Bulk vulnerability fix - Lockfile fix

[debricked-staging]

Bulk vulnerability fix - Lockfile fix

This pull request will update your transitive dependencies within the allowed version intervals provided by your direct dependencies.

Fixed vulnerabilities:

debricked–245

• Description

      No information

• CVSS details

      No information

• References

      security fix for 6.x versions · Issue #929 · acornjs/acorn · GitHub
      Regular Expression Denial of Service in Acorn · GHSA-6chw-6frg-f759 · GitHub Advisory Database · GitHub

debricked–124

• Description

  GitHub

  Regular Expression Denial of Service in Acorn

  Affected versions of acorn are vulnerable to Regular Expression Denial of Service.
  A regex in the form of /[x-\ud800]/u causes the parser to enter an infinite loop.
  The string is not valid UTF16 which usually results in it being sanitized before reaching the parser.
  If an application processes untrusted input and passes it directly to acorn,
  attackers may leverage the vulnerability leading to Denial of Service.

• CVSS details

      No information

• References

      Regular Expression Denial of Service in Acorn · GHSA-6chw-6frg-f759 · GitHub Advisory Database · GitHub
      security fix for 6.x versions · Issue #929 · acornjs/acorn · GitHub

CVE–2021–23362

• Description

  NVD

  The package hosted-git-info before 3.0.8 are vulnerable to Regular Expression Denial of Service (ReDoS) via shortcutMatch in fromUrl().

  GitHub

  Regular Expression Denial of Service in hosted-git-info

  The npm package hosted-git-info before 3.0.8 are vulnerable to Regular Expression Denial of Service (ReDoS) via regular expression shortcutMatch in the fromUrl function in index.js. The affected regular expression exhibits polynomial worst-case time complexity

• CVSS details - 5.3

   

  CVSS3 metrics
  Attack Vector	Network
  Attack Complexity	Low
  Privileges Required	None
  User interaction	None
  Scope	Unchanged
  Confidentiality	None
  Integrity	None
  Availability	Low

• References

      Commits · npm/hosted-git-info · GitHub
      fix: backport regex fix from #76 · npm/hosted-git-info@29adfe5 · GitHub
      chore(release): 2.8.9 · npm/hosted-git-info@8d4b369 · GitHub
      fix: simplify the regular expression for shortcut matching · npm/hosted-git-info@bede0dc · GitHub
      NVD - CVE-2021-23362
      Regular Expression Denial of Service in hosted-git-info · CVE-2021-23362 · GitHub Advisory Database · GitHub

CVE–2020–7597

• Description

  Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

  The software constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

  NVD

  codecov-node npm module before 3.6.5 allows remote attackers to execute arbitrary commands.The value provided as part of the gcov-root argument is executed by the exec function within lib/codecov.js. This vulnerability exists due to an incomplete fix of CVE-2020-7596.

  GitHub

  codecov NPM module allows remote attackers to execute arbitrary commands

  codecov-node npm module before 3.6.5 allows remote attackers to execute arbitrary commands.The value provided as part of the gcov-root argument is executed by the exec function within lib/codecov.js. This vulnerability exists due to an incomplete fix of CVE-2020-7596.

• CVSS details - 8.8

   

  CVSS3 metrics
  Attack Vector	Network
  Attack Complexity	Low
  Privileges Required	Low
  User interaction	None
  Scope	Unchanged
  Confidentiality	High
  Integrity	High
  Availability	High

• References

      [CE-1330] Escaping args (#167) · codecov/codecov-node@02cf13d · GitHub
      NVD - CVE-2020-7597
      codecov NPM module allows remote attackers to execute arbitrary commands · CVE-2020-7597 · GitHub Advisory Database · GitHub

CVE–2020–15123

• Description

  Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

  The software constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

  NVD

  In codecov (npm package) before version 3.7.1 the upload method has a command injection vulnerability. Clients of the codecov-node library are unlikely to be aware of this, so they might unwittingly write code that contains a vulnerability. A similar CVE (CVE-2020-7597 for GHSA-5q88-cjfq-g2mh) was issued but the fix was incomplete. It only blocked &, and command injection is still possible using backticks instead to bypass the sanitizer. The attack surface is low in this case. Particularly in the standard use of codecov, where the module is used directly in a build pipeline, not built against as a library in another application that may supply malicious input and perform command injection.

  GitHub

  Command injection in codecov (npm package)

  Impact

  The upload method has a command injection vulnerability. Clients of the codecov-node library are unlikely to be aware of this, so they might unwittingly write code that contains a vulnerability.

  A similar CVE was issued: CVE-2020-7597, but the fix was incomplete. It only blocked &, and command injection is still possible using backticks instead to bypass the sanitizer.

  We have written a CodeQL query, which automatically detects this vulnerability. You can see the results of the query on the codecov-node project here.

  Patches

  This has been patched in version 3.7.1

  Workarounds

  None, however, the attack surface is low in this case. Particularly in the standard use of codecov, where the module is used directly in a build pipeline, not built against as a library in another application that may supply malicious input and perform command injection.

  References

  • CVE-2020-7597

  For more information

  If you have any questions or comments about this advisory:

  • Contact us via our Security Email

• CVSS details - 9.3

   

  CVSS3 metrics
  Attack Vector	Network
  Attack Complexity	Low
  Privileges Required	None
  User interaction	Required
  Scope	Changed
  Confidentiality	High
  Integrity	High
  Availability	None

• References

      codecov NPM module allows remote attackers to execute arbitrary commands · CVE-2020-7597 · GitHub Advisory Database · GitHub
      Switch from execSync to execFileSync (#180) · codecov/codecov-node@c0711c6 · GitHub
      Switch from execSync to execFileSync by drazisil · Pull Request #180 · codecov/codecov-node · GitHub
      Command injection in upload method · Advisory · codecov/codecov-node · GitHub
      LGTM
      Command injection in codecov (npm package) · CVE-2020-15123 · GitHub Advisory Database · GitHub
      NVD - CVE-2020-15123

CVE–2019–20149

• Description

  Exposure of Resource to Wrong Sphere

  The product exposes a resource to the wrong control sphere, providing unintended actors with inappropriate access to the resource.

  NVD

  ctorName in index.js in kind-of v6.0.2 allows external user input to overwrite certain internal attributes via a conflicting name, as demonstrated by 'constructor': {'name':'Symbol'}. Hence, a crafted payload can overwrite this builtin attribute to manipulate the type detection result.

  GitHub

  Validation Bypass in kind-of

  Versions of kind-of 6.x prior to 6.0.3 are vulnerable to a Validation Bypass. A maliciously crafted object can alter the result of the type check, allowing attackers to bypass the type checking validation.

  Recommendation

  Upgrade to versions 6.0.3 or later.

• CVSS details - 7.5

   

  CVSS3 metrics
  Attack Vector	Network
  Attack Complexity	Low
  Privileges Required	None
  User interaction	None
  Scope	Unchanged
  Confidentiality	None
  Integrity	High
  Availability	None

• References

      type checking · Issue #30 · jonschlinkert/kind-of · GitHub
      fix type checking vul in ctorName by xiaofen9 · Pull Request #31 · jonschlinkert/kind-of · GitHub
      NVD - CVE-2019-20149
      Validation Bypass in kind-of · CVE-2019-20149 · GitHub Advisory Database · GitHub

CVE–2019–20922

• Description

  Loop with Unreachable Exit Condition ('Infinite Loop')

  The program contains an iteration or loop with an exit condition that cannot be reached, i.e., an infinite loop.

  NVD

  Handlebars before 4.4.5 allows Regular Expression Denial of Service (ReDoS) because of eager matching. The parser may be forced into an endless loop while processing crafted templates. This may allow attackers to exhaust system resources.

• CVSS details - 7.5

   

  CVSS3 metrics
  Attack Vector	Network
  Attack Complexity	Low
  Privileges Required	None
  User interaction	None
  Scope	Unchanged
  Confidentiality	None
  Integrity	None
  Availability	High

• References

      fix: non-eager matching raw-block-contents · handlebars-lang/handlebars.js@8d5530e · GitHub
      npm

CVE–2019–20920

• Description

  Improper Control of Generation of Code ('Code Injection')

  The software constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

  NVD

  Handlebars before 3.0.8 and 4.x before 4.5.3 is vulnerable to Arbitrary Code Execution. The lookup helper fails to properly validate templates, allowing attackers to submit templates that execute arbitrary JavaScript. This can be used to run arbitrary code on a server processing Handlebars templates or in a victim's browser (effectively serving as XSS).

• CVSS details - 8.1

   

  CVSS3 metrics
  Attack Vector	Network
  Attack Complexity	High
  Privileges Required	None
  User interaction	None
  Scope	Changed
  Confidentiality	High
  Integrity	Low
  Availability	Low

• References

      npm
      npm

CVE–2021–23369

• Description

  NVD

  The package handlebars before 4.7.7 are vulnerable to Remote Code Execution (RCE) when selecting certain compiling options to compile templates coming from an untrusted source.

  GitHub

  Remote code execution in handlebars when compiling templates

  The package handlebars before 4.7.7 are vulnerable to Remote Code Execution (RCE) when selecting certain compiling options to compile templates coming from an untrusted source.

• CVSS details - 9.8

   

  CVSS3 metrics
  Attack Vector	Network
  Attack Complexity	Low
  Privileges Required	None
  User interaction	None
  Scope	Unchanged
  Confidentiality	High
  Integrity	High
  Availability	High

• References

      CVE-2021-23369 Node.js Vulnerability in NetApp Products | NetApp Product Security
      fix: check prototype property access in strict-mode (#1736) · handlebars-lang/handlebars.js@b6d3de7 · GitHub
      fix: escape property names in compat mode (#1736) · handlebars-lang/handlebars.js@f058970 · GitHub

debricked–154311

• Description

      No information

• CVSS details

      No information

• References

      Skip sending the proxyReq event when the expect header is present by jsmylnycky · Pull Request #1447 · http-party/node-http-proxy · GitHub
      Denial of Service in http-proxy · GHSA-6x33-pw7p-hmpq · GitHub Advisory Database · GitHub

debricked–149740

• Description

  GitHub

  Denial of Service in http-proxy

  Versions of http-proxy prior to 1.18.1 are vulnerable to Denial of Service. An HTTP request with a long body triggers an ERR_HTTP_HEADERS_SENT unhandled exception that crashes the proxy server. This is only possible when the proxy server sets headers in the proxy request using the proxyReq.setHeader function.

  For a proxy server running on http://localhost:3000, the following curl request triggers the unhandled exception:
  curl -XPOST http://localhost:3000 -d "$(python -c 'print("x"*1025)')"

  Recommendation

  Upgrade to version 1.18.1 or later

• CVSS details

      No information

• References

      Denial of Service in http-proxy · GHSA-6x33-pw7p-hmpq · GitHub Advisory Database · GitHub
      Skip sending the proxyReq event when the expect header is present by jsmylnycky · Pull Request #1447 · http-party/node-http-proxy · GitHub

CVE–2019–10747

• Description

  Uncontrolled Resource Consumption

  The software does not properly control the allocation and maintenance of a limited resource thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources.

  NVD

  set-value is vulnerable to Prototype Pollution in versions lower than 3.0.1. The function mixin-deep could be tricked into adding or modifying properties of Object.prototype using any of the constructor, prototype and proto payloads.

  GitHub

  Prototype Pollution in set-value

  Versions of set-value prior to 3.0.1 or 2.0.1 are vulnerable to Prototype Pollution. The set function fails to validate which Object properties it updates. This allows attackers to modify the prototype of Object, causing the addition or modification of an existing property on all objects.

  Recommendation

  If you are using set-value 3.x, upgrade to version 3.0.1 or later.
  If you are using set-value 2.x, upgrade to version 2.0.1 or later.

• CVSS details - 9.8

   

  CVSS3 metrics
  Attack Vector	Network
  Attack Complexity	Low
  Privileges Required	None
  User interaction	None
  Scope	Unchanged
  Confidentiality	High
  Integrity	High
  Availability	High

• References

      Pony Mail!
      disallow proto keys · jonschlinkert/set-value@95e9d99 · GitHub
      [SECURITY] Fedora 30 Update: nodejs-set-value-2.0.1-1.fc30 - package-announce - Fedora Mailing-Lists
      GitHub - jonschlinkert/set-value: Set nested properties on an object using dot-notation.
      NVD - CVE-2019-10747
      [SECURITY] Fedora 31 Update: nodejs-set-value-2.0.1-1.fc31 - package-announce - Fedora Mailing-Lists
      Prototype Pollution in set-value · CVE-2019-10747 · GitHub Advisory Database · GitHub

CVE–2020–13822

• Description

  Integer Overflow or Wraparound

  The software performs a calculation that can produce an integer overflow or wraparound, when the logic assumes that the resulting value will always be larger than the original value. This can introduce other weaknesses when the calculation is used for resource management or execution control.

  NVD

  The Elliptic package 6.5.2 for Node.js allows ECDSA signature malleability via variations in encoding, leading '\0' bytes, or integer overflows. This could conceivably have a security-relevant impact if an application relied on a single canonical signature.

  GitHub

  Signature Malleabillity in elliptic

  The Elliptic package before version 6.5.3 for Node.js allows ECDSA signature malleability via variations in encoding, leading '\0' bytes, or integer overflows. This could conceivably have a security-relevant impact if an application relied on a single canonical signature.

• CVSS details - 7.7

   

  CVSS3 metrics
  Attack Vector	Network
  Attack Complexity	High
  Privileges Required	None
  User interaction	None
  Scope	Unchanged
  Confidentiality	High
  Integrity	High
  Availability	Low

• References

      Lack of encoding checks allows a certain degree of signature malleability in ECDSA signatures · Issue #226 · indutny/elliptic · GitHub
      Malleability-Attack: Why It Matters | by Herman Schoenfeld | Medium
      elliptic - npm
      How Not to Use ECDSA – Learning Words
      Signature Malleabillity in elliptic · CVE-2020-13822 · GitHub Advisory Database · GitHub
      NVD - CVE-2020-13822
      GitHub - indutny/elliptic: Fast Elliptic Curve Cryptography in plain javascript

CVE–2020–28498

• Description

  Use of a Broken or Risky Cryptographic Algorithm

  The use of a broken or risky cryptographic algorithm is an unnecessary risk that may result in the exposure of sensitive information.

  NVD

  All versions of package elliptic are vulnerable to Cryptographic Issues via the secp256k1 implementation in elliptic/ec/key.js. There is no check to confirm that the public key point passed into the derive function actually exists on the secp256k1 curve. This results in the potential for the private key used in this implementation to be revealed after a number of ECDH operations are performed.

  GitHub

  Use of a Broken or Risky Cryptographic Algorithm

  The npm package elliptic before version 6.5.4 are vulnerable to Cryptographic Issues via the secp256k1 implementation in elliptic/ec/key.js. There is no check to confirm that the public key point passed into the derive function actually exists on the secp256k1 curve. This results in the potential for the private key used in this implementation to be revealed after a number of ECDH operations are performed.

• CVSS details - 6.8

   

  CVSS3 metrics
  Attack Vector	Network
  Attack Complexity	High
  Privileges Required	None
  User interaction	None
  Scope	Changed
  Confidentiality	High
  Integrity	None
  Availability	None

• References

      blog/secp256k1_twist_attacks.md at master · christianlundkvist/blog · GitHub
      ec: validate that a point before deriving keys · indutny/elliptic@441b742 · GitHub
      Use of a Broken or Risky Cryptographic Algorithm · CVE-2020-28498 · GitHub Advisory Database · GitHub
      Private by kdenhartog · Pull Request #244 · indutny/elliptic · GitHub
      NVD - CVE-2020-28498

CVE–2020–7774

• Description

  Improper Input Validation

  The product does not validate or incorrectly validates input that can affect the control flow or data flow of a program.

  NVD

  This affects the package y18n before 5.0.5. PoC by po6ix: const y18n = require('y18n')(); y18n.setLocale('proto'); y18n.updateLocale({polluted: true}); console.log(polluted); // true

• CVSS details - 7.3

   

  CVSS3 metrics
  Attack Vector	Network
  Attack Complexity	Low
  Privileges Required	None
  User interaction	None
  Scope	Unchanged
  Confidentiality	Low
  Integrity	Low
  Availability	Low

• References

      Prototype pollution · Issue #96 · yargs/y18n · GitHub
      fix: address prototype pollution issue by bcoe · Pull Request #108 · yargs/y18n · GitHub
      Oracle Critical Patch Update Advisory - April 2021

CVE–2019–16769

• Description

  Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

  The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

  NVD

  Affected versions of this package are vulnerable to Cross-site Scripting (XSS). It does not properly mitigate against unsafe characters in serialized regular expressions. This vulnerability is not affected on Node.js environment since Node.js's implementation of RegExp.prototype.toString() backslash-escapes all forward slashes in regular expressions. If serialized data of regular expression objects are used in an environment other than Node.js, it is affected by this vulnerability.

  GitHub

  Cross-Site Scripting in serialize-javascript

  Versions of serialize-javascript prior to 2.1.1 are vulnerable to Cross-Site Scripting (XSS). The package fails to sanitize serialized regular expressions. This vulnerability does not affect Node.js applications.

  Recommendation

  Upgrade to version 2.1.1 or later.

• CVSS details - 5.4

   

  CVSS3 metrics
  Attack Vector	Network
  Attack Complexity	Low
  Privileges Required	Low
  User interaction	Required
  Scope	Changed
  Confidentiality	Low
  Integrity	Low
  Availability	None

• References

      regular expressions Cross-Site Scripting (XSS) vulnerability · Advisory · yahoo/serialize-javascript · GitHub
      NVD - CVE-2019-16769
      Cross-Site Scripting in serialize-javascript · CVE-2019-16769 · GitHub Advisory Database · GitHub

 

Related information

📌 Remember! Check the changes to ensure they don't introduce any breaking changes.
📚 Read more at Debricked