Closed mend-for-github-com[bot] closed 7 months ago
:heavy_check_mark: This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory.
:information_source: This issue was automatically re-opened by Mend because the vulnerable library in the specific branch(es) has been detected in the Mend inventory.
:heavy_check_mark: This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory.
:information_source: This issue was automatically re-opened by Mend because the vulnerable library in the specific branch(es) has been detected in the Mend inventory.
:heavy_check_mark: This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory.
Vulnerable Library - karma-2.0.5.tgz
Spectacular Test Runner for JavaScript.
Library home page: https://registry.npmjs.org/karma/-/karma-2.0.5.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/karma/package.json
Found in HEAD commit: eb47eeefc02a252a76628fec10a3c26aacb34024
Vulnerabilities
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
CVE-2021-23406
### Vulnerable Libraries - pac-resolver-3.0.0.tgz, degenerator-1.0.4.tgz
### pac-resolver-3.0.0.tgz
Generates an asynchronous resolver function from a PAC file
Library home page: https://registry.npmjs.org/pac-resolver/-/pac-resolver-3.0.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/pac-resolver/package.json
Dependency Hierarchy:
- karma-2.0.5.tgz (Root Library)
  - log4js-2.11.0.tgz
    - mailgun-js-0.18.1.tgz
      - proxy-agent-3.0.3.tgz
        - pac-proxy-agent-3.0.1.tgz
          - :x: **pac-resolver-3.0.0.tgz** (Vulnerable Library)
### degenerator-1.0.4.tgz
Turns sync functions into async generator functions
Library home page: https://registry.npmjs.org/degenerator/-/degenerator-1.0.4.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/degenerator/package.json
Dependency Hierarchy:
- karma-2.0.5.tgz (Root Library)
  - log4js-2.11.0.tgz
    - mailgun-js-0.18.1.tgz
      - proxy-agent-3.0.3.tgz
        - pac-proxy-agent-3.0.1.tgz
          - pac-resolver-3.0.0.tgz
            - :x: **degenerator-1.0.4.tgz** (Vulnerable Library)
Found in HEAD commit: eb47eeefc02a252a76628fec10a3c26aacb34024
Found in base branch: master
### Vulnerability Details
This affects the package pac-resolver before 5.0.0. This can occur when used with untrusted input, due to unsafe PAC file handling. **NOTE:** The fix for this vulnerability is applied in the node-degenerator library, a dependency written by the same maintainer.
Publish Date: 2021-08-24
URL: CVE-2021-23406
### CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High
For more information on CVSS3 Scores, click here.
### Suggested Fix
Type: Upgrade version
Origin: https://github.com/advisories/GHSA-9j49-mfvp-vmhm
Release Date: 2021-08-24
Fix Resolution (pac-resolver): 5.0.0
Direct dependency fix Resolution (karma): 3.0.0
Fix Resolution (degenerator): 5.0.0
Direct dependency fix Resolution (karma): 3.0.0
In order to enable automatic remediation, please create workflow rules
CVE-2022-0691
### Vulnerable Library - url-parse-1.4.7.tgz
Small footprint URL parser that works seamlessly across Node.js and browser environments
Library home page: https://registry.npmjs.org/url-parse/-/url-parse-1.4.7.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- karma-2.0.5.tgz (Root Library)
  - log4js-2.11.0.tgz
    - amqplib-0.5.6.tgz
      - :x: **url-parse-1.4.7.tgz** (Vulnerable Library)
Found in HEAD commit: eb47eeefc02a252a76628fec10a3c26aacb34024
Found in base branch: master
### Vulnerability Details
Authorization Bypass Through User-Controlled Key in NPM url-parse prior to 1.5.9.
Publish Date: 2022-02-21
URL: CVE-2022-0691
### CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High
For more information on CVSS3 Scores, click here.
### Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0691
Release Date: 2022-02-21
Fix Resolution (url-parse): 1.5.9
Direct dependency fix Resolution (karma): 3.0.0
In order to enable automatic remediation, please create workflow rules
CVE-2022-2421
### Vulnerable Library - socket.io-parser-3.1.3.tgz
socket.io protocol parser
Library home page: https://registry.npmjs.org/socket.io-parser/-/socket.io-parser-3.1.3.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/socket.io-parser/package.json
Dependency Hierarchy:
- karma-2.0.5.tgz (Root Library)
  - socket.io-2.0.4.tgz
    - :x: **socket.io-parser-3.1.3.tgz** (Vulnerable Library)
Found in HEAD commit: eb47eeefc02a252a76628fec10a3c26aacb34024
Found in base branch: master
### Vulnerability Details
Due to improper type validation in attachment parsing in the Socket.io js library, it is possible to overwrite the _placeholder object, which allows an attacker to place references to functions at arbitrary places in the resulting query object.
Publish Date: 2022-10-26
URL: CVE-2022-2421
### CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High
For more information on CVSS3 Scores, click here.
### Suggested Fix
Type: Upgrade version
Origin: https://github.com/advisories/GHSA-qm95-pgcg-qqfq
Release Date: 2022-10-26
Fix Resolution (socket.io-parser): 3.3.3
Direct dependency fix Resolution (karma): 5.0.8
In order to enable automatic remediation, please create workflow rules
CVE-2023-26136
### Vulnerable Library - tough-cookie-2.3.4.tgz
RFC6265 Cookies and Cookie Jar for node.js
Library home page: https://registry.npmjs.org/tough-cookie/-/tough-cookie-2.3.4.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/tough-cookie/package.json
Dependency Hierarchy:
- karma-2.0.5.tgz (Root Library)
  - log4js-2.11.0.tgz
    - loggly-1.1.1.tgz
      - request-2.75.0.tgz
        - :x: **tough-cookie-2.3.4.tgz** (Vulnerable Library)
Found in HEAD commit: eb47eeefc02a252a76628fec10a3c26aacb34024
Found in base branch: master
### Vulnerability Details
Versions of the package tough-cookie before 4.1.3 are vulnerable to Prototype Pollution due to improper handling of Cookies when using CookieJar in rejectPublicSuffixes=false mode. This issue arises from the manner in which the objects are initialized.
Publish Date: 2023-07-01
URL: CVE-2023-26136
### CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High
For more information on CVSS3 Scores, click here.
### Suggested Fix
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2023-26136
Release Date: 2023-07-01
Fix Resolution (tough-cookie): 4.1.3
Direct dependency fix Resolution (karma): 3.0.0
In order to enable automatic remediation, please create workflow rules
CVE-2020-7769
### Vulnerable Library - nodemailer-2.7.2.tgz
Easy as cake e-mail sending from your Node.js applications
Library home page: https://registry.npmjs.org/nodemailer/-/nodemailer-2.7.2.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/nodemailer/package.json
Dependency Hierarchy:
- karma-2.0.5.tgz (Root Library)
  - log4js-2.11.0.tgz
    - :x: **nodemailer-2.7.2.tgz** (Vulnerable Library)
Found in HEAD commit: eb47eeefc02a252a76628fec10a3c26aacb34024
Found in base branch: master
### Vulnerability Details
This affects the package nodemailer before 6.4.16. Use of crafted recipient email addresses may result in arbitrary command flag injection in sendmail transport for sending mails.
Publish Date: 2020-11-12
URL: CVE-2020-7769
### CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High
For more information on CVSS3 Scores, click here.
### Suggested Fix
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2020-7769
Release Date: 2020-11-12
Fix Resolution (nodemailer): 6.4.16
Direct dependency fix Resolution (karma): 3.0.0
In order to enable automatic remediation, please create workflow rules
WS-2020-0344
### Vulnerable Library - is-my-json-valid-2.20.0.tgz
A [JSONSchema](https://json-schema.org/) validator that uses code generation to be extremely fast.
Library home page: https://registry.npmjs.org/is-my-json-valid/-/is-my-json-valid-2.20.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/is-my-json-valid/package.json
Dependency Hierarchy:
- karma-2.0.5.tgz (Root Library)
  - log4js-2.11.0.tgz
    - loggly-1.1.1.tgz
      - request-2.75.0.tgz
        - har-validator-2.0.6.tgz
          - :x: **is-my-json-valid-2.20.0.tgz** (Vulnerable Library)
Found in HEAD commit: eb47eeefc02a252a76628fec10a3c26aacb34024
Found in base branch: master
### Vulnerability Details
Arbitrary Code Execution vulnerability was found in is-my-json-valid before 2.20.3 via the fromatName function.
Publish Date: 2020-06-09
URL: WS-2020-0344
### CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High
For more information on CVSS3 Scores, click here.
### Suggested Fix
Type: Upgrade version
Release Date: 2020-06-09
Fix Resolution (is-my-json-valid): 2.20.3
Direct dependency fix Resolution (karma): 3.0.0
In order to enable automatic remediation, please create workflow rules
CVE-2021-44906
### Vulnerable Library - minimist-0.0.10.tgz
parse argument options
Library home page: https://registry.npmjs.org/minimist/-/minimist-0.0.10.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/optimist/node_modules/minimist/package.json,/app/compilers/react-compiler/node_modules/optimist/node_modules/minimist/package.json
Dependency Hierarchy:
- karma-2.0.5.tgz (Root Library)
  - optimist-0.6.1.tgz
    - :x: **minimist-0.0.10.tgz** (Vulnerable Library)
Found in HEAD commit: eb47eeefc02a252a76628fec10a3c26aacb34024
Found in base branch: master
### Vulnerability Details
Minimist <=1.2.5 is vulnerable to Prototype Pollution via file index.js, function setKey() (lines 69-95).
Publish Date: 2022-03-17
URL: CVE-2021-44906
### CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High
For more information on CVSS3 Scores, click here.
### Suggested Fix
Type: Upgrade version
Origin: https://github.com/advisories/GHSA-xvch-5gv4-984h
Release Date: 2022-03-17
Fix Resolution (minimist): 0.2.4
Direct dependency fix Resolution (karma): 5.0.0
In order to enable automatic remediation, please create workflow rules
CVE-2021-31597
### Vulnerable Library - xmlhttprequest-ssl-1.5.5.tgz
XMLHttpRequest for Node
Library home page: https://registry.npmjs.org/xmlhttprequest-ssl/-/xmlhttprequest-ssl-1.5.5.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/xmlhttprequest-ssl/package.json
Dependency Hierarchy:
- karma-2.0.5.tgz (Root Library)
  - socket.io-2.0.4.tgz
    - socket.io-client-2.0.4.tgz
      - engine.io-client-3.1.6.tgz
        - :x: **xmlhttprequest-ssl-1.5.5.tgz** (Vulnerable Library)
Found in HEAD commit: eb47eeefc02a252a76628fec10a3c26aacb34024
Found in base branch: master
### Vulnerability Details
The xmlhttprequest-ssl package before 1.6.1 for Node.js disables SSL certificate validation by default, because rejectUnauthorized (when the property exists but is undefined) is considered to be false within the https.request function of Node.js. In other words, no certificate is ever rejected.
Publish Date: 2021-04-23
URL: CVE-2021-31597
### CVSS 3 Score Details (9.4)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: Low
For more information on CVSS3 Scores, click here.
### Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-31597
Release Date: 2021-04-23
Fix Resolution (xmlhttprequest-ssl): 1.6.1
Direct dependency fix Resolution (karma): 5.0.8
In order to enable automatic remediation, please create workflow rules
CVE-2021-28918
### Vulnerable Library - netmask-1.0.6.tgz
Parse and lookup IP network blocks
Library home page: https://registry.npmjs.org/netmask/-/netmask-1.0.6.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/netmask/package.json
Dependency Hierarchy:
- karma-2.0.5.tgz (Root Library)
  - log4js-2.11.0.tgz
    - mailgun-js-0.18.1.tgz
      - proxy-agent-3.0.3.tgz
        - pac-proxy-agent-3.0.1.tgz
          - pac-resolver-3.0.0.tgz
            - :x: **netmask-1.0.6.tgz** (Vulnerable Library)
Found in HEAD commit: eb47eeefc02a252a76628fec10a3c26aacb34024
Found in base branch: master
### Vulnerability Details
Improper input validation of octal strings in netmask npm package v1.0.6 and below allows unauthenticated remote attackers to perform indeterminate SSRF, RFI, and LFI attacks on many of the dependent packages. A remote unauthenticated attacker can bypass packages relying on netmask to filter IPs and reach critical VPN or LAN hosts.
Publish Date: 2021-04-01
URL: CVE-2021-28918
### CVSS 3 Score Details (9.1)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: None
For more information on CVSS3 Scores, click here.
### Suggested Fix
Type: Upgrade version
Origin: https://github.com/advisories/GHSA-pch5-whg9-qr2r
Release Date: 2021-04-01
Fix Resolution (netmask): 2.0.1
Direct dependency fix Resolution (karma): 3.0.0
In order to enable automatic remediation, please create workflow rules
CVE-2022-0686
### Vulnerable Library - url-parse-1.4.7.tgz
Small footprint URL parser that works seamlessly across Node.js and browser environments
Library home page: https://registry.npmjs.org/url-parse/-/url-parse-1.4.7.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- karma-2.0.5.tgz (Root Library)
  - log4js-2.11.0.tgz
    - amqplib-0.5.6.tgz
      - :x: **url-parse-1.4.7.tgz** (Vulnerable Library)
Found in HEAD commit: eb47eeefc02a252a76628fec10a3c26aacb34024
Found in base branch: master
### Vulnerability Details
Authorization Bypass Through User-Controlled Key in NPM url-parse prior to 1.5.8.
Publish Date: 2022-02-20
URL: CVE-2022-0686
### CVSS 3 Score Details (9.1)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: None
For more information on CVSS3 Scores, click here.
### Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0686
Release Date: 2022-02-20
Fix Resolution (url-parse): 1.5.8
Direct dependency fix Resolution (karma): 3.0.0
In order to enable automatic remediation, please create workflow rules
CVE-2021-23400
### Vulnerable Library - nodemailer-2.7.2.tgz
Easy as cake e-mail sending from your Node.js applications
Library home page: https://registry.npmjs.org/nodemailer/-/nodemailer-2.7.2.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/nodemailer/package.json
Dependency Hierarchy:
- karma-2.0.5.tgz (Root Library)
  - log4js-2.11.0.tgz
    - :x: **nodemailer-2.7.2.tgz** (Vulnerable Library)
Found in HEAD commit: eb47eeefc02a252a76628fec10a3c26aacb34024
Found in base branch: master
### Vulnerability Details
The package nodemailer before 6.6.1 is vulnerable to HTTP Header Injection if unsanitized user input that may contain newlines and carriage returns is passed into an address object.
Publish Date: 2021-06-29
URL: CVE-2021-23400
### CVSS 3 Score Details (8.8)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: Required
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High
For more information on CVSS3 Scores, click here.
### Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23400
Release Date: 2021-06-29
Fix Resolution (nodemailer): 6.6.1
Direct dependency fix Resolution (karma): 3.0.0
In order to enable automatic remediation, please create workflow rules
CVE-2020-28502
### Vulnerable Library - xmlhttprequest-ssl-1.5.5.tgz
XMLHttpRequest for Node
Library home page: https://registry.npmjs.org/xmlhttprequest-ssl/-/xmlhttprequest-ssl-1.5.5.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/xmlhttprequest-ssl/package.json
Dependency Hierarchy:
- karma-2.0.5.tgz (Root Library)
  - socket.io-2.0.4.tgz
    - socket.io-client-2.0.4.tgz
      - engine.io-client-3.1.6.tgz
        - :x: **xmlhttprequest-ssl-1.5.5.tgz** (Vulnerable Library)
Found in HEAD commit: eb47eeefc02a252a76628fec10a3c26aacb34024
Found in base branch: master
### Vulnerability Details
This affects the package xmlhttprequest before 1.7.0; all versions of package xmlhttprequest-ssl. Provided requests are sent synchronously (async=False on xhr.open), malicious user input flowing into xhr.send could result in arbitrary code being injected and run.
Publish Date: 2021-03-05
URL: CVE-2020-28502
### CVSS 3 Score Details (8.1)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: High
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High
For more information on CVSS3 Scores, click here.
### Suggested Fix
Type: Upgrade version
Origin: https://github.com/advisories/GHSA-h4j5-c7cj-74xg
Release Date: 2021-03-05
Fix Resolution (xmlhttprequest-ssl): 1.6.1
Direct dependency fix Resolution (karma): 5.0.8
In order to enable automatic remediation, please create workflow rules
WS-2020-0443
### Vulnerable Library - socket.io-2.0.4.tgz
node.js realtime framework server
Library home page: https://registry.npmjs.org/socket.io/-/socket.io-2.0.4.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/socket.io/package.json
Dependency Hierarchy:
- karma-2.0.5.tgz (Root Library)
  - :x: **socket.io-2.0.4.tgz** (Vulnerable Library)
Found in HEAD commit: eb47eeefc02a252a76628fec10a3c26aacb34024
Found in base branch: master
### Vulnerability Details
socket.io versions 1.0.0 to 2.3.0 are vulnerable to Cross-Site WebSocket Hijacking; it allows an attacker to bypass origin protection using special symbols including "`" and "$".
Publish Date: 2020-02-20
URL: WS-2020-0443
### CVSS 3 Score Details (8.1)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: Required
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: None
For more information on CVSS3 Scores, click here.
### Suggested Fix
Type: Upgrade version
Origin: https://hackerone.com/reports/931197
Release Date: 2020-02-20
Fix Resolution (socket.io): 2.4.0
Direct dependency fix Resolution (karma): 5.0.8
In order to enable automatic remediation, please create workflow rules
CVE-2020-28469
### Vulnerable Library - glob-parent-3.1.0.tgz
Strips glob magic from a string to provide the parent directory path
Library home page: https://registry.npmjs.org/glob-parent/-/glob-parent-3.1.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/karma/node_modules/glob-parent/package.json
Dependency Hierarchy:
- karma-2.0.5.tgz (Root Library)
  - chokidar-2.1.8.tgz
    - :x: **glob-parent-3.1.0.tgz** (Vulnerable Library)
Found in HEAD commit: eb47eeefc02a252a76628fec10a3c26aacb34024
Found in base branch: master
### Vulnerability Details
This affects the package glob-parent before 5.1.2. The enclosure regex used to check for strings ending in enclosure containing path separator.
Publish Date: 2021-06-03
URL: CVE-2020-28469
### CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High
For more information on CVSS3 Scores, click here.
### Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28469
Release Date: 2021-06-03
Fix Resolution (glob-parent): 5.1.2
Direct dependency fix Resolution (karma): 4.2.0
In order to enable automatic remediation, please create workflow rules
CVE-2022-0654
### Vulnerable Library - requestretry-1.13.0.tgz
request-retry wrap nodejs request to retry http(s) requests in case of error
Library home page: https://registry.npmjs.org/requestretry/-/requestretry-1.13.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/requestretry/package.json
Dependency Hierarchy:
- karma-2.0.5.tgz (Root Library)
  - log4js-2.11.0.tgz
    - slack-node-0.2.0.tgz
      - :x: **requestretry-1.13.0.tgz** (Vulnerable Library)
Found in HEAD commit: eb47eeefc02a252a76628fec10a3c26aacb34024
Found in base branch: master
### Vulnerability Details
Exposure of Sensitive Information to an Unauthorized Actor in GitHub repository fgribreau/node-request-retry prior to 7.0.0.
Publish Date: 2022-02-23
URL: CVE-2022-0654
### CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: None
  - Availability Impact: None
For more information on CVSS3 Scores, click here.
### Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0654
Release Date: 2022-02-23
Fix Resolution (requestretry): 7.0.0
Direct dependency fix Resolution (karma): 3.0.0
In order to enable automatic remediation, please create workflow rules
CVE-2017-16115
### Vulnerable Library - timespan-2.3.0.tgz
A JavaScript TimeSpan library for node.js (and soon the browser)
Library home page: https://registry.npmjs.org/timespan/-/timespan-2.3.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/timespan/package.json
Dependency Hierarchy:
- karma-2.0.5.tgz (Root Library)
  - log4js-2.11.0.tgz
    - loggly-1.1.1.tgz
      - :x: **timespan-2.3.0.tgz** (Vulnerable Library)
Found in HEAD commit: eb47eeefc02a252a76628fec10a3c26aacb34024
Found in base branch: master
### Vulnerability Details
The timespan module is vulnerable to regular expression denial of service. Given 50k characters of untrusted user input it will block the event loop for around 10 seconds.
Publish Date: 2018-06-07
URL: CVE-2017-16115
### CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High
For more information on CVSS3 Scores, click here.
CVE-2021-3749
### Vulnerable Library - axios-0.15.3.tgz
Promise based HTTP client for the browser and node.js
Library home page: https://registry.npmjs.org/axios/-/axios-0.15.3.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/axios/package.json
Dependency Hierarchy:
- karma-2.0.5.tgz (Root Library)
  - log4js-2.11.0.tgz
    - :x: **axios-0.15.3.tgz** (Vulnerable Library)
Found in HEAD commit: eb47eeefc02a252a76628fec10a3c26aacb34024
Found in base branch: master
### Vulnerability Details
axios is vulnerable to Inefficient Regular Expression Complexity
Publish Date: 2021-08-31
URL: CVE-2021-3749
### CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High
For more information on CVSS3 Scores, click here.
### Suggested Fix
Type: Upgrade version
Origin: https://huntr.dev/bounties/1e8f07fc-c384-4ff9-8498-0690de2e8c31/
Release Date: 2021-08-31
Fix Resolution (axios): 0.18.1
Direct dependency fix Resolution (karma): 3.0.0
In order to enable automatic remediation, please create workflow rules
CVE-2022-29167
### Vulnerable Library - hawk-3.1.3.tgz
HTTP Hawk Authentication Scheme
Library home page: https://registry.npmjs.org/hawk/-/hawk-3.1.3.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/hawk/package.json
Dependency Hierarchy:
- karma-2.0.5.tgz (Root Library)
  - log4js-2.11.0.tgz
    - loggly-1.1.1.tgz
      - request-2.75.0.tgz
        - :x: **hawk-3.1.3.tgz** (Vulnerable Library)
Found in HEAD commit: eb47eeefc02a252a76628fec10a3c26aacb34024
Found in base branch: master
### Vulnerability Details
Hawk is an HTTP authentication scheme providing mechanisms for making authenticated HTTP requests with partial cryptographic verification of the request and response, covering the HTTP method, request URI, host, and optionally the request payload. Hawk used a regular expression to parse the `Host` HTTP header (`Hawk.utils.parseHost()`), which was subject to a regular expression DoS attack, meaning each added character in the attacker's input increases the computation time exponentially. `parseHost()` was patched in `9.0.1` to use the built-in `URL` class to parse the hostname instead. `Hawk.authenticate()` accepts an `options` argument. If that contains `host` and `port`, those would be used instead of a call to `utils.parseHost()`.
Publish Date: 2022-05-05
URL: CVE-2022-29167
### CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High
For more information on CVSS3 Scores, click here.
### Suggested Fix
Type: Upgrade version
Origin: https://github.com/mozilla/hawk/security/advisories/GHSA-44pw-h2cw-w3vq
Release Date: 2022-05-05
Fix Resolution (hawk): 9.0.1
Direct dependency fix Resolution (karma): 3.0.0
In order to enable automatic remediation, please create workflow rules
WS-2018-0650
### Vulnerable Library - useragent-2.2.1.tgz
Fastest, most accurate & efficient user agent string parser, uses Browserscope's research for parsing
Library home page: https://registry.npmjs.org/useragent/-/useragent-2.2.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/useragent/package.json
Dependency Hierarchy:
- karma-2.0.5.tgz (Root Library)
  - :x: **useragent-2.2.1.tgz** (Vulnerable Library)
Found in HEAD commit: eb47eeefc02a252a76628fec10a3c26aacb34024
Found in base branch: master
### Vulnerability Details
Regular Expression Denial of Service (ReDoS) vulnerability was found in useragent through 2.3.0.
Publish Date: 2018-02-27
URL: WS-2018-0650
### CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High
For more information on CVSS3 Scores, click here.
### Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/WS-2018-0650
Release Date: 2018-02-27
Fix Resolution: NorDroN.AngularTemplate - 0.1.6;dotnetng.template - 1.0.0.4;JetBrains.Rider.Frontend5 - 213.0.20211008.154703-eap03;MIDIator.WebClient - 1.0.105
CVE-2020-36048
### Vulnerable Library - engine.io-3.1.5.tgz
The realtime engine behind Socket.IO. Provides the foundation of a bidirectional connection between client and server
Library home page: https://registry.npmjs.org/engine.io/-/engine.io-3.1.5.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/engine.io/package.json
Dependency Hierarchy:
- karma-2.0.5.tgz (Root Library)
  - socket.io-2.0.4.tgz
    - :x: **engine.io-3.1.5.tgz** (Vulnerable Library)
Found in HEAD commit: eb47eeefc02a252a76628fec10a3c26aacb34024
Found in base branch: master
### Vulnerability Details
Engine.IO before 4.0.0 allows attackers to cause a denial of service (resource consumption) via a POST request to the long polling transport.
Publish Date: 2021-01-08
URL: CVE-2020-36048
### CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High
For more information on CVSS3 Scores, click here.
### Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-36048
Release Date: 2021-01-08
Fix Resolution (engine.io): 3.6.0
Direct dependency fix Resolution (karma): 5.0.8
In order to enable automatic remediation, please create workflow rules
WS-2020-0342
### Vulnerable Library - is-my-json-valid-2.20.0.tgz
A [JSONSchema](https://json-schema.org/) validator that uses code generation to be extremely fast.
Library home page: https://registry.npmjs.org/is-my-json-valid/-/is-my-json-valid-2.20.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/is-my-json-valid/package.json
Dependency Hierarchy:
- karma-2.0.5.tgz (Root Library)
  - log4js-2.11.0.tgz
    - loggly-1.1.1.tgz
      - request-2.75.0.tgz
        - har-validator-2.0.6.tgz
          - :x: **is-my-json-valid-2.20.0.tgz** (Vulnerable Library)
Found in HEAD commit: eb47eeefc02a252a76628fec10a3c26aacb34024
Found in base branch: master
### Vulnerability Details
Regular Expression Denial of Service (ReDoS) vulnerability was found in is-my-json-valid before 2.20.2 via the style format.
Publish Date: 2020-06-27
URL: WS-2020-0342
### CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High
For more information on CVSS3 Scores, click here.
### Suggested Fix
Type: Upgrade version
Release Date: 2020-06-27
Fix Resolution (is-my-json-valid): 2.20.2
Direct dependency fix Resolution (karma): 3.0.0
In order to enable automatic remediation, please create workflow rules
In order to enable automatic remediation for this issue, please create workflow rules