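# Parsed `npm audit --json` report (legacy npm 6 layout: actions / advisories /
# muted / metadata) kept as a Python literal.  Reviewer notes on reading it:
#
#  * Only the `update` actions carry a `target`/`depth`; those are the ones
#    `npm audit fix` can normally apply.  The three `review` actions
#    (nth-check, got, parse-url) have no non-breaking fix: each found version
#    is a semver-major behind `patched_versions` (nth-check 1.0.2 -> >=2.0.1,
#    got 5.6.0 -> >=11.8.5, parse-url 1.3.11 -> >=6.0.1) and must be handled
#    by hand (override/resolution on the transitive dep, or replace the parent).
#  * `metadata.vulnerabilities` counts dependency *paths*, not advisories:
#    critical 13 = 11 minimist paths + ejs + parse-url SSRF, and the same
#    holds for high/moderate/low.  Do not report them as "13 critical CVEs".
#  * `cvss.score == 0` with `vectorString None` (three node-forge entries)
#    means no CVSS was assigned, not "no impact"; filter on `severity`, never
#    on the score alone.
#  * Every finding is `dev: False` and `metadata.devDependencies` is 0, so
#    paths that look like build/test tooling pulled in via react-scripts
#    (jest, webpack-dev-server, terser, ...) are counted as production.
#    Their runtime exposure is presumably lower than the severity suggests,
#    but they still ship in the install and are reachable in CI.
#  * Upstream text quirks kept verbatim: 1080971/1080972 `overview` says
#    "prior to 7.0.0" while `patched_versions` is `>=6.0.1`; 1081840 has
#    `cves: []` yet references CVE-2022-0122 (the same CVE as 1067452).
#    Confirm against the GHSA pages before pinning versions from the text.
#
# Three values in advisory 1067342 had stray spaces after colons (apparently
# a copy/paste artefact): `vectorString` ('CVSS: 3.1/...'), `updated`
# ('...T21: 39: 39...') and the first reference URL ('https: //...').  They
# are restored to the form every other entry uses; nothing else was changed.
result = {
    'actions': [
        {
            'action': 'update',
            'resolves': [
                {'id': 1067342, 'path': 'react-scripts>@babel/core>json5>minimist', 'dev': False, 'optional': False, 'bundled': False},
                {'id': 1067342, 'path': 'package.json>package-json>registry-auth-token>rc>minimist', 'dev': False, 'optional': False, 'bundled': False},
                {'id': 1067342, 'path': 'react-scripts>@svgr/webpack>@svgr/plugin-jsx>@babel/core>json5>minimist', 'dev': False, 'optional': False, 'bundled': False},
                {'id': 1067342, 'path': 'react-scripts>@svgr/webpack>@svgr/core>@svgr/plugin-jsx>@babel/core>json5>minimist', 'dev': False, 'optional': False, 'bundled': False},
                {'id': 1067342, 'path': 'react-scripts>jest>@jest/core>@jest/reporters>@jest/transform>@babel/core>json5>minimist', 'dev': False, 'optional': False, 'bundled': False},
                {'id': 1067342, 'path': 'react-scripts>jest>@jest/core>jest-config>babel-jest>@jest/transform>@babel/core>json5>minimist', 'dev': False, 'optional': False, 'bundled': False},
                {'id': 1067342, 'path': 'react-scripts>jest>jest-cli>@jest/core>jest-config>babel-jest>@jest/transform>@babel/core>json5>minimist', 'dev': False, 'optional': False, 'bundled': False},
                {'id': 1067342, 'path': 'react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/transform>@babel/core>json5>minimist', 'dev': False, 'optional': False, 'bundled': False},
                {'id': 1067342, 'path': 'react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>jest-snapshot>@jest/transform>@babel/core>json5>minimist', 'dev': False, 'optional': False, 'bundled': False},
                {'id': 1067342, 'path': 'react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/transform>babel-plugin-istanbul>istanbul-lib-instrument>@babel/core>json5>minimist', 'dev': False, 'optional': False, 'bundled': False},
                {'id': 1067342, 'path': 'react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>jest-snapshot>@jest/transform>babel-plugin-istanbul>istanbul-lib-instrument>@babel/core>json5>minimist', 'dev': False, 'optional': False, 'bundled': False},
            ],
            'module': 'minimist',
            'target': '1.2.6',
            'depth': 14,
        },
        {
            'action': 'update',
            'resolves': [
                {'id': 1067407, 'path': 'axios>follow-redirects', 'dev': False, 'optional': False, 'bundled': False},
                {'id': 1067407, 'path': 'localtunnel>axios>follow-redirects', 'dev': False, 'optional': False, 'bundled': False},
                {'id': 1067407, 'path': 'react-scripts>webpack-dev-server>http-proxy-middleware>http-proxy>follow-redirects', 'dev': False, 'optional': False, 'bundled': False},
                {'id': 1067459, 'path': 'axios>follow-redirects', 'dev': False, 'optional': False, 'bundled': False},
                {'id': 1067459, 'path': 'localtunnel>axios>follow-redirects', 'dev': False, 'optional': False, 'bundled': False},
                {'id': 1067459, 'path': 'react-scripts>webpack-dev-server>http-proxy-middleware>http-proxy>follow-redirects', 'dev': False, 'optional': False, 'bundled': False},
            ],
            'module': 'follow-redirects',
            'target': '1.15.1',
            'depth': 5,
        },
        {
            # Six node-forge advisories are all fixed by bumping the parent
            # (webpack-dev-server) rather than node-forge itself.
            'action': 'update',
            'resolves': [
                {'id': 1067452, 'path': 'react-scripts>webpack-dev-server>selfsigned>node-forge', 'dev': False, 'optional': False, 'bundled': False},
                {'id': 1067471, 'path': 'react-scripts>webpack-dev-server>selfsigned>node-forge', 'dev': False, 'optional': False, 'bundled': False},
                {'id': 1070354, 'path': 'react-scripts>webpack-dev-server>selfsigned>node-forge', 'dev': False, 'optional': False, 'bundled': False},
                {'id': 1070355, 'path': 'react-scripts>webpack-dev-server>selfsigned>node-forge', 'dev': False, 'optional': False, 'bundled': False},
                {'id': 1070356, 'path': 'react-scripts>webpack-dev-server>selfsigned>node-forge', 'dev': False, 'optional': False, 'bundled': False},
                {'id': 1081840, 'path': 'react-scripts>webpack-dev-server>selfsigned>node-forge', 'dev': False, 'optional': False, 'bundled': False},
            ],
            'module': 'webpack-dev-server',
            'target': '4.9.3',
            'depth': 2,
        },
        {
            'action': 'update',
            'resolves': [
                {'id': 1070412, 'path': 'react-scripts>workbox-webpack-plugin>workbox-build>@surma/rollup-plugin-off-main-thread>ejs', 'dev': False, 'optional': False, 'bundled': False},
            ],
            'module': 'ejs',
            'target': '3.1.8',
            'depth': 5,
        },
        {
            'action': 'update',
            'resolves': [
                {'id': 1070440, 'path': 'react-scripts>webpack-dev-server>portfinder>async', 'dev': False, 'optional': False, 'bundled': False},
            ],
            'module': 'async',
            'target': '2.6.4',
            'depth': 4,
        },
        {
            'action': 'update',
            'resolves': [
                {'id': 1081481, 'path': 'react-scripts>postcss>nanoid', 'dev': False, 'optional': False, 'bundled': False},
                {'id': 1081481, 'path': 'react-scripts>css-loader>postcss>nanoid', 'dev': False, 'optional': False, 'bundled': False},
                {'id': 1081481, 'path': 'react-scripts>tailwindcss>postcss-js>postcss>nanoid', 'dev': False, 'optional': False, 'bundled': False},
            ],
            'module': 'nanoid',
            'target': '3.3.4',
            'depth': 5,
        },
        {
            'action': 'update',
            'resolves': [
                {'id': 1081698, 'path': 'react-scripts>terser-webpack-plugin>terser', 'dev': False, 'optional': False, 'bundled': False},
                {'id': 1081698, 'path': 'react-scripts>html-webpack-plugin>html-minifier-terser>terser', 'dev': False, 'optional': False, 'bundled': False},
                {'id': 1081698, 'path': 'react-scripts>workbox-webpack-plugin>workbox-build>rollup-plugin-terser>terser', 'dev': False, 'optional': False, 'bundled': False},
            ],
            'module': 'terser',
            'target': '5.14.2',
            'depth': 5,
        },
        # `review` actions: no `target`, nothing for `npm audit fix` to do.
        {
            'action': 'review',
            'module': 'nth-check',
            'resolves': [
                {'id': 1070415, 'path': 'react-scripts>@svgr/webpack>@svgr/plugin-svgo>svgo>css-select>nth-check', 'dev': False, 'optional': False, 'bundled': False},
            ],
        },
        {
            'action': 'review',
            'module': 'got',
            'resolves': [
                {'id': 1080920, 'path': 'package.json>package-json>got', 'dev': False, 'optional': False, 'bundled': False},
            ],
        },
        {
            'action': 'review',
            'module': 'parse-url',
            'resolves': [
                {'id': 1080970, 'path': 'package.json>git-source>git-url-parse>git-up>parse-url', 'dev': False, 'optional': False, 'bundled': False},
                {'id': 1080971, 'path': 'package.json>git-source>git-url-parse>git-up>parse-url', 'dev': False, 'optional': False, 'bundled': False},
                {'id': 1080972, 'path': 'package.json>git-source>git-url-parse>git-up>parse-url', 'dev': False, 'optional': False, 'bundled': False},
                {'id': 1080973, 'path': 'package.json>git-source>git-url-parse>git-up>parse-url', 'dev': False, 'optional': False, 'bundled': False},
            ],
        },
    ],
    # Keyed by the string form of the advisory `id`; key order preserved from
    # the audit output.
    'advisories': {
        '1067342': {
            'findings': [
                {
                    'version': '1.2.5',
                    'paths': [
                        'react-scripts>@babel/core>json5>minimist',
                        'package.json>package-json>registry-auth-token>rc>minimist',
                        'react-scripts>@svgr/webpack>@svgr/plugin-jsx>@babel/core>json5>minimist',
                        'react-scripts>@svgr/webpack>@svgr/core>@svgr/plugin-jsx>@babel/core>json5>minimist',
                        'react-scripts>jest>@jest/core>@jest/reporters>@jest/transform>@babel/core>json5>minimist',
                        'react-scripts>jest>@jest/core>jest-config>babel-jest>@jest/transform>@babel/core>json5>minimist',
                        'react-scripts>jest>jest-cli>@jest/core>jest-config>babel-jest>@jest/transform>@babel/core>json5>minimist',
                        'react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/transform>@babel/core>json5>minimist',
                        'react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>jest-snapshot>@jest/transform>@babel/core>json5>minimist',
                        'react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/transform>babel-plugin-istanbul>istanbul-lib-instrument>@babel/core>json5>minimist',
                        'react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>jest-snapshot>@jest/transform>babel-plugin-istanbul>istanbul-lib-instrument>@babel/core>json5>minimist',
                    ],
                },
            ],
            'metadata': None,
            'vulnerable_versions': '<1.2.6',
            'module_name': 'minimist',
            'severity': 'critical',
            'github_advisory_id': 'GHSA-xvch-5gv4-984h',
            'cves': ['CVE-2021-44906'],
            'access': 'public',
            'patched_versions': '>=1.2.6',
            # Restored: source had 'CVSS: 3.1/...' (stray space).
            'cvss': {'score': 9.8, 'vectorString': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'},
            # Restored: source had '2022-04-04T21: 39: 39.000Z' (not ISO 8601).
            'updated': '2022-04-04T21:39:39.000Z',
            'recommendation': 'Upgrade to version 1.2.6 or later',
            'cwe': ['CWE-1321'],
            'found_by': None,
            'deleted': None,
            'id': 1067342,
            # Restored: first URL read 'https: //nvd.nist.gov/...'.
            'references': '- https://nvd.nist.gov/vuln/detail/CVE-2021-44906\n- https://github.com/substack/minimist/issues/164\n- https://github.com/substack/minimist/blob/master/index.js#L69\n- https://snyk.io/vuln/SNYK-JS-MINIMIST-559764\n- https://stackoverflow.com/questions/8588563/adding-custom-properties-to-a-function/20278068#20278068\n- https://github.com/Marynk/JavaScript-vulnerability-detection/blob/main/minimist%20PoC.zip\n- https://github.com/advisories/GHSA-xvch-5gv4-984h',
            'created': '2022-03-18T00:01:09.000Z',
            'reported_by': None,
            'title': 'Prototype Pollution in minimist',
            'npm_advisory_id': None,
            'overview': 'Minimist <=1.2.5 is vulnerable to Prototype Pollution via file index.js, function setKey() (lines 69-95).',
            'url': 'https://github.com/advisories/GHSA-xvch-5gv4-984h',
        },
        '1067407': {
            'findings': [
                {
                    'version': '1.14.1',
                    'paths': [
                        'axios>follow-redirects',
                        'localtunnel>axios>follow-redirects',
                        'react-scripts>webpack-dev-server>http-proxy-middleware>http-proxy>follow-redirects',
                    ],
                },
            ],
            'metadata': None,
            'vulnerable_versions': '<1.14.8',
            'module_name': 'follow-redirects',
            'severity': 'moderate',
            'github_advisory_id': 'GHSA-pw2r-vq6v-hr8c',
            'cves': ['CVE-2022-0536'],
            'access': 'public',
            'patched_versions': '>=1.14.8',
            'cvss': {'score': 5.9, 'vectorString': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N'},
            'updated': '2022-02-14T22:27:57.000Z',
            'recommendation': 'Upgrade to version 1.14.8 or later',
            'cwe': ['CWE-200'],
            'found_by': None,
            'deleted': None,
            'id': 1067407,
            'references': '- https://nvd.nist.gov/vuln/detail/CVE-2022-0536\n- https://github.com/follow-redirects/follow-redirects/commit/62e546a99c07c3ee5e4e0718c84a6ca127c5c445\n- https://huntr.dev/bounties/7cf2bf90-52da-4d59-8028-a73b132de0db\n- https://github.com/advisories/GHSA-pw2r-vq6v-hr8c',
            'created': '2022-02-10T00:00:31.000Z',
            'reported_by': None,
            'title': 'Exposure of Sensitive Information to an Unauthorized Actor in follow-redirects',
            'npm_advisory_id': None,
            'overview': 'Exposure of Sensitive Information to an Unauthorized Actor in NPM follow-redirects prior to 1.14.8.',
            'url': 'https://github.com/advisories/GHSA-pw2r-vq6v-hr8c',
        },
        '1067452': {
            'findings': [{'version': '0.10.0', 'paths': ['react-scripts>webpack-dev-server>selfsigned>node-forge']}],
            'metadata': None,
            'vulnerable_versions': '<1.0.0',
            'module_name': 'node-forge',
            'severity': 'moderate',
            'github_advisory_id': 'GHSA-8fr3-hfg3-gpgp',
            'cves': ['CVE-2022-0122'],
            'access': 'public',
            'patched_versions': '>=1.0.0',
            # score 0 / vectorString None: no CVSS assigned, severity still 'moderate'.
            'cvss': {'score': 0, 'vectorString': None},
            'updated': '2022-01-21T23:36:19.000Z',
            'recommendation': 'Upgrade to version 1.0.0 or later',
            'cwe': ['CWE-601'],
            'found_by': None,
            'deleted': None,
            'id': 1067452,
            'references': '- https://nvd.nist.gov/vuln/detail/CVE-2022-0122\n- https://github.com/digitalbazaar/forge/commit/db8016c805371e72b06d8e2edfe0ace0df934a5e\n- https://huntr.dev/bounties/41852c50-3c6d-4703-8c55-4db27164a4ae\n- https://github.com/advisories/GHSA-8fr3-hfg3-gpgp',
            'created': '2022-01-21T23:36:19.000Z',
            'reported_by': None,
            'title': 'Open Redirect in node-forge',
            'npm_advisory_id': None,
            'overview': 'parseUrl functionality in node-forge mishandles certain uses of backslash such as https:/\\/\\/\\ and interprets the URI as a relative path. ',
            'url': 'https://github.com/advisories/GHSA-8fr3-hfg3-gpgp',
        },
        '1067459': {
            'findings': [
                {
                    'version': '1.14.1',
                    'paths': [
                        'axios>follow-redirects',
                        'localtunnel>axios>follow-redirects',
                        'react-scripts>webpack-dev-server>http-proxy-middleware>http-proxy>follow-redirects',
                    ],
                },
            ],
            'metadata': None,
            'vulnerable_versions': '<1.14.7',
            'module_name': 'follow-redirects',
            'severity': 'high',
            'github_advisory_id': 'GHSA-74fj-2j2h-c42q',
            'cves': ['CVE-2022-0155'],
            'access': 'public',
            'patched_versions': '>=1.14.7',
            'cvss': {'score': 8, 'vectorString': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H'},
            'updated': '2022-01-20T15:34:49.000Z',
            'recommendation': 'Upgrade to version 1.14.7 or later',
            'cwe': ['CWE-359'],
            'found_by': None,
            'deleted': None,
            'id': 1067459,
            'references': '- https://nvd.nist.gov/vuln/detail/CVE-2022-0155\n- https://github.com/follow-redirects/follow-redirects/commit/8b347cbcef7c7b72a6e9be20f5710c17d6163c22\n- https://huntr.dev/bounties/fc524e4b-ebb6-427d-ab67-a64181020406\n- https://github.com/advisories/GHSA-74fj-2j2h-c42q',
            'created': '2022-01-12T22:46:26.000Z',
            'reported_by': None,
            'title': 'Exposure of sensitive information in follow-redirects',
            'npm_advisory_id': None,
            'overview': 'follow-redirects is vulnerable to Exposure of Private Personal Information to an Unauthorized Actor',
            'url': 'https://github.com/advisories/GHSA-74fj-2j2h-c42q',
        },
        '1067471': {
            'findings': [{'version': '0.10.0', 'paths': ['react-scripts>webpack-dev-server>selfsigned>node-forge']}],
            'metadata': None,
            'vulnerable_versions': '<1.0.0',
            'module_name': 'node-forge',
            'severity': 'low',
            'github_advisory_id': 'GHSA-5rrq-pxf6-6jx5',
            'cves': [],
            'access': 'public',
            'patched_versions': '>=1.0.0',
            'cvss': {'score': 0, 'vectorString': None},
            'updated': '2022-01-08T00:22:42.000Z',
            'recommendation': 'Upgrade to version 1.0.0 or later',
            'cwe': ['CWE-1321'],
            'found_by': None,
            'deleted': None,
            'id': 1067471,
            'references': '- https://github.com/digitalbazaar/forge/security/advisories/GHSA-5rrq-pxf6-6jx5\n- https://github.com/advisories/GHSA-5rrq-pxf6-6jx5',
            'created': '2022-01-08T00:22:42.000Z',
            'reported_by': None,
            'title': 'Prototype Pollution in node-forge debug API.',
            'npm_advisory_id': None,
            'overview': "### Impact\nThe `forge.debug` API had a potential prototype pollution issue if called with untrusted input. The API was only used for internal debug purposes in a safe way and never documented or advertised. It is suspected that uses of this API, if any exist, would likely not have used untrusted inputs in a vulnerable way.\n\n### Patches\nThe `forge.debug` API and related functions were removed in 1.0.0.\n\n### Workarounds\nDon't use the `forge.debug` API directly or indirectly with untrusted input.\n\n### References\n- https://www.huntr.dev/bounties/1-npm-node-forge/\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue in [forge](https://github.com/digitalbazaar/forge).\n* Email us at support@digitalbazaar.com.",
            'url': 'https://github.com/advisories/GHSA-5rrq-pxf6-6jx5',
        },
        '1070354': {
            'findings': [{'version': '0.10.0', 'paths': ['react-scripts>webpack-dev-server>selfsigned>node-forge']}],
            'metadata': None,
            'vulnerable_versions': '<1.3.0',
            'module_name': 'node-forge',
            'severity': 'moderate',
            'github_advisory_id': 'GHSA-2r2c-g63r-vccr',
            'cves': ['CVE-2022-24773'],
            'access': 'public',
            'patched_versions': '>=1.3.0',
            'cvss': {'score': 5.3, 'vectorString': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'},
            'updated': '2022-05-13T18:50:27.000Z',
            'recommendation': 'Upgrade to version 1.3.0 or later',
            'cwe': ['CWE-347'],
            'found_by': None,
            'deleted': None,
            'id': 1070354,
            'references': '- https://github.com/digitalbazaar/forge/security/advisories/GHSA-2r2c-g63r-vccr\n- https://nvd.nist.gov/vuln/detail/CVE-2022-24773\n- https://github.com/digitalbazaar/forge/commit/3f0b49a0573ef1bb7af7f5673c0cfebf00424df1\n- https://github.com/digitalbazaar/forge/commit/bb822c02df0b61211836472e29b9790cc541cdb2\n- https://github.com/advisories/GHSA-2r2c-g63r-vccr',
            'created': '2022-03-18T23:10:48.000Z',
            'reported_by': None,
            'title': 'Improper Verification of Cryptographic Signature in `node-forge`',
            'npm_advisory_id': None,
            'overview': '### Impact\n\nRSA PKCS#1 v1.5 signature verification code is not properly checking `DigestInfo` for a proper ASN.1 structure. This can lead to successful verification with signatures that contain invalid structures but a valid digest.\n\n### Patches\n\nThe issue has been addressed in `node-forge` `1.3.0`.\n\n### For more information\n\nIf you have any questions or comments about this advisory:\n* Open an issue in [forge](https://github.com/digitalbazaar/forge)\n* Email us at [example email address](mailto:security@digitalbazaar.com)',
            'url': 'https://github.com/advisories/GHSA-2r2c-g63r-vccr',
        },
        '1070355': {
            'findings': [{'version': '0.10.0', 'paths': ['react-scripts>webpack-dev-server>selfsigned>node-forge']}],
            'metadata': None,
            'vulnerable_versions': '<1.3.0',
            'module_name': 'node-forge',
            'severity': 'high',
            'github_advisory_id': 'GHSA-x4jg-mjrx-434g',
            'cves': ['CVE-2022-24772'],
            'access': 'public',
            'patched_versions': '>=1.3.0',
            'cvss': {'score': 7.5, 'vectorString': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N'},
            'updated': '2022-05-13T18:50:27.000Z',
            'recommendation': 'Upgrade to version 1.3.0 or later',
            'cwe': ['CWE-347'],
            'found_by': None,
            'deleted': None,
            'id': 1070355,
            'references': '- https://github.com/digitalbazaar/forge/security/advisories/GHSA-x4jg-mjrx-434g\n- https://nvd.nist.gov/vuln/detail/CVE-2022-24772\n- https://github.com/digitalbazaar/forge/commit/3f0b49a0573ef1bb7af7f5673c0cfebf00424df1\n- https://github.com/digitalbazaar/forge/commit/bb822c02df0b61211836472e29b9790cc541cdb2\n- https://github.com/advisories/GHSA-x4jg-mjrx-434g',
            'created': '2022-03-18T23:10:28.000Z',
            'reported_by': None,
            'title': 'Improper Verification of Cryptographic Signature in node-forge',
            'npm_advisory_id': None,
            'overview': '### Impact\n\nRSA PKCS#1 v1.5 signature verification code does not check for tailing garbage bytes after decoding a `DigestInfo` ASN.1 structure. This can allow padding bytes to be removed and garbage data added to forge a signature when a low public exponent is being used.\n\n### Patches\n\nThe issue has been addressed in `node-forge` `1.3.0`.\n\n### References\n\nFor more information, please see\n["Bleichenbacher\'s RSA signature forgery based on implementation error"](https://mailarchive.ietf.org/arch/msg/openpgp/5rnE9ZRN1AokBVj3VqblGlP63QE/)\nby Hal Finney.\n\n### For more information\n\nIf you have any questions or comments about this advisory:\n* Open an issue in [forge](https://github.com/digitalbazaar/forge)\n* Email us at [example email address](mailto:security@digitalbazaar.com)',
            'url': 'https://github.com/advisories/GHSA-x4jg-mjrx-434g',
        },
        '1070356': {
            'findings': [{'version': '0.10.0', 'paths': ['react-scripts>webpack-dev-server>selfsigned>node-forge']}],
            'metadata': None,
            'vulnerable_versions': '<1.3.0',
            'module_name': 'node-forge',
            'severity': 'high',
            'github_advisory_id': 'GHSA-cfm4-qjh2-4765',
            'cves': ['CVE-2022-24771'],
            'access': 'public',
            'patched_versions': '>=1.3.0',
            'cvss': {'score': 7.5, 'vectorString': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N'},
            'updated': '2022-05-13T18:50:27.000Z',
            'recommendation': 'Upgrade to version 1.3.0 or later',
            'cwe': ['CWE-347'],
            'found_by': None,
            'deleted': None,
            'id': 1070356,
            'references': '- https://github.com/digitalbazaar/forge/security/advisories/GHSA-cfm4-qjh2-4765\n- https://nvd.nist.gov/vuln/detail/CVE-2022-24771\n- https://github.com/digitalbazaar/forge/commit/3f0b49a0573ef1bb7af7f5673c0cfebf00424df1\n- https://github.com/digitalbazaar/forge/commit/bb822c02df0b61211836472e29b9790cc541cdb2\n- https://github.com/advisories/GHSA-cfm4-qjh2-4765',
            'created': '2022-03-18T23:09:54.000Z',
            'reported_by': None,
            'title': 'Improper Verification of Cryptographic Signature in node-forge',
            'npm_advisory_id': None,
            'overview': '### Impact\n\nRSA PKCS#1 v1.5 signature verification code is lenient in checking the digest algorithm structure. This can allow a crafted structure that steals padding bytes and uses unchecked portion of the PKCS#1 encoded message to forge a signature when a low public exponent is being used.\n\n### Patches\n\nThe issue has been addressed in `node-forge` `1.3.0`.\n\n### References\n\nFor more information, please see\n["Bleichenbacher\'s RSA signature forgery based on implementation error"](https://mailarchive.ietf.org/arch/msg/openpgp/5rnE9ZRN1AokBVj3VqblGlP63QE/)\nby Hal Finney.\n\n### For more information\n\nIf you have any questions or comments about this advisory:\n* Open an issue in [forge](https://github.com/digitalbazaar/forge)\n* Email us at [example email address](mailto:security@digitalbazaar.com)',
            'url': 'https://github.com/advisories/GHSA-cfm4-qjh2-4765',
        },
        '1070412': {
            'findings': [{'version': '3.1.6', 'paths': ['react-scripts>workbox-webpack-plugin>workbox-build>@surma/rollup-plugin-off-main-thread>ejs']}],
            'metadata': None,
            'vulnerable_versions': '<3.1.7',
            'module_name': 'ejs',
            'severity': 'critical',
            'github_advisory_id': 'GHSA-phwq-j96m-2c2q',
            'cves': ['CVE-2022-29078'],
            'access': 'public',
            'patched_versions': '>=3.1.7',
            'cvss': {'score': 9.8, 'vectorString': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'},
            'updated': '2022-05-26T19:38:41.000Z',
            'recommendation': 'Upgrade to version 3.1.7 or later',
            'cwe': ['CWE-74'],
            'found_by': None,
            'deleted': None,
            'id': 1070412,
            'references': '- https://nvd.nist.gov/vuln/detail/CVE-2022-29078\n- https://eslam.io/posts/ejs-server-side-template-injection-rce/\n- https://github.com/mde/ejs/commit/15ee698583c98dadc456639d6245580d17a24baf\n- https://github.com/mde/ejs/releases\n- https://github.com/advisories/GHSA-phwq-j96m-2c2q',
            'created': '2022-04-26T00:00:40.000Z',
            'reported_by': None,
            'title': 'Template injection in ejs',
            'npm_advisory_id': None,
            'overview': 'The ejs (aka Embedded JavaScript templates) package 3.1.6 for Node.js allows server-side template injection in settings[view options][outputFunctionName]. This is parsed as an internal option, and overwrites the outputFunctionName option with an arbitrary OS command (which is executed upon template compilation).',
            'url': 'https://github.com/advisories/GHSA-phwq-j96m-2c2q',
        },
        '1070415': {
            'findings': [{'version': '1.0.2', 'paths': ['react-scripts>@svgr/webpack>@svgr/plugin-svgo>svgo>css-select>nth-check']}],
            'metadata': None,
            'vulnerable_versions': '<2.0.1',
            'module_name': 'nth-check',
            'severity': 'high',
            'github_advisory_id': 'GHSA-rp65-9cf3-cjxr',
            'cves': ['CVE-2021-3803'],
            'access': 'public',
            'patched_versions': '>=2.0.1',
            'cvss': {'score': 7.5, 'vectorString': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'},
            'updated': '2022-05-26T19:57:03.000Z',
            'recommendation': 'Upgrade to version 2.0.1 or later',
            'cwe': ['CWE-1333'],
            'found_by': None,
            'deleted': None,
            'id': 1070415,
            'references': '- https://nvd.nist.gov/vuln/detail/CVE-2021-3803\n- https://github.com/fb55/nth-check/commit/9894c1d2010870c351f66c6f6efcf656e26bb726\n- https://huntr.dev/bounties/8cf8cc06-d2cf-4b4e-b42c-99fafb0b04d0\n- https://github.com/advisories/GHSA-rp65-9cf3-cjxr',
            'created': '2021-09-20T20:47:31.000Z',
            'reported_by': None,
            'title': 'Inefficient Regular Expression Complexity in nth-check',
            'npm_advisory_id': None,
            'overview': 'nth-check is vulnerable to Inefficient Regular Expression Complexity',
            'url': 'https://github.com/advisories/GHSA-rp65-9cf3-cjxr',
        },
        '1070440': {
            'findings': [{'version': '2.6.3', 'paths': ['react-scripts>webpack-dev-server>portfinder>async']}],
            'metadata': None,
            'vulnerable_versions': '>=2.0.0 <2.6.4',
            'module_name': 'async',
            'severity': 'high',
            'github_advisory_id': 'GHSA-fwr7-v2mv-hh25',
            'cves': ['CVE-2021-43138'],
            'access': 'public',
            'patched_versions': '>=2.6.4',
            'cvss': {'score': 7.8, 'vectorString': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'},
            'updated': '2022-06-02T17:28:57.000Z',
            'recommendation': 'Upgrade to version 2.6.4 or later',
            'cwe': ['CWE-1321'],
            'found_by': None,
            'deleted': None,
            'id': 1070440,
            'references': '- https://nvd.nist.gov/vuln/detail/CVE-2021-43138\n- https://github.com/caolan/async/commit/e1ecdbf79264f9ab488c7799f4c76996d5dca66d\n- https://github.com/caolan/async/blob/master/lib/internal/iterator.js\n- https://github.com/caolan/async/blob/master/lib/mapValuesLimit.js\n- https://jsfiddle.net/oz5twjd9/\n- https://github.com/caolan/async/pull/1828\n- https://github.com/caolan/async/commit/8f7f90342a6571ba1c197d747ebed30c368096d2\n- https://github.com/caolan/async/blob/v2.6.4/CHANGELOG.md#v264\n- https://github.com/advisories/GHSA-fwr7-v2mv-hh25',
            'created': '2022-04-07T00:00:17.000Z',
            'reported_by': None,
            'title': 'Prototype Pollution in async',
            'npm_advisory_id': None,
            'overview': 'A vulnerability exists in Async through 3.2.1 for 3.x and through 2.6.3 for 2.x (fixed in 3.2.2 and 2.6.4), which could let a malicious user obtain privileges via the `mapValues()` method.',
            'url': 'https://github.com/advisories/GHSA-fwr7-v2mv-hh25',
        },
        '1080920': {
            'findings': [{'version': '5.6.0', 'paths': ['package.json>package-json>got']}],
            'metadata': None,
            'vulnerable_versions': '<11.8.5',
            'module_name': 'got',
            'severity': 'moderate',
            'github_advisory_id': 'GHSA-pfrx-2q88-qq97',
            'cves': ['CVE-2022-33987'],
            'access': 'public',
            'patched_versions': '>=11.8.5',
            'cvss': {'score': 5.3, 'vectorString': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'},
            'updated': '2022-07-05T21:24:52.000Z',
            'recommendation': 'Upgrade to version 11.8.5 or later',
            'cwe': [],
            'found_by': None,
            'deleted': None,
            'id': 1080920,
            'references': '- https://nvd.nist.gov/vuln/detail/CVE-2022-33987\n- https://github.com/sindresorhus/got/pull/2047\n- https://github.com/sindresorhus/got/compare/v12.0.3...v12.1.0\n- https://github.com/sindresorhus/got/commit/861ccd9ac2237df762a9e2beed7edd88c60782dc\n- https://github.com/sindresorhus/got/releases/tag/v11.8.5\n- https://github.com/sindresorhus/got/releases/tag/v12.1.0\n- https://github.com/advisories/GHSA-pfrx-2q88-qq97',
            'created': '2022-06-19T00:00:21.000Z',
            'reported_by': None,
            'title': 'Got allows a redirect to a UNIX socket',
            'npm_advisory_id': None,
            'overview': 'The got package before 11.8.5 and 12.1.0 for Node.js allows a redirect to a UNIX socket.',
            'url': 'https://github.com/advisories/GHSA-pfrx-2q88-qq97',
        },
        '1080970': {
            'findings': [{'version': '1.3.11', 'paths': ['package.json>git-source>git-url-parse>git-up>parse-url']}],
            'metadata': None,
            'vulnerable_versions': '<6.0.1',
            'module_name': 'parse-url',
            'severity': 'moderate',
            'github_advisory_id': 'GHSA-q6wq-5p59-983w',
            'cves': ['CVE-2022-2217'],
            'access': 'public',
            'patched_versions': '>=6.0.1',
            'cvss': {'score': 6.1, 'vectorString': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'},
            'updated': '2022-07-07T17:15:33.000Z',
            'recommendation': 'Upgrade to version 6.0.1 or later',
            'cwe': ['CWE-79'],
            'found_by': None,
            'deleted': None,
            'id': 1080970,
            'references': '- https://nvd.nist.gov/vuln/detail/CVE-2022-2217\n- https://github.com/ionicabizau/parse-url/commit/21c72ab9412228eea753e2abc48f8962707b1fe3\n- https://huntr.dev/bounties/4e046c63-b1ca-4bcc-b418-29796918a71b\n- https://github.com/advisories/GHSA-q6wq-5p59-983w',
            'created': '2022-06-28T00:01:02.000Z',
            'reported_by': None,
            'title': 'Cross site scripting in parse-url',
            'npm_advisory_id': None,
            'overview': 'Cross-site Scripting (XSS) - Generic in GitHub repository ionicabizau/parse-url prior to 6.0.1',
            'url': 'https://github.com/advisories/GHSA-q6wq-5p59-983w',
        },
        '1080971': {
            'findings': [{'version': '1.3.11', 'paths': ['package.json>git-source>git-url-parse>git-up>parse-url']}],
            'metadata': None,
            'vulnerable_versions': '<6.0.1',
            'module_name': 'parse-url',
            'severity': 'critical',
            'github_advisory_id': 'GHSA-7f3x-x4pr-wqhj',
            'cves': ['CVE-2022-2216'],
            'access': 'public',
            'patched_versions': '>=6.0.1',
            'cvss': {'score': 9.8, 'vectorString': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'},
            'updated': '2022-07-07T17:15:42.000Z',
            'recommendation': 'Upgrade to version 6.0.1 or later',
            'cwe': ['CWE-918'],
            'found_by': None,
            'deleted': None,
            'id': 1080971,
            'references': '- https://nvd.nist.gov/vuln/detail/CVE-2022-2216\n- https://github.com/ionicabizau/parse-url/commit/21c72ab9412228eea753e2abc48f8962707b1fe3\n- https://huntr.dev/bounties/505a3d39-2723-4a06-b1f7-9b2d133c92e1\n- https://github.com/advisories/GHSA-7f3x-x4pr-wqhj',
            'created': '2022-06-28T00:01:02.000Z',
            'reported_by': None,
            'title': 'Server-Side Request Forgery in parse-url',
            'npm_advisory_id': None,
            # NOTE(review): upstream text says 7.0.0, `patched_versions` says >=6.0.1.
            'overview': 'Server-Side Request Forgery (SSRF) in GitHub repository ionicabizau/parse-url prior to 7.0.0.',
            'url': 'https://github.com/advisories/GHSA-7f3x-x4pr-wqhj',
        },
        '1080972': {
            'findings': [{'version': '1.3.11', 'paths': ['package.json>git-source>git-url-parse>git-up>parse-url']}],
            'metadata': None,
            'vulnerable_versions': '<6.0.1',
            'module_name': 'parse-url',
            'severity': 'moderate',
            'github_advisory_id': 'GHSA-jpp7-7chh-cf67',
            'cves': ['CVE-2022-2218'],
            'access': 'public',
            'patched_versions': '>=6.0.1',
            'cvss': {'score': 6.1, 'vectorString': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'},
            'updated': '2022-07-07T17:16:00.000Z',
            'recommendation': 'Upgrade to version 6.0.1 or later',
            'cwe': ['CWE-79'],
            'found_by': None,
            'deleted': None,
            'id': 1080972,
            'references': '- https://nvd.nist.gov/vuln/detail/CVE-2022-2218\n- https://github.com/ionicabizau/parse-url/commit/21c72ab9412228eea753e2abc48f8962707b1fe3\n- https://huntr.dev/bounties/024912d3-f103-4daf-a1d0-567f4d9f2bf5\n- https://github.com/advisories/GHSA-jpp7-7chh-cf67',
            'created': '2022-06-28T00:01:01.000Z',
            'reported_by': None,
            'title': 'Cross site scripting in parse-url',
            'npm_advisory_id': None,
            'overview': 'Cross-site Scripting (XSS) - Stored in GitHub repository ionicabizau/parse-url prior to 7.0.0.',
            'url': 'https://github.com/advisories/GHSA-jpp7-7chh-cf67',
        },
        '1080973': {
            'findings': [{'version': '1.3.11', 'paths': ['package.json>git-source>git-url-parse>git-up>parse-url']}],
            'metadata': None,
            'vulnerable_versions': '<6.0.1',
            'module_name': 'parse-url',
            'severity': 'high',
            'github_advisory_id': 'GHSA-4p35-cfcx-8653',
            'cves': ['CVE-2022-0722'],
            'access': 'public',
            'patched_versions': '>=6.0.1',
            'cvss': {'score': 7.5, 'vectorString': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'},
            'updated': '2022-07-07T17:15:51.000Z',
            'recommendation': 'Upgrade to version 6.0.1 or later',
            'cwe': ['CWE-200'],
            'found_by': None,
            'deleted': None,
            'id': 1080973,
            'references': '- https://nvd.nist.gov/vuln/detail/CVE-2022-0722\n- https://github.com/ionicabizau/parse-url/commit/21c72ab9412228eea753e2abc48f8962707b1fe3\n- https://huntr.dev/bounties/2490ef6d-5577-4714-a4dd-9608251b4226\n- https://github.com/advisories/GHSA-4p35-cfcx-8653',
            'created': '2022-06-28T00:01:01.000Z',
            'reported_by': None,
            'title': 'Hostname confusion in parse-url',
            'npm_advisory_id': None,
            'overview': 'Exposure of Sensitive Information to an Unauthorized Actor via hostname confusion in GitHub repository ionicabizau/parse-url prior to 6.0.1',
            'url': 'https://github.com/advisories/GHSA-4p35-cfcx-8653',
        },
        '1081481': {
            'findings': [
                {
                    'version': '3.1.30',
                    'paths': [
                        'react-scripts>postcss>nanoid',
                        'react-scripts>css-loader>postcss>nanoid',
                        'react-scripts>tailwindcss>postcss-js>postcss>nanoid',
                    ],
                },
            ],
            'metadata': None,
            'vulnerable_versions': '>=3.0.0 <3.1.31',
            'module_name': 'nanoid',
            'severity': 'moderate',
            'github_advisory_id': 'GHSA-qrpm-p2h7-hrv2',
            'cves': ['CVE-2021-23566'],
            'access': 'public',
            'patched_versions': '>=3.1.31',
            'cvss': {'score': 5.5, 'vectorString': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'},
            'updated': '2022-03-18T13:15:56.000Z',
            'recommendation': 'Upgrade to version 3.1.31 or later',
            'cwe': ['CWE-200'],
            'found_by': None,
            'deleted': None,
            'id': 1081481,
            'references': '- https://nvd.nist.gov/vuln/detail/CVE-2021-23566\n- https://github.com/ai/nanoid/pull/328\n- https://github.com/ai/nanoid/commit/2b7bd9332bc49b6330c7ddb08e5c661833db2575\n- https://gist.github.com/artalar/bc6d1eb9a3477d15d2772e876169a444\n- https://snyk.io/vuln/SNYK-JS-NANOID-2332193\n- https://github.com/advisories/GHSA-qrpm-p2h7-hrv2',
            'created': '2022-01-21T23:57:06.000Z',
            'reported_by': None,
            'title': 'Exposure of Sensitive Information to an Unauthorized Actor in nanoid',
            'npm_advisory_id': None,
            'overview': 'The package nanoid from 3.0.0, before 3.1.31, are vulnerable to Information Exposure via the valueOf() function which allows to reproduce the last id generated.',
            'url': 'https://github.com/advisories/GHSA-qrpm-p2h7-hrv2',
        },
        '1081698': {
            'findings': [
                {
                    'version': '5.10.0',
                    'paths': [
                        'react-scripts>terser-webpack-plugin>terser',
                        'react-scripts>html-webpack-plugin>html-minifier-terser>terser',
                        'react-scripts>workbox-webpack-plugin>workbox-build>rollup-plugin-terser>terser',
                    ],
                },
            ],
            'metadata': None,
            'vulnerable_versions': '>=5.0.0 <5.14.2',
            'module_name': 'terser',
            'severity': 'high',
            'github_advisory_id': 'GHSA-4wf5-vphf-c2xc',
            'cves': ['CVE-2022-25858'],
            'access': 'public',
            'patched_versions': '>=5.14.2',
            'cvss': {'score': 7.5, 'vectorString': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'},
            'updated': '2022-07-22T16:30:35.000Z',
            'recommendation': 'Upgrade to version 5.14.2 or later',
            'cwe': [],
            'found_by': None,
            'deleted': None,
            'id': 1081698,
            'references': '- https://nvd.nist.gov/vuln/detail/CVE-2022-25858\n- https://github.com/terser/terser/commit/a4da7349fdc92c05094f41d33d06d8cd4e90e76b\n- https://github.com/terser/terser/commit/d8cc5691be980d663c29cc4d5ce67e852d597012\n- https://github.com/terser/terser/blob/master/lib/compress/evaluate.js%23L135\n- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-2949722\n- https://snyk.io/vuln/SNYK-JS-TERSER-2806366\n- https://github.com/advisories/GHSA-4wf5-vphf-c2xc',
            'created': '2022-07-16T00:00:20.000Z',
            'reported_by': None,
            'title': 'Terser insecure use of regular expressions before v4.8.1 and v5.14.2 leads to ReDoS',
            'npm_advisory_id': None,
            'overview': 'The package terser before 4.8.1, from 5.0.0 and before 5.14.2 are vulnerable to Regular Expression Denial of Service (ReDoS) due to insecure usage of regular expressions.',
            'url': 'https://github.com/advisories/GHSA-4wf5-vphf-c2xc',
        },
        '1081840': {
            'findings': [{'version': '0.10.0', 'paths': ['react-scripts>webpack-dev-server>selfsigned>node-forge']}],
            'metadata': None,
            'vulnerable_versions': '<1.0.0',
            'module_name': 'node-forge',
            'severity': 'low',
            'github_advisory_id': 'GHSA-gf8q-jrpm-jvxq',
            # NOTE(review): empty `cves` although `references` cites CVE-2022-0122
            # (the CVE attached to advisory 1067452) — likely the same issue.
            'cves': [],
            'access': 'public',
            'patched_versions': '>=1.0.0',
            'cvss': {'score': 0, 'vectorString': None},
            'updated': '2022-07-28T20:10:17.000Z',
            'recommendation': 'Upgrade to version 1.0.0 or later',
            'cwe': ['CWE-601'],
            'found_by': None,
            'deleted': None,
            'id': 1081840,
            'references': '- https://github.com/digitalbazaar/forge/security/advisories/GHSA-gf8q-jrpm-jvxq\n- https://nvd.nist.gov/vuln/detail/CVE-2022-0122\n- https://www.huntr.dev/bounties/41852c50-3c6d-4703-8c55-4db27164a4ae\n- https://github.com/advisories/GHSA-gf8q-jrpm-jvxq',
            'created': '2022-01-08T00:22:02.000Z',
            'reported_by': None,
            'title': 'URL parsing in node-forge could lead to undesired behavior.',
            'npm_advisory_id': None,
            'overview': '### Impact\nThe regex used for the `forge.util.parseUrl` API would not properly parse certain inputs resulting in a parsed data structure that could lead to undesired behavior.\n\n### Patches\n`forge.util.parseUrl` and other very old related URL APIs were removed in 1.0.0 in favor of letting applications use the more modern WHATWG URL Standard API.\n\n### Workarounds\nEnsure code does not directly or indirectly call `forge.util.parseUrl` with untrusted input.\n\n### References\n- https://www.huntr.dev/bounties/41852c50-3c6d-4703-8c55-4db27164a4ae/\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue in [forge](https://github.com/digitalbazaar/forge)\n* Email us at support@digitalbazaar.com\n',
            'url': 'https://github.com/advisories/GHSA-gf8q-jrpm-jvxq',
        },
    },
    'muted': [],
    # Severity totals are per dependency path (see header), not per advisory.
    'metadata': {
        'vulnerabilities': {'info': 0, 'low': 2, 'moderate': 11, 'high': 11, 'critical': 13},
        'dependencies': 1669,
        'devDependencies': 0,
        'optionalDependencies': 2,
        'totalDependencies': 1671,
    },
}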