Skip to content

@neftie/backend-0.0.0.tgz: 22 vulnerabilities (highest severity is: 9.8) #29

Open
Open
@neftie/backend-0.0.0.tgz: 22 vulnerabilities (highest severity is: 9.8)#29
Labels
Mend: dependency security vulnerabilitySecurity vulnerability detected by WhiteSource
@mend-bolt-for-github

Description

@mend-bolt-for-github
mend-bolt-for-github
bot
opened on May 26, 2022
Vulnerable Library - @neftie/backend-0.0.0.tgz

Path to dependency file: /package.json

Found in HEAD commit: 8e14993dfa9224814b31a2944ee9c5a18cccd4a1

Vulnerabilities

CVE Severity CVSS Dependency Type Fixed in (@neftie/backend version) Remediation Possible**
CVE-2022-2216 Critical 9.8 parse-url-5.0.7.tgz Transitive N/A*
CVE-2022-27140 Critical 9.8 express-fileupload-1.3.1.tgz Transitive N/A*
CVE-2022-2900 Critical 9.1 parse-url-5.0.7.tgz Transitive N/A*
CVE-2022-46175 High 8.8 json5-2.2.1.tgz Transitive N/A*
CVE-2022-23539 High 8.1 jsonwebtoken-8.5.1.tgz Transitive N/A*
CVE-2022-23540 High 7.6 jsonwebtoken-8.5.1.tgz Transitive N/A*
CVE-2022-0722 High 7.5 parse-url-5.0.7.tgz Transitive N/A*
CVE-2023-26920 High 7.5 fast-xml-parser-3.19.0.tgz Transitive N/A*
CVE-2022-31129 High 7.5 moment-2.29.3.tgz Transitive N/A*
CVE-2022-38900 High 7.5 decode-uri-component-0.2.0.tgz Transitive N/A*
CVE-2022-24434 High 7.5 dicer-0.3.0.tgz Transitive N/A*
CVE-2023-34104 High 7.5 fast-xml-parser-3.19.0.tgz Transitive N/A*
WS-2022-0237 High 7.5 parse-url-5.0.7.tgz Transitive N/A*
WS-2022-0238 High 7.5 parse-url-5.0.7.tgz Transitive N/A*
CVE-2022-27261 High 7.5 express-fileupload-1.3.1.tgz Transitive N/A*
CVE-2022-0624 High 7.3 parse-path-4.0.3.tgz Transitive N/A*
CVE-2022-23541 Medium 6.3 jsonwebtoken-8.5.1.tgz Transitive N/A*
CVE-2022-3224 Medium 6.1 parse-url-5.0.7.tgz Transitive N/A*
CVE-2022-2217 Medium 6.1 parse-url-5.0.7.tgz Transitive N/A*
CVE-2022-2218 Medium 6.1 parse-url-5.0.7.tgz Transitive N/A*
WS-2022-0239 Medium 6.1 parse-url-5.0.7.tgz Transitive N/A*
CVE-2022-36313 Medium 5.5 file-type-16.5.3.tgz Transitive N/A*

*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2022-2216

Vulnerable Library - parse-url-5.0.7.tgz

An advanced url parser supporting git urls too.

Library home page: https://registry.npmjs.org/parse-url/-/parse-url-5.0.7.tgz

Dependency Hierarchy:

  • @neftie/backend-0.0.0.tgz (Root Library)
    • parse-url-5.0.7.tgz (Vulnerable Library)

Found in HEAD commit: 8e14993dfa9224814b31a2944ee9c5a18cccd4a1

Found in base branch: main

Vulnerability Details

Server-Side Request Forgery (SSRF) in GitHub repository ionicabizau/parse-url prior to 7.0.0.

Publish Date: 2022-06-27

URL: CVE-2022-2216

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://huntr.dev/bounties/505a3d39-2723-4a06-b1f7-9b2d133c92e1/

Release Date: 2022-06-27

Fix Resolution: parse-url - 6.0.1

Step up your Open Source Security Game with Mend here

CVE-2022-27140

Vulnerable Library - express-fileupload-1.3.1.tgz

Simple express file upload middleware that wraps around Busboy

Library home page: https://registry.npmjs.org/express-fileupload/-/express-fileupload-1.3.1.tgz

Dependency Hierarchy:

  • @neftie/backend-0.0.0.tgz (Root Library)
    • express-fileupload-1.3.1.tgz (Vulnerable Library)

Found in HEAD commit: 8e14993dfa9224814b31a2944ee9c5a18cccd4a1

Found in base branch: main

Vulnerability Details

** DISPUTED ** An arbitrary file upload vulnerability in the file upload module of express-fileupload 1.3.1 allows attackers to execute arbitrary code via a crafted PHP file. NOTE: the vendor's position is that the observed behavior can only occur with "intentional misusing of the API": the express-fileupload middleware is not responsible for an application's business logic (e.g., determining whether or how a file should be renamed).

Publish Date: 2022-04-12

URL: CVE-2022-27140

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Step up your Open Source Security Game with Mend here

CVE-2022-2900

Vulnerable Library - parse-url-5.0.7.tgz

An advanced url parser supporting git urls too.

Library home page: https://registry.npmjs.org/parse-url/-/parse-url-5.0.7.tgz

Dependency Hierarchy:

  • @neftie/backend-0.0.0.tgz (Root Library)
    • parse-url-5.0.7.tgz (Vulnerable Library)

Found in HEAD commit: 8e14993dfa9224814b31a2944ee9c5a18cccd4a1

Found in base branch: main

Vulnerability Details

Server-Side Request Forgery (SSRF) in GitHub repository ionicabizau/parse-url prior to 8.1.0.

Publish Date: 2022-09-14

URL: CVE-2022-2900

CVSS 3 Score Details (9.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2022-09-14

Fix Resolution: parse-url - 8.0.0

Step up your Open Source Security Game with Mend here

CVE-2022-46175

Vulnerable Library - json5-2.2.1.tgz

JSON for humans.

Library home page: https://registry.npmjs.org/json5/-/json5-2.2.1.tgz

Dependency Hierarchy:

  • @neftie/backend-0.0.0.tgz (Root Library)
    • tsconfig-paths-4.0.0.tgz
      • json5-2.2.1.tgz (Vulnerable Library)

Found in HEAD commit: 8e14993dfa9224814b31a2944ee9c5a18cccd4a1

Found in base branch: main

Vulnerability Details

JSON5 is an extension to the popular JSON file format that aims to be easier to write and maintain by hand (e.g. for config files). The parse method of the JSON5 library before and including versions 1.0.1 and 2.2.1 does not restrict parsing of keys named __proto__, allowing specially crafted strings to pollute the prototype of the resulting object. This vulnerability pollutes the prototype of the object returned by JSON5.parse and not the global Object prototype, which is the commonly understood definition of Prototype Pollution. However, polluting the prototype of a single object can have significant security impact for an application if the object is later used in trusted operations. This vulnerability could allow an attacker to set arbitrary and unexpected keys on the object returned from JSON5.parse. The actual impact will depend on how applications utilize the returned object and how they filter unwanted keys, but could include denial of service, cross-site scripting, elevation of privilege, and in extreme cases, remote code execution. JSON5.parse should restrict parsing of __proto__ keys when parsing JSON strings to objects. As a point of reference, the JSON.parse method included in JavaScript ignores __proto__ keys. Simply changing JSON5.parse to JSON.parse in the examples above mitigates this vulnerability. This vulnerability is patched in json5 versions 1.0.2, 2.2.2, and later.

