DEV-REPO-URIEL / TEST_AINAT_CHANGE


express-3.3.1.tgz: 8 vulnerabilities (highest severity is: 7.5) - autoclosed #14

Closed dev-mend-for-github-com[bot] closed 1 year ago

dev-mend-for-github-com[bot] commented 1 year ago
Vulnerable Library - express-3.3.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/fresh/package.json

Found in HEAD commit: afbe7b3897712edd1ed0eeaeb49bf7a4ce0fdbdd

Vulnerabilities

| CVE | Severity | CVSS | Dependency | Type | Fixed in (express version) | Remediation Available |
|---|---|---|---|---|---|---|
| CVE-2017-16119 | High | 7.5 | fresh-0.1.0.tgz | Transitive | N/A* | |
| CVE-2014-6394 | High | 7.3 | send-0.1.1.tgz | Transitive | N/A* | |
| CVE-2018-3717 | Medium | 5.4 | connect-2.8.1.tgz | Transitive | N/A* | |
| CVE-2014-7191 | Medium | 5.3 | qs-0.6.5.tgz | Transitive | N/A* | |
| CVE-2017-1000048 | Medium | 5.0 | qs-0.6.5.tgz | Transitive | N/A* | |
| CVE-2017-16138 | Medium | 5.0 | mime-1.2.11.tgz | Transitive | N/A* | |
| CVE-2016-1000236 | Medium | 4.4 | cookie-signature-1.0.1.tgz | Transitive | N/A* | |
| CVE-2015-8859 | Low | 4.3 | send-0.1.1.tgz | Transitive | N/A* | |

*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the section "Details" below to see if there is a version of transitive dependency where vulnerability is fixed.

Details

## CVE-2017-16119

### Vulnerable Library - fresh-0.1.0.tgz

HTTP response freshness testing

Library home page: https://registry.npmjs.org/fresh/-/fresh-0.1.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/fresh/package.json

Dependency Hierarchy:
- express-3.3.1.tgz (Root Library)
  - :x: **fresh-0.1.0.tgz** (Vulnerable Library)

Found in HEAD commit: afbe7b3897712edd1ed0eeaeb49bf7a4ce0fdbdd

Found in base branch: main

### Vulnerability Details

Fresh is a module used by the Express.js framework for HTTP response freshness testing. It is vulnerable to a regular expression denial of service when it is passed specially crafted input to parse. This causes the event loop to be blocked causing a denial of service condition.

Publish Date: 2018-06-07

URL: CVE-2017-16119

### CVSS 3 Score Details (7.5)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High


### Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/526

Release Date: 2018-06-07

Fix Resolution: fresh - 0.5.2

## CVE-2014-6394

### Vulnerable Library - send-0.1.1.tgz

Better streaming static file server with Range and conditional-GET support

Library home page: https://registry.npmjs.org/send/-/send-0.1.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/send/package.json

Dependency Hierarchy:
- express-3.3.1.tgz (Root Library)
  - :x: **send-0.1.1.tgz** (Vulnerable Library)

Found in HEAD commit: afbe7b3897712edd1ed0eeaeb49bf7a4ce0fdbdd

Found in base branch: main

### Vulnerability Details

visionmedia send before 0.8.4 for Node.js uses a partial comparison for verifying whether a directory is within the document root, which allows remote attackers to access restricted directories, as demonstrated using "public-restricted" under a "public" directory.

Publish Date: 2014-10-08

URL: CVE-2014-6394

### CVSS 3 Score Details (7.3)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: Low
  - Integrity Impact: Low
  - Availability Impact: Low


### Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2014-6394

Release Date: 2014-10-08

Fix Resolution: 0.8.4

## CVE-2018-3717

### Vulnerable Library - connect-2.8.1.tgz

High performance middleware framework

Library home page: https://registry.npmjs.org/connect/-/connect-2.8.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/connect/package.json

Dependency Hierarchy:
- express-3.3.1.tgz (Root Library)
  - :x: **connect-2.8.1.tgz** (Vulnerable Library)

Found in HEAD commit: afbe7b3897712edd1ed0eeaeb49bf7a4ce0fdbdd

Found in base branch: main

### Vulnerability Details

connect node module before 2.14.0 suffers from a Cross-Site Scripting (XSS) vulnerability due to a lack of validation of file in directory.js middleware.

