json-server-0.15.1.tgz: 6 vulnerabilities (highest severity is: 7.5) #8
Labels
Mend: dependency security vulnerability
Security vulnerability detected by Mend
Comments
mend-for-github.aaakk.us.kg
bot
added
the
Mend: dependency security vulnerability
mend-for-github.aaakk.us.kg
bot
changed the title
1 task
mend-for-github.aaakk.us.kg
bot
changed the title
mend-for-github.aaakk.us.kg
bot
changed the title
mend-for-github.aaakk.us.kg
bot
changed the title
mend-for-github.aaakk.us.kg
bot
changed the title
mend-for-github.aaakk.us.kg
bot
changed the title
mend-for-github.aaakk.us.kg
bot
changed the title
mend-for-github.aaakk.us.kg
bot
changed the title
mend-for-github.aaakk.us.kg
bot
changed the title
mend-for-github.aaakk.us.kg
bot
changed the title
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Path to dependency file: /prod-sample/api/package.json
Path to vulnerable library: /prod-sample/api/node_modules/nanoid/package.json
Found in HEAD commit: 94ad2e3336af4c582bc2e70545a1de93015767e5
Vulnerabilities
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
Vulnerable Library - tough-cookie-2.5.0.tgz
RFC6265 Cookies and Cookie Jar for node.js
Library home page: https://registry.npmjs.org/tough-cookie/-/tough-cookie-2.5.0.tgz
Path to dependency file: /prod-sample/api/package.json
Path to vulnerable library: /prod-sample/api/node_modules/tough-cookie/package.json
Dependency Hierarchy:
Found in HEAD commit: 94ad2e3336af4c582bc2e70545a1de93015767e5
Found in base branch: main
Reachability Analysis
The vulnerable code is unreachable
Vulnerability Details
Versions of the package tough-cookie before 4.1.3 are vulnerable to Prototype Pollution due to improper handling of Cookies when using CookieJar in rejectPublicSuffixes=false mode. This issue arises from the manner in which the objects are initialized.
Publish Date: 2023-07-01
URL: CVE-2023-26136
Threat Assessment
Exploit Maturity: Proof of concept
EPSS: 0.4%
CVSS 3 Score Details (6.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2023-26136
Release Date: 2023-07-01
Fix Resolution (tough-cookie): 4.1.3
Direct dependency fix Resolution (json-server): 0.16.2
⛑️ Automatic Remediation will be attempted for this issue.
Vulnerable Library - request-2.88.2.tgz
Simplified HTTP request client.
Library home page: https://registry.npmjs.org/request/-/request-2.88.2.tgz
Path to dependency file: /prod-sample/api/package.json
Path to vulnerable library: /prod-sample/api/node_modules/request/package.json
Dependency Hierarchy:
Found in HEAD commit: 94ad2e3336af4c582bc2e70545a1de93015767e5
Found in base branch: main
Reachability Analysis
The vulnerable code is unreachable
Vulnerability Details
The Request package through 2.88.1 for Node.js allows a bypass of SSRF mitigations via an attacker-controller server that does a cross-protocol redirect (HTTP to HTTPS, or HTTPS to HTTP). NOTE: This vulnerability only affects products that are no longer supported by the maintainer.
Publish Date: 2023-03-16
URL: CVE-2023-28155
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 0.1%
CVSS 3 Score Details (6.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-p8p7-x288-28g6
Release Date: 2023-03-16
Fix Resolution: @cypress/request - 3.0.0
Vulnerable Library - got-9.6.0.tgz
Simplified HTTP requests
Library home page: https://registry.npmjs.org/got/-/got-9.6.0.tgz
Path to dependency file: /prod-sample/api/package.json
Path to vulnerable library: /prod-sample/api/node_modules/got/package.json
Dependency Hierarchy:
Found in HEAD commit: 94ad2e3336af4c582bc2e70545a1de93015767e5
Found in base branch: main
Reachability Analysis
The vulnerable code is unreachable
Vulnerability Details
The got package before 12.1.0 (also fixed in 11.8.5) for Node.js allows a redirect to a UNIX socket.
Publish Date: 2022-06-18
URL: CVE-2022-33987
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 0.1%
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: Low
- Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-33987
Release Date: 2022-06-18
Fix Resolution (got): 11.8.6
Direct dependency fix Resolution (json-server): 0.17.1
⛑️ Automatic Remediation will be attempted for this issue.
Vulnerable Library - path-to-regexp-0.1.10.tgz
Express style path to RegExp utility
Library home page: https://registry.npmjs.org/path-to-regexp/-/path-to-regexp-0.1.10.tgz
Path to dependency file: /prod-sample/api/package.json
Path to vulnerable library: /prod-sample/api/node_modules/path-to-regexp/package.json
Dependency Hierarchy:
Found in HEAD commit: 94ad2e3336af4c582bc2e70545a1de93015767e5
Found in base branch: main
Vulnerability Details
path-to-regexp turns path strings into a regular expressions. In certain cases, path-to-regexp will output a regular expression that can be exploited to cause poor performance. The regular expression that is vulnerable to backtracking can be generated in the 0.1.x release of path-to-regexp. Upgrade to 0.1.12. This vulnerability exists because of an incomplete fix for CVE-2024-45296.
Publish Date: 2024-12-05
URL: CVE-2024-52798
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 0.0%
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-rhx6-c78j-4q9w
Release Date: 2024-12-05
Fix Resolution: path-to-regexp - 0.1.12
Vulnerable Library - cross-spawn-5.1.0.tgz
Cross platform child_process#spawn and child_process#spawnSync
Library home page: https://registry.npmjs.org/cross-spawn/-/cross-spawn-5.1.0.tgz
Path to dependency file: /prod-sample/api/package.json
Path to vulnerable library: /prod-sample/api/node_modules/cross-spawn/package.json
Dependency Hierarchy:
Found in HEAD commit: 94ad2e3336af4c582bc2e70545a1de93015767e5
Found in base branch: main
Vulnerability Details
Versions of the package cross-spawn before 7.0.5 are vulnerable to Regular Expression Denial of Service (ReDoS) due to improper input sanitization. An attacker can increase the CPU usage and crash the program by crafting a very large and well crafted string.
Publish Date: 2024-11-08
URL: CVE-2024-21538
Threat Assessment
Exploit Maturity: Proof of concept
EPSS: 0.0%
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2024-21538
Release Date: 2024-11-08
Fix Resolution: cross-spawn - 7.0.5
Vulnerable Library - nanoid-2.1.11.tgz
A tiny (119 bytes), secure URL-friendly unique string ID generator
Library home page: https://registry.npmjs.org/nanoid/-/nanoid-2.1.11.tgz
Path to dependency file: /prod-sample/api/package.json
Path to vulnerable library: /prod-sample/api/node_modules/nanoid/package.json
Dependency Hierarchy:
Found in HEAD commit: 94ad2e3336af4c582bc2e70545a1de93015767e5
Found in base branch: main
Vulnerability Details
nanoid (aka Nano ID) before 5.0.9 mishandles non-integer values. 3.3.8 is also a fixed version.
Publish Date: 2024-12-09
URL: CVE-2024-55565
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 0.0%
CVSS 3 Score Details (4.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: Low
- Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2024-55565
Release Date: 2024-12-09
Fix Resolution (nanoid): 3.3.8
Direct dependency fix Resolution (json-server): 0.16.3
⛑️ Automatic Remediation will be attempted for this issue.
⛑️Automatic Remediation will be attempted for this issue.
The text was updated successfully, but these errors were encountered: