s69y / s69y

This project forked from atom/flight-manual.atom.io

1.0 1.0 0.0 94.39 MB

📖 Documentation for Atom, generated by nanoc, hosted by GitHub Pages

Home Page: https://flight-manual.atom.io

License: Other

Ruby 21.19% HTML 10.15% JavaScript 17.04% Shell 1.67% Batchfile 0.32% SCSS 49.64%

s69y's Introduction

Atom Flight Manual

This is the Atom book. Everything you need to know in order to use and hack Atom is in this Flight Manual.

You can find this book online at: https://flight-manual.atom.io

This book is open source under a Creative Commons license.

License

This book is published under the Creative Commons BY-SA license. If you contribute to the work, you will have to agree to allow your content to be published under the same license. Check out the license file for more details.

Current Progress

To check the current progress and planned content of the book, check out the outline. This is a good place to start if you're looking for something to add.

Testing Changes Locally

Prerequisites

Fetching dependencies

You can always fetch the latest dependencies by opening the command line and running script/bootstrap:

$ script/bootstrap

Starting the site

You can start the site with script/server:

$ script/server
Loading site data...
Compiling site...
…

Site compiled in 5.81s.

While the server is running, you can see the site in your browser at http://localhost:4000.

Contributing

If you'd like to help out by making a change, adding content or improving something, take a look at the contributor's guide.

s69y's People

Contributors

50wliu, aerijo, arcanemagus, austinvockrodt, ben3eee, binarymuse, briandk, damieng, dependabot[bot], gjtorikian, hubot, izuzak, jasonrudolph, jeffreymorganio, josephtlyons, kevinsawicki, lee-dohm, maxbrunsfeld, mnquintana, okbel, rsese, s69y, schacon, simurai, thedaniel, thomasjo, timrossback, torn4dom4n, uzitech, vanessayuenn

s69y's Issues

CVE-2018-16492 (Critical) detected in extend-3.0.1.tgz

CVE-2018-16492 - Critical Severity Vulnerability

Vulnerable Library - extend-3.0.1.tgz

Port of jQuery.extend for node.js and the browser

Library home page: https://registry.npmjs.org/extend/-/extend-3.0.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/extend/package.json

Dependency Hierarchy:

  • gulp-4.0.0.tgz (Root Library)
    • vinyl-fs-3.0.3.tgz
      • glob-stream-6.1.0.tgz
        • โŒ extend-3.0.1.tgz (Vulnerable Library)

Found in HEAD commit: dc229a9f59fdfe6153b16c2f9456017e48115716

Found in base branch: git-branch--m-master--git-fetch-origin-git-branch--u-origin/--git-remote-set-head-origin--a

Vulnerability Details

A prototype pollution vulnerability was found in module extend <2.0.2, ~<3.0.2 that allows an attacker to inject arbitrary properties onto Object.prototype.

Publish Date: 2019-02-01

URL: CVE-2018-16492

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://hackerone.com/reports/381185

Release Date: 2019-02-01

Fix Resolution (extend): 3.0.2

Direct dependency fix Resolution (gulp): 4.0.1


Step up your Open Source Security Game with Mend here

CVE-2021-33623 (High) detected in trim-newlines-1.0.0.tgz

CVE-2021-33623 - High Severity Vulnerability

Vulnerable Library - trim-newlines-1.0.0.tgz

Trim newlines from the start and/or end of a string

Library home page: https://registry.npmjs.org/trim-newlines/-/trim-newlines-1.0.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/trim-newlines/package.json

Dependency Hierarchy:

  • gulp-sass-2.3.2.tgz (Root Library)
    • node-sass-3.13.1.tgz
      • meow-3.7.0.tgz
        • โŒ trim-newlines-1.0.0.tgz (Vulnerable Library)

Found in HEAD commit: dc229a9f59fdfe6153b16c2f9456017e48115716

Found in base branch: git-branch--m-master--git-fetch-origin-git-branch--u-origin/--git-remote-set-head-origin--a

Vulnerability Details

The trim-newlines package before 3.0.1 and 4.x before 4.0.1 for Node.js has an issue related to regular expression denial-of-service (ReDoS) for the .end() method.

Publish Date: 2021-05-28

URL: CVE-2021-33623

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33623

Release Date: 2021-05-28

Fix Resolution (trim-newlines): 3.0.1

Direct dependency fix Resolution (gulp-sass): 5.0.0


CVE-2020-7662 (High) detected in websocket-extensions-0.1.3.tgz - autoclosed

CVE-2020-7662 - High Severity Vulnerability

Vulnerable Library - websocket-extensions-0.1.3.tgz

Generic extension manager for WebSocket connections

Library home page: https://registry.npmjs.org/websocket-extensions/-/websocket-extensions-0.1.3.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/websocket-extensions/package.json

Dependency Hierarchy:

  • gulp-connect-5.5.0.tgz (Root Library)
    • tiny-lr-0.2.1.tgz
      • faye-websocket-0.10.0.tgz
        • websocket-driver-0.7.0.tgz
          • โŒ websocket-extensions-0.1.3.tgz (Vulnerable Library)

Found in HEAD commit: dc229a9f59fdfe6153b16c2f9456017e48115716

Found in base branch: master

Vulnerability Details

websocket-extensions npm module prior to 0.1.4 allows Denial of Service (DoS) via Regex Backtracking. The extension parser may take quadratic time when parsing a header containing an unclosed string parameter value whose content is a repeating two-byte sequence of a backslash and some other character. This could be abused by an attacker to conduct Regex Denial Of Service (ReDoS) on a single-threaded server by providing a malicious payload with the Sec-WebSocket-Extensions header.

Publish Date: 2020-06-02

URL: CVE-2020-7662

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-g78m-2chm-r7qv

Release Date: 2020-06-02

Fix Resolution (websocket-extensions): 0.1.4

Direct dependency fix Resolution (gulp-connect): 5.6.1


CVE-2018-3737 (High) detected in sshpk-1.13.1.tgz

CVE-2018-3737 - High Severity Vulnerability

Vulnerable Library - sshpk-1.13.1.tgz

A library for finding and using SSH public keys

Library home page: https://registry.npmjs.org/sshpk/-/sshpk-1.13.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/sshpk/package.json

Dependency Hierarchy:

  • gulp-sass-2.3.2.tgz (Root Library)
    • node-sass-3.13.1.tgz
      • request-2.83.0.tgz
        • http-signature-1.2.0.tgz
          • โŒ sshpk-1.13.1.tgz (Vulnerable Library)

Found in HEAD commit: dc229a9f59fdfe6153b16c2f9456017e48115716

Found in base branch: git-branch--m-master--git-fetch-origin-git-branch--u-origin/--git-remote-set-head-origin--a

Vulnerability Details

sshpk is vulnerable to ReDoS when parsing crafted invalid public keys.

Publish Date: 2018-06-07

URL: CVE-2018-3737

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://hackerone.com/reports/319593

Release Date: 2018-04-26

Fix Resolution (sshpk): 1.13.2

Direct dependency fix Resolution (gulp-sass): 3.0.0


CVE-2018-18385 (High) detected in asciidoctor-1.5.7.1.gem - autoclosed

CVE-2018-18385 - High Severity Vulnerability

Vulnerable Library - asciidoctor-1.5.7.1.gem

A fast, open source text processor and publishing toolchain, written in Ruby, for converting AsciiDoc content to HTML5, DocBook 5 (or 4.5) and other formats.

Library home page: https://rubygems.org/gems/asciidoctor-1.5.7.1.gem

Dependency Hierarchy:

  • html-pipeline-asciidoc_filter-1.5.3.gem (Root Library)
    • โŒ asciidoctor-1.5.7.1.gem (Vulnerable Library)

Found in HEAD commit: dc229a9f59fdfe6153b16c2f9456017e48115716

Found in base branch: master

Vulnerability Details

Asciidoctor in versions < 1.5.8 allows remote attackers to cause a denial of service (infinite loop). The loop was caused by the fact that Parser.next_block was not exhausting all the lines in the reader as the while loop expected it would. This was happening because the regular expression that detects any list was not agreeing with the regular expression that detects a specific list type. So the line kept getting pushed back onto the reader, hence causing the loop.

Publish Date: 2018-10-16

URL: CVE-2018-18385

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-18385

Release Date: 2018-10-16

Fix Resolution: v1.5.8


CVE-2020-7656 (Medium) detected in jquery-1.3.2.min.js - autoclosed

CVE-2020-7656 - Medium Severity Vulnerability

Vulnerable Library - jquery-1.3.2.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.3.2/jquery.min.js

Path to dependency file: /assets/vendor/lunr.js/node_modules/github-flavored-markdown/_layouts/default.html

Path to vulnerable library: /assets/vendor/lunr.js/node_modules/github-flavored-markdown/_layouts/default.html

Dependency Hierarchy:

  • โŒ jquery-1.3.2.min.js (Vulnerable Library)

Found in HEAD commit: dc229a9f59fdfe6153b16c2f9456017e48115716

Found in base branch: master

Vulnerability Details

jquery prior to 1.9.0 allows Cross-site Scripting attacks via the load method. The load method fails to recognize and remove "<script>" HTML tags that contain a whitespace character, i.e. "</script >", which results in the enclosed script logic being executed.

Publish Date: 2020-05-19

URL: CVE-2020-7656

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: GHSA-q4m3-2j7h-f7xw

Release Date: 2020-05-28

Fix Resolution: jquery - 1.9.0


CVE-2017-18869 (Low) detected in chownr-1.0.1.tgz

CVE-2017-18869 - Low Severity Vulnerability

Vulnerable Library - chownr-1.0.1.tgz

like `chown -R`

Library home page: https://registry.npmjs.org/chownr/-/chownr-1.0.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

  • gulp-4.0.0.tgz (Root Library)
    • glob-watcher-5.0.1.tgz
      • chokidar-2.0.4.tgz
        • fsevents-1.2.4.tgz
          • node-pre-gyp-0.10.0.tgz
            • tar-4.4.1.tgz
              • โŒ chownr-1.0.1.tgz (Vulnerable Library)

Found in HEAD commit: dc229a9f59fdfe6153b16c2f9456017e48115716

Found in base branch: git-branch--m-master--git-fetch-origin-git-branch--u-origin/--git-remote-set-head-origin--a

Vulnerability Details

A TOCTOU issue in the chownr package before 1.1.0 for Node.js 10.10 could allow a local attacker to trick it into descending into unintended directories via symlink attacks.

Publish Date: 2020-06-15

URL: CVE-2017-18869

CVSS 3 Score Details (2.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: High
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: Low
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18869

Release Date: 2020-06-15

Fix Resolution (chownr): 1.1.0

Direct dependency fix Resolution (gulp): 4.0.1


WS-2017-0247 (Low) detected in ms-0.3.0.tgz, ms-0.7.1.tgz - autoclosed

WS-2017-0247 - Low Severity Vulnerability

Vulnerable Libraries - ms-0.3.0.tgz, ms-0.7.1.tgz

ms-0.3.0.tgz

Tiny ms conversion utility

Library home page: https://registry.npmjs.org/ms/-/ms-0.3.0.tgz

Path to dependency file: S69y/assets/vendor/mustache/package.json

Path to vulnerable library: S69y/assets/vendor/mustache/node_modules/ms/package.json

Dependency Hierarchy:

  • mocha-1.5.0.tgz (Root Library)
    • โŒ ms-0.3.0.tgz (Vulnerable Library)
ms-0.7.1.tgz

Tiny ms conversion utility

Library home page: https://registry.npmjs.org/ms/-/ms-0.7.1.tgz

Path to dependency file: S69y/package.json

Path to vulnerable library: S69y/node_modules/tiny-lr/node_modules/ms/package.json,S69y/node_modules/send/node_modules/ms/package.json,S69y/node_modules/body-parser/node_modules/ms/package.json

Dependency Hierarchy:

  • gulp-connect-5.5.0.tgz (Root Library)
    • send-0.13.2.tgz
      • โŒ ms-0.7.1.tgz (Vulnerable Library)

Found in HEAD commit: dc229a9f59fdfe6153b16c2f9456017e48115716

Found in base branch: master

Vulnerability Details

Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS).

Publish Date: 2017-04-12

URL: WS-2017-0247

CVSS 2 Score Details (3.4)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: vercel/ms#89

Release Date: 2017-04-12

Fix Resolution: 2.1.1


CVE-2018-11694 (Medium) detected in node-sass-3.13.1.tgz

CVE-2018-11694 - Medium Severity Vulnerability

Vulnerable Library - node-sass-3.13.1.tgz

Wrapper around libsass

Library home page: https://registry.npmjs.org/node-sass/-/node-sass-3.13.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/node-sass/package.json

Dependency Hierarchy:

  • gulp-sass-2.3.2.tgz (Root Library)
    • โŒ node-sass-3.13.1.tgz (Vulnerable Library)

Found in HEAD commit: dc229a9f59fdfe6153b16c2f9456017e48115716

Found in base branch: git-branch--m-master--git-fetch-origin-git-branch--u-origin/--git-remote-set-head-origin--a

Vulnerability Details

An issue was discovered in LibSass through 3.5.4. A NULL pointer dereference was found in the function Sass::Functions::selector_append which could be leveraged by an attacker to cause a denial of service (application crash) or possibly have unspecified other impact.

Publish Date: 2018-06-04

URL: CVE-2018-11694

CVSS 3 Score Details (5.6)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Release Date: 2018-06-04

Fix Resolution: Fable.Template.Elmish.React - 0.1.6;GR.PageRender.Razor - 1.8.0;MIDIator.WebClient - 1.0.105


CVE-2017-12964 (High) detected in node-sass-3.13.1.tgz

CVE-2017-12964 - High Severity Vulnerability

Vulnerable Library - node-sass-3.13.1.tgz

Wrapper around libsass

Library home page: https://registry.npmjs.org/node-sass/-/node-sass-3.13.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/node-sass/package.json

Dependency Hierarchy:

  • gulp-sass-2.3.2.tgz (Root Library)
    • โŒ node-sass-3.13.1.tgz (Vulnerable Library)

Found in HEAD commit: dc229a9f59fdfe6153b16c2f9456017e48115716

Found in base branch: git-branch--m-master--git-fetch-origin-git-branch--u-origin/--git-remote-set-head-origin--a

Vulnerability Details

There is a stack consumption issue in LibSass 3.4.5 that is triggered in the function Sass::Eval::operator() in eval.cpp. It will lead to a remote denial of service attack.

Publish Date: 2017-08-18

URL: CVE-2017-12964

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Release Date: 2022-10-03

Fix Resolution (node-sass): 4.4.0

Direct dependency fix Resolution (gulp-sass): 3.0.0


CVE-2017-16137 (Low) detected in debug-2.2.0.tgz

CVE-2017-16137 - Low Severity Vulnerability

Vulnerable Library - debug-2.2.0.tgz

small debugging utility

Library home page: https://registry.npmjs.org/debug/-/debug-2.2.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/body-parser/node_modules/debug/package.json,/node_modules/tiny-lr/node_modules/debug/package.json,/node_modules/send/node_modules/debug/package.json

Dependency Hierarchy:

  • gulp-connect-5.5.0.tgz (Root Library)
    • send-0.13.2.tgz
      • โŒ debug-2.2.0.tgz (Vulnerable Library)

Found in HEAD commit: dc229a9f59fdfe6153b16c2f9456017e48115716

Found in base branch: git-branch--m-master--git-fetch-origin-git-branch--u-origin/--git-remote-set-head-origin--a

Vulnerability Details

The debug module is vulnerable to regular expression denial of service when untrusted user input is passed into the o formatter. It takes around 50k characters to block for 2 seconds making this a low severity issue.

Publish Date: 2018-06-07

URL: CVE-2017-16137

CVSS 3 Score Details (3.7)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: GHSA-gxpj-cx7g-858c

Release Date: 2018-04-26

Fix Resolution (debug): 2.6.9

Direct dependency fix Resolution (gulp-connect): 5.6.1


CVE-2018-3749 (Critical) detected in deap-1.0.0.tgz

CVE-2018-3749 - Critical Severity Vulnerability

Vulnerable Library - deap-1.0.0.tgz

extend and merge objects, deep or shallow

Library home page: https://registry.npmjs.org/deap/-/deap-1.0.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/deap/package.json

Dependency Hierarchy:

  • gulp-uglify-1.5.4.tgz (Root Library)
    • โŒ deap-1.0.0.tgz (Vulnerable Library)

Found in HEAD commit: dc229a9f59fdfe6153b16c2f9456017e48115716

Found in base branch: git-branch--m-master--git-fetch-origin-git-branch--u-origin/--git-remote-set-head-origin--a

Vulnerability Details

The utilities function in all versions < 1.0.1 of the deap node module can be tricked into modifying the prototype of Object when the attacker can control part of the structure passed to this function. This can let an attacker add or modify existing properties that will exist on all objects.

Publish Date: 2018-07-03

URL: CVE-2018-3749

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://nodesecurity.io/advisories/611

Release Date: 2018-05-24

Fix Resolution (deap): 1.0.1

Direct dependency fix Resolution (gulp-uglify): 2.0.0


CVE-2021-28834 (High) detected in kramdown-2.1.0.gem - autoclosed

CVE-2021-28834 - High Severity Vulnerability

Vulnerable Library - kramdown-2.1.0.gem

kramdown is yet-another-markdown-parser but fast, pure Ruby, using a strict syntax definition and supporting several common extensions.

Library home page: https://rubygems.org/gems/kramdown-2.1.0.gem

Dependency Hierarchy:

  • โŒ kramdown-2.1.0.gem (Vulnerable Library)

Found in HEAD commit: dc229a9f59fdfe6153b16c2f9456017e48115716

Found in base branch: master

Vulnerability Details

Kramdown before 2.3.1 does not restrict Rouge formatters to the Rouge::Formatters namespace, and thus arbitrary classes can be instantiated.

Publish Date: 2021-03-19

URL: CVE-2021-28834

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: rubysec/ruby-advisory-db@d06e48b

Release Date: 2021-03-19

Fix Resolution: 2.3.1


CVE-2017-1000048 (High) detected in qs-5.2.0.tgz, qs-5.1.0.tgz

CVE-2017-1000048 - High Severity Vulnerability

Vulnerable Libraries - qs-5.2.0.tgz, qs-5.1.0.tgz

qs-5.2.0.tgz

A querystring parser that supports nesting and arrays, with a depth limit

Library home page: https://registry.npmjs.org/qs/-/qs-5.2.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/body-parser/node_modules/qs/package.json

Dependency Hierarchy:

  • gulp-connect-5.5.0.tgz (Root Library)
    • tiny-lr-0.2.1.tgz
      • body-parser-1.14.2.tgz
        • โŒ qs-5.2.0.tgz (Vulnerable Library)
qs-5.1.0.tgz

A querystring parser that supports nesting and arrays, with a depth limit

Library home page: https://registry.npmjs.org/qs/-/qs-5.1.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/qs/package.json

Dependency Hierarchy:

  • gulp-connect-5.5.0.tgz (Root Library)
    • tiny-lr-0.2.1.tgz
      • โŒ qs-5.1.0.tgz (Vulnerable Library)

Found in HEAD commit: dc229a9f59fdfe6153b16c2f9456017e48115716

Found in base branch: git-branch--m-master--git-fetch-origin-git-branch--u-origin/--git-remote-set-head-origin--a

Vulnerability Details

A web framework using ljharb's qs module older than v6.3.2, v6.2.3, v6.1.2, or v6.0.4 is vulnerable to a DoS. A malicious user can send a crafted request that causes the web framework to crash.

Publish Date: 2017-07-17

URL: CVE-2017-1000048

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000048

Release Date: 2017-07-13

Fix Resolution (qs): 6.0.4

Direct dependency fix Resolution (gulp-connect): 5.6.1

CVE-2018-1000620 (Critical) detected in cryptiles-3.1.2.tgz

CVE-2018-1000620 - Critical Severity Vulnerability

Vulnerable Library - cryptiles-3.1.2.tgz

General purpose crypto utilities

Library home page: https://registry.npmjs.org/cryptiles/-/cryptiles-3.1.2.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/cryptiles/package.json

Dependency Hierarchy:

  • gulp-sass-2.3.2.tgz (Root Library)
    • node-sass-3.13.1.tgz
      • request-2.83.0.tgz
        • hawk-6.0.2.tgz
          • โŒ cryptiles-3.1.2.tgz (Vulnerable Library)

Found in HEAD commit: dc229a9f59fdfe6153b16c2f9456017e48115716

Found in base branch: git-branch--m-master--git-fetch-origin-git-branch--u-origin/--git-remote-set-head-origin--a

Vulnerability Details

Eran Hammer's cryptiles version 4.1.1 and earlier contains a CWE-331 (Insufficient Entropy) vulnerability in the randomDigits() method: an attacker is more likely to be able to brute force a value that was supposed to be random. Whether this is exploitable depends upon the calling application. This vulnerability appears to have been fixed in 4.1.2.

Publish Date: 2018-07-09

URL: CVE-2018-1000620

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-1000620

Release Date: 2018-07-09

Fix Resolution (cryptiles): 4.1.2

Direct dependency fix Resolution (gulp-sass): 3.0.0


CVE-2020-14001 (High) detected in kramdown-2.1.0.gem - autoclosed

CVE-2020-14001 - High Severity Vulnerability

Vulnerable Library - kramdown-2.1.0.gem

kramdown is yet-another-markdown-parser but fast, pure Ruby, using a strict syntax definition and supporting several common extensions.

Library home page: https://rubygems.org/gems/kramdown-2.1.0.gem

Dependency Hierarchy:

  • โŒ kramdown-2.1.0.gem (Vulnerable Library)

Found in HEAD commit: dc229a9f59fdfe6153b16c2f9456017e48115716

Found in base branch: master

Vulnerability Details

The kramdown gem before 2.3.0 for Ruby processes the template option inside Kramdown documents by default, which allows unintended read access (such as template="/etc/passwd") or unintended embedded Ruby code execution (such as a string that begins with template="string://<%= `). NOTE: kramdown is used in Jekyll, GitLab Pages, GitHub Pages, and Thredded Forum.

Publish Date: 2020-07-17

URL: CVE-2020-14001

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14001

Release Date: 2020-07-17

Fix Resolution: kramdown - 2.3.0


CVE-2019-10746 (Critical) detected in mixin-deep-1.3.1.tgz

CVE-2019-10746 - Critical Severity Vulnerability

Vulnerable Library - mixin-deep-1.3.1.tgz

Deeply mix the properties of objects into the first object. Like merge-deep, but doesn't clone.

Library home page: https://registry.npmjs.org/mixin-deep/-/mixin-deep-1.3.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/mixin-deep/package.json

Dependency Hierarchy:

  • gulp-4.0.0.tgz (Root Library)
    • gulp-cli-2.0.1.tgz
      • matchdep-2.0.0.tgz
        • micromatch-3.1.10.tgz
          • snapdragon-0.8.2.tgz
            • base-0.11.2.tgz
              • โŒ mixin-deep-1.3.1.tgz (Vulnerable Library)

Found in HEAD commit: dc229a9f59fdfe6153b16c2f9456017e48115716

Found in base branch: git-branch--m-master--git-fetch-origin-git-branch--u-origin/--git-remote-set-head-origin--a

Vulnerability Details

mixin-deep is vulnerable to Prototype Pollution in versions before 1.3.2 and version 2.0.0. The function mixin-deep could be tricked into adding or modifying properties of Object.prototype using a constructor payload.

Publish Date: 2019-08-23

URL: CVE-2019-10746

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Release Date: 2019-08-23

Fix Resolution (mixin-deep): 1.3.2

Direct dependency fix Resolution (gulp): 4.0.1


CVE-2020-7788 (Critical) detected in ini-1.3.5.tgz

CVE-2020-7788 - Critical Severity Vulnerability

Vulnerable Library - ini-1.3.5.tgz

An ini encoder/decoder for node

Library home page: https://registry.npmjs.org/ini/-/ini-1.3.5.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/ini/package.json,/package.json

Dependency Hierarchy:

  • gulp-4.0.0.tgz (Root Library)
    • gulp-cli-2.0.1.tgz
      • liftoff-2.5.0.tgz
        • findup-sync-2.0.0.tgz
          • resolve-dir-1.0.1.tgz
            • global-modules-1.0.0.tgz
              • global-prefix-1.0.2.tgz
                • โŒ ini-1.3.5.tgz (Vulnerable Library)

Found in HEAD commit: dc229a9f59fdfe6153b16c2f9456017e48115716

Found in base branch: git-branch--m-master--git-fetch-origin-git-branch--u-origin/--git-remote-set-head-origin--a

Vulnerability Details

This affects the package ini before 1.3.6. If an attacker submits a malicious INI file to an application that parses it with ini.parse, they will pollute the prototype on the application. This can be exploited further depending on the context.

Publish Date: 2020-12-11

URL: CVE-2020-7788

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7788

Release Date: 2020-12-11

Fix Resolution (ini): 1.3.6

Direct dependency fix Resolution (gulp): 4.0.1


CVE-2018-11697 (Medium) detected in node-sass-3.13.1.tgz

CVE-2018-11697 - Medium Severity Vulnerability

Vulnerable Library - node-sass-3.13.1.tgz

Wrapper around libsass

Library home page: https://registry.npmjs.org/node-sass/-/node-sass-3.13.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/node-sass/package.json

Dependency Hierarchy:

  • gulp-sass-2.3.2.tgz (Root Library)
    • โŒ node-sass-3.13.1.tgz (Vulnerable Library)

Found in HEAD commit: dc229a9f59fdfe6153b16c2f9456017e48115716

Found in base branch: git-branch--m-master--git-fetch-origin-git-branch--u-origin/--git-remote-set-head-origin--a

Vulnerability Details

An issue was discovered in LibSass through 3.5.4. An out-of-bounds read of a memory region was found in the function Sass::Prelexer::exactly() which could be leveraged by an attacker to disclose information or manipulated to read from unmapped memory causing a denial of service.

