samq-starkcorp / JS-Demo

Apache License 2.0

grunt-retire-0.3.12.tgz: 13 vulnerabilities (highest severity is: 9.8) - autoclosed #23

Closed mend-for-github-com[bot] closed 2 years ago

mend-for-github-com[bot] commented 2 years ago
Vulnerable Library - grunt-retire-0.3.12.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/cryptiles/package.json,/node_modules/npm/node_modules/request/node_modules/hawk/node_modules/cryptiles/package.json

Found in HEAD commit: 33cd7775cefbf105dc51f3d5f5d136e529948d6f

Vulnerabilities

| CVE | Severity | CVSS | Dependency | Type | Fixed in | Remediation Available |
| --- | --- | --- | --- | --- | --- | --- |
| CVE-2021-23807 | High | 9.8 | jsonpointer-4.0.1.tgz | Transitive | 1.0.0 | |
| WS-2020-0344 | High | 9.8 | is-my-json-valid-2.19.0.tgz | Transitive | 1.0.0 | |
| CVE-2018-1000620 | High | 9.8 | cryptiles-2.0.5.tgz | Transitive | 1.0.7 | |
| CVE-2018-3728 | High | 8.8 | hoek-2.16.3.tgz | Transitive | 1.0.7 | |
| WS-2020-0345 | High | 8.2 | jsonpointer-4.0.1.tgz | Transitive | 1.0.0 | |
| CVE-2017-15010 | High | 7.5 | tough-cookie-2.2.2.tgz | Transitive | 1.0.7 | |
| WS-2020-0342 | High | 7.5 | is-my-json-valid-2.19.0.tgz | Transitive | 1.0.0 | |
| CVE-2017-1000048 | High | 7.5 | qs-5.2.1.tgz | Transitive | 1.0.7 | |
| CVE-2021-23358 | High | 7.2 | underscore-1.8.3.tgz | Transitive | 1.0.2 | |
| CVE-2020-8244 | Medium | 6.5 | bl-1.0.3.tgz | Transitive | 1.0.7 | |
| CVE-2017-16026 | Medium | 5.9 | request-2.67.0.tgz | Transitive | 1.0.7 | |
| CVE-2016-1000232 | Medium | 5.3 | tough-cookie-2.2.2.tgz | Transitive | 1.0.7 | |
| WS-2018-0076 | Medium | 5.1 | tunnel-agent-0.4.3.tgz | Transitive | 1.0.7 | |

Details

## CVE-2021-23807

### Vulnerable Library - jsonpointer-4.0.1.tgz

Simple JSON Addressing.

Library home page: https://registry.npmjs.org/jsonpointer/-/jsonpointer-4.0.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/jsonpointer/package.json

Dependency Hierarchy:
- grunt-retire-0.3.12.tgz (Root Library)
  - request-2.67.0.tgz
    - har-validator-2.0.6.tgz
      - is-my-json-valid-2.19.0.tgz
        - :x: **jsonpointer-4.0.1.tgz** (Vulnerable Library)

Found in HEAD commit: 33cd7775cefbf105dc51f3d5f5d136e529948d6f

Found in base branch: main

### Vulnerability Details

This affects the package jsonpointer before 5.0.0. A type confusion vulnerability can lead to a bypass of a previous Prototype Pollution fix when the pointer components are arrays.

Publish Date: 2021-11-03

URL: CVE-2021-23807

### CVSS 3 Score Details (9.8)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High


### Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23807

Release Date: 2021-11-03

Fix Resolution (jsonpointer): 5.0.0

Direct dependency fix Resolution (grunt-retire): 1.0.0

In order to enable automatic remediation, please create workflow rules

## WS-2020-0344

### Vulnerable Library - is-my-json-valid-2.19.0.tgz

A JSONSchema validator that uses code generation to be extremely fast

Library home page: https://registry.npmjs.org/is-my-json-valid/-/is-my-json-valid-2.19.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/is-my-json-valid/package.json

Dependency Hierarchy:
- grunt-retire-0.3.12.tgz (Root Library)
  - request-2.67.0.tgz
    - har-validator-2.0.6.tgz
      - :x: **is-my-json-valid-2.19.0.tgz** (Vulnerable Library)

Found in HEAD commit: 33cd7775cefbf105dc51f3d5f5d136e529948d6f

Found in base branch: main

### Vulnerability Details

Arbitrary Code Execution vulnerability was found in is-my-json-valid before 2.20.3 via the fromatName function.

