stritti / log4js

Log4js - The Logging Framework for JavaScript with no runtime dependencies
https://stritti.github.io/log4js/
Apache License 2.0

Please update Master to pull newer dependency versions that do not have known vulnerabilities #26

Closed BobHood closed 5 years ago

BobHood commented 6 years ago

Hello. First, let me preface this with "I am not a Dev": I'm a security architect in charge of application security for my company.

We have been scanning the open-source frameworks used by my company and found that this library calls in dependencies that have known vulnerabilities. I've been told that this library is an integral part of this, and cannot be removed/replaced. So we are wondering if the original dev, or another person willing to fork it for a security version, can update the following nested dependencies.

IP.js: Currently, you call version 1.0.1. This dependency has been found to be vulnerable based on the description below. The upgrade to version 1.1.5 clears the known issue.

Explanation: The IP package is vulnerable to Uninitialized Memory Exposure. The mask() function in the ip.js file does not initialize the buffer memory with zeros when a buffer is created using the constructor with the numeric size parameter. A remote attacker can exploit this vulnerability by crafting an IP masking request, which returns uninitialized memory. The contents of uninitialized memory are undefined and potentially contain sensitive information, which leads to Information Disclosure.
Detection: The application is vulnerable by using this component.
Recommendation: We recommend upgrading to a version of this component that is not vulnerable to this specific issue.
Categories: Data
Root Cause: IP : 1.0.1
Advisories: Project: https://github.com/indutny/node-ip/commit/b2b4469255a624619b...

boom.js: Currently, your app calls in Boom.js, and there are no known non-vulnerable versions of this app. I'm posting the vuln information below. If some research could be done to determine whether this is a required dependency, or whether some other dependency can be used:

Explanation: The boom package is vulnerable to Cross-Site Scripting (XSS), as the reformat() method in index.js allows malicious JavaScript in the error response message. A remote attacker can exploit this vulnerability by enticing a user to click on a maliciously crafted URL with a JavaScript payload, resulting in script execution once the victim navigates to the page.
Detection: The application is vulnerable by using this package.
Recommendation: "Advisory: The "Insert Security Application Scanning Vendor name Here" discovered that this vulnerability was fixed in version 0.3.8 and reintroduced in version 2.2.0. It is the developer's responsibility to escape the message that is returned using boom."
Categories: Data
Root Cause: boom : 2.10.1
Advisories: Project: https://github.com/hapijs/boom/pull/3 Project: https://github.com/hapijs/hapi/pull/2370

Thanks, Bob Hood

stritti commented 5 years ago

Dependencies are updated.