Publish Date: 2018-06-04

URL: CVE-2018-11697

CVSS 3 Score Details (4.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: None
    • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Release Date: 2018-06-04

Fix Resolution (node-sass): 4.14.0

Direct dependency fix Resolution (gulp-sass): 3.0.0


CVE-2018-11698 (Medium) detected in node-sass-3.13.1.tgz

CVE-2018-11698 - Medium Severity Vulnerability

Vulnerable Library - node-sass-3.13.1.tgz

Wrapper around libsass

Library home page: https://registry.npmjs.org/node-sass/-/node-sass-3.13.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/node-sass/package.json

Dependency Hierarchy:

  • gulp-sass-2.3.2.tgz (Root Library)
    • โŒ node-sass-3.13.1.tgz (Vulnerable Library)

Found in HEAD commit: dc229a9f59fdfe6153b16c2f9456017e48115716

Found in base branch: git-branch--m-master--git-fetch-origin-git-branch--u-origin/--git-remote-set-head-origin--a

Vulnerability Details

An issue was discovered in LibSass through 3.5.4. An out-of-bounds read of a memory region was found in the function Sass::handle_error which could be leveraged by an attacker to disclose information or manipulated to read from unmapped memory causing a denial of service.

Publish Date: 2018-06-04

URL: CVE-2018-11698

CVSS 3 Score Details (4.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: None
    • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Release Date: 2018-06-04

Fix Resolution: node-sass - 3.6.0


CVE-2020-26247 (Medium) detected in nokogiri-1.8.4.gem - autoclosed

CVE-2020-26247 - Medium Severity Vulnerability

Vulnerable Library - nokogiri-1.8.4.gem

Nokogiri (鋸) is an HTML, XML, SAX, and Reader parser. Among Nokogiri's many features is the ability to search documents via XPath or CSS3 selectors.

Library home page: https://rubygems.org/gems/nokogiri-1.8.4.gem

Dependency Hierarchy:

  • html-proofer-3.9.2.gem (Root Library)
    • โŒ nokogiri-1.8.4.gem (Vulnerable Library)

Found in HEAD commit: dc229a9f59fdfe6153b16c2f9456017e48115716

Found in base branch: master

Vulnerability Details

Nokogiri is a Rubygem providing HTML, XML, SAX, and Reader parsers with XPath and CSS selector support. In Nokogiri before version 1.11.0.rc4 there is an XXE vulnerability. XML Schemas parsed by Nokogiri::XML::Schema are trusted by default, allowing external resources to be accessed over the network, potentially enabling XXE or SSRF attacks. This behavior is counter to the security policy followed by Nokogiri maintainers, which is to treat all input as untrusted by default whenever possible. This is fixed in Nokogiri version 1.11.0.rc4.

Publish Date: 2020-12-30

URL: CVE-2020-26247

CVSS 3 Score Details (4.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: None
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://github.com/sparklemotion/nokogiri/releases/tag/v1.11.0.rc4

Release Date: 2020-12-30

Fix Resolution: 1.11.0.rc4


CVE-2019-20149 (High) detected in kind-of-6.0.2.tgz

CVE-2019-20149 - High Severity Vulnerability

Vulnerable Library - kind-of-6.0.2.tgz

Get the native type of a value.

Library home page: https://registry.npmjs.org/kind-of/-/kind-of-6.0.2.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/base/node_modules/kind-of/package.json,/node_modules/extglob/node_modules/kind-of/package.json,/node_modules/define-property/node_modules/kind-of/package.json,/node_modules/make-iterator/node_modules/kind-of/package.json,/node_modules/snapdragon-node/node_modules/kind-of/package.json,/node_modules/nanomatch/node_modules/kind-of/package.json,/node_modules/micromatch/node_modules/kind-of/package.json

Dependency Hierarchy:

  • gulp-4.0.0.tgz (Root Library)
    • gulp-cli-2.0.1.tgz
      • matchdep-2.0.0.tgz
        • micromatch-3.1.10.tgz
          • โŒ kind-of-6.0.2.tgz (Vulnerable Library)

Found in HEAD commit: dc229a9f59fdfe6153b16c2f9456017e48115716

Found in base branch: git-branch--m-master--git-fetch-origin-git-branch--u-origin/--git-remote-set-head-origin--a

Vulnerability Details

ctorName in index.js in kind-of v6.0.2 allows external user input to overwrite certain internal attributes via a conflicting name, as demonstrated by 'constructor': {'name':'Symbol'}. Hence, a crafted payload can overwrite this builtin attribute to manipulate the type detection result.

Publish Date: 2019-12-30

URL: CVE-2019-20149

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: High
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-20149

Release Date: 2019-12-30

Fix Resolution (kind-of): 6.0.3

Direct dependency fix Resolution (gulp): 4.0.1


CVE-2020-28503 (Critical) detected in copy-props-2.0.4.tgz

CVE-2020-28503 - Critical Severity Vulnerability

Vulnerable Library - copy-props-2.0.4.tgz

Copy properties deeply between two objects.

Library home page: https://registry.npmjs.org/copy-props/-/copy-props-2.0.4.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/copy-props/package.json

Dependency Hierarchy:

  • gulp-4.0.0.tgz (Root Library)
    • gulp-cli-2.0.1.tgz
      • โŒ copy-props-2.0.4.tgz (Vulnerable Library)

Found in HEAD commit: dc229a9f59fdfe6153b16c2f9456017e48115716

Found in base branch: git-branch--m-master--git-fetch-origin-git-branch--u-origin/--git-remote-set-head-origin--a

Vulnerability Details

The package copy-props before 2.0.5 is vulnerable to Prototype Pollution via its main functionality.

Publish Date: 2021-03-23

URL: CVE-2020-28503

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Release Date: 2021-03-23

Fix Resolution (copy-props): 2.0.5

Direct dependency fix Resolution (gulp): 4.0.1


CVE-2018-16469 (High) detected in merge-1.2.0.tgz

CVE-2018-16469 - High Severity Vulnerability

Vulnerable Library - merge-1.2.0.tgz

Merge multiple objects into one, optionally creating a new cloned object. Similar to the jQuery.extend but more flexible. Works in Node.js and the browser.

Library home page: https://registry.npmjs.org/merge/-/merge-1.2.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/merge/package.json

Dependency Hierarchy:

  • gulp-coffee-2.3.5.tgz (Root Library)
    • โŒ merge-1.2.0.tgz (Vulnerable Library)

Found in HEAD commit: dc229a9f59fdfe6153b16c2f9456017e48115716

Found in base branch: git-branch--m-master--git-fetch-origin-git-branch--u-origin/--git-remote-set-head-origin--a

Vulnerability Details

The merge.recursive function in the merge package <1.2.1 can be tricked into adding or modifying properties of the Object prototype. These properties will be present on all objects allowing for a denial of service attack.

Publish Date: 2018-10-30

URL: CVE-2018-16469

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16469

Release Date: 2018-10-30

Fix Resolution (merge): 1.2.1

Direct dependency fix Resolution (gulp-coffee): 3.0.0


CVE-2019-18797 (Medium) detected in node-sass-3.13.1.tgz

CVE-2019-18797 - Medium Severity Vulnerability

Vulnerable Library - node-sass-3.13.1.tgz

Wrapper around libsass

Library home page: https://registry.npmjs.org/node-sass/-/node-sass-3.13.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/node-sass/package.json

Dependency Hierarchy:

  • gulp-sass-2.3.2.tgz (Root Library)
    • โŒ node-sass-3.13.1.tgz (Vulnerable Library)

Found in HEAD commit: dc229a9f59fdfe6153b16c2f9456017e48115716

Found in base branch: git-branch--m-master--git-fetch-origin-git-branch--u-origin/--git-remote-set-head-origin--a

Vulnerability Details

LibSass 3.6.1 has uncontrolled recursion in Sass::Eval::operator()(Sass::Binary_Expression*) in eval.cpp.

