
dvna's Introduction

Damn Vulnerable NodeJS Application (DVNA)


Damn Vulnerable NodeJS Application (DVNA) is a simple NodeJS application to demonstrate OWASP Top 10 Vulnerabilities and guide on fixing and avoiding these vulnerabilities. The fixes branch will contain fixes for the vulnerabilities. Fixes for the OWASP Top 10 2017 vulnerabilities are in the fixes-2017 branch.

The application is powered by commonly used libraries such as express, passport, sequelize, etc.

Developer Security Guide book

The application comes with a developer-friendly, comprehensive guidebook which can be used to learn, avoid and fix the vulnerabilities. The guide, available at https://appsecco.com/books/dvna-developers-security-guide/, covers the following:

  1. Instructions for setting up DVNA
  2. Instructions on exploiting the vulnerabilities
  3. Vulnerable code snippets and instructions on fixing vulnerabilities
  4. Recommendations for avoiding such vulnerabilities
  5. References for learning more

The blog post for this release is at https://blog.appsecco.com/damn-vulnerable-nodejs-application-dvna-by-appsecco-7d782d36dc1e

Quick start

Try DVNA using a single command with Docker. This setup uses an SQLite database instead of MySQL.

docker run --name dvna -p 9090:9090 -d appsecco/dvna:sqlite

Access the application at http://127.0.0.1:9090/

Getting Started

DVNA can be deployed in three ways

  1. For Developers, using docker-compose with auto-reload on code updates
  2. For Security Testers, using the Official image from Docker Hub
  3. For Advanced Users, using a fully manual setup

Detailed instructions on setup and requirements are given in the Guide Gitbook

Development Setup

Clone this repository

git clone https://github.com/appsecco/dvna; cd dvna

Create a vars.env with the desired database configuration

MYSQL_USER=dvna
MYSQL_DATABASE=dvna
MYSQL_PASSWORD=passw0rd
MYSQL_RANDOM_ROOT_PASSWORD=yes

Start the application and database using docker-compose

docker-compose up

Access the application at http://127.0.0.1:9090/

The application will automatically reload on code changes, so feel free to patch and play around with the application.

Using Official Docker Image

Create a file named vars.env with the following configuration

MYSQL_USER=dvna
MYSQL_DATABASE=dvna
MYSQL_PASSWORD=passw0rd
MYSQL_RANDOM_ROOT_PASSWORD=yes
MYSQL_HOST=mysql-db
MYSQL_PORT=3306

Start a MySQL container

docker run --name dvna-mysql --env-file vars.env -d mysql:5.7

Start the application using the official image

docker run --name dvna-app --env-file vars.env --link dvna-mysql:mysql-db -p 9090:9090 appsecco/dvna

Access the application at http://127.0.0.1:9090/ and start testing!

Manual Setup

Clone the repository

git clone https://github.com/appsecco/dvna; cd dvna

Configure the environment variables with your database information

export MYSQL_USER=dvna
export MYSQL_DATABASE=dvna
export MYSQL_PASSWORD=passw0rd
export MYSQL_HOST=127.0.0.1
export MYSQL_PORT=3306

Install Dependencies

npm install

Start the application

npm start

Access the application at http://localhost:9090

TODO

  • Link commits to fixes in documentation
  • Add new vulnerabilities from OWASP Top 10 2017
  • Improve application features, documentation

Contributing

In case of bugs in the application, please create an issue on GitHub. Pull requests are highly welcome!

Thanks

Abhisek Datta - abhisek for application architecture and front-end code

License

MIT


dvna's Issues

CVE-2020-11022 (Medium) detected in jquery-1.11.1.js

CVE-2020-11022 - Medium Severity Vulnerability

Vulnerable Library - jquery-1.11.1.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.11.1/jquery.js

Path to dependency file: dvna/node_modules/javascript-natural-sort/unit-tests.html

Path to vulnerable library: dvna/node_modules/javascript-natural-sort/unit-tests.html

Dependency Hierarchy:

  • jquery-1.11.1.js (Vulnerable Library)

Found in HEAD commit: 36c617da7227c5471a24ab8d026c496382f77ef5

Found in base branch: main

Vulnerability Details

In jQuery versions greater than or equal to 1.2 and before 3.5.0, passing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.

