angular-1.5.0.js: 7 vulnerabilities (highest severity is: 8.6) - autoclosed

Vulnerable Library - angular-1.5.0.js

AngularJS is an MVC framework for building web applications. The core features include HTML enhanced with custom component and data-binding capabilities, dependency injection and strong focus on simplicity, testability, maintainability and boiler-plate reduction.

Library home page: https://cdnjs.cloudflare.com/ajax/libs/angular.js/1.5.0/angular.js

Path to dependency file: /hadoop-yarn-project/hadoop-yarn/hadoop-yarn-ui/src/main/webapp/bower_components/js-xlsx/demos/angular/index.html

Path to vulnerable library: /hadoop-yarn-project/hadoop-yarn/hadoop-yarn-ui/src/main/webapp/bower_components/js-xlsx/demos/angular/index.html

Found in HEAD commit: 470f1f88c503c0d5abfd3273f348b226d6b3cfbc

Vulnerabilities

CVE	Severity	CVSS	Dependency	Type	Fixed in (angular version)	Remediation Possible**
WS-2017-0113	High	8.6	angular-1.5.0.js	Direct	angular - 1.6.0	❌
CVE-2019-10768	High	7.5	angular-1.5.0.js	Direct	angularjs - 1.7.9	❌
CVE-2022-25869	Medium	6.1	angular-1.5.0.js	Direct	N/A	❌
CVE-2020-7676	Medium	5.4	angular-1.5.0.js	Direct	1.8.0	❌
CVE-2023-26118	Medium	5.3	angular-1.5.0.js	Direct	N/A	❌
CVE-2023-26117	Medium	5.3	angular-1.5.0.js	Direct	N/A	❌
CVE-2023-26116	Medium	5.3	angular-1.5.0.js	Direct	N/A	❌

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

WS-2017-0113

### Vulnerable Library - angular-1.5.0.js

Library home page: https://cdnjs.cloudflare.com/ajax/libs/angular.js/1.5.0/angular.js

Path to dependency file: /hadoop-yarn-project/hadoop-yarn/hadoop-yarn-ui/src/main/webapp/bower_components/js-xlsx/demos/angular/index.html

Path to vulnerable library: /hadoop-yarn-project/hadoop-yarn/hadoop-yarn-ui/src/main/webapp/bower_components/js-xlsx/demos/angular/index.html

Dependency Hierarchy: - :x: **angular-1.5.0.js** (Vulnerable Library)

Found in HEAD commit: 470f1f88c503c0d5abfd3273f348b226d6b3cfbc

Found in base branch: hubspot-3.3

### Vulnerability Details

angular.js is vulnerable to XSS. This happens since an attacker can load Angular from the extension, and Angular's auto-bootstrapping can be used to bypass the victim site's CSP protection.

Publish Date: 2016-11-02

URL: WS-2017-0113

### CVSS 3 Score Details (8.6)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Changed - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: None - Availability Impact: None

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Release Date: 2016-11-02

Fix Resolution: angular - 1.6.0

CVE-2019-10768

### Vulnerable Library - angular-1.5.0.js

Library home page: https://cdnjs.cloudflare.com/ajax/libs/angular.js/1.5.0/angular.js

Path to dependency file: /hadoop-yarn-project/hadoop-yarn/hadoop-yarn-ui/src/main/webapp/bower_components/js-xlsx/demos/angular/index.html

Path to vulnerable library: /hadoop-yarn-project/hadoop-yarn/hadoop-yarn-ui/src/main/webapp/bower_components/js-xlsx/demos/angular/index.html

Dependency Hierarchy: - :x: **angular-1.5.0.js** (Vulnerable Library)

Found in HEAD commit: 470f1f88c503c0d5abfd3273f348b226d6b3cfbc

Found in base branch: hubspot-3.3

### Vulnerability Details

In AngularJS before 1.7.9 the function `merge()` could be tricked into adding or modifying properties of `Object.prototype` using a `__proto__` payload.

