Open mend-for-github-com[bot] opened 1 year ago
:heavy_check_mark: This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory.
:information_source: This issue was automatically re-opened by Mend because the vulnerable library in the specific branch(es) has been detected in the Mend inventory.
Vulnerable Library - log4js-2.11.0.tgz
Port of Log4js to work with node.
Library home page: https://registry.npmjs.org/log4js/-/log4js-2.11.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/log4js/package.json
Found in HEAD commit: 5781fac96ec7c7bdd424bfbbdfcce4199e53c092
Vulnerabilities
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
CVE-2023-42282
### Vulnerable Libraries - ip-1.1.5.tgz, ip-1.1.8.tgz

### ip-1.1.5.tgz
[![](https://badge.fury.io/js/ip.svg)](https://www.npmjs.com/package/ip)
Library home page: https://registry.npmjs.org/ip/-/ip-1.1.5.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/socks-proxy-agent/node_modules/ip/package.json
Dependency Hierarchy:
- log4js-2.11.0.tgz (Root Library)
  - mailgun-js-0.18.1.tgz
    - proxy-agent-3.0.3.tgz
      - socks-proxy-agent-4.0.2.tgz
        - socks-2.3.3.tgz
          - :x: **ip-1.1.5.tgz** (Vulnerable Library)

### ip-1.1.8.tgz
[![](https://badge.fury.io/js/ip.svg)](https://www.npmjs.com/package/ip)
Library home page: https://registry.npmjs.org/ip/-/ip-1.1.8.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/ip/package.json
Dependency Hierarchy:
- log4js-2.11.0.tgz (Root Library)
  - nodemailer-2.7.2.tgz
    - socks-1.1.9.tgz
      - :x: **ip-1.1.8.tgz** (Vulnerable Library)
Found in HEAD commit: 5781fac96ec7c7bdd424bfbbdfcce4199e53c092
Found in base branch: main
### Vulnerability Details

The ip package before 1.1.9 for Node.js might allow SSRF because some IP addresses (such as 0x7f.1) are improperly categorized as globally routable via isPublic.
Publish Date: 2024-02-08
URL: CVE-2023-42282

### CVSS 3 Score Details (9.8)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version
Origin: https://github.com/advisories/GHSA-78xj-cgh5-2h22
Release Date: 2024-02-08
Fix Resolution (ip): 1.1.9
Direct dependency fix Resolution (log4js): 3.0.0
Fix Resolution (ip): 1.1.9
Direct dependency fix Resolution (log4js): 3.0.0
:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.

CVE-2018-1000620

### Vulnerable Library - cryptiles-2.0.5.tgz

General purpose crypto utilities
Library home page: https://registry.npmjs.org/cryptiles/-/cryptiles-2.0.5.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/cryptiles/package.json
Dependency Hierarchy:
- log4js-2.11.0.tgz (Root Library)
  - loggly-1.1.1.tgz
    - request-2.75.0.tgz
      - hawk-3.1.3.tgz
        - :x: **cryptiles-2.0.5.tgz** (Vulnerable Library)
Found in HEAD commit: 5781fac96ec7c7bdd424bfbbdfcce4199e53c092
Found in base branch: main
### Vulnerability Details

Eran Hammer's cryptiles, version 4.1.1 and earlier, contains a CWE-331 (Insufficient Entropy) vulnerability in the randomDigits() method: an attacker is more likely to be able to brute-force a value that was supposed to be random. Whether this is exploitable depends on the calling application. This vulnerability appears to have been fixed in 4.1.2.
Publish Date: 2018-07-09
URL: CVE-2018-1000620

### CVSS 3 Score Details (9.8)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version
Origin: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-1000620
Release Date: 2018-07-09
Fix Resolution (cryptiles): 4.1.2
Direct dependency fix Resolution (log4js): 3.0.0
:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.

CVE-2024-29415

### Vulnerable Libraries - ip-1.1.8.tgz, ip-1.1.5.tgz

### ip-1.1.8.tgz
[![](https://badge.fury.io/js/ip.svg)](https://www.npmjs.com/package/ip)
Library home page: https://registry.npmjs.org/ip/-/ip-1.1.8.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/ip/package.json
Dependency Hierarchy:
- log4js-2.11.0.tgz (Root Library)
  - nodemailer-2.7.2.tgz
    - socks-1.1.9.tgz
      - :x: **ip-1.1.8.tgz** (Vulnerable Library)

### ip-1.1.5.tgz
[![](https://badge.fury.io/js/ip.svg)](https://www.npmjs.com/package/ip)
Library home page: https://registry.npmjs.org/ip/-/ip-1.1.5.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/socks-proxy-agent/node_modules/ip/package.json
Dependency Hierarchy:
- log4js-2.11.0.tgz (Root Library)
  - mailgun-js-0.18.1.tgz
    - proxy-agent-3.0.3.tgz
      - socks-proxy-agent-4.0.2.tgz
        - socks-2.3.3.tgz
          - :x: **ip-1.1.5.tgz** (Vulnerable Library)
Found in HEAD commit: 5781fac96ec7c7bdd424bfbbdfcce4199e53c092
Found in base branch: main
### Vulnerability Details

The ip package through 2.0.1 for Node.js might allow SSRF because some IP addresses (such as 127.1, 01200034567, 012.1.2.3, 000:0:0000::01, and ::fFFf:127.0.0.1) are improperly categorized as globally routable via isPublic. NOTE: this issue exists because of an incomplete fix for CVE-2023-42282.
Publish Date: 2024-05-27
URL: CVE-2024-29415

### CVSS 3 Score Details (9.1)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: None

For more information on CVSS3 Scores, click here.

CVE-2021-28918
### Vulnerable Library - netmask-1.0.6.tgz

Parse and lookup IP network blocks
Library home page: https://registry.npmjs.org/netmask/-/netmask-1.0.6.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/netmask/package.json
Dependency Hierarchy:
- log4js-2.11.0.tgz (Root Library)
  - mailgun-js-0.18.1.tgz
    - proxy-agent-3.0.3.tgz
      - pac-proxy-agent-3.0.1.tgz
        - pac-resolver-3.0.0.tgz
          - :x: **netmask-1.0.6.tgz** (Vulnerable Library)
Found in HEAD commit: 5781fac96ec7c7bdd424bfbbdfcce4199e53c092
Found in base branch: main
### Vulnerability Details

Improper input validation of octal strings in netmask npm package v1.0.6 and below allows unauthenticated remote attackers to perform indeterminate SSRF, RFI, and LFI attacks on many of the dependent packages. A remote unauthenticated attacker can bypass packages relying on netmask to filter IPs and reach critical VPN or LAN hosts.
Publish Date: 2021-04-01
URL: CVE-2021-28918

### CVSS 3 Score Details (9.1)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: None

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version
Origin: https://github.com/advisories/GHSA-pch5-whg9-qr2r
Release Date: 2021-04-01
Fix Resolution (netmask): 2.0.1
Direct dependency fix Resolution (log4js): 3.0.0
:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.

CVE-2018-3728

### Vulnerable Library - hoek-2.16.3.tgz

General purpose node utilities
Library home page: https://registry.npmjs.org/hoek/-/hoek-2.16.3.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/hoek/package.json
Dependency Hierarchy:
- log4js-2.11.0.tgz (Root Library)
  - loggly-1.1.1.tgz
    - request-2.75.0.tgz
      - hawk-3.1.3.tgz
        - :x: **hoek-2.16.3.tgz** (Vulnerable Library)
Found in HEAD commit: 5781fac96ec7c7bdd424bfbbdfcce4199e53c092
Found in base branch: main
### Vulnerability Details

hoek node module before 4.2.0 and 5.0.x before 5.0.3 suffers from a Modification of Assumed-Immutable Data (MAID) vulnerability via 'merge' and 'applyToDefaults' functions, which allows a malicious user to modify the prototype of "Object" via __proto__, causing the addition or modification of an existing property that will exist on all objects.
Publish Date: 2018-03-30
URL: CVE-2018-3728

### CVSS 3 Score Details (8.8)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: Low
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16082
Release Date: 2018-03-30
Fix Resolution (hoek): 4.2.0
Direct dependency fix Resolution (log4js): 3.0.0
:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.

CVE-2020-7769

### Vulnerable Library - nodemailer-2.7.2.tgz

Easy as cake e-mail sending from your Node.js applications
Library home page: https://registry.npmjs.org/nodemailer/-/nodemailer-2.7.2.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/nodemailer/package.json
Dependency Hierarchy:
- log4js-2.11.0.tgz (Root Library)
  - :x: **nodemailer-2.7.2.tgz** (Vulnerable Library)
Found in HEAD commit: 5781fac96ec7c7bdd424bfbbdfcce4199e53c092
Found in base branch: main
### Vulnerability Details

This affects the package nodemailer before 6.4.16. Use of crafted recipient email addresses may result in arbitrary command flag injection in sendmail transport for sending mails.
Publish Date: 2020-11-12
URL: CVE-2020-7769

### CVSS 3 Score Details (8.6)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: Low
  - Integrity Impact: Low
  - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2020-7769
Release Date: 2020-11-12
Fix Resolution (nodemailer): 6.4.16
Direct dependency fix Resolution (log4js): 3.0.0
:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.

CVE-2021-23406

### Vulnerable Libraries - pac-resolver-3.0.0.tgz, degenerator-1.0.4.tgz

### pac-resolver-3.0.0.tgz
Generates an asynchronous resolver function from a PAC file
Library home page: https://registry.npmjs.org/pac-resolver/-/pac-resolver-3.0.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/pac-resolver/package.json
Dependency Hierarchy:
- log4js-2.11.0.tgz (Root Library)
  - mailgun-js-0.18.1.tgz
    - proxy-agent-3.0.3.tgz
      - pac-proxy-agent-3.0.1.tgz
        - :x: **pac-resolver-3.0.0.tgz** (Vulnerable Library)

### degenerator-1.0.4.tgz
Turns sync functions into async generator functions
Library home page: https://registry.npmjs.org/degenerator/-/degenerator-1.0.4.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/degenerator/package.json
Dependency Hierarchy:
- log4js-2.11.0.tgz (Root Library)
  - mailgun-js-0.18.1.tgz
    - proxy-agent-3.0.3.tgz
      - pac-proxy-agent-3.0.1.tgz
        - pac-resolver-3.0.0.tgz
          - :x: **degenerator-1.0.4.tgz** (Vulnerable Library)
Found in HEAD commit: 5781fac96ec7c7bdd424bfbbdfcce4199e53c092
Found in base branch: main
### Vulnerability Details

This affects the package pac-resolver before 5.0.0. This can occur when used with untrusted input, due to unsafe PAC file handling. **NOTE:** The fix for this vulnerability is applied in the node-degenerator library, a dependency written by the same maintainer.
Publish Date: 2021-08-24
URL: CVE-2021-23406

### CVSS 3 Score Details (8.1)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: High
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version
Origin: https://github.com/advisories/GHSA-9j49-mfvp-vmhm
Release Date: 2021-08-24
Fix Resolution (pac-resolver): 5.0.0
Direct dependency fix Resolution (log4js): 3.0.0
Fix Resolution (degenerator): 5.0.0
Direct dependency fix Resolution (log4js): 3.0.0
:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.

