Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Bulk vulnerability fix - Lockfile fix #3

Closed
wants to merge 1 commit into from
Closed

Bulk vulnerability fix - Lockfile fix #3

wants to merge 1 commit into from

Conversation

debricked[bot]
Copy link

@debricked debricked bot commented Jul 1, 2021
edited
Loading

Bulk vulnerability fix - Lockfile fix

This pull request will update your transitive dependencies within the allowed version intervals provided by your direct dependencies.

Fixed vulnerabilities:

CVE–2021–23343
  • Description

    NVD

    All versions of package path-parse are vulnerable to Regular Expression Denial of Service (ReDoS) via splitDeviceRe, splitTailRe, and splitPathRe regular expressions. ReDoS exhibits polynomial worst-case time complexity.

  • CVSS details - 7.5

     

    CVSS3 metrics
    Attack Vector Network
    Attack Complexity Low
    Privileges Required None
    User interaction None
    Scope Unchanged
    Confidentiality None
    Integrity None
    Availability High
  • References

        ReDoS in path-parse · Issue #8 · jbgutierrez/path-parse · GitHub
        Pony Mail!

CVE–2021–23364
debricked–124
CVE–2021–23362
CVE–2020–7597
  • Description

    Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

    The software constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

    NVD

    codecov-node npm module before 3.6.5 allows remote attackers to execute arbitrary commands.The value provided as part of the gcov-root argument is executed by the exec function within lib/codecov.js. This vulnerability exists due to an incomplete fix of CVE-2020-7596.

    GitHub

    codecov NPM module allows remote attackers to execute arbitrary commands

    codecov-node npm module before 3.6.5 allows remote attackers to execute arbitrary commands.The value provided as part of the gcov-root argument is executed by the exec function within lib/codecov.js. This vulnerability exists due to an incomplete fix of CVE-2020-7596.

  • CVSS details - 8.8

     

    CVSS3 metrics
    Attack Vector Network
    Attack Complexity Low
    Privileges Required Low
    User interaction None
    Scope Unchanged
    Confidentiality High
    Integrity High
    Availability High
  • References

        [CE-1330] Escaping args (#167) · codecov/codecov-node@02cf13d · GitHub
        NVD - CVE-2020-7597
        codecov NPM module allows remote attackers to execute arbitrary commands · CVE-2020-7597 · GitHub Advisory Database · GitHub

CVE–2020–15123
CVE–2019–20149
CVE–2019–10747
CVE–2021–32640
  • Description

    Uncontrolled Resource Consumption

    The software does not properly control the allocation and maintenance of a limited resource thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources.

    NVD

    ws is an open source WebSocket client and server library for Node.js. A specially crafted value of the Sec-Websocket-Protocol header can be used to significantly slow down a ws server. The vulnerability has been fixed in ws@7.4.6 (websockets/ws@00c425e). In vulnerable versions of ws, the issue can be mitigated by reducing the maximum allowed length of the request headers using the --max-http-header-size=size and/or the maxHeaderSize options.

    GitHub

    ReDoS in Sec-Websocket-Protocol header

    Impact

    A specially crafted value of the Sec-Websocket-Protocol header can be used to significantly slow down a ws server.

    Proof of concept

    for (const length of [1000, 2000, 4000, 8000, 16000, 32000]) {
  const value = 'b' + ' '.repeat(length) + 'x';
  const start = process.hrtime.bigint();

  value.trim().split(/ *, */);

  const end = process.hrtime.bigint();

  console.log('length = %d, time = %f ns', length, end - start);
}

    Patches

    The vulnerability was fixed in ws@7.4.6 (websockets/ws@00c425e) and backported to ws@6.2.2 (websockets/ws@78c676d) and ws@5.2.3 (websockets/ws@76d47c1).

    Workarounds

    In vulnerable versions of ws, the issue can be mitigated by reducing the maximum allowed length of the request headers using the --max-http-header-size=size and/or the maxHeaderSize options.

    Credits

    The vulnerability was responsibly disclosed along with a fix in private by Robert McLaughlin from University of California, Santa Barbara.

  • CVSS details - 5.3

     

    CVSS3 metrics
    Attack Vector Network
    Attack Complexity Low
    Privileges Required None
    User interaction None
    Scope Unchanged
    Confidentiality None
    Integrity None
    Availability Low
  • References

        ReDoS in Sec-Websocket-Protocol header · Advisory · websockets/ws · GitHub
        [security] Fix ReDoS vulnerability · websockets/ws@00c425e · GitHub
        Pony Mail!

CVE–2019–16769
  • Description

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

    The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

    NVD

    Affected versions of this package are vulnerable to Cross-site Scripting (XSS). It does not properly mitigate against unsafe characters in serialized regular expressions. This vulnerability is not affected on Node.js environment since Node.js's implementation of RegExp.prototype.toString() backslash-escapes all forward slashes in regular expressions. If serialized data of regular expression objects are used in an environment other than Node.js, it is affected by this vulnerability.

    GitHub

    Cross-Site Scripting in serialize-javascript

    Versions of serialize-javascript prior to 2.1.1 are vulnerable to Cross-Site Scripting (XSS). The package fails to sanitize serialized regular expressions. This vulnerability does not affect Node.js applications.

    Recommendation

    Upgrade to version 2.1.1 or later.

  • CVSS details - 5.4

     

    CVSS3 metrics
    Attack Vector Network
    Attack Complexity Low
    Privileges Required Low
    User interaction Required
    Scope Changed
    Confidentiality Low
    Integrity Low
    Availability None
  • References

        regular expressions Cross-Site Scripting (XSS) vulnerability · Advisory · yahoo/serialize-javascript · GitHub
        NVD - CVE-2019-16769
        Cross-Site Scripting in serialize-javascript · CVE-2019-16769 · GitHub Advisory Database · GitHub

CVE–2020–7660
  • Description

    Deserialization of Untrusted Data

    The application deserializes untrusted data without sufficiently verifying that the resulting data will be valid.

    NVD

    serialize-javascript prior to 3.1.0 allows remote attackers to inject arbitrary code via the function "deleteFunctions" within "index.js".

    GitHub

    Insecure serialization leading to RCE in serialize-javascript

    serialize-javascript prior to 3.1.0 allows remote attackers to inject arbitrary code via the function "deleteFunctions" within "index.js".

    An object such as {"foo": /1"/, "bar": "a\"@__R-<UID>-0__@"} was serialized as {"foo": /1"/, "bar": "a\/1"/}, which allows an attacker to escape the bar key. This requires the attacker to control the values of both foo and bar and guess the value of <UID>. The UID has a keyspace of approximately 4 billion making it a realistic network attack.

    The following proof-of-concept calls console.log() when the running eval():
    eval('('+ serialize({"foo": /1" + console.log(1)/i, "bar": '"@__R-<UID>-0__@'}) + ')');

    NVD

    serialize-javascript prior to 3.1.0 allows remote attackers to inject arbitrary code via the function "deleteFunctions" within "index.js".

  • CVSS details - 8.1

     

    CVSS3 metrics
    Attack Vector Network
    Attack Complexity High
    Privileges Required None
    User interaction None
    Scope Unchanged
    Confidentiality High
    Integrity High
    Availability High
  • References

        Don't replace regex / function placeholders within string literals (#79) · yahoo/serialize-javascript@f21a6fb · GitHub
        NVD - CVE-2020-7660
        Insecure serialization leading to RCE in serialize-javascript · CVE-2020-7660 · GitHub Advisory Database · GitHub

 

Related information

📌 Remember! Check the changes to ensure they don't introduce any breaking changes.
📚 Read more at Debricked

 

@debricked debricked bot force-pushed the debricked-fix-bulk_fix-7c9de0635ffdfa45 branch from c086810 to 0c55d60 Compare July 5, 2021 09:10
@debricked debricked bot force-pushed the debricked-fix-bulk_fix-7c9de0635ffdfa45 branch from 0c55d60 to 10e4c67 Compare July 9, 2021 14:28
@debricked debricked bot closed this Sep 7, 2021
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
0 participants