Publish Date: 2019-11-06

URL: CVE-2019-18797

CVSS 3 Score Details (6.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2019-18797

Release Date: 2019-11-06

Fix Resolution (node-sass): 4.8.0

Direct dependency fix Resolution (gulp-sass): 3.0.0


WS-2018-0590 (High) detected in diff-1.0.2.tgz

WS-2018-0590 - High Severity Vulnerability

Vulnerable Library - diff-1.0.2.tgz

A javascript text diff implementation.

Library home page: https://registry.npmjs.org/diff/-/diff-1.0.2.tgz

Path to dependency file: /assets/vendor/mustache/package.json

Path to vulnerable library: /assets/vendor/mustache/node_modules/diff/package.json

Dependency Hierarchy:

  • mocha-1.5.0.tgz (Root Library)
    • โŒ diff-1.0.2.tgz (Vulnerable Library)

Found in HEAD commit: dc229a9f59fdfe6153b16c2f9456017e48115716

Found in base branch: git-branch--m-master--git-fetch-origin-git-branch--u-origin/--git-remote-set-head-origin--a

Vulnerability Details

A vulnerability was found in diff before v3.5.0; the affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) attacks.

Publish Date: 2018-03-05

URL: WS-2018-0590

CVSS 3 Score Details (7.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Release Date: 2018-03-05

Fix Resolution (diff): 3.5.0

Direct dependency fix Resolution (mocha): 5.0.3


WS-2015-0033 (High) detected in uglify-js-2.4.13.tgz - autoclosed

WS-2015-0033 - High Severity Vulnerability

Vulnerable Library - uglify-js-2.4.13.tgz

JavaScript parser, mangler/compressor and beautifier toolkit

Library home page: https://registry.npmjs.org/uglify-js/-/uglify-js-2.4.13.tgz

Path to dependency file: S69y/assets/vendor/lunr.js/package.json

Path to vulnerable library: S69y/assets/vendor/lunr.js/node_modules/uglify-js/package.json

Dependency Hierarchy:

  • โŒ uglify-js-2.4.13.tgz (Vulnerable Library)

Found in HEAD commit: dc229a9f59fdfe6153b16c2f9456017e48115716

Found in base branch: master

Vulnerability Details

uglifier incorrectly handles non-boolean comparisons during minification. The upstream library for the Ruby uglifier gem, UglifyJS, is affected by a vulnerability that allows a specially crafted JavaScript file to have altered functionality after minification. This bug, found in UglifyJS versions 2.4.23 and earlier, was demonstrated to allow potentially malicious code to be hidden within secure code and activated by the minification process.

Publish Date: 2015-07-22

URL: WS-2015-0033

CVSS 3 Score Details (7.2)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://hakiri.io/technologies/uglifier/issues/279911d9720338

Release Date: 2015-07-22

Fix Resolution: Uglifier - 2.7.2;uglify-js - v2.4.24


CVE-2020-7774 (Critical) detected in y18n-3.2.1.tgz

CVE-2020-7774 - Critical Severity Vulnerability

Vulnerable Library - y18n-3.2.1.tgz

the bare-bones internationalization library used by yargs

Library home page: https://registry.npmjs.org/y18n/-/y18n-3.2.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/y18n/package.json

Dependency Hierarchy:

  • gulp-4.0.0.tgz (Root Library)
    • gulp-cli-2.0.1.tgz
      • yargs-7.1.0.tgz
        • โŒ y18n-3.2.1.tgz (Vulnerable Library)

Found in HEAD commit: dc229a9f59fdfe6153b16c2f9456017e48115716

Found in base branch: git-branch--m-master--git-fetch-origin-git-branch--u-origin/--git-remote-set-head-origin--a

Vulnerability Details

The package y18n before 3.2.2, 4.0.1 and 5.0.5, is vulnerable to Prototype Pollution.

Publish Date: 2020-11-17

URL: CVE-2020-7774

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/1654

Release Date: 2020-11-17

Fix Resolution (y18n): 3.2.2

Direct dependency fix Resolution (gulp): 4.0.1


CVE-2018-20834 (High) detected in tar-2.2.1.tgz, tar-4.4.1.tgz

CVE-2018-20834 - High Severity Vulnerability

Vulnerable Libraries - tar-2.2.1.tgz, tar-4.4.1.tgz

tar-2.2.1.tgz

tar for node

Library home page: https://registry.npmjs.org/tar/-/tar-2.2.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/tar/package.json

Dependency Hierarchy:

  • gulp-sass-2.3.2.tgz (Root Library)
    • node-sass-3.13.1.tgz
      • node-gyp-3.6.2.tgz
        • โŒ tar-2.2.1.tgz (Vulnerable Library)
tar-4.4.1.tgz

tar for node

Library home page: https://registry.npmjs.org/tar/-/tar-4.4.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

  • gulp-4.0.0.tgz (Root Library)
    • glob-watcher-5.0.1.tgz
      • chokidar-2.0.4.tgz
        • fsevents-1.2.4.tgz
          • node-pre-gyp-0.10.0.tgz
            • โŒ tar-4.4.1.tgz (Vulnerable Library)

Found in HEAD commit: dc229a9f59fdfe6153b16c2f9456017e48115716

Found in base branch: git-branch--m-master--git-fetch-origin-git-branch--u-origin/--git-remote-set-head-origin--a

Vulnerability Details

A vulnerability was found in node-tar before version 4.4.2 (excluding version 2.2.2). An Arbitrary File Overwrite issue exists when extracting a tarball containing a hardlink to a file that already exists on the system, in conjunction with a later plain file with the same name as the hardlink. This plain file content replaces the existing file content. A patch has been applied to node-tar v2.2.2.

Publish Date: 2019-04-30

URL: CVE-2018-20834

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: High
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16082

Release Date: 2019-04-30

Fix Resolution (tar): 2.2.2

Direct dependency fix Resolution (gulp-sass): 3.0.0

Fix Resolution (tar): 2.2.2

Direct dependency fix Resolution (gulp): 4.0.1


CVE-2015-8315 (High) detected in ms-0.3.0.tgz

CVE-2015-8315 - High Severity Vulnerability

Vulnerable Library - ms-0.3.0.tgz

Tiny ms conversion utility

Library home page: https://registry.npmjs.org/ms/-/ms-0.3.0.tgz

Path to dependency file: /assets/vendor/mustache/package.json

Path to vulnerable library: /assets/vendor/mustache/node_modules/ms/package.json

Dependency Hierarchy:

  • mocha-1.5.0.tgz (Root Library)
    • โŒ ms-0.3.0.tgz (Vulnerable Library)

Found in HEAD commit: dc229a9f59fdfe6153b16c2f9456017e48115716

Found in base branch: git-branch--m-master--git-fetch-origin-git-branch--u-origin/--git-remote-set-head-origin--a

Vulnerability Details

The ms package before 0.7.1 for Node.js allows attackers to cause a denial of service (CPU consumption) via a long version string, aka a "regular expression denial of service (ReDoS)."

Publish Date: 2017-01-23

URL: CVE-2015-8315

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2015-8315

Release Date: 2017-01-23

Fix Resolution (ms): 0.7.1

Direct dependency fix Resolution (mocha): 1.12.1


WS-2018-0084 (High) detected in sshpk-1.13.1.tgz - autoclosed

WS-2018-0084 - High Severity Vulnerability

Vulnerable Library - sshpk-1.13.1.tgz

A library for finding and using SSH public keys

Library home page: https://registry.npmjs.org/sshpk/-/sshpk-1.13.1.tgz

Dependency Hierarchy:

  • gulp-sass-2.3.2.tgz (Root Library)
    • node-sass-3.13.1.tgz
      • request-2.83.0.tgz
        • http-signature-1.2.0.tgz
          • โŒ sshpk-1.13.1.tgz (Vulnerable Library)

Found in HEAD commit: dc229a9f59fdfe6153b16c2f9456017e48115716

Found in base branch: master

Vulnerability Details

Versions of sshpk before 1.14.1 are vulnerable to regular expression denial of service when parsing crafted invalid public keys.

Publish Date: 2018-04-25

URL: WS-2018-0084

CVSS 2 Score Details (8.0)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: https://nodesecurity.io/advisories/606

Release Date: 2018-01-27

Fix Resolution: 1.14.1


CVE-2020-28499 (Critical) detected in merge-1.2.0.tgz

CVE-2020-28499 - Critical Severity Vulnerability

Vulnerable Library - merge-1.2.0.tgz

Merge multiple objects into one, optionally creating a new cloned object. Similar to the jQuery.extend but more flexible. Works in Node.js and the browser.

Library home page: https://registry.npmjs.org/merge/-/merge-1.2.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/merge/package.json

Dependency Hierarchy:

  • gulp-coffee-2.3.5.tgz (Root Library)
    • โŒ merge-1.2.0.tgz (Vulnerable Library)

Found in HEAD commit: dc229a9f59fdfe6153b16c2f9456017e48115716

Found in base branch: git-branch--m-master--git-fetch-origin-git-branch--u-origin/--git-remote-set-head-origin--a

Vulnerability Details

All versions of package merge are vulnerable to Prototype Pollution via _recursiveMerge.

Publish Date: 2021-02-18

URL: CVE-2020-28499

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Release Date: 2021-02-18

Fix Resolution (merge): 2.1.0

Direct dependency fix Resolution (gulp-coffee): 3.0.3


CVE-2018-14404 (High) detected in nokogiri-1.8.4.gem - autoclosed

CVE-2018-14404 - High Severity Vulnerability

Vulnerable Library - nokogiri-1.8.4.gem

Nokogiri (鋸) is an HTML, XML, SAX, and Reader parser. Among Nokogiri's many features is the ability to search documents via XPath or CSS3 selectors.

Library home page: https://rubygems.org/gems/nokogiri-1.8.4.gem

Dependency Hierarchy:

  • html-proofer-3.9.2.gem (Root Library)
    • โŒ nokogiri-1.8.4.gem (Vulnerable Library)

Found in HEAD commit: dc229a9f59fdfe6153b16c2f9456017e48115716

Found in base branch: master

Vulnerability Details

A NULL pointer dereference vulnerability exists in the xpath.c:xmlXPathCompOpEval() function of libxml2 through 2.9.8 when parsing an invalid XPath expression in the XPATH_OP_AND or XPATH_OP_OR case. Applications processing untrusted XSL format inputs with the use of the libxml2 library may be vulnerable to a denial of service attack due to a crash of the application.

Publish Date: 2018-07-19

URL: CVE-2018-14404

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GNOME/libxml2@a436374

Release Date: 2018-07-19

Fix Resolution: nokogiri- 2.9.5, libxml2 - 2.9.9


CVE-2017-16138 (High) detected in mime-1.3.4.tgz

CVE-2017-16138 - High Severity Vulnerability

Vulnerable Library - mime-1.3.4.tgz

A comprehensive library for mime-type mapping

Library home page: https://registry.npmjs.org/mime/-/mime-1.3.4.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/mime/package.json

Dependency Hierarchy:

  • gulp-connect-5.5.0.tgz (Root Library)
    • send-0.13.2.tgz
      • โŒ mime-1.3.4.tgz (Vulnerable Library)

Found in HEAD commit: dc229a9f59fdfe6153b16c2f9456017e48115716

Found in base branch: git-branch--m-master--git-fetch-origin-git-branch--u-origin/--git-remote-set-head-origin--a

Vulnerability Details

The mime module < 1.4.1, 2.0.1, 2.0.2 is vulnerable to regular expression denial of service when a mime lookup is performed on untrusted user input.

Publish Date: 2018-06-07

URL: CVE-2017-16138

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16138

Release Date: 2018-04-26

Fix Resolution (mime): 1.4.1

Direct dependency fix Resolution (gulp-connect): 5.6.1


CVE-2018-21270 (Medium) detected in stringstream-0.0.5.tgz

CVE-2018-21270 - Medium Severity Vulnerability

Vulnerable Library - stringstream-0.0.5.tgz

Encode and decode streams into string streams

Library home page: https://registry.npmjs.org/stringstream/-/stringstream-0.0.5.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/stringstream/package.json

Dependency Hierarchy:

  • gulp-sass-2.3.2.tgz (Root Library)
    • node-sass-3.13.1.tgz
      • request-2.83.0.tgz
        • โŒ stringstream-0.0.5.tgz (Vulnerable Library)

Found in HEAD commit: dc229a9f59fdfe6153b16c2f9456017e48115716

Found in base branch: git-branch--m-master--git-fetch-origin-git-branch--u-origin/--git-remote-set-head-origin--a

Vulnerability Details

Versions less than 0.0.6 of the Node.js stringstream module are vulnerable to an out-of-bounds read because of allocation of uninitialized buffers when a number is passed in the input stream (when using Node.js 4.x).

Publish Date: 2020-12-03

URL: CVE-2018-21270

CVSS 3 Score Details (6.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-21270

Release Date: 2020-12-03

Fix Resolution (stringstream): 0.0.6

Direct dependency fix Resolution (gulp-sass): 3.0.0


CVE-2018-11693 (High) detected in node-sass-3.13.1.tgz

CVE-2018-11693 - High Severity Vulnerability

Vulnerable Library - node-sass-3.13.1.tgz

Wrapper around libsass

Library home page: https://registry.npmjs.org/node-sass/-/node-sass-3.13.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/node-sass/package.json

Dependency Hierarchy:

  • gulp-sass-2.3.2.tgz (Root Library)
    • โŒ node-sass-3.13.1.tgz (Vulnerable Library)

Found in HEAD commit: dc229a9f59fdfe6153b16c2f9456017e48115716

Found in base branch: git-branch--m-master--git-fetch-origin-git-branch--u-origin/--git-remote-set-head-origin--a

Vulnerability Details

An issue was discovered in LibSass through 3.5.4. An out-of-bounds read of a memory region was found in the function Sass::Prelexer::skip_over_scopes which could be leveraged by an attacker to disclose information or manipulated to read from unmapped memory causing a denial of service.

Publish Date: 2018-06-04

URL: CVE-2018-11693

CVSS 3 Score Details (8.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Release Date: 2018-06-04

Fix Resolution (node-sass): 4.11.0

Direct dependency fix Resolution (gulp-sass): 3.0.0


CVE-2018-11499 (High) detected in node-sass-3.13.1.tgz

CVE-2018-11499 - High Severity Vulnerability

Vulnerable Library - node-sass-3.13.1.tgz

Wrapper around libsass

Library home page: https://registry.npmjs.org/node-sass/-/node-sass-3.13.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/node-sass/package.json

Dependency Hierarchy:

  • gulp-sass-2.3.2.tgz (Root Library)
    • โŒ node-sass-3.13.1.tgz (Vulnerable Library)

Found in HEAD commit: dc229a9f59fdfe6153b16c2f9456017e48115716

Found in base branch: git-branch--m-master--git-fetch-origin-git-branch--u-origin/--git-remote-set-head-origin--a

Vulnerability Details

A use-after-free vulnerability exists in handle_error() in sass_context.cpp in LibSass 3.4.x and 3.5.x through 3.5.4 that could be leveraged to cause a denial of service (application crash) or possibly unspecified other impact.

Publish Date: 2018-05-26

URL: CVE-2018-11499

CVSS 3 Score Details (7.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Release Date: 2018-05-26

Fix Resolution (node-sass): 4.14.0

Direct dependency fix Resolution (gulp-sass): 3.0.0


WS-2019-0017 (Medium) detected in clean-css-3.4.28.tgz

WS-2019-0017 - Medium Severity Vulnerability

Vulnerable Library - clean-css-3.4.28.tgz

A well-tested CSS minifier

Library home page: https://registry.npmjs.org/clean-css/-/clean-css-3.4.28.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/clean-css/package.json

Dependency Hierarchy:

  • gulp-minify-css-1.2.4.tgz (Root Library)
    • โŒ clean-css-3.4.28.tgz (Vulnerable Library)

Found in HEAD commit: dc229a9f59fdfe6153b16c2f9456017e48115716

Found in base branch: git-branch--m-master--git-fetch-origin-git-branch--u-origin/--git-remote-set-head-origin--a

Vulnerability Details

Versions of clean-css prior to 4.1.11 are vulnerable to Regular Expression Denial of Service (ReDoS). Untrusted input may cause catastrophic backtracking while matching regular expressions. This can cause the application to become unresponsive, leading to Denial of Service.

Publish Date: 2018-03-06

URL: WS-2019-0017

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: GHSA-wxhq-pm8v-cw75

Release Date: 2018-03-06

Fix Resolution: clean-css - 4.1.11


CVE-2018-11696 (Medium) detected in node-sass-3.13.1.tgz

CVE-2018-11696 - Medium Severity Vulnerability

Vulnerable Library - node-sass-3.13.1.tgz

Wrapper around libsass

Library home page: https://registry.npmjs.org/node-sass/-/node-sass-3.13.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/node-sass/package.json

Dependency Hierarchy:

  • gulp-sass-2.3.2.tgz (Root Library)
    • โŒ node-sass-3.13.1.tgz (Vulnerable Library)

Found in HEAD commit: dc229a9f59fdfe6153b16c2f9456017e48115716

Found in base branch: git-branch--m-master--git-fetch-origin-git-branch--u-origin/--git-remote-set-head-origin--a

Vulnerability Details

An issue was discovered in LibSass through 3.5.4. A NULL pointer dereference was found in the function Sass::Inspect::operator which could be leveraged by an attacker to cause a denial of service (application crash) or possibly have unspecified other impact.

Publish Date: 2018-06-04

URL: CVE-2018-11696

CVSS 3 Score Details (5.6)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Release Date: 2018-06-04

Fix Resolution (node-sass): 4.14.0

Direct dependency fix Resolution (gulp-sass): 3.0.0


CVE-2021-23343 (High) detected in path-parse-1.0.6.tgz - autoclosed

CVE-2021-23343 - High Severity Vulnerability

Vulnerable Library - path-parse-1.0.6.tgz

Node.js path.parse() ponyfill

Library home page: https://registry.npmjs.org/path-parse/-/path-parse-1.0.6.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/path-parse/package.json

Dependency Hierarchy:

  • gulp-4.0.0.tgz (Root Library)
    • gulp-cli-2.0.1.tgz
      • liftoff-2.5.0.tgz
        • resolve-1.8.1.tgz
          • โŒ path-parse-1.0.6.tgz (Vulnerable Library)

Found in HEAD commit: dc229a9f59fdfe6153b16c2f9456017e48115716

Found in base branch: master

Vulnerability Details

All versions of package path-parse are vulnerable to Regular Expression Denial of Service (ReDoS) via splitDeviceRe, splitTailRe, and splitPathRe regular expressions. ReDoS exhibits polynomial worst-case time complexity.

Publish Date: 2021-05-04

URL: CVE-2021-23343

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: jbgutierrez/path-parse#8

Release Date: 2021-05-04

Fix Resolution (path-parse): 1.0.7

Direct dependency fix Resolution (gulp): 4.0.1


CVE-2019-10747 (Critical) detected in set-value-2.0.0.tgz, set-value-0.4.3.tgz

CVE-2019-10747 - Critical Severity Vulnerability

Vulnerable Libraries - set-value-2.0.0.tgz, set-value-0.4.3.tgz

set-value-2.0.0.tgz

Create nested values and any intermediaries using dot notation (`'a.b.c'`) paths.

Library home page: https://registry.npmjs.org/set-value/-/set-value-2.0.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/set-value/package.json

Dependency Hierarchy:

  • gulp-4.0.0.tgz (Root Library)
    • gulp-cli-2.0.1.tgz
      • matchdep-2.0.0.tgz
        • micromatch-3.1.10.tgz
          • snapdragon-0.8.2.tgz
            • base-0.11.2.tgz
              • cache-base-1.0.1.tgz
                • โŒ set-value-2.0.0.tgz (Vulnerable Library)
set-value-0.4.3.tgz

Create nested values and any intermediaries using dot notation (`'a.b.c'`) paths.

Library home page: https://registry.npmjs.org/set-value/-/set-value-0.4.3.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/union-value/node_modules/set-value/package.json

Dependency Hierarchy:

  • gulp-4.0.0.tgz (Root Library)
    • gulp-cli-2.0.1.tgz
      • matchdep-2.0.0.tgz
        • micromatch-3.1.10.tgz
          • snapdragon-0.8.2.tgz
            • base-0.11.2.tgz
              • cache-base-1.0.1.tgz
                • union-value-1.0.0.tgz
                  • โŒ set-value-0.4.3.tgz (Vulnerable Library)

Found in HEAD commit: dc229a9f59fdfe6153b16c2f9456017e48115716

Found in base branch: git-branch--m-master--git-fetch-origin-git-branch--u-origin/--git-remote-set-head-origin--a

Vulnerability Details

set-value is vulnerable to Prototype Pollution in versions lower than 3.0.1. The function mixin-deep could be tricked into adding or modifying properties of Object.prototype using any of the constructor, prototype and proto payloads.

Publish Date: 2019-08-23

URL: CVE-2019-10747

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Release Date: 2019-08-23

Fix Resolution (set-value): 2.0.1

Direct dependency fix Resolution (gulp): 4.0.1

Fix Resolution (set-value): 2.0.1

Direct dependency fix Resolution (gulp): 4.0.1


CVE-2020-28500 (Medium) detected in lodash-4.17.4.tgz

CVE-2020-28500 - Medium Severity Vulnerability

Vulnerable Library - lodash-4.17.4.tgz

Lodash modular utilities.

Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.4.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/babel-register/node_modules/lodash/package.json,/node_modules/babel-plugin-transform-es2015-block-scoping/node_modules/lodash/package.json,/node_modules/node-sass/node_modules/lodash/package.json,/node_modules/babel-helper-regex/node_modules/lodash/package.json,/node_modules/babel-helper-define-map/node_modules/lodash/package.json,/node_modules/babel-template/node_modules/lodash/package.json,/node_modules/babel-core/node_modules/lodash/package.json,/node_modules/babel-generator/node_modules/lodash/package.json,/node_modules/babel-traverse/node_modules/lodash/package.json,/node_modules/sass-graph/node_modules/lodash/package.json,/node_modules/babel-types/node_modules/lodash/package.json

Dependency Hierarchy:

  • babel-preset-es2015-6.24.1.tgz (Root Library)
    • babel-plugin-transform-es2015-sticky-regex-6.24.1.tgz
      • babel-helper-regex-6.26.0.tgz
        • โŒ lodash-4.17.4.tgz (Vulnerable Library)

Found in HEAD commit: dc229a9f59fdfe6153b16c2f9456017e48115716

Found in base branch: git-branch--m-master--git-fetch-origin-git-branch--u-origin/--git-remote-set-head-origin--a

Vulnerability Details

Lodash versions prior to 4.17.21 are vulnerable to Regular Expression Denial of Service (ReDoS) via the toNumber, trim and trimEnd functions.

Publish Date: 2021-02-15

URL: CVE-2020-28500

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28500

Release Date: 2021-02-15

Fix Resolution: lodash - 4.17.21


CVE-2020-28469 (High) detected in glob-parent-3.1.0.tgz

CVE-2020-28469 - High Severity Vulnerability

Vulnerable Library - glob-parent-3.1.0.tgz

Strips glob magic from a string to provide the parent directory path

Library home page: https://registry.npmjs.org/glob-parent/-/glob-parent-3.1.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/glob-parent/package.json

Dependency Hierarchy:

  • gulp-4.0.0.tgz (Root Library)
    • vinyl-fs-3.0.3.tgz
      • glob-stream-6.1.0.tgz
        • โŒ glob-parent-3.1.0.tgz (Vulnerable Library)

Found in HEAD commit: dc229a9f59fdfe6153b16c2f9456017e48115716

Found in base branch: git-branch--m-master--git-fetch-origin-git-branch--u-origin/--git-remote-set-head-origin--a

Vulnerability Details

This affects the package glob-parent before 5.1.2. The enclosure regex used to check for strings ending in an enclosure containing a path separator is affected.

Publish Date: 2021-06-03

URL: CVE-2020-28469

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28469

Release Date: 2021-06-03

Fix Resolution: glob-parent - 5.1.2


CVE-2017-16042 (Critical) detected in growl-1.5.1.tgz

CVE-2017-16042 - Critical Severity Vulnerability

Vulnerable Library - growl-1.5.1.tgz

Growl unobtrusive notifications

Library home page: https://registry.npmjs.org/growl/-/growl-1.5.1.tgz

Path to dependency file: /assets/vendor/mustache/package.json

Path to vulnerable library: /assets/vendor/mustache/node_modules/growl/package.json

Dependency Hierarchy:

  • mocha-1.5.0.tgz (Root Library)
    • โŒ growl-1.5.1.tgz (Vulnerable Library)

Found in HEAD commit: dc229a9f59fdfe6153b16c2f9456017e48115716

Found in base branch: git-branch--m-master--git-fetch-origin-git-branch--u-origin/--git-remote-set-head-origin--a

Vulnerability Details

Growl adds growl notification support to nodejs. Growl before 1.10.2 does not properly sanitize input before passing it to exec, allowing for arbitrary command execution.

Publish Date: 2018-06-04

URL: CVE-2017-16042

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2017-16042

Release Date: 2018-04-26

Fix Resolution (growl): 1.10.2

Direct dependency fix Resolution (mocha): 4.0.0


CVE-2020-24025 (Medium) detected in node-sass-3.13.1.tgz

CVE-2020-24025 - Medium Severity Vulnerability

Vulnerable Library - node-sass-3.13.1.tgz

Wrapper around libsass

Library home page: https://registry.npmjs.org/node-sass/-/node-sass-3.13.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/node-sass/package.json

Dependency Hierarchy:

  • gulp-sass-2.3.2.tgz (Root Library)
    • โŒ node-sass-3.13.1.tgz (Vulnerable Library)

Found in HEAD commit: dc229a9f59fdfe6153b16c2f9456017e48115716

Found in base branch: git-branch--m-master--git-fetch-origin-git-branch--u-origin/--git-remote-set-head-origin--a

Vulnerability Details

Certificate validation in node-sass 2.0.0 to 4.14.1 is disabled when requesting binaries even if the user is not specifying an alternative download path.

Publish Date: 2021-01-11

URL: CVE-2020-24025

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: Low
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: GHSA-r8f7-9pfq-mjmv

Release Date: 2021-01-11

Fix Resolution (node-sass): 7.0.0

Direct dependency fix Resolution (gulp-sass): 5.0.0


CVE-2021-23337 (High) detected in lodash-4.17.4.tgz

CVE-2021-23337 - High Severity Vulnerability

Vulnerable Library - lodash-4.17.4.tgz

Lodash modular utilities.

Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.4.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/babel-register/node_modules/lodash/package.json,/node_modules/babel-plugin-transform-es2015-block-scoping/node_modules/lodash/package.json,/node_modules/node-sass/node_modules/lodash/package.json,/node_modules/babel-helper-regex/node_modules/lodash/package.json,/node_modules/babel-helper-define-map/node_modules/lodash/package.json,/node_modules/babel-template/node_modules/lodash/package.json,/node_modules/babel-core/node_modules/lodash/package.json,/node_modules/babel-generator/node_modules/lodash/package.json,/node_modules/babel-traverse/node_modules/lodash/package.json,/node_modules/sass-graph/node_modules/lodash/package.json,/node_modules/babel-types/node_modules/lodash/package.json

Dependency Hierarchy:

  • babel-preset-es2015-6.24.1.tgz (Root Library)
    • babel-plugin-transform-es2015-sticky-regex-6.24.1.tgz
      • babel-helper-regex-6.26.0.tgz
        • โŒ lodash-4.17.4.tgz (Vulnerable Library)

Found in HEAD commit: dc229a9f59fdfe6153b16c2f9456017e48115716

Found in base branch: git-branch--m-master--git-fetch-origin-git-branch--u-origin/--git-remote-set-head-origin--a

Vulnerability Details

Lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function.

Publish Date: 2021-02-15

URL: CVE-2021-23337

CVSS 3 Score Details (7.2)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: High
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-35jh-r3h4-6jhm

Release Date: 2021-02-15

Fix Resolution: lodash - 4.17.21, lodash-es - 4.17.21


CVE-2018-11695 (Medium) detected in node-sass-3.13.1.tgz

CVE-2018-11695 - Medium Severity Vulnerability

Vulnerable Library - node-sass-3.13.1.tgz

Wrapper around libsass

Library home page: https://registry.npmjs.org/node-sass/-/node-sass-3.13.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/node-sass/package.json

Dependency Hierarchy:

  • gulp-sass-2.3.2.tgz (Root Library)
    • โŒ node-sass-3.13.1.tgz (Vulnerable Library)

Found in HEAD commit: dc229a9f59fdfe6153b16c2f9456017e48115716

Found in base branch: git-branch--m-master--git-fetch-origin-git-branch--u-origin/--git-remote-set-head-origin--a

Vulnerability Details

An issue was discovered in LibSass <3.5.3. A NULL pointer dereference was found in the function Sass::Expand::operator which could be leveraged by an attacker to cause a denial of service (application crash) or possibly have unspecified other impact.

Publish Date: 2018-06-04

URL: CVE-2018-11695

CVSS 3 Score Details (5.6)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Release Date: 2018-06-04

Fix Resolution (node-sass): 4.9.0

Direct dependency fix Resolution (gulp-sass): 3.0.0


CVE-2015-9251 (Medium) detected in jquery-1.3.2.min.js - autoclosed

CVE-2015-9251 - Medium Severity Vulnerability

Vulnerable Library - jquery-1.3.2.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.3.2/jquery.min.js

Path to dependency file: /assets/vendor/lunr.js/node_modules/github-flavored-markdown/_layouts/default.html

Path to vulnerable library: /assets/vendor/lunr.js/node_modules/github-flavored-markdown/_layouts/default.html

Dependency Hierarchy:

  • โŒ jquery-1.3.2.min.js (Vulnerable Library)

Found in HEAD commit: dc229a9f59fdfe6153b16c2f9456017e48115716

Found in base branch: master

Vulnerability Details

jQuery before 3.0.0 is vulnerable to Cross-site Scripting (XSS) attacks when a cross-domain Ajax request is performed without the dataType option, causing text/javascript responses to be executed.

Publish Date: 2018-01-18

URL: CVE-2015-9251

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2015-9251

Release Date: 2018-01-18

Fix Resolution: jQuery - v3.0.0


CVE-2019-10744 (Critical) detected in lodash.template-3.6.2.tgz, lodash-4.17.4.tgz

CVE-2019-10744 - Critical Severity Vulnerability

Vulnerable Libraries - lodash.template-3.6.2.tgz, lodash-4.17.4.tgz

lodash.template-3.6.2.tgz

The modern build of lodash's `_.template` as a module.

Library home page: https://registry.npmjs.org/lodash.template/-/lodash.template-3.6.2.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/lodash.template/package.json

Dependency Hierarchy:

  • gulp-babel-6.1.2.tgz (Root Library)
    • gulp-util-3.0.8.tgz
      • โŒ lodash.template-3.6.2.tgz (Vulnerable Library)
lodash-4.17.4.tgz

Lodash modular utilities.

Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.4.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/babel-register/node_modules/lodash/package.json,/node_modules/babel-plugin-transform-es2015-block-scoping/node_modules/lodash/package.json,/node_modules/node-sass/node_modules/lodash/package.json,/node_modules/babel-helper-regex/node_modules/lodash/package.json,/node_modules/babel-helper-define-map/node_modules/lodash/package.json,/node_modules/babel-template/node_modules/lodash/package.json,/node_modules/babel-core/node_modules/lodash/package.json,/node_modules/babel-generator/node_modules/lodash/package.json,/node_modules/babel-traverse/node_modules/lodash/package.json,/node_modules/sass-graph/node_modules/lodash/package.json,/node_modules/babel-types/node_modules/lodash/package.json

Dependency Hierarchy:

  • babel-preset-es2015-6.24.1.tgz (Root Library)
    • babel-plugin-transform-es2015-sticky-regex-6.24.1.tgz
      • babel-helper-regex-6.26.0.tgz
        • โŒ lodash-4.17.4.tgz (Vulnerable Library)

Found in HEAD commit: dc229a9f59fdfe6153b16c2f9456017e48115716

Found in base branch: git-branch--m-master--git-fetch-origin-git-branch--u-origin/--git-remote-set-head-origin--a

Vulnerability Details

Versions of lodash lower than 4.17.12 are vulnerable to Prototype Pollution. The function defaultsDeep could be tricked into adding or modifying properties of Object.prototype using a constructor payload.

Publish Date: 2019-07-26

URL: CVE-2019-10744

CVSS 3 Score Details (9.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-jf85-cpcp-j695

Release Date: 2019-07-26

Fix Resolution (lodash.template): 4.5.0

Direct dependency fix Resolution (gulp-babel): 6.1.3


WS-2018-0100 (Medium) detected in concat-with-sourcemaps-1.0.4.tgz

WS-2018-0100 - Medium Severity Vulnerability

Vulnerable Library - concat-with-sourcemaps-1.0.4.tgz

Concatenate file contents with a custom separator and generate a source map

Library home page: https://registry.npmjs.org/concat-with-sourcemaps/-/concat-with-sourcemaps-1.0.4.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/concat-with-sourcemaps/package.json

Dependency Hierarchy:

  • gulp-concat-2.6.1.tgz (Root Library)
    • โŒ concat-with-sourcemaps-1.0.4.tgz (Vulnerable Library)

Found in HEAD commit: dc229a9f59fdfe6153b16c2f9456017e48115716

Found in base branch: git-branch--m-master--git-fetch-origin-git-branch--u-origin/--git-remote-set-head-origin--a

Vulnerability Details

Versions of concat-with-sourcemaps before 1.0.6 allocate uninitialized Buffers when a number is passed as a separator.

Publish Date: 2018-05-16

URL: WS-2018-0100

CVSS 3 Score Details (6.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: High
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://nodesecurity.io/advisories/644

Release Date: 2018-01-27

Fix Resolution: 1.0.6

