Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

13 vulnerabilities in an indirect dependency uri-js #293

Open
josecelano opened this issue Jul 26, 2022 · 1 comment
Open

13 vulnerabilities in an indirect dependency uri-js #293

josecelano opened this issue Jul 26, 2022 · 1 comment
Labels

Comments

@josecelano
Copy link
Member

josecelano commented Jul 26, 2022

ajv uses uri-js.

the new Megalinter linter Trivy found them.

Some of the vulnerabilities are already opened issues in the uri-js repo.

node_modules/uri-js/yarn.lock (yarn)
  ====================================
  Total: 13 (UNKNOWN: 0, LOW: 2, MEDIUM: 5, HIGH: 5, CRITICAL: 1)
  
  ┌─────────────┬─────────────────────┬──────────┬───────────────────┬────────────────────────────┬─────────────────────────────────────────────────────────────┐
  │   Library   │    Vulnerability    │ Severity │ Installed Version │       Fixed Version        │                            Title                            │
  ├─────────────┼─────────────────────┼──────────┼───────────────────┼────────────────────────────┼─────────────────────────────────────────────────────────────┤
  │ ansi-regex  │ CVE-2021-3807       │ HIGH     │ 3.0.03.0.1, 4.1.1, 5.0.1, 6.0.1 │ nodejs-ansi-regex: Regular expression denial of service     │
  │             │                     │          │                   │                            │ (ReDoS) matching ANSI escape codes                          │
  │             │                     │          │                   │                            │ https://avd.aquasec.com/nvd/cve-2021-3807                   │
  │             │                     │          ├───────────────────┤                            │                                                             │
  │             │                     │          │ 4.1.0             │                            │                                                             │
  │             │                     │          │                   │                            │                                                             │
  │             │                     │          │                   │                            │                                                             │
  ├─────────────┼─────────────────────┼──────────┼───────────────────┼────────────────────────────┼─────────────────────────────────────────────────────────────┤
  │ braces      │ CVE-2018-1109       │ LOW      │ 1.8.52.3.1                      │ nodejs-braces: Regular Expression Denial of Service (ReDoS) │
  │             │                     │          │                   │                            │ in lib/parsers.js                                           │
  │             │                     │          │                   │                            │ https://avd.aquasec.com/nvd/cve-2018-1109                   │
  ├─────────────┼─────────────────────┼──────────┼───────────────────┼────────────────────────────┼─────────────────────────────────────────────────────────────┤
  │ braces      │ GHSA-g95f-p29q-9xw4 │ LOW      │ 1.8.52.3.1                      │ Regular Expression Denial of Service in braces              │
  │             │                     │          │                   │                            │ https://github.com/advisories/GHSA-g95f-p29q-9xw4           │
  ├─────────────┼─────────────────────┼──────────┼───────────────────┼────────────────────────────┼─────────────────────────────────────────────────────────────┤
  │ glob-parent │ CVE-2020-28469      │ HIGH     │ 2.0.05.1.2                      │ nodejs-glob-parent: Regular expression denial of service    │
  │             │                     │          │                   │                            │ https://avd.aquasec.com/nvd/cve-2020-28469                  │
  ├─────────────┼─────────────────────┼──────────┼───────────────────┼────────────────────────────┼─────────────────────────────────────────────────────────────┤
  │ glob-parent │ CVE-2021-35065      │ MEDIUM   │ 2.0.05.1.2, 6.0.1               │ glob-parent before 6.0.1 and 5.1.2 vulnerable to Regular    │
  │             │                     │          │                   │                            │ Expression Denial of Service...                             │
  │             │                     │          │                   │                            │ https://avd.aquasec.com/nvd/cve-2021-35065                  │
  ├─────────────┼─────────────────────┼──────────┼───────────────────┼────────────────────────────┼─────────────────────────────────────────────────────────────┤
  │ glob-parent │ CVE-2020-28469      │ HIGH     │ 5.1.15.1.2                      │ nodejs-glob-parent: Regular expression denial of service    │
  │             │                     │          │                   │                            │ https://avd.aquasec.com/nvd/cve-2020-28469                  │
  ├─────────────┼─────────────────────┼──────────┼───────────────────┼────────────────────────────┼─────────────────────────────────────────────────────────────┤
  │ glob-parent │ CVE-2021-35065      │ MEDIUM   │ 5.1.15.1.2, 6.0.1               │ glob-parent before 6.0.1 and 5.1.2 vulnerable to Regular    │
  │             │                     │          │                   │                            │ Expression Denial of Service...                             │
  │             │                     │          │                   │                            │ https://avd.aquasec.com/nvd/cve-2021-35065                  │
  ├─────────────┼─────────────────────┼──────────┼───────────────────┼────────────────────────────┼─────────────────────────────────────────────────────────────┤
  │ lodash      │ CVE-2021-23337      │ HIGH     │ 4.17.204.17.21                    │ nodejs-lodash: command injection via template               │
  │             │                     │          │                   │                            │ https://avd.aquasec.com/nvd/cve-2021-23337                  │
  ├─────────────┼─────────────────────┼──────────┼───────────────────┼────────────────────────────┼─────────────────────────────────────────────────────────────┤
  │ lodash      │ CVE-2020-28500      │ MEDIUM   │ 4.17.204.17.21                    │ nodejs-lodash: ReDoS via the toNumber, trim and trimEnd     │
  │             │                     │          │                   │                            │ functions                                                   │
  │             │                     │          │                   │                            │ https://avd.aquasec.com/nvd/cve-2020-28500                  │
  ├─────────────┼─────────────────────┼──────────┼───────────────────┼────────────────────────────┼─────────────────────────────────────────────────────────────┤
  │ minimist    │ CVE-2021-44906      │ CRITICAL │ 1.2.51.2.6                      │ minimist: prototype pollution                               │
  │             │                     │          │                   │                            │ https://avd.aquasec.com/nvd/cve-2021-44906                  │
  ├─────────────┼─────────────────────┼──────────┼───────────────────┼────────────────────────────┼─────────────────────────────────────────────────────────────┤
  │ nanoid      │ CVE-2021-23566      │ MEDIUM   │ 3.1.123.1.31                     │ nanoid: Information disclosure via valueOf() function       │
  │             │                     │          │                   │                            │ https://avd.aquasec.com/nvd/cve-2021-23566                  │
  ├─────────────┼─────────────────────┼──────────┼───────────────────┼────────────────────────────┼─────────────────────────────────────────────────────────────┤
  │ path-parse  │ CVE-2021-23[343]    │ MEDIUM   │ 1.0.51.0.7                      │ nodejs-path-parse: ReDoS via splitDeviceRe, splitTailRe and │
  │             │                     │          │                   │                            │ splitPathRe                                                 │
  │             │                     │          │                   │                            │ https://avd.aquasec.com/nvd/cve-2021-23343                  │
  └─────────────┴─────────────────────┴──────────┴───────────────────┴────────────────────────────┴─────────────────────────────────────────────────────────────┘
josecelano added a commit to josecelano/git-queue that referenced this issue Jul 26, 2022
It shows some vulnerabilities we cannot fix immediately.
There is a transitive vulneravility.
I have created an issue:

nautilus-cyberneering#293
@Veerander
Copy link

I'm facing the same issue, when this will be resolved?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Projects
None yet
Development

No branches or pull requests

2 participants