File Metadata Microservice Freecode camp exercise
Home Page: https://file-metadata-mubaidr.herokuapp.com/
License: Apache License 2.0
Vulnerable Library - debug-2.6.8.tgzsmall debugging utility
path: /tmp/git/File-Metadata-Microservice/node_modules/debug/package.json
Library home page: https://registry.npmjs.org/debug/-/debug-2.6.8.tgz
Dependency Hierarchy:
Vulnerability Details
The debug module is vulnerable to regular expression denial of service when untrusted user input is passed into the o formatter. It takes around 50k characters to block for 2 seconds making this a low severity issue.
Publish Date: 2018-06-07
URL: CVE-2017-16137
CVSS 3 Score Details (5.3)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://nodesecurity.io/advisories/534
Release Date: 2017-09-27
Fix Resolution: Version 2.x.x: Update to version 2.6.9 or later. Version 3.x.x: Update to version 3.1.0 or later.
Step up your Open Source Security Game with WhiteSource here
Vulnerable Library - lodash-4.17.4.tgzLodash modular utilities.
path: /tmp/git/File-Metadata-Microservice/node_modules/lodash/package.json
Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.4.tgz
Dependency Hierarchy:
Vulnerability Details
lodash node module before 4.17.5 suffers from a Modification of Assumed-Immutable Data (MAID) vulnerability via defaultsDeep, merge, and mergeWith functions, which allows a malicious user to modify the prototype of "Object" via proto, causing the addition or modification of an existing property that will exist on all objects.
Publish Date: 2018-06-07
URL: CVE-2018-3721
CVSS 3 Score Details (6.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-3721
Fix Resolution: Upgrade to version lodash 4.17.5 or greater
Step up your Open Source Security Game with WhiteSource here
Vulnerable Library - mime-1.3.4.tgzA comprehensive library for mime-type mapping
path: /tmp/git/File-Metadata-Microservice/node_modules/mime/package.json
Library home page: http://registry.npmjs.org/mime/-/mime-1.3.4.tgz
Dependency Hierarchy:
Vulnerability Details
The mime module < 1.4.1, 2.0.1, 2.0.2 is vulnerable to regular expression denial of service when a mime lookup is performed on untrusted user input.
Publish Date: 2018-06-07
URL: CVE-2017-16138
CVSS 3 Score Details (7.5)
Base Score Metrics:
Step up your Open Source Security Game with WhiteSource here
Vulnerable Library - fresh-0.5.0.tgzHTTP response freshness testing
path: /tmp/git/File-Metadata-Microservice/node_modules/fresh/package.json
Library home page: https://registry.npmjs.org/fresh/-/fresh-0.5.0.tgz
Dependency Hierarchy:
Vulnerability Details
Fresh is a module used by the Express.js framework for HTTP response freshness testing. It is vulnerable to a regular expression denial of service when it is passed specially crafted input to parse. This causes the event loop to be blocked causing a denial of service condition.
Publish Date: 2018-06-07
URL: CVE-2017-16119
CVSS 3 Score Details (7.5)
Base Score Metrics:
Step up your Open Source Security Game with WhiteSource here
Vulnerable Library - forwarded-0.1.0.tgzParse HTTP X-Forwarded-For header
path: /tmp/git/File-Metadata-Microservice/node_modules/forwarded/package.json
Library home page: http://registry.npmjs.org/forwarded/-/forwarded-0.1.0.tgz
Dependency Hierarchy:
Vulnerability Details
The forwarded module is used by the Express.js framework to handle the X-Forwarded-For header. It is vulnerable to a regular expression denial of service when it's passed specially crafted input to parse. This causes the event loop to be blocked causing a denial of service condition.
Publish Date: 2018-06-07
URL: CVE-2017-16118
CVSS 3 Score Details (7.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://nodesecurity.io/advisories/527
Release Date: 2017-09-26
Fix Resolution: Update to version 0.1.2 or later
Step up your Open Source Security Game with WhiteSource here
Vulnerable Library - url-parse-1.1.9.tgzSmall footprint URL parser that works seamlessly across Node.js and browser environments
path: /tmp/git/File-Metadata-Microservice/node_modules/url-parse/package.json
Library home page: https://registry.npmjs.org/url-parse/-/url-parse-1.1.9.tgz
Dependency Hierarchy:
Vulnerability Details
Incorrect parsing in url-parse <1.4.3 returns wrong hostname which leads to multiple vulnerabilities such as SSRF, Open Redirect, Bypass Authentication Protocol.
Publish Date: 2018-08-12
URL: CVE-2018-3774
CVSS 3 Score Details (10.0)
Base Score Metrics:
Suggested Fix
Type: Change files
Origin: unshiftio/url-parse@53b1794
Release Date: 2018-07-29
Fix Resolution: Replace or update the following files: index.js, test.js
Step up your Open Source Security Game with WhiteSource here
Vulnerable Library - ws-3.0.0.tgzSimple to use, blazing fast and thoroughly tested websocket client and server for Node.js
path: /tmp/git/File-Metadata-Microservice/node_modules/ws/package.json
Library home page: https://registry.npmjs.org/ws/-/ws-3.0.0.tgz
Dependency Hierarchy:
Vulnerability Details
Affected version of ws (0.2.6--3.3.0) are vulnerable to A specially crafted value of the Sec-WebSocket-Extensions header that used Object.prototype property names as extension or parameter names could be used to make a ws server crash.
Publish Date: 2017-11-08
URL: WS-2017-0421
CVSS 2 Score Details (7.5)
Base Score Metrics not available
Suggested Fix
Type: Upgrade version
Origin: https://www.npmjs.com/advisories/550/versions
Release Date: 2019-01-24
Fix Resolution: 3.3.1
Step up your Open Source Security Game with WhiteSource here
Vulnerable Library - mime-1.3.4.tgzA comprehensive library for mime-type mapping
path: /tmp/git/File-Metadata-Microservice/node_modules/mime/package.json
Library home page: http://registry.npmjs.org/mime/-/mime-1.3.4.tgz
Dependency Hierarchy:
Vulnerability Details
Affected version of mime (1.0.0 throw 1.4.0 and 2.0.0 throw 2.0.2), are vulnerable to regular expression denial of service.
Publish Date: 2017-09-27
URL: WS-2017-0330
CVSS 2 Score Details (5.0)
Base Score Metrics not available
Step up your Open Source Security Game with WhiteSource here
🚨 You need to enable Continuous Integration on all branches of this repository. 🚨
To enable Greenkeeper, you need to make sure that a commit status is reported on all branches. This is required by Greenkeeper because it uses your CI build statuses to figure out when to notify you about breaking changes.
Since we didn’t receive a CI status on the greenkeeper/initial branch, it’s possible that you don’t have CI set up yet. We recommend using Travis CI, but Greenkeeper will work with every other CI service as well.
If you have already set up a CI for this repository, you might need to check how it’s configured. Make sure it is set to run on all new branches. If you don’t want it to run on absolutely every branch, you can whitelist branches starting with greenkeeper/.
Once you have installed and configured CI on this repository correctly, you’ll need to re-trigger Greenkeeper’s initial pull request. To do this, please delete the greenkeeper/initial branch in this repository, and then remove and re-add this repository to the Greenkeeper App’s white list on Github. You'll find this list on your repo or organization’s settings page, under Installed GitHub Apps.
Vulnerable Library - open-0.0.5.tgzopen a file or url in the user's preferred application
path: /tmp/git/File-Metadata-Microservice/node_modules/open/package.json
Library home page: http://registry.npmjs.org/open/-/open-0.0.5.tgz
Dependency Hierarchy:
Vulnerability Details
All versions of open are vulnerable to command injection when unsanitized user input is passed in.
Publish Date: 2018-05-16
URL: WS-2018-0107
CVSS 2 Score Details (10.0)
Base Score Metrics not available
Suggested Fix
Type: Upgrade version
Origin: https://nodesecurity.io/advisories/663
Release Date: 2018-05-16
Fix Resolution: No fix is currently available for this vulnerability. It is our recommendation to not install or use this module until a fix is available.
Step up your Open Source Security Game with WhiteSource here
Vulnerable Library - lodash-4.17.4.tgzLodash modular utilities.
path: /tmp/git/File-Metadata-Microservice/node_modules/lodash/package.json
Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.4.tgz
Dependency Hierarchy:
Vulnerability Details
In the node_module "lodash" before version 4.17.11 the functions merge, mergeWith, and defaultsDeep can be tricked into adding or modifying properties of the Object prototype. These properties will be present on all objects.
Publish Date: 2018-11-25
URL: WS-2018-0210
CVSS 2 Score Details (3.5)
Base Score Metrics not available
Suggested Fix
Type: Change files
Origin: lodash/lodash@90e6199
Release Date: 2018-08-31
Fix Resolution: Replace or update the following files: lodash.js, test.js
Step up your Open Source Security Game with WhiteSource here
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
An Open Source Machine Learning Framework for Everyone
Django
The Web framework for perfectionists with deadlines.
Laravel
A PHP framework for web artisans
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
Some thing interesting about web. New door for the world.
A server is a program made to process requests and deliver data to clients.
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Some thing interesting about visualization, use data art
Some thing interesting about game, make everyone happy.
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
Microsoft
Open source projects and samples from Microsoft.
Google
Google ❤️ Open Source for everyone.
Alibaba
Alibaba Open Source for everyone
D3
Data-Driven Documents codes.
Tencent
China tencent open source team.
