yarn-audit-known-issues
{"type":"auditAdvisory","data":{"resolution":{"id":1096366,"path":"email-templates>preview-email>mailparser>nodemailer","dev":false,"optional":false,"bundled":false},"advisory":{"findings":[{"version":"6.7.3","paths":["email-templates>preview-email>mailparser>nodemailer"]}],"found_by":null,"deleted":null,"references":"- https://github.com/nodemailer/nodemailer/security/advisories/GHSA-9h6g-pr28-7cqp\n- https://gist.github.com/francoatmega/890dd5053375333e40c6fdbcc8c58df6\n- https://gist.github.com/francoatmega/9aab042b0b24968d7b7039818e8b2698\n- https://github.com/nodemailer/nodemailer/commit/dd8f5e8a4ddc99992e31df76bcff9c590035cd4a\n- https://github.com/advisories/GHSA-9h6g-pr28-7cqp","created":"2024-01-31T22:42:54.000Z","id":1096366,"npm_advisory_id":null,"overview":"### Summary\nA ReDoS vulnerability occurs when nodemailer tries to parse img files with the parameter `attachDataUrls` set, causing the stuck of event loop. \nAnother flaw was found when nodemailer tries to parse an attachments with a embedded file, causing the stuck of event loop. \n\n### Details\n\nRegex: /^data:((?:[^;]*;)*(?:[^,]*)),(.*)$/\n\nPath: compile -> getAttachments -> _processDataUrl\n\nRegex: /(<img\\b[^>]* src\\s*=[\\s\"']*)(data:([^;]+);[^\"'>\\s]+)/\n\nPath: _convertDataImages\n\n### PoC\n\nhttps://gist.github.com/francoatmega/890dd5053375333e40c6fdbcc8c58df6\nhttps://gist.github.com/francoatmega/9aab042b0b24968d7b7039818e8b2698\n\n### Impact\n\nReDoS causes the event loop to stuck a specially crafted evil email can cause this problem.\n","reported_by":null,"title":"nodemailer ReDoS when trying to send a specially crafted email","metadata":null,"cves":[],"access":"public","severity":"moderate","module_name":"nodemailer","vulnerable_versions":"<=6.9.8","github_advisory_id":"GHSA-9h6g-pr28-7cqp","recommendation":"Upgrade to version 6.9.9 or later","patched_versions":">=6.9.9","updated":"2024-02-01T17:58:50.000Z","cvss":{"score":5.3,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},"cwe":["CWE-1333"],"url":"https://github.com/advisories/GHSA-9h6g-pr28-7cqp"}}}
{"type":"auditAdvisory","data":{"resolution":{"id":1100467,"path":"email-templates>preview-email>display-notification>run-applescript>execa>cross-spawn","dev":false,"optional":false,"bundled":false},"advisory":{"findings":[{"version":"6.0.5","paths":["email-templates>preview-email>display-notification>run-applescript>execa>cross-spawn"]}],"found_by":null,"deleted":null,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2024-21538\n- https://github.com/moxystudio/node-cross-spawn/pull/160\n- https://github.com/moxystudio/node-cross-spawn/commit/5ff3a07d9add449021d806e45c4168203aa833ff\n- https://github.com/moxystudio/node-cross-spawn/commit/640d391fde65388548601d95abedccc12943374f\n- https://security.snyk.io/vuln/SNYK-JS-CROSSSPAWN-8303230\n- https://github.com/advisories/GHSA-3xgq-45jj-v275","created":"2024-11-08T06:30:47.000Z","id":1100467,"npm_advisory_id":null,"overview":"Versions of the package cross-spawn before 7.0.5 are vulnerable to Regular Expression Denial of Service (ReDoS) due to improper input sanitization. An attacker can increase the CPU usage and crash the program by crafting a very large and well crafted string.","reported_by":null,"title":"Regular Expression Denial of Service (ReDoS) in cross-spawn","metadata":null,"cves":["CVE-2024-21538"],"access":"public","severity":"high","module_name":"cross-spawn","vulnerable_versions":"<7.0.5","github_advisory_id":"GHSA-3xgq-45jj-v275","recommendation":"Upgrade to version 7.0.5 or later","patched_versions":">=7.0.5","updated":"2024-11-15T22:25:54.000Z","cvss":{"score":7.5,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},"cwe":["CWE-1333"],"url":"https://github.com/advisories/GHSA-3xgq-45jj-v275"}}}