luanp / konfig-manager Goto Github PK

Vulnerable Libraries - lodash-4.17.14.tgz, lodash-4.17.15.tgz

Found in HEAD commit: f779c9ec2a6e2c00a3a0df38f2d0a69cbcd2b538

Found in base branch: master

Vulnerability Details

Prototype pollution attack when using _.zipObjectDeep in lodash <= 4.17.15.

Publish Date: 2020-07-15

URL: CVE-2020-8203

CVSS 3 Score Details (7.4)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/1523

Release Date: 2020-07-23

Fix Resolution: lodash - 4.17.19

Vulnerable Library - ansi-regex-5.0.0.tgz

Regular expression for matching ANSI escape codes

Library home page: https://registry.npmjs.org/ansi-regex/-/ansi-regex-5.0.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/@oclif/errors/node_modules/ansi-regex/package.json,/node_modules/widest-line/node_modules/ansi-regex/package.json

Dependency Hierarchy:

• config-1.18.2.tgz (Root Library)
  • errors-1.3.4.tgz
    • strip-ansi-6.0.0.tgz
      • ❌ ansi-regex-5.0.0.tgz (Vulnerable Library)

Found in HEAD commit: 5898f05a9d2742f667fe0b2c11f8515414682be2

Found in base branch: master

Vulnerability Details

ansi-regex is vulnerable to Inefficient Regular Expression Complexity

Publish Date: 2021-09-17

URL: CVE-2021-3807

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://huntr.dev/bounties/5b3cf33b-ede0-4398-9974-800876dfd994/

Release Date: 2021-09-17

Fix Resolution (ansi-regex): 5.0.1

Direct dependency fix Resolution (@oclif/config): 1.18.3

Vulnerable Libraries - minimist-0.0.8.tgz, minimist-1.2.0.tgz

Found in HEAD commit: 51268cb29d1e6994b2e12fbee0910f2fa66bed6a

Vulnerability Details

minimist before 1.2.2 could be tricked into adding or modifying properties of Object.prototype using a "constructor" or "proto" payload.

Publish Date: 2020-03-11

URL: CVE-2020-7598

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://github.com/substack/minimist/commit/63e7ed05aa4b1889ec2f3b196426db4500cbda94

Release Date: 2020-03-11

Fix Resolution: minimist - 0.2.1,1.2.2

Vulnerable Library - jquery-1.8.1.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.8.1/jquery.min.js

Path to dependency file: /tmp/ws-scm/konfig-manager/node_modules/redeyed/examples/browser/index.html

Path to vulnerable library: /konfig-manager/node_modules/redeyed/examples/browser/index.html

Dependency Hierarchy:

• ❌ jquery-1.8.1.min.js (Vulnerable Library)

Found in HEAD commit: 3012ee1b0f0c99fe1aecd4b172e98e4d8bfa9414

Vulnerability Details

In jQuery versions greater than or equal to 1.2 and before 3.5.0, passing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.

Publish Date: 2020-04-29

URL: CVE-2020-11022

CVSS 3 Score Details (6.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/

Release Date: 2020-04-29

Fix Resolution: jQuery - 3.5.0

Vulnerable Library - path-parse-1.0.6.tgz

Node.js path.parse() ponyfill

Library home page: https://registry.npmjs.org/path-parse/-/path-parse-1.0.6.tgz

Path to dependency file: konfig-manager/package.json

Path to vulnerable library: konfig-manager/node_modules/path-parse/package.json

Dependency Hierarchy:

• babel-eslint-10.1.0.tgz (Root Library)
  • resolve-1.15.1.tgz
    • ❌ path-parse-1.0.6.tgz (Vulnerable Library)

Found in HEAD commit: 28e1f5692671bcfebc4479e8232d8de12c69d03f

Vulnerability Details

All versions of package path-parse are vulnerable to Regular Expression Denial of Service (ReDoS) via splitDeviceRe, splitTailRe, and splitPathRe regular expressions. ReDoS exhibits polynomial worst-case time complexity.

Publish Date: 2021-05-04

URL: CVE-2021-23343

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: jbgutierrez/path-parse#8

Release Date: 2021-05-04

Fix Resolution: path-parse - 1.0.7

Vulnerable Library - jquery-1.8.1.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.8.1/jquery.min.js

Path to dependency file: /tmp/ws-scm/konfig-manager/node_modules/redeyed/examples/browser/index.html

Path to vulnerable library: /konfig-manager/node_modules/redeyed/examples/browser/index.html

Dependency Hierarchy:

• ❌ jquery-1.8.1.min.js (Vulnerable Library)

Found in HEAD commit: eda20410754e44ef12a67b3854d285746d7b516c

Vulnerability Details

jQuery before 1.9.0 is vulnerable to Cross-site Scripting (XSS) attacks. The jQuery(strInput) function does not differentiate selectors from HTML in a reliable fashion. In vulnerable versions, jQuery determined whether the input was HTML by looking for the '<' character anywhere in the string, giving attackers more flexibility when attempting to construct a malicious payload. In fixed versions, jQuery only deems the input to be HTML if it explicitly starts with the '<' character, limiting exploitability only to attackers who can control the beginning of a string, which is far less common.

Publish Date: 2018-01-18

URL: CVE-2012-6708

CVSS 3 Score Details (6.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2012-6708

Release Date: 2018-01-18

Fix Resolution: jQuery - v1.9.0

Vulnerable Library - axios-0.24.0.tgz

Promise based HTTP client for the browser and node.js

Library home page: https://registry.npmjs.org/axios/-/axios-0.24.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/axios/package.json

Dependency Hierarchy:

• ❌ axios-0.24.0.tgz (Vulnerable Library)

Found in HEAD commit: 51268cb29d1e6994b2e12fbee0910f2fa66bed6a

Found in base branch: master

Vulnerability Details

Exposure of Sensitive Information to an Unauthorized Actor in GitHub repository axios/axios prior to 0.26.

Publish Date: 2022-05-03

URL: CVE-2022-1214

CVSS 3 Score Details (8.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://huntr.dev/bounties/ef7b4ab6-a3f6-4268-a21a-e7104d344607/

Release Date: 2022-05-03

Fix Resolution: 0.26.0

Vulnerable Library - follow-redirects-1.14.7.tgz

HTTP and HTTPS modules that follow redirects.

Library home page: https://registry.npmjs.org/follow-redirects/-/follow-redirects-1.14.7.tgz

Dependency Hierarchy:

• axios-0.25.0.tgz (Root Library)
  • ❌ follow-redirects-1.14.7.tgz (Vulnerable Library)

Found in HEAD commit: 5898f05a9d2742f667fe0b2c11f8515414682be2

Found in base branch: master

Vulnerability Details

Exposure of Sensitive Information to an Unauthorized Actor in NPM follow-redirects prior to 1.14.8.

Publish Date: 2022-02-09

URL: CVE-2022-0536

CVSS 3 Score Details (5.9)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: None
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0536

Release Date: 2022-02-09

Fix Resolution (follow-redirects): 1.14.8

Direct dependency fix Resolution (axios): 0.26.0

Vulnerable Libraries - yargs-parser-16.1.0.tgz, yargs-parser-13.1.1.tgz

Found in HEAD commit: 4cc23a6e26bbe1aaad25633458048013ca404969

Vulnerability Details

yargs-parser could be tricked into adding or modifying properties of Object.prototype using a "proto" payload.

Publish Date: 2020-03-16

URL: CVE-2020-7608

CVSS 3 Score Details (5.0)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: N/A
  • Attack Complexity: N/A
  • Privileges Required: N/A
  • User Interaction: N/A
  • Scope: N/A
• Impact Metrics:
  • Confidentiality Impact: N/A
  • Integrity Impact: N/A
  • Availability Impact: N/A

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7608

Release Date: 2020-03-16

Fix Resolution: v18.1.1;13.1.2;15.0.1

Vulnerable Library - nanoid-3.1.25.tgz

A tiny (108 bytes), secure URL-friendly unique string ID generator

Library home page: https://registry.npmjs.org/nanoid/-/nanoid-3.1.25.tgz

Dependency Hierarchy:

• mocha-9.1.3.tgz (Root Library)
  • ❌ nanoid-3.1.25.tgz (Vulnerable Library)

Found in base branch: master

Vulnerability Details

The package nanoid before 3.1.31 are vulnerable to Information Exposure via the valueOf() function which allows to reproduce the last id generated.

Publish Date: 2022-01-14

URL: CVE-2021-23566

CVSS 3 Score Details (5.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Local
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: None
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23566

Release Date: 2022-01-14

Fix Resolution: nanoid - 3.1.31

Vulnerable Library - glob-parent-5.1.2.tgz

Extract the non-magic parent path from a glob string.

Library home page: https://registry.npmjs.org/glob-parent/-/glob-parent-5.1.2.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/glob-parent/package.json

Dependency Hierarchy:

• config-1.18.2.tgz (Root Library)
  • globby-11.0.4.tgz
    • fast-glob-3.1.1.tgz
      • ❌ glob-parent-5.1.2.tgz (Vulnerable Library)

Found in HEAD commit: 5898f05a9d2742f667fe0b2c11f8515414682be2

Found in base branch: master

Vulnerability Details

The package glob-parent before 6.0.1 are vulnerable to Regular Expression Denial of Service (ReDoS)

Publish Date: 2021-06-22

URL: CVE-2021-35065

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-cj88-88mr-972w

Release Date: 2021-06-22

Fix Resolution (glob-parent): 6.0.1

Direct dependency fix Resolution (@oclif/config): 1.18.3

Vulnerable Library - yargs-parser-13.1.2.tgz

the mighty option parser used by yargs

Library home page: https://registry.npmjs.org/yargs-parser/-/yargs-parser-13.1.2.tgz

Path to dependency file: /tmp/ws-scm/konfig-manager/package.json

Path to vulnerable library: /tmp/ws-scm/konfig-manager/node_modules/yargs-parser/package.json

Dependency Hierarchy:

• mocha-7.1.1.tgz (Root Library)
  • ❌ yargs-parser-13.1.2.tgz (Vulnerable Library)

Found in HEAD commit: 3012ee1b0f0c99fe1aecd4b172e98e4d8bfa9414

Vulnerability Details

Affected versions of yargs-parser are vulnerable to prototype pollution. Arguments are not properly sanitized, allowing an attacker to modify the prototype of Object, causing the addition or modification of an existing property that will exist on all objects. Parsing the argument --foo.proto.bar baz' adds a bar property with value baz to all objects. This is only exploitable if attackers have control over the arguments being passed to yargs-parser.

Publish Date: 2020-05-01

URL: WS-2020-0068

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Adjacent
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/package/yargs-parser

Release Date: 2020-05-04

Fix Resolution: https://www.npmjs.com/package/yargs-parser/v/18.1.2,https://www.npmjs.com/package/yargs-parser/v/15.0.1

Vulnerable Library - minimist-1.2.5.tgz

parse argument options

Library home page: https://registry.npmjs.org/minimist/-/minimist-1.2.5.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/minimist/package.json

Dependency Hierarchy:

• rc-1.2.8.tgz (Root Library)
  • ❌ minimist-1.2.5.tgz (Vulnerable Library)

Found in HEAD commit: 5898f05a9d2742f667fe0b2c11f8515414682be2

Found in base branch: master

Vulnerability Details

Minimist <=1.2.5 is vulnerable to Prototype Pollution via file index.js, function setKey() (lines 69-95).

Publish Date: 2022-03-17

URL: CVE-2021-44906

CVSS 3 Score Details (5.0)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Release Date: 2022-03-17

Fix Resolution: minimist - 1.2.6

Vulnerable Library - follow-redirects-1.14.4.tgz

HTTP and HTTPS modules that follow redirects.

Library home page: https://registry.npmjs.org/follow-redirects/-/follow-redirects-1.14.4.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/follow-redirects/package.json

Dependency Hierarchy:

• axios-0.24.0.tgz (Root Library)
  • ❌ follow-redirects-1.14.4.tgz (Vulnerable Library)

Found in HEAD commit: 4363a7af48707a91c42b5a4e146459a5cd608775

Found in base branch: master

Vulnerability Details

follow-redirects is vulnerable to Exposure of Private Personal Information to an Unauthorized Actor

Publish Date: 2022-01-10

URL: CVE-2022-0155

CVSS 3 Score Details (6.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: None
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://huntr.dev/bounties/fc524e4b-ebb6-427d-ab67-a64181020406/

Release Date: 2022-01-10

Fix Resolution (follow-redirects): 1.14.7

Direct dependency fix Resolution (axios): 0.25.0

Vulnerable Library - handlebars-4.5.1.tgz

Handlebars provides the power necessary to let you build semantic templates effectively with no frustration

Library home page: https://registry.npmjs.org/handlebars/-/handlebars-4.5.1.tgz

Path to dependency file: /tmp/ws-scm/konfig-manager/package.json

Path to vulnerable library: /tmp/ws-scm/konfig-manager/node_modules/handlebars/package.json

Dependency Hierarchy:

• nyc-14.1.1.tgz (Root Library)
  • istanbul-reports-2.2.6.tgz
    • ❌ handlebars-4.5.1.tgz (Vulnerable Library)

Found in HEAD commit: d9234784b681b40704ad1b57a1bf3e6b9e58726d

Vulnerability Details

Prototype Pollution vulnerability found in handlebars 1.0.6 before 4.5.3. It is possible to add or modify properties to the Object prototype through a malicious template. Attacker may crash the application or execute Arbitrary Code in specific conditions.

Publish Date: 2019-12-05

URL: WS-2019-0333

CVSS 2 Score Details (5.0)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/1325

Release Date: 2019-12-05

Fix Resolution: handlebars - 4.5.3

Vulnerable Libraries - lodash-4.17.14.tgz, lodash-4.17.15.tgz

Found in HEAD commit: 3012ee1b0f0c99fe1aecd4b172e98e4d8bfa9414

Vulnerability Details

a prototype pollution vulnerability in lodash. It allows an attacker to inject properties on Object.prototype

Publish Date: 2020-04-28

URL: WS-2020-0070

CVSS 3 Score Details (8.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Vulnerable Library - pathval-1.1.0.tgz

Object value retrieval given a string path

Library home page: https://registry.npmjs.org/pathval/-/pathval-1.1.0.tgz

Path to dependency file: konfig-manager/package.json

Path to vulnerable library: konfig-manager/node_modules/pathval/package.json

Dependency Hierarchy:

• chai-4.2.0.tgz (Root Library)
  • ❌ pathval-1.1.0.tgz (Vulnerable Library)

Found in HEAD commit: 4ddf160976a10dcea27f9cf28e2a42625643f382

Found in base branch: master

Vulnerability Details

This affects all versions of package pathval.

Publish Date: 2020-10-26

URL: CVE-2020-7751

CVSS 3 Score Details (6.0)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: High
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: High

Vulnerable Library - glob-parent-5.1.0.tgz

Extract the non-magic parent path from a glob string.

Library home page: https://registry.npmjs.org/glob-parent/-/glob-parent-5.1.0.tgz

Path to dependency file: konfig-manager/package.json

Path to vulnerable library: konfig-manager/node_modules/glob-parent/package.json,konfig-manager/node_modules/fast-glob/node_modules/glob-parent/package.json

Dependency Hierarchy:

• globby-11.0.3.tgz (Root Library)
  • fast-glob-3.1.1.tgz
    • ❌ glob-parent-5.1.0.tgz (Vulnerable Library)

Found in HEAD commit: 0327828e7414e67db056c5a398962355f6cd9da8

Vulnerability Details

This affects the package glob-parent before 5.1.2. The enclosure regex used to check for strings ending in enclosure containing path separator.

Publish Date: 2021-06-03

URL: CVE-2020-28469

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28469

Release Date: 2021-06-03

Fix Resolution: glob-parent - 5.1.2

Vulnerable Library - lodash-4.17.20.tgz

Lodash modular utilities.

Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.20.tgz

Path to dependency file: konfig-manager/package.json

Path to vulnerable library: konfig-manager/node_modules/lodash/package.json

Dependency Hierarchy:

• dev-cli-1.26.0.tgz (Root Library)
  • ❌ lodash-4.17.20.tgz (Vulnerable Library)

Found in HEAD commit: 8d60676460a0b5ed34e3fbf3e2338ebae29229de

Found in base branch: master

Vulnerability Details

All versions of package lodash; all versions of package org.fujion.webjars:lodash are vulnerable to Regular Expression Denial of Service (ReDoS) via the toNumber, trim and trimEnd functions. Steps to reproduce (provided by reporter Liyuan Chen): var lo = require('lodash'); function build_blank (n) { var ret = "1" for (var i = 0; i < n; i++) { ret += " " } return ret + "1"; } var s = build_blank(50000) var time0 = Date.now(); lo.trim(s) var time_cost0 = Date.now() - time0; console.log("time_cost0: " + time_cost0) var time1 = Date.now(); lo.toNumber(s) var time_cost1 = Date.now() - time1; console.log("time_cost1: " + time_cost1) var time2 = Date.now(); lo.trimEnd(s) var time_cost2 = Date.now() - time2; console.log("time_cost2: " + time_cost2)

Publish Date: 2021-02-15

URL: CVE-2020-28500

CVSS 3 Score Details (5.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: lodash/lodash@02906b8

Release Date: 2021-02-15

Fix Resolution: lodash - 4.17.21

Vulnerable Library - jquery-1.8.1.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.8.1/jquery.min.js

Path to dependency file: /tmp/ws-scm/konfig-manager/node_modules/redeyed/examples/browser/index.html

Path to vulnerable library: /konfig-manager/node_modules/redeyed/examples/browser/index.html

Dependency Hierarchy:

• ❌ jquery-1.8.1.min.js (Vulnerable Library)

Found in HEAD commit: 6cf1c90234018918d4880f5236899871c45957b4

Vulnerability Details

jquery prior to 1.9.0 allows Cross-site Scripting attacks via the load method. The load method fails to recognize and remove "<script>" HTML tags that contain a whitespace character, i.e: "</script >", which results in the enclosed script logic to be executed.

Publish Date: 2020-05-19

URL: CVE-2020-7656

CVSS 3 Score Details (6.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: rails/jquery-rails@8f601cb

Release Date: 2020-05-19

Fix Resolution: jquery-rails - 2.2.0

Vulnerable Library - json-schema-0.2.3.tgz

JSON Schema validation and specifications

Library home page: https://registry.npmjs.org/json-schema/-/json-schema-0.2.3.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/json-schema/package.json

Dependency Hierarchy:

• coveralls-3.1.1.tgz (Root Library)
  • request-2.88.2.tgz
    • http-signature-1.2.0.tgz
      • jsprim-1.4.1.tgz
        • ❌ json-schema-0.2.3.tgz (Vulnerable Library)

Found in HEAD commit: 5898f05a9d2742f667fe0b2c11f8515414682be2

Found in base branch: master

Vulnerability Details

json-schema is vulnerable to Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

Publish Date: 2021-11-13

URL: CVE-2021-3918

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2021-3918

Release Date: 2021-11-13

Fix Resolution: json-schema - 0.4.0

Vulnerable Library - ini-1.3.5.tgz

An ini encoder/decoder for node

Library home page: https://registry.npmjs.org/ini/-/ini-1.3.5.tgz

Path to dependency file: konfig-manager/package.json

Path to vulnerable library: konfig-manager/node_modules/ini/package.json

Dependency Hierarchy:

• rc-1.2.8.tgz (Root Library)
  • ❌ ini-1.3.5.tgz (Vulnerable Library)

Found in HEAD commit: 4b00b1ca4c16201e9069f3af1f230c84ade491a4

Found in base branch: master

Vulnerability Details

This affects the package ini before 1.3.6. If an attacker submits a malicious INI file to an application that parses it with ini.parse, they will pollute the prototype on the application. This can be exploited further depending on the context.

Publish Date: 2020-12-11

URL: CVE-2020-7788

CVSS 3 Score Details (7.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7788

Release Date: 2020-12-11

Fix Resolution: v1.3.6

Vulnerable Library - lodash-4.17.20.tgz

Lodash modular utilities.

Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.20.tgz

Path to dependency file: konfig-manager/package.json

Path to vulnerable library: konfig-manager/node_modules/lodash/package.json

Dependency Hierarchy:

• dev-cli-1.26.0.tgz (Root Library)
  • ❌ lodash-4.17.20.tgz (Vulnerable Library)

Found in HEAD commit: 8d60676460a0b5ed34e3fbf3e2338ebae29229de

Found in base branch: master

Vulnerability Details

All versions of package lodash; all versions of package org.fujion.webjars:lodash are vulnerable to Command Injection via template.

Publish Date: 2021-02-15

URL: CVE-2021-23337

CVSS 3 Score Details (7.2)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: High
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: lodash/lodash@3469357

Release Date: 2021-02-15

Fix Resolution: lodash - 4.17.21

Vulnerable Library - handlebars-4.5.1.tgz

Handlebars provides the power necessary to let you build semantic templates effectively with no frustration

Library home page: https://registry.npmjs.org/handlebars/-/handlebars-4.5.1.tgz

Path to dependency file: /tmp/ws-scm/konfig-manager/package.json

Path to vulnerable library: /tmp/ws-scm/konfig-manager/node_modules/handlebars/package.json

Dependency Hierarchy:

• nyc-14.1.1.tgz (Root Library)
  • istanbul-reports-2.2.6.tgz
    • ❌ handlebars-4.5.1.tgz (Vulnerable Library)

Found in HEAD commit: d9234784b681b40704ad1b57a1bf3e6b9e58726d

Vulnerability Details

Arbitrary Code Execution vulnerability found in handlebars before 4.5.3. Lookup helper fails to validate templates. Attack may submit templates that execute arbitrary JavaScript in the system.It is due to an incomplete fix for a WS-2019-0331.

Publish Date: 2019-12-05

URL: WS-2019-0332

CVSS 2 Score Details (5.0)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/1324

Release Date: 2019-12-05

Fix Resolution: handlebars - 4.5.3

Vulnerable Library - jquery-1.8.1.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.8.1/jquery.min.js

Path to dependency file: /tmp/ws-scm/konfig-manager/node_modules/redeyed/examples/browser/index.html

Path to vulnerable library: /konfig-manager/node_modules/redeyed/examples/browser/index.html

Dependency Hierarchy:

• ❌ jquery-1.8.1.min.js (Vulnerable Library)

Found in HEAD commit: eda20410754e44ef12a67b3854d285746d7b516c

Vulnerability Details

JQuery, before 2.2.0, is vulnerable to Cross-site Scripting (XSS) attacks via text/javascript response with arbitrary code execution.

Publish Date: 2016-11-27

URL: WS-2016-0090

CVSS 2 Score Details (4.3)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: jquery/jquery@b078a62

Release Date: 2019-04-08

Fix Resolution: 2.2.0

Vulnerable Libraries - ajv-6.12.2.tgz, ajv-6.10.0.tgz

Found in HEAD commit: f779c9ec2a6e2c00a3a0df38f2d0a69cbcd2b538

Found in base branch: master

Vulnerability Details

An issue was discovered in ajv.validate() in Ajv (aka Another JSON Schema Validator) 6.12.2. A carefully crafted JSON schema could be provided that allows execution of other code by prototype pollution. (While untrusted schemas are recommended against, the worst case of an untrusted schema should be a denial of service, not execution of code.)

Publish Date: 2020-07-15

URL: CVE-2020-15366

CVSS 3 Score Details (5.6)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: https://github.com/ajv-validator/ajv/releases/tag/v6.12.3

Release Date: 2020-07-15

Fix Resolution: ajv - 6.12.3

Vulnerable Library - lodash-4.17.11.tgz

Lodash modular utilities.

Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.11.tgz

Path to dependency file: /konfig-manager/package.json

Path to vulnerable library: /tmp/git/konfig-manager/node_modules/lodash/package.json

Dependency Hierarchy:

• dev-cli-1.22.0.tgz (Root Library)
  • ❌ lodash-4.17.11.tgz (Vulnerable Library)

Found in HEAD commit: e3bb0295fc6a327da0057d218b3a293f9dd3531c

Vulnerability Details

A Prototype Pollution vulnerability was found in lodash through version 4.17.11.

Publish Date: 2019-07-08

URL: CVE-2019-10744

CVSS 2 Score Details (7.4)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: lodash/lodash@a01e4fa

Release Date: 2019-07-08

Fix Resolution: 4.17.12

Vulnerable Library - mixin-deep-1.3.1.tgz

Deeply mix the properties of objects into the first object. Like merge-deep, but doesn't clone.

Library home page: https://registry.npmjs.org/mixin-deep/-/mixin-deep-1.3.1.tgz

Path to dependency file: /konfig-manager/package.json

Path to vulnerable library: /tmp/git/konfig-manager/node_modules/mixin-deep/package.json

Dependency Hierarchy:

• dev-cli-1.22.0.tgz (Root Library)
  • qqjs-0.3.10.tgz
    • globby-8.0.2.tgz
      • fast-glob-2.2.7.tgz
        • micromatch-3.1.10.tgz
          • snapdragon-0.8.2.tgz
            • base-0.11.2.tgz
              • ❌ mixin-deep-1.3.1.tgz (Vulnerable Library)

Found in HEAD commit: 6dc96eb6097fb96b83aa88e342ceab3c5ad85b6a

Vulnerability Details

mixin-deep before 1.3.2 is vulnerable to Prototype Pollution.

Publish Date: 2019-07-11

URL: CVE-2019-10746

CVSS 2 Score Details (7.5)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: jonschlinkert/mixin-deep@8f464c8

Release Date: 2019-07-11

Fix Resolution: 1.3.2

Vulnerable Library - serialize-javascript-3.0.0.tgz

Serialize JavaScript to a superset of JSON that includes regular expressions and functions.

Library home page: https://registry.npmjs.org/serialize-javascript/-/serialize-javascript-3.0.0.tgz

Path to dependency file: /tmp/ws-scm/konfig-manager/package.json

Path to vulnerable library: /tmp/ws-scm/konfig-manager/node_modules/serialize-javascript/package.json

Dependency Hierarchy:

• mocha-8.0.1.tgz (Root Library)
  • ❌ serialize-javascript-3.0.0.tgz (Vulnerable Library)

Found in HEAD commit: b46b4b46d2277e8689594243d49b716982337617

Vulnerability Details

serialize-javascript prior to 3.1.0 allows remote attackers to inject arbitrary code via the function "deleteFunctions" within "index.js".

Publish Date: 2020-06-01

URL: CVE-2020-7660

CVSS 3 Score Details (8.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7660

Release Date: 2020-06-01

Fix Resolution: serialize-javascript - 3.1.0

Vulnerable Library - handlebars-4.5.1.tgz

Handlebars provides the power necessary to let you build semantic templates effectively with no frustration

Library home page: https://registry.npmjs.org/handlebars/-/handlebars-4.5.1.tgz

Path to dependency file: /tmp/ws-scm/konfig-manager/package.json

Path to vulnerable library: /tmp/ws-scm/konfig-manager/node_modules/handlebars/package.json

Dependency Hierarchy:

• nyc-14.1.1.tgz (Root Library)
  • istanbul-reports-2.2.6.tgz
    • ❌ handlebars-4.5.1.tgz (Vulnerable Library)

Found in HEAD commit: d9234784b681b40704ad1b57a1bf3e6b9e58726d

Vulnerability Details

Arbitrary Code Execution vulnerability found in handlebars before 4.5.2. Lookup helper fails to validate templates. Attack may submit templates that execute arbitrary JavaScript in the system.

Publish Date: 2019-12-05

URL: WS-2019-0331

CVSS 2 Score Details (5.0)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/1316

Release Date: 2019-12-05

Fix Resolution: handlebars - 4.5.2

Vulnerable Library - y18n-4.0.0.tgz

the bare-bones internationalization library used by yargs

Library home page: https://registry.npmjs.org/y18n/-/y18n-4.0.0.tgz

Dependency Hierarchy:

• nyc-15.1.0.tgz (Root Library)
  • yargs-15.3.1.tgz
    • ❌ y18n-4.0.0.tgz (Vulnerable Library)

Found in HEAD commit: 1012b375ddeb12d04444e742d117fd8ecdbff58c

Found in base branch: master

Vulnerability Details

This affects the package y18n before 3.2.2, 4.0.1 and 5.0.5. PoC by po6ix: const y18n = require('y18n')(); y18n.setLocale('proto'); y18n.updateLocale({polluted: true}); console.log(polluted); // true

Publish Date: 2020-11-17

URL: CVE-2020-7774

CVSS 3 Score Details (7.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7774

Release Date: 2020-11-17

Fix Resolution: 5.0.5

Vulnerable Library - jquery-1.8.1.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.8.1/jquery.min.js

Path to dependency file: konfig-manager/node_modules/redeyed/examples/browser/index.html

Path to vulnerable library: konfig-manager/node_modules/redeyed/examples/browser/index.html

Dependency Hierarchy:

• ❌ jquery-1.8.1.min.js (Vulnerable Library)

Found in HEAD commit: f779c9ec2a6e2c00a3a0df38f2d0a69cbcd2b538

Found in base branch: master

Vulnerability Details

In jQuery versions greater than or equal to 1.0.3 and before 3.5.0, passing HTML containing elements from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.

Publish Date: 2020-04-29

URL: CVE-2020-11023

CVSS 3 Score Details (6.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11023

Release Date: 2020-04-29

Fix Resolution: jquery - 3.5.0

Vulnerable Library - jquery-1.8.1.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.8.1/jquery.min.js

Path to dependency file: /tmp/ws-scm/konfig-manager/node_modules/redeyed/examples/browser/index.html

Path to vulnerable library: /konfig-manager/node_modules/redeyed/examples/browser/index.html

Dependency Hierarchy:

• ❌ jquery-1.8.1.min.js (Vulnerable Library)

Found in HEAD commit: eda20410754e44ef12a67b3854d285746d7b516c

Vulnerability Details

jQuery before 3.0.0 is vulnerable to Cross-site Scripting (XSS) attacks when a cross-domain Ajax request is performed without the dataType option, causing text/javascript responses to be executed.

Publish Date: 2018-01-18

URL: CVE-2015-9251

CVSS 3 Score Details (6.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2015-9251

Release Date: 2018-01-18

Fix Resolution: jQuery - v3.0.0