Vulnerable Library - underscore.string-2.3.3.tgz

String manipulation extensions for Underscore.js javascript library.

Library home page: https://registry.npmjs.org/underscore.string/-/underscore.string-2.3.3.tgz

Path to dependency file: /tmp/ws-scm/labs-air/ui/ProjectAir/package.json

Path to vulnerable library: /tmp/ws-scm/labs-air/ui/ProjectAir/node_modules/underscore.string/package.json

Dependency Hierarchy:

• component-1.1.0.tgz (Root Library)
  • component-resolver-1.3.0.tgz
    • component-downloader-1.2.0.tgz
      • decompress-0.2.5.tgz
        • ext-name-1.0.1.tgz
          • ❌ underscore.string-2.3.3.tgz (Vulnerable Library)

Found in HEAD commit: 91b4245b987bd63abaeb49223360180947327d49

Vulnerability Details

Underscore.string, before 3.3.5, is vulnerable to Regular Expression Denial of Service (ReDoS).

Publish Date: 2018-12-30

URL: WS-2018-0232

CVSS 2 Score Details (5.0)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/745

Release Date: 2018-12-30

Fix Resolution: 3.3.5

Vulnerable Library - handlebars-4.1.2.tgz

Handlebars provides the power necessary to let you build semantic templates effectively with no frustration

Library home page: https://registry.npmjs.org/handlebars/-/handlebars-4.1.2.tgz

Path to dependency file: /tmp/ws-scm/labs-air/ui/IoTCloudStarter/package.json

Path to vulnerable library: /tmp/ws-scm/labs-air/uiupgrade/IoTCloudStarter/node_modules/handlebars/package.json,/tmp/ws-scm/labs-air/uiupgrade/IoTCloudStarter/node_modules/handlebars/package.json

Dependency Hierarchy:

• karma-coverage-istanbul-reporter-2.0.5.tgz (Root Library)
  • istanbul-api-2.1.6.tgz
    • istanbul-reports-2.2.6.tgz
      • ❌ handlebars-4.1.2.tgz (Vulnerable Library)

Vulnerability Details

Versions of handlebars prior to 4.3.0 are vulnerable to Prototype Pollution leading to Remote Code Execution. Templates may alter an Object's proto and defineGetter properties, which may allow an attacker to execute arbitrary code through crafted payloads.

Publish Date: 2019-12-20

URL: CVE-2019-19919

CVSS 2 Score Details (7.3)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/1164

Release Date: 2019-12-20

Fix Resolution: 4.3.0

Vulnerable Library - minimist-0.0.10.tgz

parse argument options

Library home page: https://registry.npmjs.org/minimist/-/minimist-0.0.10.tgz

Path to dependency file: /tmp/ws-scm/labs-air/uiupgrade/IoTCloudStarter/package.json

Path to vulnerable library: /tmp/ws-scm/labs-air/uiupgrade/IoTCloudStarter/node_modules/optimist/node_modules/minimist/package.json,/tmp/ws-scm/labs-air/uiupgrade/IoTCloudStarter/node_modules/optimist/node_modules/minimist/package.json

Dependency Hierarchy:

• karma-4.2.0.tgz (Root Library)
  • optimist-0.6.1.tgz
    • ❌ minimist-0.0.10.tgz (Vulnerable Library)

Vulnerability Details

minimist before 1.2.2 could be tricked into adding or modifying properties of Object.prototype using a "constructor" or "proto" payload.

Publish Date: 2020-03-11

URL: CVE-2020-7598

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://github.com/substack/minimist/commit/63e7ed05aa4b1889ec2f3b196426db4500cbda94

Release Date: 2020-03-11

Fix Resolution: minimist - 0.2.1,1.2.2

Vulnerable Library - moment-2.13.0.min.js

Parse, validate, manipulate, and display dates

Library home page: https://cdnjs.cloudflare.com/ajax/libs/moment.js/2.13.0/moment.min.js

Path to dependency file: /tmp/ws-scm/labs-air/uiupgrade/IoTCloudStarter/node_modules/chartjs-plugin-labels/bower_components/chart.js/samples/scales/time/line-point-data.html

Path to vulnerable library: /labs-air/uiupgrade/IoTCloudStarter/node_modules/chartjs-plugin-labels/bower_components/chart.js/samples/scales/time/line-point-data.html,/labs-air/ui/IoTCloudStarter/node_modules/chartjs-plugin-labels/bower_components/chart.js/samples/scales/time/combo.html

Dependency Hierarchy:

• ❌ moment-2.13.0.min.js (Vulnerable Library)

Found in HEAD commit: 2b36f19c6531f1a3964d83923e752838cd9d62cb

Vulnerability Details

Regular expression denial of service vulnerability in the moment package, by using a specific 40 characters long string in the "format" method.

Publish Date: 2016-10-24

URL: WS-2016-0075

CVSS 2 Score Details (5.8)

Base Score Metrics not available

Suggested Fix

Type: Change files

Origin: moment/moment@663f33e

Release Date: 2016-10-24

Fix Resolution: Replace or update the following files: month.js, lt.js

Vulnerable Libraries - set-value-2.0.0.tgz, set-value-0.4.3.tgz

Found in HEAD commit: 9a56920c214f3897ed1b4c3cc8f0913cb4ca3485

Vulnerability Details

set-value is vulnerable to Prototype Pollution in versions lower than 3.0.1. The function mixin-deep could be tricked into adding or modifying properties of Object.prototype using any of the constructor, prototype and proto payloads.

Publish Date: 2019-08-23

URL: CVE-2019-10747

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: jonschlinkert/set-value@95e9d99

Release Date: 2019-07-24

Fix Resolution: 2.0.1,3.0.1

Vulnerability Details

acorn is vulnerable to REGEX DoS. A regex of the form /[x-\ud800]/u causes the parser to enter an infinite loop. attackers may leverage the vulnerability leading to a Denial of Service since the string is not valid UTF16 and it results in it being sanitized before reaching the parser.

Publish Date: 2020-03-08

URL: WS-2020-0042

CVSS 3 Score Details (5.0)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: N/A
  • Attack Complexity: N/A
  • Privileges Required: N/A
  • User Interaction: N/A
  • Scope: N/A
• Impact Metrics:
  • Confidentiality Impact: N/A
  • Integrity Impact: N/A
  • Availability Impact: N/A

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/1488

Release Date: 2020-03-08

Fix Resolution: 7.1.1

Vulnerable Library - tree-kill-1.2.1.tgz

kill trees of processes

Library home page: https://registry.npmjs.org/tree-kill/-/tree-kill-1.2.1.tgz

Path to dependency file: /tmp/ws-scm/labs-air/ui/ProjectAir/package.json

Path to vulnerable library: /tmp/ws-scm/labs-air/ui/ProjectAir/node_modules/tree-kill/package.json,/tmp/ws-scm/labs-air/ui/ProjectAir/node_modules/tree-kill/package.json,/tmp/ws-scm/labs-air/ui/ProjectAir/node_modules/tree-kill/package.json

Dependency Hierarchy:

• build-angular-0.801.1.tgz (Root Library)
  • ❌ tree-kill-1.2.1.tgz (Vulnerable Library)

Vulnerability Details

A Code Injection exists in tree-kill on Windows which allows a remote code execution when an attacker is able to control the input into the command.

Publish Date: 2019-12-18

URL: CVE-2019-15599

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://hackerone.com/reports/701183

Release Date: 2019-12-18

Fix Resolution: tree-kill - 1.2.2

Vulnerable Library - https-proxy-agent-2.2.2.tgz

An HTTP(s) proxy `http.Agent` implementation for HTTPS

Library home page: https://registry.npmjs.org/https-proxy-agent/-/https-proxy-agent-2.2.2.tgz

Path to dependency file: /tmp/ws-scm/labs-air/uiupgrade/IoTCloudStarter/package.json

Path to vulnerable library: /tmp/ws-scm/labs-air/uiupgrade/IoTCloudStarter/node_modules/https-proxy-agent/package.json,/tmp/ws-scm/labs-air/uiupgrade/IoTCloudStarter/node_modules/https-proxy-agent/package.json

Dependency Hierarchy:

• protractor-5.4.2.tgz (Root Library)
  • browserstack-1.5.2.tgz
    • ❌ https-proxy-agent-2.2.2.tgz (Vulnerable Library)

Vulnerability Details

There is a Machine-In-The-Middle vulnerability found in https-proxy-agent before 2.2.3. There is a failure of TLS enforcement on the socket. Attacker may intercept unencrypted communications.

Publish Date: 2019-12-01

URL: WS-2019-0310

CVSS 2 Score Details (5.0)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/1184

Release Date: 2019-12-01

Fix Resolution: https-proxy-agent - 2.2.3

Vulnerable Library - debug-0.7.4.tgz

small debugging utility

Library home page: https://registry.npmjs.org/debug/-/debug-0.7.4.tgz

Path to dependency file: /tmp/ws-scm/labs-air/ui/ProjectAir/package.json

Path to vulnerable library: /tmp/ws-scm/labs-air/ui/ProjectAir/node_modules/superagent/node_modules/debug/package.json

Dependency Hierarchy:

• component-1.1.0.tgz (Root Library)
  • tiny-lr-fork-0.0.5.tgz
    • ❌ debug-0.7.4.tgz (Vulnerable Library)

Found in HEAD commit: 91b4245b987bd63abaeb49223360180947327d49

Vulnerability Details

The debug module is vulnerable to regular expression denial of service when untrusted user input is passed into the o formatter. It takes around 50k characters to block for 2 seconds making this a low severity issue.

Publish Date: 2018-06-07

URL: CVE-2017-16137

CVSS 3 Score Details (5.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16137

Release Date: 2019-06-05

Fix Resolution: 2.6.9,3.1.0

Vulnerable Library - handlebars-4.1.2.tgz

Handlebars provides the power necessary to let you build semantic templates effectively with no frustration

Library home page: https://registry.npmjs.org/handlebars/-/handlebars-4.1.2.tgz

Path to dependency file: /tmp/ws-scm/labs-air/ui/IoTCloudStarter/package.json

Path to vulnerable library: /tmp/ws-scm/labs-air/uiupgrade/IoTCloudStarter/node_modules/handlebars/package.json,/tmp/ws-scm/labs-air/uiupgrade/IoTCloudStarter/node_modules/handlebars/package.json

Dependency Hierarchy:

• karma-coverage-istanbul-reporter-2.0.5.tgz (Root Library)
  • istanbul-api-2.1.6.tgz
    • istanbul-reports-2.2.6.tgz
      • ❌ handlebars-4.1.2.tgz (Vulnerable Library)

Vulnerability Details

Arbitrary Code Execution vulnerability found in handlebars before 4.5.2. Lookup helper fails to validate templates. Attack may submit templates that execute arbitrary JavaScript in the system.

Publish Date: 2019-12-05

URL: WS-2019-0331

CVSS 2 Score Details (5.0)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/1316

Release Date: 2019-12-05

Fix Resolution: handlebars - 4.5.2

Vulnerable Library - tar-0.1.20.tgz

tar for node

Library home page: https://registry.npmjs.org/tar/-/tar-0.1.20.tgz

Path to dependency file: /tmp/ws-scm/labs-air/ui/ProjectAir/package.json

Path to vulnerable library: /tmp/ws-scm/labs-air/ui/ProjectAir/node_modules/decompress/node_modules/tar/package.json

Dependency Hierarchy:

• component-1.1.0.tgz (Root Library)
  • component-resolver-1.3.0.tgz
    • component-downloader-1.2.0.tgz
      • decompress-0.2.5.tgz
        • ❌ tar-0.1.20.tgz (Vulnerable Library)

Found in HEAD commit: 91b4245b987bd63abaeb49223360180947327d49

Vulnerability Details

The tar module earlier than version 2.0.0 allow for archives to contain symbolic links that will overwrite targets outside the expected path for extraction.

Publish Date: 2015-11-03

URL: WS-2015-0025

CVSS 2 Score Details (7.5)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: https://nodesecurity.io/advisories/57

Release Date: 2015-11-03

Fix Resolution: Update to a version 2.0.0 or greater

Vulnerable Libraries - qs-0.6.5.tgz, qs-0.5.6.tgz

Found in HEAD commit: 91b4245b987bd63abaeb49223360180947327d49

Vulnerability Details

The qs module before 1.0.0 does not have an option or default for specifying object depth and when parsing a string representing a deeply nested object will block the event loop for long periods of time. An attacker could leverage this to cause a temporary denial-of-service condition, for example, in a web application, other requests would not be processed while this blocking is occurring.

Publish Date: 2018-05-31

URL: CVE-2014-10064

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://nodesecurity.io/advisories/28

Release Date: 2014-08-06

Fix Resolution: Update to version 1.0.0 or later

Vulnerable Library - superagent-0.17.0.tgz

elegant & feature rich browser / node HTTP with a fluent API

Library home page: https://registry.npmjs.org/superagent/-/superagent-0.17.0.tgz

Path to dependency file: /tmp/ws-scm/labs-air/ui/ProjectAir/package.json

Path to vulnerable library: /tmp/ws-scm/labs-air/ui/ProjectAir/node_modules/superagent/package.json

Dependency Hierarchy:

• component-1.1.0.tgz (Root Library)
  • ❌ superagent-0.17.0.tgz (Vulnerable Library)

Found in HEAD commit: 91b4245b987bd63abaeb49223360180947327d49

Vulnerability Details

The HTTP client module superagent is vulnerable to ZIP bomb attacks. In a ZIP bomb attack, the HTTP server replies with a compressed response that becomes several magnitudes larger once uncompressed. If a client does not take special care when processing such responses, it may result in excessive CPU and/or memory consumption. An attacker might exploit such a weakness for a DoS attack. To exploit this the attacker must control the location (URL) that superagent makes a request to.

Publish Date: 2018-06-07

URL: CVE-2017-16129

CVSS 3 Score Details (5.9)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2017-16129

Release Date: 2019-04-08

Fix Resolution: 3.7.0

Vulnerable Library - serialize-javascript-1.7.0.tgz

Serialize JavaScript to a superset of JSON that includes regular expressions and functions.

Library home page: https://registry.npmjs.org/serialize-javascript/-/serialize-javascript-1.7.0.tgz

Path to dependency file: /tmp/ws-scm/labs-air/uiupgrade/IoTCloudStarter/package.json

Path to vulnerable library: /tmp/ws-scm/labs-air/uiupgrade/IoTCloudStarter/node_modules/serialize-javascript/package.json,/tmp/ws-scm/labs-air/uiupgrade/IoTCloudStarter/node_modules/serialize-javascript/package.json

Dependency Hierarchy:

• build-angular-0.801.1.tgz (Root Library)
  • copy-webpack-plugin-5.0.3.tgz
    • ❌ serialize-javascript-1.7.0.tgz (Vulnerable Library)

Vulnerability Details

Affected versions of this package are vulnerable to Cross-site Scripting (XSS). It does not properly mitigate against unsafe characters in serialized regular expressions. This vulnerability is not affected on Node.js environment since Node.js's implementation of RegExp.prototype.toString() backslash-escapes all forward slashes in regular expressions. If serialized data of regular expression objects are used in an environment other than Node.js, it is affected by this vulnerability.

Publish Date: 2019-12-05

URL: CVE-2019-16769

CVSS 2 Score Details (5.0)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16769

Release Date: 2019-12-05

Fix Resolution: v2.1.1

Vulnerability Details

ctorName in index.js in kind-of v6.0.2 allows external user input to overwrite certain internal attributes via a conflicting name, as demonstrated by 'constructor': {'name':'Symbol'}. Hence, a crafted payload can overwrite this builtin attribute to manipulate the type detection result.

Publish Date: 2019-12-30

URL: CVE-2019-20149

CVSS 2 Score Details (5.0)

Base Score Metrics not available

Vulnerable Library - https-proxy-agent-0.3.6.tgz

An HTTP(s) proxy `http.Agent` implementation for HTTPS

Library home page: https://registry.npmjs.org/https-proxy-agent/-/https-proxy-agent-0.3.6.tgz

Path to dependency file: /tmp/ws-scm/labs-air/ui/ProjectAir/package.json

Path to vulnerable library: /tmp/ws-scm/labs-air/ui/ProjectAir/node_modules/proxy-agent/node_modules/https-proxy-agent/package.json

Dependency Hierarchy:

• component-1.1.0.tgz (Root Library)
  • component-remotes-1.2.0.tgz
    • cogent-0.4.3-fix-redirects.tgz
      • proxy-agent-1.1.1.tgz
        • ❌ https-proxy-agent-0.3.6.tgz (Vulnerable Library)

Found in HEAD commit: 91b4245b987bd63abaeb49223360180947327d49

Vulnerability Details

https-proxy-agent before 2.1.1 passes auth option to the Buffer constructor without proper sanitization, resulting in DoS and uninitialized memory leak in setups where an attacker could submit typed input to the 'auth' parameter (e.g. JSON).

Publish Date: 2018-06-07

URL: CVE-2018-3739

CVSS 3 Score Details (9.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3739

Release Date: 2018-06-07

Fix Resolution: 2.1.1

Vulnerable Library - handlebars-4.1.2.tgz

Handlebars provides the power necessary to let you build semantic templates effectively with no frustration

Library home page: https://registry.npmjs.org/handlebars/-/handlebars-4.1.2.tgz

Path to dependency file: /tmp/ws-scm/labs-air/ui/IoTCloudStarter/package.json

Path to vulnerable library: /tmp/ws-scm/labs-air/uiupgrade/IoTCloudStarter/node_modules/handlebars/package.json,/tmp/ws-scm/labs-air/uiupgrade/IoTCloudStarter/node_modules/handlebars/package.json

Dependency Hierarchy:

• karma-coverage-istanbul-reporter-2.0.5.tgz (Root Library)
  • istanbul-api-2.1.6.tgz
    • istanbul-reports-2.2.6.tgz
      • ❌ handlebars-4.1.2.tgz (Vulnerable Library)

Vulnerability Details

Prototype Pollution vulnerability found in handlebars.js before 4.5.3. Attacker may use Remote-Code-Execution exploits.

Publish Date: 2020-01-08

URL: WS-2019-0369

CVSS 2 Score Details (5.0)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: https://github.com/wycats/handlebars.js/blob/master/release-notes.md#v453---november-18th-2019

Release Date: 2020-01-08

Fix Resolution: handlebars - 4.5.3

Vulnerable Library - fstream-0.1.31.tgz

Advanced file system stream things

Library home page: https://registry.npmjs.org/fstream/-/fstream-0.1.31.tgz

Path to dependency file: /tmp/ws-scm/labs-air/ui/ProjectAir/package.json

Path to vulnerable library: /tmp/ws-scm/labs-air/ui/ProjectAir/node_modules/fstream/package.json

Dependency Hierarchy:

• component-1.1.0.tgz (Root Library)
  • component-resolver-1.3.0.tgz
    • component-downloader-1.2.0.tgz
      • decompress-0.2.5.tgz
        • tar-0.1.20.tgz
          • ❌ fstream-0.1.31.tgz (Vulnerable Library)

Found in HEAD commit: 91b4245b987bd63abaeb49223360180947327d49

Vulnerability Details

fstream before 1.0.12 is vulnerable to Arbitrary File Overwrite. Extracting tarballs containing a hardlink to a file that already exists in the system, and a file that matches the hardlink, will overwrite the system's file with the contents of the extracted file. The fstream.DirWriter() function is vulnerable.

Publish Date: 2019-07-02

URL: CVE-2019-13173

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: High
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13173

Release Date: 2019-07-02

Fix Resolution: 1.0.12

Vulnerable Library - extend-1.2.1.tgz

Port of jQuery.extend for Node.js

Library home page: https://registry.npmjs.org/extend/-/extend-1.2.1.tgz

Path to dependency file: /tmp/ws-scm/labs-air/ui/ProjectAir/package.json

Path to vulnerable library: /tmp/ws-scm/labs-air/ui/ProjectAir/node_modules/superagent/node_modules/extend/package.json

Dependency Hierarchy:

• component-1.1.0.tgz (Root Library)
  • superagent-0.17.0.tgz
    • ❌ extend-1.2.1.tgz (Vulnerable Library)

Found in HEAD commit: 91b4245b987bd63abaeb49223360180947327d49

Vulnerability Details

A prototype pollution vulnerability was found in module extend <2.0.2, ~<3.0.2 that allows an attacker to inject arbitrary properties onto Object.prototype.

Publish Date: 2019-02-01

URL: CVE-2018-16492

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://hackerone.com/reports/381185

Release Date: 2019-02-01

Fix Resolution: extend - v3.0.2,v2.0.2

Vulnerable Library - mime-1.2.5.tgz

A comprehensive library for mime-type mapping

Library home page: https://registry.npmjs.org/mime/-/mime-1.2.5.tgz

Path to dependency file: /tmp/ws-scm/labs-air/ui/ProjectAir/package.json

Path to vulnerable library: /tmp/ws-scm/labs-air/ui/ProjectAir/node_modules/superagent/node_modules/mime/package.json

Dependency Hierarchy:

• component-1.1.0.tgz (Root Library)
  • superagent-0.17.0.tgz
    • ❌ mime-1.2.5.tgz (Vulnerable Library)

Found in HEAD commit: 91b4245b987bd63abaeb49223360180947327d49

Vulnerability Details

Affected version of mime (1.0.0 throw 1.4.0 and 2.0.0 throw 2.0.2), are vulnerable to regular expression denial of service.

Publish Date: 2017-09-27

URL: WS-2017-0330

CVSS 2 Score Details (5.0)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: broofa/mime@1df903f

Release Date: 2019-04-03

Fix Resolution: 1.4.1,2.0.3

Vulnerable Library - handlebars-4.1.2.tgz

Handlebars provides the power necessary to let you build semantic templates effectively with no frustration

Library home page: https://registry.npmjs.org/handlebars/-/handlebars-4.1.2.tgz

Path to dependency file: /tmp/ws-scm/labs-air/ui/IoTCloudStarter/package.json

Path to vulnerable library: /tmp/ws-scm/labs-air/ui/IoTCloudStarter/node_modules/handlebars/package.json

Dependency Hierarchy:

• karma-coverage-istanbul-reporter-2.0.5.tgz (Root Library)
  • istanbul-api-2.1.6.tgz
    • istanbul-reports-2.2.6.tgz
      • ❌ handlebars-4.1.2.tgz (Vulnerable Library)

Found in HEAD commit: 9a56920c214f3897ed1b4c3cc8f0913cb4ca3485

Vulnerability Details

handlebars before 4.3.0 is vulnerable to Prototype Pollution leading to Remote Code Execution. Templates may alter an Objects' proto and defineGetter properties, which may allow an attacker to execute arbitrary code through crafted payloads.

Publish Date: 2019-10-06

URL: WS-2019-0291

CVSS 2 Score Details (7.3)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/1164

Release Date: 2019-10-06

Fix Resolution: 4.3.0

Vulnerable Libraries - qs-0.6.5.tgz, qs-0.5.6.tgz

Found in HEAD commit: 91b4245b987bd63abaeb49223360180947327d49

Vulnerability Details

The qs module before 1.0.0 in Node.js does not call the compact function for array data, which allows remote attackers to cause a denial of service (memory consumption) by using a large index value to create a sparse array.

Publish Date: 2014-10-19

URL: CVE-2014-7191

CVSS 2 Score Details (5.0)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2014-7191

Release Date: 2014-10-19

Fix Resolution: 1.0.0

Vulnerable Libraries - qs-0.6.5.tgz, qs-0.5.6.tgz

Found in HEAD commit: 91b4245b987bd63abaeb49223360180947327d49

Vulnerability Details

Denial-of-Service Extended Event Loop Blocking.The qs module does not have an option or default for specifying object depth and when parsing a string representing a deeply nested object will block the event loop for long periods of time

Publish Date: 2014-08-06

URL: WS-2014-0005

CVSS 2 Score Details (6.5)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: https://nodesecurity.io/advisories/qs_dos_extended_event_loop_blocking

Release Date: 2014-08-06

Fix Resolution: Update qs to version 1.0.0 or greater

Vulnerable Libraries - minimatch-0.3.0.tgz, minimatch-0.2.14.tgz

Found in HEAD commit: 91b4245b987bd63abaeb49223360180947327d49

Vulnerability Details

Minimatch is a minimal matching utility that works by converting glob expressions into JavaScript RegExp objects. The primary function, minimatch(path, pattern) in Minimatch 3.0.1 and earlier is vulnerable to ReDoS in the pattern parameter.

Publish Date: 2018-05-31

URL: CVE-2016-10540

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://nodesecurity.io/advisories/118

Release Date: 2016-06-20

Fix Resolution: Update to version 3.0.2 or later.