Publish Date: 2022-12-24

URL: CVE-2022-46175

CVSS 3 Score Details (8.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2022-46175

Release Date: 2022-12-24

Fix Resolution: json5 - 2.2.2

Step up your Open Source Security Game with Mend here

CVE-2022-23539

Vulnerable Library - jsonwebtoken-8.5.1.tgz

JSON Web Token implementation (symmetric and asymmetric)

Library home page: https://registry.npmjs.org/jsonwebtoken/-/jsonwebtoken-8.5.1.tgz

Dependency Hierarchy:

  • @neftie/backend-0.0.0.tgz (Root Library)
    • jsonwebtoken-8.5.1.tgz (Vulnerable Library)

Found in HEAD commit: 8e14993dfa9224814b31a2944ee9c5a18cccd4a1

Found in base branch: main

Vulnerability Details

Versions <=8.5.1 of jsonwebtoken library could be misconfigured so that legacy, insecure key types are used for signature verification. For example, DSA keys could be used with the RS256 algorithm. You are affected if you are using an algorithm and a key type other than a combination listed in the GitHub Security Advisory as unaffected. This issue has been fixed, please update to version 9.0.0. This version validates for asymmetric key type and algorithm combinations. Please refer to the above mentioned algorithm / key type combinations for the valid secure configuration. After updating to version 9.0.0, if you still intend to continue with signing or verifying tokens using invalid key type/algorithm value combinations, you’ll need to set the allowInvalidAsymmetricKeyTypes option to true in the sign() and/or verify() functions.

Publish Date: 2022-12-23

URL: CVE-2022-23539

CVSS 3 Score Details (8.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-8cf7-32gw-wr33

Release Date: 2022-12-23

Fix Resolution: jsonwebtoken - 9.0.0

Step up your Open Source Security Game with Mend here

CVE-2022-23540

Vulnerable Library - jsonwebtoken-8.5.1.tgz

JSON Web Token implementation (symmetric and asymmetric)

Library home page: https://registry.npmjs.org/jsonwebtoken/-/jsonwebtoken-8.5.1.tgz

Dependency Hierarchy:

  • @neftie/backend-0.0.0.tgz (Root Library)
    • jsonwebtoken-8.5.1.tgz (Vulnerable Library)

Found in HEAD commit: 8e14993dfa9224814b31a2944ee9c5a18cccd4a1

Found in base branch: main

Vulnerability Details

In versions <=8.5.1 of jsonwebtoken library, lack of algorithm definition in the jwt.verify() function can lead to signature validation bypass due to defaulting to the none algorithm for signature verification. Users are affected if you do not specify algorithms in the jwt.verify() function. This issue has been fixed, please update to version 9.0.0 which removes the default support for the none algorithm in the jwt.verify() method. There will be no impact, if you update to version 9.0.0 and you don’t need to allow for the none algorithm. If you need 'none' algorithm, you have to explicitly specify that in jwt.verify() options.

Publish Date: 2022-12-22

URL: CVE-2022-23540

CVSS 3 Score Details (7.6)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: High
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2022-23540

Release Date: 2022-12-22

Fix Resolution: jsonwebtoken - 9.0.0

Step up your Open Source Security Game with Mend here

CVE-2022-0722

Vulnerable Library - parse-url-5.0.7.tgz

An advanced url parser supporting git urls too.

Library home page: https://registry.npmjs.org/parse-url/-/parse-url-5.0.7.tgz

Dependency Hierarchy:

  • @neftie/backend-0.0.0.tgz (Root Library)
    • parse-url-5.0.7.tgz (Vulnerable Library)

Found in HEAD commit: 8e14993dfa9224814b31a2944ee9c5a18cccd4a1

Found in base branch: main

Vulnerability Details

Exposure of Sensitive Information to an Unauthorized Actor in GitHub repository ionicabizau/parse-url prior to 7.0.0.

Publish Date: 2022-06-27

URL: CVE-2022-0722

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://huntr.dev/bounties/2490ef6d-5577-4714-a4dd-9608251b4226

Release Date: 2022-06-27

Fix Resolution: parse-url - 6.0.1

Step up your Open Source Security Game with Mend here

CVE-2023-26920

Vulnerable Library - fast-xml-parser-3.19.0.tgz

Validate XML or Parse XML to JS/JSON very fast without C/C++ based libraries

Library home page: https://registry.npmjs.org/fast-xml-parser/-/fast-xml-parser-3.19.0.tgz

Dependency Hierarchy:

  • @neftie/backend-0.0.0.tgz (Root Library)
    • client-s3-3.83.0.tgz
      • fast-xml-parser-3.19.0.tgz (Vulnerable Library)

Found in HEAD commit: 8e14993dfa9224814b31a2944ee9c5a18cccd4a1

Found in base branch: main

Vulnerability Details

fast-xml-parser prior to 4.1.2 is vulnerable to Prototype Pollution through tag or attribute name.

Publish Date: 2023-02-27

URL: CVE-2023-26920

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-x3cc-x39p-42qx

Release Date: 2023-02-27

Fix Resolution: fast-xml-parser - 4.1.2

Step up your Open Source Security Game with Mend here

CVE-2022-31129

Vulnerable Library - moment-2.29.3.tgz

Parse, validate, manipulate, and display dates

Library home page: https://registry.npmjs.org/moment/-/moment-2.29.3.tgz

Dependency Hierarchy:

  • @neftie/backend-0.0.0.tgz (Root Library)
    • winston-daily-rotate-file-4.6.1.tgz
      • file-stream-rotator-0.6.1.tgz
        • moment-2.29.3.tgz (Vulnerable Library)

Found in HEAD commit: 8e14993dfa9224814b31a2944ee9c5a18cccd4a1

Found in base branch: main

Vulnerability Details

moment is a JavaScript date library for parsing, validating, manipulating, and formatting dates. Affected versions of moment were found to use an inefficient parsing algorithm. Specifically using string-to-date parsing in moment (more specifically rfc2822 parsing, which is tried by default) has quadratic (N^2) complexity on specific inputs. Users may notice a noticeable slowdown is observed with inputs above 10k characters. Users who pass user-provided strings without sanity length checks to moment constructor are vulnerable to (Re)DoS attacks. The problem is patched in 2.29.4, the patch can be applied to all affected versions with minimal tweaking. Users are advised to upgrade. Users unable to upgrade should consider limiting date lengths accepted from user input.

Publish Date: 2022-07-06

URL: CVE-2022-31129

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-wc69-rhjr-hc9g

Release Date: 2022-07-06

Fix Resolution: moment - 2.29.4

Step up your Open Source Security Game with Mend here

CVE-2022-38900

Vulnerable Library - decode-uri-component-0.2.0.tgz

A better decodeURIComponent

Library home page: https://registry.npmjs.org/decode-uri-component/-/decode-uri-component-0.2.0.tgz

Dependency Hierarchy:

  • @neftie/backend-0.0.0.tgz (Root Library)
    • parse-url-5.0.7.tgz
      • parse-path-4.0.3.tgz
        • query-string-6.14.1.tgz
          • decode-uri-component-0.2.0.tgz (Vulnerable Library)

Found in HEAD commit: 8e14993dfa9224814b31a2944ee9c5a18cccd4a1

Found in base branch: main

Vulnerability Details

decode-uri-component 0.2.0 is vulnerable to Improper Input Validation resulting in DoS.

Publish Date: 2022-11-28

URL: CVE-2022-38900

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-w573-4hg7-7wgq

Release Date: 2022-11-28

Fix Resolution: decode-uri-component - 0.2.1

Step up your Open Source Security Game with Mend here

CVE-2022-24434

Vulnerable Library - dicer-0.3.0.tgz

A very fast streaming multipart parser for node.js

Library home page: https://registry.npmjs.org/dicer/-/dicer-0.3.0.tgz

Dependency Hierarchy:

  • @neftie/backend-0.0.0.tgz (Root Library)
    • express-fileupload-1.3.1.tgz
      • busboy-0.3.1.tgz
        • dicer-0.3.0.tgz (Vulnerable Library)

Found in HEAD commit: 8e14993dfa9224814b31a2944ee9c5a18cccd4a1

Found in base branch: main

Vulnerability Details

This affects all versions of package dicer. A malicious attacker can send a modified form to server, and crash the nodejs service. An attacker could sent the payload again and again so that the service continuously crashes.

Publish Date: 2022-05-20

URL: CVE-2022-24434

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Step up your Open Source Security Game with Mend here

CVE-2023-34104

Vulnerable Library - fast-xml-parser-3.19.0.tgz

Validate XML or Parse XML to JS/JSON very fast without C/C++ based libraries

Library home page: https://registry.npmjs.org/fast-xml-parser/-/fast-xml-parser-3.19.0.tgz

Dependency Hierarchy:

  • @neftie/backend-0.0.0.tgz (Root Library)
    • client-s3-3.83.0.tgz
      • fast-xml-parser-3.19.0.tgz (Vulnerable Library)

Found in HEAD commit: 8e14993dfa9224814b31a2944ee9c5a18cccd4a1

Found in base branch: main

Vulnerability Details

fast-xml-parser is an open source, pure javascript xml parser. fast-xml-parser allows special characters in entity names, which are not escaped or sanitized. Since the entity name is used for creating a regex for searching and replacing entities in the XML body, an attacker can abuse it for denial of service (DoS) attacks. By crafting an entity name that results in an intentionally bad performing regex and utilizing it in the entity replacement step of the parser, this can cause the parser to stall for an indefinite amount of time. This problem has been resolved in v4.2.4. Users are advised to upgrade. Users unable to upgrade should avoid using DOCTYPE parsing by setting the processEntities: false option.

Publish Date: 2023-06-06

URL: CVE-2023-34104

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-6w63-h3fj-q4vw

Release Date: 2023-06-06

Fix Resolution: fast-xml-parser - 4.2.4

Step up your Open Source Security Game with Mend here

WS-2022-0237

Vulnerable Library - parse-url-5.0.7.tgz

An advanced url parser supporting git urls too.

Library home page: https://registry.npmjs.org/parse-url/-/parse-url-5.0.7.tgz

Dependency Hierarchy:

  • @neftie/backend-0.0.0.tgz (Root Library)
    • parse-url-5.0.7.tgz (Vulnerable Library)

Found in HEAD commit: 8e14993dfa9224814b31a2944ee9c5a18cccd4a1

Found in base branch: main

Vulnerability Details

Regular Expression Denial of Service (ReDoS) in ionicabizau/parse-url before 8.0.0.
It allows cause a denial of service when calling function parse-url

Publish Date: 2022-07-04

URL: WS-2022-0237

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2022-07-04

Fix Resolution: parse-url - 8.0.0

Step up your Open Source Security Game with Mend here

WS-2022-0238

Vulnerable Library - parse-url-5.0.7.tgz

An advanced url parser supporting git urls too.

Library home page: https://registry.npmjs.org/parse-url/-/parse-url-5.0.7.tgz

Dependency Hierarchy:

  • @neftie/backend-0.0.0.tgz (Root Library)
    • parse-url-5.0.7.tgz (Vulnerable Library)

Found in HEAD commit: 8e14993dfa9224814b31a2944ee9c5a18cccd4a1

Found in base branch: main

Vulnerability Details

File Protocol Spoofing in parse-url before 8.0.0 can lead to attacks, such as XSS, Arbitrary Read/Write File, and Remote Code Execution.

Publish Date: 2022-06-30

URL: WS-2022-0238

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://huntr.dev/bounties/52060edb-e426-431b-a0d0-e70407e44f18/

Release Date: 2022-06-30

Fix Resolution: parse-url - 8.0.0

Step up your Open Source Security Game with Mend here

CVE-2022-27261

Vulnerable Library - express-fileupload-1.3.1.tgz

Simple express file upload middleware that wraps around Busboy

Library home page: https://registry.npmjs.org/express-fileupload/-/express-fileupload-1.3.1.tgz

Dependency Hierarchy:

  • @neftie/backend-0.0.0.tgz (Root Library)
    • express-fileupload-1.3.1.tgz (Vulnerable Library)

Found in HEAD commit: 8e14993dfa9224814b31a2944ee9c5a18cccd4a1

Found in base branch: main

Vulnerability Details

An arbitrary file write vulnerability in Express-FileUpload v1.3.1 allows attackers to upload multiple files with the same name, causing an overwrite of files in the web application server.

Publish Date: 2022-04-12

URL: CVE-2022-27261

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: High
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Step up your Open Source Security Game with Mend here

CVE-2022-0624

Vulnerable Library - parse-path-4.0.3.tgz

Parse paths (local paths, urls: ssh/git/etc)

Library home page: https://registry.npmjs.org/parse-path/-/parse-path-4.0.3.tgz

Dependency Hierarchy:

  • @neftie/backend-0.0.0.tgz (Root Library)
    • parse-url-5.0.7.tgz
      • parse-path-4.0.3.tgz (Vulnerable Library)

Found in HEAD commit: 8e14993dfa9224814b31a2944ee9c5a18cccd4a1

Found in base branch: main

Vulnerability Details

Authorization Bypass Through User-Controlled Key in GitHub repository ionicabizau/parse-path prior to 5.0.0.

Publish Date: 2022-06-28

URL: CVE-2022-0624

CVSS 3 Score Details (7.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0624

Release Date: 2022-06-28

Fix Resolution: parse-path - 5.0.0

Step up your Open Source Security Game with Mend here

CVE-2022-23541

Vulnerable Library - jsonwebtoken-8.5.1.tgz

JSON Web Token implementation (symmetric and asymmetric)

Library home page: https://registry.npmjs.org/jsonwebtoken/-/jsonwebtoken-8.5.1.tgz

Dependency Hierarchy:

  • @neftie/backend-0.0.0.tgz (Root Library)
    • jsonwebtoken-8.5.1.tgz (Vulnerable Library)

Found in HEAD commit: 8e14993dfa9224814b31a2944ee9c5a18cccd4a1

Found in base branch: main

Vulnerability Details

jsonwebtoken is an implementation of JSON Web Tokens. Versions <= 8.5.1 of jsonwebtoken library can be misconfigured so that passing a poorly implemented key retrieval function referring to the secretOrPublicKey argument from the readme link will result in incorrect verification of tokens. There is a possibility of using a different algorithm and key combination in verification, other than the one that was used to sign the tokens. Specifically, tokens signed with an asymmetric public key could be verified with a symmetric HS256 algorithm. This can lead to successful validation of forged tokens. If your application is supporting usage of both symmetric key and asymmetric key in jwt.verify() implementation with the same key retrieval function. This issue has been patched, please update to version 9.0.0.

Publish Date: 2022-12-22

URL: CVE-2022-23541

CVSS 3 Score Details (6.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-hjrf-2m68-5959

Release Date: 2022-12-22

Fix Resolution: jsonwebtoken - 9.0.0

Step up your Open Source Security Game with Mend here

CVE-2022-3224

Vulnerable Library - parse-url-5.0.7.tgz

An advanced url parser supporting git urls too.

Library home page: https://registry.npmjs.org/parse-url/-/parse-url-5.0.7.tgz

Dependency Hierarchy:

  • @neftie/backend-0.0.0.tgz (Root Library)
    • parse-url-5.0.7.tgz (Vulnerable Library)

Found in HEAD commit: 8e14993dfa9224814b31a2944ee9c5a18cccd4a1

Found in base branch: main

Vulnerability Details

Misinterpretation of Input in GitHub repository ionicabizau/parse-url prior to 8.1.0.

Publish Date: 2022-09-15

URL: CVE-2022-3224

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3224

Release Date: 2022-09-15

Fix Resolution: parse-url - 8.1.0

Step up your Open Source Security Game with Mend here

CVE-2022-2217

Vulnerable Library - parse-url-5.0.7.tgz

An advanced url parser supporting git urls too.

Library home page: https://registry.npmjs.org/parse-url/-/parse-url-5.0.7.tgz

Dependency Hierarchy:

  • @neftie/backend-0.0.0.tgz (Root Library)
    • parse-url-5.0.7.tgz (Vulnerable Library)

Found in HEAD commit: 8e14993dfa9224814b31a2944ee9c5a18cccd4a1

Found in base branch: main

Vulnerability Details

Cross-site Scripting (XSS) - Generic in GitHub repository ionicabizau/parse-url prior to 7.0.0.

Publish Date: 2022-06-27

URL: CVE-2022-2217

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://huntr.dev/bounties/4e046c63-b1ca-4bcc-b418-29796918a71b/

Release Date: 2022-06-27

Fix Resolution: parse-url - 6.0.1

Step up your Open Source Security Game with Mend here

CVE-2022-2218

Vulnerable Library - parse-url-5.0.7.tgz

An advanced url parser supporting git urls too.

Library home page: https://registry.npmjs.org/parse-url/-/parse-url-5.0.7.tgz

Dependency Hierarchy:

  • @neftie/backend-0.0.0.tgz (Root Library)
    • parse-url-5.0.7.tgz (Vulnerable Library)

Found in HEAD commit: 8e14993dfa9224814b31a2944ee9c5a18cccd4a1

Found in base branch: main

Vulnerability Details

Cross-site Scripting (XSS) - Stored in GitHub repository ionicabizau/parse-url prior to 7.0.0.

Publish Date: 2022-06-27

URL: CVE-2022-2218

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://huntr.dev/bounties/024912d3-f103-4daf-a1d0-567f4d9f2bf5/

Release Date: 2022-06-27

Fix Resolution: parse-url - 6.0.1

Step up your Open Source Security Game with Mend here

WS-2022-0239

Vulnerable Library - parse-url-5.0.7.tgz

An advanced url parser supporting git urls too.

Library home page: https://registry.npmjs.org/parse-url/-/parse-url-5.0.7.tgz

Dependency Hierarchy:

  • @neftie/backend-0.0.0.tgz (Root Library)
    • parse-url-5.0.7.tgz (Vulnerable Library)

Found in HEAD commit: 8e14993dfa9224814b31a2944ee9c5a18cccd4a1

Found in base branch: main

Vulnerability Details

Cross-Site Scripting via Improper Input Validation (parser differential) in parse-url before 8.0.0.
Through this vulnerability, an attacker is capable to execute malicious JS codes.

Publish Date: 2022-07-02

URL: WS-2022-0239

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://huntr.dev/bounties/5fa3115f-5c97-4928-874c-3cc6302e154e

Release Date: 2022-07-02

Fix Resolution: parse-url - 8.0.0

Step up your Open Source Security Game with Mend here

CVE-2022-36313

Vulnerable Library - file-type-16.5.3.tgz

Detect the file type of a Buffer/Uint8Array/ArrayBuffer

Library home page: https://registry.npmjs.org/file-type/-/file-type-16.5.3.tgz

Dependency Hierarchy:

  • @neftie/backend-0.0.0.tgz (Root Library)
    • file-type-16.5.3.tgz (Vulnerable Library)

Found in HEAD commit: 8e14993dfa9224814b31a2944ee9c5a18cccd4a1

Found in base branch: main

Vulnerability Details

An issue was discovered in the file-type package before 16.5.4 and 17.x before 17.1.3 for Node.js. A malformed MKV file could cause the file type detector to get caught in an infinite loop. This would make the application become unresponsive and could be used to cause a DoS attack.

Publish Date: 2022-07-21

URL: CVE-2022-36313

CVSS 3 Score Details (5.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2022-07-21

Fix Resolution: file-type - 16.5.4,17.1.3

Step up your Open Source Security Game with Mend here

Metadata

Metadata

Assignees

No one assigned

    Labels

    Mend: dependency security vulnerabilitySecurity vulnerability detected by WhiteSource

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions