Giter Site home page Giter Site logo

nodeserver's Introduction

halidcisse

My personal blog

nodeserver's People

Contributors

halidcisse avatar

Stargazers

avatar avatar

Watchers

avatar

nodeserver's Issues

WS-2017-0247 (Low) detected in ms-0.7.1.tgz

WS-2017-0247 - Low Severity Vulnerability

Vulnerable Library - ms-0.7.1.tgz

Tiny ms conversion utility

Library home page: https://registry.npmjs.org/ms/-/ms-0.7.1.tgz

Path to dependency file: /NodeServer/package.json

Path to vulnerable library: /tmp/git/NodeServer/node_modules/ms/package.json

Dependency Hierarchy:

  • express-4.13.3.tgz (Root Library)
    • debug-2.2.0.tgz
      • ms-0.7.1.tgz (Vulnerable Library)

Found in HEAD commit: fa133e03329a64397844c4874edcc1e40f443ebd

Vulnerability Details

Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS).

Publish Date: 2017-05-15

URL: WS-2017-0247

CVSS 2 Score Details (3.4)

Base Score Metrics not available

Suggested Fix

Type: Change files

Origin: vercel/ms@305f2dd

Release Date: 2017-04-12

Fix Resolution: Replace or update the following file: index.js

Step up your Open Source Security Game with WhiteSource here

CVE-2016-10539 (High) detected in negotiator-0.5.3.tgz

CVE-2016-10539 - High Severity Vulnerability

Vulnerable Library - negotiator-0.5.3.tgz

HTTP content negotiation

Library home page: https://registry.npmjs.org/negotiator/-/negotiator-0.5.3.tgz

Path to dependency file: /NodeServer/package.json

Path to vulnerable library: /tmp/git/NodeServer/node_modules/negotiator/package.json

Dependency Hierarchy:

  • express-4.13.3.tgz (Root Library)
    • accepts-1.2.13.tgz
      • negotiator-0.5.3.tgz (Vulnerable Library)

Found in HEAD commit: fa133e03329a64397844c4874edcc1e40f443ebd

Vulnerability Details

negotiator is an HTTP content negotiator for Node.js and is used by many modules and frameworks including Express and Koa. The header for "Accept-Language", when parsed by negotiator 0.6.0 and earlier is vulnerable to Regular Expression Denial of Service via a specially crafted string.

Publish Date: 2018-05-31

URL: CVE-2016-10539

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nodesecurity.io/advisories/106

Release Date: 2016-06-16

Fix Resolution: Upgrade to at least version 0.6.1

Express users should update to Express 4.14.0 or greater. If you want to see if you are using a vulnerable call, a quick grep for the acceptsLanguages function call in your application will tell you if you are using this functionality.

Step up your Open Source Security Game with WhiteSource here

WS-2017-0330 (Medium) detected in mime-1.3.4.tgz

WS-2017-0330 - Medium Severity Vulnerability

Vulnerable Library - mime-1.3.4.tgz

A comprehensive library for mime-type mapping

Library home page: https://registry.npmjs.org/mime/-/mime-1.3.4.tgz

Path to dependency file: /NodeServer/package.json

Path to vulnerable library: /tmp/git/NodeServer/node_modules/mime/package.json

Dependency Hierarchy:

  • express-4.13.3.tgz (Root Library)
    • send-0.13.0.tgz
      • mime-1.3.4.tgz (Vulnerable Library)

Found in HEAD commit: fa133e03329a64397844c4874edcc1e40f443ebd

Vulnerability Details

Affected version of mime (1.0.0 throw 1.4.0 and 2.0.0 throw 2.0.2), are vulnerable to regular expression denial of service.

Publish Date: 2017-09-27

URL: WS-2017-0330

CVSS 2 Score Details (5.0)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: broofa/mime@1df903f

Release Date: 2019-04-03

Fix Resolution: 1.4.1,2.0.3

Step up your Open Source Security Game with WhiteSource here

CVE-2017-16138 (High) detected in mime-1.3.4.tgz

CVE-2017-16138 - High Severity Vulnerability

Vulnerable Library - mime-1.3.4.tgz

A comprehensive library for mime-type mapping

Library home page: https://registry.npmjs.org/mime/-/mime-1.3.4.tgz

Path to dependency file: /NodeServer/package.json

Path to vulnerable library: /tmp/git/NodeServer/node_modules/mime/package.json

Dependency Hierarchy:

  • express-4.13.3.tgz (Root Library)
    • send-0.13.0.tgz
      • mime-1.3.4.tgz (Vulnerable Library)

Found in HEAD commit: fa133e03329a64397844c4874edcc1e40f443ebd

Vulnerability Details

The mime module < 1.4.1, 2.0.1, 2.0.2 is vulnerable to regular expression denial of service when a mime lookup is performed on untrusted user input.

Publish Date: 2018-06-07

URL: CVE-2017-16138

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Step up your Open Source Security Game with WhiteSource here

CVE-2017-16119 (High) detected in fresh-0.3.0.tgz

CVE-2017-16119 - High Severity Vulnerability

Vulnerable Library - fresh-0.3.0.tgz

HTTP response freshness testing

Library home page: https://registry.npmjs.org/fresh/-/fresh-0.3.0.tgz

Path to dependency file: /NodeServer/package.json

Path to vulnerable library: /tmp/git/NodeServer/node_modules/fresh/package.json

Dependency Hierarchy:

  • express-4.13.3.tgz (Root Library)
    • fresh-0.3.0.tgz (Vulnerable Library)

Found in HEAD commit: fa133e03329a64397844c4874edcc1e40f443ebd

Vulnerability Details

Fresh is a module used by the Express.js framework for HTTP response freshness testing. It is vulnerable to a regular expression denial of service when it is passed specially crafted input to parse. This causes the event loop to be blocked causing a denial of service condition.

Publish Date: 2018-06-07

URL: CVE-2017-16119

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Step up your Open Source Security Game with WhiteSource here

CVE-2017-16137 (Medium) detected in debug-2.2.0.tgz

CVE-2017-16137 - Medium Severity Vulnerability

Vulnerable Library - debug-2.2.0.tgz

small debugging utility

Library home page: https://registry.npmjs.org/debug/-/debug-2.2.0.tgz

Path to dependency file: /NodeServer/package.json

Path to vulnerable library: /tmp/git/NodeServer/node_modules/debug/package.json

Dependency Hierarchy:

  • express-4.13.3.tgz (Root Library)
    • debug-2.2.0.tgz (Vulnerable Library)

Found in HEAD commit: fa133e03329a64397844c4874edcc1e40f443ebd

Vulnerability Details

The debug module is vulnerable to regular expression denial of service when untrusted user input is passed into the o formatter. It takes around 50k characters to block for 2 seconds making this a low severity issue.

Publish Date: 2018-06-07

URL: CVE-2017-16137

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Change files

Origin: debug-js/debug@42a6ae0

Release Date: 2017-09-21

Fix Resolution: Replace or update the following file: node.js

Step up your Open Source Security Game with WhiteSource here

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. 📊📈🎉

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google ❤️ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.