Vulnerable Library - handlebars-4.1.2.tgz

Handlebars provides the power necessary to let you build semantic templates effectively with no frustration

Library home page: https://registry.npmjs.org/handlebars/-/handlebars-4.1.2.tgz

Path to dependency file: /tmp/ws-scm/labs-air/ui/IoTCloudStarter/package.json

Path to vulnerable library: /tmp/ws-scm/labs-air/uiupgrade/IoTCloudStarter/node_modules/handlebars/package.json,/tmp/ws-scm/labs-air/uiupgrade/IoTCloudStarter/node_modules/handlebars/package.json

Dependency Hierarchy:

• karma-coverage-istanbul-reporter-2.0.5.tgz (Root Library)
  • istanbul-api-2.1.6.tgz
    • istanbul-reports-2.2.6.tgz
      • ❌ handlebars-4.1.2.tgz (Vulnerable Library)

Vulnerability Details

Prototype Pollution vulnerability found in handlebars 1.0.6 before 4.5.3. It is possible to add or modify properties to the Object prototype through a malicious template. Attacker may crash the application or execute Arbitrary Code in specific conditions.

Publish Date: 2019-12-05

URL: WS-2019-0333

CVSS 2 Score Details (5.0)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/1325

Release Date: 2019-12-05

Fix Resolution: handlebars - 4.5.3

Vulnerable Library - mime-1.2.5.tgz

A comprehensive library for mime-type mapping

Library home page: https://registry.npmjs.org/mime/-/mime-1.2.5.tgz

Path to dependency file: /tmp/ws-scm/labs-air/ui/ProjectAir/package.json

Path to vulnerable library: /tmp/ws-scm/labs-air/ui/ProjectAir/node_modules/superagent/node_modules/mime/package.json

Dependency Hierarchy:

• component-1.1.0.tgz (Root Library)
  • superagent-0.17.0.tgz
    • ❌ mime-1.2.5.tgz (Vulnerable Library)

Found in HEAD commit: 91b4245b987bd63abaeb49223360180947327d49

Vulnerability Details

The mime module < 1.4.1, 2.0.1, 2.0.2 is vulnerable to regular expression denial of service when a mime lookup is performed on untrusted user input.

Publish Date: 2018-06-07

URL: CVE-2017-16138

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Vulnerable Libraries - jquery-1.7.1.min.js, jquery-1.4.4.min.js

Found in HEAD commit: 9a56920c214f3897ed1b4c3cc8f0913cb4ca3485

Vulnerability Details

jQuery before 3.0.0 is vulnerable to Cross-site Scripting (XSS) attacks when a cross-domain Ajax request is performed without the dataType option, causing text/javascript responses to be executed.

Publish Date: 2018-01-18

URL: CVE-2015-9251

CVSS 3 Score Details (6.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2015-9251

Release Date: 2018-01-18

Fix Resolution: jQuery - v3.0.0

Vulnerable Library - kind-of-6.0.2.tgz

Get the native type of a value.

Library home page: https://registry.npmjs.org/kind-of/-/kind-of-6.0.2.tgz

Path to dependency file: /tmp/ws-scm/labs-air/ui/IoTCloudStarter/package.json

Path to vulnerable library: /tmp/ws-scm/labs-air/docs-preview/node_modules/kind-of/package.json,/tmp/ws-scm/labs-air/docs-preview/node_modules/kind-of/package.json,/tmp/ws-scm/labs-air/docs-preview/node_modules/kind-of/package.json,/tmp/ws-scm/labs-air/docs-preview/node_modules/kind-of/package.json,/tmp/ws-scm/labs-air/docs-preview/node_modules/kind-of/package.json

Dependency Hierarchy:

• postcss-cli-5.0.1.tgz (Root Library)
  • chokidar-2.1.8.tgz
    • anymatch-2.0.0.tgz
      • micromatch-3.1.10.tgz
        • ❌ kind-of-6.0.2.tgz (Vulnerable Library)

Vulnerability Details

Versions of kind-of 6.x prior to 6.0.3 are vulnerable to a Validation Bypass. A maliciously crafted object can alter the result of the type check, allowing attackers to bypass the type checking validation.

Publish Date: 2020-03-18

URL: WS-2019-0381

CVSS 3 Score Details (5.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: Low
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: jonschlinkert/kind-of@975c13a

Release Date: 2020-03-18

Fix Resolution: kind-of - 6.0.3

Vulnerable Libraries - jquery-1.7.1.min.js, jquery-1.4.4.min.js

Found in HEAD commit: 9a56920c214f3897ed1b4c3cc8f0913cb4ca3485

Vulnerability Details

jQuery before 1.9.0 is vulnerable to Cross-site Scripting (XSS) attacks. The jQuery(strInput) function does not differentiate selectors from HTML in a reliable fashion. In vulnerable versions, jQuery determined whether the input was HTML by looking for the '<' character anywhere in the string, giving attackers more flexibility when attempting to construct a malicious payload. In fixed versions, jQuery only deems the input to be HTML if it explicitly starts with the '<' character, limiting exploitability only to attackers who can control the beginning of a string, which is far less common.

Publish Date: 2018-01-18

URL: CVE-2012-6708

CVSS 3 Score Details (6.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2012-6708

Release Date: 2018-01-18

Fix Resolution: jQuery - v1.9.0

Vulnerable Library - handlebars-4.1.2.tgz

Handlebars provides the power necessary to let you build semantic templates effectively with no frustration

Library home page: https://registry.npmjs.org/handlebars/-/handlebars-4.1.2.tgz

Path to dependency file: /tmp/ws-scm/labs-air/ui/IoTCloudStarter/package.json

Path to vulnerable library: /tmp/ws-scm/labs-air/uiupgrade/IoTCloudStarter/node_modules/handlebars/package.json,/tmp/ws-scm/labs-air/uiupgrade/IoTCloudStarter/node_modules/handlebars/package.json

Dependency Hierarchy:

• karma-coverage-istanbul-reporter-2.0.5.tgz (Root Library)
  • istanbul-api-2.1.6.tgz
    • istanbul-reports-2.2.6.tgz
      • ❌ handlebars-4.1.2.tgz (Vulnerable Library)

Vulnerability Details

Arbitrary Code Execution vulnerability found in handlebars before 4.5.3. Lookup helper fails to validate templates. Attack may submit templates that execute arbitrary JavaScript in the system.It is due to an incomplete fix for a WS-2019-0331.

Publish Date: 2019-12-05

URL: WS-2019-0332

CVSS 2 Score Details (5.0)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/1324

Release Date: 2019-12-05

Fix Resolution: handlebars - 4.5.3

Vulnerability Details

The Easy Digital Downloads (EDD) Pushover Notifications extension for WordPress, as used with EDD 1.8.x before 1.8.7, 1.9.x before 1.9.10, 2.0.x before 2.0.5, 2.1.x before 2.1.11, 2.2.x before 2.2.9, and 2.3.x before 2.3.7, has XSS because add_query_arg is misused.

Publish Date: 2019-10-23

URL: CVE-2015-9521

CVSS 2 Score Details (4.3)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: jquery/jquery@b078a62

Release Date: 2019-10-23

Fix Resolution: 2.2.0

Vulnerable Library - bootstrap-4.1.3.min.js

The most popular front-end framework for developing responsive, mobile first projects on the web.

Library home page: https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/4.1.3/js/bootstrap.min.js

Path to dependency file: /tmp/ws-scm/labs-air/docs-preview/themes/tibcolabs/layouts/partials/scripts.html

Path to vulnerable library: /labs-air/docs-preview/themes/tibcolabs/layouts/partials/scripts.html

Dependency Hierarchy:

• ❌ bootstrap-4.1.3.min.js (Vulnerable Library)

Found in HEAD commit: 7e3ff745e3d3ce709bff2a22ad9d393314e7f1fd

Vulnerability Details

In Bootstrap before 3.4.1 and 4.3.x before 4.3.1, XSS is possible in the tooltip or popover data-template attribute.

Publish Date: 2019-02-20

URL: CVE-2019-8331

CVSS 3 Score Details (6.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: twbs/bootstrap#28236

Release Date: 2019-02-20

Fix Resolution: bootstrap - 3.4.1,4.3.1;bootstrap-sass - 3.4.1,4.3.1

Vulnerable Library - mixin-deep-1.3.1.tgz

Deeply mix the properties of objects into the first object. Like merge-deep, but doesn't clone.

Library home page: https://registry.npmjs.org/mixin-deep/-/mixin-deep-1.3.1.tgz

Path to dependency file: /tmp/ws-scm/labs-air/ui/IoTCloudStarter/package.json

Path to vulnerable library: /tmp/ws-scm/labs-air/ui/IoTCloudStarter/node_modules/mixin-deep/package.json

Dependency Hierarchy:

• build-angular-0.801.1.tgz (Root Library)
  • webpack-4.35.2.tgz
    • micromatch-3.1.10.tgz
      • snapdragon-0.8.2.tgz
        • base-0.11.2.tgz
          • ❌ mixin-deep-1.3.1.tgz (Vulnerable Library)

Found in HEAD commit: 9a56920c214f3897ed1b4c3cc8f0913cb4ca3485

Vulnerability Details

mixin-deep is vulnerable to Prototype Pollution in versions before 1.3.2 and version 2.0.0. The function mixin-deep could be tricked into adding or modifying properties of Object.prototype using a constructor payload.

Publish Date: 2019-08-23

URL: CVE-2019-10746

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: jonschlinkert/mixin-deep@8f464c8

Release Date: 2019-07-11

Fix Resolution: 1.3.2

Vulnerable Library - handlebars-4.1.2.tgz

Handlebars provides the power necessary to let you build semantic templates effectively with no frustration

Library home page: https://registry.npmjs.org/handlebars/-/handlebars-4.1.2.tgz

Path to dependency file: /tmp/ws-scm/labs-air/ui/IoTCloudStarter/package.json

Path to vulnerable library: /tmp/ws-scm/labs-air/uiupgrade/IoTCloudStarter/node_modules/handlebars/package.json,/tmp/ws-scm/labs-air/uiupgrade/IoTCloudStarter/node_modules/handlebars/package.json

Dependency Hierarchy:

• karma-coverage-istanbul-reporter-2.0.5.tgz (Root Library)
  • istanbul-api-2.1.6.tgz
    • istanbul-reports-2.2.6.tgz
      • ❌ handlebars-4.1.2.tgz (Vulnerable Library)

Vulnerability Details

A Denial of Service vulnerability found in handlebars 4.x before 4.4.5.While processing specially-crafted templates, the parser may be forced into endless loop. Attackers may exhaust system resources.

Publish Date: 2019-12-01

URL: WS-2019-0318

CVSS 2 Score Details (5.0)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/1300

Release Date: 2019-12-01

Fix Resolution: handlebars - 4.4.5

Vulnerable Library - jquery-1.4.4.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.4.4/jquery.min.js

Path to dependency file: /tmp/ws-scm/labs-air/ui/IoTCloudStarter/node_modules/selenium-webdriver/lib/test/data/selectableItems.html

Path to vulnerable library: /labs-air/ui/IoTCloudStarter/node_modules/selenium-webdriver/lib/test/data/js/jquery-1.4.4.min.js

Dependency Hierarchy:

• ❌ jquery-1.4.4.min.js (Vulnerable Library)

Found in HEAD commit: 9a56920c214f3897ed1b4c3cc8f0913cb4ca3485

Vulnerability Details

Cross-site scripting (XSS) vulnerability in jQuery before 1.6.3, when using location.hash to select elements, allows remote attackers to inject arbitrary web script or HTML via a crafted tag.

Publish Date: 2013-03-08

URL: CVE-2011-4969

CVSS 2 Score Details (4.3)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2011-4969

Release Date: 2013-03-08

Fix Resolution: 1.6.3

Vulnerable Library - semver-2.3.2.tgz

The semantic version parser used by npm.

Library home page: https://registry.npmjs.org/semver/-/semver-2.3.2.tgz

Path to dependency file: /tmp/ws-scm/labs-air/ui/ProjectAir/package.json

Path to vulnerable library: /tmp/ws-scm/labs-air/ui/ProjectAir/node_modules/component-resolver/node_modules/semver/package.json

Dependency Hierarchy:

• component-1.1.0.tgz (Root Library)
  • ❌ semver-2.3.2.tgz (Vulnerable Library)

Vulnerability Details

The semver package before 4.3.2 for Node.js allows attackers to cause a denial of service (CPU consumption) via a long version string, aka a "regular expression denial of service (ReDoS)."

