alpersonalwebsite / erc721-smart-contract Goto Github PK

Vulnerable Library - mout-0.11.1.tgz

Modular Utilities

Library home page: https://registry.npmjs.org/mout/-/mout-0.11.1.tgz

Path to dependency file: /smart_contracts/package.json

Path to vulnerable library: /smart_contracts/node_modules/mout/package.json

Dependency Hierarchy:

• truffle-hdwallet-provider-1.0.9.tgz (Root Library)
  • web3-1.0.0-beta.37.tgz
    • web3-bzz-1.0.0-beta.37.tgz
      • swarm-js-0.1.37.tgz
        • tar.gz-1.0.7.tgz
          • ❌ mout-0.11.1.tgz (Vulnerable Library)

Found in HEAD commit: 11b81b67d7da872135498e6394bdec16aded69ce

Vulnerability Details

This affects all versions of package mout. The deepFillIn function can be used to 'fill missing properties recursively', while the deepMixIn 'mixes objects into the target object, recursively mixing existing child objects as well'. In both cases, the key used to access the target object recursively is not checked, leading to a Prototype Pollution.

Publish Date: 2020-12-11

URL: CVE-2020-7792

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2020-7792

Release Date: 2020-12-11

Fix Resolution: mout - 1.2.3

Vulnerable Libraries - elliptic-6.3.3.tgz, elliptic-6.4.1.tgz

Found in HEAD commit: f7bd4ba207ff34cdf6389d4d146e37ea45b4ce9b

Vulnerability Details

The function getNAF() in elliptic library has information leakage. This issue is mitigated in version 6.5.2

Publish Date: 2019-11-22

URL: WS-2019-0427

CVSS 3 Score Details (5.9)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Adjacent
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: High
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: indutny/elliptic@ec735ed

Release Date: 2019-11-22

Fix Resolution: v6.5.2

Vulnerable Library - lodash-4.17.15.tgz

Lodash modular utilities.

Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.15.tgz

Path to dependency file: /tmp/ws-scm/erc721-smart-contract/smart_contracts/package.json

Path to vulnerable library: /tmp/ws-scm/erc721-smart-contract/smart_contracts/node_modules/lodash/package.json

Dependency Hierarchy:

• node-server-screenshot-0.2.4.tgz (Root Library)
  • nightmare-3.0.2.tgz
    • deep-defaults-1.0.5.tgz
      • ❌ lodash-4.17.15.tgz (Vulnerable Library)

Found in HEAD commit: 0936b120479c96383e43aa70451bc94ccb0d9381

Vulnerability Details

a prototype pollution vulnerability in lodash. It allows an attacker to inject properties on Object.prototype

Publish Date: 2020-04-28

URL: WS-2020-0070

CVSS 3 Score Details (8.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Vulnerable Library - jquery-1.11.1.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.11.1/jquery.min.js

Path to dependency file: /tmp/ws-scm/erc721-smart-contract/smart_contracts/node_modules/nightmare/test/fixtures/rendering/index.html

Path to vulnerable library: /erc721-smart-contract/smart_contracts/node_modules/nightmare/test/fixtures/rendering/index.html

Dependency Hierarchy:

• ❌ jquery-1.11.1.min.js (Vulnerable Library)

Found in HEAD commit: b9b69a78b2d694ad0343817209db815e1daab964

Vulnerability Details

jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. If an unsanitized source object contained an enumerable proto property, it could extend the native Object.prototype.

Publish Date: 2019-04-20

URL: CVE-2019-11358

CVSS 3 Score Details (6.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None

Suggested Fix

Type: Change files

Origin: jquery/jquery@753d591

Release Date: 2019-03-25

Fix Resolution: Replace or update the following files: core.js, core.js

Vulnerable Library - dot-prop-4.2.0.tgz

Get, set, or delete a property from a nested object using a dot path

Library home page: https://registry.npmjs.org/dot-prop/-/dot-prop-4.2.0.tgz

Path to dependency file: /tmp/ws-scm/erc721-smart-contract/smart_contracts/package.json

Path to vulnerable library: /tmp/ws-scm/erc721-smart-contract/smart_contracts/node_modules/dot-prop/package.json

Dependency Hierarchy:

• nodemon-1.19.4.tgz (Root Library)
  • update-notifier-2.5.0.tgz
    • configstore-3.1.2.tgz
      • ❌ dot-prop-4.2.0.tgz (Vulnerable Library)

Found in HEAD commit: 0bd9f5421327f7dfc93b48320caff131a442c1c3

Vulnerability Details

Prototype pollution vulnerability in dot-prop npm package version 5.1.0 and earlier allows an attacker to add arbitrary properties to JavaScript language constructs such as objects.

Publish Date: 2020-02-04

URL: CVE-2020-8116

CVSS 2 Score Details (7.5)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8116

Release Date: 2020-02-04

Fix Resolution: dot-prop - 5.1.1

Vulnerable Libraries - qs-6.5.2.tgz, qs-6.7.0.tgz

Found in HEAD commit: dd5f42086bee0771658914de31128ac49447cee9

Vulnerability Details

A Denial of Service vulnerability exists in qs up to 6.8.0 due to insufficient sanitization of property in the gs.parse function. The merge() function allows the assignment of properties on an array in the query. For any property being assigned, a value in the array is converted to an object containing these properties. Essentially, this means that the property whose expected type is Array always has to be checked with Array.isArray() by the user. This may not be obvious to the user and can cause unexpected behavior.
WhiteSource Note: After conducting further research, WhiteSource has determined that versions 0.0.1--6.10.3 of qs are vulnerable to CVE-2021-44907.

Publish Date: 2022-03-17

URL: CVE-2021-44907

CVSS 3 Score Details (3.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: Low
  • Availability Impact: None

Vulnerable Library - bl-1.2.2.tgz

Buffer List: collect buffers and access with a standard readable Buffer interface, streamable too!

Library home page: https://registry.npmjs.org/bl/-/bl-1.2.2.tgz

Path to dependency file: /smart_contracts/package.json

Path to vulnerable library: /smart_contracts/node_modules/bl/package.json

Dependency Hierarchy:

• truffle-hdwallet-provider-1.0.17.tgz (Root Library)
  • web3-1.2.1.tgz
    • web3-bzz-1.2.1.tgz
      • swarm-js-0.1.39.tgz
        • decompress-4.2.0.tgz
          • decompress-tar-4.1.1.tgz
            • tar-stream-1.6.2.tgz
              • ❌ bl-1.2.2.tgz (Vulnerable Library)

Found in HEAD commit: 533a14599877b2acca7588425157ce76656deb1f

Vulnerability Details

A buffer over-read vulnerability exists in bl <4.0.3, <3.0.1, <2.2.1, and <1.2.3 which could allow an attacker to supply user input (even typed) that if it ends up in consume() argument and can become negative, the BufferList state can be corrupted, tricking it into exposing uninitialized memory via regular .slice() calls.

Publish Date: 2020-08-30

URL: CVE-2020-8244

CVSS 3 Score Details (6.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: None
  • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: GHSA-pp7h-53gx-mx7r

Release Date: 2020-08-30

Fix Resolution: bl - 1.2.3,2.2.1,3.0.1,4.0.3

• ❌ WhiteSource Security Check: The Security Check found 3 vulnerabilities.

Severity	CVSS Score	CVE	GitHub Issue
Medium	6.1	CVE-2019-11358	#5
Medium	6.1	CVE-2015-9251	#4
Medium	4.3	WS-2016-0090	#6

There is a collection of frequently asked questions. If those don’t help, you can always ask the humans behind Greenkeeper.

Vulnerable Library - elliptic-6.3.3.tgz

EC cryptography

Library home page: https://registry.npmjs.org/elliptic/-/elliptic-6.3.3.tgz

Path to dependency file: /tmp/ws-scm/erc721-smart-contract/smart_contracts/package.json

Path to vulnerable library: /tmp/ws-scm/erc721-smart-contract/smart_contracts/node_modules/ethers/node_modules/elliptic/package.json

Dependency Hierarchy:

• truffle-hdwallet-provider-1.0.17.tgz (Root Library)
  • web3-1.2.1.tgz
    • web3-eth-1.2.1.tgz
      • web3-eth-abi-1.2.1.tgz
        • ethers-4.0.0-beta.3.tgz
          • ❌ elliptic-6.3.3.tgz (Vulnerable Library)

Found in HEAD commit: 0936b120479c96383e43aa70451bc94ccb0d9381

Vulnerability Details

all versions before 6.5.2 of elliptic are vulnerable to Timing Attack through side-channels.

Publish Date: 2019-11-13

URL: WS-2019-0424

CVSS 3 Score Details (5.9)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Adjacent
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: High
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://github.com/indutny/elliptic/pull/203/commits

Release Date: 2020-04-30

Fix Resolution: v6.5.2

• ❌ WhiteSource Security Check: The Security Check found 1 vulnerabilities.

Severity	CVSS Score	CVE	GitHub Issue
Medium	5.0	WS-2019-0047	#2

There is a collection of frequently asked questions. If those don’t help, you can always ask the humans behind Greenkeeper.

Vulnerable Library - deep-defaults-1.0.5.tgz

Recursive version of _.defaults

Library home page: https://registry.npmjs.org/deep-defaults/-/deep-defaults-1.0.5.tgz

Path to dependency file: /smart_contracts/package.json

Path to vulnerable library: /smart_contracts/node_modules/deep-defaults/package.json

Dependency Hierarchy:

• node-server-screenshot-0.2.4.tgz (Root Library)
  • nightmare-3.0.2.tgz
    • ❌ deep-defaults-1.0.5.tgz (Vulnerable Library)

Found in HEAD commit: d00031b7be0677f4dd50b71e93d21ed2931d4038

Vulnerability Details

Prototype pollution vulnerability in 'deep-defaults' versions 1.0.0 through 1.0.5 allows attacker to cause a denial of service and may lead to remote code execution.

Publish Date: 2021-05-25

URL: CVE-2021-25944

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Vulnerable Library - tar-2.2.2.tgz

tar for node

Library home page: https://registry.npmjs.org/tar/-/tar-2.2.2.tgz

Path to dependency file: /smart_contracts/package.json

Path to vulnerable library: /smart_contracts/node_modules/tar/package.json

Dependency Hierarchy:

• truffle-hdwallet-provider-1.0.9.tgz (Root Library)
  • web3-1.0.0-beta.37.tgz
    • web3-bzz-1.0.0-beta.37.tgz
      • swarm-js-0.1.37.tgz
        • tar.gz-1.0.7.tgz
          • ❌ tar-2.2.2.tgz (Vulnerable Library)

Found in HEAD commit: 11b81b67d7da872135498e6394bdec16aded69ce

Vulnerability Details

The npm package "tar" (aka node-tar) before versions 6.1.1, 5.0.6, 4.4.14, and 3.3.2 has a arbitrary File Creation/Overwrite vulnerability due to insufficient absolute path sanitization. node-tar aims to prevent extraction of absolute file paths by turning absolute paths into relative paths when the preservePaths flag is not set to true. This is achieved by stripping the absolute path root from any absolute file paths contained in a tar file. For example /home/user/.bashrc would turn into home/user/.bashrc. This logic was insufficient when file paths contained repeated path roots such as ////home/user/.bashrc. node-tar would only strip a single path root from such paths. When given an absolute file path with repeating path roots, the resulting path (e.g. ///home/user/.bashrc) would still resolve to an absolute path, thus allowing arbitrary file creation and overwrite. This issue was addressed in releases 3.2.2, 4.4.14, 5.0.6 and 6.1.1. Users may work around this vulnerability without upgrading by creating a custom onentry method which sanitizes the entry.path or a filter method which removes entries with absolute paths. See referenced GitHub Advisory for details. Be aware of CVE-2021-32803 which fixes a similar bug in later versions of tar.

Publish Date: 2021-08-03

URL: CVE-2021-32804

CVSS 3 Score Details (8.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-3jfq-g458-7qm9

Release Date: 2021-08-03

Fix Resolution: tar - 3.2.2, 4.4.14, 5.0.6, 6.1.1

Vulnerable Library - electron-2.0.18.tgz

Build cross platform desktop apps with JavaScript, HTML, and CSS

Library home page: https://registry.npmjs.org/electron/-/electron-2.0.18.tgz

Path to dependency file: /tmp/ws-scm/erc721-smart-contract/smart_contracts/package.json

Path to vulnerable library: /tmp/ws-scm/erc721-smart-contract/smart_contracts/node_modules/electron/package.json

Dependency Hierarchy:

• node-server-screenshot-0.2.4.tgz (Root Library)
  • nightmare-3.0.2.tgz
    • ❌ electron-2.0.18.tgz (Vulnerable Library)

Found in HEAD commit: 1f363407df6443c97775b800e7a12eba65b56f99

Vulnerability Details

In Electron before versions 7.2.4, 8.2.4, and 9.0.0-beta21, there is a context isolation bypass. Code running in the main world context in the renderer can reach into the isolated Electron context and perform privileged actions. Apps using contextIsolation are affected. This is fixed in versions 9.0.0-beta.21, 8.2.4 and 7.2.4.

Publish Date: 2020-07-07

URL: CVE-2020-4076

CVSS 3 Score Details (9.0)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Local
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: GHSA-m93v-9qjc-3g79

Release Date: 2020-07-07

Fix Resolution: 7.2.4,8.2.4,9.0.0-beta.21

Vulnerable Library - minimist-0.0.8.tgz

parse argument options

Library home page: https://registry.npmjs.org/minimist/-/minimist-0.0.8.tgz

Path to dependency file: /tmp/ws-scm/erc721-smart-contract/smart_contracts/package.json

Path to vulnerable library: /tmp/ws-scm/erc721-smart-contract/smart_contracts/node_modules/extract-zip/node_modules/minimist/package.json

Dependency Hierarchy:

• node-server-screenshot-0.2.4.tgz (Root Library)
  • nightmare-3.0.2.tgz
    • electron-2.0.18.tgz
      • extract-zip-1.6.7.tgz
        • mkdirp-0.5.1.tgz
          • ❌ minimist-0.0.8.tgz (Vulnerable Library)

Found in HEAD commit: 0bd9f5421327f7dfc93b48320caff131a442c1c3

Vulnerability Details

minimist before 1.2.2 could be tricked into adding or modifying properties of Object.prototype using a "constructor" or "proto" payload.

Publish Date: 2020-03-11

URL: CVE-2020-7598

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://github.com/substack/minimist/commit/63e7ed05aa4b1889ec2f3b196426db4500cbda94

Release Date: 2020-03-11

Fix Resolution: minimist - 0.2.1,1.2.2

Vulnerable Library - trim-newlines-1.0.0.tgz

Trim newlines from the start and/or end of a string

Library home page: https://registry.npmjs.org/trim-newlines/-/trim-newlines-1.0.0.tgz

Path to dependency file: /smart_contracts/package.json

Path to vulnerable library: /smart_contracts/node_modules/trim-newlines/package.json

Dependency Hierarchy:

• node-server-screenshot-0.2.4.tgz (Root Library)
  • nightmare-3.0.2.tgz
    • electron-2.0.18.tgz
      • electron-download-3.3.0.tgz
        • nugget-2.0.1.tgz
          • pretty-bytes-1.0.4.tgz
            • meow-3.7.0.tgz
              • ❌ trim-newlines-1.0.0.tgz (Vulnerable Library)

Found in HEAD commit: d00031b7be0677f4dd50b71e93d21ed2931d4038

Vulnerability Details

The trim-newlines package before 3.0.1 and 4.x before 4.0.1 for Node.js has an issue related to regular expression denial-of-service (ReDoS) for the .end() method.

Publish Date: 2021-05-28

URL: CVE-2021-33623

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33623

Release Date: 2021-05-28

Fix Resolution: trim-newlines - 3.0.1, 4.0.1

Vulnerable Libraries - kind-of-3.2.2.tgz, kind-of-4.0.0.tgz, kind-of-5.1.0.tgz

Found in HEAD commit: 7236e90b1c6c757f2f249a0b7fe7d258e070a819

Vulnerability Details

ctorName in index.js in kind-of v6.0.2 allows external user input to overwrite certain internal attributes via a conflicting name, as demonstrated by 'constructor': {'name':'Symbol'}. Hence, a crafted payload can overwrite this builtin attribute to manipulate the type detection result.

Publish Date: 2019-12-30

URL: CVE-2019-20149

CVSS 2 Score Details (5.0)

Base Score Metrics not available

Vulnerable Library - jquery-1.11.1.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.11.1/jquery.min.js

Path to dependency file: /tmp/ws-scm/erc721-smart-contract/smart_contracts/node_modules/nightmare/test/fixtures/rendering/index.html

Path to vulnerable library: /erc721-smart-contract/smart_contracts/node_modules/nightmare/test/fixtures/rendering/index.html

Dependency Hierarchy:

• ❌ jquery-1.11.1.min.js (Vulnerable Library)

Found in HEAD commit: b9b69a78b2d694ad0343817209db815e1daab964

Vulnerability Details

JQuery, before 2.2.0, is vulnerable to Cross-site Scripting (XSS) attacks via text/javascript response with arbitrary code execution.

Publish Date: 2016-11-27

URL: WS-2016-0090

CVSS 2 Score Details (4.3)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: jquery/jquery@b078a62

Release Date: 2019-04-08

Fix Resolution: 2.2.0

Vulnerable Library - electron-2.0.18.tgz

Build cross platform desktop apps with JavaScript, HTML, and CSS

Library home page: https://registry.npmjs.org/electron/-/electron-2.0.18.tgz

Path to dependency file: /tmp/ws-scm/erc721-smart-contract/smart_contracts/package.json

Path to vulnerable library: /tmp/ws-scm/erc721-smart-contract/smart_contracts/node_modules/electron/package.json

Dependency Hierarchy:

• node-server-screenshot-0.2.4.tgz (Root Library)
  • nightmare-3.0.2.tgz
    • ❌ electron-2.0.18.tgz (Vulnerable Library)

Found in HEAD commit: 1f363407df6443c97775b800e7a12eba65b56f99

Vulnerability Details

In Electron before versions 6.1.1, 7.2.4, 8.2.4, and 9.0.0-beta21, there is a context isolation bypass, meaning that code running in the main world context in the renderer can reach into the isolated Electron context and perform privileged actions. Apps using "contextIsolation" are affected. There are no app-side workarounds, you must update your Electron version to be protected. This is fixed in versions 6.1.1, 7.2.4, 8.2.4, and 9.0.0-beta21.

Publish Date: 2020-07-07

URL: CVE-2020-15096

CVSS 3 Score Details (6.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: High
  • User Interaction: None
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: High
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: GHSA-6vrv-94jv-crrg

Release Date: 2020-07-07

Fix Resolution: electron - 6.1.11,8.2.4,9.0.0-beta.21

• ❌ WhiteSource Security Check: The Security Check found 3 vulnerabilities.

Severity	CVSS Score	CVE	GitHub Issue
Medium	6.1	CVE-2019-11358	#5
Medium	6.1	CVE-2015-9251	#4
Medium	4.3	WS-2016-0090	#6

1.19.3 (2019-09-29)

Bug Fixes

• to avoid confusion like in #1528, always report used extension (eead311)

The new version differs by 1 commits.

• eead311 fix: to avoid confusion like in #1528, always report used extension

See the full diff

There is a collection of frequently asked questions. If those don’t help, you can always ask the humans behind Greenkeeper.

Vulnerable Library - lodash-4.17.20.tgz

Lodash modular utilities.

Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.20.tgz

Path to dependency file: /smart_contracts/package.json

Path to vulnerable library: /smart_contracts/node_modules/lodash/package.json

Dependency Hierarchy:

• node-server-screenshot-0.2.4.tgz (Root Library)
  • nightmare-3.0.2.tgz
    • deep-defaults-1.0.5.tgz
      • ❌ lodash-4.17.20.tgz (Vulnerable Library)

Found in HEAD commit: 533a14599877b2acca7588425157ce76656deb1f

Vulnerability Details

Lodash versions prior to 4.17.21 are vulnerable to Regular Expression Denial of Service (ReDoS) via the toNumber, trim and trimEnd functions.
WhiteSource Note: After conducting further research, WhiteSource has determined that CVE-2020-28500 only affects environments with versions 4.0.0 to 4.17.20 of Lodash.

Publish Date: 2021-02-15

URL: CVE-2020-28500

CVSS 3 Score Details (5.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28500

Release Date: 2021-02-15

Fix Resolution: lodash - 4.17.21

• ❌ WhiteSource Security Check: The Security Check found 5 vulnerabilities.

Severity	CVSS Score	CVE	GitHub Issue
High	9.8	CVE-2020-7598	#11
High	7.5	CVE-2020-8116	#13
High	7.5	WS-2020-0044	#12
Medium	6.1	CVE-2019-11358	#5
Medium	6.1	CVE-2015-9251	#4

The new version differs by 3 commits.

• 28d82bf 0.2.4
• 3a39fd6 update(deps): nightmare from ^3.0.1 to ^3.0.2
• b09a7aa fix: disable window frame for the requested sizes to be accurate

See the full diff

There is a collection of frequently asked questions. If those don’t help, you can always ask the humans behind Greenkeeper.

Vulnerable Libraries - elliptic-6.3.3.tgz, elliptic-6.4.1.tgz

Found in HEAD commit: f7bd4ba207ff34cdf6389d4d146e37ea45b4ce9b

Vulnerability Details

The package elliptic before 6.5.4 are vulnerable to Cryptographic Issues via the secp256k1 implementation in elliptic/ec/key.js. There is no check to confirm that the public key point passed into the derive function actually exists on the secp256k1 curve. This results in the potential for the private key used in this implementation to be revealed after a number of ECDH operations are performed.

Publish Date: 2021-02-02

URL: CVE-2020-28498

CVSS 3 Score Details (6.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: None
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28498

Release Date: 2021-02-02

Fix Resolution: v6.5.4

Vulnerable Library - hosted-git-info-2.8.8.tgz

Provides metadata and conversions from repository urls for Github, Bitbucket and Gitlab

Library home page: https://registry.npmjs.org/hosted-git-info/-/hosted-git-info-2.8.8.tgz

Path to dependency file: /smart_contracts/package.json

Path to vulnerable library: /smart_contracts/node_modules/hosted-git-info/package.json

Dependency Hierarchy:

• node-server-screenshot-0.2.4.tgz (Root Library)
  • nightmare-3.0.2.tgz
    • electron-2.0.18.tgz
      • electron-download-3.3.0.tgz
        • nugget-2.0.1.tgz
          • pretty-bytes-1.0.4.tgz
            • meow-3.7.0.tgz
              • normalize-package-data-2.5.0.tgz
                • ❌ hosted-git-info-2.8.8.tgz (Vulnerable Library)

Found in HEAD commit: 533a14599877b2acca7588425157ce76656deb1f

Vulnerability Details

The package hosted-git-info before 3.0.8 are vulnerable to Regular Expression Denial of Service (ReDoS) via regular expression shortcutMatch in the fromUrl function in index.js. The affected regular expression exhibits polynomial worst-case time complexity.

Publish Date: 2021-03-23

URL: CVE-2021-23362

CVSS 3 Score Details (5.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: GHSA-43f8-2h32-f4cj

Release Date: 2021-03-23

Fix Resolution: hosted-git-info - 2.8.9,3.0.8

Vulnerable Library - decompress-4.2.0.tgz

Extracting archives made easy

Library home page: https://registry.npmjs.org/decompress/-/decompress-4.2.0.tgz

Path to dependency file: /smart_contracts/package.json

Path to vulnerable library: /smart_contracts/node_modules/decompress/package.json

Dependency Hierarchy:

• truffle-hdwallet-provider-1.0.17.tgz (Root Library)
  • web3-1.2.1.tgz
    • web3-bzz-1.2.1.tgz
      • swarm-js-0.1.39.tgz
        • ❌ decompress-4.2.0.tgz (Vulnerable Library)

Found in HEAD commit: 533a14599877b2acca7588425157ce76656deb1f

Vulnerability Details

The decompress package before 4.2.1 for Node.js is vulnerable to Arbitrary File Write via ../ in an archive member, when a symlink is used, because of Directory Traversal.

Publish Date: 2020-04-26

URL: CVE-2020-12265

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12265

Release Date: 2020-04-26

Fix Resolution: 4.2.1

Vulnerable Library - elliptic-6.3.3.tgz

EC cryptography

Library home page: https://registry.npmjs.org/elliptic/-/elliptic-6.3.3.tgz

Path to dependency file: /tmp/ws-scm/erc721-smart-contract/smart_contracts/package.json

Path to vulnerable library: /tmp/ws-scm/erc721-smart-contract/smart_contracts/node_modules/ethers/node_modules/elliptic/package.json

Dependency Hierarchy:

• truffle-hdwallet-provider-1.0.17.tgz (Root Library)
  • web3-1.2.1.tgz
    • web3-eth-1.2.1.tgz
      • web3-eth-abi-1.2.1.tgz
        • ethers-4.0.0-beta.3.tgz
          • ❌ elliptic-6.3.3.tgz (Vulnerable Library)

Found in HEAD commit: 1f363407df6443c97775b800e7a12eba65b56f99

Vulnerability Details

The Elliptic package 6.5.2 for Node.js allows ECDSA signature malleability via variations in encoding, leading '\0' bytes, or integer overflows. This could conceivably have a security-relevant impact if an application relied on a single canonical signature.

Publish Date: 2020-06-04

URL: CVE-2020-13822

CVSS 3 Score Details (7.7)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: https://github.com/indutny/elliptic/tree/v6.5.3

Release Date: 2020-06-04

Fix Resolution: v6.5.3

Vulnerable Library - ansi-regex-3.0.0.tgz

Regular expression for matching ANSI escape codes

Library home page: https://registry.npmjs.org/ansi-regex/-/ansi-regex-3.0.0.tgz

Path to dependency file: /smart_contracts/package.json

Path to vulnerable library: /smart_contracts/node_modules/ansi-regex/package.json

Dependency Hierarchy:

• nodemon-1.19.4.tgz (Root Library)
  • update-notifier-2.5.0.tgz
    • boxen-1.3.0.tgz
      • string-width-2.1.1.tgz
        • strip-ansi-4.0.0.tgz
          • ❌ ansi-regex-3.0.0.tgz (Vulnerable Library)

Found in HEAD commit: d00031b7be0677f4dd50b71e93d21ed2931d4038

Vulnerability Details

ansi-regex is vulnerable to Inefficient Regular Expression Complexity

Publish Date: 2021-09-17

URL: CVE-2021-3807

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://huntr.dev/bounties/5b3cf33b-ede0-4398-9974-800876dfd994/

Release Date: 2021-09-17

Fix Resolution (ansi-regex): 4.1.1

Direct dependency fix Resolution (nodemon): 2.0.3

Vulnerable Library - electron-2.0.18.tgz

Build cross platform desktop apps with JavaScript, HTML, and CSS

Library home page: https://registry.npmjs.org/electron/-/electron-2.0.18.tgz

Path to dependency file: /tmp/ws-scm/erc721-smart-contract/smart_contracts/package.json

Path to vulnerable library: /tmp/ws-scm/erc721-smart-contract/smart_contracts/node_modules/electron/package.json

Dependency Hierarchy:

• node-server-screenshot-0.2.4.tgz (Root Library)
  • nightmare-3.0.2.tgz
    • ❌ electron-2.0.18.tgz (Vulnerable Library)

Found in HEAD commit: 1f363407df6443c97775b800e7a12eba65b56f99

Vulnerability Details

In Electron before versions 7.2.4, 8.2.4, and 9.0.0-beta21, there is a context isolation bypass. Code running in the main world context in the renderer can reach into the isolated Electron context and perform privileged actions. Apps using both contextIsolation and contextBridge are affected. This is fixed in versions 9.0.0-beta.21, 8.2.4 and 7.2.4.

Publish Date: 2020-07-07

URL: CVE-2020-4077

CVSS 3 Score Details (9.9)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-h9jc-284h-533g

Release Date: 2020-07-07

Fix Resolution: 7.2.4,8.2.4,9.0.0-beta.21

Vulnerable Library - simple-get-2.8.1.tgz

Simplest way to make http get requests. Supports HTTPS, redirects, gzip/deflate, streams in < 100 lines.

Library home page: https://registry.npmjs.org/simple-get/-/simple-get-2.8.1.tgz

Path to dependency file: /smart_contracts/package.json

Path to vulnerable library: /smart_contracts/node_modules/simple-get/package.json

Dependency Hierarchy:

• truffle-hdwallet-provider-1.0.17.tgz (Root Library)
  • web3-1.2.1.tgz
    • web3-bzz-1.2.1.tgz
      • swarm-js-0.1.39.tgz
        • xhr-request-promise-0.1.2.tgz
          • xhr-request-1.1.0.tgz
            • ❌ simple-get-2.8.1.tgz (Vulnerable Library)

Found in HEAD commit: 11b81b67d7da872135498e6394bdec16aded69ce

Vulnerability Details

Exposure of Sensitive Information to an Unauthorized Actor in NPM simple-get prior to 4.0.1.

Publish Date: 2022-01-26

URL: CVE-2022-0355

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: None
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0355

Release Date: 2022-01-26

Fix Resolution: simple-get - 4.0.1

Vulnerable Libraries - minimist-0.0.8.tgz, minimist-1.2.5.tgz

Found in HEAD commit: dd5f42086bee0771658914de31128ac49447cee9

Vulnerability Details

Minimist <=1.2.5 is vulnerable to Prototype Pollution via file index.js, function setKey() (lines 69-95).

Publish Date: 2022-03-17

URL: CVE-2021-44906

CVSS 3 Score Details (5.0)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2021-44906

Release Date: 2022-03-17

Fix Resolution: BumperLane.Public.Service.Contracts - 0.23.35.214-prerelease;cloudscribe.templates - 5.2.0;Virteom.Tenant.Mobile.Bluetooth - 0.21.29.159-prerelease;ShowingVault.DotNet.Sdk - 0.13.41.190-prerelease;Envisia.DotNet.Templates - 3.0.1;Yarnpkg.Yarn - 0.26.1;Virteom.Tenant.Mobile.Framework.UWP - 0.20.41.103-prerelease;Virteom.Tenant.Mobile.Framework.iOS - 0.20.41.103-prerelease;BumperLane.Public.Api.V2.ClientModule - 0.23.35.214-prerelease;VueJS.NetCore - 1.1.1;Dianoga - 4.0.0,3.0.0-RC02;Virteom.Tenant.Mobile.Bluetooth.iOS - 0.20.41.103-prerelease;Virteom.Public.Utilities - 0.23.37.212-prerelease;Indianadavy.VueJsWebAPITemplate.CSharp - 1.0.1;NorDroN.AngularTemplate - 0.1.6;Virteom.Tenant.Mobile.Framework - 0.21.29.159-prerelease;Virteom.Tenant.Mobile.Bluetooth.Android - 0.20.41.103-prerelease;z4a-dotnet-scaffold - 1.0.0.2;Raml.Parser - 1.0.7;CoreVueWebTest - 3.0.101;dotnetng.template - 1.0.0.4;SitecoreMaster.TrueDynamicPlaceholders - 1.0.3;Virteom.Tenant.Mobile.Framework.Android - 0.20.41.103-prerelease;Fable.Template.Elmish.React - 0.1.6;BlazorPolyfill.Build - 6.0.100.2;Fable.Snowpack.Template - 2.1.0;BumperLane.Public.Api.Client - 0.23.35.214-prerelease;Yarn.MSBuild - 0.22.0,0.24.6;Blazor.TailwindCSS.BUnit - 1.0.2;Bridge.AWS - 0.3.30.36;tslint - 5.6.0;SAFE.Template - 3.0.1;GR.PageRender.Razor - 1.8.0;MIDIator.WebClient - 1.0.105

Vulnerable Library - underscore-1.9.1.tgz

JavaScript's functional programming helper library.

Library home page: https://registry.npmjs.org/underscore/-/underscore-1.9.1.tgz

Path to dependency file: /smart_contracts/package.json

Path to vulnerable library: /smart_contracts/node_modules/underscore/package.json

Dependency Hierarchy:

• truffle-hdwallet-provider-1.0.17.tgz (Root Library)
  • web3-1.2.1.tgz
    • web3-bzz-1.2.1.tgz
      • ❌ underscore-1.9.1.tgz (Vulnerable Library)

Found in HEAD commit: 533a14599877b2acca7588425157ce76656deb1f

Vulnerability Details

The package underscore from 1.13.0-0 and before 1.13.0-2, from 1.3.2 and before 1.12.1 are vulnerable to Arbitrary Code Injection via the template function, particularly when a variable property is passed as an argument as it is not sanitized.

Publish Date: 2021-03-29

URL: CVE-2021-23358

CVSS 3 Score Details (7.2)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: High
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23358

Release Date: 2021-03-29

Fix Resolution: underscore - 1.12.1,1.13.0-2

Vulnerable Library - glob-parent-3.1.0.tgz

Strips glob magic from a string to provide the parent directory path

Library home page: https://registry.npmjs.org/glob-parent/-/glob-parent-3.1.0.tgz

Path to dependency file: /smart_contracts/package.json

Path to vulnerable library: /smart_contracts/node_modules/glob-parent/package.json

Dependency Hierarchy:

• nodemon-1.19.4.tgz (Root Library)
  • chokidar-2.1.8.tgz
    • ❌ glob-parent-3.1.0.tgz (Vulnerable Library)

Found in HEAD commit: d00031b7be0677f4dd50b71e93d21ed2931d4038

Vulnerability Details

This affects the package glob-parent before 5.1.2. The enclosure regex used to check for strings ending in enclosure containing path separator.

Publish Date: 2021-06-03

URL: CVE-2020-28469

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28469

Release Date: 2021-06-03

Fix Resolution (glob-parent): 5.1.2

Direct dependency fix Resolution (nodemon): 2.0.0

Vulnerable Library - decompress-4.2.0.tgz

Extracting archives made easy

Library home page: https://registry.npmjs.org/decompress/-/decompress-4.2.0.tgz

Path to dependency file: /tmp/ws-scm/erc721-smart-contract/smart_contracts/package.json

Path to vulnerable library: /tmp/ws-scm/erc721-smart-contract/smart_contracts/node_modules/decompress/package.json

Dependency Hierarchy:

• truffle-hdwallet-provider-1.0.17.tgz (Root Library)
  • web3-1.2.1.tgz
    • web3-bzz-1.2.1.tgz
      • swarm-js-0.1.39.tgz
        • ❌ decompress-4.2.0.tgz (Vulnerable Library)

Found in HEAD commit: 0bd9f5421327f7dfc93b48320caff131a442c1c3

Vulnerability Details

decompress in all its versions is vulnerable to arbitrary file write. the package fails to prevent an extraction of files with relative paths which allows attackers to write to any folder in the system.

Publish Date: 2020-03-08

URL: WS-2020-0044

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: High
  • Availability Impact: None

Vulnerable Library - tar-2.2.1.tgz

tar for node

Library home page: https://registry.npmjs.org/tar/-/tar-2.2.1.tgz

Path to dependency file: /erc721-smart-contract/smart_contracts/package.json

Path to vulnerable library: /tmp/git/erc721-smart-contract/smart_contracts/node_modules/tar/package.json

Dependency Hierarchy:

• truffle-hdwallet-provider-1.0.7.tgz (Root Library)
  • web3-1.0.0-beta.37.tgz
    • web3-bzz-1.0.0-beta.37.tgz
      • swarm-js-0.1.37.tgz
        • tar.gz-1.0.7.tgz
          • ❌ tar-2.2.1.tgz (Vulnerable Library)

Found in HEAD commit: b080024d164cbbcc72560834dc5e39f291e6572e

Vulnerability Details

Versions of node-tar prior to 4.4.2 are vulnerable to Arbitrary File Overwrite. Extracting tarballs containing a hardlink to a file that already exists in the system, and a file that matches the hardlink will overwrite the system's file with the contents of the extracted file.

Publish Date: 2019-04-05

URL: WS-2019-0047

CVSS 2 Score Details (5.0)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/803

Release Date: 2019-04-05

Fix Resolution: 4.4.2

Vulnerable Library - jquery-1.11.1.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.11.1/jquery.min.js

Path to dependency file: /tmp/ws-scm/erc721-smart-contract/smart_contracts/node_modules/nightmare/test/fixtures/rendering/index.html

Path to vulnerable library: /erc721-smart-contract/smart_contracts/node_modules/nightmare/test/fixtures/rendering/index.html

Dependency Hierarchy:

• ❌ jquery-1.11.1.min.js (Vulnerable Library)

Found in HEAD commit: b9b69a78b2d694ad0343817209db815e1daab964

Vulnerability Details

jQuery before 3.0.0 is vulnerable to Cross-site Scripting (XSS) attacks when a cross-domain Ajax request is performed without the dataType option, causing text/javascript responses to be executed.

Publish Date: 2018-01-18

URL: CVE-2015-9251

CVSS 3 Score Details (6.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2015-9251

Release Date: 2018-01-18

Fix Resolution: jQuery - v3.0.0

Vulnerable Library - electron-2.0.18.tgz

Build cross platform desktop apps with JavaScript, HTML, and CSS

Library home page: https://registry.npmjs.org/electron/-/electron-2.0.18.tgz

Path to dependency file: /tmp/ws-scm/erc721-smart-contract/smart_contracts/package.json

Path to vulnerable library: /tmp/ws-scm/erc721-smart-contract/smart_contracts/node_modules/electron/package.json

Dependency Hierarchy:

• node-server-screenshot-0.2.4.tgz (Root Library)
  • nightmare-3.0.2.tgz
    • ❌ electron-2.0.18.tgz (Vulnerable Library)

Found in HEAD commit: 1f363407df6443c97775b800e7a12eba65b56f99

Vulnerability Details

In Electron before versions 7.2.4, 8.2.4, and 9.0.0-beta21, arbitrary local file read is possible by defining unsafe window options on a child window opened via window.open. As a workaround, ensure you are calling event.preventDefault() on all new-window events where the url or options is not something you expect. This is fixed in versions 9.0.0-beta.21, 8.2.4 and 7.2.4.

Publish Date: 2020-07-07

URL: CVE-2020-4075

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: None
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: GHSA-f9mq-jph6-9mhm

Release Date: 2020-07-07

Fix Resolution: 7.2.4,8.2.4,9.0.0-beta.21

Vulnerable Library - jquery-1.11.1.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.11.1/jquery.min.js

Path to dependency file: /tmp/ws-scm/erc721-smart-contract/smart_contracts/node_modules/nightmare/test/fixtures/rendering/index.html

Path to vulnerable library: /erc721-smart-contract/smart_contracts/node_modules/nightmare/test/fixtures/rendering/index.html

Dependency Hierarchy:

• ❌ jquery-1.11.1.min.js (Vulnerable Library)

Found in HEAD commit: 1f363407df6443c97775b800e7a12eba65b56f99

Vulnerability Details

In jQuery versions greater than or equal to 1.0.3 and before 3.5.0, passing HTML containing elements from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.

Publish Date: 2020-04-29

URL: CVE-2020-11023

CVSS 3 Score Details (6.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11023

Release Date: 2020-04-29

Fix Resolution: jquery - 3.5.0

Vulnerable Library - path-parse-1.0.6.tgz

Node.js path.parse() ponyfill

Library home page: https://registry.npmjs.org/path-parse/-/path-parse-1.0.6.tgz

Path to dependency file: /smart_contracts/package.json

Path to vulnerable library: /smart_contracts/node_modules/path-parse/package.json

Dependency Hierarchy:

• node-server-screenshot-0.2.4.tgz (Root Library)
  • nightmare-3.0.2.tgz
    • electron-2.0.18.tgz
      • electron-download-3.3.0.tgz
        • nugget-2.0.1.tgz
          • pretty-bytes-1.0.4.tgz
            • meow-3.7.0.tgz
              • normalize-package-data-2.5.0.tgz
                • resolve-1.17.0.tgz
                  • ❌ path-parse-1.0.6.tgz (Vulnerable Library)

Found in HEAD commit: 533a14599877b2acca7588425157ce76656deb1f

Vulnerability Details

All versions of package path-parse are vulnerable to Regular Expression Denial of Service (ReDoS) via splitDeviceRe, splitTailRe, and splitPathRe regular expressions. ReDoS exhibits polynomial worst-case time complexity.

Publish Date: 2021-05-04

URL: CVE-2021-23343

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: jbgutierrez/path-parse#8

Release Date: 2021-05-04

Fix Resolution: path-parse - 1.0.7

Vulnerable Library - web3-1.2.1.tgz

Ethereum JavaScript API

Library home page: https://registry.npmjs.org/web3/-/web3-1.2.1.tgz

Path to dependency file: /smart_contracts/package.json

Path to vulnerable library: /smart_contracts/node_modules/web3/package.json

Dependency Hierarchy:

• truffle-hdwallet-provider-1.0.17.tgz (Root Library)
  • ❌ web3-1.2.1.tgz (Vulnerable Library)

Found in HEAD commit: d00031b7be0677f4dd50b71e93d21ed2931d4038

Vulnerability Details

All versions of web3 are vulnerable to Insecure Credential Storage

Publish Date: 2019-05-15

URL: WS-2019-0075

CVSS 3 Score Details (3.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Local
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: None
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/WS-2019-0075

Release Date: 2019-05-15

Fix Resolution: web3 - 1.5.3-rc.0

Vulnerable Library - lodash-4.17.20.tgz

Lodash modular utilities.

Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.20.tgz

Path to dependency file: /smart_contracts/package.json

Path to vulnerable library: /smart_contracts/node_modules/lodash/package.json

Dependency Hierarchy:

• node-server-screenshot-0.2.4.tgz (Root Library)
  • nightmare-3.0.2.tgz
    • deep-defaults-1.0.5.tgz
      • ❌ lodash-4.17.20.tgz (Vulnerable Library)

Found in HEAD commit: 533a14599877b2acca7588425157ce76656deb1f

Vulnerability Details

Lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function.

Publish Date: 2021-02-15

URL: CVE-2021-23337

CVSS 3 Score Details (7.2)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: High
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: lodash/lodash@3469357

Release Date: 2021-02-15

Fix Resolution: lodash - 4.17.21

Vulnerable Library - ini-1.3.5.tgz

An ini encoder/decoder for node

Library home page: https://registry.npmjs.org/ini/-/ini-1.3.5.tgz

Path to dependency file: /smart_contracts/package.json

Path to vulnerable library: /smart_contracts/node_modules/ini/package.json

Dependency Hierarchy:

• node-server-screenshot-0.2.4.tgz (Root Library)
  • nightmare-3.0.2.tgz
    • electron-2.0.18.tgz
      • electron-download-3.3.0.tgz
        • rc-1.2.8.tgz
          • ❌ ini-1.3.5.tgz (Vulnerable Library)

Found in HEAD commit: 533a14599877b2acca7588425157ce76656deb1f

Vulnerability Details

This affects the package ini before 1.3.6. If an attacker submits a malicious INI file to an application that parses it with ini.parse, they will pollute the prototype on the application. This can be exploited further depending on the context.

Publish Date: 2020-12-11

URL: CVE-2020-7788

CVSS 3 Score Details (7.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7788

Release Date: 2020-12-11

Fix Resolution: v1.3.6

Vulnerable Library - jquery-1.11.1.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.11.1/jquery.min.js

Path to dependency file: /tmp/ws-scm/erc721-smart-contract/smart_contracts/node_modules/nightmare/test/fixtures/rendering/index.html

Path to vulnerable library: /erc721-smart-contract/smart_contracts/node_modules/nightmare/test/fixtures/rendering/index.html

Dependency Hierarchy:

• ❌ jquery-1.11.1.min.js (Vulnerable Library)

Found in HEAD commit: 0936b120479c96383e43aa70451bc94ccb0d9381

Vulnerability Details

In jQuery versions greater than or equal to 1.2 and before 3.5.0, passing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.

Publish Date: 2020-04-29

URL: CVE-2020-11022

CVSS 3 Score Details (6.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/

Release Date: 2020-04-29

Fix Resolution: jQuery - 3.5.0