📂 Vulnerable Library - download-7.1.0.tgz
Download and extract files
Path to dependency file: /script/vsts/package.json
Findings

| Finding | Severity | 🎯 CVSS | Exploit Maturity | EPSS | Library | Type | Fixed in | Remediation Available | Reachability |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| CVE-2020-12265 | 🟣 Critical | 9.3 | Not Defined | < 1% | decompress-tar-4.1.1.tgz | Transitive | N/A | ❌ | |
| CVE-2022-38900 | 🔴 High | 8.7 | Not Defined | < 1% | decode-uri-component-0.2.0.tgz | Transitive | N/A | ❌ | |
| CVE-2020-8244 | 🟠 Medium | 6.9 | Not Defined | < 1% | bl-1.2.2.tgz | Transitive | N/A | ❌ | |
| CVE-2022-25881 | 🟠 Medium | 6.9 | Not Defined | < 1% | http-cache-semantics-3.8.1.tgz | Transitive | N/A | ❌ | |
| CVE-2022-33987 | 🟠 Medium | 6.9 | Not Defined | < 1% | got-8.3.2.tgz | Transitive | N/A | ❌ | |
Details
🟣CVE-2020-12265
Vulnerable Library - decompress-tar-4.1.1.tgz
decompress tar plugin
Library home page: https://registry.npmjs.org/decompress-tar/-/decompress-tar-4.1.1.tgz
Path to dependency file: /script/vsts/package.json
Dependency Hierarchy:
- download-7.1.0.tgz (Root Library)
  - decompress-4.2.1.tgz
    - decompress-targz-4.1.1.tgz
      - ❌ decompress-tar-4.1.1.tgz (Vulnerable Library)
Vulnerability Details
The decompress package before 4.2.1 for Node.js is vulnerable to arbitrary file write through directory traversal: an archive member can carry `../` segments in its path, or first plant a symlink that points outside the destination directory and then write a file through it, and the extractor follows both. decompress 4.2.1 fixes this in the core package, and the hierarchy above already carries decompress 4.2.1. The finding here is against decompress-tar, the tar plugin for decompress, which does the actual tar extraction and is affected by CVE-2020-12265 with no fixed version published; that is why the table shows no remediation available even though a fix exists for decompress itself.
Publish Date: Apr 26, 2020 04:46 PM
URL: CVE-2020-12265
Threat Assessment
Exploit Maturity: Not Defined
EPSS: < 1%
Score: 9.3
Suggested Fix
Type: Upgrade version
Origin: GHSA-qgfr-5hqp-vrw9
Release Date: Apr 26, 2020 04:46 PM
Fix Resolution: decompress - 4.2.1
🔴CVE-2022-38900
Vulnerable Library - decode-uri-component-0.2.0.tgz
A better decodeURIComponent
Library home page: https://registry.npmjs.org/decode-uri-component/-/decode-uri-component-0.2.0.tgz
Path to dependency file: /apm/package.json
Dependency Hierarchy:
- stylelint-9.3.0.tgz (Root Library)
  - globby-8.0.1.tgz
    - fast-glob-2.2.2.tgz
      - micromatch-3.1.10.tgz
        - snapdragon-0.8.2.tgz
          - source-map-resolve-0.5.2.tgz
            - ❌ decode-uri-component-0.2.0.tgz (Vulnerable Library)
- download-7.1.0.tgz (Root Library)
  - got-8.3.2.tgz
    - cacheable-request-2.1.4.tgz
      - normalize-url-2.0.1.tgz
        - query-string-5.1.1.tgz
          - ❌ decode-uri-component-0.2.0.tgz (Vulnerable Library)
- atom-package-manager-2.6.5.tgz (Root Library)
  - npm-6.14.17.tgz
    - query-string-6.8.2.tgz
      - ❌ decode-uri-component-0.2.0.tgz (Vulnerable Library)
Vulnerability Details
decode-uri-component 0.2.0 is vulnerable to Improper Input Validation resulting in DoS.
Publish Date: Nov 28, 2022 12:00 AM
URL: CVE-2022-38900
Threat Assessment
Exploit Maturity: Not Defined
EPSS: < 1%
Score: 8.7
Suggested Fix
Type: Upgrade version
Origin:
Release Date:
Fix Resolution :
🟠CVE-2020-8244
Vulnerable Library - bl-1.2.2.tgz
Buffer List: collect buffers and access with a standard readable Buffer interface, streamable too!
Library home page: https://registry.npmjs.org/bl/-/bl-1.2.2.tgz
Path to dependency file: /package.json
Dependency Hierarchy:
- watcher-1.3.1.tgz (Root Library)
- download-7.1.0.tgz (Root Library)
Vulnerability Details
A buffer over-read vulnerability exists in bl before 4.0.3, 3.0.1, 2.2.1 and 1.2.3. If attacker-controlled input (even a typed value, not only a string) reaches the argument of consume() and can be negative, the BufferList's internal offsets are corrupted, and subsequent ordinary .slice() calls return uninitialized memory.
Publish Date: Aug 30, 2020 01:43 PM
URL: CVE-2020-8244
Threat Assessment
Exploit Maturity: Not Defined
EPSS: < 1%
Score: 6.9
Suggested Fix
Type: Upgrade version
Origin: GHSA-pp7h-53gx-mx7r
Release Date: Aug 30, 2020 01:43 PM
Fix Resolution: bl - 1.2.3, bl - 2.2.1, bl - 3.0.1, bl - 4.0.3 (the 1.x line in use here is fixed by 1.2.3)
🟠CVE-2022-25881
Vulnerable Library - http-cache-semantics-3.8.1.tgz
Parses Cache-Control and other headers. Helps building correct HTTP caches and proxies
Library home page: https://registry.npmjs.org/http-cache-semantics/-/http-cache-semantics-3.8.1.tgz
Path to dependency file: /script/vsts/package.json
Dependency Hierarchy:
- download-7.1.0.tgz (Root Library)
- atom-package-manager-2.6.5.tgz (Root Library)
Vulnerability Details
This affects versions of http-cache-semantics before 4.1.1, which are open to regular expression denial of service (ReDoS) when parsing cache-related header values. A server that builds a cache policy from an incoming request with this library can be tied up by a crafted request header value. Note that in this dependency tree the library is reached through an HTTP client (got via cacheable-request), so the header values it parses come from the responses of the servers the build script downloads from rather than from inbound requests.
Publish Date: Jan 31, 2023 05:00 AM
URL: CVE-2022-25881
Threat Assessment
Exploit Maturity: Not Defined
EPSS: < 1%
Score: 6.9
Suggested Fix
Type: Upgrade version
Origin: GHSA-rc47-6667-2j5j
Release Date: Jan 31, 2023 05:00 AM
Fix Resolution: http-cache-semantics - 4.1.1 (also published as the Maven webjar org.webjars.npm:http-cache-semantics:4.1.1)
🟠CVE-2022-33987
Vulnerable Library - got-8.3.2.tgz
Simplified HTTP requests
Library home page: https://registry.npmjs.org/got/-/got-8.3.2.tgz
Path to dependency file: /script/vsts/package.json
Dependency Hierarchy:
- download-7.1.0.tgz (Root Library)
- ❌ got-8.3.2.tgz (Vulnerable Library)
Vulnerability Details
The got package before 12.1.0 (also fixed in 11.8.5) for Node.js follows an HTTP redirect whose Location points at a UNIX domain socket, so a server the client talks to can steer the request to a local socket file on the client machine.
Publish Date: Jun 18, 2022 08:51 PM
URL: CVE-2022-33987
Threat Assessment
Exploit Maturity: Not Defined
EPSS: < 1%
Score: 6.9
Suggested Fix
Type: Upgrade version
Origin: GHSA-pfrx-2q88-qq97
Release Date: Jun 18, 2022 08:51 PM
Fix Resolution: got - 11.8.5, got - 12.1.0