diff --git a/docs/content/en/integrations/parsers/file/jfrog_xray_on_demand_binary_scan.md b/docs/content/en/integrations/parsers/file/jfrog_xray_on_demand_binary_scan.md
new file mode 100644
index 00000000000..2b877b1b04c
--- /dev/null
+++ b/docs/content/en/integrations/parsers/file/jfrog_xray_on_demand_binary_scan.md
@@ -0,0 +1,9 @@
+---
+title: "JFrog Xray On Demand Binary Scan"
+toc_hide: true
+---
+Import the JSON format for the \"JFrog Xray On Demand Binary Scan\" file. Use this importer for Xray version 3.X
+--
+ JFrog file documentation:
+
+https://jfrog.com/help/r/jfrog-cli/on-demand-binary-scan
diff --git a/dojo/fixtures/defect_dojo_sample_data.json b/dojo/fixtures/defect_dojo_sample_data.json
index 3db55c5d9d2..27e0e202136 100644
--- a/dojo/fixtures/defect_dojo_sample_data.json
+++ b/dojo/fixtures/defect_dojo_sample_data.json
@@ -8620,6 +8620,16 @@
     }
   },
   {
+    "model": "dojo.test_type",
+    "pk": 149,
+    "fields": {
+      "name": "JFrog Xray On Demand Binary Scan",
+      "static_tool": false,
+      "dynamic_tool": false,
+      "active": true
+    }
+  },
+  {
     "model": "dojo.tagulous_product_tags",
     "pk": 1,
     "fields": {
diff --git a/dojo/settings/settings.dist.py b/dojo/settings/settings.dist.py
index 5c059e370d2..8d656e96f6c 100644
--- a/dojo/settings/settings.dist.py
+++ b/dojo/settings/settings.dist.py
@@ -1226,6 +1226,7 @@ def saml2_attrib_map_format(dict):
     'GitLab Dependency Scanning Report': ['title', 'vulnerability_ids', 'file_path', 'component_name', 'component_version'],
     'SpotBugs Scan': ['cwe', 'severity', 'file_path', 'line'],
     'JFrog Xray Unified Scan': ['vulnerability_ids', 'file_path', 'component_name', 'component_version'],
+    'JFrog Xray On Demand Binary Scan': ["title", "component_name", "component_version"],
     'Scout Suite Scan': ['file_path', 'vuln_id_from_tool'], # for now we use file_path as there is no attribute for "service"
     'AWS Security Hub Scan': ['unique_id_from_tool'],
     'Meterian Scan': ['cwe', 'component_name', 'component_version', 'description', 'severity'],
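Review bot: The hash-code fields for the new scanner (`["title", "component_name", "component_version"]`) carry no vulnerability identifier, so two distinct Xray issues whose summaries share a first line and hit the same component would hash identically and be collapsed into one finding; the neighbouring `'JFrog Xray Unified Scan'` entry keys on `vulnerability_ids` precisely to avoid that. Since the new parser fills `vuln_id_from_tool` from the report's `issue_id` (the `XRAY-…` id), `'JFrog Xray On Demand Binary Scan': ['vuln_id_from_tool', 'title', 'component_name', 'component_version'],` would be a safer key — assuming the on-demand output always carries `issue_id`, which the fixtures suggest but the docs do not state. The entry also uses double quotes where every neighbouring line uses single quotes. The enclosing `HASHCODE_FIELDS_PER_SCANNER` dict starts and ends outside the hunk.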
@@ -1423,6 +1424,7 @@ def saml2_attrib_map_format(dict):
     'Checkov Scan': DEDUPE_ALGO_HASH_CODE,
     'SpotBugs Scan': DEDUPE_ALGO_HASH_CODE,
     'JFrog Xray Unified Scan': DEDUPE_ALGO_HASH_CODE,
+    'JFrog Xray On Demand Binary Scan': DEDUPE_ALGO_HASH_CODE,
     'Scout Suite Scan': DEDUPE_ALGO_HASH_CODE,
     'AWS Security Hub Scan': DEDUPE_ALGO_UNIQUE_ID_FROM_TOOL,
     'Meterian Scan': DEDUPE_ALGO_HASH_CODE,
diff --git a/dojo/tools/jfrog_xray_on_demand_binary_scan/__init__.py b/dojo/tools/jfrog_xray_on_demand_binary_scan/__init__.py
new file mode 100644
index 00000000000..e69de29bb2d
diff --git a/dojo/tools/jfrog_xray_on_demand_binary_scan/parser.py b/dojo/tools/jfrog_xray_on_demand_binary_scan/parser.py
new file mode 100644
index 00000000000..b6901c289c1
--- /dev/null
+++ b/dojo/tools/jfrog_xray_on_demand_binary_scan/parser.py
@@ -0,0 +1,190 @@
+import json
+import re
+
+from cvss import CVSS3
+
+from dojo.models import Finding
+
+
+class JFrogXrayOnDemandBinaryScanParser(object):
+    """jfrog_xray_scan JSON reports"""
+
+    def get_scan_types(self):
+        return ["JFrog Xray On Demand Binary Scan"]
+
+    def get_label_for_scan_types(self, scan_type):
+        return scan_type
+
+    def get_description_for_scan_types(self, scan_type):
+        return "Import Xray findings in JSON format."
+
+    def get_findings(self, json_output, test):
+        tree = json.load(json_output)
+        return self.get_items(tree)
+
+    def get_items(self, tree):
+        items = {}
+        for data in tree:
+            if "vulnerabilities" in data:
+                vulnerability_tree = data["vulnerabilities"]
+
+                for node in vulnerability_tree:
+                    item_set = get_item_set(node)
+
+                    for item in item_set:
+                        unique_key = item.title + item.component_name + item.component_version
+                        items[unique_key] = item
+
+        return list(items.values())
+
+
+def get_component_name_version(name):
+    match = re.match(r"([a-z]+://[a-z\d\.:]+):([a-z\d\.\-]+)", name, re.IGNORECASE)
+    if match is None:
+        return name, ""
+    return match[1], match[2]
+
+
+def get_severity(vulnerability):
+    if "severity" in vulnerability:
+        if vulnerability["severity"] == "Unknown":
+            severity = "Info"
+        else:
+            severity = vulnerability["severity"].title()
+    else:
+        severity = "Info"
+    return severity
+
+
+def get_references(vulnerability):
+    if "references" in vulnerability:
+        ref = ""
+        references = vulnerability["references"]
+        for reference in references:
+            if reference[:2] == "- ":
+                ref += reference + "\n"
+            else:
+                ref += "- " + reference + "\n"
+        return ref
+    else:
+        return None
+
+
+def get_remediation(extended_information):
+    remediation = ""
+    if "remediation" in extended_information:
+        remediation = "\n\n**Remediation**\n"
+        remediation += extended_information["remediation"] + "\n"
+    return remediation
+
+
+def get_severity_justification(vulnerability):
+    severity_desc = ""
+    remediation = ""
+    extended_information = vulnerability.get("extended_information")
+    if extended_information:
+        remediation += get_remediation(extended_information)
+        if "short_description" in extended_information:
+            severity_desc += "**Short description**\n"
+            severity_desc += extended_information["short_description"] + "\n"
+        if "full_description" in extended_information:
+            severity_desc += "**Full description**\n"
+            severity_desc += extended_information["full_description"] + "\n"
+        if "jfrog_research_severity" in extended_information:
+            severity_desc += "**JFrog research severity**\n"
+            severity_desc += extended_information["jfrog_research_severity"] + "\n"
+        if "jfrog_research_severity_reasons" in extended_information:
+            severity_desc += "**JFrog research severity reasons**\n"
+            for item in extended_information["jfrog_research_severity_reasons"]:
+                severity_desc += item["name"] + "\n" if item.get("name") else ""
+                severity_desc += item["description"] + "\n" if item.get("description") else ""
+                severity_desc += "_Is positive:_ " + str(item["is_positive"]).lower() + "\n" if item.get("is_positive") else ""
+    return severity_desc, remediation
+
+
+def process_component(component):
+    mitigation = ""
+    impact = "**Impact paths**\n\n- "
+    fixed_versions = component.get("fixed_versions")
+    if fixed_versions:
+        mitigation = "**Versions containing a fix:**\n\n- "
+        mitigation = mitigation + "\n- ".join(fixed_versions)
+    if "impact_paths" in component:
+        refs = []
+        impact_paths_l1 = component["impact_paths"]
+        for impact_paths_l2 in impact_paths_l1:
+            for item in impact_paths_l2:
+                if "component_id" in item:
+                    refs.append(item["component_id"])
+                if "full_path" in item:
+                    refs.append(item["full_path"])
+        if refs:
+            impact += "\n- ".join(sorted(set(refs))) # deduplication
+    return mitigation, impact
+
+
+def get_cve(vulnerability):
+    if "cves" in vulnerability:
+        cves = vulnerability["cves"]
+        return cves
+    return []
+
+
+def get_vuln_id_from_tool(vulnerability):
+    if "issue_id" in vulnerability:
+        return vulnerability["issue_id"]
+    return None
+
+
+def clean_title(title):
+    if title.startswith("Issue summary: "):
+        title = title[len("Issue summary: "):]
+    if '\n' in title:
+        title = title[:title.index('\n')]
+    return title
+
+
+def get_item_set(vulnerability):
+    item_set = []
+    severity_justification, remediation = get_severity_justification(vulnerability)
+    severity = get_severity(vulnerability)
+    references = get_references(vulnerability)
+    vuln_id_from_tool = get_vuln_id_from_tool(vulnerability)
+    vulnerability_ids = list()
+    cvssv3 = None
+    cvss_v3 = "No CVSS v3 score."
+    # Some entries have no CVE entries, despite they exist. Example CVE-2017-1000502.
+    cves = get_cve(vulnerability)
+    if len(cves) > 0:
+        for item in cves:
+            if item.get("cve"):
+                vulnerability_ids.append(item.get("cve"))
+        if "cvss_v3_vector" in cves[0]:
+            cvss_v3 = cves[0]["cvss_v3_vector"]
+            cvssv3 = CVSS3(cvss_v3).clean_vector()
+
+    for component_name, component in vulnerability.get("components", {}).items():
+        component_name, component_version = get_component_name_version(component_name)
+        mitigation, impact = process_component(component)
+
+        title = clean_title(vulnerability["summary"])
+        # create the finding object
+        finding = Finding(
+            title=title,
+            severity_justification=severity_justification or None,
+            severity=severity,
+            description=(vulnerability["summary"]).strip(),
+            mitigation=(mitigation + remediation) or None,
+            component_name=component_name,
+            component_version=component_version,
+            impact=impact or None,
+            references=references or None,
+            static_finding=True,
+            dynamic_finding=False,
+            cvssv3=cvssv3,
+            vuln_id_from_tool=vuln_id_from_tool,
+        )
+        if vulnerability_ids:
+            finding.unsaved_vulnerability_ids = vulnerability_ids
+        item_set.append(finding)
+    return item_set
diff --git a/unittests/scans/jfrog_xray_on_demand_binary_scan/many_vulns.json b/unittests/scans/jfrog_xray_on_demand_binary_scan/many_vulns.json
new file mode 100644
index 00000000000..be534784f7f
--- /dev/null
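Review bot: `get_component_name_version` only splits component ids whose package part matches `[a-z\d\.:]`, so any id with `-` or `_` in the name (the fixtures' own impact paths contain ids of that shape, e.g. `npm://forever-monitor:1.7.2`) falls through to `return name, ""` and the finding is stored with the full id as `component_name` and an empty `component_version`, which also weakens the version-based dedupe key. Splitting on the last colon after the scheme, `match = re.match(r"([a-z]+://.+):([^:]+)$", name, re.IGNORECASE)`, gives the same results as today for `gav://org.yaml:snakeyaml:1.16`, `alpine://3.18:libcrypto3:3.1.1-r1` and the unversioned `gav://test`, and handles those names. In `get_items`, `unique_key = item.title + item.component_name + item.component_version` silently overwrites one finding with another whenever two issues share a first summary line on the same component (the fixture's two `"Summary test"` entries differ only by component), so prefixing the key with the Xray id, `unique_key = str(item.vuln_id_from_tool) + item.title + item.component_name + item.component_version`, would keep distinct issues apart. `CVSS3(cvss_v3).clean_vector()` in `get_item_set` is unguarded, so a single malformed `cvss_v3_vector` in an uploaded report aborts the whole import; catching the library's exception there and leaving `cvssv3 = None` would be more robust for attacker-influenced input. `cvss_v3 = "No CVSS v3 score."` is never used as a value and can be dropped.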
+++ b/unittests/scans/jfrog_xray_on_demand_binary_scan/many_vulns.json 
@@ -0,0 +1,111 @@
+[
+  {
+    "scan_id": "dd8f-4927-5db6-fb188ae8d984",
+    "vulnerabilities": [
+      {
+        "cves": [
+          {
+            "cve": "CVE-2017-8923",
+            "cvss_v2_score": "5.0",
+            "cvss_v2_vector": "CVSS:2.0/AV:N/AC:L/Au:N/C:N/I:N/A:P",
+            "cvss_v3_score": "7.5",
+            "cvss_v3_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
+          }
+        ],
+        "summary": "Summary of test",
+        "severity": "High",
+        "components": {
+          "gav://org.yaml:snakeyaml:1.16": {
+            "fixed_versions": [
+              "[1.26]"
+            ],
+            "impact_paths": [
+              [
+                {
+                  "component_id": "gav://co.com.test.com"
+                },
+                {
+                  "component_id": "gav://co.com.test.com",
+                  "full_path": "lib/snakeyaml-1.16.jar"
+                }
+              ]
+            ]
+          }
+        },
+        "issue_id": "XRAY-92904",
+        "references": [
+          "https://test.com.co"
+        ]
+      },
+      {
+        "cves": [
+          {
+            "cve": "CVE-2014-0114",
+            "cvss_v2_score": "7.5",
+            "cvss_v2_vector": "CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:P/A:P"
+          }
+        ],
+        "summary": "Summary test",
+        "severity": "High",
+        "components": {
+          "gav://test": {
+            "fixed_versions": [
+              "[1.9.4]"
+            ],
+            "impact_paths": [
+              [
+                {
+                  "component_id": "gav://co.com.test.test:core:1.0.0-test"
+                },
+                {
+                  "component_id": "gav://test",
+                  "full_path": "lib/commons-beanutils-1.9.2.jar"
+                }
+              ]
+            ]
+          }
+        },
+        "issue_id": "XRAY-55616",
+        "references": [
+          "https://test.com.co"
+        ]
+      },
+      {
+        "cves": [
+          {
+            "cvss_v2_score": "7.5",
+            "cvss_v2_vector": "CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:P/A:P"
+          }
+        ],
+        "summary": "Summary test",
+        "severity": "High",
+        "components": {
+          "test_item": {
+            "fixed_versions": [
+              "[1.2.8.RELEASE]",
+              "[1.3.1.RELEASE]"
+            ],
+            "impact_paths": [
+              [
+                {
+                  "component_id": "gav://co.com.test.test:core:1.0.0-test"
+                },
+                {
+                  "component_id": "gav://test.com.co",
+                  "full_path": "lib/test/libtest"
+                }
+              ]
+            ]
+          }
+        },
+        "issue_id": "XRAY-79870",
+        "references": [
+          "https://test.com.co"
+        ]
+      }
+    ],
+    "component_id": "gav://co.com.test.test:core:1.0.0-test",
+    "package_type": "Maven",
+    "status": "completed"
+  }
+]
diff --git a/unittests/scans/jfrog_xray_on_demand_binary_scan/many_vulns_docker.json b/unittests/scans/jfrog_xray_on_demand_binary_scan/many_vulns_docker.json new file mode 100644 index 00000000000..4af60fa95db --- /dev/null +++ b/unittests/scans/jfrog_xray_on_demand_binary_scan/many_vulns_docker.json 
@@ -0,0 +1,129 @@ +[ + { + "scan_id": "2c4c3ae7-d57d-4bf0-5afa-f191b309a2e2", + "vulnerabilities": [ + { + "cves": [ + { + "cve": "CVE-2023-3446" + } + ], + "summary": "Issue summary: Checking excessively long DH keys or parameters may be very slow.\n\nImpact summary: Applications that use the functions DH_check(), DH_check_ex()\nor EVP_PKEY_param_check() to check a DH key or DH parameters may experience long\ndelays. Where the key or parameters that are being checked have been obtained\nfrom an untrusted source this may lead to a Denial of Service.\n\nThe function DH_check() performs various checks on DH parameters. One of those\nchecks confirms that the modulus ('p' parameter) is not too large. Trying to use\na very large modulus is slow and OpenSSL will not normally use a modulus which\nis over 10,000 bits in length.\n\nHowever the DH_check() function checks numerous aspects of the key or parameters\nthat have been supplied. Some of those checks use the supplied modulus value\neven if it has already been found to be too large.\n\nAn application that calls DH_check() and supplies a key or parameters obtained\nfrom an untrusted source could be vulernable to a Denial of Service attack.\n\nThe function DH_check() is itself called by a number of other OpenSSL functions.\nAn application calling any of those other functions may similarly be affected.\nThe other functions affected by this are DH_check_ex() and\nEVP_PKEY_param_check().\n\nAlso vulnerable are the OpenSSL dhparam and pkeyparam command line applications\nwhen using the '-check' option.\n\nThe OpenSSL SSL/TLS implementation is not affected by this issue.\nThe OpenSSL 3.0 and 3.1 FIPS providers are not affected by this issue.", + "severity": "Unknown", + "components": { + "alpine://3.18:libcrypto3:3.1.1-r1": { + "fixed_versions": [ + "[3.1.1-r3]" + ], + "impact_paths": [ + [ + { + "component_id": "docker://alpine:latest" + }, + { + "component_id": 
"generic://sha256:78a822fe2a2d2c84f3de4a403188c45f623017d6a4521d23047c9fbb0801794c/sha256__78a822fe2a2d2c84f3de4a403188c45f623017d6a4521d23047c9fbb0801794c.tar", + "full_path": "sha256__78a822fe2a2d2c84f3de4a403188c45f623017d6a4521d23047c9fbb0801794c.tar" + }, + { + "component_id": "alpine://3.18:libcrypto3:3.1.1-r1", + "full_path": "3.18:libcrypto3:3.1.1-r1" + } + ] + ] + }, + "alpine://3.18:libssl3:3.1.1-r1": { + "fixed_versions": [ + "[3.1.1-r3]" + ], + "impact_paths": [ + [ + { + "component_id": "docker://alpine:latest" + }, + { + "component_id": "generic://sha256:78a822fe2a2d2c84f3de4a403188c45f623017d6a4521d23047c9fbb0801794c/sha256__78a822fe2a2d2c84f3de4a403188c45f623017d6a4521d23047c9fbb0801794c.tar", + "full_path": "sha256__78a822fe2a2d2c84f3de4a403188c45f623017d6a4521d23047c9fbb0801794c.tar" + }, + { + "component_id": "alpine://3.18:libssl3:3.1.1-r1", + "full_path": "3.18:libssl3:3.1.1-r1" + } + ] + ] + } + }, + "issue_id": "XRAY-526273", + "references": [ + "http://www.openwall.com/lists/oss-security/2023/07/19/4", + "http://www.openwall.com/lists/oss-security/2023/07/19/5", + "http://www.openwall.com/lists/oss-security/2023/07/19/6", + "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=1fa20cf2f506113c761777127a38bce5068740eb", + "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=8780a896543a654e757db1b9396383f9d8095528", + "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=9a0a4d3c1e7138915563c0df4fe6a3f9377b839c", + "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=fc9867c1e03c22ebf56943be205202e576aabf23", + "https://www.openssl.org/news/secadv/20230719.txt" + ] + }, + { + "cves": [ + { + "cve": "CVE-2023-2975" + } + ], + "summary": "Issue summary: The AES-SIV cipher implementation contains a bug that causes\nit to ignore empty associated data entries which are unauthenticated as\na consequence.\n\nImpact summary: Applications that use the AES-SIV algorithm and want to\nauthenticate empty data entries as 
associated data can be mislead by removing\nadding or reordering such empty entries as these are ignored by the OpenSSL\nimplementation. We are currently unaware of any such applications.\n\nThe AES-SIV algorithm allows for authentication of multiple associated\ndata entries along with the encryption. To authenticate empty data the\napplication has to call EVP_EncryptUpdate() (or EVP_CipherUpdate()) with\nNULL pointer as the output buffer and 0 as the input buffer length.\nThe AES-SIV implementation in OpenSSL just returns success for such a call\ninstead of performing the associated data authentication operation.\nThe empty data thus will not be authenticated.\n\nAs this issue does not affect non-empty associated data authentication and\nwe expect it to be rare for an application to use empty associated data\nentries this is qualified as Low severity issue.", + "severity": "Unknown", + "components": { + "alpine://3.18:libcrypto3:3.1.1-r1": { + "fixed_versions": [ + "[3.1.1-r2]" + ], + "impact_paths": [ + [ + { + "component_id": "docker://alpine:latest" + }, + { + "component_id": "generic://sha256:78a822fe2a2d2c84f3de4a403188c45f623017d6a4521d23047c9fbb0801794c/sha256__78a822fe2a2d2c84f3de4a403188c45f623017d6a4521d23047c9fbb0801794c.tar", + "full_path": "sha256__78a822fe2a2d2c84f3de4a403188c45f623017d6a4521d23047c9fbb0801794c.tar" + }, + { + "component_id": "alpine://3.18:libcrypto3:3.1.1-r1", + "full_path": "3.18:libcrypto3:3.1.1-r1" + } + ] + ] + }, + "alpine://3.18:libssl3:3.1.1-r1": { + "fixed_versions": [ + "[3.1.1-r2]" + ], + "impact_paths": [ + [ + { + "component_id": "docker://alpine:latest" + }, + { + "component_id": "generic://sha256:78a822fe2a2d2c84f3de4a403188c45f623017d6a4521d23047c9fbb0801794c/sha256__78a822fe2a2d2c84f3de4a403188c45f623017d6a4521d23047c9fbb0801794c.tar", + "full_path": "sha256__78a822fe2a2d2c84f3de4a403188c45f623017d6a4521d23047c9fbb0801794c.tar" + }, + { + "component_id": "alpine://3.18:libssl3:3.1.1-r1", + "full_path": 
"3.18:libssl3:3.1.1-r1" + } + ] + ] + } + }, + "issue_id": "XRAY-523321", + "references": [ + "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=00e2f5eea29994d19293ec4e8c8775ba73678598", + "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=6a83f0c958811f07e0d11dfc6b5a6a98edfd5bdc", + "https://www.openssl.org/news/secadv/20230714.txt" + ] + } + ], + "component_id": "docker://alpine:latest", + "package_type": "Docker", + "status": "completed" + } +] diff --git a/unittests/scans/jfrog_xray_on_demand_binary_scan/many_vulns_pypi.json b/unittests/scans/jfrog_xray_on_demand_binary_scan/many_vulns_pypi.json new file mode 100644 index 00000000000..12a51deb52a --- /dev/null +++ b/unittests/scans/jfrog_xray_on_demand_binary_scan/many_vulns_pypi.json 
@@ -0,0 +1,9130 @@ +[ + { + "scan_id": "b89a2883-51d6-4276-6aeb-e16307acddd6", + "vulnerabilities": [ + { + "cves": [ + { + "cve": "CVE-2023-30608", + "cvss_v3_score": "7.5", + "cvss_v3_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" + } + ], + "summary": "sqlparse is a non-validating SQL parser module for Python. In affected versions the SQL parser contains a regular expression that is vulnerable to ReDoS (Regular Expression Denial of Service). This issue was introduced by commit `e75e358`. The vulnerability may lead to Denial of Service (DoS). This issues has been fixed in sqlparse 0.4.4 by commit `c457abd5f`. Users are advised to upgrade. There are no known workarounds for this issue.\n", + "severity": "High", + "components": { + "pypi://sqlparse:0.4.3": { + "fixed_versions": [ + "[0.4.4]" + ], + "impact_paths": [ + [ + { + "component_id": "pypi://" + }, + { + "component_id": "pypi://django:4.1.4" + }, + { + "component_id": "pypi://sqlparse:0.4.3" + } + ] + ] + } + }, + "issue_id": "XRAY-515353", + "references": [ + "https://github.com/andialbrecht/sqlparse/commit/c457abd5f097dd13fb21543381e7cfafe7d31cfb", + "https://github.com/andialbrecht/sqlparse/commit/e75e35869473832a1eb67772b1adfee2db11b85a", + "https://github.com/andialbrecht/sqlparse/security/advisories/GHSA-rrm6-wvj7-cwh2", + "https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS" + ] + }, + { + "cves": [ + { + "cve": "CVE-2023-24580", + "cvss_v3_score": "7.5", + "cvss_v3_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" + } + ], + "summary": "An issue was discovered in the Multipart Request Parser in Django 3.2 before 3.2.18, 4.0 before 4.0.10, and 4.1 before 4.1.7. 
Passing certain inputs (e.g., an excessive number of parts) to multipart forms could result in too many open files or memory exhaustion, and provided a potential vector for a denial-of-service attack.", + "severity": "High", + "components": { + "pypi://django:4.1.4": { + "fixed_versions": [ + "[3.2.19]", + "[4.1.9]", + "[4.2.1]" + ], + "impact_paths": [ + [ + { + "component_id": "pypi://" + }, + { + "component_id": "pypi://django:4.1.4" + } + ] + ] + } + }, + "issue_id": "XRAY-418183", + "references": [ + "http://www.openwall.com/lists/oss-security/2023/02/14/1", + "https://docs.djangoproject.com/en/4.1/releases/security/", + "https://groups.google.com/forum/#!forum/django-announce", + "https://www.djangoproject.com/weblog/2023/feb/14/security-releases/", + "https://lists.debian.org/debian-lts-announce/2023/02/msg00023.html" + ], + "extended_information": { + "short_description": "A design problem in Django may lead to denial of service when processing multipart forms.", + "full_description": "[Django](https://www.djangoproject.com/) is a popular Python web framework that provides functions, components, and tools for fast web development.\r\n\r\nA vulnerability has been discovered in the Multipart Request Parser in Django. By passing certain inputs (such as an excessive number of parts) to multipart forms, an attacker can trigger too many open files or memory exhaustion, which may lead to a denial-of-service attack. \r\n\r\nThe issue is only exploitable when the `MultiPartParser` class is used by the Django app/", + "jfrog_research_severity": "High", + "jfrog_research_severity_reasons": [ + { + "name": "Exploitation of the issue is only possible when the vulnerable component is used in a specific manner. 
The attacker has to perform per-target research to determine the vulnerable attack vector", + "description": "An attacker must find a multipart form that receives files in order to trigger this issue, although this does not require intimate per-target research and can be automated.", + "is_positive": true + }, + { + "name": "The issue is trivial to exploit and does not require a published writeup or PoC", + "description": "Exploitation only requires sending a large amount of files to a multipart form" + }, + { + "name": "The issue results in a severe impact (such as remote code execution)", + "description": "The impact of the vulnerability is a remote denial of service that requires no user interaction or per-target specific research" + }, + { + "name": "The issue can be exploited by attackers over the network", + "description": "The vulnerability is exploitable via remote multipart form requests that contain a maliciously excessive amount of files." + } + ], + "remediation": "##### Development mitigations\n\nUse AJAX to submit the form data asynchronously and use the FormData API to create a multipart/form-data request. This method allows to handle file uploads without using `MultiPartParser` explicitly. 
The FormData API also provides a convenient way to append form data to the request, including file uploads.\r\n```\r\n// HTML form\r\n\u003cform id=\"myForm\"\u003e\r\n \u003cinput type=\"text\" name=\"title\"\u003e\r\n \u003cinput type=\"file\" name=\"file\"\u003e\r\n \u003cbutton type=\"submit\"\u003eSubmit\u003c/button\u003e\r\n\u003c/form\u003e\r\n\r\n// JavaScript\r\n\u003cscript\u003e\r\n const form = document.getElementById('myForm');\r\n form.addEventListener('submit', async (event) =\u003e {\r\n event.preventDefault();\r\n\r\n const formData = new FormData(form);\r\n\r\n try {\r\n const response = await fetch('/upload/', {\r\n method: 'POST',\r\n body: formData\r\n });\r\n const result = await response.json();\r\n console.log(result);\r\n } catch (error) {\r\n console.error(error);\r\n }\r\n });\r\n\u003c/script\u003e\r\n\r\n// Django view\r\nfrom django.http import JsonResponse\r\n\r\ndef upload_view(request):\r\n if request.method == 'POST':\r\n title = request.POST.get('title')\r\n file = request.FILES.get('file')\r\n # process the title and file data\r\n return JsonResponse({'success': True})\r\n else:\r\n # return a response for other HTTP methods\r\n```" + } + }, + { + "cves": [ + { + "cve": "CVE-2023-23969", + "cvss_v3_score": "7.5", + "cvss_v3_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" + } + ], + "summary": "In Django 3.2 before 3.2.17, 4.0 before 4.0.9, and 4.1 before 4.1.6, the parsed values of Accept-Language headers are cached in order to avoid repetitive parsing. 
This leads to a potential denial-of-service vector via excessive memory usage if the raw value of Accept-Language headers is very large.", + "severity": "High", + "components": { + "pypi://django:4.1.4": { + "fixed_versions": [ + "[3.2.19]", + "[4.1.9]", + "[4.2.1]" + ], + "impact_paths": [ + [ + { + "component_id": "pypi://" + }, + { + "component_id": "pypi://django:4.1.4" + } + ] + ] + } + }, + "issue_id": "XRAY-416423", + "references": [ + "https://www.djangoproject.com/weblog/2023/feb/01/security-releases/", + "https://docs.djangoproject.com/en/4.1/releases/security/", + "https://groups.google.com/forum/#!forum/django-announce", + "https://lists.debian.org/debian-lts-announce/2023/02/msg00000.html" + ], + "extended_information": { + "short_description": "An inefficient regular expression in Django may allow remote attackers to cause denial of service when using the LocaleMiddleware middleware.", + "full_description": "[Django](https://www.djangoproject.com/) is a popular Python web framework that provides functions, components, and tools for fast web development. \r\n\r\nIn Django, it is possible to localize and translate web pages via the `LocaleMiddleware` middleware. When using said middleware, the content of the `Accept-Language` header is parsed via a regex. In order to improve performance, a caching mechanism was implemented which would cache the 1000 most recent parse results of `Accept-Language` headers.\r\n\r\nIn the vulnerable versions of Django, it was discovered that while the regex used for parsing the `Accept-Language` header is not prone to ReDoS on its own (as the regex is mostly straight forward, with little to no nesting), when combined with the caching mechanism, very long input for regex, Django is prone to excessive memory usage. This excessive memory usage results in memory exhaustion which could lead to denial of service.\r\n\r\nThe vulnerability is not exploitable under Django's default configuration since -\r\n\r\n1. 
The `LocaleMiddleware` is not used by default\r\n\r\n2. The vulnerability is only exploitable if the Django server is deployed via an Apache HTTP Server configured with `LimitRequestFieldSize` set to 64KB. By default, Apache's request field size limit is 8KB. The vulnerability is not exploitable when deploying Django using Nginx with either Gunicorn or uWSGI in any configuration.", + "jfrog_research_severity": "Medium", + "jfrog_research_severity_reasons": [ + { + "name": "The issue results in a severe impact (such as remote code execution)", + "description": "The impact of the vulnerability is a remote denial of service that requires no user interaction or per-target specific research" + }, + { + "name": "The issue can be exploited by attackers over the network", + "description": "The vulnerability is exploitable via remote requests that contain a maliciously crafted `Accept-Language` header." + }, + { + "name": "The issue has an exploit published", + "description": "Test code contains a PoC for invalid `Accept-Language` header." + }, + { + "name": "The prerequisites for exploiting the issue are extremely unlikely", + "description": "It is very unlikely for attackers to be able to access Django servers that are not deployed using Apache or Nginx. And when Django is deployed using Apache, it is unlikely for the request field size limit to be higher than the default amount.", + "is_positive": true + } + ] + } + }, + { + "cves": [ + { + "cve": "CVE-2023-31047", + "cvss_v3_score": "9.8", + "cvss_v3_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" + } + ], + "summary": "In Django 3.2 before 3.2.19, 4.x before 4.1.9, and 4.2 before 4.2.1, it was possible to bypass validation when using one form field to upload multiple files. This multiple upload has never been supported by forms.FileField or forms.ImageField (only the last uploaded file was validated). 
However, Django's \"Uploading multiple files\" documentation suggested otherwise.", + "severity": "Critical", + "components": { + "pypi://django:4.1.4": { + "fixed_versions": [ + "[3.2.19]", + "[4.1.9]", + "[4.2.1]" + ], + "impact_paths": [ + [ + { + "component_id": "pypi://" + }, + { + "component_id": "pypi://django:4.1.4" + } + ] + ] + } + }, + "issue_id": "XRAY-519232", + "references": [ + "https://www.djangoproject.com/weblog/2023/may/03/security-releases/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/A45VKTUVQ2BN6D5ZLZGCM774R6QGFOHW/", + "https://docs.djangoproject.com/en/4.2/releases/security/", + "https://groups.google.com/forum/#!forum/django-announce" + ] + } + ], + "component_id": "root", + "package_type": "Generic", + "status": "completed" + }, + { + "scan_id": "5971d1ef-b6ba-4d7d-6ba0-65d595208ee3", + "vulnerabilities": [ + { + "cves": [ + { + "cve": "CVE-2022-21803", + "cvss_v2_score": "5.0", + "cvss_v2_vector": "CVSS:2.0/AV:N/AC:L/Au:N/C:N/I:P/A:N", + "cvss_v3_score": "7.5", + "cvss_v3_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" + } + ], + "summary": "This affects the package nconf before 0.11.4. When using the memory engine, it is possible to store a nested JSON representation of the configuration. The .set() function, that is responsible for setting the configuration properties, is vulnerable to Prototype Pollution. 
By providing a crafted property, it is possible to modify the properties on the Object.prototype.", + "severity": "High", + "components": { + "npm://nconf:0.6.9": { + "fixed_versions": [ + "[0.11.4]" + ], + "impact_paths": [ + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://forever:0.15.3" + }, + { + "component_id": "npm://nconf:0.6.9" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://forever:0.15.3" + }, + { + "component_id": "npm://forever-monitor:1.7.2" + }, + { + "component_id": "npm://broadway:0.3.6" + }, + { + "component_id": "npm://nconf:0.6.9" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://forever:0.15.3" + }, + { + "component_id": "npm://flatiron:0.4.3" + }, + { + "component_id": "npm://broadway:0.3.6" + }, + { + "component_id": "npm://nconf:0.6.9" + } + ] + ] + } + }, + "issue_id": "XRAY-208869", + "references": [ + "https://github.com/indexzero/nconf/pull/397", + "https://github.com/indexzero/nconf/releases/tag/v0.11.4", + "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-2632450", + "https://snyk.io/vuln/SNYK-JS-NCONF-2395478" + ] + }, + { + "cves": [ + { + "cve": "CVE-2019-16776", + "cvss_v2_score": "5.5", + "cvss_v2_vector": "CVSS:2.0/AV:N/AC:L/Au:S/C:P/I:P/A:N", + "cvss_v3_score": "8.1", + "cvss_v3_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N" + } + ], + "summary": "Versions of the npm CLI prior to 6.13.3 are vulnerable to an Arbitrary File Write. It fails to prevent access to folders outside of the intended node_modules folder through the bin field. A properly constructed entry in the package.json bin field would allow a package publisher to modify and/or gain access to arbitrary files on a user's system when the package is installed. This behavior is still possible through install scripts. 
This vulnerability bypasses a user using the --ignore-scripts install option.", + "severity": "High", + "components": { + "npm://npm:3.10.10": { + "fixed_versions": [ + "[6.14.6]" + ], + "impact_paths": [ + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-npm-install:0.3.1" + }, + { + "component_id": "npm://npm:3.10.10" + } + ] + ] + } + }, + "issue_id": "XRAY-92764", + "references": [ + "https://github.com/npm/cli/security/advisories/GHSA-x8qc-rrcw-4r46", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Z36UKPO5F3PQ3Q2POMF5LEKXWAH5RUFP/", + "https://blog.npmjs.org/post/189618601100/binary-planting-with-the-npm-cli", + "https://www.oracle.com/security-alerts/cpujan2020.html", + "https://access.redhat.com/errata/RHEA-2020:0330", + "https://access.redhat.com/errata/RHSA-2020:0573", + "https://access.redhat.com/errata/RHSA-2020:0579", + "https://access.redhat.com/errata/RHSA-2020:0597", + "https://access.redhat.com/errata/RHSA-2020:0602", + "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00027.html" + ] + }, + { + "cves": [ + { + "cve": "CVE-2019-16777", + "cvss_v2_score": "5.5", + "cvss_v2_vector": "CVSS:2.0/AV:N/AC:L/Au:S/C:N/I:P/A:P", + "cvss_v3_score": "6.5", + "cvss_v3_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N" + } + ], + "summary": "Versions of the npm CLI prior to 6.13.4 are vulnerable to an Arbitrary File Overwrite. It fails to prevent existing globally-installed binaries to be overwritten by other package installations. For example, if a package was installed globally and created a serve binary, any subsequent installs of packages that also create a serve binary would overwrite the previous serve binary. This behavior is still allowed in local installations and also through install scripts. 
This vulnerability bypasses a user using the --ignore-scripts install option.", + "severity": "Medium", + "components": { + "npm://npm:3.10.10": { + "fixed_versions": [ + "[6.14.6]" + ], + "impact_paths": [ + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-npm-install:0.3.1" + }, + { + "component_id": "npm://npm:3.10.10" + } + ] + ] + } + }, + "issue_id": "XRAY-92763", + "references": [ + "https://github.com/npm/cli/security/advisories/GHSA-4328-8hgf-7wjr", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Z36UKPO5F3PQ3Q2POMF5LEKXWAH5RUFP/", + "https://security.gentoo.org/glsa/202003-48", + "https://blog.npmjs.org/post/189618601100/binary-planting-with-the-npm-cli", + "https://www.oracle.com/security-alerts/cpujan2020.html", + "https://access.redhat.com/errata/RHEA-2020:0330", + "https://access.redhat.com/errata/RHSA-2020:0573", + "https://access.redhat.com/errata/RHSA-2020:0579", + "https://access.redhat.com/errata/RHSA-2020:0597", + "https://access.redhat.com/errata/RHSA-2020:0602", + "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00027.html" + ] + }, + { + "cves": [ + { + "cve": "CVE-2018-7408", + "cvss_v2_score": "4.6", + "cvss_v2_vector": "CVSS:2.0/AV:L/AC:L/Au:N/C:P/I:P/A:P", + "cvss_v3_score": "7.8", + "cvss_v3_vector": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" + } + ], + "summary": "An issue was discovered in an npm 5.7.0 2018-02-21 pre-release (marked as \"next: 5.7.0\" and therefore automatically installed by an \"npm upgrade -g npm\" command, and also announced in the vendor's blog without mention of pre-release status). 
It might allow local users to bypass intended filesystem access restrictions because ownerships of /etc and /usr directories are being changed unexpectedly, related to a \"correctMkdir\" issue.", + "severity": "High", + "components": { + "npm://npm:3.10.10": { + "fixed_versions": [ + "[6.14.6]" + ], + "impact_paths": [ + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-npm-install:0.3.1" + }, + { + "component_id": "npm://npm:3.10.10" + } + ] + ] + } + }, + "issue_id": "XRAY-73410", + "references": [ + "http://blog.npmjs.org/post/171169301000/v571", + "https://github.com/npm/npm/commit/74e149da6efe6ed89477faa81fef08eee7999ad0", + "https://github.com/npm/npm/issues/19883" + ] + }, + { + "cves": [ + { + "cve": "CVE-2019-16775", + "cvss_v2_score": "4.0", + "cvss_v2_vector": "CVSS:2.0/AV:N/AC:L/Au:S/C:N/I:P/A:N", + "cvss_v3_score": "6.5", + "cvss_v3_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N" + } + ], + "summary": "Versions of the npm CLI prior to 6.13.3 are vulnerable to an Arbitrary File Write. It is possible for packages to create symlinks to files outside of thenode_modules folder through the bin field upon installation. A properly constructed entry in the package.json bin field would allow a package publisher to create a symlink pointing to arbitrary files on a user's system when the package is installed. This behavior is still possible through install scripts. 
This vulnerability bypasses a user using the --ignore-scripts install option.", + "severity": "Medium", + "components": { + "npm://npm:3.10.10": { + "fixed_versions": [ + "[6.14.6]" + ], + "impact_paths": [ + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-npm-install:0.3.1" + }, + { + "component_id": "npm://npm:3.10.10" + } + ] + ] + } + }, + "issue_id": "XRAY-92765", + "references": [ + "https://github.com/npm/cli/security/advisories/GHSA-m6cx-g6qm-p2cx", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Z36UKPO5F3PQ3Q2POMF5LEKXWAH5RUFP/", + "https://blog.npmjs.org/post/189618601100/binary-planting-with-the-npm-cli", + "https://www.oracle.com/security-alerts/cpujan2020.html", + "https://www.oracle.com/security-alerts/cpuoct2021.html", + "https://access.redhat.com/errata/RHEA-2020:0330", + "https://access.redhat.com/errata/RHSA-2020:0573", + "https://access.redhat.com/errata/RHSA-2020:0579", + "https://access.redhat.com/errata/RHSA-2020:0597", + "https://access.redhat.com/errata/RHSA-2020:0602", + "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00027.html" + ] + }, + { + "cves": [ + { + "cve": "CVE-2020-15095", + "cvss_v2_score": "1.9", + "cvss_v2_vector": "CVSS:2.0/AV:L/AC:M/Au:N/C:P/I:N/A:N", + "cvss_v3_score": "4.4", + "cvss_v3_vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:N" + } + ], + "summary": "Versions of the npm CLI prior to 6.14.6 are vulnerable to an information exposure vulnerability through log files. The CLI supports URLs like \"\u003cprotocol\u003e://[\u003cuser\u003e[:\u003cpassword\u003e]@]\u003chostname\u003e[:\u003cport\u003e][:][/]\u003cpath\u003e\". 
The password value is not redacted and is printed to stdout and also to any generated log files.", + "severity": "Medium", + "components": { + "npm://npm:3.10.10": { + "fixed_versions": [ + "[6.14.6]" + ], + "impact_paths": [ + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-npm-install:0.3.1" + }, + { + "component_id": "npm://npm:3.10.10" + } + ] + ] + } + }, + "issue_id": "XRAY-105289", + "references": [ + "https://github.com/npm/cli/security/advisories/GHSA-93f3-23rq-pjfp", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4OOYAMJVLLCLXDTHW3V5UXNULZBBK4O6/", + "https://security.gentoo.org/glsa/202101-07", + "https://github.com/npm/cli/blob/66aab417f836a901f8afb265251f761bb0422463/CHANGELOG.md#6146-2020-07-07", + "https://github.com/npm/cli/commit/a9857b8f6869451ff058789c4631fadfde5bbcbc", + "http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00011.html", + "http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00015.html", + "http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00023.html" + ] + }, + { + "cves": [ + { + "cvss_v2_score": "2.6", + "cvss_v2_vector": "CVSS:2.0/AV:N/AC:H/Au:N/C:P/I:N/A:N", + "cvss_v3_score": "5.9", + "cvss_v3_vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N" + } + ], + "summary": "JavaScript Big Number (jsbn) index.js Multiple Functions Timing Side-channel Information Disclosure", + "severity": "Medium", + "components": { + "npm://jsbn:0.1.1": { + "impact_paths": [ + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-retire:0.3.12" + }, + { + "component_id": "npm://retire:1.1.6" + }, + { + "component_id": "npm://request:2.67.0" + }, + { + "component_id": "npm://http-signature:1.1.1" + }, + { + "component_id": "npm://jsprim:1.4.2" + }, + { + "component_id": "npm://extsprintf:1.3.0" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": 
"npm://grunt-retire:0.3.12" + }, + { + "component_id": "npm://retire:1.1.6" + }, + { + "component_id": "npm://request:2.67.0" + }, + { + "component_id": "npm://http-signature:1.1.1" + }, + { + "component_id": "npm://jsprim:1.4.2" + }, + { + "component_id": "npm://extsprintf:1.3.0" + }, + { + "component_id": "npm://extsprintf:1.3.0" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-retire:0.3.12" + }, + { + "component_id": "npm://request:2.67.0" + }, + { + "component_id": "npm://http-signature:1.1.1" + }, + { + "component_id": "npm://sshpk:1.17.0" + }, + { + "component_id": "npm://ecc-jsbn:0.1.2" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-retire:0.3.12" + }, + { + "component_id": "npm://request:2.67.0" + }, + { + "component_id": "npm://http-signature:1.1.1" + }, + { + "component_id": "npm://sshpk:1.17.0" + }, + { + "component_id": "npm://ecc-jsbn:0.1.2" + }, + { + "component_id": "npm://jsbn:0.1.1" + } + ] + ] + } + }, + "issue_id": "XRAY-228919", + "references": [ + "https://github.com/andyperlitch/jsbn/issues/43", + "https://twitter.com/SoatokDhole/status/1536765180645974016", + "https://soatok.blog/2022/06/14/when-soatok-used-bugcrowd/" + ] + }, + { + "cves": [ + { + "cve": "CVE-2020-28469" + } + ], + "summary": "Regular expression denial of service", + "severity": "Medium", + "components": { + "npm://glob-parent:2.0.0": { + "fixed_versions": [ + "[5.1.2]" + ], + "impact_paths": [ + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://forever:0.15.3" + }, + { + "component_id": "npm://forever-monitor:1.7.2" + }, + { + "component_id": "npm://chokidar:1.7.0" + }, + { + "component_id": "npm://glob-parent:2.0.0" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://forever:0.15.3" + }, + { + "component_id": "npm://forever-monitor:1.7.2" + }, + { + "component_id": "npm://chokidar:1.7.0" + }, + { + 
"component_id": "npm://anymatch:1.3.2" + }, + { + "component_id": "npm://micromatch:2.3.11" + }, + { + "component_id": "npm://parse-glob:3.0.4" + }, + { + "component_id": "npm://glob-base:0.3.0" + }, + { + "component_id": "npm://glob-parent:2.0.0" + } + ] + ] + }, + "npm://glob-parent:3.1.0": { + "fixed_versions": [ + "[5.1.2]" + ], + "impact_paths": [ + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-nodemon:0.4.2" + }, + { + "component_id": "npm://nodemon:1.19.4" + }, + { + "component_id": "npm://chokidar:2.1.8" + }, + { + "component_id": "npm://glob-parent:3.1.0" + } + ] + ] + } + }, + "issue_id": "XRAY-N14", + "references": [ + "https://npmjs.com/advisories/1751", + "- [CVE](https://nvd.nist.gov/vuln/detail/CVE-2020-28469)\n- [GitHub Advisory](https://github.com/advisories/GHSA-ww39-953v-wcq6)\n" + ] + }, + { + "cves": [ + { + "cve": "CVE-2020-28469", + "cvss_v2_score": "5.0", + "cvss_v2_vector": "CVSS:2.0/AV:N/AC:L/Au:N/C:N/I:N/A:P", + "cvss_v3_score": "7.5", + "cvss_v3_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" + } + ], + "summary": "This affects the package glob-parent before 5.1.2. 
The enclosure regex used to check for strings ending in enclosure containing path separator.", + "severity": "High", + "components": { + "npm://glob-parent:2.0.0": { + "fixed_versions": [ + "[5.1.2]" + ], + "impact_paths": [ + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://forever:0.15.3" + }, + { + "component_id": "npm://forever-monitor:1.7.2" + }, + { + "component_id": "npm://chokidar:1.7.0" + }, + { + "component_id": "npm://glob-parent:2.0.0" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://forever:0.15.3" + }, + { + "component_id": "npm://forever-monitor:1.7.2" + }, + { + "component_id": "npm://chokidar:1.7.0" + }, + { + "component_id": "npm://anymatch:1.3.2" + }, + { + "component_id": "npm://micromatch:2.3.11" + }, + { + "component_id": "npm://parse-glob:3.0.4" + }, + { + "component_id": "npm://glob-base:0.3.0" + }, + { + "component_id": "npm://glob-parent:2.0.0" + } + ] + ] + }, + "npm://glob-parent:3.1.0": { + "fixed_versions": [ + "[5.1.2]" + ], + "impact_paths": [ + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-nodemon:0.4.2" + }, + { + "component_id": "npm://nodemon:1.19.4" + }, + { + "component_id": "npm://chokidar:2.1.8" + }, + { + "component_id": "npm://glob-parent:3.1.0" + } + ] + ] + } + }, + "issue_id": "XRAY-177872", + "references": [ + "https://github.com/gulpjs/glob-parent/blob/6ce8d11f2f1ed8e80a9526b1dc8cf3aa71f43474/index.js%23L9", + "https://github.com/gulpjs/glob-parent/pull/36", + "https://github.com/gulpjs/glob-parent/releases/tag/v5.1.2", + "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBES128-1059093", + "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1059092", + "https://snyk.io/vuln/SNYK-JS-GLOBPARENT-1016905", + "https://www.oracle.com/security-alerts/cpujan2022.html" + ] + }, + { + "cves": [ + { + "cvss_v2_score": "0.0", + "cvss_v2_vector": "CVSS:2.0/AV:N/AC:H/Au:N/C:N/I:N/A:N", + "cvss_v3_score": "0.0", + 
"cvss_v3_vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:N" + } + ], + "summary": "Commander.js Package for Node.js index.js parse() Function Argument Parsing Arbitrary Code Execution Weakness", + "severity": "Unknown", + "components": { + "npm://commander:0.6.1": { + "fixed_versions": [ + "[3.0.2]" + ], + "impact_paths": [ + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-mocha-test:0.12.7" + }, + { + "component_id": "npm://mocha:2.5.3" + }, + { + "component_id": "npm://jade:0.26.3" + }, + { + "component_id": "npm://commander:0.6.1" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://mocha:2.5.3" + }, + { + "component_id": "npm://jade:0.26.3" + }, + { + "component_id": "npm://mkdirp:0.3.0" + } + ] + ] + }, + "npm://commander:2.3.0": { + "fixed_versions": [ + "[3.0.2]" + ], + "impact_paths": [ + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-mocha-test:0.12.7" + }, + { + "component_id": "npm://mocha:2.5.3" + }, + { + "component_id": "npm://jade:0.26.3" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://mocha:2.5.3" + }, + { + "component_id": "npm://commander:2.3.0" + } + ] + ] + }, + "npm://commander:2.5.1": { + "fixed_versions": [ + "[3.0.2]" + ], + "impact_paths": [ + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-retire:0.3.12" + }, + { + "component_id": "npm://retire:1.1.6" + }, + { + "component_id": "npm://commander:2.5.1" + } + ] + ] + } + }, + "issue_id": "XRAY-199126", + "references": [ + "https://advisory.checkmarx.net/advisory/CX-2019-4298", + "https://github.com/tj/commander.js/pull/1056", + "https://github.com/tj/commander.js/commit/2544df81b478a4afe15560f27b3575aa3a1581c4" + ] + }, + { + "cves": [ + { + "cve": "CVE-2020-7610", + "cvss_v2_score": "7.5", + "cvss_v2_vector": "CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:P/A:P", + "cvss_v3_score": "9.8", + 
"cvss_v3_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" + } + ], + "summary": "All versions of bson before 1.1.4 are vulnerable to Deserialization of Untrusted Data. The package will ignore an unknown value for an object's _bsotype, leading to cases where an object is serialized as a document rather than the intended BSON type.", + "severity": "Critical", + "components": { + "npm://bson:1.0.9": { + "fixed_versions": [ + "[1.1.4]" + ], + "impact_paths": [ + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://mongodb:2.2.36" + }, + { + "component_id": "npm://mongodb-core:2.1.20" + }, + { + "component_id": "npm://bson:1.0.9" + } + ] + ] + } + }, + "issue_id": "XRAY-95944", + "references": [ + "https://snyk.io/vuln/SNYK-JS-BSON-561052" + ] + }, + { + "cves": [ + { + "cve": "CVE-2019-2391", + "cvss_v2_score": "5.5", + "cvss_v2_vector": "CVSS:2.0/AV:N/AC:L/Au:S/C:P/I:P/A:N", + "cvss_v3_score": "5.4", + "cvss_v3_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N" + } + ], + "summary": "Incorrect parsing of certain JSON input may result in js-bson not correctly serializing BSON. This may cause unexpected application behaviour including data disclosure. This issue affects: MongoDB Inc. 
js-bson library version 1.1.3 and prior to.", + "severity": "Medium", + "components": { + "npm://bson:1.0.9": { + "fixed_versions": [ + "[1.1.4]" + ], + "impact_paths": [ + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://mongodb:2.2.36" + }, + { + "component_id": "npm://mongodb-core:2.1.20" + }, + { + "component_id": "npm://bson:1.0.9" + } + ] + ] + } + }, + "issue_id": "XRAY-95979", + "references": [ + "https://github.com/mongodb/js-bson/releases/tag/v1.1.4" + ] + }, + { + "cves": [ + { + "cvss_v2_score": "4.3", + "cvss_v2_vector": "CVSS:2.0/AV:N/AC:M/Au:N/C:N/I:N/A:P", + "cvss_v3_score": "7.5", + "cvss_v3_vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" + } + ], + "summary": "Mocha Package for Node.js lib/utils.js clean() Function Improper Regular Expression DoS", + "severity": "High", + "components": { + "npm://mocha:2.5.3": { + "fixed_versions": [ + "[10.1.0]" + ], + "impact_paths": [ + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://mocha:2.5.3" + } + ] + ] + } + }, + "issue_id": "XRAY-228815", + "references": [ + "https://github.com/mochajs/mocha/pull/4770", + "https://www.huntr.dev/bounties/1d8a3d95-d199-4129-a6ad-8eafe5e77b9e/" + ] + }, + { + "cves": [ + { + "cve": "CVE-2023-28155", + "cvss_v3_score": "6.1", + "cvss_v3_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" + } + ], + "summary": "** UNSUPPORTED WHEN ASSIGNED ** The Request package through 2.88.1 for Node.js allows a bypass of SSRF mitigations via an attacker-controller server that does a cross-protocol redirect (HTTP to HTTPS, or HTTPS to HTTP). 
NOTE: This vulnerability only affects products that are no longer supported by the maintainer.", + "severity": "Medium", + "components": { + "npm://request:2.36.0": { + "fixed_versions": [ + "(,0.0.0)" + ], + "impact_paths": [ + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://zaproxy:0.2.0" + }, + { + "component_id": "npm://request:2.36.0" + } + ] + ] + }, + "npm://request:2.67.0": { + "fixed_versions": [ + "(,0.0.0)" + ], + "impact_paths": [ + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-retire:0.3.12" + }, + { + "component_id": "npm://retire:1.1.6" + }, + { + "component_id": "npm://commander:2.5.1" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-retire:0.3.12" + }, + { + "component_id": "npm://request:2.67.0" + } + ] + ] + } + }, + "issue_id": "XRAY-428016", + "references": [ + "https://doyensec.com/resources/Doyensec_Advisory_RequestSSRF_Q12023.pdf", + "https://github.com/request/request/issues/3442", + "https://github.com/request/request/pull/3444" + ] + }, + { + "cves": [ + { + "cve": "CVE-2017-16026", + "cvss_v2_score": "7.1", + "cvss_v2_vector": "CVSS:2.0/AV:N/AC:M/Au:N/C:C/I:N/A:N", + "cvss_v3_score": "5.9", + "cvss_v3_vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N" + } + ], + "summary": "Request is an http client. If a request is made using ```multipart```, and the body type is a ```number```, then the specified number of non-zero memory is passed in the body. 
This affects Request \u003e=2.2.6 \u003c2.47.0 || \u003e2.51.0 \u003c=2.67.0.", + "severity": "Medium", + "components": { + "npm://request:2.36.0": { + "fixed_versions": [ + "(,0.0.0)" + ], + "impact_paths": [ + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://zaproxy:0.2.0" + }, + { + "component_id": "npm://request:2.36.0" + } + ] + ] + }, + "npm://request:2.67.0": { + "fixed_versions": [ + "(,0.0.0)" + ], + "impact_paths": [ + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-retire:0.3.12" + }, + { + "component_id": "npm://retire:1.1.6" + }, + { + "component_id": "npm://commander:2.5.1" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-retire:0.3.12" + }, + { + "component_id": "npm://request:2.67.0" + } + ] + ] + } + }, + "issue_id": "XRAY-72544", + "references": [ + "https://github.com/request/request/issues/1904", + "https://github.com/request/request/pull/2018", + "https://nodesecurity.io/advisories/309" + ] + }, + { + "cves": [ + { + "cve": "CVE-2023-28155" + } + ], + "summary": "Server-Side Request Forgery in Request", + "severity": "Medium", + "components": { + "npm://request:2.36.0": { + "fixed_versions": [ + "(,0.0.0)" + ], + "impact_paths": [ + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://zaproxy:0.2.0" + }, + { + "component_id": "npm://request:2.36.0" + } + ] + ] + }, + "npm://request:2.67.0": { + "fixed_versions": [ + "(,0.0.0)" + ], + "impact_paths": [ + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-retire:0.3.12" + }, + { + "component_id": "npm://retire:1.1.6" + }, + { + "component_id": "npm://commander:2.5.1" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-retire:0.3.12" + }, + { + "component_id": "npm://request:2.67.0" + } + ] + ] + } + }, + "issue_id": "XRAY-N133", + "references": [ + 
"https://github.com/advisories/GHSA-p8p7-x288-28g6", + "- https://nvd.nist.gov/vuln/detail/CVE-2023-28155\n- https://github.com/request/request/issues/3442\n- https://github.com/request/request/pull/3444\n- https://doyensec.com/resources/Doyensec_Advisory_RequestSSRF_Q12023.pdf\n- https://github.com/advisories/GHSA-p8p7-x288-28g6" + ] + }, + { + "cves": [ + { + "cve": "CVE-2023-28155" + } + ], + "summary": "Server-Side Request Forgery in Request", + "severity": "Medium", + "components": { + "npm://request:2.36.0": { + "fixed_versions": [ + "(,0.0.0)" + ], + "impact_paths": [ + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://zaproxy:0.2.0" + }, + { + "component_id": "npm://request:2.36.0" + } + ] + ] + }, + "npm://request:2.67.0": { + "fixed_versions": [ + "(,0.0.0)" + ], + "impact_paths": [ + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-retire:0.3.12" + }, + { + "component_id": "npm://retire:1.1.6" + }, + { + "component_id": "npm://commander:2.5.1" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-retire:0.3.12" + }, + { + "component_id": "npm://request:2.67.0" + } + ] + ] + } + }, + "issue_id": "XRAY-N134", + "references": [ + "https://github.com/advisories/GHSA-p8p7-x288-28g6", + "- https://nvd.nist.gov/vuln/detail/CVE-2023-28155\n- https://github.com/request/request/issues/3442\n- https://github.com/request/request/pull/3444\n- https://doyensec.com/resources/Doyensec_Advisory_RequestSSRF_Q12023.pdf\n- https://github.com/advisories/GHSA-p8p7-x288-28g6" + ] + }, + { + "cves": [ + { + "cve": "CVE-2023-28155" + } + ], + "summary": "Server-Side Request Forgery in Request", + "severity": "Medium", + "components": { + "npm://request:2.36.0": { + "fixed_versions": [ + "(,0.0.0)" + ], + "impact_paths": [ + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://zaproxy:0.2.0" + }, + { + "component_id": "npm://request:2.36.0" 
+ } + ] + ] + }, + "npm://request:2.67.0": { + "fixed_versions": [ + "(,0.0.0)" + ], + "impact_paths": [ + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-retire:0.3.12" + }, + { + "component_id": "npm://retire:1.1.6" + }, + { + "component_id": "npm://commander:2.5.1" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-retire:0.3.12" + }, + { + "component_id": "npm://request:2.67.0" + } + ] + ] + } + }, + "issue_id": "XRAY-N135", + "references": [ + "https://github.com/advisories/GHSA-p8p7-x288-28g6", + "- https://nvd.nist.gov/vuln/detail/CVE-2023-28155\n- https://github.com/request/request/issues/3442\n- https://github.com/request/request/pull/3444\n- https://doyensec.com/resources/Doyensec_Advisory_RequestSSRF_Q12023.pdf\n- https://github.com/advisories/GHSA-p8p7-x288-28g6" + ] + }, + { + "cves": [ + { + "cve": "CVE-2015-8858", + "cvss_v2_score": "7.8", + "cvss_v2_vector": "CVSS:2.0/AV:N/AC:L/Au:N/C:N/I:N/A:C", + "cvss_v3_score": "7.5", + "cvss_v3_vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" + } + ], + "summary": "The uglify-js package before 2.6.0 for Node.js allows attackers to cause a denial of service (CPU consumption) via crafted input in a parse call, aka a \"regular expression denial of service (ReDoS).\"", + "severity": "High", + "components": { + "npm://uglify-js:2.4.24": { + "fixed_versions": [ + "[2.6.0]" + ], + "impact_paths": [ + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://swig:1.4.2" + }, + { + "component_id": "npm://uglify-js:2.4.24" + } + ] + ] + } + }, + "issue_id": "XRAY-72508", + "references": [ + "http://www.securityfocus.com/bid/96409", + "https://nodesecurity.io/advisories/48", + "http://www.openwall.com/lists/oss-security/2016/04/20/11" + ] + }, + { + "cves": [ + { + "cve": "CVE-2021-23358", + "cvss_v2_score": "6.5", + "cvss_v2_vector": "CVSS:2.0/AV:N/AC:L/Au:S/C:P/I:P/A:P", + "cvss_v3_score": "7.2", + 
"cvss_v3_vector": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H" + } + ], + "summary": "The package underscore from 1.13.0-0 and before 1.13.0-2, from 1.3.2 and before 1.12.1 are vulnerable to Arbitrary Code Injection via the template function, particularly when a variable property is passed as an argument as it is not sanitized.", + "severity": "High", + "components": { + "npm://underscore:1.8.3": { + "fixed_versions": [ + "[1.12.1]" + ], + "impact_paths": [ + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-retire:0.3.12" + }, + { + "component_id": "npm://retire:1.1.6" + }, + { + "component_id": "npm://commander:2.5.1" + } + ] + ] + } + }, + "issue_id": "XRAY-159876", + "references": [ + "https://www.tenable.com/security/tns-2021-14", + "https://www.debian.org/security/2021/dsa-4883", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EOKATXXETD2PF3OR36Q5PD2VSVAR6J5Z/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FGEE7U4Z655A2MK5EW4UQQZ7B64XJWBV/", + "https://github.com/jashkenas/underscore/blob/master/modules/template.js%23L71", + "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1081504", + "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBJASHKENAS-1081505", + "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1081503", + "https://snyk.io/vuln/SNYK-JS-UNDERSCORE-1080984", + "https://lists.apache.org/thread.html/rbc84926bacd377503a3f5c37b923c1931f9d343754488d94e6f08039@%3Cissues.cordova.apache.org%3E", + "https://lists.apache.org/thread.html/r770f910653772317b117ab4472b0a32c266ee4abbafda28b8a6f9306@%3Cissues.cordova.apache.org%3E", + "https://lists.apache.org/thread.html/raae088abdfa4fbd84e1d19d7a7ffe52bf8e426b83e6599ea9a734dba@%3Cissues.cordova.apache.org%3E", + "https://lists.apache.org/thread.html/re69ee408b3983b43e9c4a82a9a17cbbf8681bb91a4b61b46f365aeaf@%3Cissues.cordova.apache.org%3E", + 
"https://lists.apache.org/thread.html/r5df90c46f7000c4aab246e947f62361ecfb849c5a553dcdb0ef545e1@%3Cissues.cordova.apache.org%3E", + "https://lists.debian.org/debian-lts-announce/2021/03/msg00038.html" + ] + }, + { + "cves": [ + { + "cvss_v2_score": "4.3", + "cvss_v2_vector": "CVSS:2.0/AV:N/AC:M/Au:N/C:N/I:N/A:P" + } + ], + "summary": "utile Package for Node.js lib/base64.js base64.encode() Function Buffer Allocation Handling Memory Consumption DoS", + "severity": "Medium", + "components": { + "npm://utile:0.2.1": { + "impact_paths": [ + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://forever:0.15.3" + }, + { + "component_id": "npm://utile:0.2.1" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://forever:0.15.3" + }, + { + "component_id": "npm://forever-monitor:1.7.2" + }, + { + "component_id": "npm://broadway:0.3.6" + }, + { + "component_id": "npm://utile:0.2.1" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://forever:0.15.3" + }, + { + "component_id": "npm://flatiron:0.4.3" + }, + { + "component_id": "npm://broadway:0.3.6" + }, + { + "component_id": "npm://utile:0.2.1" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://forever:0.15.3" + }, + { + "component_id": "npm://flatiron:0.4.3" + }, + { + "component_id": "npm://prompt:0.2.14" + }, + { + "component_id": "npm://utile:0.2.1" + } + ] + ] + }, + "npm://utile:0.3.0": { + "impact_paths": [ + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://forever:0.15.3" + }, + { + "component_id": "npm://forever-monitor:1.7.2" + }, + { + "component_id": "npm://chokidar:1.7.0" + } + ] + ] + } + }, + "issue_id": "XRAY-78627", + "references": [ + "https://hackerone.com/reports/321701", + "https://www.npmjs.com/package/utile" + ] + }, + { + "cves": [ + { + "cve": "CVE-2018-3728", + "cvss_v2_score": "6.5", + "cvss_v2_vector": 
"CVSS:2.0/AV:N/AC:L/Au:S/C:P/I:P/A:P", + "cvss_v3_score": "8.8", + "cvss_v3_vector": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" + } + ], + "summary": "hoek node module before 4.2.0 and 5.0.x before 5.0.3 suffers from a Modification of Assumed-Immutable Data (MAID) vulnerability via 'merge' and 'applyToDefaults' functions, which allows a malicious user to modify the prototype of \"Object\" via __proto__, causing the addition or modification of an existing property that will exist on all objects.", + "severity": "High", + "components": { + "npm://hoek:0.9.1": { + "fixed_versions": [ + "[4.2.1]", + "[5.0.3]" + ], + "impact_paths": [ + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://zaproxy:0.2.0" + }, + { + "component_id": "npm://request:2.36.0" + }, + { + "component_id": "npm://hawk:1.0.0" + }, + { + "component_id": "npm://boom:0.4.2" + }, + { + "component_id": "npm://hoek:0.9.1" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://zaproxy:0.2.0" + }, + { + "component_id": "npm://request:2.36.0" + }, + { + "component_id": "npm://hawk:1.0.0" + }, + { + "component_id": "npm://hoek:0.9.1" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://zaproxy:0.2.0" + }, + { + "component_id": "npm://request:2.36.0" + }, + { + "component_id": "npm://hawk:1.0.0" + }, + { + "component_id": "npm://sntp:0.2.4" + }, + { + "component_id": "npm://hoek:0.9.1" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://zaproxy:0.2.0" + }, + { + "component_id": "npm://request:2.36.0" + }, + { + "component_id": "npm://hawk:1.0.0" + }, + { + "component_id": "npm://cryptiles:0.2.2" + }, + { + "component_id": "npm://boom:0.4.2" + }, + { + "component_id": "npm://hoek:0.9.1" + } + ] + ] + }, + "npm://hoek:2.16.3": { + "fixed_versions": [ + "[4.2.1]", + "[5.0.3]" + ], + "impact_paths": [ + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + 
"component_id": "npm://grunt-retire:0.3.12" + }, + { + "component_id": "npm://retire:1.1.6" + }, + { + "component_id": "npm://request:2.67.0" + }, + { + "component_id": "npm://hawk:3.1.3" + }, + { + "component_id": "npm://cryptiles:2.0.5" + }, + { + "component_id": "npm://boom:2.10.1" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-retire:0.3.12" + }, + { + "component_id": "npm://retire:1.1.6" + }, + { + "component_id": "npm://request:2.67.0" + }, + { + "component_id": "npm://hawk:3.1.3" + }, + { + "component_id": "npm://cryptiles:2.0.5" + }, + { + "component_id": "npm://boom:2.10.1" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-retire:0.3.12" + }, + { + "component_id": "npm://retire:1.1.6" + }, + { + "component_id": "npm://request:2.67.0" + }, + { + "component_id": "npm://hawk:3.1.3" + }, + { + "component_id": "npm://cryptiles:2.0.5" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-retire:0.3.12" + }, + { + "component_id": "npm://retire:1.1.6" + }, + { + "component_id": "npm://request:2.67.0" + }, + { + "component_id": "npm://hawk:3.1.3" + }, + { + "component_id": "npm://cryptiles:2.0.5" + }, + { + "component_id": "npm://boom:2.10.1" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-retire:0.3.12" + }, + { + "component_id": "npm://retire:1.1.6" + }, + { + "component_id": "npm://request:2.67.0" + }, + { + "component_id": "npm://hawk:3.1.3" + }, + { + "component_id": "npm://cryptiles:2.0.5" + }, + { + "component_id": "npm://boom:2.10.1" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-retire:0.3.12" + }, + { + "component_id": "npm://retire:1.1.6" + }, + { + "component_id": "npm://request:2.67.0" + }, + { + "component_id": "npm://hawk:3.1.3" + }, + { + "component_id": "npm://cryptiles:2.0.5" + }, + { + "component_id": 
"npm://boom:2.10.1" + }, + { + "component_id": "npm://hoek:2.16.3" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-retire:0.3.12" + }, + { + "component_id": "npm://retire:1.1.6" + }, + { + "component_id": "npm://request:2.67.0" + }, + { + "component_id": "npm://hawk:3.1.3" + }, + { + "component_id": "npm://cryptiles:2.0.5" + }, + { + "component_id": "npm://boom:2.10.1" + }, + { + "component_id": "npm://hoek:2.16.3" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-retire:0.3.12" + }, + { + "component_id": "npm://request:2.67.0" + }, + { + "component_id": "npm://hawk:3.1.3" + }, + { + "component_id": "npm://sntp:1.0.9" + }, + { + "component_id": "npm://hoek:2.16.3" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-retire:0.3.12" + }, + { + "component_id": "npm://request:2.67.0" + }, + { + "component_id": "npm://hawk:3.1.3" + }, + { + "component_id": "npm://sntp:1.0.9" + }, + { + "component_id": "npm://hoek:2.16.3" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-retire:0.3.12" + }, + { + "component_id": "npm://request:2.67.0" + }, + { + "component_id": "npm://hawk:3.1.3" + }, + { + "component_id": "npm://hoek:2.16.3" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-retire:0.3.12" + }, + { + "component_id": "npm://request:2.67.0" + }, + { + "component_id": "npm://hawk:3.1.3" + }, + { + "component_id": "npm://boom:2.10.1" + }, + { + "component_id": "npm://hoek:2.16.3" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-retire:0.3.12" + }, + { + "component_id": "npm://request:2.67.0" + }, + { + "component_id": "npm://hawk:3.1.3" + }, + { + "component_id": "npm://boom:2.10.1" + }, + { + "component_id": "npm://hoek:2.16.3" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + 
{ + "component_id": "npm://grunt-retire:0.3.12" + }, + { + "component_id": "npm://request:2.67.0" + }, + { + "component_id": "npm://hawk:3.1.3" + }, + { + "component_id": "npm://cryptiles:2.0.5" + }, + { + "component_id": "npm://boom:2.10.1" + }, + { + "component_id": "npm://hoek:2.16.3" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-retire:0.3.12" + }, + { + "component_id": "npm://request:2.67.0" + }, + { + "component_id": "npm://hawk:3.1.3" + }, + { + "component_id": "npm://cryptiles:2.0.5" + }, + { + "component_id": "npm://boom:2.10.1" + }, + { + "component_id": "npm://hoek:2.16.3" + } + ] + ] + } + }, + "issue_id": "XRAY-73062", + "references": [ + "http://www.securityfocus.com/bid/103108", + "https://github.com/hapijs/hoek/commit/32ed5c9413321fbc37da5ca81a7cbab693786dee", + "https://nodesecurity.io/advisories/566", + "https://hackerone.com/reports/310439", + "https://snyk.io/vuln/npm:hoek:20180212", + "https://access.redhat.com/errata/RHSA-2018:1263", + "https://access.redhat.com/errata/RHSA-2018:1264" + ] + }, + { + "cves": [ + { + "cve": "CVE-2016-10540", + "cvss_v2_score": "5.0", + "cvss_v2_vector": "CVSS:2.0/AV:N/AC:L/Au:N/C:N/I:N/A:P", + "cvss_v3_score": "7.5", + "cvss_v3_vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" + } + ], + "summary": "Minimatch is a minimal matching utility that works by converting glob expressions into JavaScript `RegExp` objects. 
The primary function, `minimatch(path, pattern)` in Minimatch 3.0.1 and earlier is vulnerable to ReDoS in the `pattern` parameter.", + "severity": "High", + "components": { + "npm://minimatch:0.3.0": { + "fixed_versions": [ + "[3.0.5]" + ], + "impact_paths": [ + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-mocha-test:0.12.7" + }, + { + "component_id": "npm://mocha:2.5.3" + }, + { + "component_id": "npm://glob:3.2.11" + }, + { + "component_id": "npm://minimatch:0.3.0" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://mocha:2.5.3" + }, + { + "component_id": "npm://glob:3.2.11" + }, + { + "component_id": "npm://minimatch:0.3.0" + } + ] + ] + } + }, + "issue_id": "XRAY-72610", + "references": [ + "https://nodesecurity.io/advisories/118" + ] + }, + { + "cves": [ + { + "cve": "CVE-2022-3517" + } + ], + "summary": "minimatch ReDoS vulnerability", + "severity": "High", + "components": { + "npm://minimatch:0.3.0": { + "fixed_versions": [ + "[3.0.5]" + ], + "impact_paths": [ + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-mocha-test:0.12.7" + }, + { + "component_id": "npm://mocha:2.5.3" + }, + { + "component_id": "npm://glob:3.2.11" + }, + { + "component_id": "npm://minimatch:0.3.0" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://mocha:2.5.3" + }, + { + "component_id": "npm://glob:3.2.11" + }, + { + "component_id": "npm://minimatch:0.3.0" + } + ] + ] + } + }, + "issue_id": "XRAY-N91", + "references": [ + "https://github.com/advisories/GHSA-f8q6-p94x-37v3", + "- https://nvd.nist.gov/vuln/detail/CVE-2022-3517\n- https://github.com/grafana/grafana-image-renderer/issues/329\n- https://github.com/isaacs/minimatch/commit/a8763f4388e51956be62dc6025cec1126beeb5e6\n- https://github.com/nodejs/node/issues/42510\n- https://github.com/advisories/GHSA-f8q6-p94x-37v3" + ] + }, + { + "cves": [ + { + "cve": "CVE-2022-3517", 
+ "cvss_v3_score": "7.5", + "cvss_v3_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" + } + ], + "summary": "A vulnerability was found in the minimatch package. This flaw allows a Regular Expression Denial of Service (ReDoS) when calling the braceExpand function with specific arguments, resulting in a Denial of Service.", + "severity": "High", + "components": { + "npm://minimatch:0.3.0": { + "fixed_versions": [ + "[3.0.5]" + ], + "impact_paths": [ + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-mocha-test:0.12.7" + }, + { + "component_id": "npm://mocha:2.5.3" + }, + { + "component_id": "npm://glob:3.2.11" + }, + { + "component_id": "npm://minimatch:0.3.0" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://mocha:2.5.3" + }, + { + "component_id": "npm://glob:3.2.11" + }, + { + "component_id": "npm://minimatch:0.3.0" + } + ] + ] + } + }, + "issue_id": "XRAY-257996", + "references": [ + "https://github.com/grafana/grafana-image-renderer/issues/329", + "https://github.com/isaacs/minimatch/commit/a8763f4388e51956be62dc6025cec1126beeb5e6" + ] + }, + { + "cves": [ + { + "cve": "CVE-2017-20162", + "cvss_v3_score": "5.3", + "cvss_v3_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" + } + ], + "summary": "A vulnerability, which was classified as problematic, has been found in vercel ms up to 1.x. This issue affects the function parse of the file index.js. The manipulation of the argument str leads to inefficient regular expression complexity. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 2.0.0 is able to address this issue. The name of the patch is caae2988ba2a37765d055c4eee63d383320ee662. It is recommended to upgrade the affected component. 
The associated identifier of this vulnerability is VDB-217451.", + "severity": "Medium", + "components": { + "npm://ms:0.7.1": { + "fixed_versions": [ + "[2.0.0]" + ], + "impact_paths": [ + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://helmet:2.3.0" + }, + { + "component_id": "npm://connect:3.4.1" + }, + { + "component_id": "npm://finalhandler:0.4.1" + }, + { + "component_id": "npm://debug:2.2.0" + }, + { + "component_id": "npm://ms:0.7.1" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://helmet:2.3.0" + }, + { + "component_id": "npm://connect:3.4.1" + }, + { + "component_id": "npm://finalhandler:0.4.1" + }, + { + "component_id": "npm://debug:2.2.0" + }, + { + "component_id": "npm://ms:0.7.1" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://helmet:2.3.0" + }, + { + "component_id": "npm://connect:3.4.1" + }, + { + "component_id": "npm://finalhandler:0.4.1" + }, + { + "component_id": "npm://debug:2.2.0" + }, + { + "component_id": "npm://ms:0.7.1" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://helmet:2.3.0" + }, + { + "component_id": "npm://connect:3.4.1" + }, + { + "component_id": "npm://debug:2.2.0" + }, + { + "component_id": "npm://ms:0.7.1" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://helmet:2.3.0" + }, + { + "component_id": "npm://connect:3.4.1" + }, + { + "component_id": "npm://debug:2.2.0" + }, + { + "component_id": "npm://ms:0.7.1" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://helmet:2.3.0" + }, + { + "component_id": "npm://connect:3.4.1" + }, + { + "component_id": "npm://debug:2.2.0" + }, + { + "component_id": "npm://ms:0.7.1" + } + ] + ] + } + }, + "issue_id": "XRAY-413139", + "references": [ + "https://github.com/vercel/ms/commit/caae2988ba2a37765d055c4eee63d383320ee662", + 
"https://github.com/vercel/ms/pull/89", + "https://github.com/vercel/ms/releases/tag/2.0.0", + "https://vuldb.com/?ctiid.217451", + "https://vuldb.com/?id.217451" + ] + }, + { + "cves": [ + { + "cvss_v2_score": "5.0", + "cvss_v2_vector": "CVSS:2.0/AV:N/AC:L/Au:N/C:N/I:N/A:P" + } + ], + "summary": "Platform.js HTTP User-Agent Header Parsing Regular Expression Handling Remote DoS", + "severity": "Medium", + "components": { + "npm://platform:1.3.1": { + "impact_paths": [ + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://helmet:2.3.0" + }, + { + "component_id": "npm://helmet-csp:1.2.2" + }, + { + "component_id": "npm://lodash.reduce:4.5.0" + } + ] + ] + } + }, + "issue_id": "XRAY-78635", + "references": [ + "https://github.com/bestiejs/platform.js", + "https://github.com/bestiejs/platform.js/issues/139" + ] + }, + { + "cves": [ + { + "cve": "CVE-2014-10064", + "cvss_v2_score": "5.0", + "cvss_v2_vector": "CVSS:2.0/AV:N/AC:L/Au:N/C:N/I:N/A:P", + "cvss_v3_score": "7.5", + "cvss_v3_vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" + } + ], + "summary": "The qs module before 1.0.0 does not have an option or default for specifying object depth and when parsing a string representing a deeply nested object will block the event loop for long periods of time. 
An attacker could leverage this to cause a temporary denial-of-service condition, for example, in a web application, other requests would not be processed while this blocking is occurring.", + "severity": "High", + "components": { + "npm://qs:0.6.6": { + "fixed_versions": [ + "[6.10.3]", + "[6.2.4]", + "[6.3.3]", + "[6.4.1]", + "[6.5.3]", + "[6.6.1]", + "[6.7.3]", + "[6.8.3]", + "[6.9.7]" + ], + "impact_paths": [ + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://zaproxy:0.2.0" + }, + { + "component_id": "npm://request:2.36.0" + }, + { + "component_id": "npm://hawk:1.0.0" + } + ] + ] + } + }, + "issue_id": "XRAY-72519", + "references": [ + "https://nodesecurity.io/advisories/28" + ] + }, + { + "cves": [ + { + "cve": "CVE-2014-7191", + "cvss_v2_score": "5.0", + "cvss_v2_vector": "CVSS:2.0/AV:N/AC:L/Au:N/C:N/I:N/A:P" + } + ], + "summary": "The qs module before 1.0.0 in Node.js does not call the compact function for array data, which allows remote attackers to cause a denial of service (memory consumption) by using a large index value to create a sparse array.", + "severity": "Medium", + "components": { + "npm://qs:0.6.6": { + "fixed_versions": [ + "[6.10.3]", + "[6.2.4]", + "[6.3.3]", + "[6.4.1]", + "[6.5.3]", + "[6.6.1]", + "[6.7.3]", + "[6.8.3]", + "[6.9.7]" + ], + "impact_paths": [ + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://zaproxy:0.2.0" + }, + { + "component_id": "npm://request:2.36.0" + }, + { + "component_id": "npm://hawk:1.0.0" + } + ] + ] + } + }, + "issue_id": "XRAY-73097", + "references": [ + "http://www-01.ibm.com/support/docview.wss?uid=swg21685987", + "http://www-01.ibm.com/support/docview.wss?uid=swg21687263", + "http://www-01.ibm.com/support/docview.wss?uid=swg21687928", + "https://github.com/raymondfeng/node-querystring/commit/43a604b7847e56bba49d0ce3e222fe89569354d8", + "https://github.com/visionmedia/node-querystring/issues/104", + 
"https://nodesecurity.io/advisories/qs_dos_memory_exhaustion", + "https://access.redhat.com/errata/RHSA-2016:1380", + "http://secunia.com/advisories/60026", + "http://secunia.com/advisories/62170", + "https://exchange.xforce.ibmcloud.com/vulnerabilities/96729" + ] + }, + { + "cves": [ + { + "cve": "CVE-2017-1000048", + "cvss_v2_score": "5.0", + "cvss_v2_vector": "CVSS:2.0/AV:N/AC:L/Au:N/C:N/I:N/A:P", + "cvss_v3_score": "7.5", + "cvss_v3_vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" + } + ], + "summary": "the web framework using ljharb's qs module older than v6.3.2, v6.2.3, v6.1.2, and v6.0.4 is vulnerable to a DoS. A malicious user can send a evil request to cause the web framework crash.", + "severity": "High", + "components": { + "npm://qs:0.6.6": { + "fixed_versions": [ + "[6.10.3]", + "[6.2.4]", + "[6.3.3]", + "[6.4.1]", + "[6.5.3]", + "[6.6.1]", + "[6.7.3]", + "[6.8.3]", + "[6.9.7]" + ], + "impact_paths": [ + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://zaproxy:0.2.0" + }, + { + "component_id": "npm://request:2.36.0" + }, + { + "component_id": "npm://hawk:1.0.0" + } + ] + ] + }, + "npm://qs:5.2.1": { + "fixed_versions": [ + "[6.10.3]", + "[6.2.4]", + "[6.3.3]", + "[6.4.1]", + "[6.5.3]", + "[6.6.1]", + "[6.7.3]", + "[6.8.3]", + "[6.9.7]" + ], + "impact_paths": [ + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-retire:0.3.12" + }, + { + "component_id": "npm://retire:1.1.6" + }, + { + "component_id": "npm://request:2.67.0" + }, + { + "component_id": "npm://qs:5.2.1" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-retire:0.3.12" + }, + { + "component_id": "npm://request:2.67.0" + }, + { + "component_id": "npm://isstream:0.1.2" + } + ] + ] + } + }, + "issue_id": "XRAY-94949", + "references": [ + "https://github.com/ljharb/qs/issues/200", + "https://access.redhat.com/errata/RHSA-2017:2672" + ] + }, + { + "cves": [ + { + "cve": 
"CVE-2022-24999", + "cvss_v3_score": "7.5", + "cvss_v3_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" + } + ], + "summary": "qs before 6.10.3, as used in Express before 4.17.3 and other products, allows attackers to cause a Node process hang for an Express application because an __ proto__ key can be used. In many typical Express use cases, an unauthenticated remote attacker can place the attack payload in the query string of the URL that is used to visit the application, such as a[__proto__]=b\u0026a[__proto__]\u0026a[length]=100000000. The fix was backported to qs 6.9.7, 6.8.3, 6.7.3, 6.6.1, 6.5.3, 6.4.1, 6.3.3, and 6.2.4 (and therefore Express 4.17.3, which has \"deps: qs@6.9.7\" in its release description, is not vulnerable).", + "severity": "High", + "components": { + "npm://qs:0.6.6": { + "fixed_versions": [ + "[6.10.3]", + "[6.2.4]", + "[6.3.3]", + "[6.4.1]", + "[6.5.3]", + "[6.6.1]", + "[6.7.3]", + "[6.8.3]", + "[6.9.7]" + ], + "impact_paths": [ + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://zaproxy:0.2.0" + }, + { + "component_id": "npm://request:2.36.0" + }, + { + "component_id": "npm://hawk:1.0.0" + } + ] + ] + }, + "npm://qs:5.2.1": { + "fixed_versions": [ + "[6.10.3]", + "[6.2.4]", + "[6.3.3]", + "[6.4.1]", + "[6.5.3]", + "[6.6.1]", + "[6.7.3]", + "[6.8.3]", + "[6.9.7]" + ], + "impact_paths": [ + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-retire:0.3.12" + }, + { + "component_id": "npm://retire:1.1.6" + }, + { + "component_id": "npm://request:2.67.0" + }, + { + "component_id": "npm://qs:5.2.1" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-retire:0.3.12" + }, + { + "component_id": "npm://request:2.67.0" + }, + { + "component_id": "npm://isstream:0.1.2" + } + ] + ] + } + }, + "issue_id": "XRAY-262099", + "references": [ + "https://github.com/expressjs/express/releases/tag/4.17.3", + 
"https://github.com/ljharb/qs/pull/428", + "https://github.com/n8tz/CVE-2022-24999" + ], + "extended_information": { + "short_description": "Insufficient input validation in qs leads to prototype pollution when parsing attacker-controlled query strings.", + "full_description": "[qs](https://npmjs.org/package/qs) is an npm library that provides query string parsing to objects and stringifying.\r\n\r\n[Express.js](https://www.npmjs.com/package/express) is a trending web framework for Node.js and uses `qs` as one of its dependencies.\r\n\r\nIt was discovered that the `parseObject` function in `qs` did not guard against prototype pollution when parsing query strings, by allowing the use of `__proto__` keys instead of ignoring them. Therefore, any calls with untrusted user input would cause the injection of arbitrary values into the Object prototype and could lead to denial-of-service.\r\n\r\nBy default, the `qs` library doesn't allow prototypes when parsing, so only non-default parsing configurations are affected. An example: `qs.parse(payload, { allowPrototypes: true });`\r\n\r\nThe issue also affects `Express.js` web framework, which uses the `qs` package to parse user-supplied query strings (from `HTTP GET` requests). That is due to `Express.js` parsing the queries with the `qs` `allowPrototypes=true` option enabled by default.\r\nThe vulnerable function is called when processing a request and does not have to be invoked by the developer directly.\r\n\r\nWhen treating the resulting query object that is inside `req.query` as a string or as an array, it causes Node.js to hang. 
An example would be code that processes a string addition: `const newVar = req.query.testString + \"0\";`\r\nAnother example would be code that searches an element in an array: `req.query.testArray.indexOf(\"123\")`\r\n\r\nThe vulnerability doesn't affect the use of `qs` with default configuration (without the enabling of `allowPrototypes`).\r\n\r\nExample malicious query string payload -\r\n```\r\na[__proto__]\u0026a[__proto__]\u0026a[length]=100000000\r\n```", + "jfrog_research_severity": "High", + "jfrog_research_severity_reasons": [ + { + "name": "The impact of exploiting the issue depends on the context of surrounding software. A severe impact such as RCE is not guaranteed.", + "description": "A prototype pollution attack allows the attacker to inject new properties to all JavaScript objects (but not set existing properties).\r\nTherefore, the impact of a prototype pollution attack depends on the way the JavaScript code uses any object properties after the attack is triggered.\r\nUsually, a DoS attack is possible since invalid properties quickly lead to an exception being thrown. In more severe cases, RCE may be achievable.", + "is_positive": true + }, + { + "name": "The issue can be exploited by attackers over the network", + "description": "`express` is a Node.js web framework and is very likely to parse user-supplied query strings." + }, + { + "name": "The issue is trivial to exploit and does not require a published writeup or PoC", + "description": "Prototype pollution is well documented and the vulnerability is very trivial to exploit." + }, + { + "name": "Exploitation of the issue is only possible when the vulnerable component is used in a specific manner. 
The attacker has to perform per-target research to determine the vulnerable attack vector", + "description": "In `qs`, only applicable to `qs.parse` calls that have the `allowPrototypes=true` option, which is not enabled by default.\r\nIn `express`, the vulnerability is exploitable by default, but mostly for denial-of-service impact", + "is_positive": true + }, + { + "name": "The issue has a detailed technical explanation published, that can aid in exploit development", + "description": "Multiple public Proof-of-Concepts demonstrating exploitation of this issue are available, including a detailed writeup." + } + ], + "remediation": "##### Development mitigations\n\nAdd the `Object.freeze(Object.prototype);` directive once at the beginning of your main JS source code file (ex. `index.js`), preferably after all your `require` directives. This will prevent any changes to the prototype object, thus completely negating prototype pollution attacks.\n\n##### Development mitigations\n\nIn `qs`, don't use the `{ allowPrototypes: true}` parsing option.\r\nIn `express`, add the following line to switch from using the vulnerable `qs` to `query-string` npm library:\r\n```\r\napp.set('query parser', 'simple');\r\n```" + } + }, + { + "cves": [ + { + "cvss_v2_score": "7.1", + "cvss_v2_vector": "AV:N/AC:M/Au:N/C:N/I:N/A:C", + "cvss_v3_score": "7.5", + "cvss_v3_vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" + } + ], + "summary": "mongodb Package for Node.js (node-mongodb-native) lib/operations/db_ops.js createCollection() Function Collection Name Validation Improper Exception Handling DoS", + "severity": "High", + "components": { + "npm://mongodb:2.2.36": { + "fixed_versions": [ + "[3.1.13]" + ], + "impact_paths": [ + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://mongodb:2.2.36" + } + ] + ] + } + }, + "issue_id": "XRAY-90643", + "references": [ + "https://www.npmjs.com/advisories/1203", + "https://jira.mongodb.org/browse/NODE-1839", + 
"https://github.com/mongodb/node-mongodb-native/commit/210c71dccd8d8fdeadd9b4d1571e5fdb93e0f02f" + ] + }, + { + "cves": [ + { + "cve": "CVE-2023-0842", + "cvss_v3_score": "5.3", + "cvss_v3_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N" + } + ], + "summary": "xml2js version 0.4.23 allows an external attacker to edit or add new properties to an object. This is possible because the application does not properly validate incoming JSON keys, thus allowing the __proto__ property to be edited.", + "severity": "Medium", + "components": { + "npm://xml2js:0.4.4": { + "fixed_versions": [ + "[0.5.0]" + ], + "impact_paths": [ + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://selenium-webdriver:2.53.3" + }, + { + "component_id": "npm://xml2js:0.4.4" + } + ] + ] + } + }, + "issue_id": "XRAY-513455", + "references": [ + "https://fluidattacks.com/advisories/myers/", + "https://github.com/Leonidas-from-XIV/node-xml2js/" + ] + }, + { + "cves": [ + { + "cve": "CVE-2022-29167", + "cvss_v2_score": "5.0", + "cvss_v2_vector": "CVSS:2.0/AV:N/AC:L/Au:N/C:N/I:N/A:P", + "cvss_v3_score": "7.5", + "cvss_v3_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" + } + ], + "summary": "Hawk is an HTTP authentication scheme providing mechanisms for making authenticated HTTP requests with partial cryptographic verification of the request and response, covering the HTTP method, request URI, host, and optionally the request payload. Hawk used a regular expression to parse `Host` HTTP header (`Hawk.utils.parseHost()`), which was subject to regular expression DoS attack - meaning each added character in the attacker's input increases the computation time exponentially. `parseHost()` was patched in `9.0.1` to use built-in `URL` class to parse hostname instead. `Hawk.authenticate()` accepts `options` argument. 
If that contains `host` and `port`, those would be used instead of a call to `utils.parseHost()`.", + "severity": "High", + "components": { + "npm://hawk:1.0.0": { + "fixed_versions": [ + "[3.1.3]", + "[4.1.1]" + ], + "impact_paths": [ + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://zaproxy:0.2.0" + }, + { + "component_id": "npm://request:2.36.0" + }, + { + "component_id": "npm://hawk:1.0.0" + } + ] + ] + }, + "npm://hawk:3.1.3": { + "fixed_versions": [ + "[9.0.1]" + ], + "impact_paths": [ + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-retire:0.3.12" + }, + { + "component_id": "npm://retire:1.1.6" + }, + { + "component_id": "npm://request:2.67.0" + }, + { + "component_id": "npm://hawk:3.1.3" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-retire:0.3.12" + }, + { + "component_id": "npm://request:2.67.0" + }, + { + "component_id": "npm://isstream:0.1.2" + } + ] + ] + } + }, + "issue_id": "XRAY-209780", + "references": [ + "https://github.com/mozilla/hawk/security/advisories/GHSA-44pw-h2cw-w3vq", + "https://github.com/mozilla/hawk/pull/286" + ] + }, + { + "cves": [ + { + "cve": "CVE-2016-1000232", + "cvss_v2_score": "5.0", + "cvss_v2_vector": "CVSS:2.0/AV:N/AC:L/Au:N/C:N/I:N/A:P", + "cvss_v3_score": "5.3", + "cvss_v3_vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" + } + ], + "summary": "NodeJS Tough-Cookie version 2.2.2 contains a Regular Expression Parsing vulnerability in HTTP request Cookie Header parsing that can result in Denial of Service. This attack appear to be exploitable via Custom HTTP header passed by client. 
This vulnerability appears to have been fixed in 2.3.0.", + "severity": "Medium", + "components": { + "npm://tough-cookie:2.2.2": { + "fixed_versions": [ + "[2.3.3]" + ], + "impact_paths": [ + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://zaproxy:0.2.0" + }, + { + "component_id": "npm://request:2.36.0" + }, + { + "component_id": "npm://hawk:1.0.0" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-retire:0.3.12" + }, + { + "component_id": "npm://retire:1.1.6" + }, + { + "component_id": "npm://request:2.67.0" + }, + { + "component_id": "npm://tough-cookie:2.2.2" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-retire:0.3.12" + }, + { + "component_id": "npm://request:2.67.0" + }, + { + "component_id": "npm://isstream:0.1.2" + } + ] + ] + } + }, + "issue_id": "XRAY-73084", + "references": [ + "https://access.redhat.com/security/cve/cve-2016-1000232", + "https://github.com/salesforce/tough-cookie/commit/615627206357d997d5e6ff9da158997de05235ae", + "https://github.com/salesforce/tough-cookie/commit/e4fc2e0f9ee1b7a818d68f0ac7ea696f377b1534", + "https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-api-connect-is-affected-by-node-js-tough-cookie-module-vulnerability-to-a-denial-of-service-cve-2016-1000232/", + "https://www.npmjs.com/advisories/130", + "https://access.redhat.com/errata/RHSA-2016:2101", + "https://access.redhat.com/errata/RHSA-2017:2912" + ] + }, + { + "cves": [ + { + "cve": "CVE-2017-15010", + "cvss_v2_score": "5.0", + "cvss_v2_vector": "CVSS:2.0/AV:N/AC:L/Au:N/C:N/I:N/A:P", + "cvss_v3_score": "7.5", + "cvss_v3_vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" + } + ], + "summary": "A ReDoS (regular expression denial of service) flaw was found in the tough-cookie module before 2.3.3 for Node.js. 
An attacker that is able to make an HTTP request using a specially crafted cookie may cause the application to consume an excessive amount of CPU.", + "severity": "High", + "components": { + "npm://tough-cookie:2.2.2": { + "fixed_versions": [ + "[2.3.3]" + ], + "impact_paths": [ + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://zaproxy:0.2.0" + }, + { + "component_id": "npm://request:2.36.0" + }, + { + "component_id": "npm://hawk:1.0.0" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-retire:0.3.12" + }, + { + "component_id": "npm://retire:1.1.6" + }, + { + "component_id": "npm://request:2.67.0" + }, + { + "component_id": "npm://tough-cookie:2.2.2" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-retire:0.3.12" + }, + { + "component_id": "npm://request:2.67.0" + }, + { + "component_id": "npm://isstream:0.1.2" + } + ] + ] + } + }, + "issue_id": "XRAY-72482", + "references": [ + "http://www.securityfocus.com/bid/101185", + "https://github.com/salesforce/tough-cookie/issues/92", + "https://nodesecurity.io/advisories/525", + "https://snyk.io/vuln/npm:tough-cookie:20170905", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6VEBDTGNHVM677SLZDEHMWOP3ISMZSFT/", + "https://access.redhat.com/errata/RHSA-2017:2912", + "https://access.redhat.com/errata/RHSA-2017:2913", + "https://access.redhat.com/errata/RHSA-2018:1263", + "https://access.redhat.com/errata/RHSA-2018:1264" + ] + }, + { + "summary": "Memory Exposure in tunnel-agent", + "severity": "Medium", + "components": { + "npm://tunnel-agent:0.4.3": { + "fixed_versions": [ + "[0.6.0,)" + ], + "impact_paths": [ + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://zaproxy:0.2.0" + }, + { + "component_id": "npm://request:2.36.0" + }, + { + "component_id": "npm://hawk:1.0.0" + } + ], + [ + { + "component_id": 
"npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-retire:0.3.12" + }, + { + "component_id": "npm://retire:1.1.6" + }, + { + "component_id": "npm://request:2.67.0" + }, + { + "component_id": "npm://tunnel-agent:0.4.3" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-retire:0.3.12" + }, + { + "component_id": "npm://request:2.67.0" + }, + { + "component_id": "npm://isstream:0.1.2" + } + ] + ] + } + }, + "issue_id": "XRAY-N78", + "references": [ + "https://github.com/advisories/GHSA-xc7v-wxcw-j472", + "- https://github.com/request/tunnel-agent/commit/9ca95ec7219daface8a6fc2674000653de0922c0\n- https://www.npmjs.com/advisories/598\n- https://gist.github.com/ChALkeR/fd6b2c445834244e7d440a043f9d2ff4\n- https://github.com/advisories/GHSA-xc7v-wxcw-j472" + ] + }, + { + "summary": "Withdrawn: ESLint dependencies are vulnerable (ReDoS and Prototype Pollution)", + "severity": "Medium", + "components": { + "npm://minimist:0.0.10": { + "fixed_versions": [ + "[0.2.1]", + "[1.2.3]" + ], + "impact_paths": [ + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://forever:0.15.3" + }, + { + "component_id": "npm://nconf:0.6.9" + }, + { + "component_id": "npm://optimist:0.6.0" + }, + { + "component_id": "npm://minimist:0.0.10" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://forever:0.15.3" + }, + { + "component_id": "npm://nconf:0.6.9" + }, + { + "component_id": "npm://optimist:0.6.0" + }, + { + "component_id": "npm://minimist:0.0.10" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://forever:0.15.3" + }, + { + "component_id": "npm://forever-monitor:1.7.2" + }, + { + "component_id": "npm://broadway:0.3.6" + }, + { + "component_id": "npm://nconf:0.6.9" + }, + { + "component_id": "npm://async:0.2.9" + }, + { + "component_id": "npm://minimist:0.0.10" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + 
"component_id": "npm://forever:0.15.3" + }, + { + "component_id": "npm://forever-monitor:1.7.2" + }, + { + "component_id": "npm://broadway:0.3.6" + }, + { + "component_id": "npm://nconf:0.6.9" + }, + { + "component_id": "npm://async:0.2.9" + }, + { + "component_id": "npm://minimist:0.0.10" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://forever:0.15.3" + }, + { + "component_id": "npm://optimist:0.6.1" + }, + { + "component_id": "npm://minimist:0.0.10" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://forever:0.15.3" + }, + { + "component_id": "npm://flatiron:0.4.3" + }, + { + "component_id": "npm://broadway:0.3.6" + }, + { + "component_id": "npm://nconf:0.6.9" + }, + { + "component_id": "npm://async:0.2.9" + }, + { + "component_id": "npm://minimist:0.0.10" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://forever:0.15.3" + }, + { + "component_id": "npm://flatiron:0.4.3" + }, + { + "component_id": "npm://broadway:0.3.6" + }, + { + "component_id": "npm://nconf:0.6.9" + }, + { + "component_id": "npm://async:0.2.9" + }, + { + "component_id": "npm://minimist:0.0.10" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://forever:0.15.3" + }, + { + "component_id": "npm://flatiron:0.4.3" + }, + { + "component_id": "npm://optimist:0.6.0" + }, + { + "component_id": "npm://minimist:0.0.10" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://forever:0.15.3" + }, + { + "component_id": "npm://flatiron:0.4.3" + }, + { + "component_id": "npm://optimist:0.6.0" + }, + { + "component_id": "npm://minimist:0.0.10" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://swig:1.4.2" + }, + { + "component_id": "npm://optimist:0.6.1" + }, + { + "component_id": "npm://minimist:0.0.10" + } + ] + ] + }, + "npm://minimist:0.0.8": { + "fixed_versions": [ + 
"[0.2.1]", + "[1.2.3]" + ], + "impact_paths": [ + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-npm-install:0.3.1" + }, + { + "component_id": "npm://npm:3.10.10" + }, + { + "component_id": "npm://mkdirp:0.5.1" + }, + { + "component_id": "npm://minimist:0.0.8" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-npm-install:0.3.1" + }, + { + "component_id": "npm://npm:3.10.10" + }, + { + "component_id": "npm://mkdirp:0.5.1" + }, + { + "component_id": "npm://minimist:0.0.8" + } + ] + ] + } + }, + "issue_id": "XRAY-N39", + "references": [ + "https://github.com/advisories/GHSA-7fhm-mqm4-2wp7", + "- https://github.com/advisories/GHSA-6chw-6frg-f759\n- https://github.com/advisories/GHSA-7fhm-mqm4-2wp7" + ] + }, + { + "cves": [ + { + "cvss_v2_score": "10.0", + "cvss_v2_vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C", + "cvss_v3_score": "9.8", + "cvss_v3_vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" + } + ], + "summary": "minimist Package for Node.js --__proto__.y=Polluted Argument Handling Prototype Pollution Remote Property Manipulation", + "severity": "Critical", + "components": { + "npm://minimist:0.0.10": { + "fixed_versions": [ + "[0.2.1]", + "[1.2.3]" + ], + "impact_paths": [ + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://forever:0.15.3" + }, + { + "component_id": "npm://nconf:0.6.9" + }, + { + "component_id": "npm://optimist:0.6.0" + }, + { + "component_id": "npm://minimist:0.0.10" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://forever:0.15.3" + }, + { + "component_id": "npm://nconf:0.6.9" + }, + { + "component_id": "npm://optimist:0.6.0" + }, + { + "component_id": "npm://minimist:0.0.10" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://forever:0.15.3" + }, + { + "component_id": "npm://forever-monitor:1.7.2" + }, + { + "component_id": "npm://broadway:0.3.6" + 
}, + { + "component_id": "npm://nconf:0.6.9" + }, + { + "component_id": "npm://async:0.2.9" + }, + { + "component_id": "npm://minimist:0.0.10" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://forever:0.15.3" + }, + { + "component_id": "npm://forever-monitor:1.7.2" + }, + { + "component_id": "npm://broadway:0.3.6" + }, + { + "component_id": "npm://nconf:0.6.9" + }, + { + "component_id": "npm://async:0.2.9" + }, + { + "component_id": "npm://minimist:0.0.10" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://forever:0.15.3" + }, + { + "component_id": "npm://optimist:0.6.1" + }, + { + "component_id": "npm://minimist:0.0.10" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://forever:0.15.3" + }, + { + "component_id": "npm://flatiron:0.4.3" + }, + { + "component_id": "npm://broadway:0.3.6" + }, + { + "component_id": "npm://nconf:0.6.9" + }, + { + "component_id": "npm://async:0.2.9" + }, + { + "component_id": "npm://minimist:0.0.10" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://forever:0.15.3" + }, + { + "component_id": "npm://flatiron:0.4.3" + }, + { + "component_id": "npm://broadway:0.3.6" + }, + { + "component_id": "npm://nconf:0.6.9" + }, + { + "component_id": "npm://async:0.2.9" + }, + { + "component_id": "npm://minimist:0.0.10" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://forever:0.15.3" + }, + { + "component_id": "npm://flatiron:0.4.3" + }, + { + "component_id": "npm://optimist:0.6.0" + }, + { + "component_id": "npm://minimist:0.0.10" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://forever:0.15.3" + }, + { + "component_id": "npm://flatiron:0.4.3" + }, + { + "component_id": "npm://optimist:0.6.0" + }, + { + "component_id": "npm://minimist:0.0.10" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, 
+ { + "component_id": "npm://swig:1.4.2" + }, + { + "component_id": "npm://optimist:0.6.1" + }, + { + "component_id": "npm://minimist:0.0.10" + } + ] + ] + }, + "npm://minimist:0.0.8": { + "fixed_versions": [ + "[0.2.1]", + "[1.2.3]" + ], + "impact_paths": [ + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-npm-install:0.3.1" + }, + { + "component_id": "npm://npm:3.10.10" + }, + { + "component_id": "npm://mkdirp:0.5.1" + }, + { + "component_id": "npm://minimist:0.0.8" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-npm-install:0.3.1" + }, + { + "component_id": "npm://npm:3.10.10" + }, + { + "component_id": "npm://mkdirp:0.5.1" + }, + { + "component_id": "npm://minimist:0.0.8" + } + ] + ] + } + }, + "issue_id": "XRAY-95632", + "references": [ + "https://bdu.fstec.ru/vul/2020-01147", + "https://github.com/substack/minimist/commit/4cf1354839cb972e38496d35e12f806eea92c11f#diff-a1e0ee62c91705696ddb71aa30ad4f95", + "https://www.npmjs.com/advisories/1179", + "https://github.com/substack/minimist/commit/63e7ed05aa4b1889ec2f3b196426db4500cbda94" + ] + }, + { + "cves": [ + { + "cve": "CVE-2021-44906", + "cvss_v2_score": "7.5", + "cvss_v2_vector": "CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:P/A:P", + "cvss_v3_score": "9.8", + "cvss_v3_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" + } + ], + "summary": "Minimist \u003c=1.2.5 is vulnerable to Prototype Pollution via file index.js, function setKey() (lines 69-95).", + "severity": "Critical", + "components": { + "npm://minimist:0.0.10": { + "fixed_versions": [ + "[0.2.1]", + "[1.2.3]" + ], + "impact_paths": [ + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://forever:0.15.3" + }, + { + "component_id": "npm://nconf:0.6.9" + }, + { + "component_id": "npm://optimist:0.6.0" + }, + { + "component_id": "npm://minimist:0.0.10" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": 
"npm://forever:0.15.3" + }, + { + "component_id": "npm://nconf:0.6.9" + }, + { + "component_id": "npm://optimist:0.6.0" + }, + { + "component_id": "npm://minimist:0.0.10" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://forever:0.15.3" + }, + { + "component_id": "npm://forever-monitor:1.7.2" + }, + { + "component_id": "npm://broadway:0.3.6" + }, + { + "component_id": "npm://nconf:0.6.9" + }, + { + "component_id": "npm://async:0.2.9" + }, + { + "component_id": "npm://minimist:0.0.10" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://forever:0.15.3" + }, + { + "component_id": "npm://forever-monitor:1.7.2" + }, + { + "component_id": "npm://broadway:0.3.6" + }, + { + "component_id": "npm://nconf:0.6.9" + }, + { + "component_id": "npm://async:0.2.9" + }, + { + "component_id": "npm://minimist:0.0.10" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://forever:0.15.3" + }, + { + "component_id": "npm://optimist:0.6.1" + }, + { + "component_id": "npm://minimist:0.0.10" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://forever:0.15.3" + }, + { + "component_id": "npm://flatiron:0.4.3" + }, + { + "component_id": "npm://broadway:0.3.6" + }, + { + "component_id": "npm://nconf:0.6.9" + }, + { + "component_id": "npm://async:0.2.9" + }, + { + "component_id": "npm://minimist:0.0.10" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://forever:0.15.3" + }, + { + "component_id": "npm://flatiron:0.4.3" + }, + { + "component_id": "npm://broadway:0.3.6" + }, + { + "component_id": "npm://nconf:0.6.9" + }, + { + "component_id": "npm://async:0.2.9" + }, + { + "component_id": "npm://minimist:0.0.10" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://forever:0.15.3" + }, + { + "component_id": "npm://flatiron:0.4.3" + }, + { + "component_id": 
"npm://optimist:0.6.0" + }, + { + "component_id": "npm://minimist:0.0.10" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://forever:0.15.3" + }, + { + "component_id": "npm://flatiron:0.4.3" + }, + { + "component_id": "npm://optimist:0.6.0" + }, + { + "component_id": "npm://minimist:0.0.10" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://swig:1.4.2" + }, + { + "component_id": "npm://optimist:0.6.1" + }, + { + "component_id": "npm://minimist:0.0.10" + } + ] + ] + }, + "npm://minimist:0.0.8": { + "fixed_versions": [ + "[0.2.1]", + "[1.2.3]" + ], + "impact_paths": [ + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-npm-install:0.3.1" + }, + { + "component_id": "npm://npm:3.10.10" + }, + { + "component_id": "npm://mkdirp:0.5.1" + }, + { + "component_id": "npm://minimist:0.0.8" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-npm-install:0.3.1" + }, + { + "component_id": "npm://npm:3.10.10" + }, + { + "component_id": "npm://mkdirp:0.5.1" + }, + { + "component_id": "npm://minimist:0.0.8" + } + ] + ] + } + }, + "issue_id": "XRAY-200203", + "references": [ + "https://github.com/Marynk/JavaScript-vulnerability-detection/blob/main/minimist%20PoC.zip", + "https://github.com/substack/minimist/blob/master/index.js#L69", + "https://github.com/substack/minimist/issues/164", + "https://snyk.io/vuln/SNYK-JS-MINIMIST-559764", + "https://stackoverflow.com/questions/8588563/adding-custom-properties-to-a-function/20278068#20278068" + ], + "extended_information": { + "short_description": "Insufficient input validation in Minimist npm package leads to prototype pollution of constructor functions which allows remote attacker with unspecified impact.", + "full_description": "[Minimist](https://github.com/substack/minimist) is a simple and very popular argument parser. It is used by more than 14 million by Mar 2022. 
This package developers stopped developing it since April 2020 and its community released a [newer version](https://github.com/meszaros-lajos-gyorgy/minimist-lite) supported by the community.\r\n\r\n\r\nAn incomplete fix for [CVE-2020-7598](https://nvd.nist.gov/vuln/detail/CVE-2020-7598) partially blocked prototype pollution attacks. Researchers discovered that it does not check for constructor functions which means they can be overridden. This behavior can be triggered easily when using it insecurely (which is the common usage). For example:\r\n```\r\nvar argv = parse(['--_.concat.constructor.prototype.y', '123']);\r\nt.equal((function(){}).foo, undefined);\r\nt.equal(argv.y, undefined);\r\n```\r\nIn this example, `prototype.y` is assigned with `123` which will be derived to every newly created object. \r\n\r\nThis vulnerability can be triggered when the attacker-controlled input is parsed using Minimist without any validation. As always with prototype pollution, the impact depends on the code that follows the attack, but denial of service is almost always guaranteed.", + "jfrog_research_severity": "High", + "jfrog_research_severity_reasons": [ + { + "name": "The impact of exploiting the issue depends on the context of surrounding software. A severe impact such as RCE is not guaranteed.", + "description": "A prototype pollution attack allows the attacker to inject new properties to all JavaScript objects (but not set existing properties).\r\nTherefore, the impact of a prototype pollution attack depends on the way the JavaScript code uses any object properties after the attack is triggered.\r\nUsually, a DoS attack is possible since invalid properties quickly lead to an exception being thrown. In more severe cases, RCE may be achievable.", + "is_positive": true + }, + { + "name": "Exploitation of the issue is only possible when the vulnerable component is used in a specific manner. 
The attacker has to perform per-target research to determine the vulnerable attack vector", + "description": "An attacker must be able to control a command-line parameter that is passed to a Node.js program that uses Minimist to parse the arguments", + "is_positive": true + }, + { + "name": "The issue has an exploit published", + "description": "A public PoC demonstrated exploitation of this attack, with an unspecified impact" + } + ], + "remediation": "##### Development mitigations\n\nAdd the `Object.freeze(Object.prototype);` directive once at the beginning of your main JS source code file (ex. `index.js`), preferably after all your `require` directives. This will prevent any changes to the prototype object, thus completely negating prototype pollution attacks." + } + }, + { + "cves": [ + { + "cve": "CVE-2020-7598", + "cvss_v2_score": "6.8", + "cvss_v2_vector": "CVSS:2.0/AV:N/AC:M/Au:N/C:P/I:P/A:P", + "cvss_v3_score": "5.6", + "cvss_v3_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L" + } + ], + "summary": "minimist before 1.2.2 could be tricked into adding or modifying properties of Object.prototype using a \"constructor\" or \"__proto__\" payload.", + "severity": "Medium", + "components": { + "npm://minimist:0.0.10": { + "fixed_versions": [ + "[0.2.1]", + "[1.2.3]" + ], + "impact_paths": [ + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://forever:0.15.3" + }, + { + "component_id": "npm://nconf:0.6.9" + }, + { + "component_id": "npm://optimist:0.6.0" + }, + { + "component_id": "npm://minimist:0.0.10" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://forever:0.15.3" + }, + { + "component_id": "npm://nconf:0.6.9" + }, + { + "component_id": "npm://optimist:0.6.0" + }, + { + "component_id": "npm://minimist:0.0.10" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://forever:0.15.3" + }, + { + "component_id": "npm://forever-monitor:1.7.2" + }, + { + 
"component_id": "npm://broadway:0.3.6" + }, + { + "component_id": "npm://nconf:0.6.9" + }, + { + "component_id": "npm://async:0.2.9" + }, + { + "component_id": "npm://minimist:0.0.10" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://forever:0.15.3" + }, + { + "component_id": "npm://forever-monitor:1.7.2" + }, + { + "component_id": "npm://broadway:0.3.6" + }, + { + "component_id": "npm://nconf:0.6.9" + }, + { + "component_id": "npm://async:0.2.9" + }, + { + "component_id": "npm://minimist:0.0.10" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://forever:0.15.3" + }, + { + "component_id": "npm://optimist:0.6.1" + }, + { + "component_id": "npm://minimist:0.0.10" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://forever:0.15.3" + }, + { + "component_id": "npm://flatiron:0.4.3" + }, + { + "component_id": "npm://broadway:0.3.6" + }, + { + "component_id": "npm://nconf:0.6.9" + }, + { + "component_id": "npm://async:0.2.9" + }, + { + "component_id": "npm://minimist:0.0.10" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://forever:0.15.3" + }, + { + "component_id": "npm://flatiron:0.4.3" + }, + { + "component_id": "npm://broadway:0.3.6" + }, + { + "component_id": "npm://nconf:0.6.9" + }, + { + "component_id": "npm://async:0.2.9" + }, + { + "component_id": "npm://minimist:0.0.10" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://forever:0.15.3" + }, + { + "component_id": "npm://flatiron:0.4.3" + }, + { + "component_id": "npm://optimist:0.6.0" + }, + { + "component_id": "npm://minimist:0.0.10" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://forever:0.15.3" + }, + { + "component_id": "npm://flatiron:0.4.3" + }, + { + "component_id": "npm://optimist:0.6.0" + }, + { + "component_id": "npm://minimist:0.0.10" + } + ], + [ + { + 
"component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://swig:1.4.2" + }, + { + "component_id": "npm://optimist:0.6.1" + }, + { + "component_id": "npm://minimist:0.0.10" + } + ] + ] + }, + "npm://minimist:0.0.8": { + "fixed_versions": [ + "[0.2.1]", + "[1.2.3]" + ], + "impact_paths": [ + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-npm-install:0.3.1" + }, + { + "component_id": "npm://npm:3.10.10" + }, + { + "component_id": "npm://mkdirp:0.5.1" + }, + { + "component_id": "npm://minimist:0.0.8" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-npm-install:0.3.1" + }, + { + "component_id": "npm://npm:3.10.10" + }, + { + "component_id": "npm://mkdirp:0.5.1" + }, + { + "component_id": "npm://minimist:0.0.8" + } + ] + ] + } + }, + "issue_id": "XRAY-95385", + "references": [ + "https://snyk.io/vuln/SNYK-JS-MINIMIST-559764", + "http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00024.html" + ], + "extended_information": { + "short_description": "Missing sanitization in minimist can lead to prototype pollution when parsing command line arguments.", + "full_description": "Node-js based applications (command line tools) that use the [minimist]() package to parse command line arguments can be vulnerable to prototype pollution if an attacker can fully control the arguments provided to the command line tools. The security impact depends on the specific application, since this is a prototype pollution issue, and can range from no impact at all, to authentication bypass, DoS or even RCE.\r\n\r\nAs an demonstration of an application vulnerable to authentication bypass, the following application reads a configuration file and makes a decision based on it. 
However, it also uses `minimist` and is thus vulnerable to this vulnerability -\r\n\r\n```js\r\nconst minimist = require('minimist');\r\nconst fs = require('fs');\r\n\r\nconst argv = minimist(process.argv.slice(2));\r\n\r\nlet confdata = fs.readFileSync('conf.json');\r\nlet conf = JSON.parse(confdata);\r\n\r\nif (conf.role == 'admin') {\r\n // grant access\r\n} else {\r\n // deny access\r\n}\r\n```\r\n\r\nThis assumes the attacker is able to execute the vulnerable application and control the command line arguments (this usually would only be possible if the attacker has local privileges and shell access that will allow the execution of the application with arbitrary command line arguments). \r\n\r\nIn the example, the attacker would want to modify the value of the `role` property to `admin`, which can be achieved by executing the vulnerable application in this way -\r\n\r\n```bash\r\n./vulnerable_node_app --__proto__.role admin\r\n```\r\n\r\nThe vulnerable application is using the `role` property to decide whether to allow or deny application-specific actions. However, exploitation would require specific tailoring to the vulnerable application, as other applications might not have a similar property. The specific exploitation method would need to be researched by the attacker, which would also require the attacker having some access to the vulnerable application code).\r\n\r\nWhile an exploit was [published](https://gist.github.com/Kirill89/47feb345b09bf081317f08dd43403a8a), it is not generic and would need to be modified to the specific application under attack. 
Moreover, from the attacker perspective the crux of being able to even use this exploit is being able to control the command line arguments in the first place.", + "jfrog_research_severity": "Medium", + "jfrog_research_severity_reasons": [ + { + "name": "The prerequisites for exploiting the issue are extremely unlikely", + "description": "It is highly uncommon for applications to receive arguments directly from network input or unprivileged local users", + "is_positive": true + }, + { + "name": "The reported CVSS was either wrongly calculated, downgraded by other vendors, or does not reflect the vulnerability's impact", + "description": "Attacker vector, AV, was set to network even though this vulnerability cannot be necessarily triggered from the network, only in very specific environments that take network input and provide it as an argument to applications that use minimist", + "is_positive": true + } + ] + } + }, + { + "cves": [ + { + "cvss_v2_score": "9.3", + "cvss_v2_vector": "CVSS:2.0/AV:N/AC:M/Au:N/C:C/I:C/A:C", + "cvss_v3_score": "9.8", + "cvss_v3_vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" + } + ], + "summary": "unset-value Package for Node.js index.js unset() Function Prototype Pollution Arbitrary Code Execution", + "severity": "Critical", + "components": { + "npm://unset-value:1.0.0": { + "fixed_versions": [ + "[2.0.1]" + ], + "impact_paths": [ + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://forever:0.15.3" + }, + { + "component_id": "npm://forever-monitor:1.7.2" + }, + { + "component_id": "npm://chokidar:1.7.0" + }, + { + "component_id": "npm://readdirp:2.2.1" + }, + { + "component_id": "npm://micromatch:3.1.10" + }, + { + "component_id": "npm://extglob:2.0.4" + }, + { + "component_id": "npm://snapdragon:0.8.2" + }, + { + "component_id": "npm://base:0.11.2" + }, + { + "component_id": "npm://mixin-deep:1.3.2" + }, + { + "component_id": "npm://for-in:1.0.2" + } + ], + [ + { + "component_id": 
"npm://desopmo:1.33.7" + }, + { + "component_id": "npm://forever:0.15.3" + }, + { + "component_id": "npm://forever-monitor:1.7.2" + }, + { + "component_id": "npm://chokidar:1.7.0" + }, + { + "component_id": "npm://readdirp:2.2.1" + }, + { + "component_id": "npm://micromatch:3.1.10" + }, + { + "component_id": "npm://extglob:2.0.4" + }, + { + "component_id": "npm://expand-brackets:2.1.4" + }, + { + "component_id": "npm://snapdragon:0.8.2" + }, + { + "component_id": "npm://source-map-resolve:0.5.3" + }, + { + "component_id": "npm://atob:2.1.2" + }, + { + "component_id": "npm://for-in:1.0.2" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://forever:0.15.3" + }, + { + "component_id": "npm://forever-monitor:1.7.2" + }, + { + "component_id": "npm://chokidar:1.7.0" + }, + { + "component_id": "npm://readdirp:2.2.1" + }, + { + "component_id": "npm://micromatch:3.1.10" + }, + { + "component_id": "npm://extglob:2.0.4" + }, + { + "component_id": "npm://expand-brackets:2.1.4" + }, + { + "component_id": "npm://snapdragon:0.8.2" + }, + { + "component_id": "npm://source-map-resolve:0.5.3" + }, + { + "component_id": "npm://atob:2.1.2" + }, + { + "component_id": "npm://for-in:1.0.2" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://forever:0.15.3" + }, + { + "component_id": "npm://forever-monitor:1.7.2" + }, + { + "component_id": "npm://chokidar:1.7.0" + }, + { + "component_id": "npm://readdirp:2.2.1" + }, + { + "component_id": "npm://micromatch:3.1.10" + }, + { + "component_id": "npm://extglob:2.0.4" + }, + { + "component_id": "npm://snapdragon:0.8.2" + }, + { + "component_id": "npm://base:0.11.2" + }, + { + "component_id": "npm://mixin-deep:1.3.2" + }, + { + "component_id": "npm://for-in:1.0.2" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://forever:0.15.3" + }, + { + "component_id": "npm://forever-monitor:1.7.2" + }, + { + "component_id": 
"npm://chokidar:1.7.0" + }, + { + "component_id": "npm://readdirp:2.2.1" + }, + { + "component_id": "npm://micromatch:3.1.10" + }, + { + "component_id": "npm://extglob:2.0.4" + }, + { + "component_id": "npm://expand-brackets:2.1.4" + }, + { + "component_id": "npm://snapdragon:0.8.2" + }, + { + "component_id": "npm://source-map-resolve:0.5.3" + }, + { + "component_id": "npm://atob:2.1.2" + }, + { + "component_id": "npm://for-in:1.0.2" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://forever:0.15.3" + }, + { + "component_id": "npm://forever-monitor:1.7.2" + }, + { + "component_id": "npm://chokidar:1.7.0" + }, + { + "component_id": "npm://readdirp:2.2.1" + }, + { + "component_id": "npm://micromatch:3.1.10" + }, + { + "component_id": "npm://extglob:2.0.4" + }, + { + "component_id": "npm://expand-brackets:2.1.4" + }, + { + "component_id": "npm://snapdragon:0.8.2" + }, + { + "component_id": "npm://source-map-resolve:0.5.3" + }, + { + "component_id": "npm://atob:2.1.2" + }, + { + "component_id": "npm://for-in:1.0.2" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://forever:0.15.3" + }, + { + "component_id": "npm://forever-monitor:1.7.2" + }, + { + "component_id": "npm://chokidar:1.7.0" + }, + { + "component_id": "npm://readdirp:2.2.1" + }, + { + "component_id": "npm://micromatch:3.1.10" + }, + { + "component_id": "npm://braces:2.3.2" + }, + { + "component_id": "npm://snapdragon:0.8.2" + }, + { + "component_id": "npm://base:0.11.2" + }, + { + "component_id": "npm://mixin-deep:1.3.2" + }, + { + "component_id": "npm://for-in:1.0.2" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://forever:0.15.3" + }, + { + "component_id": "npm://forever-monitor:1.7.2" + }, + { + "component_id": "npm://chokidar:1.7.0" + }, + { + "component_id": "npm://readdirp:2.2.1" + }, + { + "component_id": "npm://micromatch:3.1.10" + }, + { + "component_id": "npm://braces:2.3.2" 
+ }, + { + "component_id": "npm://snapdragon:0.8.2" + }, + { + "component_id": "npm://base:0.11.2" + }, + { + "component_id": "npm://mixin-deep:1.3.2" + }, + { + "component_id": "npm://for-in:1.0.2" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-nodemon:0.4.2" + }, + { + "component_id": "npm://nodemon:1.19.4" + }, + { + "component_id": "npm://chokidar:2.1.8" + }, + { + "component_id": "npm://anymatch:2.0.0" + }, + { + "component_id": "npm://micromatch:3.1.10" + }, + { + "component_id": "npm://extglob:2.0.4" + }, + { + "component_id": "npm://snapdragon:0.8.2" + }, + { + "component_id": "npm://base:0.11.2" + }, + { + "component_id": "npm://mixin-deep:1.3.2" + }, + { + "component_id": "npm://for-in:1.0.2" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-nodemon:0.4.2" + }, + { + "component_id": "npm://nodemon:1.19.4" + }, + { + "component_id": "npm://chokidar:2.1.8" + }, + { + "component_id": "npm://anymatch:2.0.0" + }, + { + "component_id": "npm://micromatch:3.1.10" + }, + { + "component_id": "npm://extglob:2.0.4" + }, + { + "component_id": "npm://expand-brackets:2.1.4" + }, + { + "component_id": "npm://snapdragon:0.8.2" + }, + { + "component_id": "npm://source-map-resolve:0.5.3" + }, + { + "component_id": "npm://atob:2.1.2" + }, + { + "component_id": "npm://for-in:1.0.2" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-nodemon:0.4.2" + }, + { + "component_id": "npm://nodemon:1.19.4" + }, + { + "component_id": "npm://chokidar:2.1.8" + }, + { + "component_id": "npm://anymatch:2.0.0" + }, + { + "component_id": "npm://micromatch:3.1.10" + }, + { + "component_id": "npm://extglob:2.0.4" + }, + { + "component_id": "npm://expand-brackets:2.1.4" + }, + { + "component_id": "npm://snapdragon:0.8.2" + }, + { + "component_id": "npm://source-map-resolve:0.5.3" + }, + { + "component_id": "npm://atob:2.1.2" + }, + { + "component_id": 
"npm://for-in:1.0.2" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-nodemon:0.4.2" + }, + { + "component_id": "npm://nodemon:1.19.4" + }, + { + "component_id": "npm://chokidar:2.1.8" + }, + { + "component_id": "npm://anymatch:2.0.0" + }, + { + "component_id": "npm://micromatch:3.1.10" + }, + { + "component_id": "npm://extglob:2.0.4" + }, + { + "component_id": "npm://snapdragon:0.8.2" + }, + { + "component_id": "npm://base:0.11.2" + }, + { + "component_id": "npm://mixin-deep:1.3.2" + }, + { + "component_id": "npm://for-in:1.0.2" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-nodemon:0.4.2" + }, + { + "component_id": "npm://nodemon:1.19.4" + }, + { + "component_id": "npm://chokidar:2.1.8" + }, + { + "component_id": "npm://anymatch:2.0.0" + }, + { + "component_id": "npm://micromatch:3.1.10" + }, + { + "component_id": "npm://extglob:2.0.4" + }, + { + "component_id": "npm://expand-brackets:2.1.4" + }, + { + "component_id": "npm://snapdragon:0.8.2" + }, + { + "component_id": "npm://source-map-resolve:0.5.3" + }, + { + "component_id": "npm://atob:2.1.2" + }, + { + "component_id": "npm://for-in:1.0.2" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-nodemon:0.4.2" + }, + { + "component_id": "npm://nodemon:1.19.4" + }, + { + "component_id": "npm://chokidar:2.1.8" + }, + { + "component_id": "npm://anymatch:2.0.0" + }, + { + "component_id": "npm://micromatch:3.1.10" + }, + { + "component_id": "npm://extglob:2.0.4" + }, + { + "component_id": "npm://expand-brackets:2.1.4" + }, + { + "component_id": "npm://snapdragon:0.8.2" + }, + { + "component_id": "npm://source-map-resolve:0.5.3" + }, + { + "component_id": "npm://atob:2.1.2" + }, + { + "component_id": "npm://for-in:1.0.2" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-nodemon:0.4.2" + }, + { + "component_id": 
"npm://nodemon:1.19.4" + }, + { + "component_id": "npm://chokidar:2.1.8" + }, + { + "component_id": "npm://anymatch:2.0.0" + }, + { + "component_id": "npm://micromatch:3.1.10" + }, + { + "component_id": "npm://braces:2.3.2" + }, + { + "component_id": "npm://snapdragon:0.8.2" + }, + { + "component_id": "npm://base:0.11.2" + }, + { + "component_id": "npm://mixin-deep:1.3.2" + }, + { + "component_id": "npm://for-in:1.0.2" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-nodemon:0.4.2" + }, + { + "component_id": "npm://nodemon:1.19.4" + }, + { + "component_id": "npm://chokidar:2.1.8" + }, + { + "component_id": "npm://anymatch:2.0.0" + }, + { + "component_id": "npm://micromatch:3.1.10" + }, + { + "component_id": "npm://braces:2.3.2" + }, + { + "component_id": "npm://snapdragon:0.8.2" + }, + { + "component_id": "npm://base:0.11.2" + }, + { + "component_id": "npm://mixin-deep:1.3.2" + }, + { + "component_id": "npm://for-in:1.0.2" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-nodemon:0.4.2" + }, + { + "component_id": "npm://nodemon:1.19.4" + }, + { + "component_id": "npm://chokidar:2.1.8" + }, + { + "component_id": "npm://braces:2.3.2" + }, + { + "component_id": "npm://snapdragon:0.8.2" + }, + { + "component_id": "npm://base:0.11.2" + }, + { + "component_id": "npm://cache-base:1.0.1" + }, + { + "component_id": "npm://unset-value:1.0.0" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-nodemon:0.4.2" + }, + { + "component_id": "npm://nodemon:1.19.4" + }, + { + "component_id": "npm://chokidar:2.1.8" + }, + { + "component_id": "npm://readdirp:2.2.1" + }, + { + "component_id": "npm://micromatch:3.1.10" + }, + { + "component_id": "npm://extglob:2.0.4" + }, + { + "component_id": "npm://snapdragon:0.8.2" + }, + { + "component_id": "npm://base:0.11.2" + }, + { + "component_id": "npm://mixin-deep:1.3.2" + }, + { + "component_id": 
"npm://for-in:1.0.2" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-nodemon:0.4.2" + }, + { + "component_id": "npm://nodemon:1.19.4" + }, + { + "component_id": "npm://chokidar:2.1.8" + }, + { + "component_id": "npm://readdirp:2.2.1" + }, + { + "component_id": "npm://micromatch:3.1.10" + }, + { + "component_id": "npm://extglob:2.0.4" + }, + { + "component_id": "npm://expand-brackets:2.1.4" + }, + { + "component_id": "npm://snapdragon:0.8.2" + }, + { + "component_id": "npm://source-map-resolve:0.5.3" + }, + { + "component_id": "npm://atob:2.1.2" + }, + { + "component_id": "npm://for-in:1.0.2" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-nodemon:0.4.2" + }, + { + "component_id": "npm://nodemon:1.19.4" + }, + { + "component_id": "npm://chokidar:2.1.8" + }, + { + "component_id": "npm://readdirp:2.2.1" + }, + { + "component_id": "npm://micromatch:3.1.10" + }, + { + "component_id": "npm://extglob:2.0.4" + }, + { + "component_id": "npm://expand-brackets:2.1.4" + }, + { + "component_id": "npm://snapdragon:0.8.2" + }, + { + "component_id": "npm://source-map-resolve:0.5.3" + }, + { + "component_id": "npm://atob:2.1.2" + }, + { + "component_id": "npm://for-in:1.0.2" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-nodemon:0.4.2" + }, + { + "component_id": "npm://nodemon:1.19.4" + }, + { + "component_id": "npm://chokidar:2.1.8" + }, + { + "component_id": "npm://readdirp:2.2.1" + }, + { + "component_id": "npm://micromatch:3.1.10" + }, + { + "component_id": "npm://extglob:2.0.4" + }, + { + "component_id": "npm://snapdragon:0.8.2" + }, + { + "component_id": "npm://base:0.11.2" + }, + { + "component_id": "npm://mixin-deep:1.3.2" + }, + { + "component_id": "npm://for-in:1.0.2" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-nodemon:0.4.2" + }, + { + "component_id": 
"npm://nodemon:1.19.4" + }, + { + "component_id": "npm://chokidar:2.1.8" + }, + { + "component_id": "npm://readdirp:2.2.1" + }, + { + "component_id": "npm://micromatch:3.1.10" + }, + { + "component_id": "npm://extglob:2.0.4" + }, + { + "component_id": "npm://expand-brackets:2.1.4" + }, + { + "component_id": "npm://snapdragon:0.8.2" + }, + { + "component_id": "npm://source-map-resolve:0.5.3" + }, + { + "component_id": "npm://atob:2.1.2" + }, + { + "component_id": "npm://for-in:1.0.2" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-nodemon:0.4.2" + }, + { + "component_id": "npm://nodemon:1.19.4" + }, + { + "component_id": "npm://chokidar:2.1.8" + }, + { + "component_id": "npm://readdirp:2.2.1" + }, + { + "component_id": "npm://micromatch:3.1.10" + }, + { + "component_id": "npm://extglob:2.0.4" + }, + { + "component_id": "npm://expand-brackets:2.1.4" + }, + { + "component_id": "npm://snapdragon:0.8.2" + }, + { + "component_id": "npm://source-map-resolve:0.5.3" + }, + { + "component_id": "npm://atob:2.1.2" + }, + { + "component_id": "npm://for-in:1.0.2" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-nodemon:0.4.2" + }, + { + "component_id": "npm://nodemon:1.19.4" + }, + { + "component_id": "npm://chokidar:2.1.8" + }, + { + "component_id": "npm://readdirp:2.2.1" + }, + { + "component_id": "npm://micromatch:3.1.10" + }, + { + "component_id": "npm://braces:2.3.2" + }, + { + "component_id": "npm://snapdragon:0.8.2" + }, + { + "component_id": "npm://base:0.11.2" + }, + { + "component_id": "npm://mixin-deep:1.3.2" + }, + { + "component_id": "npm://for-in:1.0.2" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-nodemon:0.4.2" + }, + { + "component_id": "npm://nodemon:1.19.4" + }, + { + "component_id": "npm://chokidar:2.1.8" + }, + { + "component_id": "npm://readdirp:2.2.1" + }, + { + "component_id": "npm://micromatch:3.1.10" + }, 
+ { + "component_id": "npm://braces:2.3.2" + }, + { + "component_id": "npm://snapdragon:0.8.2" + }, + { + "component_id": "npm://base:0.11.2" + }, + { + "component_id": "npm://mixin-deep:1.3.2" + }, + { + "component_id": "npm://for-in:1.0.2" + } + ] + ] + } + }, + "issue_id": "XRAY-198324", + "references": [ + "https://github.com/jonschlinkert/unset-value/issues/11", + "https://github.com/jonschlinkert/unset-value/pull/12", + "https://github.com/jonschlinkert/unset-value/commit/56fe0f2374c73f281a5b44909dcec3a4f9d6f9f4" + ], + "extended_information": { + "short_description": "Insufficient input validation in unset-value unset() leads to prototype pollution", + "full_description": "[unset-value](https://www.npmjs.com/package/unset-value) is small JavaScript utility package that provides an API to delete nested properties from an object using dot notation\n\nThe function `unset` was found to be vulnerable to prototype pollution, when accepting arbitrary properties from untrusted input\n\nExample of code vulnerable to this issue - \n```js\nconst unset = require('unset-value'); \nconst evilprop = '__proto__.toString';\nunset({}, evilprop);\n```\n\nSince this prototype pollution only allows to remove properties from the prototype (and not set them to arbitrary values), the pollution leads to denial of service only and won't lead to remote code execution in feasible scenarios.", + "jfrog_research_severity": "Medium", + "jfrog_research_severity_reasons": [ + { + "name": "Context-dependent exploitation", + "description": "An attacker must find remote input that propagates into the `unset` method (2nd arg)", + "is_positive": true + }, + { + "name": "Context-dependent impact", + "description": "A prototype pollution attack allows the attacker to inject new properties to all JavaScript objects (but not set existing properties).\nTherefore, the impact of a prototype pollution attack depends on the way the JavaScript code uses any object properties after the attack is 
triggered.\nIn this specific case, properties can only be deleted from the prototype. Therefore, the only feasible impact is a denial of service attack.", + "is_positive": true + }, + { + "name": "Has published exploit", + "description": "The package's test code contains a PoC that triggers the vulnerability " + } + ], + "remediation": "##### Development mitigation\n\nAdd the `Object.freeze(Object.prototype);` directive once at the beginning of your main JS source code file (ex. `index.js`), preferably after all your `require` directives. This will prevent any changes to the prototype object, thus completely negating prototype pollution attacks." + } + }, + { + "summary": "Remote Memory Exposure", + "severity": "High", + "components": { + "npm://bl:1.0.3": { + "fixed_versions": [ + "[1.2.3]", + "[2.2.1]", + "[3.0.1]", + "[4.0.3]" + ], + "impact_paths": [ + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-retire:0.3.12" + }, + { + "component_id": "npm://retire:1.1.6" + }, + { + "component_id": "npm://request:2.67.0" + }, + { + "component_id": "npm://bl:1.0.3" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-retire:0.3.12" + }, + { + "component_id": "npm://request:2.67.0" + }, + { + "component_id": "npm://isstream:0.1.2" + } + ] + ] + } + }, + "issue_id": "XRAY-N17", + "references": [ + "https://npmjs.com/advisories/1555", + "- https://github.com/advisories/GHSA-pp7h-53gx-mx7r\n- https://nvd.nist.gov/vuln/detail/CVE-2020-8244\n- https://github.com/rvagg/bl/commit/8a8c13c880e2bef519133ea43e0e9b78b5d0c91e\n- https://github.com/rvagg/bl/commit/d3e240e3b8ba4048d3c76ef5fb9dd1f8872d3190\n- https://github.com/rvagg/bl/commit/dacc4ac7d5fcd6201bcf26fbd886951be9537466\n- https://hackerone.com/reports/966347" + ] + }, + { + "cves": [ + { + "cve": "CVE-2020-8244", + "cvss_v2_score": "6.4", + "cvss_v2_vector": "CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:N/A:P", + "cvss_v3_score": "6.5", + "cvss_v3_vector": 
"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L" + } + ], + "summary": "A buffer over-read vulnerability exists in bl \u003c4.0.3, \u003c3.0.1, \u003c2.2.1, and \u003c1.2.3 which could allow an attacker to supply user input (even typed) that if it ends up in consume() argument and can become negative, the BufferList state can be corrupted, tricking it into exposing uninitialized memory via regular .slice() calls.", + "severity": "Medium", + "components": { + "npm://bl:1.0.3": { + "fixed_versions": [ + "[1.2.3]", + "[2.2.1]", + "[3.0.1]", + "[4.0.3]" + ], + "impact_paths": [ + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-retire:0.3.12" + }, + { + "component_id": "npm://retire:1.1.6" + }, + { + "component_id": "npm://request:2.67.0" + }, + { + "component_id": "npm://bl:1.0.3" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-retire:0.3.12" + }, + { + "component_id": "npm://request:2.67.0" + }, + { + "component_id": "npm://isstream:0.1.2" + } + ] + ] + } + }, + "issue_id": "XRAY-122434", + "references": [ + "https://hackerone.com/reports/966347", + "https://lists.debian.org/debian-lts-announce/2021/06/msg00028.html" + ] + }, + { + "cves": [ + { + "cve": "CVE-2018-1109", + "cvss_v2_score": "5.0", + "cvss_v2_vector": "CVSS:2.0/AV:N/AC:L/Au:N/C:N/I:N/A:P", + "cvss_v3_score": "5.3", + "cvss_v3_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" + } + ], + "summary": "A vulnerability was found in Braces versions prior to 2.3.1. 
Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) attacks.", + "severity": "Medium", + "components": { + "npm://braces:1.8.5": { + "fixed_versions": [ + "[2.3.1]" + ], + "impact_paths": [ + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://forever:0.15.3" + }, + { + "component_id": "npm://forever-monitor:1.7.2" + }, + { + "component_id": "npm://chokidar:1.7.0" + }, + { + "component_id": "npm://anymatch:1.3.2" + }, + { + "component_id": "npm://micromatch:2.3.11" + }, + { + "component_id": "npm://array-unique:0.2.1" + } + ] + ] + } + }, + "issue_id": "XRAY-160030", + "references": [ + "https://bugzilla.redhat.com/show_bug.cgi?id=1547272", + "https://snyk.io/vuln/npm:braces:20180219" + ] + }, + { + "cves": [ + { + "cve": "CVE-2018-1000620" + } + ], + "summary": "Insufficient Entropy", + "severity": "High", + "components": { + "npm://cryptiles:0.2.2": { + "fixed_versions": [ + "[4.1.2]" + ], + "impact_paths": [ + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://zaproxy:0.2.0" + }, + { + "component_id": "npm://request:2.36.0" + }, + { + "component_id": "npm://hawk:1.0.0" + }, + { + "component_id": "npm://cryptiles:0.2.2" + } + ] + ] + }, + "npm://cryptiles:2.0.5": { + "fixed_versions": [ + "[4.1.2]" + ], + "impact_paths": [ + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-retire:0.3.12" + }, + { + "component_id": "npm://retire:1.1.6" + }, + { + "component_id": "npm://request:2.67.0" + }, + { + "component_id": "npm://hawk:3.1.3" + }, + { + "component_id": "npm://cryptiles:2.0.5" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-retire:0.3.12" + }, + { + "component_id": "npm://retire:1.1.6" + }, + { + "component_id": "npm://request:2.67.0" + }, + { + "component_id": "npm://hawk:3.1.3" + }, + { + "component_id": "npm://cryptiles:2.0.5" + } + ], + [ + { + "component_id": 
"npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-retire:0.3.12" + }, + { + "component_id": "npm://request:2.67.0" + }, + { + "component_id": "npm://hawk:3.1.3" + }, + { + "component_id": "npm://cryptiles:2.0.5" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-retire:0.3.12" + }, + { + "component_id": "npm://request:2.67.0" + }, + { + "component_id": "npm://hawk:3.1.3" + }, + { + "component_id": "npm://cryptiles:2.0.5" + } + ] + ] + } + }, + "issue_id": "XRAY-N10", + "references": [ + "https://npmjs.com/advisories/1464", + "- [GitHub PR](https://github.com/hapijs/cryptiles/issues/34)" + ] + }, + { + "cves": [ + { + "cve": "CVE-2018-1000620", + "cvss_v2_score": "5.0", + "cvss_v2_vector": "CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:N/A:N", + "cvss_v3_score": "9.8", + "cvss_v3_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" + } + ], + "summary": "Eran Hammer cryptiles version 4.1.1 earlier contains a CWE-331: Insufficient Entropy vulnerability in randomDigits() method that can result in An attacker is more likely to be able to brute force something that was supposed to be random.. This attack appear to be exploitable via Depends upon the calling application.. 
This vulnerability appears to have been fixed in 4.1.2.", + "severity": "Critical", + "components": { + "npm://cryptiles:0.2.2": { + "fixed_versions": [ + "[4.1.2]" + ], + "impact_paths": [ + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://zaproxy:0.2.0" + }, + { + "component_id": "npm://request:2.36.0" + }, + { + "component_id": "npm://hawk:1.0.0" + }, + { + "component_id": "npm://cryptiles:0.2.2" + } + ] + ] + }, + "npm://cryptiles:2.0.5": { + "fixed_versions": [ + "[4.1.2]" + ], + "impact_paths": [ + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-retire:0.3.12" + }, + { + "component_id": "npm://retire:1.1.6" + }, + { + "component_id": "npm://request:2.67.0" + }, + { + "component_id": "npm://hawk:3.1.3" + }, + { + "component_id": "npm://cryptiles:2.0.5" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-retire:0.3.12" + }, + { + "component_id": "npm://retire:1.1.6" + }, + { + "component_id": "npm://request:2.67.0" + }, + { + "component_id": "npm://hawk:3.1.3" + }, + { + "component_id": "npm://cryptiles:2.0.5" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-retire:0.3.12" + }, + { + "component_id": "npm://request:2.67.0" + }, + { + "component_id": "npm://hawk:3.1.3" + }, + { + "component_id": "npm://cryptiles:2.0.5" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-retire:0.3.12" + }, + { + "component_id": "npm://request:2.67.0" + }, + { + "component_id": "npm://hawk:3.1.3" + }, + { + "component_id": "npm://cryptiles:2.0.5" + } + ] + ] + } + }, + "issue_id": "XRAY-84448", + "references": [ + "https://github.com/hapijs/cryptiles/issues/34" + ] + }, + { + "cves": [ + { + "cve": "CVE-2017-20165" + } + ], + "summary": "debug Inefficient Regular Expression Complexity vulnerability", + "severity": "Low", + "components": { + "npm://debug:2.2.0": { + 
"fixed_versions": [ + "[2.6.9]", + "[3.1.0]" + ], + "impact_paths": [ + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://helmet:2.3.0" + }, + { + "component_id": "npm://connect:3.4.1" + }, + { + "component_id": "npm://finalhandler:0.4.1" + }, + { + "component_id": "npm://debug:2.2.0" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://helmet:2.3.0" + }, + { + "component_id": "npm://connect:3.4.1" + }, + { + "component_id": "npm://debug:2.2.0" + } + ] + ] + }, + "npm://debug:2.6.9": { + "fixed_versions": [ + "[3.1.0,)" + ], + "impact_paths": [ + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://express-session:1.17.3" + }, + { + "component_id": "npm://debug:2.6.9" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://express:4.18.2" + }, + { + "component_id": "npm://body-parser:1.20.1" + }, + { + "component_id": "npm://debug:2.6.9" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://body-parser:1.20.2" + }, + { + "component_id": "npm://debug:2.6.9" + } + ] + ] + } + }, + "issue_id": "XRAY-N115", + "references": [ + "https://github.com/advisories/GHSA-9vvw-cc9w-f27h", + "- https://nvd.nist.gov/vuln/detail/CVE-2017-20165\n- https://github.com/debug-js/debug/pull/504\n- https://github.com/debug-js/debug/commit/c38a0166c266a679c8de012d4eaccec3f944e685\n- https://github.com/debug-js/debug/releases/tag/3.1.0\n- https://vuldb.com/?ctiid.217665\n- https://vuldb.com/?id.217665\n- https://github.com/advisories/GHSA-9vvw-cc9w-f27h" + ] + }, + { + "cves": [ + { + "cve": "CVE-2017-20165" + } + ], + "summary": "debug Inefficient Regular Expression Complexity vulnerability", + "severity": "Low", + "components": { + "npm://debug:2.2.0": { + "fixed_versions": [ + "[2.6.9]", + "[3.1.0]" + ], + "impact_paths": [ + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://helmet:2.3.0" 
+ }, + { + "component_id": "npm://connect:3.4.1" + }, + { + "component_id": "npm://finalhandler:0.4.1" + }, + { + "component_id": "npm://debug:2.2.0" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://helmet:2.3.0" + }, + { + "component_id": "npm://connect:3.4.1" + }, + { + "component_id": "npm://debug:2.2.0" + } + ] + ] + }, + "npm://debug:2.6.9": { + "fixed_versions": [ + "[3.1.0,)" + ], + "impact_paths": [ + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://express-session:1.17.3" + }, + { + "component_id": "npm://debug:2.6.9" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://express:4.18.2" + }, + { + "component_id": "npm://body-parser:1.20.1" + }, + { + "component_id": "npm://debug:2.6.9" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://body-parser:1.20.2" + }, + { + "component_id": "npm://debug:2.6.9" + } + ] + ] + } + }, + "issue_id": "XRAY-N116", + "references": [ + "https://github.com/advisories/GHSA-9vvw-cc9w-f27h", + "- https://nvd.nist.gov/vuln/detail/CVE-2017-20165\n- https://github.com/debug-js/debug/pull/504\n- https://github.com/debug-js/debug/commit/c38a0166c266a679c8de012d4eaccec3f944e685\n- https://github.com/debug-js/debug/releases/tag/3.1.0\n- https://vuldb.com/?ctiid.217665\n- https://vuldb.com/?id.217665\n- https://github.com/advisories/GHSA-9vvw-cc9w-f27h" + ] + }, + { + "cves": [ + { + "cve": "CVE-2021-41720" + } + ], + "summary": "Arbitrary code execution in lodash", + "severity": "Critical", + "components": { + "npm://lodash:2.4.2": { + "fixed_versions": [ + "[4.17.21]" + ], + "impact_paths": [ + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://zaproxy:0.2.0" + }, + { + "component_id": "npm://lodash:2.4.2" + } + ] + ] + }, + "npm://lodash:4.17.21": { + "fixed_versions": [ + "(,0.0.0)" + ], + "impact_paths": [ + [ + { + "component_id": 
"npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-contrib-watch:1.1.0" + }, + { + "component_id": "npm://async:2.6.4" + }, + { + "component_id": "npm://lodash:4.17.21" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-contrib-watch:1.1.0" + }, + { + "component_id": "npm://gaze:1.1.3" + }, + { + "component_id": "npm://globule:1.3.4" + }, + { + "component_id": "npm://lodash:4.17.21" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-jsbeautifier:0.2.13" + }, + { + "component_id": "npm://async:2.6.4" + }, + { + "component_id": "npm://lodash:4.17.21" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://async:2.6.4" + }, + { + "component_id": "npm://lodash:4.17.21" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-contrib-jshint:1.1.0" + }, + { + "component_id": "npm://jshint:2.9.7" + }, + { + "component_id": "npm://cli:1.0.1" + } + ] + ] + } + }, + "issue_id": "XRAY-N51", + "references": [ + "https://github.com/advisories/GHSA-8p5q-j9m2-g8wr", + "- https://nvd.nist.gov/vuln/detail/CVE-2021-23337\n- https://nvd.nist.gov/vuln/detail/CVE-2021-41720\n- https://github.com/advisories/GHSA-8p5q-j9m2-g8wr" + ] + }, + { + "summary": "Regular Expression Denial of Service", + "severity": "High", + "components": { + "npm://diff:1.4.0": { + "fixed_versions": [ + "[3.5.0,)" + ], + "impact_paths": [ + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-mocha-test:0.12.7" + }, + { + "component_id": "npm://mocha:2.5.3" + }, + { + "component_id": "npm://jade:0.26.3" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://mocha:2.5.3" + }, + { + "component_id": "npm://diff:1.4.0" + } + ] + ] + } + }, + "issue_id": "XRAY-N21", + "references": [ + "https://npmjs.com/advisories/1631", + "- [WhiteSource 
Advisory](https://www.whitesourcesoftware.com/vulnerability-database/WS-2018-0590)\n- [Snyk Advisory](https://snyk.io/vuln/npm:diff:20180305)\n- [GitHub Advisory](https://github.com/advisories/GHSA-h6ch-v84p-w6p9)" + ] + }, + { + "cves": [ + { + "cve": "CVE-2017-16115", + "cvss_v2_score": "5.0", + "cvss_v2_vector": "CVSS:2.0/AV:N/AC:L/Au:N/C:N/I:N/A:P", + "cvss_v3_score": "7.5", + "cvss_v3_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" + } + ], + "summary": "The timespan module is vulnerable to regular expression denial of service. Given 50k characters of untrusted user input it will block the event loop for around 10 seconds.", + "severity": "High", + "components": { + "npm://timespan:2.3.0": { + "impact_paths": [ + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://forever:0.15.3" + }, + { + "component_id": "npm://timespan:2.3.0" + } + ] + ] + } + }, + "issue_id": "XRAY-73065", + "references": [ + "https://github.com/indexzero/TimeSpan.js/issues/10", + "https://nodesecurity.io/advisories/533" + ] + }, + { + "cves": [ + { + "cvss_v2_score": "4.3", + "cvss_v2_vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N", + "cvss_v3_score": "6.1", + "cvss_v3_vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" + } + ], + "summary": "helmet-csp Package for Node.js lib/transform-directives-for-browser.ts transformDirectivesForBrowser() Function Default Directive Handling Content Security Policy Bypass", + "severity": "Medium", + "components": { + "npm://helmet-csp:1.2.2": { + "fixed_versions": [ + "[2.9.2]" + ], + "impact_paths": [ + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://helmet:2.3.0" + }, + { + "component_id": "npm://helmet-csp:1.2.2" + } + ] + ] + } + }, + "issue_id": "XRAY-89144", + "references": [ + "https://www.npmjs.com/advisories/1176", + "https://www.npmjs.com/package/helmet-csp", + "https://github.com/helmetjs/csp/commit/67a69baafa8198a154f0505a0cf0875f76f6186a", + 
"https://github.com/helmetjs/csp/blob/v2.9.2/CHANGELOG.md" + ] + }, + { + "cves": [ + { + "cve": "CVE-2017-16137", + "cvss_v2_score": "5.0", + "cvss_v2_vector": "CVSS:2.0/AV:N/AC:L/Au:N/C:N/I:N/A:P", + "cvss_v3_score": "5.3", + "cvss_v3_vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" + } + ], + "summary": "The debug module is vulnerable to regular expression denial of service when untrusted user input is passed into the o formatter. It takes around 50k characters to block for 2 seconds making this a low severity issue.", + "severity": "Medium", + "components": { + "npm://debug:2.2.0": { + "fixed_versions": [ + "[2.6.9]", + "[3.1.0]" + ], + "impact_paths": [ + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://helmet:2.3.0" + }, + { + "component_id": "npm://connect:3.4.1" + }, + { + "component_id": "npm://finalhandler:0.4.1" + }, + { + "component_id": "npm://debug:2.2.0" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://helmet:2.3.0" + }, + { + "component_id": "npm://connect:3.4.1" + }, + { + "component_id": "npm://debug:2.2.0" + } + ] + ] + } + }, + "issue_id": "XRAY-72687", + "references": [ + "https://github.com/visionmedia/debug/issues/501", + "https://github.com/visionmedia/debug/pull/504", + "https://nodesecurity.io/advisories/534", + "https://lists.apache.org/thread.html/r8ba4c628fba7181af58817d452119481adce4ba92e889c643e4c7dd3@%3Ccommits.netbeans.apache.org%3E", + "https://lists.apache.org/thread.html/rb5ac16fad337d1f3bb7079549f97d8166d0ef3082629417c39f12d63@%3Cnotifications.netbeans.apache.org%3E" + ] + }, + { + "cves": [ + { + "cve": "CVE-2017-20165", + "cvss_v3_score": "7.5", + "cvss_v3_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" + } + ], + "summary": "A vulnerability classified as problematic has been found in debug-js debug up to 3.0.x. This affects the function useColors of the file src/node.js. 
The manipulation of the argument str leads to inefficient regular expression complexity. Upgrading to version 3.1.0 is able to address this issue. The name of the patch is c38a0166c266a679c8de012d4eaccec3f944e685. It is recommended to upgrade the affected component. The identifier VDB-217665 was assigned to this vulnerability.", + "severity": "High", + "components": { + "npm://debug:2.2.0": { + "fixed_versions": [ + "[2.6.9]", + "[3.1.0]" + ], + "impact_paths": [ + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://helmet:2.3.0" + }, + { + "component_id": "npm://connect:3.4.1" + }, + { + "component_id": "npm://finalhandler:0.4.1" + }, + { + "component_id": "npm://debug:2.2.0" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://helmet:2.3.0" + }, + { + "component_id": "npm://connect:3.4.1" + }, + { + "component_id": "npm://debug:2.2.0" + } + ] + ] + } + }, + "issue_id": "XRAY-413253", + "references": [ + "https://github.com/debug-js/debug/commit/c38a0166c266a679c8de012d4eaccec3f944e685", + "https://github.com/debug-js/debug/pull/504", + "https://github.com/debug-js/debug/releases/tag/3.1.0", + "https://vuldb.com/?ctiid.217665", + "https://vuldb.com/?id.217665" + ], + "extended_information": { + "short_description": "Unbounded resource consumption in debug-js package could lead to denial of service when an attacker-controlled object is pretty-printed.", + "full_description": "[debug-js](https://npmjs.com/package/debug) is a tiny JavaScript debugging utility modeled after Node.js core's debugging technique. 
`debug-js` targets both Node.js and web browsers, and uses printf-style formatting.\r\n\r\nCode that uses debug-js is prone to denial of service when trying to pretty-print an attacker-controlled object, for example - `debug('Object: %o', obj);`\r\n\r\nIt was discovered that the `o` formatter, used to pretty-print an `Object` in a single line, had an unbounded memory footprint, which may lead to denial-of-service.\r\n\r\nTo pretty-print an object, the `o` formatter joins all the formatted object text to a single line and sends it to the built-in Node.js function `util.inspect()`. After that, it trims any whitespace. The issue was using an inefficient regular expression for this trimming operation.\r\n\r\nThe issue only occurs when the formatted JS object has a malicious `toStringTag`.\r\n\r\nThe issue has been resolved in versions 3.0.0 and 2.6.9, but was re-introduced by regression refactor from version 3.2.0.", + "jfrog_research_severity": "Low", + "jfrog_research_severity_reasons": [ + { + "name": "No high-impact exploit or technical writeup were published, and exploitation of the issue with high impact is either non-trivial or completely unproven", + "description": "Although Regular Expression Denial-of-Service is thoroughly researched, exploiting this particular issue is quite complex and no PoC was published.", + "is_positive": true + }, + { + "name": "The reported CVSS was either wrongly calculated, downgraded by other vendors, or does not reflect the vulnerability's impact", + "description": "The CVSS does not reflect the contextual prerequisites required to exploit the vulnerability properly.", + "is_positive": true + }, + { + "name": "The prerequisites for exploiting the issue are extremely unlikely", + "description": "To exploit this issue:\r\n1. The attacker must find a way to pass input to 'debug-js' logger.\r\n2. The log message must have a specific vulnerable formatter `%o`\r\n3. 
The attacker input must propagate into a JS Object that has a `toStringTag`, as normal objects with a simple key and value aren't vulnerable.", + "is_positive": true + } + ] + } + }, + { + "cves": [ + { + "cve": "CVE-2020-28500", + "cvss_v2_score": "5.0", + "cvss_v2_vector": "CVSS:2.0/AV:N/AC:L/Au:N/C:N/I:N/A:P", + "cvss_v3_score": "5.3", + "cvss_v3_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" + } + ], + "summary": "Lodash versions prior to 4.17.21 are vulnerable to Regular Expression Denial of Service (ReDoS) via the toNumber, trim and trimEnd functions.", + "severity": "Medium", + "components": { + "npm://lodash:2.4.2": { + "fixed_versions": [ + "[4.17.21]" + ], + "impact_paths": [ + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://zaproxy:0.2.0" + }, + { + "component_id": "npm://lodash:2.4.2" + } + ] + ] + } + }, + "issue_id": "XRAY-140562", + "references": [ + "https://github.com/lodash/lodash/blob/npm/trimEnd.js%23L8", + "https://github.com/lodash/lodash/pull/5065", + "https://snyk.io/vuln/SNYK-JAVA-ORGFUJIONWEBJARS-1074896", + "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-1074894", + "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1074892", + "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBLODASH-1074895", + "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1074893", + "https://snyk.io/vuln/SNYK-JS-LODASH-1018905", + "https://cert-portal.siemens.com/productcert/pdf/ssa-637483.pdf", + "https://security.netapp.com/advisory/ntap-20210312-0006/", + "https://www.oracle.com/security-alerts/cpujan2022.html", + "https://www.oracle.com/security-alerts/cpuoct2021.html", + "https://www.oracle.com//security-alerts/cpujul2021.html", + "https://www.oracle.com/security-alerts/cpujul2022.html" + ], + "extended_information": { + "short_description": "ReDoS in lodash could lead to a denial of service when handling untrusted strings.", + "full_description": "JavaScript-based applications that use 
[lodash](https://github.com/lodash/lodash) and specifically the [_.toNumber](https://lodash.com/docs/4.17.15#toNumber), [_.trim](https://lodash.com/docs/4.17.15#trim) and [_.trimEnd](https://lodash.com/docs/4.17.15#trimEnd) functions, could be vulnerable to DoS (Denial of Service) through a faulty regular expression that introduces a ReDoS (Regular Expression DoS) vulnerability. This vulnerability is only triggered if untrusted user input flows into these vulnerable functions and the attacker can supply arbitrary long strings (over 50kB) that contain whitespaces. \r\n\r\nOn a modern Core i7-based system, calling the vulnerable functions with a 50kB string could take between 2 to 3 seconds to execute and 4.5 minutes for a longer 500kB string. The fix improved the regular expression performance so it took only a few milliseconds on the same Core i7-based system. This vulnerability is easily exploitable as all is required is to build a string that triggers it as can be seen in this PoC reproducing code - \r\n\r\n```js\r\nvar untrusted_user_input_50k = \"a\" + ' '.repeat(50000) + \"z\"; // assume this is provided over the network\r\nlo.trimEnd(untrusted_user_input_50k); // should take a few seconds to run\r\nvar untrusted_user_input_500k = \"a\" + ' '.repeat(500000) + \"z\"; // assume this is provided over the network\r\nlo.trimEnd(untrusted_user_input_500k); // should take a few minutes to run\r\n```", + "jfrog_research_severity": "Medium", + "jfrog_research_severity_reasons": [ + { + "name": "The issue has an exploit published", + "description": "Public exploit demonstrated ReDoS" + }, + { + "name": "Exploitation of the issue is only possible when the vulnerable component is used in a specific manner. 
The attacker has to perform per-target research to determine the vulnerable attack vector", + "description": "Exploitation depends on parsing user input by the `.toNumber`, `.trim` or `.trimEnd` `lodash` functions, and requires the input to contain whitespaces and be very long (over 50KB)", + "is_positive": true + } + ], + "remediation": "##### Deployment mitigations\n\nTrim untrusted strings based on size before providing it to the vulnerable functions by using the `substring` function to with a fixed maximum size like so - ```js untrusted_user_input.substring(0, max_string_size_less_than_50kB); ```" + } + }, + { + "cves": [ + { + "cve": "CVE-2018-3721", + "cvss_v2_score": "4.0", + "cvss_v2_vector": "CVSS:2.0/AV:N/AC:L/Au:S/C:N/I:P/A:N", + "cvss_v3_score": "6.5", + "cvss_v3_vector": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N" + } + ], + "summary": "lodash node module before 4.17.5 suffers from a Modification of Assumed-Immutable Data (MAID) vulnerability via defaultsDeep, merge, and mergeWith functions, which allows a malicious user to modify the prototype of \"Object\" via __proto__, causing the addition or modification of an existing property that will exist on all objects.", + "severity": "Medium", + "components": { + "npm://lodash:2.4.2": { + "fixed_versions": [ + "[4.17.21]" + ], + "impact_paths": [ + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://zaproxy:0.2.0" + }, + { + "component_id": "npm://lodash:2.4.2" + } + ] + ] + } + }, + "issue_id": "XRAY-72918", + "references": [ + "https://security.netapp.com/advisory/ntap-20190919-0004/", + "https://github.com/lodash/lodash/commit/d8e069cc3410082e44eb18fcf8e7f3d08ebe1d4a", + "https://hackerone.com/reports/310443" + ] + }, + { + "cves": [ + { + "cve": "CVE-2019-1010266", + "cvss_v2_score": "4.0", + "cvss_v2_vector": "CVSS:2.0/AV:N/AC:L/Au:S/C:N/I:N/A:P", + "cvss_v3_score": "6.5", + "cvss_v3_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H" + } + ], + "summary": "lodash 
prior to 4.17.11 is affected by: CWE-400: Uncontrolled Resource Consumption. The impact is: Denial of service. The component is: Date handler. The attack vector is: Attacker provides very long strings, which the library attempts to match using a regular expression. The fixed version is: 4.17.11.", + "severity": "Medium", + "components": { + "npm://lodash:2.4.2": { + "fixed_versions": [ + "[4.17.21]" + ], + "impact_paths": [ + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://zaproxy:0.2.0" + }, + { + "component_id": "npm://lodash:2.4.2" + } + ] + ] + } + }, + "issue_id": "XRAY-85049", + "references": [ + "https://github.com/lodash/lodash/wiki/Changelog", + "https://security.netapp.com/advisory/ntap-20190919-0004/", + "https://github.com/lodash/lodash/issues/3359", + "https://snyk.io/vuln/SNYK-JS-LODASH-73639" + ] + }, + { + "cves": [ + { + "cve": "CVE-2019-10744", + "cvss_v2_score": "6.4", + "cvss_v2_vector": "CVSS:2.0/AV:N/AC:L/Au:N/C:N/I:P/A:P", + "cvss_v3_score": "9.1", + "cvss_v3_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H" + } + ], + "summary": "Versions of lodash lower than 4.17.12 are vulnerable to Prototype Pollution. 
The function defaultsDeep could be tricked into adding or modifying properties of Object.prototype using a constructor payload.", + "severity": "Critical", + "components": { + "npm://lodash:2.4.2": { + "fixed_versions": [ + "[4.17.21]" + ], + "impact_paths": [ + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://zaproxy:0.2.0" + }, + { + "component_id": "npm://lodash:2.4.2" + } + ] + ] + } + }, + "issue_id": "XRAY-85679", + "references": [ + "https://security.netapp.com/advisory/ntap-20191004-0005/", + "https://snyk.io/vuln/SNYK-JS-LODASH-450202", + "https://support.f5.com/csp/article/K47105354?utm_source=f5support\u0026amp;utm_medium=RSS", + "https://www.oracle.com/security-alerts/cpujan2021.html", + "https://www.oracle.com/security-alerts/cpuoct2020.html", + "https://access.redhat.com/errata/RHSA-2019:3024" + ], + "extended_information": { + "short_description": "Insufficient input validation in lodash defaultsDeep() leads to prototype pollution.", + "full_description": "[lodash](https://www.npmjs.com/package/lodash) is a modern JavaScript utility library delivering modularity, performance, \u0026 extras.\r\n\r\nThe function `defaultsDeep` was found to be vulnerable to prototype pollution, when accepting arbitrary source objects from untrusted input\r\n\r\nExample of code vulnerable to this issue - \r\n```js\r\nconst lodash = require('lodash'); \r\nconst evilsrc = {constructor: {prototype: {evilkey: \"evilvalue\"}}};\r\nlodash.defaultsDeep({}, evilsrc)\r\n```", + "jfrog_research_severity": "High", + "jfrog_research_severity_reasons": [ + { + "name": "The issue has an exploit published", + "description": "A public PoC demonstrates exploitation of this issue" + }, + { + "name": "The impact of exploiting the issue depends on the context of surrounding software. 
A severe impact such as RCE is not guaranteed.", + "description": "A prototype pollution attack allows the attacker to inject new properties to all JavaScript objects (but not set existing properties).\r\nTherefore, the impact of a prototype pollution attack depends on the way the JavaScript code uses any object properties after the attack is triggered.\r\nUsually, a DoS attack is possible since invalid properties quickly lead to an exception being thrown. In more severe cases, RCE may be achievable.", + "is_positive": true + }, + { + "name": "Exploitation of the issue is only possible when the vulnerable component is used in a specific manner. The attacker has to perform per-target research to determine the vulnerable attack vector", + "description": "An attacker must find remote input that propagates into the `defaultsDeep` method (2nd arg)", + "is_positive": true + } + ], + "remediation": "##### Development mitigations\n\nAdd the `Object.freeze(Object.prototype);` directive once at the beginning of your main JS source code file (ex. `index.js`), preferably after all your `require` directives. This will prevent any changes to the prototype object, thus completely negating prototype pollution attacks." 
+ } + }, + { + "cves": [ + { + "cve": "CVE-2018-16487", + "cvss_v2_score": "6.8", + "cvss_v2_vector": "CVSS:2.0/AV:N/AC:M/Au:N/C:P/I:P/A:P", + "cvss_v3_score": "5.6", + "cvss_v3_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L" + } + ], + "summary": "A prototype pollution vulnerability was found in lodash \u003c4.17.11 where the functions merge, mergeWith, and defaultsDeep can be tricked into adding or modifying properties of Object.prototype.", + "severity": "Medium", + "components": { + "npm://lodash:2.4.2": { + "fixed_versions": [ + "[4.17.21]" + ], + "impact_paths": [ + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://zaproxy:0.2.0" + }, + { + "component_id": "npm://lodash:2.4.2" + } + ] + ] + } + }, + "issue_id": "XRAY-75300", + "references": [ + "https://security.netapp.com/advisory/ntap-20190919-0004/", + "https://hackerone.com/reports/380873" + ], + "extended_information": { + "short_description": "Insufficient input validation in the Lodash library leads to prototype pollution.", + "full_description": "The [Lodash](https://lodash.com/) library is an open-source JavaScript project that simplifies operations on string, arrays, numbers, and other objects. It is widely used in connected devices. \r\n\r\nThe `merge`, `mergeWith`, and `defaultsDeep` methods in Lodash are vulnerable to [prototype pollution](https://shieldfy.io/security-wiki/prototype-pollution/introduction-to-prototype-pollution/). Attackers can exploit this vulnerability by specifying a crafted `sources` parameter to any of these methods, which can modify the prototype properties of the `Object`, `Function`, `Array`, `String`, `Number`, and `Boolean` objects. 
A public [exploit](https://hackerone.com/reports/380873) exists which performs the prototype pollution with an arbitrary key and value.\r\n\r\nThe library implementation has a bug in the `safeGet()` function in the `lodash.js` module that allows for adding or modifying `prototype` properties of various objects. The official [solution](https://github.com/lodash/lodash/commit/90e6199a161b6445b01454517b40ef65ebecd2ad) fixes the bug by explicitly forbidding the addition or modification of `prototype` properties.\r\n\r\nA related CVE (CVE-2018-3721) covers the same issue prior to Lodash version 4.17.5, but the fix for that was incomplete.", + "jfrog_research_severity": "High", + "jfrog_research_severity_reasons": [ + { + "name": "Exploitation of the issue is only possible when the vulnerable component is used in a specific manner. The attacker has to perform per-target research to determine the vulnerable attack vector", + "description": "An attacker must find remote input that propagates into one of the following methods - \r\n* `merge` - 2nd argument\r\n* `mergeWith` - 2nd argument\r\n* `defaultsDeep` - 2nd argument", + "is_positive": true + }, + { + "name": "The impact of exploiting the issue depends on the context of surrounding software. A severe impact such as RCE is not guaranteed.", + "description": "A prototype pollution attack allows the attacker to inject new properties to all JavaScript objects (but not set existing properties).\r\nTherefore, the impact of a prototype pollution attack depends on the way the JavaScript code uses any object properties after the attack is triggered.\r\nUsually, a DoS attack is possible since invalid properties quickly lead to an exception being thrown. 
In more severe cases, RCE may be achievable.", + "is_positive": true + }, + { + "name": "The issue has an exploit published", + "description": "A public PoC demonstrated exploitation by injecting an attacker controlled key and value into the prototype" + } + ], + "remediation": "##### Development mitigations\n\nAdd the `Object.freeze(Object.prototype);` directive once at the beginning of your main JS source code file (ex. `index.js`), preferably after all your `require` directives. This will prevent any changes to the prototype object, thus completely negating prototype pollution attacks." + } + }, + { + "cves": [ + { + "cve": "CVE-2020-8203", + "cvss_v2_score": "5.8", + "cvss_v2_vector": "CVSS:2.0/AV:N/AC:M/Au:N/C:N/I:P/A:P", + "cvss_v3_score": "7.4", + "cvss_v3_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H" + } + ], + "summary": "Prototype pollution attack when using _.zipObjectDeep in lodash before 4.17.20.", + "severity": "High", + "components": { + "npm://lodash:2.4.2": { + "fixed_versions": [ + "[4.17.21]" + ], + "impact_paths": [ + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://zaproxy:0.2.0" + }, + { + "component_id": "npm://lodash:2.4.2" + } + ] + ] + } + }, + "issue_id": "XRAY-114089", + "references": [ + "https://security.netapp.com/advisory/ntap-20200724-0006/", + "https://github.com/lodash/lodash/issues/4874", + "https://hackerone.com/reports/712065", + "https://www.oracle.com/security-alerts/cpuApr2021.html", + "https://www.oracle.com/security-alerts/cpuapr2022.html", + "https://www.oracle.com/security-alerts/cpujan2022.html", + "https://www.oracle.com/security-alerts/cpuoct2021.html", + "https://www.oracle.com//security-alerts/cpujul2021.html" + ], + "extended_information": { + "short_description": "Prototype pollution in lodash object merging and zipping functions leads to code injection.", + "full_description": "[lodash](https://lodash.com/) is a JavaScript library which provides utility functions for 
common programming tasks.\r\n\r\nJavaScript frontend and Node.js-based backend applications that merge or zip objects using the lodash functions `mergeWith`, `merge` and `zipObjectDeep` are vulnerable to [prototype pollution](https://medium.com/node-modules/what-is-prototype-pollution-and-why-is-it-such-a-big-deal-2dd8d89a93c) if one or more of the objects it receives as arguments are obtained from user input. \r\nAn attacker controlling this input given to the vulnerable functions can inject properties to JavaScript special objects such as [Object.prototype](https://developer.mozilla.org/en-US/docs/Learn/JavaScript/Objects/Object_prototypes) from which all JavaScript objects inherit properties and methods. Any change on `Object.prototype` properties will then propagate through the prototype chain inheritance to all of the objects in a JavaScript application. This in turn would allow an attacker to add new properties or modify existing properties which will have application specific implications that could lead to DoS (denial of service), authentication bypass, privilege escalation and even RCE (remote code execution) in [some cases](https://youtu.be/LUsiFV3dsK8?t=1152). \r\nAs an example for privilege escalation, consider a JavaScript application that has a `user` object which has a Boolean property of `user.isAdmin` which is used to decide which actions the user may take. If an attacker can modify or add the `isAdmin` property through prototype pollution, it can escalate the privileges of its own user to those of an admin. \r\nAs exploitation is usually application specific, successful exploitation is much more likely if an attacker have access to the JavaScript application code. As such, frontend applications are more vulnerable to this vulnerability than Node.js backend applications.", + "jfrog_research_severity": "Critical", + "jfrog_research_severity_reasons": [ + { + "name": "The impact of exploiting the issue depends on the context of surrounding software. 
A severe impact such as RCE is not guaranteed.", + "is_positive": true + }, + { + "name": "The issue can be exploited by attackers over the network" + }, + { + "name": "The issue is trivial to exploit and does not require a published writeup or PoC" + } + ], + "remediation": "##### Deployment mitigations\n\nAs general guidelines against prototype pollution, first consider not merging objects originating from user input or using a Map structure instead of an object. If merging objects is needed, look into creating objects without a prototype with `Object.create(null)` or into freezing `Object.prototype` with `Object.freeze()`. Finally, it is always best to perform input validation with a a [JSON schema validator](https://github.com/ajv-validator/ajv), which could mitigate this issue entirely in many cases." + } + }, + { + "cves": [ + { + "cve": "CVE-2021-23337", + "cvss_v2_score": "6.5", + "cvss_v2_vector": "CVSS:2.0/AV:N/AC:L/Au:S/C:P/I:P/A:P", + "cvss_v3_score": "7.2", + "cvss_v3_vector": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H" + } + ], + "summary": "Lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function.", + "severity": "High", + "components": { + "npm://lodash:2.4.2": { + "fixed_versions": [ + "[4.17.21]" + ], + "impact_paths": [ + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://zaproxy:0.2.0" + }, + { + "component_id": "npm://lodash:2.4.2" + } + ] + ] + } + }, + "issue_id": "XRAY-140575", + "references": [ + "https://cert-portal.siemens.com/productcert/pdf/ssa-637483.pdf", + "https://security.netapp.com/advisory/ntap-20210312-0006/", + "https://github.com/lodash/lodash/blob/ddfd9b11a0126db2302cb70ec9973b66baec0975/lodash.js%23L14851", + "https://snyk.io/vuln/SNYK-JAVA-ORGFUJIONWEBJARS-1074932", + "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-1074930", + "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1074928", + "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBLODASH-1074931", + 
"https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1074929", + "https://snyk.io/vuln/SNYK-JS-LODASH-1040724", + "https://www.oracle.com/security-alerts/cpujan2022.html", + "https://www.oracle.com/security-alerts/cpuoct2021.html", + "https://www.oracle.com//security-alerts/cpujul2021.html", + "https://www.oracle.com/security-alerts/cpujul2022.html" + ], + "extended_information": { + "short_description": "Improper sanitization in the lodash template function leads to JavaScript code injection through the options argument.", + "full_description": "JavaScript-based applications (both frontend and backend) that use the [template function](https://lodash.com/docs/4.17.15#template) -`_.template([string=''], [options={}])` from the [lodash](https://lodash.com/) utility library and provide the `options` argument (specifically the `variable` option) from untrusted user input, are vulnerable to JavaScript code injection. This issue can be easily exploited, and an exploitation example is [publicly available](https://github.com/lodash/lodash/commit/3469357cff396a26c363f8c1b5a91dde28ba4b1c#diff-a561630bb56b82342bc66697aee2ad96efddcbc9d150665abd6fb7ecb7c0ab2fR22303) in the fix tests that was introduced in version 4.17.21 - \r\n```js\r\nlodash.template('', { variable: '){console.log(process.env)}; with(obj' })()\r\n```", + "jfrog_research_severity": "Medium", + "jfrog_research_severity_reasons": [ + { + "name": "The prerequisites for exploiting the issue are extremely unlikely", + "description": "It is highly unlikely that a JS program will accept arbitrary remote input into the template's `options` argument", + "is_positive": true + }, + { + "name": "Exploitation of the issue is only possible when the vulnerable component is used in a specific manner. 
The attacker has to perform per-target research to determine the vulnerable attack vector", + "description": "The attacker must find remote input that propagates into the `options` argument of a `template` call", + "is_positive": true + }, + { + "name": "The issue results in a severe impact (such as remote code execution)", + "description": "Leads to remote code execution through JS code injection" + }, + { + "name": "The issue has an exploit published", + "description": "Published exploit demonstrates arbitrary JS code execution" + } + ] + } + }, + { + "cves": [ + { + "cve": "CVE-2022-33987", + "cvss_v2_score": "5.0", + "cvss_v2_vector": "CVSS:2.0/AV:N/AC:L/Au:N/C:N/I:P/A:N", + "cvss_v3_score": "5.3", + "cvss_v3_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N" + } + ], + "summary": "The got package before 12.1.0 (also fixed in 11.8.5) for Node.js allows a redirect to a UNIX socket.", + "severity": "Medium", + "components": { + "npm://got:6.7.1": { + "fixed_versions": [ + "[11.8.5]", + "[12.1.0]" + ], + "impact_paths": [ + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-nodemon:0.4.2" + }, + { + "component_id": "npm://nodemon:1.19.4" + }, + { + "component_id": "npm://update-notifier:2.5.0" + }, + { + "component_id": "npm://latest-version:3.1.0" + }, + { + "component_id": "npm://package-json:4.0.1" + }, + { + "component_id": "npm://got:6.7.1" + } + ] + ] + } + }, + "issue_id": "XRAY-229041", + "references": [ + "https://github.com/sindresorhus/got/compare/v12.0.3...v12.1.0", + "https://github.com/sindresorhus/got/pull/2047", + "https://github.com/sindresorhus/got/releases/tag/v11.8.5" + ] + }, + { + "cves": [ + { + "cve": "CVE-2017-16042", + "cvss_v2_score": "7.5", + "cvss_v2_vector": "CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:P/A:P", + "cvss_v3_score": "9.8", + "cvss_v3_vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" + } + ], + "summary": "Growl adds growl notification support to nodejs. 
Growl before 1.10.2 does not properly sanitize input before passing it to exec, allowing for arbitrary command execution.", + "severity": "Critical", + "components": { + "npm://growl:1.9.2": { + "fixed_versions": [ + "[1.10.0]" + ], + "impact_paths": [ + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-mocha-test:0.12.7" + }, + { + "component_id": "npm://mocha:2.5.3" + }, + { + "component_id": "npm://jade:0.26.3" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://mocha:2.5.3" + }, + { + "component_id": "npm://growl:1.9.2" + } + ] + ] + } + }, + "issue_id": "XRAY-72713", + "references": [ + "https://github.com/tj/node-growl/issues/60", + "https://github.com/tj/node-growl/pull/61", + "https://nodesecurity.io/advisories/146" + ] + }, + { + "cves": [ + { + "cve": "CVE-2021-33623", + "cvss_v2_score": "5.0", + "cvss_v2_vector": "CVSS:2.0/AV:N/AC:L/Au:N/C:N/I:N/A:P", + "cvss_v3_score": "7.5", + "cvss_v3_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" + } + ], + "summary": "The trim-newlines package before 3.0.1 and 4.x before 4.0.1 for Node.js has an issue related to regular expression denial-of-service (ReDoS) for the .end() method.", + "severity": "High", + "components": { + "npm://trim-newlines:1.0.0": { + "fixed_versions": [ + "[3.0.1]", + "[4.0.1]" + ], + "impact_paths": [ + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-concurrent:2.3.1" + }, + { + "component_id": "npm://pad-stream:1.2.0" + }, + { + "component_id": "npm://meow:3.7.0" + }, + { + "component_id": "npm://trim-newlines:1.0.0" + } + ] + ] + } + }, + "issue_id": "XRAY-176887", + "references": [ + "https://github.com/sindresorhus/trim-newlines/releases/tag/v4.0.1", + "https://security.netapp.com/advisory/ntap-20210702-0007/", + "https://www.npmjs.com/package/trim-newlines", + "https://lists.debian.org/debian-lts-announce/2022/12/msg00033.html" + ] + }, + { + "cves": [ + { + "cve": 
"CVE-2023-25345", + "cvss_v3_score": "7.5", + "cvss_v3_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" + } + ], + "summary": "Directory traversal vulnerability in swig-templates thru 2.0.4 and swig thru 1.4.2, allows attackers to read arbitrary files via the include or extends tags.", + "severity": "High", + "components": { + "npm://swig:1.4.2": { + "impact_paths": [ + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://swig:1.4.2" + } + ] + ] + } + }, + "issue_id": "XRAY-427909", + "references": [ + "https://github.com/node-swig/swig-templates/issues/88" + ] + }, + { + "cves": [ + { + "cve": "CVE-2022-21681" + } + ], + "summary": "Inefficient Regular Expression Complexity in marked", + "severity": "High", + "components": { + "npm://marked:0.3.9": { + "fixed_versions": [ + "[0.3.18]" + ], + "impact_paths": [ + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://marked:0.3.9" + } + ] + ] + } + }, + "issue_id": "XRAY-N57", + "references": [ + "https://github.com/advisories/GHSA-5v2h-r2cx-5xgj", + "- https://github.com/markedjs/marked/security/advisories/GHSA-5v2h-r2cx-5xgj\n- https://nvd.nist.gov/vuln/detail/CVE-2022-21681\n- https://github.com/markedjs/marked/commit/8f806573a3f6c6b7a39b8cdb66ab5ebb8d55a5f5\n- https://github.com/advisories/GHSA-5v2h-r2cx-5xgj" + ] + }, + { + "cves": [ + { + "cvss_v2_score": "4.3", + "cvss_v2_vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P", + "cvss_v3_score": "5.3", + "cvss_v3_vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" + } + ], + "summary": "marked Package for Node.js lib/marked.js heading Regular Expression Handling CPU Consumption DoS", + "severity": "Medium", + "components": { + "npm://marked:0.3.9": { + "fixed_versions": [ + "[0.3.18]" + ], + "impact_paths": [ + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://marked:0.3.9" + } + ] + ] + } + }, + "issue_id": "XRAY-84782", + "references": [ + 
"https://github.com/markedjs/marked/commit/09afabf69c6d0c919c03443f47bdfe476566105d", + "https://github.com/markedjs/marked/pull/1224" + ] + }, + { + "cves": [ + { + "cve": "CVE-2022-21680", + "cvss_v2_score": "5.0", + "cvss_v2_vector": "CVSS:2.0/AV:N/AC:L/Au:N/C:N/I:N/A:P", + "cvss_v3_score": "7.5", + "cvss_v3_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" + } + ], + "summary": "Marked is a markdown parser and compiler. Prior to version 4.0.10, the regular expression `block.def` may cause catastrophic backtracking against some strings and lead to a regular expression denial of service (ReDoS). Anyone who runs untrusted markdown through a vulnerable version of marked and does not use a worker with a time limit may be affected. This issue is patched in version 4.0.10. As a workaround, avoid running untrusted markdown through marked or run marked on a worker thread and set a reasonable time limit to prevent draining resources.", + "severity": "High", + "components": { + "npm://marked:0.3.9": { + "fixed_versions": [ + "[0.3.18]" + ], + "impact_paths": [ + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://marked:0.3.9" + } + ] + ] + } + }, + "issue_id": "XRAY-194626", + "references": [ + "https://github.com/markedjs/marked/security/advisories/GHSA-rrrm-qjm4-v8hf", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AIXDMC3CSHYW3YWVSQOXAWLUYQHAO5UX/", + "https://github.com/markedjs/marked/commit/c4a3ccd344b6929afa8a1d50ac54a721e57012c0", + "https://github.com/markedjs/marked/releases/tag/v4.0.10" + ] + }, + { + "cves": [ + { + "cve": "CVE-2022-21680" + } + ], + "summary": "Inefficient Regular Expression Complexity in marked", + "severity": "High", + "components": { + "npm://marked:0.3.9": { + "fixed_versions": [ + "[0.3.18]" + ], + "impact_paths": [ + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://marked:0.3.9" + } + ] + ] + } + }, + "issue_id": 
"XRAY-N58", + "references": [ + "https://github.com/advisories/GHSA-rrrm-qjm4-v8hf", + "- https://github.com/markedjs/marked/security/advisories/GHSA-rrrm-qjm4-v8hf\n- https://nvd.nist.gov/vuln/detail/CVE-2022-21680\n- https://github.com/markedjs/marked/commit/c4a3ccd344b6929afa8a1d50ac54a721e57012c0\n- https://github.com/markedjs/marked/releases/tag/v4.0.10\n- https://github.com/advisories/GHSA-rrrm-qjm4-v8hf" + ] + }, + { + "cves": [ + { + "cve": "CVE-2022-21681", + "cvss_v2_score": "5.0", + "cvss_v2_vector": "CVSS:2.0/AV:N/AC:L/Au:N/C:N/I:N/A:P", + "cvss_v3_score": "7.5", + "cvss_v3_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" + } + ], + "summary": "Marked is a markdown parser and compiler. Prior to version 4.0.10, the regular expression `inline.reflinkSearch` may cause catastrophic backtracking against some strings and lead to a denial of service (DoS). Anyone who runs untrusted markdown through a vulnerable version of marked and does not use a worker with a time limit may be affected. This issue is patched in version 4.0.10. 
As a workaround, avoid running untrusted markdown through marked or run marked on a worker thread and set a reasonable time limit to prevent draining resources.", + "severity": "High", + "components": { + "npm://marked:0.3.9": { + "fixed_versions": [ + "[0.3.18]" + ], + "impact_paths": [ + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://marked:0.3.9" + } + ] + ] + } + }, + "issue_id": "XRAY-194711", + "references": [ + "https://github.com/markedjs/marked/security/advisories/GHSA-5v2h-r2cx-5xgj", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AIXDMC3CSHYW3YWVSQOXAWLUYQHAO5UX/", + "https://github.com/markedjs/marked/commit/8f806573a3f6c6b7a39b8cdb66ab5ebb8d55a5f5" + ] + }, + { + "cves": [ + { + "cvss_v2_score": "7.1", + "cvss_v2_vector": "CVSS:2.0/AV:N/AC:M/Au:N/C:N/I:N/A:C" + } + ], + "summary": "marked lib/marked.js inline() Function Regular Expresssion Handling DoS", + "severity": "High", + "components": { + "npm://marked:0.3.9": { + "fixed_versions": [ + "[0.3.18]" + ], + "impact_paths": [ + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://marked:0.3.9" + } + ] + ] + } + }, + "issue_id": "XRAY-78213", + "references": [ + "https://github.com/markedjs/marked/issues/1058", + "https://github.com/markedjs/marked/files/1735164/example.txt", + "https://github.com/Feder1co5oave/marktex/commit/d30c6cef0ae7645390bccb00a01a428693073b60", + "https://github.com/markedjs/marked/pull/1083", + "https://github.com/markedjs/marked/issues/1070", + "https://github.com/markedjs/marked/commit/20bfc106013ed45713a21672ad4a34df94dcd485", + "https://github.com/markedjs/marked/releases/tag/v0.3.17", + "https://snyk.io/vuln/npm:marked:20180225" + ] + }, + { + "cves": [ + { + "cve": "CVE-2021-23440" + } + ], + "summary": "Prototype Pollution in set-value", + "severity": "High", + "components": { + "npm://set-value:2.0.1": { + "fixed_versions": [ + "[4.0.1,)" + ], + 
"impact_paths": [ + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://forever:0.15.3" + }, + { + "component_id": "npm://forever-monitor:1.7.2" + }, + { + "component_id": "npm://chokidar:1.7.0" + }, + { + "component_id": "npm://readdirp:2.2.1" + }, + { + "component_id": "npm://micromatch:3.1.10" + }, + { + "component_id": "npm://extglob:2.0.4" + }, + { + "component_id": "npm://snapdragon:0.8.2" + }, + { + "component_id": "npm://base:0.11.2" + }, + { + "component_id": "npm://mixin-deep:1.3.2" + }, + { + "component_id": "npm://for-in:1.0.2" + }, + { + "component_id": "npm://split-string:3.1.0" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://forever:0.15.3" + }, + { + "component_id": "npm://forever-monitor:1.7.2" + }, + { + "component_id": "npm://chokidar:1.7.0" + }, + { + "component_id": "npm://readdirp:2.2.1" + }, + { + "component_id": "npm://micromatch:3.1.10" + }, + { + "component_id": "npm://extglob:2.0.4" + }, + { + "component_id": "npm://snapdragon:0.8.2" + }, + { + "component_id": "npm://base:0.11.2" + }, + { + "component_id": "npm://mixin-deep:1.3.2" + }, + { + "component_id": "npm://for-in:1.0.2" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://forever:0.15.3" + }, + { + "component_id": "npm://forever-monitor:1.7.2" + }, + { + "component_id": "npm://chokidar:1.7.0" + }, + { + "component_id": "npm://readdirp:2.2.1" + }, + { + "component_id": "npm://micromatch:3.1.10" + }, + { + "component_id": "npm://extglob:2.0.4" + }, + { + "component_id": "npm://expand-brackets:2.1.4" + }, + { + "component_id": "npm://snapdragon:0.8.2" + }, + { + "component_id": "npm://source-map-resolve:0.5.3" + }, + { + "component_id": "npm://atob:2.1.2" + }, + { + "component_id": "npm://for-in:1.0.2" + }, + { + "component_id": "npm://split-string:3.1.0" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://forever:0.15.3" + }, + { + 
"component_id": "npm://forever-monitor:1.7.2" + }, + { + "component_id": "npm://chokidar:1.7.0" + }, + { + "component_id": "npm://readdirp:2.2.1" + }, + { + "component_id": "npm://micromatch:3.1.10" + }, + { + "component_id": "npm://extglob:2.0.4" + }, + { + "component_id": "npm://expand-brackets:2.1.4" + }, + { + "component_id": "npm://snapdragon:0.8.2" + }, + { + "component_id": "npm://source-map-resolve:0.5.3" + }, + { + "component_id": "npm://atob:2.1.2" + }, + { + "component_id": "npm://for-in:1.0.2" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://forever:0.15.3" + }, + { + "component_id": "npm://forever-monitor:1.7.2" + }, + { + "component_id": "npm://chokidar:1.7.0" + }, + { + "component_id": "npm://readdirp:2.2.1" + }, + { + "component_id": "npm://micromatch:3.1.10" + }, + { + "component_id": "npm://extglob:2.0.4" + }, + { + "component_id": "npm://expand-brackets:2.1.4" + }, + { + "component_id": "npm://snapdragon:0.8.2" + }, + { + "component_id": "npm://source-map-resolve:0.5.3" + }, + { + "component_id": "npm://atob:2.1.2" + }, + { + "component_id": "npm://for-in:1.0.2" + }, + { + "component_id": "npm://split-string:3.1.0" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://forever:0.15.3" + }, + { + "component_id": "npm://forever-monitor:1.7.2" + }, + { + "component_id": "npm://chokidar:1.7.0" + }, + { + "component_id": "npm://readdirp:2.2.1" + }, + { + "component_id": "npm://micromatch:3.1.10" + }, + { + "component_id": "npm://extglob:2.0.4" + }, + { + "component_id": "npm://expand-brackets:2.1.4" + }, + { + "component_id": "npm://snapdragon:0.8.2" + }, + { + "component_id": "npm://source-map-resolve:0.5.3" + }, + { + "component_id": "npm://atob:2.1.2" + }, + { + "component_id": "npm://for-in:1.0.2" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://forever:0.15.3" + }, + { + "component_id": "npm://forever-monitor:1.7.2" + }, + { 
+ "component_id": "npm://chokidar:1.7.0" + }, + { + "component_id": "npm://readdirp:2.2.1" + }, + { + "component_id": "npm://micromatch:3.1.10" + }, + { + "component_id": "npm://extglob:2.0.4" + }, + { + "component_id": "npm://snapdragon:0.8.2" + }, + { + "component_id": "npm://base:0.11.2" + }, + { + "component_id": "npm://mixin-deep:1.3.2" + }, + { + "component_id": "npm://for-in:1.0.2" + }, + { + "component_id": "npm://split-string:3.1.0" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://forever:0.15.3" + }, + { + "component_id": "npm://forever-monitor:1.7.2" + }, + { + "component_id": "npm://chokidar:1.7.0" + }, + { + "component_id": "npm://readdirp:2.2.1" + }, + { + "component_id": "npm://micromatch:3.1.10" + }, + { + "component_id": "npm://extglob:2.0.4" + }, + { + "component_id": "npm://snapdragon:0.8.2" + }, + { + "component_id": "npm://base:0.11.2" + }, + { + "component_id": "npm://mixin-deep:1.3.2" + }, + { + "component_id": "npm://for-in:1.0.2" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://forever:0.15.3" + }, + { + "component_id": "npm://forever-monitor:1.7.2" + }, + { + "component_id": "npm://chokidar:1.7.0" + }, + { + "component_id": "npm://readdirp:2.2.1" + }, + { + "component_id": "npm://micromatch:3.1.10" + }, + { + "component_id": "npm://extglob:2.0.4" + }, + { + "component_id": "npm://expand-brackets:2.1.4" + }, + { + "component_id": "npm://snapdragon:0.8.2" + }, + { + "component_id": "npm://source-map-resolve:0.5.3" + }, + { + "component_id": "npm://atob:2.1.2" + }, + { + "component_id": "npm://for-in:1.0.2" + }, + { + "component_id": "npm://split-string:3.1.0" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://forever:0.15.3" + }, + { + "component_id": "npm://forever-monitor:1.7.2" + }, + { + "component_id": "npm://chokidar:1.7.0" + }, + { + "component_id": "npm://readdirp:2.2.1" + }, + { + "component_id": 
"npm://micromatch:3.1.10" + }, + { + "component_id": "npm://extglob:2.0.4" + }, + { + "component_id": "npm://expand-brackets:2.1.4" + }, + { + "component_id": "npm://snapdragon:0.8.2" + }, + { + "component_id": "npm://source-map-resolve:0.5.3" + }, + { + "component_id": "npm://atob:2.1.2" + }, + { + "component_id": "npm://for-in:1.0.2" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://forever:0.15.3" + }, + { + "component_id": "npm://forever-monitor:1.7.2" + }, + { + "component_id": "npm://chokidar:1.7.0" + }, + { + "component_id": "npm://readdirp:2.2.1" + }, + { + "component_id": "npm://micromatch:3.1.10" + }, + { + "component_id": "npm://extglob:2.0.4" + }, + { + "component_id": "npm://expand-brackets:2.1.4" + }, + { + "component_id": "npm://snapdragon:0.8.2" + }, + { + "component_id": "npm://source-map-resolve:0.5.3" + }, + { + "component_id": "npm://atob:2.1.2" + }, + { + "component_id": "npm://for-in:1.0.2" + }, + { + "component_id": "npm://split-string:3.1.0" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://forever:0.15.3" + }, + { + "component_id": "npm://forever-monitor:1.7.2" + }, + { + "component_id": "npm://chokidar:1.7.0" + }, + { + "component_id": "npm://readdirp:2.2.1" + }, + { + "component_id": "npm://micromatch:3.1.10" + }, + { + "component_id": "npm://extglob:2.0.4" + }, + { + "component_id": "npm://expand-brackets:2.1.4" + }, + { + "component_id": "npm://snapdragon:0.8.2" + }, + { + "component_id": "npm://source-map-resolve:0.5.3" + }, + { + "component_id": "npm://atob:2.1.2" + }, + { + "component_id": "npm://for-in:1.0.2" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://forever:0.15.3" + }, + { + "component_id": "npm://forever-monitor:1.7.2" + }, + { + "component_id": "npm://chokidar:1.7.0" + }, + { + "component_id": "npm://readdirp:2.2.1" + }, + { + "component_id": "npm://micromatch:3.1.10" + }, + { + "component_id": 
"npm://braces:2.3.2" + }, + { + "component_id": "npm://snapdragon:0.8.2" + }, + { + "component_id": "npm://base:0.11.2" + }, + { + "component_id": "npm://mixin-deep:1.3.2" + }, + { + "component_id": "npm://for-in:1.0.2" + }, + { + "component_id": "npm://split-string:3.1.0" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://forever:0.15.3" + }, + { + "component_id": "npm://forever-monitor:1.7.2" + }, + { + "component_id": "npm://chokidar:1.7.0" + }, + { + "component_id": "npm://readdirp:2.2.1" + }, + { + "component_id": "npm://micromatch:3.1.10" + }, + { + "component_id": "npm://braces:2.3.2" + }, + { + "component_id": "npm://snapdragon:0.8.2" + }, + { + "component_id": "npm://base:0.11.2" + }, + { + "component_id": "npm://mixin-deep:1.3.2" + }, + { + "component_id": "npm://for-in:1.0.2" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://forever:0.15.3" + }, + { + "component_id": "npm://forever-monitor:1.7.2" + }, + { + "component_id": "npm://chokidar:1.7.0" + }, + { + "component_id": "npm://readdirp:2.2.1" + }, + { + "component_id": "npm://micromatch:3.1.10" + }, + { + "component_id": "npm://braces:2.3.2" + }, + { + "component_id": "npm://snapdragon:0.8.2" + }, + { + "component_id": "npm://base:0.11.2" + }, + { + "component_id": "npm://mixin-deep:1.3.2" + }, + { + "component_id": "npm://for-in:1.0.2" + }, + { + "component_id": "npm://split-string:3.1.0" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://forever:0.15.3" + }, + { + "component_id": "npm://forever-monitor:1.7.2" + }, + { + "component_id": "npm://chokidar:1.7.0" + }, + { + "component_id": "npm://readdirp:2.2.1" + }, + { + "component_id": "npm://micromatch:3.1.10" + }, + { + "component_id": "npm://braces:2.3.2" + }, + { + "component_id": "npm://snapdragon:0.8.2" + }, + { + "component_id": "npm://base:0.11.2" + }, + { + "component_id": "npm://mixin-deep:1.3.2" + }, + { + 
"component_id": "npm://for-in:1.0.2" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-nodemon:0.4.2" + }, + { + "component_id": "npm://nodemon:1.19.4" + }, + { + "component_id": "npm://chokidar:2.1.8" + }, + { + "component_id": "npm://anymatch:2.0.0" + }, + { + "component_id": "npm://micromatch:3.1.10" + }, + { + "component_id": "npm://extglob:2.0.4" + }, + { + "component_id": "npm://snapdragon:0.8.2" + }, + { + "component_id": "npm://base:0.11.2" + }, + { + "component_id": "npm://mixin-deep:1.3.2" + }, + { + "component_id": "npm://for-in:1.0.2" + }, + { + "component_id": "npm://split-string:3.1.0" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-nodemon:0.4.2" + }, + { + "component_id": "npm://nodemon:1.19.4" + }, + { + "component_id": "npm://chokidar:2.1.8" + }, + { + "component_id": "npm://anymatch:2.0.0" + }, + { + "component_id": "npm://micromatch:3.1.10" + }, + { + "component_id": "npm://extglob:2.0.4" + }, + { + "component_id": "npm://snapdragon:0.8.2" + }, + { + "component_id": "npm://base:0.11.2" + }, + { + "component_id": "npm://mixin-deep:1.3.2" + }, + { + "component_id": "npm://for-in:1.0.2" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-nodemon:0.4.2" + }, + { + "component_id": "npm://nodemon:1.19.4" + }, + { + "component_id": "npm://chokidar:2.1.8" + }, + { + "component_id": "npm://anymatch:2.0.0" + }, + { + "component_id": "npm://micromatch:3.1.10" + }, + { + "component_id": "npm://extglob:2.0.4" + }, + { + "component_id": "npm://expand-brackets:2.1.4" + }, + { + "component_id": "npm://snapdragon:0.8.2" + }, + { + "component_id": "npm://source-map-resolve:0.5.3" + }, + { + "component_id": "npm://atob:2.1.2" + }, + { + "component_id": "npm://for-in:1.0.2" + }, + { + "component_id": "npm://split-string:3.1.0" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": 
"npm://grunt-nodemon:0.4.2" + }, + { + "component_id": "npm://nodemon:1.19.4" + }, + { + "component_id": "npm://chokidar:2.1.8" + }, + { + "component_id": "npm://anymatch:2.0.0" + }, + { + "component_id": "npm://micromatch:3.1.10" + }, + { + "component_id": "npm://extglob:2.0.4" + }, + { + "component_id": "npm://expand-brackets:2.1.4" + }, + { + "component_id": "npm://snapdragon:0.8.2" + }, + { + "component_id": "npm://source-map-resolve:0.5.3" + }, + { + "component_id": "npm://atob:2.1.2" + }, + { + "component_id": "npm://for-in:1.0.2" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-nodemon:0.4.2" + }, + { + "component_id": "npm://nodemon:1.19.4" + }, + { + "component_id": "npm://chokidar:2.1.8" + }, + { + "component_id": "npm://anymatch:2.0.0" + }, + { + "component_id": "npm://micromatch:3.1.10" + }, + { + "component_id": "npm://extglob:2.0.4" + }, + { + "component_id": "npm://expand-brackets:2.1.4" + }, + { + "component_id": "npm://snapdragon:0.8.2" + }, + { + "component_id": "npm://source-map-resolve:0.5.3" + }, + { + "component_id": "npm://atob:2.1.2" + }, + { + "component_id": "npm://for-in:1.0.2" + }, + { + "component_id": "npm://split-string:3.1.0" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-nodemon:0.4.2" + }, + { + "component_id": "npm://nodemon:1.19.4" + }, + { + "component_id": "npm://chokidar:2.1.8" + }, + { + "component_id": "npm://anymatch:2.0.0" + }, + { + "component_id": "npm://micromatch:3.1.10" + }, + { + "component_id": "npm://extglob:2.0.4" + }, + { + "component_id": "npm://expand-brackets:2.1.4" + }, + { + "component_id": "npm://snapdragon:0.8.2" + }, + { + "component_id": "npm://source-map-resolve:0.5.3" + }, + { + "component_id": "npm://atob:2.1.2" + }, + { + "component_id": "npm://for-in:1.0.2" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-nodemon:0.4.2" + }, + { + "component_id": 
"npm://nodemon:1.19.4" + }, + { + "component_id": "npm://chokidar:2.1.8" + }, + { + "component_id": "npm://anymatch:2.0.0" + }, + { + "component_id": "npm://micromatch:3.1.10" + }, + { + "component_id": "npm://extglob:2.0.4" + }, + { + "component_id": "npm://snapdragon:0.8.2" + }, + { + "component_id": "npm://base:0.11.2" + }, + { + "component_id": "npm://mixin-deep:1.3.2" + }, + { + "component_id": "npm://for-in:1.0.2" + }, + { + "component_id": "npm://split-string:3.1.0" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-nodemon:0.4.2" + }, + { + "component_id": "npm://nodemon:1.19.4" + }, + { + "component_id": "npm://chokidar:2.1.8" + }, + { + "component_id": "npm://anymatch:2.0.0" + }, + { + "component_id": "npm://micromatch:3.1.10" + }, + { + "component_id": "npm://extglob:2.0.4" + }, + { + "component_id": "npm://snapdragon:0.8.2" + }, + { + "component_id": "npm://base:0.11.2" + }, + { + "component_id": "npm://mixin-deep:1.3.2" + }, + { + "component_id": "npm://for-in:1.0.2" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-nodemon:0.4.2" + }, + { + "component_id": "npm://nodemon:1.19.4" + }, + { + "component_id": "npm://chokidar:2.1.8" + }, + { + "component_id": "npm://anymatch:2.0.0" + }, + { + "component_id": "npm://micromatch:3.1.10" + }, + { + "component_id": "npm://extglob:2.0.4" + }, + { + "component_id": "npm://expand-brackets:2.1.4" + }, + { + "component_id": "npm://snapdragon:0.8.2" + }, + { + "component_id": "npm://source-map-resolve:0.5.3" + }, + { + "component_id": "npm://atob:2.1.2" + }, + { + "component_id": "npm://for-in:1.0.2" + }, + { + "component_id": "npm://split-string:3.1.0" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-nodemon:0.4.2" + }, + { + "component_id": "npm://nodemon:1.19.4" + }, + { + "component_id": "npm://chokidar:2.1.8" + }, + { + "component_id": "npm://anymatch:2.0.0" + }, + { + 
"component_id": "npm://micromatch:3.1.10" + }, + { + "component_id": "npm://extglob:2.0.4" + }, + { + "component_id": "npm://expand-brackets:2.1.4" + }, + { + "component_id": "npm://snapdragon:0.8.2" + }, + { + "component_id": "npm://source-map-resolve:0.5.3" + }, + { + "component_id": "npm://atob:2.1.2" + }, + { + "component_id": "npm://for-in:1.0.2" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-nodemon:0.4.2" + }, + { + "component_id": "npm://nodemon:1.19.4" + }, + { + "component_id": "npm://chokidar:2.1.8" + }, + { + "component_id": "npm://anymatch:2.0.0" + }, + { + "component_id": "npm://micromatch:3.1.10" + }, + { + "component_id": "npm://extglob:2.0.4" + }, + { + "component_id": "npm://expand-brackets:2.1.4" + }, + { + "component_id": "npm://snapdragon:0.8.2" + }, + { + "component_id": "npm://source-map-resolve:0.5.3" + }, + { + "component_id": "npm://atob:2.1.2" + }, + { + "component_id": "npm://for-in:1.0.2" + }, + { + "component_id": "npm://split-string:3.1.0" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-nodemon:0.4.2" + }, + { + "component_id": "npm://nodemon:1.19.4" + }, + { + "component_id": "npm://chokidar:2.1.8" + }, + { + "component_id": "npm://anymatch:2.0.0" + }, + { + "component_id": "npm://micromatch:3.1.10" + }, + { + "component_id": "npm://extglob:2.0.4" + }, + { + "component_id": "npm://expand-brackets:2.1.4" + }, + { + "component_id": "npm://snapdragon:0.8.2" + }, + { + "component_id": "npm://source-map-resolve:0.5.3" + }, + { + "component_id": "npm://atob:2.1.2" + }, + { + "component_id": "npm://for-in:1.0.2" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-nodemon:0.4.2" + }, + { + "component_id": "npm://nodemon:1.19.4" + }, + { + "component_id": "npm://chokidar:2.1.8" + }, + { + "component_id": "npm://anymatch:2.0.0" + }, + { + "component_id": "npm://micromatch:3.1.10" + }, + { + 
"component_id": "npm://braces:2.3.2" + }, + { + "component_id": "npm://snapdragon:0.8.2" + }, + { + "component_id": "npm://base:0.11.2" + }, + { + "component_id": "npm://mixin-deep:1.3.2" + }, + { + "component_id": "npm://for-in:1.0.2" + }, + { + "component_id": "npm://split-string:3.1.0" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-nodemon:0.4.2" + }, + { + "component_id": "npm://nodemon:1.19.4" + }, + { + "component_id": "npm://chokidar:2.1.8" + }, + { + "component_id": "npm://anymatch:2.0.0" + }, + { + "component_id": "npm://micromatch:3.1.10" + }, + { + "component_id": "npm://braces:2.3.2" + }, + { + "component_id": "npm://snapdragon:0.8.2" + }, + { + "component_id": "npm://base:0.11.2" + }, + { + "component_id": "npm://mixin-deep:1.3.2" + }, + { + "component_id": "npm://for-in:1.0.2" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-nodemon:0.4.2" + }, + { + "component_id": "npm://nodemon:1.19.4" + }, + { + "component_id": "npm://chokidar:2.1.8" + }, + { + "component_id": "npm://anymatch:2.0.0" + }, + { + "component_id": "npm://micromatch:3.1.10" + }, + { + "component_id": "npm://braces:2.3.2" + }, + { + "component_id": "npm://snapdragon:0.8.2" + }, + { + "component_id": "npm://base:0.11.2" + }, + { + "component_id": "npm://mixin-deep:1.3.2" + }, + { + "component_id": "npm://for-in:1.0.2" + }, + { + "component_id": "npm://split-string:3.1.0" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-nodemon:0.4.2" + }, + { + "component_id": "npm://nodemon:1.19.4" + }, + { + "component_id": "npm://chokidar:2.1.8" + }, + { + "component_id": "npm://anymatch:2.0.0" + }, + { + "component_id": "npm://micromatch:3.1.10" + }, + { + "component_id": "npm://braces:2.3.2" + }, + { + "component_id": "npm://snapdragon:0.8.2" + }, + { + "component_id": "npm://base:0.11.2" + }, + { + "component_id": "npm://mixin-deep:1.3.2" + }, + { + 
"component_id": "npm://for-in:1.0.2" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-nodemon:0.4.2" + }, + { + "component_id": "npm://nodemon:1.19.4" + }, + { + "component_id": "npm://chokidar:2.1.8" + }, + { + "component_id": "npm://braces:2.3.2" + }, + { + "component_id": "npm://snapdragon:0.8.2" + }, + { + "component_id": "npm://base:0.11.2" + }, + { + "component_id": "npm://cache-base:1.0.1" + }, + { + "component_id": "npm://union-value:1.0.1" + }, + { + "component_id": "npm://get-value:2.0.6" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-nodemon:0.4.2" + }, + { + "component_id": "npm://nodemon:1.19.4" + }, + { + "component_id": "npm://chokidar:2.1.8" + }, + { + "component_id": "npm://braces:2.3.2" + }, + { + "component_id": "npm://snapdragon:0.8.2" + }, + { + "component_id": "npm://base:0.11.2" + }, + { + "component_id": "npm://cache-base:1.0.1" + }, + { + "component_id": "npm://set-value:2.0.1" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-nodemon:0.4.2" + }, + { + "component_id": "npm://nodemon:1.19.4" + }, + { + "component_id": "npm://chokidar:2.1.8" + }, + { + "component_id": "npm://readdirp:2.2.1" + }, + { + "component_id": "npm://micromatch:3.1.10" + }, + { + "component_id": "npm://extglob:2.0.4" + }, + { + "component_id": "npm://snapdragon:0.8.2" + }, + { + "component_id": "npm://base:0.11.2" + }, + { + "component_id": "npm://mixin-deep:1.3.2" + }, + { + "component_id": "npm://for-in:1.0.2" + }, + { + "component_id": "npm://split-string:3.1.0" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-nodemon:0.4.2" + }, + { + "component_id": "npm://nodemon:1.19.4" + }, + { + "component_id": "npm://chokidar:2.1.8" + }, + { + "component_id": "npm://readdirp:2.2.1" + }, + { + "component_id": "npm://micromatch:3.1.10" + }, + { + "component_id": "npm://extglob:2.0.4" 
+ }, + { + "component_id": "npm://snapdragon:0.8.2" + }, + { + "component_id": "npm://base:0.11.2" + }, + { + "component_id": "npm://mixin-deep:1.3.2" + }, + { + "component_id": "npm://for-in:1.0.2" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-nodemon:0.4.2" + }, + { + "component_id": "npm://nodemon:1.19.4" + }, + { + "component_id": "npm://chokidar:2.1.8" + }, + { + "component_id": "npm://readdirp:2.2.1" + }, + { + "component_id": "npm://micromatch:3.1.10" + }, + { + "component_id": "npm://extglob:2.0.4" + }, + { + "component_id": "npm://expand-brackets:2.1.4" + }, + { + "component_id": "npm://snapdragon:0.8.2" + }, + { + "component_id": "npm://source-map-resolve:0.5.3" + }, + { + "component_id": "npm://atob:2.1.2" + }, + { + "component_id": "npm://for-in:1.0.2" + }, + { + "component_id": "npm://split-string:3.1.0" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-nodemon:0.4.2" + }, + { + "component_id": "npm://nodemon:1.19.4" + }, + { + "component_id": "npm://chokidar:2.1.8" + }, + { + "component_id": "npm://readdirp:2.2.1" + }, + { + "component_id": "npm://micromatch:3.1.10" + }, + { + "component_id": "npm://extglob:2.0.4" + }, + { + "component_id": "npm://expand-brackets:2.1.4" + }, + { + "component_id": "npm://snapdragon:0.8.2" + }, + { + "component_id": "npm://source-map-resolve:0.5.3" + }, + { + "component_id": "npm://atob:2.1.2" + }, + { + "component_id": "npm://for-in:1.0.2" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-nodemon:0.4.2" + }, + { + "component_id": "npm://nodemon:1.19.4" + }, + { + "component_id": "npm://chokidar:2.1.8" + }, + { + "component_id": "npm://readdirp:2.2.1" + }, + { + "component_id": "npm://micromatch:3.1.10" + }, + { + "component_id": "npm://extglob:2.0.4" + }, + { + "component_id": "npm://expand-brackets:2.1.4" + }, + { + "component_id": "npm://snapdragon:0.8.2" + }, + { + 
"component_id": "npm://source-map-resolve:0.5.3" + }, + { + "component_id": "npm://atob:2.1.2" + }, + { + "component_id": "npm://for-in:1.0.2" + }, + { + "component_id": "npm://split-string:3.1.0" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-nodemon:0.4.2" + }, + { + "component_id": "npm://nodemon:1.19.4" + }, + { + "component_id": "npm://chokidar:2.1.8" + }, + { + "component_id": "npm://readdirp:2.2.1" + }, + { + "component_id": "npm://micromatch:3.1.10" + }, + { + "component_id": "npm://extglob:2.0.4" + }, + { + "component_id": "npm://expand-brackets:2.1.4" + }, + { + "component_id": "npm://snapdragon:0.8.2" + }, + { + "component_id": "npm://source-map-resolve:0.5.3" + }, + { + "component_id": "npm://atob:2.1.2" + }, + { + "component_id": "npm://for-in:1.0.2" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-nodemon:0.4.2" + }, + { + "component_id": "npm://nodemon:1.19.4" + }, + { + "component_id": "npm://chokidar:2.1.8" + }, + { + "component_id": "npm://readdirp:2.2.1" + }, + { + "component_id": "npm://micromatch:3.1.10" + }, + { + "component_id": "npm://extglob:2.0.4" + }, + { + "component_id": "npm://snapdragon:0.8.2" + }, + { + "component_id": "npm://base:0.11.2" + }, + { + "component_id": "npm://mixin-deep:1.3.2" + }, + { + "component_id": "npm://for-in:1.0.2" + }, + { + "component_id": "npm://split-string:3.1.0" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-nodemon:0.4.2" + }, + { + "component_id": "npm://nodemon:1.19.4" + }, + { + "component_id": "npm://chokidar:2.1.8" + }, + { + "component_id": "npm://readdirp:2.2.1" + }, + { + "component_id": "npm://micromatch:3.1.10" + }, + { + "component_id": "npm://extglob:2.0.4" + }, + { + "component_id": "npm://snapdragon:0.8.2" + }, + { + "component_id": "npm://base:0.11.2" + }, + { + "component_id": "npm://mixin-deep:1.3.2" + }, + { + "component_id": 
"npm://for-in:1.0.2" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-nodemon:0.4.2" + }, + { + "component_id": "npm://nodemon:1.19.4" + }, + { + "component_id": "npm://chokidar:2.1.8" + }, + { + "component_id": "npm://readdirp:2.2.1" + }, + { + "component_id": "npm://micromatch:3.1.10" + }, + { + "component_id": "npm://extglob:2.0.4" + }, + { + "component_id": "npm://expand-brackets:2.1.4" + }, + { + "component_id": "npm://snapdragon:0.8.2" + }, + { + "component_id": "npm://source-map-resolve:0.5.3" + }, + { + "component_id": "npm://atob:2.1.2" + }, + { + "component_id": "npm://for-in:1.0.2" + }, + { + "component_id": "npm://split-string:3.1.0" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-nodemon:0.4.2" + }, + { + "component_id": "npm://nodemon:1.19.4" + }, + { + "component_id": "npm://chokidar:2.1.8" + }, + { + "component_id": "npm://readdirp:2.2.1" + }, + { + "component_id": "npm://micromatch:3.1.10" + }, + { + "component_id": "npm://extglob:2.0.4" + }, + { + "component_id": "npm://expand-brackets:2.1.4" + }, + { + "component_id": "npm://snapdragon:0.8.2" + }, + { + "component_id": "npm://source-map-resolve:0.5.3" + }, + { + "component_id": "npm://atob:2.1.2" + }, + { + "component_id": "npm://for-in:1.0.2" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-nodemon:0.4.2" + }, + { + "component_id": "npm://nodemon:1.19.4" + }, + { + "component_id": "npm://chokidar:2.1.8" + }, + { + "component_id": "npm://readdirp:2.2.1" + }, + { + "component_id": "npm://micromatch:3.1.10" + }, + { + "component_id": "npm://extglob:2.0.4" + }, + { + "component_id": "npm://expand-brackets:2.1.4" + }, + { + "component_id": "npm://snapdragon:0.8.2" + }, + { + "component_id": "npm://source-map-resolve:0.5.3" + }, + { + "component_id": "npm://atob:2.1.2" + }, + { + "component_id": "npm://for-in:1.0.2" + }, + { + "component_id": 
"npm://split-string:3.1.0" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-nodemon:0.4.2" + }, + { + "component_id": "npm://nodemon:1.19.4" + }, + { + "component_id": "npm://chokidar:2.1.8" + }, + { + "component_id": "npm://readdirp:2.2.1" + }, + { + "component_id": "npm://micromatch:3.1.10" + }, + { + "component_id": "npm://extglob:2.0.4" + }, + { + "component_id": "npm://expand-brackets:2.1.4" + }, + { + "component_id": "npm://snapdragon:0.8.2" + }, + { + "component_id": "npm://source-map-resolve:0.5.3" + }, + { + "component_id": "npm://atob:2.1.2" + }, + { + "component_id": "npm://for-in:1.0.2" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-nodemon:0.4.2" + }, + { + "component_id": "npm://nodemon:1.19.4" + }, + { + "component_id": "npm://chokidar:2.1.8" + }, + { + "component_id": "npm://readdirp:2.2.1" + }, + { + "component_id": "npm://micromatch:3.1.10" + }, + { + "component_id": "npm://braces:2.3.2" + }, + { + "component_id": "npm://snapdragon:0.8.2" + }, + { + "component_id": "npm://base:0.11.2" + }, + { + "component_id": "npm://mixin-deep:1.3.2" + }, + { + "component_id": "npm://for-in:1.0.2" + }, + { + "component_id": "npm://split-string:3.1.0" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-nodemon:0.4.2" + }, + { + "component_id": "npm://nodemon:1.19.4" + }, + { + "component_id": "npm://chokidar:2.1.8" + }, + { + "component_id": "npm://readdirp:2.2.1" + }, + { + "component_id": "npm://micromatch:3.1.10" + }, + { + "component_id": "npm://braces:2.3.2" + }, + { + "component_id": "npm://snapdragon:0.8.2" + }, + { + "component_id": "npm://base:0.11.2" + }, + { + "component_id": "npm://mixin-deep:1.3.2" + }, + { + "component_id": "npm://for-in:1.0.2" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-nodemon:0.4.2" + }, + { + "component_id": "npm://nodemon:1.19.4" + 
}, + { + "component_id": "npm://chokidar:2.1.8" + }, + { + "component_id": "npm://readdirp:2.2.1" + }, + { + "component_id": "npm://micromatch:3.1.10" + }, + { + "component_id": "npm://braces:2.3.2" + }, + { + "component_id": "npm://snapdragon:0.8.2" + }, + { + "component_id": "npm://base:0.11.2" + }, + { + "component_id": "npm://mixin-deep:1.3.2" + }, + { + "component_id": "npm://for-in:1.0.2" + }, + { + "component_id": "npm://split-string:3.1.0" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-nodemon:0.4.2" + }, + { + "component_id": "npm://nodemon:1.19.4" + }, + { + "component_id": "npm://chokidar:2.1.8" + }, + { + "component_id": "npm://readdirp:2.2.1" + }, + { + "component_id": "npm://micromatch:3.1.10" + }, + { + "component_id": "npm://braces:2.3.2" + }, + { + "component_id": "npm://snapdragon:0.8.2" + }, + { + "component_id": "npm://base:0.11.2" + }, + { + "component_id": "npm://mixin-deep:1.3.2" + }, + { + "component_id": "npm://for-in:1.0.2" + } + ] + ] + } + }, + "issue_id": "XRAY-N36", + "references": [ + "https://github.com/advisories/GHSA-4jqc-8m5r-9rpr", + "- https://nvd.nist.gov/vuln/detail/CVE-2021-23440\n- https://github.com/advisories/GHSA-4jqc-8m5r-9rpr" + ] + }, + { + "cves": [ + { + "cve": "CVE-2016-2515", + "cvss_v2_score": "7.8", + "cvss_v2_vector": "CVSS:2.0/AV:N/AC:L/Au:N/C:N/I:N/A:C", + "cvss_v3_score": "7.5", + "cvss_v3_vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" + } + ], + "summary": "Hawk before 3.1.3 and 4.x before 4.1.1 allow remote attackers to cause a denial of service (CPU consumption or partial outage) via a long (1) header or (2) URI that is matched against an improper regular expression.", + "severity": "High", + "components": { + "npm://hawk:1.0.0": { + "fixed_versions": [ + "[3.1.3]", + "[4.1.1]" + ], + "impact_paths": [ + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://zaproxy:0.2.0" + }, + { + "component_id": "npm://request:2.36.0" 
+ }, + { + "component_id": "npm://hawk:1.0.0" + } + ] + ] + } + }, + "issue_id": "XRAY-73076", + "references": [ + "https://bugzilla.redhat.com/show_bug.cgi?id=1309721", + "https://github.com/hueniverse/hawk/commit/0833f99ba64558525995a7e21d4093da1f3e15fa", + "https://github.com/hueniverse/hawk/issues/168", + "https://nodesecurity.io/advisories/77", + "http://www.openwall.com/lists/oss-security/2016/02/20/1", + "http://www.openwall.com/lists/oss-security/2016/02/20/2" + ] + }, + { + "cves": [ + { + "cve": "CVE-2017-16138", + "cvss_v2_score": "5.0", + "cvss_v2_vector": "CVSS:2.0/AV:N/AC:L/Au:N/C:N/I:N/A:P", + "cvss_v3_score": "7.5", + "cvss_v3_vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" + } + ], + "summary": "The mime module \u003c 1.4.1, 2.0.1, 2.0.2 is vulnerable to regular expression denial of service when a mime lookup is performed on untrusted user input.", + "severity": "High", + "components": { + "npm://mime:1.2.11": { + "fixed_versions": [ + "[1.4.1]", + "[2.0.3]" + ], + "impact_paths": [ + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://zaproxy:0.2.0" + }, + { + "component_id": "npm://request:2.36.0" + }, + { + "component_id": "npm://hawk:1.0.0" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://zaproxy:0.2.0" + }, + { + "component_id": "npm://request:2.36.0" + }, + { + "component_id": "npm://form-data:0.1.4" + }, + { + "component_id": "npm://mime:1.2.11" + } + ] + ] + } + }, + "issue_id": "XRAY-72686", + "references": [ + "https://github.com/broofa/node-mime/issues/167", + "https://nodesecurity.io/advisories/535" + ] + }, + { + "cves": [ + { + "cve": "CVE-2021-3807" + } + ], + "summary": " Inefficient Regular Expression Complexity in chalk/ansi-regex", + "severity": "Medium", + "components": { + "npm://ansi-regex:3.0.1": { + "fixed_versions": [ + "[5.0.1,)" + ], + "impact_paths": [ + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": 
"npm://grunt-nodemon:0.4.2" + }, + { + "component_id": "npm://nodemon:1.19.4" + }, + { + "component_id": "npm://update-notifier:2.5.0" + }, + { + "component_id": "npm://boxen:1.3.0" + }, + { + "component_id": "npm://ansi-align:2.0.0" + }, + { + "component_id": "npm://string-width:2.1.1" + }, + { + "component_id": "npm://strip-ansi:4.0.0" + }, + { + "component_id": "npm://ansi-regex:3.0.1" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-nodemon:0.4.2" + }, + { + "component_id": "npm://nodemon:1.19.4" + }, + { + "component_id": "npm://update-notifier:2.5.0" + }, + { + "component_id": "npm://boxen:1.3.0" + }, + { + "component_id": "npm://cli-boxes:1.0.0" + }, + { + "component_id": "npm://execa:0.7.0" + }, + { + "component_id": "npm://get-stream:3.0.0" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-nodemon:0.4.2" + }, + { + "component_id": "npm://nodemon:1.19.4" + }, + { + "component_id": "npm://update-notifier:2.5.0" + }, + { + "component_id": "npm://boxen:1.3.0" + }, + { + "component_id": "npm://widest-line:2.0.1" + }, + { + "component_id": "npm://string-width:2.1.1" + }, + { + "component_id": "npm://strip-ansi:4.0.0" + }, + { + "component_id": "npm://ansi-regex:3.0.1" + } + ] + ] + } + }, + "issue_id": "XRAY-N33", + "references": [ + "https://github.com/advisories/GHSA-93q8-gq69-wqmw", + "- https://nvd.nist.gov/vuln/detail/CVE-2021-3807\n- https://github.com/advisories/GHSA-93q8-gq69-wqmw" + ] + }, + { + "cves": [ + { + "cve": "CVE-2018-1002204", + "cvss_v2_score": "4.3", + "cvss_v2_vector": "CVSS:2.0/AV:N/AC:M/Au:N/C:N/I:P/A:N", + "cvss_v3_score": "5.5", + "cvss_v3_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N" + } + ], + "summary": "adm-zip npm library before 0.4.9 is vulnerable to directory traversal, allowing attackers to write to arbitrary files via a ../ (dot dot slash) in a Zip archive entry that is mishandled during extraction. 
This vulnerability is also known as 'Zip-Slip'.", + "severity": "Medium", + "components": { + "npm://adm-zip:0.4.4": { + "fixed_versions": [ + "[0.4.11]" + ], + "impact_paths": [ + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://selenium-webdriver:2.53.3" + }, + { + "component_id": "npm://adm-zip:0.4.4" + } + ] + ] + } + }, + "issue_id": "XRAY-73112", + "references": [ + "http://www.securityfocus.com/bid/107001", + "https://github.com/cthackers/adm-zip/commit/62f64004fefb894c523a7143e8a88ebe6c84df25", + "https://github.com/cthackers/adm-zip/pull/212", + "https://github.com/snyk/zip-slip-vulnerability", + "https://snyk.io/research/zip-slip-vulnerability", + "https://snyk.io/vuln/npm:adm-zip:20180415" + ] + }, + { + "summary": "Improper Privilege Management in shelljs", + "severity": "Medium", + "components": { + "npm://shelljs:0.3.0": { + "fixed_versions": [ + "[0.8.5]" + ], + "impact_paths": [ + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-contrib-jshint:1.1.0" + }, + { + "component_id": "npm://jshint:2.9.7" + }, + { + "component_id": "npm://cli:1.0.1" + } + ] + ] + } + }, + "issue_id": "XRAY-N59", + "references": [ + "https://github.com/advisories/GHSA-64g7-mvw6-v9qj", + "- https://github.com/shelljs/shelljs/security/advisories/GHSA-64g7-mvw6-v9qj\n- https://huntr.dev/bounties/50996581-c08e-4eed-a90e-c0bac082679c/\n- https://github.com/advisories/GHSA-64g7-mvw6-v9qj" + ] + }, + { + "summary": "Improper Privilege Management in shelljs", + "severity": "Medium", + "components": { + "npm://shelljs:0.3.0": { + "fixed_versions": [ + "[0.8.5]" + ], + "impact_paths": [ + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-contrib-jshint:1.1.0" + }, + { + "component_id": "npm://jshint:2.9.7" + }, + { + "component_id": "npm://cli:1.0.1" + } + ] + ] + } + }, + "issue_id": "XRAY-N60", + "references": [ + "https://github.com/advisories/GHSA-64g7-mvw6-v9qj", + "- 
https://github.com/shelljs/shelljs/security/advisories/GHSA-64g7-mvw6-v9qj\n- https://huntr.dev/bounties/50996581-c08e-4eed-a90e-c0bac082679c/\n- https://github.com/advisories/GHSA-64g7-mvw6-v9qj" + ] + }, + { + "cves": [ + { + "cve": "CVE-2022-0144", + "cvss_v2_score": "3.6", + "cvss_v2_vector": "CVSS:2.0/AV:L/AC:L/Au:N/C:P/I:N/A:P", + "cvss_v3_score": "7.1", + "cvss_v3_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H" + } + ], + "summary": "shelljs is vulnerable to Improper Privilege Management", + "severity": "High", + "components": { + "npm://shelljs:0.3.0": { + "fixed_versions": [ + "[0.8.5]" + ], + "impact_paths": [ + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-contrib-jshint:1.1.0" + }, + { + "component_id": "npm://jshint:2.9.7" + }, + { + "component_id": "npm://cli:1.0.1" + } + ] + ] + } + }, + "issue_id": "XRAY-194227", + "references": [ + "https://huntr.dev/bounties/50996581-c08e-4eed-a90e-c0bac082679c", + "https://github.com/shelljs/shelljs/commit/d919d22dd6de385edaa9d90313075a77f74b338c" + ], + "extended_information": { + "short_description": "Permissive file permissions in shelljs may lead to sensitive data leakage by local attackers.", + "full_description": "[ShellJS](https://www.npmjs.com/package/shelljs) is a portable (Windows/Linux/OS X) implementation of Unix shell commands on top of the Node.js API.\r\n\r\nArbitrary shell commands can be run with ShellJS's `shell.exec` API.\r\nShellJS creates temporary files for the executed command's outputs (stdout and stderr).\r\nSince the permissions for the generated stdout and stderr files is **world-readable**, local attackers may be able to read the outputs of commands run by other users, and leak sensitive data.\r\n\r\nFor example, if a user uses `shell.exec` to generate a secret key -\r\n```js\r\nvar shell = require('shelljs');\r\nvar secret = shell.exec(\"openssl rand -base64 32\").stdout;\r\n```\r\nA local attacker could read the temporary stdout file 
to get the user's secret key -\r\n```js\r\nwhile true; do cat /tmp/*; done\r\n```", + "jfrog_research_severity": "Medium", + "jfrog_research_severity_reasons": [ + { + "name": "The issue is trivial to exploit and does not require a published writeup or PoC", + "description": "The vulnerability simply requires attackers to read the `/tmp` directory" + }, + { + "name": "The issue can only be exploited by an attacker that can execute code on the vulnerable machine (excluding exceedingly rare circumstances)", + "description": "The attacker must be running code on the system, to read the `/tmp` directory", + "is_positive": true + }, + { + "name": "The impact of exploiting the issue depends on the context of surrounding software. A severe impact such as RCE is not guaranteed.", + "description": "The security impact of this issue depends on what kind of data gets leaked by the local attacker. In the worst case, the leaked data would allow privilege escalation or remote code execution on other machines.", + "is_positive": true + }, + { + "name": "Exploitation of the issue is only possible when the vulnerable component is used in a specific manner. The attacker has to perform per-target research to determine the vulnerable attack vector", + "description": "One of the system's user must run a command with a sensitive data output, for example - `var secret = shell.exec(\"openssl rand -base64 32\");`", + "is_positive": true + }, + { + "name": "The prerequisites for exploiting the issue are either extremely common or nonexistent (always exploitable)", + "description": "`shell.exec` is highly likely to be called when the `ShellJS` package is in use" + } + ] + } + } + ], + "component_id": "root", + "package_type": "Generic", + "status": "completed" + } +] diff --git a/unittests/scans/jfrog_xray_on_demand_binary_scan/one_vuln.json b/unittests/scans/jfrog_xray_on_demand_binary_scan/one_vuln.json new file mode 100644 index 00000000000..b99746759fd --- /dev/null 
+++ b/unittests/scans/jfrog_xray_on_demand_binary_scan/one_vuln.json
@@ -0,0 +1,44 @@
+[
+ {
+ "scan_id": "dd8f-4927-5db6-fb188ae8d984",
+ "vulnerabilities": [
+ {
+ "cves": [
+ {
+ "cve": "CVE-2014-0114",
+ "cvss_v2_score": "7.5",
+ "cvss_v2_vector": "CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:P/A:P"
+ }
+ ],
+ "summary": "Summary test",
+ "severity": "High",
+ "components": {
+ "gav://test": {
+ "fixed_versions": [
+ "[1.9.4]"
+ ],
+ "impact_paths": [
+ [
+ {
+ "component_id": "gav://co.com.test.test:core:1.0.0-test"
+ },
+ {
+ "component_id": "gav://test",
+ "full_path": "lib/commons-beanutils-1.9.2.jar"
+ }
+ ]
+ ]
+ }
+ },
+ "issue_id": "XRAY-55616",
+ "references": [
+ "https://test.com.co"
+ ]
+ }
+ ],
+ "component_id": "gav://co.com.test.test:core:1.0.0-test",
+ "package_type": "Maven",
+ "status": "completed"
+ }
+ ]
+
diff --git a/unittests/tools/test_jfrog_xray_on_demand_binary_scan_parser.py b/unittests/tools/test_jfrog_xray_on_demand_binary_scan_parser.py
new file mode 100644
index 00000000000..0fd6712f07d
--- /dev/null
+++ b/unittests/tools/test_jfrog_xray_on_demand_binary_scan_parser.py
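Review bot: The vulnerable component in this fixture is keyed as `gav://test`, an id with no version segment, so the single-vulnerability test that reads this file can only check the component name and, judging by the `get_component_name_version` cases in the next hunk, the parser presumably yields an empty `component_version` here, leaving the version-splitting path unexercised by this fixture. The leaf entry's `full_path` of `lib/commons-beanutils-1.9.2.jar` suggests a real Xray id would carry a version, so I would key the component as `"gav://commons-beanutils:commons-beanutils:1.9.2": {` and set the matching leaf `"component_id": "gav://commons-beanutils:commons-beanutils:1.9.2",`, then assert `"1.9.2"` as the component version in the consuming test next to its existing name assertion. That test currently expects `gav://test` for the name, so its assertion would need to change in step. The trailing empty line 44 after the closing `]` is harmless but can be dropped.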
@@ -0,0 +1,85 @@
+from ..dojo_test_case import DojoTestCase
+from dojo.models import Test, Finding
+from dojo.tools.jfrog_xray_on_demand_binary_scan.parser import \
+ JFrogXrayOnDemandBinaryScanParser, get_component_name_version, clean_title
+
+
+class TestJFrogXrayOnDemandBinaryScanParser(DojoTestCase):
+
+ def test_parse_file_with_one_vuln(self):
+ testfile = open("unittests/scans/jfrog_xray_on_demand_binary_scan/one_vuln.json")
+ parser = JFrogXrayOnDemandBinaryScanParser()
+ findings = parser.get_findings(testfile, Test())
+ testfile.close()
+ self.assertEqual(1, len(findings))
+ item: Finding = findings[0]
+ self.assertEqual("gav://test", item.component_name)
+ self.assertEqual("CVE-2014-0114", item.unsaved_vulnerability_ids[0])
+ self.assertEqual("High", item.severity)
+
+ def test_parse_file_with_many_vulns(self):
+ testfile = open("unittests/scans/jfrog_xray_on_demand_binary_scan/many_vulns.json")
+ parser = JFrogXrayOnDemandBinaryScanParser()
+ findings = parser.get_findings(testfile, Test())
+ testfile.close()
+ self.assertEqual(3, len(findings))
+
+ def test_component_name_version(self):
+ with self.subTest(""):
+ self.assertEqual(("", ""), get_component_name_version(""))
+ with self.subTest("gav://org.yaml:snakeyaml:1.16"):
+ self.assertEqual(("gav://org.yaml:snakeyaml", "1.16"), get_component_name_version("gav://org.yaml:snakeyaml:1.16"))
+ with self.subTest("npm://desopmo:1.33.7"):
+ self.assertEqual(("npm://desopmo", "1.33.7"), get_component_name_version("npm://desopmo:1.33.7"))
+ with self.subTest("pypi://django:4.1.4"):
+ self.assertEqual(("pypi://django", "4.1.4"), get_component_name_version("pypi://django:4.1.4"))
+ with self.subTest("alpine://3.18:libcrypto3:3.1.1-r1"):
+ self.assertEqual(("alpine://3.18:libcrypto3", "3.1.1-r1"), get_component_name_version("alpine://3.18:libcrypto3:3.1.1-r1"))
+ with self.subTest("npm://desopmo"):
+ self.assertEqual(("npm://desopmo", ""), get_component_name_version("npm://desopmo"))
+
+ def test_clean_title(self):
+ with self.subTest(""):
+ self.assertEqual("", clean_title(""))
+ with self.subTest("ABC"):
+ self.assertEqual("ABC", clean_title("ABC"))
+ with self.subTest("Garbage"):
+ self.assertEqual("Processing some specially crafted ASN.1 object identifiers or", clean_title("Issue summary: Processing some specially crafted ASN.1 object identifiers or\ndata containing them may be very slow."))
+
+ def test_parse_file_with_many_vulns_docker(self):
+ testfile = open("unittests/scans/jfrog_xray_on_demand_binary_scan/many_vulns_docker.json")
+ parser = JFrogXrayOnDemandBinaryScanParser()
+ findings = parser.get_findings(testfile, Test())
+ testfile.close()
+ self.assertEqual(4, len(findings))
+
+ def test_parse_file_with_many_vulns_pypi(self):
+ testfile = open("unittests/scans/jfrog_xray_on_demand_binary_scan/many_vulns_pypi.json")
+ parser = JFrogXrayOnDemandBinaryScanParser()
+ findings = parser.get_findings(testfile, Test())
+ testfile.close()
+ self.assertEqual(99, len(findings))
+
+ with self.subTest(finding=0):
+ self.assertIn("sqlparse is a non-validating SQL parser module for Python", findings[0].title)
+ self.assertIsNone(findings[0].severity_justification)
+ self.assertEqual("High", findings[0].severity)
+ self.assertIn("sqlparse is a non-validating SQL parser module for Python", findings[0].description)
+ self.assertIn("- [0.4.4]", findings[0].mitigation)
+ self.assertEqual("pypi://sqlparse", findings[0].component_name)
+ self.assertEqual("0.4.3", findings[0].component_version)
+ self.assertIn("pypi://django:4.1.4", findings[0].impact)
+ self.assertIn("https://github.com/andialbrecht/sqlparse/commit/", findings[0].references)
+ self.assertTrue(findings[0].static_finding)
+ self.assertFalse(findings[0].dynamic_finding)
+ self.assertEqual("CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", findings[0].cvssv3)
+ self.assertEqual("XRAY-515353", findings[0].vuln_id_from_tool)
+ self.assertEqual(['CVE-2023-30608'], findings[0].unsaved_vulnerability_ids)
+
+ with self.subTest(finding=1):
+ self.assertIn("**Short description**\nA design problem in Django may lead to denial of service when processing multipart forms.\n", findings[1].severity_justification)
+ self.assertIn("**Full description**\n[Django](https://www.djangoproject.com/) is a popular Python web framework that provides functions, components, and tools for fast web development.\r\n\r\nA vulnerability has been discovered in the Multipart Request Parser in Django. By passing certain inputs (such as an excessive number of parts) to multipart forms, an attacker can trigger too many open files or memory exhaustion, which may lead to a denial-of-service attack. \r\n\r\nThe issue is only exploitable when the `MultiPartParser` class is used by the Django app/\n", findings[1].severity_justification)
+ self.assertIn("**JFrog research severity**\nHigh\n", findings[1].severity_justification)
+ self.assertIn("**JFrog research severity reasons**\nExploitation of the issue is only possible when the vulnerable component is used in a specific manner. The attacker has to perform per-target research to determine the vulnerable attack vector\n", findings[1].severity_justification)
+ self.assertIn("An attacker must find a multipart form that receives files in order to trigger this issue, although this does not require intimate per-target research and can be automated.\n", findings[1].severity_justification)
+ self.assertIn("_Is positive:_ true\n", findings[1].severity_justification)
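Review bot: The four fixture-reading tests (test_parse_file_with_one_vuln, test_parse_file_with_many_vulns, test_parse_file_with_many_vulns_docker and test_parse_file_with_many_vulns_pypi) open the fixture with a bare `open()` and close it only after `get_findings` returns, so an exception raised inside the parser leaves the handle open and the runner may add an unclosed-file ResourceWarning on top of the real failure. A context manager makes the close unconditional: `with open("unittests/scans/jfrog_xray_on_demand_binary_scan/one_vuln.json", encoding="utf-8") as testfile:` with the parser call indented beneath it and the explicit `testfile.close()` dropped. Pinning `encoding="utf-8"` also removes the dependence on the locale, which matters if any of the fixtures carries non-ASCII scanner text. The many_vulns and docker cases assert only the finding count; a field assertion on one finding, as test_parse_file_with_one_vuln does with component_name and severity, would catch a regression in the field mapping rather than just in the number of findings produced.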