amirping / happy-service-dao Goto Github PK

Vulnerable Library - mpath-0.3.0.tgz

{G,S}et object values using MongoDB-like path notation

path: /tmp/git/Happy-service-dao/node_modules/mpath/package.json

Library home page: https://registry.npmjs.org/mpath/-/mpath-0.3.0.tgz

Dependency Hierarchy:

• mongoose-5.0.7.tgz (Root Library)
  • ❌ mpath-0.3.0.tgz (Vulnerable Library)

Vulnerability Details

A prototype pollution vulnerability was found in module mpath <0.5.1 that allows an attacker to inject arbitrary properties onto Object.prototype.

Publish Date: 2019-02-01

URL: CVE-2018-16490

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: High
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://hackerone.com/reports/390860

Release Date: 2019-02-01

Fix Resolution: 0.5.1

Vulnerable Library - lodash-4.17.5.tgz

Lodash modular utilities.

path: /tmp/git/Happy-service-dao/node_modules/lodash/package.json

Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.5.tgz

Dependency Hierarchy:

• mongoose-5.0.7.tgz (Root Library)
  • async-2.1.4.tgz
    • ❌ lodash-4.17.5.tgz (Vulnerable Library)

Vulnerability Details

In the node_module "lodash" before version 4.17.11 the functions merge, mergeWith, and defaultsDeep can be tricked into adding or modifying properties of the Object prototype. These properties will be present on all objects.

Publish Date: 2018-11-25

URL: WS-2018-0210

CVSS 2 Score Details (3.5)

Base Score Metrics not available

Suggested Fix

Type: Change files

Origin: lodash/lodash@90e6199

Release Date: 2018-08-31

Fix Resolution: Replace or update the following files: lodash.js, test.js

Vulnerable Library - lodash-4.17.5.tgz

Lodash modular utilities.

path: /tmp/git/Happy-service-dao/node_modules/lodash/package.json

Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.5.tgz

Dependency Hierarchy:

• mongoose-5.0.7.tgz (Root Library)
  • async-2.1.4.tgz
    • ❌ lodash-4.17.5.tgz (Vulnerable Library)

Vulnerability Details

A prototype pollution vulnerability was found in lodash <4.17.11 where the functions merge, mergeWith, and defaultsDeep can be tricked into adding or modifying properties of Object.prototype.

Publish Date: 2019-02-01

URL: CVE-2018-16487

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-16487

Release Date: 2019-02-01

Fix Resolution: 4.17.11