product-os / jellyfish-action-library Goto Github PK

Vulnerable Library - minimist-0.0.10.tgz

parse argument options

Library home page: https://registry.npmjs.org/minimist/-/minimist-0.0.10.tgz

Dependency Hierarchy:

• lint-5.4.2.tgz (Root Library)
  • coffeelint-1.16.2.tgz
    • optimist-0.6.1.tgz
      • ❌ minimist-0.0.10.tgz (Vulnerable Library)

Found in HEAD commit: 33e782a5528260d6da2529fbaac8bc5bb429d0f6

Found in base branch: master

Vulnerability Details

minimist before 1.2.2 could be tricked into adding or modifying properties of Object.prototype using a "constructor" or "proto" payload.

Publish Date: 2020-03-11

URL: CVE-2020-7598

CVSS 3 Score Details (5.6)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: https://github.com/substack/minimist/commit/63e7ed05aa4b1889ec2f3b196426db4500cbda94

Release Date: 2020-03-11

Fix Resolution: minimist - 0.2.1,1.2.3

Vulnerable Library - redis-3.1.0.tgz

A high performance Redis client.

Library home page: https://registry.npmjs.org/redis/-/redis-3.1.0.tgz

Dependency Hierarchy:

• @balena/jellyfish-core-2.12.51.tgz (Root Library)
  • ❌ redis-3.1.0.tgz (Vulnerable Library)

Found in base branch: master

Vulnerability Details

Node-redis is a Node.js Redis client. Before version 3.1.1, when a client is in monitoring mode, the regex begin used to detected monitor messages could cause exponential backtracking on some strings. This issue could lead to a denial of service. The issue is patched in version 3.1.1.

Publish Date: 2021-04-23

URL: CVE-2021-29469

CVSS 3 Score Details (5.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-35q2-47q7-3pc3

Release Date: 2021-04-23

Fix Resolution: redis - 3.1.1

Vulnerable Library - lodash-4.17.20.tgz

Lodash modular utilities.

Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.20.tgz

Dependency Hierarchy:

• ❌ lodash-4.17.20.tgz (Vulnerable Library)

Found in HEAD commit: 0ce26dddff1e9a4acbc935faa89ee844717e2c83

Found in base branch: master

Vulnerability Details

All versions of package lodash; all versions of package org.fujion.webjars:lodash are vulnerable to Regular Expression Denial of Service (ReDoS) via the toNumber, trim and trimEnd functions. Steps to reproduce (provided by reporter Liyuan Chen): var lo = require('lodash'); function build_blank (n) { var ret = "1" for (var i = 0; i < n; i++) { ret += " " } return ret + "1"; } var s = build_blank(50000) var time0 = Date.now(); lo.trim(s) var time_cost0 = Date.now() - time0; console.log("time_cost0: " + time_cost0) var time1 = Date.now(); lo.toNumber(s) var time_cost1 = Date.now() - time1; console.log("time_cost1: " + time_cost1) var time2 = Date.now(); lo.trimEnd(s) var time_cost2 = Date.now() - time2; console.log("time_cost2: " + time_cost2)

Publish Date: 2021-02-15

URL: CVE-2020-28500

CVSS 3 Score Details (5.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: Low

Vulnerable Library - glob-parent-5.1.1.tgz

Extract the non-magic parent path from a glob string.

Library home page: https://registry.npmjs.org/glob-parent/-/glob-parent-5.1.1.tgz

Dependency Hierarchy:

• @balena/jellyfish-queue-1.0.169.tgz (Root Library)
  • graphile-worker-0.11.3.tgz
    • chokidar-3.4.3.tgz
      • ❌ glob-parent-5.1.1.tgz (Vulnerable Library)

Found in HEAD commit: 9a6e249d0d9bdcf7c72028b1fdf371eb3329cbeb

Found in base branch: master

Vulnerability Details

Regular Expression Denial of Service (ReDoS) vulnerability was found in glob-parent before 5.1.2.

Publish Date: 2021-01-27

URL: WS-2021-0154

CVSS 3 Score Details (5.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: https://github.com/gulpjs/glob-parent/releases/tag/v5.1.2

Release Date: 2021-01-27

Fix Resolution: glob-parent - 5.1.2

Vulnerable Library - postcss-8.2.10.tgz

Tool for transforming styles with JS plugins

Library home page: https://registry.npmjs.org/postcss/-/postcss-8.2.10.tgz

Dependency Hierarchy:

• depcheck-1.4.0.tgz (Root Library)
  • compiler-sfc-3.0.11.tgz
    • ❌ postcss-8.2.10.tgz (Vulnerable Library)

Found in HEAD commit: 33e782a5528260d6da2529fbaac8bc5bb429d0f6

Found in base branch: master

Vulnerability Details

The package postcss before 8.2.13 are vulnerable to Regular Expression Denial of Service (ReDoS) via getAnnotationURL() and loadAnnotation() in lib/previous-map.js. The vulnerable regexes are caused mainly by the sub-pattern /*\s* sourceMappingURL=(.*).

Publish Date: 2021-04-26

URL: CVE-2021-23382

CVSS 3 Score Details (5.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23382

Release Date: 2021-04-26

Fix Resolution: postcss - 8.2.13

Vulnerable Library - ws-7.4.4.tgz

Simple to use, blazing fast and thoroughly tested websocket client and server for Node.js

Library home page: https://registry.npmjs.org/ws/-/ws-7.4.4.tgz

Dependency Hierarchy:

• @balena/jellyfish-plugin-default-12.0.11.tgz (Root Library)
  • @balena/jellyfish-client-sdk-4.4.25.tgz
    • socket.io-client-2.4.0.tgz
      • engine.io-client-3.5.2.tgz
        • ❌ ws-7.4.4.tgz (Vulnerable Library)

Found in HEAD commit: c7b2973ebc958c354dc949c96b27375b0c7f5775

Found in base branch: master

Vulnerability Details

ws is an open source WebSocket client and server library for Node.js. A specially crafted value of the Sec-Websocket-Protocol header can be used to significantly slow down a ws server. The vulnerability has been fixed in [email protected] (websockets/ws@00c425e). In vulnerable versions of ws, the issue can be mitigated by reducing the maximum allowed length of the request headers using the --max-http-header-size=size and/or the maxHeaderSize options.

Publish Date: 2021-05-25

URL: CVE-2021-32640

CVSS 3 Score Details (5.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: GHSA-6fc8-4gx4-v693

Release Date: 2021-05-25

Fix Resolution: ws - 7.4.6

Vulnerable Library - lodash-4.17.11.tgz

Lodash modular utilities.

Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.11.tgz

Dependency Hierarchy:

• @balena/jellyfish-plugin-base-1.1.0.tgz (Root Library)
  • @balena/jellyfish-logger-0.0.217.tgz
    • le_node-1.8.0.tgz
      • ❌ lodash-4.17.11.tgz (Vulnerable Library)

Found in HEAD commit: c64fd6878c6954771e46a21ad3f537f26dfbfec5

Found in base branch: master

Vulnerability Details

Prototype pollution attack when using _.zipObjectDeep in lodash before 4.17.20.

Publish Date: 2020-07-15

URL: CVE-2020-8203

CVSS 3 Score Details (7.4)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/1523

Release Date: 2020-07-23

Fix Resolution: lodash - 4.17.19

Vulnerable Library - path-parse-1.0.6.tgz

Node.js path.parse() ponyfill

Library home page: https://registry.npmjs.org/path-parse/-/path-parse-1.0.6.tgz

Dependency Hierarchy:

• depcheck-1.4.1.tgz (Root Library)
  • resolve-1.20.0.tgz
    • ❌ path-parse-1.0.6.tgz (Vulnerable Library)

Found in HEAD commit: 33e782a5528260d6da2529fbaac8bc5bb429d0f6

Found in base branch: master

Vulnerability Details

All versions of package path-parse are vulnerable to Regular Expression Denial of Service (ReDoS) via splitDeviceRe, splitTailRe, and splitPathRe regular expressions. ReDoS exhibits polynomial worst-case time complexity.

Publish Date: 2021-05-04

URL: CVE-2021-23343

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: jbgutierrez/path-parse#8

Release Date: 2021-05-04

Fix Resolution: path-parse - 1.0.7

Vulnerable Library - lodash-4.17.11.tgz

Lodash modular utilities.

Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.11.tgz

Dependency Hierarchy:

• @balena/jellyfish-plugin-base-1.1.0.tgz (Root Library)
  • @balena/jellyfish-logger-0.0.217.tgz
    • le_node-1.8.0.tgz
      • ❌ lodash-4.17.11.tgz (Vulnerable Library)

Found in HEAD commit: c64fd6878c6954771e46a21ad3f537f26dfbfec5

Found in base branch: master

Vulnerability Details

Versions of lodash lower than 4.17.12 are vulnerable to Prototype Pollution. The function defaultsDeep could be tricked into adding or modifying properties of Object.prototype using a constructor payload.

Publish Date: 2019-07-26

URL: CVE-2019-10744

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-jf85-cpcp-j695

Release Date: 2019-07-08

Fix Resolution: lodash-4.17.12, lodash-amd-4.17.12, lodash-es-4.17.12, lodash.defaultsdeep-4.6.1, lodash.merge- 4.6.2, lodash.mergewith-4.6.2, lodash.template-4.5.0

Vulnerable Library - underscore-1.10.2.tgz

JavaScript's functional programming helper library.

Library home page: https://registry.npmjs.org/underscore/-/underscore-1.10.2.tgz

Dependency Hierarchy:

• typed-errors-1.1.0.tgz (Root Library)
  • ❌ underscore-1.10.2.tgz (Vulnerable Library)

Found in base branch: master

Vulnerability Details

The package underscore from 1.13.0-0 and before 1.13.0-2, from 1.3.2 and before 1.12.1 are vulnerable to Arbitrary Code Injection via the template function, particularly when a variable property is passed as an argument as it is not sanitized.

Publish Date: 2021-03-29

URL: CVE-2021-23358

CVSS 3 Score Details (7.2)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: High
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23358

Release Date: 2021-03-29

Fix Resolution: underscore - 1.12.1,1.13.0-2

Vulnerable Library - marked-0.8.2.tgz

A markdown parser built for speed

Library home page: https://registry.npmjs.org/marked/-/marked-0.8.2.tgz

Dependency Hierarchy:

• jsdoc-to-markdown-7.0.1.tgz (Root Library)
  • jsdoc-api-7.0.0.tgz
    • jsdoc-3.6.6.tgz
      • ❌ marked-0.8.2.tgz (Vulnerable Library)

Found in HEAD commit: c64fd6878c6954771e46a21ad3f537f26dfbfec5

Found in base branch: master

Vulnerability Details

marked before 1.1.1 is vulnerable to Regular Expression Denial of Service (REDoS). rules.js have multiple unused capture groups which can lead to a Denial of Service.

Publish Date: 2020-07-02

URL: WS-2020-0163

CVSS 3 Score Details (5.9)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://github.com/markedjs/marked/releases/tag/v1.1.1

Release Date: 2020-07-02

Fix Resolution: marked - 1.1.1

Vulnerable Library - hosted-git-info-2.8.8.tgz

Provides metadata and conversions from repository urls for Github, Bitbucket and Gitlab

Library home page: https://registry.npmjs.org/hosted-git-info/-/hosted-git-info-2.8.8.tgz

Dependency Hierarchy:

• jest-26.6.3.tgz (Root Library)
  • core-26.6.3.tgz
    • jest-resolve-26.6.2.tgz
      • read-pkg-up-7.0.1.tgz
        • read-pkg-5.2.0.tgz
          • normalize-package-data-2.5.0.tgz
            • ❌ hosted-git-info-2.8.8.tgz (Vulnerable Library)

Found in HEAD commit: e55d78ea8e1ce11448292cff8f347f089b5ea58b

Found in base branch: master

Vulnerability Details

The package hosted-git-info before 3.0.8 are vulnerable to Regular Expression Denial of Service (ReDoS) via regular expression shortcutMatch in the fromUrl function in index.js. The affected regular expression exhibits polynomial worst-case time complexity.

Publish Date: 2021-03-23

URL: CVE-2021-23362

CVSS 3 Score Details (5.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: GHSA-43f8-2h32-f4cj

Release Date: 2021-03-23

Fix Resolution: hosted-git-info - 2.8.9,3.0.8

Vulnerable Library - lodash-4.17.20.tgz

Lodash modular utilities.

Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.20.tgz

Dependency Hierarchy:

• ❌ lodash-4.17.20.tgz (Vulnerable Library)

Found in HEAD commit: 0ce26dddff1e9a4acbc935faa89ee844717e2c83

Found in base branch: master

Vulnerability Details

All versions of package lodash; all versions of package org.fujion.webjars:lodash are vulnerable to Command Injection via template.

Publish Date: 2021-02-15

URL: CVE-2021-23337

CVSS 3 Score Details (7.2)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: High
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Vulnerable Library - glob-parent-5.1.1.tgz

Extract the non-magic parent path from a glob string.

Library home page: https://registry.npmjs.org/glob-parent/-/glob-parent-5.1.1.tgz

Dependency Hierarchy:

• @balena/jellyfish-queue-1.0.169.tgz (Root Library)
  • graphile-worker-0.11.3.tgz
    • chokidar-3.4.3.tgz
      • ❌ glob-parent-5.1.1.tgz (Vulnerable Library)

Found in HEAD commit: dd8603fedb1d40a9f57f32071ff290401d30809f

Found in base branch: master

Vulnerability Details

This affects the package glob-parent before 5.1.2. The enclosure regex used to check for strings ending in enclosure containing path separator.

Publish Date: 2021-06-03

URL: CVE-2020-28469

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28469

Release Date: 2021-06-03

Fix Resolution: glob-parent - 5.1.2

Vulnerable Library - ini-1.3.5.tgz

An ini encoder/decoder for node

Library home page: https://registry.npmjs.org/ini/-/ini-1.3.5.tgz

Dependency Hierarchy:

• ava-3.15.0.tgz (Root Library)
  • update-notifier-5.0.1.tgz
    • latest-version-5.1.0.tgz
      • package-json-6.5.0.tgz
        • registry-auth-token-4.2.1.tgz
          • rc-1.2.8.tgz
            • ❌ ini-1.3.5.tgz (Vulnerable Library)

Found in HEAD commit: c64fd6878c6954771e46a21ad3f537f26dfbfec5

Found in base branch: master

Vulnerability Details

This affects the package ini before 1.3.6. If an attacker submits a malicious INI file to an application that parses it with ini.parse, they will pollute the prototype on the application. This can be exploited further depending on the context.

Publish Date: 2020-12-11

URL: CVE-2020-7788

CVSS 3 Score Details (7.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7788

Release Date: 2020-12-11

Fix Resolution: v1.3.6

Vulnerable Library - xmlhttprequest-ssl-1.5.5.tgz

XMLHttpRequest for Node

Library home page: https://registry.npmjs.org/xmlhttprequest-ssl/-/xmlhttprequest-ssl-1.5.5.tgz

Dependency Hierarchy:

• @balena/jellyfish-plugin-default-9.2.15.tgz (Root Library)
  • @balena/jellyfish-client-sdk-2.19.1.tgz
    • socket.io-client-2.4.0.tgz
      • engine.io-client-3.5.1.tgz
        • ❌ xmlhttprequest-ssl-1.5.5.tgz (Vulnerable Library)

Found in HEAD commit: 33e782a5528260d6da2529fbaac8bc5bb429d0f6

Found in base branch: master

Vulnerability Details

The xmlhttprequest-ssl package before 1.6.1 for Node.js disables SSL certificate validation by default, because rejectUnauthorized (when the property exists but is undefined) is considered to be false within the https.request function of Node.js. In other words, no certificate is ever rejected.

Publish Date: 2021-04-23

URL: CVE-2021-31597

CVSS 3 Score Details (7.4)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-31597

Release Date: 2021-04-23

Fix Resolution: xmlhttprequest-ssl - 1.6.1

Vulnerable Library - marked-1.2.9.tgz

A markdown parser built for speed

Library home page: https://registry.npmjs.org/marked/-/marked-1.2.9.tgz

Dependency Hierarchy:

• @balena/jellyfish-plugin-default-14.0.22.tgz (Root Library)
  • ❌ marked-1.2.9.tgz (Vulnerable Library)

Found in HEAD commit: 9e11e937bf348c6d8a4a3f6dfb573113995fb93f

Found in base branch: master

Vulnerability Details

Marked is an open-source markdown parser and compiler (npm package "marked"). In marked from version 1.1.1 and before version 2.0.0, there is a Regular expression Denial of Service vulnerability. This vulnerability can affect anyone who runs user generated code through marked. This vulnerability is fixed in version 2.0.0.

Publish Date: 2021-02-08

URL: CVE-2021-21306

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-4r62-v4vq-hr96

Release Date: 2021-02-08

Fix Resolution: v2.0.0

Vulnerable Library - browserslist-4.16.4.tgz

Share target browsers between different front-end tools, like Autoprefixer, Stylelint and babel-env-preset

Library home page: https://registry.npmjs.org/browserslist/-/browserslist-4.16.4.tgz

Dependency Hierarchy:

• @balena/jellyfish-queue-1.0.132.tgz (Root Library)
  • jest-cli-26.6.3.tgz
    • jest-config-26.6.3.tgz
      • core-7.13.15.tgz
        • helper-compilation-targets-7.13.13.tgz
          • ❌ browserslist-4.16.4.tgz (Vulnerable Library)

Found in HEAD commit: 33e782a5528260d6da2529fbaac8bc5bb429d0f6

Found in base branch: master

Vulnerability Details

The package browserslist from 4.0.0 and before 4.16.5 are vulnerable to Regular Expression Denial of Service (ReDoS) during parsing of queries.

Publish Date: 2021-04-28

URL: CVE-2021-23364

CVSS 3 Score Details (5.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23364

Release Date: 2021-04-28

Fix Resolution: browserslist - 4.16.5

Vulnerable Library - xmlhttprequest-ssl-1.5.5.tgz

XMLHttpRequest for Node

Library home page: https://registry.npmjs.org/xmlhttprequest-ssl/-/xmlhttprequest-ssl-1.5.5.tgz

Dependency Hierarchy:

• @balena/jellyfish-plugin-default-9.2.15.tgz (Root Library)
  • @balena/jellyfish-client-sdk-2.19.1.tgz
    • socket.io-client-2.4.0.tgz
      • engine.io-client-3.5.1.tgz
        • ❌ xmlhttprequest-ssl-1.5.5.tgz (Vulnerable Library)

Found in HEAD commit: 33e782a5528260d6da2529fbaac8bc5bb429d0f6

Found in base branch: master

Vulnerability Details

This affects the package xmlhttprequest before 1.7.0; all versions of package xmlhttprequest-ssl. Provided requests are sent synchronously (async=False on xhr.open), malicious user input flowing into xhr.send could result in arbitrary code being injected and run.

Publish Date: 2021-03-05

URL: CVE-2020-28502

CVSS 3 Score Details (8.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-h4j5-c7cj-74xg

Release Date: 2021-03-05

Fix Resolution: xmlhttprequest - 1.7.0,xmlhttprequest-ssl - 1.6.2