guillerbr / api-crud-adonisjs Goto Github PK

Vulnerable Library - knex-0.15.2.tgz

A batteries-included SQL query & schema builder for Postgres, MySQL and SQLite3 and the Browser

Library home page: https://registry.npmjs.org/knex/-/knex-0.15.2.tgz

Path to dependency file: /api-crud-adonisjs/package.json

Path to vulnerable library: /node_modules/knex/package.json

Dependency Hierarchy:

• lucid-6.1.3.tgz (Root Library)
  • ❌ knex-0.15.2.tgz (Vulnerable Library)

Found in base branch: master

Vulnerability Details

knex.js versions before 0.19.5 are vulnerable to SQL Injection attack. Identifiers are escaped incorrectly as part of the MSSQL dialect, allowing attackers to craft a malicious query to the host DB.

Publish Date: 2019-10-08

URL: CVE-2019-10757

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10757

Release Date: 2019-10-08

Fix Resolution (knex): 0.19.5

Direct dependency fix Resolution (@adonisjs/lucid): 6.3.0

Vulnerable Library - kind-of-6.0.2.tgz

Get the native type of a value.

Library home page: https://registry.npmjs.org/kind-of/-/kind-of-6.0.2.tgz

Path to dependency file: /api-crud-adonisjs/package.json

Path to vulnerable library: /node_modules/make-iterator/node_modules/kind-of/package.json

Dependency Hierarchy:

• lucid-6.1.3.tgz (Root Library)
  • knex-0.15.2.tgz
    • liftoff-2.5.0.tgz
      • findup-sync-2.0.0.tgz
        • micromatch-3.1.10.tgz
          • ❌ kind-of-6.0.2.tgz (Vulnerable Library)

Found in base branch: master

Vulnerability Details

ctorName in index.js in kind-of v6.0.2 allows external user input to overwrite certain internal attributes via a conflicting name, as demonstrated by 'constructor': {'name':'Symbol'}. Hence, a crafted payload can overwrite this builtin attribute to manipulate the type detection result.

Publish Date: 2019-12-30

URL: CVE-2019-20149

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: High
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-20149

Release Date: 2019-12-30

Fix Resolution (kind-of): 6.0.3

Direct dependency fix Resolution (@adonisjs/lucid): 6.1.4

Vulnerable Library - set-getter-0.1.0.tgz

Create nested getter properties and any intermediary dot notation (`'a.b.c'`) paths

Library home page: https://registry.npmjs.org/set-getter/-/set-getter-0.1.0.tgz

Path to dependency file: /api-crud-adonisjs/package.json

Path to vulnerable library: /node_modules/set-getter/package.json

Dependency Hierarchy:

• ace-5.0.8.tgz (Root Library)
  • enquirer-1.0.3.tgz
    • prompt-question-3.0.3.tgz
      • prompt-choices-3.0.6.tgz
        • lazy-cache-2.0.2.tgz
          • ❌ set-getter-0.1.0.tgz (Vulnerable Library)

Found in base branch: master

Vulnerability Details

Prototype pollution vulnerability in 'set-getter' version 0.1.0 allows an attacker to cause a denial of service and may lead to remote code execution.

Publish Date: 2021-06-10

URL: CVE-2021-25949

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Release Date: 2021-06-10

Fix Resolution (set-getter): 0.1.1

Direct dependency fix Resolution (@adonisjs/ace): 5.1.0

Vulnerable Libraries - set-value-3.0.1.tgz, set-value-1.0.0.tgz

Found in base branch: master

Vulnerability Details

Mend Note: After conducting further research, Mend has determined that all versions of set-value before versions 2.0.1, 4.0.1 are vulnerable to CVE-2021-23440.

Publish Date: 2021-09-12

URL: CVE-2021-23440

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://www.huntr.dev/bounties/2eae1159-01de-4f82-a177-7478a408c4a2/

Release Date: 2021-09-12

Fix Resolution (set-value): 3.0.3

Direct dependency fix Resolution (@adonisjs/ace): 5.1.0

Fix Resolution (set-value): 3.0.3

Direct dependency fix Resolution (@adonisjs/ace): 5.1.0

Vulnerable Libraries - minimist-0.0.8.tgz, minimist-1.2.0.tgz

Found in base branch: master

Vulnerability Details

Minimist <=1.2.5 is vulnerable to Prototype Pollution via file index.js, function setKey() (lines 69-95).

Publish Date: 2022-03-17

URL: CVE-2021-44906

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-xvch-5gv4-984h

Release Date: 2022-03-17

Fix Resolution (minimist): 0.2.4

Direct dependency fix Resolution (@adonisjs/lucid): 6.1.4

Fix Resolution (minimist): 0.2.4

Direct dependency fix Resolution (@adonisjs/lucid): 6.1.4

Vulnerable Library - jsonwebtoken-8.5.1.tgz

JSON Web Token implementation (symmetric and asymmetric)

Library home page: https://registry.npmjs.org/jsonwebtoken/-/jsonwebtoken-8.5.1.tgz

Path to dependency file: /api-crud-adonisjs/package.json

Path to vulnerable library: /node_modules/jsonwebtoken/package.json

Dependency Hierarchy:

• auth-3.0.7.tgz (Root Library)
  • ❌ jsonwebtoken-8.5.1.tgz (Vulnerable Library)

Found in base branch: master

Vulnerability Details

jsonwebtoken is an implementation of JSON Web Tokens. Versions <= 8.5.1 of jsonwebtoken library can be misconfigured so that passing a poorly implemented key retrieval function referring to the secretOrPublicKey argument from the readme link will result in incorrect verification of tokens. There is a possibility of using a different algorithm and key combination in verification, other than the one that was used to sign the tokens. Specifically, tokens signed with an asymmetric public key could be verified with a symmetric HS256 algorithm. This can lead to successful validation of forged tokens. If your application is supporting usage of both symmetric key and asymmetric key in jwt.verify() implementation with the same key retrieval function. This issue has been patched, please update to version 9.0.0.

Publish Date: 2022-12-22

URL: CVE-2022-23541

CVSS 3 Score Details (6.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: GHSA-hjrf-2m68-5959

Release Date: 2022-12-22

Fix Resolution (jsonwebtoken): 9.0.0

Direct dependency fix Resolution (@adonisjs/auth): 4.0.0

Vulnerable Library - moment-2.24.0.tgz

Parse, validate, manipulate, and display dates

Library home page: https://registry.npmjs.org/moment/-/moment-2.24.0.tgz

Path to dependency file: /api-crud-adonisjs/package.json

Path to vulnerable library: /node_modules/moment/package.json

Dependency Hierarchy:

• lucid-6.1.3.tgz (Root Library)
  • ❌ moment-2.24.0.tgz (Vulnerable Library)

Found in base branch: master

Vulnerability Details

moment is a JavaScript date library for parsing, validating, manipulating, and formatting dates. Affected versions of moment were found to use an inefficient parsing algorithm. Specifically using string-to-date parsing in moment (more specifically rfc2822 parsing, which is tried by default) has quadratic (N^2) complexity on specific inputs. Users may notice a noticeable slowdown is observed with inputs above 10k characters. Users who pass user-provided strings without sanity length checks to moment constructor are vulnerable to (Re)DoS attacks. The problem is patched in 2.29.4, the patch can be applied to all affected versions with minimal tweaking. Users are advised to upgrade. Users unable to upgrade should consider limiting date lengths accepted from user input.

Publish Date: 2022-07-06

URL: CVE-2022-31129

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-wc69-rhjr-hc9g

Release Date: 2022-07-06

Fix Resolution (moment): 2.29.4

Direct dependency fix Resolution (@adonisjs/lucid): 6.1.4

Vulnerable Library - jsonwebtoken-8.5.1.tgz

JSON Web Token implementation (symmetric and asymmetric)

Library home page: https://registry.npmjs.org/jsonwebtoken/-/jsonwebtoken-8.5.1.tgz

Path to dependency file: /api-crud-adonisjs/package.json

Path to vulnerable library: /node_modules/jsonwebtoken/package.json

Dependency Hierarchy:

• auth-3.0.7.tgz (Root Library)
  • ❌ jsonwebtoken-8.5.1.tgz (Vulnerable Library)

Found in base branch: master

Vulnerability Details

In versions <=8.5.1 of jsonwebtoken library, lack of algorithm definition in the jwt.verify() function can lead to signature validation bypass due to defaulting to the none algorithm for signature verification. Users are affected if you do not specify algorithms in the jwt.verify() function. This issue has been fixed, please update to version 9.0.0 which removes the default support for the none algorithm in the jwt.verify() method. There will be no impact, if you update to version 9.0.0 and you don’t need to allow for the none algorithm. If you need 'none' algorithm, you have to explicitly specify that in jwt.verify() options.

Publish Date: 2022-12-22

URL: CVE-2022-23540

CVSS 3 Score Details (7.6)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: High
  • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2022-23540

Release Date: 2022-12-22

Fix Resolution (jsonwebtoken): 9.0.0

Direct dependency fix Resolution (@adonisjs/auth): 4.0.0

Vulnerable Library - set-value-1.0.0.tgz

Create nested values and any intermediaries using dot notation (`'a.b.c'`) paths.

Library home page: https://registry.npmjs.org/set-value/-/set-value-1.0.0.tgz

Path to dependency file: /api-crud-adonisjs/package.json

Path to vulnerable library: /node_modules/set-value/package.json

Dependency Hierarchy:

• ace-5.0.8.tgz (Root Library)
  • enquirer-1.0.3.tgz
    • ❌ set-value-1.0.0.tgz (Vulnerable Library)

Found in base branch: master

Vulnerability Details

set-value is vulnerable to Prototype Pollution in versions lower than 3.0.1. The function mixin-deep could be tricked into adding or modifying properties of Object.prototype using any of the constructor, prototype and proto payloads.

Publish Date: 2019-08-23

URL: CVE-2019-10747

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Release Date: 2019-08-23

Fix Resolution (set-value): 2.0.1

Direct dependency fix Resolution (@adonisjs/ace): 6.0.0

Vulnerable Library - knex-0.15.2.tgz

A batteries-included SQL query & schema builder for Postgres, MySQL and SQLite3 and the Browser

Library home page: https://registry.npmjs.org/knex/-/knex-0.15.2.tgz

Path to dependency file: /api-crud-adonisjs/package.json

Path to vulnerable library: /node_modules/knex/package.json

Dependency Hierarchy:

• lucid-6.1.3.tgz (Root Library)
  • ❌ knex-0.15.2.tgz (Vulnerable Library)

Found in base branch: master

Vulnerability Details

Knex Knex.js through 2.3.0 has a limited SQL injection vulnerability that can be exploited to ignore the WHERE clause of a SQL query.

Publish Date: 2022-12-19

URL: CVE-2016-20018

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: None
  • Availability Impact: None

Vulnerable Library - edge.js-1.1.4.tgz

Node.js logical templating engine with fresh air

Library home page: https://registry.npmjs.org/edge.js/-/edge.js-1.1.4.tgz

Path to dependency file: /api-crud-adonisjs/package.json

Path to vulnerable library: /node_modules/edge.js/package.json

Dependency Hierarchy:

• framework-5.0.13.tgz (Root Library)
  • ❌ edge.js-1.1.4.tgz (Vulnerable Library)

Found in base branch: master

Vulnerability Details

This affects the package edge.js before 5.3.2. A type confusion vulnerability can be used to bypass input sanitization when the input to be rendered is an array (instead of a string or a SafeValue), even if {{ }} are used.

Publish Date: 2021-09-21

URL: CVE-2021-23443

CVSS 3 Score Details (6.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23443

Release Date: 2021-09-21

Fix Resolution: edge.js - 5.3.2

Vulnerable Library - acorn-6.2.0.tgz

ECMAScript parser

Library home page: https://registry.npmjs.org/acorn/-/acorn-6.2.0.tgz

Path to dependency file: /api-crud-adonisjs/package.json

Path to vulnerable library: /node_modules/acorn/package.json

Dependency Hierarchy:

• fold-4.0.9.tgz (Root Library)
  • require-stack-1.0.2.tgz
    • syntax-error-1.4.0.tgz
      • acorn-node-1.7.0.tgz
        • ❌ acorn-6.2.0.tgz (Vulnerable Library)

Found in base branch: master

Vulnerability Details

acorn is vulnerable to REGEX DoS. A regex of the form /[x-\ud800]/u causes the parser to enter an infinite loop. attackers may leverage the vulnerability leading to a Denial of Service since the string is not valid UTF16 and it results in it being sanitized before reaching the parser.

Publish Date: 2020-03-01

URL: WS-2020-0042

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-6chw-6frg-f759

Release Date: 2020-03-01

Fix Resolution (acorn): 6.4.1

Direct dependency fix Resolution (@adonisjs/fold): 4.1.0

Vulnerable Library - moment-2.24.0.tgz

Parse, validate, manipulate, and display dates

Library home page: https://registry.npmjs.org/moment/-/moment-2.24.0.tgz

Path to dependency file: /api-crud-adonisjs/package.json

Path to vulnerable library: /node_modules/moment/package.json

Dependency Hierarchy:

• lucid-6.1.3.tgz (Root Library)
  • ❌ moment-2.24.0.tgz (Vulnerable Library)

Found in base branch: master

Vulnerability Details

Moment.js is a JavaScript date library for parsing, validating, manipulating, and formatting dates. A path traversal vulnerability impacts npm (server) users of Moment.js between versions 1.0.1 and 2.29.1, especially if a user-provided locale string is directly used to switch moment locale. This problem is patched in 2.29.2, and the patch can be applied to all affected versions. As a workaround, sanitize the user-provided locale name before passing it to Moment.js.

Publish Date: 2022-04-04

URL: CVE-2022-24785

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: High
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: GHSA-8hfj-j24r-96c4

Release Date: 2022-04-04

Fix Resolution (moment): 2.29.2

Direct dependency fix Resolution (@adonisjs/lucid): 6.1.4

Vulnerable Library - useragent-2.3.0.tgz

Fastest, most accurate & effecient user agent string parser, uses Browserscope's research for parsing

Library home page: https://registry.npmjs.org/useragent/-/useragent-2.3.0.tgz

Path to dependency file: /api-crud-adonisjs/package.json

Path to vulnerable library: /node_modules/useragent/package.json

Dependency Hierarchy:

• framework-5.0.13.tgz (Root Library)
  • ❌ useragent-2.3.0.tgz (Vulnerable Library)

Found in base branch: master

Vulnerability Details

Regular Expression Denial of Service (ReDoS) vulnerability was found in useragent through 2.3.0.

Publish Date: 2018-02-27

URL: WS-2018-0650

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/WS-2018-0650

Release Date: 2018-02-27

Fix Resolution: NorDroN.AngularTemplate - 0.1.6;dotnetng.template - 1.0.0.4;JetBrains.Rider.Frontend5 - 213.0.20211008.154703-eap03;MIDIator.WebClient - 1.0.105

Vulnerable Library - jsonwebtoken-8.5.1.tgz

JSON Web Token implementation (symmetric and asymmetric)

Library home page: https://registry.npmjs.org/jsonwebtoken/-/jsonwebtoken-8.5.1.tgz

Path to dependency file: /api-crud-adonisjs/package.json

Path to vulnerable library: /node_modules/jsonwebtoken/package.json

Dependency Hierarchy:

• auth-3.0.7.tgz (Root Library)
  • ❌ jsonwebtoken-8.5.1.tgz (Vulnerable Library)

Vulnerability Details

node-jsonwebtoken is a JsonWebToken implementation for node.js. For versions <= 8.5.1 of jsonwebtoken library, if a malicious actor has the ability to modify the key retrieval parameter (referring to the secretOrPublicKey argument from the readme link of the jwt.verify() function, they can write arbitrary files on the host machine. Users are affected only if untrusted entities are allowed to modify the key retrieval parameter of the jwt.verify() on a host that you control. This issue has been fixed, please update to version 9.0.0.

Publish Date: 2022-12-21

URL: CVE-2022-23529

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-27h2-hvpr-p74q

Release Date: 2022-12-21

Fix Resolution: jsonwebtoken - 9.0.0

Vulnerable Library - jsonwebtoken-8.5.1.tgz

JSON Web Token implementation (symmetric and asymmetric)

Library home page: https://registry.npmjs.org/jsonwebtoken/-/jsonwebtoken-8.5.1.tgz

Path to dependency file: /api-crud-adonisjs/package.json

Path to vulnerable library: /node_modules/jsonwebtoken/package.json

Dependency Hierarchy:

• auth-3.0.7.tgz (Root Library)
  • ❌ jsonwebtoken-8.5.1.tgz (Vulnerable Library)

Found in base branch: master

Vulnerability Details

Versions <=8.5.1 of jsonwebtoken library could be misconfigured so that legacy, insecure key types are used for signature verification. For example, DSA keys could be used with the RS256 algorithm. You are affected if you are using an algorithm and a key type other than a combination listed in the GitHub Security Advisory as unaffected. This issue has been fixed, please update to version 9.0.0. This version validates for asymmetric key type and algorithm combinations. Please refer to the above mentioned algorithm / key type combinations for the valid secure configuration. After updating to version 9.0.0, if you still intend to continue with signing or verifying tokens using invalid key type/algorithm value combinations, you’ll need to set the allowInvalidAsymmetricKeyTypes option to true in the sign() and/or verify() functions.

Publish Date: 2022-12-23

URL: CVE-2022-23539

CVSS 3 Score Details (8.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: GHSA-8cf7-32gw-wr33

Release Date: 2022-12-23

Fix Resolution (jsonwebtoken): 9.0.0

Direct dependency fix Resolution (@adonisjs/auth): 4.0.0

Vulnerable Libraries - minimist-0.0.8.tgz, minimist-1.2.0.tgz

Found in base branch: master

Vulnerability Details

minimist before 1.2.2 could be tricked into adding or modifying properties of Object.prototype using a "constructor" or "proto" payload.

Publish Date: 2020-03-11

URL: CVE-2020-7598

CVSS 3 Score Details (5.6)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Release Date: 2020-03-11

Fix Resolution (minimist): 0.2.1

Direct dependency fix Resolution (@adonisjs/lucid): 6.1.4

Fix Resolution (minimist): 0.2.1

Direct dependency fix Resolution (@adonisjs/lucid): 6.1.4

Vulnerable Library - async-2.6.3.tgz

Higher-order functions and common patterns for asynchronous code

Library home page: https://registry.npmjs.org/async/-/async-2.6.3.tgz

Path to dependency file: /api-crud-adonisjs/package.json

Path to vulnerable library: /node_modules/async/package.json

Dependency Hierarchy:

• framework-5.0.13.tgz (Root Library)
  • winston-3.2.1.tgz
    • ❌ async-2.6.3.tgz (Vulnerable Library)

Found in base branch: master

Vulnerability Details

In Async before 2.6.4 and 3.x before 3.2.2, a malicious user can obtain privileges via the mapValues() method, aka lib/internal/iterator.js createObjectIterator prototype pollution.

Publish Date: 2022-04-06

URL: CVE-2021-43138

CVSS 3 Score Details (7.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Local
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2021-43138

Release Date: 2022-04-06

Fix Resolution: async - 2.6.4,3.2.2

Vulnerable Library - ini-1.3.5.tgz

An ini encoder/decoder for node

Library home page: https://registry.npmjs.org/ini/-/ini-1.3.5.tgz

Path to dependency file: /api-crud-adonisjs/package.json

Path to vulnerable library: /node_modules/ini/package.json

Dependency Hierarchy:

• lucid-6.1.3.tgz (Root Library)
  • knex-0.15.2.tgz
    • liftoff-2.5.0.tgz
      • findup-sync-2.0.0.tgz
        • resolve-dir-1.0.1.tgz
          • global-modules-1.0.0.tgz
            • global-prefix-1.0.2.tgz
              • ❌ ini-1.3.5.tgz (Vulnerable Library)

Found in base branch: master

Vulnerability Details

This affects the package ini before 1.3.6. If an attacker submits a malicious INI file to an application that parses it with ini.parse, they will pollute the prototype on the application. This can be exploited further depending on the context.

Publish Date: 2020-12-11

URL: CVE-2020-7788

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7788

Release Date: 2020-12-11

Fix Resolution (ini): 1.3.6

Direct dependency fix Resolution (@adonisjs/lucid): 6.1.4

Vulnerable Library - decode-uri-component-0.2.0.tgz

A better decodeURIComponent

Library home page: https://registry.npmjs.org/decode-uri-component/-/decode-uri-component-0.2.0.tgz

Path to dependency file: /api-crud-adonisjs/package.json

Path to vulnerable library: /node_modules/decode-uri-component/package.json

Dependency Hierarchy:

• lucid-6.1.3.tgz (Root Library)
  • knex-0.15.2.tgz
    • liftoff-2.5.0.tgz
      • findup-sync-2.0.0.tgz
        • micromatch-3.1.10.tgz
          • snapdragon-0.8.2.tgz
            • source-map-resolve-0.5.2.tgz
              • ❌ decode-uri-component-0.2.0.tgz (Vulnerable Library)

Found in base branch: master

Vulnerability Details

decode-uri-component 0.2.0 is vulnerable to Improper Input Validation resulting in DoS.

Publish Date: 2022-11-28

URL: CVE-2022-38900

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-w573-4hg7-7wgq

Release Date: 2022-11-28

Fix Resolution (decode-uri-component): 0.2.1

Direct dependency fix Resolution (@adonisjs/lucid): 6.1.4