demo-mcw-update-type's Issues
renovate-34.152.2.tgz: 3 vulnerabilities (highest severity is: 7.5)
Vulnerable Library - renovate-34.152.2.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/fast-xml-parser/package.json
Vulnerabilities
CVE | Severity | CVSS | Dependency | Type | Fixed in (renovate version) | Remediation Possible** |
---|---|---|---|---|---|---|
CVE-2023-34104 | High | 7.5 | fast-xml-parser-4.0.11.tgz | Transitive | 35.113.2 | ✅ |
CVE-2023-26920 | High | 7.5 | fast-xml-parser-4.0.11.tgz | Transitive | 34.154.6 | ✅ |
CVE-2023-41037 | Medium | 4.3 | openpgp-5.5.0.tgz | Transitive | 35.60.0 | ✅ |
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
CVE-2023-34104
Vulnerable Library - fast-xml-parser-4.0.11.tgz
Validate XML, Parse XML, Build XML without C/C++ based libraries
Library home page: https://registry.npmjs.org/fast-xml-parser/-/fast-xml-parser-4.0.11.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/fast-xml-parser/package.json
Dependency Hierarchy:
- renovate-34.152.2.tgz (Root Library)
  - client-ec2-3.256.0.tgz
    - ❌ fast-xml-parser-4.0.11.tgz (Vulnerable Library)
Found in base branch: main
Vulnerability Details
fast-xml-parser is an open source, pure JavaScript XML parser. fast-xml-parser allows special characters in entity names, which are not escaped or sanitized. Since the entity name is used for creating a regex for searching and replacing entities in the XML body, an attacker can abuse it for denial of service (DoS) attacks. By crafting an entity name that results in an intentionally bad performing regex and utilizing it in the entity replacement step of the parser, this can cause the parser to stall for an indefinite amount of time. This problem has been resolved in v4.2.4. Users are advised to upgrade. Users unable to upgrade should avoid using DOCTYPE parsing by setting the `processEntities: false` option.
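As an added example (not fast-xml-parser's own code), the sketch below isolates the entity-replacement step the advisory describes and shows it two ways: one that copies the raw entity name into a `RegExp`, and one that checks the name against the XML Name grammar and escapes regex metacharacters before building the pattern. The DOCTYPE syntax it accepts is a deliberately narrow subset, and the sample declarations are constructed for this example.

```javascript
// Added example, not fast-xml-parser code: a minimal internal-DOCTYPE
// entity expander showing the CVE-2023-34104 bug class (an entity name
// copied verbatim into a RegExp) next to the hardened form.

// Escape every RegExp metacharacter so the name is matched literally.
function escapeRegExp(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
}

// XML Name production, ASCII subset: first char Letter | '_' | ':',
// then Letter | Digit | '.' | '-' | '_' | ':'. Anything else is rejected.
const XML_NAME = /^[A-Za-z_:][A-Za-z0-9_:.\-]*$/;

// Collect <!ENTITY name "value"> (or 'value') declarations from an
// internal subset. The name capture is loose on purpose: the check
// belongs at the point where the name is turned into a pattern.
function parseInternalEntities(doctype) {
  const entities = new Map();
  const decl = /<!ENTITY\s+([^\s"']+)\s+(?:"([^"]*)"|'([^']*)')\s*>/g;
  let m;
  while ((m = decl.exec(doctype)) !== null) {
    entities.set(m[1], m[2] ?? m[3]);
  }
  return entities;
}

// Vulnerable: the name becomes regex syntax. "a.b" matches "&axb;",
// and a name such as "(a+)+$" yields a pattern with catastrophic
// backtracking that stalls the parser on a crafted body.
function entityRegexUnsafe(name) {
  return new RegExp("&" + name + ";", "g");
}

// Hardened: reject names outside the grammar, then escape anyway.
function entityRegexSafe(name) {
  if (!XML_NAME.test(name)) {
    throw new Error("invalid entity name: " + JSON.stringify(name));
  }
  return new RegExp("&" + escapeRegExp(name) + ";", "g");
}

// Replace each declared entity in the body. The replacer is a function
// so "$" sequences in the entity value are inserted literally.
function expandEntities(body, entities, regexFor = entityRegexSafe) {
  let out = body;
  for (const [name, value] of entities) {
    out = out.replace(regexFor(name), () => value);
  }
  return out;
}

// Constructed sample input for this example.
const SAMPLE_DOCTYPE = `<!DOCTYPE x [<!ENTITY foo "bar"> <!ENTITY co 'Acme'>]>`;
```

Calling `expandEntities("<x>&foo; &co;</x>", parseInternalEntities(SAMPLE_DOCTYPE))` yields `<x>bar Acme</x>` with either regex builder; the difference only shows on hostile names, where `entityRegexSafe` throws instead of compiling attacker-controlled regex syntax.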
Publish Date: 2023-06-06
URL: CVE-2023-34104
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-6w63-h3fj-q4vw
Release Date: 2023-06-06
Fix Resolution (fast-xml-parser): 4.2.4
Direct dependency fix Resolution (renovate): 35.113.2
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2023-26920
Vulnerable Library - fast-xml-parser-4.0.11.tgz
Validate XML, Parse XML, Build XML without C/C++ based libraries
Library home page: https://registry.npmjs.org/fast-xml-parser/-/fast-xml-parser-4.0.11.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/fast-xml-parser/package.json
Dependency Hierarchy:
- renovate-34.152.2.tgz (Root Library)
  - client-ec2-3.256.0.tgz
    - ❌ fast-xml-parser-4.0.11.tgz (Vulnerable Library)
Found in base branch: main
Vulnerability Details
fast-xml-parser prior to 4.1.2 is vulnerable to Prototype Pollution through tag or attribute name.
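As an added example (not fast-xml-parser's code), the block below isolates the step where a tag-name path taken from the document is written into the result object. It shows the pollutable "get or create the child" pattern beside a form that uses null-prototype containers and refuses prototype-related keys. The tokenizer is a toy that handles nested tags and text only (no attributes, comments or self-closing tags), and the XML documents are constructed for the example.

```javascript
// Added example, not fast-xml-parser code: the object-building step of an
// XML-to-object converter, vulnerable and hardened. Tag names come from
// the untrusted document, so "__proto__" must never be used as an
// ordinary property key on a plain object (CVE-2023-26920 class).

const FORBIDDEN_KEYS = new Set(["__proto__", "constructor", "prototype"]);

// Toy tokenizer: nested tags and text only (no attributes, comments or
// self-closing tags). Returns [tagPath, text] pairs, one per text node.
function tagPaths(xml) {
  const out = [];
  const stack = [];
  const tok = /<\/([^\s>]+)\s*>|<([^\s>\/]+)[^>]*>|([^<]+)/g;
  let m;
  while ((m = tok.exec(xml)) !== null) {
    if (m[1] !== undefined) stack.pop();
    else if (m[2] !== undefined) stack.push(m[2]);
    else if (m[3].trim() !== "") out.push([stack.slice(), m[3].trim()]);
  }
  return out;
}

// Vulnerable "get or create the child" walk. For the path
// ["root", "__proto__", "polluted"], root["__proto__"] is already
// defined (it is Object.prototype), so the final assignment lands on
// every plain object in the process.
function setPathUnsafe(root, path, value) {
  let cur = root;
  for (const key of path.slice(0, -1)) {
    if (cur[key] === undefined) cur[key] = {};
    cur = cur[key];
  }
  cur[path[path.length - 1]] = value;
  return root;
}

// Hardened walk: refuse prototype-related keys up front (this example's
// policy), store children in null-prototype objects, and only descend
// into own properties.
function setPathSafe(root, path, value) {
  for (const key of path) {
    if (FORBIDDEN_KEYS.has(key)) throw new Error("refusing key: " + key);
  }
  let cur = root;
  for (const key of path.slice(0, -1)) {
    if (!Object.prototype.hasOwnProperty.call(cur, key)) cur[key] = Object.create(null);
    cur = cur[key];
  }
  cur[path[path.length - 1]] = value;
  return root;
}

function xmlToObject(xml, { safe = true } = {}) {
  const root = safe ? Object.create(null) : {};
  const setPath = safe ? setPathSafe : setPathUnsafe;
  for (const [path, text] of tagPaths(xml)) setPath(root, path, text);
  return root;
}

// Constructed sample documents.
const POISONED_XML =
  "<root><__proto__><polluted>yes</polluted></__proto__><name>ok</name></root>";
const CLEAN_XML = "<root><a>1</a><b><c>2</c></b></root>";
```

After `xmlToObject(POISONED_XML, { safe: false })`, every object in the process reports `polluted === "yes"`; the hardened default throws on the same document and leaves `Object.prototype` untouched, while still converting `CLEAN_XML` to `{ root: { a: "1", b: { c: "2" } } }`.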
Publish Date: 2023-02-27
URL: CVE-2023-26920
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-x3cc-x39p-42qx
Release Date: 2023-02-27
Fix Resolution (fast-xml-parser): 4.1.2
Direct dependency fix Resolution (renovate): 34.154.6
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2023-41037
Vulnerable Library - openpgp-5.5.0.tgz
OpenPGP.js is a Javascript implementation of the OpenPGP protocol. This is defined in RFC 4880.
Library home page: https://registry.npmjs.org/openpgp/-/openpgp-5.5.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/openpgp/package.json
Dependency Hierarchy:
- renovate-34.152.2.tgz (Root Library)
- ❌ openpgp-5.5.0.tgz (Vulnerable Library)
Found in base branch: main
Vulnerability Details
OpenPGP.js is a JavaScript implementation of the OpenPGP protocol. OpenPGP Cleartext Signed Messages are cryptographically signed messages where the signed text is readable without special tools. These messages typically contain a "Hash: ..." header declaring the hash algorithm used to compute the signature digest. OpenPGP.js up to v5.9.0 ignored any data preceding the "Hash: ..." texts when verifying the signature. As a result, malicious parties could add arbitrary text to a third-party Cleartext Signed Message to lead the victim to believe that the arbitrary text was signed. A user or application is vulnerable to this attack if it verifies the CleartextMessage by only checking the returned `verified` property, discarding the associated `data` information, and instead visually trusting the contents of the original message. Since `verificationResult.data` always contains the actual signed data, users and apps that check this information are not vulnerable. Similarly, given a CleartextMessage object, retrieving the data using `getText()` or the `text` field returns only the contents that are considered when verifying the signature. Finally, re-armoring a CleartextMessage object (using `armor()`) also results in a "sanitised" version, with the extraneous text removed. This issue has been addressed in version 5.10.1 (current stable version), which rejects such messages when calling `openpgp.readCleartextMessage()`, and in version 4.10.11 (legacy version), which rejects them when calling `openpgp.cleartext.readArmored()`. Users are advised to upgrade. Users unable to upgrade should check the contents of `verificationResult.data` to see what data was actually signed, rather than visually trusting the contents of the armored message.
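An added example of the parsing discipline the advisory calls for (this is not OpenPGP.js code and performs no signature verification): a splitter for cleartext-signed armor that accepts only `Hash:` armor headers, directly after the BEGIN line, so text smuggled in ahead of the header is rejected instead of silently dropped. The signature block in the sample messages is a constructed placeholder, not a real signature. The `text` this function returns is the only content that should be shown to a user, and in a real verification it must equal what the library reports in `verificationResult.data`.

```javascript
// Added example, not OpenPGP.js code: strict splitting of an OpenPGP
// cleartext-signed message (RFC 4880 section 7) so that nothing outside
// the signed text can be mistaken for it (CVE-2023-41037 class).

const BEGIN_MSG = "-----BEGIN PGP SIGNED MESSAGE-----";
const BEGIN_SIG = "-----BEGIN PGP SIGNATURE-----";
const END_SIG = "-----END PGP SIGNATURE-----";

// RFC 4880 allows only "Hash" armor headers in a cleartext signed
// message; the value is a comma-separated list of digest names.
const HASH_NAMES = new Set([
  "MD5", "SHA1", "RIPEMD160", "SHA224", "SHA256", "SHA384", "SHA512",
]);

function parseHashHeader(line) {
  const m = /^Hash: ([A-Za-z0-9]+(?:,[A-Za-z0-9]+)*)$/.exec(line);
  if (!m) throw new Error("unexpected data in armor headers: " + JSON.stringify(line));
  const names = m[1].split(",");
  for (const n of names) {
    if (!HASH_NAMES.has(n)) throw new Error("unknown hash algorithm: " + n);
  }
  return names;
}

function splitCleartextArmor(armored) {
  const lines = armored.replace(/\r\n/g, "\n").split("\n");
  let i = lines.indexOf(BEGIN_MSG);
  if (i < 0) throw new Error("not a cleartext signed message");
  if (lines.slice(0, i).some((l) => l.trim() !== "")) {
    throw new Error("data before BEGIN line");
  }
  i += 1;
  // Headers run from the line after BEGIN up to the first empty line.
  // Every one of them must be a well-formed Hash header.
  const hashes = [];
  while (i < lines.length && lines[i] !== "") {
    hashes.push(...parseHashHeader(lines[i]));
    i += 1;
  }
  if (i >= lines.length) throw new Error("truncated armor");
  i += 1; // the mandatory empty line
  const sigStart = lines.indexOf(BEGIN_SIG, i);
  if (sigStart < 0) throw new Error("missing signature block");
  const sigEnd = lines.indexOf(END_SIG, sigStart);
  if (sigEnd < 0) throw new Error("unterminated signature block");
  // Dash-escaping: a signed line that began with "-" was prefixed "- ".
  const text = lines
    .slice(i, sigStart)
    .map((l) => (l.startsWith("- ") ? l.slice(2) : l))
    .join("\n");
  const signature = lines.slice(sigStart, sigEnd + 1).join("\n");
  return { hashes, text, signature };
}

// Constructed samples; the signature body is a placeholder, not a real
// signature, so these must not be handed to a verifier as-is.
const SIG_BLOCK = [BEGIN_SIG, "", "iQEzBAEBCAAdFiEE...placeholder...", "=AbCd", END_SIG];

const GOOD_MESSAGE = [
  BEGIN_MSG, "Hash: SHA256", "", "Pay 10 EUR", "- -- signed, Alice", ...SIG_BLOCK,
].join("\n");

// Same message with a line smuggled in ahead of the Hash header.
const TAMPERED_MESSAGE = [
  BEGIN_MSG, "Pay 1000 EUR", "Hash: SHA256", "", "Pay 10 EUR", "- -- signed, Alice", ...SIG_BLOCK,
].join("\n");
```

`splitCleartextArmor(GOOD_MESSAGE).text` is `"Pay 10 EUR\n-- signed, Alice"` (dash-escaping undone), while `splitCleartextArmor(TAMPERED_MESSAGE)` throws at the smuggled line rather than returning a message whose displayed body differs from its signed body.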
Publish Date: 2023-08-29
URL: CVE-2023-41037
CVSS 3 Score Details (4.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: Low
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: GHSA-ch3c-v47x-4pgp
Release Date: 2023-08-29
Fix Resolution (openpgp): 5.10.1
Direct dependency fix Resolution (renovate): 35.60.0
⛑️ Automatic Remediation will be attempted for this issue.
Dependency Dashboard
This issue lists Renovate updates and detected dependencies. Read the Dependency Dashboard docs to learn more.
Open
These updates have all been created already. Click a checkbox below to force a retry/rebase of any.
- [ ] Update minor and patch - high confidence (@jest/globals, @types/eslint, @types/jest, @types/node, @typescript-eslint/eslint-plugin, @typescript-eslint/parser, eslint, eslint-config-prettier, eslint-formatter-gha, eslint-import-resolver-typescript, eslint-plugin-import, eslint-plugin-jest, eslint-plugin-promise, husky, jest, jest-extended, jest-mock-extended, prettier, ts-jest, typescript)
- [ ] Update minor and patch - low/neutral confidence (@jest/reporters, @jest/test-result, @types/shelljs, expect-more-jest)
- [ ] Update major - high confidence (major) (@ls-lint/ls-lint, eslint-config-prettier, jest-junit)
- [ ] Update major - low/neutral confidence (major) (@types/node, @typescript-eslint/eslint-plugin, @typescript-eslint/parser, jest-extended, prettier, renovate, typescript)
- [ ] Click on this checkbox to rebase all open PRs at once
Detected dependencies
npm
package.json
renovate 34.152.2
@jest/globals 29.3.1
@jest/reporters 29.3.1
@jest/test-result 29.3.1
@ls-lint/ls-lint 1.11.2
@renovate/eslint-plugin v0.0.5
@types/eslint 8.21.0
@types/jest 29.2.4
@types/node 16.18.12
@types/shelljs 0.8.11
@typescript-eslint/eslint-plugin 5.51.0
@typescript-eslint/parser 5.51.0
cross-env 7.0.3
eslint 8.33.0
eslint-config-prettier 8.5.0
eslint-formatter-gha 1.4.1
eslint-import-resolver-typescript 3.5.1
eslint-plugin-import 2.26.0
eslint-plugin-jest 27.1.6
eslint-plugin-jest-formatting 3.1.0
eslint-plugin-promise 6.0.1
eslint-plugin-typescript-enum 2.1.0
expect-more-jest 5.4.1
husky 8.0.2
jest 29.3.1
jest-extended 3.2.0
jest-junit 15.0.0
jest-mock-extended 3.0.1
npm-run-all 4.1.5
prettier 2.7.1
pretty-quick ^3.1.3
shelljs 0.8.5
ts-jest 29.0.3
ts-node 10.9.1
tsconfig-paths ^4.1.1
typescript 4.8.4