search

crstian19 / astro-crstian.me

0 stars 0 forks source link

astro-4.13.3.tgz: 7 vulnerabilities (highest severity is: 8.2) #20

Open mend-bolt-for-github[bot] opened 1 month ago

mend-bolt-for-github[bot] commented 1 month ago
Vulnerable Library - astro-4.13.3.tgz

Library home page: https://registry.npmjs.org/astro/-/astro-4.13.3.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/astro/package.json

Vulnerabilities

CVE Severity CVSS Dependency Type Fixed in (astro version) Remediation Possible**
CVE-2024-21529 High 8.2 dset-3.1.3.tgz Transitive N/A*
CVE-2024-45296 High 7.5 path-to-regexp-6.2.2.tgz Transitive N/A*
CVE-2024-45812 Medium 6.4 vite-5.4.0.tgz Transitive N/A*
CVE-2024-47068 Medium 6.1 rollup-4.20.0.tgz Transitive N/A*
CVE-2024-47885 Medium 5.9 astro-4.13.3.tgz Direct astro - 4.16.1
CVE-2024-47764 Medium 5.3 cookie-0.6.0.tgz Transitive N/A*
CVE-2024-45811 Medium 4.8 vite-5.4.0.tgz Transitive N/A*

*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2024-21529 ### Vulnerable Library - dset-3.1.3.tgz

Library home page: https://registry.npmjs.org/dset/-/dset-3.1.3.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/dset/package.json

Dependency Hierarchy: - astro-4.13.3.tgz (Root Library) - :x: **dset-3.1.3.tgz** (Vulnerable Library)

Found in base branch: main

### Vulnerability Details

Versions of the package dset before 3.1.4 are vulnerable to Prototype Pollution via the dset function due improper user input sanitization. This vulnerability allows the attacker to inject malicious object property using the built-in Object property __proto__, which is recursively assigned to all the objects in the program.

Publish Date: 2024-09-11

URL: CVE-2024-21529

### CVSS 3 Score Details (8.2)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: High - Availability Impact: Low

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2024-21529

Release Date: 2024-09-11

Fix Resolution: dset - 3.1.4

Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2024-45296 ### Vulnerable Library - path-to-regexp-6.2.2.tgz

Library home page: https://registry.npmjs.org/path-to-regexp/-/path-to-regexp-6.2.2.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/path-to-regexp/package.json

Dependency Hierarchy: - astro-4.13.3.tgz (Root Library) - :x: **path-to-regexp-6.2.2.tgz** (Vulnerable Library)

Found in base branch: main

### Vulnerability Details

path-to-regexp turns path strings into a regular expressions. In certain cases, path-to-regexp will output a regular expression that can be exploited to cause poor performance. Because JavaScript is single threaded and regex matching runs on the main thread, poor performance will block the event loop and lead to a DoS. The bad regular expression is generated any time you have two parameters within a single segment, separated by something that is not a period (.). For users of 0.1, upgrade to 0.1.10. All other users should upgrade to 8.0.0.

Publish Date: 2024-09-09

URL: CVE-2024-45296

### CVSS 3 Score Details (7.5)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://github.com/pillarjs/path-to-regexp/security/advisories/GHSA-9wv6-86v2-598j

Release Date: 2024-09-09

Fix Resolution: path-to-regexp - 0.1.10,8.0.0

Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2024-45812 ### Vulnerable Library - vite-5.4.0.tgz

Library home page: https://registry.npmjs.org/vite/-/vite-5.4.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/vite/package.json

Dependency Hierarchy: - astro-4.13.3.tgz (Root Library) - :x: **vite-5.4.0.tgz** (Vulnerable Library)

Found in base branch: main

### Vulnerability Details

Vite a frontend build tooling framework for javascript. Affected versions of vite were discovered to contain a DOM Clobbering vulnerability when building scripts to `cjs`/`iife`/`umd` output format. The DOM Clobbering gadget in the module can lead to cross-site scripting (XSS) in web pages where scriptless attacker-controlled HTML elements (e.g., an img tag with an unsanitized name attribute) are present. DOM Clobbering is a type of code-reuse attack where the attacker first embeds a piece of non-script, seemingly benign HTML markups in the webpage (e.g. through a post or comment) and leverages the gadgets (pieces of js code) living in the existing javascript code to transform it into executable code. We have identified a DOM Clobbering vulnerability in Vite bundled scripts, particularly when the scripts dynamically import other scripts from the assets folder and the developer sets the build output format to `cjs`, `iife`, or `umd`. In such cases, Vite replaces relative paths starting with `__VITE_ASSET__` using the URL retrieved from `document.currentScript`. However, this implementation is vulnerable to a DOM Clobbering attack. The `document.currentScript` lookup can be shadowed by an attacker via the browser's named DOM tree element access mechanism. This manipulation allows an attacker to replace the intended script element with a malicious HTML element. When this happens, the src attribute of the attacker-controlled element is used as the URL for importing scripts, potentially leading to the dynamic loading of scripts from an attacker-controlled server. This vulnerability can result in cross-site scripting (XSS) attacks on websites that include Vite-bundled files (configured with an output format of `cjs`, `iife`, or `umd`) and allow users to inject certain scriptless HTML tags without properly sanitizing the name or id attributes. This issue has been patched in versions 5.4.6, 5.3.6, 5.2.14, 4.5.5, and 3.2.11. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Publish Date: 2024-09-17

URL: CVE-2024-45812

### CVSS 3 Score Details (6.4)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: High - Privileges Required: Low - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: Low - Integrity Impact: Low - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://github.com/vitejs/vite/security/advisories/GHSA-64vr-g452-qvp3

Release Date: 2024-09-17

Fix Resolution: vite - 3.2.11,4.5.5,5.1.8,5.2.14,5.3.6,5.4.6

Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2024-47068 ### Vulnerable Library - rollup-4.20.0.tgz

Library home page: https://registry.npmjs.org/rollup/-/rollup-4.20.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/rollup/package.json

Dependency Hierarchy: - astro-4.13.3.tgz (Root Library) - vite-5.4.0.tgz - :x: **rollup-4.20.0.tgz** (Vulnerable Library)

Found in base branch: main

### Vulnerability Details

Rollup is a module bundler for JavaScript. Versions prior to 3.29.5 and 4.22.4 are susceptible to a DOM Clobbering vulnerability when bundling scripts with properties from `import.meta` (e.g., `import.meta.url`) in `cjs`/`umd`/`iife` format. The DOM Clobbering gadget can lead to cross-site scripting (XSS) in web pages where scriptless attacker-controlled HTML elements (e.g., an `img` tag with an unsanitized `name` attribute) are present. Versions 3.29.5 and 4.22.4 contain a patch for the vulnerability.

Publish Date: 2024-09-23

URL: CVE-2024-47068

### CVSS 3 Score Details (6.1)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: Required - Scope: Changed - Impact Metrics: - Confidentiality Impact: Low - Integrity Impact: Low - Availability Impact: None

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://github.com/rollup/rollup/security/advisories/GHSA-gcx4-mw62-g8wm

Release Date: 2024-09-23

Fix Resolution: rollup - 3.29.5,4.22.4

Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2024-47885 ### Vulnerable Library - astro-4.13.3.tgz

Library home page: https://registry.npmjs.org/astro/-/astro-4.13.3.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/astro/package.json

Dependency Hierarchy: - :x: **astro-4.13.3.tgz** (Vulnerable Library)

Found in base branch: main

### Vulnerability Details

The Astro web framework has a DOM Clobbering gadget in the client-side router starting in version 3.0.0 and prior to version 4.16.1. It can lead to cross-site scripting (XSS) in websites enables Astro's client-side routing and has *stored* attacker-controlled scriptless HTML elements (i.e., `iframe` tags with unsanitized `name` attributes) on the destination pages. This vulnerability can result in cross-site scripting (XSS) attacks on websites that built with Astro that enable the client-side routing with `ViewTransitions` and store the user-inserted scriptless HTML tags without properly sanitizing the `name` attributes on the page. Version 4.16.1 contains a patch for this issue.

Publish Date: 2024-10-14

URL: CVE-2024-47885

### CVSS 3 Score Details (5.9)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: High - Privileges Required: Low - User Interaction: Required - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: Low - Integrity Impact: Low - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2024-47885

Release Date: 2024-10-14

Fix Resolution: astro - 4.16.1

Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2024-47764 ### Vulnerable Library - cookie-0.6.0.tgz

Library home page: https://registry.npmjs.org/cookie/-/cookie-0.6.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/cookie/package.json

Dependency Hierarchy: - astro-4.13.3.tgz (Root Library) - :x: **cookie-0.6.0.tgz** (Vulnerable Library)

Found in base branch: main

### Vulnerability Details

cookie is a basic HTTP cookie parser and serializer for HTTP servers. The cookie name could be used to set other fields of the cookie, resulting in an unexpected cookie value. A similar escape can be used for path and domain, which could be abused to alter other fields of the cookie. Upgrade to 0.7.0, which updates the validation for name, path, and domain.

Publish Date: 2024-10-04

URL: CVE-2024-47764

### CVSS 3 Score Details (5.3)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: Low - Availability Impact: None

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://github.com/jshttp/cookie/security/advisories/GHSA-pxg6-pf52-xh8x

Release Date: 2024-10-04

Fix Resolution: cookie - 0.7.0

Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2024-45811 ### Vulnerable Library - vite-5.4.0.tgz

Library home page: https://registry.npmjs.org/vite/-/vite-5.4.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/vite/package.json

Dependency Hierarchy: - astro-4.13.3.tgz (Root Library) - :x: **vite-5.4.0.tgz** (Vulnerable Library)

Found in base branch: main

### Vulnerability Details

Vite a frontend build tooling framework for javascript. In affected versions the contents of arbitrary files can be returned to the browser. `@fs` denies access to files outside of Vite serving allow list. Adding `?import&raw` to the URL bypasses this limitation and returns the file content if it exists. This issue has been patched in versions 5.4.6, 5.3.6, 5.2.14, 4.5.5, and 3.2.11. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Publish Date: 2024-09-17

URL: CVE-2024-45811

### CVSS 3 Score Details (4.8)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Adjacent - Attack Complexity: High - Privileges Required: None - User Interaction: Required - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: None - Availability Impact: None

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://github.com/vitejs/vite/security/advisories/GHSA-9cwx-2883-4wfx

Release Date: 2024-09-17

Fix Resolution: vite - 3.2.11,4.5.5,5.1.8,5.2.14,5.3.6,5.4.6

Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
github-actions[bot] commented 2 weeks ago

This issue is stale because it has been open for 10 days with no activity.