sultanabubaker / SAST-npm-project


jsonwebtoken-7.1.9.tgz: 4 vulnerabilities (highest severity is: 8.8) #6

Open dev-mend-for-github-com[bot] opened 2 years ago

dev-mend-for-github-com[bot] commented 2 years ago
Vulnerable Library - jsonwebtoken-7.1.9.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/jsonwebtoken/node_modules/ms/package.json

Found in HEAD commit: d804f0146ba2b48648893ac54a20b8bcb43f60d5

Vulnerabilities

| CVE | Severity | CVSS | Dependency | Type | Fixed in | Remediation Available |
|---|---|---|---|---|---|---|
| CVE-2018-3728 | High | 8.8 | hoek-2.16.3.tgz | Transitive | 7.2.0 | Yes |
| CVE-2017-18214 | High | 7.5 | moment-2.18.1.tgz | Transitive | 7.1.10 | Yes |
| WS-2018-0096 | High | 7.1 | base64url-2.0.0.tgz | Transitive | 7.1.10 | Yes |
| WS-2017-0247 | Low | 3.4 | ms-0.7.3.tgz | Transitive | 7.4.1 | Yes |

Details

**CVE-2018-3728**

### Vulnerable Library - hoek-2.16.3.tgz

General purpose node utilities

Library home page: https://registry.npmjs.org/hoek/-/hoek-2.16.3.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/hoek/package.json

Dependency Hierarchy:

- jsonwebtoken-7.1.9.tgz (Root Library)
  - joi-6.10.1.tgz
    - :x: **hoek-2.16.3.tgz** (Vulnerable Library)

Found in HEAD commit: d804f0146ba2b48648893ac54a20b8bcb43f60d5

Found in base branch: main

### Vulnerability Details

hoek node module before 4.2.0 and 5.0.x before 5.0.3 suffers from a Modification of Assumed-Immutable Data (MAID) vulnerability via 'merge' and 'applyToDefaults' functions, which allows a malicious user to modify the prototype of "Object" via __proto__, causing the addition or modification of an existing property that will exist on all objects.

Publish Date: 2018-03-30

URL: CVE-2018-3728

### CVSS 3 Score Details (8.8)

Base Score Metrics:

- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: Low
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High

### Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2018-3728

Release Date: 2018-03-30

Fix Resolution (hoek): 4.2.0

Direct dependency fix Resolution (jsonwebtoken): 7.2.0

:rescue_worker_helmet: Automatic Remediation is available for this issue
**CVE-2017-18214**

### Vulnerable Library - moment-2.18.1.tgz

Parse, validate, manipulate, and display dates

Library home page: https://registry.npmjs.org/moment/-/moment-2.18.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/moment/package.json

Dependency Hierarchy:

- jsonwebtoken-7.1.9.tgz (Root Library)
  - joi-6.10.1.tgz
    - :x: **moment-2.18.1.tgz** (Vulnerable Library)

Found in HEAD commit: d804f0146ba2b48648893ac54a20b8bcb43f60d5

Found in base branch: main

### Vulnerability Details

The moment module before 2.19.3 for Node.js is prone to a regular expression denial of service via a crafted date string, a different vulnerability than CVE-2016-4055.

Publish Date: 2018-03-04

URL: CVE-2017-18214

### CVSS 3 Score Details (7.5)

Base Score Metrics:

- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High

### Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18214

Release Date: 2018-03-04

Fix Resolution (moment): 2.19.3

Direct dependency fix Resolution (jsonwebtoken): 7.1.10

:rescue_worker_helmet: Automatic Remediation is available for this issue
**WS-2018-0096**

### Vulnerable Library - base64url-2.0.0.tgz

For encoding to/from base64urls

Library home page: https://registry.npmjs.org/base64url/-/base64url-2.0.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/base64url/package.json

Dependency Hierarchy:

- jsonwebtoken-7.1.9.tgz (Root Library)
  - jws-3.1.4.tgz
    - :x: **base64url-2.0.0.tgz** (Vulnerable Library)

Found in HEAD commit: d804f0146ba2b48648893ac54a20b8bcb43f60d5

Found in base branch: main

### Vulnerability Details

Versions of base64url before 3.0.0 are vulnerable to out-of-bounds reads because the library allocates uninitialized Buffers when a number is passed as input on Node.js 4.x and below.

Publish Date: 2018-05-16

URL: WS-2018-0096

### CVSS 3 Score Details (7.1)

Base Score Metrics:

- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: Low
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: Low
  - Integrity Impact: None
  - Availability Impact: High

### Suggested Fix

Type: Upgrade version

Origin: https://hackerone.com/reports/321687

Release Date: 2018-01-27

Fix Resolution (base64url): 3.0.0

Direct dependency fix Resolution (jsonwebtoken): 7.1.10

:rescue_worker_helmet: Automatic Remediation is available for this issue
**WS-2017-0247**

### Vulnerable Library - ms-0.7.3.tgz

Tiny millisecond conversion utility

Library home page: https://registry.npmjs.org/ms/-/ms-0.7.3.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/jsonwebtoken/node_modules/ms/package.json

Dependency Hierarchy:

- jsonwebtoken-7.1.9.tgz (Root Library)
  - :x: **ms-0.7.3.tgz** (Vulnerable Library)

Found in HEAD commit: d804f0146ba2b48648893ac54a20b8bcb43f60d5

Found in base branch: main

### Vulnerability Details

Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS).

Publish Date: 2017-04-12

URL: WS-2017-0247

### CVSS 2 Score Details (3.4)

Base Score Metrics not available

### Suggested Fix

Type: Upgrade version

Origin: https://github.com/vercel/ms/pull/89

Release Date: 2017-04-12

Fix Resolution (ms): 2.0.0

Direct dependency fix Resolution (jsonwebtoken): 7.4.1

:rescue_worker_helmet: Automatic Remediation is available for this issue

:rescue_worker_helmet: Automatic Remediation is available for this issue.