nlamirault / alan
Bridge between Vault and password managers
License: Apache License 2.0
A JSONSchema validator that uses code generation to be extremely fast
Library home page: https://registry.npmjs.org/is-my-json-valid/-/is-my-json-valid-2.16.0.tgz
Path to dependency file: /vendor/github.com/hashicorp/vault/ui/package.json
Path to vulnerable library: /vendor/github.com/hashicorp/vault/ui/node_modules/is-my-json-valid/package.json
Dependency Hierarchy:
Found in HEAD commit: 9060713df80212ee5546b36d1083fb607520eb0b
Found in base branch: master
A Regular Expression Denial of Service (ReDoS) vulnerability was found in is-my-json-valid before 2.20.2 via the style format.
Publish Date: 2020-06-27
URL: WS-2020-0342
Base Score Metrics:
Type: Upgrade version
Release Date: 2020-06-27
Fix Resolution (is-my-json-valid): 2.20.2
Direct dependency fix Resolution (ember-cli-favicon): 1.0.0
Step up your Open Source Security Game with Mend here
A JSONSchema validator that uses code generation to be extremely fast
Library home page: https://registry.npmjs.org/is-my-json-valid/-/is-my-json-valid-2.16.0.tgz
Path to dependency file: /vendor/github.com/hashicorp/vault/ui/package.json
Path to vulnerable library: /vendor/github.com/hashicorp/vault/ui/node_modules/is-my-json-valid/package.json
Dependency Hierarchy:
Found in HEAD commit: 9060713df80212ee5546b36d1083fb607520eb0b
Found in base branch: master
An Arbitrary Code Execution vulnerability was found in is-my-json-valid before 2.20.3 via the formatName function.
Publish Date: 2020-06-09
URL: WS-2020-0344
Base Score Metrics:
Type: Upgrade version
Release Date: 2020-06-09
Fix Resolution (is-my-json-valid): 2.20.3
Direct dependency fix Resolution (ember-cli-favicon): 1.0.0
A comprehensive library for mime-type mapping
Library home page: https://registry.npmjs.org/mime/-/mime-1.3.6.tgz
Path to dependency file: /vendor/github.com/hashicorp/vault/ui/package.json
Path to vulnerable library: /vendor/github.com/hashicorp/vault/ui/node_modules/mime/package.json
Dependency Hierarchy:
A comprehensive library for mime-type mapping
Library home page: https://registry.npmjs.org/mime/-/mime-1.3.4.tgz
Path to dependency file: /vendor/github.com/hashicorp/vault/ui/package.json
Path to vulnerable library: /vendor/github.com/hashicorp/vault/ui/node_modules/mime/package.json
Dependency Hierarchy:
Found in HEAD commit: 9060713df80212ee5546b36d1083fb607520eb0b
Found in base branch: master
The mime module < 1.4.1, 2.0.1, 2.0.2 is vulnerable to regular expression denial of service when a mime lookup is performed on untrusted user input.
Mend Note: Converted from WS-2017-0330, on 2022-11-08.
Publish Date: 2018-06-07
URL: CVE-2017-16138
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16138
Release Date: 2018-04-26
Fix Resolution (mime): 1.4.1
Direct dependency fix Resolution (ember-cli-favicon): 1.0.0
Fix Resolution (mime): 1.4.1
Direct dependency fix Resolution (ember-cli): 2.14.1
XMLHttpRequest for Node
Library home page: https://registry.npmjs.org/xmlhttprequest-ssl/-/xmlhttprequest-ssl-1.5.3.tgz
Path to dependency file: /vendor/github.com/hashicorp/vault/ui/package.json
Path to vulnerable library: /vendor/github.com/hashicorp/vault/ui/node_modules/xmlhttprequest-ssl/package.json
Dependency Hierarchy:
Found in HEAD commit: 9060713df80212ee5546b36d1083fb607520eb0b
Found in base branch: master
This affects the package xmlhttprequest before 1.7.0; all versions of package xmlhttprequest-ssl. Provided requests are sent synchronously (async=False on xhr.open), malicious user input flowing into xhr.send could result in arbitrary code being injected and run.
Publish Date: 2021-03-05
URL: CVE-2020-28502
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-h4j5-c7cj-74xg
Release Date: 2021-03-05
Fix Resolution (xmlhttprequest-ssl): 1.6.1
Direct dependency fix Resolution (ember-cli): 2.18.2
writable stream that concatenates strings or binary data and calls a callback with the result
Library home page: https://registry.npmjs.org/concat-stream/-/concat-stream-1.5.0.tgz
Path to dependency file: /vendor/github.com/hashicorp/vault/ui/package.json
Path to vulnerable library: /vendor/github.com/hashicorp/vault/ui/node_modules/concat-stream/package.json
Dependency Hierarchy:
Found in HEAD commit: 9060713df80212ee5546b36d1083fb607520eb0b
Found in base branch: master
Versions of concat-stream before 1.5.2 are vulnerable to memory exposure if user-provided input is passed into write().
Versions <1.3.0 are not affected because they do not use the unguarded Buffer constructor.
Publish Date: 2018-04-25
URL: WS-2018-0075
Base Score Metrics:
Type: Upgrade version
Origin: https://nodesecurity.io/advisories/597
Release Date: 2018-01-27
Fix Resolution (concat-stream): 1.5.2
Direct dependency fix Resolution (ember-cli-favicon): 1.0.0
Wrapper around libsass
Library home page: https://registry.npmjs.org/node-sass/-/node-sass-4.5.3.tgz
Path to dependency file: /vendor/github.com/hashicorp/vault/ui/package.json
Path to vulnerable library: /vendor/github.com/hashicorp/vault/ui/node_modules/node-sass/package.json
Dependency Hierarchy:
Found in HEAD commit: 9060713df80212ee5546b36d1083fb607520eb0b
Found in base branch: master
Certificate validation in node-sass 2.0.0 to 4.14.1 is disabled when requesting binaries even if the user is not specifying an alternative download path.
Publish Date: 2021-01-11
URL: CVE-2020-24025
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-r8f7-9pfq-mjmv
Release Date: 2021-01-11
Fix Resolution (node-sass): 7.0.0
Direct dependency fix Resolution (ember-cli-sass): 8.0.1
HTTP proxy tunneling agent. Formerly part of mikeal/request, now a standalone module.
Library home page: https://registry.npmjs.org/tunnel-agent/-/tunnel-agent-0.4.3.tgz
Path to dependency file: /vendor/github.com/hashicorp/vault/ui/package.json
Path to vulnerable library: /vendor/github.com/hashicorp/vault/ui/node_modules/tunnel-agent/package.json
Dependency Hierarchy:
Found in HEAD commit: 9060713df80212ee5546b36d1083fb607520eb0b
Found in base branch: master
Versions of tunnel-agent before 0.6.0 are vulnerable to memory exposure. This is exploitable if user supplied input is provided to the auth value and is a number.
