GithubHelp home page GithubHelp logo

gatsby-one's People

Contributors

alexantom avatar gatsby-cloud[bot] avatar mend-for-github-com[bot] avatar

Watchers

avatar avatar

gatsby-one's Issues

CVE-2015-9251 (Medium) detected in multiple libraries

CVE-2015-9251 - Medium Severity Vulnerability

Vulnerable Libraries - jquery-2.1.4.min.js, jquery-1.9.1.js, jquery-1.7.1.min.js

jquery-2.1.4.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/2.1.4/jquery.min.js

Path to dependency file: /tmp/ws-scm/gatsby-one/node_modules/js-base64/.attic/test-moment/index.html

Path to vulnerable library: /gatsby-one/node_modules/js-base64/.attic/test-moment/index.html

Dependency Hierarchy:

  • jquery-2.1.4.min.js (Vulnerable Library)
jquery-1.9.1.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.9.1/jquery.js

Path to dependency file: /tmp/ws-scm/gatsby-one/node_modules/tinycolor2/test/index.html

Path to vulnerable library: /gatsby-one/node_modules/tinycolor2/test/../demo/jquery-1.9.1.js,/gatsby-one/node_modules/tinycolor2/demo/jquery-1.9.1.js

Dependency Hierarchy:

  • jquery-1.9.1.js (Vulnerable Library)
jquery-1.7.1.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.7.1/jquery.min.js

Path to dependency file: /tmp/ws-scm/gatsby-one/node_modules/sockjs/examples/express/index.html

Path to vulnerable library: /gatsby-one/node_modules/sockjs/examples/express/index.html,/gatsby-one/node_modules/sockjs/examples/hapi/html/index.html,/gatsby-one/node_modules/sockjs/examples/echo/index.html,/gatsby-one/node_modules/sockjs/examples/multiplex/index.html,/gatsby-one/node_modules/sockjs/examples/express-3.x/index.html

Dependency Hierarchy:

  • jquery-1.7.1.min.js (Vulnerable Library)

Found in HEAD commit: a5bf8acca7cd42003efe74a9db60e62230bc1c63

Vulnerability Details

jQuery before 3.0.0 is vulnerable to Cross-site Scripting (XSS) attacks when a cross-domain Ajax request is performed without the dataType option, causing text/javascript responses to be executed.

Publish Date: 2018-01-18

URL: CVE-2015-9251

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2015-9251

Release Date: 2018-01-18

Fix Resolution: jQuery - v3.0.0

CVE-2020-7608 (High) detected in yargs-parser-5.0.0.tgz, yargs-parser-11.1.1.tgz

CVE-2020-7608 - High Severity Vulnerability

Vulnerable Libraries - yargs-parser-5.0.0.tgz, yargs-parser-11.1.1.tgz

yargs-parser-5.0.0.tgz

the mighty option parser used by yargs

Library home page: https://registry.npmjs.org/yargs-parser/-/yargs-parser-5.0.0.tgz

Path to dependency file: /tmp/ws-scm/gatsby-one/package.json

Path to vulnerable library: /tmp/ws-scm/gatsby-one/node_modules/sass-graph/node_modules/yargs-parser/package.json

Dependency Hierarchy:

  • node-sass-4.13.1.tgz (Root Library)
    • sass-graph-2.2.4.tgz
      • yargs-7.1.0.tgz
        • yargs-parser-5.0.0.tgz (Vulnerable Library)
yargs-parser-11.1.1.tgz

the mighty option parser used by yargs

Library home page: https://registry.npmjs.org/yargs-parser/-/yargs-parser-11.1.1.tgz

Path to dependency file: /tmp/ws-scm/gatsby-one/package.json

Path to vulnerable library: /tmp/ws-scm/gatsby-one/node_modules/webpack-dev-server/node_modules/yargs-parser/package.json

Dependency Hierarchy:

  • gatsby-2.20.10.tgz (Root Library)
    • webpack-dev-server-3.10.3.tgz
      • yargs-12.0.5.tgz
        • yargs-parser-11.1.1.tgz (Vulnerable Library)

Found in HEAD commit: a5bf8acca7cd42003efe74a9db60e62230bc1c63

Vulnerability Details

yargs-parser could be tricked into adding or modifying properties of Object.prototype using a "proto" payload.

Publish Date: 2020-03-16

URL: CVE-2020-7608

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: High
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7608

Release Date: 2020-03-16

Fix Resolution: v18.1.1;13.1.2;15.0.1

CVE-2019-11358 (Medium) detected in multiple libraries

CVE-2019-11358 - Medium Severity Vulnerability

Vulnerable Libraries - jquery-2.1.4.min.js, jquery-1.9.1.js, jquery-3.2.1.min.js

jquery-2.1.4.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/2.1.4/jquery.min.js

Path to dependency file: /tmp/ws-scm/gatsby-one/node_modules/js-base64/.attic/test-moment/index.html

Path to vulnerable library: /gatsby-one/node_modules/js-base64/.attic/test-moment/index.html

Dependency Hierarchy:

  • jquery-2.1.4.min.js (Vulnerable Library)
jquery-1.9.1.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.9.1/jquery.js

Path to dependency file: /tmp/ws-scm/gatsby-one/node_modules/tinycolor2/test/index.html

Path to vulnerable library: /gatsby-one/node_modules/tinycolor2/test/../demo/jquery-1.9.1.js,/gatsby-one/node_modules/tinycolor2/demo/jquery-1.9.1.js

Dependency Hierarchy:

  • jquery-1.9.1.js (Vulnerable Library)
jquery-3.2.1.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/3.2.1/jquery.min.js

Path to dependency file: /tmp/ws-scm/gatsby-one/node_modules/superagent/docs/tail.html

Path to vulnerable library: /gatsby-one/node_modules/superagent/docs/tail.html

Dependency Hierarchy:

  • jquery-3.2.1.min.js (Vulnerable Library)

Found in HEAD commit: a5bf8acca7cd42003efe74a9db60e62230bc1c63

Vulnerability Details

jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. If an unsanitized source object contained an enumerable proto property, it could extend the native Object.prototype.

Publish Date: 2019-04-20

URL: CVE-2019-11358

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11358

Release Date: 2019-04-20

Fix Resolution: 3.4.0

CVE-2018-19839 (Medium) detected in node-sass-4.13.1.tgz, CSS::Sass-v3.4.11

CVE-2018-19839 - Medium Severity Vulnerability

Vulnerable Libraries - node-sass-4.13.1.tgz

node-sass-4.13.1.tgz

Wrapper around libsass

Library home page: https://registry.npmjs.org/node-sass/-/node-sass-4.13.1.tgz

Path to dependency file: /tmp/ws-scm/gatsby-one/package.json

Path to vulnerable library: /gatsby-one/node_modules/node-sass/package.json

Dependency Hierarchy:

  • node-sass-4.13.1.tgz (Vulnerable Library)

Found in HEAD commit: a5bf8acca7cd42003efe74a9db60e62230bc1c63

Vulnerability Details

In LibSass prior to 3.5.5, the function handle_error in sass_context.cpp allows attackers to cause a denial-of-service resulting from a heap-based buffer over-read via a crafted sass file.

Publish Date: 2018-12-04

URL: CVE-2018-19839

CVSS 3 Score Details (6.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19839

Release Date: 2020-03-20

Fix Resolution: LibSass - 3.5.5

  • Check this box to open an automated fix PR

CVE-2018-11697 (High) detected in multiple libraries

CVE-2018-11697 - High Severity Vulnerability

Vulnerable Libraries - node-sass-4.13.1.tgz

node-sass-4.13.1.tgz

Wrapper around libsass

Library home page: https://registry.npmjs.org/node-sass/-/node-sass-4.13.1.tgz

Path to dependency file: /tmp/ws-scm/gatsby-one/package.json

Path to vulnerable library: /gatsby-one/node_modules/node-sass/package.json

Dependency Hierarchy:

  • node-sass-4.13.1.tgz (Vulnerable Library)

Found in HEAD commit: a5bf8acca7cd42003efe74a9db60e62230bc1c63

Vulnerability Details

An issue was discovered in LibSass through 3.5.4. An out-of-bounds read of a memory region was found in the function Sass::Prelexer::exactly() which could be leveraged by an attacker to disclose information or manipulated to read from unmapped memory causing a denial of service.

Publish Date: 2018-06-04

URL: CVE-2018-11697

CVSS 3 Score Details (8.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11697

Release Date: 2019-09-01

Fix Resolution: LibSass - 3.6.0

  • Check this box to open an automated fix PR

CVE-2018-19797 (Medium) detected in multiple libraries

CVE-2018-19797 - Medium Severity Vulnerability

Vulnerable Libraries - node-sass-4.13.1.tgz

node-sass-4.13.1.tgz

Wrapper around libsass

Library home page: https://registry.npmjs.org/node-sass/-/node-sass-4.13.1.tgz

Path to dependency file: /tmp/ws-scm/gatsby-one/package.json

Path to vulnerable library: /gatsby-one/node_modules/node-sass/package.json

Dependency Hierarchy:

  • node-sass-4.13.1.tgz (Vulnerable Library)

Found in HEAD commit: a5bf8acca7cd42003efe74a9db60e62230bc1c63

Vulnerability Details

In LibSass 3.5.5, a NULL Pointer Dereference in the function Sass::Selector_List::populate_extends in SharedPtr.hpp (used by ast.cpp and ast_selectors.cpp) may cause a Denial of Service (application crash) via a crafted sass input file.

Publish Date: 2018-12-03

URL: CVE-2018-19797

CVSS 3 Score Details (6.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19797

Release Date: 2019-09-01

Fix Resolution: LibSass - 3.6.0

  • Check this box to open an automated fix PR

CVE-2018-20190 (Medium) detected in node-sass-4.13.1.tgz, node-sass-v4.13.1

CVE-2018-20190 - Medium Severity Vulnerability

Vulnerable Libraries - node-sass-4.13.1.tgz

node-sass-4.13.1.tgz

Wrapper around libsass

Library home page: https://registry.npmjs.org/node-sass/-/node-sass-4.13.1.tgz

Path to dependency file: /tmp/ws-scm/gatsby-one/package.json

Path to vulnerable library: /gatsby-one/node_modules/node-sass/package.json

Dependency Hierarchy:

  • node-sass-4.13.1.tgz (Vulnerable Library)

Found in HEAD commit: a5bf8acca7cd42003efe74a9db60e62230bc1c63

Vulnerability Details

In LibSass 3.5.5, a NULL Pointer Dereference in the function Sass::Eval::operator()(Sass::Supports_Operator*) in eval.cpp may cause a Denial of Service (application crash) via a crafted sass input file.

Publish Date: 2018-12-17

URL: CVE-2018-20190

CVSS 3 Score Details (6.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20190

Release Date: 2018-12-17

Fix Resolution: LibSass - 3.6.0

  • Check this box to open an automated fix PR

CVE-2019-18797 (Medium) detected in node-sass-4.13.1.tgz, node-sass-v4.13.1

CVE-2019-18797 - Medium Severity Vulnerability

Vulnerable Libraries - node-sass-4.13.1.tgz

node-sass-4.13.1.tgz

Wrapper around libsass

Library home page: https://registry.npmjs.org/node-sass/-/node-sass-4.13.1.tgz

Path to dependency file: /tmp/ws-scm/gatsby-one/package.json

Path to vulnerable library: /gatsby-one/node_modules/node-sass/package.json

Dependency Hierarchy:

  • node-sass-4.13.1.tgz (Vulnerable Library)

Found in HEAD commit: a5bf8acca7cd42003efe74a9db60e62230bc1c63

Vulnerability Details

LibSass 3.6.1 has uncontrolled recursion in Sass::Eval::operator()(Sass::Binary_Expression*) in eval.cpp.

Publish Date: 2019-11-06

URL: CVE-2019-18797

CVSS 3 Score Details (6.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18797

Release Date: 2019-11-06

Fix Resolution: LibSass - 3.6.3

  • Check this box to open an automated fix PR

CVE-2018-11695 (High) detected in node-sass-4.13.1.tgz, node-sass-v4.13.1

CVE-2018-11695 - High Severity Vulnerability

Vulnerable Libraries - node-sass-4.13.1.tgz

node-sass-4.13.1.tgz

Wrapper around libsass

Library home page: https://registry.npmjs.org/node-sass/-/node-sass-4.13.1.tgz

Path to dependency file: /tmp/ws-scm/gatsby-one/package.json

Path to vulnerable library: /gatsby-one/node_modules/node-sass/package.json

Dependency Hierarchy:

  • node-sass-4.13.1.tgz (Vulnerable Library)

Found in HEAD commit: a5bf8acca7cd42003efe74a9db60e62230bc1c63

Vulnerability Details

An issue was discovered in LibSass through 3.5.2. A NULL pointer dereference was found in the function Sass::Expand::operator which could be leveraged by an attacker to cause a denial of service (application crash) or possibly have unspecified other impact.

Publish Date: 2018-06-04

URL: CVE-2018-11695

CVSS 3 Score Details (8.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11695

Release Date: 2018-06-04

Fix Resolution: LibSass - 3.6.0

  • Check this box to open an automated fix PR

CVE-2018-11694 (High) detected in node-sass-4.13.1.tgz, node-sass-v4.13.1

CVE-2018-11694 - High Severity Vulnerability

Vulnerable Libraries - node-sass-4.13.1.tgz

node-sass-4.13.1.tgz

Wrapper around libsass

Library home page: https://registry.npmjs.org/node-sass/-/node-sass-4.13.1.tgz

Path to dependency file: /tmp/ws-scm/gatsby-one/package.json

Path to vulnerable library: /gatsby-one/node_modules/node-sass/package.json

Dependency Hierarchy:

  • node-sass-4.13.1.tgz (Vulnerable Library)

Found in HEAD commit: a5bf8acca7cd42003efe74a9db60e62230bc1c63

Vulnerability Details

An issue was discovered in LibSass through 3.5.4. A NULL pointer dereference was found in the function Sass::Functions::selector_append which could be leveraged by an attacker to cause a denial of service (application crash) or possibly have unspecified other impact.

Publish Date: 2018-06-04

URL: CVE-2018-11694

CVSS 3 Score Details (8.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11694

Release Date: 2018-06-04

Fix Resolution: LibSass - 3.6.0

  • Check this box to open an automated fix PR

CVE-2018-20821 (Medium) detected in node-sass-4.13.1.tgz, node-sass-v4.13.1

CVE-2018-20821 - Medium Severity Vulnerability

Vulnerable Libraries - node-sass-4.13.1.tgz

node-sass-4.13.1.tgz

Wrapper around libsass

Library home page: https://registry.npmjs.org/node-sass/-/node-sass-4.13.1.tgz

Path to dependency file: /tmp/ws-scm/gatsby-one/package.json

Path to vulnerable library: /gatsby-one/node_modules/node-sass/package.json

Dependency Hierarchy:

  • node-sass-4.13.1.tgz (Vulnerable Library)

Found in HEAD commit: a5bf8acca7cd42003efe74a9db60e62230bc1c63

Vulnerability Details

The parsing component in LibSass through 3.5.5 allows attackers to cause a denial-of-service (uncontrolled recursion in Sass::Parser::parse_css_variable_value in parser.cpp).

Publish Date: 2019-04-23

URL: CVE-2018-20821

CVSS 3 Score Details (6.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20821

Release Date: 2019-04-23

Fix Resolution: LibSass - 3.6.0

  • Check this box to open an automated fix PR

CVE-2019-6286 (Medium) detected in node-sass-4.13.1.tgz, node-sass-v4.13.1

CVE-2019-6286 - Medium Severity Vulnerability

Vulnerable Libraries - node-sass-4.13.1.tgz

node-sass-4.13.1.tgz

Wrapper around libsass

Library home page: https://registry.npmjs.org/node-sass/-/node-sass-4.13.1.tgz

Path to dependency file: /tmp/ws-scm/gatsby-one/package.json

Path to vulnerable library: /gatsby-one/node_modules/node-sass/package.json

Dependency Hierarchy:

  • node-sass-4.13.1.tgz (Vulnerable Library)

Found in HEAD commit: a5bf8acca7cd42003efe74a9db60e62230bc1c63

Vulnerability Details

In LibSass 3.5.5, a heap-based buffer over-read exists in Sass::Prelexer::skip_over_scopes in prelexer.hpp when called from Sass::Parser::parse_import(), a similar issue to CVE-2018-11693.

Publish Date: 2019-01-14

URL: CVE-2019-6286

CVSS 3 Score Details (6.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6286

Release Date: 2019-08-06

Fix Resolution: LibSass - 3.6.0

  • Check this box to open an automated fix PR

CVE-2018-20822 (Medium) detected in node-sass-4.13.1.tgz, node-sass-v4.13.1

CVE-2018-20822 - Medium Severity Vulnerability

Vulnerable Libraries - node-sass-4.13.1.tgz

node-sass-4.13.1.tgz

Wrapper around libsass

Library home page: https://registry.npmjs.org/node-sass/-/node-sass-4.13.1.tgz

Path to dependency file: /tmp/ws-scm/gatsby-one/package.json

Path to vulnerable library: /gatsby-one/node_modules/node-sass/package.json

Dependency Hierarchy:

  • node-sass-4.13.1.tgz (Vulnerable Library)

Found in HEAD commit: a5bf8acca7cd42003efe74a9db60e62230bc1c63

Vulnerability Details

LibSass 3.5.4 allows attackers to cause a denial-of-service (uncontrolled recursion in Sass::Complex_Selector::perform in ast.hpp and Sass::Inspect::operator in inspect.cpp).

Publish Date: 2019-04-23

URL: CVE-2018-20822

CVSS 3 Score Details (6.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20822

Release Date: 2019-08-06

Fix Resolution: LibSass - 3.6.0

  • Check this box to open an automated fix PR

CVE-2018-11693 (High) detected in node-sass-4.13.1.tgz, node-sass-v4.13.1

CVE-2018-11693 - High Severity Vulnerability

Vulnerable Libraries - node-sass-4.13.1.tgz

node-sass-4.13.1.tgz

Wrapper around libsass

Library home page: https://registry.npmjs.org/node-sass/-/node-sass-4.13.1.tgz

Path to dependency file: /tmp/ws-scm/gatsby-one/package.json

Path to vulnerable library: /gatsby-one/node_modules/node-sass/package.json

Dependency Hierarchy:

  • node-sass-4.13.1.tgz (Vulnerable Library)

Found in HEAD commit: a5bf8acca7cd42003efe74a9db60e62230bc1c63

Vulnerability Details

An issue was discovered in LibSass through 3.5.4. An out-of-bounds read of a memory region was found in the function Sass::Prelexer::skip_over_scopes which could be leveraged by an attacker to disclose information or manipulated to read from unmapped memory causing a denial of service.

Publish Date: 2018-06-04

URL: CVE-2018-11693

CVSS 3 Score Details (8.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11693

Release Date: 2018-06-04

Fix Resolution: LibSass - 3.5.5

  • Check this box to open an automated fix PR

CVE-2019-6284 (Medium) detected in node-sass-4.13.1.tgz, node-sass-v4.13.1

CVE-2019-6284 - Medium Severity Vulnerability

Vulnerable Libraries - node-sass-4.13.1.tgz

node-sass-4.13.1.tgz

Wrapper around libsass

Library home page: https://registry.npmjs.org/node-sass/-/node-sass-4.13.1.tgz

Path to dependency file: /tmp/ws-scm/gatsby-one/package.json

Path to vulnerable library: /gatsby-one/node_modules/node-sass/package.json

Dependency Hierarchy:

  • node-sass-4.13.1.tgz (Vulnerable Library)

Found in HEAD commit: a5bf8acca7cd42003efe74a9db60e62230bc1c63

Vulnerability Details

In LibSass 3.5.5, a heap-based buffer over-read exists in Sass::Prelexer::alternatives in prelexer.hpp.

Publish Date: 2019-01-14

URL: CVE-2019-6284

CVSS 3 Score Details (6.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6284

Release Date: 2019-08-06

Fix Resolution: LibSass - 3.6.0

  • Check this box to open an automated fix PR

CVE-2018-19826 (Medium) detected in node-sass-4.13.1.tgz, node-sass-v4.13.1

CVE-2018-19826 - Medium Severity Vulnerability

Vulnerable Libraries - node-sass-4.13.1.tgz

node-sass-4.13.1.tgz

Wrapper around libsass

Library home page: https://registry.npmjs.org/node-sass/-/node-sass-4.13.1.tgz

Path to dependency file: /tmp/ws-scm/gatsby-one/package.json

Path to vulnerable library: /gatsby-one/node_modules/node-sass/package.json

Dependency Hierarchy:

  • node-sass-4.13.1.tgz (Vulnerable Library)

Found in HEAD commit: a5bf8acca7cd42003efe74a9db60e62230bc1c63

Vulnerability Details

** DISPUTED ** In inspect.cpp in LibSass 3.5.5, a high memory footprint caused by an endless loop (containing a Sass::Inspect::operator()(Sass::String_Quoted*) stack frame) may cause a Denial of Service via crafted sass input files with stray '&' or '/' characters. NOTE: Upstream comments indicate this issue is closed as "won't fix" and "works as intended" by design.

Publish Date: 2018-12-03

URL: CVE-2018-19826

CVSS 3 Score Details (6.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19826

Release Date: 2019-09-01

Fix Resolution: LibSass - 3.6.0

  • Check this box to open an automated fix PR

CVE-2018-11698 (High) detected in node-sass-4.13.1.tgz, node-sass-v4.13.1

CVE-2018-11698 - High Severity Vulnerability

Vulnerable Libraries - node-sass-4.13.1.tgz

node-sass-4.13.1.tgz

Wrapper around libsass

Library home page: https://registry.npmjs.org/node-sass/-/node-sass-4.13.1.tgz

Path to dependency file: /tmp/ws-scm/gatsby-one/package.json

Path to vulnerable library: /gatsby-one/node_modules/node-sass/package.json

Dependency Hierarchy:

  • node-sass-4.13.1.tgz (Vulnerable Library)

Found in HEAD commit: a5bf8acca7cd42003efe74a9db60e62230bc1c63

Vulnerability Details

An issue was discovered in LibSass through 3.5.4. An out-of-bounds read of a memory region was found in the function Sass::handle_error which could be leveraged by an attacker to disclose information or manipulated to read from unmapped memory causing a denial of service.

Publish Date: 2018-06-04

URL: CVE-2018-11698

CVSS 3 Score Details (8.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11698

Release Date: 2019-08-06

Fix Resolution: LibSass - 3.6.0

  • Check this box to open an automated fix PR

CVE-2020-8116 (High) detected in dot-prop-4.2.0.tgz

CVE-2020-8116 - High Severity Vulnerability

Vulnerable Library - dot-prop-4.2.0.tgz

Get, set, or delete a property from a nested object using a dot path

Library home page: https://registry.npmjs.org/dot-prop/-/dot-prop-4.2.0.tgz

Path to dependency file: /tmp/ws-scm/gatsby-one/package.json

Path to vulnerable library: /tmp/ws-scm/gatsby-one/node_modules/update-notifier/node_modules/dot-prop/package.json

Dependency Hierarchy:

  • gatsby-2.20.10.tgz (Root Library)
    • devcert-1.1.0.tgz
      • configstore-3.1.2.tgz
        • dot-prop-4.2.0.tgz (Vulnerable Library)

Found in HEAD commit: a5bf8acca7cd42003efe74a9db60e62230bc1c63

Vulnerability Details

Prototype pollution vulnerability in dot-prop npm package version 5.1.0 and earlier allows an attacker to add arbitrary properties to JavaScript language constructs such as objects.

Publish Date: 2020-02-04

URL: CVE-2020-8116

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8116

Release Date: 2020-02-04

Fix Resolution: dot-prop - 5.1.1

CVE-2012-6708 (Medium) detected in jquery-1.7.1.min.js

CVE-2012-6708 - Medium Severity Vulnerability

Vulnerable Library - jquery-1.7.1.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.7.1/jquery.min.js

Path to dependency file: /tmp/ws-scm/gatsby-one/node_modules/sockjs/examples/express/index.html

Path to vulnerable library: /gatsby-one/node_modules/sockjs/examples/express/index.html,/gatsby-one/node_modules/sockjs/examples/hapi/html/index.html,/gatsby-one/node_modules/sockjs/examples/echo/index.html,/gatsby-one/node_modules/sockjs/examples/multiplex/index.html,/gatsby-one/node_modules/sockjs/examples/express-3.x/index.html

Dependency Hierarchy:

  • jquery-1.7.1.min.js (Vulnerable Library)

Found in HEAD commit: a5bf8acca7cd42003efe74a9db60e62230bc1c63

Vulnerability Details

jQuery before 1.9.0 is vulnerable to Cross-site Scripting (XSS) attacks. The jQuery(strInput) function does not differentiate selectors from HTML in a reliable fashion. In vulnerable versions, jQuery determined whether the input was HTML by looking for the '<' character anywhere in the string, giving attackers more flexibility when attempting to construct a malicious payload. In fixed versions, jQuery only deems the input to be HTML if it explicitly starts with the '<' character, limiting exploitability only to attackers who can control the beginning of a string, which is far less common.

Publish Date: 2018-01-18

URL: CVE-2012-6708

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2012-6708

Release Date: 2018-01-18

Fix Resolution: jQuery - v1.9.0

CVE-2018-19827 (High) detected in multiple libraries

CVE-2018-19827 - High Severity Vulnerability

Vulnerable Libraries - node-sass-4.13.1.tgz

node-sass-4.13.1.tgz

Wrapper around libsass

Library home page: https://registry.npmjs.org/node-sass/-/node-sass-4.13.1.tgz

Path to dependency file: /tmp/ws-scm/gatsby-one/package.json

Path to vulnerable library: /gatsby-one/node_modules/node-sass/package.json

Dependency Hierarchy:

  • node-sass-4.13.1.tgz (Vulnerable Library)

Found in HEAD commit: a5bf8acca7cd42003efe74a9db60e62230bc1c63

Vulnerability Details

In LibSass 3.5.5, a use-after-free vulnerability exists in the SharedPtr class in SharedPtr.cpp (or SharedPtr.hpp) that may cause a denial of service (application crash) or possibly have unspecified other impact.

Publish Date: 2018-12-03

URL: CVE-2018-19827

CVSS 3 Score Details (8.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: sass/libsass#2784

Release Date: 2019-08-29

Fix Resolution: LibSass - 3.6.0

  • Check this box to open an automated fix PR

CVE-2018-19838 (Medium) detected in node-sass-4.13.1.tgz, node-sass-v4.13.1

CVE-2018-19838 - Medium Severity Vulnerability

Vulnerable Libraries - node-sass-4.13.1.tgz

node-sass-4.13.1.tgz

Wrapper around libsass

Library home page: https://registry.npmjs.org/node-sass/-/node-sass-4.13.1.tgz

Path to dependency file: /tmp/ws-scm/gatsby-one/package.json

Path to vulnerable library: /gatsby-one/node_modules/node-sass/package.json

Dependency Hierarchy:

  • node-sass-4.13.1.tgz (Vulnerable Library)

Found in HEAD commit: a5bf8acca7cd42003efe74a9db60e62230bc1c63

Vulnerability Details

In LibSass prior to 3.5.5, functions inside ast.cpp for IMPLEMENT_AST_OPERATORS expansion allow attackers to cause a denial-of-service resulting from stack consumption via a crafted sass file, as demonstrated by recursive calls involving clone(), cloneChildren(), and copy().

Publish Date: 2018-12-04

URL: CVE-2018-19838

CVSS 3 Score Details (6.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://github.com/sass/libsass/blob/3.6.0/src/ast.cpp

Release Date: 2019-07-01

Fix Resolution: LibSass - 3.6.0

  • Check this box to open an automated fix PR

CVE-2019-6283 (Medium) detected in node-sass-4.13.1.tgz, node-sass-v4.13.1

CVE-2019-6283 - Medium Severity Vulnerability

Vulnerable Libraries - node-sass-4.13.1.tgz

node-sass-4.13.1.tgz

Wrapper around libsass

Library home page: https://registry.npmjs.org/node-sass/-/node-sass-4.13.1.tgz

Path to dependency file: /tmp/ws-scm/gatsby-one/package.json

Path to vulnerable library: /gatsby-one/node_modules/node-sass/package.json

Dependency Hierarchy:

  • node-sass-4.13.1.tgz (Vulnerable Library)

Found in HEAD commit: a5bf8acca7cd42003efe74a9db60e62230bc1c63

Vulnerability Details

In LibSass 3.5.5, a heap-based buffer over-read exists in Sass::Prelexer::parenthese_scope in prelexer.hpp.

Publish Date: 2019-01-14

URL: CVE-2019-6283

CVSS 3 Score Details (6.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6284

Release Date: 2019-08-06

Fix Resolution: LibSass - 3.6.0

  • Check this box to open an automated fix PR

CVE-2018-11499 (High) detected in node-sass-4.13.1.tgz, node-sass-v4.13.1

CVE-2018-11499 - High Severity Vulnerability

Vulnerable Libraries - node-sass-4.13.1.tgz

node-sass-4.13.1.tgz

Wrapper around libsass

Library home page: https://registry.npmjs.org/node-sass/-/node-sass-4.13.1.tgz

Path to dependency file: /tmp/ws-scm/gatsby-one/package.json

Path to vulnerable library: /gatsby-one/node_modules/node-sass/package.json

Dependency Hierarchy:

  • node-sass-4.13.1.tgz (Vulnerable Library)

Found in HEAD commit: a5bf8acca7cd42003efe74a9db60e62230bc1c63

Vulnerability Details

A use-after-free vulnerability exists in handle_error() in sass_context.cpp in LibSass 3.4.x and 3.5.x through 3.5.4 that could be leveraged to cause a denial of service (application crash) or possibly unspecified other impact.

Publish Date: 2018-05-26

URL: CVE-2018-11499

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11499

Release Date: 2018-05-26

Fix Resolution: LibSass - 3.6.0

  • Check this box to open an automated fix PR

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. 📊📈🎉

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google ❤️ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.