d2e950d9bab8c

Found in base branch: master

Vulnerability Details

This affects the package node-notifier before 9.0.0. It allows an attacker to run arbitrary commands on Linux machines due to the options params not being sanitised when being passed an array.

Publish Date: 2020-12-11

URL: CVE-2020-7789

CVSS 3 Score Details (5.6)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7789

Release Date: 2020-12-11

Fix Resolution (node-notifier): 5.4.4

Direct dependency fix Resolution (jest): 25.0.0