
karma-sauce-launcher-0.3.1.tgz: 18 vulnerabilities (highest severity is: 9.8) #7

Open
mend-for-github-com bot opened this issue Feb 8, 2022 · 0 comments
Labels
security vulnerability Security vulnerability detected by WhiteSource

Comments


Vulnerable Library - karma-sauce-launcher-0.3.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/jsonpointer/package.json

Found in HEAD commit: 79859a7465b541051407125fbc97d67425b33dc4

Vulnerabilities

| CVE | Severity | CVSS | Dependency | Type | Fixed in | Remediation Available |
| --- | --- | --- | --- | --- | --- | --- |
| CVE-2021-23807 | High | 9.8 | jsonpointer-4.1.0.tgz | Transitive | 1.0.0 | |
| CVE-2018-1000620 | High | 9.8 | cryptiles-2.0.5.tgz | Transitive | 1.1.0 | |
| CVE-2019-10744 | High | 9.1 | multiple | Transitive | 1.2.0 | |
| CVE-2018-3728 | High | 8.8 | hoek-2.16.3.tgz | Transitive | 1.1.0 | |
| CVE-2016-10540 | High | 7.5 | minimatch-2.0.10.tgz | Transitive | 1.1.0 | |
| CVE-2016-2515 | High | 7.5 | hawk-2.3.1.tgz | Transitive | 1.1.0 | |
| CVE-2017-1000048 | High | 7.5 | qs-2.4.2.tgz | Transitive | 1.1.0 | |
| WS-2017-3772 | High | 7.5 | underscore.string-3.0.3.tgz | Transitive | 1.1.0 | |
| CVE-2017-16116 | High | 7.5 | underscore.string-3.0.3.tgz | Transitive | N/A | |
| CVE-2020-8203 | High | 7.4 | multiple | Transitive | 1.2.0 | |
| CVE-2021-23337 | High | 7.2 | multiple | Transitive | 1.2.0 | |
| CVE-2019-1010266 | Medium | 6.5 | multiple | Transitive | 1.2.0 | |
| CVE-2018-3721 | Medium | 6.5 | multiple | Transitive | 1.2.0 | |
| CVE-2020-8244 | Medium | 6.5 | bl-0.9.5.tgz | Transitive | 1.1.0 | |
| CVE-2017-16026 | Medium | 5.9 | request-2.55.0.tgz | Transitive | 1.1.0 | |
| CVE-2018-16487 | Medium | 5.6 | multiple | Transitive | 1.2.0 | |
| WS-2018-0076 | Medium | 5.1 | tunnel-agent-0.4.3.tgz | Transitive | 1.1.0 | |
| WS-2017-0266 | Low | 3.5 | http-signature-0.10.1.tgz | Transitive | 1.1.0 | |

Details

Partial details (15 vulnerabilities) are displayed below due to a content size limitation in GitHub. To view information on the remaining vulnerabilities, navigate to the WhiteSource Application.

CVE-2021-23807

Vulnerable Library - jsonpointer-4.1.0.tgz

Simple JSON Addressing.

Library home page: https://registry.npmjs.org/jsonpointer/-/jsonpointer-4.1.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/jsonpointer/package.json

Dependency Hierarchy:

  • karma-sauce-launcher-0.3.1.tgz (Root Library)
    • wd-0.3.12.tgz
      • request-2.55.0.tgz
        • har-validator-1.8.0.tgz
          • is-my-json-valid-2.20.5.tgz
            • jsonpointer-4.1.0.tgz (Vulnerable Library)

Found in HEAD commit: 79859a7465b541051407125fbc97d67425b33dc4

Found in base branch: master

Vulnerability Details

This affects the package jsonpointer before 5.0.0. A type confusion vulnerability can lead to a bypass of a previous Prototype Pollution fix when the pointer components are arrays.

Publish Date: 2021-11-03

URL: CVE-2021-23807

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23807

Release Date: 2021-11-03

Fix Resolution (jsonpointer): 5.0.0

Direct dependency fix Resolution (karma-sauce-launcher): 1.0.0

⛑️ Automatic Remediation is available for this issue

CVE-2018-1000620

Vulnerable Library - cryptiles-2.0.5.tgz

General purpose crypto utilities

Library home page: https://registry.npmjs.org/cryptiles/-/cryptiles-2.0.5.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/cryptiles/package.json

Dependency Hierarchy:

  • karma-sauce-launcher-0.3.1.tgz (Root Library)
    • wd-0.3.12.tgz
      • request-2.55.0.tgz
        • hawk-2.3.1.tgz
          • cryptiles-2.0.5.tgz (Vulnerable Library)

Found in HEAD commit: 79859a7465b541051407125fbc97d67425b33dc4

Found in base branch: master

Vulnerability Details

Eran Hammer cryptiles version 4.1.1 and earlier contains a CWE-331: Insufficient Entropy vulnerability in the randomDigits() method, which can result in an attacker being more likely to brute-force something that was supposed to be random. Exploitability depends upon the calling application. This vulnerability appears to have been fixed in 4.1.2.

Publish Date: 2018-07-09

URL: CVE-2018-1000620

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-1000620

Release Date: 2018-07-09

Fix Resolution (cryptiles): 4.1.2

Direct dependency fix Resolution (karma-sauce-launcher): 1.1.0

⛑️ Automatic Remediation is available for this issue

CVE-2019-10744

Vulnerable Libraries - lodash-3.2.0.tgz, lodash-3.9.3.tgz

lodash-3.2.0.tgz

The modern build of lodash modular utilities.

Library home page: https://registry.npmjs.org/lodash/-/lodash-3.2.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/archiver/node_modules/lodash/package.json,/node_modules/zip-stream/node_modules/lodash/package.json

Dependency Hierarchy:

  • karma-sauce-launcher-0.3.1.tgz (Root Library)
    • wd-0.3.12.tgz
      • archiver-0.14.4.tgz
        • lodash-3.2.0.tgz (Vulnerable Library)

lodash-3.9.3.tgz

The modern build of lodash modular utilities.

Library home page: https://registry.npmjs.org/lodash/-/lodash-3.9.3.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/wd/node_modules/lodash/package.json

Dependency Hierarchy:

  • karma-sauce-launcher-0.3.1.tgz (Root Library)
    • wd-0.3.12.tgz
      • lodash-3.9.3.tgz (Vulnerable Library)

Found in HEAD commit: 79859a7465b541051407125fbc97d67425b33dc4

Found in base branch: master

Vulnerability Details

Versions of lodash lower than 4.17.12 are vulnerable to Prototype Pollution. The function defaultsDeep could be tricked into adding or modifying properties of Object.prototype using a constructor payload.

Publish Date: 2019-07-26

URL: CVE-2019-10744

CVSS 3 Score Details (9.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-jf85-cpcp-j695

Release Date: 2019-07-26

Fix Resolution (lodash): 4.17.12

Direct dependency fix Resolution (karma-sauce-launcher): 1.2.0

⛑️ Automatic Remediation is available for this issue

CVE-2018-3728

Vulnerable Library - hoek-2.16.3.tgz

General purpose node utilities

Library home page: https://registry.npmjs.org/hoek/-/hoek-2.16.3.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/hoek/package.json

Dependency Hierarchy:

  • karma-sauce-launcher-0.3.1.tgz (Root Library)
    • wd-0.3.12.tgz
      • request-2.55.0.tgz
        • hawk-2.3.1.tgz
          • hoek-2.16.3.tgz (Vulnerable Library)

Found in HEAD commit: 79859a7465b541051407125fbc97d67425b33dc4

Found in base branch: master

Vulnerability Details

hoek node module before 4.2.0 and 5.0.x before 5.0.3 suffers from a Modification of Assumed-Immutable Data (MAID) vulnerability via 'merge' and 'applyToDefaults' functions, which allows a malicious user to modify the prototype of "Object" via `__proto__`, causing the addition or modification of an existing property that will exist on all objects.

Publish Date: 2018-03-30

URL: CVE-2018-3728

CVSS 3 Score Details (8.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16082

Release Date: 2018-03-30

Fix Resolution (hoek): 4.2.0

Direct dependency fix Resolution (karma-sauce-launcher): 1.1.0

⛑️ Automatic Remediation is available for this issue

CVE-2016-10540

Vulnerable Library - minimatch-2.0.10.tgz

a glob matcher in javascript

Library home page: https://registry.npmjs.org/minimatch/-/minimatch-2.0.10.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/archiver/node_modules/minimatch/package.json

Dependency Hierarchy:

  • karma-sauce-launcher-0.3.1.tgz (Root Library)
    • wd-0.3.12.tgz
      • archiver-0.14.4.tgz
        • glob-4.3.5.tgz
          • minimatch-2.0.10.tgz (Vulnerable Library)

Found in HEAD commit: 79859a7465b541051407125fbc97d67425b33dc4

Found in base branch: master

Vulnerability Details

Minimatch is a minimal matching utility that works by converting glob expressions into JavaScript RegExp objects. The primary function, minimatch(path, pattern) in Minimatch 3.0.1 and earlier is vulnerable to ReDoS in the pattern parameter.

Publish Date: 2018-05-31

URL: CVE-2016-10540

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2016-10540

Release Date: 2018-05-31

Fix Resolution (minimatch): 3.0.2

Direct dependency fix Resolution (karma-sauce-launcher): 1.1.0

⛑️ Automatic Remediation is available for this issue

CVE-2016-2515

Vulnerable Library - hawk-2.3.1.tgz

HTTP Hawk Authentication Scheme

Library home page: https://registry.npmjs.org/hawk/-/hawk-2.3.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/hawk/package.json

Dependency Hierarchy:

  • karma-sauce-launcher-0.3.1.tgz (Root Library)
    • wd-0.3.12.tgz
      • request-2.55.0.tgz
        • hawk-2.3.1.tgz (Vulnerable Library)

Found in HEAD commit: 79859a7465b541051407125fbc97d67425b33dc4

Found in base branch: master

Vulnerability Details

Hawk before 3.1.3 and 4.x before 4.1.1 allow remote attackers to cause a denial of service (CPU consumption or partial outage) via a long (1) header or (2) URI that is matched against an improper regular expression.

Publish Date: 2016-04-13

URL: CVE-2016-2515

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2016-2515

Release Date: 2016-04-13

Fix Resolution (hawk): 3.1.3

Direct dependency fix Resolution (karma-sauce-launcher): 1.1.0

⛑️ Automatic Remediation is available for this issue

CVE-2017-1000048

Vulnerable Library - qs-2.4.2.tgz

A querystring parser that supports nesting and arrays, with a depth limit

Library home page: https://registry.npmjs.org/qs/-/qs-2.4.2.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/wd/node_modules/qs/package.json

Dependency Hierarchy:

  • karma-sauce-launcher-0.3.1.tgz (Root Library)
    • wd-0.3.12.tgz
      • request-2.55.0.tgz
        • qs-2.4.2.tgz (Vulnerable Library)

Found in HEAD commit: 79859a7465b541051407125fbc97d67425b33dc4

Found in base branch: master

Vulnerability Details

A web framework using ljharb's qs module older than v6.3.2, v6.2.3, v6.1.2, or v6.0.4 is vulnerable to a DoS. A malicious user can send a crafted request that causes the web framework to crash.

Publish Date: 2017-07-17

URL: CVE-2017-1000048

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000048

Release Date: 2017-07-17

Fix Resolution (qs): 6.0.4

Direct dependency fix Resolution (karma-sauce-launcher): 1.1.0

⛑️ Automatic Remediation is available for this issue

WS-2017-3772

Vulnerable Library - underscore.string-3.0.3.tgz

String manipulation extensions for Underscore.js javascript library.

Library home page: https://registry.npmjs.org/underscore.string/-/underscore.string-3.0.3.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/underscore.string/package.json

Dependency Hierarchy:

  • karma-sauce-launcher-0.3.1.tgz (Root Library)
    • wd-0.3.12.tgz
      • underscore.string-3.0.3.tgz (Vulnerable Library)

Found in HEAD commit: 79859a7465b541051407125fbc97d67425b33dc4

Found in base branch: master

Vulnerability Details

A Regular Expression Denial of Service (ReDoS) vulnerability was found in underscore.string 2.4.0 through 3.3.5.

Publish Date: 2017-09-08

URL: WS-2017-3772

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: esamattis/underscore.string@f486cd6

Release Date: 2017-09-08

Fix Resolution (underscore.string): 3.3.3

Direct dependency fix Resolution (karma-sauce-launcher): 1.1.0

⛑️ Automatic Remediation is available for this issue

CVE-2017-16116

Vulnerable Library - underscore.string-3.0.3.tgz

String manipulation extensions for Underscore.js javascript library.

Library home page: https://registry.npmjs.org/underscore.string/-/underscore.string-3.0.3.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/underscore.string/package.json

Dependency Hierarchy:

  • karma-sauce-launcher-0.3.1.tgz (Root Library)
    • wd-0.3.12.tgz
      • underscore.string-3.0.3.tgz (Vulnerable Library)

Found in HEAD commit: 79859a7465b541051407125fbc97d67425b33dc4

Found in base branch: master

Vulnerability Details

The string module is a module that provides extra string operations. The string module is vulnerable to regular expression denial of service when specifically crafted untrusted user input is passed into the underscore or unescapeHTML methods.

Publish Date: 2018-06-07

URL: CVE-2017-16116

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

CVE-2020-8203

Vulnerable Libraries - lodash-3.2.0.tgz, lodash-3.9.3.tgz

lodash-3.2.0.tgz

The modern build of lodash modular utilities.

Library home page: https://registry.npmjs.org/lodash/-/lodash-3.2.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/archiver/node_modules/lodash/package.json,/node_modules/zip-stream/node_modules/lodash/package.json

Dependency Hierarchy:

  • karma-sauce-launcher-0.3.1.tgz (Root Library)
    • wd-0.3.12.tgz
      • archiver-0.14.4.tgz
        • lodash-3.2.0.tgz (Vulnerable Library)

lodash-3.9.3.tgz

The modern build of lodash modular utilities.

Library home page: https://registry.npmjs.org/lodash/-/lodash-3.9.3.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/wd/node_modules/lodash/package.json

Dependency Hierarchy:

  • karma-sauce-launcher-0.3.1.tgz (Root Library)
    • wd-0.3.12.tgz
      • lodash-3.9.3.tgz (Vulnerable Library)

Found in HEAD commit: 79859a7465b541051407125fbc97d67425b33dc4

Found in base branch: master

Vulnerability Details

Prototype pollution attack when using _.zipObjectDeep in lodash before 4.17.20.

Publish Date: 2020-07-15

URL: CVE-2020-8203

CVSS 3 Score Details (7.4)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/1523

Release Date: 2020-07-15

Fix Resolution (lodash): 4.17.9

Direct dependency fix Resolution (karma-sauce-launcher): 1.2.0

⛑️ Automatic Remediation is available for this issue

CVE-2021-23337

Vulnerable Libraries - lodash-3.2.0.tgz, lodash-3.9.3.tgz

lodash-3.2.0.tgz

The modern build of lodash modular utilities.

Library home page: https://registry.npmjs.org/lodash/-/lodash-3.2.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/archiver/node_modules/lodash/package.json,/node_modules/zip-stream/node_modules/lodash/package.json

Dependency Hierarchy:

  • karma-sauce-launcher-0.3.1.tgz (Root Library)
    • wd-0.3.12.tgz
      • archiver-0.14.4.tgz
        • lodash-3.2.0.tgz (Vulnerable Library)

lodash-3.9.3.tgz

The modern build of lodash modular utilities.

Library home page: https://registry.npmjs.org/lodash/-/lodash-3.9.3.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/wd/node_modules/lodash/package.json

Dependency Hierarchy:

  • karma-sauce-launcher-0.3.1.tgz (Root Library)
    • wd-0.3.12.tgz
      • lodash-3.9.3.tgz (Vulnerable Library)

Found in HEAD commit: 79859a7465b541051407125fbc97d67425b33dc4

Found in base branch: master

Vulnerability Details

Lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function.

Publish Date: 2021-02-15

URL: CVE-2021-23337

CVSS 3 Score Details (7.2)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: High
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: lodash/lodash@3469357

Release Date: 2021-02-15

Fix Resolution (lodash): 4.17.21

Direct dependency fix Resolution (karma-sauce-launcher): 1.2.0

⛑️ Automatic Remediation is available for this issue

CVE-2019-1010266

Vulnerable Libraries - lodash-3.2.0.tgz, lodash-3.9.3.tgz

lodash-3.2.0.tgz

The modern build of lodash modular utilities.

Library home page: https://registry.npmjs.org/lodash/-/lodash-3.2.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/archiver/node_modules/lodash/package.json,/node_modules/zip-stream/node_modules/lodash/package.json

Dependency Hierarchy:

  • karma-sauce-launcher-0.3.1.tgz (Root Library)
    • wd-0.3.12.tgz
      • archiver-0.14.4.tgz
        • lodash-3.2.0.tgz (Vulnerable Library)

lodash-3.9.3.tgz

The modern build of lodash modular utilities.

Library home page: https://registry.npmjs.org/lodash/-/lodash-3.9.3.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/wd/node_modules/lodash/package.json

Dependency Hierarchy:

  • karma-sauce-launcher-0.3.1.tgz (Root Library)
    • wd-0.3.12.tgz
      • lodash-3.9.3.tgz (Vulnerable Library)

Found in HEAD commit: 79859a7465b541051407125fbc97d67425b33dc4

Found in base branch: master

Vulnerability Details

lodash prior to 4.17.11 is affected by: CWE-400: Uncontrolled Resource Consumption. The impact is: Denial of service. The component is: Date handler. The attack vector is: Attacker provides very long strings, which the library attempts to match using a regular expression. The fixed version is: 4.17.11.

Publish Date: 2019-07-17

URL: CVE-2019-1010266

CVSS 3 Score Details (6.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1010266

Release Date: 2020-09-30

Fix Resolution (lodash): 4.17.11

Direct dependency fix Resolution (karma-sauce-launcher): 1.2.0

⛑️ Automatic Remediation is available for this issue

CVE-2018-3721

Vulnerable Libraries - lodash-3.2.0.tgz, lodash-3.9.3.tgz

lodash-3.2.0.tgz

The modern build of lodash modular utilities.

Library home page: https://registry.npmjs.org/lodash/-/lodash-3.2.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/archiver/node_modules/lodash/package.json,/node_modules/zip-stream/node_modules/lodash/package.json

Dependency Hierarchy:

  • karma-sauce-launcher-0.3.1.tgz (Root Library)
    • wd-0.3.12.tgz
      • archiver-0.14.4.tgz
        • lodash-3.2.0.tgz (Vulnerable Library)

lodash-3.9.3.tgz

The modern build of lodash modular utilities.

Library home page: https://registry.npmjs.org/lodash/-/lodash-3.9.3.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/wd/node_modules/lodash/package.json

Dependency Hierarchy:

  • karma-sauce-launcher-0.3.1.tgz (Root Library)
    • wd-0.3.12.tgz
      • lodash-3.9.3.tgz (Vulnerable Library)

Found in HEAD commit: 79859a7465b541051407125fbc97d67425b33dc4

Found in base branch: master

Vulnerability Details

lodash node module before 4.17.5 suffers from a Modification of Assumed-Immutable Data (MAID) vulnerability via defaultsDeep, merge, and mergeWith functions, which allows a malicious user to modify the prototype of "Object" via `__proto__`, causing the addition or modification of an existing property that will exist on all objects.

Publish Date: 2018-06-07

URL: CVE-2018-3721

CVSS 3 Score Details (6.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: High
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2018-3721

Release Date: 2018-06-07

Fix Resolution (lodash): 4.17.5

Direct dependency fix Resolution (karma-sauce-launcher): 1.2.0

⛑️ Automatic Remediation is available for this issue

CVE-2020-8244

Vulnerable Library - bl-0.9.5.tgz

Buffer List: collect buffers and access with a standard readable Buffer interface, streamable too!

Library home page: https://registry.npmjs.org/bl/-/bl-0.9.5.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/bl/package.json

Dependency Hierarchy:

  • karma-sauce-launcher-0.3.1.tgz (Root Library)
    • wd-0.3.12.tgz
      • request-2.55.0.tgz
        • bl-0.9.5.tgz (Vulnerable Library)

Found in HEAD commit: 79859a7465b541051407125fbc97d67425b33dc4

Found in base branch: master

Vulnerability Details

A buffer over-read vulnerability exists in bl <4.0.3, <3.0.1, <2.2.1, and <1.2.3. If attacker-supplied input (even typed input) ends up as the consume() argument and can become negative, the BufferList state can be corrupted, tricking it into exposing uninitialized memory via regular .slice() calls.

Publish Date: 2020-08-30

URL: CVE-2020-8244

CVSS 3 Score Details (6.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: None
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-pp7h-53gx-mx7r

Release Date: 2020-08-30

Fix Resolution (bl): 1.2.3

Direct dependency fix Resolution (karma-sauce-launcher): 1.1.0

⛑️ Automatic Remediation is available for this issue

CVE-2017-16026

Vulnerable Library - request-2.55.0.tgz

Simplified HTTP request client.

Library home page: https://registry.npmjs.org/request/-/request-2.55.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/wd/node_modules/request/package.json

Dependency Hierarchy:

  • karma-sauce-launcher-0.3.1.tgz (Root Library)
    • wd-0.3.12.tgz
      • request-2.55.0.tgz (Vulnerable Library)

Found in HEAD commit: 79859a7465b541051407125fbc97d67425b33dc4

Found in base branch: master

Vulnerability Details

Request is an HTTP client. If a request is made using multipart, and the body type is a number, then the specified number of bytes of non-zeroed memory is passed in the body. This affects Request >=2.2.6 <2.47.0 || >2.51.0 <=2.67.0.

Publish Date: 2018-06-04

URL: CVE-2017-16026

CVSS 3 Score Details (5.9)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2017-16026

Release Date: 2018-06-04

Fix Resolution (request): 2.68.0

Direct dependency fix Resolution (karma-sauce-launcher): 1.1.0

⛑️ Automatic Remediation is available for this issue


@mend-for-github-com mend-for-github-com bot added the security vulnerability Security vulnerability detected by WhiteSource label Feb 8, 2022