WS-2023-0439

### Vulnerable Library - axios-0.15.3.tgz

Promise based HTTP client for the browser and node.js
Library home page: https://registry.npmjs.org/axios/-/axios-0.15.3.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/axios/package.json
Dependency Hierarchy:
- log4js-2.11.0.tgz (Root Library)
  - :x: **axios-0.15.3.tgz** (Vulnerable Library)
Found in HEAD commit: 5781fac96ec7c7bdd424bfbbdfcce4199e53c092
Found in base branch: main
### Vulnerability Details

Axios is vulnerable to Regular Expression Denial of Service (ReDoS). When a manipulated string is provided as input to the format method, the regular expression exhibits a time complexity of O(n^2). The server becomes unable to provide normal service due to the excessive cost and time wasted in processing vulnerable regular expressions.
Publish Date: 2023-10-25
URL: WS-2023-0439

### CVSS 3 Score Details (7.5)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/WS-2023-0439
Release Date: 2023-10-25
Fix Resolution (axios): 0.20.0
Direct dependency fix Resolution (log4js): 3.0.0
:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.

CVE-2022-0654

### Vulnerable Library - requestretry-1.13.0.tgz

request-retry wrap nodejs request to retry http(s) requests in case of error
Library home page: https://registry.npmjs.org/requestretry/-/requestretry-1.13.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/requestretry/package.json
Dependency Hierarchy:
- log4js-2.11.0.tgz (Root Library)
  - slack-node-0.2.0.tgz
    - :x: **requestretry-1.13.0.tgz** (Vulnerable Library)
Found in HEAD commit: 5781fac96ec7c7bdd424bfbbdfcce4199e53c092
Found in base branch: main
### Vulnerability Details

Exposure of Sensitive Information to an Unauthorized Actor in GitHub repository fgribreau/node-request-retry prior to 7.0.0.
Publish Date: 2022-02-22
URL: CVE-2022-0654

### CVSS 3 Score Details (7.5)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: None
  - Availability Impact: None

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0654
Release Date: 2022-02-23
Fix Resolution (requestretry): 7.0.0
Direct dependency fix Resolution (log4js): 3.0.0
:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.

CVE-2021-3749

### Vulnerable Library - axios-0.15.3.tgz

Promise based HTTP client for the browser and node.js
Library home page: https://registry.npmjs.org/axios/-/axios-0.15.3.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/axios/package.json
Dependency Hierarchy:
- log4js-2.11.0.tgz (Root Library)
  - :x: **axios-0.15.3.tgz** (Vulnerable Library)
Found in HEAD commit: 5781fac96ec7c7bdd424bfbbdfcce4199e53c092
Found in base branch: main
### Vulnerability Details

axios is vulnerable to Inefficient Regular Expression Complexity
Publish Date: 2021-08-31
URL: CVE-2021-3749

### CVSS 3 Score Details (7.5)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version
Origin: https://huntr.dev/bounties/1e8f07fc-c384-4ff9-8498-0690de2e8c31/
Release Date: 2021-08-31
Fix Resolution (axios): 0.18.1
Direct dependency fix Resolution (log4js): 3.0.0
:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.

CVE-2019-10742

### Vulnerable Library - axios-0.15.3.tgz

Promise based HTTP client for the browser and node.js
Library home page: https://registry.npmjs.org/axios/-/axios-0.15.3.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/axios/package.json
Dependency Hierarchy:
- log4js-2.11.0.tgz (Root Library)
  - :x: **axios-0.15.3.tgz** (Vulnerable Library)
Found in HEAD commit: 5781fac96ec7c7bdd424bfbbdfcce4199e53c092
Found in base branch: main
### Vulnerability Details

Axios up to and including 0.18.0 allows attackers to cause a denial of service (application crash) by continuing to accept content after maxContentLength is exceeded.
Publish Date: 2019-05-07
URL: CVE-2019-10742

### CVSS 3 Score Details (7.5)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version
Origin: https://github.com/advisories/GHSA-42xw-2xvc-qx8m
Release Date: 2019-05-07
Fix Resolution (axios): 0.18.1
Direct dependency fix Resolution (log4js): 3.0.0
:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.

CVE-2017-16115

### Vulnerable Library - timespan-2.3.0.tgz

A JavaScript TimeSpan library for node.js (and soon the browser)
Library home page: https://registry.npmjs.org/timespan/-/timespan-2.3.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/timespan/package.json
Dependency Hierarchy:
- log4js-2.11.0.tgz (Root Library)
  - loggly-1.1.1.tgz
    - :x: **timespan-2.3.0.tgz** (Vulnerable Library)
Found in HEAD commit: 5781fac96ec7c7bdd424bfbbdfcce4199e53c092
Found in base branch: main
### Vulnerability Details

The timespan module is vulnerable to regular expression denial of service. Given 50k characters of untrusted user input it will block the event loop for around 10 seconds.
Publish Date: 2018-06-07
URL: CVE-2017-16115

### CVSS 3 Score Details (7.5)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High

For more information on CVSS3 Scores, click here.

CVE-2022-29167
### Vulnerable Library - hawk-3.1.3.tgz

HTTP Hawk Authentication Scheme
Library home page: https://registry.npmjs.org/hawk/-/hawk-3.1.3.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/hawk/package.json
Dependency Hierarchy:
- log4js-2.11.0.tgz (Root Library)
  - loggly-1.1.1.tgz
    - request-2.75.0.tgz
      - :x: **hawk-3.1.3.tgz** (Vulnerable Library)
Found in HEAD commit: 5781fac96ec7c7bdd424bfbbdfcce4199e53c092
Found in base branch: main
### Vulnerability Details

Hawk is an HTTP authentication scheme providing mechanisms for making authenticated HTTP requests with partial cryptographic verification of the request and response, covering the HTTP method, request URI, host, and optionally the request payload. Hawk used a regular expression to parse the `Host` HTTP header (`Hawk.utils.parseHost()`), which was subject to a regular expression DoS attack, meaning each added character in the attacker's input increases the computation time exponentially. `parseHost()` was patched in `9.0.1` to use the built-in `URL` class to parse the hostname instead. `Hawk.authenticate()` accepts an `options` argument. If that contains `host` and `port`, those are used instead of a call to `utils.parseHost()`.
Publish Date: 2022-05-05
URL: CVE-2022-29167

### CVSS 3 Score Details (7.4)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: Required
  - Scope: Changed
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version
Origin: https://github.com/mozilla/hawk/security/advisories/GHSA-44pw-h2cw-w3vq
Release Date: 2022-05-05
Fix Resolution (hawk): 9.0.1
Direct dependency fix Resolution (log4js): 3.0.0
:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.

CVE-2023-26159

### Vulnerable Library - follow-redirects-1.0.0.tgz

HTTP and HTTPS modules that follow redirects.
Library home page: https://registry.npmjs.org/follow-redirects/-/follow-redirects-1.0.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/follow-redirects/package.json
Dependency Hierarchy:
- log4js-2.11.0.tgz (Root Library)
  - axios-0.15.3.tgz
    - :x: **follow-redirects-1.0.0.tgz** (Vulnerable Library)
Found in HEAD commit: 5781fac96ec7c7bdd424bfbbdfcce4199e53c092
Found in base branch: main
### Vulnerability Details

Versions of the package follow-redirects before 1.15.4 are vulnerable to Improper Input Validation due to the improper handling of URLs by the url.parse() function. When new URL() throws an error, it can be manipulated to misinterpret the hostname. An attacker could exploit this weakness to redirect traffic to a malicious site, potentially leading to information disclosure, phishing attacks, or other security breaches.
Publish Date: 2024-01-02
URL: CVE-2023-26159

### CVSS 3 Score Details (7.3)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: Low
  - Integrity Impact: Low
  - Availability Impact: Low

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2023-26159
Release Date: 2024-01-02
Fix Resolution (follow-redirects): 1.15.4
Direct dependency fix Resolution (log4js): 3.0.0
:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.

CVE-2024-28849

### Vulnerable Library - follow-redirects-1.0.0.tgz

HTTP and HTTPS modules that follow redirects.
Library home page: https://registry.npmjs.org/follow-redirects/-/follow-redirects-1.0.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/follow-redirects/package.json
Dependency Hierarchy:
- log4js-2.11.0.tgz (Root Library)
  - axios-0.15.3.tgz
    - :x: **follow-redirects-1.0.0.tgz** (Vulnerable Library)
Found in HEAD commit: 5781fac96ec7c7bdd424bfbbdfcce4199e53c092
Found in base branch: main
### Vulnerability Details

follow-redirects is an open source, drop-in replacement for Node's `http` and `https` modules that automatically follows redirects. In affected versions follow-redirects only clears the authorization header during a cross-domain redirect, but keeps the proxy-authentication header, which contains credentials too. This vulnerability may lead to a credentials leak, but has been addressed in version 1.15.6. Users are advised to upgrade. There are no known workarounds for this vulnerability.
Publish Date: 2024-03-14
URL: CVE-2024-28849

### CVSS 3 Score Details (6.5)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: Low
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: None
  - Availability Impact: None

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version
Origin: https://github.com/follow-redirects/follow-redirects/security/advisories/GHSA-cxjh-pqwp-8mfp
Release Date: 2024-03-14
Fix Resolution: follow-redirects - 1.15.6
CVE-2023-45857
### Vulnerable Library - axios-0.15.3.tgz

Promise based HTTP client for the browser and node.js
Library home page: https://registry.npmjs.org/axios/-/axios-0.15.3.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/axios/package.json
Dependency Hierarchy:
- log4js-2.11.0.tgz (Root Library)
  - :x: **axios-0.15.3.tgz** (Vulnerable Library)
Found in HEAD commit: 5781fac96ec7c7bdd424bfbbdfcce4199e53c092
Found in base branch: main
### Vulnerability Details

An issue discovered in Axios 1.5.1 inadvertently reveals the confidential XSRF-TOKEN stored in cookies by including it in the HTTP header X-XSRF-TOKEN for every request made to any host, allowing attackers to view sensitive information.
Publish Date: 2023-11-08
URL: CVE-2023-45857

### CVSS 3 Score Details (6.5)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: Required
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: None
  - Availability Impact: None

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version
Release Date: 2023-11-08
Fix Resolution (axios): 0.20.0
Direct dependency fix Resolution (log4js): 3.0.0
:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.

CVE-2023-26136

### Vulnerable Library - tough-cookie-2.3.4.tgz

RFC6265 Cookies and Cookie Jar for node.js
Library home page: https://registry.npmjs.org/tough-cookie/-/tough-cookie-2.3.4.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/loggly/node_modules/tough-cookie/package.json
Dependency Hierarchy:
- log4js-2.11.0.tgz (Root Library)
  - loggly-1.1.1.tgz
    - request-2.75.0.tgz
      - :x: **tough-cookie-2.3.4.tgz** (Vulnerable Library)
Found in HEAD commit: 5781fac96ec7c7bdd424bfbbdfcce4199e53c092
Found in base branch: main
### Vulnerability Details

Versions of the package tough-cookie before 4.1.3 are vulnerable to Prototype Pollution due to improper handling of Cookies when using CookieJar in rejectPublicSuffixes=false mode. This issue arises from the manner in which the objects are initialized.
Publish Date: 2023-07-01
URL: CVE-2023-26136

### CVSS 3 Score Details (6.5)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: Low
  - Integrity Impact: Low
  - Availability Impact: None

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2023-26136
Release Date: 2023-07-01
Fix Resolution (tough-cookie): 4.1.3
Direct dependency fix Resolution (log4js): 3.0.0
:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.

CVE-2022-0155

### Vulnerable Library - follow-redirects-1.0.0.tgz

HTTP and HTTPS modules that follow redirects.
Library home page: https://registry.npmjs.org/follow-redirects/-/follow-redirects-1.0.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/follow-redirects/package.json
Dependency Hierarchy:
- log4js-2.11.0.tgz (Root Library)
  - axios-0.15.3.tgz
    - :x: **follow-redirects-1.0.0.tgz** (Vulnerable Library)
Found in HEAD commit: 5781fac96ec7c7bdd424bfbbdfcce4199e53c092
Found in base branch: main
### Vulnerability Details

follow-redirects is vulnerable to Exposure of Private Personal Information to an Unauthorized Actor
Publish Date: 2022-01-10
URL: CVE-2022-0155

### CVSS 3 Score Details (6.5)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: Required
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: None
  - Availability Impact: None

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version
Origin: https://huntr.dev/bounties/fc524e4b-ebb6-427d-ab67-a64181020406/
Release Date: 2022-01-10
Fix Resolution (follow-redirects): 1.14.7
Direct dependency fix Resolution (log4js): 3.0.0
:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.

