alekeagle / eaglebot-eris Goto Github PK

View Code? Open in Web Editor NEW

0.0 0.0 1.0 242 KB

EagleBot in Eris form

JavaScript 100.00%

bot discord

eaglebot-eris's Introduction

Howdy

eaglebot-eris's People

Contributors

Watchers

Forkers

jdiavolos

eaglebot-eris's Issues

CVE-2019-13173 (High) detected in fstream-1.0.11.tgz

CVE-2019-13173 - High Severity Vulnerability

Vulnerable Library - fstream-1.0.11.tgz

Advanced file system stream things

Library home page: https://registry.npmjs.org/fstream/-/fstream-1.0.11.tgz

Path to dependency file: /EagleBot-Eris/package.json

Path to vulnerable library: /tmp/git/EagleBot-Eris/node_modules/npm/node_modules/fstream/package.json

Dependency Hierarchy:

npm-6.9.0.tgz (Root Library)
- node-gyp-3.8.0.tgz
  - ❌ fstream-1.0.11.tgz (Vulnerable Library)

Found in HEAD commit: ce922ebbd3d4363a4bfec25758f14fca5e5c862b

Vulnerability Details

fstream before 1.0.12 is vulnerable to Arbitrary File Overwrite. Extracting tarballs containing a hardlink to a file that already exists in the system, and a file that matches the hardlink, will overwrite the system's file with the contents of the extracted file. The fstream.DirWriter() function is vulnerable.

Publish Date: 2019-07-02

URL: CVE-2019-13173

CVSS 3 Score Details (7.5)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: High
- Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13173

Release Date: 2019-07-02

Fix Resolution: 1.0.12

Step up your Open Source Security Game with WhiteSource here

WS-2019-0307 (Medium) detected in mem-1.1.0.tgz

WS-2019-0307 - Medium Severity Vulnerability

Vulnerable Library - mem-1.1.0.tgz

Memoize functions - An optimization used to speed up consecutive function calls by caching the result of calls with identical input

Library home page: https://registry.npmjs.org/mem/-/mem-1.1.0.tgz

Path to dependency file: /tmp/ws-scm/EagleBot-Eris/package.json

Path to vulnerable library: /tmp/ws-scm/EagleBot-Eris/node_modules/npm/node_modules/mem/package.json

Dependency Hierarchy:

npm-6.13.4.tgz (Root Library)
- libnpx-10.2.0.tgz
  - yargs-11.0.0.tgz
    - os-locale-2.1.0.tgz
      - ❌ mem-1.1.0.tgz (Vulnerable Library)

Found in HEAD commit: 8e4252df4aac30e6a4c5290e1fd41b5bad1b7399

Vulnerability Details

Denial of Service (DoS) vulnerability found in mem before 4.0.0. There is a failure in removal of old values from the cache. As a result, attacker may exhaust the system's memory.

Publish Date: 2019-12-01

URL: WS-2019-0307

CVSS 2 Score Details (5.0)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/1084

Release Date: 2019-12-01

Fix Resolution: mem - 4.0.0

Step up your Open Source Security Game with WhiteSource here

CVE-2019-10742 (High) detected in axios-0.18.0.tgz

CVE-2019-10742 - High Severity Vulnerability

Vulnerable Library - axios-0.18.0.tgz

Promise based HTTP client for the browser and node.js

Library home page: https://registry.npmjs.org/axios/-/axios-0.18.0.tgz

Path to dependency file: /EagleBot-Eris/package.json

Path to vulnerable library: /EagleBot-Eris/node_modules/axios/package.json

Dependency Hierarchy:

❌ axios-0.18.0.tgz (Vulnerable Library)

Found in HEAD commit: ce922ebbd3d4363a4bfec25758f14fca5e5c862b

Vulnerability Details

Axios up to and including 0.18.0 allows attackers to cause a denial of service (application crash) by continuing to accepting content after maxContentLength is exceeded.

Publish Date: 2019-05-07

URL: CVE-2019-10742

CVSS 3 Score Details (7.5)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: axios/axios#1098

Release Date: 2019-05-31

Fix Resolution: 0.19.0

Step up your Open Source Security Game with WhiteSource here

WS-2018-0236 (Medium) detected in mem-1.1.0.tgz

WS-2018-0236 - Medium Severity Vulnerability

Vulnerable Library - mem-1.1.0.tgz

Memoize functions - An optimization used to speed up consecutive function calls by caching the result of calls with identical input

Library home page: https://registry.npmjs.org/mem/-/mem-1.1.0.tgz

Path to dependency file: /EagleBot-Eris/package.json

Path to vulnerable library: /tmp/git/EagleBot-Eris/node_modules/npm/node_modules/mem/package.json

Dependency Hierarchy:

npm-6.9.0.tgz (Root Library)
- libnpx-10.2.0.tgz
  - yargs-11.0.0.tgz
    - os-locale-2.1.0.tgz
      - ❌ mem-1.1.0.tgz (Vulnerable Library)

Found in HEAD commit: ce922ebbd3d4363a4bfec25758f14fca5e5c862b

Vulnerability Details

In nodejs-mem before version 4.0.0 there is a memory leak due to old results not being removed from the cache despite reaching maxAge. Exploitation of this can lead to exhaustion of memory and subsequent denial of service.

Publish Date: 2019-05-30

URL: WS-2018-0236

CVSS 2 Score Details (5.5)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: https://bugzilla.redhat.com/show_bug.cgi?id=1623744

Release Date: 2019-05-30

Fix Resolution: 4.0.0

Step up your Open Source Security Game with WhiteSource here

WS-2019-0310 (Medium) detected in https-proxy-agent-2.2.1.tgz

WS-2019-0310 - Medium Severity Vulnerability

Vulnerable Library - https-proxy-agent-2.2.1.tgz

An HTTP(s) proxy `http.Agent` implementation for HTTPS

Library home page: https://registry.npmjs.org/https-proxy-agent/-/https-proxy-agent-2.2.1.tgz

Path to dependency file: /tmp/ws-scm/EagleBot-Eris/package.json

Path to vulnerable library: /tmp/ws-scm/EagleBot-Eris/node_modules/https-proxy-agent/package.json

Dependency Hierarchy:

node-4.6.4.tgz (Root Library)
- ❌ https-proxy-agent-2.2.1.tgz (Vulnerable Library)

Found in HEAD commit: 8e4252df4aac30e6a4c5290e1fd41b5bad1b7399

Vulnerability Details

There is a Machine-In-The-Middle vulnerability found in https-proxy-agent before 2.2.3. There is a failure of TLS enforcement on the socket. Attacker may intercept unencrypted communications.

Publish Date: 2019-12-01

URL: WS-2019-0310

CVSS 2 Score Details (5.0)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/1184

Release Date: 2019-12-01

Fix Resolution: https-proxy-agent - 2.2.3

Step up your Open Source Security Game with WhiteSource here

WS-2019-0047 (Medium) detected in tar-2.2.1.tgz

WS-2019-0047 - Medium Severity Vulnerability

Vulnerable Library - tar-2.2.1.tgz

tar for node

Library home page: https://registry.npmjs.org/tar/-/tar-2.2.1.tgz

Path to dependency file: /EagleBot-Eris/package.json

Path to vulnerable library: /tmp/git/EagleBot-Eris/node_modules/npm/node_modules/node-gyp/node_modules/tar/package.json

Dependency Hierarchy:

npm-6.9.0.tgz (Root Library)
- node-gyp-3.8.0.tgz
  - ❌ tar-2.2.1.tgz (Vulnerable Library)

Found in HEAD commit: 2468809357b1a8e8da5ad05aacd34803bfc5ca9e

Vulnerability Details

Versions of node-tar prior to 4.4.2 are vulnerable to Arbitrary File Overwrite. Extracting tarballs containing a hardlink to a file that already exists in the system, and a file that matches the hardlink will overwrite the system's file with the contents of the extracted file.

Publish Date: 2019-04-05

URL: WS-2019-0047