
levyforchh / stat-engine


This project forked from statengine/stat-engine


A Real-Time Open Source Data Analytics and Visualization Platform for Public Safety

Home Page: https://statengine.io

License: GNU General Public License v3.0

Dockerfile 0.07% Shell 0.13% HTML 36.71% JavaScript 38.13% CSS 24.58% SQLPL 0.38%

stat-engine's Introduction

StatEngine

StatEngine is a fire service analytical system, the most comprehensive way to get accurate and real-time information to help fire service leaders assure adequate fire resources, optimize fire operations, reduce firefighter injury and death, minimize civilian injury and death, and minimize property loss. More information about funding and background is available here.

Getting Started

Prerequisites

Ensure the following packages are installed:

  1. Run npm install --global gulp

  2. Run npm install --global elasticdump

  3. Run brew install pkg-config cairo pango libpng jpeg giflib

  4. (Linux) Run apt-get install -y libcairo2-dev libjpeg-dev libpango1.0-dev libgif-dev build-essential g++

PostgreSQL Setup

  1. Create user in PostgreSQL (username: statengine, password: statengine)

  2. Create statengine database in PostgreSQL

Elasticsearch Setup

  1. Navigate to your Elasticsearch install directory (e.g. cd elasticsearch-6.4.1)

  2. Download the ReadonlyREST plugin here: https://github.com/sscarduzio/elasticsearch-readonlyrest-plugin/archive/v1.16.33_es6.4.1.zip

  3. Install the readonlyrest plugin:

     bin/elasticsearch-plugin install file:///<location of download>

  4. Configure the readonlyrest plugin: copy the following into a new file called config/readonlyrest.yml

     readonlyrest:
       enable: true
       prompt_for_basic_auth: false

       access_control_rules:

       - name: "::USR-KIBANA-RO-STRICT::"
         kibana_access: ro_strict
         kibana_index: ".kibana_@{user}"
         indices: [".kibana", ".kibana-devnull", ".kibana_@{user}", "@{x-se-fire-department-all}"]
         kibana_hide_apps: ["readonlyrest_kbn", "kibana:dev_tools"]
         jwt_auth:
           name: "jwt1"
           roles: ["kibana_ro_strict"]

       - name: "::USR-KIBANA::"
         kibana_access: admin
         kibana_index: ".kibana_@{user}"
         indices: [".kibana", ".kibana-devnull", ".kibana_@{user}", "@{x-se-fire-department-all}"]
         kibana_hide_apps: ["readonlyrest_kbn", "kibana:dev_tools"]
         jwt_auth:
           name: "jwt1"
           roles: ["kibana_admin"]

       - name: "::KIBANA::"
         auth_key: kibana:kibana
         verbosity: info

       jwt:
         - name: jwt1
           signature_algo: 'HMAC'
           signature_key: 'woEayHiICafruph^gZJb3EG5Fnl1qou6XUT8xR^7OMwaCYxz^&@rr#Hi5*s*918tQS&iDJO&67xy0hP!F@pThb3#Aymx%XPV3x^'
           user_claim: 'firecares_id'
           roles_claim: 'roles'

  5. Run ./bin/elasticsearch

Running Kibana

  1. Run the preconfigured Kibana instance:

     docker run -p 5601:5601 prominentedgestatengine/kibana:HEAD-c7f45bd-development

Loading Elasticsearch Test Data

Nightly Dump

A nightly dump of elasticdump data is available in S3. Please contact a team member for access.

Loading data

  1. Make sure Elasticsearch is running

  2. Run multielasticdump --input="./es-test-data" --output="http://kibana:kibana@localhost:9200" --direction="load"

Developing

  1. Run git clone https://github.com/StatEngine/stat-engine.git

  2. Obtain env.json secrets file from development team and copy to the root of stat-engine directory

  3. Run npm install

  4. Run gulp serve to start the development server. It should automatically open the client in your browser when ready.

  5. Login with username: richmond, password: password.

Testing

Stat-Engine uses BrowserStack for compatibility testing.

stat-engine's People

Contributors

bingles, chopchop505, garnertb, larskendall, sbaxter, smesdaghi, ssontag55


stat-engine's Issues

CVE-2017-16137 (Medium) detected in debug-2.2.0.tgz

CVE-2017-16137 - Medium Severity Vulnerability

Vulnerable Library - debug-2.2.0.tgz

small debugging utility

Library home page: https://registry.npmjs.org/debug/-/debug-2.2.0.tgz

Dependency Hierarchy:

  • amplitude-js-4.5.2.tgz (Root Library)
    • top-domain-3.0.0.tgz
      • component-cookie-1.1.4.tgz
        • debug-2.2.0.tgz (Vulnerable Library)

Vulnerability Details

The debug module is vulnerable to regular expression denial of service when untrusted user input is passed into the %o formatter. It takes around 50k characters to block for 2 seconds, making this a low severity issue.

Publish Date: 2018-06-07

URL: CVE-2017-16137

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-16137

Release Date: 2018-06-07

Fix Resolution: 2.6.9

WS-2019-0289 (Medium) detected in helmet-csp-2.7.1.tgz

WS-2019-0289 - Medium Severity Vulnerability

Vulnerable Library - helmet-csp-2.7.1.tgz

Content Security Policy middleware.

Library home page: https://registry.npmjs.org/helmet-csp/-/helmet-csp-2.7.1.tgz

Dependency Hierarchy:

  • helmet-3.15.0.tgz (Root Library)
    • helmet-csp-2.7.1.tgz (Vulnerable Library)

Vulnerability Details

Helmet-csp before 2.9.1 is vulnerable to a Configuration Override affecting the application's Content Security Policy (CSP). The package's browser sniffing for Firefox deletes the default-src CSP policy, which is the fallback policy. This allows an attacker to remove an application's default CSP, possibly rendering the application vulnerable to Cross-Site Scripting.

Publish Date: 2019-11-18

URL: WS-2019-0289

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/1176

Release Date: 2019-10-06

Fix Resolution: 2.9.1

CVE-2020-11023 (Medium) detected in jquery-3.3.1.tgz

CVE-2020-11023 - Medium Severity Vulnerability

Vulnerable Library - jquery-3.3.1.tgz

JavaScript library for DOM operations

Library home page: https://registry.npmjs.org/jquery/-/jquery-3.3.1.tgz

Dependency Hierarchy:

  • parsleyjs-2.8.1.tgz (Root Library)
    • jquery-3.3.1.tgz (Vulnerable Library)

Vulnerability Details

In jQuery versions greater than or equal to 1.0.3 and before 3.5.0, passing HTML containing elements from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.

Publish Date: 2020-04-29

URL: CVE-2020-11023

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11023

Release Date: 2020-04-29

Fix Resolution: jquery - 3.5.0

CVE-2020-11022 (Medium) detected in jquery-3.3.1.tgz

CVE-2020-11022 - Medium Severity Vulnerability

Vulnerable Library - jquery-3.3.1.tgz

JavaScript library for DOM operations

Library home page: https://registry.npmjs.org/jquery/-/jquery-3.3.1.tgz

Dependency Hierarchy:

  • parsleyjs-2.8.1.tgz (Root Library)
    • jquery-3.3.1.tgz (Vulnerable Library)

Vulnerability Details

In jQuery versions greater than or equal to 1.2 and before 3.5.0, passing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.

Publish Date: 2020-04-29

URL: CVE-2020-11022

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/

Release Date: 2020-04-29

Fix Resolution: jQuery - 3.5.0

CVE-2019-20149 (High) detected in kind-of-6.0.2.tgz

CVE-2019-20149 - High Severity Vulnerability

Vulnerable Library - kind-of-6.0.2.tgz

Get the native type of a value.

Library home page: https://registry.npmjs.org/kind-of/-/kind-of-6.0.2.tgz

Dependency Hierarchy:

  • http-proxy-middleware-0.17.4.tgz (Root Library)
    • micromatch-2.3.11.tgz
      • braces-1.8.5.tgz
        • expand-range-1.8.2.tgz
          • fill-range-2.2.4.tgz
            • randomatic-3.1.1.tgz
              • kind-of-6.0.2.tgz (Vulnerable Library)

Vulnerability Details

ctorName in index.js in kind-of v6.0.2 allows external user input to overwrite certain internal attributes via a conflicting name, as demonstrated by 'constructor': {'name':'Symbol'}. Hence, a crafted payload can overwrite this builtin attribute to manipulate the type detection result.

Publish Date: 2019-12-30

URL: CVE-2019-20149

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: High
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-20149

Release Date: 2019-12-30

Fix Resolution: 6.0.3

WS-2019-0158 (Medium) detected in static-eval-2.0.0.tgz, static-eval-0.2.3.tgz

WS-2019-0158 - Medium Severity Vulnerability

Vulnerable Libraries - static-eval-2.0.0.tgz, static-eval-0.2.3.tgz

static-eval-2.0.0.tgz

evaluate statically-analyzable expressions

Library home page: https://registry.npmjs.org/static-eval/-/static-eval-2.0.0.tgz

Dependency Hierarchy:

  • mapbox-gl-0.45.0.tgz (Root Library)
    • brfs-1.6.1.tgz
      • static-module-2.2.5.tgz
        • static-eval-2.0.0.tgz (Vulnerable Library)

static-eval-0.2.3.tgz

evaluate statically-analyzable expressions

Library home page: https://registry.npmjs.org/static-eval/-/static-eval-0.2.3.tgz

Dependency Hierarchy:

  • plotly.js-1.43.2.tgz (Root Library)
    • ndarray-fill-1.0.2.tgz
      • cwise-1.0.10.tgz
        • static-module-1.5.0.tgz
          • static-eval-0.2.3.tgz (Vulnerable Library)

Found in HEAD commit: 8a6196e6ea2e379801a93ecb474740420c5aafce

Vulnerability Details

static-eval before 2.0.2 passes untrusted user input directly to the global Function constructor, which leads to Arbitrary Code Execution.

Publish Date: 2019-02-18

URL: WS-2019-0158

CVSS 2 Score Details (5.0)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/758

Release Date: 2019-07-15

Fix Resolution: 2.0.2

WS-2020-0091 (High) detected in http-proxy-1.17.0.tgz

WS-2020-0091 - High Severity Vulnerability

Vulnerable Library - http-proxy-1.17.0.tgz

HTTP proxying for the masses

Library home page: https://registry.npmjs.org/http-proxy/-/http-proxy-1.17.0.tgz

Dependency Hierarchy:

  • http-proxy-middleware-0.17.4.tgz (Root Library)
    • http-proxy-1.17.0.tgz (Vulnerable Library)

Vulnerability Details

Versions of http-proxy prior to 1.18.1 are vulnerable to Denial of Service. An HTTP request with a long body triggers an ERR_HTTP_HEADERS_SENT unhandled exception that crashes the proxy server. This is only possible when the proxy server sets headers in the proxy request using the proxyReq.setHeader function.

Publish Date: 2020-05-14

URL: WS-2020-0091

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/1486

Release Date: 2020-05-26

Fix Resolution: http-proxy - 1.18.1

WS-2019-0367 (Medium) detected in angular-1.7.5.tgz, angular-1.6.10.tgz

WS-2019-0367 - Medium Severity Vulnerability

Vulnerable Libraries - angular-1.7.5.tgz, angular-1.6.10.tgz

angular-1.7.5.tgz

HTML enhanced for web apps

Library home page: https://registry.npmjs.org/angular/-/angular-1.7.5.tgz

Dependency Hierarchy:

  • angular-ui-grid-4.6.6.tgz (Root Library)
    • angular-1.7.5.tgz (Vulnerable Library)

angular-1.6.10.tgz

HTML enhanced for web apps

Library home page: https://registry.npmjs.org/angular/-/angular-1.6.10.tgz

Dependency Hierarchy:

  • angular-1.6.10.tgz (Vulnerable Library)

Vulnerability Details

Prototype Pollution vulnerability found in Angular before 1.7.9.

Publish Date: 2020-01-08

URL: WS-2019-0367

CVSS 2 Score Details (5.0)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: https://github.com/angular/angular.js/blob/master/CHANGELOG.md#179-pollution-eradication-2019-11-19

Release Date: 2020-01-08

Fix Resolution: angular - 1.7.9

WS-2019-0063 (High) detected in js-yaml-3.12.1.tgz

WS-2019-0063 - High Severity Vulnerability

Vulnerable Library - js-yaml-3.12.1.tgz

YAML 1.2 parser and serializer

Library home page: https://registry.npmjs.org/js-yaml/-/js-yaml-3.12.1.tgz

Dependency Hierarchy:

  • mapbox-gl-0.45.0.tgz (Root Library)
    • gray-matter-3.1.1.tgz
      • js-yaml-3.12.1.tgz (Vulnerable Library)

Vulnerability Details

js-yaml prior to 3.13.1 is vulnerable to Code Injection. The load() function may execute arbitrary code injected through a malicious YAML file.

Publish Date: 2019-04-05

URL: WS-2019-0063

CVSS 2 Score Details (8.0)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/813

Release Date: 2019-04-05

Fix Resolution: js-yaml - 3.13.1

CVE-2018-1109 (High) detected in braces-1.8.5.tgz

CVE-2018-1109 - High Severity Vulnerability

Vulnerable Library - braces-1.8.5.tgz

Fastest brace expansion for node.js, with the most complete support for the Bash 4.3 braces specification.

Library home page: https://registry.npmjs.org/braces/-/braces-1.8.5.tgz

Dependency Hierarchy:

  • http-proxy-middleware-0.17.4.tgz (Root Library)
    • micromatch-2.3.11.tgz
      • braces-1.8.5.tgz (Vulnerable Library)

Vulnerability Details

Braces before 1.4.2 and 2.17.2 is vulnerable to ReDoS. It used a regular expression (^{(,+(?:({,+})),|,(?:({,+})),+)}) in order to detect empty braces. This can cause an impact of about 10 seconds matching time for data 50K characters long.

Publish Date: 2020-07-21

URL: CVE-2018-1109

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://bugzilla.redhat.com/show_bug.cgi?id=1547272

Release Date: 2020-07-21

Fix Resolution: 2.3.1

WS-2019-0043 (Medium) detected in dot-1.1.2.tgz

WS-2019-0043 - Medium Severity Vulnerability

Vulnerable Library - dot-1.1.2.tgz

Concise and fast javascript templating compatible with nodejs and other javascript environments

Library home page: https://registry.npmjs.org/dot/-/dot-1.1.2.tgz

Dependency Hierarchy:

  • dot-1.1.2.tgz (Vulnerable Library)

Vulnerability Details

All versions of dot are vulnerable to Command Injection. The template compilation may execute arbitrary commands if an attacker can inject code in the template or if a Prototype Pollution-like vulnerability can be exploited to alter an Object's prototype.

Publish Date: 2019-04-05

URL: WS-2019-0043

CVSS 2 Score Details (5.0)

Base Score Metrics not available


CVE-2019-8331 (Medium) detected in bootstrap-4.2.1.tgz

CVE-2019-8331 - Medium Severity Vulnerability

Vulnerable Library - bootstrap-4.2.1.tgz

The most popular front-end framework for developing responsive, mobile first projects on the web.

Library home page: https://registry.npmjs.org/bootstrap/-/bootstrap-4.2.1.tgz

Dependency Hierarchy:

  • bootstrap-4.2.1.tgz (Vulnerable Library)

Vulnerability Details

In Bootstrap before 3.4.1 and 4.3.x before 4.3.1, XSS is possible in the tooltip or popover data-template attribute.

Publish Date: 2019-02-20

URL: CVE-2019-8331

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: twbs/bootstrap#28236

Release Date: 2019-02-20

Fix Resolution: bootstrap - 3.4.1,4.3.1;bootstrap-sass - 3.4.1,4.3.1

WS-2019-0019 (Medium) detected in braces-1.8.5.tgz

WS-2019-0019 - Medium Severity Vulnerability

Vulnerable Library - braces-1.8.5.tgz

Fastest brace expansion for node.js, with the most complete support for the Bash 4.3 braces specification.

Library home page: https://registry.npmjs.org/braces/-/braces-1.8.5.tgz

Dependency Hierarchy:

  • http-proxy-middleware-0.17.4.tgz (Root Library)
    • micromatch-2.3.11.tgz
      • braces-1.8.5.tgz (Vulnerable Library)

Vulnerability Details

Versions of braces prior to 2.3.1 are vulnerable to Regular Expression Denial of Service (ReDoS). Untrusted input may cause catastrophic backtracking while matching regular expressions. This can cause the application to be unresponsive, leading to Denial of Service.

Publish Date: 2018-02-16

URL: WS-2019-0019

CVSS 2 Score Details (5.0)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/786

Release Date: 2019-02-21

Fix Resolution: 2.3.1

WS-2019-0381 (Medium) detected in kind-of-6.0.2.tgz

WS-2019-0381 - Medium Severity Vulnerability

Vulnerable Library - kind-of-6.0.2.tgz

Get the native type of a value.

Library home page: https://registry.npmjs.org/kind-of/-/kind-of-6.0.2.tgz

Dependency Hierarchy:

  • http-proxy-middleware-0.17.4.tgz (Root Library)
    • micromatch-2.3.11.tgz
      • braces-1.8.5.tgz
        • expand-range-1.8.2.tgz
          • fill-range-2.2.4.tgz
            • randomatic-3.1.1.tgz
              • kind-of-6.0.2.tgz (Vulnerable Library)

Vulnerability Details

Versions of kind-of 6.x prior to 6.0.3 are vulnerable to a Validation Bypass. A maliciously crafted object can alter the result of the type check, allowing attackers to bypass the type checking validation.

Publish Date: 2020-03-18

URL: WS-2019-0381

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: jonschlinkert/kind-of@975c13a

Release Date: 2020-03-18

Fix Resolution: kind-of - 6.0.3

CVE-2019-5428 (Medium) detected in jquery-3.3.1.tgz

CVE-2019-5428 - Medium Severity Vulnerability

Vulnerable Library - jquery-3.3.1.tgz

JavaScript library for DOM operations

Library home page: https://registry.npmjs.org/jquery/-/jquery-3.3.1.tgz

Dependency Hierarchy:

  • parsleyjs-2.8.1.tgz (Root Library)
    • jquery-3.3.1.tgz (Vulnerable Library)

Vulnerability Details

A prototype pollution vulnerability exists in jQuery versions < 3.4.0 that allows an attacker to inject properties on Object.prototype.

Publish Date: 2019-04-22

URL: CVE-2019-5428

CVSS 2 Score Details (5.6)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: https://blog.jquery.com/2019/04/10/jquery-3-4-0-released/

Release Date: 2019-04-22

Fix Resolution: 3.4.0


CVE-2020-7768 (High) detected in grpc-1.18.0.tgz

CVE-2020-7768 - High Severity Vulnerability

Vulnerable Library - grpc-1.18.0.tgz

gRPC Library for Node

Library home page: https://registry.npmjs.org/grpc/-/grpc-1.18.0.tgz

Dependency Hierarchy:

  • grpc-1.18.0.tgz (Vulnerable Library)

Vulnerability Details

The package grpc before 1.24.4; the package @grpc/grpc-js before 1.1.8 are vulnerable to Prototype Pollution via loadPackageDefinition.

Publish Date: 2020-11-11

URL: CVE-2020-7768

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7768

Release Date: 2020-07-21

Fix Resolution: grpc 1.24.4, grpc-js 1.1.8


WS-2018-0590 (High) detected in diff-1.0.8.tgz

WS-2018-0590 - High Severity Vulnerability

Vulnerable Library - diff-1.0.8.tgz

A javascript text diff implementation.

Library home page: https://registry.npmjs.org/diff/-/diff-1.0.8.tgz

Dependency Hierarchy:

  • aws-0.0.3-2.tgz (Root Library)
    • vows-0.8.2.tgz
      • diff-1.0.8.tgz (Vulnerable Library)

Found in HEAD commit: 8a6196e6ea2e379801a93ecb474740420c5aafce

Vulnerability Details

A vulnerability was found in diff before v3.5.0; the affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) attacks.

Publish Date: 2018-03-05

URL: WS-2018-0590

CVSS 2 Score Details (7.0)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: kpdecker/jsdiff@2aec429

Release Date: 2019-06-11

Fix Resolution: 3.5.0

WS-2019-0054 (Medium) detected in sequelize-3.34.0.tgz

WS-2019-0054 - Medium Severity Vulnerability

Vulnerable Library - sequelize-3.34.0.tgz

Multi dialect ORM for Node.JS/io.js

Library home page: https://registry.npmjs.org/sequelize/-/sequelize-3.34.0.tgz

Dependency Hierarchy:

  • express-sequelize-session-0.4.0.tgz (Root Library)
    • sequelize-3.34.0.tgz (Vulnerable Library)

Vulnerability Details

Versions of sequelize prior to 5.3.0 (excluding v3 and v4) are vulnerable to SQL Injection when the PostgreSQL option standard_conforming_strings is not set to on by default.

Publish Date: 2019-04-23

URL: WS-2019-0054

CVSS 2 Score Details (5.0)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/821/versions

Release Date: 2019-04-23

Fix Resolution: 4.12.0


CVE-2019-11358 (Medium) detected in jquery-3.3.1.tgz

CVE-2019-11358 - Medium Severity Vulnerability

Vulnerable Library - jquery-3.3.1.tgz

JavaScript library for DOM operations

Library home page: https://registry.npmjs.org/jquery/-/jquery-3.3.1.tgz

Dependency Hierarchy:

  • parsleyjs-2.8.1.tgz (Root Library)
    • jquery-3.3.1.tgz (Vulnerable Library)

Vulnerability Details

jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. If an unsanitized source object contained an enumerable __proto__ property, it could extend the native Object.prototype.

Publish Date: 2019-04-20

URL: CVE-2019-11358

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11358

Release Date: 2019-04-20

Fix Resolution: 3.4.0

WS-2020-0022 (Medium) detected in sequelize-3.34.0.tgz

WS-2020-0022 - Medium Severity Vulnerability

Vulnerable Library - sequelize-3.34.0.tgz

Multi dialect ORM for Node.JS/io.js

Library home page: https://registry.npmjs.org/sequelize/-/sequelize-3.34.0.tgz

Dependency Hierarchy:

  • express-sequelize-session-0.4.0.tgz (Root Library)
    • sequelize-3.34.0.tgz (Vulnerable Library)

Vulnerability Details

Versions of sequelize prior to 5.x are vulnerable to Denial of Service (DoS). The SQLite dialect fails to catch a TypeError exception for the results variable. The results value may be undefined and trigger the error on a .map call. This may allow attackers to submit malicious input that forces the exception and crashes the Node process.

Publish Date: 2020-02-11

URL: WS-2020-0022

CVSS 3 Score Details (6.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://github.com/sequelize/sequelize

Release Date: 2020-02-11

Fix Resolution: 5.0

CVE-2020-7598 (Medium) detected in multiple libraries

CVE-2020-7598 - Medium Severity Vulnerability

Vulnerable Libraries - minimist-1.2.0.tgz, minimist-0.0.5.tgz, minimist-0.0.8.tgz

minimist-1.2.0.tgz

parse argument options

Library home page: https://registry.npmjs.org/minimist/-/minimist-1.2.0.tgz

Dependency Hierarchy:

  • mapbox-gl-0.45.0.tgz (Root Library)
    • brfs-1.6.1.tgz
      • quote-stream-1.0.2.tgz
        • minimist-1.2.0.tgz (Vulnerable Library)

minimist-0.0.5.tgz

parse argument options

Library home page: https://registry.npmjs.org/minimist/-/minimist-0.0.5.tgz

Dependency Hierarchy:

  • mapbox-gl-0.45.0.tgz (Root Library)
    • geojson-rewind-0.3.1.tgz
      • sharkdown-0.1.0.tgz
        • minimist-0.0.5.tgz (Vulnerable Library)

minimist-0.0.8.tgz

parse argument options

Library home page: https://registry.npmjs.org/minimist/-/minimist-0.0.8.tgz

Dependency Hierarchy:

  • mapbox-gl-0.45.0.tgz (Root Library)
    • minimist-0.0.8.tgz (Vulnerable Library)

Vulnerability Details

minimist before 1.2.2 could be tricked into adding or modifying properties of Object.prototype using a "constructor" or "__proto__" payload.

Publish Date: 2020-03-11

URL: CVE-2020-7598

CVSS 3 Score Details (5.6)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://github.com/substack/minimist/commit/63e7ed05aa4b1889ec2f3b196426db4500cbda94

Release Date: 2020-03-11

Fix Resolution: minimist - 0.2.1,1.2.3

WS-2020-0042 (High) detected in acorn-5.7.3.tgz

WS-2020-0042 - High Severity Vulnerability

Vulnerable Library - acorn-5.7.3.tgz

ECMAScript parser

Library home page: https://registry.npmjs.org/acorn/-/acorn-5.7.3.tgz

Dependency Hierarchy:

  • plotly.js-1.43.2.tgz (Root Library)
    • glslify-6.4.1.tgz
      • falafel-2.1.0.tgz
        • acorn-5.7.3.tgz (Vulnerable Library)

Vulnerability Details

acorn is vulnerable to regex DoS. A regex of the form /[x-\ud800]/u causes the parser to enter an infinite loop. Attackers may leverage the vulnerability to cause a Denial of Service, since the string is not valid UTF-16 and is therefore not sanitized before reaching the parser.

Publish Date: 2020-03-01

URL: WS-2020-0042

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/1488

Release Date: 2020-03-08

Fix Resolution: 7.1.1

CVE-2020-7760 (Medium) detected in codemirror-5.42.2.tgz

CVE-2020-7760 - Medium Severity Vulnerability

Vulnerable Library - codemirror-5.42.2.tgz

Full-featured in-browser code editor

Library home page: https://registry.npmjs.org/codemirror/-/codemirror-5.42.2.tgz

Dependency Hierarchy:

  • codemirror-5.42.2.tgz (Vulnerable Library)

Vulnerability Details

This affects the package codemirror before 5.58.2 and the package org.apache.marmotta.webjars:codemirror before 5.58.2. The vulnerable regular expression is located in https://github.com/codemirror/CodeMirror/blob/cdb228ac736369c685865b122b736cd0d397836c/mode/javascript/javascript.js#L129. The ReDoS vulnerability of the regex is mainly due to the sub-pattern (s|/.?/).

Publish Date: 2020-10-30

URL: CVE-2020-7760

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7760

Release Date: 2020-07-21

Fix Resolution: codemirror - 5.58.2


CVE-2019-10748 (High) detected in sequelize-3.34.0.tgz

CVE-2019-10748 - High Severity Vulnerability

Vulnerable Library - sequelize-3.34.0.tgz

Multi dialect ORM for Node.JS/io.js

Library home page: https://registry.npmjs.org/sequelize/-/sequelize-3.34.0.tgz

Dependency Hierarchy:

  • express-sequelize-session-0.4.0.tgz (Root Library)
    • sequelize-3.34.0.tgz (Vulnerable Library)

Vulnerability Details

Sequelize all versions prior to 3.35.1, 4.44.3, and 5.8.11 are vulnerable to SQL Injection due to JSON path keys not being properly escaped for the MySQL/MariaDB dialects.

Publish Date: 2019-10-29

URL: CVE-2019-10748

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/1017

Release Date: 2019-07-11

Fix Resolution: 3.35.1

CVE-2020-8141 (High) detected in dot-1.1.2.tgz

CVE-2020-8141 - High Severity Vulnerability

Vulnerable Library - dot-1.1.2.tgz

Concise and fast javascript templating compatible with nodejs and other javascript environments

Library home page: https://registry.npmjs.org/dot/-/dot-1.1.2.tgz

Dependency Hierarchy:

  • dot-1.1.2.tgz (Vulnerable Library)

Vulnerability Details

The dot package v1.1.2 uses Function() to compile templates. This can be exploited by the attacker if they can control the given template or if they can control the value set on Object.prototype.

Publish Date: 2020-03-15

URL: CVE-2020-8141

CVSS 3 Score Details (8.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

CVE-2017-16082 (High) detected in pg-6.4.2.tgz

CVE-2017-16082 - High Severity Vulnerability

Vulnerable Library - pg-6.4.2.tgz

PostgreSQL client - pure javascript & libpq with the same API

Library home page: https://registry.npmjs.org/pg/-/pg-6.4.2.tgz

Dependency Hierarchy:

  • pg-6.4.2.tgz (Vulnerable Library)

Vulnerability Details

A remote code execution vulnerability was found in the pg module when the remote database or a query specifies a specially crafted column name. There are two scenarios in which one is likely to be vulnerable: 1) executing unsafe, user-supplied SQL that contains a malicious column name; 2) connecting to an untrusted database and executing a query that returns results in which any of the column names are malicious.

Publish Date: 2018-06-07

URL: CVE-2017-16082

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nodesecurity.io/advisories/521

Release Date: 2017-08-13

Fix Resolution:

  • Version 2.x.x: Update to version 2.11.2 or later.
  • Version 3.x.x: Update to version 3.6.4 or later.
  • Version 4.x.x: Update to version 4.5.7 or later.
  • Version 5.x.x: Update to version 5.2.1 or later.
  • Version 6.x.x: Update to version 6.4.2 or later. (Note that versions 6.1.6, 6.2.5, and 6.3.3 are also patched.)
  • Version 7.x.x: Update to version 7.1.2 or later. (Note that version 7.0.2 is also patched.)


Step up your Open Source Security Game with WhiteSource here

WS-2019-0032 (Medium) detected in js-yaml-3.12.1.tgz

WS-2019-0032 - Medium Severity Vulnerability

Vulnerable Library - js-yaml-3.12.1.tgz

YAML 1.2 parser and serializer

Library home page: https://registry.npmjs.org/js-yaml/-/js-yaml-3.12.1.tgz

Dependency Hierarchy:

  • mapbox-gl-0.45.0.tgz (Root Library)
    • gray-matter-3.1.1.tgz
      • js-yaml-3.12.1.tgz (Vulnerable Library)

Vulnerability Details

Versions js-yaml prior to 3.13.0 are vulnerable to Denial of Service. By parsing a carefully-crafted YAML file, the node process stalls and may exhaust system resources leading to a Denial of Service.

Publish Date: 2019-03-20

URL: WS-2019-0032

CVSS 2 Score Details (5.0)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/788/versions

Release Date: 2019-03-20

Fix Resolution: js-yaml - 3.13.0

WS-2020-0070 (High) detected in multiple libraries

WS-2020-0070 - High Severity Vulnerability

Vulnerable Libraries - lodash-2.4.2.tgz, lodash-3.10.1.tgz, lodash-4.17.11.tgz

lodash-2.4.2.tgz

A utility library delivering consistency, customization, performance, & extras.

Library home page: https://registry.npmjs.org/lodash/-/lodash-2.4.2.tgz

Dependency Hierarchy:

  • elasticsearch-14.2.2.tgz (Root Library)
    • lodash-2.4.2.tgz (Vulnerable Library)

lodash-3.10.1.tgz

The modern build of lodash modular utilities.

Library home page: https://registry.npmjs.org/lodash/-/lodash-3.10.1.tgz

Dependency Hierarchy:

  • express-sequelize-session-0.4.0.tgz (Root Library)
    • lodash-3.10.1.tgz (Vulnerable Library)

lodash-4.17.11.tgz

Lodash modular utilities.

Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.11.tgz

Dependency Hierarchy:

  • http-proxy-middleware-0.17.4.tgz (Root Library)
    • lodash-4.17.11.tgz (Vulnerable Library)

Vulnerability Details

A prototype pollution vulnerability in lodash. It allows an attacker to inject properties on Object.prototype.

Publish Date: 2020-04-28

URL: WS-2020-0070

CVSS 3 Score Details (8.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

CVE-2018-3721 (Medium) detected in lodash-2.4.2.tgz, lodash-3.10.1.tgz

CVE-2018-3721 - Medium Severity Vulnerability

Vulnerable Libraries - lodash-2.4.2.tgz, lodash-3.10.1.tgz

lodash-2.4.2.tgz

A utility library delivering consistency, customization, performance, & extras.

Library home page: https://registry.npmjs.org/lodash/-/lodash-2.4.2.tgz

Dependency Hierarchy:

  • elasticsearch-14.2.2.tgz (Root Library)
    • lodash-2.4.2.tgz (Vulnerable Library)

lodash-3.10.1.tgz

The modern build of lodash modular utilities.

Library home page: https://registry.npmjs.org/lodash/-/lodash-3.10.1.tgz

Dependency Hierarchy:

  • express-sequelize-session-0.4.0.tgz (Root Library)
    • lodash-3.10.1.tgz (Vulnerable Library)

Vulnerability Details

lodash node module before 4.17.5 suffers from a Modification of Assumed-Immutable Data (MAID) vulnerability via the defaultsDeep, merge, and mergeWith functions, which allows a malicious user to modify the prototype of "Object" via __proto__, causing the addition or modification of an existing property that will exist on all objects.

Publish Date: 2018-06-07

URL: CVE-2018-3721

CVSS 3 Score Details (6.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: High
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2018-3721

Release Date: 2018-06-07

Fix Resolution: 4.17.5

CVE-2019-10749 (High) detected in sequelize-3.34.0.tgz

CVE-2019-10749 - High Severity Vulnerability

Vulnerable Library - sequelize-3.34.0.tgz

Multi dialect ORM for Node.JS/io.js

Library home page: https://registry.npmjs.org/sequelize/-/sequelize-3.34.0.tgz

Dependency Hierarchy:

  • express-sequelize-session-0.4.0.tgz (Root Library)
    • sequelize-3.34.0.tgz (Vulnerable Library)

Vulnerability Details

sequelize before version 3.35.1 allows attackers to perform a SQL Injection due to the JSON path keys not being properly sanitized in the Postgres dialect.

Publish Date: 2019-10-29

URL: CVE-2019-10749

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/1017

Release Date: 2019-07-11

Fix Resolution: 3.35.1

WS-2019-0053 (Medium) detected in sequelize-3.34.0.tgz

WS-2019-0053 - Medium Severity Vulnerability

Vulnerable Library - sequelize-3.34.0.tgz

Multi dialect ORM for Node.JS/io.js

Library home page: https://registry.npmjs.org/sequelize/-/sequelize-3.34.0.tgz

Dependency Hierarchy:

  • express-sequelize-session-0.4.0.tgz (Root Library)
    • sequelize-3.34.0.tgz (Vulnerable Library)

Vulnerability Details

Versions of sequelize prior to 4.12.0 are vulnerable to NoSQL Injection. Query operators such as $gt are not properly sanitized and may allow an attacker to alter data queries, leading to NoSQL Injection.

Publish Date: 2017-08-31

URL: WS-2019-0053

CVSS 2 Score Details (5.0)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/820/versions

Release Date: 2019-04-23

Fix Resolution: 4.12.0

CVE-2021-23337 (High) detected in multiple libraries

CVE-2021-23337 - High Severity Vulnerability

Vulnerable Libraries - lodash-2.4.2.tgz, lodash-3.10.1.tgz, lodash-4.17.11.tgz

lodash-2.4.2.tgz

A utility library delivering consistency, customization, performance, & extras.

Library home page: https://registry.npmjs.org/lodash/-/lodash-2.4.2.tgz

Dependency Hierarchy:

  • elasticsearch-14.2.2.tgz (Root Library)
    • lodash-2.4.2.tgz (Vulnerable Library)

lodash-3.10.1.tgz

The modern build of lodash modular utilities.

Library home page: https://registry.npmjs.org/lodash/-/lodash-3.10.1.tgz

Dependency Hierarchy:

  • express-sequelize-session-0.4.0.tgz (Root Library)
    • lodash-3.10.1.tgz (Vulnerable Library)

lodash-4.17.11.tgz

Lodash modular utilities.

Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.11.tgz

Dependency Hierarchy:

  • http-proxy-middleware-0.17.4.tgz (Root Library)
    • lodash-4.17.11.tgz (Vulnerable Library)

Vulnerability Details

Lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function.

Publish Date: 2021-02-15

URL: CVE-2021-23337

CVSS 3 Score Details (7.2)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: High
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: lodash/lodash@3469357

Release Date: 2021-02-15

Fix Resolution: lodash - 4.17.21

CVE-2018-16487 (Medium) detected in lodash-2.4.2.tgz, lodash-3.10.1.tgz

CVE-2018-16487 - Medium Severity Vulnerability

Vulnerable Libraries - lodash-2.4.2.tgz, lodash-3.10.1.tgz

lodash-2.4.2.tgz

A utility library delivering consistency, customization, performance, & extras.

Library home page: https://registry.npmjs.org/lodash/-/lodash-2.4.2.tgz

Dependency Hierarchy:

  • elasticsearch-14.2.2.tgz (Root Library)
    • lodash-2.4.2.tgz (Vulnerable Library)

lodash-3.10.1.tgz

The modern build of lodash modular utilities.

Library home page: https://registry.npmjs.org/lodash/-/lodash-3.10.1.tgz

Dependency Hierarchy:

  • express-sequelize-session-0.4.0.tgz (Root Library)
    • lodash-3.10.1.tgz (Vulnerable Library)

Vulnerability Details

A prototype pollution vulnerability was found in lodash <4.17.11 where the functions merge, mergeWith, and defaultsDeep can be tricked into adding or modifying properties of Object.prototype.

Publish Date: 2019-02-01

URL: CVE-2018-16487

CVSS 3 Score Details (5.6)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-16487

Release Date: 2019-02-01

Fix Resolution: 4.17.11

CVE-2020-28500 (Medium) detected in lodash-4.17.11.tgz

CVE-2020-28500 - Medium Severity Vulnerability

Vulnerable Library - lodash-4.17.11.tgz

Lodash modular utilities.

Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.11.tgz

Dependency Hierarchy:

  • http-proxy-middleware-0.17.4.tgz (Root Library)
    • lodash-4.17.11.tgz (Vulnerable Library)

Vulnerability Details

Lodash versions prior to 4.17.21 are vulnerable to Regular Expression Denial of Service (ReDoS) via the toNumber, trim and trimEnd functions.
WhiteSource Note: After conducting further research, WhiteSource has determined that CVE-2020-28500 only affects environments with versions 4.0.0 to 4.17.20 of Lodash.

Publish Date: 2021-02-15

URL: CVE-2020-28500

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28500

Release Date: 2021-02-15

Fix Resolution: lodash-4.17.21

WS-2018-0159 (Low) detected in njwt-0.4.0.tgz

WS-2018-0159 - Low Severity Vulnerability

Vulnerable Library - njwt-0.4.0.tgz

JWT Library for Node.js

Library home page: https://registry.npmjs.org/njwt/-/njwt-0.4.0.tgz

Dependency Hierarchy:

  • njwt-0.4.0.tgz (Vulnerable Library)

Vulnerability Details

njwt versions 0.4.0 and earlier are vulnerable to out-of-bounds reads when a number is passed into the base64urlEncode function.
On Node.js 6.x or lower this can expose sensitive information; on any other version of Node.js it creates a Denial of Service vulnerability.

Publish Date: 2018-07-29

URL: WS-2018-0159

CVSS 2 Score Details (3.0)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/678/versions

Release Date: 2018-01-06

Fix Resolution: 1.4.3

CVE-2019-10768 (Medium) detected in angular-1.7.5.tgz, angular-1.6.10.tgz

CVE-2019-10768 - Medium Severity Vulnerability

Vulnerable Libraries - angular-1.7.5.tgz, angular-1.6.10.tgz

angular-1.7.5.tgz

HTML enhanced for web apps

Library home page: https://registry.npmjs.org/angular/-/angular-1.7.5.tgz

Dependency Hierarchy:

  • angular-ui-grid-4.6.6.tgz (Root Library)
    • angular-1.7.5.tgz (Vulnerable Library)

angular-1.6.10.tgz

HTML enhanced for web apps

Library home page: https://registry.npmjs.org/angular/-/angular-1.6.10.tgz

Dependency Hierarchy:

  • angular-1.6.10.tgz (Vulnerable Library)

Vulnerability Details

In AngularJS before 1.7.9 the function merge() could be tricked into adding or modifying properties of Object.prototype using a __proto__ payload.

Publish Date: 2019-11-19

URL: CVE-2019-10768

CVSS 2 Score Details (5.0)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10768

Release Date: 2019-11-19

Fix Resolution: v1.7.9

WS-2018-0151 (Low) detected in njwt-0.4.0.tgz

WS-2018-0151 - Low Severity Vulnerability

Vulnerable Library - njwt-0.4.0.tgz

JWT Library for Node.js

Library home page: https://registry.npmjs.org/njwt/-/njwt-0.4.0.tgz

Dependency Hierarchy:

  • njwt-0.4.0.tgz (Vulnerable Library)

Vulnerability Details

njwt versions <=0.4.0 allocate uninitialized Buffers when a number is passed as input to base64urlEncode.

Publish Date: 2018-07-16

URL: WS-2018-0151

CVSS 2 Score Details (1.8)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: https://hackerone.com/reports/321704

Release Date: 2018-01-16

Fix Resolution: 0.4.1

CVE-2020-15084 (High) detected in express-jwt-5.3.1.tgz

CVE-2020-15084 - High Severity Vulnerability

Vulnerable Library - express-jwt-5.3.1.tgz

JWT authentication middleware.

Library home page: https://registry.npmjs.org/express-jwt/-/express-jwt-5.3.1.tgz

Dependency Hierarchy:

  • express-jwt-5.3.1.tgz (Vulnerable Library)

Vulnerability Details

In express-jwt (NPM package) up to and including version 5.3.3, the algorithms entry that is supposed to be specified in the configuration is not enforced. When algorithms is not specified in the configuration, in combination with jwks-rsa, this may lead to authorization bypass. You are affected by this vulnerability if all of the following conditions apply:

  • You are using express-jwt.
  • You do not have algorithms configured in your express-jwt configuration.
  • You are using libraries such as jwks-rsa as the secret.

You can fix this by specifying algorithms in the express-jwt configuration. See the linked GHSA for an example. This is also fixed in version 6.0.0.

Publish Date: 2020-06-30

URL: CVE-2020-15084

CVSS 3 Score Details (9.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-6g6m-m6h5-w9gf

Release Date: 2020-06-30

Fix Resolution: 6.0.0

CVE-2020-7769 (High) detected in nodemailer-4.7.0.tgz

CVE-2020-7769 - High Severity Vulnerability

Vulnerable Library - nodemailer-4.7.0.tgz

Easy as cake e-mail sending from your Node.js applications

Library home page: https://registry.npmjs.org/nodemailer/-/nodemailer-4.7.0.tgz

Dependency Hierarchy:

  • nodemailer-4.7.0.tgz (Vulnerable Library)

Vulnerability Details

This affects the package nodemailer before 6.4.16. Use of crafted recipient email addresses may result in arbitrary command flag injection in sendmail transport for sending mails.

Publish Date: 2020-11-12

URL: CVE-2020-7769

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7769

Release Date: 2020-11-12

Fix Resolution: v6.4.16

CVE-2017-16226 (High) detected in static-eval-0.2.3.tgz

CVE-2017-16226 - High Severity Vulnerability

Vulnerable Library - static-eval-0.2.3.tgz

evaluate statically-analyzable expressions

Library home page: https://registry.npmjs.org/static-eval/-/static-eval-0.2.3.tgz

Dependency Hierarchy:

  • plotly.js-1.43.2.tgz (Root Library)
    • ndarray-fill-1.0.2.tgz
      • cwise-1.0.10.tgz
        • static-module-1.5.0.tgz
          • static-eval-0.2.3.tgz (Vulnerable Library)

Vulnerability Details

The static-eval module is intended to evaluate statically-analyzable expressions. In affected versions, untrusted user input is able to access the global function constructor, effectively allowing arbitrary code execution.

Publish Date: 2018-06-07

URL: CVE-2017-16226

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-16226

Release Date: 2018-06-07

Fix Resolution: 2.0.0

CVE-2020-8203 (High) detected in multiple libraries

CVE-2020-8203 - High Severity Vulnerability

Vulnerable Libraries - lodash-2.4.2.tgz, lodash-3.10.1.tgz, lodash-4.17.11.tgz

lodash-2.4.2.tgz

A utility library delivering consistency, customization, performance, & extras.

Library home page: https://registry.npmjs.org/lodash/-/lodash-2.4.2.tgz

Dependency Hierarchy:

  • elasticsearch-14.2.2.tgz (Root Library)
    • lodash-2.4.2.tgz (Vulnerable Library)

lodash-3.10.1.tgz

The modern build of lodash modular utilities.

Library home page: https://registry.npmjs.org/lodash/-/lodash-3.10.1.tgz

Dependency Hierarchy:

  • express-sequelize-session-0.4.0.tgz (Root Library)
    • lodash-3.10.1.tgz (Vulnerable Library)

lodash-4.17.11.tgz

Lodash modular utilities.

Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.11.tgz

Dependency Hierarchy:

  • http-proxy-middleware-0.17.4.tgz (Root Library)
    • lodash-4.17.11.tgz (Vulnerable Library)

Vulnerability Details

Prototype pollution attack when using _.zipObjectDeep in lodash before 4.17.20.

Publish Date: 2020-07-15

URL: CVE-2020-8203

CVSS 3 Score Details (7.4)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/1523

Release Date: 2020-07-23

Fix Resolution: lodash - 4.17.19

CVE-2019-10752 (High) detected in sequelize-3.34.0.tgz

CVE-2019-10752 - High Severity Vulnerability

Vulnerable Library - sequelize-3.34.0.tgz

Multi dialect ORM for Node.JS/io.js

Library home page: https://registry.npmjs.org/sequelize/-/sequelize-3.34.0.tgz

Dependency Hierarchy:

  • express-sequelize-session-0.4.0.tgz (Root Library)
    • sequelize-3.34.0.tgz (Vulnerable Library)

Vulnerability Details

Sequelize, all versions prior to version 4.44.3 and 5.15.1, is vulnerable to SQL Injection due to sequelize.json() helper function not escaping values properly when formatting sub paths for JSON queries for MySQL, MariaDB and SQLite.

Publish Date: 2019-10-17

URL: CVE-2019-10752

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10752

Release Date: 2019-09-24

Fix Resolution: 4.44.3,5.15.1

CVE-2020-8244 (Medium) detected in bl-1.2.2.tgz

CVE-2020-8244 - Medium Severity Vulnerability

Vulnerable Library - bl-1.2.2.tgz

Buffer List: collect buffers and access with a standard readable Buffer interface, streamable too!

Library home page: https://registry.npmjs.org/bl/-/bl-1.2.2.tgz

Dependency Hierarchy:

  • plotly.js-1.43.2.tgz (Root Library)
    • glslify-6.4.1.tgz
      • bl-1.2.2.tgz (Vulnerable Library)

Vulnerability Details

A buffer over-read vulnerability exists in bl <4.0.3, <3.0.1, <2.2.1, and <1.2.3. If attacker-supplied input (even typed input) ends up as the argument to consume() and can become negative, the BufferList state can be corrupted, tricking it into exposing uninitialized memory via regular .slice() calls.

Publish Date: 2020-08-30

URL: CVE-2020-8244

CVSS 3 Score Details (6.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: None
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8244

Release Date: 2020-07-21

Fix Resolution: 2.2.1,3.0.1,4.0.3

CVE-2019-3820 (Medium) detected in jquery-3.3.1.tgz

CVE-2019-3820 - Medium Severity Vulnerability

Vulnerable Library - jquery-3.3.1.tgz

JavaScript library for DOM operations

Library home page: https://registry.npmjs.org/jquery/-/jquery-3.3.1.tgz

Dependency Hierarchy:

  • parsleyjs-2.8.1.tgz (Root Library)
    • jquery-3.3.1.tgz (Vulnerable Library)

Vulnerability Details

It was discovered that the gnome-shell lock screen since version 3.15.91 did not properly restrict all contextual actions. An attacker with physical access to a locked workstation could invoke certain keyboard shortcuts, and potentially other actions.

Publish Date: 2019-02-06

URL: CVE-2019-3820

CVSS 3 Score Details (4.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Physical
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://gitlab.gnome.org/GNOME/gnome-shell/issues/851

Release Date: 2019-02-06

Fix Resolution: 3.15.91

CVE-2019-10742 (High) detected in axios-0.18.0.tgz

CVE-2019-10742 - High Severity Vulnerability

Vulnerable Library - axios-0.18.0.tgz

Promise based HTTP client for the browser and node.js

Library home page: https://registry.npmjs.org/axios/-/axios-0.18.0.tgz

Dependency Hierarchy:

  • axios-0.18.0.tgz (Vulnerable Library)

Vulnerability Details

Axios up to and including 0.18.0 allows attackers to cause a denial of service (application crash) by continuing to accept content after maxContentLength is exceeded.

Publish Date: 2019-05-07

URL: CVE-2019-10742

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

CVE-2019-10744 (High) detected in multiple libraries

CVE-2019-10744 - High Severity Vulnerability

Vulnerable Libraries - lodash-2.4.2.tgz, lodash-3.10.1.tgz, lodash-4.17.11.tgz

lodash-2.4.2.tgz

A utility library delivering consistency, customization, performance, & extras.

Library home page: https://registry.npmjs.org/lodash/-/lodash-2.4.2.tgz

Dependency Hierarchy:

  • elasticsearch-14.2.2.tgz (Root Library)
    • lodash-2.4.2.tgz (Vulnerable Library)

lodash-3.10.1.tgz

The modern build of lodash modular utilities.

Library home page: https://registry.npmjs.org/lodash/-/lodash-3.10.1.tgz

Dependency Hierarchy:

  • express-sequelize-session-0.4.0.tgz (Root Library)
    • lodash-3.10.1.tgz (Vulnerable Library)

lodash-4.17.11.tgz

Lodash modular utilities.

Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.11.tgz

Dependency Hierarchy:

  • http-proxy-middleware-0.17.4.tgz (Root Library)
    • lodash-4.17.11.tgz (Vulnerable Library)

Vulnerability Details

Versions of lodash lower than 4.17.12 are vulnerable to Prototype Pollution. The function defaultsDeep could be tricked into adding or modifying properties of Object.prototype using a constructor payload.

Publish Date: 2019-07-26

URL: CVE-2019-10744

CVSS 3 Score Details (9.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-jf85-cpcp-j695

Release Date: 2019-07-08

Fix Resolution: lodash-4.17.12, lodash-amd-4.17.12, lodash-es-4.17.12, lodash.defaultsdeep-4.6.1, lodash.merge-4.6.2, lodash.mergewith-4.6.2, lodash.template-4.5.0

CVE-2020-28472 (High) detected in aws-sdk-2.387.0.tgz

CVE-2020-28472 - High Severity Vulnerability

Vulnerable Library - aws-sdk-2.387.0.tgz

AWS SDK for JavaScript

Library home page: https://registry.npmjs.org/aws-sdk/-/aws-sdk-2.387.0.tgz

Dependency Hierarchy:

  • aws-sdk-2.387.0.tgz (Vulnerable Library)

Vulnerability Details

This affects the package @aws-sdk/shared-ini-file-loader before 1.0.0-rc.9 and the package aws-sdk before 2.814.0. If an attacker submits a malicious INI file to an application that parses it with loadSharedConfigFiles, they will pollute the prototype of the application. This can be exploited further depending on the context.

Publish Date: 2021-01-19

URL: CVE-2020-28472

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2020-28472

Release Date: 2021-01-19

Fix Resolution: aws-sdk-2.814.0,@aws-sdk/shared-ini-file-loader-1.0.0-rc.9

CVE-2019-1010266 (Medium) detected in lodash-2.4.2.tgz, lodash-3.10.1.tgz

CVE-2019-1010266 - Medium Severity Vulnerability

Vulnerable Libraries - lodash-2.4.2.tgz, lodash-3.10.1.tgz

lodash-2.4.2.tgz

A utility library delivering consistency, customization, performance, & extras.

Library home page: https://registry.npmjs.org/lodash/-/lodash-2.4.2.tgz

Dependency Hierarchy:

  • elasticsearch-14.2.2.tgz (Root Library)
    • lodash-2.4.2.tgz (Vulnerable Library)

lodash-3.10.1.tgz

The modern build of lodash modular utilities.

Library home page: https://registry.npmjs.org/lodash/-/lodash-3.10.1.tgz

Dependency Hierarchy:

  • express-sequelize-session-0.4.0.tgz (Root Library)
    • lodash-3.10.1.tgz (Vulnerable Library)

Vulnerability Details

lodash prior to 4.17.11 is affected by: CWE-400: Uncontrolled Resource Consumption. The impact is: Denial of service. The component is: Date handler. The attack vector is: Attacker provides very long strings, which the library attempts to match using a regular expression. The fixed version is: 4.17.11.

Publish Date: 2019-07-17

URL: CVE-2019-1010266

CVSS 3 Score Details (6.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1010266

Release Date: 2019-07-17

Fix Resolution: 4.17.11

WS-2017-0247 (Low) detected in ms-0.7.1.tgz

WS-2017-0247 - Low Severity Vulnerability

Vulnerable Library - ms-0.7.1.tgz

Tiny ms conversion utility

Library home page: https://registry.npmjs.org/ms/-/ms-0.7.1.tgz

Dependency Hierarchy:

  • amplitude-js-4.5.2.tgz (Root Library)
    • top-domain-3.0.0.tgz
      • component-cookie-1.1.4.tgz
        • debug-2.2.0.tgz
          • ms-0.7.1.tgz (Vulnerable Library)

Vulnerability Details

Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS).

Publish Date: 2017-04-12

URL: WS-2017-0247

CVSS 2 Score Details (3.4)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: vercel/ms#89

Release Date: 2017-04-12

Fix Resolution: 2.1.1
