search

DimaMend / juice-shop

MIT License
0 stars 0 forks source link

download-8.0.0.tgz: 3 vulnerabilities (highest severity is: 9.8) - autoclosed #8

Closed mend-for-github-com[bot] closed 4 months ago

mend-for-github-com[bot] commented 4 months ago
Vulnerable Library - download-8.0.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/got/package.json

Found in HEAD commit: c93fae24360417eb6ff9e1859197b1c29d71ebe7

Vulnerabilities

CVE Severity CVSS Exploit Maturity EPSS Dependency Type Fixed in (download version) Remediation Possible**
CVE-2020-12265 Critical 9.8 Not Defined 0.6% decompress-tar-4.1.1.tgz Transitive N/A*
CVE-2022-25881 High 7.5 Not Defined 0.1% http-cache-semantics-3.8.1.tgz Transitive N/A*
CVE-2022-33987 Medium 5.3 Not Defined 0.1% got-8.3.2.tgz Transitive N/A*

*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2020-12265 ### Vulnerable Library - decompress-tar-4.1.1.tgz

decompress tar plugin

Library home page: https://registry.npmjs.org/decompress-tar/-/decompress-tar-4.1.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/decompress-tar/package.json

Dependency Hierarchy: - download-8.0.0.tgz (Root Library) - decompress-4.2.1.tgz - :x: **decompress-tar-4.1.1.tgz** (Vulnerable Library)

Found in HEAD commit: c93fae24360417eb6ff9e1859197b1c29d71ebe7

Found in base branch: master

### Vulnerability Details

The decompress package before 4.2.1 for Node.js is vulnerable to Arbitrary File Write via ../ in an archive member, when a symlink is used, because of Directory Traversal. Mend Note: Decompress versions prior to 4.2.1 are vulnerable to CVE-2020-12265 which could lead to Path Traversal. decompress-tar is a tar plugin for decompress and is also vulnerable to CVE-2020-12265 and there is no fixed version for decompress-tar.

Publish Date: 2020-04-26

URL: CVE-2020-12265

### Threat Assessment

Exploit Maturity: Not Defined

EPSS: 0.6%

### CVSS 3 Score Details (9.8)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12265

Release Date: 2020-04-26

Fix Resolution: decompress - 4.2.1, decompress-tar - No fix version available

CVE-2022-25881 ### Vulnerable Library - http-cache-semantics-3.8.1.tgz

Parses Cache-Control and other headers. Helps building correct HTTP caches and proxies

Library home page: https://registry.npmjs.org/http-cache-semantics/-/http-cache-semantics-3.8.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/http-cache-semantics/package.json

Dependency Hierarchy: - download-8.0.0.tgz (Root Library) - got-8.3.2.tgz - cacheable-request-2.1.4.tgz - :x: **http-cache-semantics-3.8.1.tgz** (Vulnerable Library)

Found in HEAD commit: c93fae24360417eb6ff9e1859197b1c29d71ebe7

Found in base branch: master

### Vulnerability Details

This affects versions of the package http-cache-semantics before 4.1.1. The issue can be exploited via malicious request header values sent to a server, when that server reads the cache policy from the request using this library.

Publish Date: 2023-01-31

URL: CVE-2022-25881

### Threat Assessment

Exploit Maturity: Not Defined

EPSS: 0.1%

### CVSS 3 Score Details (7.5)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://github.com/advisories/GHSA-rc47-6667-2j5j

Release Date: 2023-01-31

Fix Resolution: http-cache-semantics - 4.1.1;org.webjars.npm:http-cache-semantics:4.1.1

CVE-2022-33987 ### Vulnerable Library - got-8.3.2.tgz

Simplified HTTP requests

Library home page: https://registry.npmjs.org/got/-/got-8.3.2.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/got/package.json

Dependency Hierarchy: - download-8.0.0.tgz (Root Library) - :x: **got-8.3.2.tgz** (Vulnerable Library)

Found in HEAD commit: c93fae24360417eb6ff9e1859197b1c29d71ebe7

Found in base branch: master

### Vulnerability Details

The got package before 12.1.0 (also fixed in 11.8.5) for Node.js allows a redirect to a UNIX socket.

Publish Date: 2022-06-18

URL: CVE-2022-33987

### Threat Assessment

Exploit Maturity: Not Defined

EPSS: 0.1%

### CVSS 3 Score Details (5.3)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: Low - Availability Impact: None

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-33987

Release Date: 2022-06-18

Fix Resolution: got - 11.8.5,12.1.0

mend-for-github-com[bot] commented 4 months ago

:information_source: This issue was automatically closed by Mend because it is a duplicate of an existing issue: #9

mend-for-github-com[bot] commented 4 months ago

:information_source: This issue was automatically closed by Mend because it is a duplicate of an existing issue: #9