Bulk vulnerability fix - Lockfile fix

[debricked]

Bulk vulnerability fix - Lockfile fix

This pull request will update your transitive dependencies within the allowed version intervals provided by your direct dependencies.

Fixed vulnerabilities:

CVE–2020–28500

• Description

  NVD

  Lodash versions prior to 4.17.21 are vulnerable to Regular Expression Denial of Service (ReDoS) via the toNumber, trim and trimEnd functions.

• CVSS details - 5.3

   

  CVSS3 metrics
  Attack Vector	Network
  Attack Complexity	Low
  Privileges Required	None
  User interaction	None
  Scope	Unchanged
  Confidentiality	None
  Integrity	None
  Availability	Low

• References

      CONFIRM
      perf: improve performance of toNumber, trim and trimEnd on large input strings by falsyvalues · Pull Request #5065 · lodash/lodash · GitHub
      February 2021 Lodash Vulnerabilities in NetApp Products | NetApp Product Security
      Improve performance of toNumber, trim and trimEnd on large inpu… · lodash/lodash@c4847eb · GitHub

CVE–2021–23337

• Description

  Improper Neutralization of Special Elements used in a Command ('Command Injection')

  The software constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.

  GitHub

  Command Injection in lodash

  lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function.

  NVD

  Lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function.

• CVSS details - 7.2

   

  CVSS3 metrics
  Attack Vector	Network
  Attack Complexity	Low
  Privileges Required	High
  User interaction	None
  Scope	Unchanged
  Confidentiality	High
  Integrity	High
  Availability	High

• References

      MISC
      February 2021 Lodash Vulnerabilities in NetApp Products | NetApp Product Security
      lodash/lodash.js at ddfd9b11a0126db2302cb70ec9973b66baec0975 · lodash/lodash · GitHub
      NVD - CVE-2021-23337
      Prevent command injection through _.template's variable option · lodash/lodash@3469357 · GitHub
      Command Injection in lodash · CVE-2021-23337 · GitHub Advisory Database · GitHub

CVE–2021–23364

• Description

  GitHub

  Regular Expression Denial of Service in browserslist

  The package browserslist from 4.0.0 and before 4.16.5 are vulnerable to Regular Expression Denial of Service (ReDoS) during parsing of queries.

  NVD

  The package browserslist from 4.0.0 and before 4.16.5 are vulnerable to Regular Expression Denial of Service (ReDoS) during parsing of queries.

• CVSS details - 5.3

   

  CVSS3 metrics
  Attack Vector	Network
  Attack Complexity	Low
  Privileges Required	None
  User interaction	None
  Scope	Unchanged
  Confidentiality	None
  Integrity	None
  Availability	Low

• References

      Fix unsafe regexp · browserslist/browserslist@c091916 · GitHub
      Fix ReDoS by yetingli · Pull Request #593 · browserslist/browserslist · GitHub
      MISC
      Regular Expression Denial of Service in browserslist · CVE-2021-23364 · GitHub Advisory Database · GitHub
      browserslist/index.js at e82f32d1d4100d6bc79ea0b6b6a2d281a561e33c · browserslist/browserslist · GitHub
      NVD - CVE-2021-23364

CVE–2021–23343

• Description

  NVD

  All versions of package path-parse are vulnerable to Regular Expression Denial of Service (ReDoS) via splitDeviceRe, splitTailRe, and splitPathRe regular expressions. ReDoS exhibits polynomial worst-case time complexity.

• CVSS details - 7.5

   

  CVSS3 metrics
  Attack Vector	Network
  Attack Complexity	Low
  Privileges Required	None
  User interaction	None
  Scope	Unchanged
  Confidentiality	None
  Integrity	None
  Availability	High

• References

      ReDoS in path-parse · Issue #8 · jbgutierrez/path-parse · GitHub
      Pony Mail!
      fixed regexes to avoid ReDoS attacks by jeffrey-pinyan-ithreat · Pull Request #10 · jbgutierrez/path-parse · GitHub

CVE–2021–27515

• Description

  GitHub

  Path traversal in url-parse

  url-parse before 1.5.0 mishandles certain uses of backslash such as http:/ and interprets the URI as a relative path.

  NVD

  url-parse before 1.5.0 mishandles certain uses of backslash such as http:/ and interprets the URI as a relative path.

• CVSS details - 5.3

   

  CVSS3 metrics
  Attack Vector	Network
  Attack Complexity	Low
  Privileges Required	None
  User interaction	None
  Scope	Unchanged
  Confidentiality	None
  Integrity	Low
  Availability	None

• References

      [security] More backslash fixes (#197) · unshiftio/url-parse@d1e7e88 · GitHub
      Comparing 1.4.7...1.5.0 · unshiftio/url-parse · GitHub
      [security] More backslash fixes by 3rd-Eden · Pull Request #197 · unshiftio/url-parse · GitHub
      MISC
      NVD - CVE-2021-27515
      Path traversal in url-parse · CVE-2021-27515 · GitHub Advisory Database · GitHub

CVE–2020–7793

• Description

  Uncontrolled Resource Consumption

  The software does not properly control the allocation and maintenance of a limited resource thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources.

  NVD

  The package ua-parser-js before 0.7.23 are vulnerable to Regular Expression Denial of Service (ReDoS) in multiple regexes (see linked commit for more info).

• CVSS details - 7.5

   

  CVSS3 metrics
  Attack Vector	Network
  Attack Complexity	Low
  Privileges Required	None
  User interaction	None
  Scope	Unchanged
  Confidentiality	None
  Integrity	None
  Availability	High

• References

      Fix ReDoS vulnerabilities reported by Snyk · faisalman/ua-parser-js@6d1f26d · GitHub
      GitHub - faisalman/ua-parser-js: UAParser.js - Detect Browser, Engine, OS, CPU, and Device type/model from User-Agent data. Supports browser & node.js environment.
      GitHub - faisalman/ua-parser-js: UAParser.js - Detect Browser, Engine, OS, CPU, and Device type/model from User-Agent data. Supports browser & node.js environment.

CVE–2021–27292

• Description

  GitHub

  Regular Expression Denial of Service (ReDoS) in ua-parser-js

  ua-parser-js >= 0.7.14, fixed in 0.7.24, uses a regular expression which is vulnerable to denial of service. If an attacker sends a malicious User-Agent header, ua-parser-js will get stuck processing it for an extended period of time.

  NVD

  ua-parser-js >= 0.7.14, fixed in 0.7.24, uses a regular expression which is vulnerable to denial of service. If an attacker sends a malicious User-Agent header, ua-parser-js will get stuck processing it for an extended period of time.

• CVSS details - 7.5

   

  CVSS3 metrics
  Attack Vector	Network
  Attack Complexity	Low
  Privileges Required	None
  User interaction	None
  Scope	Unchanged
  Confidentiality	None
  Integrity	None
  Availability	High

• References

      cve-2021-27292 · GitHub
      Fix several exponential/cubic complexity regexes found by Ben Caller/… · pygments/pygments@2e7e8c4 · GitHub
      Fix potential ReDoS vulnerability as reported by Doyensec · faisalman/ua-parser-js@809439e · GitHub
      Regular Expression Denial of Service (ReDoS) in ua-parser-js · CVE-2021-27292 · GitHub Advisory Database · GitHub
      NVD - CVE-2021-27292

CVE–2021–21366

• Description

  Interpretation Conflict

  Product A handles inputs or steps differently than Product B, which causes A to perform incorrect actions based on its perception of B's state.

  GitHub

  Misinterpretation of malicious XML input

  Impact

  xmldom versions 0.4.0 and older do not correctly preserve system identifiers, FPIs or namespaces when repeatedly parsing and serializing maliciously crafted documents.

  This may lead to unexpected syntactic changes during XML processing in some downstream applications.

  Patches

  Update to 0.5.0 (once it is released)

  Workarounds

  Downstream applications can validate the input and reject the maliciously crafted documents.

  References

  Similar to this one reported on the Go standard library:

  • https://mattermost.com/blog/coordinated-disclosure-go-xml-vulnerabilities/

  For more information

  If you have any questions or comments about this advisory:

  • Open an issue in xmldom/xmldom
  • Email us: send an email to all addresses that are shown by npm owner ls xmldom

  NVD

  xmldom is a pure JavaScript W3C standard-based (XML DOM Level 2 Core) DOMParser and XMLSerializer module. xmldom versions 0.4.0 and older do not correctly preserve system identifiers, FPIs or namespaces when repeatedly parsing and serializing maliciously crafted documents. This may lead to unexpected syntactic changes during XML processing in some downstream applications. This is fixed in version 0.5.0. As a workaround downstream applications can validate the input and reject the maliciously crafted documents.

• CVSS details - 4.3

   

  CVSS3 metrics
  Attack Vector	Network
  Attack Complexity	Low
  Privileges Required	None
  User interaction	Required
  Scope	Unchanged
  Confidentiality	None
  Integrity	Low
  Availability	None

• References

      Merge pull request from GHSA-h6q6-9hqw-rwfv · xmldom/xmldom@d4201b9 · GitHub
      Release 0.5.0 · xmldom/xmldom · GitHub
      Misinterpretation of malicious XML input · Advisory · xmldom/xmldom · GitHub
      xmldom - npm
      NVD - CVE-2021-21366
      GitHub - xmldom/xmldom: A pure JavaScript W3C standard-based (XML DOM Level 2 Core) DOMParser and XMLSerializer module.
      Misinterpretation of malicious XML input · CVE-2021-21366 · GitHub Advisory Database · GitHub
      xmldom/LICENSE at dc429ae2ebd09e2fa3380c4a9b292d1164898f02 · xmldom/xmldom · GitHub
      Issues · xmldom/xmldom · GitHub
      GitHub - jindw/xmldom: A PURE JS W3C Standard based(XML DOM Level2 CORE) DOMParser and XMLSerializer.
      Issues · xmldom/xmldom · GitHub

CVE–2021–29060

• Description

  Allocation of Resources Without Limits or Throttling

  The software allocates a reusable resource or group of resources on behalf of an actor without imposing any restrictions on the size or number of resources that can be allocated, in violation of the intended security policy for that actor.

  GitHub

  Regular Expression Denial of Service (ReDOS)

  In the npm package color-string, there is a ReDos (Regular Expression Denial of Service) vulnerability regarding an exponential time complexity for
  linearly increasing input lengths for hwb() color strings.

  Strings reaching more than 5000 characters would see several
  milliseconds of processing time; strings reaching more than
  50,000 characters began seeing 1500ms (1.5s) of processing time.

  The cause was due to a the regular expression that parses
  hwb() strings - specifically, the hue value - where
  the integer portion of the hue value used a 0-or-more quantifier
  shortly thereafter followed by a 1-or-more quantifier.

  This caused excessive backtracking and a cartesian scan,
  resulting in exponential time complexity given a linear
  increase in input length.

  NVD

  A Regular Expression Denial of Service (ReDOS) vulnerability was discovered in Color-String version 1.5.5 and below which occurs when the application is provided and checks a crafted invalid HWB string.

• CVSS details - 5.3

   

  CVSS3 metrics
  Attack Vector	Network
  Attack Complexity	Low
  Privileges Required	None
  User interaction	None
  Scope	Unchanged
  Confidentiality	None
  Integrity	None
  Availability	Low

• References

      SaveResults/color-string.js at main · yetingli/SaveResults · GitHub
      PoCs/Color-String.md at main · yetingli/PoCs · GitHub
      fix ReDos in hwb() parser (low-severity) · Qix-/color-string@0789e21 · GitHub
      color-string - npm
      GitHub - Qix-/color-string: Parser and generator for CSS color strings
      Regular Expression Denial of Service (ReDOS) · CVE-2021-29060 · GitHub Advisory Database · GitHub
      GitHub - Qix-/color-string: Parser and generator for CSS color strings
      NVD - CVE-2021-29060

CVE–2021–33502

• Description

  GitHub

  ReDoS in normalize-url

  The normalize-url package before 4.5.1, 5.x before 5.3.1, and 6.x before 6.0.1 for Node.js has a ReDoS (regular expression denial of service) issue because it has exponential performance for data: URLs.

  NVD

  The normalize-url package before 4.5.1, 5.x before 5.3.1, and 6.x before 6.0.1 for Node.js has a ReDoS (regular expression denial of service) issue because it has exponential performance for data: URLs.

• CVSS details - 7.5

   

  CVSS3 metrics
  Attack Vector	Network
  Attack Complexity	Low
  Privileges Required	None
  User interaction	None
  Scope	Unchanged
  Confidentiality	None
  Integrity	None
  Availability	High

• References

      Release v6.0.1 · sindresorhus/normalize-url · GitHub
      NVD - CVE-2021-33502
      ReDoS in normalize-url · CVE-2021-33502 · GitHub Advisory Database · GitHub

 

Related information

📌 Remember! Check the changes to ensure they don't introduce any breaking changes.
📚 Read more at Debricked