-
Notifications
You must be signed in to change notification settings - Fork 11
/
yarn-audit-known-issues
1 lines (1 loc) · 16.5 KB
/
yarn-audit-known-issues
1
{"actions":[],"advisories":{"1096410":{"findings":[{"version":"6.1.3","paths":["ldclient-node>hoek"]}],"found_by":null,"deleted":null,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2020-36604\n- https://github.com/hapijs/hoek/issues/352\n- https://github.com/hapijs/hoek/commit/4d0804bc6135ad72afdc5e1ec002b935b2f5216a\n- https://github.com/hapijs/hoek/commit/948baf98634a5c206875b67d11368f133034fa90\n- https://github.com/advisories/GHSA-c429-5p7v-vgjp","created":"2022-09-25T00:00:27.000Z","id":1096410,"npm_advisory_id":null,"overview":"hoek versions prior to 8.5.1, and 9.x prior to 9.0.3 are vulnerable to prototype pollution in the clone function. If an object with the __proto__ key is passed to clone() the key is converted to a prototype. This issue has been patched in version 9.0.3, and backported to 8.5.1. ","reported_by":null,"title":"hoek subject to prototype pollution via the clone function.","metadata":null,"cves":["CVE-2020-36604"],"access":"public","severity":"high","module_name":"hoek","vulnerable_versions":"<=6.1.3","github_advisory_id":"GHSA-c429-5p7v-vgjp","recommendation":"None","patched_versions":"<0.0.0","updated":"2024-02-07T18:59:37.000Z","cvss":{"score":8.1,"vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"},"cwe":["CWE-1321"],"url":"https://github.com/advisories/GHSA-c429-5p7v-vgjp"},"1096727":{"findings":[{"version":"2.87.0","paths":["request","@hmcts/draft-store-client>request","@hmcts/cmc-draft-store-middleware>@hmcts/draft-store-client>request"]}],"found_by":null,"deleted":null,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2023-28155\n- https://github.com/request/request/issues/3442\n- https://github.com/request/request/pull/3444\n- https://doyensec.com/resources/Doyensec_Advisory_RequestSSRF_Q12023.pdf\n- https://github.com/github/advisory-database/pull/2500\n- https://github.com/cypress-io/request/blob/master/lib/redirect.js#L116\n- https://github.com/request/request/blob/master/lib/redirect.js#L111\n- https://github.com/cypress-io/request/pull/28\n- https://github.com/cypress-io/request/commit/c5bcf21d40fb61feaff21a0e5a2b3934a440024f\n- https://github.com/cypress-io/request/releases/tag/v3.0.0\n- https://security.netapp.com/advisory/ntap-20230413-0007\n- https://github.com/advisories/GHSA-p8p7-x288-28g6","created":"2023-03-16T15:30:19.000Z","id":1096727,"npm_advisory_id":null,"overview":"The `request` package through 2.88.2 for Node.js and the `@cypress/request` package prior to 3.0.0 allow a bypass of SSRF mitigations via an attacker-controller server that does a cross-protocol redirect (HTTP to HTTPS, or HTTPS to HTTP).\n\nNOTE: The `request` package is no longer supported by the maintainer.","reported_by":null,"title":"Server-Side Request Forgery in Request","metadata":null,"cves":["CVE-2023-28155"],"access":"public","severity":"moderate","module_name":"request","vulnerable_versions":"<=2.88.2","github_advisory_id":"GHSA-p8p7-x288-28g6","recommendation":"None","patched_versions":"<0.0.0","updated":"2024-03-21T17:47:21.000Z","cvss":{"score":6.1,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},"cwe":["CWE-918"],"url":"https://github.com/advisories/GHSA-p8p7-x288-28g6"},"1098094":{"findings":[{"version":"2.3.2","paths":["gulp>glob-watcher>chokidar>braces","gulp>gulp-cli>matchdep>micromatch>braces","gulp>glob-watcher>chokidar>readdirp>micromatch>braces"]}],"found_by":null,"deleted":null,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2024-4068\n- https://github.com/micromatch/braces/issues/35\n- https://devhub.checkmarx.com/cve-details/CVE-2024-4068\n- https://github.com/micromatch/braces/blob/98414f9f1fabe021736e26836d8306d5de747e0d/lib/parse.js#L308\n- https://github.com/micromatch/braces/pull/37\n- https://github.com/micromatch/braces/pull/40\n- https://github.com/micromatch/braces/commit/415d660c3002d1ab7e63dbf490c9851da80596ff\n- https://github.com/advisories/GHSA-grv7-fg5c-xmjg","created":"2024-05-14T18:30:54.000Z","id":1098094,"npm_advisory_id":null,"overview":"The NPM package `braces` fails to limit the number of characters it can handle, which could lead to Memory Exhaustion. In `lib/parse.js,` if a malicious user sends \"imbalanced braces\" as input, the parsing will enter a loop, which will cause the program to start allocating heap memory without freeing it at any moment of the loop. Eventually, the JavaScript heap limit is reached, and the program will crash.\n","reported_by":null,"title":"Uncontrolled resource consumption in braces","metadata":null,"cves":["CVE-2024-4068"],"access":"public","severity":"high","module_name":"braces","vulnerable_versions":"<3.0.3","github_advisory_id":"GHSA-grv7-fg5c-xmjg","recommendation":"Upgrade to version 3.0.3 or later","patched_versions":">=3.0.3","updated":"2024-07-05T21:25:08.000Z","cvss":{"score":7.5,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},"cwe":["CWE-400","CWE-1050"],"url":"https://github.com/advisories/GHSA-grv7-fg5c-xmjg"},"1098681":{"findings":[{"version":"4.0.5","paths":["gulp>gulp-cli>matchdep>micromatch","gulp>glob-watcher>chokidar>readdirp>micromatch"]}],"found_by":null,"deleted":null,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2024-4067\n- https://github.com/micromatch/micromatch/issues/243\n- https://github.com/micromatch/micromatch/pull/247\n- https://devhub.checkmarx.com/cve-details/CVE-2024-4067\n- https://github.com/micromatch/micromatch/blob/2c56a8604b68c1099e7bc0f807ce0865a339747a/index.js#L448\n- https://github.com/micromatch/micromatch/commit/500d5d6f42f0e8dfa1cb5464c6cb420b1b6aaaa0\n- https://github.com/micromatch/micromatch/pull/266\n- https://github.com/micromatch/micromatch/commit/03aa8052171e878897eee5d7bb2ae0ae83ec2ade\n- https://advisory.checkmarx.net/advisory/CVE-2024-4067\n- https://github.com/micromatch/micromatch/releases/tag/4.0.8\n- https://github.com/advisories/GHSA-952p-6rrq-rcjv","created":"2024-05-14T18:30:54.000Z","id":1098681,"npm_advisory_id":null,"overview":"The NPM package `micromatch` prior to version 4.0.8 is vulnerable to Regular Expression Denial of Service (ReDoS). The vulnerability occurs in `micromatch.braces()` in `index.js` because the pattern `.*` will greedily match anything. By passing a malicious payload, the pattern matching will keep backtracking to the input while it doesn't find the closing bracket. As the input size increases, the consumption time will also increase until it causes the application to hang or slow down. There was a merged fix but further testing shows the issue persisted prior to https://github.com/micromatch/micromatch/pull/266. This issue should be mitigated by using a safe pattern that won't start backtracking the regular expression due to greedy matching.\n","reported_by":null,"title":"Regular Expression Denial of Service (ReDoS) in micromatch","metadata":null,"cves":["CVE-2024-4067"],"access":"public","severity":"moderate","module_name":"micromatch","vulnerable_versions":"<4.0.8","github_advisory_id":"GHSA-952p-6rrq-rcjv","recommendation":"Upgrade to version 4.0.8 or later","patched_versions":">=4.0.8","updated":"2024-08-28T13:12:27.000Z","cvss":{"score":5.3,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},"cwe":["CWE-1333"],"url":"https://github.com/advisories/GHSA-952p-6rrq-rcjv"},"1099357":{"findings":[{"version":"2.0.1","paths":["gulp>glob-watcher>chokidar>fsevents>nan>node-gyp>make-fetch-happen>socks-proxy-agent>socks>ip"]}],"found_by":null,"deleted":null,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2024-29415\n- https://github.com/indutny/node-ip/issues/150\n- https://github.com/indutny/node-ip/pull/143\n- https://github.com/indutny/node-ip/pull/144\n- https://github.com/advisories/GHSA-2p57-rm9w-gvfp","created":"2024-06-02T22:29:29.000Z","id":1099357,"npm_advisory_id":null,"overview":"The ip package through 2.0.1 for Node.js might allow SSRF because some IP addresses (such as 127.1, 01200034567, 012.1.2.3, 000:0:0000::01, and ::fFFf:127.0.0.1) are improperly categorized as globally routable via isPublic. NOTE: this issue exists because of an incomplete fix for CVE-2023-42282.","reported_by":null,"title":"ip SSRF improper categorization in isPublic","metadata":null,"cves":["CVE-2024-29415"],"access":"public","severity":"high","module_name":"ip","vulnerable_versions":"<=2.0.1","github_advisory_id":"GHSA-2p57-rm9w-gvfp","recommendation":"None","patched_versions":"<0.0.0","updated":"2024-09-03T19:59:02.000Z","cvss":{"score":8.1,"vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"},"cwe":["CWE-918"],"url":"https://github.com/advisories/GHSA-2p57-rm9w-gvfp"},"1099516":{"findings":[{"version":"3.0.0","paths":["i18next-conv>node-gettext"]}],"found_by":null,"deleted":null,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2024-21528\n- https://security.snyk.io/vuln/SNYK-JS-NODEGETTEXT-6100943\n- https://github.com/alexanderwallin/node-gettext/blob/65d9670f691c2eeca40dce129c95bcf8b613d344/lib/gettext.js#L113\n- https://github.com/advisories/GHSA-g974-hxvm-x689","created":"2024-09-10T06:30:48.000Z","id":1099516,"npm_advisory_id":null,"overview":"All versions of the package node-gettext are vulnerable to Prototype Pollution via the addTranslations() function in gettext.js due to improper user input sanitization.","reported_by":null,"title":"node-gettext vulnerable to Prototype Pollution","metadata":null,"cves":["CVE-2024-21528"],"access":"public","severity":"moderate","module_name":"node-gettext","vulnerable_versions":"<=3.0.0","github_advisory_id":"GHSA-g974-hxvm-x689","recommendation":"None","patched_versions":"<0.0.0","updated":"2024-09-10T15:52:57.000Z","cvss":{"score":5.9,"vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H"},"cwe":["CWE-1321"],"url":"https://github.com/advisories/GHSA-g974-hxvm-x689"},"1099520":{"findings":[{"version":"1.20.2","paths":["body-parser","express>body-parser","@hmcts/info-provider>express>body-parser"]}],"found_by":null,"deleted":null,"references":"- https://github.com/expressjs/body-parser/security/advisories/GHSA-qwcr-r2fm-qrc7\n- https://github.com/expressjs/body-parser/commit/b2695c4450f06ba3b0ccf48d872a229bb41c9bce\n- https://nvd.nist.gov/vuln/detail/CVE-2024-45590\n- https://github.com/advisories/GHSA-qwcr-r2fm-qrc7","created":"2024-09-10T15:52:39.000Z","id":1099520,"npm_advisory_id":null,"overview":"### Impact\n\nbody-parser <1.20.3 is vulnerable to denial of service when url encoding is enabled. A malicious actor using a specially crafted payload could flood the server with a large number of requests, resulting in denial of service.\n\n### Patches\n\nthis issue is patched in 1.20.3\n\n### References\n","reported_by":null,"title":"body-parser vulnerable to denial of service when url encoding is enabled","metadata":null,"cves":["CVE-2024-45590"],"access":"public","severity":"high","module_name":"body-parser","vulnerable_versions":"<1.20.3","github_advisory_id":"GHSA-qwcr-r2fm-qrc7","recommendation":"Upgrade to version 1.20.3 or later","patched_versions":">=1.20.3","updated":"2024-09-10T19:01:11.000Z","cvss":{"score":7.5,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},"cwe":["CWE-405"],"url":"https://github.com/advisories/GHSA-qwcr-r2fm-qrc7"},"1099525":{"findings":[{"version":"0.18.0","paths":["express>send","@hmcts/info-provider>express>send","@hmcts/info-provider>express>serve-static>send"]}],"found_by":null,"deleted":null,"references":"- https://github.com/pillarjs/send/security/advisories/GHSA-m6fv-jmcg-4jfg\n- https://nvd.nist.gov/vuln/detail/CVE-2024-43799\n- https://github.com/pillarjs/send/commit/ae4f2989491b392ae2ef3b0015a019770ae65d35\n- https://github.com/advisories/GHSA-m6fv-jmcg-4jfg","created":"2024-09-10T19:42:41.000Z","id":1099525,"npm_advisory_id":null,"overview":"### Impact\n\npassing untrusted user input - even after sanitizing it - to `SendStream.redirect()` may execute untrusted code\n\n### Patches\n\nthis issue is patched in send 0.19.0\n\n### Workarounds\n\nusers are encouraged to upgrade to the patched version of express, but otherwise can workaround this issue by making sure any untrusted inputs are safe, ideally by validating them against an explicit allowlist\n\n### Details\n\nsuccessful exploitation of this vector requires the following:\n\n1. The attacker MUST control the input to response.redirect()\n1. express MUST NOT redirect before the template appears\n1. the browser MUST NOT complete redirection before:\n1. the user MUST click on the link in the template\n","reported_by":null,"title":"send vulnerable to template injection that can lead to XSS","metadata":null,"cves":["CVE-2024-43799"],"access":"public","severity":"moderate","module_name":"send","vulnerable_versions":"<0.19.0","github_advisory_id":"GHSA-m6fv-jmcg-4jfg","recommendation":"Upgrade to version 0.19.0 or later","patched_versions":">=0.19.0","updated":"2024-09-10T19:42:42.000Z","cvss":{"score":5,"vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L"},"cwe":["CWE-79"],"url":"https://github.com/advisories/GHSA-m6fv-jmcg-4jfg"},"1099527":{"findings":[{"version":"1.15.0","paths":["express>serve-static","@hmcts/info-provider>express>serve-static"]}],"found_by":null,"deleted":null,"references":"- https://github.com/expressjs/serve-static/security/advisories/GHSA-cm22-4g7w-348p\n- https://nvd.nist.gov/vuln/detail/CVE-2024-43800\n- https://github.com/expressjs/serve-static/commit/0c11fad159898cdc69fd9ab63269b72468ecaf6b\n- https://github.com/expressjs/serve-static/commit/ce730896fddce1588111d9ef6fdf20896de5c6fa\n- https://github.com/advisories/GHSA-cm22-4g7w-348p","created":"2024-09-10T19:42:33.000Z","id":1099527,"npm_advisory_id":null,"overview":"### Impact\n\npassing untrusted user input - even after sanitizing it - to `redirect()` may execute untrusted code\n\n### Patches\n\nthis issue is patched in serve-static 1.16.0\n\n### Workarounds\n\nusers are encouraged to upgrade to the patched version of express, but otherwise can workaround this issue by making sure any untrusted inputs are safe, ideally by validating them against an explicit allowlist\n\n### Details\n\nsuccessful exploitation of this vector requires the following:\n\n1. The attacker MUST control the input to response.redirect()\n1. express MUST NOT redirect before the template appears\n1. the browser MUST NOT complete redirection before:\n1. the user MUST click on the link in the template\n","reported_by":null,"title":"serve-static vulnerable to template injection that can lead to XSS","metadata":null,"cves":["CVE-2024-43800"],"access":"public","severity":"moderate","module_name":"serve-static","vulnerable_versions":"<1.16.0","github_advisory_id":"GHSA-cm22-4g7w-348p","recommendation":"Upgrade to version 1.16.0 or later","patched_versions":">=1.16.0","updated":"2024-09-10T19:42:34.000Z","cvss":{"score":5,"vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L"},"cwe":["CWE-79"],"url":"https://github.com/advisories/GHSA-cm22-4g7w-348p"},"1099529":{"findings":[{"version":"4.19.2","paths":["express","@hmcts/info-provider>express"]}],"found_by":null,"deleted":null,"references":"- https://github.com/expressjs/express/security/advisories/GHSA-qw6h-vgh9-j6wx\n- https://nvd.nist.gov/vuln/detail/CVE-2024-43796\n- https://github.com/expressjs/express/commit/54271f69b511fea198471e6ff3400ab805d6b553\n- https://github.com/advisories/GHSA-qw6h-vgh9-j6wx","created":"2024-09-10T19:41:04.000Z","id":1099529,"npm_advisory_id":null,"overview":"### Impact\n\nIn express <4.20.0, passing untrusted user input - even after sanitizing it - to `response.redirect()` may execute untrusted code\n\n### Patches\n\nthis issue is patched in express 4.20.0\n\n### Workarounds\n\nusers are encouraged to upgrade to the patched version of express, but otherwise can workaround this issue by making sure any untrusted inputs are safe, ideally by validating them against an explicit allowlist\n\n### Details\n\nsuccessful exploitation of this vector requires the following:\n\n1. The attacker MUST control the input to response.redirect()\n1. express MUST NOT redirect before the template appears\n1. the browser MUST NOT complete redirection before:\n1. the user MUST click on the link in the template\n","reported_by":null,"title":"express vulnerable to XSS via response.redirect()","metadata":null,"cves":["CVE-2024-43796"],"access":"public","severity":"moderate","module_name":"express","vulnerable_versions":"<4.20.0","github_advisory_id":"GHSA-qw6h-vgh9-j6wx","recommendation":"Upgrade to version 4.20.0 or later","patched_versions":">=4.20.0","updated":"2024-09-10T19:41:07.000Z","cvss":{"score":5,"vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L"},"cwe":["CWE-79"],"url":"https://github.com/advisories/GHSA-qw6h-vgh9-j6wx"}},"muted":[],"metadata":{"vulnerabilities":{"info":0,"low":0,"moderate":13,"high":8,"critical":0},"dependencies":678,"devDependencies":0,"optionalDependencies":0,"totalDependencies":678}}