mend-for-github-com[bot]
commented
5 months ago :information_source: This issue was automatically closed by Mend because it is a duplicate of an existing issue: #549
Closed mend-for-github-com[bot] closed 5 months ago
mend-for-github-com[bot]
commented
5 months ago :information_source: This issue was automatically closed by Mend because it is a duplicate of an existing issue: #549
Path to dependency file: /nifi-registry/nifi-registry-core/nifi-registry-web-ui/src/main/package.json
Path to vulnerable library: /nifi-registry/nifi-registry-core/nifi-registry-web-ui/src/main/package.json
Vulnerabilities
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
CVE-2020-13822
### Vulnerable Library - elliptic-6.4.1.tgzEC cryptography
Library home page: https://registry.npmjs.org/elliptic/-/elliptic-6.4.1.tgz
Path to dependency file: /nifi-registry/nifi-registry-core/nifi-registry-web-ui/src/main/package.json
Path to vulnerable library: /nifi-registry/nifi-registry-core/nifi-registry-web-ui/src/main/package.json
Dependency Hierarchy: - webpack-4.29.6.tgz (Root Library) - node-libs-browser-2.2.0.tgz - crypto-browserify-3.12.0.tgz - browserify-sign-4.0.4.tgz - :x: **elliptic-6.4.1.tgz** (Vulnerable Library)
Found in base branch: main
### Vulnerability DetailsThe Elliptic package 6.5.2 for Node.js allows ECDSA signature malleability via variations in encoding, leading '\0' bytes, or integer overflows. This could conceivably have a security-relevant impact if an application relied on a single canonical signature.
Publish Date: 2020-06-04
URL: CVE-2020-13822
### CVSS 3 Score Details (7.7)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: High - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: Low
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Release Date: 2020-07-02
Fix Resolution (elliptic): 6.5.3
Direct dependency fix Resolution (webpack): 4.30.0
:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.
CVE-2024-4068
### Vulnerable Library - braces-3.0.2.tgzBash-like brace expansion, implemented in JavaScript. Safer than other brace expansion libs, with complete support for the Bash 4.3 braces specification, without sacrificing speed.
Library home page: https://registry.npmjs.org/braces/-/braces-3.0.2.tgz
Path to dependency file: /nifi-registry/nifi-registry-core/nifi-registry-web-ui/src/main/package.json
Path to vulnerable library: /nifi-registry/nifi-registry-core/nifi-registry-web-ui/src/main/package.json
Dependency Hierarchy: - webpack-4.29.6.tgz (Root Library) - watchpack-1.7.2.tgz - chokidar-3.4.0.tgz - :x: **braces-3.0.2.tgz** (Vulnerable Library)
Found in base branch: main
### Vulnerability DetailsThe NPM package `braces` fails to limit the number of characters it can handle, which could lead to Memory Exhaustion. In `lib/parse.js,` if a malicious user sends "imbalanced braces" as input, the parsing will enter a loop, which will cause the program to start allocating heap memory without freeing it at any moment of the loop. Eventually, the JavaScript heap limit is reached, and the program will crash.
Publish Date: 2024-05-14
URL: CVE-2024-4068
### CVSS 3 Score Details (7.5)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High
For more information on CVSS3 Scores, click here.
CVE-2023-46234
### Vulnerable Library - browserify-sign-4.0.4.tgzadds node crypto signing for browsers
Library home page: https://registry.npmjs.org/browserify-sign/-/browserify-sign-4.0.4.tgz
Path to dependency file: /nifi-registry/nifi-registry-core/nifi-registry-web-ui/src/main/package.json
Path to vulnerable library: /nifi-registry/nifi-registry-core/nifi-registry-web-ui/src/main/package.json
Dependency Hierarchy: - webpack-4.29.6.tgz (Root Library) - node-libs-browser-2.2.0.tgz - crypto-browserify-3.12.0.tgz - :x: **browserify-sign-4.0.4.tgz** (Vulnerable Library)
Found in base branch: main
### Vulnerability Detailsbrowserify-sign is a package to duplicate the functionality of node's crypto public key functions, much of this is based on Fedor Indutny's work on indutny/tls.js. An upper bound check issue in `dsaVerify` function allows an attacker to construct signatures that can be successfully verified by any public key, thus leading to a signature forgery attack. All places in this project that involve DSA verification of user-input signatures will be affected by this vulnerability. This issue has been patched in version 4.2.2.
Publish Date: 2023-10-26
URL: CVE-2023-46234
### CVSS 3 Score Details (7.5)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: High - Availability Impact: None
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://github.com/browserify/browserify-sign/security/advisories/GHSA-x9w5-v3q2-3rhw
Release Date: 2023-10-26
Fix Resolution (browserify-sign): 4.2.2
Direct dependency fix Resolution (webpack): 4.30.0
:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.
CVE-2021-27290
### Vulnerable Library - ssri-6.0.1.tgzStandard Subresource Integrity library -- parses, serializes, generates, and verifies integrity metadata according to the SRI spec.
Library home page: https://registry.npmjs.org/ssri/-/ssri-6.0.1.tgz
Path to dependency file: /nifi-registry/nifi-registry-core/nifi-registry-web-ui/src/main/package.json
Path to vulnerable library: /nifi-registry/nifi-registry-core/nifi-registry-web-ui/src/main/package.json
Dependency Hierarchy: - webpack-4.29.6.tgz (Root Library) - terser-webpack-plugin-1.4.3.tgz - cacache-12.0.3.tgz - :x: **ssri-6.0.1.tgz** (Vulnerable Library)
Found in base branch: main
### Vulnerability Detailsssri 5.2.2-8.0.0, fixed in 8.0.1, processes SRIs using a regular expression which is vulnerable to a denial of service. Malicious SRIs could take an extremely long time to process, leading to denial of service. This issue only affects consumers using the strict option.
Publish Date: 2021-03-12
URL: CVE-2021-27290
### CVSS 3 Score Details (7.5)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://github.com/advisories/GHSA-vx3p-948g-6vhq
Release Date: 2021-03-12
Fix Resolution (ssri): 6.0.2
Direct dependency fix Resolution (webpack): 4.30.0
:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.
CVE-2020-28469
### Vulnerable Library - glob-parent-5.1.1.tgzExtract the non-magic parent path from a glob string.
Library home page: https://registry.npmjs.org/glob-parent/-/glob-parent-5.1.1.tgz
Path to dependency file: /nifi-registry/nifi-registry-core/nifi-registry-web-ui/src/main/package.json
Path to vulnerable library: /nifi-registry/nifi-registry-core/nifi-registry-web-ui/src/main/package.json
Dependency Hierarchy: - webpack-4.29.6.tgz (Root Library) - watchpack-1.7.2.tgz - chokidar-3.4.0.tgz - :x: **glob-parent-5.1.1.tgz** (Vulnerable Library)
Found in base branch: main
### Vulnerability DetailsThis affects the package glob-parent before 5.1.2. The enclosure regex used to check for strings ending in enclosure containing path separator.
Publish Date: 2021-06-03
URL: CVE-2020-28469
### CVSS 3 Score Details (7.5)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28469
Release Date: 2021-06-03
Fix Resolution (glob-parent): 5.1.2
Direct dependency fix Resolution (webpack): 5.0.0
:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.
CVE-2020-28498
### Vulnerable Library - elliptic-6.4.1.tgzEC cryptography
Library home page: https://registry.npmjs.org/elliptic/-/elliptic-6.4.1.tgz
Path to dependency file: /nifi-registry/nifi-registry-core/nifi-registry-web-ui/src/main/package.json
Path to vulnerable library: /nifi-registry/nifi-registry-core/nifi-registry-web-ui/src/main/package.json
Dependency Hierarchy: - webpack-4.29.6.tgz (Root Library) - node-libs-browser-2.2.0.tgz - crypto-browserify-3.12.0.tgz - browserify-sign-4.0.4.tgz - :x: **elliptic-6.4.1.tgz** (Vulnerable Library)
Found in base branch: main
### Vulnerability DetailsThe package elliptic before 6.5.4 are vulnerable to Cryptographic Issues via the secp256k1 implementation in elliptic/ec/key.js. There is no check to confirm that the public key point passed into the derive function actually exists on the secp256k1 curve. This results in the potential for the private key used in this implementation to be revealed after a number of ECDH operations are performed.
Publish Date: 2021-02-02
URL: CVE-2020-28498
### CVSS 3 Score Details (6.8)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: High - Privileges Required: None - User Interaction: None - Scope: Changed - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: None - Availability Impact: None
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2020-28498
Release Date: 2021-02-02
Fix Resolution (elliptic): 6.5.4
Direct dependency fix Resolution (webpack): 4.30.0
:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.
WS-2019-0427
### Vulnerable Library - elliptic-6.4.1.tgzEC cryptography
Library home page: https://registry.npmjs.org/elliptic/-/elliptic-6.4.1.tgz
Path to dependency file: /nifi-registry/nifi-registry-core/nifi-registry-web-ui/src/main/package.json
Path to vulnerable library: /nifi-registry/nifi-registry-core/nifi-registry-web-ui/src/main/package.json
Dependency Hierarchy: - webpack-4.29.6.tgz (Root Library) - node-libs-browser-2.2.0.tgz - crypto-browserify-3.12.0.tgz - browserify-sign-4.0.4.tgz - :x: **elliptic-6.4.1.tgz** (Vulnerable Library)
Found in base branch: main
### Vulnerability DetailsThe function getNAF() in elliptic library has information leakage. This issue is mitigated in version 6.5.2
Publish Date: 2019-11-22
URL: WS-2019-0427
### CVSS 3 Score Details (5.9)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Adjacent - Attack Complexity: High - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: Low - Integrity Impact: High - Availability Impact: None
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Release Date: 2019-11-22
Fix Resolution (elliptic): 6.5.2
Direct dependency fix Resolution (webpack): 4.30.0
:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.
WS-2019-0424
### Vulnerable Library - elliptic-6.4.1.tgzEC cryptography
Library home page: https://registry.npmjs.org/elliptic/-/elliptic-6.4.1.tgz
Path to dependency file: /nifi-registry/nifi-registry-core/nifi-registry-web-ui/src/main/package.json
Path to vulnerable library: /nifi-registry/nifi-registry-core/nifi-registry-web-ui/src/main/package.json
Dependency Hierarchy: - webpack-4.29.6.tgz (Root Library) - node-libs-browser-2.2.0.tgz - crypto-browserify-3.12.0.tgz - browserify-sign-4.0.4.tgz - :x: **elliptic-6.4.1.tgz** (Vulnerable Library)
Found in base branch: main
### Vulnerability Detailsall versions of elliptic are vulnerable to Timing Attack through side-channels.
Publish Date: 2019-11-13
URL: WS-2019-0424
### CVSS 3 Score Details (5.9)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Adjacent - Attack Complexity: High - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: Low - Integrity Impact: High - Availability Impact: None
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/WS-2019-0424
Release Date: 2019-11-13
Fix Resolution (elliptic): 6.5.3
Direct dependency fix Resolution (webpack): 4.30.0
:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.
CVE-2020-15366
### Vulnerable Library - ajv-6.10.0.tgzAnother JSON Schema Validator
Library home page: https://registry.npmjs.org/ajv/-/ajv-6.10.0.tgz
Path to dependency file: /nifi-registry/nifi-registry-core/nifi-registry-web-ui/src/main/package.json
Path to vulnerable library: /nifi-registry/nifi-registry-core/nifi-registry-web-ui/src/main/package.json
Dependency Hierarchy: - webpack-4.29.6.tgz (Root Library) - :x: **ajv-6.10.0.tgz** (Vulnerable Library)
Found in base branch: main
### Vulnerability DetailsAn issue was discovered in ajv.validate() in Ajv (aka Another JSON Schema Validator) 6.12.2. A carefully crafted JSON schema could be provided that allows execution of other code by prototype pollution. (While untrusted schemas are recommended against, the worst case of an untrusted schema should be a denial of service, not execution of code.)
Publish Date: 2020-07-15
URL: CVE-2020-15366
### CVSS 3 Score Details (5.6)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: High - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: Low - Integrity Impact: Low - Availability Impact: Low
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Release Date: 2020-07-15
Fix Resolution (ajv): 6.12.3
Direct dependency fix Resolution (webpack): 4.30.0
:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.:rescue_worker_helmet:Automatic Remediation will be attempted for this issue.