Open staging-whitesource-for-github-com[bot] opened 5 months ago
:heavy_check_mark: This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or is no longer part of the Mend inventory.

:information_source: This issue was automatically re-opened by Mend because the vulnerable library in the specific branch(es) has been detected in the Mend inventory.

## Vulnerable Library - express-3.4.0.tgz

Sinatra inspired web development framework

Library home page: https://registry.npmjs.org/express/-/express-3.4.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/express/package.json
Found in HEAD commit: 86f297abe2fa7839e044790b4cae70a40d9b2515

## Vulnerabilities

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation**
## WS-2014-0005

### Vulnerable Library - qs-0.6.5.tgz

querystring parser

Library home page: https://registry.npmjs.org/qs/-/qs-0.6.5.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/connect/node_modules/qs/package.json

Dependency Hierarchy:
- express-3.4.0.tgz (Root Library)
  - connect-2.9.0.tgz
    - :x: **qs-0.6.5.tgz** (Vulnerable Library)

Found in HEAD commit: 86f297abe2fa7839e044790b4cae70a40d9b2515
Found in base branch: main

### Vulnerability Details

Denial-of-Service Extended Event Loop Blocking. The qs module does not have an option or default for specifying object depth and, when parsing a string representing a deeply nested object, will block the event loop for long periods of time.

Publish Date: 2014-07-31
URL: WS-2014-0005

### CVSS 3 Score Details (7.5)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High

### Suggested Fix

Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/WS-2014-0005
Release Date: 2014-07-31
Fix Resolution (qs): 1.0.0
Direct dependency fix Resolution (express): 3.16.0
:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.

## CVE-2017-16138

### Vulnerable Library - mime-1.2.11.tgz

A comprehensive library for mime-type mapping

Library home page: https://registry.npmjs.org/mime/-/mime-1.2.11.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/mime/package.json

Dependency Hierarchy:
- express-3.4.0.tgz (Root Library)
  - send-0.1.4.tgz
    - :x: **mime-1.2.11.tgz** (Vulnerable Library)

Found in HEAD commit: 86f297abe2fa7839e044790b4cae70a40d9b2515
Found in base branch: main

### Vulnerability Details

The mime module < 1.4.1, 2.0.1, 2.0.2 is vulnerable to regular expression denial of service when a mime lookup is performed on untrusted user input.

Mend Note: Converted from WS-2017-0330, on 2022-11-08.

Publish Date: 2018-04-26
URL: CVE-2017-16138

### CVSS 3 Score Details (7.5)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High

### Suggested Fix

Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16138
Release Date: 2018-04-26
Fix Resolution (mime): 1.4.1
Direct dependency fix Resolution (express): 4.16.0
:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.

## CVE-2017-16119

### Vulnerable Library - fresh-0.2.0.tgz

HTTP response freshness testing

Library home page: https://registry.npmjs.org/fresh/-/fresh-0.2.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/fresh/package.json

Dependency Hierarchy:
- express-3.4.0.tgz (Root Library)
  - :x: **fresh-0.2.0.tgz** (Vulnerable Library)

Found in HEAD commit: 86f297abe2fa7839e044790b4cae70a40d9b2515
Found in base branch: main

### Vulnerability Details

Fresh is a module used by the Express.js framework for HTTP response freshness testing. It is vulnerable to a regular expression denial of service when it is passed specially crafted input to parse. This causes the event loop to be blocked, causing a denial of service condition.

Publish Date: 2018-04-26
URL: CVE-2017-16119

### CVSS 3 Score Details (7.5)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High

### Suggested Fix

Type: Upgrade version
Origin: https://www.npmjs.com/advisories/526
Release Date: 2018-06-07
Fix Resolution (fresh): 0.5.2
Direct dependency fix Resolution (express): 4.15.5
:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.

## CVE-2017-1000048

### Vulnerable Library - qs-0.6.5.tgz

querystring parser

Library home page: https://registry.npmjs.org/qs/-/qs-0.6.5.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/connect/node_modules/qs/package.json

Dependency Hierarchy:
- express-3.4.0.tgz (Root Library)
  - connect-2.9.0.tgz
    - :x: **qs-0.6.5.tgz** (Vulnerable Library)

Found in HEAD commit: 86f297abe2fa7839e044790b4cae70a40d9b2515
Found in base branch: main

### Vulnerability Details

The web framework using ljharb's qs module older than v6.3.2, v6.2.3, v6.1.2, and v6.0.4 is vulnerable to a DoS. A malicious user can send an evil request to cause the web framework to crash.

Publish Date: 2017-07-13
URL: CVE-2017-1000048

### CVSS 3 Score Details (7.5)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High

### Suggested Fix

Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000048
Release Date: 2017-07-13
Fix Resolution (qs): 6.0.4
Direct dependency fix Resolution (express): 4.14.0
:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.

## CVE-2014-10064

### Vulnerable Library - qs-0.6.5.tgz

querystring parser

Library home page: https://registry.npmjs.org/qs/-/qs-0.6.5.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/connect/node_modules/qs/package.json

Dependency Hierarchy:
- express-3.4.0.tgz (Root Library)
  - connect-2.9.0.tgz
    - :x: **qs-0.6.5.tgz** (Vulnerable Library)

Found in HEAD commit: 86f297abe2fa7839e044790b4cae70a40d9b2515
Found in base branch: main

### Vulnerability Details

The qs module before 1.0.0 does not have an option or default for specifying object depth and, when parsing a string representing a deeply nested object, will block the event loop for long periods of time. An attacker could leverage this to cause a temporary denial-of-service condition; for example, in a web application, other requests would not be processed while this blocking is occurring.

Publish Date: 2018-04-26
URL: CVE-2014-10064

### CVSS 3 Score Details (7.5)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High

### Suggested Fix

Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2014-10064
Release Date: 2018-04-26
Fix Resolution (qs): 1.0.0
Direct dependency fix Resolution (express): 3.16.0
:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.

## CVE-2014-6394

### Vulnerable Library - send-0.1.4.tgz

Better streaming static file server with Range and conditional-GET support

Library home page: https://registry.npmjs.org/send/-/send-0.1.4.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/send/package.json

Dependency Hierarchy:
- express-3.4.0.tgz (Root Library)
  - :x: **send-0.1.4.tgz** (Vulnerable Library)

Found in HEAD commit: 86f297abe2fa7839e044790b4cae70a40d9b2515
Found in base branch: main

### Vulnerability Details

visionmedia send before 0.8.4 for Node.js uses a partial comparison for verifying whether a directory is within the document root, which allows remote attackers to access restricted directories, as demonstrated using "public-restricted" under a "public" directory.

Publish Date: 2014-10-08
URL: CVE-2014-6394

### CVSS 3 Score Details (7.3)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: Low
  - Integrity Impact: Low
  - Availability Impact: Low

### Suggested Fix

Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2014-6394
Release Date: 2014-10-08
Fix Resolution (send): 0.8.4
Direct dependency fix Resolution (express): 3.16.10
:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.

## CVE-2014-6393

### Vulnerable Library - express-3.4.0.tgz

Sinatra inspired web development framework

Library home page: https://registry.npmjs.org/express/-/express-3.4.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/express/package.json

Dependency Hierarchy:
- :x: **express-3.4.0.tgz** (Vulnerable Library)

Found in HEAD commit: 86f297abe2fa7839e044790b4cae70a40d9b2515
Found in base branch: main

### Vulnerability Details

The Express web framework before 3.11 and 4.x before 4.5 for Node.js does not provide a charset field in HTTP Content-Type headers in 400 level responses, which might allow remote attackers to conduct cross-site scripting (XSS) attacks via characters in a non-standard encoding.

Publish Date: 2017-08-09
URL: CVE-2014-6393

### CVSS 3 Score Details (6.1)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: Required
  - Scope: Changed
- Impact Metrics:
  - Confidentiality Impact: Low
  - Integrity Impact: Low
  - Availability Impact: None

### Suggested Fix

Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6393
Release Date: 2017-08-09
Fix Resolution: 3.11.0
:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.

## CVE-2015-8859

### Vulnerable Library - send-0.1.4.tgz

Better streaming static file server with Range and conditional-GET support

Library home page: https://registry.npmjs.org/send/-/send-0.1.4.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/send/package.json

Dependency Hierarchy:
- express-3.4.0.tgz (Root Library)
  - :x: **send-0.1.4.tgz** (Vulnerable Library)

Found in HEAD commit: 86f297abe2fa7839e044790b4cae70a40d9b2515
Found in base branch: main

### Vulnerability Details

The send package before 0.11.1 for Node.js allows attackers to obtain the root path via unspecified vectors.

Publish Date: 2017-01-23
URL: CVE-2015-8859

### CVSS 3 Score Details (5.3)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: Low
  - Integrity Impact: None
  - Availability Impact: None

### Suggested Fix

Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2015-8859
Release Date: 2017-01-23
Fix Resolution (send): 0.11.1
Direct dependency fix Resolution (express): 3.19.1
:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.

## CVE-2014-7191

### Vulnerable Library - qs-0.6.5.tgz

querystring parser

Library home page: https://registry.npmjs.org/qs/-/qs-0.6.5.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/connect/node_modules/qs/package.json

Dependency Hierarchy:
- express-3.4.0.tgz (Root Library)
  - connect-2.9.0.tgz
    - :x: **qs-0.6.5.tgz** (Vulnerable Library)

Found in HEAD commit: 86f297abe2fa7839e044790b4cae70a40d9b2515
Found in base branch: main

### Vulnerability Details

The qs module before 1.0.0 in Node.js does not call the compact function for array data, which allows remote attackers to cause a denial of service (memory consumption) by using a large index value to create a sparse array.

Publish Date: 2014-10-19
URL: CVE-2014-7191

### CVSS 3 Score Details (5.3)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: Low

### Suggested Fix

Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2014-7191
Release Date: 2014-10-19
Fix Resolution (qs): 1.0.0
Direct dependency fix Resolution (express): 3.16.0
:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.

## CVE-2016-1000236

### Vulnerable Library - cookie-signature-1.0.1.tgz

Sign and unsign cookies

Library home page: https://registry.npmjs.org/cookie-signature/-/cookie-signature-1.0.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/cookie-signature/package.json

Dependency Hierarchy:
- express-3.4.0.tgz (Root Library)
  - :x: **cookie-signature-1.0.1.tgz** (Vulnerable Library)

Found in HEAD commit: 86f297abe2fa7839e044790b4cae70a40d9b2515
Found in base branch: main

### Vulnerability Details

Node-cookie-signature before 1.0.6 is affected by a timing attack due to the type of comparison used.

Mend Note: Converted from WS-2016-0056, on 2022-11-08.

Publish Date: 2019-11-19
URL: CVE-2016-1000236

### CVSS 3 Score Details (4.4)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: High
  - Privileges Required: High
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: None
  - Availability Impact: None

### Suggested Fix

Type: Upgrade version
Origin: https://github.com/advisories/GHSA-92vm-wfm5-mxvv
Release Date: 2019-11-19
Fix Resolution (cookie-signature): 1.0.4
Direct dependency fix Resolution (express): 3.12.1
:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.

## CVE-2018-3717

### Vulnerable Library - connect-2.9.0.tgz

High performance middleware framework

Library home page: https://registry.npmjs.org/connect/-/connect-2.9.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/connect/package.json

Dependency Hierarchy:
- express-3.4.0.tgz (Root Library)
  - :x: **connect-2.9.0.tgz** (Vulnerable Library)

Found in HEAD commit: 86f297abe2fa7839e044790b4cae70a40d9b2515
Found in base branch: main

### Vulnerability Details

The connect node module before 2.14.0 suffers from a Cross-Site Scripting (XSS) vulnerability due to a lack of validation of file in the directory.js middleware.

Publish Date: 2018-04-26
URL: CVE-2018-3717

### CVSS 2 Score Details (3.5)

Base Score Metrics not available

### Suggested Fix

Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2018-3717
Release Date: 2018-06-07
Fix Resolution (connect): 2.14.0
Direct dependency fix Resolution (express): 3.5.0

:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.