osgirl / asos Goto Github PK

Vulnerable Library - braces-1.8.5.tgz

Fastest brace expansion for node.js, with the most complete support for the Bash 4.3 braces specification.

path: /tmp/git/ASOS/node_modules/braces/package.json

Library home page: https://registry.npmjs.org/braces/-/braces-1.8.5.tgz

Dependency Hierarchy:

• jest-expo-31.0.0.tgz (Root Library)
  • jest-23.6.0.tgz
    • jest-cli-23.6.0.tgz
      • micromatch-2.3.11.tgz
        • ❌ braces-1.8.5.tgz (Vulnerable Library)

Vulnerability Details

Version of braces prior to 2.3.1 are vulnerable to Regular Expression Denial of Service (ReDoS). Untrusted input may cause catastrophic backtracking while matching regular expressions. This can cause the application to be unresponsive leading to Denial of Service.

Publish Date: 2019-02-21

URL: WS-2019-0019

CVSS 2 Score Details (5.0)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/786

Release Date: 2019-02-21

Fix Resolution: 2.3.1

Vulnerable Library - ws-1.1.5.tgz

Simple to use, blazing fast and thoroughly tested websocket client and server for Node.js

path: /tmp/git/ASOS/node_modules/ws/package.json

Library home page: https://registry.npmjs.org/ws/-/ws-1.1.5.tgz

Dependency Hierarchy:

• react-native-0.57.1.tgz (Root Library)
  • ❌ ws-1.1.5.tgz (Vulnerable Library)

Vulnerability Details

Affected version of ws (0.2.6--3.3.0) are vulnerable to A specially crafted value of the Sec-WebSocket-Extensions header that used Object.prototype property names as extension or parameter names could be used to make a ws server crash.

Publish Date: 2017-11-08

URL: WS-2017-0421

CVSS 2 Score Details (7.5)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/550/versions

Release Date: 2019-01-24

Fix Resolution: 3.3.1

Vulnerable Library - expoios/1.19.1

The Expo platform for making cross-platform mobile apps

Library home page: https://github.com/expo/expo.git

Library Source Files (7)

* The source files were matched to this source library based on a best effort match. Source libraries are selected from a list of probable public libraries.

• /ASOS/node_modules/react-native-svg/ios/Elements/RNSVGSymbol.h
• /ASOS/node_modules/react-native-branch/ios/RNBranchAgingDictionary.m
• /ASOS/node_modules/react-native-branch/ios/NSObject+RNBranch.m
• /ASOS/node_modules/react-native-svg/ios/ViewManagers/RNSVGSymbolManager.m
• /ASOS/node_modules/react-native-branch/ios/BranchLinkProperties+RNBranch.m
• /ASOS/node_modules/expo-gl-cpp/cpp/stb_image.h
• /ASOS/node_modules/react-native-branch/ios/RNBranchProperty.m

Vulnerability Details

There is a heap-based buffer over-read at stb_image.h (function: stbi__tga_load) in libsixel 1.8.2 that will cause a denial of service.

Publish Date: 2018-11-30

URL: CVE-2018-19756

CVSS 3 Score Details (5.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Local
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High