Publish Date: 2017-01-23

URL: CVE-2015-8855

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2015-8855

Release Date: 2017-01-23

Fix Resolution: semver (Npm package) - 4.3.2;Npm (NuGet package) - 2.14.14

Vulnerable Library - tree-kill-1.2.1.tgz

kill trees of processes

Library home page: https://registry.npmjs.org/tree-kill/-/tree-kill-1.2.1.tgz

Path to dependency file: /tmp/ws-scm/labs-air/ui/IoTCloudStarter/package.json

Path to vulnerable library: /tmp/ws-scm/labs-air/uiupgrade/IoTCloudStarter/node_modules/tree-kill/package.json,/tmp/ws-scm/labs-air/uiupgrade/IoTCloudStarter/node_modules/tree-kill/package.json

Dependency Hierarchy:

• build-angular-0.801.1.tgz (Root Library)
  • ❌ tree-kill-1.2.1.tgz (Vulnerable Library)

Found in HEAD commit: 2b36f19c6531f1a3964d83923e752838cd9d62cb

Vulnerability Details

A Command Injection vulnerability found in tree-kill before 1.2.2. The package fails to sanitize values passed to the kill function. If this value is user-controlled it may allow attackers to run arbitrary commands in the server. The issue only affects Windows systems.

Publish Date: 2020-01-15

URL: WS-2020-0005

CVSS 2 Score Details (7.5)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: https://hackerone.com/reports/701183

Release Date: 2020-01-15

Fix Resolution: tree-kill - 1.2.2

Vulnerable Library - decompress-0.2.5.tgz

Easily extract zip, tar and tar.gz archives

Library home page: https://registry.npmjs.org/decompress/-/decompress-0.2.5.tgz

Path to dependency file: /tmp/ws-scm/labs-air/ui/ProjectAir/package.json

Path to vulnerable library: /tmp/ws-scm/labs-air/ui/ProjectAir/node_modules/decompress/package.json

Dependency Hierarchy:

• component-1.1.0.tgz (Root Library)
  • component-resolver-1.3.0.tgz
    • component-downloader-1.2.0.tgz
      • ❌ decompress-0.2.5.tgz (Vulnerable Library)

Vulnerability Details

decompress in all its versions is vulnerable to arbitrary file write. the package fails to prevent an extraction of files with relative paths which allows attackers to write to any folder in the system.

Publish Date: 2020-03-08

URL: WS-2020-0044

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: High
  • Availability Impact: None

Vulnerable Libraries - jquery-1.7.1.min.js, jquery-1.4.4.min.js

Found in HEAD commit: 9a56920c214f3897ed1b4c3cc8f0913cb4ca3485

Vulnerability Details

JQuery, before 2.2.0, is vulnerable to Cross-site Scripting (XSS) attacks via text/javascript response with arbitrary code execution.

Publish Date: 2016-11-27

URL: WS-2016-0090

CVSS 2 Score Details (4.3)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: jquery/jquery@b078a62

Release Date: 2019-04-08

Fix Resolution: 2.2.0

Vulnerable Library - jquery-2.1.3.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/2.1.3/jquery.min.js

Path to dependency file: /tmp/ws-scm/labs-air/ui/IoTCloudStarter/node_modules/chartjs-plugin-labels/bower_components/chart.js/samples/tooltips/custom-points.html

Path to vulnerable library: /labs-air/ui/IoTCloudStarter/node_modules/chartjs-plugin-labels/bower_components/chart.js/samples/tooltips/custom-points.html,/labs-air/uiupgrade/IoTCloudStarter/node_modules/chartjs-plugin-labels/bower_components/chart.js/samples/tooltips/custom-points.html

Dependency Hierarchy:

• ❌ jquery-2.1.3.min.js (Vulnerable Library)

Found in HEAD commit: 2b36f19c6531f1a3964d83923e752838cd9d62cb

Vulnerability Details

jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. If an unsanitized source object contained an enumerable proto property, it could extend the native Object.prototype.

Publish Date: 2019-04-20

URL: CVE-2019-11358

CVSS 3 Score Details (6.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11358

Release Date: 2019-04-20

Fix Resolution: 3.4.0

Vulnerable Library - https-proxy-agent-0.3.6.tgz

An HTTP(s) proxy `http.Agent` implementation for HTTPS

Library home page: https://registry.npmjs.org/https-proxy-agent/-/https-proxy-agent-0.3.6.tgz

Path to dependency file: /tmp/ws-scm/labs-air/ui/ProjectAir/package.json

Path to vulnerable library: /tmp/ws-scm/labs-air/ui/ProjectAir/node_modules/proxy-agent/node_modules/https-proxy-agent/package.json

Dependency Hierarchy:

• component-1.1.0.tgz (Root Library)
  • component-remotes-1.2.0.tgz
    • cogent-0.4.3-fix-redirects.tgz
      • proxy-agent-1.1.1.tgz
        • ❌ https-proxy-agent-0.3.6.tgz (Vulnerable Library)

Found in HEAD commit: 91b4245b987bd63abaeb49223360180947327d49

Vulnerability Details

Versions of https-proxy-agent before 2.2.0 are vulnerable to a denial of service. This is due to unsanitized options (proxy.auth) being passed to Buffer().

Publish Date: 2018-04-25

URL: WS-2018-0072

CVSS 2 Score Details (8.0)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: https://nodesecurity.io/advisories/593

Release Date: 2018-01-27

Fix Resolution: 2.2.0

Vulnerable Library - semver-2.3.2.tgz

The semantic version parser used by npm.

Library home page: https://registry.npmjs.org/semver/-/semver-2.3.2.tgz

Path to dependency file: /tmp/ws-scm/labs-air/ui/ProjectAir/package.json

Path to vulnerable library: /tmp/ws-scm/labs-air/ui/ProjectAir/node_modules/component-resolver/node_modules/semver/package.json

Dependency Hierarchy:

• component-1.1.0.tgz (Root Library)
  • ❌ semver-2.3.2.tgz (Vulnerable Library)

Found in HEAD commit: 91b4245b987bd63abaeb49223360180947327d49

Vulnerability Details

Semver is vulnerable to regular expression denial of service (ReDoS) when extremely long version strings are parsed.

Publish Date: 2015-04-04

URL: WS-2015-0018

CVSS 2 Score Details (5.3)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: https://nodesecurity.io/advisories/31

Release Date: 2015-04-04

Fix Resolution: Update to a version 4.3.2 or greater

Vulnerable Libraries - moment-2.18.1.min.js, moment-2.13.0.min.js

Found in HEAD commit: 2b36f19c6531f1a3964d83923e752838cd9d62cb

Vulnerability Details

The moment module before 2.19.3 for Node.js is prone to a regular expression denial of service via a crafted date string, a different vulnerability than CVE-2016-4055.

Publish Date: 2018-03-04

URL: CVE-2017-18214

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18214

Release Date: 2018-03-04

Fix Resolution: 2.19.3

Vulnerable Library - tar-0.1.20.tgz

tar for node

Library home page: https://registry.npmjs.org/tar/-/tar-0.1.20.tgz

Path to dependency file: /tmp/ws-scm/labs-air/ui/ProjectAir/package.json

Path to vulnerable library: /tmp/ws-scm/labs-air/ui/ProjectAir/node_modules/decompress/node_modules/tar/package.json

Dependency Hierarchy:

• component-1.1.0.tgz (Root Library)
  • component-resolver-1.3.0.tgz
    • component-downloader-1.2.0.tgz
      • decompress-0.2.5.tgz
        • ❌ tar-0.1.20.tgz (Vulnerable Library)

Found in HEAD commit: 91b4245b987bd63abaeb49223360180947327d49

Vulnerability Details

The tar package before 2.0.0 for Node.js allows remote attackers to write to arbitrary files via a symlink attack in an archive.

Publish Date: 2017-01-23

URL: CVE-2015-8860

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: High
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2015-8860

Release Date: 2017-01-23

Fix Resolution: 2.0.0

Vulnerable Library - handlebars-4.1.2.tgz

Handlebars provides the power necessary to let you build semantic templates effectively with no frustration

Library home page: https://registry.npmjs.org/handlebars/-/handlebars-4.1.2.tgz

Path to dependency file: /tmp/ws-scm/labs-air/ui/IoTCloudStarter/package.json

Path to vulnerable library: /tmp/ws-scm/labs-air/uiupgrade/IoTCloudStarter/node_modules/handlebars/package.json,/tmp/ws-scm/labs-air/uiupgrade/IoTCloudStarter/node_modules/handlebars/package.json

Dependency Hierarchy:

• karma-coverage-istanbul-reporter-2.0.5.tgz (Root Library)
  • istanbul-api-2.1.6.tgz
    • istanbul-reports-2.2.6.tgz
      • ❌ handlebars-4.1.2.tgz (Vulnerable Library)

Vulnerability Details

Security vulnerability found in handlebars.js before 4.3.0.

Publish Date: 2020-01-08

URL: WS-2019-0368

CVSS 2 Score Details (3.0)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: handlebars-lang/handlebars.js@2078c72

Release Date: 2020-01-08

Fix Resolution: handlebars - 4.3.0

Vulnerable Library - http-proxy-agent-0.2.7.tgz

An HTTP(s) proxy `http.Agent` implementation for HTTP

Library home page: https://registry.npmjs.org/http-proxy-agent/-/http-proxy-agent-0.2.7.tgz

Path to dependency file: /tmp/ws-scm/labs-air/ui/ProjectAir/package.json

Path to vulnerable library: /tmp/ws-scm/labs-air/ui/ProjectAir/node_modules/proxy-agent/node_modules/http-proxy-agent/package.json

Dependency Hierarchy:

• component-1.1.0.tgz (Root Library)
  • component-remotes-1.2.0.tgz
    • cogent-0.4.3-fix-redirects.tgz
      • proxy-agent-1.1.1.tgz
        • ❌ http-proxy-agent-0.2.7.tgz (Vulnerable Library)

Found in HEAD commit: 91b4245b987bd63abaeb49223360180947327d49

Vulnerability Details

Versions of http-proxy-agent before 2.1.0 are vulnerable to denial of service and uninitialized memory leak when unsanitized options are passed to Buffer.

Publish Date: 2018-04-25

URL: WS-2018-0085

CVSS 2 Score Details (8.0)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: https://nodesecurity.io/advisories/607

Release Date: 2018-01-27

Fix Resolution: 2.1.0

Vulnerable Library - tar-0.1.20.tgz

tar for node

Library home page: https://registry.npmjs.org/tar/-/tar-0.1.20.tgz

Path to dependency file: /tmp/ws-scm/labs-air/ui/ProjectAir/package.json

Path to vulnerable library: /tmp/ws-scm/labs-air/ui/ProjectAir/node_modules/decompress/node_modules/tar/package.json

Dependency Hierarchy:

• component-1.1.0.tgz (Root Library)
  • component-resolver-1.3.0.tgz
    • component-downloader-1.2.0.tgz
      • decompress-0.2.5.tgz
        • ❌ tar-0.1.20.tgz (Vulnerable Library)

Found in HEAD commit: 91b4245b987bd63abaeb49223360180947327d49

Vulnerability Details

A vulnerability was found in node-tar before version 4.4.2 (excluding version 2.2.2). An Arbitrary File Overwrite issue exists when extracting a tarball containing a hardlink to a file that already exists on the system, in conjunction with a later plain file with the same name as the hardlink. This plain file content replaces the existing file content. A patch has been applied to node-tar v2.2.2).

Publish Date: 2019-04-30

URL: CVE-2018-20834

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: High
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://hackerone.com/reports/344595

Release Date: 2019-04-30

Fix Resolution: v4.4.2

Vulnerable Library - component-flatten-1.0.1.tgz

flatten a resolved component tree

Library home page: https://registry.npmjs.org/component-flatten/-/component-flatten-1.0.1.tgz

Path to dependency file: /tmp/ws-scm/labs-air/ui/ProjectAir/package.json

Path to vulnerable library: /tmp/ws-scm/labs-air/ui/ProjectAir/node_modules/component-flatten/package.json

Dependency Hierarchy:

• component-1.1.0.tgz (Root Library)
  • ❌ component-flatten-1.0.1.tgz (Vulnerable Library)

Vulnerability Details

All versions of component-flatten are vulnerable to Prototype Pollution. The a function could be tricked into adding or modifying properties of Object.prototype using a proto payload.

Publish Date: 2020-02-18

URL: CVE-2019-10794

CVSS 2 Score Details (5.0)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10794

Release Date: 2020-02-18

Fix Resolution: 2.0.3

Vulnerability Details

yargs-parser could be tricked into adding or modifying properties of Object.prototype using a "proto" payload.

Publish Date: 2020-03-16

URL: CVE-2020-7608

CVSS 3 Score Details (5.0)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: N/A
  • Attack Complexity: N/A
  • Privileges Required: N/A
  • User Interaction: N/A
  • Scope: N/A
• Impact Metrics:
  • Confidentiality Impact: N/A
  • Integrity Impact: N/A
  • Availability Impact: N/A

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7608

Release Date: 2020-03-16

Fix Resolution: v18.1.1;13.1.2;15.0.1