secure-code-warrior-for-github[bot]
commented
2 years ago Micro-Learning Topic: Uncontrolled Resource Consumption (CWE 400)
Matched on "CWE-400"
The software does not properly control the allocation and maintenance of a limited resource thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources.
Try this challenge in Secure Code Warrior
Micro-Learning Topic: OS command injection (Detected by phrase)
Matched on "Command Injection"
In many situations, applications will rely on OS provided functions, scripts, macros and utilities instead of reimplementing them in code. While functions would typically be accessed through a native interface library, the remaining three OS provided features will normally be invoked via the command line or launched as a process. If unsafe inputs are used to construct commands or arguments, it may allow arbitrary OS operations to be performed that can compromise the server.
Try this challenge in Secure Code Warrior
Micro-Learning Topic: Vulnerable library (Detected by phrase)
Matched on "Vulnerable Library"
Use of vulnerable components will introduce weaknesses into the application. Components with published vulnerabilities will allow easy exploitation as resources will often be available to automate the process.
Try this challenge in Secure Code Warrior
Micro-Learning Topic: Denial of service (Detected by phrase)
Matched on "Denial of service"
The Denial of Service (DoS) attack is focused on making a resource (site, application, server) unavailable for the purpose it was designed. There are many ways to make a service unavailable for legitimate users by manipulating network packets, programming, logical, or resources handling vulnerabilities, among others. Source: https://www.owasp.org/index.php/Denial_of_Service
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/archiver/node_modules/minimatch/package.json
Found in HEAD commit: 5c247eb22e22c12bff47f03f69c6fad26286b722
Vulnerabilities
Details
CVE-2019-10744
### Vulnerable Library - lodash-2.4.2.tgzA utility library delivering consistency, customization, performance, & extras.
Library home page: https://registry.npmjs.org/lodash/-/lodash-2.4.2.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/archiver/node_modules/lodash/package.json,/node_modules/zip-stream/node_modules/lodash/package.json
Dependency Hierarchy: - zip-folder-1.0.0.tgz (Root Library) - archiver-0.11.0.tgz - :x: **lodash-2.4.2.tgz** (Vulnerable Library)
Found in HEAD commit: 5c247eb22e22c12bff47f03f69c6fad26286b722
Found in base branch: main
### Vulnerability DetailsVersions of lodash lower than 4.17.12 are vulnerable to Prototype Pollution. The function defaultsDeep could be tricked into adding or modifying properties of Object.prototype using a constructor payload.
Publish Date: 2019-07-26
URL: CVE-2019-10744
### CVSS 3 Score Details (9.1)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: High - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://github.com/advisories/GHSA-jf85-cpcp-j695
Release Date: 2019-07-26
Fix Resolution: lodash-4.17.12, lodash-amd-4.17.12, lodash-es-4.17.12, lodash.defaultsdeep-4.6.1, lodash.merge- 4.6.2, lodash.mergewith-4.6.2, lodash.template-4.5.0
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2021-43138
### Vulnerable Library - async-0.9.2.tgzHigher-order functions and common patterns for asynchronous code
Library home page: https://registry.npmjs.org/async/-/async-0.9.2.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/async/package.json
Dependency Hierarchy: - zip-folder-1.0.0.tgz (Root Library) - archiver-0.11.0.tgz - :x: **async-0.9.2.tgz** (Vulnerable Library)
Found in HEAD commit: 5c247eb22e22c12bff47f03f69c6fad26286b722
Found in base branch: main
### Vulnerability DetailsIn Async before 2.6.4 and 3.x before 3.2.2, a malicious user can obtain privileges via the mapValues() method, aka lib/internal/iterator.js createObjectIterator prototype pollution.
Publish Date: 2022-04-06
URL: CVE-2021-43138
### CVSS 3 Score Details (7.8)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Local - Attack Complexity: Low - Privileges Required: None - User Interaction: Required - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2021-43138
Release Date: 2022-04-06
Fix Resolution: async - 2.6.4,3.2.2
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2016-10540
### Vulnerable Library - minimatch-0.3.0.tgza glob matcher in javascript
Library home page: https://registry.npmjs.org/minimatch/-/minimatch-0.3.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/archiver/node_modules/minimatch/package.json
Dependency Hierarchy: - zip-folder-1.0.0.tgz (Root Library) - archiver-0.11.0.tgz - glob-3.2.11.tgz - :x: **minimatch-0.3.0.tgz** (Vulnerable Library)
Found in HEAD commit: 5c247eb22e22c12bff47f03f69c6fad26286b722
Found in base branch: main
### Vulnerability DetailsMinimatch is a minimal matching utility that works by converting glob expressions into JavaScript `RegExp` objects. The primary function, `minimatch(path, pattern)` in Minimatch 3.0.1 and earlier is vulnerable to ReDoS in the `pattern` parameter.
Publish Date: 2018-05-31
URL: CVE-2016-10540
### CVSS 3 Score Details (7.5)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2016-10540
Release Date: 2018-05-31
Fix Resolution: Pvc.Browserify - 0.0.1.1;JetBrains.Rider.Frontend4 - 203.0.20201014.202610-eap04;JetBrains.Rider.Frontend5 - 203.0.20201006.200056-eap03,213.0.20211008.154703-eap03;Bridge.AWS - 0.3.30.36;tslint - 3.11.0;MIDIator.WebClient - 1.0.105;BumperLane.Public.Service.Contracts - 0.23.35.214-prerelease;ng-grid - 2.0.4;minimatch - 3.0.2;Virteom.Tenant.Mobile.Bluetooth - 0.21.29.159-prerelease;ShowingVault.DotNet.Sdk - 0.13.41.190-prerelease;Triarc.Web.Build - 1.3.0;Virteom.Tenant.Mobile.Framework.UWP - 0.20.41.103-prerelease;Virteom.Tenant.Mobile.Framework.iOS - 0.20.41.103-prerelease;BumperLane.Public.Api.V2.ClientModule - 0.23.35.214-prerelease;Virteom.Tenant.Mobile.Bluetooth.iOS - 0.20.41.103-prerelease;Virteom.Public.Utilities - 0.23.37.212-prerelease;Mustache.Reports.Data - 1.2.2;Virteom.Tenant.Mobile.Framework - 0.21.29.159-prerelease;Virteom.Tenant.Mobile.Bluetooth.Android - 0.20.41.103-prerelease;z4a-dotnet-scaffold - 1.0.0.2;Raml.Parser - 2.0.0,1.0.2;AntData.ORM - 1.2.9;ApiExplorer.HelpPage - 1.0.0-alpha3;SitecoreMaster.TrueDynamicPlaceholders - 1.0.3;Virteom.Tenant.Mobile.Framework.Android - 0.20.41.103-prerelease;BumperLane.Public.Api.Client - 0.23.35.214-prerelease
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2020-8203
### Vulnerable Library - lodash-2.4.2.tgzA utility library delivering consistency, customization, performance, & extras.
Library home page: https://registry.npmjs.org/lodash/-/lodash-2.4.2.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/archiver/node_modules/lodash/package.json,/node_modules/zip-stream/node_modules/lodash/package.json
Dependency Hierarchy: - zip-folder-1.0.0.tgz (Root Library) - archiver-0.11.0.tgz - :x: **lodash-2.4.2.tgz** (Vulnerable Library)
Found in HEAD commit: 5c247eb22e22c12bff47f03f69c6fad26286b722
Found in base branch: main
### Vulnerability DetailsPrototype pollution attack when using _.zipObjectDeep in lodash before 4.17.20.
Publish Date: 2020-07-15
URL: CVE-2020-8203
### CVSS 3 Score Details (7.4)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: High - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: High - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://www.npmjs.com/advisories/1523
Release Date: 2020-07-15
Fix Resolution: lodash - 4.17.19
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2021-23337
### Vulnerable Library - lodash-2.4.2.tgzA utility library delivering consistency, customization, performance, & extras.
Library home page: https://registry.npmjs.org/lodash/-/lodash-2.4.2.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/archiver/node_modules/lodash/package.json,/node_modules/zip-stream/node_modules/lodash/package.json
Dependency Hierarchy: - zip-folder-1.0.0.tgz (Root Library) - archiver-0.11.0.tgz - :x: **lodash-2.4.2.tgz** (Vulnerable Library)
Found in HEAD commit: 5c247eb22e22c12bff47f03f69c6fad26286b722
Found in base branch: main
### Vulnerability DetailsLodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function.
Publish Date: 2021-02-15
URL: CVE-2021-23337
### CVSS 3 Score Details (7.2)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: High - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Release Date: 2021-02-15
Fix Resolution: lodash - 4.17.21
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2019-1010266
### Vulnerable Library - lodash-2.4.2.tgzA utility library delivering consistency, customization, performance, & extras.
Library home page: https://registry.npmjs.org/lodash/-/lodash-2.4.2.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/archiver/node_modules/lodash/package.json,/node_modules/zip-stream/node_modules/lodash/package.json
Dependency Hierarchy: - zip-folder-1.0.0.tgz (Root Library) - archiver-0.11.0.tgz - :x: **lodash-2.4.2.tgz** (Vulnerable Library)
Found in HEAD commit: 5c247eb22e22c12bff47f03f69c6fad26286b722
Found in base branch: main
### Vulnerability Detailslodash prior to 4.17.11 is affected by: CWE-400: Uncontrolled Resource Consumption. The impact is: Denial of service. The component is: Date handler. The attack vector is: Attacker provides very long strings, which the library attempts to match using a regular expression. The fixed version is: 4.17.11.
Publish Date: 2019-07-17
URL: CVE-2019-1010266
### CVSS 3 Score Details (6.5)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: Low - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1010266
Release Date: 2020-09-30
Fix Resolution: 4.17.11
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2018-3721
### Vulnerable Library - lodash-2.4.2.tgzA utility library delivering consistency, customization, performance, & extras.
Library home page: https://registry.npmjs.org/lodash/-/lodash-2.4.2.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/archiver/node_modules/lodash/package.json,/node_modules/zip-stream/node_modules/lodash/package.json
Dependency Hierarchy: - zip-folder-1.0.0.tgz (Root Library) - archiver-0.11.0.tgz - :x: **lodash-2.4.2.tgz** (Vulnerable Library)
Found in HEAD commit: 5c247eb22e22c12bff47f03f69c6fad26286b722
Found in base branch: main
### Vulnerability Detailslodash node module before 4.17.5 suffers from a Modification of Assumed-Immutable Data (MAID) vulnerability via defaultsDeep, merge, and mergeWith functions, which allows a malicious user to modify the prototype of "Object" via __proto__, causing the addition or modification of an existing property that will exist on all objects.
Publish Date: 2018-06-07
URL: CVE-2018-3721
### CVSS 3 Score Details (6.5)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: Low - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: High - Availability Impact: None
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2018-3721
Release Date: 2018-06-07
Fix Resolution: 4.17.5
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2020-8244
### Vulnerable Library - bl-0.9.5.tgzBuffer List: collect buffers and access with a standard readable Buffer interface, streamable too!
Library home page: https://registry.npmjs.org/bl/-/bl-0.9.5.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/bl/package.json
Dependency Hierarchy: - zip-folder-1.0.0.tgz (Root Library) - archiver-0.11.0.tgz - tar-stream-0.4.7.tgz - :x: **bl-0.9.5.tgz** (Vulnerable Library)
Found in HEAD commit: 5c247eb22e22c12bff47f03f69c6fad26286b722
Found in base branch: main
### Vulnerability DetailsA buffer over-read vulnerability exists in bl <4.0.3, <3.0.1, <2.2.1, and <1.2.3 which could allow an attacker to supply user input (even typed) that if it ends up in consume() argument and can become negative, the BufferList state can be corrupted, tricking it into exposing uninitialized memory via regular .slice() calls.
Publish Date: 2020-08-30
URL: CVE-2020-8244
### CVSS 3 Score Details (6.5)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: Low - Integrity Impact: None - Availability Impact: Low
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://github.com/advisories/GHSA-pp7h-53gx-mx7r
Release Date: 2020-08-30
Fix Resolution: bl - 1.2.3,2.2.1,3.0.1,4.0.3
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2018-16487
### Vulnerable Library - lodash-2.4.2.tgzA utility library delivering consistency, customization, performance, & extras.
Library home page: https://registry.npmjs.org/lodash/-/lodash-2.4.2.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/archiver/node_modules/lodash/package.json,/node_modules/zip-stream/node_modules/lodash/package.json
Dependency Hierarchy: - zip-folder-1.0.0.tgz (Root Library) - archiver-0.11.0.tgz - :x: **lodash-2.4.2.tgz** (Vulnerable Library)
Found in HEAD commit: 5c247eb22e22c12bff47f03f69c6fad26286b722
Found in base branch: main
### Vulnerability DetailsA prototype pollution vulnerability was found in lodash <4.17.11 where the functions merge, mergeWith, and defaultsDeep can be tricked into adding or modifying properties of Object.prototype.
Publish Date: 2019-02-01
URL: CVE-2018-16487
### CVSS 3 Score Details (5.6)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: High - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: Low - Integrity Impact: Low - Availability Impact: Low
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-16487
Release Date: 2019-02-01
Fix Resolution: 4.17.11
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2020-28500
### Vulnerable Library - lodash-2.4.2.tgzA utility library delivering consistency, customization, performance, & extras.
Library home page: https://registry.npmjs.org/lodash/-/lodash-2.4.2.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/archiver/node_modules/lodash/package.json,/node_modules/zip-stream/node_modules/lodash/package.json
Dependency Hierarchy: - zip-folder-1.0.0.tgz (Root Library) - archiver-0.11.0.tgz - :x: **lodash-2.4.2.tgz** (Vulnerable Library)
Found in HEAD commit: 5c247eb22e22c12bff47f03f69c6fad26286b722
Found in base branch: main
### Vulnerability DetailsLodash versions prior to 4.17.21 are vulnerable to Regular Expression Denial of Service (ReDoS) via the toNumber, trim and trimEnd functions. Mend Note: After conducting further research, Mend has determined that CVE-2020-28500 only affects environments with versions 4.0.0 to 4.17.20 of Lodash.
Publish Date: 2021-02-15
URL: CVE-2020-28500
### CVSS 3 Score Details (5.3)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: Low
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28500
Release Date: 2021-02-15
Fix Resolution: lodash - 4.17.21
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)