
Bulk vulnerability fix - Lockfile fix #2

Open

wants to merge 1 commit into master

Conversation

debricked[bot] commented Aug 9, 2021

Bulk vulnerability fix - Lockfile fix

This pull request will update your transitive dependencies within the allowed version intervals provided by your direct dependencies.

Fixed vulnerabilities:

CVE-2021-23343
debricked-149688
CVE-2017-16028
CVE-2018-16492
  • Description

    Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

    The software constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.

    GitHub

    Prototype Pollution in extend

    Versions of extend prior to 3.0.2 (for 3.x) and 2.0.2 (for 2.x) are vulnerable to Prototype Pollution. The extend() function allows attackers to modify the prototype of Object causing the addition or modification of an existing property that will exist on all objects.

    Recommendation

    If you're using extend 3.x upgrade to 3.0.2 or later.
    If you're using extend 2.x upgrade to 2.0.2 or later.

    NVD

    A prototype pollution vulnerability was found in module extend <2.0.2, ~<3.0.2 that allows an attacker to inject arbitrary properties onto Object.prototype.

  • CVSS details - 9.8

     

    CVSS3 metrics
    Attack Vector Network
    Attack Complexity Low
    Privileges Required None
    User interaction None
    Scope Unchanged
    Confidentiality High
    Integrity High
    Availability High
  • References

        HackerOne
        Prototype Pollution in extend · CVE-2018-16492 · GitHub Advisory Database · GitHub
        NVD - CVE-2018-16492

CVE-2017-15010
CVE-2019-13173
CVE-2020-7733
CVE-2020-7793
CVE-2021-27292
CVE-2017-16099
  • Description

    Uncontrolled Resource Consumption

    The software does not properly control the allocation and maintenance of a limited resource thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources.

    GitHub

    Regular Expression Denial of Service in no-case

    Affected versions of no-case are vulnerable to a regular expression denial of service when parsing untrusted user input.

    Recommendation

    Update to version 2.3.2 or later.

    NVD

    The no-case module is vulnerable to regular expression denial of service. When malicious untrusted user input is passed into no-case it can block the event loop causing a denial of service condition.

  • CVSS details - 7.5

     

    CVSS3 metrics
    Attack Vector Network
    Attack Complexity Low
    Privileges Required None
    User interaction None
    Scope Unchanged
    Confidentiality None
    Integrity None
    Availability High
  • References

        nodesecurity.io - nodesecurity Resources and Information.
        THIRD PARTY
        Regular Expression Denial of Service in no-case · CVE-2017-16099 · GitHub Advisory Database · GitHub
        NVD - CVE-2017-16099

CVE-2021-23369
CVE-2021-23383
debricked-160898
CVE-2018-3737
  • Description

    Incorrect Regular Expression

    The software specifies a regular expression in a way that causes data to be improperly matched or compared.

    GitHub

    Regular Expression Denial of Service in sshpk

    Versions of sshpk before 1.13.2 or 1.14.1 are vulnerable to regular expression denial of service when parsing crafted invalid public keys.

    Recommendation

    Update to version 1.13.2, 1.14.1 or later.

    NVD

    sshpk is vulnerable to ReDoS when parsing crafted invalid public keys.

  • CVSS details - 7.5

     

    CVSS3 metrics
    Attack Vector Network
    Attack Complexity Low
    Privileges Required None
    User interaction None
    Scope Unchanged
    Confidentiality None
    Integrity None
    Availability High
  • References

        HackerOne
        Regular Expression Denial of Service in sshpk · CVE-2018-3737 · GitHub Advisory Database · GitHub
        NVD - CVE-2018-3737

CVE-2018-16469
  • Description

    Improper Input Validation

    The product does not validate or incorrectly validates input that can affect the control flow or data flow of a program.

    GitHub

    Prototype Pollution in merge

    Versions of merge before 1.2.1 are vulnerable to prototype pollution. The merge.recursive function can be tricked into adding or modifying properties of the Object prototype.

    Recommendation

    Update to version 1.2.1 or later.

    NVD

    The merge.recursive function in the merge package <1.2.1 can be tricked into adding or modifying properties of the Object prototype. These properties will be present on all objects allowing for a denial of service attack.

  • CVSS details - 7.5

     

    CVSS3 metrics
    Attack Vector Network
    Attack Complexity Low
    Privileges Required None
    User interaction None
    Scope Unchanged
    Confidentiality None
    Integrity None
    Availability High
  • References

        HackerOne
        Prototype Pollution in merge · CVE-2018-16469 · GitHub Advisory Database · GitHub
        NVD - CVE-2018-16469

CVE-2018-6342
  • Description

    Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

    The software constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

    GitHub

    Remote Code Execution in react-dev-utils

    react-dev-utils on Windows is vulnerable to remote code execution.

    Recommendation

    Update to one of the following versions, depending on the release line that you are using.

    • 1.0.4
    • 2.0.2
    • 3.1.2
    • 4.2.2
    • 5.0.2
    • 6.0.0-next.a671462c

    NVD

    react-dev-utils on Windows allows developers to run a local webserver for accepting various commands, including a command to launch an editor. The input to that command was not properly sanitized, allowing an attacker who can make a network request to the server (either via CSRF or by direct request) to execute arbitrary commands on the targeted system. This issue affects multiple branches: 1.x.x prior to 1.0.4, 2.x.x prior to 2.0.2, 3.x.x prior to 3.1.2, 4.x.x prior to 4.2.2, and 5.x.x prior to 5.0.2.

  • CVSS details - 9.8

     

    CVSS3 metrics
    Attack Vector Network
    Attack Complexity Low
    Privileges Required None
    User interaction None
    Scope Unchanged
    Confidentiality High
    Integrity High
    Availability High
  • References

        Use file name whitelist to prevent RCE by acdlite · Pull Request #4866 · facebook/create-react-app · GitHub
        Release v1.1.5 · facebook/create-react-app · GitHub
        Remote Code Execution in react-dev-utils · CVE-2018-6342 · GitHub Advisory Database · GitHub
        NVD - CVE-2018-6342

CVE-2018-3774
CVE-2020-8124
  • Description

    Improper Input Validation

    The product does not validate or incorrectly validates input that can affect the control flow or data flow of a program.

    NVD

    Insufficient validation and sanitization of user input exists in the url-parse npm package version 1.4.4 and earlier, which may allow an attacker to bypass security checks.

  • CVSS details - 5.3

     

    CVSS3 metrics
    Attack Vector Network
    Attack Complexity Low
    Privileges Required None
    User interaction None
    Scope Unchanged
    Confidentiality None
    Integrity Low
    Availability None
  • References

        NVD - CVE-2020-8124
        HackerOne

CVE-2021-27515
debricked-160897
CVE-2020-7662
CVE-2020-26291
CVE-2021-27516
CVE-2020-28498
CVE-2021-23386
  • Description

    Exposure of Sensitive Information to an Unauthorized Actor

    The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

    GitHub

    Potential memory exposure in dns-packet

    This affects the package dns-packet before versions 1.3.2 and 5.2.2. It creates buffers with allocUnsafe and does not always fill them before forming network packets. This can expose internal application memory over an unencrypted network when querying crafted invalid domain names.

    NVD

    This affects the package dns-packet before 5.2.2. It creates buffers with allocUnsafe and does not always fill them before forming network packets. This can expose internal application memory over an unencrypted network when querying crafted invalid domain names.

  • CVSS details - 6.5

     

    CVSS3 metrics
    Attack Vector Network
    Attack Complexity Low
    Privileges Required Low
    User interaction None
    Scope Unchanged
    Confidentiality High
    Integrity None
    Availability None
  • References

        HackerOne
        do trim on encodingLength as well · mafintosh/dns-packet@25f15dd · GitHub
        NVD - CVE-2021-23386
        Potential memory exposure in dns-packet · CVE-2021-23386 · GitHub Advisory Database · GitHub

CVE-2017-16119
  • Description

    Uncontrolled Resource Consumption

    The software does not properly control the allocation and maintenance of a limited resource thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources.

    GitHub

    Regular Expression Denial of Service in fresh

    Affected versions of fresh are vulnerable to regular expression denial of service when parsing specially crafted user input.

    Recommendation

    Update to version 0.5.2 or later.

    NVD

    Fresh is a module used by the Express.js framework for HTTP response freshness testing. It is vulnerable to a regular expression denial of service when it is passed specially crafted input to parse. This causes the event loop to be blocked causing a denial of service condition.

  • CVSS details - 7.5

     

    CVSS3 metrics
    Attack Vector Network
    Attack Complexity Low
    Privileges Required None
    User interaction None
    Scope Unchanged
    Confidentiality None
    Integrity None
    Availability High
  • References

        nodesecurity.io - nodesecurity Resources and Information.
        NVD - CVE-2017-16119
        Regular Expression Denial of Service in fresh · CVE-2017-16119 · GitHub Advisory Database · GitHub

CVE-2017-16118
  • Description

    Uncontrolled Resource Consumption

    The software does not properly control the allocation and maintenance of a limited resource thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources.

    GitHub

    Regular Expression Denial of Service in forwarded

    Affected versions of forwarded are vulnerable to regular expression denial of service when parsing specially crafted user input.

    Recommendation

    Update to version 0.1.2 or later.

    NVD

    The forwarded module is used by the Express.js framework to handle the X-Forwarded-For header. It is vulnerable to a regular expression denial of service when it's passed specially crafted input to parse. This causes the event loop to be blocked causing a denial of service condition.

  • CVSS details - 7.5

     

    CVSS3 metrics
    Attack Vector Network
    Attack Complexity Low
    Privileges Required None
    User interaction None
    Scope Unchanged
    Confidentiality None
    Integrity None
    Availability High
  • References

        Bugtraq
        nodesecurity.io - nodesecurity Resources and Information.
        NVD - CVE-2017-16118
        Regular Expression Denial of Service in forwarded · CVE-2017-16118 · GitHub Advisory Database · GitHub

CVE-2020-7720
CVE-2021-33502
  • Description

    GitHub

    ReDoS in normalize-url

    The normalize-url package before 4.5.1, 5.x before 5.3.1, and 6.x before 6.0.1 for Node.js has a ReDoS (regular expression denial of service) issue because it has exponential performance for data: URLs.

    NVD

    The normalize-url package before 4.5.1, 5.x before 5.3.1, and 6.x before 6.0.1 for Node.js has a ReDoS (regular expression denial of service) issue because it has exponential performance for data: URLs.

  • CVSS details - 7.5

     

    CVSS3 metrics
    Attack Vector Network
    Attack Complexity Low
    Privileges Required None
    User interaction None
    Scope Unchanged
    Confidentiality None
    Integrity None
    Availability High
  • References

        Release v6.0.1 · sindresorhus/normalize-url · GitHub
        NVD - CVE-2021-33502
        ReDoS in normalize-url · CVE-2021-33502 · GitHub Advisory Database · GitHub

CVE-2021-26707
CVE-2020-13822
debricked-149740
debricked-149739
debricked-149694
debricked-149699
debricked-149662
CVE-2018-6341
CVE-2018-1107
CVE-2017-1000427
CVE-2017-16114
  • Description

    Uncontrolled Resource Consumption

    The software does not properly control the allocation and maintenance of a limited resource thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources.

    GitHub

    Regular Expression Denial of Service in marked

    Affected versions of marked are vulnerable to a regular expression denial of service.

    The amplification in this vulnerability is significant, with 1,000 characters resulting in the event loop being blocked for around 6 seconds.

    Recommendation

    Update to version 0.3.9 or later.

    NVD

    The marked module is vulnerable to a regular expression denial of service. Based on the information published in the public issue, 1k characters can block for around 6 seconds.

  • CVSS details - 7.5

     

    CVSS3 metrics
    Attack Vector Network
    Attack Complexity Low
    Privileges Required None
    User interaction None
    Scope Unchanged
    Confidentiality None
    Integrity None
    Availability High
  • References

        nodesecurity.io - nodesecurity Resources and Information.
        Vulnerable Regular Expression · Issue #937 · markedjs/marked · GitHub
        Regular Expression Denial of Service in marked · CVE-2017-16114 · GitHub Advisory Database · GitHub
        NVD - CVE-2017-16114

CVE-2019-10747
CVE-2019-20149
CVE-2019-10746
CVE-2019-15599
  • Description

    Improper Control of Generation of Code ('Code Injection')

    The software constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

    NVD

    A Code Injection exists in tree-kill on Windows which allows a remote code execution when an attacker is able to control the input into the command.

  • CVSS details - 9.8

     

    CVSS3 metrics
    Attack Vector Network
    Attack Complexity Low
    Privileges Required None
    User interaction None
    Scope Unchanged
    Confidentiality High
    Integrity High
    Availability High
  • References

        NVD - CVE-2019-15599
        HackerOne

CVE-2018-16472
  • Description

    Improper Input Validation

    The product does not validate or incorrectly validates input that can affect the control flow or data flow of a program.

    GitHub

    Prototype Pollution in cached-path-relative

    Versions of cached-path-relative before 1.0.2 are vulnerable to prototype pollution.

    Recommendation

    Update to version 1.0.2 or later.

    NVD

    A prototype pollution attack in cached-path-relative versions <=1.0.1 allows an attacker to inject properties on Object.prototype which are then inherited by all the JS objects through the prototype chain causing a DoS attack.

  • CVSS details - 7.5

     

    CVSS3 metrics
    Attack Vector Network
    Attack Complexity Low
    Privileges Required None
    User interaction None
    Scope Unchanged
    Confidentiality None
    Integrity None
    Availability High
  • References

        HackerOne
        Prototype Pollution in cached-path-relative · CVE-2018-16472 · GitHub Advisory Database · GitHub
        NVD - CVE-2018-16472

CVE-2017-16042
CVE-2018-20835
  • Description

    Improper Input Validation

    The product does not validate or incorrectly validates input that can affect the control flow or data flow of a program.

    GitHub

    High severity vulnerability that affects tar-fs

    A vulnerability was found in tar-fs before 1.16.2. An Arbitrary File Overwrite issue exists when extracting a tarball containing a hardlink to a file that already exists on the system, in conjunction with a later plain file with the same name as the hardlink. This plain file content replaces the existing file content.

    NVD

    A vulnerability was found in tar-fs before 1.16.2. An Arbitrary File Overwrite issue exists when extracting a tarball containing a hardlink to a file that already exists on the system, in conjunction with a later plain file with the same name as the hardlink. This plain file content replaces the existing file content.

  • CVSS details - 7.5

     

    CVSS3 metrics
    Attack Vector Network
    Attack Complexity Low
    Privileges Required None
    User interaction None
    Scope Unchanged
    Confidentiality None
    Integrity High
    Availability None
  • References

        force hardlink targets to be in the tar · mafintosh/tar-fs@0667282 · GitHub
        HackerOne
        Comparing d590fc7...a35ce2f · mafintosh/tar-fs · GitHub
        Improper Input Validation in tar-fs · CVE-2018-20835 · GitHub Advisory Database · GitHub
        NVD - CVE-2018-20835

CVE-2020-15366
  • Description

    Improper Input Validation

    The product does not validate or incorrectly validates input that can affect the control flow or data flow of a program.

    NVD

    An issue was discovered in ajv.validate() in Ajv (aka Another JSON Schema Validator) 6.12.2. A carefully crafted JSON schema could be provided that allows execution of other code by prototype pollution. (While untrusted schemas are recommended against, the worst case of an untrusted schema should be a denial of service, not execution of code.)

  • CVSS details - 5.6

     

    CVSS3 metrics
    Attack Vector Network
    Attack Complexity High
    Privileges Required None
    User interaction None
    Scope Unchanged
    Confidentiality Low
    Integrity Low
    Availability Low
  • References

        Release v6.12.3 · ajv-validator/ajv · GitHub
        Tags · ajv-validator/ajv · GitHub
        HackerOne

 

Related information

📌 Remember! Check the changes to ensure they don't introduce any breaking changes.
📚 Read more at Debricked
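The prototype pollution entries in the bot's list (extend, merge, cached-path-relative, and the ajv schema case) all reduce to a recursive copy that follows a "__proto__" key into Object.prototype. The block below is an added example, not code from any of those packages or from this pull request: a minimal recursive merge in the vulnerable shape, a hardened form, and a probe that reports whether Object.prototype has already been polluted in the running process. The attacker JSON payload is constructed for the demonstration.

```javascript
// Added example (not code from extend, merge or this PR): a recursive merge in
// the vulnerable shape, a hardened version, and a prototype-pollution probe.

// Vulnerable shape: every enumerable key of `source` is walked, "__proto__"
// included, and target["__proto__"] is Object.prototype, so the recursion
// writes the attacker's keys onto the prototype shared by every object.
function mergeRecursiveVulnerable(target, source) {
  for (const key in source) {
    const value = source[key];
    if (value && typeof value === 'object') {
      if (!target[key] || typeof target[key] !== 'object') target[key] = {};
      mergeRecursiveVulnerable(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened version: own keys only, the three keys that reach the prototype
// chain are skipped (a legitimate "constructor" field is dropped as the price
// of that), and nested objects are merged only into own properties of target.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function mergeRecursiveSafe(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    const value = source[key];
    if (value && typeof value === 'object' && !Array.isArray(value)) {
      const own = Object.prototype.hasOwnProperty.call(target, key);
      if (!own || !target[key] || typeof target[key] !== 'object') target[key] = {};
      mergeRecursiveSafe(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Runtime probe: a clean Object.prototype has no enumerable own keys, and
// pollution by assignment always creates an enumerable one.
function pollutedPrototypeKeys() {
  return Object.keys(Object.prototype);
}

// Run `mergeFn` on constructed attacker-controlled JSON and report whether an
// unrelated, freshly created object gained the injected property. Restores
// Object.prototype afterwards so the process is left clean.
function demonstratePollution(mergeFn) {
  const attackerJson = '{"__proto__": {"isAdmin": true}}';  // constructed payload
  const payload = JSON.parse(attackerJson);                 // own key "__proto__"
  const before = ({}).isAdmin;
  mergeFn({}, payload);
  const after = ({}).isAdmin;
  const leakedKeys = pollutedPrototypeKeys();
  delete Object.prototype.isAdmin;
  return { before, after, leakedKeys };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log('vulnerable:', demonstratePollution(mergeRecursiveVulnerable));
  console.log('hardened:  ', demonstratePollution(mergeRecursiveSafe));
}
```

Run with node: the vulnerable merge reports after: true and leakedKeys: ['isAdmin'], the hardened one reports after: undefined with no leaked keys. The probe is also a cheap check to keep in a test suite: any enumerable key on Object.prototype means some dependency in the lockfile has written to it.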

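Six of the listed advisories (no-case, sshpk, fresh, forwarded, marked, normalize-url) are regular expression denial of service. The block below is an added example and is not code from any of those packages or from this pull request: a representative nested-quantifier regex of the kind behind such advisories (an assumed pattern, not the exact regex of any package), a timing probe that shows its cost doubling with each extra input character, and the two fixes these advisories converge on: an unambiguous pattern or a single-pass parser, and a bound on input length. The X-Forwarded-For style parser illustrates the shape of the forwarded fix rather than reproducing that module, and MAX_INPUT_LENGTH is an assumed bound.

```javascript
// Added example (not code from any of the packages above): a catastrophic
// regex, a linear equivalent, a single-pass header parser, and an input bound.

// Representative vulnerable pattern (assumed for illustration): "\w+" and the
// optional "\s?" can split a run of word characters in exponentially many ways,
// and a trailing character that never matches forces every split to be tried.
const NESTED_QUANTIFIER = /^(\w+\s?)*$/;

// Accepts the same non-empty strings with no ambiguity: each whitespace must be
// followed by a word run, so failure at the end costs one step per character.
const LINEAR_PATTERN = /^\w+(\s\w+)*\s?$/;

// Constructed adversarial input: n word characters, then one that cannot match.
function evilInput(n) {
  return 'a'.repeat(n) + '!';
}

// Milliseconds for a single test() call; used only for the doubling table.
function measureMs(re, input) {
  const start = process.hrtime.bigint();
  re.test(input);
  return Number(process.hrtime.bigint() - start) / 1e6;
}

// Single-pass parser for a comma-separated header such as X-Forwarded-For:
// no regex at all, so cost is strictly proportional to header length.
function parseForwardedList(header) {
  const addresses = [];
  let token = '';
  for (let i = 0; i <= header.length; i++) {
    const ch = header[i];
    if (i === header.length || ch === ',') {
      const trimmed = token.trim();
      if (trimmed) addresses.push(trimmed);
      token = '';
    } else {
      token += ch;
    }
  }
  return addresses;
}

// Input bound: a cap does not rescue an exponential pattern, but with a linear
// or low-polynomial one it puts a hard ceiling on the work an attacker can buy.
const MAX_INPUT_LENGTH = 8192;  // assumed bound

function boundedTest(re, input) {
  if (typeof input !== 'string' || input.length > MAX_INPUT_LENGTH) {
    return { ok: false, reason: 'input exceeds ' + MAX_INPUT_LENGTH + ' characters' };
  }
  return { ok: true, matched: re.test(input) };
}

if (typeof require !== 'undefined' && require.main === module) {
  // The nested column roughly doubles per character; the linear column stays flat.
  for (let n = 12; n <= 20; n++) {
    const nested = measureMs(NESTED_QUANTIFIER, evilInput(n)).toFixed(2);
    const linear = measureMs(LINEAR_PATTERN, evilInput(n)).toFixed(2);
    console.log(`n=${n}  nested=${nested}ms  linear=${linear}ms`);
  }
}
```

Keep the demonstration loop at small n: at 20 characters the nested pattern already performs on the order of a million backtracking steps, and a few more characters is enough to block the event loop for seconds, which is exactly the "1k characters can block for around 6 seconds" behaviour the marked advisory describes.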
 
