socketdev / idb-chunk-store Goto Github PK

Vulnerable Library - xmlhttprequest-ssl-1.5.5.tgz

XMLHttpRequest for Node

Library home page: https://registry.npmjs.org/xmlhttprequest-ssl/-/xmlhttprequest-ssl-1.5.5.tgz

Path to dependency file: idb-chunk-store/package.json

Path to vulnerable library: idb-chunk-store/node_modules/xmlhttprequest-ssl/package.json

Dependency Hierarchy:

• airtap-4.0.3.tgz (Root Library)
  • engine.io-client-3.3.2.tgz
    • ❌ xmlhttprequest-ssl-1.5.5.tgz (Vulnerable Library)

Found in HEAD commit: 3f4101cc328e5efeab7d6580aaf15be0f3dc7ecb

Found in base branch: master

Vulnerability Details

This affects the package xmlhttprequest before 1.7.0; all versions of package xmlhttprequest-ssl. Provided requests are sent synchronously (async=False on xhr.open), malicious user input flowing into xhr.send could result in arbitrary code being injected and run.

Publish Date: 2021-03-05

URL: CVE-2020-28502

CVSS 3 Score Details (8.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-h4j5-c7cj-74xg

Release Date: 2021-03-05

Fix Resolution: xmlhttprequest - 1.7.0,xmlhttprequest-ssl - 1.6.2

Vulnerable Library - ws-6.1.4.tgz

Simple to use, blazing fast and thoroughly tested websocket client and server for Node.js

Library home page: https://registry.npmjs.org/ws/-/ws-6.1.4.tgz

Path to dependency file: idb-chunk-store/package.json

Path to vulnerable library: idb-chunk-store/node_modules/engine.io-client/node_modules/ws/package.json

Dependency Hierarchy:

• airtap-4.0.3.tgz (Root Library)
  • engine.io-client-3.3.2.tgz
    • ❌ ws-6.1.4.tgz (Vulnerable Library)

Found in HEAD commit: 3f4101cc328e5efeab7d6580aaf15be0f3dc7ecb

Found in base branch: master

Vulnerability Details

ws is an open source WebSocket client and server library for Node.js. A specially crafted value of the Sec-Websocket-Protocol header can be used to significantly slow down a ws server. The vulnerability has been fixed in [email protected] (websockets/ws@00c425e). In vulnerable versions of ws, the issue can be mitigated by reducing the maximum allowed length of the request headers using the --max-http-header-size=size and/or the maxHeaderSize options.

Publish Date: 2021-05-25

URL: CVE-2021-32640

CVSS 3 Score Details (5.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: GHSA-6fc8-4gx4-v693

Release Date: 2021-05-25

Fix Resolution: ws - 7.4.6

Vulnerable Library - xmlhttprequest-ssl-1.5.5.tgz

XMLHttpRequest for Node

Library home page: https://registry.npmjs.org/xmlhttprequest-ssl/-/xmlhttprequest-ssl-1.5.5.tgz

Path to dependency file: idb-chunk-store/package.json

Path to vulnerable library: idb-chunk-store/node_modules/xmlhttprequest-ssl/package.json

Dependency Hierarchy:

• airtap-4.0.3.tgz (Root Library)
  • engine.io-client-3.3.2.tgz
    • ❌ xmlhttprequest-ssl-1.5.5.tgz (Vulnerable Library)

Found in HEAD commit: 3f4101cc328e5efeab7d6580aaf15be0f3dc7ecb

Found in base branch: master

Vulnerability Details

The xmlhttprequest-ssl package before 1.6.1 for Node.js disables SSL certificate validation by default, because rejectUnauthorized (when the property exists but is undefined) is considered to be false within the https.request function of Node.js. In other words, no certificate is ever rejected.

Publish Date: 2021-04-23

URL: CVE-2021-31597

CVSS 3 Score Details (9.4)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-31597

Release Date: 2021-04-23

Fix Resolution: xmlhttprequest-ssl - 1.6.1

Vulnerable Library - engine.io-3.5.0.tgz

The realtime engine behind Socket.IO. Provides the foundation of a bidirectional connection between client and server

Library home page: https://registry.npmjs.org/engine.io/-/engine.io-3.5.0.tgz

Path to dependency file: idb-chunk-store/package.json

Path to vulnerable library: idb-chunk-store/node_modules/engine.io/package.json

Dependency Hierarchy:

• airtap-4.0.3.tgz (Root Library)
  • ❌ engine.io-3.5.0.tgz (Vulnerable Library)

Found in HEAD commit: 3f4101cc328e5efeab7d6580aaf15be0f3dc7ecb

Found in base branch: master

Vulnerability Details

Engine.IO before 4.0.0 allows attackers to cause a denial of service (resource consumption) via a POST request to the long polling transport.

Publish Date: 2021-01-08

URL: CVE-2020-36048

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-36048

Release Date: 2021-01-08

Fix Resolution: engine.io - 4.0.0