GithubHelp home page GithubHelp logo

harrinry / core Goto Github PK

View Code? Open in Web Editor NEW

This project forked from drupal/core

0.0 0.0 0.0 144.38 MB

Subtree split of drupal's /core directory

License: GNU General Public License v2.0

PHP 86.42% JavaScript 4.84% CSS 4.59% HTML 0.14% Shell 0.15% Twig 3.86%

core's People

Contributors

alexpott avatar ayeletcr avatar bbenjamin avatar bramg avatar crell avatar damz avatar davereid avatar dbuytaert avatar deviantintegral avatar donquixote avatar eclipsegc avatar edysmp avatar effulgentsia avatar goba avatar heyrocker avatar jhodgdon-drp avatar jodyhamilton avatar junowilderness avatar katbailey avatar larowlan avatar lauriii avatar linclark avatar neclimdul avatar niklasf avatar pounard avatar quicksketch avatar sun avatar timplunkett avatar webchick avatar xjm avatar

core's Issues

CVE-2021-23555 (High) detected in vm2-3.9.5.tgz

CVE-2021-23555 - High Severity Vulnerability

Vulnerable Library - vm2-3.9.5.tgz

vm2 is a sandbox that can run untrusted code with whitelisted Node's built-in modules. Securely!

Library home page: https://registry.npmjs.org/vm2/-/vm2-3.9.5.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/vm2/package.json

Dependency Hierarchy:

  • nightwatch-1.7.11.tgz (Root Library)
    • proxy-agent-5.0.0.tgz
      • pac-proxy-agent-5.0.0.tgz
        • pac-resolver-5.0.0.tgz
          • degenerator-3.0.1.tgz
            • vm2-3.9.5.tgz (Vulnerable Library)

Found in base branch: 9.4.x

Vulnerability Details

The package vm2 before 3.9.6 are vulnerable to Sandbox Bypass via direct access to host error objects generated by node internals during generation of a stacktraces, which can lead to execution of arbitrary code on the host machine.

Publish Date: 2022-02-11

URL: CVE-2021-23555

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23555

Release Date: 2022-02-11

Fix Resolution: vm2 - 3.9.6

CVE-2022-0536 (Low) detected in follow-redirects-1.14.4.tgz

CVE-2022-0536 - Low Severity Vulnerability

Vulnerable Library - follow-redirects-1.14.4.tgz

HTTP and HTTPS modules that follow redirects.

Library home page: https://registry.npmjs.org/follow-redirects/-/follow-redirects-1.14.4.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/follow-redirects/package.json

Dependency Hierarchy:

  • chromedriver-87.0.7.tgz (Root Library)
    • axios-0.21.4.tgz
      • follow-redirects-1.14.4.tgz (Vulnerable Library)

Found in base branch: 9.4.x

Vulnerability Details

Exposure of Sensitive Information to an Unauthorized Actor in NPM follow-redirects prior to 1.14.8.

Publish Date: 2022-02-09

URL: CVE-2022-0536

CVSS 3 Score Details (2.6)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Adjacent
    • Attack Complexity: High
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: None
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0536

Release Date: 2022-02-09

Fix Resolution (follow-redirects): 1.14.8

Direct dependency fix Resolution (chromedriver): 88.0.0

⛑️ Automatic Remediation is available for this issue

CVE-2021-3803 (High) detected in nth-check-1.0.2.tgz

CVE-2021-3803 - High Severity Vulnerability

Vulnerable Library - nth-check-1.0.2.tgz

performant nth-check parser & compiler

Library home page: https://registry.npmjs.org/nth-check/-/nth-check-1.0.2.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/nth-check/package.json

Dependency Hierarchy:

  • ckeditor5-dev-utils-25.4.5.tgz (Root Library)
    • cssnano-4.1.11.tgz
      • cssnano-preset-default-4.0.8.tgz
        • postcss-svgo-4.0.3.tgz
          • svgo-1.3.2.tgz
            • css-select-2.1.0.tgz
              • nth-check-1.0.2.tgz (Vulnerable Library)

Found in HEAD commit: b709d5d52c63939480cdc94350a24a9aca4df838

Found in base branch: 9.4.x

Vulnerability Details

nth-check is vulnerable to Inefficient Regular Expression Complexity

Publish Date: 2021-09-17

URL: CVE-2021-3803

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: fb55/nth-check@v2.0.0...v2.0.1

Release Date: 2021-09-17

Fix Resolution: nth-check - v2.0.1

CVE-2021-3807 (High) detected in ansi-regex-4.1.0.tgz, ansi-regex-3.0.0.tgz

CVE-2021-3807 - High Severity Vulnerability

Vulnerable Libraries - ansi-regex-4.1.0.tgz, ansi-regex-3.0.0.tgz

ansi-regex-4.1.0.tgz

Regular expression for matching ANSI escape codes

Library home page: https://registry.npmjs.org/ansi-regex/-/ansi-regex-4.1.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/ansi-regex/package.json

Dependency Hierarchy:

  • nightwatch-1.7.11.tgz (Root Library)
    • mocha-6.2.3.tgz
      • yargs-13.3.2.tgz
        • cliui-5.0.0.tgz
          • strip-ansi-5.2.0.tgz
            • ansi-regex-4.1.0.tgz (Vulnerable Library)
ansi-regex-3.0.0.tgz

Regular expression for matching ANSI escape codes

Library home page: https://registry.npmjs.org/ansi-regex/-/ansi-regex-3.0.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/ansi-regex/package.json

Dependency Hierarchy:

  • nightwatch-1.7.11.tgz (Root Library)
    • mocha-6.2.3.tgz
      • wide-align-1.1.3.tgz
        • string-width-2.1.1.tgz
          • strip-ansi-4.0.0.tgz
            • ansi-regex-3.0.0.tgz (Vulnerable Library)

Found in HEAD commit: b709d5d52c63939480cdc94350a24a9aca4df838

Found in base branch: 9.4.x

Vulnerability Details

ansi-regex is vulnerable to Inefficient Regular Expression Complexity

Publish Date: 2021-09-17

URL: CVE-2021-3807

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://huntr.dev/bounties/5b3cf33b-ede0-4398-9974-800876dfd994/

Release Date: 2021-09-17

Fix Resolution (ansi-regex): 5.0.1

Direct dependency fix Resolution (nightwatch): 2.0.0-alpha.3

Fix Resolution (ansi-regex): 5.0.1

Direct dependency fix Resolution (nightwatch): 2.0.0-alpha.3

⛑️ Automatic Remediation is available for this issue

CVE-2021-3918 (High) detected in json-schema-0.2.3.tgz

CVE-2021-3918 - High Severity Vulnerability

Vulnerable Library - json-schema-0.2.3.tgz

JSON Schema validation and specifications

Library home page: https://registry.npmjs.org/json-schema/-/json-schema-0.2.3.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/json-schema/package.json

Dependency Hierarchy:

  • nightwatch-1.7.11.tgz (Root Library)
    • request-2.88.2.tgz
      • http-signature-1.2.0.tgz
        • jsprim-1.4.1.tgz
          • json-schema-0.2.3.tgz (Vulnerable Library)

Found in HEAD commit: b709d5d52c63939480cdc94350a24a9aca4df838

Found in base branch: 9.4.x

Vulnerability Details

json-schema is vulnerable to Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

Publish Date: 2021-11-13

URL: CVE-2021-3918

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2021-3918

Release Date: 2021-11-13

Fix Resolution (json-schema): 0.4.0

Direct dependency fix Resolution (nightwatch): 1.7.12

⛑️ Automatic Remediation is available for this issue

CVE-2022-0155 (Medium) detected in follow-redirects-1.14.4.tgz

CVE-2022-0155 - Medium Severity Vulnerability

Vulnerable Library - follow-redirects-1.14.4.tgz

HTTP and HTTPS modules that follow redirects.

Library home page: https://registry.npmjs.org/follow-redirects/-/follow-redirects-1.14.4.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/follow-redirects/package.json

Dependency Hierarchy:

  • chromedriver-87.0.7.tgz (Root Library)
    • axios-0.21.4.tgz
      • follow-redirects-1.14.4.tgz (Vulnerable Library)

Found in HEAD commit: b709d5d52c63939480cdc94350a24a9aca4df838

Found in base branch: 9.4.x

Vulnerability Details

follow-redirects is vulnerable to Exposure of Private Personal Information to an Unauthorized Actor

Publish Date: 2022-01-10

URL: CVE-2022-0155

CVSS 3 Score Details (6.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://huntr.dev/bounties/fc524e4b-ebb6-427d-ab67-a64181020406/

Release Date: 2022-01-10

Fix Resolution (follow-redirects): 1.14.8

Direct dependency fix Resolution (chromedriver): 88.0.0

⛑️ Automatic Remediation is available for this issue

CVE-2022-0144 (High) detected in shelljs-0.8.4.tgz

CVE-2022-0144 - High Severity Vulnerability

Vulnerable Library - shelljs-0.8.4.tgz

Portable Unix shell commands for Node.js

Library home page: https://registry.npmjs.org/shelljs/-/shelljs-0.8.4.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/shelljs/package.json

Dependency Hierarchy:

  • ckeditor5-dev-utils-25.4.5.tgz (Root Library)
    • shelljs-0.8.4.tgz (Vulnerable Library)

Found in HEAD commit: b709d5d52c63939480cdc94350a24a9aca4df838

Found in base branch: 9.4.x

Vulnerability Details

shelljs is vulnerable to Improper Privilege Management

Publish Date: 2022-01-11

URL: CVE-2022-0144

CVSS 3 Score Details (7.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: shelljs/shelljs@d919d22

Release Date: 2022-01-11

Fix Resolution (shelljs): 0.8.5

Direct dependency fix Resolution (@ckeditor/ckeditor5-dev-utils): 28.0.2

⛑️ Automatic Remediation is available for this issue

CVE-2020-28469 (High) detected in glob-parent-3.1.0.tgz

CVE-2020-28469 - High Severity Vulnerability

Vulnerable Library - glob-parent-3.1.0.tgz

Strips glob magic from a string to provide the parent directory path

Library home page: https://registry.npmjs.org/glob-parent/-/glob-parent-3.1.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/glob-parent/package.json

Dependency Hierarchy:

  • ckeditor5-dev-utils-25.4.5.tgz (Root Library)
    • postcss-mixins-6.2.3.tgz
      • globby-8.0.2.tgz
        • fast-glob-2.2.7.tgz
          • glob-parent-3.1.0.tgz (Vulnerable Library)

Found in HEAD commit: b709d5d52c63939480cdc94350a24a9aca4df838

Found in base branch: 9.4.x

Vulnerability Details

This affects the package glob-parent before 5.1.2. The enclosure regex used to check for strings ending in enclosure containing path separator.

Publish Date: 2021-06-03

URL: CVE-2020-28469

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28469

Release Date: 2021-06-03

Fix Resolution: glob-parent - 5.1.2

CVE-2021-33587 (High) detected in css-what-3.4.2.tgz

CVE-2021-33587 - High Severity Vulnerability

Vulnerable Library - css-what-3.4.2.tgz

a CSS selector parser

Library home page: https://registry.npmjs.org/css-what/-/css-what-3.4.2.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/css-what/package.json

Dependency Hierarchy:

  • ckeditor5-dev-utils-25.4.5.tgz (Root Library)
    • cssnano-4.1.11.tgz
      • cssnano-preset-default-4.0.8.tgz
        • postcss-svgo-4.0.3.tgz
          • svgo-1.3.2.tgz
            • css-select-2.1.0.tgz
              • css-what-3.4.2.tgz (Vulnerable Library)

Found in HEAD commit: b709d5d52c63939480cdc94350a24a9aca4df838

Found in base branch: 9.4.x

Vulnerability Details

The css-what package 4.0.0 through 5.0.0 for Node.js does not ensure that attribute parsing has Linear Time Complexity relative to the size of the input.

Publish Date: 2021-05-28

URL: CVE-2021-33587

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33587

Release Date: 2021-05-28

Fix Resolution: css-what - 5.0.1

CVE-2021-33502 (High) detected in normalize-url-3.3.0.tgz

CVE-2021-33502 - High Severity Vulnerability

Vulnerable Library - normalize-url-3.3.0.tgz

Normalize a URL

Library home page: https://registry.npmjs.org/normalize-url/-/normalize-url-3.3.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/normalize-url/package.json

Dependency Hierarchy:

  • ckeditor5-dev-utils-25.4.5.tgz (Root Library)
    • cssnano-4.1.11.tgz
      • cssnano-preset-default-4.0.8.tgz
        • postcss-normalize-url-4.0.1.tgz
          • normalize-url-3.3.0.tgz (Vulnerable Library)

Found in HEAD commit: b709d5d52c63939480cdc94350a24a9aca4df838

Found in base branch: 9.4.x

Vulnerability Details

The normalize-url package before 4.5.1, 5.x before 5.3.1, and 6.x before 6.0.1 for Node.js has a ReDoS (regular expression denial of service) issue because it has exponential performance for data: URLs.

Publish Date: 2021-05-24

URL: CVE-2021-33502

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33502

Release Date: 2021-05-24

Fix Resolution: normalize-url - 4.5.1, 5.3.1, 6.0.1

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. 📊📈🎉

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google ❤️ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.