nvenkatesh1 / SCA_test_JS

Learn elm faster and in a fun way
MIT License

karma-2.0.5.tgz: 44 vulnerabilities (highest severity is: 9.8) - autoclosed #93

Closed mend-for-github-com[bot] closed 7 months ago

mend-for-github-com[bot] commented 2 years ago
Vulnerable Library - karma-2.0.5.tgz

Spectacular Test Runner for JavaScript.

Library home page: https://registry.npmjs.org/karma/-/karma-2.0.5.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/karma/package.json

Found in HEAD commit: eb47eeefc02a252a76628fec10a3c26aacb34024

Vulnerabilities

| CVE | Severity | CVSS | Dependency | Type | Fixed in (karma version) | Remediation Possible** |
|---|---|---|---|---|---|---|
| CVE-2021-23406 | Critical | 9.8 | detected in multiple dependencies | Transitive | 3.0.0 | |
| CVE-2022-0691 | Critical | 9.8 | url-parse-1.4.7.tgz | Transitive | 3.0.0 | |
| CVE-2022-2421 | Critical | 9.8 | socket.io-parser-3.1.3.tgz | Transitive | 5.0.8 | |
| CVE-2023-26136 | Critical | 9.8 | tough-cookie-2.3.4.tgz | Transitive | 3.0.0 | |
| CVE-2020-7769 | Critical | 9.8 | nodemailer-2.7.2.tgz | Transitive | 3.0.0 | |
| WS-2020-0344 | Critical | 9.8 | is-my-json-valid-2.20.0.tgz | Transitive | 3.0.0 | |
| CVE-2021-44906 | Critical | 9.8 | minimist-0.0.10.tgz | Transitive | 5.0.0 | |
| CVE-2021-31597 | Critical | 9.4 | xmlhttprequest-ssl-1.5.5.tgz | Transitive | 5.0.8 | |
| CVE-2021-28918 | Critical | 9.1 | netmask-1.0.6.tgz | Transitive | 3.0.0 | |
| CVE-2022-0686 | Critical | 9.1 | url-parse-1.4.7.tgz | Transitive | 3.0.0 | |
| CVE-2021-23400 | High | 8.8 | nodemailer-2.7.2.tgz | Transitive | 3.0.0 | |
| CVE-2020-28502 | High | 8.1 | xmlhttprequest-ssl-1.5.5.tgz | Transitive | 5.0.8 | |
| WS-2020-0443 | High | 8.1 | socket.io-2.0.4.tgz | Transitive | 5.0.8 | |
| CVE-2020-28469 | High | 7.5 | glob-parent-3.1.0.tgz | Transitive | 4.2.0 | |
| CVE-2022-0654 | High | 7.5 | requestretry-1.13.0.tgz | Transitive | 3.0.0 | |
| CVE-2017-16115 | High | 7.5 | timespan-2.3.0.tgz | Transitive | N/A* | |
| CVE-2021-3749 | High | 7.5 | axios-0.15.3.tgz | Transitive | 3.0.0 | |
| CVE-2022-29167 | High | 7.5 | hawk-3.1.3.tgz | Transitive | 3.0.0 | |
| WS-2018-0650 | High | 7.5 | useragent-2.2.1.tgz | Transitive | N/A* | |
| CVE-2020-36048 | High | 7.5 | engine.io-3.1.5.tgz | Transitive | 5.0.8 | |
| WS-2020-0342 | High | 7.5 | is-my-json-valid-2.20.0.tgz | Transitive | 3.0.0 | |
| CVE-2020-36049 | High | 7.5 | socket.io-parser-3.1.3.tgz | Transitive | 5.0.8 | |
| CVE-2021-29469 | High | 7.5 | redis-2.8.0.tgz | Transitive | 3.0.0 | |
| CVE-2021-23358 | High | 7.2 | underscore-1.7.0.tgz | Transitive | 3.0.0 | |
| CVE-2022-0155 | Medium | 6.5 | follow-redirects-1.0.0.tgz | Transitive | 3.0.0 | |
| CVE-2022-41940 | Medium | 6.5 | engine.io-3.1.5.tgz | Transitive | 5.0.8 | |
| CVE-2023-45857 | Medium | 6.5 | axios-0.15.3.tgz | Transitive | 3.0.0 | |
| CVE-2020-8244 | Medium | 6.5 | bl-1.1.2.tgz | Transitive | 3.0.0 | |
| CVE-2022-0437 | Medium | 6.1 | karma-2.0.5.tgz | Direct | 6.3.14 | |
| CVE-2021-23495 | Medium | 6.1 | karma-2.0.5.tgz | Direct | 6.3.16 | |
| CVE-2023-26159 | Medium | 6.1 | follow-redirects-1.0.0.tgz | Transitive | 3.0.0 | |
| CVE-2023-28155 | Medium | 6.1 | request-2.75.0.tgz | Transitive | N/A* | |
| CVE-2022-0536 | Medium | 5.9 | follow-redirects-1.0.0.tgz | Transitive | 3.0.0 | |
| CVE-2020-28168 | Medium | 5.9 | axios-0.15.3.tgz | Transitive | 3.0.0 | |
| CVE-2020-7598 | Medium | 5.6 | minimist-0.0.10.tgz | Transitive | 5.0.0 | |
| CVE-2019-10742 | Medium | 5.5 | axios-0.15.3.tgz | Transitive | 3.0.0 | |
| CVE-2022-21704 | Medium | 5.5 | log4js-2.11.0.tgz | Transitive | 5.0.8 | |
| CVE-2022-0512 | Medium | 5.3 | url-parse-1.4.7.tgz | Transitive | 3.0.0 | |
| CVE-2021-3664 | Medium | 5.3 | url-parse-1.4.7.tgz | Transitive | 3.0.0 | |
| CVE-2021-29418 | Medium | 5.3 | netmask-1.0.6.tgz | Transitive | 3.0.0 | |
| CVE-2021-27515 | Medium | 5.3 | url-parse-1.4.7.tgz | Transitive | 3.0.0 | |
| CVE-2022-0639 | Medium | 5.3 | url-parse-1.4.7.tgz | Transitive | 3.0.0 | |
| WS-2018-0076 | Medium | 5.1 | tunnel-agent-0.4.3.tgz | Transitive | 3.0.0 | |
| CVE-2020-28481 | Medium | 4.3 | socket.io-2.0.4.tgz | Transitive | 5.0.8 | |

*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

Partial details (21 vulnerabilities) are displayed below due to a content size limitation in GitHub. To view information on the remaining vulnerabilities, navigate to the Mend Application.

CVE-2021-23406

### Vulnerable Libraries - pac-resolver-3.0.0.tgz, degenerator-1.0.4.tgz

### pac-resolver-3.0.0.tgz

Generates an asynchronous resolver function from a PAC file

Library home page: https://registry.npmjs.org/pac-resolver/-/pac-resolver-3.0.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/pac-resolver/package.json

Dependency Hierarchy:
- karma-2.0.5.tgz (Root Library)
  - log4js-2.11.0.tgz
    - mailgun-js-0.18.1.tgz
      - proxy-agent-3.0.3.tgz
        - pac-proxy-agent-3.0.1.tgz
          - :x: **pac-resolver-3.0.0.tgz** (Vulnerable Library)

### degenerator-1.0.4.tgz

Turns sync functions into async generator functions

Library home page: https://registry.npmjs.org/degenerator/-/degenerator-1.0.4.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/degenerator/package.json

Dependency Hierarchy:
- karma-2.0.5.tgz (Root Library)
  - log4js-2.11.0.tgz
    - mailgun-js-0.18.1.tgz
      - proxy-agent-3.0.3.tgz
        - pac-proxy-agent-3.0.1.tgz
          - pac-resolver-3.0.0.tgz
            - :x: **degenerator-1.0.4.tgz** (Vulnerable Library)

Found in HEAD commit: eb47eeefc02a252a76628fec10a3c26aacb34024

Found in base branch: master

### Vulnerability Details

This affects the package pac-resolver before 5.0.0. This can occur when used with untrusted input, due to unsafe PAC file handling. **NOTE:** The fix for this vulnerability is applied in the node-degenerator library, a dependency written by the same maintainer.

Publish Date: 2021-08-24

URL: CVE-2021-23406

### CVSS 3 Score Details (9.8)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://github.com/advisories/GHSA-9j49-mfvp-vmhm

Release Date: 2021-08-24

Fix Resolution (pac-resolver): 5.0.0

Direct dependency fix Resolution (karma): 3.0.0

Fix Resolution (degenerator): 5.0.0

Direct dependency fix Resolution (karma): 3.0.0

In order to enable automatic remediation, please create workflow rules

CVE-2022-0691

### Vulnerable Library - url-parse-1.4.7.tgz

Small footprint URL parser that works seamlessly across Node.js and browser environments

Library home page: https://registry.npmjs.org/url-parse/-/url-parse-1.4.7.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:
- karma-2.0.5.tgz (Root Library)
  - log4js-2.11.0.tgz
    - amqplib-0.5.6.tgz
      - :x: **url-parse-1.4.7.tgz** (Vulnerable Library)

Found in HEAD commit: eb47eeefc02a252a76628fec10a3c26aacb34024

Found in base branch: master

### Vulnerability Details

Authorization Bypass Through User-Controlled Key in NPM url-parse prior to 1.5.9.

Publish Date: 2022-02-21

URL: CVE-2022-0691

### CVSS 3 Score Details (9.8)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0691

Release Date: 2022-02-21

Fix Resolution (url-parse): 1.5.9

Direct dependency fix Resolution (karma): 3.0.0

In order to enable automatic remediation, please create workflow rules

CVE-2022-2421

### Vulnerable Library - socket.io-parser-3.1.3.tgz

socket.io protocol parser

Library home page: https://registry.npmjs.org/socket.io-parser/-/socket.io-parser-3.1.3.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/socket.io-parser/package.json

Dependency Hierarchy:
- karma-2.0.5.tgz (Root Library)
  - socket.io-2.0.4.tgz
    - :x: **socket.io-parser-3.1.3.tgz** (Vulnerable Library)

Found in HEAD commit: eb47eeefc02a252a76628fec10a3c26aacb34024

Found in base branch: master

### Vulnerability Details

Due to improper type validation in attachment parsing the Socket.io js library, it is possible to overwrite the _placeholder object which allows an attacker to place references to functions at arbitrary places in the resulting query object.

Publish Date: 2022-10-26

URL: CVE-2022-2421

### CVSS 3 Score Details (9.8)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://github.com/advisories/GHSA-qm95-pgcg-qqfq

Release Date: 2022-10-26

Fix Resolution (socket.io-parser): 3.3.3

Direct dependency fix Resolution (karma): 5.0.8

In order to enable automatic remediation, please create workflow rules
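The CVE-2022-2421 entry above says the bug is improper type validation on the `_placeholder` marker during attachment parsing. The following is an added example (my own model of that bug class, not socket.io-parser's code): a decoder that splices attached buffers into a JSON body wherever it finds `{_placeholder: true, num: i}`, first with a truthiness-only check that lets a string `num` such as `"constructor"` pull a function reference off the buffers array, then with the marker type and index range enforced. The sample packets are constructed, and the specific checks in the hardened variant are this example's own, modelled on the fix the report points to.

```javascript
// Added example: a model of the attachment-reconstruction bug class described
// above, not socket.io-parser's own code. A binary packet's JSON body carries
// markers {_placeholder: true, num: i}; the decoder swaps each marker for the
// i-th attached buffer. Without type checks on the marker, `num` can be a
// string such as "constructor", and buffers["constructor"] (the Array
// function) is spliced into the decoded object in its place.

function reconstructUnsafe(data, buffers) {
  if (data === null || typeof data !== 'object') return data;
  if (data._placeholder) return buffers[data.num]; // truthiness only, no bounds check
  if (Array.isArray(data)) return data.map((d) => reconstructUnsafe(d, buffers));
  const out = {};
  for (const k of Object.keys(data)) out[k] = reconstructUnsafe(data[k], buffers);
  return out;
}

// Hardened variant (checks are this example's, modelled on the fix the report
// points to): the marker must be exactly `true` and `num` an in-range integer.
function reconstructSafe(data, buffers) {
  if (data === null || typeof data !== 'object') return data;
  if (Object.prototype.hasOwnProperty.call(data, '_placeholder')) {
    if (data._placeholder !== true) {
      throw new TypeError('_placeholder must be the boolean true');
    }
    if (!Number.isInteger(data.num) || data.num < 0 || data.num >= buffers.length) {
      throw new RangeError(`attachment index out of range: ${String(data.num)}`);
    }
    return buffers[data.num];
  }
  if (Array.isArray(data)) return data.map((d) => reconstructSafe(d, buffers));
  const out = {};
  for (const k of Object.keys(data)) out[k] = reconstructSafe(data[k], buffers);
  return out;
}

// Constructed sample packets (not captured traffic).
const attachments = [new Uint8Array([0x89, 0x50, 0x4e, 0x47])];
const benignBody = { query: { user: 'alice', avatar: { _placeholder: true, num: 0 } } };
const hostileBody = { query: { user: 'alice', cb: { _placeholder: true, num: 'constructor' } } };

function describe(decoded) {
  return Object.entries(decoded.query)
    .map(([k, v]) => `${k}=${v instanceof Uint8Array ? 'Uint8Array' : typeof v}`)
    .join(' ');
}

console.log('unsafe, benign :', describe(reconstructUnsafe(benignBody, attachments)));
console.log('unsafe, hostile:', describe(reconstructUnsafe(hostileBody, attachments))); // cb=function
console.log('safe,   benign :', describe(reconstructSafe(benignBody, attachments)));
try {
  reconstructSafe(hostileBody, attachments);
} catch (err) {
  console.log('safe,   hostile: rejected ->', err.message);
}
```

The hostile packet never needs a real attachment: the lookup `buffers['constructor']` walks the array's prototype chain, which is why a type check on `num` (not just a bounds check after coercion) is the right fix.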

CVE-2023-26136

### Vulnerable Library - tough-cookie-2.3.4.tgz

RFC6265 Cookies and Cookie Jar for node.js

Library home page: https://registry.npmjs.org/tough-cookie/-/tough-cookie-2.3.4.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/tough-cookie/package.json

Dependency Hierarchy:
- karma-2.0.5.tgz (Root Library)
  - log4js-2.11.0.tgz
    - loggly-1.1.1.tgz
      - request-2.75.0.tgz
        - :x: **tough-cookie-2.3.4.tgz** (Vulnerable Library)

Found in HEAD commit: eb47eeefc02a252a76628fec10a3c26aacb34024

Found in base branch: master

### Vulnerability Details

Versions of the package tough-cookie before 4.1.3 are vulnerable to Prototype Pollution due to improper handling of Cookies when using CookieJar in rejectPublicSuffixes=false mode. This issue arises from the manner in which the objects are initialized.

Publish Date: 2023-07-01

URL: CVE-2023-26136

### CVSS 3 Score Details (9.8)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2023-26136

Release Date: 2023-07-01

Fix Resolution (tough-cookie): 4.1.3

Direct dependency fix Resolution (karma): 3.0.0

In order to enable automatic remediation, please create workflow rules

CVE-2020-7769

### Vulnerable Library - nodemailer-2.7.2.tgz

Easy as cake e-mail sending from your Node.js applications

Library home page: https://registry.npmjs.org/nodemailer/-/nodemailer-2.7.2.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/nodemailer/package.json

Dependency Hierarchy:
- karma-2.0.5.tgz (Root Library)
  - log4js-2.11.0.tgz
    - :x: **nodemailer-2.7.2.tgz** (Vulnerable Library)

Found in HEAD commit: eb47eeefc02a252a76628fec10a3c26aacb34024

Found in base branch: master

### Vulnerability Details

This affects the package nodemailer before 6.4.16. Use of crafted recipient email addresses may result in arbitrary command flag injection in sendmail transport for sending mails.

Publish Date: 2020-11-12

URL: CVE-2020-7769

### CVSS 3 Score Details (9.8)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2020-7769

Release Date: 2020-11-12

Fix Resolution (nodemailer): 6.4.16

Direct dependency fix Resolution (karma): 3.0.0

In order to enable automatic remediation, please create workflow rules

WS-2020-0344

### Vulnerable Library - is-my-json-valid-2.20.0.tgz

A [JSONSchema](https://json-schema.org/) validator that uses code generation to be extremely fast.

Library home page: https://registry.npmjs.org/is-my-json-valid/-/is-my-json-valid-2.20.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/is-my-json-valid/package.json

Dependency Hierarchy:
- karma-2.0.5.tgz (Root Library)
  - log4js-2.11.0.tgz
    - loggly-1.1.1.tgz
      - request-2.75.0.tgz
        - har-validator-2.0.6.tgz
          - :x: **is-my-json-valid-2.20.0.tgz** (Vulnerable Library)

Found in HEAD commit: eb47eeefc02a252a76628fec10a3c26aacb34024

Found in base branch: master

### Vulnerability Details

Arbitrary Code Execution vulnerability was found in is-my-json-valid before 2.20.3 via the formatName function.

Publish Date: 2020-06-09

URL: WS-2020-0344

### CVSS 3 Score Details (9.8)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Release Date: 2020-06-09

Fix Resolution (is-my-json-valid): 2.20.3

Direct dependency fix Resolution (karma): 3.0.0

In order to enable automatic remediation, please create workflow rules

CVE-2021-44906

### Vulnerable Library - minimist-0.0.10.tgz

parse argument options

Library home page: https://registry.npmjs.org/minimist/-/minimist-0.0.10.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/optimist/node_modules/minimist/package.json,/app/compilers/react-compiler/node_modules/optimist/node_modules/minimist/package.json

Dependency Hierarchy:
- karma-2.0.5.tgz (Root Library)
  - optimist-0.6.1.tgz
    - :x: **minimist-0.0.10.tgz** (Vulnerable Library)

Found in HEAD commit: eb47eeefc02a252a76628fec10a3c26aacb34024

Found in base branch: master

### Vulnerability Details

Minimist <=1.2.5 is vulnerable to Prototype Pollution via file index.js, function setKey() (lines 69-95).

Publish Date: 2022-03-17

URL: CVE-2021-44906

### CVSS 3 Score Details (9.8)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://github.com/advisories/GHSA-xvch-5gv4-984h

Release Date: 2022-03-17

Fix Resolution (minimist): 0.2.4

Direct dependency fix Resolution (karma): 5.0.0

In order to enable automatic remediation, please create workflow rules
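Two entries in this report are prototype pollution through object initialization: CVE-2021-44906 above (minimist's `setKey()` walking a dotted key path from argv) and CVE-2023-26136 earlier (tough-cookie's cookie index keyed by an attacker-chosen `Domain` when `rejectPublicSuffixes=false`). The following is an added example, not either package's code: a minimal model of each shape next to a hardened version, with the attacker inputs constructed for the demonstration. The property names used for the pollution check are illustrative.

```javascript
// Added example, not minimist's or tough-cookie's code: models the two
// prototype-pollution shapes in this report and hardens each. Shape 1 walks a
// dotted key path from untrusted argv (minimist's setKey); shape 2 indexes a
// store by attacker-chosen domain and path (tough-cookie's cookie index).

const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Shape 1, vulnerable: "__proto__" is looked up on a plain object, so the walk
// lands on Object.prototype and the final assignment pollutes every object.
function setKeyUnsafe(obj, path, value) {
  const keys = path.split('.');
  let cur = obj;
  for (const k of keys.slice(0, -1)) {
    if (cur[k] === undefined) cur[k] = {};
    cur = cur[k];
  }
  cur[keys[keys.length - 1]] = value;
  return obj;
}

// Shape 1, hardened: refuse the three keys that reach the prototype chain and
// only descend into own properties, creating null-prototype containers.
function setKeySafe(obj, path, value) {
  const keys = path.split('.');
  if (keys.some((k) => FORBIDDEN_KEYS.has(k))) {
    throw new Error(`refusing to assign through key path "${path}"`);
  }
  let cur = obj;
  for (const k of keys.slice(0, -1)) {
    if (!Object.prototype.hasOwnProperty.call(cur, k)) cur[k] = Object.create(null);
    cur = cur[k];
  }
  cur[keys[keys.length - 1]] = value;
  return obj;
}

// Shape 2, vulnerable: idx["__proto__"] is Object.prototype, so a cookie whose
// Domain is "__proto__" writes its path bucket onto every object.
function storeCookieUnsafe(idx, domain, path, name, value) {
  if (!idx[domain]) idx[domain] = {};
  if (!idx[domain][path]) idx[domain][path] = {};
  idx[domain][path][name] = value;
  return idx;
}

// Shape 2, hardened: null-prototype objects at every level, so "__proto__" is
// just another own key with no special meaning.
function newCookieIndex() {
  return Object.create(null);
}
function storeCookieSafe(idx, domain, path, name, value) {
  if (!idx[domain]) idx[domain] = Object.create(null);
  if (!idx[domain][path]) idx[domain][path] = Object.create(null);
  idx[domain][path][name] = value;
  return idx;
}

// True when a fresh, unrelated object would see `prop` through its prototype.
function isPolluted(prop) {
  return Object.prototype.hasOwnProperty.call(Object.prototype, prop);
}
function cleanup(prop) {
  delete Object.prototype[prop];
}

// Constructed attacker inputs (illustrative names).
setKeyUnsafe({}, '__proto__.polluted', 'yes');
console.log('setKeyUnsafe polluted Object.prototype:', isPolluted('polluted'));
cleanup('polluted');

storeCookieUnsafe({}, '__proto__', '/notauth', 'session', 'x');
console.log('storeCookieUnsafe polluted Object.prototype:', isPolluted('/notauth'));
cleanup('/notauth');

try {
  setKeySafe({}, '__proto__.polluted', 'yes');
} catch (err) {
  console.log('setKeySafe rejected:', err.message);
}
const idx = storeCookieSafe(newCookieIndex(), '__proto__', '/notauth', 'session', 'x');
console.log('storeCookieSafe polluted Object.prototype:', isPolluted('/notauth'),
  '| value kept under an own key:', idx['__proto__']['/notauth'].session);
```

The hardened cookie store does not reject `__proto__` as a domain; it does not need to, because on a null-prototype object that string is an ordinary key. Rejecting the key list is the right choice for the argv case, where the key path is meant to name configuration and never a prototype.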

CVE-2021-31597

### Vulnerable Library - xmlhttprequest-ssl-1.5.5.tgz

XMLHttpRequest for Node

Library home page: https://registry.npmjs.org/xmlhttprequest-ssl/-/xmlhttprequest-ssl-1.5.5.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/xmlhttprequest-ssl/package.json

Dependency Hierarchy:
- karma-2.0.5.tgz (Root Library)
  - socket.io-2.0.4.tgz
    - socket.io-client-2.0.4.tgz
      - engine.io-client-3.1.6.tgz
        - :x: **xmlhttprequest-ssl-1.5.5.tgz** (Vulnerable Library)

Found in HEAD commit: eb47eeefc02a252a76628fec10a3c26aacb34024

Found in base branch: master

### Vulnerability Details

The xmlhttprequest-ssl package before 1.6.1 for Node.js disables SSL certificate validation by default, because rejectUnauthorized (when the property exists but is undefined) is considered to be false within the https.request function of Node.js. In other words, no certificate is ever rejected.

Publish Date: 2021-04-23

URL: CVE-2021-31597

### CVSS 3 Score Details (9.4)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: Low

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-31597

Release Date: 2021-04-23

Fix Resolution (xmlhttprequest-ssl): 1.6.1

Direct dependency fix Resolution (karma): 5.0.8

In order to enable automatic remediation, please create workflow rules

CVE-2021-28918

### Vulnerable Library - netmask-1.0.6.tgz

Parse and lookup IP network blocks

Library home page: https://registry.npmjs.org/netmask/-/netmask-1.0.6.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/netmask/package.json

Dependency Hierarchy:
- karma-2.0.5.tgz (Root Library)
  - log4js-2.11.0.tgz
    - mailgun-js-0.18.1.tgz
      - proxy-agent-3.0.3.tgz
        - pac-proxy-agent-3.0.1.tgz
          - pac-resolver-3.0.0.tgz
            - :x: **netmask-1.0.6.tgz** (Vulnerable Library)

Found in HEAD commit: eb47eeefc02a252a76628fec10a3c26aacb34024

Found in base branch: master

### Vulnerability Details

Improper input validation of octal strings in netmask npm package v1.0.6 and below allows unauthenticated remote attackers to perform indeterminate SSRF, RFI, and LFI attacks on many of the dependent packages. A remote unauthenticated attacker can bypass packages relying on netmask to filter IPs and reach critical VPN or LAN hosts.

Publish Date: 2021-04-01

URL: CVE-2021-28918

### CVSS 3 Score Details (9.1)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: None

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://github.com/advisories/GHSA-pch5-whg9-qr2r

Release Date: 2021-04-01

Fix Resolution (netmask): 2.0.1

Direct dependency fix Resolution (karma): 3.0.0

In order to enable automatic remediation, please create workflow rules
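The CVE-2021-28918 entry above describes the failure mode in one sentence: an IP filter that mis-parses octal strings lets a remote host reach addresses the filter was meant to block. The following is an added example, not the netmask package's code: three parsers for a dotted IPv4 string (a lenient `parseInt` one of the kind a filter might use, one that follows `inet_aton` rules including octal, hex and short forms, and a strict one that only accepts four plain decimal octets), run through the same private-range check. It goes slightly beyond the report by also covering the hex and short forms `inet_aton` accepts; the sample strings are constructed.

```javascript
// Added example, not the netmask package's code: models the octal-string bug
// class in this report. An allow/deny filter that parses dotted quads
// leniently disagrees with the inet_aton rules the resolver applies, so
// "0177.0.0.1" is judged to be 177.0.0.1 (public, allowed) while the
// connection actually goes to 127.0.0.1.

// C-style component parsing as inet_aton does it: 0x.. hex, leading 0 octal,
// otherwise decimal; 1 to 4 components, the last one filling the remaining bytes.
function parseCNumber(p) {
  let m;
  if ((m = /^0[xX]([0-9a-fA-F]+)$/.exec(p))) return parseInt(m[1], 16);
  if ((m = /^0([0-7]*)$/.exec(p))) return m[1] === '' ? 0 : parseInt(m[1], 8);
  if (/^[1-9][0-9]*$/.test(p)) return parseInt(p, 10);
  return null;
}

function parseIPv4InetAton(s) {
  const parts = s.split('.');
  if (parts.length < 1 || parts.length > 4) return null;
  const nums = parts.map(parseCNumber);
  if (nums.some((n) => n === null)) return null;
  const lastBytes = 5 - nums.length; // bytes covered by the final component
  const last = nums[nums.length - 1];
  if (last >= 2 ** (8 * lastBytes)) return null;
  let val = 0;
  for (let i = 0; i < nums.length - 1; i++) {
    if (nums[i] > 255) return null;
    val = val * 256 + nums[i];
  }
  return (val * 2 ** (8 * lastBytes) + last) >>> 0;
}

// Lenient parser of the kind a filter library might use: parseInt(p, 10)
// silently reads "0177" as decimal 177.
function parseIPv4Lenient(s) {
  const parts = s.split('.');
  if (parts.length !== 4) return null;
  const octets = parts.map((p) => parseInt(p, 10));
  if (octets.some((o) => !Number.isInteger(o) || o < 0 || o > 255)) return null;
  return octets.reduce((acc, o) => acc * 256 + o, 0) >>> 0;
}

// Strict parser for filter input: exactly four decimal octets, no leading
// zeros, no hex, no short forms. Anything else is rejected rather than guessed.
function parseIPv4Strict(s) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(s);
  if (!m) return null;
  const octets = [];
  for (const p of m.slice(1)) {
    if (p.length > 1 && p[0] === '0') return null; // "01", "0177": ambiguous
    const o = Number(p);
    if (o > 255) return null;
    octets.push(o);
  }
  return octets.reduce((acc, o) => acc * 256 + o, 0) >>> 0;
}

function inCidr(addr, base, bits) {
  const mask = bits === 0 ? 0 : (0xffffffff << (32 - bits)) >>> 0;
  return ((addr & mask) >>> 0) === ((base & mask) >>> 0);
}
const BLOCKED = [
  [0x7f000000, 8],  // 127.0.0.0/8 loopback
  [0x0a000000, 8],  // 10.0.0.0/8
  [0xac100000, 12], // 172.16.0.0/12
  [0xc0a80000, 16], // 192.168.0.0/16
  [0xa9fe0000, 16], // 169.254.0.0/16 link-local
];
function isLoopbackOrPrivate(addr) {
  return BLOCKED.some(([base, bits]) => inCidr(addr, base, bits));
}
function toDotted(addr) {
  return [24, 16, 8, 0].map((sh) => (addr >>> sh) & 0xff).join('.');
}
// Filter decision for a user-supplied host string under a given parser.
function decide(s, parse) {
  const addr = parse(s);
  if (addr === null) return 'invalid';
  return isLoopbackOrPrivate(addr) ? 'blocked' : 'allowed';
}

// Constructed sample inputs.
for (const s of ['0177.0.0.1', '0x7f.1', '127.1', '127.0.0.1', '8.8.8.8']) {
  const real = parseIPv4InetAton(s);
  console.log(
    s.padEnd(11),
    'lenient:', decide(s, parseIPv4Lenient).padEnd(8),
    'strict:', decide(s, parseIPv4Strict).padEnd(8),
    'resolver would use:', real === null ? 'n/a' : toDotted(real),
  );
}
```

The point of the strict parser is not to out-guess `inet_aton` but to refuse to guess: a filter that accepts only the canonical form cannot be made to disagree with whatever the socket layer does with the non-canonical one.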

CVE-2022-0686

### Vulnerable Library - url-parse-1.4.7.tgz

Small footprint URL parser that works seamlessly across Node.js and browser environments

Library home page: https://registry.npmjs.org/url-parse/-/url-parse-1.4.7.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:
- karma-2.0.5.tgz (Root Library)
  - log4js-2.11.0.tgz
    - amqplib-0.5.6.tgz
      - :x: **url-parse-1.4.7.tgz** (Vulnerable Library)

Found in HEAD commit: eb47eeefc02a252a76628fec10a3c26aacb34024

Found in base branch: master

### Vulnerability Details

Authorization Bypass Through User-Controlled Key in NPM url-parse prior to 1.5.8.

Publish Date: 2022-02-20

URL: CVE-2022-0686

### CVSS 3 Score Details (9.1)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: None

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0686

Release Date: 2022-02-20

Fix Resolution (url-parse): 1.5.8

Direct dependency fix Resolution (karma): 3.0.0

In order to enable automatic remediation, please create workflow rules

CVE-2021-23400

### Vulnerable Library - nodemailer-2.7.2.tgz

Easy as cake e-mail sending from your Node.js applications

Library home page: https://registry.npmjs.org/nodemailer/-/nodemailer-2.7.2.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/nodemailer/package.json

Dependency Hierarchy:
- karma-2.0.5.tgz (Root Library)
  - log4js-2.11.0.tgz
    - :x: **nodemailer-2.7.2.tgz** (Vulnerable Library)

Found in HEAD commit: eb47eeefc02a252a76628fec10a3c26aacb34024

Found in base branch: master

### Vulnerability Details

The package nodemailer before 6.6.1 is vulnerable to HTTP Header Injection if unsanitized user input that may contain newlines and carriage returns is passed into an address object.

Publish Date: 2021-06-29

URL: CVE-2021-23400

### CVSS 3 Score Details (8.8)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: Required
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23400

Release Date: 2021-06-29

Fix Resolution (nodemailer): 6.6.1

Direct dependency fix Resolution (karma): 3.0.0

In order to enable automatic remediation, please create workflow rules
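Both nodemailer findings in this report (CVE-2020-7769 earlier, where a crafted recipient address becomes a command flag in the sendmail transport, and CVE-2021-23400 above, where CR/LF in an address object becomes a header line) are the same mistake at two sinks: an address string reaches argv or a header without being checked for the characters that have meaning there. The following is an added example, not nodemailer's code: the two unsafe sinks beside one validator that both of them call. The argv layout `-i -f <from> <recipients>` is an assumption for illustration, the inputs are constructed, and nothing is executed.

```javascript
// Added example, not nodemailer's own code: models the two address-handling
// bugs in this report side by side. Leading "-" in a recipient reaches the
// sendmail argv as an option (CVE-2020-7769); CR/LF inside an address object
// reaches the message header as a new line (CVE-2021-23400). The argv layout
// here ("-i -f <from> <recipients>") is an assumption for illustration, and
// nothing is executed.

function buildSendmailArgvUnsafe(sendmailPath, from, recipients) {
  return [sendmailPath, '-i', '-f', from, ...recipients];
}

// Reject the two shapes the report describes before either sink sees them.
function validateAddress(addr) {
  if (typeof addr !== 'string' || addr.length === 0) {
    throw new TypeError('address must be a non-empty string');
  }
  if (/[\r\n]/.test(addr)) {
    throw new Error(`CR/LF not allowed in address: ${JSON.stringify(addr)}`);
  }
  if (addr.startsWith('-')) {
    throw new Error(`address may not start with "-": ${addr}`);
  }
  // Minimal shape check: one "@", non-empty sides, no whitespace or angle brackets.
  if (!/^[^\s@<>]+@[^\s@<>]+$/.test(addr)) {
    throw new Error(`malformed address: ${addr}`);
  }
  return addr;
}

function buildSendmailArgvSafe(sendmailPath, from, recipients) {
  const safeFrom = validateAddress(from);
  const safeTo = recipients.map(validateAddress);
  // "--" ends option parsing in getopt-based sendmail binaries, a second line
  // of defence if validation is ever bypassed.
  return [sendmailPath, '-i', '-f', safeFrom, '--', ...safeTo];
}

// Any element in the recipient positions that looks like an option.
function argvHasInjectedOption(argv) {
  return argv.slice(4).some((a) => a.startsWith('-') && a !== '--');
}

function formatAddressHeaderUnsafe(field, entries) {
  const list = entries.map((e) => (e.name ? `${e.name} <${e.address}>` : e.address));
  return `${field}: ${list.join(', ')}\r\n`;
}

function formatAddressHeaderSafe(field, entries) {
  const list = entries.map((e) => {
    const address = validateAddress(e.address);
    if (!e.name) return address;
    if (/[\r\n]/.test(e.name)) throw new Error('CR/LF not allowed in display name');
    // Quote the display name so "," ";" or "<" in it cannot restructure the field.
    return `"${e.name.replace(/["\\]/g, '\\$&')}" <${address}>`;
  });
  return `${field}: ${list.join(', ')}\r\n`;
}

function countHeaderLines(raw) {
  return raw.split('\r\n').filter((l) => l.length > 0).length;
}

// Constructed inputs.
const hostileRecipient = '-o@attacker.example';
const hostileEntry = { name: 'Bob', address: 'bob@example.com\r\nBcc: eve@attacker.example' };

const argv = buildSendmailArgvUnsafe('/usr/sbin/sendmail', 'app@example.com',
  ['alice@example.com', hostileRecipient]);
console.log('unsafe argv:', argv.join(' '), '| option injected:', argvHasInjectedOption(argv));
try {
  buildSendmailArgvSafe('/usr/sbin/sendmail', 'app@example.com', ['alice@example.com', hostileRecipient]);
} catch (err) {
  console.log('safe argv rejected:', err.message);
}

const header = formatAddressHeaderUnsafe('To', [hostileEntry]);
console.log('unsafe header lines:', countHeaderLines(header), JSON.stringify(header));
try {
  formatAddressHeaderSafe('To', [hostileEntry]);
} catch (err) {
  console.log('safe header rejected:', err.message);
}
```

Validation at the boundary is the fix the report's version bumps deliver; the `--` separator and the quoted display name are belt-and-braces at the sinks, useful because the address object usually travels through several layers before reaching either one.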

CVE-2020-28502

### Vulnerable Library - xmlhttprequest-ssl-1.5.5.tgz

XMLHttpRequest for Node

Library home page: https://registry.npmjs.org/xmlhttprequest-ssl/-/xmlhttprequest-ssl-1.5.5.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/xmlhttprequest-ssl/package.json

Dependency Hierarchy:
- karma-2.0.5.tgz (Root Library)
  - socket.io-2.0.4.tgz
    - socket.io-client-2.0.4.tgz
      - engine.io-client-3.1.6.tgz
        - :x: **xmlhttprequest-ssl-1.5.5.tgz** (Vulnerable Library)

Found in HEAD commit: eb47eeefc02a252a76628fec10a3c26aacb34024

Found in base branch: master

### Vulnerability Details

This affects the package xmlhttprequest before 1.7.0; all versions of package xmlhttprequest-ssl. Provided requests are sent synchronously (async=False on xhr.open), malicious user input flowing into xhr.send could result in arbitrary code being injected and run.

Publish Date: 2021-03-05

URL: CVE-2020-28502

### CVSS 3 Score Details (8.1)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: High
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://github.com/advisories/GHSA-h4j5-c7cj-74xg

Release Date: 2021-03-05

Fix Resolution (xmlhttprequest-ssl): 1.6.1

Direct dependency fix Resolution (karma): 5.0.8

In order to enable automatic remediation, please create workflow rules

WS-2020-0443

### Vulnerable Library - socket.io-2.0.4.tgz

node.js realtime framework server

Library home page: https://registry.npmjs.org/socket.io/-/socket.io-2.0.4.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/socket.io/package.json

Dependency Hierarchy:
- karma-2.0.5.tgz (Root Library)
  - :x: **socket.io-2.0.4.tgz** (Vulnerable Library)

Found in HEAD commit: eb47eeefc02a252a76628fec10a3c26aacb34024

Found in base branch: master

### Vulnerability Details

socket.io versions 1.0.0 to 2.3.0 are vulnerable to Cross-Site WebSocket Hijacking: an attacker can bypass origin protection using special symbols, including "`" and "$".

Publish Date: 2020-02-20

URL: WS-2020-0443

### CVSS 3 Score Details (8.1)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: Required
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: None

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://hackerone.com/reports/931197

Release Date: 2020-02-20

Fix Resolution (socket.io): 2.4.0

Direct dependency fix Resolution (karma): 5.0.8

In order to enable automatic remediation, please create workflow rules

CVE-2020-28469

### Vulnerable Library - glob-parent-3.1.0.tgz

Strips glob magic from a string to provide the parent directory path

Library home page: https://registry.npmjs.org/glob-parent/-/glob-parent-3.1.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/karma/node_modules/glob-parent/package.json

Dependency Hierarchy:
- karma-2.0.5.tgz (Root Library)
  - chokidar-2.1.8.tgz
    - :x: **glob-parent-3.1.0.tgz** (Vulnerable Library)

Found in HEAD commit: eb47eeefc02a252a76628fec10a3c26aacb34024

Found in base branch: master

### Vulnerability Details

This affects the package glob-parent before 5.1.2. The enclosure regex is used to check for strings ending in an enclosure containing a path separator.

Publish Date: 2021-06-03

URL: CVE-2020-28469

### CVSS 3 Score Details (7.5)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28469

Release Date: 2021-06-03

Fix Resolution (glob-parent): 5.1.2

Direct dependency fix Resolution (karma): 4.2.0

In order to enable automatic remediation, please create workflow rules

CVE-2022-0654

### Vulnerable Library - requestretry-1.13.0.tgz

request-retry wrap nodejs request to retry http(s) requests in case of error

Library home page: https://registry.npmjs.org/requestretry/-/requestretry-1.13.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/requestretry/package.json

Dependency Hierarchy:
- karma-2.0.5.tgz (Root Library)
  - log4js-2.11.0.tgz
    - slack-node-0.2.0.tgz
      - :x: **requestretry-1.13.0.tgz** (Vulnerable Library)

Found in HEAD commit: eb47eeefc02a252a76628fec10a3c26aacb34024

Found in base branch: master

### Vulnerability Details

Exposure of Sensitive Information to an Unauthorized Actor in GitHub repository fgribreau/node-request-retry prior to 7.0.0.

Publish Date: 2022-02-23

URL: CVE-2022-0654

### CVSS 3 Score Details (7.5)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: None
  - Availability Impact: None

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0654

Release Date: 2022-02-23

Fix Resolution (requestretry): 7.0.0

Direct dependency fix Resolution (karma): 3.0.0

In order to enable automatic remediation, please create workflow rules

CVE-2017-16115

### Vulnerable Library - timespan-2.3.0.tgz

A JavaScript TimeSpan library for node.js (and soon the browser)

Library home page: https://registry.npmjs.org/timespan/-/timespan-2.3.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/timespan/package.json

Dependency Hierarchy:
- karma-2.0.5.tgz (Root Library)
  - log4js-2.11.0.tgz
    - loggly-1.1.1.tgz
      - :x: **timespan-2.3.0.tgz** (Vulnerable Library)

Found in HEAD commit: eb47eeefc02a252a76628fec10a3c26aacb34024

Found in base branch: master

### Vulnerability Details

The timespan module is vulnerable to regular expression denial of service. Given 50k characters of untrusted user input it will block the event loop for around 10 seconds.

Publish Date: 2018-06-07

URL: CVE-2017-16115

### CVSS 3 Score Details (7.5)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High

For more information on CVSS3 Scores, click here.

CVE-2021-3749

### Vulnerable Library - axios-0.15.3.tgz

Promise based HTTP client for the browser and node.js

Library home page: https://registry.npmjs.org/axios/-/axios-0.15.3.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/axios/package.json

Dependency Hierarchy:
- karma-2.0.5.tgz (Root Library)
  - log4js-2.11.0.tgz
    - :x: **axios-0.15.3.tgz** (Vulnerable Library)

Found in HEAD commit: eb47eeefc02a252a76628fec10a3c26aacb34024

Found in base branch: master

### Vulnerability Details

axios is vulnerable to Inefficient Regular Expression Complexity

Publish Date: 2021-08-31

URL: CVE-2021-3749

### CVSS 3 Score Details (7.5)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://huntr.dev/bounties/1e8f07fc-c384-4ff9-8498-0690de2e8c31/

Release Date: 2021-08-31

Fix Resolution (axios): 0.18.1

Direct dependency fix Resolution (karma): 3.0.0

In order to enable automatic remediation, please create workflow rules

CVE-2022-29167

### Vulnerable Library - hawk-3.1.3.tgz

HTTP Hawk Authentication Scheme

Library home page: https://registry.npmjs.org/hawk/-/hawk-3.1.3.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/hawk/package.json

Dependency Hierarchy:
- karma-2.0.5.tgz (Root Library)
  - log4js-2.11.0.tgz
    - loggly-1.1.1.tgz
      - request-2.75.0.tgz
        - :x: **hawk-3.1.3.tgz** (Vulnerable Library)

Found in HEAD commit: eb47eeefc02a252a76628fec10a3c26aacb34024

Found in base branch: master

### Vulnerability Details

Hawk is an HTTP authentication scheme providing mechanisms for making authenticated HTTP requests with partial cryptographic verification of the request and response, covering the HTTP method, request URI, host, and optionally the request payload. Hawk used a regular expression to parse `Host` HTTP header (`Hawk.utils.parseHost()`), which was subject to regular expression DoS attack - meaning each added character in the attacker's input increases the computation time exponentially. `parseHost()` was patched in `9.0.1` to use built-in `URL` class to parse hostname instead. `Hawk.authenticate()` accepts `options` argument. If that contains `host` and `port`, those would be used instead of a call to `utils.parseHost()`.

Publish Date: 2022-05-05

URL: CVE-2022-29167

### CVSS 3 Score Details (7.5)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://github.com/mozilla/hawk/security/advisories/GHSA-44pw-h2cw-w3vq

Release Date: 2022-05-05

Fix Resolution (hawk): 9.0.1

Direct dependency fix Resolution (karma): 3.0.0

In order to enable automatic remediation, please create workflow rules
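Four of the High findings in this report are the same bug class, regular expression denial of service: glob-parent (CVE-2020-28469), timespan (CVE-2017-16115), axios (CVE-2021-3749) and hawk (CVE-2022-29167) above. The following is an added example, not any of those packages' code. It shows the quadratic trailing-whitespace pattern the public advisory for CVE-2021-3749 cites for axios' `trim` helper (the exact regex is quoted from memory and should be treated as an assumption), a linear replacement, a `Host` header parser built on the `URL` class as the hawk entry describes for 9.0.1, and a timing probe on constructed input so the growth can be observed rather than argued about.

```javascript
// Added example, not axios', hawk's, timespan's or glob-parent's own code.
// Demonstrates the ReDoS class behind four findings in this report.

// Quadratic: for input "x" + n spaces + "y", /\s*$/ greedily eats the run from
// every start position inside it and then fails at "y", so total work is ~n^2/2.
// (Regex pattern taken from the public advisory for axios' trim helper; assumed.)
function trimQuadratic(str) {
  return str.replace(/^\s*/, '').replace(/\s*$/, '');
}

// Linear: the built-in scans each end once with no backtracking.
function trimLinear(str) {
  return str.trim();
}

// Host header parsing without a hand-written regex. The pre-check rejects
// characters a Host value cannot contain so userinfo or path tricks never
// reach the URL parser; the URL class then validates host and port syntax.
function parseHost(hostHeader, defaultPort = 80) {
  if (typeof hostHeader !== 'string' || hostHeader.length === 0 ||
      hostHeader.length > 255 || /[\s/?#@\\]/.test(hostHeader)) {
    return null;
  }
  let u;
  try {
    u = new URL(`http://${hostHeader}/`);
  } catch {
    return null; // bad port, bad IPv6 literal, etc.
  }
  if (u.hostname === '' || u.username !== '' || u.pathname !== '/') return null;
  return { host: u.hostname, port: u.port === '' ? defaultPort : Number(u.port) };
}

// Timing probe: wall-clock milliseconds for one call.
function timeMs(fn, input) {
  const t0 = performance.now();
  fn(input);
  return performance.now() - t0;
}

// Ratio of cost at 2n to cost at n. Near 2 means linear, near 4 means quadratic.
function growthRatio(fn, n) {
  const small = 'x' + ' '.repeat(n) + 'y';     // constructed worst case
  const large = 'x' + ' '.repeat(2 * n) + 'y';
  const tSmall = Math.max(timeMs(fn, small), 1e-3);
  return timeMs(fn, large) / tSmall;
}

console.log('trim results equal:', trimQuadratic('\t  a b \r\n') === trimLinear('\t  a b \r\n'));
console.log('growth ratio, quadratic trim (n=6000):', growthRatio(trimQuadratic, 6000).toFixed(1));
console.log('growth ratio, linear trim    (n=6000):', growthRatio(trimLinear, 6000).toFixed(1));
console.log('parseHost("example.com:8080") ->', parseHost('example.com:8080'));
console.log('parseHost("[::1]:443")        ->', parseHost('[::1]:443'));
console.log('parseHost("user@example.com") ->', parseHost('user@example.com'));
console.log('parseHost("example.com:99999") ->', parseHost('example.com:99999'));
```

The ratios from the probe are noisy at small sizes and depend on the engine, so the example prints them rather than asserting on them; the stable check is that the two trims agree on the same inputs, which is what lets the linear one replace the quadratic one. The same approach (a single pass or a library parser instead of a backtracking regex) is the shape of the fix for the timespan and glob-parent entries as well.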

WS-2018-0650

### Vulnerable Library - useragent-2.2.1.tgz

Fastest, most accurate & efficient user agent string parser, uses Browserscope's research for parsing

Library home page: https://registry.npmjs.org/useragent/-/useragent-2.2.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/useragent/package.json

Dependency Hierarchy:
- karma-2.0.5.tgz (Root Library)
  - :x: **useragent-2.2.1.tgz** (Vulnerable Library)

Found in HEAD commit: eb47eeefc02a252a76628fec10a3c26aacb34024

Found in base branch: master

### Vulnerability Details

Regular Expression Denial of Service (ReDoS) vulnerability was found in useragent through 2.3.0.

Publish Date: 2018-02-27

URL: WS-2018-0650

### CVSS 3 Score Details (7.5)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/WS-2018-0650

Release Date: 2018-02-27

Fix Resolution: NorDroN.AngularTemplate - 0.1.6;dotnetng.template - 1.0.0.4;JetBrains.Rider.Frontend5 - 213.0.20211008.154703-eap03;MIDIator.WebClient - 1.0.105

## CVE-2020-36048

### Vulnerable Library - engine.io-3.1.5.tgz

The realtime engine behind Socket.IO. Provides the foundation of a bidirectional connection between client and server

Library home page: https://registry.npmjs.org/engine.io/-/engine.io-3.1.5.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/engine.io/package.json

Dependency Hierarchy:

- karma-2.0.5.tgz (Root Library)
  - socket.io-2.0.4.tgz
    - :x: **engine.io-3.1.5.tgz** (Vulnerable Library)

Found in HEAD commit: eb47eeefc02a252a76628fec10a3c26aacb34024

Found in base branch: master

### Vulnerability Details

Engine.IO before 4.0.0 allows attackers to cause a denial of service (resource consumption) via a POST request to the long polling transport.

Publish Date: 2021-01-08

URL: CVE-2020-36048

### CVSS 3 Score Details (7.5)

Base Score Metrics:

- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-36048

Release Date: 2021-01-08

Fix Resolution (engine.io): 3.6.0

Direct dependency fix Resolution (karma): 5.0.8

In order to enable automatic remediation, please create workflow rules

## WS-2020-0342

### Vulnerable Library - is-my-json-valid-2.20.0.tgz

A [JSONSchema](https://json-schema.org/) validator that uses code generation to be extremely fast.

Library home page: https://registry.npmjs.org/is-my-json-valid/-/is-my-json-valid-2.20.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/is-my-json-valid/package.json

Dependency Hierarchy:

- karma-2.0.5.tgz (Root Library)
  - log4js-2.11.0.tgz
    - loggly-1.1.1.tgz
      - request-2.75.0.tgz
        - har-validator-2.0.6.tgz
          - :x: **is-my-json-valid-2.20.0.tgz** (Vulnerable Library)

Found in HEAD commit: eb47eeefc02a252a76628fec10a3c26aacb34024

Found in base branch: master

### Vulnerability Details

A Regular Expression Denial of Service (ReDoS) vulnerability was found in is-my-json-valid before 2.20.2 via the style format.

Publish Date: 2020-06-27

URL: WS-2020-0342

### CVSS 3 Score Details (7.5)

Base Score Metrics:

- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Release Date: 2020-06-27

Fix Resolution (is-my-json-valid): 2.20.2

Direct dependency fix Resolution (karma): 3.0.0

In order to enable automatic remediation, please create workflow rules


In order to enable automatic remediation for this issue, please create workflow rules

mend-for-github-com[bot] commented 1 year ago

:heavy_check_mark: This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory.

mend-for-github-com[bot] commented 1 year ago

:information_source: This issue was automatically re-opened by Mend because the vulnerable library in the specific branch(es) has been detected in the Mend inventory.

mend-for-github-com[bot] commented 7 months ago

:heavy_check_mark: This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory.

mend-for-github-com[bot] commented 7 months ago

:information_source: This issue was automatically re-opened by Mend because the vulnerable library in the specific branch(es) has been detected in the Mend inventory.

mend-for-github-com[bot] commented 7 months ago

:heavy_check_mark: This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory.