st-0.2.4.tgz: 5 vulnerabilities (highest severity is: 7.5)

[mend-bolt-for-github]

Vulnerable Library - st-0.2.4.tgz

A module for serving static files. Does etags, caching, etc.

Library home page: https://registry.npmjs.org/st/-/st-0.2.4.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/st/package.json

Found in HEAD commit: da47719753959d0828901e4fc615a2a867435543

Vulnerabilities

CVE	Severity	CVSS	Dependency	Type	Fixed in (st version)	Remediation Available
CVE-2016-10539	High	7.5	negotiator-0.2.8.tgz	Transitive	1.1.0	❌
CVE-2017-16138	High	7.5	mime-1.2.11.tgz	Transitive	1.2.1	❌
CVE-2014-3744	High	7.5	st-0.2.4.tgz	Direct	0.2.5	❌
WS-2019-0153	High	7.5	st-0.2.4.tgz	Direct	1.2.2	❌
CVE-2017-16224	Medium	6.1	st-0.2.4.tgz	Direct	1.2.2	❌

Details

CVE-2016-10539

Vulnerable Library - negotiator-0.2.8.tgz

HTTP content negotiation

Library home page: https://registry.npmjs.org/negotiator/-/negotiator-0.2.8.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/st/node_modules/negotiator/package.json

Dependency Hierarchy:

• st-0.2.4.tgz (Root Library)
  • ❌ negotiator-0.2.8.tgz (Vulnerable Library)

Found in HEAD commit: da47719753959d0828901e4fc615a2a867435543

Found in base branch: master

Vulnerability Details

negotiator is an HTTP content negotiator for Node.js and is used by many modules and frameworks including Express and Koa. The header for "Accept-Language", when parsed by negotiator 0.6.0 and earlier is vulnerable to Regular Expression Denial of Service via a specially crafted string.

Publish Date: 2018-05-31

URL: CVE-2016-10539

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/106

Release Date: 2018-04-26

Fix Resolution (negotiator): 0.6.1

Direct dependency fix Resolution (st): 1.1.0

Step up your Open Source Security Game with Mend here

CVE-2017-16138

Vulnerable Library - mime-1.2.11.tgz

A comprehensive library for mime-type mapping

Library home page: https://registry.npmjs.org/mime/-/mime-1.2.11.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/form-data/node_modules/mime/package.json,/node_modules/st/node_modules/mime/package.json

Dependency Hierarchy:

• st-0.2.4.tgz (Root Library)
  • ❌ mime-1.2.11.tgz (Vulnerable Library)

Found in HEAD commit: da47719753959d0828901e4fc615a2a867435543

Found in base branch: master

Vulnerability Details

The mime module < 1.4.1, 2.0.1, 2.0.2 is vulnerable to regular expression denial of service when a mime lookup is performed on untrusted user input.
Mend Note: Converted from WS-2017-0330, on 2022-11-08.

Publish Date: 2018-06-07

URL: CVE-2017-16138

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16138

Release Date: 2018-06-07

Fix Resolution (mime): 1.4.1

Direct dependency fix Resolution (st): 1.2.1

Step up your Open Source Security Game with Mend here

CVE-2014-3744

Vulnerable Library - st-0.2.4.tgz

A module for serving static files. Does etags, caching, etc.

Library home page: https://registry.npmjs.org/st/-/st-0.2.4.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/st/package.json

Dependency Hierarchy:

• ❌ st-0.2.4.tgz (Vulnerable Library)

Found in HEAD commit: da47719753959d0828901e4fc615a2a867435543

Found in base branch: master

Vulnerability Details

Directory traversal vulnerability in the st module before 0.2.5 for Node.js allows remote attackers to read arbitrary files via a %2e%2e (encoded dot dot) in an unspecified path.

Publish Date: 2017-10-23

URL: CVE-2014-3744

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: None
  • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2014-3744

Release Date: 2017-10-23

Fix Resolution: 0.2.5

Step up your Open Source Security Game with Mend here

WS-2019-0153

Vulnerable Library - st-0.2.4.tgz

A module for serving static files. Does etags, caching, etc.

Library home page: https://registry.npmjs.org/st/-/st-0.2.4.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/st/package.json

Dependency Hierarchy:

• ❌ st-0.2.4.tgz (Vulnerable Library)

Found in HEAD commit: da47719753959d0828901e4fc615a2a867435543

Found in base branch: master

Vulnerability Details

yjmyjmyjm all versions has Directory Traversal vulnerability when resolving relative file paths

Publish Date: 2017-10-13

URL: WS-2019-0153

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: None
  • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/WS-2019-0153

Release Date: 2017-10-13

Fix Resolution: 1.2.2

Step up your Open Source Security Game with Mend here

CVE-2017-16224

Vulnerable Library - st-0.2.4.tgz

A module for serving static files. Does etags, caching, etc.

Library home page: https://registry.npmjs.org/st/-/st-0.2.4.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/st/package.json

Dependency Hierarchy:

• ❌ st-0.2.4.tgz (Vulnerable Library)

Found in HEAD commit: da47719753959d0828901e4fc615a2a867435543

Found in base branch: master

Vulnerability Details

st is a module for serving static files. An attacker is able to craft a request that results in an HTTP 301 (redirect) to an entirely different domain. A request for: http://some.server.com//nodesecurity.org/%2e%2e would result in a 301 to //nodesecurity.org/%2e%2e which most browsers treat as a proper redirect as // is translated into the current schema being used. Mitigating factor: In order for this to work, st must be serving from the root of a server (/) rather than the typical sub directory (/static/) and the redirect URL will end with some form of URL encoded .. ("%2e%2e", "%2e.", ".%2e").
Mend Note: Converted from WS-2019-0154, on 2021-08-19.

Publish Date: 2018-06-07

URL: CVE-2017-16224

CVSS 3 Score Details (6.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-16224

Release Date: 2018-06-07

Fix Resolution: 1.2.2

Step up your Open Source Security Game with Mend here