alan's Introduction

Hi there 👋

  • 🔭 I work at Swan as a Senior DevOps.
  • ✍️ Sometimes, I hack on some free software projects (Kubernetes ecosystem, Terraform providers, HomeAutomation, ...).
  • 💬 Let's Get In Touch! I am always looking for projects and opportunities.
  • 📫 You can find me on Twitter, GitHub... All of my profiles and identities including my public key are verified on Keybase.
  • ⚡ Fun fact: I'm a Pilorari and a freeskier

🚀 Tools

aws gcp azure kubernetes github

argocd fluxcd opengitops keptn openslo

opentelemetry prometheus cortex thanos jaeger loki grafana tempo mimir

vault falco trivy tetragon keda kyverno Karpenter litmus-chaos chaos-mesh

linux terraform ansible packer crossplane ACK

go python rust

alan's People

Contributors

mend-bolt-for-github[bot], nlamirault

Forkers

binlabnet jurya

alan's Issues

CVE-2019-8331 (Medium) detected in bootstrap-sass-3.3.7.gem

CVE-2019-8331 - Medium Severity Vulnerability

Vulnerable Library - bootstrap-sass-3.3.7.gem

Library home page: https://rubygems.org/gems/bootstrap-sass-3.3.7.gem

Path to dependency file: /vendor/github.com/hashicorp/vault/website/Gemfile.lock

Path to vulnerable library: /vendor/github.com/hashicorp/vault/website/Gemfile.lock

Dependency Hierarchy:

  • middleman-hashicorp-0.3.30.gem (Root Library)
    • โŒ bootstrap-sass-3.3.7.gem (Vulnerable Library)

Found in HEAD commit: 9060713df80212ee5546b36d1083fb607520eb0b

Found in base branch: master

Vulnerability Details

In Bootstrap before 3.4.1 and 4.3.x before 4.3.1, XSS is possible in the tooltip or popover data-template attribute.

Publish Date: 2019-02-20

URL: CVE-2019-8331

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2019-02-20

Fix Resolution: bootstrap - 3.4.1,4.3.1;bootstrap-sass - 3.4.1,4.3.1


Step up your Open Source Security Game with Mend here

CVE-2018-11695 (Medium) detected in node-sass-4.5.3.tgz

CVE-2018-11695 - Medium Severity Vulnerability

Vulnerable Library - node-sass-4.5.3.tgz

Wrapper around libsass

Library home page: https://registry.npmjs.org/node-sass/-/node-sass-4.5.3.tgz

Path to dependency file: /vendor/github.com/hashicorp/vault/ui/package.json

Path to vulnerable library: /vendor/github.com/hashicorp/vault/ui/node_modules/node-sass/package.json

Dependency Hierarchy:

  • ember-cli-sass-6.0.0.tgz (Root Library)
    • broccoli-sass-source-maps-2.0.0.tgz
      • โŒ node-sass-4.5.3.tgz (Vulnerable Library)

Found in HEAD commit: 9060713df80212ee5546b36d1083fb607520eb0b

Found in base branch: master

Vulnerability Details

An issue was discovered in LibSass <3.5.3. A NULL pointer dereference was found in the function Sass::Expand::operator which could be leveraged by an attacker to cause a denial of service (application crash) or possibly have unspecified other impact.

Publish Date: 2018-06-04

URL: CVE-2018-11695

CVSS 3 Score Details (5.6)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Release Date: 2018-06-04

Fix Resolution (node-sass): 4.9.0

Direct dependency fix Resolution (ember-cli-sass): 6.1.0

CVE-2018-11693 (High) detected in node-sass-4.5.3.tgz

CVE-2018-11693 - High Severity Vulnerability

Vulnerable Library - node-sass-4.5.3.tgz

Wrapper around libsass

Library home page: https://registry.npmjs.org/node-sass/-/node-sass-4.5.3.tgz

Path to dependency file: /vendor/github.com/hashicorp/vault/ui/package.json

Path to vulnerable library: /vendor/github.com/hashicorp/vault/ui/node_modules/node-sass/package.json

Dependency Hierarchy:

  • ember-cli-sass-6.0.0.tgz (Root Library)
    • broccoli-sass-source-maps-2.0.0.tgz
      • โŒ node-sass-4.5.3.tgz (Vulnerable Library)

Found in HEAD commit: 9060713df80212ee5546b36d1083fb607520eb0b

Found in base branch: master

Vulnerability Details

An issue was discovered in LibSass through 3.5.4. An out-of-bounds read of a memory region was found in the function Sass::Prelexer::skip_over_scopes which could be leveraged by an attacker to disclose information or manipulated to read from unmapped memory causing a denial of service.

Publish Date: 2018-06-04

URL: CVE-2018-11693

CVSS 3 Score Details (8.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Release Date: 2018-06-04

Fix Resolution (node-sass): 4.11.0

Direct dependency fix Resolution (ember-cli-sass): 6.1.0

CVE-2019-16782 (Medium) detected in rack-1.6.9.gem

CVE-2019-16782 - Medium Severity Vulnerability

Vulnerable Library - rack-1.6.9.gem

Rack provides a minimal, modular and adaptable interface for developing web applications in Ruby. By wrapping HTTP requests and responses in the simplest way possible, it unifies and distills the API for web servers, web frameworks, and software in between (the so-called middleware) into a single method call.

Also see http://rack.github.io/.

Library home page: https://rubygems.org/gems/rack-1.6.9.gem

Path to dependency file: /vendor/github.com/hashicorp/vault/website/Gemfile.lock

Path to vulnerable library: /vendor/github.com/hashicorp/vault/website/Gemfile.lock

Dependency Hierarchy:

  • middleman-hashicorp-0.3.30.gem (Root Library)
    • middleman-3.4.1.gem
      • middleman-sprockets-3.5.0.gem
        • sprockets-sass-1.3.1.gem
          • sprockets-2.12.4.gem
            • โŒ rack-1.6.9.gem (Vulnerable Library)

Found in HEAD commit: 9060713df80212ee5546b36d1083fb607520eb0b

Found in base branch: master

Vulnerability Details

There's a possible information leak / session hijack vulnerability in Rack (RubyGem rack). This vulnerability is patched in versions 1.6.12 and 2.0.8. Attackers may be able to find and hijack sessions by using timing attacks targeting the session id. Session ids are usually stored and indexed in a database that uses some kind of scheme for speeding up lookups of that session id. By carefully measuring the amount of time it takes to look up a session, an attacker may be able to find a valid session id and hijack the session. The session id itself may be generated randomly, but the way the session is indexed by the backing store does not use a secure comparison.

Publish Date: 2019-12-18

URL: CVE-2019-16782

CVSS 3 Score Details (5.9)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16782

Release Date: 2019-12-18

Fix Resolution: 1.6.12;2.0.8

CVE-2020-28500 (Medium) detected in multiple libraries

CVE-2020-28500 - Medium Severity Vulnerability

Vulnerable Libraries - lodash-4.17.4.tgz, lodash-3.10.1.tgz, lodash-2.4.2.tgz

lodash-4.17.4.tgz

Lodash modular utilities.

Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.4.tgz

Path to dependency file: /vendor/github.com/hashicorp/vault/ui/package.json

Path to vulnerable library: /vendor/github.com/hashicorp/vault/ui/node_modules/lodash/package.json

Dependency Hierarchy:

  • ember-cli-sass-6.0.0.tgz (Root Library)
    • broccoli-sass-source-maps-2.0.0.tgz
      • node-sass-4.5.3.tgz
        • sass-graph-2.2.4.tgz
          • โŒ lodash-4.17.4.tgz (Vulnerable Library)
lodash-3.10.1.tgz

The modern build of lodash modular utilities.

Library home page: https://registry.npmjs.org/lodash/-/lodash-3.10.1.tgz

Path to dependency file: /vendor/github.com/hashicorp/vault/ui/package.json

Path to vulnerable library: /vendor/github.com/hashicorp/vault/ui/node_modules/lodash/package.json

Dependency Hierarchy:

  • ember-cli-favicon-1.0.0-beta.4.tgz (Root Library)
    • broccoli-favicon-1.0.0.tgz
      • favicons-4.8.6.tgz
        • cheerio-0.19.0.tgz
          • โŒ lodash-3.10.1.tgz (Vulnerable Library)
lodash-2.4.2.tgz

A utility library delivering consistency, customization, performance, & extras.

Library home page: https://registry.npmjs.org/lodash/-/lodash-2.4.2.tgz

Path to dependency file: /vendor/github.com/hashicorp/vault/ui/package.json

Path to vulnerable library: /vendor/github.com/hashicorp/vault/ui/node_modules/merge-defaults/node_modules/lodash/package.json

Dependency Hierarchy:

  • ember-cli-favicon-1.0.0-beta.4.tgz (Root Library)
    • broccoli-favicon-1.0.0.tgz
      • favicons-4.8.6.tgz
        • merge-defaults-0.2.1.tgz
          • โŒ lodash-2.4.2.tgz (Vulnerable Library)

Found in HEAD commit: 9060713df80212ee5546b36d1083fb607520eb0b

Found in base branch: master

Vulnerability Details

Lodash versions prior to 4.17.21 are vulnerable to Regular Expression Denial of Service (ReDoS) via the toNumber, trim and trimEnd functions.
Mend Note: After conducting further research, Mend has determined that CVE-2020-28500 only affects environments with versions 4.0.0 to 4.17.20 of Lodash.

