Step up your Open Source Security Game with WhiteSource [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
# Vulnerable Library - protractor-7.0.0.tgz

Path to dependency file: /angular/package.json

Path to vulnerable library: /aspnet-core/src/Thor.SSO.HttpApi.Host/node_modules/ini/package.json, /angular/node_modules/ini/package.json

Found in HEAD commit: 2f6811d1524ee5c5357ac1bc44db8755973358c4

## Vulnerabilities

| CVE | CVSS 3 Score | Vulnerable Library | Fix Resolution |
| --- | --- | --- | --- |
| CVE-2021-3918 | 9.8 | json-schema-0.2.3.tgz | json-schema - 0.4.0 |
| CVE-2020-7788 | 7.3 | ini-1.3.5.tgz | v1.3.6 |
| CVE-2021-23413 | 5.3 | jszip-3.5.0.tgz | jszip - 3.7.0 |

## Details
## CVE-2021-3918

### Vulnerable Library - json-schema-0.2.3.tgz

JSON Schema validation and specifications
Library home page: https://registry.npmjs.org/json-schema/-/json-schema-0.2.3.tgz
Path to dependency file: /angular/package.json
Path to vulnerable library: /angular/node_modules/json-schema/package.json
Dependency Hierarchy:
- protractor-7.0.0.tgz (Root Library)
  - webdriver-manager-12.1.7.tgz
    - request-2.88.2.tgz
      - http-signature-1.2.0.tgz
        - jsprim-1.4.1.tgz
          - :x: **json-schema-0.2.3.tgz** (Vulnerable Library)
Found in HEAD commit: 2f6811d1524ee5c5357ac1bc44db8755973358c4
Found in base branch: develop
### Vulnerability Details

json-schema is vulnerable to Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution').
Publish Date: 2021-11-13
URL: CVE-2021-3918
### CVSS 3 Score Details (9.8)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High

### Suggested Fix

Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2021-3918
Release Date: 2021-11-13
Fix Resolution: json-schema - 0.4.0
## CVE-2020-7788

### Vulnerable Library - ini-1.3.5.tgz

An ini encoder/decoder for node
Library home page: https://registry.npmjs.org/ini/-/ini-1.3.5.tgz
Path to dependency file: /aspnet-core/src/Thor.SSO.HttpApi.Host/package.json
Path to vulnerable library: /aspnet-core/src/Thor.SSO.HttpApi.Host/node_modules/ini/package.json,/angular/node_modules/ini/package.json
Dependency Hierarchy:
- protractor-7.0.0.tgz (Root Library)
  - webdriver-manager-12.1.7.tgz
    - :x: **ini-1.3.5.tgz** (Vulnerable Library)
Found in HEAD commit: 2f6811d1524ee5c5357ac1bc44db8755973358c4
Found in base branch: develop
### Vulnerability Details

This affects the package ini before 1.3.6. If an attacker submits a malicious INI file to an application that parses it with `ini.parse`, they will pollute the prototype on the application. This can be exploited further depending on the context.
Publish Date: 2020-12-11
URL: CVE-2020-7788
### CVSS 3 Score Details (7.3)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: Low
  - Integrity Impact: Low
  - Availability Impact: Low

### Suggested Fix

Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7788
Release Date: 2020-12-11
Fix Resolution: v1.3.6
## CVE-2021-23413

### Vulnerable Library - jszip-3.5.0.tgz

Create, read and edit .zip files with JavaScript http://stuartk.com/jszip
Library home page: https://registry.npmjs.org/jszip/-/jszip-3.5.0.tgz
Path to dependency file: /angular/package.json
Path to vulnerable library: /angular/node_modules/jszip/package.json
Dependency Hierarchy:
- protractor-7.0.0.tgz (Root Library)
  - selenium-webdriver-3.6.0.tgz
    - :x: **jszip-3.5.0.tgz** (Vulnerable Library)
Found in HEAD commit: 2f6811d1524ee5c5357ac1bc44db8755973358c4
Found in base branch: develop
### Vulnerability Details

This affects the package jszip before 3.7.0. Crafting a new zip file with filenames set to Object prototype values (e.g. `__proto__`, `toString`, etc.) results in a returned object with a modified prototype instance.
Publish Date: 2021-07-25
URL: CVE-2021-23413
### CVSS 3 Score Details (5.3)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: Low

### Suggested Fix

Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23413
Release Date: 2021-07-25
Fix Resolution: jszip - 3.7.0