Publish Date: 2017-03-05
URL: WS-2018-0076
Base Score Metrics:
Type: Upgrade version
Origin: https://nodesecurity.io/advisories/598
Release Date: 2017-03-05
Fix Resolution (tunnel-agent): 0.6.0
Direct dependency fix Resolution (ember-cli-favicon): 1.0.0
Wrapper around libsass
Library home page: https://registry.npmjs.org/node-sass/-/node-sass-4.5.3.tgz
Path to dependency file: /vendor/github.com/hashicorp/vault/ui/package.json
Path to vulnerable library: /vendor/github.com/hashicorp/vault/ui/node_modules/node-sass/package.json
Dependency Hierarchy:
Found in HEAD commit: 9060713df80212ee5546b36d1083fb607520eb0b
Found in base branch: master
An issue was discovered in LibSass through 3.5.4. A NULL pointer dereference was found in the function Sass::Functions::selector_append which could be leveraged by an attacker to cause a denial of service (application crash) or possibly have unspecified other impact.
Publish Date: 2018-06-04
URL: CVE-2018-11694
Base Score Metrics:
Type: Upgrade version
Release Date: 2018-06-04
Fix Resolution: Fable.Template.Elmish.React - 0.1.6;GR.PageRender.Razor - 1.8.0;MIDIator.WebClient - 1.0.105
Library home page: https://rubygems.org/gems/bootstrap-sass-3.3.7.gem
Path to dependency file: /vendor/github.com/hashicorp/vault/website/Gemfile.lock
Path to vulnerable library: /vendor/github.com/hashicorp/vault/website/Gemfile.lock
Dependency Hierarchy:
Found in HEAD commit: 9060713df80212ee5546b36d1083fb607520eb0b
Found in base branch: master
In Bootstrap before 3.4.1 and 4.3.x before 4.3.1, XSS is possible in the tooltip or popover data-template attribute.
Publish Date: 2019-02-20
URL: CVE-2019-8331
Base Score Metrics:
Type: Upgrade version
Release Date: 2019-02-20
Fix Resolution: bootstrap - 3.4.1,4.3.1;bootstrap-sass - 3.4.1,4.3.1
small debugging utility
Library home page: https://registry.npmjs.org/debug/-/debug-0.7.4.tgz
Path to dependency file: /vendor/github.com/hashicorp/vault/ui/package.json
Path to vulnerable library: /vendor/github.com/hashicorp/vault/ui/node_modules/debug/package.json
Dependency Hierarchy:
small debugging utility
Library home page: https://registry.npmjs.org/debug/-/debug-2.2.0.tgz
Path to dependency file: /vendor/github.com/hashicorp/vault/ui/package.json
Path to vulnerable library: /vendor/github.com/hashicorp/vault/ui/node_modules/node-rest-client/node_modules/debug/package.json
Dependency Hierarchy:
small debugging utility
Library home page: https://registry.npmjs.org/debug/-/debug-2.6.8.tgz
Path to dependency file: /vendor/github.com/hashicorp/vault/ui/package.json
Path to vulnerable library: /vendor/github.com/hashicorp/vault/ui/node_modules/debug/package.json
Dependency Hierarchy:
small debugging utility
Library home page: https://registry.npmjs.org/debug/-/debug-2.3.3.tgz
Path to dependency file: /vendor/github.com/hashicorp/vault/ui/package.json
Path to vulnerable library: /vendor/github.com/hashicorp/vault/ui/node_modules/socket.io-adapter/node_modules/debug/package.json
Dependency Hierarchy:
small debugging utility
Library home page: https://registry.npmjs.org/debug/-/debug-2.6.7.tgz
Path to dependency file: /vendor/github.com/hashicorp/vault/ui/package.json
Path to vulnerable library: /vendor/github.com/hashicorp/vault/ui/node_modules/debug/package.json
Dependency Hierarchy:
Found in HEAD commit: 9060713df80212ee5546b36d1083fb607520eb0b
Found in base branch: master
The debug module is vulnerable to regular expression denial of service when untrusted user input is passed into the %o formatter. It takes around 50k characters to block for 2 seconds, making this a low severity issue.
Publish Date: 2018-06-07
URL: CVE-2017-16137
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-gxpj-cx7g-858c
Release Date: 2018-04-26
Fix Resolution (debug): 2.6.9
Direct dependency fix Resolution (ember-cli-favicon): 2.0.0
Fix Resolution (debug): 2.6.9
Direct dependency fix Resolution (ember-cli-favicon): 2.0.0
Fix Resolution (debug): 2.6.9
Direct dependency fix Resolution (ember-cli): 2.18.2
Fix Resolution (debug): 2.6.9
Direct dependency fix Resolution (ember-cli): 2.18.2
Wrapper around libsass
Library home page: https://registry.npmjs.org/node-sass/-/node-sass-4.5.3.tgz
Path to dependency file: /vendor/github.com/hashicorp/vault/ui/package.json
Path to vulnerable library: /vendor/github.com/hashicorp/vault/ui/node_modules/node-sass/package.json
Dependency Hierarchy:
Found in HEAD commit: 9060713df80212ee5546b36d1083fb607520eb0b
Found in base branch: master
An issue was discovered in LibSass through 3.5.4. An out-of-bounds read of a memory region was found in the function Sass::Prelexer::skip_over_scopes which could be leveraged by an attacker to disclose information or manipulated to read from unmapped memory causing a denial of service.
Publish Date: 2018-06-04
URL: CVE-2018-11693
Base Score Metrics:
Type: Upgrade version
Release Date: 2018-06-04
Fix Resolution (node-sass): 4.11.0
Direct dependency fix Resolution (ember-cli-sass): 6.1.0
The x/text package before 0.3.3 for Go has a vulnerability in encoding/unicode that could lead to the UTF-16 decoder entering an infinite loop, causing the program to crash or run out of memory. An attacker could provide a single byte to a UTF16 decoder instantiated with UseBOM or ExpectBOM to trigger an infinite loop if the String function on the Decoder is called, or the Decoder is passed to golang.org/x/text/transform.String.
Publish Date: 2020-06-17
URL: CVE-2020-14040
Base Score Metrics:
Type: Upgrade version
Origin: https://osv.dev/vulnerability/GO-2020-0015
Release Date: 2020-06-17
Fix Resolution: v0.3.3
tar for node
Library home page: https://registry.npmjs.org/tar/-/tar-2.2.1.tgz
Path to dependency file: /vendor/github.com/hashicorp/vault/ui/package.json
Path to vulnerable library: /vendor/github.com/hashicorp/vault/ui/node_modules/tar/package.json
Dependency Hierarchy:
Found in HEAD commit: 9060713df80212ee5546b36d1083fb607520eb0b
Found in base branch: master
The npm package "tar" (aka node-tar) before versions 6.1.1, 5.0.6, 4.4.14, and 3.3.2 has an arbitrary File Creation/Overwrite vulnerability due to insufficient absolute path sanitization. node-tar aims to prevent extraction of absolute file paths by turning absolute paths into relative paths when the preservePaths flag is not set to true. This is achieved by stripping the absolute path root from any absolute file paths contained in a tar file. For example /home/user/.bashrc would turn into home/user/.bashrc. This logic was insufficient when file paths contained repeated path roots such as ////home/user/.bashrc. node-tar would only strip a single path root from such paths. When given an absolute file path with repeating path roots, the resulting path (e.g. ///home/user/.bashrc) would still resolve to an absolute path, thus allowing arbitrary file creation and overwrite. This issue was addressed in releases 3.2.2, 4.4.14, 5.0.6 and 6.1.1. Users may work around this vulnerability without upgrading by creating a custom onentry method which sanitizes the entry.path or a filter method which removes entries with absolute paths. See referenced GitHub Advisory for details. Be aware of CVE-2021-32803 which fixes a similar bug in later versions of tar.
Publish Date: 2021-08-03
URL: CVE-2021-32804
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-3jfq-g458-7qm9
Release Date: 2021-08-03
Fix Resolution (tar): 3.2.2
Direct dependency fix Resolution (ember-cli-qunit): 4.0.1
Merge multiple objects into one, optionally creating a new cloned object. Similar to the jQuery.extend but more flexible. Works in Node.js and the browser.
Library home page: https://registry.npmjs.org/merge/-/merge-1.2.0.tgz
Path to dependency file: /vendor/github.com/hashicorp/vault/ui/package.json
Path to vulnerable library: /vendor/github.com/hashicorp/vault/ui/node_modules/merge/package.json
Dependency Hierarchy:
Found in HEAD commit: 9060713df80212ee5546b36d1083fb607520eb0b
Found in base branch: master
The merge.recursive function in the merge package <1.2.1 can be tricked into adding or modifying properties of the Object prototype. These properties will be present on all objects allowing for a denial of service attack.
Publish Date: 2018-10-30
URL: CVE-2018-16469
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16469
Release Date: 2018-10-30
Fix Resolution (merge): 1.2.1
Direct dependency fix Resolution (ember-cli-sass): 6.1.0
Simple JSON Addressing.
Library home page: https://registry.npmjs.org/jsonpointer/-/jsonpointer-4.0.1.tgz
Path to dependency file: /vendor/github.com/hashicorp/vault/ui/package.json
Path to vulnerable library: /vendor/github.com/hashicorp/vault/ui/node_modules/jsonpointer/package.json
Dependency Hierarchy:
Found in HEAD commit: 9060713df80212ee5546b36d1083fb607520eb0b
Found in base branch: master
This affects the package jsonpointer before 5.0.0. A type confusion vulnerability can lead to a bypass of a previous Prototype Pollution fix when the pointer components are arrays.
Publish Date: 2021-11-03
URL: CVE-2021-23807
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23807
Release Date: 2021-11-03
Fix Resolution (jsonpointer): 5.0.0
Direct dependency fix Resolution (ember-cli-favicon): 1.0.0
Nokogiri (鋸) is an HTML, XML, SAX, and Reader parser. Among Nokogiri's many features is the ability to search documents via XPath or CSS3 selectors.
Library home page: https://rubygems.org/gems/nokogiri-1.8.2.gem
Path to dependency file: /vendor/github.com/hashicorp/vault/website/Gemfile.lock
Path to vulnerable library: /vendor/github.com/hashicorp/vault/website/Gemfile.lock
Dependency Hierarchy:
Found in HEAD commit: 9060713df80212ee5546b36d1083fb607520eb0b
Found in base branch: master
Nokogiri is a Rubygem providing HTML, XML, SAX, and Reader parsers with XPath and CSS selector support. In Nokogiri v1.12.4 and earlier, on JRuby only, the SAX parser resolves external entities by default. Users of Nokogiri on JRuby who parse untrusted documents using any of these classes are affected: Nokogiri::XML::SAX::Parse, Nokogiri::HTML4::SAX::Parser or its alias Nokogiri::HTML::SAX::Parser, Nokogiri::XML::SAX::PushParser, and Nokogiri::HTML4::SAX::PushParser or its alias Nokogiri::HTML::SAX::PushParser. JRuby users should upgrade to Nokogiri v1.12.5 or later to receive a patch for this issue. There are no workarounds available for v1.12.4 or earlier. CRuby users are not affected.
Publish Date: 2021-09-27
URL: CVE-2021-41098
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41098
Release Date: 2021-09-27
Fix Resolution: nokogiri - 1.12.5
a CSS selector parser
Library home page: https://registry.npmjs.org/css-what/-/css-what-1.0.0.tgz
Path to dependency file: /vendor/github.com/hashicorp/vault/ui/package.json
Path to vulnerable library: /vendor/github.com/hashicorp/vault/ui/node_modules/css-what/package.json
Dependency Hierarchy:
Found in HEAD commit: 9060713df80212ee5546b36d1083fb607520eb0b
Found in base branch: master
The css-what package 4.0.0 through 5.0.0 for Node.js does not ensure that attribute parsing has Linear Time Complexity relative to the size of the input.
Publish Date: 2021-05-28
URL: CVE-2021-33587
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33587
Release Date: 2021-05-28
Fix Resolution (css-what): 5.0.1
Direct dependency fix Resolution (ember-cli-favicon): 2.0.0
[mirror] Go supplementary network libraries
Library home page: https://github.com/golang/net.git
Found in HEAD commit: 9060713df80212ee5546b36d1083fb607520eb0b
Found in base branch: master
The html package (aka x/net/html) through 2018-09-17 in Go mishandles , leading to a "panic: runtime error" in parseCurrentToken in parse.go during an html.Parse call.
Publish Date: 2018-09-17
URL: CVE-2018-17142
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-17142
Release Date: 2018-09-17
Fix Resolution: net- go1.11.1
Rack provides a minimal, modular and adaptable interface for developing web applications in Ruby. By wrapping HTTP requests and responses in the simplest way possible, it unifies and distills the API for web servers, web frameworks, and software in between (the so-called middleware) into a single method call.
Also see http://rack.github.io/.
Library home page: https://rubygems.org/gems/rack-1.6.9.gem
Path to dependency file: /vendor/github.com/hashicorp/vault/website/Gemfile.lock
Path to vulnerable library: /vendor/github.com/hashicorp/vault/website/Gemfile.lock
Dependency Hierarchy:
Found in HEAD commit: 9060713df80212ee5546b36d1083fb607520eb0b
Found in base branch: master
A directory traversal vulnerability exists in rack < 2.2.0 that allows an attacker to perform directory traversal in the Rack::Directory app that is bundled with Rack, which could result in information disclosure.
Publish Date: 2020-07-02
URL: CVE-2020-8161
Base Score Metrics:
Lodash modular utilities.
Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.4.tgz
Path to dependency file: /vendor/github.com/hashicorp/vault/ui/package.json
Path to vulnerable library: /vendor/github.com/hashicorp/vault/ui/node_modules/lodash/package.json
Dependency Hierarchy:
The modern build of lodash modular utilities.
Library home page: https://registry.npmjs.org/lodash/-/lodash-3.10.1.tgz
Path to dependency file: /vendor/github.com/hashicorp/vault/ui/package.json
Path to vulnerable library: /vendor/github.com/hashicorp/vault/ui/node_modules/lodash/package.json
Dependency Hierarchy:
A utility library delivering consistency, customization, performance, & extras.
Library home page: https://registry.npmjs.org/lodash/-/lodash-2.4.2.tgz
Path to dependency file: /vendor/github.com/hashicorp/vault/ui/package.json
Path to vulnerable library: /vendor/github.com/hashicorp/vault/ui/node_modules/merge-defaults/node_modules/lodash/package.json
Dependency Hierarchy:
Found in HEAD commit: 9060713df80212ee5546b36d1083fb607520eb0b
Found in base branch: master
Lodash versions prior to 4.17.21 are vulnerable to Regular Expression Denial of Service (ReDoS) via the toNumber, trim and trimEnd functions.
Mend Note: After conducting further research, Mend has determined that CVE-2020-28500 only affects environments with versions 4.0.0 to 4.17.20 of Lodash.
Publish Date: 2021-02-15
URL: CVE-2020-28500
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28500
Release Date: 2021-02-15
Fix Resolution (lodash): 4.17.21
Direct dependency fix Resolution (ember-cli-sass): 6.1.3
Fix Resolution (lodash): 4.17.21
Direct dependency fix Resolution (ember-cli-favicon): 2.2.0
Fix Resolution (lodash): 4.17.21
Direct dependency fix Resolution (ember-cli-favicon): 2.2.0
Rack provides a minimal, modular and adaptable interface for developing web applications in Ruby. By wrapping HTTP requests and responses in the simplest way possible, it unifies and distills the API for web servers, web frameworks, and software in between (the so-called middleware) into a single method call.
Also see http://rack.github.io/.
Library home page: https://rubygems.org/gems/rack-1.6.9.gem
Path to dependency file: /vendor/github.com/hashicorp/vault/website/Gemfile.lock
Path to vulnerable library: /vendor/github.com/hashicorp/vault/website/Gemfile.lock
Dependency Hierarchy:
Found in HEAD commit: 9060713df80212ee5546b36d1083fb607520eb0b
Found in base branch: master
There's a possible information leak / session hijack vulnerability in Rack (RubyGem rack). This vulnerability is patched in versions 1.6.12 and 2.0.8. Attackers may be able to find and hijack sessions by using timing attacks targeting the session id. Session ids are usually stored and indexed in a database that uses some kind of scheme for speeding up lookups of that session id. By carefully measuring the amount of time it takes to look up a session, an attacker may be able to find a valid session id and hijack the session. The session id itself may be generated randomly, but the way the session is indexed by the backing store does not use a secure comparison.
Publish Date: 2019-12-18
URL: CVE-2019-16782
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16782
Release Date: 2019-12-18
Fix Resolution: 1.6.12;2.0.8
Trim newlines from the start and/or end of a string
Library home page: https://registry.npmjs.org/trim-newlines/-/trim-newlines-1.0.0.tgz
Path to dependency file: /vendor/github.com/hashicorp/vault/ui/package.json
Path to vulnerable library: /vendor/github.com/hashicorp/vault/ui/node_modules/trim-newlines/package.json
Dependency Hierarchy:
Found in HEAD commit: 9060713df80212ee5546b36d1083fb607520eb0b
Found in base branch: master
The trim-newlines package before 3.0.1 and 4.x before 4.0.1 for Node.js has an issue related to regular expression denial-of-service (ReDoS) for the .end() method.
Publish Date: 2021-05-28
URL: CVE-2021-33623
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33623
Release Date: 2021-05-28
Fix Resolution (trim-newlines): 3.0.1
Direct dependency fix Resolution (ember-cli-sass): 8.0.1
A well-tested CSS minifier
Library home page: https://registry.npmjs.org/clean-css/-/clean-css-3.4.28.tgz
Path to dependency file: /vendor/github.com/hashicorp/vault/ui/package.json
Path to vulnerable library: /vendor/github.com/hashicorp/vault/ui/node_modules/clean-css/package.json
Dependency Hierarchy:
Found in HEAD commit: 9060713df80212ee5546b36d1083fb607520eb0b
Found in base branch: master
Versions of clean-css prior to 4.1.11 are vulnerable to Regular Expression Denial of Service (ReDoS). Untrusted input may cause catastrophic backtracking while matching regular expressions. This can cause the application to become unresponsive, leading to Denial of Service.
Publish Date: 2018-03-06
URL: WS-2019-0017
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-wxhq-pm8v-cw75
Release Date: 2018-03-06
Fix Resolution (clean-css): 4.1.11
Direct dependency fix Resolution (ember-cli): 5.0.0
Encode and decode streams into string streams
Library home page: https://registry.npmjs.org/stringstream/-/stringstream-0.0.5.tgz
Path to dependency file: /vendor/github.com/hashicorp/vault/ui/package.json
Path to vulnerable library: /vendor/github.com/hashicorp/vault/ui/node_modules/stringstream/package.json
Dependency Hierarchy:
Found in HEAD commit: 9060713df80212ee5546b36d1083fb607520eb0b
Found in base branch: master
Versions less than 0.0.6 of the Node.js stringstream module are vulnerable to an out-of-bounds read because of allocation of uninitialized buffers when a number is passed in the input stream (when using Node.js 4.x).
Publish Date: 2020-12-03
URL: CVE-2018-21270
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-21270
Release Date: 2020-12-03
Fix Resolution (stringstream): 0.0.6
Direct dependency fix Resolution (ember-cli-qunit): 4.0.1
[mirror] Go supplementary cryptography libraries
Library home page: https://github.com/golang/crypto.git
Found in HEAD commit: 9060713df80212ee5546b36d1083fb607520eb0b
Found in base branch: master
A message-forgery issue was discovered in crypto/openpgp/clearsign/clearsign.go in supplementary Go cryptography libraries 2019-03-25. According to the OpenPGP Message Format specification in RFC 4880 chapter 7, a cleartext signed message can contain one or more optional "Hash" Armor Headers. The "Hash" Armor Header specifies the message digest algorithm(s) used for the signature. However, the Go clearsign package ignores the value of this header, which allows an attacker to spoof it. Consequently, an attacker can lead a victim to believe the signature was generated using a different message digest algorithm than what was actually used. Moreover, since the library skips Armor Header parsing in general, an attacker can not only embed arbitrary Armor Headers, but also prepend arbitrary text to cleartext messages without invalidating the signatures.
Publish Date: 2019-05-22
URL: CVE-2019-11841
Base Score Metrics:
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2019-11841
Release Date: 2019-05-22
Fix Resolution: golang-golang-x-crypto-dev - 1:0.0~git20200221.2aa609c-1,1:0.0~git20170407.0.55a552f+REALLY.0.0~git20161012.0.5f31782-1+deb8u1,1:0.0~git20200221.2aa609c-1;golang-go.crypto-dev - 1:0.0~git20170407.0.55a552f+REALLY.0.0~git20161012.0.5f31782-1+deb8u1,1:0.0~git20200221.2aa609c-1,1:0.0~git20200221.2aa609c-1
kramdown is yet-another-markdown-parser but fast, pure Ruby, using a strict syntax definition and supporting several common extensions.
Library home page: https://rubygems.org/gems/kramdown-1.16.2.gem
Path to dependency file: /vendor/github.com/hashicorp/vault/website/Gemfile.lock
Path to vulnerable library: /vendor/github.com/hashicorp/vault/website/Gemfile.lock
Dependency Hierarchy:
Found in HEAD commit: 9060713df80212ee5546b36d1083fb607520eb0b
Found in base branch: master
Kramdown before 2.3.1 does not restrict Rouge formatters to the Rouge::Formatters namespace, and thus arbitrary classes can be instantiated.
Publish Date: 2021-03-19
URL: CVE-2021-28834
Base Score Metrics:
The modern build of lodash modular utilities.
Library home page: https://registry.npmjs.org/lodash/-/lodash-3.10.1.tgz
Path to dependency file: /vendor/github.com/hashicorp/vault/ui/package.json
Path to vulnerable library: /vendor/github.com/hashicorp/vault/ui/node_modules/lodash/package.json
Dependency Hierarchy:
The lodash method `_.mergeWith` exported as a module.
Library home page: https://registry.npmjs.org/lodash.mergewith/-/lodash.mergewith-4.6.0.tgz
Path to dependency file: /vendor/github.com/hashicorp/vault/ui/package.json
Path to vulnerable library: /vendor/github.com/hashicorp/vault/ui/node_modules/lodash.mergewith/package.json
Dependency Hierarchy:
The lodash method `_.merge` exported as a module.
Library home page: https://registry.npmjs.org/lodash.merge/-/lodash.merge-4.6.0.tgz
Path to dependency file: /vendor/github.com/hashicorp/vault/ui/package.json
Path to vulnerable library: /vendor/github.com/hashicorp/vault/ui/node_modules/lodash.merge/package.json
Dependency Hierarchy:
A utility library delivering consistency, customization, performance, & extras.
Library home page: https://registry.npmjs.org/lodash/-/lodash-2.4.2.tgz
Path to dependency file: /vendor/github.com/hashicorp/vault/ui/package.json
Path to vulnerable library: /vendor/github.com/hashicorp/vault/ui/node_modules/merge-defaults/node_modules/lodash/package.json
Dependency Hierarchy:
The lodash method `_.defaultsDeep` exported as a module.
Library home page: https://registry.npmjs.org/lodash.defaultsdeep/-/lodash.defaultsdeep-4.6.0.tgz
Path to dependency file: /vendor/github.com/hashicorp/vault/ui/package.json
Path to vulnerable library: /vendor/github.com/hashicorp/vault/ui/node_modules/lodash.defaultsdeep/package.json
Dependency Hierarchy:
Lodash exported as ES modules.
Library home page: https://registry.npmjs.org/lodash-es/-/lodash-es-4.17.4.tgz
Path to dependency file: /vendor/github.com/hashicorp/vault/ui/package.json
Path to vulnerable library: /vendor/github.com/hashicorp/vault/ui/node_modules/lodash-es/package.json
Dependency Hierarchy:
The modern build of lodash’s `_.template` as a module.
Library home page: https://registry.npmjs.org/lodash.template/-/lodash.template-3.6.2.tgz
Path to dependency file: /vendor/github.com/hashicorp/vault/ui/package.json
Path to vulnerable library: /vendor/github.com/hashicorp/vault/ui/node_modules/lodash.template/package.json
Dependency Hierarchy:
Lodash modular utilities.
Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.4.tgz
Path to dependency file: /vendor/github.com/hashicorp/vault/ui/package.json
Path to vulnerable library: /vendor/github.com/hashicorp/vault/ui/node_modules/lodash/package.json
Dependency Hierarchy:
The lodash method `_.template` exported as a module.
Library home page: https://registry.npmjs.org/lodash.template/-/lodash.template-4.4.0.tgz
Path to dependency file: /vendor/github.com/hashicorp/vault/ui/package.json
Path to vulnerable library: /vendor/github.com/hashicorp/vault/ui/node_modules/lodash.template/package.json
Dependency Hierarchy:
Found in HEAD commit: 9060713df80212ee5546b36d1083fb607520eb0b
Found in base branch: master
Versions of lodash lower than 4.17.12 are vulnerable to Prototype Pollution. The function defaultsDeep could be tricked into adding or modifying properties of Object.prototype using a constructor payload.
Publish Date: 2019-07-26
URL: CVE-2019-10744
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-jf85-cpcp-j695
Release Date: 2019-07-26
Fix Resolution (lodash): 4.17.12
Direct dependency fix Resolution (ember-cli-favicon): 2.2.0
Fix Resolution (lodash.mergewith): 4.17.12
Direct dependency fix Resolution (ember-cli-sass): 6.1.0
Fix Resolution (lodash.merge): 4.17.12
Direct dependency fix Resolution (ember-cli-uglify): 2.0.0
Fix Resolution (lodash): 4.17.12
Direct dependency fix Resolution (ember-cli-favicon): 2.2.0
Fix Resolution (lodash.defaultsdeep): 4.17.12
Direct dependency fix Resolution (ember-cli-eslint): 4.2.0
Fix Resolution (lodash-es): 4.17.12
Direct dependency fix Resolution (ember-cli-mirage): 0.4.2
Fix Resolution (lodash.template): 4.17.12
Direct dependency fix Resolution (ember-fetch): 3.4.4
Fix Resolution (lodash): 4.17.12
Direct dependency fix Resolution (ember-cli-sass): 6.1.3
Fix Resolution (lodash.template): 4.17.12
Direct dependency fix Resolution (ember-cli): 2.14.1
tar for node
Library home page: https://registry.npmjs.org/tar/-/tar-2.2.1.tgz
Path to dependency file: /vendor/github.com/hashicorp/vault/ui/package.json
Path to vulnerable library: /vendor/github.com/hashicorp/vault/ui/node_modules/tar/package.json
Dependency Hierarchy:
Found in HEAD commit: 9060713df80212ee5546b36d1083fb607520eb0b
Found in base branch: master
A vulnerability was found in node-tar before version 4.4.2 (excluding version 2.2.2). An Arbitrary File Overwrite issue exists when extracting a tarball containing a hardlink to a file that already exists on the system, in conjunction with a later plain file with the same name as the hardlink. This plain file content replaces the existing file content. A patch has been applied to node-tar v2.2.2.
