Bulk vulnerability fix - Lockfile fix

[debricked]

Bulk vulnerability fix - Lockfile fix

This pull request will update your transitive dependencies within the allowed version intervals provided by your direct dependencies.

Fixed vulnerabilities:

CVE–2019–10744

• Description

  NVD

  Versions of lodash lower than 4.17.12 are vulnerable to Prototype Pollution. The function defaultsDeep could be tricked into adding or modifying properties of Object.prototype using a constructor payload.

  GitHub

  Prototype Pollution in lodash

  Versions of lodash before 4.17.12 are vulnerable to Prototype Pollution. The function defaultsDeep allows a malicious user to modify the prototype of Object via {constructor: {prototype: {...}}} causing the addition or modification of an existing property that will exist on all objects.

  Recommendation

  Update to version 4.17.12 or later.

• CVSS details - 9.1

   

  CVSS3 metrics
  Attack Vector	Network
  Attack Complexity	Low
  Privileges Required	None
  User interaction	None
  Scope	Unchanged
  Confidentiality	None
  Integrity	High
  Availability	High

• References

      CVE-2019-10744 Lodash Vulnerability in NetApp Products | NetApp Product Security
      Red Hat Customer Portal - Access to 24x7 support and knowledge
      CONFIRM
      Oracle Critical Patch Update Advisory - October 2020
      Oracle Critical Patch Update Advisory - January 2021

CVE–2020–8203

• Description

  Allocation of Resources Without Limits or Throttling

  The software allocates a reusable resource or group of resources on behalf of an actor without imposing any restrictions on the size or number of resources that can be allocated, in violation of the intended security policy for that actor.

  NVD

  Prototype pollution attack when using _.zipObjectDeep in lodash <= 4.17.15.

• CVSS details - 7.4

   

  CVSS3 metrics
  Attack Vector	Network
  Attack Complexity	High
  Privileges Required	None
  User interaction	None
  Scope	Unchanged
  Confidentiality	None
  Integrity	High
  Availability	High

• References

      HackerOne
      CVE-2020-8203 Lodash Vulnerability in NetApp Products | NetApp Product Security
      CVE-2020-8203 is not modified in /.internal/baseSet.js · Issue #4874 · lodash/lodash · GitHub
      Oracle Critical Patch Update Advisory - April 2021

CVE–2020–28500

• Description

  NVD

  All versions of package lodash; all versions of package org.fujion.webjars:lodash are vulnerable to Regular Expression Denial of Service (ReDoS) via the toNumber, trim and trimEnd functions. Steps to reproduce (provided by reporter Liyuan Chen): var lo = require('lodash'); function build_blank (n) { var ret = "1" for (var i = 0; i < n; i++) { ret += " " } return ret + "1"; } var s = build_blank(50000) var time0 = Date.now(); lo.trim(s) var time_cost0 = Date.now() - time0; console.log("time_cost0: " + time_cost0) var time1 = Date.now(); lo.toNumber(s) var time_cost1 = Date.now() - time1; console.log("time_cost1: " + time_cost1) var time2 = Date.now(); lo.trimEnd(s) var time_cost2 = Date.now() - time2; console.log("time_cost2: " + time_cost2)

• CVSS details - 5.3

   

  CVSS3 metrics
  Attack Vector	Network
  Attack Complexity	Low
  Privileges Required	None
  User interaction	None
  Scope	Unchanged
  Confidentiality	None
  Integrity	None
  Availability	Low

• References

      CONFIRM
      perf: improve performance of toNumber, trim and trimEnd on large input strings by falsyvalues · Pull Request #5065 · lodash/lodash · GitHub
      February 2021 Lodash Vulnerabilities in NetApp Products | NetApp Product Security

CVE–2021–23337

• Description

  Improper Neutralization of Special Elements used in a Command ('Command Injection')

  The software constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.

  NVD

  All versions of package lodash; all versions of package org.fujion.webjars:lodash are vulnerable to Command Injection via template.

  GitHub

  Command Injection in lodash

  lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function.

• CVSS details - 7.2

   

  CVSS3 metrics
  Attack Vector	Network
  Attack Complexity	Low
  Privileges Required	High
  User interaction	None
  Scope	Unchanged
  Confidentiality	High
  Integrity	High
  Availability	High

• References

      MISC
      February 2021 Lodash Vulnerabilities in NetApp Products | NetApp Product Security
      lodash/lodash.js at ddfd9b11a0126db2302cb70ec9973b66baec0975 · lodash/lodash · GitHub
      NVD - CVE-2021-23337
      Prevent command injection through _.template's variable option · lodash/lodash@3469357 · GitHub
      Command Injection in lodash · CVE-2021-23337 · GitHub Advisory Database · GitHub

CVE–2021–23343

• Description

  NVD

  All versions of package path-parse are vulnerable to Regular Expression Denial of Service (ReDoS) via splitDeviceRe, splitTailRe, and splitPathRe regular expressions. ReDoS exhibits polynomial worst-case time complexity.

• CVSS details - 7.5

   

  CVSS3 metrics
  Attack Vector	Network
  Attack Complexity	Low
  Privileges Required	None
  User interaction	None
  Scope	Unchanged
  Confidentiality	None
  Integrity	None
  Availability	High

• References

      ReDoS in path-parse · Issue #8 · jbgutierrez/path-parse · GitHub
      Pony Mail!

CVE–2020–7598

• Description

  Improper Input Validation

  The product does not validate or incorrectly validates input that can affect the control flow or data flow of a program.

  NVD

  minimist before 1.2.2 could be tricked into adding or modifying properties of Object.prototype using a "constructor" or "proto" payload.

  GitHub

  Prototype Pollution in minimist

  Affected versions of minimist are vulnerable to prototype pollution. Arguments are not properly sanitized, allowing an attacker to modify the prototype of Object, causing the addition or modification of an existing property that will exist on all objects.
  Parsing the argument --__proto__.y=Polluted adds a y property with value Polluted to all objects. The argument --__proto__=Polluted raises and uncaught error and crashes the application.
  This is exploitable if attackers have control over the arguments being passed to minimist.

  Recommendation

  Upgrade to versions 0.2.1, 1.2.3 or later.

• CVSS details - 5.6

   

  CVSS3 metrics
  Attack Vector	Network
  Attack Complexity	High
  Privileges Required	None
  User interaction	None
  Scope	Unchanged
  Confidentiality	Low
  Integrity	Low
  Availability	Low

• References

      [security-announce] openSUSE-SU-2020:0802-1: critical: Security update for nodejs8 - openSUSE Security Announce - openSUSE Mailing Lists
      NVD - CVE-2020-7598
      even more aggressive checks for protocol pollution · substack/minimist@38a4d1c · GitHub
      Prototype Pollution in minimist · CVE-2020-7598 · GitHub Advisory Database · GitHub
      don't assign onto proto · substack/minimist@63e7ed0 · GitHub

CVE–2021–29060

• Description

  Allocation of Resources Without Limits or Throttling

  The software allocates a reusable resource or group of resources on behalf of an actor without imposing any restrictions on the size or number of resources that can be allocated, in violation of the intended security policy for that actor.

  NVD

  A Regular Expression Denial of Service (ReDOS) vulnerability was discovered in Color-String version 1.5.5 and below which occurs when the application is provided and checks a crafted invalid HWB string.

  GitHub

  Regular Expression Denial of Service (ReDOS)

  In the npm package color-string, there is a ReDos (Regular Expression Denial of Service) vulnerability regarding an exponential time complexity for
  linearly increasing input lengths for hwb() color strings.

  Strings reaching more than 5000 characters would see several
  milliseconds of processing time; strings reaching more than
  50,000 characters began seeing 1500ms (1.5s) of processing time.

  The cause was due to a the regular expression that parses
  hwb() strings - specifically, the hue value - where
  the integer portion of the hue value used a 0-or-more quantifier
  shortly thereafter followed by a 1-or-more quantifier.

  This caused excessive backtracking and a cartesian scan,
  resulting in exponential time complexity given a linear
  increase in input length.

• CVSS details - 5.3

   

  CVSS3 metrics
  Attack Vector	Network
  Attack Complexity	Low
  Privileges Required	None
  User interaction	None
  Scope	Unchanged
  Confidentiality	None
  Integrity	None
  Availability	Low

• References

      SaveResults/color-string.js at main · yetingli/SaveResults · GitHub
      PoCs/Color-String.md at main · yetingli/PoCs · GitHub
      fix ReDos in hwb() parser (low-severity) · Qix-/color-string@0789e21 · GitHub
      color-string - npm

CVE–2020–7774

• Description

  Improper Input Validation

  The product does not validate or incorrectly validates input that can affect the control flow or data flow of a program.

  NVD

  This affects the package y18n before 5.0.5. PoC by po6ix: const y18n = require('y18n')(); y18n.setLocale('proto'); y18n.updateLocale({polluted: true}); console.log(polluted); // true

• CVSS details - 7.3

   

  CVSS3 metrics
  Attack Vector	Network
  Attack Complexity	Low
  Privileges Required	None
  User interaction	None
  Scope	Unchanged
  Confidentiality	Low
  Integrity	Low
  Availability	Low

• References

      Prototype pollution · Issue #96 · yargs/y18n · GitHub
      fix: address prototype pollution issue by bcoe · Pull Request #108 · yargs/y18n · GitHub
      Oracle Critical Patch Update Advisory - April 2021

CVE–2020–7733

• Description

  Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')

  The software constructs all or part of an expression language (EL) statement in a Java Server Page (JSP) using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended EL statement before it is executed.

  NVD

  The package ua-parser-js before 0.7.22 are vulnerable to Regular Expression Denial of Service (ReDoS) via the regex for Redmi Phones and Mi Pad Tablets UA.

  GitHub

  Regular Expression Denial of Service in ua-parser-js

  The package ua-parser-js before 0.7.22 are vulnerable to Regular Expression Denial of Service (ReDoS) via the regex for Redmi Phones and Mi Pad Tablets UA.

• CVSS details - 7.5

   

  CVSS3 metrics
  Attack Vector	Network
  Attack Complexity	Low
  Privileges Required	None
  User interaction	None
  Scope	Unchanged
  Confidentiality	None
  Integrity	None
  Availability	High

• References

      Fix potential ReDoS vulnerability · faisalman/ua-parser-js@233d3ba · GitHub
      NVD - CVE-2020-7733
      GitHub - faisalman/ua-parser-js: UAParser.js - Detect Browser, Engine, OS, CPU, and Device type/model from User-Agent data. Supports browser & node.js environment.
      Regular Expression Denial of Service in ua-parser-js · CVE-2020-7733 · GitHub Advisory Database · GitHub
      GitHub - faisalman/ua-parser-js: UAParser.js - Detect Browser, Engine, OS, CPU, and Device type/model from User-Agent data. Supports browser & node.js environment.

CVE–2020–7793

• Description

  Uncontrolled Resource Consumption

  The software does not properly control the allocation and maintenance of a limited resource thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources.

  NVD

  The package ua-parser-js before 0.7.23 are vulnerable to Regular Expression Denial of Service (ReDoS) in multiple regexes (see linked commit for more info).

• CVSS details - 7.5

   

  CVSS3 metrics
  Attack Vector	Network
  Attack Complexity	Low
  Privileges Required	None
  User interaction	None
  Scope	Unchanged
  Confidentiality	None
  Integrity	None
  Availability	High

• References

      Fix ReDoS vulnerabilities reported by Snyk · faisalman/ua-parser-js@6d1f26d · GitHub

CVE–2021–27292

• Description

  NVD

  ua-parser-js >= 0.7.14, fixed in 0.7.24, uses a regular expression which is vulnerable to denial of service. If an attacker sends a malicious User-Agent header, ua-parser-js will get stuck processing it for an extended period of time.

  GitHub

  Regular Expression Denial of Service (ReDoS) in ua-parser-js

  ua-parser-js >= 0.7.14, fixed in 0.7.24, uses a regular expression which is vulnerable to denial of service. If an attacker sends a malicious User-Agent header, ua-parser-js will get stuck processing it for an extended period of time.

• CVSS details - 7.5

   

  CVSS3 metrics
  Attack Vector	Network
  Attack Complexity	Low
  Privileges Required	None
  User interaction	None
  Scope	Unchanged
  Confidentiality	None
  Integrity	None
  Availability	High

• References

      cve-2021-27292 · GitHub
      Fix several exponential/cubic complexity regexes found by Ben Caller/… · pygments/pygments@2e7e8c4 · GitHub
      Fix potential ReDoS vulnerability as reported by Doyensec · faisalman/ua-parser-js@809439e · GitHub
      Regular Expression Denial of Service (ReDoS) in ua-parser-js · CVE-2021-27292 · GitHub Advisory Database · GitHub
      NVD - CVE-2021-27292

CVE–2021–23368

• Description

  NVD

  The package postcss from 7.0.0 and before 8.2.10 are vulnerable to Regular Expression Denial of Service (ReDoS) during source map parsing.

• CVSS details - 5.3

   

  CVSS3 metrics
  Attack Vector	Network
  Attack Complexity	Low
  Privileges Required	None
  User interaction	None
  Scope	Unchanged
  Confidentiality	None
  Integrity	None
  Availability	Low

• References

      Fix unsafe regexp · postcss/postcss@8682b1e · GitHub
      Fix unsafe regexp in getAnnotationURL() too · postcss/postcss@b6f3e4d · GitHub
      Pony Mail!
      Pony Mail!
      Pony Mail!
      Pony Mail!
      Pony Mail!
      Pony Mail!

CVE–2020–8116

• Description

  Direct Request ('Forced Browsing')

  The web application does not adequately enforce appropriate authorization on all restricted URLs, scripts, or files.

  NVD

  Prototype pollution vulnerability in dot-prop npm package version 5.1.0 and earlier allows an attacker to add arbitrary properties to JavaScript language constructs such as objects.

  GitHub

  Prototype Pollution in dot-prop

  Prototype pollution vulnerability in dot-prop npm package before versions 4.2.1 and 5.1.1 allows an attacker to add arbitrary properties to JavaScript language constructs such as objects.

• CVSS details - 7.3

   

  CVSS3 metrics
  Attack Vector	Network
  Attack Complexity	Low
  Privileges Required	None
  User interaction	None
  Scope	Unchanged
  Confidentiality	Low
  Integrity	Low
  Availability	Low

• References

      HackerOne
      Prototype Pollution in dot-prop · CVE-2020-8116 · GitHub Advisory Database · GitHub
      GitHub - sindresorhus/dot-prop at v4
      NVD - CVE-2020-8116
      Please backport CVE-2020-8116 security fix to 4.x. · Issue #63 · sindresorhus/dot-prop · GitHub

CVE–2021–28092

• Description

  NVD

  The is-svg package 2.1.0 through 4.2.1 for Node.js uses a regular expression that is vulnerable to Regular Expression Denial of Service (ReDoS). If an attacker provides a malicious string, is-svg will get stuck processing the input for a very long time.

  GitHub

  Regular Expression Denial of Service (ReDoS)

  The is-svg package 2.1.0 through 4.2.1 for Node.js uses a regular expression that is vulnerable to Regular Expression Denial of Service (ReDoS). If an attacker provides a malicious string, is-svg will get stuck processing the input for a very long time.

• CVSS details - 7.5

   

  CVSS3 metrics
  Attack Vector	Network
  Attack Complexity	Low
  Privileges Required	None
  User interaction	None
  Scope	Unchanged
  Confidentiality	None
  Integrity	None
  Availability	High

• References

      Releases · sindresorhus/is-svg · GitHub
      Release v4.2.2 · sindresorhus/is-svg · GitHub
      is-svg - npm
      CVE-2021-28092 Node.js Vulnerability in NetApp Products | NetApp Product Security

CVE–2021–29059

• Description

  Allocation of Resources Without Limits or Throttling

  The software allocates a reusable resource or group of resources on behalf of an actor without imposing any restrictions on the size or number of resources that can be allocated, in violation of the intended security policy for that actor.

  NVD

  A vulnerability was discovered in IS-SVG version 4.3.1 and below where a Regular Expression Denial of Service (ReDOS) occurs if the application is provided and checks a crafted invalid SVG string.

• CVSS details - 7.5

   

  CVSS3 metrics
  Attack Vector	Network
  Attack Complexity	Low
  Privileges Required	None
  User interaction	None
  Scope	Unchanged
  Confidentiality	None
  Integrity	None
  Availability	High

• References

      SaveResults/is-svg.js at main · yetingli/SaveResults · GitHub
      is-svg - npm
      Release v4.3.0 · sindresorhus/is-svg · GitHub
      PoCs/IS-SVG.md at main · yetingli/PoCs · GitHub

CVE–2019–10747

• Description

  Uncontrolled Resource Consumption

  The software does not properly control the allocation and maintenance of a limited resource thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources.

  NVD

  set-value is vulnerable to Prototype Pollution in versions lower than 3.0.1. The function mixin-deep could be tricked into adding or modifying properties of Object.prototype using any of the constructor, prototype and proto payloads.

  GitHub

  Prototype Pollution in set-value

  Versions of set-value prior to 3.0.1 or 2.0.1 are vulnerable to Prototype Pollution. The set function fails to validate which Object properties it updates. This allows attackers to modify the prototype of Object, causing the addition or modification of an existing property on all objects.

  Recommendation

  If you are using set-value 3.x, upgrade to version 3.0.1 or later.
  If you are using set-value 2.x, upgrade to version 2.0.1 or later.

• CVSS details - 9.8

   

  CVSS3 metrics
  Attack Vector	Network
  Attack Complexity	Low
  Privileges Required	None
  User interaction	None
  Scope	Unchanged
  Confidentiality	High
  Integrity	High
  Availability	High

• References

      Pony Mail!
      [SECURITY] Fedora 30 Update: nodejs-set-value-2.0.1-1.fc30 - package-announce - Fedora Mailing-Lists
      [SECURITY] Fedora 31 Update: nodejs-set-value-2.0.1-1.fc31 - package-announce - Fedora Mailing-Lists
      disallow proto keys · jonschlinkert/set-value@95e9d99 · GitHub
      NVD - CVE-2019-10747
      GitHub - jonschlinkert/set-value: Set nested properties on an object using dot-notation.
      Prototype Pollution in set-value · CVE-2019-10747 · GitHub Advisory Database · GitHub

CVE–2021–25949

• Description

  NVD

  Prototype pollution vulnerability in ‘set-getter’ version 0.1.0 allows an attacker to cause a denial of service and may lead to remote code execution.

• CVSS details - 9.8

   

  CVSS3 metrics
  Attack Vector	Network
  Attack Complexity	Low
  Privileges Required	None
  User interaction	None
  Scope	Unchanged
  Confidentiality	High
  Integrity	High
  Availability	High

• References

      CVE-2021-25949 | WhiteSource Vulnerability Database
      set-getter/index.js at 5bc2750fe1c3db9651d936131be187744111378d · doowb/set-getter · GitHub

CVE–2019–10746

• Description

  Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')

  The software constructs a string for a command to executed by a separate component in another control sphere, but it does not properly delimit the intended arguments, options, or switches within that command string.

  NVD

  mixin-deep is vulnerable to Prototype Pollution in versions before 1.3.2 and version 2.0.0. The function mixin-deep could be tricked into adding or modifying properties of Object.prototype using a constructor payload.

  GitHub

  Prototype Pollution in mixin-deep

  Versions of mixin-deep prior to 2.0.1 or 1.3.2 are vulnerable to Prototype Pollution. The mixinDeep function fails to validate which Object properties it updates. This allows attackers to modify the prototype of Object, causing the addition or modification of an existing property on all objects.

  Recommendation

  If you are using mixin-deep 2.x, upgrade to version 2.0.1 or later.
  If you are using mixin-deep 1.x, upgrade to version 1.3.2 or later.

• CVSS details - 9.8

   

  CVSS3 metrics
  Attack Vector	Network
  Attack Complexity	Low
  Privileges Required	None
  User interaction	None
  Scope	Unchanged
  Confidentiality	High
  Integrity	High
  Availability	High

• References

      [SECURITY] Fedora 30 Update: nodejs-mixin-deep-1.3.2-1.fc30 - package-announce - Fedora Mailing-Lists
      [SECURITY] Fedora 31 Update: nodejs-mixin-deep-1.3.2-1.fc31 - package-announce - Fedora Mailing-Lists
      Prototype Pollution in mixin-deep · CVE-2019-10746 · GitHub Advisory Database · GitHub
      disallow constructor and prototype keys · jonschlinkert/mixin-deep@8f464c8 · GitHub
      NVD - CVE-2019-10746
      GitHub - jonschlinkert/mixin-deep: Deeply mix the properties of objects into the first object, while also mixing-in child objects.

debricked–124

• Description

  GitHub

  Regular Expression Denial of Service in Acorn

  Affected versions of acorn are vulnerable to Regular Expression Denial of Service.
  A regex in the form of /[x-\ud800]/u causes the parser to enter an infinite loop.
  The string is not valid UTF16 which usually results in it being sanitized before reaching the parser.
  If an application processes untrusted input and passes it directly to acorn,
  attackers may leverage the vulnerability leading to Denial of Service.

• CVSS details

      No information

• References

      security fix for 6.x versions · Issue #929 · acornjs/acorn · GitHub
      Regular Expression Denial of Service in Acorn · GHSA-6chw-6frg-f759 · GitHub Advisory Database · GitHub

CVE–2019–20149

• Description

  Exposure of Resource to Wrong Sphere

  The product exposes a resource to the wrong control sphere, providing unintended actors with inappropriate access to the resource.

  NVD

  ctorName in index.js in kind-of v6.0.2 allows external user input to overwrite certain internal attributes via a conflicting name, as demonstrated by 'constructor': {'name':'Symbol'}. Hence, a crafted payload can overwrite this builtin attribute to manipulate the type detection result.

  GitHub

  Validation Bypass in kind-of

  Versions of kind-of 6.x prior to 6.0.3 are vulnerable to a Validation Bypass. A maliciously crafted object can alter the result of the type check, allowing attackers to bypass the type checking validation.

  Recommendation

  Upgrade to versions 6.0.3 or later.

• CVSS details - 7.5

   

  CVSS3 metrics
  Attack Vector	Network
  Attack Complexity	Low
  Privileges Required	None
  User interaction	None
  Scope	Unchanged
  Confidentiality	None
  Integrity	High
  Availability	None

• References

      type checking · Issue #30 · jonschlinkert/kind-of · GitHub
      fix type checking vul in ctorName by xiaofen9 · Pull Request #31 · jonschlinkert/kind-of · GitHub
      Validation Bypass in kind-of · CVE-2019-20149 · GitHub Advisory Database · GitHub
      NVD - CVE-2019-20149

CVE–2020–13822

• Description

  Integer Overflow or Wraparound

  The software performs a calculation that can produce an integer overflow or wraparound, when the logic assumes that the resulting value will always be larger than the original value. This can introduce other weaknesses when the calculation is used for resource management or execution control.

  NVD

  The Elliptic package 6.5.2 for Node.js allows ECDSA signature malleability via variations in encoding, leading '\0' bytes, or integer overflows. This could conceivably have a security-relevant impact if an application relied on a single canonical signature.

  GitHub

  Signature Malleabillity in elliptic

  The Elliptic package before version 6.5.3 for Node.js allows ECDSA signature malleability via variations in encoding, leading '\0' bytes, or integer overflows. This could conceivably have a security-relevant impact if an application relied on a single canonical signature.

• CVSS details - 7.7

   

  CVSS3 metrics
  Attack Vector	Network
  Attack Complexity	High
  Privileges Required	None
  User interaction	None
  Scope	Unchanged
  Confidentiality	High
  Integrity	High
  Availability	Low

• References

      Lack of encoding checks allows a certain degree of signature malleability in ECDSA signatures · Issue #226 · indutny/elliptic · GitHub
      Malleability-Attack: Why It Matters | by Herman Schoenfeld | Medium
      elliptic - npm
      How Not to Use ECDSA – Learning Words
      NVD - CVE-2020-13822
      GitHub - indutny/elliptic: Fast Elliptic Curve Cryptography in plain javascript
      Signature Malleabillity in elliptic · CVE-2020-13822 · GitHub Advisory Database · GitHub

CVE–2020–28498

• Description

  Use of a Broken or Risky Cryptographic Algorithm

  The use of a broken or risky cryptographic algorithm is an unnecessary risk that may result in the exposure of sensitive information.

  NVD

  All versions of package elliptic are vulnerable to Cryptographic Issues via the secp256k1 implementation in elliptic/ec/key.js. There is no check to confirm that the public key point passed into the derive function actually exists on the secp256k1 curve. This results in the potential for the private key used in this implementation to be revealed after a number of ECDH operations are performed.

  GitHub

  Use of a Broken or Risky Cryptographic Algorithm

  The npm package elliptic before version 6.5.4 are vulnerable to Cryptographic Issues via the secp256k1 implementation in elliptic/ec/key.js. There is no check to confirm that the public key point passed into the derive function actually exists on the secp256k1 curve. This results in the potential for the private key used in this implementation to be revealed after a number of ECDH operations are performed.

• CVSS details - 6.8

   

  CVSS3 metrics
  Attack Vector	Network
  Attack Complexity	High
  Privileges Required	None
  User interaction	None
  Scope	Changed
  Confidentiality	High
  Integrity	None
  Availability	None

• References

      blog/secp256k1_twist_attacks.md at master · christianlundkvist/blog · GitHub
      ec: validate that a point before deriving keys · indutny/elliptic@441b742 · GitHub
      Use of a Broken or Risky Cryptographic Algorithm · CVE-2020-28498 · GitHub Advisory Database · GitHub
      Private by kdenhartog · Pull Request #244 · indutny/elliptic · GitHub
      NVD - CVE-2020-28498

CVE–2020–7608

• Description

  Improper Input Validation

  The product does not validate or incorrectly validates input that can affect the control flow or data flow of a program.

  NVD

  yargs-parser could be tricked into adding or modifying properties of Object.prototype using a "proto" payload.

  NVD

  yargs-parser could be tricked into adding or modifying properties of Object.prototype using a "proto" payload.

• CVSS details - 5.3

   

  CVSS3 metrics
  Attack Vector	Local
  Attack Complexity	Low
  Privileges Required	Low
  User interaction	None
  Scope	Unchanged
  Confidentiality	Low
  Integrity	Low
  Availability	Low

• References

      THIRD PARTY
      fix: proto will now be replaced with proto in parse (#258) · yargs/yargs-parser@63810ca · GitHub

debricked–149739

• Description

  GitHub

  Prototype Pollution in yargs-parser

  Affected versions of yargs-parser are vulnerable to prototype pollution. Arguments are not properly sanitized, allowing an attacker to modify the prototype of Object, causing the addition or modification of an existing property that will exist on all objects.
  Parsing the argument --foo.__proto__.bar baz' adds a bar property with value baz to all objects. This is only exploitable if attackers have control over the arguments being passed to yargs-parser.

  Recommendation

  Upgrade to versions 13.1.2, 15.0.1, 18.1.1 or later.

• CVSS details

      No information

• References

      fix: proto will now be replaced with proto in parse (#258) · yargs/yargs-parser@63810ca · GitHub
      Prototype Pollution in yargs-parser · CVE-2020-7608 · GitHub Advisory Database · GitHub

CVE–2021–23329

• Description

  NVD

  The package nested-object-assign before 1.0.4 are vulnerable to Prototype Pollution via the default function, as demonstrated by running the PoC below.

  GitHub

  Prototype pollution in nested-object-assign

  The package nested-object-assign before 1.0.4 is vulnerable to Prototype Pollution via the default function.

• CVSS details - 7.5

   

  CVSS3 metrics
  Attack Vector	Network
  Attack Complexity	Low
  Privileges Required	None
  User interaction	None
  Scope	Unchanged
  Confidentiality	None
  Integrity	None
  Availability	High

• References

      Security Fix for Prototype Pollution - huntr.dev by huntr-helper · Pull Request #11 · Geta/NestedObjectAssign · GitHub
      NVD - CVE-2021-23329
      Prototype pollution in nested-object-assign · CVE-2021-23329 · GitHub Advisory Database · GitHub

CVE–2018–3774

• Description

  URL Redirection to Untrusted Site ('Open Redirect')

  A web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a Redirect. This simplifies phishing attacks.

  NVD

  Incorrect parsing in url-parse <1.4.3 returns wrong hostname which leads to multiple vulnerabilities such as SSRF, Open Redirect, Bypass Authentication Protocol.

  GitHub

  Open Redirect in url-parse

  Versions of url-parse before 1.4.3 returns the wrong hostname which could lead to Open Redirect, Server Side Request Forgery (SSRF), or Bypass Authentication Protocol vulnerabilities.

  Recommendation

  Update to version 1.4.3 or later.

• CVSS details - 10

   

  CVSS3 metrics
  Attack Vector	Network
  Attack Complexity	Low
  Privileges Required	None
  User interaction	None
  Scope	Changed
  Confidentiality	High
  Integrity	High
  Availability	High

• References

      [security] Sanitize paths, hosts before parsing. · unshiftio/url-parse@53b1794 · GitHub
      [security] Added missing SECURITY.md · unshiftio/url-parse@d7b582e · GitHub
      HackerOne
      NVD - CVE-2018-3774
      Open Redirect in url-parse · CVE-2018-3774 · GitHub Advisory Database · GitHub

CVE–2020–8124

• Description

  Improper Input Validation

  The product does not validate or incorrectly validates input that can affect the control flow or data flow of a program.

  NVD

  Insufficient validation and sanitization of user input exists in url-parse npm package version 1.4.4 and earlier may allow attacker to bypass security checks.

  NVD

  Insufficient validation and sanitization of user input exists in url-parse npm package version 1.4.4 and earlier may allow attacker to bypass security checks.

• CVSS details - 5.3

   

  CVSS3 metrics
  Attack Vector	Network
  Attack Complexity	Low
  Privileges Required	None
  User interaction	None
  Scope	Unchanged
  Confidentiality	None
  Integrity	Low
  Availability	None

• References

      THIRD PARTY
      HackerOne

CVE–2021–27515

• Description

  NVD

  url-parse before 1.5.0 mishandles certain uses of backslash such as http:/ and interprets the URI as a relative path.

  GitHub

  Path traversal in url-parse

  url-parse before 1.5.0 mishandles certain uses of backslash such as http:/ and interprets the URI as a relative path.

• CVSS details - 5.3

   

  CVSS3 metrics
  Attack Vector	Network
  Attack Complexity	Low
  Privileges Required	None
  User interaction	None
  Scope	Unchanged
  Confidentiality	None
  Integrity	Low
  Availability	None

• References

      [security] More backslash fixes (#197) · unshiftio/url-parse@d1e7e88 · GitHub
      Comparing 1.4.7...1.5.0 · unshiftio/url-parse · GitHub
      [security] More backslash fixes by 3rd-Eden · Pull Request #197 · unshiftio/url-parse · GitHub
      MISC
      NVD - CVE-2021-27515
      Path traversal in url-parse · CVE-2021-27515 · GitHub Advisory Database · GitHub

CVE–2020–7662

• Description

  NVD

  websocket-extensions npm module prior to 1.0.4 allows Denial of Service (DoS) via Regex Backtracking. The extension parser may take quadratic time when parsing a header containing an unclosed string parameter value whose content is a repeating two-byte sequence of a backslash and some other character. This could be abused by an attacker to conduct Regex Denial Of Service (ReDoS) on a single-threaded server by providing a malicious payload with the Sec-WebSocket-Extensions header.

  GitHub

  Regular Expression Denial of Service in websocket-extensions (NPM package)

  Impact

  The ReDoS flaw allows an attacker to exhaust the server's capacity to process
  incoming requests by sending a WebSocket handshake request containing a header
  of the following form:

   Sec-WebSocket-Extensions: a; b="\c\c\c\c\c\c\c\c\c\c ...
  

  That is, a header containing an unclosed string parameter value whose content is
  a repeating two-byte sequence of a backslash and some other character. The
  parser takes exponential time to reject this header as invalid, and this will
  block the processing of any other work on the same thread. Thus if you are
  running a single-threaded server, such a request can render your service
  completely unavailable.

  Patches

  Users should upgrade to version 0.1.4.

  Workarounds

  There are no known work-arounds other than disabling any public-facing
  WebSocket functionality you are operating.

  References

  • https://blog.jcoglan.com/2020/06/02/redos-vulnerability-in-websocket-extensions/

• CVSS details - 7.5

   

  CVSS3 metrics
  Attack Vector	Network
  Attack Complexity	Low
  Privileges Required	None
  User interaction	None
  Scope	Unchanged
  Confidentiality	None
  Integrity	None
  Availability	High

• References

      ReDoS vulnerability in websocket-extensions – The If Works
      Remove ReDoS vulnerability in the Sec-WebSocket-Extensions header parser · faye/websocket-extensions-node@29496f6 · GitHub
      ReDoS vulnerability in Sec-WebSocket-Extensions parser · Advisory · faye/websocket-extensions-node · GitHub
      Regular Expression Denial of Service in websocket-extensions (NPM package) · CVE-2020-7662 · GitHub Advisory Database · GitHub
      NVD - CVE-2020-7662
      Remove ReDoS vulnerability in the Sec-WebSocket-Extensions header parser · faye/websocket-extensions-ruby@aa156a4 · GitHub

CVE–2021–26707

• Description

  NVD

  The merge-deep library before 3.0.3 for Node.js can be tricked into overwriting properties of Object.prototype or adding new properties to it. These properties are then inherited by every object in the program, thus facilitating prototype-pollution attacks against applications using this library.

  GitHub

  Prototype pollution in Merge-deep

  The merge-deep library before 3.0.3 for Node.js can be tricked into overwriting properties of Object.prototype or adding new properties to it. These properties are then inherited by every object in the program, thus facilitating prototype-pollution attacks against applications using this library.

• CVSS details - 9.8

   

  CVSS3 metrics
  Attack Vector	Network
  Attack Complexity	Low
  Privileges Required	None
  User interaction	None
  Scope	Unchanged
  Confidentiality	High
  Integrity	High
  Availability	High

• References

      add isValidKey function to ensure only valid keys are merged · jonschlinkert/merge-deep@11e5dd5 · GitHub
      merge-deep - npm
      GHSL-2020-160: Prototype pollution in Merge-deep | GitHub Security Lab

CVE–2021–23362

• Description

  NVD

  The package hosted-git-info before 3.0.8 are vulnerable to Regular Expression Denial of Service (ReDoS) via shortcutMatch in fromUrl().

  GitHub

  Regular Expression Denial of Service in hosted-git-info

  The npm package hosted-git-info before 3.0.8 are vulnerable to Regular Expression Denial of Service (ReDoS) via regular expression shortcutMatch in the fromUrl function in index.js. The affected regular expression exhibits polynomial worst-case time complexity

• CVSS details - 5.3

   

  CVSS3 metrics
  Attack Vector	Network
  Attack Complexity	Low
  Privileges Required	None
  User interaction	None
  Scope	Unchanged
  Confidentiality	None
  Integrity	None
  Availability	Low

• References

      Commits · npm/hosted-git-info · GitHub
      fix: backport regex fix from #76 · npm/hosted-git-info@29adfe5 · GitHub
      chore(release): 2.8.9 · npm/hosted-git-info@8d4b369 · GitHub
      fix: simplify the regular expression for shortcut matching · npm/hosted-git-info@bede0dc · GitHub
      NVD - CVE-2021-23362
      Regular Expression Denial of Service in hosted-git-info · CVE-2021-23362 · GitHub Advisory Database · GitHub

CVE–2021–23358

• Description

  Improper Control of Generation of Code ('Code Injection')

  The software constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

  NVD

  The package underscore from 1.13.0-0 and before 1.13.0-2, from 1.3.2 and before 1.12.1 are vulnerable to Arbitrary Code Execution via the template function, particularly when a variable property is passed as an argument as it is not sanitized.

  GitHub

  Arbitrary Code Execution in underscore

  The package underscore from 1.13.0-0 and before 1.13.0-2, from 1.3.2 and before 1.12.1 are vulnerable to Arbitrary Code Execution via the template function, particularly when a variable property is passed as an argument as it is not sanitized.

• CVSS details - 7.2

   

  CVSS3 metrics
  Attack Vector	Network
  Attack Complexity	Low
  Privileges Required	High
  User interaction	None
  Scope	Unchanged
  Confidentiality	High
  Integrity	High
  Availability	High

• References

      MISC
      [SECURITY] [DLA 2613-1] underscore security update
      Debian -- Security Information -- DSA-4883-1 underscore
      Pony Mail!
      Pony Mail!
      Pony Mail!
      Pony Mail!
      Pony Mail!
      underscore/template.js at master · jashkenas/underscore · GitHub
      NVD - CVE-2021-23358
      underscore/template.js at cb5f6fc6c2400649d942f1e36f9e5191fb7a1bf1 · jashkenas/underscore · GitHub
      Arbitrary Code Execution in underscore · CVE-2021-23358 · GitHub Advisory Database · GitHub
      Fix #2911 · jashkenas/underscore@4c73526 · GitHub

CVE–2019–15657

• Description

  NVD

  In eslint-utils before 1.4.1, the getStaticValue function can execute arbitrary code.

  GitHub

  Arbitrary Code Execution in eslint-utils

  Versions of eslint-utils >=1.2.0 or <1.4.1 are vulnerable to Arbitrary Code Execution. The getStaticValue does not properly sanitize user input allowing attackers to supply malicious input that executes arbitrary code during the linting process. The getStringIfConstant and getPropertyName functions are not affected.

  Recommendation

  Upgrade to version 1.4.1 or later.

• CVSS details - 9.8

   

  CVSS3 metrics
  Attack Vector	Network
  Attack Complexity	Low
  Privileges Required	None
  User interaction	None
  Scope	Unchanged
  Confidentiality	High
  Integrity	High
  Availability	High

• References

      'getStaticValue' function can execute arbitrary code · Advisory · mysticatea/eslint-utils · GitHub
      NVD - CVE-2019-15657
      Arbitrary Code Execution in eslint-utils · CVE-2019-15657 · GitHub Advisory Database · GitHub

CVE–2019–20922

• Description

  Loop with Unreachable Exit Condition ('Infinite Loop')

  The program contains an iteration or loop with an exit condition that cannot be reached, i.e., an infinite loop.

  NVD

  Handlebars before 4.4.5 allows Regular Expression Denial of Service (ReDoS) because of eager matching. The parser may be forced into an endless loop while processing crafted templates. This may allow attackers to exhaust system resources.

• CVSS details - 7.5

   

  CVSS3 metrics
  Attack Vector	Network
  Attack Complexity	Low
  Privileges Required	None
  User interaction	None
  Scope	Unchanged
  Confidentiality	None
  Integrity	None
  Availability	High

• References

      fix: non-eager matching raw-block-contents · handlebars-lang/handlebars.js@8d5530e · GitHub
      npm

CVE–2019–20920

• Description

  Improper Control of Generation of Code ('Code Injection')

  The software constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

  NVD

  Handlebars before 3.0.8 and 4.x before 4.5.3 is vulnerable to Arbitrary Code Execution. The lookup helper fails to properly validate templates, allowing attackers to submit templates that execute arbitrary JavaScript. This can be used to run arbitrary code on a server processing Handlebars templates or in a victim's browser (effectively serving as XSS).

• CVSS details - 8.1

   

  CVSS3 metrics
  Attack Vector	Network
  Attack Complexity	High
  Privileges Required	None
  User interaction	None
  Scope	Changed
  Confidentiality	High
  Integrity	Low
  Availability	Low

• References

      npm
      npm

CVE–2021–23369

• Description

  NVD

  The package handlebars before 4.7.7 are vulnerable to Remote Code Execution (RCE) when selecting certain compiling options to compile templates coming from an untrusted source.

  GitHub

  Remote code execution in handlebars when compiling templates

  The package handlebars before 4.7.7 are vulnerable to Remote Code Execution (RCE) when selecting certain compiling options to compile templates coming from an untrusted source.

• CVSS details - 9.8

   

  CVSS3 metrics
  Attack Vector	Network
  Attack Complexity	Low
  Privileges Required	None
  User interaction	None
  Scope	Unchanged
  Confidentiality	High
  Integrity	High
  Availability	High

• References

      CVE-2021-23369 Node.js Vulnerability in NetApp Products | NetApp Product Security
      fix: check prototype property access in strict-mode (#1736) · handlebars-lang/handlebars.js@b6d3de7 · GitHub
      fix: escape property names in compat mode (#1736) · handlebars-lang/handlebars.js@f058970 · GitHub

CVE–2021–23383

• Description

  NVD

  The package handlebars before 4.7.7 are vulnerable to Prototype Pollution when selecting certain compiling options to compile templates coming from an untrusted source.

• CVSS details - 9.8

   

  CVSS3 metrics
  Attack Vector	Network
  Attack Complexity	Low
  Privileges Required	None
  User interaction	None
  Scope	Unchanged
  Confidentiality	High
  Integrity	High
  Availability	High

• References

      fix: escape property names in compat mode (#1736) · handlebars-lang/handlebars.js@f058970 · GitHub
      CVE-2021-23383 Node.js Vulnerability in NetApp Products | NetApp Product Security

CVE–2018–16469

• Description

  Improper Input Validation

  The product does not validate or incorrectly validates input that can affect the control flow or data flow of a program.

  NVD

  The merge.recursive function in the merge package <1.2.1 can be tricked into adding or modifying properties of the Object prototype. These properties will be present on all objects allowing for a denial of service attack.

  GitHub

  Prototype Pollution in merge

  Versions of merge before 1.2.1 are vulnerable to prototype pollution. The merge.recursive function can be tricked into adding or modifying properties of the Object prototype.

  Recommendation

  Update to version 1.2.1 or later.

• CVSS details - 7.5

   

  CVSS3 metrics
  Attack Vector	Network
  Attack Complexity	Low
  Privileges Required	None
  User interaction	None
  Scope	Unchanged
  Confidentiality	None
  Integrity	None
  Availability	High

• References

      HackerOne
      Prototype Pollution in merge · CVE-2018-16469 · GitHub Advisory Database · GitHub
      NVD - CVE-2018-16469

CVE–2020–28499

• Description

  NVD

  All versions of package merge are vulnerable to Prototype Pollution via _recursiveMerge .

  GitHub

  Prototype Pollution in merge

  All versions of package merge <2.1.1 are vulnerable to Prototype Pollution via _recursiveMerge .

• CVSS details - 9.8

   

  CVSS3 metrics
  Attack Vector	Network
  Attack Complexity	Low
  Privileges Required	None
  User interaction	None
  Scope	Unchanged
  Confidentiality	High
  Integrity	High
  Availability	High

• References

      CVE-2020-28499 | merge Package Prototype _recursiveMerge code injection (SNYK-JS-MERGE-1042987)
      CONFIRM

CVE–2017–16028

• Description

  Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)

  The product uses a Pseudo-Random Number Generator (PRNG) in a security context, but the PRNG's algorithm is not cryptographically strong.

  NVD

  react-native-meteor-oauth is a library for Oauth2 login to a Meteor server in React Native. The oauth Random Token is generated using a non-cryptographically strong RNG (Math.random()).

  GitHub

  Cryptographically Weak PRNG in randomatic

  Affected versions of randomatic generate random values using a cryptographically weak psuedo-random number generator. This may result in predictable values instead of random values as intended.

  Recommendation

  Update to version 3.0.0 or later.

• CVSS details - 5.3

   

  CVSS3 metrics
  Attack Vector	Network
  Attack Complexity	Low
  Privileges Required	None
  User interaction	None
  Scope	Unchanged
  Confidentiality	Low
  Integrity	None
  Availability	None

• References

      nodesecurity.io -&nbspnodesecurity Resources and Information.
      react-native-meteor-oauth/meteor-oauth.js at a7eb738b74c469f5db20296b44b7cae4e2337435 · tableflip/react-native-meteor-oauth · GitHub
      use cryptographically secure random function · jonschlinkert/randomatic@4a52695 · GitHub
      NVD - CVE-2017-16028
      Cryptographically Weak PRNG in randomatic · CVE-2017-16028 · GitHub Advisory Database · GitHub

CVE–2018–14732

• Description

  Improper Input Validation

  The product does not validate or incorrectly validates input that can affect the control flow or data flow of a program.

  NVD

  An issue was discovered in lib/Server.js in webpack-dev-server before 3.1.6. Attackers are able to steal developer's code because the origin of requests is not checked by the WebSocket server, which is used for HMR (Hot Module Replacement). Anyone can receive the HMR message sent by the WebSocket server via a ws://127.0.0.1:8080/ connection from any origin.

  GitHub

  Missing Origin Validation in webpack-dev-server

  Versions of webpack-dev-server before 3.1.10 are missing origin validation on the websocket server. This vulnerability allows a remote attacker to steal a developer's source code because the origin of requests to the websocket server that is used for Hot Module Replacement (HMR) are not validated.

  Recommendation

  For webpack-dev-server 2.x update to version 2.11.4 or later.
  For webpack-dev-server 3.x update to version 3.1.11 or later.

• CVSS details - 7.5

   

  CVSS3 metrics
  Attack Vector	Network
  Attack Complexity	Low
  Privileges Required	None
  User interaction	None
  Scope	Unchanged
  Confidentiality	High
  Integrity	None
  Availability	None

• References

      crblog
      check origin header for websocket connection · webpack/webpack-dev-server@f18e5ad · GitHub
      A vulnerability found in webpack-dev-server · Issue #1445 · webpack/webpack-dev-server · GitHub
      NVD - CVE-2018-14732
      Missing Origin Validation in webpack-dev-server · CVE-2018-14732 · GitHub Advisory Database · GitHub

CVE–2021–23386

• Description

  Exposure of Sensitive Information to an Unauthorized Actor

  The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

  NVD

  This affects the package dns-packet before 5.2.2. It creates buffers with allocUnsafe and does not always fill them before forming network packets. This can expose internal application memory over unencrypted network when querying crafted invalid domain names.

  GitHub

  Potential memory exposure in dns-packet

  This affects the package dns-packet before versions 1.3.2 and 5.2.2. It creates buffers with allocUnsafe and does not always fill them before forming network packets. This can expose internal application memory over unencrypted network when querying crafted invalid domain names.

• CVSS details - 6.5

   

  CVSS3 metrics
  Attack Vector	Network
  Attack Complexity	Low
  Privileges Required	Low
  User interaction	None
  Scope	Unchanged
  Confidentiality	High
  Integrity	None
  Availability	None

• References

      HackerOne
      do trim on encodingLength as well · mafintosh/dns-packet@25f15dd · GitHub

debricked–149740

• Description

  GitHub

  Denial of Service in http-proxy

  Versions of http-proxy prior to 1.18.1 are vulnerable to Denial of Service. An HTTP request with a long body triggers an ERR_HTTP_HEADERS_SENT unhandled exception that crashes the proxy server. This is only possible when the proxy server sets headers in the proxy request using the proxyReq.setHeader function.

  For a proxy server running on http://localhost:3000, the following curl request triggers the unhandled exception:
  curl -XPOST http://localhost:3000 -d "$(python -c 'print("x"*1025)')"

  Recommendation

  Upgrade to version 1.18.1 or later

• CVSS details

      No information

• References

      Denial of Service in http-proxy · GHSA-6x33-pw7p-hmpq · GitHub Advisory Database · GitHub
      Skip sending the proxyReq event when the expect header is present by jsmylnycky · Pull Request #1447 · http-party/node-http-proxy · GitHub

CVE–2020–7720

• Description

  Improper Input Validation

  The product does not validate or incorrectly validates input that can affect the control flow or data flow of a program.

  NVD

  All versions of package node-forge are vulnerable to Prototype Pollution via the util.setPath function.

  GitHub

  Prototype Pollution in node-forge

  The package node-forge before 0.10.0 is vulnerable to Prototype Pollution via the util.setPath function. Note: Version 0.10.0 is a breaking change removing the vulnerable functions.

• CVSS details - 7.3

   

  CVSS3 metrics
  Attack Vector	Network
  Attack Complexity	Low
  Privileges Required	None
  User interaction	None
  Scope	Unchanged
  Confidentiality	Low
  Integrity	Low
  Availability	Low

• References

      forge/CHANGELOG.md at master · digitalbazaar/forge · GitHub
      NVD - CVE-2020-7720
      Prototype Pollution in node-forge · CVE-2020-7720 · GitHub Advisory Database · GitHub
      GitHub - digitalbazaar/forge: A native implementation of TLS in Javascript and tools to write crypto-based and network-heavy webapps

CVE–2020–7693

• Description

  Improper Input Validation

  The product does not validate or incorrectly validates input that can affect the control flow or data flow of a program.

  NVD

  Incorrect handling of Upgrade header with the value websocket leads in crashing of containers hosting sockjs apps. This affects the package sockjs before 0.3.20.

  GitHub

  Improper Input Validation in SocksJS-Node

  Incorrect handling of Upgrade header with the value websocket leads in crashing of containers hosting sockjs apps. This affects the package sockjs before 0.3.20.

• CVSS details - 5.3

   

  CVSS3 metrics
  Attack Vector	Network
  Attack Complexity	Low
  Privileges Required	None
  User interaction	None
  Scope	Unchanged
  Confidentiality	None
  Integrity	None
  Availability	Low

• References

      GitHub - andsnw/sockjs-dos-py: CVE-2020-7693: SockJS 0.3.19 Denial of Service POC
      Merge pull request #266 from cakoose/backport-writeHead-fix · sockjs/sockjs-node@dd7e642 · GitHub
      ERR_STREAM_WRITE_AFTER_END when issuing upgrade request on non-existent URL · Issue #252 · sockjs/sockjs-node · GitHub
      Call res.write instead of res.end in writeHead by brycekahle · Pull Request #265 · sockjs/sockjs-node · GitHub
      NVD - CVE-2020-7693
      Improper Input Validation in SocksJS-Node · CVE-2020-7693 · GitHub Advisory Database · GitHub

 

Related information

📌 Remember! Check the changes to ensure they don't introduce any breaking changes.
📚 Read more at Debricked