search

snowdensb / braindump

BrainDump is a simple, powerful, and open note taking platform that makes it easy to organize your life.
MIT License
0 stars 0 forks source link

npm-watch-0.1.6.tgz: 8 vulnerabilities (highest severity is: 9.8) - autoclosed #191

Closed mend-for-github-com[bot] closed 4 weeks ago

mend-for-github-com[bot] commented 6 months ago
Vulnerable Library - npm-watch-0.1.6.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/fsevents

Vulnerabilities

CVE Severity CVSS Dependency Type Fixed in (npm-watch version) Remediation Possible** Reachability
MSC-2023-16650 Critical 9.8 fsevents-1.0.15.tgz Transitive N/A*
CVE-2023-45311 Critical 9.8 fsevents-1.0.15.tgz Transitive 0.1.7
CVE-2018-3750 High 7.3 deep-extend-0.4.1.tgz Transitive 0.1.7
CVE-2019-10795 Medium 6.3 undefsafe-0.0.3.tgz Transitive 0.1.7
CVE-2022-33987 Medium 5.3 got-3.3.1.tgz Transitive 0.7.0
CVE-2017-20162 Medium 4.3 ms-0.7.1.tgz Transitive 0.1.7
CVE-2017-16137 Low 3.7 debug-2.2.0.tgz Transitive 0.1.7
CVE-2017-20165 Low 3.5 debug-2.2.0.tgz Transitive 0.1.7

*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

MSC-2023-16650 ### Vulnerable Library - fsevents-1.0.15.tgz

Native Access to Mac OS-X FSEvents

Library home page: https://registry.npmjs.org/fsevents/-/fsevents-1.0.15.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/fsevents

Dependency Hierarchy: - npm-watch-0.1.6.tgz (Root Library) - nodemon-1.11.0.tgz - chokidar-1.6.1.tgz - :x: **fsevents-1.0.15.tgz** (Vulnerable Library)

Found in base branch: master

### Vulnerability Details

This package has been identified by Mend as containing potential malicious functionality. The severity of the functionality can change depending on where the library is running (user's machine or backend server). The following risks were identified: Malware dropper – this package contains a Trojan horse, allowing the unauthorized installation of other potentially malicious software.

Publish Date: 2023-09-20

URL: MSC-2023-16650

### CVSS 3 Score Details (9.8)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High

For more information on CVSS3 Scores, click here.

CVE-2023-45311 ### Vulnerable Library - fsevents-1.0.15.tgz

Native Access to Mac OS-X FSEvents

Library home page: https://registry.npmjs.org/fsevents/-/fsevents-1.0.15.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/fsevents

Dependency Hierarchy: - npm-watch-0.1.6.tgz (Root Library) - nodemon-1.11.0.tgz - chokidar-1.6.1.tgz - :x: **fsevents-1.0.15.tgz** (Vulnerable Library)

Found in base branch: master

### Vulnerability Details

fsevents before 1.2.11 depends on the https://fsevents-binaries.s3-us-west-2.amazonaws.com URL, which might allow an adversary to execute arbitrary code if any JavaScript project (that depends on fsevents) distributes code that was obtained from that URL at a time when it was controlled by an adversary. NOTE: some sources feel that this means that no version is affected any longer, because the URL is not controlled by an adversary.

Publish Date: 2023-10-06

URL: CVE-2023-45311

### CVSS 3 Score Details (9.8)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2023-45311

Release Date: 2023-10-06

Fix Resolution (fsevents): 1.2.11

Direct dependency fix Resolution (npm-watch): 0.1.7

:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.
CVE-2018-3750 ### Vulnerable Library - deep-extend-0.4.1.tgz

Recursive object extending

Library home page: https://registry.npmjs.org/deep-extend/-/deep-extend-0.4.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/deep-extend

Dependency Hierarchy: - npm-watch-0.1.6.tgz (Root Library) - nodemon-1.11.0.tgz - chokidar-1.6.1.tgz - fsevents-1.0.15.tgz - node-pre-gyp-0.6.31.tgz - rc-1.1.6.tgz - :x: **deep-extend-0.4.1.tgz** (Vulnerable Library)

Found in base branch: master

### Vulnerability Details

The utilities function in all versions <= 0.5.0 of the deep-extend node module can be tricked into modifying the prototype of Object when the attacker can control part of the structure passed to this function. This can let an attacker add or modify existing properties that will exist on all objects.

Publish Date: 2018-07-03

URL: CVE-2018-3750

### CVSS 3 Score Details (7.3)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: Low - Integrity Impact: Low - Availability Impact: Low

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3750

Release Date: 2018-05-24

Fix Resolution (deep-extend): 0.5.1

Direct dependency fix Resolution (npm-watch): 0.1.7

:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.
CVE-2019-10795 ### Vulnerable Library - undefsafe-0.0.3.tgz

Undefined safe way of extracting object properties

Library home page: https://registry.npmjs.org/undefsafe/-/undefsafe-0.0.3.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/undefsafe

Dependency Hierarchy: - npm-watch-0.1.6.tgz (Root Library) - nodemon-1.11.0.tgz - :x: **undefsafe-0.0.3.tgz** (Vulnerable Library)

Found in base branch: master

### Vulnerability Details

undefsafe before 2.0.3 is vulnerable to Prototype Pollution. The 'a' function could be tricked into adding or modifying properties of Object.prototype using a __proto__ payload.

Publish Date: 2020-02-18

URL: CVE-2019-10795

### CVSS 3 Score Details (6.3)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: Low - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: Low - Integrity Impact: Low - Availability Impact: Low

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10795

Release Date: 2020-02-27

Fix Resolution (undefsafe): 2.0.3

Direct dependency fix Resolution (npm-watch): 0.1.7

:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.
CVE-2022-33987 ### Vulnerable Library - got-3.3.1.tgz

Simplified HTTP/HTTPS requests

Library home page: https://registry.npmjs.org/got/-/got-3.3.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/got

Dependency Hierarchy: - npm-watch-0.1.6.tgz (Root Library) - nodemon-1.11.0.tgz - update-notifier-0.5.0.tgz - latest-version-1.0.1.tgz - package-json-1.2.0.tgz - :x: **got-3.3.1.tgz** (Vulnerable Library)

Found in base branch: master

### Vulnerability Details

The got package before 12.1.0 (also fixed in 11.8.5) for Node.js allows a redirect to a UNIX socket.

Publish Date: 2022-06-18

URL: CVE-2022-33987

### CVSS 3 Score Details (5.3)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: Low - Availability Impact: None

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-33987

Release Date: 2022-06-18

Fix Resolution (got): 11.8.6

Direct dependency fix Resolution (npm-watch): 0.7.0

:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.
CVE-2017-20162 ### Vulnerable Library - ms-0.7.1.tgz

Tiny ms conversion utility

Library home page: https://registry.npmjs.org/ms/-/ms-0.7.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/ms

Dependency Hierarchy: - npm-watch-0.1.6.tgz (Root Library) - nodemon-1.11.0.tgz - chokidar-1.6.1.tgz - fsevents-1.0.15.tgz - node-pre-gyp-0.6.31.tgz - tar-pack-3.3.0.tgz - debug-2.2.0.tgz - :x: **ms-0.7.1.tgz** (Vulnerable Library)

Found in base branch: master

### Vulnerability Details

A vulnerability, which was classified as problematic, has been found in vercel ms up to 1.x. This issue affects the function parse of the file index.js. The manipulation of the argument str leads to inefficient regular expression complexity. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 2.0.0 is able to address this issue. The patch is named caae2988ba2a37765d055c4eee63d383320ee662. It is recommended to upgrade the affected component. The associated identifier of this vulnerability is VDB-217451.

Publish Date: 2023-01-05

URL: CVE-2017-20162

### CVSS 3 Score Details (4.3)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: Low - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: Low

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Release Date: 2023-01-05

Fix Resolution (ms): 2.0.0

Direct dependency fix Resolution (npm-watch): 0.1.7

:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.
CVE-2017-16137 ### Vulnerable Library - debug-2.2.0.tgz

small debugging utility

Library home page: https://registry.npmjs.org/debug/-/debug-2.2.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/debug

Dependency Hierarchy: - npm-watch-0.1.6.tgz (Root Library) - nodemon-1.11.0.tgz - chokidar-1.6.1.tgz - fsevents-1.0.15.tgz - node-pre-gyp-0.6.31.tgz - tar-pack-3.3.0.tgz - :x: **debug-2.2.0.tgz** (Vulnerable Library)

Found in base branch: master

### Vulnerability Details

The debug module is vulnerable to regular expression denial of service when untrusted user input is passed into the o formatter. It takes around 50k characters to block for 2 seconds making this a low severity issue.

Publish Date: 2018-06-07

URL: CVE-2017-16137

### CVSS 3 Score Details (3.7)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: High - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: Low

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://github.com/advisories/GHSA-gxpj-cx7g-858c

Release Date: 2018-06-07

Fix Resolution (debug): 2.6.9

Direct dependency fix Resolution (npm-watch): 0.1.7

:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.
CVE-2017-20165 ### Vulnerable Library - debug-2.2.0.tgz

small debugging utility

Library home page: https://registry.npmjs.org/debug/-/debug-2.2.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/debug

Dependency Hierarchy: - npm-watch-0.1.6.tgz (Root Library) - nodemon-1.11.0.tgz - chokidar-1.6.1.tgz - fsevents-1.0.15.tgz - node-pre-gyp-0.6.31.tgz - tar-pack-3.3.0.tgz - :x: **debug-2.2.0.tgz** (Vulnerable Library)

Found in base branch: master

### Vulnerability Details

A vulnerability classified as problematic has been found in debug-js debug up to 3.0.x. This affects the function useColors of the file src/node.js. The manipulation of the argument str leads to inefficient regular expression complexity. Upgrading to version 3.1.0 is able to address this issue. The identifier of the patch is c38a0166c266a679c8de012d4eaccec3f944e685. It is recommended to upgrade the affected component. The identifier VDB-217665 was assigned to this vulnerability.

Publish Date: 2023-01-09

URL: CVE-2017-20165

### CVSS 3 Score Details (3.5)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Adjacent - Attack Complexity: Low - Privileges Required: Low - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: Low

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://github.com/advisories/GHSA-9vvw-cc9w-f27h

Release Date: 2023-01-09

Fix Resolution (debug): 2.6.9

Direct dependency fix Resolution (npm-watch): 0.1.7

:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.

:rescue_worker_helmet:Automatic Remediation will be attempted for this issue.

mend-for-github-com[bot] commented 4 weeks ago

:heavy_check_mark: This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory.