opentok / opentok-video-call-center

Sample code for building a basic agent queuing system
MIT License
20 stars 19 forks source link

opentok-2.15.2.tgz: 3 vulnerabilities (highest severity is: 6.5) #94

Open mend-for-github-com[bot] opened 1 year ago

mend-for-github-com[bot] commented 1 year ago
Vulnerable Library - opentok-2.15.2.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/request/package.json

Vulnerabilities

CVE Severity CVSS Exploit Maturity EPSS Dependency Type Fixed in (opentok version) Remediation Possible** Reachability
CVE-2023-26136 Medium 6.5 Proof of concept 0.3% tough-cookie-2.5.0.tgz Transitive 2.17.0
CVE-2023-28155 Medium 6.1 Not Defined 0.1% request-2.88.2.tgz Transitive N/A*
CVE-2022-25883 Medium 5.3 Proof of concept 0.2% semver-7.3.8.tgz Transitive 2.17.0

*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2023-26136 ### Vulnerable Library - tough-cookie-2.5.0.tgz

RFC6265 Cookies and Cookie Jar for node.js

Library home page: https://registry.npmjs.org/tough-cookie/-/tough-cookie-2.5.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/tough-cookie/package.json

Dependency Hierarchy: - opentok-2.15.2.tgz (Root Library) - request-2.88.2.tgz - :x: **tough-cookie-2.5.0.tgz** (Vulnerable Library)

Found in base branch: main

### Vulnerability Details

Versions of the package tough-cookie before 4.1.3 are vulnerable to Prototype Pollution due to improper handling of Cookies when using CookieJar in rejectPublicSuffixes=false mode. This issue arises from the manner in which the objects are initialized.

Publish Date: 2023-07-01

URL: CVE-2023-26136

### Threat Assessment

Exploit Maturity: Proof of concept

EPSS: 0.3%

### CVSS 3 Score Details (6.5)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: Low - Integrity Impact: Low - Availability Impact: None

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2023-26136

Release Date: 2023-07-01

Fix Resolution (tough-cookie): 4.1.3

Direct dependency fix Resolution (opentok): 2.17.0

:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.
CVE-2023-28155 ### Vulnerable Library - request-2.88.2.tgz

Simplified HTTP request client.

Library home page: https://registry.npmjs.org/request/-/request-2.88.2.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/request/package.json

Dependency Hierarchy: - opentok-2.15.2.tgz (Root Library) - :x: **request-2.88.2.tgz** (Vulnerable Library)

Found in base branch: main

### Vulnerability Details

The Request package through 2.88.1 for Node.js allows a bypass of SSRF mitigations via an attacker-controller server that does a cross-protocol redirect (HTTP to HTTPS, or HTTPS to HTTP). NOTE: This vulnerability only affects products that are no longer supported by the maintainer.

Publish Date: 2023-03-16

URL: CVE-2023-28155

### Threat Assessment

Exploit Maturity: Not Defined

EPSS: 0.1%

### CVSS 3 Score Details (6.1)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: Required - Scope: Changed - Impact Metrics: - Confidentiality Impact: Low - Integrity Impact: Low - Availability Impact: None

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://github.com/advisories/GHSA-p8p7-x288-28g6

Release Date: 2023-03-16

Fix Resolution: @cypress/request - 3.0.0

CVE-2022-25883 ### Vulnerable Library - semver-7.3.8.tgz

The semantic version parser used by npm.

Library home page: https://registry.npmjs.org/semver/-/semver-7.3.8.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/jsonwebtoken/node_modules/semver/package.json,/node_modules/css-loader/node_modules/semver/package.json

Dependency Hierarchy: - opentok-2.15.2.tgz (Root Library) - jsonwebtoken-9.0.0.tgz - :x: **semver-7.3.8.tgz** (Vulnerable Library)

Found in base branch: main

### Vulnerability Details

Versions of the package semver before 7.5.2 are vulnerable to Regular Expression Denial of Service (ReDoS) via the function new Range, when untrusted user data is provided as a range.

Publish Date: 2023-06-21

URL: CVE-2022-25883

### Threat Assessment

Exploit Maturity: Proof of concept

EPSS: 0.2%

### CVSS 3 Score Details (5.3)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: Low

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://github.com/advisories/GHSA-c2qf-rxjj-qqgw

Release Date: 2023-06-21

Fix Resolution (semver): 7.5.2

Direct dependency fix Resolution (opentok): 2.17.0

:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.

:rescue_worker_helmet:Automatic Remediation will be attempted for this issue.