Publish Date: 2020-06-09

URL: WS-2020-0344

### CVSS 3 Score Details (9.8)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High


### Suggested Fix

Type: Upgrade version

Origin: https://github.com/mafintosh/is-my-json-valid/commit/c3fc04fc455d40e9b29537f8e2c73a28ce106edb

Release Date: 2020-06-09

Fix Resolution (is-my-json-valid): 2.20.3

Direct dependency fix Resolution (grunt-retire): 1.0.0


## CVE-2018-1000620

### Vulnerable Library - cryptiles-2.0.5.tgz

General purpose crypto utilities

Library home page: https://registry.npmjs.org/cryptiles/-/cryptiles-2.0.5.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/cryptiles/package.json,/node_modules/npm/node_modules/request/node_modules/hawk/node_modules/cryptiles/package.json

Dependency Hierarchy:
- grunt-retire-0.3.12.tgz (Root Library)
  - request-2.67.0.tgz
    - hawk-3.1.3.tgz
      - :x: **cryptiles-2.0.5.tgz** (Vulnerable Library)

Found in HEAD commit: 33cd7775cefbf105dc51f3d5f5d136e529948d6f

Found in base branch: main

### Vulnerability Details

Eran Hammer cryptiles version 4.1.1 and earlier contains a CWE-331: Insufficient Entropy vulnerability in the randomDigits() method that can result in an attacker being more likely to brute force something that was supposed to be random. This attack appears to be exploitable depending upon the calling application. This vulnerability appears to have been fixed in 4.1.2.

Publish Date: 2018-07-09

URL: CVE-2018-1000620

### CVSS 3 Score Details (9.8)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High


### Suggested Fix

Type: Upgrade version

Origin: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-1000620

Release Date: 2018-07-09

Fix Resolution (cryptiles): 4.1.2

Direct dependency fix Resolution (grunt-retire): 1.0.7


## CVE-2018-3728

### Vulnerable Library - hoek-2.16.3.tgz

General purpose node utilities

Library home page: https://registry.npmjs.org/hoek/-/hoek-2.16.3.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/hoek/package.json,/node_modules/npm/node_modules/request/node_modules/hawk/node_modules/hoek/package.json

Dependency Hierarchy:
- grunt-retire-0.3.12.tgz (Root Library)
  - request-2.67.0.tgz
    - hawk-3.1.3.tgz
      - :x: **hoek-2.16.3.tgz** (Vulnerable Library)

Found in HEAD commit: 33cd7775cefbf105dc51f3d5f5d136e529948d6f

Found in base branch: main

### Vulnerability Details

hoek node module before 4.2.0 and 5.0.x before 5.0.3 suffers from a Modification of Assumed-Immutable Data (MAID) vulnerability via 'merge' and 'applyToDefaults' functions, which allows a malicious user to modify the prototype of "Object" via __proto__, causing the addition or modification of an existing property that will exist on all objects.

Publish Date: 2018-03-30

URL: CVE-2018-3728

### CVSS 3 Score Details (8.8)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: Low
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High


### Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16082

Release Date: 2018-03-30

Fix Resolution (hoek): 4.2.0

Direct dependency fix Resolution (grunt-retire): 1.0.7


## WS-2020-0345

### Vulnerable Library - jsonpointer-4.0.1.tgz

Simple JSON Addressing.

Library home page: https://registry.npmjs.org/jsonpointer/-/jsonpointer-4.0.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/jsonpointer/package.json

Dependency Hierarchy:
- grunt-retire-0.3.12.tgz (Root Library)
  - request-2.67.0.tgz
    - har-validator-2.0.6.tgz
      - is-my-json-valid-2.19.0.tgz
        - :x: **jsonpointer-4.0.1.tgz** (Vulnerable Library)

Found in HEAD commit: 33cd7775cefbf105dc51f3d5f5d136e529948d6f

Found in base branch: main

### Vulnerability Details

Prototype Pollution vulnerability was found in jsonpointer before 4.1.0 via the set function.

Publish Date: 2020-07-03

URL: WS-2020-0345

### CVSS 3 Score Details (8.2)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: Low
  - Availability Impact: High


### Suggested Fix

Type: Upgrade version

Origin: https://github.com/janl/node-jsonpointer/releases/tag/v4.1.0

Release Date: 2020-07-03

Fix Resolution (jsonpointer): 4.1.0

Direct dependency fix Resolution (grunt-retire): 1.0.0


## CVE-2017-15010

### Vulnerable Library - tough-cookie-2.2.2.tgz

RFC6265 Cookies and Cookie Jar for node.js

Library home page: https://registry.npmjs.org/tough-cookie/-/tough-cookie-2.2.2.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/grunt-retire/node_modules/tough-cookie/package.json

Dependency Hierarchy:
- grunt-retire-0.3.12.tgz (Root Library)
  - request-2.67.0.tgz
    - :x: **tough-cookie-2.2.2.tgz** (Vulnerable Library)

Found in HEAD commit: 33cd7775cefbf105dc51f3d5f5d136e529948d6f

Found in base branch: main

### Vulnerability Details

A ReDoS (regular expression denial of service) flaw was found in the tough-cookie module before 2.3.3 for Node.js. An attacker that is able to make an HTTP request using a specially crafted cookie may cause the application to consume an excessive amount of CPU.

Publish Date: 2017-10-04

URL: CVE-2017-15010

### CVSS 3 Score Details (7.5)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High


### Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2017-15010

Release Date: 2017-10-04

Fix Resolution (tough-cookie): 2.3.3

Direct dependency fix Resolution (grunt-retire): 1.0.7


## WS-2020-0342

### Vulnerable Library - is-my-json-valid-2.19.0.tgz

A JSONSchema validator that uses code generation to be extremely fast

Library home page: https://registry.npmjs.org/is-my-json-valid/-/is-my-json-valid-2.19.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/is-my-json-valid/package.json

Dependency Hierarchy:
- grunt-retire-0.3.12.tgz (Root Library)
  - request-2.67.0.tgz
    - har-validator-2.0.6.tgz
      - :x: **is-my-json-valid-2.19.0.tgz** (Vulnerable Library)

Found in HEAD commit: 33cd7775cefbf105dc51f3d5f5d136e529948d6f

Found in base branch: main

### Vulnerability Details

Regular Expression Denial of Service (ReDoS) vulnerability was found in is-my-json-valid before 2.20.2 via the style format.

Publish Date: 2020-06-27

URL: WS-2020-0342

### CVSS 3 Score Details (7.5)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High


### Suggested Fix

Type: Upgrade version

Origin: https://github.com/mafintosh/is-my-json-valid/commit/c3fc04fc455d40e9b29537f8e2c73a28ce106edb

Release Date: 2020-06-27

Fix Resolution (is-my-json-valid): 2.20.2

Direct dependency fix Resolution (grunt-retire): 1.0.0


## CVE-2017-1000048

### Vulnerable Library - qs-5.2.1.tgz

A querystring parser that supports nesting and arrays, with a depth limit

Library home page: https://registry.npmjs.org/qs/-/qs-5.2.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/grunt-retire/node_modules/qs/package.json

Dependency Hierarchy:
- grunt-retire-0.3.12.tgz (Root Library)
  - request-2.67.0.tgz
    - :x: **qs-5.2.1.tgz** (Vulnerable Library)

Found in HEAD commit: 33cd7775cefbf105dc51f3d5f5d136e529948d6f

Found in base branch: main

### Vulnerability Details

A web framework using ljharb's qs module older than v6.3.2, v6.2.3, v6.1.2, and v6.0.4 is vulnerable to a DoS. A malicious user can send an evil request to cause the web framework to crash.

Publish Date: 2017-07-17

URL: CVE-2017-1000048

### CVSS 3 Score Details (7.5)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High


### Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000048

Release Date: 2017-07-17

Fix Resolution (qs): 6.0.4

Direct dependency fix Resolution (grunt-retire): 1.0.7


## CVE-2021-23358

### Vulnerable Library - underscore-1.8.3.tgz

JavaScript's functional programming helper library.

Library home page: https://registry.npmjs.org/underscore/-/underscore-1.8.3.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/retire/node_modules/underscore/package.json

Dependency Hierarchy:
- grunt-retire-0.3.12.tgz (Root Library)
  - retire-1.1.6.tgz
    - :x: **underscore-1.8.3.tgz** (Vulnerable Library)

Found in HEAD commit: 33cd7775cefbf105dc51f3d5f5d136e529948d6f

Found in base branch: main

### Vulnerability Details

The package underscore from 1.13.0-0 and before 1.13.0-2, from 1.3.2 and before 1.12.1 are vulnerable to Arbitrary Code Injection via the template function, particularly when a variable property is passed as an argument as it is not sanitized.

Publish Date: 2021-03-29

URL: CVE-2021-23358

### CVSS 3 Score Details (7.2)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: High
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High


### Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23358

Release Date: 2021-03-29

Fix Resolution (underscore): 1.12.1

Direct dependency fix Resolution (grunt-retire): 1.0.2


## CVE-2020-8244

### Vulnerable Library - bl-1.0.3.tgz

Buffer List: collect buffers and access with a standard readable Buffer interface, streamable too!

Library home page: https://registry.npmjs.org/bl/-/bl-1.0.3.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/bl/package.json

Dependency Hierarchy:
- grunt-retire-0.3.12.tgz (Root Library)
  - request-2.67.0.tgz
    - :x: **bl-1.0.3.tgz** (Vulnerable Library)

Found in HEAD commit: 33cd7775cefbf105dc51f3d5f5d136e529948d6f

Found in base branch: main

### Vulnerability Details

A buffer over-read vulnerability exists in bl <4.0.3, <3.0.1, <2.2.1, and <1.2.3. If user-supplied input (even typed) ends up in the consume() argument and can become negative, the BufferList state can be corrupted, tricking it into exposing uninitialized memory via regular .slice() calls.

Publish Date: 2020-08-30

URL: CVE-2020-8244

### CVSS 3 Score Details (6.5)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: Low
  - Integrity Impact: None
  - Availability Impact: Low


### Suggested Fix

Type: Upgrade version

Origin: https://github.com/advisories/GHSA-pp7h-53gx-mx7r

Release Date: 2020-08-30

Fix Resolution (bl): 1.2.3

Direct dependency fix Resolution (grunt-retire): 1.0.7


## CVE-2017-16026

### Vulnerable Library - request-2.67.0.tgz

Simplified HTTP request client.

Library home page: https://registry.npmjs.org/request/-/request-2.67.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/grunt-retire/node_modules/request/package.json

Dependency Hierarchy:
- grunt-retire-0.3.12.tgz (Root Library)
  - :x: **request-2.67.0.tgz** (Vulnerable Library)

Found in HEAD commit: 33cd7775cefbf105dc51f3d5f5d136e529948d6f

Found in base branch: main

### Vulnerability Details

Request is an http client. If a request is made using `multipart`, and the body type is a `number`, then the specified number of non-zero memory is passed in the body. This affects Request >=2.2.6 <2.47.0 || >2.51.0 <=2.67.0.

Publish Date: 2018-06-04

URL: CVE-2017-16026

### CVSS 3 Score Details (5.9)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: High
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: None
  - Availability Impact: None


### Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2017-16026

Release Date: 2018-06-04

Fix Resolution (request): 2.68.0

Direct dependency fix Resolution (grunt-retire): 1.0.7


## CVE-2016-1000232

### Vulnerable Library - tough-cookie-2.2.2.tgz

RFC6265 Cookies and Cookie Jar for node.js

Library home page: https://registry.npmjs.org/tough-cookie/-/tough-cookie-2.2.2.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/grunt-retire/node_modules/tough-cookie/package.json

Dependency Hierarchy:
- grunt-retire-0.3.12.tgz (Root Library)
  - request-2.67.0.tgz
    - :x: **tough-cookie-2.2.2.tgz** (Vulnerable Library)

Found in HEAD commit: 33cd7775cefbf105dc51f3d5f5d136e529948d6f

Found in base branch: main

### Vulnerability Details

NodeJS Tough-Cookie version 2.2.2 contains a Regular Expression Parsing vulnerability in HTTP request Cookie Header parsing that can result in Denial of Service. This attack appears to be exploitable via a custom HTTP header passed by the client. This vulnerability appears to have been fixed in 2.3.0.

Publish Date: 2018-09-05

URL: CVE-2016-1000232

### CVSS 3 Score Details (5.3)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: Low


### Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/130

Release Date: 2018-09-05

Fix Resolution (tough-cookie): 2.3.0

Direct dependency fix Resolution (grunt-retire): 1.0.7


## WS-2018-0076

### Vulnerable Library - tunnel-agent-0.4.3.tgz

HTTP proxy tunneling agent. Formerly part of mikeal/request, now a standalone module.

Library home page: https://registry.npmjs.org/tunnel-agent/-/tunnel-agent-0.4.3.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/npm/node_modules/request/node_modules/tunnel-agent/package.json,/node_modules/tunnel-agent/package.json

Dependency Hierarchy:
- grunt-retire-0.3.12.tgz (Root Library)
  - request-2.67.0.tgz
    - :x: **tunnel-agent-0.4.3.tgz** (Vulnerable Library)

Found in HEAD commit: 33cd7775cefbf105dc51f3d5f5d136e529948d6f

Found in base branch: main

### Vulnerability Details

Versions of tunnel-agent before 0.6.0 are vulnerable to memory exposure. This is exploitable if user supplied input is provided to the auth value and is a number.

Publish Date: 2017-03-05

URL: WS-2018-0076

### CVSS 3 Score Details (5.1)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Local
  - Attack Complexity: High
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: None
  - Availability Impact: None


### Suggested Fix

Type: Upgrade version

Origin: https://nodesecurity.io/advisories/598

Release Date: 2017-03-05

Fix Resolution (tunnel-agent): 0.6.0

Direct dependency fix Resolution (grunt-retire): 1.0.7

In order to enable automatic remediation for this issue, please create workflow rules

mend-for-github-com[bot] commented 2 years ago

:heavy_check_mark: This issue was automatically closed by WhiteSource because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the WhiteSource inventory.