express-3.0.0.tgz: 10 vulnerabilities (highest severity is: 7.5)

[uriel-mend-app]

Vulnerable Library - express-3.0.0.tgz

Sinatra inspired web development framework

Library home page: https://registry.npmjs.org/express/-/express-3.0.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/express/package.json

Found in HEAD commit: 94f729510068f5d8203d19d5a1c9c50f8f631e8d

Vulnerabilities

CVE	Severity	CVSS	Dependency	Type	Fixed in (express version)	Fix PR available
CVE-2017-16138	High	7.5	mime-1.2.6.tgz	Transitive	N/A*	❌
CVE-2017-16119	High	7.5	fresh-0.1.0.tgz	Transitive	N/A*	❌
CVE-2014-6394	High	7.3	detected in multiple dependencies	Transitive	3.21.0	✅
CVE-2013-7370	Medium	6.1	connect-2.6.0.tgz	Transitive	3.21.0	✅
CVE-2014-6393	Medium	6.1	express-3.0.0.tgz	Direct	3.21.0	✅
WS-2013-0004	Medium	6.1	connect-2.6.0.tgz	Transitive	3.21.0	✅
CVE-2013-7371	Medium	6.1	connect-2.6.0.tgz	Transitive	3.21.0	✅
CVE-2018-3717	Medium	5.4	connect-2.6.0.tgz	Transitive	3.21.0	✅
CVE-2015-8859	Medium	5.3	detected in multiple dependencies	Transitive	3.21.0	✅
CVE-2014-7191	Medium	5.3	qs-0.5.1.tgz	Transitive	3.21.0	✅

*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.

Details

CVE-2017-16138

Vulnerable Library - mime-1.2.6.tgz

A comprehensive library for mime-type mapping

Library home page: https://registry.npmjs.org/mime/-/mime-1.2.6.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/mime/package.json

Dependency Hierarchy:

• express-3.0.0.tgz (Root Library)
  • send-0.1.0.tgz
    • ❌ mime-1.2.6.tgz (Vulnerable Library)

Found in HEAD commit: 94f729510068f5d8203d19d5a1c9c50f8f631e8d

Found in base branch: main

Vulnerability Details

The mime module < 1.4.1, 2.0.1, 2.0.2 is vulnerable to regular expression denial of service when a mime lookup is performed on untrusted user input.

Publish Date: 2018-06-07

URL: CVE-2017-16138

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16138

Release Date: 2018-06-07

Fix Resolution: 1.4.1,2.0.3

CVE-2017-16119

Vulnerable Library - fresh-0.1.0.tgz

HTTP response freshness testing

Library home page: https://registry.npmjs.org/fresh/-/fresh-0.1.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/fresh/package.json

Dependency Hierarchy:

• express-3.0.0.tgz (Root Library)
  • ❌ fresh-0.1.0.tgz (Vulnerable Library)

Found in HEAD commit: 94f729510068f5d8203d19d5a1c9c50f8f631e8d

Found in base branch: main

Vulnerability Details

Fresh is a module used by the Express.js framework for HTTP response freshness testing. It is vulnerable to a regular expression denial of service when it is passed specially crafted input to parse. This causes the event loop to be blocked causing a denial of service condition.

Publish Date: 2018-06-07

URL: CVE-2017-16119

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/526

Release Date: 2018-06-07

Fix Resolution: fresh - 0.5.2

CVE-2014-6394

Vulnerable Libraries - send-0.1.0.tgz, send-0.0.4.tgz

send-0.1.0.tgz

Better streaming static file server with Range and conditional-GET support

Library home page: https://registry.npmjs.org/send/-/send-0.1.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/send/package.json

Dependency Hierarchy:

• express-3.0.0.tgz (Root Library)
  • ❌ send-0.1.0.tgz (Vulnerable Library)

send-0.0.4.tgz

Better streaming static file server with Range and conditional-GET support

Library home page: https://registry.npmjs.org/send/-/send-0.0.4.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/connect/node_modules/send/package.json

Dependency Hierarchy:

• express-3.0.0.tgz (Root Library)
  • connect-2.6.0.tgz
    • ❌ send-0.0.4.tgz (Vulnerable Library)

Found in HEAD commit: 94f729510068f5d8203d19d5a1c9c50f8f631e8d

Found in base branch: main

Vulnerability Details

visionmedia send before 0.8.4 for Node.js uses a partial comparison for verifying whether a directory is within the document root, which allows remote attackers to access restricted directories, as demonstrated using "public-restricted" under a "public" directory.

Publish Date: 2014-10-08

URL: CVE-2014-6394

CVSS 3 Score Details (7.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2014-6394

Release Date: 2014-10-08

Fix Resolution (send): 0.8.4

Direct dependency fix Resolution (express): 3.21.0

Fix Resolution (send): 0.8.4

Direct dependency fix Resolution (express): 3.21.0

⛑️ Automatic Remediation is available for this issue

CVE-2013-7370

Vulnerable Library - connect-2.6.0.tgz

High performance middleware framework

Library home page: https://registry.npmjs.org/connect/-/connect-2.6.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/connect/package.json

Dependency Hierarchy:

• express-3.0.0.tgz (Root Library)
  • ❌ connect-2.6.0.tgz (Vulnerable Library)

Found in HEAD commit: 94f729510068f5d8203d19d5a1c9c50f8f631e8d

Found in base branch: main

Vulnerability Details

node-connect before 2.8.1 has XSS in the Sencha Labs Connect middleware

Publish Date: 2019-12-11

URL: CVE-2013-7370

CVSS 3 Score Details (6.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-7370

Release Date: 2019-12-11

Fix Resolution (connect): 2.8.2

Direct dependency fix Resolution (express): 3.21.0

⛑️ Automatic Remediation is available for this issue

CVE-2014-6393

Vulnerable Library - express-3.0.0.tgz

Sinatra inspired web development framework

Library home page: https://registry.npmjs.org/express/-/express-3.0.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/express/package.json

Dependency Hierarchy:

• ❌ express-3.0.0.tgz (Vulnerable Library)

Found in HEAD commit: 94f729510068f5d8203d19d5a1c9c50f8f631e8d

Found in base branch: main

Vulnerability Details

The Express web framework before 3.11 and 4.x before 4.5 for Node.js does not provide a charset field in HTTP Content-Type headers in 400 level responses, which might allow remote attackers to conduct cross-site scripting (XSS) attacks via characters in a non-standard encoding.

Publish Date: 2017-08-09

URL: CVE-2014-6393

CVSS 3 Score Details (6.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6393

Release Date: 2017-08-09

Fix Resolution (express): express - 3.11.0, 4.5.0

Direct dependency fix Resolution (express): 3.21.0

⛑️ Automatic Remediation is available for this issue

WS-2013-0004

Vulnerable Library - connect-2.6.0.tgz

High performance middleware framework

Library home page: https://registry.npmjs.org/connect/-/connect-2.6.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/connect/package.json

Dependency Hierarchy:

• express-3.0.0.tgz (Root Library)
  • ❌ connect-2.6.0.tgz (Vulnerable Library)

Found in HEAD commit: 94f729510068f5d8203d19d5a1c9c50f8f631e8d

Found in base branch: main

Vulnerability Details

The "methodOverride" let the http post to override the method of the request with the value of the post key or with the header, which allows XSS attack.

Publish Date: 2013-06-27

URL: WS-2013-0004

CVSS 3 Score Details (6.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2013-06-27

Fix Resolution (connect): 2.8.2

Direct dependency fix Resolution (express): 3.21.0

⛑️ Automatic Remediation is available for this issue

CVE-2013-7371

Vulnerable Library - connect-2.6.0.tgz

High performance middleware framework

Library home page: https://registry.npmjs.org/connect/-/connect-2.6.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/connect/package.json

Dependency Hierarchy:

• express-3.0.0.tgz (Root Library)
  • ❌ connect-2.6.0.tgz (Vulnerable Library)

Found in HEAD commit: 94f729510068f5d8203d19d5a1c9c50f8f631e8d

Found in base branch: main

Vulnerability Details

node-connects before 2.8.2 has cross site scripting in Sencha Labs Connect middleware (vulnerability due to incomplete fix for CVE-2013-7370)

Publish Date: 2019-12-11

URL: CVE-2013-7371

CVSS 3 Score Details (6.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-7371

Release Date: 2019-12-11

Fix Resolution (connect): 2.8.2

Direct dependency fix Resolution (express): 3.21.0

⛑️ Automatic Remediation is available for this issue

CVE-2018-3717

Vulnerable Library - connect-2.6.0.tgz

High performance middleware framework

Library home page: https://registry.npmjs.org/connect/-/connect-2.6.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/connect/package.json

Dependency Hierarchy:

• express-3.0.0.tgz (Root Library)
  • ❌ connect-2.6.0.tgz (Vulnerable Library)

Found in HEAD commit: 94f729510068f5d8203d19d5a1c9c50f8f631e8d

Found in base branch: main

Vulnerability Details

connect node module before 2.14.0 suffers from a Cross-Site Scripting (XSS) vulnerability due to a lack of validation of file in directory.js middleware.

Publish Date: 2018-06-07

URL: CVE-2018-3717

CVSS 3 Score Details (5.4)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: Required
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2018-3717

Release Date: 2018-06-07

Fix Resolution (connect): 2.14.0

Direct dependency fix Resolution (express): 3.21.0

⛑️ Automatic Remediation is available for this issue

CVE-2015-8859

Vulnerable Libraries - send-0.1.0.tgz, send-0.0.4.tgz

send-0.1.0.tgz

Better streaming static file server with Range and conditional-GET support

Library home page: https://registry.npmjs.org/send/-/send-0.1.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/send/package.json

Dependency Hierarchy:

• express-3.0.0.tgz (Root Library)
  • ❌ send-0.1.0.tgz (Vulnerable Library)

send-0.0.4.tgz

Better streaming static file server with Range and conditional-GET support

Library home page: https://registry.npmjs.org/send/-/send-0.0.4.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/connect/node_modules/send/package.json

Dependency Hierarchy:

• express-3.0.0.tgz (Root Library)
  • connect-2.6.0.tgz
    • ❌ send-0.0.4.tgz (Vulnerable Library)

Found in HEAD commit: 94f729510068f5d8203d19d5a1c9c50f8f631e8d

Found in base branch: main

Vulnerability Details

The send package before 0.11.1 for Node.js allows attackers to obtain the root path via unspecified vectors.

Publish Date: 2017-01-23

URL: CVE-2015-8859

CVSS 3 Score Details (5.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: None
  • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2015-8859

Release Date: 2017-01-23

Fix Resolution (send): 0.11.1

Direct dependency fix Resolution (express): 3.21.0

Fix Resolution (send): 0.11.1

Direct dependency fix Resolution (express): 3.21.0

⛑️ Automatic Remediation is available for this issue

CVE-2014-7191

Vulnerable Library - qs-0.5.1.tgz

querystring parser

Library home page: https://registry.npmjs.org/qs/-/qs-0.5.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/qs/package.json

Dependency Hierarchy:

• express-3.0.0.tgz (Root Library)
  • connect-2.6.0.tgz
    • ❌ qs-0.5.1.tgz (Vulnerable Library)

Found in HEAD commit: 94f729510068f5d8203d19d5a1c9c50f8f631e8d

Found in base branch: main

Vulnerability Details

The qs module before 1.0.0 in Node.js does not call the compact function for array data, which allows remote attackers to cause a denial of service (memory consumption) by using a large index value to create a sparse array.

Publish Date: 2014-10-19

URL: CVE-2014-7191

CVSS 3 Score Details (5.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2014-7191

Release Date: 2014-10-19

Fix Resolution (qs): 1.0.0

Direct dependency fix Resolution (express): 3.21.0

⛑️ Automatic Remediation is available for this issue

---

⛑️ Automatic Remediation is available for this issue.

[uriel-mend-app]

✔️ This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory.

[uriel-mend-app]

ℹ️ This issue was automatically re-opened by Mend because the vulnerable library in the specific branch(es) has been detected in the Mend inventory.