Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

13 vulnerabilities in an indirect dependency uri-js #293

Open
josecelano opened this issue Jul 26, 2022 · 1 comment
Open

13 vulnerabilities in an indirect dependency uri-js #293

josecelano opened this issue Jul 26, 2022 · 1 comment
Labels
security

Comments

@josecelano
Copy link
Member

josecelano commented Jul 26, 2022
edited
Loading

ajv uses uri-js.

the new Megalinter linter Trivy found them.

Some of the vulnerabilities are already opened issues in the uri-js repo.

node_modules/uri-js/yarn.lock (yarn)
  ====================================
  Total: 13 (UNKNOWN: 0, LOW: 2, MEDIUM: 5, HIGH: 5, CRITICAL: 1)
  
  ┌─────────────┬─────────────────────┬──────────┬───────────────────┬────────────────────────────┬─────────────────────────────────────────────────────────────┐
  │   Library   │    Vulnerability    │ Severity │ Installed Version │       Fixed Version        │                            Title                            │
  ├─────────────┼─────────────────────┼──────────┼───────────────────┼────────────────────────────┼─────────────────────────────────────────────────────────────┤
  │ ansi-regex  │ CVE-2021-3807       │ HIGH     │ 3.0.03.0.1, 4.1.1, 5.0.1, 6.0.1 │ nodejs-ansi-regex: Regular expression denial of service     │
  │             │                     │          │                   │                            │ (ReDoS) matching ANSI escape codes                          │
  │             │                     │          │                   │                            │ https://avd.aquasec.com/nvd/cve-2021-3807                   │
  │             │                     │          ├───────────────────┤                            │                                                             │
  │             │                     │          │ 4.1.0             │                            │                                                             │
  │             │                     │          │                   │                            │                                                             │
  │             │                     │          │                   │                            │                                                             │
  ├─────────────┼─────────────────────┼──────────┼───────────────────┼────────────────────────────┼─────────────────────────────────────────────────────────────┤
  │ braces      │ CVE-2018-1109       │ LOW      │ 1.8.52.3.1                      │ nodejs-braces: Regular Expression Denial of Service (ReDoS) │
  │             │                     │          │                   │                            │ in lib/parsers.js                                           │
  │             │                     │          │                   │                            │ https://avd.aquasec.com/nvd/cve-2018-1109                   │
  ├─────────────┼─────────────────────┼──────────┼───────────────────┼────────────────────────────┼─────────────────────────────────────────────────────────────┤
  │ braces      │ GHSA-g95f-p29q-9xw4 │ LOW      │ 1.8.52.3.1                      │ Regular Expression Denial of Service in braces              │
  │             │                     │          │                   │                            │ https://github.com/advisories/GHSA-g95f-p29q-9xw4           │
  ├─────────────┼─────────────────────┼──────────┼───────────────────┼────────────────────────────┼─────────────────────────────────────────────────────────────┤
  │ glob-parent │ CVE-2020-28469      │ HIGH     │ 2.0.05.1.2                      │ nodejs-glob-parent: Regular expression denial of service    │
  │             │                     │          │                   │                            │ https://avd.aquasec.com/nvd/cve-2020-28469                  │
  ├─────────────┼─────────────────────┼──────────┼───────────────────┼────────────────────────────┼─────────────────────────────────────────────────────────────┤
  │ glob-parent │ CVE-2021-35065      │ MEDIUM   │ 2.0.05.1.2, 6.0.1               │ glob-parent before 6.0.1 and 5.1.2 vulnerable to Regular    │
  │             │                     │          │                   │                            │ Expression Denial of Service...                             │
  │             │                     │          │                   │                            │ https://avd.aquasec.com/nvd/cve-2021-35065                  │
  ├─────────────┼─────────────────────┼──────────┼───────────────────┼────────────────────────────┼─────────────────────────────────────────────────────────────┤
  │ glob-parent │ CVE-2020-28469      │ HIGH     │ 5.1.15.1.2                      │ nodejs-glob-parent: Regular expression denial of service    │
  │             │                     │          │                   │                            │ https://avd.aquasec.com/nvd/cve-2020-28469                  │
  ├─────────────┼─────────────────────┼──────────┼───────────────────┼────────────────────────────┼─────────────────────────────────────────────────────────────┤
  │ glob-parent │ CVE-2021-35065      │ MEDIUM   │ 5.1.15.1.2, 6.0.1               │ glob-parent before 6.0.1 and 5.1.2 vulnerable to Regular    │
  │             │                     │          │                   │                            │ Expression Denial of Service...                             │
  │             │                     │          │                   │                            │ https://avd.aquasec.com/nvd/cve-2021-35065                  │
  ├─────────────┼─────────────────────┼──────────┼───────────────────┼────────────────────────────┼─────────────────────────────────────────────────────────────┤
  │ lodash      │ CVE-2021-23337      │ HIGH     │ 4.17.204.17.21                    │ nodejs-lodash: command injection via template               │
  │             │                     │          │                   │                            │ https://avd.aquasec.com/nvd/cve-2021-23337                  │
  ├─────────────┼─────────────────────┼──────────┼───────────────────┼────────────────────────────┼─────────────────────────────────────────────────────────────┤
  │ lodash      │ CVE-2020-28500      │ MEDIUM   │ 4.17.204.17.21                    │ nodejs-lodash: ReDoS via the toNumber, trim and trimEnd     │
  │             │                     │          │                   │                            │ functions                                                   │
  │             │                     │          │                   │                            │ https://avd.aquasec.com/nvd/cve-2020-28500                  │
  ├─────────────┼─────────────────────┼──────────┼───────────────────┼────────────────────────────┼─────────────────────────────────────────────────────────────┤
  │ minimist    │ CVE-2021-44906      │ CRITICAL │ 1.2.51.2.6                      │ minimist: prototype pollution                               │
  │             │                     │          │                   │                            │ https://avd.aquasec.com/nvd/cve-2021-44906                  │
  ├─────────────┼─────────────────────┼──────────┼───────────────────┼────────────────────────────┼─────────────────────────────────────────────────────────────┤
  │ nanoid      │ CVE-2021-23566      │ MEDIUM   │ 3.1.123.1.31                     │ nanoid: Information disclosure via valueOf() function       │
  │             │                     │          │                   │                            │ https://avd.aquasec.com/nvd/cve-2021-23566                  │
  ├─────────────┼─────────────────────┼──────────┼───────────────────┼────────────────────────────┼─────────────────────────────────────────────────────────────┤
  │ path-parse  │ CVE-2021-23[343]    │ MEDIUM   │ 1.0.51.0.7                      │ nodejs-path-parse: ReDoS via splitDeviceRe, splitTailRe and │
  │             │                     │          │                   │                            │ splitPathRe                                                 │
  │             │                     │          │                   │                            │ https://avd.aquasec.com/nvd/cve-2021-23343                  │
  └─────────────┴─────────────────────┴──────────┴───────────────────┴────────────────────────────┴─────────────────────────────────────────────────────────────┘
@josecelano josecelano mentioned this issue Jul 26, 2022
Merged
josecelano added a commit to josecelano/git-queue that referenced this issue Jul 26, 2022
@josecelano
fix: [nautilus-cyberneering#287] disable megalinter tool Trivy
c33816e 
It shows some vulnerabilities we cannot fix immediately.
There is a transitive vulneravility.
I have created an issue:

nautilus-cyberneering#293
@Veerander
Copy link

I'm facing the same issue, when this will be resolved?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
security
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@josecelano @Veerander