Publish Date: 2019-04-30
URL: CVE-2018-20834
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16082
Release Date: 2019-04-30
Fix Resolution (tar): 2.2.2
Direct dependency fix Resolution (ember-cli-qunit): 4.0.1
Wrapper around libsass
Library home page: https://registry.npmjs.org/node-sass/-/node-sass-4.5.3.tgz
Path to dependency file: /vendor/github.com/hashicorp/vault/ui/package.json
Path to vulnerable library: /vendor/github.com/hashicorp/vault/ui/node_modules/node-sass/package.json
Dependency Hierarchy:
Found in HEAD commit: 9060713df80212ee5546b36d1083fb607520eb0b
Found in base branch: master
An issue was discovered in LibSass through 3.5.4. An out-of-bounds read of a memory region was found in the function Sass::Prelexer::exactly() which could be leveraged by an attacker to disclose information or manipulated to read from unmapped memory causing a denial of service.
Publish Date: 2018-06-04
URL: CVE-2018-11697
Base Score Metrics:
Type: Upgrade version
Release Date: 2018-06-04
Fix Resolution (node-sass): 4.14.0
Direct dependency fix Resolution (ember-cli-sass): 6.1.0
Rack provides a minimal, modular and adaptable interface for developing web applications in Ruby. By wrapping HTTP requests and responses in the simplest way possible, it unifies and distills the API for web servers, web frameworks, and software in between (the so-called middleware) into a single method call.
Also see http://rack.github.io/.
Library home page: https://rubygems.org/gems/rack-1.6.9.gem
Path to dependency file: /vendor/github.com/hashicorp/vault/website/Gemfile.lock
Path to vulnerable library: /vendor/github.com/hashicorp/vault/website/Gemfile.lock
Dependency Hierarchy:
Found in HEAD commit: 9060713df80212ee5546b36d1083fb607520eb0b
Found in base branch: master
There is a possible XSS vulnerability in Rack before 2.0.6 and 1.6.11. Carefully crafted requests can impact the data returned by the scheme method on Rack::Request. Applications that expect the scheme to be limited to 'http' or 'https' and do not escape the return value could be vulnerable to an XSS attack. Note that applications using the normal escaping mechanisms provided by Rails may not be impacted, but applications that bypass the escaping mechanisms, or do not use them, may be vulnerable.
Publish Date: 2018-11-13
URL: CVE-2018-16471
Base Score Metrics:
Type: Upgrade version
Origin: https://groups.google.com/forum/#!topic/rubyonrails-security/GKsAFT924Ag
Release Date: 2018-11-13
Fix Resolution: 2.0.6, 1.6.11
Handlebars provides the power necessary to let you build semantic templates effectively with no frustration
Library home page: https://registry.npmjs.org/handlebars/-/handlebars-4.0.10.tgz
Path to dependency file: /vendor/github.com/hashicorp/vault/ui/package.json
Path to vulnerable library: /vendor/github.com/hashicorp/vault/ui/node_modules/handlebars/package.json
Dependency Hierarchy:
Found in HEAD commit: 9060713df80212ee5546b36d1083fb607520eb0b
Found in base branch: master
Handlebars before 4.4.5 allows Regular Expression Denial of Service (ReDoS) because of eager matching. The parser may be forced into an endless loop while processing crafted templates. This may allow attackers to exhaust system resources.
Mend Note: Converted from WS-2019-0491, on 2022-11-08.
Publish Date: 2020-09-30
URL: CVE-2019-20922
Base Score Metrics:
Type: Upgrade version
Origin: https://www.npmjs.com/advisories/1300
Release Date: 2020-09-30
Fix Resolution (handlebars): 4.4.5
Direct dependency fix Resolution (ember-source): 2.15.0
An XML builder for node.js
Library home page: https://registry.npmjs.org/xmlbuilder/-/xmlbuilder-4.2.1.tgz
Path to dependency file: /vendor/github.com/hashicorp/vault/ui/package.json
Path to vulnerable library: /vendor/github.com/hashicorp/vault/ui/node_modules/xmlbuilder/package.json
Dependency Hierarchy:
Found in HEAD commit: 9060713df80212ee5546b36d1083fb607520eb0b
Found in base branch: master
The package xmlbuilder-js before 9.0.5 is vulnerable to denial of service due to a regular expression issue.
Publish Date: 2018-02-08
URL: WS-2018-0625
Base Score Metrics:
Type: Upgrade version
Release Date: 2018-02-08
Fix Resolution (xmlbuilder): 9.0.5
Direct dependency fix Resolution (ember-cli-favicon): 1.0.0
[mirror] Go supplementary network libraries
Library home page: https://github.com/golang/net.git
Found in HEAD commit: 9060713df80212ee5546b36d1083fb607520eb0b
Found in base branch: master
/vendor/golang.org/x/net/html/node.go
The html package (aka x/net/html) through 2018-09-25 in Go mishandles , leading to a "panic: runtime error" (index out of range) in (*insertionModeStack).pop in node.go, called from inHeadIM, during an html.Parse call.
Publish Date: 2018-10-01
URL: CVE-2018-17848
Base Score Metrics:
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2018-17848
Release Date: 2018-10-01
Fix Resolution: golang-golang-x-net-dev - 1:0.0+git20181201.351d144+dfsg-3
An issue was discovered in supplementary Go cryptography libraries, aka golang-googlecode-go-crypto, before 2019-03-20. A flaw was found in the amd64 implementation of golang.org/x/crypto/salsa20 and golang.org/x/crypto/salsa20/salsa. If more than 256 GiB of keystream is generated, or if the counter otherwise grows greater than 32 bits, the amd64 implementation will first generate incorrect output, and then cycle back to previously generated keystream. Repeated keystream bytes can lead to loss of confidentiality in encryption applications, or to predictability in CSPRNG applications.
Mend Note: Converted from WS-2019-0030, on 2021-08-01.
Publish Date: 2019-05-09
URL: CVE-2019-11840
Base Score Metrics:
Type: Upgrade version
Origin: https://bugzilla.redhat.com/show_bug.cgi?id=1691529
Fix Resolution: Upgrade to version golang.org/x/crypto v0.0.0-0.20190320223903-b7391e95e576 or greater
Handlebars provides the power necessary to let you build semantic templates effectively with no frustration
Library home page: https://registry.npmjs.org/handlebars/-/handlebars-4.0.10.tgz
Path to dependency file: /vendor/github.com/hashicorp/vault/ui/package.json
Path to vulnerable library: /vendor/github.com/hashicorp/vault/ui/node_modules/handlebars/package.json
Dependency Hierarchy:
Found in HEAD commit: 9060713df80212ee5546b36d1083fb607520eb0b
Found in base branch: master
The package handlebars before 4.7.7 is vulnerable to Prototype Pollution when selecting certain compiling options to compile templates coming from an untrusted source.
Publish Date: 2021-05-04
URL: CVE-2021-23383
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23383
Release Date: 2021-05-04
Fix Resolution (handlebars): 4.1.2-0
Direct dependency fix Resolution (ember-source): 2.15.0
[mirror] Go supplementary cryptography libraries
Library home page: https://github.com/golang/crypto.git
Found in HEAD commit: 9060713df80212ee5546b36d1083fb607520eb0b
Found in base branch: master
A nil pointer dereference in the golang.org/x/crypto/ssh component through v0.0.0-20201203163018-be400aefbc4c for Go allows remote attackers to cause a denial of service against SSH servers.
Publish Date: 2020-12-17
URL: CVE-2020-29652
Base Score Metrics:
Type: Upgrade version
Origin: https://groups.google.com/g/golang-announce/c/ouZIlBimOsE?pli=1
Release Date: 2020-12-17
Fix Resolution: v0.0.0-20201216223049-8b5274cf687f
[mirror] Go supplementary network libraries
Library home page: https://github.com/golang/net.git
Found in HEAD commit: 9060713df80212ee5546b36d1083fb607520eb0b
Found in base branch: master
The html package (aka x/net/html) through 2018-09-25 in Go mishandles
Publish Date: 2018-10-01
URL: CVE-2018-17846
Base Score Metrics:
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2018-17846
Release Date: 2018-10-01
Fix Resolution: golang-golang-x-net-dev - 1:0.0+git20181201.351d144+dfsg-3
[mirror] Go supplementary network libraries
Library home page: https://github.com/golang/net.git
Found in HEAD commit: 9060713df80212ee5546b36d1083fb607520eb0b
Found in base branch: master
/vendor/golang.org/x/net/html/node.go
The html package (aka x/net/html) through 2018-09-25 in Go mishandles , leading to a "panic: runtime error" (index out of range) in (*nodeStack).pop in node.go, called from (*parser).clearActiveFormattingElements, during an html.Parse call.
Publish Date: 2018-10-01
URL: CVE-2018-17847
Base Score Metrics:
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2018-17847
Release Date: 2018-10-01
Fix Resolution: golang-golang-x-net-dev - 1:0.0+git20181201.351d144+dfsg-3
HashiCorp Vault and Vault Enterprise versions 0.9.0 through 1.3.3 may, under certain circumstances, have an Entity's Group membership inadvertently include Groups the Entity no longer has permissions to. Fixed in 1.3.4.
Publish Date: 2020-03-23
URL: CVE-2020-10660
Base Score Metrics:
Handlebars provides the power necessary to let you build semantic templates effectively with no frustration
Library home page: https://registry.npmjs.org/handlebars/-/handlebars-4.0.10.tgz
Path to dependency file: /vendor/github.com/hashicorp/vault/ui/package.json
Path to vulnerable library: /vendor/github.com/hashicorp/vault/ui/node_modules/handlebars/package.json
Dependency Hierarchy:
Found in HEAD commit: 9060713df80212ee5546b36d1083fb607520eb0b
Found in base branch: master
The package handlebars before 4.7.7 is vulnerable to Remote Code Execution (RCE) when selecting certain compiling options to compile templates coming from an untrusted source.
Publish Date: 2021-04-12
URL: CVE-2021-23369
Base Score Metrics:
Type: Upgrade version
Release Date: 2021-04-12
Fix Resolution (handlebars): 4.1.2-0
Direct dependency fix Resolution (ember-source): 2.15.0
[mirror] Go supplementary network libraries
Library home page: https://github.com/golang/net.git
Found in HEAD commit: 9060713df80212ee5546b36d1083fb607520eb0b
Found in base branch: master
The html package (aka x/net/html) through 2018-09-17 in Go mishandles <isindex/action=0>, leading to a "panic: runtime error" in inBodyIM in parse.go during an html.Parse call.
Publish Date: 2018-09-17
URL: CVE-2018-17143
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-17143
Release Date: 2018-09-17
Fix Resolution: net- go1.11.1
Wrapper around libsass
Library home page: https://registry.npmjs.org/node-sass/-/node-sass-4.5.3.tgz
Path to dependency file: /vendor/github.com/hashicorp/vault/ui/package.json
Path to vulnerable library: /vendor/github.com/hashicorp/vault/ui/node_modules/node-sass/package.json
Dependency Hierarchy:
Found in HEAD commit: 9060713df80212ee5546b36d1083fb607520eb0b
Found in base branch: master
An issue was discovered in LibSass <3.5.3. A NULL pointer dereference was found in the function Sass::Expand::operator which could be leveraged by an attacker to cause a denial of service (application crash) or possibly have unspecified other impact.
Publish Date: 2018-06-04
URL: CVE-2018-11695
Base Score Metrics:
Type: Upgrade version
Release Date: 2018-06-04
Fix Resolution (node-sass): 4.9.0
Direct dependency fix Resolution (ember-cli-sass): 6.1.0
Simple JSON Addressing.
Library home page: https://registry.npmjs.org/jsonpointer/-/jsonpointer-4.0.1.tgz
Path to dependency file: /vendor/github.com/hashicorp/vault/ui/package.json
Path to vulnerable library: /vendor/github.com/hashicorp/vault/ui/node_modules/jsonpointer/package.json
Dependency Hierarchy:
Found in HEAD commit: 9060713df80212ee5546b36d1083fb607520eb0b
Found in base branch: master
Prototype Pollution vulnerability was found in jsonpointer before 4.1.0 via the set function.
Publish Date: 2020-07-03
URL: WS-2020-0345
Base Score Metrics:
Type: Upgrade version
Release Date: 2020-07-03
Fix Resolution (jsonpointer): 4.1.0
Direct dependency fix Resolution (ember-cli-favicon): 1.0.0
Markdown-it - modern pluggable markdown parser.
Library home page: https://registry.npmjs.org/markdown-it/-/markdown-it-8.3.1.tgz
Path to dependency file: /vendor/github.com/hashicorp/vault/ui/package.json
Path to vulnerable library: /vendor/github.com/hashicorp/vault/ui/node_modules/markdown-it/package.json
Dependency Hierarchy:
Found in HEAD commit: 9060713df80212ee5546b36d1083fb607520eb0b
Found in base branch: master
markdown-it is a Markdown parser. Prior to version 1.3.2, special patterns with length greater than 50 thousand characters could slow down the parser significantly. Users should upgrade to version 12.3.2 to receive a patch. There are no known workarounds aside from upgrading.
Publish Date: 2022-01-10
URL: CVE-2022-21670
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-6vfc-qv3f-vr6c
Release Date: 2022-01-10
Fix Resolution (markdown-it): 12.3.2
Direct dependency fix Resolution (ember-cli): 4.11.0
Strips glob magic from a string to provide the parent path
Library home page: https://registry.npmjs.org/glob-parent/-/glob-parent-2.0.0.tgz
Path to dependency file: /vendor/github.com/hashicorp/vault/ui/package.json
Path to vulnerable library: /vendor/github.com/hashicorp/vault/ui/node_modules/glob-parent/package.json
Dependency Hierarchy:
Found in HEAD commit: 9060713df80212ee5546b36d1083fb607520eb0b
Found in base branch: master
This affects the package glob-parent before 5.1.2. The enclosure regex used to check for strings ending in an enclosure containing a path separator.
Publish Date: 2021-06-03
URL: CVE-2020-28469
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28469
Release Date: 2021-06-03
Fix Resolution (glob-parent): 5.1.2
Direct dependency fix Resolution (ember-cli-qunit): 4.0.2
A javascript text diff implementation.
Library home page: https://registry.npmjs.org/diff/-/diff-3.4.0.tgz
Path to dependency file: /vendor/github.com/hashicorp/vault/ui/package.json
Path to vulnerable library: /vendor/github.com/hashicorp/vault/ui/node_modules/diff/package.json
Dependency Hierarchy:
A javascript text diff implementation.
Library home page: https://registry.npmjs.org/diff/-/diff-3.3.0.tgz
Path to dependency file: /vendor/github.com/hashicorp/vault/ui/package.json
Path to vulnerable library: /vendor/github.com/hashicorp/vault/ui/node_modules/diff/package.json
Dependency Hierarchy:
Found in HEAD commit: 9060713df80212ee5546b36d1083fb607520eb0b
Found in base branch: master
A vulnerability was found in diff before v3.5.0, the affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) attacks.
Publish Date: 2018-03-05
URL: WS-2018-0590
Base Score Metrics:
Type: Upgrade version
Release Date: 2018-03-05
Fix Resolution (diff): 3.5.0
Direct dependency fix Resolution (ember-sinon): 2.0.0
Fix Resolution (diff): 3.5.0
Direct dependency fix Resolution (ember-cli): 2.14.1
Handlebars provides the power necessary to let you build semantic templates effectively with no frustration
Library home page: https://registry.npmjs.org/handlebars/-/handlebars-4.0.10.tgz
Path to dependency file: /vendor/github.com/hashicorp/vault/ui/package.json
Path to vulnerable library: /vendor/github.com/hashicorp/vault/ui/node_modules/handlebars/package.json
Dependency Hierarchy:
Found in HEAD commit: 9060713df80212ee5546b36d1083fb607520eb0b
Found in base branch: master
Handlebars before 3.0.8 and 4.x before 4.5.3 is vulnerable to Arbitrary Code Execution. The lookup helper fails to properly validate templates, allowing attackers to submit templates that execute arbitrary JavaScript. This can be used to run arbitrary code on a server processing Handlebars templates or in a victim's browser (effectively serving as XSS).
Publish Date: 2020-09-30
URL: CVE-2019-20920
Base Score Metrics:
Type: Upgrade version
Origin: https://www.npmjs.com/advisories/1316
Release Date: 2020-10-15
Fix Resolution (handlebars): 4.5.3
Direct dependency fix Resolution (ember-source): 2.15.0
Wrapper around libsass
Library home page: https://registry.npmjs.org/node-sass/-/node-sass-4.5.3.tgz
Path to dependency file: /vendor/github.com/hashicorp/vault/ui/package.json
Path to vulnerable library: /vendor/github.com/hashicorp/vault/ui/node_modules/node-sass/package.json
Dependency Hierarchy:
Found in HEAD commit: 9060713df80212ee5546b36d1083fb607520eb0b
Found in base branch: master
An issue was discovered in LibSass through 3.5.4. A NULL pointer dereference was found in the function Sass::Inspect::operator which could be leveraged by an attacker to cause a denial of service (application crash) or possibly have unspecified other impact.
Publish Date: 2018-06-04
URL: CVE-2018-11696
Base Score Metrics:
Type: Upgrade version
Release Date: 2018-06-04
Fix Resolution (node-sass): 4.14.0
Direct dependency fix Resolution (ember-cli-sass): 6.1.0
Wrapper around libsass
Library home page: https://registry.npmjs.org/node-sass/-/node-sass-4.5.3.tgz
Path to dependency file: /vendor/github.com/hashicorp/vault/ui/package.json
Path to vulnerable library: /vendor/github.com/hashicorp/vault/ui/node_modules/node-sass/package.json
Dependency Hierarchy:
Found in HEAD commit: 9060713df80212ee5546b36d1083fb607520eb0b
Found in base branch: master
An issue was discovered in LibSass through 3.5.4. An out-of-bounds read of a memory region was found in the function Sass::handle_error which could be leveraged by an attacker to disclose information or manipulated to read from unmapped memory causing a denial of service.
Publish Date: 2018-06-04
URL: CVE-2018-11698
Base Score Metrics:
Recursive object extending
Library home page: https://registry.npmjs.org/deep-extend/-/deep-extend-0.4.2.tgz
Path to dependency file: /vendor/github.com/hashicorp/vault/ui/package.json
Path to vulnerable library: /vendor/github.com/hashicorp/vault/ui/package.json
Dependency Hierarchy:
Found in HEAD commit: 9060713df80212ee5546b36d1083fb607520eb0b
Found in base branch: master
The utilities function in all versions <= 0.5.0 of the deep-extend node module can be tricked into modifying the prototype of Object when the attacker can control part of the structure passed to this function. This can let an attacker add or modify existing properties that will exist on all objects.
Publish Date: 2018-07-03
URL: CVE-2018-3750
Base Score Metrics:
Type: Upgrade version
Origin: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3750
Release Date: 2018-07-03
Fix Resolution (deep-extend): 0.5.1
Direct dependency fix Resolution (ember-cli-qunit): 4.0.1