yarn-audit-known-issues
{
  "actions": [],
  "advisories": {
    "1099846": {
      "findings": [
        {
          "version": "0.6.0",
          "paths": ["express>cookie"]
        }
      ],
      "found_by": null,
      "deleted": null,
      "references": "- https://github.com/jshttp/cookie/security/advisories/GHSA-pxg6-pf52-xh8x\n- https://github.com/jshttp/cookie/pull/167\n- https://github.com/jshttp/cookie/commit/e10042845354fea83bd8f34af72475eed1dadf5c\n- https://github.com/advisories/GHSA-pxg6-pf52-xh8x",
      "created": "2024-10-04T20:31:00.000Z",
      "id": 1099846,
      "npm_advisory_id": null,
      "overview": "### Impact\n\nThe cookie name could be used to set other fields of the cookie, resulting in an unexpected cookie value. For example, `serialize(\"userName=<script>alert('XSS3')</script>; Max-Age=2592000; a\", value)` would result in `\"userName=<script>alert('XSS3')</script>; Max-Age=2592000; a=test\"`, setting `userName` cookie to `<script>` and ignoring `value`.\n\nA similar escape can be used for `path` and `domain`, which could be abused to alter other fields of the cookie.\n\n### Patches\n\nUpgrade to 0.7.0, which updates the validation for `name`, `path`, and `domain`.\n\n### Workarounds\n\nAvoid passing untrusted or arbitrary values for these fields, ensure they are set by the application instead of user input.\n\n### References\n\n* https://github.com/jshttp/cookie/pull/167",
      "reported_by": null,
      "title": "cookie accepts cookie name, path, and domain with out of bounds characters",
      "metadata": null,
      "cves": ["CVE-2024-47764"],
      "access": "public",
      "severity": "low",
      "module_name": "cookie",
      "vulnerable_versions": "<0.7.0",
      "github_advisory_id": "GHSA-pxg6-pf52-xh8x",
      "recommendation": "Upgrade to version 0.7.0 or later",
      "patched_versions": ">=0.7.0",
      "updated": "2024-10-04T20:31:01.000Z",
      "cvss": {"score": 0, "vectorString": null},
      "cwe": ["CWE-74"],
      "url": "https://github.com/advisories/GHSA-pxg6-pf52-xh8x"
    },
    "1100563": {
      "findings": [
        {
          "version": "7.0.3",
          "paths": ["cross-env>cross-spawn"]
        }
      ],
      "found_by": null,
      "deleted": null,
      "references": "- https://nvd.nist.gov/vuln/detail/CVE-2024-21538\n- https://github.com/moxystudio/node-cross-spawn/pull/160\n- https://github.com/moxystudio/node-cross-spawn/commit/5ff3a07d9add449021d806e45c4168203aa833ff\n- https://github.com/moxystudio/node-cross-spawn/commit/640d391fde65388548601d95abedccc12943374f\n- https://security.snyk.io/vuln/SNYK-JS-CROSSSPAWN-8303230\n- https://github.com/moxystudio/node-cross-spawn/issues/165\n- https://github.com/moxystudio/node-cross-spawn/commit/d35c865b877d2f9ded7c1ed87521c2fdb689c8dd\n- https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-8366349\n- https://github.com/advisories/GHSA-3xgq-45jj-v275",
      "created": "2024-11-08T06:30:47.000Z",
      "id": 1100563,
      "npm_advisory_id": null,
      "overview": "Versions of the package cross-spawn before 7.0.5 are vulnerable to Regular Expression Denial of Service (ReDoS) due to improper input sanitization. An attacker can increase the CPU usage and crash the program by crafting a very large and well crafted string.",
      "reported_by": null,
      "title": "Regular Expression Denial of Service (ReDoS) in cross-spawn",
      "metadata": null,
      "cves": ["CVE-2024-21538"],
      "access": "public",
      "severity": "high",
      "module_name": "cross-spawn",
      "vulnerable_versions": ">=7.0.0 <7.0.5",
      "github_advisory_id": "GHSA-3xgq-45jj-v275",
      "recommendation": "Upgrade to version 7.0.5 or later",
      "patched_versions": ">=7.0.5",
      "updated": "2024-11-19T16:19:50.000Z",
      "cvss": {"score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},
      "cwe": ["CWE-1333"],
      "url": "https://github.com/advisories/GHSA-3xgq-45jj-v275"
    }
  },
  "muted": [],
  "metadata": {
    "vulnerabilities": {"info": 0, "low": 1, "moderate": 0, "high": 1, "critical": 0},
    "dependencies": 203,
    "devDependencies": 0,
    "optionalDependencies": 0,
    "totalDependencies": 203
  }
}