Open dev-mend-for-github-com[bot] opened 2 years ago
:heavy_check_mark: This issue was automatically closed by WhiteSource because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the WhiteSource inventory.
:information_source: This issue was automatically re-opened by WhiteSource because the vulnerable library in the specific branch(es) has been detected in the WhiteSource inventory.
Vulnerable Library - socket.io-1.3.7.tgz
node.js realtime framework server
Library home page: https://registry.npmjs.org/socket.io/-/socket.io-1.3.7.tgz
Path to dependency file: /tmp/ws-scm/SAST-coldfusion-project3/assets/reveal.js/plugin/multiplex/package.json
Path to vulnerable library: /assets/reveal.js/plugin/multiplex/node_modules/socket.io/package.json
Found in HEAD commit: c2eefd95e48e1db14889cdc88ab5b97aa52b5376
Vulnerabilities
Details
CVE-2020-28502
### Vulnerable Library - xmlhttprequest-1.5.0.tgz

XMLHttpRequest for Node
Library home page: https://registry.npmjs.org/xmlhttprequest/-/xmlhttprequest-1.5.0.tgz
Path to dependency file: /tmp/ws-scm/SAST-coldfusion-project3/assets/reveal.js/plugin/multiplex/package.json
Path to vulnerable library: /tmp/ws-scm/SAST-coldfusion-project3/assets/reveal.js/plugin/multiplex/node_modules/xmlhttprequest/package.json
Dependency Hierarchy:
- socket.io-1.3.7.tgz (Root Library)
  - socket.io-client-1.3.7.tgz
    - engine.io-client-1.5.4.tgz
      - :x: **xmlhttprequest-1.5.0.tgz** (Vulnerable Library)
Found in HEAD commit: c2eefd95e48e1db14889cdc88ab5b97aa52b5376
Found in base branch: main
### Vulnerability Details

This affects the package xmlhttprequest before 1.7.0 and all versions of the package xmlhttprequest-ssl. When requests are sent synchronously (`async` set to false in `xhr.open`), malicious user input flowing into `xhr.send` can result in arbitrary code being injected and run. Synchronous mode is implemented by handing the request to a second Node process as a generated script, so the request body has to be embedded in that script as a correctly escaped literal; 1.7.0 changes how the body is embedded.
Publish Date: 2021-03-05
URL: CVE-2020-28502
### CVSS 3 Score Details (8.1)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: High
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version
Origin: https://github.com/advisories/GHSA-h4j5-c7cj-74xg
Release Date: 2021-03-05
Fix Resolution (xmlhttprequest): 1.7.0
Direct dependency fix Resolution (socket.io): 1.4.0
:rescue_worker_helmet: Automatic Remediation is available for this issue

CVE-2016-10518
### Vulnerable Library - ws-0.8.0.tgz

simple to use, blazing fast and thoroughly tested websocket client, server and console for node.js, up-to-date against RFC-6455
Library home page: https://registry.npmjs.org/ws/-/ws-0.8.0.tgz
Path to dependency file: /tmp/ws-scm/SAST-coldfusion-project3/assets/reveal.js/plugin/multiplex/package.json
Path to vulnerable library: /tmp/ws-scm/SAST-coldfusion-project3/assets/reveal.js/plugin/multiplex/node_modules/ws/package.json
Dependency Hierarchy:
- socket.io-1.3.7.tgz (Root Library)
  - engine.io-1.5.4.tgz
    - :x: **ws-0.8.0.tgz** (Vulnerable Library)
Found in HEAD commit: c2eefd95e48e1db14889cdc88ab5b97aa52b5376
Found in base branch: main
### Vulnerability Details

A vulnerability was found in the ping functionality of the ws module before 1.0.0 that allowed clients to make the server allocate memory by sending a ping frame. By default ws answers a ping with a pong carrying the ping's payload, which is the expected behaviour; the defect was in the way ws converted all outgoing data to a Buffer without checking its type. In Node, constructing a Buffer from a number rather than a string allocates that many bytes, and in the Node versions of the time that memory was left uninitialised, so the echoed pong could carry the contents of process memory (which is why the confidentiality impact below is High).
Publish Date: 2018-05-31
URL: CVE-2016-10518
### CVSS 3 Score Details (7.5)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: None
  - Availability Impact: None

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2016-10518
Release Date: 2018-05-31
Fix Resolution (ws): 1.0.1
Direct dependency fix Resolution (socket.io): 1.4.1
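What a missing type check on outgoing data amounts to, as an added example that is neither ws code nor part of the original report: `toWireBufferLegacy` models the old behaviour (a number becomes an allocation size; `Buffer.allocUnsafe` stands in for the uninitialised allocation that pre-Node-8 `new Buffer(n)` returned), and `toWireBuffer` is the guard a pong echo should run first. The function names, the use of the 125-byte control-frame limit from RFC 6455 and the test values are this example's own.

```javascript
// Added example (not from ws or the original report): the type confusion that
// turns a Buffer constructor into an allocation primitive, and the guard that
// stops it.

// OLD BEHAVIOUR, modelled: everything destined for the wire went through
// `new Buffer(data)`. For a string that copies the text; for a number it
// allocates that many bytes, which in Node versions of the time came back
// uninitialised (Buffer.allocUnsafe reproduces that here).
function toWireBufferLegacy(data) {
  if (typeof data === 'number') return Buffer.allocUnsafe(data);
  return Buffer.from(data);
}

// GUARDED: accept only the payload types a frame can legitimately carry and
// refuse anything else before any allocation happens.
function toWireBuffer(data) {
  if (data === undefined || data === null) return Buffer.alloc(0);
  if (Buffer.isBuffer(data)) return data;
  if (typeof data === 'string') return Buffer.from(data, 'utf8');
  if (data instanceof ArrayBuffer) return Buffer.from(data);
  if (ArrayBuffer.isView(data)) {
    return Buffer.from(data.buffer, data.byteOffset, data.byteLength);
  }
  throw new TypeError('ping/pong payload must be a string, Buffer or ArrayBuffer, got ' + typeof data);
}

// Pong handler: echo the ping payload. The guard runs before the echo, so a
// payload that reached us as the wrong type cannot become an allocation size.
function buildPong(pingPayload, toWire = toWireBuffer) {
  const payload = toWire(pingPayload);
  // RFC 6455: control frame payloads are limited to 125 bytes.
  if (payload.length > 125) throw new RangeError('control frame payload too long');
  return payload;
}
```

The string `'4096'` is four bytes on the wire; the number `4096` under the legacy conversion is a 4096-byte allocation, and under the guard it is a `TypeError` before anything is allocated.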
:rescue_worker_helmet: Automatic Remediation is available for this issue

CVE-2016-10542
### Vulnerable Library - ws-0.8.0.tgz

simple to use, blazing fast and thoroughly tested websocket client, server and console for node.js, up-to-date against RFC-6455
Library home page: https://registry.npmjs.org/ws/-/ws-0.8.0.tgz
Path to dependency file: /tmp/ws-scm/SAST-coldfusion-project3/assets/reveal.js/plugin/multiplex/package.json
Path to vulnerable library: /tmp/ws-scm/SAST-coldfusion-project3/assets/reveal.js/plugin/multiplex/node_modules/ws/package.json
Dependency Hierarchy:
- socket.io-1.3.7.tgz (Root Library)
  - engine.io-1.5.4.tgz
    - :x: **ws-0.8.0.tgz** (Vulnerable Library)
Found in HEAD commit: c2eefd95e48e1db14889cdc88ab5b97aa52b5376
Found in base branch: main
### Vulnerability Details

ws is a "simple to use, blazing fast and thoroughly tested websocket client, server and console for node.js, up-to-date against RFC-6455". By sending an overly long websocket payload to a `ws` server, it is possible to crash the node process. This affects ws 1.1.0 and earlier.
Publish Date: 2018-05-31
URL: CVE-2016-10542
### CVSS 3 Score Details (7.5)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8858
Release Date: 2018-05-31
Fix Resolution (ws): 1.1.1
Direct dependency fix Resolution (socket.io): 1.5.0
:rescue_worker_helmet: Automatic Remediation is available for this issue

CVE-2020-36048
### Vulnerable Library - engine.io-1.5.4.tgz

The realtime engine behind Socket.IO. Provides the foundation of a bidirectional connection between client and server
Library home page: https://registry.npmjs.org/engine.io/-/engine.io-1.5.4.tgz
Path to dependency file: /tmp/ws-scm/SAST-coldfusion-project3/assets/reveal.js/plugin/multiplex/package.json
Path to vulnerable library: /tmp/ws-scm/SAST-coldfusion-project3/assets/reveal.js/plugin/multiplex/node_modules/engine.io/package.json
Dependency Hierarchy:
- socket.io-1.3.7.tgz (Root Library)
  - :x: **engine.io-1.5.4.tgz** (Vulnerable Library)
Found in HEAD commit: c2eefd95e48e1db14889cdc88ab5b97aa52b5376
Found in base branch: main
### Vulnerability Details

Engine.IO before 4.0.0 allows attackers to cause a denial of service (resource consumption) via a POST request to the long polling transport.
Publish Date: 2021-01-08
URL: CVE-2020-36048
### CVSS 3 Score Details (7.5)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-36048
Release Date: 2021-01-08
Fix Resolution (engine.io): 4.0.0-alpha.0
Direct dependency fix Resolution (socket.io): 3.0.0-rc1
:rescue_worker_helmet: Automatic Remediation is available for this issue

CVE-2020-36049
### Vulnerable Libraries - socket.io-parser-2.2.4.tgz, socket.io-parser-2.2.2.tgz

### socket.io-parser-2.2.4.tgz
socket.io protocol parser
Library home page: https://registry.npmjs.org/socket.io-parser/-/socket.io-parser-2.2.4.tgz
Path to dependency file: /tmp/ws-scm/SAST-coldfusion-project3/assets/reveal.js/plugin/multiplex/package.json
Path to vulnerable library: /tmp/ws-scm/SAST-coldfusion-project3/assets/reveal.js/plugin/multiplex/node_modules/socket.io-parser/package.json
Dependency Hierarchy:
- socket.io-1.3.7.tgz (Root Library)
  - :x: **socket.io-parser-2.2.4.tgz** (Vulnerable Library)

### socket.io-parser-2.2.2.tgz
socket.io protocol parser
Library home page: https://registry.npmjs.org/socket.io-parser/-/socket.io-parser-2.2.2.tgz
Path to dependency file: /tmp/ws-scm/SAST-coldfusion-project3/assets/reveal.js/plugin/multiplex/package.json
Path to vulnerable library: /tmp/ws-scm/SAST-coldfusion-project3/assets/reveal.js/plugin/multiplex/node_modules/socket.io-adapter/node_modules/socket.io-parser/package.json
Dependency Hierarchy:
- socket.io-1.3.7.tgz (Root Library)
  - socket.io-adapter-0.3.1.tgz
    - :x: **socket.io-parser-2.2.2.tgz** (Vulnerable Library)
Found in HEAD commit: c2eefd95e48e1db14889cdc88ab5b97aa52b5376
Found in base branch: main
### Vulnerability Details

socket.io-parser before 3.4.1 allows attackers to cause a denial of service (memory consumption) via a large packet because a concatenation approach is used.
Publish Date: 2021-01-08
URL: CVE-2020-36049
### CVSS 3 Score Details (7.5)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-36049
Release Date: 2021-01-08
Fix Resolution (socket.io-parser): 3.3.2
Direct dependency fix Resolution (socket.io): 2.2.0
:rescue_worker_helmet: Automatic Remediation is available for this issue

CVE-2017-16113
### Vulnerable Library - parsejson-0.0.1.tgz

Method that parses a JSON string and returns a JSON object
Library home page: https://registry.npmjs.org/parsejson/-/parsejson-0.0.1.tgz
Path to dependency file: /tmp/ws-scm/SAST-coldfusion-project3/assets/reveal.js/plugin/multiplex/package.json
Path to vulnerable library: /tmp/ws-scm/SAST-coldfusion-project3/assets/reveal.js/plugin/multiplex/node_modules/parsejson/package.json
Dependency Hierarchy:
- socket.io-1.3.7.tgz (Root Library)
  - socket.io-client-1.3.7.tgz
    - engine.io-client-1.5.4.tgz
      - :x: **parsejson-0.0.1.tgz** (Vulnerable Library)
Found in HEAD commit: c2eefd95e48e1db14889cdc88ab5b97aa52b5376
Found in base branch: main
### Vulnerability Details

The parsejson module is vulnerable to regular expression denial of service when untrusted user input is passed into it to be parsed.
Publish Date: 2018-06-07
URL: CVE-2017-16113
### CVSS 3 Score Details (7.5)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2017-16113
Release Date: 2018-06-07
Fix Resolution: no fix available (no patched release of parsejson exists; replace the dependency, for example with the built-in JSON.parse wrapped in try/catch, or upgrade the root library to a version that no longer pulls it in)
WS-2017-0421
### Vulnerable Library - ws-0.8.0.tgz

simple to use, blazing fast and thoroughly tested websocket client, server and console for node.js, up-to-date against RFC-6455
Library home page: https://registry.npmjs.org/ws/-/ws-0.8.0.tgz
Path to dependency file: /tmp/ws-scm/SAST-coldfusion-project3/assets/reveal.js/plugin/multiplex/package.json
Path to vulnerable library: /tmp/ws-scm/SAST-coldfusion-project3/assets/reveal.js/plugin/multiplex/node_modules/ws/package.json
Dependency Hierarchy:
- socket.io-1.3.7.tgz (Root Library)
  - engine.io-1.5.4.tgz
    - :x: **ws-0.8.0.tgz** (Vulnerable Library)
Found in HEAD commit: c2eefd95e48e1db14889cdc88ab5b97aa52b5376
Found in base branch: main
### Vulnerability Details

Affected versions of ws (0.2.6 through 3.3.0, excluding 0.3.4-2, 0.3.5-2, 0.3.5-3, 0.3.5-4, 1.1.5, 2.0.0-beta.0, 2.0.0-beta.1 and 2.0.0-beta.2) can be crashed by a specially crafted Sec-WebSocket-Extensions header that uses Object.prototype property names (such as constructor or hasOwnProperty) as extension or parameter names. The parsed header was stored in a plain object, so such a name resolved to an inherited property instead of a fresh entry and the handshake code threw.
Publish Date: 2017-11-08
URL: WS-2017-0421
### CVSS 3 Score Details (7.5)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version
Origin: https://github.com/websockets/ws/commit/c4fe46608acd61fbf7397eadc47378903f95b78a
Release Date: 2017-11-08
Fix Resolution (ws): 1.1.5
Direct dependency fix Resolution (socket.io): 1.7.4
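The crash described above reproduced and then removed, as an added example that is not ws code: a Sec-WebSocket-Extensions parser that collects offers in a plain object, beside one that uses prototype-less objects and validates token names. The header values and function names are constructed for this demo.

```javascript
// Added example (not from ws or the original report): parsing
// Sec-WebSocket-Extensions into a prototype-less map so that names such as
// `constructor` or `__proto__` are ordinary keys, with the plain-object
// version kept for comparison.

// Naive version: a plain object. `offers['constructor']` resolves to
// Object.prototype.constructor (a function), so `.push` is not a function
// and the handshake handler throws; `__proto__` behaves the same way.
function parseExtensionsNaive(header) {
  const offers = {};
  for (const offer of header.split(',')) {
    const [name, ...paramParts] = offer.split(';').map((s) => s.trim());
    if (!name) continue;
    const params = {};
    for (const p of paramParts) {
      const [k, v] = p.split('=').map((s) => s.trim());
      params[k] = v === undefined ? true : v;
    }
    if (!offers[name]) offers[name] = [];
    offers[name].push(params); // throws when `name` shadows a prototype member
  }
  return offers;
}

// Hardened version: keys live on objects with no prototype, and only tokens
// allowed by RFC 6455 / RFC 7230 are accepted as names.
const TOKEN = /^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/;

function parseExtensions(header) {
  const offers = Object.create(null);
  for (const offer of header.split(',')) {
    const [name, ...paramParts] = offer.split(';').map((s) => s.trim());
    if (!name) continue;
    if (!TOKEN.test(name)) throw new SyntaxError('bad extension name: ' + name);
    const params = Object.create(null);
    for (const p of paramParts) {
      if (p === '') continue;
      const eq = p.indexOf('=');
      const k = eq === -1 ? p : p.slice(0, eq).trim();
      const v = eq === -1 ? true : p.slice(eq + 1).trim();
      if (!TOKEN.test(k)) throw new SyntaxError('bad parameter name: ' + k);
      params[k] = v;
    }
    if (!(name in offers)) offers[name] = [];
    offers[name].push(params);
  }
  return offers;
}

// Constructed hostile header value.
const HOSTILE_HEADER = 'constructor; hasOwnProperty=1, __proto__';
```

An uncaught `TypeError` in the upgrade handler is what "make a ws server crash" looks like from the outside; the hardened parser returns a map in which `constructor` and `__proto__` are just two more keys.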
:rescue_worker_helmet: Automatic Remediation is available for this issue

WS-2016-0040
### Vulnerable Library - ws-0.8.0.tgz

simple to use, blazing fast and thoroughly tested websocket client, server and console for node.js, up-to-date against RFC-6455
Library home page: https://registry.npmjs.org/ws/-/ws-0.8.0.tgz
Path to dependency file: /tmp/ws-scm/SAST-coldfusion-project3/assets/reveal.js/plugin/multiplex/package.json
Path to vulnerable library: /tmp/ws-scm/SAST-coldfusion-project3/assets/reveal.js/plugin/multiplex/node_modules/ws/package.json
Dependency Hierarchy:
- socket.io-1.3.7.tgz (Root Library)
  - engine.io-1.5.4.tgz
    - :x: **ws-0.8.0.tgz** (Vulnerable Library)
Found in HEAD commit: c2eefd95e48e1db14889cdc88ab5b97aa52b5376
Found in base branch: main
### Vulnerability Details

By sending an overly long websocket payload to a ws server, it is possible to crash the node process.
Publish Date: 2016-06-23
URL: WS-2016-0040
### CVSS 3 Score Details (7.5)

Base Score Metrics: not available (every vector component is reported as N/A)

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version
Origin: https://www.npmjs.com/advisories/120/versions
Release Date: 2016-06-23
Fix Resolution (ws): 1.1.1
Direct dependency fix Resolution (socket.io): 1.5.0
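For this entry and for CVE-2016-10542 above (the same overly-long-payload issue), as an added example that is not ws code: a minimal RFC 6455 frame-header parser that checks the declared payload length against a limit before anything is allocated or buffered, and a helper that builds the header a hostile client would send. ws exposes the corresponding limit as the `maxPayload` server option; the default limit value and the sample frames here are this example's own.

```javascript
// Added example (not from ws or the original report): a minimal RFC 6455
// frame-header parser that enforces a payload limit before it allocates or
// buffers anything.

const DEFAULT_MAX_PAYLOAD = 100 * 1024; // bytes; a deployment chooses this

// Parse one frame header from `buf`. Returns {fin, opcode, masked, length,
// maskKey, headerLength}, or null if more bytes are needed. Throws on a
// payload length that exceeds `maxPayload`; the caller treats that as a
// protocol error (close with 1009 "message too big") instead of growing a
// buffer to the declared size.
function parseFrameHeader(buf, maxPayload = DEFAULT_MAX_PAYLOAD) {
  if (buf.length < 2) return null;
  const fin = (buf[0] & 0x80) !== 0;
  const opcode = buf[0] & 0x0f;
  const masked = (buf[1] & 0x80) !== 0;
  let length = buf[1] & 0x7f;
  let offset = 2;

  if (length === 126) {
    if (buf.length < 4) return null;
    length = buf.readUInt16BE(2);
    offset = 4;
  } else if (length === 127) {
    if (buf.length < 10) return null;
    const len64 = buf.readBigUInt64BE(2);
    // Compare as BigInt before converting: a 64-bit length can exceed Number range.
    if (len64 > BigInt(maxPayload)) {
      throw new RangeError('payload length ' + len64 + ' exceeds limit ' + maxPayload);
    }
    length = Number(len64);
    offset = 10;
  }
  if (length > maxPayload) {
    throw new RangeError('payload length ' + length + ' exceeds limit ' + maxPayload);
  }
  // Control frames (opcode >= 8) must be short and unfragmented.
  if (opcode >= 8 && (length > 125 || !fin)) {
    throw new Error('invalid control frame');
  }

  let maskKey = null;
  if (masked) {
    if (buf.length < offset + 4) return null;
    maskKey = buf.subarray(offset, offset + 4);
    offset += 4;
  }
  return { fin, opcode, masked, length, maskKey, headerLength: offset };
}

// Build the header (no payload) of a frame that claims `length` bytes, the
// way a hostile client would to make the server reserve memory it never fills.
function claimLength(length, opcode = 0x2) {
  if (length < 126) return Buffer.from([0x80 | opcode, length]);
  if (length < 0x10000) {
    const h = Buffer.alloc(4);
    h[0] = 0x80 | opcode; h[1] = 126; h.writeUInt16BE(length, 2);
    return h;
  }
  const h = Buffer.alloc(10);
  h[0] = 0x80 | opcode; h[1] = 127; h.writeBigUInt64BE(BigInt(length), 2);
  return h;
}
```

The point of checking the declared length in the header, rather than after the payload has been read, is that the attacker never has to send the bytes: a ten-byte header claiming two gigabytes is enough to make a parser that trusts it allocate.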
:rescue_worker_helmet: Automatic Remediation is available for this issue

CVE-2015-8315
### Vulnerable Library - ms-0.6.2.tgz

Tiny ms conversion utility
Library home page: https://registry.npmjs.org/ms/-/ms-0.6.2.tgz
Path to dependency file: /tmp/ws-scm/SAST-coldfusion-project3/assets/reveal.js/plugin/multiplex/package.json
Path to vulnerable library:
- /tmp/ws-scm/SAST-coldfusion-project3/assets/reveal.js/plugin/multiplex/node_modules/socket.io-adapter/node_modules/ms/package.json
- /tmp/ws-scm/SAST-coldfusion-project3/assets/reveal.js/plugin/multiplex/node_modules/engine.io-client/node_modules/ms/package.json
- /tmp/ws-scm/SAST-coldfusion-project3/assets/reveal.js/plugin/multiplex/node_modules/engine.io/node_modules/ms/package.json
- /tmp/ws-scm/SAST-coldfusion-project3/assets/reveal.js/plugin/multiplex/node_modules/socket.io/node_modules/ms/package.json
Dependency Hierarchy:
- socket.io-1.3.7.tgz (Root Library)
  - socket.io-client-1.3.7.tgz
    - engine.io-client-1.5.4.tgz
      - debug-1.0.4.tgz
        - :x: **ms-0.6.2.tgz** (Vulnerable Library)
Found in HEAD commit: c2eefd95e48e1db14889cdc88ab5b97aa52b5376
Found in base branch: main
### Vulnerability Details

The ms package before 0.7.1 for Node.js allows attackers to cause a denial of service (CPU consumption) via a long version string, aka a "regular expression denial of service (ReDoS)."
Publish Date: 2017-01-23
URL: CVE-2015-8315
### CVSS 3 Score Details (7.5)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2015-8315
Release Date: 2017-01-23
Fix Resolution (ms): 0.7.1
Direct dependency fix Resolution (socket.io): 1.4.0
:rescue_worker_helmet: Automatic Remediation is available for this issue

WS-2017-0107
### Vulnerable Library - ws-0.8.0.tgz

simple to use, blazing fast and thoroughly tested websocket client, server and console for node.js, up-to-date against RFC-6455
Library home page: https://registry.npmjs.org/ws/-/ws-0.8.0.tgz
Path to dependency file: /tmp/ws-scm/SAST-coldfusion-project3/assets/reveal.js/plugin/multiplex/package.json
Path to vulnerable library: /tmp/ws-scm/SAST-coldfusion-project3/assets/reveal.js/plugin/multiplex/node_modules/ws/package.json
Dependency Hierarchy:
- socket.io-1.3.7.tgz (Root Library)
  - engine.io-1.5.4.tgz
    - :x: **ws-0.8.0.tgz** (Vulnerable Library)
Found in HEAD commit: c2eefd95e48e1db14889cdc88ab5b97aa52b5376
Found in base branch: main
### Vulnerability Details

ws used the Math.random function to generate the masking key for outgoing frames. Math.random is not a cryptographic generator, so its output can be predicted and the key guessed. The advisory states the consequence as an attacker who has the key being able to read the payload, with potential information disclosure.

Note that in RFC 6455 the 4-byte masking key is transmitted in the clear in the frame header, so masking was never a confidentiality control: anyone who can read the frame can unmask it. Its purpose (RFC 6455, section 10.3) is to stop a client from choosing the exact bytes that appear on the wire and so confusing proxies and caches. A predictable key defeats that protection, because an attacker who controls the payload and can predict the key can choose the masked bytes. Every key should come from a CSPRNG such as crypto.randomBytes.
Publish Date: 2016-09-20
URL: WS-2017-0107
### CVSS 3 Score Details (7.4)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Adjacent
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Changed
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: None
  - Availability Impact: None

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version
Origin: https://github.com/websockets/ws/pull/832
Release Date: 2016-09-20
Fix Resolution (ws): 1.1.2
Direct dependency fix Resolution (socket.io): 1.7.3
:rescue_worker_helmet: Automatic Remediation is available for this issue

CVE-2016-10536
### Vulnerable Library - engine.io-client-1.5.4.tgz

Client for the realtime Engine
Library home page: https://registry.npmjs.org/engine.io-client/-/engine.io-client-1.5.4.tgz
Path to dependency file: /tmp/ws-scm/SAST-coldfusion-project3/assets/reveal.js/plugin/multiplex/package.json
Path to vulnerable library: /tmp/ws-scm/SAST-coldfusion-project3/assets/reveal.js/plugin/multiplex/node_modules/engine.io-client/package.json
Dependency Hierarchy:
- socket.io-1.3.7.tgz (Root Library)
  - socket.io-client-1.3.7.tgz
    - :x: **engine.io-client-1.5.4.tgz** (Vulnerable Library)
Found in HEAD commit: c2eefd95e48e1db14889cdc88ab5b97aa52b5376
Found in base branch: main
### Vulnerability Details

engine.io-client is the client for engine.io, the implementation of a transport-based cross-browser/cross-device bi-directional communication layer for Socket.IO. The vulnerability is related to the way that node.js handles the `rejectUnauthorized` setting. If the value is something that evaluates to false, certificate verification will be disabled. This is problematic as engine.io-client 1.6.8 and earlier passes in an object for settings that includes the rejectUnauthorized property, whether it has been set or not. If the value has not been explicitly changed, it will be passed in as `null`, resulting in certificate verification being turned off.
Publish Date: 2018-05-31
URL: CVE-2016-10536
### CVSS 3 Score Details (5.9)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: High
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: None
  - Availability Impact: None

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2016-10536
Release Date: 2018-05-31
Fix Resolution: engine.io-client - 1.6.9 (the scanner's fix list also names JetBrains.Rider.Frontend5 - 212.0.20210826.92917, 212.0.20211008.220753, which does not appear anywhere in this dependency tree)
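The option-object mistake described above and its correction, as an added example that is not engine.io-client code: a defaults object in which every TLS option is present and unset ones are null, spread into the socket options, beside a builder that omits unset keys and normalises `rejectUnauthorized` to an explicit boolean. `verificationEnabledByTruthiness` models a TLS layer that tests the value for truthiness, as the advisory says Node did at the time; the names and default values are constructed for this demo.

```javascript
// Added example (not from engine.io-client or the original report): how an
// options object with `rejectUnauthorized: null` switches certificate
// verification off in a consumer that tests the value for truthiness, and a
// builder that only ever passes an explicit boolean.

// The client's own defaults, written the way the affected versions did it:
// every known option is present, unset ones hold null.
const CLIENT_DEFAULTS = {
  agent: false,
  pfx: null, key: null, passphrase: null, cert: null, ca: null, ciphers: null,
  rejectUnauthorized: null, // "not set", but still a key in the object
};

// Models a TLS layer that treats any falsy value as "do not verify".
function verificationEnabledByTruthiness(opts) {
  return Boolean(opts.rejectUnauthorized);
}

// Vulnerable builder: spreads the defaults, so the null reaches the socket.
function buildTlsOptionsVulnerable(userOpts = {}) {
  return { ...CLIENT_DEFAULTS, ...userOpts };
}

// Hardened builder: copy only options the caller actually set, and normalise
// rejectUnauthorized to a strict boolean that defaults to true. Disabling
// verification requires the literal value false.
function buildTlsOptions(userOpts = {}) {
  const out = {};
  for (const [k, v] of Object.entries(userOpts)) {
    if (v !== undefined && v !== null && k !== 'rejectUnauthorized') out[k] = v;
  }
  out.rejectUnauthorized = userOpts.rejectUnauthorized !== false;
  return out;
}
```

Two details carry the fix: unset options are not passed at all (so the TLS layer applies its own defaults), and the one option that controls verification is always a boolean, never whatever the caller happened to leave in place.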
CVE-2017-16137
### Vulnerable Libraries - debug-1.0.3.tgz, debug-1.0.2.tgz, debug-1.0.4.tgz, debug-0.7.4.tgz, debug-2.1.0.tgz

### debug-1.0.3.tgz
small debugging utility
Library home page: https://registry.npmjs.org/debug/-/debug-1.0.3.tgz
Path to dependency file: /tmp/ws-scm/SAST-coldfusion-project3/assets/reveal.js/plugin/multiplex/package.json
Path to vulnerable library: /tmp/ws-scm/SAST-coldfusion-project3/assets/reveal.js/plugin/multiplex/node_modules/engine.io/node_modules/debug/package.json
Dependency Hierarchy:
- socket.io-1.3.7.tgz (Root Library)
  - engine.io-1.5.4.tgz
    - :x: **debug-1.0.3.tgz** (Vulnerable Library)

### debug-1.0.2.tgz
small debugging utility
Library home page: https://registry.npmjs.org/debug/-/debug-1.0.2.tgz
Path to dependency file: /tmp/ws-scm/SAST-coldfusion-project3/assets/reveal.js/plugin/multiplex/package.json
Path to vulnerable library: /tmp/ws-scm/SAST-coldfusion-project3/assets/reveal.js/plugin/multiplex/node_modules/socket.io-adapter/node_modules/debug/package.json
Dependency Hierarchy:
- socket.io-1.3.7.tgz (Root Library)
  - socket.io-adapter-0.3.1.tgz
    - :x: **debug-1.0.2.tgz** (Vulnerable Library)

### debug-1.0.4.tgz
small debugging utility
Library home page: https://registry.npmjs.org/debug/-/debug-1.0.4.tgz
Path to dependency file: /tmp/ws-scm/SAST-coldfusion-project3/assets/reveal.js/plugin/multiplex/package.json
Path to vulnerable library: /tmp/ws-scm/SAST-coldfusion-project3/assets/reveal.js/plugin/multiplex/node_modules/engine.io-client/node_modules/debug/package.json
Dependency Hierarchy:
- socket.io-1.3.7.tgz (Root Library)
  - socket.io-client-1.3.7.tgz
    - engine.io-client-1.5.4.tgz
      - :x: **debug-1.0.4.tgz** (Vulnerable Library)

### debug-0.7.4.tgz
small debugging utility
Library home page: https://registry.npmjs.org/debug/-/debug-0.7.4.tgz
Path to dependency file: /tmp/ws-scm/SAST-coldfusion-project3/assets/reveal.js/plugin/multiplex/package.json
Path to vulnerable library:
- /tmp/ws-scm/SAST-coldfusion-project3/assets/reveal.js/plugin/multiplex/node_modules/socket.io-parser/node_modules/debug/package.json
- /tmp/ws-scm/SAST-coldfusion-project3/assets/reveal.js/plugin/multiplex/node_modules/socket.io-adapter/node_modules/socket.io-parser/node_modules/debug/package.json
- /tmp/ws-scm/SAST-coldfusion-project3/assets/reveal.js/plugin/multiplex/node_modules/socket.io-client/node_modules/debug/package.json
Dependency Hierarchy:
- socket.io-1.3.7.tgz (Root Library)
  - socket.io-client-1.3.7.tgz
    - :x: **debug-0.7.4.tgz** (Vulnerable Library)

### debug-2.1.0.tgz
small debugging utility
Library home page: https://registry.npmjs.org/debug/-/debug-2.1.0.tgz
Path to dependency file: /tmp/ws-scm/SAST-coldfusion-project3/assets/reveal.js/plugin/multiplex/package.json
Path to vulnerable library: /tmp/ws-scm/SAST-coldfusion-project3/assets/reveal.js/plugin/multiplex/node_modules/socket.io/node_modules/debug/package.json
Dependency Hierarchy:
- socket.io-1.3.7.tgz (Root Library)
  - :x: **debug-2.1.0.tgz** (Vulnerable Library)
Found in HEAD commit: c2eefd95e48e1db14889cdc88ab5b97aa52b5376
Found in base branch: main
### Vulnerability Details

The debug module is vulnerable to regular expression denial of service when untrusted user input is passed into the `%o` formatter. It takes around 50k characters to block for 2 seconds, making this a low severity issue.
Publish Date: 2018-06-07
URL: CVE-2017-16137
### CVSS 3 Score Details (5.3)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: Low

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version
Origin: https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-16137
Release Date: 2018-06-07
Fix Resolution (debug): 2.6.9
Direct dependency fix Resolution (socket.io): 2.0.2
:rescue_worker_helmet: Automatic Remediation is available for this issue

CVE-2020-28481
### Vulnerable Library - socket.io-1.3.7.tgz

node.js realtime framework server
Library home page: https://registry.npmjs.org/socket.io/-/socket.io-1.3.7.tgz
Path to dependency file: /tmp/ws-scm/SAST-coldfusion-project3/assets/reveal.js/plugin/multiplex/package.json
Path to vulnerable library: /assets/reveal.js/plugin/multiplex/node_modules/socket.io/package.json
Dependency Hierarchy:
- :x: **socket.io-1.3.7.tgz** (Vulnerable Library)
Found in HEAD commit: c2eefd95e48e1db14889cdc88ab5b97aa52b5376
Found in base branch: main
### Vulnerability Details

The package socket.io before 2.4.0 is vulnerable to Insecure Defaults due to CORS Misconfiguration: all origins are allowed by default, so a page on any site can make a visitor's browser open a Socket.IO connection to the server unless an explicit origin allowlist is configured.
Publish Date: 2021-01-19
URL: CVE-2020-28481
### CVSS 3 Score Details (4.3)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: Low
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: Low
  - Integrity Impact: None
  - Availability Impact: None

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28481
Release Date: 2021-01-19
Fix Resolution: 2.4.0
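An explicit origin allowlist check to replace the allow-all default, as an added example that is not socket.io code, beside two checks that look right but are not (allow everything; suffix matching). socket.io takes such a predicate through its `origins` option in 2.x and `cors.origin` in 3.x and later; the allowlist entries and the origins below are constructed for this demo.

```javascript
// Added example (not from socket.io or the original report): an exact-origin
// allowlist check, with the two common wrong versions for comparison.

const ALLOWED_ORIGINS = ['https://app.example.com', 'https://admin.example.com:8443'];

// MISTAKE 1: the affected default, every origin is accepted.
function allowAll(/* origin */) {
  return true;
}

// MISTAKE 2: suffix matching. `https://evilexample.com` passes because the
// string ends with the expected text.
function allowBySuffix(origin) {
  return typeof origin === 'string' && origin.endsWith('example.com');
}

// Exact-origin comparison after normalisation with the URL parser, so scheme,
// host and port are compared the way the browser computed them (default
// ports dropped, host lower-cased). A missing header and the literal "null"
// origin are both rejected, as is anything that is not a bare origin.
function isAllowedOrigin(origin, allowlist = ALLOWED_ORIGINS) {
  if (typeof origin !== 'string' || origin === 'null') return false;
  let parsed;
  try { parsed = new URL(origin); } catch { return false; }
  if (parsed.origin === 'null') return false;                // opaque origins (file:, data:)
  if (parsed.pathname !== '/' || parsed.search || parsed.hash) return false;
  return allowlist.some((entry) => {
    try { return new URL(entry).origin === parsed.origin; } catch { return false; }
  });
}
```

The predicate is what a server hands to its CORS configuration; what matters is that it compares whole origins (scheme, host and port) rather than substrings, and that the absence of a header is not treated as permission.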
:rescue_worker_helmet: Automatic Remediation is available for this issue

WS-2017-0247
### Vulnerable Library - ms-0.6.2.tgz

Tiny ms conversion utility
Library home page: https://registry.npmjs.org/ms/-/ms-0.6.2.tgz
Path to dependency file: /tmp/ws-scm/SAST-coldfusion-project3/assets/reveal.js/plugin/multiplex/package.json
Path to vulnerable library:
- /tmp/ws-scm/SAST-coldfusion-project3/assets/reveal.js/plugin/multiplex/node_modules/socket.io-adapter/node_modules/ms/package.json
- /tmp/ws-scm/SAST-coldfusion-project3/assets/reveal.js/plugin/multiplex/node_modules/engine.io-client/node_modules/ms/package.json
- /tmp/ws-scm/SAST-coldfusion-project3/assets/reveal.js/plugin/multiplex/node_modules/engine.io/node_modules/ms/package.json
- /tmp/ws-scm/SAST-coldfusion-project3/assets/reveal.js/plugin/multiplex/node_modules/socket.io/node_modules/ms/package.json
Dependency Hierarchy:
- socket.io-1.3.7.tgz (Root Library)
  - socket.io-client-1.3.7.tgz
    - engine.io-client-1.5.4.tgz
      - debug-1.0.4.tgz
        - :x: **ms-0.6.2.tgz** (Vulnerable Library)
Found in HEAD commit: c2eefd95e48e1db14889cdc88ab5b97aa52b5376
Found in base branch: main
### Vulnerability Details

Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS).
Publish Date: 2017-04-12
URL: WS-2017-0247
### CVSS 2 Score Details (3.4)

Base Score Metrics not available

### Suggested Fix

Type: Upgrade version
Origin: https://github.com/vercel/ms/pull/89
Release Date: 2017-04-12
Fix Resolution (ms): 2.0.0
Direct dependency fix Resolution (socket.io): 2.0.2
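Two ReDoS mitigations, for this entry and for the ms (CVE-2015-8315), debug (CVE-2017-16137) and parsejson (CVE-2017-16113) entries above, as an added example that is not code from any of those packages: a duration parser that caps input length before running a regex with overlapping quantifiers (the approach the fixed ms releases take), and a newline collapser that avoids the `\s*\n\s*` pattern by splitting on newlines instead. The regex, unit table, limit and inputs are this example's own.

```javascript
// Added example (not from ms, debug, parsejson or the original report): two
// ReDoS mitigations. Bound the input before an ambiguous regex runs, or
// replace the regex with a linear-time operation.

const MAX_DURATION_LENGTH = 100; // ms 2.x rejects longer strings the same way

// Unit table for the duration parser (milliseconds per unit).
const UNIT_MS = { ms: 1, s: 1000, m: 60000, h: 3600000, d: 86400000 };
const UNIT_ALIAS = {
  milliseconds: 'ms', millisecond: 'ms', msecs: 'ms', msec: 'ms', ms: 'ms',
  seconds: 's', second: 's', secs: 's', sec: 's', s: 's',
  minutes: 'm', minute: 'm', mins: 'm', min: 'm', m: 'm',
  hours: 'h', hour: 'h', hrs: 'h', hr: 'h', h: 'h',
  days: 'd', day: 'd', d: 'd',
};

// `(?:\d+)?\.?\d+` is the ambiguous part: on a long run of digits that ends
// in a non-match, the engine tries every split between the two \d+ groups and
// every shorter second group for each split, so work grows quadratically with
// input length. Capping the length turns that unbounded cost into a constant.
const DURATION_RE = /^((?:\d+)?\.?\d+) *(milliseconds?|msecs?|ms|seconds?|secs?|s|minutes?|mins?|m|hours?|hrs?|h|days?|d)?$/i;

// Parse "2 days", "1.5h", "100" (bare numbers are milliseconds) into ms.
// Returns undefined for anything unparseable or longer than the cap.
function parseDuration(str) {
  str = String(str);
  if (str.length === 0 || str.length > MAX_DURATION_LENGTH) return undefined;
  const m = DURATION_RE.exec(str);
  if (!m) return undefined;
  const n = parseFloat(m[1]);
  const unit = UNIT_ALIAS[(m[2] || 'ms').toLowerCase()];
  return n * UNIT_MS[unit];
}

// A log formatter that collapsed line breaks with /\s*\n\s*/g backtracks
// heavily on long runs of whitespace around a newline. Splitting on the
// newline and trimming each piece is linear in the input and needs no regex.
function collapseNewlines(text) {
  return String(text).split('\n').map((line) => line.trim()).join(' ');
}
```

The length cap is the cheap fix when the regex has to stay; rewriting the operation so that no ambiguous quantifier exists, as `collapseNewlines` does, removes the problem class entirely. Either way, the check has to run before the untrusted string reaches the regex engine.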
:rescue_worker_helmet: Automatic Remediation is available for this issue.