Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

karma-0.13.22.tgz: 11 vulnerabilities (highest severity is: 9.1) #3

Open
mend-for-github-com bot opened this issue Feb 8, 2022 · 0 comments
Open

karma-0.13.22.tgz: 11 vulnerabilities (highest severity is: 9.1) #3

mend-for-github-com bot opened this issue Feb 8, 2022 · 0 comments
Labels
security vulnerability Security vulnerability detected by WhiteSource

Comments

@mend-for-github-com
Copy link

Vulnerable Library - karma-0.13.22.tgz

Spectacular Test Runner for JavaScript.

Library home page: https://registry.npmjs.org/karma/-/karma-0.13.22.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/karma/package.json

Found in HEAD commit: 79859a7465b541051407125fbc97d67425b33dc4

Vulnerabilities

CVE Severity CVSS Dependency Type Fixed in Remediation Available
CVE-2019-10744 High 9.1 lodash-3.10.1.tgz Transitive 2.0.0
WS-2018-0650 High 7.5 useragent-2.3.0.tgz Transitive N/A
CVE-2020-8203 High 7.4 lodash-3.10.1.tgz Transitive 2.0.0
CVE-2021-23337 High 7.2 lodash-3.10.1.tgz Transitive 2.0.0
CVE-2022-0155 Medium 6.5 follow-redirects-1.14.4.tgz Transitive N/A
CVE-2019-1010266 Medium 6.5 lodash-3.10.1.tgz Transitive 2.0.0
CVE-2018-3721 Medium 6.5 lodash-3.10.1.tgz Transitive 2.0.0
CVE-2020-7598 Medium 5.6 minimist-0.0.10.tgz Transitive 5.0.0
CVE-2018-16487 Medium 5.6 lodash-3.10.1.tgz Transitive 2.0.0
CVE-2022-21704 Medium 5.5 log4js-0.6.38.tgz Transitive N/A
CVE-2022-0437 Medium 5.4 karma-0.13.22.tgz Direct karma - v6.3.14

Details

CVE-2019-10744

Vulnerable Library - lodash-3.10.1.tgz

The modern build of lodash modular utilities.

Library home page: https://registry.npmjs.org/lodash/-/lodash-3.10.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/karma-webpack/node_modules/lodash/package.json,/node_modules/sauce-connect-launcher/node_modules/lodash/package.json,/node_modules/karma/node_modules/lodash/package.json

Dependency Hierarchy:

  • karma-0.13.22.tgz (Root Library)
    • lodash-3.10.1.tgz (Vulnerable Library)

Found in HEAD commit: 79859a7465b541051407125fbc97d67425b33dc4

Found in base branch: master

Vulnerability Details

Versions of lodash lower than 4.17.12 are vulnerable to Prototype Pollution. The function defaultsDeep could be tricked into adding or modifying properties of Object.prototype using a constructor payload.

Publish Date: 2019-07-26

URL: CVE-2019-10744

CVSS 3 Score Details (9.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-jf85-cpcp-j695

Release Date: 2019-07-26

Fix Resolution (lodash): 4.17.12

Direct dependency fix Resolution (karma): 2.0.0

⛑️ Automatic Remediation is available for this issue

WS-2018-0650

Vulnerable Library - useragent-2.3.0.tgz

Fastest, most accurate & effecient user agent string parser, uses Browserscope's research for parsing

Library home page: https://registry.npmjs.org/useragent/-/useragent-2.3.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/useragent/package.json

Dependency Hierarchy:

  • karma-0.13.22.tgz (Root Library)
    • useragent-2.3.0.tgz (Vulnerable Library)

Found in HEAD commit: 79859a7465b541051407125fbc97d67425b33dc4

Found in base branch: master

Vulnerability Details

Regular Expression Denial of Service (ReDoS) vulnerability was found in useragent through 2.3.0.

Publish Date: 2018-02-27

URL: WS-2018-0650

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/WS-2018-0650

Release Date: 2018-02-27

Fix Resolution: NorDroN.AngularTemplate - 0.1.6;dotnetng.template - 1.0.0.4;JetBrains.Rider.Frontend5 - 213.0.20211008.154703-eap03;MIDIator.WebClient - 1.0.105

CVE-2020-8203

Vulnerable Library - lodash-3.10.1.tgz

The modern build of lodash modular utilities.

Library home page: https://registry.npmjs.org/lodash/-/lodash-3.10.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/karma-webpack/node_modules/lodash/package.json,/node_modules/sauce-connect-launcher/node_modules/lodash/package.json,/node_modules/karma/node_modules/lodash/package.json

Dependency Hierarchy:

  • karma-0.13.22.tgz (Root Library)
    • lodash-3.10.1.tgz (Vulnerable Library)

Found in HEAD commit: 79859a7465b541051407125fbc97d67425b33dc4

Found in base branch: master

Vulnerability Details

Prototype pollution attack when using _.zipObjectDeep in lodash before 4.17.20.

Publish Date: 2020-07-15

URL: CVE-2020-8203

CVSS 3 Score Details (7.4)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/1523

Release Date: 2020-07-15

Fix Resolution (lodash): 4.17.9

Direct dependency fix Resolution (karma): 2.0.0

⛑️ Automatic Remediation is available for this issue

CVE-2021-23337

Vulnerable Library - lodash-3.10.1.tgz

The modern build of lodash modular utilities.

Library home page: https://registry.npmjs.org/lodash/-/lodash-3.10.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/karma-webpack/node_modules/lodash/package.json,/node_modules/sauce-connect-launcher/node_modules/lodash/package.json,/node_modules/karma/node_modules/lodash/package.json

Dependency Hierarchy:

  • karma-0.13.22.tgz (Root Library)
    • lodash-3.10.1.tgz (Vulnerable Library)

Found in HEAD commit: 79859a7465b541051407125fbc97d67425b33dc4

Found in base branch: master

Vulnerability Details

Lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function.

Publish Date: 2021-02-15

URL: CVE-2021-23337

CVSS 3 Score Details (7.2)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: High
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: lodash/lodash@3469357

Release Date: 2021-02-15

Fix Resolution (lodash): 4.17.21

Direct dependency fix Resolution (karma): 2.0.0

⛑️ Automatic Remediation is available for this issue

CVE-2022-0155

Vulnerable Library - follow-redirects-1.14.4.tgz

HTTP and HTTPS modules that follow redirects.

Library home page: https://registry.npmjs.org/follow-redirects/-/follow-redirects-1.14.4.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/follow-redirects/package.json

Dependency Hierarchy:

  • karma-0.13.22.tgz (Root Library)
    • http-proxy-1.18.1.tgz
      • follow-redirects-1.14.4.tgz (Vulnerable Library)

Found in HEAD commit: 79859a7465b541051407125fbc97d67425b33dc4

Found in base branch: master

Vulnerability Details

follow-redirects is vulnerable to Exposure of Private Personal Information to an Unauthorized Actor

Publish Date: 2022-01-10

URL: CVE-2022-0155

CVSS 3 Score Details (6.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://huntr.dev/bounties/fc524e4b-ebb6-427d-ab67-a64181020406/

Release Date: 2022-01-10

Fix Resolution: follow-redirects - v1.14.7

CVE-2019-1010266

Vulnerable Library - lodash-3.10.1.tgz

The modern build of lodash modular utilities.

Library home page: https://registry.npmjs.org/lodash/-/lodash-3.10.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/karma-webpack/node_modules/lodash/package.json,/node_modules/sauce-connect-launcher/node_modules/lodash/package.json,/node_modules/karma/node_modules/lodash/package.json

Dependency Hierarchy:

  • karma-0.13.22.tgz (Root Library)
    • lodash-3.10.1.tgz (Vulnerable Library)

Found in HEAD commit: 79859a7465b541051407125fbc97d67425b33dc4

Found in base branch: master

Vulnerability Details

lodash prior to 4.17.11 is affected by: CWE-400: Uncontrolled Resource Consumption. The impact is: Denial of service. The component is: Date handler. The attack vector is: Attacker provides very long strings, which the library attempts to match using a regular expression. The fixed version is: 4.17.11.

Publish Date: 2019-07-17

URL: CVE-2019-1010266

CVSS 3 Score Details (6.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1010266

Release Date: 2020-09-30

Fix Resolution (lodash): 4.17.11

Direct dependency fix Resolution (karma): 2.0.0

⛑️ Automatic Remediation is available for this issue

CVE-2018-3721

Vulnerable Library - lodash-3.10.1.tgz

The modern build of lodash modular utilities.

Library home page: https://registry.npmjs.org/lodash/-/lodash-3.10.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/karma-webpack/node_modules/lodash/package.json,/node_modules/sauce-connect-launcher/node_modules/lodash/package.json,/node_modules/karma/node_modules/lodash/package.json

Dependency Hierarchy:

  • karma-0.13.22.tgz (Root Library)
    • lodash-3.10.1.tgz (Vulnerable Library)

Found in HEAD commit: 79859a7465b541051407125fbc97d67425b33dc4

Found in base branch: master

Vulnerability Details

lodash node module before 4.17.5 suffers from a Modification of Assumed-Immutable Data (MAID) vulnerability via defaultsDeep, merge, and mergeWith functions, which allows a malicious user to modify the prototype of "Object" via proto, causing the addition or modification of an existing property that will exist on all objects.

Publish Date: 2018-06-07

URL: CVE-2018-3721

CVSS 3 Score Details (6.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: High
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2018-3721

Release Date: 2018-06-07

Fix Resolution (lodash): 4.17.5

Direct dependency fix Resolution (karma): 2.0.0

⛑️ Automatic Remediation is available for this issue

CVE-2020-7598

Vulnerable Library - minimist-0.0.10.tgz

parse argument options

Library home page: https://registry.npmjs.org/minimist/-/minimist-0.0.10.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/optimist/node_modules/minimist/package.json

Dependency Hierarchy:

  • karma-0.13.22.tgz (Root Library)
    • optimist-0.6.1.tgz
      • minimist-0.0.10.tgz (Vulnerable Library)

Found in HEAD commit: 79859a7465b541051407125fbc97d67425b33dc4

Found in base branch: master

Vulnerability Details

minimist before 1.2.2 could be tricked into adding or modifying properties of Object.prototype using a "constructor" or "proto" payload.

Publish Date: 2020-03-11

URL: CVE-2020-7598

CVSS 3 Score Details (5.6)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://github.com/substack/minimist/commit/63e7ed05aa4b1889ec2f3b196426db4500cbda94

Release Date: 2020-03-11

Fix Resolution (minimist): 0.2.1

Direct dependency fix Resolution (karma): 5.0.0

⛑️ Automatic Remediation is available for this issue

CVE-2018-16487

Vulnerable Library - lodash-3.10.1.tgz

The modern build of lodash modular utilities.

Library home page: https://registry.npmjs.org/lodash/-/lodash-3.10.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/karma-webpack/node_modules/lodash/package.json,/node_modules/sauce-connect-launcher/node_modules/lodash/package.json,/node_modules/karma/node_modules/lodash/package.json

Dependency Hierarchy:

  • karma-0.13.22.tgz (Root Library)
    • lodash-3.10.1.tgz (Vulnerable Library)

Found in HEAD commit: 79859a7465b541051407125fbc97d67425b33dc4

Found in base branch: master

Vulnerability Details

A prototype pollution vulnerability was found in lodash <4.17.11 where the functions merge, mergeWith, and defaultsDeep can be tricked into adding or modifying properties of Object.prototype.

Publish Date: 2019-02-01

URL: CVE-2018-16487

CVSS 3 Score Details (5.6)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-16487

Release Date: 2019-02-01

Fix Resolution (lodash): 4.17.11

Direct dependency fix Resolution (karma): 2.0.0

⛑️ Automatic Remediation is available for this issue

CVE-2022-21704

Vulnerable Library - log4js-0.6.38.tgz

Port of Log4js to work with node.

Library home page: https://registry.npmjs.org/log4js/-/log4js-0.6.38.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/log4js/package.json

Dependency Hierarchy:

  • karma-0.13.22.tgz (Root Library)
    • log4js-0.6.38.tgz (Vulnerable Library)

Found in HEAD commit: 79859a7465b541051407125fbc97d67425b33dc4

Found in base branch: master

Vulnerability Details

log4js-node is a port of log4js to node.js. In affected versions default file permissions for log files created by the file, fileSync and dateFile appenders are world-readable (in unix). This could cause problems if log files contain sensitive information. This would affect any users that have not supplied their own permissions for the files via the mode parameter in the config. Users are advised to update.

Publish Date: 2022-01-19

URL: CVE-2022-21704

CVSS 3 Score Details (5.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-82v2-mx6x-wq7q

Release Date: 2022-01-19

Fix Resolution: log4js - 6.4.0

CVE-2022-0437

Vulnerable Library - karma-0.13.22.tgz

Spectacular Test Runner for JavaScript.

Library home page: https://registry.npmjs.org/karma/-/karma-0.13.22.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/karma/package.json

Dependency Hierarchy:

  • karma-0.13.22.tgz (Vulnerable Library)

Found in HEAD commit: 79859a7465b541051407125fbc97d67425b33dc4

Found in base branch: master

Vulnerability Details

Cross-site Scripting (XSS) - DOM in NPM karma prior to 6.3.14.

Publish Date: 2022-02-05

URL: CVE-2022-0437

CVSS 3 Score Details (5.4)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2022-0437

Release Date: 2022-02-05

Fix Resolution: karma - v6.3.14

⛑️ Automatic Remediation is available for this issue

⛑️ Automatic Remediation is available for this issue.
@mend-for-github-com mend-for-github-com bot added the security vulnerability Security vulnerability detected by WhiteSource label Feb 8, 2022
@mend-for-github-com mend-for-github-com bot mentioned this issue Feb 8, 2022
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
security vulnerability Security vulnerability detected by WhiteSource
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
0 participants