angular-1.6.10.tgz: 9 vulnerabilities (highest severity is: 7.5)

[mend-for-github-com[bot]]

Vulnerable Library - angular-1.6.10.tgz

HTML enhanced for web apps

Library home page: https://registry.npmjs.org/angular/-/angular-1.6.10.tgz

Path to dependency file: /hadoop-yarn-project/hadoop-yarn/hadoop-yarn-applications/hadoop-yarn-applications-catalog/hadoop-yarn-applications-catalog-webapp/package.json

Path to vulnerable library: /hadoop-yarn-project/hadoop-yarn/hadoop-yarn-applications/hadoop-yarn-applications-catalog/hadoop-yarn-applications-catalog-webapp/node_modules/angular/package.json

Vulnerabilities

CVE	Severity	CVSS	Exploit Maturity	EPSS	Dependency	Type	Fixed in (angular version)	Remediation Possible**	Reachability
CVE-2024-21490	High	7.5	Proof of concept	0.1%	angular-1.6.10.tgz	Direct	N/A	❌	Unreachable
CVE-2019-10768	High	7.5	Not Defined	0.1%	angular-1.6.10.tgz	Direct	1.7.9	✅	Unreachable
CVE-2020-7676	Medium	5.4	Not Defined	0.2%	angular-1.6.10.tgz	Direct	1.8.0	✅	Unreachable
CVE-2023-26118	Medium	5.3	Proof of concept	0.3%	angular-1.6.10.tgz	Direct	N/A	❌	Unreachable
CVE-2023-26117	Medium	5.3	Proof of concept	0.2%	angular-1.6.10.tgz	Direct	N/A	❌	Unreachable
CVE-2023-26116	Medium	5.3	Proof of concept	0.2%	angular-1.6.10.tgz	Direct	N/A	❌	Unreachable
CVE-2022-25869	Medium	4.2	Proof of concept	0.5%	angular-1.6.10.tgz	Direct	N/A	❌	Unreachable
CVE-2024-8373	Medium	4.8	Not Defined	0.0%	angular-1.6.10.tgz	Direct	N/A	❌
CVE-2024-8372	Medium	4.8	Not Defined	0.0%	angular-1.6.10.tgz	Direct	N/A	❌

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2024-21490

### Vulnerable Library - angular-1.6.10.tgz

HTML enhanced for web apps

Library home page: https://registry.npmjs.org/angular/-/angular-1.6.10.tgz

Path to dependency file: /hadoop-yarn-project/hadoop-yarn/hadoop-yarn-applications/hadoop-yarn-applications-catalog/hadoop-yarn-applications-catalog-webapp/package.json

Path to vulnerable library: /hadoop-yarn-project/hadoop-yarn/hadoop-yarn-applications/hadoop-yarn-applications-catalog/hadoop-yarn-applications-catalog-webapp/node_modules/angular/package.json

Dependency Hierarchy: - :x: **angular-1.6.10.tgz** (Vulnerable Library)

Found in base branch: hubspot-3.3

### Reachability Analysis

The vulnerable code is unreachable

### Vulnerability Details

This affects versions of the package angular from 1.3.0. A regular expression used to split the value of the ng-srcset directive is vulnerable to super-linear runtime due to backtracking. With large carefully-crafted input, this can result in catastrophic backtracking and cause a denial of service. **Note:** This package is EOL and will not receive any updates to address this issue. Users should migrate to [@angular/core](https://www.npmjs.com/package/@angular/core).

Publish Date: 2024-02-10

URL: CVE-2024-21490

### Threat Assessment

Exploit Maturity: Proof of concept

EPSS: 0.1%

### CVSS 3 Score Details (7.5)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High

For more information on CVSS3 Scores, click here.

CVE-2019-10768

### Vulnerable Library - angular-1.6.10.tgz

HTML enhanced for web apps

Library home page: https://registry.npmjs.org/angular/-/angular-1.6.10.tgz

Path to dependency file: /hadoop-yarn-project/hadoop-yarn/hadoop-yarn-applications/hadoop-yarn-applications-catalog/hadoop-yarn-applications-catalog-webapp/package.json

Path to vulnerable library: /hadoop-yarn-project/hadoop-yarn/hadoop-yarn-applications/hadoop-yarn-applications-catalog/hadoop-yarn-applications-catalog-webapp/node_modules/angular/package.json

Dependency Hierarchy: - :x: **angular-1.6.10.tgz** (Vulnerable Library)

Found in base branch: hubspot-3.3

### Reachability Analysis

The vulnerable code is unreachable

### Vulnerability Details

In AngularJS before 1.7.9 the function `merge()` could be tricked into adding or modifying properties of `Object.prototype` using a `__proto__` payload. Mend Note: After conducting further research, Mend has determined that versions 1.4.0-beta.6 before 1.7.9 of angular are vulnerable to CVE-2019-10768. Converted from WS-2019-0367, on 2021-07-21.

Publish Date: 2019-11-19

URL: CVE-2019-10768

### Threat Assessment

Exploit Maturity: Not Defined

EPSS: 0.1%

### CVSS 3 Score Details (7.5)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: High - Availability Impact: None

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Release Date: 2019-11-19

Fix Resolution: 1.7.9

:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.

CVE-2020-7676

### Vulnerable Library - angular-1.6.10.tgz

HTML enhanced for web apps

Library home page: https://registry.npmjs.org/angular/-/angular-1.6.10.tgz

Path to dependency file: /hadoop-yarn-project/hadoop-yarn/hadoop-yarn-applications/hadoop-yarn-applications-catalog/hadoop-yarn-applications-catalog-webapp/package.json

Path to vulnerable library: /hadoop-yarn-project/hadoop-yarn/hadoop-yarn-applications/hadoop-yarn-applications-catalog/hadoop-yarn-applications-catalog-webapp/node_modules/angular/package.json

Dependency Hierarchy: - :x: **angular-1.6.10.tgz** (Vulnerable Library)

Found in base branch: hubspot-3.3

### Reachability Analysis

The vulnerable code is unreachable

### Vulnerability Details

angular.js prior to 1.8.0 allows cross site scripting. The regex-based input HTML replacement may turn sanitized code into unsanitized one. Wrapping "" elements in "" ones changes parsing behavior, leading to possibly unsanitizing code.

Publish Date: 2020-06-08

URL: CVE-2020-7676

### Threat Assessment

Exploit Maturity: Not Defined

EPSS: 0.2%

### CVSS 3 Score Details (5.4)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: Low - User Interaction: Required - Scope: Changed - Impact Metrics: - Confidentiality Impact: Low - Integrity Impact: Low - Availability Impact: None

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7676

Release Date: 2020-06-08

Fix Resolution: 1.8.0

:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.

CVE-2023-26118

### Vulnerable Library - angular-1.6.10.tgz

HTML enhanced for web apps

Library home page: https://registry.npmjs.org/angular/-/angular-1.6.10.tgz

Path to dependency file: /hadoop-yarn-project/hadoop-yarn/hadoop-yarn-applications/hadoop-yarn-applications-catalog/hadoop-yarn-applications-catalog-webapp/package.json

Path to vulnerable library: /hadoop-yarn-project/hadoop-yarn/hadoop-yarn-applications/hadoop-yarn-applications-catalog/hadoop-yarn-applications-catalog-webapp/node_modules/angular/package.json

Dependency Hierarchy: - :x: **angular-1.6.10.tgz** (Vulnerable Library)

Found in base branch: hubspot-3.3

### Reachability Analysis

The vulnerable code is unreachable

### Vulnerability Details

Versions of the package angular from 1.4.9 are vulnerable to Regular Expression Denial of Service (ReDoS) via the

element due to the usage of an insecure regular expression in the input[url] functionality. Exploiting this vulnerability is possible by a large carefully-crafted input, which can result in catastrophic backtracking.

Publish Date: 2023-03-30

URL: CVE-2023-26118

### Threat Assessment

Exploit Maturity: Proof of concept

EPSS: 0.3%

### CVSS 3 Score Details (5.3)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: Low

For more information on CVSS3 Scores, click here.

CVE-2023-26117

### Vulnerable Library - angular-1.6.10.tgz

HTML enhanced for web apps

Library home page: https://registry.npmjs.org/angular/-/angular-1.6.10.tgz

Path to dependency file: /hadoop-yarn-project/hadoop-yarn/hadoop-yarn-applications/hadoop-yarn-applications-catalog/hadoop-yarn-applications-catalog-webapp/package.json

Path to vulnerable library: /hadoop-yarn-project/hadoop-yarn/hadoop-yarn-applications/hadoop-yarn-applications-catalog/hadoop-yarn-applications-catalog-webapp/node_modules/angular/package.json

Dependency Hierarchy: - :x: **angular-1.6.10.tgz** (Vulnerable Library)

Found in base branch: hubspot-3.3

### Reachability Analysis

The vulnerable code is unreachable

### Vulnerability Details

Versions of the package angular from 1.0.0 are vulnerable to Regular Expression Denial of Service (ReDoS) via the $resource service due to the usage of an insecure regular expression. Exploiting this vulnerability is possible by a large carefully-crafted input, which can result in catastrophic backtracking.

Publish Date: 2023-03-30

URL: CVE-2023-26117

### Threat Assessment

Exploit Maturity: Proof of concept

EPSS: 0.2%

### CVSS 3 Score Details (5.3)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: Low

For more information on CVSS3 Scores, click here.

CVE-2023-26116

### Vulnerable Library - angular-1.6.10.tgz

HTML enhanced for web apps

Library home page: https://registry.npmjs.org/angular/-/angular-1.6.10.tgz

Path to dependency file: /hadoop-yarn-project/hadoop-yarn/hadoop-yarn-applications/hadoop-yarn-applications-catalog/hadoop-yarn-applications-catalog-webapp/package.json

Path to vulnerable library: /hadoop-yarn-project/hadoop-yarn/hadoop-yarn-applications/hadoop-yarn-applications-catalog/hadoop-yarn-applications-catalog-webapp/node_modules/angular/package.json

Dependency Hierarchy: - :x: **angular-1.6.10.tgz** (Vulnerable Library)

Found in base branch: hubspot-3.3

### Reachability Analysis

The vulnerable code is unreachable

### Vulnerability Details

Versions of the package angular from 1.2.21 are vulnerable to Regular Expression Denial of Service (ReDoS) via the angular.copy() utility function due to the usage of an insecure regular expression. Exploiting this vulnerability is possible by a large carefully-crafted input, which can result in catastrophic backtracking.

Publish Date: 2023-03-30

URL: CVE-2023-26116

### Threat Assessment

Exploit Maturity: Proof of concept

EPSS: 0.2%

### CVSS 3 Score Details (5.3)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: Low

For more information on CVSS3 Scores, click here.

CVE-2022-25869

### Vulnerable Library - angular-1.6.10.tgz

HTML enhanced for web apps

Library home page: https://registry.npmjs.org/angular/-/angular-1.6.10.tgz

Path to dependency file: /hadoop-yarn-project/hadoop-yarn/hadoop-yarn-applications/hadoop-yarn-applications-catalog/hadoop-yarn-applications-catalog-webapp/package.json

Path to vulnerable library: /hadoop-yarn-project/hadoop-yarn/hadoop-yarn-applications/hadoop-yarn-applications-catalog/hadoop-yarn-applications-catalog-webapp/node_modules/angular/package.json

Dependency Hierarchy: - :x: **angular-1.6.10.tgz** (Vulnerable Library)

Found in base branch: hubspot-3.3

### Reachability Analysis

The vulnerable code is unreachable

### Vulnerability Details

All versions of package angular are vulnerable to Cross-site Scripting (XSS) due to insecure page caching in the Internet Explorer browser, which allows interpolation of elements. <p>Publish Date: 2022-07-15 <p>URL: <a href=https://www.mend.io/vulnerability-database/CVE-2022-25869>CVE-2022-25869</a></p> </p> <p></p> ### Threat Assessment <p> <p>Exploit Maturity: Proof of concept</p> <p>EPSS: 0.5%</p> </p> <p></p> ### CVSS 3 Score Details (<b>4.2</b>) <p> Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: High - Privileges Required: None - User Interaction: Required - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: Low - Integrity Impact: Low - Availability Impact: None </p> For more information on CVSS3 Scores, click <a rel="noreferrer nofollow" target="_blank" href="https://www.first.org/cvss/calculator/3.0">here</a>. </p> <p></p> </details><details> <summary><img src='https://whitesource-resources.whitesourcesoftware.com/medium_vul.png?' width=19 height=20> CVE-2024-8373</summary> ### Vulnerable Library - <b>angular-1.6.10.tgz</b></p> <p>HTML enhanced for web apps</p> <p>Library home page: <a rel="noreferrer nofollow" target="_blank" href="https://registry.npmjs.org/angular/-/angular-1.6.10.tgz">https://registry.npmjs.org/angular/-/angular-1.6.10.tgz</a></p> <p>Path to dependency file: /hadoop-yarn-project/hadoop-yarn/hadoop-yarn-applications/hadoop-yarn-applications-catalog/hadoop-yarn-applications-catalog-webapp/package.json</p> <p>Path to vulnerable library: /hadoop-yarn-project/hadoop-yarn/hadoop-yarn-applications/hadoop-yarn-applications-catalog/hadoop-yarn-applications-catalog-webapp/node_modules/angular/package.json</p> <p> Dependency Hierarchy: - :x: **angular-1.6.10.tgz** (Vulnerable Library) <p>Found in base branch: <b>hubspot-3.3</b></p> </p> <p></p> ### Vulnerability Details <p> Improper sanitization of the value of the [srcset] attribute in <source> HTML elements in AngularJS allows attackers to bypass common image source restrictions, which can also lead to a form of Content Spoofing https://owasp.org/www-community/attacks/Content_Spoofing . This issue affects all versions of AngularJS. Note: The AngularJS project is End-of-Life and will not receive any updates to address this issue. For more information see here https://docs.angularjs.org/misc/version-support-status . <p>Publish Date: 2024-09-09 <p>URL: <a href=https://www.mend.io/vulnerability-database/CVE-2024-8373>CVE-2024-8373</a></p> </p> <p></p> ### Threat Assessment <p> <p>Exploit Maturity: Not Defined</p> <p>EPSS: 0.0%</p> </p> <p></p> ### CVSS 3 Score Details (<b>4.8</b>) <p> Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: High - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: Low - Availability Impact: Low </p> For more information on CVSS3 Scores, click <a rel="noreferrer nofollow" target="_blank" href="https://www.first.org/cvss/calculator/3.0">here</a>. </p> <p></p> </details><details> <summary><img src='https://whitesource-resources.whitesourcesoftware.com/medium_vul.png?' width=19 height=20> CVE-2024-8372</summary> ### Vulnerable Library - <b>angular-1.6.10.tgz</b></p> <p>HTML enhanced for web apps</p> <p>Library home page: <a rel="noreferrer nofollow" target="_blank" href="https://registry.npmjs.org/angular/-/angular-1.6.10.tgz">https://registry.npmjs.org/angular/-/angular-1.6.10.tgz</a></p> <p>Path to dependency file: /hadoop-yarn-project/hadoop-yarn/hadoop-yarn-applications/hadoop-yarn-applications-catalog/hadoop-yarn-applications-catalog-webapp/package.json</p> <p>Path to vulnerable library: /hadoop-yarn-project/hadoop-yarn/hadoop-yarn-applications/hadoop-yarn-applications-catalog/hadoop-yarn-applications-catalog-webapp/node_modules/angular/package.json</p> <p> Dependency Hierarchy: - :x: **angular-1.6.10.tgz** (Vulnerable Library) <p>Found in base branch: <b>hubspot-3.3</b></p> </p> <p></p> ### Vulnerability Details <p> Improper sanitization of the value of the '[srcset]' attribute in AngularJS allows attackers to bypass common image source restrictions, which can also lead to a form of Content Spoofing https://owasp.org/www-community/attacks/Content_Spoofing . This issue affects AngularJS versions 1.3.0-rc.4 and greater. Note: The AngularJS project is End-of-Life and will not receive any updates to address this issue. For more information see here https://docs.angularjs.org/misc/version-support-status . <p>Publish Date: 2024-09-09 <p>URL: <a href=https://www.mend.io/vulnerability-database/CVE-2024-8372>CVE-2024-8372</a></p> </p> <p></p> ### Threat Assessment <p> <p>Exploit Maturity: Not Defined</p> <p>EPSS: 0.0%</p> </p> <p></p> ### CVSS 3 Score Details (<b>4.8</b>) <p> Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: High - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: Low - Availability Impact: Low </p> For more information on CVSS3 Scores, click <a rel="noreferrer nofollow" target="_blank" href="https://www.first.org/cvss/calculator/3.0">here</a>. </p> <p></p> </details> <hr /> <p>:rescue_worker_helmet:Automatic Remediation will be attempted for this issue.</p> </div> </div> <div class="page-bar-simple"> </div> <div class="footer"> <ul class="body"> <li>© <script> document.write(new Date().getFullYear()) </script> Githubissues.</li> <li>Githubissues is a development platform for aggregating issues.</li> </ul> </div> <script src="https://cdn.jsdelivr.net/npm/jquery@3.5.1/dist/jquery.min.js"></script> <script src="/githubissues/assets/js.js"></script> <script src="/githubissues/assets/markdown.js"></script> <script src="https://cdn.jsdelivr.net/gh/highlightjs/cdn-release@11.4.0/build/highlight.min.js"></script> <script src="https://cdn.jsdelivr.net/gh/highlightjs/cdn-release@11.4.0/build/languages/go.min.js"></script> <script> hljs.highlightAll(); </script> </body> </html>