mend-bolt-for-github[bot]
commented
1 year ago :heavy_check_mark: This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory.
Adds CORS (Cross-Origin Resource Sharing) headers support in your Laravel application
Library home page: https://api.github.com/repos/fruitcake/laravel-cors/zipball/01de0fe5f71c70d1930ee9a80385f9cc28e0f63a
Found in HEAD commit: e2a748f412c65141d7c1fc218748013e65e7eb57
Vulnerabilities
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the section "Details" below to see if there is a version of transitive dependency where vulnerability is fixed.
Details
CVE-2021-41267
### Vulnerable Library - symfony/http-kernel-v5.2.5Provides a structured process for converting a Request into a Response
Library home page: https://api.github.com/repos/symfony/http-kernel/zipball/b8c63ef63c2364e174c3b3e0ba0bf83455f97f73
Dependency Hierarchy: - fruitcake/laravel-cors-v2.0.3 (Root Library) - :x: **symfony/http-kernel-v5.2.5** (Vulnerable Library)
Found in HEAD commit: e2a748f412c65141d7c1fc218748013e65e7eb57
Found in base branch: develop
### Vulnerability DetailsSymfony/Http-Kernel is the HTTP kernel component for Symfony, a PHP framework for web and console applications and a set of reusable PHP components. Headers that are not part of the "trusted_headers" allowed list are ignored and protect users from "Cache poisoning" attacks. In Symfony 5.2, maintainers added support for the `X-Forwarded-Prefix` headers, but this header was accessible in SubRequest, even if it was not part of the "trusted_headers" allowed list. An attacker could leverage this opportunity to forge requests containing a `X-Forwarded-Prefix` header, leading to a web cache poisoning issue. Versions 5.3.12 and later have a patch to ensure that the `X-Forwarded-Prefix` header is not forwarded to subrequests when it is not trusted.
Publish Date: 2021-11-24
URL: CVE-2021-41267
### CVSS 3 Score Details (6.5)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: Required - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: High - Availability Impact: None
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://github.com/symfony/symfony/security/advisories/GHSA-q3j3-w37x-hq2q
Release Date: 2021-11-24
Fix Resolution: v5.3.12
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
WS-2019-0425
### Vulnerable Library - fruitcake/laravel-cors-v2.0.3Adds CORS (Cross-Origin Resource Sharing) headers support in your Laravel application
Library home page: https://api.github.com/repos/fruitcake/laravel-cors/zipball/01de0fe5f71c70d1930ee9a80385f9cc28e0f63a
Dependency Hierarchy: - :x: **fruitcake/laravel-cors-v2.0.3** (Vulnerable Library)
Found in HEAD commit: e2a748f412c65141d7c1fc218748013e65e7eb57
Found in base branch: develop
### Vulnerability DetailsMocha is vulnerable to ReDoS attack. If the stack trace in utils.js begins with a large error message, and full-trace is not enabled, utils.stackTraceFilter() will take exponential run time.
Publish Date: 2019-01-24
URL: WS-2019-0425
### CVSS 3 Score Details (5.3)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: Low
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Release Date: 2019-01-24
Fix Resolution: v6.0.0
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)