Giter Site home page Giter Site logo

alexrogalskiy / sputnik Goto Github PK

View Code? Open in Web Editor NEW
0.0 3.0 1.0 436 KB

πŸ›°οΈ Sputnik/Asteroid devbot platform

License: GNU General Public License v3.0

Shell 16.46% Vim Script 0.14% JavaScript 13.23% TypeScript 70.17%
sputnik sputnik-messenger asteroids

sputnik's Introduction

Sputnik

management: perfektπŸ‘Œ code style: prettier

GitHub tag (latest by date) GitHub Release Date Lines of code GitHub closed issues GitHub closed pull requests GitHub repo size GitHub last commit GitHub GitHub language count GitHub search hit counter GitHub Repository branches GitHub Repository dependents

DeepSource DeepScan grade Tokei Mergify Status Reviewed by Hound DOI dependencies Status devDependencies Status

License: MIT Issue Forks Stars code style Maintainability Total alerts Language grade: JavaScript

Renovatebot Dependabot NewReleases Hits-of-Code ComVer

codecov Build Status CI Commitizen friendly GitHub Super-Linter Mega-Linter BCH compliance

Gitpod Ready-to-Code Chat Open questions Open bugs

Table of contents

Description

Typescript Project Status: Active – The project has reached a stable, usable state and is being actively developed. Project created status Project updated status

Modular development bot platform for streaming and media communications.

Example

This is example of using Sputnik:

Result:

Visitor stats

GitHub page hits

GitHub stars GitHub forks GitHub watchers

Licensing

Sputnik is distributed under LGPL version 3 or later, [License]. LGPLv3 is additional permissions on top of GPLv3.

license

Authors

Sputnik is maintained by the following GitHub team-members:

  • Author

with community support please contact with us if you have some question or proposition.

Versioning

The project uses SemVer for versioning. For the versions available, see the tags on this repository.

Contribution

Contributors Display

Please read CONTRIBUTING.md for details on our code of conduct, and the process for submitting pull requests to us (emoji key).

This project follows the all-contributors specification. Contributions of any kind are welcome!

PRs Welcome Github contributors

See also the list of contributors who participated in this project.

Acknowledgement

Stargazers repo roster for @AlexRogalskiy/sputnik

Forks

Forkers repo roster for @AlexRogalskiy/sputnik

Issues

issuehunt-to-marktext

Team Tools

alt tag

Sputnik Team would like inform that JetBrains is helping by provided IDE to develop the application. Thanks to its support program for an Open Source projects!

Edit with Gitpod

Sputnik has experimental support for Gitpod, a pre-configured development environment that runs in your browser. To use Gitpod, click the button below and sign in with GitHub. Gitpod also offers a browser add-on, though it is not required.

OpenGraph Card

OpenGraph card

Development Support

Like Sputnik ? Consider buying me a coffee :)

Become a Patron Buy Me A Coffee KoFi

forthebadge forthebadge forthebadge

sputnik's People

Contributors

renovate-bot avatar renovate[bot] avatar

Watchers

avatar avatar avatar

sputnik's Issues

CVE-2015-9251 (Medium) detected in jquery-1.8.1.min.js, jquery-1.9.1.js

CVE-2015-9251 - Medium Severity Vulnerability

Vulnerable Libraries - jquery-1.8.1.min.js, jquery-1.9.1.js

jquery-1.8.1.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.8.1/jquery.min.js

Path to dependency file: sputnik/node_modules/redeyed/examples/browser/index.html

Path to vulnerable library: sputnik/node_modules/redeyed/examples/browser/index.html

Dependency Hierarchy:

  • ❌ jquery-1.8.1.min.js (Vulnerable Library)
jquery-1.9.1.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.9.1/jquery.js

Path to dependency file: sputnik/node_modules/tinygradient/bower_components/tinycolor/index.html

Path to vulnerable library: sputnik/node_modules/tinygradient/bower_components/tinycolor/demo/jquery-1.9.1.js

Dependency Hierarchy:

  • ❌ jquery-1.9.1.js (Vulnerable Library)

Found in HEAD commit: f41a0273dd446f2cf57ca79aaaf5dbbeebc78359

Vulnerability Details

jQuery before 3.0.0 is vulnerable to Cross-site Scripting (XSS) attacks when a cross-domain Ajax request is performed without the dataType option, causing text/javascript responses to be executed.

Publish Date: 2018-01-18

URL: CVE-2015-9251

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2015-9251

Release Date: 2018-01-18

Fix Resolution: jQuery - v3.0.0

Step up your Open Source Security Game with WhiteSource here

CVE-2020-7789 (Medium) detected in node-notifier-6.0.0.tgz

CVE-2020-7789 - Medium Severity Vulnerability

Vulnerable Library - node-notifier-6.0.0.tgz

A Node.js module for sending notifications on native Mac, Windows (post and pre 8) and Linux (or Growl as fallback)

Library home page: https://registry.npmjs.org/node-notifier/-/node-notifier-6.0.0.tgz

Path to dependency file: sputnik/package.json

Path to vulnerable library: sputnik/node_modules/tsdx/node_modules/node-notifier/package.json

Dependency Hierarchy:

  • tsdx-0.14.1.tgz (Root Library)
    • jest-25.5.4.tgz
      • core-25.5.4.tgz
        • reporters-25.5.1.tgz
          • ❌ node-notifier-6.0.0.tgz (Vulnerable Library)

Vulnerability Details

This affects the package node-notifier before 9.0.0. It allows an attacker to run arbitrary commands on Linux machines due to the options params not being sanitised when being passed an array.

Publish Date: 2020-12-11

URL: CVE-2020-7789

CVSS 3 Score Details (5.6)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7789

Release Date: 2020-12-11

Fix Resolution: 9.0.0

Step up your Open Source Security Game with WhiteSource here

CVE-2015-9251 (Medium) detected in jquery-1.9.1.js, jquery-1.8.1.min.js

CVE-2015-9251 - Medium Severity Vulnerability

Vulnerable Libraries - jquery-1.9.1.js, jquery-1.8.1.min.js

jquery-1.9.1.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.9.1/jquery.js

Path to dependency file: sputnik/node_modules/tinygradient/bower_components/tinycolor/index.html

Path to vulnerable library: sputnik/node_modules/tinygradient/bower_components/tinycolor/demo/jquery-1.9.1.js

Dependency Hierarchy:

  • ❌ jquery-1.9.1.js (Vulnerable Library)
jquery-1.8.1.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.8.1/jquery.min.js

Path to dependency file: sputnik/node_modules/redeyed/examples/browser/index.html

Path to vulnerable library: sputnik/node_modules/redeyed/examples/browser/index.html

Dependency Hierarchy:

  • ❌ jquery-1.8.1.min.js (Vulnerable Library)

Found in HEAD commit: 2e839f88bfb4b215ac54a4618832df56607f77b3

Found in base branch: master

Vulnerability Details

jQuery before 3.0.0 is vulnerable to Cross-site Scripting (XSS) attacks when a cross-domain Ajax request is performed without the dataType option, causing text/javascript responses to be executed.

Publish Date: 2018-01-18

URL: CVE-2015-9251

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2015-9251

Release Date: 2018-01-18

Fix Resolution: jQuery - v3.0.0

Step up your Open Source Security Game with WhiteSource here

CVE-2020-7774 (High) detected in y18n-4.0.0.tgz

CVE-2020-7774 - High Severity Vulnerability

Vulnerable Library - y18n-4.0.0.tgz

the bare-bones internationalization library used by yargs

Library home page: https://registry.npmjs.org/y18n/-/y18n-4.0.0.tgz

Path to dependency file: sputnik/package.json

Path to vulnerable library: sputnik/node_modules/npm/node_modules/y18n/package.json

Dependency Hierarchy:

  • npm-7.0.10.tgz (Root Library)
    • npm-6.14.11.tgz
      • libnpx-10.2.4.tgz
        • ❌ y18n-4.0.0.tgz (Vulnerable Library)

Found in HEAD commit: 160a6897f7ab4c245fb69270ea98cf1a04a452f5

Vulnerability Details

This affects the package y18n before 3.2.2, 4.0.1 and 5.0.5. PoC by po6ix: const y18n = require('y18n')(); y18n.setLocale('proto'); y18n.updateLocale({polluted: true}); console.log(polluted); // true

Publish Date: 2020-11-17

URL: CVE-2020-7774

CVSS 3 Score Details (7.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7774

Release Date: 2020-11-17

Fix Resolution: 5.0.5

Step up your Open Source Security Game with WhiteSource here

CVE-2020-7656 (Medium) detected in jquery-1.8.1.min.js

CVE-2020-7656 - Medium Severity Vulnerability

Vulnerable Library - jquery-1.8.1.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.8.1/jquery.min.js

Path to dependency file: sputnik/node_modules/redeyed/examples/browser/index.html

Path to vulnerable library: sputnik/node_modules/redeyed/examples/browser/index.html

Dependency Hierarchy:

  • ❌ jquery-1.8.1.min.js (Vulnerable Library)

Found in HEAD commit: 160a6897f7ab4c245fb69270ea98cf1a04a452f5

Vulnerability Details

jquery prior to 1.9.0 allows Cross-site Scripting attacks via the load method. The load method fails to recognize and remove "<script>" HTML tags that contain a whitespace character, i.e: "</script >", which results in the enclosed script logic to be executed.

Publish Date: 2020-05-19

URL: CVE-2020-7656

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: rails/jquery-rails@8f601cb

Release Date: 2020-05-19

Fix Resolution: jquery-rails - 2.2.0

Step up your Open Source Security Game with WhiteSource here

CVE-2020-7753 (High) detected in trim-0.0.1.tgz

CVE-2020-7753 - High Severity Vulnerability

Vulnerable Library - trim-0.0.1.tgz

Trim string whitespace

Library home page: https://registry.npmjs.org/trim/-/trim-0.0.1.tgz

Path to dependency file: sputnik/package.json

Path to vulnerable library: sputnik/node_modules/trim/package.json

Dependency Hierarchy:

  • remark-preset-davidtheclark-0.12.0.tgz (Root Library)
    • remark-cli-7.0.1.tgz
      • remark-11.0.2.tgz
        • remark-parse-7.0.2.tgz
          • ❌ trim-0.0.1.tgz (Vulnerable Library)

Vulnerability Details

All versions of package trim are vulnerable to Regular Expression Denial of Service (ReDoS) via trim().

Publish Date: 2020-10-27

URL: CVE-2020-7753

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Step up your Open Source Security Game with WhiteSource here

CVE-2020-11022 (Medium) detected in jquery-1.9.1.js, jquery-1.8.1.min.js

CVE-2020-11022 - Medium Severity Vulnerability

Vulnerable Libraries - jquery-1.9.1.js, jquery-1.8.1.min.js

jquery-1.9.1.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.9.1/jquery.js

Path to dependency file: sputnik/node_modules/tinygradient/bower_components/tinycolor/index.html

Path to vulnerable library: sputnik/node_modules/tinygradient/bower_components/tinycolor/demo/jquery-1.9.1.js

Dependency Hierarchy:

  • ❌ jquery-1.9.1.js (Vulnerable Library)
jquery-1.8.1.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.8.1/jquery.min.js

Path to dependency file: sputnik/node_modules/redeyed/examples/browser/index.html

Path to vulnerable library: sputnik/node_modules/redeyed/examples/browser/index.html

Dependency Hierarchy:

  • ❌ jquery-1.8.1.min.js (Vulnerable Library)

Vulnerability Details

In jQuery versions greater than or equal to 1.2 and before 3.5.0, passing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.

Publish Date: 2020-04-29

URL: CVE-2020-11022

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/

Release Date: 2020-04-29

Fix Resolution: jQuery - 3.5.0

Step up your Open Source Security Game with WhiteSource here

CVE-2012-6708 (Medium) detected in jquery-1.8.1.min.js

CVE-2012-6708 - Medium Severity Vulnerability

Vulnerable Library - jquery-1.8.1.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.8.1/jquery.min.js

Path to dependency file: sputnik/node_modules/redeyed/examples/browser/index.html

Path to vulnerable library: sputnik/node_modules/redeyed/examples/browser/index.html

Dependency Hierarchy:

  • ❌ jquery-1.8.1.min.js (Vulnerable Library)

Vulnerability Details

jQuery before 1.9.0 is vulnerable to Cross-site Scripting (XSS) attacks. The jQuery(strInput) function does not differentiate selectors from HTML in a reliable fashion. In vulnerable versions, jQuery determined whether the input was HTML by looking for the '<' character anywhere in the string, giving attackers more flexibility when attempting to construct a malicious payload. In fixed versions, jQuery only deems the input to be HTML if it explicitly starts with the '<' character, limiting exploitability only to attackers who can control the beginning of a string, which is far less common.

Publish Date: 2018-01-18

URL: CVE-2012-6708

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2012-6708

Release Date: 2018-01-18

Fix Resolution: jQuery - v1.9.0

Step up your Open Source Security Game with WhiteSource here

CVE-2020-7656 (Medium) detected in jquery-1.8.1.min.js

CVE-2020-7656 - Medium Severity Vulnerability

Vulnerable Library - jquery-1.8.1.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.8.1/jquery.min.js

Path to dependency file: sputnik/node_modules/redeyed/examples/browser/index.html

Path to vulnerable library: sputnik/node_modules/redeyed/examples/browser/index.html

Dependency Hierarchy:

  • ❌ jquery-1.8.1.min.js (Vulnerable Library)

Found in HEAD commit: f41a0273dd446f2cf57ca79aaaf5dbbeebc78359

Vulnerability Details

jquery prior to 1.9.0 allows Cross-site Scripting attacks via the load method. The load method fails to recognize and remove "<script>" HTML tags that contain a whitespace character, i.e: "</script >", which results in the enclosed script logic to be executed.

Publish Date: 2020-05-19

URL: CVE-2020-7656

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: rails/jquery-rails@8f601cb

Release Date: 2020-05-19

Fix Resolution: jquery-rails - 2.2.0

Step up your Open Source Security Game with WhiteSource here

WS-2020-0218 (High) detected in merge-1.2.1.tgz

WS-2020-0218 - High Severity Vulnerability

Vulnerable Library - merge-1.2.1.tgz

Merge multiple objects into one, optionally creating a new cloned object. Similar to the jQuery.extend but more flexible. Works in Node.js and the browser.

Library home page: https://registry.npmjs.org/merge/-/merge-1.2.1.tgz

Path to dependency file: sputnik/package.json

Path to vulnerable library: sputnik/node_modules/merge/package.json

Dependency Hierarchy:

  • cz-conventional-changelog-3.3.0.tgz (Root Library)
    • commitizen-4.2.3.tgz
      • find-node-modules-2.0.0.tgz
        • ❌ merge-1.2.1.tgz (Vulnerable Library)

Vulnerability Details

A Prototype Pollution vulnerability was found in merge before 2.1.0 via the merge.recursive function. It can be tricked into adding or modifying properties of the Object prototype. These properties will be present on all objects.

Publish Date: 2020-10-09

URL: WS-2020-0218

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: swordev/merge#38

Release Date: 2020-10-09

Fix Resolution: merge - 2.1.0

Step up your Open Source Security Game with WhiteSource here

CVE-2020-11023 (Medium) detected in jquery-1.8.1.min.js, jquery-1.9.1.js

CVE-2020-11023 - Medium Severity Vulnerability

Vulnerable Libraries - jquery-1.8.1.min.js, jquery-1.9.1.js

jquery-1.8.1.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.8.1/jquery.min.js

Path to dependency file: sputnik/node_modules/redeyed/examples/browser/index.html

Path to vulnerable library: sputnik/node_modules/redeyed/examples/browser/index.html

Dependency Hierarchy:

  • ❌ jquery-1.8.1.min.js (Vulnerable Library)
jquery-1.9.1.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.9.1/jquery.js

Path to dependency file: sputnik/node_modules/tinygradient/bower_components/tinycolor/index.html

Path to vulnerable library: sputnik/node_modules/tinygradient/bower_components/tinycolor/demo/jquery-1.9.1.js

Dependency Hierarchy:

  • ❌ jquery-1.9.1.js (Vulnerable Library)

Found in HEAD commit: f41a0273dd446f2cf57ca79aaaf5dbbeebc78359

Vulnerability Details

In jQuery versions greater than or equal to 1.0.3 and before 3.5.0, passing HTML containing elements from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.

Publish Date: 2020-04-29

URL: CVE-2020-11023

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11023

Release Date: 2020-04-29

Fix Resolution: jquery - 3.5.0

Step up your Open Source Security Game with WhiteSource here

CVE-2020-11022 (Medium) detected in jquery-1.9.1.js, jquery-1.8.1.min.js

CVE-2020-11022 - Medium Severity Vulnerability

Vulnerable Libraries - jquery-1.9.1.js, jquery-1.8.1.min.js

jquery-1.9.1.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.9.1/jquery.js

Path to dependency file: sputnik/node_modules/tinygradient/bower_components/tinycolor/index.html

Path to vulnerable library: sputnik/node_modules/tinygradient/bower_components/tinycolor/demo/jquery-1.9.1.js

Dependency Hierarchy:

  • ❌ jquery-1.9.1.js (Vulnerable Library)
jquery-1.8.1.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.8.1/jquery.min.js

Path to dependency file: sputnik/node_modules/redeyed/examples/browser/index.html

Path to vulnerable library: sputnik/node_modules/redeyed/examples/browser/index.html

Dependency Hierarchy:

  • ❌ jquery-1.8.1.min.js (Vulnerable Library)

Found in HEAD commit: 160a6897f7ab4c245fb69270ea98cf1a04a452f5

Vulnerability Details

In jQuery versions greater than or equal to 1.2 and before 3.5.0, passing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.

Publish Date: 2020-04-29

URL: CVE-2020-11022

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/

Release Date: 2020-04-29

Fix Resolution: jQuery - 3.5.0

Step up your Open Source Security Game with WhiteSource here

CVE-2012-6708 (Medium) detected in jquery-1.8.1.min.js

CVE-2012-6708 - Medium Severity Vulnerability

Vulnerable Library - jquery-1.8.1.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.8.1/jquery.min.js

Path to dependency file: sputnik/node_modules/redeyed/examples/browser/index.html

Path to vulnerable library: sputnik/node_modules/redeyed/examples/browser/index.html

Dependency Hierarchy:

  • ❌ jquery-1.8.1.min.js (Vulnerable Library)

Found in HEAD commit: 2e839f88bfb4b215ac54a4618832df56607f77b3

Found in base branch: master

Vulnerability Details

jQuery before 1.9.0 is vulnerable to Cross-site Scripting (XSS) attacks. The jQuery(strInput) function does not differentiate selectors from HTML in a reliable fashion. In vulnerable versions, jQuery determined whether the input was HTML by looking for the '<' character anywhere in the string, giving attackers more flexibility when attempting to construct a malicious payload. In fixed versions, jQuery only deems the input to be HTML if it explicitly starts with the '<' character, limiting exploitability only to attackers who can control the beginning of a string, which is far less common.

Publish Date: 2018-01-18

URL: CVE-2012-6708

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2012-6708

Release Date: 2018-01-18

Fix Resolution: jQuery - v1.9.0

Step up your Open Source Security Game with WhiteSource here

CVE-2021-27290 (High) detected in ssri-6.0.1.tgz

CVE-2021-27290 - High Severity Vulnerability

Vulnerable Library - ssri-6.0.1.tgz

Standard Subresource Integrity library -- parses, serializes, generates, and verifies integrity metadata according to the SRI spec.

Library home page: https://registry.npmjs.org/ssri/-/ssri-6.0.1.tgz

Path to dependency file: sputnik/package.json

Path to vulnerable library: sputnik/node_modules/npm/node_modules/ssri/package.json

Dependency Hierarchy:

  • npm-7.0.10.tgz (Root Library)
    • npm-6.14.11.tgz
      • ❌ ssri-6.0.1.tgz (Vulnerable Library)

Found in HEAD commit: f41a0273dd446f2cf57ca79aaaf5dbbeebc78359

Vulnerability Details

ssri 5.2.2-8.0.0, fixed in 8.0.1, processes SRIs using a regular expression which is vulnerable to a denial of service. Malicious SRIs could take an extremely long time to process, leading to denial of service. This issue only affects consumers using the strict option.

Publish Date: 2021-03-12

URL: CVE-2021-27290

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-27290

Release Date: 2021-03-12

Fix Resolution: v8.0.1

Step up your Open Source Security Game with WhiteSource here

CVE-2020-28499 (High) detected in merge-1.2.1.tgz

CVE-2020-28499 - High Severity Vulnerability

Vulnerable Library - merge-1.2.1.tgz

Merge multiple objects into one, optionally creating a new cloned object. Similar to the jQuery.extend but more flexible. Works in Node.js and the browser.

Library home page: https://registry.npmjs.org/merge/-/merge-1.2.1.tgz

Path to dependency file: sputnik/package.json

Path to vulnerable library: sputnik/node_modules/merge/package.json

Dependency Hierarchy:

  • cz-conventional-changelog-3.3.0.tgz (Root Library)
    • commitizen-4.2.3.tgz
      • find-node-modules-2.0.0.tgz
        • ❌ merge-1.2.1.tgz (Vulnerable Library)

Found in HEAD commit: 160a6897f7ab4c245fb69270ea98cf1a04a452f5

Vulnerability Details

All versions of package merge are vulnerable to Prototype Pollution via _recursiveMerge .

Publish Date: 2021-02-18

URL: CVE-2020-28499

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Step up your Open Source Security Game with WhiteSource here

CVE-2020-11023 (Medium) detected in jquery-1.9.1.js, jquery-1.8.1.min.js

CVE-2020-11023 - Medium Severity Vulnerability

Vulnerable Libraries - jquery-1.9.1.js, jquery-1.8.1.min.js

jquery-1.9.1.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.9.1/jquery.js

Path to dependency file: sputnik/node_modules/tinygradient/bower_components/tinycolor/index.html

Path to vulnerable library: sputnik/node_modules/tinygradient/bower_components/tinycolor/demo/jquery-1.9.1.js

Dependency Hierarchy:

  • ❌ jquery-1.9.1.js (Vulnerable Library)
jquery-1.8.1.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.8.1/jquery.min.js

Path to dependency file: sputnik/node_modules/redeyed/examples/browser/index.html

Path to vulnerable library: sputnik/node_modules/redeyed/examples/browser/index.html

Dependency Hierarchy:

  • ❌ jquery-1.8.1.min.js (Vulnerable Library)

Found in HEAD commit: 2e839f88bfb4b215ac54a4618832df56607f77b3

Found in base branch: master

Vulnerability Details

In jQuery versions greater than or equal to 1.0.3 and before 3.5.0, passing HTML containing elements from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.

Publish Date: 2020-04-29

URL: CVE-2020-11023

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11023

Release Date: 2020-04-29

Fix Resolution: jquery - 3.5.0

Step up your Open Source Security Game with WhiteSource here

CVE-2020-11023 (Medium) detected in jquery-1.9.1.js, jquery-1.8.1.min.js

CVE-2020-11023 - Medium Severity Vulnerability

Vulnerable Libraries - jquery-1.9.1.js, jquery-1.8.1.min.js

jquery-1.9.1.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.9.1/jquery.js

Path to dependency file: sputnik/node_modules/tinygradient/bower_components/tinycolor/index.html

Path to vulnerable library: sputnik/node_modules/tinygradient/bower_components/tinycolor/demo/jquery-1.9.1.js

Dependency Hierarchy:

  • ❌ jquery-1.9.1.js (Vulnerable Library)
jquery-1.8.1.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.8.1/jquery.min.js

Path to dependency file: sputnik/node_modules/redeyed/examples/browser/index.html

Path to vulnerable library: sputnik/node_modules/redeyed/examples/browser/index.html

Dependency Hierarchy:

  • ❌ jquery-1.8.1.min.js (Vulnerable Library)

Vulnerability Details

In jQuery versions greater than or equal to 1.0.3 and before 3.5.0, passing HTML containing elements from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.

Publish Date: 2020-04-29

URL: CVE-2020-11023

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11023

Release Date: 2020-04-29

Fix Resolution: jquery - 3.5.0

Step up your Open Source Security Game with WhiteSource here

CVE-2020-7774 (High) detected in y18n-4.0.0.tgz

CVE-2020-7774 - High Severity Vulnerability

Vulnerable Library - y18n-4.0.0.tgz

the bare-bones internationalization library used by yargs

Library home page: https://registry.npmjs.org/y18n/-/y18n-4.0.0.tgz

Path to dependency file: sputnik/package.json

Path to vulnerable library: sputnik/node_modules/npm/node_modules/y18n/package.json

Dependency Hierarchy:

  • npm-7.0.10.tgz (Root Library)
    • npm-6.14.11.tgz
      • libnpx-10.2.4.tgz
        • ❌ y18n-4.0.0.tgz (Vulnerable Library)

Found in HEAD commit: f41a0273dd446f2cf57ca79aaaf5dbbeebc78359

Vulnerability Details

This affects the package y18n before 3.2.2, 4.0.1 and 5.0.5. PoC by po6ix: const y18n = require('y18n')(); y18n.setLocale('proto'); y18n.updateLocale({polluted: true}); console.log(polluted); // true

Publish Date: 2020-11-17

URL: CVE-2020-7774

CVSS 3 Score Details (7.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7774

Release Date: 2020-11-17

Fix Resolution: 5.0.5

Step up your Open Source Security Game with WhiteSource here

CVE-2015-9251 (Medium) detected in jquery-1.9.1.js, jquery-1.8.1.min.js

CVE-2015-9251 - Medium Severity Vulnerability

Vulnerable Libraries - jquery-1.9.1.js, jquery-1.8.1.min.js

jquery-1.9.1.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.9.1/jquery.js

Path to dependency file: sputnik/node_modules/tinygradient/bower_components/tinycolor/index.html

Path to vulnerable library: sputnik/node_modules/tinygradient/bower_components/tinycolor/demo/jquery-1.9.1.js

Dependency Hierarchy:

  • ❌ jquery-1.9.1.js (Vulnerable Library)
jquery-1.8.1.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.8.1/jquery.min.js

Path to dependency file: sputnik/node_modules/redeyed/examples/browser/index.html

Path to vulnerable library: sputnik/node_modules/redeyed/examples/browser/index.html

Dependency Hierarchy:

  • ❌ jquery-1.8.1.min.js (Vulnerable Library)

Found in HEAD commit: 160a6897f7ab4c245fb69270ea98cf1a04a452f5

Vulnerability Details

jQuery before 3.0.0 is vulnerable to Cross-site Scripting (XSS) attacks when a cross-domain Ajax request is performed without the dataType option, causing text/javascript responses to be executed.

Publish Date: 2018-01-18

URL: CVE-2015-9251

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2015-9251

Release Date: 2018-01-18

Fix Resolution: jQuery - v3.0.0

Step up your Open Source Security Game with WhiteSource here

CVE-2020-11022 (Medium) detected in jquery-1.9.1.js, jquery-1.8.1.min.js

CVE-2020-11022 - Medium Severity Vulnerability

Vulnerable Libraries - jquery-1.9.1.js, jquery-1.8.1.min.js

jquery-1.9.1.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.9.1/jquery.js

Path to dependency file: sputnik/node_modules/tinygradient/bower_components/tinycolor/index.html

Path to vulnerable library: sputnik/node_modules/tinygradient/bower_components/tinycolor/demo/jquery-1.9.1.js

Dependency Hierarchy:

  • ❌ jquery-1.9.1.js (Vulnerable Library)
jquery-1.8.1.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.8.1/jquery.min.js

Path to dependency file: sputnik/node_modules/redeyed/examples/browser/index.html

Path to vulnerable library: sputnik/node_modules/redeyed/examples/browser/index.html

Dependency Hierarchy:

  • ❌ jquery-1.8.1.min.js (Vulnerable Library)

Found in HEAD commit: 2e839f88bfb4b215ac54a4618832df56607f77b3

Found in base branch: master

Vulnerability Details

In jQuery versions greater than or equal to 1.2 and before 3.5.0, passing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.

Publish Date: 2020-04-29

URL: CVE-2020-11022

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/

Release Date: 2020-04-29

Fix Resolution: jQuery - 3.5.0

Step up your Open Source Security Game with WhiteSource here

CVE-2019-11358 (Medium) detected in jquery-1.9.1.js

CVE-2019-11358 - Medium Severity Vulnerability

Vulnerable Library - jquery-1.9.1.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.9.1/jquery.js

Path to dependency file: sputnik/node_modules/tinygradient/bower_components/tinycolor/index.html

Path to vulnerable library: sputnik/node_modules/tinygradient/bower_components/tinycolor/demo/jquery-1.9.1.js

Dependency Hierarchy:

  • ❌ jquery-1.9.1.js (Vulnerable Library)

Found in HEAD commit: 160a6897f7ab4c245fb69270ea98cf1a04a452f5

Vulnerability Details

jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. If an unsanitized source object contained an enumerable proto property, it could extend the native Object.prototype.

Publish Date: 2019-04-20

URL: CVE-2019-11358

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11358

Release Date: 2019-04-20

Fix Resolution: 3.4.0

Step up your Open Source Security Game with WhiteSource here

CVE-2020-7598 (Medium) detected in minimist-0.1.0.tgz

CVE-2020-7598 - Medium Severity Vulnerability

Vulnerable Library - minimist-0.1.0.tgz

parse argument options

Library home page: https://registry.npmjs.org/minimist/-/minimist-0.1.0.tgz

Path to dependency file: sputnik/package.json

Path to vulnerable library: sputnik/node_modules/strong-log-transformer/node_modules/minimist/package.json

Dependency Hierarchy:

  • lerna-2.11.0.tgz (Root Library)
    • strong-log-transformer-1.0.6.tgz
      • ❌ minimist-0.1.0.tgz (Vulnerable Library)

Found in HEAD commit: 160a6897f7ab4c245fb69270ea98cf1a04a452f5

Vulnerability Details

minimist before 1.2.2 could be tricked into adding or modifying properties of Object.prototype using a "constructor" or "proto" payload.

Publish Date: 2020-03-11

URL: CVE-2020-7598

CVSS 3 Score Details (5.6)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://github.com/substack/minimist/commit/63e7ed05aa4b1889ec2f3b196426db4500cbda94

Release Date: 2020-03-11

Fix Resolution: minimist - 0.2.1,1.2.3

Step up your Open Source Security Game with WhiteSource here

CVE-2020-7753 (High) detected in trim-0.0.1.tgz

CVE-2020-7753 - High Severity Vulnerability

Vulnerable Library - trim-0.0.1.tgz

Trim string whitespace

Library home page: https://registry.npmjs.org/trim/-/trim-0.0.1.tgz

Path to dependency file: sputnik/package.json

Path to vulnerable library: sputnik/node_modules/trim/package.json

Dependency Hierarchy:

  • remark-preset-davidtheclark-0.12.0.tgz (Root Library)
    • remark-cli-7.0.1.tgz
      • remark-11.0.2.tgz
        • remark-parse-7.0.2.tgz
          • ❌ trim-0.0.1.tgz (Vulnerable Library)

Found in HEAD commit: 160a6897f7ab4c245fb69270ea98cf1a04a452f5

Vulnerability Details

All versions of package trim are vulnerable to Regular Expression Denial of Service (ReDoS) via trim().

Publish Date: 2020-10-27

URL: CVE-2020-7753

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Step up your Open Source Security Game with WhiteSource here

CVE-2020-7608 (Medium) detected in yargs-parser-7.0.0.tgz

CVE-2020-7608 - Medium Severity Vulnerability

Vulnerable Library - yargs-parser-7.0.0.tgz

the mighty option parser used by yargs

Library home page: https://registry.npmjs.org/yargs-parser/-/yargs-parser-7.0.0.tgz

Path to dependency file: sputnik/package.json

Path to vulnerable library: sputnik/node_modules/lerna/node_modules/yargs-parser/package.json

Dependency Hierarchy:

  • lerna-2.11.0.tgz (Root Library)
    • yargs-8.0.2.tgz
      • ❌ yargs-parser-7.0.0.tgz (Vulnerable Library)

Found in HEAD commit: 160a6897f7ab4c245fb69270ea98cf1a04a452f5

Vulnerability Details

yargs-parser could be tricked into adding or modifying properties of Object.prototype using a "proto" payload.

Publish Date: 2020-03-16

URL: CVE-2020-7608

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: yargs/yargs-parser@63810ca

Release Date: 2020-06-05

Fix Resolution: 5.0.1;13.1.2;15.0.1;18.1.1

Step up your Open Source Security Game with WhiteSource here

CVE-2019-11358 (Medium) detected in jquery-1.9.1.js

CVE-2019-11358 - Medium Severity Vulnerability

Vulnerable Library - jquery-1.9.1.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.9.1/jquery.js

Path to dependency file: sputnik/node_modules/tinygradient/bower_components/tinycolor/index.html

Path to vulnerable library: sputnik/node_modules/tinygradient/bower_components/tinycolor/demo/jquery-1.9.1.js

Dependency Hierarchy:

  • ❌ jquery-1.9.1.js (Vulnerable Library)

Vulnerability Details

jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. If an unsanitized source object contained an enumerable proto property, it could extend the native Object.prototype.

Publish Date: 2019-04-20

URL: CVE-2019-11358

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11358

Release Date: 2019-04-20

Fix Resolution: 3.4.0

Step up your Open Source Security Game with WhiteSource here

WS-2020-0218 (High) detected in merge-1.2.1.tgz

WS-2020-0218 - High Severity Vulnerability

Vulnerable Library - merge-1.2.1.tgz

Merge multiple objects into one, optionally creating a new cloned object. Similar to the jQuery.extend but more flexible. Works in Node.js and the browser.

Library home page: https://registry.npmjs.org/merge/-/merge-1.2.1.tgz

Path to dependency file: sputnik/package.json

Path to vulnerable library: sputnik/node_modules/merge/package.json

Dependency Hierarchy:

  • cz-conventional-changelog-3.3.0.tgz (Root Library)
    • commitizen-4.2.3.tgz
      • find-node-modules-2.0.0.tgz
        • ❌ merge-1.2.1.tgz (Vulnerable Library)

Found in HEAD commit: f41a0273dd446f2cf57ca79aaaf5dbbeebc78359

Vulnerability Details

A Prototype Pollution vulnerability was found in merge before 2.1.0 via the merge.recursive function. It can be tricked into adding or modifying properties of the Object prototype. These properties will be present on all objects.

Publish Date: 2020-10-09

URL: WS-2020-0218

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: swordev/merge#38

Release Date: 2020-10-09

Fix Resolution: merge - 2.1.0

Step up your Open Source Security Game with WhiteSource here

CVE-2012-6708 (Medium) detected in jquery-1.8.1.min.js

CVE-2012-6708 - Medium Severity Vulnerability

Vulnerable Library - jquery-1.8.1.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.8.1/jquery.min.js

Path to dependency file: sputnik/node_modules/redeyed/examples/browser/index.html

Path to vulnerable library: sputnik/node_modules/redeyed/examples/browser/index.html

Dependency Hierarchy:

  • ❌ jquery-1.8.1.min.js (Vulnerable Library)

Found in HEAD commit: 160a6897f7ab4c245fb69270ea98cf1a04a452f5

Vulnerability Details

jQuery before 1.9.0 is vulnerable to Cross-site Scripting (XSS) attacks. The jQuery(strInput) function does not differentiate selectors from HTML in a reliable fashion. In vulnerable versions, jQuery determined whether the input was HTML by looking for the '<' character anywhere in the string, giving attackers more flexibility when attempting to construct a malicious payload. In fixed versions, jQuery only deems the input to be HTML if it explicitly starts with the '<' character, limiting exploitability only to attackers who can control the beginning of a string, which is far less common.

Publish Date: 2018-01-18

URL: CVE-2012-6708

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2012-6708

Release Date: 2018-01-18

Fix Resolution: jQuery - v1.9.0

Step up your Open Source Security Game with WhiteSource here

CVE-2020-11023 (Medium) detected in jquery-1.9.1.js, jquery-1.8.1.min.js

CVE-2020-11023 - Medium Severity Vulnerability

Vulnerable Libraries - jquery-1.9.1.js, jquery-1.8.1.min.js

jquery-1.9.1.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.9.1/jquery.js

Path to dependency file: sputnik/node_modules/tinygradient/bower_components/tinycolor/index.html

Path to vulnerable library: sputnik/node_modules/tinygradient/bower_components/tinycolor/demo/jquery-1.9.1.js

Dependency Hierarchy:

  • ❌ jquery-1.9.1.js (Vulnerable Library)
jquery-1.8.1.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.8.1/jquery.min.js

Path to dependency file: sputnik/node_modules/redeyed/examples/browser/index.html

Path to vulnerable library: sputnik/node_modules/redeyed/examples/browser/index.html

Dependency Hierarchy:

  • ❌ jquery-1.8.1.min.js (Vulnerable Library)

Found in HEAD commit: 160a6897f7ab4c245fb69270ea98cf1a04a452f5

Vulnerability Details

In jQuery versions greater than or equal to 1.0.3 and before 3.5.0, passing HTML containing elements from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.

Publish Date: 2020-04-29

URL: CVE-2020-11023

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11023

Release Date: 2020-04-29

Fix Resolution: jquery - 3.5.0

Step up your Open Source Security Game with WhiteSource here

CVE-2015-9251 (Medium) detected in jquery-1.9.1.js, jquery-1.8.1.min.js

CVE-2015-9251 - Medium Severity Vulnerability

Vulnerable Libraries - jquery-1.9.1.js, jquery-1.8.1.min.js

jquery-1.9.1.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.9.1/jquery.js

Path to dependency file: sputnik/node_modules/tinygradient/bower_components/tinycolor/index.html

Path to vulnerable library: sputnik/node_modules/tinygradient/bower_components/tinycolor/demo/jquery-1.9.1.js

Dependency Hierarchy:

  • ❌ jquery-1.9.1.js (Vulnerable Library)
jquery-1.8.1.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.8.1/jquery.min.js

Path to dependency file: sputnik/node_modules/redeyed/examples/browser/index.html

Path to vulnerable library: sputnik/node_modules/redeyed/examples/browser/index.html

Dependency Hierarchy:

  • ❌ jquery-1.8.1.min.js (Vulnerable Library)

Vulnerability Details

jQuery before 3.0.0 is vulnerable to Cross-site Scripting (XSS) attacks when a cross-domain Ajax request is performed without the dataType option, causing text/javascript responses to be executed.

Publish Date: 2018-01-18

URL: CVE-2015-9251

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2015-9251

Release Date: 2018-01-18

Fix Resolution: jQuery - v3.0.0

Step up your Open Source Security Game with WhiteSource here

CVE-2020-7656 (Medium) detected in jquery-1.8.1.min.js

CVE-2020-7656 - Medium Severity Vulnerability

Vulnerable Library - jquery-1.8.1.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.8.1/jquery.min.js

Path to dependency file: sputnik/node_modules/redeyed/examples/browser/index.html

Path to vulnerable library: sputnik/node_modules/redeyed/examples/browser/index.html

Dependency Hierarchy:

  • ❌ jquery-1.8.1.min.js (Vulnerable Library)

Vulnerability Details

jquery prior to 1.9.0 allows Cross-site Scripting attacks via the load method. The load method fails to recognize and remove "<script>" HTML tags that contain a whitespace character, i.e: "</script >", which results in the enclosed script logic to be executed.

Publish Date: 2020-05-19

URL: CVE-2020-7656

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: rails/jquery-rails@8f601cb

Release Date: 2020-05-19

Fix Resolution: jquery-rails - 2.2.0

Step up your Open Source Security Game with WhiteSource here

CVE-2021-27290 (High) detected in ssri-6.0.1.tgz

CVE-2021-27290 - High Severity Vulnerability

Vulnerable Library - ssri-6.0.1.tgz

Standard Subresource Integrity library -- parses, serializes, generates, and verifies integrity metadata according to the SRI spec.

Library home page: https://registry.npmjs.org/ssri/-/ssri-6.0.1.tgz

Path to dependency file: sputnik/package.json

Path to vulnerable library: sputnik/node_modules/npm/node_modules/ssri/package.json

Dependency Hierarchy:

  • npm-7.0.10.tgz (Root Library)
    • npm-6.14.11.tgz
      • ❌ ssri-6.0.1.tgz (Vulnerable Library)

Found in HEAD commit: 160a6897f7ab4c245fb69270ea98cf1a04a452f5

Vulnerability Details

ssri 5.2.2-8.0.0, fixed in 8.0.1, processes SRIs using a regular expression which is vulnerable to a denial of service. Malicious SRIs could take an extremely long time to process, leading to denial of service. This issue only affects consumers using the strict option.

Publish Date: 2021-03-12

URL: CVE-2021-27290

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-27290

Release Date: 2021-03-12

Fix Resolution: v8.0.1

Step up your Open Source Security Game with WhiteSource here

CVE-2020-11022 (Medium) detected in jquery-1.8.1.min.js, jquery-1.9.1.js

CVE-2020-11022 - Medium Severity Vulnerability

Vulnerable Libraries - jquery-1.8.1.min.js, jquery-1.9.1.js

jquery-1.8.1.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.8.1/jquery.min.js

Path to dependency file: sputnik/node_modules/redeyed/examples/browser/index.html

Path to vulnerable library: sputnik/node_modules/redeyed/examples/browser/index.html

Dependency Hierarchy:

  • ❌ jquery-1.8.1.min.js (Vulnerable Library)
jquery-1.9.1.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.9.1/jquery.js

Path to dependency file: sputnik/node_modules/tinygradient/bower_components/tinycolor/index.html

Path to vulnerable library: sputnik/node_modules/tinygradient/bower_components/tinycolor/demo/jquery-1.9.1.js

Dependency Hierarchy:

  • ❌ jquery-1.9.1.js (Vulnerable Library)

Found in HEAD commit: f41a0273dd446f2cf57ca79aaaf5dbbeebc78359

Vulnerability Details

In jQuery versions greater than or equal to 1.2 and before 3.5.0, passing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.

Publish Date: 2020-04-29

URL: CVE-2020-11022

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/

Release Date: 2020-04-29

Fix Resolution: jQuery - 3.5.0

Step up your Open Source Security Game with WhiteSource here

CVE-2019-11358 (Medium) detected in jquery-1.9.1.js

CVE-2019-11358 - Medium Severity Vulnerability

Vulnerable Library - jquery-1.9.1.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.9.1/jquery.js

Path to dependency file: sputnik/node_modules/tinygradient/bower_components/tinycolor/index.html

Path to vulnerable library: sputnik/node_modules/tinygradient/bower_components/tinycolor/demo/jquery-1.9.1.js

Dependency Hierarchy:

  • ❌ jquery-1.9.1.js (Vulnerable Library)

Found in HEAD commit: 2e839f88bfb4b215ac54a4618832df56607f77b3

Found in base branch: master

Vulnerability Details

jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. If an unsanitized source object contained an enumerable proto property, it could extend the native Object.prototype.

Publish Date: 2019-04-20

URL: CVE-2019-11358

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11358

Release Date: 2019-04-20

Fix Resolution: 3.4.0

Step up your Open Source Security Game with WhiteSource here

CVE-2020-7608 (Medium) detected in yargs-parser-7.0.0.tgz

CVE-2020-7608 - Medium Severity Vulnerability

Vulnerable Library - yargs-parser-7.0.0.tgz

the mighty option parser used by yargs

Library home page: https://registry.npmjs.org/yargs-parser/-/yargs-parser-7.0.0.tgz

Path to dependency file: sputnik/package.json

Path to vulnerable library: sputnik/node_modules/lerna/node_modules/yargs-parser/package.json

Dependency Hierarchy:

  • lerna-2.11.0.tgz (Root Library)
    • yargs-8.0.2.tgz
      • ❌ yargs-parser-7.0.0.tgz (Vulnerable Library)

Found in HEAD commit: 2e839f88bfb4b215ac54a4618832df56607f77b3

Found in base branch: master

Vulnerability Details

yargs-parser could be tricked into adding or modifying properties of Object.prototype using a "proto" payload.

Publish Date: 2020-03-16

URL: CVE-2020-7608

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: yargs/yargs-parser@63810ca

Release Date: 2020-06-05

Fix Resolution: 5.0.1;13.1.2;15.0.1;18.1.1

Step up your Open Source Security Game with WhiteSource here

CVE-2020-28499 (High) detected in merge-1.2.1.tgz

CVE-2020-28499 - High Severity Vulnerability

Vulnerable Library - merge-1.2.1.tgz

Merge multiple objects into one, optionally creating a new cloned object. Similar to the jQuery.extend but more flexible. Works in Node.js and the browser.

Library home page: https://registry.npmjs.org/merge/-/merge-1.2.1.tgz

Path to dependency file: sputnik/package.json

Path to vulnerable library: sputnik/node_modules/merge/package.json

Dependency Hierarchy:

  • cz-conventional-changelog-3.3.0.tgz (Root Library)
    • commitizen-4.2.3.tgz
      • find-node-modules-2.0.0.tgz
        • ❌ merge-1.2.1.tgz (Vulnerable Library)

Vulnerability Details

All versions of package merge are vulnerable to Prototype Pollution via _recursiveMerge .

Publish Date: 2021-02-18

URL: CVE-2020-28499

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Step up your Open Source Security Game with WhiteSource here

WS-2019-0307 (Medium) detected in mem-1.1.0.tgz

WS-2019-0307 - Medium Severity Vulnerability

Vulnerable Library - mem-1.1.0.tgz

Memoize functions - An optimization used to speed up consecutive function calls by caching the result of calls with identical input

Library home page: https://registry.npmjs.org/mem/-/mem-1.1.0.tgz

Path to dependency file: sputnik/package.json

Path to vulnerable library: sputnik/node_modules/mem/package.json

Dependency Hierarchy:

  • lerna-2.11.0.tgz (Root Library)
    • yargs-8.0.2.tgz
      • os-locale-2.1.0.tgz
        • ❌ mem-1.1.0.tgz (Vulnerable Library)

Found in HEAD commit: 2e839f88bfb4b215ac54a4618832df56607f77b3

Found in base branch: master

Vulnerability Details

In 'mem' before v4.0.0 there is a Denial of Service (DoS) vulnerability as a result of a failure in removal old values from the cache.

Publish Date: 2018-08-27

URL: WS-2019-0307

CVSS 3 Score Details (5.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: None
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/1084

Release Date: 2019-12-01

Fix Resolution: mem - 4.0.0

Step up your Open Source Security Game with WhiteSource here

CVE-2021-27290 (High) detected in ssri-6.0.1.tgz

CVE-2021-27290 - High Severity Vulnerability

Vulnerable Library - ssri-6.0.1.tgz

Standard Subresource Integrity library -- parses, serializes, generates, and verifies integrity metadata according to the SRI spec.

Library home page: https://registry.npmjs.org/ssri/-/ssri-6.0.1.tgz

Path to dependency file: sputnik/package.json

Path to vulnerable library: sputnik/node_modules/npm/node_modules/ssri/package.json

Dependency Hierarchy:

  • npm-7.0.10.tgz (Root Library)
    • npm-6.14.11.tgz
      • ❌ ssri-6.0.1.tgz (Vulnerable Library)

Vulnerability Details

ssri 5.2.2-8.0.0, fixed in 8.0.1, processes SRIs using a regular expression which is vulnerable to a denial of service. Malicious SRIs could take an extremely long time to process, leading to denial of service. This issue only affects consumers using the strict option.

Publish Date: 2021-03-12

URL: CVE-2021-27290

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-27290

Release Date: 2021-03-12

Fix Resolution: v8.0.1

Step up your Open Source Security Game with WhiteSource here

CVE-2020-28499 (High) detected in merge-1.2.1.tgz

CVE-2020-28499 - High Severity Vulnerability

Vulnerable Library - merge-1.2.1.tgz

Merge multiple objects into one, optionally creating a new cloned object. Similar to the jQuery.extend but more flexible. Works in Node.js and the browser.

Library home page: https://registry.npmjs.org/merge/-/merge-1.2.1.tgz

Path to dependency file: sputnik/package.json

Path to vulnerable library: sputnik/node_modules/merge/package.json

Dependency Hierarchy:

  • cz-conventional-changelog-3.3.0.tgz (Root Library)
    • commitizen-4.2.3.tgz
      • find-node-modules-2.0.0.tgz
        • ❌ merge-1.2.1.tgz (Vulnerable Library)

Found in HEAD commit: 2e839f88bfb4b215ac54a4618832df56607f77b3

Found in base branch: master

Vulnerability Details

All versions of package merge are vulnerable to Prototype Pollution via _recursiveMerge .

Publish Date: 2021-02-18

URL: CVE-2020-28499

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Step up your Open Source Security Game with WhiteSource here

WS-2019-0307 (Medium) detected in mem-1.1.0.tgz

WS-2019-0307 - Medium Severity Vulnerability

Vulnerable Library - mem-1.1.0.tgz

Memoize functions - An optimization used to speed up consecutive function calls by caching the result of calls with identical input

Library home page: https://registry.npmjs.org/mem/-/mem-1.1.0.tgz

Path to dependency file: sputnik/package.json

Path to vulnerable library: sputnik/node_modules/mem/package.json

Dependency Hierarchy:

  • lerna-2.11.0.tgz (Root Library)
    • yargs-8.0.2.tgz
      • os-locale-2.1.0.tgz
        • ❌ mem-1.1.0.tgz (Vulnerable Library)

Found in HEAD commit: 160a6897f7ab4c245fb69270ea98cf1a04a452f5

Vulnerability Details

In 'mem' before v4.0.0 there is a Denial of Service (DoS) vulnerability as a result of a failure in removal old values from the cache.

Publish Date: 2018-08-27

URL: WS-2019-0307

CVSS 3 Score Details (5.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: None
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/1084

Release Date: 2019-12-01

Fix Resolution: mem - 4.0.0

Step up your Open Source Security Game with WhiteSource here

CVE-2021-27290 (High) detected in ssri-6.0.1.tgz

CVE-2021-27290 - High Severity Vulnerability

Vulnerable Library - ssri-6.0.1.tgz

Standard Subresource Integrity library -- parses, serializes, generates, and verifies integrity metadata according to the SRI spec.

Library home page: https://registry.npmjs.org/ssri/-/ssri-6.0.1.tgz

Path to dependency file: sputnik/package.json

Path to vulnerable library: sputnik/node_modules/npm/node_modules/ssri/package.json

Dependency Hierarchy:

  • npm-7.0.10.tgz (Root Library)
    • npm-6.14.11.tgz
      • ❌ ssri-6.0.1.tgz (Vulnerable Library)

Found in HEAD commit: 2e839f88bfb4b215ac54a4618832df56607f77b3

Found in base branch: master

Vulnerability Details

ssri 5.2.2-8.0.0, fixed in 8.0.1, processes SRIs using a regular expression which is vulnerable to a denial of service. Malicious SRIs could take an extremely long time to process, leading to denial of service. This issue only affects consumers using the strict option.

Publish Date: 2021-03-12

URL: CVE-2021-27290

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-27290

Release Date: 2021-03-12

Fix Resolution: v8.0.1

Step up your Open Source Security Game with WhiteSource here

CVE-2012-6708 (Medium) detected in jquery-1.8.1.min.js

CVE-2012-6708 - Medium Severity Vulnerability

Vulnerable Library - jquery-1.8.1.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.8.1/jquery.min.js

Path to dependency file: sputnik/node_modules/redeyed/examples/browser/index.html

Path to vulnerable library: sputnik/node_modules/redeyed/examples/browser/index.html

Dependency Hierarchy:

  • ❌ jquery-1.8.1.min.js (Vulnerable Library)

Found in HEAD commit: f41a0273dd446f2cf57ca79aaaf5dbbeebc78359

Vulnerability Details

jQuery before 1.9.0 is vulnerable to Cross-site Scripting (XSS) attacks. The jQuery(strInput) function does not differentiate selectors from HTML in a reliable fashion. In vulnerable versions, jQuery determined whether the input was HTML by looking for the '<' character anywhere in the string, giving attackers more flexibility when attempting to construct a malicious payload. In fixed versions, jQuery only deems the input to be HTML if it explicitly starts with the '<' character, limiting exploitability only to attackers who can control the beginning of a string, which is far less common.

Publish Date: 2018-01-18

URL: CVE-2012-6708

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2012-6708

Release Date: 2018-01-18

Fix Resolution: jQuery - v1.9.0

Step up your Open Source Security Game with WhiteSource here

Dependency Dashboard

This issue lists Renovate updates and detected dependencies. Read the Dependency Dashboard docs to learn more.

Awaiting Schedule

These updates are awaiting their schedule. Click on a checkbox to get an update now.

  • ⬆️ Lock file maintenance

Edited/Blocked

These updates have been manually edited so Renovate will no longer make changes. To discard all commits and start over, click on a checkbox.

Open

These updates have all been created already. Click a checkbox below to force a retry/rebase of any.

Detected dependencies

dockerfile
.gitpod.Dockerfile
github-actions
.github/workflows/add-labels.yml
.github/workflows/auto-merge.yml
  • ahmadnassri/action-dependabot-auto-merge v2.3
.github/workflows/backport.yml
  • tibdex/backport v1
  • ubuntu 18.04
.github/workflows/broken-links.yml
  • actions/checkout v2
  • actions/setup-node v2.1.4
.github/workflows/build.yml
  • actions/checkout v2
  • actions/setup-node v1
  • actions/cache v2
  • codecov/codecov-action v1
.github/workflows/changelog.yml
  • ruby/setup-ruby v1
  • actions/cache v2
.github/workflows/check-urls.yml
  • actions/checkout v2
  • trilom/file-changes-action v1.2.4
  • ruby/setup-ruby v1
  • actions/upload-artifact v2
.github/workflows/claim.yml
  • actions/github-script v3.1
.github/workflows/cleanup.yml
  • kolpav/purge-artifacts-action v1
.github/workflows/close-pending.yml
.github/workflows/close_pr.yml
  • superbrothers/close-pull-request v2
  • actions/github v1.0.0
.github/workflows/closing.yml
  • peter-evans/create-or-update-comment v1
  • peter-evans/create-or-update-comment v1
  • ubuntu 18.04
.github/workflows/codeowners-merge.yml
  • actions/checkout v1
  • OSS-Docs-Tools/code-owner-self-merge v1
.github/workflows/codeql-analysis.yml
  • actions/checkout v2
  • github/codeql-action v1
  • github/codeql-action v1
  • github/codeql-action v1
.github/workflows/codespell.yaml
  • actions/checkout v2
.github/workflows/comment_on_issue.yml
  • actions/github-script v3.1
.github/workflows/commitlint.yml
  • actions/checkout v2
  • wagoid/commitlint-github-action v2.1.7
.github/workflows/dependabot-validate.yml
  • actions/checkout v2
  • marocchino/validate-dependabot v1
  • marocchino/sticky-pull-request-comment v2
.github/workflows/label-sponsors.yml
  • JasonEtco/is-sponsor-label-action v1
.github/workflows/labels.yml
  • lannonbr/issue-label-manager-action 2.0.0
.github/workflows/labels2.yml
  • actions/checkout v2
  • crazy-max/ghaction-github-labeler v3
.github/workflows/linter.yml
  • actions/checkout v2
  • github/super-linter v3
.github/workflows/lock.yml
  • dessant/lock-threads v2.0.3
.github/workflows/markdown-lint.yml
  • actions/checkout v2
  • actions/setup-node v2
.github/workflows/mega-linter.yml
  • actions/checkout v2
  • nvuillam/mega-linter v4
  • actions/upload-artifact v2
  • peter-evans/create-pull-request v3
  • stefanzweifel/git-auto-commit-action v4
.github/workflows/modified_files.yml
  • actions/checkout v2
  • trilom/file-changes-action v1.0.0
  • lucaspinheirogit/list-from-string-array-action v1.4.3
.github/workflows/opengraph-card.yml
  • actions/checkout v2
  • stefanzweifel/git-auto-commit-action v4
.github/workflows/pr-helper.yml
  • Matticusau/pr-helper v1.3.3
.github/workflows/preview.yml
  • actions/checkout v2
  • actions/setup-node v2.1.4
  • actions/cache v2.1.4
  • 8398a7/action-slack v3
.github/workflows/project-card-moved.yml
  • technote-space/auto-card-labeler v1
.github/workflows/pull_request.yml
  • kentaro-m/auto-assign-action v1.1.2
.github/workflows/release-changelog.yml
.github/workflows/release-drafter.yml
  • release-drafter/release-drafter v5.7.0
.github/workflows/release-semantic.yml
  • actions/checkout v2
  • actions/setup-node v2
  • actions/cache v1
.github/workflows/release.yml
  • actions/checkout v2
  • haya14busa/action-bumpr v1
  • haya14busa/action-update-semver v1
  • haya14busa/action-cond v1
  • actions/create-release v1
  • actions/checkout v2
  • haya14busa/action-bumpr v1
.github/workflows/remove-labels.yml
  • mondeja/remove-labels-gh-action v1.0.0
  • mondeja/remove-labels-gh-action v1.0.0
  • mondeja/remove-labels-gh-action v1.0.0
.github/workflows/reviewdog.yml
  • actions/checkout v2
  • prologic/action-remark-lint v2
.github/workflows/set-milestone-on-pr.yml
  • actions/checkout v2
  • actions/github-script v3
  • ubuntu 20.04
.github/workflows/shiftleft-analysis.yml
  • actions/checkout v1
  • github/codeql-action v1
.github/workflows/spellcheck.yml
.github/workflows/stale.yml
  • actions/stale v3
.github/workflows/toc.yml
  • actions/checkout v2
  • stefanzweifel/git-auto-commit-action v4
.github/workflows/unlock-reopened-issues.yml
  • Dunning-Kruger/unlock-issues v1.1
.github/workflows/verify-license.yml
  • actions/checkout v2
.github/workflows/version-update.yml
  • actions/checkout v2
  • stefanzweifel/git-auto-commit-action v4
.github/workflows/versioning.yml
  • actions/checkout v2.3.4
  • Actions-R-Us/actions-tagger v2.0.1
.github/workflows/welcome_contributor.yml
  • actions/github-script v3.1
npm
api/github/package.json
  • es6-promisify 4.1.0
  • github 3.1.1
  • moment 2.29.1
  • chai 3.5.0
  • formatio 1.2.0
  • mocha 3.5.3
  • nock 8.2.2
  • rimraf 2.7.1
  • sinon 1.17.7
  • sinon-chai 2.14.0
  • typescript 2.9.2
  • typings 1.5.0
  • node >=4.0.0
package.json
  • concurrently 6.2.0
  • env-cmd 10.1.0
  • isomorphic-unfetch 3.1.0
  • lodash 4.17.21
  • @babel/preset-env 7.14.4
  • @babel/preset-typescript 7.13.0
  • @semantic-release/changelog 5.0.1
  • @semantic-release/commit-analyzer 8.0.1
  • @semantic-release/git 9.0.0
  • @semantic-release/github 7.2.3
  • @semantic-release/npm 7.1.3
  • @semantic-release/release-notes-generator 9.0.2
  • @types/jest 26.0.23
  • @types/lodash.mergewith 4.6.6
  • @types/parse-json 4.0.0
  • @types/prettier 2.2.3
  • @typescript-eslint/eslint-plugin 4.26.0
  • @typescript-eslint/parser 4.26.0
  • dateformat 4.5.1
  • boxen 5.0.1
  • chalk 2.4.2
  • cz-conventional-changelog 3.3.0
  • conventional-changelog-cli 2.1.1
  • del-cli 3.0.1
  • editorconfig-checker 3.3.0
  • eslint 7.28.0
  • eslint-plugin-unicorn 17.2.0
  • eslint-import-resolver-typescript 2.4.0
  • eslint-plugin-eslint-comments 3.2.0
  • eslint-config-prettier 6.15.0
  • eslint-plugin-github 4.1.3
  • eslint-plugin-import 2.23.4
  • eslint-plugin-jest 23.20.0
  • eslint-plugin-node 11.1.0
  • eslint-plugin-prettier 3.4.0
  • eslint-plugin-spellcheck 0.0.8
  • expect 26.6.2
  • folio 0.3.18
  • git-cz 4.7.6
  • gradient-string 1.2.0
  • husky 5.2.0
  • import-fresh 3.3.0
  • jest 26.6.3
  • jest-circus 26.6.3
  • lerna 2.11.0
  • coveralls 3.1.0
  • jsonlint 1.6.3
  • opener 1.5.2
  • license-checker 25.0.1
  • lint-staged 10.5.4
  • parse-json 5.2.0
  • path-type 4.0.0
  • prettier 2.3.0
  • pretty-quick 3.1.0
  • remark-cli 9.0.0
  • remark-lint-code-block-style 2.0.1
  • remark-lint-ordered-list-marker-value 2.0.1
  • remark-preset-davidtheclark 0.12.0
  • remark-preset-lint-recommended 5.0.0
  • remark-validate-links 10.0.4
  • semantic-release 17.4.3
  • markdown-link-check 3.8.7
  • randomcolor 0.5.4
  • ts-jest 26.5.6
  • ts-node 10.0.0
  • tsdx 0.14.1
  • typedoc 0.20.36
  • typescript 4.3.2
  • yaml 1.10.2
  • node >=10
travis
.travis.yml
  • node 12
  • Check this box to trigger a request for Renovate to run again on this repository

CVE-2019-11358 (Medium) detected in jquery-1.9.1.js

CVE-2019-11358 - Medium Severity Vulnerability

Vulnerable Library - jquery-1.9.1.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.9.1/jquery.js

Path to dependency file: sputnik/node_modules/tinygradient/bower_components/tinycolor/index.html

Path to vulnerable library: sputnik/node_modules/tinygradient/bower_components/tinycolor/demo/jquery-1.9.1.js

Dependency Hierarchy:

  • ❌ jquery-1.9.1.js (Vulnerable Library)

Found in HEAD commit: f41a0273dd446f2cf57ca79aaaf5dbbeebc78359

Vulnerability Details

jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. If an unsanitized source object contained an enumerable proto property, it could extend the native Object.prototype.

Publish Date: 2019-04-20

URL: CVE-2019-11358

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11358

Release Date: 2019-04-20

Fix Resolution: 3.4.0

Step up your Open Source Security Game with WhiteSource here

CVE-2020-7774 (High) detected in y18n-4.0.0.tgz

CVE-2020-7774 - High Severity Vulnerability

Vulnerable Library - y18n-4.0.0.tgz

the bare-bones internationalization library used by yargs

Library home page: https://registry.npmjs.org/y18n/-/y18n-4.0.0.tgz

Path to dependency file: sputnik/package.json

Path to vulnerable library: sputnik/node_modules/npm/node_modules/y18n/package.json

Dependency Hierarchy:

  • npm-7.0.10.tgz (Root Library)
    • npm-6.14.11.tgz
      • libnpx-10.2.4.tgz
        • ❌ y18n-4.0.0.tgz (Vulnerable Library)

Vulnerability Details

This affects the package y18n before 3.2.2, 4.0.1 and 5.0.5. PoC by po6ix: const y18n = require('y18n')(); y18n.setLocale('proto'); y18n.updateLocale({polluted: true}); console.log(polluted); // true

Publish Date: 2020-11-17

URL: CVE-2020-7774

CVSS 3 Score Details (7.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7774

Release Date: 2020-11-17

Fix Resolution: 5.0.5

Step up your Open Source Security Game with WhiteSource here

CVE-2020-8116 (High) detected in dot-prop-3.0.0.tgz

CVE-2020-8116 - High Severity Vulnerability

Vulnerable Library - dot-prop-3.0.0.tgz

Get, set, or delete a property from a nested object using a dot path

Library home page: https://registry.npmjs.org/dot-prop/-/dot-prop-3.0.0.tgz

Path to dependency file: sputnik/package.json

Path to vulnerable library: sputnik/node_modules/conventional-changelog/node_modules/dot-prop/package.json,sputnik/node_modules/conventional-changelog-jshint/node_modules/dot-prop/package.json,sputnik/node_modules/conventional-changelog-core/node_modules/dot-prop/package.json

Dependency Hierarchy:

  • lerna-2.11.0.tgz (Root Library)
    • conventional-changelog-cli-1.3.22.tgz
      • conventional-changelog-1.1.24.tgz
        • conventional-changelog-core-2.0.11.tgz
          • conventional-changelog-writer-3.0.9.tgz
            • compare-func-1.3.4.tgz
              • ❌ dot-prop-3.0.0.tgz (Vulnerable Library)

Found in HEAD commit: 160a6897f7ab4c245fb69270ea98cf1a04a452f5

Vulnerability Details

Prototype pollution vulnerability in dot-prop npm package versions before 4.2.1 and versions 5.x before 5.1.1 allows an attacker to add arbitrary properties to JavaScript language constructs such as objects.

Publish Date: 2020-02-04

URL: CVE-2020-8116

CVSS 3 Score Details (7.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8116

Release Date: 2020-02-04

Fix Resolution: dot-prop - 5.1.1

Step up your Open Source Security Game with WhiteSource here

WS-2020-0218 (High) detected in merge-1.2.1.tgz

WS-2020-0218 - High Severity Vulnerability

Vulnerable Library - merge-1.2.1.tgz

Merge multiple objects into one, optionally creating a new cloned object. Similar to the jQuery.extend but more flexible. Works in Node.js and the browser.

Library home page: https://registry.npmjs.org/merge/-/merge-1.2.1.tgz

Path to dependency file: sputnik/package.json

Path to vulnerable library: sputnik/node_modules/merge/package.json

Dependency Hierarchy:

  • cz-conventional-changelog-3.3.0.tgz (Root Library)
    • commitizen-4.2.3.tgz
      • find-node-modules-2.0.0.tgz
        • ❌ merge-1.2.1.tgz (Vulnerable Library)

Found in HEAD commit: 160a6897f7ab4c245fb69270ea98cf1a04a452f5

Vulnerability Details

A Prototype Pollution vulnerability was found in merge before 2.1.0 via the merge.recursive function. It can be tricked into adding or modifying properties of the Object prototype. These properties will be present on all objects.

Publish Date: 2020-10-09

URL: WS-2020-0218

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: swordev/merge#38

Release Date: 2020-10-09

Fix Resolution: merge - 2.1.0

Step up your Open Source Security Game with WhiteSource here

CVE-2020-7789 (Medium) detected in node-notifier-6.0.0.tgz

CVE-2020-7789 - Medium Severity Vulnerability

Vulnerable Library - node-notifier-6.0.0.tgz

A Node.js module for sending notifications on native Mac, Windows (post and pre 8) and Linux (or Growl as fallback)

Library home page: https://registry.npmjs.org/node-notifier/-/node-notifier-6.0.0.tgz

Path to dependency file: sputnik/package.json

Path to vulnerable library: sputnik/node_modules/tsdx/node_modules/node-notifier/package.json

Dependency Hierarchy:

  • tsdx-0.14.1.tgz (Root Library)
    • jest-25.5.4.tgz
      • core-25.5.4.tgz
        • reporters-25.5.1.tgz
          • ❌ node-notifier-6.0.0.tgz (Vulnerable Library)

Found in HEAD commit: 160a6897f7ab4c245fb69270ea98cf1a04a452f5

Vulnerability Details

This affects the package node-notifier before 9.0.0. It allows an attacker to run arbitrary commands on Linux machines due to the options params not being sanitised when being passed an array.

Publish Date: 2020-12-11

URL: CVE-2020-7789

CVSS 3 Score Details (5.6)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7789

Release Date: 2020-12-11

Fix Resolution: 9.0.0

Step up your Open Source Security Game with WhiteSource here

CVE-2020-7753 (High) detected in trim-0.0.1.tgz

CVE-2020-7753 - High Severity Vulnerability

Vulnerable Library - trim-0.0.1.tgz

Trim string whitespace

Library home page: https://registry.npmjs.org/trim/-/trim-0.0.1.tgz

Path to dependency file: sputnik/package.json

Path to vulnerable library: sputnik/node_modules/trim/package.json

Dependency Hierarchy:

  • remark-preset-davidtheclark-0.12.0.tgz (Root Library)
    • remark-cli-7.0.1.tgz
      • remark-11.0.2.tgz
        • remark-parse-7.0.2.tgz
          • ❌ trim-0.0.1.tgz (Vulnerable Library)

Found in HEAD commit: f41a0273dd446f2cf57ca79aaaf5dbbeebc78359

Vulnerability Details

All versions of package trim are vulnerable to Regular Expression Denial of Service (ReDoS) via trim().

Publish Date: 2020-10-27

URL: CVE-2020-7753

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Step up your Open Source Security Game with WhiteSource here

CVE-2020-7789 (Medium) detected in node-notifier-6.0.0.tgz

CVE-2020-7789 - Medium Severity Vulnerability

Vulnerable Library - node-notifier-6.0.0.tgz

A Node.js module for sending notifications on native Mac, Windows (post and pre 8) and Linux (or Growl as fallback)

Library home page: https://registry.npmjs.org/node-notifier/-/node-notifier-6.0.0.tgz

Path to dependency file: sputnik/package.json

Path to vulnerable library: sputnik/node_modules/tsdx/node_modules/node-notifier/package.json

Dependency Hierarchy:

  • tsdx-0.14.1.tgz (Root Library)
    • jest-25.5.4.tgz
      • core-25.5.4.tgz
        • reporters-25.5.1.tgz
          • ❌ node-notifier-6.0.0.tgz (Vulnerable Library)

Found in HEAD commit: f41a0273dd446f2cf57ca79aaaf5dbbeebc78359

Vulnerability Details

This affects the package node-notifier before 9.0.0. It allows an attacker to run arbitrary commands on Linux machines due to the options params not being sanitised when being passed an array.

Publish Date: 2020-12-11

URL: CVE-2020-7789

CVSS 3 Score Details (5.6)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7789

Release Date: 2020-12-11

Fix Resolution: 9.0.0

Step up your Open Source Security Game with WhiteSource here

CVE-2020-28499 (High) detected in merge-1.2.1.tgz

CVE-2020-28499 - High Severity Vulnerability

Vulnerable Library - merge-1.2.1.tgz

Merge multiple objects into one, optionally creating a new cloned object. Similar to the jQuery.extend but more flexible. Works in Node.js and the browser.

Library home page: https://registry.npmjs.org/merge/-/merge-1.2.1.tgz

Path to dependency file: sputnik/package.json

Path to vulnerable library: sputnik/node_modules/merge/package.json

Dependency Hierarchy:

  • cz-conventional-changelog-3.3.0.tgz (Root Library)
    • commitizen-4.2.3.tgz
      • find-node-modules-2.0.0.tgz
        • ❌ merge-1.2.1.tgz (Vulnerable Library)

Found in HEAD commit: f41a0273dd446f2cf57ca79aaaf5dbbeebc78359

Vulnerability Details

All versions of package merge are vulnerable to Prototype Pollution via _recursiveMerge .

Publish Date: 2021-02-18

URL: CVE-2020-28499

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Step up your Open Source Security Game with WhiteSource here

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    πŸ–– Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. πŸ“ŠπŸ“ˆπŸŽ‰

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google ❀️ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.