Publish Date: 2018-06-07

URL: CVE-2018-3717

### CVSS 3 Score Details (5.4)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: Low
  - User Interaction: Required
  - Scope: Changed
- Impact Metrics:
  - Confidentiality Impact: Low
  - Integrity Impact: Low
  - Availability Impact: None


### Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2018-3717

Release Date: 2018-06-07

Fix Resolution: 2.14.0

## CVE-2014-7191

### Vulnerable Library - qs-0.6.5.tgz

querystring parser

Library home page: https://registry.npmjs.org/qs/-/qs-0.6.5.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/qs/package.json

Dependency Hierarchy:
- express-3.3.1.tgz (Root Library)
  - connect-2.8.1.tgz
    - :x: **qs-0.6.5.tgz** (Vulnerable Library)

Found in HEAD commit: afbe7b3897712edd1ed0eeaeb49bf7a4ce0fdbdd

Found in base branch: main

### Vulnerability Details

The qs module before 1.0.0 in Node.js does not call the compact function for array data, which allows remote attackers to cause a denial of service (memory consumption) by using a large index value to create a sparse array.

Publish Date: 2014-10-19

URL: CVE-2014-7191

### CVSS 3 Score Details (5.3)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: Low


### Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2014-7191

Release Date: 2014-10-19

Fix Resolution: 1.0.0

## CVE-2017-1000048

### Vulnerable Library - qs-0.6.5.tgz

querystring parser

Library home page: https://registry.npmjs.org/qs/-/qs-0.6.5.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/qs/package.json

Dependency Hierarchy:
- express-3.3.1.tgz (Root Library)
  - connect-2.8.1.tgz
    - :x: **qs-0.6.5.tgz** (Vulnerable Library)

Found in HEAD commit: afbe7b3897712edd1ed0eeaeb49bf7a4ce0fdbdd

Found in base branch: main

### Vulnerability Details

The web framework using ljharb's qs module older than v6.3.2, v6.2.3, v6.1.2, and v6.0.4 is vulnerable to a DoS. A malicious user can send an evil request to cause the web framework to crash.

Publish Date: 2017-07-17

URL: CVE-2017-1000048

### CVSS 3 Score Details (5.0)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High


### Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000048

Release Date: 2017-07-17

Fix Resolution: qs - 6.0.4,6.1.2,6.2.3,6.3.2

## CVE-2017-16138

### Vulnerable Library - mime-1.2.11.tgz

A comprehensive library for mime-type mapping

Library home page: https://registry.npmjs.org/mime/-/mime-1.2.11.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/mime/package.json

Dependency Hierarchy:
- express-3.3.1.tgz (Root Library)
  - send-0.1.1.tgz
    - :x: **mime-1.2.11.tgz** (Vulnerable Library)

Found in HEAD commit: afbe7b3897712edd1ed0eeaeb49bf7a4ce0fdbdd

Found in base branch: main

### Vulnerability Details

The mime module < 1.4.1, 2.0.1, 2.0.2 is vulnerable to regular expression denial of service when a mime lookup is performed on untrusted user input.

Publish Date: 2018-06-07

URL: CVE-2017-16138

### CVSS 3 Score Details (5.0)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High


### Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16138

Release Date: 2018-06-07

Fix Resolution: 1.4.1,2.0.3

## CVE-2016-1000236

### Vulnerable Library - cookie-signature-1.0.1.tgz

Sign and unsign cookies

Library home page: https://registry.npmjs.org/cookie-signature/-/cookie-signature-1.0.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/cookie-signature/package.json

Dependency Hierarchy:
- express-3.3.1.tgz (Root Library)
  - :x: **cookie-signature-1.0.1.tgz** (Vulnerable Library)

Found in HEAD commit: afbe7b3897712edd1ed0eeaeb49bf7a4ce0fdbdd

Found in base branch: main

### Vulnerability Details

Node-cookie-signature before 1.0.6 is affected by a timing attack due to the type of comparison used.

Publish Date: 2019-11-19

URL: CVE-2016-1000236

### CVSS 3 Score Details (4.4)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: High
  - Privileges Required: High
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: None
  - Availability Impact: None


### Suggested Fix

Type: Upgrade version

Release Date: 2019-11-19

Fix Resolution: cookie-signature - 1.0.6

## CVE-2015-8859

### Vulnerable Library - send-0.1.1.tgz

Better streaming static file server with Range and conditional-GET support

Library home page: https://registry.npmjs.org/send/-/send-0.1.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/send/package.json

Dependency Hierarchy:
- express-3.3.1.tgz (Root Library)
  - :x: **send-0.1.1.tgz** (Vulnerable Library)

Found in HEAD commit: afbe7b3897712edd1ed0eeaeb49bf7a4ce0fdbdd

Found in base branch: main

### Vulnerability Details

The send package before 0.11.1 for Node.js allows attackers to obtain the root path via unspecified vectors.

Publish Date: 2017-01-23

URL: CVE-2015-8859

### CVSS 3 Score Details (4.3)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: Low
  - Integrity Impact: None
  - Availability Impact: None


### Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2015-8859

Release Date: 2017-01-23

Fix Resolution: 0.11.1

dev-mend-for-github-com[bot] commented 1 year ago

:heavy_check_mark: This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory.