GithubHelp home page GithubHelp logo

seagate / cortx-halo Goto Github PK

View Code? Open in Web Editor NEW
2.0 2.0 21.0 1.34 MB

License: GNU Affero General Public License v3.0

JavaScript 0.22% HTML 0.12% TypeScript 25.95% Vue 42.33% SCSS 0.38% Python 30.64% Jinja 0.37%

cortx-halo's People

Contributors

ajaysrivas avatar akash2144 avatar dependabot[bot] avatar mend-for-github-com[bot] avatar mukhtar-inamdar avatar mukul-seagate11 avatar nareshgopal avatar rajnish-thegreat avatar sampadap03 avatar satyakoli avatar shailesh-vaidya avatar shaileshsvc avatar sujit-h-singh avatar yash-dk avatar

Stargazers

avatar avatar

Watchers

avatar avatar avatar avatar

Forkers

nareshgopal sujit-h-singh yanqingfu mariyappanp akash2144 shaileshsvc yash-dk mukhtar-inamdar rajnish-thegreat sampadap03 ajaysrivas satyakoli jyoti-cs soniyamoholkar ajayksri rajeshdesh 5l1v3r1 sanket292001 anjalikolekar189 jyotiranjanbaral

cortx-halo's Issues

moment-2.29.3.tgz: 1 vulnerabilities (highest severity is: 7.5) - autoclosed

Vulnerable Library - moment-2.29.3.tgz

Parse, validate, manipulate, and display dates

Library home page: https://registry.npmjs.org/moment/-/moment-2.29.3.tgz

Path to dependency file: /manager/gui/package.json

Path to vulnerable library: /manager/gui/node_modules/moment/package.json

Vulnerabilities

CVE Severity CVSS Dependency Type Fixed in Remediation Available
CVE-2022-31129 High 7.5 moment-2.29.3.tgz Direct moment - 2.29.4

Details

CVE-2022-31129

Vulnerable Library - moment-2.29.3.tgz

Parse, validate, manipulate, and display dates

Library home page: https://registry.npmjs.org/moment/-/moment-2.29.3.tgz

Path to dependency file: /manager/gui/package.json

Path to vulnerable library: /manager/gui/node_modules/moment/package.json

Dependency Hierarchy:

  • moment-2.29.3.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

moment is a JavaScript date library for parsing, validating, manipulating, and formatting dates. Affected versions of moment were found to use an inefficient parsing algorithm. Specifically using string-to-date parsing in moment (more specifically rfc2822 parsing, which is tried by default) has quadratic (N^2) complexity on specific inputs. Users may notice a noticeable slowdown is observed with inputs above 10k characters. Users who pass user-provided strings without sanity length checks to moment constructor are vulnerable to (Re)DoS attacks. The problem is patched in 2.29.4, the patch can be applied to all affected versions with minimal tweaking. Users are advised to upgrade. Users unable to upgrade should consider limiting date lengths accepted from user input.

Publish Date: 2022-07-06

URL: CVE-2022-31129

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-wc69-rhjr-hc9g

Release Date: 2022-07-06

Fix Resolution: moment - 2.29.4

⛑️ Automatic Remediation is available for this issue

⛑️ Automatic Remediation is available for this issue.

d3-7.3.0.tgz: 1 vulnerabilities (highest severity is: 7.5)

Vulnerable Library - d3-7.3.0.tgz

Vulnerabilities

CVE Severity CVSS Dependency Type Fixed in (d3 version) Remediation Available
WS-2022-0322 High 7.5 d3-color-3.0.1.tgz Transitive N/A*

*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the section "Details" below to see if there is a version of transitive dependency where vulnerability is fixed.

Details

WS-2022-0322

Vulnerable Library - d3-color-3.0.1.tgz

Color spaces! RGB, HSL, Cubehelix, Lab and HCL (Lch).

Library home page: https://registry.npmjs.org/d3-color/-/d3-color-3.0.1.tgz

Dependency Hierarchy:

  • d3-7.3.0.tgz (Root Library)
    • d3-color-3.0.1.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

The d3-color module provides representations for various color spaces in the browser. Versions prior to 3.1.0 are vulnerable to a Regular expression Denial of Service. This issue has been patched in version 3.1.0. There are no known workarounds.

Publish Date: 2022-09-29

URL: WS-2022-0322

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-36jr-mh4h-2g58

Release Date: 2022-09-29

Fix Resolution: d3-color - 3.1.0

c3-0.7.20.tgz: 1 vulnerabilities (highest severity is: 7.5)

Vulnerable Library - c3-0.7.20.tgz

Path to dependency file: /manager/gui/package.json

Vulnerabilities

CVE Severity CVSS Dependency Type Fixed in (c3 version) Remediation Available
WS-2022-0322 High 7.5 d3-color-1.4.1.tgz Transitive N/A*

*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the section "Details" below to see if there is a version of transitive dependency where vulnerability is fixed.

Details

WS-2022-0322

Vulnerable Library - d3-color-1.4.1.tgz

Color spaces! RGB, HSL, Cubehelix, Lab and HCL (Lch).

Library home page: https://registry.npmjs.org/d3-color/-/d3-color-1.4.1.tgz

Dependency Hierarchy:

  • c3-0.7.20.tgz (Root Library)
    • d3-5.16.0.tgz
      • d3-color-1.4.1.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

The d3-color module provides representations for various color spaces in the browser. Versions prior to 3.1.0 are vulnerable to a Regular expression Denial of Service. This issue has been patched in version 3.1.0. There are no known workarounds.

Publish Date: 2022-09-29

URL: WS-2022-0322

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-36jr-mh4h-2g58

Release Date: 2022-09-29

Fix Resolution: d3-color - 3.1.0

vuetify-2.6.2.tgz: 1 vulnerabilities (highest severity is: 5.4)

Vulnerable Library - vuetify-2.6.2.tgz

Vue Material Component Framework

Library home page: https://registry.npmjs.org/vuetify/-/vuetify-2.6.2.tgz

Vulnerabilities

CVE Severity CVSS Dependency Type Fixed in (vuetify version) Remediation Available
CVE-2022-25873 Medium 5.4 vuetify-2.6.2.tgz Direct 2.6.10

Details

CVE-2022-25873

Vulnerable Library - vuetify-2.6.2.tgz

Vue Material Component Framework

Library home page: https://registry.npmjs.org/vuetify/-/vuetify-2.6.2.tgz

Dependency Hierarchy:

  • vuetify-2.6.2.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

The package vuetify from 2.0.0-beta.4 and before 2.6.10 are vulnerable to Cross-site Scripting (XSS) due to improper input sanitization in the 'eventName' function within the VCalendar component.

Publish Date: 2022-09-18

URL: CVE-2022-25873

CVSS 3 Score Details (5.4)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2022-25873

Release Date: 2022-09-18

Fix Resolution: 2.6.10

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. 📊📈🎉

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google ❤️ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.