ilkeraltin / jsx-live-compiler Goto Github PK

Vulnerable Library - lodash-3.10.1.tgz

The modern build of lodash modular utilities.

Library home page: https://registry.npmjs.org/lodash/-/lodash-3.10.1.tgz

Path to dependency file: /jsx-live-compiler/package.json

Path to vulnerable library: /tmp/git/jsx-live-compiler/node_modules/lodash/package.json

Dependency Hierarchy:

• babel-core-6.4.0.tgz (Root Library)
  • ❌ lodash-3.10.1.tgz (Vulnerable Library)

Found in HEAD commit: cabb23295d15128164c2a679f5d82bb08df083ea

Vulnerability Details

Versions of lodash lower than 4.17.12 are vulnerable to Prototype Pollution. The function defaultsDeep could be tricked into adding or modifying properties of Object.prototype using a constructor payload.

Publish Date: 2019-07-26

URL: CVE-2019-10744

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: lodash/lodash@a01e4fa

Release Date: 2019-07-08

Fix Resolution: 4.17.12

Vulnerable Library - lodash-3.10.1.tgz

The modern build of lodash modular utilities.

Library home page: https://registry.npmjs.org/lodash/-/lodash-3.10.1.tgz

Path to dependency file: /jsx-live-compiler/package.json

Path to vulnerable library: /tmp/git/jsx-live-compiler/node_modules/lodash/package.json

Dependency Hierarchy:

• babel-core-6.4.0.tgz (Root Library)
  • ❌ lodash-3.10.1.tgz (Vulnerable Library)

Found in HEAD commit: cabb23295d15128164c2a679f5d82bb08df083ea

Vulnerability Details

lodash prior to 4.17.11 is affected by: CWE-400: Uncontrolled Resource Consumption. The impact is: Denial of service. The component is: Date handler. The attack vector is: Attacker provides very long strings, which the library attempts to match using a regular expression. The fixed version is: 4.17.11.

Publish Date: 2019-07-17

URL: CVE-2019-1010266

CVSS 3 Score Details (6.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1010266

Release Date: 2019-07-17

Fix Resolution: 4.17.11

Vulnerable Library - lodash-3.10.1.tgz

The modern build of lodash modular utilities.

Library home page: https://registry.npmjs.org/lodash/-/lodash-3.10.1.tgz

Path to dependency file: /jsx-live-compiler/package.json

Path to vulnerable library: /tmp/git/jsx-live-compiler/node_modules/lodash/package.json

Dependency Hierarchy:

• babel-core-6.4.0.tgz (Root Library)
  • ❌ lodash-3.10.1.tgz (Vulnerable Library)

Found in HEAD commit: e46c9e999fee67f1f53f8c486f809dec41482377

Vulnerability Details

A prototype pollution vulnerability was found in lodash <4.17.11 where the functions merge, mergeWith, and defaultsDeep can be tricked into adding or modifying properties of Object.prototype.

Publish Date: 2019-02-01

URL: CVE-2018-16487

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-16487

Release Date: 2019-02-01

Fix Resolution: 4.17.11

Vulnerable Library - debug-2.2.0.tgz

small debugging utility

Library home page: https://registry.npmjs.org/debug/-/debug-2.2.0.tgz

Path to dependency file: /jsx-live-compiler/package.json

Path to vulnerable library: /tmp/git/jsx-live-compiler/node_modules/debug/package.json

Dependency Hierarchy:

• babel-core-6.4.0.tgz (Root Library)
  • ❌ debug-2.2.0.tgz (Vulnerable Library)

Found in HEAD commit: e46c9e999fee67f1f53f8c486f809dec41482377

Vulnerability Details

The debug module is vulnerable to regular expression denial of service when untrusted user input is passed into the o formatter. It takes around 50k characters to block for 2 seconds making this a low severity issue.

Publish Date: 2018-06-07

URL: CVE-2017-16137

CVSS 3 Score Details (5.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: Low

Suggested Fix

Type: Change files

Origin: debug-js/debug@42a6ae0

Release Date: 2017-09-21

Fix Resolution: Replace or update the following file: node.js

Vulnerable Library - brace-expansion-1.1.2.tgz

Brace expansion as known from sh/bash

Library home page: https://registry.npmjs.org/brace-expansion/-/brace-expansion-1.1.2.tgz

Path to dependency file: /jsx-live-compiler/package.json

Path to vulnerable library: /tmp/git/jsx-live-compiler/node_modules/brace-expansion/package.json

Dependency Hierarchy:

• babel-core-6.4.0.tgz (Root Library)
  • minimatch-2.0.10.tgz
    • ❌ brace-expansion-1.1.2.tgz (Vulnerable Library)

Found in HEAD commit: e46c9e999fee67f1f53f8c486f809dec41482377

Vulnerability Details

index.js in brace-expansion before 1.1.7 is vulnerable to Regular Expression Denial of Service (ReDoS) attacks, as demonstrated by an expand argument containing many comma characters.

Publish Date: 2018-01-27

URL: CVE-2017-18077

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2017-18077

Release Date: 2018-01-27

Fix Resolution: 1.1.7

Vulnerable Library - ms-0.7.1.tgz

Tiny ms conversion utility

Library home page: https://registry.npmjs.org/ms/-/ms-0.7.1.tgz

Path to dependency file: /jsx-live-compiler/package.json

Path to vulnerable library: /tmp/git/jsx-live-compiler/node_modules/ms/package.json

Dependency Hierarchy:

• babel-core-6.4.0.tgz (Root Library)
  • debug-2.2.0.tgz
    • ❌ ms-0.7.1.tgz (Vulnerable Library)

Found in HEAD commit: e46c9e999fee67f1f53f8c486f809dec41482377

Vulnerability Details

Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS).

Publish Date: 2017-05-15

URL: WS-2017-0247

CVSS 2 Score Details (3.4)

Base Score Metrics not available

Suggested Fix

Type: Change files

Origin: vercel/ms@305f2dd

Release Date: 2017-04-12

Fix Resolution: Replace or update the following file: index.js

Vulnerable Library - brace-expansion-1.1.2.tgz

Brace expansion as known from sh/bash

Library home page: https://registry.npmjs.org/brace-expansion/-/brace-expansion-1.1.2.tgz

Path to dependency file: /jsx-live-compiler/package.json

Path to vulnerable library: /tmp/git/jsx-live-compiler/node_modules/brace-expansion/package.json

Dependency Hierarchy:

• babel-core-6.4.0.tgz (Root Library)
  • minimatch-2.0.10.tgz
    • ❌ brace-expansion-1.1.2.tgz (Vulnerable Library)

Found in HEAD commit: e46c9e999fee67f1f53f8c486f809dec41482377

Vulnerability Details

Brace-expansion is a module to support bash-like brace expansion in JavaScript.
For example,{1,2,3,4} would expand to 1 2 3 4. brace expansion versions before 1.1.7 are vulnerable to Regular Expression Denial of Service attacks.

Publish Date: 2017-04-25

URL: WS-2017-0206

CVSS 2 Score Details (6.2)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: https://nodesecurity.io/advisories/338

Release Date: 2017-01-31

Fix Resolution: 1.1.7

Vulnerable Library - lodash-3.10.1.tgz

The modern build of lodash modular utilities.

Library home page: https://registry.npmjs.org/lodash/-/lodash-3.10.1.tgz

Path to dependency file: /jsx-live-compiler/package.json

Path to vulnerable library: /tmp/git/jsx-live-compiler/node_modules/lodash/package.json

Dependency Hierarchy:

• babel-core-6.4.0.tgz (Root Library)
  • ❌ lodash-3.10.1.tgz (Vulnerable Library)

Found in HEAD commit: e46c9e999fee67f1f53f8c486f809dec41482377

Vulnerability Details

lodash node module before 4.17.5 suffers from a Modification of Assumed-Immutable Data (MAID) vulnerability via defaultsDeep, merge, and mergeWith functions, which allows a malicious user to modify the prototype of "Object" via proto, causing the addition or modification of an existing property that will exist on all objects.

Publish Date: 2018-06-07

URL: CVE-2018-3721

CVSS 3 Score Details (6.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: High
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2018-3721

Release Date: 2018-06-07

Fix Resolution: 4.17.5

Vulnerable Library - minimatch-2.0.10.tgz

a glob matcher in javascript

Library home page: https://registry.npmjs.org/minimatch/-/minimatch-2.0.10.tgz

Path to dependency file: /jsx-live-compiler/package.json

Path to vulnerable library: /tmp/git/jsx-live-compiler/node_modules/minimatch/package.json

Dependency Hierarchy:

• babel-core-6.4.0.tgz (Root Library)
  • ❌ minimatch-2.0.10.tgz (Vulnerable Library)

Found in HEAD commit: e46c9e999fee67f1f53f8c486f809dec41482377

Vulnerability Details

Minimatch is a minimal matching utility that works by converting glob expressions into JavaScript RegExp objects. The primary function, minimatch(path, pattern) in Minimatch 3.0.1 and earlier is vulnerable to ReDoS in the pattern parameter.

Publish Date: 2018-05-31

URL: CVE-2016-10540

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://nodesecurity.io/advisories/118

Release Date: 2016-06-20

Fix Resolution: Update to version 3.0.2 or later.