configit-open-source / build-radiator Goto Github PK

Vulnerable Libraries - lodash-1.0.2.tgz, lodash-4.17.11.tgz

Found in HEAD commit: f6e16803f364a3e6314ded5c9604a87d9ed25997

Vulnerability Details

Versions of lodash lower than 4.17.12 are vulnerable to Prototype Pollution. The function defaultsDeep could be tricked into adding or modifying properties of Object.prototype using a constructor payload.

Publish Date: 2019-07-26

URL: CVE-2019-10744

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: lodash/lodash@a01e4fa

Release Date: 2019-07-08

Fix Resolution: 4.17.12

Vulnerable Library - clean-css-4.1.7.tgz

A well-tested CSS minifier

path: /tmp/git/build-radiator/BuildRadiator/node_modules/clean-css/package.json

Library home page: https://registry.npmjs.org/clean-css/-/clean-css-4.1.7.tgz

Dependency Hierarchy:

• gulp-clean-css-3.7.0.tgz (Root Library)
  • ❌ clean-css-4.1.7.tgz (Vulnerable Library)

Vulnerability Details

Version of clean-css prior to 4.1.11 are vulnerable to Regular Expression Denial of Service (ReDoS). Untrusted input may cause catastrophic backtracking while matching regular expressions. This can cause the application to be unresponsive leading to Denial of Service.

Publish Date: 2019-02-21

URL: WS-2019-0017

CVSS 2 Score Details (5.0)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/785

Release Date: 2019-02-21

Fix Resolution: v4.1.11

Vulnerable Library - jquery.1.12.3.nupkg

jQuery is a new kind of JavaScript Library. jQuery is a fast and concise JavaScript Library ...

Library home page: https://api.nuget.org/packages/jquery.1.12.3.nupkg

Path to dependency file: /build-radiator/BuildRadiator/packages.config

Path to vulnerable library: /build-radiator/BuildRadiator/packages.config

Dependency Hierarchy:

• ❌ jquery.1.12.3.nupkg (Vulnerable Library)

Found in HEAD commit: 902a6f653c688f0ea82fb1fb85a872d455226672

Vulnerability Details

jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. If an unsanitized source object contained an enumerable proto property, it could extend the native Object.prototype.

Publish Date: 2019-04-20

URL: CVE-2019-11358

CVSS 3 Score Details (6.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11358

Release Date: 2019-04-20

Fix Resolution: 3.4.0

Vulnerable Library - mixin-deep-1.3.1.tgz

Deeply mix the properties of objects into the first object. Like merge-deep, but doesn't clone.

Library home page: https://registry.npmjs.org/mixin-deep/-/mixin-deep-1.3.1.tgz

Path to dependency file: /tmp/ws-scm/build-radiator/BuildRadiator/package.json

Path to vulnerable library: /tmp/ws-scm/build-radiator/BuildRadiator/node_modules/mixin-deep/package.json

Dependency Hierarchy:

• gulp-3.9.1.tgz (Root Library)
  • liftoff-2.5.0.tgz
    • findup-sync-2.0.0.tgz
      • micromatch-3.1.10.tgz
        • snapdragon-0.8.2.tgz
          • base-0.11.2.tgz
            • ❌ mixin-deep-1.3.1.tgz (Vulnerable Library)

Found in HEAD commit: f6e16803f364a3e6314ded5c9604a87d9ed25997

Vulnerability Details

mixin-deep is vulnerable to Prototype Pollution in versions before 1.3.2 and version 2.0.0. The function mixin-deep could be tricked into adding or modifying properties of Object.prototype using a constructor payload.

Publish Date: 2019-08-23

URL: CVE-2019-10746

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: jonschlinkert/mixin-deep@8f464c8

Release Date: 2019-07-11

Fix Resolution: 1.3.2,2.0.1

Vulnerable Library - hoek-2.16.3.tgz

General purpose node utilities

path: /tmp/git/build-radiator/BuildRadiator/node_modules/hoek/package.json

Library home page: http://registry.npmjs.org/hoek/-/hoek-2.16.3.tgz

Dependency Hierarchy:

• gulp-less-3.3.2.tgz (Root Library)
  • less-2.7.3.tgz
    • request-2.81.0.tgz
      • hawk-3.1.3.tgz
        • ❌ hoek-2.16.3.tgz (Vulnerable Library)

Vulnerability Details

hoek node module before 4.2.0 and 5.0.x before 5.0.3 suffers from a Modification of Assumed-Immutable Data (MAID) vulnerability via 'merge' and 'applyToDefaults' functions, which allows a malicious user to modify the prototype of "Object" via proto, causing the addition or modification of an existing property that will exist on all objects.

Publish Date: 2018-03-30

URL: CVE-2018-3728

CVSS 3 Score Details (8.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Change files

Origin: hapijs/hoek@623667e

Release Date: 2018-02-15

Fix Resolution: Replace or update the following files: index.js, index.js

Vulnerable Library - jquery.1.12.3.nupkg

jQuery is a new kind of JavaScript Library. jQuery is a fast and concise JavaScript Library ...

path: /build-radiator/BuildRadiator/packages.config

Library home page: https://api.nuget.org/packages/jquery.1.12.3.nupkg

Dependency Hierarchy:

• ❌ jquery.1.12.3.nupkg (Vulnerable Library)

Vulnerability Details

jQuery before 3.0.0 is vulnerable to Cross-site Scripting (XSS) attacks when a cross-domain Ajax request is performed without the dataType option, causing text/javascript responses to be executed.

Publish Date: 2018-01-18

URL: CVE-2015-9251

CVSS 3 Score Details (6.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None

Suggested Fix

Type: Change files

Origin: jquery/jquery@b078a62#diff-bee4304906ea68bebadfc11be4368419

Release Date: 2015-10-12

Fix Resolution: Replace or update the following files: script.js, ajax.js, ajax.js

Vulnerable Library - lodash-1.0.2.tgz

A utility library delivering consistency, customization, performance, and extras.

path: /tmp/git/build-radiator/BuildRadiator/node_modules/lodash/package.json

Library home page: http://registry.npmjs.org/lodash/-/lodash-1.0.2.tgz

Dependency Hierarchy:

• gulp-3.9.1.tgz (Root Library)
  • vinyl-fs-0.3.14.tgz
    • glob-watcher-0.0.6.tgz
      • gaze-0.5.2.tgz
        • globule-0.1.0.tgz
          • ❌ lodash-1.0.2.tgz (Vulnerable Library)

Vulnerability Details

A prototype pollution vulnerability was found in lodash <4.17.11 where the functions merge, mergeWith, and defaultsDeep can be tricked into adding or modifying properties of Object.prototype.

Publish Date: 2019-02-01

URL: CVE-2018-16487

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-16487

Release Date: 2019-02-01

Fix Resolution: 4.17.11

Vulnerable Library - lodash-1.0.2.tgz

A utility library delivering consistency, customization, performance, and extras.

path: /tmp/git/build-radiator/BuildRadiator/node_modules/lodash/package.json

Library home page: http://registry.npmjs.org/lodash/-/lodash-1.0.2.tgz

Dependency Hierarchy:

• gulp-3.9.1.tgz (Root Library)
  • vinyl-fs-0.3.14.tgz
    • glob-watcher-0.0.6.tgz
      • gaze-0.5.2.tgz
        • globule-0.1.0.tgz
          • ❌ lodash-1.0.2.tgz (Vulnerable Library)

Vulnerability Details

In the node_module "lodash" before version 4.17.11 the functions merge, mergeWith, and defaultsDeep can be tricked into adding or modifying properties of the Object prototype. These properties will be present on all objects.

Publish Date: 2018-11-25

URL: WS-2018-0210

CVSS 2 Score Details (3.5)

Base Score Metrics not available

Suggested Fix

Type: Change files

Origin: lodash/lodash@90e6199

Release Date: 2018-08-31

Fix Resolution: Replace or update the following files: lodash.js, test.js

Vulnerable Library - lodash-1.0.2.tgz

A utility library delivering consistency, customization, performance, and extras.

path: /tmp/git/build-radiator/BuildRadiator/node_modules/lodash/package.json

Library home page: http://registry.npmjs.org/lodash/-/lodash-1.0.2.tgz

Dependency Hierarchy:

• gulp-3.9.1.tgz (Root Library)
  • vinyl-fs-0.3.14.tgz
    • glob-watcher-0.0.6.tgz
      • gaze-0.5.2.tgz
        • globule-0.1.0.tgz
          • ❌ lodash-1.0.2.tgz (Vulnerable Library)

Vulnerability Details

lodash node module before 4.17.5 suffers from a Modification of Assumed-Immutable Data (MAID) vulnerability via defaultsDeep, merge, and mergeWith functions, which allows a malicious user to modify the prototype of "Object" via proto, causing the addition or modification of an existing property that will exist on all objects.

Publish Date: 2018-06-07

URL: CVE-2018-3721

CVSS 3 Score Details (6.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: High
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2018-3721

Release Date: 2018-06-07

Fix Resolution: 4.17.5

Vulnerability Details

Minimatch is a minimal matching utility that works by converting glob expressions into JavaScript RegExp objects. The primary function, minimatch(path, pattern) in Minimatch 3.0.1 and earlier is vulnerable to ReDoS in the pattern parameter.

Publish Date: 2018-05-31

URL: CVE-2016-10540

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://nodesecurity.io/advisories/118

Release Date: 2016-06-20

Fix Resolution: Update to version 3.0.2 or later.

Vulnerable Libraries - kind-of-3.2.2.tgz, kind-of-4.0.0.tgz, kind-of-6.0.2.tgz, kind-of-5.1.0.tgz

Found in HEAD commit: f6e16803f364a3e6314ded5c9604a87d9ed25997

Vulnerability Details

ctorName in index.js in kind-of v6.0.2 allows external user input to overwrite certain internal attributes via a conflicting name, as demonstrated by 'constructor': {'name':'Symbol'}. Hence, a crafted payload can overwrite this builtin attribute to manipulate the type detection result.

Publish Date: 2019-12-30

URL: CVE-2019-20149

CVSS 2 Score Details (5.0)

Base Score Metrics not available

Vulnerable Library - merge-1.2.0.tgz

Merge multiple objects into one, optionally creating a new cloned object. Similar to the jQuery.extend but more flexible. Works in Node.js and the browser.

Library home page: https://registry.npmjs.org/merge/-/merge-1.2.0.tgz

Path to dependency file: /build-radiator/BuildRadiator/package.json

Path to vulnerable library: /tmp/git/build-radiator/BuildRadiator/node_modules/merge/package.json

Dependency Hierarchy:

• gulp-ng-annotate-2.0.0.tgz (Root Library)
  • ❌ merge-1.2.0.tgz (Vulnerable Library)

Found in HEAD commit: 902a6f653c688f0ea82fb1fb85a872d455226672

Vulnerability Details

The merge.recursive function in the merge package <1.2.1 can be tricked into adding or modifying properties of the Object prototype. These properties will be present on all objects allowing for a denial of service attack.

Publish Date: 2018-10-30

URL: CVE-2018-16469

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Vulnerable Library - cryptiles-2.0.5.tgz

General purpose crypto utilities

path: /tmp/git/build-radiator/BuildRadiator/node_modules/cryptiles/package.json

Library home page: http://registry.npmjs.org/cryptiles/-/cryptiles-2.0.5.tgz

Dependency Hierarchy:

• gulp-less-3.3.2.tgz (Root Library)
  • less-2.7.3.tgz
    • request-2.81.0.tgz
      • hawk-3.1.3.tgz
        • ❌ cryptiles-2.0.5.tgz (Vulnerable Library)

Vulnerability Details

Eran Hammer cryptiles version 4.1.1 earlier contains a CWE-331: Insufficient Entropy vulnerability in randomDigits() method that can result in An attacker is more likely to be able to brute force something that was supposed to be random.. This attack appear to be exploitable via Depends upon the calling application.. This vulnerability appears to have been fixed in 4.1.2.

Publish Date: 2018-07-09

URL: CVE-2018-1000620

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Vulnerable Library - lodash-1.0.2.tgz

A utility library delivering consistency, customization, performance, and extras.

Library home page: https://registry.npmjs.org/lodash/-/lodash-1.0.2.tgz

Path to dependency file: /tmp/ws-scm/build-radiator/BuildRadiator/package.json

Path to vulnerable library: /tmp/ws-scm/build-radiator/BuildRadiator/node_modules/lodash/package.json

Dependency Hierarchy:

• gulp-3.9.1.tgz (Root Library)
  • vinyl-fs-0.3.14.tgz
    • glob-watcher-0.0.6.tgz
      • gaze-0.5.2.tgz
        • globule-0.1.0.tgz
          • ❌ lodash-1.0.2.tgz (Vulnerable Library)

Found in HEAD commit: f6e16803f364a3e6314ded5c9604a87d9ed25997

Vulnerability Details

lodash prior to 4.17.11 is affected by: CWE-400: Uncontrolled Resource Consumption. The impact is: Denial of service. The component is: Date handler. The attack vector is: Attacker provides very long strings, which the library attempts to match using a regular expression. The fixed version is: 4.17.11.

Publish Date: 2019-07-17

URL: CVE-2019-1010266

CVSS 3 Score Details (6.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1010266

Release Date: 2019-07-17

Fix Resolution: 4.17.11

Vulnerable Library - jquery.1.12.3.nupkg

jQuery is a new kind of JavaScript Library. jQuery is a fast and concise JavaScript Library ...

path: /build-radiator/BuildRadiator/packages.config

Library home page: https://api.nuget.org/packages/jquery.1.12.3.nupkg

Dependency Hierarchy:

• ❌ jquery.1.12.3.nupkg (Vulnerable Library)

Vulnerability Details

In v2.2.4 and previous, a lowercasing logic was used on the attribute names and was removed in v3.0.0.
Because of this, boolean attributes whose names were not all lowercase cause infinite recursion, and will exceed the stack call limit.

Publish Date: 2017-04-15

URL: WS-2017-0195

CVSS 2 Score Details (5.3)

Base Score Metrics not available

Suggested Fix

Type: Change files

Origin: jquery/jquery@d12e13d

Release Date: 2016-05-29

Fix Resolution: Replace or update the following files: attr.js, attributes.js

Vulnerable Library - lodash.merge-4.6.1.tgz

The Lodash method `_.merge` exported as a module.

Library home page: https://registry.npmjs.org/lodash.merge/-/lodash.merge-4.6.1.tgz

Path to dependency file: /tmp/ws-scm/build-radiator/BuildRadiator/package.json

Path to vulnerable library: /tmp/ws-scm/build-radiator/BuildRadiator/node_modules/lodash.merge/package.json

Dependency Hierarchy:

• gulp-less-3.3.2.tgz (Root Library)
  • accord-0.27.3.tgz
    • ❌ lodash.merge-4.6.1.tgz (Vulnerable Library)

Found in HEAD commit: f6e16803f364a3e6314ded5c9604a87d9ed25997

Vulnerability Details

lodash.merge before 4.6.2 is vulnerable to prototype pollution. The function merge() may allow a malicious user to modify the prototype of Object via {constructor: {prototype: {...}}} causing the addition or modification of an existing property that will exist on all objects.

Publish Date: 2019-08-14

URL: WS-2019-0185

CVSS 2 Score Details (7.5)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/1066

Release Date: 2019-08-14

Fix Resolution: 4.6.2

Vulnerable Library - braces-1.8.5.tgz

Fastest brace expansion for node.js, with the most complete support for the Bash 4.3 braces specification.

path: /tmp/git/build-radiator/BuildRadiator/node_modules/gulp-typescript/node_modules/braces/package.json

Library home page: https://registry.npmjs.org/braces/-/braces-1.8.5.tgz

Dependency Hierarchy:

• gulp-typescript-3.2.1.tgz (Root Library)
  • vinyl-fs-2.4.4.tgz
    • glob-stream-5.3.5.tgz
      • micromatch-2.3.11.tgz
        • ❌ braces-1.8.5.tgz (Vulnerable Library)

Vulnerability Details

Version of braces prior to 2.3.1 are vulnerable to Regular Expression Denial of Service (ReDoS). Untrusted input may cause catastrophic backtracking while matching regular expressions. This can cause the application to be unresponsive leading to Denial of Service.

Publish Date: 2019-03-25

URL: WS-2019-0019

CVSS 2 Score Details (5.0)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/786

Release Date: 2019-02-21

Fix Resolution: 2.3.1

Vulnerable Library - jquery.1.12.3.nupkg

jQuery is a new kind of JavaScript Library. jQuery is a fast and concise JavaScript Library ...

Library home page: https://api.nuget.org/packages/jquery.1.12.3.nupkg

Path to dependency file: /tmp/ws-scm/build-radiator/BuildRadiator/packages.config

Path to vulnerable library: /build-radiator/BuildRadiator/packages.config

Dependency Hierarchy:

• ❌ jquery.1.12.3.nupkg (Vulnerable Library)

Found in HEAD commit: f6e16803f364a3e6314ded5c9604a87d9ed25997

Vulnerability Details

JQuery, before 2.2.0, is vulnerable to Cross-site Scripting (XSS) attacks via text/javascript response with arbitrary code execution.

Publish Date: 2016-11-27

URL: WS-2016-0090

CVSS 2 Score Details (4.3)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: jquery/jquery@b078a62

Release Date: 2019-04-08

Fix Resolution: 2.2.0

Vulnerable Library - angularjs.core.1.5.5.nupkg

See the AngularJS.* packages for other Angular modules

path: /build-radiator/BuildRadiator/packages.config

Library home page: https://api.nuget.org/packages/angularjs.core.1.5.5.nupkg

Dependency Hierarchy:

• ❌ angularjs.core.1.5.5.nupkg (Vulnerable Library)

Vulnerability Details

Extension URIs (resource://...) bypass Content-Security-Policy in Chrome and
Firefox and can always be loaded. Now if a site already has a XSS bug, and uses
CSP to protect itself, but the user has an extension installed that uses
Angular, an attacked can load Angular from the extension, and Angular's
auto-bootstrapping can be used to bypass the victim site's CSP protection.

Publish Date: 2017-01-20

URL: WS-2017-0113

CVSS 2 Score Details (5.2)

Base Score Metrics not available

Suggested Fix

Type: Change files

Origin: angular/angular.js@0ff10e1

Release Date: 2016-11-02

Fix Resolution: Replace or update the following files: Angular.js, .eslintrc.json, AngularSpec.js

Vulnerable Libraries - set-value-2.0.0.tgz, set-value-0.4.3.tgz

Found in HEAD commit: f6e16803f364a3e6314ded5c9604a87d9ed25997

Vulnerability Details

set-value is vulnerable to Prototype Pollution in versions lower than 3.0.1. The function mixin-deep could be tricked into adding or modifying properties of Object.prototype using any of the constructor, prototype and proto payloads.

Publish Date: 2019-08-23

URL: CVE-2019-10747

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: jonschlinkert/set-value@95e9d99

Release Date: 2019-07-24

Fix Resolution: 2.0.1,3.0.1