From c844fa9927b14a3a0a82afbbf7202eef756f0a61 Mon Sep 17 00:00:00 2001
From: OgunyemiO
Date: Tue, 31 Oct 2023 12:09:43 +0000
Subject: [PATCH] yarn audit for pipeline fix
---
 yarn-audit-known-issues | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/yarn-audit-known-issues b/yarn-audit-known-issues
index b805f656b..6b65f7c9f 100644
--- a/yarn-audit-known-issues
+++ b/yarn-audit-known-issues
@@ -1 +1 @@
-{"actions":[],"advisories":{"1088208":{"findings":[{"version":"0.8.4","paths":["git-rev-sync>shelljs"]}],"metadata":null,"vulnerable_versions":"<0.8.5","module_name":"shelljs","severity":"moderate","github_advisory_id":"GHSA-64g7-mvw6-v9qj","cves":[],"access":"public","patched_versions":">=0.8.5","cvss":{"score":0,"vectorString":null},"updated":"2023-01-11T05:03:39.000Z","recommendation":"Upgrade to version 0.8.5 or later","cwe":["CWE-269"],"found_by":null,"deleted":null,"id":1088208,"references":"- https://github.com/shelljs/shelljs/security/advisories/GHSA-64g7-mvw6-v9qj\n- https://huntr.dev/bounties/50996581-c08e-4eed-a90e-c0bac082679c/\n- https://github.com/advisories/GHSA-64g7-mvw6-v9qj","created":"2022-01-14T21:09:50.000Z","reported_by":null,"title":"Improper Privilege Management in shelljs","npm_advisory_id":null,"overview":"### Impact\nOutput from the synchronous version of `shell.exec()` may be visible to other users on the same system. You may be affected if you execute `shell.exec()` in multi-user Mac, Linux, or WSL environments, or if you execute `shell.exec()` as the root user.\n\nOther shelljs functions (including the asynchronous version of `shell.exec()`) are not impacted.\n\n### Patches\nPatched in shelljs 0.8.5\n\n### Workarounds\nRecommended action is to upgrade to 0.8.5.\n\n### References\nhttps://huntr.dev/bounties/50996581-c08e-4eed-a90e-c0bac082679c/\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Ask at https://github.com/shelljs/shelljs/issues/1058\n* Open an issue at 
https://github.com/shelljs/shelljs/issues/new\n","url":"https://github.com/advisories/GHSA-64g7-mvw6-v9qj"},"1088659":{"findings":[{"version":"2.1.2","paths":["@hmcts/nodejs-healthcheck>superagent>cookiejar"]}],"metadata":null,"vulnerable_versions":"<2.1.4","module_name":"cookiejar","severity":"moderate","github_advisory_id":"GHSA-h452-7996-h45h","cves":["CVE-2022-25901"],"access":"public","patched_versions":">=2.1.4","cvss":{"score":5.3,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},"updated":"2023-01-23T16:59:53.000Z","recommendation":"Upgrade to version 2.1.4 or later","cwe":["CWE-1333"],"found_by":null,"deleted":null,"id":1088659,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2022-25901\n- https://github.com/bmeck/node-cookiejar/pull/39\n- https://github.com/bmeck/node-cookiejar/pull/39/commits/eaa00021caf6ae09449dde826108153b578348e5\n- https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-3176681\n- https://security.snyk.io/vuln/SNYK-JS-COOKIEJAR-3149984\n- https://github.com/bmeck/node-cookiejar/blob/master/cookiejar.js#23L73\n- https://github.com/advisories/GHSA-h452-7996-h45h","created":"2023-01-18T06:31:03.000Z","reported_by":null,"title":"cookiejar Regular Expression Denial of Service via Cookie.parse function","npm_advisory_id":null,"overview":"Versions of the package cookiejar before 2.1.4 are vulnerable to Regular Expression Denial of Service (ReDoS) via the `Cookie.parse` function and other aspects of the API, which use an insecure regular expression for parsing cookie values. 
Applications could be stalled for extended periods of time if untrusted input is passed to cookie values or attempted to parse from request headers.\n\nProof of concept:\n\n```\nts\\nconst { CookieJar } = require(\"cookiejar\");\n\nconst jar = new CookieJar();\n\nconst start = performance.now();\n\nconst attack = \"a\" + \"t\".repeat(50_000);\njar.setCookie(attack);\n\nconsole.log(`CookieJar.setCookie(): ${performance.now() - start}ms`);\n\n```\n\n```\nCookieJar.setCookie(): 2963.214399999939ms\n```","url":"https://github.com/advisories/GHSA-h452-7996-h45h"},"1088948":{"findings":[{"version":"6.7.1","paths":["@hmcts/rpx-xui-node-lib>openid-client>got"]}],"metadata":null,"vulnerable_versions":"<11.8.5","module_name":"got","severity":"moderate","github_advisory_id":"GHSA-pfrx-2q88-qq97","cves":["CVE-2022-33987"],"access":"public","patched_versions":">=11.8.5","cvss":{"score":5.3,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},"updated":"2023-01-27T05:05:01.000Z","recommendation":"Upgrade to version 11.8.5 or later","cwe":[],"found_by":null,"deleted":null,"id":1088948,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2022-33987\n- https://github.com/sindresorhus/got/pull/2047\n- https://github.com/sindresorhus/got/compare/v12.0.3...v12.1.0\n- https://github.com/sindresorhus/got/commit/861ccd9ac2237df762a9e2beed7edd88c60782dc\n- https://github.com/sindresorhus/got/releases/tag/v11.8.5\n- https://github.com/sindresorhus/got/releases/tag/v12.1.0\n- https://github.com/advisories/GHSA-pfrx-2q88-qq97","created":"2022-06-19T00:00:21.000Z","reported_by":null,"title":"Got allows a redirect to a UNIX socket","npm_advisory_id":null,"overview":"The got package before 11.8.5 and 12.1.0 for Node.js allows a redirect to a UNIX 
socket.","url":"https://github.com/advisories/GHSA-pfrx-2q88-qq97"},"1089067":{"findings":[{"version":"0.2.3","paths":["class-transformer"]}],"metadata":null,"vulnerable_versions":"<0.3.1","module_name":"class-transformer","severity":"moderate","github_advisory_id":"GHSA-6gp3-h3jj-prx4","cves":["CVE-2020-7637"],"access":"public","patched_versions":">=0.3.1","cvss":{"score":5.3,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},"updated":"2023-01-27T05:08:29.000Z","recommendation":"Upgrade to version 0.3.1 or later","cwe":["CWE-915","CWE-1321"],"found_by":null,"deleted":null,"id":1089067,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2020-7637\n- https://github.com/typestack/class-transformer/blob/a650d9f490573443f62508bc063b857bcd5e2525/src/ClassTransformer.ts#L29-L31,\n- https://snyk.io/vuln/SNYK-JS-CLASSTRANSFORMER-564431\n- https://github.com/typestack/class-transformer/commit/8f04eb9db02de708f1a20f6f2d2bb309b2fed01e\n- https://github.com/advisories/GHSA-6gp3-h3jj-prx4","created":"2020-04-07T15:47:40.000Z","reported_by":null,"title":"Prototype pollution in class-transformer","npm_advisory_id":null,"overview":"class-transformer through 0.2.3 is vulnerable to Prototype Pollution. 
The 'classToPlainFromExist' function could be tricked into adding or modifying properties of 'Object.prototype' using a '__proto__' payload.","url":"https://github.com/advisories/GHSA-6gp3-h3jj-prx4"},"1089189":{"findings":[{"version":"1.23.0","paths":["ngx-md>prismjs"]}],"metadata":null,"vulnerable_versions":"<1.25.0","module_name":"prismjs","severity":"moderate","github_advisory_id":"GHSA-hqhp-5p83-hx96","cves":["CVE-2021-3801"],"access":"public","patched_versions":">=1.25.0","cvss":{"score":6.5,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"},"updated":"2023-01-29T05:02:55.000Z","recommendation":"Upgrade to version 1.25.0 or later","cwe":["CWE-400"],"found_by":null,"deleted":null,"id":1089189,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2021-3801\n- https://github.com/prismjs/prism/commit/0ff371bb4775a131634f47d0fe85794c547232f9\n- https://huntr.dev/bounties/8c16ab31-6eb6-46d1-b9a4-387222fe1b8a\n- https://github.com/advisories/GHSA-hqhp-5p83-hx96","created":"2021-09-20T20:44:48.000Z","reported_by":null,"title":"prismjs Regular Expression Denial of Service vulnerability","npm_advisory_id":null,"overview":"Prism is a syntax highlighting library. The prismjs package is vulnerable to ReDoS (regular expression denial of service). 
An attacker that is able to provide a crafted HTML comment as input may cause an application to consume an excessive amount of CPU.","url":"https://github.com/advisories/GHSA-hqhp-5p83-hx96"},"1089196":{"findings":[{"version":"3.0.2","paths":["redis","@hmcts/rpx-xui-node-lib>redis"]}],"metadata":null,"vulnerable_versions":">=2.6.0 <3.1.1","module_name":"redis","severity":"high","github_advisory_id":"GHSA-35q2-47q7-3pc3","cves":["CVE-2021-29469"],"access":"public","patched_versions":">=3.1.1","cvss":{"score":7.5,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},"updated":"2023-01-29T05:02:31.000Z","recommendation":"Upgrade to version 3.1.1 or later","cwe":["CWE-400"],"found_by":null,"deleted":null,"id":1089196,"references":"- https://github.com/NodeRedis/node-redis/security/advisories/GHSA-35q2-47q7-3pc3\n- https://nvd.nist.gov/vuln/detail/CVE-2021-29469\n- https://github.com/NodeRedis/node-redis/commit/2d11b6dc9b9774464a91fb4b448bad8bf699629e\n- https://github.com/NodeRedis/node-redis/releases/tag/v3.1.1\n- https://security.netapp.com/advisory/ntap-20210611-0010/\n- https://github.com/advisories/GHSA-35q2-47q7-3pc3","created":"2021-04-27T15:56:03.000Z","reported_by":null,"title":"Node-Redis potential exponential regex in monitor mode","npm_advisory_id":null,"overview":"### Impact\nWhen a client is in monitoring mode, the regex begin used to detected monitor messages could cause exponential backtracking on some strings. 
This issue could lead to a denial of service.\n\n### Patches\nThe problem was fixed in commit [`2d11b6d`](https://github.com/NodeRedis/node-redis/commit/2d11b6dc9b9774464a91fb4b448bad8bf699629e) and was released in version `3.1.1`.\n\n### References\n#1569 (GHSL-2021-026)","url":"https://github.com/advisories/GHSA-35q2-47q7-3pc3"},"1089270":{"findings":[{"version":"2.7.4","paths":["ejs"]}],"metadata":null,"vulnerable_versions":"<3.1.7","module_name":"ejs","severity":"critical","github_advisory_id":"GHSA-phwq-j96m-2c2q","cves":["CVE-2022-29078"],"access":"public","patched_versions":">=3.1.7","cvss":{"score":9.8,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},"updated":"2023-01-30T05:02:57.000Z","recommendation":"Upgrade to version 3.1.7 or later","cwe":["CWE-74"],"found_by":null,"deleted":null,"id":1089270,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2022-29078\n- https://eslam.io/posts/ejs-server-side-template-injection-rce/\n- https://github.com/mde/ejs/commit/15ee698583c98dadc456639d6245580d17a24baf\n- https://github.com/mde/ejs/releases\n- https://security.netapp.com/advisory/ntap-20220804-0001/\n- https://github.com/advisories/GHSA-phwq-j96m-2c2q","created":"2022-04-26T00:00:40.000Z","reported_by":null,"title":"ejs template injection vulnerability","npm_advisory_id":null,"overview":"The ejs (aka Embedded JavaScript templates) package 3.1.6 for Node.js allows server-side template injection in settings[view options][outputFunctionName]. 
This is parsed as an internal option, and overwrites the outputFunctionName option with an arbitrary OS command (which is executed upon template compilation).","url":"https://github.com/advisories/GHSA-phwq-j96m-2c2q"},"1089434":{"findings":[{"version":"8.5.1","paths":["jsonwebtoken"]}],"metadata":null,"vulnerable_versions":"<=8.5.1","module_name":"jsonwebtoken","severity":"moderate","github_advisory_id":"GHSA-8cf7-32gw-wr33","cves":["CVE-2022-23539"],"access":"public","patched_versions":">=9.0.0","cvss":{"score":0,"vectorString":null},"updated":"2023-01-31T05:01:09.000Z","recommendation":"Upgrade to version 9.0.0 or later","cwe":["CWE-327"],"found_by":null,"deleted":null,"id":1089434,"references":"- https://github.com/auth0/node-jsonwebtoken/security/advisories/GHSA-8cf7-32gw-wr33\n- https://github.com/auth0/node-jsonwebtoken/commit/e1fa9dcc12054a8681db4e6373da1b30cf7016e3\n- https://nvd.nist.gov/vuln/detail/CVE-2022-23539\n- https://github.com/advisories/GHSA-8cf7-32gw-wr33","created":"2022-12-22T03:32:22.000Z","reported_by":null,"title":"jsonwebtoken unrestricted key type could lead to legacy keys usage ","npm_advisory_id":null,"overview":"# Overview\n\nVersions `<=8.5.1` of `jsonwebtoken` library could be misconfigured so that legacy, insecure key types are used for signature verification. For example, DSA keys could be used with the RS256 algorithm. \n\n# Am I affected?\n\nYou are affected if you are using an algorithm and a key type other than the combinations mentioned below\n\n| Key type | algorithm |\n|----------|------------------------------------------|\n| ec | ES256, ES384, ES512 |\n| rsa | RS256, RS384, RS512, PS256, PS384, PS512 |\n| rsa-pss | PS256, PS384, PS512 |\n\nAnd for Elliptic Curve algorithms:\n\n| `alg` | Curve |\n|-------|------------|\n| ES256 | prime256v1 |\n| ES384 | secp384r1 |\n| ES512 | secp521r1 |\n\n# How do I fix it?\n\nUpdate to version 9.0.0. This version validates for asymmetric key type and algorithm combinations. 
Please refer to the above mentioned algorithm / key type combinations for the valid secure configuration. After updating to version 9.0.0, If you still intend to continue with signing or verifying tokens using invalid key type/algorithm value combinations, you’ll need to set the `allowInvalidAsymmetricKeyTypes` option to `true` in the `sign()` and/or `verify()` functions.\n\n# Will the fix impact my users?\n\nThere will be no impact, if you update to version 9.0.0 and you already use a valid secure combination of key type and algorithm. Otherwise, use the `allowInvalidAsymmetricKeyTypes` option to `true` in the `sign()` and `verify()` functions to continue usage of invalid key type/algorithm combination in 9.0.0 for legacy compatibility. \n\n","url":"https://github.com/advisories/GHSA-8cf7-32gw-wr33"},"1089512":{"findings":[{"version":"6.2.1","paths":["log4js"]}],"metadata":null,"vulnerable_versions":"<6.4.0","module_name":"log4js","severity":"moderate","github_advisory_id":"GHSA-82v2-mx6x-wq7q","cves":["CVE-2022-21704"],"access":"public","patched_versions":">=6.4.0","cvss":{"score":5.5,"vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},"updated":"2023-02-01T05:01:40.000Z","recommendation":"Upgrade to version 6.4.0 or later","cwe":["CWE-276"],"found_by":null,"deleted":null,"id":1089512,"references":"- https://github.com/log4js-node/log4js-node/security/advisories/GHSA-82v2-mx6x-wq7q\n- https://github.com/log4js-node/log4js-node/pull/1141/commits/8042252861a1b65adb66931fdf702ead34fa9b76\n- https://github.com/log4js-node/streamroller/pull/87\n- https://github.com/log4js-node/log4js-node/blob/v6.4.0/CHANGELOG.md#640\n- https://nvd.nist.gov/vuln/detail/CVE-2022-21704\n- https://lists.debian.org/debian-lts-announce/2022/12/msg00014.html\n- https://github.com/advisories/GHSA-82v2-mx6x-wq7q","created":"2022-01-21T18:53:27.000Z","reported_by":null,"title":"Incorrect Default Permissions in log4js","npm_advisory_id":null,"overview":"### Impact\r\nDefault file 
permissions for log files created by the file, fileSync and dateFile appenders are world-readable (in unix). This could cause problems if log files contain sensitive information. This would affect any users that have not supplied their own permissions for the files via the mode parameter in the config.\r\n\r\n### Patches\r\nFixed by:\r\n* https://github.com/log4js-node/log4js-node/pull/1141\r\n* https://github.com/log4js-node/streamroller/pull/87\r\n\r\nReleased to NPM in log4js@6.4.0\r\n\r\n### Workarounds\r\nEvery version of log4js published allows passing the mode parameter to the configuration of file appenders, see the documentation for details.\r\n\r\n### References\r\n\r\nThanks to [ranjit-git](https://www.huntr.dev/users/ranjit-git) for raising the issue, and to @lamweili for fixing the problem.\r\n\r\n### For more information\r\nIf you have any questions or comments about this advisory:\r\n* Open an issue in [logj4s-node](https://github.com/log4js-node/log4js-node)\r\n* Ask a question in the [slack channel](https://join.slack.com/t/log4js-node/shared_invite/enQtODkzMDQ3MzExMDczLWUzZmY0MmI0YWI1ZjFhODY0YjI0YmU1N2U5ZTRkOTYyYzg3MjY5NWI4M2FjZThjYjdiOGM0NjU2NzBmYTJjOGI)\r\n* Email us at [gareth.nomiddlename@gmail.com](mailto:gareth.nomiddlename@gmail.com)\r\n","url":"https://github.com/advisories/GHSA-82v2-mx6x-wq7q"},"1089630":{"findings":[{"version":"1.5.0","paths":["@hmcts/rpx-xui-node-lib>passport-oauth2"]}],"metadata":null,"vulnerable_versions":"<1.6.1","module_name":"passport-oauth2","severity":"moderate","github_advisory_id":"GHSA-f794-r6xc-hf3v","cves":["CVE-2021-41580"],"access":"public","patched_versions":">=1.6.1","cvss":{"score":5.3,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},"updated":"2023-02-01T05:06:26.000Z","recommendation":"Upgrade to version 1.6.1 or later","cwe":["CWE-287"],"found_by":null,"deleted":null,"id":1089630,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2021-41580\n- 
https://github.com/jaredhanson/passport-oauth2/pull/144\n- https://github.com/jaredhanson/passport-oauth2/commit/8e3bcdff145a2219033bd782fc517229fe3e05ea\n- https://github.com/jaredhanson/passport-oauth2/compare/v1.6.0...v1.6.1\n- https://medium.com/passportjs/no-access-token-no-service-7fb017c9e262\n- https://github.com/advisories/GHSA-f794-r6xc-hf3v","created":"2021-09-29T17:18:32.000Z","reported_by":null,"title":"Improper Access Control in passport-oauth2","npm_advisory_id":null,"overview":"The passport-oauth2 package before 1.6.1 for Node.js mishandles the error condition of failure to obtain an access token. This is exploitable in certain use cases where an OAuth identity provider uses an HTTP 200 status code for authentication-failure error reports, and an application grants authorization upon simply receiving the access token (i.e., does not try to use the token). NOTE: the passport-oauth2 vendor does not consider this a passport-oauth2 vulnerability.","url":"https://github.com/advisories/GHSA-f794-r6xc-hf3v"},"1089682":{"findings":[{"version":"6.0.5","paths":["@pact-foundation/pact-node>tar","@pact-foundation/pact>@pact-foundation/pact-node>tar","playwright>fsevents>node-gyp>tar","@pact-foundation/pact-node>bunyan>dtrace-provider>node-gyp>tar","@pact-foundation/pact-node>bunyan>dtrace-provider>nan>node-gyp>tar","@pact-foundation/pact>@pact-foundation/pact-node>bunyan>dtrace-provider>nan>node-gyp>tar","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>@jest/core>jest-haste-map>fsevents>node-gyp>tar","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>@jest/core>@jest/transform>jest-haste-map>fsevents>node-gyp>tar","@hmcts/rpx-xui-node-lib>jest-mock-axios>@jest/globals>@jest/expect>jest-snapshot>@jest/transform>jest-haste-map>fsevents>node-gyp>tar","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>@jest/core>jest-resolve-dependencies>jest-snapshot>@jest/transform>jest-haste-map>fsevents>node-gyp>tar","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>jest-cli>@jest/core>jest-reso
lve-dependencies>jest-snapshot>@jest/transform>jest-haste-map>fsevents>node-gyp>tar","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>@jest/core>jest-runtime>@jest/globals>@jest/expect>jest-snapshot>@jest/transform>jest-haste-map>fsevents>node-gyp>tar","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>@jest/core>jest-runner>jest-runtime>@jest/globals>@jest/expect>jest-snapshot>@jest/transform>jest-haste-map>fsevents>node-gyp>tar","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>jest-cli>@jest/core>jest-runner>jest-runtime>@jest/globals>@jest/expect>jest-snapshot>@jest/transform>jest-haste-map>fsevents>node-gyp>tar","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>jest-cli>@jest/core>jest-config>jest-runner>jest-runtime>@jest/globals>@jest/expect>jest-snapshot>@jest/transform>jest-haste-map>fsevents>node-gyp>tar"]}],"metadata":null,"vulnerable_versions":">=6.0.0 <6.1.1","module_name":"tar","severity":"high","github_advisory_id":"GHSA-3jfq-g458-7qm9","cves":["CVE-2021-32804"],"access":"public","patched_versions":">=6.1.1","cvss":{"score":8.2,"vectorString":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N"},"updated":"2023-02-01T05:05:55.000Z","recommendation":"Upgrade to version 6.1.1 or later","cwe":["CWE-22"],"found_by":null,"deleted":null,"id":1089682,"references":"- https://github.com/npm/node-tar/security/advisories/GHSA-3jfq-g458-7qm9\n- https://github.com/npm/node-tar/commit/1f036ca23f64a547bdd6c79c1a44bc62e8115da4\n- https://www.npmjs.com/advisories/1770\n- https://www.npmjs.com/package/tar\n- https://nvd.nist.gov/vuln/detail/CVE-2021-32804\n- https://www.oracle.com/security-alerts/cpuoct2021.html\n- https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf\n- https://github.com/advisories/GHSA-3jfq-g458-7qm9","created":"2021-08-03T19:06:36.000Z","reported_by":null,"title":"Arbitrary File Creation/Overwrite due to insufficient absolute path sanitization","npm_advisory_id":null,"overview":"### Impact\n\nArbitrary File Creation, Arbitrary File Overwrite, Arbitrary Code 
Execution\n\n`node-tar` aims to prevent extraction of absolute file paths by turning absolute paths into relative paths when the `preservePaths` flag is not set to `true`. This is achieved by stripping the absolute path root from any absolute file paths contained in a tar file. For example `/home/user/.bashrc` would turn into `home/user/.bashrc`. \n\nThis logic was insufficient when file paths contained repeated path roots such as `////home/user/.bashrc`. `node-tar` would only strip a single path root from such paths. When given an absolute file path with repeating path roots, the resulting path (e.g. `///home/user/.bashrc`) would still resolve to an absolute path, thus allowing arbitrary file creation and overwrite. \n\n### Patches\n\n3.2.2 || 4.4.14 || 5.0.6 || 6.1.1\n\nNOTE: an adjacent issue [CVE-2021-32803](https://github.com/npm/node-tar/security/advisories/GHSA-r628-mhmh-qjhw) affects this release level. Please ensure you update to the latest patch levels that address CVE-2021-32803 as well if this adjacent issue affects your `node-tar` use case.\n\n### Workarounds\n\nUsers may work around this vulnerability without upgrading by creating a custom `onentry` method which sanitizes the `entry.path` or a `filter` method which removes entries with absolute paths.\n\n```js\nconst path = require('path')\nconst tar = require('tar')\n\ntar.x({\n file: 'archive.tgz',\n // either add this function...\n onentry: (entry) => {\n if (path.isAbsolute(entry.path)) {\n entry.path = sanitizeAbsolutePathSomehow(entry.path)\n entry.absolute = path.resolve(entry.path)\n }\n },\n\n // or this one\n filter: (file, entry) => {\n if (path.isAbsolute(entry.path)) {\n return false\n } else {\n return true\n }\n }\n})\n```\n\nUsers are encouraged to upgrade to the latest patch versions, rather than attempt to sanitize tar input 
themselves.","url":"https://github.com/advisories/GHSA-3jfq-g458-7qm9"},"1089698":{"findings":[{"version":"0.15.6","paths":["xlsx"]}],"metadata":null,"vulnerable_versions":"<0.17.0","module_name":"xlsx","severity":"moderate","github_advisory_id":"GHSA-g973-978j-2c3p","cves":["CVE-2021-32014"],"access":"public","patched_versions":">=0.17.0","cvss":{"score":5.5,"vectorString":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"},"updated":"2023-02-01T05:05:54.000Z","recommendation":"Upgrade to version 0.17.0 or later","cwe":["CWE-345","CWE-400"],"found_by":null,"deleted":null,"id":1089698,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2021-32014\n- https://floqast.com/engineering-blog/post/fuzzing-and-parsing-securely/\n- https://sheetjs.com/pro\n- https://www.npmjs.com/package/xlsx/v/0.17.0\n- https://www.oracle.com/security-alerts/cpujan2022.html\n- https://github.com/advisories/GHSA-g973-978j-2c3p","created":"2021-07-22T19:47:15.000Z","reported_by":null,"title":"Denial of Service in SheetJS Pro","npm_advisory_id":null,"overview":"SheetJS Pro through 0.16.9 allows attackers to cause a denial of service (CPU consumption) via a crafted .xlsx document that is mishandled when read by xlsx.js.","url":"https://github.com/advisories/GHSA-g973-978j-2c3p"},"1089699":{"findings":[{"version":"0.15.6","paths":["xlsx"]}],"metadata":null,"vulnerable_versions":"<0.17.0","module_name":"xlsx","severity":"moderate","github_advisory_id":"GHSA-3x9f-74h4-2fqr","cves":["CVE-2021-32012"],"access":"public","patched_versions":">=0.17.0","cvss":{"score":5.5,"vectorString":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"},"updated":"2023-02-01T05:06:10.000Z","recommendation":"Upgrade to version 0.17.0 or later","cwe":["CWE-400"],"found_by":null,"deleted":null,"id":1089699,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2021-32012\n- https://floqast.com/engineering-blog/post/fuzzing-and-parsing-securely/\n- https://sheetjs.com/pro\n- https://www.npmjs.com/package/xlsx/v/0.17.0\n- 
https://www.oracle.com/security-alerts/cpujan2022.html\n- https://github.com/advisories/GHSA-3x9f-74h4-2fqr","created":"2021-07-22T19:48:17.000Z","reported_by":null,"title":"Denial of Service in SheetJS Pro","npm_advisory_id":null,"overview":"SheetJS Pro through 0.16.9 allows attackers to cause a denial of service (memory consumption) via a crafted .xlsx document that is mishandled when read by xlsx.js (issue 1 of 2).","url":"https://github.com/advisories/GHSA-3x9f-74h4-2fqr"},"1089700":{"findings":[{"version":"0.15.6","paths":["xlsx"]}],"metadata":null,"vulnerable_versions":"<0.17.0","module_name":"xlsx","severity":"moderate","github_advisory_id":"GHSA-8vcr-vxm8-293m","cves":["CVE-2021-32013"],"access":"public","patched_versions":">=0.17.0","cvss":{"score":5.5,"vectorString":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"},"updated":"2023-02-01T05:06:00.000Z","recommendation":"Upgrade to version 0.17.0 or later","cwe":["CWE-400"],"found_by":null,"deleted":null,"id":1089700,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2021-32013\n- https://floqast.com/engineering-blog/post/fuzzing-and-parsing-securely/\n- https://sheetjs.com/pro\n- https://www.npmjs.com/package/xlsx/v/0.17.0\n- https://www.oracle.com/security-alerts/cpujan2022.html\n- https://github.com/advisories/GHSA-8vcr-vxm8-293m","created":"2021-07-22T19:48:13.000Z","reported_by":null,"title":"Denial of Service in SheetsJS Pro","npm_advisory_id":null,"overview":"SheetJS Pro through 0.16.9 allows attackers to cause a denial of service (memory consumption) via a crafted .xlsx document that is mishandled when read by xlsx.js (issue 2 of 
2).","url":"https://github.com/advisories/GHSA-8vcr-vxm8-293m"},"1089716":{"findings":[{"version":"1.23.0","paths":["ngx-md>prismjs"]}],"metadata":null,"vulnerable_versions":"<1.24.0","module_name":"prismjs","severity":"high","github_advisory_id":"GHSA-gj77-59wh-66hg","cves":["CVE-2021-32723"],"access":"public","patched_versions":">=1.24.0","cvss":{"score":7.4,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:N/A:H"},"updated":"2023-02-01T05:05:49.000Z","recommendation":"Upgrade to version 1.24.0 or later","cwe":["CWE-400"],"found_by":null,"deleted":null,"id":1089716,"references":"- https://github.com/PrismJS/prism/security/advisories/GHSA-gj77-59wh-66hg\n- https://github.com/PrismJS/prism/pull/2688\n- https://github.com/PrismJS/prism/pull/2774\n- https://github.com/PrismJS/prism/commit/d85e30da6755fdbe7f8559f8e75d122297167018\n- https://nvd.nist.gov/vuln/detail/CVE-2021-32723\n- https://www.oracle.com/security-alerts/cpujan2022.html\n- https://github.com/advisories/GHSA-gj77-59wh-66hg","created":"2021-06-28T18:33:18.000Z","reported_by":null,"title":"Regular Expression Denial of Service (ReDoS) in Prism","npm_advisory_id":null,"overview":"Some languages before 1.24.0 are vulnerable to Regular Expression Denial of Service (ReDoS).\n\n### Impact\n\nWhen Prism is used to highlight untrusted (user-given) text, an attacker can craft a string that will take a very very long time to highlight. 
Do not use the following languages to highlight untrusted text.\n\n- ASCIIDoc\n- ERB\n\nOther languages are __not__ affected and can be used to highlight untrusted text.\n\n### Patches\nThis problem has been fixed in Prism v1.24.\n\n### References\n\n- PrismJS/prism#2774\n- PrismJS/prism#2688\n","url":"https://github.com/advisories/GHSA-gj77-59wh-66hg"},"1090424":{"findings":[{"version":"1.23.0","paths":["ngx-md>prismjs"]}],"metadata":null,"vulnerable_versions":">=1.14.0 <1.27.0","module_name":"prismjs","severity":"high","github_advisory_id":"GHSA-3949-f494-cm99","cves":["CVE-2022-23647"],"access":"public","patched_versions":">=1.27.0","cvss":{"score":7.5,"vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:L/A:L"},"updated":"2023-02-03T05:06:26.000Z","recommendation":"Upgrade to version 1.27.0 or later","cwe":["CWE-79"],"found_by":null,"deleted":null,"id":1090424,"references":"- https://github.com/PrismJS/prism/security/advisories/GHSA-3949-f494-cm99\n- https://nvd.nist.gov/vuln/detail/CVE-2022-23647\n- https://github.com/PrismJS/prism/pull/3341\n- https://github.com/PrismJS/prism/commit/e002e78c343154e1c0ddf9d6a0bb85689e1a5c7c\n- https://github.com/advisories/GHSA-3949-f494-cm99","created":"2022-02-22T19:32:18.000Z","reported_by":null,"title":"Cross-site Scripting in Prism","npm_advisory_id":null,"overview":"### Impact\nPrism's [Command line plugin](https://prismjs.com/plugins/command-line/) can be used by attackers to achieve an XSS attack. The Command line plugin did not properly escape its output, leading to the input text being inserted into the DOM as HTML code.\n\nServer-side usage of Prism is not impacted. 
Websites that do not use the Command Line plugin are also not impacted.\n\n### Patches\nThis bug has been fixed in v1.27.0.\n\n### Workarounds\nDo not use the Command line plugin on untrusted inputs, or sanitized all code blocks (remove all HTML code text) from all code blocks that use the Command line plugin.\n\n### References\n- https://github.com/PrismJS/prism/pull/3341","url":"https://github.com/advisories/GHSA-3949-f494-cm99"},"1091087":{"findings":[{"version":"8.5.1","paths":["jsonwebtoken"]}],"metadata":null,"vulnerable_versions":"<=8.5.1","module_name":"jsonwebtoken","severity":"moderate","github_advisory_id":"GHSA-hjrf-2m68-5959","cves":["CVE-2022-23541"],"access":"public","patched_versions":">=9.0.0","cvss":{"score":5,"vectorString":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L"},"updated":"2023-01-29T05:06:34.000Z","recommendation":"Upgrade to version 9.0.0 or later","cwe":["CWE-287"],"found_by":null,"deleted":null,"id":1091087,"references":"- https://github.com/auth0/node-jsonwebtoken/security/advisories/GHSA-hjrf-2m68-5959\n- https://github.com/auth0/node-jsonwebtoken/commit/e1fa9dcc12054a8681db4e6373da1b30cf7016e3\n- https://nvd.nist.gov/vuln/detail/CVE-2022-23541\n- https://github.com/auth0/node-jsonwebtoken/releases/tag/v9.0.0\n- https://github.com/advisories/GHSA-hjrf-2m68-5959","created":"2022-12-22T03:33:19.000Z","reported_by":null,"title":"jsonwebtoken's insecure implementation of key retrieval function could lead to Forgeable Public/Private Tokens from RSA to HMAC","npm_advisory_id":null,"overview":"# Overview\n\nVersions `<=8.5.1` of `jsonwebtoken` library can be misconfigured so that passing a poorly implemented key retrieval function (referring to the `secretOrPublicKey` argument from the [readme link](https://github.com/auth0/node-jsonwebtoken#jwtverifytoken-secretorpublickey-options-callback)) will result in incorrect verification of tokens. 
There is a possibility of using a different algorithm and key combination in verification than the one that was used to sign the tokens. Specifically, tokens signed with an asymmetric public key could be verified with a symmetric HS256 algorithm. This can lead to successful validation of forged tokens. \n\n# Am I affected?\n\nYou will be affected if your application is supporting usage of both symmetric key and asymmetric key in jwt.verify() implementation with the same key retrieval function. \n\n# How do I fix it?\n \nUpdate to version 9.0.0.\n\n# Will the fix impact my users?\n\nThere is no impact for end users","url":"https://github.com/advisories/GHSA-hjrf-2m68-5959"},"1091311":{"findings":[{"version":"6.0.5","paths":["@pact-foundation/pact-node>tar","@pact-foundation/pact>@pact-foundation/pact-node>tar","playwright>fsevents>node-gyp>tar","@pact-foundation/pact-node>bunyan>dtrace-provider>node-gyp>tar","@pact-foundation/pact-node>bunyan>dtrace-provider>nan>node-gyp>tar","@pact-foundation/pact>@pact-foundation/pact-node>bunyan>dtrace-provider>nan>node-gyp>tar","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>@jest/core>jest-haste-map>fsevents>node-gyp>tar","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>@jest/core>@jest/transform>jest-haste-map>fsevents>node-gyp>tar","@hmcts/rpx-xui-node-lib>jest-mock-axios>@jest/globals>@jest/expect>jest-snapshot>@jest/transform>jest-haste-map>fsevents>node-gyp>tar","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>@jest/core>jest-resolve-dependencies>jest-snapshot>@jest/transform>jest-haste-map>fsevents>node-gyp>tar","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>jest-cli>@jest/core>jest-resolve-dependencies>jest-snapshot>@jest/transform>jest-haste-map>fsevents>node-gyp>tar","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>@jest/core>jest-runtime>@jest/globals>@jest/expect>jest-snapshot>@jest/transform>jest-haste-map>fsevents>node-gyp>tar","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>@jest/core>jest-runner>jest-runtime>@jest/globals>@jest
/expect>jest-snapshot>@jest/transform>jest-haste-map>fsevents>node-gyp>tar","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>jest-cli>@jest/core>jest-runner>jest-runtime>@jest/globals>@jest/expect>jest-snapshot>@jest/transform>jest-haste-map>fsevents>node-gyp>tar","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>jest-cli>@jest/core>jest-config>jest-runner>jest-runtime>@jest/globals>@jest/expect>jest-snapshot>@jest/transform>jest-haste-map>fsevents>node-gyp>tar"]}],"metadata":null,"vulnerable_versions":">=6.0.0 <6.1.2","module_name":"tar","severity":"high","github_advisory_id":"GHSA-r628-mhmh-qjhw","cves":["CVE-2021-32803"],"access":"public","patched_versions":">=6.1.2","cvss":{"score":8.2,"vectorString":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N"},"updated":"2023-03-09T16:44:58.000Z","recommendation":"Upgrade to version 6.1.2 or later","cwe":["CWE-22","CWE-23","CWE-59"],"found_by":null,"deleted":null,"id":1091311,"references":"- https://github.com/npm/node-tar/security/advisories/GHSA-r628-mhmh-qjhw\n- https://github.com/npm/node-tar/commit/9dbdeb6df8e9dbd96fa9e84341b9d74734be6c20\n- https://www.npmjs.com/advisories/1771\n- https://nvd.nist.gov/vuln/detail/CVE-2021-32803\n- https://www.npmjs.com/package/tar\n- https://www.oracle.com/security-alerts/cpuoct2021.html\n- https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf\n- https://github.com/isaacs/node-tar/commit/46fe35083e2676e31c4e0a81639dce6da7aaa356\n- https://github.com/isaacs/node-tar/commit/5987d9a41f6bfbf1ddab1098e1fdcf1a5618f571\n- https://github.com/isaacs/node-tar/commit/85d3a942b4064e4ff171f91696fced7975167349\n- https://github.com/isaacs/node-tar/commit/9dbdeb6df8e9dbd96fa9e84341b9d74734be6c20\n- https://github.com/advisories/GHSA-r628-mhmh-qjhw","created":"2021-08-03T19:00:40.000Z","reported_by":null,"title":"Arbitrary File Creation/Overwrite via insufficient symlink protection due to directory cache poisoning","npm_advisory_id":null,"overview":"### Impact\n\nArbitrary File Creation, Arbitrary 
File Overwrite, Arbitrary Code Execution\n\n`node-tar` aims to guarantee that any file whose location would be modified by a symbolic link is not extracted. This is, in part, achieved by ensuring that extracted directories are not symlinks. Additionally, in order to prevent unnecessary `stat` calls to determine whether a given path is a directory, paths are cached when directories are created.\n\nThis logic was insufficient when extracting tar files that contained both a directory and a symlink with the same name as the directory. This order of operations resulted in the directory being created and added to the `node-tar` directory cache. When a directory is present in the directory cache, subsequent calls to mkdir for that directory are skipped. However, this is also where `node-tar` checks for symlinks occur.\n\nBy first creating a directory, and then replacing that directory with a symlink, it was thus possible to bypass `node-tar` symlink checks on directories, essentially allowing an untrusted tar file to symlink into an arbitrary location and subsequently extracting arbitrary files into that location, thus allowing arbitrary file creation and overwrite.\n\nThis issue was addressed in releases 3.2.3, 4.4.15, 5.0.7 and 6.1.2.\n\n### Patches\n\n3.2.3 || 4.4.15 || 5.0.7 || 6.1.2\n\n### Workarounds\n\nUsers may work around this vulnerability without upgrading by creating a custom `filter` method which prevents the extraction of symbolic links.\n\n```js\nconst tar = require('tar')\n\ntar.x({\n file: 'archive.tgz',\n filter: (file, entry) => {\n if (entry.type === 'SymbolicLink') {\n return false\n } else {\n return true\n }\n }\n})\n```\n\nUsers are encouraged to upgrade to the latest patch versions, rather than attempt to sanitize tar input 
themselves.","url":"https://github.com/advisories/GHSA-r628-mhmh-qjhw"},"1091341":{"findings":[{"version":"6.0.5","paths":["@pact-foundation/pact-node>tar","@pact-foundation/pact>@pact-foundation/pact-node>tar","playwright>fsevents>node-gyp>tar","@pact-foundation/pact-node>bunyan>dtrace-provider>node-gyp>tar","@pact-foundation/pact-node>bunyan>dtrace-provider>nan>node-gyp>tar","@pact-foundation/pact>@pact-foundation/pact-node>bunyan>dtrace-provider>nan>node-gyp>tar","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>@jest/core>jest-haste-map>fsevents>node-gyp>tar","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>@jest/core>@jest/transform>jest-haste-map>fsevents>node-gyp>tar","@hmcts/rpx-xui-node-lib>jest-mock-axios>@jest/globals>@jest/expect>jest-snapshot>@jest/transform>jest-haste-map>fsevents>node-gyp>tar","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>@jest/core>jest-resolve-dependencies>jest-snapshot>@jest/transform>jest-haste-map>fsevents>node-gyp>tar","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>jest-cli>@jest/core>jest-resolve-dependencies>jest-snapshot>@jest/transform>jest-haste-map>fsevents>node-gyp>tar","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>@jest/core>jest-runtime>@jest/globals>@jest/expect>jest-snapshot>@jest/transform>jest-haste-map>fsevents>node-gyp>tar","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>@jest/core>jest-runner>jest-runtime>@jest/globals>@jest/expect>jest-snapshot>@jest/transform>jest-haste-map>fsevents>node-gyp>tar","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>jest-cli>@jest/core>jest-runner>jest-runtime>@jest/globals>@jest/expect>jest-snapshot>@jest/transform>jest-haste-map>fsevents>node-gyp>tar","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>jest-cli>@jest/core>jest-config>jest-runner>jest-runtime>@jest/globals>@jest/expect>jest-snapshot>@jest/transform>jest-haste-map>fsevents>node-gyp>tar"]}],"metadata":null,"vulnerable_versions":">=6.0.0 
<6.1.7","module_name":"tar","severity":"high","github_advisory_id":"GHSA-9r2w-394v-53qc","cves":["CVE-2021-37701"],"access":"public","patched_versions":">=6.1.7","cvss":{"score":8.2,"vectorString":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N"},"updated":"2023-03-13T21:51:00.000Z","recommendation":"Upgrade to version 6.1.7 or later","cwe":["CWE-22","CWE-59"],"found_by":null,"deleted":null,"id":1091341,"references":"- https://github.com/npm/node-tar/security/advisories/GHSA-9r2w-394v-53qc\n- https://www.npmjs.com/package/tar\n- https://nvd.nist.gov/vuln/detail/CVE-2021-37701\n- https://www.oracle.com/security-alerts/cpuoct2021.html\n- https://www.debian.org/security/2021/dsa-5008\n- https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf\n- https://lists.debian.org/debian-lts-announce/2022/12/msg00023.html\n- https://github.com/advisories/GHSA-9r2w-394v-53qc","created":"2021-08-31T16:05:27.000Z","reported_by":null,"title":"Arbitrary File Creation/Overwrite via insufficient symlink protection due to directory cache poisoning using symbolic links","npm_advisory_id":null,"overview":"### Impact\n\nArbitrary File Creation, Arbitrary File Overwrite, Arbitrary Code Execution\n\n`node-tar` aims to guarantee that any file whose location would be modified by a symbolic link is not extracted. This is, in part, achieved by ensuring that extracted directories are not symlinks. Additionally, in order to prevent unnecessary stat calls to determine whether a given path is a directory, paths are cached when directories are created.\n\nThis logic was insufficient when extracting tar files that contained both a directory and a symlink with the same name as the directory, where the symlink and directory names in the archive entry used backslashes as a path separator on posix systems. 
The cache checking logic used both `\\` and `/` characters as path separators, however `\\` is a valid filename character on posix systems.\n\nBy first creating a directory, and then replacing that directory with a symlink, it was thus possible to bypass node-tar symlink checks on directories, essentially allowing an untrusted tar file to symlink into an arbitrary location and subsequently extracting arbitrary files into that location, thus allowing arbitrary file creation and overwrite.\n\nAdditionally, a similar confusion could arise on case-insensitive filesystems. If a tar archive contained a directory at `FOO`, followed by a symbolic link named `foo`, then on case-insensitive file systems, the creation of the symbolic link would remove the directory from the filesystem, but _not_ from the internal directory cache, as it would not be treated as a cache hit. A subsequent file entry within the `FOO` directory would then be placed in the target of the symbolic link, thinking that the directory had already been created. \n\nThese issues were addressed in releases 4.4.16, 5.0.8 and 6.1.7.\n\nThe v3 branch of `node-tar` has been deprecated and did not receive patches for these issues. If you are still using a v3 release we recommend you update to a more recent version of `node-tar`. If this is not possible, a workaround is available below.\n\n### Patches\n\n4.4.16 || 5.0.8 || 6.1.7\n\n### Workarounds\n\nUsers may work around this vulnerability without upgrading by creating a custom filter method which prevents the extraction of symbolic links.\n\n```js\nconst tar = require('tar')\n\ntar.x({\n file: 'archive.tgz',\n filter: (file, entry) => {\n if (entry.type === 'SymbolicLink') {\n return false\n } else {\n return true\n }\n }\n})\n```\n\nUsers are encouraged to upgrade to the latest patched versions, rather than attempt to sanitize tar input themselves.\n\n### Fix\n\nThe problem is addressed in the following ways:\n\n1. 
All paths are normalized to use `/` as a path separator, replacing `\\` with `/` on Windows systems, and leaving `\\` intact in the path on posix systems. This is performed in depth, at every level of the program where paths are consumed.\n2. Directory cache pruning is performed case-insensitively. This _may_ result in undue cache misses on case-sensitive file systems, but the performance impact is negligible.\n\n#### Caveat\n\nNote that this means that the `entry` objects exposed in various parts of tar's API will now always use `/` as a path separator, even on Windows systems. This is not expected to cause problems, as `/` is a valid path separator on Windows systems, but _may_ result in issues if `entry.path` is compared against a path string coming from some other API such as `fs.realpath()` or `path.resolve()`.\n\nUsers are encouraged to always normalize paths using a well-tested method such as `path.resolve()` before comparing paths to one another.","url":"https://github.com/advisories/GHSA-9r2w-394v-53qc"},"1091344":{"findings":[{"version":"6.0.5","paths":["@pact-foundation/pact-node>tar","@pact-foundation/pact>@pact-foundation/pact-node>tar","playwright>fsevents>node-gyp>tar","@pact-foundation/pact-node>bunyan>dtrace-provider>node-gyp>tar","@pact-foundation/pact-node>bunyan>dtrace-provider>nan>node-gyp>tar","@pact-foundation/pact>@pact-foundation/pact-node>bunyan>dtrace-provider>nan>node-gyp>tar","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>@jest/core>jest-haste-map>fsevents>node-gyp>tar","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>@jest/core>@jest/transform>jest-haste-map>fsevents>node-gyp>tar","@hmcts/rpx-xui-node-lib>jest-mock-axios>@jest/globals>@jest/expect>jest-snapshot>@jest/transform>jest-haste-map>fsevents>node-gyp>tar","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>@jest/core>jest-resolve-dependencies>jest-snapshot>@jest/transform>jest-haste-map>fsevents>node-gyp>tar","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>jest-cli>@jest/core>jest-resolve-
dependencies>jest-snapshot>@jest/transform>jest-haste-map>fsevents>node-gyp>tar","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>@jest/core>jest-runtime>@jest/globals>@jest/expect>jest-snapshot>@jest/transform>jest-haste-map>fsevents>node-gyp>tar","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>@jest/core>jest-runner>jest-runtime>@jest/globals>@jest/expect>jest-snapshot>@jest/transform>jest-haste-map>fsevents>node-gyp>tar","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>jest-cli>@jest/core>jest-runner>jest-runtime>@jest/globals>@jest/expect>jest-snapshot>@jest/transform>jest-haste-map>fsevents>node-gyp>tar","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>jest-cli>@jest/core>jest-config>jest-runner>jest-runtime>@jest/globals>@jest/expect>jest-snapshot>@jest/transform>jest-haste-map>fsevents>node-gyp>tar"]}],"metadata":null,"vulnerable_versions":">=6.0.0 <6.1.9","module_name":"tar","severity":"high","github_advisory_id":"GHSA-5955-9wpr-37jh","cves":["CVE-2021-37713"],"access":"public","patched_versions":">=6.1.9","cvss":{"score":8.2,"vectorString":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N"},"updated":"2023-03-13T21:47:38.000Z","recommendation":"Upgrade to version 6.1.9 or later","cwe":["CWE-22"],"found_by":null,"deleted":null,"id":1091344,"references":"- https://github.com/npm/node-tar/security/advisories/GHSA-5955-9wpr-37jh\n- https://www.npmjs.com/package/tar\n- https://nvd.nist.gov/vuln/detail/CVE-2021-37713\n- https://www.oracle.com/security-alerts/cpuoct2021.html\n- https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf\n- https://github.com/isaacs/node-tar/commit/52b09e309bcae0c741a7eb79a17ef36e7828b946\n- https://github.com/isaacs/node-tar/commit/82eac952f7c10765969ed464e549375854b26edc\n- https://github.com/isaacs/node-tar/commit/875a37e3ec031186fc6599f6807341f56c584598\n- https://github.com/advisories/GHSA-5955-9wpr-37jh","created":"2021-08-31T16:05:05.000Z","reported_by":null,"title":"Arbitrary File Creation/Overwrite on Windows via insufficient 
relative path sanitization","npm_advisory_id":null,"overview":"### Impact\n\nArbitrary File Creation, Arbitrary File Overwrite, Arbitrary Code Execution\n\nnode-tar aims to guarantee that any file whose location would be outside of the extraction target directory is not extracted. This is, in part, accomplished by sanitizing absolute paths of entries within the archive, skipping archive entries that contain `..` path portions, and resolving the sanitized paths against the extraction target directory.\n\nThis logic was insufficient on Windows systems when extracting tar files that contained a path that was not an absolute path, but specified a drive letter different from the extraction target, such as `C:some\\path`. If the drive letter does not match the extraction target, for example `D:\\extraction\\dir`, then the result of `path.resolve(extractionDirectory, entryPath)` would resolve against the current working directory on the `C:` drive, rather than the extraction target directory.\n\nAdditionally, a `..` portion of the path could occur immediately after the drive letter, such as `C:../foo`, and was not properly sanitized by the logic that checked for `..` within the normalized and split portions of the path.\n\nThis only affects users of `node-tar` on Windows systems.\n\n### Patches\n\n4.4.18 || 5.0.10 || 6.1.9\n\n### Workarounds\n\nThere is no reasonable way to work around this issue without performing the same path normalization procedures that node-tar now does.\n\nUsers are encouraged to upgrade to the latest patched versions of node-tar, rather than attempt to sanitize paths themselves.\n\n### Fix\n\nThe fixed versions strip path roots from all paths prior to being resolved against the extraction target folder, even if such paths are not \"absolute\".\n\nAdditionally, a path starting with a drive letter and then two dots, like `c:../`, would bypass the check for `..` path portions. 
This is checked properly in the patched versions.\n\nFinally, a defense in depth check is added, such that if the `entry.absolute` is outside of the extraction taret, and we are not in preservePaths:true mode, a warning is raised on that entry, and it is skipped. Currently, it is believed that this check is redundant, but it did catch some oversights in development.\n","url":"https://github.com/advisories/GHSA-5955-9wpr-37jh"},"1091430":{"findings":[{"version":"2.29.0","paths":["@hmcts/nodejs-healthcheck>@hmcts/nodejs-logging>moment","@pact-foundation/pact>@pact-foundation/pact-node>bunyan>moment"]}],"metadata":null,"vulnerable_versions":"<2.29.2","module_name":"moment","severity":"high","github_advisory_id":"GHSA-8hfj-j24r-96c4","cves":["CVE-2022-24785"],"access":"public","patched_versions":">=2.29.2","cvss":{"score":7.5,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},"updated":"2023-03-20T22:35:12.000Z","recommendation":"Upgrade to version 2.29.2 or later","cwe":["CWE-22","CWE-27"],"found_by":null,"deleted":null,"id":1091430,"references":"- https://github.com/moment/moment/security/advisories/GHSA-8hfj-j24r-96c4\n- https://nvd.nist.gov/vuln/detail/CVE-2022-24785\n- https://github.com/moment/moment/commit/4211bfc8f15746be4019bba557e29a7ba83d54c5\n- https://www.tenable.com/security/tns-2022-09\n- https://security.netapp.com/advisory/ntap-20220513-0006/\n- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6QIO6YNLTK2T7SPKDS4JEL45FANLNC2Q/\n- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ORJX2LF6KMPIHP6B2P6KZIVKMLE3LVJ5/\n- https://lists.debian.org/debian-lts-announce/2023/01/msg00035.html\n- https://github.com/advisories/GHSA-8hfj-j24r-96c4","created":"2022-04-04T21:25:48.000Z","reported_by":null,"title":"Path Traversal: 'dir/../../filename' in moment.locale","npm_advisory_id":null,"overview":"### Impact\nThis vulnerability impacts npm (server) users of 
moment.js, especially if user provided locale string, eg `fr` is directly used to switch moment locale.\n\n### Patches\nThis problem is patched in 2.29.2, and the patch can be applied to all affected versions (from 1.0.1 up until 2.29.1, inclusive).\n\n### Workarounds\nSanitize user-provided locale name before passing it to moment.js.\n\n### References\n_Are there any links users can visit to find out more?_\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue in [moment repo](https://github.com/moment/moment)\n","url":"https://github.com/advisories/GHSA-8hfj-j24r-96c4"},"1091441":{"findings":[{"version":"2.29.0","paths":["@hmcts/nodejs-healthcheck>@hmcts/nodejs-logging>moment","@pact-foundation/pact>@pact-foundation/pact-node>bunyan>moment"]}],"metadata":null,"vulnerable_versions":">=2.18.0 <2.29.4","module_name":"moment","severity":"high","github_advisory_id":"GHSA-wc69-rhjr-hc9g","cves":["CVE-2022-31129"],"access":"public","patched_versions":">=2.29.4","cvss":{"score":7.5,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},"updated":"2023-03-20T23:29:32.000Z","recommendation":"Upgrade to version 2.29.4 or later","cwe":["CWE-400","CWE-1333"],"found_by":null,"deleted":null,"id":1091441,"references":"- https://github.com/moment/moment/security/advisories/GHSA-wc69-rhjr-hc9g\n- https://github.com/moment/moment/pull/6015#issuecomment-1152961973\n- https://github.com/moment/moment/commit/9a3b5894f3d5d602948ac8a02e4ee528a49ca3a3\n- https://nvd.nist.gov/vuln/detail/CVE-2022-31129\n- https://huntr.dev/bounties/f0952b67-f2ff-44a9-a9cd-99e0a87cb633/\n- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6QIO6YNLTK2T7SPKDS4JEL45FANLNC2Q/\n- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ORJX2LF6KMPIHP6B2P6KZIVKMLE3LVJ5/\n- 
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IWY24RJA3SBJGA5N4CU4VBPHJPPPJL5O/\n- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZMX5YHELQVCGKKQVFXIYOTBMN23YYSRO/\n- https://security.netapp.com/advisory/ntap-20221014-0003/\n- https://lists.debian.org/debian-lts-announce/2023/01/msg00035.html\n- https://github.com/moment/moment/pull/6015/commits/4bbb9f3ccbe231de40207503f344fe5ce97584f4\n- https://github.com/moment/moment/pull/6015/commits/bfd4f2375d5c1a2106246721d693a9611dddfbfe\n- https://github.com/moment/moment/pull/6015/commits/dc0d180e90d8a84f7ff13572363330a22b3ea504\n- https://github.com/advisories/GHSA-wc69-rhjr-hc9g","created":"2022-07-06T18:38:49.000Z","reported_by":null,"title":"Moment.js vulnerable to Inefficient Regular Expression Complexity","npm_advisory_id":null,"overview":"### Impact\n\n* using string-to-date parsing in moment (more specifically rfc2822 parsing, which is tried by default) has quadratic (N^2) complexity on specific inputs\n* noticeable slowdown is observed with inputs above 10k characters\n* users who pass user-provided strings without sanity length checks to moment constructor are vulnerable to (Re)DoS attacks\n\n### Patches\nThe problem is patched in 2.29.4, the patch can be applied to all affected versions with minimal tweaking.\n\n### Workarounds\nIn general, given the proliferation of ReDoS attacks, it makes sense to limit the length of the user input to something sane, like 200 characters or less. 
I haven't seen legitimate cases of date-time strings longer than that, so all moment users who do pass a user-originating string to constructor are encouraged to apply such a rudimentary filter, that would help with this but also most future ReDoS vulnerabilities.\n\n### References\nThere is an excellent writeup of the issue here: https://github.com/moment/moment/pull/6015#issuecomment-1152961973=\n\n### Details\nThe issue is rooted in the code that removes legacy comments (stuff inside parenthesis) from strings during rfc2822 parsing. `moment(\"(\".repeat(500000))` will take a few minutes to process, which is unacceptable.","url":"https://github.com/advisories/GHSA-wc69-rhjr-hc9g"},"1091453":{"findings":[{"version":"0.8.4","paths":["git-rev-sync>shelljs"]}],"metadata":null,"vulnerable_versions":"<0.8.5","module_name":"shelljs","severity":"high","github_advisory_id":"GHSA-4rq4-32rv-6wp6","cves":["CVE-2022-0144"],"access":"public","patched_versions":">=0.8.5","cvss":{"score":7.1,"vectorString":"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H"},"updated":"2023-03-21T20:10:17.000Z","recommendation":"Upgrade to version 0.8.5 or later","cwe":["CWE-269"],"found_by":null,"deleted":null,"id":1091453,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2022-0144\n- https://github.com/shelljs/shelljs/commit/d919d22dd6de385edaa9d90313075a77f74b338c\n- https://huntr.dev/bounties/50996581-c08e-4eed-a90e-c0bac082679c\n- https://github.com/advisories/GHSA-4rq4-32rv-6wp6","created":"2022-01-21T23:37:28.000Z","reported_by":null,"title":"Improper Privilege Management in shelljs","npm_advisory_id":null,"overview":"shelljs is vulnerable to Improper Privilege Management","url":"https://github.com/advisories/GHSA-4rq4-32rv-6wp6"},"1091470":{"findings":[{"version":"1.8.3","paths":["@pact-foundation/pact-node>underscore","@pact-foundation/pact>@pact-foundation/pact-node>underscore"]}],"metadata":null,"vulnerable_versions":">=1.3.2 
<1.12.1","module_name":"underscore","severity":"critical","github_advisory_id":"GHSA-cf4h-3jhx-xvhq","cves":["CVE-2021-23358"],"access":"public","patched_versions":">=1.12.1","cvss":{"score":9.8,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},"updated":"2023-03-23T20:56:35.000Z","recommendation":"Upgrade to version 1.12.1 or later","cwe":["CWE-94"],"found_by":null,"deleted":null,"id":1091470,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2021-23358\n- https://github.com/jashkenas/underscore/pull/2917\n- https://github.com/jashkenas/underscore/commit/4c73526d43838ad6ab43a6134728776632adeb66\n- https://github.com/jashkenas/underscore/releases/tag/1.12.1\n- https://snyk.io/vuln/SNYK-JS-UNDERSCORE-1080984\n- https://www.npmjs.com/package/underscore\n- https://github.com/jashkenas/underscore/blob/master/modules/template.js%23L71\n- https://lists.debian.org/debian-lts-announce/2021/03/msg00038.html\n- https://www.debian.org/security/2021/dsa-4883\n- https://lists.apache.org/thread.html/r5df90c46f7000c4aab246e947f62361ecfb849c5a553dcdb0ef545e1@%3Cissues.cordova.apache.org%3E\n- https://lists.apache.org/thread.html/r770f910653772317b117ab4472b0a32c266ee4abbafda28b8a6f9306@%3Cissues.cordova.apache.org%3E\n- https://lists.apache.org/thread.html/raae088abdfa4fbd84e1d19d7a7ffe52bf8e426b83e6599ea9a734dba@%3Cissues.cordova.apache.org%3E\n- https://lists.apache.org/thread.html/rbc84926bacd377503a3f5c37b923c1931f9d343754488d94e6f08039@%3Cissues.cordova.apache.org%3E\n- https://lists.apache.org/thread.html/re69ee408b3983b43e9c4a82a9a17cbbf8681bb91a4b61b46f365aeaf@%3Cissues.cordova.apache.org%3E\n- https://www.tenable.com/security/tns-2021-14\n- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EOKATXXETD2PF3OR36Q5PD2VSVAR6J5Z/\n- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FGEE7U4Z655A2MK5EW4UQQZ7B64XJWBV/\n- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1081504\n- 
https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBJASHKENAS-1081505\n- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1081503\n- https://github.com/advisories/GHSA-cf4h-3jhx-xvhq","created":"2021-05-06T16:09:43.000Z","reported_by":null,"title":"Arbitrary Code Execution in underscore","npm_advisory_id":null,"overview":"The package `underscore` from 1.13.0-0 and before 1.13.0-2, from 1.3.2 and before 1.12.1 are vulnerable to Arbitrary Code Execution via the template function, particularly when a variable property is passed as an argument as it is not sanitized.","url":"https://github.com/advisories/GHSA-cf4h-3jhx-xvhq"},"1091472":{"findings":[{"version":"0.2.3","paths":["@pact-foundation/pact-node>request>http-signature>jsprim>json-schema","@pact-foundation/pact>@pact-foundation/pact-node>request>http-signature>jsprim>json-schema"]}],"metadata":null,"vulnerable_versions":"<0.4.0","module_name":"json-schema","severity":"critical","github_advisory_id":"GHSA-896r-f27r-55mw","cves":["CVE-2021-3918"],"access":"public","patched_versions":">=0.4.0","cvss":{"score":9.8,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},"updated":"2023-03-23T20:35:18.000Z","recommendation":"Upgrade to version 0.4.0 or later","cwe":["CWE-915","CWE-1321"],"found_by":null,"deleted":null,"id":1091472,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2021-3918\n- https://github.com/kriszyp/json-schema/commit/22f146111f541d9737e832823699ad3528ca7741\n- https://huntr.dev/bounties/bb6ccd63-f505-4e3a-b55f-cd2662c261a9\n- https://github.com/kriszyp/json-schema/commit/b62f1da1ff5442f23443d6be6a92d00e65cba93a\n- https://github.com/kriszyp/json-schema/commit/f6f6a3b02d667aa4ba2d5d50cc19208c4462abfa\n- https://lists.debian.org/debian-lts-announce/2022/12/msg00013.html\n- https://github.com/advisories/GHSA-896r-f27r-55mw","created":"2021-11-19T20:16:17.000Z","reported_by":null,"title":"json-schema is vulnerable to Prototype Pollution","npm_advisory_id":null,"overview":"json-schema before 
version 0.4.0 is vulnerable to Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution').","url":"https://github.com/advisories/GHSA-896r-f27r-55mw"},"1092316":{"findings":[{"version":"4.1.0","paths":["playwright>fsevents>node-gyp>make-fetch-happen>http-cache-semantics","@pact-foundation/pact-node>bunyan>dtrace-provider>node-gyp>make-fetch-happen>http-cache-semantics","@pact-foundation/pact-node>bunyan>dtrace-provider>nan>node-gyp>make-fetch-happen>http-cache-semantics","@pact-foundation/pact>@pact-foundation/pact-node>bunyan>dtrace-provider>nan>node-gyp>make-fetch-happen>http-cache-semantics","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>@jest/core>jest-haste-map>fsevents>node-gyp>make-fetch-happen>http-cache-semantics","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>@jest/core>@jest/transform>jest-haste-map>fsevents>node-gyp>make-fetch-happen>http-cache-semantics","@hmcts/rpx-xui-node-lib>jest-mock-axios>@jest/globals>@jest/expect>jest-snapshot>@jest/transform>jest-haste-map>fsevents>node-gyp>make-fetch-happen>http-cache-semantics","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>@jest/core>jest-resolve-dependencies>jest-snapshot>@jest/transform>jest-haste-map>fsevents>node-gyp>make-fetch-happen>http-cache-semantics","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>jest-cli>@jest/core>jest-resolve-dependencies>jest-snapshot>@jest/transform>jest-haste-map>fsevents>node-gyp>make-fetch-happen>http-cache-semantics","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>@jest/core>jest-runtime>@jest/globals>@jest/expect>jest-snapshot>@jest/transform>jest-haste-map>fsevents>node-gyp>make-fetch-happen>http-cache-semantics","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>@jest/core>jest-runner>jest-runtime>@jest/globals>@jest/expect>jest-snapshot>@jest/transform>jest-haste-map>fsevents>node-gyp>make-fetch-happen>http-cache-semantics","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>jest-cli>@jest/core>jest-runner>jest-runtime>@jest/globals>@jest/expect>jest-snap
shot>@jest/transform>jest-haste-map>fsevents>node-gyp>make-fetch-happen>http-cache-semantics","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>jest-cli>@jest/core>jest-config>jest-runner>jest-runtime>@jest/globals>@jest/expect>jest-snapshot>@jest/transform>jest-haste-map>fsevents>node-gyp>make-fetch-happen>http-cache-semantics"]}],"metadata":null,"vulnerable_versions":"<4.1.1","module_name":"http-cache-semantics","severity":"high","github_advisory_id":"GHSA-rc47-6667-2j5j","cves":["CVE-2022-25881"],"access":"public","patched_versions":">=4.1.1","cvss":{"score":7.5,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},"updated":"2023-06-22T17:26:15.000Z","recommendation":"Upgrade to version 4.1.1 or later","cwe":["CWE-1333"],"found_by":null,"deleted":null,"id":1092316,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2022-25881\n- https://github.com/kornelski/http-cache-semantics/blob/master/index.js%23L83\n- https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-3253332\n- https://security.snyk.io/vuln/SNYK-JS-HTTPCACHESEMANTICS-3248783\n- https://github.com/kornelski/http-cache-semantics/commit/560b2d8ef452bbba20ffed69dc155d63ac757b74\n- https://security.netapp.com/advisory/ntap-20230622-0008/\n- https://github.com/advisories/GHSA-rc47-6667-2j5j","created":"2023-01-31T06:30:26.000Z","reported_by":null,"title":"http-cache-semantics vulnerable to Regular Expression Denial of Service","npm_advisory_id":null,"overview":"http-cache semantics contains an Inefficient Regular Expression Complexity , leading to Denial of Service. This affects versions of the package http-cache-semantics before 4.1.1. 
The issue can be exploited via malicious request header values sent to a server, when that server reads the cache policy from the request using this library.","url":"https://github.com/advisories/GHSA-rc47-6667-2j5j"},"1092423":{"findings":[{"version":"2.6.3","paths":["@hmcts/nodejs-healthcheck>@hmcts/nodejs-logging>winston>async","@hmcts/rpx-xui-node-lib>jest-ts-auto-mock>ts-auto-mock>winston>async"]}],"metadata":null,"vulnerable_versions":">=2.0.0 <2.6.4","module_name":"async","severity":"high","github_advisory_id":"GHSA-fwr7-v2mv-hh25","cves":["CVE-2021-43138"],"access":"public","patched_versions":">=2.6.4","cvss":{"score":7.8,"vectorString":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},"updated":"2023-07-07T18:19:47.000Z","recommendation":"Upgrade to version 2.6.4 or later","cwe":["CWE-1321"],"found_by":null,"deleted":null,"id":1092423,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2021-43138\n- https://github.com/caolan/async/commit/e1ecdbf79264f9ab488c7799f4c76996d5dca66d\n- https://github.com/caolan/async/blob/master/lib/internal/iterator.js\n- https://github.com/caolan/async/blob/master/lib/mapValuesLimit.js\n- https://jsfiddle.net/oz5twjd9/\n- https://github.com/caolan/async/pull/1828\n- https://github.com/caolan/async/commit/8f7f90342a6571ba1c197d747ebed30c368096d2\n- https://github.com/caolan/async/blob/v2.6.4/CHANGELOG.md#v264\n- https://github.com/caolan/async/compare/v2.6.3...v2.6.4\n- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MTEUUTNIEBHGKUKKLNUZSV7IEP6IP3Q3/\n- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UM6XJ73Q3NAM5KSGCOKJ2ZIA6GUWUJLK/\n- https://github.com/advisories/GHSA-fwr7-v2mv-hh25","created":"2022-04-07T00:00:17.000Z","reported_by":null,"title":"Prototype Pollution in async","npm_advisory_id":null,"overview":"A vulnerability exists in Async through 3.2.1 for 3.x and through 2.6.3 for 2.x (fixed in 3.2.2 and 2.6.4), which could let 
a malicious user obtain privileges via the `mapValues()` method.","url":"https://github.com/advisories/GHSA-fwr7-v2mv-hh25"},"1092470":{"findings":[{"version":"2.4.3","paths":["@pact-foundation/pact-node>request>tough-cookie","@pact-foundation/pact>@pact-foundation/pact-node>request>tough-cookie"]}],"metadata":null,"vulnerable_versions":"<4.1.3","module_name":"tough-cookie","severity":"moderate","github_advisory_id":"GHSA-72xf-g2v4-qvf3","cves":["CVE-2023-26136"],"access":"public","patched_versions":">=4.1.3","cvss":{"score":6.5,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"},"updated":"2023-07-11T13:44:36.000Z","recommendation":"Upgrade to version 4.1.3 or later","cwe":["CWE-1321"],"found_by":null,"deleted":null,"id":1092470,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2023-26136\n- https://github.com/salesforce/tough-cookie/issues/282\n- https://github.com/salesforce/tough-cookie/commit/12d474791bb856004e858fdb1c47b7608d09cf6e\n- https://github.com/salesforce/tough-cookie/releases/tag/v4.1.3\n- https://security.snyk.io/vuln/SNYK-JS-TOUGHCOOKIE-5672873\n- https://lists.debian.org/debian-lts-announce/2023/07/msg00010.html\n- https://github.com/advisories/GHSA-72xf-g2v4-qvf3","created":"2023-07-01T06:30:16.000Z","reported_by":null,"title":"tough-cookie Prototype Pollution vulnerability","npm_advisory_id":null,"overview":"Versions of the package tough-cookie before 4.1.3 are vulnerable to Prototype Pollution due to improper handling of Cookies when using CookieJar in `rejectPublicSuffixes=false` mode. 
This issue arises from the manner in which the objects are initialized.","url":"https://github.com/advisories/GHSA-72xf-g2v4-qvf3"},"1092549":{"findings":[{"version":"8.5.1","paths":["jsonwebtoken"]}],"metadata":null,"vulnerable_versions":"<9.0.0","module_name":"jsonwebtoken","severity":"moderate","github_advisory_id":"GHSA-qwph-4952-7xr6","cves":["CVE-2022-23540"],"access":"public","patched_versions":">=9.0.0","cvss":{"score":6.4,"vectorString":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:L"},"updated":"2023-07-14T22:03:14.000Z","recommendation":"Upgrade to version 9.0.0 or later","cwe":["CWE-287","CWE-327","CWE-347"],"found_by":null,"deleted":null,"id":1092549,"references":"- https://github.com/auth0/node-jsonwebtoken/security/advisories/GHSA-qwph-4952-7xr6\n- https://github.com/auth0/node-jsonwebtoken/commit/e1fa9dcc12054a8681db4e6373da1b30cf7016e3\n- https://nvd.nist.gov/vuln/detail/CVE-2022-23540\n- https://github.com/advisories/GHSA-qwph-4952-7xr6","created":"2022-12-22T03:32:59.000Z","reported_by":null,"title":"jsonwebtoken vulnerable to signature validation bypass due to insecure default algorithm in jwt.verify()","npm_advisory_id":null,"overview":"# Overview\n\nIn versions <=8.5.1 of jsonwebtoken library, lack of algorithm definition and a falsy secret or key in the `jwt.verify()` function can lead to signature validation bypass due to defaulting to the `none` algorithm for signature verification.\n\n# Am I affected?\nYou will be affected if all the following are true in the `jwt.verify()` function:\n- a token with no signature is received\n- no algorithms are specified \n- a falsy (e.g. null, false, undefined) secret or key is passed \n\n# How do I fix it?\n \nUpdate to version 9.0.0 which removes the default support for the none algorithm in the `jwt.verify()` method. \n\n# Will the fix impact my users?\n\nThere will be no impact, if you update to version 9.0.0 and you don’t need to allow for the `none` algorithm. 
If you need 'none' algorithm, you have to explicitly specify that in `jwt.verify()` options.\n","url":"https://github.com/advisories/GHSA-qwph-4952-7xr6"},"1092636":{"findings":[{"version":"1.28.1","paths":["@hmcts/rpx-xui-node-lib>openid-client>jose"]}],"metadata":null,"vulnerable_versions":">=1.0.0 <=1.28.1","module_name":"jose","severity":"moderate","github_advisory_id":"GHSA-jv3g-j58f-9mq9","cves":["CVE-2022-36083"],"access":"public","patched_versions":">=1.28.2","cvss":{"score":5.3,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},"updated":"2023-07-21T21:33:36.000Z","recommendation":"Upgrade to version 1.28.2 or later","cwe":["CWE-400","CWE-834"],"found_by":null,"deleted":null,"id":1092636,"references":"- https://github.com/panva/jose/security/advisories/GHSA-jv3g-j58f-9mq9\n- https://nvd.nist.gov/vuln/detail/CVE-2022-36083\n- https://github.com/panva/jose/commit/03d6d013bf6e070e85adfe5731f526978e3e8e4d\n- https://github.com/panva/jose/releases/tag/v4.9.2\n- https://github.com/advisories/GHSA-jv3g-j58f-9mq9","created":"2022-09-16T17:44:42.000Z","reported_by":null,"title":"JOSE vulnerable to resource exhaustion via specifically crafted JWE","npm_advisory_id":null,"overview":"The PBKDF2-based JWE key management algorithms expect a JOSE Header Parameter named `p2c` ([PBES2 Count](https://www.rfc-editor.org/rfc/rfc7518.html#section-4.8.1.2)), which determines how many PBKDF2 iterations must be executed in order to derive a CEK wrapping key. 
The purpose of this parameter is to intentionally slow down the key derivation function in order to make password brute-force and dictionary attacks more expensive.\n\nThis makes the PBES2 algorithms unsuitable for situations where the JWE is coming from an untrusted source: an adversary can intentionally pick an extremely high PBES2 Count value, that will initiate a CPU-bound computation that may take an unreasonable amount of time to finish.\n\n### Impact\n\nUnder certain conditions (see below) it is possible to have the user's environment consume unreasonable amount of CPU time.\n\n### Affected users\n\nThe impact is limited only to users utilizing the JWE decryption APIs with symmetric secrets to decrypt JWEs from untrusted parties who do not limit the accepted JWE Key Management Algorithms (`alg` Header Parameter) using the `keyManagementAlgorithms` (or `algorithms` in v1.x) decryption option or through other means.\n\nThe PBKDF2-based JWE Key Management Algorithm Identifiers are\n\n- `PBES2-HS256+A128KW`\n- `PBES2-HS384+A192KW`\n- `PBES2-HS512+A256KW`\n\ne.g.\n\n```js\nconst secret = new Uint8Array(16)\nconst jwe = '...' // JWE from an untrusted party\n\nawait jose.compactDecrypt(jwe, secret)\n```\n\nYou are NOT affected if any of the following applies to you\n\n- Your code does not use the JWE APIs\n- Your code only produces JWE tokens\n- Your code only decrypts JWEs using an asymmetric JWE Key Management Algorithm (this means you're providing an asymmetric key object to the JWE decryption API)\n- Your code only accepts JWEs produced by trusted sources\n- Your code limits the accepted JWE Key Management Algorithms using the `keyManagementAlgorithms` decryption option not including any of the PBKDF2-based JWE key management algorithms\n\n### Patches\n\n`v1.28.2`, `v2.0.6`, `v3.20.4`, and `v4.9.2` releases limit the maximum PBKDF2 iteration count to `10000` by default. 
It is possible to adjust this limit with a newly introduced `maxPBES2Count` decryption option.\n\n### Workarounds\n\nAll users should be able to upgrade given all stable semver major release lines have had new a patch release introduced which limits the PBKDF2 iteration count to `10000` by default. This removes the ability to craft JWEs that would consume unreasonable amount of CPU time.\n\nIf users are unable to upgrade their required library version they have two options depending on whether they expect to receive JWEs using any of the three PBKDF2-based JWE key management algorithms.\n\n- they can use the `keyManagementAlgorithms` decryption option to disable accepting PBKDF2 altogether\n- they can inspect the JOSE Header prior to using the decryption API and limit the PBKDF2 iteration count (`p2c` Header Parameter)\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an discussion in the project's [repository](https://github.com/panva/jose/discussions/new?category=q-a&title=GHSA-jv3g-j58f-9mq9%20advisory%20question)\n* Email me at [panva.ip@gmail.com](mailto:panva.ip@gmail.com)\n","url":"https://github.com/advisories/GHSA-jv3g-j58f-9mq9"},"1092964":{"findings":[{"version":"0.7.0","paths":["ngx-md>marked"]}],"metadata":null,"vulnerable_versions":"<4.0.10","module_name":"marked","severity":"high","github_advisory_id":"GHSA-5v2h-r2cx-5xgj","cves":["CVE-2022-21681"],"access":"public","patched_versions":">=4.0.10","cvss":{"score":7.5,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},"updated":"2023-08-14T05:04:30.000Z","recommendation":"Upgrade to version 4.0.10 or later","cwe":["CWE-1333"],"found_by":null,"deleted":null,"id":1092964,"references":"- https://github.com/markedjs/marked/security/advisories/GHSA-5v2h-r2cx-5xgj\n- https://nvd.nist.gov/vuln/detail/CVE-2022-21681\n- https://github.com/markedjs/marked/commit/8f806573a3f6c6b7a39b8cdb66ab5ebb8d55a5f5\n- 
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AIXDMC3CSHYW3YWVSQOXAWLUYQHAO5UX/\n- https://github.com/advisories/GHSA-5v2h-r2cx-5xgj","created":"2022-01-14T21:04:46.000Z","reported_by":null,"title":"Inefficient Regular Expression Complexity in marked","npm_advisory_id":null,"overview":"### Impact\n\n_What kind of vulnerability is it?_\n\nDenial of service.\n\nThe regular expression `inline.reflinkSearch` may cause catastrophic backtracking against some strings.\nPoC is the following.\n\n```javascript\nimport * as marked from 'marked';\n\nconsole.log(marked.parse(`[x]: x\n\n\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](`));\n```\n\n_Who is impacted?_\n\nAnyone who runs untrusted markdown through marked and does not use a worker with a time limit.\n\n### Patches\n\n_Has the problem been patched?_\n\nYes\n\n_What versions should users upgrade to?_\n\n4.0.10\n\n### Workarounds\n\n_Is there a way for users to fix or remediate the vulnerability without upgrading?_\n\nDo not run untrusted markdown through marked or run marked on a [worker](https://marked.js.org/using_advanced#workers) thread and set a reasonable time limit to prevent draining resources.\n\n### References\n\n_Are there any links users can visit to find out more?_\n\n- https://marked.js.org/using_advanced#workers\n- https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS\n\n### For more information\n\nIf you have any questions or comments about this advisory:\n\n* Open an issue in 
[marked](https://github.com/markedjs/marked)\n","url":"https://github.com/advisories/GHSA-5v2h-r2cx-5xgj"},"1092969":{"findings":[{"version":"0.7.0","paths":["ngx-md>marked"]}],"metadata":null,"vulnerable_versions":"<4.0.10","module_name":"marked","severity":"high","github_advisory_id":"GHSA-rrrm-qjm4-v8hf","cves":["CVE-2022-21680"],"access":"public","patched_versions":">=4.0.10","cvss":{"score":7.5,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},"updated":"2023-08-14T05:03:59.000Z","recommendation":"Upgrade to version 4.0.10 or later","cwe":["CWE-400","CWE-1333"],"found_by":null,"deleted":null,"id":1092969,"references":"- https://github.com/markedjs/marked/security/advisories/GHSA-rrrm-qjm4-v8hf\n- https://nvd.nist.gov/vuln/detail/CVE-2022-21680\n- https://github.com/markedjs/marked/commit/c4a3ccd344b6929afa8a1d50ac54a721e57012c0\n- https://github.com/markedjs/marked/releases/tag/v4.0.10\n- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AIXDMC3CSHYW3YWVSQOXAWLUYQHAO5UX/\n- https://github.com/advisories/GHSA-rrrm-qjm4-v8hf","created":"2022-01-14T21:04:41.000Z","reported_by":null,"title":"Inefficient Regular Expression Complexity in marked","npm_advisory_id":null,"overview":"### Impact\n\n_What kind of vulnerability is it?_\n\nDenial of service.\n\nThe regular expression `block.def` may cause catastrophic backtracking against some strings.\nPoC is the following.\n\n```javascript\nimport * as marked from \"marked\";\n\nmarked.parse(`[x]:${' '.repeat(1500)}x ${' '.repeat(1500)} x`);\n```\n\n_Who is impacted?_\n\nAnyone who runs untrusted markdown through marked and does not use a worker with a time limit.\n\n### Patches\n\n_Has the problem been patched?_\n\nYes\n\n_What versions should users upgrade to?_\n\n4.0.10\n\n### Workarounds\n\n_Is there a way for users to fix or remediate the vulnerability without upgrading?_\n\nDo not run untrusted markdown through marked or run marked on a 
[worker](https://marked.js.org/using_advanced#workers) thread and set a reasonable time limit to prevent draining resources.\n\n### References\n\n_Are there any links users can visit to find out more?_\n\n- https://marked.js.org/using_advanced#workers\n- https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS\n\n### For more information\n\nIf you have any questions or comments about this advisory:\n\n* Open an issue in [marked](https://github.com/markedjs/marked)\n","url":"https://github.com/advisories/GHSA-rrrm-qjm4-v8hf"},"1092972":{"findings":[{"version":"2.88.2","paths":["@pact-foundation/pact-node>request","@pact-foundation/pact>@pact-foundation/pact-node>request"]}],"metadata":null,"vulnerable_versions":"<=2.88.2","module_name":"request","severity":"moderate","github_advisory_id":"GHSA-p8p7-x288-28g6","cves":["CVE-2023-28155"],"access":"public","patched_versions":"<0.0.0","cvss":{"score":6.1,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},"updated":"2023-08-14T20:53:47.000Z","recommendation":"None","cwe":["CWE-918"],"found_by":null,"deleted":null,"id":1092972,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2023-28155\n- https://github.com/request/request/issues/3442\n- https://github.com/request/request/pull/3444\n- https://doyensec.com/resources/Doyensec_Advisory_RequestSSRF_Q12023.pdf\n- https://security.netapp.com/advisory/ntap-20230413-0007/\n- https://github.com/github/advisory-database/pull/2500\n- https://github.com/cypress-io/request/blob/master/lib/redirect.js#L116\n- https://github.com/request/request/blob/master/lib/redirect.js#L111\n- https://github.com/cypress-io/request/pull/28\n- https://github.com/cypress-io/request/commit/c5bcf21d40fb61feaff21a0e5a2b3934a440024f\n- https://github.com/cypress-io/request/releases/tag/v3.0.0\n- https://github.com/advisories/GHSA-p8p7-x288-28g6","created":"2023-03-16T15:30:19.000Z","reported_by":null,"title":"Server-Side Request Forgery in 
Request","npm_advisory_id":null,"overview":"The `request` package through 2.88.2 for Node.js and the `@cypress/request` package prior to 3.0.0 allow a bypass of SSRF mitigations via an attacker-controller server that does a cross-protocol redirect (HTTP to HTTPS, or HTTPS to HTTP).\n\nNOTE: The `request` package is no longer supported by the maintainer.","url":"https://github.com/advisories/GHSA-p8p7-x288-28g6"},"1092990":{"findings":[{"version":"6.0.5","paths":["@pact-foundation/pact-node>tar","@pact-foundation/pact>@pact-foundation/pact-node>tar","playwright>fsevents>node-gyp>tar","@pact-foundation/pact-node>bunyan>dtrace-provider>node-gyp>tar","@pact-foundation/pact-node>bunyan>dtrace-provider>nan>node-gyp>tar","@pact-foundation/pact>@pact-foundation/pact-node>bunyan>dtrace-provider>nan>node-gyp>tar","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>@jest/core>jest-haste-map>fsevents>node-gyp>tar","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>@jest/core>@jest/transform>jest-haste-map>fsevents>node-gyp>tar","@hmcts/rpx-xui-node-lib>jest-mock-axios>@jest/globals>@jest/expect>jest-snapshot>@jest/transform>jest-haste-map>fsevents>node-gyp>tar","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>@jest/core>jest-resolve-dependencies>jest-snapshot>@jest/transform>jest-haste-map>fsevents>node-gyp>tar","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>jest-cli>@jest/core>jest-resolve-dependencies>jest-snapshot>@jest/transform>jest-haste-map>fsevents>node-gyp>tar","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>@jest/core>jest-runtime>@jest/globals>@jest/expect>jest-snapshot>@jest/transform>jest-haste-map>fsevents>node-gyp>tar","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>@jest/core>jest-runner>jest-runtime>@jest/globals>@jest/expect>jest-snapshot>@jest/transform>jest-haste-map>fsevents>node-gyp>tar","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>jest-cli>@jest/core>jest-runner>jest-runtime>@jest/globals>@jest/expect>jest-snapshot>@jest/transform>jest-haste-map>fsevents>node-gyp>tar","@hm
cts/rpx-xui-node-lib>jest-mock-axios>jest>jest-cli>@jest/core>jest-config>jest-runner>jest-runtime>@jest/globals>@jest/expect>jest-snapshot>@jest/transform>jest-haste-map>fsevents>node-gyp>tar"]}],"metadata":null,"vulnerable_versions":">=6.0.0 <6.1.9","module_name":"tar","severity":"high","github_advisory_id":"GHSA-qq89-hq3f-393p","cves":["CVE-2021-37712"],"access":"public","patched_versions":">=6.1.9","cvss":{"score":8.2,"vectorString":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N"},"updated":"2023-08-15T22:50:55.000Z","recommendation":"Upgrade to version 6.1.9 or later","cwe":["CWE-22","CWE-59"],"found_by":null,"deleted":null,"id":1092990,"references":"- https://github.com/npm/node-tar/security/advisories/GHSA-qq89-hq3f-393p\n- https://www.npmjs.com/package/tar\n- https://nvd.nist.gov/vuln/detail/CVE-2021-37712\n- https://www.oracle.com/security-alerts/cpuoct2021.html\n- https://www.debian.org/security/2021/dsa-5008\n- https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf\n- https://lists.debian.org/debian-lts-announce/2022/12/msg00023.html\n- https://github.com/isaacs/node-tar/commit/1739408d3122af897caefd09662bce2ea477533b\n- https://github.com/isaacs/node-tar/commit/b6162c7fafe797f856564ef37f4b82747f051455\n- https://github.com/isaacs/node-tar/commit/bb93ba243746f705092905da1955ac3b0509ba1e\n- https://github.com/advisories/GHSA-qq89-hq3f-393p","created":"2021-08-31T16:05:17.000Z","reported_by":null,"title":"Arbitrary File Creation/Overwrite via insufficient symlink protection due to directory cache poisoning using symbolic links","npm_advisory_id":null,"overview":"### Impact\nArbitrary File Creation, Arbitrary File Overwrite, Arbitrary Code Execution\n\nnode-tar aims to guarantee that any file whose location would be modified by a symbolic link is not extracted. This is, in part, achieved by ensuring that extracted directories are not symlinks. 
Additionally, in order to prevent unnecessary stat calls to determine whether a given path is a directory, paths are cached when directories are created.\n\nThis logic was insufficient when extracting tar files that contained two directories and a symlink with names containing unicode values that normalized to the same value. Additionally, on Windows systems, long path portions would resolve to the same file system entities as their 8.3 \"short path\" counterparts. A specially crafted tar archive could thus include directories with two forms of the path that resolve to the same file system entity, followed by a symbolic link with a name in the first form, lastly followed by a file using the second form. It led to bypassing node-tar symlink checks on directories, essentially allowing an untrusted tar file to symlink into an arbitrary location and subsequently extracting arbitrary files into that location, thus allowing arbitrary file creation and overwrite.\n\nThe v3 branch of `node-tar` has been deprecated and did not receive patches for these issues. If you are still using a v3 release we recommend you update to a more recent version of `node-tar`. If this is not possible, a workaround is available below.\n\n### Patches\n\n6.1.9 || 5.0.10 || 4.4.18\n\n### Workarounds\n\nUsers may work around this vulnerability without upgrading by creating a custom filter method which prevents the extraction of symbolic links.\n\n```js\nconst tar = require('tar')\n\ntar.x({\n file: 'archive.tgz',\n filter: (file, entry) => {\n if (entry.type === 'SymbolicLink') {\n return false\n } else {\n return true\n }\n }\n})\n```\n\nUsers are encouraged to upgrade to the latest patched versions, rather than attempt to sanitize tar input themselves.\n\n#### Fix\n\nThe problem is addressed in the following ways, when comparing paths in the directory cache and path reservation systems:\n\n1. 
The `String.normalize('NFKD')` method is used to first normalize all unicode to its maximally compatible and multi-code-point form.\n2. All slashes are normalized to `/` on Windows systems (on posix systems, `\\` is a valid filename character, and thus left intact).\n3. When a symbolic link is encountered on Windows systems, the entire directory cache is cleared. Collisions related to use of 8.3 short names to replace directories with other (non-symlink) types of entries may make archives fail to extract properly, but will not result in arbitrary file writes.\n","url":"https://github.com/advisories/GHSA-qq89-hq3f-393p"},"1093264":{"findings":[{"version":"7.0.0","paths":["global-agent>semver","@hmcts/nodejs-healthcheck>superagent>semver","playwright>fsevents>node-gyp>semver","@pact-foundation/pact-node>bunyan>dtrace-provider>node-gyp>semver","@pact-foundation/pact-node>bunyan>dtrace-provider>nan>node-gyp>semver","@hmcts/rpx-xui-node-lib>jest-mock-axios>@jest/globals>@jest/expect>jest-snapshot>@babel/core>semver","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>@jest/core>jest-resolve-dependencies>jest-snapshot>@babel/core>semver","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>jest-cli>@jest/core>jest-resolve-dependencies>jest-snapshot>@babel/core>semver","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>@jest/core>jest-runtime>@jest/globals>@jest/expect>jest-snapshot>@babel/core>semver","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>@jest/core>jest-runner>jest-runtime>@jest/globals>@jest/expect>jest-snapshot>@babel/core>semver","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>jest-cli>@jest/core>jest-runner>jest-runtime>@jest/globals>@jest/expect>jest-snapshot>@babel/core>semver","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>jest-cli>@jest/core>jest-config>jest-runner>jest-runtime>@jest/globals>@jest/expect>jest-snapshot>@babel/core>semver","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>jest-cli>@jest/core>jest-config>jest-runner>jest-runtime>@jest/globals>@jest/expect>jest-snaps
hot>@jest/transform>@babel/core>semver","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>jest-cli>@jest/core>jest-runner>jest-runtime>@jest/globals>@jest/expect>jest-snapshot>@jest/transform>babel-plugin-istanbul>istanbul-lib-instrument>@babel/core>semver","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>jest-cli>@jest/core>jest-config>jest-runner>jest-runtime>@jest/globals>@jest/expect>jest-snapshot>@jest/transform>babel-plugin-istanbul>istanbul-lib-instrument>@babel/core>semver"]}],"metadata":null,"vulnerable_versions":">=7.0.0 <7.5.2","module_name":"semver","severity":"moderate","github_advisory_id":"GHSA-c2qf-rxjj-qqgw","cves":["CVE-2022-25883"],"access":"public","patched_versions":">=7.5.2","cvss":{"score":5.3,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},"updated":"2023-09-01T23:43:55.000Z","recommendation":"Upgrade to version 7.5.2 or later","cwe":["CWE-1333"],"found_by":null,"deleted":null,"id":1093264,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2022-25883\n- https://github.com/npm/node-semver/pull/564\n- https://github.com/npm/node-semver/commit/717534ee353682f3bcf33e60a8af4292626d4441\n- https://security.snyk.io/vuln/SNYK-JS-SEMVER-3247795\n- https://github.com/npm/node-semver/blob/main/classes/range.js#L97-L104\n- https://github.com/npm/node-semver/blob/main/internal/re.js#L138\n- https://github.com/npm/node-semver/blob/main/internal/re.js#L160\n- https://github.com/npm/node-semver/pull/585\n- https://github.com/npm/node-semver/commit/928e56d21150da0413a3333a3148b20e741a920c\n- https://github.com/npm/node-semver/pull/593\n- https://github.com/npm/node-semver/commit/2f8fd41487acf380194579ecb6f8b1bbfe116be0\n- https://github.com/advisories/GHSA-c2qf-rxjj-qqgw","created":"2023-06-21T06:30:28.000Z","reported_by":null,"title":"semver vulnerable to Regular Expression Denial of Service","npm_advisory_id":null,"overview":"Versions of the package semver before 7.5.2 on the 7.x branch, before 6.3.1 on the 6.x branch, and all other versions 
before 5.7.2 are vulnerable to Regular Expression Denial of Service (ReDoS) via the function new Range, when untrusted user data is provided as a range.","url":"https://github.com/advisories/GHSA-c2qf-rxjj-qqgw"},"1093429":{"findings":[{"version":"2.6.1","paths":["node-fetch","isomorphic-fetch>node-fetch"]}],"metadata":null,"vulnerable_versions":"<2.6.7","module_name":"node-fetch","severity":"high","github_advisory_id":"GHSA-r683-j2x4-v87g","cves":["CVE-2022-0235"],"access":"public","patched_versions":">=2.6.7","cvss":{"score":8.8,"vectorString":"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},"updated":"2023-09-07T18:38:42.000Z","recommendation":"Upgrade to version 2.6.7 or later","cwe":["CWE-173","CWE-200","CWE-601"],"found_by":null,"deleted":null,"id":1093429,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2022-0235\n- https://github.com/node-fetch/node-fetch/commit/36e47e8a6406185921e4985dcbeff140d73eaa10\n- https://huntr.dev/bounties/d26ab655-38d6-48b3-be15-f9ad6b6ae6f7\n- https://github.com/node-fetch/node-fetch/pull/1453\n- https://github.com/node-fetch/node-fetch/commit/5c32f002fdd65b1c6a8f1e3620210813d45c7e60\n- https://cert-portal.siemens.com/productcert/pdf/ssa-637483.pdf\n- https://lists.debian.org/debian-lts-announce/2022/12/msg00007.html\n- https://github.com/node-fetch/node-fetch/pull/1449/commits/5c32f002fdd65b1c6a8f1e3620210813d45c7e60\n- https://github.com/node-fetch/node-fetch/commit/1ef4b560a17e644a02a3bfdea7631ffeee578b35\n- https://github.com/advisories/GHSA-r683-j2x4-v87g","created":"2022-01-21T23:55:52.000Z","reported_by":null,"title":"node-fetch forwards secure headers to untrusted sites","npm_advisory_id":null,"overview":"node-fetch forwards secure headers such as `authorization`, `www-authenticate`, `cookie`, & `cookie2` when redirecting to a untrusted 
site.","url":"https://github.com/advisories/GHSA-r683-j2x4-v87g"},"1093500":{"findings":[{"version":"0.15.6","paths":["xlsx"]}],"metadata":null,"vulnerable_versions":"<0.19.3","module_name":"xlsx","severity":"high","github_advisory_id":"GHSA-4r6h-8v6p-xvw6","cves":["CVE-2023-30533"],"access":"public","patched_versions":">=0.19.3","cvss":{"score":7.8,"vectorString":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},"updated":"2023-09-07T21:28:03.000Z","recommendation":"Upgrade to version 0.19.3 or later","cwe":["CWE-1321"],"found_by":null,"deleted":null,"id":1093500,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2023-30533\n- https://cdn.sheetjs.com/advisories/CVE-2023-30533\n- https://git.sheetjs.com/sheetjs/sheetjs/src/branch/master/CHANGELOG.md\n- https://git.sheetjs.com/sheetjs/sheetjs/issues/2667\n- https://git.sheetjs.com/sheetjs/sheetjs/issues/2986\n- https://github.com/advisories/GHSA-4r6h-8v6p-xvw6","created":"2023-04-24T09:30:19.000Z","reported_by":null,"title":"Prototype Pollution in sheetJS","npm_advisory_id":null,"overview":"All versions of SheetJS CE through 0.19.2 are vulnerable to \"Prototype Pollution\" when reading specially crafted files. 
Workflows that do not read arbitrary files (for example, exporting data to spreadsheet files) are unaffected.\n\nA non-vulnerable version cannot be found via npm, as the repository hosted on GitHub and the npm package `xlsx` are no longer maintained.","url":"https://github.com/advisories/GHSA-4r6h-8v6p-xvw6"},"1093639":{"findings":[{"version":"0.4.1","paths":["@hmcts/rpx-xui-node-lib>passport"]}],"metadata":null,"vulnerable_versions":"<0.6.0","module_name":"passport","severity":"moderate","github_advisory_id":"GHSA-v923-w3x8-wh69","cves":["CVE-2022-25896"],"access":"public","patched_versions":">=0.6.0","cvss":{"score":4.8,"vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:L"},"updated":"2023-09-11T16:22:18.000Z","recommendation":"Upgrade to version 0.6.0 or later","cwe":["CWE-384"],"found_by":null,"deleted":null,"id":1093639,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2022-25896\n- https://github.com/jaredhanson/passport/pull/900\n- https://github.com/jaredhanson/passport/commit/7e9b9cf4d7be02428e963fc729496a45baeea608\n- https://snyk.io/vuln/SNYK-JS-PASSPORT-2840631\n- https://github.com/advisories/GHSA-v923-w3x8-wh69","created":"2022-07-02T00:00:19.000Z","reported_by":null,"title":"Passport vulnerable to session regeneration when a users logs in or out","npm_advisory_id":null,"overview":"This affects the package passport before 0.6.0. 
When a user logs in or logs out, the session is regenerated instead of being closed.","url":"https://github.com/advisories/GHSA-v923-w3x8-wh69"},"1094087":{"findings":[{"version":"0.2.0","paths":["http-proxy-middleware>micromatch>snapdragon>source-map-resolve>decode-uri-component","http-proxy-middleware>micromatch>braces>snapdragon>source-map-resolve>decode-uri-component","@hmcts/rpx-xui-node-lib>ts-auto-mock>micromatch>braces>snapdragon>source-map-resolve>decode-uri-component","@hmcts/rpx-xui-node-lib>jest-ts-auto-mock>ts-auto-mock>micromatch>braces>snapdragon>source-map-resolve>decode-uri-component","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>@jest/core>micromatch>braces>snapdragon>source-map-resolve>decode-uri-component","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>@jest/core>jest-message-util>micromatch>braces>snapdragon>source-map-resolve>decode-uri-component","@hmcts/rpx-xui-node-lib>jest-mock-axios>@jest/globals>@jest/environment>@jest/fake-timers>jest-message-util>micromatch>braces>snapdragon>source-map-resolve>decode-uri-component","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>@jest/core>jest-runtime>@jest/fake-timers>jest-message-util>micromatch>braces>snapdragon>source-map-resolve>decode-uri-component","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>@jest/core>jest-runner>@jest/environment>@jest/fake-timers>jest-message-util>micromatch>braces>snapdragon>source-map-resolve>decode-uri-component","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>@jest/core>jest-runtime>@jest/globals>@jest/environment>@jest/fake-timers>jest-message-util>micromatch>braces>snapdragon>source-map-resolve>decode-uri-component","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>@jest/core>jest-runner>jest-runtime>@jest/globals>@jest/environment>@jest/fake-timers>jest-message-util>micromatch>braces>snapdragon>source-map-resolve>decode-uri-component","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>jest-cli>@jest/core>jest-runner>jest-runtime>@jest/globals>@jest/environment>@jest/fake-timers>je
st-message-util>micromatch>braces>snapdragon>source-map-resolve>decode-uri-component","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>jest-cli>@jest/core>jest-config>jest-runner>jest-runtime>@jest/globals>@jest/environment>@jest/fake-timers>jest-message-util>micromatch>braces>snapdragon>source-map-resolve>decode-uri-component","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>jest-cli>@jest/core>jest-config>jest-runner>jest-runtime>@jest/globals>@jest/expect>jest-snapshot>expect>jest-message-util>micromatch>braces>snapdragon>source-map-resolve>decode-uri-component","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>jest-cli>@jest/core>jest-config>jest-runner>jest-runtime>@jest/globals>@jest/expect>jest-snapshot>expect>jest-message-util>micromatch>extglob>expand-brackets>snapdragon>source-map-resolve>decode-uri-component"]}],"metadata":null,"vulnerable_versions":"<0.2.1","module_name":"decode-uri-component","severity":"high","github_advisory_id":"GHSA-w573-4hg7-7wgq","cves":["CVE-2022-38900"],"access":"public","patched_versions":">=0.2.1","cvss":{"score":7.5,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},"updated":"2023-09-21T22:16:39.000Z","recommendation":"Upgrade to version 0.2.1 or later","cwe":["CWE-20"],"found_by":null,"deleted":null,"id":1094087,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2022-38900\n- https://github.com/SamVerschueren/decode-uri-component/issues/5\n- https://github.com/sindresorhus/query-string/issues/345\n- https://github.com/SamVerschueren/decode-uri-component/commit/746ca5dcb6667c5d364e782d53c542830e4c10b9\n- https://github.com/SamVerschueren/decode-uri-component/releases/tag/v0.2.1\n- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ERN6YE3DS7NBW7UH44SCJBMNC2NWQ7SM/\n- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KAC5KQ2SEWAMQ6UZAUBZ5KXKEOESH375/\n- 
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VNV2GNZXOTEDAJRFH3ZYWRUBGIVL7BSU/\n- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QABOUA2I542UTANVZIVFKWMRYVHLV32D/\n- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UW4SCMT3SEUFVIL7YIADQ5K36GJEO6I5/\n- https://github.com/advisories/GHSA-w573-4hg7-7wgq","created":"2022-11-28T15:30:24.000Z","reported_by":null,"title":"decode-uri-component vulnerable to Denial of Service (DoS)","npm_advisory_id":null,"overview":"decode-uri-component 0.2.0 is vulnerable to Improper Input Validation resulting in DoS.","url":"https://github.com/advisories/GHSA-w573-4hg7-7wgq"},"1094091":{"findings":[{"version":"4.1.0","paths":["@pact-foundation/pact>cli-color>ansi-regex","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>@jest/core>strip-ansi>ansi-regex","playwright>fsevents>node-gyp>npmlog>gauge>strip-ansi>ansi-regex","playwright>fsevents>node-gyp>npmlog>gauge>string-width>strip-ansi>ansi-regex","@pact-foundation/pact-node>bunyan>dtrace-provider>node-gyp>npmlog>gauge>string-width>strip-ansi>ansi-regex","@pact-foundation/pact-node>bunyan>dtrace-provider>nan>node-gyp>npmlog>gauge>string-width>strip-ansi>ansi-regex","@pact-foundation/pact>@pact-foundation/pact-node>bunyan>dtrace-provider>nan>node-gyp>npmlog>gauge>string-width>strip-ansi>ansi-regex","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>@jest/core>jest-haste-map>fsevents>node-gyp>npmlog>gauge>string-width>strip-ansi>ansi-regex","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>@jest/core>@jest/transform>jest-haste-map>fsevents>node-gyp>npmlog>gauge>string-width>strip-ansi>ansi-regex","@hmcts/rpx-xui-node-lib>jest-mock-axios>@jest/globals>@jest/expect>jest-snapshot>@jest/transform>jest-haste-map>fsevents>node-gyp>npmlog>gauge>string-width>strip-ansi>ansi-regex","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>@jest/core>jest-resolve-dependencies>jest-snaps
hot>@jest/transform>jest-haste-map>fsevents>node-gyp>npmlog>gauge>string-width>strip-ansi>ansi-regex","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>jest-cli>@jest/core>jest-resolve-dependencies>jest-snapshot>@jest/transform>jest-haste-map>fsevents>node-gyp>npmlog>gauge>string-width>strip-ansi>ansi-regex","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>@jest/core>jest-runtime>@jest/globals>@jest/expect>jest-snapshot>@jest/transform>jest-haste-map>fsevents>node-gyp>npmlog>gauge>string-width>strip-ansi>ansi-regex","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>@jest/core>jest-runner>jest-runtime>@jest/globals>@jest/expect>jest-snapshot>@jest/transform>jest-haste-map>fsevents>node-gyp>npmlog>gauge>string-width>strip-ansi>ansi-regex","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>jest-cli>@jest/core>jest-runner>jest-runtime>@jest/globals>@jest/expect>jest-snapshot>@jest/transform>jest-haste-map>fsevents>node-gyp>npmlog>gauge>string-width>strip-ansi>ansi-regex","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>jest-cli>@jest/core>jest-config>jest-runner>jest-runtime>@jest/globals>@jest/expect>jest-snapshot>@jest/transform>jest-haste-map>fsevents>node-gyp>npmlog>gauge>string-width>strip-ansi>ansi-regex","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>jest-cli>@jest/core>jest-config>jest-runner>jest-runtime>@jest/globals>@jest/expect>jest-snapshot>@jest/transform>jest-haste-map>fsevents>node-gyp>npmlog>gauge>wide-align>string-width>strip-ansi>ansi-regex"]}],"metadata":null,"vulnerable_versions":">=4.0.0 <4.1.1","module_name":"ansi-regex","severity":"high","github_advisory_id":"GHSA-93q8-gq69-wqmw","cves":["CVE-2021-3807"],"access":"public","patched_versions":">=4.1.1","cvss":{"score":7.5,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},"updated":"2023-09-21T22:14:52.000Z","recommendation":"Upgrade to version 4.1.1 or later","cwe":["CWE-697","CWE-1333"],"found_by":null,"deleted":null,"id":1094091,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2021-3807\n- 
https://github.com/chalk/ansi-regex/commit/8d1d7cdb586269882c4bdc1b7325d0c58c8f76f9\n- https://huntr.dev/bounties/5b3cf33b-ede0-4398-9974-800876dfd994\n- https://github.com/chalk/ansi-regex/issues/38#issuecomment-924086311\n- https://app.snyk.io/vuln/SNYK-JS-ANSIREGEX-1583908\n- https://github.com/chalk/ansi-regex/issues/38#issuecomment-925924774\n- https://github.com/chalk/ansi-regex/releases/tag/v6.0.1\n- https://www.oracle.com/security-alerts/cpuapr2022.html\n- https://security.netapp.com/advisory/ntap-20221014-0002/\n- https://github.com/chalk/ansi-regex/commit/419250fa510bf31b4cc672e76537a64f9332e1f1\n- https://github.com/chalk/ansi-regex/commit/75a657da7af875b2e2724fd6331bf0a4b23d3c9a\n- https://github.com/chalk/ansi-regex/commit/c3c0b3f2736b9c01feec0fef33980c43720dcde8\n- https://github.com/advisories/GHSA-93q8-gq69-wqmw","created":"2021-09-20T20:20:09.000Z","reported_by":null,"title":"Inefficient Regular Expression Complexity in chalk/ansi-regex","npm_advisory_id":null,"overview":"ansi-regex is vulnerable to Inefficient Regular Expression Complexity which could lead to a denial of service when parsing invalid ANSI escape codes.\n\n**Proof of Concept**\n```js\nimport ansiRegex from 'ansi-regex';\nfor(var i = 1; i <= 50000; i++) {\n var time = Date.now();\n var attack_str = \"\\u001B[\"+\";\".repeat(i*10000);\n ansiRegex().test(attack_str)\n var time_cost = Date.now() - time;\n console.log(\"attack_str.length: \" + attack_str.length + \": \" + time_cost+\" ms\")\n}\n```\nThe ReDOS is mainly due to the sub-patterns `[[\\\\]()#;?]*` and 
`(?:;[-a-zA-Z\\\\d\\\\/#&.:=?%@~_]*)*`","url":"https://github.com/advisories/GHSA-93q8-gq69-wqmw"},"1094219":{"findings":[{"version":"4.2.0","paths":["express-session>debug","@hmcts/nodejs-healthcheck>superagent>debug","@hmcts/rpx-xui-node-lib>express>body-parser>debug","@hmcts/rpx-xui-node-lib>express>serve-static>send>debug","@hmcts/rpx-xui-node-lib>ts-auto-mock>micromatch>braces>snapdragon>debug","@hmcts/rpx-xui-node-lib>jest-ts-auto-mock>ts-auto-mock>micromatch>braces>snapdragon>debug","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>@jest/core>micromatch>braces>snapdragon>debug","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>@jest/core>jest-message-util>micromatch>braces>snapdragon>debug","@hmcts/rpx-xui-node-lib>jest-mock-axios>@jest/globals>@jest/environment>@jest/fake-timers>jest-message-util>micromatch>braces>snapdragon>debug","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>@jest/core>jest-runtime>@jest/fake-timers>jest-message-util>micromatch>braces>snapdragon>debug","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>@jest/core>jest-runner>@jest/environment>@jest/fake-timers>jest-message-util>micromatch>braces>snapdragon>debug","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>@jest/core>jest-runtime>@jest/globals>@jest/environment>@jest/fake-timers>jest-message-util>micromatch>braces>snapdragon>debug","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>@jest/core>jest-runner>jest-runtime>@jest/globals>@jest/environment>@jest/fake-timers>jest-message-util>micromatch>braces>snapdragon>debug","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>jest-cli>@jest/core>jest-runner>jest-runtime>@jest/globals>@jest/environment>@jest/fake-timers>jest-message-util>micromatch>braces>snapdragon>debug","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>jest-cli>@jest/core>jest-config>jest-runner>jest-runtime>@jest/globals>@jest/environment>@jest/fake-timers>jest-message-util>micromatch>braces>snapdragon>debug","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>jest-cli>@jest/core>jest-config>jest-runner>jes
t-runtime>@jest/globals>@jest/expect>jest-snapshot>expect>jest-message-util>micromatch>braces>snapdragon>debug","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>jest-cli>@jest/core>jest-config>jest-runner>jest-runtime>@jest/globals>@jest/expect>jest-snapshot>expect>jest-message-util>micromatch>extglob>expand-brackets>snapdragon>debug","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>jest-cli>@jest/core>jest-config>jest-runner>jest-runtime>@jest/globals>@jest/expect>jest-snapshot>@jest/transform>jest-haste-map>fsevents>node-gyp>make-fetch-happen>http-proxy-agent>agent-base>debug"]}],"metadata":null,"vulnerable_versions":">=4.0.0 <4.3.1","module_name":"debug","severity":"moderate","github_advisory_id":"GHSA-gxpj-cx7g-858c","cves":["CVE-2017-16137"],"access":"public","patched_versions":">=4.3.1","cvss":{"score":5.3,"vectorString":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},"updated":"2023-10-02T17:59:03.000Z","recommendation":"Upgrade to version 4.3.1 or later","cwe":["CWE-400"],"found_by":null,"deleted":null,"id":1094219,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2017-16137\n- https://github.com/visionmedia/debug/issues/501\n- https://github.com/visionmedia/debug/pull/504\n- https://lists.apache.org/thread.html/r8ba4c628fba7181af58817d452119481adce4ba92e889c643e4c7dd3@%3Ccommits.netbeans.apache.org%3E\n- https://lists.apache.org/thread.html/rb5ac16fad337d1f3bb7079549f97d8166d0ef3082629417c39f12d63@%3Cnotifications.netbeans.apache.org%3E\n- https://github.com/debug-js/debug/issues/797\n- https://github.com/debug-js/debug/commit/4e2150207c568adb9ead8f4c4528016081c88020\n- https://github.com/debug-js/debug/commit/71169065b5262f9858ac78cc0b688c84a438f290\n- https://github.com/debug-js/debug/commit/b6d12fdbc63b483e5c969da33ea6adc09946b5ac\n- https://github.com/debug-js/debug/commit/f53962e944a87e6ca9bb622a2a12dffc22a9bb5a\n- https://github.com/advisories/GHSA-gxpj-cx7g-858c","created":"2018-08-09T20:18:07.000Z","reported_by":null,"title":"Regular Expression Denial 
of Service in debug","npm_advisory_id":null,"overview":"Affected versions of `debug` are vulnerable to regular expression denial of service when untrusted user input is passed into the `o` formatter. \n\nAs it takes 50,000 characters to block the event loop for 2 seconds, this issue is a low severity issue.\n\nThis was later re-introduced in version v3.2.0, and then repatched in versions 3.2.7 and 4.3.1.\n\n## Recommendation\n\nVersion 2.x.x: Update to version 2.6.9 or later.\nVersion 3.1.x: Update to version 3.1.0 or later.\nVersion 3.2.x: Update to version 3.2.7 or later.\nVersion 4.x.x: Update to version 4.3.1 or later.","url":"https://github.com/advisories/GHSA-gxpj-cx7g-858c"},"1094446":{"findings":[{"version":"7.22.10","paths":["@hmcts/rpx-xui-node-lib>jest-mock-axios>@jest/globals>@jest/expect>jest-snapshot>@babel/core>@babel/traverse","@hmcts/rpx-xui-node-lib>jest-mock-axios>@jest/globals>@jest/expect>jest-snapshot>@babel/core>@babel/helpers>@babel/traverse","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>@jest/core>jest-resolve-dependencies>jest-snapshot>@babel/core>@babel/helpers>@babel/traverse","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>jest-cli>@jest/core>jest-resolve-dependencies>jest-snapshot>@babel/core>@babel/helpers>@babel/traverse","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>@jest/core>jest-runtime>@jest/globals>@jest/expect>jest-snapshot>@babel/core>@babel/helpers>@babel/traverse","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>@jest/core>jest-runner>jest-runtime>@jest/globals>@jest/expect>jest-snapshot>@babel/core>@babel/helpers>@babel/traverse","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>jest-cli>@jest/core>jest-runner>jest-runtime>@jest/globals>@jest/expect>jest-snapshot>@babel/core>@babel/helpers>@babel/traverse","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>jest-cli>@jest/core>jest-config>jest-runner>jest-runtime>@jest/globals>@jest/expect>jest-snapshot>@babel/core>@babel/helpers>@babel/traverse","@hmcts/rpx-xui-node-lib>jest-mock-axios>j
est>jest-cli>@jest/core>jest-config>jest-runner>jest-runtime>@jest/globals>@jest/expect>jest-snapshot>@jest/transform>@babel/core>@babel/helpers>@babel/traverse","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>jest-cli>@jest/core>jest-runner>jest-runtime>@jest/globals>@jest/expect>jest-snapshot>@jest/transform>babel-plugin-istanbul>istanbul-lib-instrument>@babel/core>@babel/helpers>@babel/traverse","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>jest-cli>@jest/core>jest-config>jest-runner>jest-runtime>@jest/globals>@jest/expect>jest-snapshot>@jest/transform>babel-plugin-istanbul>istanbul-lib-instrument>@babel/core>@babel/helpers>@babel/traverse"]}],"metadata":null,"vulnerable_versions":"<7.23.2","module_name":"@babel/traverse","severity":"critical","github_advisory_id":"GHSA-67hx-6x53-jw92","cves":["CVE-2023-45133"],"access":"public","patched_versions":">=7.23.2","cvss":{"score":9.3,"vectorString":"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H"},"updated":"2023-10-24T18:32:24.000Z","recommendation":"Upgrade to version 7.23.2 or later","cwe":["CWE-184","CWE-697"],"found_by":null,"deleted":null,"id":1094446,"references":"- https://github.com/babel/babel/security/advisories/GHSA-67hx-6x53-jw92\n- https://nvd.nist.gov/vuln/detail/CVE-2023-45133\n- https://github.com/babel/babel/pull/16033\n- https://github.com/babel/babel/commit/b13376b346946e3f62fc0848c1d2a23223314c82\n- https://github.com/babel/babel/releases/tag/v7.23.2\n- https://github.com/babel/babel/releases/tag/v8.0.0-alpha.4\n- https://www.debian.org/security/2023/dsa-5528\n- https://lists.debian.org/debian-lts-announce/2023/10/msg00026.html\n- https://babeljs.io/blog/2023/10/16/cve-2023-45133\n- https://github.com/advisories/GHSA-67hx-6x53-jw92","created":"2023-10-16T13:55:36.000Z","reported_by":null,"title":"Babel vulnerable to arbitrary code execution when compiling specifically crafted malicious code","npm_advisory_id":null,"overview":"### Impact\n\nUsing Babel to compile code that was specifically crafted by 
an attacker can lead to arbitrary code execution during compilation, when using plugins that rely on the `path.evaluate()`or `path.evaluateTruthy()` internal Babel methods.\n\nKnown affected plugins are:\n- `@babel/plugin-transform-runtime`\n- `@babel/preset-env` when using its [`useBuiltIns`](https://babeljs.io/docs/babel-preset-env#usebuiltins) option\n- Any \"polyfill provider\" plugin that depends on `@babel/helper-define-polyfill-provider`, such as `babel-plugin-polyfill-corejs3`, `babel-plugin-polyfill-corejs2`, `babel-plugin-polyfill-es-shims`, `babel-plugin-polyfill-regenerator`\n\nNo other plugins under the `@babel/` namespace are impacted, but third-party plugins might be.\n\n**Users that only compile trusted code are not impacted.**\n\n### Patches\n\nThe vulnerability has been fixed in `@babel/traverse@7.23.2`.\n\nBabel 6 does not receive security fixes anymore (see [Babel's security policy](https://github.com/babel/babel/security/policy)), hence there is no patch planned for `babel-traverse@6`.\n\n### Workarounds\n\n- Upgrade `@babel/traverse` to v7.23.2 or higher. You can do this by deleting it from your package manager's lockfile and re-installing the dependencies. 
`@babel/core` >=7.23.2 will automatically pull in a non-vulnerable version.\n- If you cannot upgrade `@babel/traverse` and are using one of the affected packages mentioned above, upgrade them to their latest version to avoid triggering the vulnerable code path in affected `@babel/traverse` versions:\n - `@babel/plugin-transform-runtime` v7.23.2\n - `@babel/preset-env` v7.23.2\n - `@babel/helper-define-polyfill-provider` v0.4.3\n - `babel-plugin-polyfill-corejs2` v0.4.6\n - `babel-plugin-polyfill-corejs3` v0.8.5\n - `babel-plugin-polyfill-es-shims` v0.10.0\n - `babel-plugin-polyfill-regenerator` v0.5.3","url":"https://github.com/advisories/GHSA-67hx-6x53-jw92"}},"muted":[],"metadata":{"vulnerabilities":{"info":0,"low":0,"moderate":52,"high":136,"critical":16},"dependencies":838,"devDependencies":7,"optionalDependencies":0,"totalDependencies":845}} +{"actions":[],"advisories":{"1088208":{"findings":[{"version":"0.8.4","paths":["git-rev-sync>shelljs"]}],"metadata":null,"vulnerable_versions":"<0.8.5","module_name":"shelljs","severity":"moderate","github_advisory_id":"GHSA-64g7-mvw6-v9qj","cves":[],"access":"public","patched_versions":">=0.8.5","cvss":{"score":0,"vectorString":null},"updated":"2023-01-11T05:03:39.000Z","recommendation":"Upgrade to version 0.8.5 or later","cwe":["CWE-269"],"found_by":null,"deleted":null,"id":1088208,"references":"- https://github.com/shelljs/shelljs/security/advisories/GHSA-64g7-mvw6-v9qj\n- https://huntr.dev/bounties/50996581-c08e-4eed-a90e-c0bac082679c/\n- https://github.com/advisories/GHSA-64g7-mvw6-v9qj","created":"2022-01-14T21:09:50.000Z","reported_by":null,"title":"Improper Privilege Management in shelljs","npm_advisory_id":null,"overview":"### Impact\nOutput from the synchronous version of `shell.exec()` may be visible to other users on the same system. 
You may be affected if you execute `shell.exec()` in multi-user Mac, Linux, or WSL environments, or if you execute `shell.exec()` as the root user.\n\nOther shelljs functions (including the asynchronous version of `shell.exec()`) are not impacted.\n\n### Patches\nPatched in shelljs 0.8.5\n\n### Workarounds\nRecommended action is to upgrade to 0.8.5.\n\n### References\nhttps://huntr.dev/bounties/50996581-c08e-4eed-a90e-c0bac082679c/\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Ask at https://github.com/shelljs/shelljs/issues/1058\n* Open an issue at https://github.com/shelljs/shelljs/issues/new\n","url":"https://github.com/advisories/GHSA-64g7-mvw6-v9qj"},"1088659":{"findings":[{"version":"2.1.2","paths":["@hmcts/nodejs-healthcheck>superagent>cookiejar"]}],"metadata":null,"vulnerable_versions":"<2.1.4","module_name":"cookiejar","severity":"moderate","github_advisory_id":"GHSA-h452-7996-h45h","cves":["CVE-2022-25901"],"access":"public","patched_versions":">=2.1.4","cvss":{"score":5.3,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},"updated":"2023-01-23T16:59:53.000Z","recommendation":"Upgrade to version 2.1.4 or later","cwe":["CWE-1333"],"found_by":null,"deleted":null,"id":1088659,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2022-25901\n- https://github.com/bmeck/node-cookiejar/pull/39\n- https://github.com/bmeck/node-cookiejar/pull/39/commits/eaa00021caf6ae09449dde826108153b578348e5\n- https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-3176681\n- https://security.snyk.io/vuln/SNYK-JS-COOKIEJAR-3149984\n- https://github.com/bmeck/node-cookiejar/blob/master/cookiejar.js#23L73\n- https://github.com/advisories/GHSA-h452-7996-h45h","created":"2023-01-18T06:31:03.000Z","reported_by":null,"title":"cookiejar Regular Expression Denial of Service via Cookie.parse function","npm_advisory_id":null,"overview":"Versions of the package cookiejar before 2.1.4 are vulnerable to Regular Expression Denial of 
Service (ReDoS) via the `Cookie.parse` function and other aspects of the API, which use an insecure regular expression for parsing cookie values. Applications could be stalled for extended periods of time if untrusted input is passed to cookie values or attempted to parse from request headers.\n\nProof of concept:\n\n```\nts\\nconst { CookieJar } = require(\"cookiejar\");\n\nconst jar = new CookieJar();\n\nconst start = performance.now();\n\nconst attack = \"a\" + \"t\".repeat(50_000);\njar.setCookie(attack);\n\nconsole.log(`CookieJar.setCookie(): ${performance.now() - start}ms`);\n\n```\n\n```\nCookieJar.setCookie(): 2963.214399999939ms\n```","url":"https://github.com/advisories/GHSA-h452-7996-h45h"},"1088948":{"findings":[{"version":"6.7.1","paths":["@hmcts/rpx-xui-node-lib>openid-client>got"]}],"metadata":null,"vulnerable_versions":"<11.8.5","module_name":"got","severity":"moderate","github_advisory_id":"GHSA-pfrx-2q88-qq97","cves":["CVE-2022-33987"],"access":"public","patched_versions":">=11.8.5","cvss":{"score":5.3,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},"updated":"2023-01-27T05:05:01.000Z","recommendation":"Upgrade to version 11.8.5 or later","cwe":[],"found_by":null,"deleted":null,"id":1088948,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2022-33987\n- https://github.com/sindresorhus/got/pull/2047\n- https://github.com/sindresorhus/got/compare/v12.0.3...v12.1.0\n- https://github.com/sindresorhus/got/commit/861ccd9ac2237df762a9e2beed7edd88c60782dc\n- https://github.com/sindresorhus/got/releases/tag/v11.8.5\n- https://github.com/sindresorhus/got/releases/tag/v12.1.0\n- https://github.com/advisories/GHSA-pfrx-2q88-qq97","created":"2022-06-19T00:00:21.000Z","reported_by":null,"title":"Got allows a redirect to a UNIX socket","npm_advisory_id":null,"overview":"The got package before 11.8.5 and 12.1.0 for Node.js allows a redirect to a UNIX 
socket.","url":"https://github.com/advisories/GHSA-pfrx-2q88-qq97"},"1089067":{"findings":[{"version":"0.2.3","paths":["class-transformer"]}],"metadata":null,"vulnerable_versions":"<0.3.1","module_name":"class-transformer","severity":"moderate","github_advisory_id":"GHSA-6gp3-h3jj-prx4","cves":["CVE-2020-7637"],"access":"public","patched_versions":">=0.3.1","cvss":{"score":5.3,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},"updated":"2023-01-27T05:08:29.000Z","recommendation":"Upgrade to version 0.3.1 or later","cwe":["CWE-915","CWE-1321"],"found_by":null,"deleted":null,"id":1089067,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2020-7637\n- https://github.com/typestack/class-transformer/blob/a650d9f490573443f62508bc063b857bcd5e2525/src/ClassTransformer.ts#L29-L31,\n- https://snyk.io/vuln/SNYK-JS-CLASSTRANSFORMER-564431\n- https://github.com/typestack/class-transformer/commit/8f04eb9db02de708f1a20f6f2d2bb309b2fed01e\n- https://github.com/advisories/GHSA-6gp3-h3jj-prx4","created":"2020-04-07T15:47:40.000Z","reported_by":null,"title":"Prototype pollution in class-transformer","npm_advisory_id":null,"overview":"class-transformer through 0.2.3 is vulnerable to Prototype Pollution. 
The 'classToPlainFromExist' function could be tricked into adding or modifying properties of 'Object.prototype' using a '__proto__' payload.","url":"https://github.com/advisories/GHSA-6gp3-h3jj-prx4"},"1089189":{"findings":[{"version":"1.23.0","paths":["ngx-md>prismjs"]}],"metadata":null,"vulnerable_versions":"<1.25.0","module_name":"prismjs","severity":"moderate","github_advisory_id":"GHSA-hqhp-5p83-hx96","cves":["CVE-2021-3801"],"access":"public","patched_versions":">=1.25.0","cvss":{"score":6.5,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"},"updated":"2023-01-29T05:02:55.000Z","recommendation":"Upgrade to version 1.25.0 or later","cwe":["CWE-400"],"found_by":null,"deleted":null,"id":1089189,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2021-3801\n- https://github.com/prismjs/prism/commit/0ff371bb4775a131634f47d0fe85794c547232f9\n- https://huntr.dev/bounties/8c16ab31-6eb6-46d1-b9a4-387222fe1b8a\n- https://github.com/advisories/GHSA-hqhp-5p83-hx96","created":"2021-09-20T20:44:48.000Z","reported_by":null,"title":"prismjs Regular Expression Denial of Service vulnerability","npm_advisory_id":null,"overview":"Prism is a syntax highlighting library. The prismjs package is vulnerable to ReDoS (regular expression denial of service). 
An attacker that is able to provide a crafted HTML comment as input may cause an application to consume an excessive amount of CPU.","url":"https://github.com/advisories/GHSA-hqhp-5p83-hx96"},"1089196":{"findings":[{"version":"3.0.2","paths":["redis","@hmcts/rpx-xui-node-lib>redis"]}],"metadata":null,"vulnerable_versions":">=2.6.0 <3.1.1","module_name":"redis","severity":"high","github_advisory_id":"GHSA-35q2-47q7-3pc3","cves":["CVE-2021-29469"],"access":"public","patched_versions":">=3.1.1","cvss":{"score":7.5,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},"updated":"2023-01-29T05:02:31.000Z","recommendation":"Upgrade to version 3.1.1 or later","cwe":["CWE-400"],"found_by":null,"deleted":null,"id":1089196,"references":"- https://github.com/NodeRedis/node-redis/security/advisories/GHSA-35q2-47q7-3pc3\n- https://nvd.nist.gov/vuln/detail/CVE-2021-29469\n- https://github.com/NodeRedis/node-redis/commit/2d11b6dc9b9774464a91fb4b448bad8bf699629e\n- https://github.com/NodeRedis/node-redis/releases/tag/v3.1.1\n- https://security.netapp.com/advisory/ntap-20210611-0010/\n- https://github.com/advisories/GHSA-35q2-47q7-3pc3","created":"2021-04-27T15:56:03.000Z","reported_by":null,"title":"Node-Redis potential exponential regex in monitor mode","npm_advisory_id":null,"overview":"### Impact\nWhen a client is in monitoring mode, the regex begin used to detected monitor messages could cause exponential backtracking on some strings. 
This issue could lead to a denial of service.\n\n### Patches\nThe problem was fixed in commit [`2d11b6d`](https://github.com/NodeRedis/node-redis/commit/2d11b6dc9b9774464a91fb4b448bad8bf699629e) and was released in version `3.1.1`.\n\n### References\n#1569 (GHSL-2021-026)","url":"https://github.com/advisories/GHSA-35q2-47q7-3pc3"},"1089270":{"findings":[{"version":"2.7.4","paths":["ejs"]}],"metadata":null,"vulnerable_versions":"<3.1.7","module_name":"ejs","severity":"critical","github_advisory_id":"GHSA-phwq-j96m-2c2q","cves":["CVE-2022-29078"],"access":"public","patched_versions":">=3.1.7","cvss":{"score":9.8,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},"updated":"2023-01-30T05:02:57.000Z","recommendation":"Upgrade to version 3.1.7 or later","cwe":["CWE-74"],"found_by":null,"deleted":null,"id":1089270,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2022-29078\n- https://eslam.io/posts/ejs-server-side-template-injection-rce/\n- https://github.com/mde/ejs/commit/15ee698583c98dadc456639d6245580d17a24baf\n- https://github.com/mde/ejs/releases\n- https://security.netapp.com/advisory/ntap-20220804-0001/\n- https://github.com/advisories/GHSA-phwq-j96m-2c2q","created":"2022-04-26T00:00:40.000Z","reported_by":null,"title":"ejs template injection vulnerability","npm_advisory_id":null,"overview":"The ejs (aka Embedded JavaScript templates) package 3.1.6 for Node.js allows server-side template injection in settings[view options][outputFunctionName]. 
This is parsed as an internal option, and overwrites the outputFunctionName option with an arbitrary OS command (which is executed upon template compilation).","url":"https://github.com/advisories/GHSA-phwq-j96m-2c2q"},"1089434":{"findings":[{"version":"8.5.1","paths":["jsonwebtoken"]}],"metadata":null,"vulnerable_versions":"<=8.5.1","module_name":"jsonwebtoken","severity":"moderate","github_advisory_id":"GHSA-8cf7-32gw-wr33","cves":["CVE-2022-23539"],"access":"public","patched_versions":">=9.0.0","cvss":{"score":0,"vectorString":null},"updated":"2023-01-31T05:01:09.000Z","recommendation":"Upgrade to version 9.0.0 or later","cwe":["CWE-327"],"found_by":null,"deleted":null,"id":1089434,"references":"- https://github.com/auth0/node-jsonwebtoken/security/advisories/GHSA-8cf7-32gw-wr33\n- https://github.com/auth0/node-jsonwebtoken/commit/e1fa9dcc12054a8681db4e6373da1b30cf7016e3\n- https://nvd.nist.gov/vuln/detail/CVE-2022-23539\n- https://github.com/advisories/GHSA-8cf7-32gw-wr33","created":"2022-12-22T03:32:22.000Z","reported_by":null,"title":"jsonwebtoken unrestricted key type could lead to legacy keys usage ","npm_advisory_id":null,"overview":"# Overview\n\nVersions `<=8.5.1` of `jsonwebtoken` library could be misconfigured so that legacy, insecure key types are used for signature verification. For example, DSA keys could be used with the RS256 algorithm. \n\n# Am I affected?\n\nYou are affected if you are using an algorithm and a key type other than the combinations mentioned below\n\n| Key type | algorithm |\n|----------|------------------------------------------|\n| ec | ES256, ES384, ES512 |\n| rsa | RS256, RS384, RS512, PS256, PS384, PS512 |\n| rsa-pss | PS256, PS384, PS512 |\n\nAnd for Elliptic Curve algorithms:\n\n| `alg` | Curve |\n|-------|------------|\n| ES256 | prime256v1 |\n| ES384 | secp384r1 |\n| ES512 | secp521r1 |\n\n# How do I fix it?\n\nUpdate to version 9.0.0. This version validates for asymmetric key type and algorithm combinations. 
Please refer to the above mentioned algorithm / key type combinations for the valid secure configuration. After updating to version 9.0.0, If you still intend to continue with signing or verifying tokens using invalid key type/algorithm value combinations, you’ll need to set the `allowInvalidAsymmetricKeyTypes` option to `true` in the `sign()` and/or `verify()` functions.\n\n# Will the fix impact my users?\n\nThere will be no impact, if you update to version 9.0.0 and you already use a valid secure combination of key type and algorithm. Otherwise, use the `allowInvalidAsymmetricKeyTypes` option to `true` in the `sign()` and `verify()` functions to continue usage of invalid key type/algorithm combination in 9.0.0 for legacy compatibility. \n\n","url":"https://github.com/advisories/GHSA-8cf7-32gw-wr33"},"1089512":{"findings":[{"version":"6.2.1","paths":["log4js"]}],"metadata":null,"vulnerable_versions":"<6.4.0","module_name":"log4js","severity":"moderate","github_advisory_id":"GHSA-82v2-mx6x-wq7q","cves":["CVE-2022-21704"],"access":"public","patched_versions":">=6.4.0","cvss":{"score":5.5,"vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},"updated":"2023-02-01T05:01:40.000Z","recommendation":"Upgrade to version 6.4.0 or later","cwe":["CWE-276"],"found_by":null,"deleted":null,"id":1089512,"references":"- https://github.com/log4js-node/log4js-node/security/advisories/GHSA-82v2-mx6x-wq7q\n- https://github.com/log4js-node/log4js-node/pull/1141/commits/8042252861a1b65adb66931fdf702ead34fa9b76\n- https://github.com/log4js-node/streamroller/pull/87\n- https://github.com/log4js-node/log4js-node/blob/v6.4.0/CHANGELOG.md#640\n- https://nvd.nist.gov/vuln/detail/CVE-2022-21704\n- https://lists.debian.org/debian-lts-announce/2022/12/msg00014.html\n- https://github.com/advisories/GHSA-82v2-mx6x-wq7q","created":"2022-01-21T18:53:27.000Z","reported_by":null,"title":"Incorrect Default Permissions in log4js","npm_advisory_id":null,"overview":"### Impact\r\nDefault file 
permissions for log files created by the file, fileSync and dateFile appenders are world-readable (in unix). This could cause problems if log files contain sensitive information. This would affect any users that have not supplied their own permissions for the files via the mode parameter in the config.\r\n\r\n### Patches\r\nFixed by:\r\n* https://github.com/log4js-node/log4js-node/pull/1141\r\n* https://github.com/log4js-node/streamroller/pull/87\r\n\r\nReleased to NPM in log4js@6.4.0\r\n\r\n### Workarounds\r\nEvery version of log4js published allows passing the mode parameter to the configuration of file appenders, see the documentation for details.\r\n\r\n### References\r\n\r\nThanks to [ranjit-git](https://www.huntr.dev/users/ranjit-git) for raising the issue, and to @lamweili for fixing the problem.\r\n\r\n### For more information\r\nIf you have any questions or comments about this advisory:\r\n* Open an issue in [logj4s-node](https://github.com/log4js-node/log4js-node)\r\n* Ask a question in the [slack channel](https://join.slack.com/t/log4js-node/shared_invite/enQtODkzMDQ3MzExMDczLWUzZmY0MmI0YWI1ZjFhODY0YjI0YmU1N2U5ZTRkOTYyYzg3MjY5NWI4M2FjZThjYjdiOGM0NjU2NzBmYTJjOGI)\r\n* Email us at [gareth.nomiddlename@gmail.com](mailto:gareth.nomiddlename@gmail.com)\r\n","url":"https://github.com/advisories/GHSA-82v2-mx6x-wq7q"},"1089630":{"findings":[{"version":"1.5.0","paths":["@hmcts/rpx-xui-node-lib>passport-oauth2"]}],"metadata":null,"vulnerable_versions":"<1.6.1","module_name":"passport-oauth2","severity":"moderate","github_advisory_id":"GHSA-f794-r6xc-hf3v","cves":["CVE-2021-41580"],"access":"public","patched_versions":">=1.6.1","cvss":{"score":5.3,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},"updated":"2023-02-01T05:06:26.000Z","recommendation":"Upgrade to version 1.6.1 or later","cwe":["CWE-287"],"found_by":null,"deleted":null,"id":1089630,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2021-41580\n- 
https://github.com/jaredhanson/passport-oauth2/pull/144\n- https://github.com/jaredhanson/passport-oauth2/commit/8e3bcdff145a2219033bd782fc517229fe3e05ea\n- https://github.com/jaredhanson/passport-oauth2/compare/v1.6.0...v1.6.1\n- https://medium.com/passportjs/no-access-token-no-service-7fb017c9e262\n- https://github.com/advisories/GHSA-f794-r6xc-hf3v","created":"2021-09-29T17:18:32.000Z","reported_by":null,"title":"Improper Access Control in passport-oauth2","npm_advisory_id":null,"overview":"The passport-oauth2 package before 1.6.1 for Node.js mishandles the error condition of failure to obtain an access token. This is exploitable in certain use cases where an OAuth identity provider uses an HTTP 200 status code for authentication-failure error reports, and an application grants authorization upon simply receiving the access token (i.e., does not try to use the token). NOTE: the passport-oauth2 vendor does not consider this a passport-oauth2 vulnerability.","url":"https://github.com/advisories/GHSA-f794-r6xc-hf3v"},"1089682":{"findings":[{"version":"6.0.5","paths":["@pact-foundation/pact-node>tar","@pact-foundation/pact>@pact-foundation/pact-node>tar","playwright>fsevents>node-gyp>tar","@pact-foundation/pact-node>bunyan>dtrace-provider>node-gyp>tar","@pact-foundation/pact-node>bunyan>dtrace-provider>nan>node-gyp>tar","@pact-foundation/pact>@pact-foundation/pact-node>bunyan>dtrace-provider>nan>node-gyp>tar","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>@jest/core>jest-haste-map>fsevents>node-gyp>tar","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>@jest/core>@jest/transform>jest-haste-map>fsevents>node-gyp>tar","@hmcts/rpx-xui-node-lib>jest-mock-axios>@jest/globals>@jest/expect>jest-snapshot>@jest/transform>jest-haste-map>fsevents>node-gyp>tar","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>@jest/core>jest-resolve-dependencies>jest-snapshot>@jest/transform>jest-haste-map>fsevents>node-gyp>tar","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>jest-cli>@jest/core>jest-reso
lve-dependencies>jest-snapshot>@jest/transform>jest-haste-map>fsevents>node-gyp>tar","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>@jest/core>jest-runtime>@jest/globals>@jest/expect>jest-snapshot>@jest/transform>jest-haste-map>fsevents>node-gyp>tar","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>@jest/core>jest-runner>jest-runtime>@jest/globals>@jest/expect>jest-snapshot>@jest/transform>jest-haste-map>fsevents>node-gyp>tar","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>jest-cli>@jest/core>jest-runner>jest-runtime>@jest/globals>@jest/expect>jest-snapshot>@jest/transform>jest-haste-map>fsevents>node-gyp>tar","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>jest-cli>@jest/core>jest-config>jest-runner>jest-runtime>@jest/globals>@jest/expect>jest-snapshot>@jest/transform>jest-haste-map>fsevents>node-gyp>tar"]}],"metadata":null,"vulnerable_versions":">=6.0.0 <6.1.1","module_name":"tar","severity":"high","github_advisory_id":"GHSA-3jfq-g458-7qm9","cves":["CVE-2021-32804"],"access":"public","patched_versions":">=6.1.1","cvss":{"score":8.2,"vectorString":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N"},"updated":"2023-02-01T05:05:55.000Z","recommendation":"Upgrade to version 6.1.1 or later","cwe":["CWE-22"],"found_by":null,"deleted":null,"id":1089682,"references":"- https://github.com/npm/node-tar/security/advisories/GHSA-3jfq-g458-7qm9\n- https://github.com/npm/node-tar/commit/1f036ca23f64a547bdd6c79c1a44bc62e8115da4\n- https://www.npmjs.com/advisories/1770\n- https://www.npmjs.com/package/tar\n- https://nvd.nist.gov/vuln/detail/CVE-2021-32804\n- https://www.oracle.com/security-alerts/cpuoct2021.html\n- https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf\n- https://github.com/advisories/GHSA-3jfq-g458-7qm9","created":"2021-08-03T19:06:36.000Z","reported_by":null,"title":"Arbitrary File Creation/Overwrite due to insufficient absolute path sanitization","npm_advisory_id":null,"overview":"### Impact\n\nArbitrary File Creation, Arbitrary File Overwrite, Arbitrary Code 
Execution\n\n`node-tar` aims to prevent extraction of absolute file paths by turning absolute paths into relative paths when the `preservePaths` flag is not set to `true`. This is achieved by stripping the absolute path root from any absolute file paths contained in a tar file. For example `/home/user/.bashrc` would turn into `home/user/.bashrc`. \n\nThis logic was insufficient when file paths contained repeated path roots such as `////home/user/.bashrc`. `node-tar` would only strip a single path root from such paths. When given an absolute file path with repeating path roots, the resulting path (e.g. `///home/user/.bashrc`) would still resolve to an absolute path, thus allowing arbitrary file creation and overwrite. \n\n### Patches\n\n3.2.2 || 4.4.14 || 5.0.6 || 6.1.1\n\nNOTE: an adjacent issue [CVE-2021-32803](https://github.com/npm/node-tar/security/advisories/GHSA-r628-mhmh-qjhw) affects this release level. Please ensure you update to the latest patch levels that address CVE-2021-32803 as well if this adjacent issue affects your `node-tar` use case.\n\n### Workarounds\n\nUsers may work around this vulnerability without upgrading by creating a custom `onentry` method which sanitizes the `entry.path` or a `filter` method which removes entries with absolute paths.\n\n```js\nconst path = require('path')\nconst tar = require('tar')\n\ntar.x({\n file: 'archive.tgz',\n // either add this function...\n onentry: (entry) => {\n if (path.isAbsolute(entry.path)) {\n entry.path = sanitizeAbsolutePathSomehow(entry.path)\n entry.absolute = path.resolve(entry.path)\n }\n },\n\n // or this one\n filter: (file, entry) => {\n if (path.isAbsolute(entry.path)) {\n return false\n } else {\n return true\n }\n }\n})\n```\n\nUsers are encouraged to upgrade to the latest patch versions, rather than attempt to sanitize tar input 
themselves.","url":"https://github.com/advisories/GHSA-3jfq-g458-7qm9"},"1089698":{"findings":[{"version":"0.15.6","paths":["xlsx"]}],"metadata":null,"vulnerable_versions":"<0.17.0","module_name":"xlsx","severity":"moderate","github_advisory_id":"GHSA-g973-978j-2c3p","cves":["CVE-2021-32014"],"access":"public","patched_versions":">=0.17.0","cvss":{"score":5.5,"vectorString":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"},"updated":"2023-02-01T05:05:54.000Z","recommendation":"Upgrade to version 0.17.0 or later","cwe":["CWE-345","CWE-400"],"found_by":null,"deleted":null,"id":1089698,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2021-32014\n- https://floqast.com/engineering-blog/post/fuzzing-and-parsing-securely/\n- https://sheetjs.com/pro\n- https://www.npmjs.com/package/xlsx/v/0.17.0\n- https://www.oracle.com/security-alerts/cpujan2022.html\n- https://github.com/advisories/GHSA-g973-978j-2c3p","created":"2021-07-22T19:47:15.000Z","reported_by":null,"title":"Denial of Service in SheetJS Pro","npm_advisory_id":null,"overview":"SheetJS Pro through 0.16.9 allows attackers to cause a denial of service (CPU consumption) via a crafted .xlsx document that is mishandled when read by xlsx.js.","url":"https://github.com/advisories/GHSA-g973-978j-2c3p"},"1089699":{"findings":[{"version":"0.15.6","paths":["xlsx"]}],"metadata":null,"vulnerable_versions":"<0.17.0","module_name":"xlsx","severity":"moderate","github_advisory_id":"GHSA-3x9f-74h4-2fqr","cves":["CVE-2021-32012"],"access":"public","patched_versions":">=0.17.0","cvss":{"score":5.5,"vectorString":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"},"updated":"2023-02-01T05:06:10.000Z","recommendation":"Upgrade to version 0.17.0 or later","cwe":["CWE-400"],"found_by":null,"deleted":null,"id":1089699,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2021-32012\n- https://floqast.com/engineering-blog/post/fuzzing-and-parsing-securely/\n- https://sheetjs.com/pro\n- https://www.npmjs.com/package/xlsx/v/0.17.0\n- 
https://www.oracle.com/security-alerts/cpujan2022.html\n- https://github.com/advisories/GHSA-3x9f-74h4-2fqr","created":"2021-07-22T19:48:17.000Z","reported_by":null,"title":"Denial of Service in SheetJS Pro","npm_advisory_id":null,"overview":"SheetJS Pro through 0.16.9 allows attackers to cause a denial of service (memory consumption) via a crafted .xlsx document that is mishandled when read by xlsx.js (issue 1 of 2).","url":"https://github.com/advisories/GHSA-3x9f-74h4-2fqr"},"1089700":{"findings":[{"version":"0.15.6","paths":["xlsx"]}],"metadata":null,"vulnerable_versions":"<0.17.0","module_name":"xlsx","severity":"moderate","github_advisory_id":"GHSA-8vcr-vxm8-293m","cves":["CVE-2021-32013"],"access":"public","patched_versions":">=0.17.0","cvss":{"score":5.5,"vectorString":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"},"updated":"2023-02-01T05:06:00.000Z","recommendation":"Upgrade to version 0.17.0 or later","cwe":["CWE-400"],"found_by":null,"deleted":null,"id":1089700,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2021-32013\n- https://floqast.com/engineering-blog/post/fuzzing-and-parsing-securely/\n- https://sheetjs.com/pro\n- https://www.npmjs.com/package/xlsx/v/0.17.0\n- https://www.oracle.com/security-alerts/cpujan2022.html\n- https://github.com/advisories/GHSA-8vcr-vxm8-293m","created":"2021-07-22T19:48:13.000Z","reported_by":null,"title":"Denial of Service in SheetsJS Pro","npm_advisory_id":null,"overview":"SheetJS Pro through 0.16.9 allows attackers to cause a denial of service (memory consumption) via a crafted .xlsx document that is mishandled when read by xlsx.js (issue 2 of 
2).","url":"https://github.com/advisories/GHSA-8vcr-vxm8-293m"},"1089716":{"findings":[{"version":"1.23.0","paths":["ngx-md>prismjs"]}],"metadata":null,"vulnerable_versions":"<1.24.0","module_name":"prismjs","severity":"high","github_advisory_id":"GHSA-gj77-59wh-66hg","cves":["CVE-2021-32723"],"access":"public","patched_versions":">=1.24.0","cvss":{"score":7.4,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:N/A:H"},"updated":"2023-02-01T05:05:49.000Z","recommendation":"Upgrade to version 1.24.0 or later","cwe":["CWE-400"],"found_by":null,"deleted":null,"id":1089716,"references":"- https://github.com/PrismJS/prism/security/advisories/GHSA-gj77-59wh-66hg\n- https://github.com/PrismJS/prism/pull/2688\n- https://github.com/PrismJS/prism/pull/2774\n- https://github.com/PrismJS/prism/commit/d85e30da6755fdbe7f8559f8e75d122297167018\n- https://nvd.nist.gov/vuln/detail/CVE-2021-32723\n- https://www.oracle.com/security-alerts/cpujan2022.html\n- https://github.com/advisories/GHSA-gj77-59wh-66hg","created":"2021-06-28T18:33:18.000Z","reported_by":null,"title":"Regular Expression Denial of Service (ReDoS) in Prism","npm_advisory_id":null,"overview":"Some languages before 1.24.0 are vulnerable to Regular Expression Denial of Service (ReDoS).\n\n### Impact\n\nWhen Prism is used to highlight untrusted (user-given) text, an attacker can craft a string that will take a very very long time to highlight. 
Do not use the following languages to highlight untrusted text.\n\n- ASCIIDoc\n- ERB\n\nOther languages are __not__ affected and can be used to highlight untrusted text.\n\n### Patches\nThis problem has been fixed in Prism v1.24.\n\n### References\n\n- PrismJS/prism#2774\n- PrismJS/prism#2688\n","url":"https://github.com/advisories/GHSA-gj77-59wh-66hg"},"1090424":{"findings":[{"version":"1.23.0","paths":["ngx-md>prismjs"]}],"metadata":null,"vulnerable_versions":">=1.14.0 <1.27.0","module_name":"prismjs","severity":"high","github_advisory_id":"GHSA-3949-f494-cm99","cves":["CVE-2022-23647"],"access":"public","patched_versions":">=1.27.0","cvss":{"score":7.5,"vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:L/A:L"},"updated":"2023-02-03T05:06:26.000Z","recommendation":"Upgrade to version 1.27.0 or later","cwe":["CWE-79"],"found_by":null,"deleted":null,"id":1090424,"references":"- https://github.com/PrismJS/prism/security/advisories/GHSA-3949-f494-cm99\n- https://nvd.nist.gov/vuln/detail/CVE-2022-23647\n- https://github.com/PrismJS/prism/pull/3341\n- https://github.com/PrismJS/prism/commit/e002e78c343154e1c0ddf9d6a0bb85689e1a5c7c\n- https://github.com/advisories/GHSA-3949-f494-cm99","created":"2022-02-22T19:32:18.000Z","reported_by":null,"title":"Cross-site Scripting in Prism","npm_advisory_id":null,"overview":"### Impact\nPrism's [Command line plugin](https://prismjs.com/plugins/command-line/) can be used by attackers to achieve an XSS attack. The Command line plugin did not properly escape its output, leading to the input text being inserted into the DOM as HTML code.\n\nServer-side usage of Prism is not impacted. 
Websites that do not use the Command Line plugin are also not impacted.\n\n### Patches\nThis bug has been fixed in v1.27.0.\n\n### Workarounds\nDo not use the Command line plugin on untrusted inputs, or sanitized all code blocks (remove all HTML code text) from all code blocks that use the Command line plugin.\n\n### References\n- https://github.com/PrismJS/prism/pull/3341","url":"https://github.com/advisories/GHSA-3949-f494-cm99"},"1091087":{"findings":[{"version":"8.5.1","paths":["jsonwebtoken"]}],"metadata":null,"vulnerable_versions":"<=8.5.1","module_name":"jsonwebtoken","severity":"moderate","github_advisory_id":"GHSA-hjrf-2m68-5959","cves":["CVE-2022-23541"],"access":"public","patched_versions":">=9.0.0","cvss":{"score":5,"vectorString":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L"},"updated":"2023-01-29T05:06:34.000Z","recommendation":"Upgrade to version 9.0.0 or later","cwe":["CWE-287"],"found_by":null,"deleted":null,"id":1091087,"references":"- https://github.com/auth0/node-jsonwebtoken/security/advisories/GHSA-hjrf-2m68-5959\n- https://github.com/auth0/node-jsonwebtoken/commit/e1fa9dcc12054a8681db4e6373da1b30cf7016e3\n- https://nvd.nist.gov/vuln/detail/CVE-2022-23541\n- https://github.com/auth0/node-jsonwebtoken/releases/tag/v9.0.0\n- https://github.com/advisories/GHSA-hjrf-2m68-5959","created":"2022-12-22T03:33:19.000Z","reported_by":null,"title":"jsonwebtoken's insecure implementation of key retrieval function could lead to Forgeable Public/Private Tokens from RSA to HMAC","npm_advisory_id":null,"overview":"# Overview\n\nVersions `<=8.5.1` of `jsonwebtoken` library can be misconfigured so that passing a poorly implemented key retrieval function (referring to the `secretOrPublicKey` argument from the [readme link](https://github.com/auth0/node-jsonwebtoken#jwtverifytoken-secretorpublickey-options-callback)) will result in incorrect verification of tokens. 
There is a possibility of using a different algorithm and key combination in verification than the one that was used to sign the tokens. Specifically, tokens signed with an asymmetric public key could be verified with a symmetric HS256 algorithm. This can lead to successful validation of forged tokens. \n\n# Am I affected?\n\nYou will be affected if your application is supporting usage of both symmetric key and asymmetric key in jwt.verify() implementation with the same key retrieval function. \n\n# How do I fix it?\n \nUpdate to version 9.0.0.\n\n# Will the fix impact my users?\n\nThere is no impact for end users","url":"https://github.com/advisories/GHSA-hjrf-2m68-5959"},"1091311":{"findings":[{"version":"6.0.5","paths":["@pact-foundation/pact-node>tar","@pact-foundation/pact>@pact-foundation/pact-node>tar","playwright>fsevents>node-gyp>tar","@pact-foundation/pact-node>bunyan>dtrace-provider>node-gyp>tar","@pact-foundation/pact-node>bunyan>dtrace-provider>nan>node-gyp>tar","@pact-foundation/pact>@pact-foundation/pact-node>bunyan>dtrace-provider>nan>node-gyp>tar","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>@jest/core>jest-haste-map>fsevents>node-gyp>tar","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>@jest/core>@jest/transform>jest-haste-map>fsevents>node-gyp>tar","@hmcts/rpx-xui-node-lib>jest-mock-axios>@jest/globals>@jest/expect>jest-snapshot>@jest/transform>jest-haste-map>fsevents>node-gyp>tar","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>@jest/core>jest-resolve-dependencies>jest-snapshot>@jest/transform>jest-haste-map>fsevents>node-gyp>tar","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>jest-cli>@jest/core>jest-resolve-dependencies>jest-snapshot>@jest/transform>jest-haste-map>fsevents>node-gyp>tar","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>@jest/core>jest-runtime>@jest/globals>@jest/expect>jest-snapshot>@jest/transform>jest-haste-map>fsevents>node-gyp>tar","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>@jest/core>jest-runner>jest-runtime>@jest/globals>@jest
/expect>jest-snapshot>@jest/transform>jest-haste-map>fsevents>node-gyp>tar","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>jest-cli>@jest/core>jest-runner>jest-runtime>@jest/globals>@jest/expect>jest-snapshot>@jest/transform>jest-haste-map>fsevents>node-gyp>tar","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>jest-cli>@jest/core>jest-config>jest-runner>jest-runtime>@jest/globals>@jest/expect>jest-snapshot>@jest/transform>jest-haste-map>fsevents>node-gyp>tar"]}],"metadata":null,"vulnerable_versions":">=6.0.0 <6.1.2","module_name":"tar","severity":"high","github_advisory_id":"GHSA-r628-mhmh-qjhw","cves":["CVE-2021-32803"],"access":"public","patched_versions":">=6.1.2","cvss":{"score":8.2,"vectorString":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N"},"updated":"2023-03-09T16:44:58.000Z","recommendation":"Upgrade to version 6.1.2 or later","cwe":["CWE-22","CWE-23","CWE-59"],"found_by":null,"deleted":null,"id":1091311,"references":"- https://github.com/npm/node-tar/security/advisories/GHSA-r628-mhmh-qjhw\n- https://github.com/npm/node-tar/commit/9dbdeb6df8e9dbd96fa9e84341b9d74734be6c20\n- https://www.npmjs.com/advisories/1771\n- https://nvd.nist.gov/vuln/detail/CVE-2021-32803\n- https://www.npmjs.com/package/tar\n- https://www.oracle.com/security-alerts/cpuoct2021.html\n- https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf\n- https://github.com/isaacs/node-tar/commit/46fe35083e2676e31c4e0a81639dce6da7aaa356\n- https://github.com/isaacs/node-tar/commit/5987d9a41f6bfbf1ddab1098e1fdcf1a5618f571\n- https://github.com/isaacs/node-tar/commit/85d3a942b4064e4ff171f91696fced7975167349\n- https://github.com/isaacs/node-tar/commit/9dbdeb6df8e9dbd96fa9e84341b9d74734be6c20\n- https://github.com/advisories/GHSA-r628-mhmh-qjhw","created":"2021-08-03T19:00:40.000Z","reported_by":null,"title":"Arbitrary File Creation/Overwrite via insufficient symlink protection due to directory cache poisoning","npm_advisory_id":null,"overview":"### Impact\n\nArbitrary File Creation, Arbitrary 
File Overwrite, Arbitrary Code Execution\n\n`node-tar` aims to guarantee that any file whose location would be modified by a symbolic link is not extracted. This is, in part, achieved by ensuring that extracted directories are not symlinks. Additionally, in order to prevent unnecessary `stat` calls to determine whether a given path is a directory, paths are cached when directories are created.\n\nThis logic was insufficient when extracting tar files that contained both a directory and a symlink with the same name as the directory. This order of operations resulted in the directory being created and added to the `node-tar` directory cache. When a directory is present in the directory cache, subsequent calls to mkdir for that directory are skipped. However, this is also where `node-tar` checks for symlinks occur.\n\nBy first creating a directory, and then replacing that directory with a symlink, it was thus possible to bypass `node-tar` symlink checks on directories, essentially allowing an untrusted tar file to symlink into an arbitrary location and subsequently extracting arbitrary files into that location, thus allowing arbitrary file creation and overwrite.\n\nThis issue was addressed in releases 3.2.3, 4.4.15, 5.0.7 and 6.1.2.\n\n### Patches\n\n3.2.3 || 4.4.15 || 5.0.7 || 6.1.2\n\n### Workarounds\n\nUsers may work around this vulnerability without upgrading by creating a custom `filter` method which prevents the extraction of symbolic links.\n\n```js\nconst tar = require('tar')\n\ntar.x({\n file: 'archive.tgz',\n filter: (file, entry) => {\n if (entry.type === 'SymbolicLink') {\n return false\n } else {\n return true\n }\n }\n})\n```\n\nUsers are encouraged to upgrade to the latest patch versions, rather than attempt to sanitize tar input 
themselves.","url":"https://github.com/advisories/GHSA-r628-mhmh-qjhw"},"1091341":{"findings":[{"version":"6.0.5","paths":["@pact-foundation/pact-node>tar","@pact-foundation/pact>@pact-foundation/pact-node>tar","playwright>fsevents>node-gyp>tar","@pact-foundation/pact-node>bunyan>dtrace-provider>node-gyp>tar","@pact-foundation/pact-node>bunyan>dtrace-provider>nan>node-gyp>tar","@pact-foundation/pact>@pact-foundation/pact-node>bunyan>dtrace-provider>nan>node-gyp>tar","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>@jest/core>jest-haste-map>fsevents>node-gyp>tar","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>@jest/core>@jest/transform>jest-haste-map>fsevents>node-gyp>tar","@hmcts/rpx-xui-node-lib>jest-mock-axios>@jest/globals>@jest/expect>jest-snapshot>@jest/transform>jest-haste-map>fsevents>node-gyp>tar","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>@jest/core>jest-resolve-dependencies>jest-snapshot>@jest/transform>jest-haste-map>fsevents>node-gyp>tar","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>jest-cli>@jest/core>jest-resolve-dependencies>jest-snapshot>@jest/transform>jest-haste-map>fsevents>node-gyp>tar","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>@jest/core>jest-runtime>@jest/globals>@jest/expect>jest-snapshot>@jest/transform>jest-haste-map>fsevents>node-gyp>tar","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>@jest/core>jest-runner>jest-runtime>@jest/globals>@jest/expect>jest-snapshot>@jest/transform>jest-haste-map>fsevents>node-gyp>tar","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>jest-cli>@jest/core>jest-runner>jest-runtime>@jest/globals>@jest/expect>jest-snapshot>@jest/transform>jest-haste-map>fsevents>node-gyp>tar","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>jest-cli>@jest/core>jest-config>jest-runner>jest-runtime>@jest/globals>@jest/expect>jest-snapshot>@jest/transform>jest-haste-map>fsevents>node-gyp>tar"]}],"metadata":null,"vulnerable_versions":">=6.0.0 
<6.1.7","module_name":"tar","severity":"high","github_advisory_id":"GHSA-9r2w-394v-53qc","cves":["CVE-2021-37701"],"access":"public","patched_versions":">=6.1.7","cvss":{"score":8.2,"vectorString":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N"},"updated":"2023-03-13T21:51:00.000Z","recommendation":"Upgrade to version 6.1.7 or later","cwe":["CWE-22","CWE-59"],"found_by":null,"deleted":null,"id":1091341,"references":"- https://github.com/npm/node-tar/security/advisories/GHSA-9r2w-394v-53qc\n- https://www.npmjs.com/package/tar\n- https://nvd.nist.gov/vuln/detail/CVE-2021-37701\n- https://www.oracle.com/security-alerts/cpuoct2021.html\n- https://www.debian.org/security/2021/dsa-5008\n- https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf\n- https://lists.debian.org/debian-lts-announce/2022/12/msg00023.html\n- https://github.com/advisories/GHSA-9r2w-394v-53qc","created":"2021-08-31T16:05:27.000Z","reported_by":null,"title":"Arbitrary File Creation/Overwrite via insufficient symlink protection due to directory cache poisoning using symbolic links","npm_advisory_id":null,"overview":"### Impact\n\nArbitrary File Creation, Arbitrary File Overwrite, Arbitrary Code Execution\n\n`node-tar` aims to guarantee that any file whose location would be modified by a symbolic link is not extracted. This is, in part, achieved by ensuring that extracted directories are not symlinks. Additionally, in order to prevent unnecessary stat calls to determine whether a given path is a directory, paths are cached when directories are created.\n\nThis logic was insufficient when extracting tar files that contained both a directory and a symlink with the same name as the directory, where the symlink and directory names in the archive entry used backslashes as a path separator on posix systems. 
The cache checking logic used both `\\` and `/` characters as path separators, however `\\` is a valid filename character on posix systems.\n\nBy first creating a directory, and then replacing that directory with a symlink, it was thus possible to bypass node-tar symlink checks on directories, essentially allowing an untrusted tar file to symlink into an arbitrary location and subsequently extracting arbitrary files into that location, thus allowing arbitrary file creation and overwrite.\n\nAdditionally, a similar confusion could arise on case-insensitive filesystems. If a tar archive contained a directory at `FOO`, followed by a symbolic link named `foo`, then on case-insensitive file systems, the creation of the symbolic link would remove the directory from the filesystem, but _not_ from the internal directory cache, as it would not be treated as a cache hit. A subsequent file entry within the `FOO` directory would then be placed in the target of the symbolic link, thinking that the directory had already been created. \n\nThese issues were addressed in releases 4.4.16, 5.0.8 and 6.1.7.\n\nThe v3 branch of `node-tar` has been deprecated and did not receive patches for these issues. If you are still using a v3 release we recommend you update to a more recent version of `node-tar`. If this is not possible, a workaround is available below.\n\n### Patches\n\n4.4.16 || 5.0.8 || 6.1.7\n\n### Workarounds\n\nUsers may work around this vulnerability without upgrading by creating a custom filter method which prevents the extraction of symbolic links.\n\n```js\nconst tar = require('tar')\n\ntar.x({\n file: 'archive.tgz',\n filter: (file, entry) => {\n if (entry.type === 'SymbolicLink') {\n return false\n } else {\n return true\n }\n }\n})\n```\n\nUsers are encouraged to upgrade to the latest patched versions, rather than attempt to sanitize tar input themselves.\n\n### Fix\n\nThe problem is addressed in the following ways:\n\n1. 
All paths are normalized to use `/` as a path separator, replacing `\\` with `/` on Windows systems, and leaving `\\` intact in the path on posix systems. This is performed in depth, at every level of the program where paths are consumed.\n2. Directory cache pruning is performed case-insensitively. This _may_ result in undue cache misses on case-sensitive file systems, but the performance impact is negligible.\n\n#### Caveat\n\nNote that this means that the `entry` objects exposed in various parts of tar's API will now always use `/` as a path separator, even on Windows systems. This is not expected to cause problems, as `/` is a valid path separator on Windows systems, but _may_ result in issues if `entry.path` is compared against a path string coming from some other API such as `fs.realpath()` or `path.resolve()`.\n\nUsers are encouraged to always normalize paths using a well-tested method such as `path.resolve()` before comparing paths to one another.","url":"https://github.com/advisories/GHSA-9r2w-394v-53qc"},"1091344":{"findings":[{"version":"6.0.5","paths":["@pact-foundation/pact-node>tar","@pact-foundation/pact>@pact-foundation/pact-node>tar","playwright>fsevents>node-gyp>tar","@pact-foundation/pact-node>bunyan>dtrace-provider>node-gyp>tar","@pact-foundation/pact-node>bunyan>dtrace-provider>nan>node-gyp>tar","@pact-foundation/pact>@pact-foundation/pact-node>bunyan>dtrace-provider>nan>node-gyp>tar","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>@jest/core>jest-haste-map>fsevents>node-gyp>tar","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>@jest/core>@jest/transform>jest-haste-map>fsevents>node-gyp>tar","@hmcts/rpx-xui-node-lib>jest-mock-axios>@jest/globals>@jest/expect>jest-snapshot>@jest/transform>jest-haste-map>fsevents>node-gyp>tar","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>@jest/core>jest-resolve-dependencies>jest-snapshot>@jest/transform>jest-haste-map>fsevents>node-gyp>tar","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>jest-cli>@jest/core>jest-resolve-
dependencies>jest-snapshot>@jest/transform>jest-haste-map>fsevents>node-gyp>tar","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>@jest/core>jest-runtime>@jest/globals>@jest/expect>jest-snapshot>@jest/transform>jest-haste-map>fsevents>node-gyp>tar","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>@jest/core>jest-runner>jest-runtime>@jest/globals>@jest/expect>jest-snapshot>@jest/transform>jest-haste-map>fsevents>node-gyp>tar","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>jest-cli>@jest/core>jest-runner>jest-runtime>@jest/globals>@jest/expect>jest-snapshot>@jest/transform>jest-haste-map>fsevents>node-gyp>tar","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>jest-cli>@jest/core>jest-config>jest-runner>jest-runtime>@jest/globals>@jest/expect>jest-snapshot>@jest/transform>jest-haste-map>fsevents>node-gyp>tar"]}],"metadata":null,"vulnerable_versions":">=6.0.0 <6.1.9","module_name":"tar","severity":"high","github_advisory_id":"GHSA-5955-9wpr-37jh","cves":["CVE-2021-37713"],"access":"public","patched_versions":">=6.1.9","cvss":{"score":8.2,"vectorString":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N"},"updated":"2023-03-13T21:47:38.000Z","recommendation":"Upgrade to version 6.1.9 or later","cwe":["CWE-22"],"found_by":null,"deleted":null,"id":1091344,"references":"- https://github.com/npm/node-tar/security/advisories/GHSA-5955-9wpr-37jh\n- https://www.npmjs.com/package/tar\n- https://nvd.nist.gov/vuln/detail/CVE-2021-37713\n- https://www.oracle.com/security-alerts/cpuoct2021.html\n- https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf\n- https://github.com/isaacs/node-tar/commit/52b09e309bcae0c741a7eb79a17ef36e7828b946\n- https://github.com/isaacs/node-tar/commit/82eac952f7c10765969ed464e549375854b26edc\n- https://github.com/isaacs/node-tar/commit/875a37e3ec031186fc6599f6807341f56c584598\n- https://github.com/advisories/GHSA-5955-9wpr-37jh","created":"2021-08-31T16:05:05.000Z","reported_by":null,"title":"Arbitrary File Creation/Overwrite on Windows via insufficient 
relative path sanitization","npm_advisory_id":null,"overview":"### Impact\n\nArbitrary File Creation, Arbitrary File Overwrite, Arbitrary Code Execution\n\nnode-tar aims to guarantee that any file whose location would be outside of the extraction target directory is not extracted. This is, in part, accomplished by sanitizing absolute paths of entries within the archive, skipping archive entries that contain `..` path portions, and resolving the sanitized paths against the extraction target directory.\n\nThis logic was insufficient on Windows systems when extracting tar files that contained a path that was not an absolute path, but specified a drive letter different from the extraction target, such as `C:some\\path`. If the drive letter does not match the extraction target, for example `D:\\extraction\\dir`, then the result of `path.resolve(extractionDirectory, entryPath)` would resolve against the current working directory on the `C:` drive, rather than the extraction target directory.\n\nAdditionally, a `..` portion of the path could occur immediately after the drive letter, such as `C:../foo`, and was not properly sanitized by the logic that checked for `..` within the normalized and split portions of the path.\n\nThis only affects users of `node-tar` on Windows systems.\n\n### Patches\n\n4.4.18 || 5.0.10 || 6.1.9\n\n### Workarounds\n\nThere is no reasonable way to work around this issue without performing the same path normalization procedures that node-tar now does.\n\nUsers are encouraged to upgrade to the latest patched versions of node-tar, rather than attempt to sanitize paths themselves.\n\n### Fix\n\nThe fixed versions strip path roots from all paths prior to being resolved against the extraction target folder, even if such paths are not \"absolute\".\n\nAdditionally, a path starting with a drive letter and then two dots, like `c:../`, would bypass the check for `..` path portions. 
This is checked properly in the patched versions.\n\nFinally, a defense in depth check is added, such that if the `entry.absolute` is outside of the extraction taret, and we are not in preservePaths:true mode, a warning is raised on that entry, and it is skipped. Currently, it is believed that this check is redundant, but it did catch some oversights in development.\n","url":"https://github.com/advisories/GHSA-5955-9wpr-37jh"},"1091430":{"findings":[{"version":"2.29.0","paths":["@hmcts/nodejs-healthcheck>@hmcts/nodejs-logging>moment","@pact-foundation/pact>@pact-foundation/pact-node>bunyan>moment"]}],"metadata":null,"vulnerable_versions":"<2.29.2","module_name":"moment","severity":"high","github_advisory_id":"GHSA-8hfj-j24r-96c4","cves":["CVE-2022-24785"],"access":"public","patched_versions":">=2.29.2","cvss":{"score":7.5,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},"updated":"2023-03-20T22:35:12.000Z","recommendation":"Upgrade to version 2.29.2 or later","cwe":["CWE-22","CWE-27"],"found_by":null,"deleted":null,"id":1091430,"references":"- https://github.com/moment/moment/security/advisories/GHSA-8hfj-j24r-96c4\n- https://nvd.nist.gov/vuln/detail/CVE-2022-24785\n- https://github.com/moment/moment/commit/4211bfc8f15746be4019bba557e29a7ba83d54c5\n- https://www.tenable.com/security/tns-2022-09\n- https://security.netapp.com/advisory/ntap-20220513-0006/\n- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6QIO6YNLTK2T7SPKDS4JEL45FANLNC2Q/\n- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ORJX2LF6KMPIHP6B2P6KZIVKMLE3LVJ5/\n- https://lists.debian.org/debian-lts-announce/2023/01/msg00035.html\n- https://github.com/advisories/GHSA-8hfj-j24r-96c4","created":"2022-04-04T21:25:48.000Z","reported_by":null,"title":"Path Traversal: 'dir/../../filename' in moment.locale","npm_advisory_id":null,"overview":"### Impact\nThis vulnerability impacts npm (server) users of 
moment.js, especially if user provided locale string, eg `fr` is directly used to switch moment locale.\n\n### Patches\nThis problem is patched in 2.29.2, and the patch can be applied to all affected versions (from 1.0.1 up until 2.29.1, inclusive).\n\n### Workarounds\nSanitize user-provided locale name before passing it to moment.js.\n\n### References\n_Are there any links users can visit to find out more?_\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue in [moment repo](https://github.com/moment/moment)\n","url":"https://github.com/advisories/GHSA-8hfj-j24r-96c4"},"1091441":{"findings":[{"version":"2.29.0","paths":["@hmcts/nodejs-healthcheck>@hmcts/nodejs-logging>moment","@pact-foundation/pact>@pact-foundation/pact-node>bunyan>moment"]}],"metadata":null,"vulnerable_versions":">=2.18.0 <2.29.4","module_name":"moment","severity":"high","github_advisory_id":"GHSA-wc69-rhjr-hc9g","cves":["CVE-2022-31129"],"access":"public","patched_versions":">=2.29.4","cvss":{"score":7.5,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},"updated":"2023-03-20T23:29:32.000Z","recommendation":"Upgrade to version 2.29.4 or later","cwe":["CWE-400","CWE-1333"],"found_by":null,"deleted":null,"id":1091441,"references":"- https://github.com/moment/moment/security/advisories/GHSA-wc69-rhjr-hc9g\n- https://github.com/moment/moment/pull/6015#issuecomment-1152961973\n- https://github.com/moment/moment/commit/9a3b5894f3d5d602948ac8a02e4ee528a49ca3a3\n- https://nvd.nist.gov/vuln/detail/CVE-2022-31129\n- https://huntr.dev/bounties/f0952b67-f2ff-44a9-a9cd-99e0a87cb633/\n- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6QIO6YNLTK2T7SPKDS4JEL45FANLNC2Q/\n- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ORJX2LF6KMPIHP6B2P6KZIVKMLE3LVJ5/\n- 
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IWY24RJA3SBJGA5N4CU4VBPHJPPPJL5O/\n- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZMX5YHELQVCGKKQVFXIYOTBMN23YYSRO/\n- https://security.netapp.com/advisory/ntap-20221014-0003/\n- https://lists.debian.org/debian-lts-announce/2023/01/msg00035.html\n- https://github.com/moment/moment/pull/6015/commits/4bbb9f3ccbe231de40207503f344fe5ce97584f4\n- https://github.com/moment/moment/pull/6015/commits/bfd4f2375d5c1a2106246721d693a9611dddfbfe\n- https://github.com/moment/moment/pull/6015/commits/dc0d180e90d8a84f7ff13572363330a22b3ea504\n- https://github.com/advisories/GHSA-wc69-rhjr-hc9g","created":"2022-07-06T18:38:49.000Z","reported_by":null,"title":"Moment.js vulnerable to Inefficient Regular Expression Complexity","npm_advisory_id":null,"overview":"### Impact\n\n* using string-to-date parsing in moment (more specifically rfc2822 parsing, which is tried by default) has quadratic (N^2) complexity on specific inputs\n* noticeable slowdown is observed with inputs above 10k characters\n* users who pass user-provided strings without sanity length checks to moment constructor are vulnerable to (Re)DoS attacks\n\n### Patches\nThe problem is patched in 2.29.4, the patch can be applied to all affected versions with minimal tweaking.\n\n### Workarounds\nIn general, given the proliferation of ReDoS attacks, it makes sense to limit the length of the user input to something sane, like 200 characters or less. 
I haven't seen legitimate cases of date-time strings longer than that, so all moment users who do pass a user-originating string to constructor are encouraged to apply such a rudimentary filter, that would help with this but also most future ReDoS vulnerabilities.\n\n### References\nThere is an excellent writeup of the issue here: https://github.com/moment/moment/pull/6015#issuecomment-1152961973=\n\n### Details\nThe issue is rooted in the code that removes legacy comments (stuff inside parenthesis) from strings during rfc2822 parsing. `moment(\"(\".repeat(500000))` will take a few minutes to process, which is unacceptable.","url":"https://github.com/advisories/GHSA-wc69-rhjr-hc9g"},"1091453":{"findings":[{"version":"0.8.4","paths":["git-rev-sync>shelljs"]}],"metadata":null,"vulnerable_versions":"<0.8.5","module_name":"shelljs","severity":"high","github_advisory_id":"GHSA-4rq4-32rv-6wp6","cves":["CVE-2022-0144"],"access":"public","patched_versions":">=0.8.5","cvss":{"score":7.1,"vectorString":"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H"},"updated":"2023-03-21T20:10:17.000Z","recommendation":"Upgrade to version 0.8.5 or later","cwe":["CWE-269"],"found_by":null,"deleted":null,"id":1091453,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2022-0144\n- https://github.com/shelljs/shelljs/commit/d919d22dd6de385edaa9d90313075a77f74b338c\n- https://huntr.dev/bounties/50996581-c08e-4eed-a90e-c0bac082679c\n- https://github.com/advisories/GHSA-4rq4-32rv-6wp6","created":"2022-01-21T23:37:28.000Z","reported_by":null,"title":"Improper Privilege Management in shelljs","npm_advisory_id":null,"overview":"shelljs is vulnerable to Improper Privilege Management","url":"https://github.com/advisories/GHSA-4rq4-32rv-6wp6"},"1091470":{"findings":[{"version":"1.8.3","paths":["@pact-foundation/pact-node>underscore","@pact-foundation/pact>@pact-foundation/pact-node>underscore"]}],"metadata":null,"vulnerable_versions":">=1.3.2 
<1.12.1","module_name":"underscore","severity":"critical","github_advisory_id":"GHSA-cf4h-3jhx-xvhq","cves":["CVE-2021-23358"],"access":"public","patched_versions":">=1.12.1","cvss":{"score":9.8,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},"updated":"2023-03-23T20:56:35.000Z","recommendation":"Upgrade to version 1.12.1 or later","cwe":["CWE-94"],"found_by":null,"deleted":null,"id":1091470,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2021-23358\n- https://github.com/jashkenas/underscore/pull/2917\n- https://github.com/jashkenas/underscore/commit/4c73526d43838ad6ab43a6134728776632adeb66\n- https://github.com/jashkenas/underscore/releases/tag/1.12.1\n- https://snyk.io/vuln/SNYK-JS-UNDERSCORE-1080984\n- https://www.npmjs.com/package/underscore\n- https://github.com/jashkenas/underscore/blob/master/modules/template.js%23L71\n- https://lists.debian.org/debian-lts-announce/2021/03/msg00038.html\n- https://www.debian.org/security/2021/dsa-4883\n- https://lists.apache.org/thread.html/r5df90c46f7000c4aab246e947f62361ecfb849c5a553dcdb0ef545e1@%3Cissues.cordova.apache.org%3E\n- https://lists.apache.org/thread.html/r770f910653772317b117ab4472b0a32c266ee4abbafda28b8a6f9306@%3Cissues.cordova.apache.org%3E\n- https://lists.apache.org/thread.html/raae088abdfa4fbd84e1d19d7a7ffe52bf8e426b83e6599ea9a734dba@%3Cissues.cordova.apache.org%3E\n- https://lists.apache.org/thread.html/rbc84926bacd377503a3f5c37b923c1931f9d343754488d94e6f08039@%3Cissues.cordova.apache.org%3E\n- https://lists.apache.org/thread.html/re69ee408b3983b43e9c4a82a9a17cbbf8681bb91a4b61b46f365aeaf@%3Cissues.cordova.apache.org%3E\n- https://www.tenable.com/security/tns-2021-14\n- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EOKATXXETD2PF3OR36Q5PD2VSVAR6J5Z/\n- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FGEE7U4Z655A2MK5EW4UQQZ7B64XJWBV/\n- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1081504\n- 
https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBJASHKENAS-1081505\n- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1081503\n- https://github.com/advisories/GHSA-cf4h-3jhx-xvhq","created":"2021-05-06T16:09:43.000Z","reported_by":null,"title":"Arbitrary Code Execution in underscore","npm_advisory_id":null,"overview":"The package `underscore` from 1.13.0-0 and before 1.13.0-2, from 1.3.2 and before 1.12.1 are vulnerable to Arbitrary Code Execution via the template function, particularly when a variable property is passed as an argument as it is not sanitized.","url":"https://github.com/advisories/GHSA-cf4h-3jhx-xvhq"},"1091472":{"findings":[{"version":"0.2.3","paths":["@pact-foundation/pact-node>request>http-signature>jsprim>json-schema","@pact-foundation/pact>@pact-foundation/pact-node>request>http-signature>jsprim>json-schema"]}],"metadata":null,"vulnerable_versions":"<0.4.0","module_name":"json-schema","severity":"critical","github_advisory_id":"GHSA-896r-f27r-55mw","cves":["CVE-2021-3918"],"access":"public","patched_versions":">=0.4.0","cvss":{"score":9.8,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},"updated":"2023-03-23T20:35:18.000Z","recommendation":"Upgrade to version 0.4.0 or later","cwe":["CWE-915","CWE-1321"],"found_by":null,"deleted":null,"id":1091472,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2021-3918\n- https://github.com/kriszyp/json-schema/commit/22f146111f541d9737e832823699ad3528ca7741\n- https://huntr.dev/bounties/bb6ccd63-f505-4e3a-b55f-cd2662c261a9\n- https://github.com/kriszyp/json-schema/commit/b62f1da1ff5442f23443d6be6a92d00e65cba93a\n- https://github.com/kriszyp/json-schema/commit/f6f6a3b02d667aa4ba2d5d50cc19208c4462abfa\n- https://lists.debian.org/debian-lts-announce/2022/12/msg00013.html\n- https://github.com/advisories/GHSA-896r-f27r-55mw","created":"2021-11-19T20:16:17.000Z","reported_by":null,"title":"json-schema is vulnerable to Prototype Pollution","npm_advisory_id":null,"overview":"json-schema before 
version 0.4.0 is vulnerable to Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution').","url":"https://github.com/advisories/GHSA-896r-f27r-55mw"},"1092316":{"findings":[{"version":"4.1.0","paths":["playwright>fsevents>node-gyp>make-fetch-happen>http-cache-semantics","@pact-foundation/pact-node>bunyan>dtrace-provider>node-gyp>make-fetch-happen>http-cache-semantics","@pact-foundation/pact-node>bunyan>dtrace-provider>nan>node-gyp>make-fetch-happen>http-cache-semantics","@pact-foundation/pact>@pact-foundation/pact-node>bunyan>dtrace-provider>nan>node-gyp>make-fetch-happen>http-cache-semantics","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>@jest/core>jest-haste-map>fsevents>node-gyp>make-fetch-happen>http-cache-semantics","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>@jest/core>@jest/transform>jest-haste-map>fsevents>node-gyp>make-fetch-happen>http-cache-semantics","@hmcts/rpx-xui-node-lib>jest-mock-axios>@jest/globals>@jest/expect>jest-snapshot>@jest/transform>jest-haste-map>fsevents>node-gyp>make-fetch-happen>http-cache-semantics","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>@jest/core>jest-resolve-dependencies>jest-snapshot>@jest/transform>jest-haste-map>fsevents>node-gyp>make-fetch-happen>http-cache-semantics","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>jest-cli>@jest/core>jest-resolve-dependencies>jest-snapshot>@jest/transform>jest-haste-map>fsevents>node-gyp>make-fetch-happen>http-cache-semantics","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>@jest/core>jest-runtime>@jest/globals>@jest/expect>jest-snapshot>@jest/transform>jest-haste-map>fsevents>node-gyp>make-fetch-happen>http-cache-semantics","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>@jest/core>jest-runner>jest-runtime>@jest/globals>@jest/expect>jest-snapshot>@jest/transform>jest-haste-map>fsevents>node-gyp>make-fetch-happen>http-cache-semantics","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>jest-cli>@jest/core>jest-runner>jest-runtime>@jest/globals>@jest/expect>jest-snap
shot>@jest/transform>jest-haste-map>fsevents>node-gyp>make-fetch-happen>http-cache-semantics","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>jest-cli>@jest/core>jest-config>jest-runner>jest-runtime>@jest/globals>@jest/expect>jest-snapshot>@jest/transform>jest-haste-map>fsevents>node-gyp>make-fetch-happen>http-cache-semantics"]}],"metadata":null,"vulnerable_versions":"<4.1.1","module_name":"http-cache-semantics","severity":"high","github_advisory_id":"GHSA-rc47-6667-2j5j","cves":["CVE-2022-25881"],"access":"public","patched_versions":">=4.1.1","cvss":{"score":7.5,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},"updated":"2023-06-22T17:26:15.000Z","recommendation":"Upgrade to version 4.1.1 or later","cwe":["CWE-1333"],"found_by":null,"deleted":null,"id":1092316,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2022-25881\n- https://github.com/kornelski/http-cache-semantics/blob/master/index.js%23L83\n- https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-3253332\n- https://security.snyk.io/vuln/SNYK-JS-HTTPCACHESEMANTICS-3248783\n- https://github.com/kornelski/http-cache-semantics/commit/560b2d8ef452bbba20ffed69dc155d63ac757b74\n- https://security.netapp.com/advisory/ntap-20230622-0008/\n- https://github.com/advisories/GHSA-rc47-6667-2j5j","created":"2023-01-31T06:30:26.000Z","reported_by":null,"title":"http-cache-semantics vulnerable to Regular Expression Denial of Service","npm_advisory_id":null,"overview":"http-cache semantics contains an Inefficient Regular Expression Complexity , leading to Denial of Service. This affects versions of the package http-cache-semantics before 4.1.1. 
The issue can be exploited via malicious request header values sent to a server, when that server reads the cache policy from the request using this library.","url":"https://github.com/advisories/GHSA-rc47-6667-2j5j"},"1092423":{"findings":[{"version":"2.6.3","paths":["@hmcts/nodejs-healthcheck>@hmcts/nodejs-logging>winston>async","@hmcts/rpx-xui-node-lib>jest-ts-auto-mock>ts-auto-mock>winston>async"]}],"metadata":null,"vulnerable_versions":">=2.0.0 <2.6.4","module_name":"async","severity":"high","github_advisory_id":"GHSA-fwr7-v2mv-hh25","cves":["CVE-2021-43138"],"access":"public","patched_versions":">=2.6.4","cvss":{"score":7.8,"vectorString":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},"updated":"2023-07-07T18:19:47.000Z","recommendation":"Upgrade to version 2.6.4 or later","cwe":["CWE-1321"],"found_by":null,"deleted":null,"id":1092423,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2021-43138\n- https://github.com/caolan/async/commit/e1ecdbf79264f9ab488c7799f4c76996d5dca66d\n- https://github.com/caolan/async/blob/master/lib/internal/iterator.js\n- https://github.com/caolan/async/blob/master/lib/mapValuesLimit.js\n- https://jsfiddle.net/oz5twjd9/\n- https://github.com/caolan/async/pull/1828\n- https://github.com/caolan/async/commit/8f7f90342a6571ba1c197d747ebed30c368096d2\n- https://github.com/caolan/async/blob/v2.6.4/CHANGELOG.md#v264\n- https://github.com/caolan/async/compare/v2.6.3...v2.6.4\n- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MTEUUTNIEBHGKUKKLNUZSV7IEP6IP3Q3/\n- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UM6XJ73Q3NAM5KSGCOKJ2ZIA6GUWUJLK/\n- https://github.com/advisories/GHSA-fwr7-v2mv-hh25","created":"2022-04-07T00:00:17.000Z","reported_by":null,"title":"Prototype Pollution in async","npm_advisory_id":null,"overview":"A vulnerability exists in Async through 3.2.1 for 3.x and through 2.6.3 for 2.x (fixed in 3.2.2 and 2.6.4), which could let 
a malicious user obtain privileges via the `mapValues()` method.","url":"https://github.com/advisories/GHSA-fwr7-v2mv-hh25"},"1092470":{"findings":[{"version":"2.4.3","paths":["@pact-foundation/pact-node>request>tough-cookie","@pact-foundation/pact>@pact-foundation/pact-node>request>tough-cookie"]}],"metadata":null,"vulnerable_versions":"<4.1.3","module_name":"tough-cookie","severity":"moderate","github_advisory_id":"GHSA-72xf-g2v4-qvf3","cves":["CVE-2023-26136"],"access":"public","patched_versions":">=4.1.3","cvss":{"score":6.5,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"},"updated":"2023-07-11T13:44:36.000Z","recommendation":"Upgrade to version 4.1.3 or later","cwe":["CWE-1321"],"found_by":null,"deleted":null,"id":1092470,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2023-26136\n- https://github.com/salesforce/tough-cookie/issues/282\n- https://github.com/salesforce/tough-cookie/commit/12d474791bb856004e858fdb1c47b7608d09cf6e\n- https://github.com/salesforce/tough-cookie/releases/tag/v4.1.3\n- https://security.snyk.io/vuln/SNYK-JS-TOUGHCOOKIE-5672873\n- https://lists.debian.org/debian-lts-announce/2023/07/msg00010.html\n- https://github.com/advisories/GHSA-72xf-g2v4-qvf3","created":"2023-07-01T06:30:16.000Z","reported_by":null,"title":"tough-cookie Prototype Pollution vulnerability","npm_advisory_id":null,"overview":"Versions of the package tough-cookie before 4.1.3 are vulnerable to Prototype Pollution due to improper handling of Cookies when using CookieJar in `rejectPublicSuffixes=false` mode. 
This issue arises from the manner in which the objects are initialized.","url":"https://github.com/advisories/GHSA-72xf-g2v4-qvf3"},"1092549":{"findings":[{"version":"8.5.1","paths":["jsonwebtoken"]}],"metadata":null,"vulnerable_versions":"<9.0.0","module_name":"jsonwebtoken","severity":"moderate","github_advisory_id":"GHSA-qwph-4952-7xr6","cves":["CVE-2022-23540"],"access":"public","patched_versions":">=9.0.0","cvss":{"score":6.4,"vectorString":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:L"},"updated":"2023-07-14T22:03:14.000Z","recommendation":"Upgrade to version 9.0.0 or later","cwe":["CWE-287","CWE-327","CWE-347"],"found_by":null,"deleted":null,"id":1092549,"references":"- https://github.com/auth0/node-jsonwebtoken/security/advisories/GHSA-qwph-4952-7xr6\n- https://github.com/auth0/node-jsonwebtoken/commit/e1fa9dcc12054a8681db4e6373da1b30cf7016e3\n- https://nvd.nist.gov/vuln/detail/CVE-2022-23540\n- https://github.com/advisories/GHSA-qwph-4952-7xr6","created":"2022-12-22T03:32:59.000Z","reported_by":null,"title":"jsonwebtoken vulnerable to signature validation bypass due to insecure default algorithm in jwt.verify()","npm_advisory_id":null,"overview":"# Overview\n\nIn versions <=8.5.1 of jsonwebtoken library, lack of algorithm definition and a falsy secret or key in the `jwt.verify()` function can lead to signature validation bypass due to defaulting to the `none` algorithm for signature verification.\n\n# Am I affected?\nYou will be affected if all the following are true in the `jwt.verify()` function:\n- a token with no signature is received\n- no algorithms are specified \n- a falsy (e.g. null, false, undefined) secret or key is passed \n\n# How do I fix it?\n \nUpdate to version 9.0.0 which removes the default support for the none algorithm in the `jwt.verify()` method. \n\n# Will the fix impact my users?\n\nThere will be no impact, if you update to version 9.0.0 and you don’t need to allow for the `none` algorithm. 
If you need 'none' algorithm, you have to explicitly specify that in `jwt.verify()` options.\n","url":"https://github.com/advisories/GHSA-qwph-4952-7xr6"},"1092636":{"findings":[{"version":"1.28.1","paths":["@hmcts/rpx-xui-node-lib>openid-client>jose"]}],"metadata":null,"vulnerable_versions":">=1.0.0 <=1.28.1","module_name":"jose","severity":"moderate","github_advisory_id":"GHSA-jv3g-j58f-9mq9","cves":["CVE-2022-36083"],"access":"public","patched_versions":">=1.28.2","cvss":{"score":5.3,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},"updated":"2023-07-21T21:33:36.000Z","recommendation":"Upgrade to version 1.28.2 or later","cwe":["CWE-400","CWE-834"],"found_by":null,"deleted":null,"id":1092636,"references":"- https://github.com/panva/jose/security/advisories/GHSA-jv3g-j58f-9mq9\n- https://nvd.nist.gov/vuln/detail/CVE-2022-36083\n- https://github.com/panva/jose/commit/03d6d013bf6e070e85adfe5731f526978e3e8e4d\n- https://github.com/panva/jose/releases/tag/v4.9.2\n- https://github.com/advisories/GHSA-jv3g-j58f-9mq9","created":"2022-09-16T17:44:42.000Z","reported_by":null,"title":"JOSE vulnerable to resource exhaustion via specifically crafted JWE","npm_advisory_id":null,"overview":"The PBKDF2-based JWE key management algorithms expect a JOSE Header Parameter named `p2c` ([PBES2 Count](https://www.rfc-editor.org/rfc/rfc7518.html#section-4.8.1.2)), which determines how many PBKDF2 iterations must be executed in order to derive a CEK wrapping key. 
The purpose of this parameter is to intentionally slow down the key derivation function in order to make password brute-force and dictionary attacks more expensive.\n\nThis makes the PBES2 algorithms unsuitable for situations where the JWE is coming from an untrusted source: an adversary can intentionally pick an extremely high PBES2 Count value, that will initiate a CPU-bound computation that may take an unreasonable amount of time to finish.\n\n### Impact\n\nUnder certain conditions (see below) it is possible to have the user's environment consume unreasonable amount of CPU time.\n\n### Affected users\n\nThe impact is limited only to users utilizing the JWE decryption APIs with symmetric secrets to decrypt JWEs from untrusted parties who do not limit the accepted JWE Key Management Algorithms (`alg` Header Parameter) using the `keyManagementAlgorithms` (or `algorithms` in v1.x) decryption option or through other means.\n\nThe PBKDF2-based JWE Key Management Algorithm Identifiers are\n\n- `PBES2-HS256+A128KW`\n- `PBES2-HS384+A192KW`\n- `PBES2-HS512+A256KW`\n\ne.g.\n\n```js\nconst secret = new Uint8Array(16)\nconst jwe = '...' // JWE from an untrusted party\n\nawait jose.compactDecrypt(jwe, secret)\n```\n\nYou are NOT affected if any of the following applies to you\n\n- Your code does not use the JWE APIs\n- Your code only produces JWE tokens\n- Your code only decrypts JWEs using an asymmetric JWE Key Management Algorithm (this means you're providing an asymmetric key object to the JWE decryption API)\n- Your code only accepts JWEs produced by trusted sources\n- Your code limits the accepted JWE Key Management Algorithms using the `keyManagementAlgorithms` decryption option not including any of the PBKDF2-based JWE key management algorithms\n\n### Patches\n\n`v1.28.2`, `v2.0.6`, `v3.20.4`, and `v4.9.2` releases limit the maximum PBKDF2 iteration count to `10000` by default. 
It is possible to adjust this limit with a newly introduced `maxPBES2Count` decryption option.\n\n### Workarounds\n\nAll users should be able to upgrade given all stable semver major release lines have had new a patch release introduced which limits the PBKDF2 iteration count to `10000` by default. This removes the ability to craft JWEs that would consume unreasonable amount of CPU time.\n\nIf users are unable to upgrade their required library version they have two options depending on whether they expect to receive JWEs using any of the three PBKDF2-based JWE key management algorithms.\n\n- they can use the `keyManagementAlgorithms` decryption option to disable accepting PBKDF2 altogether\n- they can inspect the JOSE Header prior to using the decryption API and limit the PBKDF2 iteration count (`p2c` Header Parameter)\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an discussion in the project's [repository](https://github.com/panva/jose/discussions/new?category=q-a&title=GHSA-jv3g-j58f-9mq9%20advisory%20question)\n* Email me at [panva.ip@gmail.com](mailto:panva.ip@gmail.com)\n","url":"https://github.com/advisories/GHSA-jv3g-j58f-9mq9"},"1092964":{"findings":[{"version":"0.7.0","paths":["ngx-md>marked"]}],"metadata":null,"vulnerable_versions":"<4.0.10","module_name":"marked","severity":"high","github_advisory_id":"GHSA-5v2h-r2cx-5xgj","cves":["CVE-2022-21681"],"access":"public","patched_versions":">=4.0.10","cvss":{"score":7.5,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},"updated":"2023-08-14T05:04:30.000Z","recommendation":"Upgrade to version 4.0.10 or later","cwe":["CWE-1333"],"found_by":null,"deleted":null,"id":1092964,"references":"- https://github.com/markedjs/marked/security/advisories/GHSA-5v2h-r2cx-5xgj\n- https://nvd.nist.gov/vuln/detail/CVE-2022-21681\n- https://github.com/markedjs/marked/commit/8f806573a3f6c6b7a39b8cdb66ab5ebb8d55a5f5\n- 
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AIXDMC3CSHYW3YWVSQOXAWLUYQHAO5UX/\n- https://github.com/advisories/GHSA-5v2h-r2cx-5xgj","created":"2022-01-14T21:04:46.000Z","reported_by":null,"title":"Inefficient Regular Expression Complexity in marked","npm_advisory_id":null,"overview":"### Impact\n\n_What kind of vulnerability is it?_\n\nDenial of service.\n\nThe regular expression `inline.reflinkSearch` may cause catastrophic backtracking against some strings.\nPoC is the following.\n\n```javascript\nimport * as marked from 'marked';\n\nconsole.log(marked.parse(`[x]: x\n\n\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](`));\n```\n\n_Who is impacted?_\n\nAnyone who runs untrusted markdown through marked and does not use a worker with a time limit.\n\n### Patches\n\n_Has the problem been patched?_\n\nYes\n\n_What versions should users upgrade to?_\n\n4.0.10\n\n### Workarounds\n\n_Is there a way for users to fix or remediate the vulnerability without upgrading?_\n\nDo not run untrusted markdown through marked or run marked on a [worker](https://marked.js.org/using_advanced#workers) thread and set a reasonable time limit to prevent draining resources.\n\n### References\n\n_Are there any links users can visit to find out more?_\n\n- https://marked.js.org/using_advanced#workers\n- https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS\n\n### For more information\n\nIf you have any questions or comments about this advisory:\n\n* Open an issue in 
[marked](https://github.com/markedjs/marked)\n","url":"https://github.com/advisories/GHSA-5v2h-r2cx-5xgj"},"1092969":{"findings":[{"version":"0.7.0","paths":["ngx-md>marked"]}],"metadata":null,"vulnerable_versions":"<4.0.10","module_name":"marked","severity":"high","github_advisory_id":"GHSA-rrrm-qjm4-v8hf","cves":["CVE-2022-21680"],"access":"public","patched_versions":">=4.0.10","cvss":{"score":7.5,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},"updated":"2023-08-14T05:03:59.000Z","recommendation":"Upgrade to version 4.0.10 or later","cwe":["CWE-400","CWE-1333"],"found_by":null,"deleted":null,"id":1092969,"references":"- https://github.com/markedjs/marked/security/advisories/GHSA-rrrm-qjm4-v8hf\n- https://nvd.nist.gov/vuln/detail/CVE-2022-21680\n- https://github.com/markedjs/marked/commit/c4a3ccd344b6929afa8a1d50ac54a721e57012c0\n- https://github.com/markedjs/marked/releases/tag/v4.0.10\n- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AIXDMC3CSHYW3YWVSQOXAWLUYQHAO5UX/\n- https://github.com/advisories/GHSA-rrrm-qjm4-v8hf","created":"2022-01-14T21:04:41.000Z","reported_by":null,"title":"Inefficient Regular Expression Complexity in marked","npm_advisory_id":null,"overview":"### Impact\n\n_What kind of vulnerability is it?_\n\nDenial of service.\n\nThe regular expression `block.def` may cause catastrophic backtracking against some strings.\nPoC is the following.\n\n```javascript\nimport * as marked from \"marked\";\n\nmarked.parse(`[x]:${' '.repeat(1500)}x ${' '.repeat(1500)} x`);\n```\n\n_Who is impacted?_\n\nAnyone who runs untrusted markdown through marked and does not use a worker with a time limit.\n\n### Patches\n\n_Has the problem been patched?_\n\nYes\n\n_What versions should users upgrade to?_\n\n4.0.10\n\n### Workarounds\n\n_Is there a way for users to fix or remediate the vulnerability without upgrading?_\n\nDo not run untrusted markdown through marked or run marked on a 
[worker](https://marked.js.org/using_advanced#workers) thread and set a reasonable time limit to prevent draining resources.\n\n### References\n\n_Are there any links users can visit to find out more?_\n\n- https://marked.js.org/using_advanced#workers\n- https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS\n\n### For more information\n\nIf you have any questions or comments about this advisory:\n\n* Open an issue in [marked](https://github.com/markedjs/marked)\n","url":"https://github.com/advisories/GHSA-rrrm-qjm4-v8hf"},"1092972":{"findings":[{"version":"2.88.2","paths":["@pact-foundation/pact-node>request","@pact-foundation/pact>@pact-foundation/pact-node>request"]}],"metadata":null,"vulnerable_versions":"<=2.88.2","module_name":"request","severity":"moderate","github_advisory_id":"GHSA-p8p7-x288-28g6","cves":["CVE-2023-28155"],"access":"public","patched_versions":"<0.0.0","cvss":{"score":6.1,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},"updated":"2023-08-14T20:53:47.000Z","recommendation":"None","cwe":["CWE-918"],"found_by":null,"deleted":null,"id":1092972,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2023-28155\n- https://github.com/request/request/issues/3442\n- https://github.com/request/request/pull/3444\n- https://doyensec.com/resources/Doyensec_Advisory_RequestSSRF_Q12023.pdf\n- https://security.netapp.com/advisory/ntap-20230413-0007/\n- https://github.com/github/advisory-database/pull/2500\n- https://github.com/cypress-io/request/blob/master/lib/redirect.js#L116\n- https://github.com/request/request/blob/master/lib/redirect.js#L111\n- https://github.com/cypress-io/request/pull/28\n- https://github.com/cypress-io/request/commit/c5bcf21d40fb61feaff21a0e5a2b3934a440024f\n- https://github.com/cypress-io/request/releases/tag/v3.0.0\n- https://github.com/advisories/GHSA-p8p7-x288-28g6","created":"2023-03-16T15:30:19.000Z","reported_by":null,"title":"Server-Side Request Forgery in 
Request","npm_advisory_id":null,"overview":"The `request` package through 2.88.2 for Node.js and the `@cypress/request` package prior to 3.0.0 allow a bypass of SSRF mitigations via an attacker-controller server that does a cross-protocol redirect (HTTP to HTTPS, or HTTPS to HTTP).\n\nNOTE: The `request` package is no longer supported by the maintainer.","url":"https://github.com/advisories/GHSA-p8p7-x288-28g6"},"1092990":{"findings":[{"version":"6.0.5","paths":["@pact-foundation/pact-node>tar","@pact-foundation/pact>@pact-foundation/pact-node>tar","playwright>fsevents>node-gyp>tar","@pact-foundation/pact-node>bunyan>dtrace-provider>node-gyp>tar","@pact-foundation/pact-node>bunyan>dtrace-provider>nan>node-gyp>tar","@pact-foundation/pact>@pact-foundation/pact-node>bunyan>dtrace-provider>nan>node-gyp>tar","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>@jest/core>jest-haste-map>fsevents>node-gyp>tar","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>@jest/core>@jest/transform>jest-haste-map>fsevents>node-gyp>tar","@hmcts/rpx-xui-node-lib>jest-mock-axios>@jest/globals>@jest/expect>jest-snapshot>@jest/transform>jest-haste-map>fsevents>node-gyp>tar","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>@jest/core>jest-resolve-dependencies>jest-snapshot>@jest/transform>jest-haste-map>fsevents>node-gyp>tar","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>jest-cli>@jest/core>jest-resolve-dependencies>jest-snapshot>@jest/transform>jest-haste-map>fsevents>node-gyp>tar","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>@jest/core>jest-runtime>@jest/globals>@jest/expect>jest-snapshot>@jest/transform>jest-haste-map>fsevents>node-gyp>tar","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>@jest/core>jest-runner>jest-runtime>@jest/globals>@jest/expect>jest-snapshot>@jest/transform>jest-haste-map>fsevents>node-gyp>tar","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>jest-cli>@jest/core>jest-runner>jest-runtime>@jest/globals>@jest/expect>jest-snapshot>@jest/transform>jest-haste-map>fsevents>node-gyp>tar","@hm
cts/rpx-xui-node-lib>jest-mock-axios>jest>jest-cli>@jest/core>jest-config>jest-runner>jest-runtime>@jest/globals>@jest/expect>jest-snapshot>@jest/transform>jest-haste-map>fsevents>node-gyp>tar"]}],"metadata":null,"vulnerable_versions":">=6.0.0 <6.1.9","module_name":"tar","severity":"high","github_advisory_id":"GHSA-qq89-hq3f-393p","cves":["CVE-2021-37712"],"access":"public","patched_versions":">=6.1.9","cvss":{"score":8.2,"vectorString":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N"},"updated":"2023-08-15T22:50:55.000Z","recommendation":"Upgrade to version 6.1.9 or later","cwe":["CWE-22","CWE-59"],"found_by":null,"deleted":null,"id":1092990,"references":"- https://github.com/npm/node-tar/security/advisories/GHSA-qq89-hq3f-393p\n- https://www.npmjs.com/package/tar\n- https://nvd.nist.gov/vuln/detail/CVE-2021-37712\n- https://www.oracle.com/security-alerts/cpuoct2021.html\n- https://www.debian.org/security/2021/dsa-5008\n- https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf\n- https://lists.debian.org/debian-lts-announce/2022/12/msg00023.html\n- https://github.com/isaacs/node-tar/commit/1739408d3122af897caefd09662bce2ea477533b\n- https://github.com/isaacs/node-tar/commit/b6162c7fafe797f856564ef37f4b82747f051455\n- https://github.com/isaacs/node-tar/commit/bb93ba243746f705092905da1955ac3b0509ba1e\n- https://github.com/advisories/GHSA-qq89-hq3f-393p","created":"2021-08-31T16:05:17.000Z","reported_by":null,"title":"Arbitrary File Creation/Overwrite via insufficient symlink protection due to directory cache poisoning using symbolic links","npm_advisory_id":null,"overview":"### Impact\nArbitrary File Creation, Arbitrary File Overwrite, Arbitrary Code Execution\n\nnode-tar aims to guarantee that any file whose location would be modified by a symbolic link is not extracted. This is, in part, achieved by ensuring that extracted directories are not symlinks. 
Additionally, in order to prevent unnecessary stat calls to determine whether a given path is a directory, paths are cached when directories are created.\n\nThis logic was insufficient when extracting tar files that contained two directories and a symlink with names containing unicode values that normalized to the same value. Additionally, on Windows systems, long path portions would resolve to the same file system entities as their 8.3 \"short path\" counterparts. A specially crafted tar archive could thus include directories with two forms of the path that resolve to the same file system entity, followed by a symbolic link with a name in the first form, lastly followed by a file using the second form. It led to bypassing node-tar symlink checks on directories, essentially allowing an untrusted tar file to symlink into an arbitrary location and subsequently extracting arbitrary files into that location, thus allowing arbitrary file creation and overwrite.\n\nThe v3 branch of `node-tar` has been deprecated and did not receive patches for these issues. If you are still using a v3 release we recommend you update to a more recent version of `node-tar`. If this is not possible, a workaround is available below.\n\n### Patches\n\n6.1.9 || 5.0.10 || 4.4.18\n\n### Workarounds\n\nUsers may work around this vulnerability without upgrading by creating a custom filter method which prevents the extraction of symbolic links.\n\n```js\nconst tar = require('tar')\n\ntar.x({\n file: 'archive.tgz',\n filter: (file, entry) => {\n if (entry.type === 'SymbolicLink') {\n return false\n } else {\n return true\n }\n }\n})\n```\n\nUsers are encouraged to upgrade to the latest patched versions, rather than attempt to sanitize tar input themselves.\n\n#### Fix\n\nThe problem is addressed in the following ways, when comparing paths in the directory cache and path reservation systems:\n\n1. 
The `String.normalize('NFKD')` method is used to first normalize all unicode to its maximally compatible and multi-code-point form.\n2. All slashes are normalized to `/` on Windows systems (on posix systems, `\\` is a valid filename character, and thus left intact).\n3. When a symbolic link is encountered on Windows systems, the entire directory cache is cleared. Collisions related to use of 8.3 short names to replace directories with other (non-symlink) types of entries may make archives fail to extract properly, but will not result in arbitrary file writes.\n","url":"https://github.com/advisories/GHSA-qq89-hq3f-393p"},"1093264":{"findings":[{"version":"7.0.0","paths":["global-agent>semver","@hmcts/nodejs-healthcheck>superagent>semver","playwright>fsevents>node-gyp>semver","@pact-foundation/pact-node>bunyan>dtrace-provider>node-gyp>semver","@pact-foundation/pact-node>bunyan>dtrace-provider>nan>node-gyp>semver","@hmcts/rpx-xui-node-lib>jest-mock-axios>@jest/globals>@jest/expect>jest-snapshot>@babel/core>semver","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>@jest/core>jest-resolve-dependencies>jest-snapshot>@babel/core>semver","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>jest-cli>@jest/core>jest-resolve-dependencies>jest-snapshot>@babel/core>semver","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>@jest/core>jest-runtime>@jest/globals>@jest/expect>jest-snapshot>@babel/core>semver","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>@jest/core>jest-runner>jest-runtime>@jest/globals>@jest/expect>jest-snapshot>@babel/core>semver","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>jest-cli>@jest/core>jest-runner>jest-runtime>@jest/globals>@jest/expect>jest-snapshot>@babel/core>semver","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>jest-cli>@jest/core>jest-config>jest-runner>jest-runtime>@jest/globals>@jest/expect>jest-snapshot>@babel/core>semver","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>jest-cli>@jest/core>jest-config>jest-runner>jest-runtime>@jest/globals>@jest/expect>jest-snaps
hot>@jest/transform>@babel/core>semver","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>jest-cli>@jest/core>jest-runner>jest-runtime>@jest/globals>@jest/expect>jest-snapshot>@jest/transform>babel-plugin-istanbul>istanbul-lib-instrument>@babel/core>semver","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>jest-cli>@jest/core>jest-config>jest-runner>jest-runtime>@jest/globals>@jest/expect>jest-snapshot>@jest/transform>babel-plugin-istanbul>istanbul-lib-instrument>@babel/core>semver"]}],"metadata":null,"vulnerable_versions":">=7.0.0 <7.5.2","module_name":"semver","severity":"moderate","github_advisory_id":"GHSA-c2qf-rxjj-qqgw","cves":["CVE-2022-25883"],"access":"public","patched_versions":">=7.5.2","cvss":{"score":5.3,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},"updated":"2023-09-01T23:43:55.000Z","recommendation":"Upgrade to version 7.5.2 or later","cwe":["CWE-1333"],"found_by":null,"deleted":null,"id":1093264,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2022-25883\n- https://github.com/npm/node-semver/pull/564\n- https://github.com/npm/node-semver/commit/717534ee353682f3bcf33e60a8af4292626d4441\n- https://security.snyk.io/vuln/SNYK-JS-SEMVER-3247795\n- https://github.com/npm/node-semver/blob/main/classes/range.js#L97-L104\n- https://github.com/npm/node-semver/blob/main/internal/re.js#L138\n- https://github.com/npm/node-semver/blob/main/internal/re.js#L160\n- https://github.com/npm/node-semver/pull/585\n- https://github.com/npm/node-semver/commit/928e56d21150da0413a3333a3148b20e741a920c\n- https://github.com/npm/node-semver/pull/593\n- https://github.com/npm/node-semver/commit/2f8fd41487acf380194579ecb6f8b1bbfe116be0\n- https://github.com/advisories/GHSA-c2qf-rxjj-qqgw","created":"2023-06-21T06:30:28.000Z","reported_by":null,"title":"semver vulnerable to Regular Expression Denial of Service","npm_advisory_id":null,"overview":"Versions of the package semver before 7.5.2 on the 7.x branch, before 6.3.1 on the 6.x branch, and all other versions 
before 5.7.2 are vulnerable to Regular Expression Denial of Service (ReDoS) via the function new Range, when untrusted user data is provided as a range.","url":"https://github.com/advisories/GHSA-c2qf-rxjj-qqgw"},"1093429":{"findings":[{"version":"2.6.1","paths":["node-fetch","isomorphic-fetch>node-fetch"]}],"metadata":null,"vulnerable_versions":"<2.6.7","module_name":"node-fetch","severity":"high","github_advisory_id":"GHSA-r683-j2x4-v87g","cves":["CVE-2022-0235"],"access":"public","patched_versions":">=2.6.7","cvss":{"score":8.8,"vectorString":"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},"updated":"2023-09-07T18:38:42.000Z","recommendation":"Upgrade to version 2.6.7 or later","cwe":["CWE-173","CWE-200","CWE-601"],"found_by":null,"deleted":null,"id":1093429,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2022-0235\n- https://github.com/node-fetch/node-fetch/commit/36e47e8a6406185921e4985dcbeff140d73eaa10\n- https://huntr.dev/bounties/d26ab655-38d6-48b3-be15-f9ad6b6ae6f7\n- https://github.com/node-fetch/node-fetch/pull/1453\n- https://github.com/node-fetch/node-fetch/commit/5c32f002fdd65b1c6a8f1e3620210813d45c7e60\n- https://cert-portal.siemens.com/productcert/pdf/ssa-637483.pdf\n- https://lists.debian.org/debian-lts-announce/2022/12/msg00007.html\n- https://github.com/node-fetch/node-fetch/pull/1449/commits/5c32f002fdd65b1c6a8f1e3620210813d45c7e60\n- https://github.com/node-fetch/node-fetch/commit/1ef4b560a17e644a02a3bfdea7631ffeee578b35\n- https://github.com/advisories/GHSA-r683-j2x4-v87g","created":"2022-01-21T23:55:52.000Z","reported_by":null,"title":"node-fetch forwards secure headers to untrusted sites","npm_advisory_id":null,"overview":"node-fetch forwards secure headers such as `authorization`, `www-authenticate`, `cookie`, & `cookie2` when redirecting to a untrusted 
site.","url":"https://github.com/advisories/GHSA-r683-j2x4-v87g"},"1093500":{"findings":[{"version":"0.15.6","paths":["xlsx"]}],"metadata":null,"vulnerable_versions":"<0.19.3","module_name":"xlsx","severity":"high","github_advisory_id":"GHSA-4r6h-8v6p-xvw6","cves":["CVE-2023-30533"],"access":"public","patched_versions":">=0.19.3","cvss":{"score":7.8,"vectorString":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},"updated":"2023-09-07T21:28:03.000Z","recommendation":"Upgrade to version 0.19.3 or later","cwe":["CWE-1321"],"found_by":null,"deleted":null,"id":1093500,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2023-30533\n- https://cdn.sheetjs.com/advisories/CVE-2023-30533\n- https://git.sheetjs.com/sheetjs/sheetjs/src/branch/master/CHANGELOG.md\n- https://git.sheetjs.com/sheetjs/sheetjs/issues/2667\n- https://git.sheetjs.com/sheetjs/sheetjs/issues/2986\n- https://github.com/advisories/GHSA-4r6h-8v6p-xvw6","created":"2023-04-24T09:30:19.000Z","reported_by":null,"title":"Prototype Pollution in sheetJS","npm_advisory_id":null,"overview":"All versions of SheetJS CE through 0.19.2 are vulnerable to \"Prototype Pollution\" when reading specially crafted files. 
Workflows that do not read arbitrary files (for example, exporting data to spreadsheet files) are unaffected.\n\nA non-vulnerable version cannot be found via npm, as the repository hosted on GitHub and the npm package `xlsx` are no longer maintained.","url":"https://github.com/advisories/GHSA-4r6h-8v6p-xvw6"},"1093639":{"findings":[{"version":"0.4.1","paths":["@hmcts/rpx-xui-node-lib>passport"]}],"metadata":null,"vulnerable_versions":"<0.6.0","module_name":"passport","severity":"moderate","github_advisory_id":"GHSA-v923-w3x8-wh69","cves":["CVE-2022-25896"],"access":"public","patched_versions":">=0.6.0","cvss":{"score":4.8,"vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:L"},"updated":"2023-09-11T16:22:18.000Z","recommendation":"Upgrade to version 0.6.0 or later","cwe":["CWE-384"],"found_by":null,"deleted":null,"id":1093639,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2022-25896\n- https://github.com/jaredhanson/passport/pull/900\n- https://github.com/jaredhanson/passport/commit/7e9b9cf4d7be02428e963fc729496a45baeea608\n- https://snyk.io/vuln/SNYK-JS-PASSPORT-2840631\n- https://github.com/advisories/GHSA-v923-w3x8-wh69","created":"2022-07-02T00:00:19.000Z","reported_by":null,"title":"Passport vulnerable to session regeneration when a users logs in or out","npm_advisory_id":null,"overview":"This affects the package passport before 0.6.0. 
When a user logs in or logs out, the session is regenerated instead of being closed.","url":"https://github.com/advisories/GHSA-v923-w3x8-wh69"},"1094087":{"findings":[{"version":"0.2.0","paths":["http-proxy-middleware>micromatch>snapdragon>source-map-resolve>decode-uri-component","http-proxy-middleware>micromatch>braces>snapdragon>source-map-resolve>decode-uri-component","@hmcts/rpx-xui-node-lib>ts-auto-mock>micromatch>braces>snapdragon>source-map-resolve>decode-uri-component","@hmcts/rpx-xui-node-lib>jest-ts-auto-mock>ts-auto-mock>micromatch>braces>snapdragon>source-map-resolve>decode-uri-component","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>@jest/core>micromatch>braces>snapdragon>source-map-resolve>decode-uri-component","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>@jest/core>jest-message-util>micromatch>braces>snapdragon>source-map-resolve>decode-uri-component","@hmcts/rpx-xui-node-lib>jest-mock-axios>@jest/globals>@jest/environment>@jest/fake-timers>jest-message-util>micromatch>braces>snapdragon>source-map-resolve>decode-uri-component","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>@jest/core>jest-runtime>@jest/fake-timers>jest-message-util>micromatch>braces>snapdragon>source-map-resolve>decode-uri-component","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>@jest/core>jest-runner>@jest/environment>@jest/fake-timers>jest-message-util>micromatch>braces>snapdragon>source-map-resolve>decode-uri-component","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>@jest/core>jest-runtime>@jest/globals>@jest/environment>@jest/fake-timers>jest-message-util>micromatch>braces>snapdragon>source-map-resolve>decode-uri-component","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>@jest/core>jest-runner>jest-runtime>@jest/globals>@jest/environment>@jest/fake-timers>jest-message-util>micromatch>braces>snapdragon>source-map-resolve>decode-uri-component","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>jest-cli>@jest/core>jest-runner>jest-runtime>@jest/globals>@jest/environment>@jest/fake-timers>je
st-message-util>micromatch>braces>snapdragon>source-map-resolve>decode-uri-component","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>jest-cli>@jest/core>jest-config>jest-runner>jest-runtime>@jest/globals>@jest/environment>@jest/fake-timers>jest-message-util>micromatch>braces>snapdragon>source-map-resolve>decode-uri-component","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>jest-cli>@jest/core>jest-config>jest-runner>jest-runtime>@jest/globals>@jest/expect>jest-snapshot>expect>jest-message-util>micromatch>braces>snapdragon>source-map-resolve>decode-uri-component","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>jest-cli>@jest/core>jest-config>jest-runner>jest-runtime>@jest/globals>@jest/expect>jest-snapshot>expect>jest-message-util>micromatch>extglob>expand-brackets>snapdragon>source-map-resolve>decode-uri-component"]}],"metadata":null,"vulnerable_versions":"<0.2.1","module_name":"decode-uri-component","severity":"high","github_advisory_id":"GHSA-w573-4hg7-7wgq","cves":["CVE-2022-38900"],"access":"public","patched_versions":">=0.2.1","cvss":{"score":7.5,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},"updated":"2023-09-21T22:16:39.000Z","recommendation":"Upgrade to version 0.2.1 or later","cwe":["CWE-20"],"found_by":null,"deleted":null,"id":1094087,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2022-38900\n- https://github.com/SamVerschueren/decode-uri-component/issues/5\n- https://github.com/sindresorhus/query-string/issues/345\n- https://github.com/SamVerschueren/decode-uri-component/commit/746ca5dcb6667c5d364e782d53c542830e4c10b9\n- https://github.com/SamVerschueren/decode-uri-component/releases/tag/v0.2.1\n- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ERN6YE3DS7NBW7UH44SCJBMNC2NWQ7SM/\n- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KAC5KQ2SEWAMQ6UZAUBZ5KXKEOESH375/\n- 
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VNV2GNZXOTEDAJRFH3ZYWRUBGIVL7BSU/\n- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QABOUA2I542UTANVZIVFKWMRYVHLV32D/\n- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UW4SCMT3SEUFVIL7YIADQ5K36GJEO6I5/\n- https://github.com/advisories/GHSA-w573-4hg7-7wgq","created":"2022-11-28T15:30:24.000Z","reported_by":null,"title":"decode-uri-component vulnerable to Denial of Service (DoS)","npm_advisory_id":null,"overview":"decode-uri-component 0.2.0 is vulnerable to Improper Input Validation resulting in DoS.","url":"https://github.com/advisories/GHSA-w573-4hg7-7wgq"},"1094091":{"findings":[{"version":"4.1.0","paths":["@pact-foundation/pact>cli-color>ansi-regex","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>@jest/core>strip-ansi>ansi-regex","playwright>fsevents>node-gyp>npmlog>gauge>strip-ansi>ansi-regex","playwright>fsevents>node-gyp>npmlog>gauge>string-width>strip-ansi>ansi-regex","@pact-foundation/pact-node>bunyan>dtrace-provider>node-gyp>npmlog>gauge>string-width>strip-ansi>ansi-regex","@pact-foundation/pact-node>bunyan>dtrace-provider>nan>node-gyp>npmlog>gauge>string-width>strip-ansi>ansi-regex","@pact-foundation/pact>@pact-foundation/pact-node>bunyan>dtrace-provider>nan>node-gyp>npmlog>gauge>string-width>strip-ansi>ansi-regex","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>@jest/core>jest-haste-map>fsevents>node-gyp>npmlog>gauge>string-width>strip-ansi>ansi-regex","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>@jest/core>@jest/transform>jest-haste-map>fsevents>node-gyp>npmlog>gauge>string-width>strip-ansi>ansi-regex","@hmcts/rpx-xui-node-lib>jest-mock-axios>@jest/globals>@jest/expect>jest-snapshot>@jest/transform>jest-haste-map>fsevents>node-gyp>npmlog>gauge>string-width>strip-ansi>ansi-regex","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>@jest/core>jest-resolve-dependencies>jest-snaps
hot>@jest/transform>jest-haste-map>fsevents>node-gyp>npmlog>gauge>string-width>strip-ansi>ansi-regex","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>jest-cli>@jest/core>jest-resolve-dependencies>jest-snapshot>@jest/transform>jest-haste-map>fsevents>node-gyp>npmlog>gauge>string-width>strip-ansi>ansi-regex","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>@jest/core>jest-runtime>@jest/globals>@jest/expect>jest-snapshot>@jest/transform>jest-haste-map>fsevents>node-gyp>npmlog>gauge>string-width>strip-ansi>ansi-regex","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>@jest/core>jest-runner>jest-runtime>@jest/globals>@jest/expect>jest-snapshot>@jest/transform>jest-haste-map>fsevents>node-gyp>npmlog>gauge>string-width>strip-ansi>ansi-regex","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>jest-cli>@jest/core>jest-runner>jest-runtime>@jest/globals>@jest/expect>jest-snapshot>@jest/transform>jest-haste-map>fsevents>node-gyp>npmlog>gauge>string-width>strip-ansi>ansi-regex","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>jest-cli>@jest/core>jest-config>jest-runner>jest-runtime>@jest/globals>@jest/expect>jest-snapshot>@jest/transform>jest-haste-map>fsevents>node-gyp>npmlog>gauge>string-width>strip-ansi>ansi-regex","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>jest-cli>@jest/core>jest-config>jest-runner>jest-runtime>@jest/globals>@jest/expect>jest-snapshot>@jest/transform>jest-haste-map>fsevents>node-gyp>npmlog>gauge>wide-align>string-width>strip-ansi>ansi-regex"]}],"metadata":null,"vulnerable_versions":">=4.0.0 <4.1.1","module_name":"ansi-regex","severity":"high","github_advisory_id":"GHSA-93q8-gq69-wqmw","cves":["CVE-2021-3807"],"access":"public","patched_versions":">=4.1.1","cvss":{"score":7.5,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},"updated":"2023-09-21T22:14:52.000Z","recommendation":"Upgrade to version 4.1.1 or later","cwe":["CWE-697","CWE-1333"],"found_by":null,"deleted":null,"id":1094091,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2021-3807\n- 
https://github.com/chalk/ansi-regex/commit/8d1d7cdb586269882c4bdc1b7325d0c58c8f76f9\n- https://huntr.dev/bounties/5b3cf33b-ede0-4398-9974-800876dfd994\n- https://github.com/chalk/ansi-regex/issues/38#issuecomment-924086311\n- https://app.snyk.io/vuln/SNYK-JS-ANSIREGEX-1583908\n- https://github.com/chalk/ansi-regex/issues/38#issuecomment-925924774\n- https://github.com/chalk/ansi-regex/releases/tag/v6.0.1\n- https://www.oracle.com/security-alerts/cpuapr2022.html\n- https://security.netapp.com/advisory/ntap-20221014-0002/\n- https://github.com/chalk/ansi-regex/commit/419250fa510bf31b4cc672e76537a64f9332e1f1\n- https://github.com/chalk/ansi-regex/commit/75a657da7af875b2e2724fd6331bf0a4b23d3c9a\n- https://github.com/chalk/ansi-regex/commit/c3c0b3f2736b9c01feec0fef33980c43720dcde8\n- https://github.com/advisories/GHSA-93q8-gq69-wqmw","created":"2021-09-20T20:20:09.000Z","reported_by":null,"title":"Inefficient Regular Expression Complexity in chalk/ansi-regex","npm_advisory_id":null,"overview":"ansi-regex is vulnerable to Inefficient Regular Expression Complexity which could lead to a denial of service when parsing invalid ANSI escape codes.\n\n**Proof of Concept**\n```js\nimport ansiRegex from 'ansi-regex';\nfor(var i = 1; i <= 50000; i++) {\n var time = Date.now();\n var attack_str = \"\\u001B[\"+\";\".repeat(i*10000);\n ansiRegex().test(attack_str)\n var time_cost = Date.now() - time;\n console.log(\"attack_str.length: \" + attack_str.length + \": \" + time_cost+\" ms\")\n}\n```\nThe ReDOS is mainly due to the sub-patterns `[[\\\\]()#;?]*` and 
`(?:;[-a-zA-Z\\\\d\\\\/#&.:=?%@~_]*)*`","url":"https://github.com/advisories/GHSA-93q8-gq69-wqmw"},"1094219":{"findings":[{"version":"4.2.0","paths":["express-session>debug","@hmcts/nodejs-healthcheck>superagent>debug","@hmcts/rpx-xui-node-lib>express>body-parser>debug","@hmcts/rpx-xui-node-lib>express>serve-static>send>debug","@hmcts/rpx-xui-node-lib>ts-auto-mock>micromatch>braces>snapdragon>debug","@hmcts/rpx-xui-node-lib>jest-ts-auto-mock>ts-auto-mock>micromatch>braces>snapdragon>debug","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>@jest/core>micromatch>braces>snapdragon>debug","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>@jest/core>jest-message-util>micromatch>braces>snapdragon>debug","@hmcts/rpx-xui-node-lib>jest-mock-axios>@jest/globals>@jest/environment>@jest/fake-timers>jest-message-util>micromatch>braces>snapdragon>debug","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>@jest/core>jest-runtime>@jest/fake-timers>jest-message-util>micromatch>braces>snapdragon>debug","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>@jest/core>jest-runner>@jest/environment>@jest/fake-timers>jest-message-util>micromatch>braces>snapdragon>debug","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>@jest/core>jest-runtime>@jest/globals>@jest/environment>@jest/fake-timers>jest-message-util>micromatch>braces>snapdragon>debug","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>@jest/core>jest-runner>jest-runtime>@jest/globals>@jest/environment>@jest/fake-timers>jest-message-util>micromatch>braces>snapdragon>debug","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>jest-cli>@jest/core>jest-runner>jest-runtime>@jest/globals>@jest/environment>@jest/fake-timers>jest-message-util>micromatch>braces>snapdragon>debug","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>jest-cli>@jest/core>jest-config>jest-runner>jest-runtime>@jest/globals>@jest/environment>@jest/fake-timers>jest-message-util>micromatch>braces>snapdragon>debug","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>jest-cli>@jest/core>jest-config>jest-runner>jes
t-runtime>@jest/globals>@jest/expect>jest-snapshot>expect>jest-message-util>micromatch>braces>snapdragon>debug","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>jest-cli>@jest/core>jest-config>jest-runner>jest-runtime>@jest/globals>@jest/expect>jest-snapshot>expect>jest-message-util>micromatch>extglob>expand-brackets>snapdragon>debug","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>jest-cli>@jest/core>jest-config>jest-runner>jest-runtime>@jest/globals>@jest/expect>jest-snapshot>@jest/transform>jest-haste-map>fsevents>node-gyp>make-fetch-happen>http-proxy-agent>agent-base>debug"]}],"metadata":null,"vulnerable_versions":">=4.0.0 <4.3.1","module_name":"debug","severity":"moderate","github_advisory_id":"GHSA-gxpj-cx7g-858c","cves":["CVE-2017-16137"],"access":"public","patched_versions":">=4.3.1","cvss":{"score":5.3,"vectorString":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},"updated":"2023-10-02T17:59:03.000Z","recommendation":"Upgrade to version 4.3.1 or later","cwe":["CWE-400"],"found_by":null,"deleted":null,"id":1094219,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2017-16137\n- https://github.com/visionmedia/debug/issues/501\n- https://github.com/visionmedia/debug/pull/504\n- https://lists.apache.org/thread.html/r8ba4c628fba7181af58817d452119481adce4ba92e889c643e4c7dd3@%3Ccommits.netbeans.apache.org%3E\n- https://lists.apache.org/thread.html/rb5ac16fad337d1f3bb7079549f97d8166d0ef3082629417c39f12d63@%3Cnotifications.netbeans.apache.org%3E\n- https://github.com/debug-js/debug/issues/797\n- https://github.com/debug-js/debug/commit/4e2150207c568adb9ead8f4c4528016081c88020\n- https://github.com/debug-js/debug/commit/71169065b5262f9858ac78cc0b688c84a438f290\n- https://github.com/debug-js/debug/commit/b6d12fdbc63b483e5c969da33ea6adc09946b5ac\n- https://github.com/debug-js/debug/commit/f53962e944a87e6ca9bb622a2a12dffc22a9bb5a\n- https://github.com/advisories/GHSA-gxpj-cx7g-858c","created":"2018-08-09T20:18:07.000Z","reported_by":null,"title":"Regular Expression Denial 
of Service in debug","npm_advisory_id":null,"overview":"Affected versions of `debug` are vulnerable to regular expression denial of service when untrusted user input is passed into the `o` formatter. \n\nAs it takes 50,000 characters to block the event loop for 2 seconds, this issue is a low severity issue.\n\nThis was later re-introduced in version v3.2.0, and then repatched in versions 3.2.7 and 4.3.1.\n\n## Recommendation\n\nVersion 2.x.x: Update to version 2.6.9 or later.\nVersion 3.1.x: Update to version 3.1.0 or later.\nVersion 3.2.x: Update to version 3.2.7 or later.\nVersion 4.x.x: Update to version 4.3.1 or later.","url":"https://github.com/advisories/GHSA-gxpj-cx7g-858c"},"1094446":{"findings":[{"version":"7.22.10","paths":["@hmcts/rpx-xui-node-lib>jest-mock-axios>@jest/globals>@jest/expect>jest-snapshot>@babel/core>@babel/traverse","@hmcts/rpx-xui-node-lib>jest-mock-axios>@jest/globals>@jest/expect>jest-snapshot>@babel/core>@babel/helpers>@babel/traverse","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>@jest/core>jest-resolve-dependencies>jest-snapshot>@babel/core>@babel/helpers>@babel/traverse","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>jest-cli>@jest/core>jest-resolve-dependencies>jest-snapshot>@babel/core>@babel/helpers>@babel/traverse","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>@jest/core>jest-runtime>@jest/globals>@jest/expect>jest-snapshot>@babel/core>@babel/helpers>@babel/traverse","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>@jest/core>jest-runner>jest-runtime>@jest/globals>@jest/expect>jest-snapshot>@babel/core>@babel/helpers>@babel/traverse","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>jest-cli>@jest/core>jest-runner>jest-runtime>@jest/globals>@jest/expect>jest-snapshot>@babel/core>@babel/helpers>@babel/traverse","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>jest-cli>@jest/core>jest-config>jest-runner>jest-runtime>@jest/globals>@jest/expect>jest-snapshot>@babel/core>@babel/helpers>@babel/traverse","@hmcts/rpx-xui-node-lib>jest-mock-axios>j
est>jest-cli>@jest/core>jest-config>jest-runner>jest-runtime>@jest/globals>@jest/expect>jest-snapshot>@jest/transform>@babel/core>@babel/helpers>@babel/traverse","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>jest-cli>@jest/core>jest-runner>jest-runtime>@jest/globals>@jest/expect>jest-snapshot>@jest/transform>babel-plugin-istanbul>istanbul-lib-instrument>@babel/core>@babel/helpers>@babel/traverse","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>jest-cli>@jest/core>jest-config>jest-runner>jest-runtime>@jest/globals>@jest/expect>jest-snapshot>@jest/transform>babel-plugin-istanbul>istanbul-lib-instrument>@babel/core>@babel/helpers>@babel/traverse"]}],"metadata":null,"vulnerable_versions":"<7.23.2","module_name":"@babel/traverse","severity":"critical","github_advisory_id":"GHSA-67hx-6x53-jw92","cves":["CVE-2023-45133"],"access":"public","patched_versions":">=7.23.2","cvss":{"score":9.3,"vectorString":"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H"},"updated":"2023-10-24T18:32:24.000Z","recommendation":"Upgrade to version 7.23.2 or later","cwe":["CWE-184","CWE-697"],"found_by":null,"deleted":null,"id":1094446,"references":"- https://github.com/babel/babel/security/advisories/GHSA-67hx-6x53-jw92\n- https://nvd.nist.gov/vuln/detail/CVE-2023-45133\n- https://github.com/babel/babel/pull/16033\n- https://github.com/babel/babel/commit/b13376b346946e3f62fc0848c1d2a23223314c82\n- https://github.com/babel/babel/releases/tag/v7.23.2\n- https://github.com/babel/babel/releases/tag/v8.0.0-alpha.4\n- https://www.debian.org/security/2023/dsa-5528\n- https://lists.debian.org/debian-lts-announce/2023/10/msg00026.html\n- https://babeljs.io/blog/2023/10/16/cve-2023-45133\n- https://github.com/advisories/GHSA-67hx-6x53-jw92","created":"2023-10-16T13:55:36.000Z","reported_by":null,"title":"Babel vulnerable to arbitrary code execution when compiling specifically crafted malicious code","npm_advisory_id":null,"overview":"### Impact\n\nUsing Babel to compile code that was specifically crafted by 
an attacker can lead to arbitrary code execution during compilation, when using plugins that rely on the `path.evaluate()`or `path.evaluateTruthy()` internal Babel methods.\n\nKnown affected plugins are:\n- `@babel/plugin-transform-runtime`\n- `@babel/preset-env` when using its [`useBuiltIns`](https://babeljs.io/docs/babel-preset-env#usebuiltins) option\n- Any \"polyfill provider\" plugin that depends on `@babel/helper-define-polyfill-provider`, such as `babel-plugin-polyfill-corejs3`, `babel-plugin-polyfill-corejs2`, `babel-plugin-polyfill-es-shims`, `babel-plugin-polyfill-regenerator`\n\nNo other plugins under the `@babel/` namespace are impacted, but third-party plugins might be.\n\n**Users that only compile trusted code are not impacted.**\n\n### Patches\n\nThe vulnerability has been fixed in `@babel/traverse@7.23.2`.\n\nBabel 6 does not receive security fixes anymore (see [Babel's security policy](https://github.com/babel/babel/security/policy)), hence there is no patch planned for `babel-traverse@6`.\n\n### Workarounds\n\n- Upgrade `@babel/traverse` to v7.23.2 or higher. You can do this by deleting it from your package manager's lockfile and re-installing the dependencies. 
`@babel/core` >=7.23.2 will automatically pull in a non-vulnerable version.\n- If you cannot upgrade `@babel/traverse` and are using one of the affected packages mentioned above, upgrade them to their latest version to avoid triggering the vulnerable code path in affected `@babel/traverse` versions:\n - `@babel/plugin-transform-runtime` v7.23.2\n - `@babel/preset-env` v7.23.2\n - `@babel/helper-define-polyfill-provider` v0.4.3\n - `babel-plugin-polyfill-corejs2` v0.4.6\n - `babel-plugin-polyfill-corejs3` v0.8.5\n - `babel-plugin-polyfill-es-shims` v0.10.0\n - `babel-plugin-polyfill-regenerator` v0.5.3","url":"https://github.com/advisories/GHSA-67hx-6x53-jw92"},"1094468":{"findings":[{"version":"3.3.0","paths":["crypto-js"]}],"metadata":null,"vulnerable_versions":"<4.2.0","module_name":"crypto-js","severity":"critical","github_advisory_id":"GHSA-xwcq-pm8m-c4vf","cves":["CVE-2023-46233"],"access":"public","patched_versions":">=4.2.0","cvss":{"score":9.1,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N"},"updated":"2023-10-27T21:06:36.000Z","recommendation":"Upgrade to version 4.2.0 or later","cwe":["CWE-328","CWE-916"],"found_by":null,"deleted":null,"id":1094468,"references":"- https://github.com/brix/crypto-js/security/advisories/GHSA-xwcq-pm8m-c4vf\n- https://github.com/brix/crypto-js/commit/421dd538b2d34e7c24a5b72cc64dc2b9167db40a\n- https://nvd.nist.gov/vuln/detail/CVE-2023-46233\n- https://github.com/advisories/GHSA-xwcq-pm8m-c4vf","created":"2023-10-25T21:15:52.000Z","reported_by":null,"title":"crypto-js PBKDF2 1,000 times weaker than specified in 1993 and 1.3M times weaker than current standard","npm_advisory_id":null,"overview":"### Impact\n#### Summary\nCrypto-js PBKDF2 is 1,000 times weaker than originally specified in 1993, and [at least 1,300,000 times weaker than current industry standard][OWASP PBKDF2 Cheatsheet]. 
This is because it both (1) defaults to [SHA1][SHA1 wiki], a cryptographic hash algorithm considered insecure [since at least 2005][Cryptanalysis of SHA-1] and (2) defaults to [one single iteration][one iteration src], a 'strength' or 'difficulty' value specified at 1,000 when specified in 1993. PBKDF2 relies on iteration count as a countermeasure to [preimage][preimage attack] and [collision][collision attack] attacks.\n\nPotential Impact:\n\n1. If used to protect passwords, the impact is high.\n2. If used to generate signatures, the impact is high.\n\nProbability / risk analysis / attack enumeration:\n\n1. [For at most $45,000][SHA1 is a Shambles], an attacker, given control of only the beginning of a crypto-js PBKDF2 input, can create a value which has _identical cryptographic signature_ to any chosen known value.\n4. Due to the [length extension attack] on SHA1, we can create a value that has identical signature to any _unknown_ value, provided it is prefixed by a known value. It does not matter if PBKDF2 applies '[salt][cryptographic salt]' or '[pepper][cryptographic pepper]' or any other secret unknown to the attacker. 
It will still create an identical signature.\n\n[cryptographic salt]: https://en.wikipedia.org/wiki/Salt_(cryptography) \"Salt (cryptography), Wikipedia\"\n[cryptographic pepper]: https://en.wikipedia.org/wiki/Pepper_(cryptography) \"Pepper (cryptography), Wikipedia\"\n[SHA1 wiki]: https://en.wikipedia.org/wiki/SHA-1 \"SHA-1, Wikipedia\"\n[Cryptanalysis of SHA-1]: https://www.schneier.com/blog/archives/2005/02/cryptanalysis_o.html \"Cryptanalysis of SHA-1\"\n[one iteration src]: https://github.com/brix/crypto-js/blob/1da3dabf93f0a0435c47627d6f171ad25f452012/src/pbkdf2.js#L22-L26 \"crypto-js/src/pbkdf2.js lines 22-26\"\n[collision attack]: https://en.wikipedia.org/wiki/Hash_collision \"Collision Attack, Wikipedia\"\n[preimage attack]: https://en.wikipedia.org/wiki/Preimage_attack \"Preimage Attack, Wikipedia\"\n[SHA1 is a Shambles]: https://eprint.iacr.org/2020/014.pdf \"SHA-1 is a Shambles: First Chosen-Prefix Collision on SHA-1\nand Application to the PGP Web of Trust, Gaëtan Leurent and Thomas Peyrin\"\n[Length Extension attack]: https://en.wikipedia.org/wiki/Length_extension_attack \"Length extension attack, Wikipedia\"\n\ncrypto-js has 10,642 public users [as displayed on NPM][crypto-js, NPM], today October 11th 2023. 
The number of transient dependents is likely several orders of magnitude higher.\n\nA very rough GitHub search[ shows 432 files][GitHub search: affected files] cross GitHub using PBKDF2 in crypto-js in Typescript or JavaScript, but not specifying any number of iterations.\n\n[OWASP PBKDF2 Cheatsheet]: https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html#pbkdf2 \"OWASP PBKDF2 Cheatsheet\"\n[crypto-js, NPM]: https://www.npmjs.com/package/crypto-js \"crypto-js on NPM\"\n[GitHub search: affected files]: https://github.com/search?q=%22crypto-js%22+AND+pbkdf2+AND+%28lang%3AJavaScript+OR+lang%3ATypeScript%29++NOT+%22iterations%22&type=code&p=2 \"GitHub search: crypto-js AND pbkdf2 AND (lang:JavaScript OR lang:TypeScript) NOT iterations\"\n\n#### Affected versions\nAll versions are impacted. This code has been the same since crypto-js was first created.\n\n#### Further Cryptanalysis\n\nThe issue here is especially egregious because the length extension attack makes useless any secret that might be appended to the plaintext before calculating its signature.\n\nConsider a scheme in which a secret is created for a user's username, and that secret is used to protect e.g. their passwords. Let's say that password is 'fake-password', and their username is 'example-username'.\n\nTo encrypt the user password via symmetric encryption we might do `encrypt(plaintext: 'fake-password', encryption_key: cryptojs.pbkdf2(value: 'example username' + salt_or_pepper))`. By this means, we would, in theory, create an `encryption_key` that can be determined from the public username, but which requires the secret `salt_or_pepper` to generate. This is a common scheme for protecting passwords, as exemplified in bcrypt & scrypt. 
Because the encryption key is symmetric, we can use this derived key to also decrypt the ciphertext.\n\nBecause of the length extension issue, if the attacker obtains (via attack 1), a collision with 'example username', the attacker _does not need to know_ `salt_or_pepper` to decrypt their account data, only their public username.\n\n### Description\n\nPBKDF2 is a key-derivation is a key-derivation function that is used for two main purposes: (1) to stretch or squash a variable length password's entropy into a fixed size for consumption by another cryptographic operation and (2) to reduce the chance of downstream operations recovering the password input (for example, for password storage).\n\nUnlike the modern [webcrypto](https://w3c.github.io/webcrypto/#pbkdf2-operations) standard, crypto-js does not throw an error when a number of iterations is not specified, and defaults to one single iteration. In the year 2000, when PBKDF2 was originally specified, the minimum number of iterations suggested was set at 1,000. Today, [OWASP recommends 1,300,000][OWASP PBKDF2 Cheatsheet]:\n\nhttps://github.com/brix/crypto-js/blob/4dcaa7afd08f48cd285463b8f9499cdb242605fa/src/pbkdf2.js#L22-L26\n\n### Patches\nNo available patch. The package is not maintained.\n\n### Workarounds\nConsult the [OWASP PBKDF2 Cheatsheet]. Configure to use SHA256 with at least 250,000 iterations.\n\n### Coordinated disclosure\nThis issue was simultaneously submitted to [crypto-js](https://github.com/brix/crypto-js) and [crypto-es](https://github.com/entronad/crypto-es) on the 23rd of October 2023.\n\n### Caveats\n\nThis issue was found in a security review that was _not_ scoped to crypto-js. 
This report is not an indication that crypto-js has undergone a formal security assessment by the author.\n\n","url":"https://github.com/advisories/GHSA-xwcq-pm8m-c4vf"}},"muted":[],"metadata":{"vulnerabilities":{"info":0,"low":0,"moderate":52,"high":136,"critical":17},"dependencies":838,"devDependencies":7,"optionalDependencies":0,"totalDependencies":845}}
