search

ZSBRybnik / backend

MIT License
2 stars 0 forks source link

graphql-config-4.3.1.tgz: 6 vulnerabilities (highest severity is: 9.8) - autoclosed #349

Closed mend-bolt-for-github[bot] closed 1 year ago

mend-bolt-for-github[bot] commented 2 years ago
Vulnerable Library - graphql-config-4.3.1.tgz

Found in HEAD commit: d6f11282ee9f4af0baad5df06570b6a9700994af

Vulnerabilities

CVE Severity CVSS Dependency Type Fixed in (graphql-config version) Remediation Available
CVE-2022-35949 High 9.8 undici-5.5.1.tgz Transitive N/A*
CVE-2023-24807 High 7.5 undici-5.5.1.tgz Transitive 4.3.2
CVE-2022-31151 Medium 6.5 undici-5.5.1.tgz Transitive 4.3.2
CVE-2022-31150 Medium 6.5 undici-5.5.1.tgz Transitive 4.3.2
CVE-2023-23936 Medium 5.4 undici-5.5.1.tgz Transitive 4.3.2
CVE-2022-35948 Medium 5.3 undici-5.5.1.tgz Transitive 4.3.2

*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the section "Details" below to see if there is a version of transitive dependency where vulnerability is fixed.

Details

CVE-2022-35949 ### Vulnerable Library - undici-5.5.1.tgz

An HTTP/1.1 client, written from scratch for Node.js

Library home page: https://registry.npmjs.org/undici/-/undici-5.5.1.tgz

Dependency Hierarchy: - graphql-config-4.3.1.tgz (Root Library) - url-loader-7.13.0.tgz - fetch-0.0.2.tgz - :x: **undici-5.5.1.tgz** (Vulnerable Library)

Found in HEAD commit: d6f11282ee9f4af0baad5df06570b6a9700994af

Found in base branch: master

### Vulnerability Details

undici is an HTTP/1.1 client, written from scratch for Node.js.`undici` is vulnerable to SSRF (Server-side Request Forgery) when an application takes in **user input** into the `path/pathname` option of `undici.request`. If a user specifies a URL such as `http://127.0.0.1` or `//127.0.0.1` ```js const undici = require("undici") undici.request({origin: "http://example.com", pathname: "//127.0.0.1"}) ``` Instead of processing the request as `http://example.org//127.0.0.1` (or `http://example.org/http://127.0.0.1` when `http://127.0.0.1 is used`), it actually processes the request as `http://127.0.0.1/` and sends it to `http://127.0.0.1`. If a developer passes in user input into `path` parameter of `undici.request`, it can result in an _SSRF_ as they will assume that the hostname cannot change, when in actual fact it can change because the specified path parameter is combined with the base URL. This issue was fixed in `undici@5.8.1`. The best workaround is to validate user input before passing it to the `undici.request` call.

Publish Date: 2022-08-12

URL: CVE-2022-35949

### CVSS 3 Score Details (9.8)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-35949

Release Date: 2022-08-12

Fix Resolution: undici - 5.8.2

Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2023-24807 ### Vulnerable Library - undici-5.5.1.tgz

An HTTP/1.1 client, written from scratch for Node.js

Library home page: https://registry.npmjs.org/undici/-/undici-5.5.1.tgz

Dependency Hierarchy: - graphql-config-4.3.1.tgz (Root Library) - url-loader-7.13.0.tgz - fetch-0.0.2.tgz - :x: **undici-5.5.1.tgz** (Vulnerable Library)

Found in HEAD commit: d6f11282ee9f4af0baad5df06570b6a9700994af

Found in base branch: master

### Vulnerability Details

Undici is an HTTP/1.1 client for Node.js. Prior to version 5.19.1, the `Headers.set()` and `Headers.append()` methods are vulnerable to Regular Expression Denial of Service (ReDoS) attacks when untrusted values are passed into the functions. This is due to the inefficient regular expression used to normalize the values in the `headerValueNormalize()` utility function. This vulnerability was patched in v5.19.1. No known workarounds are available.

Publish Date: 2023-02-16

URL: CVE-2023-24807

### CVSS 3 Score Details (7.5)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://github.com/nodejs/undici/security/advisories/GHSA-r6ch-mqf9-qc9w

Release Date: 2023-02-16

Fix Resolution (undici): 5.19.1

Direct dependency fix Resolution (graphql-config): 4.3.2

Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2022-31151 ### Vulnerable Library - undici-5.5.1.tgz

An HTTP/1.1 client, written from scratch for Node.js

Library home page: https://registry.npmjs.org/undici/-/undici-5.5.1.tgz

Dependency Hierarchy: - graphql-config-4.3.1.tgz (Root Library) - url-loader-7.13.0.tgz - fetch-0.0.2.tgz - :x: **undici-5.5.1.tgz** (Vulnerable Library)

Found in HEAD commit: d6f11282ee9f4af0baad5df06570b6a9700994af

Found in base branch: master

### Vulnerability Details

Authorization headers are cleared on cross-origin redirect. However, cookie headers which are sensitive headers and are official headers found in the spec, remain uncleared. There are active users using cookie headers in undici. This may lead to accidental leakage of cookie to a 3rd-party site or a malicious attacker who can control the redirection target (ie. an open redirector) to leak the cookie to the 3rd party site. This was patched in v5.7.1. By default, this vulnerability is not exploitable. Do not enable redirections, i.e. `maxRedirections: 0` (the default).

Publish Date: 2022-07-21

URL: CVE-2022-31151

### CVSS 3 Score Details (6.5)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: Low - Integrity Impact: Low - Availability Impact: None

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://github.com/nodejs/undici/security/advisories/GHSA-q768-x9m6-m9qp

Release Date: 2022-07-21

Fix Resolution (undici): 5.8.0

Direct dependency fix Resolution (graphql-config): 4.3.2

Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2022-31150 ### Vulnerable Library - undici-5.5.1.tgz

An HTTP/1.1 client, written from scratch for Node.js

Library home page: https://registry.npmjs.org/undici/-/undici-5.5.1.tgz

Dependency Hierarchy: - graphql-config-4.3.1.tgz (Root Library) - url-loader-7.13.0.tgz - fetch-0.0.2.tgz - :x: **undici-5.5.1.tgz** (Vulnerable Library)

Found in HEAD commit: d6f11282ee9f4af0baad5df06570b6a9700994af

Found in base branch: master

### Vulnerability Details

undici is an HTTP/1.1 client, written from scratch for Node.js. It is possible to inject CRLF sequences into request headers in undici in versions less than 5.7.1. A fix was released in version 5.8.0. Sanitizing all HTTP headers from untrusted sources to eliminate `\r\n` is a workaround for this issue.

Publish Date: 2022-07-19

URL: CVE-2022-31150

### CVSS 3 Score Details (6.5)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: Low - Integrity Impact: Low - Availability Impact: None

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31150

Release Date: 2022-07-19

Fix Resolution (undici): 5.8.0

Direct dependency fix Resolution (graphql-config): 4.3.2

Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2023-23936 ### Vulnerable Library - undici-5.5.1.tgz

An HTTP/1.1 client, written from scratch for Node.js

Library home page: https://registry.npmjs.org/undici/-/undici-5.5.1.tgz

Dependency Hierarchy: - graphql-config-4.3.1.tgz (Root Library) - url-loader-7.13.0.tgz - fetch-0.0.2.tgz - :x: **undici-5.5.1.tgz** (Vulnerable Library)

Found in HEAD commit: d6f11282ee9f4af0baad5df06570b6a9700994af

Found in base branch: master

### Vulnerability Details

Undici is an HTTP/1.1 client for Node.js. Starting with version 2.0.0 and prior to version 5.19.1, the undici library does not protect `host` HTTP header from CRLF injection vulnerabilities. This issue is patched in Undici v5.19.1. As a workaround, sanitize the `headers.host` string before passing to undici.

Publish Date: 2023-02-16

URL: CVE-2023-23936

### CVSS 3 Score Details (5.4)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: Required - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: Low - Integrity Impact: Low - Availability Impact: None

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://github.com/nodejs/undici/security/advisories/GHSA-5r9g-qh6m-jxff

Release Date: 2023-02-16

Fix Resolution (undici): 5.19.1

Direct dependency fix Resolution (graphql-config): 4.3.2

Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2022-35948 ### Vulnerable Library - undici-5.5.1.tgz

An HTTP/1.1 client, written from scratch for Node.js

Library home page: https://registry.npmjs.org/undici/-/undici-5.5.1.tgz

Dependency Hierarchy: - graphql-config-4.3.1.tgz (Root Library) - url-loader-7.13.0.tgz - fetch-0.0.2.tgz - :x: **undici-5.5.1.tgz** (Vulnerable Library)

Found in HEAD commit: d6f11282ee9f4af0baad5df06570b6a9700994af

Found in base branch: master

### Vulnerability Details

undici is an HTTP/1.1 client, written from scratch for Node.js.`=< undici@5.8.0` users are vulnerable to _CRLF Injection_ on headers when using unsanitized input as request headers, more specifically, inside the `content-type` header. Example: ``` import { request } from 'undici' const unsanitizedContentTypeInput = 'application/json\r\n\r\nGET /foo2 HTTP/1.1' await request('http://localhost:3000, { method: 'GET', headers: { 'content-type': unsanitizedContentTypeInput }, }) ``` The above snippet will perform two requests in a single `request` API call: 1) `http://localhost:3000/` 2) `http://localhost:3000/foo2` This issue was patched in Undici v5.8.1. Sanitize input when sending content-type headers using user input as a workaround.

Publish Date: 2022-08-15

URL: CVE-2022-35948

### CVSS 3 Score Details (5.3)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: Low - Availability Impact: None

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-35948

Release Date: 2022-08-15

Fix Resolution (undici): 5.8.2

Direct dependency fix Resolution (graphql-config): 4.3.2

Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
mend-bolt-for-github[bot] commented 1 year ago

:heavy_check_mark: This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory.