Vulnerable Library - cryptiles-2.0.5.tgz

General purpose crypto utilities

Library home page: https://registry.npmjs.org/cryptiles/-/cryptiles-2.0.5.tgz

Path to dependency file: /tmp/ws-scm/Augmented-Reality/docs-preview/themes/tibcolabs/assets/vendor/bootstrap/package.json

Path to vulnerable library: /tmp/ws-scm/Augmented-Reality/docs-preview/themes/tibcolabs/assets/vendor/bootstrap/node_modules/cryptiles/package.json

Dependency Hierarchy:

• node-sass-4.9.1.tgz (Root Library)
  • node-gyp-3.7.0.tgz
    • request-2.81.0.tgz
      • hawk-3.1.3.tgz
        • ❌ cryptiles-2.0.5.tgz (Vulnerable Library)

Found in HEAD commit: 3b129d3d72caa37ab245e5b9a857f0d0697c5d97

Vulnerability Details

Eran Hammer cryptiles version 4.1.1 earlier contains a CWE-331: Insufficient Entropy vulnerability in randomDigits() method that can result in An attacker is more likely to be able to brute force something that was supposed to be random.. This attack appear to be exploitable via Depends upon the calling application.. This vulnerability appears to have been fixed in 4.1.2.

Publish Date: 2018-07-09

URL: CVE-2018-1000620

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2018-1000620

Release Date: 2019-04-08

Fix Resolution: 4.1.2

Vulnerable Libraries - node-sass-4.9.1.tgz

Found in HEAD commit: 3b129d3d72caa37ab245e5b9a857f0d0697c5d97

Vulnerability Details

In LibSass prior to 3.5.5, the function handle_error in sass_context.cpp allows attackers to cause a denial-of-service resulting from a heap-based buffer over-read via a crafted sass file.

Publish Date: 2018-12-04

URL: CVE-2018-19839

CVSS 3 Score Details (6.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19839

Release Date: 2020-03-20

Fix Resolution: LibSass - 3.5.5

Vulnerable Libraries - minimist-1.2.0.tgz, minimist-0.0.8.tgz

Found in HEAD commit: 41ac70765868c413b9cb16c47af3948f68d4f4cd

Vulnerability Details

minimist before 1.2.2 could be tricked into adding or modifying properties of Object.prototype using a "constructor" or "proto" payload.

Publish Date: 2020-03-11

URL: CVE-2020-7598

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://github.com/substack/minimist/commit/63e7ed05aa4b1889ec2f3b196426db4500cbda94

Release Date: 2020-03-11

Fix Resolution: minimist - 0.2.1,1.2.2

Vulnerable Libraries - node-sass-4.9.1.tgz

Found in HEAD commit: 3b129d3d72caa37ab245e5b9a857f0d0697c5d97

Vulnerability Details

In LibSass 3.5.5, a heap-based buffer over-read exists in Sass::Prelexer::skip_over_scopes in prelexer.hpp when called from Sass::Parser::parse_import(), a similar issue to CVE-2018-11693.

Publish Date: 2019-01-14

URL: CVE-2019-6286

CVSS 3 Score Details (6.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6286

Release Date: 2019-08-06

Fix Resolution: LibSass - 3.6.0

Vulnerable Libraries - set-value-2.0.0.tgz, set-value-0.4.3.tgz

Found in HEAD commit: 3b129d3d72caa37ab245e5b9a857f0d0697c5d97

Vulnerability Details

set-value is vulnerable to Prototype Pollution in versions lower than 3.0.1. The function mixin-deep could be tricked into adding or modifying properties of Object.prototype using any of the constructor, prototype and proto payloads.

Publish Date: 2019-08-23

URL: CVE-2019-10747

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: jonschlinkert/set-value@95e9d99

Release Date: 2019-07-24

Fix Resolution: 2.0.1,3.0.1

Vulnerable Libraries - node-sass-4.9.1.tgz

Found in HEAD commit: 3b129d3d72caa37ab245e5b9a857f0d0697c5d97

Vulnerability Details

In LibSass 3.5.5, a heap-based buffer over-read exists in Sass::Prelexer::parenthese_scope in prelexer.hpp.

Publish Date: 2019-01-14

URL: CVE-2019-6283

CVSS 3 Score Details (6.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6284

Release Date: 2019-08-06

Fix Resolution: LibSass - 3.6.0

Vulnerable Libraries - node-sass-4.9.1.tgz

Found in HEAD commit: 3b129d3d72caa37ab245e5b9a857f0d0697c5d97

Vulnerability Details

LibSass 3.6.1 has uncontrolled recursion in Sass::Eval::operator()(Sass::Binary_Expression*) in eval.cpp.

Publish Date: 2019-11-06

URL: CVE-2019-18797

CVSS 3 Score Details (6.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18797

Release Date: 2019-11-06

Fix Resolution: LibSass - 3.6.3

Vulnerable Libraries - node-sass-4.9.1.tgz

Found in HEAD commit: 3b129d3d72caa37ab245e5b9a857f0d0697c5d97

Vulnerability Details

An issue was discovered in LibSass through 3.5.4. An out-of-bounds read of a memory region was found in the function Sass::Prelexer::exactly() which could be leveraged by an attacker to disclose information or manipulated to read from unmapped memory causing a denial of service.

Publish Date: 2018-06-04

URL: CVE-2018-11697

CVSS 3 Score Details (8.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11697

Release Date: 2019-09-01

Fix Resolution: LibSass - 3.6.0

Vulnerable Library - hoek-2.16.3.tgz

General purpose node utilities

Library home page: https://registry.npmjs.org/hoek/-/hoek-2.16.3.tgz

Path to dependency file: /tmp/ws-scm/Augmented-Reality/docs-preview/themes/tibcolabs/assets/vendor/bootstrap/package.json

Path to vulnerable library: /tmp/ws-scm/Augmented-Reality/docs-preview/themes/tibcolabs/assets/vendor/bootstrap/node_modules/hoek/package.json

Dependency Hierarchy:

• node-sass-4.9.1.tgz (Root Library)
  • node-gyp-3.7.0.tgz
    • request-2.81.0.tgz
      • hawk-3.1.3.tgz
        • ❌ hoek-2.16.3.tgz (Vulnerable Library)

Found in HEAD commit: 3b129d3d72caa37ab245e5b9a857f0d0697c5d97

Vulnerability Details

hoek node module before 4.2.0 and 5.0.x before 5.0.3 suffers from a Modification of Assumed-Immutable Data (MAID) vulnerability via 'merge' and 'applyToDefaults' functions, which allows a malicious user to modify the prototype of "Object" via proto, causing the addition or modification of an existing property that will exist on all objects.

Publish Date: 2018-03-30

URL: CVE-2018-3728

CVSS 3 Score Details (8.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2018-3728

Release Date: 2018-03-30

Fix Resolution: 4.2.1,5.0.3

Vulnerable Libraries - jquery-1.8.2.min.js, jquery-2.1.4.min.js

Found in HEAD commit: 3b129d3d72caa37ab245e5b9a857f0d0697c5d97

Vulnerability Details

jQuery before 3.0.0 is vulnerable to Cross-site Scripting (XSS) attacks when a cross-domain Ajax request is performed without the dataType option, causing text/javascript responses to be executed.

Publish Date: 2018-01-18

URL: CVE-2015-9251

CVSS 3 Score Details (6.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2015-9251

Release Date: 2018-01-18

Fix Resolution: jQuery - v3.0.0

Vulnerable Libraries - node-sass-4.9.1.tgz

Found in HEAD commit: 3b129d3d72caa37ab245e5b9a857f0d0697c5d97

Vulnerability Details

An issue was discovered in LibSass through 3.5.4. An out-of-bounds read of a memory region was found in the function Sass::handle_error which could be leveraged by an attacker to disclose information or manipulated to read from unmapped memory causing a denial of service.

Publish Date: 2018-06-04

URL: CVE-2018-11698

CVSS 3 Score Details (8.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11698

Release Date: 2019-08-06

Fix Resolution: LibSass - 3.6.0

Vulnerable Library - undefsafe-2.0.2.tgz

Undefined safe way of extracting object properties

Library home page: https://registry.npmjs.org/undefsafe/-/undefsafe-2.0.2.tgz

Path to dependency file: /tmp/ws-scm/Augmented-Reality/docs-preview/themes/tibcolabs/assets/vendor/bootstrap/package.json

Path to vulnerable library: /tmp/ws-scm/Augmented-Reality/docs-preview/themes/tibcolabs/assets/vendor/bootstrap/node_modules/undefsafe/package.json

Dependency Hierarchy:

• nodemon-1.17.5.tgz (Root Library)
  • ❌ undefsafe-2.0.2.tgz (Vulnerable Library)

Found in HEAD commit: 3b129d3d72caa37ab245e5b9a857f0d0697c5d97

Vulnerability Details

undefsafe before 2.0.3 is vulnerable to Prototype Pollution. The 'a' function could be tricked into adding or modifying properties of Object.prototype using a proto payload.

Publish Date: 2020-02-18

URL: CVE-2019-10795

CVSS 3 Score Details (6.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10795

Release Date: 2020-02-18

Fix Resolution: 2.0.3

Vulnerable Libraries - node-sass-4.9.1.tgz

Found in HEAD commit: 3b129d3d72caa37ab245e5b9a857f0d0697c5d97

Vulnerability Details

In LibSass prior to 3.5.5, functions inside ast.cpp for IMPLEMENT_AST_OPERATORS expansion allow attackers to cause a denial-of-service resulting from stack consumption via a crafted sass file, as demonstrated by recursive calls involving clone(), cloneChildren(), and copy().

Publish Date: 2018-12-04

URL: CVE-2018-19838

CVSS 3 Score Details (6.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://github.com/sass/libsass/blob/3.6.0/src/ast.cpp

Release Date: 2019-07-01

Fix Resolution: LibSass - 3.6.0

Vulnerable Libraries - node-sass-4.9.1.tgz

Found in HEAD commit: 3b129d3d72caa37ab245e5b9a857f0d0697c5d97

Vulnerability Details

The parsing component in LibSass through 3.5.5 allows attackers to cause a denial-of-service (uncontrolled recursion in Sass::Parser::parse_css_variable_value in parser.cpp).

Publish Date: 2019-04-23

URL: CVE-2018-20821

CVSS 3 Score Details (6.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20821

Release Date: 2019-04-23

Fix Resolution: LibSass - 3.6.0

Vulnerable Library - ecstatic-3.2.0.tgz

A simple static file server middleware that works with both Express and Flatiron

Library home page: https://registry.npmjs.org/ecstatic/-/ecstatic-3.2.0.tgz

Path to dependency file: /tmp/ws-scm/Augmented-Reality/docs-preview/themes/tibcolabs/assets/vendor/bootstrap/package.json

Path to vulnerable library: /tmp/ws-scm/Augmented-Reality/docs-preview/themes/tibcolabs/assets/vendor/bootstrap/node_modules/ecstatic/package.json

Dependency Hierarchy:

• http-server-0.11.1.tgz (Root Library)
  • ❌ ecstatic-3.2.0.tgz (Vulnerable Library)

Found in HEAD commit: 3b129d3d72caa37ab245e5b9a857f0d0697c5d97

Vulnerability Details

Versions of ecstatic prior to 4.1.2 fails to validate redirects, allowing attackers to craft requests that result in an HTTP 301 redirect to any other domains.

Publish Date: 2019-05-02

URL: WS-2019-0066

CVSS 2 Score Details (5.0)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/830/versions

Release Date: 2019-05-02

Fix Resolution: 4.1.2

Vulnerable Libraries - node-sass-4.9.1.tgz

Found in HEAD commit: 3b129d3d72caa37ab245e5b9a857f0d0697c5d97

Vulnerability Details

An issue was discovered in LibSass through 3.5.2. A NULL pointer dereference was found in the function Sass::Expand::operator which could be leveraged by an attacker to cause a denial of service (application crash) or possibly have unspecified other impact.

Publish Date: 2018-06-04

URL: CVE-2018-11695

CVSS 3 Score Details (8.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11695

Release Date: 2018-06-04

Fix Resolution: LibSass - 3.6.0

Vulnerable Libraries - node-sass-4.9.1.tgz

Found in HEAD commit: 3b129d3d72caa37ab245e5b9a857f0d0697c5d97

Vulnerability Details

In LibSass 3.5.5, a use-after-free vulnerability exists in the SharedPtr class in SharedPtr.cpp (or SharedPtr.hpp) that may cause a denial of service (application crash) or possibly have unspecified other impact.

Publish Date: 2018-12-03

URL: CVE-2018-19827

CVSS 3 Score Details (8.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: sass/libsass#2784

Release Date: 2019-08-29

Fix Resolution: LibSass - 3.6.0

Vulnerable Libraries - node-sass-4.9.1.tgz

Found in HEAD commit: 3b129d3d72caa37ab245e5b9a857f0d0697c5d97

Vulnerability Details

An issue was discovered in LibSass through 3.5.4. An out-of-bounds read of a memory region was found in the function Sass::Prelexer::skip_over_scopes which could be leveraged by an attacker to disclose information or manipulated to read from unmapped memory causing a denial of service.

Publish Date: 2018-06-04

URL: CVE-2018-11693

CVSS 3 Score Details (8.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11693

Release Date: 2018-06-04

Fix Resolution: LibSass - 3.5.5

Vulnerable Library - mem-1.1.0.tgz

Memoize functions - An optimization used to speed up consecutive function calls by caching the result of calls with identical input

Library home page: https://registry.npmjs.org/mem/-/mem-1.1.0.tgz

Path to dependency file: /tmp/ws-scm/Augmented-Reality/docs-preview/themes/tibcolabs/assets/vendor/bootstrap/package.json

Path to vulnerable library: /tmp/ws-scm/Augmented-Reality/docs-preview/themes/tibcolabs/assets/vendor/bootstrap/node_modules/mem/package.json

Dependency Hierarchy:

• htmllint-cli-0.0.7.tgz (Root Library)
  • yargs-11.1.0.tgz
    • os-locale-2.1.0.tgz
      • ❌ mem-1.1.0.tgz (Vulnerable Library)

Found in HEAD commit: 3b129d3d72caa37ab245e5b9a857f0d0697c5d97

Vulnerability Details

In nodejs-mem before version 4.0.0 there is a memory leak due to old results not being removed from the cache despite reaching maxAge. Exploitation of this can lead to exhaustion of memory and subsequent denial of service.

Publish Date: 2019-05-30

URL: WS-2018-0236

CVSS 2 Score Details (5.5)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: https://bugzilla.redhat.com/show_bug.cgi?id=1623744

Release Date: 2019-05-30

Fix Resolution: 4.0.0

Vulnerable Libraries - axios-0.16.2.tgz, axios-0.15.3.tgz

Found in HEAD commit: 3b129d3d72caa37ab245e5b9a857f0d0697c5d97

Vulnerability Details

Axios up to and including 0.18.0 allows attackers to cause a denial of service (application crash) by continuing to accepting content after maxContentLength is exceeded.

Publish Date: 2019-05-07

URL: CVE-2019-10742

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: axios/axios#1098

Release Date: 2019-05-31

Fix Resolution: 0.19.0

Vulnerable Library - timespan-2.3.0.tgz

A JavaScript TimeSpan library for node.js (and soon the browser)

Library home page: https://registry.npmjs.org/timespan/-/timespan-2.3.0.tgz

Path to dependency file: /tmp/ws-scm/Augmented-Reality/docs-preview/themes/tibcolabs/assets/vendor/bootstrap/package.json

Path to vulnerable library: /tmp/ws-scm/Augmented-Reality/docs-preview/themes/tibcolabs/assets/vendor/bootstrap/node_modules/timespan/package.json

Dependency Hierarchy:

• karma-2.0.4.tgz (Root Library)
  • log4js-2.10.0.tgz
    • loggly-1.1.1.tgz
      • ❌ timespan-2.3.0.tgz (Vulnerable Library)

Found in HEAD commit: 3b129d3d72caa37ab245e5b9a857f0d0697c5d97

Vulnerability Details

The timespan module is vulnerable to regular expression denial of service. Given 50k characters of untrusted user input it will block the event loop for around 10 seconds.

Publish Date: 2018-06-07

URL: CVE-2017-16115

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Vulnerable Library - yargs-parser-9.0.2.tgz

the mighty option parser used by yargs

Library home page: https://registry.npmjs.org/yargs-parser/-/yargs-parser-9.0.2.tgz

Path to dependency file: /tmp/ws-scm/Augmented-Reality/docs-src/package.json

Path to vulnerable library: /tmp/ws-scm/Augmented-Reality/docs-src/node_modules/yargs-parser/package.json

Dependency Hierarchy:

• postcss-cli-5.0.1.tgz (Root Library)
  • yargs-11.1.1.tgz
    • ❌ yargs-parser-9.0.2.tgz (Vulnerable Library)

Vulnerability Details

yargs-parser could be tricked into adding or modifying properties of Object.prototype using a "proto" payload.

Publish Date: 2020-03-16

URL: CVE-2020-7608

CVSS 3 Score Details (5.0)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: N/A
  • Attack Complexity: N/A
  • Privileges Required: N/A
  • User Interaction: N/A
  • Scope: N/A
• Impact Metrics:
  • Confidentiality Impact: N/A
  • Integrity Impact: N/A
  • Availability Impact: N/A

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7608

Release Date: 2020-03-16

Fix Resolution: v18.1.1;13.1.2;15.0.1

Vulnerable Library - mixin-deep-1.3.1.tgz

Deeply mix the properties of objects into the first object. Like merge-deep, but doesn't clone.

Library home page: https://registry.npmjs.org/mixin-deep/-/mixin-deep-1.3.1.tgz

Path to dependency file: /tmp/ws-scm/Augmented-Reality/docs-preview/themes/tibcolabs/assets/vendor/bootstrap/package.json

Path to vulnerable library: /tmp/ws-scm/Augmented-Reality/docs-preview/themes/tibcolabs/assets/vendor/bootstrap/node_modules/mixin-deep/package.json

Dependency Hierarchy:

• core-7.0.0-beta.52.tgz (Root Library)
  • micromatch-3.1.10.tgz
    • snapdragon-0.8.2.tgz
      • base-0.11.2.tgz
        • ❌ mixin-deep-1.3.1.tgz (Vulnerable Library)

Found in HEAD commit: 3b129d3d72caa37ab245e5b9a857f0d0697c5d97

Vulnerability Details

mixin-deep is vulnerable to Prototype Pollution in versions before 1.3.2 and version 2.0.0. The function mixin-deep could be tricked into adding or modifying properties of Object.prototype using a constructor payload.

Publish Date: 2019-08-23

URL: CVE-2019-10746

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: jonschlinkert/mixin-deep@8f464c8

Release Date: 2019-07-11

Fix Resolution: 1.3.2,2.0.1

Vulnerable Libraries - braces-0.1.5.tgz, braces-1.8.5.tgz

Found in HEAD commit: 3b129d3d72caa37ab245e5b9a857f0d0697c5d97

Vulnerability Details

Version of braces prior to 2.3.1 are vulnerable to Regular Expression Denial of Service (ReDoS). Untrusted input may cause catastrophic backtracking while matching regular expressions. This can cause the application to be unresponsive leading to Denial of Service.

Publish Date: 2019-03-25

URL: WS-2019-0019

CVSS 2 Score Details (5.0)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/786

Release Date: 2019-02-21

Fix Resolution: 2.3.1

Vulnerable Libraries - node-sass-4.9.1.tgz

Found in HEAD commit: 3b129d3d72caa37ab245e5b9a857f0d0697c5d97

Vulnerability Details

An issue was discovered in LibSass through 3.5.4. A NULL pointer dereference was found in the function Sass::Functions::selector_append which could be leveraged by an attacker to cause a denial of service (application crash) or possibly have unspecified other impact.

Publish Date: 2018-06-04

URL: CVE-2018-11694

CVSS 3 Score Details (8.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11694

Release Date: 2018-06-04

Fix Resolution: LibSass - 3.6.0

Vulnerable Library - lodash.mergewith-4.6.1.tgz

The Lodash method `_.mergeWith` exported as a module.

Library home page: https://registry.npmjs.org/lodash.mergewith/-/lodash.mergewith-4.6.1.tgz

Path to dependency file: /tmp/ws-scm/Augmented-Reality/docs-preview/themes/tibcolabs/assets/vendor/bootstrap/package.json

Path to vulnerable library: /tmp/ws-scm/Augmented-Reality/docs-preview/themes/tibcolabs/assets/vendor/bootstrap/node_modules/lodash.mergewith/package.json

Dependency Hierarchy:

• node-sass-4.9.1.tgz (Root Library)
  • ❌ lodash.mergewith-4.6.1.tgz (Vulnerable Library)

Found in HEAD commit: 3b129d3d72caa37ab245e5b9a857f0d0697c5d97

Vulnerability Details

lodash.mergewith before 4.6.2 is vulnerable to prototype pollution. The function mergeWith() may allow a malicious user to modify the prototype of Object via {constructor: {prototype: {...}}} causing the addition or modification of an existing property that will exist on all objects.

