Vulnerable Library - express-fileupload-0.4.0.tgz
Simple express file upload middleware that wraps around Busboy
Library home page: https://registry.npmjs.org/express-fileupload/-/express-fileupload-0.4.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/express-fileupload/package.json
Found in HEAD commit: d2708792be12ec4955aee513fffe301dcfefc7d8
Vulnerabilities
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
CVE-2022-27261
Vulnerable Library - express-fileupload-0.4.0.tgz
Simple express file upload middleware that wraps around Busboy
Library home page: https://registry.npmjs.org/express-fileupload/-/express-fileupload-0.4.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/express-fileupload/package.json
Dependency Hierarchy:
- ❌ express-fileupload-0.4.0.tgz (Vulnerable Library)
Found in HEAD commit: d2708792be12ec4955aee513fffe301dcfefc7d8
Found in base branch: master
Reachability Analysis
This vulnerability is potentially reachable
dvna-0.0.1/server.js (Application)
-> ❌ express-fileupload-0.4.0/lib/index.js (Vulnerable Component)
Vulnerability Details
An arbitrary file write vulnerability in Express-FileUpload v1.3.1 allows attackers to upload multiple files with the same name, causing an overwrite of files in the web application server.
Publish Date: 2022-04-12
URL: CVE-2022-27261
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 0.4%
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: High
- Availability Impact: None
For more information on CVSS3 Scores, click here.
CVE-2022-24434
Vulnerable Library - dicer-0.2.5.tgz
A very fast streaming multipart parser for node.js
Library home page: https://registry.npmjs.org/dicer/-/dicer-0.2.5.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/dicer/package.json
Dependency Hierarchy:
- express-fileupload-0.4.0.tgz (Root Library)
- busboy-0.2.14.tgz
- ❌ dicer-0.2.5.tgz (Vulnerable Library)
Found in HEAD commit: d2708792be12ec4955aee513fffe301dcfefc7d8
Found in base branch: master
Reachability Analysis
This vulnerability is potentially reachable
dvna-0.0.1/server.js (Application)
-> express-fileupload-0.4.0/lib/index.js (Extension)
-> busboy-0.2.14/lib/main.js (Extension)
-> busboy-0.2.14/lib/types/multipart.js (Extension)
-> dicer-0.2.5/lib/Dicer.js (Extension)
-> ❌ dicer-0.2.5/lib/HeaderParser.js (Vulnerable Component)
Vulnerability Details
This affects all versions of package dicer. A malicious attacker can send a modified form to server, and crash the nodejs service. An attacker could sent the payload again and again so that the service continuously crashes.
Publish Date: 2022-05-20
URL: CVE-2022-24434
Threat Assessment
Exploit Maturity: Functional
EPSS: 2.0%
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2022-24434
Release Date: 2022-05-20
Fix Resolution: no_fix,dicer - no_fix,org.webjars.npm:dicer:no_fix
CVE-2020-7699
Vulnerable Library - express-fileupload-0.4.0.tgz
Simple express file upload middleware that wraps around Busboy
Library home page: https://registry.npmjs.org/express-fileupload/-/express-fileupload-0.4.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/express-fileupload/package.json
Dependency Hierarchy:
- ❌ express-fileupload-0.4.0.tgz (Vulnerable Library)
Found in HEAD commit: d2708792be12ec4955aee513fffe301dcfefc7d8
Found in base branch: master
Reachability Analysis
This vulnerability is potentially reachable
dvna-0.0.1/server.js (Application)
-> ❌ express-fileupload-0.4.0/lib/index.js (Vulnerable Component)
Vulnerability Details
This affects the package express-fileupload before 1.1.8. If the parseNested option is enabled, sending a corrupt HTTP request can lead to denial of service or arbitrary code execution.
Publish Date: 2020-07-30
URL: CVE-2020-7699
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 4.1%
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-9wcg-jrwf-8gg7
Release Date: 2020-07-30
Fix Resolution: express-fileupload - 1.1.9
WS-2019-0314
Vulnerable Library - express-fileupload-0.4.0.tgz
Simple express file upload middleware that wraps around Busboy
Library home page: https://registry.npmjs.org/express-fileupload/-/express-fileupload-0.4.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/express-fileupload/package.json
Dependency Hierarchy:
- ❌ express-fileupload-0.4.0.tgz (Vulnerable Library)
Found in HEAD commit: d2708792be12ec4955aee513fffe301dcfefc7d8
Found in base branch: master
Reachability Analysis
This vulnerability is potentially reachable
dvna-0.0.1/server.js (Application)
-> ❌ express-fileupload-0.4.0/lib/index.js (Vulnerable Component)
Vulnerability Details
In "richardgirges/express-fileupload", versions prior to v1.1.6-alpha.6 are vulnerable to DOS, as a result of an unparsed file name.
Publish Date: 2019-10-18
URL: WS-2019-0314
Threat Assessment
Exploit Maturity: Not Defined
EPSS:
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: Low
For more information on CVSS3 Scores, click here.
Simple express file upload middleware that wraps around Busboy
Library home page: https://registry.npmjs.org/express-fileupload/-/express-fileupload-0.4.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/express-fileupload/package.json
Found in HEAD commit: d2708792be12ec4955aee513fffe301dcfefc7d8
Vulnerabilities
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
Vulnerable Library - express-fileupload-0.4.0.tgz
Simple express file upload middleware that wraps around Busboy
Library home page: https://registry.npmjs.org/express-fileupload/-/express-fileupload-0.4.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/express-fileupload/package.json
Dependency Hierarchy:
Found in HEAD commit: d2708792be12ec4955aee513fffe301dcfefc7d8
Found in base branch: master
Reachability Analysis
This vulnerability is potentially reachable
Vulnerability Details
An arbitrary file write vulnerability in Express-FileUpload v1.3.1 allows attackers to upload multiple files with the same name, causing an overwrite of files in the web application server.
Publish Date: 2022-04-12
URL: CVE-2022-27261
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 0.4%
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: High
- Availability Impact: None
For more information on CVSS3 Scores, click here.Vulnerable Library - dicer-0.2.5.tgz
A very fast streaming multipart parser for node.js
Library home page: https://registry.npmjs.org/dicer/-/dicer-0.2.5.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/dicer/package.json
Dependency Hierarchy:
Found in HEAD commit: d2708792be12ec4955aee513fffe301dcfefc7d8
Found in base branch: master
Reachability Analysis
This vulnerability is potentially reachable
Vulnerability Details
This affects all versions of package dicer. A malicious attacker can send a modified form to server, and crash the nodejs service. An attacker could sent the payload again and again so that the service continuously crashes.
Publish Date: 2022-05-20
URL: CVE-2022-24434
Threat Assessment
Exploit Maturity: Functional
EPSS: 2.0%
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2022-24434
Release Date: 2022-05-20
Fix Resolution: no_fix,dicer - no_fix,org.webjars.npm:dicer:no_fix
Vulnerable Library - express-fileupload-0.4.0.tgz
Simple express file upload middleware that wraps around Busboy
Library home page: https://registry.npmjs.org/express-fileupload/-/express-fileupload-0.4.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/express-fileupload/package.json
Dependency Hierarchy:
Found in HEAD commit: d2708792be12ec4955aee513fffe301dcfefc7d8
Found in base branch: master
Reachability Analysis
This vulnerability is potentially reachable
Vulnerability Details
This affects the package express-fileupload before 1.1.8. If the parseNested option is enabled, sending a corrupt HTTP request can lead to denial of service or arbitrary code execution.
Publish Date: 2020-07-30
URL: CVE-2020-7699
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 4.1%
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-9wcg-jrwf-8gg7
Release Date: 2020-07-30
Fix Resolution: express-fileupload - 1.1.9
Vulnerable Library - express-fileupload-0.4.0.tgz
Simple express file upload middleware that wraps around Busboy
Library home page: https://registry.npmjs.org/express-fileupload/-/express-fileupload-0.4.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/express-fileupload/package.json
Dependency Hierarchy:
Found in HEAD commit: d2708792be12ec4955aee513fffe301dcfefc7d8
Found in base branch: master
Reachability Analysis
This vulnerability is potentially reachable
Vulnerability Details
In "richardgirges/express-fileupload", versions prior to v1.1.6-alpha.6 are vulnerable to DOS, as a result of an unparsed file name.
Publish Date: 2019-10-18
URL: WS-2019-0314
Threat Assessment
Exploit Maturity: Not Defined
EPSS:
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: Low
For more information on CVSS3 Scores, click here.