CVE-2020-8244

### Vulnerable Library - bl-1.1.2.tgz

Buffer List: collect buffers and access with a standard readable Buffer interface, streamable too!
Library home page: https://registry.npmjs.org/bl/-/bl-1.1.2.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/bl/package.json
Dependency Hierarchy:
- log4js-2.11.0.tgz (Root Library)
  - loggly-1.1.1.tgz
    - request-2.75.0.tgz
      - :x: **bl-1.1.2.tgz** (Vulnerable Library)
Found in HEAD commit: 5781fac96ec7c7bdd424bfbbdfcce4199e53c092
Found in base branch: main
### Vulnerability Details

A buffer over-read vulnerability exists in bl <4.0.3, <3.0.1, <2.2.1, and <1.2.3. If attacker-supplied user input (even typed input) ends up as the consume() argument and can become negative, the BufferList state can be corrupted, tricking it into exposing uninitialized memory via regular .slice() calls.
Publish Date: 2020-08-30
URL: CVE-2020-8244

### CVSS 3 Score Details (6.5)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: Low
  - Integrity Impact: None
  - Availability Impact: Low

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version
Origin: https://github.com/advisories/GHSA-pp7h-53gx-mx7r
Release Date: 2020-08-30
Fix Resolution (bl): 1.2.3
Direct dependency fix Resolution (log4js): 3.0.0
:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.

CVE-2021-23400

### Vulnerable Library - nodemailer-2.7.2.tgz

Easy as cake e-mail sending from your Node.js applications
Library home page: https://registry.npmjs.org/nodemailer/-/nodemailer-2.7.2.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/nodemailer/package.json
Dependency Hierarchy:
- log4js-2.11.0.tgz (Root Library)
  - :x: **nodemailer-2.7.2.tgz** (Vulnerable Library)
Found in HEAD commit: 5781fac96ec7c7bdd424bfbbdfcce4199e53c092
Found in base branch: main
### Vulnerability Details

The package nodemailer before 6.6.1 is vulnerable to HTTP Header Injection if unsanitized user input that may contain newlines and carriage returns is passed into an address object.
Publish Date: 2021-06-29
URL: CVE-2021-23400

### CVSS 3 Score Details (6.3)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: Required
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: Low
  - Integrity Impact: Low
  - Availability Impact: Low

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23400
Release Date: 2021-06-29
Fix Resolution (nodemailer): 6.6.1
Direct dependency fix Resolution (log4js): 3.0.0
:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.

CVE-2023-28155

### Vulnerable Library - request-2.75.0.tgz

Simplified HTTP request client.
Library home page: https://registry.npmjs.org/request/-/request-2.75.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/loggly/node_modules/request/package.json
Dependency Hierarchy:
- log4js-2.11.0.tgz (Root Library)
  - loggly-1.1.1.tgz
    - :x: **request-2.75.0.tgz** (Vulnerable Library)
Found in HEAD commit: 5781fac96ec7c7bdd424bfbbdfcce4199e53c092
Found in base branch: main
### Vulnerability Details

The Request package through 2.88.1 for Node.js allows a bypass of SSRF mitigations via an attacker-controlled server that does a cross-protocol redirect (HTTP to HTTPS, or HTTPS to HTTP). NOTE: This vulnerability only affects products that are no longer supported by the maintainer.
Publish Date: 2023-03-16
URL: CVE-2023-28155
### CVSS 3 Score Details (6.1)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: Required
  - Scope: Changed
- Impact Metrics:
  - Confidentiality Impact: Low
  - Integrity Impact: Low
  - Availability Impact: None