Publish Date: 2019-08-14

URL: WS-2019-0180

CVSS 2 Score Details (4.0)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/1071

Release Date: 2019-08-14

Fix Resolution: 4.6.2

Vulnerable Library - jquery-1.8.2.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.8.2/jquery.min.js

Path to dependency file: /tmp/ws-scm/Augmented-Reality/docs-preview/themes/tibcolabs/assets/vendor/bootstrap/node_modules/errors/doc/html/errors.html

Path to vulnerable library: /Augmented-Reality/docs-preview/themes/tibcolabs/assets/vendor/bootstrap/node_modules/errors/doc/html/errors.html,/Augmented-Reality/docs-preview/themes/tibcolabs/assets/vendor/bootstrap/node_modules/errors/doc/html/errors.html

Dependency Hierarchy:

• ❌ jquery-1.8.2.min.js (Vulnerable Library)

Found in HEAD commit: 3b129d3d72caa37ab245e5b9a857f0d0697c5d97

Vulnerability Details

jQuery before 1.9.0 is vulnerable to Cross-site Scripting (XSS) attacks. The jQuery(strInput) function does not differentiate selectors from HTML in a reliable fashion. In vulnerable versions, jQuery determined whether the input was HTML by looking for the '<' character anywhere in the string, giving attackers more flexibility when attempting to construct a malicious payload. In fixed versions, jQuery only deems the input to be HTML if it explicitly starts with the '<' character, limiting exploitability only to attackers who can control the beginning of a string, which is far less common.

Publish Date: 2018-01-18

URL: CVE-2012-6708

CVSS 3 Score Details (6.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2012-6708

Release Date: 2018-01-18

Fix Resolution: jQuery - v1.9.0

Vulnerable Library - qs-6.2.3.tgz

A querystring parser that supports nesting and arrays, with a depth limit

Library home page: https://registry.npmjs.org/qs/-/qs-6.2.3.tgz

Path to dependency file: /tmp/ws-scm/Augmented-Reality/docs-preview/themes/tibcolabs/assets/vendor/bootstrap/package.json

Path to vulnerable library: /tmp/ws-scm/Augmented-Reality/docs-preview/themes/tibcolabs/assets/vendor/bootstrap/node_modules/loggly/node_modules/qs/package.json

Dependency Hierarchy:

• karma-2.0.4.tgz (Root Library)
  • log4js-2.10.0.tgz
    • loggly-1.1.1.tgz
      • request-2.75.0.tgz
        • ❌ qs-6.2.3.tgz (Vulnerable Library)

Found in HEAD commit: 3b129d3d72caa37ab245e5b9a857f0d0697c5d97

Vulnerability Details

the web framework using ljharb's qs module older than v6.3.2, v6.2.3, v6.1.2, and v6.0.4 is vulnerable to a DoS. A malicious user can send a evil request to cause the web framework crash.

Publish Date: 2017-07-17

URL: CVE-2017-1000048

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Change files

Origin: ljharb/qs@c709f6e

Release Date: 2017-03-06

Fix Resolution: Replace or update the following files: parse.js, parse.js, utils.js

Vulnerable Libraries - kind-of-4.0.0.tgz, kind-of-6.0.2.tgz, kind-of-3.2.2.tgz, kind-of-5.1.0.tgz

Found in HEAD commit: 78787abe8b64d5652b0bd7f9142b2caa4140e668

Vulnerability Details

ctorName in index.js in kind-of v6.0.2 allows external user input to overwrite certain internal attributes via a conflicting name, as demonstrated by 'constructor': {'name':'Symbol'}. Hence, a crafted payload can overwrite this builtin attribute to manipulate the type detection result.

Publish Date: 2019-12-30

URL: CVE-2019-20149

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Local
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: None

Vulnerable Library - lodash-2.4.2.tgz

A utility library delivering consistency, customization, performance, & extras.

Library home page: https://registry.npmjs.org/lodash/-/lodash-2.4.2.tgz

Path to dependency file: /tmp/ws-scm/Augmented-Reality/docs-preview/themes/tibcolabs/assets/vendor/bootstrap/package.json

Path to vulnerable library: /tmp/ws-scm/Augmented-Reality/docs-preview/themes/tibcolabs/assets/vendor/bootstrap/node_modules/form-data2/node_modules/lodash/package.json

Dependency Hierarchy:

• broken-link-checker-0.7.8.tgz (Root Library)
  • bhttp-1.2.4.tgz
    • ❌ lodash-2.4.2.tgz (Vulnerable Library)

Found in HEAD commit: 3b129d3d72caa37ab245e5b9a857f0d0697c5d97

Vulnerability Details

lodash node module before 4.17.5 suffers from a Modification of Assumed-Immutable Data (MAID) vulnerability via defaultsDeep, merge, and mergeWith functions, which allows a malicious user to modify the prototype of "Object" via proto, causing the addition or modification of an existing property that will exist on all objects.

Publish Date: 2018-06-07

URL: CVE-2018-3721

CVSS 3 Score Details (6.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: High
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2018-3721

Release Date: 2018-06-07

Fix Resolution: 4.17.5

Vulnerable Libraries - tar-4.4.1.tgz, tar-2.2.1.tgz

Found in HEAD commit: 3b129d3d72caa37ab245e5b9a857f0d0697c5d97

Vulnerability Details

A vulnerability was found in node-tar before version 4.4.2 (excluding version 2.2.2). An Arbitrary File Overwrite issue exists when extracting a tarball containing a hardlink to a file that already exists on the system, in conjunction with a later plain file with the same name as the hardlink. This plain file content replaces the existing file content. A patch has been applied to node-tar v2.2.2).

Publish Date: 2019-04-30

URL: CVE-2018-20834

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: High
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://hackerone.com/reports/344595

Release Date: 2019-04-30

Fix Resolution: v4.4.2

Vulnerable Libraries - node-sass-4.9.1.tgz

Found in HEAD commit: 3b129d3d72caa37ab245e5b9a857f0d0697c5d97

Vulnerability Details

In LibSass 3.5.5, a heap-based buffer over-read exists in Sass::Prelexer::alternatives in prelexer.hpp.

Publish Date: 2019-01-14

URL: CVE-2019-6284

CVSS 3 Score Details (6.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6284

Release Date: 2019-08-06

Fix Resolution: LibSass - 3.6.0

Vulnerable Libraries - node-sass-4.9.1.tgz

Found in HEAD commit: 3b129d3d72caa37ab245e5b9a857f0d0697c5d97

Vulnerability Details

In LibSass 3.5.5, a NULL Pointer Dereference in the function Sass::Selector_List::populate_extends in SharedPtr.hpp (used by ast.cpp and ast_selectors.cpp) may cause a Denial of Service (application crash) via a crafted sass input file.

Publish Date: 2018-12-03

URL: CVE-2018-19797

CVSS 3 Score Details (6.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19797

Release Date: 2019-09-01

Fix Resolution: LibSass - 3.6.0

Vulnerable Libraries - lodash-4.17.10.tgz, lodash-2.4.2.tgz

Found in HEAD commit: 3b129d3d72caa37ab245e5b9a857f0d0697c5d97

Vulnerability Details

lodash prior to 4.17.11 is affected by: CWE-400: Uncontrolled Resource Consumption. The impact is: Denial of service. The component is: Date handler. The attack vector is: Attacker provides very long strings, which the library attempts to match using a regular expression. The fixed version is: 4.17.11.

Publish Date: 2019-07-17

URL: CVE-2019-1010266

CVSS 3 Score Details (6.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1010266

Release Date: 2019-07-17

Fix Resolution: 4.17.11

Vulnerable Library - dot-prop-4.2.0.tgz

Get, set, or delete a property from a nested object using a dot path

Library home page: https://registry.npmjs.org/dot-prop/-/dot-prop-4.2.0.tgz

Path to dependency file: /tmp/ws-scm/Augmented-Reality/docs-preview/themes/tibcolabs/assets/vendor/bootstrap/package.json

Path to vulnerable library: /tmp/ws-scm/Augmented-Reality/docs-preview/themes/tibcolabs/assets/vendor/bootstrap/node_modules/dot-prop/package.json

Dependency Hierarchy:

• stylelint-9.3.0.tgz (Root Library)
  • postcss-selector-parser-3.1.1.tgz
    • ❌ dot-prop-4.2.0.tgz (Vulnerable Library)

Found in HEAD commit: 3b129d3d72caa37ab245e5b9a857f0d0697c5d97

Vulnerability Details

Prototype pollution vulnerability in dot-prop npm package version 5.1.0 and earlier allows an attacker to add arbitrary properties to JavaScript language constructs such as objects.

Publish Date: 2020-02-04

URL: CVE-2020-8116

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8116

Release Date: 2020-02-04

Fix Resolution: dot-prop - 5.1.1

Vulnerable Library - bootstrap-4.1.3.min.js

The most popular front-end framework for developing responsive, mobile first projects on the web.

Library home page: https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/4.1.3/js/bootstrap.min.js

Path to dependency file: /tmp/ws-scm/Augmented-Reality/docs-src/themes/tibcolabs/layouts/partials/scripts.html

Path to vulnerable library: /Augmented-Reality/docs-src/themes/tibcolabs/layouts/partials/scripts.html

Dependency Hierarchy:

• ❌ bootstrap-4.1.3.min.js (Vulnerable Library)

Vulnerability Details

In Bootstrap before 3.4.1 and 4.3.x before 4.3.1, XSS is possible in the tooltip or popover data-template attribute.

Publish Date: 2019-02-20

URL: CVE-2019-8331

CVSS 3 Score Details (6.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: twbs/bootstrap#28236

Release Date: 2019-02-20

Fix Resolution: bootstrap - 3.4.1,4.3.1;bootstrap-sass - 3.4.1,4.3.1

Vulnerable Library - jquery-3.3.1.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/3.3.1/jquery.min.js

Path to dependency file: /tmp/ws-scm/Augmented-Reality/docs/docs/explorations/spotfire-exploration/index.html

Path to vulnerable library: /Augmented-Reality/docs/docs/explorations/spotfire-exploration/index.html

Dependency Hierarchy:

• ❌ jquery-3.3.1.min.js (Vulnerable Library)

Found in HEAD commit: 78787abe8b64d5652b0bd7f9142b2caa4140e668

Vulnerability Details

jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. If an unsanitized source object contained an enumerable proto property, it could extend the native Object.prototype.

Publish Date: 2019-04-20

URL: CVE-2019-11358

CVSS 3 Score Details (6.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11358

Release Date: 2019-04-20

Fix Resolution: 3.4.0

Vulnerable Library - js-yaml-3.12.0.tgz

YAML 1.2 parser and serializer

Library home page: https://registry.npmjs.org/js-yaml/-/js-yaml-3.12.0.tgz

Path to dependency file: /tmp/ws-scm/Augmented-Reality/docs-preview/themes/tibcolabs/assets/vendor/bootstrap/package.json

Path to vulnerable library: /tmp/ws-scm/Augmented-Reality/docs-preview/themes/tibcolabs/assets/vendor/bootstrap/node_modules/js-yaml/package.json

Dependency Hierarchy:

• coveralls-3.0.2.tgz (Root Library)
  • ❌ js-yaml-3.12.0.tgz (Vulnerable Library)

Found in HEAD commit: 3b129d3d72caa37ab245e5b9a857f0d0697c5d97

Vulnerability Details

Versions js-yaml prior to 3.13.0 are vulnerable to Denial of Service. By parsing a carefully-crafted YAML file, the node process stalls and may exhaust system resources leading to a Denial of Service.

Publish Date: 2019-03-26

URL: WS-2019-0032

CVSS 2 Score Details (5.0)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/788/versions

Release Date: 2019-03-26

Fix Resolution: 3.13.0

Vulnerable Library - js-yaml-3.12.0.tgz

YAML 1.2 parser and serializer

Library home page: https://registry.npmjs.org/js-yaml/-/js-yaml-3.12.0.tgz

Path to dependency file: /tmp/ws-scm/Augmented-Reality/docs-preview/themes/tibcolabs/assets/vendor/bootstrap/package.json

Path to vulnerable library: /tmp/ws-scm/Augmented-Reality/docs-preview/themes/tibcolabs/assets/vendor/bootstrap/node_modules/js-yaml/package.json

Dependency Hierarchy:

• coveralls-3.0.2.tgz (Root Library)
  • ❌ js-yaml-3.12.0.tgz (Vulnerable Library)

Found in HEAD commit: 3b129d3d72caa37ab245e5b9a857f0d0697c5d97

Vulnerability Details

Js-yaml prior to 3.13.1 are vulnerable to Code Injection. The load() function may execute arbitrary code injected through a malicious YAML file.

Publish Date: 2019-04-30

URL: WS-2019-0063

CVSS 2 Score Details (8.0)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/813

Release Date: 2019-04-30

Fix Resolution: 3.13.1

Vulnerable Library - mem-1.1.0.tgz

Memoize functions - An optimization used to speed up consecutive function calls by caching the result of calls with identical input

Library home page: https://registry.npmjs.org/mem/-/mem-1.1.0.tgz

Path to dependency file: /tmp/ws-scm/Augmented-Reality/docs-preview/themes/tibcolabs/assets/vendor/bootstrap/package.json

Path to vulnerable library: /tmp/ws-scm/Augmented-Reality/docs-preview/themes/tibcolabs/assets/vendor/bootstrap/node_modules/mem/package.json

Dependency Hierarchy:

• htmllint-cli-0.0.7.tgz (Root Library)
  • yargs-11.1.0.tgz
    • os-locale-2.1.0.tgz
      • ❌ mem-1.1.0.tgz (Vulnerable Library)

Found in HEAD commit: 3b129d3d72caa37ab245e5b9a857f0d0697c5d97

Vulnerability Details

Denial of Service (DoS) vulnerability found in mem before 4.0.0. There is a failure in removal of old values from the cache. As a result, attacker may exhaust the system's memory.

Publish Date: 2019-12-01

URL: WS-2019-0307

CVSS 2 Score Details (5.0)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/1084

Release Date: 2019-12-01

Fix Resolution: mem - 4.0.0

Vulnerable Libraries - lodash-4.17.10.tgz, lodash-2.4.2.tgz

Found in HEAD commit: 3b129d3d72caa37ab245e5b9a857f0d0697c5d97

Vulnerability Details

Versions of lodash lower than 4.17.12 are vulnerable to Prototype Pollution. The function defaultsDeep could be tricked into adding or modifying properties of Object.prototype using a constructor payload.

Publish Date: 2019-07-26

URL: CVE-2019-10744

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: lodash/lodash@a01e4fa

Release Date: 2019-07-08

Fix Resolution: 4.17.12

Vulnerable Libraries - node-sass-4.9.1.tgz

Found in HEAD commit: 3b129d3d72caa37ab245e5b9a857f0d0697c5d97

Vulnerability Details

** DISPUTED ** In inspect.cpp in LibSass 3.5.5, a high memory footprint caused by an endless loop (containing a Sass::Inspect::operator()(Sass::String_Quoted*) stack frame) may cause a Denial of Service via crafted sass input files with stray '&' or '/' characters. NOTE: Upstream comments indicate this issue is closed as "won't fix" and "works as intended" by design.

Publish Date: 2018-12-03

URL: CVE-2018-19826

CVSS 3 Score Details (6.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19826

Release Date: 2019-09-01

Fix Resolution: LibSass - 3.6.0

Vulnerable Library - fstream-1.0.11.tgz

Advanced file system stream things

Library home page: https://registry.npmjs.org/fstream/-/fstream-1.0.11.tgz

Path to dependency file: /tmp/ws-scm/Augmented-Reality/docs-preview/themes/tibcolabs/assets/vendor/bootstrap/package.json

Path to vulnerable library: /tmp/ws-scm/Augmented-Reality/docs-preview/themes/tibcolabs/assets/vendor/bootstrap/node_modules/fstream/package.json

Dependency Hierarchy:

• node-sass-4.9.1.tgz (Root Library)
  • node-gyp-3.7.0.tgz
    • ❌ fstream-1.0.11.tgz (Vulnerable Library)

Found in HEAD commit: 3b129d3d72caa37ab245e5b9a857f0d0697c5d97

Vulnerability Details

fstream before 1.0.12 is vulnerable to Arbitrary File Overwrite. Extracting tarballs containing a hardlink to a file that already exists in the system, and a file that matches the hardlink, will overwrite the system's file with the contents of the extracted file. The fstream.DirWriter() function is vulnerable.

Publish Date: 2019-07-02

URL: CVE-2019-13173

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: High
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13173

Release Date: 2019-07-02

Fix Resolution: 1.0.12

Vulnerable Libraries - node-sass-4.9.1.tgz

Found in HEAD commit: 3b129d3d72caa37ab245e5b9a857f0d0697c5d97

Vulnerability Details

LibSass 3.5.4 allows attackers to cause a denial-of-service (uncontrolled recursion in Sass::Complex_Selector::perform in ast.hpp and Sass::Inspect::operator in inspect.cpp).

Publish Date: 2019-04-23

URL: CVE-2018-20822

CVSS 3 Score Details (6.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20822

Release Date: 2019-08-06

Fix Resolution: LibSass - 3.6.0

Vulnerable Library - just-extend-1.1.27.tgz

extend an object

Library home page: https://registry.npmjs.org/just-extend/-/just-extend-1.1.27.tgz

Path to dependency file: /tmp/ws-scm/Augmented-Reality/docs-preview/themes/tibcolabs/assets/vendor/bootstrap/package.json

Path to vulnerable library: /tmp/ws-scm/Augmented-Reality/docs-preview/themes/tibcolabs/assets/vendor/bootstrap/node_modules/just-extend/package.json

Dependency Hierarchy:

• sinon-6.1.2.tgz (Root Library)
  • nise-1.4.2.tgz
    • ❌ just-extend-1.1.27.tgz (Vulnerable Library)

Found in HEAD commit: 3b129d3d72caa37ab245e5b9a857f0d0697c5d97

Vulnerability Details

A prototype pollution vulnerability was found in just-extend <4.0.0 that allows attack to inject properties onto Object.prototype through its functions.

Publish Date: 2019-02-01

URL: CVE-2018-16489

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://hackerone.com/reports/430291

Release Date: 2019-02-01

Fix Resolution: 4.0.0

Vulnerable Library - tunnel-agent-0.4.3.tgz

HTTP proxy tunneling agent. Formerly part of mikeal/request, now a standalone module.

Library home page: https://registry.npmjs.org/tunnel-agent/-/tunnel-agent-0.4.3.tgz

Path to dependency file: /tmp/ws-scm/Augmented-Reality/docs-preview/themes/tibcolabs/assets/vendor/bootstrap/package.json

Path to vulnerable library: /tmp/ws-scm/Augmented-Reality/docs-preview/themes/tibcolabs/assets/vendor/bootstrap/node_modules/loggly/node_modules/tunnel-agent/package.json

Dependency Hierarchy:

• karma-2.0.4.tgz (Root Library)
  • log4js-2.10.0.tgz
    • loggly-1.1.1.tgz
      • request-2.75.0.tgz
        • ❌ tunnel-agent-0.4.3.tgz (Vulnerable Library)

Found in HEAD commit: 3b129d3d72caa37ab245e5b9a857f0d0697c5d97

Vulnerability Details

Versions of tunnel-agent before 0.6.0 are vulnerable to memory exposure.

This is exploitable if user supplied input is provided to the auth value and is a number.

Publish Date: 2018-04-25

URL: WS-2018-0076

CVSS 2 Score Details (5.0)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: https://nodesecurity.io/advisories/598

Release Date: 2018-01-27

Fix Resolution: 0.6.0

Vulnerable Libraries - node-sass-4.9.1.tgz

Found in HEAD commit: 3b129d3d72caa37ab245e5b9a857f0d0697c5d97

Vulnerability Details

A use-after-free vulnerability exists in handle_error() in sass_context.cpp in LibSass 3.4.x and 3.5.x through 3.5.4 that could be leveraged to cause a denial of service (application crash) or possibly unspecified other impact.

Publish Date: 2018-05-26

URL: CVE-2018-11499

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11499

Release Date: 2018-05-26

Fix Resolution: LibSass - 3.6.0

Vulnerable Libraries - node-sass-4.9.1.tgz

Found in HEAD commit: 3b129d3d72caa37ab245e5b9a857f0d0697c5d97

Vulnerability Details

In LibSass 3.5.5, a NULL Pointer Dereference in the function Sass::Eval::operator()(Sass::Supports_Operator*) in eval.cpp may cause a Denial of Service (application crash) via a crafted sass input file.

Publish Date: 2018-12-17

URL: CVE-2018-20190

CVSS 3 Score Details (6.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20190

Release Date: 2018-12-17

Fix Resolution: LibSass - 3.6.0

Vulnerable Libraries - lodash-4.17.10.tgz, lodash-2.4.2.tgz

Found in HEAD commit: 3b129d3d72caa37ab245e5b9a857f0d0697c5d97

Vulnerability Details

A prototype pollution vulnerability was found in lodash <4.17.11 where the functions merge, mergeWith, and defaultsDeep can be tricked into adding or modifying properties of Object.prototype.

Publish Date: 2019-02-01

URL: CVE-2018-16487

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-16487

Release Date: 2019-02-01

Fix Resolution: 4.17.11

Vulnerable Library - kind-of-6.0.2.tgz

Get the native type of a value.

Library home page: https://registry.npmjs.org/kind-of/-/kind-of-6.0.2.tgz

Path to dependency file: /tmp/ws-scm/Augmented-Reality/docs-src/package.json

Path to vulnerable library: /tmp/ws-scm/Augmented-Reality/docs-src/node_modules/kind-of/package.json

Dependency Hierarchy:

• postcss-cli-5.0.1.tgz (Root Library)
  • chokidar-2.1.8.tgz
    • anymatch-2.0.0.tgz
      • micromatch-3.1.10.tgz
        • ❌ kind-of-6.0.2.tgz (Vulnerable Library)

Vulnerability Details

Versions of kind-of 6.x prior to 6.0.3 are vulnerable to a Validation Bypass. A maliciously crafted object can alter the result of the type check, allowing attackers to bypass the type checking validation.

Publish Date: 2020-03-18

URL: WS-2019-0381

CVSS 3 Score Details (5.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: Low
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: jonschlinkert/kind-of@975c13a

Release Date: 2020-03-18

Fix Resolution: kind-of - 6.0.3