Bulk vulnerability fix - Lockfile fix #253

Open
wants to merge 1 commit into base: master

Conversation

debricked[bot] commented Jul 9, 2021

Bulk vulnerability fix - Lockfile fix

This pull request will update your transitive dependencies within the allowed version intervals provided by your direct dependencies.

Fixed vulnerabilities:

CVE-2019-10744
CVE-2020-8203
CVE-2020-28500
  • Description

    NVD

    All versions of package lodash; all versions of package org.fujion.webjars:lodash are vulnerable to Regular Expression Denial of Service (ReDoS) via the toNumber, trim and trimEnd functions. Steps to reproduce (provided by reporter Liyuan Chen):

    ```javascript
    var lo = require('lodash');
    // build a string of n spaces enclosed between two "1" characters
    function build_blank (n) {
      var ret = "1"
      for (var i = 0; i < n; i++) { ret += " " }
      return ret + "1";
    }
    var s = build_blank(50000)
    // time each affected function on the same 50,002-character input
    var time0 = Date.now();
    lo.trim(s)
    var time_cost0 = Date.now() - time0;
    console.log("time_cost0: " + time_cost0)
    var time1 = Date.now();
    lo.toNumber(s)
    var time_cost1 = Date.now() - time1;
    console.log("time_cost1: " + time_cost1)
    var time2 = Date.now();
    lo.trimEnd(s)
    var time_cost2 = Date.now() - time2;
    console.log("time_cost2: " + time_cost2)
    ```

  • CVSS details - 5.3

    CVSS3 metrics
    Attack Vector: Network
    Attack Complexity: Low
    Privileges Required: None
    User Interaction: None
    Scope: Unchanged
    Confidentiality: None
    Integrity: None
    Availability: Low
  • References

        CONFIRM
        perf: improve performance of toNumber, trim and trimEnd on large input strings by falsyvalues · Pull Request #5065 · lodash/lodash · GitHub
        February 2021 Lodash Vulnerabilities in NetApp Products | NetApp Product Security

CVE-2021-23337
CVE-2021-23343
  • Description

    NVD

    All versions of package path-parse are vulnerable to Regular Expression Denial of Service (ReDoS) via splitDeviceRe, splitTailRe, and splitPathRe regular expressions. ReDoS exhibits polynomial worst-case time complexity.

  • CVSS details - 7.5

    CVSS3 metrics
    Attack Vector: Network
    Attack Complexity: Low
    Privileges Required: None
    User Interaction: None
    Scope: Unchanged
    Confidentiality: None
    Integrity: None
    Availability: High
  • References

        ReDoS in path-parse · Issue #8 · jbgutierrez/path-parse · GitHub
        Pony Mail!

CVE-2020-7598
CVE-2021-29060
  • Description

    Allocation of Resources Without Limits or Throttling

    The software allocates a reusable resource or group of resources on behalf of an actor without imposing any restrictions on the size or number of resources that can be allocated, in violation of the intended security policy for that actor.

    NVD

    A Regular Expression Denial of Service (ReDOS) vulnerability was discovered in Color-String version 1.5.5 and below which occurs when the application is provided and checks a crafted invalid HWB string.

    GitHub

    Regular Expression Denial of Service (ReDOS)

    In the npm package color-string, there is a ReDoS (Regular Expression Denial of Service) vulnerability regarding an exponential time complexity for linearly increasing input lengths for hwb() color strings.

    Strings reaching more than 5000 characters would see several milliseconds of processing time; strings reaching more than 50,000 characters began seeing 1500ms (1.5s) of processing time.

    The cause was the regular expression that parses hwb() strings - specifically, the hue value - where the integer portion of the hue value used a 0-or-more quantifier shortly thereafter followed by a 1-or-more quantifier.

    This caused excessive backtracking and a cartesian scan, resulting in exponential time complexity given a linear increase in input length.

  • CVSS details - 5.3

    CVSS3 metrics
    Attack Vector: Network
    Attack Complexity: Low
    Privileges Required: None
    User Interaction: None
    Scope: Unchanged
    Confidentiality: None
    Integrity: None
    Availability: Low
  • References

        SaveResults/color-string.js at main · yetingli/SaveResults · GitHub
        PoCs/Color-String.md at main · yetingli/PoCs · GitHub
        fix ReDos in hwb() parser (low-severity) · Qix-/color-string@0789e21 · GitHub
        color-string - npm

CVE-2020-7774
CVE-2020-7733
CVE-2020-7793
  • Description

    Uncontrolled Resource Consumption

    The software does not properly control the allocation and maintenance of a limited resource thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources.

    NVD

    The package ua-parser-js before 0.7.23 is vulnerable to Regular Expression Denial of Service (ReDoS) in multiple regexes (see the linked commit for more info).

  • CVSS details - 7.5

    CVSS3 metrics
    Attack Vector: Network
    Attack Complexity: Low
    Privileges Required: None
    User Interaction: None
    Scope: Unchanged
    Confidentiality: None
    Integrity: None
    Availability: High
  • References

        Fix ReDoS vulnerabilities reported by Snyk · faisalman/ua-parser-js@6d1f26d · GitHub

CVE-2021-27292
CVE-2021-23368
CVE-2020-8116
CVE-2021-28092
  • Description

    NVD

    The is-svg package 2.1.0 through 4.2.1 for Node.js uses a regular expression that is vulnerable to Regular Expression Denial of Service (ReDoS). If an attacker provides a malicious string, is-svg will get stuck processing the input for a very long time.

    GitHub

    Regular Expression Denial of Service (ReDoS)

    The is-svg package 2.1.0 through 4.2.1 for Node.js uses a regular expression that is vulnerable to Regular Expression Denial of Service (ReDoS). If an attacker provides a malicious string, is-svg will get stuck processing the input for a very long time.

  • CVSS details - 7.5

    CVSS3 metrics
    Attack Vector: Network
    Attack Complexity: Low
    Privileges Required: None
    User Interaction: None
    Scope: Unchanged
    Confidentiality: None
    Integrity: None
    Availability: High
  • References

        Releases · sindresorhus/is-svg · GitHub
        Release v4.2.2 · sindresorhus/is-svg · GitHub
        is-svg - npm
        CVE-2021-28092 Node.js Vulnerability in NetApp Products | NetApp Product Security

CVE-2021-29059
  • Description

    Allocation of Resources Without Limits or Throttling

    The software allocates a reusable resource or group of resources on behalf of an actor without imposing any restrictions on the size or number of resources that can be allocated, in violation of the intended security policy for that actor.

    NVD

    A vulnerability was discovered in IS-SVG version 4.3.1 and below where a Regular Expression Denial of Service (ReDOS) occurs if the application is provided and checks a crafted invalid SVG string.

  • CVSS details - 7.5

    CVSS3 metrics
    Attack Vector: Network
    Attack Complexity: Low
    Privileges Required: None
    User Interaction: None
    Scope: Unchanged
    Confidentiality: None
    Integrity: None
    Availability: High
  • References

        SaveResults/is-svg.js at main · yetingli/SaveResults · GitHub
        is-svg - npm
        Release v4.3.0 · sindresorhus/is-svg · GitHub
        PoCs/IS-SVG.md at main · yetingli/PoCs · GitHub

CVE-2019-10747
CVE-2021-25949
CVE-2019-10746
debricked-124
CVE-2019-20149
CVE-2020-13822
CVE-2020-28498
CVE-2020-7608
  • Description

    Improper Input Validation

    The product does not validate or incorrectly validates input that can affect the control flow or data flow of a program.

    NVD

    yargs-parser could be tricked into adding or modifying properties of Object.prototype using a "__proto__" payload.

  • CVSS details - 5.3

    CVSS3 metrics
    Attack Vector: Local
    Attack Complexity: Low
    Privileges Required: Low
    User Interaction: None
    Scope: Unchanged
    Confidentiality: Low
    Integrity: Low
    Availability: Low
  • References

        THIRD PARTY
        fix: __proto__ will now be replaced with ___proto___ in parse (#258) · yargs/yargs-parser@63810ca · GitHub

debricked-149739
CVE-2021-23329
CVE-2018-3774
CVE-2020-8124
  • Description

    Improper Input Validation

    The product does not validate or incorrectly validates input that can affect the control flow or data flow of a program.

    NVD

    Insufficient validation and sanitization of user input in the url-parse npm package, version 1.4.4 and earlier, may allow an attacker to bypass security checks.

  • CVSS details - 5.3

    CVSS3 metrics
    Attack Vector: Network
    Attack Complexity: Low
    Privileges Required: None
    User Interaction: None
    Scope: Unchanged
    Confidentiality: None
    Integrity: Low
    Availability: None
  • References

        THIRD PARTY
        HackerOne

CVE-2021-27515
CVE-2020-7662
CVE-2021-26707
  • Description

    NVD

    The merge-deep library before 3.0.3 for Node.js can be tricked into overwriting properties of Object.prototype or adding new properties to it. These properties are then inherited by every object in the program, thus facilitating prototype-pollution attacks against applications using this library.

    GitHub

    Prototype pollution in Merge-deep

    The merge-deep library before 3.0.3 for Node.js can be tricked into overwriting properties of Object.prototype or adding new properties to it. These properties are then inherited by every object in the program, thus facilitating prototype-pollution attacks against applications using this library.

  • CVSS details - 9.8

    CVSS3 metrics
    Attack Vector: Network
    Attack Complexity: Low
    Privileges Required: None
    User Interaction: None
    Scope: Unchanged
    Confidentiality: High
    Integrity: High
    Availability: High
  • References

        add isValidKey function to ensure only valid keys are merged · jonschlinkert/merge-deep@11e5dd5 · GitHub
        merge-deep - npm
        GHSL-2020-160: Prototype pollution in Merge-deep | GitHub Security Lab

CVE-2021-23362
CVE-2021-23358
CVE-2019-15657
CVE-2019-20922
  • Description

    Loop with Unreachable Exit Condition ('Infinite Loop')

    The program contains an iteration or loop with an exit condition that cannot be reached, i.e., an infinite loop.

    NVD

    Handlebars before 4.4.5 allows Regular Expression Denial of Service (ReDoS) because of eager matching. The parser may be forced into an endless loop while processing crafted templates. This may allow attackers to exhaust system resources.

  • CVSS details - 7.5

    CVSS3 metrics
    Attack Vector: Network
    Attack Complexity: Low
    Privileges Required: None
    User Interaction: None
    Scope: Unchanged
    Confidentiality: None
    Integrity: None
    Availability: High
  • References

        fix: non-eager matching raw-block-contents · handlebars-lang/handlebars.js@8d5530e · GitHub
        npm

CVE-2019-20920
  • Description

    Improper Control of Generation of Code ('Code Injection')

    The software constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

    NVD

    Handlebars before 3.0.8 and 4.x before 4.5.3 is vulnerable to Arbitrary Code Execution. The lookup helper fails to properly validate templates, allowing attackers to submit templates that execute arbitrary JavaScript. This can be used to run arbitrary code on a server processing Handlebars templates or in a victim's browser (effectively serving as XSS).

  • CVSS details - 8.1

    CVSS3 metrics
    Attack Vector: Network
    Attack Complexity: High
    Privileges Required: None
    User Interaction: None
    Scope: Changed
    Confidentiality: High
    Integrity: Low
    Availability: Low
  • References

        npm
        npm

CVE-2021-23369
CVE-2021-23383
CVE-2018-16469
  • Description

    Improper Input Validation

    The product does not validate or incorrectly validates input that can affect the control flow or data flow of a program.

    NVD

    The merge.recursive function in the merge package <1.2.1 can be tricked into adding or modifying properties of the Object prototype. These properties will be present on all objects allowing for a denial of service attack.

    GitHub

    Prototype Pollution in merge

    Versions of merge before 1.2.1 are vulnerable to prototype pollution. The merge.recursive function can be tricked into adding or modifying properties of the Object prototype.

    Recommendation

    Update to version 1.2.1 or later.

  • CVSS details - 7.5

    CVSS3 metrics
    Attack Vector: Network
    Attack Complexity: Low
    Privileges Required: None
    User Interaction: None
    Scope: Unchanged
    Confidentiality: None
    Integrity: None
    Availability: High
  • References

        HackerOne
        Prototype Pollution in merge · CVE-2018-16469 · GitHub Advisory Database · GitHub
        NVD - CVE-2018-16469

CVE-2020-28499
  • Description

    NVD

    All versions of package merge are vulnerable to Prototype Pollution via _recursiveMerge.

    GitHub

    Prototype Pollution in merge

    All versions of package merge <2.1.1 are vulnerable to Prototype Pollution via _recursiveMerge.

  • CVSS details - 9.8

    CVSS3 metrics
    Attack Vector: Network
    Attack Complexity: Low
    Privileges Required: None
    User Interaction: None
    Scope: Unchanged
    Confidentiality: High
    Integrity: High
    Availability: High
  • References

        CVE-2020-28499 | merge Package Prototype _recursiveMerge code injection (SNYK-JS-MERGE-1042987)
        CONFIRM

CVE-2017-16028
CVE-2018-14732
CVE-2021-23386
  • Description

    Exposure of Sensitive Information to an Unauthorized Actor

    The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

    NVD

    This affects the package dns-packet before 5.2.2. It creates buffers with allocUnsafe and does not always fill them before forming network packets. This can expose internal application memory over unencrypted network when querying crafted invalid domain names.

    GitHub

    Potential memory exposure in dns-packet

    This affects the package dns-packet before versions 1.3.2 and 5.2.2. It creates buffers with allocUnsafe and does not always fill them before forming network packets. This can expose internal application memory over unencrypted network when querying crafted invalid domain names.

  • CVSS details - 6.5

    CVSS3 metrics
    Attack Vector: Network
    Attack Complexity: Low
    Privileges Required: Low
    User Interaction: None
    Scope: Unchanged
    Confidentiality: High
    Integrity: None
    Availability: None
  • References

        HackerOne
        do trim on encodingLength as well · mafintosh/dns-packet@25f15dd · GitHub

debricked-149740
CVE-2020-7720
CVE-2020-7693

Related information

📌 Remember! Check the changes to ensure they don't introduce any breaking changes.
📚 Read more at Debricked
