Sultan-QA / sbt3


sbt-uglify-2.0.1-SNAPSHOT: 31 vulnerabilities (highest severity is: 9.8) - autoclosed #5

Closed dev-mend-for-github-com[bot] closed 1 year ago

dev-mend-for-github-com[bot] commented 1 year ago
Vulnerable Library - sbt-uglify-2.0.1-SNAPSHOT

Path to vulnerable library: /home/wss-scanner/.ivy2/cache/org.webjars/npm/jars/npm-4.2.0.jar

Found in HEAD commit: d4a3f852ac7ea5cb51f8a928c57c2cc3f2a3ee69

Vulnerabilities

| CVE | Severity | CVSS | Dependency | Type | Fixed in (sbt-uglify version) | Remediation Available |
|---|---|---|---|---|---|---|
| CVE-2018-16492 | Critical | 9.8 | npm-4.2.0.jar | Transitive | N/A* | |
| CVE-2018-1000620 | Critical | 9.8 | npm-4.2.0.jar | Transitive | N/A* | |
| WS-2020-0344 | Critical | 9.8 | npm-4.2.0.jar | Transitive | N/A* | |
| CVE-2019-20444 | Critical | 9.1 | netty-3.10.6.Final.jar | Transitive | N/A* | |
| CVE-2018-16115 | Critical | 9.1 | akka-actor_2.12-2.5.4.jar | Transitive | N/A* | |
| CVE-2018-3728 | High | 8.8 | npm-4.2.0.jar | Transitive | N/A* | |
| WS-2018-0084 | High | 8.0 | npm-4.2.0.jar | Transitive | N/A* | |
| CVE-2022-25858 | High | 7.5 | uglify-js-2.8.14.jar | Transitive | N/A* | |
| CVE-2018-20834 | High | 7.5 | npm-4.2.0.jar | Transitive | N/A* | |
| CVE-2017-15010 | High | 7.5 | npm-4.2.0.jar | Transitive | N/A* | |
| WS-2020-0180 | High | 7.5 | npm-4.2.0.jar | Transitive | N/A* | |
| WS-2018-0069 | High | 7.5 | npm-4.2.0.jar | Transitive | N/A* | |
| CVE-2018-3737 | High | 7.5 | npm-4.2.0.jar | Transitive | N/A* | |
| CVE-2017-18077 | High | 7.5 | npm-4.2.0.jar | Transitive | N/A* | |
| CVE-2019-13173 | High | 7.5 | npm-4.2.0.jar | Transitive | N/A* | |
| CVE-2018-18854 | High | 7.5 | spray-json_2.12-1.3.3.jar | Transitive | N/A* | |
| CVE-2018-18853 | High | 7.5 | spray-json_2.12-1.3.3.jar | Transitive | N/A* | |
| CVE-2018-21270 | Medium | 6.5 | npm-4.2.0.jar | Transitive | N/A* | |
| CVE-2019-16777 | Medium | 6.5 | npm-4.2.0.jar | Transitive | N/A* | |
| CVE-2020-7598 | Medium | 5.6 | npm-4.2.0.jar | Transitive | N/A* | |
| CVE-2017-16032 | Medium | 5.5 | npm-4.2.0.jar | Transitive | N/A* | |
| WS-2018-0125 | Medium | 5.3 | jackson-core-2.7.3.jar | Transitive | N/A* | |
| WS-2018-0124 | Medium | 5.3 | jackson-core-2.7.3.jar | Transitive | N/A* | |
| WS-2020-0342 | Medium | 5.3 | npm-4.2.0.jar | Transitive | N/A* | |
| CVE-2021-23362 | Medium | 5.3 | npm-4.2.0.jar | Transitive | N/A* | |
| CVE-2018-1107 | Medium | 5.3 | npm-4.2.0.jar | Transitive | N/A* | |
| WS-2018-0076 | Medium | 5.1 | npm-4.2.0.jar | Transitive | N/A* | |
| CVE-2017-1000048 | Medium | 5.0 | npm-4.2.0.jar | Transitive | N/A* | |
| WS-2018-0103 | Medium | 4.8 | npm-4.2.0.jar | Transitive | N/A* | |
| CVE-2020-15095 | Medium | 4.4 | npm-4.2.0.jar | Transitive | N/A* | |
| CVE-2017-18869 | Low | 2.5 | npm-4.2.0.jar | Transitive | N/A* | |

*For some transitive vulnerabilities, there is no version of the direct dependency that carries a fix. Check the "Details" section below to see whether there is a version of the transitive dependency in which the vulnerability is fixed.

Details

Partial details (27 vulnerabilities) are displayed below due to a content size limitation in GitHub. To view information on the remaining vulnerabilities, navigate to the Mend Application.

## CVE-2018-16492

### Vulnerable Library - npm-4.2.0.jar

WebJar for npm

Library home page: http://webjars.org

Path to vulnerable library: /home/wss-scanner/.ivy2/cache/org.webjars/npm/jars/npm-4.2.0.jar

Dependency Hierarchy: - sbt-uglify-2.0.1-SNAPSHOT (Root Library) - sbt-js-engine-1.2.2.jar - npm_2.12-1.2.1.jar - :x: **npm-4.2.0.jar** (Vulnerable Library)

Found in HEAD commit: d4a3f852ac7ea5cb51f8a928c57c2cc3f2a3ee69

Found in base branch: main

### Vulnerability Details

A prototype pollution vulnerability was found in module extend <2.0.2, ~<3.0.2 that allows an attacker to inject arbitrary properties onto Object.prototype.

Publish Date: 2019-02-01

URL: CVE-2018-16492

### CVSS 3 Score Details (9.8)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://hackerone.com/reports/381185

Release Date: 2019-02-01

Fix Resolution: extend - v3.0.2,v2.0.2

## CVE-2018-1000620

### Vulnerable Library - npm-4.2.0.jar

WebJar for npm

Library home page: http://webjars.org

Path to vulnerable library: /home/wss-scanner/.ivy2/cache/org.webjars/npm/jars/npm-4.2.0.jar

Dependency Hierarchy: - sbt-uglify-2.0.1-SNAPSHOT (Root Library) - sbt-js-engine-1.2.2.jar - npm_2.12-1.2.1.jar - :x: **npm-4.2.0.jar** (Vulnerable Library)

Found in HEAD commit: d4a3f852ac7ea5cb51f8a928c57c2cc3f2a3ee69

Found in base branch: main

### Vulnerability Details

cryptiles (Eran Hammer) version 4.1.1 and earlier contains a CWE-331: Insufficient Entropy vulnerability in the randomDigits() method. An attacker is more likely to be able to brute-force something that was supposed to be random; whether this is exploitable depends upon the calling application. This vulnerability appears to have been fixed in 4.1.2.

Publish Date: 2018-07-09

URL: CVE-2018-1000620

### CVSS 3 Score Details (9.8)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-1000620

Release Date: 2018-07-09

Fix Resolution: v4.1.2

## WS-2020-0344

### Vulnerable Library - npm-4.2.0.jar

WebJar for npm

Library home page: http://webjars.org

Path to vulnerable library: /home/wss-scanner/.ivy2/cache/org.webjars/npm/jars/npm-4.2.0.jar

Dependency Hierarchy: - sbt-uglify-2.0.1-SNAPSHOT (Root Library) - sbt-js-engine-1.2.2.jar - npm_2.12-1.2.1.jar - :x: **npm-4.2.0.jar** (Vulnerable Library)

Found in HEAD commit: d4a3f852ac7ea5cb51f8a928c57c2cc3f2a3ee69

Found in base branch: main

### Vulnerability Details

An Arbitrary Code Execution vulnerability was found in is-my-json-valid before 2.20.3 via the formatName function.

Publish Date: 2020-06-09

URL: WS-2020-0344

### CVSS 3 Score Details (9.8)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Release Date: 2020-06-09

Fix Resolution: is-my-json-valid - 2.20.3

## CVE-2019-20444

### Vulnerable Library - netty-3.10.6.Final.jar

The Netty project is an effort to provide an asynchronous event-driven network application framework and tools for rapid development of maintainable high performance and high scalability protocol servers and clients. In other words, Netty is a NIO client server framework which enables quick and easy development of network applications such as protocol servers and clients. It greatly simplifies and streamlines network programming such as TCP and UDP socket server.

Library home page: http://netty.io/

Path to vulnerable library: /home/wss-scanner/.ivy2/cache/io.netty/netty/bundles/netty-3.10.6.Final.jar

Dependency Hierarchy: - sbt-uglify-2.0.1-SNAPSHOT (Root Library) - sbt-js-engine-1.2.2.jar - jse_2.12-1.2.3.jar - akka-contrib_2.12-2.5.4.jar - akka-remote_2.12-2.5.4.jar - :x: **netty-3.10.6.Final.jar** (Vulnerable Library)

Found in HEAD commit: d4a3f852ac7ea5cb51f8a928c57c2cc3f2a3ee69

Found in base branch: main

### Vulnerability Details

HttpObjectDecoder.java in Netty before 4.1.44 allows an HTTP header that lacks a colon, which might be interpreted as a separate header with an incorrect syntax, or might be interpreted as an "invalid fold."

Publish Date: 2020-01-29

URL: CVE-2019-20444

### CVSS 3 Score Details (9.1)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: None

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20444

Release Date: 2020-01-29

Fix Resolution: io.netty:netty-all:4.1.44.Final

## CVE-2018-16115

### Vulnerable Library - akka-actor_2.12-2.5.4.jar

akka-actor

Library home page: http://akka.io/

Path to vulnerable library: /home/wss-scanner/.ivy2/cache/com.typesafe.akka/akka-actor_2.12/jars/akka-actor_2.12-2.5.4.jar

Dependency Hierarchy: - sbt-uglify-2.0.1-SNAPSHOT (Root Library) - sbt-js-engine-1.2.2.jar - npm_2.12-1.2.1.jar - :x: **akka-actor_2.12-2.5.4.jar** (Vulnerable Library)

Found in HEAD commit: d4a3f852ac7ea5cb51f8a928c57c2cc3f2a3ee69

Found in base branch: main

### Vulnerability Details

Lightbend Akka 2.5.x before 2.5.16 allows message disclosure and modification because of an RNG error. A random number generator is used in Akka Remoting for TLS (both classic and Artery Remoting). Akka allows configuration of custom random number generators. For historical reasons, Akka included the AES128CounterSecureRNG and AES256CounterSecureRNG random number generators. The implementations had a bug that caused the generated numbers to be repeated after only a few bytes. The custom RNG implementations were not configured by default but examples in the documentation showed (and therefore implicitly recommended) using the custom ones. This can be used by an attacker to compromise the communication if these random number generators are enabled in configuration. It would be possible to eavesdrop, replay, or modify the messages sent with Akka Remoting/Cluster.

Publish Date: 2018-08-29

URL: CVE-2018-16115

### CVSS 3 Score Details (9.1)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: None

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16115

Release Date: 2018-08-29

Fix Resolution: v2.5.16

## CVE-2018-3728

### Vulnerable Library - npm-4.2.0.jar

WebJar for npm

Library home page: http://webjars.org

Path to vulnerable library: /home/wss-scanner/.ivy2/cache/org.webjars/npm/jars/npm-4.2.0.jar

Dependency Hierarchy: - sbt-uglify-2.0.1-SNAPSHOT (Root Library) - sbt-js-engine-1.2.2.jar - npm_2.12-1.2.1.jar - :x: **npm-4.2.0.jar** (Vulnerable Library)

Found in HEAD commit: d4a3f852ac7ea5cb51f8a928c57c2cc3f2a3ee69

Found in base branch: main

### Vulnerability Details

hoek node module before 4.2.0 and 5.0.x before 5.0.3 suffers from a Modification of Assumed-Immutable Data (MAID) vulnerability via 'merge' and 'applyToDefaults' functions, which allows a malicious user to modify the prototype of "Object" via __proto__, causing the addition or modification of an existing property that will exist on all objects.

Publish Date: 2018-03-30

URL: CVE-2018-3728

### CVSS 3 Score Details (8.8)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: Low - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2018-3728

Release Date: 2018-03-30

Fix Resolution: 4.2.1,5.0.3

## WS-2018-0084

### Vulnerable Library - npm-4.2.0.jar

WebJar for npm

Library home page: http://webjars.org

Path to vulnerable library: /home/wss-scanner/.ivy2/cache/org.webjars/npm/jars/npm-4.2.0.jar

Dependency Hierarchy: - sbt-uglify-2.0.1-SNAPSHOT (Root Library) - sbt-js-engine-1.2.2.jar - npm_2.12-1.2.1.jar - :x: **npm-4.2.0.jar** (Vulnerable Library)

Found in HEAD commit: d4a3f852ac7ea5cb51f8a928c57c2cc3f2a3ee69

Found in base branch: main

### Vulnerability Details

Versions of sshpk before 1.14.1 are vulnerable to regular expression denial of service when parsing crafted invalid public keys.

Publish Date: 2018-04-25

URL: WS-2018-0084

### CVSS 2 Score Details (8.0)

Base Score Metrics not available

### Suggested Fix

Type: Upgrade version

Origin: https://nodesecurity.io/advisories/606

Release Date: 2018-01-27

Fix Resolution: 1.14.1

## CVE-2022-25858

### Vulnerable Library - uglify-js-2.8.14.jar

WebJar for uglify-js

Library home page: http://webjars.org

Path to vulnerable library: /home/wss-scanner/.ivy2/cache/org.webjars.npm/uglify-js/jars/uglify-js-2.8.14.jar

Dependency Hierarchy: - sbt-uglify-2.0.1-SNAPSHOT (Root Library) - :x: **uglify-js-2.8.14.jar** (Vulnerable Library)

Found in HEAD commit: d4a3f852ac7ea5cb51f8a928c57c2cc3f2a3ee69

Found in base branch: main

### Vulnerability Details

The package terser before 4.8.1, from 5.0.0 and before 5.14.2 are vulnerable to Regular Expression Denial of Service (ReDoS) due to insecure usage of regular expressions.

Publish Date: 2022-07-15

URL: CVE-2022-25858

### CVSS 3 Score Details (7.5)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2022-25858

Release Date: 2022-07-15

Fix Resolution: Fable.Template.Elmish.React - 0.1.6;BlazorPolyfill.Build - 6.0.100.2;terser - 5.0.0-beta.0;Moxie - 1.0.4;SAFE.Template - 3.0.1;GR.PageRender.Razor - 1.8.0;MIDIator.WebClient - 1.0.105;ng-grid - 2.0.4;Envisia.DotNet.Templates - 3.0.1;VueJS.NetCore - 1.1.1;PugViewEngine - 0.0.1.3;Indianadavy.VueJsWebAPITemplate.CSharp - 1.0.1;NorDroN.AngularTemplate - 0.1.6;z4a-dotnet-scaffold - 1.0.0.2;Raml.Parser - 1.0.7;dotnetng.template - 1.0.0.4

## CVE-2018-20834

### Vulnerable Library - npm-4.2.0.jar

WebJar for npm

Library home page: http://webjars.org

Path to vulnerable library: /home/wss-scanner/.ivy2/cache/org.webjars/npm/jars/npm-4.2.0.jar

Dependency Hierarchy: - sbt-uglify-2.0.1-SNAPSHOT (Root Library) - sbt-js-engine-1.2.2.jar - npm_2.12-1.2.1.jar - :x: **npm-4.2.0.jar** (Vulnerable Library)

Found in HEAD commit: d4a3f852ac7ea5cb51f8a928c57c2cc3f2a3ee69

Found in base branch: main

### Vulnerability Details

A vulnerability was found in node-tar before version 4.4.2 (excluding version 2.2.2). An Arbitrary File Overwrite issue exists when extracting a tarball containing a hardlink to a file that already exists on the system, in conjunction with a later plain file with the same name as the hardlink. This plain file's content replaces the existing file's content. A patch has been applied to node-tar v2.2.2.

Publish Date: 2019-04-30

URL: CVE-2018-20834

### CVSS 3 Score Details (7.5)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: High - Availability Impact: None

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20834

Release Date: 2019-04-30

Fix Resolution: tar - 2.2.2,4.4.2

## CVE-2017-15010

### Vulnerable Library - npm-4.2.0.jar

WebJar for npm

Library home page: http://webjars.org

Path to vulnerable library: /home/wss-scanner/.ivy2/cache/org.webjars/npm/jars/npm-4.2.0.jar

Dependency Hierarchy: - sbt-uglify-2.0.1-SNAPSHOT (Root Library) - sbt-js-engine-1.2.2.jar - npm_2.12-1.2.1.jar - :x: **npm-4.2.0.jar** (Vulnerable Library)

Found in HEAD commit: d4a3f852ac7ea5cb51f8a928c57c2cc3f2a3ee69

Found in base branch: main

### Vulnerability Details

A ReDoS (regular expression denial of service) flaw was found in the tough-cookie module before 2.3.3 for Node.js. An attacker that is able to make an HTTP request using a specially crafted cookie may cause the application to consume an excessive amount of CPU.

Publish Date: 2017-10-04

URL: CVE-2017-15010

### CVSS 3 Score Details (7.5)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2017-15010

Release Date: 2017-10-04

Fix Resolution: 2.3.3

## WS-2020-0180

### Vulnerable Library - npm-4.2.0.jar

WebJar for npm

Library home page: http://webjars.org

Path to vulnerable library: /home/wss-scanner/.ivy2/cache/org.webjars/npm/jars/npm-4.2.0.jar

Dependency Hierarchy: - sbt-uglify-2.0.1-SNAPSHOT (Root Library) - sbt-js-engine-1.2.2.jar - npm_2.12-1.2.1.jar - :x: **npm-4.2.0.jar** (Vulnerable Library)

Found in HEAD commit: d4a3f852ac7ea5cb51f8a928c57c2cc3f2a3ee69

Found in base branch: main

### Vulnerability Details

The package npm-user-validate prior to version 1.0.1 is vulnerable to REDoS. The regex that validates a user's email took exponentially longer to process input strings that begin with the '@' character.

Publish Date: 2020-10-16

URL: WS-2020-0180

### CVSS 3 Score Details (7.5)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://github.com/advisories/GHSA-xgh6-85xh-479p

Release Date: 2020-10-16

Fix Resolution: 1.0.1

## WS-2018-0069

### Vulnerable Library - npm-4.2.0.jar

WebJar for npm

Library home page: http://webjars.org

Path to vulnerable library: /home/wss-scanner/.ivy2/cache/org.webjars/npm/jars/npm-4.2.0.jar

Dependency Hierarchy: - sbt-uglify-2.0.1-SNAPSHOT (Root Library) - sbt-js-engine-1.2.2.jar - npm_2.12-1.2.1.jar - :x: **npm-4.2.0.jar** (Vulnerable Library)

Found in HEAD commit: d4a3f852ac7ea5cb51f8a928c57c2cc3f2a3ee69

Found in base branch: main

### Vulnerability Details

Versions of is-my-json-valid before 1.4.1 or 2.17.2 are vulnerable to regular expression denial of service (ReDoS) via the email validation function.

Publish Date: 2018-02-14

URL: WS-2018-0069

### CVSS 3 Score Details (7.5)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://nodesecurity.io/advisories/572

Release Date: 2018-02-14

Fix Resolution: 1.4.1

## CVE-2018-3737

### Vulnerable Library - npm-4.2.0.jar

WebJar for npm

Library home page: http://webjars.org

Path to vulnerable library: /home/wss-scanner/.ivy2/cache/org.webjars/npm/jars/npm-4.2.0.jar

Dependency Hierarchy: - sbt-uglify-2.0.1-SNAPSHOT (Root Library) - sbt-js-engine-1.2.2.jar - npm_2.12-1.2.1.jar - :x: **npm-4.2.0.jar** (Vulnerable Library)

Found in HEAD commit: d4a3f852ac7ea5cb51f8a928c57c2cc3f2a3ee69

Found in base branch: main

### Vulnerability Details

sshpk is vulnerable to ReDoS when parsing crafted invalid public keys.

Publish Date: 2018-06-07

URL: CVE-2018-3737

### CVSS 3 Score Details (7.5)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://hackerone.com/reports/319593

Release Date: 2018-06-07

Fix Resolution: 1.13.2

## CVE-2017-18077

### Vulnerable Library - npm-4.2.0.jar

WebJar for npm

Library home page: http://webjars.org

Path to vulnerable library: /home/wss-scanner/.ivy2/cache/org.webjars/npm/jars/npm-4.2.0.jar

Dependency Hierarchy: - sbt-uglify-2.0.1-SNAPSHOT (Root Library) - sbt-js-engine-1.2.2.jar - npm_2.12-1.2.1.jar - :x: **npm-4.2.0.jar** (Vulnerable Library)

Found in HEAD commit: d4a3f852ac7ea5cb51f8a928c57c2cc3f2a3ee69

Found in base branch: main

### Vulnerability Details

index.js in brace-expansion before 1.1.7 is vulnerable to Regular Expression Denial of Service (ReDoS) attacks, as demonstrated by an expand argument containing many comma characters.

Publish Date: 2018-01-27

URL: CVE-2017-18077

### CVSS 3 Score Details (7.5)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2017-18077

Release Date: 2018-01-27

Fix Resolution: 1.1.7

## CVE-2019-13173

### Vulnerable Library - npm-4.2.0.jar

WebJar for npm

Library home page: http://webjars.org

Path to vulnerable library: /home/wss-scanner/.ivy2/cache/org.webjars/npm/jars/npm-4.2.0.jar

Dependency Hierarchy: - sbt-uglify-2.0.1-SNAPSHOT (Root Library) - sbt-js-engine-1.2.2.jar - npm_2.12-1.2.1.jar - :x: **npm-4.2.0.jar** (Vulnerable Library)

Found in HEAD commit: d4a3f852ac7ea5cb51f8a928c57c2cc3f2a3ee69

Found in base branch: main

### Vulnerability Details

fstream before 1.0.12 is vulnerable to Arbitrary File Overwrite. Extracting tarballs containing a hardlink to a file that already exists in the system, and a file that matches the hardlink, will overwrite the system's file with the contents of the extracted file. The fstream.DirWriter() function is vulnerable.

Publish Date: 2019-07-02

URL: CVE-2019-13173

### CVSS 3 Score Details (7.5)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: High - Availability Impact: None

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13173

Release Date: 2020-08-24

Fix Resolution: 1.0.12

## CVE-2018-18854

### Vulnerable Library - spray-json_2.12-1.3.3.jar

A Scala library for easy and idiomatic JSON (de)serialization

Library home page: https://github.com/spray/spray-json

Path to vulnerable library: /home/wss-scanner/.ivy2/cache/io.spray/spray-json_2.12/bundles/spray-json_2.12-1.3.3.jar

Dependency Hierarchy: - sbt-uglify-2.0.1-SNAPSHOT (Root Library) - sbt-js-engine-1.2.2.jar - jse_2.12-1.2.3.jar - :x: **spray-json_2.12-1.3.3.jar** (Vulnerable Library)

Found in HEAD commit: d4a3f852ac7ea5cb51f8a928c57c2cc3f2a3ee69

Found in base branch: main

### Vulnerability Details

Lightbend Spray spray-json through 1.3.4 allows remote attackers to cause a denial of service (resource consumption) because of Algorithmic Complexity during the parsing of many JSON object fields (with keys that have the same hash code).

Publish Date: 2018-10-31

URL: CVE-2018-18854

### CVSS 3 Score Details (7.5)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Release Date: 2018-10-31

Fix Resolution: io.spray:spray-json_2.10 - 1.3.5

## CVE-2018-18853

### Vulnerable Library - spray-json_2.12-1.3.3.jar

A Scala library for easy and idiomatic JSON (de)serialization

Library home page: https://github.com/spray/spray-json

Path to vulnerable library: /home/wss-scanner/.ivy2/cache/io.spray/spray-json_2.12/bundles/spray-json_2.12-1.3.3.jar

Dependency Hierarchy: - sbt-uglify-2.0.1-SNAPSHOT (Root Library) - sbt-js-engine-1.2.2.jar - jse_2.12-1.2.3.jar - :x: **spray-json_2.12-1.3.3.jar** (Vulnerable Library)

Found in HEAD commit: d4a3f852ac7ea5cb51f8a928c57c2cc3f2a3ee69

Found in base branch: main

### Vulnerability Details

Lightbend Spray spray-json through 1.3.4 allows remote attackers to cause a denial of service (resource consumption) because of Algorithmic Complexity during the parsing of a field composed of many decimal digits.

Publish Date: 2018-10-31

URL: CVE-2018-18853

### CVSS 3 Score Details (7.5)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Release Date: 2018-10-31

Fix Resolution: io.spray:spray-json_2.10 - 1.3.5

## CVE-2018-21270

### Vulnerable Library - npm-4.2.0.jar

WebJar for npm

Library home page: http://webjars.org

Path to vulnerable library: /home/wss-scanner/.ivy2/cache/org.webjars/npm/jars/npm-4.2.0.jar

Dependency Hierarchy: - sbt-uglify-2.0.1-SNAPSHOT (Root Library) - sbt-js-engine-1.2.2.jar - npm_2.12-1.2.1.jar - :x: **npm-4.2.0.jar** (Vulnerable Library)

Found in HEAD commit: d4a3f852ac7ea5cb51f8a928c57c2cc3f2a3ee69

Found in base branch: main

### Vulnerability Details

Versions less than 0.0.6 of the Node.js stringstream module are vulnerable to an out-of-bounds read because of allocation of uninitialized buffers when a number is passed in the input stream (when using Node.js 4.x).

Publish Date: 2020-12-03

URL: CVE-2018-21270

### CVSS 3 Score Details (6.5)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: High - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: Low - Integrity Impact: None - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-21270

Release Date: 2020-12-03

Fix Resolution: 0.0.6

## CVE-2019-16777

### Vulnerable Library - npm-4.2.0.jar

WebJar for npm

Library home page: http://webjars.org

Path to vulnerable library: /home/wss-scanner/.ivy2/cache/org.webjars/npm/jars/npm-4.2.0.jar

Dependency Hierarchy: - sbt-uglify-2.0.1-SNAPSHOT (Root Library) - sbt-js-engine-1.2.2.jar - npm_2.12-1.2.1.jar - :x: **npm-4.2.0.jar** (Vulnerable Library)

Found in HEAD commit: d4a3f852ac7ea5cb51f8a928c57c2cc3f2a3ee69

Found in base branch: main

### Vulnerability Details

Versions of the npm CLI prior to 6.13.4 are vulnerable to an Arbitrary File Overwrite. It fails to prevent existing globally-installed binaries from being overwritten by other package installations. For example, if a package was installed globally and created a serve binary, any subsequent installs of packages that also create a serve binary would overwrite the previous serve binary. This behavior is still allowed in local installations and also through install scripts. This vulnerability bypasses the --ignore-scripts install option.

Publish Date: 2019-12-13

URL: CVE-2019-16777

### CVSS 3 Score Details (6.5)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: Low - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: High - Availability Impact: None

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://blog.npmjs.org/post/189618601100/binary-planting-with-the-npm-cli

Release Date: 2019-12-13

Fix Resolution: npm - 6.13.4

## CVE-2020-7598

### Vulnerable Library - npm-4.2.0.jar

WebJar for npm

Library home page: http://webjars.org

Path to vulnerable library: /home/wss-scanner/.ivy2/cache/org.webjars/npm/jars/npm-4.2.0.jar

Dependency Hierarchy: - sbt-uglify-2.0.1-SNAPSHOT (Root Library) - sbt-js-engine-1.2.2.jar - npm_2.12-1.2.1.jar - :x: **npm-4.2.0.jar** (Vulnerable Library)

Found in HEAD commit: d4a3f852ac7ea5cb51f8a928c57c2cc3f2a3ee69

Found in base branch: main

### Vulnerability Details

minimist before 1.2.2 could be tricked into adding or modifying properties of Object.prototype using a "constructor" or "__proto__" payload.

Publish Date: 2020-03-11

URL: CVE-2020-7598

### CVSS 3 Score Details (5.6)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: High - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: Low - Integrity Impact: Low - Availability Impact: Low

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2020-7598

Release Date: 2020-03-11

Fix Resolution: Virteom.Tenant.Mobile.Bluetooth.iOS - 0.20.41.103-prerelease;Virteom.Public.Utilities - 0.23.37.212-prerelease;org.webjars:npm - 5.0.0-1;Indianadavy.VueJsWebAPITemplate.CSharp - 1.0.1;NorDroN.AngularTemplate - 0.1.6;Virteom.Tenant.Mobile.Framework - 0.21.29.159-prerelease;Virteom.Tenant.Mobile.Bluetooth.Android - 0.20.41.103-prerelease;z4a-dotnet-scaffold - 1.0.0.2;Raml.Parser - 2.0.0;ApiExplorer.HelpPage - 1.0.0-alpha3;CoreVueWebTest - 3.0.101;dotnetng.template - 1.0.0.4;SitecoreMaster.TrueDynamicPlaceholders - 1.0.3;Virteom.Tenant.Mobile.Framework.Android - 0.20.41.103-prerelease;Fable.Template.Elmish.React - 0.1.6;BumperLane.Public.Api.Client - 0.23.35.214-prerelease;Yarn.MSBuild - 0.24.6,0.22.0;Bridge.AWS - 0.3.30.36;Nodejs.Redist.x64 - 7.7.3.1,10.3.0;tslint - 5.6.0,6.1.1;org.webjars.npm:bourbon-neat - 2.0.0-beta.2;GR.PageRender.Razor - 1.8.0;MIDIator.WebClient - 1.0.105;EntityFramework.LookupTables - 1.1.14.119;BumperLane.Public.Service.Contracts - 0.23.35.214-prerelease;org.webjars.npm:minimist - 1.2.4;minimist - 1.2.3,0.2.1;Virteom.Tenant.Mobile.Bluetooth - 0.21.29.159-prerelease;ShowingVault.DotNet.Sdk - 0.13.41.190-prerelease;Romano.Vue - 1.0.1;Yarnpkg.Yarn - 0.26.1;Virteom.Tenant.Mobile.Framework.UWP - 0.20.41.103-prerelease;Virteom.Tenant.Mobile.Framework.iOS - 0.20.41.103-prerelease;Chutzpah - 4.4.10;BumperLane.Public.Api.V2.ClientModule - 0.23.35.214-prerelease;VueJS.NetCore - 1.1.1;Dianoga - 5.0.0-beta.1

## CVE-2017-16032

### Vulnerable Library - npm-4.2.0.jar

WebJar for npm

Library home page: http://webjars.org

Path to vulnerable library: /home/wss-scanner/.ivy2/cache/org.webjars/npm/jars/npm-4.2.0.jar

Dependency Hierarchy: - sbt-uglify-2.0.1-SNAPSHOT (Root Library) - sbt-js-engine-1.2.2.jar - npm_2.12-1.2.1.jar - :x: **npm-4.2.0.jar** (Vulnerable Library)

Found in HEAD commit: d4a3f852ac7ea5cb51f8a928c57c2cc3f2a3ee69

Found in base branch: main

### Vulnerability Details

brace-expansion before 1.1.7 is vulnerable to a regular expression denial of service.

Publish Date: 2020-07-21

URL: CVE-2017-16032

### CVSS 3 Score Details (5.5)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Local - Attack Complexity: High - Privileges Required: Low - User Interaction: Required - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: Low - Integrity Impact: Low - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/338

Release Date: 2020-07-21

Fix Resolution: v1.1.7

## WS-2018-0125

### Vulnerable Library - jackson-core-2.7.3.jar

Core Jackson abstractions, basic JSON streaming API implementation

Library home page: https://github.com/FasterXML/jackson-core

Path to vulnerable library: /home/wss-scanner/.ivy2/cache/com.fasterxml.jackson.core/jackson-core/bundles/jackson-core-2.7.3.jar

Dependency Hierarchy:

- sbt-uglify-2.0.1-SNAPSHOT (Root Library)
  - sbt-js-engine-1.2.2.jar
    - npm_2.12-1.2.1.jar
      - webjars-locator-core-0.32.jar
        - :x: **jackson-core-2.7.3.jar** (Vulnerable Library)

Found in HEAD commit: d4a3f852ac7ea5cb51f8a928c57c2cc3f2a3ee69

Found in base branch: main

### Vulnerability Details

OutOfMemoryError when writing a BigDecimal in Jackson Core before version 2.7.7. When the WRITE_BIGDECIMAL_AS_PLAIN setting is enabled, Jackson attempts to write out the whole number in plain notation, no matter how large the exponent, so a value with a huge exponent expands into a string that exhausts the heap.

Publish Date: 2016-08-25

URL: WS-2018-0125

### CVSS 3 Score Details (5.3)

Base Score Metrics:

- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: Low


### Suggested Fix

Type: Upgrade version

Release Date: 2016-08-25

Fix Resolution: com.fasterxml.jackson.core:jackson-core:2.7.7
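The WS-2018-0125 entry above describes the failure mode but not how a consumer who cannot yet move off jackson-core 2.7.3 would contain it. The following is an added example, not code from the Mend report or from the sbt-uglify project: it writes a BigDecimal with WRITE_BIGDECIMAL_AS_PLAIN enabled (the feature is off by default) but first rejects values whose scale would expand into an enormous plain-text digit string. The bound of 9999 and the names PlainBigDecimalGuard and writePlain are this example's own choices; it assumes jackson-core on the classpath.

```scala
// Added example, not part of the Mend report or the sbt-uglify project.
// Assumes jackson-core (2.7.x or later) on the classpath.
import java.io.StringWriter
import java.math.BigDecimal
import com.fasterxml.jackson.core.{JsonFactory, JsonGenerator}

object PlainBigDecimalGuard {
  // Largest |scale| we are willing to expand into plain digits. Assumed value
  // for this example; the idea is to bound the output length before calling
  // into the generator rather than to rely on the library doing so.
  val MaxPlainScale: Int = 9999

  /** Serialise `value` as a JSON number with WRITE_BIGDECIMAL_AS_PLAIN enabled.
    * Returns Left with a reason instead of attempting an expansion that would
    * allocate a string of roughly |scale| characters.
    */
  def writePlain(value: BigDecimal): Either[String, String] = {
    // scale() is negative for large positive exponents:
    // new BigDecimal("1E+2000000000").scale == -2000000000, whose plain form
    // would be a '1' followed by two billion zeros.
    if (math.abs(value.scale) > MaxPlainScale)
      Left(s"refusing to expand BigDecimal with scale ${value.scale}")
    else {
      val out = new StringWriter()
      val gen = new JsonFactory().createGenerator(out)
      gen.enable(JsonGenerator.Feature.WRITE_BIGDECIMAL_AS_PLAIN)
      gen.writeNumber(value)
      gen.close()
      Right(out.toString)
    }
  }

  def main(args: Array[String]): Unit = {
    // Constructed inputs for the example.
    println(writePlain(new BigDecimal("1.5E+3")))          // Right(1500)
    println(writePlain(new BigDecimal("1E+2000000000")))   // Left(refusing to expand ...)
  }
}
```

The guard is only needed where WRITE_BIGDECIMAL_AS_PLAIN is turned on for numbers that originate from untrusted input; with the feature left at its default (disabled) the generator emits scientific notation and the expansion never happens.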

## WS-2018-0124

### Vulnerable Library - jackson-core-2.7.3.jar

Core Jackson abstractions, basic JSON streaming API implementation

Library home page: https://github.com/FasterXML/jackson-core

Path to vulnerable library: /home/wss-scanner/.ivy2/cache/com.fasterxml.jackson.core/jackson-core/bundles/jackson-core-2.7.3.jar

Dependency Hierarchy:

- sbt-uglify-2.0.1-SNAPSHOT (Root Library)
  - sbt-js-engine-1.2.2.jar
    - npm_2.12-1.2.1.jar
      - webjars-locator-core-0.32.jar
        - :x: **jackson-core-2.7.3.jar** (Vulnerable Library)

Found in HEAD commit: d4a3f852ac7ea5cb51f8a928c57c2cc3f2a3ee69

Found in base branch: main

### Vulnerability Details

In Jackson Core before version 2.8.6, if a REST endpoint consumes POST requests with JSON or XML data and the data is invalid, the first unrecognized token is printed to server.log. If that first token is a single word 10 MB long, the whole word is printed. An attacker can use this to fill the server's disk with log output.

Publish Date: 2018-06-24

URL: WS-2018-0124

### CVSS 3 Score Details (5.3)

Base Score Metrics:

- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: Low


### Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=WS-2018-0124

Release Date: 2018-01-24

Fix Resolution: 2.8.6

## WS-2020-0342

### Vulnerable Library - npm-4.2.0.jar

WebJar for npm

Library home page: http://webjars.org

Path to vulnerable library: /home/wss-scanner/.ivy2/cache/org.webjars/npm/jars/npm-4.2.0.jar

Dependency Hierarchy:

- sbt-uglify-2.0.1-SNAPSHOT (Root Library)
  - sbt-js-engine-1.2.2.jar
    - npm_2.12-1.2.1.jar
      - :x: **npm-4.2.0.jar** (Vulnerable Library)

Found in HEAD commit: d4a3f852ac7ea5cb51f8a928c57c2cc3f2a3ee69

Found in base branch: main

### Vulnerability Details

A Regular Expression Denial of Service (ReDoS) vulnerability was found in is-my-json-valid before 2.20.2, reachable via the style format.

Publish Date: 2020-06-27

URL: WS-2020-0342

### CVSS 3 Score Details (5.3)

Base Score Metrics:

- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: Low


### Suggested Fix

Type: Upgrade version

Release Date: 2020-06-27

Fix Resolution: is-my-json-valid - 2.20.2

## CVE-2021-23362

### Vulnerable Library - npm-4.2.0.jar

WebJar for npm

Library home page: http://webjars.org

Path to vulnerable library: /home/wss-scanner/.ivy2/cache/org.webjars/npm/jars/npm-4.2.0.jar

Dependency Hierarchy:

- sbt-uglify-2.0.1-SNAPSHOT (Root Library)
  - sbt-js-engine-1.2.2.jar
    - npm_2.12-1.2.1.jar
      - :x: **npm-4.2.0.jar** (Vulnerable Library)

Found in HEAD commit: d4a3f852ac7ea5cb51f8a928c57c2cc3f2a3ee69

Found in base branch: main

### Vulnerability Details

The package hosted-git-info before 3.0.8 is vulnerable to Regular Expression Denial of Service (ReDoS) via the regular expression shortcutMatch in the fromUrl function in index.js. The affected regular expression exhibits polynomial worst-case time complexity.

Publish Date: 2021-03-23

URL: CVE-2021-23362

### CVSS 3 Score Details (5.3)

Base Score Metrics:

- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: Low


### Suggested Fix

Type: Upgrade version

Origin: https://github.com/advisories/GHSA-43f8-2h32-f4cj

Release Date: 2021-03-23

Fix Resolution: hosted-git-info - 2.8.9,3.0.8

## CVE-2018-1107

### Vulnerable Library - npm-4.2.0.jar

WebJar for npm

Library home page: http://webjars.org

Path to vulnerable library: /home/wss-scanner/.ivy2/cache/org.webjars/npm/jars/npm-4.2.0.jar

Dependency Hierarchy:

- sbt-uglify-2.0.1-SNAPSHOT (Root Library)
  - sbt-js-engine-1.2.2.jar
    - npm_2.12-1.2.1.jar
      - :x: **npm-4.2.0.jar** (Vulnerable Library)

Found in HEAD commit: d4a3f852ac7ea5cb51f8a928c57c2cc3f2a3ee69

Found in base branch: main

### Vulnerability Details

It was discovered that the is-my-json-valid JavaScript library used an inefficient regular expression to validate JSON fields defined to have email format. A specially crafted JSON file could cause it to consume an excessive amount of CPU time when validated.

Publish Date: 2021-03-30

URL: CVE-2018-1107

### CVSS 3 Score Details (5.3)

Base Score Metrics:

- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: Low


### Suggested Fix

Type: Upgrade version

Origin: https://bugzilla.redhat.com/show_bug.cgi?id=1546357

Release Date: 2021-03-30

Fix Resolution: 1.4.2,2.17.2

## WS-2018-0076

### Vulnerable Library - npm-4.2.0.jar

WebJar for npm

Library home page: http://webjars.org

Path to vulnerable library: /home/wss-scanner/.ivy2/cache/org.webjars/npm/jars/npm-4.2.0.jar

Dependency Hierarchy:

- sbt-uglify-2.0.1-SNAPSHOT (Root Library)
  - sbt-js-engine-1.2.2.jar
    - npm_2.12-1.2.1.jar
      - :x: **npm-4.2.0.jar** (Vulnerable Library)

Found in HEAD commit: d4a3f852ac7ea5cb51f8a928c57c2cc3f2a3ee69

Found in base branch: main

### Vulnerability Details

Versions of tunnel-agent before 0.6.0 are vulnerable to memory exposure. This is exploitable if user-supplied input is passed as the auth value and that value is a number.

Publish Date: 2017-03-05

URL: WS-2018-0076

### CVSS 3 Score Details (5.1)

Base Score Metrics:

- Exploitability Metrics:
  - Attack Vector: Local
  - Attack Complexity: High
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: None
  - Availability Impact: None


### Suggested Fix

Type: Upgrade version

Origin: https://nodesecurity.io/advisories/598

Release Date: 2017-03-05

Fix Resolution: 0.6.0
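Every finding in this section sits behind two transitive artifacts, org.webjars:npm 4.2.0 (pulled in by sbt-js-engine 1.2.2 through npm_2.12 1.2.1) and jackson-core 2.7.3 (through webjars-locator-core 0.32), and the report names no sbt-uglify release that fixes them. The build fragment below is an added example, not part of the Mend report or of the sbt-uglify project: it pins both artifacts with sbt's dependencyOverrides to the fix versions the report itself lists (org.webjars:npm 5.0.0-1 from the fix resolution earlier in the report, and jackson-core 2.8.6, the later of the two jackson fixes, which also covers the 2.7.7 requirement). It assumes sbt 1.x, which the _2.12 suffixes on npm_2.12 and akka-actor_2.12 indicate, and belongs in whichever build file declares the sbt-js-engine dependency: build.sbt when building sbt-uglify itself, project/plugins.sbt when a downstream project only consumes the plugin. Whether npm 5.0.0-1 ships fixed copies of brace-expansion, is-my-json-valid, hosted-git-info and tunnel-agent is not stated in the report and has to be confirmed against the jar's contents.

```scala
// Added example, not from the sbt-uglify project or the Mend report.
// Place in build.sbt (sbt-uglify's own build) or project/plugins.sbt
// (a project that only uses the plugin). Assumes sbt 1.x, where
// dependencyOverrides is a Seq[ModuleID].

// Force the resolver to pick these versions no matter what
// sbt-js-engine 1.2.2 -> npm_2.12 1.2.1 -> webjars-locator-core 0.32
// request transitively.
dependencyOverrides ++= Seq(
  // WebJar for npm; the report lists 5.0.0-1 as a fix resolution.
  // Major-version jump: rerun the plugin's tests after applying it.
  "org.webjars" % "npm" % "5.0.0-1",

  // jackson-core: 2.7.7 fixes WS-2018-0125, 2.8.6 fixes WS-2018-0124,
  // so the later version satisfies both.
  "com.fasterxml.jackson.core" % "jackson-core" % "2.8.6"
)
```

After reloading, `sbt "show dependencyOverrides"` confirms the pins are in effect and `sbt evicted` lists what was displaced; rescan with the same tooling that produced this report to confirm the findings clear, since an override only changes what is resolved, not whether the plugin still works against the newer npm webjar.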

dev-mend-for-github-com[bot] commented 1 year ago

:heavy_check_mark: This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory.