chore(deps): update dependency coder/code-server to v4.96.1 #9181
Auto-approved because label type/renovate is present.
🔍 Vulnerabilities of
digest | sha256:51de442b7557effac9c130f22ad68429b9d396c2338bbfbbae97091a27c1f15a |
vulnerabilities | |
platform | linux/amd64 |
size | 110 MB |
packages | 390 |
handlebars
Affected range | <4.7.7 |
Fixed version | 4.7.7 |
CVSS Score | 9.8 |
CVSS Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
Description
The package handlebars before 4.7.7 is vulnerable to Prototype Pollution when selecting certain compiling options to compile templates coming from an untrusted source.
Improper Control of Generation of Code ('Code Injection')
Affected range | <4.7.7 |
Fixed version | 4.7.7 |
CVSS Score | 9.8 |
CVSS Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
Description
The package handlebars before 4.7.7 is vulnerable to Remote Code Execution (RCE) when selecting certain compiling options to compile templates coming from an untrusted source.
Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
Affected range | <3.0.8 |
Fixed version | 4.3.0 |
CVSS Score | 9.8 |
CVSS Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
Description
Versions of handlebars prior to 3.0.8 or 4.3.0 are vulnerable to Prototype Pollution leading to Remote Code Execution. Templates may alter an Object's `__proto__` and `__defineGetter__` properties, which may allow an attacker to execute arbitrary code through crafted payloads.
Recommendation
Upgrade to version 3.0.8, 4.3.0 or later.
Improper Control of Generation of Code ('Code Injection')
Affected range | <3.0.8 |
Fixed version | 3.0.8 |
CVSS Score | 8.1 |
CVSS Vector | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:L/A:L |
Description
Handlebars before 3.0.8 and 4.x before 4.5.3 is vulnerable to Arbitrary Code Execution. The lookup helper fails to properly validate templates, allowing attackers to submit templates that execute arbitrary JavaScript. This can be used to run arbitrary code on a server processing Handlebars templates or in a victim's browser (effectively serving as XSS).
Modification of Assumed-Immutable Data (MAID)
Affected range | <3.0.7 |
Fixed version | 3.0.7 |
CVSS Score | 7.3 |
CVSS Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L |
Description
Versions of handlebars prior to 4.0.14 are vulnerable to Prototype Pollution. Templates may alter an Object's prototype, thus allowing an attacker to execute arbitrary code on the server.
Recommendation
For handlebars 4.1.x upgrade to 4.1.2 or later.
For handlebars 4.0.x upgrade to 4.0.14 or later.
Improper Control of Generation of Code ('Code Injection')
Affected range | <3.0.8 |
Fixed version | 3.0.8 |
CVSS Score | 7.3 |
CVSS Vector | CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:L/I:H/A:L |
Description
Versions of handlebars prior to 3.0.8 or 4.5.2 are vulnerable to Arbitrary Code Execution. The package's lookup helper fails to properly validate templates, allowing attackers to submit templates that execute arbitrary JavaScript in the system. It can be used to run arbitrary code in a server processing Handlebars templates or on a victim's browser (effectively serving as Cross-Site Scripting).
The following template can be used to demonstrate the vulnerability:
{{#with split as |a|}} {{pop (push "alert('Vulnerable Handlebars JS');")}} {{#with (concat (lookup join (slice 0 1)))}} {{#each (slice 2 3)}} {{#with (apply 0 a)}} {{.}} {{/with}} {{/each}} {{/with}} {{/with}} {{/with}}``` ## Recommendation Upgrade to version 3.0.8, 4.5.2 or later. </blockquote> </details> <a href="https://scout.docker.com/v/GHSA-q2c6-c6pm-g3gh?s=github&n=handlebars&t=npm&vr=%3C3.0.8"><img alt="high : GHSA--q2c6--c6pm--g3gh" src="https://img.shields.io/badge/GHSA--q2c6--c6pm--g3gh-lightgrey?label=high%20&labelColor=e25d68"/></a> <table> <tr><td>Affected range</td><td><code><3.0.8</code></td></tr> <tr><td>Fixed version</td><td><code>3.0.8</code></td></tr></table> <details><summary>Description</summary> <blockquote> Versions of `handlebars` prior to 3.0.8 or 4.5.3 are vulnerable to Arbitrary Code Execution. The package's lookup helper fails to properly validate templates, allowing attackers to submit templates that execute arbitrary JavaScript in the system. It is due to an incomplete fix for a [previous issue](https://www.npmjs.com/advisories/1316). This vulnerability can be used to run arbitrary code in a server processing Handlebars templates or on a victim's browser (effectively serving as Cross-Site Scripting). ## Recommendation Upgrade to version 3.0.8, 4.5.3 or later. </blockquote> </details> <a href="https://scout.docker.com/v/GHSA-g9r4-xpmj-mj65?s=github&n=handlebars&t=npm&vr=%3C3.0.8"><img alt="high : GHSA--g9r4--xpmj--mj65" src="https://img.shields.io/badge/GHSA--g9r4--xpmj--mj65-lightgrey?label=high%20&labelColor=e25d68"/></a> <i>Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')</i> <table> <tr><td>Affected range</td><td><code><3.0.8</code></td></tr> <tr><td>Fixed version</td><td><code>3.0.8</code></td></tr></table> <details><summary>Description</summary> <blockquote> Versions of `handlebars` prior to 3.0.8 or 4.5.3 are vulnerable to prototype pollution. 
It is possible to add or modify properties to the Object prototype through a malicious template. This may allow attackers to crash the application or execute Arbitrary Code in specific conditions. ## Recommendation Upgrade to version 3.0.8, 4.5.3 or later. </blockquote> </details> <a href="https://scout.docker.com/v/CVE-2015-8861?s=github&n=handlebars&t=npm&vr=%3C4.0.0"><img alt="medium 6.1: CVE--2015--8861" src="https://img.shields.io/badge/CVE--2015--8861-lightgrey?label=medium%206.1&labelColor=fbb552"/></a> <i>Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')</i> <table> <tr><td>Affected range</td><td><code><4.0.0</code></td></tr> <tr><td>Fixed version</td><td><code>4.0.0</code></td></tr> <tr><td>CVSS Score</td><td><code>6.1</code></td></tr> <tr><td>CVSS Vector</td><td><code>CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N</code></td></tr> </table> <details><summary>Description</summary> <blockquote> Versions of `handlebars` prior to 4.0.0 are affected by a cross-site scripting vulnerability when attributes in handlebar templates are not quoted. ## Proof of Concept Template: ```<a href={{foo}}/>``` Input: ```{ 'foo' : 'test.com onload=alert(1)'}``` Rendered result: ```<a href=test.com onload=alert(1)/>``` ## Recommendation Update to version 4.0.0 or later. Alternatively, ensure that all attributes in handlebars templates are encapsulated with quotes. 
</blockquote> </details> <a href="https://scout.docker.com/v/GMS-2015-33?s=gitlab&n=handlebars&t=npm&vr=%3C4.0.0"><img alt="unspecified : GMS--2015--33" src="https://img.shields.io/badge/GMS--2015--33-lightgrey?label=unspecified%20&labelColor=lightgrey"/></a> <i>OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities</i> <table> <tr><td>Affected range</td><td><code><4.0.0</code></td></tr> <tr><td>Fixed version</td><td><code>4.0.0</code></td></tr></table> <details><summary>Description</summary> <blockquote> The library does not properly escape attribute values making XSS exploits possible. </blockquote> </details> </details></td></tr> <tr><td valign="top"> <details><summary><img alt="critical: 1" src="https://img.shields.io/badge/C-1-8b1924"/> <img alt="high: 1" src="https://img.shields.io/badge/H-1-e25d68"/> <img alt="medium: 1" src="https://img.shields.io/badge/M-1-fbb552"/> <img alt="low: 0" src="https://img.shields.io/badge/L-0-lightgrey"/> <!-- unspecified: 0 --><strong>code-server</strong> <code>1.96.1</code> (npm)</summary> <small><code>pkg:npm/[email protected]</code></small><br/> <a href="https://scout.docker.com/v/CVE-2023-26114?s=github&n=code-server&t=npm&vr=%3C4.10.1"><img alt="critical 9.3: CVE--2023--26114" src="https://img.shields.io/badge/CVE--2023--26114-lightgrey?label=critical%209.3&labelColor=8b1924"/></a> <i>Missing Origin Validation in WebSockets</i> <table> <tr><td>Affected range</td><td><code><4.10.1</code></td></tr> <tr><td>Fixed version</td><td><code>4.10.1</code></td></tr> <tr><td>CVSS Score</td><td><code>9.3</code></td></tr> <tr><td>CVSS Vector</td><td><code>CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N</code></td></tr> </table> <details><summary>Description</summary> <blockquote> Versions of the package code-server before 4.10.1 are vulnerable to Missing Origin Validation in WebSockets handshakes. 
Exploiting this vulnerability can allow an adversary in specific scenarios to access data from and connect to the code-server instance. </blockquote> </details> <a href="https://scout.docker.com/v/CVE-2021-3810?s=github&n=code-server&t=npm&vr=%3C3.12.0"><img alt="high 7.5: CVE--2021--3810" src="https://img.shields.io/badge/CVE--2021--3810-lightgrey?label=high%207.5&labelColor=e25d68"/></a> <i>Inefficient Regular Expression Complexity</i> <table> <tr><td>Affected range</td><td><code><3.12.0</code></td></tr> <tr><td>Fixed version</td><td><code>3.12.0</code></td></tr> <tr><td>CVSS Score</td><td><code>7.5</code></td></tr> <tr><td>CVSS Vector</td><td><code>CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H</code></td></tr> </table> <details><summary>Description</summary> <blockquote> code-server is vulnerable to Inefficient Regular Expression Complexity </blockquote> </details> <a href="https://scout.docker.com/v/CVE-2021-42648?s=github&n=code-server&t=npm&vr=%3C3.12.0"><img alt="medium 6.1: CVE--2021--42648" src="https://img.shields.io/badge/CVE--2021--42648-lightgrey?label=medium%206.1&labelColor=fbb552"/></a> <i>Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')</i> <table> <tr><td>Affected range</td><td><code><3.12.0</code></td></tr> <tr><td>Fixed version</td><td><code>3.12.0</code></td></tr> <tr><td>CVSS Score</td><td><code>6.1</code></td></tr> <tr><td>CVSS Vector</td><td><code>CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N</code></td></tr> </table> <details><summary>Description</summary> <blockquote> Cross-site scripting (XSS) vulnerability exists in Coder Code-Server before 3.12.0, allows attackers to execute arbitrary code via crafted URL. 
</blockquote> </details> </details></td></tr> <tr><td valign="top"> <details><summary><img alt="critical: 0" src="https://img.shields.io/badge/C-0-lightgrey"/> <img alt="high: 5" src="https://img.shields.io/badge/H-5-e25d68"/> <img alt="medium: 1" src="https://img.shields.io/badge/M-1-fbb552"/> <img alt="low: 1" src="https://img.shields.io/badge/L-1-fce1a9"/> <img alt="unspecified: 1" src="https://img.shields.io/badge/U-1-lightgrey"/><strong>npm</strong> <code>1.0.1</code> (npm)</summary> <small><code>pkg:npm/[email protected]</code></small><br/> <a href="https://scout.docker.com/v/CVE-2018-7408?s=github&n=npm&t=npm&vr=%3C5.7.1"><img alt="high 7.8: CVE--2018--7408" src="https://img.shields.io/badge/CVE--2018--7408-lightgrey?label=high%207.8&labelColor=e25d68"/></a> <i>Incorrect Permission Assignment for Critical Resource</i> <table> <tr><td>Affected range</td><td><code><5.7.1</code></td></tr> <tr><td>Fixed version</td><td><code>5.7.1</code></td></tr> <tr><td>CVSS Score</td><td><code>7.8</code></td></tr> <tr><td>CVSS Vector</td><td><code>CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H</code></td></tr> </table> <details><summary>Description</summary> <blockquote> An issue was discovered in an npm 5.7.0 2018-02-21 pre-release (marked as "next: 5.7.0" and therefore automatically installed by an "npm upgrade -g npm" command, and also announced in the vendor's blog without mention of pre-release status). It might allow local users to bypass intended filesystem access restrictions because ownerships of /etc and /usr directories are being changed unexpectedly, related to a "correctMkdir" issue. 
</blockquote> </details> <a href="https://scout.docker.com/v/CVE-2019-16777?s=github&n=npm&t=npm&vr=%3C6.13.4"><img alt="high 7.7: CVE--2019--16777" src="https://img.shields.io/badge/CVE--2019--16777-lightgrey?label=high%207.7&labelColor=e25d68"/></a> <i>Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')</i> <table> <tr><td>Affected range</td><td><code><6.13.4</code></td></tr> <tr><td>Fixed version</td><td><code>6.13.4</code></td></tr> <tr><td>CVSS Score</td><td><code>7.7</code></td></tr> <tr><td>CVSS Vector</td><td><code>CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N</code></td></tr> </table> <details><summary>Description</summary> <blockquote> Versions of the npm CLI prior to 6.13.4 are vulnerable to a Global node_modules Binary Overwrite. It fails to prevent existing globally-installed binaries to be overwritten by other package installations. For example, if a package was installed globally and created a `serve` binary, any subsequent installs of packages that also create a `serve` binary would overwrite the first binary. This will not overwrite system binaries but only binaries put into the global node_modules directory. This behavior is still allowed in local installations and also through install scripts. This vulnerability bypasses a user using the --ignore-scripts install option. ## Recommendation Upgrade to version 6.13.4 or later. 
</blockquote> </details> <a href="https://scout.docker.com/v/CVE-2019-16776?s=github&n=npm&t=npm&vr=%3C6.13.3"><img alt="high 7.7: CVE--2019--16776" src="https://img.shields.io/badge/CVE--2019--16776-lightgrey?label=high%207.7&labelColor=e25d68"/></a> <i>Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')</i> <table> <tr><td>Affected range</td><td><code><6.13.3</code></td></tr> <tr><td>Fixed version</td><td><code>6.13.3</code></td></tr> <tr><td>CVSS Score</td><td><code>7.7</code></td></tr> <tr><td>CVSS Vector</td><td><code>CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N</code></td></tr> </table> <details><summary>Description</summary> <blockquote> Versions of the npm CLI prior to 6.13.3 are vulnerable to a symlink reference outside of node_modules. It is possible for packages to create symlinks to files outside of the`node_modules` folder through the `bin` field upon installation. A properly constructed entry in the package.json bin field would allow a package publisher to create a symlink pointing to arbitrary files on a user’s system when the package is installed. Only files accessible by the user running the `npm install` are affected. This behavior is still possible through install scripts. This vulnerability bypasses a user using the --ignore-scripts install option. ## Recommendation Upgrade to version 6.13.3 or later. 
</blockquote> </details> <a href="https://scout.docker.com/v/CVE-2019-16775?s=github&n=npm&t=npm&vr=%3C6.13.3"><img alt="high 7.7: CVE--2019--16775" src="https://img.shields.io/badge/CVE--2019--16775-lightgrey?label=high%207.7&labelColor=e25d68"/></a> <i>Improper Link Resolution Before File Access ('Link Following')</i> <table> <tr><td>Affected range</td><td><code><6.13.3</code></td></tr> <tr><td>Fixed version</td><td><code>6.13.3</code></td></tr> <tr><td>CVSS Score</td><td><code>7.7</code></td></tr> <tr><td>CVSS Vector</td><td><code>CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N</code></td></tr> </table> <details><summary>Description</summary> <blockquote> Versions of the npm CLI prior to 6.13.3 are vulnerable to an Arbitrary File Write. It fails to prevent access to folders outside of the intended node_modules folder through the bin field. A properly constructed entry in the package.json bin field would allow a package publisher to create files on a user's system when the package is installed. It is only possible to affect files that the user running `npm install` has access to and it is not possible to over write files that already exist on disk. This behavior is still possible through install scripts. This vulnerability bypasses a user using the --ignore-scripts install option. ## Recommendation Upgrade to version 6.13.3 or later. 
</blockquote> </details> <a href="https://scout.docker.com/v/CVE-2016-3956?s=github&n=npm&t=npm&vr=%3C%3D2.15.0"><img alt="high : CVE--2016--3956" src="https://img.shields.io/badge/CVE--2016--3956-lightgrey?label=high%20&labelColor=e25d68"/></a> <i>Exposure of Sensitive Information to an Unauthorized Actor</i> <table> <tr><td>Affected range</td><td><code><=2.15.0</code></td></tr> <tr><td>Fixed version</td><td><code>2.15.1</code></td></tr></table> <details><summary>Description</summary> <blockquote> Affected versions of the `npm` package include the bearer token of the logged in user in every request made by the CLI, even if the request is not directed towards the user's active registry. An attacker could create an HTTP server to collect tokens, and by various means including but not limited to install scripts, cause the npm CLI to make a request to that server, which would compromise the user's token. This compromised token could be used to do anything that the user could do, including publishing new packages. ## Recommendation 1. Update npm with `npm install npm@latest -g` 2. [Revoke your Tokens](https://www.npmjs.com/settings/tokens) 3. 
Enable [Two-Factor Authentication](https://docs.npmjs.com/getting-started/using-two-factor-authentication) </blockquote> </details> <a href="https://scout.docker.com/v/CVE-2020-15095?s=github&n=npm&t=npm&vr=%3C6.14.6"><img alt="medium 4.4: CVE--2020--15095" src="https://img.shields.io/badge/CVE--2020--15095-lightgrey?label=medium%204.4&labelColor=fbb552"/></a> <i>Insertion of Sensitive Information into Log File</i> <table> <tr><td>Affected range</td><td><code><6.14.6</code></td></tr> <tr><td>Fixed version</td><td><code>6.14.6</code></td></tr> <tr><td>CVSS Score</td><td><code>4.4</code></td></tr> <tr><td>CVSS Vector</td><td><code>CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:N</code></td></tr> </table> <details><summary>Description</summary> <blockquote> Versions of the npm CLI prior to 6.14.6 are vulnerable to an information exposure vulnerability through log files. The CLI supports URLs like `<protocol>://[<user>[:<password>]@]<hostname>[:<port>][:][/]<path>`. The password value is not redacted and is printed to stdout and also to any generated log files. </blockquote> </details> <a href="https://scout.docker.com/v/CVE-2013-4116?s=github&n=npm&t=npm&vr=%3C1.3.3"><img alt="low : CVE--2013--4116" src="https://img.shields.io/badge/CVE--2013--4116-lightgrey?label=low%20&labelColor=fce1a9"/></a> <i>Improper Link Resolution Before File Access ('Link Following')</i> <table> <tr><td>Affected range</td><td><code><1.3.3</code></td></tr> <tr><td>Fixed version</td><td><code>1.3.3</code></td></tr></table> <details><summary>Description</summary> <blockquote> Affected versions of `npm` use predictable temporary file names during archive unpacking. If an attacker can create a symbolic link at the location of one of these temporary file names, the attacker can arbitrarily write to any file that the user which owns the `npm` process has permission to write to, potentially resulting in local privilege escalation. ## Recommendation Update to version 1.3.3 or later. 
</blockquote> </details> <a href="https://scout.docker.com/v/GMS-2016-23?s=gitlab&n=npm&t=npm&vr=%3C%3D%2C2.15.0"><img alt="unspecified : GMS--2016--23" src="https://img.shields.io/badge/GMS--2016--23-lightgrey?label=unspecified%20&labelColor=lightgrey"/></a> <i>OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities</i> <table> <tr><td>Affected range</td><td><code><=<br/>2.15.0</code></td></tr> <tr><td>Fixed version</td><td><code>2.15.1, 3.8.3</code></td></tr></table> <details><summary>Description</summary> <blockquote> The primary npm registry has, since late, used HTTP bearer tokens to authenticate requests from the npm command-line interface. Due to a design flaw in the CLI, these bearer tokens were sent with every request made by the CLI for logged-in users, regardless of the destination of the request. They should instead only be included for requests made against the registry or registries used for the current install. This flaw allows an attacker to set up an HTTP server that could collect authentication information they could use to impersonate the users whose tokens they collected. This impersonation would allow them to do anything the compromised users could do, including publishing new versions of packages. 
</blockquote> </details> </details></td></tr> <tr><td valign="top"> <details><summary><img alt="critical: 0" src="https://img.shields.io/badge/C-0-lightgrey"/> <img alt="high: 2" src="https://img.shields.io/badge/H-2-e25d68"/> <img alt="medium: 1" src="https://img.shields.io/badge/M-1-fbb552"/> <img alt="low: 0" src="https://img.shields.io/badge/L-0-lightgrey"/> <!-- unspecified: 0 --><strong>grunt</strong> <code>1.0.0</code> (npm)</summary> <small><code>pkg:npm/[email protected]</code></small><br/> <a href="https://scout.docker.com/v/CVE-2020-7729?s=github&n=grunt&t=npm&vr=%3C1.3.0"><img alt="high 7.1: CVE--2020--7729" src="https://img.shields.io/badge/CVE--2020--7729-lightgrey?label=high%207.1&labelColor=e25d68"/></a> <i>Initialization of a Resource with an Insecure Default</i> <table> <tr><td>Affected range</td><td><code><1.3.0</code></td></tr> <tr><td>Fixed version</td><td><code>1.3.0</code></td></tr> <tr><td>CVSS Score</td><td><code>7.1</code></td></tr> <tr><td>CVSS Vector</td><td><code>CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H</code></td></tr> </table> <details><summary>Description</summary> <blockquote> The package grunt before 1.3.0 are vulnerable to Arbitrary Code Execution due to the default usage of the function load() instead of its secure replacement safeLoad() of the package js-yaml inside grunt.file.readYAML. 
</blockquote> </details> <a href="https://scout.docker.com/v/CVE-2022-1537?s=github&n=grunt&t=npm&vr=%3C1.5.3"><img alt="high 7.0: CVE--2022--1537" src="https://img.shields.io/badge/CVE--2022--1537-lightgrey?label=high%207.0&labelColor=e25d68"/></a> <i>Time-of-check Time-of-use (TOCTOU) Race Condition</i> <table> <tr><td>Affected range</td><td><code><1.5.3</code></td></tr> <tr><td>Fixed version</td><td><code>1.5.3</code></td></tr> <tr><td>CVSS Score</td><td><code>7</code></td></tr> <tr><td>CVSS Vector</td><td><code>CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H</code></td></tr> </table> <details><summary>Description</summary> <blockquote> file.copy operations in GruntJS are vulnerable to a TOCTOU race condition leading to arbitrary file write in GitHub repository gruntjs/grunt prior to 1.5.3. This vulnerability is capable of arbitrary file writes which can lead to local privilege escalation to the GruntJS user if a lower-privileged user has write access to both source and destination directories as the lower-privileged user can create a symlink to the GruntJS user's .bashrc file or replace /etc/shadow file if the GruntJS user is root. </blockquote> </details> <a href="https://scout.docker.com/v/CVE-2022-0436?s=github&n=grunt&t=npm&vr=%3C1.5.2"><img alt="medium 5.5: CVE--2022--0436" src="https://img.shields.io/badge/CVE--2022--0436-lightgrey?label=medium%205.5&labelColor=fbb552"/></a> <i>Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')</i> <table> <tr><td>Affected range</td><td><code><1.5.2</code></td></tr> <tr><td>Fixed version</td><td><code>1.5.2</code></td></tr> <tr><td>CVSS Score</td><td><code>5.5</code></td></tr> <tr><td>CVSS Vector</td><td><code>CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N</code></td></tr> </table> <details><summary>Description</summary> <blockquote> Grunt prior to version 1.5.2 is vulnerable to path traversal. 
</blockquote> </details> </details></td></tr> <tr><td valign="top"> <details><summary><img alt="critical: 0" src="https://img.shields.io/badge/C-0-lightgrey"/> <img alt="high: 1" src="https://img.shields.io/badge/H-1-e25d68"/> <img alt="medium: 1" src="https://img.shields.io/badge/M-1-fbb552"/> <img alt="low: 0" src="https://img.shields.io/badge/L-0-lightgrey"/> <!-- unspecified: 0 --><strong>pug</strong> <code>1.0.0</code> (npm)</summary> <small><code>pkg:npm/[email protected]</code></small><br/> <a href="https://scout.docker.com/v/CVE-2021-21353?s=github&n=pug&t=npm&vr=%3C3.0.1"><img alt="high 6.8: CVE--2021--21353" src="https://img.shields.io/badge/CVE--2021--21353-lightgrey?label=high%206.8&labelColor=e25d68"/></a> <i>Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')</i> <table> <tr><td>Affected range</td><td><code><3.0.1</code></td></tr> <tr><td>Fixed version</td><td><code>3.0.1</code></td></tr> <tr><td>CVSS Score</td><td><code>6.8</code></td></tr> <tr><td>CVSS Vector</td><td><code>CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N</code></td></tr> </table> <details><summary>Description</summary> <blockquote> ### Impact If a remote attacker was able to control the `pretty` option of the pug compiler, e.g. if you spread a user provided object such as the query parameters of a request into the pug template inputs, it was possible for them to achieve remote code execution on the node.js backend. ### Patches Upgrade to `[email protected]` or `[email protected]` or `[email protected]`, which correctly sanitise the parameter. ### Workarounds If there is no way for un-trusted input to be passed to pug as the `pretty` option, e.g. if you compile templates in advance before applying user input to them, you do not need to upgrade. ### References Original report: https://github.com/pugjs/pug/issues/3312 ### For more information If you believe you have found other vulnerabilities, please **DO NOT** open an issue. 
Instead, you can follow the instructions in our [Security Policy](https://github.com/pugjs/pug/blob/master/SECURITY.md) </blockquote> </details> <a href="https://scout.docker.com/v/CVE-2024-36361?s=github&n=pug&t=npm&vr=%3C%3D3.0.2"><img alt="medium 6.8: CVE--2024--36361" src="https://img.shields.io/badge/CVE--2024--36361-lightgrey?label=medium%206.8&labelColor=fbb552"/></a> <i>Improper Control of Generation of Code ('Code Injection')</i> <table> <tr><td>Affected range</td><td><code><=3.0.2</code></td></tr> <tr><td>Fixed version</td><td><code>3.0.3</code></td></tr> <tr><td>CVSS Score</td><td><code>6.8</code></td></tr> <tr><td>CVSS Vector</td><td><code>CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N</code></td></tr> </table> <details><summary>Description</summary> <blockquote> Pug through 3.0.2 allows JavaScript code execution if an application accepts untrusted input for the name option of the `compileClient`, `compileFileClient`, or `compileClientWithDependenciesTracked` function. NOTE: these functions are for compiling Pug templates into JavaScript, and there would typically be no reason to allow untrusted callers. 
</blockquote> </details> </details></td></tr> <tr><td valign="top"> <details><summary><img alt="critical: 0" src="https://img.shields.io/badge/C-0-lightgrey"/> <img alt="high: 1" src="https://img.shields.io/badge/H-1-e25d68"/> <img alt="medium: 0" src="https://img.shields.io/badge/M-0-lightgrey"/> <img alt="low: 0" src="https://img.shields.io/badge/L-0-lightgrey"/> <!-- unspecified: 0 --><strong>path-to-regexp</strong> <code>3.2.0</code> (npm)</summary> <small><code>pkg:npm/[email protected]</code></small><br/> <a href="https://scout.docker.com/v/CVE-2024-45296?s=github&n=path-to-regexp&t=npm&vr=%3E%3D2.0.0%2C%3C3.3.0"><img alt="high 7.7: CVE--2024--45296" src="https://img.shields.io/badge/CVE--2024--45296-lightgrey?label=high%207.7&labelColor=e25d68"/></a> <i>Inefficient Regular Expression Complexity</i> <table> <tr><td>Affected range</td><td><code>>=2.0.0<br/><3.3.0</code></td></tr> <tr><td>Fixed version</td><td><code>3.3.0</code></td></tr> <tr><td>CVSS Score</td><td><code>7.7</code></td></tr> <tr><td>CVSS Vector</td><td><code>CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P</code></td></tr> </table> <details><summary>Description</summary> <blockquote> ### Impact A bad regular expression is generated any time you have two parameters within a single segment, separated by something that is not a period (`.`). For example, `/:a-:b`. ### Patches For users of 0.1, upgrade to `0.1.10`. All other users should upgrade to `8.0.0`. These versions add backtrack protection when a custom regex pattern is not provided: - [0.1.10](https://github.com/pillarjs/path-to-regexp/releases/tag/v0.1.10) - [1.9.0](https://github.com/pillarjs/path-to-regexp/releases/tag/v1.9.0) - [3.3.0](https://github.com/pillarjs/path-to-regexp/releases/tag/v3.3.0) - [6.3.0](https://github.com/pillarjs/path-to-regexp/releases/tag/v6.3.0) They do not protect against vulnerable user supplied capture groups. 
Protecting against explicit user patterns is out of scope for old versions and not considered a vulnerability. Version [7.1.0](https://github.com/pillarjs/path-to-regexp/releases/tag/v7.1.0) can enable `strict: true` and get an error when the regular expression might be bad. Version [8.0.0](https://github.com/pillarjs/path-to-regexp/releases/tag/v8.0.0) removes the features that can cause a ReDoS. ### Workarounds All versions can be patched by providing a custom regular expression for parameters after the first in a single segment. As long as the custom regular expression does not match the text before the parameter, you will be safe. For example, change `/:a-:b` to `/:a-:b([^-/]+)`. If paths cannot be rewritten and versions cannot be upgraded, another alternative is to limit the URL length. For example, halving the attack string improves performance by 4x faster. ### Details Using `/:a-:b` will produce the regular expression `/^\/([^\/]+?)-([^\/]+?)\/?$/`. This can be exploited by a path such as `/a${'-a'.repeat(8_000)}/a`. [OWASP](https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS) has a good example of why this occurs, but the TL;DR is the `/a` at the end ensures this route would never match but due to naive backtracking it will still attempt every combination of the `:a-:b` on the repeated 8,000 `-a`. Because JavaScript is single threaded and regex matching runs on the main thread, poor performance will block the event loop and can lead to a DoS. In local benchmarks, exploiting the unsafe regex will result in performance that is over 1000x worse than the safe regex. In a more realistic environment using Express v4 and 10 concurrent connections, this translated to average latency of ~600ms vs 1ms. 
### References * [OWASP](https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS) * [Detailed blog post](https://blakeembrey.com/posts/2024-09-web-redos/) </blockquote> </details> </details></td></tr> <tr><td valign="top"> <details><summary><img alt="critical: 0" src="https://img.shields.io/badge/C-0-lightgrey"/> <img alt="high: 1" src="https://img.shields.io/badge/H-1-e25d68"/> <img alt="medium: 0" src="https://img.shields.io/badge/M-0-lightgrey"/> <img alt="low: 0" src="https://img.shields.io/badge/L-0-lightgrey"/> <!-- unspecified: 0 --><strong>diff</strong> <code>1.0.0</code> (npm)</summary> <small><code>pkg:npm/[email protected]</code></small><br/> <a href="https://scout.docker.com/v/GHSA-h6ch-v84p-w6p9?s=github&n=diff&t=npm&vr=%3C3.5.0"><img alt="high : GHSA--h6ch--v84p--w6p9" src="https://img.shields.io/badge/GHSA--h6ch--v84p--w6p9-lightgrey?label=high%20&labelColor=e25d68"/></a> <i>Uncontrolled Resource Consumption</i> <table> <tr><td>Affected range</td><td><code><3.5.0</code></td></tr> <tr><td>Fixed version</td><td><code>3.5.0</code></td></tr></table> <details><summary>Description</summary> <blockquote> A vulnerability was found in diff before v3.5.0, the affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) attacks. 
</blockquote> </details> </details></td></tr> <tr><td valign="top"> <details><summary><img alt="critical: 0" src="https://img.shields.io/badge/C-0-lightgrey"/> <img alt="high: 1" src="https://img.shields.io/badge/H-1-e25d68"/> <img alt="medium: 0" src="https://img.shields.io/badge/M-0-lightgrey"/> <img alt="low: 0" src="https://img.shields.io/badge/L-0-lightgrey"/> <!-- unspecified: 0 --><strong>ini</strong> <code>1.0.0</code> (npm)</summary> <small><code>pkg:npm/ini@1.0.0</code></small><br/> <a href="https://scout.docker.com/v/CVE-2020-7788?s=github&n=ini&t=npm&vr=%3C1.3.6"><img alt="high 7.3: CVE--2020--7788" src="https://img.shields.io/badge/CVE--2020--7788-lightgrey?label=high%207.3&labelColor=e25d68"/></a> <i>Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')</i> <table> <tr><td>Affected range</td><td><code><1.3.6</code></td></tr> <tr><td>Fixed version</td><td><code>1.3.6</code></td></tr> <tr><td>CVSS Score</td><td><code>7.3</code></td></tr> <tr><td>CVSS Vector</td><td><code>CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L</code></td></tr> </table> <details><summary>Description</summary> <blockquote>

### Overview

The `ini` npm package before version 1.3.6 has a Prototype Pollution vulnerability. If an attacker submits a malicious INI file to an application that parses it with `ini.parse`, they will pollute the prototype on the application. This can be exploited further depending on the context.

### Patches

This has been patched in 1.3.6.

### Steps to reproduce

payload.ini:

```ini
[__proto__]
polluted = "polluted"
```

poc.js:

```js
var fs = require('fs')
var ini = require('ini')
var parsed = ini.parse(fs.readFileSync('./payload.ini', 'utf-8'))
console.log(parsed)
console.log(parsed.__proto__)
console.log(polluted)
```

```
node poc.js
{}
{ polluted: 'polluted' }
{ polluted: 'polluted' }
polluted
```

</blockquote> </details> </details></td></tr> <tr><td valign="top"> <details><summary><img alt="critical: 0" src="https://img.shields.io/badge/C-0-lightgrey"/> <img alt="high: 1" src="https://img.shields.io/badge/H-1-e25d68"/> <img alt="medium: 0" src="https://img.shields.io/badge/M-0-lightgrey"/> <img alt="low: 0" src="https://img.shields.io/badge/L-0-lightgrey"/> <!-- unspecified: 0 --><strong>json</strong> <code>1.0.0</code> (npm)</summary> <small><code>pkg:npm/json@1.0.0</code></small><br/> <a href="https://scout.docker.com/v/CVE-2020-7712?s=github&n=json&t=npm&vr=%3C10.0.0"><img alt="high 7.2: CVE--2020--7712" src="https://img.shields.io/badge/CVE--2020--7712-lightgrey?label=high%207.2&labelColor=e25d68"/></a> <i>Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')</i> <table> <tr><td>Affected range</td><td><code><10.0.0</code></td></tr> <tr><td>Fixed version</td><td><code>10.0.0</code></td></tr> <tr><td>CVSS Score</td><td><code>7.2</code></td></tr> <tr><td>CVSS Vector</td><td><code>CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H</code></td></tr> </table> <details><summary>Description</summary> <blockquote> This affects the package json before 10.0.0. It is possible to inject arbitrary commands using the parseLookup function. 
</blockquote> </details> </details></td></tr> <tr><td valign="top"> <details><summary><img alt="critical: 0" src="https://img.shields.io/badge/C-0-lightgrey"/> <img alt="high: 0" src="https://img.shields.io/badge/H-0-lightgrey"/> <img alt="medium: 0" src="https://img.shields.io/badge/M-0-lightgrey"/> <img alt="low: 1" src="https://img.shields.io/badge/L-1-fce1a9"/> <!-- unspecified: 0 --><strong>cookie</strong> <code>0.4.1</code> (npm)</summary> <small><code>pkg:npm/cookie@0.4.1</code></small><br/> <a href="https://scout.docker.com/v/CVE-2024-47764?s=github&n=cookie&t=npm&vr=%3C0.7.0"><img alt="low : CVE--2024--47764" src="https://img.shields.io/badge/CVE--2024--47764-lightgrey?label=low%20&labelColor=fce1a9"/></a> <i>Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')</i> <table> <tr><td>Affected range</td><td><code><0.7.0</code></td></tr> <tr><td>Fixed version</td><td><code>0.7.0</code></td></tr></table> <details><summary>Description</summary> <blockquote>

### Impact

The cookie name could be used to set other fields of the cookie, resulting in an unexpected cookie value. For example, `serialize("userName=<script>alert('XSS3')</script>; Max-Age=2592000; a", value)` would result in `"userName=<script>alert('XSS3')</script>; Max-Age=2592000; a=test"`, setting `userName` cookie to `<script>` and ignoring `value`. A similar escape can be used for `path` and `domain`, which could be abused to alter other fields of the cookie.

### Patches

Upgrade to 0.7.0, which updates the validation for `name`, `path`, and `domain`.

### Workarounds

Avoid passing untrusted or arbitrary values for these fields; ensure they are set by the application instead of user input.
### References

* https://github.com/jshttp/cookie/pull/167

</blockquote> </details> </details></td></tr> <tr><td valign="top"> <details><summary><img alt="critical: 0" src="https://img.shields.io/badge/C-0-lightgrey"/> <img alt="high: 0" src="https://img.shields.io/badge/H-0-lightgrey"/> <img alt="medium: 0" src="https://img.shields.io/badge/M-0-lightgrey"/> <img alt="low: 1" src="https://img.shields.io/badge/L-1-fce1a9"/> <!-- unspecified: 0 --><strong>express</strong> <code>5.0.0-beta.3</code> (npm)</summary> <small><code>pkg:npm/express@5.0.0-beta.3</code></small><br/> <a href="https://scout.docker.com/v/CVE-2024-43796?s=github&n=express&t=npm&vr=%3E%3D5.0.0-alpha.1%2C%3C5.0.0"><img alt="low 2.3: CVE--2024--43796" src="https://img.shields.io/badge/CVE--2024--43796-lightgrey?label=low%202.3&labelColor=fce1a9"/></a> <i>Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')</i> <table> <tr><td>Affected range</td><td><code>>=5.0.0-alpha.1<br/><5.0.0</code></td></tr> <tr><td>Fixed version</td><td><code>5.0.0</code></td></tr> <tr><td>CVSS Score</td><td><code>2.3</code></td></tr> <tr><td>CVSS Vector</td><td><code>CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:L</code></td></tr> </table> <details><summary>Description</summary> <blockquote>

### Impact

In express <4.20.0, passing untrusted user input - even after sanitizing it - to `response.redirect()` may execute untrusted code.

### Patches

This issue is patched in express 4.20.0.

### Workarounds

Users are encouraged to upgrade to the patched version of express, but otherwise can work around this issue by making sure any untrusted inputs are safe, ideally by validating them against an explicit allowlist.

### Details

Successful exploitation of this vector requires the following:

1. The attacker MUST control the input to response.redirect()
2. express MUST NOT redirect before the template appears
3. the browser MUST NOT complete redirection before:
4. the user MUST click on the link in the template

</blockquote> </details> </details></td></tr> <tr><td valign="top"> <details><summary><img alt="critical: 0" src="https://img.shields.io/badge/C-0-lightgrey"/> <img alt="high: 0" src="https://img.shields.io/badge/H-0-lightgrey"/> <img alt="medium: 0" src="https://img.shields.io/badge/M-0-lightgrey"/> <img alt="low: 1" src="https://img.shields.io/badge/L-1-fce1a9"/> <!-- unspecified: 0 --><strong>markdown</strong> <code>1.0.0</code> (npm)</summary> <small><code>pkg:npm/markdown@1.0.0</code></small><br/> <a href="https://scout.docker.com/v/GHSA-wx77-rp39-c6vg?s=github&n=markdown&t=npm&vr=%3E%3D0.0.0"><img alt="low : GHSA--wx77--rp39--c6vg" src="https://img.shields.io/badge/GHSA--wx77--rp39--c6vg-lightgrey?label=low%20&labelColor=fce1a9"/></a> <i>Uncontrolled Resource Consumption</i> <table> <tr><td>Affected range</td><td><code>>=0.0.0</code></td></tr> <tr><td>Fixed version</td><td><strong>Not Fixed</strong></td></tr></table> <details><summary>Description</summary> <blockquote>

All versions of `markdown` are vulnerable to Regular Expression Denial of Service (ReDoS). The `markdown.toHTML()` function has significantly degraded performance when parsing long strings containing underscores. This may lead to Denial of Service if the parser accepts user input.

## Recommendation

No fix is currently available. Consider using an alternative package until a fix is made available. 
</blockquote> </details> </details></td></tr> <tr><td valign="top"> <details><summary><img alt="critical: 0" src="https://img.shields.io/badge/C-0-lightgrey"/> <img alt="high: 0" src="https://img.shields.io/badge/H-0-lightgrey"/> <img alt="medium: 0" src="https://img.shields.io/badge/M-0-lightgrey"/> <img alt="low: 1" src="https://img.shields.io/badge/L-1-fce1a9"/> <!-- unspecified: 0 --><strong>cookie</strong> <code>0.6.0</code> (npm)</summary> <small><code>pkg:npm/cookie@0.6.0</code></small><br/> <a href="https://scout.docker.com/v/CVE-2024-47764?s=github&n=cookie&t=npm&vr=%3C0.7.0"><img alt="low : CVE--2024--47764" src="https://img.shields.io/badge/CVE--2024--47764-lightgrey?label=low%20&labelColor=fce1a9"/></a> <i>Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')</i> <table> <tr><td>Affected range</td><td><code><0.7.0</code></td></tr> <tr><td>Fixed version</td><td><code>0.7.0</code></td></tr></table> <details><summary>Description</summary> <blockquote>

### Impact

The cookie name could be used to set other fields of the cookie, resulting in an unexpected cookie value. For example, `serialize("userName=<script>alert('XSS3')</script>; Max-Age=2592000; a", value)` would result in `"userName=<script>alert('XSS3')</script>; Max-Age=2592000; a=test"`, setting `userName` cookie to `<script>` and ignoring `value`. A similar escape can be used for `path` and `domain`, which could be abused to alter other fields of the cookie.

### Patches

Upgrade to 0.7.0, which updates the validation for `name`, `path`, and `domain`.

### Workarounds

Avoid passing untrusted or arbitrary values for these fields; ensure they are set by the application instead of user input.

### References

* https://github.com/jshttp/cookie/pull/167

</blockquote> </details> </details></td></tr> </table>
Attempting automerge. See https://github.com/uniget-org/tools/actions/runs/12404878809.
PR is clean and can be merged. See https://github.com/uniget-org/tools/actions/runs/12404878809.
This PR contains the following updates:
4.95.3 -> 4.96.1
Warning
Some dependencies could not be looked up. Check the Dependency Dashboard for more information.
Release Notes
coder/code-server (coder/code-server)
v4.96.1
Compare Source
Code v1.96.1
Added
Changed
Configuration
📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Renovate Bot.