luanp / konfig-manager
Kong API Gateway Config Manager
Lodash modular utilities.
Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.14.tgz
Path to dependency file: konfig-manager/package.json
Path to vulnerable library: konfig-manager/node_modules/lodash/package.json
Dependency Hierarchy:
Lodash modular utilities.
Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.15.tgz
Path to dependency file: konfig-manager/package.json
Path to vulnerable library: konfig-manager/node_modules/yargs-unparser/node_modules/lodash/package.json
Dependency Hierarchy:
Found in HEAD commit: f779c9ec2a6e2c00a3a0df38f2d0a69cbcd2b538
Found in base branch: master
Prototype pollution attack when using _.zipObjectDeep in lodash <= 4.17.15.
Publish Date: 2020-07-15
URL: CVE-2020-8203
Base Score Metrics:
Type: Upgrade version
Origin: https://www.npmjs.com/advisories/1523
Release Date: 2020-07-23
Fix Resolution: lodash - 4.17.19
Step up your Open Source Security Game with WhiteSource here
Regular expression for matching ANSI escape codes
Library home page: https://registry.npmjs.org/ansi-regex/-/ansi-regex-5.0.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/@oclif/errors/node_modules/ansi-regex/package.json,/node_modules/widest-line/node_modules/ansi-regex/package.json
Dependency Hierarchy:
Found in HEAD commit: 5898f05a9d2742f667fe0b2c11f8515414682be2
Found in base branch: master
ansi-regex is vulnerable to Inefficient Regular Expression Complexity
Publish Date: 2021-09-17
URL: CVE-2021-3807
Base Score Metrics:
Type: Upgrade version
Origin: https://huntr.dev/bounties/5b3cf33b-ede0-4398-9974-800876dfd994/
Release Date: 2021-09-17
Fix Resolution (ansi-regex): 5.0.1
Direct dependency fix Resolution (@oclif/config): 1.18.3
Step up your Open Source Security Game with Mend here
parse argument options
Library home page: https://registry.npmjs.org/minimist/-/minimist-0.0.8.tgz
Path to dependency file: /tmp/ws-scm/konfig-manager/package.json
Path to vulnerable library: /tmp/ws-scm/konfig-manager/node_modules/minimist/package.json
Dependency Hierarchy:
parse argument options
Library home page: https://registry.npmjs.org/minimist/-/minimist-1.2.0.tgz
Path to dependency file: /tmp/ws-scm/konfig-manager/package.json
Path to vulnerable library: /tmp/ws-scm/konfig-manager/node_modules/coveralls/node_modules/minimist/package.json
Dependency Hierarchy:
Found in HEAD commit: 51268cb29d1e6994b2e12fbee0910f2fa66bed6a
minimist before 1.2.2 could be tricked into adding or modifying properties of Object.prototype using a "constructor" or "__proto__" payload.
Publish Date: 2020-03-11
URL: CVE-2020-7598
Base Score Metrics:
Type: Upgrade version
Origin: https://github.com/substack/minimist/commit/63e7ed05aa4b1889ec2f3b196426db4500cbda94
Release Date: 2020-03-11
Fix Resolution: minimist - 0.2.1,1.2.2
JavaScript library for DOM operations
Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.8.1/jquery.min.js
Path to dependency file: /tmp/ws-scm/konfig-manager/node_modules/redeyed/examples/browser/index.html
Path to vulnerable library: /konfig-manager/node_modules/redeyed/examples/browser/index.html
Dependency Hierarchy:
Found in HEAD commit: 3012ee1b0f0c99fe1aecd4b172e98e4d8bfa9414
In jQuery versions greater than or equal to 1.2 and before 3.5.0, passing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.
Publish Date: 2020-04-29
URL: CVE-2020-11022
Base Score Metrics:
Type: Upgrade version
Origin: https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/
Release Date: 2020-04-29
Fix Resolution: jQuery - 3.5.0
Node.js path.parse() ponyfill
Library home page: https://registry.npmjs.org/path-parse/-/path-parse-1.0.6.tgz
Path to dependency file: konfig-manager/package.json
Path to vulnerable library: konfig-manager/node_modules/path-parse/package.json
Dependency Hierarchy:
Found in HEAD commit: 28e1f5692671bcfebc4479e8232d8de12c69d03f
All versions of package path-parse are vulnerable to Regular Expression Denial of Service (ReDoS) via splitDeviceRe, splitTailRe, and splitPathRe regular expressions. ReDoS exhibits polynomial worst-case time complexity.
Publish Date: 2021-05-04
URL: CVE-2021-23343
Base Score Metrics:
Type: Upgrade version
Origin: jbgutierrez/path-parse#8
Release Date: 2021-05-04
Fix Resolution: path-parse - 1.0.7
JavaScript library for DOM operations
Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.8.1/jquery.min.js
Path to dependency file: /tmp/ws-scm/konfig-manager/node_modules/redeyed/examples/browser/index.html
Path to vulnerable library: /konfig-manager/node_modules/redeyed/examples/browser/index.html
Dependency Hierarchy:
Found in HEAD commit: eda20410754e44ef12a67b3854d285746d7b516c
jQuery before 1.9.0 is vulnerable to Cross-site Scripting (XSS) attacks. The jQuery(strInput) function does not differentiate selectors from HTML in a reliable fashion. In vulnerable versions, jQuery determined whether the input was HTML by looking for the '<' character anywhere in the string, giving attackers more flexibility when attempting to construct a malicious payload. In fixed versions, jQuery only deems the input to be HTML if it explicitly starts with the '<' character, limiting exploitability only to attackers who can control the beginning of a string, which is far less common.
Publish Date: 2018-01-18
URL: CVE-2012-6708
Base Score Metrics:
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2012-6708
Release Date: 2018-01-18
Fix Resolution: jQuery - v1.9.0
Promise based HTTP client for the browser and node.js
Library home page: https://registry.npmjs.org/axios/-/axios-0.24.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/axios/package.json
Dependency Hierarchy:
Found in HEAD commit: 51268cb29d1e6994b2e12fbee0910f2fa66bed6a
Found in base branch: master
Exposure of Sensitive Information to an Unauthorized Actor in GitHub repository axios/axios prior to 0.26.
Publish Date: 2022-05-03
URL: CVE-2022-1214
Base Score Metrics:
Type: Upgrade version
Origin: https://huntr.dev/bounties/ef7b4ab6-a3f6-4268-a21a-e7104d344607/
Release Date: 2022-05-03
Fix Resolution: 0.26.0
HTTP and HTTPS modules that follow redirects.
Library home page: https://registry.npmjs.org/follow-redirects/-/follow-redirects-1.14.7.tgz
Dependency Hierarchy:
Found in HEAD commit: 5898f05a9d2742f667fe0b2c11f8515414682be2
Found in base branch: master
Exposure of Sensitive Information to an Unauthorized Actor in NPM follow-redirects prior to 1.14.8.
Publish Date: 2022-02-09
URL: CVE-2022-0536
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0536
Release Date: 2022-02-09
Fix Resolution (follow-redirects): 1.14.8
Direct dependency fix Resolution (axios): 0.26.0
the mighty option parser used by yargs
Library home page: https://registry.npmjs.org/yargs-parser/-/yargs-parser-16.1.0.tgz
Path to dependency file: /tmp/ws-scm/konfig-manager/package.json
Path to vulnerable library: /tmp/ws-scm/konfig-manager/node_modules/yargs/node_modules/yargs-parser/package.json
Dependency Hierarchy:
the mighty option parser used by yargs
Library home page: https://registry.npmjs.org/yargs-parser/-/yargs-parser-13.1.1.tgz
Path to dependency file: /tmp/ws-scm/konfig-manager/package.json
Path to vulnerable library: /tmp/ws-scm/konfig-manager/node_modules/yargs-parser/package.json
Dependency Hierarchy:
Found in HEAD commit: 4cc23a6e26bbe1aaad25633458048013ca404969
yargs-parser could be tricked into adding or modifying properties of Object.prototype using a "__proto__" payload.
Publish Date: 2020-03-16
URL: CVE-2020-7608
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7608
Release Date: 2020-03-16
Fix Resolution: v18.1.1;13.1.2;15.0.1
A tiny (108 bytes), secure URL-friendly unique string ID generator
Library home page: https://registry.npmjs.org/nanoid/-/nanoid-3.1.25.tgz
Dependency Hierarchy:
Found in base branch: master
The package nanoid before 3.1.31 is vulnerable to Information Exposure via the valueOf() function, which allows reproducing the last id generated.
Publish Date: 2022-01-14
URL: CVE-2021-23566
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23566
Release Date: 2022-01-14
Fix Resolution: nanoid - 3.1.31
Extract the non-magic parent path from a glob string.
Library home page: https://registry.npmjs.org/glob-parent/-/glob-parent-5.1.2.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/glob-parent/package.json
Dependency Hierarchy:
Found in HEAD commit: 5898f05a9d2742f667fe0b2c11f8515414682be2
Found in base branch: master
The package glob-parent before 6.0.1 is vulnerable to Regular Expression Denial of Service (ReDoS).
Publish Date: 2021-06-22
URL: CVE-2021-35065
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-cj88-88mr-972w
Release Date: 2021-06-22
Fix Resolution (glob-parent): 6.0.1
Direct dependency fix Resolution (@oclif/config): 1.18.3
the mighty option parser used by yargs
Library home page: https://registry.npmjs.org/yargs-parser/-/yargs-parser-13.1.2.tgz
Path to dependency file: /tmp/ws-scm/konfig-manager/package.json
Path to vulnerable library: /tmp/ws-scm/konfig-manager/node_modules/yargs-parser/package.json
Dependency Hierarchy:
Found in HEAD commit: 3012ee1b0f0c99fe1aecd4b172e98e4d8bfa9414
Affected versions of yargs-parser are vulnerable to prototype pollution. Arguments are not properly sanitized, allowing an attacker to modify the prototype of Object, causing the addition or modification of an existing property that will exist on all objects. Parsing the argument --foo.__proto__.bar baz' adds a bar property with value baz to all objects. This is only exploitable if attackers have control over the arguments being passed to yargs-parser.
Publish Date: 2020-05-01
URL: WS-2020-0068
Base Score Metrics:
Type: Upgrade version
Origin: https://www.npmjs.com/package/yargs-parser
Release Date: 2020-05-04
Fix Resolution: https://www.npmjs.com/package/yargs-parser/v/18.1.2,https://www.npmjs.com/package/yargs-parser/v/15.0.1
parse argument options
Library home page: https://registry.npmjs.org/minimist/-/minimist-1.2.5.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/minimist/package.json
Dependency Hierarchy:
Found in HEAD commit: 5898f05a9d2742f667fe0b2c11f8515414682be2
Found in base branch: master
Minimist <=1.2.5 is vulnerable to Prototype Pollution via file index.js, function setKey() (lines 69-95).
Publish Date: 2022-03-17
URL: CVE-2021-44906
Base Score Metrics:
HTTP and HTTPS modules that follow redirects.
Library home page: https://registry.npmjs.org/follow-redirects/-/follow-redirects-1.14.4.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/follow-redirects/package.json
Dependency Hierarchy:
Found in HEAD commit: 4363a7af48707a91c42b5a4e146459a5cd608775
Found in base branch: master
follow-redirects is vulnerable to Exposure of Private Personal Information to an Unauthorized Actor
Publish Date: 2022-01-10
URL: CVE-2022-0155
Base Score Metrics:
Type: Upgrade version
Origin: https://huntr.dev/bounties/fc524e4b-ebb6-427d-ab67-a64181020406/
Release Date: 2022-01-10
Fix Resolution (follow-redirects): 1.14.7
Direct dependency fix Resolution (axios): 0.25.0
Handlebars provides the power necessary to let you build semantic templates effectively with no frustration
Library home page: https://registry.npmjs.org/handlebars/-/handlebars-4.5.1.tgz
Path to dependency file: /tmp/ws-scm/konfig-manager/package.json
Path to vulnerable library: /tmp/ws-scm/konfig-manager/node_modules/handlebars/package.json
Dependency Hierarchy:
Found in HEAD commit: d9234784b681b40704ad1b57a1bf3e6b9e58726d
Prototype Pollution vulnerability found in handlebars 1.0.6 before 4.5.3. It is possible to add or modify properties to the Object prototype through a malicious template. Attacker may crash the application or execute Arbitrary Code in specific conditions.
Publish Date: 2019-12-05
URL: WS-2019-0333
Type: Upgrade version
Origin: https://www.npmjs.com/advisories/1325
Release Date: 2019-12-05
Fix Resolution: handlebars - 4.5.3
Lodash modular utilities.
Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.14.tgz
Path to dependency file: /tmp/ws-scm/konfig-manager/package.json
Path to vulnerable library: /tmp/ws-scm/konfig-manager/node_modules/lodash/package.json
Dependency Hierarchy:
Lodash modular utilities.
Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.15.tgz
Path to dependency file: /tmp/ws-scm/konfig-manager/package.json
Path to vulnerable library: /tmp/ws-scm/konfig-manager/node_modules/yargs-unparser/node_modules/lodash/package.json
Dependency Hierarchy:
Found in HEAD commit: 3012ee1b0f0c99fe1aecd4b172e98e4d8bfa9414
A prototype pollution vulnerability in lodash. It allows an attacker to inject properties on Object.prototype.
Publish Date: 2020-04-28
URL: WS-2020-0070
Base Score Metrics:
Object value retrieval given a string path
Library home page: https://registry.npmjs.org/pathval/-/pathval-1.1.0.tgz
Path to dependency file: konfig-manager/package.json
Path to vulnerable library: konfig-manager/node_modules/pathval/package.json
Dependency Hierarchy:
Found in HEAD commit: 4ddf160976a10dcea27f9cf28e2a42625643f382
Found in base branch: master
This affects all versions of package pathval.
Publish Date: 2020-10-26
URL: CVE-2020-7751
Base Score Metrics:
Extract the non-magic parent path from a glob string.
Library home page: https://registry.npmjs.org/glob-parent/-/glob-parent-5.1.0.tgz
Path to dependency file: konfig-manager/package.json
Path to vulnerable library: konfig-manager/node_modules/glob-parent/package.json,konfig-manager/node_modules/fast-glob/node_modules/glob-parent/package.json
Dependency Hierarchy:
Found in HEAD commit: 0327828e7414e67db056c5a398962355f6cd9da8
This affects the package glob-parent before 5.1.2. The enclosure regex used to check for strings ending in enclosure containing path separator.
Publish Date: 2021-06-03
URL: CVE-2020-28469
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28469
Release Date: 2021-06-03
Fix Resolution: glob-parent - 5.1.2
Lodash modular utilities.
Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.20.tgz
Path to dependency file: konfig-manager/package.json
Path to vulnerable library: konfig-manager/node_modules/lodash/package.json
Dependency Hierarchy:
Found in HEAD commit: 8d60676460a0b5ed34e3fbf3e2338ebae29229de
Found in base branch: master
All versions of package lodash; all versions of package org.fujion.webjars:lodash are vulnerable to Regular Expression Denial of Service (ReDoS) via the toNumber, trim and trimEnd functions. Steps to reproduce (provided by reporter Liyuan Chen):
    var lo = require('lodash');
    function build_blank (n) {
      var ret = "1"
      for (var i = 0; i < n; i++) { ret += " " }
      return ret + "1";
    }
    var s = build_blank(50000)
    var time0 = Date.now();
    lo.trim(s)
    var time_cost0 = Date.now() - time0;
    console.log("time_cost0: " + time_cost0)
    var time1 = Date.now();
    lo.toNumber(s)
    var time_cost1 = Date.now() - time1;
    console.log("time_cost1: " + time_cost1)
    var time2 = Date.now();
    lo.trimEnd(s)
    var time_cost2 = Date.now() - time2;
    console.log("time_cost2: " + time_cost2)
Publish Date: 2021-02-15
URL: CVE-2020-28500
Base Score Metrics:
Type: Upgrade version
Origin: lodash/lodash@02906b8
Release Date: 2021-02-15
Fix Resolution: lodash - 4.17.21
Dependabot couldn't find a package.json for this project.
Dependabot requires a package.json to evaluate your project's current JavaScript dependencies. It had expected to find one at the path: /package.json.
If this isn't a JavaScript project, or if it is a library, you may wish to disable updates for it from within Dependabot.
You can mention @dependabot in the comments below to contact the Dependabot team.
JavaScript library for DOM operations
Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.8.1/jquery.min.js
Path to dependency file: /tmp/ws-scm/konfig-manager/node_modules/redeyed/examples/browser/index.html
Path to vulnerable library: /konfig-manager/node_modules/redeyed/examples/browser/index.html
Dependency Hierarchy:
Found in HEAD commit: 6cf1c90234018918d4880f5236899871c45957b4
jquery prior to 1.9.0 allows Cross-site Scripting attacks via the load method. The load method fails to recognize and remove "<script>" HTML tags that contain a whitespace character, i.e: "</script >", which results in the enclosed script logic to be executed.
Publish Date: 2020-05-19
URL: CVE-2020-7656
Base Score Metrics:
Type: Upgrade version
Origin: rails/jquery-rails@8f601cb
Release Date: 2020-05-19
Fix Resolution: jquery-rails - 2.2.0
JSON Schema validation and specifications
Library home page: https://registry.npmjs.org/json-schema/-/json-schema-0.2.3.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/json-schema/package.json
Dependency Hierarchy:
Found in HEAD commit: 5898f05a9d2742f667fe0b2c11f8515414682be2
Found in base branch: master
json-schema is vulnerable to Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
Publish Date: 2021-11-13
URL: CVE-2021-3918
Base Score Metrics:
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2021-3918
Release Date: 2021-11-13
Fix Resolution: json-schema - 0.4.0
An ini encoder/decoder for node
Library home page: https://registry.npmjs.org/ini/-/ini-1.3.5.tgz
Path to dependency file: konfig-manager/package.json
Path to vulnerable library: konfig-manager/node_modules/ini/package.json
Dependency Hierarchy:
Found in HEAD commit: 4b00b1ca4c16201e9069f3af1f230c84ade491a4
Found in base branch: master
This affects the package ini before 1.3.6. If an attacker submits a malicious INI file to an application that parses it with ini.parse, they will pollute the prototype on the application. This can be exploited further depending on the context.
Publish Date: 2020-12-11
URL: CVE-2020-7788
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7788
Release Date: 2020-12-11
Fix Resolution: v1.3.6
Lodash modular utilities.
Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.20.tgz
Path to dependency file: konfig-manager/package.json
Path to vulnerable library: konfig-manager/node_modules/lodash/package.json
Dependency Hierarchy:
Found in HEAD commit: 8d60676460a0b5ed34e3fbf3e2338ebae29229de
Found in base branch: master
All versions of package lodash; all versions of package org.fujion.webjars:lodash are vulnerable to Command Injection via template.
Publish Date: 2021-02-15
URL: CVE-2021-23337
Base Score Metrics:
Type: Upgrade version
Origin: lodash/lodash@3469357
Release Date: 2021-02-15
Fix Resolution: lodash - 4.17.21
Handlebars provides the power necessary to let you build semantic templates effectively with no frustration
Library home page: https://registry.npmjs.org/handlebars/-/handlebars-4.5.1.tgz
Path to dependency file: /tmp/ws-scm/konfig-manager/package.json
Path to vulnerable library: /tmp/ws-scm/konfig-manager/node_modules/handlebars/package.json
Dependency Hierarchy:
Found in HEAD commit: d9234784b681b40704ad1b57a1bf3e6b9e58726d
Arbitrary Code Execution vulnerability found in handlebars before 4.5.3. Lookup helper fails to validate templates. Attacker may submit templates that execute arbitrary JavaScript in the system. It is due to an incomplete fix for WS-2019-0331.
Publish Date: 2019-12-05
URL: WS-2019-0332
Type: Upgrade version
Origin: https://www.npmjs.com/advisories/1324
Release Date: 2019-12-05
Fix Resolution: handlebars - 4.5.3
JavaScript library for DOM operations
Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.8.1/jquery.min.js
Path to dependency file: /tmp/ws-scm/konfig-manager/node_modules/redeyed/examples/browser/index.html
Path to vulnerable library: /konfig-manager/node_modules/redeyed/examples/browser/index.html
Dependency Hierarchy:
Found in HEAD commit: eda20410754e44ef12a67b3854d285746d7b516c
jQuery, before 2.2.0, is vulnerable to Cross-site Scripting (XSS) attacks via text/javascript response with arbitrary code execution.
Publish Date: 2016-11-27
URL: WS-2016-0090
Type: Upgrade version
Origin: jquery/jquery@b078a62
Release Date: 2019-04-08
Fix Resolution: 2.2.0
Another JSON Schema Validator
Library home page: https://registry.npmjs.org/ajv/-/ajv-6.12.2.tgz
Path to dependency file: konfig-manager/package.json
Path to vulnerable library: konfig-manager/node_modules/table/node_modules/ajv/package.json
Dependency Hierarchy:
Another JSON Schema Validator
Library home page: https://registry.npmjs.org/ajv/-/ajv-6.10.0.tgz
Path to dependency file: konfig-manager/package.json
Path to vulnerable library: konfig-manager/node_modules/ajv/package.json
Dependency Hierarchy:
Found in HEAD commit: f779c9ec2a6e2c00a3a0df38f2d0a69cbcd2b538
Found in base branch: master
An issue was discovered in ajv.validate() in Ajv (aka Another JSON Schema Validator) 6.12.2. A carefully crafted JSON schema could be provided that allows execution of other code by prototype pollution. (While untrusted schemas are recommended against, the worst case of an untrusted schema should be a denial of service, not execution of code.)
Publish Date: 2020-07-15
URL: CVE-2020-15366
Base Score Metrics:
Type: Upgrade version
Origin: https://github.com/ajv-validator/ajv/releases/tag/v6.12.3
Release Date: 2020-07-15
Fix Resolution: ajv - 6.12.3
Lodash modular utilities.
Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.11.tgz
Path to dependency file: /konfig-manager/package.json
Path to vulnerable library: /tmp/git/konfig-manager/node_modules/lodash/package.json
Dependency Hierarchy:
Found in HEAD commit: e3bb0295fc6a327da0057d218b3a293f9dd3531c
A Prototype Pollution vulnerability was found in lodash through version 4.17.11.
Publish Date: 2019-07-08
URL: CVE-2019-10744
Type: Upgrade version
Origin: lodash/lodash@a01e4fa
Release Date: 2019-07-08
Fix Resolution: 4.17.12
Deeply mix the properties of objects into the first object. Like merge-deep, but doesn't clone.
Library home page: https://registry.npmjs.org/mixin-deep/-/mixin-deep-1.3.1.tgz
Path to dependency file: /konfig-manager/package.json
Path to vulnerable library: /tmp/git/konfig-manager/node_modules/mixin-deep/package.json
Dependency Hierarchy:
Found in HEAD commit: 6dc96eb6097fb96b83aa88e342ceab3c5ad85b6a
mixin-deep before 1.3.2 is vulnerable to Prototype Pollution.
Publish Date: 2019-07-11
URL: CVE-2019-10746
Type: Upgrade version
Origin: jonschlinkert/mixin-deep@8f464c8
Release Date: 2019-07-11
Fix Resolution: 1.3.2
Serialize JavaScript to a superset of JSON that includes regular expressions and functions.
Library home page: https://registry.npmjs.org/serialize-javascript/-/serialize-javascript-3.0.0.tgz
Path to dependency file: /tmp/ws-scm/konfig-manager/package.json
Path to vulnerable library: /tmp/ws-scm/konfig-manager/node_modules/serialize-javascript/package.json
Dependency Hierarchy:
Found in HEAD commit: b46b4b46d2277e8689594243d49b716982337617
serialize-javascript prior to 3.1.0 allows remote attackers to inject arbitrary code via the function "deleteFunctions" within "index.js".
Publish Date: 2020-06-01
URL: CVE-2020-7660
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7660
Release Date: 2020-06-01
Fix Resolution: serialize-javascript - 3.1.0
Handlebars provides the power necessary to let you build semantic templates effectively with no frustration
Library home page: https://registry.npmjs.org/handlebars/-/handlebars-4.5.1.tgz
Path to dependency file: /tmp/ws-scm/konfig-manager/package.json
Path to vulnerable library: /tmp/ws-scm/konfig-manager/node_modules/handlebars/package.json
Dependency Hierarchy:
Found in HEAD commit: d9234784b681b40704ad1b57a1bf3e6b9e58726d
Arbitrary Code Execution vulnerability found in handlebars before 4.5.2. Lookup helper fails to validate templates. Attack may submit templates that execute arbitrary JavaScript in the system.
Publish Date: 2019-12-05
URL: WS-2019-0331
Type: Upgrade version
Origin: https://www.npmjs.com/advisories/1316
Release Date: 2019-12-05
Fix Resolution: handlebars - 4.5.2
the bare-bones internationalization library used by yargs
Library home page: https://registry.npmjs.org/y18n/-/y18n-4.0.0.tgz
Dependency Hierarchy:
Found in HEAD commit: 1012b375ddeb12d04444e742d117fd8ecdbff58c
Found in base branch: master
This affects the package y18n before 3.2.2, 4.0.1 and 5.0.5. PoC by po6ix:
    const y18n = require('y18n')();
    y18n.setLocale('__proto__');
    y18n.updateLocale({polluted: true});
    console.log(polluted); // true
Publish Date: 2020-11-17
URL: CVE-2020-7774
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7774
Release Date: 2020-11-17
Fix Resolution: 5.0.5
JavaScript library for DOM operations
Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.8.1/jquery.min.js
Path to dependency file: konfig-manager/node_modules/redeyed/examples/browser/index.html
Path to vulnerable library: konfig-manager/node_modules/redeyed/examples/browser/index.html
Dependency Hierarchy:
Found in HEAD commit: f779c9ec2a6e2c00a3a0df38f2d0a69cbcd2b538
Found in base branch: master
In jQuery versions greater than or equal to 1.0.3 and before 3.5.0, passing HTML containing elements from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.
Publish Date: 2020-04-29
URL: CVE-2020-11023
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11023
Release Date: 2020-04-29
Fix Resolution: jquery - 3.5.0
JavaScript library for DOM operations
Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.8.1/jquery.min.js
Path to dependency file: /tmp/ws-scm/konfig-manager/node_modules/redeyed/examples/browser/index.html
Path to vulnerable library: /konfig-manager/node_modules/redeyed/examples/browser/index.html
Dependency Hierarchy:
Found in HEAD commit: eda20410754e44ef12a67b3854d285746d7b516c
jQuery before 3.0.0 is vulnerable to Cross-site Scripting (XSS) attacks when a cross-domain Ajax request is performed without the dataType option, causing text/javascript responses to be executed.
Publish Date: 2018-01-18
URL: CVE-2015-9251
Base Score Metrics:
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2015-9251
Release Date: 2018-01-18
Fix Resolution: jQuery - v3.0.0