Publish Date: 2021-02-15

URL: CVE-2020-28500

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28500

Release Date: 2021-02-15

Fix Resolution (lodash): 4.17.21

Direct dependency fix Resolution (ember-cli-sass): 6.1.3

Fix Resolution (lodash): 4.17.21

Direct dependency fix Resolution (ember-cli-favicon): 2.2.0

Fix Resolution (lodash): 4.17.21

Direct dependency fix Resolution (ember-cli-favicon): 2.2.0

CVE-2021-32804 (High) detected in tar-2.2.1.tgz

CVE-2021-32804 - High Severity Vulnerability

Vulnerable Library - tar-2.2.1.tgz

tar for node

Library home page: https://registry.npmjs.org/tar/-/tar-2.2.1.tgz

Path to dependency file: /vendor/github.com/hashicorp/vault/ui/package.json

Path to vulnerable library: /vendor/github.com/hashicorp/vault/ui/node_modules/tar/package.json

Dependency Hierarchy:

  • ember-cli-qunit-4.0.0.tgz (Root Library)
    • qunitjs-2.4.0.tgz
      • chokidar-1.6.1.tgz
        • fsevents-1.1.2.tgz
          • node-pre-gyp-0.6.36.tgz
            • โŒ tar-2.2.1.tgz (Vulnerable Library)

Found in HEAD commit: 9060713df80212ee5546b36d1083fb607520eb0b

Found in base branch: master

Vulnerability Details

The npm package "tar" (aka node-tar) before versions 6.1.1, 5.0.6, 4.4.14, and 3.3.2 has an arbitrary File Creation/Overwrite vulnerability due to insufficient absolute path sanitization. node-tar aims to prevent extraction of absolute file paths by turning absolute paths into relative paths when the preservePaths flag is not set to true. This is achieved by stripping the absolute path root from any absolute file paths contained in a tar file. For example /home/user/.bashrc would turn into home/user/.bashrc. This logic was insufficient when file paths contained repeated path roots such as ////home/user/.bashrc. node-tar would only strip a single path root from such paths. When given an absolute file path with repeating path roots, the resulting path (e.g. ///home/user/.bashrc) would still resolve to an absolute path, thus allowing arbitrary file creation and overwrite. This issue was addressed in releases 3.2.2, 4.4.14, 5.0.6 and 6.1.1. Users may work around this vulnerability without upgrading by creating a custom onentry method which sanitizes the entry.path or a filter method which removes entries with absolute paths. See the referenced GitHub Advisory for details. Be aware of CVE-2021-32803, which fixes a similar bug in later versions of tar.

Publish Date: 2021-08-03

URL: CVE-2021-32804

CVSS 3 Score Details (8.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-3jfq-g458-7qm9

Release Date: 2021-08-03

Fix Resolution (tar): 3.2.2

Direct dependency fix Resolution (ember-cli-qunit): 4.0.1

CVE-2018-20834 (High) detected in tar-2.2.1.tgz

CVE-2018-20834 - High Severity Vulnerability

Vulnerable Library - tar-2.2.1.tgz

tar for node

Library home page: https://registry.npmjs.org/tar/-/tar-2.2.1.tgz

Path to dependency file: /vendor/github.com/hashicorp/vault/ui/package.json

Path to vulnerable library: /vendor/github.com/hashicorp/vault/ui/node_modules/tar/package.json

Dependency Hierarchy:

  • ember-cli-qunit-4.0.0.tgz (Root Library)
    • qunitjs-2.4.0.tgz
      • chokidar-1.6.1.tgz
        • fsevents-1.1.2.tgz
          • node-pre-gyp-0.6.36.tgz
            • โŒ tar-2.2.1.tgz (Vulnerable Library)

Found in HEAD commit: 9060713df80212ee5546b36d1083fb607520eb0b

Found in base branch: master

Vulnerability Details

A vulnerability was found in node-tar before version 4.4.2 (excluding version 2.2.2). An Arbitrary File Overwrite issue exists when extracting a tarball containing a hardlink to a file that already exists on the system, in conjunction with a later plain file with the same name as the hardlink. This plain file content replaces the existing file content. A patch has been applied to node-tar v2.2.2.

Publish Date: 2019-04-30

URL: CVE-2018-20834

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: High
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16082

Release Date: 2019-04-30

Fix Resolution (tar): 2.2.2

Direct dependency fix Resolution (ember-cli-qunit): 4.0.1

CVE-2019-20922 (High) detected in handlebars-4.0.10.tgz

CVE-2019-20922 - High Severity Vulnerability

Vulnerable Library - handlebars-4.0.10.tgz

Handlebars provides the power necessary to let you build semantic templates effectively with no frustration

Library home page: https://registry.npmjs.org/handlebars/-/handlebars-4.0.10.tgz

Path to dependency file: /vendor/github.com/hashicorp/vault/ui/package.json

Path to vulnerable library: /vendor/github.com/hashicorp/vault/ui/node_modules/handlebars/package.json

Dependency Hierarchy:

  • ember-source-2.14.1.tgz (Root Library)
    • โŒ handlebars-4.0.10.tgz (Vulnerable Library)

Found in HEAD commit: 9060713df80212ee5546b36d1083fb607520eb0b

Found in base branch: master

Vulnerability Details

Handlebars before 4.4.5 allows Regular Expression Denial of Service (ReDoS) because of eager matching. The parser may be forced into an endless loop while processing crafted templates. This may allow attackers to exhaust system resources.
Mend Note: Converted from WS-2019-0491, on 2022-11-08.

Publish Date: 2020-09-30

URL: CVE-2019-20922

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/1300

Release Date: 2020-09-30

Fix Resolution (handlebars): 4.4.5

Direct dependency fix Resolution (ember-source): 2.15.0

CVE-2021-33623 (High) detected in trim-newlines-1.0.0.tgz

CVE-2021-33623 - High Severity Vulnerability

Vulnerable Library - trim-newlines-1.0.0.tgz

Trim newlines from the start and/or end of a string

Library home page: https://registry.npmjs.org/trim-newlines/-/trim-newlines-1.0.0.tgz

Path to dependency file: /vendor/github.com/hashicorp/vault/ui/package.json

Path to vulnerable library: /vendor/github.com/hashicorp/vault/ui/node_modules/trim-newlines/package.json

Dependency Hierarchy:

  • ember-cli-sass-6.0.0.tgz (Root Library)
    • broccoli-sass-source-maps-2.0.0.tgz
      • node-sass-4.5.3.tgz
        • meow-3.7.0.tgz
          • โŒ trim-newlines-1.0.0.tgz (Vulnerable Library)

Found in HEAD commit: 9060713df80212ee5546b36d1083fb607520eb0b

Found in base branch: master

Vulnerability Details

The trim-newlines package before 3.0.1 and 4.x before 4.0.1 for Node.js has an issue related to regular expression denial-of-service (ReDoS) for the .end() method.

Publish Date: 2021-05-28

URL: CVE-2021-33623

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33623

Release Date: 2021-05-28

Fix Resolution (trim-newlines): 3.0.1

Direct dependency fix Resolution (ember-cli-sass): 8.0.1

CVE-2021-28834 (Critical) detected in kramdown-1.16.2.gem

CVE-2021-28834 - Critical Severity Vulnerability

Vulnerable Library - kramdown-1.16.2.gem

kramdown is yet-another-markdown-parser but fast, pure Ruby, using a strict syntax definition and supporting several common extensions.

Library home page: https://rubygems.org/gems/kramdown-1.16.2.gem

Path to dependency file: /vendor/github.com/hashicorp/vault/website/Gemfile.lock

Path to vulnerable library: /vendor/github.com/hashicorp/vault/website/Gemfile.lock

Dependency Hierarchy:

  • middleman-hashicorp-0.3.30.gem (Root Library)
    • middleman-3.4.1.gem
      • โŒ kramdown-1.16.2.gem (Vulnerable Library)

Found in HEAD commit: 9060713df80212ee5546b36d1083fb607520eb0b

Found in base branch: master

Vulnerability Details

Kramdown before 2.3.1 does not restrict Rouge formatters to the Rouge::Formatters namespace, and thus arbitrary classes can be instantiated.

Publish Date: 2021-03-19

URL: CVE-2021-28834

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Release Date: 2021-03-19

Fix Resolution: 2.3.1

CVE-2018-11696 (Medium) detected in node-sass-4.5.3.tgz

CVE-2018-11696 - Medium Severity Vulnerability

Vulnerable Library - node-sass-4.5.3.tgz

Wrapper around libsass

Library home page: https://registry.npmjs.org/node-sass/-/node-sass-4.5.3.tgz

Path to dependency file: /vendor/github.com/hashicorp/vault/ui/package.json

Path to vulnerable library: /vendor/github.com/hashicorp/vault/ui/node_modules/node-sass/package.json

Dependency Hierarchy:

  • ember-cli-sass-6.0.0.tgz (Root Library)
    • broccoli-sass-source-maps-2.0.0.tgz
      • โŒ node-sass-4.5.3.tgz (Vulnerable Library)

Found in HEAD commit: 9060713df80212ee5546b36d1083fb607520eb0b

Found in base branch: master

Vulnerability Details

An issue was discovered in LibSass through 3.5.4. A NULL pointer dereference was found in the function Sass::Inspect::operator which could be leveraged by an attacker to cause a denial of service (application crash) or possibly have unspecified other impact.

Publish Date: 2018-06-04

URL: CVE-2018-11696

CVSS 3 Score Details (5.6)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Release Date: 2018-06-04

Fix Resolution (node-sass): 4.14.0

Direct dependency fix Resolution (ember-cli-sass): 6.1.0

CVE-2020-14040 (High) detected in https://source.codeaurora.org/quic/le/golang/text/v0.2.0-unicode10.0.0, https://source.codeaurora.org/quic/le/golang/text/v0.2.0-unicode10.0.0

CVE-2020-14040 - High Severity Vulnerability

Vulnerable Libraries - https://source.codeaurora.org/quic/le/golang/text/v0.2.0-unicode10.0.0, https://source.codeaurora.org/quic/le/golang/text/v0.2.0-unicode10.0.0

Vulnerability Details

The x/text package before 0.3.3 for Go has a vulnerability in encoding/unicode that could lead to the UTF-16 decoder entering an infinite loop, causing the program to crash or run out of memory. An attacker could provide a single byte to a UTF16 decoder instantiated with UseBOM or ExpectBOM to trigger an infinite loop if the String function on the Decoder is called, or the Decoder is passed to golang.org/x/text/transform.String.

Publish Date: 2020-06-17

URL: CVE-2020-14040

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://osv.dev/vulnerability/GO-2020-0015

Release Date: 2020-06-17

Fix Resolution: v0.3.3

CVE-2021-23383 (Critical) detected in handlebars-4.0.10.tgz

CVE-2021-23383 - Critical Severity Vulnerability

Vulnerable Library - handlebars-4.0.10.tgz

Handlebars provides the power necessary to let you build semantic templates effectively with no frustration

Library home page: https://registry.npmjs.org/handlebars/-/handlebars-4.0.10.tgz

Path to dependency file: /vendor/github.com/hashicorp/vault/ui/package.json

Path to vulnerable library: /vendor/github.com/hashicorp/vault/ui/node_modules/handlebars/package.json

Dependency Hierarchy:

  • ember-source-2.14.1.tgz (Root Library)
    • โŒ handlebars-4.0.10.tgz (Vulnerable Library)

Found in HEAD commit: 9060713df80212ee5546b36d1083fb607520eb0b

Found in base branch: master

Vulnerability Details

The package handlebars before 4.7.7 is vulnerable to Prototype Pollution when selecting certain compiling options to compile templates coming from an untrusted source.

Publish Date: 2021-05-04

URL: CVE-2021-23383

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23383

Release Date: 2021-05-04

Fix Resolution (handlebars): 4.1.2-0

Direct dependency fix Resolution (ember-source): 2.15.0

CVE-2018-3750 (High) detected in deep-extend-0.4.2.tgz

CVE-2018-3750 - High Severity Vulnerability

Vulnerable Library - deep-extend-0.4.2.tgz

Recursive object extending

Library home page: https://registry.npmjs.org/deep-extend/-/deep-extend-0.4.2.tgz

Path to dependency file: /vendor/github.com/hashicorp/vault/ui/package.json

Path to vulnerable library: /vendor/github.com/hashicorp/vault/ui/package.json

Dependency Hierarchy:

  • ember-cli-qunit-4.0.0.tgz (Root Library)
    • qunitjs-2.4.0.tgz
      • chokidar-1.6.1.tgz
        • fsevents-1.1.2.tgz
          • node-pre-gyp-0.6.36.tgz
            • rc-1.2.1.tgz
              • โŒ deep-extend-0.4.2.tgz (Vulnerable Library)

Found in HEAD commit: 9060713df80212ee5546b36d1083fb607520eb0b

Found in base branch: master

Vulnerability Details

The utilities function in all versions <= 0.5.0 of the deep-extend node module can be tricked into modifying the prototype of Object when the attacker can control part of the structure passed to this function. This can let an attacker add or modify existing properties that will exist on all objects.

Publish Date: 2018-07-03

URL: CVE-2018-3750

CVSS 3 Score Details (7.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3750

Release Date: 2018-07-03

Fix Resolution (deep-extend): 0.5.1

Direct dependency fix Resolution (ember-cli-qunit): 4.0.1

CVE-2018-17143 (High) detected in net500e7a4f953ddaf55d316b4d3adc516aa0379622

CVE-2018-17143 - High Severity Vulnerability

Vulnerable Library - net500e7a4f953ddaf55d316b4d3adc516aa0379622

[mirror] Go supplementary network libraries

Library home page: https://github.com/golang/net.git

Found in HEAD commit: 9060713df80212ee5546b36d1083fb607520eb0b

Found in base branch: master

Vulnerable Source Files (1)

Vulnerability Details

The html package (aka x/net/html) through 2018-09-17 in Go mishandles <isindex/action=0>, leading to a "panic: runtime error" in inBodyIM in parse.go during an html.Parse call.

Publish Date: 2018-09-17

URL: CVE-2018-17143

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-17143

Release Date: 2018-09-17

Fix Resolution: net- go1.11.1

CVE-2017-16138 (High) detected in mime-1.3.6.tgz, mime-1.3.4.tgz

CVE-2017-16138 - High Severity Vulnerability

Vulnerable Libraries - mime-1.3.6.tgz, mime-1.3.4.tgz

mime-1.3.6.tgz

A comprehensive library for mime-type mapping

Library home page: https://registry.npmjs.org/mime/-/mime-1.3.6.tgz

Path to dependency file: /vendor/github.com/hashicorp/vault/ui/package.json

Path to vulnerable library: /vendor/github.com/hashicorp/vault/ui/node_modules/mime/package.json

Dependency Hierarchy:

  • ember-cli-favicon-1.0.0-beta.4.tgz (Root Library)
    • broccoli-favicon-1.0.0.tgz
      • favicons-4.8.6.tgz
        • jimp-0.2.28.tgz
          • โŒ mime-1.3.6.tgz (Vulnerable Library)
mime-1.3.4.tgz

A comprehensive library for mime-type mapping

Library home page: https://registry.npmjs.org/mime/-/mime-1.3.4.tgz

Path to dependency file: /vendor/github.com/hashicorp/vault/ui/package.json

Path to vulnerable library: /vendor/github.com/hashicorp/vault/ui/node_modules/mime/package.json

Dependency Hierarchy:

  • ember-cli-2.14.0.tgz (Root Library)
    • express-4.15.3.tgz
      • send-0.15.3.tgz
        • โŒ mime-1.3.4.tgz (Vulnerable Library)

Found in HEAD commit: 9060713df80212ee5546b36d1083fb607520eb0b

Found in base branch: master

Vulnerability Details

The mime module < 1.4.1, 2.0.1, 2.0.2 is vulnerable to regular expression denial of service when a mime lookup is performed on untrusted user input.
Mend Note: Converted from WS-2017-0330, on 2022-11-08.

Publish Date: 2018-06-07

URL: CVE-2017-16138

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16138

Release Date: 2018-04-26

Fix Resolution (mime): 1.4.1

Direct dependency fix Resolution (ember-cli-favicon): 1.0.0

Fix Resolution (mime): 1.4.1

Direct dependency fix Resolution (ember-cli): 2.14.1

CVE-2020-28469 (High) detected in glob-parent-2.0.0.tgz

CVE-2020-28469 - High Severity Vulnerability

Vulnerable Library - glob-parent-2.0.0.tgz

Strips glob magic from a string to provide the parent path

Library home page: https://registry.npmjs.org/glob-parent/-/glob-parent-2.0.0.tgz

Path to dependency file: /vendor/github.com/hashicorp/vault/ui/package.json

Path to vulnerable library: /vendor/github.com/hashicorp/vault/ui/node_modules/glob-parent/package.json

Dependency Hierarchy:

  • ember-cli-qunit-4.0.0.tgz (Root Library)
    • qunitjs-2.4.0.tgz
      • findup-sync-0.4.3.tgz
        • micromatch-2.3.11.tgz
          • parse-glob-3.0.4.tgz
            • glob-base-0.3.0.tgz
              • โŒ glob-parent-2.0.0.tgz (Vulnerable Library)

Found in HEAD commit: 9060713df80212ee5546b36d1083fb607520eb0b

Found in base branch: master

Vulnerability Details

This affects the package glob-parent before 5.1.2. The enclosure regex, used to check for strings ending in an enclosure that contains a path separator, is affected.

Publish Date: 2021-06-03

URL: CVE-2020-28469

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28469

Release Date: 2021-06-03

Fix Resolution (glob-parent): 5.1.2

Direct dependency fix Resolution (ember-cli-qunit): 4.0.2

WS-2020-0345 (High) detected in jsonpointer-4.0.1.tgz

WS-2020-0345 - High Severity Vulnerability

Vulnerable Library - jsonpointer-4.0.1.tgz

Simple JSON Addressing.

Library home page: https://registry.npmjs.org/jsonpointer/-/jsonpointer-4.0.1.tgz

Path to dependency file: /vendor/github.com/hashicorp/vault/ui/package.json

Path to vulnerable library: /vendor/github.com/hashicorp/vault/ui/node_modules/jsonpointer/package.json

Dependency Hierarchy:

  • ember-cli-favicon-1.0.0-beta.4.tgz (Root Library)
    • broccoli-favicon-1.0.0.tgz
      • favicons-4.8.6.tgz
        • svg2png-3.0.1.tgz
          • phantomjs-prebuilt-2.1.14.tgz
            • request-2.79.0.tgz
              • har-validator-2.0.6.tgz
                • is-my-json-valid-2.16.0.tgz
                  • โŒ jsonpointer-4.0.1.tgz (Vulnerable Library)

Found in HEAD commit: 9060713df80212ee5546b36d1083fb607520eb0b

Found in base branch: master

Vulnerability Details

Prototype Pollution vulnerability was found in jsonpointer before 4.1.0 via the set function.

Publish Date: 2020-07-03

URL: WS-2020-0345

CVSS 3 Score Details (8.2)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: Low
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Release Date: 2020-07-03

Fix Resolution (jsonpointer): 4.1.0

Direct dependency fix Resolution (ember-cli-favicon): 1.0.0

CVE-2018-11694 (Medium) detected in node-sass-4.5.3.tgz

CVE-2018-11694 - Medium Severity Vulnerability

Vulnerable Library - node-sass-4.5.3.tgz

Wrapper around libsass

Library home page: https://registry.npmjs.org/node-sass/-/node-sass-4.5.3.tgz

Path to dependency file: /vendor/github.com/hashicorp/vault/ui/package.json

Path to vulnerable library: /vendor/github.com/hashicorp/vault/ui/node_modules/node-sass/package.json

Dependency Hierarchy:

  • ember-cli-sass-6.0.0.tgz (Root Library)
    • broccoli-sass-source-maps-2.0.0.tgz
      • โŒ node-sass-4.5.3.tgz (Vulnerable Library)

Found in HEAD commit: 9060713df80212ee5546b36d1083fb607520eb0b

Found in base branch: master

Vulnerability Details

An issue was discovered in LibSass through 3.5.4. A NULL pointer dereference was found in the function Sass::Functions::selector_append which could be leveraged by an attacker to cause a denial of service (application crash) or possibly have unspecified other impact.

Publish Date: 2018-06-04

URL: CVE-2018-11694

CVSS 3 Score Details (5.6)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Release Date: 2018-06-04

Fix Resolution: Fable.Template.Elmish.React - 0.1.6;GR.PageRender.Razor - 1.8.0;MIDIator.WebClient - 1.0.105

CVE-2019-11841 (Medium) detected in cryptof70185d77e8278766928032ee1355e3da47e7181

CVE-2019-11841 - Medium Severity Vulnerability

Vulnerable Library - cryptof70185d77e8278766928032ee1355e3da47e7181

[mirror] Go supplementary cryptography libraries

Library home page: https://github.com/golang/crypto.git

Found in HEAD commit: 9060713df80212ee5546b36d1083fb607520eb0b

Found in base branch: master

Vulnerable Source Files (1)

/vendor/golang.org/x/crypto/openpgp/clearsign/clearsign.go

Vulnerability Details

A message-forgery issue was discovered in crypto/openpgp/clearsign/clearsign.go in supplementary Go cryptography libraries 2019-03-25. According to the OpenPGP Message Format specification in RFC 4880 chapter 7, a cleartext signed message can contain one or more optional "Hash" Armor Headers. The "Hash" Armor Header specifies the message digest algorithm(s) used for the signature. However, the Go clearsign package ignores the value of this header, which allows an attacker to spoof it. Consequently, an attacker can lead a victim to believe the signature was generated using a different message digest algorithm than what was actually used. Moreover, since the library skips Armor Header parsing in general, an attacker can not only embed arbitrary Armor Headers, but also prepend arbitrary text to cleartext messages without invalidating the signatures.

Publish Date: 2019-05-22

URL: CVE-2019-11841

CVSS 3 Score Details (5.9)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: High
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2019-11841

Release Date: 2019-05-22

Fix Resolution: golang-golang-x-crypto-dev - 1:0.0~git20200221.2aa609c-1,1:0.0~git20170407.0.55a552f+REALLY.0.0~git20161012.0.5f31782-1+deb8u1,1:0.0~git20200221.2aa609c-1;golang-go.crypto-dev - 1:0.0~git20170407.0.55a552f+REALLY.0.0~git20161012.0.5f31782-1+deb8u1,1:0.0~git20200221.2aa609c-1,1:0.0~git20200221.2aa609c-1

CVE-2018-17142 (High) detected in net500e7a4f953ddaf55d316b4d3adc516aa0379622

CVE-2018-17142 - High Severity Vulnerability

Vulnerable Library - net500e7a4f953ddaf55d316b4d3adc516aa0379622

[mirror] Go supplementary network libraries

Library home page: https://github.com/golang/net.git

Found in HEAD commit: 9060713df80212ee5546b36d1083fb607520eb0b

Found in base branch: master

Vulnerable Source Files (1)

Vulnerability Details

The html package (aka x/net/html) through 2018-09-17 in Go mishandles , leading to a "panic: runtime error" in parseCurrentToken in parse.go during an html.Parse call.

Publish Date: 2018-09-17

URL: CVE-2018-17142

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-17142

Release Date: 2018-09-17

Fix Resolution: net- go1.11.1

CVE-2020-24025 (Medium) detected in node-sass-4.5.3.tgz

CVE-2020-24025 - Medium Severity Vulnerability

Vulnerable Library - node-sass-4.5.3.tgz

Wrapper around libsass

Library home page: https://registry.npmjs.org/node-sass/-/node-sass-4.5.3.tgz

Path to dependency file: /vendor/github.com/hashicorp/vault/ui/package.json

Path to vulnerable library: /vendor/github.com/hashicorp/vault/ui/node_modules/node-sass/package.json

Dependency Hierarchy:

  • ember-cli-sass-6.0.0.tgz (Root Library)
    • broccoli-sass-source-maps-2.0.0.tgz
      • โŒ node-sass-4.5.3.tgz (Vulnerable Library)

Found in HEAD commit: 9060713df80212ee5546b36d1083fb607520eb0b

Found in base branch: master

Vulnerability Details

Certificate validation in node-sass 2.0.0 to 4.14.1 is disabled when requesting binaries even if the user is not specifying an alternative download path.

Publish Date: 2021-01-11

URL: CVE-2020-24025

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: Low
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: GHSA-r8f7-9pfq-mjmv

Release Date: 2021-01-11

Fix Resolution (node-sass): 7.0.0

Direct dependency fix Resolution (ember-cli-sass): 8.0.1

CVE-2020-29652 (High) detected in cryptof70185d77e8278766928032ee1355e3da47e7181

CVE-2020-29652 - High Severity Vulnerability

Vulnerable Library - cryptof70185d77e8278766928032ee1355e3da47e7181

[mirror] Go supplementary cryptography libraries

Library home page: https://github.com/golang/crypto.git

Found in HEAD commit: 9060713df80212ee5546b36d1083fb607520eb0b

Found in base branch: master

Vulnerable Source Files (1)

Vulnerability Details

A nil pointer dereference in the golang.org/x/crypto/ssh component through v0.0.0-20201203163018-be400aefbc4c for Go allows remote attackers to cause a denial of service against SSH servers.

Publish Date: 2020-12-17

URL: CVE-2020-29652

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://groups.google.com/g/golang-announce/c/ouZIlBimOsE?pli=1

Release Date: 2020-12-17

Fix Resolution: v0.0.0-20201216223049-8b5274cf687f

CVE-2018-21270 (Medium) detected in stringstream-0.0.5.tgz

CVE-2018-21270 - Medium Severity Vulnerability

Vulnerable Library - stringstream-0.0.5.tgz

Encode and decode streams into string streams

Library home page: https://registry.npmjs.org/stringstream/-/stringstream-0.0.5.tgz

Path to dependency file: /vendor/github.com/hashicorp/vault/ui/package.json

Path to vulnerable library: /vendor/github.com/hashicorp/vault/ui/node_modules/stringstream/package.json

Dependency Hierarchy:

  • ember-cli-qunit-4.0.0.tgz (Root Library)
    • qunitjs-2.4.0.tgz
      • chokidar-1.6.1.tgz
        • fsevents-1.1.2.tgz
          • node-pre-gyp-0.6.36.tgz
            • request-2.81.0.tgz
              • โŒ stringstream-0.0.5.tgz (Vulnerable Library)

Found in HEAD commit: 9060713df80212ee5546b36d1083fb607520eb0b

Found in base branch: master

Vulnerability Details

Versions less than 0.0.6 of the Node.js stringstream module are vulnerable to an out-of-bounds read because of allocation of uninitialized buffers when a number is passed in the input stream (when using Node.js 4.x).

Publish Date: 2020-12-03

URL: CVE-2018-21270

CVSS 3 Score Details (6.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-21270

Release Date: 2020-12-03

Fix Resolution (stringstream): 0.0.6

Direct dependency fix Resolution (ember-cli-qunit): 4.0.1

WS-2018-0076 (Medium) detected in tunnel-agent-0.4.3.tgz

WS-2018-0076 - Medium Severity Vulnerability

Vulnerable Library - tunnel-agent-0.4.3.tgz

HTTP proxy tunneling agent. Formerly part of mikeal/request, now a standalone module.

Library home page: https://registry.npmjs.org/tunnel-agent/-/tunnel-agent-0.4.3.tgz

Path to dependency file: /vendor/github.com/hashicorp/vault/ui/package.json

Path to vulnerable library: /vendor/github.com/hashicorp/vault/ui/node_modules/tunnel-agent/package.json

Dependency Hierarchy:

  • ember-cli-favicon-1.0.0-beta.4.tgz (Root Library)
    • broccoli-favicon-1.0.0.tgz
      • favicons-4.8.6.tgz
        • svg2png-3.0.1.tgz
          • phantomjs-prebuilt-2.1.14.tgz
            • request-2.79.0.tgz
              • โŒ tunnel-agent-0.4.3.tgz (Vulnerable Library)

Found in HEAD commit: 9060713df80212ee5546b36d1083fb607520eb0b

Found in base branch: master

Vulnerability Details

Versions of tunnel-agent before 0.6.0 are vulnerable to memory exposure. This is exploitable if user supplied input is provided to the auth value and is a number.

Publish Date: 2017-03-05

URL: WS-2018-0076

CVSS 3 Score Details (5.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://nodesecurity.io/advisories/598

Release Date: 2017-03-05

Fix Resolution (tunnel-agent): 0.6.0

Direct dependency fix Resolution (ember-cli-favicon): 1.0.0

CVE-2021-41098 (High) detected in nokogiri-1.8.2.gem

CVE-2021-41098 - High Severity Vulnerability

Vulnerable Library - nokogiri-1.8.2.gem

Nokogiri (鋸) is an HTML, XML, SAX, and Reader parser. Among Nokogiri's many features is the ability to search documents via XPath or CSS3 selectors.

Library home page: https://rubygems.org/gems/nokogiri-1.8.2.gem

Path to dependency file: /vendor/github.com/hashicorp/vault/website/Gemfile.lock

Path to vulnerable library: /vendor/github.com/hashicorp/vault/website/Gemfile.lock

Dependency Hierarchy:

  • middleman-hashicorp-0.3.30.gem (Root Library)
    • middleman-3.4.1.gem
      • middleman-sprockets-3.5.0.gem
        • middleman-core-3.4.1.gem
          • capybara-2.4.4.gem
            • โŒ nokogiri-1.8.2.gem (Vulnerable Library)

Found in HEAD commit: 9060713df80212ee5546b36d1083fb607520eb0b

Found in base branch: master

Vulnerability Details

Nokogiri is a Rubygem providing HTML, XML, SAX, and Reader parsers with XPath and CSS selector support. In Nokogiri v1.12.4 and earlier, on JRuby only, the SAX parser resolves external entities by default. Users of Nokogiri on JRuby who parse untrusted documents using any of these classes are affected: Nokogiri::XML::SAX::Parse, Nokogiri::HTML4::SAX::Parser or its alias Nokogiri::HTML::SAX::Parser, Nokogiri::XML::SAX::PushParser, and Nokogiri::HTML4::SAX::PushParser or its alias Nokogiri::HTML::SAX::PushParser. JRuby users should upgrade to Nokogiri v1.12.5 or later to receive a patch for this issue. There are no workarounds available for v1.12.4 or earlier. CRuby users are not affected.

Publish Date: 2021-09-27

URL: CVE-2021-41098

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41098

Release Date: 2021-09-27

Fix Resolution: nokogiri - 1.12.5

WS-2020-0344 (Critical) detected in is-my-json-valid-2.16.0.tgz

WS-2020-0344 - Critical Severity Vulnerability

Vulnerable Library - is-my-json-valid-2.16.0.tgz

A JSONSchema validator that uses code generation to be extremely fast

Library home page: https://registry.npmjs.org/is-my-json-valid/-/is-my-json-valid-2.16.0.tgz

Path to dependency file: /vendor/github.com/hashicorp/vault/ui/package.json

Path to vulnerable library: /vendor/github.com/hashicorp/vault/ui/node_modules/is-my-json-valid/package.json

Dependency Hierarchy:

  • ember-cli-favicon-1.0.0-beta.4.tgz (Root Library)
    • broccoli-favicon-1.0.0.tgz
      • favicons-4.8.6.tgz
        • svg2png-3.0.1.tgz
          • phantomjs-prebuilt-2.1.14.tgz
            • request-2.79.0.tgz
              • har-validator-2.0.6.tgz
                • โŒ is-my-json-valid-2.16.0.tgz (Vulnerable Library)

Found in HEAD commit: 9060713df80212ee5546b36d1083fb607520eb0b

Found in base branch: master

Vulnerability Details

Arbitrary Code Execution vulnerability was found in is-my-json-valid before 2.20.3 via the fromatName function.

Publish Date: 2020-06-09

URL: WS-2020-0344

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Release Date: 2020-06-09

Fix Resolution (is-my-json-valid): 2.20.3

Direct dependency fix Resolution (ember-cli-favicon): 1.0.0

WS-2020-0342 (High) detected in is-my-json-valid-2.16.0.tgz

WS-2020-0342 - High Severity Vulnerability

Vulnerable Library - is-my-json-valid-2.16.0.tgz

A JSONSchema validator that uses code generation to be extremely fast

Library home page: https://registry.npmjs.org/is-my-json-valid/-/is-my-json-valid-2.16.0.tgz

Path to dependency file: /vendor/github.com/hashicorp/vault/ui/package.json

Path to vulnerable library: /vendor/github.com/hashicorp/vault/ui/node_modules/is-my-json-valid/package.json

Dependency Hierarchy:

  • ember-cli-favicon-1.0.0-beta.4.tgz (Root Library)
    • broccoli-favicon-1.0.0.tgz
      • favicons-4.8.6.tgz
        • svg2png-3.0.1.tgz
          • phantomjs-prebuilt-2.1.14.tgz
            • request-2.79.0.tgz
              • har-validator-2.0.6.tgz
                • โŒ is-my-json-valid-2.16.0.tgz (Vulnerable Library)

Found in HEAD commit: 9060713df80212ee5546b36d1083fb607520eb0b

Found in base branch: master

Vulnerability Details

Regular Expression Denial of Service (ReDoS) vulnerability was found in is-my-json-valid before 2.20.2 via the style format.

Publish Date: 2020-06-27

URL: WS-2020-0342

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Release Date: 2020-06-27

Fix Resolution (is-my-json-valid): 2.20.2

Direct dependency fix Resolution (ember-cli-favicon): 1.0.0

CVE-2019-11840 (Medium) detected in https://source.codeaurora.org/quic/chrome4sdp/chromium/src/third_party/dnscrypt-proxy/2.0.11, https://source.codeaurora.org/quic/chrome4sdp/chromium/src/third_party/dnscrypt-proxy/2.0.11

CVE-2019-11840 - Medium Severity Vulnerability

Vulnerable Libraries - https://source.codeaurora.org/quic/chrome4sdp/chromium/src/third_party/dnscrypt-proxy/2.0.11, https://source.codeaurora.org/quic/chrome4sdp/chromium/src/third_party/dnscrypt-proxy/2.0.11

Vulnerability Details

An issue was discovered in supplementary Go cryptography libraries, aka golang-googlecode-go-crypto, before 2019-03-20. A flaw was found in the amd64 implementation of golang.org/x/crypto/salsa20 and golang.org/x/crypto/salsa20/salsa. If more than 256 GiB of keystream is generated, or if the counter otherwise grows greater than 32 bits, the amd64 implementation will first generate incorrect output, and then cycle back to previously generated keystream. Repeated keystream bytes can lead to loss of confidentiality in encryption applications, or to predictability in CSPRNG applications.
Mend Note: Converted from WS-2019-0030, on 2021-08-01.

Publish Date: 2019-05-09

URL: CVE-2019-11840

CVSS 3 Score Details (5.9)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://bugzilla.redhat.com/show_bug.cgi?id=1691529

Fix Resolution: Upgrade to version golang.org/x/crypto v0.0.0-0.20190320223903-b7391e95e576 or greater

CVE-2018-16469 (High) detected in merge-1.2.0.tgz

CVE-2018-16469 - High Severity Vulnerability

Vulnerable Library - merge-1.2.0.tgz

Merge multiple objects into one, optionally creating a new cloned object. Similar to the jQuery.extend but more flexible. Works in Node.js and the browser.

Library home page: https://registry.npmjs.org/merge/-/merge-1.2.0.tgz

Path to dependency file: /vendor/github.com/hashicorp/vault/ui/package.json

Path to vulnerable library: /vendor/github.com/hashicorp/vault/ui/node_modules/merge/package.json

Dependency Hierarchy:

  • ember-cli-sass-6.0.0.tgz (Root Library)
    • โŒ merge-1.2.0.tgz (Vulnerable Library)

Found in HEAD commit: 9060713df80212ee5546b36d1083fb607520eb0b

Found in base branch: master

Vulnerability Details

The merge.recursive function in the merge package <1.2.1 can be tricked into adding or modifying properties of the Object prototype. These properties will be present on all objects allowing for a denial of service attack.

Publish Date: 2018-10-30

URL: CVE-2018-16469

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16469

Release Date: 2018-10-30

Fix Resolution (merge): 1.2.1

Direct dependency fix Resolution (ember-cli-sass): 6.1.0

WS-2019-0017 (Medium) detected in clean-css-3.4.28.tgz

WS-2019-0017 - Medium Severity Vulnerability

Vulnerable Library - clean-css-3.4.28.tgz

A well-tested CSS minifier

Library home page: https://registry.npmjs.org/clean-css/-/clean-css-3.4.28.tgz

Path to dependency file: /vendor/github.com/hashicorp/vault/ui/package.json

Path to vulnerable library: /vendor/github.com/hashicorp/vault/ui/node_modules/clean-css/package.json

Dependency Hierarchy:

  • ember-cli-2.14.0.tgz (Root Library)
    • ember-cli-preprocess-registry-3.1.1.tgz
      • broccoli-clean-css-1.1.0.tgz
        • clean-css-promise-0.1.1.tgz
          • โŒ clean-css-3.4.28.tgz (Vulnerable Library)

Found in HEAD commit: 9060713df80212ee5546b36d1083fb607520eb0b

Found in base branch: master

Vulnerability Details

Versions of clean-css prior to 4.1.11 are vulnerable to Regular Expression Denial of Service (ReDoS). Untrusted input may cause catastrophic backtracking while matching regular expressions. This can cause the application to become unresponsive, leading to Denial of Service.

Publish Date: 2018-03-06

URL: WS-2019-0017

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: GHSA-wxhq-pm8v-cw75

Release Date: 2018-03-06

Fix Resolution (clean-css): 4.1.11

Direct dependency fix Resolution (ember-cli): 5.0.0

CVE-2018-11698 (Medium) detected in node-sass-4.5.3.tgz

CVE-2018-11698 - Medium Severity Vulnerability

Vulnerable Library - node-sass-4.5.3.tgz

Wrapper around libsass

Library home page: https://registry.npmjs.org/node-sass/-/node-sass-4.5.3.tgz

Path to dependency file: /vendor/github.com/hashicorp/vault/ui/package.json

Path to vulnerable library: /vendor/github.com/hashicorp/vault/ui/node_modules/node-sass/package.json

Dependency Hierarchy:

  • ember-cli-sass-6.0.0.tgz (Root Library)
    • broccoli-sass-source-maps-2.0.0.tgz
      • โŒ node-sass-4.5.3.tgz (Vulnerable Library)

Found in HEAD commit: 9060713df80212ee5546b36d1083fb607520eb0b

Found in base branch: master

Vulnerability Details

An issue was discovered in LibSass through 3.5.4. An out-of-bounds read of a memory region was found in the function Sass::handle_error which could be leveraged by an attacker to disclose information or manipulated to read from unmapped memory causing a denial of service.

Publish Date: 2018-06-04

URL: CVE-2018-11698

CVSS 3 Score Details (4.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: None
    • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Release Date: 2018-06-04

Fix Resolution: node-sass - 3.6.0

CVE-2020-28502 (High) detected in xmlhttprequest-ssl-1.5.3.tgz

CVE-2020-28502 - High Severity Vulnerability

Vulnerable Library - xmlhttprequest-ssl-1.5.3.tgz

XMLHttpRequest for Node

Library home page: https://registry.npmjs.org/xmlhttprequest-ssl/-/xmlhttprequest-ssl-1.5.3.tgz

Path to dependency file: /vendor/github.com/hashicorp/vault/ui/package.json

Path to vulnerable library: /vendor/github.com/hashicorp/vault/ui/node_modules/xmlhttprequest-ssl/package.json

Dependency Hierarchy:

  • ember-cli-2.14.0.tgz (Root Library)
    • testem-1.18.0.tgz
      • socket.io-1.6.0.tgz
        • socket.io-client-1.6.0.tgz
          • engine.io-client-1.8.0.tgz
            • โŒ xmlhttprequest-ssl-1.5.3.tgz (Vulnerable Library)

Found in HEAD commit: 9060713df80212ee5546b36d1083fb607520eb0b

Found in base branch: master

Vulnerability Details

This affects the package xmlhttprequest before 1.7.0; all versions of package xmlhttprequest-ssl. Provided requests are sent synchronously (async=False on xhr.open), malicious user input flowing into xhr.send could result in arbitrary code being injected and run.

Publish Date: 2021-03-05

URL: CVE-2020-28502

CVSS 3 Score Details (8.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-h4j5-c7cj-74xg

Release Date: 2021-03-05

Fix Resolution (xmlhttprequest-ssl): 1.6.1

Direct dependency fix Resolution (ember-cli): 2.18.2

CVE-2018-11697 (Medium) detected in node-sass-4.5.3.tgz

CVE-2018-11697 - Medium Severity Vulnerability

Vulnerable Library - node-sass-4.5.3.tgz

Wrapper around libsass

Library home page: https://registry.npmjs.org/node-sass/-/node-sass-4.5.3.tgz

Path to dependency file: /vendor/github.com/hashicorp/vault/ui/package.json

Path to vulnerable library: /vendor/github.com/hashicorp/vault/ui/node_modules/node-sass/package.json

Dependency Hierarchy:

  • ember-cli-sass-6.0.0.tgz (Root Library)
    • broccoli-sass-source-maps-2.0.0.tgz
      • โŒ node-sass-4.5.3.tgz (Vulnerable Library)

Found in HEAD commit: 9060713df80212ee5546b36d1083fb607520eb0b

Found in base branch: master

Vulnerability Details

An issue was discovered in LibSass through 3.5.4. An out-of-bounds read of a memory region was found in the function Sass::Prelexer::exactly() which could be leveraged by an attacker to disclose information or manipulated to read from unmapped memory causing a denial of service.

Publish Date: 2018-06-04

URL: CVE-2018-11697

CVSS 3 Score Details (4.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: None
    • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Release Date: 2018-06-04

Fix Resolution (node-sass): 4.14.0

Direct dependency fix Resolution (ember-cli-sass): 6.1.0

WS-2018-0590 (High) detected in diff-3.4.0.tgz, diff-3.3.0.tgz

WS-2018-0590 - High Severity Vulnerability

Vulnerable Libraries - diff-3.4.0.tgz, diff-3.3.0.tgz

diff-3.4.0.tgz

A javascript text diff implementation.

Library home page: https://registry.npmjs.org/diff/-/diff-3.4.0.tgz

Path to dependency file: /vendor/github.com/hashicorp/vault/ui/package.json

Path to vulnerable library: /vendor/github.com/hashicorp/vault/ui/node_modules/diff/package.json

Dependency Hierarchy:

  • ember-sinon-1.0.1.tgz (Root Library)
    • sinon-3.3.0.tgz
      • โŒ diff-3.4.0.tgz (Vulnerable Library)
diff-3.3.0.tgz

A javascript text diff implementation.

Library home page: https://registry.npmjs.org/diff/-/diff-3.3.0.tgz

Path to dependency file: /vendor/github.com/hashicorp/vault/ui/package.json

Path to vulnerable library: /vendor/github.com/hashicorp/vault/ui/node_modules/diff/package.json

Dependency Hierarchy:

  • ember-cli-2.14.0.tgz (Root Library)
    • โŒ diff-3.3.0.tgz (Vulnerable Library)

Found in HEAD commit: 9060713df80212ee5546b36d1083fb607520eb0b

Found in base branch: master

Vulnerability Details

A vulnerability was found in diff before v3.5.0, the affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) attacks.

Publish Date: 2018-03-05

URL: WS-2018-0590

CVSS 3 Score Details (7.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Release Date: 2018-03-05

Fix Resolution (diff): 3.5.0

Direct dependency fix Resolution (ember-sinon): 2.0.0

Fix Resolution (diff): 3.5.0

Direct dependency fix Resolution (ember-cli): 2.14.1


CVE-2018-16471 (Medium) detected in rack-1.6.9.gem

CVE-2018-16471 - Medium Severity Vulnerability

Vulnerable Library - rack-1.6.9.gem

Rack provides a minimal, modular and adaptable interface for developing web applications in Ruby. By wrapping HTTP requests and responses in the simplest way possible, it unifies and distills the API for web servers, web frameworks, and software in between (the so-called middleware) into a single method call.

Also see http://rack.github.io/.

Library home page: https://rubygems.org/gems/rack-1.6.9.gem

Path to dependency file: /vendor/github.com/hashicorp/vault/website/Gemfile.lock

Path to vulnerable library: /vendor/github.com/hashicorp/vault/website/Gemfile.lock

Dependency Hierarchy:

  • middleman-hashicorp-0.3.30.gem (Root Library)
    • middleman-3.4.1.gem
      • middleman-sprockets-3.5.0.gem
        • sprockets-sass-1.3.1.gem
          • sprockets-2.12.4.gem
            • โŒ rack-1.6.9.gem (Vulnerable Library)

Found in HEAD commit: 9060713df80212ee5546b36d1083fb607520eb0b

Found in base branch: master

Vulnerability Details

There is a possible XSS vulnerability in Rack before 2.0.6 and 1.6.11. Carefully crafted requests can impact the data returned by the scheme method on Rack::Request. Applications that expect the scheme to be limited to 'http' or 'https' and do not escape the return value could be vulnerable to an XSS attack. Note that applications using the normal escaping mechanisms provided by Rails may not be impacted, but applications that bypass the escaping mechanisms, or do not use them, may be vulnerable.

Publish Date: 2018-11-13

URL: CVE-2018-16471

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://groups.google.com/forum/#!topic/rubyonrails-security/GKsAFT924Ag

Release Date: 2018-11-13

Fix Resolution: 2.0.6, 1.6.11


WS-2018-0075 (Medium) detected in concat-stream-1.5.0.tgz

WS-2018-0075 - Medium Severity Vulnerability

Vulnerable Library - concat-stream-1.5.0.tgz

writable stream that concatenates strings or binary data and calls a callback with the result

Library home page: https://registry.npmjs.org/concat-stream/-/concat-stream-1.5.0.tgz

Path to dependency file: /vendor/github.com/hashicorp/vault/ui/package.json

Path to vulnerable library: /vendor/github.com/hashicorp/vault/ui/node_modules/concat-stream/package.json

Dependency Hierarchy:

  • ember-cli-favicon-1.0.0-beta.4.tgz (Root Library)
    • broccoli-favicon-1.0.0.tgz
      • favicons-4.8.6.tgz
        • svg2png-3.0.1.tgz
          • phantomjs-prebuilt-2.1.14.tgz
            • extract-zip-1.5.0.tgz
              • โŒ concat-stream-1.5.0.tgz (Vulnerable Library)

Found in HEAD commit: 9060713df80212ee5546b36d1083fb607520eb0b

Found in base branch: master

Vulnerability Details

Versions of concat-stream before 1.5.2 are vulnerable to memory exposure if user-provided input is passed into write().

Versions <1.3.0 are not affected due to not using unguarded Buffer constructor.

Publish Date: 2018-04-25

URL: WS-2018-0075

CVSS 3 Score Details (5.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nodesecurity.io/advisories/597

Release Date: 2018-01-27

Fix Resolution (concat-stream): 1.5.2

Direct dependency fix Resolution (ember-cli-favicon): 1.0.0


CVE-2021-33587 (High) detected in css-what-1.0.0.tgz - autoclosed

CVE-2021-33587 - High Severity Vulnerability

Vulnerable Library - css-what-1.0.0.tgz

a CSS selector parser

Library home page: https://registry.npmjs.org/css-what/-/css-what-1.0.0.tgz

Path to dependency file: /vendor/github.com/hashicorp/vault/ui/package.json

Path to vulnerable library: /vendor/github.com/hashicorp/vault/ui/node_modules/css-what/package.json

Dependency Hierarchy:

  • ember-cli-favicon-1.0.0-beta.4.tgz (Root Library)
    • broccoli-favicon-1.0.0.tgz
      • favicons-4.8.6.tgz
        • cheerio-0.19.0.tgz
          • css-select-1.0.0.tgz
            • โŒ css-what-1.0.0.tgz (Vulnerable Library)

Found in HEAD commit: 9060713df80212ee5546b36d1083fb607520eb0b

Found in base branch: master

Vulnerability Details

The css-what package 4.0.0 through 5.0.0 for Node.js does not ensure that attribute parsing has Linear Time Complexity relative to the size of the input.

Publish Date: 2021-05-28

URL: CVE-2021-33587

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33587

Release Date: 2021-05-28

Fix Resolution (css-what): 5.0.1

Direct dependency fix Resolution (ember-cli-favicon): 2.0.0


CVE-2020-8161 (High) detected in rack-1.6.9.gem

CVE-2020-8161 - High Severity Vulnerability

Vulnerable Library - rack-1.6.9.gem

Rack provides a minimal, modular and adaptable interface for developing web applications in Ruby. By wrapping HTTP requests and responses in the simplest way possible, it unifies and distills the API for web servers, web frameworks, and software in between (the so-called middleware) into a single method call.

Also see http://rack.github.io/.

Library home page: https://rubygems.org/gems/rack-1.6.9.gem

Path to dependency file: /vendor/github.com/hashicorp/vault/website/Gemfile.lock

Path to vulnerable library: /vendor/github.com/hashicorp/vault/website/Gemfile.lock

Dependency Hierarchy:

  • middleman-hashicorp-0.3.30.gem (Root Library)
    • middleman-3.4.1.gem
      • middleman-sprockets-3.5.0.gem
        • sprockets-sass-1.3.1.gem
          • sprockets-2.12.4.gem
            • โŒ rack-1.6.9.gem (Vulnerable Library)

Found in HEAD commit: 9060713df80212ee5546b36d1083fb607520eb0b

Found in base branch: master

Vulnerability Details

A directory traversal vulnerability exists in rack < 2.2.0 that allows an attacker to perform directory traversal in the Rack::Directory app that is bundled with Rack, which could result in information disclosure.

Publish Date: 2020-07-02

URL: CVE-2020-8161

CVSS 3 Score Details (8.6)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2020-07-02

Fix Resolution: 2.2.0,2.1.3


CVE-2018-17847 (High) detected in net500e7a4f953ddaf55d316b4d3adc516aa0379622

CVE-2018-17847 - High Severity Vulnerability

Vulnerable Library - net500e7a4f953ddaf55d316b4d3adc516aa0379622

[mirror] Go supplementary network libraries

Library home page: https://github.com/golang/net.git

Found in HEAD commit: 9060713df80212ee5546b36d1083fb607520eb0b

Found in base branch: master

Vulnerable Source Files (2)

/vendor/golang.org/x/net/html/node.go
/vendor/golang.org/x/net/html/node.go

Vulnerability Details

The html package (aka x/net/html) through 2018-09-25 in Go mishandles , leading to a "panic: runtime error" (index out of range) in (*nodeStack).pop in node.go, called from (*parser).clearActiveFormattingElements, during an html.Parse call.

Publish Date: 2018-10-01

URL: CVE-2018-17847

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2018-17847

Release Date: 2018-10-01

Fix Resolution: golang-golang-x-net-dev - 1:0.0+git20181201.351d144+dfsg-3


CVE-2019-20920 (High) detected in handlebars-4.0.10.tgz

CVE-2019-20920 - High Severity Vulnerability

Vulnerable Library - handlebars-4.0.10.tgz

Handlebars provides the power necessary to let you build semantic templates effectively with no frustration

Library home page: https://registry.npmjs.org/handlebars/-/handlebars-4.0.10.tgz

Path to dependency file: /vendor/github.com/hashicorp/vault/ui/package.json

Path to vulnerable library: /vendor/github.com/hashicorp/vault/ui/node_modules/handlebars/package.json

Dependency Hierarchy:

  • ember-source-2.14.1.tgz (Root Library)
    • โŒ handlebars-4.0.10.tgz (Vulnerable Library)

Found in HEAD commit: 9060713df80212ee5546b36d1083fb607520eb0b

Found in base branch: master

Vulnerability Details

Handlebars before 3.0.8 and 4.x before 4.5.3 is vulnerable to Arbitrary Code Execution. The lookup helper fails to properly validate templates, allowing attackers to submit templates that execute arbitrary JavaScript. This can be used to run arbitrary code on a server processing Handlebars templates or in a victim's browser (effectively serving as XSS).

Publish Date: 2020-09-30

URL: CVE-2019-20920

CVSS 3 Score Details (8.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: Low
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/1316

Release Date: 2020-10-15

Fix Resolution (handlebars): 4.5.3

Direct dependency fix Resolution (ember-source): 2.15.0


CVE-2021-23807 (Critical) detected in jsonpointer-4.0.1.tgz

CVE-2021-23807 - Critical Severity Vulnerability

Vulnerable Library - jsonpointer-4.0.1.tgz

Simple JSON Addressing.

Library home page: https://registry.npmjs.org/jsonpointer/-/jsonpointer-4.0.1.tgz

Path to dependency file: /vendor/github.com/hashicorp/vault/ui/package.json

Path to vulnerable library: /vendor/github.com/hashicorp/vault/ui/node_modules/jsonpointer/package.json

Dependency Hierarchy:

  • ember-cli-favicon-1.0.0-beta.4.tgz (Root Library)
    • broccoli-favicon-1.0.0.tgz
      • favicons-4.8.6.tgz
        • svg2png-3.0.1.tgz
          • phantomjs-prebuilt-2.1.14.tgz
            • request-2.79.0.tgz
              • har-validator-2.0.6.tgz
                • is-my-json-valid-2.16.0.tgz
                  • โŒ jsonpointer-4.0.1.tgz (Vulnerable Library)

Found in HEAD commit: 9060713df80212ee5546b36d1083fb607520eb0b

Found in base branch: master

Vulnerability Details

This affects the package jsonpointer before 5.0.0. A type confusion vulnerability can lead to a bypass of a previous Prototype Pollution fix when the pointer components are arrays.

Publish Date: 2021-11-03

URL: CVE-2021-23807

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23807

Release Date: 2021-11-03

Fix Resolution (jsonpointer): 5.0.0

Direct dependency fix Resolution (ember-cli-favicon): 1.0.0


WS-2018-0625 (High) detected in xmlbuilder-4.2.1.tgz

WS-2018-0625 - High Severity Vulnerability

Vulnerable Library - xmlbuilder-4.2.1.tgz

An XML builder for node.js

Library home page: https://registry.npmjs.org/xmlbuilder/-/xmlbuilder-4.2.1.tgz

Path to dependency file: /vendor/github.com/hashicorp/vault/ui/package.json

Path to vulnerable library: /vendor/github.com/hashicorp/vault/ui/node_modules/xmlbuilder/package.json

Dependency Hierarchy:

  • ember-cli-favicon-1.0.0-beta.4.tgz (Root Library)
    • broccoli-favicon-1.0.0.tgz
      • favicons-4.8.6.tgz
        • node-rest-client-1.8.0.tgz
          • xml2js-0.4.17.tgz
            • โŒ xmlbuilder-4.2.1.tgz (Vulnerable Library)

Found in HEAD commit: 9060713df80212ee5546b36d1083fb607520eb0b

Found in base branch: master

Vulnerability Details

The package xmlbuilder-js before 9.0.5 is vulnerable to denial of service due to a regular expression issue.

Publish Date: 2018-02-08

URL: WS-2018-0625

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2018-02-08

Fix Resolution (xmlbuilder): 9.0.5

Direct dependency fix Resolution (ember-cli-favicon): 1.0.0


CVE-2020-10660 (Medium) detected in vaultv0.10.0, vaultv0.10.0

CVE-2020-10660 - Medium Severity Vulnerability

Vulnerable Libraries - vaultv0.10.0, vaultv0.10.0

Vulnerability Details

HashiCorp Vault and Vault Enterprise versions 0.9.0 through 1.3.3 may, under certain circumstances, have an Entity's Group membership inadvertently include Groups the Entity no longer has permissions to. Fixed in 1.3.4.

Publish Date: 2020-03-23

URL: CVE-2020-10660

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2020-03-23

Fix Resolution: 1.3.4


CVE-2021-23369 (Critical) detected in handlebars-4.0.10.tgz

CVE-2021-23369 - Critical Severity Vulnerability

Vulnerable Library - handlebars-4.0.10.tgz

Handlebars provides the power necessary to let you build semantic templates effectively with no frustration

Library home page: https://registry.npmjs.org/handlebars/-/handlebars-4.0.10.tgz

Path to dependency file: /vendor/github.com/hashicorp/vault/ui/package.json

Path to vulnerable library: /vendor/github.com/hashicorp/vault/ui/node_modules/handlebars/package.json

Dependency Hierarchy:

  • ember-source-2.14.1.tgz (Root Library)
    • โŒ handlebars-4.0.10.tgz (Vulnerable Library)

Found in HEAD commit: 9060713df80212ee5546b36d1083fb607520eb0b

Found in base branch: master

Vulnerability Details

The package handlebars before 4.7.7 is vulnerable to Remote Code Execution (RCE) when selecting certain compiling options to compile templates coming from an untrusted source.

Publish Date: 2021-04-12

URL: CVE-2021-23369

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2021-04-12

Fix Resolution (handlebars): 4.1.2-0

Direct dependency fix Resolution (ember-source): 2.15.0


CVE-2018-17846 (High) detected in net500e7a4f953ddaf55d316b4d3adc516aa0379622

CVE-2018-17846 - High Severity Vulnerability

Vulnerable Library - net500e7a4f953ddaf55d316b4d3adc516aa0379622

[mirror] Go supplementary network libraries

Library home page: https://github.com/golang/net.git

Found in HEAD commit: 9060713df80212ee5546b36d1083fb607520eb0b

Found in base branch: master

Vulnerable Source Files (1)

Vulnerability Details

The html package (aka x/net/html) through 2018-09-25 in Go mishandles , leading to an infinite loop during an html.Parse call because inSelectIM and inSelectInTableIM do not comply with a specification.

Publish Date: 2018-10-01

URL: CVE-2018-17846

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2018-17846

Release Date: 2018-10-01

Fix Resolution: golang-golang-x-net-dev - 1:0.0+git20181201.351d144+dfsg-3


CVE-2017-16137 (Medium) detected in multiple libraries

CVE-2017-16137 - Medium Severity Vulnerability

Vulnerable Libraries - debug-0.7.4.tgz, debug-2.2.0.tgz, debug-2.6.8.tgz, debug-2.3.3.tgz, debug-2.6.7.tgz

debug-0.7.4.tgz

small debugging utility

Library home page: https://registry.npmjs.org/debug/-/debug-0.7.4.tgz

Path to dependency file: /vendor/github.com/hashicorp/vault/ui/package.json

Path to vulnerable library: /vendor/github.com/hashicorp/vault/ui/node_modules/debug/package.json

Dependency Hierarchy:

  • ember-cli-favicon-1.0.0-beta.4.tgz (Root Library)
    • broccoli-favicon-1.0.0.tgz
      • favicons-4.8.6.tgz
        • svg2png-3.0.1.tgz
          • phantomjs-prebuilt-2.1.14.tgz
            • extract-zip-1.5.0.tgz
              • โŒ debug-0.7.4.tgz (Vulnerable Library)
debug-2.2.0.tgz

small debugging utility

Library home page: https://registry.npmjs.org/debug/-/debug-2.2.0.tgz

Path to dependency file: /vendor/github.com/hashicorp/vault/ui/package.json

Path to vulnerable library: /vendor/github.com/hashicorp/vault/ui/node_modules/node-rest-client/node_modules/debug/package.json

Dependency Hierarchy:

  • ember-cli-favicon-1.0.0-beta.4.tgz (Root Library)
    • broccoli-favicon-1.0.0.tgz
      • favicons-4.8.6.tgz
        • node-rest-client-1.8.0.tgz
          • โŒ debug-2.2.0.tgz (Vulnerable Library)
debug-2.6.8.tgz

small debugging utility

Library home page: https://registry.npmjs.org/debug/-/debug-2.6.8.tgz

Path to dependency file: /vendor/github.com/hashicorp/vault/ui/package.json

Path to vulnerable library: /vendor/github.com/hashicorp/vault/ui/node_modules/debug/package.json

Dependency Hierarchy:

  • broccoli-sri-hash-2.1.2.tgz (Root Library)
    • broccoli-caching-writer-2.3.1.tgz
      • โŒ debug-2.6.8.tgz (Vulnerable Library)
debug-2.3.3.tgz

small debugging utility

Library home page: https://registry.npmjs.org/debug/-/debug-2.3.3.tgz

Path to dependency file: /vendor/github.com/hashicorp/vault/ui/package.json

Path to vulnerable library: /vendor/github.com/hashicorp/vault/ui/node_modules/socket.io-adapter/node_modules/debug/package.json

Dependency Hierarchy:

  • ember-cli-2.14.0.tgz (Root Library)
    • testem-1.18.0.tgz
      • socket.io-1.6.0.tgz
        • โŒ debug-2.3.3.tgz (Vulnerable Library)
debug-2.6.7.tgz

small debugging utility

Library home page: https://registry.npmjs.org/debug/-/debug-2.6.7.tgz

Path to dependency file: /vendor/github.com/hashicorp/vault/ui/package.json

Path to vulnerable library: /vendor/github.com/hashicorp/vault/ui/node_modules/debug/package.json

Dependency Hierarchy:

  • ember-cli-2.14.0.tgz (Root Library)
    • express-4.15.3.tgz
      • โŒ debug-2.6.7.tgz (Vulnerable Library)

Found in HEAD commit: 9060713df80212ee5546b36d1083fb607520eb0b

Found in base branch: master

Vulnerability Details

The debug module is vulnerable to regular expression denial of service when untrusted user input is passed into the o formatter. It takes around 50k characters to block for 2 seconds making this a low severity issue.

Publish Date: 2018-06-07

URL: CVE-2017-16137

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-gxpj-cx7g-858c

Release Date: 2018-04-26

Fix Resolution: debug - 2.6.9,3.1.0,3.2.7,4.3.1


CVE-2018-17848 (High) detected in net500e7a4f953ddaf55d316b4d3adc516aa0379622

CVE-2018-17848 - High Severity Vulnerability

Vulnerable Library - net500e7a4f953ddaf55d316b4d3adc516aa0379622

[mirror] Go supplementary network libraries

Library home page: https://github.com/golang/net.git

Found in HEAD commit: 9060713df80212ee5546b36d1083fb607520eb0b

Found in base branch: master

Vulnerable Source Files (2)

/vendor/golang.org/x/net/html/node.go
/vendor/golang.org/x/net/html/node.go

Vulnerability Details

The html package (aka x/net/html) through 2018-09-25 in Go mishandles , leading to a "panic: runtime error" (index out of range) in (*insertionModeStack).pop in node.go, called from inHeadIM, during an html.Parse call.

Publish Date: 2018-10-01

URL: CVE-2018-17848

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2018-17848

Release Date: 2018-10-01

Fix Resolution: golang-golang-x-net-dev - 1:0.0+git20181201.351d144+dfsg-3


CVE-2019-10744 (Critical) detected in multiple libraries

CVE-2019-10744 - Critical Severity Vulnerability

Vulnerable Libraries - lodash-3.10.1.tgz, lodash.mergewith-4.6.0.tgz, lodash.merge-4.6.0.tgz, lodash-2.4.2.tgz, lodash.defaultsdeep-4.6.0.tgz, lodash-es-4.17.4.tgz, lodash.template-3.6.2.tgz, lodash-4.17.4.tgz, lodash.template-4.4.0.tgz

lodash-3.10.1.tgz

The modern build of lodash modular utilities.

Library home page: https://registry.npmjs.org/lodash/-/lodash-3.10.1.tgz

Path to dependency file: /vendor/github.com/hashicorp/vault/ui/package.json

Path to vulnerable library: /vendor/github.com/hashicorp/vault/ui/node_modules/lodash/package.json

Dependency Hierarchy:

  • ember-cli-favicon-1.0.0-beta.4.tgz (Root Library)
    • broccoli-favicon-1.0.0.tgz
      • favicons-4.8.6.tgz
        • cheerio-0.19.0.tgz
          • โŒ lodash-3.10.1.tgz (Vulnerable Library)
lodash.mergewith-4.6.0.tgz

The lodash method `_.mergeWith` exported as a module.

Library home page: https://registry.npmjs.org/lodash.mergewith/-/lodash.mergewith-4.6.0.tgz

Path to dependency file: /vendor/github.com/hashicorp/vault/ui/package.json

Path to vulnerable library: /vendor/github.com/hashicorp/vault/ui/node_modules/lodash.mergewith/package.json

Dependency Hierarchy:

  • ember-cli-sass-6.0.0.tgz (Root Library)
    • broccoli-sass-source-maps-2.0.0.tgz
      • node-sass-4.5.3.tgz
        • โŒ lodash.mergewith-4.6.0.tgz (Vulnerable Library)
lodash.merge-4.6.0.tgz

The lodash method `_.merge` exported as a module.

Library home page: https://registry.npmjs.org/lodash.merge/-/lodash.merge-4.6.0.tgz

Path to dependency file: /vendor/github.com/hashicorp/vault/ui/package.json

Path to vulnerable library: /vendor/github.com/hashicorp/vault/ui/node_modules/lodash.merge/package.json

Dependency Hierarchy:

  • ember-cli-uglify-1.2.0.tgz (Root Library)
    • broccoli-uglify-sourcemap-1.5.2.tgz
      • โŒ lodash.merge-4.6.0.tgz (Vulnerable Library)
lodash-2.4.2.tgz

A utility library delivering consistency, customization, performance, & extras.

Library home page: https://registry.npmjs.org/lodash/-/lodash-2.4.2.tgz

Path to dependency file: /vendor/github.com/hashicorp/vault/ui/package.json

Path to vulnerable library: /vendor/github.com/hashicorp/vault/ui/node_modules/merge-defaults/node_modules/lodash/package.json

Dependency Hierarchy:

  • ember-cli-favicon-1.0.0-beta.4.tgz (Root Library)
    • broccoli-favicon-1.0.0.tgz
      • favicons-4.8.6.tgz
        • merge-defaults-0.2.1.tgz
          • โŒ lodash-2.4.2.tgz (Vulnerable Library)
lodash.defaultsdeep-4.6.0.tgz

The lodash method `_.defaultsDeep` exported as a module.

Library home page: https://registry.npmjs.org/lodash.defaultsdeep/-/lodash.defaultsdeep-4.6.0.tgz

Path to dependency file: /vendor/github.com/hashicorp/vault/ui/package.json

Path to vulnerable library: /vendor/github.com/hashicorp/vault/ui/node_modules/lodash.defaultsdeep/package.json

Dependency Hierarchy:

  • ember-cli-eslint-4.1.0.tgz (Root Library)
    • broccoli-lint-eslint-4.1.0.tgz
      • โŒ lodash.defaultsdeep-4.6.0.tgz (Vulnerable Library)
lodash-es-4.17.4.tgz

Lodash exported as ES modules.

Library home page: https://registry.npmjs.org/lodash-es/-/lodash-es-4.17.4.tgz

Path to dependency file: /vendor/github.com/hashicorp/vault/ui/package.json

Path to vulnerable library: /vendor/github.com/hashicorp/vault/ui/node_modules/lodash-es/package.json

Dependency Hierarchy:

  • ember-cli-mirage-0.4.1.tgz (Root Library)
    • ember-lodash-4.18.0.tgz
      • โŒ lodash-es-4.17.4.tgz (Vulnerable Library)
lodash.template-3.6.2.tgz

The modern build of lodash's `_.template` as a module.

Library home page: https://registry.npmjs.org/lodash.template/-/lodash.template-3.6.2.tgz

Path to dependency file: /vendor/github.com/hashicorp/vault/ui/package.json

Path to vulnerable library: /vendor/github.com/hashicorp/vault/ui/node_modules/lodash.template/package.json

Dependency Hierarchy:

  • ember-fetch-3.4.3.tgz (Root Library)
    • broccoli-templater-1.0.0.tgz
      • โŒ lodash.template-3.6.2.tgz (Vulnerable Library)
lodash-4.17.4.tgz

Lodash modular utilities.

Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.4.tgz

Path to dependency file: /vendor/github.com/hashicorp/vault/ui/package.json

Path to vulnerable library: /vendor/github.com/hashicorp/vault/ui/node_modules/lodash/package.json

Dependency Hierarchy:

  • ember-cli-sass-6.0.0.tgz (Root Library)
    • broccoli-sass-source-maps-2.0.0.tgz
      • node-sass-4.5.3.tgz
        • sass-graph-2.2.4.tgz
          • โŒ lodash-4.17.4.tgz (Vulnerable Library)
lodash.template-4.4.0.tgz

The lodash method `_.template` exported as a module.

Library home page: https://registry.npmjs.org/lodash.template/-/lodash.template-4.4.0.tgz

Path to dependency file: /vendor/github.com/hashicorp/vault/ui/package.json

Path to vulnerable library: /vendor/github.com/hashicorp/vault/ui/node_modules/lodash.template/package.json

Dependency Hierarchy:

  • ember-cli-2.14.0.tgz (Root Library)
    • โŒ lodash.template-4.4.0.tgz (Vulnerable Library)

Found in HEAD commit: 9060713df80212ee5546b36d1083fb607520eb0b

Found in base branch: master

Vulnerability Details

Versions of lodash lower than 4.17.12 are vulnerable to Prototype Pollution. The function defaultsDeep could be tricked into adding or modifying properties of Object.prototype using a constructor payload.

Publish Date: 2019-07-26

URL: CVE-2019-10744

CVSS 3 Score Details (9.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-jf85-cpcp-j695

Release Date: 2019-07-26

Fix Resolution (lodash): 4.17.12

Direct dependency fix Resolution (ember-cli-favicon): 2.2.0

Fix Resolution (lodash.mergewith): 4.17.12

Direct dependency fix Resolution (ember-cli-sass): 6.1.0

Fix Resolution (lodash.merge): 4.17.12

Direct dependency fix Resolution (ember-cli-uglify): 2.0.0

Fix Resolution (lodash): 4.17.12

Direct dependency fix Resolution (ember-cli-favicon): 2.2.0

Fix Resolution (lodash.defaultsdeep): 4.17.12

Direct dependency fix Resolution (ember-cli-eslint): 4.2.0

Fix Resolution (lodash-es): 4.17.12

Direct dependency fix Resolution (ember-cli-mirage): 0.4.2

Fix Resolution (lodash.template): 4.17.12

Direct dependency fix Resolution (ember-fetch): 3.4.4

Fix Resolution (lodash): 4.17.12

Direct dependency fix Resolution (ember-cli-sass): 6.1.3

Fix Resolution (lodash.template): 4.17.12

Direct dependency fix Resolution (ember-cli): 2.14.1


CVE-2022-21670 (Medium) detected in markdown-it-8.3.1.tgz

CVE-2022-21670 - Medium Severity Vulnerability

Vulnerable Library - markdown-it-8.3.1.tgz

Markdown-it - modern pluggable markdown parser.

Library home page: https://registry.npmjs.org/markdown-it/-/markdown-it-8.3.1.tgz

Path to dependency file: /vendor/github.com/hashicorp/vault/ui/package.json

Path to vulnerable library: /vendor/github.com/hashicorp/vault/ui/node_modules/markdown-it/package.json

Dependency Hierarchy:

  • ember-cli-2.14.0.tgz (Root Library)
    • โŒ markdown-it-8.3.1.tgz (Vulnerable Library)

Found in HEAD commit: 9060713df80212ee5546b36d1083fb607520eb0b

Found in base branch: master

Vulnerability Details

markdown-it is a Markdown parser. Prior to version 1.3.2, special patterns with length greater than 50 thousand characters could slow down the parser significantly. Users should upgrade to version 12.3.2 to receive a patch. There are no known workarounds aside from upgrading.

Publish Date: 2022-01-10

URL: CVE-2022-21670

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-6vfc-qv3f-vr6c

Release Date: 2022-01-10

Fix Resolution (markdown-it): 12.3.2

Direct dependency fix Resolution (ember-cli): 4.11.0