Publish Date: 2019-11-19

URL: CVE-2019-10768

### CVSS 3 Score Details (7.5)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: High - Availability Impact: None

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Release Date: 2019-11-19

Fix Resolution: angularjs - 1.7.9

CVE-2022-25869

### Vulnerable Library - angular-1.5.0.js

Library home page: https://cdnjs.cloudflare.com/ajax/libs/angular.js/1.5.0/angular.js

Path to dependency file: /hadoop-yarn-project/hadoop-yarn/hadoop-yarn-ui/src/main/webapp/bower_components/js-xlsx/demos/angular/index.html

Path to vulnerable library: /hadoop-yarn-project/hadoop-yarn/hadoop-yarn-ui/src/main/webapp/bower_components/js-xlsx/demos/angular/index.html

Dependency Hierarchy: - :x: **angular-1.5.0.js** (Vulnerable Library)

Found in HEAD commit: 470f1f88c503c0d5abfd3273f348b226d6b3cfbc

Found in base branch: hubspot-3.3

### Vulnerability Details

All versions of package angular are vulnerable to Cross-site Scripting (XSS) due to insecure page caching in the Internet Explorer browser, which allows interpolation of elements. Publish Date: 2022-07-15 URL: <a href=https://www.mend.io/vulnerability-database/CVE-2022-25869>CVE-2022-25869</a> ### CVSS 3 Score Details (6.1) Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: Required - Scope: Changed - Impact Metrics: - Confidentiality Impact: Low - Integrity Impact: Low - Availability Impact: None For more information on CVSS3 Scores, click <a rel="noreferrer nofollow" target="_blank" href="https://www.first.org/cvss/calculator/3.0">here</a>. </details><details> <summary><img src='https://whitesource-resources.whitesourcesoftware.com/medium_vul.png?' width=19 height=20> CVE-2020-7676</summary> ### Vulnerable Library - angular-1.5.0.js AngularJS is an MVC framework for building web applications. The core features include HTML enhanced with custom component and data-binding capabilities, dependency injection and strong focus on simplicity, testability, maintainability and boiler-plate reduction. Library home page: <a rel="noreferrer nofollow" target="_blank" href="https://cdnjs.cloudflare.com/ajax/libs/angular.js/1.5.0/angular.js">https://cdnjs.cloudflare.com/ajax/libs/angular.js/1.5.0/angular.js</a> Path to dependency file: /hadoop-yarn-project/hadoop-yarn/hadoop-yarn-ui/src/main/webapp/bower_components/js-xlsx/demos/angular/index.html Path to vulnerable library: /hadoop-yarn-project/hadoop-yarn/hadoop-yarn-ui/src/main/webapp/bower_components/js-xlsx/demos/angular/index.html Dependency Hierarchy: - :x: **angular-1.5.0.js** (Vulnerable Library) Found in HEAD commit: <a rel="noreferrer nofollow" target="_blank" href="https://github.com/jgeraigery/hadoop-555665675/commit/470f1f88c503c0d5abfd3273f348b226d6b3cfbc">470f1f88c503c0d5abfd3273f348b226d6b3cfbc</a> Found in base branch: hubspot-3.3 ### Vulnerability Details angular.js prior to 1.8.0 allows cross site scripting. The regex-based input HTML replacement may turn sanitized code into unsanitized one. Wrapping "<option>" elements in "<select>" ones changes parsing behavior, leading to possibly unsanitizing code. Publish Date: 2020-06-08 URL: <a href=https://www.mend.io/vulnerability-database/CVE-2020-7676>CVE-2020-7676</a> ### CVSS 3 Score Details (5.4) Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: Low - User Interaction: Required - Scope: Changed - Impact Metrics: - Confidentiality Impact: Low - Integrity Impact: Low - Availability Impact: None For more information on CVSS3 Scores, click <a rel="noreferrer nofollow" target="_blank" href="https://www.first.org/cvss/calculator/3.0">here</a>. ### Suggested Fix Type: Upgrade version Origin: <a rel="noreferrer nofollow" target="_blank" href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7676">https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7676</a> Release Date: 2020-10-09 Fix Resolution: 1.8.0 </details><details> <summary><img src='https://whitesource-resources.whitesourcesoftware.com/medium_vul.png?' width=19 height=20> CVE-2023-26118</summary> ### Vulnerable Library - angular-1.5.0.js AngularJS is an MVC framework for building web applications. The core features include HTML enhanced with custom component and data-binding capabilities, dependency injection and strong focus on simplicity, testability, maintainability and boiler-plate reduction. Library home page: <a rel="noreferrer nofollow" target="_blank" href="https://cdnjs.cloudflare.com/ajax/libs/angular.js/1.5.0/angular.js">https://cdnjs.cloudflare.com/ajax/libs/angular.js/1.5.0/angular.js</a> Path to dependency file: /hadoop-yarn-project/hadoop-yarn/hadoop-yarn-ui/src/main/webapp/bower_components/js-xlsx/demos/angular/index.html Path to vulnerable library: /hadoop-yarn-project/hadoop-yarn/hadoop-yarn-ui/src/main/webapp/bower_components/js-xlsx/demos/angular/index.html Dependency Hierarchy: - :x: **angular-1.5.0.js** (Vulnerable Library) Found in HEAD commit: <a rel="noreferrer nofollow" target="_blank" href="https://github.com/jgeraigery/hadoop-555665675/commit/470f1f88c503c0d5abfd3273f348b226d6b3cfbc">470f1f88c503c0d5abfd3273f348b226d6b3cfbc</a> Found in base branch: hubspot-3.3 ### Vulnerability Details Versions of the package angular from 1.4.9 are vulnerable to Regular Expression Denial of Service (ReDoS) via the <input type="url"> element due to the usage of an insecure regular expression in the input[url] functionality. Exploiting this vulnerability is possible by a large carefully-crafted input, which can result in catastrophic backtracking. Publish Date: 2023-03-30 URL: <a href=https://www.mend.io/vulnerability-database/CVE-2023-26118>CVE-2023-26118</a> ### CVSS 3 Score Details (5.3) Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: Low For more information on CVSS3 Scores, click <a rel="noreferrer nofollow" target="_blank" href="https://www.first.org/cvss/calculator/3.0">here</a>. </details><details> <summary><img src='https://whitesource-resources.whitesourcesoftware.com/medium_vul.png?' width=19 height=20> CVE-2023-26117</summary> ### Vulnerable Library - angular-1.5.0.js AngularJS is an MVC framework for building web applications. The core features include HTML enhanced with custom component and data-binding capabilities, dependency injection and strong focus on simplicity, testability, maintainability and boiler-plate reduction. Library home page: <a rel="noreferrer nofollow" target="_blank" href="https://cdnjs.cloudflare.com/ajax/libs/angular.js/1.5.0/angular.js">https://cdnjs.cloudflare.com/ajax/libs/angular.js/1.5.0/angular.js</a> Path to dependency file: /hadoop-yarn-project/hadoop-yarn/hadoop-yarn-ui/src/main/webapp/bower_components/js-xlsx/demos/angular/index.html Path to vulnerable library: /hadoop-yarn-project/hadoop-yarn/hadoop-yarn-ui/src/main/webapp/bower_components/js-xlsx/demos/angular/index.html Dependency Hierarchy: - :x: **angular-1.5.0.js** (Vulnerable Library) Found in HEAD commit: <a rel="noreferrer nofollow" target="_blank" href="https://github.com/jgeraigery/hadoop-555665675/commit/470f1f88c503c0d5abfd3273f348b226d6b3cfbc">470f1f88c503c0d5abfd3273f348b226d6b3cfbc</a> Found in base branch: hubspot-3.3 ### Vulnerability Details Versions of the package angular from 1.0.0 are vulnerable to Regular Expression Denial of Service (ReDoS) via the $resource service due to the usage of an insecure regular expression. Exploiting this vulnerability is possible by a large carefully-crafted input, which can result in catastrophic backtracking. Publish Date: 2023-03-30 URL: <a href=https://www.mend.io/vulnerability-database/CVE-2023-26117>CVE-2023-26117</a> ### CVSS 3 Score Details (5.3) Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: Low For more information on CVSS3 Scores, click <a rel="noreferrer nofollow" target="_blank" href="https://www.first.org/cvss/calculator/3.0">here</a>. </details><details> <summary><img src='https://whitesource-resources.whitesourcesoftware.com/medium_vul.png?' width=19 height=20> CVE-2023-26116</summary> ### Vulnerable Library - angular-1.5.0.js AngularJS is an MVC framework for building web applications. The core features include HTML enhanced with custom component and data-binding capabilities, dependency injection and strong focus on simplicity, testability, maintainability and boiler-plate reduction. Library home page: <a rel="noreferrer nofollow" target="_blank" href="https://cdnjs.cloudflare.com/ajax/libs/angular.js/1.5.0/angular.js">https://cdnjs.cloudflare.com/ajax/libs/angular.js/1.5.0/angular.js</a> Path to dependency file: /hadoop-yarn-project/hadoop-yarn/hadoop-yarn-ui/src/main/webapp/bower_components/js-xlsx/demos/angular/index.html Path to vulnerable library: /hadoop-yarn-project/hadoop-yarn/hadoop-yarn-ui/src/main/webapp/bower_components/js-xlsx/demos/angular/index.html Dependency Hierarchy: - :x: **angular-1.5.0.js** (Vulnerable Library) Found in HEAD commit: <a rel="noreferrer nofollow" target="_blank" href="https://github.com/jgeraigery/hadoop-555665675/commit/470f1f88c503c0d5abfd3273f348b226d6b3cfbc">470f1f88c503c0d5abfd3273f348b226d6b3cfbc</a> Found in base branch: hubspot-3.3 ### Vulnerability Details Versions of the package angular from 1.2.21 are vulnerable to Regular Expression Denial of Service (ReDoS) via the angular.copy() utility function due to the usage of an insecure regular expression. Exploiting this vulnerability is possible by a large carefully-crafted input, which can result in catastrophic backtracking. Publish Date: 2023-03-30 URL: <a href=https://www.mend.io/vulnerability-database/CVE-2023-26116>CVE-2023-26116</a> ### CVSS 3 Score Details (5.3) Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: Low For more information on CVSS3 Scores, click <a rel="noreferrer nofollow" target="_blank" href="https://www.first.org/cvss/calculator/3.0">here</a>. </details> </div> </div> <div class="comment"> <div class="user"> <a rel="noreferrer nofollow" target="_blank" href="https://github.com/mend-for-github-com[bot]"><img src="https://avatars.githubusercontent.com/in/30796?v=4" />mend-for-github-com[bot]</a> commented 4 months ago </div> <div class="markdown-body"> :information_source: This issue was automatically closed by Mend because it is a duplicate of an existing issue: #87 </div> </div> <div class="page-bar-simple"> </div> <div class="footer"> <ul class="body"> <li>© <script> document.write(new Date().getFullYear()) </script> Githubissues.</li> <li>Githubissues is a development platform for aggregating issues.</li> </ul> </div> <script src="https://cdn.jsdelivr.net/npm/jquery@3.5.1/dist/jquery.min.js"></script> <script src="/githubissues/assets/js.js"></script> <script src="/githubissues/assets/markdown.js"></script> <script src="https://cdn.jsdelivr.net/gh/highlightjs/cdn-release@11.4.0/build/highlight.min.js"></script> <script src="https://cdn.jsdelivr.net/gh/highlightjs/cdn-release@11.4.0/build/languages/go.min.js"></script> <script> hljs.highlightAll(); </script> </body> </html>

jgeraigery / hadoop-555665675

angular-1.5.0.js: 7 vulnerabilities (highest severity is: 8.6) - autoclosed #5

Vulnerabilities

Details