search

uriel-naor / ISSUES

0 stars 0 forks source link

log4js-2.11.0.tgz: 7 vulnerabilities (highest severity is: 9.8) - autoclosed #8

Closed uriel-mend-app[bot] closed 1 year ago

uriel-mend-app[bot] commented 1 year ago
Vulnerable Library - log4js-2.11.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/hoek/package.json

Found in HEAD commit: dee5a70e928db205548af0d03b542cca4bf5461b

Mend has checked all newer package trees, and you are on the least vulnerable package!

Please note: There might be a version that explicitly solves one or more of the vulnerabilities listed below, but we do not recommend it. For more info about the optional fixes, check the section “Details” below.

Vulnerabilities

CVE Severity CVSS Dependency Type Fixed in (log4js version) Fix PR available
CVE-2018-1000620 High 9.8 cryptiles-2.0.5.tgz Transitive N/A*
CVE-2021-28918 High 9.1 netmask-1.0.6.tgz Transitive N/A*
CVE-2018-3728 High 8.8 hoek-2.16.3.tgz Transitive N/A*
CVE-2017-16115 High 7.5 timespan-2.3.0.tgz Transitive N/A*
CVE-2019-10742 High 7.5 axios-0.15.3.tgz Transitive N/A*
CVE-2021-29418 Medium 5.3 netmask-1.0.6.tgz Transitive N/A*
WS-2018-0076 Medium 5.0 tunnel-agent-0.4.3.tgz Transitive N/A*

*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the section "Details" below to see if there is a version of transitive dependency where vulnerability is fixed.

Details

CVE-2018-1000620 ### Vulnerable Library - cryptiles-2.0.5.tgz

General purpose crypto utilities

Library home page: https://registry.npmjs.org/cryptiles/-/cryptiles-2.0.5.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/cryptiles/package.json

Dependency Hierarchy: - log4js-2.11.0.tgz (Root Library) - loggly-1.1.1.tgz - request-2.75.0.tgz - hawk-3.1.3.tgz - :x: **cryptiles-2.0.5.tgz** (Vulnerable Library)

Found in HEAD commit: dee5a70e928db205548af0d03b542cca4bf5461b

Found in base branch: main

### Vulnerability Details

Eran Hammer cryptiles version 4.1.1 earlier contains a CWE-331: Insufficient Entropy vulnerability in randomDigits() method that can result in An attacker is more likely to be able to brute force something that was supposed to be random.. This attack appear to be exploitable via Depends upon the calling application.. This vulnerability appears to have been fixed in 4.1.2.

Publish Date: 2018-07-09

URL: CVE-2018-1000620

### CVSS 3 Score Details (9.8)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-1000620

Release Date: 2018-07-09

Fix Resolution: v4.1.2

CVE-2021-28918 ### Vulnerable Library - netmask-1.0.6.tgz

Parse and lookup IP network blocks

Library home page: https://registry.npmjs.org/netmask/-/netmask-1.0.6.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/netmask/package.json

Dependency Hierarchy: - log4js-2.11.0.tgz (Root Library) - mailgun-js-0.18.1.tgz - proxy-agent-3.0.3.tgz - pac-proxy-agent-3.0.1.tgz - pac-resolver-3.0.0.tgz - :x: **netmask-1.0.6.tgz** (Vulnerable Library)

Found in HEAD commit: dee5a70e928db205548af0d03b542cca4bf5461b

Found in base branch: main

### Vulnerability Details

Improper input validation of octal strings in netmask npm package v1.0.6 and below allows unauthenticated remote attackers to perform indeterminate SSRF, RFI, and LFI attacks on many of the dependent packages. A remote unauthenticated attacker can bypass packages relying on netmask to filter IPs and reach critical VPN or LAN hosts.

Publish Date: 2021-04-01

URL: CVE-2021-28918

### CVSS 3 Score Details (9.1)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: None

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://github.com/advisories/GHSA-pch5-whg9-qr2r

Release Date: 2021-04-01

Fix Resolution: netmask - 2.0.1

CVE-2018-3728 ### Vulnerable Library - hoek-2.16.3.tgz

General purpose node utilities

Library home page: https://registry.npmjs.org/hoek/-/hoek-2.16.3.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/hoek/package.json

Dependency Hierarchy: - log4js-2.11.0.tgz (Root Library) - loggly-1.1.1.tgz - request-2.75.0.tgz - hawk-3.1.3.tgz - :x: **hoek-2.16.3.tgz** (Vulnerable Library)

Found in HEAD commit: dee5a70e928db205548af0d03b542cca4bf5461b

Found in base branch: main

### Vulnerability Details

hoek node module before 4.2.0 and 5.0.x before 5.0.3 suffers from a Modification of Assumed-Immutable Data (MAID) vulnerability via 'merge' and 'applyToDefaults' functions, which allows a malicious user to modify the prototype of "Object" via __proto__, causing the addition or modification of an existing property that will exist on all objects.

Publish Date: 2018-03-30

URL: CVE-2018-3728

### CVSS 3 Score Details (8.8)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: Low - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2018-3728

Release Date: 2018-03-30

Fix Resolution: 4.2.1,5.0.3

CVE-2017-16115 ### Vulnerable Library - timespan-2.3.0.tgz

A JavaScript TimeSpan library for node.js (and soon the browser)

Library home page: https://registry.npmjs.org/timespan/-/timespan-2.3.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/timespan/package.json

Dependency Hierarchy: - log4js-2.11.0.tgz (Root Library) - loggly-1.1.1.tgz - :x: **timespan-2.3.0.tgz** (Vulnerable Library)

Found in HEAD commit: dee5a70e928db205548af0d03b542cca4bf5461b

Found in base branch: main

### Vulnerability Details

The timespan module is vulnerable to regular expression denial of service. Given 50k characters of untrusted user input it will block the event loop for around 10 seconds.

Publish Date: 2018-06-07

URL: CVE-2017-16115

### CVSS 3 Score Details (7.5)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High

For more information on CVSS3 Scores, click here.

CVE-2019-10742 ### Vulnerable Library - axios-0.15.3.tgz

Promise based HTTP client for the browser and node.js

Library home page: https://registry.npmjs.org/axios/-/axios-0.15.3.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/axios/package.json

Dependency Hierarchy: - log4js-2.11.0.tgz (Root Library) - :x: **axios-0.15.3.tgz** (Vulnerable Library)

Found in HEAD commit: dee5a70e928db205548af0d03b542cca4bf5461b

Found in base branch: main

### Vulnerability Details

Axios up to and including 0.18.0 allows attackers to cause a denial of service (application crash) by continuing to accepting content after maxContentLength is exceeded.

Publish Date: 2019-05-07

URL: CVE-2019-10742

### CVSS 3 Score Details (7.5)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Release Date: 2019-05-31

Fix Resolution: 0.19.0

CVE-2021-29418 ### Vulnerable Library - netmask-1.0.6.tgz

Parse and lookup IP network blocks

Library home page: https://registry.npmjs.org/netmask/-/netmask-1.0.6.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/netmask/package.json

Dependency Hierarchy: - log4js-2.11.0.tgz (Root Library) - mailgun-js-0.18.1.tgz - proxy-agent-3.0.3.tgz - pac-proxy-agent-3.0.1.tgz - pac-resolver-3.0.0.tgz - :x: **netmask-1.0.6.tgz** (Vulnerable Library)

Found in HEAD commit: dee5a70e928db205548af0d03b542cca4bf5461b

Found in base branch: main

### Vulnerability Details

The netmask package before 2.0.1 for Node.js mishandles certain unexpected characters in an IP address string, such as an octal digit of 9. This (in some situations) allows attackers to bypass access control that is based on IP addresses. NOTE: this issue exists because of an incomplete fix for CVE-2021-28918.

Publish Date: 2021-03-30

URL: CVE-2021-29418

### CVSS 3 Score Details (5.3)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: Low - Availability Impact: None

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://vuln.ryotak.me/advisories/6.txt

Release Date: 2021-03-30

Fix Resolution: 2.0.1

WS-2018-0076 ### Vulnerable Library - tunnel-agent-0.4.3.tgz

HTTP proxy tunneling agent. Formerly part of mikeal/request, now a standalone module.

Library home page: https://registry.npmjs.org/tunnel-agent/-/tunnel-agent-0.4.3.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/loggly/node_modules/tunnel-agent/package.json

Dependency Hierarchy: - log4js-2.11.0.tgz (Root Library) - loggly-1.1.1.tgz - request-2.75.0.tgz - :x: **tunnel-agent-0.4.3.tgz** (Vulnerable Library)

Found in HEAD commit: dee5a70e928db205548af0d03b542cca4bf5461b

Found in base branch: main

### Vulnerability Details

Versions of tunnel-agent before 0.6.0 are vulnerable to memory exposure. This is exploitable if user supplied input is provided to the auth value and is a number.

Publish Date: 2017-03-05

URL: WS-2018-0076

### CVSS 2 Score Details (5.0)

Base Score Metrics not available

### Suggested Fix

Type: Upgrade version

Origin: https://nodesecurity.io/advisories/598

Release Date: 2018-01-27

Fix Resolution: 0.6.0

uriel-mend-app[bot] commented 1 year ago

:heavy_check_mark: This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory.

uriel-mend-app[bot] commented 1 year ago

:information_source: This issue was automatically re-opened by Mend because the vulnerable library in the specific branch(es) has been detected in the Mend inventory.

uriel-mend-app[bot] commented 1 year ago

:heavy_check_mark: This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory.