ilkeraltin / react-redux-weather-app Goto Github PK

Vulnerable Library - braces-1.8.5.tgz

Fastest brace expansion for node.js, with the most complete support for the Bash 4.3 braces specification.

Library home page: https://registry.npmjs.org/braces/-/braces-1.8.5.tgz

Path to dependency file: /react-redux-weather-app/package.json

Path to vulnerable library: /tmp/git/react-redux-weather-app/node_modules/braces/package.json

Dependency Hierarchy:

• webpack-dev-server-1.16.5.tgz (Root Library)
  • http-proxy-middleware-0.17.4.tgz
    • micromatch-2.3.11.tgz
      • ❌ braces-1.8.5.tgz (Vulnerable Library)

Vulnerability Details

Version of braces prior to 2.3.1 are vulnerable to Regular Expression Denial of Service (ReDoS). Untrusted input may cause catastrophic backtracking while matching regular expressions. This can cause the application to be unresponsive leading to Denial of Service.

Publish Date: 2019-03-25

URL: WS-2019-0019

CVSS 2 Score Details (5.0)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/786

Release Date: 2019-02-21

Fix Resolution: 2.3.1

Vulnerable Library - axios-0.9.1.tgz

Promise based HTTP client for the browser and node.js

Library home page: http://registry.npmjs.org/axios/-/axios-0.9.1.tgz

Path to dependency file: /react-redux-weather-app/package.json

Path to vulnerable library: /react-redux-weather-app/node_modules/axios/package.json

Dependency Hierarchy:

• ❌ axios-0.9.1.tgz (Vulnerable Library)

Vulnerability Details

Axios up to and including 0.18.0 allows attackers to cause a denial of service (application crash) by continuing to accepting content after maxContentLength is exceeded.

Publish Date: 2019-05-07

URL: CVE-2019-10742

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Vulnerable Library - lodash-3.10.1.tgz

The modern build of lodash modular utilities.

Library home page: https://registry.npmjs.org/lodash/-/lodash-3.10.1.tgz

Path to dependency file: /react-redux-weather-app/package.json

Path to vulnerable library: /react-redux-weather-app/node_modules/lodash/package.json

Dependency Hierarchy:

• ❌ lodash-3.10.1.tgz (Vulnerable Library)

Vulnerability Details

lodash node module before 4.17.5 suffers from a Modification of Assumed-Immutable Data (MAID) vulnerability via defaultsDeep, merge, and mergeWith functions, which allows a malicious user to modify the prototype of "Object" via proto, causing the addition or modification of an existing property that will exist on all objects.

Publish Date: 2018-06-07

URL: CVE-2018-3721

CVSS 3 Score Details (6.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: High
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2018-3721

Release Date: 2018-06-07

Fix Resolution: 4.17.5

Vulnerable Library - lodash-3.10.1.tgz

The modern build of lodash modular utilities.

Library home page: https://registry.npmjs.org/lodash/-/lodash-3.10.1.tgz

Path to dependency file: /react-redux-weather-app/package.json

Path to vulnerable library: /react-redux-weather-app/node_modules/lodash/package.json

Dependency Hierarchy:

• ❌ lodash-3.10.1.tgz (Vulnerable Library)

Vulnerability Details

A prototype pollution vulnerability was found in lodash <4.17.11 where the functions merge, mergeWith, and defaultsDeep can be tricked into adding or modifying properties of Object.prototype.

Publish Date: 2019-02-01

URL: CVE-2018-16487

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-16487

Release Date: 2019-02-01

Fix Resolution: 4.17.11

Vulnerable Library - open-0.0.5.tgz

open a file or url in the user's preferred application

Library home page: https://registry.npmjs.org/open/-/open-0.0.5.tgz

Path to dependency file: /react-redux-weather-app/package.json

Path to vulnerable library: /tmp/git/react-redux-weather-app/node_modules/open/package.json

Dependency Hierarchy:

• webpack-dev-server-1.16.5.tgz (Root Library)
  • ❌ open-0.0.5.tgz (Vulnerable Library)

Vulnerability Details

All versions of open are vulnerable to command injection when unsanitized user input is passed in.

Publish Date: 2018-05-16

URL: WS-2018-0107

CVSS 2 Score Details (10.0)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: https://nodesecurity.io/advisories/663

Release Date: 2018-05-16

Fix Resolution: No fix is currently available for this vulnerability. It is our recommendation to not install or use this module until a fix is available.