Recidiviz / covid19-dashboard

[Decommissioned] Dashboard for projecting Covid-19 spread in prisons and modeling hypothetical scenarios
https://model.recidiviz.org
GNU General Public License v3.0

Security Alert - Package: axios; Severity: HIGH #787

Open phenggeler opened 2 years ago

phenggeler commented 2 years ago
    Affected package: axios
    Ecosystem: NPM
    Affected version range: < 0.21.1

    Summary: Server-Side Request Forgery in Axios
    Description: Axios NPM package 0.21.0 contains a Server-Side Request Forgery (SSRF) vulnerability where an attacker is able to bypass a proxy by providing a URL that responds with a redirect to a restricted host or IP address.
    Identifiers: GHSA-4w2v-q235-vp99, CVE-2020-28168

    Fixed Version: 0.21.1
    Created Date: January 25, 2022

    ---

    Affected package: axios
    Ecosystem: NPM
    Affected version range: <= 0.21.1

    Summary: Incorrect Comparison in axios
    Description: axios is vulnerable to Inefficient Regular Expression Complexity
    Identifiers: GHSA-cph5-m8f7-6c5x, CVE-2021-3749

    Fixed Version: 0.21.2
    Created Date: January 25, 2022

    ---
phenggeler commented 2 years ago

@phenggeler - label applied: Due this month.