express-4.13.4.tgz: 5 vulnerabilities (highest severity is: 7.5) #6
Labels
Mend: dependency security vulnerability
Security vulnerability detected by Mend
Comments
mend-for-github-com
bot
added
the
Mend: dependency security vulnerability
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/mime/package.json
Found in HEAD commit: d4b1a638cfba6a686bca29d893e8936e2310ecd8
Vulnerabilities
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
Vulnerable Library - negotiator-0.5.3.tgz
HTTP content negotiation
Library home page: https://registry.npmjs.org/negotiator/-/negotiator-0.5.3.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/negotiator/package.json
Dependency Hierarchy:
Found in HEAD commit: d4b1a638cfba6a686bca29d893e8936e2310ecd8
Found in base branch: main
Vulnerability Details
negotiator is an HTTP content negotiator for Node.js and is used by many modules and frameworks including Express and Koa. The header for "Accept-Language", when parsed by negotiator 0.6.0 and earlier is vulnerable to Regular Expression Denial of Service via a specially crafted string.
Publish Date: 2018-05-31
URL: CVE-2016-10539
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: https://www.npmjs.com/advisories/106
Release Date: 2018-04-26
Fix Resolution (negotiator): 0.6.1
Direct dependency fix Resolution (express): 4.14.0
In order to enable automatic remediation, please create workflow rules
Vulnerable Library - qs-4.0.0.tgz
A querystring parser that supports nesting and arrays, with a depth limit
Library home page: https://registry.npmjs.org/qs/-/qs-4.0.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/express/node_modules/qs/package.json
Dependency Hierarchy:
Found in HEAD commit: d4b1a638cfba6a686bca29d893e8936e2310ecd8
Found in base branch: main
Vulnerability Details
qs before 6.10.3, as used in Express before 4.17.3 and other products, allows attackers to cause a Node process hang for an Express application because an __ proto__ key can be used. In many typical Express use cases, an unauthenticated remote attacker can place the attack payload in the query string of the URL that is used to visit the application, such as a[proto]=b&a[proto]&a[length]=100000000. The fix was backported to qs 6.9.7, 6.8.3, 6.7.3, 6.6.1, 6.5.3, 6.4.1, 6.3.3, and 6.2.4 (and therefore Express 4.17.3, which has "deps: qs@6.9.7" in its release description, is not vulnerable).
Publish Date: 2022-11-26
URL: CVE-2022-24999
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2022-24999
Release Date: 2022-11-26
Fix Resolution (qs): 6.2.4
Direct dependency fix Resolution (express): 4.15.0
In order to enable automatic remediation, please create workflow rules
Vulnerable Library - qs-4.0.0.tgz
A querystring parser that supports nesting and arrays, with a depth limit
Library home page: https://registry.npmjs.org/qs/-/qs-4.0.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/express/node_modules/qs/package.json
Dependency Hierarchy:
Found in HEAD commit: d4b1a638cfba6a686bca29d893e8936e2310ecd8
Found in base branch: main
Vulnerability Details
the web framework using ljharb's qs module older than v6.3.2, v6.2.3, v6.1.2, and v6.0.4 is vulnerable to a DoS. A malicious user can send a evil request to cause the web framework crash.
Publish Date: 2017-07-17
URL: CVE-2017-1000048
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000048
Release Date: 2017-07-13
Fix Resolution (qs): 6.0.4
Direct dependency fix Resolution (express): 4.14.0
In order to enable automatic remediation, please create workflow rules
Vulnerable Library - mime-1.3.4.tgz
A comprehensive library for mime-type mapping
Library home page: https://registry.npmjs.org/mime/-/mime-1.3.4.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/mime/package.json
Dependency Hierarchy:
Found in HEAD commit: d4b1a638cfba6a686bca29d893e8936e2310ecd8
Found in base branch: main
Vulnerability Details
The mime module < 1.4.1, 2.0.1, 2.0.2 is vulnerable to regular expression denial of service when a mime lookup is performed on untrusted user input.
Mend Note: Converted from WS-2017-0330, on 2022-11-08.
Publish Date: 2018-06-07
URL: CVE-2017-16138
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16138
Release Date: 2018-04-26
Fix Resolution (mime): 1.4.1
Direct dependency fix Resolution (express): 4.16.0
In order to enable automatic remediation, please create workflow rules
Vulnerable Library - fresh-0.3.0.tgz
HTTP response freshness testing
Library home page: https://registry.npmjs.org/fresh/-/fresh-0.3.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/fresh/package.json
Dependency Hierarchy:
Found in HEAD commit: d4b1a638cfba6a686bca29d893e8936e2310ecd8
Found in base branch: main
Vulnerability Details
Fresh is a module used by the Express.js framework for HTTP response freshness testing. It is vulnerable to a regular expression denial of service when it is passed specially crafted input to parse. This causes the event loop to be blocked causing a denial of service condition.
Publish Date: 2018-06-07
URL: CVE-2017-16119
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: https://www.npmjs.com/advisories/526
Release Date: 2018-04-26
Fix Resolution (fresh): 0.5.2
Direct dependency fix Resolution (express): 4.15.5
In order to enable automatic remediation, please create workflow rules
In order to enable automatic remediation for this issue, please create workflow rules
The text was updated successfully, but these errors were encountered: