socket.io-0.9.19.tgz: 8 vulnerabilities (highest severity is: 9.8) #131

Status: Closed

mend-bolt-for-github bot (Contributor) opened this issue Sep 29, 2022 · 0 comments
Vulnerable Library - socket.io-0.9.19.tgz

Real-time apps made cross-browser & easy with a WebSocket-like API

Library home page: https://registry.npmjs.org/socket.io/-/socket.io-0.9.19.tgz

Path to dependency file: /files/slides-Search-A-Journey-of-Delivery-on-a-Budget/reveal.js/package.json

Path to vulnerable library: /files/slides-Search-A-Journey-of-Delivery-on-a-Budget/reveal.js/node_modules/socket.io/package.json

Found in HEAD commit: 7aaeadfdb117b8d11abc3daa3966685de8860868

Vulnerabilities

CVE             Severity  CVSS  Dependency                 Type        Fixed in  Remediation Available
CVE-2015-8857   High      9.8   uglify-js-1.2.5.tgz        Transitive  1.0.0
CVE-2020-28502  High      8.1   xmlhttprequest-1.4.2.tgz   Transitive  1.0.0
CVE-2016-10518  High      7.5   ws-0.4.32.tgz              Transitive  1.0.0
CVE-2015-8858   High      7.5   uglify-js-1.2.5.tgz        Transitive  1.0.0
CVE-2016-10542  High      7.5   ws-0.4.32.tgz              Transitive  1.0.0
WS-2017-0421    High      7.5   ws-0.4.32.tgz              Transitive  1.0.0
WS-2017-0107    High      7.4   ws-0.4.32.tgz              Transitive  1.0.0
CVE-2020-28481  Medium    4.3   socket.io-0.9.19.tgz       Direct      2.4.0

Details

CVE-2015-8857

Vulnerable Library - uglify-js-1.2.5.tgz

JavaScript parser and compressor/beautifier toolkit

Library home page: https://registry.npmjs.org/uglify-js/-/uglify-js-1.2.5.tgz

Path to dependency file: /files/slides-Search-A-Journey-of-Delivery-on-a-Budget/reveal.js/package.json

Path to vulnerable library: /files/slides-Search-A-Journey-of-Delivery-on-a-Budget/reveal.js/node_modules/socket.io-client/node_modules/uglify-js/package.json

Dependency Hierarchy:

  • socket.io-0.9.19.tgz (Root Library)
    • socket.io-client-0.9.16.tgz
      • uglify-js-1.2.5.tgz (Vulnerable Library)

Found in HEAD commit: 7aaeadfdb117b8d11abc3daa3966685de8860868

Found in base branch: master

Vulnerability Details

The uglify-js package before 2.4.24 for Node.js does not properly account for non-boolean values when rewriting boolean expressions, which might allow attackers to bypass security mechanisms or possibly have unspecified other impact by leveraging improperly rewritten JavaScript.

Publish Date: 2017-01-23

URL: CVE-2015-8857

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8858

Release Date: 2017-01-23

Fix Resolution (uglify-js): 2.4.24

Direct dependency fix Resolution (socket.io): 1.0.0

Step up your Open Source Security Game with Mend here

CVE-2020-28502

Vulnerable Library - xmlhttprequest-1.4.2.tgz

XMLHttpRequest for Node

Library home page: https://registry.npmjs.org/xmlhttprequest/-/xmlhttprequest-1.4.2.tgz

Path to dependency file: /files/slides-Search-A-Journey-of-Delivery-on-a-Budget/reveal.js/package.json

Path to vulnerable library: /files/slides-Search-A-Journey-of-Delivery-on-a-Budget/reveal.js/node_modules/xmlhttprequest/package.json

Dependency Hierarchy:

  • socket.io-0.9.19.tgz (Root Library)
    • socket.io-client-0.9.16.tgz
      • xmlhttprequest-1.4.2.tgz (Vulnerable Library)

Found in HEAD commit: 7aaeadfdb117b8d11abc3daa3966685de8860868

Found in base branch: master

Vulnerability Details

This affects the package xmlhttprequest before 1.7.0 and all versions of the package xmlhttprequest-ssl. Provided requests are sent synchronously (async=False on xhr.open), malicious user input flowing into xhr.send could result in arbitrary code being injected and run.

Publish Date: 2021-03-05

URL: CVE-2020-28502

CVSS 3 Score Details (8.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: GHSA-h4j5-c7cj-74xg

Release Date: 2021-03-05

Fix Resolution (xmlhttprequest): 1.7.0

Direct dependency fix Resolution (socket.io): 1.0.0


CVE-2016-10518

Vulnerable Library - ws-0.4.32.tgz

simple to use, blazing fast and thoroughly tested websocket client, server and console for node.js, up-to-date against RFC-6455

Library home page: https://registry.npmjs.org/ws/-/ws-0.4.32.tgz

Path to dependency file: /files/slides-Search-A-Journey-of-Delivery-on-a-Budget/reveal.js/package.json

Path to vulnerable library: /files/slides-Search-A-Journey-of-Delivery-on-a-Budget/reveal.js/node_modules/ws/package.json

Dependency Hierarchy:

  • socket.io-0.9.19.tgz (Root Library)
    • socket.io-client-0.9.16.tgz
      • ws-0.4.32.tgz (Vulnerable Library)

Found in HEAD commit: 7aaeadfdb117b8d11abc3daa3966685de8860868

Found in base branch: master

Vulnerability Details

A vulnerability was found in the ping functionality of the ws module before 1.0.0 which allowed clients to cause memory allocation on the server by sending a ping frame. The ping functionality by default responds with a pong frame carrying the payload of the received ping frame. That is the expected behaviour, but internally ws converted all outgoing data to a Buffer instance without checking its type, and that is where the vulnerability existed: when a Node.js Buffer is constructed from a number instead of a string, it allocates that many bytes.

Publish Date: 2018-05-31

URL: CVE-2016-10518

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None


Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2016-10518

Release Date: 2018-05-31

Fix Resolution (ws): 1.0.1

Direct dependency fix Resolution (socket.io): 1.0.0


CVE-2015-8858

Vulnerable Library - uglify-js-1.2.5.tgz

JavaScript parser and compressor/beautifier toolkit

Library home page: https://registry.npmjs.org/uglify-js/-/uglify-js-1.2.5.tgz

Path to dependency file: /files/slides-Search-A-Journey-of-Delivery-on-a-Budget/reveal.js/package.json

Path to vulnerable library: /files/slides-Search-A-Journey-of-Delivery-on-a-Budget/reveal.js/node_modules/socket.io-client/node_modules/uglify-js/package.json

Dependency Hierarchy:

  • socket.io-0.9.19.tgz (Root Library)
    • socket.io-client-0.9.16.tgz
      • uglify-js-1.2.5.tgz (Vulnerable Library)

Found in HEAD commit: 7aaeadfdb117b8d11abc3daa3966685de8860868

Found in base branch: master

Vulnerability Details

The uglify-js package before 2.6.0 for Node.js allows attackers to cause a denial of service (CPU consumption) via crafted input in a parse call, aka a "regular expression denial of service (ReDoS)."

Publish Date: 2017-01-23

URL: CVE-2015-8858

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8858

Release Date: 2017-01-23

Fix Resolution (uglify-js): 2.6.0

Direct dependency fix Resolution (socket.io): 1.0.0


CVE-2016-10542

Vulnerable Library - ws-0.4.32.tgz

simple to use, blazing fast and thoroughly tested websocket client, server and console for node.js, up-to-date against RFC-6455

Library home page: https://registry.npmjs.org/ws/-/ws-0.4.32.tgz

Path to dependency file: /files/slides-Search-A-Journey-of-Delivery-on-a-Budget/reveal.js/package.json

Path to vulnerable library: /files/slides-Search-A-Journey-of-Delivery-on-a-Budget/reveal.js/node_modules/ws/package.json

Dependency Hierarchy:

  • socket.io-0.9.19.tgz (Root Library)
    • socket.io-client-0.9.16.tgz
      • ws-0.4.32.tgz (Vulnerable Library)

Found in HEAD commit: 7aaeadfdb117b8d11abc3daa3966685de8860868

Found in base branch: master

Vulnerability Details

ws is a "simple to use, blazing fast and thoroughly tested websocket client, server and console for node.js, up-to-date against RFC-6455". By sending an overly long websocket payload to a ws server, it is possible to crash the node process. This affects ws 1.1.0 and earlier.

Publish Date: 2018-05-31

URL: CVE-2016-10542

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8858

Release Date: 2018-05-31

Fix Resolution (ws): 1.1.1

Direct dependency fix Resolution (socket.io): 1.0.0


WS-2017-0421

Vulnerable Library - ws-0.4.32.tgz

simple to use, blazing fast and thoroughly tested websocket client, server and console for node.js, up-to-date against RFC-6455

Library home page: https://registry.npmjs.org/ws/-/ws-0.4.32.tgz

Path to dependency file: /files/slides-Search-A-Journey-of-Delivery-on-a-Budget/reveal.js/package.json

Path to vulnerable library: /files/slides-Search-A-Journey-of-Delivery-on-a-Budget/reveal.js/node_modules/ws/package.json

Dependency Hierarchy:

  • socket.io-0.9.19.tgz (Root Library)
    • socket.io-client-0.9.16.tgz
      • ws-0.4.32.tgz (Vulnerable Library)

Found in HEAD commit: 7aaeadfdb117b8d11abc3daa3966685de8860868

Found in base branch: master

Vulnerability Details

A denial of service vulnerability was found in the ws npm package, versions 0.2.6 through 1.1.4 and 2.0.0 through 3.3.0. ws can crash when a specially crafted Sec-WebSocket-Extensions header containing Object.prototype property names as extension or parameter names is sent.

Publish Date: 2017-11-08

URL: WS-2017-0421

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: GHSA-5v72-xg48-5rpm

Release Date: 2017-11-08

Fix Resolution (ws): 1.1.5

Direct dependency fix Resolution (socket.io): 1.0.0


WS-2017-0107

Vulnerable Library - ws-0.4.32.tgz

simple to use, blazing fast and thoroughly tested websocket client, server and console for node.js, up-to-date against RFC-6455

Library home page: https://registry.npmjs.org/ws/-/ws-0.4.32.tgz

Path to dependency file: /files/slides-Search-A-Journey-of-Delivery-on-a-Budget/reveal.js/package.json

Path to vulnerable library: /files/slides-Search-A-Journey-of-Delivery-on-a-Budget/reveal.js/node_modules/ws/package.json

Dependency Hierarchy:

  • socket.io-0.9.19.tgz (Root Library)
    • socket.io-client-0.9.16.tgz
      • ws-0.4.32.tgz (Vulnerable Library)

Found in HEAD commit: 7aaeadfdb117b8d11abc3daa3966685de8860868

Found in base branch: master

Vulnerability Details

The ws package uses the Math.random function to generate the masking key. This function is not random enough, allowing an attacker to easily guess the key. With the key, an attacker can read the payload, causing potential information disclosure.

Publish Date: 2016-09-20

URL: WS-2017-0107

CVSS 3 Score Details (7.4)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Adjacent
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None


Suggested Fix

Type: Upgrade version

Release Date: 2016-09-20

Fix Resolution (ws): 1.1.2

Direct dependency fix Resolution (socket.io): 1.0.0


CVE-2020-28481

Vulnerable Library - socket.io-0.9.19.tgz

Real-time apps made cross-browser & easy with a WebSocket-like API

Library home page: https://registry.npmjs.org/socket.io/-/socket.io-0.9.19.tgz

Path to dependency file: /files/slides-Search-A-Journey-of-Delivery-on-a-Budget/reveal.js/package.json

Path to vulnerable library: /files/slides-Search-A-Journey-of-Delivery-on-a-Budget/reveal.js/node_modules/socket.io/package.json

Dependency Hierarchy:

  • socket.io-0.9.19.tgz (Vulnerable Library)

Found in HEAD commit: 7aaeadfdb117b8d11abc3daa3966685de8860868

Found in base branch: master

Vulnerability Details

The socket.io package before 2.4.0 is vulnerable to insecure defaults due to CORS misconfiguration: all domains are whitelisted by default.

Publish Date: 2021-01-19

URL: CVE-2020-28481

CVSS 3 Score Details (4.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: None
    • Availability Impact: None


Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28481

Release Date: 2021-01-19

Fix Resolution: 2.4.0
