yarn-audit-known-issues
{"actions":[],"advisories":{"1088208":{"findings":[{"version":"0.8.4","paths":["git-rev-sync>shelljs"]}],"found_by":null,"deleted":null,"references":"- https://github.com/shelljs/shelljs/security/advisories/GHSA-64g7-mvw6-v9qj\n- https://huntr.dev/bounties/50996581-c08e-4eed-a90e-c0bac082679c/\n- https://github.com/advisories/GHSA-64g7-mvw6-v9qj","created":"2022-01-14T21:09:50.000Z","id":1088208,"npm_advisory_id":null,"overview":"### Impact\nOutput from the synchronous version of `shell.exec()` may be visible to other users on the same system. You may be affected if you execute `shell.exec()` in multi-user Mac, Linux, or WSL environments, or if you execute `shell.exec()` as the root user.\n\nOther shelljs functions (including the asynchronous version of `shell.exec()`) are not impacted.\n\n### Patches\nPatched in shelljs 0.8.5\n\n### Workarounds\nRecommended action is to upgrade to 0.8.5.\n\n### References\nhttps://huntr.dev/bounties/50996581-c08e-4eed-a90e-c0bac082679c/\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Ask at https://github.com/shelljs/shelljs/issues/1058\n* Open an issue at https://github.com/shelljs/shelljs/issues/new\n","reported_by":null,"title":"Improper Privilege Management in shelljs","metadata":null,"cves":[],"access":"public","severity":"moderate","module_name":"shelljs","vulnerable_versions":"<0.8.5","github_advisory_id":"GHSA-64g7-mvw6-v9qj","recommendation":"Upgrade to version 0.8.5 or later","patched_versions":">=0.8.5","updated":"2023-01-11T05:03:39.000Z","cvss":{"score":0,"vectorString":null},"cwe":["CWE-269"],"url":"https://github.com/advisories/GHSA-64g7-mvw6-v9qj"},"1088811":{"findings":[{"version":"11.1.1","paths":["protractor-screenshot-utils>protractor>yargs>yargs-parser","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>jest-cli>yargs>yargs-parser"]}],"found_by":null,"deleted":null,"references":"- https://snyk.io/vuln/SNYK-JS-YARGSPARSER-560381\n- https://www.npmjs.com/advisories/1500\n- 
https://github.com/yargs/yargs-parser/commit/63810ca1ae1a24b08293a4d971e70e058c7a41e2\n- https://nvd.nist.gov/vuln/detail/CVE-2020-7608\n- https://github.com/yargs/yargs-parser/commit/1c417bd0b42b09c475ee881e36d292af4fa2cc36\n- https://github.com/advisories/GHSA-p9pc-299p-vxgp","created":"2020-09-04T18:00:54.000Z","id":1088811,"npm_advisory_id":null,"overview":"Affected versions of `yargs-parser` are vulnerable to prototype pollution. Arguments are not properly sanitized, allowing an attacker to modify the prototype of `Object`, causing the addition or modification of an existing property that will exist on all objects. \nParsing the argument `--foo.__proto__.bar baz'` adds a `bar` property with value `baz` to all objects. This is only exploitable if attackers have control over the arguments being passed to `yargs-parser`.\n\n\n\n## Recommendation\n\nUpgrade to versions 13.1.2, 15.0.1, 18.1.1 or later.","reported_by":null,"title":"yargs-parser Vulnerable to Prototype Pollution","metadata":null,"cves":["CVE-2020-7608"],"access":"public","severity":"moderate","module_name":"yargs-parser","vulnerable_versions":">=6.0.0 <13.1.2","github_advisory_id":"GHSA-p9pc-299p-vxgp","recommendation":"Upgrade to version 13.1.2 or later","patched_versions":">=13.1.2","updated":"2023-01-27T05:00:51.000Z","cvss":{"score":5.3,"vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L"},"cwe":["CWE-915","CWE-1321"],"url":"https://github.com/advisories/GHSA-p9pc-299p-vxgp"},"1088948":{"findings":[{"version":"6.7.1","paths":["openid-client>got","@hmcts/rpx-xui-node-lib>openid-client>got"]}],"found_by":null,"deleted":null,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2022-33987\n- https://github.com/sindresorhus/got/pull/2047\n- https://github.com/sindresorhus/got/compare/v12.0.3...v12.1.0\n- https://github.com/sindresorhus/got/commit/861ccd9ac2237df762a9e2beed7edd88c60782dc\n- https://github.com/sindresorhus/got/releases/tag/v11.8.5\n- 
https://github.com/sindresorhus/got/releases/tag/v12.1.0\n- https://github.com/advisories/GHSA-pfrx-2q88-qq97","created":"2022-06-19T00:00:21.000Z","id":1088948,"npm_advisory_id":null,"overview":"The got package before 11.8.5 and 12.1.0 for Node.js allows a redirect to a UNIX socket.","reported_by":null,"title":"Got allows a redirect to a UNIX socket","metadata":null,"cves":["CVE-2022-33987"],"access":"public","severity":"moderate","module_name":"got","vulnerable_versions":"<11.8.5","github_advisory_id":"GHSA-pfrx-2q88-qq97","recommendation":"Upgrade to version 11.8.5 or later","patched_versions":">=11.8.5","updated":"2023-01-27T05:05:01.000Z","cvss":{"score":5.3,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},"cwe":[],"url":"https://github.com/advisories/GHSA-pfrx-2q88-qq97"},"1093150":{"findings":[{"version":"0.2.5","paths":["multer>busboy>dicer"]}],"found_by":null,"deleted":null,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2022-24434\n- https://github.com/mscdex/busboy/issues/250\n- https://github.com/mscdex/dicer/pull/22\n- https://snyk.io/vuln/SNYK-JS-DICER-2311764\n- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-2838865\n- https://github.com/mscdex/dicer/commit/b7fca2e93e8e9d4439d8acc5c02f5e54a0112dac\n- https://github.com/advisories/GHSA-wm7h-9275-46v2","created":"2022-05-21T00:00:25.000Z","id":1093150,"npm_advisory_id":null,"overview":"This affects all versions of the package `dicer`. A malicious attacker can send a modified form to the server and crash the Node.js service. 
A complete denial of service can be achieved by sending the malicious form in a loop.","reported_by":null,"title":"Crash in HeaderParser in dicer","metadata":null,"cves":["CVE-2022-24434"],"access":"public","severity":"high","module_name":"dicer","vulnerable_versions":"<=0.3.1","github_advisory_id":"GHSA-wm7h-9275-46v2","recommendation":"None","patched_versions":"<0.0.0","updated":"2023-08-28T14:22:55.000Z","cvss":{"score":7.5,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},"cwe":["CWE-248"],"url":"https://github.com/advisories/GHSA-wm7h-9275-46v2"},"1093639":{"findings":[{"version":"0.4.1","paths":["passport","@hmcts/rpx-xui-node-lib>passport"]}],"found_by":null,"deleted":null,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2022-25896\n- https://github.com/jaredhanson/passport/pull/900\n- https://github.com/jaredhanson/passport/commit/7e9b9cf4d7be02428e963fc729496a45baeea608\n- https://snyk.io/vuln/SNYK-JS-PASSPORT-2840631\n- https://github.com/advisories/GHSA-v923-w3x8-wh69","created":"2022-07-02T00:00:19.000Z","id":1093639,"npm_advisory_id":null,"overview":"This affects the package passport before 0.6.0. 
When a user logs in or logs out, the session is regenerated instead of being closed.","reported_by":null,"title":"Passport vulnerable to session regeneration when a users logs in or out","metadata":null,"cves":["CVE-2022-25896"],"access":"public","severity":"moderate","module_name":"passport","vulnerable_versions":"<0.6.0","github_advisory_id":"GHSA-v923-w3x8-wh69","recommendation":"Upgrade to version 0.6.0 or later","patched_versions":">=0.6.0","updated":"2023-09-11T16:22:18.000Z","cvss":{"score":4.8,"vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:L"},"cwe":["CWE-384"],"url":"https://github.com/advisories/GHSA-v923-w3x8-wh69"},"1095126":{"findings":[{"version":"0.8.4","paths":["git-rev-sync>shelljs"]}],"found_by":null,"deleted":null,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2022-0144\n- https://github.com/shelljs/shelljs/commit/d919d22dd6de385edaa9d90313075a77f74b338c\n- https://huntr.dev/bounties/50996581-c08e-4eed-a90e-c0bac082679c\n- https://github.com/advisories/GHSA-4rq4-32rv-6wp6","created":"2022-01-21T23:37:28.000Z","id":1095126,"npm_advisory_id":null,"overview":"shelljs is vulnerable to Improper Privilege Management","reported_by":null,"title":"Improper Privilege Management in shelljs","metadata":null,"cves":["CVE-2022-0144"],"access":"public","severity":"high","module_name":"shelljs","vulnerable_versions":"<0.8.5","github_advisory_id":"GHSA-4rq4-32rv-6wp6","recommendation":"Upgrade to version 0.8.5 or later","patched_versions":">=0.8.5","updated":"2023-11-29T22:21:11.000Z","cvss":{"score":7.1,"vectorString":"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H"},"cwe":["CWE-269"],"url":"https://github.com/advisories/GHSA-4rq4-32rv-6wp6"},"1095531":{"findings":[{"version":"6.2.1","paths":["log4js"]}],"found_by":null,"deleted":null,"references":"- https://github.com/log4js-node/log4js-node/security/advisories/GHSA-82v2-mx6x-wq7q\n- https://github.com/log4js-node/log4js-node/pull/1141/commits/8042252861a1b65adb66931fdf702ead34fa9b76\n- 
https://github.com/log4js-node/streamroller/pull/87\n- https://github.com/log4js-node/log4js-node/blob/v6.4.0/CHANGELOG.md#640\n- https://nvd.nist.gov/vuln/detail/CVE-2022-21704\n- https://lists.debian.org/debian-lts-announce/2022/12/msg00014.html\n- https://github.com/advisories/GHSA-82v2-mx6x-wq7q","created":"2022-01-21T18:53:27.000Z","id":1095531,"npm_advisory_id":null,"overview":"### Impact\r\nDefault file permissions for log files created by the file, fileSync and dateFile appenders are world-readable (in unix). This could cause problems if log files contain sensitive information. This would affect any users that have not supplied their own permissions for the files via the mode parameter in the config.\r\n\r\n### Patches\r\nFixed by:\r\n* https://github.com/log4js-node/log4js-node/pull/1141\r\n* https://github.com/log4js-node/streamroller/pull/87\r\n\r\nReleased to NPM in log4js@6.4.0\r\n\r\n### Workarounds\r\nEvery version of log4js published allows passing the mode parameter to the configuration of file appenders, see the documentation for details.\r\n\r\n### References\r\n\r\nThanks to [ranjit-git](https://www.huntr.dev/users/ranjit-git) for raising the issue, and to @lamweili for fixing the problem.\r\n\r\n### For more information\r\nIf you have any questions or comments about this advisory:\r\n* Open an issue in [logj4s-node](https://github.com/log4js-node/log4js-node)\r\n* Ask a question in the [slack channel](https://join.slack.com/t/log4js-node/shared_invite/enQtODkzMDQ3MzExMDczLWUzZmY0MmI0YWI1ZjFhODY0YjI0YmU1N2U5ZTRkOTYyYzg3MjY5NWI4M2FjZThjYjdiOGM0NjU2NzBmYTJjOGI)\r\n* Email us at [gareth.nomiddlename@gmail.com](mailto:gareth.nomiddlename@gmail.com)\r\n","reported_by":null,"title":"Incorrect Default Permissions in log4js","metadata":null,"cves":["CVE-2022-21704"],"access":"public","severity":"moderate","module_name":"log4js","vulnerable_versions":"<6.4.0","github_advisory_id":"GHSA-82v2-mx6x-wq7q","recommendation":"Upgrade to version 6.4.0 or 
later","patched_versions":">=6.4.0","updated":"2024-01-24T08:54:14.000Z","cvss":{"score":5.5,"vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},"cwe":["CWE-276"],"url":"https://github.com/advisories/GHSA-82v2-mx6x-wq7q"},"1096693":{"findings":[{"version":"0.4.23","paths":["protractor-screenshot-utils>protractor>selenium-webdriver>xml2js","protractor-screenshot-utils>protractor>webdriver-js-extender>selenium-webdriver>xml2js"]}],"found_by":null,"deleted":null,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2023-0842\n- https://github.com/Leonidas-from-XIV/node-xml2js/issues/663\n- https://github.com/Leonidas-from-XIV/node-xml2js/pull/603/commits/581b19a62d88f8a3c068b5a45f4542c2d6a495a5\n- https://fluidattacks.com/advisories/myers\n- https://github.com/Leonidas-from-XIV/node-xml2js\n- https://lists.debian.org/debian-lts-announce/2024/03/msg00013.html\n- https://github.com/advisories/GHSA-776f-qx25-q3cc","created":"2023-04-05T21:30:24.000Z","id":1096693,"npm_advisory_id":null,"overview":"xml2js versions before 0.5.0 allows an external attacker to edit or add new properties to an object. 
This is possible because the application does not properly validate incoming JSON keys, thus allowing the `__proto__` property to be edited.","reported_by":null,"title":"xml2js is vulnerable to prototype pollution","metadata":null,"cves":["CVE-2023-0842"],"access":"public","severity":"moderate","module_name":"xml2js","vulnerable_versions":"<0.5.0","github_advisory_id":"GHSA-776f-qx25-q3cc","recommendation":"Upgrade to version 0.5.0 or later","patched_versions":">=0.5.0","updated":"2024-03-14T21:47:27.000Z","cvss":{"score":5.3,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},"cwe":["CWE-1321"],"url":"https://github.com/advisories/GHSA-776f-qx25-q3cc"},"1096727":{"findings":[{"version":"2.88.2","paths":["protractor-screenshot-utils>protractor>webdriver-manager>request"]}],"found_by":null,"deleted":null,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2023-28155\n- https://github.com/request/request/issues/3442\n- https://github.com/request/request/pull/3444\n- https://doyensec.com/resources/Doyensec_Advisory_RequestSSRF_Q12023.pdf\n- https://github.com/github/advisory-database/pull/2500\n- https://github.com/cypress-io/request/blob/master/lib/redirect.js#L116\n- https://github.com/request/request/blob/master/lib/redirect.js#L111\n- https://github.com/cypress-io/request/pull/28\n- https://github.com/cypress-io/request/commit/c5bcf21d40fb61feaff21a0e5a2b3934a440024f\n- https://github.com/cypress-io/request/releases/tag/v3.0.0\n- https://security.netapp.com/advisory/ntap-20230413-0007\n- https://github.com/advisories/GHSA-p8p7-x288-28g6","created":"2023-03-16T15:30:19.000Z","id":1096727,"npm_advisory_id":null,"overview":"The `request` package through 2.88.2 for Node.js and the `@cypress/request` package prior to 3.0.0 allow a bypass of SSRF mitigations via an attacker-controller server that does a cross-protocol redirect (HTTP to HTTPS, or HTTPS to HTTP).\n\nNOTE: The `request` package is no longer supported by the 
maintainer.","reported_by":null,"title":"Server-Side Request Forgery in Request","metadata":null,"cves":["CVE-2023-28155"],"access":"public","severity":"moderate","module_name":"request","vulnerable_versions":"<=2.88.2","github_advisory_id":"GHSA-p8p7-x288-28g6","recommendation":"None","patched_versions":"<0.0.0","updated":"2024-03-21T17:47:21.000Z","cvss":{"score":6.1,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},"cwe":["CWE-918"],"url":"https://github.com/advisories/GHSA-p8p7-x288-28g6"},"1096832":{"findings":[{"version":"1.28.2","paths":["openid-client>jose","@hmcts/rpx-xui-node-lib>openid-client>jose"]}],"found_by":null,"deleted":null,"references":"- https://github.com/panva/jose/security/advisories/GHSA-hhhv-q57g-882q\n- https://github.com/panva/jose/commit/02a65794f7873cdaf12e81e80ad076fcdc4a9314\n- https://github.com/panva/jose/commit/1b91d88d2f8233f3477a5f4579aa5f8057b2ee8b\n- https://nvd.nist.gov/vuln/detail/CVE-2024-28176\n- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XJDO5VSIAOGT2WP63AXAAWNRSVJCNCRH\n- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KXKGNCRU7OTM5AHC7YIYBNOWI742PRMY\n- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/I6MMWFBOXJA6ZCXNVPDFJ4XMK5PVG5RG\n- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UJO2U5ACZVACNQXJ5EBRFLFW6DP5BROY\n- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UG5FSEYJ3GP27FZXC5YAAMMEC5XWKJHG\n- https://github.com/advisories/GHSA-hhhv-q57g-882q","created":"2024-03-07T17:40:57.000Z","id":1096832,"npm_advisory_id":null,"overview":"A vulnerability has been identified in the JSON Web Encryption (JWE) decryption interfaces, specifically related to the [support for decompressing plaintext after its decryption](https://www.rfc-editor.org/rfc/rfc7516.html#section-4.1.3). 
This allows an adversary to exploit specific scenarios where the compression ratio becomes exceptionally high. As a result, the length of the JWE token, which is determined by the compressed content's size, can land below application-defined limits. In such cases, other existing application level mechanisms for preventing resource exhaustion may be rendered ineffective.\n\nNote that as per [RFC 8725](https://www.rfc-editor.org/rfc/rfc8725.html#name-avoid-compression-of-encryp) compression of data SHOULD NOT be done before encryption, because such compressed data often reveals information about the plaintext. For this reason the v5.x major version of `jose` removed support for compressed payloads entirely and is therefore NOT affected by this advisory.\n\n### Impact\n\nUnder certain conditions it is possible to have the user's environment consume unreasonable amount of CPU time or memory during JWE Decryption operations.\n\n### Affected users\n\nThe impact is limited only to Node.js users utilizing the JWE decryption APIs to decrypt JWEs from untrusted sources.\n\nYou are NOT affected if any of the following applies to you\n\n- Your code uses jose version v5.x where JWE Compression is not supported anymore\n- Your code runs in an environment other than Node.js (e.g. Deno, CF Workers), which is the only runtime where JWE Compression is implemented out of the box\n- Your code does not use the JWE decryption APIs\n- Your code only accepts JWEs produced by trusted sources\n\n### Patches\n\n`v2.0.7` and `v4.15.5` releases limit the decompression routine to only allow decompressing up to 250 kB of plaintext. In v4.x it is possible to further adjust this limit via the `inflateRaw` decryption option implementation. 
In v2.x it is possible to further adjust this limit via the `inflateRawSyncLimit` decryption option.\n\n### Workarounds\n\nIf you cannot upgrade and do not want to support compressed JWEs you may detect and reject these tokens early by checking the token's protected header\n\n```js\nconst { zip } = jose.decodeProtectedHeader(token)\nif (zip !== undefined) {\n throw new Error('JWE Compression is not supported')\n}\n```\n\nIf you wish to continue supporting JWEs with compressed payloads in these legacy release lines you must upgrade (v1.x and v2.x to version v2.0.7, v3.x and v4.x to version v4.15.5) and review the limits put forth by the patched releases.\n\n### For more information\nIf you have any questions or comments about this advisory please open a discussion in the project's [repository](https://github.com/panva/jose/discussions/new?category=q-a&title=GHSA-hhhv-q57g-882q%20advisory%20question)","reported_by":null,"title":"jose vulnerable to resource exhaustion via specifically crafted JWE with compressed plaintext","metadata":null,"cves":["CVE-2024-28176"],"access":"public","severity":"moderate","module_name":"jose","vulnerable_versions":"<2.0.7","github_advisory_id":"GHSA-hhhv-q57g-882q","recommendation":"Upgrade to version 2.0.7 or later","patched_versions":">=2.0.7","updated":"2024-03-30T06:30:42.000Z","cvss":{"score":5.3,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},"cwe":["CWE-400"],"url":"https://github.com/advisories/GHSA-hhhv-q57g-882q"},"1097682":{"findings":[{"version":"2.5.0","paths":["protractor-screenshot-utils>protractor>webdriver-manager>request>tough-cookie"]}],"found_by":null,"deleted":null,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2023-26136\n- https://github.com/salesforce/tough-cookie/issues/282\n- https://github.com/salesforce/tough-cookie/commit/12d474791bb856004e858fdb1c47b7608d09cf6e\n- https://github.com/salesforce/tough-cookie/releases/tag/v4.1.3\n- 
https://security.snyk.io/vuln/SNYK-JS-TOUGHCOOKIE-5672873\n- https://lists.debian.org/debian-lts-announce/2023/07/msg00010.html\n- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3HUE6ZR5SL73KHL7XUPAOEL6SB7HUDT2\n- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6PVVPNSAGSDS63HQ74PJ7MZ3MU5IYNVZ\n- https://security.netapp.com/advisory/ntap-20240621-0006\n- https://github.com/advisories/GHSA-72xf-g2v4-qvf3","created":"2023-07-01T06:30:16.000Z","id":1097682,"npm_advisory_id":null,"overview":"Versions of the package tough-cookie before 4.1.3 are vulnerable to Prototype Pollution due to improper handling of Cookies when using CookieJar in `rejectPublicSuffixes=false` mode. This issue arises from the manner in which the objects are initialized.","reported_by":null,"title":"tough-cookie Prototype Pollution vulnerability","metadata":null,"cves":["CVE-2023-26136"],"access":"public","severity":"moderate","module_name":"tough-cookie","vulnerable_versions":"<4.1.3","github_advisory_id":"GHSA-72xf-g2v4-qvf3","recommendation":"Upgrade to version 4.1.3 or later","patched_versions":">=4.1.3","updated":"2024-06-21T21:33:53.000Z","cvss":{"score":6.5,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"},"cwe":["CWE-1321"],"url":"https://github.com/advisories/GHSA-72xf-g2v4-qvf3"},"1097684":{"findings":[{"version":"8.5.1","paths":["jsonwebtoken"]}],"found_by":null,"deleted":null,"references":"- https://github.com/auth0/node-jsonwebtoken/security/advisories/GHSA-qwph-4952-7xr6\n- https://github.com/auth0/node-jsonwebtoken/commit/e1fa9dcc12054a8681db4e6373da1b30cf7016e3\n- https://nvd.nist.gov/vuln/detail/CVE-2022-23540\n- https://security.netapp.com/advisory/ntap-20240621-0007\n- https://github.com/advisories/GHSA-qwph-4952-7xr6","created":"2022-12-22T03:32:59.000Z","id":1097684,"npm_advisory_id":null,"overview":"# Overview\n\nIn versions <=8.5.1 of jsonwebtoken library, lack of 
algorithm definition and a falsy secret or key in the `jwt.verify()` function can lead to signature validation bypass due to defaulting to the `none` algorithm for signature verification.\n\n# Am I affected?\nYou will be affected if all the following are true in the `jwt.verify()` function:\n- a token with no signature is received\n- no algorithms are specified \n- a falsy (e.g. null, false, undefined) secret or key is passed \n\n# How do I fix it?\n \nUpdate to version 9.0.0 which removes the default support for the none algorithm in the `jwt.verify()` method. \n\n# Will the fix impact my users?\n\nThere will be no impact, if you update to version 9.0.0 and you don’t need to allow for the `none` algorithm. If you need 'none' algorithm, you have to explicitly specify that in `jwt.verify()` options.\n","reported_by":null,"title":"jsonwebtoken vulnerable to signature validation bypass due to insecure default algorithm in jwt.verify()","metadata":null,"cves":["CVE-2022-23540"],"access":"public","severity":"moderate","module_name":"jsonwebtoken","vulnerable_versions":"<9.0.0","github_advisory_id":"GHSA-qwph-4952-7xr6","recommendation":"Upgrade to version 9.0.0 or later","patched_versions":">=9.0.0","updated":"2024-06-21T21:34:57.000Z","cvss":{"score":6.4,"vectorString":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:L"},"cwe":["CWE-287","CWE-327","CWE-347"],"url":"https://github.com/advisories/GHSA-qwph-4952-7xr6"},"1097690":{"findings":[{"version":"8.5.1","paths":["jsonwebtoken"]}],"found_by":null,"deleted":null,"references":"- https://github.com/auth0/node-jsonwebtoken/security/advisories/GHSA-8cf7-32gw-wr33\n- https://github.com/auth0/node-jsonwebtoken/commit/e1fa9dcc12054a8681db4e6373da1b30cf7016e3\n- https://nvd.nist.gov/vuln/detail/CVE-2022-23539\n- https://security.netapp.com/advisory/ntap-20240621-0007\n- https://github.com/advisories/GHSA-8cf7-32gw-wr33","created":"2022-12-22T03:32:22.000Z","id":1097690,"npm_advisory_id":null,"overview":"# Overview\n\nVersions 
`<=8.5.1` of `jsonwebtoken` library could be misconfigured so that legacy, insecure key types are used for signature verification. For example, DSA keys could be used with the RS256 algorithm. \n\n# Am I affected?\n\nYou are affected if you are using an algorithm and a key type other than the combinations mentioned below\n\n| Key type | algorithm |\n|----------|------------------------------------------|\n| ec | ES256, ES384, ES512 |\n| rsa | RS256, RS384, RS512, PS256, PS384, PS512 |\n| rsa-pss | PS256, PS384, PS512 |\n\nAnd for Elliptic Curve algorithms:\n\n| `alg` | Curve |\n|-------|------------|\n| ES256 | prime256v1 |\n| ES384 | secp384r1 |\n| ES512 | secp521r1 |\n\n# How do I fix it?\n\nUpdate to version 9.0.0. This version validates for asymmetric key type and algorithm combinations. Please refer to the above mentioned algorithm / key type combinations for the valid secure configuration. After updating to version 9.0.0, If you still intend to continue with signing or verifying tokens using invalid key type/algorithm value combinations, you’ll need to set the `allowInvalidAsymmetricKeyTypes` option to `true` in the `sign()` and/or `verify()` functions.\n\n# Will the fix impact my users?\n\nThere will be no impact, if you update to version 9.0.0 and you already use a valid secure combination of key type and algorithm. Otherwise, use the `allowInvalidAsymmetricKeyTypes` option to `true` in the `sign()` and `verify()` functions to continue usage of invalid key type/algorithm combination in 9.0.0 for legacy compatibility. 
\n\n","reported_by":null,"title":"jsonwebtoken unrestricted key type could lead to legacy keys usage ","metadata":null,"cves":["CVE-2022-23539"],"access":"public","severity":"high","module_name":"jsonwebtoken","vulnerable_versions":"<=8.5.1","github_advisory_id":"GHSA-8cf7-32gw-wr33","recommendation":"Upgrade to version 9.0.0 or later","patched_versions":">=9.0.0","updated":"2024-06-24T21:23:39.000Z","cvss":{"score":8.1,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N"},"cwe":["CWE-327"],"url":"https://github.com/advisories/GHSA-8cf7-32gw-wr33"},"1097694":{"findings":[{"version":"8.5.1","paths":["jsonwebtoken"]}],"found_by":null,"deleted":null,"references":"- https://github.com/auth0/node-jsonwebtoken/security/advisories/GHSA-hjrf-2m68-5959\n- https://github.com/auth0/node-jsonwebtoken/commit/e1fa9dcc12054a8681db4e6373da1b30cf7016e3\n- https://nvd.nist.gov/vuln/detail/CVE-2022-23541\n- https://github.com/auth0/node-jsonwebtoken/releases/tag/v9.0.0\n- https://security.netapp.com/advisory/ntap-20240621-0007\n- https://github.com/advisories/GHSA-hjrf-2m68-5959","created":"2022-12-22T03:33:19.000Z","id":1097694,"npm_advisory_id":null,"overview":"# Overview\n\nVersions `<=8.5.1` of `jsonwebtoken` library can be misconfigured so that passing a poorly implemented key retrieval function (referring to the `secretOrPublicKey` argument from the [readme link](https://github.com/auth0/node-jsonwebtoken#jwtverifytoken-secretorpublickey-options-callback)) will result in incorrect verification of tokens. There is a possibility of using a different algorithm and key combination in verification than the one that was used to sign the tokens. Specifically, tokens signed with an asymmetric public key could be verified with a symmetric HS256 algorithm. This can lead to successful validation of forged tokens. 
\n\n# Am I affected?\n\nYou will be affected if your application is supporting usage of both symmetric key and asymmetric key in jwt.verify() implementation with the same key retrieval function. \n\n# How do I fix it?\n \nUpdate to version 9.0.0.\n\n# Will the fix impact my users?\n\nThere is no impact for end users","reported_by":null,"title":"jsonwebtoken's insecure implementation of key retrieval function could lead to Forgeable Public/Private Tokens from RSA to HMAC","metadata":null,"cves":["CVE-2022-23541"],"access":"public","severity":"moderate","module_name":"jsonwebtoken","vulnerable_versions":"<=8.5.1","github_advisory_id":"GHSA-hjrf-2m68-5959","recommendation":"Upgrade to version 9.0.0 or later","patched_versions":">=9.0.0","updated":"2024-06-24T21:24:07.000Z","cvss":{"score":5,"vectorString":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L"},"cwe":["CWE-287","CWE-1259"],"url":"https://github.com/advisories/GHSA-hjrf-2m68-5959"},"1098094":{"findings":[{"version":"3.0.2","paths":["@hmcts/rpx-xui-node-lib>ts-auto-mock>micromatch>braces","@hmcts/rpx-xui-node-lib>jest-ts-auto-mock>ts-auto-mock>micromatch>braces","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>@jest/core>micromatch>braces","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>@jest/core>jest-message-util>micromatch>braces","@hmcts/rpx-xui-node-lib>jest-mock-axios>@jest/globals>@jest/environment>@jest/fake-timers>jest-message-util>micromatch>braces","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>@jest/core>jest-runtime>@jest/fake-timers>jest-message-util>micromatch>braces","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>@jest/core>jest-runner>@jest/environment>@jest/fake-timers>jest-message-util>micromatch>braces","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>@jest/core>jest-runtime>@jest/globals>@jest/environment>@jest/fake-timers>jest-message-util>micromatch>braces","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>@jest/core>jest-runner>jest-runtime>@jest/globals>@jest/environment>@jest/fake-timers>jest-message-
util>micromatch>braces","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>jest-cli>@jest/core>jest-runner>jest-runtime>@jest/globals>@jest/environment>@jest/fake-timers>jest-message-util>micromatch>braces","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>jest-cli>@jest/core>jest-config>jest-runner>jest-runtime>@jest/globals>@jest/environment>@jest/fake-timers>jest-message-util>micromatch>braces","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>jest-cli>@jest/core>jest-config>jest-runner>jest-runtime>@jest/globals>@jest/expect>jest-snapshot>expect>jest-message-util>micromatch>braces"]}],"found_by":null,"deleted":null,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2024-4068\n- https://github.com/micromatch/braces/issues/35\n- https://devhub.checkmarx.com/cve-details/CVE-2024-4068\n- https://github.com/micromatch/braces/blob/98414f9f1fabe021736e26836d8306d5de747e0d/lib/parse.js#L308\n- https://github.com/micromatch/braces/pull/37\n- https://github.com/micromatch/braces/pull/40\n- https://github.com/micromatch/braces/commit/415d660c3002d1ab7e63dbf490c9851da80596ff\n- https://github.com/advisories/GHSA-grv7-fg5c-xmjg","created":"2024-05-14T18:30:54.000Z","id":1098094,"npm_advisory_id":null,"overview":"The NPM package `braces` fails to limit the number of characters it can handle, which could lead to Memory Exhaustion. In `lib/parse.js,` if a malicious user sends \"imbalanced braces\" as input, the parsing will enter a loop, which will cause the program to start allocating heap memory without freeing it at any moment of the loop. 
Eventually, the JavaScript heap limit is reached, and the program will crash.\n","reported_by":null,"title":"Uncontrolled resource consumption in braces","metadata":null,"cves":["CVE-2024-4068"],"access":"public","severity":"high","module_name":"braces","vulnerable_versions":"<3.0.3","github_advisory_id":"GHSA-grv7-fg5c-xmjg","recommendation":"Upgrade to version 3.0.3 or later","patched_versions":">=3.0.3","updated":"2024-07-05T21:25:08.000Z","cvss":{"score":7.5,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},"cwe":["CWE-400","CWE-1050"],"url":"https://github.com/advisories/GHSA-grv7-fg5c-xmjg"},"1098583":{"findings":[{"version":"1.6.7","paths":["axios","@hmcts/rpx-xui-node-lib>axios"]}],"found_by":null,"deleted":null,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2024-39338\n- https://github.com/axios/axios/releases\n- https://jeffhacks.com/advisories/2024/06/24/CVE-2024-39338.html\n- https://github.com/axios/axios/issues/6463\n- https://github.com/axios/axios/pull/6539\n- https://github.com/axios/axios/pull/6543\n- https://github.com/axios/axios/commit/6b6b605eaf73852fb2dae033f1e786155959de3a\n- https://github.com/axios/axios/releases/tag/v1.7.4\n- https://github.com/advisories/GHSA-8hc4-vh64-cxmj","created":"2024-08-12T15:30:49.000Z","id":1098583,"npm_advisory_id":null,"overview":"axios 1.7.2 allows SSRF via unexpected behavior where requests for path relative URLs get processed as protocol relative URLs.","reported_by":null,"title":"Server-Side Request Forgery in axios","metadata":null,"cves":["CVE-2024-39338"],"access":"public","severity":"high","module_name":"axios","vulnerable_versions":">=1.3.2 <=1.7.3","github_advisory_id":"GHSA-8hc4-vh64-cxmj","recommendation":"Upgrade to version 1.7.4 or 
later","patched_versions":">=1.7.4","updated":"2024-08-13T19:53:25.000Z","cvss":{"score":0,"vectorString":null},"cwe":["CWE-918"],"url":"https://github.com/advisories/GHSA-8hc4-vh64-cxmj"},"1098681":{"findings":[{"version":"4.0.5","paths":["@hmcts/rpx-xui-node-lib>ts-auto-mock>micromatch","@hmcts/rpx-xui-node-lib>jest-ts-auto-mock>ts-auto-mock>micromatch","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>@jest/core>micromatch","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>@jest/core>jest-message-util>micromatch","@hmcts/rpx-xui-node-lib>jest-mock-axios>@jest/globals>@jest/environment>@jest/fake-timers>jest-message-util>micromatch","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>@jest/core>jest-runtime>@jest/fake-timers>jest-message-util>micromatch","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>@jest/core>jest-runner>@jest/environment>@jest/fake-timers>jest-message-util>micromatch","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>@jest/core>jest-runtime>@jest/globals>@jest/environment>@jest/fake-timers>jest-message-util>micromatch","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>@jest/core>jest-runner>jest-runtime>@jest/globals>@jest/environment>@jest/fake-timers>jest-message-util>micromatch","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>jest-cli>@jest/core>jest-runner>jest-runtime>@jest/globals>@jest/environment>@jest/fake-timers>jest-message-util>micromatch","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>jest-cli>@jest/core>jest-config>jest-runner>jest-runtime>@jest/globals>@jest/environment>@jest/fake-timers>jest-message-util>micromatch","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>jest-cli>@jest/core>jest-config>jest-runner>jest-runtime>@jest/globals>@jest/expect>jest-snapshot>expect>jest-message-util>micromatch"]}],"found_by":null,"deleted":null,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2024-4067\n- https://github.com/micromatch/micromatch/issues/243\n- https://github.com/micromatch/micromatch/pull/247\n- 
https://devhub.checkmarx.com/cve-details/CVE-2024-4067\n- https://github.com/micromatch/micromatch/blob/2c56a8604b68c1099e7bc0f807ce0865a339747a/index.js#L448\n- https://github.com/micromatch/micromatch/commit/500d5d6f42f0e8dfa1cb5464c6cb420b1b6aaaa0\n- https://github.com/micromatch/micromatch/pull/266\n- https://github.com/micromatch/micromatch/commit/03aa8052171e878897eee5d7bb2ae0ae83ec2ade\n- https://advisory.checkmarx.net/advisory/CVE-2024-4067\n- https://github.com/micromatch/micromatch/releases/tag/4.0.8\n- https://github.com/advisories/GHSA-952p-6rrq-rcjv","created":"2024-05-14T18:30:54.000Z","id":1098681,"npm_advisory_id":null,"overview":"The NPM package `micromatch` prior to version 4.0.8 is vulnerable to Regular Expression Denial of Service (ReDoS). The vulnerability occurs in `micromatch.braces()` in `index.js` because the pattern `.*` will greedily match anything. By passing a malicious payload, the pattern matching will keep backtracking to the input while it doesn't find the closing bracket. As the input size increases, the consumption time will also increase until it causes the application to hang or slow down. There was a merged fix but further testing shows the issue persisted prior to https://github.com/micromatch/micromatch/pull/266. 
This issue should be mitigated by using a safe pattern that won't start backtracking the regular expression due to greedy matching.\n","reported_by":null,"title":"Regular Expression Denial of Service (ReDoS) in micromatch","metadata":null,"cves":["CVE-2024-4067"],"access":"public","severity":"moderate","module_name":"micromatch","vulnerable_versions":"<4.0.8","github_advisory_id":"GHSA-952p-6rrq-rcjv","recommendation":"Upgrade to version 4.0.8 or later","patched_versions":">=4.0.8","updated":"2024-08-28T13:12:27.000Z","cvss":{"score":5.3,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},"cwe":["CWE-1333"],"url":"https://github.com/advisories/GHSA-952p-6rrq-rcjv"},"1099520":{"findings":[{"version":"1.20.2","paths":["express>body-parser","@hmcts/rpx-xui-node-lib>express>body-parser"]}],"found_by":null,"deleted":null,"references":"- https://github.com/expressjs/body-parser/security/advisories/GHSA-qwcr-r2fm-qrc7\n- https://github.com/expressjs/body-parser/commit/b2695c4450f06ba3b0ccf48d872a229bb41c9bce\n- https://nvd.nist.gov/vuln/detail/CVE-2024-45590\n- https://github.com/advisories/GHSA-qwcr-r2fm-qrc7","created":"2024-09-10T15:52:39.000Z","id":1099520,"npm_advisory_id":null,"overview":"### Impact\n\nbody-parser <1.20.3 is vulnerable to denial of service when url encoding is enabled. 
A malicious actor using a specially crafted payload could flood the server with a large number of requests, resulting in denial of service.\n\n### Patches\n\nthis issue is patched in 1.20.3\n\n### References\n","reported_by":null,"title":"body-parser vulnerable to denial of service when url encoding is enabled","metadata":null,"cves":["CVE-2024-45590"],"access":"public","severity":"high","module_name":"body-parser","vulnerable_versions":"<1.20.3","github_advisory_id":"GHSA-qwcr-r2fm-qrc7","recommendation":"Upgrade to version 1.20.3 or later","patched_versions":">=1.20.3","updated":"2024-09-10T19:01:11.000Z","cvss":{"score":7.5,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},"cwe":["CWE-405"],"url":"https://github.com/advisories/GHSA-qwcr-r2fm-qrc7"},"1099562":{"findings":[{"version":"0.1.7","paths":["express>path-to-regexp","@hmcts/rpx-xui-node-lib>express>path-to-regexp"]}],"found_by":null,"deleted":null,"references":"- https://github.com/pillarjs/path-to-regexp/security/advisories/GHSA-9wv6-86v2-598j\n- https://github.com/pillarjs/path-to-regexp/commit/29b96b4a1de52824e1ca0f49a701183cc4ed476f\n- https://github.com/pillarjs/path-to-regexp/commit/60f2121e9b66b7b622cc01080df0aabda9eedee6\n- https://nvd.nist.gov/vuln/detail/CVE-2024-45296\n- https://github.com/pillarjs/path-to-regexp/commit/925ac8e3c5780b02f58cbd4e52f95da8ad2ac485\n- https://github.com/pillarjs/path-to-regexp/commit/d31670ae8f6e69cbfd56e835742195b7d10942ef\n- https://github.com/pillarjs/path-to-regexp/commit/f1253b47b347dcb909e3e80b0eb2649109e59894\n- https://github.com/pillarjs/path-to-regexp/releases/tag/v6.3.0\n- https://github.com/advisories/GHSA-9wv6-86v2-598j","created":"2024-09-09T20:19:15.000Z","id":1099562,"npm_advisory_id":null,"overview":"### Impact\n\nA bad regular expression is generated any time you have two parameters within a single segment, separated by something that is not a period (`.`). For example, `/:a-:b`.\n\n### Patches\n\nFor users of 0.1, upgrade to `0.1.10`. 
All other users should upgrade to `8.0.0`.\n\nThese versions add backtrack protection when a custom regex pattern is not provided:\n\n- [0.1.10](https://github.com/pillarjs/path-to-regexp/releases/tag/v0.1.10)\n- [1.9.0](https://github.com/pillarjs/path-to-regexp/releases/tag/v1.9.0)\n- [3.3.0](https://github.com/pillarjs/path-to-regexp/releases/tag/v3.3.0)\n- [6.3.0](https://github.com/pillarjs/path-to-regexp/releases/tag/v6.3.0)\n\nThey do not protect against vulnerable user supplied capture groups. Protecting against explicit user patterns is out of scope for old versions and not considered a vulnerability.\n\nVersion [7.1.0](https://github.com/pillarjs/path-to-regexp/releases/tag/v7.1.0) can enable `strict: true` and get an error when the regular expression might be bad.\n\nVersion [8.0.0](https://github.com/pillarjs/path-to-regexp/releases/tag/v8.0.0) removes the features that can cause a ReDoS.\n\n### Workarounds\n\nAll versions can be patched by providing a custom regular expression for parameters after the first in a single segment. As long as the custom regular expression does not match the text before the parameter, you will be safe. For example, change `/:a-:b` to `/:a-:b([^-/]+)`.\n\nIf paths cannot be rewritten and versions cannot be upgraded, another alternative is to limit the URL length. For example, halving the attack string improves performance by 4x faster.\n\n### Details\n\nUsing `/:a-:b` will produce the regular expression `/^\\/([^\\/]+?)-([^\\/]+?)\\/?$/`. This can be exploited by a path such as `/a${'-a'.repeat(8_000)}/a`. 
[OWASP](https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS) has a good example of why this occurs, but the TL;DR is the `/a` at the end ensures this route would never match but due to naive backtracking it will still attempt every combination of the `:a-:b` on the repeated 8,000 `-a`.\n\nBecause JavaScript is single threaded and regex matching runs on the main thread, poor performance will block the event loop and can lead to a DoS. In local benchmarks, exploiting the unsafe regex will result in performance that is over 1000x worse than the safe regex. In a more realistic environment using Express v4 and 10 concurrent connections, this translated to average latency of ~600ms vs 1ms.\n\n### References\n\n* [OWASP](https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS)\n* [Detailed blog post](https://blakeembrey.com/posts/2024-09-web-redos/)","reported_by":null,"title":"path-to-regexp outputs backtracking regular expressions","metadata":null,"cves":["CVE-2024-45296"],"access":"public","severity":"high","module_name":"path-to-regexp","vulnerable_versions":"<0.1.10","github_advisory_id":"GHSA-9wv6-86v2-598j","recommendation":"Upgrade to version 0.1.10 or later","patched_versions":">=0.1.10","updated":"2024-09-12T17:09:43.000Z","cvss":{"score":7.5,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},"cwe":["CWE-1333"],"url":"https://github.com/advisories/GHSA-9wv6-86v2-598j"},"1099846":{"findings":[{"version":"0.4.2","paths":["csurf>cookie","@hmcts/rpx-xui-node-lib>csurf>cookie"]}],"found_by":null,"deleted":null,"references":"- https://github.com/jshttp/cookie/security/advisories/GHSA-pxg6-pf52-xh8x\n- https://github.com/jshttp/cookie/pull/167\n- https://github.com/jshttp/cookie/commit/e10042845354fea83bd8f34af72475eed1dadf5c\n- https://github.com/advisories/GHSA-pxg6-pf52-xh8x","created":"2024-10-04T20:31:00.000Z","id":1099846,"npm_advisory_id":null,"overview":"### Impact\n\nThe cookie name 
could be used to set other fields of the cookie, resulting in an unexpected cookie value. For example, `serialize(\"userName=<script>alert('XSS3')</script>; Max-Age=2592000; a\", value)` would result in `\"userName=<script>alert('XSS3')</script>; Max-Age=2592000; a=test\"`, setting `userName` cookie to `<script>` and ignoring `value`.\n\nA similar escape can be used for `path` and `domain`, which could be abused to alter other fields of the cookie.\n\n### Patches\n\nUpgrade to 0.7.0, which updates the validation for `name`, `path`, and `domain`.\n\n### Workarounds\n\nAvoid passing untrusted or arbitrary values for these fields, ensure they are set by the application instead of user input.\n\n### References\n\n* https://github.com/jshttp/cookie/pull/167","reported_by":null,"title":"cookie accepts cookie name, path, and domain with out of bounds characters","metadata":null,"cves":["CVE-2024-47764"],"access":"public","severity":"low","module_name":"cookie","vulnerable_versions":"<0.7.0","github_advisory_id":"GHSA-pxg6-pf52-xh8x","recommendation":"Upgrade to version 0.7.0 or later","patched_versions":">=0.7.0","updated":"2024-10-04T20:31:01.000Z","cvss":{"score":0,"vectorString":null},"cwe":["CWE-74"],"url":"https://github.com/advisories/GHSA-pxg6-pf52-xh8x"},"1100526":{"findings":[{"version":"0.18.0","paths":["express>send","@hmcts/rpx-xui-node-lib>express>send","@hmcts/rpx-xui-node-lib>express>serve-static>send"]}],"found_by":null,"deleted":null,"references":"- https://github.com/pillarjs/send/security/advisories/GHSA-m6fv-jmcg-4jfg\n- https://nvd.nist.gov/vuln/detail/CVE-2024-43799\n- https://github.com/pillarjs/send/commit/ae4f2989491b392ae2ef3b0015a019770ae65d35\n- https://github.com/advisories/GHSA-m6fv-jmcg-4jfg","created":"2024-09-10T19:42:41.000Z","id":1100526,"npm_advisory_id":null,"overview":"### Impact\n\npassing untrusted user input - even after sanitizing it - to `SendStream.redirect()` may execute untrusted code\n\n### Patches\n\nthis issue is patched in 
send 0.19.0\n\n### Workarounds\n\nusers are encouraged to upgrade to the patched version of express, but otherwise can workaround this issue by making sure any untrusted inputs are safe, ideally by validating them against an explicit allowlist\n\n### Details\n\nsuccessful exploitation of this vector requires the following:\n\n1. The attacker MUST control the input to response.redirect()\n1. express MUST NOT redirect before the template appears\n1. the browser MUST NOT complete redirection before:\n1. the user MUST click on the link in the template\n","reported_by":null,"title":"send vulnerable to template injection that can lead to XSS","metadata":null,"cves":["CVE-2024-43799"],"access":"public","severity":"low","module_name":"send","vulnerable_versions":"<0.19.0","github_advisory_id":"GHSA-m6fv-jmcg-4jfg","recommendation":"Upgrade to version 0.19.0 or later","patched_versions":">=0.19.0","updated":"2024-11-18T16:27:12.000Z","cvss":{"score":5,"vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L"},"cwe":["CWE-79"],"url":"https://github.com/advisories/GHSA-m6fv-jmcg-4jfg"},"1100528":{"findings":[{"version":"1.15.0","paths":["express>serve-static","@hmcts/rpx-xui-node-lib>express>serve-static"]}],"found_by":null,"deleted":null,"references":"- https://github.com/expressjs/serve-static/security/advisories/GHSA-cm22-4g7w-348p\n- https://nvd.nist.gov/vuln/detail/CVE-2024-43800\n- https://github.com/expressjs/serve-static/commit/0c11fad159898cdc69fd9ab63269b72468ecaf6b\n- https://github.com/expressjs/serve-static/commit/ce730896fddce1588111d9ef6fdf20896de5c6fa\n- https://github.com/advisories/GHSA-cm22-4g7w-348p","created":"2024-09-10T19:42:33.000Z","id":1100528,"npm_advisory_id":null,"overview":"### Impact\n\npassing untrusted user input - even after sanitizing it - to `redirect()` may execute untrusted code\n\n### Patches\n\nthis issue is patched in serve-static 1.16.0\n\n### Workarounds\n\nusers are encouraged to upgrade to the patched version of express, but 
otherwise can workaround this issue by making sure any untrusted inputs are safe, ideally by validating them against an explicit allowlist\n\n### Details\n\nsuccessful exploitation of this vector requires the following:\n\n1. The attacker MUST control the input to response.redirect()\n1. express MUST NOT redirect before the template appears\n1. the browser MUST NOT complete redirection before:\n1. the user MUST click on the link in the template\n","reported_by":null,"title":"serve-static vulnerable to template injection that can lead to XSS","metadata":null,"cves":["CVE-2024-43800"],"access":"public","severity":"low","module_name":"serve-static","vulnerable_versions":"<1.16.0","github_advisory_id":"GHSA-cm22-4g7w-348p","recommendation":"Upgrade to version 1.16.0 or later","patched_versions":">=1.16.0","updated":"2024-11-18T16:27:12.000Z","cvss":{"score":5,"vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L"},"cwe":["CWE-79"],"url":"https://github.com/advisories/GHSA-cm22-4g7w-348p"},"1100530":{"findings":[{"version":"4.19.2","paths":["express","@hmcts/rpx-xui-node-lib>express"]}],"found_by":null,"deleted":null,"references":"- https://github.com/expressjs/express/security/advisories/GHSA-qw6h-vgh9-j6wx\n- https://nvd.nist.gov/vuln/detail/CVE-2024-43796\n- https://github.com/expressjs/express/commit/54271f69b511fea198471e6ff3400ab805d6b553\n- https://github.com/advisories/GHSA-qw6h-vgh9-j6wx","created":"2024-09-10T19:41:04.000Z","id":1100530,"npm_advisory_id":null,"overview":"### Impact\n\nIn express <4.20.0, passing untrusted user input - even after sanitizing it - to `response.redirect()` may execute untrusted code\n\n### Patches\n\nthis issue is patched in express 4.20.0\n\n### Workarounds\n\nusers are encouraged to upgrade to the patched version of express, but otherwise can workaround this issue by making sure any untrusted inputs are safe, ideally by validating them against an explicit allowlist\n\n### Details\n\nsuccessful exploitation of this vector 
requires the following:\n\n1. The attacker MUST control the input to response.redirect()\n1. express MUST NOT redirect before the template appears\n1. the browser MUST NOT complete redirection before:\n1. the user MUST click on the link in the template\n","reported_by":null,"title":"express vulnerable to XSS via response.redirect()","metadata":null,"cves":["CVE-2024-43796"],"access":"public","severity":"low","module_name":"express","vulnerable_versions":"<4.20.0","github_advisory_id":"GHSA-qw6h-vgh9-j6wx","recommendation":"Upgrade to version 4.20.0 or later","patched_versions":">=4.20.0","updated":"2024-11-18T16:27:12.000Z","cvss":{"score":5,"vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L"},"cwe":["CWE-79"],"url":"https://github.com/advisories/GHSA-qw6h-vgh9-j6wx"},"1100562":{"findings":[{"version":"4.0.2","paths":["dotenv-extended>cross-spawn","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>@jest/core>jest-changed-files>execa>cross-spawn","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>jest-cli>@jest/core>jest-changed-files>execa>cross-spawn"]}],"found_by":null,"deleted":null,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2024-21538\n- https://github.com/moxystudio/node-cross-spawn/pull/160\n- https://github.com/moxystudio/node-cross-spawn/commit/5ff3a07d9add449021d806e45c4168203aa833ff\n- https://github.com/moxystudio/node-cross-spawn/commit/640d391fde65388548601d95abedccc12943374f\n- https://security.snyk.io/vuln/SNYK-JS-CROSSSPAWN-8303230\n- https://github.com/moxystudio/node-cross-spawn/issues/165\n- https://github.com/moxystudio/node-cross-spawn/commit/d35c865b877d2f9ded7c1ed87521c2fdb689c8dd\n- https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-8366349\n- https://github.com/advisories/GHSA-3xgq-45jj-v275","created":"2024-11-08T06:30:47.000Z","id":1100562,"npm_advisory_id":null,"overview":"Versions of the package cross-spawn before 7.0.5 are vulnerable to Regular Expression Denial of Service (ReDoS) due to improper input sanitization. 
An attacker can increase the CPU usage and crash the program by crafting a very large and well crafted string.","reported_by":null,"title":"Regular Expression Denial of Service (ReDoS) in cross-spawn","metadata":null,"cves":["CVE-2024-21538"],"access":"public","severity":"high","module_name":"cross-spawn","vulnerable_versions":"<6.0.6","github_advisory_id":"GHSA-3xgq-45jj-v275","recommendation":"Upgrade to version 6.0.6 or later","patched_versions":">=6.0.6","updated":"2024-11-19T16:19:50.000Z","cvss":{"score":7.5,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},"cwe":["CWE-1333"],"url":"https://github.com/advisories/GHSA-3xgq-45jj-v275"}},"muted":[],"metadata":{"vulnerabilities":{"info":0,"low":9,"moderate":28,"high":24,"critical":0},"dependencies":791,"devDependencies":1,"optionalDependencies":0,"totalDependencies":792}}