-
Notifications
You must be signed in to change notification settings - Fork 22
/
yarn-audit-known-issues
1 lines (1 loc) · 40.6 KB
/
yarn-audit-known-issues
1
{"actions":[],"advisories":{"1088948":{"findings":[{"version":"9.6.0","paths":["@hmcts/rpx-xui-node-lib>openid-client>got"]}],"found_by":null,"deleted":null,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2022-33987\n- https://github.com/sindresorhus/got/pull/2047\n- https://github.com/sindresorhus/got/compare/v12.0.3...v12.1.0\n- https://github.com/sindresorhus/got/commit/861ccd9ac2237df762a9e2beed7edd88c60782dc\n- https://github.com/sindresorhus/got/releases/tag/v11.8.5\n- https://github.com/sindresorhus/got/releases/tag/v12.1.0\n- https://github.com/advisories/GHSA-pfrx-2q88-qq97","created":"2022-06-19T00:00:21.000Z","id":1088948,"npm_advisory_id":null,"overview":"The got package before 11.8.5 and 12.1.0 for Node.js allows a redirect to a UNIX socket.","reported_by":null,"title":"Got allows a redirect to a UNIX socket","metadata":null,"cves":["CVE-2022-33987"],"access":"public","severity":"moderate","module_name":"got","vulnerable_versions":"<11.8.5","github_advisory_id":"GHSA-pfrx-2q88-qq97","recommendation":"Upgrade to version 11.8.5 or later","patched_versions":">=11.8.5","updated":"2023-01-27T05:05:01.000Z","cvss":{"score":5.3,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},"cwe":[],"url":"https://github.com/advisories/GHSA-pfrx-2q88-qq97"},"1093639":{"findings":[{"version":"0.4.1","paths":["@hmcts/rpx-xui-node-lib>passport"]}],"found_by":null,"deleted":null,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2022-25896\n- https://github.com/jaredhanson/passport/pull/900\n- https://github.com/jaredhanson/passport/commit/7e9b9cf4d7be02428e963fc729496a45baeea608\n- https://snyk.io/vuln/SNYK-JS-PASSPORT-2840631\n- https://github.com/advisories/GHSA-v923-w3x8-wh69","created":"2022-07-02T00:00:19.000Z","id":1093639,"npm_advisory_id":null,"overview":"This affects the package passport before 0.6.0. When a user logs in or logs out, the session is regenerated instead of being closed.","reported_by":null,"title":"Passport vulnerable to session regeneration when a users logs in or out","metadata":null,"cves":["CVE-2022-25896"],"access":"public","severity":"moderate","module_name":"passport","vulnerable_versions":"<0.6.0","github_advisory_id":"GHSA-v923-w3x8-wh69","recommendation":"Upgrade to version 0.6.0 or later","patched_versions":">=0.6.0","updated":"2023-09-11T16:22:18.000Z","cvss":{"score":4.8,"vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:L"},"cwe":["CWE-384"],"url":"https://github.com/advisories/GHSA-v923-w3x8-wh69"},"1094544":{"findings":[{"version":"8.4.29","paths":["@angular/ssr>critters>postcss"]}],"found_by":null,"deleted":null,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2023-44270\n- https://github.com/postcss/postcss/commit/58cc860b4c1707510c9cd1bc1fa30b423a9ad6c5\n- https://github.com/postcss/postcss/blob/main/lib/tokenize.js#L25\n- https://github.com/postcss/postcss/releases/tag/8.4.31\n- https://github.com/github/advisory-database/issues/2820\n- https://github.com/advisories/GHSA-7fh5-64p2-3v2j","created":"2023-09-30T00:31:10.000Z","id":1094544,"npm_advisory_id":null,"overview":"An issue was discovered in PostCSS before 8.4.31. It affects linters using PostCSS to parse external Cascading Style Sheets (CSS). There may be `\\r` discrepancies, as demonstrated by `@font-face{ font:(\\r/*);}` in a rule.\n\nThis vulnerability affects linters using PostCSS to parse external untrusted CSS. An attacker can prepare CSS in such a way that it will contains parts parsed by PostCSS as a CSS comment. After processing by PostCSS, it will be included in the PostCSS output in CSS nodes (rules, properties) despite being originally included in a comment.","reported_by":null,"title":"PostCSS line return parsing error","metadata":null,"cves":["CVE-2023-44270"],"access":"public","severity":"moderate","module_name":"postcss","vulnerable_versions":"<8.4.31","github_advisory_id":"GHSA-7fh5-64p2-3v2j","recommendation":"Upgrade to version 8.4.31 or later","patched_versions":">=8.4.31","updated":"2023-11-05T05:05:37.000Z","cvss":{"score":5.3,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},"cwe":["CWE-74","CWE-144"],"url":"https://github.com/advisories/GHSA-7fh5-64p2-3v2j"},"1094902":{"findings":[{"version":"116.0.0","paths":["accessibility-checker>chromedriver"]}],"found_by":null,"deleted":null,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2023-26156\n- https://github.com/giggio/node-chromedriver/commit/de961e34e023afcf4fa5c0faeeec69aaa6c3c815\n- https://gist.github.com/mcoimbra/47b1da554a80795c45126d51e41b2b18\n- https://security.snyk.io/vuln/SNYK-JS-CHROMEDRIVER-6049539\n- https://github.com/advisories/GHSA-hm92-vgmw-qfmx","created":"2023-11-09T06:30:28.000Z","id":1094902,"npm_advisory_id":null,"overview":"Versions of the package chromedriver before 119.0.1 are vulnerable to Command Injection when setting the chromedriver.path to an arbitrary system binary. This could lead to unauthorized access and potentially malicious actions on the host system.\n\n**Note:**\n\nAn attacker must have access to the system running the vulnerable chromedriver library to exploit it. The success of exploitation also depends on the permissions and privileges of the process running chromedriver. ","reported_by":null,"title":"chromedriver Command Injection vulnerability","metadata":null,"cves":["CVE-2023-26156"],"access":"public","severity":"moderate","module_name":"chromedriver","vulnerable_versions":"<119.0.1","github_advisory_id":"GHSA-hm92-vgmw-qfmx","recommendation":"Upgrade to version 119.0.1 or later","patched_versions":">=119.0.1","updated":"2023-11-17T22:12:01.000Z","cvss":{"score":5.6,"vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L"},"cwe":["CWE-78"],"url":"https://github.com/advisories/GHSA-hm92-vgmw-qfmx"},"1096353":{"findings":[{"version":"1.15.3","paths":["axios>follow-redirects","@hmcts/rpx-xui-node-lib>axios>follow-redirects","accessibility-checker>chromedriver>axios>follow-redirects"]}],"found_by":null,"deleted":null,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2023-26159\n- https://github.com/follow-redirects/follow-redirects/issues/235\n- https://github.com/follow-redirects/follow-redirects/pull/236\n- https://security.snyk.io/vuln/SNYK-JS-FOLLOWREDIRECTS-6141137\n- https://github.com/follow-redirects/follow-redirects/commit/7a6567e16dfa9ad18a70bfe91784c28653fbf19d\n- https://lists.fedoraproject.org/archives/list/[email protected]/message/ZZ425BFKNBQ6AK7I5SAM56TWON5OF2XM/\n- https://github.com/advisories/GHSA-jchw-25xp-jwwc","created":"2024-01-02T06:30:30.000Z","id":1096353,"npm_advisory_id":null,"overview":"Versions of the package follow-redirects before 1.15.4 are vulnerable to Improper Input Validation due to the improper handling of URLs by the url.parse() function. When new URL() throws an error, it can be manipulated to misinterpret the hostname. An attacker could exploit this weakness to redirect traffic to a malicious site, potentially leading to information disclosure, phishing attacks, or other security breaches.","reported_by":null,"title":"Follow Redirects improperly handles URLs in the url.parse() function","metadata":null,"cves":["CVE-2023-26159"],"access":"public","severity":"moderate","module_name":"follow-redirects","vulnerable_versions":"<1.15.4","github_advisory_id":"GHSA-jchw-25xp-jwwc","recommendation":"Upgrade to version 1.15.4 or later","patched_versions":">=1.15.4","updated":"2024-01-31T05:07:10.000Z","cvss":{"score":6.1,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},"cwe":["CWE-20","CWE-601"],"url":"https://github.com/advisories/GHSA-jchw-25xp-jwwc"},"1096693":{"findings":[{"version":"0.4.23","paths":["protractor-screenshot-utils>protractor>selenium-webdriver>xml2js","protractor-screenshot-utils>protractor>webdriver-js-extender>selenium-webdriver>xml2js"]}],"found_by":null,"deleted":null,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2023-0842\n- https://github.com/Leonidas-from-XIV/node-xml2js/issues/663\n- https://github.com/Leonidas-from-XIV/node-xml2js/pull/603/commits/581b19a62d88f8a3c068b5a45f4542c2d6a495a5\n- https://fluidattacks.com/advisories/myers\n- https://github.com/Leonidas-from-XIV/node-xml2js\n- https://lists.debian.org/debian-lts-announce/2024/03/msg00013.html\n- https://github.com/advisories/GHSA-776f-qx25-q3cc","created":"2023-04-05T21:30:24.000Z","id":1096693,"npm_advisory_id":null,"overview":"xml2js versions before 0.5.0 allows an external attacker to edit or add new properties to an object. This is possible because the application does not properly validate incoming JSON keys, thus allowing the `__proto__` property to be edited.","reported_by":null,"title":"xml2js is vulnerable to prototype pollution","metadata":null,"cves":["CVE-2023-0842"],"access":"public","severity":"moderate","module_name":"xml2js","vulnerable_versions":"<0.5.0","github_advisory_id":"GHSA-776f-qx25-q3cc","recommendation":"Upgrade to version 0.5.0 or later","patched_versions":">=0.5.0","updated":"2024-03-14T21:47:27.000Z","cvss":{"score":5.3,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},"cwe":["CWE-1321"],"url":"https://github.com/advisories/GHSA-776f-qx25-q3cc"},"1096727":{"findings":[{"version":"2.88.2","paths":["protractor-screenshot-utils>protractor>webdriver-manager>request"]}],"found_by":null,"deleted":null,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2023-28155\n- https://github.com/request/request/issues/3442\n- https://github.com/request/request/pull/3444\n- https://doyensec.com/resources/Doyensec_Advisory_RequestSSRF_Q12023.pdf\n- https://github.com/github/advisory-database/pull/2500\n- https://github.com/cypress-io/request/blob/master/lib/redirect.js#L116\n- https://github.com/request/request/blob/master/lib/redirect.js#L111\n- https://github.com/cypress-io/request/pull/28\n- https://github.com/cypress-io/request/commit/c5bcf21d40fb61feaff21a0e5a2b3934a440024f\n- https://github.com/cypress-io/request/releases/tag/v3.0.0\n- https://security.netapp.com/advisory/ntap-20230413-0007\n- https://github.com/advisories/GHSA-p8p7-x288-28g6","created":"2023-03-16T15:30:19.000Z","id":1096727,"npm_advisory_id":null,"overview":"The `request` package through 2.88.2 for Node.js and the `@cypress/request` package prior to 3.0.0 allow a bypass of SSRF mitigations via an attacker-controller server that does a cross-protocol redirect (HTTP to HTTPS, or HTTPS to HTTP).\n\nNOTE: The `request` package is no longer supported by the maintainer.","reported_by":null,"title":"Server-Side Request Forgery in Request","metadata":null,"cves":["CVE-2023-28155"],"access":"public","severity":"moderate","module_name":"request","vulnerable_versions":"<=2.88.2","github_advisory_id":"GHSA-p8p7-x288-28g6","recommendation":"None","patched_versions":"<0.0.0","updated":"2024-03-21T17:47:21.000Z","cvss":{"score":6.1,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},"cwe":["CWE-918"],"url":"https://github.com/advisories/GHSA-p8p7-x288-28g6"},"1096820":{"findings":[{"version":"4.18.2","paths":["@hmcts/rpx-xui-node-lib>express"]}],"found_by":null,"deleted":null,"references":"- https://github.com/expressjs/express/security/advisories/GHSA-rv95-896h-c2vc\n- https://github.com/koajs/koa/issues/1800\n- https://github.com/expressjs/express/pull/5539\n- https://github.com/expressjs/express/commit/0867302ddbde0e9463d0564fea5861feb708c2dd\n- https://github.com/expressjs/express/commit/0b746953c4bd8e377123527db11f9cd866e39f94\n- https://expressjs.com/en/4x/api.html#res.location\n- https://nvd.nist.gov/vuln/detail/CVE-2024-29041\n- https://github.com/advisories/GHSA-rv95-896h-c2vc","created":"2024-03-25T19:40:26.000Z","id":1096820,"npm_advisory_id":null,"overview":"### Impact\n\nVersions of Express.js prior to 4.19.2 and pre-release alpha and beta versions before 5.0.0-beta.3 are affected by an open redirect vulnerability using malformed URLs.\n\nWhen a user of Express performs a redirect using a user-provided URL Express performs an encode [using `encodeurl`](https://github.com/pillarjs/encodeurl) on the contents before passing it to the `location` header. This can cause malformed URLs to be evaluated in unexpected ways by common redirect allow list implementations in Express applications, leading to an Open Redirect via bypass of a properly implemented allow list.\n\nThe main method impacted is `res.location()` but this is also called from within `res.redirect()`.\n\n### Patches\n\nhttps://github.com/expressjs/express/commit/0867302ddbde0e9463d0564fea5861feb708c2dd\nhttps://github.com/expressjs/express/commit/0b746953c4bd8e377123527db11f9cd866e39f94\n\nAn initial fix went out with `[email protected]`, we then patched a feature regression in `4.19.1` and added improved handling for the bypass in `4.19.2`.\n\n### Workarounds\n\nThe fix for this involves pre-parsing the url string with either `require('node:url').parse` or `new URL`. These are steps you can take on your own before passing the user input string to `res.location` or `res.redirect`.\n\n### References\n\nhttps://github.com/expressjs/express/pull/5539\nhttps://github.com/koajs/koa/issues/1800\nhttps://expressjs.com/en/4x/api.html#res.location","reported_by":null,"title":"Express.js Open Redirect in malformed URLs","metadata":null,"cves":["CVE-2024-29041"],"access":"public","severity":"moderate","module_name":"express","vulnerable_versions":"<4.19.2","github_advisory_id":"GHSA-rv95-896h-c2vc","recommendation":"Upgrade to version 4.19.2 or later","patched_versions":">=4.19.2","updated":"2024-03-27T21:47:29.000Z","cvss":{"score":6.1,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},"cwe":["CWE-601","CWE-1286"],"url":"https://github.com/advisories/GHSA-rv95-896h-c2vc"},"1096832":{"findings":[{"version":"1.28.2","paths":["@hmcts/rpx-xui-node-lib>openid-client>jose"]}],"found_by":null,"deleted":null,"references":"- https://github.com/panva/jose/security/advisories/GHSA-hhhv-q57g-882q\n- https://github.com/panva/jose/commit/02a65794f7873cdaf12e81e80ad076fcdc4a9314\n- https://github.com/panva/jose/commit/1b91d88d2f8233f3477a5f4579aa5f8057b2ee8b\n- https://nvd.nist.gov/vuln/detail/CVE-2024-28176\n- https://lists.fedoraproject.org/archives/list/[email protected]/message/XJDO5VSIAOGT2WP63AXAAWNRSVJCNCRH\n- https://lists.fedoraproject.org/archives/list/[email protected]/message/KXKGNCRU7OTM5AHC7YIYBNOWI742PRMY\n- https://lists.fedoraproject.org/archives/list/[email protected]/message/I6MMWFBOXJA6ZCXNVPDFJ4XMK5PVG5RG\n- https://lists.fedoraproject.org/archives/list/[email protected]/message/UJO2U5ACZVACNQXJ5EBRFLFW6DP5BROY\n- https://lists.fedoraproject.org/archives/list/[email protected]/message/UG5FSEYJ3GP27FZXC5YAAMMEC5XWKJHG\n- https://github.com/advisories/GHSA-hhhv-q57g-882q","created":"2024-03-07T17:40:57.000Z","id":1096832,"npm_advisory_id":null,"overview":"A vulnerability has been identified in the JSON Web Encryption (JWE) decryption interfaces, specifically related to the [support for decompressing plaintext after its decryption](https://www.rfc-editor.org/rfc/rfc7516.html#section-4.1.3). This allows an adversary to exploit specific scenarios where the compression ratio becomes exceptionally high. As a result, the length of the JWE token, which is determined by the compressed content's size, can land below application-defined limits. In such cases, other existing application level mechanisms for preventing resource exhaustion may be rendered ineffective.\n\nNote that as per [RFC 8725](https://www.rfc-editor.org/rfc/rfc8725.html#name-avoid-compression-of-encryp) compression of data SHOULD NOT be done before encryption, because such compressed data often reveals information about the plaintext. For this reason the v5.x major version of `jose` removed support for compressed payloads entirely and is therefore NOT affected by this advisory.\n\n### Impact\n\nUnder certain conditions it is possible to have the user's environment consume unreasonable amount of CPU time or memory during JWE Decryption operations.\n\n### Affected users\n\nThe impact is limited only to Node.js users utilizing the JWE decryption APIs to decrypt JWEs from untrusted sources.\n\nYou are NOT affected if any of the following applies to you\n\n- Your code uses jose version v5.x where JWE Compression is not supported anymore\n- Your code runs in an environment other than Node.js (e.g. Deno, CF Workers), which is the only runtime where JWE Compression is implemented out of the box\n- Your code does not use the JWE decryption APIs\n- Your code only accepts JWEs produced by trusted sources\n\n### Patches\n\n`v2.0.7` and `v4.15.5` releases limit the decompression routine to only allow decompressing up to 250 kB of plaintext. In v4.x it is possible to further adjust this limit via the `inflateRaw` decryption option implementation. In v2.x it is possible to further adjust this limit via the `inflateRawSyncLimit` decryption option.\n\n### Workarounds\n\nIf you cannot upgrade and do not want to support compressed JWEs you may detect and reject these tokens early by checking the token's protected header\n\n```js\nconst { zip } = jose.decodeProtectedHeader(token)\nif (zip !== undefined) {\n throw new Error('JWE Compression is not supported')\n}\n```\n\nIf you wish to continue supporting JWEs with compressed payloads in these legacy release lines you must upgrade (v1.x and v2.x to version v2.0.7, v3.x and v4.x to version v4.15.5) and review the limits put forth by the patched releases.\n\n### For more information\nIf you have any questions or comments about this advisory please open a discussion in the project's [repository](https://github.com/panva/jose/discussions/new?category=q-a&title=GHSA-hhhv-q57g-882q%20advisory%20question)","reported_by":null,"title":"jose vulnerable to resource exhaustion via specifically crafted JWE with compressed plaintext","metadata":null,"cves":["CVE-2024-28176"],"access":"public","severity":"moderate","module_name":"jose","vulnerable_versions":"<2.0.7","github_advisory_id":"GHSA-hhhv-q57g-882q","recommendation":"Upgrade to version 2.0.7 or later","patched_versions":">=2.0.7","updated":"2024-03-30T06:30:42.000Z","cvss":{"score":5.3,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},"cwe":["CWE-400"],"url":"https://github.com/advisories/GHSA-hhhv-q57g-882q"},"1096856":{"findings":[{"version":"1.15.3","paths":["axios>follow-redirects","@hmcts/rpx-xui-node-lib>axios>follow-redirects","accessibility-checker>chromedriver>axios>follow-redirects"]}],"found_by":null,"deleted":null,"references":"- https://github.com/follow-redirects/follow-redirects/security/advisories/GHSA-cxjh-pqwp-8mfp\n- https://github.com/follow-redirects/follow-redirects/commit/c4f847f85176991f95ab9c88af63b1294de8649b\n- https://fetch.spec.whatwg.org/#authentication-entries\n- https://nvd.nist.gov/vuln/detail/CVE-2024-28849\n- https://github.com/psf/requests/issues/1885\n- https://hackerone.com/reports/2390009\n- https://lists.fedoraproject.org/archives/list/[email protected]/message/VOIF4EPQUCKDBEVTGRQDZ3CGTYQHPO7Z\n- https://github.com/advisories/GHSA-cxjh-pqwp-8mfp","created":"2024-03-14T17:19:42.000Z","id":1096856,"npm_advisory_id":null,"overview":"When using [axios](https://github.com/axios/axios), its dependency follow-redirects only clears authorization header during cross-domain redirect, but allows the proxy-authentication header which contains credentials too.\n\n## Steps To Reproduce & PoC\n\nTest code:\n\n```js\nconst axios = require('axios');\n\naxios.get('http://127.0.0.1:10081/', {\n headers: {\n 'AuThorization': 'Rear Test',\n 'ProXy-AuthoriZation': 'Rear Test',\n 'coOkie': 't=1'\n }\n})\n .then((response) => {\n console.log(response);\n })\n```\n\nWhen I meet the cross-domain redirect, the sensitive headers like authorization and cookie are cleared, but proxy-authentication header is kept.\n\n## Impact\n\nThis vulnerability may lead to credentials leak.\n\n## Recommendations\n\nRemove proxy-authentication header during cross-domain redirect\n\n### Recommended Patch\n\n[follow-redirects/index.js:464](https://github.com/follow-redirects/follow-redirects/commit/c4f847f85176991f95ab9c88af63b1294de8649b)\n\n```diff\n- removeMatchingHeaders(/^(?:authorization|cookie)$/i, this._options.headers);\n+ removeMatchingHeaders(/^(?:authorization|proxy-authorization|cookie)$/i, this._options.headers);\n```","reported_by":null,"title":"follow-redirects' Proxy-Authorization header kept across hosts","metadata":null,"cves":["CVE-2024-28849"],"access":"public","severity":"moderate","module_name":"follow-redirects","vulnerable_versions":"<=1.15.5","github_advisory_id":"GHSA-cxjh-pqwp-8mfp","recommendation":"Upgrade to version 1.15.6 or later","patched_versions":">=1.15.6","updated":"2024-04-02T17:54:22.000Z","cvss":{"score":6.5,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},"cwe":["CWE-200"],"url":"https://github.com/advisories/GHSA-cxjh-pqwp-8mfp"},"1097679":{"findings":[{"version":"0.26.1","paths":["axios","@hmcts/rpx-xui-node-lib>axios","accessibility-checker>chromedriver>axios"]}],"found_by":null,"deleted":null,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2023-45857\n- https://github.com/axios/axios/issues/6006\n- https://github.com/axios/axios/issues/6022\n- https://github.com/axios/axios/pull/6028\n- https://github.com/axios/axios/commit/96ee232bd3ee4de2e657333d4d2191cd389e14d0\n- https://github.com/axios/axios/releases/tag/v1.6.0\n- https://security.snyk.io/vuln/SNYK-JS-AXIOS-6032459\n- https://github.com/axios/axios/pull/6091\n- https://github.com/axios/axios/commit/2755df562b9c194fba6d8b609a383443f6a6e967\n- https://github.com/axios/axios/releases/tag/v0.28.0\n- https://security.netapp.com/advisory/ntap-20240621-0006\n- https://github.com/advisories/GHSA-wf5p-g6vw-rhxx","created":"2023-11-08T21:30:37.000Z","id":1097679,"npm_advisory_id":null,"overview":"An issue discovered in Axios 0.8.1 through 1.5.1 inadvertently reveals the confidential XSRF-TOKEN stored in cookies by including it in the HTTP header X-XSRF-TOKEN for every request made to any host allowing attackers to view sensitive information.","reported_by":null,"title":"Axios Cross-Site Request Forgery Vulnerability","metadata":null,"cves":["CVE-2023-45857"],"access":"public","severity":"moderate","module_name":"axios","vulnerable_versions":">=0.8.1 <0.28.0","github_advisory_id":"GHSA-wf5p-g6vw-rhxx","recommendation":"Upgrade to version 0.28.0 or later","patched_versions":">=0.28.0","updated":"2024-06-21T21:33:58.000Z","cvss":{"score":6.5,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N"},"cwe":["CWE-352"],"url":"https://github.com/advisories/GHSA-wf5p-g6vw-rhxx"},"1097682":{"findings":[{"version":"2.5.0","paths":["rx-polling-hmcts>jest-environment-jsdom>jsdom>tough-cookie","protractor-screenshot-utils>protractor>webdriver-manager>request>tough-cookie"]}],"found_by":null,"deleted":null,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2023-26136\n- https://github.com/salesforce/tough-cookie/issues/282\n- https://github.com/salesforce/tough-cookie/commit/12d474791bb856004e858fdb1c47b7608d09cf6e\n- https://github.com/salesforce/tough-cookie/releases/tag/v4.1.3\n- https://security.snyk.io/vuln/SNYK-JS-TOUGHCOOKIE-5672873\n- https://lists.debian.org/debian-lts-announce/2023/07/msg00010.html\n- https://lists.fedoraproject.org/archives/list/[email protected]/message/3HUE6ZR5SL73KHL7XUPAOEL6SB7HUDT2\n- https://lists.fedoraproject.org/archives/list/[email protected]/message/6PVVPNSAGSDS63HQ74PJ7MZ3MU5IYNVZ\n- https://security.netapp.com/advisory/ntap-20240621-0006\n- https://github.com/advisories/GHSA-72xf-g2v4-qvf3","created":"2023-07-01T06:30:16.000Z","id":1097682,"npm_advisory_id":null,"overview":"Versions of the package tough-cookie before 4.1.3 are vulnerable to Prototype Pollution due to improper handling of Cookies when using CookieJar in `rejectPublicSuffixes=false` mode. This issue arises from the manner in which the objects are initialized.","reported_by":null,"title":"tough-cookie Prototype Pollution vulnerability","metadata":null,"cves":["CVE-2023-26136"],"access":"public","severity":"moderate","module_name":"tough-cookie","vulnerable_versions":"<4.1.3","github_advisory_id":"GHSA-72xf-g2v4-qvf3","recommendation":"Upgrade to version 4.1.3 or later","patched_versions":">=4.1.3","updated":"2024-06-21T21:33:53.000Z","cvss":{"score":6.5,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"},"cwe":["CWE-1321"],"url":"https://github.com/advisories/GHSA-72xf-g2v4-qvf3"},"1098681":{"findings":[{"version":"4.0.5","paths":["http-proxy-middleware>micromatch","@hmcts/rpx-xui-node-lib>ts-auto-mock>micromatch","@hmcts/rpx-xui-node-lib>jest-ts-auto-mock>ts-auto-mock>micromatch","rx-polling-hmcts>jest-environment-jsdom>@jest/fake-timers>jest-message-util>micromatch","rx-polling-hmcts>jest-environment-jsdom>@jest/environment>@jest/fake-timers>jest-message-util>micromatch","@hmcts/rpx-xui-node-lib>jest-mock-axios>@jest/globals>@jest/environment>@jest/fake-timers>jest-message-util>micromatch","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>@jest/core>jest-runtime>@jest/fake-timers>jest-message-util>micromatch","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>@jest/core>jest-runner>@jest/environment>@jest/fake-timers>jest-message-util>micromatch","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>@jest/core>jest-runtime>@jest/globals>@jest/environment>@jest/fake-timers>jest-message-util>micromatch","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>@jest/core>jest-runner>jest-runtime>@jest/globals>@jest/environment>@jest/fake-timers>jest-message-util>micromatch","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>jest-cli>@jest/core>jest-runner>jest-runtime>@jest/globals>@jest/environment>@jest/fake-timers>jest-message-util>micromatch","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>jest-cli>@jest/core>jest-config>jest-runner>jest-runtime>@jest/globals>@jest/environment>@jest/fake-timers>jest-message-util>micromatch","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>jest-cli>@jest/core>jest-config>jest-runner>jest-runtime>@jest/globals>@jest/expect>jest-snapshot>expect>jest-message-util>micromatch"]}],"found_by":null,"deleted":null,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2024-4067\n- https://github.com/micromatch/micromatch/issues/243\n- https://github.com/micromatch/micromatch/pull/247\n- https://devhub.checkmarx.com/cve-details/CVE-2024-4067\n- https://github.com/micromatch/micromatch/blob/2c56a8604b68c1099e7bc0f807ce0865a339747a/index.js#L448\n- https://github.com/micromatch/micromatch/commit/500d5d6f42f0e8dfa1cb5464c6cb420b1b6aaaa0\n- https://github.com/micromatch/micromatch/pull/266\n- https://github.com/micromatch/micromatch/commit/03aa8052171e878897eee5d7bb2ae0ae83ec2ade\n- https://advisory.checkmarx.net/advisory/CVE-2024-4067\n- https://github.com/micromatch/micromatch/releases/tag/4.0.8\n- https://github.com/advisories/GHSA-952p-6rrq-rcjv","created":"2024-05-14T18:30:54.000Z","id":1098681,"npm_advisory_id":null,"overview":"The NPM package `micromatch` prior to version 4.0.8 is vulnerable to Regular Expression Denial of Service (ReDoS). The vulnerability occurs in `micromatch.braces()` in `index.js` because the pattern `.*` will greedily match anything. By passing a malicious payload, the pattern matching will keep backtracking to the input while it doesn't find the closing bracket. As the input size increases, the consumption time will also increase until it causes the application to hang or slow down. There was a merged fix but further testing shows the issue persisted prior to https://github.com/micromatch/micromatch/pull/266. This issue should be mitigated by using a safe pattern that won't start backtracking the regular expression due to greedy matching.\n","reported_by":null,"title":"Regular Expression Denial of Service (ReDoS) in micromatch","metadata":null,"cves":["CVE-2024-4067"],"access":"public","severity":"moderate","module_name":"micromatch","vulnerable_versions":"<4.0.8","github_advisory_id":"GHSA-952p-6rrq-rcjv","recommendation":"Upgrade to version 4.0.8 or later","patched_versions":">=4.0.8","updated":"2024-08-28T13:12:27.000Z","cvss":{"score":5.3,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},"cwe":["CWE-1333"],"url":"https://github.com/advisories/GHSA-952p-6rrq-rcjv"},"1099520":{"findings":[{"version":"1.20.1","paths":["@hmcts/rpx-xui-node-lib>express>body-parser"]}],"found_by":null,"deleted":null,"references":"- https://github.com/expressjs/body-parser/security/advisories/GHSA-qwcr-r2fm-qrc7\n- https://github.com/expressjs/body-parser/commit/b2695c4450f06ba3b0ccf48d872a229bb41c9bce\n- https://nvd.nist.gov/vuln/detail/CVE-2024-45590\n- https://github.com/advisories/GHSA-qwcr-r2fm-qrc7","created":"2024-09-10T15:52:39.000Z","id":1099520,"npm_advisory_id":null,"overview":"### Impact\n\nbody-parser <1.20.3 is vulnerable to denial of service when url encoding is enabled. A malicious actor using a specially crafted payload could flood the server with a large number of requests, resulting in denial of service.\n\n### Patches\n\nthis issue is patched in 1.20.3\n\n### References\n","reported_by":null,"title":"body-parser vulnerable to denial of service when url encoding is enabled","metadata":null,"cves":["CVE-2024-45590"],"access":"public","severity":"high","module_name":"body-parser","vulnerable_versions":"<1.20.3","github_advisory_id":"GHSA-qwcr-r2fm-qrc7","recommendation":"Upgrade to version 1.20.3 or later","patched_versions":">=1.20.3","updated":"2024-09-10T19:01:11.000Z","cvss":{"score":7.5,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},"cwe":["CWE-405"],"url":"https://github.com/advisories/GHSA-qwcr-r2fm-qrc7"},"1099525":{"findings":[{"version":"0.18.0","paths":["@hmcts/rpx-xui-node-lib>express>send","@hmcts/rpx-xui-node-lib>express>serve-static>send"]}],"found_by":null,"deleted":null,"references":"- https://github.com/pillarjs/send/security/advisories/GHSA-m6fv-jmcg-4jfg\n- https://nvd.nist.gov/vuln/detail/CVE-2024-43799\n- https://github.com/pillarjs/send/commit/ae4f2989491b392ae2ef3b0015a019770ae65d35\n- https://github.com/advisories/GHSA-m6fv-jmcg-4jfg","created":"2024-09-10T19:42:41.000Z","id":1099525,"npm_advisory_id":null,"overview":"### Impact\n\npassing untrusted user input - even after sanitizing it - to `SendStream.redirect()` may execute untrusted code\n\n### Patches\n\nthis issue is patched in send 0.19.0\n\n### Workarounds\n\nusers are encouraged to upgrade to the patched version of express, but otherwise can workaround this issue by making sure any untrusted inputs are safe, ideally by validating them against an explicit allowlist\n\n### Details\n\nsuccessful exploitation of this vector requires the following:\n\n1. The attacker MUST control the input to response.redirect()\n1. express MUST NOT redirect before the template appears\n1. the browser MUST NOT complete redirection before:\n1. the user MUST click on the link in the template\n","reported_by":null,"title":"send vulnerable to template injection that can lead to XSS","metadata":null,"cves":["CVE-2024-43799"],"access":"public","severity":"moderate","module_name":"send","vulnerable_versions":"<0.19.0","github_advisory_id":"GHSA-m6fv-jmcg-4jfg","recommendation":"Upgrade to version 0.19.0 or later","patched_versions":">=0.19.0","updated":"2024-09-10T19:42:42.000Z","cvss":{"score":5,"vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L"},"cwe":["CWE-79"],"url":"https://github.com/advisories/GHSA-m6fv-jmcg-4jfg"},"1099527":{"findings":[{"version":"1.15.0","paths":["@hmcts/rpx-xui-node-lib>express>serve-static"]}],"found_by":null,"deleted":null,"references":"- https://github.com/expressjs/serve-static/security/advisories/GHSA-cm22-4g7w-348p\n- https://nvd.nist.gov/vuln/detail/CVE-2024-43800\n- https://github.com/expressjs/serve-static/commit/0c11fad159898cdc69fd9ab63269b72468ecaf6b\n- https://github.com/expressjs/serve-static/commit/ce730896fddce1588111d9ef6fdf20896de5c6fa\n- https://github.com/advisories/GHSA-cm22-4g7w-348p","created":"2024-09-10T19:42:33.000Z","id":1099527,"npm_advisory_id":null,"overview":"### Impact\n\npassing untrusted user input - even after sanitizing it - to `redirect()` may execute untrusted code\n\n### Patches\n\nthis issue is patched in serve-static 1.16.0\n\n### Workarounds\n\nusers are encouraged to upgrade to the patched version of express, but otherwise can workaround this issue by making sure any untrusted inputs are safe, ideally by validating them against an explicit allowlist\n\n### Details\n\nsuccessful exploitation of this vector requires the following:\n\n1. The attacker MUST control the input to response.redirect()\n1. express MUST NOT redirect before the template appears\n1. the browser MUST NOT complete redirection before:\n1. the user MUST click on the link in the template\n","reported_by":null,"title":"serve-static vulnerable to template injection that can lead to XSS","metadata":null,"cves":["CVE-2024-43800"],"access":"public","severity":"moderate","module_name":"serve-static","vulnerable_versions":"<1.16.0","github_advisory_id":"GHSA-cm22-4g7w-348p","recommendation":"Upgrade to version 1.16.0 or later","patched_versions":">=1.16.0","updated":"2024-09-10T19:42:34.000Z","cvss":{"score":5,"vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L"},"cwe":["CWE-79"],"url":"https://github.com/advisories/GHSA-cm22-4g7w-348p"},"1099529":{"findings":[{"version":"4.18.2","paths":["@hmcts/rpx-xui-node-lib>express"]}],"found_by":null,"deleted":null,"references":"- https://github.com/expressjs/express/security/advisories/GHSA-qw6h-vgh9-j6wx\n- https://nvd.nist.gov/vuln/detail/CVE-2024-43796\n- https://github.com/expressjs/express/commit/54271f69b511fea198471e6ff3400ab805d6b553\n- https://github.com/advisories/GHSA-qw6h-vgh9-j6wx","created":"2024-09-10T19:41:04.000Z","id":1099529,"npm_advisory_id":null,"overview":"### Impact\n\nIn express <4.20.0, passing untrusted user input - even after sanitizing it - to `response.redirect()` may execute untrusted code\n\n### Patches\n\nthis issue is patched in express 4.20.0\n\n### Workarounds\n\nusers are encouraged to upgrade to the patched version of express, but otherwise can workaround this issue by making sure any untrusted inputs are safe, ideally by validating them against an explicit allowlist\n\n### Details\n\nsuccessful exploitation of this vector requires the following:\n\n1. The attacker MUST control the input to response.redirect()\n1. express MUST NOT redirect before the template appears\n1. the browser MUST NOT complete redirection before:\n1. the user MUST click on the link in the template\n","reported_by":null,"title":"express vulnerable to XSS via response.redirect()","metadata":null,"cves":["CVE-2024-43796"],"access":"public","severity":"moderate","module_name":"express","vulnerable_versions":"<4.20.0","github_advisory_id":"GHSA-qw6h-vgh9-j6wx","recommendation":"Upgrade to version 4.20.0 or later","patched_versions":">=4.20.0","updated":"2024-09-10T19:41:07.000Z","cvss":{"score":5,"vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L"},"cwe":["CWE-79"],"url":"https://github.com/advisories/GHSA-qw6h-vgh9-j6wx"},"1099562":{"findings":[{"version":"0.1.7","paths":["@hmcts/rpx-xui-node-lib>express>path-to-regexp"]}],"found_by":null,"deleted":null,"references":"- https://github.com/pillarjs/path-to-regexp/security/advisories/GHSA-9wv6-86v2-598j\n- https://github.com/pillarjs/path-to-regexp/commit/29b96b4a1de52824e1ca0f49a701183cc4ed476f\n- https://github.com/pillarjs/path-to-regexp/commit/60f2121e9b66b7b622cc01080df0aabda9eedee6\n- https://nvd.nist.gov/vuln/detail/CVE-2024-45296\n- https://github.com/pillarjs/path-to-regexp/commit/925ac8e3c5780b02f58cbd4e52f95da8ad2ac485\n- https://github.com/pillarjs/path-to-regexp/commit/d31670ae8f6e69cbfd56e835742195b7d10942ef\n- https://github.com/pillarjs/path-to-regexp/commit/f1253b47b347dcb909e3e80b0eb2649109e59894\n- https://github.com/pillarjs/path-to-regexp/releases/tag/v6.3.0\n- https://github.com/advisories/GHSA-9wv6-86v2-598j","created":"2024-09-09T20:19:15.000Z","id":1099562,"npm_advisory_id":null,"overview":"### Impact\n\nA bad regular expression is generated any time you have two parameters within a single segment, separated by something that is not a period (`.`). For example, `/:a-:b`.\n\n### Patches\n\nFor users of 0.1, upgrade to `0.1.10`. All other users should upgrade to `8.0.0`.\n\nThese versions add backtrack protection when a custom regex pattern is not provided:\n\n- [0.1.10](https://github.com/pillarjs/path-to-regexp/releases/tag/v0.1.10)\n- [1.9.0](https://github.com/pillarjs/path-to-regexp/releases/tag/v1.9.0)\n- [3.3.0](https://github.com/pillarjs/path-to-regexp/releases/tag/v3.3.0)\n- [6.3.0](https://github.com/pillarjs/path-to-regexp/releases/tag/v6.3.0)\n\nThey do not protect against vulnerable user supplied capture groups. Protecting against explicit user patterns is out of scope for old versions and not considered a vulnerability.\n\nVersion [7.1.0](https://github.com/pillarjs/path-to-regexp/releases/tag/v7.1.0) can enable `strict: true` and get an error when the regular expression might be bad.\n\nVersion [8.0.0](https://github.com/pillarjs/path-to-regexp/releases/tag/v8.0.0) removes the features that can cause a ReDoS.\n\n### Workarounds\n\nAll versions can be patched by providing a custom regular expression for parameters after the first in a single segment. As long as the custom regular expression does not match the text before the parameter, you will be safe. For example, change `/:a-:b` to `/:a-:b([^-/]+)`.\n\nIf paths cannot be rewritten and versions cannot be upgraded, another alternative is to limit the URL length. For example, halving the attack string improves performance by 4x faster.\n\n### Details\n\nUsing `/:a-:b` will produce the regular expression `/^\\/([^\\/]+?)-([^\\/]+?)\\/?$/`. This can be exploited by a path such as `/a${'-a'.repeat(8_000)}/a`. [OWASP](https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS) has a good example of why this occurs, but the TL;DR is the `/a` at the end ensures this route would never match but due to naive backtracking it will still attempt every combination of the `:a-:b` on the repeated 8,000 `-a`.\n\nBecause JavaScript is single threaded and regex matching runs on the main thread, poor performance will block the event loop and can lead to a DoS. In local benchmarks, exploiting the unsafe regex will result in performance that is over 1000x worse than the safe regex. In a more realistic environment using Express v4 and 10 concurrent connections, this translated to average latency of ~600ms vs 1ms.\n\n### References\n\n* [OWASP](https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS)\n* [Detailed blog post](https://blakeembrey.com/posts/2024-09-web-redos/)","reported_by":null,"title":"path-to-regexp outputs backtracking regular expressions","metadata":null,"cves":["CVE-2024-45296"],"access":"public","severity":"high","module_name":"path-to-regexp","vulnerable_versions":"<0.1.10","github_advisory_id":"GHSA-9wv6-86v2-598j","recommendation":"Upgrade to version 0.1.10 or later","patched_versions":">=0.1.10","updated":"2024-09-12T17:09:43.000Z","cvss":{"score":7.5,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},"cwe":["CWE-1333"],"url":"https://github.com/advisories/GHSA-9wv6-86v2-598j"},"1099846":{"findings":[{"version":"0.5.0","paths":["csurf>cookie","@hmcts/rpx-xui-node-lib>csurf>cookie"]}],"found_by":null,"deleted":null,"references":"- https://github.com/jshttp/cookie/security/advisories/GHSA-pxg6-pf52-xh8x\n- https://github.com/jshttp/cookie/pull/167\n- https://github.com/jshttp/cookie/commit/e10042845354fea83bd8f34af72475eed1dadf5c\n- https://github.com/advisories/GHSA-pxg6-pf52-xh8x","created":"2024-10-04T20:31:00.000Z","id":1099846,"npm_advisory_id":null,"overview":"### Impact\n\nThe cookie name could be used to set other fields of the cookie, resulting in an unexpected cookie value. For example, `serialize(\"userName=<script>alert('XSS3')</script>; Max-Age=2592000; a\", value)` would result in `\"userName=<script>alert('XSS3')</script>; Max-Age=2592000; a=test\"`, setting `userName` cookie to `<script>` and ignoring `value`.\n\nA similar escape can be used for `path` and `domain`, which could be abused to alter other fields of the cookie.\n\n### Patches\n\nUpgrade to 0.7.0, which updates the validation for `name`, `path`, and `domain`.\n\n### Workarounds\n\nAvoid passing untrusted or arbitrary values for these fields, ensure they are set by the application instead of user input.\n\n### References\n\n* https://github.com/jshttp/cookie/pull/167","reported_by":null,"title":"cookie accepts cookie name, path, and domain with out of bounds characters","metadata":null,"cves":["CVE-2024-47764"],"access":"public","severity":"low","module_name":"cookie","vulnerable_versions":"<0.7.0","github_advisory_id":"GHSA-pxg6-pf52-xh8x","recommendation":"Upgrade to version 0.7.0 or later","patched_versions":">=0.7.0","updated":"2024-10-04T20:31:01.000Z","cvss":{"score":0,"vectorString":null},"cwe":["CWE-74"],"url":"https://github.com/advisories/GHSA-pxg6-pf52-xh8x"}},"muted":[],"metadata":{"vulnerabilities":{"info":0,"low":2,"moderate":37,"high":2,"critical":0},"dependencies":994,"devDependencies":97,"optionalDependencies":0,"totalDependencies":1091}}