### Suggested Fix

Type: Upgrade version
Origin: https://github.com/advisories/GHSA-p8p7-x288-28g6
Release Date: 2023-03-16
Fix Resolution: @cypress/request - 3.0.0
CVE-2020-28168
### Vulnerable Library - axios-0.15.3.tgz

Promise based HTTP client for the browser and node.js
Library home page: https://registry.npmjs.org/axios/-/axios-0.15.3.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/axios/package.json
Dependency Hierarchy:
- log4js-2.11.0.tgz (Root Library)
  - :x: **axios-0.15.3.tgz** (Vulnerable Library)
Found in HEAD commit: 5781fac96ec7c7bdd424bfbbdfcce4199e53c092
Found in base branch: main
### Vulnerability Details

Axios NPM package 0.21.0 contains a Server-Side Request Forgery (SSRF) vulnerability where an attacker is able to bypass a proxy by providing a URL that responds with a redirect to a restricted host or IP address.
Publish Date: 2020-11-06
URL: CVE-2020-28168
### CVSS 3 Score Details (5.9)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: High
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: None
  - Availability Impact: None

### Suggested Fix

Type: Upgrade version
Release Date: 2020-11-06
Fix Resolution (axios): 0.21.1
Direct dependency fix Resolution (log4js): 3.0.0
:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.

CVE-2022-21704

### Vulnerable Library - log4js-2.11.0.tgz

Port of Log4js to work with node.
Library home page: https://registry.npmjs.org/log4js/-/log4js-2.11.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/log4js/package.json
Dependency Hierarchy:
- :x: **log4js-2.11.0.tgz** (Vulnerable Library)
Found in HEAD commit: 5781fac96ec7c7bdd424bfbbdfcce4199e53c092
Found in base branch: main
### Vulnerability Details

log4js-node is a port of log4js to node.js. In affected versions, the default file permissions for log files created by the file, fileSync and dateFile appenders are world-readable (on unix). This could cause problems if log files contain sensitive information. This affects any users who have not supplied their own permissions for the files via the mode parameter in the config. Users are advised to update.
Publish Date: 2022-01-19
URL: CVE-2022-21704
### CVSS 3 Score Details (5.5)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Local
  - Attack Complexity: Low
  - Privileges Required: Low
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: None
  - Availability Impact: None

### Suggested Fix

Type: Upgrade version
Origin: https://github.com/log4js-node/log4js-node/security/advisories/GHSA-82v2-mx6x-wq7q
Release Date: 2022-01-19
Fix Resolution: 6.4.0
:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.

CVE-2023-26115

### Vulnerable Library - word-wrap-1.2.3.tgz

Wrap words to a specified length.
Library home page: https://registry.npmjs.org/word-wrap/-/word-wrap-1.2.3.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/word-wrap/package.json
Dependency Hierarchy:
- log4js-2.11.0.tgz (Root Library)
  - mailgun-js-0.18.1.tgz
    - proxy-agent-3.0.3.tgz
      - pac-proxy-agent-3.0.1.tgz
        - pac-resolver-3.0.0.tgz
          - degenerator-1.0.4.tgz
            - escodegen-1.14.3.tgz
              - optionator-0.8.3.tgz
                - :x: **word-wrap-1.2.3.tgz** (Vulnerable Library)
Found in HEAD commit: 5781fac96ec7c7bdd424bfbbdfcce4199e53c092
Found in base branch: main
### Vulnerability Details

All versions of the package word-wrap are vulnerable to Regular Expression Denial of Service (ReDoS) due to the usage of an insecure regular expression within the result variable.
Publish Date: 2023-06-22
URL: CVE-2023-26115
### CVSS 3 Score Details (5.3)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: Low

### Suggested Fix

Type: Upgrade version
Origin: https://github.com/advisories/GHSA-j8xg-fqg3-53r7
Release Date: 2023-06-22
Fix Resolution (word-wrap): 1.2.4
Direct dependency fix Resolution (log4js): 3.0.0
:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.