Publish Date: 2020-04-29

URL: CVE-2020-11022

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None


Suggested Fix

Type: Upgrade version

Origin: https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/

Release Date: 2020-04-29

Fix Resolution: jQuery - 3.5.0

CVE-2018-14404 (High) detected in juice-shopjuice-shop-8.5.1_node11_windows_x64

CVE-2018-14404 - High Severity Vulnerability

Vulnerable Library - juice-shopjuice-shop-8.5.1_node11_windows_x64

Probably the most modern and sophisticated insecure web application

Library home page: https://sourceforge.net/projects/juice-shop/

Found in HEAD commit: ebbe518de6103063656cb8a1c3d1040aacb09826

Found in base branch: main

Vulnerable Source Files (1)

dvna/node_modules/libxmljs/vendor/libxml/xpath.c

Vulnerability Details

A NULL pointer dereference vulnerability exists in the xpath.c:xmlXPathCompOpEval() function of libxml2 through 2.9.8 when parsing an invalid XPath expression in the XPATH_OP_AND or XPATH_OP_OR case. Applications processing untrusted XSL format inputs with the use of the libxml2 library may be vulnerable to a denial of service attack due to a crash of the application.

Publish Date: 2018-07-19

URL: CVE-2018-14404

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: GNOME/libxml2@a436374

Release Date: 2018-07-19

Fix Resolution: nokogiri- 2.9.5, libxml2 - 2.9.9

CVE-2017-9049 (High) detected in https://source.codeaurora.org/quic/la/platform/external/libxml2/LA.UM.6.6.c27-04000-89xx.0

CVE-2017-9049 - High Severity Vulnerability

Vulnerable Library - https://source.codeaurora.org/quic/la/platform/external/libxml2/LA.UM.6.6.c27-04000-89xx.0

Library home page: https://source.codeaurora.org/quic/la/platform/external/libxml2/

Found in HEAD commit: ebbe518de6103063656cb8a1c3d1040aacb09826

Found in base branch: main

Vulnerable Source Files (1)

dvna/node_modules/libxmljs/vendor/libxml/parser.c

Vulnerability Details

libxml2 20904-GITv2.9.4-16-g0741801 is vulnerable to a heap-based buffer over-read in the xmlDictComputeFastKey function in dict.c. This vulnerability causes programs that use libxml2, such as PHP, to crash. This vulnerability exists because of an incomplete fix for libxml2 Bug 759398.

Publish Date: 2017-05-18

URL: CVE-2017-9049

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9049

Release Date: 2017-05-18

Fix Resolution: v2.9.4

CVE-2021-3518 (High) detected in gettextv0.20.1

CVE-2021-3518 - High Severity Vulnerability

Vulnerable Library - gettextv0.20.1

git://git.savannah.gnu.org/gettext.git

Library home page: https://github.com/autotools-mirror/gettext.git

Found in HEAD commit: 36c617da7227c5471a24ab8d026c496382f77ef5

Found in base branch: main

Vulnerable Source Files (1)

dvna/node_modules/libxmljs/vendor/libxml/xinclude.c

Vulnerability Details

There's a flaw in libxml2 in versions before 2.9.11. An attacker who is able to submit a crafted file to be processed by an application linked with libxml2 could trigger a use-after-free. The greatest impact from this flaw is to confidentiality, integrity, and availability.

Publish Date: 2021-05-18

URL: CVE-2021-3518

CVSS 3 Score Details (8.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: https://bugzilla.redhat.com/show_bug.cgi?id=1954242

Fix Resolution: Upgrade to version libxml2 2.9.11 or greater

CVE-2015-9251 (Medium) detected in jquery-1.11.1.js

CVE-2015-9251 - Medium Severity Vulnerability

Vulnerable Library - jquery-1.11.1.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.11.1/jquery.js

Path to dependency file: dvna/node_modules/javascript-natural-sort/unit-tests.html

Path to vulnerable library: dvna/node_modules/javascript-natural-sort/unit-tests.html

Dependency Hierarchy:

  • jquery-1.11.1.js (Vulnerable Library)

Found in HEAD commit: 36c617da7227c5471a24ab8d026c496382f77ef5

Found in base branch: main

Vulnerability Details

jQuery before 3.0.0 is vulnerable to Cross-site Scripting (XSS) attacks when a cross-domain Ajax request is performed without the dataType option, causing text/javascript responses to be executed.

Publish Date: 2018-01-18

URL: CVE-2015-9251

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None


Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2015-9251

Release Date: 2018-01-18

Fix Resolution: jQuery - v3.0.0

CVE-2020-7746 (High) detected in Chart-2.5.0.min.js

CVE-2020-7746 - High Severity Vulnerability

Vulnerable Library - Chart-2.5.0.min.js

Simple HTML5 charts using the canvas element.

Library home page: https://cdnjs.cloudflare.com/ajax/libs/Chart.js/2.5.0/Chart.min.js

Path to dependency file: dvna/node_modules/mathjs/examples/browser/rocket_trajectory_optimization.html

Path to vulnerable library: dvna/node_modules/mathjs/examples/browser/rocket_trajectory_optimization.html

Dependency Hierarchy:

  • Chart-2.5.0.min.js (Vulnerable Library)

Found in HEAD commit: 36c617da7227c5471a24ab8d026c496382f77ef5

Found in base branch: main

Vulnerability Details

This affects the package chart.js before 2.9.4. The options parameter is not properly sanitized when it is processed. When the options are processed, the existing options (or the defaults options) are deeply merged with provided options. However, during this operation, the keys of the object being set are not checked, leading to a prototype pollution.

Publish Date: 2020-10-29

URL: CVE-2020-7746

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7746

Release Date: 2020-07-21

Fix Resolution: chart.js - 2.9.4

CVE-2020-24977 (Medium) detected in gettextv0.20.1

CVE-2020-24977 - Medium Severity Vulnerability

Vulnerable Library - gettextv0.20.1

git://git.savannah.gnu.org/gettext.git

Library home page: https://github.com/autotools-mirror/gettext.git

Found in HEAD commit: ebbe518de6103063656cb8a1c3d1040aacb09826

Found in base branch: main

Vulnerable Source Files (1)

dvna/node_modules/libxmljs/vendor/libxml/xmlschemastypes.c

Vulnerability Details

GNOME project libxml2 v2.9.10 has a global buffer over-read vulnerability in xmlEncodeEntitiesInternal at libxml2/entities.c. The issue has been fixed in commit 50f06b3e.

Publish Date: 2020-09-04

URL: CVE-2020-24977

CVSS 3 Score Details (6.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: None
    • Availability Impact: Low


Suggested Fix

Type: Upgrade version

Origin: https://lists.fedoraproject.org/archives/list/[email protected]/message/2NQ5GTDYOVH26PBCPYXXMGW5ZZXWMGZC/

Release Date: 2020-09-04

Fix Resolution: 2.9.10-7

CVE-2018-9251 (Medium) detected in https://source.codeaurora.org/quic/la/platform/external/libxml2/LA.UM.6.6.c27-04000-89xx.0

CVE-2018-9251 - Medium Severity Vulnerability

Vulnerable Library - https://source.codeaurora.org/quic/la/platform/external/libxml2/LA.UM.6.6.c27-04000-89xx.0

Library home page: https://source.codeaurora.org/quic/la/platform/external/libxml2/

Found in HEAD commit: ebbe518de6103063656cb8a1c3d1040aacb09826

Found in base branch: main

Vulnerable Source Files (1)

dvna/node_modules/libxmljs/vendor/libxml/xzlib.c

Vulnerability Details

The xz_decomp function in xzlib.c in libxml2 2.9.8, if --with-lzma is used, allows remote attackers to cause a denial of service (infinite loop) via a crafted XML file that triggers LZMA_MEMLIMIT_ERROR, as demonstrated by xmllint, a different vulnerability than CVE-2015-8035.

Publish Date: 2018-04-04

URL: CVE-2018-9251

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2018-9251

Release Date: 2018-04-04

Fix Resolution: v2.9.9-rc1

CVE-2020-7699 (High) detected in express-fileupload-0.4.0.tgz - autoclosed

CVE-2020-7699 - High Severity Vulnerability

Vulnerable Library - express-fileupload-0.4.0.tgz

Simple express file upload middleware that wraps around Busboy

Library home page: https://registry.npmjs.org/express-fileupload/-/express-fileupload-0.4.0.tgz

Path to dependency file: dvna/package.json

Path to vulnerable library: dvna/node_modules/express-fileupload/package.json

Dependency Hierarchy:

  • express-fileupload-0.4.0.tgz (Vulnerable Library)

Found in HEAD commit: ebbe518de6103063656cb8a1c3d1040aacb09826

Found in base branch: main

Vulnerability Details

This affects the package express-fileupload before 1.1.8. If the parseNested option is enabled, sending a corrupt HTTP request can lead to denial of service or arbitrary code execution.

Publish Date: 2020-07-30

URL: CVE-2020-7699

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: richardgirges/express-fileupload#236

Release Date: 2020-07-21

Fix Resolution: 1.1.8



CVE-2017-1001003 (High) detected in multiple libraries - autoclosed

CVE-2017-1001003 - High Severity Vulnerability

Vulnerable Libraries - math-3.10.1.js, math-3.10.1.min.js, mathjs-3.10.1.tgz

math-3.10.1.js

Math.js is an extensive math library for JavaScript and Node.js. It features a flexible expression parser and offers an integrated solution to work with numbers, big numbers, complex numbers, units, and matrices.

Library home page: https://cdnjs.cloudflare.com/ajax/libs/mathjs/3.10.1/math.js

Path to dependency file: dvna/node_modules/mathjs/examples/browser/angle_configuration.html

Path to vulnerable library: dvna/node_modules/mathjs/examples/browser/../../dist/math.js,dvna/node_modules/mathjs/test/../dist/math.js

Dependency Hierarchy:

  • math-3.10.1.js (Vulnerable Library)

math-3.10.1.min.js

Math.js is an extensive math library for JavaScript and Node.js. It features a flexible expression parser and offers an integrated solution to work with numbers, big numbers, complex numbers, units, and matrices.

Library home page: https://cdnjs.cloudflare.com/ajax/libs/mathjs/3.10.1/math.min.js

Path to dependency file: dvna/node_modules/mathjs/test/test.min.html

Path to vulnerable library: dvna/node_modules/mathjs/test/../dist/math.min.js

Dependency Hierarchy:

  • math-3.10.1.min.js (Vulnerable Library)

mathjs-3.10.1.tgz

Math.js is an extensive math library for JavaScript and Node.js. It features a flexible expression parser with support for symbolic computation, comes with a large set of built-in functions and constants, and offers an integrated solution to work with dif

Library home page: https://registry.npmjs.org/mathjs/-/mathjs-3.10.1.tgz

Path to dependency file: dvna/package.json

Path to vulnerable library: dvna/node_modules/mathjs/package.json

Dependency Hierarchy:

  • mathjs-3.10.1.tgz (Vulnerable Library)

Found in HEAD commit: ebbe518de6103063656cb8a1c3d1040aacb09826

Found in base branch: main

Vulnerability Details

math.js before 3.17.0 had an issue where private properties such as a constructor could be replaced by using unicode characters when creating an object.

Publish Date: 2017-11-27

URL: CVE-2017-1001003

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2017-1001003

Release Date: 2017-11-27

Fix Resolution: 3.17.0

CVE-2021-3541 (Medium) detected in https://source.codeaurora.org/quic/la/platform/external/libxml2/LA.UM.6.6.c27-04000-89xx.0

CVE-2021-3541 - Medium Severity Vulnerability

Vulnerable Library - https://source.codeaurora.org/quic/la/platform/external/libxml2/LA.UM.6.6.c27-04000-89xx.0

Library home page: https://source.codeaurora.org/quic/la/platform/external/libxml2/

Found in HEAD commit: 36c617da7227c5471a24ab8d026c496382f77ef5

Found in base branch: main

Vulnerable Source Files (1)

dvna/node_modules/libxmljs/vendor/libxml/parser.c

Vulnerability Details

A security issue was found in libxml2 before version 2.9.11. An exponential entity expansion attack is possible, bypassing all existing protection mechanisms and leading to denial of service.

Publish Date: 2021-05-10

URL: CVE-2021-3541

CVSS 3 Score Details (6.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: https://security.archlinux.org/CVE-2021-3541

Release Date: 2021-05-10

Fix Resolution: v2.9.11

CVE-2021-3537 (Medium) detected in https://source.codeaurora.org/quic/la/platform/external/libxml2/LA.UM.6.6.c27-04000-89xx.0

CVE-2021-3537 - Medium Severity Vulnerability

Vulnerable Library - https://source.codeaurora.org/quic/la/platform/external/libxml2/LA.UM.6.6.c27-04000-89xx.0

Library home page: https://source.codeaurora.org/quic/la/platform/external/libxml2/

Found in HEAD commit: 36c617da7227c5471a24ab8d026c496382f77ef5

Found in base branch: main

Vulnerable Source Files (1)

dvna/node_modules/libxmljs/vendor/libxml/parser.c

Vulnerability Details

A vulnerability found in libxml2 in versions before 2.9.11 shows that it did not propagate errors while parsing XML mixed content, causing a NULL dereference. If an untrusted XML document was parsed in recovery mode and post-validated, the flaw could be used to crash the application. The highest threat from this vulnerability is to system availability.

Publish Date: 2021-05-14

URL: CVE-2021-3537

CVSS 3 Score Details (5.9)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: https://bugzilla.redhat.com/show_bug.cgi?id=1956522

Release Date: 2021-05-14

Fix Resolution: libxml2 2.9.11

WS-2019-0314 (Medium) detected in express-fileupload-0.4.0.tgz - autoclosed

WS-2019-0314 - Medium Severity Vulnerability

Vulnerable Library - express-fileupload-0.4.0.tgz

Simple express file upload middleware that wraps around Busboy

Library home page: https://registry.npmjs.org/express-fileupload/-/express-fileupload-0.4.0.tgz

Path to dependency file: dvna/package.json

Path to vulnerable library: dvna/node_modules/express-fileupload/package.json

Dependency Hierarchy:

  • express-fileupload-0.4.0.tgz (Vulnerable Library)

Found in HEAD commit: ebbe518de6103063656cb8a1c3d1040aacb09826

Found in base branch: main

Vulnerability Details

In "richardgirges/express-fileupload", versions prior to v1.1.6-alpha.6 are vulnerable to DOS, as a result of an unparsed file name.

Publish Date: 2019-10-18

URL: WS-2019-0314

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: Low


Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/1216

Release Date: 2019-12-01

Fix Resolution: express-fileupload - 1.1.6-alpha.6



CVE-2017-1001002 (High) detected in multiple libraries - autoclosed

CVE-2017-1001002 - High Severity Vulnerability

Vulnerable Libraries - math-3.10.1.js, math-3.10.1.min.js, mathjs-3.10.1.tgz

math-3.10.1.js

Math.js is an extensive math library for JavaScript and Node.js. It features a flexible expression parser and offers an integrated solution to work with numbers, big numbers, complex numbers, units, and matrices.

Library home page: https://cdnjs.cloudflare.com/ajax/libs/mathjs/3.10.1/math.js

Path to dependency file: dvna/node_modules/mathjs/examples/browser/angle_configuration.html

Path to vulnerable library: dvna/node_modules/mathjs/examples/browser/../../dist/math.js,dvna/node_modules/mathjs/test/../dist/math.js

Dependency Hierarchy:

  • math-3.10.1.js (Vulnerable Library)

math-3.10.1.min.js

Math.js is an extensive math library for JavaScript and Node.js. It features a flexible expression parser and offers an integrated solution to work with numbers, big numbers, complex numbers, units, and matrices.

Library home page: https://cdnjs.cloudflare.com/ajax/libs/mathjs/3.10.1/math.min.js

Path to dependency file: dvna/node_modules/mathjs/test/test.min.html

Path to vulnerable library: dvna/node_modules/mathjs/test/../dist/math.min.js

Dependency Hierarchy:

  • math-3.10.1.min.js (Vulnerable Library)

mathjs-3.10.1.tgz

Math.js is an extensive math library for JavaScript and Node.js. It features a flexible expression parser with support for symbolic computation, comes with a large set of built-in functions and constants, and offers an integrated solution to work with dif

Library home page: https://registry.npmjs.org/mathjs/-/mathjs-3.10.1.tgz

Path to dependency file: dvna/package.json

Path to vulnerable library: dvna/node_modules/mathjs/package.json

Dependency Hierarchy:

  • mathjs-3.10.1.tgz (Vulnerable Library)

Found in HEAD commit: ebbe518de6103063656cb8a1c3d1040aacb09826

Found in base branch: main

Vulnerability Details

math.js before 3.17.0 had an arbitrary code execution in the JavaScript engine. Creating a typed function with JavaScript code in the name could result in arbitrary execution.

Publish Date: 2017-11-27

URL: CVE-2017-1001002

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2017-1001002

Release Date: 2017-11-27

Fix Resolution: 3.17.0

CVE-2017-1001004 (High) detected in null

CVE-2017-1001004 - High Severity Vulnerability

Vulnerable Library - null

Unmatched Source Files

Found in HEAD commit: ebbe518de6103063656cb8a1c3d1040aacb09826

Found in base branch: main

Vulnerable Source Files (1)

dvna/node_modules/typed-function/examples/../typed-function.js

Vulnerability Details

typed-function before 0.10.6 had an arbitrary code execution in the JavaScript engine. Creating a typed function with JavaScript code in the name could result in arbitrary execution.

Publish Date: 2017-11-27

URL: CVE-2017-1001004

CVSS 3 Score Details (8.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2017-1001004

Release Date: 2017-11-27

Fix Resolution: 0.10.6

CVE-2020-11023 (Medium) detected in jquery-1.11.1.js

CVE-2020-11023 - Medium Severity Vulnerability

Vulnerable Library - jquery-1.11.1.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.11.1/jquery.js

Path to dependency file: dvna/node_modules/javascript-natural-sort/unit-tests.html

Path to vulnerable library: dvna/node_modules/javascript-natural-sort/unit-tests.html

Dependency Hierarchy:

  • jquery-1.11.1.js (Vulnerable Library)

Found in HEAD commit: 36c617da7227c5471a24ab8d026c496382f77ef5

Found in base branch: main

Vulnerability Details

In jQuery versions greater than or equal to 1.0.3 and before 3.5.0, passing HTML containing elements from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.

Publish Date: 2020-04-29

URL: CVE-2020-11023

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None


Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11023

Release Date: 2020-04-29

Fix Resolution: jquery - 3.5.0

CVE-2018-9466 (Medium) detected in gettextv0.20.1, https://source.codeaurora.org/quic/la/platform/external/libxml2/LA.UM.6.6.c27-04000-89xx.0

CVE-2018-9466 - Medium Severity Vulnerability

Vulnerable Libraries - gettextv0.20.1, https://source.codeaurora.org/quic/la/platform/external/libxml2/LA.UM.6.6.c27-04000-89xx.0

Vulnerability Details

A Remote Code Execution was discovered in libxml2 before version 2.9.8.

Publish Date: 2019-01-01

URL: CVE-2018-9466

CVSS 2 Score Details (5.5)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: https://source.android.com/security/bulletin/2018-09-01

Release Date: 2019-01-01

Fix Resolution: android-9.0.0_r5,android-8.1.0_r45

CVE-2020-3846 (High) detected in gettextv0.20.1

CVE-2020-3846 - High Severity Vulnerability

Vulnerable Library - gettextv0.20.1

git://git.savannah.gnu.org/gettext.git

Library home page: https://github.com/autotools-mirror/gettext.git

Found in HEAD commit: ebbe518de6103063656cb8a1c3d1040aacb09826

Found in base branch: main

Vulnerable Source Files (1)

dvna/node_modules/libxmljs/vendor/libxml/buf.c

Vulnerability Details

A buffer overflow was addressed with improved size validation. This issue is fixed in iOS 13.3.1 and iPadOS 13.3.1, macOS Catalina 10.15.3, tvOS 13.3.1, watchOS 6.1.2, iTunes for Windows 12.10.4, iCloud for Windows 11.0, iCloud for Windows 7.17. Processing maliciously crafted XML may lead to an unexpected application termination or arbitrary code execution.

Publish Date: 2020-02-27

URL: CVE-2020-3846

CVSS 3 Score Details (8.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: https://gitlab.gnome.org/GNOME/libxml2/-/network/master?extended_sha1=bf2e96173d4f78f564015a925970077501586fbe

Release Date: 2020-03-03

Fix Resolution: v2.9.11

CVE-2017-5941 (High) detected in node-serialize-0.0.4.tgz

CVE-2017-5941 - High Severity Vulnerability

Vulnerable Library - node-serialize-0.0.4.tgz

Serialize an object including its function into a JSON.

Library home page: https://registry.npmjs.org/node-serialize/-/node-serialize-0.0.4.tgz

Path to dependency file: dvna/package.json

Path to vulnerable library: dvna/node_modules/node-serialize/package.json

Dependency Hierarchy:

  • node-serialize-0.0.4.tgz (Vulnerable Library)

Found in HEAD commit: ebbe518de6103063656cb8a1c3d1040aacb09826

Found in base branch: main

Vulnerability Details

An issue was discovered in the node-serialize package 0.0.4 for Node.js. Untrusted data passed into the unserialize() function can be exploited to achieve arbitrary code execution by passing a JavaScript Object with an Immediately Invoked Function Expression (IIFE).

Publish Date: 2017-02-09

URL: CVE-2017-5941

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

CVE-2018-14567 (Medium) detected in https://source.codeaurora.org/quic/la/platform/external/libxml2/LA.UM.6.6.c27-04000-89xx.0

CVE-2018-14567 - Medium Severity Vulnerability

Vulnerable Library - https://source.codeaurora.org/quic/la/platform/external/libxml2/LA.UM.6.6.c27-04000-89xx.0

Library home page: https://source.codeaurora.org/quic/la/platform/external/libxml2/

Found in HEAD commit: ebbe518de6103063656cb8a1c3d1040aacb09826

Found in base branch: main

Vulnerable Source Files (1)

dvna/node_modules/libxmljs/vendor/libxml/xzlib.c

Vulnerability Details

libxml2 2.9.8, if --with-lzma is used, allows remote attackers to cause a denial of service (infinite loop) via a crafted XML file that triggers LZMA_MEMLIMIT_ERROR, as demonstrated by xmllint, a different vulnerability than CVE-2015-8035 and CVE-2018-9251.

Publish Date: 2018-08-16

URL: CVE-2018-14567

CVSS 3 Score Details (6.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-14567

Release Date: 2018-08-16

Fix Resolution: v2.9.9-rc1

CVE-2017-16004 (Medium) detected in node-serialize-0.0.4.tgz

CVE-2017-16004 - Medium Severity Vulnerability

Vulnerable Library - node-serialize-0.0.4.tgz

Serialize a object including it's function into a JSON.

Library home page: https://registry.npmjs.org/node-serialize/-/node-serialize-0.0.4.tgz

Path to dependency file: dvna/package.json

Path to vulnerable library: dvna/node_modules/node-serialize/package.json

Dependency Hierarchy:

  • node-serialize-0.0.4.tgz (Vulnerable Library)

Found in HEAD commit: ebbe518de6103063656cb8a1c3d1040aacb09826

Found in base branch: main

Vulnerability Details

All versions of node-serialize can be abused to execute arbitrary code via an immediately invoked function expression.

Publish Date: 2019-07-11

URL: CVE-2017-16004

CVSS 2 Score Details (5.0)

Base Score Metrics not available

CVE-2019-20388 (High) detected in https://source.codeaurora.org/quic/la/platform/external/libxml2/LA.UM.6.6.c27-04000-89xx.0

CVE-2019-20388 - High Severity Vulnerability

Vulnerable Library - https://source.codeaurora.org/quic/la/platform/external/libxml2/LA.UM.6.6.c27-04000-89xx.0

Library home page: https://source.codeaurora.org/quic/la/platform/external/libxml2/

Found in HEAD commit: ebbe518de6103063656cb8a1c3d1040aacb09826

Found in base branch: main

Vulnerable Source Files (1)

dvna/node_modules/libxmljs/vendor/libxml/xmlschemas.c

Vulnerability Details

xmlSchemaPreRun in xmlschemas.c in libxml2 2.9.10 allows an xmlSchemaValidateStream memory leak.

Publish Date: 2020-01-21

URL: CVE-2019-20388

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://security.gentoo.org/glsa/202010-04

Fix Resolution: All libxml2 users should upgrade to the latest version # emerge --sync # emerge --ask --oneshot --verbose >=dev-libs/libxml2-2.9.10 >=

WS-2021-0153 (High) detected in ejs-2.7.4.tgz

WS-2021-0153 - High Severity Vulnerability

Vulnerable Library - ejs-2.7.4.tgz

Embedded JavaScript templates

Library home page: https://registry.npmjs.org/ejs/-/ejs-2.7.4.tgz

Path to dependency file: dvna/package.json

Path to vulnerable library: dvna/node_modules/ejs/package.json

Dependency Hierarchy:

  • ejs-2.7.4.tgz (Vulnerable Library)

Found in HEAD commit: 36c617da7227c5471a24ab8d026c496382f77ef5

Found in base branch: main

Vulnerability Details

Arbitrary Code Injection vulnerability was found in ejs before 3.1.6. Caused by filename which isn't sanitized for display.

Publish Date: 2021-01-22

URL: WS-2021-0153

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: mde/ejs#571

Release Date: 2021-01-22

Fix Resolution: ejs - 3.1.6


⛑️ Automatic Remediation is available for this issue

CVE-2019-11358 (Medium) detected in jquery-1.11.1.js

CVE-2019-11358 - Medium Severity Vulnerability

Vulnerable Library - jquery-1.11.1.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.11.1/jquery.js

Path to dependency file: dvna/node_modules/javascript-natural-sort/unit-tests.html

Path to vulnerable library: dvna/node_modules/javascript-natural-sort/unit-tests.html

Dependency Hierarchy:

  • jquery-1.11.1.js (Vulnerable Library)

Found in HEAD commit: 36c617da7227c5471a24ab8d026c496382f77ef5

Found in base branch: main

Vulnerability Details

jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. If an unsanitized source object contained an enumerable __proto__ property, it could extend the native Object.prototype.

Publish Date: 2019-04-20

URL: CVE-2019-11358

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11358

Release Date: 2019-04-20

Fix Resolution: 3.4.0

CVE-2021-3517 (High) detected in gettextv0.20.1

CVE-2021-3517 - High Severity Vulnerability

Vulnerable Library - gettextv0.20.1

git://git.savannah.gnu.org/gettext.git

Library home page: https://github.com/autotools-mirror/gettext.git

Found in HEAD commit: 36c617da7227c5471a24ab8d026c496382f77ef5

Found in base branch: main

Vulnerable Source Files (1)

dvna/node_modules/libxmljs/vendor/libxml/entities.c

Vulnerability Details

There is a flaw in the xml entity encoding functionality of libxml2 in versions before 2.9.11. An attacker who is able to supply a crafted file to be processed by an application linked with the affected functionality of libxml2 could trigger an out-of-bounds read. The most likely impact of this flaw is to application availability, with some potential impact to confidentiality and integrity if an attacker is able to use memory information to further exploit the application.

Publish Date: 2021-05-19

URL: CVE-2021-3517

CVSS 3 Score Details (8.6)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://security.gentoo.org/glsa/202107-05

Fix Resolution: All libxml2 users should upgrade to the latest version # emerge --sync # emerge --ask --oneshot --verbose >=dev-libs/libxml2-2.9.12-r3 >=

CVE-2019-19956 (High) detected in https://source.codeaurora.org/quic/la/platform/external/libxml2/LA.UM.6.6.c27-04000-89xx.0

CVE-2019-19956 - High Severity Vulnerability

Vulnerable Library - https://source.codeaurora.org/quic/la/platform/external/libxml2/LA.UM.6.6.c27-04000-89xx.0

Library home page: https://source.codeaurora.org/quic/la/platform/external/libxml2/

Found in HEAD commit: ebbe518de6103063656cb8a1c3d1040aacb09826

Found in base branch: main

Vulnerable Source Files (1)

dvna/node_modules/libxmljs/vendor/libxml/parser.c

Vulnerability Details

xmlParseBalancedChunkMemoryRecover in parser.c in libxml2 before 2.9.10 has a memory leak related to newDoc->oldNs.

Publish Date: 2019-12-24

URL: CVE-2019-19956

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Change files

Origin: GNOME/libxml2@5a02583

Release Date: 2019-08-26

Fix Resolution: Replace or update the following file: parser.c

CVE-2021-3516 (High) detected in https://source.codeaurora.org/quic/la/platform/external/libxml2/LA.UM.6.6.c27-04000-89xx.0

CVE-2021-3516 - High Severity Vulnerability

Vulnerable Library - https://source.codeaurora.org/quic/la/platform/external/libxml2/LA.UM.6.6.c27-04000-89xx.0

Library home page: https://source.codeaurora.org/quic/la/platform/external/libxml2/

Found in HEAD commit: 36c617da7227c5471a24ab8d026c496382f77ef5

Found in base branch: main

Vulnerable Source Files (1)

dvna/node_modules/libxmljs/vendor/libxml/xmllint.c

Vulnerability Details

There's a flaw in libxml2's xmllint in versions before 2.9.11. An attacker who is able to submit a crafted file to be processed by xmllint could trigger a use-after-free. The greatest impact of this flaw is to confidentiality, integrity, and availability.

Publish Date: 2021-06-01

URL: CVE-2021-3516

CVSS 3 Score Details (7.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://bugzilla.redhat.com/show_bug.cgi?id=1954225

Fix Resolution: Upgrade to version libxml2 2.9.11 or greater

CVE-2020-7743 (High) detected in mathjs-3.10.1.tgz - autoclosed

CVE-2020-7743 - High Severity Vulnerability

Vulnerable Library - mathjs-3.10.1.tgz

Math.js is an extensive math library for JavaScript and Node.js. It features a flexible expression parser with support for symbolic computation, comes with a large set of built-in functions and constants, and offers an integrated solution to work with dif

Library home page: https://registry.npmjs.org/mathjs/-/mathjs-3.10.1.tgz

Path to dependency file: dvna/package.json

Path to vulnerable library: dvna/node_modules/mathjs/package.json

Dependency Hierarchy:

  • mathjs-3.10.1.tgz (Vulnerable Library)

Found in HEAD commit: ebbe518de6103063656cb8a1c3d1040aacb09826

Found in base branch: main

Vulnerability Details

The package mathjs before 7.5.1 is vulnerable to Prototype Pollution via the deepExtend function that runs upon configuration updates.

Publish Date: 2020-10-13

URL: CVE-2020-7743

CVSS 3 Score Details (7.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7743

Release Date: 2020-07-21

Fix Resolution: 7.5.1


⛑️ Automatic Remediation is available for this issue
