itay-gh-dev / demo-3975


express-3.3.1.tgz: 9 vulnerabilities (highest severity is: 8.7) - autoclosed #4

Closed dev-mend-for-github-com[bot] closed 3 months ago

dev-mend-for-github-com[bot] commented 4 months ago
Vulnerable Library - express-3.3.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/connect/package.json

Found in HEAD commit: 5c22de457b2afaf22ae4e00f02f51c7a50f4ceaf

Vulnerabilities

| CVE | Severity | CVSS | Dependency | Type | Fixed in (express version) | Remediation Possible** |
|---|---|---|---|---|---|---|
| CVE-2017-16138 | High | 8.7 | mime-1.2.11.tgz | Transitive | 4.16.0 | |
| CVE-2017-16119 | High | 8.7 | fresh-0.1.0.tgz | Transitive | 4.15.5 | |
| CVE-2017-1000048 | High | 8.7 | qs-0.6.5.tgz | Transitive | 4.14.0 | |
| CVE-2014-10064 | High | 7.5 | qs-0.6.5.tgz | Transitive | 3.16.0 | |
| CVE-2015-8859 | Medium | 6.9 | send-0.1.1.tgz | Transitive | 3.19.1 | |
| CVE-2014-7191 | Medium | 6.9 | qs-0.6.5.tgz | Transitive | 3.16.0 | |
| CVE-2014-6394 | Medium | 6.9 | send-0.1.1.tgz | Transitive | 3.16.10 | |
| CVE-2016-1000236 | Medium | 5.9 | cookie-signature-1.0.1.tgz | Transitive | 3.12.1 | |
| CVE-2018-3717 | Medium | 5.1 | connect-2.8.1.tgz | Transitive | 3.5.0 | |

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

**CVE-2017-16138**

### Vulnerable Library - mime-1.2.11.tgz

A comprehensive library for mime-type mapping

Library home page: https://registry.npmjs.org/mime/-/mime-1.2.11.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/mime/package.json

Dependency Hierarchy:
- express-3.3.1.tgz (Root Library)
  - send-0.1.1.tgz
    - :x: **mime-1.2.11.tgz** (Vulnerable Library)

Found in HEAD commit: 5c22de457b2afaf22ae4e00f02f51c7a50f4ceaf

Found in base branch: main

### Vulnerability Details

The mime module < 1.4.1, 2.0.1, 2.0.2 is vulnerable to regular expression denial of service when a mime lookup is performed on untrusted user input.

Publish Date: 2018-06-07

URL: CVE-2017-16138

### CVSS 4 Score Details (8.7)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: N/A
- Impact Metrics:
  - Confidentiality Impact: N/A
  - Integrity Impact: N/A
  - Availability Impact: N/A

For more information on CVSS4 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16138

Release Date: 2018-04-26

Fix Resolution (mime): 1.4.1

Direct dependency fix Resolution (express): 4.16.0

:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.

**CVE-2017-16119**

### Vulnerable Library - fresh-0.1.0.tgz

HTTP response freshness testing

Library home page: https://registry.npmjs.org/fresh/-/fresh-0.1.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/fresh/package.json

Dependency Hierarchy:
- express-3.3.1.tgz (Root Library)
  - :x: **fresh-0.1.0.tgz** (Vulnerable Library)

Found in HEAD commit: 5c22de457b2afaf22ae4e00f02f51c7a50f4ceaf

Found in base branch: main

### Vulnerability Details

Fresh is a module used by the Express.js framework for HTTP response freshness testing. It is vulnerable to a regular expression denial of service when it is passed specially crafted input to parse. This causes the event loop to be blocked causing a denial of service condition.

Publish Date: 2018-06-07

URL: CVE-2017-16119

### CVSS 4 Score Details (8.7)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: N/A
- Impact Metrics:
  - Confidentiality Impact: N/A
  - Integrity Impact: N/A
  - Availability Impact: N/A

For more information on CVSS4 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/526

Release Date: 2018-04-26

Fix Resolution (fresh): 0.5.2

Direct dependency fix Resolution (express): 4.15.5

:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.

**CVE-2017-1000048**

### Vulnerable Library - qs-0.6.5.tgz

querystring parser

Library home page: https://registry.npmjs.org/qs/-/qs-0.6.5.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/connect/node_modules/qs/package.json

Dependency Hierarchy:
- express-3.3.1.tgz (Root Library)
  - connect-2.8.1.tgz
    - :x: **qs-0.6.5.tgz** (Vulnerable Library)

Found in HEAD commit: 5c22de457b2afaf22ae4e00f02f51c7a50f4ceaf

Found in base branch: main

### Vulnerability Details

The web framework using ljharb's qs module older than v6.3.2, v6.2.3, v6.1.2, and v6.0.4 is vulnerable to a DoS. A malicious user can send an evil request to cause the web framework to crash.

Publish Date: 2017-07-17

URL: CVE-2017-1000048

### CVSS 4 Score Details (8.7)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: N/A
- Impact Metrics:
  - Confidentiality Impact: N/A
  - Integrity Impact: N/A
  - Availability Impact: N/A

For more information on CVSS4 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000048

Release Date: 2017-07-13

Fix Resolution (qs): 6.0.4

Direct dependency fix Resolution (express): 4.14.0

:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.

**CVE-2014-10064**

### Vulnerable Library - qs-0.6.5.tgz

querystring parser

Library home page: https://registry.npmjs.org/qs/-/qs-0.6.5.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/connect/node_modules/qs/package.json

Dependency Hierarchy:
- express-3.3.1.tgz (Root Library)
  - connect-2.8.1.tgz
    - :x: **qs-0.6.5.tgz** (Vulnerable Library)

Found in HEAD commit: 5c22de457b2afaf22ae4e00f02f51c7a50f4ceaf

Found in base branch: main

### Vulnerability Details

The qs module before 1.0.0 does not have an option or default for specifying object depth and when parsing a string representing a deeply nested object will block the event loop for long periods of time. An attacker could leverage this to cause a temporary denial-of-service condition, for example, in a web application, other requests would not be processed while this blocking is occurring.

Publish Date: 2018-05-31

URL: CVE-2014-10064

### CVSS 3 Score Details (7.5)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2014-10064

Release Date: 2018-04-26

Fix Resolution (qs): 1.0.0

Direct dependency fix Resolution (express): 3.16.0

:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.

**CVE-2015-8859**

### Vulnerable Library - send-0.1.1.tgz

Better streaming static file server with Range and conditional-GET support

Library home page: https://registry.npmjs.org/send/-/send-0.1.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/send/package.json

Dependency Hierarchy:
- express-3.3.1.tgz (Root Library)
  - :x: **send-0.1.1.tgz** (Vulnerable Library)

Found in HEAD commit: 5c22de457b2afaf22ae4e00f02f51c7a50f4ceaf

Found in base branch: main

### Vulnerability Details

The send package before 0.11.1 for Node.js allows attackers to obtain the root path via unspecified vectors.

Publish Date: 2017-01-23

URL: CVE-2015-8859

### CVSS 4 Score Details (6.9)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: N/A
- Impact Metrics:
  - Confidentiality Impact: N/A
  - Integrity Impact: N/A
  - Availability Impact: N/A

For more information on CVSS4 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2015-8859

Release Date: 2017-01-23

Fix Resolution (send): 0.11.1

Direct dependency fix Resolution (express): 3.19.1

:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.

**CVE-2014-7191**

### Vulnerable Library - qs-0.6.5.tgz

querystring parser

Library home page: https://registry.npmjs.org/qs/-/qs-0.6.5.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/connect/node_modules/qs/package.json

Dependency Hierarchy:
- express-3.3.1.tgz (Root Library)
  - connect-2.8.1.tgz
    - :x: **qs-0.6.5.tgz** (Vulnerable Library)

Found in HEAD commit: 5c22de457b2afaf22ae4e00f02f51c7a50f4ceaf

Found in base branch: main

### Vulnerability Details

The qs module before 1.0.0 in Node.js does not call the compact function for array data, which allows remote attackers to cause a denial of service (memory consumption) by using a large index value to create a sparse array.

Publish Date: 2014-10-19

URL: CVE-2014-7191

### CVSS 4 Score Details (6.9)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: N/A
- Impact Metrics:
  - Confidentiality Impact: N/A
  - Integrity Impact: N/A
  - Availability Impact: N/A

For more information on CVSS4 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2014-7191

Release Date: 2014-10-19

Fix Resolution (qs): 1.0.0

Direct dependency fix Resolution (express): 3.16.0

:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.

**CVE-2014-6394**

### Vulnerable Library - send-0.1.1.tgz

Better streaming static file server with Range and conditional-GET support

Library home page: https://registry.npmjs.org/send/-/send-0.1.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/send/package.json

Dependency Hierarchy:
- express-3.3.1.tgz (Root Library)
  - :x: **send-0.1.1.tgz** (Vulnerable Library)

Found in HEAD commit: 5c22de457b2afaf22ae4e00f02f51c7a50f4ceaf

Found in base branch: main

### Vulnerability Details

visionmedia send before 0.8.4 for Node.js uses a partial comparison for verifying whether a directory is within the document root, which allows remote attackers to access restricted directories, as demonstrated using "public-restricted" under a "public" directory.

Publish Date: 2014-10-08

URL: CVE-2014-6394

### CVSS 4 Score Details (6.9)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: N/A
- Impact Metrics:
  - Confidentiality Impact: N/A
  - Integrity Impact: N/A
  - Availability Impact: N/A

For more information on CVSS4 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2014-6394

Release Date: 2014-10-08

Fix Resolution (send): 0.8.4

Direct dependency fix Resolution (express): 3.16.10

:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.

**CVE-2016-1000236**

### Vulnerable Library - cookie-signature-1.0.1.tgz

Sign and unsign cookies

Library home page: https://registry.npmjs.org/cookie-signature/-/cookie-signature-1.0.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/cookie-signature/package.json

Dependency Hierarchy:
- express-3.3.1.tgz (Root Library)
  - :x: **cookie-signature-1.0.1.tgz** (Vulnerable Library)

Found in HEAD commit: 5c22de457b2afaf22ae4e00f02f51c7a50f4ceaf

Found in base branch: main

### Vulnerability Details

Node-cookie-signature before 1.0.6 is affected by a timing attack due to the type of comparison used.

Publish Date: 2019-11-19

URL: CVE-2016-1000236

### CVSS 4 Score Details (5.9)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: High
  - Privileges Required: High
  - User Interaction: None
  - Scope: N/A
- Impact Metrics:
  - Confidentiality Impact: N/A
  - Integrity Impact: N/A
  - Availability Impact: N/A

For more information on CVSS4 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://github.com/advisories/GHSA-92vm-wfm5-mxvv

Release Date: 2019-11-19

Fix Resolution (cookie-signature): 1.0.4

Direct dependency fix Resolution (express): 3.12.1

:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.

**CVE-2018-3717**

### Vulnerable Library - connect-2.8.1.tgz

High performance middleware framework

Library home page: https://registry.npmjs.org/connect/-/connect-2.8.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/connect/package.json

Dependency Hierarchy:
- express-3.3.1.tgz (Root Library)
  - :x: **connect-2.8.1.tgz** (Vulnerable Library)

Found in HEAD commit: 5c22de457b2afaf22ae4e00f02f51c7a50f4ceaf

Found in base branch: main

### Vulnerability Details

connect node module before 2.14.0 suffers from a Cross-Site Scripting (XSS) vulnerability due to a lack of validation of file in directory.js middleware.

Publish Date: 2018-06-07

URL: CVE-2018-3717

### CVSS 4 Score Details (5.1)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: Low
  - User Interaction: N/A
  - Scope: N/A
- Impact Metrics:
  - Confidentiality Impact: N/A
  - Integrity Impact: N/A
  - Availability Impact: N/A

For more information on CVSS4 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2018-3717

Release Date: 2018-06-07

Fix Resolution (connect): 2.14.0

Direct dependency fix Resolution (express): 3.5.0

:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.

dev-mend-for-github-com[bot] commented 3 months ago

:heavy_check_mark: This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory.