harkishen-singh / dendrite-server-base
License: Apache License 2.0
General purpose crypto utilities
path: /tmp/git/dendrite-server-base/vendor/src/github.com/apache/thrift/node_modules/cryptiles/package.json
Library home page: http://registry.npmjs.org/cryptiles/-/cryptiles-2.0.5.tgz
Dependency Hierarchy:
cryptiles versions 4.1.1 and earlier (Eran Hammer) contain a CWE-331: Insufficient Entropy vulnerability in the randomDigits() method, which makes it more likely that an attacker can brute force a value that was supposed to be random. Exploitability depends upon the calling application. This vulnerability appears to have been fixed in 4.1.2.
Publish Date: 2018-07-09
URL: CVE-2018-1000620
Base Score Metrics:
Step up your Open Source Security Game with WhiteSource here
A comprehensive library for mime-type mapping
path: /tmp/git/dendrite-server-base/vendor/src/github.com/apache/thrift/node_modules/mime/package.json
Library home page: http://registry.npmjs.org/mime/-/mime-1.2.11.tgz
Dependency Hierarchy:
Affected versions of mime (1.0.0 through 1.4.0 and 2.0.0 through 2.0.2) are vulnerable to regular expression denial of service.
Publish Date: 2017-09-27
URL: WS-2017-0330
JavaScript parser, mangler/compressor and beautifier toolkit
path: /tmp/git/dendrite-server-base/vendor/src/github.com/apache/thrift/node_modules/ruglify/node_modules/uglify-js/package.json
Library home page: http://registry.npmjs.org/uglify-js/-/uglify-js-2.2.5.tgz
Dependency Hierarchy:
JavaScript parser, mangler/compressor and beautifier toolkit
path: /tmp/git/dendrite-server-base/vendor/src/github.com/apache/thrift/node_modules/browserify-istanbul/node_modules/uglify-js/package.json
Library home page: http://registry.npmjs.org/uglify-js/-/uglify-js-2.3.6.tgz
Dependency Hierarchy:
UglifyJS versions 2.4.23 and earlier are affected by a vulnerability which allows a specially crafted Javascript file to have altered functionality after minification.
Publish Date: 2015-08-24
URL: WS-2015-0024
Type: Upgrade version
Origin: mishoo/UglifyJS@905b601
Release Date: 2017-01-31
Fix Resolution: v2.4.24
High performance middleware framework
path: /dendrite-server-base/vendor/src/github.com/apache/thrift/node_modules/connect/package.json
Library home page: http://registry.npmjs.org/connect/-/connect-2.7.11.tgz
Dependency Hierarchy:
Connect is a stack of middleware that is executed in order in each request.
The "methodOverride" middleware allows the http post to override the method of the request with the value of the "_method" post key or with the header "x-http-method-override".
Publish Date: 2013-07-01
URL: CVE-2013-7370
Type: Upgrade version
Origin: https://nodesecurity.io/advisories/methodOverride_Middleware_Reflected_Cross-Site_Scripting
Release Date: 2013-07-01
Fix Resolution: Update to the newest version of Connect or disable methodOverride. It is not possible to avoid the vulnerability if you have enabled this middleware in the top of your stack.
quote and parse shell commands
path: /tmp/git/dendrite-server-base/vendor/src/github.com/apache/thrift/node_modules/shell-quote/package.json
Library home page: http://registry.npmjs.org/shell-quote/-/shell-quote-0.0.1.tgz
Dependency Hierarchy:
The npm module "shell-quote" 1.6.0 and earlier cannot correctly escape ">" and "<" operator used for redirection in shell. Applications that depend on shell-quote may also be vulnerable. A malicious user could perform code injection.
Publish Date: 2018-05-31
URL: CVE-2016-10541
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10541
Release Date: 2018-12-15
Fix Resolution: 1.6.1
JavaScript library for DOM operations
path: /dendrite-server-base/vendor/src/github.com/apache/thrift/tutorial/js/tutorial.html
Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.4.2/jquery.min.js
Dependency Hierarchy:
JavaScript library for DOM operations
path: /dendrite-server-base/vendor/src/github.com/apache/thrift/test/index.html
Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/2.1.3/jquery.min.js
Dependency Hierarchy:
jQuery before 3.0.0 is vulnerable to Cross-site Scripting (XSS) attacks when a cross-domain Ajax request is performed without the dataType option, causing text/javascript responses to be executed.
Publish Date: 2018-01-18
URL: CVE-2015-9251
Base Score Metrics:
Type: Change files
Origin: jquery/jquery@b078a62#diff-bee4304906ea68bebadfc11be4368419
Release Date: 2015-10-12
Fix Resolution: Replace or update the following files: script.js, ajax.js, ajax.js
a glob matcher in javascript
path: /tmp/git/dendrite-server-base/vendor/src/github.com/apache/thrift/node_modules/tape/node_modules/minimatch/package.json
Library home page: http://registry.npmjs.org/minimatch/-/minimatch-0.3.0.tgz
Dependency Hierarchy:
a glob matcher in javascript
path: /tmp/git/dendrite-server-base/vendor/src/github.com/apache/thrift/node_modules/browserify-istanbul/node_modules/minimatch/package.json
Library home page: http://registry.npmjs.org/minimatch/-/minimatch-0.2.14.tgz
Dependency Hierarchy:
a glob matcher in javascript
path: /tmp/git/dendrite-server-base/vendor/src/github.com/apache/thrift/node_modules/minimatch/package.json
Library home page: http://registry.npmjs.org/minimatch/-/minimatch-2.0.10.tgz
Dependency Hierarchy:
Minimatch is a minimal matching utility that works by converting glob expressions into JavaScript RegExp objects. The primary function, minimatch(path, pattern), in Minimatch 3.0.1 and earlier is vulnerable to ReDoS in the pattern parameter.
Publish Date: 2018-05-31
URL: CVE-2016-10540
Base Score Metrics:
Type: Upgrade version
Origin: https://nodesecurity.io/advisories/118
Release Date: 2016-06-20
Fix Resolution: Update to version 3.0.2 or later.
small debugging utility
path: /tmp/git/dendrite-server-base/vendor/src/github.com/apache/thrift/node_modules/extract-zip/node_modules/debug/package.json
Library home page: http://registry.npmjs.org/debug/-/debug-0.7.4.tgz
Dependency Hierarchy:
The debug module is vulnerable to regular expression denial of service when untrusted user input is passed into the o formatter. It takes around 50k characters to block for 2 seconds making this a low severity issue.
Publish Date: 2018-06-07
URL: CVE-2017-16137
Base Score Metrics:
Type: Upgrade version
Origin: https://nodesecurity.io/advisories/534
Release Date: 2017-09-27
Fix Resolution: Version 2.x.x: Update to version 2.6.9 or later. Version 3.x.x: Update to version 3.1.0 or later.
simple to use, blazing fast and thoroughly tested websocket client, server and console for node.js, up-to-date against RFC-6455
path: /dendrite-server-base/vendor/src/github.com/apache/thrift/node_modules/ws/package.json
Library home page: http://registry.npmjs.org/ws/-/ws-0.4.32.tgz
Dependency Hierarchy:
ws is a "simple to use, blazing fast and thoroughly tested websocket client, server and console for node.js, up-to-date against RFC-6455". By sending an overly long websocket payload to a ws server, it is possible to crash the node process. This affects ws 1.1.0 and earlier.
Publish Date: 2018-05-31
URL: CVE-2016-10542
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8858
Release Date: 2018-12-15
Fix Resolution: v2.4.24
JavaScript parser, mangler/compressor and beautifier toolkit
path: /tmp/git/dendrite-server-base/vendor/src/github.com/apache/thrift/node_modules/ruglify/node_modules/uglify-js/package.json
Library home page: http://registry.npmjs.org/uglify-js/-/uglify-js-2.2.5.tgz
Dependency Hierarchy:
JavaScript parser, mangler/compressor and beautifier toolkit
path: /tmp/git/dendrite-server-base/vendor/src/github.com/apache/thrift/node_modules/umd/node_modules/uglify-js/package.json
Library home page: http://registry.npmjs.org/uglify-js/-/uglify-js-2.4.24.tgz
Dependency Hierarchy:
JavaScript parser, mangler/compressor and beautifier toolkit
path: /tmp/git/dendrite-server-base/vendor/src/github.com/apache/thrift/node_modules/browserify-istanbul/node_modules/uglify-js/package.json
Library home page: http://registry.npmjs.org/uglify-js/-/uglify-js-2.3.6.tgz
Dependency Hierarchy:
Uglify-js is vulnerable to regular expression denial of service (ReDoS) when certain types of input are passed into .parse().
Publish Date: 2015-10-24
URL: WS-2015-0017
Type: Upgrade version
Origin: https://nodesecurity.io/advisories/48
Release Date: 2015-10-24
Fix Resolution: Update to version 2.6.0 or later
RFC6265 Cookies and Cookie Jar for node.js
path: /tmp/git/dendrite-server-base/vendor/src/github.com/apache/thrift/node_modules/tough-cookie/package.json
Library home page: http://registry.npmjs.org/tough-cookie/-/tough-cookie-2.2.2.tgz
Dependency Hierarchy:
A ReDoS (regular expression denial of service) flaw was found in the tough-cookie module before 2.3.3 for Node.js. An attacker that is able to make an HTTP request using a specially crafted cookie may cause the application to consume an excessive amount of CPU.
Publish Date: 2017-10-04
URL: CVE-2017-15010
Base Score Metrics:
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2017-15010
Release Date: 2017-10-04
Fix Resolution: 2.3.3
High performance middleware framework
path: /dendrite-server-base/vendor/src/github.com/apache/thrift/node_modules/connect/package.json
Library home page: http://registry.npmjs.org/connect/-/connect-2.7.11.tgz
Dependency Hierarchy:
connect node module before 2.14.0 suffers from a Cross-Site Scripting (XSS) vulnerability due to a lack of validation of file in directory.js middleware.
Publish Date: 2018-06-07
URL: CVE-2018-3717
Base Score Metrics:
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2018-3717
Release Date: 2018-06-07
Fix Resolution: 2.14.0
simple to use, blazing fast and thoroughly tested websocket client, server and console for node.js, up-to-date against RFC-6455
path: /dendrite-server-base/vendor/src/github.com/apache/thrift/node_modules/ws/package.json
Library home page: http://registry.npmjs.org/ws/-/ws-0.4.32.tgz
Dependency Hierarchy:
Affected versions of ws (0.2.6 through 3.3.0) are vulnerable to a server crash: a specially crafted value of the Sec-WebSocket-Extensions header that used Object.prototype property names as extension or parameter names could be used to make a ws server crash.
Publish Date: 2017-11-08
URL: WS-2017-0421
Type: Upgrade version
Origin: https://www.npmjs.com/advisories/550/versions
Release Date: 2019-01-24
Fix Resolution: 3.3.1
simple to use, blazing fast and thoroughly tested websocket client, server and console for node.js, up-to-date against RFC-6455
path: /dendrite-server-base/vendor/src/github.com/apache/thrift/node_modules/ws/package.json
Library home page: http://registry.npmjs.org/ws/-/ws-0.4.32.tgz
Dependency Hierarchy:
A vulnerability was found in the ping functionality of the ws module before 1.0.0 which allowed clients to allocate memory by sending a ping frame. The ping functionality by default responds with a pong frame carrying the payload previously given in the ping frame. This is exactly what you would expect, but internally ws always transforms all data it needs to send into a Buffer instance, and that is where the vulnerability existed: ws did not check the type of the data it was sending, and when a Buffer in node is allocated with a number instead of a string, it allocates that number of bytes.
Publish Date: 2018-05-31
URL: CVE-2016-10518
Base Score Metrics:
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2016-10518
Release Date: 2018-05-31
Fix Resolution: 1.0.0
Guava is a suite of core and expanded libraries that include utility classes, google's collections, io classes, and much much more.
Guava has two code dependencies - javax.annotation per the JSR-305 spec and javax.inject per the JSR-330 spec.
path: 2/repository/com/google/guava/guava/14.0.1/guava-14.0.1.jar
Library home page: http://code.google.com/p/guava-libraries/guava
Dependency Hierarchy:
Unbounded memory allocation in Google Guava 11.0 through 24.x before 24.1.1 allows remote attackers to conduct denial of service attacks against servers that depend on this library and deserialize attacker-provided data, because the AtomicDoubleArray class (when serialized with Java serialization) and the CompoundOrdering class (when serialized with GWT serialization) perform eager allocation without appropriate checks on what a client has sent and whether the data size is reasonable.
Publish Date: 2018-04-26
URL: CVE-2018-10237
Base Score Metrics:
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2018-10237
Release Date: 2018-04-26
Fix Resolution: 24.1.1
A collection of various utility classes to ease working with strings, files, command lines, XML and more.
path: 2/repository/org/codehaus/plexus/plexus-utils/3.0.14/plexus-utils-3.0.14.jar
Dependency Hierarchy:
Plexus-utils before 3.0.16 is vulnerable to command injection because it does not correctly process the contents of double quoted strings.
Publish Date: 2018-01-03
URL: CVE-2017-1000487
Base Score Metrics:
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2017-1000487
Release Date: 2018-01-03
Fix Resolution: 3.0.16
Handlebars provides the power necessary to let you build semantic templates effectively with no frustration
path: /tmp/git/dendrite-server-base/vendor/src/github.com/apache/thrift/node_modules/browserify-istanbul/node_modules/handlebars/package.json
Library home page: http://registry.npmjs.org/handlebars/-/handlebars-1.3.0.tgz
Dependency Hierarchy:
Quoteless Attributes in Templates can lead to Content Injection
Publish Date: 2015-12-14
URL: WS-2015-0003
Type: Upgrade version
Origin: https://nodesecurity.io/advisories/61
Release Date: 2015-12-14
Fix Resolution: If you are unable to upgrade to version 4.0.0 or greater you can add quotes to your attributes in your handlebar templates.
JavaScript library for DOM operations
path: /dendrite-server-base/vendor/src/github.com/apache/thrift/tutorial/js/tutorial.html
Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.4.2/jquery.min.js
Dependency Hierarchy:
jQuery before 1.9.0 is vulnerable to Cross-site Scripting (XSS) attacks. The jQuery(strInput) function does not differentiate selectors from HTML in a reliable fashion. In vulnerable versions, jQuery determined whether the input was HTML by looking for the '<' character anywhere in the string, giving attackers more flexibility when attempting to construct a malicious payload. In fixed versions, jQuery only deems the input to be HTML if it explicitly starts with the '<' character, limiting exploitability only to attackers who can control the beginning of a string, which is far less common.
Publish Date: 2018-01-18
URL: CVE-2012-6708
Base Score Metrics:
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2012-6708
Release Date: 2018-01-18
Fix Resolution: 1.9.0
quote and parse shell commands
path: /tmp/git/dendrite-server-base/vendor/src/github.com/apache/thrift/node_modules/shell-quote/package.json
Library home page: http://registry.npmjs.org/shell-quote/-/shell-quote-0.0.1.tgz
Dependency Hierarchy:
The npm module "shell-quote" cannot correctly escape the "greater than" and "lower than" operators used for redirection in shell. This might be a vulnerability for many applications which depend on shell-quote.
Publish Date: 2016-06-21
URL: WS-2016-0039
Type: Upgrade version
Origin: https://nodesecurity.io/advisories/117
Release Date: 2016-06-21
Fix Resolution: Upgrade to at least version 1.6.1
JavaScript parser, mangler/compressor and beautifier toolkit
path: /tmp/git/dendrite-server-base/vendor/src/github.com/apache/thrift/node_modules/ruglify/node_modules/uglify-js/package.json
Library home page: http://registry.npmjs.org/uglify-js/-/uglify-js-2.2.5.tgz
Dependency Hierarchy:
JavaScript parser, mangler/compressor and beautifier toolkit
path: /tmp/git/dendrite-server-base/vendor/src/github.com/apache/thrift/node_modules/umd/node_modules/uglify-js/package.json
Library home page: http://registry.npmjs.org/uglify-js/-/uglify-js-2.4.24.tgz
Dependency Hierarchy:
JavaScript parser, mangler/compressor and beautifier toolkit
path: /tmp/git/dendrite-server-base/vendor/src/github.com/apache/thrift/node_modules/browserify-istanbul/node_modules/uglify-js/package.json
Library home page: http://registry.npmjs.org/uglify-js/-/uglify-js-2.3.6.tgz
Dependency Hierarchy:
The uglify-js package before 2.6.0 for Node.js allows attackers to cause a denial of service (CPU consumption) via crafted input in a parse call, aka a "regular expression denial of service (ReDoS)."
Publish Date: 2017-01-23
URL: CVE-2015-8858
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8858
Release Date: 2018-12-15
Fix Resolution: v2.6.0
querystring parser
path: /tmp/git/dendrite-server-base/vendor/src/github.com/apache/thrift/node_modules/qs/package.json
Library home page: http://registry.npmjs.org/qs/-/qs-0.6.5.tgz
Dependency Hierarchy:
The qs module before 1.0.0 in Node.js does not call the compact function for array data, which allows remote attackers to cause a denial of service (memory consumption) by using a large index value to create a sparse array.
Publish Date: 2014-10-19
URL: CVE-2014-7191
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2014-7191
Release Date: 2014-10-19
Fix Resolution: 1.0.0
Apache Thrift
Library home page: https://github.com/apache/thrift.git
* The source files were matched to this source library based on a best effort match. Source libraries are selected from a list of probable public libraries.
Apache Thrift Java client library versions 0.5.0 through 0.11.0 can bypass SASL negotiation isComplete validation in the org.apache.thrift.transport.TSaslTransport class. An assert used to determine if the SASL handshake had successfully completed could be disabled in production settings making the validation incomplete.
Publish Date: 2019-01-07
URL: CVE-2018-1320
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1320
Release Date: 2019-01-07
Fix Resolution: 0.12.0
writable stream that concatenates strings or binary data and calls a callback with the result
path: /tmp/git/dendrite-server-base/vendor/src/github.com/apache/thrift/node_modules/extract-zip/node_modules/concat-stream/package.json
Library home page: http://registry.npmjs.org/concat-stream/-/concat-stream-1.5.0.tgz
Dependency Hierarchy:
writable stream that concatenates strings or binary data and calls a callback with the result
path: /tmp/git/dendrite-server-base/vendor/src/github.com/apache/thrift/node_modules/concat-stream/package.json
Library home page: https://registry.npmjs.org/concat-stream/-/concat-stream-1.4.11.tgz
Dependency Hierarchy:
Versions of concat-stream before 1.5.2 are vulnerable to memory exposure if user-provided input is passed into write().
Versions <1.3.0 are not affected because they do not use the unguarded Buffer constructor.
Publish Date: 2018-04-25
URL: WS-2018-0075
Type: Upgrade version
Origin: https://nodesecurity.io/advisories/597
Release Date: 2018-01-27
Fix Resolution: 1.5.2
simple to use, blazing fast and thoroughly tested websocket client, server and console for node.js, up-to-date against RFC-6455
path: /dendrite-server-base/vendor/src/github.com/apache/thrift/node_modules/ws/package.json
Library home page: http://registry.npmjs.org/ws/-/ws-0.4.32.tgz
Dependency Hierarchy:
DoS in ws module due to excessively large websocket message.
Publish Date: 2016-06-24
URL: WS-2016-0031
Type: Upgrade version
Origin: https://nodesecurity.io/advisories/120
Release Date: 2016-06-24
Fix Resolution: Update to version 1.1.1 of ws, or if that is not possible, set the `maxpayload` option for the `ws` server - make sure the value is less than 256MB.
querystring parser
path: /tmp/git/dendrite-server-base/vendor/src/github.com/apache/thrift/node_modules/qs/package.json
Library home page: http://registry.npmjs.org/qs/-/qs-0.6.5.tgz
Dependency Hierarchy:
The qs module before 1.0.0 does not have an option or default for specifying object depth and when parsing a string representing a deeply nested object will block the event loop for long periods of time. An attacker could leverage this to cause a temporary denial-of-service condition, for example, in a web application, other requests would not be processed while this blocking is occurring.
Publish Date: 2018-05-31
URL: CVE-2014-10064
Base Score Metrics:
Type: Upgrade version
Origin: https://nodesecurity.io/advisories/28
Release Date: 2014-08-06
Fix Resolution: Update to version 1.0.0 or later
HTTP proxy tunneling agent. Formerly part of mikeal/request, now a standalone module.
path: /tmp/git/dendrite-server-base/vendor/src/github.com/apache/thrift/node_modules/tunnel-agent/package.json
Library home page: https://registry.npmjs.org/tunnel-agent/-/tunnel-agent-0.4.3.tgz
Dependency Hierarchy:
Versions of tunnel-agent before 0.6.0 are vulnerable to memory exposure.
This is exploitable if user supplied input is provided to the auth value and is a number.
Publish Date: 2018-04-25
URL: WS-2018-0076
Type: Upgrade version
Origin: https://nodesecurity.io/advisories/598
Release Date: 2018-01-27
Fix Resolution: 0.6.0
High performance middleware framework
path: /dendrite-server-base/vendor/src/github.com/apache/thrift/node_modules/connect/package.json
Library home page: http://registry.npmjs.org/connect/-/connect-2.7.11.tgz
Dependency Hierarchy:
The "methodOverride" middleware in Connect before 2.8.1 allows the http post to override the method of the request with the value of the "_method" post key or with the header "x-http-method-override". Because the user post input was not checked, req.method could contain any kind of value. Because the req.method did not match any common method VERB, connect answered with a 404 page containing the "Cannot [method] [url]" content. The method was not properly encoded for output in the browser.
Publish Date: 2014-04-21
URL: CVE-2013-7371
Type: Upgrade version
Origin: https://nodesecurity.io/advisories/3
Release Date: 2013-07-01
Fix Resolution: Update to the newest version of Connect or disable methodOverride. It is not possible to avoid the vulnerability if you have enabled this middleware in the top of your stack.
JavaScript library for DOM operations
path: /dendrite-server-base/vendor/src/github.com/apache/thrift/tutorial/js/tutorial.html
Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.4.2/jquery.min.js
Dependency Hierarchy:
Cross-site scripting (XSS) vulnerability in jQuery before 1.6.3, when using location.hash to select elements, allows remote attackers to inject arbitrary web script or HTML via a crafted tag.
Publish Date: 2013-03-08
URL: CVE-2011-4969
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2011-4969
Release Date: 2013-03-08
Fix Resolution: 1.6.3
General purpose node utilities
path: /tmp/git/dendrite-server-base/vendor/src/github.com/apache/thrift/node_modules/hoek/package.json
Library home page: http://registry.npmjs.org/hoek/-/hoek-2.16.3.tgz
Dependency Hierarchy:
hoek node module before 4.2.0 and 5.0.x before 5.0.3 suffers from a Modification of Assumed-Immutable Data (MAID) vulnerability via the 'merge' and 'applyToDefaults' functions, which allows a malicious user to modify the prototype of "Object" via `__proto__`, causing the addition or modification of an existing property that will exist on all objects.
Publish Date: 2018-03-30
URL: CVE-2018-3728
Base Score Metrics:
Type: Change files
Origin: hapijs/hoek@623667e
Release Date: 2018-02-15
Fix Resolution: Replace or update the following files: index.js, index.js
High performance middleware framework
path: /dendrite-server-base/vendor/src/github.com/apache/thrift/node_modules/connect/package.json
Library home page: http://registry.npmjs.org/connect/-/connect-2.7.11.tgz
Dependency Hierarchy:
Because the user post input was not checked, req.method could contain any kind of value. Because the req.method did not match any common method VERB, connect answered with a 404 page containing the "Cannot [method] [url]" content. The method was not properly encoded for output in the browser.
Publish Date: 2013-07-01
URL: WS-2013-0003
Type: Upgrade version
Origin: https://nodesecurity.io/advisories/methodOverride_Middleware_Reflected_Cross-Site_Scripting
Release Date: 2013-07-01
Fix Resolution: Update to the newest version of Connect or disable methodOverride. It is not possible to avoid the vulnerability if you have enabled this middleware in the top of your stack.
simple to use, blazing fast and thoroughly tested websocket client, server and console for node.js, up-to-date against RFC-6455
path: /dendrite-server-base/vendor/src/github.com/apache/thrift/node_modules/ws/package.json
Library home page: http://registry.npmjs.org/ws/-/ws-0.4.32.tgz
Dependency Hierarchy:
By sending an overly long websocket payload to a ws server, it is possible to crash the node process.
Publish Date: 2016-06-24
URL: WS-2016-0040
Type: Upgrade version
Origin: https://nodesecurity.io/advisories/120
Release Date: 2016-06-24
Fix Resolution: Update to version 1.1.1 of ws, or if that is not possible, set the `maxpayload` option for the `ws` server - make sure the value is less than 256MB.
Better streaming static file server with Range and conditional-GET support
path: /tmp/git/dendrite-server-base/vendor/src/github.com/apache/thrift/node_modules/send/package.json
Library home page: http://registry.npmjs.org/send/-/send-0.1.1.tgz
Dependency Hierarchy:
visionmedia send before 0.8.4 for Node.js uses a partial comparison for verifying whether a directory is within the document root, which allows remote attackers to access restricted directories, as demonstrated using "public-restricted" under a "public" directory.
Publish Date: 2014-10-08
URL: CVE-2014-6394
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2014-6394
Release Date: 2014-10-08
Fix Resolution: 0.8.4
JavaScript library for DOM operations
path: /dendrite-server-base/vendor/src/github.com/apache/thrift/tutorial/js/tutorial.html
Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.4.2/jquery.min.js
Dependency Hierarchy:
JavaScript library for DOM operations
path: /dendrite-server-base/vendor/src/github.com/apache/thrift/test/index.html
Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/2.1.3/jquery.min.js
Dependency Hierarchy:
In v2.2.4 and previous, a lowercasing logic was used on the attribute names and was removed in v3.0.0.
Because of this, boolean attributes whose names were not all lowercase cause infinite recursion, and will exceed the stack call limit.
Publish Date: 2017-04-15
URL: WS-2017-0195
Type: Change files
Origin: jquery/jquery@d12e13d
Release Date: 2016-05-29
Fix Resolution: Replace or update the following files: attr.js, attributes.js
Simplified HTTP request client.
path: /tmp/git/dendrite-server-base/vendor/src/github.com/apache/thrift/node_modules/request/package.json
Library home page: http://registry.npmjs.org/request/-/request-2.67.0.tgz
Dependency Hierarchy:
Request is an http client. If a request is made using multipart, and the body type is a number, then the specified number of non-zero memory is passed in the body. This affects Request >=2.2.6 <2.47.0 || >2.51.0 <=2.67.0.
Publish Date: 2018-06-04
URL: CVE-2017-16026
Base Score Metrics:
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2017-16026
Release Date: 2018-06-04
Fix Resolution: 2.47.1,2.67.1
querystring parser
path: /tmp/git/dendrite-server-base/vendor/src/github.com/apache/thrift/node_modules/qs/package.json
Library home page: http://registry.npmjs.org/qs/-/qs-0.6.5.tgz
Dependency Hierarchy:
Denial-of-Service Extended Event Loop Blocking. The qs module does not have an option or default for specifying object depth and, when parsing a string representing a deeply nested object, will block the event loop for long periods of time.
Publish Date: 2014-08-06
URL: WS-2014-0005
Type: Upgrade version
Origin: https://nodesecurity.io/advisories/qs_dos_extended_event_loop_blocking
Release Date: 2014-08-06
Fix Resolution: Update qs to version 1.0.0 or greater
Better streaming static file server with Range and conditional-GET support
path: /tmp/git/dendrite-server-base/vendor/src/github.com/apache/thrift/node_modules/send/package.json
Library home page: http://registry.npmjs.org/send/-/send-0.1.1.tgz
Dependency Hierarchy:
The send package before 0.11.1 for Node.js allows attackers to obtain the root path via unspecified vectors.
Publish Date: 2017-01-23
URL: CVE-2015-8859
Base Score Metrics:
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2015-8859
Release Date: 2017-01-23
Fix Resolution: 0.11.1
HTTP response freshness testing
path: /tmp/git/dendrite-server-base/vendor/src/github.com/apache/thrift/node_modules/fresh/package.json
Library home page: http://registry.npmjs.org/fresh/-/fresh-0.1.0.tgz
Dependency Hierarchy:
Fresh is a module used by the Express.js framework for HTTP response freshness testing. It is vulnerable to a regular expression denial of service when it is passed specially crafted input to parse. This causes the event loop to be blocked causing a denial of service condition.
Publish Date: 2018-06-07
URL: CVE-2017-16119
Base Score Metrics:
RFC6265 Cookies and Cookie Jar for node.js
path: /tmp/git/dendrite-server-base/vendor/src/github.com/apache/thrift/node_modules/tough-cookie/package.json
Library home page: http://registry.npmjs.org/tough-cookie/-/tough-cookie-2.2.2.tgz
Dependency Hierarchy:
NodeJS Tough-Cookie version 2.2.2 contains a Regular Expression Parsing vulnerability in HTTP request Cookie Header parsing that can result in Denial of Service. This attack appears to be exploitable via a custom HTTP header passed by the client. This vulnerability appears to have been fixed in 2.3.0.
Publish Date: 2018-09-05
URL: CVE-2016-1000232
Base Score Metrics:
Type: Change files
Origin: salesforce/tough-cookie@6156272
Release Date: 2016-07-21
Fix Resolution: Replace or update the following files: parsing_test.js, cookie.js
High performance middleware framework
path: /dendrite-server-base/vendor/src/github.com/apache/thrift/node_modules/connect/package.json
Library home page: http://registry.npmjs.org/connect/-/connect-2.7.11.tgz
Dependency Hierarchy:
The "methodOverride" middleware allows an HTTP POST to override the request method with the value of the "_method" POST key or of the "x-http-method-override" header.
Publish Date: 2013-07-01
URL: WS-2013-0004
Type: Upgrade version
Origin: https://nodesecurity.io/advisories/methodOverride_Middleware_Reflected_Cross-Site_Scripting
Release Date: 2013-07-01
Fix Resolution: Update to the newest version of Connect or disable methodOverride. The vulnerability cannot be avoided if this middleware is enabled at the top of your stack.
Sign and unsign cookies
path: /tmp/git/dendrite-server-base/vendor/src/github.com/apache/thrift/node_modules/cookie-signature/package.json
Library home page: http://registry.npmjs.org/cookie-signature/-/cookie-signature-1.0.1.tgz
Dependency Hierarchy:
Cookie-signature before 1.0.4 allows attackers to guess the secret token one character at a time via a timing attack.
Publish Date: 2016-08-29
URL: WS-2016-0056
Type: Upgrade version
Origin: tj/node-cookie-signature@3979108
Release Date: 2017-01-31
Fix Resolution: 1.0.4
simple to use, blazing fast and thoroughly tested websocket client, server and console for node.js, up-to-date against RFC-6455
path: /dendrite-server-base/vendor/src/github.com/apache/thrift/node_modules/ws/package.json
Library home page: http://registry.npmjs.org/ws/-/ws-0.4.32.tgz
Dependency Hierarchy:
Depending on the JavaScript engine, Math.random can be anywhere between extremely insecure and cryptographically pseudo-random.
Versions that use Math.random can produce predictable values and so must not be used.
Publish Date: 2016-09-20
URL: WS-2017-0107
Type: Change files
Origin: websockets/ws@7253f06
Release Date: 2016-11-25
Fix Resolution: Replace or update the following file: Sender.js
JavaScript parser, mangler/compressor and beautifier toolkit
path: /tmp/git/dendrite-server-base/vendor/src/github.com/apache/thrift/node_modules/ruglify/node_modules/uglify-js/package.json
Library home page: http://registry.npmjs.org/uglify-js/-/uglify-js-2.2.5.tgz
Dependency Hierarchy:
JavaScript parser, mangler/compressor and beautifier toolkit
path: /tmp/git/dendrite-server-base/vendor/src/github.com/apache/thrift/node_modules/browserify-istanbul/node_modules/uglify-js/package.json
Library home page: http://registry.npmjs.org/uglify-js/-/uglify-js-2.3.6.tgz
Dependency Hierarchy:
The uglify-js package before 2.4.24 for Node.js does not properly account for non-boolean values when rewriting boolean expressions, which might allow attackers to bypass security mechanisms or possibly have unspecified other impact by leveraging improperly rewritten JavaScript.
Publish Date: 2017-01-23
URL: CVE-2015-8857
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8858
Release Date: 2018-12-15
Fix Resolution: v2.4.24
A comprehensive library for mime-type mapping
path: /tmp/git/dendrite-server-base/vendor/src/github.com/apache/thrift/node_modules/mime/package.json
Library home page: http://registry.npmjs.org/mime/-/mime-1.2.11.tgz
Dependency Hierarchy:
The mime module < 1.4.1, 2.0.1, 2.0.2 is vulnerable to regular expression denial of service when a mime lookup is performed on untrusted user input.
Publish Date: 2018-06-07
URL: CVE-2017-16138
Base Score Metrics: