diff --git a/scanners/trivy/parser/__snapshots__/parser.test.js.snap b/scanners/trivy/parser/__snapshots__/parser.test.js.snap
index 718e6ab51f..8300cf17dc 100644
--- a/scanners/trivy/parser/__snapshots__/parser.test.js.snap
+++ b/scanners/trivy/parser/__snapshots__/parser.test.js.snap
@@ -9,12 +9,15 @@ exports[`parses bkimminich/juice-shop:v10.2.0 result file into findings 1`] = `
 "installedVersion": "2.10.4-r3",
 "packageName": "apk-tools",
 "references": [
+ "https://access.redhat.com/security/cve/CVE-2021-36159",
 "https://github.com/freebsd/freebsd-src/commits/main/lib/libfetch",
 "https://gitlab.alpinelinux.org/alpine/apk-tools/-/issues/10749",
- "https://lists.apache.org/thread.html/r61db8e7dcb56dc000a5387a88f7a473bacec5ee01b9ff3f55308aacc@%3Cdev.kafka.apache.org%3E",
- "https://lists.apache.org/thread.html/r61db8e7dcb56dc000a5387a88f7a473bacec5ee01b9ff3f55308aacc@%3Cusers.kafka.apache.org%3E",
- "https://lists.apache.org/thread.html/rbf4ce74b0d1fa9810dec50ba3ace0caeea677af7c27a97111c06ccb7@%3Cdev.kafka.apache.org%3E",
- "https://lists.apache.org/thread.html/rbf4ce74b0d1fa9810dec50ba3ace0caeea677af7c27a97111c06ccb7@%3Cusers.kafka.apache.org%3E",
+ "https://lists.apache.org/thread.html/r61db8e7dcb56dc000a5387a88f7a473bacec5ee01b9ff3f55308aacc%40%3Cdev.kafka.apache.org%3E",
+ "https://lists.apache.org/thread.html/r61db8e7dcb56dc000a5387a88f7a473bacec5ee01b9ff3f55308aacc%40%3Cusers.kafka.apache.org%3E",
+ "https://lists.apache.org/thread.html/rbf4ce74b0d1fa9810dec50ba3ace0caeea677af7c27a97111c06ccb7%40%3Cdev.kafka.apache.org%3E",
+ "https://lists.apache.org/thread.html/rbf4ce74b0d1fa9810dec50ba3ace0caeea677af7c27a97111c06ccb7%40%3Cusers.kafka.apache.org%3E",
+ "https://nvd.nist.gov/vuln/detail/CVE-2021-36159",
+ "https://www.cve.org/CVERecord?id=CVE-2021-36159",
 ],
 "vulnerabilityId": "CVE-2021-36159",
 },
@@ -22,7 +25,7 @@ exports[`parses bkimminich/juice-shop:v10.2.0 result file into findings 1`] = `
 "description": "libfetch before 2021-07-26, as used in apk-tools, xbps, and other products, mishandles numeric strings for the FTP and HTTP protocols. The FTP passive mode implementation allows an out-of-bounds read because strtol is used to parse the relevant numbers into address bytes. It does not check if the line ends prematurely. If it does, the for-loop condition checks for the '\\0' terminator one byte too late.",
 "location": "bkimminich/juice-shop:v10.2.0",
 "mitigation": "Update the affected package apk-tools to the fixed version: 2.10.7-r0 or remove the package from the image.",
- "name": "Vulnerability in Dependency apk-tools (2.10.4-r3)",
+ "name": "libfetch: an out of boundary read while libfetch uses strtol to parse the relevant numbers into address bytes leads to information leak or crash",
 "osi_layer": "NOT_APPLICABLE",
 "references": [
 {
@@ -33,6 +36,10 @@ exports[`parses bkimminich/juice-shop:v10.2.0 result file into findings 1`] = `
 "type": "URL",
 "value": "https://nvd.nist.gov/vuln/detail/CVE-2021-36159",
 },
+ {
+ "type": "URL",
+ "value": "https://access.redhat.com/security/cve/CVE-2021-36159",
+ },
 {
 "type": "URL",
 "value": "https://github.com/freebsd/freebsd-src/commits/main/lib/libfetch",
@@ -43,19 +50,27 @@ exports[`parses bkimminich/juice-shop:v10.2.0 result file into findings 1`] = `
 },
 {
 "type": "URL",
- "value": "https://lists.apache.org/thread.html/r61db8e7dcb56dc000a5387a88f7a473bacec5ee01b9ff3f55308aacc@%3Cdev.kafka.apache.org%3E",
+ "value": "https://lists.apache.org/thread.html/r61db8e7dcb56dc000a5387a88f7a473bacec5ee01b9ff3f55308aacc%40%3Cdev.kafka.apache.org%3E",
 },
 {
 "type": "URL",
- "value": "https://lists.apache.org/thread.html/r61db8e7dcb56dc000a5387a88f7a473bacec5ee01b9ff3f55308aacc@%3Cusers.kafka.apache.org%3E",
+ "value": "https://lists.apache.org/thread.html/r61db8e7dcb56dc000a5387a88f7a473bacec5ee01b9ff3f55308aacc%40%3Cusers.kafka.apache.org%3E",
 },
 {
 "type": "URL",
- "value": "https://lists.apache.org/thread.html/rbf4ce74b0d1fa9810dec50ba3ace0caeea677af7c27a97111c06ccb7@%3Cdev.kafka.apache.org%3E",
+ "value": "https://lists.apache.org/thread.html/rbf4ce74b0d1fa9810dec50ba3ace0caeea677af7c27a97111c06ccb7%40%3Cdev.kafka.apache.org%3E",
 },
 {
 "type": "URL",
- "value": "https://lists.apache.org/thread.html/rbf4ce74b0d1fa9810dec50ba3ace0caeea677af7c27a97111c06ccb7@%3Cusers.kafka.apache.org%3E",
+ "value": "https://lists.apache.org/thread.html/rbf4ce74b0d1fa9810dec50ba3ace0caeea677af7c27a97111c06ccb7%40%3Cusers.kafka.apache.org%3E",
+ },
+ {
+ "type": "URL",
+ "value": "https://nvd.nist.gov/vuln/detail/CVE-2021-36159",
+ },
+ {
+ "type": "URL",
+ "value": "https://www.cve.org/CVERecord?id=CVE-2021-36159",
 },
 ],
 "severity": "HIGH",
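Review bot: The new snapshot lists the NVD advisory URL twice in the same finding's `references` array: the context lines of the preceding hunk (`@@ -33,6 +36,10`) already show `{ "type": "URL", "value": "https://nvd.nist.gov/vuln/detail/CVE-2021-36159" }` right after the CVE entry, and this hunk appends an identical object near the end of the list. This looks like the parser prepending its own NVD link and then copying Trivy's reference list without deduplication, now that Trivy's own output carries the NVD and cve.org links; the same doubled NVD entry is visible for CVE-2021-42378 in the following hunk and presumably for the other busybox findings. Rather than committing the duplicates, deduplicate reference values in the parser before emitting the finding, e.g. `const seen = new Set(); references = references.filter((r) => !seen.has(`${r.type}:${r.value}`) && seen.add(`${r.type}:${r.value}`));`, and regenerate the snapshot from that.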
@@ -105,13 +120,18 @@ exports[`parses bkimminich/juice-shop:v10.2.0 result file into findings 1`] = `
 "installedVersion": "1.31.1-r9",
 "packageName": "busybox",
 "references": [
- "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28831",
+ "https://access.redhat.com/security/cve/CVE-2021-28831",
 "https://git.busybox.net/busybox/commit/?id=f25d254dfd4243698c31a4f3153d4ac72aa9e9bd",
 "https://lists.debian.org/debian-lts-announce/2021/04/msg00001.html",
- "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3UDQGJRECXFS5EZVDH2OI45FMO436AC4/",
- "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Z7ZIFKPRR32ZYA3WAA2NXFA3QHHOU6FJ/",
- "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZASBW7QRRLY5V2R44MQ4QQM4CZIDHM2U/",
+ "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3UDQGJRECXFS5EZVDH2OI45FMO436AC4/",
+ "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Z7ZIFKPRR32ZYA3WAA2NXFA3QHHOU6FJ/",
+ "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZASBW7QRRLY5V2R44MQ4QQM4CZIDHM2U/",
+ "https://nvd.nist.gov/vuln/detail/CVE-2021-28831",
 "https://security.gentoo.org/glsa/202105-09",
+ "https://ubuntu.com/security/notices/USN-5179-1",
+ "https://ubuntu.com/security/notices/USN-5179-2",
+ "https://ubuntu.com/security/notices/USN-6335-1",
+ "https://www.cve.org/CVERecord?id=CVE-2021-28831",
 ],
 "vulnerabilityId": "CVE-2021-28831",
 },
@@ -132,7 +152,7 @@ exports[`parses bkimminich/juice-shop:v10.2.0 result file into findings 1`] = `
 },
 {
 "type": "URL",
- "value": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28831",
+ "value": "https://access.redhat.com/security/cve/CVE-2021-28831",
 },
 {
 "type": "URL",
@@ -144,1000 +164,1137 @@ exports[`parses bkimminich/juice-shop:v10.2.0 result file into findings 1`] = ` }, { "type": "URL", - "value": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3UDQGJRECXFS5EZVDH2OI45FMO436AC4/", + "value": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3UDQGJRECXFS5EZVDH2OI45FMO436AC4/", }, { "type": "URL", - "value": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Z7ZIFKPRR32ZYA3WAA2NXFA3QHHOU6FJ/", + "value": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Z7ZIFKPRR32ZYA3WAA2NXFA3QHHOU6FJ/", }, { "type": "URL", - "value": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZASBW7QRRLY5V2R44MQ4QQM4CZIDHM2U/", + "value": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZASBW7QRRLY5V2R44MQ4QQM4CZIDHM2U/", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2021-28831", }, { "type": "URL", "value": "https://security.gentoo.org/glsa/202105-09", }, + { + "type": "URL", + "value": "https://ubuntu.com/security/notices/USN-5179-1", + }, + { + "type": "URL", + "value": "https://ubuntu.com/security/notices/USN-5179-2", + }, + { + "type": "URL", + "value": "https://ubuntu.com/security/notices/USN-6335-1", + }, + { + "type": "URL", + "value": "https://www.cve.org/CVERecord?id=CVE-2021-28831", + }, ], "severity": "HIGH", }, { "attributes": { - "fixedVersion": "1.1.1l-r0", + "fixedVersion": "1.31.1-r11", "foundIn": "bkimminich/juice-shop:v10.2.0 (alpine 3.11.5)", - "installedVersion": "1.1.1d-r3", - "packageName": "libcrypto1.1", + "installedVersion": "1.31.1-r9", + "packageName": "busybox", "references": [ - "http://www.openwall.com/lists/oss-security/2021/08/26/2", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3711", - 
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=59f5e75f3bced8fc0e130d72a3f582cf7b480b46", - "https://lists.apache.org/thread.html/r18995de860f0e63635f3008fd2a6aca82394249476d21691e7c59c9e@%3Cdev.tomcat.apache.org%3E", - "https://lists.apache.org/thread.html/rad5d9f83f0d11fb3f8bb148d179b8a9ad7c6a17f18d70e5805a713d1@%3Cdev.tomcat.apache.org%3E", - "https://security.netapp.com/advisory/ntap-20210827-0010/", - "https://security.netapp.com/advisory/ntap-20211022-0003/", - "https://ubuntu.com/security/notices/USN-5051-1", - "https://www.debian.org/security/2021/dsa-4963", - "https://www.openssl.org/news/secadv/20210824.txt", - "https://www.oracle.com/security-alerts/cpuoct2021.html", - "https://www.tenable.com/security/tns-2021-16", + "https://access.redhat.com/security/cve/CVE-2021-42378", + "https://claroty.com/team82/research/unboxing-busybox-14-vulnerabilities-uncovered-by-claroty-jfrog", + "https://jfrog.com/blog/unboxing-busybox-14-new-vulnerabilities-uncovered-by-claroty-and-jfrog/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6T2TURBYYJGBMQTTN2DSOAIQGP7WCPGV/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UQXGOGWBIYWOIVXJVRKHZR34UMEHQBXS/", + "https://nvd.nist.gov/vuln/detail/CVE-2021-42378", + "https://security.netapp.com/advisory/ntap-20211223-0002/", + "https://ubuntu.com/security/notices/USN-5179-1", + "https://www.cve.org/CVERecord?id=CVE-2021-42378", ], - "vulnerabilityId": "CVE-2021-3711", + "vulnerabilityId": "CVE-2021-42378", }, "category": "Image Vulnerability", - "description": "In order to decrypt SM2 encrypted data an application is expected to call the API function EVP_PKEY_decrypt(). Typically an application will call this function twice. The first time, on entry, the "out" parameter can be NULL and, on exit, the "outlen" parameter is populated with the buffer size required to hold the decrypted plaintext. 
The application can then allocate a sufficiently sized buffer and call EVP_PKEY_decrypt() again, but this time passing a non-NULL value for the "out" parameter. A bug in the implementation of the SM2 decryption code means that the calculation of the buffer size required to hold the plaintext returned by the first call to EVP_PKEY_decrypt() can be smaller than the actual size required by the second call. This can lead to a buffer overflow when EVP_PKEY_decrypt() is called by the application a second time with a buffer that is too small. A malicious attacker who is able present SM2 content for decryption to an application could cause attacker chosen data to overflow the buffer by up to a maximum of 62 bytes altering the contents of other data held after the buffer, possibly changing application behaviour or causing the application to crash. The location of the buffer is application dependent but is typically heap allocated. Fixed in OpenSSL 1.1.1l (Affected 1.1.1-1.1.1k).", + "description": "A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the getvar_i function", "location": "bkimminich/juice-shop:v10.2.0", - "mitigation": "Update the affected package libcrypto1.1 to the fixed version: 1.1.1l-r0 or remove the package from the image.", - "name": "openssl: SM2 Decryption Buffer Overflow", + "mitigation": "Update the affected package busybox to the fixed version: 1.31.1-r11 or remove the package from the image.", + "name": "busybox: use-after-free in awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the getvar_i()", "osi_layer": "NOT_APPLICABLE", "references": [ { "type": "CVE", - "value": "CVE-2021-3711", - }, - { - "type": "URL", - "value": "https://nvd.nist.gov/vuln/detail/CVE-2021-3711", - }, - { - "type": "URL", - "value": "http://www.openwall.com/lists/oss-security/2021/08/26/2", - }, - { - "type": "URL", - "value": 
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3711", + "value": "CVE-2021-42378", }, { "type": "URL", - "value": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=59f5e75f3bced8fc0e130d72a3f582cf7b480b46", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2021-42378", }, { "type": "URL", - "value": "https://lists.apache.org/thread.html/r18995de860f0e63635f3008fd2a6aca82394249476d21691e7c59c9e@%3Cdev.tomcat.apache.org%3E", + "value": "https://access.redhat.com/security/cve/CVE-2021-42378", }, { "type": "URL", - "value": "https://lists.apache.org/thread.html/rad5d9f83f0d11fb3f8bb148d179b8a9ad7c6a17f18d70e5805a713d1@%3Cdev.tomcat.apache.org%3E", + "value": "https://claroty.com/team82/research/unboxing-busybox-14-vulnerabilities-uncovered-by-claroty-jfrog", }, { "type": "URL", - "value": "https://security.netapp.com/advisory/ntap-20210827-0010/", + "value": "https://jfrog.com/blog/unboxing-busybox-14-new-vulnerabilities-uncovered-by-claroty-and-jfrog/", }, { "type": "URL", - "value": "https://security.netapp.com/advisory/ntap-20211022-0003/", + "value": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6T2TURBYYJGBMQTTN2DSOAIQGP7WCPGV/", }, { "type": "URL", - "value": "https://ubuntu.com/security/notices/USN-5051-1", + "value": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UQXGOGWBIYWOIVXJVRKHZR34UMEHQBXS/", }, { "type": "URL", - "value": "https://www.debian.org/security/2021/dsa-4963", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2021-42378", }, { "type": "URL", - "value": "https://www.openssl.org/news/secadv/20210824.txt", + "value": "https://security.netapp.com/advisory/ntap-20211223-0002/", }, { "type": "URL", - "value": "https://www.oracle.com/security-alerts/cpuoct2021.html", + "value": "https://ubuntu.com/security/notices/USN-5179-1", }, { "type": "URL", - "value": "https://www.tenable.com/security/tns-2021-16", + "value": 
"https://www.cve.org/CVERecord?id=CVE-2021-42378", }, ], "severity": "HIGH", }, { "attributes": { - "fixedVersion": "1.1.1g-r0", + "fixedVersion": "1.31.1-r11", "foundIn": "bkimminich/juice-shop:v10.2.0 (alpine 3.11.5)", - "installedVersion": "1.1.1d-r3", - "packageName": "libcrypto1.1", + "installedVersion": "1.31.1-r9", + "packageName": "busybox", "references": [ - "http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00004.html", - "http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00011.html", - "http://packetstormsecurity.com/files/157527/OpenSSL-signature_algorithms_cert-Denial-Of-Service.html", - "http://seclists.org/fulldisclosure/2020/May/5", - "http://www.openwall.com/lists/oss-security/2020/04/22/2", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1967", - "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=eb563247aef3e83dda7679c43f9649270462e5b1", - "https://github.com/irsl/CVE-2020-1967", - "https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44440", - "https://lists.apache.org/thread.html/r66ea9c436da150683432db5fbc8beb8ae01886c6459ac30c2cea7345@%3Cdev.tomcat.apache.org%3E", - "https://lists.apache.org/thread.html/r94d6ac3f010a38fccf4f432b12180a13fa1cf303559bd805648c9064@%3Cdev.tomcat.apache.org%3E", - "https://lists.apache.org/thread.html/r9a41e304992ce6aec6585a87842b4f2e692604f5c892c37e3b0587ee@%3Cdev.tomcat.apache.org%3E", - "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DDHOAATPWJCXRNFMJ2SASDBBNU5RJONY/", - "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EXDDAOWSAIEFQNBHWYE6PPYFV4QXGMCD/", - "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XVEP3LAK4JSPRXFO4QF4GG2IVXADV3SO/", - "https://nvd.nist.gov/vuln/detail/CVE-2020-1967", - "https://security.FreeBSD.org/advisories/FreeBSD-SA-20:11.openssl.asc", - "https://security.gentoo.org/glsa/202004-10", - 
"https://security.netapp.com/advisory/ntap-20200424-0003/", - "https://security.netapp.com/advisory/ntap-20200717-0004/", - "https://www.debian.org/security/2020/dsa-4661", - "https://www.openssl.org/news/secadv/20200421.txt", - "https://www.oracle.com//security-alerts/cpujul2021.html", - "https://www.oracle.com/security-alerts/cpuApr2021.html", - "https://www.oracle.com/security-alerts/cpujan2021.html", - "https://www.oracle.com/security-alerts/cpujul2020.html", - "https://www.oracle.com/security-alerts/cpuoct2020.html", - "https://www.oracle.com/security-alerts/cpuoct2021.html", - "https://www.synology.com/security/advisory/Synology_SA_20_05", - "https://www.synology.com/security/advisory/Synology_SA_20_05_OpenSSL", - "https://www.tenable.com/security/tns-2020-03", - "https://www.tenable.com/security/tns-2020-04", - "https://www.tenable.com/security/tns-2020-11", - "https://www.tenable.com/security/tns-2021-10", + "https://access.redhat.com/security/cve/CVE-2021-42379", + "https://claroty.com/team82/research/unboxing-busybox-14-vulnerabilities-uncovered-by-claroty-jfrog", + "https://jfrog.com/blog/unboxing-busybox-14-new-vulnerabilities-uncovered-by-claroty-and-jfrog/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6T2TURBYYJGBMQTTN2DSOAIQGP7WCPGV/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UQXGOGWBIYWOIVXJVRKHZR34UMEHQBXS/", + "https://nvd.nist.gov/vuln/detail/CVE-2021-42379", + "https://security.netapp.com/advisory/ntap-20211223-0002/", + "https://ubuntu.com/security/notices/USN-5179-1", + "https://www.cve.org/CVERecord?id=CVE-2021-42379", ], - "vulnerabilityId": "CVE-2020-1967", + "vulnerabilityId": "CVE-2021-42379", }, "category": "Image Vulnerability", - "description": "Server or client applications that call the SSL_check_chain() function during or after a TLS 1.3 handshake may crash due to a NULL pointer dereference as a result of incorrect 
handling of the "signature_algorithms_cert" TLS extension. The crash occurs if an invalid or unrecognised signature algorithm is received from the peer. This could be exploited by a malicious peer in a Denial of Service attack. OpenSSL version 1.1.1d, 1.1.1e, and 1.1.1f are affected by this issue. This issue did not affect OpenSSL versions prior to 1.1.1d. Fixed in OpenSSL 1.1.1g (Affected 1.1.1d-1.1.1f).", + "description": "A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the next_input_file function", "location": "bkimminich/juice-shop:v10.2.0", - "mitigation": "Update the affected package libcrypto1.1 to the fixed version: 1.1.1g-r0 or remove the package from the image.", - "name": "openssl: Segmentation fault in SSL_check_chain causes denial of service", + "mitigation": "Update the affected package busybox to the fixed version: 1.31.1-r11 or remove the package from the image.", + "name": "busybox: use-after-free in awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the next_input_file()", "osi_layer": "NOT_APPLICABLE", "references": [ { "type": "CVE", - "value": "CVE-2020-1967", + "value": "CVE-2021-42379", }, { "type": "URL", - "value": "https://nvd.nist.gov/vuln/detail/CVE-2020-1967", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2021-42379", }, { "type": "URL", - "value": "http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00004.html", + "value": "https://access.redhat.com/security/cve/CVE-2021-42379", }, { "type": "URL", - "value": "http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00011.html", + "value": "https://claroty.com/team82/research/unboxing-busybox-14-vulnerabilities-uncovered-by-claroty-jfrog", }, { "type": "URL", - "value": "http://packetstormsecurity.com/files/157527/OpenSSL-signature_algorithms_cert-Denial-Of-Service.html", + "value": 
"https://jfrog.com/blog/unboxing-busybox-14-new-vulnerabilities-uncovered-by-claroty-and-jfrog/", }, { "type": "URL", - "value": "http://seclists.org/fulldisclosure/2020/May/5", + "value": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6T2TURBYYJGBMQTTN2DSOAIQGP7WCPGV/", }, { "type": "URL", - "value": "http://www.openwall.com/lists/oss-security/2020/04/22/2", + "value": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UQXGOGWBIYWOIVXJVRKHZR34UMEHQBXS/", }, { "type": "URL", - "value": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1967", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2021-42379", }, { "type": "URL", - "value": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=eb563247aef3e83dda7679c43f9649270462e5b1", + "value": "https://security.netapp.com/advisory/ntap-20211223-0002/", }, { "type": "URL", - "value": "https://github.com/irsl/CVE-2020-1967", + "value": "https://ubuntu.com/security/notices/USN-5179-1", }, { "type": "URL", - "value": "https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44440", + "value": "https://www.cve.org/CVERecord?id=CVE-2021-42379", }, + ], + "severity": "HIGH", + }, + { + "attributes": { + "fixedVersion": "1.31.1-r11", + "foundIn": "bkimminich/juice-shop:v10.2.0 (alpine 3.11.5)", + "installedVersion": "1.31.1-r9", + "packageName": "busybox", + "references": [ + "https://access.redhat.com/security/cve/CVE-2021-42380", + "https://claroty.com/team82/research/unboxing-busybox-14-vulnerabilities-uncovered-by-claroty-jfrog", + "https://jfrog.com/blog/unboxing-busybox-14-new-vulnerabilities-uncovered-by-claroty-and-jfrog/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6T2TURBYYJGBMQTTN2DSOAIQGP7WCPGV/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UQXGOGWBIYWOIVXJVRKHZR34UMEHQBXS/", + 
"https://nvd.nist.gov/vuln/detail/CVE-2021-42380", + "https://security.netapp.com/advisory/ntap-20211223-0002/", + "https://ubuntu.com/security/notices/USN-5179-1", + "https://www.cve.org/CVERecord?id=CVE-2021-42380", + ], + "vulnerabilityId": "CVE-2021-42380", + }, + "category": "Image Vulnerability", + "description": "A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the clrvar function", + "location": "bkimminich/juice-shop:v10.2.0", + "mitigation": "Update the affected package busybox to the fixed version: 1.31.1-r11 or remove the package from the image.", + "name": "busybox: use-after-free in awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the clrvar()", + "osi_layer": "NOT_APPLICABLE", + "references": [ { - "type": "URL", - "value": "https://lists.apache.org/thread.html/r66ea9c436da150683432db5fbc8beb8ae01886c6459ac30c2cea7345@%3Cdev.tomcat.apache.org%3E", + "type": "CVE", + "value": "CVE-2021-42380", }, { "type": "URL", - "value": "https://lists.apache.org/thread.html/r94d6ac3f010a38fccf4f432b12180a13fa1cf303559bd805648c9064@%3Cdev.tomcat.apache.org%3E", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2021-42380", }, { "type": "URL", - "value": "https://lists.apache.org/thread.html/r9a41e304992ce6aec6585a87842b4f2e692604f5c892c37e3b0587ee@%3Cdev.tomcat.apache.org%3E", + "value": "https://access.redhat.com/security/cve/CVE-2021-42380", }, { "type": "URL", - "value": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DDHOAATPWJCXRNFMJ2SASDBBNU5RJONY/", + "value": "https://claroty.com/team82/research/unboxing-busybox-14-vulnerabilities-uncovered-by-claroty-jfrog", }, { "type": "URL", - "value": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EXDDAOWSAIEFQNBHWYE6PPYFV4QXGMCD/", + "value": 
"https://jfrog.com/blog/unboxing-busybox-14-new-vulnerabilities-uncovered-by-claroty-and-jfrog/", }, { "type": "URL", - "value": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XVEP3LAK4JSPRXFO4QF4GG2IVXADV3SO/", + "value": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6T2TURBYYJGBMQTTN2DSOAIQGP7WCPGV/", }, { "type": "URL", - "value": "https://nvd.nist.gov/vuln/detail/CVE-2020-1967", + "value": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UQXGOGWBIYWOIVXJVRKHZR34UMEHQBXS/", }, { "type": "URL", - "value": "https://security.FreeBSD.org/advisories/FreeBSD-SA-20:11.openssl.asc", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2021-42380", }, { "type": "URL", - "value": "https://security.gentoo.org/glsa/202004-10", + "value": "https://security.netapp.com/advisory/ntap-20211223-0002/", }, { "type": "URL", - "value": "https://security.netapp.com/advisory/ntap-20200424-0003/", + "value": "https://ubuntu.com/security/notices/USN-5179-1", }, { "type": "URL", - "value": "https://security.netapp.com/advisory/ntap-20200717-0004/", + "value": "https://www.cve.org/CVERecord?id=CVE-2021-42380", }, + ], + "severity": "HIGH", + }, + { + "attributes": { + "fixedVersion": "1.31.1-r11", + "foundIn": "bkimminich/juice-shop:v10.2.0 (alpine 3.11.5)", + "installedVersion": "1.31.1-r9", + "packageName": "busybox", + "references": [ + "https://access.redhat.com/security/cve/CVE-2021-42381", + "https://claroty.com/team82/research/unboxing-busybox-14-vulnerabilities-uncovered-by-claroty-jfrog", + "https://jfrog.com/blog/unboxing-busybox-14-new-vulnerabilities-uncovered-by-claroty-and-jfrog/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6T2TURBYYJGBMQTTN2DSOAIQGP7WCPGV/", + 
"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UQXGOGWBIYWOIVXJVRKHZR34UMEHQBXS/", + "https://nvd.nist.gov/vuln/detail/CVE-2021-42381", + "https://security.netapp.com/advisory/ntap-20211223-0002/", + "https://ubuntu.com/security/notices/USN-5179-1", + "https://www.cve.org/CVERecord?id=CVE-2021-42381", + ], + "vulnerabilityId": "CVE-2021-42381", + }, + "category": "Image Vulnerability", + "description": "A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the hash_init function", + "location": "bkimminich/juice-shop:v10.2.0", + "mitigation": "Update the affected package busybox to the fixed version: 1.31.1-r11 or remove the package from the image.", + "name": "busybox: use-after-free in awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the hash_init()", + "osi_layer": "NOT_APPLICABLE", + "references": [ { - "type": "URL", - "value": "https://www.debian.org/security/2020/dsa-4661", + "type": "CVE", + "value": "CVE-2021-42381", }, { "type": "URL", - "value": "https://www.openssl.org/news/secadv/20200421.txt", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2021-42381", }, { "type": "URL", - "value": "https://www.oracle.com//security-alerts/cpujul2021.html", - }, - { - "type": "URL", - "value": "https://www.oracle.com/security-alerts/cpuApr2021.html", - }, - { - "type": "URL", - "value": "https://www.oracle.com/security-alerts/cpujan2021.html", - }, - { - "type": "URL", - "value": "https://www.oracle.com/security-alerts/cpujul2020.html", + "value": "https://access.redhat.com/security/cve/CVE-2021-42381", }, { "type": "URL", - "value": "https://www.oracle.com/security-alerts/cpuoct2020.html", + "value": "https://claroty.com/team82/research/unboxing-busybox-14-vulnerabilities-uncovered-by-claroty-jfrog", }, { "type": "URL", - "value": 
"https://www.oracle.com/security-alerts/cpuoct2021.html", + "value": "https://jfrog.com/blog/unboxing-busybox-14-new-vulnerabilities-uncovered-by-claroty-and-jfrog/", }, { "type": "URL", - "value": "https://www.synology.com/security/advisory/Synology_SA_20_05", + "value": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6T2TURBYYJGBMQTTN2DSOAIQGP7WCPGV/", }, { "type": "URL", - "value": "https://www.synology.com/security/advisory/Synology_SA_20_05_OpenSSL", + "value": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UQXGOGWBIYWOIVXJVRKHZR34UMEHQBXS/", }, { "type": "URL", - "value": "https://www.tenable.com/security/tns-2020-03", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2021-42381", }, { "type": "URL", - "value": "https://www.tenable.com/security/tns-2020-04", + "value": "https://security.netapp.com/advisory/ntap-20211223-0002/", }, { "type": "URL", - "value": "https://www.tenable.com/security/tns-2020-11", + "value": "https://ubuntu.com/security/notices/USN-5179-1", }, { "type": "URL", - "value": "https://www.tenable.com/security/tns-2021-10", + "value": "https://www.cve.org/CVERecord?id=CVE-2021-42381", }, ], "severity": "HIGH", }, { "attributes": { - "fixedVersion": "1.1.1j-r0", + "fixedVersion": "1.31.1-r11", "foundIn": "bkimminich/juice-shop:v10.2.0 (alpine 3.11.5)", - "installedVersion": "1.1.1d-r3", - "packageName": "libcrypto1.1", + "installedVersion": "1.31.1-r9", + "packageName": "busybox", "references": [ - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23840", - "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=6a51b9e1d0cf0bf8515f7201b68fb0a3482b3dc1", - "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=9b1129239f3ebb1d1c98ce9ed41d5c9476c47cb2", - "https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44846", - "https://kc.mcafee.com/corporate/index?page=content&id=SB10366", - 
"https://linux.oracle.com/cve/CVE-2021-23840.html", - "https://linux.oracle.com/errata/ELSA-2021-9528.html", - "https://lists.apache.org/thread.html/r58af02e294bd07f487e2c64ffc0a29b837db5600e33b6e698b9d696b@%3Cissues.bookkeeper.apache.org%3E", - "https://lists.apache.org/thread.html/rf4c02775860db415b4955778a131c2795223f61cb8c6a450893651e4@%3Cissues.bookkeeper.apache.org%3E", - "https://security.gentoo.org/glsa/202103-03", - "https://security.netapp.com/advisory/ntap-20210219-0009/", - "https://ubuntu.com/security/notices/USN-4738-1", - "https://ubuntu.com/security/notices/USN-5088-1", - "https://www.debian.org/security/2021/dsa-4855", - "https://www.openssl.org/news/secadv/20210216.txt", - "https://www.oracle.com//security-alerts/cpujul2021.html", - "https://www.oracle.com/security-alerts/cpuApr2021.html", - "https://www.oracle.com/security-alerts/cpuoct2021.html", - "https://www.tenable.com/security/tns-2021-03", - "https://www.tenable.com/security/tns-2021-09", - "https://www.tenable.com/security/tns-2021-10", + "https://access.redhat.com/security/cve/CVE-2021-42382", + "https://claroty.com/team82/research/unboxing-busybox-14-vulnerabilities-uncovered-by-claroty-jfrog", + "https://jfrog.com/blog/unboxing-busybox-14-new-vulnerabilities-uncovered-by-claroty-and-jfrog/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6T2TURBYYJGBMQTTN2DSOAIQGP7WCPGV/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UQXGOGWBIYWOIVXJVRKHZR34UMEHQBXS/", + "https://nvd.nist.gov/vuln/detail/CVE-2021-42382", + "https://security.netapp.com/advisory/ntap-20211223-0002/", + "https://ubuntu.com/security/notices/USN-5179-1", + "https://www.cve.org/CVERecord?id=CVE-2021-42382", ], - "vulnerabilityId": "CVE-2021-23840", + "vulnerabilityId": "CVE-2021-42382", }, "category": "Image Vulnerability", - "description": "Calls to EVP_CipherUpdate, EVP_EncryptUpdate and EVP_DecryptUpdate may 
overflow the output length argument in some cases where the input length is close to the maximum permissible length for an integer on the platform. In such cases the return value from the function call will be 1 (indicating success), but the output length value will be negative. This could cause applications to behave incorrectly or crash. OpenSSL versions 1.1.1i and below are affected by this issue. Users of these versions should upgrade to OpenSSL 1.1.1j. OpenSSL versions 1.0.2x and below are affected by this issue. However OpenSSL 1.0.2 is out of support and no longer receiving public updates. Premium support customers of OpenSSL 1.0.2 should upgrade to 1.0.2y. Other users should upgrade to 1.1.1j. Fixed in OpenSSL 1.1.1j (Affected 1.1.1-1.1.1i). Fixed in OpenSSL 1.0.2y (Affected 1.0.2-1.0.2x).", + "description": "A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the getvar_s function", "location": "bkimminich/juice-shop:v10.2.0", - "mitigation": "Update the affected package libcrypto1.1 to the fixed version: 1.1.1j-r0 or remove the package from the image.", - "name": "openssl: integer overflow in CipherUpdate", + "mitigation": "Update the affected package busybox to the fixed version: 1.31.1-r11 or remove the package from the image.", + "name": "busybox: use-after-free in awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the getvar_s()", "osi_layer": "NOT_APPLICABLE", "references": [ { "type": "CVE", - "value": "CVE-2021-23840", - }, - { - "type": "URL", - "value": "https://nvd.nist.gov/vuln/detail/CVE-2021-23840", - }, - { - "type": "URL", - "value": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23840", + "value": "CVE-2021-42382", }, { "type": "URL", - "value": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=6a51b9e1d0cf0bf8515f7201b68fb0a3482b3dc1", + "value": 
"https://nvd.nist.gov/vuln/detail/CVE-2021-42382", }, { "type": "URL", - "value": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=9b1129239f3ebb1d1c98ce9ed41d5c9476c47cb2", + "value": "https://access.redhat.com/security/cve/CVE-2021-42382", }, { "type": "URL", - "value": "https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44846", + "value": "https://claroty.com/team82/research/unboxing-busybox-14-vulnerabilities-uncovered-by-claroty-jfrog", }, { "type": "URL", - "value": "https://kc.mcafee.com/corporate/index?page=content&id=SB10366", + "value": "https://jfrog.com/blog/unboxing-busybox-14-new-vulnerabilities-uncovered-by-claroty-and-jfrog/", }, { "type": "URL", - "value": "https://linux.oracle.com/cve/CVE-2021-23840.html", + "value": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6T2TURBYYJGBMQTTN2DSOAIQGP7WCPGV/", }, { "type": "URL", - "value": "https://linux.oracle.com/errata/ELSA-2021-9528.html", + "value": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UQXGOGWBIYWOIVXJVRKHZR34UMEHQBXS/", }, { "type": "URL", - "value": "https://lists.apache.org/thread.html/r58af02e294bd07f487e2c64ffc0a29b837db5600e33b6e698b9d696b@%3Cissues.bookkeeper.apache.org%3E", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2021-42382", }, { "type": "URL", - "value": "https://lists.apache.org/thread.html/rf4c02775860db415b4955778a131c2795223f61cb8c6a450893651e4@%3Cissues.bookkeeper.apache.org%3E", + "value": "https://security.netapp.com/advisory/ntap-20211223-0002/", }, { "type": "URL", - "value": "https://security.gentoo.org/glsa/202103-03", + "value": "https://ubuntu.com/security/notices/USN-5179-1", }, { "type": "URL", - "value": "https://security.netapp.com/advisory/ntap-20210219-0009/", + "value": "https://www.cve.org/CVERecord?id=CVE-2021-42382", }, + ], + "severity": "HIGH", + }, + { + "attributes": { + "fixedVersion": "1.31.1-r11", + "foundIn": 
"bkimminich/juice-shop:v10.2.0 (alpine 3.11.5)", + "installedVersion": "1.31.1-r9", + "packageName": "busybox", + "references": [ + "https://access.redhat.com/security/cve/CVE-2021-42383", + "https://claroty.com/team82/research/unboxing-busybox-14-vulnerabilities-uncovered-by-claroty-jfrog", + "https://jfrog.com/blog/unboxing-busybox-14-new-vulnerabilities-uncovered-by-claroty-and-jfrog/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6T2TURBYYJGBMQTTN2DSOAIQGP7WCPGV/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UQXGOGWBIYWOIVXJVRKHZR34UMEHQBXS/", + "https://nvd.nist.gov/vuln/detail/CVE-2021-42383", + "https://security.netapp.com/advisory/ntap-20211223-0002/", + "https://www.cve.org/CVERecord?id=CVE-2021-42383", + ], + "vulnerabilityId": "CVE-2021-42383", + }, + "category": "Image Vulnerability", + "description": "A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the evaluate function", + "location": "bkimminich/juice-shop:v10.2.0", + "mitigation": "Update the affected package busybox to the fixed version: 1.31.1-r11 or remove the package from the image.", + "name": "busybox: use-after-free in awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the evaluate()", + "osi_layer": "NOT_APPLICABLE", + "references": [ { - "type": "URL", - "value": "https://ubuntu.com/security/notices/USN-4738-1", + "type": "CVE", + "value": "CVE-2021-42383", }, { "type": "URL", - "value": "https://ubuntu.com/security/notices/USN-5088-1", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2021-42383", }, { "type": "URL", - "value": "https://www.debian.org/security/2021/dsa-4855", + "value": "https://access.redhat.com/security/cve/CVE-2021-42383", }, { "type": "URL", - "value": "https://www.openssl.org/news/secadv/20210216.txt", + "value": 
"https://claroty.com/team82/research/unboxing-busybox-14-vulnerabilities-uncovered-by-claroty-jfrog", }, { "type": "URL", - "value": "https://www.oracle.com//security-alerts/cpujul2021.html", + "value": "https://jfrog.com/blog/unboxing-busybox-14-new-vulnerabilities-uncovered-by-claroty-and-jfrog/", }, { "type": "URL", - "value": "https://www.oracle.com/security-alerts/cpuApr2021.html", + "value": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6T2TURBYYJGBMQTTN2DSOAIQGP7WCPGV/", }, { "type": "URL", - "value": "https://www.oracle.com/security-alerts/cpuoct2021.html", + "value": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UQXGOGWBIYWOIVXJVRKHZR34UMEHQBXS/", }, { "type": "URL", - "value": "https://www.tenable.com/security/tns-2021-03", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2021-42383", }, { "type": "URL", - "value": "https://www.tenable.com/security/tns-2021-09", + "value": "https://security.netapp.com/advisory/ntap-20211223-0002/", }, { "type": "URL", - "value": "https://www.tenable.com/security/tns-2021-10", + "value": "https://www.cve.org/CVERecord?id=CVE-2021-42383", }, ], "severity": "HIGH", }, { "attributes": { - "fixedVersion": "1.1.1k-r0", + "fixedVersion": "1.31.1-r11", "foundIn": "bkimminich/juice-shop:v10.2.0 (alpine 3.11.5)", - "installedVersion": "1.1.1d-r3", - "packageName": "libcrypto1.1", + "installedVersion": "1.31.1-r9", + "packageName": "busybox", "references": [ - "http://www.openwall.com/lists/oss-security/2021/03/27/1", - "http://www.openwall.com/lists/oss-security/2021/03/27/2", - "http://www.openwall.com/lists/oss-security/2021/03/28/3", - "http://www.openwall.com/lists/oss-security/2021/03/28/4", - "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=2a40b7bc7b94dd7de897a74571e7024f0cf0d63b", - "https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44845", - 
"https://kc.mcafee.com/corporate/index?page=content&id=SB10356", - "https://linux.oracle.com/cve/CVE-2021-3450.html", - "https://linux.oracle.com/errata/ELSA-2021-9151.html", - "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CCBFLLVQVILIVGZMBJL3IXZGKWQISYNP/", - "https://mta.openssl.org/pipermail/openssl-announce/2021-March/000198.html", - "https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0013", - "https://security.FreeBSD.org/advisories/FreeBSD-SA-21:07.openssl.asc", - "https://security.gentoo.org/glsa/202103-03", - "https://security.netapp.com/advisory/ntap-20210326-0006/", - "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-openssl-2021-GHY28dJd", - "https://www.openssl.org/news/secadv/20210325.txt", - "https://www.oracle.com//security-alerts/cpujul2021.html", - "https://www.oracle.com/security-alerts/cpuApr2021.html", - "https://www.oracle.com/security-alerts/cpuoct2021.html", - "https://www.tenable.com/security/tns-2021-05", - "https://www.tenable.com/security/tns-2021-08", - "https://www.tenable.com/security/tns-2021-09", + "https://access.redhat.com/security/cve/CVE-2021-42384", + "https://claroty.com/team82/research/unboxing-busybox-14-vulnerabilities-uncovered-by-claroty-jfrog", + "https://jfrog.com/blog/unboxing-busybox-14-new-vulnerabilities-uncovered-by-claroty-and-jfrog/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6T2TURBYYJGBMQTTN2DSOAIQGP7WCPGV/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UQXGOGWBIYWOIVXJVRKHZR34UMEHQBXS/", + "https://nvd.nist.gov/vuln/detail/CVE-2021-42384", + "https://security.netapp.com/advisory/ntap-20211223-0002/", + "https://ubuntu.com/security/notices/USN-5179-1", + "https://www.cve.org/CVERecord?id=CVE-2021-42384", ], - "vulnerabilityId": "CVE-2021-3450", + "vulnerabilityId": "CVE-2021-42384", }, "category": "Image 
Vulnerability", - "description": "The X509_V_FLAG_X509_STRICT flag enables additional security checks of the certificates present in a certificate chain. It is not set by default. Starting from OpenSSL version 1.1.1h a check to disallow certificates in the chain that have explicitly encoded elliptic curve parameters was added as an additional strict check. An error in the implementation of this check meant that the result of a previous check to confirm that certificates in the chain are valid CA certificates was overwritten. This effectively bypasses the check that non-CA certificates must not be able to issue other certificates. If a "purpose" has been configured then there is a subsequent opportunity for checks that the certificate is a valid CA. All of the named "purpose" values implemented in libcrypto perform this check. Therefore, where a purpose is set the certificate chain will still be rejected even when the strict flag has been used. A purpose is set by default in libssl client and server certificate verification routines, but it can be overridden or removed by an application. In order to be affected, an application must explicitly set the X509_V_FLAG_X509_STRICT verification flag and either not set a purpose for the certificate verification or, in the case of TLS client or server applications, override the default purpose. OpenSSL versions 1.1.1h and newer are affected by this issue. Users of these versions should upgrade to OpenSSL 1.1.1k. OpenSSL 1.0.2 is not impacted by this issue. 
Fixed in OpenSSL 1.1.1k (Affected 1.1.1h-1.1.1j).", + "description": "A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the handle_special function", "location": "bkimminich/juice-shop:v10.2.0", - "mitigation": "Update the affected package libcrypto1.1 to the fixed version: 1.1.1k-r0 or remove the package from the image.", - "name": "openssl: CA certificate check bypass with X509_V_FLAG_X509_STRICT", + "mitigation": "Update the affected package busybox to the fixed version: 1.31.1-r11 or remove the package from the image.", + "name": "busybox: use-after-free in awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the handle_special()", "osi_layer": "NOT_APPLICABLE", "references": [ { "type": "CVE", - "value": "CVE-2021-3450", - }, - { - "type": "URL", - "value": "https://nvd.nist.gov/vuln/detail/CVE-2021-3450", - }, - { - "type": "URL", - "value": "http://www.openwall.com/lists/oss-security/2021/03/27/1", - }, - { - "type": "URL", - "value": "http://www.openwall.com/lists/oss-security/2021/03/27/2", + "value": "CVE-2021-42384", }, { "type": "URL", - "value": "http://www.openwall.com/lists/oss-security/2021/03/28/3", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2021-42384", }, { "type": "URL", - "value": "http://www.openwall.com/lists/oss-security/2021/03/28/4", + "value": "https://access.redhat.com/security/cve/CVE-2021-42384", }, { "type": "URL", - "value": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=2a40b7bc7b94dd7de897a74571e7024f0cf0d63b", + "value": "https://claroty.com/team82/research/unboxing-busybox-14-vulnerabilities-uncovered-by-claroty-jfrog", }, { "type": "URL", - "value": "https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44845", + "value": "https://jfrog.com/blog/unboxing-busybox-14-new-vulnerabilities-uncovered-by-claroty-and-jfrog/", }, { "type": "URL", - "value": 
"https://kc.mcafee.com/corporate/index?page=content&id=SB10356", + "value": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6T2TURBYYJGBMQTTN2DSOAIQGP7WCPGV/", }, { "type": "URL", - "value": "https://linux.oracle.com/cve/CVE-2021-3450.html", + "value": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UQXGOGWBIYWOIVXJVRKHZR34UMEHQBXS/", }, { "type": "URL", - "value": "https://linux.oracle.com/errata/ELSA-2021-9151.html", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2021-42384", }, { "type": "URL", - "value": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CCBFLLVQVILIVGZMBJL3IXZGKWQISYNP/", + "value": "https://security.netapp.com/advisory/ntap-20211223-0002/", }, { "type": "URL", - "value": "https://mta.openssl.org/pipermail/openssl-announce/2021-March/000198.html", + "value": "https://ubuntu.com/security/notices/USN-5179-1", }, { "type": "URL", - "value": "https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0013", + "value": "https://www.cve.org/CVERecord?id=CVE-2021-42384", }, + ], + "severity": "HIGH", + }, + { + "attributes": { + "fixedVersion": "1.31.1-r11", + "foundIn": "bkimminich/juice-shop:v10.2.0 (alpine 3.11.5)", + "installedVersion": "1.31.1-r9", + "packageName": "busybox", + "references": [ + "https://access.redhat.com/security/cve/CVE-2021-42385", + "https://claroty.com/team82/research/unboxing-busybox-14-vulnerabilities-uncovered-by-claroty-jfrog", + "https://jfrog.com/blog/unboxing-busybox-14-new-vulnerabilities-uncovered-by-claroty-and-jfrog/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6T2TURBYYJGBMQTTN2DSOAIQGP7WCPGV/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UQXGOGWBIYWOIVXJVRKHZR34UMEHQBXS/", + "https://nvd.nist.gov/vuln/detail/CVE-2021-42385", + 
"https://security.netapp.com/advisory/ntap-20211223-0002/", + "https://ubuntu.com/security/notices/USN-5179-1", + "https://www.cve.org/CVERecord?id=CVE-2021-42385", + ], + "vulnerabilityId": "CVE-2021-42385", + }, + "category": "Image Vulnerability", + "description": "A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the evaluate function", + "location": "bkimminich/juice-shop:v10.2.0", + "mitigation": "Update the affected package busybox to the fixed version: 1.31.1-r11 or remove the package from the image.", + "name": "busybox: use-after-free in awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the evaluate()", + "osi_layer": "NOT_APPLICABLE", + "references": [ { - "type": "URL", - "value": "https://security.FreeBSD.org/advisories/FreeBSD-SA-21:07.openssl.asc", + "type": "CVE", + "value": "CVE-2021-42385", }, { "type": "URL", - "value": "https://security.gentoo.org/glsa/202103-03", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2021-42385", }, { "type": "URL", - "value": "https://security.netapp.com/advisory/ntap-20210326-0006/", + "value": "https://access.redhat.com/security/cve/CVE-2021-42385", }, { "type": "URL", - "value": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-openssl-2021-GHY28dJd", + "value": "https://claroty.com/team82/research/unboxing-busybox-14-vulnerabilities-uncovered-by-claroty-jfrog", }, { "type": "URL", - "value": "https://www.openssl.org/news/secadv/20210325.txt", + "value": "https://jfrog.com/blog/unboxing-busybox-14-new-vulnerabilities-uncovered-by-claroty-and-jfrog/", }, { "type": "URL", - "value": "https://www.oracle.com//security-alerts/cpujul2021.html", + "value": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6T2TURBYYJGBMQTTN2DSOAIQGP7WCPGV/", }, { "type": "URL", - "value": 
"https://www.oracle.com/security-alerts/cpuApr2021.html", + "value": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UQXGOGWBIYWOIVXJVRKHZR34UMEHQBXS/", }, { "type": "URL", - "value": "https://www.oracle.com/security-alerts/cpuoct2021.html", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2021-42385", }, { "type": "URL", - "value": "https://www.tenable.com/security/tns-2021-05", + "value": "https://security.netapp.com/advisory/ntap-20211223-0002/", }, { "type": "URL", - "value": "https://www.tenable.com/security/tns-2021-08", + "value": "https://ubuntu.com/security/notices/USN-5179-1", }, { "type": "URL", - "value": "https://www.tenable.com/security/tns-2021-09", + "value": "https://www.cve.org/CVERecord?id=CVE-2021-42385", }, ], "severity": "HIGH", }, { "attributes": { - "fixedVersion": "1.1.1l-r0", + "fixedVersion": "1.31.1-r11", "foundIn": "bkimminich/juice-shop:v10.2.0 (alpine 3.11.5)", - "installedVersion": "1.1.1d-r3", - "packageName": "libcrypto1.1", + "installedVersion": "1.31.1-r9", + "packageName": "busybox", "references": [ - "http://www.openwall.com/lists/oss-security/2021/08/26/2", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3712", - "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=94d23fcff9b2a7a8368dfe52214d5c2569882c11", - "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=ccb0a11145ee72b042d10593a64eaf9e8a55ec12", - "https://kc.mcafee.com/corporate/index?page=content&id=SB10366", - "https://lists.apache.org/thread.html/r18995de860f0e63635f3008fd2a6aca82394249476d21691e7c59c9e@%3Cdev.tomcat.apache.org%3E", - "https://lists.apache.org/thread.html/rad5d9f83f0d11fb3f8bb148d179b8a9ad7c6a17f18d70e5805a713d1@%3Cdev.tomcat.apache.org%3E", - "https://lists.debian.org/debian-lts-announce/2021/09/msg00014.html", - "https://lists.debian.org/debian-lts-announce/2021/09/msg00021.html", - "https://security.netapp.com/advisory/ntap-20210827-0010/", - 
"https://ubuntu.com/security/notices/USN-5051-1", - "https://ubuntu.com/security/notices/USN-5051-2", - "https://ubuntu.com/security/notices/USN-5051-3", - "https://ubuntu.com/security/notices/USN-5051-4 (regression only in trusty/esm)", - "https://ubuntu.com/security/notices/USN-5088-1", - "https://www.debian.org/security/2021/dsa-4963", - "https://www.openssl.org/news/secadv/20210824.txt", - "https://www.oracle.com/security-alerts/cpuoct2021.html", - "https://www.tenable.com/security/tns-2021-16", + "https://access.redhat.com/security/cve/CVE-2021-42386", + "https://claroty.com/team82/research/unboxing-busybox-14-vulnerabilities-uncovered-by-claroty-jfrog", + "https://jfrog.com/blog/unboxing-busybox-14-new-vulnerabilities-uncovered-by-claroty-and-jfrog/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6T2TURBYYJGBMQTTN2DSOAIQGP7WCPGV/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UQXGOGWBIYWOIVXJVRKHZR34UMEHQBXS/", + "https://nvd.nist.gov/vuln/detail/CVE-2021-42386", + "https://security.netapp.com/advisory/ntap-20211223-0002/", + "https://ubuntu.com/security/notices/USN-5179-1", + "https://www.cve.org/CVERecord?id=CVE-2021-42386", ], - "vulnerabilityId": "CVE-2021-3712", + "vulnerabilityId": "CVE-2021-42386", }, "category": "Image Vulnerability", - "description": "ASN.1 strings are represented internally within OpenSSL as an ASN1_STRING structure which contains a buffer holding the string data and a field holding the buffer length. This contrasts with normal C strings which are repesented as a buffer for the string data which is terminated with a NUL (0) byte. Although not a strict requirement, ASN.1 strings that are parsed using OpenSSL's own "d2i" functions (and other similar parsing functions) as well as any string whose value has been set with the ASN1_STRING_set() function will additionally NUL terminate the byte array in the ASN1_STRING structure. 
However, it is possible for applications to directly construct valid ASN1_STRING structures which do not NUL terminate the byte array by directly setting the "data" and "length" fields in the ASN1_STRING array. This can also happen by using the ASN1_STRING_set0() function. Numerous OpenSSL functions that print ASN.1 data have been found to assume that the ASN1_STRING byte array will be NUL terminated, even though this is not guaranteed for strings that have been directly constructed. Where an application requests an ASN.1 structure to be printed, and where that ASN.1 structure contains ASN1_STRINGs that have been directly constructed by the application without NUL terminating the "data" field, then a read buffer overrun can occur. The same thing can also occur during name constraints processing of certificates (for example if a certificate has been directly constructed by the application instead of loading it via the OpenSSL parsing functions, and the certificate contains non NUL terminated ASN1_STRING structures). It can also occur in the X509_get1_email(), X509_REQ_get1_email() and X509_get1_ocsp() functions. If a malicious actor can cause an application to directly construct an ASN1_STRING and then process it through one of the affected OpenSSL functions then this issue could be hit. This might result in a crash (causing a Denial of Service attack). It could also result in the disclosure of private memory contents (such as private keys, or sensitive plaintext). Fixed in OpenSSL 1.1.1l (Affected 1.1.1-1.1.1k). 
Fixed in OpenSSL 1.0.2za (Affected 1.0.2-1.0.2y).", + "description": "A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the nvalloc function", "location": "bkimminich/juice-shop:v10.2.0", - "mitigation": "Update the affected package libcrypto1.1 to the fixed version: 1.1.1l-r0 or remove the package from the image.", - "name": "openssl: Read buffer overruns processing ASN.1 strings", + "mitigation": "Update the affected package busybox to the fixed version: 1.31.1-r11 or remove the package from the image.", + "name": "busybox: use-after-free in awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the nvalloc()", "osi_layer": "NOT_APPLICABLE", "references": [ { "type": "CVE", - "value": "CVE-2021-3712", + "value": "CVE-2021-42386", }, { "type": "URL", - "value": "https://nvd.nist.gov/vuln/detail/CVE-2021-3712", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2021-42386", }, { "type": "URL", - "value": "http://www.openwall.com/lists/oss-security/2021/08/26/2", + "value": "https://access.redhat.com/security/cve/CVE-2021-42386", }, { "type": "URL", - "value": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3712", + "value": "https://claroty.com/team82/research/unboxing-busybox-14-vulnerabilities-uncovered-by-claroty-jfrog", }, { "type": "URL", - "value": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=94d23fcff9b2a7a8368dfe52214d5c2569882c11", + "value": "https://jfrog.com/blog/unboxing-busybox-14-new-vulnerabilities-uncovered-by-claroty-and-jfrog/", }, { "type": "URL", - "value": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=ccb0a11145ee72b042d10593a64eaf9e8a55ec12", + "value": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6T2TURBYYJGBMQTTN2DSOAIQGP7WCPGV/", }, { "type": "URL", - "value": 
"https://kc.mcafee.com/corporate/index?page=content&id=SB10366", + "value": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UQXGOGWBIYWOIVXJVRKHZR34UMEHQBXS/", }, { "type": "URL", - "value": "https://lists.apache.org/thread.html/r18995de860f0e63635f3008fd2a6aca82394249476d21691e7c59c9e@%3Cdev.tomcat.apache.org%3E", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2021-42386", }, { "type": "URL", - "value": "https://lists.apache.org/thread.html/rad5d9f83f0d11fb3f8bb148d179b8a9ad7c6a17f18d70e5805a713d1@%3Cdev.tomcat.apache.org%3E", + "value": "https://security.netapp.com/advisory/ntap-20211223-0002/", }, { "type": "URL", - "value": "https://lists.debian.org/debian-lts-announce/2021/09/msg00014.html", + "value": "https://ubuntu.com/security/notices/USN-5179-1", }, { "type": "URL", - "value": "https://lists.debian.org/debian-lts-announce/2021/09/msg00021.html", + "value": "https://www.cve.org/CVERecord?id=CVE-2021-42386", + }, + ], + "severity": "HIGH", + }, + { + "attributes": { + "fixedVersion": "1.31.1-r11", + "foundIn": "bkimminich/juice-shop:v10.2.0 (alpine 3.11.5)", + "installedVersion": "1.31.1-r9", + "packageName": "busybox", + "references": [ + "https://access.redhat.com/security/cve/CVE-2021-42374", + "https://claroty.com/team82/research/unboxing-busybox-14-vulnerabilities-uncovered-by-claroty-jfrog", + "https://jfrog.com/blog/unboxing-busybox-14-new-vulnerabilities-uncovered-by-claroty-and-jfrog/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6T2TURBYYJGBMQTTN2DSOAIQGP7WCPGV/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UQXGOGWBIYWOIVXJVRKHZR34UMEHQBXS/", + "https://nvd.nist.gov/vuln/detail/CVE-2021-42374", + "https://security.netapp.com/advisory/ntap-20211223-0002/", + "https://ubuntu.com/security/notices/USN-5179-1", + "https://www.cve.org/CVERecord?id=CVE-2021-42374", + ], + "vulnerabilityId": 
"CVE-2021-42374", + }, + "category": "Image Vulnerability", + "description": "An out-of-bounds heap read in Busybox's unlzma applet leads to information leak and denial of service when crafted LZMA-compressed input is decompressed. This can be triggered by any applet/format that", + "location": "bkimminich/juice-shop:v10.2.0", + "mitigation": "Update the affected package busybox to the fixed version: 1.31.1-r11 or remove the package from the image.", + "name": "busybox: out-of-bounds read in unlzma applet leads to information leak and denial of service when crafted LZMA-compressed input is decompressed", + "osi_layer": "NOT_APPLICABLE", + "references": [ + { + "type": "CVE", + "value": "CVE-2021-42374", }, { "type": "URL", - "value": "https://security.netapp.com/advisory/ntap-20210827-0010/", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2021-42374", }, { "type": "URL", - "value": "https://ubuntu.com/security/notices/USN-5051-1", + "value": "https://access.redhat.com/security/cve/CVE-2021-42374", }, { "type": "URL", - "value": "https://ubuntu.com/security/notices/USN-5051-2", + "value": "https://claroty.com/team82/research/unboxing-busybox-14-vulnerabilities-uncovered-by-claroty-jfrog", }, { "type": "URL", - "value": "https://ubuntu.com/security/notices/USN-5051-3", + "value": "https://jfrog.com/blog/unboxing-busybox-14-new-vulnerabilities-uncovered-by-claroty-and-jfrog/", }, { "type": "URL", - "value": "https://ubuntu.com/security/notices/USN-5051-4 (regression only in trusty/esm)", + "value": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6T2TURBYYJGBMQTTN2DSOAIQGP7WCPGV/", }, { "type": "URL", - "value": "https://ubuntu.com/security/notices/USN-5088-1", + "value": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UQXGOGWBIYWOIVXJVRKHZR34UMEHQBXS/", }, { "type": "URL", - "value": "https://www.debian.org/security/2021/dsa-4963", + "value": 
"https://nvd.nist.gov/vuln/detail/CVE-2021-42374", }, { "type": "URL", - "value": "https://www.openssl.org/news/secadv/20210824.txt", + "value": "https://security.netapp.com/advisory/ntap-20211223-0002/", }, { "type": "URL", - "value": "https://www.oracle.com/security-alerts/cpuoct2021.html", + "value": "https://ubuntu.com/security/notices/USN-5179-1", }, { "type": "URL", - "value": "https://www.tenable.com/security/tns-2021-16", + "value": "https://www.cve.org/CVERecord?id=CVE-2021-42374", }, ], - "severity": "HIGH", + "severity": "MEDIUM", }, { "attributes": { - "fixedVersion": "1.1.1i-r0", + "fixedVersion": "1.1.1l-r0", "foundIn": "bkimminich/juice-shop:v10.2.0 (alpine 3.11.5)", "installedVersion": "1.1.1d-r3", "packageName": "libcrypto1.1", "references": [ - "http://www.openwall.com/lists/oss-security/2021/09/14/2", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1971", - "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=2154ab83e14ede338d2ede9bbe5cdfce5d5a6c9e", - "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=f960d81215ebf3f65e03d4d5d857fb9b666d6920", - "https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44676", - "https://linux.oracle.com/cve/CVE-2020-1971.html", - "https://linux.oracle.com/errata/ELSA-2021-9150.html", - "https://lists.apache.org/thread.html/r63c6f2dd363d9b514d0a4bcf624580616a679898cc14c109a49b750c@%3Cdev.tomcat.apache.org%3E", - "https://lists.apache.org/thread.html/rbb769f771711fb274e0a4acb1b5911c8aab544a6ac5e8c12d40c5143@%3Ccommits.pulsar.apache.org%3E", - "https://lists.debian.org/debian-lts-announce/2020/12/msg00020.html", - "https://lists.debian.org/debian-lts-announce/2020/12/msg00021.html", - "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DGSI34Y5LQ5RYXN4M2I5ZQT65LFVDOUU/", - "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PWPSSZNZOBJU2YR6Z4TGHXKYW3YP5QG7/", - 
"https://security.FreeBSD.org/advisories/FreeBSD-SA-20:33.openssl.asc", - "https://security.gentoo.org/glsa/202012-13", - "https://security.netapp.com/advisory/ntap-20201218-0005/", - "https://security.netapp.com/advisory/ntap-20210513-0002/", - "https://ubuntu.com/security/notices/USN-4662-1", - "https://ubuntu.com/security/notices/USN-4745-1", - "https://www.debian.org/security/2020/dsa-4807", - "https://www.openssl.org/news/secadv/20201208.txt", - "https://www.oracle.com//security-alerts/cpujul2021.html", - "https://www.oracle.com/security-alerts/cpuApr2021.html", - "https://www.oracle.com/security-alerts/cpujan2021.html", + "http://www.openwall.com/lists/oss-security/2021/08/26/2", + "https://access.redhat.com/security/cve/CVE-2021-3711", + "https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf", + "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=59f5e75f3bced8fc0e130d72a3f582cf7b480b46", + "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=59f5e75f3bced8fc0e130d72a3f582cf7b480b46", + "https://lists.apache.org/thread.html/r18995de860f0e63635f3008fd2a6aca82394249476d21691e7c59c9e%40%3Cdev.tomcat.apache.org%3E", + "https://lists.apache.org/thread.html/r18995de860f0e63635f3008fd2a6aca82394249476d21691e7c59c9e@%3Cdev.tomcat.apache.org%3E", + "https://lists.apache.org/thread.html/rad5d9f83f0d11fb3f8bb148d179b8a9ad7c6a17f18d70e5805a713d1%40%3Cdev.tomcat.apache.org%3E", + "https://lists.apache.org/thread.html/rad5d9f83f0d11fb3f8bb148d179b8a9ad7c6a17f18d70e5805a713d1@%3Cdev.tomcat.apache.org%3E", + "https://nvd.nist.gov/vuln/detail/CVE-2021-3711", + "https://rustsec.org/advisories/RUSTSEC-2021-0097.html", + "https://security.gentoo.org/glsa/202209-02", + "https://security.gentoo.org/glsa/202210-02", + "https://security.netapp.com/advisory/ntap-20210827-0010", + "https://security.netapp.com/advisory/ntap-20210827-0010/", + "https://security.netapp.com/advisory/ntap-20211022-0003", + 
"https://security.netapp.com/advisory/ntap-20211022-0003/", + "https://security.netapp.com/advisory/ntap-20240621-0006", + "https://security.netapp.com/advisory/ntap-20240621-0006/", + "https://ubuntu.com/security/notices/USN-5051-1", + "https://www.cve.org/CVERecord?id=CVE-2021-3711", + "https://www.debian.org/security/2021/dsa-4963", + "https://www.openssl.org/news/secadv/20210824.txt", + "https://www.oracle.com/security-alerts/cpuapr2022.html", + "https://www.oracle.com/security-alerts/cpujan2022.html", "https://www.oracle.com/security-alerts/cpuoct2021.html", - "https://www.tenable.com/security/tns-2020-11", - "https://www.tenable.com/security/tns-2021-09", - "https://www.tenable.com/security/tns-2021-10", + "https://www.tenable.com/security/tns-2021-16", + "https://www.tenable.com/security/tns-2022-02", ], - "vulnerabilityId": "CVE-2020-1971", + "vulnerabilityId": "CVE-2021-3711", }, "category": "Image Vulnerability", - "description": "The X.509 GeneralName type is a generic type for representing different types of names. One of those name types is known as EDIPartyName. OpenSSL provides a function GENERAL_NAME_cmp which compares different instances of a GENERAL_NAME to see if they are equal or not. This function behaves incorrectly when both GENERAL_NAMEs contain an EDIPARTYNAME. A NULL pointer dereference and a crash may occur leading to a possible denial of service attack. OpenSSL itself uses the GENERAL_NAME_cmp function for two purposes: 1) Comparing CRL distribution point names between an available CRL and a CRL distribution point embedded in an X509 certificate 2) When verifying that a timestamp response token signer matches the timestamp authority name (exposed via the API functions TS_RESP_verify_response and TS_RESP_verify_token) If an attacker can control both items being compared then that attacker could trigger a crash. 
For example if the attacker can trick a client or server into checking a malicious certificate against a malicious CRL then this may occur. Note that some applications automatically download CRLs based on a URL embedded in a certificate. This checking happens prior to the signatures on the certificate and CRL being verified. OpenSSL's s_server, s_client and verify tools have support for the "-crl_download" option which implements automatic CRL downloading and this attack has been demonstrated to work against those tools. Note that an unrelated bug means that affected versions of OpenSSL cannot parse or construct correct encodings of EDIPARTYNAME. However it is possible to construct a malformed EDIPARTYNAME that OpenSSL's parser will accept and hence trigger this attack. All OpenSSL 1.1.1 and 1.0.2 versions are affected by this issue. Other OpenSSL releases are out of support and have not been checked. Fixed in OpenSSL 1.1.1i (Affected 1.1.1-1.1.1h). Fixed in OpenSSL 1.0.2x (Affected 1.0.2-1.0.2w).", + "description": "In order to decrypt SM2 encrypted data an application is expected to call the API function EVP_PKEY_decrypt(). Typically an application will call this function twice. The first time, on entry, the "out" parameter can be NULL and, on exit, the "outlen" parameter is populated with the buffer size required to hold the decrypted plaintext. The application can then allocate a sufficiently sized buffer and call EVP_PKEY_decrypt() again, but this time passing a non-NULL value for the "out" parameter. A bug in the implementation of the SM2 decryption code means that the calculation of the buffer size required to hold the plaintext returned by the first call to EVP_PKEY_decrypt() can be smaller than the actual size required by the second call. This can lead to a buffer overflow when EVP_PKEY_decrypt() is called by the application a second time with a buffer that is too small. 
A malicious attacker who is able present SM2 content for decryption to an application could cause attacker chosen data to overflow the buffer by up to a maximum of 62 bytes altering the contents of other data held after the buffer, possibly changing application behaviour or causing the application to crash. The location of the buffer is application dependent but is typically heap allocated. Fixed in OpenSSL 1.1.1l (Affected 1.1.1-1.1.1k).", "location": "bkimminich/juice-shop:v10.2.0", - "mitigation": "Update the affected package libcrypto1.1 to the fixed version: 1.1.1i-r0 or remove the package from the image.", - "name": "openssl: EDIPARTYNAME NULL pointer de-reference", + "mitigation": "Update the affected package libcrypto1.1 to the fixed version: 1.1.1l-r0 or remove the package from the image.", + "name": "openssl: SM2 Decryption Buffer Overflow", "osi_layer": "NOT_APPLICABLE", "references": [ { "type": "CVE", - "value": "CVE-2020-1971", + "value": "CVE-2021-3711", }, { "type": "URL", - "value": "https://nvd.nist.gov/vuln/detail/CVE-2020-1971", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2021-3711", }, { "type": "URL", - "value": "http://www.openwall.com/lists/oss-security/2021/09/14/2", + "value": "http://www.openwall.com/lists/oss-security/2021/08/26/2", }, { "type": "URL", - "value": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1971", + "value": "https://access.redhat.com/security/cve/CVE-2021-3711", }, { "type": "URL", - "value": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=2154ab83e14ede338d2ede9bbe5cdfce5d5a6c9e", + "value": "https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf", }, { "type": "URL", - "value": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=f960d81215ebf3f65e03d4d5d857fb9b666d6920", + "value": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=59f5e75f3bced8fc0e130d72a3f582cf7b480b46", }, { "type": "URL", - "value": 
"https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44676", + "value": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=59f5e75f3bced8fc0e130d72a3f582cf7b480b46", }, { "type": "URL", - "value": "https://linux.oracle.com/cve/CVE-2020-1971.html", + "value": "https://lists.apache.org/thread.html/r18995de860f0e63635f3008fd2a6aca82394249476d21691e7c59c9e%40%3Cdev.tomcat.apache.org%3E", }, { "type": "URL", - "value": "https://linux.oracle.com/errata/ELSA-2021-9150.html", + "value": "https://lists.apache.org/thread.html/r18995de860f0e63635f3008fd2a6aca82394249476d21691e7c59c9e@%3Cdev.tomcat.apache.org%3E", }, { "type": "URL", - "value": "https://lists.apache.org/thread.html/r63c6f2dd363d9b514d0a4bcf624580616a679898cc14c109a49b750c@%3Cdev.tomcat.apache.org%3E", + "value": "https://lists.apache.org/thread.html/rad5d9f83f0d11fb3f8bb148d179b8a9ad7c6a17f18d70e5805a713d1%40%3Cdev.tomcat.apache.org%3E", }, { "type": "URL", - "value": "https://lists.apache.org/thread.html/rbb769f771711fb274e0a4acb1b5911c8aab544a6ac5e8c12d40c5143@%3Ccommits.pulsar.apache.org%3E", + "value": "https://lists.apache.org/thread.html/rad5d9f83f0d11fb3f8bb148d179b8a9ad7c6a17f18d70e5805a713d1@%3Cdev.tomcat.apache.org%3E", }, { "type": "URL", - "value": "https://lists.debian.org/debian-lts-announce/2020/12/msg00020.html", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2021-3711", }, { "type": "URL", - "value": "https://lists.debian.org/debian-lts-announce/2020/12/msg00021.html", + "value": "https://rustsec.org/advisories/RUSTSEC-2021-0097.html", }, { "type": "URL", - "value": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DGSI34Y5LQ5RYXN4M2I5ZQT65LFVDOUU/", + "value": "https://security.gentoo.org/glsa/202209-02", }, { "type": "URL", - "value": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PWPSSZNZOBJU2YR6Z4TGHXKYW3YP5QG7/", + "value": "https://security.gentoo.org/glsa/202210-02", 
}, { "type": "URL", - "value": "https://security.FreeBSD.org/advisories/FreeBSD-SA-20:33.openssl.asc", + "value": "https://security.netapp.com/advisory/ntap-20210827-0010", }, { "type": "URL", - "value": "https://security.gentoo.org/glsa/202012-13", + "value": "https://security.netapp.com/advisory/ntap-20210827-0010/", }, { "type": "URL", - "value": "https://security.netapp.com/advisory/ntap-20201218-0005/", + "value": "https://security.netapp.com/advisory/ntap-20211022-0003", }, { "type": "URL", - "value": "https://security.netapp.com/advisory/ntap-20210513-0002/", + "value": "https://security.netapp.com/advisory/ntap-20211022-0003/", }, { "type": "URL", - "value": "https://ubuntu.com/security/notices/USN-4662-1", + "value": "https://security.netapp.com/advisory/ntap-20240621-0006", }, { "type": "URL", - "value": "https://ubuntu.com/security/notices/USN-4745-1", + "value": "https://security.netapp.com/advisory/ntap-20240621-0006/", }, { "type": "URL", - "value": "https://www.debian.org/security/2020/dsa-4807", + "value": "https://ubuntu.com/security/notices/USN-5051-1", }, { "type": "URL", - "value": "https://www.openssl.org/news/secadv/20201208.txt", + "value": "https://www.cve.org/CVERecord?id=CVE-2021-3711", }, { "type": "URL", - "value": "https://www.oracle.com//security-alerts/cpujul2021.html", + "value": "https://www.debian.org/security/2021/dsa-4963", }, { "type": "URL", - "value": "https://www.oracle.com/security-alerts/cpuApr2021.html", + "value": "https://www.openssl.org/news/secadv/20210824.txt", }, { "type": "URL", - "value": "https://www.oracle.com/security-alerts/cpujan2021.html", + "value": "https://www.oracle.com/security-alerts/cpuapr2022.html", }, { "type": "URL", - "value": "https://www.oracle.com/security-alerts/cpuoct2021.html", + "value": "https://www.oracle.com/security-alerts/cpujan2022.html", }, { "type": "URL", - "value": "https://www.tenable.com/security/tns-2020-11", + "value": "https://www.oracle.com/security-alerts/cpuoct2021.html", 
}, { "type": "URL", - "value": "https://www.tenable.com/security/tns-2021-09", + "value": "https://www.tenable.com/security/tns-2021-16", }, { "type": "URL", - "value": "https://www.tenable.com/security/tns-2021-10", + "value": "https://www.tenable.com/security/tns-2022-02", }, ], - "severity": "MEDIUM", + "severity": "HIGH", }, { "attributes": { - "fixedVersion": "1.1.1j-r0", + "fixedVersion": "1.1.1g-r0", "foundIn": "bkimminich/juice-shop:v10.2.0 (alpine 3.11.5)", "installedVersion": "1.1.1d-r3", "packageName": "libcrypto1.1", "references": [ - "http://seclists.org/fulldisclosure/2021/May/67", - "http://seclists.org/fulldisclosure/2021/May/68", - "http://seclists.org/fulldisclosure/2021/May/70", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23841", - "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=122a19ab48091c657f7cb1fb3af9fc07bd557bbf", - "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=8252ee4d90f3f2004d3d0aeeed003ad49c9a7807", - "https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44846", - "https://linux.oracle.com/cve/CVE-2021-23841.html", - "https://linux.oracle.com/errata/ELSA-2021-9528.html", - "https://security.gentoo.org/glsa/202103-03", - "https://security.netapp.com/advisory/ntap-20210219-0009/", - "https://security.netapp.com/advisory/ntap-20210513-0002/", - "https://support.apple.com/kb/HT212528", - "https://support.apple.com/kb/HT212529", - "https://support.apple.com/kb/HT212534", - "https://ubuntu.com/security/notices/USN-4738-1", - "https://ubuntu.com/security/notices/USN-4745-1", - "https://www.debian.org/security/2021/dsa-4855", - "https://www.openssl.org/news/secadv/20210216.txt", + "http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00004.html", + "http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00011.html", + "http://packetstormsecurity.com/files/157527/OpenSSL-signature_algorithms_cert-Denial-Of-Service.html", + 
"http://seclists.org/fulldisclosure/2020/May/5", + "http://www.openwall.com/lists/oss-security/2020/04/22/2", + "https://access.redhat.com/security/cve/CVE-2020-1967", + "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=eb563247aef3e83dda7679c43f9649270462e5b1", + "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=eb563247aef3e83dda7679c43f9649270462e5b1", + "https://github.com/irsl/CVE-2020-1967", + "https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44440", + "https://lists.apache.org/thread.html/r66ea9c436da150683432db5fbc8beb8ae01886c6459ac30c2cea7345%40%3Cdev.tomcat.apache.org%3E", + "https://lists.apache.org/thread.html/r66ea9c436da150683432db5fbc8beb8ae01886c6459ac30c2cea7345@%3Cdev.tomcat.apache.org%3E", + "https://lists.apache.org/thread.html/r94d6ac3f010a38fccf4f432b12180a13fa1cf303559bd805648c9064%40%3Cdev.tomcat.apache.org%3E", + "https://lists.apache.org/thread.html/r94d6ac3f010a38fccf4f432b12180a13fa1cf303559bd805648c9064@%3Cdev.tomcat.apache.org%3E", + "https://lists.apache.org/thread.html/r9a41e304992ce6aec6585a87842b4f2e692604f5c892c37e3b0587ee%40%3Cdev.tomcat.apache.org%3E", + "https://lists.apache.org/thread.html/r9a41e304992ce6aec6585a87842b4f2e692604f5c892c37e3b0587ee@%3Cdev.tomcat.apache.org%3E", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DDHOAATPWJCXRNFMJ2SASDBBNU5RJONY/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EXDDAOWSAIEFQNBHWYE6PPYFV4QXGMCD/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XVEP3LAK4JSPRXFO4QF4GG2IVXADV3SO/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DDHOAATPWJCXRNFMJ2SASDBBNU5RJONY", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EXDDAOWSAIEFQNBHWYE6PPYFV4QXGMCD", + 
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XVEP3LAK4JSPRXFO4QF4GG2IVXADV3SO", + "https://nvd.nist.gov/vuln/detail/CVE-2020-1967", + "https://rustsec.org/advisories/RUSTSEC-2020-0015.html", + "https://security.FreeBSD.org/advisories/FreeBSD-SA-20:11.openssl.asc", + "https://security.gentoo.org/glsa/202004-10", + "https://security.netapp.com/advisory/ntap-20200424-0003", + "https://security.netapp.com/advisory/ntap-20200424-0003/", + "https://security.netapp.com/advisory/ntap-20200717-0004", + "https://security.netapp.com/advisory/ntap-20200717-0004/", + "https://www.cve.org/CVERecord?id=CVE-2020-1967", + "https://www.debian.org/security/2020/dsa-4661", + "https://www.openssl.org/news/secadv/20200421.txt", "https://www.oracle.com//security-alerts/cpujul2021.html", "https://www.oracle.com/security-alerts/cpuApr2021.html", + "https://www.oracle.com/security-alerts/cpujan2021.html", + "https://www.oracle.com/security-alerts/cpujul2020.html", + "https://www.oracle.com/security-alerts/cpuoct2020.html", "https://www.oracle.com/security-alerts/cpuoct2021.html", - "https://www.tenable.com/security/tns-2021-03", - "https://www.tenable.com/security/tns-2021-09", - ], - "vulnerabilityId": "CVE-2021-23841", - }, - "category": "Image Vulnerability", - "description": "The OpenSSL public API function X509_issuer_and_serial_hash() attempts to create a unique hash value based on the issuer and serial number data contained within an X509 certificate. However it fails to correctly handle any errors that may occur while parsing the issuer field (which might occur if the issuer field is maliciously constructed). This may subsequently result in a NULL pointer deref and a crash leading to a potential denial of service attack. 
The function X509_issuer_and_serial_hash() is never directly called by OpenSSL itself so applications are only vulnerable if they use this function directly and they use it on certificates that may have been obtained from untrusted sources. OpenSSL versions 1.1.1i and below are affected by this issue. Users of these versions should upgrade to OpenSSL 1.1.1j. OpenSSL versions 1.0.2x and below are affected by this issue. However OpenSSL 1.0.2 is out of support and no longer receiving public updates. Premium support customers of OpenSSL 1.0.2 should upgrade to 1.0.2y. Other users should upgrade to 1.1.1j. Fixed in OpenSSL 1.1.1j (Affected 1.1.1-1.1.1i). Fixed in OpenSSL 1.0.2y (Affected 1.0.2-1.0.2x).", + "https://www.synology.com/security/advisory/Synology_SA_20_05", + "https://www.synology.com/security/advisory/Synology_SA_20_05_OpenSSL", + "https://www.tenable.com/security/tns-2020-03", + "https://www.tenable.com/security/tns-2020-04", + "https://www.tenable.com/security/tns-2020-11", + "https://www.tenable.com/security/tns-2021-10", + ], + "vulnerabilityId": "CVE-2020-1967", + }, + "category": "Image Vulnerability", + "description": "Server or client applications that call the SSL_check_chain() function during or after a TLS 1.3 handshake may crash due to a NULL pointer dereference as a result of incorrect handling of the "signature_algorithms_cert" TLS extension. The crash occurs if an invalid or unrecognised signature algorithm is received from the peer. This could be exploited by a malicious peer in a Denial of Service attack. OpenSSL version 1.1.1d, 1.1.1e, and 1.1.1f are affected by this issue. This issue did not affect OpenSSL versions prior to 1.1.1d. 
Fixed in OpenSSL 1.1.1g (Affected 1.1.1d-1.1.1f).", "location": "bkimminich/juice-shop:v10.2.0", - "mitigation": "Update the affected package libcrypto1.1 to the fixed version: 1.1.1j-r0 or remove the package from the image.", - "name": "openssl: NULL pointer dereference in X509_issuer_and_serial_hash()", + "mitigation": "Update the affected package libcrypto1.1 to the fixed version: 1.1.1g-r0 or remove the package from the image.", + "name": "openssl: Segmentation fault in SSL_check_chain causes denial of service", "osi_layer": "NOT_APPLICABLE", "references": [ { "type": "CVE", - "value": "CVE-2021-23841", + "value": "CVE-2020-1967", }, { "type": "URL", - "value": "https://nvd.nist.gov/vuln/detail/CVE-2021-23841", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2020-1967", }, { "type": "URL", - "value": "http://seclists.org/fulldisclosure/2021/May/67", + "value": "http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00004.html", }, { "type": "URL", - "value": "http://seclists.org/fulldisclosure/2021/May/68", + "value": "http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00011.html", }, { "type": "URL", - "value": "http://seclists.org/fulldisclosure/2021/May/70", + "value": "http://packetstormsecurity.com/files/157527/OpenSSL-signature_algorithms_cert-Denial-Of-Service.html", }, { "type": "URL", - "value": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23841", + "value": "http://seclists.org/fulldisclosure/2020/May/5", }, { "type": "URL", - "value": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=122a19ab48091c657f7cb1fb3af9fc07bd557bbf", + "value": "http://www.openwall.com/lists/oss-security/2020/04/22/2", }, { "type": "URL", - "value": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=8252ee4d90f3f2004d3d0aeeed003ad49c9a7807", + "value": "https://access.redhat.com/security/cve/CVE-2020-1967", }, { "type": "URL", - "value": "https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44846", + 
"value": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=eb563247aef3e83dda7679c43f9649270462e5b1", }, { "type": "URL", - "value": "https://linux.oracle.com/cve/CVE-2021-23841.html", + "value": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=eb563247aef3e83dda7679c43f9649270462e5b1", }, { "type": "URL", - "value": "https://linux.oracle.com/errata/ELSA-2021-9528.html", + "value": "https://github.com/irsl/CVE-2020-1967", }, { "type": "URL", - "value": "https://security.gentoo.org/glsa/202103-03", + "value": "https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44440", }, { "type": "URL", - "value": "https://security.netapp.com/advisory/ntap-20210219-0009/", + "value": "https://lists.apache.org/thread.html/r66ea9c436da150683432db5fbc8beb8ae01886c6459ac30c2cea7345%40%3Cdev.tomcat.apache.org%3E", }, { "type": "URL", - "value": "https://security.netapp.com/advisory/ntap-20210513-0002/", + "value": "https://lists.apache.org/thread.html/r66ea9c436da150683432db5fbc8beb8ae01886c6459ac30c2cea7345@%3Cdev.tomcat.apache.org%3E", }, { "type": "URL", - "value": "https://support.apple.com/kb/HT212528", + "value": "https://lists.apache.org/thread.html/r94d6ac3f010a38fccf4f432b12180a13fa1cf303559bd805648c9064%40%3Cdev.tomcat.apache.org%3E", }, { "type": "URL", - "value": "https://support.apple.com/kb/HT212529", + "value": "https://lists.apache.org/thread.html/r94d6ac3f010a38fccf4f432b12180a13fa1cf303559bd805648c9064@%3Cdev.tomcat.apache.org%3E", }, { "type": "URL", - "value": "https://support.apple.com/kb/HT212534", + "value": "https://lists.apache.org/thread.html/r9a41e304992ce6aec6585a87842b4f2e692604f5c892c37e3b0587ee%40%3Cdev.tomcat.apache.org%3E", }, { "type": "URL", - "value": "https://ubuntu.com/security/notices/USN-4738-1", + "value": "https://lists.apache.org/thread.html/r9a41e304992ce6aec6585a87842b4f2e692604f5c892c37e3b0587ee@%3Cdev.tomcat.apache.org%3E", }, { "type": "URL", - "value": 
"https://ubuntu.com/security/notices/USN-4745-1", + "value": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DDHOAATPWJCXRNFMJ2SASDBBNU5RJONY/", }, { "type": "URL", - "value": "https://www.debian.org/security/2021/dsa-4855", + "value": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EXDDAOWSAIEFQNBHWYE6PPYFV4QXGMCD/", }, { "type": "URL", - "value": "https://www.openssl.org/news/secadv/20210216.txt", + "value": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XVEP3LAK4JSPRXFO4QF4GG2IVXADV3SO/", + }, + { + "type": "URL", + "value": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DDHOAATPWJCXRNFMJ2SASDBBNU5RJONY", + }, + { + "type": "URL", + "value": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EXDDAOWSAIEFQNBHWYE6PPYFV4QXGMCD", + }, + { + "type": "URL", + "value": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XVEP3LAK4JSPRXFO4QF4GG2IVXADV3SO", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2020-1967", + }, + { + "type": "URL", + "value": "https://rustsec.org/advisories/RUSTSEC-2020-0015.html", + }, + { + "type": "URL", + "value": "https://security.FreeBSD.org/advisories/FreeBSD-SA-20:11.openssl.asc", + }, + { + "type": "URL", + "value": "https://security.gentoo.org/glsa/202004-10", + }, + { + "type": "URL", + "value": "https://security.netapp.com/advisory/ntap-20200424-0003", + }, + { + "type": "URL", + "value": "https://security.netapp.com/advisory/ntap-20200424-0003/", + }, + { + "type": "URL", + "value": "https://security.netapp.com/advisory/ntap-20200717-0004", + }, + { + "type": "URL", + "value": "https://security.netapp.com/advisory/ntap-20200717-0004/", + }, + { + "type": "URL", + "value": "https://www.cve.org/CVERecord?id=CVE-2020-1967", + 
}, + { + "type": "URL", + "value": "https://www.debian.org/security/2020/dsa-4661", + }, + { + "type": "URL", + "value": "https://www.openssl.org/news/secadv/20200421.txt", }, { "type": "URL", 
@@ -1147,135 +1304,176 @@ exports[`parses bkimminich/juice-shop:v10.2.0 result file into findings 1`] = ` "type": "URL", "value": "https://www.oracle.com/security-alerts/cpuApr2021.html", }, + { + "type": "URL", + "value": "https://www.oracle.com/security-alerts/cpujan2021.html", + }, + { + "type": "URL", + "value": "https://www.oracle.com/security-alerts/cpujul2020.html", + }, + { + "type": "URL", + "value": "https://www.oracle.com/security-alerts/cpuoct2020.html", + }, { "type": "URL", "value": "https://www.oracle.com/security-alerts/cpuoct2021.html", }, { "type": "URL", - "value": "https://www.tenable.com/security/tns-2021-03", + "value": "https://www.synology.com/security/advisory/Synology_SA_20_05", }, { "type": "URL", - "value": "https://www.tenable.com/security/tns-2021-09", + "value": "https://www.synology.com/security/advisory/Synology_SA_20_05_OpenSSL", + }, + { + "type": "URL", + "value": "https://www.tenable.com/security/tns-2020-03", + }, + { + "type": "URL", + "value": "https://www.tenable.com/security/tns-2020-04", + }, + { + "type": "URL", + "value": "https://www.tenable.com/security/tns-2020-11", + }, + { + "type": "URL", + "value": "https://www.tenable.com/security/tns-2021-10", }, ], - "severity": "MEDIUM", + "severity": "HIGH", }, { "attributes": { - "fixedVersion": "1.1.1k-r0", + "fixedVersion": "1.1.1j-r0", "foundIn": "bkimminich/juice-shop:v10.2.0 (alpine 3.11.5)", "installedVersion": "1.1.1d-r3", "packageName": "libcrypto1.1", "references": [ - "http://www.openwall.com/lists/oss-security/2021/03/27/1", - "http://www.openwall.com/lists/oss-security/2021/03/27/2", - "http://www.openwall.com/lists/oss-security/2021/03/28/3", - "http://www.openwall.com/lists/oss-security/2021/03/28/4", - "https://cert-portal.siemens.com/productcert/pdf/ssa-772220.pdf", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3449", - "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=fb9fa6b51defd48157eeb207f52181f735d96148", - 
"https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44845", - "https://kc.mcafee.com/corporate/index?page=content&id=SB10356", - "https://linux.oracle.com/cve/CVE-2021-3449.html", - "https://linux.oracle.com/errata/ELSA-2021-9151.html", - "https://lists.debian.org/debian-lts-announce/2021/08/msg00029.html", - "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CCBFLLVQVILIVGZMBJL3IXZGKWQISYNP/", - "https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0013", - "https://security.FreeBSD.org/advisories/FreeBSD-SA-21:07.openssl.asc", + "https://access.redhat.com/security/cve/CVE-2021-23840", + "https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf", + "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=6a51b9e1d0cf0bf8515f7201b68fb0a3482b3dc1", + "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=9b1129239f3ebb1d1c98ce9ed41d5c9476c47cb2", + "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=6a51b9e1d0cf0bf8515f7201b68fb0a3482b3dc1", + "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=9b1129239f3ebb1d1c98ce9ed41d5c9476c47cb2", + "https://github.com/alexcrichton/openssl-src-rs", + "https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44846", + "https://kc.mcafee.com/corporate/index?page=content&id=SB10366", + "https://linux.oracle.com/cve/CVE-2021-23840.html", + "https://linux.oracle.com/errata/ELSA-2021-9561.html", + "https://lists.apache.org/thread.html/r58af02e294bd07f487e2c64ffc0a29b837db5600e33b6e698b9d696b%40%3Cissues.bookkeeper.apache.org%3E", + "https://lists.apache.org/thread.html/r58af02e294bd07f487e2c64ffc0a29b837db5600e33b6e698b9d696b@%3Cissues.bookkeeper.apache.org%3E", + "https://lists.apache.org/thread.html/rf4c02775860db415b4955778a131c2795223f61cb8c6a450893651e4%40%3Cissues.bookkeeper.apache.org%3E", + 
"https://lists.apache.org/thread.html/rf4c02775860db415b4955778a131c2795223f61cb8c6a450893651e4@%3Cissues.bookkeeper.apache.org%3E", + "https://nvd.nist.gov/vuln/detail/CVE-2021-23840", + "https://rustsec.org/advisories/RUSTSEC-2021-0057.html", "https://security.gentoo.org/glsa/202103-03", - "https://security.netapp.com/advisory/ntap-20210326-0006/", - "https://security.netapp.com/advisory/ntap-20210513-0002/", - "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-openssl-2021-GHY28dJd", - "https://ubuntu.com/security/notices/USN-4891-1", - "https://ubuntu.com/security/notices/USN-5038-1", - "https://www.debian.org/security/2021/dsa-4875", - "https://www.openssl.org/news/secadv/20210325.txt", + "https://security.netapp.com/advisory/ntap-20210219-0009", + "https://security.netapp.com/advisory/ntap-20210219-0009/", + "https://security.netapp.com/advisory/ntap-20240621-0006/", + "https://ubuntu.com/security/notices/USN-4738-1", + "https://ubuntu.com/security/notices/USN-5088-1", + "https://ubuntu.com/security/notices/USN-7018-1", + "https://www.cve.org/CVERecord?id=CVE-2021-23840", + "https://www.debian.org/security/2021/dsa-4855", + "https://www.openssl.org/news/secadv/20210216.txt", "https://www.oracle.com//security-alerts/cpujul2021.html", "https://www.oracle.com/security-alerts/cpuApr2021.html", + "https://www.oracle.com/security-alerts/cpuapr2022.html", + "https://www.oracle.com/security-alerts/cpujan2022.html", "https://www.oracle.com/security-alerts/cpuoct2021.html", - "https://www.tenable.com/security/tns-2021-05", - "https://www.tenable.com/security/tns-2021-06", + "https://www.tenable.com/security/tns-2021-03", "https://www.tenable.com/security/tns-2021-09", "https://www.tenable.com/security/tns-2021-10", ], - "vulnerabilityId": "CVE-2021-3449", + "vulnerabilityId": "CVE-2021-23840", }, "category": "Image Vulnerability", - "description": "An OpenSSL TLS server may crash if sent a maliciously crafted renegotiation ClientHello 
message from a client. If a TLSv1.2 renegotiation ClientHello omits the signature_algorithms extension (where it was present in the initial ClientHello), but includes a signature_algorithms_cert extension then a NULL pointer dereference will result, leading to a crash and a denial of service attack. A server is only vulnerable if it has TLSv1.2 and renegotiation enabled (which is the default configuration). OpenSSL TLS clients are not impacted by this issue. All OpenSSL 1.1.1 versions are affected by this issue. Users of these versions should upgrade to OpenSSL 1.1.1k. OpenSSL 1.0.2 is not impacted by this issue. Fixed in OpenSSL 1.1.1k (Affected 1.1.1-1.1.1j).", + "description": "Calls to EVP_CipherUpdate, EVP_EncryptUpdate and EVP_DecryptUpdate may overflow the output length argument in some cases where the input length is close to the maximum permissable length for an integer on the platform. In such cases the return value from the function call will be 1 (indicating success), but the output length value will be negative. This could cause applications to behave incorrectly or crash. OpenSSL versions 1.1.1i and below are affected by this issue. Users of these versions should upgrade to OpenSSL 1.1.1j. OpenSSL versions 1.0.2x and below are affected by this issue. However OpenSSL 1.0.2 is out of support and no longer receiving public updates. Premium support customers of OpenSSL 1.0.2 should upgrade to 1.0.2y. Other users should upgrade to 1.1.1j. Fixed in OpenSSL 1.1.1j (Affected 1.1.1-1.1.1i). 
Fixed in OpenSSL 1.0.2y (Affected 1.0.2-1.0.2x).", "location": "bkimminich/juice-shop:v10.2.0", - "mitigation": "Update the affected package libcrypto1.1 to the fixed version: 1.1.1k-r0 or remove the package from the image.", - "name": "openssl: NULL pointer dereference in signature_algorithms processing", + "mitigation": "Update the affected package libcrypto1.1 to the fixed version: 1.1.1j-r0 or remove the package from the image.", + "name": "openssl: integer overflow in CipherUpdate", "osi_layer": "NOT_APPLICABLE", "references": [ { "type": "CVE", - "value": "CVE-2021-3449", + "value": "CVE-2021-23840", }, { "type": "URL", - "value": "https://nvd.nist.gov/vuln/detail/CVE-2021-3449", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2021-23840", }, { "type": "URL", - "value": "http://www.openwall.com/lists/oss-security/2021/03/27/1", + "value": "https://access.redhat.com/security/cve/CVE-2021-23840", }, { "type": "URL", - "value": "http://www.openwall.com/lists/oss-security/2021/03/27/2", + "value": "https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf", }, { "type": "URL", - "value": "http://www.openwall.com/lists/oss-security/2021/03/28/3", + "value": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=6a51b9e1d0cf0bf8515f7201b68fb0a3482b3dc1", }, { "type": "URL", - "value": "http://www.openwall.com/lists/oss-security/2021/03/28/4", + "value": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=9b1129239f3ebb1d1c98ce9ed41d5c9476c47cb2", }, { "type": "URL", - "value": "https://cert-portal.siemens.com/productcert/pdf/ssa-772220.pdf", + "value": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=6a51b9e1d0cf0bf8515f7201b68fb0a3482b3dc1", }, { "type": "URL", - "value": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3449", + "value": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=9b1129239f3ebb1d1c98ce9ed41d5c9476c47cb2", }, { "type": "URL", - "value": 
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=fb9fa6b51defd48157eeb207f52181f735d96148", + "value": "https://github.com/alexcrichton/openssl-src-rs", }, { "type": "URL", - "value": "https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44845", + "value": "https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44846", }, { "type": "URL", - "value": "https://kc.mcafee.com/corporate/index?page=content&id=SB10356", + "value": "https://kc.mcafee.com/corporate/index?page=content&id=SB10366", }, { "type": "URL", - "value": "https://linux.oracle.com/cve/CVE-2021-3449.html", + "value": "https://linux.oracle.com/cve/CVE-2021-23840.html", }, { "type": "URL", - "value": "https://linux.oracle.com/errata/ELSA-2021-9151.html", + "value": "https://linux.oracle.com/errata/ELSA-2021-9561.html", }, { "type": "URL", - "value": "https://lists.debian.org/debian-lts-announce/2021/08/msg00029.html", + "value": "https://lists.apache.org/thread.html/r58af02e294bd07f487e2c64ffc0a29b837db5600e33b6e698b9d696b%40%3Cissues.bookkeeper.apache.org%3E", }, { "type": "URL", - "value": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CCBFLLVQVILIVGZMBJL3IXZGKWQISYNP/", + "value": "https://lists.apache.org/thread.html/r58af02e294bd07f487e2c64ffc0a29b837db5600e33b6e698b9d696b@%3Cissues.bookkeeper.apache.org%3E", }, { "type": "URL", - "value": "https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0013", + "value": "https://lists.apache.org/thread.html/rf4c02775860db415b4955778a131c2795223f61cb8c6a450893651e4%40%3Cissues.bookkeeper.apache.org%3E", }, { "type": "URL", - "value": "https://security.FreeBSD.org/advisories/FreeBSD-SA-21:07.openssl.asc", + "value": "https://lists.apache.org/thread.html/rf4c02775860db415b4955778a131c2795223f61cb8c6a450893651e4@%3Cissues.bookkeeper.apache.org%3E", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2021-23840", + }, + { + "type": "URL", + "value": 
"https://rustsec.org/advisories/RUSTSEC-2021-0057.html", }, { "type": "URL", @@ -1283,31 +1481,39 @@ exports[`parses bkimminich/juice-shop:v10.2.0 result file into findings 1`] = ` }, { "type": "URL", - "value": "https://security.netapp.com/advisory/ntap-20210326-0006/", + "value": "https://security.netapp.com/advisory/ntap-20210219-0009", }, { "type": "URL", - "value": "https://security.netapp.com/advisory/ntap-20210513-0002/", + "value": "https://security.netapp.com/advisory/ntap-20210219-0009/", }, { "type": "URL", - "value": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-openssl-2021-GHY28dJd", + "value": "https://security.netapp.com/advisory/ntap-20240621-0006/", }, { "type": "URL", - "value": "https://ubuntu.com/security/notices/USN-4891-1", + "value": "https://ubuntu.com/security/notices/USN-4738-1", }, { "type": "URL", - "value": "https://ubuntu.com/security/notices/USN-5038-1", + "value": "https://ubuntu.com/security/notices/USN-5088-1", }, { "type": "URL", - "value": "https://www.debian.org/security/2021/dsa-4875", + "value": "https://ubuntu.com/security/notices/USN-7018-1", }, { "type": "URL", - "value": "https://www.openssl.org/news/secadv/20210325.txt", + "value": "https://www.cve.org/CVERecord?id=CVE-2021-23840", + }, + { + "type": "URL", + "value": "https://www.debian.org/security/2021/dsa-4855", + }, + { + "type": "URL", + "value": "https://www.openssl.org/news/secadv/20210216.txt", }, { "type": "URL", 
@@ -1319,15 +1525,19 @@ exports[`parses bkimminich/juice-shop:v10.2.0 result file into findings 1`] = ` }, { "type": "URL", - "value": "https://www.oracle.com/security-alerts/cpuoct2021.html", + "value": "https://www.oracle.com/security-alerts/cpuapr2022.html", }, { "type": "URL", - "value": "https://www.tenable.com/security/tns-2021-05", + "value": "https://www.oracle.com/security-alerts/cpujan2022.html", }, { "type": "URL", - "value": "https://www.tenable.com/security/tns-2021-06", + "value": "https://www.oracle.com/security-alerts/cpuoct2021.html", + }, + { + "type": "URL", + "value": "https://www.tenable.com/security/tns-2021-03", }, { "type": "URL", 
@@ -1338,7559 +1548,44306 @@ exports[`parses bkimminich/juice-shop:v10.2.0 result file into findings 1`] = ` "value": "https://www.tenable.com/security/tns-2021-10", }, ], - "severity": "MEDIUM", + "severity": "HIGH", }, { "attributes": { - "fixedVersion": "1.1.1j-r0", + "fixedVersion": "1.1.1k-r0", "foundIn": "bkimminich/juice-shop:v10.2.0 (alpine 3.11.5)", "installedVersion": "1.1.1d-r3", "packageName": "libcrypto1.1", "references": [ - "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=30919ab80a478f2d81f2e9acdcca3fa4740cd547", - "https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44846", - "https://security.netapp.com/advisory/ntap-20210219-0009/", - "https://www.openssl.org/news/secadv/20210216.txt", + "http://www.openwall.com/lists/oss-security/2021/03/27/1", + "http://www.openwall.com/lists/oss-security/2021/03/27/2", + "http://www.openwall.com/lists/oss-security/2021/03/28/3", + "http://www.openwall.com/lists/oss-security/2021/03/28/4", + "https://access.redhat.com/security/cve/CVE-2021-3450", + "https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf", + "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=2a40b7bc7b94dd7de897a74571e7024f0cf0d63b", + "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=2a40b7bc7b94dd7de897a74571e7024f0cf0d63b", + "https://github.com/alexcrichton/openssl-src-rs", + "https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44845", + "https://kc.mcafee.com/corporate/index?page=content&id=SB10356", + "https://linux.oracle.com/cve/CVE-2021-3450.html", + "https://linux.oracle.com/errata/ELSA-2021-9151.html", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CCBFLLVQVILIVGZMBJL3IXZGKWQISYNP/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CCBFLLVQVILIVGZMBJL3IXZGKWQISYNP", + "https://mta.openssl.org/pipermail/openssl-announce/2021-March/000198.html", + 
"https://nvd.nist.gov/vuln/detail/CVE-2021-3450", + "https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0013", + "https://rustsec.org/advisories/RUSTSEC-2021-0056.html", + "https://security.FreeBSD.org/advisories/FreeBSD-SA-21:07.openssl.asc", + "https://security.gentoo.org/glsa/202103-03", + "https://security.netapp.com/advisory/ntap-20210326-0006", + "https://security.netapp.com/advisory/ntap-20210326-0006/", + "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-openssl-2021-GHY28dJd", + "https://www.cve.org/CVERecord?id=CVE-2021-3450", + "https://www.openssl.org/news/secadv/20210325.txt", "https://www.oracle.com//security-alerts/cpujul2021.html", "https://www.oracle.com/security-alerts/cpuApr2021.html", + "https://www.oracle.com/security-alerts/cpuapr2022.html", + "https://www.oracle.com/security-alerts/cpujul2022.html", "https://www.oracle.com/security-alerts/cpuoct2021.html", + "https://www.tenable.com/security/tns-2021-05", + "https://www.tenable.com/security/tns-2021-08", + "https://www.tenable.com/security/tns-2021-09", ], - "vulnerabilityId": "CVE-2021-23839", + "vulnerabilityId": "CVE-2021-3450", }, "category": "Image Vulnerability", - "description": "OpenSSL 1.0.2 supports SSLv2. If a client attempts to negotiate SSLv2 with a server that is configured to support both SSLv2 and more recent SSL and TLS versions then a check is made for a version rollback attack when unpadding an RSA signature. Clients that support SSL or TLS versions greater than SSLv2 are supposed to use a special form of padding. A server that supports greater than SSLv2 is supposed to reject connection attempts from a client where this special form of padding is present, because this indicates that a version rollback has occurred (i.e. both client and server support greater than SSLv2, and yet this is the version that is being requested). 
The implementation of this padding check inverted the logic so that the connection attempt is accepted if the padding is present, and rejected if it is absent. This means that such as server will accept a connection if a version rollback attack has occurred. Further the server will erroneously reject a connection if a normal SSLv2 connection attempt is made. Only OpenSSL 1.0.2 servers from version 1.0.2s to 1.0.2x are affected by this issue. In order to be vulnerable a 1.0.2 server must: 1) have configured SSLv2 support at compile time (this is off by default), 2) have configured SSLv2 support at runtime (this is off by default), 3) have configured SSLv2 ciphersuites (these are not in the default ciphersuite list) OpenSSL 1.1.1 does not have SSLv2 support and therefore is not vulnerable to this issue. The underlying error is in the implementation of the RSA_padding_check_SSLv23() function. This also affects the RSA_SSLV23_PADDING padding mode used by various other functions. Although 1.1.1 does not support SSLv2 the RSA_padding_check_SSLv23() function still exists, as does the RSA_SSLV23_PADDING padding mode. Applications that directly call that function or use that padding mode will encounter this issue. However since there is no support for the SSLv2 protocol in 1.1.1 this is considered a bug and not a security issue in that version. OpenSSL 1.0.2 is out of support and no longer receiving public updates. Premium support customers of OpenSSL 1.0.2 should upgrade to 1.0.2y. Other users should upgrade to 1.1.1j. Fixed in OpenSSL 1.0.2y (Affected 1.0.2s-1.0.2x).", + "description": "The X509_V_FLAG_X509_STRICT flag enables additional security checks of the certificates present in a certificate chain. It is not set by default. Starting from OpenSSL version 1.1.1h a check to disallow certificates in the chain that have explicitly encoded elliptic curve parameters was added as an additional strict check. 
An error in the implementation of this check meant that the result of a previous check to confirm that certificates in the chain are valid CA certificates was overwritten. This effectively bypasses the check that non-CA certificates must not be able to issue other certificates. If a "purpose" has been configured then there is a subsequent opportunity for checks that the certificate is a valid CA. All of the named "purpose" values implemented in libcrypto perform this check. Therefore, where a purpose is set the certificate chain will still be rejected even when the strict flag has been used. A purpose is set by default in libssl client and server certificate verification routines, but it can be overridden or removed by an application. In order to be affected, an application must explicitly set the X509_V_FLAG_X509_STRICT verification flag and either not set a purpose for the certificate verification or, in the case of TLS client or server applications, override the default purpose. OpenSSL versions 1.1.1h and newer are affected by this issue. Users of these versions should upgrade to OpenSSL 1.1.1k. OpenSSL 1.0.2 is not impacted by this issue. 
Fixed in OpenSSL 1.1.1k (Affected 1.1.1h-1.1.1j).", "location": "bkimminich/juice-shop:v10.2.0", - "mitigation": "Update the affected package libcrypto1.1 to the fixed version: 1.1.1j-r0 or remove the package from the image.", - "name": "openssl: incorrect SSLv2 rollback protection", + "mitigation": "Update the affected package libcrypto1.1 to the fixed version: 1.1.1k-r0 or remove the package from the image.", + "name": "openssl: CA certificate check bypass with X509_V_FLAG_X509_STRICT", "osi_layer": "NOT_APPLICABLE", "references": [ { "type": "CVE", - "value": "CVE-2021-23839", + "value": "CVE-2021-3450", }, { "type": "URL", - "value": "https://nvd.nist.gov/vuln/detail/CVE-2021-23839", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2021-3450", }, { "type": "URL", - "value": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=30919ab80a478f2d81f2e9acdcca3fa4740cd547", + "value": "http://www.openwall.com/lists/oss-security/2021/03/27/1", }, { "type": "URL", - "value": "https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44846", + "value": "http://www.openwall.com/lists/oss-security/2021/03/27/2", }, { "type": "URL", - "value": "https://security.netapp.com/advisory/ntap-20210219-0009/", + "value": "http://www.openwall.com/lists/oss-security/2021/03/28/3", + }, + { + "type": "URL", + "value": "http://www.openwall.com/lists/oss-security/2021/03/28/4", + }, + { + "type": "URL", + "value": "https://access.redhat.com/security/cve/CVE-2021-3450", + }, + { + "type": "URL", + "value": "https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf", + }, + { + "type": "URL", + "value": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=2a40b7bc7b94dd7de897a74571e7024f0cf0d63b", + }, + { + "type": "URL", + "value": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=2a40b7bc7b94dd7de897a74571e7024f0cf0d63b", + }, + { + "type": "URL", + "value": "https://github.com/alexcrichton/openssl-src-rs", + }, + { + "type": "URL", + 
"value": "https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44845", + }, + { + "type": "URL", + "value": "https://kc.mcafee.com/corporate/index?page=content&id=SB10356", + }, + { + "type": "URL", + "value": "https://linux.oracle.com/cve/CVE-2021-3450.html", + }, + { + "type": "URL", + "value": "https://linux.oracle.com/errata/ELSA-2021-9151.html", + }, + { + "type": "URL", + "value": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CCBFLLVQVILIVGZMBJL3IXZGKWQISYNP/", + }, + { + "type": "URL", + "value": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CCBFLLVQVILIVGZMBJL3IXZGKWQISYNP", + }, + { + "type": "URL", + "value": "https://mta.openssl.org/pipermail/openssl-announce/2021-March/000198.html", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2021-3450", + }, + { + "type": "URL", + "value": "https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0013", + }, + { + "type": "URL", + "value": "https://rustsec.org/advisories/RUSTSEC-2021-0056.html", + }, + { + "type": "URL", + "value": "https://security.FreeBSD.org/advisories/FreeBSD-SA-21:07.openssl.asc", + }, + { + "type": "URL", + "value": "https://security.gentoo.org/glsa/202103-03", + }, + { + "type": "URL", + "value": "https://security.netapp.com/advisory/ntap-20210326-0006", + }, + { + "type": "URL", + "value": "https://security.netapp.com/advisory/ntap-20210326-0006/", + }, + { + "type": "URL", + "value": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-openssl-2021-GHY28dJd", + }, + { + "type": "URL", + "value": "https://www.cve.org/CVERecord?id=CVE-2021-3450", + }, + { + "type": "URL", + "value": "https://www.openssl.org/news/secadv/20210325.txt", + }, + { + "type": "URL", + "value": "https://www.oracle.com//security-alerts/cpujul2021.html", + }, + { + "type": "URL", + "value": "https://www.oracle.com/security-alerts/cpuApr2021.html", + }, 
+ { + "type": "URL", + "value": "https://www.oracle.com/security-alerts/cpuapr2022.html", + }, + { + "type": "URL", + "value": "https://www.oracle.com/security-alerts/cpujul2022.html", + }, + { + "type": "URL", + "value": "https://www.oracle.com/security-alerts/cpuoct2021.html", + }, + { + "type": "URL", + "value": "https://www.tenable.com/security/tns-2021-05", + }, + { + "type": "URL", + "value": "https://www.tenable.com/security/tns-2021-08", + }, + { + "type": "URL", + "value": "https://www.tenable.com/security/tns-2021-09", + }, + ], + "severity": "HIGH", + }, + { + "attributes": { + "fixedVersion": "1.1.1l-r0", + "foundIn": "bkimminich/juice-shop:v10.2.0 (alpine 3.11.5)", + "installedVersion": "1.1.1d-r3", + "packageName": "libcrypto1.1", + "references": [ + "http://www.openwall.com/lists/oss-security/2021/08/26/2", + "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-3712.json", + "https://access.redhat.com/security/cve/CVE-2021-3712", + "https://cert-portal.siemens.com/productcert/pdf/ssa-244969.pdf", + "https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf", + "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=94d23fcff9b2a7a8368dfe52214d5c2569882c11", + "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=ccb0a11145ee72b042d10593a64eaf9e8a55ec12", + "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=94d23fcff9b2a7a8368dfe52214d5c2569882c11", + "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=ccb0a11145ee72b042d10593a64eaf9e8a55ec12", + "https://kc.mcafee.com/corporate/index?page=content&id=SB10366", + "https://linux.oracle.com/cve/CVE-2021-3712.html", + "https://linux.oracle.com/errata/ELSA-2022-9023.html", + "https://lists.apache.org/thread.html/r18995de860f0e63635f3008fd2a6aca82394249476d21691e7c59c9e%40%3Cdev.tomcat.apache.org%3E", + "https://lists.apache.org/thread.html/r18995de860f0e63635f3008fd2a6aca82394249476d21691e7c59c9e@%3Cdev.tomcat.apache.org%3E", + 
"https://lists.apache.org/thread.html/rad5d9f83f0d11fb3f8bb148d179b8a9ad7c6a17f18d70e5805a713d1%40%3Cdev.tomcat.apache.org%3E", + "https://lists.apache.org/thread.html/rad5d9f83f0d11fb3f8bb148d179b8a9ad7c6a17f18d70e5805a713d1@%3Cdev.tomcat.apache.org%3E", + "https://lists.debian.org/debian-lts-announce/2021/09/msg00014.html", + "https://lists.debian.org/debian-lts-announce/2021/09/msg00021.html", + "https://nvd.nist.gov/vuln/detail/CVE-2021-3712", + "https://rustsec.org/advisories/RUSTSEC-2021-0098.html", + "https://security.gentoo.org/glsa/202209-02", + "https://security.gentoo.org/glsa/202210-02", + "https://security.netapp.com/advisory/ntap-20210827-0010", + "https://security.netapp.com/advisory/ntap-20210827-0010/", + "https://security.netapp.com/advisory/ntap-20240621-0006", + "https://security.netapp.com/advisory/ntap-20240621-0006/", + "https://ubuntu.com/security/notices/USN-5051-1", + "https://ubuntu.com/security/notices/USN-5051-2", + "https://ubuntu.com/security/notices/USN-5051-3", + "https://ubuntu.com/security/notices/USN-5051-4 (regression only in trusty/esm)", + "https://ubuntu.com/security/notices/USN-5088-1", + "https://www.cve.org/CVERecord?id=CVE-2021-3712", + "https://www.debian.org/security/2021/dsa-4963", + "https://www.openssl.org/news/secadv/20210824.txt", + "https://www.oracle.com/security-alerts/cpuapr2022.html", + "https://www.oracle.com/security-alerts/cpujan2022.html", + "https://www.oracle.com/security-alerts/cpuoct2021.html", + "https://www.tenable.com/security/tns-2021-16", + "https://www.tenable.com/security/tns-2022-02", + ], + "vulnerabilityId": "CVE-2021-3712", + }, + "category": "Image Vulnerability", + "description": "ASN.1 strings are represented internally within OpenSSL as an ASN1_STRING structure which contains a buffer holding the string data and a field holding the buffer length. This contrasts with normal C strings which are repesented as a buffer for the string data which is terminated with a NUL (0) byte. 
Although not a strict requirement, ASN.1 strings that are parsed using OpenSSL's own "d2i" functions (and other similar parsing functions) as well as any string whose value has been set with the ASN1_STRING_set() function will additionally NUL terminate the byte array in the ASN1_STRING structure. However, it is possible for applications to directly construct valid ASN1_STRING structures which do not NUL terminate the byte array by directly setting the "data" and "length" fields in the ASN1_STRING array. This can also happen by using the ASN1_STRING_set0() function. Numerous OpenSSL functions that print ASN.1 data have been found to assume that the ASN1_STRING byte array will be NUL terminated, even though this is not guaranteed for strings that have been directly constructed. Where an application requests an ASN.1 structure to be printed, and where that ASN.1 structure contains ASN1_STRINGs that have been directly constructed by the application without NUL terminating the "data" field, then a read buffer overrun can occur. The same thing can also occur during name constraints processing of certificates (for example if a certificate has been directly constructed by the application instead of loading it via the OpenSSL parsing functions, and the certificate contains non NUL terminated ASN1_STRING structures). It can also occur in the X509_get1_email(), X509_REQ_get1_email() and X509_get1_ocsp() functions. If a malicious actor can cause an application to directly construct an ASN1_STRING and then process it through one of the affected OpenSSL functions then this issue could be hit. This might result in a crash (causing a Denial of Service attack). It could also result in the disclosure of private memory contents (such as private keys, or sensitive plaintext). Fixed in OpenSSL 1.1.1l (Affected 1.1.1-1.1.1k). 
Fixed in OpenSSL 1.0.2za (Affected 1.0.2-1.0.2y).", + "location": "bkimminich/juice-shop:v10.2.0", + "mitigation": "Update the affected package libcrypto1.1 to the fixed version: 1.1.1l-r0 or remove the package from the image.", + "name": "openssl: Read buffer overruns processing ASN.1 strings", + "osi_layer": "NOT_APPLICABLE", + "references": [ + { + "type": "CVE", + "value": "CVE-2021-3712", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2021-3712", + }, + { + "type": "URL", + "value": "http://www.openwall.com/lists/oss-security/2021/08/26/2", + }, + { + "type": "URL", + "value": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-3712.json", + }, + { + "type": "URL", + "value": "https://access.redhat.com/security/cve/CVE-2021-3712", + }, + { + "type": "URL", + "value": "https://cert-portal.siemens.com/productcert/pdf/ssa-244969.pdf", + }, + { + "type": "URL", + "value": "https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf", + }, + { + "type": "URL", + "value": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=94d23fcff9b2a7a8368dfe52214d5c2569882c11", + }, + { + "type": "URL", + "value": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=ccb0a11145ee72b042d10593a64eaf9e8a55ec12", + }, + { + "type": "URL", + "value": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=94d23fcff9b2a7a8368dfe52214d5c2569882c11", + }, + { + "type": "URL", + "value": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=ccb0a11145ee72b042d10593a64eaf9e8a55ec12", + }, + { + "type": "URL", + "value": "https://kc.mcafee.com/corporate/index?page=content&id=SB10366", + }, + { + "type": "URL", + "value": "https://linux.oracle.com/cve/CVE-2021-3712.html", + }, + { + "type": "URL", + "value": "https://linux.oracle.com/errata/ELSA-2022-9023.html", + }, + { + "type": "URL", + "value": 
"https://lists.apache.org/thread.html/r18995de860f0e63635f3008fd2a6aca82394249476d21691e7c59c9e%40%3Cdev.tomcat.apache.org%3E", + }, + { + "type": "URL", + "value": "https://lists.apache.org/thread.html/r18995de860f0e63635f3008fd2a6aca82394249476d21691e7c59c9e@%3Cdev.tomcat.apache.org%3E", + }, + { + "type": "URL", + "value": "https://lists.apache.org/thread.html/rad5d9f83f0d11fb3f8bb148d179b8a9ad7c6a17f18d70e5805a713d1%40%3Cdev.tomcat.apache.org%3E", + }, + { + "type": "URL", + "value": "https://lists.apache.org/thread.html/rad5d9f83f0d11fb3f8bb148d179b8a9ad7c6a17f18d70e5805a713d1@%3Cdev.tomcat.apache.org%3E", + }, + { + "type": "URL", + "value": "https://lists.debian.org/debian-lts-announce/2021/09/msg00014.html", + }, + { + "type": "URL", + "value": "https://lists.debian.org/debian-lts-announce/2021/09/msg00021.html", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2021-3712", + }, + { + "type": "URL", + "value": "https://rustsec.org/advisories/RUSTSEC-2021-0098.html", + }, + { + "type": "URL", + "value": "https://security.gentoo.org/glsa/202209-02", + }, + { + "type": "URL", + "value": "https://security.gentoo.org/glsa/202210-02", + }, + { + "type": "URL", + "value": "https://security.netapp.com/advisory/ntap-20210827-0010", + }, + { + "type": "URL", + "value": "https://security.netapp.com/advisory/ntap-20210827-0010/", + }, + { + "type": "URL", + "value": "https://security.netapp.com/advisory/ntap-20240621-0006", + }, + { + "type": "URL", + "value": "https://security.netapp.com/advisory/ntap-20240621-0006/", + }, + { + "type": "URL", + "value": "https://ubuntu.com/security/notices/USN-5051-1", + }, + { + "type": "URL", + "value": "https://ubuntu.com/security/notices/USN-5051-2", + }, + { + "type": "URL", + "value": "https://ubuntu.com/security/notices/USN-5051-3", + }, + { + "type": "URL", + "value": "https://ubuntu.com/security/notices/USN-5051-4 (regression only in trusty/esm)", + }, + { + "type": "URL", + "value": 
"https://ubuntu.com/security/notices/USN-5088-1", + }, + { + "type": "URL", + "value": "https://www.cve.org/CVERecord?id=CVE-2021-3712", + }, + { + "type": "URL", + "value": "https://www.debian.org/security/2021/dsa-4963", + }, + { + "type": "URL", + "value": "https://www.openssl.org/news/secadv/20210824.txt", + }, + { + "type": "URL", + "value": "https://www.oracle.com/security-alerts/cpuapr2022.html", + }, + { + "type": "URL", + "value": "https://www.oracle.com/security-alerts/cpujan2022.html", + }, + { + "type": "URL", + "value": "https://www.oracle.com/security-alerts/cpuoct2021.html", + }, + { + "type": "URL", + "value": "https://www.tenable.com/security/tns-2021-16", + }, + { + "type": "URL", + "value": "https://www.tenable.com/security/tns-2022-02", + }, + ], + "severity": "HIGH", + }, + { + "attributes": { + "fixedVersion": "1.1.1i-r0", + "foundIn": "bkimminich/juice-shop:v10.2.0 (alpine 3.11.5)", + "installedVersion": "1.1.1d-r3", + "packageName": "libcrypto1.1", + "references": [ + "http://www.openwall.com/lists/oss-security/2021/09/14/2", + "https://access.redhat.com/security/cve/CVE-2020-1971", + "https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf", + "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=2154ab83e14ede338d2ede9bbe5cdfce5d5a6c9e", + "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=f960d81215ebf3f65e03d4d5d857fb9b666d6920", + "https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44676", + "https://linux.oracle.com/cve/CVE-2020-1971.html", + "https://linux.oracle.com/errata/ELSA-2021-9150.html", + "https://lists.apache.org/thread.html/r63c6f2dd363d9b514d0a4bcf624580616a679898cc14c109a49b750c%40%3Cdev.tomcat.apache.org%3E", + "https://lists.apache.org/thread.html/rbb769f771711fb274e0a4acb1b5911c8aab544a6ac5e8c12d40c5143%40%3Ccommits.pulsar.apache.org%3E", + "https://lists.debian.org/debian-lts-announce/2020/12/msg00020.html", + 
"https://lists.debian.org/debian-lts-announce/2020/12/msg00021.html", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DGSI34Y5LQ5RYXN4M2I5ZQT65LFVDOUU/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PWPSSZNZOBJU2YR6Z4TGHXKYW3YP5QG7/", + "https://nvd.nist.gov/vuln/detail/CVE-2020-1971", + "https://security.FreeBSD.org/advisories/FreeBSD-SA-20:33.openssl.asc", + "https://security.gentoo.org/glsa/202012-13", + "https://security.netapp.com/advisory/ntap-20201218-0005/", + "https://security.netapp.com/advisory/ntap-20210513-0002/", + "https://security.netapp.com/advisory/ntap-20240621-0006/", + "https://ubuntu.com/security/notices/USN-4662-1", + "https://ubuntu.com/security/notices/USN-4745-1", + "https://www.cve.org/CVERecord?id=CVE-2020-1971", + "https://www.debian.org/security/2020/dsa-4807", + "https://www.openssl.org/news/secadv/20201208.txt", + "https://www.oracle.com//security-alerts/cpujul2021.html", + "https://www.oracle.com/security-alerts/cpuApr2021.html", + "https://www.oracle.com/security-alerts/cpuapr2022.html", + "https://www.oracle.com/security-alerts/cpujan2021.html", + "https://www.oracle.com/security-alerts/cpuoct2021.html", + "https://www.tenable.com/security/tns-2020-11", + "https://www.tenable.com/security/tns-2021-09", + "https://www.tenable.com/security/tns-2021-10", + ], + "vulnerabilityId": "CVE-2020-1971", + }, + "category": "Image Vulnerability", + "description": "The X.509 GeneralName type is a generic type for representing different types of names. One of those name types is known as EDIPartyName. OpenSSL provides a function GENERAL_NAME_cmp which compares different instances of a GENERAL_NAME to see if they are equal or not. This function behaves incorrectly when both GENERAL_NAMEs contain an EDIPARTYNAME. A NULL pointer dereference and a crash may occur leading to a possible denial of service attack. 
OpenSSL itself uses the GENERAL_NAME_cmp function for two purposes: 1) Comparing CRL distribution point names between an available CRL and a CRL distribution point embedded in an X509 certificate 2) When verifying that a timestamp response token signer matches the timestamp authority name (exposed via the API functions TS_RESP_verify_response and TS_RESP_verify_token) If an attacker can control both items being compared then that attacker could trigger a crash. For example if the attacker can trick a client or server into checking a malicious certificate against a malicious CRL then this may occur. Note that some applications automatically download CRLs based on a URL embedded in a certificate. This checking happens prior to the signatures on the certificate and CRL being verified. OpenSSL's s_server, s_client and verify tools have support for the "-crl_download" option which implements automatic CRL downloading and this attack has been demonstrated to work against those tools. Note that an unrelated bug means that affected versions of OpenSSL cannot parse or construct correct encodings of EDIPARTYNAME. However it is possible to construct a malformed EDIPARTYNAME that OpenSSL's parser will accept and hence trigger this attack. All OpenSSL 1.1.1 and 1.0.2 versions are affected by this issue. Other OpenSSL releases are out of support and have not been checked. Fixed in OpenSSL 1.1.1i (Affected 1.1.1-1.1.1h). 
Fixed in OpenSSL 1.0.2x (Affected 1.0.2-1.0.2w).", + "location": "bkimminich/juice-shop:v10.2.0", + "mitigation": "Update the affected package libcrypto1.1 to the fixed version: 1.1.1i-r0 or remove the package from the image.", + "name": "openssl: EDIPARTYNAME NULL pointer de-reference", + "osi_layer": "NOT_APPLICABLE", + "references": [ + { + "type": "CVE", + "value": "CVE-2020-1971", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2020-1971", + }, + { + "type": "URL", + "value": "http://www.openwall.com/lists/oss-security/2021/09/14/2", + }, + { + "type": "URL", + "value": "https://access.redhat.com/security/cve/CVE-2020-1971", + }, + { + "type": "URL", + "value": "https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf", + }, + { + "type": "URL", + "value": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=2154ab83e14ede338d2ede9bbe5cdfce5d5a6c9e", + }, + { + "type": "URL", + "value": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=f960d81215ebf3f65e03d4d5d857fb9b666d6920", + }, + { + "type": "URL", + "value": "https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44676", + }, + { + "type": "URL", + "value": "https://linux.oracle.com/cve/CVE-2020-1971.html", + }, + { + "type": "URL", + "value": "https://linux.oracle.com/errata/ELSA-2021-9150.html", + }, + { + "type": "URL", + "value": "https://lists.apache.org/thread.html/r63c6f2dd363d9b514d0a4bcf624580616a679898cc14c109a49b750c%40%3Cdev.tomcat.apache.org%3E", + }, + { + "type": "URL", + "value": "https://lists.apache.org/thread.html/rbb769f771711fb274e0a4acb1b5911c8aab544a6ac5e8c12d40c5143%40%3Ccommits.pulsar.apache.org%3E", + }, + { + "type": "URL", + "value": "https://lists.debian.org/debian-lts-announce/2020/12/msg00020.html", + }, + { + "type": "URL", + "value": "https://lists.debian.org/debian-lts-announce/2020/12/msg00021.html", + }, + { + "type": "URL", + "value": 
"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DGSI34Y5LQ5RYXN4M2I5ZQT65LFVDOUU/", + }, + { + "type": "URL", + "value": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PWPSSZNZOBJU2YR6Z4TGHXKYW3YP5QG7/", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2020-1971", + }, + { + "type": "URL", + "value": "https://security.FreeBSD.org/advisories/FreeBSD-SA-20:33.openssl.asc", + }, + { + "type": "URL", + "value": "https://security.gentoo.org/glsa/202012-13", + }, + { + "type": "URL", + "value": "https://security.netapp.com/advisory/ntap-20201218-0005/", + }, + { + "type": "URL", + "value": "https://security.netapp.com/advisory/ntap-20210513-0002/", + }, + { + "type": "URL", + "value": "https://security.netapp.com/advisory/ntap-20240621-0006/", + }, + { + "type": "URL", + "value": "https://ubuntu.com/security/notices/USN-4662-1", + }, + { + "type": "URL", + "value": "https://ubuntu.com/security/notices/USN-4745-1", + }, + { + "type": "URL", + "value": "https://www.cve.org/CVERecord?id=CVE-2020-1971", + }, + { + "type": "URL", + "value": "https://www.debian.org/security/2020/dsa-4807", + }, + { + "type": "URL", + "value": "https://www.openssl.org/news/secadv/20201208.txt", + }, + { + "type": "URL", + "value": "https://www.oracle.com//security-alerts/cpujul2021.html", + }, + { + "type": "URL", + "value": "https://www.oracle.com/security-alerts/cpuApr2021.html", + }, + { + "type": "URL", + "value": "https://www.oracle.com/security-alerts/cpuapr2022.html", + }, + { + "type": "URL", + "value": "https://www.oracle.com/security-alerts/cpujan2021.html", + }, + { + "type": "URL", + "value": "https://www.oracle.com/security-alerts/cpuoct2021.html", + }, + { + "type": "URL", + "value": "https://www.tenable.com/security/tns-2020-11", + }, + { + "type": "URL", + "value": "https://www.tenable.com/security/tns-2021-09", + }, + { + "type": "URL", + "value": 
"https://www.tenable.com/security/tns-2021-10", + }, + ], + "severity": "MEDIUM", + }, + { + "attributes": { + "fixedVersion": "1.1.1j-r0", + "foundIn": "bkimminich/juice-shop:v10.2.0 (alpine 3.11.5)", + "installedVersion": "1.1.1d-r3", + "packageName": "libcrypto1.1", + "references": [ + "http://seclists.org/fulldisclosure/2021/May/67", + "http://seclists.org/fulldisclosure/2021/May/68", + "http://seclists.org/fulldisclosure/2021/May/70", + "https://access.redhat.com/security/cve/CVE-2021-23841", + "https://cert-portal.siemens.com/productcert/pdf/ssa-637483.pdf", + "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=122a19ab48091c657f7cb1fb3af9fc07bd557bbf", + "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=8252ee4d90f3f2004d3d0aeeed003ad49c9a7807", + "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=122a19ab48091c657f7cb1fb3af9fc07bd557bbf", + "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=6a51b9e1d0cf0bf8515f7201b68fb0a3482b3dc1", + "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=8252ee4d90f3f2004d3d0aeeed003ad49c9a7807", + "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=9b1129239f3ebb1d1c98ce9ed41d5c9476c47cb2", + "https://github.com/alexcrichton/openssl-src-rs", + "https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44846", + "https://linux.oracle.com/cve/CVE-2021-23841.html", + "https://linux.oracle.com/errata/ELSA-2021-9561.html", + "https://nvd.nist.gov/vuln/detail/CVE-2021-23841", + "https://rustsec.org/advisories/RUSTSEC-2021-0058", + "https://rustsec.org/advisories/RUSTSEC-2021-0058.html", + "https://security.gentoo.org/glsa/202103-03", + "https://security.netapp.com/advisory/ntap-20210219-0009", + "https://security.netapp.com/advisory/ntap-20210219-0009/", + "https://security.netapp.com/advisory/ntap-20210513-0002", + "https://security.netapp.com/advisory/ntap-20210513-0002/", + "https://security.netapp.com/advisory/ntap-20240621-0006/", + 
"https://support.apple.com/kb/HT212528", + "https://support.apple.com/kb/HT212529", + "https://support.apple.com/kb/HT212534", + "https://ubuntu.com/security/notices/USN-4738-1", + "https://ubuntu.com/security/notices/USN-4745-1", + "https://www.cve.org/CVERecord?id=CVE-2021-23841", + "https://www.debian.org/security/2021/dsa-4855", + "https://www.openssl.org/news/secadv/20210216.txt", + "https://www.oracle.com//security-alerts/cpujul2021.html", + "https://www.oracle.com/security-alerts/cpuApr2021.html", + "https://www.oracle.com/security-alerts/cpuapr2022.html", + "https://www.oracle.com/security-alerts/cpuoct2021.html", + "https://www.tenable.com/security/tns-2021-03", + "https://www.tenable.com/security/tns-2021-09", + ], + "vulnerabilityId": "CVE-2021-23841", + }, + "category": "Image Vulnerability", + "description": "The OpenSSL public API function X509_issuer_and_serial_hash() attempts to create a unique hash value based on the issuer and serial number data contained within an X509 certificate. However it fails to correctly handle any errors that may occur while parsing the issuer field (which might occur if the issuer field is maliciously constructed). This may subsequently result in a NULL pointer deref and a crash leading to a potential denial of service attack. The function X509_issuer_and_serial_hash() is never directly called by OpenSSL itself so applications are only vulnerable if they use this function directly and they use it on certificates that may have been obtained from untrusted sources. OpenSSL versions 1.1.1i and below are affected by this issue. Users of these versions should upgrade to OpenSSL 1.1.1j. OpenSSL versions 1.0.2x and below are affected by this issue. However OpenSSL 1.0.2 is out of support and no longer receiving public updates. Premium support customers of OpenSSL 1.0.2 should upgrade to 1.0.2y. Other users should upgrade to 1.1.1j. Fixed in OpenSSL 1.1.1j (Affected 1.1.1-1.1.1i). 
Fixed in OpenSSL 1.0.2y (Affected 1.0.2-1.0.2x).", + "location": "bkimminich/juice-shop:v10.2.0", + "mitigation": "Update the affected package libcrypto1.1 to the fixed version: 1.1.1j-r0 or remove the package from the image.", + "name": "openssl: NULL pointer dereference in X509_issuer_and_serial_hash()", + "osi_layer": "NOT_APPLICABLE", + "references": [ + { + "type": "CVE", + "value": "CVE-2021-23841", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2021-23841", + }, + { + "type": "URL", + "value": "http://seclists.org/fulldisclosure/2021/May/67", + }, + { + "type": "URL", + "value": "http://seclists.org/fulldisclosure/2021/May/68", + }, + { + "type": "URL", + "value": "http://seclists.org/fulldisclosure/2021/May/70", + }, + { + "type": "URL", + "value": "https://access.redhat.com/security/cve/CVE-2021-23841", + }, + { + "type": "URL", + "value": "https://cert-portal.siemens.com/productcert/pdf/ssa-637483.pdf", + }, + { + "type": "URL", + "value": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=122a19ab48091c657f7cb1fb3af9fc07bd557bbf", + }, + { + "type": "URL", + "value": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=8252ee4d90f3f2004d3d0aeeed003ad49c9a7807", + }, + { + "type": "URL", + "value": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=122a19ab48091c657f7cb1fb3af9fc07bd557bbf", + }, + { + "type": "URL", + "value": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=6a51b9e1d0cf0bf8515f7201b68fb0a3482b3dc1", + }, + { + "type": "URL", + "value": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=8252ee4d90f3f2004d3d0aeeed003ad49c9a7807", + }, + { + "type": "URL", + "value": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=9b1129239f3ebb1d1c98ce9ed41d5c9476c47cb2", + }, + { + "type": "URL", + "value": "https://github.com/alexcrichton/openssl-src-rs", + }, + { + "type": "URL", + "value": 
"https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44846", + }, + { + "type": "URL", + "value": "https://linux.oracle.com/cve/CVE-2021-23841.html", + }, + { + "type": "URL", + "value": "https://linux.oracle.com/errata/ELSA-2021-9561.html", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2021-23841", + }, + { + "type": "URL", + "value": "https://rustsec.org/advisories/RUSTSEC-2021-0058", + }, + { + "type": "URL", + "value": "https://rustsec.org/advisories/RUSTSEC-2021-0058.html", + }, + { + "type": "URL", + "value": "https://security.gentoo.org/glsa/202103-03", + }, + { + "type": "URL", + "value": "https://security.netapp.com/advisory/ntap-20210219-0009", + }, + { + "type": "URL", + "value": "https://security.netapp.com/advisory/ntap-20210219-0009/", + }, + { + "type": "URL", + "value": "https://security.netapp.com/advisory/ntap-20210513-0002", + }, + { + "type": "URL", + "value": "https://security.netapp.com/advisory/ntap-20210513-0002/", + }, + { + "type": "URL", + "value": "https://security.netapp.com/advisory/ntap-20240621-0006/", + }, + { + "type": "URL", + "value": "https://support.apple.com/kb/HT212528", + }, + { + "type": "URL", + "value": "https://support.apple.com/kb/HT212529", + }, + { + "type": "URL", + "value": "https://support.apple.com/kb/HT212534", + }, + { + "type": "URL", + "value": "https://ubuntu.com/security/notices/USN-4738-1", + }, + { + "type": "URL", + "value": "https://ubuntu.com/security/notices/USN-4745-1", + }, + { + "type": "URL", + "value": "https://www.cve.org/CVERecord?id=CVE-2021-23841", + }, + { + "type": "URL", + "value": "https://www.debian.org/security/2021/dsa-4855", + }, + { + "type": "URL", + "value": "https://www.openssl.org/news/secadv/20210216.txt", + }, + { + "type": "URL", + "value": "https://www.oracle.com//security-alerts/cpujul2021.html", + }, + { + "type": "URL", + "value": "https://www.oracle.com/security-alerts/cpuApr2021.html", + }, + { + "type": "URL", + "value": 
"https://www.oracle.com/security-alerts/cpuapr2022.html", + }, + { + "type": "URL", + "value": "https://www.oracle.com/security-alerts/cpuoct2021.html", + }, + { + "type": "URL", + "value": "https://www.tenable.com/security/tns-2021-03", + }, + { + "type": "URL", + "value": "https://www.tenable.com/security/tns-2021-09", + }, + ], + "severity": "MEDIUM", + }, + { + "attributes": { + "fixedVersion": "1.1.1k-r0", + "foundIn": "bkimminich/juice-shop:v10.2.0 (alpine 3.11.5)", + "installedVersion": "1.1.1d-r3", + "packageName": "libcrypto1.1", + "references": [ + "http://www.openwall.com/lists/oss-security/2021/03/27/1", + "http://www.openwall.com/lists/oss-security/2021/03/27/2", + "http://www.openwall.com/lists/oss-security/2021/03/28/3", + "http://www.openwall.com/lists/oss-security/2021/03/28/4", + "https://access.redhat.com/security/cve/CVE-2021-3449", + "https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf", + "https://cert-portal.siemens.com/productcert/pdf/ssa-772220.pdf", + "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=fb9fa6b51defd48157eeb207f52181f735d96148", + "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=fb9fa6b51defd48157eeb207f52181f735d96148", + "https://github.com/alexcrichton/openssl-src-rs", + "https://github.com/nodejs/node/pull/38083", + "https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44845", + "https://kc.mcafee.com/corporate/index?page=content&id=SB10356", + "https://linux.oracle.com/cve/CVE-2021-3449.html", + "https://linux.oracle.com/errata/ELSA-2021-9151.html", + "https://lists.debian.org/debian-lts-announce/2021/08/msg00029.html", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CCBFLLVQVILIVGZMBJL3IXZGKWQISYNP/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CCBFLLVQVILIVGZMBJL3IXZGKWQISYNP", + "https://nvd.nist.gov/vuln/detail/CVE-2021-3449", + 
"https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0013", + "https://rustsec.org/advisories/RUSTSEC-2021-0055", + "https://rustsec.org/advisories/RUSTSEC-2021-0055.html", + "https://security.FreeBSD.org/advisories/FreeBSD-SA-21:07.openssl.asc", + "https://security.gentoo.org/glsa/202103-03", + "https://security.netapp.com/advisory/ntap-20210326-0006", + "https://security.netapp.com/advisory/ntap-20210326-0006/", + "https://security.netapp.com/advisory/ntap-20210513-0002", + "https://security.netapp.com/advisory/ntap-20210513-0002/", + "https://security.netapp.com/advisory/ntap-20240621-0006/", + "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-openssl-2021-GHY28dJd", + "https://ubuntu.com/security/notices/USN-4891-1", + "https://ubuntu.com/security/notices/USN-5038-1", + "https://www.cve.org/CVERecord?id=CVE-2021-3449", + "https://www.debian.org/security/2021/dsa-4875", + "https://www.openssl.org/news/secadv/20210325.txt", + "https://www.oracle.com//security-alerts/cpujul2021.html", + "https://www.oracle.com/security-alerts/cpuApr2021.html", + "https://www.oracle.com/security-alerts/cpuapr2022.html", + "https://www.oracle.com/security-alerts/cpujul2022.html", + "https://www.oracle.com/security-alerts/cpuoct2021.html", + "https://www.tenable.com/security/tns-2021-05", + "https://www.tenable.com/security/tns-2021-06", + "https://www.tenable.com/security/tns-2021-09", + "https://www.tenable.com/security/tns-2021-10", + ], + "vulnerabilityId": "CVE-2021-3449", + }, + "category": "Image Vulnerability", + "description": "An OpenSSL TLS server may crash if sent a maliciously crafted renegotiation ClientHello message from a client. If a TLSv1.2 renegotiation ClientHello omits the signature_algorithms extension (where it was present in the initial ClientHello), but includes a signature_algorithms_cert extension then a NULL pointer dereference will result, leading to a crash and a denial of service attack. 
A server is only vulnerable if it has TLSv1.2 and renegotiation enabled (which is the default configuration). OpenSSL TLS clients are not impacted by this issue. All OpenSSL 1.1.1 versions are affected by this issue. Users of these versions should upgrade to OpenSSL 1.1.1k. OpenSSL 1.0.2 is not impacted by this issue. Fixed in OpenSSL 1.1.1k (Affected 1.1.1-1.1.1j).", + "location": "bkimminich/juice-shop:v10.2.0", + "mitigation": "Update the affected package libcrypto1.1 to the fixed version: 1.1.1k-r0 or remove the package from the image.", + "name": "openssl: NULL pointer dereference in signature_algorithms processing", + "osi_layer": "NOT_APPLICABLE", + "references": [ + { + "type": "CVE", + "value": "CVE-2021-3449", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2021-3449", + }, + { + "type": "URL", + "value": "http://www.openwall.com/lists/oss-security/2021/03/27/1", + }, + { + "type": "URL", + "value": "http://www.openwall.com/lists/oss-security/2021/03/27/2", + }, + { + "type": "URL", + "value": "http://www.openwall.com/lists/oss-security/2021/03/28/3", + }, + { + "type": "URL", + "value": "http://www.openwall.com/lists/oss-security/2021/03/28/4", + }, + { + "type": "URL", + "value": "https://access.redhat.com/security/cve/CVE-2021-3449", + }, + { + "type": "URL", + "value": "https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf", + }, + { + "type": "URL", + "value": "https://cert-portal.siemens.com/productcert/pdf/ssa-772220.pdf", + }, + { + "type": "URL", + "value": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=fb9fa6b51defd48157eeb207f52181f735d96148", + }, + { + "type": "URL", + "value": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=fb9fa6b51defd48157eeb207f52181f735d96148", + }, + { + "type": "URL", + "value": "https://github.com/alexcrichton/openssl-src-rs", + }, + { + "type": "URL", + "value": "https://github.com/nodejs/node/pull/38083", + }, + { + "type": "URL", + "value": 
"https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44845", + }, + { + "type": "URL", + "value": "https://kc.mcafee.com/corporate/index?page=content&id=SB10356", + }, + { + "type": "URL", + "value": "https://linux.oracle.com/cve/CVE-2021-3449.html", + }, + { + "type": "URL", + "value": "https://linux.oracle.com/errata/ELSA-2021-9151.html", + }, + { + "type": "URL", + "value": "https://lists.debian.org/debian-lts-announce/2021/08/msg00029.html", + }, + { + "type": "URL", + "value": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CCBFLLVQVILIVGZMBJL3IXZGKWQISYNP/", + }, + { + "type": "URL", + "value": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CCBFLLVQVILIVGZMBJL3IXZGKWQISYNP", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2021-3449", + }, + { + "type": "URL", + "value": "https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0013", + }, + { + "type": "URL", + "value": "https://rustsec.org/advisories/RUSTSEC-2021-0055", + }, + { + "type": "URL", + "value": "https://rustsec.org/advisories/RUSTSEC-2021-0055.html", + }, + { + "type": "URL", + "value": "https://security.FreeBSD.org/advisories/FreeBSD-SA-21:07.openssl.asc", + }, + { + "type": "URL", + "value": "https://security.gentoo.org/glsa/202103-03", + }, + { + "type": "URL", + "value": "https://security.netapp.com/advisory/ntap-20210326-0006", + }, + { + "type": "URL", + "value": "https://security.netapp.com/advisory/ntap-20210326-0006/", + }, + { + "type": "URL", + "value": "https://security.netapp.com/advisory/ntap-20210513-0002", + }, + { + "type": "URL", + "value": "https://security.netapp.com/advisory/ntap-20210513-0002/", + }, + { + "type": "URL", + "value": "https://security.netapp.com/advisory/ntap-20240621-0006/", + }, + { + "type": "URL", + "value": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-openssl-2021-GHY28dJd", + }, + { 
+ "type": "URL", + "value": "https://ubuntu.com/security/notices/USN-4891-1", + }, + { + "type": "URL", + "value": "https://ubuntu.com/security/notices/USN-5038-1", + }, + { + "type": "URL", + "value": "https://www.cve.org/CVERecord?id=CVE-2021-3449", + }, + { + "type": "URL", + "value": "https://www.debian.org/security/2021/dsa-4875", + }, + { + "type": "URL", + "value": "https://www.openssl.org/news/secadv/20210325.txt", + }, + { + "type": "URL", + "value": "https://www.oracle.com//security-alerts/cpujul2021.html", + }, + { + "type": "URL", + "value": "https://www.oracle.com/security-alerts/cpuApr2021.html", + }, + { + "type": "URL", + "value": "https://www.oracle.com/security-alerts/cpuapr2022.html", + }, + { + "type": "URL", + "value": "https://www.oracle.com/security-alerts/cpujul2022.html", + }, + { + "type": "URL", + "value": "https://www.oracle.com/security-alerts/cpuoct2021.html", + }, + { + "type": "URL", + "value": "https://www.tenable.com/security/tns-2021-05", + }, + { + "type": "URL", + "value": "https://www.tenable.com/security/tns-2021-06", + }, + { + "type": "URL", + "value": "https://www.tenable.com/security/tns-2021-09", + }, + { + "type": "URL", + "value": "https://www.tenable.com/security/tns-2021-10", + }, + ], + "severity": "MEDIUM", + }, + { + "attributes": { + "fixedVersion": "1.1.1j-r0", + "foundIn": "bkimminich/juice-shop:v10.2.0 (alpine 3.11.5)", + "installedVersion": "1.1.1d-r3", + "packageName": "libcrypto1.1", + "references": [ + "https://access.redhat.com/security/cve/CVE-2021-23839", + "https://cert-portal.siemens.com/productcert/pdf/ssa-637483.pdf", + "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=30919ab80a478f2d81f2e9acdcca3fa4740cd547", + "https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44846", + "https://nvd.nist.gov/vuln/detail/CVE-2021-23839", + "https://security.netapp.com/advisory/ntap-20210219-0009/", + "https://security.netapp.com/advisory/ntap-20240621-0006/", + 
"https://www.cve.org/CVERecord?id=CVE-2021-23839", + "https://www.openssl.org/news/secadv/20210216.txt", + "https://www.oracle.com//security-alerts/cpujul2021.html", + "https://www.oracle.com/security-alerts/cpuApr2021.html", + "https://www.oracle.com/security-alerts/cpuapr2022.html", + "https://www.oracle.com/security-alerts/cpuoct2021.html", + ], + "vulnerabilityId": "CVE-2021-23839", + }, + "category": "Image Vulnerability", + "description": "OpenSSL 1.0.2 supports SSLv2. If a client attempts to negotiate SSLv2 with a server that is configured to support both SSLv2 and more recent SSL and TLS versions then a check is made for a version rollback attack when unpadding an RSA signature. Clients that support SSL or TLS versions greater than SSLv2 are supposed to use a special form of padding. A server that supports greater than SSLv2 is supposed to reject connection attempts from a client where this special form of padding is present, because this indicates that a version rollback has occurred (i.e. both client and server support greater than SSLv2, and yet this is the version that is being requested). The implementation of this padding check inverted the logic so that the connection attempt is accepted if the padding is present, and rejected if it is absent. This means that such as server will accept a connection if a version rollback attack has occurred. Further the server will erroneously reject a connection if a normal SSLv2 connection attempt is made. Only OpenSSL 1.0.2 servers from version 1.0.2s to 1.0.2x are affected by this issue. In order to be vulnerable a 1.0.2 server must: 1) have configured SSLv2 support at compile time (this is off by default), 2) have configured SSLv2 support at runtime (this is off by default), 3) have configured SSLv2 ciphersuites (these are not in the default ciphersuite list) OpenSSL 1.1.1 does not have SSLv2 support and therefore is not vulnerable to this issue. 
The underlying error is in the implementation of the RSA_padding_check_SSLv23() function. This also affects the RSA_SSLV23_PADDING padding mode used by various other functions. Although 1.1.1 does not support SSLv2 the RSA_padding_check_SSLv23() function still exists, as does the RSA_SSLV23_PADDING padding mode. Applications that directly call that function or use that padding mode will encounter this issue. However since there is no support for the SSLv2 protocol in 1.1.1 this is considered a bug and not a security issue in that version. OpenSSL 1.0.2 is out of support and no longer receiving public updates. Premium support customers of OpenSSL 1.0.2 should upgrade to 1.0.2y. Other users should upgrade to 1.1.1j. Fixed in OpenSSL 1.0.2y (Affected 1.0.2s-1.0.2x).", + "location": "bkimminich/juice-shop:v10.2.0", + "mitigation": "Update the affected package libcrypto1.1 to the fixed version: 1.1.1j-r0 or remove the package from the image.", + "name": "openssl: incorrect SSLv2 rollback protection", + "osi_layer": "NOT_APPLICABLE", + "references": [ + { + "type": "CVE", + "value": "CVE-2021-23839", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2021-23839", + }, + { + "type": "URL", + "value": "https://access.redhat.com/security/cve/CVE-2021-23839", + }, + { + "type": "URL", + "value": "https://cert-portal.siemens.com/productcert/pdf/ssa-637483.pdf", + }, + { + "type": "URL", + "value": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=30919ab80a478f2d81f2e9acdcca3fa4740cd547", + }, + { + "type": "URL", + "value": "https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44846", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2021-23839", + }, + { + "type": "URL", + "value": "https://security.netapp.com/advisory/ntap-20210219-0009/", + }, + { + "type": "URL", + "value": "https://security.netapp.com/advisory/ntap-20240621-0006/", + }, + { + "type": "URL", + "value": 
"https://www.cve.org/CVERecord?id=CVE-2021-23839", + }, + { + "type": "URL", + "value": "https://www.openssl.org/news/secadv/20210216.txt", + }, + { + "type": "URL", + "value": "https://www.oracle.com//security-alerts/cpujul2021.html", + }, + { + "type": "URL", + "value": "https://www.oracle.com/security-alerts/cpuApr2021.html", + }, + { + "type": "URL", + "value": "https://www.oracle.com/security-alerts/cpuapr2022.html", + }, + { + "type": "URL", + "value": "https://www.oracle.com/security-alerts/cpuoct2021.html", + }, + ], + "severity": "LOW", + }, + { + "attributes": { + "fixedVersion": "9.3.0-r0", + "foundIn": "bkimminich/juice-shop:v10.2.0 (alpine 3.11.5)", + "installedVersion": "9.2.0-r4", + "packageName": "libgcc", + "references": [ + "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00056.html", + "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00057.html", + "http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00058.html", + "https://access.redhat.com/security/cve/CVE-2019-15847", + "https://gcc.gnu.org/bugzilla/show_bug.cgi?id=91481", + "https://gcc.gnu.org/git/?p=gcc.git;a=commit;h=457dac402027dd7e14543fbd59a75858422cf6c6", + "https://gcc.gnu.org/git/?p=gcc.git;a=commit;h=e99bfdd2a8db732ea84cf0a6486707e5e821ad7e", + "https://linux.oracle.com/cve/CVE-2019-15847.html", + "https://linux.oracle.com/errata/ELSA-2020-1864.html", + "https://nvd.nist.gov/vuln/detail/CVE-2019-15847", + "https://www.cve.org/CVERecord?id=CVE-2019-15847", + ], + "vulnerabilityId": "CVE-2019-15847", + }, + "category": "Image Vulnerability", + "description": "The POWER9 backend in GNU Compiler Collection (GCC) before version 10 could optimize multiple calls of the __builtin_darn intrinsic into a single call, thus reducing the entropy of the random number generator. This occurred because a volatile operation was not specified. 
For example, within a single execution of a program, the output of every __builtin_darn() call may be the same.", + "location": "bkimminich/juice-shop:v10.2.0", + "mitigation": "Update the affected package libgcc to the fixed version: 9.3.0-r0 or remove the package from the image.", + "name": "gcc: POWER9 "DARN" RNG intrinsic produces repeated output", + "osi_layer": "NOT_APPLICABLE", + "references": [ + { + "type": "CVE", + "value": "CVE-2019-15847", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2019-15847", + }, + { + "type": "URL", + "value": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00056.html", + }, + { + "type": "URL", + "value": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00057.html", + }, + { + "type": "URL", + "value": "http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00058.html", + }, + { + "type": "URL", + "value": "https://access.redhat.com/security/cve/CVE-2019-15847", + }, + { + "type": "URL", + "value": "https://gcc.gnu.org/bugzilla/show_bug.cgi?id=91481", + }, + { + "type": "URL", + "value": "https://gcc.gnu.org/git/?p=gcc.git;a=commit;h=457dac402027dd7e14543fbd59a75858422cf6c6", + }, + { + "type": "URL", + "value": "https://gcc.gnu.org/git/?p=gcc.git;a=commit;h=e99bfdd2a8db732ea84cf0a6486707e5e821ad7e", + }, + { + "type": "URL", + "value": "https://linux.oracle.com/cve/CVE-2019-15847.html", + }, + { + "type": "URL", + "value": "https://linux.oracle.com/errata/ELSA-2020-1864.html", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2019-15847", + }, + { + "type": "URL", + "value": "https://www.cve.org/CVERecord?id=CVE-2019-15847", + }, + ], + "severity": "HIGH", + }, + { + "attributes": { + "fixedVersion": "1.1.1l-r0", + "foundIn": "bkimminich/juice-shop:v10.2.0 (alpine 3.11.5)", + "installedVersion": "1.1.1d-r3", + "packageName": "libssl1.1", + "references": [ + "http://www.openwall.com/lists/oss-security/2021/08/26/2", + 
"https://access.redhat.com/security/cve/CVE-2021-3711", + "https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf", + "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=59f5e75f3bced8fc0e130d72a3f582cf7b480b46", + "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=59f5e75f3bced8fc0e130d72a3f582cf7b480b46", + "https://lists.apache.org/thread.html/r18995de860f0e63635f3008fd2a6aca82394249476d21691e7c59c9e%40%3Cdev.tomcat.apache.org%3E", + "https://lists.apache.org/thread.html/r18995de860f0e63635f3008fd2a6aca82394249476d21691e7c59c9e@%3Cdev.tomcat.apache.org%3E", + "https://lists.apache.org/thread.html/rad5d9f83f0d11fb3f8bb148d179b8a9ad7c6a17f18d70e5805a713d1%40%3Cdev.tomcat.apache.org%3E", + "https://lists.apache.org/thread.html/rad5d9f83f0d11fb3f8bb148d179b8a9ad7c6a17f18d70e5805a713d1@%3Cdev.tomcat.apache.org%3E", + "https://nvd.nist.gov/vuln/detail/CVE-2021-3711", + "https://rustsec.org/advisories/RUSTSEC-2021-0097.html", + "https://security.gentoo.org/glsa/202209-02", + "https://security.gentoo.org/glsa/202210-02", + "https://security.netapp.com/advisory/ntap-20210827-0010", + "https://security.netapp.com/advisory/ntap-20210827-0010/", + "https://security.netapp.com/advisory/ntap-20211022-0003", + "https://security.netapp.com/advisory/ntap-20211022-0003/", + "https://security.netapp.com/advisory/ntap-20240621-0006", + "https://security.netapp.com/advisory/ntap-20240621-0006/", + "https://ubuntu.com/security/notices/USN-5051-1", + "https://www.cve.org/CVERecord?id=CVE-2021-3711", + "https://www.debian.org/security/2021/dsa-4963", + "https://www.openssl.org/news/secadv/20210824.txt", + "https://www.oracle.com/security-alerts/cpuapr2022.html", + "https://www.oracle.com/security-alerts/cpujan2022.html", + "https://www.oracle.com/security-alerts/cpuoct2021.html", + "https://www.tenable.com/security/tns-2021-16", + "https://www.tenable.com/security/tns-2022-02", + ], + "vulnerabilityId": "CVE-2021-3711", + }, + "category": "Image 
Vulnerability", + "description": "In order to decrypt SM2 encrypted data an application is expected to call the API function EVP_PKEY_decrypt(). Typically an application will call this function twice. The first time, on entry, the "out" parameter can be NULL and, on exit, the "outlen" parameter is populated with the buffer size required to hold the decrypted plaintext. The application can then allocate a sufficiently sized buffer and call EVP_PKEY_decrypt() again, but this time passing a non-NULL value for the "out" parameter. A bug in the implementation of the SM2 decryption code means that the calculation of the buffer size required to hold the plaintext returned by the first call to EVP_PKEY_decrypt() can be smaller than the actual size required by the second call. This can lead to a buffer overflow when EVP_PKEY_decrypt() is called by the application a second time with a buffer that is too small. A malicious attacker who is able present SM2 content for decryption to an application could cause attacker chosen data to overflow the buffer by up to a maximum of 62 bytes altering the contents of other data held after the buffer, possibly changing application behaviour or causing the application to crash. The location of the buffer is application dependent but is typically heap allocated. 
Fixed in OpenSSL 1.1.1l (Affected 1.1.1-1.1.1k).", + "location": "bkimminich/juice-shop:v10.2.0", + "mitigation": "Update the affected package libssl1.1 to the fixed version: 1.1.1l-r0 or remove the package from the image.", + "name": "openssl: SM2 Decryption Buffer Overflow", + "osi_layer": "NOT_APPLICABLE", + "references": [ + { + "type": "CVE", + "value": "CVE-2021-3711", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2021-3711", + }, + { + "type": "URL", + "value": "http://www.openwall.com/lists/oss-security/2021/08/26/2", + }, + { + "type": "URL", + "value": "https://access.redhat.com/security/cve/CVE-2021-3711", + }, + { + "type": "URL", + "value": "https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf", + }, + { + "type": "URL", + "value": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=59f5e75f3bced8fc0e130d72a3f582cf7b480b46", + }, + { + "type": "URL", + "value": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=59f5e75f3bced8fc0e130d72a3f582cf7b480b46", + }, + { + "type": "URL", + "value": "https://lists.apache.org/thread.html/r18995de860f0e63635f3008fd2a6aca82394249476d21691e7c59c9e%40%3Cdev.tomcat.apache.org%3E", + }, + { + "type": "URL", + "value": "https://lists.apache.org/thread.html/r18995de860f0e63635f3008fd2a6aca82394249476d21691e7c59c9e@%3Cdev.tomcat.apache.org%3E", + }, + { + "type": "URL", + "value": "https://lists.apache.org/thread.html/rad5d9f83f0d11fb3f8bb148d179b8a9ad7c6a17f18d70e5805a713d1%40%3Cdev.tomcat.apache.org%3E", + }, + { + "type": "URL", + "value": "https://lists.apache.org/thread.html/rad5d9f83f0d11fb3f8bb148d179b8a9ad7c6a17f18d70e5805a713d1@%3Cdev.tomcat.apache.org%3E", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2021-3711", + }, + { + "type": "URL", + "value": "https://rustsec.org/advisories/RUSTSEC-2021-0097.html", + }, + { + "type": "URL", + "value": "https://security.gentoo.org/glsa/202209-02", + }, + { + "type": "URL", + 
"value": "https://security.gentoo.org/glsa/202210-02", + }, + { + "type": "URL", + "value": "https://security.netapp.com/advisory/ntap-20210827-0010", + }, + { + "type": "URL", + "value": "https://security.netapp.com/advisory/ntap-20210827-0010/", + }, + { + "type": "URL", + "value": "https://security.netapp.com/advisory/ntap-20211022-0003", + }, + { + "type": "URL", + "value": "https://security.netapp.com/advisory/ntap-20211022-0003/", + }, + { + "type": "URL", + "value": "https://security.netapp.com/advisory/ntap-20240621-0006", + }, + { + "type": "URL", + "value": "https://security.netapp.com/advisory/ntap-20240621-0006/", + }, + { + "type": "URL", + "value": "https://ubuntu.com/security/notices/USN-5051-1", + }, + { + "type": "URL", + "value": "https://www.cve.org/CVERecord?id=CVE-2021-3711", + }, + { + "type": "URL", + "value": "https://www.debian.org/security/2021/dsa-4963", + }, + { + "type": "URL", + "value": "https://www.openssl.org/news/secadv/20210824.txt", + }, + { + "type": "URL", + "value": "https://www.oracle.com/security-alerts/cpuapr2022.html", + }, + { + "type": "URL", + "value": "https://www.oracle.com/security-alerts/cpujan2022.html", + }, + { + "type": "URL", + "value": "https://www.oracle.com/security-alerts/cpuoct2021.html", + }, + { + "type": "URL", + "value": "https://www.tenable.com/security/tns-2021-16", + }, + { + "type": "URL", + "value": "https://www.tenable.com/security/tns-2022-02", + }, + ], + "severity": "HIGH", + }, + { + "attributes": { + "fixedVersion": "1.1.1g-r0", + "foundIn": "bkimminich/juice-shop:v10.2.0 (alpine 3.11.5)", + "installedVersion": "1.1.1d-r3", + "packageName": "libssl1.1", + "references": [ + "http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00004.html", + "http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00011.html", + "http://packetstormsecurity.com/files/157527/OpenSSL-signature_algorithms_cert-Denial-Of-Service.html", + "http://seclists.org/fulldisclosure/2020/May/5", + 
"http://www.openwall.com/lists/oss-security/2020/04/22/2", + "https://access.redhat.com/security/cve/CVE-2020-1967", + "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=eb563247aef3e83dda7679c43f9649270462e5b1", + "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=eb563247aef3e83dda7679c43f9649270462e5b1", + "https://github.com/irsl/CVE-2020-1967", + "https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44440", + "https://lists.apache.org/thread.html/r66ea9c436da150683432db5fbc8beb8ae01886c6459ac30c2cea7345%40%3Cdev.tomcat.apache.org%3E", + "https://lists.apache.org/thread.html/r66ea9c436da150683432db5fbc8beb8ae01886c6459ac30c2cea7345@%3Cdev.tomcat.apache.org%3E", + "https://lists.apache.org/thread.html/r94d6ac3f010a38fccf4f432b12180a13fa1cf303559bd805648c9064%40%3Cdev.tomcat.apache.org%3E", + "https://lists.apache.org/thread.html/r94d6ac3f010a38fccf4f432b12180a13fa1cf303559bd805648c9064@%3Cdev.tomcat.apache.org%3E", + "https://lists.apache.org/thread.html/r9a41e304992ce6aec6585a87842b4f2e692604f5c892c37e3b0587ee%40%3Cdev.tomcat.apache.org%3E", + "https://lists.apache.org/thread.html/r9a41e304992ce6aec6585a87842b4f2e692604f5c892c37e3b0587ee@%3Cdev.tomcat.apache.org%3E", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DDHOAATPWJCXRNFMJ2SASDBBNU5RJONY/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EXDDAOWSAIEFQNBHWYE6PPYFV4QXGMCD/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XVEP3LAK4JSPRXFO4QF4GG2IVXADV3SO/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DDHOAATPWJCXRNFMJ2SASDBBNU5RJONY", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EXDDAOWSAIEFQNBHWYE6PPYFV4QXGMCD", + 
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XVEP3LAK4JSPRXFO4QF4GG2IVXADV3SO", + "https://nvd.nist.gov/vuln/detail/CVE-2020-1967", + "https://rustsec.org/advisories/RUSTSEC-2020-0015.html", + "https://security.FreeBSD.org/advisories/FreeBSD-SA-20:11.openssl.asc", + "https://security.gentoo.org/glsa/202004-10", + "https://security.netapp.com/advisory/ntap-20200424-0003", + "https://security.netapp.com/advisory/ntap-20200424-0003/", + "https://security.netapp.com/advisory/ntap-20200717-0004", + "https://security.netapp.com/advisory/ntap-20200717-0004/", + "https://www.cve.org/CVERecord?id=CVE-2020-1967", + "https://www.debian.org/security/2020/dsa-4661", + "https://www.openssl.org/news/secadv/20200421.txt", + "https://www.oracle.com//security-alerts/cpujul2021.html", + "https://www.oracle.com/security-alerts/cpuApr2021.html", + "https://www.oracle.com/security-alerts/cpujan2021.html", + "https://www.oracle.com/security-alerts/cpujul2020.html", + "https://www.oracle.com/security-alerts/cpuoct2020.html", + "https://www.oracle.com/security-alerts/cpuoct2021.html", + "https://www.synology.com/security/advisory/Synology_SA_20_05", + "https://www.synology.com/security/advisory/Synology_SA_20_05_OpenSSL", + "https://www.tenable.com/security/tns-2020-03", + "https://www.tenable.com/security/tns-2020-04", + "https://www.tenable.com/security/tns-2020-11", + "https://www.tenable.com/security/tns-2021-10", + ], + "vulnerabilityId": "CVE-2020-1967", + }, + "category": "Image Vulnerability", + "description": "Server or client applications that call the SSL_check_chain() function during or after a TLS 1.3 handshake may crash due to a NULL pointer dereference as a result of incorrect handling of the "signature_algorithms_cert" TLS extension. The crash occurs if an invalid or unrecognised signature algorithm is received from the peer. This could be exploited by a malicious peer in a Denial of Service attack. 
OpenSSL version 1.1.1d, 1.1.1e, and 1.1.1f are affected by this issue. This issue did not affect OpenSSL versions prior to 1.1.1d. Fixed in OpenSSL 1.1.1g (Affected 1.1.1d-1.1.1f).", + "location": "bkimminich/juice-shop:v10.2.0", + "mitigation": "Update the affected package libssl1.1 to the fixed version: 1.1.1g-r0 or remove the package from the image.", + "name": "openssl: Segmentation fault in SSL_check_chain causes denial of service", + "osi_layer": "NOT_APPLICABLE", + "references": [ + { + "type": "CVE", + "value": "CVE-2020-1967", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2020-1967", + }, + { + "type": "URL", + "value": "http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00004.html", + }, + { + "type": "URL", + "value": "http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00011.html", + }, + { + "type": "URL", + "value": "http://packetstormsecurity.com/files/157527/OpenSSL-signature_algorithms_cert-Denial-Of-Service.html", + }, + { + "type": "URL", + "value": "http://seclists.org/fulldisclosure/2020/May/5", + }, + { + "type": "URL", + "value": "http://www.openwall.com/lists/oss-security/2020/04/22/2", + }, + { + "type": "URL", + "value": "https://access.redhat.com/security/cve/CVE-2020-1967", + }, + { + "type": "URL", + "value": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=eb563247aef3e83dda7679c43f9649270462e5b1", + }, + { + "type": "URL", + "value": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=eb563247aef3e83dda7679c43f9649270462e5b1", + }, + { + "type": "URL", + "value": "https://github.com/irsl/CVE-2020-1967", + }, + { + "type": "URL", + "value": "https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44440", + }, + { + "type": "URL", + "value": "https://lists.apache.org/thread.html/r66ea9c436da150683432db5fbc8beb8ae01886c6459ac30c2cea7345%40%3Cdev.tomcat.apache.org%3E", + }, + { + "type": "URL", + "value": 
"https://lists.apache.org/thread.html/r66ea9c436da150683432db5fbc8beb8ae01886c6459ac30c2cea7345@%3Cdev.tomcat.apache.org%3E", + }, + { + "type": "URL", + "value": "https://lists.apache.org/thread.html/r94d6ac3f010a38fccf4f432b12180a13fa1cf303559bd805648c9064%40%3Cdev.tomcat.apache.org%3E", + }, + { + "type": "URL", + "value": "https://lists.apache.org/thread.html/r94d6ac3f010a38fccf4f432b12180a13fa1cf303559bd805648c9064@%3Cdev.tomcat.apache.org%3E", + }, + { + "type": "URL", + "value": "https://lists.apache.org/thread.html/r9a41e304992ce6aec6585a87842b4f2e692604f5c892c37e3b0587ee%40%3Cdev.tomcat.apache.org%3E", + }, + { + "type": "URL", + "value": "https://lists.apache.org/thread.html/r9a41e304992ce6aec6585a87842b4f2e692604f5c892c37e3b0587ee@%3Cdev.tomcat.apache.org%3E", + }, + { + "type": "URL", + "value": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DDHOAATPWJCXRNFMJ2SASDBBNU5RJONY/", + }, + { + "type": "URL", + "value": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EXDDAOWSAIEFQNBHWYE6PPYFV4QXGMCD/", + }, + { + "type": "URL", + "value": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XVEP3LAK4JSPRXFO4QF4GG2IVXADV3SO/", + }, + { + "type": "URL", + "value": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DDHOAATPWJCXRNFMJ2SASDBBNU5RJONY", + }, + { + "type": "URL", + "value": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EXDDAOWSAIEFQNBHWYE6PPYFV4QXGMCD", + }, + { + "type": "URL", + "value": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XVEP3LAK4JSPRXFO4QF4GG2IVXADV3SO", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2020-1967", + }, + { + "type": "URL", + "value": "https://rustsec.org/advisories/RUSTSEC-2020-0015.html", + }, + { + "type": 
"URL", + "value": "https://security.FreeBSD.org/advisories/FreeBSD-SA-20:11.openssl.asc", + }, + { + "type": "URL", + "value": "https://security.gentoo.org/glsa/202004-10", + }, + { + "type": "URL", + "value": "https://security.netapp.com/advisory/ntap-20200424-0003", + }, + { + "type": "URL", + "value": "https://security.netapp.com/advisory/ntap-20200424-0003/", + }, + { + "type": "URL", + "value": "https://security.netapp.com/advisory/ntap-20200717-0004", + }, + { + "type": "URL", + "value": "https://security.netapp.com/advisory/ntap-20200717-0004/", + }, + { + "type": "URL", + "value": "https://www.cve.org/CVERecord?id=CVE-2020-1967", + }, + { + "type": "URL", + "value": "https://www.debian.org/security/2020/dsa-4661", + }, + { + "type": "URL", + "value": "https://www.openssl.org/news/secadv/20200421.txt", + }, + { + "type": "URL", + "value": "https://www.oracle.com//security-alerts/cpujul2021.html", + }, + { + "type": "URL", + "value": "https://www.oracle.com/security-alerts/cpuApr2021.html", + }, + { + "type": "URL", + "value": "https://www.oracle.com/security-alerts/cpujan2021.html", + }, + { + "type": "URL", + "value": "https://www.oracle.com/security-alerts/cpujul2020.html", + }, + { + "type": "URL", + "value": "https://www.oracle.com/security-alerts/cpuoct2020.html", + }, + { + "type": "URL", + "value": "https://www.oracle.com/security-alerts/cpuoct2021.html", + }, + { + "type": "URL", + "value": "https://www.synology.com/security/advisory/Synology_SA_20_05", + }, + { + "type": "URL", + "value": "https://www.synology.com/security/advisory/Synology_SA_20_05_OpenSSL", + }, + { + "type": "URL", + "value": "https://www.tenable.com/security/tns-2020-03", + }, + { + "type": "URL", + "value": "https://www.tenable.com/security/tns-2020-04", + }, + { + "type": "URL", + "value": "https://www.tenable.com/security/tns-2020-11", + }, + { + "type": "URL", + "value": "https://www.tenable.com/security/tns-2021-10", + }, + ], + "severity": "HIGH", + }, + { + "attributes": 
{ + "fixedVersion": "1.1.1j-r0", + "foundIn": "bkimminich/juice-shop:v10.2.0 (alpine 3.11.5)", + "installedVersion": "1.1.1d-r3", + "packageName": "libssl1.1", + "references": [ + "https://access.redhat.com/security/cve/CVE-2021-23840", + "https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf", + "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=6a51b9e1d0cf0bf8515f7201b68fb0a3482b3dc1", + "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=9b1129239f3ebb1d1c98ce9ed41d5c9476c47cb2", + "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=6a51b9e1d0cf0bf8515f7201b68fb0a3482b3dc1", + "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=9b1129239f3ebb1d1c98ce9ed41d5c9476c47cb2", + "https://github.com/alexcrichton/openssl-src-rs", + "https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44846", + "https://kc.mcafee.com/corporate/index?page=content&id=SB10366", + "https://linux.oracle.com/cve/CVE-2021-23840.html", + "https://linux.oracle.com/errata/ELSA-2021-9561.html", + "https://lists.apache.org/thread.html/r58af02e294bd07f487e2c64ffc0a29b837db5600e33b6e698b9d696b%40%3Cissues.bookkeeper.apache.org%3E", + "https://lists.apache.org/thread.html/r58af02e294bd07f487e2c64ffc0a29b837db5600e33b6e698b9d696b@%3Cissues.bookkeeper.apache.org%3E", + "https://lists.apache.org/thread.html/rf4c02775860db415b4955778a131c2795223f61cb8c6a450893651e4%40%3Cissues.bookkeeper.apache.org%3E", + "https://lists.apache.org/thread.html/rf4c02775860db415b4955778a131c2795223f61cb8c6a450893651e4@%3Cissues.bookkeeper.apache.org%3E", + "https://nvd.nist.gov/vuln/detail/CVE-2021-23840", + "https://rustsec.org/advisories/RUSTSEC-2021-0057.html", + "https://security.gentoo.org/glsa/202103-03", + "https://security.netapp.com/advisory/ntap-20210219-0009", + "https://security.netapp.com/advisory/ntap-20210219-0009/", + "https://security.netapp.com/advisory/ntap-20240621-0006/", + "https://ubuntu.com/security/notices/USN-4738-1", + 
"https://ubuntu.com/security/notices/USN-5088-1", + "https://ubuntu.com/security/notices/USN-7018-1", + "https://www.cve.org/CVERecord?id=CVE-2021-23840", + "https://www.debian.org/security/2021/dsa-4855", + "https://www.openssl.org/news/secadv/20210216.txt", + "https://www.oracle.com//security-alerts/cpujul2021.html", + "https://www.oracle.com/security-alerts/cpuApr2021.html", + "https://www.oracle.com/security-alerts/cpuapr2022.html", + "https://www.oracle.com/security-alerts/cpujan2022.html", + "https://www.oracle.com/security-alerts/cpuoct2021.html", + "https://www.tenable.com/security/tns-2021-03", + "https://www.tenable.com/security/tns-2021-09", + "https://www.tenable.com/security/tns-2021-10", + ], + "vulnerabilityId": "CVE-2021-23840", + }, + "category": "Image Vulnerability", + "description": "Calls to EVP_CipherUpdate, EVP_EncryptUpdate and EVP_DecryptUpdate may overflow the output length argument in some cases where the input length is close to the maximum permissable length for an integer on the platform. In such cases the return value from the function call will be 1 (indicating success), but the output length value will be negative. This could cause applications to behave incorrectly or crash. OpenSSL versions 1.1.1i and below are affected by this issue. Users of these versions should upgrade to OpenSSL 1.1.1j. OpenSSL versions 1.0.2x and below are affected by this issue. However OpenSSL 1.0.2 is out of support and no longer receiving public updates. Premium support customers of OpenSSL 1.0.2 should upgrade to 1.0.2y. Other users should upgrade to 1.1.1j. Fixed in OpenSSL 1.1.1j (Affected 1.1.1-1.1.1i). 
Fixed in OpenSSL 1.0.2y (Affected 1.0.2-1.0.2x).", + "location": "bkimminich/juice-shop:v10.2.0", + "mitigation": "Update the affected package libssl1.1 to the fixed version: 1.1.1j-r0 or remove the package from the image.", + "name": "openssl: integer overflow in CipherUpdate", + "osi_layer": "NOT_APPLICABLE", + "references": [ + { + "type": "CVE", + "value": "CVE-2021-23840", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2021-23840", + }, + { + "type": "URL", + "value": "https://access.redhat.com/security/cve/CVE-2021-23840", + }, + { + "type": "URL", + "value": "https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf", + }, + { + "type": "URL", + "value": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=6a51b9e1d0cf0bf8515f7201b68fb0a3482b3dc1", + }, + { + "type": "URL", + "value": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=9b1129239f3ebb1d1c98ce9ed41d5c9476c47cb2", + }, + { + "type": "URL", + "value": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=6a51b9e1d0cf0bf8515f7201b68fb0a3482b3dc1", + }, + { + "type": "URL", + "value": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=9b1129239f3ebb1d1c98ce9ed41d5c9476c47cb2", + }, + { + "type": "URL", + "value": "https://github.com/alexcrichton/openssl-src-rs", + }, + { + "type": "URL", + "value": "https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44846", + }, + { + "type": "URL", + "value": "https://kc.mcafee.com/corporate/index?page=content&id=SB10366", + }, + { + "type": "URL", + "value": "https://linux.oracle.com/cve/CVE-2021-23840.html", + }, + { + "type": "URL", + "value": "https://linux.oracle.com/errata/ELSA-2021-9561.html", + }, + { + "type": "URL", + "value": "https://lists.apache.org/thread.html/r58af02e294bd07f487e2c64ffc0a29b837db5600e33b6e698b9d696b%40%3Cissues.bookkeeper.apache.org%3E", + }, + { + "type": "URL", + "value": 
"https://lists.apache.org/thread.html/r58af02e294bd07f487e2c64ffc0a29b837db5600e33b6e698b9d696b@%3Cissues.bookkeeper.apache.org%3E", + }, + { + "type": "URL", + "value": "https://lists.apache.org/thread.html/rf4c02775860db415b4955778a131c2795223f61cb8c6a450893651e4%40%3Cissues.bookkeeper.apache.org%3E", + }, + { + "type": "URL", + "value": "https://lists.apache.org/thread.html/rf4c02775860db415b4955778a131c2795223f61cb8c6a450893651e4@%3Cissues.bookkeeper.apache.org%3E", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2021-23840", + }, + { + "type": "URL", + "value": "https://rustsec.org/advisories/RUSTSEC-2021-0057.html", + }, + { + "type": "URL", + "value": "https://security.gentoo.org/glsa/202103-03", + }, + { + "type": "URL", + "value": "https://security.netapp.com/advisory/ntap-20210219-0009", + }, + { + "type": "URL", + "value": "https://security.netapp.com/advisory/ntap-20210219-0009/", + }, + { + "type": "URL", + "value": "https://security.netapp.com/advisory/ntap-20240621-0006/", + }, + { + "type": "URL", + "value": "https://ubuntu.com/security/notices/USN-4738-1", + }, + { + "type": "URL", + "value": "https://ubuntu.com/security/notices/USN-5088-1", + }, + { + "type": "URL", + "value": "https://ubuntu.com/security/notices/USN-7018-1", + }, + { + "type": "URL", + "value": "https://www.cve.org/CVERecord?id=CVE-2021-23840", + }, + { + "type": "URL", + "value": "https://www.debian.org/security/2021/dsa-4855", + }, + { + "type": "URL", + "value": "https://www.openssl.org/news/secadv/20210216.txt", + }, + { + "type": "URL", + "value": "https://www.oracle.com//security-alerts/cpujul2021.html", + }, + { + "type": "URL", + "value": "https://www.oracle.com/security-alerts/cpuApr2021.html", + }, + { + "type": "URL", + "value": "https://www.oracle.com/security-alerts/cpuapr2022.html", + }, + { + "type": "URL", + "value": "https://www.oracle.com/security-alerts/cpujan2022.html", + }, + { + "type": "URL", + "value": 
"https://www.oracle.com/security-alerts/cpuoct2021.html", + }, + { + "type": "URL", + "value": "https://www.tenable.com/security/tns-2021-03", + }, + { + "type": "URL", + "value": "https://www.tenable.com/security/tns-2021-09", + }, + { + "type": "URL", + "value": "https://www.tenable.com/security/tns-2021-10", + }, + ], + "severity": "HIGH", + }, + { + "attributes": { + "fixedVersion": "1.1.1k-r0", + "foundIn": "bkimminich/juice-shop:v10.2.0 (alpine 3.11.5)", + "installedVersion": "1.1.1d-r3", + "packageName": "libssl1.1", + "references": [ + "http://www.openwall.com/lists/oss-security/2021/03/27/1", + "http://www.openwall.com/lists/oss-security/2021/03/27/2", + "http://www.openwall.com/lists/oss-security/2021/03/28/3", + "http://www.openwall.com/lists/oss-security/2021/03/28/4", + "https://access.redhat.com/security/cve/CVE-2021-3450", + "https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf", + "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=2a40b7bc7b94dd7de897a74571e7024f0cf0d63b", + "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=2a40b7bc7b94dd7de897a74571e7024f0cf0d63b", + "https://github.com/alexcrichton/openssl-src-rs", + "https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44845", + "https://kc.mcafee.com/corporate/index?page=content&id=SB10356", + "https://linux.oracle.com/cve/CVE-2021-3450.html", + "https://linux.oracle.com/errata/ELSA-2021-9151.html", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CCBFLLVQVILIVGZMBJL3IXZGKWQISYNP/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CCBFLLVQVILIVGZMBJL3IXZGKWQISYNP", + "https://mta.openssl.org/pipermail/openssl-announce/2021-March/000198.html", + "https://nvd.nist.gov/vuln/detail/CVE-2021-3450", + "https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0013", + "https://rustsec.org/advisories/RUSTSEC-2021-0056.html", + 
"https://security.FreeBSD.org/advisories/FreeBSD-SA-21:07.openssl.asc", + "https://security.gentoo.org/glsa/202103-03", + "https://security.netapp.com/advisory/ntap-20210326-0006", + "https://security.netapp.com/advisory/ntap-20210326-0006/", + "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-openssl-2021-GHY28dJd", + "https://www.cve.org/CVERecord?id=CVE-2021-3450", + "https://www.openssl.org/news/secadv/20210325.txt", + "https://www.oracle.com//security-alerts/cpujul2021.html", + "https://www.oracle.com/security-alerts/cpuApr2021.html", + "https://www.oracle.com/security-alerts/cpuapr2022.html", + "https://www.oracle.com/security-alerts/cpujul2022.html", + "https://www.oracle.com/security-alerts/cpuoct2021.html", + "https://www.tenable.com/security/tns-2021-05", + "https://www.tenable.com/security/tns-2021-08", + "https://www.tenable.com/security/tns-2021-09", + ], + "vulnerabilityId": "CVE-2021-3450", + }, + "category": "Image Vulnerability", + "description": "The X509_V_FLAG_X509_STRICT flag enables additional security checks of the certificates present in a certificate chain. It is not set by default. Starting from OpenSSL version 1.1.1h a check to disallow certificates in the chain that have explicitly encoded elliptic curve parameters was added as an additional strict check. An error in the implementation of this check meant that the result of a previous check to confirm that certificates in the chain are valid CA certificates was overwritten. This effectively bypasses the check that non-CA certificates must not be able to issue other certificates. If a "purpose" has been configured then there is a subsequent opportunity for checks that the certificate is a valid CA. All of the named "purpose" values implemented in libcrypto perform this check. Therefore, where a purpose is set the certificate chain will still be rejected even when the strict flag has been used. 
A purpose is set by default in libssl client and server certificate verification routines, but it can be overridden or removed by an application. In order to be affected, an application must explicitly set the X509_V_FLAG_X509_STRICT verification flag and either not set a purpose for the certificate verification or, in the case of TLS client or server applications, override the default purpose. OpenSSL versions 1.1.1h and newer are affected by this issue. Users of these versions should upgrade to OpenSSL 1.1.1k. OpenSSL 1.0.2 is not impacted by this issue. Fixed in OpenSSL 1.1.1k (Affected 1.1.1h-1.1.1j).", + "location": "bkimminich/juice-shop:v10.2.0", + "mitigation": "Update the affected package libssl1.1 to the fixed version: 1.1.1k-r0 or remove the package from the image.", + "name": "openssl: CA certificate check bypass with X509_V_FLAG_X509_STRICT", + "osi_layer": "NOT_APPLICABLE", + "references": [ + { + "type": "CVE", + "value": "CVE-2021-3450", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2021-3450", + }, + { + "type": "URL", + "value": "http://www.openwall.com/lists/oss-security/2021/03/27/1", + }, + { + "type": "URL", + "value": "http://www.openwall.com/lists/oss-security/2021/03/27/2", + }, + { + "type": "URL", + "value": "http://www.openwall.com/lists/oss-security/2021/03/28/3", + }, + { + "type": "URL", + "value": "http://www.openwall.com/lists/oss-security/2021/03/28/4", + }, + { + "type": "URL", + "value": "https://access.redhat.com/security/cve/CVE-2021-3450", + }, + { + "type": "URL", + "value": "https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf", + }, + { + "type": "URL", + "value": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=2a40b7bc7b94dd7de897a74571e7024f0cf0d63b", + }, + { + "type": "URL", + "value": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=2a40b7bc7b94dd7de897a74571e7024f0cf0d63b", + }, + { + "type": "URL", + "value": 
"https://github.com/alexcrichton/openssl-src-rs", + }, + { + "type": "URL", + "value": "https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44845", + }, + { + "type": "URL", + "value": "https://kc.mcafee.com/corporate/index?page=content&id=SB10356", + }, + { + "type": "URL", + "value": "https://linux.oracle.com/cve/CVE-2021-3450.html", + }, + { + "type": "URL", + "value": "https://linux.oracle.com/errata/ELSA-2021-9151.html", + }, + { + "type": "URL", + "value": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CCBFLLVQVILIVGZMBJL3IXZGKWQISYNP/", + }, + { + "type": "URL", + "value": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CCBFLLVQVILIVGZMBJL3IXZGKWQISYNP", + }, + { + "type": "URL", + "value": "https://mta.openssl.org/pipermail/openssl-announce/2021-March/000198.html", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2021-3450", + }, + { + "type": "URL", + "value": "https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0013", + }, + { + "type": "URL", + "value": "https://rustsec.org/advisories/RUSTSEC-2021-0056.html", + }, + { + "type": "URL", + "value": "https://security.FreeBSD.org/advisories/FreeBSD-SA-21:07.openssl.asc", + }, + { + "type": "URL", + "value": "https://security.gentoo.org/glsa/202103-03", + }, + { + "type": "URL", + "value": "https://security.netapp.com/advisory/ntap-20210326-0006", + }, + { + "type": "URL", + "value": "https://security.netapp.com/advisory/ntap-20210326-0006/", + }, + { + "type": "URL", + "value": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-openssl-2021-GHY28dJd", + }, + { + "type": "URL", + "value": "https://www.cve.org/CVERecord?id=CVE-2021-3450", + }, + { + "type": "URL", + "value": "https://www.openssl.org/news/secadv/20210325.txt", + }, + { + "type": "URL", + "value": "https://www.oracle.com//security-alerts/cpujul2021.html", + }, + { + "type": 
"URL", + "value": "https://www.oracle.com/security-alerts/cpuApr2021.html", + }, + { + "type": "URL", + "value": "https://www.oracle.com/security-alerts/cpuapr2022.html", + }, + { + "type": "URL", + "value": "https://www.oracle.com/security-alerts/cpujul2022.html", + }, + { + "type": "URL", + "value": "https://www.oracle.com/security-alerts/cpuoct2021.html", + }, + { + "type": "URL", + "value": "https://www.tenable.com/security/tns-2021-05", + }, + { + "type": "URL", + "value": "https://www.tenable.com/security/tns-2021-08", + }, + { + "type": "URL", + "value": "https://www.tenable.com/security/tns-2021-09", + }, + ], + "severity": "HIGH", + }, + { + "attributes": { + "fixedVersion": "1.1.1l-r0", + "foundIn": "bkimminich/juice-shop:v10.2.0 (alpine 3.11.5)", + "installedVersion": "1.1.1d-r3", + "packageName": "libssl1.1", + "references": [ + "http://www.openwall.com/lists/oss-security/2021/08/26/2", + "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-3712.json", + "https://access.redhat.com/security/cve/CVE-2021-3712", + "https://cert-portal.siemens.com/productcert/pdf/ssa-244969.pdf", + "https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf", + "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=94d23fcff9b2a7a8368dfe52214d5c2569882c11", + "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=ccb0a11145ee72b042d10593a64eaf9e8a55ec12", + "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=94d23fcff9b2a7a8368dfe52214d5c2569882c11", + "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=ccb0a11145ee72b042d10593a64eaf9e8a55ec12", + "https://kc.mcafee.com/corporate/index?page=content&id=SB10366", + "https://linux.oracle.com/cve/CVE-2021-3712.html", + "https://linux.oracle.com/errata/ELSA-2022-9023.html", + "https://lists.apache.org/thread.html/r18995de860f0e63635f3008fd2a6aca82394249476d21691e7c59c9e%40%3Cdev.tomcat.apache.org%3E", + 
"https://lists.apache.org/thread.html/r18995de860f0e63635f3008fd2a6aca82394249476d21691e7c59c9e@%3Cdev.tomcat.apache.org%3E", + "https://lists.apache.org/thread.html/rad5d9f83f0d11fb3f8bb148d179b8a9ad7c6a17f18d70e5805a713d1%40%3Cdev.tomcat.apache.org%3E", + "https://lists.apache.org/thread.html/rad5d9f83f0d11fb3f8bb148d179b8a9ad7c6a17f18d70e5805a713d1@%3Cdev.tomcat.apache.org%3E", + "https://lists.debian.org/debian-lts-announce/2021/09/msg00014.html", + "https://lists.debian.org/debian-lts-announce/2021/09/msg00021.html", + "https://nvd.nist.gov/vuln/detail/CVE-2021-3712", + "https://rustsec.org/advisories/RUSTSEC-2021-0098.html", + "https://security.gentoo.org/glsa/202209-02", + "https://security.gentoo.org/glsa/202210-02", + "https://security.netapp.com/advisory/ntap-20210827-0010", + "https://security.netapp.com/advisory/ntap-20210827-0010/", + "https://security.netapp.com/advisory/ntap-20240621-0006", + "https://security.netapp.com/advisory/ntap-20240621-0006/", + "https://ubuntu.com/security/notices/USN-5051-1", + "https://ubuntu.com/security/notices/USN-5051-2", + "https://ubuntu.com/security/notices/USN-5051-3", + "https://ubuntu.com/security/notices/USN-5051-4 (regression only in trusty/esm)", + "https://ubuntu.com/security/notices/USN-5088-1", + "https://www.cve.org/CVERecord?id=CVE-2021-3712", + "https://www.debian.org/security/2021/dsa-4963", + "https://www.openssl.org/news/secadv/20210824.txt", + "https://www.oracle.com/security-alerts/cpuapr2022.html", + "https://www.oracle.com/security-alerts/cpujan2022.html", + "https://www.oracle.com/security-alerts/cpuoct2021.html", + "https://www.tenable.com/security/tns-2021-16", + "https://www.tenable.com/security/tns-2022-02", + ], + "vulnerabilityId": "CVE-2021-3712", + }, + "category": "Image Vulnerability", + "description": "ASN.1 strings are represented internally within OpenSSL as an ASN1_STRING structure which contains a buffer holding the string data and a field holding the buffer length. 
This contrasts with normal C strings which are repesented as a buffer for the string data which is terminated with a NUL (0) byte. Although not a strict requirement, ASN.1 strings that are parsed using OpenSSL's own "d2i" functions (and other similar parsing functions) as well as any string whose value has been set with the ASN1_STRING_set() function will additionally NUL terminate the byte array in the ASN1_STRING structure. However, it is possible for applications to directly construct valid ASN1_STRING structures which do not NUL terminate the byte array by directly setting the "data" and "length" fields in the ASN1_STRING array. This can also happen by using the ASN1_STRING_set0() function. Numerous OpenSSL functions that print ASN.1 data have been found to assume that the ASN1_STRING byte array will be NUL terminated, even though this is not guaranteed for strings that have been directly constructed. Where an application requests an ASN.1 structure to be printed, and where that ASN.1 structure contains ASN1_STRINGs that have been directly constructed by the application without NUL terminating the "data" field, then a read buffer overrun can occur. The same thing can also occur during name constraints processing of certificates (for example if a certificate has been directly constructed by the application instead of loading it via the OpenSSL parsing functions, and the certificate contains non NUL terminated ASN1_STRING structures). It can also occur in the X509_get1_email(), X509_REQ_get1_email() and X509_get1_ocsp() functions. If a malicious actor can cause an application to directly construct an ASN1_STRING and then process it through one of the affected OpenSSL functions then this issue could be hit. This might result in a crash (causing a Denial of Service attack). It could also result in the disclosure of private memory contents (such as private keys, or sensitive plaintext). Fixed in OpenSSL 1.1.1l (Affected 1.1.1-1.1.1k). 
Fixed in OpenSSL 1.0.2za (Affected 1.0.2-1.0.2y).", + "location": "bkimminich/juice-shop:v10.2.0", + "mitigation": "Update the affected package libssl1.1 to the fixed version: 1.1.1l-r0 or remove the package from the image.", + "name": "openssl: Read buffer overruns processing ASN.1 strings", + "osi_layer": "NOT_APPLICABLE", + "references": [ + { + "type": "CVE", + "value": "CVE-2021-3712", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2021-3712", + }, + { + "type": "URL", + "value": "http://www.openwall.com/lists/oss-security/2021/08/26/2", + }, + { + "type": "URL", + "value": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-3712.json", + }, + { + "type": "URL", + "value": "https://access.redhat.com/security/cve/CVE-2021-3712", + }, + { + "type": "URL", + "value": "https://cert-portal.siemens.com/productcert/pdf/ssa-244969.pdf", + }, + { + "type": "URL", + "value": "https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf", + }, + { + "type": "URL", + "value": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=94d23fcff9b2a7a8368dfe52214d5c2569882c11", + }, + { + "type": "URL", + "value": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=ccb0a11145ee72b042d10593a64eaf9e8a55ec12", + }, + { + "type": "URL", + "value": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=94d23fcff9b2a7a8368dfe52214d5c2569882c11", + }, + { + "type": "URL", + "value": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=ccb0a11145ee72b042d10593a64eaf9e8a55ec12", + }, + { + "type": "URL", + "value": "https://kc.mcafee.com/corporate/index?page=content&id=SB10366", + }, + { + "type": "URL", + "value": "https://linux.oracle.com/cve/CVE-2021-3712.html", + }, + { + "type": "URL", + "value": "https://linux.oracle.com/errata/ELSA-2022-9023.html", + }, + { + "type": "URL", + "value": 
"https://lists.apache.org/thread.html/r18995de860f0e63635f3008fd2a6aca82394249476d21691e7c59c9e%40%3Cdev.tomcat.apache.org%3E", + }, + { + "type": "URL", + "value": "https://lists.apache.org/thread.html/r18995de860f0e63635f3008fd2a6aca82394249476d21691e7c59c9e@%3Cdev.tomcat.apache.org%3E", + }, + { + "type": "URL", + "value": "https://lists.apache.org/thread.html/rad5d9f83f0d11fb3f8bb148d179b8a9ad7c6a17f18d70e5805a713d1%40%3Cdev.tomcat.apache.org%3E", + }, + { + "type": "URL", + "value": "https://lists.apache.org/thread.html/rad5d9f83f0d11fb3f8bb148d179b8a9ad7c6a17f18d70e5805a713d1@%3Cdev.tomcat.apache.org%3E", + }, + { + "type": "URL", + "value": "https://lists.debian.org/debian-lts-announce/2021/09/msg00014.html", + }, + { + "type": "URL", + "value": "https://lists.debian.org/debian-lts-announce/2021/09/msg00021.html", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2021-3712", + }, + { + "type": "URL", + "value": "https://rustsec.org/advisories/RUSTSEC-2021-0098.html", + }, + { + "type": "URL", + "value": "https://security.gentoo.org/glsa/202209-02", + }, + { + "type": "URL", + "value": "https://security.gentoo.org/glsa/202210-02", + }, + { + "type": "URL", + "value": "https://security.netapp.com/advisory/ntap-20210827-0010", + }, + { + "type": "URL", + "value": "https://security.netapp.com/advisory/ntap-20210827-0010/", + }, + { + "type": "URL", + "value": "https://security.netapp.com/advisory/ntap-20240621-0006", + }, + { + "type": "URL", + "value": "https://security.netapp.com/advisory/ntap-20240621-0006/", + }, + { + "type": "URL", + "value": "https://ubuntu.com/security/notices/USN-5051-1", + }, + { + "type": "URL", + "value": "https://ubuntu.com/security/notices/USN-5051-2", + }, + { + "type": "URL", + "value": "https://ubuntu.com/security/notices/USN-5051-3", + }, + { + "type": "URL", + "value": "https://ubuntu.com/security/notices/USN-5051-4 (regression only in trusty/esm)", + }, + { + "type": "URL", + "value": 
"https://ubuntu.com/security/notices/USN-5088-1", + }, + { + "type": "URL", + "value": "https://www.cve.org/CVERecord?id=CVE-2021-3712", + }, + { + "type": "URL", + "value": "https://www.debian.org/security/2021/dsa-4963", + }, + { + "type": "URL", + "value": "https://www.openssl.org/news/secadv/20210824.txt", + }, + { + "type": "URL", + "value": "https://www.oracle.com/security-alerts/cpuapr2022.html", + }, + { + "type": "URL", + "value": "https://www.oracle.com/security-alerts/cpujan2022.html", + }, + { + "type": "URL", + "value": "https://www.oracle.com/security-alerts/cpuoct2021.html", + }, + { + "type": "URL", + "value": "https://www.tenable.com/security/tns-2021-16", + }, + { + "type": "URL", + "value": "https://www.tenable.com/security/tns-2022-02", + }, + ], + "severity": "HIGH", + }, + { + "attributes": { + "fixedVersion": "1.1.1i-r0", + "foundIn": "bkimminich/juice-shop:v10.2.0 (alpine 3.11.5)", + "installedVersion": "1.1.1d-r3", + "packageName": "libssl1.1", + "references": [ + "http://www.openwall.com/lists/oss-security/2021/09/14/2", + "https://access.redhat.com/security/cve/CVE-2020-1971", + "https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf", + "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=2154ab83e14ede338d2ede9bbe5cdfce5d5a6c9e", + "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=f960d81215ebf3f65e03d4d5d857fb9b666d6920", + "https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44676", + "https://linux.oracle.com/cve/CVE-2020-1971.html", + "https://linux.oracle.com/errata/ELSA-2021-9150.html", + "https://lists.apache.org/thread.html/r63c6f2dd363d9b514d0a4bcf624580616a679898cc14c109a49b750c%40%3Cdev.tomcat.apache.org%3E", + "https://lists.apache.org/thread.html/rbb769f771711fb274e0a4acb1b5911c8aab544a6ac5e8c12d40c5143%40%3Ccommits.pulsar.apache.org%3E", + "https://lists.debian.org/debian-lts-announce/2020/12/msg00020.html", + 
"https://lists.debian.org/debian-lts-announce/2020/12/msg00021.html", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DGSI34Y5LQ5RYXN4M2I5ZQT65LFVDOUU/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PWPSSZNZOBJU2YR6Z4TGHXKYW3YP5QG7/", + "https://nvd.nist.gov/vuln/detail/CVE-2020-1971", + "https://security.FreeBSD.org/advisories/FreeBSD-SA-20:33.openssl.asc", + "https://security.gentoo.org/glsa/202012-13", + "https://security.netapp.com/advisory/ntap-20201218-0005/", + "https://security.netapp.com/advisory/ntap-20210513-0002/", + "https://security.netapp.com/advisory/ntap-20240621-0006/", + "https://ubuntu.com/security/notices/USN-4662-1", + "https://ubuntu.com/security/notices/USN-4745-1", + "https://www.cve.org/CVERecord?id=CVE-2020-1971", + "https://www.debian.org/security/2020/dsa-4807", + "https://www.openssl.org/news/secadv/20201208.txt", + "https://www.oracle.com//security-alerts/cpujul2021.html", + "https://www.oracle.com/security-alerts/cpuApr2021.html", + "https://www.oracle.com/security-alerts/cpuapr2022.html", + "https://www.oracle.com/security-alerts/cpujan2021.html", + "https://www.oracle.com/security-alerts/cpuoct2021.html", + "https://www.tenable.com/security/tns-2020-11", + "https://www.tenable.com/security/tns-2021-09", + "https://www.tenable.com/security/tns-2021-10", + ], + "vulnerabilityId": "CVE-2020-1971", + }, + "category": "Image Vulnerability", + "description": "The X.509 GeneralName type is a generic type for representing different types of names. One of those name types is known as EDIPartyName. OpenSSL provides a function GENERAL_NAME_cmp which compares different instances of a GENERAL_NAME to see if they are equal or not. This function behaves incorrectly when both GENERAL_NAMEs contain an EDIPARTYNAME. A NULL pointer dereference and a crash may occur leading to a possible denial of service attack. 
OpenSSL itself uses the GENERAL_NAME_cmp function for two purposes: 1) Comparing CRL distribution point names between an available CRL and a CRL distribution point embedded in an X509 certificate 2) When verifying that a timestamp response token signer matches the timestamp authority name (exposed via the API functions TS_RESP_verify_response and TS_RESP_verify_token) If an attacker can control both items being compared then that attacker could trigger a crash. For example if the attacker can trick a client or server into checking a malicious certificate against a malicious CRL then this may occur. Note that some applications automatically download CRLs based on a URL embedded in a certificate. This checking happens prior to the signatures on the certificate and CRL being verified. OpenSSL's s_server, s_client and verify tools have support for the "-crl_download" option which implements automatic CRL downloading and this attack has been demonstrated to work against those tools. Note that an unrelated bug means that affected versions of OpenSSL cannot parse or construct correct encodings of EDIPARTYNAME. However it is possible to construct a malformed EDIPARTYNAME that OpenSSL's parser will accept and hence trigger this attack. All OpenSSL 1.1.1 and 1.0.2 versions are affected by this issue. Other OpenSSL releases are out of support and have not been checked. Fixed in OpenSSL 1.1.1i (Affected 1.1.1-1.1.1h). 
Fixed in OpenSSL 1.0.2x (Affected 1.0.2-1.0.2w).", + "location": "bkimminich/juice-shop:v10.2.0", + "mitigation": "Update the affected package libssl1.1 to the fixed version: 1.1.1i-r0 or remove the package from the image.", + "name": "openssl: EDIPARTYNAME NULL pointer de-reference", + "osi_layer": "NOT_APPLICABLE", + "references": [ + { + "type": "CVE", + "value": "CVE-2020-1971", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2020-1971", + }, + { + "type": "URL", + "value": "http://www.openwall.com/lists/oss-security/2021/09/14/2", + }, + { + "type": "URL", + "value": "https://access.redhat.com/security/cve/CVE-2020-1971", + }, + { + "type": "URL", + "value": "https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf", + }, + { + "type": "URL", + "value": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=2154ab83e14ede338d2ede9bbe5cdfce5d5a6c9e", + }, + { + "type": "URL", + "value": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=f960d81215ebf3f65e03d4d5d857fb9b666d6920", + }, + { + "type": "URL", + "value": "https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44676", + }, + { + "type": "URL", + "value": "https://linux.oracle.com/cve/CVE-2020-1971.html", + }, + { + "type": "URL", + "value": "https://linux.oracle.com/errata/ELSA-2021-9150.html", + }, + { + "type": "URL", + "value": "https://lists.apache.org/thread.html/r63c6f2dd363d9b514d0a4bcf624580616a679898cc14c109a49b750c%40%3Cdev.tomcat.apache.org%3E", + }, + { + "type": "URL", + "value": "https://lists.apache.org/thread.html/rbb769f771711fb274e0a4acb1b5911c8aab544a6ac5e8c12d40c5143%40%3Ccommits.pulsar.apache.org%3E", + }, + { + "type": "URL", + "value": "https://lists.debian.org/debian-lts-announce/2020/12/msg00020.html", + }, + { + "type": "URL", + "value": "https://lists.debian.org/debian-lts-announce/2020/12/msg00021.html", + }, + { + "type": "URL", + "value": 
"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DGSI34Y5LQ5RYXN4M2I5ZQT65LFVDOUU/", + }, + { + "type": "URL", + "value": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PWPSSZNZOBJU2YR6Z4TGHXKYW3YP5QG7/", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2020-1971", + }, + { + "type": "URL", + "value": "https://security.FreeBSD.org/advisories/FreeBSD-SA-20:33.openssl.asc", + }, + { + "type": "URL", + "value": "https://security.gentoo.org/glsa/202012-13", + }, + { + "type": "URL", + "value": "https://security.netapp.com/advisory/ntap-20201218-0005/", + }, + { + "type": "URL", + "value": "https://security.netapp.com/advisory/ntap-20210513-0002/", + }, + { + "type": "URL", + "value": "https://security.netapp.com/advisory/ntap-20240621-0006/", + }, + { + "type": "URL", + "value": "https://ubuntu.com/security/notices/USN-4662-1", + }, + { + "type": "URL", + "value": "https://ubuntu.com/security/notices/USN-4745-1", + }, + { + "type": "URL", + "value": "https://www.cve.org/CVERecord?id=CVE-2020-1971", + }, + { + "type": "URL", + "value": "https://www.debian.org/security/2020/dsa-4807", + }, + { + "type": "URL", + "value": "https://www.openssl.org/news/secadv/20201208.txt", + }, + { + "type": "URL", + "value": "https://www.oracle.com//security-alerts/cpujul2021.html", + }, + { + "type": "URL", + "value": "https://www.oracle.com/security-alerts/cpuApr2021.html", + }, + { + "type": "URL", + "value": "https://www.oracle.com/security-alerts/cpuapr2022.html", + }, + { + "type": "URL", + "value": "https://www.oracle.com/security-alerts/cpujan2021.html", + }, + { + "type": "URL", + "value": "https://www.oracle.com/security-alerts/cpuoct2021.html", + }, + { + "type": "URL", + "value": "https://www.tenable.com/security/tns-2020-11", + }, + { + "type": "URL", + "value": "https://www.tenable.com/security/tns-2021-09", + }, + { + "type": "URL", + "value": 
"https://www.tenable.com/security/tns-2021-10", + }, + ], + "severity": "MEDIUM", + }, + { + "attributes": { + "fixedVersion": "1.1.1j-r0", + "foundIn": "bkimminich/juice-shop:v10.2.0 (alpine 3.11.5)", + "installedVersion": "1.1.1d-r3", + "packageName": "libssl1.1", + "references": [ + "http://seclists.org/fulldisclosure/2021/May/67", + "http://seclists.org/fulldisclosure/2021/May/68", + "http://seclists.org/fulldisclosure/2021/May/70", + "https://access.redhat.com/security/cve/CVE-2021-23841", + "https://cert-portal.siemens.com/productcert/pdf/ssa-637483.pdf", + "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=122a19ab48091c657f7cb1fb3af9fc07bd557bbf", + "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=8252ee4d90f3f2004d3d0aeeed003ad49c9a7807", + "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=122a19ab48091c657f7cb1fb3af9fc07bd557bbf", + "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=6a51b9e1d0cf0bf8515f7201b68fb0a3482b3dc1", + "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=8252ee4d90f3f2004d3d0aeeed003ad49c9a7807", + "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=9b1129239f3ebb1d1c98ce9ed41d5c9476c47cb2", + "https://github.com/alexcrichton/openssl-src-rs", + "https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44846", + "https://linux.oracle.com/cve/CVE-2021-23841.html", + "https://linux.oracle.com/errata/ELSA-2021-9561.html", + "https://nvd.nist.gov/vuln/detail/CVE-2021-23841", + "https://rustsec.org/advisories/RUSTSEC-2021-0058", + "https://rustsec.org/advisories/RUSTSEC-2021-0058.html", + "https://security.gentoo.org/glsa/202103-03", + "https://security.netapp.com/advisory/ntap-20210219-0009", + "https://security.netapp.com/advisory/ntap-20210219-0009/", + "https://security.netapp.com/advisory/ntap-20210513-0002", + "https://security.netapp.com/advisory/ntap-20210513-0002/", + "https://security.netapp.com/advisory/ntap-20240621-0006/", + 
"https://support.apple.com/kb/HT212528", + "https://support.apple.com/kb/HT212529", + "https://support.apple.com/kb/HT212534", + "https://ubuntu.com/security/notices/USN-4738-1", + "https://ubuntu.com/security/notices/USN-4745-1", + "https://www.cve.org/CVERecord?id=CVE-2021-23841", + "https://www.debian.org/security/2021/dsa-4855", + "https://www.openssl.org/news/secadv/20210216.txt", + "https://www.oracle.com//security-alerts/cpujul2021.html", + "https://www.oracle.com/security-alerts/cpuApr2021.html", + "https://www.oracle.com/security-alerts/cpuapr2022.html", + "https://www.oracle.com/security-alerts/cpuoct2021.html", + "https://www.tenable.com/security/tns-2021-03", + "https://www.tenable.com/security/tns-2021-09", + ], + "vulnerabilityId": "CVE-2021-23841", + }, + "category": "Image Vulnerability", + "description": "The OpenSSL public API function X509_issuer_and_serial_hash() attempts to create a unique hash value based on the issuer and serial number data contained within an X509 certificate. However it fails to correctly handle any errors that may occur while parsing the issuer field (which might occur if the issuer field is maliciously constructed). This may subsequently result in a NULL pointer deref and a crash leading to a potential denial of service attack. The function X509_issuer_and_serial_hash() is never directly called by OpenSSL itself so applications are only vulnerable if they use this function directly and they use it on certificates that may have been obtained from untrusted sources. OpenSSL versions 1.1.1i and below are affected by this issue. Users of these versions should upgrade to OpenSSL 1.1.1j. OpenSSL versions 1.0.2x and below are affected by this issue. However OpenSSL 1.0.2 is out of support and no longer receiving public updates. Premium support customers of OpenSSL 1.0.2 should upgrade to 1.0.2y. Other users should upgrade to 1.1.1j. Fixed in OpenSSL 1.1.1j (Affected 1.1.1-1.1.1i). 
Fixed in OpenSSL 1.0.2y (Affected 1.0.2-1.0.2x).", + "location": "bkimminich/juice-shop:v10.2.0", + "mitigation": "Update the affected package libssl1.1 to the fixed version: 1.1.1j-r0 or remove the package from the image.", + "name": "openssl: NULL pointer dereference in X509_issuer_and_serial_hash()", + "osi_layer": "NOT_APPLICABLE", + "references": [ + { + "type": "CVE", + "value": "CVE-2021-23841", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2021-23841", + }, + { + "type": "URL", + "value": "http://seclists.org/fulldisclosure/2021/May/67", + }, + { + "type": "URL", + "value": "http://seclists.org/fulldisclosure/2021/May/68", + }, + { + "type": "URL", + "value": "http://seclists.org/fulldisclosure/2021/May/70", + }, + { + "type": "URL", + "value": "https://access.redhat.com/security/cve/CVE-2021-23841", + }, + { + "type": "URL", + "value": "https://cert-portal.siemens.com/productcert/pdf/ssa-637483.pdf", + }, + { + "type": "URL", + "value": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=122a19ab48091c657f7cb1fb3af9fc07bd557bbf", + }, + { + "type": "URL", + "value": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=8252ee4d90f3f2004d3d0aeeed003ad49c9a7807", + }, + { + "type": "URL", + "value": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=122a19ab48091c657f7cb1fb3af9fc07bd557bbf", + }, + { + "type": "URL", + "value": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=6a51b9e1d0cf0bf8515f7201b68fb0a3482b3dc1", + }, + { + "type": "URL", + "value": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=8252ee4d90f3f2004d3d0aeeed003ad49c9a7807", + }, + { + "type": "URL", + "value": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=9b1129239f3ebb1d1c98ce9ed41d5c9476c47cb2", + }, + { + "type": "URL", + "value": "https://github.com/alexcrichton/openssl-src-rs", + }, + { + "type": "URL", + "value": 
"https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44846", + }, + { + "type": "URL", + "value": "https://linux.oracle.com/cve/CVE-2021-23841.html", + }, + { + "type": "URL", + "value": "https://linux.oracle.com/errata/ELSA-2021-9561.html", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2021-23841", + }, + { + "type": "URL", + "value": "https://rustsec.org/advisories/RUSTSEC-2021-0058", + }, + { + "type": "URL", + "value": "https://rustsec.org/advisories/RUSTSEC-2021-0058.html", + }, + { + "type": "URL", + "value": "https://security.gentoo.org/glsa/202103-03", + }, + { + "type": "URL", + "value": "https://security.netapp.com/advisory/ntap-20210219-0009", + }, + { + "type": "URL", + "value": "https://security.netapp.com/advisory/ntap-20210219-0009/", + }, + { + "type": "URL", + "value": "https://security.netapp.com/advisory/ntap-20210513-0002", + }, + { + "type": "URL", + "value": "https://security.netapp.com/advisory/ntap-20210513-0002/", + }, + { + "type": "URL", + "value": "https://security.netapp.com/advisory/ntap-20240621-0006/", + }, + { + "type": "URL", + "value": "https://support.apple.com/kb/HT212528", + }, + { + "type": "URL", + "value": "https://support.apple.com/kb/HT212529", + }, + { + "type": "URL", + "value": "https://support.apple.com/kb/HT212534", + }, + { + "type": "URL", + "value": "https://ubuntu.com/security/notices/USN-4738-1", + }, + { + "type": "URL", + "value": "https://ubuntu.com/security/notices/USN-4745-1", + }, + { + "type": "URL", + "value": "https://www.cve.org/CVERecord?id=CVE-2021-23841", + }, + { + "type": "URL", + "value": "https://www.debian.org/security/2021/dsa-4855", + }, + { + "type": "URL", + "value": "https://www.openssl.org/news/secadv/20210216.txt", + }, + { + "type": "URL", + "value": "https://www.oracle.com//security-alerts/cpujul2021.html", + }, + { + "type": "URL", + "value": "https://www.oracle.com/security-alerts/cpuApr2021.html", + }, + { + "type": "URL", + "value": 
"https://www.oracle.com/security-alerts/cpuapr2022.html", + }, + { + "type": "URL", + "value": "https://www.oracle.com/security-alerts/cpuoct2021.html", + }, + { + "type": "URL", + "value": "https://www.tenable.com/security/tns-2021-03", + }, + { + "type": "URL", + "value": "https://www.tenable.com/security/tns-2021-09", + }, + ], + "severity": "MEDIUM", + }, + { + "attributes": { + "fixedVersion": "1.1.1k-r0", + "foundIn": "bkimminich/juice-shop:v10.2.0 (alpine 3.11.5)", + "installedVersion": "1.1.1d-r3", + "packageName": "libssl1.1", + "references": [ + "http://www.openwall.com/lists/oss-security/2021/03/27/1", + "http://www.openwall.com/lists/oss-security/2021/03/27/2", + "http://www.openwall.com/lists/oss-security/2021/03/28/3", + "http://www.openwall.com/lists/oss-security/2021/03/28/4", + "https://access.redhat.com/security/cve/CVE-2021-3449", + "https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf", + "https://cert-portal.siemens.com/productcert/pdf/ssa-772220.pdf", + "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=fb9fa6b51defd48157eeb207f52181f735d96148", + "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=fb9fa6b51defd48157eeb207f52181f735d96148", + "https://github.com/alexcrichton/openssl-src-rs", + "https://github.com/nodejs/node/pull/38083", + "https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44845", + "https://kc.mcafee.com/corporate/index?page=content&id=SB10356", + "https://linux.oracle.com/cve/CVE-2021-3449.html", + "https://linux.oracle.com/errata/ELSA-2021-9151.html", + "https://lists.debian.org/debian-lts-announce/2021/08/msg00029.html", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CCBFLLVQVILIVGZMBJL3IXZGKWQISYNP/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CCBFLLVQVILIVGZMBJL3IXZGKWQISYNP", + "https://nvd.nist.gov/vuln/detail/CVE-2021-3449", + 
"https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0013", + "https://rustsec.org/advisories/RUSTSEC-2021-0055", + "https://rustsec.org/advisories/RUSTSEC-2021-0055.html", + "https://security.FreeBSD.org/advisories/FreeBSD-SA-21:07.openssl.asc", + "https://security.gentoo.org/glsa/202103-03", + "https://security.netapp.com/advisory/ntap-20210326-0006", + "https://security.netapp.com/advisory/ntap-20210326-0006/", + "https://security.netapp.com/advisory/ntap-20210513-0002", + "https://security.netapp.com/advisory/ntap-20210513-0002/", + "https://security.netapp.com/advisory/ntap-20240621-0006/", + "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-openssl-2021-GHY28dJd", + "https://ubuntu.com/security/notices/USN-4891-1", + "https://ubuntu.com/security/notices/USN-5038-1", + "https://www.cve.org/CVERecord?id=CVE-2021-3449", + "https://www.debian.org/security/2021/dsa-4875", + "https://www.openssl.org/news/secadv/20210325.txt", + "https://www.oracle.com//security-alerts/cpujul2021.html", + "https://www.oracle.com/security-alerts/cpuApr2021.html", + "https://www.oracle.com/security-alerts/cpuapr2022.html", + "https://www.oracle.com/security-alerts/cpujul2022.html", + "https://www.oracle.com/security-alerts/cpuoct2021.html", + "https://www.tenable.com/security/tns-2021-05", + "https://www.tenable.com/security/tns-2021-06", + "https://www.tenable.com/security/tns-2021-09", + "https://www.tenable.com/security/tns-2021-10", + ], + "vulnerabilityId": "CVE-2021-3449", + }, + "category": "Image Vulnerability", + "description": "An OpenSSL TLS server may crash if sent a maliciously crafted renegotiation ClientHello message from a client. If a TLSv1.2 renegotiation ClientHello omits the signature_algorithms extension (where it was present in the initial ClientHello), but includes a signature_algorithms_cert extension then a NULL pointer dereference will result, leading to a crash and a denial of service attack. 
A server is only vulnerable if it has TLSv1.2 and renegotiation enabled (which is the default configuration). OpenSSL TLS clients are not impacted by this issue. All OpenSSL 1.1.1 versions are affected by this issue. Users of these versions should upgrade to OpenSSL 1.1.1k. OpenSSL 1.0.2 is not impacted by this issue. Fixed in OpenSSL 1.1.1k (Affected 1.1.1-1.1.1j).", + "location": "bkimminich/juice-shop:v10.2.0", + "mitigation": "Update the affected package libssl1.1 to the fixed version: 1.1.1k-r0 or remove the package from the image.", + "name": "openssl: NULL pointer dereference in signature_algorithms processing", + "osi_layer": "NOT_APPLICABLE", + "references": [ + { + "type": "CVE", + "value": "CVE-2021-3449", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2021-3449", + }, + { + "type": "URL", + "value": "http://www.openwall.com/lists/oss-security/2021/03/27/1", + }, + { + "type": "URL", + "value": "http://www.openwall.com/lists/oss-security/2021/03/27/2", + }, + { + "type": "URL", + "value": "http://www.openwall.com/lists/oss-security/2021/03/28/3", + }, + { + "type": "URL", + "value": "http://www.openwall.com/lists/oss-security/2021/03/28/4", + }, + { + "type": "URL", + "value": "https://access.redhat.com/security/cve/CVE-2021-3449", + }, + { + "type": "URL", + "value": "https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf", + }, + { + "type": "URL", + "value": "https://cert-portal.siemens.com/productcert/pdf/ssa-772220.pdf", + }, + { + "type": "URL", + "value": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=fb9fa6b51defd48157eeb207f52181f735d96148", + }, + { + "type": "URL", + "value": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=fb9fa6b51defd48157eeb207f52181f735d96148", + }, + { + "type": "URL", + "value": "https://github.com/alexcrichton/openssl-src-rs", + }, + { + "type": "URL", + "value": "https://github.com/nodejs/node/pull/38083", + }, + { + "type": "URL", + "value": 
"https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44845", + }, + { + "type": "URL", + "value": "https://kc.mcafee.com/corporate/index?page=content&id=SB10356", + }, + { + "type": "URL", + "value": "https://linux.oracle.com/cve/CVE-2021-3449.html", + }, + { + "type": "URL", + "value": "https://linux.oracle.com/errata/ELSA-2021-9151.html", + }, + { + "type": "URL", + "value": "https://lists.debian.org/debian-lts-announce/2021/08/msg00029.html", + }, + { + "type": "URL", + "value": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CCBFLLVQVILIVGZMBJL3IXZGKWQISYNP/", + }, + { + "type": "URL", + "value": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CCBFLLVQVILIVGZMBJL3IXZGKWQISYNP", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2021-3449", + }, + { + "type": "URL", + "value": "https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0013", + }, + { + "type": "URL", + "value": "https://rustsec.org/advisories/RUSTSEC-2021-0055", + }, + { + "type": "URL", + "value": "https://rustsec.org/advisories/RUSTSEC-2021-0055.html", + }, + { + "type": "URL", + "value": "https://security.FreeBSD.org/advisories/FreeBSD-SA-21:07.openssl.asc", + }, + { + "type": "URL", + "value": "https://security.gentoo.org/glsa/202103-03", + }, + { + "type": "URL", + "value": "https://security.netapp.com/advisory/ntap-20210326-0006", + }, + { + "type": "URL", + "value": "https://security.netapp.com/advisory/ntap-20210326-0006/", + }, + { + "type": "URL", + "value": "https://security.netapp.com/advisory/ntap-20210513-0002", + }, + { + "type": "URL", + "value": "https://security.netapp.com/advisory/ntap-20210513-0002/", + }, + { + "type": "URL", + "value": "https://security.netapp.com/advisory/ntap-20240621-0006/", + }, + { + "type": "URL", + "value": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-openssl-2021-GHY28dJd", + }, + { 
+ "type": "URL", + "value": "https://ubuntu.com/security/notices/USN-4891-1", + }, + { + "type": "URL", + "value": "https://ubuntu.com/security/notices/USN-5038-1", + }, + { + "type": "URL", + "value": "https://www.cve.org/CVERecord?id=CVE-2021-3449", + }, + { + "type": "URL", + "value": "https://www.debian.org/security/2021/dsa-4875", + }, + { + "type": "URL", + "value": "https://www.openssl.org/news/secadv/20210325.txt", + }, + { + "type": "URL", + "value": "https://www.oracle.com//security-alerts/cpujul2021.html", + }, + { + "type": "URL", + "value": "https://www.oracle.com/security-alerts/cpuApr2021.html", + }, + { + "type": "URL", + "value": "https://www.oracle.com/security-alerts/cpuapr2022.html", + }, + { + "type": "URL", + "value": "https://www.oracle.com/security-alerts/cpujul2022.html", + }, + { + "type": "URL", + "value": "https://www.oracle.com/security-alerts/cpuoct2021.html", + }, + { + "type": "URL", + "value": "https://www.tenable.com/security/tns-2021-05", + }, + { + "type": "URL", + "value": "https://www.tenable.com/security/tns-2021-06", + }, + { + "type": "URL", + "value": "https://www.tenable.com/security/tns-2021-09", + }, + { + "type": "URL", + "value": "https://www.tenable.com/security/tns-2021-10", + }, + ], + "severity": "MEDIUM", + }, + { + "attributes": { + "fixedVersion": "1.1.1j-r0", + "foundIn": "bkimminich/juice-shop:v10.2.0 (alpine 3.11.5)", + "installedVersion": "1.1.1d-r3", + "packageName": "libssl1.1", + "references": [ + "https://access.redhat.com/security/cve/CVE-2021-23839", + "https://cert-portal.siemens.com/productcert/pdf/ssa-637483.pdf", + "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=30919ab80a478f2d81f2e9acdcca3fa4740cd547", + "https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44846", + "https://nvd.nist.gov/vuln/detail/CVE-2021-23839", + "https://security.netapp.com/advisory/ntap-20210219-0009/", + "https://security.netapp.com/advisory/ntap-20240621-0006/", + 
"https://www.cve.org/CVERecord?id=CVE-2021-23839", + "https://www.openssl.org/news/secadv/20210216.txt", + "https://www.oracle.com//security-alerts/cpujul2021.html", + "https://www.oracle.com/security-alerts/cpuApr2021.html", + "https://www.oracle.com/security-alerts/cpuapr2022.html", + "https://www.oracle.com/security-alerts/cpuoct2021.html", + ], + "vulnerabilityId": "CVE-2021-23839", + }, + "category": "Image Vulnerability", + "description": "OpenSSL 1.0.2 supports SSLv2. If a client attempts to negotiate SSLv2 with a server that is configured to support both SSLv2 and more recent SSL and TLS versions then a check is made for a version rollback attack when unpadding an RSA signature. Clients that support SSL or TLS versions greater than SSLv2 are supposed to use a special form of padding. A server that supports greater than SSLv2 is supposed to reject connection attempts from a client where this special form of padding is present, because this indicates that a version rollback has occurred (i.e. both client and server support greater than SSLv2, and yet this is the version that is being requested). The implementation of this padding check inverted the logic so that the connection attempt is accepted if the padding is present, and rejected if it is absent. This means that such as server will accept a connection if a version rollback attack has occurred. Further the server will erroneously reject a connection if a normal SSLv2 connection attempt is made. Only OpenSSL 1.0.2 servers from version 1.0.2s to 1.0.2x are affected by this issue. In order to be vulnerable a 1.0.2 server must: 1) have configured SSLv2 support at compile time (this is off by default), 2) have configured SSLv2 support at runtime (this is off by default), 3) have configured SSLv2 ciphersuites (these are not in the default ciphersuite list) OpenSSL 1.1.1 does not have SSLv2 support and therefore is not vulnerable to this issue. 
The underlying error is in the implementation of the RSA_padding_check_SSLv23() function. This also affects the RSA_SSLV23_PADDING padding mode used by various other functions. Although 1.1.1 does not support SSLv2 the RSA_padding_check_SSLv23() function still exists, as does the RSA_SSLV23_PADDING padding mode. Applications that directly call that function or use that padding mode will encounter this issue. However since there is no support for the SSLv2 protocol in 1.1.1 this is considered a bug and not a security issue in that version. OpenSSL 1.0.2 is out of support and no longer receiving public updates. Premium support customers of OpenSSL 1.0.2 should upgrade to 1.0.2y. Other users should upgrade to 1.1.1j. Fixed in OpenSSL 1.0.2y (Affected 1.0.2s-1.0.2x).", + "location": "bkimminich/juice-shop:v10.2.0", + "mitigation": "Update the affected package libssl1.1 to the fixed version: 1.1.1j-r0 or remove the package from the image.", + "name": "openssl: incorrect SSLv2 rollback protection", + "osi_layer": "NOT_APPLICABLE", + "references": [ + { + "type": "CVE", + "value": "CVE-2021-23839", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2021-23839", + }, + { + "type": "URL", + "value": "https://access.redhat.com/security/cve/CVE-2021-23839", + }, + { + "type": "URL", + "value": "https://cert-portal.siemens.com/productcert/pdf/ssa-637483.pdf", + }, + { + "type": "URL", + "value": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=30919ab80a478f2d81f2e9acdcca3fa4740cd547", + }, + { + "type": "URL", + "value": "https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44846", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2021-23839", + }, + { + "type": "URL", + "value": "https://security.netapp.com/advisory/ntap-20210219-0009/", + }, + { + "type": "URL", + "value": "https://security.netapp.com/advisory/ntap-20240621-0006/", + }, + { + "type": "URL", + "value": 
"https://www.cve.org/CVERecord?id=CVE-2021-23839", + }, + { + "type": "URL", + "value": "https://www.openssl.org/news/secadv/20210216.txt", + }, + { + "type": "URL", + "value": "https://www.oracle.com//security-alerts/cpujul2021.html", + }, + { + "type": "URL", + "value": "https://www.oracle.com/security-alerts/cpuApr2021.html", + }, + { + "type": "URL", + "value": "https://www.oracle.com/security-alerts/cpuapr2022.html", + }, + { + "type": "URL", + "value": "https://www.oracle.com/security-alerts/cpuoct2021.html", + }, + ], + "severity": "LOW", + }, + { + "attributes": { + "fixedVersion": "9.3.0-r0", + "foundIn": "bkimminich/juice-shop:v10.2.0 (alpine 3.11.5)", + "installedVersion": "9.2.0-r4", + "packageName": "libstdc++", + "references": [ + "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00056.html", + "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00057.html", + "http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00058.html", + "https://access.redhat.com/security/cve/CVE-2019-15847", + "https://gcc.gnu.org/bugzilla/show_bug.cgi?id=91481", + "https://gcc.gnu.org/git/?p=gcc.git;a=commit;h=457dac402027dd7e14543fbd59a75858422cf6c6", + "https://gcc.gnu.org/git/?p=gcc.git;a=commit;h=e99bfdd2a8db732ea84cf0a6486707e5e821ad7e", + "https://linux.oracle.com/cve/CVE-2019-15847.html", + "https://linux.oracle.com/errata/ELSA-2020-1864.html", + "https://nvd.nist.gov/vuln/detail/CVE-2019-15847", + "https://www.cve.org/CVERecord?id=CVE-2019-15847", + ], + "vulnerabilityId": "CVE-2019-15847", + }, + "category": "Image Vulnerability", + "description": "The POWER9 backend in GNU Compiler Collection (GCC) before version 10 could optimize multiple calls of the __builtin_darn intrinsic into a single call, thus reducing the entropy of the random number generator. This occurred because a volatile operation was not specified. 
For example, within a single execution of a program, the output of every __builtin_darn() call may be the same.", + "location": "bkimminich/juice-shop:v10.2.0", + "mitigation": "Update the affected package libstdc++ to the fixed version: 9.3.0-r0 or remove the package from the image.", + "name": "gcc: POWER9 "DARN" RNG intrinsic produces repeated output", + "osi_layer": "NOT_APPLICABLE", + "references": [ + { + "type": "CVE", + "value": "CVE-2019-15847", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2019-15847", + }, + { + "type": "URL", + "value": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00056.html", + }, + { + "type": "URL", + "value": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00057.html", + }, + { + "type": "URL", + "value": "http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00058.html", + }, + { + "type": "URL", + "value": "https://access.redhat.com/security/cve/CVE-2019-15847", + }, + { + "type": "URL", + "value": "https://gcc.gnu.org/bugzilla/show_bug.cgi?id=91481", + }, + { + "type": "URL", + "value": "https://gcc.gnu.org/git/?p=gcc.git;a=commit;h=457dac402027dd7e14543fbd59a75858422cf6c6", + }, + { + "type": "URL", + "value": "https://gcc.gnu.org/git/?p=gcc.git;a=commit;h=e99bfdd2a8db732ea84cf0a6486707e5e821ad7e", + }, + { + "type": "URL", + "value": "https://linux.oracle.com/cve/CVE-2019-15847.html", + }, + { + "type": "URL", + "value": "https://linux.oracle.com/errata/ELSA-2020-1864.html", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2019-15847", + }, + { + "type": "URL", + "value": "https://www.cve.org/CVERecord?id=CVE-2019-15847", + }, + ], + "severity": "HIGH", + }, + { + "attributes": { + "fixedVersion": "1.1.24-r3", + "foundIn": "bkimminich/juice-shop:v10.2.0 (alpine 3.11.5)", + "installedVersion": "1.1.24-r2", + "packageName": "musl", + "references": [ + "http://www.openwall.com/lists/oss-security/2020/11/20/4", + 
"https://lists.apache.org/thread.html/r2134abfe847bea7795f0e53756d10a47e6643f35ab8169df8b8a9eb1%40%3Cnotifications.apisix.apache.org%3E", + "https://lists.apache.org/thread.html/r90b60cf49348e515257b4950900c1bd3ab95a960cf2469d919c7264e%40%3Cnotifications.apisix.apache.org%3E", + "https://lists.apache.org/thread.html/ra63e8dc5137d952afc55dbbfa63be83304ecf842d1eab1ff3ebb29e2%40%3Cnotifications.apisix.apache.org%3E", + "https://lists.debian.org/debian-lts-announce/2020/11/msg00050.html", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LKQ3RVSMVZNZNO4D65W2CZZ4DMYFZN2Q/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UW27QVY7ERPTSGKS4KAWE5TU7EJWHKVQ/", + "https://musl.libc.org/releases.html", + "https://ubuntu.com/security/notices/USN-5990-1", + "https://www.cve.org/CVERecord?id=CVE-2020-28928", + "https://www.openwall.com/lists/oss-security/2020/11/20/4", + "https://www.oracle.com//security-alerts/cpujul2021.html", + "https://www.oracle.com/security-alerts/cpuoct2021.html", + ], + "vulnerabilityId": "CVE-2020-28928", + }, + "category": "Image Vulnerability", + "description": "In musl libc through 1.2.1, wcsnrtombs mishandles particular combinations of destination buffer size and source character limit, as demonstrated by an invalid write access (buffer overflow).", + "location": "bkimminich/juice-shop:v10.2.0", + "mitigation": "Update the affected package musl to the fixed version: 1.1.24-r3 or remove the package from the image.", + "name": "In musl libc through 1.2.1, wcsnrtombs mishandles particular combinati ...", + "osi_layer": "NOT_APPLICABLE", + "references": [ + { + "type": "CVE", + "value": "CVE-2020-28928", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2020-28928", + }, + { + "type": "URL", + "value": "http://www.openwall.com/lists/oss-security/2020/11/20/4", + }, + { + "type": "URL", + "value": 
"https://lists.apache.org/thread.html/r2134abfe847bea7795f0e53756d10a47e6643f35ab8169df8b8a9eb1%40%3Cnotifications.apisix.apache.org%3E", + }, + { + "type": "URL", + "value": "https://lists.apache.org/thread.html/r90b60cf49348e515257b4950900c1bd3ab95a960cf2469d919c7264e%40%3Cnotifications.apisix.apache.org%3E", + }, + { + "type": "URL", + "value": "https://lists.apache.org/thread.html/ra63e8dc5137d952afc55dbbfa63be83304ecf842d1eab1ff3ebb29e2%40%3Cnotifications.apisix.apache.org%3E", + }, + { + "type": "URL", + "value": "https://lists.debian.org/debian-lts-announce/2020/11/msg00050.html", + }, + { + "type": "URL", + "value": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LKQ3RVSMVZNZNO4D65W2CZZ4DMYFZN2Q/", + }, + { + "type": "URL", + "value": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UW27QVY7ERPTSGKS4KAWE5TU7EJWHKVQ/", + }, + { + "type": "URL", + "value": "https://musl.libc.org/releases.html", + }, + { + "type": "URL", + "value": "https://ubuntu.com/security/notices/USN-5990-1", + }, + { + "type": "URL", + "value": "https://www.cve.org/CVERecord?id=CVE-2020-28928", + }, + { + "type": "URL", + "value": "https://www.openwall.com/lists/oss-security/2020/11/20/4", + }, + { + "type": "URL", + "value": "https://www.oracle.com//security-alerts/cpujul2021.html", + }, + { + "type": "URL", + "value": "https://www.oracle.com/security-alerts/cpuoct2021.html", + }, + ], + "severity": "MEDIUM", + }, + { + "attributes": { + "fixedVersion": "1.1.24-r3", + "foundIn": "bkimminich/juice-shop:v10.2.0 (alpine 3.11.5)", + "installedVersion": "1.1.24-r2", + "packageName": "musl-utils", + "references": [ + "http://www.openwall.com/lists/oss-security/2020/11/20/4", + "https://lists.apache.org/thread.html/r2134abfe847bea7795f0e53756d10a47e6643f35ab8169df8b8a9eb1%40%3Cnotifications.apisix.apache.org%3E", + 
"https://lists.apache.org/thread.html/r90b60cf49348e515257b4950900c1bd3ab95a960cf2469d919c7264e%40%3Cnotifications.apisix.apache.org%3E", + "https://lists.apache.org/thread.html/ra63e8dc5137d952afc55dbbfa63be83304ecf842d1eab1ff3ebb29e2%40%3Cnotifications.apisix.apache.org%3E", + "https://lists.debian.org/debian-lts-announce/2020/11/msg00050.html", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LKQ3RVSMVZNZNO4D65W2CZZ4DMYFZN2Q/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UW27QVY7ERPTSGKS4KAWE5TU7EJWHKVQ/", + "https://musl.libc.org/releases.html", + "https://ubuntu.com/security/notices/USN-5990-1", + "https://www.cve.org/CVERecord?id=CVE-2020-28928", + "https://www.openwall.com/lists/oss-security/2020/11/20/4", + "https://www.oracle.com//security-alerts/cpujul2021.html", + "https://www.oracle.com/security-alerts/cpuoct2021.html", + ], + "vulnerabilityId": "CVE-2020-28928", + }, + "category": "Image Vulnerability", + "description": "In musl libc through 1.2.1, wcsnrtombs mishandles particular combinations of destination buffer size and source character limit, as demonstrated by an invalid write access (buffer overflow).", + "location": "bkimminich/juice-shop:v10.2.0", + "mitigation": "Update the affected package musl-utils to the fixed version: 1.1.24-r3 or remove the package from the image.", + "name": "In musl libc through 1.2.1, wcsnrtombs mishandles particular combinati ...", + "osi_layer": "NOT_APPLICABLE", + "references": [ + { + "type": "CVE", + "value": "CVE-2020-28928", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2020-28928", + }, + { + "type": "URL", + "value": "http://www.openwall.com/lists/oss-security/2020/11/20/4", + }, + { + "type": "URL", + "value": "https://lists.apache.org/thread.html/r2134abfe847bea7795f0e53756d10a47e6643f35ab8169df8b8a9eb1%40%3Cnotifications.apisix.apache.org%3E", + }, + { + "type": "URL", + 
"value": "https://lists.apache.org/thread.html/r90b60cf49348e515257b4950900c1bd3ab95a960cf2469d919c7264e%40%3Cnotifications.apisix.apache.org%3E", + }, + { + "type": "URL", + "value": "https://lists.apache.org/thread.html/ra63e8dc5137d952afc55dbbfa63be83304ecf842d1eab1ff3ebb29e2%40%3Cnotifications.apisix.apache.org%3E", + }, + { + "type": "URL", + "value": "https://lists.debian.org/debian-lts-announce/2020/11/msg00050.html", + }, + { + "type": "URL", + "value": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LKQ3RVSMVZNZNO4D65W2CZZ4DMYFZN2Q/", + }, + { + "type": "URL", + "value": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UW27QVY7ERPTSGKS4KAWE5TU7EJWHKVQ/", + }, + { + "type": "URL", + "value": "https://musl.libc.org/releases.html", + }, + { + "type": "URL", + "value": "https://ubuntu.com/security/notices/USN-5990-1", + }, + { + "type": "URL", + "value": "https://www.cve.org/CVERecord?id=CVE-2020-28928", + }, + { + "type": "URL", + "value": "https://www.openwall.com/lists/oss-security/2020/11/20/4", + }, + { + "type": "URL", + "value": "https://www.oracle.com//security-alerts/cpujul2021.html", + }, + { + "type": "URL", + "value": "https://www.oracle.com/security-alerts/cpuoct2021.html", + }, + ], + "severity": "MEDIUM", + }, + { + "attributes": { + "fixedVersion": "1.31.1-r10", + "foundIn": "bkimminich/juice-shop:v10.2.0 (alpine 3.11.5)", + "installedVersion": "1.31.1-r9", + "packageName": "ssl_client", + "references": [ + "https://access.redhat.com/security/cve/CVE-2021-28831", + "https://git.busybox.net/busybox/commit/?id=f25d254dfd4243698c31a4f3153d4ac72aa9e9bd", + "https://lists.debian.org/debian-lts-announce/2021/04/msg00001.html", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3UDQGJRECXFS5EZVDH2OI45FMO436AC4/", + 
"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Z7ZIFKPRR32ZYA3WAA2NXFA3QHHOU6FJ/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZASBW7QRRLY5V2R44MQ4QQM4CZIDHM2U/", + "https://nvd.nist.gov/vuln/detail/CVE-2021-28831", + "https://security.gentoo.org/glsa/202105-09", + "https://ubuntu.com/security/notices/USN-5179-1", + "https://ubuntu.com/security/notices/USN-5179-2", + "https://ubuntu.com/security/notices/USN-6335-1", + "https://www.cve.org/CVERecord?id=CVE-2021-28831", + ], + "vulnerabilityId": "CVE-2021-28831", + }, + "category": "Image Vulnerability", + "description": "decompress_gunzip.c in BusyBox through 1.32.1 mishandles the error bit on the huft_build result pointer, with a resultant invalid free or segmentation fault, via malformed gzip data.", + "location": "bkimminich/juice-shop:v10.2.0", + "mitigation": "Update the affected package ssl_client to the fixed version: 1.31.1-r10 or remove the package from the image.", + "name": "busybox: invalid free or segmentation fault via malformed gzip data", + "osi_layer": "NOT_APPLICABLE", + "references": [ + { + "type": "CVE", + "value": "CVE-2021-28831", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2021-28831", + }, + { + "type": "URL", + "value": "https://access.redhat.com/security/cve/CVE-2021-28831", + }, + { + "type": "URL", + "value": "https://git.busybox.net/busybox/commit/?id=f25d254dfd4243698c31a4f3153d4ac72aa9e9bd", + }, + { + "type": "URL", + "value": "https://lists.debian.org/debian-lts-announce/2021/04/msg00001.html", + }, + { + "type": "URL", + "value": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3UDQGJRECXFS5EZVDH2OI45FMO436AC4/", + }, + { + "type": "URL", + "value": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Z7ZIFKPRR32ZYA3WAA2NXFA3QHHOU6FJ/", + }, + { + 
"type": "URL", + "value": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZASBW7QRRLY5V2R44MQ4QQM4CZIDHM2U/", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2021-28831", + }, + { + "type": "URL", + "value": "https://security.gentoo.org/glsa/202105-09", + }, + { + "type": "URL", + "value": "https://ubuntu.com/security/notices/USN-5179-1", + }, + { + "type": "URL", + "value": "https://ubuntu.com/security/notices/USN-5179-2", + }, + { + "type": "URL", + "value": "https://ubuntu.com/security/notices/USN-6335-1", + }, + { + "type": "URL", + "value": "https://www.cve.org/CVERecord?id=CVE-2021-28831", + }, + ], + "severity": "HIGH", + }, + { + "attributes": { + "fixedVersion": "1.31.1-r11", + "foundIn": "bkimminich/juice-shop:v10.2.0 (alpine 3.11.5)", + "installedVersion": "1.31.1-r9", + "packageName": "ssl_client", + "references": [ + "https://access.redhat.com/security/cve/CVE-2021-42378", + "https://claroty.com/team82/research/unboxing-busybox-14-vulnerabilities-uncovered-by-claroty-jfrog", + "https://jfrog.com/blog/unboxing-busybox-14-new-vulnerabilities-uncovered-by-claroty-and-jfrog/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6T2TURBYYJGBMQTTN2DSOAIQGP7WCPGV/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UQXGOGWBIYWOIVXJVRKHZR34UMEHQBXS/", + "https://nvd.nist.gov/vuln/detail/CVE-2021-42378", + "https://security.netapp.com/advisory/ntap-20211223-0002/", + "https://ubuntu.com/security/notices/USN-5179-1", + "https://www.cve.org/CVERecord?id=CVE-2021-42378", + ], + "vulnerabilityId": "CVE-2021-42378", + }, + "category": "Image Vulnerability", + "description": "A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the getvar_i function", + "location": "bkimminich/juice-shop:v10.2.0", + "mitigation": 
"Update the affected package ssl_client to the fixed version: 1.31.1-r11 or remove the package from the image.", + "name": "busybox: use-after-free in awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the getvar_i()", + "osi_layer": "NOT_APPLICABLE", + "references": [ + { + "type": "CVE", + "value": "CVE-2021-42378", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2021-42378", + }, + { + "type": "URL", + "value": "https://access.redhat.com/security/cve/CVE-2021-42378", + }, + { + "type": "URL", + "value": "https://claroty.com/team82/research/unboxing-busybox-14-vulnerabilities-uncovered-by-claroty-jfrog", + }, + { + "type": "URL", + "value": "https://jfrog.com/blog/unboxing-busybox-14-new-vulnerabilities-uncovered-by-claroty-and-jfrog/", + }, + { + "type": "URL", + "value": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6T2TURBYYJGBMQTTN2DSOAIQGP7WCPGV/", + }, + { + "type": "URL", + "value": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UQXGOGWBIYWOIVXJVRKHZR34UMEHQBXS/", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2021-42378", + }, + { + "type": "URL", + "value": "https://security.netapp.com/advisory/ntap-20211223-0002/", + }, + { + "type": "URL", + "value": "https://ubuntu.com/security/notices/USN-5179-1", + }, + { + "type": "URL", + "value": "https://www.cve.org/CVERecord?id=CVE-2021-42378", + }, + ], + "severity": "HIGH", + }, + { + "attributes": { + "fixedVersion": "1.31.1-r11", + "foundIn": "bkimminich/juice-shop:v10.2.0 (alpine 3.11.5)", + "installedVersion": "1.31.1-r9", + "packageName": "ssl_client", + "references": [ + "https://access.redhat.com/security/cve/CVE-2021-42379", + "https://claroty.com/team82/research/unboxing-busybox-14-vulnerabilities-uncovered-by-claroty-jfrog", + 
"https://jfrog.com/blog/unboxing-busybox-14-new-vulnerabilities-uncovered-by-claroty-and-jfrog/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6T2TURBYYJGBMQTTN2DSOAIQGP7WCPGV/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UQXGOGWBIYWOIVXJVRKHZR34UMEHQBXS/", + "https://nvd.nist.gov/vuln/detail/CVE-2021-42379", + "https://security.netapp.com/advisory/ntap-20211223-0002/", + "https://ubuntu.com/security/notices/USN-5179-1", + "https://www.cve.org/CVERecord?id=CVE-2021-42379", + ], + "vulnerabilityId": "CVE-2021-42379", + }, + "category": "Image Vulnerability", + "description": "A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the next_input_file function", + "location": "bkimminich/juice-shop:v10.2.0", + "mitigation": "Update the affected package ssl_client to the fixed version: 1.31.1-r11 or remove the package from the image.", + "name": "busybox: use-after-free in awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the next_input_file()", + "osi_layer": "NOT_APPLICABLE", + "references": [ + { + "type": "CVE", + "value": "CVE-2021-42379", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2021-42379", + }, + { + "type": "URL", + "value": "https://access.redhat.com/security/cve/CVE-2021-42379", + }, + { + "type": "URL", + "value": "https://claroty.com/team82/research/unboxing-busybox-14-vulnerabilities-uncovered-by-claroty-jfrog", + }, + { + "type": "URL", + "value": "https://jfrog.com/blog/unboxing-busybox-14-new-vulnerabilities-uncovered-by-claroty-and-jfrog/", + }, + { + "type": "URL", + "value": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6T2TURBYYJGBMQTTN2DSOAIQGP7WCPGV/", + }, + { + "type": "URL", + "value": 
"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UQXGOGWBIYWOIVXJVRKHZR34UMEHQBXS/", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2021-42379", + }, + { + "type": "URL", + "value": "https://security.netapp.com/advisory/ntap-20211223-0002/", + }, + { + "type": "URL", + "value": "https://ubuntu.com/security/notices/USN-5179-1", + }, + { + "type": "URL", + "value": "https://www.cve.org/CVERecord?id=CVE-2021-42379", + }, + ], + "severity": "HIGH", + }, + { + "attributes": { + "fixedVersion": "1.31.1-r11", + "foundIn": "bkimminich/juice-shop:v10.2.0 (alpine 3.11.5)", + "installedVersion": "1.31.1-r9", + "packageName": "ssl_client", + "references": [ + "https://access.redhat.com/security/cve/CVE-2021-42380", + "https://claroty.com/team82/research/unboxing-busybox-14-vulnerabilities-uncovered-by-claroty-jfrog", + "https://jfrog.com/blog/unboxing-busybox-14-new-vulnerabilities-uncovered-by-claroty-and-jfrog/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6T2TURBYYJGBMQTTN2DSOAIQGP7WCPGV/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UQXGOGWBIYWOIVXJVRKHZR34UMEHQBXS/", + "https://nvd.nist.gov/vuln/detail/CVE-2021-42380", + "https://security.netapp.com/advisory/ntap-20211223-0002/", + "https://ubuntu.com/security/notices/USN-5179-1", + "https://www.cve.org/CVERecord?id=CVE-2021-42380", + ], + "vulnerabilityId": "CVE-2021-42380", + }, + "category": "Image Vulnerability", + "description": "A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the clrvar function", + "location": "bkimminich/juice-shop:v10.2.0", + "mitigation": "Update the affected package ssl_client to the fixed version: 1.31.1-r11 or remove the package from the image.", + "name": "busybox: use-after-free in awk applet leads to denial of 
service and possibly code execution when processing a crafted awk pattern in the clrvar()", + "osi_layer": "NOT_APPLICABLE", + "references": [ + { + "type": "CVE", + "value": "CVE-2021-42380", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2021-42380", + }, + { + "type": "URL", + "value": "https://access.redhat.com/security/cve/CVE-2021-42380", + }, + { + "type": "URL", + "value": "https://claroty.com/team82/research/unboxing-busybox-14-vulnerabilities-uncovered-by-claroty-jfrog", + }, + { + "type": "URL", + "value": "https://jfrog.com/blog/unboxing-busybox-14-new-vulnerabilities-uncovered-by-claroty-and-jfrog/", + }, + { + "type": "URL", + "value": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6T2TURBYYJGBMQTTN2DSOAIQGP7WCPGV/", + }, + { + "type": "URL", + "value": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UQXGOGWBIYWOIVXJVRKHZR34UMEHQBXS/", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2021-42380", + }, + { + "type": "URL", + "value": "https://security.netapp.com/advisory/ntap-20211223-0002/", + }, + { + "type": "URL", + "value": "https://ubuntu.com/security/notices/USN-5179-1", + }, + { + "type": "URL", + "value": "https://www.cve.org/CVERecord?id=CVE-2021-42380", + }, + ], + "severity": "HIGH", + }, + { + "attributes": { + "fixedVersion": "1.31.1-r11", + "foundIn": "bkimminich/juice-shop:v10.2.0 (alpine 3.11.5)", + "installedVersion": "1.31.1-r9", + "packageName": "ssl_client", + "references": [ + "https://access.redhat.com/security/cve/CVE-2021-42381", + "https://claroty.com/team82/research/unboxing-busybox-14-vulnerabilities-uncovered-by-claroty-jfrog", + "https://jfrog.com/blog/unboxing-busybox-14-new-vulnerabilities-uncovered-by-claroty-and-jfrog/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6T2TURBYYJGBMQTTN2DSOAIQGP7WCPGV/", + 
"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UQXGOGWBIYWOIVXJVRKHZR34UMEHQBXS/", + "https://nvd.nist.gov/vuln/detail/CVE-2021-42381", + "https://security.netapp.com/advisory/ntap-20211223-0002/", + "https://ubuntu.com/security/notices/USN-5179-1", + "https://www.cve.org/CVERecord?id=CVE-2021-42381", + ], + "vulnerabilityId": "CVE-2021-42381", + }, + "category": "Image Vulnerability", + "description": "A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the hash_init function", + "location": "bkimminich/juice-shop:v10.2.0", + "mitigation": "Update the affected package ssl_client to the fixed version: 1.31.1-r11 or remove the package from the image.", + "name": "busybox: use-after-free in awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the hash_init()", + "osi_layer": "NOT_APPLICABLE", + "references": [ + { + "type": "CVE", + "value": "CVE-2021-42381", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2021-42381", + }, + { + "type": "URL", + "value": "https://access.redhat.com/security/cve/CVE-2021-42381", + }, + { + "type": "URL", + "value": "https://claroty.com/team82/research/unboxing-busybox-14-vulnerabilities-uncovered-by-claroty-jfrog", + }, + { + "type": "URL", + "value": "https://jfrog.com/blog/unboxing-busybox-14-new-vulnerabilities-uncovered-by-claroty-and-jfrog/", + }, + { + "type": "URL", + "value": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6T2TURBYYJGBMQTTN2DSOAIQGP7WCPGV/", + }, + { + "type": "URL", + "value": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UQXGOGWBIYWOIVXJVRKHZR34UMEHQBXS/", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2021-42381", + }, + { + "type": "URL", + "value": 
"https://security.netapp.com/advisory/ntap-20211223-0002/", + }, + { + "type": "URL", + "value": "https://ubuntu.com/security/notices/USN-5179-1", + }, + { + "type": "URL", + "value": "https://www.cve.org/CVERecord?id=CVE-2021-42381", + }, + ], + "severity": "HIGH", + }, + { + "attributes": { + "fixedVersion": "1.31.1-r11", + "foundIn": "bkimminich/juice-shop:v10.2.0 (alpine 3.11.5)", + "installedVersion": "1.31.1-r9", + "packageName": "ssl_client", + "references": [ + "https://access.redhat.com/security/cve/CVE-2021-42382", + "https://claroty.com/team82/research/unboxing-busybox-14-vulnerabilities-uncovered-by-claroty-jfrog", + "https://jfrog.com/blog/unboxing-busybox-14-new-vulnerabilities-uncovered-by-claroty-and-jfrog/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6T2TURBYYJGBMQTTN2DSOAIQGP7WCPGV/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UQXGOGWBIYWOIVXJVRKHZR34UMEHQBXS/", + "https://nvd.nist.gov/vuln/detail/CVE-2021-42382", + "https://security.netapp.com/advisory/ntap-20211223-0002/", + "https://ubuntu.com/security/notices/USN-5179-1", + "https://www.cve.org/CVERecord?id=CVE-2021-42382", + ], + "vulnerabilityId": "CVE-2021-42382", + }, + "category": "Image Vulnerability", + "description": "A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the getvar_s function", + "location": "bkimminich/juice-shop:v10.2.0", + "mitigation": "Update the affected package ssl_client to the fixed version: 1.31.1-r11 or remove the package from the image.", + "name": "busybox: use-after-free in awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the getvar_s()", + "osi_layer": "NOT_APPLICABLE", + "references": [ + { + "type": "CVE", + "value": "CVE-2021-42382", + }, + { + "type": "URL", + "value": 
"https://nvd.nist.gov/vuln/detail/CVE-2021-42382", + }, + { + "type": "URL", + "value": "https://access.redhat.com/security/cve/CVE-2021-42382", + }, + { + "type": "URL", + "value": "https://claroty.com/team82/research/unboxing-busybox-14-vulnerabilities-uncovered-by-claroty-jfrog", + }, + { + "type": "URL", + "value": "https://jfrog.com/blog/unboxing-busybox-14-new-vulnerabilities-uncovered-by-claroty-and-jfrog/", + }, + { + "type": "URL", + "value": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6T2TURBYYJGBMQTTN2DSOAIQGP7WCPGV/", + }, + { + "type": "URL", + "value": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UQXGOGWBIYWOIVXJVRKHZR34UMEHQBXS/", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2021-42382", + }, + { + "type": "URL", + "value": "https://security.netapp.com/advisory/ntap-20211223-0002/", + }, + { + "type": "URL", + "value": "https://ubuntu.com/security/notices/USN-5179-1", + }, + { + "type": "URL", + "value": "https://www.cve.org/CVERecord?id=CVE-2021-42382", + }, + ], + "severity": "HIGH", + }, + { + "attributes": { + "fixedVersion": "1.31.1-r11", + "foundIn": "bkimminich/juice-shop:v10.2.0 (alpine 3.11.5)", + "installedVersion": "1.31.1-r9", + "packageName": "ssl_client", + "references": [ + "https://access.redhat.com/security/cve/CVE-2021-42383", + "https://claroty.com/team82/research/unboxing-busybox-14-vulnerabilities-uncovered-by-claroty-jfrog", + "https://jfrog.com/blog/unboxing-busybox-14-new-vulnerabilities-uncovered-by-claroty-and-jfrog/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6T2TURBYYJGBMQTTN2DSOAIQGP7WCPGV/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UQXGOGWBIYWOIVXJVRKHZR34UMEHQBXS/", + "https://nvd.nist.gov/vuln/detail/CVE-2021-42383", + 
"https://security.netapp.com/advisory/ntap-20211223-0002/", + "https://www.cve.org/CVERecord?id=CVE-2021-42383", + ], + "vulnerabilityId": "CVE-2021-42383", + }, + "category": "Image Vulnerability", + "description": "A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the evaluate function", + "location": "bkimminich/juice-shop:v10.2.0", + "mitigation": "Update the affected package ssl_client to the fixed version: 1.31.1-r11 or remove the package from the image.", + "name": "busybox: use-after-free in awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the evaluate()", + "osi_layer": "NOT_APPLICABLE", + "references": [ + { + "type": "CVE", + "value": "CVE-2021-42383", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2021-42383", + }, + { + "type": "URL", + "value": "https://access.redhat.com/security/cve/CVE-2021-42383", + }, + { + "type": "URL", + "value": "https://claroty.com/team82/research/unboxing-busybox-14-vulnerabilities-uncovered-by-claroty-jfrog", + }, + { + "type": "URL", + "value": "https://jfrog.com/blog/unboxing-busybox-14-new-vulnerabilities-uncovered-by-claroty-and-jfrog/", + }, + { + "type": "URL", + "value": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6T2TURBYYJGBMQTTN2DSOAIQGP7WCPGV/", + }, + { + "type": "URL", + "value": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UQXGOGWBIYWOIVXJVRKHZR34UMEHQBXS/", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2021-42383", + }, + { + "type": "URL", + "value": "https://security.netapp.com/advisory/ntap-20211223-0002/", + }, + { + "type": "URL", + "value": "https://www.cve.org/CVERecord?id=CVE-2021-42383", + }, + ], + "severity": "HIGH", + }, + { + "attributes": { + "fixedVersion": "1.31.1-r11", + "foundIn": 
"bkimminich/juice-shop:v10.2.0 (alpine 3.11.5)", + "installedVersion": "1.31.1-r9", + "packageName": "ssl_client", + "references": [ + "https://access.redhat.com/security/cve/CVE-2021-42384", + "https://claroty.com/team82/research/unboxing-busybox-14-vulnerabilities-uncovered-by-claroty-jfrog", + "https://jfrog.com/blog/unboxing-busybox-14-new-vulnerabilities-uncovered-by-claroty-and-jfrog/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6T2TURBYYJGBMQTTN2DSOAIQGP7WCPGV/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UQXGOGWBIYWOIVXJVRKHZR34UMEHQBXS/", + "https://nvd.nist.gov/vuln/detail/CVE-2021-42384", + "https://security.netapp.com/advisory/ntap-20211223-0002/", + "https://ubuntu.com/security/notices/USN-5179-1", + "https://www.cve.org/CVERecord?id=CVE-2021-42384", + ], + "vulnerabilityId": "CVE-2021-42384", + }, + "category": "Image Vulnerability", + "description": "A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the handle_special function", + "location": "bkimminich/juice-shop:v10.2.0", + "mitigation": "Update the affected package ssl_client to the fixed version: 1.31.1-r11 or remove the package from the image.", + "name": "busybox: use-after-free in awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the handle_special()", + "osi_layer": "NOT_APPLICABLE", + "references": [ + { + "type": "CVE", + "value": "CVE-2021-42384", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2021-42384", + }, + { + "type": "URL", + "value": "https://access.redhat.com/security/cve/CVE-2021-42384", + }, + { + "type": "URL", + "value": "https://claroty.com/team82/research/unboxing-busybox-14-vulnerabilities-uncovered-by-claroty-jfrog", + }, + { + "type": "URL", + "value": 
"https://jfrog.com/blog/unboxing-busybox-14-new-vulnerabilities-uncovered-by-claroty-and-jfrog/", + }, + { + "type": "URL", + "value": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6T2TURBYYJGBMQTTN2DSOAIQGP7WCPGV/", + }, + { + "type": "URL", + "value": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UQXGOGWBIYWOIVXJVRKHZR34UMEHQBXS/", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2021-42384", + }, + { + "type": "URL", + "value": "https://security.netapp.com/advisory/ntap-20211223-0002/", + }, + { + "type": "URL", + "value": "https://ubuntu.com/security/notices/USN-5179-1", + }, + { + "type": "URL", + "value": "https://www.cve.org/CVERecord?id=CVE-2021-42384", + }, + ], + "severity": "HIGH", + }, + { + "attributes": { + "fixedVersion": "1.31.1-r11", + "foundIn": "bkimminich/juice-shop:v10.2.0 (alpine 3.11.5)", + "installedVersion": "1.31.1-r9", + "packageName": "ssl_client", + "references": [ + "https://access.redhat.com/security/cve/CVE-2021-42385", + "https://claroty.com/team82/research/unboxing-busybox-14-vulnerabilities-uncovered-by-claroty-jfrog", + "https://jfrog.com/blog/unboxing-busybox-14-new-vulnerabilities-uncovered-by-claroty-and-jfrog/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6T2TURBYYJGBMQTTN2DSOAIQGP7WCPGV/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UQXGOGWBIYWOIVXJVRKHZR34UMEHQBXS/", + "https://nvd.nist.gov/vuln/detail/CVE-2021-42385", + "https://security.netapp.com/advisory/ntap-20211223-0002/", + "https://ubuntu.com/security/notices/USN-5179-1", + "https://www.cve.org/CVERecord?id=CVE-2021-42385", + ], + "vulnerabilityId": "CVE-2021-42385", + }, + "category": "Image Vulnerability", + "description": "A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when 
processing a crafted awk pattern in the evaluate function", + "location": "bkimminich/juice-shop:v10.2.0", + "mitigation": "Update the affected package ssl_client to the fixed version: 1.31.1-r11 or remove the package from the image.", + "name": "busybox: use-after-free in awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the evaluate()", + "osi_layer": "NOT_APPLICABLE", + "references": [ + { + "type": "CVE", + "value": "CVE-2021-42385", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2021-42385", + }, + { + "type": "URL", + "value": "https://access.redhat.com/security/cve/CVE-2021-42385", + }, + { + "type": "URL", + "value": "https://claroty.com/team82/research/unboxing-busybox-14-vulnerabilities-uncovered-by-claroty-jfrog", + }, + { + "type": "URL", + "value": "https://jfrog.com/blog/unboxing-busybox-14-new-vulnerabilities-uncovered-by-claroty-and-jfrog/", + }, + { + "type": "URL", + "value": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6T2TURBYYJGBMQTTN2DSOAIQGP7WCPGV/", + }, + { + "type": "URL", + "value": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UQXGOGWBIYWOIVXJVRKHZR34UMEHQBXS/", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2021-42385", + }, + { + "type": "URL", + "value": "https://security.netapp.com/advisory/ntap-20211223-0002/", + }, + { + "type": "URL", + "value": "https://ubuntu.com/security/notices/USN-5179-1", + }, + { + "type": "URL", + "value": "https://www.cve.org/CVERecord?id=CVE-2021-42385", + }, + ], + "severity": "HIGH", + }, + { + "attributes": { + "fixedVersion": "1.31.1-r11", + "foundIn": "bkimminich/juice-shop:v10.2.0 (alpine 3.11.5)", + "installedVersion": "1.31.1-r9", + "packageName": "ssl_client", + "references": [ + "https://access.redhat.com/security/cve/CVE-2021-42386", + 
"https://claroty.com/team82/research/unboxing-busybox-14-vulnerabilities-uncovered-by-claroty-jfrog", + "https://jfrog.com/blog/unboxing-busybox-14-new-vulnerabilities-uncovered-by-claroty-and-jfrog/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6T2TURBYYJGBMQTTN2DSOAIQGP7WCPGV/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UQXGOGWBIYWOIVXJVRKHZR34UMEHQBXS/", + "https://nvd.nist.gov/vuln/detail/CVE-2021-42386", + "https://security.netapp.com/advisory/ntap-20211223-0002/", + "https://ubuntu.com/security/notices/USN-5179-1", + "https://www.cve.org/CVERecord?id=CVE-2021-42386", + ], + "vulnerabilityId": "CVE-2021-42386", + }, + "category": "Image Vulnerability", + "description": "A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the nvalloc function", + "location": "bkimminich/juice-shop:v10.2.0", + "mitigation": "Update the affected package ssl_client to the fixed version: 1.31.1-r11 or remove the package from the image.", + "name": "busybox: use-after-free in awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the nvalloc()", + "osi_layer": "NOT_APPLICABLE", + "references": [ + { + "type": "CVE", + "value": "CVE-2021-42386", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2021-42386", + }, + { + "type": "URL", + "value": "https://access.redhat.com/security/cve/CVE-2021-42386", + }, + { + "type": "URL", + "value": "https://claroty.com/team82/research/unboxing-busybox-14-vulnerabilities-uncovered-by-claroty-jfrog", + }, + { + "type": "URL", + "value": "https://jfrog.com/blog/unboxing-busybox-14-new-vulnerabilities-uncovered-by-claroty-and-jfrog/", + }, + { + "type": "URL", + "value": 
"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6T2TURBYYJGBMQTTN2DSOAIQGP7WCPGV/", + }, + { + "type": "URL", + "value": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UQXGOGWBIYWOIVXJVRKHZR34UMEHQBXS/", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2021-42386", + }, + { + "type": "URL", + "value": "https://security.netapp.com/advisory/ntap-20211223-0002/", + }, + { + "type": "URL", + "value": "https://ubuntu.com/security/notices/USN-5179-1", + }, + { + "type": "URL", + "value": "https://www.cve.org/CVERecord?id=CVE-2021-42386", + }, + ], + "severity": "HIGH", + }, + { + "attributes": { + "fixedVersion": "1.31.1-r11", + "foundIn": "bkimminich/juice-shop:v10.2.0 (alpine 3.11.5)", + "installedVersion": "1.31.1-r9", + "packageName": "ssl_client", + "references": [ + "https://access.redhat.com/security/cve/CVE-2021-42374", + "https://claroty.com/team82/research/unboxing-busybox-14-vulnerabilities-uncovered-by-claroty-jfrog", + "https://jfrog.com/blog/unboxing-busybox-14-new-vulnerabilities-uncovered-by-claroty-and-jfrog/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6T2TURBYYJGBMQTTN2DSOAIQGP7WCPGV/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UQXGOGWBIYWOIVXJVRKHZR34UMEHQBXS/", + "https://nvd.nist.gov/vuln/detail/CVE-2021-42374", + "https://security.netapp.com/advisory/ntap-20211223-0002/", + "https://ubuntu.com/security/notices/USN-5179-1", + "https://www.cve.org/CVERecord?id=CVE-2021-42374", + ], + "vulnerabilityId": "CVE-2021-42374", + }, + "category": "Image Vulnerability", + "description": "An out-of-bounds heap read in Busybox's unlzma applet leads to information leak and denial of service when crafted LZMA-compressed input is decompressed. 
This can be triggered by any applet/format that", + "location": "bkimminich/juice-shop:v10.2.0", + "mitigation": "Update the affected package ssl_client to the fixed version: 1.31.1-r11 or remove the package from the image.", + "name": "busybox: out-of-bounds read in unlzma applet leads to information leak and denial of service when crafted LZMA-compressed input is decompressed", + "osi_layer": "NOT_APPLICABLE", + "references": [ + { + "type": "CVE", + "value": "CVE-2021-42374", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2021-42374", + }, + { + "type": "URL", + "value": "https://access.redhat.com/security/cve/CVE-2021-42374", + }, + { + "type": "URL", + "value": "https://claroty.com/team82/research/unboxing-busybox-14-vulnerabilities-uncovered-by-claroty-jfrog", + }, + { + "type": "URL", + "value": "https://jfrog.com/blog/unboxing-busybox-14-new-vulnerabilities-uncovered-by-claroty-and-jfrog/", + }, + { + "type": "URL", + "value": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6T2TURBYYJGBMQTTN2DSOAIQGP7WCPGV/", + }, + { + "type": "URL", + "value": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UQXGOGWBIYWOIVXJVRKHZR34UMEHQBXS/", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2021-42374", + }, + { + "type": "URL", + "value": "https://security.netapp.com/advisory/ntap-20211223-0002/", + }, + { + "type": "URL", + "value": "https://ubuntu.com/security/notices/USN-5179-1", + }, + { + "type": "URL", + "value": "https://www.cve.org/CVERecord?id=CVE-2021-42374", + }, + ], + "severity": "MEDIUM", + }, + { + "attributes": { + "fixedVersion": "1.2.11-r4", + "foundIn": "bkimminich/juice-shop:v10.2.0 (alpine 3.11.5)", + "installedVersion": "1.2.11-r3", + "packageName": "zlib", + "references": [ + "http://seclists.org/fulldisclosure/2022/Oct/37", + "http://seclists.org/fulldisclosure/2022/Oct/38", + 
"http://seclists.org/fulldisclosure/2022/Oct/41", + "http://seclists.org/fulldisclosure/2022/Oct/42", + "http://www.openwall.com/lists/oss-security/2022/08/05/2", + "http://www.openwall.com/lists/oss-security/2022/08/09/1", + "https://access.redhat.com/errata/RHSA-2022:8291", + "https://access.redhat.com/security/cve/CVE-2022-37434", + "https://bugzilla.redhat.com/2116639", + "https://bugzilla.redhat.com/show_bug.cgi?id=2053198", + "https://bugzilla.redhat.com/show_bug.cgi?id=2077431", + "https://bugzilla.redhat.com/show_bug.cgi?id=2081296", + "https://bugzilla.redhat.com/show_bug.cgi?id=2116639", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-37434", + "https://errata.almalinux.org/9/ALSA-2022-8291.html", + "https://errata.rockylinux.org/RLSA-2022:8291", + "https://github.com/curl/curl/issues/9271", + "https://github.com/ivd38/zlib_overflow", + "https://github.com/madler/zlib/blob/21767c654d31d2dccdde4330529775c6c5fd5389/zlib.h#L1062-L1063", + "https://github.com/madler/zlib/commit/eff308af425b67093bab25f80f1ae950166bece1", + "https://github.com/nodejs/node/blob/75b68c6e4db515f76df73af476eccf382bbcb00a/deps/zlib/inflate.c#L762-L764", + "https://linux.oracle.com/cve/CVE-2022-37434.html", + "https://linux.oracle.com/errata/ELSA-2023-1095.html", + "https://lists.debian.org/debian-lts-announce/2022/09/msg00012.html", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JWN4VE3JQR4O2SOUS5TXNLANRPMHWV4I/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NMBOJ77A7T7PQCARMDUK75TE6LLESZ3O/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PAVPQNCG3XRLCLNSQRM3KAN5ZFMVXVTY/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/X5U7OTKZSHY2I3ZFJSR2SHFHW72RKGDK/", + 
"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YRQAI7H4M4RQZ2IWZUEEXECBE5D56BH2/", + "https://nvd.nist.gov/vuln/detail/CVE-2022-37434", + "https://security.netapp.com/advisory/ntap-20220901-0005/", + "https://security.netapp.com/advisory/ntap-20230427-0007/", + "https://support.apple.com/kb/HT213488", + "https://support.apple.com/kb/HT213489", + "https://support.apple.com/kb/HT213490", + "https://support.apple.com/kb/HT213491", + "https://support.apple.com/kb/HT213493", + "https://support.apple.com/kb/HT213494", + "https://ubuntu.com/security/notices/USN-5570-1", + "https://ubuntu.com/security/notices/USN-5570-2", + "https://ubuntu.com/security/notices/USN-5573-1", + "https://ubuntu.com/security/notices/USN-6736-1", + "https://ubuntu.com/security/notices/USN-6736-2", + "https://www.cve.org/CVERecord?id=CVE-2022-37434", + "https://www.debian.org/security/2022/dsa-5218", + ], + "vulnerabilityId": "CVE-2022-37434", + }, + "category": "Image Vulnerability", + "description": "zlib through 1.2.12 has a heap-based buffer over-read or buffer overflow in inflate in inflate.c via a large gzip header extra field. NOTE: only applications that call inflateGetHeader are affected. 
Some common applications bundle the affected zlib source code but may be unable to call inflateGetHeader (e.g., see the nodejs/node reference).", + "location": "bkimminich/juice-shop:v10.2.0", + "mitigation": "Update the affected package zlib to the fixed version: 1.2.11-r4 or remove the package from the image.", + "name": "zlib: heap-based buffer over-read and overflow in inflate() in inflate.c via a large gzip header extra field", + "osi_layer": "NOT_APPLICABLE", + "references": [ + { + "type": "CVE", + "value": "CVE-2022-37434", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2022-37434", + }, + { + "type": "URL", + "value": "http://seclists.org/fulldisclosure/2022/Oct/37", + }, + { + "type": "URL", + "value": "http://seclists.org/fulldisclosure/2022/Oct/38", + }, + { + "type": "URL", + "value": "http://seclists.org/fulldisclosure/2022/Oct/41", + }, + { + "type": "URL", + "value": "http://seclists.org/fulldisclosure/2022/Oct/42", + }, + { + "type": "URL", + "value": "http://www.openwall.com/lists/oss-security/2022/08/05/2", + }, + { + "type": "URL", + "value": "http://www.openwall.com/lists/oss-security/2022/08/09/1", + }, + { + "type": "URL", + "value": "https://access.redhat.com/errata/RHSA-2022:8291", + }, + { + "type": "URL", + "value": "https://access.redhat.com/security/cve/CVE-2022-37434", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/2116639", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/show_bug.cgi?id=2053198", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/show_bug.cgi?id=2077431", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/show_bug.cgi?id=2081296", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/show_bug.cgi?id=2116639", + }, + { + "type": "URL", + "value": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-37434", + }, + { + "type": "URL", + "value": "https://errata.almalinux.org/9/ALSA-2022-8291.html", + }, + { + 
"type": "URL", + "value": "https://errata.rockylinux.org/RLSA-2022:8291", + }, + { + "type": "URL", + "value": "https://github.com/curl/curl/issues/9271", + }, + { + "type": "URL", + "value": "https://github.com/ivd38/zlib_overflow", + }, + { + "type": "URL", + "value": "https://github.com/madler/zlib/blob/21767c654d31d2dccdde4330529775c6c5fd5389/zlib.h#L1062-L1063", + }, + { + "type": "URL", + "value": "https://github.com/madler/zlib/commit/eff308af425b67093bab25f80f1ae950166bece1", + }, + { + "type": "URL", + "value": "https://github.com/nodejs/node/blob/75b68c6e4db515f76df73af476eccf382bbcb00a/deps/zlib/inflate.c#L762-L764", + }, + { + "type": "URL", + "value": "https://linux.oracle.com/cve/CVE-2022-37434.html", + }, + { + "type": "URL", + "value": "https://linux.oracle.com/errata/ELSA-2023-1095.html", + }, + { + "type": "URL", + "value": "https://lists.debian.org/debian-lts-announce/2022/09/msg00012.html", + }, + { + "type": "URL", + "value": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JWN4VE3JQR4O2SOUS5TXNLANRPMHWV4I/", + }, + { + "type": "URL", + "value": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NMBOJ77A7T7PQCARMDUK75TE6LLESZ3O/", + }, + { + "type": "URL", + "value": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PAVPQNCG3XRLCLNSQRM3KAN5ZFMVXVTY/", + }, + { + "type": "URL", + "value": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/X5U7OTKZSHY2I3ZFJSR2SHFHW72RKGDK/", + }, + { + "type": "URL", + "value": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YRQAI7H4M4RQZ2IWZUEEXECBE5D56BH2/", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2022-37434", + }, + { + "type": "URL", + "value": "https://security.netapp.com/advisory/ntap-20220901-0005/", + }, + { + "type": "URL", + 
"value": "https://security.netapp.com/advisory/ntap-20230427-0007/", + }, + { + "type": "URL", + "value": "https://support.apple.com/kb/HT213488", + }, + { + "type": "URL", + "value": "https://support.apple.com/kb/HT213489", + }, + { + "type": "URL", + "value": "https://support.apple.com/kb/HT213490", + }, + { + "type": "URL", + "value": "https://support.apple.com/kb/HT213491", + }, + { + "type": "URL", + "value": "https://support.apple.com/kb/HT213493", + }, + { + "type": "URL", + "value": "https://support.apple.com/kb/HT213494", + }, + { + "type": "URL", + "value": "https://ubuntu.com/security/notices/USN-5570-1", + }, + { + "type": "URL", + "value": "https://ubuntu.com/security/notices/USN-5570-2", + }, + { + "type": "URL", + "value": "https://ubuntu.com/security/notices/USN-5573-1", + }, + { + "type": "URL", + "value": "https://ubuntu.com/security/notices/USN-6736-1", + }, + { + "type": "URL", + "value": "https://ubuntu.com/security/notices/USN-6736-2", + }, + { + "type": "URL", + "value": "https://www.cve.org/CVERecord?id=CVE-2022-37434", + }, + { + "type": "URL", + "value": "https://www.debian.org/security/2022/dsa-5218", + }, + ], + "severity": "HIGH", + }, + { + "attributes": { + "fixedVersion": "6.12.3", + "foundIn": "Node.js", + "installedVersion": "5.5.2", + "packageName": "ajv", + "references": [ + "https://access.redhat.com/security/cve/CVE-2020-15366", + "https://errata.almalinux.org/8/ALSA-2021-0551.html", + "https://github.com/ajv-validator/ajv", + "https://github.com/ajv-validator/ajv/commit/65b2f7d76b190ac63a0d4e9154c712d7aa37049f", + "https://github.com/ajv-validator/ajv/releases/tag/v6.12.3", + "https://github.com/ajv-validator/ajv/tags", + "https://hackerone.com/bugs?subject=user&report_id=894259", + "https://linux.oracle.com/cve/CVE-2020-15366.html", + "https://linux.oracle.com/errata/ELSA-2021-0551.html", + "https://nvd.nist.gov/vuln/detail/CVE-2020-15366", + "https://security.netapp.com/advisory/ntap-20240621-0007", + 
"https://security.netapp.com/advisory/ntap-20240621-0007/", + "https://snyk.io/vuln/SNYK-JS-AJV-584908", + "https://www.cve.org/CVERecord?id=CVE-2020-15366", + ], + "vulnerabilityId": "CVE-2020-15366", + }, + "category": "NPM Package Vulnerability", + "description": "An issue was discovered in ajv.validate() in Ajv (aka Another JSON Schema Validator) 6.12.2. A carefully crafted JSON schema could be provided that allows execution of other code by prototype pollution. (While untrusted schemas are recommended against, the worst case of an untrusted schema should be a denial of service, not execution of code.)", + "location": "bkimminich/juice-shop:v10.2.0", + "mitigation": "Update the affected package ajv to the fixed version: 6.12.3 or remove the package from the image.", + "name": "nodejs-ajv: prototype pollution via crafted JSON schema in ajv.validate function", + "osi_layer": "NOT_APPLICABLE", + "references": [ + { + "type": "CVE", + "value": "CVE-2020-15366", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2020-15366", + }, + { + "type": "URL", + "value": "https://access.redhat.com/security/cve/CVE-2020-15366", + }, + { + "type": "URL", + "value": "https://errata.almalinux.org/8/ALSA-2021-0551.html", + }, + { + "type": "URL", + "value": "https://github.com/ajv-validator/ajv", + }, + { + "type": "URL", + "value": "https://github.com/ajv-validator/ajv/commit/65b2f7d76b190ac63a0d4e9154c712d7aa37049f", + }, + { + "type": "URL", + "value": "https://github.com/ajv-validator/ajv/releases/tag/v6.12.3", + }, + { + "type": "URL", + "value": "https://github.com/ajv-validator/ajv/tags", + }, + { + "type": "URL", + "value": "https://hackerone.com/bugs?subject=user&report_id=894259", + }, + { + "type": "URL", + "value": "https://linux.oracle.com/cve/CVE-2020-15366.html", + }, + { + "type": "URL", + "value": "https://linux.oracle.com/errata/ELSA-2021-0551.html", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2020-15366", + 
}, + { + "type": "URL", + "value": "https://security.netapp.com/advisory/ntap-20240621-0007", + }, + { + "type": "URL", + "value": "https://security.netapp.com/advisory/ntap-20240621-0007/", + }, + { + "type": "URL", + "value": "https://snyk.io/vuln/SNYK-JS-AJV-584908", + }, + { + "type": "URL", + "value": "https://www.cve.org/CVERecord?id=CVE-2020-15366", + }, + ], + "severity": "MEDIUM", + }, + { + "attributes": { + "fixedVersion": "6.12.3", + "foundIn": "Node.js", + "installedVersion": "6.12.2", + "packageName": "ajv", + "references": [ + "https://access.redhat.com/security/cve/CVE-2020-15366", + "https://errata.almalinux.org/8/ALSA-2021-0551.html", + "https://github.com/ajv-validator/ajv", + "https://github.com/ajv-validator/ajv/commit/65b2f7d76b190ac63a0d4e9154c712d7aa37049f", + "https://github.com/ajv-validator/ajv/releases/tag/v6.12.3", + "https://github.com/ajv-validator/ajv/tags", + "https://hackerone.com/bugs?subject=user&report_id=894259", + "https://linux.oracle.com/cve/CVE-2020-15366.html", + "https://linux.oracle.com/errata/ELSA-2021-0551.html", + "https://nvd.nist.gov/vuln/detail/CVE-2020-15366", + "https://security.netapp.com/advisory/ntap-20240621-0007", + "https://security.netapp.com/advisory/ntap-20240621-0007/", + "https://snyk.io/vuln/SNYK-JS-AJV-584908", + "https://www.cve.org/CVERecord?id=CVE-2020-15366", + ], + "vulnerabilityId": "CVE-2020-15366", + }, + "category": "NPM Package Vulnerability", + "description": "An issue was discovered in ajv.validate() in Ajv (aka Another JSON Schema Validator) 6.12.2. A carefully crafted JSON schema could be provided that allows execution of other code by prototype pollution. 
(While untrusted schemas are recommended against, the worst case of an untrusted schema should be a denial of service, not execution of code.)", + "location": "bkimminich/juice-shop:v10.2.0", + "mitigation": "Update the affected package ajv to the fixed version: 6.12.3 or remove the package from the image.", + "name": "nodejs-ajv: prototype pollution via crafted JSON schema in ajv.validate function", + "osi_layer": "NOT_APPLICABLE", + "references": [ + { + "type": "CVE", + "value": "CVE-2020-15366", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2020-15366", + }, + { + "type": "URL", + "value": "https://access.redhat.com/security/cve/CVE-2020-15366", + }, + { + "type": "URL", + "value": "https://errata.almalinux.org/8/ALSA-2021-0551.html", + }, + { + "type": "URL", + "value": "https://github.com/ajv-validator/ajv", + }, + { + "type": "URL", + "value": "https://github.com/ajv-validator/ajv/commit/65b2f7d76b190ac63a0d4e9154c712d7aa37049f", + }, + { + "type": "URL", + "value": "https://github.com/ajv-validator/ajv/releases/tag/v6.12.3", + }, + { + "type": "URL", + "value": "https://github.com/ajv-validator/ajv/tags", + }, + { + "type": "URL", + "value": "https://hackerone.com/bugs?subject=user&report_id=894259", + }, + { + "type": "URL", + "value": "https://linux.oracle.com/cve/CVE-2020-15366.html", + }, + { + "type": "URL", + "value": "https://linux.oracle.com/errata/ELSA-2021-0551.html", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2020-15366", + }, + { + "type": "URL", + "value": "https://security.netapp.com/advisory/ntap-20240621-0007", + }, + { + "type": "URL", + "value": "https://security.netapp.com/advisory/ntap-20240621-0007/", + }, + { + "type": "URL", + "value": "https://snyk.io/vuln/SNYK-JS-AJV-584908", + }, + { + "type": "URL", + "value": "https://www.cve.org/CVERecord?id=CVE-2020-15366", + }, + ], + "severity": "MEDIUM", + }, + { + "attributes": { + "fixedVersion": "6.0.1, 5.0.1, 4.1.1, 3.0.1", + 
"foundIn": "Node.js", + "installedVersion": "3.0.0", + "packageName": "ansi-regex", + "references": [ + "https://access.redhat.com/errata/RHSA-2022:6595", + "https://access.redhat.com/security/cve/CVE-2021-3807", + "https://app.snyk.io/vuln/SNYK-JS-ANSIREGEX-1583908", + "https://bugzilla.redhat.com/1907444", + "https://bugzilla.redhat.com/1945459", + "https://bugzilla.redhat.com/1964461", + "https://bugzilla.redhat.com/2007557", + "https://bugzilla.redhat.com/2098556", + "https://bugzilla.redhat.com/2102001", + "https://bugzilla.redhat.com/2105422", + "https://bugzilla.redhat.com/2105426", + "https://bugzilla.redhat.com/2105428", + "https://bugzilla.redhat.com/2105430", + "https://errata.almalinux.org/9/ALSA-2022-6595.html", + "https://github.com/chalk/ansi-regex", + "https://github.com/chalk/ansi-regex/commit/419250fa510bf31b4cc672e76537a64f9332e1f1", + "https://github.com/chalk/ansi-regex/commit/75a657da7af875b2e2724fd6331bf0a4b23d3c9a", + "https://github.com/chalk/ansi-regex/commit/8d1d7cdb586269882c4bdc1b7325d0c58c8f76f9", + "https://github.com/chalk/ansi-regex/commit/c3c0b3f2736b9c01feec0fef33980c43720dcde8", + "https://github.com/chalk/ansi-regex/issues/38#issuecomment-924086311", + "https://github.com/chalk/ansi-regex/issues/38#issuecomment-925924774", + "https://github.com/chalk/ansi-regex/releases/tag/v6.0.1", + "https://huntr.dev/bounties/5b3cf33b-ede0-4398-9974-800876dfd994", + "https://linux.oracle.com/cve/CVE-2021-3807.html", + "https://linux.oracle.com/errata/ELSA-2022-6595.html", + "https://nvd.nist.gov/vuln/detail/CVE-2021-3807", + "https://security.netapp.com/advisory/ntap-20221014-0002", + "https://security.netapp.com/advisory/ntap-20221014-0002/", + "https://www.cve.org/CVERecord?id=CVE-2021-3807", + "https://www.oracle.com/security-alerts/cpuapr2022.html", + ], + "vulnerabilityId": "CVE-2021-3807", + }, + "category": "NPM Package Vulnerability", + "description": "ansi-regex is vulnerable to Inefficient Regular Expression Complexity", + 
"location": "bkimminich/juice-shop:v10.2.0", + "mitigation": "Update the affected package ansi-regex to the fixed version: 6.0.1, 5.0.1, 4.1.1, 3.0.1 or remove the package from the image.", + "name": "nodejs-ansi-regex: Regular expression denial of service (ReDoS) matching ANSI escape codes", + "osi_layer": "NOT_APPLICABLE", + "references": [ + { + "type": "CVE", + "value": "CVE-2021-3807", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2021-3807", + }, + { + "type": "URL", + "value": "https://access.redhat.com/errata/RHSA-2022:6595", + }, + { + "type": "URL", + "value": "https://access.redhat.com/security/cve/CVE-2021-3807", + }, + { + "type": "URL", + "value": "https://app.snyk.io/vuln/SNYK-JS-ANSIREGEX-1583908", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/1907444", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/1945459", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/1964461", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/2007557", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/2098556", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/2102001", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/2105422", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/2105426", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/2105428", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/2105430", + }, + { + "type": "URL", + "value": "https://errata.almalinux.org/9/ALSA-2022-6595.html", + }, + { + "type": "URL", + "value": "https://github.com/chalk/ansi-regex", + }, + { + "type": "URL", + "value": "https://github.com/chalk/ansi-regex/commit/419250fa510bf31b4cc672e76537a64f9332e1f1", + }, + { + "type": "URL", + "value": "https://github.com/chalk/ansi-regex/commit/75a657da7af875b2e2724fd6331bf0a4b23d3c9a", + }, + { + "type": "URL", + "value": 
"https://github.com/chalk/ansi-regex/commit/8d1d7cdb586269882c4bdc1b7325d0c58c8f76f9", + }, + { + "type": "URL", + "value": "https://github.com/chalk/ansi-regex/commit/c3c0b3f2736b9c01feec0fef33980c43720dcde8", + }, + { + "type": "URL", + "value": "https://github.com/chalk/ansi-regex/issues/38#issuecomment-924086311", + }, + { + "type": "URL", + "value": "https://github.com/chalk/ansi-regex/issues/38#issuecomment-925924774", + }, + { + "type": "URL", + "value": "https://github.com/chalk/ansi-regex/releases/tag/v6.0.1", + }, + { + "type": "URL", + "value": "https://huntr.dev/bounties/5b3cf33b-ede0-4398-9974-800876dfd994", + }, + { + "type": "URL", + "value": "https://linux.oracle.com/cve/CVE-2021-3807.html", + }, + { + "type": "URL", + "value": "https://linux.oracle.com/errata/ELSA-2022-6595.html", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2021-3807", + }, + { + "type": "URL", + "value": "https://security.netapp.com/advisory/ntap-20221014-0002", + }, + { + "type": "URL", + "value": "https://security.netapp.com/advisory/ntap-20221014-0002/", + }, + { + "type": "URL", + "value": "https://www.cve.org/CVERecord?id=CVE-2021-3807", + }, + { + "type": "URL", + "value": "https://www.oracle.com/security-alerts/cpuapr2022.html", + }, + ], + "severity": "HIGH", + }, + { + "attributes": { + "fixedVersion": "6.0.1, 5.0.1, 4.1.1, 3.0.1", + "foundIn": "Node.js", + "installedVersion": "3.0.0", + "packageName": "ansi-regex", + "references": [ + "https://access.redhat.com/errata/RHSA-2022:6595", + "https://access.redhat.com/security/cve/CVE-2021-3807", + "https://app.snyk.io/vuln/SNYK-JS-ANSIREGEX-1583908", + "https://bugzilla.redhat.com/1907444", + "https://bugzilla.redhat.com/1945459", + "https://bugzilla.redhat.com/1964461", + "https://bugzilla.redhat.com/2007557", + "https://bugzilla.redhat.com/2098556", + "https://bugzilla.redhat.com/2102001", + "https://bugzilla.redhat.com/2105422", + "https://bugzilla.redhat.com/2105426", + 
"https://bugzilla.redhat.com/2105428", + "https://bugzilla.redhat.com/2105430", + "https://errata.almalinux.org/9/ALSA-2022-6595.html", + "https://github.com/chalk/ansi-regex", + "https://github.com/chalk/ansi-regex/commit/419250fa510bf31b4cc672e76537a64f9332e1f1", + "https://github.com/chalk/ansi-regex/commit/75a657da7af875b2e2724fd6331bf0a4b23d3c9a", + "https://github.com/chalk/ansi-regex/commit/8d1d7cdb586269882c4bdc1b7325d0c58c8f76f9", + "https://github.com/chalk/ansi-regex/commit/c3c0b3f2736b9c01feec0fef33980c43720dcde8", + "https://github.com/chalk/ansi-regex/issues/38#issuecomment-924086311", + "https://github.com/chalk/ansi-regex/issues/38#issuecomment-925924774", + "https://github.com/chalk/ansi-regex/releases/tag/v6.0.1", + "https://huntr.dev/bounties/5b3cf33b-ede0-4398-9974-800876dfd994", + "https://linux.oracle.com/cve/CVE-2021-3807.html", + "https://linux.oracle.com/errata/ELSA-2022-6595.html", + "https://nvd.nist.gov/vuln/detail/CVE-2021-3807", + "https://security.netapp.com/advisory/ntap-20221014-0002", + "https://security.netapp.com/advisory/ntap-20221014-0002/", + "https://www.cve.org/CVERecord?id=CVE-2021-3807", + "https://www.oracle.com/security-alerts/cpuapr2022.html", + ], + "vulnerabilityId": "CVE-2021-3807", + }, + "category": "NPM Package Vulnerability", + "description": "ansi-regex is vulnerable to Inefficient Regular Expression Complexity", + "location": "bkimminich/juice-shop:v10.2.0", + "mitigation": "Update the affected package ansi-regex to the fixed version: 6.0.1, 5.0.1, 4.1.1, 3.0.1 or remove the package from the image.", + "name": "nodejs-ansi-regex: Regular expression denial of service (ReDoS) matching ANSI escape codes", + "osi_layer": "NOT_APPLICABLE", + "references": [ + { + "type": "CVE", + "value": "CVE-2021-3807", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2021-3807", + }, + { + "type": "URL", + "value": "https://access.redhat.com/errata/RHSA-2022:6595", + }, + { + "type": "URL", + "value": 
"https://access.redhat.com/security/cve/CVE-2021-3807", + }, + { + "type": "URL", + "value": "https://app.snyk.io/vuln/SNYK-JS-ANSIREGEX-1583908", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/1907444", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/1945459", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/1964461", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/2007557", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/2098556", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/2102001", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/2105422", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/2105426", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/2105428", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/2105430", + }, + { + "type": "URL", + "value": "https://errata.almalinux.org/9/ALSA-2022-6595.html", + }, + { + "type": "URL", + "value": "https://github.com/chalk/ansi-regex", + }, + { + "type": "URL", + "value": "https://github.com/chalk/ansi-regex/commit/419250fa510bf31b4cc672e76537a64f9332e1f1", + }, + { + "type": "URL", + "value": "https://github.com/chalk/ansi-regex/commit/75a657da7af875b2e2724fd6331bf0a4b23d3c9a", + }, + { + "type": "URL", + "value": "https://github.com/chalk/ansi-regex/commit/8d1d7cdb586269882c4bdc1b7325d0c58c8f76f9", + }, + { + "type": "URL", + "value": "https://github.com/chalk/ansi-regex/commit/c3c0b3f2736b9c01feec0fef33980c43720dcde8", + }, + { + "type": "URL", + "value": "https://github.com/chalk/ansi-regex/issues/38#issuecomment-924086311", + }, + { + "type": "URL", + "value": "https://github.com/chalk/ansi-regex/issues/38#issuecomment-925924774", + }, + { + "type": "URL", + "value": "https://github.com/chalk/ansi-regex/releases/tag/v6.0.1", + }, + { + "type": "URL", + "value": "https://huntr.dev/bounties/5b3cf33b-ede0-4398-9974-800876dfd994", + }, + { + 
"type": "URL", + "value": "https://linux.oracle.com/cve/CVE-2021-3807.html", + }, + { + "type": "URL", + "value": "https://linux.oracle.com/errata/ELSA-2022-6595.html", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2021-3807", + }, + { + "type": "URL", + "value": "https://security.netapp.com/advisory/ntap-20221014-0002", + }, + { + "type": "URL", + "value": "https://security.netapp.com/advisory/ntap-20221014-0002/", + }, + { + "type": "URL", + "value": "https://www.cve.org/CVERecord?id=CVE-2021-3807", + }, + { + "type": "URL", + "value": "https://www.oracle.com/security-alerts/cpuapr2022.html", + }, + ], + "severity": "HIGH", + }, + { + "attributes": { + "fixedVersion": "6.0.1, 5.0.1, 4.1.1, 3.0.1", + "foundIn": "Node.js", + "installedVersion": "3.0.0", + "packageName": "ansi-regex", + "references": [ + "https://access.redhat.com/errata/RHSA-2022:6595", + "https://access.redhat.com/security/cve/CVE-2021-3807", + "https://app.snyk.io/vuln/SNYK-JS-ANSIREGEX-1583908", + "https://bugzilla.redhat.com/1907444", + "https://bugzilla.redhat.com/1945459", + "https://bugzilla.redhat.com/1964461", + "https://bugzilla.redhat.com/2007557", + "https://bugzilla.redhat.com/2098556", + "https://bugzilla.redhat.com/2102001", + "https://bugzilla.redhat.com/2105422", + "https://bugzilla.redhat.com/2105426", + "https://bugzilla.redhat.com/2105428", + "https://bugzilla.redhat.com/2105430", + "https://errata.almalinux.org/9/ALSA-2022-6595.html", + "https://github.com/chalk/ansi-regex", + "https://github.com/chalk/ansi-regex/commit/419250fa510bf31b4cc672e76537a64f9332e1f1", + "https://github.com/chalk/ansi-regex/commit/75a657da7af875b2e2724fd6331bf0a4b23d3c9a", + "https://github.com/chalk/ansi-regex/commit/8d1d7cdb586269882c4bdc1b7325d0c58c8f76f9", + "https://github.com/chalk/ansi-regex/commit/c3c0b3f2736b9c01feec0fef33980c43720dcde8", + "https://github.com/chalk/ansi-regex/issues/38#issuecomment-924086311", + 
"https://github.com/chalk/ansi-regex/issues/38#issuecomment-925924774", + "https://github.com/chalk/ansi-regex/releases/tag/v6.0.1", + "https://huntr.dev/bounties/5b3cf33b-ede0-4398-9974-800876dfd994", + "https://linux.oracle.com/cve/CVE-2021-3807.html", + "https://linux.oracle.com/errata/ELSA-2022-6595.html", + "https://nvd.nist.gov/vuln/detail/CVE-2021-3807", + "https://security.netapp.com/advisory/ntap-20221014-0002", + "https://security.netapp.com/advisory/ntap-20221014-0002/", + "https://www.cve.org/CVERecord?id=CVE-2021-3807", + "https://www.oracle.com/security-alerts/cpuapr2022.html", + ], + "vulnerabilityId": "CVE-2021-3807", + }, + "category": "NPM Package Vulnerability", + "description": "ansi-regex is vulnerable to Inefficient Regular Expression Complexity", + "location": "bkimminich/juice-shop:v10.2.0", + "mitigation": "Update the affected package ansi-regex to the fixed version: 6.0.1, 5.0.1, 4.1.1, 3.0.1 or remove the package from the image.", + "name": "nodejs-ansi-regex: Regular expression denial of service (ReDoS) matching ANSI escape codes", + "osi_layer": "NOT_APPLICABLE", + "references": [ + { + "type": "CVE", + "value": "CVE-2021-3807", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2021-3807", + }, + { + "type": "URL", + "value": "https://access.redhat.com/errata/RHSA-2022:6595", + }, + { + "type": "URL", + "value": "https://access.redhat.com/security/cve/CVE-2021-3807", + }, + { + "type": "URL", + "value": "https://app.snyk.io/vuln/SNYK-JS-ANSIREGEX-1583908", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/1907444", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/1945459", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/1964461", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/2007557", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/2098556", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/2102001", + }, + { 
+ "type": "URL", + "value": "https://bugzilla.redhat.com/2105422", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/2105426", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/2105428", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/2105430", + }, + { + "type": "URL", + "value": "https://errata.almalinux.org/9/ALSA-2022-6595.html", + }, + { + "type": "URL", + "value": "https://github.com/chalk/ansi-regex", + }, + { + "type": "URL", + "value": "https://github.com/chalk/ansi-regex/commit/419250fa510bf31b4cc672e76537a64f9332e1f1", + }, + { + "type": "URL", + "value": "https://github.com/chalk/ansi-regex/commit/75a657da7af875b2e2724fd6331bf0a4b23d3c9a", + }, + { + "type": "URL", + "value": "https://github.com/chalk/ansi-regex/commit/8d1d7cdb586269882c4bdc1b7325d0c58c8f76f9", + }, + { + "type": "URL", + "value": "https://github.com/chalk/ansi-regex/commit/c3c0b3f2736b9c01feec0fef33980c43720dcde8", + }, + { + "type": "URL", + "value": "https://github.com/chalk/ansi-regex/issues/38#issuecomment-924086311", + }, + { + "type": "URL", + "value": "https://github.com/chalk/ansi-regex/issues/38#issuecomment-925924774", + }, + { + "type": "URL", + "value": "https://github.com/chalk/ansi-regex/releases/tag/v6.0.1", + }, + { + "type": "URL", + "value": "https://huntr.dev/bounties/5b3cf33b-ede0-4398-9974-800876dfd994", + }, + { + "type": "URL", + "value": "https://linux.oracle.com/cve/CVE-2021-3807.html", + }, + { + "type": "URL", + "value": "https://linux.oracle.com/errata/ELSA-2022-6595.html", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2021-3807", + }, + { + "type": "URL", + "value": "https://security.netapp.com/advisory/ntap-20221014-0002", + }, + { + "type": "URL", + "value": "https://security.netapp.com/advisory/ntap-20221014-0002/", + }, + { + "type": "URL", + "value": "https://www.cve.org/CVERecord?id=CVE-2021-3807", + }, + { + "type": "URL", + "value": 
"https://www.oracle.com/security-alerts/cpuapr2022.html", + }, + ], + "severity": "HIGH", + }, + { + "attributes": { + "fixedVersion": "6.0.1, 5.0.1, 4.1.1, 3.0.1", + "foundIn": "Node.js", + "installedVersion": "3.0.0", + "packageName": "ansi-regex", + "references": [ + "https://access.redhat.com/errata/RHSA-2022:6595", + "https://access.redhat.com/security/cve/CVE-2021-3807", + "https://app.snyk.io/vuln/SNYK-JS-ANSIREGEX-1583908", + "https://bugzilla.redhat.com/1907444", + "https://bugzilla.redhat.com/1945459", + "https://bugzilla.redhat.com/1964461", + "https://bugzilla.redhat.com/2007557", + "https://bugzilla.redhat.com/2098556", + "https://bugzilla.redhat.com/2102001", + "https://bugzilla.redhat.com/2105422", + "https://bugzilla.redhat.com/2105426", + "https://bugzilla.redhat.com/2105428", + "https://bugzilla.redhat.com/2105430", + "https://errata.almalinux.org/9/ALSA-2022-6595.html", + "https://github.com/chalk/ansi-regex", + "https://github.com/chalk/ansi-regex/commit/419250fa510bf31b4cc672e76537a64f9332e1f1", + "https://github.com/chalk/ansi-regex/commit/75a657da7af875b2e2724fd6331bf0a4b23d3c9a", + "https://github.com/chalk/ansi-regex/commit/8d1d7cdb586269882c4bdc1b7325d0c58c8f76f9", + "https://github.com/chalk/ansi-regex/commit/c3c0b3f2736b9c01feec0fef33980c43720dcde8", + "https://github.com/chalk/ansi-regex/issues/38#issuecomment-924086311", + "https://github.com/chalk/ansi-regex/issues/38#issuecomment-925924774", + "https://github.com/chalk/ansi-regex/releases/tag/v6.0.1", + "https://huntr.dev/bounties/5b3cf33b-ede0-4398-9974-800876dfd994", + "https://linux.oracle.com/cve/CVE-2021-3807.html", + "https://linux.oracle.com/errata/ELSA-2022-6595.html", + "https://nvd.nist.gov/vuln/detail/CVE-2021-3807", + "https://security.netapp.com/advisory/ntap-20221014-0002", + "https://security.netapp.com/advisory/ntap-20221014-0002/", + "https://www.cve.org/CVERecord?id=CVE-2021-3807", + "https://www.oracle.com/security-alerts/cpuapr2022.html", + ], + "vulnerabilityId": 
"CVE-2021-3807", + }, + "category": "NPM Package Vulnerability", + "description": "ansi-regex is vulnerable to Inefficient Regular Expression Complexity", + "location": "bkimminich/juice-shop:v10.2.0", + "mitigation": "Update the affected package ansi-regex to the fixed version: 6.0.1, 5.0.1, 4.1.1, 3.0.1 or remove the package from the image.", + "name": "nodejs-ansi-regex: Regular expression denial of service (ReDoS) matching ANSI escape codes", + "osi_layer": "NOT_APPLICABLE", + "references": [ + { + "type": "CVE", + "value": "CVE-2021-3807", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2021-3807", + }, + { + "type": "URL", + "value": "https://access.redhat.com/errata/RHSA-2022:6595", + }, + { + "type": "URL", + "value": "https://access.redhat.com/security/cve/CVE-2021-3807", + }, + { + "type": "URL", + "value": "https://app.snyk.io/vuln/SNYK-JS-ANSIREGEX-1583908", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/1907444", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/1945459", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/1964461", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/2007557", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/2098556", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/2102001", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/2105422", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/2105426", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/2105428", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/2105430", + }, + { + "type": "URL", + "value": "https://errata.almalinux.org/9/ALSA-2022-6595.html", + }, + { + "type": "URL", + "value": "https://github.com/chalk/ansi-regex", + }, + { + "type": "URL", + "value": "https://github.com/chalk/ansi-regex/commit/419250fa510bf31b4cc672e76537a64f9332e1f1", + }, + { + "type": "URL", + "value": 
"https://github.com/chalk/ansi-regex/commit/75a657da7af875b2e2724fd6331bf0a4b23d3c9a", + }, + { + "type": "URL", + "value": "https://github.com/chalk/ansi-regex/commit/8d1d7cdb586269882c4bdc1b7325d0c58c8f76f9", + }, + { + "type": "URL", + "value": "https://github.com/chalk/ansi-regex/commit/c3c0b3f2736b9c01feec0fef33980c43720dcde8", + }, + { + "type": "URL", + "value": "https://github.com/chalk/ansi-regex/issues/38#issuecomment-924086311", + }, + { + "type": "URL", + "value": "https://github.com/chalk/ansi-regex/issues/38#issuecomment-925924774", + }, + { + "type": "URL", + "value": "https://github.com/chalk/ansi-regex/releases/tag/v6.0.1", + }, + { + "type": "URL", + "value": "https://huntr.dev/bounties/5b3cf33b-ede0-4398-9974-800876dfd994", + }, + { + "type": "URL", + "value": "https://linux.oracle.com/cve/CVE-2021-3807.html", + }, + { + "type": "URL", + "value": "https://linux.oracle.com/errata/ELSA-2022-6595.html", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2021-3807", + }, + { + "type": "URL", + "value": "https://security.netapp.com/advisory/ntap-20221014-0002", + }, + { + "type": "URL", + "value": "https://security.netapp.com/advisory/ntap-20221014-0002/", + }, + { + "type": "URL", + "value": "https://www.cve.org/CVERecord?id=CVE-2021-3807", + }, + { + "type": "URL", + "value": "https://www.oracle.com/security-alerts/cpuapr2022.html", + }, + ], + "severity": "HIGH", + }, + { + "attributes": { + "fixedVersion": "6.0.1, 5.0.1, 4.1.1, 3.0.1", + "foundIn": "Node.js", + "installedVersion": "4.1.0", + "packageName": "ansi-regex", + "references": [ + "https://access.redhat.com/errata/RHSA-2022:6595", + "https://access.redhat.com/security/cve/CVE-2021-3807", + "https://app.snyk.io/vuln/SNYK-JS-ANSIREGEX-1583908", + "https://bugzilla.redhat.com/1907444", + "https://bugzilla.redhat.com/1945459", + "https://bugzilla.redhat.com/1964461", + "https://bugzilla.redhat.com/2007557", + "https://bugzilla.redhat.com/2098556", + 
"https://bugzilla.redhat.com/2102001", + "https://bugzilla.redhat.com/2105422", + "https://bugzilla.redhat.com/2105426", + "https://bugzilla.redhat.com/2105428", + "https://bugzilla.redhat.com/2105430", + "https://errata.almalinux.org/9/ALSA-2022-6595.html", + "https://github.com/chalk/ansi-regex", + "https://github.com/chalk/ansi-regex/commit/419250fa510bf31b4cc672e76537a64f9332e1f1", + "https://github.com/chalk/ansi-regex/commit/75a657da7af875b2e2724fd6331bf0a4b23d3c9a", + "https://github.com/chalk/ansi-regex/commit/8d1d7cdb586269882c4bdc1b7325d0c58c8f76f9", + "https://github.com/chalk/ansi-regex/commit/c3c0b3f2736b9c01feec0fef33980c43720dcde8", + "https://github.com/chalk/ansi-regex/issues/38#issuecomment-924086311", + "https://github.com/chalk/ansi-regex/issues/38#issuecomment-925924774", + "https://github.com/chalk/ansi-regex/releases/tag/v6.0.1", + "https://huntr.dev/bounties/5b3cf33b-ede0-4398-9974-800876dfd994", + "https://linux.oracle.com/cve/CVE-2021-3807.html", + "https://linux.oracle.com/errata/ELSA-2022-6595.html", + "https://nvd.nist.gov/vuln/detail/CVE-2021-3807", + "https://security.netapp.com/advisory/ntap-20221014-0002", + "https://security.netapp.com/advisory/ntap-20221014-0002/", + "https://www.cve.org/CVERecord?id=CVE-2021-3807", + "https://www.oracle.com/security-alerts/cpuapr2022.html", + ], + "vulnerabilityId": "CVE-2021-3807", + }, + "category": "NPM Package Vulnerability", + "description": "ansi-regex is vulnerable to Inefficient Regular Expression Complexity", + "location": "bkimminich/juice-shop:v10.2.0", + "mitigation": "Update the affected package ansi-regex to the fixed version: 6.0.1, 5.0.1, 4.1.1, 3.0.1 or remove the package from the image.", + "name": "nodejs-ansi-regex: Regular expression denial of service (ReDoS) matching ANSI escape codes", + "osi_layer": "NOT_APPLICABLE", + "references": [ + { + "type": "CVE", + "value": "CVE-2021-3807", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2021-3807", + }, 
+ { + "type": "URL", + "value": "https://access.redhat.com/errata/RHSA-2022:6595", + }, + { + "type": "URL", + "value": "https://access.redhat.com/security/cve/CVE-2021-3807", + }, + { + "type": "URL", + "value": "https://app.snyk.io/vuln/SNYK-JS-ANSIREGEX-1583908", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/1907444", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/1945459", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/1964461", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/2007557", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/2098556", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/2102001", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/2105422", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/2105426", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/2105428", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/2105430", + }, + { + "type": "URL", + "value": "https://errata.almalinux.org/9/ALSA-2022-6595.html", + }, + { + "type": "URL", + "value": "https://github.com/chalk/ansi-regex", + }, + { + "type": "URL", + "value": "https://github.com/chalk/ansi-regex/commit/419250fa510bf31b4cc672e76537a64f9332e1f1", + }, + { + "type": "URL", + "value": "https://github.com/chalk/ansi-regex/commit/75a657da7af875b2e2724fd6331bf0a4b23d3c9a", + }, + { + "type": "URL", + "value": "https://github.com/chalk/ansi-regex/commit/8d1d7cdb586269882c4bdc1b7325d0c58c8f76f9", + }, + { + "type": "URL", + "value": "https://github.com/chalk/ansi-regex/commit/c3c0b3f2736b9c01feec0fef33980c43720dcde8", + }, + { + "type": "URL", + "value": "https://github.com/chalk/ansi-regex/issues/38#issuecomment-924086311", + }, + { + "type": "URL", + "value": "https://github.com/chalk/ansi-regex/issues/38#issuecomment-925924774", + }, + { + "type": "URL", + "value": 
"https://github.com/chalk/ansi-regex/releases/tag/v6.0.1", + }, + { + "type": "URL", + "value": "https://huntr.dev/bounties/5b3cf33b-ede0-4398-9974-800876dfd994", + }, + { + "type": "URL", + "value": "https://linux.oracle.com/cve/CVE-2021-3807.html", + }, + { + "type": "URL", + "value": "https://linux.oracle.com/errata/ELSA-2022-6595.html", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2021-3807", + }, + { + "type": "URL", + "value": "https://security.netapp.com/advisory/ntap-20221014-0002", + }, + { + "type": "URL", + "value": "https://security.netapp.com/advisory/ntap-20221014-0002/", + }, + { + "type": "URL", + "value": "https://www.cve.org/CVERecord?id=CVE-2021-3807", + }, + { + "type": "URL", + "value": "https://www.oracle.com/security-alerts/cpuapr2022.html", + }, + ], + "severity": "HIGH", + }, + { + "attributes": { + "fixedVersion": "3.2.2, 2.6.4", + "foundIn": "Node.js", + "installedVersion": "2.6.3", + "packageName": "async", + "references": [ + "https://access.redhat.com/security/cve/CVE-2021-43138", + "https://github.com/advisories/GHSA-fwr7-v2mv-hh25", + "https://github.com/caolan/async", + "https://github.com/caolan/async/blob/master/lib/internal/iterator.js", + "https://github.com/caolan/async/blob/master/lib/mapValuesLimit.js", + "https://github.com/caolan/async/blob/v2.6.4/CHANGELOG.md#v264", + "https://github.com/caolan/async/commit/8f7f90342a6571ba1c197d747ebed30c368096d2", + "https://github.com/caolan/async/commit/e1ecdbf79264f9ab488c7799f4c76996d5dca66d", + "https://github.com/caolan/async/compare/v2.6.3...v2.6.4", + "https://github.com/caolan/async/pull/1828", + "https://jsfiddle.net/oz5twjd9", + "https://jsfiddle.net/oz5twjd9/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MTEUUTNIEBHGKUKKLNUZSV7IEP6IP3Q3", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MTEUUTNIEBHGKUKKLNUZSV7IEP6IP3Q3/", + 
"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UM6XJ73Q3NAM5KSGCOKJ2ZIA6GUWUJLK", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UM6XJ73Q3NAM5KSGCOKJ2ZIA6GUWUJLK/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MTEUUTNIEBHGKUKKLNUZSV7IEP6IP3Q3", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UM6XJ73Q3NAM5KSGCOKJ2ZIA6GUWUJLK", + "https://nvd.nist.gov/vuln/detail/CVE-2021-43138", + "https://security.netapp.com/advisory/ntap-20240621-0006", + "https://security.netapp.com/advisory/ntap-20240621-0006/", + "https://www.cve.org/CVERecord?id=CVE-2021-43138", + ], + "vulnerabilityId": "CVE-2021-43138", + }, + "category": "NPM Package Vulnerability", + "description": "In Async before 2.6.4 and 3.x before 3.2.2, a malicious user can obtain privileges via the mapValues() method, aka lib/internal/iterator.js createObjectIterator prototype pollution.", + "location": "bkimminich/juice-shop:v10.2.0", + "mitigation": "Update the affected package async to the fixed version: 3.2.2, 2.6.4 or remove the package from the image.", + "name": "async: Prototype Pollution in async", + "osi_layer": "NOT_APPLICABLE", + "references": [ + { + "type": "CVE", + "value": "CVE-2021-43138", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2021-43138", + }, + { + "type": "URL", + "value": "https://access.redhat.com/security/cve/CVE-2021-43138", + }, + { + "type": "URL", + "value": "https://github.com/advisories/GHSA-fwr7-v2mv-hh25", + }, + { + "type": "URL", + "value": "https://github.com/caolan/async", + }, + { + "type": "URL", + "value": "https://github.com/caolan/async/blob/master/lib/internal/iterator.js", + }, + { + "type": "URL", + "value": "https://github.com/caolan/async/blob/master/lib/mapValuesLimit.js", + }, + { + "type": "URL", + "value": 
"https://github.com/caolan/async/blob/v2.6.4/CHANGELOG.md#v264", + }, + { + "type": "URL", + "value": "https://github.com/caolan/async/commit/8f7f90342a6571ba1c197d747ebed30c368096d2", + }, + { + "type": "URL", + "value": "https://github.com/caolan/async/commit/e1ecdbf79264f9ab488c7799f4c76996d5dca66d", + }, + { + "type": "URL", + "value": "https://github.com/caolan/async/compare/v2.6.3...v2.6.4", + }, + { + "type": "URL", + "value": "https://github.com/caolan/async/pull/1828", + }, + { + "type": "URL", + "value": "https://jsfiddle.net/oz5twjd9", + }, + { + "type": "URL", + "value": "https://jsfiddle.net/oz5twjd9/", + }, + { + "type": "URL", + "value": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MTEUUTNIEBHGKUKKLNUZSV7IEP6IP3Q3", + }, + { + "type": "URL", + "value": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MTEUUTNIEBHGKUKKLNUZSV7IEP6IP3Q3/", + }, + { + "type": "URL", + "value": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UM6XJ73Q3NAM5KSGCOKJ2ZIA6GUWUJLK", + }, + { + "type": "URL", + "value": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UM6XJ73Q3NAM5KSGCOKJ2ZIA6GUWUJLK/", + }, + { + "type": "URL", + "value": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MTEUUTNIEBHGKUKKLNUZSV7IEP6IP3Q3", + }, + { + "type": "URL", + "value": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UM6XJ73Q3NAM5KSGCOKJ2ZIA6GUWUJLK", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2021-43138", + }, + { + "type": "URL", + "value": "https://security.netapp.com/advisory/ntap-20240621-0006", + }, + { + "type": "URL", + "value": "https://security.netapp.com/advisory/ntap-20240621-0006/", + }, + { + "type": "URL", + "value": 
"https://www.cve.org/CVERecord?id=CVE-2021-43138", + }, + ], + "severity": "HIGH", + }, + { + "attributes": { + "fixedVersion": "3.2.2, 2.6.4", + "foundIn": "Node.js", + "installedVersion": "2.6.3", + "packageName": "async", + "references": [ + "https://access.redhat.com/security/cve/CVE-2021-43138", + "https://github.com/advisories/GHSA-fwr7-v2mv-hh25", + "https://github.com/caolan/async", + "https://github.com/caolan/async/blob/master/lib/internal/iterator.js", + "https://github.com/caolan/async/blob/master/lib/mapValuesLimit.js", + "https://github.com/caolan/async/blob/v2.6.4/CHANGELOG.md#v264", + "https://github.com/caolan/async/commit/8f7f90342a6571ba1c197d747ebed30c368096d2", + "https://github.com/caolan/async/commit/e1ecdbf79264f9ab488c7799f4c76996d5dca66d", + "https://github.com/caolan/async/compare/v2.6.3...v2.6.4", + "https://github.com/caolan/async/pull/1828", + "https://jsfiddle.net/oz5twjd9", + "https://jsfiddle.net/oz5twjd9/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MTEUUTNIEBHGKUKKLNUZSV7IEP6IP3Q3", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MTEUUTNIEBHGKUKKLNUZSV7IEP6IP3Q3/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UM6XJ73Q3NAM5KSGCOKJ2ZIA6GUWUJLK", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UM6XJ73Q3NAM5KSGCOKJ2ZIA6GUWUJLK/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MTEUUTNIEBHGKUKKLNUZSV7IEP6IP3Q3", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UM6XJ73Q3NAM5KSGCOKJ2ZIA6GUWUJLK", + "https://nvd.nist.gov/vuln/detail/CVE-2021-43138", + "https://security.netapp.com/advisory/ntap-20240621-0006", + "https://security.netapp.com/advisory/ntap-20240621-0006/", + "https://www.cve.org/CVERecord?id=CVE-2021-43138", + ], + 
"vulnerabilityId": "CVE-2021-43138", + }, + "category": "NPM Package Vulnerability", + "description": "In Async before 2.6.4 and 3.x before 3.2.2, a malicious user can obtain privileges via the mapValues() method, aka lib/internal/iterator.js createObjectIterator prototype pollution.", + "location": "bkimminich/juice-shop:v10.2.0", + "mitigation": "Update the affected package async to the fixed version: 3.2.2, 2.6.4 or remove the package from the image.", + "name": "async: Prototype Pollution in async", + "osi_layer": "NOT_APPLICABLE", + "references": [ + { + "type": "CVE", + "value": "CVE-2021-43138", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2021-43138", + }, + { + "type": "URL", + "value": "https://access.redhat.com/security/cve/CVE-2021-43138", + }, + { + "type": "URL", + "value": "https://github.com/advisories/GHSA-fwr7-v2mv-hh25", + }, + { + "type": "URL", + "value": "https://github.com/caolan/async", + }, + { + "type": "URL", + "value": "https://github.com/caolan/async/blob/master/lib/internal/iterator.js", + }, + { + "type": "URL", + "value": "https://github.com/caolan/async/blob/master/lib/mapValuesLimit.js", + }, + { + "type": "URL", + "value": "https://github.com/caolan/async/blob/v2.6.4/CHANGELOG.md#v264", + }, + { + "type": "URL", + "value": "https://github.com/caolan/async/commit/8f7f90342a6571ba1c197d747ebed30c368096d2", + }, + { + "type": "URL", + "value": "https://github.com/caolan/async/commit/e1ecdbf79264f9ab488c7799f4c76996d5dca66d", + }, + { + "type": "URL", + "value": "https://github.com/caolan/async/compare/v2.6.3...v2.6.4", + }, + { + "type": "URL", + "value": "https://github.com/caolan/async/pull/1828", + }, + { + "type": "URL", + "value": "https://jsfiddle.net/oz5twjd9", + }, + { + "type": "URL", + "value": "https://jsfiddle.net/oz5twjd9/", + }, + { + "type": "URL", + "value": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MTEUUTNIEBHGKUKKLNUZSV7IEP6IP3Q3", 
+ }, + { + "type": "URL", + "value": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MTEUUTNIEBHGKUKKLNUZSV7IEP6IP3Q3/", + }, + { + "type": "URL", + "value": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UM6XJ73Q3NAM5KSGCOKJ2ZIA6GUWUJLK", + }, + { + "type": "URL", + "value": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UM6XJ73Q3NAM5KSGCOKJ2ZIA6GUWUJLK/", + }, + { + "type": "URL", + "value": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MTEUUTNIEBHGKUKKLNUZSV7IEP6IP3Q3", + }, + { + "type": "URL", + "value": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UM6XJ73Q3NAM5KSGCOKJ2ZIA6GUWUJLK", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2021-43138", + }, + { + "type": "URL", + "value": "https://security.netapp.com/advisory/ntap-20240621-0006", + }, + { + "type": "URL", + "value": "https://security.netapp.com/advisory/ntap-20240621-0006/", + }, + { + "type": "URL", + "value": "https://www.cve.org/CVERecord?id=CVE-2021-43138", + }, + ], + "severity": "HIGH", + }, + { + "attributes": { + "fixedVersion": "3.2.2, 2.6.4", + "foundIn": "Node.js", + "installedVersion": "2.6.3", + "packageName": "async", + "references": [ + "https://access.redhat.com/security/cve/CVE-2021-43138", + "https://github.com/advisories/GHSA-fwr7-v2mv-hh25", + "https://github.com/caolan/async", + "https://github.com/caolan/async/blob/master/lib/internal/iterator.js", + "https://github.com/caolan/async/blob/master/lib/mapValuesLimit.js", + "https://github.com/caolan/async/blob/v2.6.4/CHANGELOG.md#v264", + "https://github.com/caolan/async/commit/8f7f90342a6571ba1c197d747ebed30c368096d2", + "https://github.com/caolan/async/commit/e1ecdbf79264f9ab488c7799f4c76996d5dca66d", + 
"https://github.com/caolan/async/compare/v2.6.3...v2.6.4", + "https://github.com/caolan/async/pull/1828", + "https://jsfiddle.net/oz5twjd9", + "https://jsfiddle.net/oz5twjd9/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MTEUUTNIEBHGKUKKLNUZSV7IEP6IP3Q3", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MTEUUTNIEBHGKUKKLNUZSV7IEP6IP3Q3/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UM6XJ73Q3NAM5KSGCOKJ2ZIA6GUWUJLK", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UM6XJ73Q3NAM5KSGCOKJ2ZIA6GUWUJLK/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MTEUUTNIEBHGKUKKLNUZSV7IEP6IP3Q3", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UM6XJ73Q3NAM5KSGCOKJ2ZIA6GUWUJLK", + "https://nvd.nist.gov/vuln/detail/CVE-2021-43138", + "https://security.netapp.com/advisory/ntap-20240621-0006", + "https://security.netapp.com/advisory/ntap-20240621-0006/", + "https://www.cve.org/CVERecord?id=CVE-2021-43138", + ], + "vulnerabilityId": "CVE-2021-43138", + }, + "category": "NPM Package Vulnerability", + "description": "In Async before 2.6.4 and 3.x before 3.2.2, a malicious user can obtain privileges via the mapValues() method, aka lib/internal/iterator.js createObjectIterator prototype pollution.", + "location": "bkimminich/juice-shop:v10.2.0", + "mitigation": "Update the affected package async to the fixed version: 3.2.2, 2.6.4 or remove the package from the image.", + "name": "async: Prototype Pollution in async", + "osi_layer": "NOT_APPLICABLE", + "references": [ + { + "type": "CVE", + "value": "CVE-2021-43138", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2021-43138", + }, + { + "type": "URL", + "value": 
"https://access.redhat.com/security/cve/CVE-2021-43138", + }, + { + "type": "URL", + "value": "https://github.com/advisories/GHSA-fwr7-v2mv-hh25", + }, + { + "type": "URL", + "value": "https://github.com/caolan/async", + }, + { + "type": "URL", + "value": "https://github.com/caolan/async/blob/master/lib/internal/iterator.js", + }, + { + "type": "URL", + "value": "https://github.com/caolan/async/blob/master/lib/mapValuesLimit.js", + }, + { + "type": "URL", + "value": "https://github.com/caolan/async/blob/v2.6.4/CHANGELOG.md#v264", + }, + { + "type": "URL", + "value": "https://github.com/caolan/async/commit/8f7f90342a6571ba1c197d747ebed30c368096d2", + }, + { + "type": "URL", + "value": "https://github.com/caolan/async/commit/e1ecdbf79264f9ab488c7799f4c76996d5dca66d", + }, + { + "type": "URL", + "value": "https://github.com/caolan/async/compare/v2.6.3...v2.6.4", + }, + { + "type": "URL", + "value": "https://github.com/caolan/async/pull/1828", + }, + { + "type": "URL", + "value": "https://jsfiddle.net/oz5twjd9", + }, + { + "type": "URL", + "value": "https://jsfiddle.net/oz5twjd9/", + }, + { + "type": "URL", + "value": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MTEUUTNIEBHGKUKKLNUZSV7IEP6IP3Q3", + }, + { + "type": "URL", + "value": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MTEUUTNIEBHGKUKKLNUZSV7IEP6IP3Q3/", + }, + { + "type": "URL", + "value": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UM6XJ73Q3NAM5KSGCOKJ2ZIA6GUWUJLK", + }, + { + "type": "URL", + "value": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UM6XJ73Q3NAM5KSGCOKJ2ZIA6GUWUJLK/", + }, + { + "type": "URL", + "value": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MTEUUTNIEBHGKUKKLNUZSV7IEP6IP3Q3", + }, + { + "type": "URL", + "value": 
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UM6XJ73Q3NAM5KSGCOKJ2ZIA6GUWUJLK", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2021-43138", + }, + { + "type": "URL", + "value": "https://security.netapp.com/advisory/ntap-20240621-0006", + }, + { + "type": "URL", + "value": "https://security.netapp.com/advisory/ntap-20240621-0006/", + }, + { + "type": "URL", + "value": "https://www.cve.org/CVERecord?id=CVE-2021-43138", + }, + ], + "severity": "HIGH", + }, + { + "attributes": { + "fixedVersion": ">=3.0.0", + "foundIn": "Node.js", + "installedVersion": "0.0.6", + "packageName": "base64url", + "references": [ + "https://github.com/brianloveswords/base64url/pull/25", + "https://hackerone.com/reports/321687", + ], + "vulnerabilityId": "NSWG-ECO-428", + }, + "category": "NPM Package Vulnerability", + "description": "\`base64url\` allocates uninitialized Buffers when number is passed in input on Node.js 4.x and below", + "location": "bkimminich/juice-shop:v10.2.0", + "mitigation": "Update the affected package base64url to the fixed version: >=3.0.0 or remove the package from the image.", + "name": "Out-of-bounds Read", + "osi_layer": "NOT_APPLICABLE", + "references": [ + { + "type": "NSWG", + "value": "NSWG-ECO-428", + }, + { + "type": "URL", + "value": "https://github.com/nodejs/security-wg/tree/master/vuln", + }, + { + "type": "URL", + "value": "https://github.com/brianloveswords/base64url/pull/25", + }, + { + "type": "URL", + "value": "https://hackerone.com/reports/321687", + }, + ], + "severity": "HIGH", + }, + { + "attributes": { + "fixedVersion": "3.0.0", + "foundIn": "Node.js", + "installedVersion": "0.0.6", + "packageName": "base64url", + "references": [ + "https://github.com/brianloveswords/base64url", + "https://github.com/brianloveswords/base64url/commit/4fbd954a0a69e9d898de2146557cc6e893e79542", + "https://github.com/brianloveswords/base64url/pull/25", + 
"https://hackerone.com/reports/321687", + ], + "vulnerabilityId": "GHSA-rvg8-pwq2-xj7q", + }, + "category": "NPM Package Vulnerability", + "description": "Versions of \`base64url\` before 3.0.0 are vulnerable to to out-of-bounds reads as it allocates uninitialized Buffers when number is passed in input on Node.js 4.x and below. + + +## Recommendation + +Update to version 3.0.0 or later.", + "location": "bkimminich/juice-shop:v10.2.0", + "mitigation": "Update the affected package base64url to the fixed version: 3.0.0 or remove the package from the image.", + "name": "Out-of-bounds Read in base64url", + "osi_layer": "NOT_APPLICABLE", + "references": [ + { + "type": "URL", + "value": "https://github.com/brianloveswords/base64url", + }, + { + "type": "URL", + "value": "https://github.com/brianloveswords/base64url/commit/4fbd954a0a69e9d898de2146557cc6e893e79542", + }, + { + "type": "URL", + "value": "https://github.com/brianloveswords/base64url/pull/25", + }, + { + "type": "URL", + "value": "https://hackerone.com/reports/321687", + }, + ], + "severity": "MEDIUM", + }, + { + "attributes": { + "fixedVersion": "1.2.3, 2.2.1, 3.0.1, 4.0.3", + "foundIn": "Node.js", + "installedVersion": "1.2.2", + "packageName": "bl", + "references": [ + "https://access.redhat.com/security/cve/CVE-2020-8244", + "https://github.com/rvagg/bl/commit/8a8c13c880e2bef519133ea43e0e9b78b5d0c91e", + "https://github.com/rvagg/bl/commit/d3e240e3b8ba4048d3c76ef5fb9dd1f8872d3190", + "https://github.com/rvagg/bl/commit/dacc4ac7d5fcd6201bcf26fbd886951be9537466", + "https://hackerone.com/reports/966347", + "https://lists.debian.org/debian-lts-announce/2021/06/msg00028.html", + "https://nvd.nist.gov/vuln/detail/CVE-2020-8244", + "https://ubuntu.com/security/notices/USN-5098-1", + "https://ubuntu.com/security/notices/USN-5159-1", + "https://www.cve.org/CVERecord?id=CVE-2020-8244", + ], + "vulnerabilityId": "CVE-2020-8244", + }, + "category": "NPM Package Vulnerability", + "description": "A buffer over-read 
vulnerability exists in bl <4.0.3, <3.0.1, <2.2.1, and <1.2.3 which could allow an attacker to supply user input (even typed) that if it ends up in consume() argument and can become negative, the BufferList state can be corrupted, tricking it into exposing uninitialized memory via regular .slice() calls.", + "location": "bkimminich/juice-shop:v10.2.0", + "mitigation": "Update the affected package bl to the fixed version: 1.2.3, 2.2.1, 3.0.1, 4.0.3 or remove the package from the image.", + "name": "nodejs-bl: buffer over-read vulnerability leads to corrupted BufferList which can result in uninitialized memory being leaked", + "osi_layer": "NOT_APPLICABLE", + "references": [ + { + "type": "CVE", + "value": "CVE-2020-8244", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2020-8244", + }, + { + "type": "URL", + "value": "https://access.redhat.com/security/cve/CVE-2020-8244", + }, + { + "type": "URL", + "value": "https://github.com/rvagg/bl/commit/8a8c13c880e2bef519133ea43e0e9b78b5d0c91e", + }, + { + "type": "URL", + "value": "https://github.com/rvagg/bl/commit/d3e240e3b8ba4048d3c76ef5fb9dd1f8872d3190", + }, + { + "type": "URL", + "value": "https://github.com/rvagg/bl/commit/dacc4ac7d5fcd6201bcf26fbd886951be9537466", + }, + { + "type": "URL", + "value": "https://hackerone.com/reports/966347", + }, + { + "type": "URL", + "value": "https://lists.debian.org/debian-lts-announce/2021/06/msg00028.html", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2020-8244", + }, + { + "type": "URL", + "value": "https://ubuntu.com/security/notices/USN-5098-1", + }, + { + "type": "URL", + "value": "https://ubuntu.com/security/notices/USN-5159-1", + }, + { + "type": "URL", + "value": "https://www.cve.org/CVERecord?id=CVE-2020-8244", + }, + ], + "severity": "MEDIUM", + }, + { + "attributes": { + "fixedVersion": "1.2.3, 2.2.1, 3.0.1, 4.0.3", + "foundIn": "Node.js", + "installedVersion": "4.0.2", + "packageName": "bl", + "references": [ + 
"https://access.redhat.com/security/cve/CVE-2020-8244", + "https://github.com/rvagg/bl/commit/8a8c13c880e2bef519133ea43e0e9b78b5d0c91e", + "https://github.com/rvagg/bl/commit/d3e240e3b8ba4048d3c76ef5fb9dd1f8872d3190", + "https://github.com/rvagg/bl/commit/dacc4ac7d5fcd6201bcf26fbd886951be9537466", + "https://hackerone.com/reports/966347", + "https://lists.debian.org/debian-lts-announce/2021/06/msg00028.html", + "https://nvd.nist.gov/vuln/detail/CVE-2020-8244", + "https://ubuntu.com/security/notices/USN-5098-1", + "https://ubuntu.com/security/notices/USN-5159-1", + "https://www.cve.org/CVERecord?id=CVE-2020-8244", + ], + "vulnerabilityId": "CVE-2020-8244", + }, + "category": "NPM Package Vulnerability", + "description": "A buffer over-read vulnerability exists in bl <4.0.3, <3.0.1, <2.2.1, and <1.2.3 which could allow an attacker to supply user input (even typed) that if it ends up in consume() argument and can become negative, the BufferList state can be corrupted, tricking it into exposing uninitialized memory via regular .slice() calls.", + "location": "bkimminich/juice-shop:v10.2.0", + "mitigation": "Update the affected package bl to the fixed version: 1.2.3, 2.2.1, 3.0.1, 4.0.3 or remove the package from the image.", + "name": "nodejs-bl: buffer over-read vulnerability leads to corrupted BufferList which can result in uninitialized memory being leaked", + "osi_layer": "NOT_APPLICABLE", + "references": [ + { + "type": "CVE", + "value": "CVE-2020-8244", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2020-8244", + }, + { + "type": "URL", + "value": "https://access.redhat.com/security/cve/CVE-2020-8244", + }, + { + "type": "URL", + "value": "https://github.com/rvagg/bl/commit/8a8c13c880e2bef519133ea43e0e9b78b5d0c91e", + }, + { + "type": "URL", + "value": "https://github.com/rvagg/bl/commit/d3e240e3b8ba4048d3c76ef5fb9dd1f8872d3190", + }, + { + "type": "URL", + "value": 
"https://github.com/rvagg/bl/commit/dacc4ac7d5fcd6201bcf26fbd886951be9537466", + }, + { + "type": "URL", + "value": "https://hackerone.com/reports/966347", + }, + { + "type": "URL", + "value": "https://lists.debian.org/debian-lts-announce/2021/06/msg00028.html", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2020-8244", + }, + { + "type": "URL", + "value": "https://ubuntu.com/security/notices/USN-5098-1", + }, + { + "type": "URL", + "value": "https://ubuntu.com/security/notices/USN-5159-1", + }, + { + "type": "URL", + "value": "https://www.cve.org/CVERecord?id=CVE-2020-8244", + }, + ], + "severity": "MEDIUM", + }, + { + "attributes": { + "fixedVersion": "1.20.3", + "foundIn": "Node.js", + "installedVersion": "1.19.0", + "packageName": "body-parser", + "references": [ + "https://access.redhat.com/security/cve/CVE-2024-45590", + "https://github.com/expressjs/body-parser", + "https://github.com/expressjs/body-parser/commit/b2695c4450f06ba3b0ccf48d872a229bb41c9bce", + "https://github.com/expressjs/body-parser/security/advisories/GHSA-qwcr-r2fm-qrc7", + "https://nvd.nist.gov/vuln/detail/CVE-2024-45590", + "https://www.cve.org/CVERecord?id=CVE-2024-45590", + ], + "vulnerabilityId": "CVE-2024-45590", + }, + "category": "NPM Package Vulnerability", + "description": "body-parser is Node.js body parsing middleware. body-parser <1.20.3 is vulnerable to denial of service when url encoding is enabled. A malicious actor using a specially crafted payload could flood the server with a large number of requests, resulting in denial of service. 
This issue is patched in 1.20.3.", + "location": "bkimminich/juice-shop:v10.2.0", + "mitigation": "Update the affected package body-parser to the fixed version: 1.20.3 or remove the package from the image.", + "name": "body-parser: Denial of Service Vulnerability in body-parser", + "osi_layer": "NOT_APPLICABLE", + "references": [ + { + "type": "CVE", + "value": "CVE-2024-45590", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2024-45590", + }, + { + "type": "URL", + "value": "https://access.redhat.com/security/cve/CVE-2024-45590", + }, + { + "type": "URL", + "value": "https://github.com/expressjs/body-parser", + }, + { + "type": "URL", + "value": "https://github.com/expressjs/body-parser/commit/b2695c4450f06ba3b0ccf48d872a229bb41c9bce", + }, + { + "type": "URL", + "value": "https://github.com/expressjs/body-parser/security/advisories/GHSA-qwcr-r2fm-qrc7", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2024-45590", + }, + { + "type": "URL", + "value": "https://www.cve.org/CVERecord?id=CVE-2024-45590", + }, + ], + "severity": "HIGH", + }, + { + "attributes": { + "fixedVersion": "3.0.3", + "foundIn": "Node.js", + "installedVersion": "2.3.2", + "packageName": "braces", + "references": [ + "https://access.redhat.com/security/cve/CVE-2024-4068", + "https://devhub.checkmarx.com/cve-details/CVE-2024-4068", + "https://devhub.checkmarx.com/cve-details/CVE-2024-4068/", + "https://github.com/micromatch/braces", + "https://github.com/micromatch/braces/blob/98414f9f1fabe021736e26836d8306d5de747e0d/lib/parse.js#L308", + "https://github.com/micromatch/braces/commit/415d660c3002d1ab7e63dbf490c9851da80596ff", + "https://github.com/micromatch/braces/issues/35", + "https://github.com/micromatch/braces/pull/37", + "https://github.com/micromatch/braces/pull/40", + "https://nvd.nist.gov/vuln/detail/CVE-2024-4068", + "https://www.cve.org/CVERecord?id=CVE-2024-4068", + ], + "vulnerabilityId": "CVE-2024-4068", + }, + "category": "NPM 
Package Vulnerability", + "description": "The NPM package \`braces\`, versions prior to 3.0.3, fails to limit the number of characters it can handle, which could lead to Memory Exhaustion. In \`lib/parse.js,\` if a malicious user sends "imbalanced braces" as input, the parsing will enter a loop, which will cause the program to start allocating heap memory without freeing it at any moment of the loop. Eventually, the JavaScript heap limit is reached, and the program will crash.", + "location": "bkimminich/juice-shop:v10.2.0", + "mitigation": "Update the affected package braces to the fixed version: 3.0.3 or remove the package from the image.", + "name": "braces: fails to limit the number of characters it can handle", + "osi_layer": "NOT_APPLICABLE", + "references": [ + { + "type": "CVE", + "value": "CVE-2024-4068", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2024-4068", + }, + { + "type": "URL", + "value": "https://access.redhat.com/security/cve/CVE-2024-4068", + }, + { + "type": "URL", + "value": "https://devhub.checkmarx.com/cve-details/CVE-2024-4068", + }, + { + "type": "URL", + "value": "https://devhub.checkmarx.com/cve-details/CVE-2024-4068/", + }, + { + "type": "URL", + "value": "https://github.com/micromatch/braces", + }, + { + "type": "URL", + "value": "https://github.com/micromatch/braces/blob/98414f9f1fabe021736e26836d8306d5de747e0d/lib/parse.js#L308", + }, + { + "type": "URL", + "value": "https://github.com/micromatch/braces/commit/415d660c3002d1ab7e63dbf490c9851da80596ff", + }, + { + "type": "URL", + "value": "https://github.com/micromatch/braces/issues/35", + }, + { + "type": "URL", + "value": "https://github.com/micromatch/braces/pull/37", + }, + { + "type": "URL", + "value": "https://github.com/micromatch/braces/pull/40", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2024-4068", + }, + { + "type": "URL", + "value": "https://www.cve.org/CVERecord?id=CVE-2024-4068", + }, + ], + "severity": 
"HIGH", + }, + { + "attributes": { + "fixedVersion": "1.5.5", + "foundIn": "Node.js", + "installedVersion": "1.5.3", + "packageName": "color-string", + "references": [ + "https://access.redhat.com/security/cve/CVE-2021-29060", + "https://github.com/Qix-/color-string/commit/0789e21284c33d89ebc4ab4ca6f759b9375ac9d3", + "https://github.com/Qix-/color-string/releases/tag/1.5.5", + "https://github.com/yetingli/PoCs/blob/main/CVE-2021-29060/Color-String.md", + "https://github.com/yetingli/SaveResults/blob/main/js/color-string.js", + "https://nvd.nist.gov/vuln/detail/CVE-2021-29060", + "https://snyk.io/vuln/SNYK-JS-COLORSTRING-1082939", + "https://www.cve.org/CVERecord?id=CVE-2021-29060", + "https://www.npmjs.com/package/color-string", + ], + "vulnerabilityId": "CVE-2021-29060", + }, + "category": "NPM Package Vulnerability", + "description": "A Regular Expression Denial of Service (ReDOS) vulnerability was discovered in Color-String version 1.5.5 and below which occurs when the application is provided and checks a crafted invalid HWB string.", + "location": "bkimminich/juice-shop:v10.2.0", + "mitigation": "Update the affected package color-string to the fixed version: 1.5.5 or remove the package from the image.", + "name": "nodejs-color-string: Regular expression denial of service when the application is provided and checks a crafted invalid HWB string", + "osi_layer": "NOT_APPLICABLE", + "references": [ + { + "type": "CVE", + "value": "CVE-2021-29060", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2021-29060", + }, + { + "type": "URL", + "value": "https://access.redhat.com/security/cve/CVE-2021-29060", + }, + { + "type": "URL", + "value": "https://github.com/Qix-/color-string/commit/0789e21284c33d89ebc4ab4ca6f759b9375ac9d3", + }, + { + "type": "URL", + "value": "https://github.com/Qix-/color-string/releases/tag/1.5.5", + }, + { + "type": "URL", + "value": "https://github.com/yetingli/PoCs/blob/main/CVE-2021-29060/Color-String.md", + }, + { + 
"type": "URL", + "value": "https://github.com/yetingli/SaveResults/blob/main/js/color-string.js", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2021-29060", + }, + { + "type": "URL", + "value": "https://snyk.io/vuln/SNYK-JS-COLORSTRING-1082939", + }, + { + "type": "URL", + "value": "https://www.cve.org/CVERecord?id=CVE-2021-29060", + }, + { + "type": "URL", + "value": "https://www.npmjs.com/package/color-string", + }, + ], + "severity": "MEDIUM", + }, + { + "attributes": { + "fixedVersion": "0.7.0", + "foundIn": "Node.js", + "installedVersion": "0.3.1", + "packageName": "cookie", + "references": [ + "https://access.redhat.com/security/cve/CVE-2024-47764", + "https://github.com/jshttp/cookie", + "https://github.com/jshttp/cookie/commit/e10042845354fea83bd8f34af72475eed1dadf5c", + "https://github.com/jshttp/cookie/pull/167", + "https://github.com/jshttp/cookie/security/advisories/GHSA-pxg6-pf52-xh8x", + "https://nvd.nist.gov/vuln/detail/CVE-2024-47764", + "https://www.cve.org/CVERecord?id=CVE-2024-47764", + ], + "vulnerabilityId": "CVE-2024-47764", + }, + "category": "NPM Package Vulnerability", + "description": "cookie is a basic HTTP cookie parser and serializer for HTTP servers. The cookie name could be used to set other fields of the cookie, resulting in an unexpected cookie value. A similar escape can be used for path and domain, which could be abused to alter other fields of the cookie. 
Upgrade to 0.7.0, which updates the validation for name, path, and domain.", + "location": "bkimminich/juice-shop:v10.2.0", + "mitigation": "Update the affected package cookie to the fixed version: 0.7.0 or remove the package from the image.", + "name": "cookie: cookie accepts cookie name, path, and domain with out of bounds characters", + "osi_layer": "NOT_APPLICABLE", + "references": [ + { + "type": "CVE", + "value": "CVE-2024-47764", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2024-47764", + }, + { + "type": "URL", + "value": "https://access.redhat.com/security/cve/CVE-2024-47764", + }, + { + "type": "URL", + "value": "https://github.com/jshttp/cookie", + }, + { + "type": "URL", + "value": "https://github.com/jshttp/cookie/commit/e10042845354fea83bd8f34af72475eed1dadf5c", + }, + { + "type": "URL", + "value": "https://github.com/jshttp/cookie/pull/167", + }, + { + "type": "URL", + "value": "https://github.com/jshttp/cookie/security/advisories/GHSA-pxg6-pf52-xh8x", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2024-47764", + }, + { + "type": "URL", + "value": "https://www.cve.org/CVERecord?id=CVE-2024-47764", + }, + ], + "severity": "LOW", + }, + { + "attributes": { + "fixedVersion": "0.7.0", + "foundIn": "Node.js", + "installedVersion": "0.4.0", + "packageName": "cookie", + "references": [ + "https://access.redhat.com/security/cve/CVE-2024-47764", + "https://github.com/jshttp/cookie", + "https://github.com/jshttp/cookie/commit/e10042845354fea83bd8f34af72475eed1dadf5c", + "https://github.com/jshttp/cookie/pull/167", + "https://github.com/jshttp/cookie/security/advisories/GHSA-pxg6-pf52-xh8x", + "https://nvd.nist.gov/vuln/detail/CVE-2024-47764", + "https://www.cve.org/CVERecord?id=CVE-2024-47764", + ], + "vulnerabilityId": "CVE-2024-47764", + }, + "category": "NPM Package Vulnerability", + "description": "cookie is a basic HTTP cookie parser and serializer for HTTP servers. 
The cookie name could be used to set other fields of the cookie, resulting in an unexpected cookie value. A similar escape can be used for path and domain, which could be abused to alter other fields of the cookie. Upgrade to 0.7.0, which updates the validation for name, path, and domain.", + "location": "bkimminich/juice-shop:v10.2.0", + "mitigation": "Update the affected package cookie to the fixed version: 0.7.0 or remove the package from the image.", + "name": "cookie: cookie accepts cookie name, path, and domain with out of bounds characters", + "osi_layer": "NOT_APPLICABLE", + "references": [ + { + "type": "CVE", + "value": "CVE-2024-47764", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2024-47764", + }, + { + "type": "URL", + "value": "https://access.redhat.com/security/cve/CVE-2024-47764", + }, + { + "type": "URL", + "value": "https://github.com/jshttp/cookie", + }, + { + "type": "URL", + "value": "https://github.com/jshttp/cookie/commit/e10042845354fea83bd8f34af72475eed1dadf5c", + }, + { + "type": "URL", + "value": "https://github.com/jshttp/cookie/pull/167", + }, + { + "type": "URL", + "value": "https://github.com/jshttp/cookie/security/advisories/GHSA-pxg6-pf52-xh8x", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2024-47764", + }, + { + "type": "URL", + "value": "https://www.cve.org/CVERecord?id=CVE-2024-47764", + }, + ], + "severity": "LOW", + }, + { + "attributes": { + "fixedVersion": "4.2.0", + "foundIn": "Node.js", + "installedVersion": "3.3.0", + "packageName": "crypto-js", + "references": [ + "https://access.redhat.com/security/cve/CVE-2023-46233", + "https://github.com/brix/crypto-js", + "https://github.com/brix/crypto-js/commit/421dd538b2d34e7c24a5b72cc64dc2b9167db40a", + "https://github.com/brix/crypto-js/security/advisories/GHSA-xwcq-pm8m-c4vf", + "https://lists.debian.org/debian-lts-announce/2023/11/msg00025.html", + "https://nvd.nist.gov/vuln/detail/CVE-2023-46233", + 
"https://ubuntu.com/security/notices/USN-6753-1", + "https://www.cve.org/CVERecord?id=CVE-2023-46233", + ], + "vulnerabilityId": "CVE-2023-46233", + }, + "category": "NPM Package Vulnerability", + "description": "crypto-js is a JavaScript library of crypto standards. Prior to version 4.2.0, crypto-js PBKDF2 is 1,000 times weaker than originally specified in 1993, and at least 1,300,000 times weaker than current industry standard. This is because it both defaults to SHA1, a cryptographic hash algorithm considered insecure since at least 2005, and defaults to one single iteration, a 'strength' or 'difficulty' value specified at 1,000 when specified in 1993. PBKDF2 relies on iteration count as a countermeasure to preimage and collision attacks. If used to protect passwords, the impact is high. If used to generate signatures, the impact is high. Version 4.2.0 contains a patch for this issue. As a workaround, configure crypto-js to use SHA256 with at least 250,000 iterations.", + "location": "bkimminich/juice-shop:v10.2.0", + "mitigation": "Update the affected package crypto-js to the fixed version: 4.2.0 or remove the package from the image.", + "name": "crypto-js: PBKDF2 1,000 times weaker than specified in 1993 and 1.3M times weaker than current standard", + "osi_layer": "NOT_APPLICABLE", + "references": [ + { + "type": "CVE", + "value": "CVE-2023-46233", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2023-46233", + }, + { + "type": "URL", + "value": "https://access.redhat.com/security/cve/CVE-2023-46233", + }, + { + "type": "URL", + "value": "https://github.com/brix/crypto-js", + }, + { + "type": "URL", + "value": "https://github.com/brix/crypto-js/commit/421dd538b2d34e7c24a5b72cc64dc2b9167db40a", + }, + { + "type": "URL", + "value": "https://github.com/brix/crypto-js/security/advisories/GHSA-xwcq-pm8m-c4vf", + }, + { + "type": "URL", + "value": "https://lists.debian.org/debian-lts-announce/2023/11/msg00025.html", + }, + { + "type": 
"URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2023-46233", + }, + { + "type": "URL", + "value": "https://ubuntu.com/security/notices/USN-6753-1", + }, + { + "type": "URL", + "value": "https://www.cve.org/CVERecord?id=CVE-2023-46233", + }, + ], + "severity": "HIGH", + }, + { + "attributes": { + "fixedVersion": "2.6.9, 3.1.0, 3.2.7, 4.3.1", + "foundIn": "Node.js", + "installedVersion": "3.2.6", + "packageName": "debug", + "references": [ + "https://access.redhat.com/security/cve/CVE-2017-16137", + "https://github.com/debug-js/debug/commit/4e2150207c568adb9ead8f4c4528016081c88020", + "https://github.com/debug-js/debug/commit/71169065b5262f9858ac78cc0b688c84a438f290", + "https://github.com/debug-js/debug/commit/b6d12fdbc63b483e5c969da33ea6adc09946b5ac", + "https://github.com/debug-js/debug/commit/f53962e944a87e6ca9bb622a2a12dffc22a9bb5a", + "https://github.com/debug-js/debug/issues/797", + "https://github.com/visionmedia/debug", + "https://github.com/visionmedia/debug/issues/501", + "https://github.com/visionmedia/debug/pull/504", + "https://lists.apache.org/thread.html/r8ba4c628fba7181af58817d452119481adce4ba92e889c643e4c7dd3%40%3Ccommits.netbeans.apache.org%3E", + "https://lists.apache.org/thread.html/r8ba4c628fba7181af58817d452119481adce4ba92e889c643e4c7dd3@%3Ccommits.netbeans.apache.org%3E", + "https://lists.apache.org/thread.html/rb5ac16fad337d1f3bb7079549f97d8166d0ef3082629417c39f12d63%40%3Cnotifications.netbeans.apache.org%3E", + "https://lists.apache.org/thread.html/rb5ac16fad337d1f3bb7079549f97d8166d0ef3082629417c39f12d63@%3Cnotifications.netbeans.apache.org%3E", + "https://nodesecurity.io/advisories/534", + "https://nvd.nist.gov/vuln/detail/CVE-2017-16137", + "https://www.cve.org/CVERecord?id=CVE-2017-16137", + ], + "vulnerabilityId": "CVE-2017-16137", + }, + "category": "NPM Package Vulnerability", + "description": "The debug module is vulnerable to regular expression denial of service when untrusted user input is passed into the o formatter. 
It takes around 50k characters to block for 2 seconds making this a low severity issue.", + "location": "bkimminich/juice-shop:v10.2.0", + "mitigation": "Update the affected package debug to the fixed version: 2.6.9, 3.1.0, 3.2.7, 4.3.1 or remove the package from the image.", + "name": "nodejs-debug: Regular expression Denial of Service", + "osi_layer": "NOT_APPLICABLE", + "references": [ + { + "type": "CVE", + "value": "CVE-2017-16137", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2017-16137", + }, + { + "type": "URL", + "value": "https://access.redhat.com/security/cve/CVE-2017-16137", + }, + { + "type": "URL", + "value": "https://github.com/debug-js/debug/commit/4e2150207c568adb9ead8f4c4528016081c88020", + }, + { + "type": "URL", + "value": "https://github.com/debug-js/debug/commit/71169065b5262f9858ac78cc0b688c84a438f290", + }, + { + "type": "URL", + "value": "https://github.com/debug-js/debug/commit/b6d12fdbc63b483e5c969da33ea6adc09946b5ac", + }, + { + "type": "URL", + "value": "https://github.com/debug-js/debug/commit/f53962e944a87e6ca9bb622a2a12dffc22a9bb5a", + }, + { + "type": "URL", + "value": "https://github.com/debug-js/debug/issues/797", + }, + { + "type": "URL", + "value": "https://github.com/visionmedia/debug", + }, + { + "type": "URL", + "value": "https://github.com/visionmedia/debug/issues/501", + }, + { + "type": "URL", + "value": "https://github.com/visionmedia/debug/pull/504", + }, + { + "type": "URL", + "value": "https://lists.apache.org/thread.html/r8ba4c628fba7181af58817d452119481adce4ba92e889c643e4c7dd3%40%3Ccommits.netbeans.apache.org%3E", + }, + { + "type": "URL", + "value": "https://lists.apache.org/thread.html/r8ba4c628fba7181af58817d452119481adce4ba92e889c643e4c7dd3@%3Ccommits.netbeans.apache.org%3E", + }, + { + "type": "URL", + "value": "https://lists.apache.org/thread.html/rb5ac16fad337d1f3bb7079549f97d8166d0ef3082629417c39f12d63%40%3Cnotifications.netbeans.apache.org%3E", + }, + { + "type": "URL", + 
"value": "https://lists.apache.org/thread.html/rb5ac16fad337d1f3bb7079549f97d8166d0ef3082629417c39f12d63@%3Cnotifications.netbeans.apache.org%3E", + }, + { + "type": "URL", + "value": "https://nodesecurity.io/advisories/534", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2017-16137", + }, + { + "type": "URL", + "value": "https://www.cve.org/CVERecord?id=CVE-2017-16137", + }, + ], + "severity": "LOW", + }, + { + "attributes": { + "fixedVersion": "2.6.9, 3.1.0, 3.2.7, 4.3.1", + "foundIn": "Node.js", + "installedVersion": "4.1.1", + "packageName": "debug", + "references": [ + "https://access.redhat.com/security/cve/CVE-2017-16137", + "https://github.com/debug-js/debug/commit/4e2150207c568adb9ead8f4c4528016081c88020", + "https://github.com/debug-js/debug/commit/71169065b5262f9858ac78cc0b688c84a438f290", + "https://github.com/debug-js/debug/commit/b6d12fdbc63b483e5c969da33ea6adc09946b5ac", + "https://github.com/debug-js/debug/commit/f53962e944a87e6ca9bb622a2a12dffc22a9bb5a", + "https://github.com/debug-js/debug/issues/797", + "https://github.com/visionmedia/debug", + "https://github.com/visionmedia/debug/issues/501", + "https://github.com/visionmedia/debug/pull/504", + "https://lists.apache.org/thread.html/r8ba4c628fba7181af58817d452119481adce4ba92e889c643e4c7dd3%40%3Ccommits.netbeans.apache.org%3E", + "https://lists.apache.org/thread.html/r8ba4c628fba7181af58817d452119481adce4ba92e889c643e4c7dd3@%3Ccommits.netbeans.apache.org%3E", + "https://lists.apache.org/thread.html/rb5ac16fad337d1f3bb7079549f97d8166d0ef3082629417c39f12d63%40%3Cnotifications.netbeans.apache.org%3E", + "https://lists.apache.org/thread.html/rb5ac16fad337d1f3bb7079549f97d8166d0ef3082629417c39f12d63@%3Cnotifications.netbeans.apache.org%3E", + "https://nodesecurity.io/advisories/534", + "https://nvd.nist.gov/vuln/detail/CVE-2017-16137", + "https://www.cve.org/CVERecord?id=CVE-2017-16137", + ], + "vulnerabilityId": "CVE-2017-16137", + }, + "category": "NPM Package 
Vulnerability", + "description": "The debug module is vulnerable to regular expression denial of service when untrusted user input is passed into the o formatter. It takes around 50k characters to block for 2 seconds making this a low severity issue.", + "location": "bkimminich/juice-shop:v10.2.0", + "mitigation": "Update the affected package debug to the fixed version: 2.6.9, 3.1.0, 3.2.7, 4.3.1 or remove the package from the image.", + "name": "nodejs-debug: Regular expression Denial of Service", + "osi_layer": "NOT_APPLICABLE", + "references": [ + { + "type": "CVE", + "value": "CVE-2017-16137", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2017-16137", + }, + { + "type": "URL", + "value": "https://access.redhat.com/security/cve/CVE-2017-16137", + }, + { + "type": "URL", + "value": "https://github.com/debug-js/debug/commit/4e2150207c568adb9ead8f4c4528016081c88020", + }, + { + "type": "URL", + "value": "https://github.com/debug-js/debug/commit/71169065b5262f9858ac78cc0b688c84a438f290", + }, + { + "type": "URL", + "value": "https://github.com/debug-js/debug/commit/b6d12fdbc63b483e5c969da33ea6adc09946b5ac", + }, + { + "type": "URL", + "value": "https://github.com/debug-js/debug/commit/f53962e944a87e6ca9bb622a2a12dffc22a9bb5a", + }, + { + "type": "URL", + "value": "https://github.com/debug-js/debug/issues/797", + }, + { + "type": "URL", + "value": "https://github.com/visionmedia/debug", + }, + { + "type": "URL", + "value": "https://github.com/visionmedia/debug/issues/501", + }, + { + "type": "URL", + "value": "https://github.com/visionmedia/debug/pull/504", + }, + { + "type": "URL", + "value": "https://lists.apache.org/thread.html/r8ba4c628fba7181af58817d452119481adce4ba92e889c643e4c7dd3%40%3Ccommits.netbeans.apache.org%3E", + }, + { + "type": "URL", + "value": "https://lists.apache.org/thread.html/r8ba4c628fba7181af58817d452119481adce4ba92e889c643e4c7dd3@%3Ccommits.netbeans.apache.org%3E", + }, + { + "type": "URL", + "value": 
"https://lists.apache.org/thread.html/rb5ac16fad337d1f3bb7079549f97d8166d0ef3082629417c39f12d63%40%3Cnotifications.netbeans.apache.org%3E", + }, + { + "type": "URL", + "value": "https://lists.apache.org/thread.html/rb5ac16fad337d1f3bb7079549f97d8166d0ef3082629417c39f12d63@%3Cnotifications.netbeans.apache.org%3E", + }, + { + "type": "URL", + "value": "https://nodesecurity.io/advisories/534", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2017-16137", + }, + { + "type": "URL", + "value": "https://www.cve.org/CVERecord?id=CVE-2017-16137", + }, + ], + "severity": "LOW", + }, + { + "attributes": { + "fixedVersion": "2.6.9, 3.1.0, 3.2.7, 4.3.1", + "foundIn": "Node.js", + "installedVersion": "4.1.1", + "packageName": "debug", + "references": [ + "https://access.redhat.com/security/cve/CVE-2017-16137", + "https://github.com/debug-js/debug/commit/4e2150207c568adb9ead8f4c4528016081c88020", + "https://github.com/debug-js/debug/commit/71169065b5262f9858ac78cc0b688c84a438f290", + "https://github.com/debug-js/debug/commit/b6d12fdbc63b483e5c969da33ea6adc09946b5ac", + "https://github.com/debug-js/debug/commit/f53962e944a87e6ca9bb622a2a12dffc22a9bb5a", + "https://github.com/debug-js/debug/issues/797", + "https://github.com/visionmedia/debug", + "https://github.com/visionmedia/debug/issues/501", + "https://github.com/visionmedia/debug/pull/504", + "https://lists.apache.org/thread.html/r8ba4c628fba7181af58817d452119481adce4ba92e889c643e4c7dd3%40%3Ccommits.netbeans.apache.org%3E", + "https://lists.apache.org/thread.html/r8ba4c628fba7181af58817d452119481adce4ba92e889c643e4c7dd3@%3Ccommits.netbeans.apache.org%3E", + "https://lists.apache.org/thread.html/rb5ac16fad337d1f3bb7079549f97d8166d0ef3082629417c39f12d63%40%3Cnotifications.netbeans.apache.org%3E", + "https://lists.apache.org/thread.html/rb5ac16fad337d1f3bb7079549f97d8166d0ef3082629417c39f12d63@%3Cnotifications.netbeans.apache.org%3E", + "https://nodesecurity.io/advisories/534", + 
"https://nvd.nist.gov/vuln/detail/CVE-2017-16137", + "https://www.cve.org/CVERecord?id=CVE-2017-16137", + ], + "vulnerabilityId": "CVE-2017-16137", + }, + "category": "NPM Package Vulnerability", + "description": "The debug module is vulnerable to regular expression denial of service when untrusted user input is passed into the o formatter. It takes around 50k characters to block for 2 seconds making this a low severity issue.", + "location": "bkimminich/juice-shop:v10.2.0", + "mitigation": "Update the affected package debug to the fixed version: 2.6.9, 3.1.0, 3.2.7, 4.3.1 or remove the package from the image.", + "name": "nodejs-debug: Regular expression Denial of Service", + "osi_layer": "NOT_APPLICABLE", + "references": [ + { + "type": "CVE", + "value": "CVE-2017-16137", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2017-16137", + }, + { + "type": "URL", + "value": "https://access.redhat.com/security/cve/CVE-2017-16137", + }, + { + "type": "URL", + "value": "https://github.com/debug-js/debug/commit/4e2150207c568adb9ead8f4c4528016081c88020", + }, + { + "type": "URL", + "value": "https://github.com/debug-js/debug/commit/71169065b5262f9858ac78cc0b688c84a438f290", + }, + { + "type": "URL", + "value": "https://github.com/debug-js/debug/commit/b6d12fdbc63b483e5c969da33ea6adc09946b5ac", + }, + { + "type": "URL", + "value": "https://github.com/debug-js/debug/commit/f53962e944a87e6ca9bb622a2a12dffc22a9bb5a", + }, + { + "type": "URL", + "value": "https://github.com/debug-js/debug/issues/797", + }, + { + "type": "URL", + "value": "https://github.com/visionmedia/debug", + }, + { + "type": "URL", + "value": "https://github.com/visionmedia/debug/issues/501", + }, + { + "type": "URL", + "value": "https://github.com/visionmedia/debug/pull/504", + }, + { + "type": "URL", + "value": "https://lists.apache.org/thread.html/r8ba4c628fba7181af58817d452119481adce4ba92e889c643e4c7dd3%40%3Ccommits.netbeans.apache.org%3E", + }, + { + "type": "URL", + "value": 
"https://lists.apache.org/thread.html/r8ba4c628fba7181af58817d452119481adce4ba92e889c643e4c7dd3@%3Ccommits.netbeans.apache.org%3E", + }, + { + "type": "URL", + "value": "https://lists.apache.org/thread.html/rb5ac16fad337d1f3bb7079549f97d8166d0ef3082629417c39f12d63%40%3Cnotifications.netbeans.apache.org%3E", + }, + { + "type": "URL", + "value": "https://lists.apache.org/thread.html/rb5ac16fad337d1f3bb7079549f97d8166d0ef3082629417c39f12d63@%3Cnotifications.netbeans.apache.org%3E", + }, + { + "type": "URL", + "value": "https://nodesecurity.io/advisories/534", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2017-16137", + }, + { + "type": "URL", + "value": "https://www.cve.org/CVERecord?id=CVE-2017-16137", + }, + ], + "severity": "LOW", + }, + { + "attributes": { + "fixedVersion": "2.6.9, 3.1.0, 3.2.7, 4.3.1", + "foundIn": "Node.js", + "installedVersion": "4.1.1", + "packageName": "debug", + "references": [ + "https://access.redhat.com/security/cve/CVE-2017-16137", + "https://github.com/debug-js/debug/commit/4e2150207c568adb9ead8f4c4528016081c88020", + "https://github.com/debug-js/debug/commit/71169065b5262f9858ac78cc0b688c84a438f290", + "https://github.com/debug-js/debug/commit/b6d12fdbc63b483e5c969da33ea6adc09946b5ac", + "https://github.com/debug-js/debug/commit/f53962e944a87e6ca9bb622a2a12dffc22a9bb5a", + "https://github.com/debug-js/debug/issues/797", + "https://github.com/visionmedia/debug", + "https://github.com/visionmedia/debug/issues/501", + "https://github.com/visionmedia/debug/pull/504", + "https://lists.apache.org/thread.html/r8ba4c628fba7181af58817d452119481adce4ba92e889c643e4c7dd3%40%3Ccommits.netbeans.apache.org%3E", + "https://lists.apache.org/thread.html/r8ba4c628fba7181af58817d452119481adce4ba92e889c643e4c7dd3@%3Ccommits.netbeans.apache.org%3E", + "https://lists.apache.org/thread.html/rb5ac16fad337d1f3bb7079549f97d8166d0ef3082629417c39f12d63%40%3Cnotifications.netbeans.apache.org%3E", + 
"https://lists.apache.org/thread.html/rb5ac16fad337d1f3bb7079549f97d8166d0ef3082629417c39f12d63@%3Cnotifications.netbeans.apache.org%3E", + "https://nodesecurity.io/advisories/534", + "https://nvd.nist.gov/vuln/detail/CVE-2017-16137", + "https://www.cve.org/CVERecord?id=CVE-2017-16137", + ], + "vulnerabilityId": "CVE-2017-16137", + }, + "category": "NPM Package Vulnerability", + "description": "The debug module is vulnerable to regular expression denial of service when untrusted user input is passed into the o formatter. It takes around 50k characters to block for 2 seconds making this a low severity issue.", + "location": "bkimminich/juice-shop:v10.2.0", + "mitigation": "Update the affected package debug to the fixed version: 2.6.9, 3.1.0, 3.2.7, 4.3.1 or remove the package from the image.", + "name": "nodejs-debug: Regular expression Denial of Service", + "osi_layer": "NOT_APPLICABLE", + "references": [ + { + "type": "CVE", + "value": "CVE-2017-16137", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2017-16137", + }, + { + "type": "URL", + "value": "https://access.redhat.com/security/cve/CVE-2017-16137", + }, + { + "type": "URL", + "value": "https://github.com/debug-js/debug/commit/4e2150207c568adb9ead8f4c4528016081c88020", + }, + { + "type": "URL", + "value": "https://github.com/debug-js/debug/commit/71169065b5262f9858ac78cc0b688c84a438f290", + }, + { + "type": "URL", + "value": "https://github.com/debug-js/debug/commit/b6d12fdbc63b483e5c969da33ea6adc09946b5ac", + }, + { + "type": "URL", + "value": "https://github.com/debug-js/debug/commit/f53962e944a87e6ca9bb622a2a12dffc22a9bb5a", + }, + { + "type": "URL", + "value": "https://github.com/debug-js/debug/issues/797", + }, + { + "type": "URL", + "value": "https://github.com/visionmedia/debug", + }, + { + "type": "URL", + "value": "https://github.com/visionmedia/debug/issues/501", + }, + { + "type": "URL", + "value": "https://github.com/visionmedia/debug/pull/504", + }, + { + "type": 
"URL", + "value": "https://lists.apache.org/thread.html/r8ba4c628fba7181af58817d452119481adce4ba92e889c643e4c7dd3%40%3Ccommits.netbeans.apache.org%3E", + }, + { + "type": "URL", + "value": "https://lists.apache.org/thread.html/r8ba4c628fba7181af58817d452119481adce4ba92e889c643e4c7dd3@%3Ccommits.netbeans.apache.org%3E", + }, + { + "type": "URL", + "value": "https://lists.apache.org/thread.html/rb5ac16fad337d1f3bb7079549f97d8166d0ef3082629417c39f12d63%40%3Cnotifications.netbeans.apache.org%3E", + }, + { + "type": "URL", + "value": "https://lists.apache.org/thread.html/rb5ac16fad337d1f3bb7079549f97d8166d0ef3082629417c39f12d63@%3Cnotifications.netbeans.apache.org%3E", + }, + { + "type": "URL", + "value": "https://nodesecurity.io/advisories/534", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2017-16137", + }, + { + "type": "URL", + "value": "https://www.cve.org/CVERecord?id=CVE-2017-16137", + }, + ], + "severity": "LOW", + }, + { + "attributes": { + "fixedVersion": "2.6.9, 3.1.0, 3.2.7, 4.3.1", + "foundIn": "Node.js", + "installedVersion": "4.1.1", + "packageName": "debug", + "references": [ + "https://access.redhat.com/security/cve/CVE-2017-16137", + "https://github.com/debug-js/debug/commit/4e2150207c568adb9ead8f4c4528016081c88020", + "https://github.com/debug-js/debug/commit/71169065b5262f9858ac78cc0b688c84a438f290", + "https://github.com/debug-js/debug/commit/b6d12fdbc63b483e5c969da33ea6adc09946b5ac", + "https://github.com/debug-js/debug/commit/f53962e944a87e6ca9bb622a2a12dffc22a9bb5a", + "https://github.com/debug-js/debug/issues/797", + "https://github.com/visionmedia/debug", + "https://github.com/visionmedia/debug/issues/501", + "https://github.com/visionmedia/debug/pull/504", + "https://lists.apache.org/thread.html/r8ba4c628fba7181af58817d452119481adce4ba92e889c643e4c7dd3%40%3Ccommits.netbeans.apache.org%3E", + 
"https://lists.apache.org/thread.html/r8ba4c628fba7181af58817d452119481adce4ba92e889c643e4c7dd3@%3Ccommits.netbeans.apache.org%3E", + "https://lists.apache.org/thread.html/rb5ac16fad337d1f3bb7079549f97d8166d0ef3082629417c39f12d63%40%3Cnotifications.netbeans.apache.org%3E", + "https://lists.apache.org/thread.html/rb5ac16fad337d1f3bb7079549f97d8166d0ef3082629417c39f12d63@%3Cnotifications.netbeans.apache.org%3E", + "https://nodesecurity.io/advisories/534", + "https://nvd.nist.gov/vuln/detail/CVE-2017-16137", + "https://www.cve.org/CVERecord?id=CVE-2017-16137", + ], + "vulnerabilityId": "CVE-2017-16137", + }, + "category": "NPM Package Vulnerability", + "description": "The debug module is vulnerable to regular expression denial of service when untrusted user input is passed into the o formatter. It takes around 50k characters to block for 2 seconds making this a low severity issue.", + "location": "bkimminich/juice-shop:v10.2.0", + "mitigation": "Update the affected package debug to the fixed version: 2.6.9, 3.1.0, 3.2.7, 4.3.1 or remove the package from the image.", + "name": "nodejs-debug: Regular expression Denial of Service", + "osi_layer": "NOT_APPLICABLE", + "references": [ + { + "type": "CVE", + "value": "CVE-2017-16137", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2017-16137", + }, + { + "type": "URL", + "value": "https://access.redhat.com/security/cve/CVE-2017-16137", + }, + { + "type": "URL", + "value": "https://github.com/debug-js/debug/commit/4e2150207c568adb9ead8f4c4528016081c88020", + }, + { + "type": "URL", + "value": "https://github.com/debug-js/debug/commit/71169065b5262f9858ac78cc0b688c84a438f290", + }, + { + "type": "URL", + "value": "https://github.com/debug-js/debug/commit/b6d12fdbc63b483e5c969da33ea6adc09946b5ac", + }, + { + "type": "URL", + "value": "https://github.com/debug-js/debug/commit/f53962e944a87e6ca9bb622a2a12dffc22a9bb5a", + }, + { + "type": "URL", + "value": "https://github.com/debug-js/debug/issues/797", 
+ }, + { + "type": "URL", + "value": "https://github.com/visionmedia/debug", + }, + { + "type": "URL", + "value": "https://github.com/visionmedia/debug/issues/501", + }, + { + "type": "URL", + "value": "https://github.com/visionmedia/debug/pull/504", + }, + { + "type": "URL", + "value": "https://lists.apache.org/thread.html/r8ba4c628fba7181af58817d452119481adce4ba92e889c643e4c7dd3%40%3Ccommits.netbeans.apache.org%3E", + }, + { + "type": "URL", + "value": "https://lists.apache.org/thread.html/r8ba4c628fba7181af58817d452119481adce4ba92e889c643e4c7dd3@%3Ccommits.netbeans.apache.org%3E", + }, + { + "type": "URL", + "value": "https://lists.apache.org/thread.html/rb5ac16fad337d1f3bb7079549f97d8166d0ef3082629417c39f12d63%40%3Cnotifications.netbeans.apache.org%3E", + }, + { + "type": "URL", + "value": "https://lists.apache.org/thread.html/rb5ac16fad337d1f3bb7079549f97d8166d0ef3082629417c39f12d63@%3Cnotifications.netbeans.apache.org%3E", + }, + { + "type": "URL", + "value": "https://nodesecurity.io/advisories/534", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2017-16137", + }, + { + "type": "URL", + "value": "https://www.cve.org/CVERecord?id=CVE-2017-16137", + }, + ], + "severity": "LOW", + }, + { + "attributes": { + "fixedVersion": "2.6.9, 3.1.0, 3.2.7, 4.3.1", + "foundIn": "Node.js", + "installedVersion": "4.1.1", + "packageName": "debug", + "references": [ + "https://access.redhat.com/security/cve/CVE-2017-16137", + "https://github.com/debug-js/debug/commit/4e2150207c568adb9ead8f4c4528016081c88020", + "https://github.com/debug-js/debug/commit/71169065b5262f9858ac78cc0b688c84a438f290", + "https://github.com/debug-js/debug/commit/b6d12fdbc63b483e5c969da33ea6adc09946b5ac", + "https://github.com/debug-js/debug/commit/f53962e944a87e6ca9bb622a2a12dffc22a9bb5a", + "https://github.com/debug-js/debug/issues/797", + "https://github.com/visionmedia/debug", + "https://github.com/visionmedia/debug/issues/501", + 
"https://github.com/visionmedia/debug/pull/504", + "https://lists.apache.org/thread.html/r8ba4c628fba7181af58817d452119481adce4ba92e889c643e4c7dd3%40%3Ccommits.netbeans.apache.org%3E", + "https://lists.apache.org/thread.html/r8ba4c628fba7181af58817d452119481adce4ba92e889c643e4c7dd3@%3Ccommits.netbeans.apache.org%3E", + "https://lists.apache.org/thread.html/rb5ac16fad337d1f3bb7079549f97d8166d0ef3082629417c39f12d63%40%3Cnotifications.netbeans.apache.org%3E", + "https://lists.apache.org/thread.html/rb5ac16fad337d1f3bb7079549f97d8166d0ef3082629417c39f12d63@%3Cnotifications.netbeans.apache.org%3E", + "https://nodesecurity.io/advisories/534", + "https://nvd.nist.gov/vuln/detail/CVE-2017-16137", + "https://www.cve.org/CVERecord?id=CVE-2017-16137", + ], + "vulnerabilityId": "CVE-2017-16137", + }, + "category": "NPM Package Vulnerability", + "description": "The debug module is vulnerable to regular expression denial of service when untrusted user input is passed into the o formatter. It takes around 50k characters to block for 2 seconds making this a low severity issue.", + "location": "bkimminich/juice-shop:v10.2.0", + "mitigation": "Update the affected package debug to the fixed version: 2.6.9, 3.1.0, 3.2.7, 4.3.1 or remove the package from the image.", + "name": "nodejs-debug: Regular expression Denial of Service", + "osi_layer": "NOT_APPLICABLE", + "references": [ + { + "type": "CVE", + "value": "CVE-2017-16137", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2017-16137", + }, + { + "type": "URL", + "value": "https://access.redhat.com/security/cve/CVE-2017-16137", + }, + { + "type": "URL", + "value": "https://github.com/debug-js/debug/commit/4e2150207c568adb9ead8f4c4528016081c88020", + }, + { + "type": "URL", + "value": "https://github.com/debug-js/debug/commit/71169065b5262f9858ac78cc0b688c84a438f290", + }, + { + "type": "URL", + "value": "https://github.com/debug-js/debug/commit/b6d12fdbc63b483e5c969da33ea6adc09946b5ac", + }, + { + "type": 
"URL", + "value": "https://github.com/debug-js/debug/commit/f53962e944a87e6ca9bb622a2a12dffc22a9bb5a", + }, + { + "type": "URL", + "value": "https://github.com/debug-js/debug/issues/797", + }, + { + "type": "URL", + "value": "https://github.com/visionmedia/debug", + }, + { + "type": "URL", + "value": "https://github.com/visionmedia/debug/issues/501", + }, + { + "type": "URL", + "value": "https://github.com/visionmedia/debug/pull/504", + }, + { + "type": "URL", + "value": "https://lists.apache.org/thread.html/r8ba4c628fba7181af58817d452119481adce4ba92e889c643e4c7dd3%40%3Ccommits.netbeans.apache.org%3E", + }, + { + "type": "URL", + "value": "https://lists.apache.org/thread.html/r8ba4c628fba7181af58817d452119481adce4ba92e889c643e4c7dd3@%3Ccommits.netbeans.apache.org%3E", + }, + { + "type": "URL", + "value": "https://lists.apache.org/thread.html/rb5ac16fad337d1f3bb7079549f97d8166d0ef3082629417c39f12d63%40%3Cnotifications.netbeans.apache.org%3E", + }, + { + "type": "URL", + "value": "https://lists.apache.org/thread.html/rb5ac16fad337d1f3bb7079549f97d8166d0ef3082629417c39f12d63@%3Cnotifications.netbeans.apache.org%3E", + }, + { + "type": "URL", + "value": "https://nodesecurity.io/advisories/534", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2017-16137", + }, + { + "type": "URL", + "value": "https://www.cve.org/CVERecord?id=CVE-2017-16137", + }, + ], + "severity": "LOW", + }, + { + "attributes": { + "fixedVersion": "2.6.9, 3.1.0, 3.2.7, 4.3.1", + "foundIn": "Node.js", + "installedVersion": "4.1.1", + "packageName": "debug", + "references": [ + "https://access.redhat.com/security/cve/CVE-2017-16137", + "https://github.com/debug-js/debug/commit/4e2150207c568adb9ead8f4c4528016081c88020", + "https://github.com/debug-js/debug/commit/71169065b5262f9858ac78cc0b688c84a438f290", + "https://github.com/debug-js/debug/commit/b6d12fdbc63b483e5c969da33ea6adc09946b5ac", + "https://github.com/debug-js/debug/commit/f53962e944a87e6ca9bb622a2a12dffc22a9bb5a", + 
"https://github.com/debug-js/debug/issues/797", + "https://github.com/visionmedia/debug", + "https://github.com/visionmedia/debug/issues/501", + "https://github.com/visionmedia/debug/pull/504", + "https://lists.apache.org/thread.html/r8ba4c628fba7181af58817d452119481adce4ba92e889c643e4c7dd3%40%3Ccommits.netbeans.apache.org%3E", + "https://lists.apache.org/thread.html/r8ba4c628fba7181af58817d452119481adce4ba92e889c643e4c7dd3@%3Ccommits.netbeans.apache.org%3E", + "https://lists.apache.org/thread.html/rb5ac16fad337d1f3bb7079549f97d8166d0ef3082629417c39f12d63%40%3Cnotifications.netbeans.apache.org%3E", + "https://lists.apache.org/thread.html/rb5ac16fad337d1f3bb7079549f97d8166d0ef3082629417c39f12d63@%3Cnotifications.netbeans.apache.org%3E", + "https://nodesecurity.io/advisories/534", + "https://nvd.nist.gov/vuln/detail/CVE-2017-16137", + "https://www.cve.org/CVERecord?id=CVE-2017-16137", + ], + "vulnerabilityId": "CVE-2017-16137", + }, + "category": "NPM Package Vulnerability", + "description": "The debug module is vulnerable to regular expression denial of service when untrusted user input is passed into the o formatter. 
It takes around 50k characters to block for 2 seconds making this a low severity issue.", + "location": "bkimminich/juice-shop:v10.2.0", + "mitigation": "Update the affected package debug to the fixed version: 2.6.9, 3.1.0, 3.2.7, 4.3.1 or remove the package from the image.", + "name": "nodejs-debug: Regular expression Denial of Service", + "osi_layer": "NOT_APPLICABLE", + "references": [ + { + "type": "CVE", + "value": "CVE-2017-16137", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2017-16137", + }, + { + "type": "URL", + "value": "https://access.redhat.com/security/cve/CVE-2017-16137", + }, + { + "type": "URL", + "value": "https://github.com/debug-js/debug/commit/4e2150207c568adb9ead8f4c4528016081c88020", + }, + { + "type": "URL", + "value": "https://github.com/debug-js/debug/commit/71169065b5262f9858ac78cc0b688c84a438f290", + }, + { + "type": "URL", + "value": "https://github.com/debug-js/debug/commit/b6d12fdbc63b483e5c969da33ea6adc09946b5ac", + }, + { + "type": "URL", + "value": "https://github.com/debug-js/debug/commit/f53962e944a87e6ca9bb622a2a12dffc22a9bb5a", + }, + { + "type": "URL", + "value": "https://github.com/debug-js/debug/issues/797", + }, + { + "type": "URL", + "value": "https://github.com/visionmedia/debug", + }, + { + "type": "URL", + "value": "https://github.com/visionmedia/debug/issues/501", + }, + { + "type": "URL", + "value": "https://github.com/visionmedia/debug/pull/504", + }, + { + "type": "URL", + "value": "https://lists.apache.org/thread.html/r8ba4c628fba7181af58817d452119481adce4ba92e889c643e4c7dd3%40%3Ccommits.netbeans.apache.org%3E", + }, + { + "type": "URL", + "value": "https://lists.apache.org/thread.html/r8ba4c628fba7181af58817d452119481adce4ba92e889c643e4c7dd3@%3Ccommits.netbeans.apache.org%3E", + }, + { + "type": "URL", + "value": "https://lists.apache.org/thread.html/rb5ac16fad337d1f3bb7079549f97d8166d0ef3082629417c39f12d63%40%3Cnotifications.netbeans.apache.org%3E", + }, + { + "type": "URL", + 
"value": "https://lists.apache.org/thread.html/rb5ac16fad337d1f3bb7079549f97d8166d0ef3082629417c39f12d63@%3Cnotifications.netbeans.apache.org%3E", + }, + { + "type": "URL", + "value": "https://nodesecurity.io/advisories/534", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2017-16137", + }, + { + "type": "URL", + "value": "https://www.cve.org/CVERecord?id=CVE-2017-16137", + }, + ], + "severity": "LOW", + }, + { + "attributes": { + "fixedVersion": "0.2.1", + "foundIn": "Node.js", + "installedVersion": "0.2.0", + "packageName": "decode-uri-component", + "references": [ + "https://access.redhat.com/errata/RHSA-2023:6316", + "https://access.redhat.com/security/cve/CVE-2022-38900", + "https://bugzilla.redhat.com/2170644", + "https://errata.almalinux.org/9/ALSA-2023-6316.html", + "https://github.com/SamVerschueren/decode-uri-component", + "https://github.com/SamVerschueren/decode-uri-component/commit/746ca5dcb6667c5d364e782d53c542830e4c10b9", + "https://github.com/SamVerschueren/decode-uri-component/issues/5", + "https://github.com/SamVerschueren/decode-uri-component/releases/tag/v0.2.1", + "https://github.com/advisories/GHSA-w573-4hg7-7wgq", + "https://github.com/sindresorhus/query-string/issues/345", + "https://linux.oracle.com/cve/CVE-2022-38900.html", + "https://linux.oracle.com/errata/ELSA-2023-6316.html", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ERN6YE3DS7NBW7UH44SCJBMNC2NWQ7SM/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KAC5KQ2SEWAMQ6UZAUBZ5KXKEOESH375/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QABOUA2I542UTANVZIVFKWMRYVHLV32D/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UW4SCMT3SEUFVIL7YIADQ5K36GJEO6I5/", + 
"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VNV2GNZXOTEDAJRFH3ZYWRUBGIVL7BSU/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ERN6YE3DS7NBW7UH44SCJBMNC2NWQ7SM", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KAC5KQ2SEWAMQ6UZAUBZ5KXKEOESH375", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QABOUA2I542UTANVZIVFKWMRYVHLV32D", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UW4SCMT3SEUFVIL7YIADQ5K36GJEO6I5", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VNV2GNZXOTEDAJRFH3ZYWRUBGIVL7BSU", + "https://nvd.nist.gov/vuln/detail/CVE-2022-38900", + "https://www.cve.org/CVERecord?id=CVE-2022-38900", + ], + "vulnerabilityId": "CVE-2022-38900", + }, + "category": "NPM Package Vulnerability", + "description": "decode-uri-component 0.2.0 is vulnerable to Improper Input Validation resulting in DoS.", + "location": "bkimminich/juice-shop:v10.2.0", + "mitigation": "Update the affected package decode-uri-component to the fixed version: 0.2.1 or remove the package from the image.", + "name": "decode-uri-component: improper input validation resulting in DoS", + "osi_layer": "NOT_APPLICABLE", + "references": [ + { + "type": "CVE", + "value": "CVE-2022-38900", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2022-38900", + }, + { + "type": "URL", + "value": "https://access.redhat.com/errata/RHSA-2023:6316", + }, + { + "type": "URL", + "value": "https://access.redhat.com/security/cve/CVE-2022-38900", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/2170644", + }, + { + "type": "URL", + "value": "https://errata.almalinux.org/9/ALSA-2023-6316.html", + }, + { + "type": "URL", + "value": "https://github.com/SamVerschueren/decode-uri-component", + 
}, + { + "type": "URL", + "value": "https://github.com/SamVerschueren/decode-uri-component/commit/746ca5dcb6667c5d364e782d53c542830e4c10b9", + }, + { + "type": "URL", + "value": "https://github.com/SamVerschueren/decode-uri-component/issues/5", + }, + { + "type": "URL", + "value": "https://github.com/SamVerschueren/decode-uri-component/releases/tag/v0.2.1", + }, + { + "type": "URL", + "value": "https://github.com/advisories/GHSA-w573-4hg7-7wgq", + }, + { + "type": "URL", + "value": "https://github.com/sindresorhus/query-string/issues/345", + }, + { + "type": "URL", + "value": "https://linux.oracle.com/cve/CVE-2022-38900.html", + }, + { + "type": "URL", + "value": "https://linux.oracle.com/errata/ELSA-2023-6316.html", + }, + { + "type": "URL", + "value": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ERN6YE3DS7NBW7UH44SCJBMNC2NWQ7SM/", + }, + { + "type": "URL", + "value": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KAC5KQ2SEWAMQ6UZAUBZ5KXKEOESH375/", + }, + { + "type": "URL", + "value": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QABOUA2I542UTANVZIVFKWMRYVHLV32D/", + }, + { + "type": "URL", + "value": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UW4SCMT3SEUFVIL7YIADQ5K36GJEO6I5/", + }, + { + "type": "URL", + "value": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VNV2GNZXOTEDAJRFH3ZYWRUBGIVL7BSU/", + }, + { + "type": "URL", + "value": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ERN6YE3DS7NBW7UH44SCJBMNC2NWQ7SM", + }, + { + "type": "URL", + "value": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KAC5KQ2SEWAMQ6UZAUBZ5KXKEOESH375", + }, + { + "type": "URL", + "value": 
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QABOUA2I542UTANVZIVFKWMRYVHLV32D", + }, + { + "type": "URL", + "value": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UW4SCMT3SEUFVIL7YIADQ5K36GJEO6I5", + }, + { + "type": "URL", + "value": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VNV2GNZXOTEDAJRFH3ZYWRUBGIVL7BSU", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2022-38900", + }, + { + "type": "URL", + "value": "https://www.cve.org/CVERecord?id=CVE-2022-38900", + }, + ], + "severity": "HIGH", + }, + { + "attributes": { + "fixedVersion": "0.2.1", + "foundIn": "Node.js", + "installedVersion": "0.2.0", + "packageName": "decode-uri-component", + "references": [ + "https://access.redhat.com/errata/RHSA-2023:6316", + "https://access.redhat.com/security/cve/CVE-2022-38900", + "https://bugzilla.redhat.com/2170644", + "https://errata.almalinux.org/9/ALSA-2023-6316.html", + "https://github.com/SamVerschueren/decode-uri-component", + "https://github.com/SamVerschueren/decode-uri-component/commit/746ca5dcb6667c5d364e782d53c542830e4c10b9", + "https://github.com/SamVerschueren/decode-uri-component/issues/5", + "https://github.com/SamVerschueren/decode-uri-component/releases/tag/v0.2.1", + "https://github.com/advisories/GHSA-w573-4hg7-7wgq", + "https://github.com/sindresorhus/query-string/issues/345", + "https://linux.oracle.com/cve/CVE-2022-38900.html", + "https://linux.oracle.com/errata/ELSA-2023-6316.html", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ERN6YE3DS7NBW7UH44SCJBMNC2NWQ7SM/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KAC5KQ2SEWAMQ6UZAUBZ5KXKEOESH375/", + 
"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QABOUA2I542UTANVZIVFKWMRYVHLV32D/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UW4SCMT3SEUFVIL7YIADQ5K36GJEO6I5/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VNV2GNZXOTEDAJRFH3ZYWRUBGIVL7BSU/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ERN6YE3DS7NBW7UH44SCJBMNC2NWQ7SM", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KAC5KQ2SEWAMQ6UZAUBZ5KXKEOESH375", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QABOUA2I542UTANVZIVFKWMRYVHLV32D", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UW4SCMT3SEUFVIL7YIADQ5K36GJEO6I5", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VNV2GNZXOTEDAJRFH3ZYWRUBGIVL7BSU", + "https://nvd.nist.gov/vuln/detail/CVE-2022-38900", + "https://www.cve.org/CVERecord?id=CVE-2022-38900", + ], + "vulnerabilityId": "CVE-2022-38900", + }, + "category": "NPM Package Vulnerability", + "description": "decode-uri-component 0.2.0 is vulnerable to Improper Input Validation resulting in DoS.", + "location": "bkimminich/juice-shop:v10.2.0", + "mitigation": "Update the affected package decode-uri-component to the fixed version: 0.2.1 or remove the package from the image.", + "name": "decode-uri-component: improper input validation resulting in DoS", + "osi_layer": "NOT_APPLICABLE", + "references": [ + { + "type": "CVE", + "value": "CVE-2022-38900", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2022-38900", + }, + { + "type": "URL", + "value": "https://access.redhat.com/errata/RHSA-2023:6316", + }, + { + "type": "URL", + "value": 
"https://access.redhat.com/security/cve/CVE-2022-38900", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/2170644", + }, + { + "type": "URL", + "value": "https://errata.almalinux.org/9/ALSA-2023-6316.html", + }, + { + "type": "URL", + "value": "https://github.com/SamVerschueren/decode-uri-component", + }, + { + "type": "URL", + "value": "https://github.com/SamVerschueren/decode-uri-component/commit/746ca5dcb6667c5d364e782d53c542830e4c10b9", + }, + { + "type": "URL", + "value": "https://github.com/SamVerschueren/decode-uri-component/issues/5", + }, + { + "type": "URL", + "value": "https://github.com/SamVerschueren/decode-uri-component/releases/tag/v0.2.1", + }, + { + "type": "URL", + "value": "https://github.com/advisories/GHSA-w573-4hg7-7wgq", + }, + { + "type": "URL", + "value": "https://github.com/sindresorhus/query-string/issues/345", + }, + { + "type": "URL", + "value": "https://linux.oracle.com/cve/CVE-2022-38900.html", + }, + { + "type": "URL", + "value": "https://linux.oracle.com/errata/ELSA-2023-6316.html", + }, + { + "type": "URL", + "value": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ERN6YE3DS7NBW7UH44SCJBMNC2NWQ7SM/", + }, + { + "type": "URL", + "value": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KAC5KQ2SEWAMQ6UZAUBZ5KXKEOESH375/", + }, + { + "type": "URL", + "value": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QABOUA2I542UTANVZIVFKWMRYVHLV32D/", + }, + { + "type": "URL", + "value": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UW4SCMT3SEUFVIL7YIADQ5K36GJEO6I5/", + }, + { + "type": "URL", + "value": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VNV2GNZXOTEDAJRFH3ZYWRUBGIVL7BSU/", + }, + { + "type": "URL", + "value": 
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ERN6YE3DS7NBW7UH44SCJBMNC2NWQ7SM", + }, + { + "type": "URL", + "value": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KAC5KQ2SEWAMQ6UZAUBZ5KXKEOESH375", + }, + { + "type": "URL", + "value": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QABOUA2I542UTANVZIVFKWMRYVHLV32D", + }, + { + "type": "URL", + "value": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UW4SCMT3SEUFVIL7YIADQ5K36GJEO6I5", + }, + { + "type": "URL", + "value": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VNV2GNZXOTEDAJRFH3ZYWRUBGIVL7BSU", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2022-38900", + }, + { + "type": "URL", + "value": "https://www.cve.org/CVERecord?id=CVE-2022-38900", + }, + ], + "severity": "HIGH", + }, + { + "attributes": { + "fixedVersion": undefined, + "foundIn": "Node.js", + "installedVersion": "0.2.5", + "packageName": "dicer", + "references": [ + "https://access.redhat.com/security/cve/CVE-2022-24434", + "https://github.com/advisories/GHSA-wm7h-9275-46v2", + "https://github.com/mscdex/busboy/issues/250", + "https://github.com/mscdex/dicer", + "https://github.com/mscdex/dicer/commit/b7fca2e93e8e9d4439d8acc5c02f5e54a0112dac", + "https://github.com/mscdex/dicer/pull/22", + "https://github.com/mscdex/dicer/pull/22/commits/b7fca2e93e8e9d4439d8acc5c02f5e54a0112dac", + "https://nvd.nist.gov/vuln/detail/CVE-2022-24434", + "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-2838865", + "https://snyk.io/vuln/SNYK-JS-DICER-2311764", + "https://www.cve.org/CVERecord?id=CVE-2022-24434", + ], + "vulnerabilityId": "CVE-2022-24434", + }, + "category": "NPM Package Vulnerability", + "description": "This affects all versions of package dicer. 
A malicious attacker can send a modified form to server, and crash the nodejs service. An attacker could sent the payload again and again so that the service continuously crashes.", + "location": "bkimminich/juice-shop:v10.2.0", + "mitigation": "Update the affected package dicer to the fixed version: undefined or remove the package from the image.", + "name": "dicer: nodejs service crash by sending a crafted payload", + "osi_layer": "NOT_APPLICABLE", + "references": [ + { + "type": "CVE", + "value": "CVE-2022-24434", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2022-24434", + }, + { + "type": "URL", + "value": "https://access.redhat.com/security/cve/CVE-2022-24434", + }, + { + "type": "URL", + "value": "https://github.com/advisories/GHSA-wm7h-9275-46v2", + }, + { + "type": "URL", + "value": "https://github.com/mscdex/busboy/issues/250", + }, + { + "type": "URL", + "value": "https://github.com/mscdex/dicer", + }, + { + "type": "URL", + "value": "https://github.com/mscdex/dicer/commit/b7fca2e93e8e9d4439d8acc5c02f5e54a0112dac", + }, + { + "type": "URL", + "value": "https://github.com/mscdex/dicer/pull/22", + }, + { + "type": "URL", + "value": "https://github.com/mscdex/dicer/pull/22/commits/b7fca2e93e8e9d4439d8acc5c02f5e54a0112dac", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2022-24434", + }, + { + "type": "URL", + "value": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-2838865", + }, + { + "type": "URL", + "value": "https://snyk.io/vuln/SNYK-JS-DICER-2311764", + }, + { + "type": "URL", + "value": "https://www.cve.org/CVERecord?id=CVE-2022-24434", + }, + ], + "severity": "HIGH", + }, + { + "attributes": { + "fixedVersion": "3.5.0", + "foundIn": "Node.js", + "installedVersion": "1.0.2", + "packageName": "diff", + "references": [ + "https://bugzilla.redhat.com/show_bug.cgi?id=1552148", + "https://github.com/kpdecker/jsdiff/commit/2aec4298639bf30fb88a00b356bf404d3551b8c0", + 
"https://snyk.io/vuln/npm:diff:20180305", + "https://www.npmjs.com/advisories/1631", + "https://www.whitesourcesoftware.com/vulnerability-database/WS-2018-0590", + ], + "vulnerabilityId": "GHSA-h6ch-v84p-w6p9", + }, + "category": "NPM Package Vulnerability", + "description": "A vulnerability was found in diff before v3.5.0, the affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) attacks.", + "location": "bkimminich/juice-shop:v10.2.0", + "mitigation": "Update the affected package diff to the fixed version: 3.5.0 or remove the package from the image.", + "name": "Regular Expression Denial of Service (ReDoS)", + "osi_layer": "NOT_APPLICABLE", + "references": [ + { + "type": "URL", + "value": "https://bugzilla.redhat.com/show_bug.cgi?id=1552148", + }, + { + "type": "URL", + "value": "https://github.com/kpdecker/jsdiff/commit/2aec4298639bf30fb88a00b356bf404d3551b8c0", + }, + { + "type": "URL", + "value": "https://snyk.io/vuln/npm:diff:20180305", + }, + { + "type": "URL", + "value": "https://www.npmjs.com/advisories/1631", + }, + { + "type": "URL", + "value": "https://www.whitesourcesoftware.com/vulnerability-database/WS-2018-0590", + }, + ], + "severity": "HIGH", + }, + { + "attributes": { + "fixedVersion": "4.2.1, 5.1.1", + "foundIn": "Node.js", + "installedVersion": "4.2.0", + "packageName": "dot-prop", + "references": [ + "https://access.redhat.com/security/cve/CVE-2020-8116", + "https://errata.almalinux.org/8/ALSA-2021-0548.html", + "https://github.com/advisories/GHSA-ff7x-qrg7-qggm", + "https://github.com/sindresorhus/dot-prop", + "https://github.com/sindresorhus/dot-prop/commit/3039c8c07f6fdaa8b595ec869ae0895686a7a0f2", + "https://github.com/sindresorhus/dot-prop/commit/c914124f418f55edea27928e89c94d931babe587", + "https://github.com/sindresorhus/dot-prop/issues/63", + "https://github.com/sindresorhus/dot-prop/tree/v4", + "https://hackerone.com/reports/719856", + "https://linux.oracle.com/cve/CVE-2020-8116.html", + 
"https://linux.oracle.com/errata/ELSA-2021-0548.html", + "https://nvd.nist.gov/vuln/detail/CVE-2020-8116", + "https://www.cve.org/CVERecord?id=CVE-2020-8116", + ], + "vulnerabilityId": "CVE-2020-8116", + }, + "category": "NPM Package Vulnerability", + "description": "Prototype pollution vulnerability in dot-prop npm package versions before 4.2.1 and versions 5.x before 5.1.1 allows an attacker to add arbitrary properties to JavaScript language constructs such as objects.", + "location": "bkimminich/juice-shop:v10.2.0", + "mitigation": "Update the affected package dot-prop to the fixed version: 4.2.1, 5.1.1 or remove the package from the image.", + "name": "nodejs-dot-prop: prototype pollution", + "osi_layer": "NOT_APPLICABLE", + "references": [ + { + "type": "CVE", + "value": "CVE-2020-8116", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2020-8116", + }, + { + "type": "URL", + "value": "https://access.redhat.com/security/cve/CVE-2020-8116", + }, + { + "type": "URL", + "value": "https://errata.almalinux.org/8/ALSA-2021-0548.html", + }, + { + "type": "URL", + "value": "https://github.com/advisories/GHSA-ff7x-qrg7-qggm", + }, + { + "type": "URL", + "value": "https://github.com/sindresorhus/dot-prop", + }, + { + "type": "URL", + "value": "https://github.com/sindresorhus/dot-prop/commit/3039c8c07f6fdaa8b595ec869ae0895686a7a0f2", + }, + { + "type": "URL", + "value": "https://github.com/sindresorhus/dot-prop/commit/c914124f418f55edea27928e89c94d931babe587", + }, + { + "type": "URL", + "value": "https://github.com/sindresorhus/dot-prop/issues/63", + }, + { + "type": "URL", + "value": "https://github.com/sindresorhus/dot-prop/tree/v4", + }, + { + "type": "URL", + "value": "https://hackerone.com/reports/719856", + }, + { + "type": "URL", + "value": "https://linux.oracle.com/cve/CVE-2020-8116.html", + }, + { + "type": "URL", + "value": "https://linux.oracle.com/errata/ELSA-2021-0548.html", + }, + { + "type": "URL", + "value": 
"https://nvd.nist.gov/vuln/detail/CVE-2020-8116", + }, + { + "type": "URL", + "value": "https://www.cve.org/CVERecord?id=CVE-2020-8116", + }, + ], + "severity": "HIGH", + }, + { + "attributes": { + "fixedVersion": "2.0.4", + "foundIn": "Node.js", + "installedVersion": "2.0.2", + "packageName": "dottie", + "references": [ + "https://github.com/mickhansen/dottie.js", + "https://github.com/mickhansen/dottie.js/blob/b48e22714aae4489ea6276452f22cc61980ba5a4/dottie.js#L107", + "https://github.com/mickhansen/dottie.js/blob/b48e22714aae4489ea6276452f22cc61980ba5a4/dottie.js%23L107", + "https://github.com/mickhansen/dottie.js/commit/7d3aee1c9c3c842720506e131de7e181e5c8db68", + "https://nvd.nist.gov/vuln/detail/CVE-2023-26132", + "https://security.snyk.io/vuln/SNYK-JS-DOTTIE-3332763", + "https://www.cve.org/CVERecord?id=CVE-2023-26132", + ], + "vulnerabilityId": "CVE-2023-26132", + }, + "category": "NPM Package Vulnerability", + "description": "Versions of the package dottie before 2.0.4 are vulnerable to Prototype Pollution due to insufficient checks, via the set() function and the current variable in the /dottie.js file.", + "location": "bkimminich/juice-shop:v10.2.0", + "mitigation": "Update the affected package dottie to the fixed version: 2.0.4 or remove the package from the image.", + "name": "Versions of the package dottie before 2.0.4 are vulnerable to Prototyp ...", + "osi_layer": "NOT_APPLICABLE", + "references": [ + { + "type": "CVE", + "value": "CVE-2023-26132", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2023-26132", + }, + { + "type": "URL", + "value": "https://github.com/mickhansen/dottie.js", + }, + { + "type": "URL", + "value": "https://github.com/mickhansen/dottie.js/blob/b48e22714aae4489ea6276452f22cc61980ba5a4/dottie.js#L107", + }, + { + "type": "URL", + "value": "https://github.com/mickhansen/dottie.js/blob/b48e22714aae4489ea6276452f22cc61980ba5a4/dottie.js%23L107", + }, + { + "type": "URL", + "value": 
"https://github.com/mickhansen/dottie.js/commit/7d3aee1c9c3c842720506e131de7e181e5c8db68", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2023-26132", + }, + { + "type": "URL", + "value": "https://security.snyk.io/vuln/SNYK-JS-DOTTIE-3332763", + }, + { + "type": "URL", + "value": "https://www.cve.org/CVERecord?id=CVE-2023-26132", + }, + ], + "severity": "HIGH", + }, + { + "attributes": { + "fixedVersion": "3.6.0", + "foundIn": "Node.js", + "installedVersion": "3.4.1", + "packageName": "engine.io", + "references": [ + "https://access.redhat.com/security/cve/CVE-2020-36048", + "https://blog.caller.xyz/socketio-engineio-dos", + "https://blog.caller.xyz/socketio-engineio-dos/", + "https://github.com/bcaller/kill-engine-io", + "https://github.com/socketio/engine.io", + "https://github.com/socketio/engine.io/commit/734f9d1268840722c41219e69eb58318e0b2ac6b", + "https://nvd.nist.gov/vuln/detail/CVE-2020-36048", + "https://snyk.io/vuln/SNYK-JS-ENGINEIO-1056749", + "https://www.cve.org/CVERecord?id=CVE-2020-36048", + ], + "vulnerabilityId": "CVE-2020-36048", + }, + "category": "NPM Package Vulnerability", + "description": "Engine.IO before 4.0.0 allows attackers to cause a denial of service (resource consumption) via a POST request to the long polling transport.", + "location": "bkimminich/juice-shop:v10.2.0", + "mitigation": "Update the affected package engine.io to the fixed version: 3.6.0 or remove the package from the image.", + "name": "yarnpkg-socket.io/engine.io: allows attackers to cause a denial of service (resource consumption) via a POST request to the long polling transport", + "osi_layer": "NOT_APPLICABLE", + "references": [ + { + "type": "CVE", + "value": "CVE-2020-36048", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2020-36048", + }, + { + "type": "URL", + "value": "https://access.redhat.com/security/cve/CVE-2020-36048", + }, + { + "type": "URL", + "value": 
"https://blog.caller.xyz/socketio-engineio-dos", + }, + { + "type": "URL", + "value": "https://blog.caller.xyz/socketio-engineio-dos/", + }, + { + "type": "URL", + "value": "https://github.com/bcaller/kill-engine-io", + }, + { + "type": "URL", + "value": "https://github.com/socketio/engine.io", + }, + { + "type": "URL", + "value": "https://github.com/socketio/engine.io/commit/734f9d1268840722c41219e69eb58318e0b2ac6b", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2020-36048", + }, + { + "type": "URL", + "value": "https://snyk.io/vuln/SNYK-JS-ENGINEIO-1056749", + }, + { + "type": "URL", + "value": "https://www.cve.org/CVERecord?id=CVE-2020-36048", + }, + ], + "severity": "HIGH", + }, + { + "attributes": { + "fixedVersion": "3.6.1, 6.2.1", + "foundIn": "Node.js", + "installedVersion": "3.4.1", + "packageName": "engine.io", + "references": [ + "https://access.redhat.com/security/cve/CVE-2022-41940", + "https://github.com/socketio/engine.io", + "https://github.com/socketio/engine.io/commit/425e833ab13373edf1dd5a0706f07100db14e3c6", + "https://github.com/socketio/engine.io/commit/83c4071af871fc188298d7d591e95670bf9f9085", + "https://github.com/socketio/engine.io/security/advisories/GHSA-r7qp-cfhv-p84w", + "https://nvd.nist.gov/vuln/detail/CVE-2022-41940", + "https://www.cve.org/CVERecord?id=CVE-2022-41940", + ], + "vulnerabilityId": "CVE-2022-41940", + }, + "category": "NPM Package Vulnerability", + "description": "Engine.IO is the implementation of transport-based cross-browser/cross-device bi-directional communication layer for Socket.IO. A specially crafted HTTP request can trigger an uncaught exception on the Engine.IO server, thus killing the Node.js process. This impacts all the users of the engine.io package, including those who uses depending packages like socket.io. There is no known workaround except upgrading to a safe version. 
There are patches for this issue released in versions 3.6.1 and 6.2.1.", + "location": "bkimminich/juice-shop:v10.2.0", + "mitigation": "Update the affected package engine.io to the fixed version: 3.6.1, 6.2.1 or remove the package from the image.", + "name": "engine.io: Specially crafted HTTP request can trigger an uncaught exception", + "osi_layer": "NOT_APPLICABLE", + "references": [ + { + "type": "CVE", + "value": "CVE-2022-41940", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2022-41940", + }, + { + "type": "URL", + "value": "https://access.redhat.com/security/cve/CVE-2022-41940", + }, + { + "type": "URL", + "value": "https://github.com/socketio/engine.io", + }, + { + "type": "URL", + "value": "https://github.com/socketio/engine.io/commit/425e833ab13373edf1dd5a0706f07100db14e3c6", + }, + { + "type": "URL", + "value": "https://github.com/socketio/engine.io/commit/83c4071af871fc188298d7d591e95670bf9f9085", + }, + { + "type": "URL", + "value": "https://github.com/socketio/engine.io/security/advisories/GHSA-r7qp-cfhv-p84w", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2022-41940", + }, + { + "type": "URL", + "value": "https://www.cve.org/CVERecord?id=CVE-2022-41940", + }, + ], + "severity": "MEDIUM", + }, + { + "attributes": { + "fixedVersion": "0.10.63", + "foundIn": "Node.js", + "installedVersion": "0.10.53", + "packageName": "es5-ext", + "references": [ + "https://github.com/medikoo/es5-ext", + "https://github.com/medikoo/es5-ext/commit/3551cdd7b2db08b1632841f819d008757d28e8e2", + "https://github.com/medikoo/es5-ext/commit/a52e95736690ad1d465ebcd9791d54570e294602", + "https://github.com/medikoo/es5-ext/issues/201", + "https://github.com/medikoo/es5-ext/security/advisories/GHSA-4gmj-3p3h-gm8h", + "https://nvd.nist.gov/vuln/detail/CVE-2024-27088", + ], + "vulnerabilityId": "CVE-2024-27088", + }, + "category": "NPM Package Vulnerability", + "description": "es5-ext contains ECMAScript 5 extensions. 
Passing functions with very long names or complex default argument names into \`function#copy\` or \`function#toStringTokens\` may cause the script to stall. The vulnerability is patched in v0.10.63.", + "location": "bkimminich/juice-shop:v10.2.0", + "mitigation": "Update the affected package es5-ext to the fixed version: 0.10.63 or remove the package from the image.", + "name": "es5-ext contains ECMAScript 5 extensions. Passing functions with very ...", + "osi_layer": "NOT_APPLICABLE", + "references": [ + { + "type": "CVE", + "value": "CVE-2024-27088", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2024-27088", + }, + { + "type": "URL", + "value": "https://github.com/medikoo/es5-ext", + }, + { + "type": "URL", + "value": "https://github.com/medikoo/es5-ext/commit/3551cdd7b2db08b1632841f819d008757d28e8e2", + }, + { + "type": "URL", + "value": "https://github.com/medikoo/es5-ext/commit/a52e95736690ad1d465ebcd9791d54570e294602", + }, + { + "type": "URL", + "value": "https://github.com/medikoo/es5-ext/issues/201", + }, + { + "type": "URL", + "value": "https://github.com/medikoo/es5-ext/security/advisories/GHSA-4gmj-3p3h-gm8h", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2024-27088", + }, + ], + "severity": "LOW", + }, + { + "attributes": { + "fixedVersion": "4.19.2, 5.0.0-beta.3", + "foundIn": "Node.js", + "installedVersion": "4.17.1", + "packageName": "express", + "references": [ + "https://access.redhat.com/security/cve/CVE-2024-29041", + "https://expressjs.com/en/4x/api.html#res.location", + "https://github.com/expressjs/express", + "https://github.com/expressjs/express/commit/0867302ddbde0e9463d0564fea5861feb708c2dd", + "https://github.com/expressjs/express/commit/0b746953c4bd8e377123527db11f9cd866e39f94", + "https://github.com/expressjs/express/pull/5539", + "https://github.com/expressjs/express/security/advisories/GHSA-rv95-896h-c2vc", + "https://github.com/koajs/koa/issues/1800", + 
"https://nvd.nist.gov/vuln/detail/CVE-2024-29041", + "https://www.cve.org/CVERecord?id=CVE-2024-29041", + ], + "vulnerabilityId": "CVE-2024-29041", + }, + "category": "NPM Package Vulnerability", + "description": "Express.js minimalist web framework for node. Versions of Express.js prior to 4.19.0 and all pre-release alpha and beta versions of 5.0 are affected by an open redirect vulnerability using malformed URLs. When a user of Express performs a redirect using a user-provided URL Express performs an encode [using \`encodeurl\`](https://github.com/pillarjs/encodeurl) on the contents before passing it to the \`location\` header. This can cause malformed URLs to be evaluated in unexpected ways by common redirect allow list implementations in Express applications, leading to an Open Redirect via bypass of a properly implemented allow list. The main method impacted is \`res.location()\` but this is also called from within \`res.redirect()\`. The vulnerability is fixed in 4.19.2 and 5.0.0-beta.3.", + "location": "bkimminich/juice-shop:v10.2.0", + "mitigation": "Update the affected package express to the fixed version: 4.19.2, 5.0.0-beta.3 or remove the package from the image.", + "name": "express: cause malformed URLs to be evaluated", + "osi_layer": "NOT_APPLICABLE", + "references": [ + { + "type": "CVE", + "value": "CVE-2024-29041", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2024-29041", + }, + { + "type": "URL", + "value": "https://access.redhat.com/security/cve/CVE-2024-29041", + }, + { + "type": "URL", + "value": "https://expressjs.com/en/4x/api.html#res.location", + }, + { + "type": "URL", + "value": "https://github.com/expressjs/express", + }, + { + "type": "URL", + "value": "https://github.com/expressjs/express/commit/0867302ddbde0e9463d0564fea5861feb708c2dd", + }, + { + "type": "URL", + "value": "https://github.com/expressjs/express/commit/0b746953c4bd8e377123527db11f9cd866e39f94", + }, + { + "type": "URL", + "value": 
"https://github.com/expressjs/express/pull/5539", + }, + { + "type": "URL", + "value": "https://github.com/expressjs/express/security/advisories/GHSA-rv95-896h-c2vc", + }, + { + "type": "URL", + "value": "https://github.com/koajs/koa/issues/1800", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2024-29041", + }, + { + "type": "URL", + "value": "https://www.cve.org/CVERecord?id=CVE-2024-29041", + }, + ], + "severity": "MEDIUM", + }, + { + "attributes": { + "fixedVersion": "4.20.0, 5.0.0", + "foundIn": "Node.js", + "installedVersion": "4.17.1", + "packageName": "express", + "references": [ + "https://access.redhat.com/security/cve/CVE-2024-43796", + "https://github.com/expressjs/express", + "https://github.com/expressjs/express/commit/54271f69b511fea198471e6ff3400ab805d6b553", + "https://github.com/expressjs/express/security/advisories/GHSA-qw6h-vgh9-j6wx", + "https://nvd.nist.gov/vuln/detail/CVE-2024-43796", + "https://www.cve.org/CVERecord?id=CVE-2024-43796", + ], + "vulnerabilityId": "CVE-2024-43796", + }, + "category": "NPM Package Vulnerability", + "description": "Express.js minimalist web framework for node. In express < 4.20.0, passing untrusted user input - even after sanitizing it - to response.redirect() may execute untrusted code. 
This issue is patched in express 4.20.0.", + "location": "bkimminich/juice-shop:v10.2.0", + "mitigation": "Update the affected package express to the fixed version: 4.20.0, 5.0.0 or remove the package from the image.", + "name": "express: Improper Input Handling in Express Redirects", + "osi_layer": "NOT_APPLICABLE", + "references": [ + { + "type": "CVE", + "value": "CVE-2024-43796", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2024-43796", + }, + { + "type": "URL", + "value": "https://access.redhat.com/security/cve/CVE-2024-43796", + }, + { + "type": "URL", + "value": "https://github.com/expressjs/express", + }, + { + "type": "URL", + "value": "https://github.com/expressjs/express/commit/54271f69b511fea198471e6ff3400ab805d6b553", + }, + { + "type": "URL", + "value": "https://github.com/expressjs/express/security/advisories/GHSA-qw6h-vgh9-j6wx", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2024-43796", + }, + { + "type": "URL", + "value": "https://www.cve.org/CVERecord?id=CVE-2024-43796", + }, + ], + "severity": "MEDIUM", + }, + { + "attributes": { + "fixedVersion": "6.0.0", + "foundIn": "Node.js", + "installedVersion": "0.1.3", + "packageName": "express-jwt", + "references": [ + "https://github.com/auth0/express-jwt/commit/7ecab5f8f0cab5297c2b863596566eb0c019cdef", + "https://github.com/auth0/express-jwt/security/advisories/GHSA-6g6m-m6h5-w9gf", + "https://nvd.nist.gov/vuln/detail/CVE-2020-15084", + ], + "vulnerabilityId": "CVE-2020-15084", + }, + "category": "NPM Package Vulnerability", + "description": "In express-jwt (NPM package) up and including version 5.3.3, the algorithms entry to be specified in the configuration is not being enforced. When algorithms is not specified in the configuration, with the combination of jwks-rsa, it may lead to authorization bypass. 
You are affected by this vulnerability if all of the following conditions apply: - You are using express-jwt - You do not have **algorithms** configured in your express-jwt configuration. - You are using libraries such as jwks-rsa as the **secret**. You can fix this by specifying **algorithms** in the express-jwt configuration. See linked GHSA for example. This is also fixed in version 6.0.0.", + "location": "bkimminich/juice-shop:v10.2.0", + "mitigation": "Update the affected package express-jwt to the fixed version: 6.0.0 or remove the package from the image.", + "name": "Authorization bypass in express-jwt", + "osi_layer": "NOT_APPLICABLE", + "references": [ + { + "type": "CVE", + "value": "CVE-2020-15084", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2020-15084", + }, + { + "type": "URL", + "value": "https://github.com/auth0/express-jwt/commit/7ecab5f8f0cab5297c2b863596566eb0c019cdef", + }, + { + "type": "URL", + "value": "https://github.com/auth0/express-jwt/security/advisories/GHSA-6g6m-m6h5-w9gf", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2020-15084", + }, + ], + "severity": "HIGH", + }, + { + "attributes": { + "fixedVersion": "1.0.0", + "foundIn": "Node.js", + "installedVersion": "0.1.0", + "packageName": "getobject", + "references": [ + "https://access.redhat.com/security/cve/CVE-2020-28282", + "https://github.com/cowboy/node-getobject", + "https://github.com/cowboy/node-getobject/blob/aba04a8e1d6180eb39eff09990c3a43886ba8937/lib/getobject.js#L48", + "https://github.com/cowboy/node-getobject/commit/84071748fa407caa8f824e0d0b9c1cde9ec56633 (v1.0.0)", + "https://nvd.nist.gov/vuln/detail/CVE-2020-28282", + "https://www.cve.org/CVERecord?id=CVE-2020-28282", + "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2020-28282", + ], + "vulnerabilityId": "CVE-2020-28282", + }, + "category": "NPM Package Vulnerability", + "description": "Prototype pollution vulnerability in 'getobject' version 
0.1.0 allows an attacker to cause a denial of service and may lead to remote code execution.", + "location": "bkimminich/juice-shop:v10.2.0", + "mitigation": "Update the affected package getobject to the fixed version: 1.0.0 or remove the package from the image.", + "name": "nodejs-getobject: Prototype pollution could result in DoS and RCE", + "osi_layer": "NOT_APPLICABLE", + "references": [ + { + "type": "CVE", + "value": "CVE-2020-28282", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2020-28282", + }, + { + "type": "URL", + "value": "https://access.redhat.com/security/cve/CVE-2020-28282", + }, + { + "type": "URL", + "value": "https://github.com/cowboy/node-getobject", + }, + { + "type": "URL", + "value": "https://github.com/cowboy/node-getobject/blob/aba04a8e1d6180eb39eff09990c3a43886ba8937/lib/getobject.js#L48", + }, + { + "type": "URL", + "value": "https://github.com/cowboy/node-getobject/commit/84071748fa407caa8f824e0d0b9c1cde9ec56633 (v1.0.0)", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2020-28282", + }, + { + "type": "URL", + "value": "https://www.cve.org/CVERecord?id=CVE-2020-28282", + }, + { + "type": "URL", + "value": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2020-28282", + }, + ], + "severity": "HIGH", + }, + { + "attributes": { + "fixedVersion": "12.1.0, 11.8.5", + "foundIn": "Node.js", + "installedVersion": "6.7.1", + "packageName": "got", + "references": [ + "https://access.redhat.com/errata/RHSA-2022:6595", + "https://access.redhat.com/security/cve/CVE-2022-33987", + "https://bugzilla.redhat.com/1907444", + "https://bugzilla.redhat.com/1945459", + "https://bugzilla.redhat.com/1964461", + "https://bugzilla.redhat.com/2007557", + "https://bugzilla.redhat.com/2098556", + "https://bugzilla.redhat.com/2102001", + "https://bugzilla.redhat.com/2105422", + "https://bugzilla.redhat.com/2105426", + "https://bugzilla.redhat.com/2105428", + "https://bugzilla.redhat.com/2105430", + 
"https://errata.almalinux.org/9/ALSA-2022-6595.html", + "https://github.com/sindresorhus/got", + "https://github.com/sindresorhus/got/commit/861ccd9ac2237df762a9e2beed7edd88c60782dc", + "https://github.com/sindresorhus/got/compare/v12.0.3...v12.1.0", + "https://github.com/sindresorhus/got/pull/2047", + "https://github.com/sindresorhus/got/releases/tag/v11.8.5", + "https://github.com/sindresorhus/got/releases/tag/v12.1.0", + "https://linux.oracle.com/cve/CVE-2022-33987.html", + "https://linux.oracle.com/errata/ELSA-2022-6595.html", + "https://nvd.nist.gov/vuln/detail/CVE-2022-33987", + "https://www.cve.org/CVERecord?id=CVE-2022-33987", + ], + "vulnerabilityId": "CVE-2022-33987", + }, + "category": "NPM Package Vulnerability", + "description": "The got package before 12.1.0 (also fixed in 11.8.5) for Node.js allows a redirect to a UNIX socket.", + "location": "bkimminich/juice-shop:v10.2.0", + "mitigation": "Update the affected package got to the fixed version: 12.1.0, 11.8.5 or remove the package from the image.", + "name": "nodejs-got: missing verification of requested URLs allows redirects to UNIX sockets", + "osi_layer": "NOT_APPLICABLE", + "references": [ + { + "type": "CVE", + "value": "CVE-2022-33987", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2022-33987", + }, + { + "type": "URL", + "value": "https://access.redhat.com/errata/RHSA-2022:6595", + }, + { + "type": "URL", + "value": "https://access.redhat.com/security/cve/CVE-2022-33987", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/1907444", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/1945459", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/1964461", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/2007557", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/2098556", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/2102001", + }, + { + "type": "URL", + "value": 
"https://bugzilla.redhat.com/2105422", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/2105426", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/2105428", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/2105430", + }, + { + "type": "URL", + "value": "https://errata.almalinux.org/9/ALSA-2022-6595.html", + }, + { + "type": "URL", + "value": "https://github.com/sindresorhus/got", + }, + { + "type": "URL", + "value": "https://github.com/sindresorhus/got/commit/861ccd9ac2237df762a9e2beed7edd88c60782dc", + }, + { + "type": "URL", + "value": "https://github.com/sindresorhus/got/compare/v12.0.3...v12.1.0", + }, + { + "type": "URL", + "value": "https://github.com/sindresorhus/got/pull/2047", + }, + { + "type": "URL", + "value": "https://github.com/sindresorhus/got/releases/tag/v11.8.5", + }, + { + "type": "URL", + "value": "https://github.com/sindresorhus/got/releases/tag/v12.1.0", + }, + { + "type": "URL", + "value": "https://linux.oracle.com/cve/CVE-2022-33987.html", + }, + { + "type": "URL", + "value": "https://linux.oracle.com/errata/ELSA-2022-6595.html", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2022-33987", + }, + { + "type": "URL", + "value": "https://www.cve.org/CVERecord?id=CVE-2022-33987", + }, + ], + "severity": "MEDIUM", + }, + { + "attributes": { + "fixedVersion": "12.1.0, 11.8.5", + "foundIn": "Node.js", + "installedVersion": "8.3.2", + "packageName": "got", + "references": [ + "https://access.redhat.com/errata/RHSA-2022:6595", + "https://access.redhat.com/security/cve/CVE-2022-33987", + "https://bugzilla.redhat.com/1907444", + "https://bugzilla.redhat.com/1945459", + "https://bugzilla.redhat.com/1964461", + "https://bugzilla.redhat.com/2007557", + "https://bugzilla.redhat.com/2098556", + "https://bugzilla.redhat.com/2102001", + "https://bugzilla.redhat.com/2105422", + "https://bugzilla.redhat.com/2105426", + "https://bugzilla.redhat.com/2105428", + 
"https://bugzilla.redhat.com/2105430", + "https://errata.almalinux.org/9/ALSA-2022-6595.html", + "https://github.com/sindresorhus/got", + "https://github.com/sindresorhus/got/commit/861ccd9ac2237df762a9e2beed7edd88c60782dc", + "https://github.com/sindresorhus/got/compare/v12.0.3...v12.1.0", + "https://github.com/sindresorhus/got/pull/2047", + "https://github.com/sindresorhus/got/releases/tag/v11.8.5", + "https://github.com/sindresorhus/got/releases/tag/v12.1.0", + "https://linux.oracle.com/cve/CVE-2022-33987.html", + "https://linux.oracle.com/errata/ELSA-2022-6595.html", + "https://nvd.nist.gov/vuln/detail/CVE-2022-33987", + "https://www.cve.org/CVERecord?id=CVE-2022-33987", + ], + "vulnerabilityId": "CVE-2022-33987", + }, + "category": "NPM Package Vulnerability", + "description": "The got package before 12.1.0 (also fixed in 11.8.5) for Node.js allows a redirect to a UNIX socket.", + "location": "bkimminich/juice-shop:v10.2.0", + "mitigation": "Update the affected package got to the fixed version: 12.1.0, 11.8.5 or remove the package from the image.", + "name": "nodejs-got: missing verification of requested URLs allows redirects to UNIX sockets", + "osi_layer": "NOT_APPLICABLE", + "references": [ + { + "type": "CVE", + "value": "CVE-2022-33987", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2022-33987", + }, + { + "type": "URL", + "value": "https://access.redhat.com/errata/RHSA-2022:6595", + }, + { + "type": "URL", + "value": "https://access.redhat.com/security/cve/CVE-2022-33987", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/1907444", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/1945459", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/1964461", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/2007557", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/2098556", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/2102001", + }, 
+ { + "type": "URL", + "value": "https://bugzilla.redhat.com/2105422", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/2105426", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/2105428", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/2105430", + }, + { + "type": "URL", + "value": "https://errata.almalinux.org/9/ALSA-2022-6595.html", + }, + { + "type": "URL", + "value": "https://github.com/sindresorhus/got", + }, + { + "type": "URL", + "value": "https://github.com/sindresorhus/got/commit/861ccd9ac2237df762a9e2beed7edd88c60782dc", + }, + { + "type": "URL", + "value": "https://github.com/sindresorhus/got/compare/v12.0.3...v12.1.0", + }, + { + "type": "URL", + "value": "https://github.com/sindresorhus/got/pull/2047", + }, + { + "type": "URL", + "value": "https://github.com/sindresorhus/got/releases/tag/v11.8.5", + }, + { + "type": "URL", + "value": "https://github.com/sindresorhus/got/releases/tag/v12.1.0", + }, + { + "type": "URL", + "value": "https://linux.oracle.com/cve/CVE-2022-33987.html", + }, + { + "type": "URL", + "value": "https://linux.oracle.com/errata/ELSA-2022-6595.html", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2022-33987", + }, + { + "type": "URL", + "value": "https://www.cve.org/CVERecord?id=CVE-2022-33987", + }, + ], + "severity": "MEDIUM", + }, + { + "attributes": { + "fixedVersion": "1.10.0", + "foundIn": "Node.js", + "installedVersion": "1.5.1", + "packageName": "growl", + "references": [ + "https://access.redhat.com/security/cve/CVE-2017-16042", + "https://github.com/tj/node-growl", + "https://github.com/tj/node-growl/commit/d71177d5331c9de4658aca62e0ac921f178b0669", + "https://github.com/tj/node-growl/issues/60", + "https://github.com/tj/node-growl/pull/61", + "https://github.com/tj/node-growl/pull/62", + "https://nodesecurity.io/advisories/146", + "https://nvd.nist.gov/vuln/detail/CVE-2017-16042", + "https://www.cve.org/CVERecord?id=CVE-2017-16042", + 
"https://www.npmjs.com/advisories/146", + ], + "vulnerabilityId": "CVE-2017-16042", + }, + "category": "NPM Package Vulnerability", + "description": "Growl adds growl notification support to nodejs. Growl before 1.10.2 does not properly sanitize input before passing it to exec, allowing for arbitrary command execution.", + "location": "bkimminich/juice-shop:v10.2.0", + "mitigation": "Update the affected package growl to the fixed version: 1.10.0 or remove the package from the image.", + "name": "nodejs-growl: Does not properly sanitize input before passing it to exec", + "osi_layer": "NOT_APPLICABLE", + "references": [ + { + "type": "CVE", + "value": "CVE-2017-16042", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2017-16042", + }, + { + "type": "URL", + "value": "https://access.redhat.com/security/cve/CVE-2017-16042", + }, + { + "type": "URL", + "value": "https://github.com/tj/node-growl", + }, + { + "type": "URL", + "value": "https://github.com/tj/node-growl/commit/d71177d5331c9de4658aca62e0ac921f178b0669", + }, + { + "type": "URL", + "value": "https://github.com/tj/node-growl/issues/60", + }, + { + "type": "URL", + "value": "https://github.com/tj/node-growl/pull/61", + }, + { + "type": "URL", + "value": "https://github.com/tj/node-growl/pull/62", + }, + { + "type": "URL", + "value": "https://nodesecurity.io/advisories/146", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2017-16042", + }, + { + "type": "URL", + "value": "https://www.cve.org/CVERecord?id=CVE-2017-16042", + }, + { + "type": "URL", + "value": "https://www.npmjs.com/advisories/146", + }, + ], + "severity": "HIGH", + }, + { + "attributes": { + "fixedVersion": "1.3.0", + "foundIn": "Node.js", + "installedVersion": "1.1.0", + "packageName": "grunt", + "references": [ + "https://github.com/gruntjs/grunt/blob/master/lib/grunt/file.js%23L249", + "https://github.com/gruntjs/grunt/commit/e350cea1724eb3476464561a380fb6a64e61e4e7", + 
"https://lists.debian.org/debian-lts-announce/2020/09/msg00008.html", + "https://nvd.nist.gov/vuln/detail/CVE-2020-7729", + "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-607922", + "https://snyk.io/vuln/SNYK-JS-GRUNT-597546", + "https://ubuntu.com/security/notices/USN-4595-1", + "https://ubuntu.com/security/notices/USN-5847-1", + "https://usn.ubuntu.com/4595-1", + "https://usn.ubuntu.com/4595-1/", + "https://www.cve.org/CVERecord?id=CVE-2020-7729", + ], + "vulnerabilityId": "CVE-2020-7729", + }, + "category": "NPM Package Vulnerability", + "description": "The package grunt before 1.3.0 are vulnerable to Arbitrary Code Execution due to the default usage of the function load() instead of its secure replacement safeLoad() of the package js-yaml inside grunt.file.readYAML.", + "location": "bkimminich/juice-shop:v10.2.0", + "mitigation": "Update the affected package grunt to the fixed version: 1.3.0 or remove the package from the image.", + "name": "The package grunt before 1.3.0 are vulnerable to Arbitrary Code Execut ...", + "osi_layer": "NOT_APPLICABLE", + "references": [ + { + "type": "CVE", + "value": "CVE-2020-7729", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2020-7729", + }, + { + "type": "URL", + "value": "https://github.com/gruntjs/grunt/blob/master/lib/grunt/file.js%23L249", + }, + { + "type": "URL", + "value": "https://github.com/gruntjs/grunt/commit/e350cea1724eb3476464561a380fb6a64e61e4e7", + }, + { + "type": "URL", + "value": "https://lists.debian.org/debian-lts-announce/2020/09/msg00008.html", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2020-7729", + }, + { + "type": "URL", + "value": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-607922", + }, + { + "type": "URL", + "value": "https://snyk.io/vuln/SNYK-JS-GRUNT-597546", + }, + { + "type": "URL", + "value": "https://ubuntu.com/security/notices/USN-4595-1", + }, + { + "type": "URL", + "value": "https://ubuntu.com/security/notices/USN-5847-1", + 
}, + { + "type": "URL", + "value": "https://usn.ubuntu.com/4595-1", + }, + { + "type": "URL", + "value": "https://usn.ubuntu.com/4595-1/", + }, + { + "type": "URL", + "value": "https://www.cve.org/CVERecord?id=CVE-2020-7729", + }, + ], + "severity": "HIGH", + }, + { + "attributes": { + "fixedVersion": "1.5.3", + "foundIn": "Node.js", + "installedVersion": "1.1.0", + "packageName": "grunt", + "references": [ + "https://access.redhat.com/security/cve/CVE-2022-1537", + "https://github.com/gruntjs/grunt", + "https://github.com/gruntjs/grunt/commit/58016ffac5ed9338b63ecc2a63710f5027362bae", + "https://huntr.dev/bounties/0179c3e5-bc02-4fc9-8491-a1a319b51b4d", + "https://lists.debian.org/debian-lts-announce/2023/04/msg00006.html", + "https://nvd.nist.gov/vuln/detail/CVE-2022-1537", + "https://ubuntu.com/security/notices/USN-5847-1", + "https://www.cve.org/CVERecord?id=CVE-2022-1537", + ], + "vulnerabilityId": "CVE-2022-1537", + }, + "category": "NPM Package Vulnerability", + "description": "file.copy operations in GruntJS are vulnerable to a TOCTOU race condition leading to arbitrary file write in GitHub repository gruntjs/grunt prior to 1.5.3. 
This vulnerability is capable of arbitrary file writes which can lead to local privilege escalation to the GruntJS user if a lower-privileged user has write access to both source and destination directories as the lower-privileged user can create a symlink to the GruntJS user's .bashrc file or replace /etc/shadow file if the GruntJS user is root.", + "location": "bkimminich/juice-shop:v10.2.0", + "mitigation": "Update the affected package grunt to the fixed version: 1.5.3 or remove the package from the image.", + "name": "gruntjs: race condition leading to arbitrary file write", + "osi_layer": "NOT_APPLICABLE", + "references": [ + { + "type": "CVE", + "value": "CVE-2022-1537", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2022-1537", + }, + { + "type": "URL", + "value": "https://access.redhat.com/security/cve/CVE-2022-1537", + }, + { + "type": "URL", + "value": "https://github.com/gruntjs/grunt", + }, + { + "type": "URL", + "value": "https://github.com/gruntjs/grunt/commit/58016ffac5ed9338b63ecc2a63710f5027362bae", + }, + { + "type": "URL", + "value": "https://huntr.dev/bounties/0179c3e5-bc02-4fc9-8491-a1a319b51b4d", + }, + { + "type": "URL", + "value": "https://lists.debian.org/debian-lts-announce/2023/04/msg00006.html", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2022-1537", + }, + { + "type": "URL", + "value": "https://ubuntu.com/security/notices/USN-5847-1", + }, + { + "type": "URL", + "value": "https://www.cve.org/CVERecord?id=CVE-2022-1537", + }, + ], + "severity": "HIGH", + }, + { + "attributes": { + "fixedVersion": "1.5.2", + "foundIn": "Node.js", + "installedVersion": "1.1.0", + "packageName": "grunt", + "references": [ + "https://github.com/gruntjs/grunt", + "https://github.com/gruntjs/grunt/commit/aad3d4521c3098fb255fb2db8f2e1d691a033665", + "https://github.com/gruntjs/grunt/commit/aad3d4521c3098fb255fb2db8f2e1d691a033665 (v1.5.0)", + 
"https://github.com/gruntjs/grunt/commit/b0ec6e12426fc8d5720dee1702f6a67455c5986c", + "https://github.com/gruntjs/grunt/pull/1740", + "https://github.com/gruntjs/grunt/pull/1743", + "https://huntr.dev/bounties/f55315e9-9f6d-4dbb-8c40-bae50c1ae92b", + "https://lists.debian.org/debian-lts-announce/2023/04/msg00008.html", + "https://nvd.nist.gov/vuln/detail/CVE-2022-0436", + "https://ubuntu.com/security/notices/USN-5847-1", + "https://www.cve.org/CVERecord?id=CVE-2022-0436", + ], + "vulnerabilityId": "CVE-2022-0436", + }, + "category": "NPM Package Vulnerability", + "description": "Path Traversal in GitHub repository gruntjs/grunt prior to 1.5.2.", + "location": "bkimminich/juice-shop:v10.2.0", + "mitigation": "Update the affected package grunt to the fixed version: 1.5.2 or remove the package from the image.", + "name": "Path Traversal in GitHub repository gruntjs/grunt prior to 1.5.2.", + "osi_layer": "NOT_APPLICABLE", + "references": [ + { + "type": "CVE", + "value": "CVE-2022-0436", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2022-0436", + }, + { + "type": "URL", + "value": "https://github.com/gruntjs/grunt", + }, + { + "type": "URL", + "value": "https://github.com/gruntjs/grunt/commit/aad3d4521c3098fb255fb2db8f2e1d691a033665", + }, + { + "type": "URL", + "value": "https://github.com/gruntjs/grunt/commit/aad3d4521c3098fb255fb2db8f2e1d691a033665 (v1.5.0)", + }, + { + "type": "URL", + "value": "https://github.com/gruntjs/grunt/commit/b0ec6e12426fc8d5720dee1702f6a67455c5986c", + }, + { + "type": "URL", + "value": "https://github.com/gruntjs/grunt/pull/1740", + }, + { + "type": "URL", + "value": "https://github.com/gruntjs/grunt/pull/1743", + }, + { + "type": "URL", + "value": "https://huntr.dev/bounties/f55315e9-9f6d-4dbb-8c40-bae50c1ae92b", + }, + { + "type": "URL", + "value": "https://lists.debian.org/debian-lts-announce/2023/04/msg00008.html", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2022-0436", + }, 
+ { + "type": "URL", + "value": "https://ubuntu.com/security/notices/USN-5847-1", + }, + { + "type": "URL", + "value": "https://www.cve.org/CVERecord?id=CVE-2022-0436", + }, + ], + "severity": "MEDIUM", + }, + { + "attributes": { + "fixedVersion": "2.8.9, 3.0.8", + "foundIn": "Node.js", + "installedVersion": "2.8.8", + "packageName": "hosted-git-info", + "references": [ + "https://access.redhat.com/security/cve/CVE-2021-23362", + "https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf", + "https://errata.almalinux.org/8/ALSA-2021-3074.html", + "https://github.com/npm/hosted-git-info", + "https://github.com/npm/hosted-git-info/commit/29adfe5ef789784c861b2cdeb15051ec2ba651a7", + "https://github.com/npm/hosted-git-info/commit/8d4b3697d79bcd89cdb36d1db165e3696c783a01", + "https://github.com/npm/hosted-git-info/commit/bede0dc38e1785e732bf0a48ba6f81a4a908eba3", + "https://github.com/npm/hosted-git-info/commits/v2", + "https://github.com/npm/hosted-git-info/pull/76", + "https://linux.oracle.com/cve/CVE-2021-23362.html", + "https://linux.oracle.com/errata/ELSA-2021-3074.html", + "https://nvd.nist.gov/vuln/detail/CVE-2021-23362", + "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1088356", + "https://snyk.io/vuln/SNYK-JS-HOSTEDGITINFO-1088355", + "https://www.cve.org/CVERecord?id=CVE-2021-23362", + ], + "vulnerabilityId": "CVE-2021-23362", + }, + "category": "NPM Package Vulnerability", + "description": "The package hosted-git-info before 3.0.8 are vulnerable to Regular Expression Denial of Service (ReDoS) via regular expression shortcutMatch in the fromUrl function in index.js. 
The affected regular expression exhibits polynomial worst-case time complexity.", + "location": "bkimminich/juice-shop:v10.2.0", + "mitigation": "Update the affected package hosted-git-info to the fixed version: 2.8.9, 3.0.8 or remove the package from the image.", + "name": "nodejs-hosted-git-info: Regular Expression denial of service via shortcutMatch in fromUrl()", + "osi_layer": "NOT_APPLICABLE", + "references": [ + { + "type": "CVE", + "value": "CVE-2021-23362", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2021-23362", + }, + { + "type": "URL", + "value": "https://access.redhat.com/security/cve/CVE-2021-23362", + }, + { + "type": "URL", + "value": "https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf", + }, + { + "type": "URL", + "value": "https://errata.almalinux.org/8/ALSA-2021-3074.html", + }, + { + "type": "URL", + "value": "https://github.com/npm/hosted-git-info", + }, + { + "type": "URL", + "value": "https://github.com/npm/hosted-git-info/commit/29adfe5ef789784c861b2cdeb15051ec2ba651a7", + }, + { + "type": "URL", + "value": "https://github.com/npm/hosted-git-info/commit/8d4b3697d79bcd89cdb36d1db165e3696c783a01", + }, + { + "type": "URL", + "value": "https://github.com/npm/hosted-git-info/commit/bede0dc38e1785e732bf0a48ba6f81a4a908eba3", + }, + { + "type": "URL", + "value": "https://github.com/npm/hosted-git-info/commits/v2", + }, + { + "type": "URL", + "value": "https://github.com/npm/hosted-git-info/pull/76", + }, + { + "type": "URL", + "value": "https://linux.oracle.com/cve/CVE-2021-23362.html", + }, + { + "type": "URL", + "value": "https://linux.oracle.com/errata/ELSA-2021-3074.html", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2021-23362", + }, + { + "type": "URL", + "value": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1088356", + }, + { + "type": "URL", + "value": "https://snyk.io/vuln/SNYK-JS-HOSTEDGITINFO-1088355", + }, + { + "type": "URL", + "value": 
"https://www.cve.org/CVERecord?id=CVE-2021-23362", + }, + ], + "severity": "MEDIUM", + }, + { + "attributes": { + "fixedVersion": "2.8.9, 3.0.8", + "foundIn": "Node.js", + "installedVersion": "2.8.8", + "packageName": "hosted-git-info", + "references": [ + "https://access.redhat.com/security/cve/CVE-2021-23362", + "https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf", + "https://errata.almalinux.org/8/ALSA-2021-3074.html", + "https://github.com/npm/hosted-git-info", + "https://github.com/npm/hosted-git-info/commit/29adfe5ef789784c861b2cdeb15051ec2ba651a7", + "https://github.com/npm/hosted-git-info/commit/8d4b3697d79bcd89cdb36d1db165e3696c783a01", + "https://github.com/npm/hosted-git-info/commit/bede0dc38e1785e732bf0a48ba6f81a4a908eba3", + "https://github.com/npm/hosted-git-info/commits/v2", + "https://github.com/npm/hosted-git-info/pull/76", + "https://linux.oracle.com/cve/CVE-2021-23362.html", + "https://linux.oracle.com/errata/ELSA-2021-3074.html", + "https://nvd.nist.gov/vuln/detail/CVE-2021-23362", + "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1088356", + "https://snyk.io/vuln/SNYK-JS-HOSTEDGITINFO-1088355", + "https://www.cve.org/CVERecord?id=CVE-2021-23362", + ], + "vulnerabilityId": "CVE-2021-23362", + }, + "category": "NPM Package Vulnerability", + "description": "The package hosted-git-info before 3.0.8 are vulnerable to Regular Expression Denial of Service (ReDoS) via regular expression shortcutMatch in the fromUrl function in index.js. 
The affected regular expression exhibits polynomial worst-case time complexity.", + "location": "bkimminich/juice-shop:v10.2.0", + "mitigation": "Update the affected package hosted-git-info to the fixed version: 2.8.9, 3.0.8 or remove the package from the image.", + "name": "nodejs-hosted-git-info: Regular Expression denial of service via shortcutMatch in fromUrl()", + "osi_layer": "NOT_APPLICABLE", + "references": [ + { + "type": "CVE", + "value": "CVE-2021-23362", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2021-23362", + }, + { + "type": "URL", + "value": "https://access.redhat.com/security/cve/CVE-2021-23362", + }, + { + "type": "URL", + "value": "https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf", + }, + { + "type": "URL", + "value": "https://errata.almalinux.org/8/ALSA-2021-3074.html", + }, + { + "type": "URL", + "value": "https://github.com/npm/hosted-git-info", + }, + { + "type": "URL", + "value": "https://github.com/npm/hosted-git-info/commit/29adfe5ef789784c861b2cdeb15051ec2ba651a7", + }, + { + "type": "URL", + "value": "https://github.com/npm/hosted-git-info/commit/8d4b3697d79bcd89cdb36d1db165e3696c783a01", + }, + { + "type": "URL", + "value": "https://github.com/npm/hosted-git-info/commit/bede0dc38e1785e732bf0a48ba6f81a4a908eba3", + }, + { + "type": "URL", + "value": "https://github.com/npm/hosted-git-info/commits/v2", + }, + { + "type": "URL", + "value": "https://github.com/npm/hosted-git-info/pull/76", + }, + { + "type": "URL", + "value": "https://linux.oracle.com/cve/CVE-2021-23362.html", + }, + { + "type": "URL", + "value": "https://linux.oracle.com/errata/ELSA-2021-3074.html", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2021-23362", + }, + { + "type": "URL", + "value": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1088356", + }, + { + "type": "URL", + "value": "https://snyk.io/vuln/SNYK-JS-HOSTEDGITINFO-1088355", + }, + { + "type": "URL", + "value": 
"https://www.cve.org/CVERecord?id=CVE-2021-23362", + }, + ], + "severity": "MEDIUM", + }, + { + "attributes": { + "fixedVersion": "4.1.1", + "foundIn": "Node.js", + "installedVersion": "3.8.1", + "packageName": "http-cache-semantics", + "references": [ + "https://access.redhat.com/errata/RHSA-2023:2655", + "https://access.redhat.com/security/cve/CVE-2022-25881", + "https://bugzilla.redhat.com/2165824", + "https://bugzilla.redhat.com/2168631", + "https://bugzilla.redhat.com/2171935", + "https://bugzilla.redhat.com/2172190", + "https://bugzilla.redhat.com/2172204", + "https://bugzilla.redhat.com/2172217", + "https://bugzilla.redhat.com/show_bug.cgi?id=2165824", + "https://bugzilla.redhat.com/show_bug.cgi?id=2168631", + "https://bugzilla.redhat.com/show_bug.cgi?id=2171935", + "https://bugzilla.redhat.com/show_bug.cgi?id=2172190", + "https://bugzilla.redhat.com/show_bug.cgi?id=2172204", + "https://bugzilla.redhat.com/show_bug.cgi?id=2172217", + "https://bugzilla.redhat.com/show_bug.cgi?id=2178076", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-25881", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-4904", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-23918", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-23920", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-23936", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-24807", + "https://errata.almalinux.org/9/ALSA-2023-2655.html", + "https://errata.rockylinux.org/RLSA-2023:2655", + "https://github.com/kornelski/http-cache-semantics", + "https://github.com/kornelski/http-cache-semantics/blob/master/index.js%23L83", + "https://github.com/kornelski/http-cache-semantics/commit/560b2d8ef452bbba20ffed69dc155d63ac757b74", + "https://linux.oracle.com/cve/CVE-2022-25881.html", + "https://linux.oracle.com/errata/ELSA-2023-2655.html", + "https://nvd.nist.gov/vuln/detail/CVE-2022-25881", + "https://security.netapp.com/advisory/ntap-20230622-0008", + 
"https://security.netapp.com/advisory/ntap-20230622-0008/", + "https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-3253332", + "https://security.snyk.io/vuln/SNYK-JS-HTTPCACHESEMANTICS-3248783", + "https://www.cve.org/CVERecord?id=CVE-2022-25881", + ], + "vulnerabilityId": "CVE-2022-25881", + }, + "category": "NPM Package Vulnerability", + "description": "This affects versions of the package http-cache-semantics before 4.1.1. The issue can be exploited via malicious request header values sent to a server, when that server reads the cache policy from the request using this library. + +", + "location": "bkimminich/juice-shop:v10.2.0", + "mitigation": "Update the affected package http-cache-semantics to the fixed version: 4.1.1 or remove the package from the image.", + "name": "http-cache-semantics: Regular Expression Denial of Service (ReDoS) vulnerability", + "osi_layer": "NOT_APPLICABLE", + "references": [ + { + "type": "CVE", + "value": "CVE-2022-25881", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2022-25881", + }, + { + "type": "URL", + "value": "https://access.redhat.com/errata/RHSA-2023:2655", + }, + { + "type": "URL", + "value": "https://access.redhat.com/security/cve/CVE-2022-25881", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/2165824", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/2168631", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/2171935", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/2172190", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/2172204", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/2172217", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/show_bug.cgi?id=2165824", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/show_bug.cgi?id=2168631", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/show_bug.cgi?id=2171935", + }, + { + "type": "URL", 
+ "value": "https://bugzilla.redhat.com/show_bug.cgi?id=2172190", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/show_bug.cgi?id=2172204", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/show_bug.cgi?id=2172217", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/show_bug.cgi?id=2178076", + }, + { + "type": "URL", + "value": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-25881", + }, + { + "type": "URL", + "value": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-4904", + }, + { + "type": "URL", + "value": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-23918", + }, + { + "type": "URL", + "value": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-23920", + }, + { + "type": "URL", + "value": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-23936", + }, + { + "type": "URL", + "value": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-24807", + }, + { + "type": "URL", + "value": "https://errata.almalinux.org/9/ALSA-2023-2655.html", + }, + { + "type": "URL", + "value": "https://errata.rockylinux.org/RLSA-2023:2655", + }, + { + "type": "URL", + "value": "https://github.com/kornelski/http-cache-semantics", + }, + { + "type": "URL", + "value": "https://github.com/kornelski/http-cache-semantics/blob/master/index.js%23L83", + }, + { + "type": "URL", + "value": "https://github.com/kornelski/http-cache-semantics/commit/560b2d8ef452bbba20ffed69dc155d63ac757b74", + }, + { + "type": "URL", + "value": "https://linux.oracle.com/cve/CVE-2022-25881.html", + }, + { + "type": "URL", + "value": "https://linux.oracle.com/errata/ELSA-2023-2655.html", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2022-25881", + }, + { + "type": "URL", + "value": "https://security.netapp.com/advisory/ntap-20230622-0008", + }, + { + "type": "URL", + "value": "https://security.netapp.com/advisory/ntap-20230622-0008/", + }, + { + "type": "URL", + "value": 
"https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-3253332", + }, + { + "type": "URL", + "value": "https://security.snyk.io/vuln/SNYK-JS-HTTPCACHESEMANTICS-3248783", + }, + { + "type": "URL", + "value": "https://www.cve.org/CVERecord?id=CVE-2022-25881", + }, + ], + "severity": "HIGH", + }, + { + "attributes": { + "fixedVersion": "4.1.1", + "foundIn": "Node.js", + "installedVersion": "3.8.1", + "packageName": "http-cache-semantics", + "references": [ + "https://access.redhat.com/errata/RHSA-2023:2655", + "https://access.redhat.com/security/cve/CVE-2022-25881", + "https://bugzilla.redhat.com/2165824", + "https://bugzilla.redhat.com/2168631", + "https://bugzilla.redhat.com/2171935", + "https://bugzilla.redhat.com/2172190", + "https://bugzilla.redhat.com/2172204", + "https://bugzilla.redhat.com/2172217", + "https://bugzilla.redhat.com/show_bug.cgi?id=2165824", + "https://bugzilla.redhat.com/show_bug.cgi?id=2168631", + "https://bugzilla.redhat.com/show_bug.cgi?id=2171935", + "https://bugzilla.redhat.com/show_bug.cgi?id=2172190", + "https://bugzilla.redhat.com/show_bug.cgi?id=2172204", + "https://bugzilla.redhat.com/show_bug.cgi?id=2172217", + "https://bugzilla.redhat.com/show_bug.cgi?id=2178076", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-25881", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-4904", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-23918", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-23920", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-23936", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-24807", + "https://errata.almalinux.org/9/ALSA-2023-2655.html", + "https://errata.rockylinux.org/RLSA-2023:2655", + "https://github.com/kornelski/http-cache-semantics", + "https://github.com/kornelski/http-cache-semantics/blob/master/index.js%23L83", + "https://github.com/kornelski/http-cache-semantics/commit/560b2d8ef452bbba20ffed69dc155d63ac757b74", + 
"https://linux.oracle.com/cve/CVE-2022-25881.html", + "https://linux.oracle.com/errata/ELSA-2023-2655.html", + "https://nvd.nist.gov/vuln/detail/CVE-2022-25881", + "https://security.netapp.com/advisory/ntap-20230622-0008", + "https://security.netapp.com/advisory/ntap-20230622-0008/", + "https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-3253332", + "https://security.snyk.io/vuln/SNYK-JS-HTTPCACHESEMANTICS-3248783", + "https://www.cve.org/CVERecord?id=CVE-2022-25881", + ], + "vulnerabilityId": "CVE-2022-25881", + }, + "category": "NPM Package Vulnerability", + "description": "This affects versions of the package http-cache-semantics before 4.1.1. The issue can be exploited via malicious request header values sent to a server, when that server reads the cache policy from the request using this library. + +", + "location": "bkimminich/juice-shop:v10.2.0", + "mitigation": "Update the affected package http-cache-semantics to the fixed version: 4.1.1 or remove the package from the image.", + "name": "http-cache-semantics: Regular Expression Denial of Service (ReDoS) vulnerability", + "osi_layer": "NOT_APPLICABLE", + "references": [ + { + "type": "CVE", + "value": "CVE-2022-25881", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2022-25881", + }, + { + "type": "URL", + "value": "https://access.redhat.com/errata/RHSA-2023:2655", + }, + { + "type": "URL", + "value": "https://access.redhat.com/security/cve/CVE-2022-25881", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/2165824", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/2168631", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/2171935", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/2172190", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/2172204", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/2172217", + }, + { + "type": "URL", + "value": 
"https://bugzilla.redhat.com/show_bug.cgi?id=2165824", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/show_bug.cgi?id=2168631", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/show_bug.cgi?id=2171935", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/show_bug.cgi?id=2172190", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/show_bug.cgi?id=2172204", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/show_bug.cgi?id=2172217", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/show_bug.cgi?id=2178076", + }, + { + "type": "URL", + "value": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-25881", + }, + { + "type": "URL", + "value": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-4904", + }, + { + "type": "URL", + "value": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-23918", + }, + { + "type": "URL", + "value": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-23920", + }, + { + "type": "URL", + "value": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-23936", + }, + { + "type": "URL", + "value": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-24807", + }, + { + "type": "URL", + "value": "https://errata.almalinux.org/9/ALSA-2023-2655.html", + }, + { + "type": "URL", + "value": "https://errata.rockylinux.org/RLSA-2023:2655", + }, + { + "type": "URL", + "value": "https://github.com/kornelski/http-cache-semantics", + }, + { + "type": "URL", + "value": "https://github.com/kornelski/http-cache-semantics/blob/master/index.js%23L83", + }, + { + "type": "URL", + "value": "https://github.com/kornelski/http-cache-semantics/commit/560b2d8ef452bbba20ffed69dc155d63ac757b74", + }, + { + "type": "URL", + "value": "https://linux.oracle.com/cve/CVE-2022-25881.html", + }, + { + "type": "URL", + "value": "https://linux.oracle.com/errata/ELSA-2023-2655.html", + }, + { + "type": "URL", + "value": 
"https://nvd.nist.gov/vuln/detail/CVE-2022-25881", + }, + { + "type": "URL", + "value": "https://security.netapp.com/advisory/ntap-20230622-0008", + }, + { + "type": "URL", + "value": "https://security.netapp.com/advisory/ntap-20230622-0008/", + }, + { + "type": "URL", + "value": "https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-3253332", + }, + { + "type": "URL", + "value": "https://security.snyk.io/vuln/SNYK-JS-HTTPCACHESEMANTICS-3248783", + }, + { + "type": "URL", + "value": "https://www.cve.org/CVERecord?id=CVE-2022-25881", + }, + ], + "severity": "HIGH", + }, + { + "attributes": { + "fixedVersion": "1.3.6", + "foundIn": "Node.js", + "installedVersion": "1.3.5", + "packageName": "ini", + "references": [ + "https://access.redhat.com/errata/RHSA-2022:6595", + "https://access.redhat.com/security/cve/CVE-2020-7788", + "https://bugzilla.redhat.com/1907444", + "https://bugzilla.redhat.com/1945459", + "https://bugzilla.redhat.com/1964461", + "https://bugzilla.redhat.com/2007557", + "https://bugzilla.redhat.com/2098556", + "https://bugzilla.redhat.com/2102001", + "https://bugzilla.redhat.com/2105422", + "https://bugzilla.redhat.com/2105426", + "https://bugzilla.redhat.com/2105428", + "https://bugzilla.redhat.com/2105430", + "https://errata.almalinux.org/9/ALSA-2022-6595.html", + "https://github.com/npm/ini", + "https://github.com/npm/ini/commit/56d2805e07ccd94e2ba0984ac9240ff02d44b6f1", + "https://github.com/npm/ini/commit/56d2805e07ccd94e2ba0984ac9240ff02d44b6f1 (v1.3.6)", + "https://linux.oracle.com/cve/CVE-2020-7788.html", + "https://linux.oracle.com/errata/ELSA-2022-6595.html", + "https://lists.debian.org/debian-lts-announce/2020/12/msg00032.html", + "https://nvd.nist.gov/vuln/detail/CVE-2020-7788", + "https://snyk.io/vuln/SNYK-JS-INI-1048974", + "https://www.cve.org/CVERecord?id=CVE-2020-7788", + "https://www.npmjs.com/advisories/1589", + ], + "vulnerabilityId": "CVE-2020-7788", + }, + "category": "NPM Package Vulnerability", + "description": "This affects 
the package ini before 1.3.6. If an attacker submits a malicious INI file to an application that parses it with ini.parse, they will pollute the prototype on the application. This can be exploited further depending on the context.", + "location": "bkimminich/juice-shop:v10.2.0", + "mitigation": "Update the affected package ini to the fixed version: 1.3.6 or remove the package from the image.", + "name": "nodejs-ini: Prototype pollution via malicious INI file", + "osi_layer": "NOT_APPLICABLE", + "references": [ + { + "type": "CVE", + "value": "CVE-2020-7788", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2020-7788", + }, + { + "type": "URL", + "value": "https://access.redhat.com/errata/RHSA-2022:6595", + }, + { + "type": "URL", + "value": "https://access.redhat.com/security/cve/CVE-2020-7788", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/1907444", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/1945459", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/1964461", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/2007557", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/2098556", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/2102001", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/2105422", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/2105426", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/2105428", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/2105430", + }, + { + "type": "URL", + "value": "https://errata.almalinux.org/9/ALSA-2022-6595.html", + }, + { + "type": "URL", + "value": "https://github.com/npm/ini", + }, + { + "type": "URL", + "value": "https://github.com/npm/ini/commit/56d2805e07ccd94e2ba0984ac9240ff02d44b6f1", + }, + { + "type": "URL", + "value": "https://github.com/npm/ini/commit/56d2805e07ccd94e2ba0984ac9240ff02d44b6f1 (v1.3.6)", + }, + { 
+ "type": "URL", + "value": "https://linux.oracle.com/cve/CVE-2020-7788.html", + }, + { + "type": "URL", + "value": "https://linux.oracle.com/errata/ELSA-2022-6595.html", + }, + { + "type": "URL", + "value": "https://lists.debian.org/debian-lts-announce/2020/12/msg00032.html", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2020-7788", + }, + { + "type": "URL", + "value": "https://snyk.io/vuln/SNYK-JS-INI-1048974", + }, + { + "type": "URL", + "value": "https://www.cve.org/CVERecord?id=CVE-2020-7788", + }, + { + "type": "URL", + "value": "https://www.npmjs.com/advisories/1589", + }, + ], + "severity": "HIGH", + }, + { + "attributes": { + "fixedVersion": "1.3.6", + "foundIn": "Node.js", + "installedVersion": "1.3.5", + "packageName": "ini", + "references": [ + "https://access.redhat.com/errata/RHSA-2022:6595", + "https://access.redhat.com/security/cve/CVE-2020-7788", + "https://bugzilla.redhat.com/1907444", + "https://bugzilla.redhat.com/1945459", + "https://bugzilla.redhat.com/1964461", + "https://bugzilla.redhat.com/2007557", + "https://bugzilla.redhat.com/2098556", + "https://bugzilla.redhat.com/2102001", + "https://bugzilla.redhat.com/2105422", + "https://bugzilla.redhat.com/2105426", + "https://bugzilla.redhat.com/2105428", + "https://bugzilla.redhat.com/2105430", + "https://errata.almalinux.org/9/ALSA-2022-6595.html", + "https://github.com/npm/ini", + "https://github.com/npm/ini/commit/56d2805e07ccd94e2ba0984ac9240ff02d44b6f1", + "https://github.com/npm/ini/commit/56d2805e07ccd94e2ba0984ac9240ff02d44b6f1 (v1.3.6)", + "https://linux.oracle.com/cve/CVE-2020-7788.html", + "https://linux.oracle.com/errata/ELSA-2022-6595.html", + "https://lists.debian.org/debian-lts-announce/2020/12/msg00032.html", + "https://nvd.nist.gov/vuln/detail/CVE-2020-7788", + "https://snyk.io/vuln/SNYK-JS-INI-1048974", + "https://www.cve.org/CVERecord?id=CVE-2020-7788", + "https://www.npmjs.com/advisories/1589", + ], + "vulnerabilityId": "CVE-2020-7788", + }, + 
"category": "NPM Package Vulnerability", + "description": "This affects the package ini before 1.3.6. If an attacker submits a malicious INI file to an application that parses it with ini.parse, they will pollute the prototype on the application. This can be exploited further depending on the context.", + "location": "bkimminich/juice-shop:v10.2.0", + "mitigation": "Update the affected package ini to the fixed version: 1.3.6 or remove the package from the image.", + "name": "nodejs-ini: Prototype pollution via malicious INI file", + "osi_layer": "NOT_APPLICABLE", + "references": [ + { + "type": "CVE", + "value": "CVE-2020-7788", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2020-7788", + }, + { + "type": "URL", + "value": "https://access.redhat.com/errata/RHSA-2022:6595", + }, + { + "type": "URL", + "value": "https://access.redhat.com/security/cve/CVE-2020-7788", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/1907444", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/1945459", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/1964461", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/2007557", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/2098556", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/2102001", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/2105422", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/2105426", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/2105428", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/2105430", + }, + { + "type": "URL", + "value": "https://errata.almalinux.org/9/ALSA-2022-6595.html", + }, + { + "type": "URL", + "value": "https://github.com/npm/ini", + }, + { + "type": "URL", + "value": "https://github.com/npm/ini/commit/56d2805e07ccd94e2ba0984ac9240ff02d44b6f1", + }, + { + "type": "URL", + "value": 
"https://github.com/npm/ini/commit/56d2805e07ccd94e2ba0984ac9240ff02d44b6f1 (v1.3.6)", + }, + { + "type": "URL", + "value": "https://linux.oracle.com/cve/CVE-2020-7788.html", + }, + { + "type": "URL", + "value": "https://linux.oracle.com/errata/ELSA-2022-6595.html", + }, + { + "type": "URL", + "value": "https://lists.debian.org/debian-lts-announce/2020/12/msg00032.html", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2020-7788", + }, + { + "type": "URL", + "value": "https://snyk.io/vuln/SNYK-JS-INI-1048974", + }, + { + "type": "URL", + "value": "https://www.cve.org/CVERecord?id=CVE-2020-7788", + }, + { + "type": "URL", + "value": "https://www.npmjs.com/advisories/1589", + }, + ], + "severity": "HIGH", + }, + { + "attributes": { + "fixedVersion": undefined, + "foundIn": "Node.js", + "installedVersion": "1.1.5", + "packageName": "ip", + "references": [ + "https://access.redhat.com/security/cve/CVE-2024-29415", + "https://cosmosofcyberspace.github.io/npm_ip_cve/npm_ip_cve.html", + "https://github.com/indutny/node-ip", + "https://github.com/indutny/node-ip/issues/150", + "https://github.com/indutny/node-ip/pull/143", + "https://github.com/indutny/node-ip/pull/144", + "https://nvd.nist.gov/vuln/detail/CVE-2024-29415", + "https://www.cve.org/CVERecord?id=CVE-2024-29415", + ], + "vulnerabilityId": "CVE-2024-29415", + }, + "category": "NPM Package Vulnerability", + "description": "The ip package through 2.0.1 for Node.js might allow SSRF because some IP addresses (such as 127.1, 01200034567, 012.1.2.3, 000:0:0000::01, and ::fFFf:127.0.0.1) are improperly categorized as globally routable via isPublic. 
NOTE: this issue exists because of an incomplete fix for CVE-2023-42282.", + "location": "bkimminich/juice-shop:v10.2.0", + "mitigation": "Update the affected package ip to the fixed version: undefined or remove the package from the image.", + "name": "node-ip: Incomplete fix for CVE-2023-42282", + "osi_layer": "NOT_APPLICABLE", + "references": [ + { + "type": "CVE", + "value": "CVE-2024-29415", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2024-29415", + }, + { + "type": "URL", + "value": "https://access.redhat.com/security/cve/CVE-2024-29415", + }, + { + "type": "URL", + "value": "https://cosmosofcyberspace.github.io/npm_ip_cve/npm_ip_cve.html", + }, + { + "type": "URL", + "value": "https://github.com/indutny/node-ip", + }, + { + "type": "URL", + "value": "https://github.com/indutny/node-ip/issues/150", + }, + { + "type": "URL", + "value": "https://github.com/indutny/node-ip/pull/143", + }, + { + "type": "URL", + "value": "https://github.com/indutny/node-ip/pull/144", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2024-29415", + }, + { + "type": "URL", + "value": "https://www.cve.org/CVERecord?id=CVE-2024-29415", + }, + ], + "severity": "HIGH", + }, + { + "attributes": { + "fixedVersion": "2.0.1, 1.1.9", + "foundIn": "Node.js", + "installedVersion": "1.1.5", + "packageName": "ip", + "references": [ + "https://access.redhat.com/security/cve/CVE-2023-42282", + "https://cosmosofcyberspace.github.io/npm_ip_cve/npm_ip_cve.html", + "https://github.com/JoshGlazebrook/socks/issues/93#issue-2128357447", + "https://github.com/github/advisory-database/pull/3504#issuecomment-1937179999", + "https://github.com/indutny/node-ip", + "https://github.com/indutny/node-ip/commit/32f468f1245574785ec080705737a579be1223aa", + "https://github.com/indutny/node-ip/commit/6a3ada9b471b09d5f0f5be264911ab564bf67894", + "https://github.com/indutny/node-ip/pull/138", + "https://huntr.com/bounties/bfc3b23f-ddc0-4ee7-afab-223b07115ed3/", + 
"https://nvd.nist.gov/vuln/detail/CVE-2023-42282", + "https://security.netapp.com/advisory/ntap-20240315-0008/", + "https://ubuntu.com/security/notices/USN-6643-1", + "https://www.bleepingcomputer.com/news/security/dev-rejects-cve-severity-makes-his-github-repo-read-only/", + "https://www.cve.org/CVERecord?id=CVE-2023-42282", + ], + "vulnerabilityId": "CVE-2023-42282", + }, + "category": "NPM Package Vulnerability", + "description": "The ip package before 1.1.9 for Node.js might allow SSRF because some IP addresses (such as 0x7f.1) are improperly categorized as globally routable via isPublic.", + "location": "bkimminich/juice-shop:v10.2.0", + "mitigation": "Update the affected package ip to the fixed version: 2.0.1, 1.1.9 or remove the package from the image.", + "name": "nodejs-ip: arbitrary code execution via the isPublic() function", + "osi_layer": "NOT_APPLICABLE", + "references": [ + { + "type": "CVE", + "value": "CVE-2023-42282", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2023-42282", + }, + { + "type": "URL", + "value": "https://access.redhat.com/security/cve/CVE-2023-42282", + }, + { + "type": "URL", + "value": "https://cosmosofcyberspace.github.io/npm_ip_cve/npm_ip_cve.html", + }, + { + "type": "URL", + "value": "https://github.com/JoshGlazebrook/socks/issues/93#issue-2128357447", + }, + { + "type": "URL", + "value": "https://github.com/github/advisory-database/pull/3504#issuecomment-1937179999", + }, + { + "type": "URL", + "value": "https://github.com/indutny/node-ip", + }, + { + "type": "URL", + "value": "https://github.com/indutny/node-ip/commit/32f468f1245574785ec080705737a579be1223aa", + }, + { + "type": "URL", + "value": "https://github.com/indutny/node-ip/commit/6a3ada9b471b09d5f0f5be264911ab564bf67894", + }, + { + "type": "URL", + "value": "https://github.com/indutny/node-ip/pull/138", + }, + { + "type": "URL", + "value": "https://huntr.com/bounties/bfc3b23f-ddc0-4ee7-afab-223b07115ed3/", + }, + { + "type": "URL", + 
"value": "https://nvd.nist.gov/vuln/detail/CVE-2023-42282", + }, + { + "type": "URL", + "value": "https://security.netapp.com/advisory/ntap-20240315-0008/", + }, + { + "type": "URL", + "value": "https://ubuntu.com/security/notices/USN-6643-1", + }, + { + "type": "URL", + "value": "https://www.bleepingcomputer.com/news/security/dev-rejects-cve-severity-makes-his-github-repo-read-only/", + }, + { + "type": "URL", + "value": "https://www.cve.org/CVERecord?id=CVE-2023-42282", + }, + ], + "severity": "LOW", + }, + { + "attributes": { + "fixedVersion": "0.4.0", + "foundIn": "Node.js", + "installedVersion": "0.2.3", + "packageName": "json-schema", + "references": [ + "https://access.redhat.com/security/cve/CVE-2021-3918", + "https://errata.almalinux.org/8/ALSA-2022-0350.html", + "https://github.com/kriszyp/json-schema", + "https://github.com/kriszyp/json-schema/commit/22f146111f541d9737e832823699ad3528ca7741", + "https://github.com/kriszyp/json-schema/commit/22f146111f541d9737e832823699ad3528ca7741 (v0.4.0)", + "https://github.com/kriszyp/json-schema/commit/b62f1da1ff5442f23443d6be6a92d00e65cba93a", + "https://github.com/kriszyp/json-schema/commit/f6f6a3b02d667aa4ba2d5d50cc19208c4462abfa", + "https://huntr.dev/bounties/bb6ccd63-f505-4e3a-b55f-cd2662c261a9", + "https://linux.oracle.com/cve/CVE-2021-3918.html", + "https://linux.oracle.com/errata/ELSA-2022-0350.html", + "https://lists.debian.org/debian-lts-announce/2022/12/msg00013.html", + "https://nvd.nist.gov/vuln/detail/CVE-2021-3918", + "https://ubuntu.com/security/notices/USN-6103-1", + "https://www.cve.org/CVERecord?id=CVE-2021-3918", + ], + "vulnerabilityId": "CVE-2021-3918", + }, + "category": "NPM Package Vulnerability", + "description": "json-schema is vulnerable to Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')", + "location": "bkimminich/juice-shop:v10.2.0", + "mitigation": "Update the affected package json-schema to the fixed version: 0.4.0 or remove the package from 
the image.", + "name": "nodejs-json-schema: Prototype pollution vulnerability", + "osi_layer": "NOT_APPLICABLE", + "references": [ + { + "type": "CVE", + "value": "CVE-2021-3918", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2021-3918", + }, + { + "type": "URL", + "value": "https://access.redhat.com/security/cve/CVE-2021-3918", + }, + { + "type": "URL", + "value": "https://errata.almalinux.org/8/ALSA-2022-0350.html", + }, + { + "type": "URL", + "value": "https://github.com/kriszyp/json-schema", + }, + { + "type": "URL", + "value": "https://github.com/kriszyp/json-schema/commit/22f146111f541d9737e832823699ad3528ca7741", + }, + { + "type": "URL", + "value": "https://github.com/kriszyp/json-schema/commit/22f146111f541d9737e832823699ad3528ca7741 (v0.4.0)", + }, + { + "type": "URL", + "value": "https://github.com/kriszyp/json-schema/commit/b62f1da1ff5442f23443d6be6a92d00e65cba93a", + }, + { + "type": "URL", + "value": "https://github.com/kriszyp/json-schema/commit/f6f6a3b02d667aa4ba2d5d50cc19208c4462abfa", + }, + { + "type": "URL", + "value": "https://huntr.dev/bounties/bb6ccd63-f505-4e3a-b55f-cd2662c261a9", + }, + { + "type": "URL", + "value": "https://linux.oracle.com/cve/CVE-2021-3918.html", + }, + { + "type": "URL", + "value": "https://linux.oracle.com/errata/ELSA-2022-0350.html", + }, + { + "type": "URL", + "value": "https://lists.debian.org/debian-lts-announce/2022/12/msg00013.html", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2021-3918", + }, + { + "type": "URL", + "value": "https://ubuntu.com/security/notices/USN-6103-1", + }, + { + "type": "URL", + "value": "https://www.cve.org/CVERecord?id=CVE-2021-3918", + }, + ], + "severity": "HIGH", + }, + { + "attributes": { + "fixedVersion": "0.4.0", + "foundIn": "Node.js", + "installedVersion": "0.2.3", + "packageName": "json-schema", + "references": [ + "https://access.redhat.com/security/cve/CVE-2021-3918", + 
"https://errata.almalinux.org/8/ALSA-2022-0350.html", + "https://github.com/kriszyp/json-schema", + "https://github.com/kriszyp/json-schema/commit/22f146111f541d9737e832823699ad3528ca7741", + "https://github.com/kriszyp/json-schema/commit/22f146111f541d9737e832823699ad3528ca7741 (v0.4.0)", + "https://github.com/kriszyp/json-schema/commit/b62f1da1ff5442f23443d6be6a92d00e65cba93a", + "https://github.com/kriszyp/json-schema/commit/f6f6a3b02d667aa4ba2d5d50cc19208c4462abfa", + "https://huntr.dev/bounties/bb6ccd63-f505-4e3a-b55f-cd2662c261a9", + "https://linux.oracle.com/cve/CVE-2021-3918.html", + "https://linux.oracle.com/errata/ELSA-2022-0350.html", + "https://lists.debian.org/debian-lts-announce/2022/12/msg00013.html", + "https://nvd.nist.gov/vuln/detail/CVE-2021-3918", + "https://ubuntu.com/security/notices/USN-6103-1", + "https://www.cve.org/CVERecord?id=CVE-2021-3918", + ], + "vulnerabilityId": "CVE-2021-3918", + }, + "category": "NPM Package Vulnerability", + "description": "json-schema is vulnerable to Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')", + "location": "bkimminich/juice-shop:v10.2.0", + "mitigation": "Update the affected package json-schema to the fixed version: 0.4.0 or remove the package from the image.", + "name": "nodejs-json-schema: Prototype pollution vulnerability", + "osi_layer": "NOT_APPLICABLE", + "references": [ + { + "type": "CVE", + "value": "CVE-2021-3918", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2021-3918", + }, + { + "type": "URL", + "value": "https://access.redhat.com/security/cve/CVE-2021-3918", + }, + { + "type": "URL", + "value": "https://errata.almalinux.org/8/ALSA-2022-0350.html", + }, + { + "type": "URL", + "value": "https://github.com/kriszyp/json-schema", + }, + { + "type": "URL", + "value": "https://github.com/kriszyp/json-schema/commit/22f146111f541d9737e832823699ad3528ca7741", + }, + { + "type": "URL", + "value": 
"https://github.com/kriszyp/json-schema/commit/22f146111f541d9737e832823699ad3528ca7741 (v0.4.0)", + }, + { + "type": "URL", + "value": "https://github.com/kriszyp/json-schema/commit/b62f1da1ff5442f23443d6be6a92d00e65cba93a", + }, + { + "type": "URL", + "value": "https://github.com/kriszyp/json-schema/commit/f6f6a3b02d667aa4ba2d5d50cc19208c4462abfa", + }, + { + "type": "URL", + "value": "https://huntr.dev/bounties/bb6ccd63-f505-4e3a-b55f-cd2662c261a9", + }, + { + "type": "URL", + "value": "https://linux.oracle.com/cve/CVE-2021-3918.html", + }, + { + "type": "URL", + "value": "https://linux.oracle.com/errata/ELSA-2022-0350.html", + }, + { + "type": "URL", + "value": "https://lists.debian.org/debian-lts-announce/2022/12/msg00013.html", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2021-3918", + }, + { + "type": "URL", + "value": "https://ubuntu.com/security/notices/USN-6103-1", + }, + { + "type": "URL", + "value": "https://www.cve.org/CVERecord?id=CVE-2021-3918", + }, + ], + "severity": "HIGH", + }, + { + "attributes": { + "fixedVersion": "2.2.2, 1.0.2", + "foundIn": "Node.js", + "installedVersion": "2.1.3", + "packageName": "json5", + "references": [ + "https://access.redhat.com/security/cve/CVE-2022-46175", + "https://github.com/json5/json5", + "https://github.com/json5/json5/commit/62a65408408d40aeea14c7869ed327acead12972", + "https://github.com/json5/json5/commit/7774c1097993bc3ce9f0ac4b722a32bf7d6871c8", + "https://github.com/json5/json5/issues/199", + "https://github.com/json5/json5/issues/295", + "https://github.com/json5/json5/pull/298", + "https://github.com/json5/json5/security/advisories/GHSA-9c47-m6qq-7p4h", + "https://lists.debian.org/debian-lts-announce/2023/11/msg00021.html", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3S26TLPLVFAJTUN3VIXFDEBEXDYO22CE/", + 
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3S26TLPLVFAJTUN3VIXFDEBEXDYO22CE", + "https://nvd.nist.gov/vuln/detail/CVE-2022-46175", + "https://ubuntu.com/security/notices/USN-6758-1", + "https://www.cve.org/CVERecord?id=CVE-2022-46175", + ], + "vulnerabilityId": "CVE-2022-46175", + }, + "category": "NPM Package Vulnerability", + "description": "JSON5 is an extension to the popular JSON file format that aims to be easier to write and maintain by hand (e.g. for config files). The \`parse\` method of the JSON5 library before and including versions 1.0.1 and 2.2.1 does not restrict parsing of keys named \`__proto__\`, allowing specially crafted strings to pollute the prototype of the resulting object. This vulnerability pollutes the prototype of the object returned by \`JSON5.parse\` and not the global Object prototype, which is the commonly understood definition of Prototype Pollution. However, polluting the prototype of a single object can have significant security impact for an application if the object is later used in trusted operations. This vulnerability could allow an attacker to set arbitrary and unexpected keys on the object returned from \`JSON5.parse\`. The actual impact will depend on how applications utilize the returned object and how they filter unwanted keys, but could include denial of service, cross-site scripting, elevation of privilege, and in extreme cases, remote code execution. \`JSON5.parse\` should restrict parsing of \`__proto__\` keys when parsing JSON strings to objects. As a point of reference, the \`JSON.parse\` method included in JavaScript ignores \`__proto__\` keys. Simply changing \`JSON5.parse\` to \`JSON.parse\` in the examples above mitigates this vulnerability. 
This vulnerability is patched in json5 versions 1.0.2, 2.2.2, and later.", + "location": "bkimminich/juice-shop:v10.2.0", + "mitigation": "Update the affected package json5 to the fixed version: 2.2.2, 1.0.2 or remove the package from the image.", + "name": "json5: Prototype Pollution in JSON5 via Parse Method", + "osi_layer": "NOT_APPLICABLE", + "references": [ + { + "type": "CVE", + "value": "CVE-2022-46175", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2022-46175", + }, + { + "type": "URL", + "value": "https://access.redhat.com/security/cve/CVE-2022-46175", + }, + { + "type": "URL", + "value": "https://github.com/json5/json5", + }, + { + "type": "URL", + "value": "https://github.com/json5/json5/commit/62a65408408d40aeea14c7869ed327acead12972", + }, + { + "type": "URL", + "value": "https://github.com/json5/json5/commit/7774c1097993bc3ce9f0ac4b722a32bf7d6871c8", + }, + { + "type": "URL", + "value": "https://github.com/json5/json5/issues/199", + }, + { + "type": "URL", + "value": "https://github.com/json5/json5/issues/295", + }, + { + "type": "URL", + "value": "https://github.com/json5/json5/pull/298", + }, + { + "type": "URL", + "value": "https://github.com/json5/json5/security/advisories/GHSA-9c47-m6qq-7p4h", + }, + { + "type": "URL", + "value": "https://lists.debian.org/debian-lts-announce/2023/11/msg00021.html", + }, + { + "type": "URL", + "value": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3S26TLPLVFAJTUN3VIXFDEBEXDYO22CE/", + }, + { + "type": "URL", + "value": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3S26TLPLVFAJTUN3VIXFDEBEXDYO22CE", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2022-46175", + }, + { + "type": "URL", + "value": "https://ubuntu.com/security/notices/USN-6758-1", + }, + { + "type": "URL", + "value": "https://www.cve.org/CVERecord?id=CVE-2022-46175", + }, + ], + "severity": 
"HIGH", + }, + { + "attributes": { + "fixedVersion": "4.2.2", + "foundIn": "Node.js", + "installedVersion": "0.1.0", + "packageName": "jsonwebtoken", + "references": [ + "https://access.redhat.com/security/cve/CVE-2015-9235", + "https://auth0.com/blog/2015/03/31/critical-vulnerabilities-in-json-web-token-libraries", + "https://auth0.com/blog/2015/03/31/critical-vulnerabilities-in-json-web-token-libraries/", + "https://github.com/advisories/GHSA-c7hr-j4mj-j2w6", + "https://github.com/auth0/node-jsonwebtoken/commit/1bb584bc382295eeb7ee8c4452a673a77a68b687", + "https://nodesecurity.io/advisories/17", + "https://nvd.nist.gov/vuln/detail/CVE-2015-9235", + "https://www.cve.org/CVERecord?id=CVE-2015-9235", + "https://www.npmjs.com/advisories/17", + "https://www.timmclean.net/2015/02/25/jwt-alg-none.html", + ], + "vulnerabilityId": "CVE-2015-9235", + }, + "category": "NPM Package Vulnerability", + "description": "In jsonwebtoken node module before 4.2.2 it is possible for an attacker to bypass verification when a token digitally signed with an asymmetric key (RS/ES family) of algorithms but instead the attacker send a token digitally signed with a symmetric algorithm (HS* family).", + "location": "bkimminich/juice-shop:v10.2.0", + "mitigation": "Update the affected package jsonwebtoken to the fixed version: 4.2.2 or remove the package from the image.", + "name": "nodejs-jsonwebtoken: verification step bypass with an altered token", + "osi_layer": "NOT_APPLICABLE", + "references": [ + { + "type": "CVE", + "value": "CVE-2015-9235", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2015-9235", + }, + { + "type": "URL", + "value": "https://access.redhat.com/security/cve/CVE-2015-9235", + }, + { + "type": "URL", + "value": "https://auth0.com/blog/2015/03/31/critical-vulnerabilities-in-json-web-token-libraries", + }, + { + "type": "URL", + "value": "https://auth0.com/blog/2015/03/31/critical-vulnerabilities-in-json-web-token-libraries/", + }, + { + 
"type": "URL", + "value": "https://github.com/advisories/GHSA-c7hr-j4mj-j2w6", + }, + { + "type": "URL", + "value": "https://github.com/auth0/node-jsonwebtoken/commit/1bb584bc382295eeb7ee8c4452a673a77a68b687", + }, + { + "type": "URL", + "value": "https://nodesecurity.io/advisories/17", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2015-9235", + }, + { + "type": "URL", + "value": "https://www.cve.org/CVERecord?id=CVE-2015-9235", + }, + { + "type": "URL", + "value": "https://www.npmjs.com/advisories/17", + }, + { + "type": "URL", + "value": "https://www.timmclean.net/2015/02/25/jwt-alg-none.html", + }, + ], + "severity": "HIGH", + }, + { + "attributes": { + "fixedVersion": "9.0.0", + "foundIn": "Node.js", + "installedVersion": "0.1.0", + "packageName": "jsonwebtoken", + "references": [ + "https://access.redhat.com/security/cve/CVE-2022-23539", + "https://github.com/auth0/node-jsonwebtoken", + "https://github.com/auth0/node-jsonwebtoken/commit/e1fa9dcc12054a8681db4e6373da1b30cf7016e3", + "https://github.com/auth0/node-jsonwebtoken/security/advisories/GHSA-8cf7-32gw-wr33", + "https://nvd.nist.gov/vuln/detail/CVE-2022-23539", + "https://security.netapp.com/advisory/ntap-20240621-0007", + "https://security.netapp.com/advisory/ntap-20240621-0007/", + "https://www.cve.org/CVERecord?id=CVE-2022-23539", + ], + "vulnerabilityId": "CVE-2022-23539", + }, + "category": "NPM Package Vulnerability", + "description": "Versions \`<=8.5.1\` of \`jsonwebtoken\` library could be misconfigured so that legacy, insecure key types are used for signature verification. For example, DSA keys could be used with the RS256 algorithm. You are affected if you are using an algorithm and a key type other than a combination listed in the GitHub Security Advisory as unaffected. This issue has been fixed, please update to version 9.0.0. This version validates for asymmetric key type and algorithm combinations. 
Please refer to the above mentioned algorithm / key type combinations for the valid secure configuration. After updating to version 9.0.0, if you still intend to continue with signing or verifying tokens using invalid key type/algorithm value combinations, you’ll need to set the \`allowInvalidAsymmetricKeyTypes\` option to \`true\` in the \`sign()\` and/or \`verify()\` functions.", + "location": "bkimminich/juice-shop:v10.2.0", + "mitigation": "Update the affected package jsonwebtoken to the fixed version: 9.0.0 or remove the package from the image.", + "name": "jsonwebtoken: Unrestricted key type could lead to legacy keys usagen", + "osi_layer": "NOT_APPLICABLE", + "references": [ + { + "type": "CVE", + "value": "CVE-2022-23539", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2022-23539", + }, + { + "type": "URL", + "value": "https://access.redhat.com/security/cve/CVE-2022-23539", + }, + { + "type": "URL", + "value": "https://github.com/auth0/node-jsonwebtoken", + }, + { + "type": "URL", + "value": "https://github.com/auth0/node-jsonwebtoken/commit/e1fa9dcc12054a8681db4e6373da1b30cf7016e3", + }, + { + "type": "URL", + "value": "https://github.com/auth0/node-jsonwebtoken/security/advisories/GHSA-8cf7-32gw-wr33", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2022-23539", + }, + { + "type": "URL", + "value": "https://security.netapp.com/advisory/ntap-20240621-0007", + }, + { + "type": "URL", + "value": "https://security.netapp.com/advisory/ntap-20240621-0007/", + }, + { + "type": "URL", + "value": "https://www.cve.org/CVERecord?id=CVE-2022-23539", + }, + ], + "severity": "HIGH", + }, + { + "attributes": { + "fixedVersion": ">=4.2.2", + "foundIn": "Node.js", + "installedVersion": "0.1.0", + "packageName": "jsonwebtoken", + "references": [ + "https://auth0.com/blog/2015/03/31/critical-vulnerabilities-in-json-web-token-libraries/", + 
"https://github.com/auth0/node-jsonwebtoken/commit/1bb584bc382295eeb7ee8c4452a673a77a68b687", + "https://www.timmclean.net/2015/02/25/jwt-alg-none.html", + ], + "vulnerabilityId": "NSWG-ECO-17", + }, + "category": "NPM Package Vulnerability", + "description": "It is possible for an attacker to bypass verification when "a token digitally signed with an asymetric key (RS/ES family) of algorithms but instead the attacker send a token digitally signed with a symmetric algorithm (HS* family)" [1]", + "location": "bkimminich/juice-shop:v10.2.0", + "mitigation": "Update the affected package jsonwebtoken to the fixed version: >=4.2.2 or remove the package from the image.", + "name": "Verification Bypass", + "osi_layer": "NOT_APPLICABLE", + "references": [ + { + "type": "NSWG", + "value": "NSWG-ECO-17", + }, + { + "type": "URL", + "value": "https://github.com/nodejs/security-wg/tree/master/vuln", + }, + { + "type": "URL", + "value": "https://auth0.com/blog/2015/03/31/critical-vulnerabilities-in-json-web-token-libraries/", + }, + { + "type": "URL", + "value": "https://github.com/auth0/node-jsonwebtoken/commit/1bb584bc382295eeb7ee8c4452a673a77a68b687", + }, + { + "type": "URL", + "value": "https://www.timmclean.net/2015/02/25/jwt-alg-none.html", + }, + ], + "severity": "HIGH", + }, + { + "attributes": { + "fixedVersion": "9.0.0", + "foundIn": "Node.js", + "installedVersion": "0.1.0", + "packageName": "jsonwebtoken", + "references": [ + "https://access.redhat.com/security/cve/CVE-2022-23540", + "https://github.com/auth0/node-jsonwebtoken", + "https://github.com/auth0/node-jsonwebtoken/commit/e1fa9dcc12054a8681db4e6373da1b30cf7016e3", + "https://github.com/auth0/node-jsonwebtoken/security/advisories/GHSA-qwph-4952-7xr6", + "https://nvd.nist.gov/vuln/detail/CVE-2022-23540", + "https://security.netapp.com/advisory/ntap-20240621-0007", + "https://security.netapp.com/advisory/ntap-20240621-0007/", + "https://www.cve.org/CVERecord?id=CVE-2022-23540", + ], + "vulnerabilityId": 
"CVE-2022-23540", + }, + "category": "NPM Package Vulnerability", + "description": "In versions \`<=8.5.1\` of \`jsonwebtoken\` library, lack of algorithm definition in the \`jwt.verify()\` function can lead to signature validation bypass due to defaulting to the \`none\` algorithm for signature verification. Users are affected if you do not specify algorithms in the \`jwt.verify()\` function. This issue has been fixed, please update to version 9.0.0 which removes the default support for the none algorithm in the \`jwt.verify()\` method. There will be no impact, if you update to version 9.0.0 and you don’t need to allow for the \`none\` algorithm. If you need 'none' algorithm, you have to explicitly specify that in \`jwt.verify()\` options. +", + "location": "bkimminich/juice-shop:v10.2.0", + "mitigation": "Update the affected package jsonwebtoken to the fixed version: 9.0.0 or remove the package from the image.", + "name": "jsonwebtoken: Insecure default algorithm in jwt.verify() could lead to signature validation bypass", + "osi_layer": "NOT_APPLICABLE", + "references": [ + { + "type": "CVE", + "value": "CVE-2022-23540", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2022-23540", + }, + { + "type": "URL", + "value": "https://access.redhat.com/security/cve/CVE-2022-23540", + }, + { + "type": "URL", + "value": "https://github.com/auth0/node-jsonwebtoken", + }, + { + "type": "URL", + "value": "https://github.com/auth0/node-jsonwebtoken/commit/e1fa9dcc12054a8681db4e6373da1b30cf7016e3", + }, + { + "type": "URL", + "value": "https://github.com/auth0/node-jsonwebtoken/security/advisories/GHSA-qwph-4952-7xr6", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2022-23540", + }, + { + "type": "URL", + "value": "https://security.netapp.com/advisory/ntap-20240621-0007", + }, + { + "type": "URL", + "value": "https://security.netapp.com/advisory/ntap-20240621-0007/", + }, + { + "type": "URL", + "value": 
"https://www.cve.org/CVERecord?id=CVE-2022-23540", + }, + ], + "severity": "MEDIUM", + }, + { + "attributes": { + "fixedVersion": "9.0.0", + "foundIn": "Node.js", + "installedVersion": "0.1.0", + "packageName": "jsonwebtoken", + "references": [ + "https://access.redhat.com/security/cve/CVE-2022-23541", + "https://github.com/auth0/node-jsonwebtoken", + "https://github.com/auth0/node-jsonwebtoken/commit/e1fa9dcc12054a8681db4e6373da1b30cf7016e3", + "https://github.com/auth0/node-jsonwebtoken/releases/tag/v9.0.0", + "https://github.com/auth0/node-jsonwebtoken/security/advisories/GHSA-hjrf-2m68-5959", + "https://nvd.nist.gov/vuln/detail/CVE-2022-23541", + "https://security.netapp.com/advisory/ntap-20240621-0007", + "https://security.netapp.com/advisory/ntap-20240621-0007/", + "https://www.cve.org/CVERecord?id=CVE-2022-23541", + ], + "vulnerabilityId": "CVE-2022-23541", + }, + "category": "NPM Package Vulnerability", + "description": "jsonwebtoken is an implementation of JSON Web Tokens. Versions \`<= 8.5.1\` of \`jsonwebtoken\` library can be misconfigured so that passing a poorly implemented key retrieval function referring to the \`secretOrPublicKey\` argument from the readme link will result in incorrect verification of tokens. There is a possibility of using a different algorithm and key combination in verification, other than the one that was used to sign the tokens. Specifically, tokens signed with an asymmetric public key could be verified with a symmetric HS256 algorithm. This can lead to successful validation of forged tokens. If your application is supporting usage of both symmetric key and asymmetric key in jwt.verify() implementation with the same key retrieval function. 
This issue has been patched, please update to version 9.0.0.", + "location": "bkimminich/juice-shop:v10.2.0", + "mitigation": "Update the affected package jsonwebtoken to the fixed version: 9.0.0 or remove the package from the image.", + "name": "jsonwebtoken: Insecure implementation of key retrieval function could lead to Forgeable Public/Private Tokens from RSA to HMAC", + "osi_layer": "NOT_APPLICABLE", + "references": [ + { + "type": "CVE", + "value": "CVE-2022-23541", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2022-23541", + }, + { + "type": "URL", + "value": "https://access.redhat.com/security/cve/CVE-2022-23541", + }, + { + "type": "URL", + "value": "https://github.com/auth0/node-jsonwebtoken", + }, + { + "type": "URL", + "value": "https://github.com/auth0/node-jsonwebtoken/commit/e1fa9dcc12054a8681db4e6373da1b30cf7016e3", + }, + { + "type": "URL", + "value": "https://github.com/auth0/node-jsonwebtoken/releases/tag/v9.0.0", + }, + { + "type": "URL", + "value": "https://github.com/auth0/node-jsonwebtoken/security/advisories/GHSA-hjrf-2m68-5959", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2022-23541", + }, + { + "type": "URL", + "value": "https://security.netapp.com/advisory/ntap-20240621-0007", + }, + { + "type": "URL", + "value": "https://security.netapp.com/advisory/ntap-20240621-0007/", + }, + { + "type": "URL", + "value": "https://www.cve.org/CVERecord?id=CVE-2022-23541", + }, + ], + "severity": "MEDIUM", + }, + { + "attributes": { + "fixedVersion": "4.2.2", + "foundIn": "Node.js", + "installedVersion": "0.4.0", + "packageName": "jsonwebtoken", + "references": [ + "https://access.redhat.com/security/cve/CVE-2015-9235", + "https://auth0.com/blog/2015/03/31/critical-vulnerabilities-in-json-web-token-libraries", + "https://auth0.com/blog/2015/03/31/critical-vulnerabilities-in-json-web-token-libraries/", + "https://github.com/advisories/GHSA-c7hr-j4mj-j2w6", + 
"https://github.com/auth0/node-jsonwebtoken/commit/1bb584bc382295eeb7ee8c4452a673a77a68b687", + "https://nodesecurity.io/advisories/17", + "https://nvd.nist.gov/vuln/detail/CVE-2015-9235", + "https://www.cve.org/CVERecord?id=CVE-2015-9235", + "https://www.npmjs.com/advisories/17", + "https://www.timmclean.net/2015/02/25/jwt-alg-none.html", + ], + "vulnerabilityId": "CVE-2015-9235", + }, + "category": "NPM Package Vulnerability", + "description": "In jsonwebtoken node module before 4.2.2 it is possible for an attacker to bypass verification when a token digitally signed with an asymmetric key (RS/ES family) of algorithms but instead the attacker send a token digitally signed with a symmetric algorithm (HS* family).", + "location": "bkimminich/juice-shop:v10.2.0", + "mitigation": "Update the affected package jsonwebtoken to the fixed version: 4.2.2 or remove the package from the image.", + "name": "nodejs-jsonwebtoken: verification step bypass with an altered token", + "osi_layer": "NOT_APPLICABLE", + "references": [ + { + "type": "CVE", + "value": "CVE-2015-9235", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2015-9235", + }, + { + "type": "URL", + "value": "https://access.redhat.com/security/cve/CVE-2015-9235", + }, + { + "type": "URL", + "value": "https://auth0.com/blog/2015/03/31/critical-vulnerabilities-in-json-web-token-libraries", + }, + { + "type": "URL", + "value": "https://auth0.com/blog/2015/03/31/critical-vulnerabilities-in-json-web-token-libraries/", + }, + { + "type": "URL", + "value": "https://github.com/advisories/GHSA-c7hr-j4mj-j2w6", + }, + { + "type": "URL", + "value": "https://github.com/auth0/node-jsonwebtoken/commit/1bb584bc382295eeb7ee8c4452a673a77a68b687", + }, + { + "type": "URL", + "value": "https://nodesecurity.io/advisories/17", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2015-9235", + }, + { + "type": "URL", + "value": "https://www.cve.org/CVERecord?id=CVE-2015-9235", + }, + { + 
"type": "URL", + "value": "https://www.npmjs.com/advisories/17", + }, + { + "type": "URL", + "value": "https://www.timmclean.net/2015/02/25/jwt-alg-none.html", + }, + ], + "severity": "HIGH", + }, + { + "attributes": { + "fixedVersion": "9.0.0", + "foundIn": "Node.js", + "installedVersion": "0.4.0", + "packageName": "jsonwebtoken", + "references": [ + "https://access.redhat.com/security/cve/CVE-2022-23539", + "https://github.com/auth0/node-jsonwebtoken", + "https://github.com/auth0/node-jsonwebtoken/commit/e1fa9dcc12054a8681db4e6373da1b30cf7016e3", + "https://github.com/auth0/node-jsonwebtoken/security/advisories/GHSA-8cf7-32gw-wr33", + "https://nvd.nist.gov/vuln/detail/CVE-2022-23539", + "https://security.netapp.com/advisory/ntap-20240621-0007", + "https://security.netapp.com/advisory/ntap-20240621-0007/", + "https://www.cve.org/CVERecord?id=CVE-2022-23539", + ], + "vulnerabilityId": "CVE-2022-23539", + }, + "category": "NPM Package Vulnerability", + "description": "Versions \`<=8.5.1\` of \`jsonwebtoken\` library could be misconfigured so that legacy, insecure key types are used for signature verification. For example, DSA keys could be used with the RS256 algorithm. You are affected if you are using an algorithm and a key type other than a combination listed in the GitHub Security Advisory as unaffected. This issue has been fixed, please update to version 9.0.0. This version validates for asymmetric key type and algorithm combinations. Please refer to the above mentioned algorithm / key type combinations for the valid secure configuration. 
After updating to version 9.0.0, if you still intend to continue with signing or verifying tokens using invalid key type/algorithm value combinations, you’ll need to set the \`allowInvalidAsymmetricKeyTypes\` option to \`true\` in the \`sign()\` and/or \`verify()\` functions.", + "location": "bkimminich/juice-shop:v10.2.0", + "mitigation": "Update the affected package jsonwebtoken to the fixed version: 9.0.0 or remove the package from the image.", + "name": "jsonwebtoken: Unrestricted key type could lead to legacy keys usagen", + "osi_layer": "NOT_APPLICABLE", + "references": [ + { + "type": "CVE", + "value": "CVE-2022-23539", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2022-23539", + }, + { + "type": "URL", + "value": "https://access.redhat.com/security/cve/CVE-2022-23539", + }, + { + "type": "URL", + "value": "https://github.com/auth0/node-jsonwebtoken", + }, + { + "type": "URL", + "value": "https://github.com/auth0/node-jsonwebtoken/commit/e1fa9dcc12054a8681db4e6373da1b30cf7016e3", + }, + { + "type": "URL", + "value": "https://github.com/auth0/node-jsonwebtoken/security/advisories/GHSA-8cf7-32gw-wr33", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2022-23539", + }, + { + "type": "URL", + "value": "https://security.netapp.com/advisory/ntap-20240621-0007", + }, + { + "type": "URL", + "value": "https://security.netapp.com/advisory/ntap-20240621-0007/", + }, + { + "type": "URL", + "value": "https://www.cve.org/CVERecord?id=CVE-2022-23539", + }, + ], + "severity": "HIGH", + }, + { + "attributes": { + "fixedVersion": ">=4.2.2", + "foundIn": "Node.js", + "installedVersion": "0.4.0", + "packageName": "jsonwebtoken", + "references": [ + "https://auth0.com/blog/2015/03/31/critical-vulnerabilities-in-json-web-token-libraries/", + "https://github.com/auth0/node-jsonwebtoken/commit/1bb584bc382295eeb7ee8c4452a673a77a68b687", + "https://www.timmclean.net/2015/02/25/jwt-alg-none.html", + ], + "vulnerabilityId": 
"NSWG-ECO-17", + }, + "category": "NPM Package Vulnerability", + "description": "It is possible for an attacker to bypass verification when "a token digitally signed with an asymetric key (RS/ES family) of algorithms but instead the attacker send a token digitally signed with a symmetric algorithm (HS* family)" [1]", + "location": "bkimminich/juice-shop:v10.2.0", + "mitigation": "Update the affected package jsonwebtoken to the fixed version: >=4.2.2 or remove the package from the image.", + "name": "Verification Bypass", + "osi_layer": "NOT_APPLICABLE", + "references": [ + { + "type": "NSWG", + "value": "NSWG-ECO-17", + }, + { + "type": "URL", + "value": "https://github.com/nodejs/security-wg/tree/master/vuln", + }, + { + "type": "URL", + "value": "https://auth0.com/blog/2015/03/31/critical-vulnerabilities-in-json-web-token-libraries/", + }, + { + "type": "URL", + "value": "https://github.com/auth0/node-jsonwebtoken/commit/1bb584bc382295eeb7ee8c4452a673a77a68b687", + }, + { + "type": "URL", + "value": "https://www.timmclean.net/2015/02/25/jwt-alg-none.html", + }, + ], + "severity": "HIGH", + }, + { + "attributes": { + "fixedVersion": "9.0.0", + "foundIn": "Node.js", + "installedVersion": "0.4.0", + "packageName": "jsonwebtoken", + "references": [ + "https://access.redhat.com/security/cve/CVE-2022-23540", + "https://github.com/auth0/node-jsonwebtoken", + "https://github.com/auth0/node-jsonwebtoken/commit/e1fa9dcc12054a8681db4e6373da1b30cf7016e3", + "https://github.com/auth0/node-jsonwebtoken/security/advisories/GHSA-qwph-4952-7xr6", + "https://nvd.nist.gov/vuln/detail/CVE-2022-23540", + "https://security.netapp.com/advisory/ntap-20240621-0007", + "https://security.netapp.com/advisory/ntap-20240621-0007/", + "https://www.cve.org/CVERecord?id=CVE-2022-23540", + ], + "vulnerabilityId": "CVE-2022-23540", + }, + "category": "NPM Package Vulnerability", + "description": "In versions \`<=8.5.1\` of \`jsonwebtoken\` library, lack of algorithm definition in the 
\`jwt.verify()\` function can lead to signature validation bypass due to defaulting to the \`none\` algorithm for signature verification. Users are affected if you do not specify algorithms in the \`jwt.verify()\` function. This issue has been fixed, please update to version 9.0.0 which removes the default support for the none algorithm in the \`jwt.verify()\` method. There will be no impact, if you update to version 9.0.0 and you don’t need to allow for the \`none\` algorithm. If you need 'none' algorithm, you have to explicitly specify that in \`jwt.verify()\` options. +", + "location": "bkimminich/juice-shop:v10.2.0", + "mitigation": "Update the affected package jsonwebtoken to the fixed version: 9.0.0 or remove the package from the image.", + "name": "jsonwebtoken: Insecure default algorithm in jwt.verify() could lead to signature validation bypass", + "osi_layer": "NOT_APPLICABLE", + "references": [ + { + "type": "CVE", + "value": "CVE-2022-23540", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2022-23540", + }, + { + "type": "URL", + "value": "https://access.redhat.com/security/cve/CVE-2022-23540", + }, + { + "type": "URL", + "value": "https://github.com/auth0/node-jsonwebtoken", + }, + { + "type": "URL", + "value": "https://github.com/auth0/node-jsonwebtoken/commit/e1fa9dcc12054a8681db4e6373da1b30cf7016e3", + }, + { + "type": "URL", + "value": "https://github.com/auth0/node-jsonwebtoken/security/advisories/GHSA-qwph-4952-7xr6", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2022-23540", + }, + { + "type": "URL", + "value": "https://security.netapp.com/advisory/ntap-20240621-0007", + }, + { + "type": "URL", + "value": "https://security.netapp.com/advisory/ntap-20240621-0007/", + }, + { + "type": "URL", + "value": "https://www.cve.org/CVERecord?id=CVE-2022-23540", + }, + ], + "severity": "MEDIUM", + }, + { + "attributes": { + "fixedVersion": "9.0.0", + "foundIn": "Node.js", + "installedVersion": "0.4.0", 
+ "packageName": "jsonwebtoken", + "references": [ + "https://access.redhat.com/security/cve/CVE-2022-23541", + "https://github.com/auth0/node-jsonwebtoken", + "https://github.com/auth0/node-jsonwebtoken/commit/e1fa9dcc12054a8681db4e6373da1b30cf7016e3", + "https://github.com/auth0/node-jsonwebtoken/releases/tag/v9.0.0", + "https://github.com/auth0/node-jsonwebtoken/security/advisories/GHSA-hjrf-2m68-5959", + "https://nvd.nist.gov/vuln/detail/CVE-2022-23541", + "https://security.netapp.com/advisory/ntap-20240621-0007", + "https://security.netapp.com/advisory/ntap-20240621-0007/", + "https://www.cve.org/CVERecord?id=CVE-2022-23541", + ], + "vulnerabilityId": "CVE-2022-23541", + }, + "category": "NPM Package Vulnerability", + "description": "jsonwebtoken is an implementation of JSON Web Tokens. Versions \`<= 8.5.1\` of \`jsonwebtoken\` library can be misconfigured so that passing a poorly implemented key retrieval function referring to the \`secretOrPublicKey\` argument from the readme link will result in incorrect verification of tokens. There is a possibility of using a different algorithm and key combination in verification, other than the one that was used to sign the tokens. Specifically, tokens signed with an asymmetric public key could be verified with a symmetric HS256 algorithm. This can lead to successful validation of forged tokens. If your application is supporting usage of both symmetric key and asymmetric key in jwt.verify() implementation with the same key retrieval function. 
This issue has been patched, please update to version 9.0.0.", + "location": "bkimminich/juice-shop:v10.2.0", + "mitigation": "Update the affected package jsonwebtoken to the fixed version: 9.0.0 or remove the package from the image.", + "name": "jsonwebtoken: Insecure implementation of key retrieval function could lead to Forgeable Public/Private Tokens from RSA to HMAC", + "osi_layer": "NOT_APPLICABLE", + "references": [ + { + "type": "CVE", + "value": "CVE-2022-23541", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2022-23541", + }, + { + "type": "URL", + "value": "https://access.redhat.com/security/cve/CVE-2022-23541", + }, + { + "type": "URL", + "value": "https://github.com/auth0/node-jsonwebtoken", + }, + { + "type": "URL", + "value": "https://github.com/auth0/node-jsonwebtoken/commit/e1fa9dcc12054a8681db4e6373da1b30cf7016e3", + }, + { + "type": "URL", + "value": "https://github.com/auth0/node-jsonwebtoken/releases/tag/v9.0.0", + }, + { + "type": "URL", + "value": "https://github.com/auth0/node-jsonwebtoken/security/advisories/GHSA-hjrf-2m68-5959", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2022-23541", + }, + { + "type": "URL", + "value": "https://security.netapp.com/advisory/ntap-20240621-0007", + }, + { + "type": "URL", + "value": "https://security.netapp.com/advisory/ntap-20240621-0007/", + }, + { + "type": "URL", + "value": "https://www.cve.org/CVERecord?id=CVE-2022-23541", + }, + ], + "severity": "MEDIUM", + }, + { + "attributes": { + "fixedVersion": ">=3.0.0", + "foundIn": "Node.js", + "installedVersion": "0.2.6", + "packageName": "jws", + "references": [ + "https://auth0.com/blog/2015/03/31/critical-vulnerabilities-in-json-web-token-libraries", + "https://auth0.com/blog/2015/03/31/critical-vulnerabilities-in-json-web-token-libraries/", + "https://github.com/brianloveswords/node-jws", + 
"https://github.com/brianloveswords/node-jws/commit/585d0e1e97b6747c10cf5b7689ccc5618a89b299#diff-4ac32a78649ca5bdd8e0ba38b7006a1e", + "https://nvd.nist.gov/vuln/detail/CVE-2016-1000223", + "https://snyk.io/vuln/npm:jws:20160726", + "https://www.npmjs.com/advisories/88", + ], + "vulnerabilityId": "CVE-2016-1000223", + }, + "category": "NPM Package Vulnerability", + "description": "Since "algorithm" isn't enforced in \`jws.verify()\`, a malicious user could choose what algorithm is sent to the server. If the server is expecting RSA but is sent HMAC-SHA with RSA's public key, the server will think the public key is actually an HMAC private key. This could be used to forge any data an attacker wants. + +In addition, there is the \`none\` algorithm to be concerned about. In versions prior to 3.0.0, verification of the token could be bypassed when the \`alg\` field is set to \`none\`. + +*Edit ( 7/29/16 ): A previous version of this advisory incorrectly stated that the vulnerability was patched in version 2.0.0 instead of 3.0.0. The advisory has been updated to reflect this new information. 
Thanks to Fabien Catteau for reporting the error.*", + "location": "bkimminich/juice-shop:v10.2.0", + "mitigation": "Update the affected package jws to the fixed version: >=3.0.0 or remove the package from the image.", + "name": "Forgeable Public/Private Tokens", + "osi_layer": "NOT_APPLICABLE", + "references": [ + { + "type": "CVE", + "value": "CVE-2016-1000223", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2016-1000223", + }, + { + "type": "URL", + "value": "https://auth0.com/blog/2015/03/31/critical-vulnerabilities-in-json-web-token-libraries", + }, + { + "type": "URL", + "value": "https://auth0.com/blog/2015/03/31/critical-vulnerabilities-in-json-web-token-libraries/", + }, + { + "type": "URL", + "value": "https://github.com/brianloveswords/node-jws", + }, + { + "type": "URL", + "value": "https://github.com/brianloveswords/node-jws/commit/585d0e1e97b6747c10cf5b7689ccc5618a89b299#diff-4ac32a78649ca5bdd8e0ba38b7006a1e", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2016-1000223", + }, + { + "type": "URL", + "value": "https://snyk.io/vuln/npm:jws:20160726", + }, + { + "type": "URL", + "value": "https://www.npmjs.com/advisories/88", + }, + ], + "severity": "HIGH", + }, + { + "attributes": { + "fixedVersion": undefined, + "foundIn": "Node.js", + "installedVersion": "0.22.0", + "packageName": "libxmljs2", + "references": [ + "https://github.com/marudor/libxmljs2", + "https://github.com/marudor/libxmljs2/issues/204", + "https://nvd.nist.gov/vuln/detail/CVE-2024-34393", + "https://research.jfrog.com/vulnerabilities/libxmljs2-attrs-type-confusion-rce-jfsa-2024-001034097", + "https://research.jfrog.com/vulnerabilities/libxmljs2-attrs-type-confusion-rce-jfsa-2024-001034097/", + ], + "vulnerabilityId": "CVE-2024-34393", + }, + "category": "NPM Package Vulnerability", + "description": "libxmljs2 is vulnerable to a type confusion vulnerability when parsing a specially crafted XML while invoking a function on the 
result of attrs() that was called on a parsed node. This vulnerability might lead to denial of service (on both 32-bit systems and 64-bit systems), data leak, infinite loop and remote code execution (on 32-bit systems with the XML_PARSE_HUGE flag enabled).", + "location": "bkimminich/juice-shop:v10.2.0", + "mitigation": "Update the affected package libxmljs2 to the fixed version: undefined or remove the package from the image.", + "name": "libxmljs2 type confusion vulnerability when parsing specially crafted XML", + "osi_layer": "NOT_APPLICABLE", + "references": [ + { + "type": "CVE", + "value": "CVE-2024-34393", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2024-34393", + }, + { + "type": "URL", + "value": "https://github.com/marudor/libxmljs2", + }, + { + "type": "URL", + "value": "https://github.com/marudor/libxmljs2/issues/204", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2024-34393", + }, + { + "type": "URL", + "value": "https://research.jfrog.com/vulnerabilities/libxmljs2-attrs-type-confusion-rce-jfsa-2024-001034097", + }, + { + "type": "URL", + "value": "https://research.jfrog.com/vulnerabilities/libxmljs2-attrs-type-confusion-rce-jfsa-2024-001034097/", + }, + ], + "severity": "HIGH", + }, + { + "attributes": { + "fixedVersion": undefined, + "foundIn": "Node.js", + "installedVersion": "0.22.0", + "packageName": "libxmljs2", + "references": [ + "https://github.com/marudor/libxmljs2", + "https://github.com/marudor/libxmljs2/issues/205", + "https://nvd.nist.gov/vuln/detail/CVE-2024-34394", + "https://research.jfrog.com/vulnerabilities/libxmljs2-namespaces-type-confusion-rce-jfsa-2024-001034098", + "https://research.jfrog.com/vulnerabilities/libxmljs2-namespaces-type-confusion-rce-jfsa-2024-001034098/", + ], + "vulnerabilityId": "CVE-2024-34394", + }, + "category": "NPM Package Vulnerability", + "description": "libxmljs2 is vulnerable to a type confusion vulnerability when parsing a specially crafted 
XML while invoking the namespaces() function (which invokes XmlNode::get_local_namespaces()) on a grand-child of a node that refers to an entity. This vulnerability can lead to denial of service and remote code execution.", + "location": "bkimminich/juice-shop:v10.2.0", + "mitigation": "Update the affected package libxmljs2 to the fixed version: undefined or remove the package from the image.", + "name": "libxmljs2 vulnerable to type confusion when parsing specially crafted XML", + "osi_layer": "NOT_APPLICABLE", + "references": [ + { + "type": "CVE", + "value": "CVE-2024-34394", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2024-34394", + }, + { + "type": "URL", + "value": "https://github.com/marudor/libxmljs2", + }, + { + "type": "URL", + "value": "https://github.com/marudor/libxmljs2/issues/205", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2024-34394", + }, + { + "type": "URL", + "value": "https://research.jfrog.com/vulnerabilities/libxmljs2-namespaces-type-confusion-rce-jfsa-2024-001034098", + }, + { + "type": "URL", + "value": "https://research.jfrog.com/vulnerabilities/libxmljs2-namespaces-type-confusion-rce-jfsa-2024-001034098/", + }, + ], + "severity": "HIGH", + }, + { + "attributes": { + "fixedVersion": "4.17.12", + "foundIn": "Node.js", + "installedVersion": "2.4.2", + "packageName": "lodash", + "references": [ + "https://access.redhat.com/errata/RHSA-2019:3024", + "https://access.redhat.com/security/cve/CVE-2019-10744", + "https://github.com/lodash/lodash/pull/4336", + "https://nvd.nist.gov/vuln/detail/CVE-2019-10744", + "https://security.netapp.com/advisory/ntap-20191004-0005", + "https://security.netapp.com/advisory/ntap-20191004-0005/", + "https://snyk.io/vuln/SNYK-JS-LODASH-450202", + "https://support.f5.com/csp/article/K47105354?utm_source=f5support&%3Butm_medium=RSS", + "https://support.f5.com/csp/article/K47105354?utm_source=f5support&utm_medium=RSS", + 
"https://www.cve.org/CVERecord?id=CVE-2019-10744", + "https://www.npmjs.com/advisories/1065", + "https://www.oracle.com/security-alerts/cpujan2021.html", + "https://www.oracle.com/security-alerts/cpuoct2020.html", + ], + "vulnerabilityId": "CVE-2019-10744", + }, + "category": "NPM Package Vulnerability", + "description": "Versions of lodash lower than 4.17.12 are vulnerable to Prototype Pollution. The function defaultsDeep could be tricked into adding or modifying properties of Object.prototype using a constructor payload.", + "location": "bkimminich/juice-shop:v10.2.0", + "mitigation": "Update the affected package lodash to the fixed version: 4.17.12 or remove the package from the image.", + "name": "nodejs-lodash: prototype pollution in defaultsDeep function leading to modifying properties", + "osi_layer": "NOT_APPLICABLE", + "references": [ + { + "type": "CVE", + "value": "CVE-2019-10744", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2019-10744", + }, + { + "type": "URL", + "value": "https://access.redhat.com/errata/RHSA-2019:3024", + }, + { + "type": "URL", + "value": "https://access.redhat.com/security/cve/CVE-2019-10744", + }, + { + "type": "URL", + "value": "https://github.com/lodash/lodash/pull/4336", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2019-10744", + }, + { + "type": "URL", + "value": "https://security.netapp.com/advisory/ntap-20191004-0005", + }, + { + "type": "URL", + "value": "https://security.netapp.com/advisory/ntap-20191004-0005/", + }, + { + "type": "URL", + "value": "https://snyk.io/vuln/SNYK-JS-LODASH-450202", + }, + { + "type": "URL", + "value": "https://support.f5.com/csp/article/K47105354?utm_source=f5support&%3Butm_medium=RSS", + }, + { + "type": "URL", + "value": "https://support.f5.com/csp/article/K47105354?utm_source=f5support&utm_medium=RSS", + }, + { + "type": "URL", + "value": "https://www.cve.org/CVERecord?id=CVE-2019-10744", + }, + { + "type": "URL", + "value": 
"https://www.npmjs.com/advisories/1065", + }, + { + "type": "URL", + "value": "https://www.oracle.com/security-alerts/cpujan2021.html", + }, + { + "type": "URL", + "value": "https://www.oracle.com/security-alerts/cpuoct2020.html", + }, + ], + "severity": "HIGH", + }, + { + "attributes": { + "fixedVersion": ">=4.17.11", + "foundIn": "Node.js", + "installedVersion": "2.4.2", + "packageName": "lodash", + "references": [ + "https://access.redhat.com/security/cve/CVE-2018-16487", + "https://github.com/advisories/GHSA-4xc9-xhrj-v574", + "https://github.com/lodash/lodash/commit/90e6199a161b6445b01454517b40ef65ebecd2ad", + "https://hackerone.com/reports/380873", + "https://nvd.nist.gov/vuln/detail/CVE-2018-16487", + "https://security.netapp.com/advisory/ntap-20190919-0004", + "https://security.netapp.com/advisory/ntap-20190919-0004/", + "https://www.cve.org/CVERecord?id=CVE-2018-16487", + "https://www.npmjs.com/advisories/782", + ], + "vulnerabilityId": "CVE-2018-16487", + }, + "category": "NPM Package Vulnerability", + "description": "A prototype pollution vulnerability was found in lodash <4.17.11 where the functions merge, mergeWith, and defaultsDeep can be tricked into adding or modifying properties of Object.prototype.", + "location": "bkimminich/juice-shop:v10.2.0", + "mitigation": "Update the affected package lodash to the fixed version: >=4.17.11 or remove the package from the image.", + "name": "lodash: Prototype pollution in utilities function", + "osi_layer": "NOT_APPLICABLE", + "references": [ + { + "type": "CVE", + "value": "CVE-2018-16487", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2018-16487", + }, + { + "type": "URL", + "value": "https://access.redhat.com/security/cve/CVE-2018-16487", + }, + { + "type": "URL", + "value": "https://github.com/advisories/GHSA-4xc9-xhrj-v574", + }, + { + "type": "URL", + "value": "https://github.com/lodash/lodash/commit/90e6199a161b6445b01454517b40ef65ebecd2ad", + }, + { + "type": "URL", + 
"value": "https://hackerone.com/reports/380873", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2018-16487", + }, + { + "type": "URL", + "value": "https://security.netapp.com/advisory/ntap-20190919-0004", + }, + { + "type": "URL", + "value": "https://security.netapp.com/advisory/ntap-20190919-0004/", + }, + { + "type": "URL", + "value": "https://www.cve.org/CVERecord?id=CVE-2018-16487", + }, + { + "type": "URL", + "value": "https://www.npmjs.com/advisories/782", + }, + ], + "severity": "HIGH", + }, + { + "attributes": { + "fixedVersion": "4.17.21", + "foundIn": "Node.js", + "installedVersion": "2.4.2", + "packageName": "lodash", + "references": [ + "https://access.redhat.com/security/cve/CVE-2021-23337", + "https://cert-portal.siemens.com/productcert/pdf/ssa-637483.pdf", + "https://github.com/lodash/lodash", + "https://github.com/lodash/lodash/blob/ddfd9b11a0126db2302cb70ec9973b66baec0975/lodash.js#L14851", + "https://github.com/lodash/lodash/blob/ddfd9b11a0126db2302cb70ec9973b66baec0975/lodash.js%23L14851", + "https://github.com/lodash/lodash/commit/3469357cff396a26c363f8c1b5a91dde28ba4b1c", + "https://nvd.nist.gov/vuln/detail/CVE-2021-23337", + "https://security.netapp.com/advisory/ntap-20210312-0006", + "https://security.netapp.com/advisory/ntap-20210312-0006/", + "https://snyk.io/vuln/SNYK-JAVA-ORGFUJIONWEBJARS-1074932", + "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-1074930", + "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1074928", + "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBLODASH-1074931", + "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1074929", + "https://snyk.io/vuln/SNYK-JS-LODASH-1040724", + "https://www.cve.org/CVERecord?id=CVE-2021-23337", + "https://www.oracle.com//security-alerts/cpujul2021.html", + "https://www.oracle.com/security-alerts/cpujan2022.html", + "https://www.oracle.com/security-alerts/cpujul2022.html", + "https://www.oracle.com/security-alerts/cpuoct2021.html", + ], + "vulnerabilityId": 
"CVE-2021-23337", + }, + "category": "NPM Package Vulnerability", + "description": "Lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function.", + "location": "bkimminich/juice-shop:v10.2.0", + "mitigation": "Update the affected package lodash to the fixed version: 4.17.21 or remove the package from the image.", + "name": "nodejs-lodash: command injection via template", + "osi_layer": "NOT_APPLICABLE", + "references": [ + { + "type": "CVE", + "value": "CVE-2021-23337", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2021-23337", + }, + { + "type": "URL", + "value": "https://access.redhat.com/security/cve/CVE-2021-23337", + }, + { + "type": "URL", + "value": "https://cert-portal.siemens.com/productcert/pdf/ssa-637483.pdf", + }, + { + "type": "URL", + "value": "https://github.com/lodash/lodash", + }, + { + "type": "URL", + "value": "https://github.com/lodash/lodash/blob/ddfd9b11a0126db2302cb70ec9973b66baec0975/lodash.js#L14851", + }, + { + "type": "URL", + "value": "https://github.com/lodash/lodash/blob/ddfd9b11a0126db2302cb70ec9973b66baec0975/lodash.js%23L14851", + }, + { + "type": "URL", + "value": "https://github.com/lodash/lodash/commit/3469357cff396a26c363f8c1b5a91dde28ba4b1c", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2021-23337", + }, + { + "type": "URL", + "value": "https://security.netapp.com/advisory/ntap-20210312-0006", + }, + { + "type": "URL", + "value": "https://security.netapp.com/advisory/ntap-20210312-0006/", + }, + { + "type": "URL", + "value": "https://snyk.io/vuln/SNYK-JAVA-ORGFUJIONWEBJARS-1074932", + }, + { + "type": "URL", + "value": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-1074930", + }, + { + "type": "URL", + "value": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1074928", + }, + { + "type": "URL", + "value": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBLODASH-1074931", + }, + { + "type": "URL", + "value": 
"https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1074929", + }, + { + "type": "URL", + "value": "https://snyk.io/vuln/SNYK-JS-LODASH-1040724", + }, + { + "type": "URL", + "value": "https://www.cve.org/CVERecord?id=CVE-2021-23337", + }, + { + "type": "URL", + "value": "https://www.oracle.com//security-alerts/cpujul2021.html", + }, + { + "type": "URL", + "value": "https://www.oracle.com/security-alerts/cpujan2022.html", + }, + { + "type": "URL", + "value": "https://www.oracle.com/security-alerts/cpujul2022.html", + }, + { + "type": "URL", + "value": "https://www.oracle.com/security-alerts/cpuoct2021.html", + }, + ], + "severity": "HIGH", + }, + { + "attributes": { + "fixedVersion": "4.17.11", + "foundIn": "Node.js", + "installedVersion": "2.4.2", + "packageName": "lodash", + "references": [ + "https://access.redhat.com/security/cve/CVE-2019-1010266", + "https://github.com/lodash/lodash/commit/5c08f18d365b64063bfbfa686cbb97cdd6267347", + "https://github.com/lodash/lodash/issues/3359", + "https://github.com/lodash/lodash/wiki/Changelog", + "https://nvd.nist.gov/vuln/detail/CVE-2019-1010266", + "https://security.netapp.com/advisory/ntap-20190919-0004", + "https://security.netapp.com/advisory/ntap-20190919-0004/", + "https://snyk.io/vuln/SNYK-JS-LODASH-73639", + "https://www.cve.org/CVERecord?id=CVE-2019-1010266", + ], + "vulnerabilityId": "CVE-2019-1010266", + }, + "category": "NPM Package Vulnerability", + "description": "lodash prior to 4.17.11 is affected by: CWE-400: Uncontrolled Resource Consumption. The impact is: Denial of service. The component is: Date handler. The attack vector is: Attacker provides very long strings, which the library attempts to match using a regular expression. 
The fixed version is: 4.17.11.", + "location": "bkimminich/juice-shop:v10.2.0", + "mitigation": "Update the affected package lodash to the fixed version: 4.17.11 or remove the package from the image.", + "name": "lodash: uncontrolled resource consumption in Data handler causing denial of service", + "osi_layer": "NOT_APPLICABLE", + "references": [ + { + "type": "CVE", + "value": "CVE-2019-1010266", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2019-1010266", + }, + { + "type": "URL", + "value": "https://access.redhat.com/security/cve/CVE-2019-1010266", + }, + { + "type": "URL", + "value": "https://github.com/lodash/lodash/commit/5c08f18d365b64063bfbfa686cbb97cdd6267347", + }, + { + "type": "URL", + "value": "https://github.com/lodash/lodash/issues/3359", + }, + { + "type": "URL", + "value": "https://github.com/lodash/lodash/wiki/Changelog", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2019-1010266", + }, + { + "type": "URL", + "value": "https://security.netapp.com/advisory/ntap-20190919-0004", + }, + { + "type": "URL", + "value": "https://security.netapp.com/advisory/ntap-20190919-0004/", + }, + { + "type": "URL", + "value": "https://snyk.io/vuln/SNYK-JS-LODASH-73639", + }, + { + "type": "URL", + "value": "https://www.cve.org/CVERecord?id=CVE-2019-1010266", + }, + ], + "severity": "MEDIUM", + }, + { + "attributes": { + "fixedVersion": "4.17.21", + "foundIn": "Node.js", + "installedVersion": "2.4.2", + "packageName": "lodash", + "references": [ + "https://access.redhat.com/security/cve/CVE-2020-28500", + "https://cert-portal.siemens.com/productcert/pdf/ssa-637483.pdf", + "https://github.com/lodash/lodash", + "https://github.com/lodash/lodash/blob/npm/trimEnd.js#L8", + "https://github.com/lodash/lodash/blob/npm/trimEnd.js%23L8", + "https://github.com/lodash/lodash/commit/c4847ebe7d14540bb28a8b932a9ce1b9ecbfee1a", + "https://github.com/lodash/lodash/pull/5065", + 
"https://github.com/lodash/lodash/pull/5065/commits/02906b8191d3c100c193fe6f7b27d1c40f200bb7", + "https://nvd.nist.gov/vuln/detail/CVE-2020-28500", + "https://security.netapp.com/advisory/ntap-20210312-0006", + "https://security.netapp.com/advisory/ntap-20210312-0006/", + "https://snyk.io/vuln/SNYK-JAVA-ORGFUJIONWEBJARS-1074896", + "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-1074894", + "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1074892", + "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBLODASH-1074895", + "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1074893", + "https://snyk.io/vuln/SNYK-JS-LODASH-1018905", + "https://www.cve.org/CVERecord?id=CVE-2020-28500", + "https://www.oracle.com//security-alerts/cpujul2021.html", + "https://www.oracle.com/security-alerts/cpujan2022.html", + "https://www.oracle.com/security-alerts/cpujul2022.html", + "https://www.oracle.com/security-alerts/cpuoct2021.html", + ], + "vulnerabilityId": "CVE-2020-28500", + }, + "category": "NPM Package Vulnerability", + "description": "Lodash versions prior to 4.17.21 are vulnerable to Regular Expression Denial of Service (ReDoS) via the toNumber, trim and trimEnd functions.", + "location": "bkimminich/juice-shop:v10.2.0", + "mitigation": "Update the affected package lodash to the fixed version: 4.17.21 or remove the package from the image.", + "name": "nodejs-lodash: ReDoS via the toNumber, trim and trimEnd functions", + "osi_layer": "NOT_APPLICABLE", + "references": [ + { + "type": "CVE", + "value": "CVE-2020-28500", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2020-28500", + }, + { + "type": "URL", + "value": "https://access.redhat.com/security/cve/CVE-2020-28500", + }, + { + "type": "URL", + "value": "https://cert-portal.siemens.com/productcert/pdf/ssa-637483.pdf", + }, + { + "type": "URL", + "value": "https://github.com/lodash/lodash", + }, + { + "type": "URL", + "value": "https://github.com/lodash/lodash/blob/npm/trimEnd.js#L8", + }, + { + "type": 
"URL", + "value": "https://github.com/lodash/lodash/blob/npm/trimEnd.js%23L8", + }, + { + "type": "URL", + "value": "https://github.com/lodash/lodash/commit/c4847ebe7d14540bb28a8b932a9ce1b9ecbfee1a", + }, + { + "type": "URL", + "value": "https://github.com/lodash/lodash/pull/5065", + }, + { + "type": "URL", + "value": "https://github.com/lodash/lodash/pull/5065/commits/02906b8191d3c100c193fe6f7b27d1c40f200bb7", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2020-28500", + }, + { + "type": "URL", + "value": "https://security.netapp.com/advisory/ntap-20210312-0006", + }, + { + "type": "URL", + "value": "https://security.netapp.com/advisory/ntap-20210312-0006/", + }, + { + "type": "URL", + "value": "https://snyk.io/vuln/SNYK-JAVA-ORGFUJIONWEBJARS-1074896", + }, + { + "type": "URL", + "value": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-1074894", + }, + { + "type": "URL", + "value": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1074892", + }, + { + "type": "URL", + "value": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBLODASH-1074895", + }, + { + "type": "URL", + "value": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1074893", + }, + { + "type": "URL", + "value": "https://snyk.io/vuln/SNYK-JS-LODASH-1018905", + }, + { + "type": "URL", + "value": "https://www.cve.org/CVERecord?id=CVE-2020-28500", + }, + { + "type": "URL", + "value": "https://www.oracle.com//security-alerts/cpujul2021.html", + }, + { + "type": "URL", + "value": "https://www.oracle.com/security-alerts/cpujan2022.html", + }, + { + "type": "URL", + "value": "https://www.oracle.com/security-alerts/cpujul2022.html", + }, + { + "type": "URL", + "value": "https://www.oracle.com/security-alerts/cpuoct2021.html", + }, + ], + "severity": "MEDIUM", + }, + { + "attributes": { + "fixedVersion": ">=4.17.5", + "foundIn": "Node.js", + "installedVersion": "2.4.2", + "packageName": "lodash", + "references": [ + "https://access.redhat.com/security/cve/CVE-2018-3721", + 
"https://github.com/advisories/GHSA-fvqr-27wr-82fm", + "https://github.com/lodash/lodash/commit/d8e069cc3410082e44eb18fcf8e7f3d08ebe1d4a", + "https://hackerone.com/reports/310443", + "https://nvd.nist.gov/vuln/detail/CVE-2018-3721", + "https://security.netapp.com/advisory/ntap-20190919-0004", + "https://security.netapp.com/advisory/ntap-20190919-0004/", + "https://www.cve.org/CVERecord?id=CVE-2018-3721", + "https://www.npmjs.com/advisories/577", + ], + "vulnerabilityId": "CVE-2018-3721", + }, + "category": "NPM Package Vulnerability", + "description": "lodash node module before 4.17.5 suffers from a Modification of Assumed-Immutable Data (MAID) vulnerability via defaultsDeep, merge, and mergeWith functions, which allows a malicious user to modify the prototype of "Object" via __proto__, causing the addition or modification of an existing property that will exist on all objects.", + "location": "bkimminich/juice-shop:v10.2.0", + "mitigation": "Update the affected package lodash to the fixed version: >=4.17.5 or remove the package from the image.", + "name": "lodash: Prototype pollution in utilities function", + "osi_layer": "NOT_APPLICABLE", + "references": [ + { + "type": "CVE", + "value": "CVE-2018-3721", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2018-3721", + }, + { + "type": "URL", + "value": "https://access.redhat.com/security/cve/CVE-2018-3721", + }, + { + "type": "URL", + "value": "https://github.com/advisories/GHSA-fvqr-27wr-82fm", + }, + { + "type": "URL", + "value": "https://github.com/lodash/lodash/commit/d8e069cc3410082e44eb18fcf8e7f3d08ebe1d4a", + }, + { + "type": "URL", + "value": "https://hackerone.com/reports/310443", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2018-3721", + }, + { + "type": "URL", + "value": "https://security.netapp.com/advisory/ntap-20190919-0004", + }, + { + "type": "URL", + "value": "https://security.netapp.com/advisory/ntap-20190919-0004/", + }, + { + "type": "URL", 
+ "value": "https://www.cve.org/CVERecord?id=CVE-2018-3721", + }, + { + "type": "URL", + "value": "https://www.npmjs.com/advisories/577", + }, + ], + "severity": "LOW", + }, + { + "attributes": { + "fixedVersion": "4.17.12", + "foundIn": "Node.js", + "installedVersion": "4.17.11", + "packageName": "lodash", + "references": [ + "https://access.redhat.com/errata/RHSA-2019:3024", + "https://access.redhat.com/security/cve/CVE-2019-10744", + "https://github.com/lodash/lodash/pull/4336", + "https://nvd.nist.gov/vuln/detail/CVE-2019-10744", + "https://security.netapp.com/advisory/ntap-20191004-0005", + "https://security.netapp.com/advisory/ntap-20191004-0005/", + "https://snyk.io/vuln/SNYK-JS-LODASH-450202", + "https://support.f5.com/csp/article/K47105354?utm_source=f5support&%3Butm_medium=RSS", + "https://support.f5.com/csp/article/K47105354?utm_source=f5support&utm_medium=RSS", + "https://www.cve.org/CVERecord?id=CVE-2019-10744", + "https://www.npmjs.com/advisories/1065", + "https://www.oracle.com/security-alerts/cpujan2021.html", + "https://www.oracle.com/security-alerts/cpuoct2020.html", + ], + "vulnerabilityId": "CVE-2019-10744", + }, + "category": "NPM Package Vulnerability", + "description": "Versions of lodash lower than 4.17.12 are vulnerable to Prototype Pollution. 
The function defaultsDeep could be tricked into adding or modifying properties of Object.prototype using a constructor payload.", + "location": "bkimminich/juice-shop:v10.2.0", + "mitigation": "Update the affected package lodash to the fixed version: 4.17.12 or remove the package from the image.", + "name": "nodejs-lodash: prototype pollution in defaultsDeep function leading to modifying properties", + "osi_layer": "NOT_APPLICABLE", + "references": [ + { + "type": "CVE", + "value": "CVE-2019-10744", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2019-10744", + }, + { + "type": "URL", + "value": "https://access.redhat.com/errata/RHSA-2019:3024", + }, + { + "type": "URL", + "value": "https://access.redhat.com/security/cve/CVE-2019-10744", + }, + { + "type": "URL", + "value": "https://github.com/lodash/lodash/pull/4336", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2019-10744", + }, + { + "type": "URL", + "value": "https://security.netapp.com/advisory/ntap-20191004-0005", + }, + { + "type": "URL", + "value": "https://security.netapp.com/advisory/ntap-20191004-0005/", + }, + { + "type": "URL", + "value": "https://snyk.io/vuln/SNYK-JS-LODASH-450202", + }, + { + "type": "URL", + "value": "https://support.f5.com/csp/article/K47105354?utm_source=f5support&%3Butm_medium=RSS", + }, + { + "type": "URL", + "value": "https://support.f5.com/csp/article/K47105354?utm_source=f5support&utm_medium=RSS", + }, + { + "type": "URL", + "value": "https://www.cve.org/CVERecord?id=CVE-2019-10744", + }, + { + "type": "URL", + "value": "https://www.npmjs.com/advisories/1065", + }, + { + "type": "URL", + "value": "https://www.oracle.com/security-alerts/cpujan2021.html", + }, + { + "type": "URL", + "value": "https://www.oracle.com/security-alerts/cpuoct2020.html", + }, + ], + "severity": "HIGH", + }, + { + "attributes": { + "fixedVersion": "4.17.19", + "foundIn": "Node.js", + "installedVersion": "4.17.11", + "packageName": "lodash", + 
"references": [ + "https://access.redhat.com/security/cve/CVE-2020-8203", + "https://github.com/github/advisory-database/pull/2884", + "https://github.com/lodash/lodash", + "https://github.com/lodash/lodash/commit/c84fe82760fb2d3e03a63379b297a1cc1a2fce12", + "https://github.com/lodash/lodash/issues/4744", + "https://github.com/lodash/lodash/issues/4874", + "https://github.com/lodash/lodash/wiki/Changelog#v41719", + "https://hackerone.com/reports/712065", + "https://hackerone.com/reports/864701", + "https://nvd.nist.gov/vuln/detail/CVE-2020-8203", + "https://security.netapp.com/advisory/ntap-20200724-0006", + "https://security.netapp.com/advisory/ntap-20200724-0006/", + "https://web.archive.org/web/20210914001339/https://github.com/lodash/lodash/issues/4744", + "https://www.cve.org/CVERecord?id=CVE-2020-8203", + "https://www.npmjs.com/advisories/1523", + "https://www.oracle.com//security-alerts/cpujul2021.html", + "https://www.oracle.com/security-alerts/cpuApr2021.html", + "https://www.oracle.com/security-alerts/cpuapr2022.html", + "https://www.oracle.com/security-alerts/cpujan2022.html", + "https://www.oracle.com/security-alerts/cpuoct2021.html", + ], + "vulnerabilityId": "CVE-2020-8203", + }, + "category": "NPM Package Vulnerability", + "description": "Prototype pollution attack when using _.zipObjectDeep in lodash before 4.17.20.", + "location": "bkimminich/juice-shop:v10.2.0", + "mitigation": "Update the affected package lodash to the fixed version: 4.17.19 or remove the package from the image.", + "name": "nodejs-lodash: prototype pollution in zipObjectDeep function", + "osi_layer": "NOT_APPLICABLE", + "references": [ + { + "type": "CVE", + "value": "CVE-2020-8203", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2020-8203", + }, + { + "type": "URL", + "value": "https://access.redhat.com/security/cve/CVE-2020-8203", + }, + { + "type": "URL", + "value": "https://github.com/github/advisory-database/pull/2884", + }, + { + "type": "URL", 
+ "value": "https://github.com/lodash/lodash", + }, + { + "type": "URL", + "value": "https://github.com/lodash/lodash/commit/c84fe82760fb2d3e03a63379b297a1cc1a2fce12", + }, + { + "type": "URL", + "value": "https://github.com/lodash/lodash/issues/4744", + }, + { + "type": "URL", + "value": "https://github.com/lodash/lodash/issues/4874", + }, + { + "type": "URL", + "value": "https://github.com/lodash/lodash/wiki/Changelog#v41719", + }, + { + "type": "URL", + "value": "https://hackerone.com/reports/712065", + }, + { + "type": "URL", + "value": "https://hackerone.com/reports/864701", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2020-8203", + }, + { + "type": "URL", + "value": "https://security.netapp.com/advisory/ntap-20200724-0006", + }, + { + "type": "URL", + "value": "https://security.netapp.com/advisory/ntap-20200724-0006/", + }, + { + "type": "URL", + "value": "https://web.archive.org/web/20210914001339/https://github.com/lodash/lodash/issues/4744", + }, + { + "type": "URL", + "value": "https://www.cve.org/CVERecord?id=CVE-2020-8203", + }, + { + "type": "URL", + "value": "https://www.npmjs.com/advisories/1523", + }, + { + "type": "URL", + "value": "https://www.oracle.com//security-alerts/cpujul2021.html", + }, + { + "type": "URL", + "value": "https://www.oracle.com/security-alerts/cpuApr2021.html", + }, + { + "type": "URL", + "value": "https://www.oracle.com/security-alerts/cpuapr2022.html", + }, + { + "type": "URL", + "value": "https://www.oracle.com/security-alerts/cpujan2022.html", + }, + { + "type": "URL", + "value": "https://www.oracle.com/security-alerts/cpuoct2021.html", + }, + ], + "severity": "HIGH", + }, + { + "attributes": { + "fixedVersion": "4.17.21", + "foundIn": "Node.js", + "installedVersion": "4.17.11", + "packageName": "lodash", + "references": [ + "https://access.redhat.com/security/cve/CVE-2021-23337", + "https://cert-portal.siemens.com/productcert/pdf/ssa-637483.pdf", + "https://github.com/lodash/lodash", + 
"https://github.com/lodash/lodash/blob/ddfd9b11a0126db2302cb70ec9973b66baec0975/lodash.js#L14851", + "https://github.com/lodash/lodash/blob/ddfd9b11a0126db2302cb70ec9973b66baec0975/lodash.js%23L14851", + "https://github.com/lodash/lodash/commit/3469357cff396a26c363f8c1b5a91dde28ba4b1c", + "https://nvd.nist.gov/vuln/detail/CVE-2021-23337", + "https://security.netapp.com/advisory/ntap-20210312-0006", + "https://security.netapp.com/advisory/ntap-20210312-0006/", + "https://snyk.io/vuln/SNYK-JAVA-ORGFUJIONWEBJARS-1074932", + "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-1074930", + "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1074928", + "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBLODASH-1074931", + "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1074929", + "https://snyk.io/vuln/SNYK-JS-LODASH-1040724", + "https://www.cve.org/CVERecord?id=CVE-2021-23337", + "https://www.oracle.com//security-alerts/cpujul2021.html", + "https://www.oracle.com/security-alerts/cpujan2022.html", + "https://www.oracle.com/security-alerts/cpujul2022.html", + "https://www.oracle.com/security-alerts/cpuoct2021.html", + ], + "vulnerabilityId": "CVE-2021-23337", + }, + "category": "NPM Package Vulnerability", + "description": "Lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function.", + "location": "bkimminich/juice-shop:v10.2.0", + "mitigation": "Update the affected package lodash to the fixed version: 4.17.21 or remove the package from the image.", + "name": "nodejs-lodash: command injection via template", + "osi_layer": "NOT_APPLICABLE", + "references": [ + { + "type": "CVE", + "value": "CVE-2021-23337", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2021-23337", + }, + { + "type": "URL", + "value": "https://access.redhat.com/security/cve/CVE-2021-23337", + }, + { + "type": "URL", + "value": "https://cert-portal.siemens.com/productcert/pdf/ssa-637483.pdf", + }, + { + "type": "URL", + "value": 
"https://github.com/lodash/lodash", + }, + { + "type": "URL", + "value": "https://github.com/lodash/lodash/blob/ddfd9b11a0126db2302cb70ec9973b66baec0975/lodash.js#L14851", + }, + { + "type": "URL", + "value": "https://github.com/lodash/lodash/blob/ddfd9b11a0126db2302cb70ec9973b66baec0975/lodash.js%23L14851", + }, + { + "type": "URL", + "value": "https://github.com/lodash/lodash/commit/3469357cff396a26c363f8c1b5a91dde28ba4b1c", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2021-23337", + }, + { + "type": "URL", + "value": "https://security.netapp.com/advisory/ntap-20210312-0006", + }, + { + "type": "URL", + "value": "https://security.netapp.com/advisory/ntap-20210312-0006/", + }, + { + "type": "URL", + "value": "https://snyk.io/vuln/SNYK-JAVA-ORGFUJIONWEBJARS-1074932", + }, + { + "type": "URL", + "value": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-1074930", + }, + { + "type": "URL", + "value": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1074928", + }, + { + "type": "URL", + "value": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBLODASH-1074931", + }, + { + "type": "URL", + "value": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1074929", + }, + { + "type": "URL", + "value": "https://snyk.io/vuln/SNYK-JS-LODASH-1040724", + }, + { + "type": "URL", + "value": "https://www.cve.org/CVERecord?id=CVE-2021-23337", + }, + { + "type": "URL", + "value": "https://www.oracle.com//security-alerts/cpujul2021.html", + }, + { + "type": "URL", + "value": "https://www.oracle.com/security-alerts/cpujan2022.html", + }, + { + "type": "URL", + "value": "https://www.oracle.com/security-alerts/cpujul2022.html", + }, + { + "type": "URL", + "value": "https://www.oracle.com/security-alerts/cpuoct2021.html", + }, + ], + "severity": "HIGH", + }, + { + "attributes": { + "fixedVersion": "4.17.21", + "foundIn": "Node.js", + "installedVersion": "4.17.11", + "packageName": "lodash", + "references": [ + "https://access.redhat.com/security/cve/CVE-2020-28500", + 
"https://cert-portal.siemens.com/productcert/pdf/ssa-637483.pdf", + "https://github.com/lodash/lodash", + "https://github.com/lodash/lodash/blob/npm/trimEnd.js#L8", + "https://github.com/lodash/lodash/blob/npm/trimEnd.js%23L8", + "https://github.com/lodash/lodash/commit/c4847ebe7d14540bb28a8b932a9ce1b9ecbfee1a", + "https://github.com/lodash/lodash/pull/5065", + "https://github.com/lodash/lodash/pull/5065/commits/02906b8191d3c100c193fe6f7b27d1c40f200bb7", + "https://nvd.nist.gov/vuln/detail/CVE-2020-28500", + "https://security.netapp.com/advisory/ntap-20210312-0006", + "https://security.netapp.com/advisory/ntap-20210312-0006/", + "https://snyk.io/vuln/SNYK-JAVA-ORGFUJIONWEBJARS-1074896", + "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-1074894", + "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1074892", + "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBLODASH-1074895", + "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1074893", + "https://snyk.io/vuln/SNYK-JS-LODASH-1018905", + "https://www.cve.org/CVERecord?id=CVE-2020-28500", + "https://www.oracle.com//security-alerts/cpujul2021.html", + "https://www.oracle.com/security-alerts/cpujan2022.html", + "https://www.oracle.com/security-alerts/cpujul2022.html", + "https://www.oracle.com/security-alerts/cpuoct2021.html", + ], + "vulnerabilityId": "CVE-2020-28500", + }, + "category": "NPM Package Vulnerability", + "description": "Lodash versions prior to 4.17.21 are vulnerable to Regular Expression Denial of Service (ReDoS) via the toNumber, trim and trimEnd functions.", + "location": "bkimminich/juice-shop:v10.2.0", + "mitigation": "Update the affected package lodash to the fixed version: 4.17.21 or remove the package from the image.", + "name": "nodejs-lodash: ReDoS via the toNumber, trim and trimEnd functions", + "osi_layer": "NOT_APPLICABLE", + "references": [ + { + "type": "CVE", + "value": "CVE-2020-28500", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2020-28500", + }, + { + "type": 
"URL", + "value": "https://access.redhat.com/security/cve/CVE-2020-28500", + }, + { + "type": "URL", + "value": "https://cert-portal.siemens.com/productcert/pdf/ssa-637483.pdf", + }, + { + "type": "URL", + "value": "https://github.com/lodash/lodash", + }, + { + "type": "URL", + "value": "https://github.com/lodash/lodash/blob/npm/trimEnd.js#L8", + }, + { + "type": "URL", + "value": "https://github.com/lodash/lodash/blob/npm/trimEnd.js%23L8", + }, + { + "type": "URL", + "value": "https://github.com/lodash/lodash/commit/c4847ebe7d14540bb28a8b932a9ce1b9ecbfee1a", + }, + { + "type": "URL", + "value": "https://github.com/lodash/lodash/pull/5065", + }, + { + "type": "URL", + "value": "https://github.com/lodash/lodash/pull/5065/commits/02906b8191d3c100c193fe6f7b27d1c40f200bb7", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2020-28500", + }, + { + "type": "URL", + "value": "https://security.netapp.com/advisory/ntap-20210312-0006", + }, + { + "type": "URL", + "value": "https://security.netapp.com/advisory/ntap-20210312-0006/", + }, + { + "type": "URL", + "value": "https://snyk.io/vuln/SNYK-JAVA-ORGFUJIONWEBJARS-1074896", + }, + { + "type": "URL", + "value": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-1074894", + }, + { + "type": "URL", + "value": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1074892", + }, + { + "type": "URL", + "value": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBLODASH-1074895", + }, + { + "type": "URL", + "value": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1074893", + }, + { + "type": "URL", + "value": "https://snyk.io/vuln/SNYK-JS-LODASH-1018905", + }, + { + "type": "URL", + "value": "https://www.cve.org/CVERecord?id=CVE-2020-28500", + }, + { + "type": "URL", + "value": "https://www.oracle.com//security-alerts/cpujul2021.html", + }, + { + "type": "URL", + "value": "https://www.oracle.com/security-alerts/cpujan2022.html", + }, + { + "type": "URL", + "value": 
"https://www.oracle.com/security-alerts/cpujul2022.html", + }, + { + "type": "URL", + "value": "https://www.oracle.com/security-alerts/cpuoct2021.html", + }, + ], + "severity": "MEDIUM", + }, + { + "attributes": { + "fixedVersion": "4.17.19", + "foundIn": "Node.js", + "installedVersion": "4.17.15", + "packageName": "lodash", + "references": [ + "https://access.redhat.com/security/cve/CVE-2020-8203", + "https://github.com/github/advisory-database/pull/2884", + "https://github.com/lodash/lodash", + "https://github.com/lodash/lodash/commit/c84fe82760fb2d3e03a63379b297a1cc1a2fce12", + "https://github.com/lodash/lodash/issues/4744", + "https://github.com/lodash/lodash/issues/4874", + "https://github.com/lodash/lodash/wiki/Changelog#v41719", + "https://hackerone.com/reports/712065", + "https://hackerone.com/reports/864701", + "https://nvd.nist.gov/vuln/detail/CVE-2020-8203", + "https://security.netapp.com/advisory/ntap-20200724-0006", + "https://security.netapp.com/advisory/ntap-20200724-0006/", + "https://web.archive.org/web/20210914001339/https://github.com/lodash/lodash/issues/4744", + "https://www.cve.org/CVERecord?id=CVE-2020-8203", + "https://www.npmjs.com/advisories/1523", + "https://www.oracle.com//security-alerts/cpujul2021.html", + "https://www.oracle.com/security-alerts/cpuApr2021.html", + "https://www.oracle.com/security-alerts/cpuapr2022.html", + "https://www.oracle.com/security-alerts/cpujan2022.html", + "https://www.oracle.com/security-alerts/cpuoct2021.html", + ], + "vulnerabilityId": "CVE-2020-8203", + }, + "category": "NPM Package Vulnerability", + "description": "Prototype pollution attack when using _.zipObjectDeep in lodash before 4.17.20.", + "location": "bkimminich/juice-shop:v10.2.0", + "mitigation": "Update the affected package lodash to the fixed version: 4.17.19 or remove the package from the image.", + "name": "nodejs-lodash: prototype pollution in zipObjectDeep function", + "osi_layer": "NOT_APPLICABLE", + "references": [ + { + "type": "CVE", 
+ "value": "CVE-2020-8203", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2020-8203", + }, + { + "type": "URL", + "value": "https://access.redhat.com/security/cve/CVE-2020-8203", + }, + { + "type": "URL", + "value": "https://github.com/github/advisory-database/pull/2884", + }, + { + "type": "URL", + "value": "https://github.com/lodash/lodash", + }, + { + "type": "URL", + "value": "https://github.com/lodash/lodash/commit/c84fe82760fb2d3e03a63379b297a1cc1a2fce12", + }, + { + "type": "URL", + "value": "https://github.com/lodash/lodash/issues/4744", + }, + { + "type": "URL", + "value": "https://github.com/lodash/lodash/issues/4874", + }, + { + "type": "URL", + "value": "https://github.com/lodash/lodash/wiki/Changelog#v41719", + }, + { + "type": "URL", + "value": "https://hackerone.com/reports/712065", + }, + { + "type": "URL", + "value": "https://hackerone.com/reports/864701", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2020-8203", + }, + { + "type": "URL", + "value": "https://security.netapp.com/advisory/ntap-20200724-0006", + }, + { + "type": "URL", + "value": "https://security.netapp.com/advisory/ntap-20200724-0006/", + }, + { + "type": "URL", + "value": "https://web.archive.org/web/20210914001339/https://github.com/lodash/lodash/issues/4744", + }, + { + "type": "URL", + "value": "https://www.cve.org/CVERecord?id=CVE-2020-8203", + }, + { + "type": "URL", + "value": "https://www.npmjs.com/advisories/1523", + }, + { + "type": "URL", + "value": "https://www.oracle.com//security-alerts/cpujul2021.html", + }, + { + "type": "URL", + "value": "https://www.oracle.com/security-alerts/cpuApr2021.html", + }, + { + "type": "URL", + "value": "https://www.oracle.com/security-alerts/cpuapr2022.html", + }, + { + "type": "URL", + "value": "https://www.oracle.com/security-alerts/cpujan2022.html", + }, + { + "type": "URL", + "value": "https://www.oracle.com/security-alerts/cpuoct2021.html", + }, + ], + "severity": "HIGH", + 
}, + { + "attributes": { + "fixedVersion": "4.17.21", + "foundIn": "Node.js", + "installedVersion": "4.17.15", + "packageName": "lodash", + "references": [ + "https://access.redhat.com/security/cve/CVE-2021-23337", + "https://cert-portal.siemens.com/productcert/pdf/ssa-637483.pdf", + "https://github.com/lodash/lodash", + "https://github.com/lodash/lodash/blob/ddfd9b11a0126db2302cb70ec9973b66baec0975/lodash.js#L14851", + "https://github.com/lodash/lodash/blob/ddfd9b11a0126db2302cb70ec9973b66baec0975/lodash.js%23L14851", + "https://github.com/lodash/lodash/commit/3469357cff396a26c363f8c1b5a91dde28ba4b1c", + "https://nvd.nist.gov/vuln/detail/CVE-2021-23337", + "https://security.netapp.com/advisory/ntap-20210312-0006", + "https://security.netapp.com/advisory/ntap-20210312-0006/", + "https://snyk.io/vuln/SNYK-JAVA-ORGFUJIONWEBJARS-1074932", + "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-1074930", + "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1074928", + "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBLODASH-1074931", + "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1074929", + "https://snyk.io/vuln/SNYK-JS-LODASH-1040724", + "https://www.cve.org/CVERecord?id=CVE-2021-23337", + "https://www.oracle.com//security-alerts/cpujul2021.html", + "https://www.oracle.com/security-alerts/cpujan2022.html", + "https://www.oracle.com/security-alerts/cpujul2022.html", + "https://www.oracle.com/security-alerts/cpuoct2021.html", + ], + "vulnerabilityId": "CVE-2021-23337", + }, + "category": "NPM Package Vulnerability", + "description": "Lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function.", + "location": "bkimminich/juice-shop:v10.2.0", + "mitigation": "Update the affected package lodash to the fixed version: 4.17.21 or remove the package from the image.", + "name": "nodejs-lodash: command injection via template", + "osi_layer": "NOT_APPLICABLE", + "references": [ + { + "type": "CVE", + "value": "CVE-2021-23337", + }, + { + "type": "URL", 
+ "value": "https://nvd.nist.gov/vuln/detail/CVE-2021-23337", + }, + { + "type": "URL", + "value": "https://access.redhat.com/security/cve/CVE-2021-23337", + }, + { + "type": "URL", + "value": "https://cert-portal.siemens.com/productcert/pdf/ssa-637483.pdf", + }, + { + "type": "URL", + "value": "https://github.com/lodash/lodash", + }, + { + "type": "URL", + "value": "https://github.com/lodash/lodash/blob/ddfd9b11a0126db2302cb70ec9973b66baec0975/lodash.js#L14851", + }, + { + "type": "URL", + "value": "https://github.com/lodash/lodash/blob/ddfd9b11a0126db2302cb70ec9973b66baec0975/lodash.js%23L14851", + }, + { + "type": "URL", + "value": "https://github.com/lodash/lodash/commit/3469357cff396a26c363f8c1b5a91dde28ba4b1c", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2021-23337", + }, + { + "type": "URL", + "value": "https://security.netapp.com/advisory/ntap-20210312-0006", + }, + { + "type": "URL", + "value": "https://security.netapp.com/advisory/ntap-20210312-0006/", + }, + { + "type": "URL", + "value": "https://snyk.io/vuln/SNYK-JAVA-ORGFUJIONWEBJARS-1074932", + }, + { + "type": "URL", + "value": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-1074930", + }, + { + "type": "URL", + "value": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1074928", + }, + { + "type": "URL", + "value": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBLODASH-1074931", + }, + { + "type": "URL", + "value": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1074929", + }, + { + "type": "URL", + "value": "https://snyk.io/vuln/SNYK-JS-LODASH-1040724", + }, + { + "type": "URL", + "value": "https://www.cve.org/CVERecord?id=CVE-2021-23337", + }, + { + "type": "URL", + "value": "https://www.oracle.com//security-alerts/cpujul2021.html", + }, + { + "type": "URL", + "value": "https://www.oracle.com/security-alerts/cpujan2022.html", + }, + { + "type": "URL", + "value": "https://www.oracle.com/security-alerts/cpujul2022.html", + }, + { + "type": "URL", + "value": 
"https://www.oracle.com/security-alerts/cpuoct2021.html", + }, + ], + "severity": "HIGH", + }, + { + "attributes": { + "fixedVersion": ">=4.17.19", + "foundIn": "Node.js", + "installedVersion": "4.17.15", + "packageName": "lodash", + "references": [ + "https://github.com/lodash/lodash/pull/4759", + "https://hackerone.com/reports/712065", + "https://www.npmjs.com/advisories/1523", + ], + "vulnerabilityId": "NSWG-ECO-516", + }, + "category": "NPM Package Vulnerability", + "description": "Prototype pollution attack (lodash)", + "location": "bkimminich/juice-shop:v10.2.0", + "mitigation": "Update the affected package lodash to the fixed version: >=4.17.19 or remove the package from the image.", + "name": "Allocation of Resources Without Limits or Throttling", + "osi_layer": "NOT_APPLICABLE", + "references": [ + { + "type": "NSWG", + "value": "NSWG-ECO-516", + }, + { + "type": "URL", + "value": "https://github.com/nodejs/security-wg/tree/master/vuln", + }, + { + "type": "URL", + "value": "https://github.com/lodash/lodash/pull/4759", + }, + { + "type": "URL", + "value": "https://hackerone.com/reports/712065", + }, + { + "type": "URL", + "value": "https://www.npmjs.com/advisories/1523", + }, + ], + "severity": "HIGH", + }, + { + "attributes": { + "fixedVersion": "4.17.21", + "foundIn": "Node.js", + "installedVersion": "4.17.15", + "packageName": "lodash", + "references": [ + "https://access.redhat.com/security/cve/CVE-2020-28500", + "https://cert-portal.siemens.com/productcert/pdf/ssa-637483.pdf", + "https://github.com/lodash/lodash", + "https://github.com/lodash/lodash/blob/npm/trimEnd.js#L8", + "https://github.com/lodash/lodash/blob/npm/trimEnd.js%23L8", + "https://github.com/lodash/lodash/commit/c4847ebe7d14540bb28a8b932a9ce1b9ecbfee1a", + "https://github.com/lodash/lodash/pull/5065", + "https://github.com/lodash/lodash/pull/5065/commits/02906b8191d3c100c193fe6f7b27d1c40f200bb7", + "https://nvd.nist.gov/vuln/detail/CVE-2020-28500", + 
"https://security.netapp.com/advisory/ntap-20210312-0006", + "https://security.netapp.com/advisory/ntap-20210312-0006/", + "https://snyk.io/vuln/SNYK-JAVA-ORGFUJIONWEBJARS-1074896", + "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-1074894", + "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1074892", + "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBLODASH-1074895", + "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1074893", + "https://snyk.io/vuln/SNYK-JS-LODASH-1018905", + "https://www.cve.org/CVERecord?id=CVE-2020-28500", + "https://www.oracle.com//security-alerts/cpujul2021.html", + "https://www.oracle.com/security-alerts/cpujan2022.html", + "https://www.oracle.com/security-alerts/cpujul2022.html", + "https://www.oracle.com/security-alerts/cpuoct2021.html", + ], + "vulnerabilityId": "CVE-2020-28500", + }, + "category": "NPM Package Vulnerability", + "description": "Lodash versions prior to 4.17.21 are vulnerable to Regular Expression Denial of Service (ReDoS) via the toNumber, trim and trimEnd functions.", + "location": "bkimminich/juice-shop:v10.2.0", + "mitigation": "Update the affected package lodash to the fixed version: 4.17.21 or remove the package from the image.", + "name": "nodejs-lodash: ReDoS via the toNumber, trim and trimEnd functions", + "osi_layer": "NOT_APPLICABLE", + "references": [ + { + "type": "CVE", + "value": "CVE-2020-28500", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2020-28500", + }, + { + "type": "URL", + "value": "https://access.redhat.com/security/cve/CVE-2020-28500", + }, + { + "type": "URL", + "value": "https://cert-portal.siemens.com/productcert/pdf/ssa-637483.pdf", + }, + { + "type": "URL", + "value": "https://github.com/lodash/lodash", + }, + { + "type": "URL", + "value": "https://github.com/lodash/lodash/blob/npm/trimEnd.js#L8", + }, + { + "type": "URL", + "value": "https://github.com/lodash/lodash/blob/npm/trimEnd.js%23L8", + }, + { + "type": "URL", + "value": 
"https://github.com/lodash/lodash/commit/c4847ebe7d14540bb28a8b932a9ce1b9ecbfee1a", + }, + { + "type": "URL", + "value": "https://github.com/lodash/lodash/pull/5065", + }, + { + "type": "URL", + "value": "https://github.com/lodash/lodash/pull/5065/commits/02906b8191d3c100c193fe6f7b27d1c40f200bb7", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2020-28500", + }, + { + "type": "URL", + "value": "https://security.netapp.com/advisory/ntap-20210312-0006", + }, + { + "type": "URL", + "value": "https://security.netapp.com/advisory/ntap-20210312-0006/", + }, + { + "type": "URL", + "value": "https://snyk.io/vuln/SNYK-JAVA-ORGFUJIONWEBJARS-1074896", + }, + { + "type": "URL", + "value": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-1074894", + }, + { + "type": "URL", + "value": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1074892", + }, + { + "type": "URL", + "value": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBLODASH-1074895", + }, + { + "type": "URL", + "value": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1074893", + }, + { + "type": "URL", + "value": "https://snyk.io/vuln/SNYK-JS-LODASH-1018905", + }, + { + "type": "URL", + "value": "https://www.cve.org/CVERecord?id=CVE-2020-28500", + }, + { + "type": "URL", + "value": "https://www.oracle.com//security-alerts/cpujul2021.html", + }, + { + "type": "URL", + "value": "https://www.oracle.com/security-alerts/cpujan2022.html", + }, + { + "type": "URL", + "value": "https://www.oracle.com/security-alerts/cpujul2022.html", + }, + { + "type": "URL", + "value": "https://www.oracle.com/security-alerts/cpuoct2021.html", + }, + ], + "severity": "MEDIUM", + }, + { + "attributes": { + "fixedVersion": undefined, + "foundIn": "Node.js", + "installedVersion": "4.3.2", + "packageName": "lodash.set", + "references": [ + "https://access.redhat.com/security/cve/CVE-2020-8203", + "https://github.com/github/advisory-database/pull/2884", + "https://github.com/lodash/lodash", + 
"https://github.com/lodash/lodash/commit/c84fe82760fb2d3e03a63379b297a1cc1a2fce12", + "https://github.com/lodash/lodash/issues/4744", + "https://github.com/lodash/lodash/issues/4874", + "https://github.com/lodash/lodash/wiki/Changelog#v41719", + "https://hackerone.com/reports/712065", + "https://hackerone.com/reports/864701", + "https://nvd.nist.gov/vuln/detail/CVE-2020-8203", + "https://security.netapp.com/advisory/ntap-20200724-0006", + "https://security.netapp.com/advisory/ntap-20200724-0006/", + "https://web.archive.org/web/20210914001339/https://github.com/lodash/lodash/issues/4744", + "https://www.cve.org/CVERecord?id=CVE-2020-8203", + "https://www.npmjs.com/advisories/1523", + "https://www.oracle.com//security-alerts/cpujul2021.html", + "https://www.oracle.com/security-alerts/cpuApr2021.html", + "https://www.oracle.com/security-alerts/cpuapr2022.html", + "https://www.oracle.com/security-alerts/cpujan2022.html", + "https://www.oracle.com/security-alerts/cpuoct2021.html", + ], + "vulnerabilityId": "CVE-2020-8203", + }, + "category": "NPM Package Vulnerability", + "description": "Prototype pollution attack when using _.zipObjectDeep in lodash before 4.17.20.", + "location": "bkimminich/juice-shop:v10.2.0", + "mitigation": "Update the affected package lodash.set to the fixed version: undefined or remove the package from the image.", + "name": "nodejs-lodash: prototype pollution in zipObjectDeep function", + "osi_layer": "NOT_APPLICABLE", + "references": [ + { + "type": "CVE", + "value": "CVE-2020-8203", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2020-8203", + }, + { + "type": "URL", + "value": "https://access.redhat.com/security/cve/CVE-2020-8203", + }, + { + "type": "URL", + "value": "https://github.com/github/advisory-database/pull/2884", + }, + { + "type": "URL", + "value": "https://github.com/lodash/lodash", + }, + { + "type": "URL", + "value": "https://github.com/lodash/lodash/commit/c84fe82760fb2d3e03a63379b297a1cc1a2fce12", 
+ }, + { + "type": "URL", + "value": "https://github.com/lodash/lodash/issues/4744", + }, + { + "type": "URL", + "value": "https://github.com/lodash/lodash/issues/4874", + }, + { + "type": "URL", + "value": "https://github.com/lodash/lodash/wiki/Changelog#v41719", + }, + { + "type": "URL", + "value": "https://hackerone.com/reports/712065", + }, + { + "type": "URL", + "value": "https://hackerone.com/reports/864701", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2020-8203", + }, + { + "type": "URL", + "value": "https://security.netapp.com/advisory/ntap-20200724-0006", + }, + { + "type": "URL", + "value": "https://security.netapp.com/advisory/ntap-20200724-0006/", + }, + { + "type": "URL", + "value": "https://web.archive.org/web/20210914001339/https://github.com/lodash/lodash/issues/4744", + }, + { + "type": "URL", + "value": "https://www.cve.org/CVERecord?id=CVE-2020-8203", + }, + { + "type": "URL", + "value": "https://www.npmjs.com/advisories/1523", + }, + { + "type": "URL", + "value": "https://www.oracle.com//security-alerts/cpujul2021.html", + }, + { + "type": "URL", + "value": "https://www.oracle.com/security-alerts/cpuApr2021.html", + }, + { + "type": "URL", + "value": "https://www.oracle.com/security-alerts/cpuapr2022.html", + }, + { + "type": "URL", + "value": "https://www.oracle.com/security-alerts/cpujan2022.html", + }, + { + "type": "URL", + "value": "https://www.oracle.com/security-alerts/cpuoct2021.html", + }, + ], + "severity": "HIGH", + }, + { + "attributes": { + "fixedVersion": undefined, + "foundIn": "Node.js", + "installedVersion": "0.6.11", + "packageName": "marsdb", + "references": [ + "https://github.com/bkimminich/juice-shop/issues/1173", + "https://www.npmjs.com/advisories/1122", + ], + "vulnerabilityId": "GHSA-5mrr-rgp6-x4gr", + }, + "category": "NPM Package Vulnerability", + "description": "All versions of \`marsdb\` are vulnerable to Command Injection. 
In the \`DocumentMatcher\` class, selectors on \`$where\` clauses are passed to a Function constructor unsanitized. This allows attackers to run arbitrary commands in the system when the function is executed. + + +## Recommendation + +No fix is currently available. Consider using an alternative package until a fix is made available.", + "location": "bkimminich/juice-shop:v10.2.0", + "mitigation": "Update the affected package marsdb to the fixed version: undefined or remove the package from the image.", + "name": "Command Injection in marsdb", + "osi_layer": "NOT_APPLICABLE", + "references": [ + { + "type": "URL", + "value": "https://github.com/bkimminich/juice-shop/issues/1173", + }, + { + "type": "URL", + "value": "https://www.npmjs.com/advisories/1122", + }, + ], + "severity": "HIGH", + }, + { + "attributes": { + "fixedVersion": "4.0.8", + "foundIn": "Node.js", + "installedVersion": "3.1.10", + "packageName": "micromatch", + "references": [ + "https://access.redhat.com/security/cve/CVE-2024-4067", + "https://advisory.checkmarx.net/advisory/CVE-2024-4067", + "https://advisory.checkmarx.net/advisory/CVE-2024-4067/", + "https://devhub.checkmarx.com/cve-details/CVE-2024-4067", + "https://devhub.checkmarx.com/cve-details/CVE-2024-4067/", + "https://github.com/micromatch/micromatch", + "https://github.com/micromatch/micromatch/blob/2c56a8604b68c1099e7bc0f807ce0865a339747a/index.js#L448", + "https://github.com/micromatch/micromatch/commit/03aa8052171e878897eee5d7bb2ae0ae83ec2ade", + "https://github.com/micromatch/micromatch/commit/500d5d6f42f0e8dfa1cb5464c6cb420b1b6aaaa0", + "https://github.com/micromatch/micromatch/issues/243", + "https://github.com/micromatch/micromatch/pull/247", + "https://github.com/micromatch/micromatch/pull/266", + "https://github.com/micromatch/micromatch/releases/tag/4.0.8", + "https://nvd.nist.gov/vuln/detail/CVE-2024-4067", + "https://www.cve.org/CVERecord?id=CVE-2024-4067", + ], + "vulnerabilityId": "CVE-2024-4067", + }, + "category": "NPM 
Package Vulnerability", + "description": "The NPM package \`micromatch\` prior to 4.0.8 is vulnerable to Regular Expression Denial of Service (ReDoS). The vulnerability occurs in \`micromatch.braces()\` in \`index.js\` because the pattern \`.*\` will greedily match anything. By passing a malicious payload, the pattern matching will keep backtracking to the input while it doesn't find the closing bracket. As the input size increases, the consumption time will also increase until it causes the application to hang or slow down. There was a merged fix but further testing shows the issue persists. This issue should be mitigated by using a safe pattern that won't start backtracking the regular expression due to greedy matching. This issue was fixed in version 4.0.8.", + "location": "bkimminich/juice-shop:v10.2.0", + "mitigation": "Update the affected package micromatch to the fixed version: 4.0.8 or remove the package from the image.", + "name": "micromatch: vulnerable to Regular Expression Denial of Service", + "osi_layer": "NOT_APPLICABLE", + "references": [ + { + "type": "CVE", + "value": "CVE-2024-4067", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2024-4067", + }, + { + "type": "URL", + "value": "https://access.redhat.com/security/cve/CVE-2024-4067", + }, + { + "type": "URL", + "value": "https://advisory.checkmarx.net/advisory/CVE-2024-4067", + }, + { + "type": "URL", + "value": "https://advisory.checkmarx.net/advisory/CVE-2024-4067/", + }, + { + "type": "URL", + "value": "https://devhub.checkmarx.com/cve-details/CVE-2024-4067", + }, + { + "type": "URL", + "value": "https://devhub.checkmarx.com/cve-details/CVE-2024-4067/", + }, + { + "type": "URL", + "value": "https://github.com/micromatch/micromatch", + }, + { + "type": "URL", + "value": "https://github.com/micromatch/micromatch/blob/2c56a8604b68c1099e7bc0f807ce0865a339747a/index.js#L448", + }, + { + "type": "URL", + "value": 
"https://github.com/micromatch/micromatch/commit/03aa8052171e878897eee5d7bb2ae0ae83ec2ade", + }, + { + "type": "URL", + "value": "https://github.com/micromatch/micromatch/commit/500d5d6f42f0e8dfa1cb5464c6cb420b1b6aaaa0", + }, + { + "type": "URL", + "value": "https://github.com/micromatch/micromatch/issues/243", + }, + { + "type": "URL", + "value": "https://github.com/micromatch/micromatch/pull/247", + }, + { + "type": "URL", + "value": "https://github.com/micromatch/micromatch/pull/266", + }, + { + "type": "URL", + "value": "https://github.com/micromatch/micromatch/releases/tag/4.0.8", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2024-4067", + }, + { + "type": "URL", + "value": "https://www.cve.org/CVERecord?id=CVE-2024-4067", + }, + ], + "severity": "MEDIUM", + }, + { + "attributes": { + "fixedVersion": "3.0.5", + "foundIn": "Node.js", + "installedVersion": "3.0.4", + "packageName": "minimatch", + "references": [ + "https://access.redhat.com/errata/RHSA-2023:0321", + "https://access.redhat.com/security/cve/CVE-2022-3517", + "https://bugzilla.redhat.com/2066009", + "https://bugzilla.redhat.com/2130518", + "https://bugzilla.redhat.com/2134609", + "https://bugzilla.redhat.com/2140911", + "https://bugzilla.redhat.com/show_bug.cgi?id=2066009", + "https://bugzilla.redhat.com/show_bug.cgi?id=2130518", + "https://bugzilla.redhat.com/show_bug.cgi?id=2134609", + "https://bugzilla.redhat.com/show_bug.cgi?id=2140911", + "https://bugzilla.redhat.com/show_bug.cgi?id=2142808", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44906", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3517", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-35256", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-43548", + "https://errata.almalinux.org/9/ALSA-2023-0321.html", + "https://errata.rockylinux.org/RLSA-2023:0321", + "https://github.com/grafana/grafana-image-renderer/issues/329", + "https://github.com/isaacs/minimatch", + 
"https://github.com/isaacs/minimatch/commit/a8763f4388e51956be62dc6025cec1126beeb5e6", + "https://github.com/isaacs/minimatch/commit/a8763f4388e51956be62dc6025cec1126beeb5e6 (v3.0.5)", + "https://github.com/nodejs/node/issues/42510", + "https://linux.oracle.com/cve/CVE-2022-3517.html", + "https://linux.oracle.com/errata/ELSA-2023-1743.html", + "https://lists.debian.org/debian-lts-announce/2023/01/msg00011.html", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MTEUUTNIEBHGKUKKLNUZSV7IEP6IP3Q3/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UM6XJ73Q3NAM5KSGCOKJ2ZIA6GUWUJLK/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MTEUUTNIEBHGKUKKLNUZSV7IEP6IP3Q3", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UM6XJ73Q3NAM5KSGCOKJ2ZIA6GUWUJLK", + "https://nvd.nist.gov/vuln/detail/CVE-2022-3517", + "https://ubuntu.com/security/notices/USN-6086-1", + "https://www.cve.org/CVERecord?id=CVE-2022-3517", + ], + "vulnerabilityId": "CVE-2022-3517", + }, + "category": "NPM Package Vulnerability", + "description": "A vulnerability was found in the minimatch package. 
This flaw allows a Regular Expression Denial of Service (ReDoS) when calling the braceExpand function with specific arguments, resulting in a Denial of Service.", + "location": "bkimminich/juice-shop:v10.2.0", + "mitigation": "Update the affected package minimatch to the fixed version: 3.0.5 or remove the package from the image.", + "name": "nodejs-minimatch: ReDoS via the braceExpand function", + "osi_layer": "NOT_APPLICABLE", + "references": [ + { + "type": "CVE", + "value": "CVE-2022-3517", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2022-3517", + }, + { + "type": "URL", + "value": "https://access.redhat.com/errata/RHSA-2023:0321", + }, + { + "type": "URL", + "value": "https://access.redhat.com/security/cve/CVE-2022-3517", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/2066009", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/2130518", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/2134609", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/2140911", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/show_bug.cgi?id=2066009", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/show_bug.cgi?id=2130518", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/show_bug.cgi?id=2134609", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/show_bug.cgi?id=2140911", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/show_bug.cgi?id=2142808", + }, + { + "type": "URL", + "value": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44906", + }, + { + "type": "URL", + "value": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3517", + }, + { + "type": "URL", + "value": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-35256", + }, + { + "type": "URL", + "value": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-43548", + }, + { + "type": "URL", + "value": 
"https://errata.almalinux.org/9/ALSA-2023-0321.html", + }, + { + "type": "URL", + "value": "https://errata.rockylinux.org/RLSA-2023:0321", + }, + { + "type": "URL", + "value": "https://github.com/grafana/grafana-image-renderer/issues/329", + }, + { + "type": "URL", + "value": "https://github.com/isaacs/minimatch", + }, + { + "type": "URL", + "value": "https://github.com/isaacs/minimatch/commit/a8763f4388e51956be62dc6025cec1126beeb5e6", + }, + { + "type": "URL", + "value": "https://github.com/isaacs/minimatch/commit/a8763f4388e51956be62dc6025cec1126beeb5e6 (v3.0.5)", + }, + { + "type": "URL", + "value": "https://github.com/nodejs/node/issues/42510", + }, + { + "type": "URL", + "value": "https://linux.oracle.com/cve/CVE-2022-3517.html", + }, + { + "type": "URL", + "value": "https://linux.oracle.com/errata/ELSA-2023-1743.html", + }, + { + "type": "URL", + "value": "https://lists.debian.org/debian-lts-announce/2023/01/msg00011.html", + }, + { + "type": "URL", + "value": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MTEUUTNIEBHGKUKKLNUZSV7IEP6IP3Q3/", + }, + { + "type": "URL", + "value": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UM6XJ73Q3NAM5KSGCOKJ2ZIA6GUWUJLK/", + }, + { + "type": "URL", + "value": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MTEUUTNIEBHGKUKKLNUZSV7IEP6IP3Q3", + }, + { + "type": "URL", + "value": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UM6XJ73Q3NAM5KSGCOKJ2ZIA6GUWUJLK", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2022-3517", + }, + { + "type": "URL", + "value": "https://ubuntu.com/security/notices/USN-6086-1", + }, + { + "type": "URL", + "value": "https://www.cve.org/CVERecord?id=CVE-2022-3517", + }, + ], + "severity": "HIGH", + }, + { + "attributes": { + "fixedVersion": "3.0.5", + "foundIn": "Node.js", + 
"installedVersion": "3.0.4", + "packageName": "minimatch", + "references": [ + "https://access.redhat.com/errata/RHSA-2023:0321", + "https://access.redhat.com/security/cve/CVE-2022-3517", + "https://bugzilla.redhat.com/2066009", + "https://bugzilla.redhat.com/2130518", + "https://bugzilla.redhat.com/2134609", + "https://bugzilla.redhat.com/2140911", + "https://bugzilla.redhat.com/show_bug.cgi?id=2066009", + "https://bugzilla.redhat.com/show_bug.cgi?id=2130518", + "https://bugzilla.redhat.com/show_bug.cgi?id=2134609", + "https://bugzilla.redhat.com/show_bug.cgi?id=2140911", + "https://bugzilla.redhat.com/show_bug.cgi?id=2142808", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44906", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3517", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-35256", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-43548", + "https://errata.almalinux.org/9/ALSA-2023-0321.html", + "https://errata.rockylinux.org/RLSA-2023:0321", + "https://github.com/grafana/grafana-image-renderer/issues/329", + "https://github.com/isaacs/minimatch", + "https://github.com/isaacs/minimatch/commit/a8763f4388e51956be62dc6025cec1126beeb5e6", + "https://github.com/isaacs/minimatch/commit/a8763f4388e51956be62dc6025cec1126beeb5e6 (v3.0.5)", + "https://github.com/nodejs/node/issues/42510", + "https://linux.oracle.com/cve/CVE-2022-3517.html", + "https://linux.oracle.com/errata/ELSA-2023-1743.html", + "https://lists.debian.org/debian-lts-announce/2023/01/msg00011.html", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MTEUUTNIEBHGKUKKLNUZSV7IEP6IP3Q3/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UM6XJ73Q3NAM5KSGCOKJ2ZIA6GUWUJLK/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MTEUUTNIEBHGKUKKLNUZSV7IEP6IP3Q3", + 
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UM6XJ73Q3NAM5KSGCOKJ2ZIA6GUWUJLK", + "https://nvd.nist.gov/vuln/detail/CVE-2022-3517", + "https://ubuntu.com/security/notices/USN-6086-1", + "https://www.cve.org/CVERecord?id=CVE-2022-3517", + ], + "vulnerabilityId": "CVE-2022-3517", + }, + "category": "NPM Package Vulnerability", + "description": "A vulnerability was found in the minimatch package. This flaw allows a Regular Expression Denial of Service (ReDoS) when calling the braceExpand function with specific arguments, resulting in a Denial of Service.", + "location": "bkimminich/juice-shop:v10.2.0", + "mitigation": "Update the affected package minimatch to the fixed version: 3.0.5 or remove the package from the image.", + "name": "nodejs-minimatch: ReDoS via the braceExpand function", + "osi_layer": "NOT_APPLICABLE", + "references": [ + { + "type": "CVE", + "value": "CVE-2022-3517", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2022-3517", + }, + { + "type": "URL", + "value": "https://access.redhat.com/errata/RHSA-2023:0321", + }, + { + "type": "URL", + "value": "https://access.redhat.com/security/cve/CVE-2022-3517", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/2066009", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/2130518", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/2134609", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/2140911", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/show_bug.cgi?id=2066009", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/show_bug.cgi?id=2130518", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/show_bug.cgi?id=2134609", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/show_bug.cgi?id=2140911", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/show_bug.cgi?id=2142808", + }, + { + "type": 
"URL", + "value": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44906", + }, + { + "type": "URL", + "value": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3517", + }, + { + "type": "URL", + "value": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-35256", + }, + { + "type": "URL", + "value": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-43548", + }, + { + "type": "URL", + "value": "https://errata.almalinux.org/9/ALSA-2023-0321.html", + }, + { + "type": "URL", + "value": "https://errata.rockylinux.org/RLSA-2023:0321", + }, + { + "type": "URL", + "value": "https://github.com/grafana/grafana-image-renderer/issues/329", + }, + { + "type": "URL", + "value": "https://github.com/isaacs/minimatch", + }, + { + "type": "URL", + "value": "https://github.com/isaacs/minimatch/commit/a8763f4388e51956be62dc6025cec1126beeb5e6", + }, + { + "type": "URL", + "value": "https://github.com/isaacs/minimatch/commit/a8763f4388e51956be62dc6025cec1126beeb5e6 (v3.0.5)", + }, + { + "type": "URL", + "value": "https://github.com/nodejs/node/issues/42510", + }, + { + "type": "URL", + "value": "https://linux.oracle.com/cve/CVE-2022-3517.html", + }, + { + "type": "URL", + "value": "https://linux.oracle.com/errata/ELSA-2023-1743.html", + }, + { + "type": "URL", + "value": "https://lists.debian.org/debian-lts-announce/2023/01/msg00011.html", + }, + { + "type": "URL", + "value": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MTEUUTNIEBHGKUKKLNUZSV7IEP6IP3Q3/", + }, + { + "type": "URL", + "value": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UM6XJ73Q3NAM5KSGCOKJ2ZIA6GUWUJLK/", + }, + { + "type": "URL", + "value": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MTEUUTNIEBHGKUKKLNUZSV7IEP6IP3Q3", + }, + { + "type": "URL", + "value": 
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UM6XJ73Q3NAM5KSGCOKJ2ZIA6GUWUJLK", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2022-3517", + }, + { + "type": "URL", + "value": "https://ubuntu.com/security/notices/USN-6086-1", + }, + { + "type": "URL", + "value": "https://www.cve.org/CVERecord?id=CVE-2022-3517", + }, + ], + "severity": "HIGH", + }, + { + "attributes": { + "fixedVersion": "1.2.6, 0.2.4", + "foundIn": "Node.js", + "installedVersion": "0.0.10", + "packageName": "minimist", + "references": [ + "https://access.redhat.com/errata/RHSA-2023:0321", + "https://access.redhat.com/security/cve/CVE-2021-44906", + "https://bugzilla.redhat.com/2066009", + "https://bugzilla.redhat.com/2130518", + "https://bugzilla.redhat.com/2134609", + "https://bugzilla.redhat.com/2140911", + "https://bugzilla.redhat.com/show_bug.cgi?id=2066009", + "https://bugzilla.redhat.com/show_bug.cgi?id=2130518", + "https://bugzilla.redhat.com/show_bug.cgi?id=2134609", + "https://bugzilla.redhat.com/show_bug.cgi?id=2140911", + "https://bugzilla.redhat.com/show_bug.cgi?id=2142808", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44906", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3517", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-35256", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-43548", + "https://errata.almalinux.org/9/ALSA-2023-0321.html", + "https://errata.rockylinux.org/RLSA-2023:0321", + "https://github.com/Marynk/JavaScript-vulnerability-detection/blob/main/minimist%20PoC.zip", + "https://github.com/advisories/GHSA-xvch-5gv4-984h", + "https://github.com/minimistjs/minimist/commit/34e20b8461118608703d6485326abbb8e35e1703", + "https://github.com/minimistjs/minimist/commit/bc8ecee43875261f4f17eb20b1243d3ed15e70eb", + "https://github.com/minimistjs/minimist/commit/c2b981977fa834b223b408cfb860f933c9811e4d", + 
"https://github.com/minimistjs/minimist/commit/ef9153fc52b6cea0744b2239921c5dcae4697f11", + "https://github.com/minimistjs/minimist/commits/v0.2.4", + "https://github.com/minimistjs/minimist/issues/11", + "https://github.com/minimistjs/minimist/pull/24", + "https://github.com/substack/minimist", + "https://github.com/substack/minimist/blob/master/index.js#L69", + "https://github.com/substack/minimist/issues/164", + "https://linux.oracle.com/cve/CVE-2021-44906.html", + "https://linux.oracle.com/errata/ELSA-2023-0321.html", + "https://nvd.nist.gov/vuln/detail/CVE-2021-44906", + "https://security.netapp.com/advisory/ntap-20240621-0006", + "https://security.netapp.com/advisory/ntap-20240621-0006/", + "https://snyk.io/vuln/SNYK-JS-MINIMIST-559764", + "https://stackoverflow.com/questions/8588563/adding-custom-properties-to-a-function/20278068#20278068", + "https://www.cve.org/CVERecord?id=CVE-2021-44906", + ], + "vulnerabilityId": "CVE-2021-44906", + }, + "category": "NPM Package Vulnerability", + "description": "Minimist <=1.2.5 is vulnerable to Prototype Pollution via file index.js, function setKey() (lines 69-95).", + "location": "bkimminich/juice-shop:v10.2.0", + "mitigation": "Update the affected package minimist to the fixed version: 1.2.6, 0.2.4 or remove the package from the image.", + "name": "minimist: prototype pollution", + "osi_layer": "NOT_APPLICABLE", + "references": [ + { + "type": "CVE", + "value": "CVE-2021-44906", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2021-44906", + }, + { + "type": "URL", + "value": "https://access.redhat.com/errata/RHSA-2023:0321", + }, + { + "type": "URL", + "value": "https://access.redhat.com/security/cve/CVE-2021-44906", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/2066009", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/2130518", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/2134609", + }, + { + "type": "URL", + "value": 
"https://bugzilla.redhat.com/2140911", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/show_bug.cgi?id=2066009", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/show_bug.cgi?id=2130518", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/show_bug.cgi?id=2134609", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/show_bug.cgi?id=2140911", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/show_bug.cgi?id=2142808", + }, + { + "type": "URL", + "value": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44906", + }, + { + "type": "URL", + "value": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3517", + }, + { + "type": "URL", + "value": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-35256", + }, + { + "type": "URL", + "value": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-43548", + }, + { + "type": "URL", + "value": "https://errata.almalinux.org/9/ALSA-2023-0321.html", + }, + { + "type": "URL", + "value": "https://errata.rockylinux.org/RLSA-2023:0321", + }, + { + "type": "URL", + "value": "https://github.com/Marynk/JavaScript-vulnerability-detection/blob/main/minimist%20PoC.zip", + }, + { + "type": "URL", + "value": "https://github.com/advisories/GHSA-xvch-5gv4-984h", + }, + { + "type": "URL", + "value": "https://github.com/minimistjs/minimist/commit/34e20b8461118608703d6485326abbb8e35e1703", + }, + { + "type": "URL", + "value": "https://github.com/minimistjs/minimist/commit/bc8ecee43875261f4f17eb20b1243d3ed15e70eb", + }, + { + "type": "URL", + "value": "https://github.com/minimistjs/minimist/commit/c2b981977fa834b223b408cfb860f933c9811e4d", + }, + { + "type": "URL", + "value": "https://github.com/minimistjs/minimist/commit/ef9153fc52b6cea0744b2239921c5dcae4697f11", + }, + { + "type": "URL", + "value": "https://github.com/minimistjs/minimist/commits/v0.2.4", + }, + { + "type": "URL", + "value": "https://github.com/minimistjs/minimist/issues/11", + }, + 
{ + "type": "URL", + "value": "https://github.com/minimistjs/minimist/pull/24", + }, + { + "type": "URL", + "value": "https://github.com/substack/minimist", + }, + { + "type": "URL", + "value": "https://github.com/substack/minimist/blob/master/index.js#L69", + }, + { + "type": "URL", + "value": "https://github.com/substack/minimist/issues/164", + }, + { + "type": "URL", + "value": "https://linux.oracle.com/cve/CVE-2021-44906.html", + }, + { + "type": "URL", + "value": "https://linux.oracle.com/errata/ELSA-2023-0321.html", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2021-44906", + }, + { + "type": "URL", + "value": "https://security.netapp.com/advisory/ntap-20240621-0006", + }, + { + "type": "URL", + "value": "https://security.netapp.com/advisory/ntap-20240621-0006/", + }, + { + "type": "URL", + "value": "https://snyk.io/vuln/SNYK-JS-MINIMIST-559764", + }, + { + "type": "URL", + "value": "https://stackoverflow.com/questions/8588563/adding-custom-properties-to-a-function/20278068#20278068", + }, + { + "type": "URL", + "value": "https://www.cve.org/CVERecord?id=CVE-2021-44906", + }, + ], + "severity": "HIGH", + }, + { + "attributes": { + "fixedVersion": "0.2.1, 1.2.3", + "foundIn": "Node.js", + "installedVersion": "0.0.10", + "packageName": "minimist", + "references": [ + "http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00024.html", + "https://access.redhat.com/security/cve/CVE-2020-7598", + "https://errata.almalinux.org/8/ALSA-2020-2852.html", + "https://github.com/minimistjs/minimist/commit/10bd4cdf49d9686d48214be9d579a9cdfda37c68", + "https://github.com/minimistjs/minimist/commit/38a4d1caead72ef99e824bb420a2528eec03d9ab", + "https://github.com/minimistjs/minimist/commit/4cf1354839cb972e38496d35e12f806eea92c11f#diff-a1e0ee62c91705696ddb71aa30ad4f95", + "https://github.com/minimistjs/minimist/commit/63e7ed05aa4b1889ec2f3b196426db4500cbda94", + "https://github.com/substack/minimist", + 
"https://linux.oracle.com/cve/CVE-2020-7598.html", + "https://linux.oracle.com/errata/ELSA-2020-2852.html", + "https://nvd.nist.gov/vuln/detail/CVE-2020-7598", + "https://snyk.io/vuln/SNYK-JS-MINIMIST-559764", + "https://www.cve.org/CVERecord?id=CVE-2020-7598", + "https://www.npmjs.com/advisories/1179", + ], + "vulnerabilityId": "CVE-2020-7598", + }, + "category": "NPM Package Vulnerability", + "description": "minimist before 1.2.2 could be tricked into adding or modifying properties of Object.prototype using a "constructor" or "__proto__" payload.", + "location": "bkimminich/juice-shop:v10.2.0", + "mitigation": "Update the affected package minimist to the fixed version: 0.2.1, 1.2.3 or remove the package from the image.", + "name": "nodejs-minimist: prototype pollution allows adding or modifying properties of Object.prototype using a constructor or __proto__ payload", + "osi_layer": "NOT_APPLICABLE", + "references": [ + { + "type": "CVE", + "value": "CVE-2020-7598", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2020-7598", + }, + { + "type": "URL", + "value": "http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00024.html", + }, + { + "type": "URL", + "value": "https://access.redhat.com/security/cve/CVE-2020-7598", + }, + { + "type": "URL", + "value": "https://errata.almalinux.org/8/ALSA-2020-2852.html", + }, + { + "type": "URL", + "value": "https://github.com/minimistjs/minimist/commit/10bd4cdf49d9686d48214be9d579a9cdfda37c68", + }, + { + "type": "URL", + "value": "https://github.com/minimistjs/minimist/commit/38a4d1caead72ef99e824bb420a2528eec03d9ab", + }, + { + "type": "URL", + "value": "https://github.com/minimistjs/minimist/commit/4cf1354839cb972e38496d35e12f806eea92c11f#diff-a1e0ee62c91705696ddb71aa30ad4f95", + }, + { + "type": "URL", + "value": "https://github.com/minimistjs/minimist/commit/63e7ed05aa4b1889ec2f3b196426db4500cbda94", + }, + { + "type": "URL", + "value": "https://github.com/substack/minimist", + }, + { 
+ "type": "URL", + "value": "https://linux.oracle.com/cve/CVE-2020-7598.html", + }, + { + "type": "URL", + "value": "https://linux.oracle.com/errata/ELSA-2020-2852.html", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2020-7598", + }, + { + "type": "URL", + "value": "https://snyk.io/vuln/SNYK-JS-MINIMIST-559764", + }, + { + "type": "URL", + "value": "https://www.cve.org/CVERecord?id=CVE-2020-7598", + }, + { + "type": "URL", + "value": "https://www.npmjs.com/advisories/1179", + }, + ], + "severity": "MEDIUM", + }, + { + "attributes": { + "fixedVersion": "1.2.6, 0.2.4", + "foundIn": "Node.js", + "installedVersion": "1.2.5", + "packageName": "minimist", + "references": [ + "https://access.redhat.com/errata/RHSA-2023:0321", + "https://access.redhat.com/security/cve/CVE-2021-44906", + "https://bugzilla.redhat.com/2066009", + "https://bugzilla.redhat.com/2130518", + "https://bugzilla.redhat.com/2134609", + "https://bugzilla.redhat.com/2140911", + "https://bugzilla.redhat.com/show_bug.cgi?id=2066009", + "https://bugzilla.redhat.com/show_bug.cgi?id=2130518", + "https://bugzilla.redhat.com/show_bug.cgi?id=2134609", + "https://bugzilla.redhat.com/show_bug.cgi?id=2140911", + "https://bugzilla.redhat.com/show_bug.cgi?id=2142808", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44906", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3517", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-35256", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-43548", + "https://errata.almalinux.org/9/ALSA-2023-0321.html", + "https://errata.rockylinux.org/RLSA-2023:0321", + "https://github.com/Marynk/JavaScript-vulnerability-detection/blob/main/minimist%20PoC.zip", + "https://github.com/advisories/GHSA-xvch-5gv4-984h", + "https://github.com/minimistjs/minimist/commit/34e20b8461118608703d6485326abbb8e35e1703", + "https://github.com/minimistjs/minimist/commit/bc8ecee43875261f4f17eb20b1243d3ed15e70eb", + 
"https://github.com/minimistjs/minimist/commit/c2b981977fa834b223b408cfb860f933c9811e4d", + "https://github.com/minimistjs/minimist/commit/ef9153fc52b6cea0744b2239921c5dcae4697f11", + "https://github.com/minimistjs/minimist/commits/v0.2.4", + "https://github.com/minimistjs/minimist/issues/11", + "https://github.com/minimistjs/minimist/pull/24", + "https://github.com/substack/minimist", + "https://github.com/substack/minimist/blob/master/index.js#L69", + "https://github.com/substack/minimist/issues/164", + "https://linux.oracle.com/cve/CVE-2021-44906.html", + "https://linux.oracle.com/errata/ELSA-2023-0321.html", + "https://nvd.nist.gov/vuln/detail/CVE-2021-44906", + "https://security.netapp.com/advisory/ntap-20240621-0006", + "https://security.netapp.com/advisory/ntap-20240621-0006/", + "https://snyk.io/vuln/SNYK-JS-MINIMIST-559764", + "https://stackoverflow.com/questions/8588563/adding-custom-properties-to-a-function/20278068#20278068", + "https://www.cve.org/CVERecord?id=CVE-2021-44906", + ], + "vulnerabilityId": "CVE-2021-44906", + }, + "category": "NPM Package Vulnerability", + "description": "Minimist <=1.2.5 is vulnerable to Prototype Pollution via file index.js, function setKey() (lines 69-95).", + "location": "bkimminich/juice-shop:v10.2.0", + "mitigation": "Update the affected package minimist to the fixed version: 1.2.6, 0.2.4 or remove the package from the image.", + "name": "minimist: prototype pollution", + "osi_layer": "NOT_APPLICABLE", + "references": [ + { + "type": "CVE", + "value": "CVE-2021-44906", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2021-44906", + }, + { + "type": "URL", + "value": "https://access.redhat.com/errata/RHSA-2023:0321", + }, + { + "type": "URL", + "value": "https://access.redhat.com/security/cve/CVE-2021-44906", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/2066009", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/2130518", + }, + { + "type": "URL", + 
"value": "https://bugzilla.redhat.com/2134609", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/2140911", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/show_bug.cgi?id=2066009", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/show_bug.cgi?id=2130518", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/show_bug.cgi?id=2134609", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/show_bug.cgi?id=2140911", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/show_bug.cgi?id=2142808", + }, + { + "type": "URL", + "value": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44906", + }, + { + "type": "URL", + "value": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3517", + }, + { + "type": "URL", + "value": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-35256", + }, + { + "type": "URL", + "value": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-43548", + }, + { + "type": "URL", + "value": "https://errata.almalinux.org/9/ALSA-2023-0321.html", + }, + { + "type": "URL", + "value": "https://errata.rockylinux.org/RLSA-2023:0321", + }, + { + "type": "URL", + "value": "https://github.com/Marynk/JavaScript-vulnerability-detection/blob/main/minimist%20PoC.zip", + }, + { + "type": "URL", + "value": "https://github.com/advisories/GHSA-xvch-5gv4-984h", + }, + { + "type": "URL", + "value": "https://github.com/minimistjs/minimist/commit/34e20b8461118608703d6485326abbb8e35e1703", + }, + { + "type": "URL", + "value": "https://github.com/minimistjs/minimist/commit/bc8ecee43875261f4f17eb20b1243d3ed15e70eb", + }, + { + "type": "URL", + "value": "https://github.com/minimistjs/minimist/commit/c2b981977fa834b223b408cfb860f933c9811e4d", + }, + { + "type": "URL", + "value": "https://github.com/minimistjs/minimist/commit/ef9153fc52b6cea0744b2239921c5dcae4697f11", + }, + { + "type": "URL", + "value": "https://github.com/minimistjs/minimist/commits/v0.2.4", + }, + { + 
"type": "URL", + "value": "https://github.com/minimistjs/minimist/issues/11", + }, + { + "type": "URL", + "value": "https://github.com/minimistjs/minimist/pull/24", + }, + { + "type": "URL", + "value": "https://github.com/substack/minimist", + }, + { + "type": "URL", + "value": "https://github.com/substack/minimist/blob/master/index.js#L69", + }, + { + "type": "URL", + "value": "https://github.com/substack/minimist/issues/164", + }, + { + "type": "URL", + "value": "https://linux.oracle.com/cve/CVE-2021-44906.html", + }, + { + "type": "URL", + "value": "https://linux.oracle.com/errata/ELSA-2023-0321.html", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2021-44906", + }, + { + "type": "URL", + "value": "https://security.netapp.com/advisory/ntap-20240621-0006", + }, + { + "type": "URL", + "value": "https://security.netapp.com/advisory/ntap-20240621-0006/", + }, + { + "type": "URL", + "value": "https://snyk.io/vuln/SNYK-JS-MINIMIST-559764", + }, + { + "type": "URL", + "value": "https://stackoverflow.com/questions/8588563/adding-custom-properties-to-a-function/20278068#20278068", + }, + { + "type": "URL", + "value": "https://www.cve.org/CVERecord?id=CVE-2021-44906", + }, + ], + "severity": "HIGH", + }, + { + "attributes": { + "fixedVersion": "1.2.6, 0.2.4", + "foundIn": "Node.js", + "installedVersion": "1.2.5", + "packageName": "minimist", + "references": [ + "https://access.redhat.com/errata/RHSA-2023:0321", + "https://access.redhat.com/security/cve/CVE-2021-44906", + "https://bugzilla.redhat.com/2066009", + "https://bugzilla.redhat.com/2130518", + "https://bugzilla.redhat.com/2134609", + "https://bugzilla.redhat.com/2140911", + "https://bugzilla.redhat.com/show_bug.cgi?id=2066009", + "https://bugzilla.redhat.com/show_bug.cgi?id=2130518", + "https://bugzilla.redhat.com/show_bug.cgi?id=2134609", + "https://bugzilla.redhat.com/show_bug.cgi?id=2140911", + "https://bugzilla.redhat.com/show_bug.cgi?id=2142808", + 
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44906", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3517", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-35256", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-43548", + "https://errata.almalinux.org/9/ALSA-2023-0321.html", + "https://errata.rockylinux.org/RLSA-2023:0321", + "https://github.com/Marynk/JavaScript-vulnerability-detection/blob/main/minimist%20PoC.zip", + "https://github.com/advisories/GHSA-xvch-5gv4-984h", + "https://github.com/minimistjs/minimist/commit/34e20b8461118608703d6485326abbb8e35e1703", + "https://github.com/minimistjs/minimist/commit/bc8ecee43875261f4f17eb20b1243d3ed15e70eb", + "https://github.com/minimistjs/minimist/commit/c2b981977fa834b223b408cfb860f933c9811e4d", + "https://github.com/minimistjs/minimist/commit/ef9153fc52b6cea0744b2239921c5dcae4697f11", + "https://github.com/minimistjs/minimist/commits/v0.2.4", + "https://github.com/minimistjs/minimist/issues/11", + "https://github.com/minimistjs/minimist/pull/24", + "https://github.com/substack/minimist", + "https://github.com/substack/minimist/blob/master/index.js#L69", + "https://github.com/substack/minimist/issues/164", + "https://linux.oracle.com/cve/CVE-2021-44906.html", + "https://linux.oracle.com/errata/ELSA-2023-0321.html", + "https://nvd.nist.gov/vuln/detail/CVE-2021-44906", + "https://security.netapp.com/advisory/ntap-20240621-0006", + "https://security.netapp.com/advisory/ntap-20240621-0006/", + "https://snyk.io/vuln/SNYK-JS-MINIMIST-559764", + "https://stackoverflow.com/questions/8588563/adding-custom-properties-to-a-function/20278068#20278068", + "https://www.cve.org/CVERecord?id=CVE-2021-44906", + ], + "vulnerabilityId": "CVE-2021-44906", + }, + "category": "NPM Package Vulnerability", + "description": "Minimist <=1.2.5 is vulnerable to Prototype Pollution via file index.js, function setKey() (lines 69-95).", + "location": "bkimminich/juice-shop:v10.2.0", + "mitigation": 
"Update the affected package minimist to the fixed version: 1.2.6, 0.2.4 or remove the package from the image.", + "name": "minimist: prototype pollution", + "osi_layer": "NOT_APPLICABLE", + "references": [ + { + "type": "CVE", + "value": "CVE-2021-44906", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2021-44906", + }, + { + "type": "URL", + "value": "https://access.redhat.com/errata/RHSA-2023:0321", + }, + { + "type": "URL", + "value": "https://access.redhat.com/security/cve/CVE-2021-44906", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/2066009", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/2130518", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/2134609", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/2140911", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/show_bug.cgi?id=2066009", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/show_bug.cgi?id=2130518", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/show_bug.cgi?id=2134609", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/show_bug.cgi?id=2140911", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/show_bug.cgi?id=2142808", + }, + { + "type": "URL", + "value": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44906", + }, + { + "type": "URL", + "value": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3517", + }, + { + "type": "URL", + "value": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-35256", + }, + { + "type": "URL", + "value": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-43548", + }, + { + "type": "URL", + "value": "https://errata.almalinux.org/9/ALSA-2023-0321.html", + }, + { + "type": "URL", + "value": "https://errata.rockylinux.org/RLSA-2023:0321", + }, + { + "type": "URL", + "value": 
"https://github.com/Marynk/JavaScript-vulnerability-detection/blob/main/minimist%20PoC.zip", + }, + { + "type": "URL", + "value": "https://github.com/advisories/GHSA-xvch-5gv4-984h", + }, + { + "type": "URL", + "value": "https://github.com/minimistjs/minimist/commit/34e20b8461118608703d6485326abbb8e35e1703", + }, + { + "type": "URL", + "value": "https://github.com/minimistjs/minimist/commit/bc8ecee43875261f4f17eb20b1243d3ed15e70eb", + }, + { + "type": "URL", + "value": "https://github.com/minimistjs/minimist/commit/c2b981977fa834b223b408cfb860f933c9811e4d", + }, + { + "type": "URL", + "value": "https://github.com/minimistjs/minimist/commit/ef9153fc52b6cea0744b2239921c5dcae4697f11", + }, + { + "type": "URL", + "value": "https://github.com/minimistjs/minimist/commits/v0.2.4", + }, + { + "type": "URL", + "value": "https://github.com/minimistjs/minimist/issues/11", + }, + { + "type": "URL", + "value": "https://github.com/minimistjs/minimist/pull/24", + }, + { + "type": "URL", + "value": "https://github.com/substack/minimist", + }, + { + "type": "URL", + "value": "https://github.com/substack/minimist/blob/master/index.js#L69", + }, + { + "type": "URL", + "value": "https://github.com/substack/minimist/issues/164", + }, + { + "type": "URL", + "value": "https://linux.oracle.com/cve/CVE-2021-44906.html", + }, + { + "type": "URL", + "value": "https://linux.oracle.com/errata/ELSA-2023-0321.html", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2021-44906", + }, + { + "type": "URL", + "value": "https://security.netapp.com/advisory/ntap-20240621-0006", + }, + { + "type": "URL", + "value": "https://security.netapp.com/advisory/ntap-20240621-0006/", + }, + { + "type": "URL", + "value": "https://snyk.io/vuln/SNYK-JS-MINIMIST-559764", + }, + { + "type": "URL", + "value": "https://stackoverflow.com/questions/8588563/adding-custom-properties-to-a-function/20278068#20278068", + }, + { + "type": "URL", + "value": 
"https://www.cve.org/CVERecord?id=CVE-2021-44906", + }, + ], + "severity": "HIGH", + }, + { + "attributes": { + "fixedVersion": "1.2.6, 0.2.4", + "foundIn": "Node.js", + "installedVersion": "1.2.5", + "packageName": "minimist", + "references": [ + "https://access.redhat.com/errata/RHSA-2023:0321", + "https://access.redhat.com/security/cve/CVE-2021-44906", + "https://bugzilla.redhat.com/2066009", + "https://bugzilla.redhat.com/2130518", + "https://bugzilla.redhat.com/2134609", + "https://bugzilla.redhat.com/2140911", + "https://bugzilla.redhat.com/show_bug.cgi?id=2066009", + "https://bugzilla.redhat.com/show_bug.cgi?id=2130518", + "https://bugzilla.redhat.com/show_bug.cgi?id=2134609", + "https://bugzilla.redhat.com/show_bug.cgi?id=2140911", + "https://bugzilla.redhat.com/show_bug.cgi?id=2142808", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44906", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3517", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-35256", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-43548", + "https://errata.almalinux.org/9/ALSA-2023-0321.html", + "https://errata.rockylinux.org/RLSA-2023:0321", + "https://github.com/Marynk/JavaScript-vulnerability-detection/blob/main/minimist%20PoC.zip", + "https://github.com/advisories/GHSA-xvch-5gv4-984h", + "https://github.com/minimistjs/minimist/commit/34e20b8461118608703d6485326abbb8e35e1703", + "https://github.com/minimistjs/minimist/commit/bc8ecee43875261f4f17eb20b1243d3ed15e70eb", + "https://github.com/minimistjs/minimist/commit/c2b981977fa834b223b408cfb860f933c9811e4d", + "https://github.com/minimistjs/minimist/commit/ef9153fc52b6cea0744b2239921c5dcae4697f11", + "https://github.com/minimistjs/minimist/commits/v0.2.4", + "https://github.com/minimistjs/minimist/issues/11", + "https://github.com/minimistjs/minimist/pull/24", + "https://github.com/substack/minimist", + "https://github.com/substack/minimist/blob/master/index.js#L69", + 
"https://github.com/substack/minimist/issues/164", + "https://linux.oracle.com/cve/CVE-2021-44906.html", + "https://linux.oracle.com/errata/ELSA-2023-0321.html", + "https://nvd.nist.gov/vuln/detail/CVE-2021-44906", + "https://security.netapp.com/advisory/ntap-20240621-0006", + "https://security.netapp.com/advisory/ntap-20240621-0006/", + "https://snyk.io/vuln/SNYK-JS-MINIMIST-559764", + "https://stackoverflow.com/questions/8588563/adding-custom-properties-to-a-function/20278068#20278068", + "https://www.cve.org/CVERecord?id=CVE-2021-44906", + ], + "vulnerabilityId": "CVE-2021-44906", + }, + "category": "NPM Package Vulnerability", + "description": "Minimist <=1.2.5 is vulnerable to Prototype Pollution via file index.js, function setKey() (lines 69-95).", + "location": "bkimminich/juice-shop:v10.2.0", + "mitigation": "Update the affected package minimist to the fixed version: 1.2.6, 0.2.4 or remove the package from the image.", + "name": "minimist: prototype pollution", + "osi_layer": "NOT_APPLICABLE", + "references": [ + { + "type": "CVE", + "value": "CVE-2021-44906", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2021-44906", + }, + { + "type": "URL", + "value": "https://access.redhat.com/errata/RHSA-2023:0321", + }, + { + "type": "URL", + "value": "https://access.redhat.com/security/cve/CVE-2021-44906", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/2066009", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/2130518", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/2134609", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/2140911", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/show_bug.cgi?id=2066009", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/show_bug.cgi?id=2130518", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/show_bug.cgi?id=2134609", + }, + { + "type": "URL", + "value": 
"https://bugzilla.redhat.com/show_bug.cgi?id=2140911", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/show_bug.cgi?id=2142808", + }, + { + "type": "URL", + "value": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44906", + }, + { + "type": "URL", + "value": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3517", + }, + { + "type": "URL", + "value": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-35256", + }, + { + "type": "URL", + "value": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-43548", + }, + { + "type": "URL", + "value": "https://errata.almalinux.org/9/ALSA-2023-0321.html", + }, + { + "type": "URL", + "value": "https://errata.rockylinux.org/RLSA-2023:0321", + }, + { + "type": "URL", + "value": "https://github.com/Marynk/JavaScript-vulnerability-detection/blob/main/minimist%20PoC.zip", + }, + { + "type": "URL", + "value": "https://github.com/advisories/GHSA-xvch-5gv4-984h", + }, + { + "type": "URL", + "value": "https://github.com/minimistjs/minimist/commit/34e20b8461118608703d6485326abbb8e35e1703", + }, + { + "type": "URL", + "value": "https://github.com/minimistjs/minimist/commit/bc8ecee43875261f4f17eb20b1243d3ed15e70eb", + }, + { + "type": "URL", + "value": "https://github.com/minimistjs/minimist/commit/c2b981977fa834b223b408cfb860f933c9811e4d", + }, + { + "type": "URL", + "value": "https://github.com/minimistjs/minimist/commit/ef9153fc52b6cea0744b2239921c5dcae4697f11", + }, + { + "type": "URL", + "value": "https://github.com/minimistjs/minimist/commits/v0.2.4", + }, + { + "type": "URL", + "value": "https://github.com/minimistjs/minimist/issues/11", + }, + { + "type": "URL", + "value": "https://github.com/minimistjs/minimist/pull/24", + }, + { + "type": "URL", + "value": "https://github.com/substack/minimist", + }, + { + "type": "URL", + "value": "https://github.com/substack/minimist/blob/master/index.js#L69", + }, + { + "type": "URL", + "value": "https://github.com/substack/minimist/issues/164", + }, 
+ { + "type": "URL", + "value": "https://linux.oracle.com/cve/CVE-2021-44906.html", + }, + { + "type": "URL", + "value": "https://linux.oracle.com/errata/ELSA-2023-0321.html", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2021-44906", + }, + { + "type": "URL", + "value": "https://security.netapp.com/advisory/ntap-20240621-0006", + }, + { + "type": "URL", + "value": "https://security.netapp.com/advisory/ntap-20240621-0006/", + }, + { + "type": "URL", + "value": "https://snyk.io/vuln/SNYK-JS-MINIMIST-559764", + }, + { + "type": "URL", + "value": "https://stackoverflow.com/questions/8588563/adding-custom-properties-to-a-function/20278068#20278068", + }, + { + "type": "URL", + "value": "https://www.cve.org/CVERecord?id=CVE-2021-44906", + }, + ], + "severity": "HIGH", + }, + { + "attributes": { + "fixedVersion": "2.19.3", + "foundIn": "Node.js", + "installedVersion": "2.0.0", + "packageName": "moment", + "references": [ + "https://access.redhat.com/security/cve/CVE-2017-18214", + "https://github.com/advisories/GHSA-446m-mv8f-q348", + "https://github.com/moment/moment", + "https://github.com/moment/moment/commit/69ed9d44957fa6ab12b73d2ae29d286a857b80eb", + "https://github.com/moment/moment/issues/4163", + "https://github.com/moment/moment/pull/4326", + "https://nodesecurity.io/advisories/532", + "https://nvd.nist.gov/vuln/detail/CVE-2017-18214", + "https://www.cve.org/CVERecord?id=CVE-2017-18214", + "https://www.npmjs.com/advisories/532", + "https://www.tenable.com/security/tns-2019-02", + ], + "vulnerabilityId": "CVE-2017-18214", + }, + "category": "NPM Package Vulnerability", + "description": "The moment module before 2.19.3 for Node.js is prone to a regular expression denial of service via a crafted date string, a different vulnerability than CVE-2016-4055.", + "location": "bkimminich/juice-shop:v10.2.0", + "mitigation": "Update the affected package moment to the fixed version: 2.19.3 or remove the package from the image.", + "name": 
"nodejs-moment: Regular expression denial of service", + "osi_layer": "NOT_APPLICABLE", + "references": [ + { + "type": "CVE", + "value": "CVE-2017-18214", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2017-18214", + }, + { + "type": "URL", + "value": "https://access.redhat.com/security/cve/CVE-2017-18214", + }, + { + "type": "URL", + "value": "https://github.com/advisories/GHSA-446m-mv8f-q348", + }, + { + "type": "URL", + "value": "https://github.com/moment/moment", + }, + { + "type": "URL", + "value": "https://github.com/moment/moment/commit/69ed9d44957fa6ab12b73d2ae29d286a857b80eb", + }, + { + "type": "URL", + "value": "https://github.com/moment/moment/issues/4163", + }, + { + "type": "URL", + "value": "https://github.com/moment/moment/pull/4326", + }, + { + "type": "URL", + "value": "https://nodesecurity.io/advisories/532", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2017-18214", + }, + { + "type": "URL", + "value": "https://www.cve.org/CVERecord?id=CVE-2017-18214", + }, + { + "type": "URL", + "value": "https://www.npmjs.com/advisories/532", + }, + { + "type": "URL", + "value": "https://www.tenable.com/security/tns-2019-02", + }, + ], + "severity": "HIGH", + }, + { + "attributes": { + "fixedVersion": "2.29.2", + "foundIn": "Node.js", + "installedVersion": "2.0.0", + "packageName": "moment", + "references": [ + "https://access.redhat.com/security/cve/CVE-2022-24785", + "https://github.com/moment/moment", + "https://github.com/moment/moment/commit/4211bfc8f15746be4019bba557e29a7ba83d54c5", + "https://github.com/moment/moment/security/advisories/GHSA-8hfj-j24r-96c4", + "https://lists.debian.org/debian-lts-announce/2023/01/msg00035.html", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6QIO6YNLTK2T7SPKDS4JEL45FANLNC2Q/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ORJX2LF6KMPIHP6B2P6KZIVKMLE3LVJ5/", 
+ "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6QIO6YNLTK2T7SPKDS4JEL45FANLNC2Q", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ORJX2LF6KMPIHP6B2P6KZIVKMLE3LVJ5", + "https://nvd.nist.gov/vuln/detail/CVE-2022-24785", + "https://security.netapp.com/advisory/ntap-20220513-0006", + "https://security.netapp.com/advisory/ntap-20220513-0006/", + "https://ubuntu.com/security/notices/USN-5559-1", + "https://www.cve.org/CVERecord?id=CVE-2022-24785", + "https://www.tenable.com/security/tns-2022-09", + ], + "vulnerabilityId": "CVE-2022-24785", + }, + "category": "NPM Package Vulnerability", + "description": "Moment.js is a JavaScript date library for parsing, validating, manipulating, and formatting dates. A path traversal vulnerability impacts npm (server) users of Moment.js between versions 1.0.1 and 2.29.1, especially if a user-provided locale string is directly used to switch moment locale. This problem is patched in 2.29.2, and the patch can be applied to all affected versions. 
As a workaround, sanitize the user-provided locale name before passing it to Moment.js.", + "location": "bkimminich/juice-shop:v10.2.0", + "mitigation": "Update the affected package moment to the fixed version: 2.29.2 or remove the package from the image.", + "name": "Moment.js: Path traversal in moment.locale", + "osi_layer": "NOT_APPLICABLE", + "references": [ + { + "type": "CVE", + "value": "CVE-2022-24785", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2022-24785", + }, + { + "type": "URL", + "value": "https://access.redhat.com/security/cve/CVE-2022-24785", + }, + { + "type": "URL", + "value": "https://github.com/moment/moment", + }, + { + "type": "URL", + "value": "https://github.com/moment/moment/commit/4211bfc8f15746be4019bba557e29a7ba83d54c5", + }, + { + "type": "URL", + "value": "https://github.com/moment/moment/security/advisories/GHSA-8hfj-j24r-96c4", + }, + { + "type": "URL", + "value": "https://lists.debian.org/debian-lts-announce/2023/01/msg00035.html", + }, + { + "type": "URL", + "value": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6QIO6YNLTK2T7SPKDS4JEL45FANLNC2Q/", + }, + { + "type": "URL", + "value": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ORJX2LF6KMPIHP6B2P6KZIVKMLE3LVJ5/", + }, + { + "type": "URL", + "value": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6QIO6YNLTK2T7SPKDS4JEL45FANLNC2Q", + }, + { + "type": "URL", + "value": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ORJX2LF6KMPIHP6B2P6KZIVKMLE3LVJ5", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2022-24785", + }, + { + "type": "URL", + "value": "https://security.netapp.com/advisory/ntap-20220513-0006", + }, + { + "type": "URL", + "value": "https://security.netapp.com/advisory/ntap-20220513-0006/", + }, + { + "type": "URL", + 
"value": "https://ubuntu.com/security/notices/USN-5559-1", + }, + { + "type": "URL", + "value": "https://www.cve.org/CVERecord?id=CVE-2022-24785", + }, + { + "type": "URL", + "value": "https://www.tenable.com/security/tns-2022-09", + }, + ], + "severity": "HIGH", + }, + { + "attributes": { + "fixedVersion": ">=2.11.2", + "foundIn": "Node.js", + "installedVersion": "2.0.0", + "packageName": "moment", + "references": [ + "http://www.openwall.com/lists/oss-security/2016/04/20/11", + "http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html", + "http://www.securityfocus.com/bid/95849", + "https://access.redhat.com/security/cve/CVE-2016-4055", + "https://github.com/advisories/GHSA-87vv-r9j6-g5qv", + "https://github.com/moment/moment", + "https://lists.apache.org/thread.html/10f0f3aefd51444d1198c65f44ffdf2d78ca3359423dbc1c168c9731%40%3Cdev.flink.apache.org%3E", + "https://lists.apache.org/thread.html/10f0f3aefd51444d1198c65f44ffdf2d78ca3359423dbc1c168c9731@%3Cdev.flink.apache.org%3E", + "https://lists.apache.org/thread.html/17ff53f7999e74fbe3cc0ceb4e1c3b00b180b7c5afec8e978837bc49%40%3Cuser.flink.apache.org%3E", + "https://lists.apache.org/thread.html/17ff53f7999e74fbe3cc0ceb4e1c3b00b180b7c5afec8e978837bc49@%3Cuser.flink.apache.org%3E", + "https://lists.apache.org/thread.html/52bafac05ad174000ea465fe275fd3cc7bd5c25535a7631c0bc9bfb2%40%3Cuser.flink.apache.org%3E", + "https://lists.apache.org/thread.html/52bafac05ad174000ea465fe275fd3cc7bd5c25535a7631c0bc9bfb2@%3Cuser.flink.apache.org%3E", + "https://lists.apache.org/thread.html/54df3aeb4239b64b50b356f0ca6f986e3c4ca5b84c515dce077c7854%40%3Cuser.flink.apache.org%3E", + "https://lists.apache.org/thread.html/54df3aeb4239b64b50b356f0ca6f986e3c4ca5b84c515dce077c7854@%3Cuser.flink.apache.org%3E", + "https://nodesecurity.io/advisories/55", + "https://nvd.nist.gov/vuln/detail/CVE-2016-4055", + "https://www.cve.org/CVERecord?id=CVE-2016-4055", + "https://www.npmjs.com/advisories/55", + 
"https://www.owasp.org/index.php/Regular_expression_Denial_of_Service_-_ReDoS", + "https://www.tenable.com/security/tns-2019-02", + ], + "vulnerabilityId": "CVE-2016-4055", + }, + "category": "NPM Package Vulnerability", + "description": "The duration function in the moment package before 2.11.2 for Node.js allows remote attackers to cause a denial of service (CPU consumption) via a long string, aka a "regular expression Denial of Service (ReDoS)."", + "location": "bkimminich/juice-shop:v10.2.0", + "mitigation": "Update the affected package moment to the fixed version: >=2.11.2 or remove the package from the image.", + "name": "moment.js: regular expression denial of service", + "osi_layer": "NOT_APPLICABLE", + "references": [ + { + "type": "CVE", + "value": "CVE-2016-4055", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2016-4055", + }, + { + "type": "URL", + "value": "http://www.openwall.com/lists/oss-security/2016/04/20/11", + }, + { + "type": "URL", + "value": "http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html", + }, + { + "type": "URL", + "value": "http://www.securityfocus.com/bid/95849", + }, + { + "type": "URL", + "value": "https://access.redhat.com/security/cve/CVE-2016-4055", + }, + { + "type": "URL", + "value": "https://github.com/advisories/GHSA-87vv-r9j6-g5qv", + }, + { + "type": "URL", + "value": "https://github.com/moment/moment", + }, + { + "type": "URL", + "value": "https://lists.apache.org/thread.html/10f0f3aefd51444d1198c65f44ffdf2d78ca3359423dbc1c168c9731%40%3Cdev.flink.apache.org%3E", + }, + { + "type": "URL", + "value": "https://lists.apache.org/thread.html/10f0f3aefd51444d1198c65f44ffdf2d78ca3359423dbc1c168c9731@%3Cdev.flink.apache.org%3E", + }, + { + "type": "URL", + "value": "https://lists.apache.org/thread.html/17ff53f7999e74fbe3cc0ceb4e1c3b00b180b7c5afec8e978837bc49%40%3Cuser.flink.apache.org%3E", + }, + { + "type": "URL", + "value": 
"https://lists.apache.org/thread.html/17ff53f7999e74fbe3cc0ceb4e1c3b00b180b7c5afec8e978837bc49@%3Cuser.flink.apache.org%3E", + }, + { + "type": "URL", + "value": "https://lists.apache.org/thread.html/52bafac05ad174000ea465fe275fd3cc7bd5c25535a7631c0bc9bfb2%40%3Cuser.flink.apache.org%3E", + }, + { + "type": "URL", + "value": "https://lists.apache.org/thread.html/52bafac05ad174000ea465fe275fd3cc7bd5c25535a7631c0bc9bfb2@%3Cuser.flink.apache.org%3E", + }, + { + "type": "URL", + "value": "https://lists.apache.org/thread.html/54df3aeb4239b64b50b356f0ca6f986e3c4ca5b84c515dce077c7854%40%3Cuser.flink.apache.org%3E", + }, + { + "type": "URL", + "value": "https://lists.apache.org/thread.html/54df3aeb4239b64b50b356f0ca6f986e3c4ca5b84c515dce077c7854@%3Cuser.flink.apache.org%3E", + }, + { + "type": "URL", + "value": "https://nodesecurity.io/advisories/55", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2016-4055", + }, + { + "type": "URL", + "value": "https://www.cve.org/CVERecord?id=CVE-2016-4055", + }, + { + "type": "URL", + "value": "https://www.npmjs.com/advisories/55", + }, + { + "type": "URL", + "value": "https://www.owasp.org/index.php/Regular_expression_Denial_of_Service_-_ReDoS", + }, + { + "type": "URL", + "value": "https://www.tenable.com/security/tns-2019-02", + }, + ], + "severity": "MEDIUM", + }, + { + "attributes": { + "fixedVersion": "2.29.2", + "foundIn": "Node.js", + "installedVersion": "2.24.0", + "packageName": "moment", + "references": [ + "https://access.redhat.com/security/cve/CVE-2022-24785", + "https://github.com/moment/moment", + "https://github.com/moment/moment/commit/4211bfc8f15746be4019bba557e29a7ba83d54c5", + "https://github.com/moment/moment/security/advisories/GHSA-8hfj-j24r-96c4", + "https://lists.debian.org/debian-lts-announce/2023/01/msg00035.html", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6QIO6YNLTK2T7SPKDS4JEL45FANLNC2Q/", + 
"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ORJX2LF6KMPIHP6B2P6KZIVKMLE3LVJ5/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6QIO6YNLTK2T7SPKDS4JEL45FANLNC2Q", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ORJX2LF6KMPIHP6B2P6KZIVKMLE3LVJ5", + "https://nvd.nist.gov/vuln/detail/CVE-2022-24785", + "https://security.netapp.com/advisory/ntap-20220513-0006", + "https://security.netapp.com/advisory/ntap-20220513-0006/", + "https://ubuntu.com/security/notices/USN-5559-1", + "https://www.cve.org/CVERecord?id=CVE-2022-24785", + "https://www.tenable.com/security/tns-2022-09", + ], + "vulnerabilityId": "CVE-2022-24785", + }, + "category": "NPM Package Vulnerability", + "description": "Moment.js is a JavaScript date library for parsing, validating, manipulating, and formatting dates. A path traversal vulnerability impacts npm (server) users of Moment.js between versions 1.0.1 and 2.29.1, especially if a user-provided locale string is directly used to switch moment locale. This problem is patched in 2.29.2, and the patch can be applied to all affected versions. 
As a workaround, sanitize the user-provided locale name before passing it to Moment.js.", + "location": "bkimminich/juice-shop:v10.2.0", + "mitigation": "Update the affected package moment to the fixed version: 2.29.2 or remove the package from the image.", + "name": "Moment.js: Path traversal in moment.locale", + "osi_layer": "NOT_APPLICABLE", + "references": [ + { + "type": "CVE", + "value": "CVE-2022-24785", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2022-24785", + }, + { + "type": "URL", + "value": "https://access.redhat.com/security/cve/CVE-2022-24785", + }, + { + "type": "URL", + "value": "https://github.com/moment/moment", + }, + { + "type": "URL", + "value": "https://github.com/moment/moment/commit/4211bfc8f15746be4019bba557e29a7ba83d54c5", + }, + { + "type": "URL", + "value": "https://github.com/moment/moment/security/advisories/GHSA-8hfj-j24r-96c4", + }, + { + "type": "URL", + "value": "https://lists.debian.org/debian-lts-announce/2023/01/msg00035.html", + }, + { + "type": "URL", + "value": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6QIO6YNLTK2T7SPKDS4JEL45FANLNC2Q/", + }, + { + "type": "URL", + "value": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ORJX2LF6KMPIHP6B2P6KZIVKMLE3LVJ5/", + }, + { + "type": "URL", + "value": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6QIO6YNLTK2T7SPKDS4JEL45FANLNC2Q", + }, + { + "type": "URL", + "value": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ORJX2LF6KMPIHP6B2P6KZIVKMLE3LVJ5", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2022-24785", + }, + { + "type": "URL", + "value": "https://security.netapp.com/advisory/ntap-20220513-0006", + }, + { + "type": "URL", + "value": "https://security.netapp.com/advisory/ntap-20220513-0006/", + }, + { + "type": "URL", + 
"value": "https://ubuntu.com/security/notices/USN-5559-1", + }, + { + "type": "URL", + "value": "https://www.cve.org/CVERecord?id=CVE-2022-24785", + }, + { + "type": "URL", + "value": "https://www.tenable.com/security/tns-2022-09", + }, + ], + "severity": "HIGH", + }, + { + "attributes": { + "fixedVersion": "2.29.2", + "foundIn": "Node.js", + "installedVersion": "2.24.0", + "packageName": "moment", + "references": [ + "https://access.redhat.com/security/cve/CVE-2022-24785", + "https://github.com/moment/moment", + "https://github.com/moment/moment/commit/4211bfc8f15746be4019bba557e29a7ba83d54c5", + "https://github.com/moment/moment/security/advisories/GHSA-8hfj-j24r-96c4", + "https://lists.debian.org/debian-lts-announce/2023/01/msg00035.html", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6QIO6YNLTK2T7SPKDS4JEL45FANLNC2Q/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ORJX2LF6KMPIHP6B2P6KZIVKMLE3LVJ5/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6QIO6YNLTK2T7SPKDS4JEL45FANLNC2Q", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ORJX2LF6KMPIHP6B2P6KZIVKMLE3LVJ5", + "https://nvd.nist.gov/vuln/detail/CVE-2022-24785", + "https://security.netapp.com/advisory/ntap-20220513-0006", + "https://security.netapp.com/advisory/ntap-20220513-0006/", + "https://ubuntu.com/security/notices/USN-5559-1", + "https://www.cve.org/CVERecord?id=CVE-2022-24785", + "https://www.tenable.com/security/tns-2022-09", + ], + "vulnerabilityId": "CVE-2022-24785", + }, + "category": "NPM Package Vulnerability", + "description": "Moment.js is a JavaScript date library for parsing, validating, manipulating, and formatting dates. 
A path traversal vulnerability impacts npm (server) users of Moment.js between versions 1.0.1 and 2.29.1, especially if a user-provided locale string is directly used to switch moment locale. This problem is patched in 2.29.2, and the patch can be applied to all affected versions. As a workaround, sanitize the user-provided locale name before passing it to Moment.js.", + "location": "bkimminich/juice-shop:v10.2.0", + "mitigation": "Update the affected package moment to the fixed version: 2.29.2 or remove the package from the image.", + "name": "Moment.js: Path traversal in moment.locale", + "osi_layer": "NOT_APPLICABLE", + "references": [ + { + "type": "CVE", + "value": "CVE-2022-24785", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2022-24785", + }, + { + "type": "URL", + "value": "https://access.redhat.com/security/cve/CVE-2022-24785", + }, + { + "type": "URL", + "value": "https://github.com/moment/moment", + }, + { + "type": "URL", + "value": "https://github.com/moment/moment/commit/4211bfc8f15746be4019bba557e29a7ba83d54c5", + }, + { + "type": "URL", + "value": "https://github.com/moment/moment/security/advisories/GHSA-8hfj-j24r-96c4", + }, + { + "type": "URL", + "value": "https://lists.debian.org/debian-lts-announce/2023/01/msg00035.html", + }, + { + "type": "URL", + "value": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6QIO6YNLTK2T7SPKDS4JEL45FANLNC2Q/", + }, + { + "type": "URL", + "value": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ORJX2LF6KMPIHP6B2P6KZIVKMLE3LVJ5/", + }, + { + "type": "URL", + "value": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6QIO6YNLTK2T7SPKDS4JEL45FANLNC2Q", + }, + { + "type": "URL", + "value": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ORJX2LF6KMPIHP6B2P6KZIVKMLE3LVJ5", + }, + { + "type": "URL", + 
"value": "https://nvd.nist.gov/vuln/detail/CVE-2022-24785", + }, + { + "type": "URL", + "value": "https://security.netapp.com/advisory/ntap-20220513-0006", + }, + { + "type": "URL", + "value": "https://security.netapp.com/advisory/ntap-20220513-0006/", + }, + { + "type": "URL", + "value": "https://ubuntu.com/security/notices/USN-5559-1", + }, + { + "type": "URL", + "value": "https://www.cve.org/CVERecord?id=CVE-2022-24785", + }, + { + "type": "URL", + "value": "https://www.tenable.com/security/tns-2022-09", + }, + ], + "severity": "HIGH", + }, + { + "attributes": { + "fixedVersion": "2.29.2", + "foundIn": "Node.js", + "installedVersion": "2.24.0", + "packageName": "moment", + "references": [ + "https://access.redhat.com/security/cve/CVE-2022-24785", + "https://github.com/moment/moment", + "https://github.com/moment/moment/commit/4211bfc8f15746be4019bba557e29a7ba83d54c5", + "https://github.com/moment/moment/security/advisories/GHSA-8hfj-j24r-96c4", + "https://lists.debian.org/debian-lts-announce/2023/01/msg00035.html", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6QIO6YNLTK2T7SPKDS4JEL45FANLNC2Q/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ORJX2LF6KMPIHP6B2P6KZIVKMLE3LVJ5/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6QIO6YNLTK2T7SPKDS4JEL45FANLNC2Q", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ORJX2LF6KMPIHP6B2P6KZIVKMLE3LVJ5", + "https://nvd.nist.gov/vuln/detail/CVE-2022-24785", + "https://security.netapp.com/advisory/ntap-20220513-0006", + "https://security.netapp.com/advisory/ntap-20220513-0006/", + "https://ubuntu.com/security/notices/USN-5559-1", + "https://www.cve.org/CVERecord?id=CVE-2022-24785", + "https://www.tenable.com/security/tns-2022-09", + ], + "vulnerabilityId": "CVE-2022-24785", + }, + "category": "NPM Package Vulnerability", + 
"description": "Moment.js is a JavaScript date library for parsing, validating, manipulating, and formatting dates. A path traversal vulnerability impacts npm (server) users of Moment.js between versions 1.0.1 and 2.29.1, especially if a user-provided locale string is directly used to switch moment locale. This problem is patched in 2.29.2, and the patch can be applied to all affected versions. As a workaround, sanitize the user-provided locale name before passing it to Moment.js.", + "location": "bkimminich/juice-shop:v10.2.0", + "mitigation": "Update the affected package moment to the fixed version: 2.29.2 or remove the package from the image.", + "name": "Moment.js: Path traversal in moment.locale", + "osi_layer": "NOT_APPLICABLE", + "references": [ + { + "type": "CVE", + "value": "CVE-2022-24785", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2022-24785", + }, + { + "type": "URL", + "value": "https://access.redhat.com/security/cve/CVE-2022-24785", + }, + { + "type": "URL", + "value": "https://github.com/moment/moment", + }, + { + "type": "URL", + "value": "https://github.com/moment/moment/commit/4211bfc8f15746be4019bba557e29a7ba83d54c5", + }, + { + "type": "URL", + "value": "https://github.com/moment/moment/security/advisories/GHSA-8hfj-j24r-96c4", + }, + { + "type": "URL", + "value": "https://lists.debian.org/debian-lts-announce/2023/01/msg00035.html", + }, + { + "type": "URL", + "value": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6QIO6YNLTK2T7SPKDS4JEL45FANLNC2Q/", + }, + { + "type": "URL", + "value": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ORJX2LF6KMPIHP6B2P6KZIVKMLE3LVJ5/", + }, + { + "type": "URL", + "value": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6QIO6YNLTK2T7SPKDS4JEL45FANLNC2Q", + }, + { + "type": "URL", + "value": 
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ORJX2LF6KMPIHP6B2P6KZIVKMLE3LVJ5", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2022-24785", + }, + { + "type": "URL", + "value": "https://security.netapp.com/advisory/ntap-20220513-0006", + }, + { + "type": "URL", + "value": "https://security.netapp.com/advisory/ntap-20220513-0006/", + }, + { + "type": "URL", + "value": "https://ubuntu.com/security/notices/USN-5559-1", + }, + { + "type": "URL", + "value": "https://www.cve.org/CVERecord?id=CVE-2022-24785", + }, + { + "type": "URL", + "value": "https://www.tenable.com/security/tns-2022-09", + }, + ], + "severity": "HIGH", + }, + { + "attributes": { + "fixedVersion": "2.29.2", + "foundIn": "Node.js", + "installedVersion": "2.24.0", + "packageName": "moment", + "references": [ + "https://access.redhat.com/security/cve/CVE-2022-24785", + "https://github.com/moment/moment", + "https://github.com/moment/moment/commit/4211bfc8f15746be4019bba557e29a7ba83d54c5", + "https://github.com/moment/moment/security/advisories/GHSA-8hfj-j24r-96c4", + "https://lists.debian.org/debian-lts-announce/2023/01/msg00035.html", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6QIO6YNLTK2T7SPKDS4JEL45FANLNC2Q/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ORJX2LF6KMPIHP6B2P6KZIVKMLE3LVJ5/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6QIO6YNLTK2T7SPKDS4JEL45FANLNC2Q", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ORJX2LF6KMPIHP6B2P6KZIVKMLE3LVJ5", + "https://nvd.nist.gov/vuln/detail/CVE-2022-24785", + "https://security.netapp.com/advisory/ntap-20220513-0006", + "https://security.netapp.com/advisory/ntap-20220513-0006/", + "https://ubuntu.com/security/notices/USN-5559-1", + 
"https://www.cve.org/CVERecord?id=CVE-2022-24785", + "https://www.tenable.com/security/tns-2022-09", + ], + "vulnerabilityId": "CVE-2022-24785", + }, + "category": "NPM Package Vulnerability", + "description": "Moment.js is a JavaScript date library for parsing, validating, manipulating, and formatting dates. A path traversal vulnerability impacts npm (server) users of Moment.js between versions 1.0.1 and 2.29.1, especially if a user-provided locale string is directly used to switch moment locale. This problem is patched in 2.29.2, and the patch can be applied to all affected versions. As a workaround, sanitize the user-provided locale name before passing it to Moment.js.", + "location": "bkimminich/juice-shop:v10.2.0", + "mitigation": "Update the affected package moment to the fixed version: 2.29.2 or remove the package from the image.", + "name": "Moment.js: Path traversal in moment.locale", + "osi_layer": "NOT_APPLICABLE", + "references": [ + { + "type": "CVE", + "value": "CVE-2022-24785", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2022-24785", + }, + { + "type": "URL", + "value": "https://access.redhat.com/security/cve/CVE-2022-24785", + }, + { + "type": "URL", + "value": "https://github.com/moment/moment", + }, + { + "type": "URL", + "value": "https://github.com/moment/moment/commit/4211bfc8f15746be4019bba557e29a7ba83d54c5", + }, + { + "type": "URL", + "value": "https://github.com/moment/moment/security/advisories/GHSA-8hfj-j24r-96c4", + }, + { + "type": "URL", + "value": "https://lists.debian.org/debian-lts-announce/2023/01/msg00035.html", + }, + { + "type": "URL", + "value": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6QIO6YNLTK2T7SPKDS4JEL45FANLNC2Q/", + }, + { + "type": "URL", + "value": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ORJX2LF6KMPIHP6B2P6KZIVKMLE3LVJ5/", + }, + { + "type": "URL", + "value": 
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6QIO6YNLTK2T7SPKDS4JEL45FANLNC2Q", + }, + { + "type": "URL", + "value": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ORJX2LF6KMPIHP6B2P6KZIVKMLE3LVJ5", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2022-24785", + }, + { + "type": "URL", + "value": "https://security.netapp.com/advisory/ntap-20220513-0006", + }, + { + "type": "URL", + "value": "https://security.netapp.com/advisory/ntap-20220513-0006/", + }, + { + "type": "URL", + "value": "https://ubuntu.com/security/notices/USN-5559-1", + }, + { + "type": "URL", + "value": "https://www.cve.org/CVERecord?id=CVE-2022-24785", + }, + { + "type": "URL", + "value": "https://www.tenable.com/security/tns-2022-09", + }, + ], + "severity": "HIGH", + }, + { + "attributes": { + "fixedVersion": "2.29.4", + "foundIn": "Node.js", + "installedVersion": "2.24.0", + "packageName": "moment", + "references": [ + "https://access.redhat.com/security/cve/CVE-2022-31129", + "https://github.com/moment/moment", + "https://github.com/moment/moment/commit/9a3b5894f3d5d602948ac8a02e4ee528a49ca3a3", + "https://github.com/moment/moment/pull/6015#issuecomment-1152961973", + "https://github.com/moment/moment/pull/6015/commits/4bbb9f3ccbe231de40207503f344fe5ce97584f4", + "https://github.com/moment/moment/pull/6015/commits/bfd4f2375d5c1a2106246721d693a9611dddfbfe", + "https://github.com/moment/moment/pull/6015/commits/dc0d180e90d8a84f7ff13572363330a22b3ea504", + "https://github.com/moment/moment/security/advisories/GHSA-wc69-rhjr-hc9g", + "https://huntr.dev/bounties/f0952b67-f2ff-44a9-a9cd-99e0a87cb633", + "https://huntr.dev/bounties/f0952b67-f2ff-44a9-a9cd-99e0a87cb633/", + "https://lists.debian.org/debian-lts-announce/2023/01/msg00035.html", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6QIO6YNLTK2T7SPKDS4JEL45FANLNC2Q/", 
+ "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IWY24RJA3SBJGA5N4CU4VBPHJPPPJL5O/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ORJX2LF6KMPIHP6B2P6KZIVKMLE3LVJ5/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZMX5YHELQVCGKKQVFXIYOTBMN23YYSRO/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6QIO6YNLTK2T7SPKDS4JEL45FANLNC2Q", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IWY24RJA3SBJGA5N4CU4VBPHJPPPJL5O", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ORJX2LF6KMPIHP6B2P6KZIVKMLE3LVJ5", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZMX5YHELQVCGKKQVFXIYOTBMN23YYSRO", + "https://nvd.nist.gov/vuln/detail/CVE-2022-31129", + "https://security.netapp.com/advisory/ntap-20221014-0003", + "https://security.netapp.com/advisory/ntap-20221014-0003/", + "https://ubuntu.com/security/notices/USN-5559-1", + "https://ubuntu.com/security/notices/USN-6550-1", + "https://www.cve.org/CVERecord?id=CVE-2022-31129", + ], + "vulnerabilityId": "CVE-2022-31129", + }, + "category": "NPM Package Vulnerability", + "description": "moment is a JavaScript date library for parsing, validating, manipulating, and formatting dates. Affected versions of moment were found to use an inefficient parsing algorithm. Specifically using string-to-date parsing in moment (more specifically rfc2822 parsing, which is tried by default) has quadratic (N^2) complexity on specific inputs. Users may notice a noticeable slowdown is observed with inputs above 10k characters. Users who pass user-provided strings without sanity length checks to moment constructor are vulnerable to (Re)DoS attacks. 
The problem is patched in 2.29.4, the patch can be applied to all affected versions with minimal tweaking. Users are advised to upgrade. Users unable to upgrade should consider limiting date lengths accepted from user input.", + "location": "bkimminich/juice-shop:v10.2.0", + "mitigation": "Update the affected package moment to the fixed version: 2.29.4 or remove the package from the image.", + "name": "moment: inefficient parsing algorithm resulting in DoS", + "osi_layer": "NOT_APPLICABLE", + "references": [ + { + "type": "CVE", + "value": "CVE-2022-31129", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2022-31129", + }, + { + "type": "URL", + "value": "https://access.redhat.com/security/cve/CVE-2022-31129", + }, + { + "type": "URL", + "value": "https://github.com/moment/moment", + }, + { + "type": "URL", + "value": "https://github.com/moment/moment/commit/9a3b5894f3d5d602948ac8a02e4ee528a49ca3a3", + }, + { + "type": "URL", + "value": "https://github.com/moment/moment/pull/6015#issuecomment-1152961973", + }, + { + "type": "URL", + "value": "https://github.com/moment/moment/pull/6015/commits/4bbb9f3ccbe231de40207503f344fe5ce97584f4", + }, + { + "type": "URL", + "value": "https://github.com/moment/moment/pull/6015/commits/bfd4f2375d5c1a2106246721d693a9611dddfbfe", + }, + { + "type": "URL", + "value": "https://github.com/moment/moment/pull/6015/commits/dc0d180e90d8a84f7ff13572363330a22b3ea504", + }, + { + "type": "URL", + "value": "https://github.com/moment/moment/security/advisories/GHSA-wc69-rhjr-hc9g", + }, + { + "type": "URL", + "value": "https://huntr.dev/bounties/f0952b67-f2ff-44a9-a9cd-99e0a87cb633", + }, + { + "type": "URL", + "value": "https://huntr.dev/bounties/f0952b67-f2ff-44a9-a9cd-99e0a87cb633/", + }, + { + "type": "URL", + "value": "https://lists.debian.org/debian-lts-announce/2023/01/msg00035.html", + }, + { + "type": "URL", + "value": 
"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6QIO6YNLTK2T7SPKDS4JEL45FANLNC2Q/", + }, + { + "type": "URL", + "value": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IWY24RJA3SBJGA5N4CU4VBPHJPPPJL5O/", + }, + { + "type": "URL", + "value": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ORJX2LF6KMPIHP6B2P6KZIVKMLE3LVJ5/", + }, + { + "type": "URL", + "value": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZMX5YHELQVCGKKQVFXIYOTBMN23YYSRO/", + }, + { + "type": "URL", + "value": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6QIO6YNLTK2T7SPKDS4JEL45FANLNC2Q", + }, + { + "type": "URL", + "value": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IWY24RJA3SBJGA5N4CU4VBPHJPPPJL5O", + }, + { + "type": "URL", + "value": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ORJX2LF6KMPIHP6B2P6KZIVKMLE3LVJ5", + }, + { + "type": "URL", + "value": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZMX5YHELQVCGKKQVFXIYOTBMN23YYSRO", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2022-31129", + }, + { + "type": "URL", + "value": "https://security.netapp.com/advisory/ntap-20221014-0003", + }, + { + "type": "URL", + "value": "https://security.netapp.com/advisory/ntap-20221014-0003/", + }, + { + "type": "URL", + "value": "https://ubuntu.com/security/notices/USN-5559-1", + }, + { + "type": "URL", + "value": "https://ubuntu.com/security/notices/USN-6550-1", + }, + { + "type": "URL", + "value": "https://www.cve.org/CVERecord?id=CVE-2022-31129", + }, + ], + "severity": "HIGH", + }, + { + "attributes": { + "fixedVersion": "2.29.4", + "foundIn": "Node.js", + "installedVersion": 
"2.24.0", + "packageName": "moment", + "references": [ + "https://access.redhat.com/security/cve/CVE-2022-31129", + "https://github.com/moment/moment", + "https://github.com/moment/moment/commit/9a3b5894f3d5d602948ac8a02e4ee528a49ca3a3", + "https://github.com/moment/moment/pull/6015#issuecomment-1152961973", + "https://github.com/moment/moment/pull/6015/commits/4bbb9f3ccbe231de40207503f344fe5ce97584f4", + "https://github.com/moment/moment/pull/6015/commits/bfd4f2375d5c1a2106246721d693a9611dddfbfe", + "https://github.com/moment/moment/pull/6015/commits/dc0d180e90d8a84f7ff13572363330a22b3ea504", + "https://github.com/moment/moment/security/advisories/GHSA-wc69-rhjr-hc9g", + "https://huntr.dev/bounties/f0952b67-f2ff-44a9-a9cd-99e0a87cb633", + "https://huntr.dev/bounties/f0952b67-f2ff-44a9-a9cd-99e0a87cb633/", + "https://lists.debian.org/debian-lts-announce/2023/01/msg00035.html", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6QIO6YNLTK2T7SPKDS4JEL45FANLNC2Q/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IWY24RJA3SBJGA5N4CU4VBPHJPPPJL5O/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ORJX2LF6KMPIHP6B2P6KZIVKMLE3LVJ5/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZMX5YHELQVCGKKQVFXIYOTBMN23YYSRO/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6QIO6YNLTK2T7SPKDS4JEL45FANLNC2Q", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IWY24RJA3SBJGA5N4CU4VBPHJPPPJL5O", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ORJX2LF6KMPIHP6B2P6KZIVKMLE3LVJ5", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZMX5YHELQVCGKKQVFXIYOTBMN23YYSRO", + 
"https://nvd.nist.gov/vuln/detail/CVE-2022-31129", + "https://security.netapp.com/advisory/ntap-20221014-0003", + "https://security.netapp.com/advisory/ntap-20221014-0003/", + "https://ubuntu.com/security/notices/USN-5559-1", + "https://ubuntu.com/security/notices/USN-6550-1", + "https://www.cve.org/CVERecord?id=CVE-2022-31129", + ], + "vulnerabilityId": "CVE-2022-31129", + }, + "category": "NPM Package Vulnerability", + "description": "moment is a JavaScript date library for parsing, validating, manipulating, and formatting dates. Affected versions of moment were found to use an inefficient parsing algorithm. Specifically using string-to-date parsing in moment (more specifically rfc2822 parsing, which is tried by default) has quadratic (N^2) complexity on specific inputs. Users may notice a noticeable slowdown is observed with inputs above 10k characters. Users who pass user-provided strings without sanity length checks to moment constructor are vulnerable to (Re)DoS attacks. The problem is patched in 2.29.4, the patch can be applied to all affected versions with minimal tweaking. Users are advised to upgrade. 
Users unable to upgrade should consider limiting date lengths accepted from user input.", + "location": "bkimminich/juice-shop:v10.2.0", + "mitigation": "Update the affected package moment to the fixed version: 2.29.4 or remove the package from the image.", + "name": "moment: inefficient parsing algorithm resulting in DoS", + "osi_layer": "NOT_APPLICABLE", + "references": [ + { + "type": "CVE", + "value": "CVE-2022-31129", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2022-31129", + }, + { + "type": "URL", + "value": "https://access.redhat.com/security/cve/CVE-2022-31129", + }, + { + "type": "URL", + "value": "https://github.com/moment/moment", + }, + { + "type": "URL", + "value": "https://github.com/moment/moment/commit/9a3b5894f3d5d602948ac8a02e4ee528a49ca3a3", + }, + { + "type": "URL", + "value": "https://github.com/moment/moment/pull/6015#issuecomment-1152961973", + }, + { + "type": "URL", + "value": "https://github.com/moment/moment/pull/6015/commits/4bbb9f3ccbe231de40207503f344fe5ce97584f4", + }, + { + "type": "URL", + "value": "https://github.com/moment/moment/pull/6015/commits/bfd4f2375d5c1a2106246721d693a9611dddfbfe", + }, + { + "type": "URL", + "value": "https://github.com/moment/moment/pull/6015/commits/dc0d180e90d8a84f7ff13572363330a22b3ea504", + }, + { + "type": "URL", + "value": "https://github.com/moment/moment/security/advisories/GHSA-wc69-rhjr-hc9g", + }, + { + "type": "URL", + "value": "https://huntr.dev/bounties/f0952b67-f2ff-44a9-a9cd-99e0a87cb633", + }, + { + "type": "URL", + "value": "https://huntr.dev/bounties/f0952b67-f2ff-44a9-a9cd-99e0a87cb633/", + }, + { + "type": "URL", + "value": "https://lists.debian.org/debian-lts-announce/2023/01/msg00035.html", + }, + { + "type": "URL", + "value": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6QIO6YNLTK2T7SPKDS4JEL45FANLNC2Q/", + }, + { + "type": "URL", + "value": 
"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IWY24RJA3SBJGA5N4CU4VBPHJPPPJL5O/", + }, + { + "type": "URL", + "value": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ORJX2LF6KMPIHP6B2P6KZIVKMLE3LVJ5/", + }, + { + "type": "URL", + "value": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZMX5YHELQVCGKKQVFXIYOTBMN23YYSRO/", + }, + { + "type": "URL", + "value": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6QIO6YNLTK2T7SPKDS4JEL45FANLNC2Q", + }, + { + "type": "URL", + "value": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IWY24RJA3SBJGA5N4CU4VBPHJPPPJL5O", + }, + { + "type": "URL", + "value": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ORJX2LF6KMPIHP6B2P6KZIVKMLE3LVJ5", + }, + { + "type": "URL", + "value": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZMX5YHELQVCGKKQVFXIYOTBMN23YYSRO", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2022-31129", + }, + { + "type": "URL", + "value": "https://security.netapp.com/advisory/ntap-20221014-0003", + }, + { + "type": "URL", + "value": "https://security.netapp.com/advisory/ntap-20221014-0003/", + }, + { + "type": "URL", + "value": "https://ubuntu.com/security/notices/USN-5559-1", + }, + { + "type": "URL", + "value": "https://ubuntu.com/security/notices/USN-6550-1", + }, + { + "type": "URL", + "value": "https://www.cve.org/CVERecord?id=CVE-2022-31129", + }, + ], + "severity": "HIGH", + }, + { + "attributes": { + "fixedVersion": "2.29.4", + "foundIn": "Node.js", + "installedVersion": "2.24.0", + "packageName": "moment", + "references": [ + "https://access.redhat.com/security/cve/CVE-2022-31129", + "https://github.com/moment/moment", + 
"https://github.com/moment/moment/commit/9a3b5894f3d5d602948ac8a02e4ee528a49ca3a3", + "https://github.com/moment/moment/pull/6015#issuecomment-1152961973", + "https://github.com/moment/moment/pull/6015/commits/4bbb9f3ccbe231de40207503f344fe5ce97584f4", + "https://github.com/moment/moment/pull/6015/commits/bfd4f2375d5c1a2106246721d693a9611dddfbfe", + "https://github.com/moment/moment/pull/6015/commits/dc0d180e90d8a84f7ff13572363330a22b3ea504", + "https://github.com/moment/moment/security/advisories/GHSA-wc69-rhjr-hc9g", + "https://huntr.dev/bounties/f0952b67-f2ff-44a9-a9cd-99e0a87cb633", + "https://huntr.dev/bounties/f0952b67-f2ff-44a9-a9cd-99e0a87cb633/", + "https://lists.debian.org/debian-lts-announce/2023/01/msg00035.html", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6QIO6YNLTK2T7SPKDS4JEL45FANLNC2Q/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IWY24RJA3SBJGA5N4CU4VBPHJPPPJL5O/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ORJX2LF6KMPIHP6B2P6KZIVKMLE3LVJ5/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZMX5YHELQVCGKKQVFXIYOTBMN23YYSRO/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6QIO6YNLTK2T7SPKDS4JEL45FANLNC2Q", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IWY24RJA3SBJGA5N4CU4VBPHJPPPJL5O", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ORJX2LF6KMPIHP6B2P6KZIVKMLE3LVJ5", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZMX5YHELQVCGKKQVFXIYOTBMN23YYSRO", + "https://nvd.nist.gov/vuln/detail/CVE-2022-31129", + "https://security.netapp.com/advisory/ntap-20221014-0003", + "https://security.netapp.com/advisory/ntap-20221014-0003/", + 
"https://ubuntu.com/security/notices/USN-5559-1", + "https://ubuntu.com/security/notices/USN-6550-1", + "https://www.cve.org/CVERecord?id=CVE-2022-31129", + ], + "vulnerabilityId": "CVE-2022-31129", + }, + "category": "NPM Package Vulnerability", + "description": "moment is a JavaScript date library for parsing, validating, manipulating, and formatting dates. Affected versions of moment were found to use an inefficient parsing algorithm. Specifically using string-to-date parsing in moment (more specifically rfc2822 parsing, which is tried by default) has quadratic (N^2) complexity on specific inputs. Users may notice a noticeable slowdown is observed with inputs above 10k characters. Users who pass user-provided strings without sanity length checks to moment constructor are vulnerable to (Re)DoS attacks. The problem is patched in 2.29.4, the patch can be applied to all affected versions with minimal tweaking. Users are advised to upgrade. Users unable to upgrade should consider limiting date lengths accepted from user input.", + "location": "bkimminich/juice-shop:v10.2.0", + "mitigation": "Update the affected package moment to the fixed version: 2.29.4 or remove the package from the image.", + "name": "moment: inefficient parsing algorithm resulting in DoS", + "osi_layer": "NOT_APPLICABLE", + "references": [ + { + "type": "CVE", + "value": "CVE-2022-31129", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2022-31129", + }, + { + "type": "URL", + "value": "https://access.redhat.com/security/cve/CVE-2022-31129", + }, + { + "type": "URL", + "value": "https://github.com/moment/moment", + }, + { + "type": "URL", + "value": "https://github.com/moment/moment/commit/9a3b5894f3d5d602948ac8a02e4ee528a49ca3a3", + }, + { + "type": "URL", + "value": "https://github.com/moment/moment/pull/6015#issuecomment-1152961973", + }, + { + "type": "URL", + "value": "https://github.com/moment/moment/pull/6015/commits/4bbb9f3ccbe231de40207503f344fe5ce97584f4", + }, 
+ { + "type": "URL", + "value": "https://github.com/moment/moment/pull/6015/commits/bfd4f2375d5c1a2106246721d693a9611dddfbfe", + }, + { + "type": "URL", + "value": "https://github.com/moment/moment/pull/6015/commits/dc0d180e90d8a84f7ff13572363330a22b3ea504", + }, + { + "type": "URL", + "value": "https://github.com/moment/moment/security/advisories/GHSA-wc69-rhjr-hc9g", + }, + { + "type": "URL", + "value": "https://huntr.dev/bounties/f0952b67-f2ff-44a9-a9cd-99e0a87cb633", + }, + { + "type": "URL", + "value": "https://huntr.dev/bounties/f0952b67-f2ff-44a9-a9cd-99e0a87cb633/", + }, + { + "type": "URL", + "value": "https://lists.debian.org/debian-lts-announce/2023/01/msg00035.html", + }, + { + "type": "URL", + "value": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6QIO6YNLTK2T7SPKDS4JEL45FANLNC2Q/", + }, + { + "type": "URL", + "value": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IWY24RJA3SBJGA5N4CU4VBPHJPPPJL5O/", + }, + { + "type": "URL", + "value": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ORJX2LF6KMPIHP6B2P6KZIVKMLE3LVJ5/", + }, + { + "type": "URL", + "value": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZMX5YHELQVCGKKQVFXIYOTBMN23YYSRO/", + }, + { + "type": "URL", + "value": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6QIO6YNLTK2T7SPKDS4JEL45FANLNC2Q", + }, + { + "type": "URL", + "value": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IWY24RJA3SBJGA5N4CU4VBPHJPPPJL5O", + }, + { + "type": "URL", + "value": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ORJX2LF6KMPIHP6B2P6KZIVKMLE3LVJ5", + }, + { + "type": "URL", + "value": 
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZMX5YHELQVCGKKQVFXIYOTBMN23YYSRO", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2022-31129", + }, + { + "type": "URL", + "value": "https://security.netapp.com/advisory/ntap-20221014-0003", + }, + { + "type": "URL", + "value": "https://security.netapp.com/advisory/ntap-20221014-0003/", + }, + { + "type": "URL", + "value": "https://ubuntu.com/security/notices/USN-5559-1", + }, + { + "type": "URL", + "value": "https://ubuntu.com/security/notices/USN-6550-1", + }, + { + "type": "URL", + "value": "https://www.cve.org/CVERecord?id=CVE-2022-31129", + }, + ], + "severity": "HIGH", + }, + { + "attributes": { + "fixedVersion": "2.29.4", + "foundIn": "Node.js", + "installedVersion": "2.24.0", + "packageName": "moment", + "references": [ + "https://access.redhat.com/security/cve/CVE-2022-31129", + "https://github.com/moment/moment", + "https://github.com/moment/moment/commit/9a3b5894f3d5d602948ac8a02e4ee528a49ca3a3", + "https://github.com/moment/moment/pull/6015#issuecomment-1152961973", + "https://github.com/moment/moment/pull/6015/commits/4bbb9f3ccbe231de40207503f344fe5ce97584f4", + "https://github.com/moment/moment/pull/6015/commits/bfd4f2375d5c1a2106246721d693a9611dddfbfe", + "https://github.com/moment/moment/pull/6015/commits/dc0d180e90d8a84f7ff13572363330a22b3ea504", + "https://github.com/moment/moment/security/advisories/GHSA-wc69-rhjr-hc9g", + "https://huntr.dev/bounties/f0952b67-f2ff-44a9-a9cd-99e0a87cb633", + "https://huntr.dev/bounties/f0952b67-f2ff-44a9-a9cd-99e0a87cb633/", + "https://lists.debian.org/debian-lts-announce/2023/01/msg00035.html", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6QIO6YNLTK2T7SPKDS4JEL45FANLNC2Q/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IWY24RJA3SBJGA5N4CU4VBPHJPPPJL5O/", + 
"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ORJX2LF6KMPIHP6B2P6KZIVKMLE3LVJ5/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZMX5YHELQVCGKKQVFXIYOTBMN23YYSRO/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6QIO6YNLTK2T7SPKDS4JEL45FANLNC2Q", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IWY24RJA3SBJGA5N4CU4VBPHJPPPJL5O", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ORJX2LF6KMPIHP6B2P6KZIVKMLE3LVJ5", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZMX5YHELQVCGKKQVFXIYOTBMN23YYSRO", + "https://nvd.nist.gov/vuln/detail/CVE-2022-31129", + "https://security.netapp.com/advisory/ntap-20221014-0003", + "https://security.netapp.com/advisory/ntap-20221014-0003/", + "https://ubuntu.com/security/notices/USN-5559-1", + "https://ubuntu.com/security/notices/USN-6550-1", + "https://www.cve.org/CVERecord?id=CVE-2022-31129", + ], + "vulnerabilityId": "CVE-2022-31129", + }, + "category": "NPM Package Vulnerability", + "description": "moment is a JavaScript date library for parsing, validating, manipulating, and formatting dates. Affected versions of moment were found to use an inefficient parsing algorithm. Specifically using string-to-date parsing in moment (more specifically rfc2822 parsing, which is tried by default) has quadratic (N^2) complexity on specific inputs. Users may notice a noticeable slowdown is observed with inputs above 10k characters. Users who pass user-provided strings without sanity length checks to moment constructor are vulnerable to (Re)DoS attacks. The problem is patched in 2.29.4, the patch can be applied to all affected versions with minimal tweaking. Users are advised to upgrade. 
Users unable to upgrade should consider limiting date lengths accepted from user input.", + "location": "bkimminich/juice-shop:v10.2.0", + "mitigation": "Update the affected package moment to the fixed version: 2.29.4 or remove the package from the image.", + "name": "moment: inefficient parsing algorithm resulting in DoS", + "osi_layer": "NOT_APPLICABLE", + "references": [ + { + "type": "CVE", + "value": "CVE-2022-31129", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2022-31129", + }, + { + "type": "URL", + "value": "https://access.redhat.com/security/cve/CVE-2022-31129", + }, + { + "type": "URL", + "value": "https://github.com/moment/moment", + }, + { + "type": "URL", + "value": "https://github.com/moment/moment/commit/9a3b5894f3d5d602948ac8a02e4ee528a49ca3a3", + }, + { + "type": "URL", + "value": "https://github.com/moment/moment/pull/6015#issuecomment-1152961973", + }, + { + "type": "URL", + "value": "https://github.com/moment/moment/pull/6015/commits/4bbb9f3ccbe231de40207503f344fe5ce97584f4", + }, + { + "type": "URL", + "value": "https://github.com/moment/moment/pull/6015/commits/bfd4f2375d5c1a2106246721d693a9611dddfbfe", + }, + { + "type": "URL", + "value": "https://github.com/moment/moment/pull/6015/commits/dc0d180e90d8a84f7ff13572363330a22b3ea504", + }, + { + "type": "URL", + "value": "https://github.com/moment/moment/security/advisories/GHSA-wc69-rhjr-hc9g", + }, + { + "type": "URL", + "value": "https://huntr.dev/bounties/f0952b67-f2ff-44a9-a9cd-99e0a87cb633", + }, + { + "type": "URL", + "value": "https://huntr.dev/bounties/f0952b67-f2ff-44a9-a9cd-99e0a87cb633/", + }, + { + "type": "URL", + "value": "https://lists.debian.org/debian-lts-announce/2023/01/msg00035.html", + }, + { + "type": "URL", + "value": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6QIO6YNLTK2T7SPKDS4JEL45FANLNC2Q/", + }, + { + "type": "URL", + "value": 
"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IWY24RJA3SBJGA5N4CU4VBPHJPPPJL5O/", + }, + { + "type": "URL", + "value": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ORJX2LF6KMPIHP6B2P6KZIVKMLE3LVJ5/", + }, + { + "type": "URL", + "value": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZMX5YHELQVCGKKQVFXIYOTBMN23YYSRO/", + }, + { + "type": "URL", + "value": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6QIO6YNLTK2T7SPKDS4JEL45FANLNC2Q", + }, + { + "type": "URL", + "value": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IWY24RJA3SBJGA5N4CU4VBPHJPPPJL5O", + }, + { + "type": "URL", + "value": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ORJX2LF6KMPIHP6B2P6KZIVKMLE3LVJ5", + }, + { + "type": "URL", + "value": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZMX5YHELQVCGKKQVFXIYOTBMN23YYSRO", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2022-31129", + }, + { + "type": "URL", + "value": "https://security.netapp.com/advisory/ntap-20221014-0003", + }, + { + "type": "URL", + "value": "https://security.netapp.com/advisory/ntap-20221014-0003/", + }, + { + "type": "URL", + "value": "https://ubuntu.com/security/notices/USN-5559-1", + }, + { + "type": "URL", + "value": "https://ubuntu.com/security/notices/USN-6550-1", + }, + { + "type": "URL", + "value": "https://www.cve.org/CVERecord?id=CVE-2022-31129", + }, + ], + "severity": "HIGH", + }, + { + "attributes": { + "fixedVersion": "0.5.35", + "foundIn": "Node.js", + "installedVersion": "0.5.28", + "packageName": "moment-timezone", + "references": [ + "https://github.com/moment/moment-timezone", + 
"https://github.com/moment/moment-timezone/commit/7915ac567ab19700e44ad6b5d8ef0b85e48a9e75", + "https://github.com/moment/moment-timezone/security/advisories/GHSA-v78c-4p63-2j6c", + ], + "vulnerabilityId": "GHSA-v78c-4p63-2j6c", + }, + "category": "NPM Package Vulnerability", + "description": "### Impact + +* if Alice uses \`grunt data\` (or \`grunt release\`) to prepare a custom-build, moment-timezone with the latest tzdata from IANA's website +* and Mallory intercepts the request to IANA's unencrypted ftp server, Mallory can serve data which might exploit further stages of the moment-timezone tzdata pipeline, or potentially produce a tainted version of moment-timezone (practicality of such attacks is not proved) + +### Patches +Problem has been patched in version 0.5.35, patch should be applicable with minor modifications to all affected versions. The patch includes changing the FTP endpoint with an HTTPS endpoint. + +### Workarounds +Specify the exact version of tzdata (like \`2014d\`, full command being \`grunt data:2014d\`, then run the rest of the release tasks by hand), or just apply the patch before issuing the grunt command. 
+", + "location": "bkimminich/juice-shop:v10.2.0", + "mitigation": "Update the affected package moment-timezone to the fixed version: 0.5.35 or remove the package from the image.", + "name": "Cleartext Transmission of Sensitive Information in moment-timezone", + "osi_layer": "NOT_APPLICABLE", + "references": [ + { + "type": "URL", + "value": "https://github.com/moment/moment-timezone", + }, + { + "type": "URL", + "value": "https://github.com/moment/moment-timezone/commit/7915ac567ab19700e44ad6b5d8ef0b85e48a9e75", + }, + { + "type": "URL", + "value": "https://github.com/moment/moment-timezone/security/advisories/GHSA-v78c-4p63-2j6c", + }, + ], + "severity": "MEDIUM", + }, + { + "attributes": { + "fixedVersion": "0.5.35", + "foundIn": "Node.js", + "installedVersion": "0.5.28", + "packageName": "moment-timezone", + "references": [ + "https://github.com/moment/moment-timezone", + "https://github.com/moment/moment-timezone/commit/ce955a301ff372e8e9fb3a5b516620c60e7a082a", + "https://github.com/moment/moment-timezone/security/advisories/GHSA-56x4-j7p9-fcf9", + ], + "vulnerabilityId": "GHSA-56x4-j7p9-fcf9", + }, + "category": "NPM Package Vulnerability", + "description": "### Impact + +All versions of moment-timezone from 0.1.0 contain build tasks vulnerable to command injection. + +* if Alice uses tzdata pipeline to package moment-timezone on her own (for example via \`grunt data:2014d\`, where \`2014d\` stands for the version of the tzdata to be used from IANA's website), +* and Alice let's Mallory select the version (\`2014d\` in our example), then Mallory can execute arbitrary commands on the machine running the grunt task, with the same privilege as the grunt task + +#### Am I affected? + +##### Do you build custom versions of moment-timezone with grunt? + +If no, you're not affected. + +##### Do you allow a third party to specify which particular version you want build? 
+ +If yes, you're vulnerable to command injection -- third party may execute arbitrary commands on the system running grunt task with the same privileges as grunt task. + +### Description + +#### Command Injection via grunt-zdownload.js and MITM on iana's ftp endpoint + +The \`tasks/data-download.js\` script takes in a parameter from grunt and uses it to form a command line which is then executed: + +\`\`\` +6 module.exports = function (grunt) { +7 grunt.registerTask('data-download', '1. Download data from iana.org/time-zones.', function (version) { +8 version = version || 'latest'; + +10 var done = this.async(), +11 src = 'ftp://ftp.iana.org/tz/tzdata-latest.tar.gz', +12 curl = path.resolve('temp/curl', version, 'data.tar.gz'), +13 dest = path.resolve('temp/download', version); +... +24 exec('curl ' + src + ' -o ' + curl + ' && cd ' + dest + ' && gzip -dc ' + curl + ' | tar -xf -', function (err) { +\`\`\` + +Ordinarily, one one run this script using something like \`grunt data-download:2014d\`, in which case version would have the value \`2014d\`. However, if an attacker were to provide additional content on the command line, they would be able to execute arbitrary code + +\`\`\` +root@e94ba0490b65:/usr/src/app/moment-timezone# grunt 'data-download:2014d ; echo flag>/tmp/foo #' +\\Running "data-download:2014d ; echo flag>/tmp/foo #" (data-download) task +>> Downloading https://data.iana.org/time-zones/releases/tzdata2014d ; echo flag>/tmp/foo #.tar.gz +>> Downloaded https://data.iana.org/time-zones/releases/tzdata2014d ; echo flag>/tmp/foo #.tar.gz + +Done. +root@e94ba0490b65:/usr/src/app/moment-timezone# cat /tmp/foo +flag +\`\`\` + +#### Command Injection via data-zdump.js + +The \`tasks/data-zdump.js\` script reads a list of files present in a temporary directory (created by previous tasks), and for each one, assembles and executes a command line without sanitization. 
As a result, an attacker able to influence the contents of that directory could gain code execution. This attack is exacerbated by timezone data being downloaded via cleartext FTP (described above), but beyond that, an attacker at iana.org able to modify the timezone files could disrupt any systems that build moment-timezone. + +\`\`\` +15 files = grunt.file.expand({ filter : 'isFile', cwd : 'temp/zic/' + version }, '**/*'); +... +27 function next () { +... +33 var file = files.pop(), +34 src = path.join(zicBase, file), +35 dest = path.join(zdumpBase, file); +36 exec('zdump -v ' + src, { maxBuffer: 20*1024*1024 }, function (err, stdout) { +\`\`\` + +In this case, an attacker able to add a file to \`temp/zic/2014d\` (for example) with a filename like \`Z; curl www.example.com\` would influence the called to exec on line 36 and run arbitrary code. There are a few minor challenges in exploiting this, since the string needs to be a valid filename. + +#### Command Injection via data-zic.js + +Similar to the vulnerability in /tasks/data-download.js, the /tasks/data-zic.js script takes a version from the command line and uses it as part of a command line, executed without sanitization. + +\`\`\` +10 var done = this.async(), +11 dest = path.resolve('temp/zic', version), +... +22 var file = files.shift(), +23 src = path.resolve('temp/download', version, file); +24 +25 exec('zic -d ' + dest + ' ' + src, function (err) { +\`\`\` + +As a result, an attacker able to influence that string can run arbitrary commands. Of course, it requires an attacker able to influence the command passed to grunt, so may be unlikely in practice. + +\`\`\` +root@e94ba0490b65:/usr/src/app/moment-timezone# grunt 'data-zic:2014d; echo hi > /tmp/evil; echo ' +Running "data-zic:2014d; echo hi > /tmp/evil; echo " (data-zic) task +exec: zid -d /usr/src/app/moment-timezone/temp/zic/2014d; echo hi > /tmp/evil; echo /usr/src/app/moment-timezone/temp/download/2014d; echo hi > /tmp/evil; echo /africa +... 
+ +root@e94ba0490b65:/usr/src/app/moment-timezone# cat /tmp/evil +hi +\`\`\` + +### Patches + +The supplied patch on top of 0.5.34 is applicable with minor tweaks to all affected versions. It switches \`exec\` to \`execFile\` so arbitrary bash fragments won't be executed any more. + +### References + +* https://knowledge-base.secureflag.com/vulnerabilities/code_injection/os_command_injection_nodejs.html +* https://auth0.com/blog/preventing-command-injection-attacks-in-node-js-apps/", + "location": "bkimminich/juice-shop:v10.2.0", + "mitigation": "Update the affected package moment-timezone to the fixed version: 0.5.35 or remove the package from the image.", + "name": "Command Injection in moment-timezone", + "osi_layer": "NOT_APPLICABLE", + "references": [ + { + "type": "URL", + "value": "https://github.com/moment/moment-timezone", + }, + { + "type": "URL", + "value": "https://github.com/moment/moment-timezone/commit/ce955a301ff372e8e9fb3a5b516620c60e7a082a", + }, + { + "type": "URL", + "value": "https://github.com/moment/moment-timezone/security/advisories/GHSA-56x4-j7p9-fcf9", + }, + ], + "severity": "LOW", + }, + { + "attributes": { + "fixedVersion": "1.2.3", + "foundIn": "Node.js", + "installedVersion": "1.2.2", + "packageName": "mout", + "references": [ + "https://github.com/mout/mout/blob/master/src/object/deepFillIn.js", + "https://github.com/mout/mout/blob/master/src/object/deepMixIn.js", + "https://github.com/mout/mout/commit/3fecf1333e6d71ae72edf48c71dc665e40df7605", + "https://nvd.nist.gov/vuln/detail/CVE-2020-7792", + "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-1050374", + "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1050373", + "https://snyk.io/vuln/SNYK-JS-MOUT-1014544", + ], + "vulnerabilityId": "CVE-2020-7792", + }, + "category": "NPM Package Vulnerability", + "description": "This affects all versions of package mout. 
The deepFillIn function can be used to 'fill missing properties recursively', while the deepMixIn 'mixes objects into the target object, recursively mixing existing child objects as well'. In both cases, the key used to access the target object recursively is not checked, leading to a Prototype Pollution.", + "location": "bkimminich/juice-shop:v10.2.0", + "mitigation": "Update the affected package mout to the fixed version: 1.2.3 or remove the package from the image.", + "name": "Prototype Pollution in mout", + "osi_layer": "NOT_APPLICABLE", + "references": [ + { + "type": "CVE", + "value": "CVE-2020-7792", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2020-7792", + }, + { + "type": "URL", + "value": "https://github.com/mout/mout/blob/master/src/object/deepFillIn.js", + }, + { + "type": "URL", + "value": "https://github.com/mout/mout/blob/master/src/object/deepMixIn.js", + }, + { + "type": "URL", + "value": "https://github.com/mout/mout/commit/3fecf1333e6d71ae72edf48c71dc665e40df7605", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2020-7792", + }, + { + "type": "URL", + "value": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-1050374", + }, + { + "type": "URL", + "value": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1050373", + }, + { + "type": "URL", + "value": "https://snyk.io/vuln/SNYK-JS-MOUT-1014544", + }, + ], + "severity": "HIGH", + }, + { + "attributes": { + "fixedVersion": "1.2.4", + "foundIn": "Node.js", + "installedVersion": "1.2.2", + "packageName": "mout", + "references": [ + "https://github.com/mout/mout", + "https://github.com/mout/mout/blob/master/src/object/deepFillIn.js", + "https://github.com/mout/mout/blob/master/src/object/deepMixIn.js", + "https://github.com/mout/mout/commit/17ffdc2a96417a63a0147156dc045e90d0d14c64", + "https://github.com/mout/mout/pull/279", + "https://nvd.nist.gov/vuln/detail/CVE-2022-21213", + "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-2870623", + 
"https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-2870622", + "https://snyk.io/vuln/SNYK-JS-MOUT-2342654", + ], + "vulnerabilityId": "CVE-2022-21213", + }, + "category": "NPM Package Vulnerability", + "description": "This affects all versions of package mout. The deepFillIn function can be used to 'fill missing properties recursively', while the deepMixIn mixes objects into the target object, recursively mixing existing child objects as well. In both cases, the key used to access the target object recursively is not checked, leading to exploiting this vulnerability. **Note:** This vulnerability derives from an incomplete fix of [CVE-2020-7792](https://security.snyk.io/vuln/SNYK-JS-MOUT-1014544).", + "location": "bkimminich/juice-shop:v10.2.0", + "mitigation": "Update the affected package mout to the fixed version: 1.2.4 or remove the package from the image.", + "name": "Prototype Pollution in mout", + "osi_layer": "NOT_APPLICABLE", + "references": [ + { + "type": "CVE", + "value": "CVE-2022-21213", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2022-21213", + }, + { + "type": "URL", + "value": "https://github.com/mout/mout", + }, + { + "type": "URL", + "value": "https://github.com/mout/mout/blob/master/src/object/deepFillIn.js", + }, + { + "type": "URL", + "value": "https://github.com/mout/mout/blob/master/src/object/deepMixIn.js", + }, + { + "type": "URL", + "value": "https://github.com/mout/mout/commit/17ffdc2a96417a63a0147156dc045e90d0d14c64", + }, + { + "type": "URL", + "value": "https://github.com/mout/mout/pull/279", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2022-21213", + }, + { + "type": "URL", + "value": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-2870623", + }, + { + "type": "URL", + "value": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-2870622", + }, + { + "type": "URL", + "value": "https://snyk.io/vuln/SNYK-JS-MOUT-2342654", + }, + ], + "severity": "HIGH", + }, + { + "attributes": { + 
"fixedVersion": undefined, + "foundIn": "Node.js", + "installedVersion": "1.3.3", + "packageName": "notevil", + "references": [ + "https://github.com/mmckegg/notevil", + "https://nvd.nist.gov/vuln/detail/CVE-2021-23771", + "https://snyk.io/vuln/SNYK-JS-ARGENCODERSNOTEVIL-2388587", + "https://snyk.io/vuln/SNYK-JS-NOTEVIL-2385946", + ], + "vulnerabilityId": "CVE-2021-23771", + }, + "category": "NPM Package Vulnerability", + "description": "This affects all versions of package notevil; all versions of package argencoders-notevil. It is vulnerable to Sandbox Escape leading to Prototype pollution. The package fails to restrict access to the main context, allowing an attacker to add or modify an object's prototype. **Note:** This vulnerability derives from an incomplete fix in [SNYK-JS-NOTEVIL-608878](https://security.snyk.io/vuln/SNYK-JS-NOTEVIL-608878).", + "location": "bkimminich/juice-shop:v10.2.0", + "mitigation": "Update the affected package notevil to the fixed version: undefined or remove the package from the image.", + "name": "Sandbox escape in notevil and argencoders-notevil", + "osi_layer": "NOT_APPLICABLE", + "references": [ + { + "type": "CVE", + "value": "CVE-2021-23771", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2021-23771", + }, + { + "type": "URL", + "value": "https://github.com/mmckegg/notevil", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2021-23771", + }, + { + "type": "URL", + "value": "https://snyk.io/vuln/SNYK-JS-ARGENCODERSNOTEVIL-2388587", + }, + { + "type": "URL", + "value": "https://snyk.io/vuln/SNYK-JS-NOTEVIL-2385946", + }, + ], + "severity": "MEDIUM", + }, + { + "attributes": { + "fixedVersion": "6.14.6", + "foundIn": "Node.js", + "installedVersion": "6.14.4", + "packageName": "npm", + "references": [ + "http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00011.html", + "http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00015.html", + 
"http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00023.html", + "https://access.redhat.com/security/cve/CVE-2020-15095", + "https://errata.almalinux.org/8/ALSA-2021-0548.html", + "https://github.com/npm/cli/blob/66aab417f836a901f8afb265251f761bb0422463/CHANGELOG.md#6146-2020-07-07", + "https://github.com/npm/cli/commit/a9857b8f6869451ff058789c4631fadfde5bbcbc", + "https://github.com/npm/cli/security/advisories/GHSA-93f3-23rq-pjfp", + "https://linux.oracle.com/cve/CVE-2020-15095.html", + "https://linux.oracle.com/errata/ELSA-2021-0548.html", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4OOYAMJVLLCLXDTHW3V5UXNULZBBK4O6/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4OOYAMJVLLCLXDTHW3V5UXNULZBBK4O6", + "https://nvd.nist.gov/vuln/detail/CVE-2020-15095", + "https://security.gentoo.org/glsa/202101-07", + "https://www.cve.org/CVERecord?id=CVE-2020-15095", + ], + "vulnerabilityId": "CVE-2020-15095", + }, + "category": "NPM Package Vulnerability", + "description": "Versions of the npm CLI prior to 6.14.6 are vulnerable to an information exposure vulnerability through log files. The CLI supports URLs like "://[[:]@][:][:][/]". 
The password value is not redacted and is printed to stdout and also to any generated log files.", + "location": "bkimminich/juice-shop:v10.2.0", + "mitigation": "Update the affected package npm to the fixed version: 6.14.6 or remove the package from the image.", + "name": "npm: sensitive information exposure through logs", + "osi_layer": "NOT_APPLICABLE", + "references": [ + { + "type": "CVE", + "value": "CVE-2020-15095", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2020-15095", + }, + { + "type": "URL", + "value": "http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00011.html", + }, + { + "type": "URL", + "value": "http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00015.html", + }, + { + "type": "URL", + "value": "http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00023.html", + }, + { + "type": "URL", + "value": "https://access.redhat.com/security/cve/CVE-2020-15095", + }, + { + "type": "URL", + "value": "https://errata.almalinux.org/8/ALSA-2021-0548.html", + }, + { + "type": "URL", + "value": "https://github.com/npm/cli/blob/66aab417f836a901f8afb265251f761bb0422463/CHANGELOG.md#6146-2020-07-07", + }, + { + "type": "URL", + "value": "https://github.com/npm/cli/commit/a9857b8f6869451ff058789c4631fadfde5bbcbc", + }, + { + "type": "URL", + "value": "https://github.com/npm/cli/security/advisories/GHSA-93f3-23rq-pjfp", + }, + { + "type": "URL", + "value": "https://linux.oracle.com/cve/CVE-2020-15095.html", + }, + { + "type": "URL", + "value": "https://linux.oracle.com/errata/ELSA-2021-0548.html", + }, + { + "type": "URL", + "value": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4OOYAMJVLLCLXDTHW3V5UXNULZBBK4O6/", + }, + { + "type": "URL", + "value": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4OOYAMJVLLCLXDTHW3V5UXNULZBBK4O6", + }, + { + "type": "URL", + "value": 
"https://nvd.nist.gov/vuln/detail/CVE-2020-15095", + }, + { + "type": "URL", + "value": "https://security.gentoo.org/glsa/202101-07", + }, + { + "type": "URL", + "value": "https://www.cve.org/CVERecord?id=CVE-2020-15095", + }, + ], + "severity": "MEDIUM", + }, + { + "attributes": { + "fixedVersion": "4.0.5, 8.1.1", + "foundIn": "Node.js", + "installedVersion": "4.0.3", + "packageName": "npm-registry-fetch", + "references": [ + "https://github.com/npm/npm-registry-fetch", + "https://github.com/npm/npm-registry-fetch/commit/18bf9b97fb1deecdba01ffb05580370846255c88", + "https://github.com/npm/npm-registry-fetch/pull/29", + "https://github.com/npm/npm-registry-fetch/security/advisories/GHSA-jmqm-f2gx-4fjv", + "https://snyk.io/vuln/SNYK-JS-NPMREGISTRYFETCH-575432", + ], + "vulnerabilityId": "GHSA-jmqm-f2gx-4fjv", + }, + "category": "NPM Package Vulnerability", + "description": "Affected versions of \`npm-registry-fetch\` are vulnerable to an information exposure vulnerability through log files. The cli supports URLs like \`://[[:]@][:][:][/]\`. 
The password value is not redacted and is printed to stdout and also to any generated log files.", + "location": "bkimminich/juice-shop:v10.2.0", + "mitigation": "Update the affected package npm-registry-fetch to the fixed version: 4.0.5, 8.1.1 or remove the package from the image.", + "name": "Sensitive information exposure through logs in npm-registry-fetch", + "osi_layer": "NOT_APPLICABLE", + "references": [ + { + "type": "URL", + "value": "https://github.com/npm/npm-registry-fetch", + }, + { + "type": "URL", + "value": "https://github.com/npm/npm-registry-fetch/commit/18bf9b97fb1deecdba01ffb05580370846255c88", + }, + { + "type": "URL", + "value": "https://github.com/npm/npm-registry-fetch/pull/29", + }, + { + "type": "URL", + "value": "https://github.com/npm/npm-registry-fetch/security/advisories/GHSA-jmqm-f2gx-4fjv", + }, + { + "type": "URL", + "value": "https://snyk.io/vuln/SNYK-JS-NPMREGISTRYFETCH-575432", + }, + ], + "severity": "MEDIUM", + }, + { + "attributes": { + "fixedVersion": "1.0.1", + "foundIn": "Node.js", + "installedVersion": "1.0.0", + "packageName": "npm-user-validate", + "references": [ + "https://access.redhat.com/security/cve/CVE-2020-7754", + "https://errata.almalinux.org/8/ALSA-2021-0551.html", + "https://github.com/npm/npm-user-validate/commit/c8a87dac1a4cc6988b5418f30411a8669bef204e", + "https://github.com/npm/npm-user-validate/security/advisories/GHSA-xgh6-85xh-479p", + "https://linux.oracle.com/cve/CVE-2020-7754.html", + "https://linux.oracle.com/errata/ELSA-2021-0551.html", + "https://nvd.nist.gov/vuln/detail/CVE-2020-7754", + "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1019353", + "https://snyk.io/vuln/SNYK-JS-NPMUSERVALIDATE-1019352", + "https://www.cve.org/CVERecord?id=CVE-2020-7754", + ], + "vulnerabilityId": "CVE-2020-7754", + }, + "category": "NPM Package Vulnerability", + "description": "This affects the package npm-user-validate before 1.0.1. 
The regex that validates user emails took exponentially longer to process long input strings beginning with @ characters.", + "location": "bkimminich/juice-shop:v10.2.0", + "mitigation": "Update the affected package npm-user-validate to the fixed version: 1.0.1 or remove the package from the image.", + "name": "nodejs-npm-user-validate: improper input validation when validating user emails leads to ReDoS", + "osi_layer": "NOT_APPLICABLE", + "references": [ + { + "type": "CVE", + "value": "CVE-2020-7754", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2020-7754", + }, + { + "type": "URL", + "value": "https://access.redhat.com/security/cve/CVE-2020-7754", + }, + { + "type": "URL", + "value": "https://errata.almalinux.org/8/ALSA-2021-0551.html", + }, + { + "type": "URL", + "value": "https://github.com/npm/npm-user-validate/commit/c8a87dac1a4cc6988b5418f30411a8669bef204e", + }, + { + "type": "URL", + "value": "https://github.com/npm/npm-user-validate/security/advisories/GHSA-xgh6-85xh-479p", + }, + { + "type": "URL", + "value": "https://linux.oracle.com/cve/CVE-2020-7754.html", + }, + { + "type": "URL", + "value": "https://linux.oracle.com/errata/ELSA-2021-0551.html", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2020-7754", + }, + { + "type": "URL", + "value": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1019353", + }, + { + "type": "URL", + "value": "https://snyk.io/vuln/SNYK-JS-NPMUSERVALIDATE-1019352", + }, + { + "type": "URL", + "value": "https://www.cve.org/CVERecord?id=CVE-2020-7754", + }, + ], + "severity": "HIGH", + }, + { + "attributes": { + "fixedVersion": "1.0.1", + "foundIn": "Node.js", + "installedVersion": "1.0.0", + "packageName": "npm-user-validate", + "references": [ + "https://github.com/npm/npm-user-validate/security/advisories/GHSA-xgh6-85xh-479p", + ], + "vulnerabilityId": "GHSA-xgh6-85xh-479p", + }, + "category": "NPM Package Vulnerability", + "description": "\`npm-user-validate\` before 
version \`1.0.1\` is vulnerable to a Regular Expression Denial of Service (REDos). The regex that validates user emails took exponentially longer to process long input strings beginning with \`@\` characters. + +### Impact +The issue affects the \`email\` function. If you use this function to process arbitrary user input with no character limit the application may be susceptible to Denial of Service. + +### Patches +The issue is patched in version 1.0.1 by improving the regular expression used and also enforcing a 254 character limit. + +### Workarounds +Restrict the character length to a reasonable degree before passing a value to \`.emal()\`; Also, consider doing a more rigorous sanitizing/validation beforehand.", + "location": "bkimminich/juice-shop:v10.2.0", + "mitigation": "Update the affected package npm-user-validate to the fixed version: 1.0.1 or remove the package from the image.", + "name": "Regular Expression Denial of Service in npm-user-validate", + "osi_layer": "NOT_APPLICABLE", + "references": [ + { + "type": "URL", + "value": "https://github.com/npm/npm-user-validate/security/advisories/GHSA-xgh6-85xh-479p", + }, + ], + "severity": "LOW", + }, + { + "attributes": { + "fixedVersion": "1.0.7", + "foundIn": "Node.js", + "installedVersion": "1.0.6", + "packageName": "path-parse", + "references": [ + "https://access.redhat.com/security/cve/CVE-2021-23343", + "https://bugzilla.redhat.com/show_bug.cgi?id=1956818", + "https://bugzilla.redhat.com/show_bug.cgi?id=1988342", + "https://bugzilla.redhat.com/show_bug.cgi?id=1988394", + "https://bugzilla.redhat.com/show_bug.cgi?id=1990409", + "https://bugzilla.redhat.com/show_bug.cgi?id=1990415", + "https://bugzilla.redhat.com/show_bug.cgi?id=1993019", + "https://bugzilla.redhat.com/show_bug.cgi?id=1993029", + "https://bugzilla.redhat.com/show_bug.cgi?id=1993039", + "https://bugzilla.redhat.com/show_bug.cgi?id=1993924", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22930", + 
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22931", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22939", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22940", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23343", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-32803", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-32804", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3672", + "https://errata.almalinux.org/8/ALSA-2021-3666.html", + "https://errata.rockylinux.org/RLSA-2021:3666", + "https://github.com/jbgutierrez/path-parse", + "https://github.com/jbgutierrez/path-parse/commit/eca63a7b9a473bf6978a2f5b7b3343662d1506f7", + "https://github.com/jbgutierrez/path-parse/issues/8", + "https://github.com/jbgutierrez/path-parse/pull/10", + "https://linux.oracle.com/cve/CVE-2021-23343.html", + "https://linux.oracle.com/errata/ELSA-2021-3666.html", + "https://lists.apache.org/thread.html/r6a32cb3eda3b19096ad48ef1e7aa8f26e005f2f63765abb69ce08b85%40%3Cdev.myfaces.apache.org%3E", + "https://lists.apache.org/thread.html/r6a32cb3eda3b19096ad48ef1e7aa8f26e005f2f63765abb69ce08b85@%3Cdev.myfaces.apache.org%3E", + "https://nvd.nist.gov/vuln/detail/CVE-2021-23343", + "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1279028", + "https://snyk.io/vuln/SNYK-JS-PATHPARSE-1077067", + "https://www.cve.org/CVERecord?id=CVE-2021-23343", + ], + "vulnerabilityId": "CVE-2021-23343", + }, + "category": "NPM Package Vulnerability", + "description": "All versions of package path-parse are vulnerable to Regular Expression Denial of Service (ReDoS) via splitDeviceRe, splitTailRe, and splitPathRe regular expressions. 
ReDoS exhibits polynomial worst-case time complexity.", + "location": "bkimminich/juice-shop:v10.2.0", + "mitigation": "Update the affected package path-parse to the fixed version: 1.0.7 or remove the package from the image.", + "name": "nodejs-path-parse: ReDoS via splitDeviceRe, splitTailRe and splitPathRe", + "osi_layer": "NOT_APPLICABLE", + "references": [ + { + "type": "CVE", + "value": "CVE-2021-23343", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2021-23343", + }, + { + "type": "URL", + "value": "https://access.redhat.com/security/cve/CVE-2021-23343", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/show_bug.cgi?id=1956818", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/show_bug.cgi?id=1988342", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/show_bug.cgi?id=1988394", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/show_bug.cgi?id=1990409", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/show_bug.cgi?id=1990415", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/show_bug.cgi?id=1993019", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/show_bug.cgi?id=1993029", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/show_bug.cgi?id=1993039", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/show_bug.cgi?id=1993924", + }, + { + "type": "URL", + "value": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22930", + }, + { + "type": "URL", + "value": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22931", + }, + { + "type": "URL", + "value": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22939", + }, + { + "type": "URL", + "value": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22940", + }, + { + "type": "URL", + "value": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23343", + }, + { + "type": "URL", + "value": 
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-32803", + }, + { + "type": "URL", + "value": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-32804", + }, + { + "type": "URL", + "value": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3672", + }, + { + "type": "URL", + "value": "https://errata.almalinux.org/8/ALSA-2021-3666.html", + }, + { + "type": "URL", + "value": "https://errata.rockylinux.org/RLSA-2021:3666", + }, + { + "type": "URL", + "value": "https://github.com/jbgutierrez/path-parse", + }, + { + "type": "URL", + "value": "https://github.com/jbgutierrez/path-parse/commit/eca63a7b9a473bf6978a2f5b7b3343662d1506f7", + }, + { + "type": "URL", + "value": "https://github.com/jbgutierrez/path-parse/issues/8", + }, + { + "type": "URL", + "value": "https://github.com/jbgutierrez/path-parse/pull/10", + }, + { + "type": "URL", + "value": "https://linux.oracle.com/cve/CVE-2021-23343.html", + }, + { + "type": "URL", + "value": "https://linux.oracle.com/errata/ELSA-2021-3666.html", + }, + { + "type": "URL", + "value": "https://lists.apache.org/thread.html/r6a32cb3eda3b19096ad48ef1e7aa8f26e005f2f63765abb69ce08b85%40%3Cdev.myfaces.apache.org%3E", + }, + { + "type": "URL", + "value": "https://lists.apache.org/thread.html/r6a32cb3eda3b19096ad48ef1e7aa8f26e005f2f63765abb69ce08b85@%3Cdev.myfaces.apache.org%3E", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2021-23343", + }, + { + "type": "URL", + "value": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1279028", + }, + { + "type": "URL", + "value": "https://snyk.io/vuln/SNYK-JS-PATHPARSE-1077067", + }, + { + "type": "URL", + "value": "https://www.cve.org/CVERecord?id=CVE-2021-23343", + }, + ], + "severity": "MEDIUM", + }, + { + "attributes": { + "fixedVersion": "1.0.7", + "foundIn": "Node.js", + "installedVersion": "1.0.6", + "packageName": "path-parse", + "references": [ + "https://access.redhat.com/security/cve/CVE-2021-23343", + 
"https://bugzilla.redhat.com/show_bug.cgi?id=1956818", + "https://bugzilla.redhat.com/show_bug.cgi?id=1988342", + "https://bugzilla.redhat.com/show_bug.cgi?id=1988394", + "https://bugzilla.redhat.com/show_bug.cgi?id=1990409", + "https://bugzilla.redhat.com/show_bug.cgi?id=1990415", + "https://bugzilla.redhat.com/show_bug.cgi?id=1993019", + "https://bugzilla.redhat.com/show_bug.cgi?id=1993029", + "https://bugzilla.redhat.com/show_bug.cgi?id=1993039", + "https://bugzilla.redhat.com/show_bug.cgi?id=1993924", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22930", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22931", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22939", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22940", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23343", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-32803", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-32804", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3672", + "https://errata.almalinux.org/8/ALSA-2021-3666.html", + "https://errata.rockylinux.org/RLSA-2021:3666", + "https://github.com/jbgutierrez/path-parse", + "https://github.com/jbgutierrez/path-parse/commit/eca63a7b9a473bf6978a2f5b7b3343662d1506f7", + "https://github.com/jbgutierrez/path-parse/issues/8", + "https://github.com/jbgutierrez/path-parse/pull/10", + "https://linux.oracle.com/cve/CVE-2021-23343.html", + "https://linux.oracle.com/errata/ELSA-2021-3666.html", + "https://lists.apache.org/thread.html/r6a32cb3eda3b19096ad48ef1e7aa8f26e005f2f63765abb69ce08b85%40%3Cdev.myfaces.apache.org%3E", + "https://lists.apache.org/thread.html/r6a32cb3eda3b19096ad48ef1e7aa8f26e005f2f63765abb69ce08b85@%3Cdev.myfaces.apache.org%3E", + "https://nvd.nist.gov/vuln/detail/CVE-2021-23343", + "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1279028", + "https://snyk.io/vuln/SNYK-JS-PATHPARSE-1077067", + "https://www.cve.org/CVERecord?id=CVE-2021-23343", + ], + 
"vulnerabilityId": "CVE-2021-23343", + }, + "category": "NPM Package Vulnerability", + "description": "All versions of package path-parse are vulnerable to Regular Expression Denial of Service (ReDoS) via splitDeviceRe, splitTailRe, and splitPathRe regular expressions. ReDoS exhibits polynomial worst-case time complexity.", + "location": "bkimminich/juice-shop:v10.2.0", + "mitigation": "Update the affected package path-parse to the fixed version: 1.0.7 or remove the package from the image.", + "name": "nodejs-path-parse: ReDoS via splitDeviceRe, splitTailRe and splitPathRe", + "osi_layer": "NOT_APPLICABLE", + "references": [ + { + "type": "CVE", + "value": "CVE-2021-23343", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2021-23343", + }, + { + "type": "URL", + "value": "https://access.redhat.com/security/cve/CVE-2021-23343", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/show_bug.cgi?id=1956818", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/show_bug.cgi?id=1988342", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/show_bug.cgi?id=1988394", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/show_bug.cgi?id=1990409", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/show_bug.cgi?id=1990415", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/show_bug.cgi?id=1993019", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/show_bug.cgi?id=1993029", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/show_bug.cgi?id=1993039", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/show_bug.cgi?id=1993924", + }, + { + "type": "URL", + "value": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22930", + }, + { + "type": "URL", + "value": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22931", + }, + { + "type": "URL", + "value": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22939", 
+ }, + { + "type": "URL", + "value": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22940", + }, + { + "type": "URL", + "value": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23343", + }, + { + "type": "URL", + "value": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-32803", + }, + { + "type": "URL", + "value": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-32804", + }, + { + "type": "URL", + "value": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3672", + }, + { + "type": "URL", + "value": "https://errata.almalinux.org/8/ALSA-2021-3666.html", + }, + { + "type": "URL", + "value": "https://errata.rockylinux.org/RLSA-2021:3666", + }, + { + "type": "URL", + "value": "https://github.com/jbgutierrez/path-parse", + }, + { + "type": "URL", + "value": "https://github.com/jbgutierrez/path-parse/commit/eca63a7b9a473bf6978a2f5b7b3343662d1506f7", + }, + { + "type": "URL", + "value": "https://github.com/jbgutierrez/path-parse/issues/8", + }, + { + "type": "URL", + "value": "https://github.com/jbgutierrez/path-parse/pull/10", + }, + { + "type": "URL", + "value": "https://linux.oracle.com/cve/CVE-2021-23343.html", + }, + { + "type": "URL", + "value": "https://linux.oracle.com/errata/ELSA-2021-3666.html", + }, + { + "type": "URL", + "value": "https://lists.apache.org/thread.html/r6a32cb3eda3b19096ad48ef1e7aa8f26e005f2f63765abb69ce08b85%40%3Cdev.myfaces.apache.org%3E", + }, + { + "type": "URL", + "value": "https://lists.apache.org/thread.html/r6a32cb3eda3b19096ad48ef1e7aa8f26e005f2f63765abb69ce08b85@%3Cdev.myfaces.apache.org%3E", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2021-23343", + }, + { + "type": "URL", + "value": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1279028", + }, + { + "type": "URL", + "value": "https://snyk.io/vuln/SNYK-JS-PATHPARSE-1077067", + }, + { + "type": "URL", + "value": "https://www.cve.org/CVERecord?id=CVE-2021-23343", + }, + ], + "severity": "MEDIUM", + }, + { + 
"attributes": { + "fixedVersion": "1.9.0, 0.1.10, 8.0.0, 3.3.0, 6.3.0", + "foundIn": "Node.js", + "installedVersion": "0.1.7", + "packageName": "path-to-regexp", + "references": [ + "https://access.redhat.com/security/cve/CVE-2024-45296", + "https://github.com/pillarjs/path-to-regexp", + "https://github.com/pillarjs/path-to-regexp/commit/29b96b4a1de52824e1ca0f49a701183cc4ed476f", + "https://github.com/pillarjs/path-to-regexp/commit/60f2121e9b66b7b622cc01080df0aabda9eedee6", + "https://github.com/pillarjs/path-to-regexp/commit/925ac8e3c5780b02f58cbd4e52f95da8ad2ac485", + "https://github.com/pillarjs/path-to-regexp/commit/d31670ae8f6e69cbfd56e835742195b7d10942ef", + "https://github.com/pillarjs/path-to-regexp/commit/f1253b47b347dcb909e3e80b0eb2649109e59894", + "https://github.com/pillarjs/path-to-regexp/releases/tag/v6.3.0", + "https://github.com/pillarjs/path-to-regexp/security/advisories/GHSA-9wv6-86v2-598j", + "https://nvd.nist.gov/vuln/detail/CVE-2024-45296", + "https://www.cve.org/CVERecord?id=CVE-2024-45296", + ], + "vulnerabilityId": "CVE-2024-45296", + }, + "category": "NPM Package Vulnerability", + "description": "path-to-regexp turns path strings into a regular expressions. In certain cases, path-to-regexp will output a regular expression that can be exploited to cause poor performance. Because JavaScript is single threaded and regex matching runs on the main thread, poor performance will block the event loop and lead to a DoS. The bad regular expression is generated any time you have two parameters within a single segment, separated by something that is not a period (.). For users of 0.1, upgrade to 0.1.10. 
All other users should upgrade to 8.0.0.", + "location": "bkimminich/juice-shop:v10.2.0", + "mitigation": "Update the affected package path-to-regexp to the fixed version: 1.9.0, 0.1.10, 8.0.0, 3.3.0, 6.3.0 or remove the package from the image.", + "name": "path-to-regexp: Backtracking regular expressions cause ReDoS", + "osi_layer": "NOT_APPLICABLE", + "references": [ + { + "type": "CVE", + "value": "CVE-2024-45296", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2024-45296", + }, + { + "type": "URL", + "value": "https://access.redhat.com/security/cve/CVE-2024-45296", + }, + { + "type": "URL", + "value": "https://github.com/pillarjs/path-to-regexp", + }, + { + "type": "URL", + "value": "https://github.com/pillarjs/path-to-regexp/commit/29b96b4a1de52824e1ca0f49a701183cc4ed476f", + }, + { + "type": "URL", + "value": "https://github.com/pillarjs/path-to-regexp/commit/60f2121e9b66b7b622cc01080df0aabda9eedee6", + }, + { + "type": "URL", + "value": "https://github.com/pillarjs/path-to-regexp/commit/925ac8e3c5780b02f58cbd4e52f95da8ad2ac485", + }, + { + "type": "URL", + "value": "https://github.com/pillarjs/path-to-regexp/commit/d31670ae8f6e69cbfd56e835742195b7d10942ef", + }, + { + "type": "URL", + "value": "https://github.com/pillarjs/path-to-regexp/commit/f1253b47b347dcb909e3e80b0eb2649109e59894", + }, + { + "type": "URL", + "value": "https://github.com/pillarjs/path-to-regexp/releases/tag/v6.3.0", + }, + { + "type": "URL", + "value": "https://github.com/pillarjs/path-to-regexp/security/advisories/GHSA-9wv6-86v2-598j", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2024-45296", + }, + { + "type": "URL", + "value": "https://www.cve.org/CVERecord?id=CVE-2024-45296", + }, + ], + "severity": "HIGH", + }, + { + "attributes": { + "fixedVersion": "3.0.1", + "foundIn": "Node.js", + "installedVersion": "2.0.4", + "packageName": "pug", + "references": [ + "https://access.redhat.com/security/cve/CVE-2021-21353", + 
"https://github.com/pugjs/pug/commit/991e78f7c4220b2f8da042877c6f0ef5a4683be0", + "https://github.com/pugjs/pug/issues/3312", + "https://github.com/pugjs/pug/pull/3314", + "https://github.com/pugjs/pug/releases/tag/pug%403.0.1", + "https://github.com/pugjs/pug/security/advisories/GHSA-p493-635q-r6gr", + "https://nvd.nist.gov/vuln/detail/CVE-2021-21353", + "https://www.cve.org/CVERecord?id=CVE-2021-21353", + "https://www.npmjs.com/package/pug", + "https://www.npmjs.com/package/pug-code-gen", + ], + "vulnerabilityId": "CVE-2021-21353", + }, + "category": "NPM Package Vulnerability", + "description": "Pug is an npm package which is a high-performance template engine. In pug before version 3.0.1, if a remote attacker was able to control the \`pretty\` option of the pug compiler, e.g. if you spread a user provided object such as the query parameters of a request into the pug template inputs, it was possible for them to achieve remote code execution on the node.js backend. This is fixed in version 3.0.1. This advisory applies to multiple pug packages including "pug", "pug-code-gen". pug-code-gen has a backported fix at version 2.0.3. This advisory is not exploitable if there is no way for un-trusted input to be passed to pug as the \`pretty\` option, e.g. 
if you compile templates in advance before applying user input to them, you do not need to upgrade.", + "location": "bkimminich/juice-shop:v10.2.0", + "mitigation": "Update the affected package pug to the fixed version: 3.0.1 or remove the package from the image.", + "name": "pug: user provided objects as input to pug templates can achieve remote code execution", + "osi_layer": "NOT_APPLICABLE", + "references": [ + { + "type": "CVE", + "value": "CVE-2021-21353", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2021-21353", + }, + { + "type": "URL", + "value": "https://access.redhat.com/security/cve/CVE-2021-21353", + }, + { + "type": "URL", + "value": "https://github.com/pugjs/pug/commit/991e78f7c4220b2f8da042877c6f0ef5a4683be0", + }, + { + "type": "URL", + "value": "https://github.com/pugjs/pug/issues/3312", + }, + { + "type": "URL", + "value": "https://github.com/pugjs/pug/pull/3314", + }, + { + "type": "URL", + "value": "https://github.com/pugjs/pug/releases/tag/pug%403.0.1", + }, + { + "type": "URL", + "value": "https://github.com/pugjs/pug/security/advisories/GHSA-p493-635q-r6gr", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2021-21353", + }, + { + "type": "URL", + "value": "https://www.cve.org/CVERecord?id=CVE-2021-21353", + }, + { + "type": "URL", + "value": "https://www.npmjs.com/package/pug", + }, + { + "type": "URL", + "value": "https://www.npmjs.com/package/pug-code-gen", + }, + ], + "severity": "HIGH", + }, + { + "attributes": { + "fixedVersion": "3.0.3", + "foundIn": "Node.js", + "installedVersion": "2.0.4", + "packageName": "pug", + "references": [ + "https://github.com/Coding-Competition-Team/hackac-2024/tree/main/web/pug", + "https://github.com/pugjs/pug", + "https://github.com/pugjs/pug/blob/4767cafea0af3d3f935553df0f9a8a6e76d470c2/packages/pug/lib/index.js#L328", + "https://github.com/pugjs/pug/commit/32acfe8f197dc44c54e8af32c7d7b19aa9d350fb", + "https://github.com/pugjs/pug/pull/3428", + 
"https://github.com/pugjs/pug/pull/3438", + "https://github.com/pugjs/pug/releases/tag/pug%403.0.3", + "https://nvd.nist.gov/vuln/detail/CVE-2024-36361", + "https://pugjs.org/api/reference.html", + "https://www.npmjs.com/package/pug-code-gen", + ], + "vulnerabilityId": "CVE-2024-36361", + }, + "category": "NPM Package Vulnerability", + "description": "Pug through 3.0.2 allows JavaScript code execution if an application accepts untrusted input for the name option of the compileClient, compileFileClient, or compileClientWithDependenciesTracked function. NOTE: these functions are for compiling Pug templates into JavaScript, and there would typically be no reason to allow untrusted callers.", + "location": "bkimminich/juice-shop:v10.2.0", + "mitigation": "Update the affected package pug to the fixed version: 3.0.3 or remove the package from the image.", + "name": "Pug allows JavaScript code execution if an application accepts untrusted input", + "osi_layer": "NOT_APPLICABLE", + "references": [ + { + "type": "CVE", + "value": "CVE-2024-36361", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2024-36361", + }, + { + "type": "URL", + "value": "https://github.com/Coding-Competition-Team/hackac-2024/tree/main/web/pug", + }, + { + "type": "URL", + "value": "https://github.com/pugjs/pug", + }, + { + "type": "URL", + "value": "https://github.com/pugjs/pug/blob/4767cafea0af3d3f935553df0f9a8a6e76d470c2/packages/pug/lib/index.js#L328", + }, + { + "type": "URL", + "value": "https://github.com/pugjs/pug/commit/32acfe8f197dc44c54e8af32c7d7b19aa9d350fb", + }, + { + "type": "URL", + "value": "https://github.com/pugjs/pug/pull/3428", + }, + { + "type": "URL", + "value": "https://github.com/pugjs/pug/pull/3438", + }, + { + "type": "URL", + "value": "https://github.com/pugjs/pug/releases/tag/pug%403.0.3", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2024-36361", + }, + { + "type": "URL", + "value": 
"https://pugjs.org/api/reference.html", + }, + { + "type": "URL", + "value": "https://www.npmjs.com/package/pug-code-gen", + }, + ], + "severity": "MEDIUM", + }, + { + "attributes": { + "fixedVersion": "2.0.3, 3.0.2", + "foundIn": "Node.js", + "installedVersion": "2.0.2", + "packageName": "pug-code-gen", + "references": [ + "https://access.redhat.com/security/cve/CVE-2021-21353", + "https://github.com/pugjs/pug/commit/991e78f7c4220b2f8da042877c6f0ef5a4683be0", + "https://github.com/pugjs/pug/issues/3312", + "https://github.com/pugjs/pug/pull/3314", + "https://github.com/pugjs/pug/releases/tag/pug%403.0.1", + "https://github.com/pugjs/pug/security/advisories/GHSA-p493-635q-r6gr", + "https://nvd.nist.gov/vuln/detail/CVE-2021-21353", + "https://www.cve.org/CVERecord?id=CVE-2021-21353", + "https://www.npmjs.com/package/pug", + "https://www.npmjs.com/package/pug-code-gen", + ], + "vulnerabilityId": "CVE-2021-21353", + }, + "category": "NPM Package Vulnerability", + "description": "Pug is an npm package which is a high-performance template engine. In pug before version 3.0.1, if a remote attacker was able to control the \`pretty\` option of the pug compiler, e.g. if you spread a user provided object such as the query parameters of a request into the pug template inputs, it was possible for them to achieve remote code execution on the node.js backend. This is fixed in version 3.0.1. This advisory applies to multiple pug packages including "pug", "pug-code-gen". pug-code-gen has a backported fix at version 2.0.3. This advisory is not exploitable if there is no way for un-trusted input to be passed to pug as the \`pretty\` option, e.g. 
if you compile templates in advance before applying user input to them, you do not need to upgrade.", + "location": "bkimminich/juice-shop:v10.2.0", + "mitigation": "Update the affected package pug-code-gen to the fixed version: 2.0.3, 3.0.2 or remove the package from the image.", + "name": "pug: user provided objects as input to pug templates can achieve remote code execution", + "osi_layer": "NOT_APPLICABLE", + "references": [ + { + "type": "CVE", + "value": "CVE-2021-21353", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2021-21353", + }, + { + "type": "URL", + "value": "https://access.redhat.com/security/cve/CVE-2021-21353", + }, + { + "type": "URL", + "value": "https://github.com/pugjs/pug/commit/991e78f7c4220b2f8da042877c6f0ef5a4683be0", + }, + { + "type": "URL", + "value": "https://github.com/pugjs/pug/issues/3312", + }, + { + "type": "URL", + "value": "https://github.com/pugjs/pug/pull/3314", + }, + { + "type": "URL", + "value": "https://github.com/pugjs/pug/releases/tag/pug%403.0.1", + }, + { + "type": "URL", + "value": "https://github.com/pugjs/pug/security/advisories/GHSA-p493-635q-r6gr", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2021-21353", + }, + { + "type": "URL", + "value": "https://www.cve.org/CVERecord?id=CVE-2021-21353", + }, + { + "type": "URL", + "value": "https://www.npmjs.com/package/pug", + }, + { + "type": "URL", + "value": "https://www.npmjs.com/package/pug-code-gen", + }, + ], + "severity": "HIGH", + }, + { + "attributes": { + "fixedVersion": "3.0.3", + "foundIn": "Node.js", + "installedVersion": "2.0.2", + "packageName": "pug-code-gen", + "references": [ + "https://github.com/Coding-Competition-Team/hackac-2024/tree/main/web/pug", + "https://github.com/pugjs/pug", + "https://github.com/pugjs/pug/blob/4767cafea0af3d3f935553df0f9a8a6e76d470c2/packages/pug/lib/index.js#L328", + "https://github.com/pugjs/pug/commit/32acfe8f197dc44c54e8af32c7d7b19aa9d350fb", + 
"https://github.com/pugjs/pug/pull/3428", + "https://github.com/pugjs/pug/pull/3438", + "https://github.com/pugjs/pug/releases/tag/pug%403.0.3", + "https://nvd.nist.gov/vuln/detail/CVE-2024-36361", + "https://pugjs.org/api/reference.html", + "https://www.npmjs.com/package/pug-code-gen", + ], + "vulnerabilityId": "CVE-2024-36361", + }, + "category": "NPM Package Vulnerability", + "description": "Pug through 3.0.2 allows JavaScript code execution if an application accepts untrusted input for the name option of the compileClient, compileFileClient, or compileClientWithDependenciesTracked function. NOTE: these functions are for compiling Pug templates into JavaScript, and there would typically be no reason to allow untrusted callers.", + "location": "bkimminich/juice-shop:v10.2.0", + "mitigation": "Update the affected package pug-code-gen to the fixed version: 3.0.3 or remove the package from the image.", + "name": "Pug allows JavaScript code execution if an application accepts untrusted input", + "osi_layer": "NOT_APPLICABLE", + "references": [ + { + "type": "CVE", + "value": "CVE-2024-36361", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2024-36361", + }, + { + "type": "URL", + "value": "https://github.com/Coding-Competition-Team/hackac-2024/tree/main/web/pug", + }, + { + "type": "URL", + "value": "https://github.com/pugjs/pug", + }, + { + "type": "URL", + "value": "https://github.com/pugjs/pug/blob/4767cafea0af3d3f935553df0f9a8a6e76d470c2/packages/pug/lib/index.js#L328", + }, + { + "type": "URL", + "value": "https://github.com/pugjs/pug/commit/32acfe8f197dc44c54e8af32c7d7b19aa9d350fb", + }, + { + "type": "URL", + "value": "https://github.com/pugjs/pug/pull/3428", + }, + { + "type": "URL", + "value": "https://github.com/pugjs/pug/pull/3438", + }, + { + "type": "URL", + "value": "https://github.com/pugjs/pug/releases/tag/pug%403.0.3", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2024-36361", + }, + { + "type": 
"URL", + "value": "https://pugjs.org/api/reference.html", + }, + { + "type": "URL", + "value": "https://www.npmjs.com/package/pug-code-gen", + }, + ], + "severity": "MEDIUM", + }, + { + "attributes": { + "fixedVersion": "6.10.3, 6.9.7, 6.8.3, 6.7.3, 6.6.1, 6.5.3, 6.4.1, 6.3.3, 6.2.4", + "foundIn": "Node.js", + "installedVersion": "6.5.2", + "packageName": "qs", + "references": [ + "https://access.redhat.com/errata/RHSA-2023:0050", + "https://access.redhat.com/security/cve/CVE-2022-24999", + "https://bugzilla.redhat.com/2044591", + "https://bugzilla.redhat.com/2066009", + "https://bugzilla.redhat.com/2134609", + "https://bugzilla.redhat.com/2140911", + "https://bugzilla.redhat.com/2150323", + "https://errata.almalinux.org/8/ALSA-2023-0050.html", + "https://github.com/expressjs/express/releases/tag/4.17.3", + "https://github.com/ljharb/qs", + "https://github.com/ljharb/qs/commit/4310742efbd8c03f6495f07906b45213da0a32ec", + "https://github.com/ljharb/qs/commit/727ef5d34605108acb3513f72d5435972ed15b68", + "https://github.com/ljharb/qs/commit/73205259936317b40f447c5cdb71c5b341848e1b", + "https://github.com/ljharb/qs/commit/8b4cc14cda94a5c89341b77e5fe435ec6c41be2d", + "https://github.com/ljharb/qs/commit/ba24e74dd17931f825adb52f5633e48293b584e1", + "https://github.com/ljharb/qs/commit/e799ba57e573a30c14b67c1889c7c04d508b9105", + "https://github.com/ljharb/qs/commit/ed0f5dcbef4b168a8ae299d78b1e4a2e9b1baf1f", + "https://github.com/ljharb/qs/commit/f945393cfe442fe8c6e62b4156fd35452c0686ee", + "https://github.com/ljharb/qs/commit/fc3682776670524a42e19709ec4a8138d0d7afda", + "https://github.com/ljharb/qs/pull/428", + "https://github.com/n8tz/CVE-2022-24999", + "https://linux.oracle.com/cve/CVE-2022-24999.html", + "https://linux.oracle.com/errata/ELSA-2023-0050.html", + "https://lists.debian.org/debian-lts-announce/2023/01/msg00039.html", + "https://nvd.nist.gov/vuln/detail/CVE-2022-24999", + "https://security.netapp.com/advisory/ntap-20230908-0005/", + 
"https://www.cve.org/CVERecord?id=CVE-2022-24999", + ], + "vulnerabilityId": "CVE-2022-24999", + }, + "category": "NPM Package Vulnerability", + "description": "qs before 6.10.3, as used in Express before 4.17.3 and other products, allows attackers to cause a Node process hang for an Express application because an __ proto__ key can be used. In many typical Express use cases, an unauthenticated remote attacker can place the attack payload in the query string of the URL that is used to visit the application, such as a[__proto__]=b&a[__proto__]&a[length]=100000000. The fix was backported to qs 6.9.7, 6.8.3, 6.7.3, 6.6.1, 6.5.3, 6.4.1, 6.3.3, and 6.2.4 (and therefore Express 4.17.3, which has "deps: qs@6.9.7" in its release description, is not vulnerable).", + "location": "bkimminich/juice-shop:v10.2.0", + "mitigation": "Update the affected package qs to the fixed version: 6.10.3, 6.9.7, 6.8.3, 6.7.3, 6.6.1, 6.5.3, 6.4.1, 6.3.3, 6.2.4 or remove the package from the image.", + "name": "express: "qs" prototype poisoning causes the hang of the node process", + "osi_layer": "NOT_APPLICABLE", + "references": [ + { + "type": "CVE", + "value": "CVE-2022-24999", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2022-24999", + }, + { + "type": "URL", + "value": "https://access.redhat.com/errata/RHSA-2023:0050", + }, + { + "type": "URL", + "value": "https://access.redhat.com/security/cve/CVE-2022-24999", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/2044591", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/2066009", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/2134609", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/2140911", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/2150323", + }, + { + "type": "URL", + "value": "https://errata.almalinux.org/8/ALSA-2023-0050.html", + }, + { + "type": "URL", + "value": 
"https://github.com/expressjs/express/releases/tag/4.17.3", + }, + { + "type": "URL", + "value": "https://github.com/ljharb/qs", + }, + { + "type": "URL", + "value": "https://github.com/ljharb/qs/commit/4310742efbd8c03f6495f07906b45213da0a32ec", + }, + { + "type": "URL", + "value": "https://github.com/ljharb/qs/commit/727ef5d34605108acb3513f72d5435972ed15b68", + }, + { + "type": "URL", + "value": "https://github.com/ljharb/qs/commit/73205259936317b40f447c5cdb71c5b341848e1b", + }, + { + "type": "URL", + "value": "https://github.com/ljharb/qs/commit/8b4cc14cda94a5c89341b77e5fe435ec6c41be2d", + }, + { + "type": "URL", + "value": "https://github.com/ljharb/qs/commit/ba24e74dd17931f825adb52f5633e48293b584e1", + }, + { + "type": "URL", + "value": "https://github.com/ljharb/qs/commit/e799ba57e573a30c14b67c1889c7c04d508b9105", + }, + { + "type": "URL", + "value": "https://github.com/ljharb/qs/commit/ed0f5dcbef4b168a8ae299d78b1e4a2e9b1baf1f", + }, + { + "type": "URL", + "value": "https://github.com/ljharb/qs/commit/f945393cfe442fe8c6e62b4156fd35452c0686ee", + }, + { + "type": "URL", + "value": "https://github.com/ljharb/qs/commit/fc3682776670524a42e19709ec4a8138d0d7afda", + }, + { + "type": "URL", + "value": "https://github.com/ljharb/qs/pull/428", + }, + { + "type": "URL", + "value": "https://github.com/n8tz/CVE-2022-24999", + }, + { + "type": "URL", + "value": "https://linux.oracle.com/cve/CVE-2022-24999.html", + }, + { + "type": "URL", + "value": "https://linux.oracle.com/errata/ELSA-2023-0050.html", + }, + { + "type": "URL", + "value": "https://lists.debian.org/debian-lts-announce/2023/01/msg00039.html", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2022-24999", + }, + { + "type": "URL", + "value": "https://security.netapp.com/advisory/ntap-20230908-0005/", + }, + { + "type": "URL", + "value": "https://www.cve.org/CVERecord?id=CVE-2022-24999", + }, + ], + "severity": "HIGH", + }, + { + "attributes": { + "fixedVersion": "6.10.3, 6.9.7, 6.8.3, 
6.7.3, 6.6.1, 6.5.3, 6.4.1, 6.3.3, 6.2.4", + "foundIn": "Node.js", + "installedVersion": "6.5.2", + "packageName": "qs", + "references": [ + "https://access.redhat.com/errata/RHSA-2023:0050", + "https://access.redhat.com/security/cve/CVE-2022-24999", + "https://bugzilla.redhat.com/2044591", + "https://bugzilla.redhat.com/2066009", + "https://bugzilla.redhat.com/2134609", + "https://bugzilla.redhat.com/2140911", + "https://bugzilla.redhat.com/2150323", + "https://errata.almalinux.org/8/ALSA-2023-0050.html", + "https://github.com/expressjs/express/releases/tag/4.17.3", + "https://github.com/ljharb/qs", + "https://github.com/ljharb/qs/commit/4310742efbd8c03f6495f07906b45213da0a32ec", + "https://github.com/ljharb/qs/commit/727ef5d34605108acb3513f72d5435972ed15b68", + "https://github.com/ljharb/qs/commit/73205259936317b40f447c5cdb71c5b341848e1b", + "https://github.com/ljharb/qs/commit/8b4cc14cda94a5c89341b77e5fe435ec6c41be2d", + "https://github.com/ljharb/qs/commit/ba24e74dd17931f825adb52f5633e48293b584e1", + "https://github.com/ljharb/qs/commit/e799ba57e573a30c14b67c1889c7c04d508b9105", + "https://github.com/ljharb/qs/commit/ed0f5dcbef4b168a8ae299d78b1e4a2e9b1baf1f", + "https://github.com/ljharb/qs/commit/f945393cfe442fe8c6e62b4156fd35452c0686ee", + "https://github.com/ljharb/qs/commit/fc3682776670524a42e19709ec4a8138d0d7afda", + "https://github.com/ljharb/qs/pull/428", + "https://github.com/n8tz/CVE-2022-24999", + "https://linux.oracle.com/cve/CVE-2022-24999.html", + "https://linux.oracle.com/errata/ELSA-2023-0050.html", + "https://lists.debian.org/debian-lts-announce/2023/01/msg00039.html", + "https://nvd.nist.gov/vuln/detail/CVE-2022-24999", + "https://security.netapp.com/advisory/ntap-20230908-0005/", + "https://www.cve.org/CVERecord?id=CVE-2022-24999", + ], + "vulnerabilityId": "CVE-2022-24999", + }, + "category": "NPM Package Vulnerability", + "description": "qs before 6.10.3, as used in Express before 4.17.3 and other products, allows attackers to cause a Node 
process hang for an Express application because an __ proto__ key can be used. In many typical Express use cases, an unauthenticated remote attacker can place the attack payload in the query string of the URL that is used to visit the application, such as a[__proto__]=b&a[__proto__]&a[length]=100000000. The fix was backported to qs 6.9.7, 6.8.3, 6.7.3, 6.6.1, 6.5.3, 6.4.1, 6.3.3, and 6.2.4 (and therefore Express 4.17.3, which has "deps: qs@6.9.7" in its release description, is not vulnerable).", + "location": "bkimminich/juice-shop:v10.2.0", + "mitigation": "Update the affected package qs to the fixed version: 6.10.3, 6.9.7, 6.8.3, 6.7.3, 6.6.1, 6.5.3, 6.4.1, 6.3.3, 6.2.4 or remove the package from the image.", + "name": "express: "qs" prototype poisoning causes the hang of the node process", + "osi_layer": "NOT_APPLICABLE", + "references": [ + { + "type": "CVE", + "value": "CVE-2022-24999", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2022-24999", + }, + { + "type": "URL", + "value": "https://access.redhat.com/errata/RHSA-2023:0050", + }, + { + "type": "URL", + "value": "https://access.redhat.com/security/cve/CVE-2022-24999", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/2044591", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/2066009", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/2134609", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/2140911", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/2150323", + }, + { + "type": "URL", + "value": "https://errata.almalinux.org/8/ALSA-2023-0050.html", + }, + { + "type": "URL", + "value": "https://github.com/expressjs/express/releases/tag/4.17.3", + }, + { + "type": "URL", + "value": "https://github.com/ljharb/qs", + }, + { + "type": "URL", + "value": "https://github.com/ljharb/qs/commit/4310742efbd8c03f6495f07906b45213da0a32ec", + }, + { + "type": "URL", + "value": 
"https://github.com/ljharb/qs/commit/727ef5d34605108acb3513f72d5435972ed15b68", + }, + { + "type": "URL", + "value": "https://github.com/ljharb/qs/commit/73205259936317b40f447c5cdb71c5b341848e1b", + }, + { + "type": "URL", + "value": "https://github.com/ljharb/qs/commit/8b4cc14cda94a5c89341b77e5fe435ec6c41be2d", + }, + { + "type": "URL", + "value": "https://github.com/ljharb/qs/commit/ba24e74dd17931f825adb52f5633e48293b584e1", + }, + { + "type": "URL", + "value": "https://github.com/ljharb/qs/commit/e799ba57e573a30c14b67c1889c7c04d508b9105", + }, + { + "type": "URL", + "value": "https://github.com/ljharb/qs/commit/ed0f5dcbef4b168a8ae299d78b1e4a2e9b1baf1f", + }, + { + "type": "URL", + "value": "https://github.com/ljharb/qs/commit/f945393cfe442fe8c6e62b4156fd35452c0686ee", + }, + { + "type": "URL", + "value": "https://github.com/ljharb/qs/commit/fc3682776670524a42e19709ec4a8138d0d7afda", + }, + { + "type": "URL", + "value": "https://github.com/ljharb/qs/pull/428", + }, + { + "type": "URL", + "value": "https://github.com/n8tz/CVE-2022-24999", + }, + { + "type": "URL", + "value": "https://linux.oracle.com/cve/CVE-2022-24999.html", + }, + { + "type": "URL", + "value": "https://linux.oracle.com/errata/ELSA-2023-0050.html", + }, + { + "type": "URL", + "value": "https://lists.debian.org/debian-lts-announce/2023/01/msg00039.html", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2022-24999", + }, + { + "type": "URL", + "value": "https://security.netapp.com/advisory/ntap-20230908-0005/", + }, + { + "type": "URL", + "value": "https://www.cve.org/CVERecord?id=CVE-2022-24999", + }, + ], + "severity": "HIGH", + }, + { + "attributes": { + "fixedVersion": "6.10.3, 6.9.7, 6.8.3, 6.7.3, 6.6.1, 6.5.3, 6.4.1, 6.3.3, 6.2.4", + "foundIn": "Node.js", + "installedVersion": "6.7.0", + "packageName": "qs", + "references": [ + "https://access.redhat.com/errata/RHSA-2023:0050", + "https://access.redhat.com/security/cve/CVE-2022-24999", + 
"https://bugzilla.redhat.com/2044591", + "https://bugzilla.redhat.com/2066009", + "https://bugzilla.redhat.com/2134609", + "https://bugzilla.redhat.com/2140911", + "https://bugzilla.redhat.com/2150323", + "https://errata.almalinux.org/8/ALSA-2023-0050.html", + "https://github.com/expressjs/express/releases/tag/4.17.3", + "https://github.com/ljharb/qs", + "https://github.com/ljharb/qs/commit/4310742efbd8c03f6495f07906b45213da0a32ec", + "https://github.com/ljharb/qs/commit/727ef5d34605108acb3513f72d5435972ed15b68", + "https://github.com/ljharb/qs/commit/73205259936317b40f447c5cdb71c5b341848e1b", + "https://github.com/ljharb/qs/commit/8b4cc14cda94a5c89341b77e5fe435ec6c41be2d", + "https://github.com/ljharb/qs/commit/ba24e74dd17931f825adb52f5633e48293b584e1", + "https://github.com/ljharb/qs/commit/e799ba57e573a30c14b67c1889c7c04d508b9105", + "https://github.com/ljharb/qs/commit/ed0f5dcbef4b168a8ae299d78b1e4a2e9b1baf1f", + "https://github.com/ljharb/qs/commit/f945393cfe442fe8c6e62b4156fd35452c0686ee", + "https://github.com/ljharb/qs/commit/fc3682776670524a42e19709ec4a8138d0d7afda", + "https://github.com/ljharb/qs/pull/428", + "https://github.com/n8tz/CVE-2022-24999", + "https://linux.oracle.com/cve/CVE-2022-24999.html", + "https://linux.oracle.com/errata/ELSA-2023-0050.html", + "https://lists.debian.org/debian-lts-announce/2023/01/msg00039.html", + "https://nvd.nist.gov/vuln/detail/CVE-2022-24999", + "https://security.netapp.com/advisory/ntap-20230908-0005/", + "https://www.cve.org/CVERecord?id=CVE-2022-24999", + ], + "vulnerabilityId": "CVE-2022-24999", + }, + "category": "NPM Package Vulnerability", + "description": "qs before 6.10.3, as used in Express before 4.17.3 and other products, allows attackers to cause a Node process hang for an Express application because an __ proto__ key can be used. 
In many typical Express use cases, an unauthenticated remote attacker can place the attack payload in the query string of the URL that is used to visit the application, such as a[__proto__]=b&a[__proto__]&a[length]=100000000. The fix was backported to qs 6.9.7, 6.8.3, 6.7.3, 6.6.1, 6.5.3, 6.4.1, 6.3.3, and 6.2.4 (and therefore Express 4.17.3, which has "deps: qs@6.9.7" in its release description, is not vulnerable).", + "location": "bkimminich/juice-shop:v10.2.0", + "mitigation": "Update the affected package qs to the fixed version: 6.10.3, 6.9.7, 6.8.3, 6.7.3, 6.6.1, 6.5.3, 6.4.1, 6.3.3, 6.2.4 or remove the package from the image.", + "name": "express: "qs" prototype poisoning causes the hang of the node process", + "osi_layer": "NOT_APPLICABLE", + "references": [ + { + "type": "CVE", + "value": "CVE-2022-24999", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2022-24999", + }, + { + "type": "URL", + "value": "https://access.redhat.com/errata/RHSA-2023:0050", + }, + { + "type": "URL", + "value": "https://access.redhat.com/security/cve/CVE-2022-24999", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/2044591", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/2066009", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/2134609", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/2140911", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/2150323", + }, + { + "type": "URL", + "value": "https://errata.almalinux.org/8/ALSA-2023-0050.html", + }, + { + "type": "URL", + "value": "https://github.com/expressjs/express/releases/tag/4.17.3", + }, + { + "type": "URL", + "value": "https://github.com/ljharb/qs", + }, + { + "type": "URL", + "value": "https://github.com/ljharb/qs/commit/4310742efbd8c03f6495f07906b45213da0a32ec", + }, + { + "type": "URL", + "value": "https://github.com/ljharb/qs/commit/727ef5d34605108acb3513f72d5435972ed15b68", + }, + { + "type": "URL", + 
"value": "https://github.com/ljharb/qs/commit/73205259936317b40f447c5cdb71c5b341848e1b", + }, + { + "type": "URL", + "value": "https://github.com/ljharb/qs/commit/8b4cc14cda94a5c89341b77e5fe435ec6c41be2d", + }, + { + "type": "URL", + "value": "https://github.com/ljharb/qs/commit/ba24e74dd17931f825adb52f5633e48293b584e1", + }, + { + "type": "URL", + "value": "https://github.com/ljharb/qs/commit/e799ba57e573a30c14b67c1889c7c04d508b9105", + }, + { + "type": "URL", + "value": "https://github.com/ljharb/qs/commit/ed0f5dcbef4b168a8ae299d78b1e4a2e9b1baf1f", + }, + { + "type": "URL", + "value": "https://github.com/ljharb/qs/commit/f945393cfe442fe8c6e62b4156fd35452c0686ee", + }, + { + "type": "URL", + "value": "https://github.com/ljharb/qs/commit/fc3682776670524a42e19709ec4a8138d0d7afda", + }, + { + "type": "URL", + "value": "https://github.com/ljharb/qs/pull/428", + }, + { + "type": "URL", + "value": "https://github.com/n8tz/CVE-2022-24999", + }, + { + "type": "URL", + "value": "https://linux.oracle.com/cve/CVE-2022-24999.html", + }, + { + "type": "URL", + "value": "https://linux.oracle.com/errata/ELSA-2023-0050.html", + }, + { + "type": "URL", + "value": "https://lists.debian.org/debian-lts-announce/2023/01/msg00039.html", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2022-24999", + }, + { + "type": "URL", + "value": "https://security.netapp.com/advisory/ntap-20230908-0005/", + }, + { + "type": "URL", + "value": "https://www.cve.org/CVERecord?id=CVE-2022-24999", + }, + ], + "severity": "HIGH", + }, + { + "attributes": { + "fixedVersion": undefined, + "foundIn": "Node.js", + "installedVersion": "2.88.0", + "packageName": "request", + "references": [ + "https://doyensec.com/resources/Doyensec_Advisory_RequestSSRF_Q12023.pdf", + "https://github.com/cypress-io/request/blob/master/lib/redirect.js#L116", + "https://github.com/cypress-io/request/commit/c5bcf21d40fb61feaff21a0e5a2b3934a440024f", + "https://github.com/cypress-io/request/pull/28", + 
"https://github.com/cypress-io/request/releases/tag/v3.0.0", + "https://github.com/github/advisory-database/pull/2500", + "https://github.com/request/request", + "https://github.com/request/request/blob/master/lib/redirect.js#L111", + "https://github.com/request/request/issues/3442", + "https://github.com/request/request/pull/3444", + "https://nvd.nist.gov/vuln/detail/CVE-2023-28155", + "https://security.netapp.com/advisory/ntap-20230413-0007", + "https://security.netapp.com/advisory/ntap-20230413-0007/", + ], + "vulnerabilityId": "CVE-2023-28155", + }, + "category": "NPM Package Vulnerability", + "description": "The Request package through 2.88.1 for Node.js allows a bypass of SSRF mitigations via an attacker-controller server that does a cross-protocol redirect (HTTP to HTTPS, or HTTPS to HTTP). NOTE: This vulnerability only affects products that are no longer supported by the maintainer.", + "location": "bkimminich/juice-shop:v10.2.0", + "mitigation": "Update the affected package request to the fixed version: undefined or remove the package from the image.", + "name": "The Request package through 2.88.1 for Node.js allows a bypass of SSRF ...", + "osi_layer": "NOT_APPLICABLE", + "references": [ + { + "type": "CVE", + "value": "CVE-2023-28155", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2023-28155", + }, + { + "type": "URL", + "value": "https://doyensec.com/resources/Doyensec_Advisory_RequestSSRF_Q12023.pdf", + }, + { + "type": "URL", + "value": "https://github.com/cypress-io/request/blob/master/lib/redirect.js#L116", + }, + { + "type": "URL", + "value": "https://github.com/cypress-io/request/commit/c5bcf21d40fb61feaff21a0e5a2b3934a440024f", + }, + { + "type": "URL", + "value": "https://github.com/cypress-io/request/pull/28", + }, + { + "type": "URL", + "value": "https://github.com/cypress-io/request/releases/tag/v3.0.0", + }, + { + "type": "URL", + "value": "https://github.com/github/advisory-database/pull/2500", + }, + { + 
"type": "URL", + "value": "https://github.com/request/request", + }, + { + "type": "URL", + "value": "https://github.com/request/request/blob/master/lib/redirect.js#L111", + }, + { + "type": "URL", + "value": "https://github.com/request/request/issues/3442", + }, + { + "type": "URL", + "value": "https://github.com/request/request/pull/3444", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2023-28155", + }, + { + "type": "URL", + "value": "https://security.netapp.com/advisory/ntap-20230413-0007", + }, + { + "type": "URL", + "value": "https://security.netapp.com/advisory/ntap-20230413-0007/", + }, + ], + "severity": "MEDIUM", + }, + { + "attributes": { + "fixedVersion": undefined, + "foundIn": "Node.js", + "installedVersion": "2.88.2", + "packageName": "request", + "references": [ + "https://doyensec.com/resources/Doyensec_Advisory_RequestSSRF_Q12023.pdf", + "https://github.com/cypress-io/request/blob/master/lib/redirect.js#L116", + "https://github.com/cypress-io/request/commit/c5bcf21d40fb61feaff21a0e5a2b3934a440024f", + "https://github.com/cypress-io/request/pull/28", + "https://github.com/cypress-io/request/releases/tag/v3.0.0", + "https://github.com/github/advisory-database/pull/2500", + "https://github.com/request/request", + "https://github.com/request/request/blob/master/lib/redirect.js#L111", + "https://github.com/request/request/issues/3442", + "https://github.com/request/request/pull/3444", + "https://nvd.nist.gov/vuln/detail/CVE-2023-28155", + "https://security.netapp.com/advisory/ntap-20230413-0007", + "https://security.netapp.com/advisory/ntap-20230413-0007/", + ], + "vulnerabilityId": "CVE-2023-28155", + }, + "category": "NPM Package Vulnerability", + "description": "The Request package through 2.88.1 for Node.js allows a bypass of SSRF mitigations via an attacker-controller server that does a cross-protocol redirect (HTTP to HTTPS, or HTTPS to HTTP). 
NOTE: This vulnerability only affects products that are no longer supported by the maintainer.", + "location": "bkimminich/juice-shop:v10.2.0", + "mitigation": "Update the affected package request to the fixed version: undefined or remove the package from the image.", + "name": "The Request package through 2.88.1 for Node.js allows a bypass of SSRF ...", + "osi_layer": "NOT_APPLICABLE", + "references": [ + { + "type": "CVE", + "value": "CVE-2023-28155", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2023-28155", + }, + { + "type": "URL", + "value": "https://doyensec.com/resources/Doyensec_Advisory_RequestSSRF_Q12023.pdf", + }, + { + "type": "URL", + "value": "https://github.com/cypress-io/request/blob/master/lib/redirect.js#L116", + }, + { + "type": "URL", + "value": "https://github.com/cypress-io/request/commit/c5bcf21d40fb61feaff21a0e5a2b3934a440024f", + }, + { + "type": "URL", + "value": "https://github.com/cypress-io/request/pull/28", + }, + { + "type": "URL", + "value": "https://github.com/cypress-io/request/releases/tag/v3.0.0", + }, + { + "type": "URL", + "value": "https://github.com/github/advisory-database/pull/2500", + }, + { + "type": "URL", + "value": "https://github.com/request/request", + }, + { + "type": "URL", + "value": "https://github.com/request/request/blob/master/lib/redirect.js#L111", + }, + { + "type": "URL", + "value": "https://github.com/request/request/issues/3442", + }, + { + "type": "URL", + "value": "https://github.com/request/request/pull/3444", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2023-28155", + }, + { + "type": "URL", + "value": "https://security.netapp.com/advisory/ntap-20230413-0007", + }, + { + "type": "URL", + "value": "https://security.netapp.com/advisory/ntap-20230413-0007/", + }, + ], + "severity": "MEDIUM", + }, + { + "attributes": { + "fixedVersion": "2.7.1", + "foundIn": "Node.js", + "installedVersion": "1.4.2", + "packageName": "sanitize-html", + 
"references": [ + "https://access.redhat.com/security/cve/CVE-2022-25887", + "https://github.com/apostrophecms/sanitize-html/commit/b4682c12fd30e12e82fa2d9b766de91d7d2cd23c", + "https://github.com/apostrophecms/sanitize-html/pull/557", + "https://nvd.nist.gov/vuln/detail/CVE-2022-25887", + "https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-3008102", + "https://security.snyk.io/vuln/SNYK-JS-SANITIZEHTML-2957526", + "https://www.cve.org/CVERecord?id=CVE-2022-25887", + ], + "vulnerabilityId": "CVE-2022-25887", + }, + "category": "NPM Package Vulnerability", + "description": "The package sanitize-html before 2.7.1 are vulnerable to Regular Expression Denial of Service (ReDoS) due to insecure global regular expression replacement logic of HTML comment removal.", + "location": "bkimminich/juice-shop:v10.2.0", + "mitigation": "Update the affected package sanitize-html to the fixed version: 2.7.1 or remove the package from the image.", + "name": "sanitize-html: insecure global regular expression replacement logic may lead to ReDoS", + "osi_layer": "NOT_APPLICABLE", + "references": [ + { + "type": "CVE", + "value": "CVE-2022-25887", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2022-25887", + }, + { + "type": "URL", + "value": "https://access.redhat.com/security/cve/CVE-2022-25887", + }, + { + "type": "URL", + "value": "https://github.com/apostrophecms/sanitize-html/commit/b4682c12fd30e12e82fa2d9b766de91d7d2cd23c", + }, + { + "type": "URL", + "value": "https://github.com/apostrophecms/sanitize-html/pull/557", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2022-25887", + }, + { + "type": "URL", + "value": "https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-3008102", + }, + { + "type": "URL", + "value": "https://security.snyk.io/vuln/SNYK-JS-SANITIZEHTML-2957526", + }, + { + "type": "URL", + "value": "https://www.cve.org/CVERecord?id=CVE-2022-25887", + }, + ], + "severity": "HIGH", + }, + { + "attributes": { + 
"fixedVersion": ">=1.4.3", + "foundIn": "Node.js", + "installedVersion": "1.4.2", + "packageName": "sanitize-html", + "references": [ + "https://github.com/apostrophecms/sanitize-html/commit/762fbc7bba389f3f789cc291c1eb2b64f60f2caf", + "https://github.com/apostrophecms/sanitize-html/issues/29", + "https://github.com/punkave/sanitize-html/issues/29", + "https://nodesecurity.io/advisories/135", + "https://nvd.nist.gov/vuln/detail/CVE-2016-1000237", + "https://raw.githubusercontent.com/distributedweaknessfiling/cvelist/master/2016/1000xxx/CVE-2016-1000237.json", + "https://www.npmjs.com/advisories/135", + ], + "vulnerabilityId": "CVE-2016-1000237", + }, + "category": "NPM Package Vulnerability", + "description": "sanitize-html before 1.4.3 has XSS.", + "location": "bkimminich/juice-shop:v10.2.0", + "mitigation": "Update the affected package sanitize-html to the fixed version: >=1.4.3 or remove the package from the image.", + "name": "XSS - Sanitization not applied recursively", + "osi_layer": "NOT_APPLICABLE", + "references": [ + { + "type": "CVE", + "value": "CVE-2016-1000237", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2016-1000237", + }, + { + "type": "URL", + "value": "https://github.com/apostrophecms/sanitize-html/commit/762fbc7bba389f3f789cc291c1eb2b64f60f2caf", + }, + { + "type": "URL", + "value": "https://github.com/apostrophecms/sanitize-html/issues/29", + }, + { + "type": "URL", + "value": "https://github.com/punkave/sanitize-html/issues/29", + }, + { + "type": "URL", + "value": "https://nodesecurity.io/advisories/135", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2016-1000237", + }, + { + "type": "URL", + "value": "https://raw.githubusercontent.com/distributedweaknessfiling/cvelist/master/2016/1000xxx/CVE-2016-1000237.json", + }, + { + "type": "URL", + "value": "https://www.npmjs.com/advisories/135", + }, + ], + "severity": "MEDIUM", + }, + { + "attributes": { + "fixedVersion": "1.11.4", + 
"foundIn": "Node.js", + "installedVersion": "1.4.2", + "packageName": "sanitize-html", + "references": [ + "https://github.com/advisories/GHSA-xc6g-ggrc-qq4r", + "https://github.com/punkave/sanitize-html/commit/5d205a1005ba0df80e21d8c64a15bb3accdb2403", + "https://github.com/punkave/sanitize-html/commit/5d205a1005ba0df80e21d8c64a15bb3accdb2403)))", + "https://github.com/punkave/sanitize-html/issues/100", + "https://nodesecurity.io/advisories/154", + "https://npmjs.com/package/sanitize-html#discarding-the-entire-contents-of-a-disallowed-tag", + "https://nvd.nist.gov/vuln/detail/CVE-2017-16016", + "https://www.npmjs.com/advisories/154", + ], + "vulnerabilityId": "CVE-2017-16016", + }, + "category": "NPM Package Vulnerability", + "description": "Sanitize-html is a library for scrubbing html input of malicious values. Versions 1.11.1 and below are vulnerable to cross site scripting (XSS) in certain scenarios: If allowed at least one nonTextTags, the result is a potential XSS vulnerability.", + "location": "bkimminich/juice-shop:v10.2.0", + "mitigation": "Update the affected package sanitize-html to the fixed version: 1.11.4 or remove the package from the image.", + "name": "Cross-Site Scripting in sanitize-html", + "osi_layer": "NOT_APPLICABLE", + "references": [ + { + "type": "CVE", + "value": "CVE-2017-16016", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2017-16016", + }, + { + "type": "URL", + "value": "https://github.com/advisories/GHSA-xc6g-ggrc-qq4r", + }, + { + "type": "URL", + "value": "https://github.com/punkave/sanitize-html/commit/5d205a1005ba0df80e21d8c64a15bb3accdb2403", + }, + { + "type": "URL", + "value": "https://github.com/punkave/sanitize-html/commit/5d205a1005ba0df80e21d8c64a15bb3accdb2403)))", + }, + { + "type": "URL", + "value": "https://github.com/punkave/sanitize-html/issues/100", + }, + { + "type": "URL", + "value": "https://nodesecurity.io/advisories/154", + }, + { + "type": "URL", + "value": 
"https://npmjs.com/package/sanitize-html#discarding-the-entire-contents-of-a-disallowed-tag", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2017-16016", + }, + { + "type": "URL", + "value": "https://www.npmjs.com/advisories/154", + }, + ], + "severity": "MEDIUM", + }, + { + "attributes": { + "fixedVersion": "2.3.1", + "foundIn": "Node.js", + "installedVersion": "1.4.2", + "packageName": "sanitize-html", + "references": [ + "https://access.redhat.com/security/cve/CVE-2021-26539", + "https://advisory.checkmarx.net/advisory/CX-2021-4308", + "https://github.com/apostrophecms/sanitize-html", + "https://github.com/apostrophecms/sanitize-html/blob/main/CHANGELOG.md#231-2021-01-22", + "https://github.com/apostrophecms/sanitize-html/commit/bdf7836ef8f0e5b21f9a1aab0623ae8fcd09c1da", + "https://github.com/apostrophecms/sanitize-html/pull/458", + "https://nvd.nist.gov/vuln/detail/CVE-2021-26539", + "https://www.cve.org/CVERecord?id=CVE-2021-26539", + ], + "vulnerabilityId": "CVE-2021-26539", + }, + "category": "NPM Package Vulnerability", + "description": "Apostrophe Technologies sanitize-html before 2.3.1 does not properly handle internationalized domain name (IDN) which could allow an attacker to bypass hostname whitelist validation set by the "allowedIframeHostnames" option.", + "location": "bkimminich/juice-shop:v10.2.0", + "mitigation": "Update the affected package sanitize-html to the fixed version: 2.3.1 or remove the package from the image.", + "name": "sanitize-html: improper handling of internationalized domain name (IDN) can lead to bypass hostname whitelist validation", + "osi_layer": "NOT_APPLICABLE", + "references": [ + { + "type": "CVE", + "value": "CVE-2021-26539", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2021-26539", + }, + { + "type": "URL", + "value": "https://access.redhat.com/security/cve/CVE-2021-26539", + }, + { + "type": "URL", + "value": 
"https://advisory.checkmarx.net/advisory/CX-2021-4308", + }, + { + "type": "URL", + "value": "https://github.com/apostrophecms/sanitize-html", + }, + { + "type": "URL", + "value": "https://github.com/apostrophecms/sanitize-html/blob/main/CHANGELOG.md#231-2021-01-22", + }, + { + "type": "URL", + "value": "https://github.com/apostrophecms/sanitize-html/commit/bdf7836ef8f0e5b21f9a1aab0623ae8fcd09c1da", + }, + { + "type": "URL", + "value": "https://github.com/apostrophecms/sanitize-html/pull/458", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2021-26539", + }, + { + "type": "URL", + "value": "https://www.cve.org/CVERecord?id=CVE-2021-26539", + }, + ], + "severity": "MEDIUM", + }, + { + "attributes": { + "fixedVersion": "2.3.2", + "foundIn": "Node.js", + "installedVersion": "1.4.2", + "packageName": "sanitize-html", + "references": [ + "https://access.redhat.com/security/cve/CVE-2021-26540", + "https://advisory.checkmarx.net/advisory/CX-2021-4309", + "https://github.com/apostrophecms/sanitize-html/blob/main/CHANGELOG.md#232-2021-01-26", + "https://github.com/apostrophecms/sanitize-html/pull/460", + "https://nvd.nist.gov/vuln/detail/CVE-2021-26540", + "https://www.cve.org/CVERecord?id=CVE-2021-26540", + ], + "vulnerabilityId": "CVE-2021-26540", + }, + "category": "NPM Package Vulnerability", + "description": "Apostrophe Technologies sanitize-html before 2.3.2 does not properly validate the hostnames set by the "allowedIframeHostnames" option when the "allowIframeRelativeUrls" is set to true, which allows attackers to bypass hostname whitelist for iframe element, related using an src value that starts with "/\\\\example.com".", + "location": "bkimminich/juice-shop:v10.2.0", + "mitigation": "Update the affected package sanitize-html to the fixed version: 2.3.2 or remove the package from the image.", + "name": "sanitize-html: improper validation of hostnames set by the "allowedIframeHostnames" option can lead to bypass hostname whitelist for 
iframe element", + "osi_layer": "NOT_APPLICABLE", + "references": [ + { + "type": "CVE", + "value": "CVE-2021-26540", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2021-26540", + }, + { + "type": "URL", + "value": "https://access.redhat.com/security/cve/CVE-2021-26540", + }, + { + "type": "URL", + "value": "https://advisory.checkmarx.net/advisory/CX-2021-4309", + }, + { + "type": "URL", + "value": "https://github.com/apostrophecms/sanitize-html/blob/main/CHANGELOG.md#232-2021-01-26", + }, + { + "type": "URL", + "value": "https://github.com/apostrophecms/sanitize-html/pull/460", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2021-26540", + }, + { + "type": "URL", + "value": "https://www.cve.org/CVERecord?id=CVE-2021-26540", + }, + ], + "severity": "MEDIUM", + }, + { + "attributes": { + "fixedVersion": "2.12.1", + "foundIn": "Node.js", + "installedVersion": "1.4.2", + "packageName": "sanitize-html", + "references": [ + "https://access.redhat.com/security/cve/CVE-2024-21501", + "https://gist.github.com/Slonser/8b4d061abe6ee1b2e10c7242987674cf", + "https://github.com/apostrophecms/apostrophe/discussions/4436", + "https://github.com/apostrophecms/sanitize-html", + "https://github.com/apostrophecms/sanitize-html/commit/c5dbdf77fe8b836d3bf4554ea39edb45281ec0b4", + "https://github.com/apostrophecms/sanitize-html/pull/650", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4EB5JPYRCTS64EA5AMV3INHDPI6I4AW7", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4EB5JPYRCTS64EA5AMV3INHDPI6I4AW7/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/P4I5X6V3LYUNBMZ5YOW4BV427TH3IK4S", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/P4I5X6V3LYUNBMZ5YOW4BV427TH3IK4S/", + "https://nvd.nist.gov/vuln/detail/CVE-2024-21501", + 
"https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-6276557", + "https://security.snyk.io/vuln/SNYK-JS-SANITIZEHTML-6256334", + "https://www.cve.org/CVERecord?id=CVE-2024-21501", + ], + "vulnerabilityId": "CVE-2024-21501", + }, + "category": "NPM Package Vulnerability", + "description": "Versions of the package sanitize-html before 2.12.1 are vulnerable to Information Exposure when used on the backend and with the style attribute allowed, allowing enumeration of files in the system (including project dependencies). An attacker could exploit this vulnerability to gather details about the file system structure and dependencies of the targeted server.", + "location": "bkimminich/juice-shop:v10.2.0", + "mitigation": "Update the affected package sanitize-html to the fixed version: 2.12.1 or remove the package from the image.", + "name": "sanitize-html: Information Exposure when used on the backend", + "osi_layer": "NOT_APPLICABLE", + "references": [ + { + "type": "CVE", + "value": "CVE-2024-21501", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2024-21501", + }, + { + "type": "URL", + "value": "https://access.redhat.com/security/cve/CVE-2024-21501", + }, + { + "type": "URL", + "value": "https://gist.github.com/Slonser/8b4d061abe6ee1b2e10c7242987674cf", + }, + { + "type": "URL", + "value": "https://github.com/apostrophecms/apostrophe/discussions/4436", + }, + { + "type": "URL", + "value": "https://github.com/apostrophecms/sanitize-html", + }, + { + "type": "URL", + "value": "https://github.com/apostrophecms/sanitize-html/commit/c5dbdf77fe8b836d3bf4554ea39edb45281ec0b4", + }, + { + "type": "URL", + "value": "https://github.com/apostrophecms/sanitize-html/pull/650", + }, + { + "type": "URL", + "value": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4EB5JPYRCTS64EA5AMV3INHDPI6I4AW7", + }, + { + "type": "URL", + "value": 
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4EB5JPYRCTS64EA5AMV3INHDPI6I4AW7/", + }, + { + "type": "URL", + "value": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/P4I5X6V3LYUNBMZ5YOW4BV427TH3IK4S", + }, + { + "type": "URL", + "value": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/P4I5X6V3LYUNBMZ5YOW4BV427TH3IK4S/", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2024-21501", + }, + { + "type": "URL", + "value": "https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-6276557", + }, + { + "type": "URL", + "value": "https://security.snyk.io/vuln/SNYK-JS-SANITIZEHTML-6256334", + }, + { + "type": "URL", + "value": "https://www.cve.org/CVERecord?id=CVE-2024-21501", + }, + ], + "severity": "MEDIUM", + }, + { + "attributes": { + "fixedVersion": ">=1.11.4", + "foundIn": "Node.js", + "installedVersion": "1.4.2", + "packageName": "sanitize-html", + "references": [ + "https://github.com/punkave/sanitize-html/commit/5d205a1005ba0df80e21d8c64a15bb3accdb2403", + "https://github.com/punkave/sanitize-html/issues/100", + ], + "vulnerabilityId": "NSWG-ECO-154", + }, + "category": "NPM Package Vulnerability", + "description": "Sanitize-html is a library for scrubbing html input of malicious values. + +Versions 1.11.1 and below are vulnerable to cross site scripting (XSS) in certain scenarios: + +If allowed at least one nonTextTags, the result is a potential XSS vulnerability. +PoC: + +\`\`\` +var sanitizeHtml = require('sanitize-html'); + +var dirty = '!!'; +var clean = sanitizeHtml(dirty, { + allowedTags: [ 'textarea' ] +}); + +console.log(clean); + +// !! 
+\`\`\`", + "location": "bkimminich/juice-shop:v10.2.0", + "mitigation": "Update the affected package sanitize-html to the fixed version: >=1.11.4 or remove the package from the image.", + "name": "Cross Site Scripting", + "osi_layer": "NOT_APPLICABLE", + "references": [ + { + "type": "NSWG", + "value": "NSWG-ECO-154", + }, + { + "type": "URL", + "value": "https://github.com/nodejs/security-wg/tree/master/vuln", + }, + { + "type": "URL", + "value": "https://github.com/punkave/sanitize-html/commit/5d205a1005ba0df80e21d8c64a15bb3accdb2403", + }, + { + "type": "URL", + "value": "https://github.com/punkave/sanitize-html/issues/100", + }, + ], + "severity": "MEDIUM", + }, + { + "attributes": { + "fixedVersion": "7.5.2, 6.3.1, 5.7.2", + "foundIn": "Node.js", + "installedVersion": "5.7.1", + "packageName": "semver", + "references": [ + "https://access.redhat.com/errata/RHSA-2023:5363", + "https://access.redhat.com/security/cve/CVE-2022-25883", + "https://bugzilla.redhat.com/2216475", + "https://bugzilla.redhat.com/2230948", + "https://bugzilla.redhat.com/2230955", + "https://bugzilla.redhat.com/2230956", + "https://errata.almalinux.org/9/ALSA-2023-5363.html", + "https://github.com/advisories/GHSA-c2qf-rxjj-qqgw", + "https://github.com/npm/node-semver", + "https://github.com/npm/node-semver/blob/main/classes/range.js#L97-L104", + "https://github.com/npm/node-semver/blob/main/classes/range.js%23L97-L104", + "https://github.com/npm/node-semver/blob/main/internal/re.js#L138", + "https://github.com/npm/node-semver/blob/main/internal/re.js#L160", + "https://github.com/npm/node-semver/blob/main/internal/re.js%23L138", + "https://github.com/npm/node-semver/blob/main/internal/re.js%23L160", + "https://github.com/npm/node-semver/commit/2f8fd41487acf380194579ecb6f8b1bbfe116be0", + "https://github.com/npm/node-semver/commit/717534ee353682f3bcf33e60a8af4292626d4441", + "https://github.com/npm/node-semver/commit/928e56d21150da0413a3333a3148b20e741a920c", + 
"https://github.com/npm/node-semver/pull/564", + "https://github.com/npm/node-semver/pull/585", + "https://github.com/npm/node-semver/pull/593", + "https://linux.oracle.com/cve/CVE-2022-25883.html", + "https://linux.oracle.com/errata/ELSA-2023-5363.html", + "https://nvd.nist.gov/vuln/detail/CVE-2022-25883", + "https://security.snyk.io/vuln/SNYK-JS-SEMVER-3247795", + "https://www.cve.org/CVERecord?id=CVE-2022-25883", + ], + "vulnerabilityId": "CVE-2022-25883", + }, + "category": "NPM Package Vulnerability", + "description": "Versions of the package semver before 7.5.2 are vulnerable to Regular Expression Denial of Service (ReDoS) via the function new Range, when untrusted user data is provided as a range. + + +", + "location": "bkimminich/juice-shop:v10.2.0", + "mitigation": "Update the affected package semver to the fixed version: 7.5.2, 6.3.1, 5.7.2 or remove the package from the image.", + "name": "nodejs-semver: Regular expression denial of service", + "osi_layer": "NOT_APPLICABLE", + "references": [ + { + "type": "CVE", + "value": "CVE-2022-25883", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2022-25883", + }, + { + "type": "URL", + "value": "https://access.redhat.com/errata/RHSA-2023:5363", + }, + { + "type": "URL", + "value": "https://access.redhat.com/security/cve/CVE-2022-25883", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/2216475", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/2230948", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/2230955", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/2230956", + }, + { + "type": "URL", + "value": "https://errata.almalinux.org/9/ALSA-2023-5363.html", + }, + { + "type": "URL", + "value": "https://github.com/advisories/GHSA-c2qf-rxjj-qqgw", + }, + { + "type": "URL", + "value": "https://github.com/npm/node-semver", + }, + { + "type": "URL", + "value": 
"https://github.com/npm/node-semver/blob/main/classes/range.js#L97-L104", + }, + { + "type": "URL", + "value": "https://github.com/npm/node-semver/blob/main/classes/range.js%23L97-L104", + }, + { + "type": "URL", + "value": "https://github.com/npm/node-semver/blob/main/internal/re.js#L138", + }, + { + "type": "URL", + "value": "https://github.com/npm/node-semver/blob/main/internal/re.js#L160", + }, + { + "type": "URL", + "value": "https://github.com/npm/node-semver/blob/main/internal/re.js%23L138", + }, + { + "type": "URL", + "value": "https://github.com/npm/node-semver/blob/main/internal/re.js%23L160", + }, + { + "type": "URL", + "value": "https://github.com/npm/node-semver/commit/2f8fd41487acf380194579ecb6f8b1bbfe116be0", + }, + { + "type": "URL", + "value": "https://github.com/npm/node-semver/commit/717534ee353682f3bcf33e60a8af4292626d4441", + }, + { + "type": "URL", + "value": "https://github.com/npm/node-semver/commit/928e56d21150da0413a3333a3148b20e741a920c", + }, + { + "type": "URL", + "value": "https://github.com/npm/node-semver/pull/564", + }, + { + "type": "URL", + "value": "https://github.com/npm/node-semver/pull/585", + }, + { + "type": "URL", + "value": "https://github.com/npm/node-semver/pull/593", + }, + { + "type": "URL", + "value": "https://linux.oracle.com/cve/CVE-2022-25883.html", + }, + { + "type": "URL", + "value": "https://linux.oracle.com/errata/ELSA-2023-5363.html", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2022-25883", + }, + { + "type": "URL", + "value": "https://security.snyk.io/vuln/SNYK-JS-SEMVER-3247795", + }, + { + "type": "URL", + "value": "https://www.cve.org/CVERecord?id=CVE-2022-25883", + }, + ], + "severity": "HIGH", + }, + { + "attributes": { + "fixedVersion": "7.5.2, 6.3.1, 5.7.2", + "foundIn": "Node.js", + "installedVersion": "5.7.1", + "packageName": "semver", + "references": [ + "https://access.redhat.com/errata/RHSA-2023:5363", + "https://access.redhat.com/security/cve/CVE-2022-25883", + 
"https://bugzilla.redhat.com/2216475", + "https://bugzilla.redhat.com/2230948", + "https://bugzilla.redhat.com/2230955", + "https://bugzilla.redhat.com/2230956", + "https://errata.almalinux.org/9/ALSA-2023-5363.html", + "https://github.com/advisories/GHSA-c2qf-rxjj-qqgw", + "https://github.com/npm/node-semver", + "https://github.com/npm/node-semver/blob/main/classes/range.js#L97-L104", + "https://github.com/npm/node-semver/blob/main/classes/range.js%23L97-L104", + "https://github.com/npm/node-semver/blob/main/internal/re.js#L138", + "https://github.com/npm/node-semver/blob/main/internal/re.js#L160", + "https://github.com/npm/node-semver/blob/main/internal/re.js%23L138", + "https://github.com/npm/node-semver/blob/main/internal/re.js%23L160", + "https://github.com/npm/node-semver/commit/2f8fd41487acf380194579ecb6f8b1bbfe116be0", + "https://github.com/npm/node-semver/commit/717534ee353682f3bcf33e60a8af4292626d4441", + "https://github.com/npm/node-semver/commit/928e56d21150da0413a3333a3148b20e741a920c", + "https://github.com/npm/node-semver/pull/564", + "https://github.com/npm/node-semver/pull/585", + "https://github.com/npm/node-semver/pull/593", + "https://linux.oracle.com/cve/CVE-2022-25883.html", + "https://linux.oracle.com/errata/ELSA-2023-5363.html", + "https://nvd.nist.gov/vuln/detail/CVE-2022-25883", + "https://security.snyk.io/vuln/SNYK-JS-SEMVER-3247795", + "https://www.cve.org/CVERecord?id=CVE-2022-25883", + ], + "vulnerabilityId": "CVE-2022-25883", + }, + "category": "NPM Package Vulnerability", + "description": "Versions of the package semver before 7.5.2 are vulnerable to Regular Expression Denial of Service (ReDoS) via the function new Range, when untrusted user data is provided as a range. 
+ + +", + "location": "bkimminich/juice-shop:v10.2.0", + "mitigation": "Update the affected package semver to the fixed version: 7.5.2, 6.3.1, 5.7.2 or remove the package from the image.", + "name": "nodejs-semver: Regular expression denial of service", + "osi_layer": "NOT_APPLICABLE", + "references": [ + { + "type": "CVE", + "value": "CVE-2022-25883", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2022-25883", + }, + { + "type": "URL", + "value": "https://access.redhat.com/errata/RHSA-2023:5363", + }, + { + "type": "URL", + "value": "https://access.redhat.com/security/cve/CVE-2022-25883", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/2216475", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/2230948", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/2230955", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/2230956", + }, + { + "type": "URL", + "value": "https://errata.almalinux.org/9/ALSA-2023-5363.html", + }, + { + "type": "URL", + "value": "https://github.com/advisories/GHSA-c2qf-rxjj-qqgw", + }, + { + "type": "URL", + "value": "https://github.com/npm/node-semver", + }, + { + "type": "URL", + "value": "https://github.com/npm/node-semver/blob/main/classes/range.js#L97-L104", + }, + { + "type": "URL", + "value": "https://github.com/npm/node-semver/blob/main/classes/range.js%23L97-L104", + }, + { + "type": "URL", + "value": "https://github.com/npm/node-semver/blob/main/internal/re.js#L138", + }, + { + "type": "URL", + "value": "https://github.com/npm/node-semver/blob/main/internal/re.js#L160", + }, + { + "type": "URL", + "value": "https://github.com/npm/node-semver/blob/main/internal/re.js%23L138", + }, + { + "type": "URL", + "value": "https://github.com/npm/node-semver/blob/main/internal/re.js%23L160", + }, + { + "type": "URL", + "value": "https://github.com/npm/node-semver/commit/2f8fd41487acf380194579ecb6f8b1bbfe116be0", + }, + { + "type": "URL", + "value": 
"https://github.com/npm/node-semver/commit/717534ee353682f3bcf33e60a8af4292626d4441", + }, + { + "type": "URL", + "value": "https://github.com/npm/node-semver/commit/928e56d21150da0413a3333a3148b20e741a920c", + }, + { + "type": "URL", + "value": "https://github.com/npm/node-semver/pull/564", + }, + { + "type": "URL", + "value": "https://github.com/npm/node-semver/pull/585", + }, + { + "type": "URL", + "value": "https://github.com/npm/node-semver/pull/593", + }, + { + "type": "URL", + "value": "https://linux.oracle.com/cve/CVE-2022-25883.html", + }, + { + "type": "URL", + "value": "https://linux.oracle.com/errata/ELSA-2023-5363.html", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2022-25883", + }, + { + "type": "URL", + "value": "https://security.snyk.io/vuln/SNYK-JS-SEMVER-3247795", + }, + { + "type": "URL", + "value": "https://www.cve.org/CVERecord?id=CVE-2022-25883", + }, + ], + "severity": "HIGH", + }, + { + "attributes": { + "fixedVersion": "7.5.2, 6.3.1, 5.7.2", + "foundIn": "Node.js", + "installedVersion": "5.7.1", + "packageName": "semver", + "references": [ + "https://access.redhat.com/errata/RHSA-2023:5363", + "https://access.redhat.com/security/cve/CVE-2022-25883", + "https://bugzilla.redhat.com/2216475", + "https://bugzilla.redhat.com/2230948", + "https://bugzilla.redhat.com/2230955", + "https://bugzilla.redhat.com/2230956", + "https://errata.almalinux.org/9/ALSA-2023-5363.html", + "https://github.com/advisories/GHSA-c2qf-rxjj-qqgw", + "https://github.com/npm/node-semver", + "https://github.com/npm/node-semver/blob/main/classes/range.js#L97-L104", + "https://github.com/npm/node-semver/blob/main/classes/range.js%23L97-L104", + "https://github.com/npm/node-semver/blob/main/internal/re.js#L138", + "https://github.com/npm/node-semver/blob/main/internal/re.js#L160", + "https://github.com/npm/node-semver/blob/main/internal/re.js%23L138", + "https://github.com/npm/node-semver/blob/main/internal/re.js%23L160", + 
"https://github.com/npm/node-semver/commit/2f8fd41487acf380194579ecb6f8b1bbfe116be0", + "https://github.com/npm/node-semver/commit/717534ee353682f3bcf33e60a8af4292626d4441", + "https://github.com/npm/node-semver/commit/928e56d21150da0413a3333a3148b20e741a920c", + "https://github.com/npm/node-semver/pull/564", + "https://github.com/npm/node-semver/pull/585", + "https://github.com/npm/node-semver/pull/593", + "https://linux.oracle.com/cve/CVE-2022-25883.html", + "https://linux.oracle.com/errata/ELSA-2023-5363.html", + "https://nvd.nist.gov/vuln/detail/CVE-2022-25883", + "https://security.snyk.io/vuln/SNYK-JS-SEMVER-3247795", + "https://www.cve.org/CVERecord?id=CVE-2022-25883", + ], + "vulnerabilityId": "CVE-2022-25883", + }, + "category": "NPM Package Vulnerability", + "description": "Versions of the package semver before 7.5.2 are vulnerable to Regular Expression Denial of Service (ReDoS) via the function new Range, when untrusted user data is provided as a range. + + +", + "location": "bkimminich/juice-shop:v10.2.0", + "mitigation": "Update the affected package semver to the fixed version: 7.5.2, 6.3.1, 5.7.2 or remove the package from the image.", + "name": "nodejs-semver: Regular expression denial of service", + "osi_layer": "NOT_APPLICABLE", + "references": [ + { + "type": "CVE", + "value": "CVE-2022-25883", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2022-25883", + }, + { + "type": "URL", + "value": "https://access.redhat.com/errata/RHSA-2023:5363", + }, + { + "type": "URL", + "value": "https://access.redhat.com/security/cve/CVE-2022-25883", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/2216475", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/2230948", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/2230955", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/2230956", + }, + { + "type": "URL", + "value": "https://errata.almalinux.org/9/ALSA-2023-5363.html", + 
}, + { + "type": "URL", + "value": "https://github.com/advisories/GHSA-c2qf-rxjj-qqgw", + }, + { + "type": "URL", + "value": "https://github.com/npm/node-semver", + }, + { + "type": "URL", + "value": "https://github.com/npm/node-semver/blob/main/classes/range.js#L97-L104", + }, + { + "type": "URL", + "value": "https://github.com/npm/node-semver/blob/main/classes/range.js%23L97-L104", + }, + { + "type": "URL", + "value": "https://github.com/npm/node-semver/blob/main/internal/re.js#L138", + }, + { + "type": "URL", + "value": "https://github.com/npm/node-semver/blob/main/internal/re.js#L160", + }, + { + "type": "URL", + "value": "https://github.com/npm/node-semver/blob/main/internal/re.js%23L138", + }, + { + "type": "URL", + "value": "https://github.com/npm/node-semver/blob/main/internal/re.js%23L160", + }, + { + "type": "URL", + "value": "https://github.com/npm/node-semver/commit/2f8fd41487acf380194579ecb6f8b1bbfe116be0", + }, + { + "type": "URL", + "value": "https://github.com/npm/node-semver/commit/717534ee353682f3bcf33e60a8af4292626d4441", + }, + { + "type": "URL", + "value": "https://github.com/npm/node-semver/commit/928e56d21150da0413a3333a3148b20e741a920c", + }, + { + "type": "URL", + "value": "https://github.com/npm/node-semver/pull/564", + }, + { + "type": "URL", + "value": "https://github.com/npm/node-semver/pull/585", + }, + { + "type": "URL", + "value": "https://github.com/npm/node-semver/pull/593", + }, + { + "type": "URL", + "value": "https://linux.oracle.com/cve/CVE-2022-25883.html", + }, + { + "type": "URL", + "value": "https://linux.oracle.com/errata/ELSA-2023-5363.html", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2022-25883", + }, + { + "type": "URL", + "value": "https://security.snyk.io/vuln/SNYK-JS-SEMVER-3247795", + }, + { + "type": "URL", + "value": "https://www.cve.org/CVERecord?id=CVE-2022-25883", + }, + ], + "severity": "HIGH", + }, + { + "attributes": { + "fixedVersion": "7.5.2, 6.3.1, 5.7.2", + "foundIn": 
"Node.js", + "installedVersion": "5.7.1", + "packageName": "semver", + "references": [ + "https://access.redhat.com/errata/RHSA-2023:5363", + "https://access.redhat.com/security/cve/CVE-2022-25883", + "https://bugzilla.redhat.com/2216475", + "https://bugzilla.redhat.com/2230948", + "https://bugzilla.redhat.com/2230955", + "https://bugzilla.redhat.com/2230956", + "https://errata.almalinux.org/9/ALSA-2023-5363.html", + "https://github.com/advisories/GHSA-c2qf-rxjj-qqgw", + "https://github.com/npm/node-semver", + "https://github.com/npm/node-semver/blob/main/classes/range.js#L97-L104", + "https://github.com/npm/node-semver/blob/main/classes/range.js%23L97-L104", + "https://github.com/npm/node-semver/blob/main/internal/re.js#L138", + "https://github.com/npm/node-semver/blob/main/internal/re.js#L160", + "https://github.com/npm/node-semver/blob/main/internal/re.js%23L138", + "https://github.com/npm/node-semver/blob/main/internal/re.js%23L160", + "https://github.com/npm/node-semver/commit/2f8fd41487acf380194579ecb6f8b1bbfe116be0", + "https://github.com/npm/node-semver/commit/717534ee353682f3bcf33e60a8af4292626d4441", + "https://github.com/npm/node-semver/commit/928e56d21150da0413a3333a3148b20e741a920c", + "https://github.com/npm/node-semver/pull/564", + "https://github.com/npm/node-semver/pull/585", + "https://github.com/npm/node-semver/pull/593", + "https://linux.oracle.com/cve/CVE-2022-25883.html", + "https://linux.oracle.com/errata/ELSA-2023-5363.html", + "https://nvd.nist.gov/vuln/detail/CVE-2022-25883", + "https://security.snyk.io/vuln/SNYK-JS-SEMVER-3247795", + "https://www.cve.org/CVERecord?id=CVE-2022-25883", + ], + "vulnerabilityId": "CVE-2022-25883", + }, + "category": "NPM Package Vulnerability", + "description": "Versions of the package semver before 7.5.2 are vulnerable to Regular Expression Denial of Service (ReDoS) via the function new Range, when untrusted user data is provided as a range. 
+ + +", + "location": "bkimminich/juice-shop:v10.2.0", + "mitigation": "Update the affected package semver to the fixed version: 7.5.2, 6.3.1, 5.7.2 or remove the package from the image.", + "name": "nodejs-semver: Regular expression denial of service", + "osi_layer": "NOT_APPLICABLE", + "references": [ + { + "type": "CVE", + "value": "CVE-2022-25883", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2022-25883", + }, + { + "type": "URL", + "value": "https://access.redhat.com/errata/RHSA-2023:5363", + }, + { + "type": "URL", + "value": "https://access.redhat.com/security/cve/CVE-2022-25883", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/2216475", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/2230948", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/2230955", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/2230956", + }, + { + "type": "URL", + "value": "https://errata.almalinux.org/9/ALSA-2023-5363.html", + }, + { + "type": "URL", + "value": "https://github.com/advisories/GHSA-c2qf-rxjj-qqgw", + }, + { + "type": "URL", + "value": "https://github.com/npm/node-semver", + }, + { + "type": "URL", + "value": "https://github.com/npm/node-semver/blob/main/classes/range.js#L97-L104", + }, + { + "type": "URL", + "value": "https://github.com/npm/node-semver/blob/main/classes/range.js%23L97-L104", + }, + { + "type": "URL", + "value": "https://github.com/npm/node-semver/blob/main/internal/re.js#L138", + }, + { + "type": "URL", + "value": "https://github.com/npm/node-semver/blob/main/internal/re.js#L160", + }, + { + "type": "URL", + "value": "https://github.com/npm/node-semver/blob/main/internal/re.js%23L138", + }, + { + "type": "URL", + "value": "https://github.com/npm/node-semver/blob/main/internal/re.js%23L160", + }, + { + "type": "URL", + "value": "https://github.com/npm/node-semver/commit/2f8fd41487acf380194579ecb6f8b1bbfe116be0", + }, + { + "type": "URL", + "value": 
"https://github.com/npm/node-semver/commit/717534ee353682f3bcf33e60a8af4292626d4441", + }, + { + "type": "URL", + "value": "https://github.com/npm/node-semver/commit/928e56d21150da0413a3333a3148b20e741a920c", + }, + { + "type": "URL", + "value": "https://github.com/npm/node-semver/pull/564", + }, + { + "type": "URL", + "value": "https://github.com/npm/node-semver/pull/585", + }, + { + "type": "URL", + "value": "https://github.com/npm/node-semver/pull/593", + }, + { + "type": "URL", + "value": "https://linux.oracle.com/cve/CVE-2022-25883.html", + }, + { + "type": "URL", + "value": "https://linux.oracle.com/errata/ELSA-2023-5363.html", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2022-25883", + }, + { + "type": "URL", + "value": "https://security.snyk.io/vuln/SNYK-JS-SEMVER-3247795", + }, + { + "type": "URL", + "value": "https://www.cve.org/CVERecord?id=CVE-2022-25883", + }, + ], + "severity": "HIGH", + }, + { + "attributes": { + "fixedVersion": "7.5.2, 6.3.1, 5.7.2", + "foundIn": "Node.js", + "installedVersion": "5.7.1", + "packageName": "semver", + "references": [ + "https://access.redhat.com/errata/RHSA-2023:5363", + "https://access.redhat.com/security/cve/CVE-2022-25883", + "https://bugzilla.redhat.com/2216475", + "https://bugzilla.redhat.com/2230948", + "https://bugzilla.redhat.com/2230955", + "https://bugzilla.redhat.com/2230956", + "https://errata.almalinux.org/9/ALSA-2023-5363.html", + "https://github.com/advisories/GHSA-c2qf-rxjj-qqgw", + "https://github.com/npm/node-semver", + "https://github.com/npm/node-semver/blob/main/classes/range.js#L97-L104", + "https://github.com/npm/node-semver/blob/main/classes/range.js%23L97-L104", + "https://github.com/npm/node-semver/blob/main/internal/re.js#L138", + "https://github.com/npm/node-semver/blob/main/internal/re.js#L160", + "https://github.com/npm/node-semver/blob/main/internal/re.js%23L138", + "https://github.com/npm/node-semver/blob/main/internal/re.js%23L160", + 
"https://github.com/npm/node-semver/commit/2f8fd41487acf380194579ecb6f8b1bbfe116be0", + "https://github.com/npm/node-semver/commit/717534ee353682f3bcf33e60a8af4292626d4441", + "https://github.com/npm/node-semver/commit/928e56d21150da0413a3333a3148b20e741a920c", + "https://github.com/npm/node-semver/pull/564", + "https://github.com/npm/node-semver/pull/585", + "https://github.com/npm/node-semver/pull/593", + "https://linux.oracle.com/cve/CVE-2022-25883.html", + "https://linux.oracle.com/errata/ELSA-2023-5363.html", + "https://nvd.nist.gov/vuln/detail/CVE-2022-25883", + "https://security.snyk.io/vuln/SNYK-JS-SEMVER-3247795", + "https://www.cve.org/CVERecord?id=CVE-2022-25883", + ], + "vulnerabilityId": "CVE-2022-25883", + }, + "category": "NPM Package Vulnerability", + "description": "Versions of the package semver before 7.5.2 are vulnerable to Regular Expression Denial of Service (ReDoS) via the function new Range, when untrusted user data is provided as a range. + + +", + "location": "bkimminich/juice-shop:v10.2.0", + "mitigation": "Update the affected package semver to the fixed version: 7.5.2, 6.3.1, 5.7.2 or remove the package from the image.", + "name": "nodejs-semver: Regular expression denial of service", + "osi_layer": "NOT_APPLICABLE", + "references": [ + { + "type": "CVE", + "value": "CVE-2022-25883", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2022-25883", + }, + { + "type": "URL", + "value": "https://access.redhat.com/errata/RHSA-2023:5363", + }, + { + "type": "URL", + "value": "https://access.redhat.com/security/cve/CVE-2022-25883", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/2216475", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/2230948", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/2230955", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/2230956", + }, + { + "type": "URL", + "value": "https://errata.almalinux.org/9/ALSA-2023-5363.html", + 
}, + { + "type": "URL", + "value": "https://github.com/advisories/GHSA-c2qf-rxjj-qqgw", + }, + { + "type": "URL", + "value": "https://github.com/npm/node-semver", + }, + { + "type": "URL", + "value": "https://github.com/npm/node-semver/blob/main/classes/range.js#L97-L104", + }, + { + "type": "URL", + "value": "https://github.com/npm/node-semver/blob/main/classes/range.js%23L97-L104", + }, + { + "type": "URL", + "value": "https://github.com/npm/node-semver/blob/main/internal/re.js#L138", + }, + { + "type": "URL", + "value": "https://github.com/npm/node-semver/blob/main/internal/re.js#L160", + }, + { + "type": "URL", + "value": "https://github.com/npm/node-semver/blob/main/internal/re.js%23L138", + }, + { + "type": "URL", + "value": "https://github.com/npm/node-semver/blob/main/internal/re.js%23L160", + }, + { + "type": "URL", + "value": "https://github.com/npm/node-semver/commit/2f8fd41487acf380194579ecb6f8b1bbfe116be0", + }, + { + "type": "URL", + "value": "https://github.com/npm/node-semver/commit/717534ee353682f3bcf33e60a8af4292626d4441", + }, + { + "type": "URL", + "value": "https://github.com/npm/node-semver/commit/928e56d21150da0413a3333a3148b20e741a920c", + }, + { + "type": "URL", + "value": "https://github.com/npm/node-semver/pull/564", + }, + { + "type": "URL", + "value": "https://github.com/npm/node-semver/pull/585", + }, + { + "type": "URL", + "value": "https://github.com/npm/node-semver/pull/593", + }, + { + "type": "URL", + "value": "https://linux.oracle.com/cve/CVE-2022-25883.html", + }, + { + "type": "URL", + "value": "https://linux.oracle.com/errata/ELSA-2023-5363.html", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2022-25883", + }, + { + "type": "URL", + "value": "https://security.snyk.io/vuln/SNYK-JS-SEMVER-3247795", + }, + { + "type": "URL", + "value": "https://www.cve.org/CVERecord?id=CVE-2022-25883", + }, + ], + "severity": "HIGH", + }, + { + "attributes": { + "fixedVersion": "7.5.2, 6.3.1, 5.7.2", + "foundIn": 
"Node.js", + "installedVersion": "5.7.1", + "packageName": "semver", + "references": [ + "https://access.redhat.com/errata/RHSA-2023:5363", + "https://access.redhat.com/security/cve/CVE-2022-25883", + "https://bugzilla.redhat.com/2216475", + "https://bugzilla.redhat.com/2230948", + "https://bugzilla.redhat.com/2230955", + "https://bugzilla.redhat.com/2230956", + "https://errata.almalinux.org/9/ALSA-2023-5363.html", + "https://github.com/advisories/GHSA-c2qf-rxjj-qqgw", + "https://github.com/npm/node-semver", + "https://github.com/npm/node-semver/blob/main/classes/range.js#L97-L104", + "https://github.com/npm/node-semver/blob/main/classes/range.js%23L97-L104", + "https://github.com/npm/node-semver/blob/main/internal/re.js#L138", + "https://github.com/npm/node-semver/blob/main/internal/re.js#L160", + "https://github.com/npm/node-semver/blob/main/internal/re.js%23L138", + "https://github.com/npm/node-semver/blob/main/internal/re.js%23L160", + "https://github.com/npm/node-semver/commit/2f8fd41487acf380194579ecb6f8b1bbfe116be0", + "https://github.com/npm/node-semver/commit/717534ee353682f3bcf33e60a8af4292626d4441", + "https://github.com/npm/node-semver/commit/928e56d21150da0413a3333a3148b20e741a920c", + "https://github.com/npm/node-semver/pull/564", + "https://github.com/npm/node-semver/pull/585", + "https://github.com/npm/node-semver/pull/593", + "https://linux.oracle.com/cve/CVE-2022-25883.html", + "https://linux.oracle.com/errata/ELSA-2023-5363.html", + "https://nvd.nist.gov/vuln/detail/CVE-2022-25883", + "https://security.snyk.io/vuln/SNYK-JS-SEMVER-3247795", + "https://www.cve.org/CVERecord?id=CVE-2022-25883", + ], + "vulnerabilityId": "CVE-2022-25883", + }, + "category": "NPM Package Vulnerability", + "description": "Versions of the package semver before 7.5.2 are vulnerable to Regular Expression Denial of Service (ReDoS) via the function new Range, when untrusted user data is provided as a range. 
+ + +", + "location": "bkimminich/juice-shop:v10.2.0", + "mitigation": "Update the affected package semver to the fixed version: 7.5.2, 6.3.1, 5.7.2 or remove the package from the image.", + "name": "nodejs-semver: Regular expression denial of service", + "osi_layer": "NOT_APPLICABLE", + "references": [ + { + "type": "CVE", + "value": "CVE-2022-25883", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2022-25883", + }, + { + "type": "URL", + "value": "https://access.redhat.com/errata/RHSA-2023:5363", + }, + { + "type": "URL", + "value": "https://access.redhat.com/security/cve/CVE-2022-25883", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/2216475", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/2230948", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/2230955", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/2230956", + }, + { + "type": "URL", + "value": "https://errata.almalinux.org/9/ALSA-2023-5363.html", + }, + { + "type": "URL", + "value": "https://github.com/advisories/GHSA-c2qf-rxjj-qqgw", + }, + { + "type": "URL", + "value": "https://github.com/npm/node-semver", + }, + { + "type": "URL", + "value": "https://github.com/npm/node-semver/blob/main/classes/range.js#L97-L104", + }, + { + "type": "URL", + "value": "https://github.com/npm/node-semver/blob/main/classes/range.js%23L97-L104", + }, + { + "type": "URL", + "value": "https://github.com/npm/node-semver/blob/main/internal/re.js#L138", + }, + { + "type": "URL", + "value": "https://github.com/npm/node-semver/blob/main/internal/re.js#L160", + }, + { + "type": "URL", + "value": "https://github.com/npm/node-semver/blob/main/internal/re.js%23L138", + }, + { + "type": "URL", + "value": "https://github.com/npm/node-semver/blob/main/internal/re.js%23L160", + }, + { + "type": "URL", + "value": "https://github.com/npm/node-semver/commit/2f8fd41487acf380194579ecb6f8b1bbfe116be0", + }, + { + "type": "URL", + "value": 
"https://github.com/npm/node-semver/commit/717534ee353682f3bcf33e60a8af4292626d4441", + }, + { + "type": "URL", + "value": "https://github.com/npm/node-semver/commit/928e56d21150da0413a3333a3148b20e741a920c", + }, + { + "type": "URL", + "value": "https://github.com/npm/node-semver/pull/564", + }, + { + "type": "URL", + "value": "https://github.com/npm/node-semver/pull/585", + }, + { + "type": "URL", + "value": "https://github.com/npm/node-semver/pull/593", + }, + { + "type": "URL", + "value": "https://linux.oracle.com/cve/CVE-2022-25883.html", + }, + { + "type": "URL", + "value": "https://linux.oracle.com/errata/ELSA-2023-5363.html", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2022-25883", + }, + { + "type": "URL", + "value": "https://security.snyk.io/vuln/SNYK-JS-SEMVER-3247795", + }, + { + "type": "URL", + "value": "https://www.cve.org/CVERecord?id=CVE-2022-25883", + }, + ], + "severity": "HIGH", + }, + { + "attributes": { + "fixedVersion": "7.5.2, 6.3.1, 5.7.2", + "foundIn": "Node.js", + "installedVersion": "5.7.1", + "packageName": "semver", + "references": [ + "https://access.redhat.com/errata/RHSA-2023:5363", + "https://access.redhat.com/security/cve/CVE-2022-25883", + "https://bugzilla.redhat.com/2216475", + "https://bugzilla.redhat.com/2230948", + "https://bugzilla.redhat.com/2230955", + "https://bugzilla.redhat.com/2230956", + "https://errata.almalinux.org/9/ALSA-2023-5363.html", + "https://github.com/advisories/GHSA-c2qf-rxjj-qqgw", + "https://github.com/npm/node-semver", + "https://github.com/npm/node-semver/blob/main/classes/range.js#L97-L104", + "https://github.com/npm/node-semver/blob/main/classes/range.js%23L97-L104", + "https://github.com/npm/node-semver/blob/main/internal/re.js#L138", + "https://github.com/npm/node-semver/blob/main/internal/re.js#L160", + "https://github.com/npm/node-semver/blob/main/internal/re.js%23L138", + "https://github.com/npm/node-semver/blob/main/internal/re.js%23L160", + 
"https://github.com/npm/node-semver/commit/2f8fd41487acf380194579ecb6f8b1bbfe116be0", + "https://github.com/npm/node-semver/commit/717534ee353682f3bcf33e60a8af4292626d4441", + "https://github.com/npm/node-semver/commit/928e56d21150da0413a3333a3148b20e741a920c", + "https://github.com/npm/node-semver/pull/564", + "https://github.com/npm/node-semver/pull/585", + "https://github.com/npm/node-semver/pull/593", + "https://linux.oracle.com/cve/CVE-2022-25883.html", + "https://linux.oracle.com/errata/ELSA-2023-5363.html", + "https://nvd.nist.gov/vuln/detail/CVE-2022-25883", + "https://security.snyk.io/vuln/SNYK-JS-SEMVER-3247795", + "https://www.cve.org/CVERecord?id=CVE-2022-25883", + ], + "vulnerabilityId": "CVE-2022-25883", + }, + "category": "NPM Package Vulnerability", + "description": "Versions of the package semver before 7.5.2 are vulnerable to Regular Expression Denial of Service (ReDoS) via the function new Range, when untrusted user data is provided as a range. + + +", + "location": "bkimminich/juice-shop:v10.2.0", + "mitigation": "Update the affected package semver to the fixed version: 7.5.2, 6.3.1, 5.7.2 or remove the package from the image.", + "name": "nodejs-semver: Regular expression denial of service", + "osi_layer": "NOT_APPLICABLE", + "references": [ + { + "type": "CVE", + "value": "CVE-2022-25883", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2022-25883", + }, + { + "type": "URL", + "value": "https://access.redhat.com/errata/RHSA-2023:5363", + }, + { + "type": "URL", + "value": "https://access.redhat.com/security/cve/CVE-2022-25883", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/2216475", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/2230948", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/2230955", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/2230956", + }, + { + "type": "URL", + "value": "https://errata.almalinux.org/9/ALSA-2023-5363.html", + 
}, + { + "type": "URL", + "value": "https://github.com/advisories/GHSA-c2qf-rxjj-qqgw", + }, + { + "type": "URL", + "value": "https://github.com/npm/node-semver", + }, + { + "type": "URL", + "value": "https://github.com/npm/node-semver/blob/main/classes/range.js#L97-L104", + }, + { + "type": "URL", + "value": "https://github.com/npm/node-semver/blob/main/classes/range.js%23L97-L104", + }, + { + "type": "URL", + "value": "https://github.com/npm/node-semver/blob/main/internal/re.js#L138", + }, + { + "type": "URL", + "value": "https://github.com/npm/node-semver/blob/main/internal/re.js#L160", + }, + { + "type": "URL", + "value": "https://github.com/npm/node-semver/blob/main/internal/re.js%23L138", + }, + { + "type": "URL", + "value": "https://github.com/npm/node-semver/blob/main/internal/re.js%23L160", + }, + { + "type": "URL", + "value": "https://github.com/npm/node-semver/commit/2f8fd41487acf380194579ecb6f8b1bbfe116be0", + }, + { + "type": "URL", + "value": "https://github.com/npm/node-semver/commit/717534ee353682f3bcf33e60a8af4292626d4441", + }, + { + "type": "URL", + "value": "https://github.com/npm/node-semver/commit/928e56d21150da0413a3333a3148b20e741a920c", + }, + { + "type": "URL", + "value": "https://github.com/npm/node-semver/pull/564", + }, + { + "type": "URL", + "value": "https://github.com/npm/node-semver/pull/585", + }, + { + "type": "URL", + "value": "https://github.com/npm/node-semver/pull/593", + }, + { + "type": "URL", + "value": "https://linux.oracle.com/cve/CVE-2022-25883.html", + }, + { + "type": "URL", + "value": "https://linux.oracle.com/errata/ELSA-2023-5363.html", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2022-25883", + }, + { + "type": "URL", + "value": "https://security.snyk.io/vuln/SNYK-JS-SEMVER-3247795", + }, + { + "type": "URL", + "value": "https://www.cve.org/CVERecord?id=CVE-2022-25883", + }, + ], + "severity": "HIGH", + }, + { + "attributes": { + "fixedVersion": "7.5.2, 6.3.1, 5.7.2", + "foundIn": 
"Node.js", + "installedVersion": "6.3.0", + "packageName": "semver", + "references": [ + "https://access.redhat.com/errata/RHSA-2023:5363", + "https://access.redhat.com/security/cve/CVE-2022-25883", + "https://bugzilla.redhat.com/2216475", + "https://bugzilla.redhat.com/2230948", + "https://bugzilla.redhat.com/2230955", + "https://bugzilla.redhat.com/2230956", + "https://errata.almalinux.org/9/ALSA-2023-5363.html", + "https://github.com/advisories/GHSA-c2qf-rxjj-qqgw", + "https://github.com/npm/node-semver", + "https://github.com/npm/node-semver/blob/main/classes/range.js#L97-L104", + "https://github.com/npm/node-semver/blob/main/classes/range.js%23L97-L104", + "https://github.com/npm/node-semver/blob/main/internal/re.js#L138", + "https://github.com/npm/node-semver/blob/main/internal/re.js#L160", + "https://github.com/npm/node-semver/blob/main/internal/re.js%23L138", + "https://github.com/npm/node-semver/blob/main/internal/re.js%23L160", + "https://github.com/npm/node-semver/commit/2f8fd41487acf380194579ecb6f8b1bbfe116be0", + "https://github.com/npm/node-semver/commit/717534ee353682f3bcf33e60a8af4292626d4441", + "https://github.com/npm/node-semver/commit/928e56d21150da0413a3333a3148b20e741a920c", + "https://github.com/npm/node-semver/pull/564", + "https://github.com/npm/node-semver/pull/585", + "https://github.com/npm/node-semver/pull/593", + "https://linux.oracle.com/cve/CVE-2022-25883.html", + "https://linux.oracle.com/errata/ELSA-2023-5363.html", + "https://nvd.nist.gov/vuln/detail/CVE-2022-25883", + "https://security.snyk.io/vuln/SNYK-JS-SEMVER-3247795", + "https://www.cve.org/CVERecord?id=CVE-2022-25883", + ], + "vulnerabilityId": "CVE-2022-25883", + }, + "category": "NPM Package Vulnerability", + "description": "Versions of the package semver before 7.5.2 are vulnerable to Regular Expression Denial of Service (ReDoS) via the function new Range, when untrusted user data is provided as a range. 
+ + +", + "location": "bkimminich/juice-shop:v10.2.0", + "mitigation": "Update the affected package semver to the fixed version: 7.5.2, 6.3.1, 5.7.2 or remove the package from the image.", + "name": "nodejs-semver: Regular expression denial of service", + "osi_layer": "NOT_APPLICABLE", + "references": [ + { + "type": "CVE", + "value": "CVE-2022-25883", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2022-25883", + }, + { + "type": "URL", + "value": "https://access.redhat.com/errata/RHSA-2023:5363", + }, + { + "type": "URL", + "value": "https://access.redhat.com/security/cve/CVE-2022-25883", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/2216475", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/2230948", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/2230955", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/2230956", + }, + { + "type": "URL", + "value": "https://errata.almalinux.org/9/ALSA-2023-5363.html", + }, + { + "type": "URL", + "value": "https://github.com/advisories/GHSA-c2qf-rxjj-qqgw", + }, + { + "type": "URL", + "value": "https://github.com/npm/node-semver", + }, + { + "type": "URL", + "value": "https://github.com/npm/node-semver/blob/main/classes/range.js#L97-L104", + }, + { + "type": "URL", + "value": "https://github.com/npm/node-semver/blob/main/classes/range.js%23L97-L104", + }, + { + "type": "URL", + "value": "https://github.com/npm/node-semver/blob/main/internal/re.js#L138", + }, + { + "type": "URL", + "value": "https://github.com/npm/node-semver/blob/main/internal/re.js#L160", + }, + { + "type": "URL", + "value": "https://github.com/npm/node-semver/blob/main/internal/re.js%23L138", + }, + { + "type": "URL", + "value": "https://github.com/npm/node-semver/blob/main/internal/re.js%23L160", + }, + { + "type": "URL", + "value": "https://github.com/npm/node-semver/commit/2f8fd41487acf380194579ecb6f8b1bbfe116be0", + }, + { + "type": "URL", + "value": 
"https://github.com/npm/node-semver/commit/717534ee353682f3bcf33e60a8af4292626d4441", + }, + { + "type": "URL", + "value": "https://github.com/npm/node-semver/commit/928e56d21150da0413a3333a3148b20e741a920c", + }, + { + "type": "URL", + "value": "https://github.com/npm/node-semver/pull/564", + }, + { + "type": "URL", + "value": "https://github.com/npm/node-semver/pull/585", + }, + { + "type": "URL", + "value": "https://github.com/npm/node-semver/pull/593", + }, + { + "type": "URL", + "value": "https://linux.oracle.com/cve/CVE-2022-25883.html", + }, + { + "type": "URL", + "value": "https://linux.oracle.com/errata/ELSA-2023-5363.html", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2022-25883", + }, + { + "type": "URL", + "value": "https://security.snyk.io/vuln/SNYK-JS-SEMVER-3247795", + }, + { + "type": "URL", + "value": "https://www.cve.org/CVERecord?id=CVE-2022-25883", + }, + ], + "severity": "HIGH", + }, + { + "attributes": { + "fixedVersion": "7.5.2, 6.3.1, 5.7.2", + "foundIn": "Node.js", + "installedVersion": "7.3.2", + "packageName": "semver", + "references": [ + "https://access.redhat.com/errata/RHSA-2023:5363", + "https://access.redhat.com/security/cve/CVE-2022-25883", + "https://bugzilla.redhat.com/2216475", + "https://bugzilla.redhat.com/2230948", + "https://bugzilla.redhat.com/2230955", + "https://bugzilla.redhat.com/2230956", + "https://errata.almalinux.org/9/ALSA-2023-5363.html", + "https://github.com/advisories/GHSA-c2qf-rxjj-qqgw", + "https://github.com/npm/node-semver", + "https://github.com/npm/node-semver/blob/main/classes/range.js#L97-L104", + "https://github.com/npm/node-semver/blob/main/classes/range.js%23L97-L104", + "https://github.com/npm/node-semver/blob/main/internal/re.js#L138", + "https://github.com/npm/node-semver/blob/main/internal/re.js#L160", + "https://github.com/npm/node-semver/blob/main/internal/re.js%23L138", + "https://github.com/npm/node-semver/blob/main/internal/re.js%23L160", + 
"https://github.com/npm/node-semver/commit/2f8fd41487acf380194579ecb6f8b1bbfe116be0", + "https://github.com/npm/node-semver/commit/717534ee353682f3bcf33e60a8af4292626d4441", + "https://github.com/npm/node-semver/commit/928e56d21150da0413a3333a3148b20e741a920c", + "https://github.com/npm/node-semver/pull/564", + "https://github.com/npm/node-semver/pull/585", + "https://github.com/npm/node-semver/pull/593", + "https://linux.oracle.com/cve/CVE-2022-25883.html", + "https://linux.oracle.com/errata/ELSA-2023-5363.html", + "https://nvd.nist.gov/vuln/detail/CVE-2022-25883", + "https://security.snyk.io/vuln/SNYK-JS-SEMVER-3247795", + "https://www.cve.org/CVERecord?id=CVE-2022-25883", + ], + "vulnerabilityId": "CVE-2022-25883", + }, + "category": "NPM Package Vulnerability", + "description": "Versions of the package semver before 7.5.2 are vulnerable to Regular Expression Denial of Service (ReDoS) via the function new Range, when untrusted user data is provided as a range. + + +", + "location": "bkimminich/juice-shop:v10.2.0", + "mitigation": "Update the affected package semver to the fixed version: 7.5.2, 6.3.1, 5.7.2 or remove the package from the image.", + "name": "nodejs-semver: Regular expression denial of service", + "osi_layer": "NOT_APPLICABLE", + "references": [ + { + "type": "CVE", + "value": "CVE-2022-25883", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2022-25883", + }, + { + "type": "URL", + "value": "https://access.redhat.com/errata/RHSA-2023:5363", + }, + { + "type": "URL", + "value": "https://access.redhat.com/security/cve/CVE-2022-25883", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/2216475", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/2230948", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/2230955", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/2230956", + }, + { + "type": "URL", + "value": "https://errata.almalinux.org/9/ALSA-2023-5363.html", + 
}, + { + "type": "URL", + "value": "https://github.com/advisories/GHSA-c2qf-rxjj-qqgw", + }, + { + "type": "URL", + "value": "https://github.com/npm/node-semver", + }, + { + "type": "URL", + "value": "https://github.com/npm/node-semver/blob/main/classes/range.js#L97-L104", + }, + { + "type": "URL", + "value": "https://github.com/npm/node-semver/blob/main/classes/range.js%23L97-L104", + }, + { + "type": "URL", + "value": "https://github.com/npm/node-semver/blob/main/internal/re.js#L138", + }, + { + "type": "URL", + "value": "https://github.com/npm/node-semver/blob/main/internal/re.js#L160", + }, + { + "type": "URL", + "value": "https://github.com/npm/node-semver/blob/main/internal/re.js%23L138", + }, + { + "type": "URL", + "value": "https://github.com/npm/node-semver/blob/main/internal/re.js%23L160", + }, + { + "type": "URL", + "value": "https://github.com/npm/node-semver/commit/2f8fd41487acf380194579ecb6f8b1bbfe116be0", + }, + { + "type": "URL", + "value": "https://github.com/npm/node-semver/commit/717534ee353682f3bcf33e60a8af4292626d4441", + }, + { + "type": "URL", + "value": "https://github.com/npm/node-semver/commit/928e56d21150da0413a3333a3148b20e741a920c", + }, + { + "type": "URL", + "value": "https://github.com/npm/node-semver/pull/564", + }, + { + "type": "URL", + "value": "https://github.com/npm/node-semver/pull/585", + }, + { + "type": "URL", + "value": "https://github.com/npm/node-semver/pull/593", + }, + { + "type": "URL", + "value": "https://linux.oracle.com/cve/CVE-2022-25883.html", + }, + { + "type": "URL", + "value": "https://linux.oracle.com/errata/ELSA-2023-5363.html", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2022-25883", + }, + { + "type": "URL", + "value": "https://security.snyk.io/vuln/SNYK-JS-SEMVER-3247795", + }, + { + "type": "URL", + "value": "https://www.cve.org/CVERecord?id=CVE-2022-25883", + }, + ], + "severity": "HIGH", + }, + { + "attributes": { + "fixedVersion": "0.19.0", + "foundIn": "Node.js", + 
"installedVersion": "0.17.1", + "packageName": "send", + "references": [ + "https://access.redhat.com/security/cve/CVE-2024-43799", + "https://github.com/pillarjs/send", + "https://github.com/pillarjs/send/commit/ae4f2989491b392ae2ef3b0015a019770ae65d35", + "https://github.com/pillarjs/send/security/advisories/GHSA-m6fv-jmcg-4jfg", + "https://nvd.nist.gov/vuln/detail/CVE-2024-43799", + "https://www.cve.org/CVERecord?id=CVE-2024-43799", + ], + "vulnerabilityId": "CVE-2024-43799", + }, + "category": "NPM Package Vulnerability", + "description": "Send is a library for streaming files from the file system as a http response. Send passes untrusted user input to SendStream.redirect() which executes untrusted code. This issue is patched in send 0.19.0.", + "location": "bkimminich/juice-shop:v10.2.0", + "mitigation": "Update the affected package send to the fixed version: 0.19.0 or remove the package from the image.", + "name": "send: Code Execution Vulnerability in Send Library", + "osi_layer": "NOT_APPLICABLE", + "references": [ + { + "type": "CVE", + "value": "CVE-2024-43799", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2024-43799", + }, + { + "type": "URL", + "value": "https://access.redhat.com/security/cve/CVE-2024-43799", + }, + { + "type": "URL", + "value": "https://github.com/pillarjs/send", + }, + { + "type": "URL", + "value": "https://github.com/pillarjs/send/commit/ae4f2989491b392ae2ef3b0015a019770ae65d35", + }, + { + "type": "URL", + "value": "https://github.com/pillarjs/send/security/advisories/GHSA-m6fv-jmcg-4jfg", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2024-43799", + }, + { + "type": "URL", + "value": "https://www.cve.org/CVERecord?id=CVE-2024-43799", + }, + ], + "severity": "MEDIUM", + }, + { + "attributes": { + "fixedVersion": "6.29.0", + "foundIn": "Node.js", + "installedVersion": "5.21.6", + "packageName": "sequelize", + "references": [ + "https://csirt.divd.nl/CVE-2023-22578", + 
"https://csirt.divd.nl/DIVD-2022-00020", + "https://csirt.divd.nl/DIVD-2022-00020/", + "https://github.com/sequelize/sequelize", + "https://github.com/sequelize/sequelize/discussions/15694", + "https://github.com/sequelize/sequelize/pull/15710", + "https://github.com/sequelize/sequelize/releases/tag/v6.29.0", + "https://github.com/sequelize/sequelize/releases/tag/v7.0.0-alpha.20", + "https://github.com/sequelize/sequelize/security/advisories/GHSA-f598-mfpv-gmfx", + "https://nvd.nist.gov/vuln/detail/CVE-2023-22578", + ], + "vulnerabilityId": "CVE-2023-22578", + }, + "category": "NPM Package Vulnerability", + "description": "Due to improper artibute filtering in the sequalize js library, can a attacker peform SQL injections.", + "location": "bkimminich/juice-shop:v10.2.0", + "mitigation": "Update the affected package sequelize to the fixed version: 6.29.0 or remove the package from the image.", + "name": "Sequelize - Default support for “raw attributes” when using parentheses", + "osi_layer": "NOT_APPLICABLE", + "references": [ + { + "type": "CVE", + "value": "CVE-2023-22578", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2023-22578", + }, + { + "type": "URL", + "value": "https://csirt.divd.nl/CVE-2023-22578", + }, + { + "type": "URL", + "value": "https://csirt.divd.nl/DIVD-2022-00020", + }, + { + "type": "URL", + "value": "https://csirt.divd.nl/DIVD-2022-00020/", + }, + { + "type": "URL", + "value": "https://github.com/sequelize/sequelize", + }, + { + "type": "URL", + "value": "https://github.com/sequelize/sequelize/discussions/15694", + }, + { + "type": "URL", + "value": "https://github.com/sequelize/sequelize/pull/15710", + }, + { + "type": "URL", + "value": "https://github.com/sequelize/sequelize/releases/tag/v6.29.0", + }, + { + "type": "URL", + "value": "https://github.com/sequelize/sequelize/releases/tag/v7.0.0-alpha.20", + }, + { + "type": "URL", + "value": 
"https://github.com/sequelize/sequelize/security/advisories/GHSA-f598-mfpv-gmfx", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2023-22578", + }, + ], + "severity": "HIGH", + }, + { + "attributes": { + "fixedVersion": "6.28.1", + "foundIn": "Node.js", + "installedVersion": "5.21.6", + "packageName": "sequelize", + "references": [ + "https://csirt.divd.nl/CVE-2023-22579", + "https://csirt.divd.nl/DIVD-2022-00020", + "https://csirt.divd.nl/DIVD-2022-00020/", + "https://github.com/sequelize/sequelize", + "https://github.com/sequelize/sequelize/discussions/15698", + "https://github.com/sequelize/sequelize/pull/15375", + "https://github.com/sequelize/sequelize/pull/15699", + "https://github.com/sequelize/sequelize/releases/tag/v6.28.1", + "https://github.com/sequelize/sequelize/releases/tag/v7.0.0-alpha.20", + "https://github.com/sequelize/sequelize/security/advisories/GHSA-vqfx-gj96-3w95", + "https://nvd.nist.gov/vuln/detail/CVE-2023-22579", + ], + "vulnerabilityId": "CVE-2023-22579", + }, + "category": "NPM Package Vulnerability", + "description": "Due to improper parameter filtering in the sequalize js library, can a attacker peform injection.", + "location": "bkimminich/juice-shop:v10.2.0", + "mitigation": "Update the affected package sequelize to the fixed version: 6.28.1 or remove the package from the image.", + "name": "Unsafe fall-through in getWhereConditions", + "osi_layer": "NOT_APPLICABLE", + "references": [ + { + "type": "CVE", + "value": "CVE-2023-22579", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2023-22579", + }, + { + "type": "URL", + "value": "https://csirt.divd.nl/CVE-2023-22579", + }, + { + "type": "URL", + "value": "https://csirt.divd.nl/DIVD-2022-00020", + }, + { + "type": "URL", + "value": "https://csirt.divd.nl/DIVD-2022-00020/", + }, + { + "type": "URL", + "value": "https://github.com/sequelize/sequelize", + }, + { + "type": "URL", + "value": 
"https://github.com/sequelize/sequelize/discussions/15698", + }, + { + "type": "URL", + "value": "https://github.com/sequelize/sequelize/pull/15375", + }, + { + "type": "URL", + "value": "https://github.com/sequelize/sequelize/pull/15699", + }, + { + "type": "URL", + "value": "https://github.com/sequelize/sequelize/releases/tag/v6.28.1", + }, + { + "type": "URL", + "value": "https://github.com/sequelize/sequelize/releases/tag/v7.0.0-alpha.20", + }, + { + "type": "URL", + "value": "https://github.com/sequelize/sequelize/security/advisories/GHSA-vqfx-gj96-3w95", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2023-22579", + }, + ], + "severity": "HIGH", + }, + { + "attributes": { + "fixedVersion": "6.19.1", + "foundIn": "Node.js", + "installedVersion": "5.21.6", + "packageName": "sequelize", + "references": [ + "https://github.com/sequelize/sequelize", + "https://github.com/sequelize/sequelize/commit/ccaa3996047fe00048d5993ab2dd43ebadd4f78b", + "https://github.com/sequelize/sequelize/issues/14519", + "https://github.com/sequelize/sequelize/releases/tag/v6.19.1", + "https://github.com/sequelize/sequelize/security/advisories/GHSA-wrh9-cjv3-2hpw", + "https://nvd.nist.gov/vuln/detail/CVE-2023-25813", + "https://security.snyk.io/vuln/SNYK-JS-SEQUELIZE-2932027", + ], + "vulnerabilityId": "CVE-2023-25813", + }, + "category": "NPM Package Vulnerability", + "description": "Sequelize is a Node.js ORM tool. In versions prior to 6.19.1 a SQL injection exploit exists related to replacements. Parameters which are passed through replacements are not properly escaped which can lead to arbitrary SQL injection depending on the specific queries in use. The issue has been fixed in Sequelize 6.19.1. Users are advised to upgrade. 
Users unable to upgrade should not use the \`replacements\` and the \`where\` option in the same query.", + "location": "bkimminich/juice-shop:v10.2.0", + "mitigation": "Update the affected package sequelize to the fixed version: 6.19.1 or remove the package from the image.", + "name": "Sequelize vulnerable to SQL Injection via replacements", + "osi_layer": "NOT_APPLICABLE", + "references": [ + { + "type": "CVE", + "value": "CVE-2023-25813", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2023-25813", + }, + { + "type": "URL", + "value": "https://github.com/sequelize/sequelize", + }, + { + "type": "URL", + "value": "https://github.com/sequelize/sequelize/commit/ccaa3996047fe00048d5993ab2dd43ebadd4f78b", + }, + { + "type": "URL", + "value": "https://github.com/sequelize/sequelize/issues/14519", + }, + { + "type": "URL", + "value": "https://github.com/sequelize/sequelize/releases/tag/v6.19.1", + }, + { + "type": "URL", + "value": "https://github.com/sequelize/sequelize/security/advisories/GHSA-wrh9-cjv3-2hpw", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2023-25813", + }, + { + "type": "URL", + "value": "https://security.snyk.io/vuln/SNYK-JS-SEQUELIZE-2932027", + }, + ], + "severity": "HIGH", + }, + { + "attributes": { + "fixedVersion": "6.28.1", + "foundIn": "Node.js", + "installedVersion": "5.21.6", + "packageName": "sequelize", + "references": [ + "https://csirt.divd.nl/CVE-2023-22580", + "https://csirt.divd.nl/DIVD-2022-00020", + "https://csirt.divd.nl/DIVD-2022-00020/", + "https://github.com/sequelize/sequelize", + "https://github.com/sequelize/sequelize/pull/15375", + "https://github.com/sequelize/sequelize/pull/15699", + "https://github.com/sequelize/sequelize/releases/tag/v6.28.1", + "https://github.com/sequelize/sequelize/releases/tag/v7.0.0-alpha.20", + "https://nvd.nist.gov/vuln/detail/CVE-2023-22580", + ], + "vulnerabilityId": "CVE-2023-22580", + }, + "category": "NPM Package Vulnerability", + 
"description": "Due to improper input filtering in the sequalize js library, can malicious queries lead to sensitive information disclosure.", + "location": "bkimminich/juice-shop:v10.2.0", + "mitigation": "Update the affected package sequelize to the fixed version: 6.28.1 or remove the package from the image.", + "name": "Sequelize information disclosure vulnerability", + "osi_layer": "NOT_APPLICABLE", + "references": [ + { + "type": "CVE", + "value": "CVE-2023-22580", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2023-22580", + }, + { + "type": "URL", + "value": "https://csirt.divd.nl/CVE-2023-22580", + }, + { + "type": "URL", + "value": "https://csirt.divd.nl/DIVD-2022-00020", + }, + { + "type": "URL", + "value": "https://csirt.divd.nl/DIVD-2022-00020/", + }, + { + "type": "URL", + "value": "https://github.com/sequelize/sequelize", + }, + { + "type": "URL", + "value": "https://github.com/sequelize/sequelize/pull/15375", + }, + { + "type": "URL", + "value": "https://github.com/sequelize/sequelize/pull/15699", + }, + { + "type": "URL", + "value": "https://github.com/sequelize/sequelize/releases/tag/v6.28.1", + }, + { + "type": "URL", + "value": "https://github.com/sequelize/sequelize/releases/tag/v7.0.0-alpha.20", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2023-22580", + }, + ], + "severity": "MEDIUM", + }, + { + "attributes": { + "fixedVersion": "1.16.0, 2.1.0", + "foundIn": "Node.js", + "installedVersion": "1.14.1", + "packageName": "serve-static", + "references": [ + "https://access.redhat.com/security/cve/CVE-2024-43800", + "https://github.com/expressjs/serve-static", + "https://github.com/expressjs/serve-static/commit/0c11fad159898cdc69fd9ab63269b72468ecaf6b", + "https://github.com/expressjs/serve-static/commit/ce730896fddce1588111d9ef6fdf20896de5c6fa", + "https://github.com/expressjs/serve-static/security/advisories/GHSA-cm22-4g7w-348p", + "https://nvd.nist.gov/vuln/detail/CVE-2024-43800", + 
"https://www.cve.org/CVERecord?id=CVE-2024-43800", + ], + "vulnerabilityId": "CVE-2024-43800", + }, + "category": "NPM Package Vulnerability", + "description": "serve-static serves static files. serve-static passes untrusted user input - even after sanitizing it - to redirect() may execute untrusted code. This issue is patched in serve-static 1.16.0.", + "location": "bkimminich/juice-shop:v10.2.0", + "mitigation": "Update the affected package serve-static to the fixed version: 1.16.0, 2.1.0 or remove the package from the image.", + "name": "serve-static: Improper Sanitization in serve-static", + "osi_layer": "NOT_APPLICABLE", + "references": [ + { + "type": "CVE", + "value": "CVE-2024-43800", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2024-43800", + }, + { + "type": "URL", + "value": "https://access.redhat.com/security/cve/CVE-2024-43800", + }, + { + "type": "URL", + "value": "https://github.com/expressjs/serve-static", + }, + { + "type": "URL", + "value": "https://github.com/expressjs/serve-static/commit/0c11fad159898cdc69fd9ab63269b72468ecaf6b", + }, + { + "type": "URL", + "value": "https://github.com/expressjs/serve-static/commit/ce730896fddce1588111d9ef6fdf20896de5c6fa", + }, + { + "type": "URL", + "value": "https://github.com/expressjs/serve-static/security/advisories/GHSA-cm22-4g7w-348p", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2024-43800", + }, + { + "type": "URL", + "value": "https://www.cve.org/CVERecord?id=CVE-2024-43800", + }, + ], + "severity": "MEDIUM", + }, + { + "attributes": { + "fixedVersion": "4.0.1, 3.1.1, 2.8.2", + "foundIn": "Node.js", + "installedVersion": "3.1.0", + "packageName": "simple-get", + "references": [ + "https://access.redhat.com/security/cve/CVE-2022-0355", + "https://github.com/advisories/GHSA-wpg7-2c88-r8xv", + "https://github.com/feross/simple-get", + "https://github.com/feross/simple-get/commit/e4af095e06cd69a9235013e8507e220a79b9684f", + 
"https://github.com/feross/simple-get/pull/75#issuecomment-1027755026", + "https://github.com/feross/simple-get/pull/76#issuecomment-1027754710", + "https://huntr.dev/bounties/42c79c23-6646-46c4-871d-219c0d4b4e31", + "https://huntr.dev/bounties/42c79c23-6646-46c4-871d-219c0d4b4e31/", + "https://nvd.nist.gov/vuln/detail/CVE-2022-0355", + "https://www.cve.org/CVERecord?id=CVE-2022-0355", + ], + "vulnerabilityId": "CVE-2022-0355", + }, + "category": "NPM Package Vulnerability", + "description": "Improper Removal of Sensitive Information Before Storage or Transfer in NPM simple-get prior to 4.0.1. + +", + "location": "bkimminich/juice-shop:v10.2.0", + "mitigation": "Update the affected package simple-get to the fixed version: 4.0.1, 3.1.1, 2.8.2 or remove the package from the image.", + "name": "simple-get: exposure of sensitive information to an unauthorized actor", + "osi_layer": "NOT_APPLICABLE", + "references": [ + { + "type": "CVE", + "value": "CVE-2022-0355", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2022-0355", + }, + { + "type": "URL", + "value": "https://access.redhat.com/security/cve/CVE-2022-0355", + }, + { + "type": "URL", + "value": "https://github.com/advisories/GHSA-wpg7-2c88-r8xv", + }, + { + "type": "URL", + "value": "https://github.com/feross/simple-get", + }, + { + "type": "URL", + "value": "https://github.com/feross/simple-get/commit/e4af095e06cd69a9235013e8507e220a79b9684f", + }, + { + "type": "URL", + "value": "https://github.com/feross/simple-get/pull/75#issuecomment-1027755026", + }, + { + "type": "URL", + "value": "https://github.com/feross/simple-get/pull/76#issuecomment-1027754710", + }, + { + "type": "URL", + "value": "https://huntr.dev/bounties/42c79c23-6646-46c4-871d-219c0d4b4e31", + }, + { + "type": "URL", + "value": "https://huntr.dev/bounties/42c79c23-6646-46c4-871d-219c0d4b4e31/", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2022-0355", + }, + { + "type": "URL", + "value": 
"https://www.cve.org/CVERecord?id=CVE-2022-0355", + }, + ], + "severity": "HIGH", + }, + { + "attributes": { + "fixedVersion": "2.5.1, 4.6.2", + "foundIn": "Node.js", + "installedVersion": "2.3.0", + "packageName": "socket.io", + "references": [ + "https://access.redhat.com/security/cve/CVE-2024-38355", + "https://github.com/socketio/socket.io", + "https://github.com/socketio/socket.io/commit/15af22fc22bc6030fcead322c106f07640336115", + "https://github.com/socketio/socket.io/commit/d30630ba10562bf987f4d2b42440fc41a828119c", + "https://github.com/socketio/socket.io/security/advisories/GHSA-25hc-qcg6-38wj", + "https://nvd.nist.gov/vuln/detail/CVE-2024-38355", + "https://www.cve.org/CVERecord?id=CVE-2024-38355", + ], + "vulnerabilityId": "CVE-2024-38355", + }, + "category": "NPM Package Vulnerability", + "description": "Socket.IO is an open source, real-time, bidirectional, event-based, communication framework. A specially crafted Socket.IO packet can trigger an uncaught exception on the Socket.IO server, thus killing the Node.js process. This issue is fixed by commit \`15af22fc22\` which has been included in \`socket.io@4.6.2\` (released in May 2023). The fix was backported in the 2.x branch as well with commit \`d30630ba10\`. Users are advised to upgrade. Users unable to upgrade may attach a listener for the "error" event to catch these errors. 
+", + "location": "bkimminich/juice-shop:v10.2.0", + "mitigation": "Update the affected package socket.io to the fixed version: 2.5.1, 4.6.2 or remove the package from the image.", + "name": "socket.io: Unhandled 'error' event", + "osi_layer": "NOT_APPLICABLE", + "references": [ + { + "type": "CVE", + "value": "CVE-2024-38355", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2024-38355", + }, + { + "type": "URL", + "value": "https://access.redhat.com/security/cve/CVE-2024-38355", + }, + { + "type": "URL", + "value": "https://github.com/socketio/socket.io", + }, + { + "type": "URL", + "value": "https://github.com/socketio/socket.io/commit/15af22fc22bc6030fcead322c106f07640336115", + }, + { + "type": "URL", + "value": "https://github.com/socketio/socket.io/commit/d30630ba10562bf987f4d2b42440fc41a828119c", + }, + { + "type": "URL", + "value": "https://github.com/socketio/socket.io/security/advisories/GHSA-25hc-qcg6-38wj", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2024-38355", + }, + { + "type": "URL", + "value": "https://www.cve.org/CVERecord?id=CVE-2024-38355", + }, + ], + "severity": "HIGH", + }, + { + "attributes": { + "fixedVersion": "2.4.0", + "foundIn": "Node.js", + "installedVersion": "2.3.0", + "packageName": "socket.io", + "references": [ + "https://github.com/socketio/socket.io/commit/f78a575f66ab693c3ea96ea88429ddb1a44c86c7", + "https://github.com/socketio/socket.io/issues/3671", + "https://nvd.nist.gov/vuln/detail/CVE-2020-28481", + "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1056358", + "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1056357", + "https://snyk.io/vuln/SNYK-JS-SOCKETIO-1024859", + ], + "vulnerabilityId": "CVE-2020-28481", + }, + "category": "NPM Package Vulnerability", + "description": "The package socket.io before 2.4.0 are vulnerable to Insecure Defaults due to CORS Misconfiguration. 
All domains are whitelisted by default.", + "location": "bkimminich/juice-shop:v10.2.0", + "mitigation": "Update the affected package socket.io to the fixed version: 2.4.0 or remove the package from the image.", + "name": "CORS misconfiguration in socket.io", + "osi_layer": "NOT_APPLICABLE", + "references": [ + { + "type": "CVE", + "value": "CVE-2020-28481", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2020-28481", + }, + { + "type": "URL", + "value": "https://github.com/socketio/socket.io/commit/f78a575f66ab693c3ea96ea88429ddb1a44c86c7", + }, + { + "type": "URL", + "value": "https://github.com/socketio/socket.io/issues/3671", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2020-28481", + }, + { + "type": "URL", + "value": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1056358", + }, + { + "type": "URL", + "value": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1056357", + }, + { + "type": "URL", + "value": "https://snyk.io/vuln/SNYK-JS-SOCKETIO-1024859", + }, + ], + "severity": "MEDIUM", + }, + { + "attributes": { + "fixedVersion": "4.0.5, 4.2.1, 3.3.3, 3.4.2", + "foundIn": "Node.js", + "installedVersion": "3.3.0", + "packageName": "socket.io-parser", + "references": [ + "https://csirt.divd.nl/CVE-2022-2421", + "https://csirt.divd.nl/DIVD-2022-00045", + "https://csirt.divd.nl/cases/DIVD-2022-00045", + "https://csirt.divd.nl/cves/CVE-2022-2421", + "https://github.com/socketio/socket.io-parser", + "https://github.com/socketio/socket.io-parser/commit/04d23cecafe1b859fb03e0cbf6ba3b74dff56d14", + "https://github.com/socketio/socket.io-parser/commit/b559f050ee02bd90bd853b9823f8de7fa94a80d4", + "https://github.com/socketio/socket.io-parser/commit/b5d0cb7dc56a0601a09b056beaeeb0e43b160050", + "https://github.com/socketio/socket.io-parser/commit/fb21e422fc193b34347395a33e0f625bebc09983", + "https://nvd.nist.gov/vuln/detail/CVE-2022-2421", + ], + "vulnerabilityId": "CVE-2022-2421", + }, + "category": "NPM Package 
Vulnerability", + "description": "Due to improper type validation in attachment parsing the Socket.io js library, it is possible to overwrite the _placeholder object which allows an attacker to place references to functions at arbitrary places in the resulting query object.", + "location": "bkimminich/juice-shop:v10.2.0", + "mitigation": "Update the affected package socket.io-parser to the fixed version: 4.0.5, 4.2.1, 3.3.3, 3.4.2 or remove the package from the image.", + "name": "Insufficient validation when decoding a Socket.IO packet", + "osi_layer": "NOT_APPLICABLE", + "references": [ + { + "type": "CVE", + "value": "CVE-2022-2421", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2022-2421", + }, + { + "type": "URL", + "value": "https://csirt.divd.nl/CVE-2022-2421", + }, + { + "type": "URL", + "value": "https://csirt.divd.nl/DIVD-2022-00045", + }, + { + "type": "URL", + "value": "https://csirt.divd.nl/cases/DIVD-2022-00045", + }, + { + "type": "URL", + "value": "https://csirt.divd.nl/cves/CVE-2022-2421", + }, + { + "type": "URL", + "value": "https://github.com/socketio/socket.io-parser", + }, + { + "type": "URL", + "value": "https://github.com/socketio/socket.io-parser/commit/04d23cecafe1b859fb03e0cbf6ba3b74dff56d14", + }, + { + "type": "URL", + "value": "https://github.com/socketio/socket.io-parser/commit/b559f050ee02bd90bd853b9823f8de7fa94a80d4", + }, + { + "type": "URL", + "value": "https://github.com/socketio/socket.io-parser/commit/b5d0cb7dc56a0601a09b056beaeeb0e43b160050", + }, + { + "type": "URL", + "value": "https://github.com/socketio/socket.io-parser/commit/fb21e422fc193b34347395a33e0f625bebc09983", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2022-2421", + }, + ], + "severity": "HIGH", + }, + { + "attributes": { + "fixedVersion": "3.3.2, 3.4.1", + "foundIn": "Node.js", + "installedVersion": "3.3.0", + "packageName": "socket.io-parser", + "references": [ + 
"https://access.redhat.com/security/cve/CVE-2020-36049", + "https://blog.caller.xyz/socketio-engineio-dos", + "https://blog.caller.xyz/socketio-engineio-dos/", + "https://github.com/bcaller/kill-engine-io", + "https://github.com/socketio/socket.io-parser/commit/dcb942d24db97162ad16a67c2a0cf30875342d55", + "https://github.com/socketio/socket.io-parser/releases/tag/3.3.2", + "https://github.com/socketio/socket.io-parser/releases/tag/3.4.1", + "https://nvd.nist.gov/vuln/detail/CVE-2020-36049", + "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1056753", + "https://www.cve.org/CVERecord?id=CVE-2020-36049", + "https://www.npmjs.com/package/socket.io-parser", + ], + "vulnerabilityId": "CVE-2020-36049", + }, + "category": "NPM Package Vulnerability", + "description": "socket.io-parser before 3.4.1 allows attackers to cause a denial of service (memory consumption) via a large packet because a concatenation approach is used.", + "location": "bkimminich/juice-shop:v10.2.0", + "mitigation": "Update the affected package socket.io-parser to the fixed version: 3.3.2, 3.4.1 or remove the package from the image.", + "name": "yarnpkg-socket.io-parser: a denial of service (memory consumption) via a large packet because a concatenation approach is used", + "osi_layer": "NOT_APPLICABLE", + "references": [ + { + "type": "CVE", + "value": "CVE-2020-36049", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2020-36049", + }, + { + "type": "URL", + "value": "https://access.redhat.com/security/cve/CVE-2020-36049", + }, + { + "type": "URL", + "value": "https://blog.caller.xyz/socketio-engineio-dos", + }, + { + "type": "URL", + "value": "https://blog.caller.xyz/socketio-engineio-dos/", + }, + { + "type": "URL", + "value": "https://github.com/bcaller/kill-engine-io", + }, + { + "type": "URL", + "value": "https://github.com/socketio/socket.io-parser/commit/dcb942d24db97162ad16a67c2a0cf30875342d55", + }, + { + "type": "URL", + "value": 
"https://github.com/socketio/socket.io-parser/releases/tag/3.3.2", + }, + { + "type": "URL", + "value": "https://github.com/socketio/socket.io-parser/releases/tag/3.4.1", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2020-36049", + }, + { + "type": "URL", + "value": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1056753", + }, + { + "type": "URL", + "value": "https://www.cve.org/CVERecord?id=CVE-2020-36049", + }, + { + "type": "URL", + "value": "https://www.npmjs.com/package/socket.io-parser", + }, + ], + "severity": "HIGH", + }, + { + "attributes": { + "fixedVersion": "4.2.3, 3.4.3, 3.3.4", + "foundIn": "Node.js", + "installedVersion": "3.3.0", + "packageName": "socket.io-parser", + "references": [ + "https://github.com/socketio/socket.io-parser", + "https://github.com/socketio/socket.io-parser/commit/1c220ddbf45ea4b44bc8dbf6f9ae245f672ba1b9", + "https://github.com/socketio/socket.io-parser/commit/2dc3c92622dad113b8676be06f23b1ed46b02ced", + "https://github.com/socketio/socket.io-parser/commit/3b78117bf6ba7e99d7a5cfc1ba54d0477554a7f3", + "https://github.com/socketio/socket.io-parser/commit/ee006607495eca4ec7262ad080dd3a91439a5ba4", + "https://github.com/socketio/socket.io-parser/releases/tag/4.2.3", + "https://github.com/socketio/socket.io-parser/security/advisories/GHSA-cqmj-92xf-r6r9", + "https://nvd.nist.gov/vuln/detail/CVE-2023-32695", + ], + "vulnerabilityId": "CVE-2023-32695", + }, + "category": "NPM Package Vulnerability", + "description": "socket.io parser is a socket.io encoder and decoder written in JavaScript complying with version 5 of socket.io-protocol. A specially crafted Socket.IO packet can trigger an uncaught exception on the Socket.IO server, thus killing the Node.js process. A patch has been released in version 4.2.3. 
+ +", + "location": "bkimminich/juice-shop:v10.2.0", + "mitigation": "Update the affected package socket.io-parser to the fixed version: 4.2.3, 3.4.3, 3.3.4 or remove the package from the image.", + "name": "socket.io parser is a socket.io encoder and decoder written in JavaScr ...", + "osi_layer": "NOT_APPLICABLE", + "references": [ + { + "type": "CVE", + "value": "CVE-2023-32695", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2023-32695", + }, + { + "type": "URL", + "value": "https://github.com/socketio/socket.io-parser", + }, + { + "type": "URL", + "value": "https://github.com/socketio/socket.io-parser/commit/1c220ddbf45ea4b44bc8dbf6f9ae245f672ba1b9", + }, + { + "type": "URL", + "value": "https://github.com/socketio/socket.io-parser/commit/2dc3c92622dad113b8676be06f23b1ed46b02ced", + }, + { + "type": "URL", + "value": "https://github.com/socketio/socket.io-parser/commit/3b78117bf6ba7e99d7a5cfc1ba54d0477554a7f3", + }, + { + "type": "URL", + "value": "https://github.com/socketio/socket.io-parser/commit/ee006607495eca4ec7262ad080dd3a91439a5ba4", + }, + { + "type": "URL", + "value": "https://github.com/socketio/socket.io-parser/releases/tag/4.2.3", + }, + { + "type": "URL", + "value": "https://github.com/socketio/socket.io-parser/security/advisories/GHSA-cqmj-92xf-r6r9", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2023-32695", + }, + ], + "severity": "HIGH", + }, + { + "attributes": { + "fixedVersion": "4.0.5, 4.2.1, 3.3.3, 3.4.2", + "foundIn": "Node.js", + "installedVersion": "3.4.0", + "packageName": "socket.io-parser", + "references": [ + "https://csirt.divd.nl/CVE-2022-2421", + "https://csirt.divd.nl/DIVD-2022-00045", + "https://csirt.divd.nl/cases/DIVD-2022-00045", + "https://csirt.divd.nl/cves/CVE-2022-2421", + "https://github.com/socketio/socket.io-parser", + "https://github.com/socketio/socket.io-parser/commit/04d23cecafe1b859fb03e0cbf6ba3b74dff56d14", + 
"https://github.com/socketio/socket.io-parser/commit/b559f050ee02bd90bd853b9823f8de7fa94a80d4", + "https://github.com/socketio/socket.io-parser/commit/b5d0cb7dc56a0601a09b056beaeeb0e43b160050", + "https://github.com/socketio/socket.io-parser/commit/fb21e422fc193b34347395a33e0f625bebc09983", + "https://nvd.nist.gov/vuln/detail/CVE-2022-2421", + ], + "vulnerabilityId": "CVE-2022-2421", + }, + "category": "NPM Package Vulnerability", + "description": "Due to improper type validation in attachment parsing the Socket.io js library, it is possible to overwrite the _placeholder object which allows an attacker to place references to functions at arbitrary places in the resulting query object.", + "location": "bkimminich/juice-shop:v10.2.0", + "mitigation": "Update the affected package socket.io-parser to the fixed version: 4.0.5, 4.2.1, 3.3.3, 3.4.2 or remove the package from the image.", + "name": "Insufficient validation when decoding a Socket.IO packet", + "osi_layer": "NOT_APPLICABLE", + "references": [ + { + "type": "CVE", + "value": "CVE-2022-2421", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2022-2421", + }, + { + "type": "URL", + "value": "https://csirt.divd.nl/CVE-2022-2421", + }, + { + "type": "URL", + "value": "https://csirt.divd.nl/DIVD-2022-00045", + }, + { + "type": "URL", + "value": "https://csirt.divd.nl/cases/DIVD-2022-00045", + }, + { + "type": "URL", + "value": "https://csirt.divd.nl/cves/CVE-2022-2421", + }, + { + "type": "URL", + "value": "https://github.com/socketio/socket.io-parser", + }, + { + "type": "URL", + "value": "https://github.com/socketio/socket.io-parser/commit/04d23cecafe1b859fb03e0cbf6ba3b74dff56d14", + }, + { + "type": "URL", + "value": "https://github.com/socketio/socket.io-parser/commit/b559f050ee02bd90bd853b9823f8de7fa94a80d4", + }, + { + "type": "URL", + "value": "https://github.com/socketio/socket.io-parser/commit/b5d0cb7dc56a0601a09b056beaeeb0e43b160050", + }, + { + "type": "URL", + "value": 
"https://github.com/socketio/socket.io-parser/commit/fb21e422fc193b34347395a33e0f625bebc09983", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2022-2421", + }, + ], + "severity": "HIGH", + }, + { + "attributes": { + "fixedVersion": "3.3.2, 3.4.1", + "foundIn": "Node.js", + "installedVersion": "3.4.0", + "packageName": "socket.io-parser", + "references": [ + "https://access.redhat.com/security/cve/CVE-2020-36049", + "https://blog.caller.xyz/socketio-engineio-dos", + "https://blog.caller.xyz/socketio-engineio-dos/", + "https://github.com/bcaller/kill-engine-io", + "https://github.com/socketio/socket.io-parser/commit/dcb942d24db97162ad16a67c2a0cf30875342d55", + "https://github.com/socketio/socket.io-parser/releases/tag/3.3.2", + "https://github.com/socketio/socket.io-parser/releases/tag/3.4.1", + "https://nvd.nist.gov/vuln/detail/CVE-2020-36049", + "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1056753", + "https://www.cve.org/CVERecord?id=CVE-2020-36049", + "https://www.npmjs.com/package/socket.io-parser", + ], + "vulnerabilityId": "CVE-2020-36049", + }, + "category": "NPM Package Vulnerability", + "description": "socket.io-parser before 3.4.1 allows attackers to cause a denial of service (memory consumption) via a large packet because a concatenation approach is used.", + "location": "bkimminich/juice-shop:v10.2.0", + "mitigation": "Update the affected package socket.io-parser to the fixed version: 3.3.2, 3.4.1 or remove the package from the image.", + "name": "yarnpkg-socket.io-parser: a denial of service (memory consumption) via a large packet because a concatenation approach is used", + "osi_layer": "NOT_APPLICABLE", + "references": [ + { + "type": "CVE", + "value": "CVE-2020-36049", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2020-36049", + }, + { + "type": "URL", + "value": "https://access.redhat.com/security/cve/CVE-2020-36049", + }, + { + "type": "URL", + "value": 
"https://blog.caller.xyz/socketio-engineio-dos", + }, + { + "type": "URL", + "value": "https://blog.caller.xyz/socketio-engineio-dos/", + }, + { + "type": "URL", + "value": "https://github.com/bcaller/kill-engine-io", + }, + { + "type": "URL", + "value": "https://github.com/socketio/socket.io-parser/commit/dcb942d24db97162ad16a67c2a0cf30875342d55", + }, + { + "type": "URL", + "value": "https://github.com/socketio/socket.io-parser/releases/tag/3.3.2", + }, + { + "type": "URL", + "value": "https://github.com/socketio/socket.io-parser/releases/tag/3.4.1", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2020-36049", + }, + { + "type": "URL", + "value": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1056753", + }, + { + "type": "URL", + "value": "https://www.cve.org/CVERecord?id=CVE-2020-36049", + }, + { + "type": "URL", + "value": "https://www.npmjs.com/package/socket.io-parser", + }, + ], + "severity": "HIGH", + }, + { + "attributes": { + "fixedVersion": "4.2.3, 3.4.3, 3.3.4", + "foundIn": "Node.js", + "installedVersion": "3.4.0", + "packageName": "socket.io-parser", + "references": [ + "https://github.com/socketio/socket.io-parser", + "https://github.com/socketio/socket.io-parser/commit/1c220ddbf45ea4b44bc8dbf6f9ae245f672ba1b9", + "https://github.com/socketio/socket.io-parser/commit/2dc3c92622dad113b8676be06f23b1ed46b02ced", + "https://github.com/socketio/socket.io-parser/commit/3b78117bf6ba7e99d7a5cfc1ba54d0477554a7f3", + "https://github.com/socketio/socket.io-parser/commit/ee006607495eca4ec7262ad080dd3a91439a5ba4", + "https://github.com/socketio/socket.io-parser/releases/tag/4.2.3", + "https://github.com/socketio/socket.io-parser/security/advisories/GHSA-cqmj-92xf-r6r9", + "https://nvd.nist.gov/vuln/detail/CVE-2023-32695", + ], + "vulnerabilityId": "CVE-2023-32695", + }, + "category": "NPM Package Vulnerability", + "description": "socket.io parser is a socket.io encoder and decoder written in JavaScript complying with version 5 of 
socket.io-protocol. A specially crafted Socket.IO packet can trigger an uncaught exception on the Socket.IO server, thus killing the Node.js process. A patch has been released in version 4.2.3. + +", + "location": "bkimminich/juice-shop:v10.2.0", + "mitigation": "Update the affected package socket.io-parser to the fixed version: 4.2.3, 3.4.3, 3.3.4 or remove the package from the image.", + "name": "socket.io parser is a socket.io encoder and decoder written in JavaScr ...", + "osi_layer": "NOT_APPLICABLE", + "references": [ + { + "type": "CVE", + "value": "CVE-2023-32695", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2023-32695", + }, + { + "type": "URL", + "value": "https://github.com/socketio/socket.io-parser", + }, + { + "type": "URL", + "value": "https://github.com/socketio/socket.io-parser/commit/1c220ddbf45ea4b44bc8dbf6f9ae245f672ba1b9", + }, + { + "type": "URL", + "value": "https://github.com/socketio/socket.io-parser/commit/2dc3c92622dad113b8676be06f23b1ed46b02ced", + }, + { + "type": "URL", + "value": "https://github.com/socketio/socket.io-parser/commit/3b78117bf6ba7e99d7a5cfc1ba54d0477554a7f3", + }, + { + "type": "URL", + "value": "https://github.com/socketio/socket.io-parser/commit/ee006607495eca4ec7262ad080dd3a91439a5ba4", + }, + { + "type": "URL", + "value": "https://github.com/socketio/socket.io-parser/releases/tag/4.2.3", + }, + { + "type": "URL", + "value": "https://github.com/socketio/socket.io-parser/security/advisories/GHSA-cqmj-92xf-r6r9", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2023-32695", + }, + ], + "severity": "HIGH", + }, + { + "attributes": { + "fixedVersion": "6.0.2, 7.1.1, 8.0.1", + "foundIn": "Node.js", + "installedVersion": "6.0.1", + "packageName": "ssri", + "references": [ + "https://access.redhat.com/security/cve/CVE-2021-27290", + "https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf", + "https://doyensec.com/resources/Doyensec_Advisory_ssri_redos.pdf", + 
"https://errata.almalinux.org/8/ALSA-2021-3074.html", + "https://github.com/npm/ssri", + "https://github.com/npm/ssri/commit/76e223317d971f19e4db8191865bdad5edee40d2", + "https://github.com/npm/ssri/commit/809c84d09ea87c3857fa171d42914586899d4538", + "https://github.com/npm/ssri/commit/b30dfdb00bb94ddc49a25a85a18fb27afafdfbb1", + "https://github.com/npm/ssri/pull/20#issuecomment-842677644", + "https://github.com/yetingli/SaveResults/blob/main/pdf/ssri-redos.pdf", + "https://linux.oracle.com/cve/CVE-2021-27290.html", + "https://linux.oracle.com/errata/ELSA-2021-3074.html", + "https://npmjs.com", + "https://nvd.nist.gov/vuln/detail/CVE-2021-27290", + "https://www.cve.org/CVERecord?id=CVE-2021-27290", + "https://www.npmjs.com/package/ssri", + "https://www.oracle.com/security-alerts/cpuoct2021.html", + ], + "vulnerabilityId": "CVE-2021-27290", + }, + "category": "NPM Package Vulnerability", + "description": "ssri 5.2.2-8.0.0, fixed in 8.0.1, processes SRIs using a regular expression which is vulnerable to a denial of service. Malicious SRIs could take an extremely long time to process, leading to denial of service. 
This issue only affects consumers using the strict option.", + "location": "bkimminich/juice-shop:v10.2.0", + "mitigation": "Update the affected package ssri to the fixed version: 6.0.2, 7.1.1, 8.0.1 or remove the package from the image.", + "name": "nodejs-ssri: Regular expression DoS (ReDoS) when parsing malicious SRI in strict mode", + "osi_layer": "NOT_APPLICABLE", + "references": [ + { + "type": "CVE", + "value": "CVE-2021-27290", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2021-27290", + }, + { + "type": "URL", + "value": "https://access.redhat.com/security/cve/CVE-2021-27290", + }, + { + "type": "URL", + "value": "https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf", + }, + { + "type": "URL", + "value": "https://doyensec.com/resources/Doyensec_Advisory_ssri_redos.pdf", + }, + { + "type": "URL", + "value": "https://errata.almalinux.org/8/ALSA-2021-3074.html", + }, + { + "type": "URL", + "value": "https://github.com/npm/ssri", + }, + { + "type": "URL", + "value": "https://github.com/npm/ssri/commit/76e223317d971f19e4db8191865bdad5edee40d2", + }, + { + "type": "URL", + "value": "https://github.com/npm/ssri/commit/809c84d09ea87c3857fa171d42914586899d4538", + }, + { + "type": "URL", + "value": "https://github.com/npm/ssri/commit/b30dfdb00bb94ddc49a25a85a18fb27afafdfbb1", + }, + { + "type": "URL", + "value": "https://github.com/npm/ssri/pull/20#issuecomment-842677644", + }, + { + "type": "URL", + "value": "https://github.com/yetingli/SaveResults/blob/main/pdf/ssri-redos.pdf", + }, + { + "type": "URL", + "value": "https://linux.oracle.com/cve/CVE-2021-27290.html", + }, + { + "type": "URL", + "value": "https://linux.oracle.com/errata/ELSA-2021-3074.html", + }, + { + "type": "URL", + "value": "https://npmjs.com", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2021-27290", + }, + { + "type": "URL", + "value": "https://www.cve.org/CVERecord?id=CVE-2021-27290", + }, + { + "type": "URL", + "value": 
"https://www.npmjs.com/package/ssri", + }, + { + "type": "URL", + "value": "https://www.oracle.com/security-alerts/cpuoct2021.html", + }, + ], + "severity": "HIGH", + }, + { + "attributes": { + "fixedVersion": "4.1.3", + "foundIn": "Node.js", + "installedVersion": "3.25.0", + "packageName": "swagger-ui-dist", + "references": [ + "https://github.com/swagger-api/swagger-ui", + "https://nvd.nist.gov/vuln/detail/CVE-2021-46708", + "https://security.netapp.com/advisory/ntap-20220407-0004", + "https://security.netapp.com/advisory/ntap-20220407-0004/", + "https://security.snyk.io/vuln/SNYK-JS-SWAGGERUIDIST-2314884", + "https://www.npmjs.com/package/swagger-ui-dist/v/4.1.3", + ], + "vulnerabilityId": "CVE-2021-46708", + }, + "category": "NPM Package Vulnerability", + "description": "The swagger-ui-dist package before 4.1.3 for Node.js could allow a remote attacker to hijack the clicking action of the victim. By persuading a victim to visit a malicious Web site, a remote attacker could exploit this vulnerability to hijack the victim's click actions and possibly launch further attacks against the victim.", + "location": "bkimminich/juice-shop:v10.2.0", + "mitigation": "Update the affected package swagger-ui-dist to the fixed version: 4.1.3 or remove the package from the image.", + "name": "Spoofing attack in swagger-ui-dist", + "osi_layer": "NOT_APPLICABLE", + "references": [ + { + "type": "CVE", + "value": "CVE-2021-46708", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2021-46708", + }, + { + "type": "URL", + "value": "https://github.com/swagger-api/swagger-ui", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2021-46708", + }, + { + "type": "URL", + "value": "https://security.netapp.com/advisory/ntap-20220407-0004", + }, + { + "type": "URL", + "value": "https://security.netapp.com/advisory/ntap-20220407-0004/", + }, + { + "type": "URL", + "value": "https://security.snyk.io/vuln/SNYK-JS-SWAGGERUIDIST-2314884", + }, + { 
+ "type": "URL", + "value": "https://www.npmjs.com/package/swagger-ui-dist/v/4.1.3", + }, + ], + "severity": "MEDIUM", + }, + { + "attributes": { + "fixedVersion": "4.1.3", + "foundIn": "Node.js", + "installedVersion": "3.25.0", + "packageName": "swagger-ui-dist", + "references": [ + "https://github.com/domaindrivendev/Swashbuckle.AspNetCore/commit/401c7cb81e5efe835ceb8aae23e82057d57c7d29", + "https://github.com/swagger-api/swagger-ui", + "https://github.com/swagger-api/swagger-ui/commit/01a3e55960f864a0acf6a8d06e5ddaf6776a7f76", + "https://github.com/swagger-api/swagger-ui/issues/4872", + "https://github.com/swagger-api/swagger-ui/security/advisories/GHSA-qrmm-w75w-3wpx", + ], + "vulnerabilityId": "GHSA-qrmm-w75w-3wpx", + }, + "category": "NPM Package Vulnerability", + "description": "SwaggerUI supports displaying remote OpenAPI definitions through the \`?url\` parameter. This enables robust demonstration capabilities on sites like \`petstore.swagger.io\`, \`editor.swagger.io\`, and similar sites, where users often want to see what their OpenAPI definitions would look like rendered. + +However, this functionality may pose a risk for users who host their own SwaggerUI instances. In particular, including remote OpenAPI definitions opens a vector for phishing attacks by abusing the trusted names/domains of self-hosted instances. + +An example scenario abusing this functionality could take the following form: +- \`https://example.com/api-docs\` hosts a version of SwaggerUI with \`?url=\` query parameter enabled. +- Users will trust the domain \`https://example.com\` and the contents of the OpenAPI definition. +- A malicious actor may craft a similar OpenAPI definition and service that responds to the defined APIs at \`https://evildomain\`. +- Users mistakenly click a phishing URL like \`https://example.com/api-docs?url=https://evildomain/fakeapi.yaml\` and enters sensitive data via the "Try-it-out" feature. 
+ +We do want to stress that this attack vector is limited to scenarios that actively trick users into divulging sensitive information. The ease of this is highly contextual and, therefore, the threat model may be different for individual users and organizations. It is *not* possible to perform non-interactive attacks (e.g., cross-site scripting or code injection) through this mechanism. + +### Resolution +We've made the decision to [disable query parameters (#4872)](https://github.com/swagger-api/swagger-ui/issues/4872) by default starting with SwaggerUI version \`4.1.3\`. Please update to this version when it becomes available (**ETA: 2021 December**). Users will still be able to be re-enable the options at their discretion. We'll continue to enable query parameters on the Swagger demo sites. + +### Workaround +If you host a version of SwaggerUI and wish to mitigate this issue immediately, you are encouraged to add the following custom plugin code: + +\`\`\`js +SwaggerUI({ + // ...other configuration options, + plugins: [function UrlParamDisablePlugin() { + return { + statePlugins: { + spec: { + wrapActions: { + // Remove the ?url parameter from loading an external OpenAPI definition. + updateUrl: (oriAction) => (payload) => { + const url = new URL(window.location.href) + if (url.searchParams.has('url')) { + url.searchParams.delete('url') + window.location.replace(url.toString()) + } + return oriAction(payload) + } + } + } + } + } + }], +}) +\`\`\` + +### Future UX work + +Through the exploration of this issue, it became apparent that users may not be aware to which web server the Try-it-out function will send requests. While this information is currently presented at the top of the page, understanding may improve by displaying it closer to the "Execute" button where requests are actually made. We'll be exploring these UX improvements over the coming months and welcome community input. 
Please create a Feature Request under the GitHub Issue tab to start a conversation with us and the community. + +## Reflected XSS attack + +**Warning** in versions < 3.38.0, it is possible to combine the URL options (as mentioned above) with a vulnerability in DOMPurify (https://www.cvedetails.com/cve/CVE-2020-26870/) to create a reflected XSS vector. If your version of Swagger UI is older than 3.38.0, we suggest you upgrade or implement the workaround as mentioned above. +", + "location": "bkimminich/juice-shop:v10.2.0", + "mitigation": "Update the affected package swagger-ui-dist to the fixed version: 4.1.3 or remove the package from the image.", + "name": "Server side request forgery in SwaggerUI", + "osi_layer": "NOT_APPLICABLE", + "references": [ + { + "type": "URL", + "value": "https://github.com/domaindrivendev/Swashbuckle.AspNetCore/commit/401c7cb81e5efe835ceb8aae23e82057d57c7d29", + }, + { + "type": "URL", + "value": "https://github.com/swagger-api/swagger-ui", + }, + { + "type": "URL", + "value": "https://github.com/swagger-api/swagger-ui/commit/01a3e55960f864a0acf6a8d06e5ddaf6776a7f76", + }, + { + "type": "URL", + "value": "https://github.com/swagger-api/swagger-ui/issues/4872", + }, + { + "type": "URL", + "value": "https://github.com/swagger-api/swagger-ui/security/advisories/GHSA-qrmm-w75w-3wpx", + }, + ], + "severity": "MEDIUM", + }, + { + "attributes": { + "fixedVersion": "3.2.3, 4.4.15, 5.0.7, 6.1.2", + "foundIn": "Node.js", + "installedVersion": "4.4.13", + "packageName": "tar", + "references": [ + "https://access.redhat.com/security/cve/CVE-2021-32803", + "https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf", + "https://errata.almalinux.org/8/ALSA-2021-3666.html", + "https://github.com/isaacs/node-tar", + "https://github.com/isaacs/node-tar/commit/46fe35083e2676e31c4e0a81639dce6da7aaa356", + "https://github.com/isaacs/node-tar/commit/5987d9a41f6bfbf1ddab1098e1fdcf1a5618f571", + 
"https://github.com/isaacs/node-tar/commit/85d3a942b4064e4ff171f91696fced7975167349", + "https://github.com/isaacs/node-tar/commit/9dbdeb6df8e9dbd96fa9e84341b9d74734be6c20", + "https://github.com/npm/node-tar/commit/9dbdeb6df8e9dbd96fa9e84341b9d74734be6c20", + "https://github.com/npm/node-tar/security/advisories/GHSA-r628-mhmh-qjhw", + "https://linux.oracle.com/cve/CVE-2021-32803.html", + "https://linux.oracle.com/errata/ELSA-2021-3666.html", + "https://nvd.nist.gov/vuln/detail/CVE-2021-32803", + "https://www.cve.org/CVERecord?id=CVE-2021-32803", + "https://www.npmjs.com/advisories/1771", + "https://www.npmjs.com/package/tar", + "https://www.oracle.com/security-alerts/cpuoct2021.html", + ], + "vulnerabilityId": "CVE-2021-32803", + }, + "category": "NPM Package Vulnerability", + "description": "The npm package "tar" (aka node-tar) before versions 6.1.2, 5.0.7, 4.4.15, and 3.2.3 has an arbitrary File Creation/Overwrite vulnerability via insufficient symlink protection. \`node-tar\` aims to guarantee that any file whose location would be modified by a symbolic link is not extracted. This is, in part, achieved by ensuring that extracted directories are not symlinks. Additionally, in order to prevent unnecessary \`stat\` calls to determine whether a given path is a directory, paths are cached when directories are created. This logic was insufficient when extracting tar files that contained both a directory and a symlink with the same name as the directory. This order of operations resulted in the directory being created and added to the \`node-tar\` directory cache. When a directory is present in the directory cache, subsequent calls to mkdir for that directory are skipped. However, this is also where \`node-tar\` checks for symlinks occur. 
By first creating a directory, and then replacing that directory with a symlink, it was thus possible to bypass \`node-tar\` symlink checks on directories, essentially allowing an untrusted tar file to symlink into an arbitrary location and subsequently extracting arbitrary files into that location, thus allowing arbitrary file creation and overwrite. This issue was addressed in releases 3.2.3, 4.4.15, 5.0.7 and 6.1.2.", + "location": "bkimminich/juice-shop:v10.2.0", + "mitigation": "Update the affected package tar to the fixed version: 3.2.3, 4.4.15, 5.0.7, 6.1.2 or remove the package from the image.", + "name": "nodejs-tar: Insufficient symlink protection allowing arbitrary file creation and overwrite", + "osi_layer": "NOT_APPLICABLE", + "references": [ + { + "type": "CVE", + "value": "CVE-2021-32803", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2021-32803", + }, + { + "type": "URL", + "value": "https://access.redhat.com/security/cve/CVE-2021-32803", + }, + { + "type": "URL", + "value": "https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf", + }, + { + "type": "URL", + "value": "https://errata.almalinux.org/8/ALSA-2021-3666.html", + }, + { + "type": "URL", + "value": "https://github.com/isaacs/node-tar", + }, + { + "type": "URL", + "value": "https://github.com/isaacs/node-tar/commit/46fe35083e2676e31c4e0a81639dce6da7aaa356", + }, + { + "type": "URL", + "value": "https://github.com/isaacs/node-tar/commit/5987d9a41f6bfbf1ddab1098e1fdcf1a5618f571", + }, + { + "type": "URL", + "value": "https://github.com/isaacs/node-tar/commit/85d3a942b4064e4ff171f91696fced7975167349", + }, + { + "type": "URL", + "value": "https://github.com/isaacs/node-tar/commit/9dbdeb6df8e9dbd96fa9e84341b9d74734be6c20", + }, + { + "type": "URL", + "value": "https://github.com/npm/node-tar/commit/9dbdeb6df8e9dbd96fa9e84341b9d74734be6c20", + }, + { + "type": "URL", + "value": "https://github.com/npm/node-tar/security/advisories/GHSA-r628-mhmh-qjhw", + }, + { 
+ "type": "URL", + "value": "https://linux.oracle.com/cve/CVE-2021-32803.html", + }, + { + "type": "URL", + "value": "https://linux.oracle.com/errata/ELSA-2021-3666.html", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2021-32803", + }, + { + "type": "URL", + "value": "https://www.cve.org/CVERecord?id=CVE-2021-32803", + }, + { + "type": "URL", + "value": "https://www.npmjs.com/advisories/1771", + }, + { + "type": "URL", + "value": "https://www.npmjs.com/package/tar", + }, + { + "type": "URL", + "value": "https://www.oracle.com/security-alerts/cpuoct2021.html", + }, + ], + "severity": "HIGH", + }, + { + "attributes": { + "fixedVersion": "3.2.3, 4.4.15, 5.0.7, 6.1.2", + "foundIn": "Node.js", + "installedVersion": "4.4.13", + "packageName": "tar", + "references": [ + "https://access.redhat.com/security/cve/CVE-2021-32803", + "https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf", + "https://errata.almalinux.org/8/ALSA-2021-3666.html", + "https://github.com/isaacs/node-tar", + "https://github.com/isaacs/node-tar/commit/46fe35083e2676e31c4e0a81639dce6da7aaa356", + "https://github.com/isaacs/node-tar/commit/5987d9a41f6bfbf1ddab1098e1fdcf1a5618f571", + "https://github.com/isaacs/node-tar/commit/85d3a942b4064e4ff171f91696fced7975167349", + "https://github.com/isaacs/node-tar/commit/9dbdeb6df8e9dbd96fa9e84341b9d74734be6c20", + "https://github.com/npm/node-tar/commit/9dbdeb6df8e9dbd96fa9e84341b9d74734be6c20", + "https://github.com/npm/node-tar/security/advisories/GHSA-r628-mhmh-qjhw", + "https://linux.oracle.com/cve/CVE-2021-32803.html", + "https://linux.oracle.com/errata/ELSA-2021-3666.html", + "https://nvd.nist.gov/vuln/detail/CVE-2021-32803", + "https://www.cve.org/CVERecord?id=CVE-2021-32803", + "https://www.npmjs.com/advisories/1771", + "https://www.npmjs.com/package/tar", + "https://www.oracle.com/security-alerts/cpuoct2021.html", + ], + "vulnerabilityId": "CVE-2021-32803", + }, + "category": "NPM Package Vulnerability", + 
"description": "The npm package "tar" (aka node-tar) before versions 6.1.2, 5.0.7, 4.4.15, and 3.2.3 has an arbitrary File Creation/Overwrite vulnerability via insufficient symlink protection. \`node-tar\` aims to guarantee that any file whose location would be modified by a symbolic link is not extracted. This is, in part, achieved by ensuring that extracted directories are not symlinks. Additionally, in order to prevent unnecessary \`stat\` calls to determine whether a given path is a directory, paths are cached when directories are created. This logic was insufficient when extracting tar files that contained both a directory and a symlink with the same name as the directory. This order of operations resulted in the directory being created and added to the \`node-tar\` directory cache. When a directory is present in the directory cache, subsequent calls to mkdir for that directory are skipped. However, this is also where \`node-tar\` checks for symlinks occur. By first creating a directory, and then replacing that directory with a symlink, it was thus possible to bypass \`node-tar\` symlink checks on directories, essentially allowing an untrusted tar file to symlink into an arbitrary location and subsequently extracting arbitrary files into that location, thus allowing arbitrary file creation and overwrite. 
This issue was addressed in releases 3.2.3, 4.4.15, 5.0.7 and 6.1.2.", + "location": "bkimminich/juice-shop:v10.2.0", + "mitigation": "Update the affected package tar to the fixed version: 3.2.3, 4.4.15, 5.0.7, 6.1.2 or remove the package from the image.", + "name": "nodejs-tar: Insufficient symlink protection allowing arbitrary file creation and overwrite", + "osi_layer": "NOT_APPLICABLE", + "references": [ + { + "type": "CVE", + "value": "CVE-2021-32803", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2021-32803", + }, + { + "type": "URL", + "value": "https://access.redhat.com/security/cve/CVE-2021-32803", + }, + { + "type": "URL", + "value": "https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf", + }, + { + "type": "URL", + "value": "https://errata.almalinux.org/8/ALSA-2021-3666.html", + }, + { + "type": "URL", + "value": "https://github.com/isaacs/node-tar", + }, + { + "type": "URL", + "value": "https://github.com/isaacs/node-tar/commit/46fe35083e2676e31c4e0a81639dce6da7aaa356", + }, + { + "type": "URL", + "value": "https://github.com/isaacs/node-tar/commit/5987d9a41f6bfbf1ddab1098e1fdcf1a5618f571", + }, + { + "type": "URL", + "value": "https://github.com/isaacs/node-tar/commit/85d3a942b4064e4ff171f91696fced7975167349", + }, + { + "type": "URL", + "value": "https://github.com/isaacs/node-tar/commit/9dbdeb6df8e9dbd96fa9e84341b9d74734be6c20", + }, + { + "type": "URL", + "value": "https://github.com/npm/node-tar/commit/9dbdeb6df8e9dbd96fa9e84341b9d74734be6c20", + }, + { + "type": "URL", + "value": "https://github.com/npm/node-tar/security/advisories/GHSA-r628-mhmh-qjhw", + }, + { + "type": "URL", + "value": "https://linux.oracle.com/cve/CVE-2021-32803.html", + }, + { + "type": "URL", + "value": "https://linux.oracle.com/errata/ELSA-2021-3666.html", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2021-32803", + }, + { + "type": "URL", + "value": "https://www.cve.org/CVERecord?id=CVE-2021-32803", + }, 
+ { + "type": "URL", + "value": "https://www.npmjs.com/advisories/1771", + }, + { + "type": "URL", + "value": "https://www.npmjs.com/package/tar", + }, + { + "type": "URL", + "value": "https://www.oracle.com/security-alerts/cpuoct2021.html", + }, + ], + "severity": "HIGH", + }, + { + "attributes": { + "fixedVersion": "3.2.2, 4.4.14, 5.0.6, 6.1.1", + "foundIn": "Node.js", + "installedVersion": "4.4.13", + "packageName": "tar", + "references": [ + "https://access.redhat.com/security/cve/CVE-2021-32804", + "https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf", + "https://errata.almalinux.org/8/ALSA-2021-3666.html", + "https://github.com/npm/node-tar", + "https://github.com/npm/node-tar/commit/1f036ca23f64a547bdd6c79c1a44bc62e8115da4", + "https://github.com/npm/node-tar/security/advisories/GHSA-3jfq-g458-7qm9", + "https://linux.oracle.com/cve/CVE-2021-32804.html", + "https://linux.oracle.com/errata/ELSA-2021-3666.html", + "https://nvd.nist.gov/vuln/detail/CVE-2021-32804", + "https://www.cve.org/CVERecord?id=CVE-2021-32804", + "https://www.npmjs.com/advisories/1770", + "https://www.npmjs.com/package/tar", + "https://www.oracle.com/security-alerts/cpuoct2021.html", + ], + "vulnerabilityId": "CVE-2021-32804", + }, + "category": "NPM Package Vulnerability", + "description": "The npm package "tar" (aka node-tar) before versions 6.1.1, 5.0.6, 4.4.14, and 3.3.2 has a arbitrary File Creation/Overwrite vulnerability due to insufficient absolute path sanitization. node-tar aims to prevent extraction of absolute file paths by turning absolute paths into relative paths when the \`preservePaths\` flag is not set to \`true\`. This is achieved by stripping the absolute path root from any absolute file paths contained in a tar file. For example \`/home/user/.bashrc\` would turn into \`home/user/.bashrc\`. This logic was insufficient when file paths contained repeated path roots such as \`////home/user/.bashrc\`. 
\`node-tar\` would only strip a single path root from such paths. When given an absolute file path with repeating path roots, the resulting path (e.g. \`///home/user/.bashrc\`) would still resolve to an absolute path, thus allowing arbitrary file creation and overwrite. This issue was addressed in releases 3.2.2, 4.4.14, 5.0.6 and 6.1.1. Users may work around this vulnerability without upgrading by creating a custom \`onentry\` method which sanitizes the \`entry.path\` or a \`filter\` method which removes entries with absolute paths. See referenced GitHub Advisory for details. Be aware of CVE-2021-32803 which fixes a similar bug in later versions of tar.", + "location": "bkimminich/juice-shop:v10.2.0", + "mitigation": "Update the affected package tar to the fixed version: 3.2.2, 4.4.14, 5.0.6, 6.1.1 or remove the package from the image.", + "name": "nodejs-tar: Insufficient absolute path sanitization allowing arbitrary file creation and overwrite", + "osi_layer": "NOT_APPLICABLE", + "references": [ + { + "type": "CVE", + "value": "CVE-2021-32804", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2021-32804", + }, + { + "type": "URL", + "value": "https://access.redhat.com/security/cve/CVE-2021-32804", + }, + { + "type": "URL", + "value": "https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf", + }, + { + "type": "URL", + "value": "https://errata.almalinux.org/8/ALSA-2021-3666.html", + }, + { + "type": "URL", + "value": "https://github.com/npm/node-tar", + }, + { + "type": "URL", + "value": "https://github.com/npm/node-tar/commit/1f036ca23f64a547bdd6c79c1a44bc62e8115da4", + }, + { + "type": "URL", + "value": "https://github.com/npm/node-tar/security/advisories/GHSA-3jfq-g458-7qm9", + }, + { + "type": "URL", + "value": "https://linux.oracle.com/cve/CVE-2021-32804.html", + }, + { + "type": "URL", + "value": "https://linux.oracle.com/errata/ELSA-2021-3666.html", + }, + { + "type": "URL", + "value": 
"https://nvd.nist.gov/vuln/detail/CVE-2021-32804", + }, + { + "type": "URL", + "value": "https://www.cve.org/CVERecord?id=CVE-2021-32804", + }, + { + "type": "URL", + "value": "https://www.npmjs.com/advisories/1770", + }, + { + "type": "URL", + "value": "https://www.npmjs.com/package/tar", + }, + { + "type": "URL", + "value": "https://www.oracle.com/security-alerts/cpuoct2021.html", + }, + ], + "severity": "HIGH", + }, + { + "attributes": { + "fixedVersion": "3.2.2, 4.4.14, 5.0.6, 6.1.1", + "foundIn": "Node.js", + "installedVersion": "4.4.13", + "packageName": "tar", + "references": [ + "https://access.redhat.com/security/cve/CVE-2021-32804", + "https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf", + "https://errata.almalinux.org/8/ALSA-2021-3666.html", + "https://github.com/npm/node-tar", + "https://github.com/npm/node-tar/commit/1f036ca23f64a547bdd6c79c1a44bc62e8115da4", + "https://github.com/npm/node-tar/security/advisories/GHSA-3jfq-g458-7qm9", + "https://linux.oracle.com/cve/CVE-2021-32804.html", + "https://linux.oracle.com/errata/ELSA-2021-3666.html", + "https://nvd.nist.gov/vuln/detail/CVE-2021-32804", + "https://www.cve.org/CVERecord?id=CVE-2021-32804", + "https://www.npmjs.com/advisories/1770", + "https://www.npmjs.com/package/tar", + "https://www.oracle.com/security-alerts/cpuoct2021.html", + ], + "vulnerabilityId": "CVE-2021-32804", + }, + "category": "NPM Package Vulnerability", + "description": "The npm package "tar" (aka node-tar) before versions 6.1.1, 5.0.6, 4.4.14, and 3.3.2 has a arbitrary File Creation/Overwrite vulnerability due to insufficient absolute path sanitization. node-tar aims to prevent extraction of absolute file paths by turning absolute paths into relative paths when the \`preservePaths\` flag is not set to \`true\`. This is achieved by stripping the absolute path root from any absolute file paths contained in a tar file. For example \`/home/user/.bashrc\` would turn into \`home/user/.bashrc\`. 
This logic was insufficient when file paths contained repeated path roots such as \`////home/user/.bashrc\`. \`node-tar\` would only strip a single path root from such paths. When given an absolute file path with repeating path roots, the resulting path (e.g. \`///home/user/.bashrc\`) would still resolve to an absolute path, thus allowing arbitrary file creation and overwrite. This issue was addressed in releases 3.2.2, 4.4.14, 5.0.6 and 6.1.1. Users may work around this vulnerability without upgrading by creating a custom \`onentry\` method which sanitizes the \`entry.path\` or a \`filter\` method which removes entries with absolute paths. See referenced GitHub Advisory for details. Be aware of CVE-2021-32803 which fixes a similar bug in later versions of tar.", + "location": "bkimminich/juice-shop:v10.2.0", + "mitigation": "Update the affected package tar to the fixed version: 3.2.2, 4.4.14, 5.0.6, 6.1.1 or remove the package from the image.", + "name": "nodejs-tar: Insufficient absolute path sanitization allowing arbitrary file creation and overwrite", + "osi_layer": "NOT_APPLICABLE", + "references": [ + { + "type": "CVE", + "value": "CVE-2021-32804", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2021-32804", + }, + { + "type": "URL", + "value": "https://access.redhat.com/security/cve/CVE-2021-32804", + }, + { + "type": "URL", + "value": "https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf", + }, + { + "type": "URL", + "value": "https://errata.almalinux.org/8/ALSA-2021-3666.html", + }, + { + "type": "URL", + "value": "https://github.com/npm/node-tar", + }, + { + "type": "URL", + "value": "https://github.com/npm/node-tar/commit/1f036ca23f64a547bdd6c79c1a44bc62e8115da4", + }, + { + "type": "URL", + "value": "https://github.com/npm/node-tar/security/advisories/GHSA-3jfq-g458-7qm9", + }, + { + "type": "URL", + "value": "https://linux.oracle.com/cve/CVE-2021-32804.html", + }, + { + "type": "URL", + "value": 
"https://linux.oracle.com/errata/ELSA-2021-3666.html", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2021-32804", + }, + { + "type": "URL", + "value": "https://www.cve.org/CVERecord?id=CVE-2021-32804", + }, + { + "type": "URL", + "value": "https://www.npmjs.com/advisories/1770", + }, + { + "type": "URL", + "value": "https://www.npmjs.com/package/tar", + }, + { + "type": "URL", + "value": "https://www.oracle.com/security-alerts/cpuoct2021.html", + }, + ], + "severity": "HIGH", + }, + { + "attributes": { + "fixedVersion": "4.4.16, 5.0.8, 6.1.7", + "foundIn": "Node.js", + "installedVersion": "4.4.13", + "packageName": "tar", + "references": [ + "https://access.redhat.com/security/cve/CVE-2021-37701", + "https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf", + "https://errata.almalinux.org/8/ALSA-2022-0350.html", + "https://github.com/npm/node-tar", + "https://github.com/npm/node-tar/security/advisories/GHSA-9r2w-394v-53qc", + "https://linux.oracle.com/cve/CVE-2021-37701.html", + "https://linux.oracle.com/errata/ELSA-2022-0350.html", + "https://lists.debian.org/debian-lts-announce/2022/12/msg00023.html", + "https://nvd.nist.gov/vuln/detail/CVE-2021-37701", + "https://www.cve.org/CVERecord?id=CVE-2021-37701", + "https://www.debian.org/security/2021/dsa-5008", + "https://www.npmjs.com/advisories/1779", + "https://www.npmjs.com/package/tar", + "https://www.oracle.com/security-alerts/cpuoct2021.html", + ], + "vulnerabilityId": "CVE-2021-37701", + }, + "category": "NPM Package Vulnerability", + "description": "The npm package "tar" (aka node-tar) before versions 4.4.16, 5.0.8, and 6.1.7 has an arbitrary file creation/overwrite and arbitrary code execution vulnerability. node-tar aims to guarantee that any file whose location would be modified by a symbolic link is not extracted. This is, in part, achieved by ensuring that extracted directories are not symlinks. 
Additionally, in order to prevent unnecessary stat calls to determine whether a given path is a directory, paths are cached when directories are created. This logic was insufficient when extracting tar files that contained both a directory and a symlink with the same name as the directory, where the symlink and directory names in the archive entry used backslashes as a path separator on posix systems. The cache checking logic used both \`\\\` and \`/\` characters as path separators, however \`\\\` is a valid filename character on posix systems. By first creating a directory, and then replacing that directory with a symlink, it was thus possible to bypass node-tar symlink checks on directories, essentially allowing an untrusted tar file to symlink into an arbitrary location and subsequently extracting arbitrary files into that location, thus allowing arbitrary file creation and overwrite. Additionally, a similar confusion could arise on case-insensitive filesystems. If a tar archive contained a directory at \`FOO\`, followed by a symbolic link named \`foo\`, then on case-insensitive file systems, the creation of the symbolic link would remove the directory from the filesystem, but _not_ from the internal directory cache, as it would not be treated as a cache hit. A subsequent file entry within the \`FOO\` directory would then be placed in the target of the symbolic link, thinking that the directory had already been created. These issues were addressed in releases 4.4.16, 5.0.8 and 6.1.7. The v3 branch of node-tar has been deprecated and did not receive patches for these issues. If you are still using a v3 release we recommend you update to a more recent version of node-tar. 
If this is not possible, a workaround is available in the referenced GHSA-9r2w-394v-53qc.", + "location": "bkimminich/juice-shop:v10.2.0", + "mitigation": "Update the affected package tar to the fixed version: 4.4.16, 5.0.8, 6.1.7 or remove the package from the image.", + "name": "nodejs-tar: Insufficient symlink protection due to directory cache poisoning using symbolic links allowing arbitrary file creation and overwrite", + "osi_layer": "NOT_APPLICABLE", + "references": [ + { + "type": "CVE", + "value": "CVE-2021-37701", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2021-37701", + }, + { + "type": "URL", + "value": "https://access.redhat.com/security/cve/CVE-2021-37701", + }, + { + "type": "URL", + "value": "https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf", + }, + { + "type": "URL", + "value": "https://errata.almalinux.org/8/ALSA-2022-0350.html", + }, + { + "type": "URL", + "value": "https://github.com/npm/node-tar", + }, + { + "type": "URL", + "value": "https://github.com/npm/node-tar/security/advisories/GHSA-9r2w-394v-53qc", + }, + { + "type": "URL", + "value": "https://linux.oracle.com/cve/CVE-2021-37701.html", + }, + { + "type": "URL", + "value": "https://linux.oracle.com/errata/ELSA-2022-0350.html", + }, + { + "type": "URL", + "value": "https://lists.debian.org/debian-lts-announce/2022/12/msg00023.html", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2021-37701", + }, + { + "type": "URL", + "value": "https://www.cve.org/CVERecord?id=CVE-2021-37701", + }, + { + "type": "URL", + "value": "https://www.debian.org/security/2021/dsa-5008", + }, + { + "type": "URL", + "value": "https://www.npmjs.com/advisories/1779", + }, + { + "type": "URL", + "value": "https://www.npmjs.com/package/tar", + }, + { + "type": "URL", + "value": "https://www.oracle.com/security-alerts/cpuoct2021.html", + }, + ], + "severity": "HIGH", + }, + { + "attributes": { + "fixedVersion": "4.4.16, 5.0.8, 6.1.7", + 
"foundIn": "Node.js", + "installedVersion": "4.4.13", + "packageName": "tar", + "references": [ + "https://access.redhat.com/security/cve/CVE-2021-37701", + "https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf", + "https://errata.almalinux.org/8/ALSA-2022-0350.html", + "https://github.com/npm/node-tar", + "https://github.com/npm/node-tar/security/advisories/GHSA-9r2w-394v-53qc", + "https://linux.oracle.com/cve/CVE-2021-37701.html", + "https://linux.oracle.com/errata/ELSA-2022-0350.html", + "https://lists.debian.org/debian-lts-announce/2022/12/msg00023.html", + "https://nvd.nist.gov/vuln/detail/CVE-2021-37701", + "https://www.cve.org/CVERecord?id=CVE-2021-37701", + "https://www.debian.org/security/2021/dsa-5008", + "https://www.npmjs.com/advisories/1779", + "https://www.npmjs.com/package/tar", + "https://www.oracle.com/security-alerts/cpuoct2021.html", + ], + "vulnerabilityId": "CVE-2021-37701", + }, + "category": "NPM Package Vulnerability", + "description": "The npm package "tar" (aka node-tar) before versions 4.4.16, 5.0.8, and 6.1.7 has an arbitrary file creation/overwrite and arbitrary code execution vulnerability. node-tar aims to guarantee that any file whose location would be modified by a symbolic link is not extracted. This is, in part, achieved by ensuring that extracted directories are not symlinks. Additionally, in order to prevent unnecessary stat calls to determine whether a given path is a directory, paths are cached when directories are created. This logic was insufficient when extracting tar files that contained both a directory and a symlink with the same name as the directory, where the symlink and directory names in the archive entry used backslashes as a path separator on posix systems. The cache checking logic used both \`\\\` and \`/\` characters as path separators, however \`\\\` is a valid filename character on posix systems. 
By first creating a directory, and then replacing that directory with a symlink, it was thus possible to bypass node-tar symlink checks on directories, essentially allowing an untrusted tar file to symlink into an arbitrary location and subsequently extracting arbitrary files into that location, thus allowing arbitrary file creation and overwrite. Additionally, a similar confusion could arise on case-insensitive filesystems. If a tar archive contained a directory at \`FOO\`, followed by a symbolic link named \`foo\`, then on case-insensitive file systems, the creation of the symbolic link would remove the directory from the filesystem, but _not_ from the internal directory cache, as it would not be treated as a cache hit. A subsequent file entry within the \`FOO\` directory would then be placed in the target of the symbolic link, thinking that the directory had already been created. These issues were addressed in releases 4.4.16, 5.0.8 and 6.1.7. The v3 branch of node-tar has been deprecated and did not receive patches for these issues. If you are still using a v3 release we recommend you update to a more recent version of node-tar. 
If this is not possible, a workaround is available in the referenced GHSA-9r2w-394v-53qc.", + "location": "bkimminich/juice-shop:v10.2.0", + "mitigation": "Update the affected package tar to the fixed version: 4.4.16, 5.0.8, 6.1.7 or remove the package from the image.", + "name": "nodejs-tar: Insufficient symlink protection due to directory cache poisoning using symbolic links allowing arbitrary file creation and overwrite", + "osi_layer": "NOT_APPLICABLE", + "references": [ + { + "type": "CVE", + "value": "CVE-2021-37701", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2021-37701", + }, + { + "type": "URL", + "value": "https://access.redhat.com/security/cve/CVE-2021-37701", + }, + { + "type": "URL", + "value": "https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf", + }, + { + "type": "URL", + "value": "https://errata.almalinux.org/8/ALSA-2022-0350.html", + }, + { + "type": "URL", + "value": "https://github.com/npm/node-tar", + }, + { + "type": "URL", + "value": "https://github.com/npm/node-tar/security/advisories/GHSA-9r2w-394v-53qc", + }, + { + "type": "URL", + "value": "https://linux.oracle.com/cve/CVE-2021-37701.html", + }, + { + "type": "URL", + "value": "https://linux.oracle.com/errata/ELSA-2022-0350.html", + }, + { + "type": "URL", + "value": "https://lists.debian.org/debian-lts-announce/2022/12/msg00023.html", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2021-37701", + }, + { + "type": "URL", + "value": "https://www.cve.org/CVERecord?id=CVE-2021-37701", + }, + { + "type": "URL", + "value": "https://www.debian.org/security/2021/dsa-5008", + }, + { + "type": "URL", + "value": "https://www.npmjs.com/advisories/1779", + }, + { + "type": "URL", + "value": "https://www.npmjs.com/package/tar", + }, + { + "type": "URL", + "value": "https://www.oracle.com/security-alerts/cpuoct2021.html", + }, + ], + "severity": "HIGH", + }, + { + "attributes": { + "fixedVersion": "4.4.18, 5.0.10, 6.1.9", + 
"foundIn": "Node.js", + "installedVersion": "4.4.13", + "packageName": "tar", + "references": [ + "https://access.redhat.com/security/cve/CVE-2021-37712", + "https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf", + "https://errata.almalinux.org/8/ALSA-2022-0350.html", + "https://github.com/isaacs/node-tar/commit/1739408d3122af897caefd09662bce2ea477533b", + "https://github.com/isaacs/node-tar/commit/2f1bca027286c23e110b8dfc7efc10756fa3db5a", + "https://github.com/isaacs/node-tar/commit/3aaf19b2501bbddb145d92b3322c80dcaed3c35f", + "https://github.com/isaacs/node-tar/commit/b6162c7fafe797f856564ef37f4b82747f051455", + "https://github.com/isaacs/node-tar/commit/bb93ba243746f705092905da1955ac3b0509ba1e", + "https://github.com/isaacs/node-tar/commit/d56f790bda9fea807dd80c5083f24771dbdd6eb1", + "https://github.com/npm/node-tar", + "https://github.com/npm/node-tar/security/advisories/GHSA-qq89-hq3f-393p", + "https://linux.oracle.com/cve/CVE-2021-37712.html", + "https://linux.oracle.com/errata/ELSA-2022-0350.html", + "https://lists.debian.org/debian-lts-announce/2022/12/msg00023.html", + "https://nvd.nist.gov/vuln/detail/CVE-2021-37712", + "https://www.cve.org/CVERecord?id=CVE-2021-37712", + "https://www.debian.org/security/2021/dsa-5008", + "https://www.npmjs.com/advisories/1780", + "https://www.npmjs.com/package/tar", + "https://www.oracle.com/security-alerts/cpuoct2021.html", + ], + "vulnerabilityId": "CVE-2021-37712", + }, + "category": "NPM Package Vulnerability", + "description": "The npm package "tar" (aka node-tar) before versions 4.4.18, 5.0.10, and 6.1.9 has an arbitrary file creation/overwrite and arbitrary code execution vulnerability. node-tar aims to guarantee that any file whose location would be modified by a symbolic link is not extracted. This is, in part, achieved by ensuring that extracted directories are not symlinks. 
Additionally, in order to prevent unnecessary stat calls to determine whether a given path is a directory, paths are cached when directories are created. This logic was insufficient when extracting tar files that contained both a directory and a symlink with names containing unicode values that normalized to the same value. Additionally, on Windows systems, long path portions would resolve to the same file system entities as their 8.3 "short path" counterparts. A specially crafted tar archive could thus include a directory with one form of the path, followed by a symbolic link with a different string that resolves to the same file system entity, followed by a file using the first form. By first creating a directory, and then replacing that directory with a symlink that had a different apparent name that resolved to the same entry in the filesystem, it was thus possible to bypass node-tar symlink checks on directories, essentially allowing an untrusted tar file to symlink into an arbitrary location and subsequently extracting arbitrary files into that location, thus allowing arbitrary file creation and overwrite. These issues were addressed in releases 4.4.18, 5.0.10 and 6.1.9. The v3 branch of node-tar has been deprecated and did not receive patches for these issues. If you are still using a v3 release we recommend you update to a more recent version of node-tar. 
If this is not possible, a workaround is available in the referenced GHSA-qq89-hq3f-393p.", + "location": "bkimminich/juice-shop:v10.2.0", + "mitigation": "Update the affected package tar to the fixed version: 4.4.18, 5.0.10, 6.1.9 or remove the package from the image.", + "name": "nodejs-tar: Insufficient symlink protection due to directory cache poisoning using symbolic links allowing arbitrary file creation and overwrite", + "osi_layer": "NOT_APPLICABLE", + "references": [ + { + "type": "CVE", + "value": "CVE-2021-37712", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2021-37712", + }, + { + "type": "URL", + "value": "https://access.redhat.com/security/cve/CVE-2021-37712", + }, + { + "type": "URL", + "value": "https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf", + }, + { + "type": "URL", + "value": "https://errata.almalinux.org/8/ALSA-2022-0350.html", + }, + { + "type": "URL", + "value": "https://github.com/isaacs/node-tar/commit/1739408d3122af897caefd09662bce2ea477533b", + }, + { + "type": "URL", + "value": "https://github.com/isaacs/node-tar/commit/2f1bca027286c23e110b8dfc7efc10756fa3db5a", + }, + { + "type": "URL", + "value": "https://github.com/isaacs/node-tar/commit/3aaf19b2501bbddb145d92b3322c80dcaed3c35f", + }, + { + "type": "URL", + "value": "https://github.com/isaacs/node-tar/commit/b6162c7fafe797f856564ef37f4b82747f051455", + }, + { + "type": "URL", + "value": "https://github.com/isaacs/node-tar/commit/bb93ba243746f705092905da1955ac3b0509ba1e", + }, + { + "type": "URL", + "value": "https://github.com/isaacs/node-tar/commit/d56f790bda9fea807dd80c5083f24771dbdd6eb1", + }, + { + "type": "URL", + "value": "https://github.com/npm/node-tar", + }, + { + "type": "URL", + "value": "https://github.com/npm/node-tar/security/advisories/GHSA-qq89-hq3f-393p", + }, + { + "type": "URL", + "value": "https://linux.oracle.com/cve/CVE-2021-37712.html", + }, + { + "type": "URL", + "value": 
"https://linux.oracle.com/errata/ELSA-2022-0350.html", + }, + { + "type": "URL", + "value": "https://lists.debian.org/debian-lts-announce/2022/12/msg00023.html", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2021-37712", + }, + { + "type": "URL", + "value": "https://www.cve.org/CVERecord?id=CVE-2021-37712", + }, + { + "type": "URL", + "value": "https://www.debian.org/security/2021/dsa-5008", + }, + { + "type": "URL", + "value": "https://www.npmjs.com/advisories/1780", + }, + { + "type": "URL", + "value": "https://www.npmjs.com/package/tar", + }, + { + "type": "URL", + "value": "https://www.oracle.com/security-alerts/cpuoct2021.html", + }, + ], + "severity": "HIGH", + }, + { + "attributes": { + "fixedVersion": "4.4.18, 5.0.10, 6.1.9", + "foundIn": "Node.js", + "installedVersion": "4.4.13", + "packageName": "tar", + "references": [ + "https://access.redhat.com/security/cve/CVE-2021-37712", + "https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf", + "https://errata.almalinux.org/8/ALSA-2022-0350.html", + "https://github.com/isaacs/node-tar/commit/1739408d3122af897caefd09662bce2ea477533b", + "https://github.com/isaacs/node-tar/commit/2f1bca027286c23e110b8dfc7efc10756fa3db5a", + "https://github.com/isaacs/node-tar/commit/3aaf19b2501bbddb145d92b3322c80dcaed3c35f", + "https://github.com/isaacs/node-tar/commit/b6162c7fafe797f856564ef37f4b82747f051455", + "https://github.com/isaacs/node-tar/commit/bb93ba243746f705092905da1955ac3b0509ba1e", + "https://github.com/isaacs/node-tar/commit/d56f790bda9fea807dd80c5083f24771dbdd6eb1", + "https://github.com/npm/node-tar", + "https://github.com/npm/node-tar/security/advisories/GHSA-qq89-hq3f-393p", + "https://linux.oracle.com/cve/CVE-2021-37712.html", + "https://linux.oracle.com/errata/ELSA-2022-0350.html", + "https://lists.debian.org/debian-lts-announce/2022/12/msg00023.html", + "https://nvd.nist.gov/vuln/detail/CVE-2021-37712", + "https://www.cve.org/CVERecord?id=CVE-2021-37712", + 
"https://www.debian.org/security/2021/dsa-5008", + "https://www.npmjs.com/advisories/1780", + "https://www.npmjs.com/package/tar", + "https://www.oracle.com/security-alerts/cpuoct2021.html", + ], + "vulnerabilityId": "CVE-2021-37712", + }, + "category": "NPM Package Vulnerability", + "description": "The npm package "tar" (aka node-tar) before versions 4.4.18, 5.0.10, and 6.1.9 has an arbitrary file creation/overwrite and arbitrary code execution vulnerability. node-tar aims to guarantee that any file whose location would be modified by a symbolic link is not extracted. This is, in part, achieved by ensuring that extracted directories are not symlinks. Additionally, in order to prevent unnecessary stat calls to determine whether a given path is a directory, paths are cached when directories are created. This logic was insufficient when extracting tar files that contained both a directory and a symlink with names containing unicode values that normalized to the same value. Additionally, on Windows systems, long path portions would resolve to the same file system entities as their 8.3 "short path" counterparts. A specially crafted tar archive could thus include a directory with one form of the path, followed by a symbolic link with a different string that resolves to the same file system entity, followed by a file using the first form. By first creating a directory, and then replacing that directory with a symlink that had a different apparent name that resolved to the same entry in the filesystem, it was thus possible to bypass node-tar symlink checks on directories, essentially allowing an untrusted tar file to symlink into an arbitrary location and subsequently extracting arbitrary files into that location, thus allowing arbitrary file creation and overwrite. These issues were addressed in releases 4.4.18, 5.0.10 and 6.1.9. The v3 branch of node-tar has been deprecated and did not receive patches for these issues. 
If you are still using a v3 release we recommend you update to a more recent version of node-tar. If this is not possible, a workaround is available in the referenced GHSA-qq89-hq3f-393p.", + "location": "bkimminich/juice-shop:v10.2.0", + "mitigation": "Update the affected package tar to the fixed version: 4.4.18, 5.0.10, 6.1.9 or remove the package from the image.", + "name": "nodejs-tar: Insufficient symlink protection due to directory cache poisoning using symbolic links allowing arbitrary file creation and overwrite", + "osi_layer": "NOT_APPLICABLE", + "references": [ + { + "type": "CVE", + "value": "CVE-2021-37712", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2021-37712", + }, + { + "type": "URL", + "value": "https://access.redhat.com/security/cve/CVE-2021-37712", + }, + { + "type": "URL", + "value": "https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf", + }, + { + "type": "URL", + "value": "https://errata.almalinux.org/8/ALSA-2022-0350.html", + }, + { + "type": "URL", + "value": "https://github.com/isaacs/node-tar/commit/1739408d3122af897caefd09662bce2ea477533b", + }, + { + "type": "URL", + "value": "https://github.com/isaacs/node-tar/commit/2f1bca027286c23e110b8dfc7efc10756fa3db5a", + }, + { + "type": "URL", + "value": "https://github.com/isaacs/node-tar/commit/3aaf19b2501bbddb145d92b3322c80dcaed3c35f", + }, + { + "type": "URL", + "value": "https://github.com/isaacs/node-tar/commit/b6162c7fafe797f856564ef37f4b82747f051455", + }, + { + "type": "URL", + "value": "https://github.com/isaacs/node-tar/commit/bb93ba243746f705092905da1955ac3b0509ba1e", + }, + { + "type": "URL", + "value": "https://github.com/isaacs/node-tar/commit/d56f790bda9fea807dd80c5083f24771dbdd6eb1", + }, + { + "type": "URL", + "value": "https://github.com/npm/node-tar", + }, + { + "type": "URL", + "value": "https://github.com/npm/node-tar/security/advisories/GHSA-qq89-hq3f-393p", + }, + { + "type": "URL", + "value": 
"https://linux.oracle.com/cve/CVE-2021-37712.html", + }, + { + "type": "URL", + "value": "https://linux.oracle.com/errata/ELSA-2022-0350.html", + }, + { + "type": "URL", + "value": "https://lists.debian.org/debian-lts-announce/2022/12/msg00023.html", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2021-37712", + }, + { + "type": "URL", + "value": "https://www.cve.org/CVERecord?id=CVE-2021-37712", + }, + { + "type": "URL", + "value": "https://www.debian.org/security/2021/dsa-5008", + }, + { + "type": "URL", + "value": "https://www.npmjs.com/advisories/1780", + }, + { + "type": "URL", + "value": "https://www.npmjs.com/package/tar", + }, + { + "type": "URL", + "value": "https://www.oracle.com/security-alerts/cpuoct2021.html", + }, + ], + "severity": "HIGH", + }, + { + "attributes": { + "fixedVersion": "4.4.18, 5.0.10, 6.1.9", + "foundIn": "Node.js", + "installedVersion": "4.4.13", + "packageName": "tar", + "references": [ + "https://access.redhat.com/security/cve/CVE-2021-37713", + "https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf", + "https://github.com/isaacs/node-tar/commit/52b09e309bcae0c741a7eb79a17ef36e7828b946", + "https://github.com/isaacs/node-tar/commit/82eac952f7c10765969ed464e549375854b26edc", + "https://github.com/isaacs/node-tar/commit/875a37e3ec031186fc6599f6807341f56c584598", + "https://github.com/npm/node-tar", + "https://github.com/npm/node-tar/security/advisories/GHSA-5955-9wpr-37jh", + "https://nvd.nist.gov/vuln/detail/CVE-2021-37713", + "https://www.cve.org/CVERecord?id=CVE-2021-37713", + "https://www.npmjs.com/package/tar", + "https://www.oracle.com/security-alerts/cpuoct2021.html", + ], + "vulnerabilityId": "CVE-2021-37713", + }, + "category": "NPM Package Vulnerability", + "description": "The npm package "tar" (aka node-tar) before versions 4.4.18, 5.0.10, and 6.1.9 has an arbitrary file creation/overwrite and arbitrary code execution vulnerability. 
node-tar aims to guarantee that any file whose location would be outside of the extraction target directory is not extracted. This is, in part, accomplished by sanitizing absolute paths of entries within the archive, skipping archive entries that contain \`..\` path portions, and resolving the sanitized paths against the extraction target directory. This logic was insufficient on Windows systems when extracting tar files that contained a path that was not an absolute path, but specified a drive letter different from the extraction target, such as \`C:some\\path\`. If the drive letter does not match the extraction target, for example \`D:\\extraction\\dir\`, then the result of \`path.resolve(extractionDirectory, entryPath)\` would resolve against the current working directory on the \`C:\` drive, rather than the extraction target directory. Additionally, a \`..\` portion of the path could occur immediately after the drive letter, such as \`C:../foo\`, and was not properly sanitized by the logic that checked for \`..\` within the normalized and split portions of the path. This only affects users of \`node-tar\` on Windows systems. These issues were addressed in releases 4.4.18, 5.0.10 and 6.1.9. The v3 branch of node-tar has been deprecated and did not receive patches for these issues. If you are still using a v3 release we recommend you update to a more recent version of node-tar. There is no reasonable way to work around this issue without performing the same path normalization procedures that node-tar now does. 
Users are encouraged to upgrade to the latest patched versions of node-tar, rather than attempt to sanitize paths themselves.", + "location": "bkimminich/juice-shop:v10.2.0", + "mitigation": "Update the affected package tar to the fixed version: 4.4.18, 5.0.10, 6.1.9 or remove the package from the image.", + "name": "nodejs-tar: Arbitrary File Creation/Overwrite on Windows via insufficient relative path sanitization", + "osi_layer": "NOT_APPLICABLE", + "references": [ + { + "type": "CVE", + "value": "CVE-2021-37713", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2021-37713", + }, + { + "type": "URL", + "value": "https://access.redhat.com/security/cve/CVE-2021-37713", + }, + { + "type": "URL", + "value": "https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf", + }, + { + "type": "URL", + "value": "https://github.com/isaacs/node-tar/commit/52b09e309bcae0c741a7eb79a17ef36e7828b946", + }, + { + "type": "URL", + "value": "https://github.com/isaacs/node-tar/commit/82eac952f7c10765969ed464e549375854b26edc", + }, + { + "type": "URL", + "value": "https://github.com/isaacs/node-tar/commit/875a37e3ec031186fc6599f6807341f56c584598", + }, + { + "type": "URL", + "value": "https://github.com/npm/node-tar", + }, + { + "type": "URL", + "value": "https://github.com/npm/node-tar/security/advisories/GHSA-5955-9wpr-37jh", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2021-37713", + }, + { + "type": "URL", + "value": "https://www.cve.org/CVERecord?id=CVE-2021-37713", + }, + { + "type": "URL", + "value": "https://www.npmjs.com/package/tar", + }, + { + "type": "URL", + "value": "https://www.oracle.com/security-alerts/cpuoct2021.html", + }, + ], + "severity": "HIGH", + }, + { + "attributes": { + "fixedVersion": "4.4.18, 5.0.10, 6.1.9", + "foundIn": "Node.js", + "installedVersion": "4.4.13", + "packageName": "tar", + "references": [ + "https://access.redhat.com/security/cve/CVE-2021-37713", + 
"https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf", + "https://github.com/isaacs/node-tar/commit/52b09e309bcae0c741a7eb79a17ef36e7828b946", + "https://github.com/isaacs/node-tar/commit/82eac952f7c10765969ed464e549375854b26edc", + "https://github.com/isaacs/node-tar/commit/875a37e3ec031186fc6599f6807341f56c584598", + "https://github.com/npm/node-tar", + "https://github.com/npm/node-tar/security/advisories/GHSA-5955-9wpr-37jh", + "https://nvd.nist.gov/vuln/detail/CVE-2021-37713", + "https://www.cve.org/CVERecord?id=CVE-2021-37713", + "https://www.npmjs.com/package/tar", + "https://www.oracle.com/security-alerts/cpuoct2021.html", + ], + "vulnerabilityId": "CVE-2021-37713", + }, + "category": "NPM Package Vulnerability", + "description": "The npm package "tar" (aka node-tar) before versions 4.4.18, 5.0.10, and 6.1.9 has an arbitrary file creation/overwrite and arbitrary code execution vulnerability. node-tar aims to guarantee that any file whose location would be outside of the extraction target directory is not extracted. This is, in part, accomplished by sanitizing absolute paths of entries within the archive, skipping archive entries that contain \`..\` path portions, and resolving the sanitized paths against the extraction target directory. This logic was insufficient on Windows systems when extracting tar files that contained a path that was not an absolute path, but specified a drive letter different from the extraction target, such as \`C:some\\path\`. If the drive letter does not match the extraction target, for example \`D:\\extraction\\dir\`, then the result of \`path.resolve(extractionDirectory, entryPath)\` would resolve against the current working directory on the \`C:\` drive, rather than the extraction target directory. 
Additionally, a \`..\` portion of the path could occur immediately after the drive letter, such as \`C:../foo\`, and was not properly sanitized by the logic that checked for \`..\` within the normalized and split portions of the path. This only affects users of \`node-tar\` on Windows systems. These issues were addressed in releases 4.4.18, 5.0.10 and 6.1.9. The v3 branch of node-tar has been deprecated and did not receive patches for these issues. If you are still using a v3 release we recommend you update to a more recent version of node-tar. There is no reasonable way to work around this issue without performing the same path normalization procedures that node-tar now does. Users are encouraged to upgrade to the latest patched versions of node-tar, rather than attempt to sanitize paths themselves.", + "location": "bkimminich/juice-shop:v10.2.0", + "mitigation": "Update the affected package tar to the fixed version: 4.4.18, 5.0.10, 6.1.9 or remove the package from the image.", + "name": "nodejs-tar: Arbitrary File Creation/Overwrite on Windows via insufficient relative path sanitization", + "osi_layer": "NOT_APPLICABLE", + "references": [ + { + "type": "CVE", + "value": "CVE-2021-37713", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2021-37713", + }, + { + "type": "URL", + "value": "https://access.redhat.com/security/cve/CVE-2021-37713", + }, + { + "type": "URL", + "value": "https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf", + }, + { + "type": "URL", + "value": "https://github.com/isaacs/node-tar/commit/52b09e309bcae0c741a7eb79a17ef36e7828b946", + }, + { + "type": "URL", + "value": "https://github.com/isaacs/node-tar/commit/82eac952f7c10765969ed464e549375854b26edc", + }, + { + "type": "URL", + "value": "https://github.com/isaacs/node-tar/commit/875a37e3ec031186fc6599f6807341f56c584598", + }, + { + "type": "URL", + "value": "https://github.com/npm/node-tar", + }, + { + "type": "URL", + "value": 
"https://github.com/npm/node-tar/security/advisories/GHSA-5955-9wpr-37jh", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2021-37713", + }, + { + "type": "URL", + "value": "https://www.cve.org/CVERecord?id=CVE-2021-37713", + }, + { + "type": "URL", + "value": "https://www.npmjs.com/package/tar", + }, + { + "type": "URL", + "value": "https://www.oracle.com/security-alerts/cpuoct2021.html", + }, + ], + "severity": "HIGH", + }, + { + "attributes": { + "fixedVersion": "6.2.1", + "foundIn": "Node.js", + "installedVersion": "4.4.13", + "packageName": "tar", + "references": [ + "https://access.redhat.com/errata/RHSA-2024:6147", + "https://access.redhat.com/security/cve/CVE-2024-28863", + "https://bugzilla.redhat.com/2293200", + "https://bugzilla.redhat.com/2296417", + "https://errata.almalinux.org/9/ALSA-2024-6147.html", + "https://github.com/isaacs/node-tar", + "https://github.com/isaacs/node-tar/commit/fe8cd57da5686f8695415414bda49206a545f7f7", + "https://github.com/isaacs/node-tar/commit/fe8cd57da5686f8695415414bda49206a545f7f7 (v6.2.1)", + "https://github.com/isaacs/node-tar/security/advisories/GHSA-f5x3-32g6-xq36", + "https://linux.oracle.com/cve/CVE-2024-28863.html", + "https://linux.oracle.com/errata/ELSA-2024-6148.html", + "https://nvd.nist.gov/vuln/detail/CVE-2024-28863", + "https://security.netapp.com/advisory/ntap-20240524-0005", + "https://security.netapp.com/advisory/ntap-20240524-0005/", + "https://www.cve.org/CVERecord?id=CVE-2024-28863", + ], + "vulnerabilityId": "CVE-2024-28863", + }, + "category": "NPM Package Vulnerability", + "description": "node-tar is a Tar for Node.js. node-tar prior to version 6.2.1 has no limit on the number of sub-folders created in the folder creation process. An attacker who generates a large number of sub-folders can consume memory on the system running node-tar and even crash the Node.js client within few seconds of running it using a path with too many sub-folders inside. 
Version 6.2.1 fixes this issue by preventing extraction in excessively deep sub-folders.", + "location": "bkimminich/juice-shop:v10.2.0", + "mitigation": "Update the affected package tar to the fixed version: 6.2.1 or remove the package from the image.", + "name": "node-tar: denial of service while parsing a tar file due to lack of folders depth validation", + "osi_layer": "NOT_APPLICABLE", + "references": [ + { + "type": "CVE", + "value": "CVE-2024-28863", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2024-28863", + }, + { + "type": "URL", + "value": "https://access.redhat.com/errata/RHSA-2024:6147", + }, + { + "type": "URL", + "value": "https://access.redhat.com/security/cve/CVE-2024-28863", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/2293200", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/2296417", + }, + { + "type": "URL", + "value": "https://errata.almalinux.org/9/ALSA-2024-6147.html", + }, + { + "type": "URL", + "value": "https://github.com/isaacs/node-tar", + }, + { + "type": "URL", + "value": "https://github.com/isaacs/node-tar/commit/fe8cd57da5686f8695415414bda49206a545f7f7", + }, + { + "type": "URL", + "value": "https://github.com/isaacs/node-tar/commit/fe8cd57da5686f8695415414bda49206a545f7f7 (v6.2.1)", + }, + { + "type": "URL", + "value": "https://github.com/isaacs/node-tar/security/advisories/GHSA-f5x3-32g6-xq36", + }, + { + "type": "URL", + "value": "https://linux.oracle.com/cve/CVE-2024-28863.html", + }, + { + "type": "URL", + "value": "https://linux.oracle.com/errata/ELSA-2024-6148.html", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2024-28863", + }, + { + "type": "URL", + "value": "https://security.netapp.com/advisory/ntap-20240524-0005", + }, + { + "type": "URL", + "value": "https://security.netapp.com/advisory/ntap-20240524-0005/", + }, + { + "type": "URL", + "value": "https://www.cve.org/CVERecord?id=CVE-2024-28863", + }, + ], + "severity": 
"MEDIUM", + }, + { + "attributes": { + "fixedVersion": "6.2.1", + "foundIn": "Node.js", + "installedVersion": "4.4.13", + "packageName": "tar", + "references": [ + "https://access.redhat.com/errata/RHSA-2024:6147", + "https://access.redhat.com/security/cve/CVE-2024-28863", + "https://bugzilla.redhat.com/2293200", + "https://bugzilla.redhat.com/2296417", + "https://errata.almalinux.org/9/ALSA-2024-6147.html", + "https://github.com/isaacs/node-tar", + "https://github.com/isaacs/node-tar/commit/fe8cd57da5686f8695415414bda49206a545f7f7", + "https://github.com/isaacs/node-tar/commit/fe8cd57da5686f8695415414bda49206a545f7f7 (v6.2.1)", + "https://github.com/isaacs/node-tar/security/advisories/GHSA-f5x3-32g6-xq36", + "https://linux.oracle.com/cve/CVE-2024-28863.html", + "https://linux.oracle.com/errata/ELSA-2024-6148.html", + "https://nvd.nist.gov/vuln/detail/CVE-2024-28863", + "https://security.netapp.com/advisory/ntap-20240524-0005", + "https://security.netapp.com/advisory/ntap-20240524-0005/", + "https://www.cve.org/CVERecord?id=CVE-2024-28863", + ], + "vulnerabilityId": "CVE-2024-28863", + }, + "category": "NPM Package Vulnerability", + "description": "node-tar is a Tar for Node.js. node-tar prior to version 6.2.1 has no limit on the number of sub-folders created in the folder creation process. An attacker who generates a large number of sub-folders can consume memory on the system running node-tar and even crash the Node.js client within few seconds of running it using a path with too many sub-folders inside. 
Version 6.2.1 fixes this issue by preventing extraction in excessively deep sub-folders.", + "location": "bkimminich/juice-shop:v10.2.0", + "mitigation": "Update the affected package tar to the fixed version: 6.2.1 or remove the package from the image.", + "name": "node-tar: denial of service while parsing a tar file due to lack of folders depth validation", + "osi_layer": "NOT_APPLICABLE", + "references": [ + { + "type": "CVE", + "value": "CVE-2024-28863", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2024-28863", + }, + { + "type": "URL", + "value": "https://access.redhat.com/errata/RHSA-2024:6147", + }, + { + "type": "URL", + "value": "https://access.redhat.com/security/cve/CVE-2024-28863", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/2293200", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/2296417", + }, + { + "type": "URL", + "value": "https://errata.almalinux.org/9/ALSA-2024-6147.html", + }, + { + "type": "URL", + "value": "https://github.com/isaacs/node-tar", + }, + { + "type": "URL", + "value": "https://github.com/isaacs/node-tar/commit/fe8cd57da5686f8695415414bda49206a545f7f7", + }, + { + "type": "URL", + "value": "https://github.com/isaacs/node-tar/commit/fe8cd57da5686f8695415414bda49206a545f7f7 (v6.2.1)", + }, + { + "type": "URL", + "value": "https://github.com/isaacs/node-tar/security/advisories/GHSA-f5x3-32g6-xq36", + }, + { + "type": "URL", + "value": "https://linux.oracle.com/cve/CVE-2024-28863.html", + }, + { + "type": "URL", + "value": "https://linux.oracle.com/errata/ELSA-2024-6148.html", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2024-28863", + }, + { + "type": "URL", + "value": "https://security.netapp.com/advisory/ntap-20240524-0005", + }, + { + "type": "URL", + "value": "https://security.netapp.com/advisory/ntap-20240524-0005/", + }, + { + "type": "URL", + "value": "https://www.cve.org/CVERecord?id=CVE-2024-28863", + }, + ], + "severity": 
"MEDIUM", + }, + { + "attributes": { + "fixedVersion": "4.1.3", + "foundIn": "Node.js", + "installedVersion": "2.4.3", + "packageName": "tough-cookie", + "references": [ + "https://access.redhat.com/security/cve/CVE-2023-26136", + "https://github.com/salesforce/tough-cookie", + "https://github.com/salesforce/tough-cookie/commit/12d474791bb856004e858fdb1c47b7608d09cf6e", + "https://github.com/salesforce/tough-cookie/issues/282", + "https://github.com/salesforce/tough-cookie/releases/tag/v4.1.3", + "https://lists.debian.org/debian-lts-announce/2023/07/msg00010.html", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3HUE6ZR5SL73KHL7XUPAOEL6SB7HUDT2", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3HUE6ZR5SL73KHL7XUPAOEL6SB7HUDT2/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6PVVPNSAGSDS63HQ74PJ7MZ3MU5IYNVZ", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6PVVPNSAGSDS63HQ74PJ7MZ3MU5IYNVZ/", + "https://nvd.nist.gov/vuln/detail/CVE-2023-26136", + "https://security.netapp.com/advisory/ntap-20240621-0006", + "https://security.netapp.com/advisory/ntap-20240621-0006/", + "https://security.snyk.io/vuln/SNYK-JS-TOUGHCOOKIE-5672873", + "https://www.cve.org/CVERecord?id=CVE-2023-26136", + ], + "vulnerabilityId": "CVE-2023-26136", + }, + "category": "NPM Package Vulnerability", + "description": "Versions of the package tough-cookie before 4.1.3 are vulnerable to Prototype Pollution due to improper handling of Cookies when using CookieJar in rejectPublicSuffixes=false mode. 
This issue arises from the manner in which the objects are initialized.", + "location": "bkimminich/juice-shop:v10.2.0", + "mitigation": "Update the affected package tough-cookie to the fixed version: 4.1.3 or remove the package from the image.", + "name": "tough-cookie: prototype pollution in cookie memstore", + "osi_layer": "NOT_APPLICABLE", + "references": [ + { + "type": "CVE", + "value": "CVE-2023-26136", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2023-26136", + }, + { + "type": "URL", + "value": "https://access.redhat.com/security/cve/CVE-2023-26136", + }, + { + "type": "URL", + "value": "https://github.com/salesforce/tough-cookie", + }, + { + "type": "URL", + "value": "https://github.com/salesforce/tough-cookie/commit/12d474791bb856004e858fdb1c47b7608d09cf6e", + }, + { + "type": "URL", + "value": "https://github.com/salesforce/tough-cookie/issues/282", + }, + { + "type": "URL", + "value": "https://github.com/salesforce/tough-cookie/releases/tag/v4.1.3", + }, + { + "type": "URL", + "value": "https://lists.debian.org/debian-lts-announce/2023/07/msg00010.html", + }, + { + "type": "URL", + "value": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3HUE6ZR5SL73KHL7XUPAOEL6SB7HUDT2", + }, + { + "type": "URL", + "value": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3HUE6ZR5SL73KHL7XUPAOEL6SB7HUDT2/", + }, + { + "type": "URL", + "value": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6PVVPNSAGSDS63HQ74PJ7MZ3MU5IYNVZ", + }, + { + "type": "URL", + "value": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6PVVPNSAGSDS63HQ74PJ7MZ3MU5IYNVZ/", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2023-26136", + }, + { + "type": "URL", + "value": "https://security.netapp.com/advisory/ntap-20240621-0006", + }, + { + "type": "URL", + 
"value": "https://security.netapp.com/advisory/ntap-20240621-0006/", + }, + { + "type": "URL", + "value": "https://security.snyk.io/vuln/SNYK-JS-TOUGHCOOKIE-5672873", + }, + { + "type": "URL", + "value": "https://www.cve.org/CVERecord?id=CVE-2023-26136", + }, + ], + "severity": "MEDIUM", + }, + { + "attributes": { + "fixedVersion": "4.1.3", + "foundIn": "Node.js", + "installedVersion": "2.5.0", + "packageName": "tough-cookie", + "references": [ + "https://access.redhat.com/security/cve/CVE-2023-26136", + "https://github.com/salesforce/tough-cookie", + "https://github.com/salesforce/tough-cookie/commit/12d474791bb856004e858fdb1c47b7608d09cf6e", + "https://github.com/salesforce/tough-cookie/issues/282", + "https://github.com/salesforce/tough-cookie/releases/tag/v4.1.3", + "https://lists.debian.org/debian-lts-announce/2023/07/msg00010.html", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3HUE6ZR5SL73KHL7XUPAOEL6SB7HUDT2", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3HUE6ZR5SL73KHL7XUPAOEL6SB7HUDT2/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6PVVPNSAGSDS63HQ74PJ7MZ3MU5IYNVZ", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6PVVPNSAGSDS63HQ74PJ7MZ3MU5IYNVZ/", + "https://nvd.nist.gov/vuln/detail/CVE-2023-26136", + "https://security.netapp.com/advisory/ntap-20240621-0006", + "https://security.netapp.com/advisory/ntap-20240621-0006/", + "https://security.snyk.io/vuln/SNYK-JS-TOUGHCOOKIE-5672873", + "https://www.cve.org/CVERecord?id=CVE-2023-26136", + ], + "vulnerabilityId": "CVE-2023-26136", + }, + "category": "NPM Package Vulnerability", + "description": "Versions of the package tough-cookie before 4.1.3 are vulnerable to Prototype Pollution due to improper handling of Cookies when using CookieJar in rejectPublicSuffixes=false mode. 
This issue arises from the manner in which the objects are initialized.", + "location": "bkimminich/juice-shop:v10.2.0", + "mitigation": "Update the affected package tough-cookie to the fixed version: 4.1.3 or remove the package from the image.", + "name": "tough-cookie: prototype pollution in cookie memstore", + "osi_layer": "NOT_APPLICABLE", + "references": [ + { + "type": "CVE", + "value": "CVE-2023-26136", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2023-26136", + }, + { + "type": "URL", + "value": "https://access.redhat.com/security/cve/CVE-2023-26136", + }, + { + "type": "URL", + "value": "https://github.com/salesforce/tough-cookie", + }, + { + "type": "URL", + "value": "https://github.com/salesforce/tough-cookie/commit/12d474791bb856004e858fdb1c47b7608d09cf6e", + }, + { + "type": "URL", + "value": "https://github.com/salesforce/tough-cookie/issues/282", + }, + { + "type": "URL", + "value": "https://github.com/salesforce/tough-cookie/releases/tag/v4.1.3", + }, + { + "type": "URL", + "value": "https://lists.debian.org/debian-lts-announce/2023/07/msg00010.html", + }, + { + "type": "URL", + "value": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3HUE6ZR5SL73KHL7XUPAOEL6SB7HUDT2", + }, + { + "type": "URL", + "value": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3HUE6ZR5SL73KHL7XUPAOEL6SB7HUDT2/", + }, + { + "type": "URL", + "value": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6PVVPNSAGSDS63HQ74PJ7MZ3MU5IYNVZ", + }, + { + "type": "URL", + "value": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6PVVPNSAGSDS63HQ74PJ7MZ3MU5IYNVZ/", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2023-26136", + }, + { + "type": "URL", + "value": "https://security.netapp.com/advisory/ntap-20240621-0006", + }, + { + "type": "URL", + 
"value": "https://security.netapp.com/advisory/ntap-20240621-0006/", + }, + { + "type": "URL", + "value": "https://security.snyk.io/vuln/SNYK-JS-TOUGHCOOKIE-5672873", + }, + { + "type": "URL", + "value": "https://www.cve.org/CVERecord?id=CVE-2023-26136", + }, + ], + "severity": "MEDIUM", + }, + { + "attributes": { + "fixedVersion": "3.0.1, 4.0.1", + "foundIn": "Node.js", + "installedVersion": "1.0.0", + "packageName": "trim-newlines", + "references": [ + "https://access.redhat.com/security/cve/CVE-2021-33623", + "https://github.com/sindresorhus/trim-newlines", + "https://github.com/sindresorhus/trim-newlines/commit/25246c6ce5eea1c82d448998733a6302a4350d91", + "https://github.com/sindresorhus/trim-newlines/commit/b10d5f4afef832b16bc56d49fc52c68cbd403869", + "https://github.com/sindresorhus/trim-newlines/releases/tag/v4.0.1", + "https://lists.debian.org/debian-lts-announce/2022/12/msg00033.html", + "https://nvd.nist.gov/vuln/detail/CVE-2021-33623", + "https://security.netapp.com/advisory/ntap-20210702-0007", + "https://security.netapp.com/advisory/ntap-20210702-0007/", + "https://ubuntu.com/security/notices/USN-5999-1", + "https://www.cve.org/CVERecord?id=CVE-2021-33623", + "https://www.npmjs.com/package/trim-newlines", + ], + "vulnerabilityId": "CVE-2021-33623", + }, + "category": "NPM Package Vulnerability", + "description": "The trim-newlines package before 3.0.1 and 4.x before 4.0.1 for Node.js has an issue related to regular expression denial-of-service (ReDoS) for the .end() method.", + "location": "bkimminich/juice-shop:v10.2.0", + "mitigation": "Update the affected package trim-newlines to the fixed version: 3.0.1, 4.0.1 or remove the package from the image.", + "name": "nodejs-trim-newlines: ReDoS in .end() method", + "osi_layer": "NOT_APPLICABLE", + "references": [ + { + "type": "CVE", + "value": "CVE-2021-33623", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2021-33623", + }, + { + "type": "URL", + "value": 
"https://access.redhat.com/security/cve/CVE-2021-33623", + }, + { + "type": "URL", + "value": "https://github.com/sindresorhus/trim-newlines", + }, + { + "type": "URL", + "value": "https://github.com/sindresorhus/trim-newlines/commit/25246c6ce5eea1c82d448998733a6302a4350d91", + }, + { + "type": "URL", + "value": "https://github.com/sindresorhus/trim-newlines/commit/b10d5f4afef832b16bc56d49fc52c68cbd403869", + }, + { + "type": "URL", + "value": "https://github.com/sindresorhus/trim-newlines/releases/tag/v4.0.1", + }, + { + "type": "URL", + "value": "https://lists.debian.org/debian-lts-announce/2022/12/msg00033.html", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2021-33623", + }, + { + "type": "URL", + "value": "https://security.netapp.com/advisory/ntap-20210702-0007", + }, + { + "type": "URL", + "value": "https://security.netapp.com/advisory/ntap-20210702-0007/", + }, + { + "type": "URL", + "value": "https://ubuntu.com/security/notices/USN-5999-1", + }, + { + "type": "URL", + "value": "https://www.cve.org/CVERecord?id=CVE-2021-33623", + }, + { + "type": "URL", + "value": "https://www.npmjs.com/package/trim-newlines", + }, + ], + "severity": "HIGH", + }, + { + "attributes": { + "fixedVersion": "13.7.0", + "foundIn": "Node.js", + "installedVersion": "10.11.0", + "packageName": "validator", + "references": [ + "https://access.redhat.com/security/cve/CVE-2021-3765", + "https://github.com/validatorjs/validator.js", + "https://github.com/validatorjs/validator.js/commit/496fc8b2a7f5997acaaec33cc44d0b8dba5fb5e1", + "https://huntr.dev/bounties/c37e975c-21a3-4c5f-9b57-04d63b28cfc9", + "https://nvd.nist.gov/vuln/detail/CVE-2021-3765", + "https://www.cve.org/CVERecord?id=CVE-2021-3765", + ], + "vulnerabilityId": "CVE-2021-3765", + }, + "category": "NPM Package Vulnerability", + "description": "validator.js is vulnerable to Inefficient Regular Expression Complexity", + "location": "bkimminich/juice-shop:v10.2.0", + "mitigation": "Update the affected 
package validator to the fixed version: 13.7.0 or remove the package from the image.", + "name": "validator: Inefficient Regular Expression Complexity in Validator.js", + "osi_layer": "NOT_APPLICABLE", + "references": [ + { + "type": "CVE", + "value": "CVE-2021-3765", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2021-3765", + }, + { + "type": "URL", + "value": "https://access.redhat.com/security/cve/CVE-2021-3765", + }, + { + "type": "URL", + "value": "https://github.com/validatorjs/validator.js", + }, + { + "type": "URL", + "value": "https://github.com/validatorjs/validator.js/commit/496fc8b2a7f5997acaaec33cc44d0b8dba5fb5e1", + }, + { + "type": "URL", + "value": "https://huntr.dev/bounties/c37e975c-21a3-4c5f-9b57-04d63b28cfc9", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2021-3765", + }, + { + "type": "URL", + "value": "https://www.cve.org/CVERecord?id=CVE-2021-3765", + }, + ], + "severity": "MEDIUM", + }, + { + "attributes": { + "fixedVersion": "1.2.4", + "foundIn": "Node.js", + "installedVersion": "1.2.3", + "packageName": "word-wrap", + "references": [ + "https://access.redhat.com/security/cve/CVE-2023-26115", + "https://github.com/jonschlinkert/word-wrap", + "https://github.com/jonschlinkert/word-wrap/blob/master/index.js#L39", + "https://github.com/jonschlinkert/word-wrap/blob/master/index.js%23L39", + "https://github.com/jonschlinkert/word-wrap/commit/420dce9a2412b21881202b73a3c34f0edc53cb2e", + "https://github.com/jonschlinkert/word-wrap/releases/tag/1.2.4", + "https://nvd.nist.gov/vuln/detail/CVE-2023-26115", + "https://security.netapp.com/advisory/ntap-20240621-0006", + "https://security.netapp.com/advisory/ntap-20240621-0006/", + "https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-4058657", + "https://security.snyk.io/vuln/SNYK-JS-WORDWRAP-3149973", + "https://www.cve.org/CVERecord?id=CVE-2023-26115", + ], + "vulnerabilityId": "CVE-2023-26115", + }, + "category": "NPM Package Vulnerability", 
+ "description": "All versions of the package word-wrap are vulnerable to Regular Expression Denial of Service (ReDoS) due to the usage of an insecure regular expression within the result variable. + +", + "location": "bkimminich/juice-shop:v10.2.0", + "mitigation": "Update the affected package word-wrap to the fixed version: 1.2.4 or remove the package from the image.", + "name": "word-wrap: ReDoS", + "osi_layer": "NOT_APPLICABLE", + "references": [ + { + "type": "CVE", + "value": "CVE-2023-26115", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2023-26115", + }, + { + "type": "URL", + "value": "https://access.redhat.com/security/cve/CVE-2023-26115", + }, + { + "type": "URL", + "value": "https://github.com/jonschlinkert/word-wrap", + }, + { + "type": "URL", + "value": "https://github.com/jonschlinkert/word-wrap/blob/master/index.js#L39", + }, + { + "type": "URL", + "value": "https://github.com/jonschlinkert/word-wrap/blob/master/index.js%23L39", + }, + { + "type": "URL", + "value": "https://github.com/jonschlinkert/word-wrap/commit/420dce9a2412b21881202b73a3c34f0edc53cb2e", + }, + { + "type": "URL", + "value": "https://github.com/jonschlinkert/word-wrap/releases/tag/1.2.4", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2023-26115", + }, + { + "type": "URL", + "value": "https://security.netapp.com/advisory/ntap-20240621-0006", + }, + { + "type": "URL", + "value": "https://security.netapp.com/advisory/ntap-20240621-0006/", + }, + { + "type": "URL", + "value": "https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-4058657", + }, + { + "type": "URL", + "value": "https://security.snyk.io/vuln/SNYK-JS-WORDWRAP-3149973", + }, + { + "type": "URL", + "value": "https://www.cve.org/CVERecord?id=CVE-2023-26115", + }, + ], + "severity": "MEDIUM", + }, + { + "attributes": { + "fixedVersion": "5.2.4, 6.2.3, 7.5.10, 8.17.1", + "foundIn": "Node.js", + "installedVersion": "6.1.4", + "packageName": "ws", + "references": [ + 
"https://access.redhat.com/security/cve/CVE-2024-37890", + "https://github.com/websockets/ws", + "https://github.com/websockets/ws/commit/22c28763234aa75a7e1b76f5c01c181260d7917f", + "https://github.com/websockets/ws/commit/4abd8f6de4b0b65ef80b3ff081989479ed93377e", + "https://github.com/websockets/ws/commit/e55e5106f10fcbaac37cfa89759e4cc0d073a52c", + "https://github.com/websockets/ws/commit/eeb76d313e2a00dd5247ca3597bba7877d064a63", + "https://github.com/websockets/ws/issues/2230", + "https://github.com/websockets/ws/pull/2231", + "https://github.com/websockets/ws/security/advisories/GHSA-3h5v-q93c-6h6q", + "https://nodejs.org/api/http.html#servermaxheaderscount", + "https://nvd.nist.gov/vuln/detail/CVE-2024-37890", + "https://www.cve.org/CVERecord?id=CVE-2024-37890", + ], + "vulnerabilityId": "CVE-2024-37890", + }, + "category": "NPM Package Vulnerability", + "description": "ws is an open source WebSocket client and server for Node.js. A request with a number of headers exceeding theserver.maxHeadersCount threshold could be used to crash a ws server. The vulnerability was fixed in ws@8.17.1 (e55e510) and backported to ws@7.5.10 (22c2876), ws@6.2.3 (eeb76d3), and ws@5.2.4 (4abd8f6). In vulnerable versions of ws, the issue can be mitigated in the following ways: 1. Reduce the maximum allowed length of the request headers using the --max-http-header-size=size and/or the maxHeaderSize options so that no more headers than the server.maxHeadersCount limit can be sent. 2. 
Set server.maxHeadersCount to 0 so that no limit is applied.", + "location": "bkimminich/juice-shop:v10.2.0", + "mitigation": "Update the affected package ws to the fixed version: 5.2.4, 6.2.3, 7.5.10, 8.17.1 or remove the package from the image.", + "name": "nodejs-ws: denial of service when handling a request with many HTTP headers", + "osi_layer": "NOT_APPLICABLE", + "references": [ + { + "type": "CVE", + "value": "CVE-2024-37890", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2024-37890", + }, + { + "type": "URL", + "value": "https://access.redhat.com/security/cve/CVE-2024-37890", + }, + { + "type": "URL", + "value": "https://github.com/websockets/ws", + }, + { + "type": "URL", + "value": "https://github.com/websockets/ws/commit/22c28763234aa75a7e1b76f5c01c181260d7917f", + }, + { + "type": "URL", + "value": "https://github.com/websockets/ws/commit/4abd8f6de4b0b65ef80b3ff081989479ed93377e", + }, + { + "type": "URL", + "value": "https://github.com/websockets/ws/commit/e55e5106f10fcbaac37cfa89759e4cc0d073a52c", + }, + { + "type": "URL", + "value": "https://github.com/websockets/ws/commit/eeb76d313e2a00dd5247ca3597bba7877d064a63", + }, + { + "type": "URL", + "value": "https://github.com/websockets/ws/issues/2230", + }, + { + "type": "URL", + "value": "https://github.com/websockets/ws/pull/2231", + }, + { + "type": "URL", + "value": "https://github.com/websockets/ws/security/advisories/GHSA-3h5v-q93c-6h6q", + }, + { + "type": "URL", + "value": "https://nodejs.org/api/http.html#servermaxheaderscount", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2024-37890", + }, + { + "type": "URL", + "value": "https://www.cve.org/CVERecord?id=CVE-2024-37890", + }, + ], + "severity": "HIGH", + }, + { + "attributes": { + "fixedVersion": "7.4.6, 6.2.2, 5.2.3", + "foundIn": "Node.js", + "installedVersion": "6.1.4", + "packageName": "ws", + "references": [ + "https://access.redhat.com/security/cve/CVE-2021-32640", + 
"https://github.com/websockets/ws", + "https://github.com/websockets/ws/commit/00c425ec77993773d823f018f64a5c44e17023ff", + "https://github.com/websockets/ws/issues/1895", + "https://github.com/websockets/ws/security/advisories/GHSA-6fc8-4gx4-v693", + "https://lists.apache.org/thread.html/rdfa7b6253c4d6271e31566ecd5f30b7ce1b8fb2c89d52b8c4e0f4e30%40%3Ccommits.tinkerpop.apache.org%3E", + "https://lists.apache.org/thread.html/rdfa7b6253c4d6271e31566ecd5f30b7ce1b8fb2c89d52b8c4e0f4e30@%3Ccommits.tinkerpop.apache.org%3E", + "https://nvd.nist.gov/vuln/detail/CVE-2021-32640", + "https://security.netapp.com/advisory/ntap-20210706-0005", + "https://security.netapp.com/advisory/ntap-20210706-0005/", + "https://www.cve.org/CVERecord?id=CVE-2021-32640", + ], + "vulnerabilityId": "CVE-2021-32640", + }, + "category": "NPM Package Vulnerability", + "description": "ws is an open source WebSocket client and server library for Node.js. A specially crafted value of the \`Sec-Websocket-Protocol\` header can be used to significantly slow down a ws server. The vulnerability has been fixed in ws@7.4.6 (https://github.com/websockets/ws/commit/00c425ec77993773d823f018f64a5c44e17023ff). 
In vulnerable versions of ws, the issue can be mitigated by reducing the maximum allowed length of the request headers using the [\`--max-http-header-size=size\`](https://nodejs.org/api/cli.html#cli_max_http_header_size_size) and/or the [\`maxHeaderSize\`](https://nodejs.org/api/http.html#http_http_createserver_options_requestlistener) options.", + "location": "bkimminich/juice-shop:v10.2.0", + "mitigation": "Update the affected package ws to the fixed version: 7.4.6, 6.2.2, 5.2.3 or remove the package from the image.", + "name": "nodejs-ws: Specially crafted value of the \`Sec-Websocket-Protocol\` header can be used to significantly slow down a ws server", + "osi_layer": "NOT_APPLICABLE", + "references": [ + { + "type": "CVE", + "value": "CVE-2021-32640", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2021-32640", + }, + { + "type": "URL", + "value": "https://access.redhat.com/security/cve/CVE-2021-32640", + }, + { + "type": "URL", + "value": "https://github.com/websockets/ws", + }, + { + "type": "URL", + "value": "https://github.com/websockets/ws/commit/00c425ec77993773d823f018f64a5c44e17023ff", + }, + { + "type": "URL", + "value": "https://github.com/websockets/ws/issues/1895", + }, + { + "type": "URL", + "value": "https://github.com/websockets/ws/security/advisories/GHSA-6fc8-4gx4-v693", + }, + { + "type": "URL", + "value": "https://lists.apache.org/thread.html/rdfa7b6253c4d6271e31566ecd5f30b7ce1b8fb2c89d52b8c4e0f4e30%40%3Ccommits.tinkerpop.apache.org%3E", + }, + { + "type": "URL", + "value": "https://lists.apache.org/thread.html/rdfa7b6253c4d6271e31566ecd5f30b7ce1b8fb2c89d52b8c4e0f4e30@%3Ccommits.tinkerpop.apache.org%3E", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2021-32640", + }, + { + "type": "URL", + "value": "https://security.netapp.com/advisory/ntap-20210706-0005", + }, + { + "type": "URL", + "value": "https://security.netapp.com/advisory/ntap-20210706-0005/", + }, + { + "type": "URL", + 
"value": "https://www.cve.org/CVERecord?id=CVE-2021-32640", + }, + ], + "severity": "MEDIUM", + }, + { + "attributes": { + "fixedVersion": "5.2.4, 6.2.3, 7.5.10, 8.17.1", + "foundIn": "Node.js", + "installedVersion": "7.2.3", + "packageName": "ws", + "references": [ + "https://access.redhat.com/security/cve/CVE-2024-37890", + "https://github.com/websockets/ws", + "https://github.com/websockets/ws/commit/22c28763234aa75a7e1b76f5c01c181260d7917f", + "https://github.com/websockets/ws/commit/4abd8f6de4b0b65ef80b3ff081989479ed93377e", + "https://github.com/websockets/ws/commit/e55e5106f10fcbaac37cfa89759e4cc0d073a52c", + "https://github.com/websockets/ws/commit/eeb76d313e2a00dd5247ca3597bba7877d064a63", + "https://github.com/websockets/ws/issues/2230", + "https://github.com/websockets/ws/pull/2231", + "https://github.com/websockets/ws/security/advisories/GHSA-3h5v-q93c-6h6q", + "https://nodejs.org/api/http.html#servermaxheaderscount", + "https://nvd.nist.gov/vuln/detail/CVE-2024-37890", + "https://www.cve.org/CVERecord?id=CVE-2024-37890", + ], + "vulnerabilityId": "CVE-2024-37890", + }, + "category": "NPM Package Vulnerability", + "description": "ws is an open source WebSocket client and server for Node.js. A request with a number of headers exceeding theserver.maxHeadersCount threshold could be used to crash a ws server. The vulnerability was fixed in ws@8.17.1 (e55e510) and backported to ws@7.5.10 (22c2876), ws@6.2.3 (eeb76d3), and ws@5.2.4 (4abd8f6). In vulnerable versions of ws, the issue can be mitigated in the following ways: 1. Reduce the maximum allowed length of the request headers using the --max-http-header-size=size and/or the maxHeaderSize options so that no more headers than the server.maxHeadersCount limit can be sent. 2. 
Set server.maxHeadersCount to 0 so that no limit is applied.", + "location": "bkimminich/juice-shop:v10.2.0", + "mitigation": "Update the affected package ws to the fixed version: 5.2.4, 6.2.3, 7.5.10, 8.17.1 or remove the package from the image.", + "name": "nodejs-ws: denial of service when handling a request with many HTTP headers", + "osi_layer": "NOT_APPLICABLE", + "references": [ + { + "type": "CVE", + "value": "CVE-2024-37890", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2024-37890", + }, + { + "type": "URL", + "value": "https://access.redhat.com/security/cve/CVE-2024-37890", + }, + { + "type": "URL", + "value": "https://github.com/websockets/ws", + }, + { + "type": "URL", + "value": "https://github.com/websockets/ws/commit/22c28763234aa75a7e1b76f5c01c181260d7917f", + }, + { + "type": "URL", + "value": "https://github.com/websockets/ws/commit/4abd8f6de4b0b65ef80b3ff081989479ed93377e", + }, + { + "type": "URL", + "value": "https://github.com/websockets/ws/commit/e55e5106f10fcbaac37cfa89759e4cc0d073a52c", + }, + { + "type": "URL", + "value": "https://github.com/websockets/ws/commit/eeb76d313e2a00dd5247ca3597bba7877d064a63", + }, + { + "type": "URL", + "value": "https://github.com/websockets/ws/issues/2230", + }, + { + "type": "URL", + "value": "https://github.com/websockets/ws/pull/2231", + }, + { + "type": "URL", + "value": "https://github.com/websockets/ws/security/advisories/GHSA-3h5v-q93c-6h6q", + }, + { + "type": "URL", + "value": "https://nodejs.org/api/http.html#servermaxheaderscount", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2024-37890", + }, + { + "type": "URL", + "value": "https://www.cve.org/CVERecord?id=CVE-2024-37890", + }, + ], + "severity": "HIGH", + }, + { + "attributes": { + "fixedVersion": "7.4.6, 6.2.2, 5.2.3", + "foundIn": "Node.js", + "installedVersion": "7.2.3", + "packageName": "ws", + "references": [ + "https://access.redhat.com/security/cve/CVE-2021-32640", + 
"https://github.com/websockets/ws", + "https://github.com/websockets/ws/commit/00c425ec77993773d823f018f64a5c44e17023ff", + "https://github.com/websockets/ws/issues/1895", + "https://github.com/websockets/ws/security/advisories/GHSA-6fc8-4gx4-v693", + "https://lists.apache.org/thread.html/rdfa7b6253c4d6271e31566ecd5f30b7ce1b8fb2c89d52b8c4e0f4e30%40%3Ccommits.tinkerpop.apache.org%3E", + "https://lists.apache.org/thread.html/rdfa7b6253c4d6271e31566ecd5f30b7ce1b8fb2c89d52b8c4e0f4e30@%3Ccommits.tinkerpop.apache.org%3E", + "https://nvd.nist.gov/vuln/detail/CVE-2021-32640", + "https://security.netapp.com/advisory/ntap-20210706-0005", + "https://security.netapp.com/advisory/ntap-20210706-0005/", + "https://www.cve.org/CVERecord?id=CVE-2021-32640", + ], + "vulnerabilityId": "CVE-2021-32640", + }, + "category": "NPM Package Vulnerability", + "description": "ws is an open source WebSocket client and server library for Node.js. A specially crafted value of the \`Sec-Websocket-Protocol\` header can be used to significantly slow down a ws server. The vulnerability has been fixed in ws@7.4.6 (https://github.com/websockets/ws/commit/00c425ec77993773d823f018f64a5c44e17023ff). 
In vulnerable versions of ws, the issue can be mitigated by reducing the maximum allowed length of the request headers using the [\`--max-http-header-size=size\`](https://nodejs.org/api/cli.html#cli_max_http_header_size_size) and/or the [\`maxHeaderSize\`](https://nodejs.org/api/http.html#http_http_createserver_options_requestlistener) options.", + "location": "bkimminich/juice-shop:v10.2.0", + "mitigation": "Update the affected package ws to the fixed version: 7.4.6, 6.2.2, 5.2.3 or remove the package from the image.", + "name": "nodejs-ws: Specially crafted value of the \`Sec-Websocket-Protocol\` header can be used to significantly slow down a ws server", + "osi_layer": "NOT_APPLICABLE", + "references": [ + { + "type": "CVE", + "value": "CVE-2021-32640", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2021-32640", + }, + { + "type": "URL", + "value": "https://access.redhat.com/security/cve/CVE-2021-32640", + }, + { + "type": "URL", + "value": "https://github.com/websockets/ws", + }, + { + "type": "URL", + "value": "https://github.com/websockets/ws/commit/00c425ec77993773d823f018f64a5c44e17023ff", + }, + { + "type": "URL", + "value": "https://github.com/websockets/ws/issues/1895", + }, + { + "type": "URL", + "value": "https://github.com/websockets/ws/security/advisories/GHSA-6fc8-4gx4-v693", + }, + { + "type": "URL", + "value": "https://lists.apache.org/thread.html/rdfa7b6253c4d6271e31566ecd5f30b7ce1b8fb2c89d52b8c4e0f4e30%40%3Ccommits.tinkerpop.apache.org%3E", + }, + { + "type": "URL", + "value": "https://lists.apache.org/thread.html/rdfa7b6253c4d6271e31566ecd5f30b7ce1b8fb2c89d52b8c4e0f4e30@%3Ccommits.tinkerpop.apache.org%3E", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2021-32640", + }, + { + "type": "URL", + "value": "https://security.netapp.com/advisory/ntap-20210706-0005", + }, + { + "type": "URL", + "value": "https://security.netapp.com/advisory/ntap-20210706-0005/", + }, + { + "type": "URL", + 
"value": "https://www.cve.org/CVERecord?id=CVE-2021-32640", + }, + ], + "severity": "MEDIUM", + }, + { + "attributes": { + "fixedVersion": "1.6.2", + "foundIn": "Node.js", + "installedVersion": "1.5.5", + "packageName": "xmlhttprequest-ssl", + "references": [ + "https://access.redhat.com/security/cve/CVE-2020-28502", + "https://github.com/driverdan/node-XMLHttpRequest/blob/1.6.0/lib/XMLHttpRequest.js#L480", + "https://github.com/driverdan/node-XMLHttpRequest/blob/1.6.0/lib/XMLHttpRequest.js%23L480", + "https://github.com/driverdan/node-XMLHttpRequest/commit/983cfc244c7567ad6a59e366e55a8037e0497fe6", + "https://github.com/mjwwit/node-XMLHttpRequest/blob/ae38832a0f1347c5e96dda665402509a3458e302/lib/XMLHttpRequest.js#L531", + "https://github.com/mjwwit/node-XMLHttpRequest/commit/ee1e81fc67729c7c0eba5537ed7fe1e30a6b3291", + "https://nvd.nist.gov/vuln/detail/CVE-2020-28502", + "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1082937", + "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1082938", + "https://snyk.io/vuln/SNYK-JS-XMLHTTPREQUEST-1082935", + "https://snyk.io/vuln/SNYK-JS-XMLHTTPREQUESTSSL-1082936", + "https://www.cve.org/CVERecord?id=CVE-2020-28502", + ], + "vulnerabilityId": "CVE-2020-28502", + }, + "category": "NPM Package Vulnerability", + "description": "This affects the package xmlhttprequest before 1.7.0; all versions of package xmlhttprequest-ssl. 
Provided requests are sent synchronously (async=False on xhr.open), malicious user input flowing into xhr.send could result in arbitrary code being injected and run.", + "location": "bkimminich/juice-shop:v10.2.0", + "mitigation": "Update the affected package xmlhttprequest-ssl to the fixed version: 1.6.2 or remove the package from the image.", + "name": "nodejs-xmlhttprequest: Code injection through user input to xhr.send", + "osi_layer": "NOT_APPLICABLE", + "references": [ + { + "type": "CVE", + "value": "CVE-2020-28502", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2020-28502", + }, + { + "type": "URL", + "value": "https://access.redhat.com/security/cve/CVE-2020-28502", + }, + { + "type": "URL", + "value": "https://github.com/driverdan/node-XMLHttpRequest/blob/1.6.0/lib/XMLHttpRequest.js#L480", + }, + { + "type": "URL", + "value": "https://github.com/driverdan/node-XMLHttpRequest/blob/1.6.0/lib/XMLHttpRequest.js%23L480", + }, + { + "type": "URL", + "value": "https://github.com/driverdan/node-XMLHttpRequest/commit/983cfc244c7567ad6a59e366e55a8037e0497fe6", + }, + { + "type": "URL", + "value": "https://github.com/mjwwit/node-XMLHttpRequest/blob/ae38832a0f1347c5e96dda665402509a3458e302/lib/XMLHttpRequest.js#L531", + }, + { + "type": "URL", + "value": "https://github.com/mjwwit/node-XMLHttpRequest/commit/ee1e81fc67729c7c0eba5537ed7fe1e30a6b3291", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2020-28502", + }, + { + "type": "URL", + "value": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1082937", + }, + { + "type": "URL", + "value": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1082938", + }, + { + "type": "URL", + "value": "https://snyk.io/vuln/SNYK-JS-XMLHTTPREQUEST-1082935", + }, + { + "type": "URL", + "value": "https://snyk.io/vuln/SNYK-JS-XMLHTTPREQUESTSSL-1082936", + }, + { + "type": "URL", + "value": "https://www.cve.org/CVERecord?id=CVE-2020-28502", + }, + ], + "severity": "HIGH", + }, + { + 
"attributes": { + "fixedVersion": "1.6.1", + "foundIn": "Node.js", + "installedVersion": "1.5.5", + "packageName": "xmlhttprequest-ssl", + "references": [ + "https://access.redhat.com/security/cve/CVE-2021-31597", + "https://github.com/mjwwit/node-XMLHttpRequest/commit/bf53329b61ca6afc5d28f6b8d2dc2e3ca740a9b2", + "https://github.com/mjwwit/node-XMLHttpRequest/compare/v1.6.0...1.6.1", + "https://nvd.nist.gov/vuln/detail/CVE-2021-31597", + "https://people.kingsds.network/wesgarland/xmlhttprequest-ssl-vuln.txt", + "https://security.netapp.com/advisory/ntap-20210618-0004", + "https://security.netapp.com/advisory/ntap-20210618-0004/", + "https://www.cve.org/CVERecord?id=CVE-2021-31597", + ], + "vulnerabilityId": "CVE-2021-31597", + }, + "category": "NPM Package Vulnerability", + "description": "The xmlhttprequest-ssl package before 1.6.1 for Node.js disables SSL certificate validation by default, because rejectUnauthorized (when the property exists but is undefined) is considered to be false within the https.request function of Node.js. 
In other words, no certificate is ever rejected.", + "location": "bkimminich/juice-shop:v10.2.0", + "mitigation": "Update the affected package xmlhttprequest-ssl to the fixed version: 1.6.1 or remove the package from the image.", + "name": "xmlhttprequest-ssl: SSL certificate validation disabled by default", + "osi_layer": "NOT_APPLICABLE", + "references": [ + { + "type": "CVE", + "value": "CVE-2021-31597", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2021-31597", + }, + { + "type": "URL", + "value": "https://access.redhat.com/security/cve/CVE-2021-31597", + }, + { + "type": "URL", + "value": "https://github.com/mjwwit/node-XMLHttpRequest/commit/bf53329b61ca6afc5d28f6b8d2dc2e3ca740a9b2", + }, + { + "type": "URL", + "value": "https://github.com/mjwwit/node-XMLHttpRequest/compare/v1.6.0...1.6.1", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2021-31597", + }, + { + "type": "URL", + "value": "https://people.kingsds.network/wesgarland/xmlhttprequest-ssl-vuln.txt", + }, + { + "type": "URL", + "value": "https://security.netapp.com/advisory/ntap-20210618-0004", + }, + { + "type": "URL", + "value": "https://security.netapp.com/advisory/ntap-20210618-0004/", + }, + { + "type": "URL", + "value": "https://www.cve.org/CVERecord?id=CVE-2021-31597", + }, + ], + "severity": "HIGH", + }, + { + "attributes": { + "fixedVersion": "3.2.2, 4.0.1, 5.0.5", + "foundIn": "Node.js", + "installedVersion": "3.2.1", + "packageName": "y18n", + "references": [ + "https://access.redhat.com/security/cve/CVE-2020-7774", + "https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf", + "https://errata.almalinux.org/8/ALSA-2021-0551.html", + "https://github.com/yargs/y18n", + "https://github.com/yargs/y18n/commit/90401eea9062ad498f4f792e3fff8008c4c193a3", + "https://github.com/yargs/y18n/commit/a9ac604abf756dec9687be3843e2c93bfe581f25", + "https://github.com/yargs/y18n/issues/96", + "https://github.com/yargs/y18n/pull/108", + 
"https://linux.oracle.com/cve/CVE-2020-7774.html", + "https://linux.oracle.com/errata/ELSA-2021-0551.html", + "https://nvd.nist.gov/vuln/detail/CVE-2020-7774", + "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1038306", + "https://snyk.io/vuln/SNYK-JS-Y18N-1021887", + "https://www.cve.org/CVERecord?id=CVE-2020-7774", + "https://www.oracle.com/security-alerts/cpuApr2021.html", + ], + "vulnerabilityId": "CVE-2020-7774", + }, + "category": "NPM Package Vulnerability", + "description": "The package y18n before 3.2.2, 4.0.1 and 5.0.5, is vulnerable to Prototype Pollution.", + "location": "bkimminich/juice-shop:v10.2.0", + "mitigation": "Update the affected package y18n to the fixed version: 3.2.2, 4.0.1, 5.0.5 or remove the package from the image.", + "name": "nodejs-y18n: prototype pollution vulnerability", + "osi_layer": "NOT_APPLICABLE", + "references": [ + { + "type": "CVE", + "value": "CVE-2020-7774", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2020-7774", + }, + { + "type": "URL", + "value": "https://access.redhat.com/security/cve/CVE-2020-7774", + }, + { + "type": "URL", + "value": "https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf", + }, + { + "type": "URL", + "value": "https://errata.almalinux.org/8/ALSA-2021-0551.html", + }, + { + "type": "URL", + "value": "https://github.com/yargs/y18n", + }, + { + "type": "URL", + "value": "https://github.com/yargs/y18n/commit/90401eea9062ad498f4f792e3fff8008c4c193a3", + }, + { + "type": "URL", + "value": "https://github.com/yargs/y18n/commit/a9ac604abf756dec9687be3843e2c93bfe581f25", + }, + { + "type": "URL", + "value": "https://github.com/yargs/y18n/issues/96", + }, + { + "type": "URL", + "value": "https://github.com/yargs/y18n/pull/108", + }, + { + "type": "URL", + "value": "https://linux.oracle.com/cve/CVE-2020-7774.html", + }, + { + "type": "URL", + "value": "https://linux.oracle.com/errata/ELSA-2021-0551.html", + }, + { + "type": "URL", + "value": 
"https://nvd.nist.gov/vuln/detail/CVE-2020-7774", + }, + { + "type": "URL", + "value": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1038306", + }, + { + "type": "URL", + "value": "https://snyk.io/vuln/SNYK-JS-Y18N-1021887", + }, + { + "type": "URL", + "value": "https://www.cve.org/CVERecord?id=CVE-2020-7774", + }, + { + "type": "URL", + "value": "https://www.oracle.com/security-alerts/cpuApr2021.html", + }, + ], + "severity": "HIGH", + }, + { + "attributes": { + "fixedVersion": "3.2.2, 4.0.1, 5.0.5", + "foundIn": "Node.js", + "installedVersion": "4.0.0", + "packageName": "y18n", + "references": [ + "https://access.redhat.com/security/cve/CVE-2020-7774", + "https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf", + "https://errata.almalinux.org/8/ALSA-2021-0551.html", + "https://github.com/yargs/y18n", + "https://github.com/yargs/y18n/commit/90401eea9062ad498f4f792e3fff8008c4c193a3", + "https://github.com/yargs/y18n/commit/a9ac604abf756dec9687be3843e2c93bfe581f25", + "https://github.com/yargs/y18n/issues/96", + "https://github.com/yargs/y18n/pull/108", + "https://linux.oracle.com/cve/CVE-2020-7774.html", + "https://linux.oracle.com/errata/ELSA-2021-0551.html", + "https://nvd.nist.gov/vuln/detail/CVE-2020-7774", + "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1038306", + "https://snyk.io/vuln/SNYK-JS-Y18N-1021887", + "https://www.cve.org/CVERecord?id=CVE-2020-7774", + "https://www.oracle.com/security-alerts/cpuApr2021.html", + ], + "vulnerabilityId": "CVE-2020-7774", + }, + "category": "NPM Package Vulnerability", + "description": "The package y18n before 3.2.2, 4.0.1 and 5.0.5, is vulnerable to Prototype Pollution.", + "location": "bkimminich/juice-shop:v10.2.0", + "mitigation": "Update the affected package y18n to the fixed version: 3.2.2, 4.0.1, 5.0.5 or remove the package from the image.", + "name": "nodejs-y18n: prototype pollution vulnerability", + "osi_layer": "NOT_APPLICABLE", + "references": [ + { + "type": "CVE", + "value": "CVE-2020-7774", + }, + 
{ + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2020-7774", + }, + { + "type": "URL", + "value": "https://access.redhat.com/security/cve/CVE-2020-7774", + }, + { + "type": "URL", + "value": "https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf", + }, + { + "type": "URL", + "value": "https://errata.almalinux.org/8/ALSA-2021-0551.html", + }, + { + "type": "URL", + "value": "https://github.com/yargs/y18n", + }, + { + "type": "URL", + "value": "https://github.com/yargs/y18n/commit/90401eea9062ad498f4f792e3fff8008c4c193a3", + }, + { + "type": "URL", + "value": "https://github.com/yargs/y18n/commit/a9ac604abf756dec9687be3843e2c93bfe581f25", + }, + { + "type": "URL", + "value": "https://github.com/yargs/y18n/issues/96", + }, + { + "type": "URL", + "value": "https://github.com/yargs/y18n/pull/108", + }, + { + "type": "URL", + "value": "https://linux.oracle.com/cve/CVE-2020-7774.html", + }, + { + "type": "URL", + "value": "https://linux.oracle.com/errata/ELSA-2021-0551.html", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2020-7774", + }, + { + "type": "URL", + "value": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1038306", + }, + { + "type": "URL", + "value": "https://snyk.io/vuln/SNYK-JS-Y18N-1021887", + }, + { + "type": "URL", + "value": "https://www.cve.org/CVERecord?id=CVE-2020-7774", + }, + { + "type": "URL", + "value": "https://www.oracle.com/security-alerts/cpuApr2021.html", + }, + ], + "severity": "HIGH", + }, + { + "attributes": { + "fixedVersion": "3.2.2, 4.0.1, 5.0.5", + "foundIn": "Node.js", + "installedVersion": "4.0.0", + "packageName": "y18n", + "references": [ + "https://access.redhat.com/security/cve/CVE-2020-7774", + "https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf", + "https://errata.almalinux.org/8/ALSA-2021-0551.html", + "https://github.com/yargs/y18n", + "https://github.com/yargs/y18n/commit/90401eea9062ad498f4f792e3fff8008c4c193a3", + 
"https://github.com/yargs/y18n/commit/a9ac604abf756dec9687be3843e2c93bfe581f25", + "https://github.com/yargs/y18n/issues/96", + "https://github.com/yargs/y18n/pull/108", + "https://linux.oracle.com/cve/CVE-2020-7774.html", + "https://linux.oracle.com/errata/ELSA-2021-0551.html", + "https://nvd.nist.gov/vuln/detail/CVE-2020-7774", + "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1038306", + "https://snyk.io/vuln/SNYK-JS-Y18N-1021887", + "https://www.cve.org/CVERecord?id=CVE-2020-7774", + "https://www.oracle.com/security-alerts/cpuApr2021.html", + ], + "vulnerabilityId": "CVE-2020-7774", + }, + "category": "NPM Package Vulnerability", + "description": "The package y18n before 3.2.2, 4.0.1 and 5.0.5, is vulnerable to Prototype Pollution.", + "location": "bkimminich/juice-shop:v10.2.0", + "mitigation": "Update the affected package y18n to the fixed version: 3.2.2, 4.0.1, 5.0.5 or remove the package from the image.", + "name": "nodejs-y18n: prototype pollution vulnerability", + "osi_layer": "NOT_APPLICABLE", + "references": [ + { + "type": "CVE", + "value": "CVE-2020-7774", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2020-7774", + }, + { + "type": "URL", + "value": "https://access.redhat.com/security/cve/CVE-2020-7774", + }, + { + "type": "URL", + "value": "https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf", + }, + { + "type": "URL", + "value": "https://errata.almalinux.org/8/ALSA-2021-0551.html", + }, + { + "type": "URL", + "value": "https://github.com/yargs/y18n", + }, + { + "type": "URL", + "value": "https://github.com/yargs/y18n/commit/90401eea9062ad498f4f792e3fff8008c4c193a3", + }, + { + "type": "URL", + "value": "https://github.com/yargs/y18n/commit/a9ac604abf756dec9687be3843e2c93bfe581f25", + }, + { + "type": "URL", + "value": "https://github.com/yargs/y18n/issues/96", + }, + { + "type": "URL", + "value": "https://github.com/yargs/y18n/pull/108", + }, + { + "type": "URL", + "value": 
"https://linux.oracle.com/cve/CVE-2020-7774.html", + }, + { + "type": "URL", + "value": "https://linux.oracle.com/errata/ELSA-2021-0551.html", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2020-7774", + }, + { + "type": "URL", + "value": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1038306", + }, + { + "type": "URL", + "value": "https://snyk.io/vuln/SNYK-JS-Y18N-1021887", + }, + { + "type": "URL", + "value": "https://www.cve.org/CVERecord?id=CVE-2020-7774", + }, + { + "type": "URL", + "value": "https://www.oracle.com/security-alerts/cpuApr2021.html", + }, + ], + "severity": "HIGH", + }, + { + "attributes": { + "fixedVersion": "13.1.2, 15.0.1, 18.1.1, 5.0.1", + "foundIn": "Node.js", + "installedVersion": "11.1.1", + "packageName": "yargs-parser", + "references": [ + "https://access.redhat.com/security/cve/CVE-2020-7608", + "https://errata.almalinux.org/8/ALSA-2021-0548.html", + "https://github.com/yargs/yargs-parser", + "https://github.com/yargs/yargs-parser/commit/1c417bd0b42b09c475ee881e36d292af4fa2cc36", + "https://github.com/yargs/yargs-parser/commit/63810ca1ae1a24b08293a4d971e70e058c7a41e2", + "https://linux.oracle.com/cve/CVE-2020-7608.html", + "https://linux.oracle.com/errata/ELSA-2021-0548.html", + "https://nvd.nist.gov/vuln/detail/CVE-2020-7608", + "https://snyk.io/vuln/SNYK-JS-YARGSPARSER-560381", + "https://www.cve.org/CVERecord?id=CVE-2020-7608", + "https://www.npmjs.com/advisories/1500", + ], + "vulnerabilityId": "CVE-2020-7608", + }, + "category": "NPM Package Vulnerability", + "description": "yargs-parser could be tricked into adding or modifying properties of Object.prototype using a "__proto__" payload.", + "location": "bkimminich/juice-shop:v10.2.0", + "mitigation": "Update the affected package yargs-parser to the fixed version: 13.1.2, 15.0.1, 18.1.1, 5.0.1 or remove the package from the image.", + "name": "nodejs-yargs-parser: prototype pollution vulnerability", + "osi_layer": "NOT_APPLICABLE", + "references": [ + { 
+ "type": "CVE", + "value": "CVE-2020-7608", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2020-7608", + }, + { + "type": "URL", + "value": "https://access.redhat.com/security/cve/CVE-2020-7608", + }, + { + "type": "URL", + "value": "https://errata.almalinux.org/8/ALSA-2021-0548.html", + }, + { + "type": "URL", + "value": "https://github.com/yargs/yargs-parser", + }, + { + "type": "URL", + "value": "https://github.com/yargs/yargs-parser/commit/1c417bd0b42b09c475ee881e36d292af4fa2cc36", + }, + { + "type": "URL", + "value": "https://github.com/yargs/yargs-parser/commit/63810ca1ae1a24b08293a4d971e70e058c7a41e2", + }, + { + "type": "URL", + "value": "https://linux.oracle.com/cve/CVE-2020-7608.html", + }, + { + "type": "URL", + "value": "https://linux.oracle.com/errata/ELSA-2021-0548.html", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2020-7608", + }, + { + "type": "URL", + "value": "https://snyk.io/vuln/SNYK-JS-YARGSPARSER-560381", + }, + { + "type": "URL", + "value": "https://www.cve.org/CVERecord?id=CVE-2020-7608", + }, + { + "type": "URL", + "value": "https://www.npmjs.com/advisories/1500", + }, + ], + "severity": "MEDIUM", + }, + { + "attributes": { + "fixedVersion": "13.1.2, 15.0.1, 18.1.1, 5.0.1", + "foundIn": "Node.js", + "installedVersion": "9.0.2", + "packageName": "yargs-parser", + "references": [ + "https://access.redhat.com/security/cve/CVE-2020-7608", + "https://errata.almalinux.org/8/ALSA-2021-0548.html", + "https://github.com/yargs/yargs-parser", + "https://github.com/yargs/yargs-parser/commit/1c417bd0b42b09c475ee881e36d292af4fa2cc36", + "https://github.com/yargs/yargs-parser/commit/63810ca1ae1a24b08293a4d971e70e058c7a41e2", + "https://linux.oracle.com/cve/CVE-2020-7608.html", + "https://linux.oracle.com/errata/ELSA-2021-0548.html", + "https://nvd.nist.gov/vuln/detail/CVE-2020-7608", + "https://snyk.io/vuln/SNYK-JS-YARGSPARSER-560381", + "https://www.cve.org/CVERecord?id=CVE-2020-7608", + 
"https://www.npmjs.com/advisories/1500", + ], + "vulnerabilityId": "CVE-2020-7608", + }, + "category": "NPM Package Vulnerability", + "description": "yargs-parser could be tricked into adding or modifying properties of Object.prototype using a "__proto__" payload.", + "location": "bkimminich/juice-shop:v10.2.0", + "mitigation": "Update the affected package yargs-parser to the fixed version: 13.1.2, 15.0.1, 18.1.1, 5.0.1 or remove the package from the image.", + "name": "nodejs-yargs-parser: prototype pollution vulnerability", + "osi_layer": "NOT_APPLICABLE", + "references": [ + { + "type": "CVE", + "value": "CVE-2020-7608", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2020-7608", + }, + { + "type": "URL", + "value": "https://access.redhat.com/security/cve/CVE-2020-7608", + }, + { + "type": "URL", + "value": "https://errata.almalinux.org/8/ALSA-2021-0548.html", + }, + { + "type": "URL", + "value": "https://github.com/yargs/yargs-parser", + }, + { + "type": "URL", + "value": "https://github.com/yargs/yargs-parser/commit/1c417bd0b42b09c475ee881e36d292af4fa2cc36", + }, + { + "type": "URL", + "value": "https://github.com/yargs/yargs-parser/commit/63810ca1ae1a24b08293a4d971e70e058c7a41e2", + }, + { + "type": "URL", + "value": "https://linux.oracle.com/cve/CVE-2020-7608.html", + }, + { + "type": "URL", + "value": "https://linux.oracle.com/errata/ELSA-2021-0548.html", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2020-7608", + }, + { + "type": "URL", + "value": "https://snyk.io/vuln/SNYK-JS-YARGSPARSER-560381", + }, + { + "type": "URL", + "value": "https://www.cve.org/CVERecord?id=CVE-2020-7608", + }, + { + "type": "URL", + "value": "https://www.npmjs.com/advisories/1500", + }, + ], + "severity": "MEDIUM", + }, + { + "attributes": { + "fixedVersion": "1.22.13", + "foundIn": "Node.js", + "installedVersion": "1.22.4", + "packageName": "yarn", + "references": [ + "https://access.redhat.com/security/cve/CVE-2021-4435", 
+ "https://bugzilla.redhat.com/show_bug.cgi?id=2262284", + "https://github.com/yarnpkg/yarn", + "https://github.com/yarnpkg/yarn/commit/67fcce88935e45092ffa2674c08053f1ef5268a1", + "https://github.com/yarnpkg/yarn/releases/tag/v1.22.13", + "https://nvd.nist.gov/vuln/detail/CVE-2021-4435", + "https://www.cve.org/CVERecord?id=CVE-2021-4435", + ], + "vulnerabilityId": "CVE-2021-4435", + }, + "category": "NPM Package Vulnerability", + "description": "An untrusted search path vulnerability was found in Yarn. When a victim runs certain Yarn commands in a directory with attacker-controlled content, malicious commands could be executed in unexpected ways.", + "location": "bkimminich/juice-shop:v10.2.0", + "mitigation": "Update the affected package yarn to the fixed version: 1.22.13 or remove the package from the image.", + "name": "yarn: untrusted search path", + "osi_layer": "NOT_APPLICABLE", + "references": [ + { + "type": "CVE", + "value": "CVE-2021-4435", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2021-4435", + }, + { + "type": "URL", + "value": "https://access.redhat.com/security/cve/CVE-2021-4435", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/show_bug.cgi?id=2262284", + }, + { + "type": "URL", + "value": "https://github.com/yarnpkg/yarn", + }, + { + "type": "URL", + "value": "https://github.com/yarnpkg/yarn/commit/67fcce88935e45092ffa2674c08053f1ef5268a1", + }, + { + "type": "URL", + "value": "https://github.com/yarnpkg/yarn/releases/tag/v1.22.13", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2021-4435", + }, + { + "type": "URL", + "value": "https://www.cve.org/CVERecord?id=CVE-2021-4435", + }, + ], + "severity": "HIGH", + }, +] +`; + +exports[`parses bkimminich/juice-shop:v12.10.2 result file into findings 1`] = ` +[ + { + "attributes": { + "fixedVersion": "1.31.1-r11", + "foundIn": "bkimminich/juice-shop:v12.10.2 (alpine 3.11.12)", + "installedVersion": "1.31.1-r10", + "packageName": 
"busybox", + "references": [ + "https://access.redhat.com/security/cve/CVE-2021-42378", + "https://claroty.com/team82/research/unboxing-busybox-14-vulnerabilities-uncovered-by-claroty-jfrog", + "https://jfrog.com/blog/unboxing-busybox-14-new-vulnerabilities-uncovered-by-claroty-and-jfrog/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6T2TURBYYJGBMQTTN2DSOAIQGP7WCPGV/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UQXGOGWBIYWOIVXJVRKHZR34UMEHQBXS/", + "https://nvd.nist.gov/vuln/detail/CVE-2021-42378", + "https://security.netapp.com/advisory/ntap-20211223-0002/", + "https://ubuntu.com/security/notices/USN-5179-1", + "https://www.cve.org/CVERecord?id=CVE-2021-42378", + ], + "vulnerabilityId": "CVE-2021-42378", + }, + "category": "Image Vulnerability", + "description": "A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the getvar_i function", + "location": "bkimminich/juice-shop:v12.10.2", + "mitigation": "Update the affected package busybox to the fixed version: 1.31.1-r11 or remove the package from the image.", + "name": "busybox: use-after-free in awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the getvar_i()", + "osi_layer": "NOT_APPLICABLE", + "references": [ + { + "type": "CVE", + "value": "CVE-2021-42378", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2021-42378", + }, + { + "type": "URL", + "value": "https://access.redhat.com/security/cve/CVE-2021-42378", + }, + { + "type": "URL", + "value": "https://claroty.com/team82/research/unboxing-busybox-14-vulnerabilities-uncovered-by-claroty-jfrog", + }, + { + "type": "URL", + "value": "https://jfrog.com/blog/unboxing-busybox-14-new-vulnerabilities-uncovered-by-claroty-and-jfrog/", + }, + { + "type": "URL", + "value": 
"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6T2TURBYYJGBMQTTN2DSOAIQGP7WCPGV/", + }, + { + "type": "URL", + "value": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UQXGOGWBIYWOIVXJVRKHZR34UMEHQBXS/", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2021-42378", + }, + { + "type": "URL", + "value": "https://security.netapp.com/advisory/ntap-20211223-0002/", + }, + { + "type": "URL", + "value": "https://ubuntu.com/security/notices/USN-5179-1", + }, + { + "type": "URL", + "value": "https://www.cve.org/CVERecord?id=CVE-2021-42378", + }, + ], + "severity": "HIGH", + }, + { + "attributes": { + "fixedVersion": "1.31.1-r11", + "foundIn": "bkimminich/juice-shop:v12.10.2 (alpine 3.11.12)", + "installedVersion": "1.31.1-r10", + "packageName": "busybox", + "references": [ + "https://access.redhat.com/security/cve/CVE-2021-42379", + "https://claroty.com/team82/research/unboxing-busybox-14-vulnerabilities-uncovered-by-claroty-jfrog", + "https://jfrog.com/blog/unboxing-busybox-14-new-vulnerabilities-uncovered-by-claroty-and-jfrog/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6T2TURBYYJGBMQTTN2DSOAIQGP7WCPGV/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UQXGOGWBIYWOIVXJVRKHZR34UMEHQBXS/", + "https://nvd.nist.gov/vuln/detail/CVE-2021-42379", + "https://security.netapp.com/advisory/ntap-20211223-0002/", + "https://ubuntu.com/security/notices/USN-5179-1", + "https://www.cve.org/CVERecord?id=CVE-2021-42379", + ], + "vulnerabilityId": "CVE-2021-42379", + }, + "category": "Image Vulnerability", + "description": "A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the next_input_file function", + "location": "bkimminich/juice-shop:v12.10.2", + "mitigation": 
"Update the affected package busybox to the fixed version: 1.31.1-r11 or remove the package from the image.", + "name": "busybox: use-after-free in awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the next_input_file()", + "osi_layer": "NOT_APPLICABLE", + "references": [ + { + "type": "CVE", + "value": "CVE-2021-42379", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2021-42379", + }, + { + "type": "URL", + "value": "https://access.redhat.com/security/cve/CVE-2021-42379", + }, + { + "type": "URL", + "value": "https://claroty.com/team82/research/unboxing-busybox-14-vulnerabilities-uncovered-by-claroty-jfrog", + }, + { + "type": "URL", + "value": "https://jfrog.com/blog/unboxing-busybox-14-new-vulnerabilities-uncovered-by-claroty-and-jfrog/", + }, + { + "type": "URL", + "value": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6T2TURBYYJGBMQTTN2DSOAIQGP7WCPGV/", + }, + { + "type": "URL", + "value": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UQXGOGWBIYWOIVXJVRKHZR34UMEHQBXS/", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2021-42379", + }, + { + "type": "URL", + "value": "https://security.netapp.com/advisory/ntap-20211223-0002/", + }, + { + "type": "URL", + "value": "https://ubuntu.com/security/notices/USN-5179-1", + }, + { + "type": "URL", + "value": "https://www.cve.org/CVERecord?id=CVE-2021-42379", + }, + ], + "severity": "HIGH", + }, + { + "attributes": { + "fixedVersion": "1.31.1-r11", + "foundIn": "bkimminich/juice-shop:v12.10.2 (alpine 3.11.12)", + "installedVersion": "1.31.1-r10", + "packageName": "busybox", + "references": [ + "https://access.redhat.com/security/cve/CVE-2021-42380", + "https://claroty.com/team82/research/unboxing-busybox-14-vulnerabilities-uncovered-by-claroty-jfrog", + 
"https://jfrog.com/blog/unboxing-busybox-14-new-vulnerabilities-uncovered-by-claroty-and-jfrog/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6T2TURBYYJGBMQTTN2DSOAIQGP7WCPGV/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UQXGOGWBIYWOIVXJVRKHZR34UMEHQBXS/", + "https://nvd.nist.gov/vuln/detail/CVE-2021-42380", + "https://security.netapp.com/advisory/ntap-20211223-0002/", + "https://ubuntu.com/security/notices/USN-5179-1", + "https://www.cve.org/CVERecord?id=CVE-2021-42380", + ], + "vulnerabilityId": "CVE-2021-42380", + }, + "category": "Image Vulnerability", + "description": "A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the clrvar function", + "location": "bkimminich/juice-shop:v12.10.2", + "mitigation": "Update the affected package busybox to the fixed version: 1.31.1-r11 or remove the package from the image.", + "name": "busybox: use-after-free in awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the clrvar()", + "osi_layer": "NOT_APPLICABLE", + "references": [ + { + "type": "CVE", + "value": "CVE-2021-42380", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2021-42380", + }, + { + "type": "URL", + "value": "https://access.redhat.com/security/cve/CVE-2021-42380", + }, + { + "type": "URL", + "value": "https://claroty.com/team82/research/unboxing-busybox-14-vulnerabilities-uncovered-by-claroty-jfrog", + }, + { + "type": "URL", + "value": "https://jfrog.com/blog/unboxing-busybox-14-new-vulnerabilities-uncovered-by-claroty-and-jfrog/", + }, + { + "type": "URL", + "value": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6T2TURBYYJGBMQTTN2DSOAIQGP7WCPGV/", + }, + { + "type": "URL", + "value": 
"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UQXGOGWBIYWOIVXJVRKHZR34UMEHQBXS/", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2021-42380", + }, + { + "type": "URL", + "value": "https://security.netapp.com/advisory/ntap-20211223-0002/", + }, + { + "type": "URL", + "value": "https://ubuntu.com/security/notices/USN-5179-1", + }, + { + "type": "URL", + "value": "https://www.cve.org/CVERecord?id=CVE-2021-42380", + }, + ], + "severity": "HIGH", + }, + { + "attributes": { + "fixedVersion": "1.31.1-r11", + "foundIn": "bkimminich/juice-shop:v12.10.2 (alpine 3.11.12)", + "installedVersion": "1.31.1-r10", + "packageName": "busybox", + "references": [ + "https://access.redhat.com/security/cve/CVE-2021-42381", + "https://claroty.com/team82/research/unboxing-busybox-14-vulnerabilities-uncovered-by-claroty-jfrog", + "https://jfrog.com/blog/unboxing-busybox-14-new-vulnerabilities-uncovered-by-claroty-and-jfrog/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6T2TURBYYJGBMQTTN2DSOAIQGP7WCPGV/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UQXGOGWBIYWOIVXJVRKHZR34UMEHQBXS/", + "https://nvd.nist.gov/vuln/detail/CVE-2021-42381", + "https://security.netapp.com/advisory/ntap-20211223-0002/", + "https://ubuntu.com/security/notices/USN-5179-1", + "https://www.cve.org/CVERecord?id=CVE-2021-42381", + ], + "vulnerabilityId": "CVE-2021-42381", + }, + "category": "Image Vulnerability", + "description": "A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the hash_init function", + "location": "bkimminich/juice-shop:v12.10.2", + "mitigation": "Update the affected package busybox to the fixed version: 1.31.1-r11 or remove the package from the image.", + "name": "busybox: use-after-free in awk applet leads to denial of 
service and possibly code execution when processing a crafted awk pattern in the hash_init()", + "osi_layer": "NOT_APPLICABLE", + "references": [ + { + "type": "CVE", + "value": "CVE-2021-42381", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2021-42381", + }, + { + "type": "URL", + "value": "https://access.redhat.com/security/cve/CVE-2021-42381", + }, + { + "type": "URL", + "value": "https://claroty.com/team82/research/unboxing-busybox-14-vulnerabilities-uncovered-by-claroty-jfrog", + }, + { + "type": "URL", + "value": "https://jfrog.com/blog/unboxing-busybox-14-new-vulnerabilities-uncovered-by-claroty-and-jfrog/", + }, + { + "type": "URL", + "value": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6T2TURBYYJGBMQTTN2DSOAIQGP7WCPGV/", + }, + { + "type": "URL", + "value": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UQXGOGWBIYWOIVXJVRKHZR34UMEHQBXS/", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2021-42381", + }, + { + "type": "URL", + "value": "https://security.netapp.com/advisory/ntap-20211223-0002/", + }, + { + "type": "URL", + "value": "https://ubuntu.com/security/notices/USN-5179-1", + }, + { + "type": "URL", + "value": "https://www.cve.org/CVERecord?id=CVE-2021-42381", + }, + ], + "severity": "HIGH", + }, + { + "attributes": { + "fixedVersion": "1.31.1-r11", + "foundIn": "bkimminich/juice-shop:v12.10.2 (alpine 3.11.12)", + "installedVersion": "1.31.1-r10", + "packageName": "busybox", + "references": [ + "https://access.redhat.com/security/cve/CVE-2021-42382", + "https://claroty.com/team82/research/unboxing-busybox-14-vulnerabilities-uncovered-by-claroty-jfrog", + "https://jfrog.com/blog/unboxing-busybox-14-new-vulnerabilities-uncovered-by-claroty-and-jfrog/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6T2TURBYYJGBMQTTN2DSOAIQGP7WCPGV/", + 
"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UQXGOGWBIYWOIVXJVRKHZR34UMEHQBXS/", + "https://nvd.nist.gov/vuln/detail/CVE-2021-42382", + "https://security.netapp.com/advisory/ntap-20211223-0002/", + "https://ubuntu.com/security/notices/USN-5179-1", + "https://www.cve.org/CVERecord?id=CVE-2021-42382", + ], + "vulnerabilityId": "CVE-2021-42382", + }, + "category": "Image Vulnerability", + "description": "A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the getvar_s function", + "location": "bkimminich/juice-shop:v12.10.2", + "mitigation": "Update the affected package busybox to the fixed version: 1.31.1-r11 or remove the package from the image.", + "name": "busybox: use-after-free in awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the getvar_s()", + "osi_layer": "NOT_APPLICABLE", + "references": [ + { + "type": "CVE", + "value": "CVE-2021-42382", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2021-42382", + }, + { + "type": "URL", + "value": "https://access.redhat.com/security/cve/CVE-2021-42382", + }, + { + "type": "URL", + "value": "https://claroty.com/team82/research/unboxing-busybox-14-vulnerabilities-uncovered-by-claroty-jfrog", + }, + { + "type": "URL", + "value": "https://jfrog.com/blog/unboxing-busybox-14-new-vulnerabilities-uncovered-by-claroty-and-jfrog/", + }, + { + "type": "URL", + "value": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6T2TURBYYJGBMQTTN2DSOAIQGP7WCPGV/", + }, + { + "type": "URL", + "value": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UQXGOGWBIYWOIVXJVRKHZR34UMEHQBXS/", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2021-42382", + }, + { + "type": "URL", + "value": 
"https://security.netapp.com/advisory/ntap-20211223-0002/", + }, + { + "type": "URL", + "value": "https://ubuntu.com/security/notices/USN-5179-1", + }, + { + "type": "URL", + "value": "https://www.cve.org/CVERecord?id=CVE-2021-42382", + }, + ], + "severity": "HIGH", + }, + { + "attributes": { + "fixedVersion": "1.31.1-r11", + "foundIn": "bkimminich/juice-shop:v12.10.2 (alpine 3.11.12)", + "installedVersion": "1.31.1-r10", + "packageName": "busybox", + "references": [ + "https://access.redhat.com/security/cve/CVE-2021-42383", + "https://claroty.com/team82/research/unboxing-busybox-14-vulnerabilities-uncovered-by-claroty-jfrog", + "https://jfrog.com/blog/unboxing-busybox-14-new-vulnerabilities-uncovered-by-claroty-and-jfrog/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6T2TURBYYJGBMQTTN2DSOAIQGP7WCPGV/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UQXGOGWBIYWOIVXJVRKHZR34UMEHQBXS/", + "https://nvd.nist.gov/vuln/detail/CVE-2021-42383", + "https://security.netapp.com/advisory/ntap-20211223-0002/", + "https://www.cve.org/CVERecord?id=CVE-2021-42383", + ], + "vulnerabilityId": "CVE-2021-42383", + }, + "category": "Image Vulnerability", + "description": "A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the evaluate function", + "location": "bkimminich/juice-shop:v12.10.2", + "mitigation": "Update the affected package busybox to the fixed version: 1.31.1-r11 or remove the package from the image.", + "name": "busybox: use-after-free in awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the evaluate()", + "osi_layer": "NOT_APPLICABLE", + "references": [ + { + "type": "CVE", + "value": "CVE-2021-42383", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2021-42383", + }, + { + "type": "URL", + 
"value": "https://access.redhat.com/security/cve/CVE-2021-42383", + }, + { + "type": "URL", + "value": "https://claroty.com/team82/research/unboxing-busybox-14-vulnerabilities-uncovered-by-claroty-jfrog", + }, + { + "type": "URL", + "value": "https://jfrog.com/blog/unboxing-busybox-14-new-vulnerabilities-uncovered-by-claroty-and-jfrog/", + }, + { + "type": "URL", + "value": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6T2TURBYYJGBMQTTN2DSOAIQGP7WCPGV/", + }, + { + "type": "URL", + "value": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UQXGOGWBIYWOIVXJVRKHZR34UMEHQBXS/", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2021-42383", + }, + { + "type": "URL", + "value": "https://security.netapp.com/advisory/ntap-20211223-0002/", + }, + { + "type": "URL", + "value": "https://www.cve.org/CVERecord?id=CVE-2021-42383", + }, + ], + "severity": "HIGH", + }, + { + "attributes": { + "fixedVersion": "1.31.1-r11", + "foundIn": "bkimminich/juice-shop:v12.10.2 (alpine 3.11.12)", + "installedVersion": "1.31.1-r10", + "packageName": "busybox", + "references": [ + "https://access.redhat.com/security/cve/CVE-2021-42384", + "https://claroty.com/team82/research/unboxing-busybox-14-vulnerabilities-uncovered-by-claroty-jfrog", + "https://jfrog.com/blog/unboxing-busybox-14-new-vulnerabilities-uncovered-by-claroty-and-jfrog/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6T2TURBYYJGBMQTTN2DSOAIQGP7WCPGV/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UQXGOGWBIYWOIVXJVRKHZR34UMEHQBXS/", + "https://nvd.nist.gov/vuln/detail/CVE-2021-42384", + "https://security.netapp.com/advisory/ntap-20211223-0002/", + "https://ubuntu.com/security/notices/USN-5179-1", + "https://www.cve.org/CVERecord?id=CVE-2021-42384", + ], + "vulnerabilityId": "CVE-2021-42384", + }, + 
"category": "Image Vulnerability", + "description": "A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the handle_special function", + "location": "bkimminich/juice-shop:v12.10.2", + "mitigation": "Update the affected package busybox to the fixed version: 1.31.1-r11 or remove the package from the image.", + "name": "busybox: use-after-free in awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the handle_special()", + "osi_layer": "NOT_APPLICABLE", + "references": [ + { + "type": "CVE", + "value": "CVE-2021-42384", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2021-42384", + }, + { + "type": "URL", + "value": "https://access.redhat.com/security/cve/CVE-2021-42384", + }, + { + "type": "URL", + "value": "https://claroty.com/team82/research/unboxing-busybox-14-vulnerabilities-uncovered-by-claroty-jfrog", + }, + { + "type": "URL", + "value": "https://jfrog.com/blog/unboxing-busybox-14-new-vulnerabilities-uncovered-by-claroty-and-jfrog/", + }, + { + "type": "URL", + "value": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6T2TURBYYJGBMQTTN2DSOAIQGP7WCPGV/", + }, + { + "type": "URL", + "value": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UQXGOGWBIYWOIVXJVRKHZR34UMEHQBXS/", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2021-42384", + }, + { + "type": "URL", + "value": "https://security.netapp.com/advisory/ntap-20211223-0002/", + }, + { + "type": "URL", + "value": "https://ubuntu.com/security/notices/USN-5179-1", + }, + { + "type": "URL", + "value": "https://www.cve.org/CVERecord?id=CVE-2021-42384", + }, + ], + "severity": "HIGH", + }, + { + "attributes": { + "fixedVersion": "1.31.1-r11", + "foundIn": "bkimminich/juice-shop:v12.10.2 (alpine 3.11.12)", + "installedVersion": 
"1.31.1-r10", + "packageName": "busybox", + "references": [ + "https://access.redhat.com/security/cve/CVE-2021-42385", + "https://claroty.com/team82/research/unboxing-busybox-14-vulnerabilities-uncovered-by-claroty-jfrog", + "https://jfrog.com/blog/unboxing-busybox-14-new-vulnerabilities-uncovered-by-claroty-and-jfrog/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6T2TURBYYJGBMQTTN2DSOAIQGP7WCPGV/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UQXGOGWBIYWOIVXJVRKHZR34UMEHQBXS/", + "https://nvd.nist.gov/vuln/detail/CVE-2021-42385", + "https://security.netapp.com/advisory/ntap-20211223-0002/", + "https://ubuntu.com/security/notices/USN-5179-1", + "https://www.cve.org/CVERecord?id=CVE-2021-42385", + ], + "vulnerabilityId": "CVE-2021-42385", + }, + "category": "Image Vulnerability", + "description": "A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the evaluate function", + "location": "bkimminich/juice-shop:v12.10.2", + "mitigation": "Update the affected package busybox to the fixed version: 1.31.1-r11 or remove the package from the image.", + "name": "busybox: use-after-free in awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the evaluate()", + "osi_layer": "NOT_APPLICABLE", + "references": [ + { + "type": "CVE", + "value": "CVE-2021-42385", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2021-42385", + }, + { + "type": "URL", + "value": "https://access.redhat.com/security/cve/CVE-2021-42385", + }, + { + "type": "URL", + "value": "https://claroty.com/team82/research/unboxing-busybox-14-vulnerabilities-uncovered-by-claroty-jfrog", + }, + { + "type": "URL", + "value": "https://jfrog.com/blog/unboxing-busybox-14-new-vulnerabilities-uncovered-by-claroty-and-jfrog/", + }, + { + "type": "URL", 
+ "value": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6T2TURBYYJGBMQTTN2DSOAIQGP7WCPGV/", + }, + { + "type": "URL", + "value": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UQXGOGWBIYWOIVXJVRKHZR34UMEHQBXS/", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2021-42385", + }, + { + "type": "URL", + "value": "https://security.netapp.com/advisory/ntap-20211223-0002/", + }, + { + "type": "URL", + "value": "https://ubuntu.com/security/notices/USN-5179-1", + }, + { + "type": "URL", + "value": "https://www.cve.org/CVERecord?id=CVE-2021-42385", + }, + ], + "severity": "HIGH", + }, + { + "attributes": { + "fixedVersion": "1.31.1-r11", + "foundIn": "bkimminich/juice-shop:v12.10.2 (alpine 3.11.12)", + "installedVersion": "1.31.1-r10", + "packageName": "busybox", + "references": [ + "https://access.redhat.com/security/cve/CVE-2021-42386", + "https://claroty.com/team82/research/unboxing-busybox-14-vulnerabilities-uncovered-by-claroty-jfrog", + "https://jfrog.com/blog/unboxing-busybox-14-new-vulnerabilities-uncovered-by-claroty-and-jfrog/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6T2TURBYYJGBMQTTN2DSOAIQGP7WCPGV/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UQXGOGWBIYWOIVXJVRKHZR34UMEHQBXS/", + "https://nvd.nist.gov/vuln/detail/CVE-2021-42386", + "https://security.netapp.com/advisory/ntap-20211223-0002/", + "https://ubuntu.com/security/notices/USN-5179-1", + "https://www.cve.org/CVERecord?id=CVE-2021-42386", + ], + "vulnerabilityId": "CVE-2021-42386", + }, + "category": "Image Vulnerability", + "description": "A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the nvalloc function", + "location": "bkimminich/juice-shop:v12.10.2", + "mitigation": 
"Update the affected package busybox to the fixed version: 1.31.1-r11 or remove the package from the image.", + "name": "busybox: use-after-free in awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the nvalloc()", + "osi_layer": "NOT_APPLICABLE", + "references": [ + { + "type": "CVE", + "value": "CVE-2021-42386", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2021-42386", + }, + { + "type": "URL", + "value": "https://access.redhat.com/security/cve/CVE-2021-42386", + }, + { + "type": "URL", + "value": "https://claroty.com/team82/research/unboxing-busybox-14-vulnerabilities-uncovered-by-claroty-jfrog", + }, + { + "type": "URL", + "value": "https://jfrog.com/blog/unboxing-busybox-14-new-vulnerabilities-uncovered-by-claroty-and-jfrog/", + }, + { + "type": "URL", + "value": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6T2TURBYYJGBMQTTN2DSOAIQGP7WCPGV/", + }, + { + "type": "URL", + "value": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UQXGOGWBIYWOIVXJVRKHZR34UMEHQBXS/", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2021-42386", + }, + { + "type": "URL", + "value": "https://security.netapp.com/advisory/ntap-20211223-0002/", + }, + { + "type": "URL", + "value": "https://ubuntu.com/security/notices/USN-5179-1", + }, + { + "type": "URL", + "value": "https://www.cve.org/CVERecord?id=CVE-2021-42386", + }, + ], + "severity": "HIGH", + }, + { + "attributes": { + "fixedVersion": "1.31.1-r11", + "foundIn": "bkimminich/juice-shop:v12.10.2 (alpine 3.11.12)", + "installedVersion": "1.31.1-r10", + "packageName": "busybox", + "references": [ + "https://access.redhat.com/security/cve/CVE-2021-42374", + "https://claroty.com/team82/research/unboxing-busybox-14-vulnerabilities-uncovered-by-claroty-jfrog", + 
"https://jfrog.com/blog/unboxing-busybox-14-new-vulnerabilities-uncovered-by-claroty-and-jfrog/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6T2TURBYYJGBMQTTN2DSOAIQGP7WCPGV/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UQXGOGWBIYWOIVXJVRKHZR34UMEHQBXS/", + "https://nvd.nist.gov/vuln/detail/CVE-2021-42374", + "https://security.netapp.com/advisory/ntap-20211223-0002/", + "https://ubuntu.com/security/notices/USN-5179-1", + "https://www.cve.org/CVERecord?id=CVE-2021-42374", + ], + "vulnerabilityId": "CVE-2021-42374", + }, + "category": "Image Vulnerability", + "description": "An out-of-bounds heap read in Busybox's unlzma applet leads to information leak and denial of service when crafted LZMA-compressed input is decompressed. This can be triggered by any applet/format that", + "location": "bkimminich/juice-shop:v12.10.2", + "mitigation": "Update the affected package busybox to the fixed version: 1.31.1-r11 or remove the package from the image.", + "name": "busybox: out-of-bounds read in unlzma applet leads to information leak and denial of service when crafted LZMA-compressed input is decompressed", + "osi_layer": "NOT_APPLICABLE", + "references": [ + { + "type": "CVE", + "value": "CVE-2021-42374", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2021-42374", + }, + { + "type": "URL", + "value": "https://access.redhat.com/security/cve/CVE-2021-42374", + }, + { + "type": "URL", + "value": "https://claroty.com/team82/research/unboxing-busybox-14-vulnerabilities-uncovered-by-claroty-jfrog", + }, + { + "type": "URL", + "value": "https://jfrog.com/blog/unboxing-busybox-14-new-vulnerabilities-uncovered-by-claroty-and-jfrog/", + }, + { + "type": "URL", + "value": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6T2TURBYYJGBMQTTN2DSOAIQGP7WCPGV/", + }, + { + "type": "URL", + "value": 
"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UQXGOGWBIYWOIVXJVRKHZR34UMEHQBXS/", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2021-42374", + }, + { + "type": "URL", + "value": "https://security.netapp.com/advisory/ntap-20211223-0002/", + }, + { + "type": "URL", + "value": "https://ubuntu.com/security/notices/USN-5179-1", + }, + { + "type": "URL", + "value": "https://www.cve.org/CVERecord?id=CVE-2021-42374", + }, + ], + "severity": "MEDIUM", + }, + { + "attributes": { + "fixedVersion": "1.31.1-r11", + "foundIn": "bkimminich/juice-shop:v12.10.2 (alpine 3.11.12)", + "installedVersion": "1.31.1-r10", + "packageName": "ssl_client", + "references": [ + "https://access.redhat.com/security/cve/CVE-2021-42378", + "https://claroty.com/team82/research/unboxing-busybox-14-vulnerabilities-uncovered-by-claroty-jfrog", + "https://jfrog.com/blog/unboxing-busybox-14-new-vulnerabilities-uncovered-by-claroty-and-jfrog/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6T2TURBYYJGBMQTTN2DSOAIQGP7WCPGV/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UQXGOGWBIYWOIVXJVRKHZR34UMEHQBXS/", + "https://nvd.nist.gov/vuln/detail/CVE-2021-42378", + "https://security.netapp.com/advisory/ntap-20211223-0002/", + "https://ubuntu.com/security/notices/USN-5179-1", + "https://www.cve.org/CVERecord?id=CVE-2021-42378", + ], + "vulnerabilityId": "CVE-2021-42378", + }, + "category": "Image Vulnerability", + "description": "A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the getvar_i function", + "location": "bkimminich/juice-shop:v12.10.2", + "mitigation": "Update the affected package ssl_client to the fixed version: 1.31.1-r11 or remove the package from the image.", + "name": "busybox: use-after-free in awk applet leads to denial 
of service and possibly code execution when processing a crafted awk pattern in the getvar_i()", + "osi_layer": "NOT_APPLICABLE", + "references": [ + { + "type": "CVE", + "value": "CVE-2021-42378", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2021-42378", + }, + { + "type": "URL", + "value": "https://access.redhat.com/security/cve/CVE-2021-42378", + }, + { + "type": "URL", + "value": "https://claroty.com/team82/research/unboxing-busybox-14-vulnerabilities-uncovered-by-claroty-jfrog", + }, + { + "type": "URL", + "value": "https://jfrog.com/blog/unboxing-busybox-14-new-vulnerabilities-uncovered-by-claroty-and-jfrog/", + }, + { + "type": "URL", + "value": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6T2TURBYYJGBMQTTN2DSOAIQGP7WCPGV/", + }, + { + "type": "URL", + "value": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UQXGOGWBIYWOIVXJVRKHZR34UMEHQBXS/", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2021-42378", + }, + { + "type": "URL", + "value": "https://security.netapp.com/advisory/ntap-20211223-0002/", + }, + { + "type": "URL", + "value": "https://ubuntu.com/security/notices/USN-5179-1", + }, + { + "type": "URL", + "value": "https://www.cve.org/CVERecord?id=CVE-2021-42378", + }, + ], + "severity": "HIGH", + }, + { + "attributes": { + "fixedVersion": "1.31.1-r11", + "foundIn": "bkimminich/juice-shop:v12.10.2 (alpine 3.11.12)", + "installedVersion": "1.31.1-r10", + "packageName": "ssl_client", + "references": [ + "https://access.redhat.com/security/cve/CVE-2021-42379", + "https://claroty.com/team82/research/unboxing-busybox-14-vulnerabilities-uncovered-by-claroty-jfrog", + "https://jfrog.com/blog/unboxing-busybox-14-new-vulnerabilities-uncovered-by-claroty-and-jfrog/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6T2TURBYYJGBMQTTN2DSOAIQGP7WCPGV/", + 
"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UQXGOGWBIYWOIVXJVRKHZR34UMEHQBXS/", + "https://nvd.nist.gov/vuln/detail/CVE-2021-42379", + "https://security.netapp.com/advisory/ntap-20211223-0002/", + "https://ubuntu.com/security/notices/USN-5179-1", + "https://www.cve.org/CVERecord?id=CVE-2021-42379", + ], + "vulnerabilityId": "CVE-2021-42379", + }, + "category": "Image Vulnerability", + "description": "A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the next_input_file function", + "location": "bkimminich/juice-shop:v12.10.2", + "mitigation": "Update the affected package ssl_client to the fixed version: 1.31.1-r11 or remove the package from the image.", + "name": "busybox: use-after-free in awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the next_input_file()", + "osi_layer": "NOT_APPLICABLE", + "references": [ + { + "type": "CVE", + "value": "CVE-2021-42379", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2021-42379", + }, + { + "type": "URL", + "value": "https://access.redhat.com/security/cve/CVE-2021-42379", + }, + { + "type": "URL", + "value": "https://claroty.com/team82/research/unboxing-busybox-14-vulnerabilities-uncovered-by-claroty-jfrog", + }, + { + "type": "URL", + "value": "https://jfrog.com/blog/unboxing-busybox-14-new-vulnerabilities-uncovered-by-claroty-and-jfrog/", + }, + { + "type": "URL", + "value": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6T2TURBYYJGBMQTTN2DSOAIQGP7WCPGV/", + }, + { + "type": "URL", + "value": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UQXGOGWBIYWOIVXJVRKHZR34UMEHQBXS/", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2021-42379", + }, + { + "type": "URL", + "value": 
"https://security.netapp.com/advisory/ntap-20211223-0002/", + }, + { + "type": "URL", + "value": "https://ubuntu.com/security/notices/USN-5179-1", + }, + { + "type": "URL", + "value": "https://www.cve.org/CVERecord?id=CVE-2021-42379", + }, + ], + "severity": "HIGH", + }, + { + "attributes": { + "fixedVersion": "1.31.1-r11", + "foundIn": "bkimminich/juice-shop:v12.10.2 (alpine 3.11.12)", + "installedVersion": "1.31.1-r10", + "packageName": "ssl_client", + "references": [ + "https://access.redhat.com/security/cve/CVE-2021-42380", + "https://claroty.com/team82/research/unboxing-busybox-14-vulnerabilities-uncovered-by-claroty-jfrog", + "https://jfrog.com/blog/unboxing-busybox-14-new-vulnerabilities-uncovered-by-claroty-and-jfrog/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6T2TURBYYJGBMQTTN2DSOAIQGP7WCPGV/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UQXGOGWBIYWOIVXJVRKHZR34UMEHQBXS/", + "https://nvd.nist.gov/vuln/detail/CVE-2021-42380", + "https://security.netapp.com/advisory/ntap-20211223-0002/", + "https://ubuntu.com/security/notices/USN-5179-1", + "https://www.cve.org/CVERecord?id=CVE-2021-42380", + ], + "vulnerabilityId": "CVE-2021-42380", + }, + "category": "Image Vulnerability", + "description": "A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the clrvar function", + "location": "bkimminich/juice-shop:v12.10.2", + "mitigation": "Update the affected package ssl_client to the fixed version: 1.31.1-r11 or remove the package from the image.", + "name": "busybox: use-after-free in awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the clrvar()", + "osi_layer": "NOT_APPLICABLE", + "references": [ + { + "type": "CVE", + "value": "CVE-2021-42380", + }, + { + "type": "URL", + "value": 
"https://nvd.nist.gov/vuln/detail/CVE-2021-42380", + }, + { + "type": "URL", + "value": "https://access.redhat.com/security/cve/CVE-2021-42380", + }, + { + "type": "URL", + "value": "https://claroty.com/team82/research/unboxing-busybox-14-vulnerabilities-uncovered-by-claroty-jfrog", + }, + { + "type": "URL", + "value": "https://jfrog.com/blog/unboxing-busybox-14-new-vulnerabilities-uncovered-by-claroty-and-jfrog/", + }, + { + "type": "URL", + "value": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6T2TURBYYJGBMQTTN2DSOAIQGP7WCPGV/", + }, + { + "type": "URL", + "value": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UQXGOGWBIYWOIVXJVRKHZR34UMEHQBXS/", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2021-42380", + }, + { + "type": "URL", + "value": "https://security.netapp.com/advisory/ntap-20211223-0002/", + }, + { + "type": "URL", + "value": "https://ubuntu.com/security/notices/USN-5179-1", + }, + { + "type": "URL", + "value": "https://www.cve.org/CVERecord?id=CVE-2021-42380", + }, + ], + "severity": "HIGH", + }, + { + "attributes": { + "fixedVersion": "1.31.1-r11", + "foundIn": "bkimminich/juice-shop:v12.10.2 (alpine 3.11.12)", + "installedVersion": "1.31.1-r10", + "packageName": "ssl_client", + "references": [ + "https://access.redhat.com/security/cve/CVE-2021-42381", + "https://claroty.com/team82/research/unboxing-busybox-14-vulnerabilities-uncovered-by-claroty-jfrog", + "https://jfrog.com/blog/unboxing-busybox-14-new-vulnerabilities-uncovered-by-claroty-and-jfrog/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6T2TURBYYJGBMQTTN2DSOAIQGP7WCPGV/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UQXGOGWBIYWOIVXJVRKHZR34UMEHQBXS/", + "https://nvd.nist.gov/vuln/detail/CVE-2021-42381", + 
"https://security.netapp.com/advisory/ntap-20211223-0002/", + "https://ubuntu.com/security/notices/USN-5179-1", + "https://www.cve.org/CVERecord?id=CVE-2021-42381", + ], + "vulnerabilityId": "CVE-2021-42381", + }, + "category": "Image Vulnerability", + "description": "A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the hash_init function", + "location": "bkimminich/juice-shop:v12.10.2", + "mitigation": "Update the affected package ssl_client to the fixed version: 1.31.1-r11 or remove the package from the image.", + "name": "busybox: use-after-free in awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the hash_init()", + "osi_layer": "NOT_APPLICABLE", + "references": [ + { + "type": "CVE", + "value": "CVE-2021-42381", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2021-42381", + }, + { + "type": "URL", + "value": "https://access.redhat.com/security/cve/CVE-2021-42381", + }, + { + "type": "URL", + "value": "https://claroty.com/team82/research/unboxing-busybox-14-vulnerabilities-uncovered-by-claroty-jfrog", + }, + { + "type": "URL", + "value": "https://jfrog.com/blog/unboxing-busybox-14-new-vulnerabilities-uncovered-by-claroty-and-jfrog/", + }, + { + "type": "URL", + "value": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6T2TURBYYJGBMQTTN2DSOAIQGP7WCPGV/", + }, + { + "type": "URL", + "value": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UQXGOGWBIYWOIVXJVRKHZR34UMEHQBXS/", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2021-42381", + }, + { + "type": "URL", + "value": "https://security.netapp.com/advisory/ntap-20211223-0002/", + }, + { + "type": "URL", + "value": "https://ubuntu.com/security/notices/USN-5179-1", + }, + { + "type": "URL", + "value": 
"https://www.cve.org/CVERecord?id=CVE-2021-42381", + }, + ], + "severity": "HIGH", + }, + { + "attributes": { + "fixedVersion": "1.31.1-r11", + "foundIn": "bkimminich/juice-shop:v12.10.2 (alpine 3.11.12)", + "installedVersion": "1.31.1-r10", + "packageName": "ssl_client", + "references": [ + "https://access.redhat.com/security/cve/CVE-2021-42382", + "https://claroty.com/team82/research/unboxing-busybox-14-vulnerabilities-uncovered-by-claroty-jfrog", + "https://jfrog.com/blog/unboxing-busybox-14-new-vulnerabilities-uncovered-by-claroty-and-jfrog/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6T2TURBYYJGBMQTTN2DSOAIQGP7WCPGV/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UQXGOGWBIYWOIVXJVRKHZR34UMEHQBXS/", + "https://nvd.nist.gov/vuln/detail/CVE-2021-42382", + "https://security.netapp.com/advisory/ntap-20211223-0002/", + "https://ubuntu.com/security/notices/USN-5179-1", + "https://www.cve.org/CVERecord?id=CVE-2021-42382", + ], + "vulnerabilityId": "CVE-2021-42382", + }, + "category": "Image Vulnerability", + "description": "A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the getvar_s function", + "location": "bkimminich/juice-shop:v12.10.2", + "mitigation": "Update the affected package ssl_client to the fixed version: 1.31.1-r11 or remove the package from the image.", + "name": "busybox: use-after-free in awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the getvar_s()", + "osi_layer": "NOT_APPLICABLE", + "references": [ + { + "type": "CVE", + "value": "CVE-2021-42382", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2021-42382", + }, + { + "type": "URL", + "value": "https://access.redhat.com/security/cve/CVE-2021-42382", + }, + { + "type": "URL", + "value": 
"https://claroty.com/team82/research/unboxing-busybox-14-vulnerabilities-uncovered-by-claroty-jfrog", + }, + { + "type": "URL", + "value": "https://jfrog.com/blog/unboxing-busybox-14-new-vulnerabilities-uncovered-by-claroty-and-jfrog/", + }, + { + "type": "URL", + "value": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6T2TURBYYJGBMQTTN2DSOAIQGP7WCPGV/", + }, + { + "type": "URL", + "value": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UQXGOGWBIYWOIVXJVRKHZR34UMEHQBXS/", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2021-42382", + }, + { + "type": "URL", + "value": "https://security.netapp.com/advisory/ntap-20211223-0002/", + }, + { + "type": "URL", + "value": "https://ubuntu.com/security/notices/USN-5179-1", + }, + { + "type": "URL", + "value": "https://www.cve.org/CVERecord?id=CVE-2021-42382", + }, + ], + "severity": "HIGH", + }, + { + "attributes": { + "fixedVersion": "1.31.1-r11", + "foundIn": "bkimminich/juice-shop:v12.10.2 (alpine 3.11.12)", + "installedVersion": "1.31.1-r10", + "packageName": "ssl_client", + "references": [ + "https://access.redhat.com/security/cve/CVE-2021-42383", + "https://claroty.com/team82/research/unboxing-busybox-14-vulnerabilities-uncovered-by-claroty-jfrog", + "https://jfrog.com/blog/unboxing-busybox-14-new-vulnerabilities-uncovered-by-claroty-and-jfrog/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6T2TURBYYJGBMQTTN2DSOAIQGP7WCPGV/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UQXGOGWBIYWOIVXJVRKHZR34UMEHQBXS/", + "https://nvd.nist.gov/vuln/detail/CVE-2021-42383", + "https://security.netapp.com/advisory/ntap-20211223-0002/", + "https://www.cve.org/CVERecord?id=CVE-2021-42383", + ], + "vulnerabilityId": "CVE-2021-42383", + }, + "category": "Image Vulnerability", + "description": "A 
use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the evaluate function", + "location": "bkimminich/juice-shop:v12.10.2", + "mitigation": "Update the affected package ssl_client to the fixed version: 1.31.1-r11 or remove the package from the image.", + "name": "busybox: use-after-free in awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the evaluate()", + "osi_layer": "NOT_APPLICABLE", + "references": [ + { + "type": "CVE", + "value": "CVE-2021-42383", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2021-42383", + }, + { + "type": "URL", + "value": "https://access.redhat.com/security/cve/CVE-2021-42383", + }, + { + "type": "URL", + "value": "https://claroty.com/team82/research/unboxing-busybox-14-vulnerabilities-uncovered-by-claroty-jfrog", + }, + { + "type": "URL", + "value": "https://jfrog.com/blog/unboxing-busybox-14-new-vulnerabilities-uncovered-by-claroty-and-jfrog/", + }, + { + "type": "URL", + "value": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6T2TURBYYJGBMQTTN2DSOAIQGP7WCPGV/", + }, + { + "type": "URL", + "value": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UQXGOGWBIYWOIVXJVRKHZR34UMEHQBXS/", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2021-42383", + }, + { + "type": "URL", + "value": "https://security.netapp.com/advisory/ntap-20211223-0002/", + }, + { + "type": "URL", + "value": "https://www.cve.org/CVERecord?id=CVE-2021-42383", + }, + ], + "severity": "HIGH", + }, + { + "attributes": { + "fixedVersion": "1.31.1-r11", + "foundIn": "bkimminich/juice-shop:v12.10.2 (alpine 3.11.12)", + "installedVersion": "1.31.1-r10", + "packageName": "ssl_client", + "references": [ + "https://access.redhat.com/security/cve/CVE-2021-42384", + 
"https://claroty.com/team82/research/unboxing-busybox-14-vulnerabilities-uncovered-by-claroty-jfrog", + "https://jfrog.com/blog/unboxing-busybox-14-new-vulnerabilities-uncovered-by-claroty-and-jfrog/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6T2TURBYYJGBMQTTN2DSOAIQGP7WCPGV/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UQXGOGWBIYWOIVXJVRKHZR34UMEHQBXS/", + "https://nvd.nist.gov/vuln/detail/CVE-2021-42384", + "https://security.netapp.com/advisory/ntap-20211223-0002/", + "https://ubuntu.com/security/notices/USN-5179-1", + "https://www.cve.org/CVERecord?id=CVE-2021-42384", + ], + "vulnerabilityId": "CVE-2021-42384", + }, + "category": "Image Vulnerability", + "description": "A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the handle_special function", + "location": "bkimminich/juice-shop:v12.10.2", + "mitigation": "Update the affected package ssl_client to the fixed version: 1.31.1-r11 or remove the package from the image.", + "name": "busybox: use-after-free in awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the handle_special()", + "osi_layer": "NOT_APPLICABLE", + "references": [ + { + "type": "CVE", + "value": "CVE-2021-42384", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2021-42384", + }, + { + "type": "URL", + "value": "https://access.redhat.com/security/cve/CVE-2021-42384", + }, + { + "type": "URL", + "value": "https://claroty.com/team82/research/unboxing-busybox-14-vulnerabilities-uncovered-by-claroty-jfrog", + }, + { + "type": "URL", + "value": "https://jfrog.com/blog/unboxing-busybox-14-new-vulnerabilities-uncovered-by-claroty-and-jfrog/", + }, + { + "type": "URL", + "value": 
"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6T2TURBYYJGBMQTTN2DSOAIQGP7WCPGV/", + }, + { + "type": "URL", + "value": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UQXGOGWBIYWOIVXJVRKHZR34UMEHQBXS/", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2021-42384", + }, + { + "type": "URL", + "value": "https://security.netapp.com/advisory/ntap-20211223-0002/", + }, + { + "type": "URL", + "value": "https://ubuntu.com/security/notices/USN-5179-1", + }, + { + "type": "URL", + "value": "https://www.cve.org/CVERecord?id=CVE-2021-42384", + }, + ], + "severity": "HIGH", + }, + { + "attributes": { + "fixedVersion": "1.31.1-r11", + "foundIn": "bkimminich/juice-shop:v12.10.2 (alpine 3.11.12)", + "installedVersion": "1.31.1-r10", + "packageName": "ssl_client", + "references": [ + "https://access.redhat.com/security/cve/CVE-2021-42385", + "https://claroty.com/team82/research/unboxing-busybox-14-vulnerabilities-uncovered-by-claroty-jfrog", + "https://jfrog.com/blog/unboxing-busybox-14-new-vulnerabilities-uncovered-by-claroty-and-jfrog/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6T2TURBYYJGBMQTTN2DSOAIQGP7WCPGV/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UQXGOGWBIYWOIVXJVRKHZR34UMEHQBXS/", + "https://nvd.nist.gov/vuln/detail/CVE-2021-42385", + "https://security.netapp.com/advisory/ntap-20211223-0002/", + "https://ubuntu.com/security/notices/USN-5179-1", + "https://www.cve.org/CVERecord?id=CVE-2021-42385", + ], + "vulnerabilityId": "CVE-2021-42385", + }, + "category": "Image Vulnerability", + "description": "A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the evaluate function", + "location": "bkimminich/juice-shop:v12.10.2", + "mitigation": "Update 
the affected package ssl_client to the fixed version: 1.31.1-r11 or remove the package from the image.", + "name": "busybox: use-after-free in awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the evaluate()", + "osi_layer": "NOT_APPLICABLE", + "references": [ + { + "type": "CVE", + "value": "CVE-2021-42385", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2021-42385", + }, + { + "type": "URL", + "value": "https://access.redhat.com/security/cve/CVE-2021-42385", + }, + { + "type": "URL", + "value": "https://claroty.com/team82/research/unboxing-busybox-14-vulnerabilities-uncovered-by-claroty-jfrog", + }, + { + "type": "URL", + "value": "https://jfrog.com/blog/unboxing-busybox-14-new-vulnerabilities-uncovered-by-claroty-and-jfrog/", + }, + { + "type": "URL", + "value": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6T2TURBYYJGBMQTTN2DSOAIQGP7WCPGV/", + }, + { + "type": "URL", + "value": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UQXGOGWBIYWOIVXJVRKHZR34UMEHQBXS/", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2021-42385", + }, + { + "type": "URL", + "value": "https://security.netapp.com/advisory/ntap-20211223-0002/", + }, + { + "type": "URL", + "value": "https://ubuntu.com/security/notices/USN-5179-1", + }, + { + "type": "URL", + "value": "https://www.cve.org/CVERecord?id=CVE-2021-42385", + }, + ], + "severity": "HIGH", + }, + { + "attributes": { + "fixedVersion": "1.31.1-r11", + "foundIn": "bkimminich/juice-shop:v12.10.2 (alpine 3.11.12)", + "installedVersion": "1.31.1-r10", + "packageName": "ssl_client", + "references": [ + "https://access.redhat.com/security/cve/CVE-2021-42386", + "https://claroty.com/team82/research/unboxing-busybox-14-vulnerabilities-uncovered-by-claroty-jfrog", + 
"https://jfrog.com/blog/unboxing-busybox-14-new-vulnerabilities-uncovered-by-claroty-and-jfrog/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6T2TURBYYJGBMQTTN2DSOAIQGP7WCPGV/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UQXGOGWBIYWOIVXJVRKHZR34UMEHQBXS/", + "https://nvd.nist.gov/vuln/detail/CVE-2021-42386", + "https://security.netapp.com/advisory/ntap-20211223-0002/", + "https://ubuntu.com/security/notices/USN-5179-1", + "https://www.cve.org/CVERecord?id=CVE-2021-42386", + ], + "vulnerabilityId": "CVE-2021-42386", + }, + "category": "Image Vulnerability", + "description": "A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the nvalloc function", + "location": "bkimminich/juice-shop:v12.10.2", + "mitigation": "Update the affected package ssl_client to the fixed version: 1.31.1-r11 or remove the package from the image.", + "name": "busybox: use-after-free in awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the nvalloc()", + "osi_layer": "NOT_APPLICABLE", + "references": [ + { + "type": "CVE", + "value": "CVE-2021-42386", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2021-42386", + }, + { + "type": "URL", + "value": "https://access.redhat.com/security/cve/CVE-2021-42386", + }, + { + "type": "URL", + "value": "https://claroty.com/team82/research/unboxing-busybox-14-vulnerabilities-uncovered-by-claroty-jfrog", + }, + { + "type": "URL", + "value": "https://jfrog.com/blog/unboxing-busybox-14-new-vulnerabilities-uncovered-by-claroty-and-jfrog/", + }, + { + "type": "URL", + "value": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6T2TURBYYJGBMQTTN2DSOAIQGP7WCPGV/", + }, + { + "type": "URL", + "value": 
"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UQXGOGWBIYWOIVXJVRKHZR34UMEHQBXS/", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2021-42386", + }, + { + "type": "URL", + "value": "https://security.netapp.com/advisory/ntap-20211223-0002/", + }, + { + "type": "URL", + "value": "https://ubuntu.com/security/notices/USN-5179-1", + }, + { + "type": "URL", + "value": "https://www.cve.org/CVERecord?id=CVE-2021-42386", + }, + ], + "severity": "HIGH", + }, + { + "attributes": { + "fixedVersion": "1.31.1-r11", + "foundIn": "bkimminich/juice-shop:v12.10.2 (alpine 3.11.12)", + "installedVersion": "1.31.1-r10", + "packageName": "ssl_client", + "references": [ + "https://access.redhat.com/security/cve/CVE-2021-42374", + "https://claroty.com/team82/research/unboxing-busybox-14-vulnerabilities-uncovered-by-claroty-jfrog", + "https://jfrog.com/blog/unboxing-busybox-14-new-vulnerabilities-uncovered-by-claroty-and-jfrog/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6T2TURBYYJGBMQTTN2DSOAIQGP7WCPGV/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UQXGOGWBIYWOIVXJVRKHZR34UMEHQBXS/", + "https://nvd.nist.gov/vuln/detail/CVE-2021-42374", + "https://security.netapp.com/advisory/ntap-20211223-0002/", + "https://ubuntu.com/security/notices/USN-5179-1", + "https://www.cve.org/CVERecord?id=CVE-2021-42374", + ], + "vulnerabilityId": "CVE-2021-42374", + }, + "category": "Image Vulnerability", + "description": "An out-of-bounds heap read in Busybox's unlzma applet leads to information leak and denial of service when crafted LZMA-compressed input is decompressed. 
This can be triggered by any applet/format that", + "location": "bkimminich/juice-shop:v12.10.2", + "mitigation": "Update the affected package ssl_client to the fixed version: 1.31.1-r11 or remove the package from the image.", + "name": "busybox: out-of-bounds read in unlzma applet leads to information leak and denial of service when crafted LZMA-compressed input is decompressed", + "osi_layer": "NOT_APPLICABLE", + "references": [ + { + "type": "CVE", + "value": "CVE-2021-42374", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2021-42374", + }, + { + "type": "URL", + "value": "https://access.redhat.com/security/cve/CVE-2021-42374", + }, + { + "type": "URL", + "value": "https://claroty.com/team82/research/unboxing-busybox-14-vulnerabilities-uncovered-by-claroty-jfrog", + }, + { + "type": "URL", + "value": "https://jfrog.com/blog/unboxing-busybox-14-new-vulnerabilities-uncovered-by-claroty-and-jfrog/", + }, + { + "type": "URL", + "value": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6T2TURBYYJGBMQTTN2DSOAIQGP7WCPGV/", + }, + { + "type": "URL", + "value": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UQXGOGWBIYWOIVXJVRKHZR34UMEHQBXS/", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2021-42374", + }, + { + "type": "URL", + "value": "https://security.netapp.com/advisory/ntap-20211223-0002/", + }, + { + "type": "URL", + "value": "https://ubuntu.com/security/notices/USN-5179-1", + }, + { + "type": "URL", + "value": "https://www.cve.org/CVERecord?id=CVE-2021-42374", + }, + ], + "severity": "MEDIUM", + }, + { + "attributes": { + "fixedVersion": "1.2.11-r4", + "foundIn": "bkimminich/juice-shop:v12.10.2 (alpine 3.11.12)", + "installedVersion": "1.2.11-r3", + "packageName": "zlib", + "references": [ + "http://seclists.org/fulldisclosure/2022/Oct/37", + "http://seclists.org/fulldisclosure/2022/Oct/38", + 
"http://seclists.org/fulldisclosure/2022/Oct/41", + "http://seclists.org/fulldisclosure/2022/Oct/42", + "http://www.openwall.com/lists/oss-security/2022/08/05/2", + "http://www.openwall.com/lists/oss-security/2022/08/09/1", + "https://access.redhat.com/errata/RHSA-2022:8291", + "https://access.redhat.com/security/cve/CVE-2022-37434", + "https://bugzilla.redhat.com/2116639", + "https://bugzilla.redhat.com/show_bug.cgi?id=2053198", + "https://bugzilla.redhat.com/show_bug.cgi?id=2077431", + "https://bugzilla.redhat.com/show_bug.cgi?id=2081296", + "https://bugzilla.redhat.com/show_bug.cgi?id=2116639", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-37434", + "https://errata.almalinux.org/9/ALSA-2022-8291.html", + "https://errata.rockylinux.org/RLSA-2022:8291", + "https://github.com/curl/curl/issues/9271", + "https://github.com/ivd38/zlib_overflow", + "https://github.com/madler/zlib/blob/21767c654d31d2dccdde4330529775c6c5fd5389/zlib.h#L1062-L1063", + "https://github.com/madler/zlib/commit/eff308af425b67093bab25f80f1ae950166bece1", + "https://github.com/nodejs/node/blob/75b68c6e4db515f76df73af476eccf382bbcb00a/deps/zlib/inflate.c#L762-L764", + "https://linux.oracle.com/cve/CVE-2022-37434.html", + "https://linux.oracle.com/errata/ELSA-2023-1095.html", + "https://lists.debian.org/debian-lts-announce/2022/09/msg00012.html", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JWN4VE3JQR4O2SOUS5TXNLANRPMHWV4I/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NMBOJ77A7T7PQCARMDUK75TE6LLESZ3O/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PAVPQNCG3XRLCLNSQRM3KAN5ZFMVXVTY/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/X5U7OTKZSHY2I3ZFJSR2SHFHW72RKGDK/", + 
"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YRQAI7H4M4RQZ2IWZUEEXECBE5D56BH2/", + "https://nvd.nist.gov/vuln/detail/CVE-2022-37434", + "https://security.netapp.com/advisory/ntap-20220901-0005/", + "https://security.netapp.com/advisory/ntap-20230427-0007/", + "https://support.apple.com/kb/HT213488", + "https://support.apple.com/kb/HT213489", + "https://support.apple.com/kb/HT213490", + "https://support.apple.com/kb/HT213491", + "https://support.apple.com/kb/HT213493", + "https://support.apple.com/kb/HT213494", + "https://ubuntu.com/security/notices/USN-5570-1", + "https://ubuntu.com/security/notices/USN-5570-2", + "https://ubuntu.com/security/notices/USN-5573-1", + "https://ubuntu.com/security/notices/USN-6736-1", + "https://ubuntu.com/security/notices/USN-6736-2", + "https://www.cve.org/CVERecord?id=CVE-2022-37434", + "https://www.debian.org/security/2022/dsa-5218", + ], + "vulnerabilityId": "CVE-2022-37434", + }, + "category": "Image Vulnerability", + "description": "zlib through 1.2.12 has a heap-based buffer over-read or buffer overflow in inflate in inflate.c via a large gzip header extra field. NOTE: only applications that call inflateGetHeader are affected. 
Some common applications bundle the affected zlib source code but may be unable to call inflateGetHeader (e.g., see the nodejs/node reference).", + "location": "bkimminich/juice-shop:v12.10.2", + "mitigation": "Update the affected package zlib to the fixed version: 1.2.11-r4 or remove the package from the image.", + "name": "zlib: heap-based buffer over-read and overflow in inflate() in inflate.c via a large gzip header extra field", + "osi_layer": "NOT_APPLICABLE", + "references": [ + { + "type": "CVE", + "value": "CVE-2022-37434", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2022-37434", + }, + { + "type": "URL", + "value": "http://seclists.org/fulldisclosure/2022/Oct/37", + }, + { + "type": "URL", + "value": "http://seclists.org/fulldisclosure/2022/Oct/38", + }, + { + "type": "URL", + "value": "http://seclists.org/fulldisclosure/2022/Oct/41", + }, + { + "type": "URL", + "value": "http://seclists.org/fulldisclosure/2022/Oct/42", + }, + { + "type": "URL", + "value": "http://www.openwall.com/lists/oss-security/2022/08/05/2", + }, + { + "type": "URL", + "value": "http://www.openwall.com/lists/oss-security/2022/08/09/1", + }, + { + "type": "URL", + "value": "https://access.redhat.com/errata/RHSA-2022:8291", + }, + { + "type": "URL", + "value": "https://access.redhat.com/security/cve/CVE-2022-37434", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/2116639", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/show_bug.cgi?id=2053198", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/show_bug.cgi?id=2077431", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/show_bug.cgi?id=2081296", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/show_bug.cgi?id=2116639", + }, + { + "type": "URL", + "value": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-37434", + }, + { + "type": "URL", + "value": "https://errata.almalinux.org/9/ALSA-2022-8291.html", + }, + { + 
"type": "URL", + "value": "https://errata.rockylinux.org/RLSA-2022:8291", + }, + { + "type": "URL", + "value": "https://github.com/curl/curl/issues/9271", + }, + { + "type": "URL", + "value": "https://github.com/ivd38/zlib_overflow", + }, + { + "type": "URL", + "value": "https://github.com/madler/zlib/blob/21767c654d31d2dccdde4330529775c6c5fd5389/zlib.h#L1062-L1063", + }, + { + "type": "URL", + "value": "https://github.com/madler/zlib/commit/eff308af425b67093bab25f80f1ae950166bece1", + }, + { + "type": "URL", + "value": "https://github.com/nodejs/node/blob/75b68c6e4db515f76df73af476eccf382bbcb00a/deps/zlib/inflate.c#L762-L764", + }, + { + "type": "URL", + "value": "https://linux.oracle.com/cve/CVE-2022-37434.html", + }, + { + "type": "URL", + "value": "https://linux.oracle.com/errata/ELSA-2023-1095.html", + }, + { + "type": "URL", + "value": "https://lists.debian.org/debian-lts-announce/2022/09/msg00012.html", + }, + { + "type": "URL", + "value": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JWN4VE3JQR4O2SOUS5TXNLANRPMHWV4I/", + }, + { + "type": "URL", + "value": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NMBOJ77A7T7PQCARMDUK75TE6LLESZ3O/", + }, + { + "type": "URL", + "value": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PAVPQNCG3XRLCLNSQRM3KAN5ZFMVXVTY/", + }, + { + "type": "URL", + "value": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/X5U7OTKZSHY2I3ZFJSR2SHFHW72RKGDK/", + }, + { + "type": "URL", + "value": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YRQAI7H4M4RQZ2IWZUEEXECBE5D56BH2/", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2022-37434", + }, + { + "type": "URL", + "value": "https://security.netapp.com/advisory/ntap-20220901-0005/", + }, + { + "type": "URL", + 
"value": "https://security.netapp.com/advisory/ntap-20230427-0007/", + }, + { + "type": "URL", + "value": "https://support.apple.com/kb/HT213488", + }, + { + "type": "URL", + "value": "https://support.apple.com/kb/HT213489", + }, + { + "type": "URL", + "value": "https://support.apple.com/kb/HT213490", + }, + { + "type": "URL", + "value": "https://support.apple.com/kb/HT213491", + }, + { + "type": "URL", + "value": "https://support.apple.com/kb/HT213493", + }, + { + "type": "URL", + "value": "https://support.apple.com/kb/HT213494", + }, + { + "type": "URL", + "value": "https://ubuntu.com/security/notices/USN-5570-1", + }, + { + "type": "URL", + "value": "https://ubuntu.com/security/notices/USN-5570-2", + }, + { + "type": "URL", + "value": "https://ubuntu.com/security/notices/USN-5573-1", + }, + { + "type": "URL", + "value": "https://ubuntu.com/security/notices/USN-6736-1", + }, + { + "type": "URL", + "value": "https://ubuntu.com/security/notices/USN-6736-2", + }, + { + "type": "URL", + "value": "https://www.cve.org/CVERecord?id=CVE-2022-37434", + }, + { + "type": "URL", + "value": "https://www.debian.org/security/2022/dsa-5218", + }, + ], + "severity": "HIGH", + }, + { + "attributes": { + "fixedVersion": "6.0.1, 5.0.1, 4.1.1, 3.0.1", + "foundIn": "Node.js", + "installedVersion": "3.0.0", + "packageName": "ansi-regex", + "references": [ + "https://access.redhat.com/errata/RHSA-2022:6595", + "https://access.redhat.com/security/cve/CVE-2021-3807", + "https://app.snyk.io/vuln/SNYK-JS-ANSIREGEX-1583908", + "https://bugzilla.redhat.com/1907444", + "https://bugzilla.redhat.com/1945459", + "https://bugzilla.redhat.com/1964461", + "https://bugzilla.redhat.com/2007557", + "https://bugzilla.redhat.com/2098556", + "https://bugzilla.redhat.com/2102001", + "https://bugzilla.redhat.com/2105422", + "https://bugzilla.redhat.com/2105426", + "https://bugzilla.redhat.com/2105428", + "https://bugzilla.redhat.com/2105430", + "https://errata.almalinux.org/9/ALSA-2022-6595.html", + 
"https://github.com/chalk/ansi-regex", + "https://github.com/chalk/ansi-regex/commit/419250fa510bf31b4cc672e76537a64f9332e1f1", + "https://github.com/chalk/ansi-regex/commit/75a657da7af875b2e2724fd6331bf0a4b23d3c9a", + "https://github.com/chalk/ansi-regex/commit/8d1d7cdb586269882c4bdc1b7325d0c58c8f76f9", + "https://github.com/chalk/ansi-regex/commit/c3c0b3f2736b9c01feec0fef33980c43720dcde8", + "https://github.com/chalk/ansi-regex/issues/38#issuecomment-924086311", + "https://github.com/chalk/ansi-regex/issues/38#issuecomment-925924774", + "https://github.com/chalk/ansi-regex/releases/tag/v6.0.1", + "https://huntr.dev/bounties/5b3cf33b-ede0-4398-9974-800876dfd994", + "https://linux.oracle.com/cve/CVE-2021-3807.html", + "https://linux.oracle.com/errata/ELSA-2022-6595.html", + "https://nvd.nist.gov/vuln/detail/CVE-2021-3807", + "https://security.netapp.com/advisory/ntap-20221014-0002", + "https://security.netapp.com/advisory/ntap-20221014-0002/", + "https://www.cve.org/CVERecord?id=CVE-2021-3807", + "https://www.oracle.com/security-alerts/cpuapr2022.html", + ], + "vulnerabilityId": "CVE-2021-3807", + }, + "category": "NPM Package Vulnerability", + "description": "ansi-regex is vulnerable to Inefficient Regular Expression Complexity", + "location": "bkimminich/juice-shop:v12.10.2", + "mitigation": "Update the affected package ansi-regex to the fixed version: 6.0.1, 5.0.1, 4.1.1, 3.0.1 or remove the package from the image.", + "name": "nodejs-ansi-regex: Regular expression denial of service (ReDoS) matching ANSI escape codes", + "osi_layer": "NOT_APPLICABLE", + "references": [ + { + "type": "CVE", + "value": "CVE-2021-3807", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2021-3807", + }, + { + "type": "URL", + "value": "https://access.redhat.com/errata/RHSA-2022:6595", + }, + { + "type": "URL", + "value": "https://access.redhat.com/security/cve/CVE-2021-3807", + }, + { + "type": "URL", + "value": 
"https://app.snyk.io/vuln/SNYK-JS-ANSIREGEX-1583908", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/1907444", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/1945459", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/1964461", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/2007557", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/2098556", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/2102001", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/2105422", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/2105426", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/2105428", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/2105430", + }, + { + "type": "URL", + "value": "https://errata.almalinux.org/9/ALSA-2022-6595.html", + }, + { + "type": "URL", + "value": "https://github.com/chalk/ansi-regex", + }, + { + "type": "URL", + "value": "https://github.com/chalk/ansi-regex/commit/419250fa510bf31b4cc672e76537a64f9332e1f1", + }, + { + "type": "URL", + "value": "https://github.com/chalk/ansi-regex/commit/75a657da7af875b2e2724fd6331bf0a4b23d3c9a", + }, + { + "type": "URL", + "value": "https://github.com/chalk/ansi-regex/commit/8d1d7cdb586269882c4bdc1b7325d0c58c8f76f9", + }, + { + "type": "URL", + "value": "https://github.com/chalk/ansi-regex/commit/c3c0b3f2736b9c01feec0fef33980c43720dcde8", + }, + { + "type": "URL", + "value": "https://github.com/chalk/ansi-regex/issues/38#issuecomment-924086311", + }, + { + "type": "URL", + "value": "https://github.com/chalk/ansi-regex/issues/38#issuecomment-925924774", + }, + { + "type": "URL", + "value": "https://github.com/chalk/ansi-regex/releases/tag/v6.0.1", + }, + { + "type": "URL", + "value": "https://huntr.dev/bounties/5b3cf33b-ede0-4398-9974-800876dfd994", + }, + { + "type": "URL", + "value": "https://linux.oracle.com/cve/CVE-2021-3807.html", + }, + { + 
"type": "URL", + "value": "https://linux.oracle.com/errata/ELSA-2022-6595.html", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2021-3807", + }, + { + "type": "URL", + "value": "https://security.netapp.com/advisory/ntap-20221014-0002", + }, + { + "type": "URL", + "value": "https://security.netapp.com/advisory/ntap-20221014-0002/", + }, + { + "type": "URL", + "value": "https://www.cve.org/CVERecord?id=CVE-2021-3807", + }, + { + "type": "URL", + "value": "https://www.oracle.com/security-alerts/cpuapr2022.html", + }, + ], + "severity": "HIGH", + }, + { + "attributes": { + "fixedVersion": "6.0.1, 5.0.1, 4.1.1, 3.0.1", + "foundIn": "Node.js", + "installedVersion": "3.0.0", + "packageName": "ansi-regex", + "references": [ + "https://access.redhat.com/errata/RHSA-2022:6595", + "https://access.redhat.com/security/cve/CVE-2021-3807", + "https://app.snyk.io/vuln/SNYK-JS-ANSIREGEX-1583908", + "https://bugzilla.redhat.com/1907444", + "https://bugzilla.redhat.com/1945459", + "https://bugzilla.redhat.com/1964461", + "https://bugzilla.redhat.com/2007557", + "https://bugzilla.redhat.com/2098556", + "https://bugzilla.redhat.com/2102001", + "https://bugzilla.redhat.com/2105422", + "https://bugzilla.redhat.com/2105426", + "https://bugzilla.redhat.com/2105428", + "https://bugzilla.redhat.com/2105430", + "https://errata.almalinux.org/9/ALSA-2022-6595.html", + "https://github.com/chalk/ansi-regex", + "https://github.com/chalk/ansi-regex/commit/419250fa510bf31b4cc672e76537a64f9332e1f1", + "https://github.com/chalk/ansi-regex/commit/75a657da7af875b2e2724fd6331bf0a4b23d3c9a", + "https://github.com/chalk/ansi-regex/commit/8d1d7cdb586269882c4bdc1b7325d0c58c8f76f9", + "https://github.com/chalk/ansi-regex/commit/c3c0b3f2736b9c01feec0fef33980c43720dcde8", + "https://github.com/chalk/ansi-regex/issues/38#issuecomment-924086311", + "https://github.com/chalk/ansi-regex/issues/38#issuecomment-925924774", + "https://github.com/chalk/ansi-regex/releases/tag/v6.0.1", + 
"https://huntr.dev/bounties/5b3cf33b-ede0-4398-9974-800876dfd994", + "https://linux.oracle.com/cve/CVE-2021-3807.html", + "https://linux.oracle.com/errata/ELSA-2022-6595.html", + "https://nvd.nist.gov/vuln/detail/CVE-2021-3807", + "https://security.netapp.com/advisory/ntap-20221014-0002", + "https://security.netapp.com/advisory/ntap-20221014-0002/", + "https://www.cve.org/CVERecord?id=CVE-2021-3807", + "https://www.oracle.com/security-alerts/cpuapr2022.html", + ], + "vulnerabilityId": "CVE-2021-3807", + }, + "category": "NPM Package Vulnerability", + "description": "ansi-regex is vulnerable to Inefficient Regular Expression Complexity", + "location": "bkimminich/juice-shop:v12.10.2", + "mitigation": "Update the affected package ansi-regex to the fixed version: 6.0.1, 5.0.1, 4.1.1, 3.0.1 or remove the package from the image.", + "name": "nodejs-ansi-regex: Regular expression denial of service (ReDoS) matching ANSI escape codes", + "osi_layer": "NOT_APPLICABLE", + "references": [ + { + "type": "CVE", + "value": "CVE-2021-3807", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2021-3807", + }, + { + "type": "URL", + "value": "https://access.redhat.com/errata/RHSA-2022:6595", + }, + { + "type": "URL", + "value": "https://access.redhat.com/security/cve/CVE-2021-3807", + }, + { + "type": "URL", + "value": "https://app.snyk.io/vuln/SNYK-JS-ANSIREGEX-1583908", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/1907444", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/1945459", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/1964461", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/2007557", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/2098556", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/2102001", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/2105422", + }, + { + "type": "URL", + "value": 
"https://bugzilla.redhat.com/2105426", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/2105428", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/2105430", + }, + { + "type": "URL", + "value": "https://errata.almalinux.org/9/ALSA-2022-6595.html", + }, + { + "type": "URL", + "value": "https://github.com/chalk/ansi-regex", + }, + { + "type": "URL", + "value": "https://github.com/chalk/ansi-regex/commit/419250fa510bf31b4cc672e76537a64f9332e1f1", + }, + { + "type": "URL", + "value": "https://github.com/chalk/ansi-regex/commit/75a657da7af875b2e2724fd6331bf0a4b23d3c9a", + }, + { + "type": "URL", + "value": "https://github.com/chalk/ansi-regex/commit/8d1d7cdb586269882c4bdc1b7325d0c58c8f76f9", + }, + { + "type": "URL", + "value": "https://github.com/chalk/ansi-regex/commit/c3c0b3f2736b9c01feec0fef33980c43720dcde8", + }, + { + "type": "URL", + "value": "https://github.com/chalk/ansi-regex/issues/38#issuecomment-924086311", + }, + { + "type": "URL", + "value": "https://github.com/chalk/ansi-regex/issues/38#issuecomment-925924774", + }, + { + "type": "URL", + "value": "https://github.com/chalk/ansi-regex/releases/tag/v6.0.1", + }, + { + "type": "URL", + "value": "https://huntr.dev/bounties/5b3cf33b-ede0-4398-9974-800876dfd994", + }, + { + "type": "URL", + "value": "https://linux.oracle.com/cve/CVE-2021-3807.html", + }, + { + "type": "URL", + "value": "https://linux.oracle.com/errata/ELSA-2022-6595.html", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2021-3807", + }, + { + "type": "URL", + "value": "https://security.netapp.com/advisory/ntap-20221014-0002", + }, + { + "type": "URL", + "value": "https://security.netapp.com/advisory/ntap-20221014-0002/", + }, + { + "type": "URL", + "value": "https://www.cve.org/CVERecord?id=CVE-2021-3807", + }, + { + "type": "URL", + "value": "https://www.oracle.com/security-alerts/cpuapr2022.html", + }, + ], + "severity": "HIGH", + }, + { + "attributes": { + "fixedVersion": "6.0.1, 
5.0.1, 4.1.1, 3.0.1", + "foundIn": "Node.js", + "installedVersion": "4.1.0", + "packageName": "ansi-regex", + "references": [ + "https://access.redhat.com/errata/RHSA-2022:6595", + "https://access.redhat.com/security/cve/CVE-2021-3807", + "https://app.snyk.io/vuln/SNYK-JS-ANSIREGEX-1583908", + "https://bugzilla.redhat.com/1907444", + "https://bugzilla.redhat.com/1945459", + "https://bugzilla.redhat.com/1964461", + "https://bugzilla.redhat.com/2007557", + "https://bugzilla.redhat.com/2098556", + "https://bugzilla.redhat.com/2102001", + "https://bugzilla.redhat.com/2105422", + "https://bugzilla.redhat.com/2105426", + "https://bugzilla.redhat.com/2105428", + "https://bugzilla.redhat.com/2105430", + "https://errata.almalinux.org/9/ALSA-2022-6595.html", + "https://github.com/chalk/ansi-regex", + "https://github.com/chalk/ansi-regex/commit/419250fa510bf31b4cc672e76537a64f9332e1f1", + "https://github.com/chalk/ansi-regex/commit/75a657da7af875b2e2724fd6331bf0a4b23d3c9a", + "https://github.com/chalk/ansi-regex/commit/8d1d7cdb586269882c4bdc1b7325d0c58c8f76f9", + "https://github.com/chalk/ansi-regex/commit/c3c0b3f2736b9c01feec0fef33980c43720dcde8", + "https://github.com/chalk/ansi-regex/issues/38#issuecomment-924086311", + "https://github.com/chalk/ansi-regex/issues/38#issuecomment-925924774", + "https://github.com/chalk/ansi-regex/releases/tag/v6.0.1", + "https://huntr.dev/bounties/5b3cf33b-ede0-4398-9974-800876dfd994", + "https://linux.oracle.com/cve/CVE-2021-3807.html", + "https://linux.oracle.com/errata/ELSA-2022-6595.html", + "https://nvd.nist.gov/vuln/detail/CVE-2021-3807", + "https://security.netapp.com/advisory/ntap-20221014-0002", + "https://security.netapp.com/advisory/ntap-20221014-0002/", + "https://www.cve.org/CVERecord?id=CVE-2021-3807", + "https://www.oracle.com/security-alerts/cpuapr2022.html", + ], + "vulnerabilityId": "CVE-2021-3807", + }, + "category": "NPM Package Vulnerability", + "description": "ansi-regex is vulnerable to Inefficient Regular Expression 
Complexity", + "location": "bkimminich/juice-shop:v12.10.2", + "mitigation": "Update the affected package ansi-regex to the fixed version: 6.0.1, 5.0.1, 4.1.1, 3.0.1 or remove the package from the image.", + "name": "nodejs-ansi-regex: Regular expression denial of service (ReDoS) matching ANSI escape codes", + "osi_layer": "NOT_APPLICABLE", + "references": [ + { + "type": "CVE", + "value": "CVE-2021-3807", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2021-3807", + }, + { + "type": "URL", + "value": "https://access.redhat.com/errata/RHSA-2022:6595", + }, + { + "type": "URL", + "value": "https://access.redhat.com/security/cve/CVE-2021-3807", + }, + { + "type": "URL", + "value": "https://app.snyk.io/vuln/SNYK-JS-ANSIREGEX-1583908", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/1907444", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/1945459", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/1964461", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/2007557", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/2098556", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/2102001", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/2105422", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/2105426", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/2105428", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/2105430", + }, + { + "type": "URL", + "value": "https://errata.almalinux.org/9/ALSA-2022-6595.html", + }, + { + "type": "URL", + "value": "https://github.com/chalk/ansi-regex", + }, + { + "type": "URL", + "value": "https://github.com/chalk/ansi-regex/commit/419250fa510bf31b4cc672e76537a64f9332e1f1", + }, + { + "type": "URL", + "value": "https://github.com/chalk/ansi-regex/commit/75a657da7af875b2e2724fd6331bf0a4b23d3c9a", + }, + { + "type": "URL", + "value": 
"https://github.com/chalk/ansi-regex/commit/8d1d7cdb586269882c4bdc1b7325d0c58c8f76f9", + }, + { + "type": "URL", + "value": "https://github.com/chalk/ansi-regex/commit/c3c0b3f2736b9c01feec0fef33980c43720dcde8", + }, + { + "type": "URL", + "value": "https://github.com/chalk/ansi-regex/issues/38#issuecomment-924086311", + }, + { + "type": "URL", + "value": "https://github.com/chalk/ansi-regex/issues/38#issuecomment-925924774", + }, + { + "type": "URL", + "value": "https://github.com/chalk/ansi-regex/releases/tag/v6.0.1", + }, + { + "type": "URL", + "value": "https://huntr.dev/bounties/5b3cf33b-ede0-4398-9974-800876dfd994", + }, + { + "type": "URL", + "value": "https://linux.oracle.com/cve/CVE-2021-3807.html", + }, + { + "type": "URL", + "value": "https://linux.oracle.com/errata/ELSA-2022-6595.html", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2021-3807", + }, + { + "type": "URL", + "value": "https://security.netapp.com/advisory/ntap-20221014-0002", + }, + { + "type": "URL", + "value": "https://security.netapp.com/advisory/ntap-20221014-0002/", + }, + { + "type": "URL", + "value": "https://www.cve.org/CVERecord?id=CVE-2021-3807", + }, + { + "type": "URL", + "value": "https://www.oracle.com/security-alerts/cpuapr2022.html", + }, + ], + "severity": "HIGH", + }, + { + "attributes": { + "fixedVersion": "6.0.1, 5.0.1, 4.1.1, 3.0.1", + "foundIn": "Node.js", + "installedVersion": "4.1.0", + "packageName": "ansi-regex", + "references": [ + "https://access.redhat.com/errata/RHSA-2022:6595", + "https://access.redhat.com/security/cve/CVE-2021-3807", + "https://app.snyk.io/vuln/SNYK-JS-ANSIREGEX-1583908", + "https://bugzilla.redhat.com/1907444", + "https://bugzilla.redhat.com/1945459", + "https://bugzilla.redhat.com/1964461", + "https://bugzilla.redhat.com/2007557", + "https://bugzilla.redhat.com/2098556", + "https://bugzilla.redhat.com/2102001", + "https://bugzilla.redhat.com/2105422", + "https://bugzilla.redhat.com/2105426", + 
"https://bugzilla.redhat.com/2105428", + "https://bugzilla.redhat.com/2105430", + "https://errata.almalinux.org/9/ALSA-2022-6595.html", + "https://github.com/chalk/ansi-regex", + "https://github.com/chalk/ansi-regex/commit/419250fa510bf31b4cc672e76537a64f9332e1f1", + "https://github.com/chalk/ansi-regex/commit/75a657da7af875b2e2724fd6331bf0a4b23d3c9a", + "https://github.com/chalk/ansi-regex/commit/8d1d7cdb586269882c4bdc1b7325d0c58c8f76f9", + "https://github.com/chalk/ansi-regex/commit/c3c0b3f2736b9c01feec0fef33980c43720dcde8", + "https://github.com/chalk/ansi-regex/issues/38#issuecomment-924086311", + "https://github.com/chalk/ansi-regex/issues/38#issuecomment-925924774", + "https://github.com/chalk/ansi-regex/releases/tag/v6.0.1", + "https://huntr.dev/bounties/5b3cf33b-ede0-4398-9974-800876dfd994", + "https://linux.oracle.com/cve/CVE-2021-3807.html", + "https://linux.oracle.com/errata/ELSA-2022-6595.html", + "https://nvd.nist.gov/vuln/detail/CVE-2021-3807", + "https://security.netapp.com/advisory/ntap-20221014-0002", + "https://security.netapp.com/advisory/ntap-20221014-0002/", + "https://www.cve.org/CVERecord?id=CVE-2021-3807", + "https://www.oracle.com/security-alerts/cpuapr2022.html", + ], + "vulnerabilityId": "CVE-2021-3807", + }, + "category": "NPM Package Vulnerability", + "description": "ansi-regex is vulnerable to Inefficient Regular Expression Complexity", + "location": "bkimminich/juice-shop:v12.10.2", + "mitigation": "Update the affected package ansi-regex to the fixed version: 6.0.1, 5.0.1, 4.1.1, 3.0.1 or remove the package from the image.", + "name": "nodejs-ansi-regex: Regular expression denial of service (ReDoS) matching ANSI escape codes", + "osi_layer": "NOT_APPLICABLE", + "references": [ + { + "type": "CVE", + "value": "CVE-2021-3807", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2021-3807", + }, + { + "type": "URL", + "value": "https://access.redhat.com/errata/RHSA-2022:6595", + }, + { + "type": "URL", + "value": 
"https://access.redhat.com/security/cve/CVE-2021-3807", + }, + { + "type": "URL", + "value": "https://app.snyk.io/vuln/SNYK-JS-ANSIREGEX-1583908", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/1907444", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/1945459", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/1964461", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/2007557", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/2098556", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/2102001", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/2105422", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/2105426", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/2105428", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/2105430", + }, + { + "type": "URL", + "value": "https://errata.almalinux.org/9/ALSA-2022-6595.html", + }, + { + "type": "URL", + "value": "https://github.com/chalk/ansi-regex", + }, + { + "type": "URL", + "value": "https://github.com/chalk/ansi-regex/commit/419250fa510bf31b4cc672e76537a64f9332e1f1", + }, + { + "type": "URL", + "value": "https://github.com/chalk/ansi-regex/commit/75a657da7af875b2e2724fd6331bf0a4b23d3c9a", + }, + { + "type": "URL", + "value": "https://github.com/chalk/ansi-regex/commit/8d1d7cdb586269882c4bdc1b7325d0c58c8f76f9", + }, + { + "type": "URL", + "value": "https://github.com/chalk/ansi-regex/commit/c3c0b3f2736b9c01feec0fef33980c43720dcde8", + }, + { + "type": "URL", + "value": "https://github.com/chalk/ansi-regex/issues/38#issuecomment-924086311", + }, + { + "type": "URL", + "value": "https://github.com/chalk/ansi-regex/issues/38#issuecomment-925924774", + }, + { + "type": "URL", + "value": "https://github.com/chalk/ansi-regex/releases/tag/v6.0.1", + }, + { + "type": "URL", + "value": "https://huntr.dev/bounties/5b3cf33b-ede0-4398-9974-800876dfd994", + }, + { + 
"type": "URL", + "value": "https://linux.oracle.com/cve/CVE-2021-3807.html", + }, + { + "type": "URL", + "value": "https://linux.oracle.com/errata/ELSA-2022-6595.html", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2021-3807", + }, + { + "type": "URL", + "value": "https://security.netapp.com/advisory/ntap-20221014-0002", + }, + { + "type": "URL", + "value": "https://security.netapp.com/advisory/ntap-20221014-0002/", + }, + { + "type": "URL", + "value": "https://www.cve.org/CVERecord?id=CVE-2021-3807", + }, + { + "type": "URL", + "value": "https://www.oracle.com/security-alerts/cpuapr2022.html", + }, + ], + "severity": "HIGH", + }, + { + "attributes": { + "fixedVersion": "6.0.1, 5.0.1, 4.1.1, 3.0.1", + "foundIn": "Node.js", + "installedVersion": "4.1.0", + "packageName": "ansi-regex", + "references": [ + "https://access.redhat.com/errata/RHSA-2022:6595", + "https://access.redhat.com/security/cve/CVE-2021-3807", + "https://app.snyk.io/vuln/SNYK-JS-ANSIREGEX-1583908", + "https://bugzilla.redhat.com/1907444", + "https://bugzilla.redhat.com/1945459", + "https://bugzilla.redhat.com/1964461", + "https://bugzilla.redhat.com/2007557", + "https://bugzilla.redhat.com/2098556", + "https://bugzilla.redhat.com/2102001", + "https://bugzilla.redhat.com/2105422", + "https://bugzilla.redhat.com/2105426", + "https://bugzilla.redhat.com/2105428", + "https://bugzilla.redhat.com/2105430", + "https://errata.almalinux.org/9/ALSA-2022-6595.html", + "https://github.com/chalk/ansi-regex", + "https://github.com/chalk/ansi-regex/commit/419250fa510bf31b4cc672e76537a64f9332e1f1", + "https://github.com/chalk/ansi-regex/commit/75a657da7af875b2e2724fd6331bf0a4b23d3c9a", + "https://github.com/chalk/ansi-regex/commit/8d1d7cdb586269882c4bdc1b7325d0c58c8f76f9", + "https://github.com/chalk/ansi-regex/commit/c3c0b3f2736b9c01feec0fef33980c43720dcde8", + "https://github.com/chalk/ansi-regex/issues/38#issuecomment-924086311", + 
"https://github.com/chalk/ansi-regex/issues/38#issuecomment-925924774", + "https://github.com/chalk/ansi-regex/releases/tag/v6.0.1", + "https://huntr.dev/bounties/5b3cf33b-ede0-4398-9974-800876dfd994", + "https://linux.oracle.com/cve/CVE-2021-3807.html", + "https://linux.oracle.com/errata/ELSA-2022-6595.html", + "https://nvd.nist.gov/vuln/detail/CVE-2021-3807", + "https://security.netapp.com/advisory/ntap-20221014-0002", + "https://security.netapp.com/advisory/ntap-20221014-0002/", + "https://www.cve.org/CVERecord?id=CVE-2021-3807", + "https://www.oracle.com/security-alerts/cpuapr2022.html", + ], + "vulnerabilityId": "CVE-2021-3807", + }, + "category": "NPM Package Vulnerability", + "description": "ansi-regex is vulnerable to Inefficient Regular Expression Complexity", + "location": "bkimminich/juice-shop:v12.10.2", + "mitigation": "Update the affected package ansi-regex to the fixed version: 6.0.1, 5.0.1, 4.1.1, 3.0.1 or remove the package from the image.", + "name": "nodejs-ansi-regex: Regular expression denial of service (ReDoS) matching ANSI escape codes", + "osi_layer": "NOT_APPLICABLE", + "references": [ + { + "type": "CVE", + "value": "CVE-2021-3807", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2021-3807", + }, + { + "type": "URL", + "value": "https://access.redhat.com/errata/RHSA-2022:6595", + }, + { + "type": "URL", + "value": "https://access.redhat.com/security/cve/CVE-2021-3807", + }, + { + "type": "URL", + "value": "https://app.snyk.io/vuln/SNYK-JS-ANSIREGEX-1583908", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/1907444", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/1945459", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/1964461", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/2007557", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/2098556", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/2102001", + }, + 
{ + "type": "URL", + "value": "https://bugzilla.redhat.com/2105422", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/2105426", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/2105428", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/2105430", + }, + { + "type": "URL", + "value": "https://errata.almalinux.org/9/ALSA-2022-6595.html", + }, + { + "type": "URL", + "value": "https://github.com/chalk/ansi-regex", + }, + { + "type": "URL", + "value": "https://github.com/chalk/ansi-regex/commit/419250fa510bf31b4cc672e76537a64f9332e1f1", + }, + { + "type": "URL", + "value": "https://github.com/chalk/ansi-regex/commit/75a657da7af875b2e2724fd6331bf0a4b23d3c9a", + }, + { + "type": "URL", + "value": "https://github.com/chalk/ansi-regex/commit/8d1d7cdb586269882c4bdc1b7325d0c58c8f76f9", + }, + { + "type": "URL", + "value": "https://github.com/chalk/ansi-regex/commit/c3c0b3f2736b9c01feec0fef33980c43720dcde8", + }, + { + "type": "URL", + "value": "https://github.com/chalk/ansi-regex/issues/38#issuecomment-924086311", + }, + { + "type": "URL", + "value": "https://github.com/chalk/ansi-regex/issues/38#issuecomment-925924774", + }, + { + "type": "URL", + "value": "https://github.com/chalk/ansi-regex/releases/tag/v6.0.1", + }, + { + "type": "URL", + "value": "https://huntr.dev/bounties/5b3cf33b-ede0-4398-9974-800876dfd994", + }, + { + "type": "URL", + "value": "https://linux.oracle.com/cve/CVE-2021-3807.html", + }, + { + "type": "URL", + "value": "https://linux.oracle.com/errata/ELSA-2022-6595.html", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2021-3807", + }, + { + "type": "URL", + "value": "https://security.netapp.com/advisory/ntap-20221014-0002", + }, + { + "type": "URL", + "value": "https://security.netapp.com/advisory/ntap-20221014-0002/", + }, + { + "type": "URL", + "value": "https://www.cve.org/CVERecord?id=CVE-2021-3807", + }, + { + "type": "URL", + "value": 
"https://www.oracle.com/security-alerts/cpuapr2022.html", + }, + ], + "severity": "HIGH", + }, + { + "attributes": { + "fixedVersion": "6.0.1, 5.0.1, 4.1.1, 3.0.1", + "foundIn": "Node.js", + "installedVersion": "4.1.0", + "packageName": "ansi-regex", + "references": [ + "https://access.redhat.com/errata/RHSA-2022:6595", + "https://access.redhat.com/security/cve/CVE-2021-3807", + "https://app.snyk.io/vuln/SNYK-JS-ANSIREGEX-1583908", + "https://bugzilla.redhat.com/1907444", + "https://bugzilla.redhat.com/1945459", + "https://bugzilla.redhat.com/1964461", + "https://bugzilla.redhat.com/2007557", + "https://bugzilla.redhat.com/2098556", + "https://bugzilla.redhat.com/2102001", + "https://bugzilla.redhat.com/2105422", + "https://bugzilla.redhat.com/2105426", + "https://bugzilla.redhat.com/2105428", + "https://bugzilla.redhat.com/2105430", + "https://errata.almalinux.org/9/ALSA-2022-6595.html", + "https://github.com/chalk/ansi-regex", + "https://github.com/chalk/ansi-regex/commit/419250fa510bf31b4cc672e76537a64f9332e1f1", + "https://github.com/chalk/ansi-regex/commit/75a657da7af875b2e2724fd6331bf0a4b23d3c9a", + "https://github.com/chalk/ansi-regex/commit/8d1d7cdb586269882c4bdc1b7325d0c58c8f76f9", + "https://github.com/chalk/ansi-regex/commit/c3c0b3f2736b9c01feec0fef33980c43720dcde8", + "https://github.com/chalk/ansi-regex/issues/38#issuecomment-924086311", + "https://github.com/chalk/ansi-regex/issues/38#issuecomment-925924774", + "https://github.com/chalk/ansi-regex/releases/tag/v6.0.1", + "https://huntr.dev/bounties/5b3cf33b-ede0-4398-9974-800876dfd994", + "https://linux.oracle.com/cve/CVE-2021-3807.html", + "https://linux.oracle.com/errata/ELSA-2022-6595.html", + "https://nvd.nist.gov/vuln/detail/CVE-2021-3807", + "https://security.netapp.com/advisory/ntap-20221014-0002", + "https://security.netapp.com/advisory/ntap-20221014-0002/", + "https://www.cve.org/CVERecord?id=CVE-2021-3807", + "https://www.oracle.com/security-alerts/cpuapr2022.html", + ], + "vulnerabilityId": 
"CVE-2021-3807", + }, + "category": "NPM Package Vulnerability", + "description": "ansi-regex is vulnerable to Inefficient Regular Expression Complexity", + "location": "bkimminich/juice-shop:v12.10.2", + "mitigation": "Update the affected package ansi-regex to the fixed version: 6.0.1, 5.0.1, 4.1.1, 3.0.1 or remove the package from the image.", + "name": "nodejs-ansi-regex: Regular expression denial of service (ReDoS) matching ANSI escape codes", + "osi_layer": "NOT_APPLICABLE", + "references": [ + { + "type": "CVE", + "value": "CVE-2021-3807", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2021-3807", + }, + { + "type": "URL", + "value": "https://access.redhat.com/errata/RHSA-2022:6595", + }, + { + "type": "URL", + "value": "https://access.redhat.com/security/cve/CVE-2021-3807", + }, + { + "type": "URL", + "value": "https://app.snyk.io/vuln/SNYK-JS-ANSIREGEX-1583908", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/1907444", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/1945459", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/1964461", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/2007557", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/2098556", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/2102001", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/2105422", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/2105426", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/2105428", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/2105430", + }, + { + "type": "URL", + "value": "https://errata.almalinux.org/9/ALSA-2022-6595.html", + }, + { + "type": "URL", + "value": "https://github.com/chalk/ansi-regex", + }, + { + "type": "URL", + "value": "https://github.com/chalk/ansi-regex/commit/419250fa510bf31b4cc672e76537a64f9332e1f1", + }, + { + "type": "URL", + "value": 
"https://github.com/chalk/ansi-regex/commit/75a657da7af875b2e2724fd6331bf0a4b23d3c9a", + }, + { + "type": "URL", + "value": "https://github.com/chalk/ansi-regex/commit/8d1d7cdb586269882c4bdc1b7325d0c58c8f76f9", + }, + { + "type": "URL", + "value": "https://github.com/chalk/ansi-regex/commit/c3c0b3f2736b9c01feec0fef33980c43720dcde8", + }, + { + "type": "URL", + "value": "https://github.com/chalk/ansi-regex/issues/38#issuecomment-924086311", + }, + { + "type": "URL", + "value": "https://github.com/chalk/ansi-regex/issues/38#issuecomment-925924774", + }, + { + "type": "URL", + "value": "https://github.com/chalk/ansi-regex/releases/tag/v6.0.1", + }, + { + "type": "URL", + "value": "https://huntr.dev/bounties/5b3cf33b-ede0-4398-9974-800876dfd994", + }, + { + "type": "URL", + "value": "https://linux.oracle.com/cve/CVE-2021-3807.html", + }, + { + "type": "URL", + "value": "https://linux.oracle.com/errata/ELSA-2022-6595.html", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2021-3807", + }, + { + "type": "URL", + "value": "https://security.netapp.com/advisory/ntap-20221014-0002", + }, + { + "type": "URL", + "value": "https://security.netapp.com/advisory/ntap-20221014-0002/", + }, + { + "type": "URL", + "value": "https://www.cve.org/CVERecord?id=CVE-2021-3807", + }, + { + "type": "URL", + "value": "https://www.oracle.com/security-alerts/cpuapr2022.html", + }, + ], + "severity": "HIGH", + }, + { + "attributes": { + "fixedVersion": "3.2.2, 2.6.4", + "foundIn": "Node.js", + "installedVersion": "2.6.3", + "packageName": "async", + "references": [ + "https://access.redhat.com/security/cve/CVE-2021-43138", + "https://github.com/advisories/GHSA-fwr7-v2mv-hh25", + "https://github.com/caolan/async", + "https://github.com/caolan/async/blob/master/lib/internal/iterator.js", + "https://github.com/caolan/async/blob/master/lib/mapValuesLimit.js", + "https://github.com/caolan/async/blob/v2.6.4/CHANGELOG.md#v264", + 
"https://github.com/caolan/async/commit/8f7f90342a6571ba1c197d747ebed30c368096d2", + "https://github.com/caolan/async/commit/e1ecdbf79264f9ab488c7799f4c76996d5dca66d", + "https://github.com/caolan/async/compare/v2.6.3...v2.6.4", + "https://github.com/caolan/async/pull/1828", + "https://jsfiddle.net/oz5twjd9", + "https://jsfiddle.net/oz5twjd9/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MTEUUTNIEBHGKUKKLNUZSV7IEP6IP3Q3", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MTEUUTNIEBHGKUKKLNUZSV7IEP6IP3Q3/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UM6XJ73Q3NAM5KSGCOKJ2ZIA6GUWUJLK", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UM6XJ73Q3NAM5KSGCOKJ2ZIA6GUWUJLK/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MTEUUTNIEBHGKUKKLNUZSV7IEP6IP3Q3", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UM6XJ73Q3NAM5KSGCOKJ2ZIA6GUWUJLK", + "https://nvd.nist.gov/vuln/detail/CVE-2021-43138", + "https://security.netapp.com/advisory/ntap-20240621-0006", + "https://security.netapp.com/advisory/ntap-20240621-0006/", + "https://www.cve.org/CVERecord?id=CVE-2021-43138", + ], + "vulnerabilityId": "CVE-2021-43138", + }, + "category": "NPM Package Vulnerability", + "description": "In Async before 2.6.4 and 3.x before 3.2.2, a malicious user can obtain privileges via the mapValues() method, aka lib/internal/iterator.js createObjectIterator prototype pollution.", + "location": "bkimminich/juice-shop:v12.10.2", + "mitigation": "Update the affected package async to the fixed version: 3.2.2, 2.6.4 or remove the package from the image.", + "name": "async: Prototype Pollution in async", + "osi_layer": "NOT_APPLICABLE", + "references": [ + { + "type": "CVE", + "value": 
"CVE-2021-43138", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2021-43138", + }, + { + "type": "URL", + "value": "https://access.redhat.com/security/cve/CVE-2021-43138", + }, + { + "type": "URL", + "value": "https://github.com/advisories/GHSA-fwr7-v2mv-hh25", + }, + { + "type": "URL", + "value": "https://github.com/caolan/async", + }, + { + "type": "URL", + "value": "https://github.com/caolan/async/blob/master/lib/internal/iterator.js", + }, + { + "type": "URL", + "value": "https://github.com/caolan/async/blob/master/lib/mapValuesLimit.js", + }, + { + "type": "URL", + "value": "https://github.com/caolan/async/blob/v2.6.4/CHANGELOG.md#v264", + }, + { + "type": "URL", + "value": "https://github.com/caolan/async/commit/8f7f90342a6571ba1c197d747ebed30c368096d2", + }, + { + "type": "URL", + "value": "https://github.com/caolan/async/commit/e1ecdbf79264f9ab488c7799f4c76996d5dca66d", + }, + { + "type": "URL", + "value": "https://github.com/caolan/async/compare/v2.6.3...v2.6.4", + }, + { + "type": "URL", + "value": "https://github.com/caolan/async/pull/1828", + }, + { + "type": "URL", + "value": "https://jsfiddle.net/oz5twjd9", + }, + { + "type": "URL", + "value": "https://jsfiddle.net/oz5twjd9/", + }, + { + "type": "URL", + "value": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MTEUUTNIEBHGKUKKLNUZSV7IEP6IP3Q3", + }, + { + "type": "URL", + "value": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MTEUUTNIEBHGKUKKLNUZSV7IEP6IP3Q3/", + }, + { + "type": "URL", + "value": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UM6XJ73Q3NAM5KSGCOKJ2ZIA6GUWUJLK", + }, + { + "type": "URL", + "value": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UM6XJ73Q3NAM5KSGCOKJ2ZIA6GUWUJLK/", + }, + { + "type": "URL", + "value": 
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MTEUUTNIEBHGKUKKLNUZSV7IEP6IP3Q3", + }, + { + "type": "URL", + "value": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UM6XJ73Q3NAM5KSGCOKJ2ZIA6GUWUJLK", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2021-43138", + }, + { + "type": "URL", + "value": "https://security.netapp.com/advisory/ntap-20240621-0006", + }, + { + "type": "URL", + "value": "https://security.netapp.com/advisory/ntap-20240621-0006/", + }, + { + "type": "URL", + "value": "https://www.cve.org/CVERecord?id=CVE-2021-43138", + }, + ], + "severity": "HIGH", + }, + { + "attributes": { + "fixedVersion": "3.2.2, 2.6.4", + "foundIn": "Node.js", + "installedVersion": "2.6.3", + "packageName": "async", + "references": [ + "https://access.redhat.com/security/cve/CVE-2021-43138", + "https://github.com/advisories/GHSA-fwr7-v2mv-hh25", + "https://github.com/caolan/async", + "https://github.com/caolan/async/blob/master/lib/internal/iterator.js", + "https://github.com/caolan/async/blob/master/lib/mapValuesLimit.js", + "https://github.com/caolan/async/blob/v2.6.4/CHANGELOG.md#v264", + "https://github.com/caolan/async/commit/8f7f90342a6571ba1c197d747ebed30c368096d2", + "https://github.com/caolan/async/commit/e1ecdbf79264f9ab488c7799f4c76996d5dca66d", + "https://github.com/caolan/async/compare/v2.6.3...v2.6.4", + "https://github.com/caolan/async/pull/1828", + "https://jsfiddle.net/oz5twjd9", + "https://jsfiddle.net/oz5twjd9/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MTEUUTNIEBHGKUKKLNUZSV7IEP6IP3Q3", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MTEUUTNIEBHGKUKKLNUZSV7IEP6IP3Q3/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UM6XJ73Q3NAM5KSGCOKJ2ZIA6GUWUJLK", + 
"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UM6XJ73Q3NAM5KSGCOKJ2ZIA6GUWUJLK/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MTEUUTNIEBHGKUKKLNUZSV7IEP6IP3Q3", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UM6XJ73Q3NAM5KSGCOKJ2ZIA6GUWUJLK", + "https://nvd.nist.gov/vuln/detail/CVE-2021-43138", + "https://security.netapp.com/advisory/ntap-20240621-0006", + "https://security.netapp.com/advisory/ntap-20240621-0006/", + "https://www.cve.org/CVERecord?id=CVE-2021-43138", + ], + "vulnerabilityId": "CVE-2021-43138", + }, + "category": "NPM Package Vulnerability", + "description": "In Async before 2.6.4 and 3.x before 3.2.2, a malicious user can obtain privileges via the mapValues() method, aka lib/internal/iterator.js createObjectIterator prototype pollution.", + "location": "bkimminich/juice-shop:v12.10.2", + "mitigation": "Update the affected package async to the fixed version: 3.2.2, 2.6.4 or remove the package from the image.", + "name": "async: Prototype Pollution in async", + "osi_layer": "NOT_APPLICABLE", + "references": [ + { + "type": "CVE", + "value": "CVE-2021-43138", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2021-43138", + }, + { + "type": "URL", + "value": "https://access.redhat.com/security/cve/CVE-2021-43138", + }, + { + "type": "URL", + "value": "https://github.com/advisories/GHSA-fwr7-v2mv-hh25", + }, + { + "type": "URL", + "value": "https://github.com/caolan/async", + }, + { + "type": "URL", + "value": "https://github.com/caolan/async/blob/master/lib/internal/iterator.js", + }, + { + "type": "URL", + "value": "https://github.com/caolan/async/blob/master/lib/mapValuesLimit.js", + }, + { + "type": "URL", + "value": "https://github.com/caolan/async/blob/v2.6.4/CHANGELOG.md#v264", + }, + { + "type": "URL", + "value": 
"https://github.com/caolan/async/commit/8f7f90342a6571ba1c197d747ebed30c368096d2", + }, + { + "type": "URL", + "value": "https://github.com/caolan/async/commit/e1ecdbf79264f9ab488c7799f4c76996d5dca66d", + }, + { + "type": "URL", + "value": "https://github.com/caolan/async/compare/v2.6.3...v2.6.4", + }, + { + "type": "URL", + "value": "https://github.com/caolan/async/pull/1828", + }, + { + "type": "URL", + "value": "https://jsfiddle.net/oz5twjd9", + }, + { + "type": "URL", + "value": "https://jsfiddle.net/oz5twjd9/", + }, + { + "type": "URL", + "value": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MTEUUTNIEBHGKUKKLNUZSV7IEP6IP3Q3", + }, + { + "type": "URL", + "value": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MTEUUTNIEBHGKUKKLNUZSV7IEP6IP3Q3/", + }, + { + "type": "URL", + "value": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UM6XJ73Q3NAM5KSGCOKJ2ZIA6GUWUJLK", + }, + { + "type": "URL", + "value": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UM6XJ73Q3NAM5KSGCOKJ2ZIA6GUWUJLK/", + }, + { + "type": "URL", + "value": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MTEUUTNIEBHGKUKKLNUZSV7IEP6IP3Q3", + }, + { + "type": "URL", + "value": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UM6XJ73Q3NAM5KSGCOKJ2ZIA6GUWUJLK", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2021-43138", + }, + { + "type": "URL", + "value": "https://security.netapp.com/advisory/ntap-20240621-0006", + }, + { + "type": "URL", + "value": "https://security.netapp.com/advisory/ntap-20240621-0006/", + }, + { + "type": "URL", + "value": "https://www.cve.org/CVERecord?id=CVE-2021-43138", + }, + ], + "severity": "HIGH", + }, + { + "attributes": { + "fixedVersion": "3.2.2, 
2.6.4", + "foundIn": "Node.js", + "installedVersion": "2.6.3", + "packageName": "async", + "references": [ + "https://access.redhat.com/security/cve/CVE-2021-43138", + "https://github.com/advisories/GHSA-fwr7-v2mv-hh25", + "https://github.com/caolan/async", + "https://github.com/caolan/async/blob/master/lib/internal/iterator.js", + "https://github.com/caolan/async/blob/master/lib/mapValuesLimit.js", + "https://github.com/caolan/async/blob/v2.6.4/CHANGELOG.md#v264", + "https://github.com/caolan/async/commit/8f7f90342a6571ba1c197d747ebed30c368096d2", + "https://github.com/caolan/async/commit/e1ecdbf79264f9ab488c7799f4c76996d5dca66d", + "https://github.com/caolan/async/compare/v2.6.3...v2.6.4", + "https://github.com/caolan/async/pull/1828", + "https://jsfiddle.net/oz5twjd9", + "https://jsfiddle.net/oz5twjd9/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MTEUUTNIEBHGKUKKLNUZSV7IEP6IP3Q3", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MTEUUTNIEBHGKUKKLNUZSV7IEP6IP3Q3/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UM6XJ73Q3NAM5KSGCOKJ2ZIA6GUWUJLK", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UM6XJ73Q3NAM5KSGCOKJ2ZIA6GUWUJLK/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MTEUUTNIEBHGKUKKLNUZSV7IEP6IP3Q3", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UM6XJ73Q3NAM5KSGCOKJ2ZIA6GUWUJLK", + "https://nvd.nist.gov/vuln/detail/CVE-2021-43138", + "https://security.netapp.com/advisory/ntap-20240621-0006", + "https://security.netapp.com/advisory/ntap-20240621-0006/", + "https://www.cve.org/CVERecord?id=CVE-2021-43138", + ], + "vulnerabilityId": "CVE-2021-43138", + }, + "category": "NPM Package Vulnerability", + "description": "In Async before 2.6.4 and 3.x 
before 3.2.2, a malicious user can obtain privileges via the mapValues() method, aka lib/internal/iterator.js createObjectIterator prototype pollution.", + "location": "bkimminich/juice-shop:v12.10.2", + "mitigation": "Update the affected package async to the fixed version: 3.2.2, 2.6.4 or remove the package from the image.", + "name": "async: Prototype Pollution in async", + "osi_layer": "NOT_APPLICABLE", + "references": [ + { + "type": "CVE", + "value": "CVE-2021-43138", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2021-43138", + }, + { + "type": "URL", + "value": "https://access.redhat.com/security/cve/CVE-2021-43138", + }, + { + "type": "URL", + "value": "https://github.com/advisories/GHSA-fwr7-v2mv-hh25", + }, + { + "type": "URL", + "value": "https://github.com/caolan/async", + }, + { + "type": "URL", + "value": "https://github.com/caolan/async/blob/master/lib/internal/iterator.js", + }, + { + "type": "URL", + "value": "https://github.com/caolan/async/blob/master/lib/mapValuesLimit.js", + }, + { + "type": "URL", + "value": "https://github.com/caolan/async/blob/v2.6.4/CHANGELOG.md#v264", + }, + { + "type": "URL", + "value": "https://github.com/caolan/async/commit/8f7f90342a6571ba1c197d747ebed30c368096d2", + }, + { + "type": "URL", + "value": "https://github.com/caolan/async/commit/e1ecdbf79264f9ab488c7799f4c76996d5dca66d", + }, + { + "type": "URL", + "value": "https://github.com/caolan/async/compare/v2.6.3...v2.6.4", + }, + { + "type": "URL", + "value": "https://github.com/caolan/async/pull/1828", + }, + { + "type": "URL", + "value": "https://jsfiddle.net/oz5twjd9", + }, + { + "type": "URL", + "value": "https://jsfiddle.net/oz5twjd9/", + }, + { + "type": "URL", + "value": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MTEUUTNIEBHGKUKKLNUZSV7IEP6IP3Q3", + }, + { + "type": "URL", + "value": 
"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MTEUUTNIEBHGKUKKLNUZSV7IEP6IP3Q3/", + }, + { + "type": "URL", + "value": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UM6XJ73Q3NAM5KSGCOKJ2ZIA6GUWUJLK", + }, + { + "type": "URL", + "value": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UM6XJ73Q3NAM5KSGCOKJ2ZIA6GUWUJLK/", + }, + { + "type": "URL", + "value": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MTEUUTNIEBHGKUKKLNUZSV7IEP6IP3Q3", + }, + { + "type": "URL", + "value": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UM6XJ73Q3NAM5KSGCOKJ2ZIA6GUWUJLK", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2021-43138", + }, + { + "type": "URL", + "value": "https://security.netapp.com/advisory/ntap-20240621-0006", + }, + { + "type": "URL", + "value": "https://security.netapp.com/advisory/ntap-20240621-0006/", + }, + { + "type": "URL", + "value": "https://www.cve.org/CVERecord?id=CVE-2021-43138", + }, + ], + "severity": "HIGH", + }, + { + "attributes": { + "fixedVersion": "3.2.2, 2.6.4", + "foundIn": "Node.js", + "installedVersion": "3.2.1", + "packageName": "async", + "references": [ + "https://access.redhat.com/security/cve/CVE-2021-43138", + "https://github.com/advisories/GHSA-fwr7-v2mv-hh25", + "https://github.com/caolan/async", + "https://github.com/caolan/async/blob/master/lib/internal/iterator.js", + "https://github.com/caolan/async/blob/master/lib/mapValuesLimit.js", + "https://github.com/caolan/async/blob/v2.6.4/CHANGELOG.md#v264", + "https://github.com/caolan/async/commit/8f7f90342a6571ba1c197d747ebed30c368096d2", + "https://github.com/caolan/async/commit/e1ecdbf79264f9ab488c7799f4c76996d5dca66d", + "https://github.com/caolan/async/compare/v2.6.3...v2.6.4", + 
"https://github.com/caolan/async/pull/1828", + "https://jsfiddle.net/oz5twjd9", + "https://jsfiddle.net/oz5twjd9/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MTEUUTNIEBHGKUKKLNUZSV7IEP6IP3Q3", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MTEUUTNIEBHGKUKKLNUZSV7IEP6IP3Q3/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UM6XJ73Q3NAM5KSGCOKJ2ZIA6GUWUJLK", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UM6XJ73Q3NAM5KSGCOKJ2ZIA6GUWUJLK/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MTEUUTNIEBHGKUKKLNUZSV7IEP6IP3Q3", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UM6XJ73Q3NAM5KSGCOKJ2ZIA6GUWUJLK", + "https://nvd.nist.gov/vuln/detail/CVE-2021-43138", + "https://security.netapp.com/advisory/ntap-20240621-0006", + "https://security.netapp.com/advisory/ntap-20240621-0006/", + "https://www.cve.org/CVERecord?id=CVE-2021-43138", + ], + "vulnerabilityId": "CVE-2021-43138", + }, + "category": "NPM Package Vulnerability", + "description": "In Async before 2.6.4 and 3.x before 3.2.2, a malicious user can obtain privileges via the mapValues() method, aka lib/internal/iterator.js createObjectIterator prototype pollution.", + "location": "bkimminich/juice-shop:v12.10.2", + "mitigation": "Update the affected package async to the fixed version: 3.2.2, 2.6.4 or remove the package from the image.", + "name": "async: Prototype Pollution in async", + "osi_layer": "NOT_APPLICABLE", + "references": [ + { + "type": "CVE", + "value": "CVE-2021-43138", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2021-43138", + }, + { + "type": "URL", + "value": "https://access.redhat.com/security/cve/CVE-2021-43138", + }, + { + "type": "URL", + "value": 
"https://github.com/advisories/GHSA-fwr7-v2mv-hh25", + }, + { + "type": "URL", + "value": "https://github.com/caolan/async", + }, + { + "type": "URL", + "value": "https://github.com/caolan/async/blob/master/lib/internal/iterator.js", + }, + { + "type": "URL", + "value": "https://github.com/caolan/async/blob/master/lib/mapValuesLimit.js", + }, + { + "type": "URL", + "value": "https://github.com/caolan/async/blob/v2.6.4/CHANGELOG.md#v264", + }, + { + "type": "URL", + "value": "https://github.com/caolan/async/commit/8f7f90342a6571ba1c197d747ebed30c368096d2", + }, + { + "type": "URL", + "value": "https://github.com/caolan/async/commit/e1ecdbf79264f9ab488c7799f4c76996d5dca66d", + }, + { + "type": "URL", + "value": "https://github.com/caolan/async/compare/v2.6.3...v2.6.4", + }, + { + "type": "URL", + "value": "https://github.com/caolan/async/pull/1828", + }, + { + "type": "URL", + "value": "https://jsfiddle.net/oz5twjd9", + }, + { + "type": "URL", + "value": "https://jsfiddle.net/oz5twjd9/", + }, + { + "type": "URL", + "value": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MTEUUTNIEBHGKUKKLNUZSV7IEP6IP3Q3", + }, + { + "type": "URL", + "value": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MTEUUTNIEBHGKUKKLNUZSV7IEP6IP3Q3/", + }, + { + "type": "URL", + "value": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UM6XJ73Q3NAM5KSGCOKJ2ZIA6GUWUJLK", + }, + { + "type": "URL", + "value": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UM6XJ73Q3NAM5KSGCOKJ2ZIA6GUWUJLK/", + }, + { + "type": "URL", + "value": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MTEUUTNIEBHGKUKKLNUZSV7IEP6IP3Q3", + }, + { + "type": "URL", + "value": 
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UM6XJ73Q3NAM5KSGCOKJ2ZIA6GUWUJLK", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2021-43138", + }, + { + "type": "URL", + "value": "https://security.netapp.com/advisory/ntap-20240621-0006", + }, + { + "type": "URL", + "value": "https://security.netapp.com/advisory/ntap-20240621-0006/", + }, + { + "type": "URL", + "value": "https://www.cve.org/CVERecord?id=CVE-2021-43138", + }, + ], + "severity": "HIGH", + }, + { + "attributes": { + "fixedVersion": ">=3.0.0", + "foundIn": "Node.js", + "installedVersion": "0.0.6", + "packageName": "base64url", + "references": [ + "https://github.com/brianloveswords/base64url/pull/25", + "https://hackerone.com/reports/321687", + ], + "vulnerabilityId": "NSWG-ECO-428", + }, + "category": "NPM Package Vulnerability", + "description": "\`base64url\` allocates uninitialized Buffers when number is passed in input on Node.js 4.x and below", + "location": "bkimminich/juice-shop:v12.10.2", + "mitigation": "Update the affected package base64url to the fixed version: >=3.0.0 or remove the package from the image.", + "name": "Out-of-bounds Read", + "osi_layer": "NOT_APPLICABLE", + "references": [ + { + "type": "NSWG", + "value": "NSWG-ECO-428", + }, + { + "type": "URL", + "value": "https://github.com/nodejs/security-wg/tree/master/vuln", + }, + { + "type": "URL", + "value": "https://github.com/brianloveswords/base64url/pull/25", + }, + { + "type": "URL", + "value": "https://hackerone.com/reports/321687", + }, + ], + "severity": "HIGH", + }, + { + "attributes": { + "fixedVersion": "3.0.0", + "foundIn": "Node.js", + "installedVersion": "0.0.6", + "packageName": "base64url", + "references": [ + "https://github.com/brianloveswords/base64url", + "https://github.com/brianloveswords/base64url/commit/4fbd954a0a69e9d898de2146557cc6e893e79542", + "https://github.com/brianloveswords/base64url/pull/25", + 
"https://hackerone.com/reports/321687", + ], + "vulnerabilityId": "GHSA-rvg8-pwq2-xj7q", + }, + "category": "NPM Package Vulnerability", + "description": "Versions of \`base64url\` before 3.0.0 are vulnerable to to out-of-bounds reads as it allocates uninitialized Buffers when number is passed in input on Node.js 4.x and below. + + +## Recommendation + +Update to version 3.0.0 or later.", + "location": "bkimminich/juice-shop:v12.10.2", + "mitigation": "Update the affected package base64url to the fixed version: 3.0.0 or remove the package from the image.", + "name": "Out-of-bounds Read in base64url", + "osi_layer": "NOT_APPLICABLE", + "references": [ + { + "type": "URL", + "value": "https://github.com/brianloveswords/base64url", + }, + { + "type": "URL", + "value": "https://github.com/brianloveswords/base64url/commit/4fbd954a0a69e9d898de2146557cc6e893e79542", + }, + { + "type": "URL", + "value": "https://github.com/brianloveswords/base64url/pull/25", + }, + { + "type": "URL", + "value": "https://hackerone.com/reports/321687", + }, + ], + "severity": "MEDIUM", + }, + { + "attributes": { + "fixedVersion": "1.20.3", + "foundIn": "Node.js", + "installedVersion": "1.19.0", + "packageName": "body-parser", + "references": [ + "https://access.redhat.com/security/cve/CVE-2024-45590", + "https://github.com/expressjs/body-parser", + "https://github.com/expressjs/body-parser/commit/b2695c4450f06ba3b0ccf48d872a229bb41c9bce", + "https://github.com/expressjs/body-parser/security/advisories/GHSA-qwcr-r2fm-qrc7", + "https://nvd.nist.gov/vuln/detail/CVE-2024-45590", + "https://www.cve.org/CVERecord?id=CVE-2024-45590", + ], + "vulnerabilityId": "CVE-2024-45590", + }, + "category": "NPM Package Vulnerability", + "description": "body-parser is Node.js body parsing middleware. body-parser <1.20.3 is vulnerable to denial of service when url encoding is enabled. 
A malicious actor using a specially crafted payload could flood the server with a large number of requests, resulting in denial of service. This issue is patched in 1.20.3.", + "location": "bkimminich/juice-shop:v12.10.2", + "mitigation": "Update the affected package body-parser to the fixed version: 1.20.3 or remove the package from the image.", + "name": "body-parser: Denial of Service Vulnerability in body-parser", + "osi_layer": "NOT_APPLICABLE", + "references": [ + { + "type": "CVE", + "value": "CVE-2024-45590", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2024-45590", + }, + { + "type": "URL", + "value": "https://access.redhat.com/security/cve/CVE-2024-45590", + }, + { + "type": "URL", + "value": "https://github.com/expressjs/body-parser", + }, + { + "type": "URL", + "value": "https://github.com/expressjs/body-parser/commit/b2695c4450f06ba3b0ccf48d872a229bb41c9bce", + }, + { + "type": "URL", + "value": "https://github.com/expressjs/body-parser/security/advisories/GHSA-qwcr-r2fm-qrc7", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2024-45590", + }, + { + "type": "URL", + "value": "https://www.cve.org/CVERecord?id=CVE-2024-45590", + }, + ], + "severity": "HIGH", + }, + { + "attributes": { + "fixedVersion": "3.0.3", + "foundIn": "Node.js", + "installedVersion": "2.3.2", + "packageName": "braces", + "references": [ + "https://access.redhat.com/security/cve/CVE-2024-4068", + "https://devhub.checkmarx.com/cve-details/CVE-2024-4068", + "https://devhub.checkmarx.com/cve-details/CVE-2024-4068/", + "https://github.com/micromatch/braces", + "https://github.com/micromatch/braces/blob/98414f9f1fabe021736e26836d8306d5de747e0d/lib/parse.js#L308", + "https://github.com/micromatch/braces/commit/415d660c3002d1ab7e63dbf490c9851da80596ff", + "https://github.com/micromatch/braces/issues/35", + "https://github.com/micromatch/braces/pull/37", + "https://github.com/micromatch/braces/pull/40", + 
"https://nvd.nist.gov/vuln/detail/CVE-2024-4068", + "https://www.cve.org/CVERecord?id=CVE-2024-4068", + ], + "vulnerabilityId": "CVE-2024-4068", + }, + "category": "NPM Package Vulnerability", + "description": "The NPM package \`braces\`, versions prior to 3.0.3, fails to limit the number of characters it can handle, which could lead to Memory Exhaustion. In \`lib/parse.js,\` if a malicious user sends "imbalanced braces" as input, the parsing will enter a loop, which will cause the program to start allocating heap memory without freeing it at any moment of the loop. Eventually, the JavaScript heap limit is reached, and the program will crash.", + "location": "bkimminich/juice-shop:v12.10.2", + "mitigation": "Update the affected package braces to the fixed version: 3.0.3 or remove the package from the image.", + "name": "braces: fails to limit the number of characters it can handle", + "osi_layer": "NOT_APPLICABLE", + "references": [ + { + "type": "CVE", + "value": "CVE-2024-4068", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2024-4068", + }, + { + "type": "URL", + "value": "https://access.redhat.com/security/cve/CVE-2024-4068", + }, + { + "type": "URL", + "value": "https://devhub.checkmarx.com/cve-details/CVE-2024-4068", + }, + { + "type": "URL", + "value": "https://devhub.checkmarx.com/cve-details/CVE-2024-4068/", + }, + { + "type": "URL", + "value": "https://github.com/micromatch/braces", + }, + { + "type": "URL", + "value": "https://github.com/micromatch/braces/blob/98414f9f1fabe021736e26836d8306d5de747e0d/lib/parse.js#L308", + }, + { + "type": "URL", + "value": "https://github.com/micromatch/braces/commit/415d660c3002d1ab7e63dbf490c9851da80596ff", + }, + { + "type": "URL", + "value": "https://github.com/micromatch/braces/issues/35", + }, + { + "type": "URL", + "value": "https://github.com/micromatch/braces/pull/37", + }, + { + "type": "URL", + "value": "https://github.com/micromatch/braces/pull/40", + }, + { + "type": "URL", + 
"value": "https://nvd.nist.gov/vuln/detail/CVE-2024-4068", + }, + { + "type": "URL", + "value": "https://www.cve.org/CVERecord?id=CVE-2024-4068", + }, + ], + "severity": "HIGH", + }, + { + "attributes": { + "fixedVersion": "3.0.3", + "foundIn": "Node.js", + "installedVersion": "3.0.2", + "packageName": "braces", + "references": [ + "https://access.redhat.com/security/cve/CVE-2024-4068", + "https://devhub.checkmarx.com/cve-details/CVE-2024-4068", + "https://devhub.checkmarx.com/cve-details/CVE-2024-4068/", + "https://github.com/micromatch/braces", + "https://github.com/micromatch/braces/blob/98414f9f1fabe021736e26836d8306d5de747e0d/lib/parse.js#L308", + "https://github.com/micromatch/braces/commit/415d660c3002d1ab7e63dbf490c9851da80596ff", + "https://github.com/micromatch/braces/issues/35", + "https://github.com/micromatch/braces/pull/37", + "https://github.com/micromatch/braces/pull/40", + "https://nvd.nist.gov/vuln/detail/CVE-2024-4068", + "https://www.cve.org/CVERecord?id=CVE-2024-4068", + ], + "vulnerabilityId": "CVE-2024-4068", + }, + "category": "NPM Package Vulnerability", + "description": "The NPM package \`braces\`, versions prior to 3.0.3, fails to limit the number of characters it can handle, which could lead to Memory Exhaustion. In \`lib/parse.js,\` if a malicious user sends "imbalanced braces" as input, the parsing will enter a loop, which will cause the program to start allocating heap memory without freeing it at any moment of the loop. 
Eventually, the JavaScript heap limit is reached, and the program will crash.", + "location": "bkimminich/juice-shop:v12.10.2", + "mitigation": "Update the affected package braces to the fixed version: 3.0.3 or remove the package from the image.", + "name": "braces: fails to limit the number of characters it can handle", + "osi_layer": "NOT_APPLICABLE", + "references": [ + { + "type": "CVE", + "value": "CVE-2024-4068", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2024-4068", + }, + { + "type": "URL", + "value": "https://access.redhat.com/security/cve/CVE-2024-4068", + }, + { + "type": "URL", + "value": "https://devhub.checkmarx.com/cve-details/CVE-2024-4068", + }, + { + "type": "URL", + "value": "https://devhub.checkmarx.com/cve-details/CVE-2024-4068/", + }, + { + "type": "URL", + "value": "https://github.com/micromatch/braces", + }, + { + "type": "URL", + "value": "https://github.com/micromatch/braces/blob/98414f9f1fabe021736e26836d8306d5de747e0d/lib/parse.js#L308", + }, + { + "type": "URL", + "value": "https://github.com/micromatch/braces/commit/415d660c3002d1ab7e63dbf490c9851da80596ff", + }, + { + "type": "URL", + "value": "https://github.com/micromatch/braces/issues/35", + }, + { + "type": "URL", + "value": "https://github.com/micromatch/braces/pull/37", + }, + { + "type": "URL", + "value": "https://github.com/micromatch/braces/pull/40", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2024-4068", + }, + { + "type": "URL", + "value": "https://www.cve.org/CVERecord?id=CVE-2024-4068", + }, + ], + "severity": "HIGH", + }, + { + "attributes": { + "fixedVersion": "3.0.3", + "foundIn": "Node.js", + "installedVersion": "3.0.2", + "packageName": "braces", + "references": [ + "https://access.redhat.com/security/cve/CVE-2024-4068", + "https://devhub.checkmarx.com/cve-details/CVE-2024-4068", + "https://devhub.checkmarx.com/cve-details/CVE-2024-4068/", + "https://github.com/micromatch/braces", + 
"https://github.com/micromatch/braces/blob/98414f9f1fabe021736e26836d8306d5de747e0d/lib/parse.js#L308", + "https://github.com/micromatch/braces/commit/415d660c3002d1ab7e63dbf490c9851da80596ff", + "https://github.com/micromatch/braces/issues/35", + "https://github.com/micromatch/braces/pull/37", + "https://github.com/micromatch/braces/pull/40", + "https://nvd.nist.gov/vuln/detail/CVE-2024-4068", + "https://www.cve.org/CVERecord?id=CVE-2024-4068", + ], + "vulnerabilityId": "CVE-2024-4068", + }, + "category": "NPM Package Vulnerability", + "description": "The NPM package \`braces\`, versions prior to 3.0.3, fails to limit the number of characters it can handle, which could lead to Memory Exhaustion. In \`lib/parse.js,\` if a malicious user sends "imbalanced braces" as input, the parsing will enter a loop, which will cause the program to start allocating heap memory without freeing it at any moment of the loop. Eventually, the JavaScript heap limit is reached, and the program will crash.", + "location": "bkimminich/juice-shop:v12.10.2", + "mitigation": "Update the affected package braces to the fixed version: 3.0.3 or remove the package from the image.", + "name": "braces: fails to limit the number of characters it can handle", + "osi_layer": "NOT_APPLICABLE", + "references": [ + { + "type": "CVE", + "value": "CVE-2024-4068", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2024-4068", + }, + { + "type": "URL", + "value": "https://access.redhat.com/security/cve/CVE-2024-4068", + }, + { + "type": "URL", + "value": "https://devhub.checkmarx.com/cve-details/CVE-2024-4068", + }, + { + "type": "URL", + "value": "https://devhub.checkmarx.com/cve-details/CVE-2024-4068/", + }, + { + "type": "URL", + "value": "https://github.com/micromatch/braces", + }, + { + "type": "URL", + "value": "https://github.com/micromatch/braces/blob/98414f9f1fabe021736e26836d8306d5de747e0d/lib/parse.js#L308", + }, + { + "type": "URL", + "value": 
"https://github.com/micromatch/braces/commit/415d660c3002d1ab7e63dbf490c9851da80596ff", + }, + { + "type": "URL", + "value": "https://github.com/micromatch/braces/issues/35", + }, + { + "type": "URL", + "value": "https://github.com/micromatch/braces/pull/37", + }, + { + "type": "URL", + "value": "https://github.com/micromatch/braces/pull/40", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2024-4068", + }, + { + "type": "URL", + "value": "https://www.cve.org/CVERecord?id=CVE-2024-4068", + }, + ], + "severity": "HIGH", + }, + { + "attributes": { + "fixedVersion": "0.7.0", + "foundIn": "Node.js", + "installedVersion": "0.4.0", + "packageName": "cookie", + "references": [ + "https://access.redhat.com/security/cve/CVE-2024-47764", + "https://github.com/jshttp/cookie", + "https://github.com/jshttp/cookie/commit/e10042845354fea83bd8f34af72475eed1dadf5c", + "https://github.com/jshttp/cookie/pull/167", + "https://github.com/jshttp/cookie/security/advisories/GHSA-pxg6-pf52-xh8x", + "https://nvd.nist.gov/vuln/detail/CVE-2024-47764", + "https://www.cve.org/CVERecord?id=CVE-2024-47764", + ], + "vulnerabilityId": "CVE-2024-47764", + }, + "category": "NPM Package Vulnerability", + "description": "cookie is a basic HTTP cookie parser and serializer for HTTP servers. The cookie name could be used to set other fields of the cookie, resulting in an unexpected cookie value. A similar escape can be used for path and domain, which could be abused to alter other fields of the cookie. 
Upgrade to 0.7.0, which updates the validation for name, path, and domain.", + "location": "bkimminich/juice-shop:v12.10.2", + "mitigation": "Update the affected package cookie to the fixed version: 0.7.0 or remove the package from the image.", + "name": "cookie: cookie accepts cookie name, path, and domain with out of bounds characters", + "osi_layer": "NOT_APPLICABLE", + "references": [ + { + "type": "CVE", + "value": "CVE-2024-47764", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2024-47764", + }, + { + "type": "URL", + "value": "https://access.redhat.com/security/cve/CVE-2024-47764", + }, + { + "type": "URL", + "value": "https://github.com/jshttp/cookie", + }, + { + "type": "URL", + "value": "https://github.com/jshttp/cookie/commit/e10042845354fea83bd8f34af72475eed1dadf5c", + }, + { + "type": "URL", + "value": "https://github.com/jshttp/cookie/pull/167", + }, + { + "type": "URL", + "value": "https://github.com/jshttp/cookie/security/advisories/GHSA-pxg6-pf52-xh8x", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2024-47764", + }, + { + "type": "URL", + "value": "https://www.cve.org/CVERecord?id=CVE-2024-47764", + }, + ], + "severity": "LOW", + }, + { + "attributes": { + "fixedVersion": "0.7.0", + "foundIn": "Node.js", + "installedVersion": "0.4.1", + "packageName": "cookie", + "references": [ + "https://access.redhat.com/security/cve/CVE-2024-47764", + "https://github.com/jshttp/cookie", + "https://github.com/jshttp/cookie/commit/e10042845354fea83bd8f34af72475eed1dadf5c", + "https://github.com/jshttp/cookie/pull/167", + "https://github.com/jshttp/cookie/security/advisories/GHSA-pxg6-pf52-xh8x", + "https://nvd.nist.gov/vuln/detail/CVE-2024-47764", + "https://www.cve.org/CVERecord?id=CVE-2024-47764", + ], + "vulnerabilityId": "CVE-2024-47764", + }, + "category": "NPM Package Vulnerability", + "description": "cookie is a basic HTTP cookie parser and serializer for HTTP servers. 
The cookie name could be used to set other fields of the cookie, resulting in an unexpected cookie value. A similar escape can be used for path and domain, which could be abused to alter other fields of the cookie. Upgrade to 0.7.0, which updates the validation for name, path, and domain.", + "location": "bkimminich/juice-shop:v12.10.2", + "mitigation": "Update the affected package cookie to the fixed version: 0.7.0 or remove the package from the image.", + "name": "cookie: cookie accepts cookie name, path, and domain with out of bounds characters", + "osi_layer": "NOT_APPLICABLE", + "references": [ + { + "type": "CVE", + "value": "CVE-2024-47764", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2024-47764", + }, + { + "type": "URL", + "value": "https://access.redhat.com/security/cve/CVE-2024-47764", + }, + { + "type": "URL", + "value": "https://github.com/jshttp/cookie", + }, + { + "type": "URL", + "value": "https://github.com/jshttp/cookie/commit/e10042845354fea83bd8f34af72475eed1dadf5c", + }, + { + "type": "URL", + "value": "https://github.com/jshttp/cookie/pull/167", + }, + { + "type": "URL", + "value": "https://github.com/jshttp/cookie/security/advisories/GHSA-pxg6-pf52-xh8x", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2024-47764", + }, + { + "type": "URL", + "value": "https://www.cve.org/CVERecord?id=CVE-2024-47764", + }, + ], + "severity": "LOW", + }, + { + "attributes": { + "fixedVersion": "4.2.0", + "foundIn": "Node.js", + "installedVersion": "3.3.0", + "packageName": "crypto-js", + "references": [ + "https://access.redhat.com/security/cve/CVE-2023-46233", + "https://github.com/brix/crypto-js", + "https://github.com/brix/crypto-js/commit/421dd538b2d34e7c24a5b72cc64dc2b9167db40a", + "https://github.com/brix/crypto-js/security/advisories/GHSA-xwcq-pm8m-c4vf", + "https://lists.debian.org/debian-lts-announce/2023/11/msg00025.html", + "https://nvd.nist.gov/vuln/detail/CVE-2023-46233", + 
"https://ubuntu.com/security/notices/USN-6753-1", + "https://www.cve.org/CVERecord?id=CVE-2023-46233", + ], + "vulnerabilityId": "CVE-2023-46233", + }, + "category": "NPM Package Vulnerability", + "description": "crypto-js is a JavaScript library of crypto standards. Prior to version 4.2.0, crypto-js PBKDF2 is 1,000 times weaker than originally specified in 1993, and at least 1,300,000 times weaker than current industry standard. This is because it both defaults to SHA1, a cryptographic hash algorithm considered insecure since at least 2005, and defaults to one single iteration, a 'strength' or 'difficulty' value specified at 1,000 when specified in 1993. PBKDF2 relies on iteration count as a countermeasure to preimage and collision attacks. If used to protect passwords, the impact is high. If used to generate signatures, the impact is high. Version 4.2.0 contains a patch for this issue. As a workaround, configure crypto-js to use SHA256 with at least 250,000 iterations.", + "location": "bkimminich/juice-shop:v12.10.2", + "mitigation": "Update the affected package crypto-js to the fixed version: 4.2.0 or remove the package from the image.", + "name": "crypto-js: PBKDF2 1,000 times weaker than specified in 1993 and 1.3M times weaker than current standard", + "osi_layer": "NOT_APPLICABLE", + "references": [ + { + "type": "CVE", + "value": "CVE-2023-46233", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2023-46233", + }, + { + "type": "URL", + "value": "https://access.redhat.com/security/cve/CVE-2023-46233", + }, + { + "type": "URL", + "value": "https://github.com/brix/crypto-js", + }, + { + "type": "URL", + "value": "https://github.com/brix/crypto-js/commit/421dd538b2d34e7c24a5b72cc64dc2b9167db40a", + }, + { + "type": "URL", + "value": "https://github.com/brix/crypto-js/security/advisories/GHSA-xwcq-pm8m-c4vf", + }, + { + "type": "URL", + "value": "https://lists.debian.org/debian-lts-announce/2023/11/msg00025.html", + }, + { + "type": 
"URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2023-46233", + }, + { + "type": "URL", + "value": "https://ubuntu.com/security/notices/USN-6753-1", + }, + { + "type": "URL", + "value": "https://www.cve.org/CVERecord?id=CVE-2023-46233", + }, + ], + "severity": "HIGH", + }, + { + "attributes": { + "fixedVersion": "0.2.1", + "foundIn": "Node.js", + "installedVersion": "0.2.0", + "packageName": "decode-uri-component", + "references": [ + "https://access.redhat.com/errata/RHSA-2023:6316", + "https://access.redhat.com/security/cve/CVE-2022-38900", + "https://bugzilla.redhat.com/2170644", + "https://errata.almalinux.org/9/ALSA-2023-6316.html", + "https://github.com/SamVerschueren/decode-uri-component", + "https://github.com/SamVerschueren/decode-uri-component/commit/746ca5dcb6667c5d364e782d53c542830e4c10b9", + "https://github.com/SamVerschueren/decode-uri-component/issues/5", + "https://github.com/SamVerschueren/decode-uri-component/releases/tag/v0.2.1", + "https://github.com/advisories/GHSA-w573-4hg7-7wgq", + "https://github.com/sindresorhus/query-string/issues/345", + "https://linux.oracle.com/cve/CVE-2022-38900.html", + "https://linux.oracle.com/errata/ELSA-2023-6316.html", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ERN6YE3DS7NBW7UH44SCJBMNC2NWQ7SM/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KAC5KQ2SEWAMQ6UZAUBZ5KXKEOESH375/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QABOUA2I542UTANVZIVFKWMRYVHLV32D/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UW4SCMT3SEUFVIL7YIADQ5K36GJEO6I5/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VNV2GNZXOTEDAJRFH3ZYWRUBGIVL7BSU/", + 
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ERN6YE3DS7NBW7UH44SCJBMNC2NWQ7SM", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KAC5KQ2SEWAMQ6UZAUBZ5KXKEOESH375", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QABOUA2I542UTANVZIVFKWMRYVHLV32D", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UW4SCMT3SEUFVIL7YIADQ5K36GJEO6I5", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VNV2GNZXOTEDAJRFH3ZYWRUBGIVL7BSU", + "https://nvd.nist.gov/vuln/detail/CVE-2022-38900", + "https://www.cve.org/CVERecord?id=CVE-2022-38900", + ], + "vulnerabilityId": "CVE-2022-38900", + }, + "category": "NPM Package Vulnerability", + "description": "decode-uri-component 0.2.0 is vulnerable to Improper Input Validation resulting in DoS.", + "location": "bkimminich/juice-shop:v12.10.2", + "mitigation": "Update the affected package decode-uri-component to the fixed version: 0.2.1 or remove the package from the image.", + "name": "decode-uri-component: improper input validation resulting in DoS", + "osi_layer": "NOT_APPLICABLE", + "references": [ + { + "type": "CVE", + "value": "CVE-2022-38900", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2022-38900", + }, + { + "type": "URL", + "value": "https://access.redhat.com/errata/RHSA-2023:6316", + }, + { + "type": "URL", + "value": "https://access.redhat.com/security/cve/CVE-2022-38900", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/2170644", + }, + { + "type": "URL", + "value": "https://errata.almalinux.org/9/ALSA-2023-6316.html", + }, + { + "type": "URL", + "value": "https://github.com/SamVerschueren/decode-uri-component", + }, + { + "type": "URL", + "value": 
"https://github.com/SamVerschueren/decode-uri-component/commit/746ca5dcb6667c5d364e782d53c542830e4c10b9", + }, + { + "type": "URL", + "value": "https://github.com/SamVerschueren/decode-uri-component/issues/5", + }, + { + "type": "URL", + "value": "https://github.com/SamVerschueren/decode-uri-component/releases/tag/v0.2.1", + }, + { + "type": "URL", + "value": "https://github.com/advisories/GHSA-w573-4hg7-7wgq", + }, + { + "type": "URL", + "value": "https://github.com/sindresorhus/query-string/issues/345", + }, + { + "type": "URL", + "value": "https://linux.oracle.com/cve/CVE-2022-38900.html", + }, + { + "type": "URL", + "value": "https://linux.oracle.com/errata/ELSA-2023-6316.html", + }, + { + "type": "URL", + "value": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ERN6YE3DS7NBW7UH44SCJBMNC2NWQ7SM/", + }, + { + "type": "URL", + "value": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KAC5KQ2SEWAMQ6UZAUBZ5KXKEOESH375/", + }, + { + "type": "URL", + "value": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QABOUA2I542UTANVZIVFKWMRYVHLV32D/", + }, + { + "type": "URL", + "value": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UW4SCMT3SEUFVIL7YIADQ5K36GJEO6I5/", + }, + { + "type": "URL", + "value": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VNV2GNZXOTEDAJRFH3ZYWRUBGIVL7BSU/", + }, + { + "type": "URL", + "value": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ERN6YE3DS7NBW7UH44SCJBMNC2NWQ7SM", + }, + { + "type": "URL", + "value": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KAC5KQ2SEWAMQ6UZAUBZ5KXKEOESH375", + }, + { + "type": "URL", + "value": 
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QABOUA2I542UTANVZIVFKWMRYVHLV32D", + }, + { + "type": "URL", + "value": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UW4SCMT3SEUFVIL7YIADQ5K36GJEO6I5", + }, + { + "type": "URL", + "value": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VNV2GNZXOTEDAJRFH3ZYWRUBGIVL7BSU", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2022-38900", + }, + { + "type": "URL", + "value": "https://www.cve.org/CVERecord?id=CVE-2022-38900", + }, + ], + "severity": "HIGH", + }, + { + "attributes": { + "fixedVersion": "0.2.1", + "foundIn": "Node.js", + "installedVersion": "0.2.0", + "packageName": "decode-uri-component", + "references": [ + "https://access.redhat.com/errata/RHSA-2023:6316", + "https://access.redhat.com/security/cve/CVE-2022-38900", + "https://bugzilla.redhat.com/2170644", + "https://errata.almalinux.org/9/ALSA-2023-6316.html", + "https://github.com/SamVerschueren/decode-uri-component", + "https://github.com/SamVerschueren/decode-uri-component/commit/746ca5dcb6667c5d364e782d53c542830e4c10b9", + "https://github.com/SamVerschueren/decode-uri-component/issues/5", + "https://github.com/SamVerschueren/decode-uri-component/releases/tag/v0.2.1", + "https://github.com/advisories/GHSA-w573-4hg7-7wgq", + "https://github.com/sindresorhus/query-string/issues/345", + "https://linux.oracle.com/cve/CVE-2022-38900.html", + "https://linux.oracle.com/errata/ELSA-2023-6316.html", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ERN6YE3DS7NBW7UH44SCJBMNC2NWQ7SM/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KAC5KQ2SEWAMQ6UZAUBZ5KXKEOESH375/", + 
"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QABOUA2I542UTANVZIVFKWMRYVHLV32D/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UW4SCMT3SEUFVIL7YIADQ5K36GJEO6I5/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VNV2GNZXOTEDAJRFH3ZYWRUBGIVL7BSU/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ERN6YE3DS7NBW7UH44SCJBMNC2NWQ7SM", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KAC5KQ2SEWAMQ6UZAUBZ5KXKEOESH375", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QABOUA2I542UTANVZIVFKWMRYVHLV32D", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UW4SCMT3SEUFVIL7YIADQ5K36GJEO6I5", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VNV2GNZXOTEDAJRFH3ZYWRUBGIVL7BSU", + "https://nvd.nist.gov/vuln/detail/CVE-2022-38900", + "https://www.cve.org/CVERecord?id=CVE-2022-38900", + ], + "vulnerabilityId": "CVE-2022-38900", + }, + "category": "NPM Package Vulnerability", + "description": "decode-uri-component 0.2.0 is vulnerable to Improper Input Validation resulting in DoS.", + "location": "bkimminich/juice-shop:v12.10.2", + "mitigation": "Update the affected package decode-uri-component to the fixed version: 0.2.1 or remove the package from the image.", + "name": "decode-uri-component: improper input validation resulting in DoS", + "osi_layer": "NOT_APPLICABLE", + "references": [ + { + "type": "CVE", + "value": "CVE-2022-38900", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2022-38900", + }, + { + "type": "URL", + "value": "https://access.redhat.com/errata/RHSA-2023:6316", + }, + { + "type": "URL", + "value": 
"https://access.redhat.com/security/cve/CVE-2022-38900", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/2170644", + }, + { + "type": "URL", + "value": "https://errata.almalinux.org/9/ALSA-2023-6316.html", + }, + { + "type": "URL", + "value": "https://github.com/SamVerschueren/decode-uri-component", + }, + { + "type": "URL", + "value": "https://github.com/SamVerschueren/decode-uri-component/commit/746ca5dcb6667c5d364e782d53c542830e4c10b9", + }, + { + "type": "URL", + "value": "https://github.com/SamVerschueren/decode-uri-component/issues/5", + }, + { + "type": "URL", + "value": "https://github.com/SamVerschueren/decode-uri-component/releases/tag/v0.2.1", + }, + { + "type": "URL", + "value": "https://github.com/advisories/GHSA-w573-4hg7-7wgq", + }, + { + "type": "URL", + "value": "https://github.com/sindresorhus/query-string/issues/345", + }, + { + "type": "URL", + "value": "https://linux.oracle.com/cve/CVE-2022-38900.html", + }, + { + "type": "URL", + "value": "https://linux.oracle.com/errata/ELSA-2023-6316.html", + }, + { + "type": "URL", + "value": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ERN6YE3DS7NBW7UH44SCJBMNC2NWQ7SM/", + }, + { + "type": "URL", + "value": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KAC5KQ2SEWAMQ6UZAUBZ5KXKEOESH375/", + }, + { + "type": "URL", + "value": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QABOUA2I542UTANVZIVFKWMRYVHLV32D/", + }, + { + "type": "URL", + "value": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UW4SCMT3SEUFVIL7YIADQ5K36GJEO6I5/", + }, + { + "type": "URL", + "value": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VNV2GNZXOTEDAJRFH3ZYWRUBGIVL7BSU/", + }, + { + "type": "URL", + "value": 
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ERN6YE3DS7NBW7UH44SCJBMNC2NWQ7SM", + }, + { + "type": "URL", + "value": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KAC5KQ2SEWAMQ6UZAUBZ5KXKEOESH375", + }, + { + "type": "URL", + "value": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QABOUA2I542UTANVZIVFKWMRYVHLV32D", + }, + { + "type": "URL", + "value": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UW4SCMT3SEUFVIL7YIADQ5K36GJEO6I5", + }, + { + "type": "URL", + "value": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VNV2GNZXOTEDAJRFH3ZYWRUBGIVL7BSU", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2022-38900", + }, + { + "type": "URL", + "value": "https://www.cve.org/CVERecord?id=CVE-2022-38900", + }, + ], + "severity": "HIGH", + }, + { + "attributes": { + "fixedVersion": undefined, + "foundIn": "Node.js", + "installedVersion": "0.2.5", + "packageName": "dicer", + "references": [ + "https://access.redhat.com/security/cve/CVE-2022-24434", + "https://github.com/advisories/GHSA-wm7h-9275-46v2", + "https://github.com/mscdex/busboy/issues/250", + "https://github.com/mscdex/dicer", + "https://github.com/mscdex/dicer/commit/b7fca2e93e8e9d4439d8acc5c02f5e54a0112dac", + "https://github.com/mscdex/dicer/pull/22", + "https://github.com/mscdex/dicer/pull/22/commits/b7fca2e93e8e9d4439d8acc5c02f5e54a0112dac", + "https://nvd.nist.gov/vuln/detail/CVE-2022-24434", + "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-2838865", + "https://snyk.io/vuln/SNYK-JS-DICER-2311764", + "https://www.cve.org/CVERecord?id=CVE-2022-24434", + ], + "vulnerabilityId": "CVE-2022-24434", + }, + "category": "NPM Package Vulnerability", + "description": "This affects all versions of package dicer. 
A malicious attacker can send a modified form to server, and crash the nodejs service. An attacker could sent the payload again and again so that the service continuously crashes.", + "location": "bkimminich/juice-shop:v12.10.2", + "mitigation": "Update the affected package dicer to the fixed version: undefined or remove the package from the image.", + "name": "dicer: nodejs service crash by sending a crafted payload", + "osi_layer": "NOT_APPLICABLE", + "references": [ + { + "type": "CVE", + "value": "CVE-2022-24434", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2022-24434", + }, + { + "type": "URL", + "value": "https://access.redhat.com/security/cve/CVE-2022-24434", + }, + { + "type": "URL", + "value": "https://github.com/advisories/GHSA-wm7h-9275-46v2", + }, + { + "type": "URL", + "value": "https://github.com/mscdex/busboy/issues/250", + }, + { + "type": "URL", + "value": "https://github.com/mscdex/dicer", + }, + { + "type": "URL", + "value": "https://github.com/mscdex/dicer/commit/b7fca2e93e8e9d4439d8acc5c02f5e54a0112dac", + }, + { + "type": "URL", + "value": "https://github.com/mscdex/dicer/pull/22", + }, + { + "type": "URL", + "value": "https://github.com/mscdex/dicer/pull/22/commits/b7fca2e93e8e9d4439d8acc5c02f5e54a0112dac", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2022-24434", + }, + { + "type": "URL", + "value": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-2838865", + }, + { + "type": "URL", + "value": "https://snyk.io/vuln/SNYK-JS-DICER-2311764", + }, + { + "type": "URL", + "value": "https://www.cve.org/CVERecord?id=CVE-2022-24434", + }, + ], + "severity": "HIGH", + }, + { + "attributes": { + "fixedVersion": "3.5.0", + "foundIn": "Node.js", + "installedVersion": "1.0.2", + "packageName": "diff", + "references": [ + "https://bugzilla.redhat.com/show_bug.cgi?id=1552148", + "https://github.com/kpdecker/jsdiff/commit/2aec4298639bf30fb88a00b356bf404d3551b8c0", + 
"https://snyk.io/vuln/npm:diff:20180305", + "https://www.npmjs.com/advisories/1631", + "https://www.whitesourcesoftware.com/vulnerability-database/WS-2018-0590", + ], + "vulnerabilityId": "GHSA-h6ch-v84p-w6p9", + }, + "category": "NPM Package Vulnerability", + "description": "A vulnerability was found in diff before v3.5.0, the affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) attacks.", + "location": "bkimminich/juice-shop:v12.10.2", + "mitigation": "Update the affected package diff to the fixed version: 3.5.0 or remove the package from the image.", + "name": "Regular Expression Denial of Service (ReDoS)", + "osi_layer": "NOT_APPLICABLE", + "references": [ + { + "type": "URL", + "value": "https://bugzilla.redhat.com/show_bug.cgi?id=1552148", + }, + { + "type": "URL", + "value": "https://github.com/kpdecker/jsdiff/commit/2aec4298639bf30fb88a00b356bf404d3551b8c0", + }, + { + "type": "URL", + "value": "https://snyk.io/vuln/npm:diff:20180305", + }, + { + "type": "URL", + "value": "https://www.npmjs.com/advisories/1631", + }, + { + "type": "URL", + "value": "https://www.whitesourcesoftware.com/vulnerability-database/WS-2018-0590", + }, + ], + "severity": "HIGH", + }, + { + "attributes": { + "fixedVersion": "2.0.4", + "foundIn": "Node.js", + "installedVersion": "2.0.2", + "packageName": "dottie", + "references": [ + "https://github.com/mickhansen/dottie.js", + "https://github.com/mickhansen/dottie.js/blob/b48e22714aae4489ea6276452f22cc61980ba5a4/dottie.js#L107", + "https://github.com/mickhansen/dottie.js/blob/b48e22714aae4489ea6276452f22cc61980ba5a4/dottie.js%23L107", + "https://github.com/mickhansen/dottie.js/commit/7d3aee1c9c3c842720506e131de7e181e5c8db68", + "https://nvd.nist.gov/vuln/detail/CVE-2023-26132", + "https://security.snyk.io/vuln/SNYK-JS-DOTTIE-3332763", + "https://www.cve.org/CVERecord?id=CVE-2023-26132", + ], + "vulnerabilityId": "CVE-2023-26132", + }, + "category": "NPM Package Vulnerability", + 
"description": "Versions of the package dottie before 2.0.4 are vulnerable to Prototype Pollution due to insufficient checks, via the set() function and the current variable in the /dottie.js file.", + "location": "bkimminich/juice-shop:v12.10.2", + "mitigation": "Update the affected package dottie to the fixed version: 2.0.4 or remove the package from the image.", + "name": "Versions of the package dottie before 2.0.4 are vulnerable to Prototyp ...", + "osi_layer": "NOT_APPLICABLE", + "references": [ + { + "type": "CVE", + "value": "CVE-2023-26132", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2023-26132", + }, + { + "type": "URL", + "value": "https://github.com/mickhansen/dottie.js", + }, + { + "type": "URL", + "value": "https://github.com/mickhansen/dottie.js/blob/b48e22714aae4489ea6276452f22cc61980ba5a4/dottie.js#L107", + }, + { + "type": "URL", + "value": "https://github.com/mickhansen/dottie.js/blob/b48e22714aae4489ea6276452f22cc61980ba5a4/dottie.js%23L107", + }, + { + "type": "URL", + "value": "https://github.com/mickhansen/dottie.js/commit/7d3aee1c9c3c842720506e131de7e181e5c8db68", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2023-26132", + }, + { + "type": "URL", + "value": "https://security.snyk.io/vuln/SNYK-JS-DOTTIE-3332763", + }, + { + "type": "URL", + "value": "https://www.cve.org/CVERecord?id=CVE-2023-26132", + }, + ], + "severity": "HIGH", + }, + { + "attributes": { + "fixedVersion": "4.1.2, 5.2.1, 6.1.1", + "foundIn": "Node.js", + "installedVersion": "4.1.1", + "packageName": "engine.io", + "references": [ + "https://github.com/socketio/engine.io", + "https://github.com/socketio/engine.io/commit/66f889fc1d966bf5bfa0de1939069153643874ab", + "https://github.com/socketio/engine.io/commit/a70800d7e96da32f6e6622804ef659ebc58659db", + "https://github.com/socketio/engine.io/commit/c0e194d44933bd83bf9a4b126fca68ba7bf5098c", + "https://github.com/socketio/engine.io/releases/tag/4.1.2", + 
"https://github.com/socketio/engine.io/releases/tag/5.2.1", + "https://github.com/socketio/engine.io/releases/tag/6.1.1", + "https://github.com/socketio/engine.io/security/advisories/GHSA-273r-mgr4-v34f", + "https://nvd.nist.gov/vuln/detail/CVE-2022-21676", + "https://security.netapp.com/advisory/ntap-20220209-0002", + "https://security.netapp.com/advisory/ntap-20220209-0002/", + ], + "vulnerabilityId": "CVE-2022-21676", + }, + "category": "NPM Package Vulnerability", + "description": "Engine.IO is the implementation of transport-based cross-browser/cross-device bi-directional communication layer for Socket.IO. A specially crafted HTTP request can trigger an uncaught exception on the Engine.IO server, thus killing the Node.js process. This impacts all the users of the \`engine.io\` package starting from version \`4.0.0\`, including those who uses depending packages like \`socket.io\`. Versions prior to \`4.0.0\` are not impacted. A fix has been released for each major branch, namely \`4.1.2\` for the \`4.x.x\` branch, \`5.2.1\` for the \`5.x.x\` branch, and \`6.1.1\` for the \`6.x.x\` branch. 
There is no known workaround except upgrading to a safe version.", + "location": "bkimminich/juice-shop:v12.10.2", + "mitigation": "Update the affected package engine.io to the fixed version: 4.1.2, 5.2.1, 6.1.1 or remove the package from the image.", + "name": "Uncaught Exception in engine.io", + "osi_layer": "NOT_APPLICABLE", + "references": [ + { + "type": "CVE", + "value": "CVE-2022-21676", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2022-21676", + }, + { + "type": "URL", + "value": "https://github.com/socketio/engine.io", + }, + { + "type": "URL", + "value": "https://github.com/socketio/engine.io/commit/66f889fc1d966bf5bfa0de1939069153643874ab", + }, + { + "type": "URL", + "value": "https://github.com/socketio/engine.io/commit/a70800d7e96da32f6e6622804ef659ebc58659db", + }, + { + "type": "URL", + "value": "https://github.com/socketio/engine.io/commit/c0e194d44933bd83bf9a4b126fca68ba7bf5098c", + }, + { + "type": "URL", + "value": "https://github.com/socketio/engine.io/releases/tag/4.1.2", + }, + { + "type": "URL", + "value": "https://github.com/socketio/engine.io/releases/tag/5.2.1", + }, + { + "type": "URL", + "value": "https://github.com/socketio/engine.io/releases/tag/6.1.1", + }, + { + "type": "URL", + "value": "https://github.com/socketio/engine.io/security/advisories/GHSA-273r-mgr4-v34f", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2022-21676", + }, + { + "type": "URL", + "value": "https://security.netapp.com/advisory/ntap-20220209-0002", + }, + { + "type": "URL", + "value": "https://security.netapp.com/advisory/ntap-20220209-0002/", + }, + ], + "severity": "HIGH", + }, + { + "attributes": { + "fixedVersion": "3.6.1, 6.2.1", + "foundIn": "Node.js", + "installedVersion": "4.1.1", + "packageName": "engine.io", + "references": [ + "https://access.redhat.com/security/cve/CVE-2022-41940", + "https://github.com/socketio/engine.io", + 
"https://github.com/socketio/engine.io/commit/425e833ab13373edf1dd5a0706f07100db14e3c6", + "https://github.com/socketio/engine.io/commit/83c4071af871fc188298d7d591e95670bf9f9085", + "https://github.com/socketio/engine.io/security/advisories/GHSA-r7qp-cfhv-p84w", + "https://nvd.nist.gov/vuln/detail/CVE-2022-41940", + "https://www.cve.org/CVERecord?id=CVE-2022-41940", + ], + "vulnerabilityId": "CVE-2022-41940", + }, + "category": "NPM Package Vulnerability", + "description": "Engine.IO is the implementation of transport-based cross-browser/cross-device bi-directional communication layer for Socket.IO. A specially crafted HTTP request can trigger an uncaught exception on the Engine.IO server, thus killing the Node.js process. This impacts all the users of the engine.io package, including those who uses depending packages like socket.io. There is no known workaround except upgrading to a safe version. There are patches for this issue released in versions 3.6.1 and 6.2.1.", + "location": "bkimminich/juice-shop:v12.10.2", + "mitigation": "Update the affected package engine.io to the fixed version: 3.6.1, 6.2.1 or remove the package from the image.", + "name": "engine.io: Specially crafted HTTP request can trigger an uncaught exception", + "osi_layer": "NOT_APPLICABLE", + "references": [ + { + "type": "CVE", + "value": "CVE-2022-41940", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2022-41940", + }, + { + "type": "URL", + "value": "https://access.redhat.com/security/cve/CVE-2022-41940", + }, + { + "type": "URL", + "value": "https://github.com/socketio/engine.io", + }, + { + "type": "URL", + "value": "https://github.com/socketio/engine.io/commit/425e833ab13373edf1dd5a0706f07100db14e3c6", + }, + { + "type": "URL", + "value": "https://github.com/socketio/engine.io/commit/83c4071af871fc188298d7d591e95670bf9f9085", + }, + { + "type": "URL", + "value": "https://github.com/socketio/engine.io/security/advisories/GHSA-r7qp-cfhv-p84w", + }, + { + 
"type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2022-41940", + }, + { + "type": "URL", + "value": "https://www.cve.org/CVERecord?id=CVE-2022-41940", + }, + ], + "severity": "MEDIUM", + }, + { + "attributes": { + "fixedVersion": "0.10.63", + "foundIn": "Node.js", + "installedVersion": "0.10.53", + "packageName": "es5-ext", + "references": [ + "https://github.com/medikoo/es5-ext", + "https://github.com/medikoo/es5-ext/commit/3551cdd7b2db08b1632841f819d008757d28e8e2", + "https://github.com/medikoo/es5-ext/commit/a52e95736690ad1d465ebcd9791d54570e294602", + "https://github.com/medikoo/es5-ext/issues/201", + "https://github.com/medikoo/es5-ext/security/advisories/GHSA-4gmj-3p3h-gm8h", + "https://nvd.nist.gov/vuln/detail/CVE-2024-27088", + ], + "vulnerabilityId": "CVE-2024-27088", + }, + "category": "NPM Package Vulnerability", + "description": "es5-ext contains ECMAScript 5 extensions. Passing functions with very long names or complex default argument names into \`function#copy\` or \`function#toStringTokens\` may cause the script to stall. The vulnerability is patched in v0.10.63.", + "location": "bkimminich/juice-shop:v12.10.2", + "mitigation": "Update the affected package es5-ext to the fixed version: 0.10.63 or remove the package from the image.", + "name": "es5-ext contains ECMAScript 5 extensions. 
Passing functions with very ...", + "osi_layer": "NOT_APPLICABLE", + "references": [ + { + "type": "CVE", + "value": "CVE-2024-27088", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2024-27088", + }, + { + "type": "URL", + "value": "https://github.com/medikoo/es5-ext", + }, + { + "type": "URL", + "value": "https://github.com/medikoo/es5-ext/commit/3551cdd7b2db08b1632841f819d008757d28e8e2", + }, + { + "type": "URL", + "value": "https://github.com/medikoo/es5-ext/commit/a52e95736690ad1d465ebcd9791d54570e294602", + }, + { + "type": "URL", + "value": "https://github.com/medikoo/es5-ext/issues/201", + }, + { + "type": "URL", + "value": "https://github.com/medikoo/es5-ext/security/advisories/GHSA-4gmj-3p3h-gm8h", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2024-27088", + }, + ], + "severity": "LOW", + }, + { + "attributes": { + "fixedVersion": "4.19.2, 5.0.0-beta.3", + "foundIn": "Node.js", + "installedVersion": "4.17.1", + "packageName": "express", + "references": [ + "https://access.redhat.com/security/cve/CVE-2024-29041", + "https://expressjs.com/en/4x/api.html#res.location", + "https://github.com/expressjs/express", + "https://github.com/expressjs/express/commit/0867302ddbde0e9463d0564fea5861feb708c2dd", + "https://github.com/expressjs/express/commit/0b746953c4bd8e377123527db11f9cd866e39f94", + "https://github.com/expressjs/express/pull/5539", + "https://github.com/expressjs/express/security/advisories/GHSA-rv95-896h-c2vc", + "https://github.com/koajs/koa/issues/1800", + "https://nvd.nist.gov/vuln/detail/CVE-2024-29041", + "https://www.cve.org/CVERecord?id=CVE-2024-29041", + ], + "vulnerabilityId": "CVE-2024-29041", + }, + "category": "NPM Package Vulnerability", + "description": "Express.js minimalist web framework for node. Versions of Express.js prior to 4.19.0 and all pre-release alpha and beta versions of 5.0 are affected by an open redirect vulnerability using malformed URLs. 
When a user of Express performs a redirect using a user-provided URL Express performs an encode [using \`encodeurl\`](https://github.com/pillarjs/encodeurl) on the contents before passing it to the \`location\` header. This can cause malformed URLs to be evaluated in unexpected ways by common redirect allow list implementations in Express applications, leading to an Open Redirect via bypass of a properly implemented allow list. The main method impacted is \`res.location()\` but this is also called from within \`res.redirect()\`. The vulnerability is fixed in 4.19.2 and 5.0.0-beta.3.", + "location": "bkimminich/juice-shop:v12.10.2", + "mitigation": "Update the affected package express to the fixed version: 4.19.2, 5.0.0-beta.3 or remove the package from the image.", + "name": "express: cause malformed URLs to be evaluated", + "osi_layer": "NOT_APPLICABLE", + "references": [ + { + "type": "CVE", + "value": "CVE-2024-29041", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2024-29041", + }, + { + "type": "URL", + "value": "https://access.redhat.com/security/cve/CVE-2024-29041", + }, + { + "type": "URL", + "value": "https://expressjs.com/en/4x/api.html#res.location", + }, + { + "type": "URL", + "value": "https://github.com/expressjs/express", + }, + { + "type": "URL", + "value": "https://github.com/expressjs/express/commit/0867302ddbde0e9463d0564fea5861feb708c2dd", + }, + { + "type": "URL", + "value": "https://github.com/expressjs/express/commit/0b746953c4bd8e377123527db11f9cd866e39f94", + }, + { + "type": "URL", + "value": "https://github.com/expressjs/express/pull/5539", + }, + { + "type": "URL", + "value": "https://github.com/expressjs/express/security/advisories/GHSA-rv95-896h-c2vc", + }, + { + "type": "URL", + "value": "https://github.com/koajs/koa/issues/1800", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2024-29041", + }, + { + "type": "URL", + "value": "https://www.cve.org/CVERecord?id=CVE-2024-29041", + 
}, + ], + "severity": "MEDIUM", + }, + { + "attributes": { + "fixedVersion": "4.20.0, 5.0.0", + "foundIn": "Node.js", + "installedVersion": "4.17.1", + "packageName": "express", + "references": [ + "https://access.redhat.com/security/cve/CVE-2024-43796", + "https://github.com/expressjs/express", + "https://github.com/expressjs/express/commit/54271f69b511fea198471e6ff3400ab805d6b553", + "https://github.com/expressjs/express/security/advisories/GHSA-qw6h-vgh9-j6wx", + "https://nvd.nist.gov/vuln/detail/CVE-2024-43796", + "https://www.cve.org/CVERecord?id=CVE-2024-43796", + ], + "vulnerabilityId": "CVE-2024-43796", + }, + "category": "NPM Package Vulnerability", + "description": "Express.js minimalist web framework for node. In express < 4.20.0, passing untrusted user input - even after sanitizing it - to response.redirect() may execute untrusted code. This issue is patched in express 4.20.0.", + "location": "bkimminich/juice-shop:v12.10.2", + "mitigation": "Update the affected package express to the fixed version: 4.20.0, 5.0.0 or remove the package from the image.", + "name": "express: Improper Input Handling in Express Redirects", + "osi_layer": "NOT_APPLICABLE", + "references": [ + { + "type": "CVE", + "value": "CVE-2024-43796", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2024-43796", + }, + { + "type": "URL", + "value": "https://access.redhat.com/security/cve/CVE-2024-43796", + }, + { + "type": "URL", + "value": "https://github.com/expressjs/express", + }, + { + "type": "URL", + "value": "https://github.com/expressjs/express/commit/54271f69b511fea198471e6ff3400ab805d6b553", + }, + { + "type": "URL", + "value": "https://github.com/expressjs/express/security/advisories/GHSA-qw6h-vgh9-j6wx", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2024-43796", + }, + { + "type": "URL", + "value": "https://www.cve.org/CVERecord?id=CVE-2024-43796", + }, + ], + "severity": "MEDIUM", + }, + { + "attributes": { + 
"fixedVersion": "6.0.0", + "foundIn": "Node.js", + "installedVersion": "0.1.3", + "packageName": "express-jwt", + "references": [ + "https://github.com/auth0/express-jwt/commit/7ecab5f8f0cab5297c2b863596566eb0c019cdef", + "https://github.com/auth0/express-jwt/security/advisories/GHSA-6g6m-m6h5-w9gf", + "https://nvd.nist.gov/vuln/detail/CVE-2020-15084", + ], + "vulnerabilityId": "CVE-2020-15084", + }, + "category": "NPM Package Vulnerability", + "description": "In express-jwt (NPM package) up and including version 5.3.3, the algorithms entry to be specified in the configuration is not being enforced. When algorithms is not specified in the configuration, with the combination of jwks-rsa, it may lead to authorization bypass. You are affected by this vulnerability if all of the following conditions apply: - You are using express-jwt - You do not have **algorithms** configured in your express-jwt configuration. - You are using libraries such as jwks-rsa as the **secret**. You can fix this by specifying **algorithms** in the express-jwt configuration. See linked GHSA for example. 
This is also fixed in version 6.0.0.", + "location": "bkimminich/juice-shop:v12.10.2", + "mitigation": "Update the affected package express-jwt to the fixed version: 6.0.0 or remove the package from the image.", + "name": "Authorization bypass in express-jwt", + "osi_layer": "NOT_APPLICABLE", + "references": [ + { + "type": "CVE", + "value": "CVE-2020-15084", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2020-15084", + }, + { + "type": "URL", + "value": "https://github.com/auth0/express-jwt/commit/7ecab5f8f0cab5297c2b863596566eb0c019cdef", + }, + { + "type": "URL", + "value": "https://github.com/auth0/express-jwt/security/advisories/GHSA-6g6m-m6h5-w9gf", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2020-15084", + }, + ], + "severity": "HIGH", + }, + { + "attributes": { + "fixedVersion": "16.5.4, 17.1.3", + "foundIn": "Node.js", + "installedVersion": "16.5.3", + "packageName": "file-type", + "references": [ + "https://access.redhat.com/security/cve/CVE-2022-36313", + "https://github.com/sindresorhus/file-type", + "https://github.com/sindresorhus/file-type/commit/2c4d1200c99dffb7d515b9b9951ef43c22bf7e47", + "https://github.com/sindresorhus/file-type/commit/8f981c32e2750d2516457e305e502ee2ad715759#diff-c853b2249e99790d8725774cf63c90c5ab17112067df6e267f3701d7bf591d12", + "https://github.com/sindresorhus/file-type/commit/d86835680f4cccbee1a60628783c36700ec9e254", + "https://github.com/sindresorhus/file-type/compare/v12.4.2...v13.0.0#diff-c853b2249e99790d8725774cf63c90c5ab17112067df6e267f3701d7bf591d12R611-R613", + "https://github.com/sindresorhus/file-type/releases/tag/v16.5.4", + "https://github.com/sindresorhus/file-type/releases/tag/v17.1.3", + "https://nvd.nist.gov/vuln/detail/CVE-2022-36313", + "https://security.netapp.com/advisory/ntap-20220909-0005", + "https://security.netapp.com/advisory/ntap-20220909-0005/", + "https://security.snyk.io/vuln/SNYK-JS-FILETYPE-2958042", + 
"https://www.cve.org/CVERecord?id=CVE-2022-36313", + "https://www.npmjs.com/package/file-type", + ], + "vulnerabilityId": "CVE-2022-36313", + }, + "category": "NPM Package Vulnerability", + "description": "An issue was discovered in the file-type package before 16.5.4 and 17.x before 17.1.3 for Node.js. A malformed MKV file could cause the file type detector to get caught in an infinite loop. This would make the application become unresponsive and could be used to cause a DoS attack.", + "location": "bkimminich/juice-shop:v12.10.2", + "mitigation": "Update the affected package file-type to the fixed version: 16.5.4, 17.1.3 or remove the package from the image.", + "name": "file-type: a malformed MKV file could cause the file type detector to get caught in an infinite loop", + "osi_layer": "NOT_APPLICABLE", + "references": [ + { + "type": "CVE", + "value": "CVE-2022-36313", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2022-36313", + }, + { + "type": "URL", + "value": "https://access.redhat.com/security/cve/CVE-2022-36313", + }, + { + "type": "URL", + "value": "https://github.com/sindresorhus/file-type", + }, + { + "type": "URL", + "value": "https://github.com/sindresorhus/file-type/commit/2c4d1200c99dffb7d515b9b9951ef43c22bf7e47", + }, + { + "type": "URL", + "value": "https://github.com/sindresorhus/file-type/commit/8f981c32e2750d2516457e305e502ee2ad715759#diff-c853b2249e99790d8725774cf63c90c5ab17112067df6e267f3701d7bf591d12", + }, + { + "type": "URL", + "value": "https://github.com/sindresorhus/file-type/commit/d86835680f4cccbee1a60628783c36700ec9e254", + }, + { + "type": "URL", + "value": "https://github.com/sindresorhus/file-type/compare/v12.4.2...v13.0.0#diff-c853b2249e99790d8725774cf63c90c5ab17112067df6e267f3701d7bf591d12R611-R613", + }, + { + "type": "URL", + "value": "https://github.com/sindresorhus/file-type/releases/tag/v16.5.4", + }, + { + "type": "URL", + "value": 
"https://github.com/sindresorhus/file-type/releases/tag/v17.1.3", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2022-36313", + }, + { + "type": "URL", + "value": "https://security.netapp.com/advisory/ntap-20220909-0005", + }, + { + "type": "URL", + "value": "https://security.netapp.com/advisory/ntap-20220909-0005/", + }, + { + "type": "URL", + "value": "https://security.snyk.io/vuln/SNYK-JS-FILETYPE-2958042", + }, + { + "type": "URL", + "value": "https://www.cve.org/CVERecord?id=CVE-2022-36313", + }, + { + "type": "URL", + "value": "https://www.npmjs.com/package/file-type", + }, + ], + "severity": "HIGH", + }, + { + "attributes": { + "fixedVersion": "12.1.0, 11.8.5", + "foundIn": "Node.js", + "installedVersion": "6.7.1", + "packageName": "got", + "references": [ + "https://access.redhat.com/errata/RHSA-2022:6595", + "https://access.redhat.com/security/cve/CVE-2022-33987", + "https://bugzilla.redhat.com/1907444", + "https://bugzilla.redhat.com/1945459", + "https://bugzilla.redhat.com/1964461", + "https://bugzilla.redhat.com/2007557", + "https://bugzilla.redhat.com/2098556", + "https://bugzilla.redhat.com/2102001", + "https://bugzilla.redhat.com/2105422", + "https://bugzilla.redhat.com/2105426", + "https://bugzilla.redhat.com/2105428", + "https://bugzilla.redhat.com/2105430", + "https://errata.almalinux.org/9/ALSA-2022-6595.html", + "https://github.com/sindresorhus/got", + "https://github.com/sindresorhus/got/commit/861ccd9ac2237df762a9e2beed7edd88c60782dc", + "https://github.com/sindresorhus/got/compare/v12.0.3...v12.1.0", + "https://github.com/sindresorhus/got/pull/2047", + "https://github.com/sindresorhus/got/releases/tag/v11.8.5", + "https://github.com/sindresorhus/got/releases/tag/v12.1.0", + "https://linux.oracle.com/cve/CVE-2022-33987.html", + "https://linux.oracle.com/errata/ELSA-2022-6595.html", + "https://nvd.nist.gov/vuln/detail/CVE-2022-33987", + "https://www.cve.org/CVERecord?id=CVE-2022-33987", + ], + "vulnerabilityId": 
"CVE-2022-33987", + }, + "category": "NPM Package Vulnerability", + "description": "The got package before 12.1.0 (also fixed in 11.8.5) for Node.js allows a redirect to a UNIX socket.", + "location": "bkimminich/juice-shop:v12.10.2", + "mitigation": "Update the affected package got to the fixed version: 12.1.0, 11.8.5 or remove the package from the image.", + "name": "nodejs-got: missing verification of requested URLs allows redirects to UNIX sockets", + "osi_layer": "NOT_APPLICABLE", + "references": [ + { + "type": "CVE", + "value": "CVE-2022-33987", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2022-33987", + }, + { + "type": "URL", + "value": "https://access.redhat.com/errata/RHSA-2022:6595", + }, + { + "type": "URL", + "value": "https://access.redhat.com/security/cve/CVE-2022-33987", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/1907444", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/1945459", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/1964461", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/2007557", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/2098556", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/2102001", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/2105422", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/2105426", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/2105428", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/2105430", + }, + { + "type": "URL", + "value": "https://errata.almalinux.org/9/ALSA-2022-6595.html", + }, + { + "type": "URL", + "value": "https://github.com/sindresorhus/got", + }, + { + "type": "URL", + "value": "https://github.com/sindresorhus/got/commit/861ccd9ac2237df762a9e2beed7edd88c60782dc", + }, + { + "type": "URL", + "value": "https://github.com/sindresorhus/got/compare/v12.0.3...v12.1.0", + }, + { + 
"type": "URL", + "value": "https://github.com/sindresorhus/got/pull/2047", + }, + { + "type": "URL", + "value": "https://github.com/sindresorhus/got/releases/tag/v11.8.5", + }, + { + "type": "URL", + "value": "https://github.com/sindresorhus/got/releases/tag/v12.1.0", + }, + { + "type": "URL", + "value": "https://linux.oracle.com/cve/CVE-2022-33987.html", + }, + { + "type": "URL", + "value": "https://linux.oracle.com/errata/ELSA-2022-6595.html", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2022-33987", + }, + { + "type": "URL", + "value": "https://www.cve.org/CVERecord?id=CVE-2022-33987", + }, + ], + "severity": "MEDIUM", + }, + { + "attributes": { + "fixedVersion": "12.1.0, 11.8.5", + "foundIn": "Node.js", + "installedVersion": "8.3.2", + "packageName": "got", + "references": [ + "https://access.redhat.com/errata/RHSA-2022:6595", + "https://access.redhat.com/security/cve/CVE-2022-33987", + "https://bugzilla.redhat.com/1907444", + "https://bugzilla.redhat.com/1945459", + "https://bugzilla.redhat.com/1964461", + "https://bugzilla.redhat.com/2007557", + "https://bugzilla.redhat.com/2098556", + "https://bugzilla.redhat.com/2102001", + "https://bugzilla.redhat.com/2105422", + "https://bugzilla.redhat.com/2105426", + "https://bugzilla.redhat.com/2105428", + "https://bugzilla.redhat.com/2105430", + "https://errata.almalinux.org/9/ALSA-2022-6595.html", + "https://github.com/sindresorhus/got", + "https://github.com/sindresorhus/got/commit/861ccd9ac2237df762a9e2beed7edd88c60782dc", + "https://github.com/sindresorhus/got/compare/v12.0.3...v12.1.0", + "https://github.com/sindresorhus/got/pull/2047", + "https://github.com/sindresorhus/got/releases/tag/v11.8.5", + "https://github.com/sindresorhus/got/releases/tag/v12.1.0", + "https://linux.oracle.com/cve/CVE-2022-33987.html", + "https://linux.oracle.com/errata/ELSA-2022-6595.html", + "https://nvd.nist.gov/vuln/detail/CVE-2022-33987", + "https://www.cve.org/CVERecord?id=CVE-2022-33987", + ], + 
"vulnerabilityId": "CVE-2022-33987", + }, + "category": "NPM Package Vulnerability", + "description": "The got package before 12.1.0 (also fixed in 11.8.5) for Node.js allows a redirect to a UNIX socket.", + "location": "bkimminich/juice-shop:v12.10.2", + "mitigation": "Update the affected package got to the fixed version: 12.1.0, 11.8.5 or remove the package from the image.", + "name": "nodejs-got: missing verification of requested URLs allows redirects to UNIX sockets", + "osi_layer": "NOT_APPLICABLE", + "references": [ + { + "type": "CVE", + "value": "CVE-2022-33987", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2022-33987", + }, + { + "type": "URL", + "value": "https://access.redhat.com/errata/RHSA-2022:6595", + }, + { + "type": "URL", + "value": "https://access.redhat.com/security/cve/CVE-2022-33987", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/1907444", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/1945459", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/1964461", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/2007557", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/2098556", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/2102001", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/2105422", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/2105426", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/2105428", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/2105430", + }, + { + "type": "URL", + "value": "https://errata.almalinux.org/9/ALSA-2022-6595.html", + }, + { + "type": "URL", + "value": "https://github.com/sindresorhus/got", + }, + { + "type": "URL", + "value": "https://github.com/sindresorhus/got/commit/861ccd9ac2237df762a9e2beed7edd88c60782dc", + }, + { + "type": "URL", + "value": 
"https://github.com/sindresorhus/got/compare/v12.0.3...v12.1.0", + }, + { + "type": "URL", + "value": "https://github.com/sindresorhus/got/pull/2047", + }, + { + "type": "URL", + "value": "https://github.com/sindresorhus/got/releases/tag/v11.8.5", + }, + { + "type": "URL", + "value": "https://github.com/sindresorhus/got/releases/tag/v12.1.0", + }, + { + "type": "URL", + "value": "https://linux.oracle.com/cve/CVE-2022-33987.html", + }, + { + "type": "URL", + "value": "https://linux.oracle.com/errata/ELSA-2022-6595.html", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2022-33987", + }, + { + "type": "URL", + "value": "https://www.cve.org/CVERecord?id=CVE-2022-33987", + }, + ], + "severity": "MEDIUM", + }, + { + "attributes": { + "fixedVersion": "1.10.0", + "foundIn": "Node.js", + "installedVersion": "1.5.1", + "packageName": "growl", + "references": [ + "https://access.redhat.com/security/cve/CVE-2017-16042", + "https://github.com/tj/node-growl", + "https://github.com/tj/node-growl/commit/d71177d5331c9de4658aca62e0ac921f178b0669", + "https://github.com/tj/node-growl/issues/60", + "https://github.com/tj/node-growl/pull/61", + "https://github.com/tj/node-growl/pull/62", + "https://nodesecurity.io/advisories/146", + "https://nvd.nist.gov/vuln/detail/CVE-2017-16042", + "https://www.cve.org/CVERecord?id=CVE-2017-16042", + "https://www.npmjs.com/advisories/146", + ], + "vulnerabilityId": "CVE-2017-16042", + }, + "category": "NPM Package Vulnerability", + "description": "Growl adds growl notification support to nodejs. 
Growl before 1.10.2 does not properly sanitize input before passing it to exec, allowing for arbitrary command execution.", + "location": "bkimminich/juice-shop:v12.10.2", + "mitigation": "Update the affected package growl to the fixed version: 1.10.0 or remove the package from the image.", + "name": "nodejs-growl: Does not properly sanitize input before passing it to exec", + "osi_layer": "NOT_APPLICABLE", + "references": [ + { + "type": "CVE", + "value": "CVE-2017-16042", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2017-16042", + }, + { + "type": "URL", + "value": "https://access.redhat.com/security/cve/CVE-2017-16042", + }, + { + "type": "URL", + "value": "https://github.com/tj/node-growl", + }, + { + "type": "URL", + "value": "https://github.com/tj/node-growl/commit/d71177d5331c9de4658aca62e0ac921f178b0669", + }, + { + "type": "URL", + "value": "https://github.com/tj/node-growl/issues/60", + }, + { + "type": "URL", + "value": "https://github.com/tj/node-growl/pull/61", + }, + { + "type": "URL", + "value": "https://github.com/tj/node-growl/pull/62", + }, + { + "type": "URL", + "value": "https://nodesecurity.io/advisories/146", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2017-16042", + }, + { + "type": "URL", + "value": "https://www.cve.org/CVERecord?id=CVE-2017-16042", + }, + { + "type": "URL", + "value": "https://www.npmjs.com/advisories/146", + }, + ], + "severity": "HIGH", + }, + { + "attributes": { + "fixedVersion": "1.5.3", + "foundIn": "Node.js", + "installedVersion": "1.4.1", + "packageName": "grunt", + "references": [ + "https://access.redhat.com/security/cve/CVE-2022-1537", + "https://github.com/gruntjs/grunt", + "https://github.com/gruntjs/grunt/commit/58016ffac5ed9338b63ecc2a63710f5027362bae", + "https://huntr.dev/bounties/0179c3e5-bc02-4fc9-8491-a1a319b51b4d", + "https://lists.debian.org/debian-lts-announce/2023/04/msg00006.html", + "https://nvd.nist.gov/vuln/detail/CVE-2022-1537", + 
"https://ubuntu.com/security/notices/USN-5847-1", + "https://www.cve.org/CVERecord?id=CVE-2022-1537", + ], + "vulnerabilityId": "CVE-2022-1537", + }, + "category": "NPM Package Vulnerability", + "description": "file.copy operations in GruntJS are vulnerable to a TOCTOU race condition leading to arbitrary file write in GitHub repository gruntjs/grunt prior to 1.5.3. This vulnerability is capable of arbitrary file writes which can lead to local privilege escalation to the GruntJS user if a lower-privileged user has write access to both source and destination directories as the lower-privileged user can create a symlink to the GruntJS user's .bashrc file or replace /etc/shadow file if the GruntJS user is root.", + "location": "bkimminich/juice-shop:v12.10.2", + "mitigation": "Update the affected package grunt to the fixed version: 1.5.3 or remove the package from the image.", + "name": "gruntjs: race condition leading to arbitrary file write", + "osi_layer": "NOT_APPLICABLE", + "references": [ + { + "type": "CVE", + "value": "CVE-2022-1537", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2022-1537", + }, + { + "type": "URL", + "value": "https://access.redhat.com/security/cve/CVE-2022-1537", + }, + { + "type": "URL", + "value": "https://github.com/gruntjs/grunt", + }, + { + "type": "URL", + "value": "https://github.com/gruntjs/grunt/commit/58016ffac5ed9338b63ecc2a63710f5027362bae", + }, + { + "type": "URL", + "value": "https://huntr.dev/bounties/0179c3e5-bc02-4fc9-8491-a1a319b51b4d", + }, + { + "type": "URL", + "value": "https://lists.debian.org/debian-lts-announce/2023/04/msg00006.html", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2022-1537", + }, + { + "type": "URL", + "value": "https://ubuntu.com/security/notices/USN-5847-1", + }, + { + "type": "URL", + "value": "https://www.cve.org/CVERecord?id=CVE-2022-1537", + }, + ], + "severity": "HIGH", + }, + { + "attributes": { + "fixedVersion": "1.5.2", + "foundIn": 
"Node.js", + "installedVersion": "1.4.1", + "packageName": "grunt", + "references": [ + "https://github.com/gruntjs/grunt", + "https://github.com/gruntjs/grunt/commit/aad3d4521c3098fb255fb2db8f2e1d691a033665", + "https://github.com/gruntjs/grunt/commit/aad3d4521c3098fb255fb2db8f2e1d691a033665 (v1.5.0)", + "https://github.com/gruntjs/grunt/commit/b0ec6e12426fc8d5720dee1702f6a67455c5986c", + "https://github.com/gruntjs/grunt/pull/1740", + "https://github.com/gruntjs/grunt/pull/1743", + "https://huntr.dev/bounties/f55315e9-9f6d-4dbb-8c40-bae50c1ae92b", + "https://lists.debian.org/debian-lts-announce/2023/04/msg00008.html", + "https://nvd.nist.gov/vuln/detail/CVE-2022-0436", + "https://ubuntu.com/security/notices/USN-5847-1", + "https://www.cve.org/CVERecord?id=CVE-2022-0436", + ], + "vulnerabilityId": "CVE-2022-0436", + }, + "category": "NPM Package Vulnerability", + "description": "Path Traversal in GitHub repository gruntjs/grunt prior to 1.5.2.", + "location": "bkimminich/juice-shop:v12.10.2", + "mitigation": "Update the affected package grunt to the fixed version: 1.5.2 or remove the package from the image.", + "name": "Path Traversal in GitHub repository gruntjs/grunt prior to 1.5.2.", + "osi_layer": "NOT_APPLICABLE", + "references": [ + { + "type": "CVE", + "value": "CVE-2022-0436", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2022-0436", + }, + { + "type": "URL", + "value": "https://github.com/gruntjs/grunt", + }, + { + "type": "URL", + "value": "https://github.com/gruntjs/grunt/commit/aad3d4521c3098fb255fb2db8f2e1d691a033665", + }, + { + "type": "URL", + "value": "https://github.com/gruntjs/grunt/commit/aad3d4521c3098fb255fb2db8f2e1d691a033665 (v1.5.0)", + }, + { + "type": "URL", + "value": "https://github.com/gruntjs/grunt/commit/b0ec6e12426fc8d5720dee1702f6a67455c5986c", + }, + { + "type": "URL", + "value": "https://github.com/gruntjs/grunt/pull/1740", + }, + { + "type": "URL", + "value": 
"https://github.com/gruntjs/grunt/pull/1743", + }, + { + "type": "URL", + "value": "https://huntr.dev/bounties/f55315e9-9f6d-4dbb-8c40-bae50c1ae92b", + }, + { + "type": "URL", + "value": "https://lists.debian.org/debian-lts-announce/2023/04/msg00008.html", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2022-0436", + }, + { + "type": "URL", + "value": "https://ubuntu.com/security/notices/USN-5847-1", + }, + { + "type": "URL", + "value": "https://www.cve.org/CVERecord?id=CVE-2022-0436", + }, + ], + "severity": "MEDIUM", + }, + { + "attributes": { + "fixedVersion": undefined, + "foundIn": "Node.js", + "installedVersion": "4.1.2", + "packageName": "hbs", + "references": [ + "https://github.com/pillarjs/hbs", + "https://nvd.nist.gov/vuln/detail/CVE-2021-32822", + "https://securitylab.github.com/advisories/GHSL-2021-020-pillarjs-hbs", + "https://securitylab.github.com/advisories/GHSL-2021-020-pillarjs-hbs/", + ], + "vulnerabilityId": "CVE-2021-32822", + }, + "category": "NPM Package Vulnerability", + "description": "The npm hbs package is an Express view engine wrapper for Handlebars. Depending on usage, users of hbs may be vulnerable to a file disclosure vulnerability. There is currently no patch for this vulnerability. hbs mixes pure template data with engine configuration options through the Express render API. By overwriting internal configuration options a file disclosure vulnerability may be triggered in downstream applications. 
For an example PoC see the referenced GHSL-2021-020.", + "location": "bkimminich/juice-shop:v12.10.2", + "mitigation": "Update the affected package hbs to the fixed version: undefined or remove the package from the image.", + "name": "Insertion of Sensitive Information into Externally-Accessible File or Directory and Exposure of Sensitive Information to an Unauthorized Actor in hbs", + "osi_layer": "NOT_APPLICABLE", + "references": [ + { + "type": "CVE", + "value": "CVE-2021-32822", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2021-32822", + }, + { + "type": "URL", + "value": "https://github.com/pillarjs/hbs", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2021-32822", + }, + { + "type": "URL", + "value": "https://securitylab.github.com/advisories/GHSL-2021-020-pillarjs-hbs", + }, + { + "type": "URL", + "value": "https://securitylab.github.com/advisories/GHSL-2021-020-pillarjs-hbs/", + }, + ], + "severity": "MEDIUM", + }, + { + "attributes": { + "fixedVersion": "4.1.1", + "foundIn": "Node.js", + "installedVersion": "3.8.1", + "packageName": "http-cache-semantics", + "references": [ + "https://access.redhat.com/errata/RHSA-2023:2655", + "https://access.redhat.com/security/cve/CVE-2022-25881", + "https://bugzilla.redhat.com/2165824", + "https://bugzilla.redhat.com/2168631", + "https://bugzilla.redhat.com/2171935", + "https://bugzilla.redhat.com/2172190", + "https://bugzilla.redhat.com/2172204", + "https://bugzilla.redhat.com/2172217", + "https://bugzilla.redhat.com/show_bug.cgi?id=2165824", + "https://bugzilla.redhat.com/show_bug.cgi?id=2168631", + "https://bugzilla.redhat.com/show_bug.cgi?id=2171935", + "https://bugzilla.redhat.com/show_bug.cgi?id=2172190", + "https://bugzilla.redhat.com/show_bug.cgi?id=2172204", + "https://bugzilla.redhat.com/show_bug.cgi?id=2172217", + "https://bugzilla.redhat.com/show_bug.cgi?id=2178076", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-25881", + 
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-4904", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-23918", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-23920", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-23936", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-24807", + "https://errata.almalinux.org/9/ALSA-2023-2655.html", + "https://errata.rockylinux.org/RLSA-2023:2655", + "https://github.com/kornelski/http-cache-semantics", + "https://github.com/kornelski/http-cache-semantics/blob/master/index.js%23L83", + "https://github.com/kornelski/http-cache-semantics/commit/560b2d8ef452bbba20ffed69dc155d63ac757b74", + "https://linux.oracle.com/cve/CVE-2022-25881.html", + "https://linux.oracle.com/errata/ELSA-2023-2655.html", + "https://nvd.nist.gov/vuln/detail/CVE-2022-25881", + "https://security.netapp.com/advisory/ntap-20230622-0008", + "https://security.netapp.com/advisory/ntap-20230622-0008/", + "https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-3253332", + "https://security.snyk.io/vuln/SNYK-JS-HTTPCACHESEMANTICS-3248783", + "https://www.cve.org/CVERecord?id=CVE-2022-25881", + ], + "vulnerabilityId": "CVE-2022-25881", + }, + "category": "NPM Package Vulnerability", + "description": "This affects versions of the package http-cache-semantics before 4.1.1. The issue can be exploited via malicious request header values sent to a server, when that server reads the cache policy from the request using this library. 
+ +", + "location": "bkimminich/juice-shop:v12.10.2", + "mitigation": "Update the affected package http-cache-semantics to the fixed version: 4.1.1 or remove the package from the image.", + "name": "http-cache-semantics: Regular Expression Denial of Service (ReDoS) vulnerability", + "osi_layer": "NOT_APPLICABLE", + "references": [ + { + "type": "CVE", + "value": "CVE-2022-25881", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2022-25881", + }, + { + "type": "URL", + "value": "https://access.redhat.com/errata/RHSA-2023:2655", + }, + { + "type": "URL", + "value": "https://access.redhat.com/security/cve/CVE-2022-25881", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/2165824", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/2168631", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/2171935", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/2172190", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/2172204", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/2172217", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/show_bug.cgi?id=2165824", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/show_bug.cgi?id=2168631", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/show_bug.cgi?id=2171935", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/show_bug.cgi?id=2172190", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/show_bug.cgi?id=2172204", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/show_bug.cgi?id=2172217", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/show_bug.cgi?id=2178076", + }, + { + "type": "URL", + "value": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-25881", + }, + { + "type": "URL", + "value": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-4904", + }, + { + "type": "URL", + "value": 
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-23918", + }, + { + "type": "URL", + "value": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-23920", + }, + { + "type": "URL", + "value": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-23936", + }, + { + "type": "URL", + "value": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-24807", + }, + { + "type": "URL", + "value": "https://errata.almalinux.org/9/ALSA-2023-2655.html", + }, + { + "type": "URL", + "value": "https://errata.rockylinux.org/RLSA-2023:2655", + }, + { + "type": "URL", + "value": "https://github.com/kornelski/http-cache-semantics", + }, + { + "type": "URL", + "value": "https://github.com/kornelski/http-cache-semantics/blob/master/index.js%23L83", + }, + { + "type": "URL", + "value": "https://github.com/kornelski/http-cache-semantics/commit/560b2d8ef452bbba20ffed69dc155d63ac757b74", + }, + { + "type": "URL", + "value": "https://linux.oracle.com/cve/CVE-2022-25881.html", + }, + { + "type": "URL", + "value": "https://linux.oracle.com/errata/ELSA-2023-2655.html", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2022-25881", + }, + { + "type": "URL", + "value": "https://security.netapp.com/advisory/ntap-20230622-0008", + }, + { + "type": "URL", + "value": "https://security.netapp.com/advisory/ntap-20230622-0008/", + }, + { + "type": "URL", + "value": "https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-3253332", + }, + { + "type": "URL", + "value": "https://security.snyk.io/vuln/SNYK-JS-HTTPCACHESEMANTICS-3248783", + }, + { + "type": "URL", + "value": "https://www.cve.org/CVERecord?id=CVE-2022-25881", + }, + ], + "severity": "HIGH", + }, + { + "attributes": { + "fixedVersion": "4.1.1", + "foundIn": "Node.js", + "installedVersion": "3.8.1", + "packageName": "http-cache-semantics", + "references": [ + "https://access.redhat.com/errata/RHSA-2023:2655", + "https://access.redhat.com/security/cve/CVE-2022-25881", + 
"https://bugzilla.redhat.com/2165824", + "https://bugzilla.redhat.com/2168631", + "https://bugzilla.redhat.com/2171935", + "https://bugzilla.redhat.com/2172190", + "https://bugzilla.redhat.com/2172204", + "https://bugzilla.redhat.com/2172217", + "https://bugzilla.redhat.com/show_bug.cgi?id=2165824", + "https://bugzilla.redhat.com/show_bug.cgi?id=2168631", + "https://bugzilla.redhat.com/show_bug.cgi?id=2171935", + "https://bugzilla.redhat.com/show_bug.cgi?id=2172190", + "https://bugzilla.redhat.com/show_bug.cgi?id=2172204", + "https://bugzilla.redhat.com/show_bug.cgi?id=2172217", + "https://bugzilla.redhat.com/show_bug.cgi?id=2178076", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-25881", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-4904", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-23918", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-23920", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-23936", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-24807", + "https://errata.almalinux.org/9/ALSA-2023-2655.html", + "https://errata.rockylinux.org/RLSA-2023:2655", + "https://github.com/kornelski/http-cache-semantics", + "https://github.com/kornelski/http-cache-semantics/blob/master/index.js%23L83", + "https://github.com/kornelski/http-cache-semantics/commit/560b2d8ef452bbba20ffed69dc155d63ac757b74", + "https://linux.oracle.com/cve/CVE-2022-25881.html", + "https://linux.oracle.com/errata/ELSA-2023-2655.html", + "https://nvd.nist.gov/vuln/detail/CVE-2022-25881", + "https://security.netapp.com/advisory/ntap-20230622-0008", + "https://security.netapp.com/advisory/ntap-20230622-0008/", + "https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-3253332", + "https://security.snyk.io/vuln/SNYK-JS-HTTPCACHESEMANTICS-3248783", + "https://www.cve.org/CVERecord?id=CVE-2022-25881", + ], + "vulnerabilityId": "CVE-2022-25881", + }, + "category": "NPM Package Vulnerability", + "description": "This affects versions 
of the package http-cache-semantics before 4.1.1. The issue can be exploited via malicious request header values sent to a server, when that server reads the cache policy from the request using this library. + +", + "location": "bkimminich/juice-shop:v12.10.2", + "mitigation": "Update the affected package http-cache-semantics to the fixed version: 4.1.1 or remove the package from the image.", + "name": "http-cache-semantics: Regular Expression Denial of Service (ReDoS) vulnerability", + "osi_layer": "NOT_APPLICABLE", + "references": [ + { + "type": "CVE", + "value": "CVE-2022-25881", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2022-25881", + }, + { + "type": "URL", + "value": "https://access.redhat.com/errata/RHSA-2023:2655", + }, + { + "type": "URL", + "value": "https://access.redhat.com/security/cve/CVE-2022-25881", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/2165824", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/2168631", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/2171935", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/2172190", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/2172204", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/2172217", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/show_bug.cgi?id=2165824", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/show_bug.cgi?id=2168631", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/show_bug.cgi?id=2171935", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/show_bug.cgi?id=2172190", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/show_bug.cgi?id=2172204", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/show_bug.cgi?id=2172217", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/show_bug.cgi?id=2178076", + }, + { + "type": "URL", + "value": 
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-25881", + }, + { + "type": "URL", + "value": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-4904", + }, + { + "type": "URL", + "value": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-23918", + }, + { + "type": "URL", + "value": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-23920", + }, + { + "type": "URL", + "value": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-23936", + }, + { + "type": "URL", + "value": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-24807", + }, + { + "type": "URL", + "value": "https://errata.almalinux.org/9/ALSA-2023-2655.html", + }, + { + "type": "URL", + "value": "https://errata.rockylinux.org/RLSA-2023:2655", + }, + { + "type": "URL", + "value": "https://github.com/kornelski/http-cache-semantics", + }, + { + "type": "URL", + "value": "https://github.com/kornelski/http-cache-semantics/blob/master/index.js%23L83", + }, + { + "type": "URL", + "value": "https://github.com/kornelski/http-cache-semantics/commit/560b2d8ef452bbba20ffed69dc155d63ac757b74", + }, + { + "type": "URL", + "value": "https://linux.oracle.com/cve/CVE-2022-25881.html", + }, + { + "type": "URL", + "value": "https://linux.oracle.com/errata/ELSA-2023-2655.html", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2022-25881", + }, + { + "type": "URL", + "value": "https://security.netapp.com/advisory/ntap-20230622-0008", + }, + { + "type": "URL", + "value": "https://security.netapp.com/advisory/ntap-20230622-0008/", + }, + { + "type": "URL", + "value": "https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-3253332", + }, + { + "type": "URL", + "value": "https://security.snyk.io/vuln/SNYK-JS-HTTPCACHESEMANTICS-3248783", + }, + { + "type": "URL", + "value": "https://www.cve.org/CVERecord?id=CVE-2022-25881", + }, + ], + "severity": "HIGH", + }, + { + "attributes": { + "fixedVersion": undefined, + "foundIn": "Node.js", + "installedVersion": "1.1.5", + 
"packageName": "ip", + "references": [ + "https://access.redhat.com/security/cve/CVE-2024-29415", + "https://cosmosofcyberspace.github.io/npm_ip_cve/npm_ip_cve.html", + "https://github.com/indutny/node-ip", + "https://github.com/indutny/node-ip/issues/150", + "https://github.com/indutny/node-ip/pull/143", + "https://github.com/indutny/node-ip/pull/144", + "https://nvd.nist.gov/vuln/detail/CVE-2024-29415", + "https://www.cve.org/CVERecord?id=CVE-2024-29415", + ], + "vulnerabilityId": "CVE-2024-29415", + }, + "category": "NPM Package Vulnerability", + "description": "The ip package through 2.0.1 for Node.js might allow SSRF because some IP addresses (such as 127.1, 01200034567, 012.1.2.3, 000:0:0000::01, and ::fFFf:127.0.0.1) are improperly categorized as globally routable via isPublic. NOTE: this issue exists because of an incomplete fix for CVE-2023-42282.", + "location": "bkimminich/juice-shop:v12.10.2", + "mitigation": "Update the affected package ip to the fixed version: undefined or remove the package from the image.", + "name": "node-ip: Incomplete fix for CVE-2023-42282", + "osi_layer": "NOT_APPLICABLE", + "references": [ + { + "type": "CVE", + "value": "CVE-2024-29415", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2024-29415", + }, + { + "type": "URL", + "value": "https://access.redhat.com/security/cve/CVE-2024-29415", + }, + { + "type": "URL", + "value": "https://cosmosofcyberspace.github.io/npm_ip_cve/npm_ip_cve.html", + }, + { + "type": "URL", + "value": "https://github.com/indutny/node-ip", + }, + { + "type": "URL", + "value": "https://github.com/indutny/node-ip/issues/150", + }, + { + "type": "URL", + "value": "https://github.com/indutny/node-ip/pull/143", + }, + { + "type": "URL", + "value": "https://github.com/indutny/node-ip/pull/144", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2024-29415", + }, + { + "type": "URL", + "value": "https://www.cve.org/CVERecord?id=CVE-2024-29415", + }, + ], + 
"severity": "HIGH", + }, + { + "attributes": { + "fixedVersion": "2.0.1, 1.1.9", + "foundIn": "Node.js", + "installedVersion": "1.1.5", + "packageName": "ip", + "references": [ + "https://access.redhat.com/security/cve/CVE-2023-42282", + "https://cosmosofcyberspace.github.io/npm_ip_cve/npm_ip_cve.html", + "https://github.com/JoshGlazebrook/socks/issues/93#issue-2128357447", + "https://github.com/github/advisory-database/pull/3504#issuecomment-1937179999", + "https://github.com/indutny/node-ip", + "https://github.com/indutny/node-ip/commit/32f468f1245574785ec080705737a579be1223aa", + "https://github.com/indutny/node-ip/commit/6a3ada9b471b09d5f0f5be264911ab564bf67894", + "https://github.com/indutny/node-ip/pull/138", + "https://huntr.com/bounties/bfc3b23f-ddc0-4ee7-afab-223b07115ed3/", + "https://nvd.nist.gov/vuln/detail/CVE-2023-42282", + "https://security.netapp.com/advisory/ntap-20240315-0008/", + "https://ubuntu.com/security/notices/USN-6643-1", + "https://www.bleepingcomputer.com/news/security/dev-rejects-cve-severity-makes-his-github-repo-read-only/", + "https://www.cve.org/CVERecord?id=CVE-2023-42282", + ], + "vulnerabilityId": "CVE-2023-42282", + }, + "category": "NPM Package Vulnerability", + "description": "The ip package before 1.1.9 for Node.js might allow SSRF because some IP addresses (such as 0x7f.1) are improperly categorized as globally routable via isPublic.", + "location": "bkimminich/juice-shop:v12.10.2", + "mitigation": "Update the affected package ip to the fixed version: 2.0.1, 1.1.9 or remove the package from the image.", + "name": "nodejs-ip: arbitrary code execution via the isPublic() function", + "osi_layer": "NOT_APPLICABLE", + "references": [ + { + "type": "CVE", + "value": "CVE-2023-42282", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2023-42282", + }, + { + "type": "URL", + "value": "https://access.redhat.com/security/cve/CVE-2023-42282", + }, + { + "type": "URL", + "value": 
"https://cosmosofcyberspace.github.io/npm_ip_cve/npm_ip_cve.html", + }, + { + "type": "URL", + "value": "https://github.com/JoshGlazebrook/socks/issues/93#issue-2128357447", + }, + { + "type": "URL", + "value": "https://github.com/github/advisory-database/pull/3504#issuecomment-1937179999", + }, + { + "type": "URL", + "value": "https://github.com/indutny/node-ip", + }, + { + "type": "URL", + "value": "https://github.com/indutny/node-ip/commit/32f468f1245574785ec080705737a579be1223aa", + }, + { + "type": "URL", + "value": "https://github.com/indutny/node-ip/commit/6a3ada9b471b09d5f0f5be264911ab564bf67894", + }, + { + "type": "URL", + "value": "https://github.com/indutny/node-ip/pull/138", + }, + { + "type": "URL", + "value": "https://huntr.com/bounties/bfc3b23f-ddc0-4ee7-afab-223b07115ed3/", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2023-42282", + }, + { + "type": "URL", + "value": "https://security.netapp.com/advisory/ntap-20240315-0008/", + }, + { + "type": "URL", + "value": "https://ubuntu.com/security/notices/USN-6643-1", + }, + { + "type": "URL", + "value": "https://www.bleepingcomputer.com/news/security/dev-rejects-cve-severity-makes-his-github-repo-read-only/", + }, + { + "type": "URL", + "value": "https://www.cve.org/CVERecord?id=CVE-2023-42282", + }, + ], + "severity": "LOW", + }, + { + "attributes": { + "fixedVersion": "0.4.0", + "foundIn": "Node.js", + "installedVersion": "0.2.3", + "packageName": "json-schema", + "references": [ + "https://access.redhat.com/security/cve/CVE-2021-3918", + "https://errata.almalinux.org/8/ALSA-2022-0350.html", + "https://github.com/kriszyp/json-schema", + "https://github.com/kriszyp/json-schema/commit/22f146111f541d9737e832823699ad3528ca7741", + "https://github.com/kriszyp/json-schema/commit/22f146111f541d9737e832823699ad3528ca7741 (v0.4.0)", + "https://github.com/kriszyp/json-schema/commit/b62f1da1ff5442f23443d6be6a92d00e65cba93a", + 
"https://github.com/kriszyp/json-schema/commit/f6f6a3b02d667aa4ba2d5d50cc19208c4462abfa", + "https://huntr.dev/bounties/bb6ccd63-f505-4e3a-b55f-cd2662c261a9", + "https://linux.oracle.com/cve/CVE-2021-3918.html", + "https://linux.oracle.com/errata/ELSA-2022-0350.html", + "https://lists.debian.org/debian-lts-announce/2022/12/msg00013.html", + "https://nvd.nist.gov/vuln/detail/CVE-2021-3918", + "https://ubuntu.com/security/notices/USN-6103-1", + "https://www.cve.org/CVERecord?id=CVE-2021-3918", + ], + "vulnerabilityId": "CVE-2021-3918", + }, + "category": "NPM Package Vulnerability", + "description": "json-schema is vulnerable to Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')", + "location": "bkimminich/juice-shop:v12.10.2", + "mitigation": "Update the affected package json-schema to the fixed version: 0.4.0 or remove the package from the image.", + "name": "nodejs-json-schema: Prototype pollution vulnerability", + "osi_layer": "NOT_APPLICABLE", + "references": [ + { + "type": "CVE", + "value": "CVE-2021-3918", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2021-3918", + }, + { + "type": "URL", + "value": "https://access.redhat.com/security/cve/CVE-2021-3918", + }, + { + "type": "URL", + "value": "https://errata.almalinux.org/8/ALSA-2022-0350.html", + }, + { + "type": "URL", + "value": "https://github.com/kriszyp/json-schema", + }, + { + "type": "URL", + "value": "https://github.com/kriszyp/json-schema/commit/22f146111f541d9737e832823699ad3528ca7741", + }, + { + "type": "URL", + "value": "https://github.com/kriszyp/json-schema/commit/22f146111f541d9737e832823699ad3528ca7741 (v0.4.0)", + }, + { + "type": "URL", + "value": "https://github.com/kriszyp/json-schema/commit/b62f1da1ff5442f23443d6be6a92d00e65cba93a", + }, + { + "type": "URL", + "value": "https://github.com/kriszyp/json-schema/commit/f6f6a3b02d667aa4ba2d5d50cc19208c4462abfa", + }, + { + "type": "URL", + "value": 
"https://huntr.dev/bounties/bb6ccd63-f505-4e3a-b55f-cd2662c261a9", + }, + { + "type": "URL", + "value": "https://linux.oracle.com/cve/CVE-2021-3918.html", + }, + { + "type": "URL", + "value": "https://linux.oracle.com/errata/ELSA-2022-0350.html", + }, + { + "type": "URL", + "value": "https://lists.debian.org/debian-lts-announce/2022/12/msg00013.html", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2021-3918", + }, + { + "type": "URL", + "value": "https://ubuntu.com/security/notices/USN-6103-1", + }, + { + "type": "URL", + "value": "https://www.cve.org/CVERecord?id=CVE-2021-3918", + }, + ], + "severity": "HIGH", + }, + { + "attributes": { + "fixedVersion": "0.4.0", + "foundIn": "Node.js", + "installedVersion": "0.2.3", + "packageName": "json-schema", + "references": [ + "https://access.redhat.com/security/cve/CVE-2021-3918", + "https://errata.almalinux.org/8/ALSA-2022-0350.html", + "https://github.com/kriszyp/json-schema", + "https://github.com/kriszyp/json-schema/commit/22f146111f541d9737e832823699ad3528ca7741", + "https://github.com/kriszyp/json-schema/commit/22f146111f541d9737e832823699ad3528ca7741 (v0.4.0)", + "https://github.com/kriszyp/json-schema/commit/b62f1da1ff5442f23443d6be6a92d00e65cba93a", + "https://github.com/kriszyp/json-schema/commit/f6f6a3b02d667aa4ba2d5d50cc19208c4462abfa", + "https://huntr.dev/bounties/bb6ccd63-f505-4e3a-b55f-cd2662c261a9", + "https://linux.oracle.com/cve/CVE-2021-3918.html", + "https://linux.oracle.com/errata/ELSA-2022-0350.html", + "https://lists.debian.org/debian-lts-announce/2022/12/msg00013.html", + "https://nvd.nist.gov/vuln/detail/CVE-2021-3918", + "https://ubuntu.com/security/notices/USN-6103-1", + "https://www.cve.org/CVERecord?id=CVE-2021-3918", + ], + "vulnerabilityId": "CVE-2021-3918", + }, + "category": "NPM Package Vulnerability", + "description": "json-schema is vulnerable to Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')", + "location": 
"bkimminich/juice-shop:v12.10.2", + "mitigation": "Update the affected package json-schema to the fixed version: 0.4.0 or remove the package from the image.", + "name": "nodejs-json-schema: Prototype pollution vulnerability", + "osi_layer": "NOT_APPLICABLE", + "references": [ + { + "type": "CVE", + "value": "CVE-2021-3918", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2021-3918", + }, + { + "type": "URL", + "value": "https://access.redhat.com/security/cve/CVE-2021-3918", + }, + { + "type": "URL", + "value": "https://errata.almalinux.org/8/ALSA-2022-0350.html", + }, + { + "type": "URL", + "value": "https://github.com/kriszyp/json-schema", + }, + { + "type": "URL", + "value": "https://github.com/kriszyp/json-schema/commit/22f146111f541d9737e832823699ad3528ca7741", + }, + { + "type": "URL", + "value": "https://github.com/kriszyp/json-schema/commit/22f146111f541d9737e832823699ad3528ca7741 (v0.4.0)", + }, + { + "type": "URL", + "value": "https://github.com/kriszyp/json-schema/commit/b62f1da1ff5442f23443d6be6a92d00e65cba93a", + }, + { + "type": "URL", + "value": "https://github.com/kriszyp/json-schema/commit/f6f6a3b02d667aa4ba2d5d50cc19208c4462abfa", + }, + { + "type": "URL", + "value": "https://huntr.dev/bounties/bb6ccd63-f505-4e3a-b55f-cd2662c261a9", + }, + { + "type": "URL", + "value": "https://linux.oracle.com/cve/CVE-2021-3918.html", + }, + { + "type": "URL", + "value": "https://linux.oracle.com/errata/ELSA-2022-0350.html", + }, + { + "type": "URL", + "value": "https://lists.debian.org/debian-lts-announce/2022/12/msg00013.html", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2021-3918", + }, + { + "type": "URL", + "value": "https://ubuntu.com/security/notices/USN-6103-1", + }, + { + "type": "URL", + "value": "https://www.cve.org/CVERecord?id=CVE-2021-3918", + }, + ], + "severity": "HIGH", + }, + { + "attributes": { + "fixedVersion": "2.2.2, 1.0.2", + "foundIn": "Node.js", + "installedVersion": "2.2.0", + 
"packageName": "json5", + "references": [ + "https://access.redhat.com/security/cve/CVE-2022-46175", + "https://github.com/json5/json5", + "https://github.com/json5/json5/commit/62a65408408d40aeea14c7869ed327acead12972", + "https://github.com/json5/json5/commit/7774c1097993bc3ce9f0ac4b722a32bf7d6871c8", + "https://github.com/json5/json5/issues/199", + "https://github.com/json5/json5/issues/295", + "https://github.com/json5/json5/pull/298", + "https://github.com/json5/json5/security/advisories/GHSA-9c47-m6qq-7p4h", + "https://lists.debian.org/debian-lts-announce/2023/11/msg00021.html", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3S26TLPLVFAJTUN3VIXFDEBEXDYO22CE/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3S26TLPLVFAJTUN3VIXFDEBEXDYO22CE", + "https://nvd.nist.gov/vuln/detail/CVE-2022-46175", + "https://ubuntu.com/security/notices/USN-6758-1", + "https://www.cve.org/CVERecord?id=CVE-2022-46175", + ], + "vulnerabilityId": "CVE-2022-46175", + }, + "category": "NPM Package Vulnerability", + "description": "JSON5 is an extension to the popular JSON file format that aims to be easier to write and maintain by hand (e.g. for config files). The \`parse\` method of the JSON5 library before and including versions 1.0.1 and 2.2.1 does not restrict parsing of keys named \`__proto__\`, allowing specially crafted strings to pollute the prototype of the resulting object. This vulnerability pollutes the prototype of the object returned by \`JSON5.parse\` and not the global Object prototype, which is the commonly understood definition of Prototype Pollution. However, polluting the prototype of a single object can have significant security impact for an application if the object is later used in trusted operations. This vulnerability could allow an attacker to set arbitrary and unexpected keys on the object returned from \`JSON5.parse\`. 
The actual impact will depend on how applications utilize the returned object and how they filter unwanted keys, but could include denial of service, cross-site scripting, elevation of privilege, and in extreme cases, remote code execution. \`JSON5.parse\` should restrict parsing of \`__proto__\` keys when parsing JSON strings to objects. As a point of reference, the \`JSON.parse\` method included in JavaScript ignores \`__proto__\` keys. Simply changing \`JSON5.parse\` to \`JSON.parse\` in the examples above mitigates this vulnerability. This vulnerability is patched in json5 versions 1.0.2, 2.2.2, and later.", + "location": "bkimminich/juice-shop:v12.10.2", + "mitigation": "Update the affected package json5 to the fixed version: 2.2.2, 1.0.2 or remove the package from the image.", + "name": "json5: Prototype Pollution in JSON5 via Parse Method", + "osi_layer": "NOT_APPLICABLE", + "references": [ + { + "type": "CVE", + "value": "CVE-2022-46175", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2022-46175", + }, + { + "type": "URL", + "value": "https://access.redhat.com/security/cve/CVE-2022-46175", + }, + { + "type": "URL", + "value": "https://github.com/json5/json5", + }, + { + "type": "URL", + "value": "https://github.com/json5/json5/commit/62a65408408d40aeea14c7869ed327acead12972", + }, + { + "type": "URL", + "value": "https://github.com/json5/json5/commit/7774c1097993bc3ce9f0ac4b722a32bf7d6871c8", + }, + { + "type": "URL", + "value": "https://github.com/json5/json5/issues/199", + }, + { + "type": "URL", + "value": "https://github.com/json5/json5/issues/295", + }, + { + "type": "URL", + "value": "https://github.com/json5/json5/pull/298", + }, + { + "type": "URL", + "value": "https://github.com/json5/json5/security/advisories/GHSA-9c47-m6qq-7p4h", + }, + { + "type": "URL", + "value": "https://lists.debian.org/debian-lts-announce/2023/11/msg00021.html", + }, + { + "type": "URL", + "value": 
"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3S26TLPLVFAJTUN3VIXFDEBEXDYO22CE/", + }, + { + "type": "URL", + "value": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3S26TLPLVFAJTUN3VIXFDEBEXDYO22CE", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2022-46175", + }, + { + "type": "URL", + "value": "https://ubuntu.com/security/notices/USN-6758-1", + }, + { + "type": "URL", + "value": "https://www.cve.org/CVERecord?id=CVE-2022-46175", + }, + ], + "severity": "HIGH", + }, + { + "attributes": { + "fixedVersion": "4.2.2", + "foundIn": "Node.js", + "installedVersion": "0.1.0", + "packageName": "jsonwebtoken", + "references": [ + "https://access.redhat.com/security/cve/CVE-2015-9235", + "https://auth0.com/blog/2015/03/31/critical-vulnerabilities-in-json-web-token-libraries", + "https://auth0.com/blog/2015/03/31/critical-vulnerabilities-in-json-web-token-libraries/", + "https://github.com/advisories/GHSA-c7hr-j4mj-j2w6", + "https://github.com/auth0/node-jsonwebtoken/commit/1bb584bc382295eeb7ee8c4452a673a77a68b687", + "https://nodesecurity.io/advisories/17", + "https://nvd.nist.gov/vuln/detail/CVE-2015-9235", + "https://www.cve.org/CVERecord?id=CVE-2015-9235", + "https://www.npmjs.com/advisories/17", + "https://www.timmclean.net/2015/02/25/jwt-alg-none.html", + ], + "vulnerabilityId": "CVE-2015-9235", + }, + "category": "NPM Package Vulnerability", + "description": "In jsonwebtoken node module before 4.2.2 it is possible for an attacker to bypass verification when a token digitally signed with an asymmetric key (RS/ES family) of algorithms but instead the attacker send a token digitally signed with a symmetric algorithm (HS* family).", + "location": "bkimminich/juice-shop:v12.10.2", + "mitigation": "Update the affected package jsonwebtoken to the fixed version: 4.2.2 or remove the package from the image.", + "name": "nodejs-jsonwebtoken: 
verification step bypass with an altered token", + "osi_layer": "NOT_APPLICABLE", + "references": [ + { + "type": "CVE", + "value": "CVE-2015-9235", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2015-9235", + }, + { + "type": "URL", + "value": "https://access.redhat.com/security/cve/CVE-2015-9235", + }, + { + "type": "URL", + "value": "https://auth0.com/blog/2015/03/31/critical-vulnerabilities-in-json-web-token-libraries", + }, + { + "type": "URL", + "value": "https://auth0.com/blog/2015/03/31/critical-vulnerabilities-in-json-web-token-libraries/", + }, + { + "type": "URL", + "value": "https://github.com/advisories/GHSA-c7hr-j4mj-j2w6", + }, + { + "type": "URL", + "value": "https://github.com/auth0/node-jsonwebtoken/commit/1bb584bc382295eeb7ee8c4452a673a77a68b687", + }, + { + "type": "URL", + "value": "https://nodesecurity.io/advisories/17", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2015-9235", + }, + { + "type": "URL", + "value": "https://www.cve.org/CVERecord?id=CVE-2015-9235", + }, + { + "type": "URL", + "value": "https://www.npmjs.com/advisories/17", + }, + { + "type": "URL", + "value": "https://www.timmclean.net/2015/02/25/jwt-alg-none.html", + }, + ], + "severity": "HIGH", + }, + { + "attributes": { + "fixedVersion": "9.0.0", + "foundIn": "Node.js", + "installedVersion": "0.1.0", + "packageName": "jsonwebtoken", + "references": [ + "https://access.redhat.com/security/cve/CVE-2022-23539", + "https://github.com/auth0/node-jsonwebtoken", + "https://github.com/auth0/node-jsonwebtoken/commit/e1fa9dcc12054a8681db4e6373da1b30cf7016e3", + "https://github.com/auth0/node-jsonwebtoken/security/advisories/GHSA-8cf7-32gw-wr33", + "https://nvd.nist.gov/vuln/detail/CVE-2022-23539", + "https://security.netapp.com/advisory/ntap-20240621-0007", + "https://security.netapp.com/advisory/ntap-20240621-0007/", + "https://www.cve.org/CVERecord?id=CVE-2022-23539", + ], + "vulnerabilityId": "CVE-2022-23539", + }, + 
"category": "NPM Package Vulnerability", + "description": "Versions \`<=8.5.1\` of \`jsonwebtoken\` library could be misconfigured so that legacy, insecure key types are used for signature verification. For example, DSA keys could be used with the RS256 algorithm. You are affected if you are using an algorithm and a key type other than a combination listed in the GitHub Security Advisory as unaffected. This issue has been fixed, please update to version 9.0.0. This version validates for asymmetric key type and algorithm combinations. Please refer to the above mentioned algorithm / key type combinations for the valid secure configuration. After updating to version 9.0.0, if you still intend to continue with signing or verifying tokens using invalid key type/algorithm value combinations, you’ll need to set the \`allowInvalidAsymmetricKeyTypes\` option to \`true\` in the \`sign()\` and/or \`verify()\` functions.", + "location": "bkimminich/juice-shop:v12.10.2", + "mitigation": "Update the affected package jsonwebtoken to the fixed version: 9.0.0 or remove the package from the image.", + "name": "jsonwebtoken: Unrestricted key type could lead to legacy keys usagen", + "osi_layer": "NOT_APPLICABLE", + "references": [ + { + "type": "CVE", + "value": "CVE-2022-23539", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2022-23539", + }, + { + "type": "URL", + "value": "https://access.redhat.com/security/cve/CVE-2022-23539", + }, + { + "type": "URL", + "value": "https://github.com/auth0/node-jsonwebtoken", + }, + { + "type": "URL", + "value": "https://github.com/auth0/node-jsonwebtoken/commit/e1fa9dcc12054a8681db4e6373da1b30cf7016e3", + }, + { + "type": "URL", + "value": "https://github.com/auth0/node-jsonwebtoken/security/advisories/GHSA-8cf7-32gw-wr33", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2022-23539", + }, + { + "type": "URL", + "value": "https://security.netapp.com/advisory/ntap-20240621-0007", + }, + { + 
"type": "URL", + "value": "https://security.netapp.com/advisory/ntap-20240621-0007/", + }, + { + "type": "URL", + "value": "https://www.cve.org/CVERecord?id=CVE-2022-23539", + }, + ], + "severity": "HIGH", + }, + { + "attributes": { + "fixedVersion": ">=4.2.2", + "foundIn": "Node.js", + "installedVersion": "0.1.0", + "packageName": "jsonwebtoken", + "references": [ + "https://auth0.com/blog/2015/03/31/critical-vulnerabilities-in-json-web-token-libraries/", + "https://github.com/auth0/node-jsonwebtoken/commit/1bb584bc382295eeb7ee8c4452a673a77a68b687", + "https://www.timmclean.net/2015/02/25/jwt-alg-none.html", + ], + "vulnerabilityId": "NSWG-ECO-17", + }, + "category": "NPM Package Vulnerability", + "description": "It is possible for an attacker to bypass verification when "a token digitally signed with an asymetric key (RS/ES family) of algorithms but instead the attacker send a token digitally signed with a symmetric algorithm (HS* family)" [1]", + "location": "bkimminich/juice-shop:v12.10.2", + "mitigation": "Update the affected package jsonwebtoken to the fixed version: >=4.2.2 or remove the package from the image.", + "name": "Verification Bypass", + "osi_layer": "NOT_APPLICABLE", + "references": [ + { + "type": "NSWG", + "value": "NSWG-ECO-17", + }, + { + "type": "URL", + "value": "https://github.com/nodejs/security-wg/tree/master/vuln", + }, + { + "type": "URL", + "value": "https://auth0.com/blog/2015/03/31/critical-vulnerabilities-in-json-web-token-libraries/", + }, + { + "type": "URL", + "value": "https://github.com/auth0/node-jsonwebtoken/commit/1bb584bc382295eeb7ee8c4452a673a77a68b687", + }, + { + "type": "URL", + "value": "https://www.timmclean.net/2015/02/25/jwt-alg-none.html", + }, + ], + "severity": "HIGH", + }, + { + "attributes": { + "fixedVersion": "9.0.0", + "foundIn": "Node.js", + "installedVersion": "0.1.0", + "packageName": "jsonwebtoken", + "references": [ + "https://access.redhat.com/security/cve/CVE-2022-23540", + 
"https://github.com/auth0/node-jsonwebtoken", + "https://github.com/auth0/node-jsonwebtoken/commit/e1fa9dcc12054a8681db4e6373da1b30cf7016e3", + "https://github.com/auth0/node-jsonwebtoken/security/advisories/GHSA-qwph-4952-7xr6", + "https://nvd.nist.gov/vuln/detail/CVE-2022-23540", + "https://security.netapp.com/advisory/ntap-20240621-0007", + "https://security.netapp.com/advisory/ntap-20240621-0007/", + "https://www.cve.org/CVERecord?id=CVE-2022-23540", + ], + "vulnerabilityId": "CVE-2022-23540", + }, + "category": "NPM Package Vulnerability", + "description": "In versions \`<=8.5.1\` of \`jsonwebtoken\` library, lack of algorithm definition in the \`jwt.verify()\` function can lead to signature validation bypass due to defaulting to the \`none\` algorithm for signature verification. Users are affected if you do not specify algorithms in the \`jwt.verify()\` function. This issue has been fixed, please update to version 9.0.0 which removes the default support for the none algorithm in the \`jwt.verify()\` method. There will be no impact, if you update to version 9.0.0 and you don’t need to allow for the \`none\` algorithm. If you need 'none' algorithm, you have to explicitly specify that in \`jwt.verify()\` options. 
+", + "location": "bkimminich/juice-shop:v12.10.2", + "mitigation": "Update the affected package jsonwebtoken to the fixed version: 9.0.0 or remove the package from the image.", + "name": "jsonwebtoken: Insecure default algorithm in jwt.verify() could lead to signature validation bypass", + "osi_layer": "NOT_APPLICABLE", + "references": [ + { + "type": "CVE", + "value": "CVE-2022-23540", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2022-23540", + }, + { + "type": "URL", + "value": "https://access.redhat.com/security/cve/CVE-2022-23540", + }, + { + "type": "URL", + "value": "https://github.com/auth0/node-jsonwebtoken", + }, + { + "type": "URL", + "value": "https://github.com/auth0/node-jsonwebtoken/commit/e1fa9dcc12054a8681db4e6373da1b30cf7016e3", + }, + { + "type": "URL", + "value": "https://github.com/auth0/node-jsonwebtoken/security/advisories/GHSA-qwph-4952-7xr6", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2022-23540", + }, + { + "type": "URL", + "value": "https://security.netapp.com/advisory/ntap-20240621-0007", + }, + { + "type": "URL", + "value": "https://security.netapp.com/advisory/ntap-20240621-0007/", + }, + { + "type": "URL", + "value": "https://www.cve.org/CVERecord?id=CVE-2022-23540", + }, + ], + "severity": "MEDIUM", + }, + { + "attributes": { + "fixedVersion": "9.0.0", + "foundIn": "Node.js", + "installedVersion": "0.1.0", + "packageName": "jsonwebtoken", + "references": [ + "https://access.redhat.com/security/cve/CVE-2022-23541", + "https://github.com/auth0/node-jsonwebtoken", + "https://github.com/auth0/node-jsonwebtoken/commit/e1fa9dcc12054a8681db4e6373da1b30cf7016e3", + "https://github.com/auth0/node-jsonwebtoken/releases/tag/v9.0.0", + "https://github.com/auth0/node-jsonwebtoken/security/advisories/GHSA-hjrf-2m68-5959", + "https://nvd.nist.gov/vuln/detail/CVE-2022-23541", + "https://security.netapp.com/advisory/ntap-20240621-0007", + 
"https://security.netapp.com/advisory/ntap-20240621-0007/", + "https://www.cve.org/CVERecord?id=CVE-2022-23541", + ], + "vulnerabilityId": "CVE-2022-23541", + }, + "category": "NPM Package Vulnerability", + "description": "jsonwebtoken is an implementation of JSON Web Tokens. Versions \`<= 8.5.1\` of \`jsonwebtoken\` library can be misconfigured so that passing a poorly implemented key retrieval function referring to the \`secretOrPublicKey\` argument from the readme link will result in incorrect verification of tokens. There is a possibility of using a different algorithm and key combination in verification, other than the one that was used to sign the tokens. Specifically, tokens signed with an asymmetric public key could be verified with a symmetric HS256 algorithm. This can lead to successful validation of forged tokens. If your application is supporting usage of both symmetric key and asymmetric key in jwt.verify() implementation with the same key retrieval function. This issue has been patched, please update to version 9.0.0.", + "location": "bkimminich/juice-shop:v12.10.2", + "mitigation": "Update the affected package jsonwebtoken to the fixed version: 9.0.0 or remove the package from the image.", + "name": "jsonwebtoken: Insecure implementation of key retrieval function could lead to Forgeable Public/Private Tokens from RSA to HMAC", + "osi_layer": "NOT_APPLICABLE", + "references": [ + { + "type": "CVE", + "value": "CVE-2022-23541", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2022-23541", + }, + { + "type": "URL", + "value": "https://access.redhat.com/security/cve/CVE-2022-23541", + }, + { + "type": "URL", + "value": "https://github.com/auth0/node-jsonwebtoken", + }, + { + "type": "URL", + "value": "https://github.com/auth0/node-jsonwebtoken/commit/e1fa9dcc12054a8681db4e6373da1b30cf7016e3", + }, + { + "type": "URL", + "value": "https://github.com/auth0/node-jsonwebtoken/releases/tag/v9.0.0", + }, + { + "type": "URL", + 
"value": "https://github.com/auth0/node-jsonwebtoken/security/advisories/GHSA-hjrf-2m68-5959", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2022-23541", + }, + { + "type": "URL", + "value": "https://security.netapp.com/advisory/ntap-20240621-0007", + }, + { + "type": "URL", + "value": "https://security.netapp.com/advisory/ntap-20240621-0007/", + }, + { + "type": "URL", + "value": "https://www.cve.org/CVERecord?id=CVE-2022-23541", + }, + ], + "severity": "MEDIUM", + }, + { + "attributes": { + "fixedVersion": "4.2.2", + "foundIn": "Node.js", + "installedVersion": "0.4.0", + "packageName": "jsonwebtoken", + "references": [ + "https://access.redhat.com/security/cve/CVE-2015-9235", + "https://auth0.com/blog/2015/03/31/critical-vulnerabilities-in-json-web-token-libraries", + "https://auth0.com/blog/2015/03/31/critical-vulnerabilities-in-json-web-token-libraries/", + "https://github.com/advisories/GHSA-c7hr-j4mj-j2w6", + "https://github.com/auth0/node-jsonwebtoken/commit/1bb584bc382295eeb7ee8c4452a673a77a68b687", + "https://nodesecurity.io/advisories/17", + "https://nvd.nist.gov/vuln/detail/CVE-2015-9235", + "https://www.cve.org/CVERecord?id=CVE-2015-9235", + "https://www.npmjs.com/advisories/17", + "https://www.timmclean.net/2015/02/25/jwt-alg-none.html", + ], + "vulnerabilityId": "CVE-2015-9235", + }, + "category": "NPM Package Vulnerability", + "description": "In jsonwebtoken node module before 4.2.2 it is possible for an attacker to bypass verification when a token digitally signed with an asymmetric key (RS/ES family) of algorithms but instead the attacker send a token digitally signed with a symmetric algorithm (HS* family).", + "location": "bkimminich/juice-shop:v12.10.2", + "mitigation": "Update the affected package jsonwebtoken to the fixed version: 4.2.2 or remove the package from the image.", + "name": "nodejs-jsonwebtoken: verification step bypass with an altered token", + "osi_layer": "NOT_APPLICABLE", + "references": [ + { + 
"type": "CVE", + "value": "CVE-2015-9235", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2015-9235", + }, + { + "type": "URL", + "value": "https://access.redhat.com/security/cve/CVE-2015-9235", + }, + { + "type": "URL", + "value": "https://auth0.com/blog/2015/03/31/critical-vulnerabilities-in-json-web-token-libraries", + }, + { + "type": "URL", + "value": "https://auth0.com/blog/2015/03/31/critical-vulnerabilities-in-json-web-token-libraries/", + }, + { + "type": "URL", + "value": "https://github.com/advisories/GHSA-c7hr-j4mj-j2w6", + }, + { + "type": "URL", + "value": "https://github.com/auth0/node-jsonwebtoken/commit/1bb584bc382295eeb7ee8c4452a673a77a68b687", + }, + { + "type": "URL", + "value": "https://nodesecurity.io/advisories/17", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2015-9235", + }, + { + "type": "URL", + "value": "https://www.cve.org/CVERecord?id=CVE-2015-9235", + }, + { + "type": "URL", + "value": "https://www.npmjs.com/advisories/17", + }, + { + "type": "URL", + "value": "https://www.timmclean.net/2015/02/25/jwt-alg-none.html", + }, + ], + "severity": "HIGH", + }, + { + "attributes": { + "fixedVersion": "9.0.0", + "foundIn": "Node.js", + "installedVersion": "0.4.0", + "packageName": "jsonwebtoken", + "references": [ + "https://access.redhat.com/security/cve/CVE-2022-23539", + "https://github.com/auth0/node-jsonwebtoken", + "https://github.com/auth0/node-jsonwebtoken/commit/e1fa9dcc12054a8681db4e6373da1b30cf7016e3", + "https://github.com/auth0/node-jsonwebtoken/security/advisories/GHSA-8cf7-32gw-wr33", + "https://nvd.nist.gov/vuln/detail/CVE-2022-23539", + "https://security.netapp.com/advisory/ntap-20240621-0007", + "https://security.netapp.com/advisory/ntap-20240621-0007/", + "https://www.cve.org/CVERecord?id=CVE-2022-23539", + ], + "vulnerabilityId": "CVE-2022-23539", + }, + "category": "NPM Package Vulnerability", + "description": "Versions \`<=8.5.1\` of \`jsonwebtoken\` library could 
be misconfigured so that legacy, insecure key types are used for signature verification. For example, DSA keys could be used with the RS256 algorithm. You are affected if you are using an algorithm and a key type other than a combination listed in the GitHub Security Advisory as unaffected. This issue has been fixed, please update to version 9.0.0. This version validates for asymmetric key type and algorithm combinations. Please refer to the above mentioned algorithm / key type combinations for the valid secure configuration. After updating to version 9.0.0, if you still intend to continue with signing or verifying tokens using invalid key type/algorithm value combinations, you’ll need to set the \`allowInvalidAsymmetricKeyTypes\` option to \`true\` in the \`sign()\` and/or \`verify()\` functions.", + "location": "bkimminich/juice-shop:v12.10.2", + "mitigation": "Update the affected package jsonwebtoken to the fixed version: 9.0.0 or remove the package from the image.", + "name": "jsonwebtoken: Unrestricted key type could lead to legacy keys usagen", + "osi_layer": "NOT_APPLICABLE", + "references": [ + { + "type": "CVE", + "value": "CVE-2022-23539", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2022-23539", + }, + { + "type": "URL", + "value": "https://access.redhat.com/security/cve/CVE-2022-23539", + }, + { + "type": "URL", + "value": "https://github.com/auth0/node-jsonwebtoken", + }, + { + "type": "URL", + "value": "https://github.com/auth0/node-jsonwebtoken/commit/e1fa9dcc12054a8681db4e6373da1b30cf7016e3", + }, + { + "type": "URL", + "value": "https://github.com/auth0/node-jsonwebtoken/security/advisories/GHSA-8cf7-32gw-wr33", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2022-23539", + }, + { + "type": "URL", + "value": "https://security.netapp.com/advisory/ntap-20240621-0007", + }, + { + "type": "URL", + "value": "https://security.netapp.com/advisory/ntap-20240621-0007/", + }, + { + "type": "URL", + 
"value": "https://www.cve.org/CVERecord?id=CVE-2022-23539", + }, + ], + "severity": "HIGH", + }, + { + "attributes": { + "fixedVersion": ">=4.2.2", + "foundIn": "Node.js", + "installedVersion": "0.4.0", + "packageName": "jsonwebtoken", + "references": [ + "https://auth0.com/blog/2015/03/31/critical-vulnerabilities-in-json-web-token-libraries/", + "https://github.com/auth0/node-jsonwebtoken/commit/1bb584bc382295eeb7ee8c4452a673a77a68b687", + "https://www.timmclean.net/2015/02/25/jwt-alg-none.html", + ], + "vulnerabilityId": "NSWG-ECO-17", + }, + "category": "NPM Package Vulnerability", + "description": "It is possible for an attacker to bypass verification when "a token digitally signed with an asymetric key (RS/ES family) of algorithms but instead the attacker send a token digitally signed with a symmetric algorithm (HS* family)" [1]", + "location": "bkimminich/juice-shop:v12.10.2", + "mitigation": "Update the affected package jsonwebtoken to the fixed version: >=4.2.2 or remove the package from the image.", + "name": "Verification Bypass", + "osi_layer": "NOT_APPLICABLE", + "references": [ + { + "type": "NSWG", + "value": "NSWG-ECO-17", + }, + { + "type": "URL", + "value": "https://github.com/nodejs/security-wg/tree/master/vuln", + }, + { + "type": "URL", + "value": "https://auth0.com/blog/2015/03/31/critical-vulnerabilities-in-json-web-token-libraries/", + }, + { + "type": "URL", + "value": "https://github.com/auth0/node-jsonwebtoken/commit/1bb584bc382295eeb7ee8c4452a673a77a68b687", + }, + { + "type": "URL", + "value": "https://www.timmclean.net/2015/02/25/jwt-alg-none.html", + }, + ], + "severity": "HIGH", + }, + { + "attributes": { + "fixedVersion": "9.0.0", + "foundIn": "Node.js", + "installedVersion": "0.4.0", + "packageName": "jsonwebtoken", + "references": [ + "https://access.redhat.com/security/cve/CVE-2022-23540", + "https://github.com/auth0/node-jsonwebtoken", + "https://github.com/auth0/node-jsonwebtoken/commit/e1fa9dcc12054a8681db4e6373da1b30cf7016e3", 
+ "https://github.com/auth0/node-jsonwebtoken/security/advisories/GHSA-qwph-4952-7xr6", + "https://nvd.nist.gov/vuln/detail/CVE-2022-23540", + "https://security.netapp.com/advisory/ntap-20240621-0007", + "https://security.netapp.com/advisory/ntap-20240621-0007/", + "https://www.cve.org/CVERecord?id=CVE-2022-23540", + ], + "vulnerabilityId": "CVE-2022-23540", + }, + "category": "NPM Package Vulnerability", + "description": "In versions \`<=8.5.1\` of \`jsonwebtoken\` library, lack of algorithm definition in the \`jwt.verify()\` function can lead to signature validation bypass due to defaulting to the \`none\` algorithm for signature verification. Users are affected if you do not specify algorithms in the \`jwt.verify()\` function. This issue has been fixed, please update to version 9.0.0 which removes the default support for the none algorithm in the \`jwt.verify()\` method. There will be no impact, if you update to version 9.0.0 and you don’t need to allow for the \`none\` algorithm. If you need 'none' algorithm, you have to explicitly specify that in \`jwt.verify()\` options. 
+", + "location": "bkimminich/juice-shop:v12.10.2", + "mitigation": "Update the affected package jsonwebtoken to the fixed version: 9.0.0 or remove the package from the image.", + "name": "jsonwebtoken: Insecure default algorithm in jwt.verify() could lead to signature validation bypass", + "osi_layer": "NOT_APPLICABLE", + "references": [ + { + "type": "CVE", + "value": "CVE-2022-23540", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2022-23540", + }, + { + "type": "URL", + "value": "https://access.redhat.com/security/cve/CVE-2022-23540", + }, + { + "type": "URL", + "value": "https://github.com/auth0/node-jsonwebtoken", + }, + { + "type": "URL", + "value": "https://github.com/auth0/node-jsonwebtoken/commit/e1fa9dcc12054a8681db4e6373da1b30cf7016e3", + }, + { + "type": "URL", + "value": "https://github.com/auth0/node-jsonwebtoken/security/advisories/GHSA-qwph-4952-7xr6", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2022-23540", + }, + { + "type": "URL", + "value": "https://security.netapp.com/advisory/ntap-20240621-0007", + }, + { + "type": "URL", + "value": "https://security.netapp.com/advisory/ntap-20240621-0007/", + }, + { + "type": "URL", + "value": "https://www.cve.org/CVERecord?id=CVE-2022-23540", + }, + ], + "severity": "MEDIUM", + }, + { + "attributes": { + "fixedVersion": "9.0.0", + "foundIn": "Node.js", + "installedVersion": "0.4.0", + "packageName": "jsonwebtoken", + "references": [ + "https://access.redhat.com/security/cve/CVE-2022-23541", + "https://github.com/auth0/node-jsonwebtoken", + "https://github.com/auth0/node-jsonwebtoken/commit/e1fa9dcc12054a8681db4e6373da1b30cf7016e3", + "https://github.com/auth0/node-jsonwebtoken/releases/tag/v9.0.0", + "https://github.com/auth0/node-jsonwebtoken/security/advisories/GHSA-hjrf-2m68-5959", + "https://nvd.nist.gov/vuln/detail/CVE-2022-23541", + "https://security.netapp.com/advisory/ntap-20240621-0007", + 
"https://security.netapp.com/advisory/ntap-20240621-0007/", + "https://www.cve.org/CVERecord?id=CVE-2022-23541", + ], + "vulnerabilityId": "CVE-2022-23541", + }, + "category": "NPM Package Vulnerability", + "description": "jsonwebtoken is an implementation of JSON Web Tokens. Versions \`<= 8.5.1\` of \`jsonwebtoken\` library can be misconfigured so that passing a poorly implemented key retrieval function referring to the \`secretOrPublicKey\` argument from the readme link will result in incorrect verification of tokens. There is a possibility of using a different algorithm and key combination in verification, other than the one that was used to sign the tokens. Specifically, tokens signed with an asymmetric public key could be verified with a symmetric HS256 algorithm. This can lead to successful validation of forged tokens. If your application is supporting usage of both symmetric key and asymmetric key in jwt.verify() implementation with the same key retrieval function. This issue has been patched, please update to version 9.0.0.", + "location": "bkimminich/juice-shop:v12.10.2", + "mitigation": "Update the affected package jsonwebtoken to the fixed version: 9.0.0 or remove the package from the image.", + "name": "jsonwebtoken: Insecure implementation of key retrieval function could lead to Forgeable Public/Private Tokens from RSA to HMAC", + "osi_layer": "NOT_APPLICABLE", + "references": [ + { + "type": "CVE", + "value": "CVE-2022-23541", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2022-23541", + }, + { + "type": "URL", + "value": "https://access.redhat.com/security/cve/CVE-2022-23541", + }, + { + "type": "URL", + "value": "https://github.com/auth0/node-jsonwebtoken", + }, + { + "type": "URL", + "value": "https://github.com/auth0/node-jsonwebtoken/commit/e1fa9dcc12054a8681db4e6373da1b30cf7016e3", + }, + { + "type": "URL", + "value": "https://github.com/auth0/node-jsonwebtoken/releases/tag/v9.0.0", + }, + { + "type": "URL", + 
"value": "https://github.com/auth0/node-jsonwebtoken/security/advisories/GHSA-hjrf-2m68-5959", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2022-23541", + }, + { + "type": "URL", + "value": "https://security.netapp.com/advisory/ntap-20240621-0007", + }, + { + "type": "URL", + "value": "https://security.netapp.com/advisory/ntap-20240621-0007/", + }, + { + "type": "URL", + "value": "https://www.cve.org/CVERecord?id=CVE-2022-23541", + }, + ], + "severity": "MEDIUM", + }, + { + "attributes": { + "fixedVersion": ">=3.0.0", + "foundIn": "Node.js", + "installedVersion": "0.2.6", + "packageName": "jws", + "references": [ + "https://auth0.com/blog/2015/03/31/critical-vulnerabilities-in-json-web-token-libraries", + "https://auth0.com/blog/2015/03/31/critical-vulnerabilities-in-json-web-token-libraries/", + "https://github.com/brianloveswords/node-jws", + "https://github.com/brianloveswords/node-jws/commit/585d0e1e97b6747c10cf5b7689ccc5618a89b299#diff-4ac32a78649ca5bdd8e0ba38b7006a1e", + "https://nvd.nist.gov/vuln/detail/CVE-2016-1000223", + "https://snyk.io/vuln/npm:jws:20160726", + "https://www.npmjs.com/advisories/88", + ], + "vulnerabilityId": "CVE-2016-1000223", + }, + "category": "NPM Package Vulnerability", + "description": "Since "algorithm" isn't enforced in \`jws.verify()\`, a malicious user could choose what algorithm is sent to the server. If the server is expecting RSA but is sent HMAC-SHA with RSA's public key, the server will think the public key is actually an HMAC private key. This could be used to forge any data an attacker wants. + +In addition, there is the \`none\` algorithm to be concerned about. In versions prior to 3.0.0, verification of the token could be bypassed when the \`alg\` field is set to \`none\`. + +*Edit ( 7/29/16 ): A previous version of this advisory incorrectly stated that the vulnerability was patched in version 2.0.0 instead of 3.0.0. The advisory has been updated to reflect this new information. 
Thanks to Fabien Catteau for reporting the error.*", + "location": "bkimminich/juice-shop:v12.10.2", + "mitigation": "Update the affected package jws to the fixed version: >=3.0.0 or remove the package from the image.", + "name": "Forgeable Public/Private Tokens", + "osi_layer": "NOT_APPLICABLE", + "references": [ + { + "type": "CVE", + "value": "CVE-2016-1000223", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2016-1000223", + }, + { + "type": "URL", + "value": "https://auth0.com/blog/2015/03/31/critical-vulnerabilities-in-json-web-token-libraries", + }, + { + "type": "URL", + "value": "https://auth0.com/blog/2015/03/31/critical-vulnerabilities-in-json-web-token-libraries/", + }, + { + "type": "URL", + "value": "https://github.com/brianloveswords/node-jws", + }, + { + "type": "URL", + "value": "https://github.com/brianloveswords/node-jws/commit/585d0e1e97b6747c10cf5b7689ccc5618a89b299#diff-4ac32a78649ca5bdd8e0ba38b7006a1e", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2016-1000223", + }, + { + "type": "URL", + "value": "https://snyk.io/vuln/npm:jws:20160726", + }, + { + "type": "URL", + "value": "https://www.npmjs.com/advisories/88", + }, + ], + "severity": "HIGH", + }, + { + "attributes": { + "fixedVersion": undefined, + "foundIn": "Node.js", + "installedVersion": "0.26.7", + "packageName": "libxmljs2", + "references": [ + "https://github.com/marudor/libxmljs2", + "https://github.com/marudor/libxmljs2/issues/204", + "https://nvd.nist.gov/vuln/detail/CVE-2024-34393", + "https://research.jfrog.com/vulnerabilities/libxmljs2-attrs-type-confusion-rce-jfsa-2024-001034097", + "https://research.jfrog.com/vulnerabilities/libxmljs2-attrs-type-confusion-rce-jfsa-2024-001034097/", + ], + "vulnerabilityId": "CVE-2024-34393", + }, + "category": "NPM Package Vulnerability", + "description": "libxmljs2 is vulnerable to a type confusion vulnerability when parsing a specially crafted XML while invoking a function on the 
result of attrs() that was called on a parsed node. This vulnerability might lead to denial of service (on both 32-bit systems and 64-bit systems), data leak, infinite loop and remote code execution (on 32-bit systems with the XML_PARSE_HUGE flag enabled).", + "location": "bkimminich/juice-shop:v12.10.2", + "mitigation": "Update the affected package libxmljs2 to the fixed version: undefined or remove the package from the image.", + "name": "libxmljs2 type confusion vulnerability when parsing specially crafted XML", + "osi_layer": "NOT_APPLICABLE", + "references": [ + { + "type": "CVE", + "value": "CVE-2024-34393", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2024-34393", + }, + { + "type": "URL", + "value": "https://github.com/marudor/libxmljs2", + }, + { + "type": "URL", + "value": "https://github.com/marudor/libxmljs2/issues/204", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2024-34393", + }, + { + "type": "URL", + "value": "https://research.jfrog.com/vulnerabilities/libxmljs2-attrs-type-confusion-rce-jfsa-2024-001034097", + }, + { + "type": "URL", + "value": "https://research.jfrog.com/vulnerabilities/libxmljs2-attrs-type-confusion-rce-jfsa-2024-001034097/", + }, + ], + "severity": "HIGH", + }, + { + "attributes": { + "fixedVersion": undefined, + "foundIn": "Node.js", + "installedVersion": "0.26.7", + "packageName": "libxmljs2", + "references": [ + "https://github.com/marudor/libxmljs2", + "https://github.com/marudor/libxmljs2/issues/205", + "https://nvd.nist.gov/vuln/detail/CVE-2024-34394", + "https://research.jfrog.com/vulnerabilities/libxmljs2-namespaces-type-confusion-rce-jfsa-2024-001034098", + "https://research.jfrog.com/vulnerabilities/libxmljs2-namespaces-type-confusion-rce-jfsa-2024-001034098/", + ], + "vulnerabilityId": "CVE-2024-34394", + }, + "category": "NPM Package Vulnerability", + "description": "libxmljs2 is vulnerable to a type confusion vulnerability when parsing a specially crafted 
XML while invoking the namespaces() function (which invokes XmlNode::get_local_namespaces()) on a grand-child of a node that refers to an entity. This vulnerability can lead to denial of service and remote code execution.", + "location": "bkimminich/juice-shop:v12.10.2", + "mitigation": "Update the affected package libxmljs2 to the fixed version: undefined or remove the package from the image.", + "name": "libxmljs2 vulnerable to type confusion when parsing specially crafted XML", + "osi_layer": "NOT_APPLICABLE", + "references": [ + { + "type": "CVE", + "value": "CVE-2024-34394", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2024-34394", + }, + { + "type": "URL", + "value": "https://github.com/marudor/libxmljs2", + }, + { + "type": "URL", + "value": "https://github.com/marudor/libxmljs2/issues/205", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2024-34394", + }, + { + "type": "URL", + "value": "https://research.jfrog.com/vulnerabilities/libxmljs2-namespaces-type-confusion-rce-jfsa-2024-001034098", + }, + { + "type": "URL", + "value": "https://research.jfrog.com/vulnerabilities/libxmljs2-namespaces-type-confusion-rce-jfsa-2024-001034098/", + }, + ], + "severity": "HIGH", + }, + { + "attributes": { + "fixedVersion": "4.17.12", + "foundIn": "Node.js", + "installedVersion": "2.4.2", + "packageName": "lodash", + "references": [ + "https://access.redhat.com/errata/RHSA-2019:3024", + "https://access.redhat.com/security/cve/CVE-2019-10744", + "https://github.com/lodash/lodash/pull/4336", + "https://nvd.nist.gov/vuln/detail/CVE-2019-10744", + "https://security.netapp.com/advisory/ntap-20191004-0005", + "https://security.netapp.com/advisory/ntap-20191004-0005/", + "https://snyk.io/vuln/SNYK-JS-LODASH-450202", + "https://support.f5.com/csp/article/K47105354?utm_source=f5support&%3Butm_medium=RSS", + "https://support.f5.com/csp/article/K47105354?utm_source=f5support&utm_medium=RSS", + 
"https://www.cve.org/CVERecord?id=CVE-2019-10744", + "https://www.npmjs.com/advisories/1065", + "https://www.oracle.com/security-alerts/cpujan2021.html", + "https://www.oracle.com/security-alerts/cpuoct2020.html", + ], + "vulnerabilityId": "CVE-2019-10744", + }, + "category": "NPM Package Vulnerability", + "description": "Versions of lodash lower than 4.17.12 are vulnerable to Prototype Pollution. The function defaultsDeep could be tricked into adding or modifying properties of Object.prototype using a constructor payload.", + "location": "bkimminich/juice-shop:v12.10.2", + "mitigation": "Update the affected package lodash to the fixed version: 4.17.12 or remove the package from the image.", + "name": "nodejs-lodash: prototype pollution in defaultsDeep function leading to modifying properties", + "osi_layer": "NOT_APPLICABLE", + "references": [ + { + "type": "CVE", + "value": "CVE-2019-10744", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2019-10744", + }, + { + "type": "URL", + "value": "https://access.redhat.com/errata/RHSA-2019:3024", + }, + { + "type": "URL", + "value": "https://access.redhat.com/security/cve/CVE-2019-10744", + }, + { + "type": "URL", + "value": "https://github.com/lodash/lodash/pull/4336", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2019-10744", + }, + { + "type": "URL", + "value": "https://security.netapp.com/advisory/ntap-20191004-0005", + }, + { + "type": "URL", + "value": "https://security.netapp.com/advisory/ntap-20191004-0005/", + }, + { + "type": "URL", + "value": "https://snyk.io/vuln/SNYK-JS-LODASH-450202", + }, + { + "type": "URL", + "value": "https://support.f5.com/csp/article/K47105354?utm_source=f5support&%3Butm_medium=RSS", + }, + { + "type": "URL", + "value": "https://support.f5.com/csp/article/K47105354?utm_source=f5support&utm_medium=RSS", + }, + { + "type": "URL", + "value": "https://www.cve.org/CVERecord?id=CVE-2019-10744", + }, + { + "type": "URL", + "value": 
"https://www.npmjs.com/advisories/1065", + }, + { + "type": "URL", + "value": "https://www.oracle.com/security-alerts/cpujan2021.html", + }, + { + "type": "URL", + "value": "https://www.oracle.com/security-alerts/cpuoct2020.html", + }, + ], + "severity": "HIGH", + }, + { + "attributes": { + "fixedVersion": ">=4.17.11", + "foundIn": "Node.js", + "installedVersion": "2.4.2", + "packageName": "lodash", + "references": [ + "https://access.redhat.com/security/cve/CVE-2018-16487", + "https://github.com/advisories/GHSA-4xc9-xhrj-v574", + "https://github.com/lodash/lodash/commit/90e6199a161b6445b01454517b40ef65ebecd2ad", + "https://hackerone.com/reports/380873", + "https://nvd.nist.gov/vuln/detail/CVE-2018-16487", + "https://security.netapp.com/advisory/ntap-20190919-0004", + "https://security.netapp.com/advisory/ntap-20190919-0004/", + "https://www.cve.org/CVERecord?id=CVE-2018-16487", + "https://www.npmjs.com/advisories/782", + ], + "vulnerabilityId": "CVE-2018-16487", + }, + "category": "NPM Package Vulnerability", + "description": "A prototype pollution vulnerability was found in lodash <4.17.11 where the functions merge, mergeWith, and defaultsDeep can be tricked into adding or modifying properties of Object.prototype.", + "location": "bkimminich/juice-shop:v12.10.2", + "mitigation": "Update the affected package lodash to the fixed version: >=4.17.11 or remove the package from the image.", + "name": "lodash: Prototype pollution in utilities function", + "osi_layer": "NOT_APPLICABLE", + "references": [ + { + "type": "CVE", + "value": "CVE-2018-16487", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2018-16487", + }, + { + "type": "URL", + "value": "https://access.redhat.com/security/cve/CVE-2018-16487", + }, + { + "type": "URL", + "value": "https://github.com/advisories/GHSA-4xc9-xhrj-v574", + }, + { + "type": "URL", + "value": "https://github.com/lodash/lodash/commit/90e6199a161b6445b01454517b40ef65ebecd2ad", + }, + { + "type": "URL", + 
"value": "https://hackerone.com/reports/380873", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2018-16487", + }, + { + "type": "URL", + "value": "https://security.netapp.com/advisory/ntap-20190919-0004", + }, + { + "type": "URL", + "value": "https://security.netapp.com/advisory/ntap-20190919-0004/", + }, + { + "type": "URL", + "value": "https://www.cve.org/CVERecord?id=CVE-2018-16487", + }, + { + "type": "URL", + "value": "https://www.npmjs.com/advisories/782", + }, + ], + "severity": "HIGH", + }, + { + "attributes": { + "fixedVersion": "4.17.21", + "foundIn": "Node.js", + "installedVersion": "2.4.2", + "packageName": "lodash", + "references": [ + "https://access.redhat.com/security/cve/CVE-2021-23337", + "https://cert-portal.siemens.com/productcert/pdf/ssa-637483.pdf", + "https://github.com/lodash/lodash", + "https://github.com/lodash/lodash/blob/ddfd9b11a0126db2302cb70ec9973b66baec0975/lodash.js#L14851", + "https://github.com/lodash/lodash/blob/ddfd9b11a0126db2302cb70ec9973b66baec0975/lodash.js%23L14851", + "https://github.com/lodash/lodash/commit/3469357cff396a26c363f8c1b5a91dde28ba4b1c", + "https://nvd.nist.gov/vuln/detail/CVE-2021-23337", + "https://security.netapp.com/advisory/ntap-20210312-0006", + "https://security.netapp.com/advisory/ntap-20210312-0006/", + "https://snyk.io/vuln/SNYK-JAVA-ORGFUJIONWEBJARS-1074932", + "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-1074930", + "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1074928", + "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBLODASH-1074931", + "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1074929", + "https://snyk.io/vuln/SNYK-JS-LODASH-1040724", + "https://www.cve.org/CVERecord?id=CVE-2021-23337", + "https://www.oracle.com//security-alerts/cpujul2021.html", + "https://www.oracle.com/security-alerts/cpujan2022.html", + "https://www.oracle.com/security-alerts/cpujul2022.html", + "https://www.oracle.com/security-alerts/cpuoct2021.html", + ], + "vulnerabilityId": 
"CVE-2021-23337", + }, + "category": "NPM Package Vulnerability", + "description": "Lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function.", + "location": "bkimminich/juice-shop:v12.10.2", + "mitigation": "Update the affected package lodash to the fixed version: 4.17.21 or remove the package from the image.", + "name": "nodejs-lodash: command injection via template", + "osi_layer": "NOT_APPLICABLE", + "references": [ + { + "type": "CVE", + "value": "CVE-2021-23337", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2021-23337", + }, + { + "type": "URL", + "value": "https://access.redhat.com/security/cve/CVE-2021-23337", + }, + { + "type": "URL", + "value": "https://cert-portal.siemens.com/productcert/pdf/ssa-637483.pdf", + }, + { + "type": "URL", + "value": "https://github.com/lodash/lodash", + }, + { + "type": "URL", + "value": "https://github.com/lodash/lodash/blob/ddfd9b11a0126db2302cb70ec9973b66baec0975/lodash.js#L14851", + }, + { + "type": "URL", + "value": "https://github.com/lodash/lodash/blob/ddfd9b11a0126db2302cb70ec9973b66baec0975/lodash.js%23L14851", + }, + { + "type": "URL", + "value": "https://github.com/lodash/lodash/commit/3469357cff396a26c363f8c1b5a91dde28ba4b1c", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2021-23337", + }, + { + "type": "URL", + "value": "https://security.netapp.com/advisory/ntap-20210312-0006", + }, + { + "type": "URL", + "value": "https://security.netapp.com/advisory/ntap-20210312-0006/", + }, + { + "type": "URL", + "value": "https://snyk.io/vuln/SNYK-JAVA-ORGFUJIONWEBJARS-1074932", + }, + { + "type": "URL", + "value": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-1074930", + }, + { + "type": "URL", + "value": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1074928", + }, + { + "type": "URL", + "value": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBLODASH-1074931", + }, + { + "type": "URL", + "value": 
"https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1074929", + }, + { + "type": "URL", + "value": "https://snyk.io/vuln/SNYK-JS-LODASH-1040724", + }, + { + "type": "URL", + "value": "https://www.cve.org/CVERecord?id=CVE-2021-23337", + }, + { + "type": "URL", + "value": "https://www.oracle.com//security-alerts/cpujul2021.html", + }, + { + "type": "URL", + "value": "https://www.oracle.com/security-alerts/cpujan2022.html", + }, + { + "type": "URL", + "value": "https://www.oracle.com/security-alerts/cpujul2022.html", + }, + { + "type": "URL", + "value": "https://www.oracle.com/security-alerts/cpuoct2021.html", + }, + ], + "severity": "HIGH", + }, + { + "attributes": { + "fixedVersion": "4.17.11", + "foundIn": "Node.js", + "installedVersion": "2.4.2", + "packageName": "lodash", + "references": [ + "https://access.redhat.com/security/cve/CVE-2019-1010266", + "https://github.com/lodash/lodash/commit/5c08f18d365b64063bfbfa686cbb97cdd6267347", + "https://github.com/lodash/lodash/issues/3359", + "https://github.com/lodash/lodash/wiki/Changelog", + "https://nvd.nist.gov/vuln/detail/CVE-2019-1010266", + "https://security.netapp.com/advisory/ntap-20190919-0004", + "https://security.netapp.com/advisory/ntap-20190919-0004/", + "https://snyk.io/vuln/SNYK-JS-LODASH-73639", + "https://www.cve.org/CVERecord?id=CVE-2019-1010266", + ], + "vulnerabilityId": "CVE-2019-1010266", + }, + "category": "NPM Package Vulnerability", + "description": "lodash prior to 4.17.11 is affected by: CWE-400: Uncontrolled Resource Consumption. The impact is: Denial of service. The component is: Date handler. The attack vector is: Attacker provides very long strings, which the library attempts to match using a regular expression. 
The fixed version is: 4.17.11.", + "location": "bkimminich/juice-shop:v12.10.2", + "mitigation": "Update the affected package lodash to the fixed version: 4.17.11 or remove the package from the image.", + "name": "lodash: uncontrolled resource consumption in Data handler causing denial of service", + "osi_layer": "NOT_APPLICABLE", + "references": [ + { + "type": "CVE", + "value": "CVE-2019-1010266", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2019-1010266", + }, + { + "type": "URL", + "value": "https://access.redhat.com/security/cve/CVE-2019-1010266", + }, + { + "type": "URL", + "value": "https://github.com/lodash/lodash/commit/5c08f18d365b64063bfbfa686cbb97cdd6267347", + }, + { + "type": "URL", + "value": "https://github.com/lodash/lodash/issues/3359", + }, + { + "type": "URL", + "value": "https://github.com/lodash/lodash/wiki/Changelog", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2019-1010266", + }, + { + "type": "URL", + "value": "https://security.netapp.com/advisory/ntap-20190919-0004", + }, + { + "type": "URL", + "value": "https://security.netapp.com/advisory/ntap-20190919-0004/", + }, + { + "type": "URL", + "value": "https://snyk.io/vuln/SNYK-JS-LODASH-73639", + }, + { + "type": "URL", + "value": "https://www.cve.org/CVERecord?id=CVE-2019-1010266", + }, + ], + "severity": "MEDIUM", + }, + { + "attributes": { + "fixedVersion": "4.17.21", + "foundIn": "Node.js", + "installedVersion": "2.4.2", + "packageName": "lodash", + "references": [ + "https://access.redhat.com/security/cve/CVE-2020-28500", + "https://cert-portal.siemens.com/productcert/pdf/ssa-637483.pdf", + "https://github.com/lodash/lodash", + "https://github.com/lodash/lodash/blob/npm/trimEnd.js#L8", + "https://github.com/lodash/lodash/blob/npm/trimEnd.js%23L8", + "https://github.com/lodash/lodash/commit/c4847ebe7d14540bb28a8b932a9ce1b9ecbfee1a", + "https://github.com/lodash/lodash/pull/5065", + 
"https://github.com/lodash/lodash/pull/5065/commits/02906b8191d3c100c193fe6f7b27d1c40f200bb7", + "https://nvd.nist.gov/vuln/detail/CVE-2020-28500", + "https://security.netapp.com/advisory/ntap-20210312-0006", + "https://security.netapp.com/advisory/ntap-20210312-0006/", + "https://snyk.io/vuln/SNYK-JAVA-ORGFUJIONWEBJARS-1074896", + "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-1074894", + "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1074892", + "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBLODASH-1074895", + "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1074893", + "https://snyk.io/vuln/SNYK-JS-LODASH-1018905", + "https://www.cve.org/CVERecord?id=CVE-2020-28500", + "https://www.oracle.com//security-alerts/cpujul2021.html", + "https://www.oracle.com/security-alerts/cpujan2022.html", + "https://www.oracle.com/security-alerts/cpujul2022.html", + "https://www.oracle.com/security-alerts/cpuoct2021.html", + ], + "vulnerabilityId": "CVE-2020-28500", + }, + "category": "NPM Package Vulnerability", + "description": "Lodash versions prior to 4.17.21 are vulnerable to Regular Expression Denial of Service (ReDoS) via the toNumber, trim and trimEnd functions.", + "location": "bkimminich/juice-shop:v12.10.2", + "mitigation": "Update the affected package lodash to the fixed version: 4.17.21 or remove the package from the image.", + "name": "nodejs-lodash: ReDoS via the toNumber, trim and trimEnd functions", + "osi_layer": "NOT_APPLICABLE", + "references": [ + { + "type": "CVE", + "value": "CVE-2020-28500", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2020-28500", + }, + { + "type": "URL", + "value": "https://access.redhat.com/security/cve/CVE-2020-28500", + }, + { + "type": "URL", + "value": "https://cert-portal.siemens.com/productcert/pdf/ssa-637483.pdf", + }, + { + "type": "URL", + "value": "https://github.com/lodash/lodash", + }, + { + "type": "URL", + "value": "https://github.com/lodash/lodash/blob/npm/trimEnd.js#L8", + }, + { + "type": 
"URL", + "value": "https://github.com/lodash/lodash/blob/npm/trimEnd.js%23L8", + }, + { + "type": "URL", + "value": "https://github.com/lodash/lodash/commit/c4847ebe7d14540bb28a8b932a9ce1b9ecbfee1a", + }, + { + "type": "URL", + "value": "https://github.com/lodash/lodash/pull/5065", + }, + { + "type": "URL", + "value": "https://github.com/lodash/lodash/pull/5065/commits/02906b8191d3c100c193fe6f7b27d1c40f200bb7", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2020-28500", + }, + { + "type": "URL", + "value": "https://security.netapp.com/advisory/ntap-20210312-0006", + }, + { + "type": "URL", + "value": "https://security.netapp.com/advisory/ntap-20210312-0006/", + }, + { + "type": "URL", + "value": "https://snyk.io/vuln/SNYK-JAVA-ORGFUJIONWEBJARS-1074896", + }, + { + "type": "URL", + "value": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-1074894", + }, + { + "type": "URL", + "value": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1074892", + }, + { + "type": "URL", + "value": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBLODASH-1074895", + }, + { + "type": "URL", + "value": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1074893", + }, + { + "type": "URL", + "value": "https://snyk.io/vuln/SNYK-JS-LODASH-1018905", + }, + { + "type": "URL", + "value": "https://www.cve.org/CVERecord?id=CVE-2020-28500", + }, + { + "type": "URL", + "value": "https://www.oracle.com//security-alerts/cpujul2021.html", + }, + { + "type": "URL", + "value": "https://www.oracle.com/security-alerts/cpujan2022.html", + }, + { + "type": "URL", + "value": "https://www.oracle.com/security-alerts/cpujul2022.html", + }, + { + "type": "URL", + "value": "https://www.oracle.com/security-alerts/cpuoct2021.html", + }, + ], + "severity": "MEDIUM", + }, + { + "attributes": { + "fixedVersion": ">=4.17.5", + "foundIn": "Node.js", + "installedVersion": "2.4.2", + "packageName": "lodash", + "references": [ + "https://access.redhat.com/security/cve/CVE-2018-3721", + 
"https://github.com/advisories/GHSA-fvqr-27wr-82fm", + "https://github.com/lodash/lodash/commit/d8e069cc3410082e44eb18fcf8e7f3d08ebe1d4a", + "https://hackerone.com/reports/310443", + "https://nvd.nist.gov/vuln/detail/CVE-2018-3721", + "https://security.netapp.com/advisory/ntap-20190919-0004", + "https://security.netapp.com/advisory/ntap-20190919-0004/", + "https://www.cve.org/CVERecord?id=CVE-2018-3721", + "https://www.npmjs.com/advisories/577", + ], + "vulnerabilityId": "CVE-2018-3721", + }, + "category": "NPM Package Vulnerability", + "description": "lodash node module before 4.17.5 suffers from a Modification of Assumed-Immutable Data (MAID) vulnerability via defaultsDeep, merge, and mergeWith functions, which allows a malicious user to modify the prototype of "Object" via __proto__, causing the addition or modification of an existing property that will exist on all objects.", + "location": "bkimminich/juice-shop:v12.10.2", + "mitigation": "Update the affected package lodash to the fixed version: >=4.17.5 or remove the package from the image.", + "name": "lodash: Prototype pollution in utilities function", + "osi_layer": "NOT_APPLICABLE", + "references": [ + { + "type": "CVE", + "value": "CVE-2018-3721", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2018-3721", + }, + { + "type": "URL", + "value": "https://access.redhat.com/security/cve/CVE-2018-3721", + }, + { + "type": "URL", + "value": "https://github.com/advisories/GHSA-fvqr-27wr-82fm", + }, + { + "type": "URL", + "value": "https://github.com/lodash/lodash/commit/d8e069cc3410082e44eb18fcf8e7f3d08ebe1d4a", + }, + { + "type": "URL", + "value": "https://hackerone.com/reports/310443", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2018-3721", + }, + { + "type": "URL", + "value": "https://security.netapp.com/advisory/ntap-20190919-0004", + }, + { + "type": "URL", + "value": "https://security.netapp.com/advisory/ntap-20190919-0004/", + }, + { + "type": 
"URL", + "value": "https://www.cve.org/CVERecord?id=CVE-2018-3721", + }, + { + "type": "URL", + "value": "https://www.npmjs.com/advisories/577", + }, + ], + "severity": "LOW", + }, + { + "attributes": { + "fixedVersion": "4.17.12", + "foundIn": "Node.js", + "installedVersion": "4.17.11", + "packageName": "lodash", + "references": [ + "https://access.redhat.com/errata/RHSA-2019:3024", + "https://access.redhat.com/security/cve/CVE-2019-10744", + "https://github.com/lodash/lodash/pull/4336", + "https://nvd.nist.gov/vuln/detail/CVE-2019-10744", + "https://security.netapp.com/advisory/ntap-20191004-0005", + "https://security.netapp.com/advisory/ntap-20191004-0005/", + "https://snyk.io/vuln/SNYK-JS-LODASH-450202", + "https://support.f5.com/csp/article/K47105354?utm_source=f5support&%3Butm_medium=RSS", + "https://support.f5.com/csp/article/K47105354?utm_source=f5support&utm_medium=RSS", + "https://www.cve.org/CVERecord?id=CVE-2019-10744", + "https://www.npmjs.com/advisories/1065", + "https://www.oracle.com/security-alerts/cpujan2021.html", + "https://www.oracle.com/security-alerts/cpuoct2020.html", + ], + "vulnerabilityId": "CVE-2019-10744", + }, + "category": "NPM Package Vulnerability", + "description": "Versions of lodash lower than 4.17.12 are vulnerable to Prototype Pollution. 
The function defaultsDeep could be tricked into adding or modifying properties of Object.prototype using a constructor payload.", + "location": "bkimminich/juice-shop:v12.10.2", + "mitigation": "Update the affected package lodash to the fixed version: 4.17.12 or remove the package from the image.", + "name": "nodejs-lodash: prototype pollution in defaultsDeep function leading to modifying properties", + "osi_layer": "NOT_APPLICABLE", + "references": [ + { + "type": "CVE", + "value": "CVE-2019-10744", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2019-10744", + }, + { + "type": "URL", + "value": "https://access.redhat.com/errata/RHSA-2019:3024", + }, + { + "type": "URL", + "value": "https://access.redhat.com/security/cve/CVE-2019-10744", + }, + { + "type": "URL", + "value": "https://github.com/lodash/lodash/pull/4336", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2019-10744", + }, + { + "type": "URL", + "value": "https://security.netapp.com/advisory/ntap-20191004-0005", + }, + { + "type": "URL", + "value": "https://security.netapp.com/advisory/ntap-20191004-0005/", + }, + { + "type": "URL", + "value": "https://snyk.io/vuln/SNYK-JS-LODASH-450202", + }, + { + "type": "URL", + "value": "https://support.f5.com/csp/article/K47105354?utm_source=f5support&%3Butm_medium=RSS", + }, + { + "type": "URL", + "value": "https://support.f5.com/csp/article/K47105354?utm_source=f5support&utm_medium=RSS", + }, + { + "type": "URL", + "value": "https://www.cve.org/CVERecord?id=CVE-2019-10744", + }, + { + "type": "URL", + "value": "https://www.npmjs.com/advisories/1065", + }, + { + "type": "URL", + "value": "https://www.oracle.com/security-alerts/cpujan2021.html", + }, + { + "type": "URL", + "value": "https://www.oracle.com/security-alerts/cpuoct2020.html", + }, + ], + "severity": "HIGH", + }, + { + "attributes": { + "fixedVersion": "4.17.19", + "foundIn": "Node.js", + "installedVersion": "4.17.11", + "packageName": "lodash", + 
"references": [ + "https://access.redhat.com/security/cve/CVE-2020-8203", + "https://github.com/github/advisory-database/pull/2884", + "https://github.com/lodash/lodash", + "https://github.com/lodash/lodash/commit/c84fe82760fb2d3e03a63379b297a1cc1a2fce12", + "https://github.com/lodash/lodash/issues/4744", + "https://github.com/lodash/lodash/issues/4874", + "https://github.com/lodash/lodash/wiki/Changelog#v41719", + "https://hackerone.com/reports/712065", + "https://hackerone.com/reports/864701", + "https://nvd.nist.gov/vuln/detail/CVE-2020-8203", + "https://security.netapp.com/advisory/ntap-20200724-0006", + "https://security.netapp.com/advisory/ntap-20200724-0006/", + "https://web.archive.org/web/20210914001339/https://github.com/lodash/lodash/issues/4744", + "https://www.cve.org/CVERecord?id=CVE-2020-8203", + "https://www.npmjs.com/advisories/1523", + "https://www.oracle.com//security-alerts/cpujul2021.html", + "https://www.oracle.com/security-alerts/cpuApr2021.html", + "https://www.oracle.com/security-alerts/cpuapr2022.html", + "https://www.oracle.com/security-alerts/cpujan2022.html", + "https://www.oracle.com/security-alerts/cpuoct2021.html", + ], + "vulnerabilityId": "CVE-2020-8203", + }, + "category": "NPM Package Vulnerability", + "description": "Prototype pollution attack when using _.zipObjectDeep in lodash before 4.17.20.", + "location": "bkimminich/juice-shop:v12.10.2", + "mitigation": "Update the affected package lodash to the fixed version: 4.17.19 or remove the package from the image.", + "name": "nodejs-lodash: prototype pollution in zipObjectDeep function", + "osi_layer": "NOT_APPLICABLE", + "references": [ + { + "type": "CVE", + "value": "CVE-2020-8203", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2020-8203", + }, + { + "type": "URL", + "value": "https://access.redhat.com/security/cve/CVE-2020-8203", + }, + { + "type": "URL", + "value": "https://github.com/github/advisory-database/pull/2884", + }, + { + "type": "URL", 
+ "value": "https://github.com/lodash/lodash", + }, + { + "type": "URL", + "value": "https://github.com/lodash/lodash/commit/c84fe82760fb2d3e03a63379b297a1cc1a2fce12", + }, + { + "type": "URL", + "value": "https://github.com/lodash/lodash/issues/4744", + }, + { + "type": "URL", + "value": "https://github.com/lodash/lodash/issues/4874", + }, + { + "type": "URL", + "value": "https://github.com/lodash/lodash/wiki/Changelog#v41719", + }, + { + "type": "URL", + "value": "https://hackerone.com/reports/712065", + }, + { + "type": "URL", + "value": "https://hackerone.com/reports/864701", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2020-8203", + }, + { + "type": "URL", + "value": "https://security.netapp.com/advisory/ntap-20200724-0006", + }, + { + "type": "URL", + "value": "https://security.netapp.com/advisory/ntap-20200724-0006/", + }, + { + "type": "URL", + "value": "https://web.archive.org/web/20210914001339/https://github.com/lodash/lodash/issues/4744", + }, + { + "type": "URL", + "value": "https://www.cve.org/CVERecord?id=CVE-2020-8203", + }, + { + "type": "URL", + "value": "https://www.npmjs.com/advisories/1523", + }, + { + "type": "URL", + "value": "https://www.oracle.com//security-alerts/cpujul2021.html", + }, + { + "type": "URL", + "value": "https://www.oracle.com/security-alerts/cpuApr2021.html", + }, + { + "type": "URL", + "value": "https://www.oracle.com/security-alerts/cpuapr2022.html", + }, + { + "type": "URL", + "value": "https://www.oracle.com/security-alerts/cpujan2022.html", + }, + { + "type": "URL", + "value": "https://www.oracle.com/security-alerts/cpuoct2021.html", + }, + ], + "severity": "HIGH", + }, + { + "attributes": { + "fixedVersion": "4.17.21", + "foundIn": "Node.js", + "installedVersion": "4.17.11", + "packageName": "lodash", + "references": [ + "https://access.redhat.com/security/cve/CVE-2021-23337", + "https://cert-portal.siemens.com/productcert/pdf/ssa-637483.pdf", + "https://github.com/lodash/lodash", + 
"https://github.com/lodash/lodash/blob/ddfd9b11a0126db2302cb70ec9973b66baec0975/lodash.js#L14851", + "https://github.com/lodash/lodash/blob/ddfd9b11a0126db2302cb70ec9973b66baec0975/lodash.js%23L14851", + "https://github.com/lodash/lodash/commit/3469357cff396a26c363f8c1b5a91dde28ba4b1c", + "https://nvd.nist.gov/vuln/detail/CVE-2021-23337", + "https://security.netapp.com/advisory/ntap-20210312-0006", + "https://security.netapp.com/advisory/ntap-20210312-0006/", + "https://snyk.io/vuln/SNYK-JAVA-ORGFUJIONWEBJARS-1074932", + "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-1074930", + "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1074928", + "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBLODASH-1074931", + "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1074929", + "https://snyk.io/vuln/SNYK-JS-LODASH-1040724", + "https://www.cve.org/CVERecord?id=CVE-2021-23337", + "https://www.oracle.com//security-alerts/cpujul2021.html", + "https://www.oracle.com/security-alerts/cpujan2022.html", + "https://www.oracle.com/security-alerts/cpujul2022.html", + "https://www.oracle.com/security-alerts/cpuoct2021.html", + ], + "vulnerabilityId": "CVE-2021-23337", + }, + "category": "NPM Package Vulnerability", + "description": "Lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function.", + "location": "bkimminich/juice-shop:v12.10.2", + "mitigation": "Update the affected package lodash to the fixed version: 4.17.21 or remove the package from the image.", + "name": "nodejs-lodash: command injection via template", + "osi_layer": "NOT_APPLICABLE", + "references": [ + { + "type": "CVE", + "value": "CVE-2021-23337", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2021-23337", + }, + { + "type": "URL", + "value": "https://access.redhat.com/security/cve/CVE-2021-23337", + }, + { + "type": "URL", + "value": "https://cert-portal.siemens.com/productcert/pdf/ssa-637483.pdf", + }, + { + "type": "URL", + "value": 
"https://github.com/lodash/lodash", + }, + { + "type": "URL", + "value": "https://github.com/lodash/lodash/blob/ddfd9b11a0126db2302cb70ec9973b66baec0975/lodash.js#L14851", + }, + { + "type": "URL", + "value": "https://github.com/lodash/lodash/blob/ddfd9b11a0126db2302cb70ec9973b66baec0975/lodash.js%23L14851", + }, + { + "type": "URL", + "value": "https://github.com/lodash/lodash/commit/3469357cff396a26c363f8c1b5a91dde28ba4b1c", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2021-23337", + }, + { + "type": "URL", + "value": "https://security.netapp.com/advisory/ntap-20210312-0006", + }, + { + "type": "URL", + "value": "https://security.netapp.com/advisory/ntap-20210312-0006/", + }, + { + "type": "URL", + "value": "https://snyk.io/vuln/SNYK-JAVA-ORGFUJIONWEBJARS-1074932", + }, + { + "type": "URL", + "value": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-1074930", + }, + { + "type": "URL", + "value": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1074928", + }, + { + "type": "URL", + "value": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBLODASH-1074931", + }, + { + "type": "URL", + "value": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1074929", + }, + { + "type": "URL", + "value": "https://snyk.io/vuln/SNYK-JS-LODASH-1040724", + }, + { + "type": "URL", + "value": "https://www.cve.org/CVERecord?id=CVE-2021-23337", + }, + { + "type": "URL", + "value": "https://www.oracle.com//security-alerts/cpujul2021.html", + }, + { + "type": "URL", + "value": "https://www.oracle.com/security-alerts/cpujan2022.html", + }, + { + "type": "URL", + "value": "https://www.oracle.com/security-alerts/cpujul2022.html", + }, + { + "type": "URL", + "value": "https://www.oracle.com/security-alerts/cpuoct2021.html", + }, + ], + "severity": "HIGH", + }, + { + "attributes": { + "fixedVersion": "4.17.21", + "foundIn": "Node.js", + "installedVersion": "4.17.11", + "packageName": "lodash", + "references": [ + "https://access.redhat.com/security/cve/CVE-2020-28500", + 
"https://cert-portal.siemens.com/productcert/pdf/ssa-637483.pdf", + "https://github.com/lodash/lodash", + "https://github.com/lodash/lodash/blob/npm/trimEnd.js#L8", + "https://github.com/lodash/lodash/blob/npm/trimEnd.js%23L8", + "https://github.com/lodash/lodash/commit/c4847ebe7d14540bb28a8b932a9ce1b9ecbfee1a", + "https://github.com/lodash/lodash/pull/5065", + "https://github.com/lodash/lodash/pull/5065/commits/02906b8191d3c100c193fe6f7b27d1c40f200bb7", + "https://nvd.nist.gov/vuln/detail/CVE-2020-28500", + "https://security.netapp.com/advisory/ntap-20210312-0006", + "https://security.netapp.com/advisory/ntap-20210312-0006/", + "https://snyk.io/vuln/SNYK-JAVA-ORGFUJIONWEBJARS-1074896", + "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-1074894", + "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1074892", + "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBLODASH-1074895", + "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1074893", + "https://snyk.io/vuln/SNYK-JS-LODASH-1018905", + "https://www.cve.org/CVERecord?id=CVE-2020-28500", + "https://www.oracle.com//security-alerts/cpujul2021.html", + "https://www.oracle.com/security-alerts/cpujan2022.html", + "https://www.oracle.com/security-alerts/cpujul2022.html", + "https://www.oracle.com/security-alerts/cpuoct2021.html", + ], + "vulnerabilityId": "CVE-2020-28500", + }, + "category": "NPM Package Vulnerability", + "description": "Lodash versions prior to 4.17.21 are vulnerable to Regular Expression Denial of Service (ReDoS) via the toNumber, trim and trimEnd functions.", + "location": "bkimminich/juice-shop:v12.10.2", + "mitigation": "Update the affected package lodash to the fixed version: 4.17.21 or remove the package from the image.", + "name": "nodejs-lodash: ReDoS via the toNumber, trim and trimEnd functions", + "osi_layer": "NOT_APPLICABLE", + "references": [ + { + "type": "CVE", + "value": "CVE-2020-28500", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2020-28500", + }, + { + "type": 
"URL", + "value": "https://access.redhat.com/security/cve/CVE-2020-28500", + }, + { + "type": "URL", + "value": "https://cert-portal.siemens.com/productcert/pdf/ssa-637483.pdf", + }, + { + "type": "URL", + "value": "https://github.com/lodash/lodash", + }, + { + "type": "URL", + "value": "https://github.com/lodash/lodash/blob/npm/trimEnd.js#L8", + }, + { + "type": "URL", + "value": "https://github.com/lodash/lodash/blob/npm/trimEnd.js%23L8", + }, + { + "type": "URL", + "value": "https://github.com/lodash/lodash/commit/c4847ebe7d14540bb28a8b932a9ce1b9ecbfee1a", + }, + { + "type": "URL", + "value": "https://github.com/lodash/lodash/pull/5065", + }, + { + "type": "URL", + "value": "https://github.com/lodash/lodash/pull/5065/commits/02906b8191d3c100c193fe6f7b27d1c40f200bb7", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2020-28500", + }, + { + "type": "URL", + "value": "https://security.netapp.com/advisory/ntap-20210312-0006", + }, + { + "type": "URL", + "value": "https://security.netapp.com/advisory/ntap-20210312-0006/", + }, + { + "type": "URL", + "value": "https://snyk.io/vuln/SNYK-JAVA-ORGFUJIONWEBJARS-1074896", + }, + { + "type": "URL", + "value": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-1074894", + }, + { + "type": "URL", + "value": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1074892", + }, + { + "type": "URL", + "value": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBLODASH-1074895", + }, + { + "type": "URL", + "value": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1074893", + }, + { + "type": "URL", + "value": "https://snyk.io/vuln/SNYK-JS-LODASH-1018905", + }, + { + "type": "URL", + "value": "https://www.cve.org/CVERecord?id=CVE-2020-28500", + }, + { + "type": "URL", + "value": "https://www.oracle.com//security-alerts/cpujul2021.html", + }, + { + "type": "URL", + "value": "https://www.oracle.com/security-alerts/cpujan2022.html", + }, + { + "type": "URL", + "value": 
"https://www.oracle.com/security-alerts/cpujul2022.html", + }, + { + "type": "URL", + "value": "https://www.oracle.com/security-alerts/cpuoct2021.html", + }, + ], + "severity": "MEDIUM", + }, + { + "attributes": { + "fixedVersion": undefined, + "foundIn": "Node.js", + "installedVersion": "4.3.2", + "packageName": "lodash.set", + "references": [ + "https://access.redhat.com/security/cve/CVE-2020-8203", + "https://github.com/github/advisory-database/pull/2884", + "https://github.com/lodash/lodash", + "https://github.com/lodash/lodash/commit/c84fe82760fb2d3e03a63379b297a1cc1a2fce12", + "https://github.com/lodash/lodash/issues/4744", + "https://github.com/lodash/lodash/issues/4874", + "https://github.com/lodash/lodash/wiki/Changelog#v41719", + "https://hackerone.com/reports/712065", + "https://hackerone.com/reports/864701", + "https://nvd.nist.gov/vuln/detail/CVE-2020-8203", + "https://security.netapp.com/advisory/ntap-20200724-0006", + "https://security.netapp.com/advisory/ntap-20200724-0006/", + "https://web.archive.org/web/20210914001339/https://github.com/lodash/lodash/issues/4744", + "https://www.cve.org/CVERecord?id=CVE-2020-8203", + "https://www.npmjs.com/advisories/1523", + "https://www.oracle.com//security-alerts/cpujul2021.html", + "https://www.oracle.com/security-alerts/cpuApr2021.html", + "https://www.oracle.com/security-alerts/cpuapr2022.html", + "https://www.oracle.com/security-alerts/cpujan2022.html", + "https://www.oracle.com/security-alerts/cpuoct2021.html", + ], + "vulnerabilityId": "CVE-2020-8203", + }, + "category": "NPM Package Vulnerability", + "description": "Prototype pollution attack when using _.zipObjectDeep in lodash before 4.17.20.", + "location": "bkimminich/juice-shop:v12.10.2", + "mitigation": "Update the affected package lodash.set to the fixed version: undefined or remove the package from the image.", + "name": "nodejs-lodash: prototype pollution in zipObjectDeep function", + "osi_layer": "NOT_APPLICABLE", + "references": [ + { + 
"type": "CVE", + "value": "CVE-2020-8203", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2020-8203", + }, + { + "type": "URL", + "value": "https://access.redhat.com/security/cve/CVE-2020-8203", + }, + { + "type": "URL", + "value": "https://github.com/github/advisory-database/pull/2884", + }, + { + "type": "URL", + "value": "https://github.com/lodash/lodash", + }, + { + "type": "URL", + "value": "https://github.com/lodash/lodash/commit/c84fe82760fb2d3e03a63379b297a1cc1a2fce12", + }, + { + "type": "URL", + "value": "https://github.com/lodash/lodash/issues/4744", + }, + { + "type": "URL", + "value": "https://github.com/lodash/lodash/issues/4874", + }, + { + "type": "URL", + "value": "https://github.com/lodash/lodash/wiki/Changelog#v41719", + }, + { + "type": "URL", + "value": "https://hackerone.com/reports/712065", + }, + { + "type": "URL", + "value": "https://hackerone.com/reports/864701", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2020-8203", + }, + { + "type": "URL", + "value": "https://security.netapp.com/advisory/ntap-20200724-0006", + }, + { + "type": "URL", + "value": "https://security.netapp.com/advisory/ntap-20200724-0006/", + }, + { + "type": "URL", + "value": "https://web.archive.org/web/20210914001339/https://github.com/lodash/lodash/issues/4744", + }, + { + "type": "URL", + "value": "https://www.cve.org/CVERecord?id=CVE-2020-8203", + }, + { + "type": "URL", + "value": "https://www.npmjs.com/advisories/1523", + }, + { + "type": "URL", + "value": "https://www.oracle.com//security-alerts/cpujul2021.html", + }, + { + "type": "URL", + "value": "https://www.oracle.com/security-alerts/cpuApr2021.html", + }, + { + "type": "URL", + "value": "https://www.oracle.com/security-alerts/cpuapr2022.html", + }, + { + "type": "URL", + "value": "https://www.oracle.com/security-alerts/cpujan2022.html", + }, + { + "type": "URL", + "value": "https://www.oracle.com/security-alerts/cpuoct2021.html", + }, + ], + 
"severity": "HIGH", + }, + { + "attributes": { + "fixedVersion": undefined, + "foundIn": "Node.js", + "installedVersion": "0.6.11", + "packageName": "marsdb", + "references": [ + "https://github.com/bkimminich/juice-shop/issues/1173", + "https://www.npmjs.com/advisories/1122", + ], + "vulnerabilityId": "GHSA-5mrr-rgp6-x4gr", + }, + "category": "NPM Package Vulnerability", + "description": "All versions of \`marsdb\` are vulnerable to Command Injection. In the \`DocumentMatcher\` class, selectors on \`$where\` clauses are passed to a Function constructor unsanitized. This allows attackers to run arbitrary commands in the system when the function is executed. + + +## Recommendation + +No fix is currently available. Consider using an alternative package until a fix is made available.", + "location": "bkimminich/juice-shop:v12.10.2", + "mitigation": "Update the affected package marsdb to the fixed version: undefined or remove the package from the image.", + "name": "Command Injection in marsdb", + "osi_layer": "NOT_APPLICABLE", + "references": [ + { + "type": "URL", + "value": "https://github.com/bkimminich/juice-shop/issues/1173", + }, + { + "type": "URL", + "value": "https://www.npmjs.com/advisories/1122", + }, + ], + "severity": "HIGH", + }, + { + "attributes": { + "fixedVersion": "4.0.8", + "foundIn": "Node.js", + "installedVersion": "3.1.10", + "packageName": "micromatch", + "references": [ + "https://access.redhat.com/security/cve/CVE-2024-4067", + "https://advisory.checkmarx.net/advisory/CVE-2024-4067", + "https://advisory.checkmarx.net/advisory/CVE-2024-4067/", + "https://devhub.checkmarx.com/cve-details/CVE-2024-4067", + "https://devhub.checkmarx.com/cve-details/CVE-2024-4067/", + "https://github.com/micromatch/micromatch", + "https://github.com/micromatch/micromatch/blob/2c56a8604b68c1099e7bc0f807ce0865a339747a/index.js#L448", + "https://github.com/micromatch/micromatch/commit/03aa8052171e878897eee5d7bb2ae0ae83ec2ade", + 
"https://github.com/micromatch/micromatch/commit/500d5d6f42f0e8dfa1cb5464c6cb420b1b6aaaa0", + "https://github.com/micromatch/micromatch/issues/243", + "https://github.com/micromatch/micromatch/pull/247", + "https://github.com/micromatch/micromatch/pull/266", + "https://github.com/micromatch/micromatch/releases/tag/4.0.8", + "https://nvd.nist.gov/vuln/detail/CVE-2024-4067", + "https://www.cve.org/CVERecord?id=CVE-2024-4067", + ], + "vulnerabilityId": "CVE-2024-4067", + }, + "category": "NPM Package Vulnerability", + "description": "The NPM package \`micromatch\` prior to 4.0.8 is vulnerable to Regular Expression Denial of Service (ReDoS). The vulnerability occurs in \`micromatch.braces()\` in \`index.js\` because the pattern \`.*\` will greedily match anything. By passing a malicious payload, the pattern matching will keep backtracking to the input while it doesn't find the closing bracket. As the input size increases, the consumption time will also increase until it causes the application to hang or slow down. There was a merged fix but further testing shows the issue persists. This issue should be mitigated by using a safe pattern that won't start backtracking the regular expression due to greedy matching. 
This issue was fixed in version 4.0.8.", + "location": "bkimminich/juice-shop:v12.10.2", + "mitigation": "Update the affected package micromatch to the fixed version: 4.0.8 or remove the package from the image.", + "name": "micromatch: vulnerable to Regular Expression Denial of Service", + "osi_layer": "NOT_APPLICABLE", + "references": [ + { + "type": "CVE", + "value": "CVE-2024-4067", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2024-4067", + }, + { + "type": "URL", + "value": "https://access.redhat.com/security/cve/CVE-2024-4067", + }, + { + "type": "URL", + "value": "https://advisory.checkmarx.net/advisory/CVE-2024-4067", + }, + { + "type": "URL", + "value": "https://advisory.checkmarx.net/advisory/CVE-2024-4067/", + }, + { + "type": "URL", + "value": "https://devhub.checkmarx.com/cve-details/CVE-2024-4067", + }, + { + "type": "URL", + "value": "https://devhub.checkmarx.com/cve-details/CVE-2024-4067/", + }, + { + "type": "URL", + "value": "https://github.com/micromatch/micromatch", + }, + { + "type": "URL", + "value": "https://github.com/micromatch/micromatch/blob/2c56a8604b68c1099e7bc0f807ce0865a339747a/index.js#L448", + }, + { + "type": "URL", + "value": "https://github.com/micromatch/micromatch/commit/03aa8052171e878897eee5d7bb2ae0ae83ec2ade", + }, + { + "type": "URL", + "value": "https://github.com/micromatch/micromatch/commit/500d5d6f42f0e8dfa1cb5464c6cb420b1b6aaaa0", + }, + { + "type": "URL", + "value": "https://github.com/micromatch/micromatch/issues/243", + }, + { + "type": "URL", + "value": "https://github.com/micromatch/micromatch/pull/247", + }, + { + "type": "URL", + "value": "https://github.com/micromatch/micromatch/pull/266", + }, + { + "type": "URL", + "value": "https://github.com/micromatch/micromatch/releases/tag/4.0.8", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2024-4067", + }, + { + "type": "URL", + "value": "https://www.cve.org/CVERecord?id=CVE-2024-4067", + }, + ], + "severity": 
"MEDIUM", + }, + { + "attributes": { + "fixedVersion": "4.0.8", + "foundIn": "Node.js", + "installedVersion": "4.0.4", + "packageName": "micromatch", + "references": [ + "https://access.redhat.com/security/cve/CVE-2024-4067", + "https://advisory.checkmarx.net/advisory/CVE-2024-4067", + "https://advisory.checkmarx.net/advisory/CVE-2024-4067/", + "https://devhub.checkmarx.com/cve-details/CVE-2024-4067", + "https://devhub.checkmarx.com/cve-details/CVE-2024-4067/", + "https://github.com/micromatch/micromatch", + "https://github.com/micromatch/micromatch/blob/2c56a8604b68c1099e7bc0f807ce0865a339747a/index.js#L448", + "https://github.com/micromatch/micromatch/commit/03aa8052171e878897eee5d7bb2ae0ae83ec2ade", + "https://github.com/micromatch/micromatch/commit/500d5d6f42f0e8dfa1cb5464c6cb420b1b6aaaa0", + "https://github.com/micromatch/micromatch/issues/243", + "https://github.com/micromatch/micromatch/pull/247", + "https://github.com/micromatch/micromatch/pull/266", + "https://github.com/micromatch/micromatch/releases/tag/4.0.8", + "https://nvd.nist.gov/vuln/detail/CVE-2024-4067", + "https://www.cve.org/CVERecord?id=CVE-2024-4067", + ], + "vulnerabilityId": "CVE-2024-4067", + }, + "category": "NPM Package Vulnerability", + "description": "The NPM package \`micromatch\` prior to 4.0.8 is vulnerable to Regular Expression Denial of Service (ReDoS). The vulnerability occurs in \`micromatch.braces()\` in \`index.js\` because the pattern \`.*\` will greedily match anything. By passing a malicious payload, the pattern matching will keep backtracking to the input while it doesn't find the closing bracket. As the input size increases, the consumption time will also increase until it causes the application to hang or slow down. There was a merged fix but further testing shows the issue persists. This issue should be mitigated by using a safe pattern that won't start backtracking the regular expression due to greedy matching. 
This issue was fixed in version 4.0.8.", + "location": "bkimminich/juice-shop:v12.10.2", + "mitigation": "Update the affected package micromatch to the fixed version: 4.0.8 or remove the package from the image.", + "name": "micromatch: vulnerable to Regular Expression Denial of Service", + "osi_layer": "NOT_APPLICABLE", + "references": [ + { + "type": "CVE", + "value": "CVE-2024-4067", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2024-4067", + }, + { + "type": "URL", + "value": "https://access.redhat.com/security/cve/CVE-2024-4067", + }, + { + "type": "URL", + "value": "https://advisory.checkmarx.net/advisory/CVE-2024-4067", + }, + { + "type": "URL", + "value": "https://advisory.checkmarx.net/advisory/CVE-2024-4067/", + }, + { + "type": "URL", + "value": "https://devhub.checkmarx.com/cve-details/CVE-2024-4067", + }, + { + "type": "URL", + "value": "https://devhub.checkmarx.com/cve-details/CVE-2024-4067/", + }, + { + "type": "URL", + "value": "https://github.com/micromatch/micromatch", + }, + { + "type": "URL", + "value": "https://github.com/micromatch/micromatch/blob/2c56a8604b68c1099e7bc0f807ce0865a339747a/index.js#L448", + }, + { + "type": "URL", + "value": "https://github.com/micromatch/micromatch/commit/03aa8052171e878897eee5d7bb2ae0ae83ec2ade", + }, + { + "type": "URL", + "value": "https://github.com/micromatch/micromatch/commit/500d5d6f42f0e8dfa1cb5464c6cb420b1b6aaaa0", + }, + { + "type": "URL", + "value": "https://github.com/micromatch/micromatch/issues/243", + }, + { + "type": "URL", + "value": "https://github.com/micromatch/micromatch/pull/247", + }, + { + "type": "URL", + "value": "https://github.com/micromatch/micromatch/pull/266", + }, + { + "type": "URL", + "value": "https://github.com/micromatch/micromatch/releases/tag/4.0.8", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2024-4067", + }, + { + "type": "URL", + "value": "https://www.cve.org/CVERecord?id=CVE-2024-4067", + }, + ], + "severity": 
"MEDIUM", + }, + { + "attributes": { + "fixedVersion": "3.0.5", + "foundIn": "Node.js", + "installedVersion": "3.0.4", + "packageName": "minimatch", + "references": [ + "https://access.redhat.com/errata/RHSA-2023:0321", + "https://access.redhat.com/security/cve/CVE-2022-3517", + "https://bugzilla.redhat.com/2066009", + "https://bugzilla.redhat.com/2130518", + "https://bugzilla.redhat.com/2134609", + "https://bugzilla.redhat.com/2140911", + "https://bugzilla.redhat.com/show_bug.cgi?id=2066009", + "https://bugzilla.redhat.com/show_bug.cgi?id=2130518", + "https://bugzilla.redhat.com/show_bug.cgi?id=2134609", + "https://bugzilla.redhat.com/show_bug.cgi?id=2140911", + "https://bugzilla.redhat.com/show_bug.cgi?id=2142808", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44906", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3517", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-35256", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-43548", + "https://errata.almalinux.org/9/ALSA-2023-0321.html", + "https://errata.rockylinux.org/RLSA-2023:0321", + "https://github.com/grafana/grafana-image-renderer/issues/329", + "https://github.com/isaacs/minimatch", + "https://github.com/isaacs/minimatch/commit/a8763f4388e51956be62dc6025cec1126beeb5e6", + "https://github.com/isaacs/minimatch/commit/a8763f4388e51956be62dc6025cec1126beeb5e6 (v3.0.5)", + "https://github.com/nodejs/node/issues/42510", + "https://linux.oracle.com/cve/CVE-2022-3517.html", + "https://linux.oracle.com/errata/ELSA-2023-1743.html", + "https://lists.debian.org/debian-lts-announce/2023/01/msg00011.html", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MTEUUTNIEBHGKUKKLNUZSV7IEP6IP3Q3/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UM6XJ73Q3NAM5KSGCOKJ2ZIA6GUWUJLK/", + 
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MTEUUTNIEBHGKUKKLNUZSV7IEP6IP3Q3", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UM6XJ73Q3NAM5KSGCOKJ2ZIA6GUWUJLK", + "https://nvd.nist.gov/vuln/detail/CVE-2022-3517", + "https://ubuntu.com/security/notices/USN-6086-1", + "https://www.cve.org/CVERecord?id=CVE-2022-3517", + ], + "vulnerabilityId": "CVE-2022-3517", + }, + "category": "NPM Package Vulnerability", + "description": "A vulnerability was found in the minimatch package. This flaw allows a Regular Expression Denial of Service (ReDoS) when calling the braceExpand function with specific arguments, resulting in a Denial of Service.", + "location": "bkimminich/juice-shop:v12.10.2", + "mitigation": "Update the affected package minimatch to the fixed version: 3.0.5 or remove the package from the image.", + "name": "nodejs-minimatch: ReDoS via the braceExpand function", + "osi_layer": "NOT_APPLICABLE", + "references": [ + { + "type": "CVE", + "value": "CVE-2022-3517", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2022-3517", + }, + { + "type": "URL", + "value": "https://access.redhat.com/errata/RHSA-2023:0321", + }, + { + "type": "URL", + "value": "https://access.redhat.com/security/cve/CVE-2022-3517", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/2066009", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/2130518", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/2134609", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/2140911", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/show_bug.cgi?id=2066009", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/show_bug.cgi?id=2130518", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/show_bug.cgi?id=2134609", + }, + { + "type": "URL", + "value": 
"https://bugzilla.redhat.com/show_bug.cgi?id=2140911", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/show_bug.cgi?id=2142808", + }, + { + "type": "URL", + "value": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44906", + }, + { + "type": "URL", + "value": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3517", + }, + { + "type": "URL", + "value": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-35256", + }, + { + "type": "URL", + "value": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-43548", + }, + { + "type": "URL", + "value": "https://errata.almalinux.org/9/ALSA-2023-0321.html", + }, + { + "type": "URL", + "value": "https://errata.rockylinux.org/RLSA-2023:0321", + }, + { + "type": "URL", + "value": "https://github.com/grafana/grafana-image-renderer/issues/329", + }, + { + "type": "URL", + "value": "https://github.com/isaacs/minimatch", + }, + { + "type": "URL", + "value": "https://github.com/isaacs/minimatch/commit/a8763f4388e51956be62dc6025cec1126beeb5e6", + }, + { + "type": "URL", + "value": "https://github.com/isaacs/minimatch/commit/a8763f4388e51956be62dc6025cec1126beeb5e6 (v3.0.5)", + }, + { + "type": "URL", + "value": "https://github.com/nodejs/node/issues/42510", + }, + { + "type": "URL", + "value": "https://linux.oracle.com/cve/CVE-2022-3517.html", + }, + { + "type": "URL", + "value": "https://linux.oracle.com/errata/ELSA-2023-1743.html", + }, + { + "type": "URL", + "value": "https://lists.debian.org/debian-lts-announce/2023/01/msg00011.html", + }, + { + "type": "URL", + "value": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MTEUUTNIEBHGKUKKLNUZSV7IEP6IP3Q3/", + }, + { + "type": "URL", + "value": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UM6XJ73Q3NAM5KSGCOKJ2ZIA6GUWUJLK/", + }, + { + "type": "URL", + "value": 
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MTEUUTNIEBHGKUKKLNUZSV7IEP6IP3Q3", + }, + { + "type": "URL", + "value": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UM6XJ73Q3NAM5KSGCOKJ2ZIA6GUWUJLK", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2022-3517", + }, + { + "type": "URL", + "value": "https://ubuntu.com/security/notices/USN-6086-1", + }, + { + "type": "URL", + "value": "https://www.cve.org/CVERecord?id=CVE-2022-3517", + }, + ], + "severity": "HIGH", + }, + { + "attributes": { + "fixedVersion": "3.0.5", + "foundIn": "Node.js", + "installedVersion": "3.0.4", + "packageName": "minimatch", + "references": [ + "https://access.redhat.com/errata/RHSA-2023:0321", + "https://access.redhat.com/security/cve/CVE-2022-3517", + "https://bugzilla.redhat.com/2066009", + "https://bugzilla.redhat.com/2130518", + "https://bugzilla.redhat.com/2134609", + "https://bugzilla.redhat.com/2140911", + "https://bugzilla.redhat.com/show_bug.cgi?id=2066009", + "https://bugzilla.redhat.com/show_bug.cgi?id=2130518", + "https://bugzilla.redhat.com/show_bug.cgi?id=2134609", + "https://bugzilla.redhat.com/show_bug.cgi?id=2140911", + "https://bugzilla.redhat.com/show_bug.cgi?id=2142808", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44906", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3517", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-35256", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-43548", + "https://errata.almalinux.org/9/ALSA-2023-0321.html", + "https://errata.rockylinux.org/RLSA-2023:0321", + "https://github.com/grafana/grafana-image-renderer/issues/329", + "https://github.com/isaacs/minimatch", + "https://github.com/isaacs/minimatch/commit/a8763f4388e51956be62dc6025cec1126beeb5e6", + "https://github.com/isaacs/minimatch/commit/a8763f4388e51956be62dc6025cec1126beeb5e6 (v3.0.5)", + 
"https://github.com/nodejs/node/issues/42510", + "https://linux.oracle.com/cve/CVE-2022-3517.html", + "https://linux.oracle.com/errata/ELSA-2023-1743.html", + "https://lists.debian.org/debian-lts-announce/2023/01/msg00011.html", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MTEUUTNIEBHGKUKKLNUZSV7IEP6IP3Q3/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UM6XJ73Q3NAM5KSGCOKJ2ZIA6GUWUJLK/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MTEUUTNIEBHGKUKKLNUZSV7IEP6IP3Q3", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UM6XJ73Q3NAM5KSGCOKJ2ZIA6GUWUJLK", + "https://nvd.nist.gov/vuln/detail/CVE-2022-3517", + "https://ubuntu.com/security/notices/USN-6086-1", + "https://www.cve.org/CVERecord?id=CVE-2022-3517", + ], + "vulnerabilityId": "CVE-2022-3517", + }, + "category": "NPM Package Vulnerability", + "description": "A vulnerability was found in the minimatch package. 
This flaw allows a Regular Expression Denial of Service (ReDoS) when calling the braceExpand function with specific arguments, resulting in a Denial of Service.", + "location": "bkimminich/juice-shop:v12.10.2", + "mitigation": "Update the affected package minimatch to the fixed version: 3.0.5 or remove the package from the image.", + "name": "nodejs-minimatch: ReDoS via the braceExpand function", + "osi_layer": "NOT_APPLICABLE", + "references": [ + { + "type": "CVE", + "value": "CVE-2022-3517", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2022-3517", + }, + { + "type": "URL", + "value": "https://access.redhat.com/errata/RHSA-2023:0321", + }, + { + "type": "URL", + "value": "https://access.redhat.com/security/cve/CVE-2022-3517", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/2066009", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/2130518", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/2134609", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/2140911", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/show_bug.cgi?id=2066009", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/show_bug.cgi?id=2130518", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/show_bug.cgi?id=2134609", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/show_bug.cgi?id=2140911", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/show_bug.cgi?id=2142808", + }, + { + "type": "URL", + "value": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44906", + }, + { + "type": "URL", + "value": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3517", + }, + { + "type": "URL", + "value": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-35256", + }, + { + "type": "URL", + "value": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-43548", + }, + { + "type": "URL", + "value": 
"https://errata.almalinux.org/9/ALSA-2023-0321.html", + }, + { + "type": "URL", + "value": "https://errata.rockylinux.org/RLSA-2023:0321", + }, + { + "type": "URL", + "value": "https://github.com/grafana/grafana-image-renderer/issues/329", + }, + { + "type": "URL", + "value": "https://github.com/isaacs/minimatch", + }, + { + "type": "URL", + "value": "https://github.com/isaacs/minimatch/commit/a8763f4388e51956be62dc6025cec1126beeb5e6", + }, + { + "type": "URL", + "value": "https://github.com/isaacs/minimatch/commit/a8763f4388e51956be62dc6025cec1126beeb5e6 (v3.0.5)", + }, + { + "type": "URL", + "value": "https://github.com/nodejs/node/issues/42510", + }, + { + "type": "URL", + "value": "https://linux.oracle.com/cve/CVE-2022-3517.html", + }, + { + "type": "URL", + "value": "https://linux.oracle.com/errata/ELSA-2023-1743.html", + }, + { + "type": "URL", + "value": "https://lists.debian.org/debian-lts-announce/2023/01/msg00011.html", + }, + { + "type": "URL", + "value": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MTEUUTNIEBHGKUKKLNUZSV7IEP6IP3Q3/", + }, + { + "type": "URL", + "value": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UM6XJ73Q3NAM5KSGCOKJ2ZIA6GUWUJLK/", + }, + { + "type": "URL", + "value": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MTEUUTNIEBHGKUKKLNUZSV7IEP6IP3Q3", + }, + { + "type": "URL", + "value": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UM6XJ73Q3NAM5KSGCOKJ2ZIA6GUWUJLK", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2022-3517", + }, + { + "type": "URL", + "value": "https://ubuntu.com/security/notices/USN-6086-1", + }, + { + "type": "URL", + "value": "https://www.cve.org/CVERecord?id=CVE-2022-3517", + }, + ], + "severity": "HIGH", + }, + { + "attributes": { + "fixedVersion": "1.2.6, 0.2.4", + "foundIn": "Node.js", 
+ "installedVersion": "0.2.1", + "packageName": "minimist", + "references": [ + "https://access.redhat.com/errata/RHSA-2023:0321", + "https://access.redhat.com/security/cve/CVE-2021-44906", + "https://bugzilla.redhat.com/2066009", + "https://bugzilla.redhat.com/2130518", + "https://bugzilla.redhat.com/2134609", + "https://bugzilla.redhat.com/2140911", + "https://bugzilla.redhat.com/show_bug.cgi?id=2066009", + "https://bugzilla.redhat.com/show_bug.cgi?id=2130518", + "https://bugzilla.redhat.com/show_bug.cgi?id=2134609", + "https://bugzilla.redhat.com/show_bug.cgi?id=2140911", + "https://bugzilla.redhat.com/show_bug.cgi?id=2142808", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44906", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3517", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-35256", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-43548", + "https://errata.almalinux.org/9/ALSA-2023-0321.html", + "https://errata.rockylinux.org/RLSA-2023:0321", + "https://github.com/Marynk/JavaScript-vulnerability-detection/blob/main/minimist%20PoC.zip", + "https://github.com/advisories/GHSA-xvch-5gv4-984h", + "https://github.com/minimistjs/minimist/commit/34e20b8461118608703d6485326abbb8e35e1703", + "https://github.com/minimistjs/minimist/commit/bc8ecee43875261f4f17eb20b1243d3ed15e70eb", + "https://github.com/minimistjs/minimist/commit/c2b981977fa834b223b408cfb860f933c9811e4d", + "https://github.com/minimistjs/minimist/commit/ef9153fc52b6cea0744b2239921c5dcae4697f11", + "https://github.com/minimistjs/minimist/commits/v0.2.4", + "https://github.com/minimistjs/minimist/issues/11", + "https://github.com/minimistjs/minimist/pull/24", + "https://github.com/substack/minimist", + "https://github.com/substack/minimist/blob/master/index.js#L69", + "https://github.com/substack/minimist/issues/164", + "https://linux.oracle.com/cve/CVE-2021-44906.html", + "https://linux.oracle.com/errata/ELSA-2023-0321.html", + 
"https://nvd.nist.gov/vuln/detail/CVE-2021-44906", + "https://security.netapp.com/advisory/ntap-20240621-0006", + "https://security.netapp.com/advisory/ntap-20240621-0006/", + "https://snyk.io/vuln/SNYK-JS-MINIMIST-559764", + "https://stackoverflow.com/questions/8588563/adding-custom-properties-to-a-function/20278068#20278068", + "https://www.cve.org/CVERecord?id=CVE-2021-44906", + ], + "vulnerabilityId": "CVE-2021-44906", + }, + "category": "NPM Package Vulnerability", + "description": "Minimist <=1.2.5 is vulnerable to Prototype Pollution via file index.js, function setKey() (lines 69-95).", + "location": "bkimminich/juice-shop:v12.10.2", + "mitigation": "Update the affected package minimist to the fixed version: 1.2.6, 0.2.4 or remove the package from the image.", + "name": "minimist: prototype pollution", + "osi_layer": "NOT_APPLICABLE", + "references": [ + { + "type": "CVE", + "value": "CVE-2021-44906", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2021-44906", + }, + { + "type": "URL", + "value": "https://access.redhat.com/errata/RHSA-2023:0321", + }, + { + "type": "URL", + "value": "https://access.redhat.com/security/cve/CVE-2021-44906", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/2066009", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/2130518", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/2134609", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/2140911", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/show_bug.cgi?id=2066009", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/show_bug.cgi?id=2130518", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/show_bug.cgi?id=2134609", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/show_bug.cgi?id=2140911", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/show_bug.cgi?id=2142808", + }, + { + "type": "URL", + "value": 
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44906", + }, + { + "type": "URL", + "value": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3517", + }, + { + "type": "URL", + "value": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-35256", + }, + { + "type": "URL", + "value": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-43548", + }, + { + "type": "URL", + "value": "https://errata.almalinux.org/9/ALSA-2023-0321.html", + }, + { + "type": "URL", + "value": "https://errata.rockylinux.org/RLSA-2023:0321", + }, + { + "type": "URL", + "value": "https://github.com/Marynk/JavaScript-vulnerability-detection/blob/main/minimist%20PoC.zip", + }, + { + "type": "URL", + "value": "https://github.com/advisories/GHSA-xvch-5gv4-984h", + }, + { + "type": "URL", + "value": "https://github.com/minimistjs/minimist/commit/34e20b8461118608703d6485326abbb8e35e1703", + }, + { + "type": "URL", + "value": "https://github.com/minimistjs/minimist/commit/bc8ecee43875261f4f17eb20b1243d3ed15e70eb", + }, + { + "type": "URL", + "value": "https://github.com/minimistjs/minimist/commit/c2b981977fa834b223b408cfb860f933c9811e4d", + }, + { + "type": "URL", + "value": "https://github.com/minimistjs/minimist/commit/ef9153fc52b6cea0744b2239921c5dcae4697f11", + }, + { + "type": "URL", + "value": "https://github.com/minimistjs/minimist/commits/v0.2.4", + }, + { + "type": "URL", + "value": "https://github.com/minimistjs/minimist/issues/11", + }, + { + "type": "URL", + "value": "https://github.com/minimistjs/minimist/pull/24", + }, + { + "type": "URL", + "value": "https://github.com/substack/minimist", + }, + { + "type": "URL", + "value": "https://github.com/substack/minimist/blob/master/index.js#L69", + }, + { + "type": "URL", + "value": "https://github.com/substack/minimist/issues/164", + }, + { + "type": "URL", + "value": "https://linux.oracle.com/cve/CVE-2021-44906.html", + }, + { + "type": "URL", + "value": "https://linux.oracle.com/errata/ELSA-2023-0321.html", + }, + 
{ + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2021-44906", + }, + { + "type": "URL", + "value": "https://security.netapp.com/advisory/ntap-20240621-0006", + }, + { + "type": "URL", + "value": "https://security.netapp.com/advisory/ntap-20240621-0006/", + }, + { + "type": "URL", + "value": "https://snyk.io/vuln/SNYK-JS-MINIMIST-559764", + }, + { + "type": "URL", + "value": "https://stackoverflow.com/questions/8588563/adding-custom-properties-to-a-function/20278068#20278068", + }, + { + "type": "URL", + "value": "https://www.cve.org/CVERecord?id=CVE-2021-44906", + }, + ], + "severity": "HIGH", + }, + { + "attributes": { + "fixedVersion": "1.2.6, 0.2.4", + "foundIn": "Node.js", + "installedVersion": "1.2.5", + "packageName": "minimist", + "references": [ + "https://access.redhat.com/errata/RHSA-2023:0321", + "https://access.redhat.com/security/cve/CVE-2021-44906", + "https://bugzilla.redhat.com/2066009", + "https://bugzilla.redhat.com/2130518", + "https://bugzilla.redhat.com/2134609", + "https://bugzilla.redhat.com/2140911", + "https://bugzilla.redhat.com/show_bug.cgi?id=2066009", + "https://bugzilla.redhat.com/show_bug.cgi?id=2130518", + "https://bugzilla.redhat.com/show_bug.cgi?id=2134609", + "https://bugzilla.redhat.com/show_bug.cgi?id=2140911", + "https://bugzilla.redhat.com/show_bug.cgi?id=2142808", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44906", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3517", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-35256", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-43548", + "https://errata.almalinux.org/9/ALSA-2023-0321.html", + "https://errata.rockylinux.org/RLSA-2023:0321", + "https://github.com/Marynk/JavaScript-vulnerability-detection/blob/main/minimist%20PoC.zip", + "https://github.com/advisories/GHSA-xvch-5gv4-984h", + "https://github.com/minimistjs/minimist/commit/34e20b8461118608703d6485326abbb8e35e1703", + 
"https://github.com/minimistjs/minimist/commit/bc8ecee43875261f4f17eb20b1243d3ed15e70eb", + "https://github.com/minimistjs/minimist/commit/c2b981977fa834b223b408cfb860f933c9811e4d", + "https://github.com/minimistjs/minimist/commit/ef9153fc52b6cea0744b2239921c5dcae4697f11", + "https://github.com/minimistjs/minimist/commits/v0.2.4", + "https://github.com/minimistjs/minimist/issues/11", + "https://github.com/minimistjs/minimist/pull/24", + "https://github.com/substack/minimist", + "https://github.com/substack/minimist/blob/master/index.js#L69", + "https://github.com/substack/minimist/issues/164", + "https://linux.oracle.com/cve/CVE-2021-44906.html", + "https://linux.oracle.com/errata/ELSA-2023-0321.html", + "https://nvd.nist.gov/vuln/detail/CVE-2021-44906", + "https://security.netapp.com/advisory/ntap-20240621-0006", + "https://security.netapp.com/advisory/ntap-20240621-0006/", + "https://snyk.io/vuln/SNYK-JS-MINIMIST-559764", + "https://stackoverflow.com/questions/8588563/adding-custom-properties-to-a-function/20278068#20278068", + "https://www.cve.org/CVERecord?id=CVE-2021-44906", + ], + "vulnerabilityId": "CVE-2021-44906", + }, + "category": "NPM Package Vulnerability", + "description": "Minimist <=1.2.5 is vulnerable to Prototype Pollution via file index.js, function setKey() (lines 69-95).", + "location": "bkimminich/juice-shop:v12.10.2", + "mitigation": "Update the affected package minimist to the fixed version: 1.2.6, 0.2.4 or remove the package from the image.", + "name": "minimist: prototype pollution", + "osi_layer": "NOT_APPLICABLE", + "references": [ + { + "type": "CVE", + "value": "CVE-2021-44906", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2021-44906", + }, + { + "type": "URL", + "value": "https://access.redhat.com/errata/RHSA-2023:0321", + }, + { + "type": "URL", + "value": "https://access.redhat.com/security/cve/CVE-2021-44906", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/2066009", + }, + { + 
"type": "URL", + "value": "https://bugzilla.redhat.com/2130518", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/2134609", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/2140911", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/show_bug.cgi?id=2066009", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/show_bug.cgi?id=2130518", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/show_bug.cgi?id=2134609", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/show_bug.cgi?id=2140911", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/show_bug.cgi?id=2142808", + }, + { + "type": "URL", + "value": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44906", + }, + { + "type": "URL", + "value": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3517", + }, + { + "type": "URL", + "value": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-35256", + }, + { + "type": "URL", + "value": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-43548", + }, + { + "type": "URL", + "value": "https://errata.almalinux.org/9/ALSA-2023-0321.html", + }, + { + "type": "URL", + "value": "https://errata.rockylinux.org/RLSA-2023:0321", + }, + { + "type": "URL", + "value": "https://github.com/Marynk/JavaScript-vulnerability-detection/blob/main/minimist%20PoC.zip", + }, + { + "type": "URL", + "value": "https://github.com/advisories/GHSA-xvch-5gv4-984h", + }, + { + "type": "URL", + "value": "https://github.com/minimistjs/minimist/commit/34e20b8461118608703d6485326abbb8e35e1703", + }, + { + "type": "URL", + "value": "https://github.com/minimistjs/minimist/commit/bc8ecee43875261f4f17eb20b1243d3ed15e70eb", + }, + { + "type": "URL", + "value": "https://github.com/minimistjs/minimist/commit/c2b981977fa834b223b408cfb860f933c9811e4d", + }, + { + "type": "URL", + "value": "https://github.com/minimistjs/minimist/commit/ef9153fc52b6cea0744b2239921c5dcae4697f11", + }, + { + 
"type": "URL", + "value": "https://github.com/minimistjs/minimist/commits/v0.2.4", + }, + { + "type": "URL", + "value": "https://github.com/minimistjs/minimist/issues/11", + }, + { + "type": "URL", + "value": "https://github.com/minimistjs/minimist/pull/24", + }, + { + "type": "URL", + "value": "https://github.com/substack/minimist", + }, + { + "type": "URL", + "value": "https://github.com/substack/minimist/blob/master/index.js#L69", + }, + { + "type": "URL", + "value": "https://github.com/substack/minimist/issues/164", + }, + { + "type": "URL", + "value": "https://linux.oracle.com/cve/CVE-2021-44906.html", + }, + { + "type": "URL", + "value": "https://linux.oracle.com/errata/ELSA-2023-0321.html", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2021-44906", + }, + { + "type": "URL", + "value": "https://security.netapp.com/advisory/ntap-20240621-0006", + }, + { + "type": "URL", + "value": "https://security.netapp.com/advisory/ntap-20240621-0006/", + }, + { + "type": "URL", + "value": "https://snyk.io/vuln/SNYK-JS-MINIMIST-559764", + }, + { + "type": "URL", + "value": "https://stackoverflow.com/questions/8588563/adding-custom-properties-to-a-function/20278068#20278068", + }, + { + "type": "URL", + "value": "https://www.cve.org/CVERecord?id=CVE-2021-44906", + }, + ], + "severity": "HIGH", + }, + { + "attributes": { + "fixedVersion": "1.2.6, 0.2.4", + "foundIn": "Node.js", + "installedVersion": "1.2.5", + "packageName": "minimist", + "references": [ + "https://access.redhat.com/errata/RHSA-2023:0321", + "https://access.redhat.com/security/cve/CVE-2021-44906", + "https://bugzilla.redhat.com/2066009", + "https://bugzilla.redhat.com/2130518", + "https://bugzilla.redhat.com/2134609", + "https://bugzilla.redhat.com/2140911", + "https://bugzilla.redhat.com/show_bug.cgi?id=2066009", + "https://bugzilla.redhat.com/show_bug.cgi?id=2130518", + "https://bugzilla.redhat.com/show_bug.cgi?id=2134609", + 
"https://bugzilla.redhat.com/show_bug.cgi?id=2140911", + "https://bugzilla.redhat.com/show_bug.cgi?id=2142808", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44906", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3517", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-35256", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-43548", + "https://errata.almalinux.org/9/ALSA-2023-0321.html", + "https://errata.rockylinux.org/RLSA-2023:0321", + "https://github.com/Marynk/JavaScript-vulnerability-detection/blob/main/minimist%20PoC.zip", + "https://github.com/advisories/GHSA-xvch-5gv4-984h", + "https://github.com/minimistjs/minimist/commit/34e20b8461118608703d6485326abbb8e35e1703", + "https://github.com/minimistjs/minimist/commit/bc8ecee43875261f4f17eb20b1243d3ed15e70eb", + "https://github.com/minimistjs/minimist/commit/c2b981977fa834b223b408cfb860f933c9811e4d", + "https://github.com/minimistjs/minimist/commit/ef9153fc52b6cea0744b2239921c5dcae4697f11", + "https://github.com/minimistjs/minimist/commits/v0.2.4", + "https://github.com/minimistjs/minimist/issues/11", + "https://github.com/minimistjs/minimist/pull/24", + "https://github.com/substack/minimist", + "https://github.com/substack/minimist/blob/master/index.js#L69", + "https://github.com/substack/minimist/issues/164", + "https://linux.oracle.com/cve/CVE-2021-44906.html", + "https://linux.oracle.com/errata/ELSA-2023-0321.html", + "https://nvd.nist.gov/vuln/detail/CVE-2021-44906", + "https://security.netapp.com/advisory/ntap-20240621-0006", + "https://security.netapp.com/advisory/ntap-20240621-0006/", + "https://snyk.io/vuln/SNYK-JS-MINIMIST-559764", + "https://stackoverflow.com/questions/8588563/adding-custom-properties-to-a-function/20278068#20278068", + "https://www.cve.org/CVERecord?id=CVE-2021-44906", + ], + "vulnerabilityId": "CVE-2021-44906", + }, + "category": "NPM Package Vulnerability", + "description": "Minimist <=1.2.5 is vulnerable to Prototype Pollution via file 
index.js, function setKey() (lines 69-95).", + "location": "bkimminich/juice-shop:v12.10.2", + "mitigation": "Update the affected package minimist to the fixed version: 1.2.6, 0.2.4 or remove the package from the image.", + "name": "minimist: prototype pollution", + "osi_layer": "NOT_APPLICABLE", + "references": [ + { + "type": "CVE", + "value": "CVE-2021-44906", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2021-44906", + }, + { + "type": "URL", + "value": "https://access.redhat.com/errata/RHSA-2023:0321", + }, + { + "type": "URL", + "value": "https://access.redhat.com/security/cve/CVE-2021-44906", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/2066009", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/2130518", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/2134609", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/2140911", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/show_bug.cgi?id=2066009", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/show_bug.cgi?id=2130518", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/show_bug.cgi?id=2134609", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/show_bug.cgi?id=2140911", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/show_bug.cgi?id=2142808", + }, + { + "type": "URL", + "value": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44906", + }, + { + "type": "URL", + "value": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3517", + }, + { + "type": "URL", + "value": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-35256", + }, + { + "type": "URL", + "value": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-43548", + }, + { + "type": "URL", + "value": "https://errata.almalinux.org/9/ALSA-2023-0321.html", + }, + { + "type": "URL", + "value": "https://errata.rockylinux.org/RLSA-2023:0321", + }, + { + 
"type": "URL", + "value": "https://github.com/Marynk/JavaScript-vulnerability-detection/blob/main/minimist%20PoC.zip", + }, + { + "type": "URL", + "value": "https://github.com/advisories/GHSA-xvch-5gv4-984h", + }, + { + "type": "URL", + "value": "https://github.com/minimistjs/minimist/commit/34e20b8461118608703d6485326abbb8e35e1703", + }, + { + "type": "URL", + "value": "https://github.com/minimistjs/minimist/commit/bc8ecee43875261f4f17eb20b1243d3ed15e70eb", + }, + { + "type": "URL", + "value": "https://github.com/minimistjs/minimist/commit/c2b981977fa834b223b408cfb860f933c9811e4d", + }, + { + "type": "URL", + "value": "https://github.com/minimistjs/minimist/commit/ef9153fc52b6cea0744b2239921c5dcae4697f11", + }, + { + "type": "URL", + "value": "https://github.com/minimistjs/minimist/commits/v0.2.4", + }, + { + "type": "URL", + "value": "https://github.com/minimistjs/minimist/issues/11", + }, + { + "type": "URL", + "value": "https://github.com/minimistjs/minimist/pull/24", + }, + { + "type": "URL", + "value": "https://github.com/substack/minimist", + }, + { + "type": "URL", + "value": "https://github.com/substack/minimist/blob/master/index.js#L69", + }, + { + "type": "URL", + "value": "https://github.com/substack/minimist/issues/164", + }, + { + "type": "URL", + "value": "https://linux.oracle.com/cve/CVE-2021-44906.html", + }, + { + "type": "URL", + "value": "https://linux.oracle.com/errata/ELSA-2023-0321.html", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2021-44906", + }, + { + "type": "URL", + "value": "https://security.netapp.com/advisory/ntap-20240621-0006", + }, + { + "type": "URL", + "value": "https://security.netapp.com/advisory/ntap-20240621-0006/", + }, + { + "type": "URL", + "value": "https://snyk.io/vuln/SNYK-JS-MINIMIST-559764", + }, + { + "type": "URL", + "value": "https://stackoverflow.com/questions/8588563/adding-custom-properties-to-a-function/20278068#20278068", + }, + { + "type": "URL", + "value": 
"https://www.cve.org/CVERecord?id=CVE-2021-44906", + }, + ], + "severity": "HIGH", + }, + { + "attributes": { + "fixedVersion": "1.2.6, 0.2.4", + "foundIn": "Node.js", + "installedVersion": "1.2.5", + "packageName": "minimist", + "references": [ + "https://access.redhat.com/errata/RHSA-2023:0321", + "https://access.redhat.com/security/cve/CVE-2021-44906", + "https://bugzilla.redhat.com/2066009", + "https://bugzilla.redhat.com/2130518", + "https://bugzilla.redhat.com/2134609", + "https://bugzilla.redhat.com/2140911", + "https://bugzilla.redhat.com/show_bug.cgi?id=2066009", + "https://bugzilla.redhat.com/show_bug.cgi?id=2130518", + "https://bugzilla.redhat.com/show_bug.cgi?id=2134609", + "https://bugzilla.redhat.com/show_bug.cgi?id=2140911", + "https://bugzilla.redhat.com/show_bug.cgi?id=2142808", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44906", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3517", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-35256", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-43548", + "https://errata.almalinux.org/9/ALSA-2023-0321.html", + "https://errata.rockylinux.org/RLSA-2023:0321", + "https://github.com/Marynk/JavaScript-vulnerability-detection/blob/main/minimist%20PoC.zip", + "https://github.com/advisories/GHSA-xvch-5gv4-984h", + "https://github.com/minimistjs/minimist/commit/34e20b8461118608703d6485326abbb8e35e1703", + "https://github.com/minimistjs/minimist/commit/bc8ecee43875261f4f17eb20b1243d3ed15e70eb", + "https://github.com/minimistjs/minimist/commit/c2b981977fa834b223b408cfb860f933c9811e4d", + "https://github.com/minimistjs/minimist/commit/ef9153fc52b6cea0744b2239921c5dcae4697f11", + "https://github.com/minimistjs/minimist/commits/v0.2.4", + "https://github.com/minimistjs/minimist/issues/11", + "https://github.com/minimistjs/minimist/pull/24", + "https://github.com/substack/minimist", + "https://github.com/substack/minimist/blob/master/index.js#L69", + 
"https://github.com/substack/minimist/issues/164", + "https://linux.oracle.com/cve/CVE-2021-44906.html", + "https://linux.oracle.com/errata/ELSA-2023-0321.html", + "https://nvd.nist.gov/vuln/detail/CVE-2021-44906", + "https://security.netapp.com/advisory/ntap-20240621-0006", + "https://security.netapp.com/advisory/ntap-20240621-0006/", + "https://snyk.io/vuln/SNYK-JS-MINIMIST-559764", + "https://stackoverflow.com/questions/8588563/adding-custom-properties-to-a-function/20278068#20278068", + "https://www.cve.org/CVERecord?id=CVE-2021-44906", + ], + "vulnerabilityId": "CVE-2021-44906", + }, + "category": "NPM Package Vulnerability", + "description": "Minimist <=1.2.5 is vulnerable to Prototype Pollution via file index.js, function setKey() (lines 69-95).", + "location": "bkimminich/juice-shop:v12.10.2", + "mitigation": "Update the affected package minimist to the fixed version: 1.2.6, 0.2.4 or remove the package from the image.", + "name": "minimist: prototype pollution", + "osi_layer": "NOT_APPLICABLE", + "references": [ + { + "type": "CVE", + "value": "CVE-2021-44906", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2021-44906", + }, + { + "type": "URL", + "value": "https://access.redhat.com/errata/RHSA-2023:0321", + }, + { + "type": "URL", + "value": "https://access.redhat.com/security/cve/CVE-2021-44906", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/2066009", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/2130518", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/2134609", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/2140911", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/show_bug.cgi?id=2066009", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/show_bug.cgi?id=2130518", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/show_bug.cgi?id=2134609", + }, + { + "type": "URL", + "value": 
"https://bugzilla.redhat.com/show_bug.cgi?id=2140911", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/show_bug.cgi?id=2142808", + }, + { + "type": "URL", + "value": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44906", + }, + { + "type": "URL", + "value": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3517", + }, + { + "type": "URL", + "value": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-35256", + }, + { + "type": "URL", + "value": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-43548", + }, + { + "type": "URL", + "value": "https://errata.almalinux.org/9/ALSA-2023-0321.html", + }, + { + "type": "URL", + "value": "https://errata.rockylinux.org/RLSA-2023:0321", + }, + { + "type": "URL", + "value": "https://github.com/Marynk/JavaScript-vulnerability-detection/blob/main/minimist%20PoC.zip", + }, + { + "type": "URL", + "value": "https://github.com/advisories/GHSA-xvch-5gv4-984h", + }, + { + "type": "URL", + "value": "https://github.com/minimistjs/minimist/commit/34e20b8461118608703d6485326abbb8e35e1703", + }, + { + "type": "URL", + "value": "https://github.com/minimistjs/minimist/commit/bc8ecee43875261f4f17eb20b1243d3ed15e70eb", + }, + { + "type": "URL", + "value": "https://github.com/minimistjs/minimist/commit/c2b981977fa834b223b408cfb860f933c9811e4d", + }, + { + "type": "URL", + "value": "https://github.com/minimistjs/minimist/commit/ef9153fc52b6cea0744b2239921c5dcae4697f11", + }, + { + "type": "URL", + "value": "https://github.com/minimistjs/minimist/commits/v0.2.4", + }, + { + "type": "URL", + "value": "https://github.com/minimistjs/minimist/issues/11", + }, + { + "type": "URL", + "value": "https://github.com/minimistjs/minimist/pull/24", + }, + { + "type": "URL", + "value": "https://github.com/substack/minimist", + }, + { + "type": "URL", + "value": "https://github.com/substack/minimist/blob/master/index.js#L69", + }, + { + "type": "URL", + "value": "https://github.com/substack/minimist/issues/164", + }, 
+ { + "type": "URL", + "value": "https://linux.oracle.com/cve/CVE-2021-44906.html", + }, + { + "type": "URL", + "value": "https://linux.oracle.com/errata/ELSA-2023-0321.html", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2021-44906", + }, + { + "type": "URL", + "value": "https://security.netapp.com/advisory/ntap-20240621-0006", + }, + { + "type": "URL", + "value": "https://security.netapp.com/advisory/ntap-20240621-0006/", + }, + { + "type": "URL", + "value": "https://snyk.io/vuln/SNYK-JS-MINIMIST-559764", + }, + { + "type": "URL", + "value": "https://stackoverflow.com/questions/8588563/adding-custom-properties-to-a-function/20278068#20278068", + }, + { + "type": "URL", + "value": "https://www.cve.org/CVERecord?id=CVE-2021-44906", + }, + ], + "severity": "HIGH", + }, + { + "attributes": { + "fixedVersion": "2.19.3", + "foundIn": "Node.js", + "installedVersion": "2.0.0", + "packageName": "moment", + "references": [ + "https://access.redhat.com/security/cve/CVE-2017-18214", + "https://github.com/advisories/GHSA-446m-mv8f-q348", + "https://github.com/moment/moment", + "https://github.com/moment/moment/commit/69ed9d44957fa6ab12b73d2ae29d286a857b80eb", + "https://github.com/moment/moment/issues/4163", + "https://github.com/moment/moment/pull/4326", + "https://nodesecurity.io/advisories/532", + "https://nvd.nist.gov/vuln/detail/CVE-2017-18214", + "https://www.cve.org/CVERecord?id=CVE-2017-18214", + "https://www.npmjs.com/advisories/532", + "https://www.tenable.com/security/tns-2019-02", + ], + "vulnerabilityId": "CVE-2017-18214", + }, + "category": "NPM Package Vulnerability", + "description": "The moment module before 2.19.3 for Node.js is prone to a regular expression denial of service via a crafted date string, a different vulnerability than CVE-2016-4055.", + "location": "bkimminich/juice-shop:v12.10.2", + "mitigation": "Update the affected package moment to the fixed version: 2.19.3 or remove the package from the image.", + "name": 
"nodejs-moment: Regular expression denial of service", + "osi_layer": "NOT_APPLICABLE", + "references": [ + { + "type": "CVE", + "value": "CVE-2017-18214", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2017-18214", + }, + { + "type": "URL", + "value": "https://access.redhat.com/security/cve/CVE-2017-18214", + }, + { + "type": "URL", + "value": "https://github.com/advisories/GHSA-446m-mv8f-q348", + }, + { + "type": "URL", + "value": "https://github.com/moment/moment", + }, + { + "type": "URL", + "value": "https://github.com/moment/moment/commit/69ed9d44957fa6ab12b73d2ae29d286a857b80eb", + }, + { + "type": "URL", + "value": "https://github.com/moment/moment/issues/4163", + }, + { + "type": "URL", + "value": "https://github.com/moment/moment/pull/4326", + }, + { + "type": "URL", + "value": "https://nodesecurity.io/advisories/532", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2017-18214", + }, + { + "type": "URL", + "value": "https://www.cve.org/CVERecord?id=CVE-2017-18214", + }, + { + "type": "URL", + "value": "https://www.npmjs.com/advisories/532", + }, + { + "type": "URL", + "value": "https://www.tenable.com/security/tns-2019-02", + }, + ], + "severity": "HIGH", + }, + { + "attributes": { + "fixedVersion": "2.29.2", + "foundIn": "Node.js", + "installedVersion": "2.0.0", + "packageName": "moment", + "references": [ + "https://access.redhat.com/security/cve/CVE-2022-24785", + "https://github.com/moment/moment", + "https://github.com/moment/moment/commit/4211bfc8f15746be4019bba557e29a7ba83d54c5", + "https://github.com/moment/moment/security/advisories/GHSA-8hfj-j24r-96c4", + "https://lists.debian.org/debian-lts-announce/2023/01/msg00035.html", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6QIO6YNLTK2T7SPKDS4JEL45FANLNC2Q/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ORJX2LF6KMPIHP6B2P6KZIVKMLE3LVJ5/", 
+ "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6QIO6YNLTK2T7SPKDS4JEL45FANLNC2Q", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ORJX2LF6KMPIHP6B2P6KZIVKMLE3LVJ5", + "https://nvd.nist.gov/vuln/detail/CVE-2022-24785", + "https://security.netapp.com/advisory/ntap-20220513-0006", + "https://security.netapp.com/advisory/ntap-20220513-0006/", + "https://ubuntu.com/security/notices/USN-5559-1", + "https://www.cve.org/CVERecord?id=CVE-2022-24785", + "https://www.tenable.com/security/tns-2022-09", + ], + "vulnerabilityId": "CVE-2022-24785", + }, + "category": "NPM Package Vulnerability", + "description": "Moment.js is a JavaScript date library for parsing, validating, manipulating, and formatting dates. A path traversal vulnerability impacts npm (server) users of Moment.js between versions 1.0.1 and 2.29.1, especially if a user-provided locale string is directly used to switch moment locale. This problem is patched in 2.29.2, and the patch can be applied to all affected versions. 
As a workaround, sanitize the user-provided locale name before passing it to Moment.js.", + "location": "bkimminich/juice-shop:v12.10.2", + "mitigation": "Update the affected package moment to the fixed version: 2.29.2 or remove the package from the image.", + "name": "Moment.js: Path traversal in moment.locale", + "osi_layer": "NOT_APPLICABLE", + "references": [ + { + "type": "CVE", + "value": "CVE-2022-24785", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2022-24785", + }, + { + "type": "URL", + "value": "https://access.redhat.com/security/cve/CVE-2022-24785", + }, + { + "type": "URL", + "value": "https://github.com/moment/moment", + }, + { + "type": "URL", + "value": "https://github.com/moment/moment/commit/4211bfc8f15746be4019bba557e29a7ba83d54c5", + }, + { + "type": "URL", + "value": "https://github.com/moment/moment/security/advisories/GHSA-8hfj-j24r-96c4", + }, + { + "type": "URL", + "value": "https://lists.debian.org/debian-lts-announce/2023/01/msg00035.html", + }, + { + "type": "URL", + "value": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6QIO6YNLTK2T7SPKDS4JEL45FANLNC2Q/", + }, + { + "type": "URL", + "value": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ORJX2LF6KMPIHP6B2P6KZIVKMLE3LVJ5/", + }, + { + "type": "URL", + "value": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6QIO6YNLTK2T7SPKDS4JEL45FANLNC2Q", + }, + { + "type": "URL", + "value": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ORJX2LF6KMPIHP6B2P6KZIVKMLE3LVJ5", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2022-24785", + }, + { + "type": "URL", + "value": "https://security.netapp.com/advisory/ntap-20220513-0006", + }, + { + "type": "URL", + "value": "https://security.netapp.com/advisory/ntap-20220513-0006/", + }, + { + "type": "URL", + 
"value": "https://ubuntu.com/security/notices/USN-5559-1", + }, + { + "type": "URL", + "value": "https://www.cve.org/CVERecord?id=CVE-2022-24785", + }, + { + "type": "URL", + "value": "https://www.tenable.com/security/tns-2022-09", + }, + ], + "severity": "HIGH", + }, + { + "attributes": { + "fixedVersion": ">=2.11.2", + "foundIn": "Node.js", + "installedVersion": "2.0.0", + "packageName": "moment", + "references": [ + "http://www.openwall.com/lists/oss-security/2016/04/20/11", + "http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html", + "http://www.securityfocus.com/bid/95849", + "https://access.redhat.com/security/cve/CVE-2016-4055", + "https://github.com/advisories/GHSA-87vv-r9j6-g5qv", + "https://github.com/moment/moment", + "https://lists.apache.org/thread.html/10f0f3aefd51444d1198c65f44ffdf2d78ca3359423dbc1c168c9731%40%3Cdev.flink.apache.org%3E", + "https://lists.apache.org/thread.html/10f0f3aefd51444d1198c65f44ffdf2d78ca3359423dbc1c168c9731@%3Cdev.flink.apache.org%3E", + "https://lists.apache.org/thread.html/17ff53f7999e74fbe3cc0ceb4e1c3b00b180b7c5afec8e978837bc49%40%3Cuser.flink.apache.org%3E", + "https://lists.apache.org/thread.html/17ff53f7999e74fbe3cc0ceb4e1c3b00b180b7c5afec8e978837bc49@%3Cuser.flink.apache.org%3E", + "https://lists.apache.org/thread.html/52bafac05ad174000ea465fe275fd3cc7bd5c25535a7631c0bc9bfb2%40%3Cuser.flink.apache.org%3E", + "https://lists.apache.org/thread.html/52bafac05ad174000ea465fe275fd3cc7bd5c25535a7631c0bc9bfb2@%3Cuser.flink.apache.org%3E", + "https://lists.apache.org/thread.html/54df3aeb4239b64b50b356f0ca6f986e3c4ca5b84c515dce077c7854%40%3Cuser.flink.apache.org%3E", + "https://lists.apache.org/thread.html/54df3aeb4239b64b50b356f0ca6f986e3c4ca5b84c515dce077c7854@%3Cuser.flink.apache.org%3E", + "https://nodesecurity.io/advisories/55", + "https://nvd.nist.gov/vuln/detail/CVE-2016-4055", + "https://www.cve.org/CVERecord?id=CVE-2016-4055", + "https://www.npmjs.com/advisories/55", + 
"https://www.owasp.org/index.php/Regular_expression_Denial_of_Service_-_ReDoS", + "https://www.tenable.com/security/tns-2019-02", + ], + "vulnerabilityId": "CVE-2016-4055", + }, + "category": "NPM Package Vulnerability", + "description": "The duration function in the moment package before 2.11.2 for Node.js allows remote attackers to cause a denial of service (CPU consumption) via a long string, aka a "regular expression Denial of Service (ReDoS)."", + "location": "bkimminich/juice-shop:v12.10.2", + "mitigation": "Update the affected package moment to the fixed version: >=2.11.2 or remove the package from the image.", + "name": "moment.js: regular expression denial of service", + "osi_layer": "NOT_APPLICABLE", + "references": [ + { + "type": "CVE", + "value": "CVE-2016-4055", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2016-4055", + }, + { + "type": "URL", + "value": "http://www.openwall.com/lists/oss-security/2016/04/20/11", + }, + { + "type": "URL", + "value": "http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html", + }, + { + "type": "URL", + "value": "http://www.securityfocus.com/bid/95849", + }, + { + "type": "URL", + "value": "https://access.redhat.com/security/cve/CVE-2016-4055", + }, + { + "type": "URL", + "value": "https://github.com/advisories/GHSA-87vv-r9j6-g5qv", + }, + { + "type": "URL", + "value": "https://github.com/moment/moment", + }, + { + "type": "URL", + "value": "https://lists.apache.org/thread.html/10f0f3aefd51444d1198c65f44ffdf2d78ca3359423dbc1c168c9731%40%3Cdev.flink.apache.org%3E", + }, + { + "type": "URL", + "value": "https://lists.apache.org/thread.html/10f0f3aefd51444d1198c65f44ffdf2d78ca3359423dbc1c168c9731@%3Cdev.flink.apache.org%3E", + }, + { + "type": "URL", + "value": "https://lists.apache.org/thread.html/17ff53f7999e74fbe3cc0ceb4e1c3b00b180b7c5afec8e978837bc49%40%3Cuser.flink.apache.org%3E", + }, + { + "type": "URL", + "value": 
"https://lists.apache.org/thread.html/17ff53f7999e74fbe3cc0ceb4e1c3b00b180b7c5afec8e978837bc49@%3Cuser.flink.apache.org%3E", + }, + { + "type": "URL", + "value": "https://lists.apache.org/thread.html/52bafac05ad174000ea465fe275fd3cc7bd5c25535a7631c0bc9bfb2%40%3Cuser.flink.apache.org%3E", + }, + { + "type": "URL", + "value": "https://lists.apache.org/thread.html/52bafac05ad174000ea465fe275fd3cc7bd5c25535a7631c0bc9bfb2@%3Cuser.flink.apache.org%3E", + }, + { + "type": "URL", + "value": "https://lists.apache.org/thread.html/54df3aeb4239b64b50b356f0ca6f986e3c4ca5b84c515dce077c7854%40%3Cuser.flink.apache.org%3E", + }, + { + "type": "URL", + "value": "https://lists.apache.org/thread.html/54df3aeb4239b64b50b356f0ca6f986e3c4ca5b84c515dce077c7854@%3Cuser.flink.apache.org%3E", + }, + { + "type": "URL", + "value": "https://nodesecurity.io/advisories/55", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2016-4055", + }, + { + "type": "URL", + "value": "https://www.cve.org/CVERecord?id=CVE-2016-4055", + }, + { + "type": "URL", + "value": "https://www.npmjs.com/advisories/55", + }, + { + "type": "URL", + "value": "https://www.owasp.org/index.php/Regular_expression_Denial_of_Service_-_ReDoS", + }, + { + "type": "URL", + "value": "https://www.tenable.com/security/tns-2019-02", + }, + ], + "severity": "MEDIUM", + }, + { + "attributes": { + "fixedVersion": "2.29.2", + "foundIn": "Node.js", + "installedVersion": "2.29.1", + "packageName": "moment", + "references": [ + "https://access.redhat.com/security/cve/CVE-2022-24785", + "https://github.com/moment/moment", + "https://github.com/moment/moment/commit/4211bfc8f15746be4019bba557e29a7ba83d54c5", + "https://github.com/moment/moment/security/advisories/GHSA-8hfj-j24r-96c4", + "https://lists.debian.org/debian-lts-announce/2023/01/msg00035.html", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6QIO6YNLTK2T7SPKDS4JEL45FANLNC2Q/", + 
"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ORJX2LF6KMPIHP6B2P6KZIVKMLE3LVJ5/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6QIO6YNLTK2T7SPKDS4JEL45FANLNC2Q", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ORJX2LF6KMPIHP6B2P6KZIVKMLE3LVJ5", + "https://nvd.nist.gov/vuln/detail/CVE-2022-24785", + "https://security.netapp.com/advisory/ntap-20220513-0006", + "https://security.netapp.com/advisory/ntap-20220513-0006/", + "https://ubuntu.com/security/notices/USN-5559-1", + "https://www.cve.org/CVERecord?id=CVE-2022-24785", + "https://www.tenable.com/security/tns-2022-09", + ], + "vulnerabilityId": "CVE-2022-24785", + }, + "category": "NPM Package Vulnerability", + "description": "Moment.js is a JavaScript date library for parsing, validating, manipulating, and formatting dates. A path traversal vulnerability impacts npm (server) users of Moment.js between versions 1.0.1 and 2.29.1, especially if a user-provided locale string is directly used to switch moment locale. This problem is patched in 2.29.2, and the patch can be applied to all affected versions. 
As a workaround, sanitize the user-provided locale name before passing it to Moment.js.", + "location": "bkimminich/juice-shop:v12.10.2", + "mitigation": "Update the affected package moment to the fixed version: 2.29.2 or remove the package from the image.", + "name": "Moment.js: Path traversal in moment.locale", + "osi_layer": "NOT_APPLICABLE", + "references": [ + { + "type": "CVE", + "value": "CVE-2022-24785", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2022-24785", + }, + { + "type": "URL", + "value": "https://access.redhat.com/security/cve/CVE-2022-24785", + }, + { + "type": "URL", + "value": "https://github.com/moment/moment", + }, + { + "type": "URL", + "value": "https://github.com/moment/moment/commit/4211bfc8f15746be4019bba557e29a7ba83d54c5", + }, + { + "type": "URL", + "value": "https://github.com/moment/moment/security/advisories/GHSA-8hfj-j24r-96c4", + }, + { + "type": "URL", + "value": "https://lists.debian.org/debian-lts-announce/2023/01/msg00035.html", + }, + { + "type": "URL", + "value": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6QIO6YNLTK2T7SPKDS4JEL45FANLNC2Q/", + }, + { + "type": "URL", + "value": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ORJX2LF6KMPIHP6B2P6KZIVKMLE3LVJ5/", + }, + { + "type": "URL", + "value": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6QIO6YNLTK2T7SPKDS4JEL45FANLNC2Q", + }, + { + "type": "URL", + "value": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ORJX2LF6KMPIHP6B2P6KZIVKMLE3LVJ5", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2022-24785", + }, + { + "type": "URL", + "value": "https://security.netapp.com/advisory/ntap-20220513-0006", + }, + { + "type": "URL", + "value": "https://security.netapp.com/advisory/ntap-20220513-0006/", + }, + { + "type": "URL", + 
"value": "https://ubuntu.com/security/notices/USN-5559-1", + }, + { + "type": "URL", + "value": "https://www.cve.org/CVERecord?id=CVE-2022-24785", + }, + { + "type": "URL", + "value": "https://www.tenable.com/security/tns-2022-09", + }, + ], + "severity": "HIGH", + }, + { + "attributes": { + "fixedVersion": "2.29.2", + "foundIn": "Node.js", + "installedVersion": "2.29.1", + "packageName": "moment", + "references": [ + "https://access.redhat.com/security/cve/CVE-2022-24785", + "https://github.com/moment/moment", + "https://github.com/moment/moment/commit/4211bfc8f15746be4019bba557e29a7ba83d54c5", + "https://github.com/moment/moment/security/advisories/GHSA-8hfj-j24r-96c4", + "https://lists.debian.org/debian-lts-announce/2023/01/msg00035.html", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6QIO6YNLTK2T7SPKDS4JEL45FANLNC2Q/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ORJX2LF6KMPIHP6B2P6KZIVKMLE3LVJ5/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6QIO6YNLTK2T7SPKDS4JEL45FANLNC2Q", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ORJX2LF6KMPIHP6B2P6KZIVKMLE3LVJ5", + "https://nvd.nist.gov/vuln/detail/CVE-2022-24785", + "https://security.netapp.com/advisory/ntap-20220513-0006", + "https://security.netapp.com/advisory/ntap-20220513-0006/", + "https://ubuntu.com/security/notices/USN-5559-1", + "https://www.cve.org/CVERecord?id=CVE-2022-24785", + "https://www.tenable.com/security/tns-2022-09", + ], + "vulnerabilityId": "CVE-2022-24785", + }, + "category": "NPM Package Vulnerability", + "description": "Moment.js is a JavaScript date library for parsing, validating, manipulating, and formatting dates. 
A path traversal vulnerability impacts npm (server) users of Moment.js between versions 1.0.1 and 2.29.1, especially if a user-provided locale string is directly used to switch moment locale. This problem is patched in 2.29.2, and the patch can be applied to all affected versions. As a workaround, sanitize the user-provided locale name before passing it to Moment.js.", + "location": "bkimminich/juice-shop:v12.10.2", + "mitigation": "Update the affected package moment to the fixed version: 2.29.2 or remove the package from the image.", + "name": "Moment.js: Path traversal in moment.locale", + "osi_layer": "NOT_APPLICABLE", + "references": [ + { + "type": "CVE", + "value": "CVE-2022-24785", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2022-24785", + }, + { + "type": "URL", + "value": "https://access.redhat.com/security/cve/CVE-2022-24785", + }, + { + "type": "URL", + "value": "https://github.com/moment/moment", + }, + { + "type": "URL", + "value": "https://github.com/moment/moment/commit/4211bfc8f15746be4019bba557e29a7ba83d54c5", + }, + { + "type": "URL", + "value": "https://github.com/moment/moment/security/advisories/GHSA-8hfj-j24r-96c4", + }, + { + "type": "URL", + "value": "https://lists.debian.org/debian-lts-announce/2023/01/msg00035.html", + }, + { + "type": "URL", + "value": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6QIO6YNLTK2T7SPKDS4JEL45FANLNC2Q/", + }, + { + "type": "URL", + "value": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ORJX2LF6KMPIHP6B2P6KZIVKMLE3LVJ5/", + }, + { + "type": "URL", + "value": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6QIO6YNLTK2T7SPKDS4JEL45FANLNC2Q", + }, + { + "type": "URL", + "value": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ORJX2LF6KMPIHP6B2P6KZIVKMLE3LVJ5", + }, + { + "type": "URL", + 
"value": "https://nvd.nist.gov/vuln/detail/CVE-2022-24785", + }, + { + "type": "URL", + "value": "https://security.netapp.com/advisory/ntap-20220513-0006", + }, + { + "type": "URL", + "value": "https://security.netapp.com/advisory/ntap-20220513-0006/", + }, + { + "type": "URL", + "value": "https://ubuntu.com/security/notices/USN-5559-1", + }, + { + "type": "URL", + "value": "https://www.cve.org/CVERecord?id=CVE-2022-24785", + }, + { + "type": "URL", + "value": "https://www.tenable.com/security/tns-2022-09", + }, + ], + "severity": "HIGH", + }, + { + "attributes": { + "fixedVersion": "2.29.2", + "foundIn": "Node.js", + "installedVersion": "2.29.1", + "packageName": "moment", + "references": [ + "https://access.redhat.com/security/cve/CVE-2022-24785", + "https://github.com/moment/moment", + "https://github.com/moment/moment/commit/4211bfc8f15746be4019bba557e29a7ba83d54c5", + "https://github.com/moment/moment/security/advisories/GHSA-8hfj-j24r-96c4", + "https://lists.debian.org/debian-lts-announce/2023/01/msg00035.html", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6QIO6YNLTK2T7SPKDS4JEL45FANLNC2Q/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ORJX2LF6KMPIHP6B2P6KZIVKMLE3LVJ5/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6QIO6YNLTK2T7SPKDS4JEL45FANLNC2Q", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ORJX2LF6KMPIHP6B2P6KZIVKMLE3LVJ5", + "https://nvd.nist.gov/vuln/detail/CVE-2022-24785", + "https://security.netapp.com/advisory/ntap-20220513-0006", + "https://security.netapp.com/advisory/ntap-20220513-0006/", + "https://ubuntu.com/security/notices/USN-5559-1", + "https://www.cve.org/CVERecord?id=CVE-2022-24785", + "https://www.tenable.com/security/tns-2022-09", + ], + "vulnerabilityId": "CVE-2022-24785", + }, + "category": "NPM Package Vulnerability", + 
"description": "Moment.js is a JavaScript date library for parsing, validating, manipulating, and formatting dates. A path traversal vulnerability impacts npm (server) users of Moment.js between versions 1.0.1 and 2.29.1, especially if a user-provided locale string is directly used to switch moment locale. This problem is patched in 2.29.2, and the patch can be applied to all affected versions. As a workaround, sanitize the user-provided locale name before passing it to Moment.js.", + "location": "bkimminich/juice-shop:v12.10.2", + "mitigation": "Update the affected package moment to the fixed version: 2.29.2 or remove the package from the image.", + "name": "Moment.js: Path traversal in moment.locale", + "osi_layer": "NOT_APPLICABLE", + "references": [ + { + "type": "CVE", + "value": "CVE-2022-24785", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2022-24785", + }, + { + "type": "URL", + "value": "https://access.redhat.com/security/cve/CVE-2022-24785", + }, + { + "type": "URL", + "value": "https://github.com/moment/moment", + }, + { + "type": "URL", + "value": "https://github.com/moment/moment/commit/4211bfc8f15746be4019bba557e29a7ba83d54c5", + }, + { + "type": "URL", + "value": "https://github.com/moment/moment/security/advisories/GHSA-8hfj-j24r-96c4", + }, + { + "type": "URL", + "value": "https://lists.debian.org/debian-lts-announce/2023/01/msg00035.html", + }, + { + "type": "URL", + "value": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6QIO6YNLTK2T7SPKDS4JEL45FANLNC2Q/", + }, + { + "type": "URL", + "value": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ORJX2LF6KMPIHP6B2P6KZIVKMLE3LVJ5/", + }, + { + "type": "URL", + "value": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6QIO6YNLTK2T7SPKDS4JEL45FANLNC2Q", + }, + { + "type": "URL", + "value": 
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ORJX2LF6KMPIHP6B2P6KZIVKMLE3LVJ5", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2022-24785", + }, + { + "type": "URL", + "value": "https://security.netapp.com/advisory/ntap-20220513-0006", + }, + { + "type": "URL", + "value": "https://security.netapp.com/advisory/ntap-20220513-0006/", + }, + { + "type": "URL", + "value": "https://ubuntu.com/security/notices/USN-5559-1", + }, + { + "type": "URL", + "value": "https://www.cve.org/CVERecord?id=CVE-2022-24785", + }, + { + "type": "URL", + "value": "https://www.tenable.com/security/tns-2022-09", + }, + ], + "severity": "HIGH", + }, + { + "attributes": { + "fixedVersion": "2.29.2", + "foundIn": "Node.js", + "installedVersion": "2.29.1", + "packageName": "moment", + "references": [ + "https://access.redhat.com/security/cve/CVE-2022-24785", + "https://github.com/moment/moment", + "https://github.com/moment/moment/commit/4211bfc8f15746be4019bba557e29a7ba83d54c5", + "https://github.com/moment/moment/security/advisories/GHSA-8hfj-j24r-96c4", + "https://lists.debian.org/debian-lts-announce/2023/01/msg00035.html", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6QIO6YNLTK2T7SPKDS4JEL45FANLNC2Q/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ORJX2LF6KMPIHP6B2P6KZIVKMLE3LVJ5/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6QIO6YNLTK2T7SPKDS4JEL45FANLNC2Q", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ORJX2LF6KMPIHP6B2P6KZIVKMLE3LVJ5", + "https://nvd.nist.gov/vuln/detail/CVE-2022-24785", + "https://security.netapp.com/advisory/ntap-20220513-0006", + "https://security.netapp.com/advisory/ntap-20220513-0006/", + "https://ubuntu.com/security/notices/USN-5559-1", + 
"https://www.cve.org/CVERecord?id=CVE-2022-24785", + "https://www.tenable.com/security/tns-2022-09", + ], + "vulnerabilityId": "CVE-2022-24785", + }, + "category": "NPM Package Vulnerability", + "description": "Moment.js is a JavaScript date library for parsing, validating, manipulating, and formatting dates. A path traversal vulnerability impacts npm (server) users of Moment.js between versions 1.0.1 and 2.29.1, especially if a user-provided locale string is directly used to switch moment locale. This problem is patched in 2.29.2, and the patch can be applied to all affected versions. As a workaround, sanitize the user-provided locale name before passing it to Moment.js.", + "location": "bkimminich/juice-shop:v12.10.2", + "mitigation": "Update the affected package moment to the fixed version: 2.29.2 or remove the package from the image.", + "name": "Moment.js: Path traversal in moment.locale", + "osi_layer": "NOT_APPLICABLE", + "references": [ + { + "type": "CVE", + "value": "CVE-2022-24785", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2022-24785", + }, + { + "type": "URL", + "value": "https://access.redhat.com/security/cve/CVE-2022-24785", + }, + { + "type": "URL", + "value": "https://github.com/moment/moment", + }, + { + "type": "URL", + "value": "https://github.com/moment/moment/commit/4211bfc8f15746be4019bba557e29a7ba83d54c5", + }, + { + "type": "URL", + "value": "https://github.com/moment/moment/security/advisories/GHSA-8hfj-j24r-96c4", + }, + { + "type": "URL", + "value": "https://lists.debian.org/debian-lts-announce/2023/01/msg00035.html", + }, + { + "type": "URL", + "value": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6QIO6YNLTK2T7SPKDS4JEL45FANLNC2Q/", + }, + { + "type": "URL", + "value": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ORJX2LF6KMPIHP6B2P6KZIVKMLE3LVJ5/", + }, + { + "type": "URL", + "value": 
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6QIO6YNLTK2T7SPKDS4JEL45FANLNC2Q", + }, + { + "type": "URL", + "value": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ORJX2LF6KMPIHP6B2P6KZIVKMLE3LVJ5", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2022-24785", + }, + { + "type": "URL", + "value": "https://security.netapp.com/advisory/ntap-20220513-0006", + }, + { + "type": "URL", + "value": "https://security.netapp.com/advisory/ntap-20220513-0006/", + }, + { + "type": "URL", + "value": "https://ubuntu.com/security/notices/USN-5559-1", + }, + { + "type": "URL", + "value": "https://www.cve.org/CVERecord?id=CVE-2022-24785", + }, + { + "type": "URL", + "value": "https://www.tenable.com/security/tns-2022-09", + }, + ], + "severity": "HIGH", + }, + { + "attributes": { + "fixedVersion": "2.29.2", + "foundIn": "Node.js", + "installedVersion": "2.29.1", + "packageName": "moment", + "references": [ + "https://access.redhat.com/security/cve/CVE-2022-24785", + "https://github.com/moment/moment", + "https://github.com/moment/moment/commit/4211bfc8f15746be4019bba557e29a7ba83d54c5", + "https://github.com/moment/moment/security/advisories/GHSA-8hfj-j24r-96c4", + "https://lists.debian.org/debian-lts-announce/2023/01/msg00035.html", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6QIO6YNLTK2T7SPKDS4JEL45FANLNC2Q/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ORJX2LF6KMPIHP6B2P6KZIVKMLE3LVJ5/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6QIO6YNLTK2T7SPKDS4JEL45FANLNC2Q", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ORJX2LF6KMPIHP6B2P6KZIVKMLE3LVJ5", + "https://nvd.nist.gov/vuln/detail/CVE-2022-24785", + 
"https://security.netapp.com/advisory/ntap-20220513-0006", + "https://security.netapp.com/advisory/ntap-20220513-0006/", + "https://ubuntu.com/security/notices/USN-5559-1", + "https://www.cve.org/CVERecord?id=CVE-2022-24785", + "https://www.tenable.com/security/tns-2022-09", + ], + "vulnerabilityId": "CVE-2022-24785", + }, + "category": "NPM Package Vulnerability", + "description": "Moment.js is a JavaScript date library for parsing, validating, manipulating, and formatting dates. A path traversal vulnerability impacts npm (server) users of Moment.js between versions 1.0.1 and 2.29.1, especially if a user-provided locale string is directly used to switch moment locale. This problem is patched in 2.29.2, and the patch can be applied to all affected versions. As a workaround, sanitize the user-provided locale name before passing it to Moment.js.", + "location": "bkimminich/juice-shop:v12.10.2", + "mitigation": "Update the affected package moment to the fixed version: 2.29.2 or remove the package from the image.", + "name": "Moment.js: Path traversal in moment.locale", + "osi_layer": "NOT_APPLICABLE", + "references": [ + { + "type": "CVE", + "value": "CVE-2022-24785", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2022-24785", + }, + { + "type": "URL", + "value": "https://access.redhat.com/security/cve/CVE-2022-24785", + }, + { + "type": "URL", + "value": "https://github.com/moment/moment", + }, + { + "type": "URL", + "value": "https://github.com/moment/moment/commit/4211bfc8f15746be4019bba557e29a7ba83d54c5", + }, + { + "type": "URL", + "value": "https://github.com/moment/moment/security/advisories/GHSA-8hfj-j24r-96c4", + }, + { + "type": "URL", + "value": "https://lists.debian.org/debian-lts-announce/2023/01/msg00035.html", + }, + { + "type": "URL", + "value": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6QIO6YNLTK2T7SPKDS4JEL45FANLNC2Q/", + }, + { + "type": "URL", + "value": 
"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ORJX2LF6KMPIHP6B2P6KZIVKMLE3LVJ5/", + }, + { + "type": "URL", + "value": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6QIO6YNLTK2T7SPKDS4JEL45FANLNC2Q", + }, + { + "type": "URL", + "value": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ORJX2LF6KMPIHP6B2P6KZIVKMLE3LVJ5", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2022-24785", + }, + { + "type": "URL", + "value": "https://security.netapp.com/advisory/ntap-20220513-0006", + }, + { + "type": "URL", + "value": "https://security.netapp.com/advisory/ntap-20220513-0006/", + }, + { + "type": "URL", + "value": "https://ubuntu.com/security/notices/USN-5559-1", + }, + { + "type": "URL", + "value": "https://www.cve.org/CVERecord?id=CVE-2022-24785", + }, + { + "type": "URL", + "value": "https://www.tenable.com/security/tns-2022-09", + }, + ], + "severity": "HIGH", + }, + { + "attributes": { + "fixedVersion": "2.29.2", + "foundIn": "Node.js", + "installedVersion": "2.29.1", + "packageName": "moment", + "references": [ + "https://access.redhat.com/security/cve/CVE-2022-24785", + "https://github.com/moment/moment", + "https://github.com/moment/moment/commit/4211bfc8f15746be4019bba557e29a7ba83d54c5", + "https://github.com/moment/moment/security/advisories/GHSA-8hfj-j24r-96c4", + "https://lists.debian.org/debian-lts-announce/2023/01/msg00035.html", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6QIO6YNLTK2T7SPKDS4JEL45FANLNC2Q/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ORJX2LF6KMPIHP6B2P6KZIVKMLE3LVJ5/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6QIO6YNLTK2T7SPKDS4JEL45FANLNC2Q", + 
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ORJX2LF6KMPIHP6B2P6KZIVKMLE3LVJ5", + "https://nvd.nist.gov/vuln/detail/CVE-2022-24785", + "https://security.netapp.com/advisory/ntap-20220513-0006", + "https://security.netapp.com/advisory/ntap-20220513-0006/", + "https://ubuntu.com/security/notices/USN-5559-1", + "https://www.cve.org/CVERecord?id=CVE-2022-24785", + "https://www.tenable.com/security/tns-2022-09", + ], + "vulnerabilityId": "CVE-2022-24785", + }, + "category": "NPM Package Vulnerability", + "description": "Moment.js is a JavaScript date library for parsing, validating, manipulating, and formatting dates. A path traversal vulnerability impacts npm (server) users of Moment.js between versions 1.0.1 and 2.29.1, especially if a user-provided locale string is directly used to switch moment locale. This problem is patched in 2.29.2, and the patch can be applied to all affected versions. As a workaround, sanitize the user-provided locale name before passing it to Moment.js.", + "location": "bkimminich/juice-shop:v12.10.2", + "mitigation": "Update the affected package moment to the fixed version: 2.29.2 or remove the package from the image.", + "name": "Moment.js: Path traversal in moment.locale", + "osi_layer": "NOT_APPLICABLE", + "references": [ + { + "type": "CVE", + "value": "CVE-2022-24785", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2022-24785", + }, + { + "type": "URL", + "value": "https://access.redhat.com/security/cve/CVE-2022-24785", + }, + { + "type": "URL", + "value": "https://github.com/moment/moment", + }, + { + "type": "URL", + "value": "https://github.com/moment/moment/commit/4211bfc8f15746be4019bba557e29a7ba83d54c5", + }, + { + "type": "URL", + "value": "https://github.com/moment/moment/security/advisories/GHSA-8hfj-j24r-96c4", + }, + { + "type": "URL", + "value": "https://lists.debian.org/debian-lts-announce/2023/01/msg00035.html", + }, + { + "type": "URL", + 
"value": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6QIO6YNLTK2T7SPKDS4JEL45FANLNC2Q/", + }, + { + "type": "URL", + "value": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ORJX2LF6KMPIHP6B2P6KZIVKMLE3LVJ5/", + }, + { + "type": "URL", + "value": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6QIO6YNLTK2T7SPKDS4JEL45FANLNC2Q", + }, + { + "type": "URL", + "value": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ORJX2LF6KMPIHP6B2P6KZIVKMLE3LVJ5", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2022-24785", + }, + { + "type": "URL", + "value": "https://security.netapp.com/advisory/ntap-20220513-0006", + }, + { + "type": "URL", + "value": "https://security.netapp.com/advisory/ntap-20220513-0006/", + }, + { + "type": "URL", + "value": "https://ubuntu.com/security/notices/USN-5559-1", + }, + { + "type": "URL", + "value": "https://www.cve.org/CVERecord?id=CVE-2022-24785", + }, + { + "type": "URL", + "value": "https://www.tenable.com/security/tns-2022-09", + }, + ], + "severity": "HIGH", + }, + { + "attributes": { + "fixedVersion": "2.29.4", + "foundIn": "Node.js", + "installedVersion": "2.29.1", + "packageName": "moment", + "references": [ + "https://access.redhat.com/security/cve/CVE-2022-31129", + "https://github.com/moment/moment", + "https://github.com/moment/moment/commit/9a3b5894f3d5d602948ac8a02e4ee528a49ca3a3", + "https://github.com/moment/moment/pull/6015#issuecomment-1152961973", + "https://github.com/moment/moment/pull/6015/commits/4bbb9f3ccbe231de40207503f344fe5ce97584f4", + "https://github.com/moment/moment/pull/6015/commits/bfd4f2375d5c1a2106246721d693a9611dddfbfe", + "https://github.com/moment/moment/pull/6015/commits/dc0d180e90d8a84f7ff13572363330a22b3ea504", + 
"https://github.com/moment/moment/security/advisories/GHSA-wc69-rhjr-hc9g", + "https://huntr.dev/bounties/f0952b67-f2ff-44a9-a9cd-99e0a87cb633", + "https://huntr.dev/bounties/f0952b67-f2ff-44a9-a9cd-99e0a87cb633/", + "https://lists.debian.org/debian-lts-announce/2023/01/msg00035.html", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6QIO6YNLTK2T7SPKDS4JEL45FANLNC2Q/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IWY24RJA3SBJGA5N4CU4VBPHJPPPJL5O/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ORJX2LF6KMPIHP6B2P6KZIVKMLE3LVJ5/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZMX5YHELQVCGKKQVFXIYOTBMN23YYSRO/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6QIO6YNLTK2T7SPKDS4JEL45FANLNC2Q", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IWY24RJA3SBJGA5N4CU4VBPHJPPPJL5O", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ORJX2LF6KMPIHP6B2P6KZIVKMLE3LVJ5", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZMX5YHELQVCGKKQVFXIYOTBMN23YYSRO", + "https://nvd.nist.gov/vuln/detail/CVE-2022-31129", + "https://security.netapp.com/advisory/ntap-20221014-0003", + "https://security.netapp.com/advisory/ntap-20221014-0003/", + "https://ubuntu.com/security/notices/USN-5559-1", + "https://ubuntu.com/security/notices/USN-6550-1", + "https://www.cve.org/CVERecord?id=CVE-2022-31129", + ], + "vulnerabilityId": "CVE-2022-31129", + }, + "category": "NPM Package Vulnerability", + "description": "moment is a JavaScript date library for parsing, validating, manipulating, and formatting dates. Affected versions of moment were found to use an inefficient parsing algorithm. 
Specifically using string-to-date parsing in moment (more specifically rfc2822 parsing, which is tried by default) has quadratic (N^2) complexity on specific inputs. Users may notice a noticeable slowdown is observed with inputs above 10k characters. Users who pass user-provided strings without sanity length checks to moment constructor are vulnerable to (Re)DoS attacks. The problem is patched in 2.29.4, the patch can be applied to all affected versions with minimal tweaking. Users are advised to upgrade. Users unable to upgrade should consider limiting date lengths accepted from user input.", + "location": "bkimminich/juice-shop:v12.10.2", + "mitigation": "Update the affected package moment to the fixed version: 2.29.4 or remove the package from the image.", + "name": "moment: inefficient parsing algorithm resulting in DoS", + "osi_layer": "NOT_APPLICABLE", + "references": [ + { + "type": "CVE", + "value": "CVE-2022-31129", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2022-31129", + }, + { + "type": "URL", + "value": "https://access.redhat.com/security/cve/CVE-2022-31129", + }, + { + "type": "URL", + "value": "https://github.com/moment/moment", + }, + { + "type": "URL", + "value": "https://github.com/moment/moment/commit/9a3b5894f3d5d602948ac8a02e4ee528a49ca3a3", + }, + { + "type": "URL", + "value": "https://github.com/moment/moment/pull/6015#issuecomment-1152961973", + }, + { + "type": "URL", + "value": "https://github.com/moment/moment/pull/6015/commits/4bbb9f3ccbe231de40207503f344fe5ce97584f4", + }, + { + "type": "URL", + "value": "https://github.com/moment/moment/pull/6015/commits/bfd4f2375d5c1a2106246721d693a9611dddfbfe", + }, + { + "type": "URL", + "value": "https://github.com/moment/moment/pull/6015/commits/dc0d180e90d8a84f7ff13572363330a22b3ea504", + }, + { + "type": "URL", + "value": "https://github.com/moment/moment/security/advisories/GHSA-wc69-rhjr-hc9g", + }, + { + "type": "URL", + "value": 
"https://huntr.dev/bounties/f0952b67-f2ff-44a9-a9cd-99e0a87cb633", + }, + { + "type": "URL", + "value": "https://huntr.dev/bounties/f0952b67-f2ff-44a9-a9cd-99e0a87cb633/", + }, + { + "type": "URL", + "value": "https://lists.debian.org/debian-lts-announce/2023/01/msg00035.html", + }, + { + "type": "URL", + "value": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6QIO6YNLTK2T7SPKDS4JEL45FANLNC2Q/", + }, + { + "type": "URL", + "value": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IWY24RJA3SBJGA5N4CU4VBPHJPPPJL5O/", + }, + { + "type": "URL", + "value": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ORJX2LF6KMPIHP6B2P6KZIVKMLE3LVJ5/", + }, + { + "type": "URL", + "value": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZMX5YHELQVCGKKQVFXIYOTBMN23YYSRO/", + }, + { + "type": "URL", + "value": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6QIO6YNLTK2T7SPKDS4JEL45FANLNC2Q", + }, + { + "type": "URL", + "value": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IWY24RJA3SBJGA5N4CU4VBPHJPPPJL5O", + }, + { + "type": "URL", + "value": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ORJX2LF6KMPIHP6B2P6KZIVKMLE3LVJ5", + }, + { + "type": "URL", + "value": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZMX5YHELQVCGKKQVFXIYOTBMN23YYSRO", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2022-31129", + }, + { + "type": "URL", + "value": "https://security.netapp.com/advisory/ntap-20221014-0003", + }, + { + "type": "URL", + "value": "https://security.netapp.com/advisory/ntap-20221014-0003/", + }, + { + "type": "URL", + "value": 
"https://ubuntu.com/security/notices/USN-5559-1", + }, + { + "type": "URL", + "value": "https://ubuntu.com/security/notices/USN-6550-1", + }, + { + "type": "URL", + "value": "https://www.cve.org/CVERecord?id=CVE-2022-31129", + }, + ], + "severity": "HIGH", + }, + { + "attributes": { + "fixedVersion": "2.29.4", + "foundIn": "Node.js", + "installedVersion": "2.29.1", + "packageName": "moment", + "references": [ + "https://access.redhat.com/security/cve/CVE-2022-31129", + "https://github.com/moment/moment", + "https://github.com/moment/moment/commit/9a3b5894f3d5d602948ac8a02e4ee528a49ca3a3", + "https://github.com/moment/moment/pull/6015#issuecomment-1152961973", + "https://github.com/moment/moment/pull/6015/commits/4bbb9f3ccbe231de40207503f344fe5ce97584f4", + "https://github.com/moment/moment/pull/6015/commits/bfd4f2375d5c1a2106246721d693a9611dddfbfe", + "https://github.com/moment/moment/pull/6015/commits/dc0d180e90d8a84f7ff13572363330a22b3ea504", + "https://github.com/moment/moment/security/advisories/GHSA-wc69-rhjr-hc9g", + "https://huntr.dev/bounties/f0952b67-f2ff-44a9-a9cd-99e0a87cb633", + "https://huntr.dev/bounties/f0952b67-f2ff-44a9-a9cd-99e0a87cb633/", + "https://lists.debian.org/debian-lts-announce/2023/01/msg00035.html", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6QIO6YNLTK2T7SPKDS4JEL45FANLNC2Q/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IWY24RJA3SBJGA5N4CU4VBPHJPPPJL5O/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ORJX2LF6KMPIHP6B2P6KZIVKMLE3LVJ5/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZMX5YHELQVCGKKQVFXIYOTBMN23YYSRO/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6QIO6YNLTK2T7SPKDS4JEL45FANLNC2Q", + 
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IWY24RJA3SBJGA5N4CU4VBPHJPPPJL5O", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ORJX2LF6KMPIHP6B2P6KZIVKMLE3LVJ5", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZMX5YHELQVCGKKQVFXIYOTBMN23YYSRO", + "https://nvd.nist.gov/vuln/detail/CVE-2022-31129", + "https://security.netapp.com/advisory/ntap-20221014-0003", + "https://security.netapp.com/advisory/ntap-20221014-0003/", + "https://ubuntu.com/security/notices/USN-5559-1", + "https://ubuntu.com/security/notices/USN-6550-1", + "https://www.cve.org/CVERecord?id=CVE-2022-31129", + ], + "vulnerabilityId": "CVE-2022-31129", + }, + "category": "NPM Package Vulnerability", + "description": "moment is a JavaScript date library for parsing, validating, manipulating, and formatting dates. Affected versions of moment were found to use an inefficient parsing algorithm. Specifically using string-to-date parsing in moment (more specifically rfc2822 parsing, which is tried by default) has quadratic (N^2) complexity on specific inputs. Users may notice a noticeable slowdown is observed with inputs above 10k characters. Users who pass user-provided strings without sanity length checks to moment constructor are vulnerable to (Re)DoS attacks. The problem is patched in 2.29.4, the patch can be applied to all affected versions with minimal tweaking. Users are advised to upgrade. 
Users unable to upgrade should consider limiting date lengths accepted from user input.", + "location": "bkimminich/juice-shop:v12.10.2", + "mitigation": "Update the affected package moment to the fixed version: 2.29.4 or remove the package from the image.", + "name": "moment: inefficient parsing algorithm resulting in DoS", + "osi_layer": "NOT_APPLICABLE", + "references": [ + { + "type": "CVE", + "value": "CVE-2022-31129", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2022-31129", + }, + { + "type": "URL", + "value": "https://access.redhat.com/security/cve/CVE-2022-31129", + }, + { + "type": "URL", + "value": "https://github.com/moment/moment", + }, + { + "type": "URL", + "value": "https://github.com/moment/moment/commit/9a3b5894f3d5d602948ac8a02e4ee528a49ca3a3", + }, + { + "type": "URL", + "value": "https://github.com/moment/moment/pull/6015#issuecomment-1152961973", + }, + { + "type": "URL", + "value": "https://github.com/moment/moment/pull/6015/commits/4bbb9f3ccbe231de40207503f344fe5ce97584f4", + }, + { + "type": "URL", + "value": "https://github.com/moment/moment/pull/6015/commits/bfd4f2375d5c1a2106246721d693a9611dddfbfe", + }, + { + "type": "URL", + "value": "https://github.com/moment/moment/pull/6015/commits/dc0d180e90d8a84f7ff13572363330a22b3ea504", + }, + { + "type": "URL", + "value": "https://github.com/moment/moment/security/advisories/GHSA-wc69-rhjr-hc9g", + }, + { + "type": "URL", + "value": "https://huntr.dev/bounties/f0952b67-f2ff-44a9-a9cd-99e0a87cb633", + }, + { + "type": "URL", + "value": "https://huntr.dev/bounties/f0952b67-f2ff-44a9-a9cd-99e0a87cb633/", + }, + { + "type": "URL", + "value": "https://lists.debian.org/debian-lts-announce/2023/01/msg00035.html", + }, + { + "type": "URL", + "value": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6QIO6YNLTK2T7SPKDS4JEL45FANLNC2Q/", + }, + { + "type": "URL", + "value": 
"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IWY24RJA3SBJGA5N4CU4VBPHJPPPJL5O/", + }, + { + "type": "URL", + "value": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ORJX2LF6KMPIHP6B2P6KZIVKMLE3LVJ5/", + }, + { + "type": "URL", + "value": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZMX5YHELQVCGKKQVFXIYOTBMN23YYSRO/", + }, + { + "type": "URL", + "value": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6QIO6YNLTK2T7SPKDS4JEL45FANLNC2Q", + }, + { + "type": "URL", + "value": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IWY24RJA3SBJGA5N4CU4VBPHJPPPJL5O", + }, + { + "type": "URL", + "value": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ORJX2LF6KMPIHP6B2P6KZIVKMLE3LVJ5", + }, + { + "type": "URL", + "value": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZMX5YHELQVCGKKQVFXIYOTBMN23YYSRO", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2022-31129", + }, + { + "type": "URL", + "value": "https://security.netapp.com/advisory/ntap-20221014-0003", + }, + { + "type": "URL", + "value": "https://security.netapp.com/advisory/ntap-20221014-0003/", + }, + { + "type": "URL", + "value": "https://ubuntu.com/security/notices/USN-5559-1", + }, + { + "type": "URL", + "value": "https://ubuntu.com/security/notices/USN-6550-1", + }, + { + "type": "URL", + "value": "https://www.cve.org/CVERecord?id=CVE-2022-31129", + }, + ], + "severity": "HIGH", + }, + { + "attributes": { + "fixedVersion": "2.29.4", + "foundIn": "Node.js", + "installedVersion": "2.29.1", + "packageName": "moment", + "references": [ + "https://access.redhat.com/security/cve/CVE-2022-31129", + "https://github.com/moment/moment", + 
"https://github.com/moment/moment/commit/9a3b5894f3d5d602948ac8a02e4ee528a49ca3a3", + "https://github.com/moment/moment/pull/6015#issuecomment-1152961973", + "https://github.com/moment/moment/pull/6015/commits/4bbb9f3ccbe231de40207503f344fe5ce97584f4", + "https://github.com/moment/moment/pull/6015/commits/bfd4f2375d5c1a2106246721d693a9611dddfbfe", + "https://github.com/moment/moment/pull/6015/commits/dc0d180e90d8a84f7ff13572363330a22b3ea504", + "https://github.com/moment/moment/security/advisories/GHSA-wc69-rhjr-hc9g", + "https://huntr.dev/bounties/f0952b67-f2ff-44a9-a9cd-99e0a87cb633", + "https://huntr.dev/bounties/f0952b67-f2ff-44a9-a9cd-99e0a87cb633/", + "https://lists.debian.org/debian-lts-announce/2023/01/msg00035.html", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6QIO6YNLTK2T7SPKDS4JEL45FANLNC2Q/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IWY24RJA3SBJGA5N4CU4VBPHJPPPJL5O/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ORJX2LF6KMPIHP6B2P6KZIVKMLE3LVJ5/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZMX5YHELQVCGKKQVFXIYOTBMN23YYSRO/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6QIO6YNLTK2T7SPKDS4JEL45FANLNC2Q", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IWY24RJA3SBJGA5N4CU4VBPHJPPPJL5O", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ORJX2LF6KMPIHP6B2P6KZIVKMLE3LVJ5", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZMX5YHELQVCGKKQVFXIYOTBMN23YYSRO", + "https://nvd.nist.gov/vuln/detail/CVE-2022-31129", + "https://security.netapp.com/advisory/ntap-20221014-0003", + "https://security.netapp.com/advisory/ntap-20221014-0003/", + 
"https://ubuntu.com/security/notices/USN-5559-1", + "https://ubuntu.com/security/notices/USN-6550-1", + "https://www.cve.org/CVERecord?id=CVE-2022-31129", + ], + "vulnerabilityId": "CVE-2022-31129", + }, + "category": "NPM Package Vulnerability", + "description": "moment is a JavaScript date library for parsing, validating, manipulating, and formatting dates. Affected versions of moment were found to use an inefficient parsing algorithm. Specifically using string-to-date parsing in moment (more specifically rfc2822 parsing, which is tried by default) has quadratic (N^2) complexity on specific inputs. Users may notice a noticeable slowdown is observed with inputs above 10k characters. Users who pass user-provided strings without sanity length checks to moment constructor are vulnerable to (Re)DoS attacks. The problem is patched in 2.29.4, the patch can be applied to all affected versions with minimal tweaking. Users are advised to upgrade. Users unable to upgrade should consider limiting date lengths accepted from user input.", + "location": "bkimminich/juice-shop:v12.10.2", + "mitigation": "Update the affected package moment to the fixed version: 2.29.4 or remove the package from the image.", + "name": "moment: inefficient parsing algorithm resulting in DoS", + "osi_layer": "NOT_APPLICABLE", + "references": [ + { + "type": "CVE", + "value": "CVE-2022-31129", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2022-31129", + }, + { + "type": "URL", + "value": "https://access.redhat.com/security/cve/CVE-2022-31129", + }, + { + "type": "URL", + "value": "https://github.com/moment/moment", + }, + { + "type": "URL", + "value": "https://github.com/moment/moment/commit/9a3b5894f3d5d602948ac8a02e4ee528a49ca3a3", + }, + { + "type": "URL", + "value": "https://github.com/moment/moment/pull/6015#issuecomment-1152961973", + }, + { + "type": "URL", + "value": "https://github.com/moment/moment/pull/6015/commits/4bbb9f3ccbe231de40207503f344fe5ce97584f4", + 
}, + { + "type": "URL", + "value": "https://github.com/moment/moment/pull/6015/commits/bfd4f2375d5c1a2106246721d693a9611dddfbfe", + }, + { + "type": "URL", + "value": "https://github.com/moment/moment/pull/6015/commits/dc0d180e90d8a84f7ff13572363330a22b3ea504", + }, + { + "type": "URL", + "value": "https://github.com/moment/moment/security/advisories/GHSA-wc69-rhjr-hc9g", + }, + { + "type": "URL", + "value": "https://huntr.dev/bounties/f0952b67-f2ff-44a9-a9cd-99e0a87cb633", + }, + { + "type": "URL", + "value": "https://huntr.dev/bounties/f0952b67-f2ff-44a9-a9cd-99e0a87cb633/", + }, + { + "type": "URL", + "value": "https://lists.debian.org/debian-lts-announce/2023/01/msg00035.html", + }, + { + "type": "URL", + "value": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6QIO6YNLTK2T7SPKDS4JEL45FANLNC2Q/", + }, + { + "type": "URL", + "value": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IWY24RJA3SBJGA5N4CU4VBPHJPPPJL5O/", + }, + { + "type": "URL", + "value": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ORJX2LF6KMPIHP6B2P6KZIVKMLE3LVJ5/", + }, + { + "type": "URL", + "value": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZMX5YHELQVCGKKQVFXIYOTBMN23YYSRO/", + }, + { + "type": "URL", + "value": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6QIO6YNLTK2T7SPKDS4JEL45FANLNC2Q", + }, + { + "type": "URL", + "value": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IWY24RJA3SBJGA5N4CU4VBPHJPPPJL5O", + }, + { + "type": "URL", + "value": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ORJX2LF6KMPIHP6B2P6KZIVKMLE3LVJ5", + }, + { + "type": "URL", + "value": 
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZMX5YHELQVCGKKQVFXIYOTBMN23YYSRO", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2022-31129", + }, + { + "type": "URL", + "value": "https://security.netapp.com/advisory/ntap-20221014-0003", + }, + { + "type": "URL", + "value": "https://security.netapp.com/advisory/ntap-20221014-0003/", + }, + { + "type": "URL", + "value": "https://ubuntu.com/security/notices/USN-5559-1", + }, + { + "type": "URL", + "value": "https://ubuntu.com/security/notices/USN-6550-1", + }, + { + "type": "URL", + "value": "https://www.cve.org/CVERecord?id=CVE-2022-31129", + }, + ], + "severity": "HIGH", + }, + { + "attributes": { + "fixedVersion": "2.29.4", + "foundIn": "Node.js", + "installedVersion": "2.29.1", + "packageName": "moment", + "references": [ + "https://access.redhat.com/security/cve/CVE-2022-31129", + "https://github.com/moment/moment", + "https://github.com/moment/moment/commit/9a3b5894f3d5d602948ac8a02e4ee528a49ca3a3", + "https://github.com/moment/moment/pull/6015#issuecomment-1152961973", + "https://github.com/moment/moment/pull/6015/commits/4bbb9f3ccbe231de40207503f344fe5ce97584f4", + "https://github.com/moment/moment/pull/6015/commits/bfd4f2375d5c1a2106246721d693a9611dddfbfe", + "https://github.com/moment/moment/pull/6015/commits/dc0d180e90d8a84f7ff13572363330a22b3ea504", + "https://github.com/moment/moment/security/advisories/GHSA-wc69-rhjr-hc9g", + "https://huntr.dev/bounties/f0952b67-f2ff-44a9-a9cd-99e0a87cb633", + "https://huntr.dev/bounties/f0952b67-f2ff-44a9-a9cd-99e0a87cb633/", + "https://lists.debian.org/debian-lts-announce/2023/01/msg00035.html", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6QIO6YNLTK2T7SPKDS4JEL45FANLNC2Q/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IWY24RJA3SBJGA5N4CU4VBPHJPPPJL5O/", + 
"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ORJX2LF6KMPIHP6B2P6KZIVKMLE3LVJ5/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZMX5YHELQVCGKKQVFXIYOTBMN23YYSRO/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6QIO6YNLTK2T7SPKDS4JEL45FANLNC2Q", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IWY24RJA3SBJGA5N4CU4VBPHJPPPJL5O", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ORJX2LF6KMPIHP6B2P6KZIVKMLE3LVJ5", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZMX5YHELQVCGKKQVFXIYOTBMN23YYSRO", + "https://nvd.nist.gov/vuln/detail/CVE-2022-31129", + "https://security.netapp.com/advisory/ntap-20221014-0003", + "https://security.netapp.com/advisory/ntap-20221014-0003/", + "https://ubuntu.com/security/notices/USN-5559-1", + "https://ubuntu.com/security/notices/USN-6550-1", + "https://www.cve.org/CVERecord?id=CVE-2022-31129", + ], + "vulnerabilityId": "CVE-2022-31129", + }, + "category": "NPM Package Vulnerability", + "description": "moment is a JavaScript date library for parsing, validating, manipulating, and formatting dates. Affected versions of moment were found to use an inefficient parsing algorithm. Specifically using string-to-date parsing in moment (more specifically rfc2822 parsing, which is tried by default) has quadratic (N^2) complexity on specific inputs. Users may notice a noticeable slowdown is observed with inputs above 10k characters. Users who pass user-provided strings without sanity length checks to moment constructor are vulnerable to (Re)DoS attacks. The problem is patched in 2.29.4, the patch can be applied to all affected versions with minimal tweaking. Users are advised to upgrade. 
Users unable to upgrade should consider limiting date lengths accepted from user input.", + "location": "bkimminich/juice-shop:v12.10.2", + "mitigation": "Update the affected package moment to the fixed version: 2.29.4 or remove the package from the image.", + "name": "moment: inefficient parsing algorithm resulting in DoS", + "osi_layer": "NOT_APPLICABLE", + "references": [ + { + "type": "CVE", + "value": "CVE-2022-31129", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2022-31129", + }, + { + "type": "URL", + "value": "https://access.redhat.com/security/cve/CVE-2022-31129", + }, + { + "type": "URL", + "value": "https://github.com/moment/moment", + }, + { + "type": "URL", + "value": "https://github.com/moment/moment/commit/9a3b5894f3d5d602948ac8a02e4ee528a49ca3a3", + }, + { + "type": "URL", + "value": "https://github.com/moment/moment/pull/6015#issuecomment-1152961973", + }, + { + "type": "URL", + "value": "https://github.com/moment/moment/pull/6015/commits/4bbb9f3ccbe231de40207503f344fe5ce97584f4", + }, + { + "type": "URL", + "value": "https://github.com/moment/moment/pull/6015/commits/bfd4f2375d5c1a2106246721d693a9611dddfbfe", + }, + { + "type": "URL", + "value": "https://github.com/moment/moment/pull/6015/commits/dc0d180e90d8a84f7ff13572363330a22b3ea504", + }, + { + "type": "URL", + "value": "https://github.com/moment/moment/security/advisories/GHSA-wc69-rhjr-hc9g", + }, + { + "type": "URL", + "value": "https://huntr.dev/bounties/f0952b67-f2ff-44a9-a9cd-99e0a87cb633", + }, + { + "type": "URL", + "value": "https://huntr.dev/bounties/f0952b67-f2ff-44a9-a9cd-99e0a87cb633/", + }, + { + "type": "URL", + "value": "https://lists.debian.org/debian-lts-announce/2023/01/msg00035.html", + }, + { + "type": "URL", + "value": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6QIO6YNLTK2T7SPKDS4JEL45FANLNC2Q/", + }, + { + "type": "URL", + "value": 
"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IWY24RJA3SBJGA5N4CU4VBPHJPPPJL5O/", + }, + { + "type": "URL", + "value": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ORJX2LF6KMPIHP6B2P6KZIVKMLE3LVJ5/", + }, + { + "type": "URL", + "value": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZMX5YHELQVCGKKQVFXIYOTBMN23YYSRO/", + }, + { + "type": "URL", + "value": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6QIO6YNLTK2T7SPKDS4JEL45FANLNC2Q", + }, + { + "type": "URL", + "value": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IWY24RJA3SBJGA5N4CU4VBPHJPPPJL5O", + }, + { + "type": "URL", + "value": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ORJX2LF6KMPIHP6B2P6KZIVKMLE3LVJ5", + }, + { + "type": "URL", + "value": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZMX5YHELQVCGKKQVFXIYOTBMN23YYSRO", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2022-31129", + }, + { + "type": "URL", + "value": "https://security.netapp.com/advisory/ntap-20221014-0003", + }, + { + "type": "URL", + "value": "https://security.netapp.com/advisory/ntap-20221014-0003/", + }, + { + "type": "URL", + "value": "https://ubuntu.com/security/notices/USN-5559-1", + }, + { + "type": "URL", + "value": "https://ubuntu.com/security/notices/USN-6550-1", + }, + { + "type": "URL", + "value": "https://www.cve.org/CVERecord?id=CVE-2022-31129", + }, + ], + "severity": "HIGH", + }, + { + "attributes": { + "fixedVersion": "2.29.4", + "foundIn": "Node.js", + "installedVersion": "2.29.1", + "packageName": "moment", + "references": [ + "https://access.redhat.com/security/cve/CVE-2022-31129", + "https://github.com/moment/moment", + 
"https://github.com/moment/moment/commit/9a3b5894f3d5d602948ac8a02e4ee528a49ca3a3", + "https://github.com/moment/moment/pull/6015#issuecomment-1152961973", + "https://github.com/moment/moment/pull/6015/commits/4bbb9f3ccbe231de40207503f344fe5ce97584f4", + "https://github.com/moment/moment/pull/6015/commits/bfd4f2375d5c1a2106246721d693a9611dddfbfe", + "https://github.com/moment/moment/pull/6015/commits/dc0d180e90d8a84f7ff13572363330a22b3ea504", + "https://github.com/moment/moment/security/advisories/GHSA-wc69-rhjr-hc9g", + "https://huntr.dev/bounties/f0952b67-f2ff-44a9-a9cd-99e0a87cb633", + "https://huntr.dev/bounties/f0952b67-f2ff-44a9-a9cd-99e0a87cb633/", + "https://lists.debian.org/debian-lts-announce/2023/01/msg00035.html", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6QIO6YNLTK2T7SPKDS4JEL45FANLNC2Q/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IWY24RJA3SBJGA5N4CU4VBPHJPPPJL5O/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ORJX2LF6KMPIHP6B2P6KZIVKMLE3LVJ5/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZMX5YHELQVCGKKQVFXIYOTBMN23YYSRO/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6QIO6YNLTK2T7SPKDS4JEL45FANLNC2Q", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IWY24RJA3SBJGA5N4CU4VBPHJPPPJL5O", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ORJX2LF6KMPIHP6B2P6KZIVKMLE3LVJ5", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZMX5YHELQVCGKKQVFXIYOTBMN23YYSRO", + "https://nvd.nist.gov/vuln/detail/CVE-2022-31129", + "https://security.netapp.com/advisory/ntap-20221014-0003", + "https://security.netapp.com/advisory/ntap-20221014-0003/", + 
"https://ubuntu.com/security/notices/USN-5559-1", + "https://ubuntu.com/security/notices/USN-6550-1", + "https://www.cve.org/CVERecord?id=CVE-2022-31129", + ], + "vulnerabilityId": "CVE-2022-31129", + }, + "category": "NPM Package Vulnerability", + "description": "moment is a JavaScript date library for parsing, validating, manipulating, and formatting dates. Affected versions of moment were found to use an inefficient parsing algorithm. Specifically using string-to-date parsing in moment (more specifically rfc2822 parsing, which is tried by default) has quadratic (N^2) complexity on specific inputs. Users may notice a noticeable slowdown is observed with inputs above 10k characters. Users who pass user-provided strings without sanity length checks to moment constructor are vulnerable to (Re)DoS attacks. The problem is patched in 2.29.4, the patch can be applied to all affected versions with minimal tweaking. Users are advised to upgrade. Users unable to upgrade should consider limiting date lengths accepted from user input.", + "location": "bkimminich/juice-shop:v12.10.2", + "mitigation": "Update the affected package moment to the fixed version: 2.29.4 or remove the package from the image.", + "name": "moment: inefficient parsing algorithm resulting in DoS", + "osi_layer": "NOT_APPLICABLE", + "references": [ + { + "type": "CVE", + "value": "CVE-2022-31129", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2022-31129", + }, + { + "type": "URL", + "value": "https://access.redhat.com/security/cve/CVE-2022-31129", + }, + { + "type": "URL", + "value": "https://github.com/moment/moment", + }, + { + "type": "URL", + "value": "https://github.com/moment/moment/commit/9a3b5894f3d5d602948ac8a02e4ee528a49ca3a3", + }, + { + "type": "URL", + "value": "https://github.com/moment/moment/pull/6015#issuecomment-1152961973", + }, + { + "type": "URL", + "value": "https://github.com/moment/moment/pull/6015/commits/4bbb9f3ccbe231de40207503f344fe5ce97584f4", + 
}, + { + "type": "URL", + "value": "https://github.com/moment/moment/pull/6015/commits/bfd4f2375d5c1a2106246721d693a9611dddfbfe", + }, + { + "type": "URL", + "value": "https://github.com/moment/moment/pull/6015/commits/dc0d180e90d8a84f7ff13572363330a22b3ea504", + }, + { + "type": "URL", + "value": "https://github.com/moment/moment/security/advisories/GHSA-wc69-rhjr-hc9g", + }, + { + "type": "URL", + "value": "https://huntr.dev/bounties/f0952b67-f2ff-44a9-a9cd-99e0a87cb633", + }, + { + "type": "URL", + "value": "https://huntr.dev/bounties/f0952b67-f2ff-44a9-a9cd-99e0a87cb633/", + }, + { + "type": "URL", + "value": "https://lists.debian.org/debian-lts-announce/2023/01/msg00035.html", + }, + { + "type": "URL", + "value": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6QIO6YNLTK2T7SPKDS4JEL45FANLNC2Q/", + }, + { + "type": "URL", + "value": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IWY24RJA3SBJGA5N4CU4VBPHJPPPJL5O/", + }, + { + "type": "URL", + "value": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ORJX2LF6KMPIHP6B2P6KZIVKMLE3LVJ5/", + }, + { + "type": "URL", + "value": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZMX5YHELQVCGKKQVFXIYOTBMN23YYSRO/", + }, + { + "type": "URL", + "value": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6QIO6YNLTK2T7SPKDS4JEL45FANLNC2Q", + }, + { + "type": "URL", + "value": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IWY24RJA3SBJGA5N4CU4VBPHJPPPJL5O", + }, + { + "type": "URL", + "value": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ORJX2LF6KMPIHP6B2P6KZIVKMLE3LVJ5", + }, + { + "type": "URL", + "value": 
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZMX5YHELQVCGKKQVFXIYOTBMN23YYSRO", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2022-31129", + }, + { + "type": "URL", + "value": "https://security.netapp.com/advisory/ntap-20221014-0003", + }, + { + "type": "URL", + "value": "https://security.netapp.com/advisory/ntap-20221014-0003/", + }, + { + "type": "URL", + "value": "https://ubuntu.com/security/notices/USN-5559-1", + }, + { + "type": "URL", + "value": "https://ubuntu.com/security/notices/USN-6550-1", + }, + { + "type": "URL", + "value": "https://www.cve.org/CVERecord?id=CVE-2022-31129", + }, + ], + "severity": "HIGH", + }, + { + "attributes": { + "fixedVersion": "2.29.4", + "foundIn": "Node.js", + "installedVersion": "2.29.1", + "packageName": "moment", + "references": [ + "https://access.redhat.com/security/cve/CVE-2022-31129", + "https://github.com/moment/moment", + "https://github.com/moment/moment/commit/9a3b5894f3d5d602948ac8a02e4ee528a49ca3a3", + "https://github.com/moment/moment/pull/6015#issuecomment-1152961973", + "https://github.com/moment/moment/pull/6015/commits/4bbb9f3ccbe231de40207503f344fe5ce97584f4", + "https://github.com/moment/moment/pull/6015/commits/bfd4f2375d5c1a2106246721d693a9611dddfbfe", + "https://github.com/moment/moment/pull/6015/commits/dc0d180e90d8a84f7ff13572363330a22b3ea504", + "https://github.com/moment/moment/security/advisories/GHSA-wc69-rhjr-hc9g", + "https://huntr.dev/bounties/f0952b67-f2ff-44a9-a9cd-99e0a87cb633", + "https://huntr.dev/bounties/f0952b67-f2ff-44a9-a9cd-99e0a87cb633/", + "https://lists.debian.org/debian-lts-announce/2023/01/msg00035.html", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6QIO6YNLTK2T7SPKDS4JEL45FANLNC2Q/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IWY24RJA3SBJGA5N4CU4VBPHJPPPJL5O/", + 
"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ORJX2LF6KMPIHP6B2P6KZIVKMLE3LVJ5/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZMX5YHELQVCGKKQVFXIYOTBMN23YYSRO/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6QIO6YNLTK2T7SPKDS4JEL45FANLNC2Q", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IWY24RJA3SBJGA5N4CU4VBPHJPPPJL5O", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ORJX2LF6KMPIHP6B2P6KZIVKMLE3LVJ5", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZMX5YHELQVCGKKQVFXIYOTBMN23YYSRO", + "https://nvd.nist.gov/vuln/detail/CVE-2022-31129", + "https://security.netapp.com/advisory/ntap-20221014-0003", + "https://security.netapp.com/advisory/ntap-20221014-0003/", + "https://ubuntu.com/security/notices/USN-5559-1", + "https://ubuntu.com/security/notices/USN-6550-1", + "https://www.cve.org/CVERecord?id=CVE-2022-31129", + ], + "vulnerabilityId": "CVE-2022-31129", + }, + "category": "NPM Package Vulnerability", + "description": "moment is a JavaScript date library for parsing, validating, manipulating, and formatting dates. Affected versions of moment were found to use an inefficient parsing algorithm. Specifically using string-to-date parsing in moment (more specifically rfc2822 parsing, which is tried by default) has quadratic (N^2) complexity on specific inputs. Users may notice a noticeable slowdown is observed with inputs above 10k characters. Users who pass user-provided strings without sanity length checks to moment constructor are vulnerable to (Re)DoS attacks. The problem is patched in 2.29.4, the patch can be applied to all affected versions with minimal tweaking. Users are advised to upgrade. 
Users unable to upgrade should consider limiting date lengths accepted from user input.", + "location": "bkimminich/juice-shop:v12.10.2", + "mitigation": "Update the affected package moment to the fixed version: 2.29.4 or remove the package from the image.", + "name": "moment: inefficient parsing algorithm resulting in DoS", + "osi_layer": "NOT_APPLICABLE", + "references": [ + { + "type": "CVE", + "value": "CVE-2022-31129", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2022-31129", + }, + { + "type": "URL", + "value": "https://access.redhat.com/security/cve/CVE-2022-31129", + }, + { + "type": "URL", + "value": "https://github.com/moment/moment", + }, + { + "type": "URL", + "value": "https://github.com/moment/moment/commit/9a3b5894f3d5d602948ac8a02e4ee528a49ca3a3", + }, + { + "type": "URL", + "value": "https://github.com/moment/moment/pull/6015#issuecomment-1152961973", + }, + { + "type": "URL", + "value": "https://github.com/moment/moment/pull/6015/commits/4bbb9f3ccbe231de40207503f344fe5ce97584f4", + }, + { + "type": "URL", + "value": "https://github.com/moment/moment/pull/6015/commits/bfd4f2375d5c1a2106246721d693a9611dddfbfe", + }, + { + "type": "URL", + "value": "https://github.com/moment/moment/pull/6015/commits/dc0d180e90d8a84f7ff13572363330a22b3ea504", + }, + { + "type": "URL", + "value": "https://github.com/moment/moment/security/advisories/GHSA-wc69-rhjr-hc9g", + }, + { + "type": "URL", + "value": "https://huntr.dev/bounties/f0952b67-f2ff-44a9-a9cd-99e0a87cb633", + }, + { + "type": "URL", + "value": "https://huntr.dev/bounties/f0952b67-f2ff-44a9-a9cd-99e0a87cb633/", + }, + { + "type": "URL", + "value": "https://lists.debian.org/debian-lts-announce/2023/01/msg00035.html", + }, + { + "type": "URL", + "value": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6QIO6YNLTK2T7SPKDS4JEL45FANLNC2Q/", + }, + { + "type": "URL", + "value": 
"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IWY24RJA3SBJGA5N4CU4VBPHJPPPJL5O/", + }, + { + "type": "URL", + "value": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ORJX2LF6KMPIHP6B2P6KZIVKMLE3LVJ5/", + }, + { + "type": "URL", + "value": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZMX5YHELQVCGKKQVFXIYOTBMN23YYSRO/", + }, + { + "type": "URL", + "value": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6QIO6YNLTK2T7SPKDS4JEL45FANLNC2Q", + }, + { + "type": "URL", + "value": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IWY24RJA3SBJGA5N4CU4VBPHJPPPJL5O", + }, + { + "type": "URL", + "value": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ORJX2LF6KMPIHP6B2P6KZIVKMLE3LVJ5", + }, + { + "type": "URL", + "value": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZMX5YHELQVCGKKQVFXIYOTBMN23YYSRO", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2022-31129", + }, + { + "type": "URL", + "value": "https://security.netapp.com/advisory/ntap-20221014-0003", + }, + { + "type": "URL", + "value": "https://security.netapp.com/advisory/ntap-20221014-0003/", + }, + { + "type": "URL", + "value": "https://ubuntu.com/security/notices/USN-5559-1", + }, + { + "type": "URL", + "value": "https://ubuntu.com/security/notices/USN-6550-1", + }, + { + "type": "URL", + "value": "https://www.cve.org/CVERecord?id=CVE-2022-31129", + }, + ], + "severity": "HIGH", + }, + { + "attributes": { + "fixedVersion": "0.5.35", + "foundIn": "Node.js", + "installedVersion": "0.5.33", + "packageName": "moment-timezone", + "references": [ + "https://github.com/moment/moment-timezone", + 
"https://github.com/moment/moment-timezone/commit/7915ac567ab19700e44ad6b5d8ef0b85e48a9e75", + "https://github.com/moment/moment-timezone/security/advisories/GHSA-v78c-4p63-2j6c", + ], + "vulnerabilityId": "GHSA-v78c-4p63-2j6c", + }, + "category": "NPM Package Vulnerability", + "description": "### Impact + +* if Alice uses \`grunt data\` (or \`grunt release\`) to prepare a custom-build, moment-timezone with the latest tzdata from IANA's website +* and Mallory intercepts the request to IANA's unencrypted ftp server, Mallory can serve data which might exploit further stages of the moment-timezone tzdata pipeline, or potentially produce a tainted version of moment-timezone (practicality of such attacks is not proved) + +### Patches +Problem has been patched in version 0.5.35, patch should be applicable with minor modifications to all affected versions. The patch includes changing the FTP endpoint with an HTTPS endpoint. + +### Workarounds +Specify the exact version of tzdata (like \`2014d\`, full command being \`grunt data:2014d\`, then run the rest of the release tasks by hand), or just apply the patch before issuing the grunt command. 
+", + "location": "bkimminich/juice-shop:v12.10.2", + "mitigation": "Update the affected package moment-timezone to the fixed version: 0.5.35 or remove the package from the image.", + "name": "Cleartext Transmission of Sensitive Information in moment-timezone", + "osi_layer": "NOT_APPLICABLE", + "references": [ + { + "type": "URL", + "value": "https://github.com/moment/moment-timezone", + }, + { + "type": "URL", + "value": "https://github.com/moment/moment-timezone/commit/7915ac567ab19700e44ad6b5d8ef0b85e48a9e75", + }, + { + "type": "URL", + "value": "https://github.com/moment/moment-timezone/security/advisories/GHSA-v78c-4p63-2j6c", + }, + ], + "severity": "MEDIUM", + }, + { + "attributes": { + "fixedVersion": "0.5.35", + "foundIn": "Node.js", + "installedVersion": "0.5.33", + "packageName": "moment-timezone", + "references": [ + "https://github.com/moment/moment-timezone", + "https://github.com/moment/moment-timezone/commit/ce955a301ff372e8e9fb3a5b516620c60e7a082a", + "https://github.com/moment/moment-timezone/security/advisories/GHSA-56x4-j7p9-fcf9", + ], + "vulnerabilityId": "GHSA-56x4-j7p9-fcf9", + }, + "category": "NPM Package Vulnerability", + "description": "### Impact + +All versions of moment-timezone from 0.1.0 contain build tasks vulnerable to command injection. + +* if Alice uses tzdata pipeline to package moment-timezone on her own (for example via \`grunt data:2014d\`, where \`2014d\` stands for the version of the tzdata to be used from IANA's website), +* and Alice let's Mallory select the version (\`2014d\` in our example), then Mallory can execute arbitrary commands on the machine running the grunt task, with the same privilege as the grunt task + +#### Am I affected? + +##### Do you build custom versions of moment-timezone with grunt? + +If no, you're not affected. + +##### Do you allow a third party to specify which particular version you want build? 
+ +If yes, you're vulnerable to command injection -- third party may execute arbitrary commands on the system running grunt task with the same privileges as grunt task. + +### Description + +#### Command Injection via grunt-zdownload.js and MITM on iana's ftp endpoint + +The \`tasks/data-download.js\` script takes in a parameter from grunt and uses it to form a command line which is then executed: + +\`\`\` +6 module.exports = function (grunt) { +7 grunt.registerTask('data-download', '1. Download data from iana.org/time-zones.', function (version) { +8 version = version || 'latest'; + +10 var done = this.async(), +11 src = 'ftp://ftp.iana.org/tz/tzdata-latest.tar.gz', +12 curl = path.resolve('temp/curl', version, 'data.tar.gz'), +13 dest = path.resolve('temp/download', version); +... +24 exec('curl ' + src + ' -o ' + curl + ' && cd ' + dest + ' && gzip -dc ' + curl + ' | tar -xf -', function (err) { +\`\`\` + +Ordinarily, one one run this script using something like \`grunt data-download:2014d\`, in which case version would have the value \`2014d\`. However, if an attacker were to provide additional content on the command line, they would be able to execute arbitrary code + +\`\`\` +root@e94ba0490b65:/usr/src/app/moment-timezone# grunt 'data-download:2014d ; echo flag>/tmp/foo #' +\\Running "data-download:2014d ; echo flag>/tmp/foo #" (data-download) task +>> Downloading https://data.iana.org/time-zones/releases/tzdata2014d ; echo flag>/tmp/foo #.tar.gz +>> Downloaded https://data.iana.org/time-zones/releases/tzdata2014d ; echo flag>/tmp/foo #.tar.gz + +Done. +root@e94ba0490b65:/usr/src/app/moment-timezone# cat /tmp/foo +flag +\`\`\` + +#### Command Injection via data-zdump.js + +The \`tasks/data-zdump.js\` script reads a list of files present in a temporary directory (created by previous tasks), and for each one, assembles and executes a command line without sanitization. 
As a result, an attacker able to influence the contents of that directory could gain code execution. This attack is exacerbated by timezone data being downloaded via cleartext FTP (described above), but beyond that, an attacker at iana.org able to modify the timezone files could disrupt any systems that build moment-timezone. + +\`\`\` +15 files = grunt.file.expand({ filter : 'isFile', cwd : 'temp/zic/' + version }, '**/*'); +... +27 function next () { +... +33 var file = files.pop(), +34 src = path.join(zicBase, file), +35 dest = path.join(zdumpBase, file); +36 exec('zdump -v ' + src, { maxBuffer: 20*1024*1024 }, function (err, stdout) { +\`\`\` + +In this case, an attacker able to add a file to \`temp/zic/2014d\` (for example) with a filename like \`Z; curl www.example.com\` would influence the called to exec on line 36 and run arbitrary code. There are a few minor challenges in exploiting this, since the string needs to be a valid filename. + +#### Command Injection via data-zic.js + +Similar to the vulnerability in /tasks/data-download.js, the /tasks/data-zic.js script takes a version from the command line and uses it as part of a command line, executed without sanitization. + +\`\`\` +10 var done = this.async(), +11 dest = path.resolve('temp/zic', version), +... +22 var file = files.shift(), +23 src = path.resolve('temp/download', version, file); +24 +25 exec('zic -d ' + dest + ' ' + src, function (err) { +\`\`\` + +As a result, an attacker able to influence that string can run arbitrary commands. Of course, it requires an attacker able to influence the command passed to grunt, so may be unlikely in practice. + +\`\`\` +root@e94ba0490b65:/usr/src/app/moment-timezone# grunt 'data-zic:2014d; echo hi > /tmp/evil; echo ' +Running "data-zic:2014d; echo hi > /tmp/evil; echo " (data-zic) task +exec: zid -d /usr/src/app/moment-timezone/temp/zic/2014d; echo hi > /tmp/evil; echo /usr/src/app/moment-timezone/temp/download/2014d; echo hi > /tmp/evil; echo /africa +... 
+ +root@e94ba0490b65:/usr/src/app/moment-timezone# cat /tmp/evil +hi +\`\`\` + +### Patches + +The supplied patch on top of 0.5.34 is applicable with minor tweaks to all affected versions. It switches \`exec\` to \`execFile\` so arbitrary bash fragments won't be executed any more. + +### References + +* https://knowledge-base.secureflag.com/vulnerabilities/code_injection/os_command_injection_nodejs.html +* https://auth0.com/blog/preventing-command-injection-attacks-in-node-js-apps/", + "location": "bkimminich/juice-shop:v12.10.2", + "mitigation": "Update the affected package moment-timezone to the fixed version: 0.5.35 or remove the package from the image.", + "name": "Command Injection in moment-timezone", + "osi_layer": "NOT_APPLICABLE", + "references": [ + { + "type": "URL", + "value": "https://github.com/moment/moment-timezone", + }, + { + "type": "URL", + "value": "https://github.com/moment/moment-timezone/commit/ce955a301ff372e8e9fb3a5b516620c60e7a082a", + }, + { + "type": "URL", + "value": "https://github.com/moment/moment-timezone/security/advisories/GHSA-56x4-j7p9-fcf9", + }, + ], + "severity": "LOW", + }, + { + "attributes": { + "fixedVersion": "1.2.4", + "foundIn": "Node.js", + "installedVersion": "1.2.3", + "packageName": "mout", + "references": [ + "https://github.com/mout/mout", + "https://github.com/mout/mout/blob/master/src/object/deepFillIn.js", + "https://github.com/mout/mout/blob/master/src/object/deepMixIn.js", + "https://github.com/mout/mout/commit/17ffdc2a96417a63a0147156dc045e90d0d14c64", + "https://github.com/mout/mout/pull/279", + "https://nvd.nist.gov/vuln/detail/CVE-2022-21213", + "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-2870623", + "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-2870622", + "https://snyk.io/vuln/SNYK-JS-MOUT-2342654", + ], + "vulnerabilityId": "CVE-2022-21213", + }, + "category": "NPM Package Vulnerability", + "description": "This affects all versions of package mout. 
The deepFillIn function can be used to 'fill missing properties recursively', while the deepMixIn mixes objects into the target object, recursively mixing existing child objects as well. In both cases, the key used to access the target object recursively is not checked, leading to exploiting this vulnerability. **Note:** This vulnerability derives from an incomplete fix of [CVE-2020-7792](https://security.snyk.io/vuln/SNYK-JS-MOUT-1014544).", + "location": "bkimminich/juice-shop:v12.10.2", + "mitigation": "Update the affected package mout to the fixed version: 1.2.4 or remove the package from the image.", + "name": "Prototype Pollution in mout", + "osi_layer": "NOT_APPLICABLE", + "references": [ + { + "type": "CVE", + "value": "CVE-2022-21213", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2022-21213", + }, + { + "type": "URL", + "value": "https://github.com/mout/mout", + }, + { + "type": "URL", + "value": "https://github.com/mout/mout/blob/master/src/object/deepFillIn.js", + }, + { + "type": "URL", + "value": "https://github.com/mout/mout/blob/master/src/object/deepMixIn.js", + }, + { + "type": "URL", + "value": "https://github.com/mout/mout/commit/17ffdc2a96417a63a0147156dc045e90d0d14c64", + }, + { + "type": "URL", + "value": "https://github.com/mout/mout/pull/279", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2022-21213", + }, + { + "type": "URL", + "value": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-2870623", + }, + { + "type": "URL", + "value": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-2870622", + }, + { + "type": "URL", + "value": "https://snyk.io/vuln/SNYK-JS-MOUT-2342654", + }, + ], + "severity": "HIGH", + }, + { + "attributes": { + "fixedVersion": "3.1.1, 2.6.7", + "foundIn": "Node.js", + "installedVersion": "2.6.5", + "packageName": "node-fetch", + "references": [ + "https://access.redhat.com/errata/RHSA-2023:0050", + "https://access.redhat.com/security/cve/CVE-2022-0235", + 
"https://bugzilla.redhat.com/2044591", + "https://bugzilla.redhat.com/2066009", + "https://bugzilla.redhat.com/2134609", + "https://bugzilla.redhat.com/2140911", + "https://bugzilla.redhat.com/2150323", + "https://cert-portal.siemens.com/productcert/pdf/ssa-637483.pdf", + "https://errata.almalinux.org/8/ALSA-2023-0050.html", + "https://github.com/node-fetch/node-fetch", + "https://github.com/node-fetch/node-fetch/commit/1ef4b560a17e644a02a3bfdea7631ffeee578b35", + "https://github.com/node-fetch/node-fetch/commit/36e47e8a6406185921e4985dcbeff140d73eaa10", + "https://github.com/node-fetch/node-fetch/commit/5c32f002fdd65b1c6a8f1e3620210813d45c7e60", + "https://github.com/node-fetch/node-fetch/pull/1449/commits/5c32f002fdd65b1c6a8f1e3620210813d45c7e60", + "https://github.com/node-fetch/node-fetch/pull/1453", + "https://huntr.dev/bounties/d26ab655-38d6-48b3-be15-f9ad6b6ae6f7", + "https://huntr.dev/bounties/d26ab655-38d6-48b3-be15-f9ad6b6ae6f7/", + "https://linux.oracle.com/cve/CVE-2022-0235.html", + "https://linux.oracle.com/errata/ELSA-2023-0050.html", + "https://lists.debian.org/debian-lts-announce/2022/12/msg00007.html", + "https://nvd.nist.gov/vuln/detail/CVE-2022-0235", + "https://ubuntu.com/security/notices/USN-6158-1", + "https://www.cve.org/CVERecord?id=CVE-2022-0235", + ], + "vulnerabilityId": "CVE-2022-0235", + }, + "category": "NPM Package Vulnerability", + "description": "node-fetch is vulnerable to Exposure of Sensitive Information to an Unauthorized Actor", + "location": "bkimminich/juice-shop:v12.10.2", + "mitigation": "Update the affected package node-fetch to the fixed version: 3.1.1, 2.6.7 or remove the package from the image.", + "name": "node-fetch: exposure of sensitive information to an unauthorized actor", + "osi_layer": "NOT_APPLICABLE", + "references": [ + { + "type": "CVE", + "value": "CVE-2022-0235", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2022-0235", + }, + { + "type": "URL", + "value": 
"https://access.redhat.com/errata/RHSA-2023:0050", + }, + { + "type": "URL", + "value": "https://access.redhat.com/security/cve/CVE-2022-0235", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/2044591", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/2066009", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/2134609", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/2140911", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/2150323", + }, + { + "type": "URL", + "value": "https://cert-portal.siemens.com/productcert/pdf/ssa-637483.pdf", + }, + { + "type": "URL", + "value": "https://errata.almalinux.org/8/ALSA-2023-0050.html", + }, + { + "type": "URL", + "value": "https://github.com/node-fetch/node-fetch", + }, + { + "type": "URL", + "value": "https://github.com/node-fetch/node-fetch/commit/1ef4b560a17e644a02a3bfdea7631ffeee578b35", + }, + { + "type": "URL", + "value": "https://github.com/node-fetch/node-fetch/commit/36e47e8a6406185921e4985dcbeff140d73eaa10", + }, + { + "type": "URL", + "value": "https://github.com/node-fetch/node-fetch/commit/5c32f002fdd65b1c6a8f1e3620210813d45c7e60", + }, + { + "type": "URL", + "value": "https://github.com/node-fetch/node-fetch/pull/1449/commits/5c32f002fdd65b1c6a8f1e3620210813d45c7e60", + }, + { + "type": "URL", + "value": "https://github.com/node-fetch/node-fetch/pull/1453", + }, + { + "type": "URL", + "value": "https://huntr.dev/bounties/d26ab655-38d6-48b3-be15-f9ad6b6ae6f7", + }, + { + "type": "URL", + "value": "https://huntr.dev/bounties/d26ab655-38d6-48b3-be15-f9ad6b6ae6f7/", + }, + { + "type": "URL", + "value": "https://linux.oracle.com/cve/CVE-2022-0235.html", + }, + { + "type": "URL", + "value": "https://linux.oracle.com/errata/ELSA-2023-0050.html", + }, + { + "type": "URL", + "value": "https://lists.debian.org/debian-lts-announce/2022/12/msg00007.html", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2022-0235", 
+ }, + { + "type": "URL", + "value": "https://ubuntu.com/security/notices/USN-6158-1", + }, + { + "type": "URL", + "value": "https://www.cve.org/CVERecord?id=CVE-2022-0235", + }, + ], + "severity": "HIGH", + }, + { + "attributes": { + "fixedVersion": undefined, + "foundIn": "Node.js", + "installedVersion": "1.3.3", + "packageName": "notevil", + "references": [ + "https://github.com/mmckegg/notevil", + "https://nvd.nist.gov/vuln/detail/CVE-2021-23771", + "https://snyk.io/vuln/SNYK-JS-ARGENCODERSNOTEVIL-2388587", + "https://snyk.io/vuln/SNYK-JS-NOTEVIL-2385946", + ], + "vulnerabilityId": "CVE-2021-23771", + }, + "category": "NPM Package Vulnerability", + "description": "This affects all versions of package notevil; all versions of package argencoders-notevil. It is vulnerable to Sandbox Escape leading to Prototype pollution. The package fails to restrict access to the main context, allowing an attacker to add or modify an object's prototype. **Note:** This vulnerability derives from an incomplete fix in [SNYK-JS-NOTEVIL-608878](https://security.snyk.io/vuln/SNYK-JS-NOTEVIL-608878).", + "location": "bkimminich/juice-shop:v12.10.2", + "mitigation": "Update the affected package notevil to the fixed version: undefined or remove the package from the image.", + "name": "Sandbox escape in notevil and argencoders-notevil", + "osi_layer": "NOT_APPLICABLE", + "references": [ + { + "type": "CVE", + "value": "CVE-2021-23771", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2021-23771", + }, + { + "type": "URL", + "value": "https://github.com/mmckegg/notevil", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2021-23771", + }, + { + "type": "URL", + "value": "https://snyk.io/vuln/SNYK-JS-ARGENCODERSNOTEVIL-2388587", + }, + { + "type": "URL", + "value": "https://snyk.io/vuln/SNYK-JS-NOTEVIL-2385946", + }, + ], + "severity": "MEDIUM", + }, + { + "attributes": { + "fixedVersion": "1.9.0, 0.1.10, 8.0.0, 3.3.0, 6.3.0", + "foundIn": 
"Node.js", + "installedVersion": "0.1.7", + "packageName": "path-to-regexp", + "references": [ + "https://access.redhat.com/security/cve/CVE-2024-45296", + "https://github.com/pillarjs/path-to-regexp", + "https://github.com/pillarjs/path-to-regexp/commit/29b96b4a1de52824e1ca0f49a701183cc4ed476f", + "https://github.com/pillarjs/path-to-regexp/commit/60f2121e9b66b7b622cc01080df0aabda9eedee6", + "https://github.com/pillarjs/path-to-regexp/commit/925ac8e3c5780b02f58cbd4e52f95da8ad2ac485", + "https://github.com/pillarjs/path-to-regexp/commit/d31670ae8f6e69cbfd56e835742195b7d10942ef", + "https://github.com/pillarjs/path-to-regexp/commit/f1253b47b347dcb909e3e80b0eb2649109e59894", + "https://github.com/pillarjs/path-to-regexp/releases/tag/v6.3.0", + "https://github.com/pillarjs/path-to-regexp/security/advisories/GHSA-9wv6-86v2-598j", + "https://nvd.nist.gov/vuln/detail/CVE-2024-45296", + "https://www.cve.org/CVERecord?id=CVE-2024-45296", + ], + "vulnerabilityId": "CVE-2024-45296", + }, + "category": "NPM Package Vulnerability", + "description": "path-to-regexp turns path strings into a regular expressions. In certain cases, path-to-regexp will output a regular expression that can be exploited to cause poor performance. Because JavaScript is single threaded and regex matching runs on the main thread, poor performance will block the event loop and lead to a DoS. The bad regular expression is generated any time you have two parameters within a single segment, separated by something that is not a period (.). For users of 0.1, upgrade to 0.1.10. 
All other users should upgrade to 8.0.0.", + "location": "bkimminich/juice-shop:v12.10.2", + "mitigation": "Update the affected package path-to-regexp to the fixed version: 1.9.0, 0.1.10, 8.0.0, 3.3.0, 6.3.0 or remove the package from the image.", + "name": "path-to-regexp: Backtracking regular expressions cause ReDoS", + "osi_layer": "NOT_APPLICABLE", + "references": [ + { + "type": "CVE", + "value": "CVE-2024-45296", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2024-45296", + }, + { + "type": "URL", + "value": "https://access.redhat.com/security/cve/CVE-2024-45296", + }, + { + "type": "URL", + "value": "https://github.com/pillarjs/path-to-regexp", + }, + { + "type": "URL", + "value": "https://github.com/pillarjs/path-to-regexp/commit/29b96b4a1de52824e1ca0f49a701183cc4ed476f", + }, + { + "type": "URL", + "value": "https://github.com/pillarjs/path-to-regexp/commit/60f2121e9b66b7b622cc01080df0aabda9eedee6", + }, + { + "type": "URL", + "value": "https://github.com/pillarjs/path-to-regexp/commit/925ac8e3c5780b02f58cbd4e52f95da8ad2ac485", + }, + { + "type": "URL", + "value": "https://github.com/pillarjs/path-to-regexp/commit/d31670ae8f6e69cbfd56e835742195b7d10942ef", + }, + { + "type": "URL", + "value": "https://github.com/pillarjs/path-to-regexp/commit/f1253b47b347dcb909e3e80b0eb2649109e59894", + }, + { + "type": "URL", + "value": "https://github.com/pillarjs/path-to-regexp/releases/tag/v6.3.0", + }, + { + "type": "URL", + "value": "https://github.com/pillarjs/path-to-regexp/security/advisories/GHSA-9wv6-86v2-598j", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2024-45296", + }, + { + "type": "URL", + "value": "https://www.cve.org/CVERecord?id=CVE-2024-45296", + }, + ], + "severity": "HIGH", + }, + { + "attributes": { + "fixedVersion": "3.0.3", + "foundIn": "Node.js", + "installedVersion": "3.0.2", + "packageName": "pug", + "references": [ + 
"https://github.com/Coding-Competition-Team/hackac-2024/tree/main/web/pug", + "https://github.com/pugjs/pug", + "https://github.com/pugjs/pug/blob/4767cafea0af3d3f935553df0f9a8a6e76d470c2/packages/pug/lib/index.js#L328", + "https://github.com/pugjs/pug/commit/32acfe8f197dc44c54e8af32c7d7b19aa9d350fb", + "https://github.com/pugjs/pug/pull/3428", + "https://github.com/pugjs/pug/pull/3438", + "https://github.com/pugjs/pug/releases/tag/pug%403.0.3", + "https://nvd.nist.gov/vuln/detail/CVE-2024-36361", + "https://pugjs.org/api/reference.html", + "https://www.npmjs.com/package/pug-code-gen", + ], + "vulnerabilityId": "CVE-2024-36361", + }, + "category": "NPM Package Vulnerability", + "description": "Pug through 3.0.2 allows JavaScript code execution if an application accepts untrusted input for the name option of the compileClient, compileFileClient, or compileClientWithDependenciesTracked function. NOTE: these functions are for compiling Pug templates into JavaScript, and there would typically be no reason to allow untrusted callers.", + "location": "bkimminich/juice-shop:v12.10.2", + "mitigation": "Update the affected package pug to the fixed version: 3.0.3 or remove the package from the image.", + "name": "Pug allows JavaScript code execution if an application accepts untrusted input", + "osi_layer": "NOT_APPLICABLE", + "references": [ + { + "type": "CVE", + "value": "CVE-2024-36361", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2024-36361", + }, + { + "type": "URL", + "value": "https://github.com/Coding-Competition-Team/hackac-2024/tree/main/web/pug", + }, + { + "type": "URL", + "value": "https://github.com/pugjs/pug", + }, + { + "type": "URL", + "value": "https://github.com/pugjs/pug/blob/4767cafea0af3d3f935553df0f9a8a6e76d470c2/packages/pug/lib/index.js#L328", + }, + { + "type": "URL", + "value": "https://github.com/pugjs/pug/commit/32acfe8f197dc44c54e8af32c7d7b19aa9d350fb", + }, + { + "type": "URL", + "value": 
"https://github.com/pugjs/pug/pull/3428", + }, + { + "type": "URL", + "value": "https://github.com/pugjs/pug/pull/3438", + }, + { + "type": "URL", + "value": "https://github.com/pugjs/pug/releases/tag/pug%403.0.3", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2024-36361", + }, + { + "type": "URL", + "value": "https://pugjs.org/api/reference.html", + }, + { + "type": "URL", + "value": "https://www.npmjs.com/package/pug-code-gen", + }, + ], + "severity": "MEDIUM", + }, + { + "attributes": { + "fixedVersion": "3.0.3", + "foundIn": "Node.js", + "installedVersion": "3.0.2", + "packageName": "pug-code-gen", + "references": [ + "https://github.com/Coding-Competition-Team/hackac-2024/tree/main/web/pug", + "https://github.com/pugjs/pug", + "https://github.com/pugjs/pug/blob/4767cafea0af3d3f935553df0f9a8a6e76d470c2/packages/pug/lib/index.js#L328", + "https://github.com/pugjs/pug/commit/32acfe8f197dc44c54e8af32c7d7b19aa9d350fb", + "https://github.com/pugjs/pug/pull/3428", + "https://github.com/pugjs/pug/pull/3438", + "https://github.com/pugjs/pug/releases/tag/pug%403.0.3", + "https://nvd.nist.gov/vuln/detail/CVE-2024-36361", + "https://pugjs.org/api/reference.html", + "https://www.npmjs.com/package/pug-code-gen", + ], + "vulnerabilityId": "CVE-2024-36361", + }, + "category": "NPM Package Vulnerability", + "description": "Pug through 3.0.2 allows JavaScript code execution if an application accepts untrusted input for the name option of the compileClient, compileFileClient, or compileClientWithDependenciesTracked function. 
NOTE: these functions are for compiling Pug templates into JavaScript, and there would typically be no reason to allow untrusted callers.", + "location": "bkimminich/juice-shop:v12.10.2", + "mitigation": "Update the affected package pug-code-gen to the fixed version: 3.0.3 or remove the package from the image.", + "name": "Pug allows JavaScript code execution if an application accepts untrusted input", + "osi_layer": "NOT_APPLICABLE", + "references": [ + { + "type": "CVE", + "value": "CVE-2024-36361", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2024-36361", + }, + { + "type": "URL", + "value": "https://github.com/Coding-Competition-Team/hackac-2024/tree/main/web/pug", + }, + { + "type": "URL", + "value": "https://github.com/pugjs/pug", + }, + { + "type": "URL", + "value": "https://github.com/pugjs/pug/blob/4767cafea0af3d3f935553df0f9a8a6e76d470c2/packages/pug/lib/index.js#L328", + }, + { + "type": "URL", + "value": "https://github.com/pugjs/pug/commit/32acfe8f197dc44c54e8af32c7d7b19aa9d350fb", + }, + { + "type": "URL", + "value": "https://github.com/pugjs/pug/pull/3428", + }, + { + "type": "URL", + "value": "https://github.com/pugjs/pug/pull/3438", + }, + { + "type": "URL", + "value": "https://github.com/pugjs/pug/releases/tag/pug%403.0.3", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2024-36361", + }, + { + "type": "URL", + "value": "https://pugjs.org/api/reference.html", + }, + { + "type": "URL", + "value": "https://www.npmjs.com/package/pug-code-gen", + }, + ], + "severity": "MEDIUM", + }, + { + "attributes": { + "fixedVersion": "6.10.3, 6.9.7, 6.8.3, 6.7.3, 6.6.1, 6.5.3, 6.4.1, 6.3.3, 6.2.4", + "foundIn": "Node.js", + "installedVersion": "6.5.2", + "packageName": "qs", + "references": [ + "https://access.redhat.com/errata/RHSA-2023:0050", + "https://access.redhat.com/security/cve/CVE-2022-24999", + "https://bugzilla.redhat.com/2044591", + "https://bugzilla.redhat.com/2066009", + 
"https://bugzilla.redhat.com/2134609", + "https://bugzilla.redhat.com/2140911", + "https://bugzilla.redhat.com/2150323", + "https://errata.almalinux.org/8/ALSA-2023-0050.html", + "https://github.com/expressjs/express/releases/tag/4.17.3", + "https://github.com/ljharb/qs", + "https://github.com/ljharb/qs/commit/4310742efbd8c03f6495f07906b45213da0a32ec", + "https://github.com/ljharb/qs/commit/727ef5d34605108acb3513f72d5435972ed15b68", + "https://github.com/ljharb/qs/commit/73205259936317b40f447c5cdb71c5b341848e1b", + "https://github.com/ljharb/qs/commit/8b4cc14cda94a5c89341b77e5fe435ec6c41be2d", + "https://github.com/ljharb/qs/commit/ba24e74dd17931f825adb52f5633e48293b584e1", + "https://github.com/ljharb/qs/commit/e799ba57e573a30c14b67c1889c7c04d508b9105", + "https://github.com/ljharb/qs/commit/ed0f5dcbef4b168a8ae299d78b1e4a2e9b1baf1f", + "https://github.com/ljharb/qs/commit/f945393cfe442fe8c6e62b4156fd35452c0686ee", + "https://github.com/ljharb/qs/commit/fc3682776670524a42e19709ec4a8138d0d7afda", + "https://github.com/ljharb/qs/pull/428", + "https://github.com/n8tz/CVE-2022-24999", + "https://linux.oracle.com/cve/CVE-2022-24999.html", + "https://linux.oracle.com/errata/ELSA-2023-0050.html", + "https://lists.debian.org/debian-lts-announce/2023/01/msg00039.html", + "https://nvd.nist.gov/vuln/detail/CVE-2022-24999", + "https://security.netapp.com/advisory/ntap-20230908-0005/", + "https://www.cve.org/CVERecord?id=CVE-2022-24999", + ], + "vulnerabilityId": "CVE-2022-24999", + }, + "category": "NPM Package Vulnerability", + "description": "qs before 6.10.3, as used in Express before 4.17.3 and other products, allows attackers to cause a Node process hang for an Express application because an __ proto__ key can be used. In many typical Express use cases, an unauthenticated remote attacker can place the attack payload in the query string of the URL that is used to visit the application, such as a[__proto__]=b&a[__proto__]&a[length]=100000000. 
The fix was backported to qs 6.9.7, 6.8.3, 6.7.3, 6.6.1, 6.5.3, 6.4.1, 6.3.3, and 6.2.4 (and therefore Express 4.17.3, which has "deps: qs@6.9.7" in its release description, is not vulnerable).", + "location": "bkimminich/juice-shop:v12.10.2", + "mitigation": "Update the affected package qs to the fixed version: 6.10.3, 6.9.7, 6.8.3, 6.7.3, 6.6.1, 6.5.3, 6.4.1, 6.3.3, 6.2.4 or remove the package from the image.", + "name": "express: "qs" prototype poisoning causes the hang of the node process", + "osi_layer": "NOT_APPLICABLE", + "references": [ + { + "type": "CVE", + "value": "CVE-2022-24999", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2022-24999", + }, + { + "type": "URL", + "value": "https://access.redhat.com/errata/RHSA-2023:0050", + }, + { + "type": "URL", + "value": "https://access.redhat.com/security/cve/CVE-2022-24999", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/2044591", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/2066009", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/2134609", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/2140911", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/2150323", + }, + { + "type": "URL", + "value": "https://errata.almalinux.org/8/ALSA-2023-0050.html", + }, + { + "type": "URL", + "value": "https://github.com/expressjs/express/releases/tag/4.17.3", + }, + { + "type": "URL", + "value": "https://github.com/ljharb/qs", + }, + { + "type": "URL", + "value": "https://github.com/ljharb/qs/commit/4310742efbd8c03f6495f07906b45213da0a32ec", + }, + { + "type": "URL", + "value": "https://github.com/ljharb/qs/commit/727ef5d34605108acb3513f72d5435972ed15b68", + }, + { + "type": "URL", + "value": "https://github.com/ljharb/qs/commit/73205259936317b40f447c5cdb71c5b341848e1b", + }, + { + "type": "URL", + "value": "https://github.com/ljharb/qs/commit/8b4cc14cda94a5c89341b77e5fe435ec6c41be2d", + }, + { + "type": 
"URL", + "value": "https://github.com/ljharb/qs/commit/ba24e74dd17931f825adb52f5633e48293b584e1", + }, + { + "type": "URL", + "value": "https://github.com/ljharb/qs/commit/e799ba57e573a30c14b67c1889c7c04d508b9105", + }, + { + "type": "URL", + "value": "https://github.com/ljharb/qs/commit/ed0f5dcbef4b168a8ae299d78b1e4a2e9b1baf1f", + }, + { + "type": "URL", + "value": "https://github.com/ljharb/qs/commit/f945393cfe442fe8c6e62b4156fd35452c0686ee", + }, + { + "type": "URL", + "value": "https://github.com/ljharb/qs/commit/fc3682776670524a42e19709ec4a8138d0d7afda", + }, + { + "type": "URL", + "value": "https://github.com/ljharb/qs/pull/428", + }, + { + "type": "URL", + "value": "https://github.com/n8tz/CVE-2022-24999", + }, + { + "type": "URL", + "value": "https://linux.oracle.com/cve/CVE-2022-24999.html", + }, + { + "type": "URL", + "value": "https://linux.oracle.com/errata/ELSA-2023-0050.html", + }, + { + "type": "URL", + "value": "https://lists.debian.org/debian-lts-announce/2023/01/msg00039.html", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2022-24999", + }, + { + "type": "URL", + "value": "https://security.netapp.com/advisory/ntap-20230908-0005/", + }, + { + "type": "URL", + "value": "https://www.cve.org/CVERecord?id=CVE-2022-24999", + }, + ], + "severity": "HIGH", + }, + { + "attributes": { + "fixedVersion": "6.10.3, 6.9.7, 6.8.3, 6.7.3, 6.6.1, 6.5.3, 6.4.1, 6.3.3, 6.2.4", + "foundIn": "Node.js", + "installedVersion": "6.5.2", + "packageName": "qs", + "references": [ + "https://access.redhat.com/errata/RHSA-2023:0050", + "https://access.redhat.com/security/cve/CVE-2022-24999", + "https://bugzilla.redhat.com/2044591", + "https://bugzilla.redhat.com/2066009", + "https://bugzilla.redhat.com/2134609", + "https://bugzilla.redhat.com/2140911", + "https://bugzilla.redhat.com/2150323", + "https://errata.almalinux.org/8/ALSA-2023-0050.html", + "https://github.com/expressjs/express/releases/tag/4.17.3", + "https://github.com/ljharb/qs", + 
"https://github.com/ljharb/qs/commit/4310742efbd8c03f6495f07906b45213da0a32ec", + "https://github.com/ljharb/qs/commit/727ef5d34605108acb3513f72d5435972ed15b68", + "https://github.com/ljharb/qs/commit/73205259936317b40f447c5cdb71c5b341848e1b", + "https://github.com/ljharb/qs/commit/8b4cc14cda94a5c89341b77e5fe435ec6c41be2d", + "https://github.com/ljharb/qs/commit/ba24e74dd17931f825adb52f5633e48293b584e1", + "https://github.com/ljharb/qs/commit/e799ba57e573a30c14b67c1889c7c04d508b9105", + "https://github.com/ljharb/qs/commit/ed0f5dcbef4b168a8ae299d78b1e4a2e9b1baf1f", + "https://github.com/ljharb/qs/commit/f945393cfe442fe8c6e62b4156fd35452c0686ee", + "https://github.com/ljharb/qs/commit/fc3682776670524a42e19709ec4a8138d0d7afda", + "https://github.com/ljharb/qs/pull/428", + "https://github.com/n8tz/CVE-2022-24999", + "https://linux.oracle.com/cve/CVE-2022-24999.html", + "https://linux.oracle.com/errata/ELSA-2023-0050.html", + "https://lists.debian.org/debian-lts-announce/2023/01/msg00039.html", + "https://nvd.nist.gov/vuln/detail/CVE-2022-24999", + "https://security.netapp.com/advisory/ntap-20230908-0005/", + "https://www.cve.org/CVERecord?id=CVE-2022-24999", + ], + "vulnerabilityId": "CVE-2022-24999", + }, + "category": "NPM Package Vulnerability", + "description": "qs before 6.10.3, as used in Express before 4.17.3 and other products, allows attackers to cause a Node process hang for an Express application because an __ proto__ key can be used. In many typical Express use cases, an unauthenticated remote attacker can place the attack payload in the query string of the URL that is used to visit the application, such as a[__proto__]=b&a[__proto__]&a[length]=100000000. 
The fix was backported to qs 6.9.7, 6.8.3, 6.7.3, 6.6.1, 6.5.3, 6.4.1, 6.3.3, and 6.2.4 (and therefore Express 4.17.3, which has "deps: qs@6.9.7" in its release description, is not vulnerable).", + "location": "bkimminich/juice-shop:v12.10.2", + "mitigation": "Update the affected package qs to the fixed version: 6.10.3, 6.9.7, 6.8.3, 6.7.3, 6.6.1, 6.5.3, 6.4.1, 6.3.3, 6.2.4 or remove the package from the image.", + "name": "express: "qs" prototype poisoning causes the hang of the node process", + "osi_layer": "NOT_APPLICABLE", + "references": [ + { + "type": "CVE", + "value": "CVE-2022-24999", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2022-24999", + }, + { + "type": "URL", + "value": "https://access.redhat.com/errata/RHSA-2023:0050", + }, + { + "type": "URL", + "value": "https://access.redhat.com/security/cve/CVE-2022-24999", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/2044591", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/2066009", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/2134609", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/2140911", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/2150323", + }, + { + "type": "URL", + "value": "https://errata.almalinux.org/8/ALSA-2023-0050.html", + }, + { + "type": "URL", + "value": "https://github.com/expressjs/express/releases/tag/4.17.3", + }, + { + "type": "URL", + "value": "https://github.com/ljharb/qs", + }, + { + "type": "URL", + "value": "https://github.com/ljharb/qs/commit/4310742efbd8c03f6495f07906b45213da0a32ec", + }, + { + "type": "URL", + "value": "https://github.com/ljharb/qs/commit/727ef5d34605108acb3513f72d5435972ed15b68", + }, + { + "type": "URL", + "value": "https://github.com/ljharb/qs/commit/73205259936317b40f447c5cdb71c5b341848e1b", + }, + { + "type": "URL", + "value": "https://github.com/ljharb/qs/commit/8b4cc14cda94a5c89341b77e5fe435ec6c41be2d", + }, + { + "type": 
"URL", + "value": "https://github.com/ljharb/qs/commit/ba24e74dd17931f825adb52f5633e48293b584e1", + }, + { + "type": "URL", + "value": "https://github.com/ljharb/qs/commit/e799ba57e573a30c14b67c1889c7c04d508b9105", + }, + { + "type": "URL", + "value": "https://github.com/ljharb/qs/commit/ed0f5dcbef4b168a8ae299d78b1e4a2e9b1baf1f", + }, + { + "type": "URL", + "value": "https://github.com/ljharb/qs/commit/f945393cfe442fe8c6e62b4156fd35452c0686ee", + }, + { + "type": "URL", + "value": "https://github.com/ljharb/qs/commit/fc3682776670524a42e19709ec4a8138d0d7afda", + }, + { + "type": "URL", + "value": "https://github.com/ljharb/qs/pull/428", + }, + { + "type": "URL", + "value": "https://github.com/n8tz/CVE-2022-24999", + }, + { + "type": "URL", + "value": "https://linux.oracle.com/cve/CVE-2022-24999.html", + }, + { + "type": "URL", + "value": "https://linux.oracle.com/errata/ELSA-2023-0050.html", + }, + { + "type": "URL", + "value": "https://lists.debian.org/debian-lts-announce/2023/01/msg00039.html", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2022-24999", + }, + { + "type": "URL", + "value": "https://security.netapp.com/advisory/ntap-20230908-0005/", + }, + { + "type": "URL", + "value": "https://www.cve.org/CVERecord?id=CVE-2022-24999", + }, + ], + "severity": "HIGH", + }, + { + "attributes": { + "fixedVersion": "6.10.3, 6.9.7, 6.8.3, 6.7.3, 6.6.1, 6.5.3, 6.4.1, 6.3.3, 6.2.4", + "foundIn": "Node.js", + "installedVersion": "6.7.0", + "packageName": "qs", + "references": [ + "https://access.redhat.com/errata/RHSA-2023:0050", + "https://access.redhat.com/security/cve/CVE-2022-24999", + "https://bugzilla.redhat.com/2044591", + "https://bugzilla.redhat.com/2066009", + "https://bugzilla.redhat.com/2134609", + "https://bugzilla.redhat.com/2140911", + "https://bugzilla.redhat.com/2150323", + "https://errata.almalinux.org/8/ALSA-2023-0050.html", + "https://github.com/expressjs/express/releases/tag/4.17.3", + "https://github.com/ljharb/qs", + 
"https://github.com/ljharb/qs/commit/4310742efbd8c03f6495f07906b45213da0a32ec", + "https://github.com/ljharb/qs/commit/727ef5d34605108acb3513f72d5435972ed15b68", + "https://github.com/ljharb/qs/commit/73205259936317b40f447c5cdb71c5b341848e1b", + "https://github.com/ljharb/qs/commit/8b4cc14cda94a5c89341b77e5fe435ec6c41be2d", + "https://github.com/ljharb/qs/commit/ba24e74dd17931f825adb52f5633e48293b584e1", + "https://github.com/ljharb/qs/commit/e799ba57e573a30c14b67c1889c7c04d508b9105", + "https://github.com/ljharb/qs/commit/ed0f5dcbef4b168a8ae299d78b1e4a2e9b1baf1f", + "https://github.com/ljharb/qs/commit/f945393cfe442fe8c6e62b4156fd35452c0686ee", + "https://github.com/ljharb/qs/commit/fc3682776670524a42e19709ec4a8138d0d7afda", + "https://github.com/ljharb/qs/pull/428", + "https://github.com/n8tz/CVE-2022-24999", + "https://linux.oracle.com/cve/CVE-2022-24999.html", + "https://linux.oracle.com/errata/ELSA-2023-0050.html", + "https://lists.debian.org/debian-lts-announce/2023/01/msg00039.html", + "https://nvd.nist.gov/vuln/detail/CVE-2022-24999", + "https://security.netapp.com/advisory/ntap-20230908-0005/", + "https://www.cve.org/CVERecord?id=CVE-2022-24999", + ], + "vulnerabilityId": "CVE-2022-24999", + }, + "category": "NPM Package Vulnerability", + "description": "qs before 6.10.3, as used in Express before 4.17.3 and other products, allows attackers to cause a Node process hang for an Express application because an __ proto__ key can be used. In many typical Express use cases, an unauthenticated remote attacker can place the attack payload in the query string of the URL that is used to visit the application, such as a[__proto__]=b&a[__proto__]&a[length]=100000000. 
The fix was backported to qs 6.9.7, 6.8.3, 6.7.3, 6.6.1, 6.5.3, 6.4.1, 6.3.3, and 6.2.4 (and therefore Express 4.17.3, which has "deps: qs@6.9.7" in its release description, is not vulnerable).", + "location": "bkimminich/juice-shop:v12.10.2", + "mitigation": "Update the affected package qs to the fixed version: 6.10.3, 6.9.7, 6.8.3, 6.7.3, 6.6.1, 6.5.3, 6.4.1, 6.3.3, 6.2.4 or remove the package from the image.", + "name": "express: "qs" prototype poisoning causes the hang of the node process", + "osi_layer": "NOT_APPLICABLE", + "references": [ + { + "type": "CVE", + "value": "CVE-2022-24999", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2022-24999", + }, + { + "type": "URL", + "value": "https://access.redhat.com/errata/RHSA-2023:0050", + }, + { + "type": "URL", + "value": "https://access.redhat.com/security/cve/CVE-2022-24999", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/2044591", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/2066009", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/2134609", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/2140911", + }, + { + "type": "URL", + "value": "https://bugzilla.redhat.com/2150323", + }, + { + "type": "URL", + "value": "https://errata.almalinux.org/8/ALSA-2023-0050.html", + }, + { + "type": "URL", + "value": "https://github.com/expressjs/express/releases/tag/4.17.3", + }, + { + "type": "URL", + "value": "https://github.com/ljharb/qs", + }, + { + "type": "URL", + "value": "https://github.com/ljharb/qs/commit/4310742efbd8c03f6495f07906b45213da0a32ec", + }, + { + "type": "URL", + "value": "https://github.com/ljharb/qs/commit/727ef5d34605108acb3513f72d5435972ed15b68", + }, + { + "type": "URL", + "value": "https://github.com/ljharb/qs/commit/73205259936317b40f447c5cdb71c5b341848e1b", + }, + { + "type": "URL", + "value": "https://github.com/ljharb/qs/commit/8b4cc14cda94a5c89341b77e5fe435ec6c41be2d", + }, + { + "type": 
"URL", + "value": "https://github.com/ljharb/qs/commit/ba24e74dd17931f825adb52f5633e48293b584e1", + }, + { + "type": "URL", + "value": "https://github.com/ljharb/qs/commit/e799ba57e573a30c14b67c1889c7c04d508b9105", + }, + { + "type": "URL", + "value": "https://github.com/ljharb/qs/commit/ed0f5dcbef4b168a8ae299d78b1e4a2e9b1baf1f", + }, + { + "type": "URL", + "value": "https://github.com/ljharb/qs/commit/f945393cfe442fe8c6e62b4156fd35452c0686ee", + }, + { + "type": "URL", + "value": "https://github.com/ljharb/qs/commit/fc3682776670524a42e19709ec4a8138d0d7afda", + }, + { + "type": "URL", + "value": "https://github.com/ljharb/qs/pull/428", + }, + { + "type": "URL", + "value": "https://github.com/n8tz/CVE-2022-24999", + }, + { + "type": "URL", + "value": "https://linux.oracle.com/cve/CVE-2022-24999.html", + }, + { + "type": "URL", + "value": "https://linux.oracle.com/errata/ELSA-2023-0050.html", + }, + { + "type": "URL", + "value": "https://lists.debian.org/debian-lts-announce/2023/01/msg00039.html", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2022-24999", + }, + { + "type": "URL", + "value": "https://security.netapp.com/advisory/ntap-20230908-0005/", + }, + { + "type": "URL", + "value": "https://www.cve.org/CVERecord?id=CVE-2022-24999", + }, + ], + "severity": "HIGH", + }, + { + "attributes": { + "fixedVersion": undefined, + "foundIn": "Node.js", + "installedVersion": "2.88.0", + "packageName": "request", + "references": [ + "https://doyensec.com/resources/Doyensec_Advisory_RequestSSRF_Q12023.pdf", + "https://github.com/cypress-io/request/blob/master/lib/redirect.js#L116", + "https://github.com/cypress-io/request/commit/c5bcf21d40fb61feaff21a0e5a2b3934a440024f", + "https://github.com/cypress-io/request/pull/28", + "https://github.com/cypress-io/request/releases/tag/v3.0.0", + "https://github.com/github/advisory-database/pull/2500", + "https://github.com/request/request", + 
"https://github.com/request/request/blob/master/lib/redirect.js#L111", + "https://github.com/request/request/issues/3442", + "https://github.com/request/request/pull/3444", + "https://nvd.nist.gov/vuln/detail/CVE-2023-28155", + "https://security.netapp.com/advisory/ntap-20230413-0007", + "https://security.netapp.com/advisory/ntap-20230413-0007/", + ], + "vulnerabilityId": "CVE-2023-28155", + }, + "category": "NPM Package Vulnerability", + "description": "The Request package through 2.88.1 for Node.js allows a bypass of SSRF mitigations via an attacker-controller server that does a cross-protocol redirect (HTTP to HTTPS, or HTTPS to HTTP). NOTE: This vulnerability only affects products that are no longer supported by the maintainer.", + "location": "bkimminich/juice-shop:v12.10.2", + "mitigation": "Update the affected package request to the fixed version: undefined or remove the package from the image.", + "name": "The Request package through 2.88.1 for Node.js allows a bypass of SSRF ...", + "osi_layer": "NOT_APPLICABLE", + "references": [ + { + "type": "CVE", + "value": "CVE-2023-28155", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2023-28155", + }, + { + "type": "URL", + "value": "https://doyensec.com/resources/Doyensec_Advisory_RequestSSRF_Q12023.pdf", + }, + { + "type": "URL", + "value": "https://github.com/cypress-io/request/blob/master/lib/redirect.js#L116", + }, + { + "type": "URL", + "value": "https://github.com/cypress-io/request/commit/c5bcf21d40fb61feaff21a0e5a2b3934a440024f", + }, + { + "type": "URL", + "value": "https://github.com/cypress-io/request/pull/28", + }, + { + "type": "URL", + "value": "https://github.com/cypress-io/request/releases/tag/v3.0.0", + }, + { + "type": "URL", + "value": "https://github.com/github/advisory-database/pull/2500", + }, + { + "type": "URL", + "value": "https://github.com/request/request", + }, + { + "type": "URL", + "value": 
"https://github.com/request/request/blob/master/lib/redirect.js#L111", + }, + { + "type": "URL", + "value": "https://github.com/request/request/issues/3442", + }, + { + "type": "URL", + "value": "https://github.com/request/request/pull/3444", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2023-28155", + }, + { + "type": "URL", + "value": "https://security.netapp.com/advisory/ntap-20230413-0007", + }, + { + "type": "URL", + "value": "https://security.netapp.com/advisory/ntap-20230413-0007/", + }, + ], + "severity": "MEDIUM", + }, + { + "attributes": { + "fixedVersion": undefined, + "foundIn": "Node.js", + "installedVersion": "2.88.2", + "packageName": "request", + "references": [ + "https://doyensec.com/resources/Doyensec_Advisory_RequestSSRF_Q12023.pdf", + "https://github.com/cypress-io/request/blob/master/lib/redirect.js#L116", + "https://github.com/cypress-io/request/commit/c5bcf21d40fb61feaff21a0e5a2b3934a440024f", + "https://github.com/cypress-io/request/pull/28", + "https://github.com/cypress-io/request/releases/tag/v3.0.0", + "https://github.com/github/advisory-database/pull/2500", + "https://github.com/request/request", + "https://github.com/request/request/blob/master/lib/redirect.js#L111", + "https://github.com/request/request/issues/3442", + "https://github.com/request/request/pull/3444", + "https://nvd.nist.gov/vuln/detail/CVE-2023-28155", + "https://security.netapp.com/advisory/ntap-20230413-0007", + "https://security.netapp.com/advisory/ntap-20230413-0007/", + ], + "vulnerabilityId": "CVE-2023-28155", + }, + "category": "NPM Package Vulnerability", + "description": "The Request package through 2.88.1 for Node.js allows a bypass of SSRF mitigations via an attacker-controller server that does a cross-protocol redirect (HTTP to HTTPS, or HTTPS to HTTP). 
NOTE: This vulnerability only affects products that are no longer supported by the maintainer.", + "location": "bkimminich/juice-shop:v12.10.2", + "mitigation": "Update the affected package request to the fixed version: undefined or remove the package from the image.", + "name": "The Request package through 2.88.1 for Node.js allows a bypass of SSRF ...", + "osi_layer": "NOT_APPLICABLE", + "references": [ + { + "type": "CVE", + "value": "CVE-2023-28155", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2023-28155", + }, + { + "type": "URL", + "value": "https://doyensec.com/resources/Doyensec_Advisory_RequestSSRF_Q12023.pdf", + }, + { + "type": "URL", + "value": "https://github.com/cypress-io/request/blob/master/lib/redirect.js#L116", + }, + { + "type": "URL", + "value": "https://github.com/cypress-io/request/commit/c5bcf21d40fb61feaff21a0e5a2b3934a440024f", + }, + { + "type": "URL", + "value": "https://github.com/cypress-io/request/pull/28", + }, + { + "type": "URL", + "value": "https://github.com/cypress-io/request/releases/tag/v3.0.0", + }, + { + "type": "URL", + "value": "https://github.com/github/advisory-database/pull/2500", + }, + { + "type": "URL", + "value": "https://github.com/request/request", + }, + { + "type": "URL", + "value": "https://github.com/request/request/blob/master/lib/redirect.js#L111", + }, + { + "type": "URL", + "value": "https://github.com/request/request/issues/3442", + }, + { + "type": "URL", + "value": "https://github.com/request/request/pull/3444", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2023-28155", + }, + { + "type": "URL", + "value": "https://security.netapp.com/advisory/ntap-20230413-0007", + }, + { + "type": "URL", + "value": "https://security.netapp.com/advisory/ntap-20230413-0007/", + }, + ], + "severity": "MEDIUM", + }, + { + "attributes": { + "fixedVersion": "2.7.1", + "foundIn": "Node.js", + "installedVersion": "1.4.2", + "packageName": "sanitize-html", + 
"references": [ + "https://access.redhat.com/security/cve/CVE-2022-25887", + "https://github.com/apostrophecms/sanitize-html/commit/b4682c12fd30e12e82fa2d9b766de91d7d2cd23c", + "https://github.com/apostrophecms/sanitize-html/pull/557", + "https://nvd.nist.gov/vuln/detail/CVE-2022-25887", + "https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-3008102", + "https://security.snyk.io/vuln/SNYK-JS-SANITIZEHTML-2957526", + "https://www.cve.org/CVERecord?id=CVE-2022-25887", + ], + "vulnerabilityId": "CVE-2022-25887", + }, + "category": "NPM Package Vulnerability", + "description": "The package sanitize-html before 2.7.1 are vulnerable to Regular Expression Denial of Service (ReDoS) due to insecure global regular expression replacement logic of HTML comment removal.", + "location": "bkimminich/juice-shop:v12.10.2", + "mitigation": "Update the affected package sanitize-html to the fixed version: 2.7.1 or remove the package from the image.", + "name": "sanitize-html: insecure global regular expression replacement logic may lead to ReDoS", + "osi_layer": "NOT_APPLICABLE", + "references": [ + { + "type": "CVE", + "value": "CVE-2022-25887", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2022-25887", + }, + { + "type": "URL", + "value": "https://access.redhat.com/security/cve/CVE-2022-25887", + }, + { + "type": "URL", + "value": "https://github.com/apostrophecms/sanitize-html/commit/b4682c12fd30e12e82fa2d9b766de91d7d2cd23c", + }, + { + "type": "URL", + "value": "https://github.com/apostrophecms/sanitize-html/pull/557", }, { "type": "URL", - "value": "https://www.openssl.org/news/secadv/20210216.txt", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2022-25887", }, { "type": "URL", - "value": "https://www.oracle.com//security-alerts/cpujul2021.html", + "value": "https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-3008102", }, { "type": "URL", - "value": "https://www.oracle.com/security-alerts/cpuApr2021.html", + "value": 
"https://security.snyk.io/vuln/SNYK-JS-SANITIZEHTML-2957526", }, { "type": "URL", - "value": "https://www.oracle.com/security-alerts/cpuoct2021.html", + "value": "https://www.cve.org/CVERecord?id=CVE-2022-25887", }, ], - "severity": "LOW", + "severity": "HIGH", }, { "attributes": { - "fixedVersion": "9.3.0-r0", - "foundIn": "bkimminich/juice-shop:v10.2.0 (alpine 3.11.5)", - "installedVersion": "9.2.0-r4", - "packageName": "libgcc", + "fixedVersion": ">=1.4.3", + "foundIn": "Node.js", + "installedVersion": "1.4.2", + "packageName": "sanitize-html", "references": [ - "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00056.html", - "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00057.html", - "http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00058.html", - "https://gcc.gnu.org/bugzilla/show_bug.cgi?id=91481", - "https://linux.oracle.com/cve/CVE-2019-15847.html", - "https://linux.oracle.com/errata/ELSA-2020-1864.html", + "https://github.com/apostrophecms/sanitize-html/commit/762fbc7bba389f3f789cc291c1eb2b64f60f2caf", + "https://github.com/apostrophecms/sanitize-html/issues/29", + "https://github.com/punkave/sanitize-html/issues/29", + "https://nodesecurity.io/advisories/135", + "https://nvd.nist.gov/vuln/detail/CVE-2016-1000237", + "https://raw.githubusercontent.com/distributedweaknessfiling/cvelist/master/2016/1000xxx/CVE-2016-1000237.json", + "https://www.npmjs.com/advisories/135", ], - "vulnerabilityId": "CVE-2019-15847", + "vulnerabilityId": "CVE-2016-1000237", }, - "category": "Image Vulnerability", - "description": "The POWER9 backend in GNU Compiler Collection (GCC) before version 10 could optimize multiple calls of the __builtin_darn intrinsic into a single call, thus reducing the entropy of the random number generator. This occurred because a volatile operation was not specified. 
For example, within a single execution of a program, the output of every __builtin_darn() call may be the same.", - "location": "bkimminich/juice-shop:v10.2.0", - "mitigation": "Update the affected package libgcc to the fixed version: 9.3.0-r0 or remove the package from the image.", - "name": "gcc: POWER9 "DARN" RNG intrinsic produces repeated output", + "category": "NPM Package Vulnerability", + "description": "sanitize-html before 1.4.3 has XSS.", + "location": "bkimminich/juice-shop:v12.10.2", + "mitigation": "Update the affected package sanitize-html to the fixed version: >=1.4.3 or remove the package from the image.", + "name": "XSS - Sanitization not applied recursively", "osi_layer": "NOT_APPLICABLE", "references": [ { "type": "CVE", - "value": "CVE-2019-15847", + "value": "CVE-2016-1000237", }, { "type": "URL", - "value": "https://nvd.nist.gov/vuln/detail/CVE-2019-15847", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2016-1000237", }, { "type": "URL", - "value": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00056.html", + "value": "https://github.com/apostrophecms/sanitize-html/commit/762fbc7bba389f3f789cc291c1eb2b64f60f2caf", }, { "type": "URL", - "value": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00057.html", + "value": "https://github.com/apostrophecms/sanitize-html/issues/29", }, { "type": "URL", - "value": "http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00058.html", + "value": "https://github.com/punkave/sanitize-html/issues/29", }, { "type": "URL", - "value": "https://gcc.gnu.org/bugzilla/show_bug.cgi?id=91481", + "value": "https://nodesecurity.io/advisories/135", }, { "type": "URL", - "value": "https://linux.oracle.com/cve/CVE-2019-15847.html", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2016-1000237", }, { "type": "URL", - "value": "https://linux.oracle.com/errata/ELSA-2020-1864.html", + "value": 
"https://raw.githubusercontent.com/distributedweaknessfiling/cvelist/master/2016/1000xxx/CVE-2016-1000237.json", + }, + { + "type": "URL", + "value": "https://www.npmjs.com/advisories/135", }, ], - "severity": "HIGH", + "severity": "MEDIUM", }, { "attributes": { - "fixedVersion": "1.1.1l-r0", - "foundIn": "bkimminich/juice-shop:v10.2.0 (alpine 3.11.5)", - "installedVersion": "1.1.1d-r3", - "packageName": "libssl1.1", + "fixedVersion": "1.11.4", + "foundIn": "Node.js", + "installedVersion": "1.4.2", + "packageName": "sanitize-html", "references": [ - "http://www.openwall.com/lists/oss-security/2021/08/26/2", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3711", - "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=59f5e75f3bced8fc0e130d72a3f582cf7b480b46", - "https://lists.apache.org/thread.html/r18995de860f0e63635f3008fd2a6aca82394249476d21691e7c59c9e@%3Cdev.tomcat.apache.org%3E", - "https://lists.apache.org/thread.html/rad5d9f83f0d11fb3f8bb148d179b8a9ad7c6a17f18d70e5805a713d1@%3Cdev.tomcat.apache.org%3E", - "https://security.netapp.com/advisory/ntap-20210827-0010/", - "https://security.netapp.com/advisory/ntap-20211022-0003/", - "https://ubuntu.com/security/notices/USN-5051-1", - "https://www.debian.org/security/2021/dsa-4963", - "https://www.openssl.org/news/secadv/20210824.txt", - "https://www.oracle.com/security-alerts/cpuoct2021.html", - "https://www.tenable.com/security/tns-2021-16", + "https://github.com/advisories/GHSA-xc6g-ggrc-qq4r", + "https://github.com/punkave/sanitize-html/commit/5d205a1005ba0df80e21d8c64a15bb3accdb2403", + "https://github.com/punkave/sanitize-html/commit/5d205a1005ba0df80e21d8c64a15bb3accdb2403)))", + "https://github.com/punkave/sanitize-html/issues/100", + "https://nodesecurity.io/advisories/154", + "https://npmjs.com/package/sanitize-html#discarding-the-entire-contents-of-a-disallowed-tag", + "https://nvd.nist.gov/vuln/detail/CVE-2017-16016", + "https://www.npmjs.com/advisories/154", ], - "vulnerabilityId": 
"CVE-2021-3711", + "vulnerabilityId": "CVE-2017-16016", }, - "category": "Image Vulnerability", - "description": "In order to decrypt SM2 encrypted data an application is expected to call the API function EVP_PKEY_decrypt(). Typically an application will call this function twice. The first time, on entry, the "out" parameter can be NULL and, on exit, the "outlen" parameter is populated with the buffer size required to hold the decrypted plaintext. The application can then allocate a sufficiently sized buffer and call EVP_PKEY_decrypt() again, but this time passing a non-NULL value for the "out" parameter. A bug in the implementation of the SM2 decryption code means that the calculation of the buffer size required to hold the plaintext returned by the first call to EVP_PKEY_decrypt() can be smaller than the actual size required by the second call. This can lead to a buffer overflow when EVP_PKEY_decrypt() is called by the application a second time with a buffer that is too small. A malicious attacker who is able present SM2 content for decryption to an application could cause attacker chosen data to overflow the buffer by up to a maximum of 62 bytes altering the contents of other data held after the buffer, possibly changing application behaviour or causing the application to crash. The location of the buffer is application dependent but is typically heap allocated. Fixed in OpenSSL 1.1.1l (Affected 1.1.1-1.1.1k).", - "location": "bkimminich/juice-shop:v10.2.0", - "mitigation": "Update the affected package libssl1.1 to the fixed version: 1.1.1l-r0 or remove the package from the image.", - "name": "openssl: SM2 Decryption Buffer Overflow", + "category": "NPM Package Vulnerability", + "description": "Sanitize-html is a library for scrubbing html input of malicious values. 
Versions 1.11.1 and below are vulnerable to cross site scripting (XSS) in certain scenarios: If allowed at least one nonTextTags, the result is a potential XSS vulnerability.", + "location": "bkimminich/juice-shop:v12.10.2", + "mitigation": "Update the affected package sanitize-html to the fixed version: 1.11.4 or remove the package from the image.", + "name": "Cross-Site Scripting in sanitize-html", "osi_layer": "NOT_APPLICABLE", "references": [ { "type": "CVE", - "value": "CVE-2021-3711", - }, - { - "type": "URL", - "value": "https://nvd.nist.gov/vuln/detail/CVE-2021-3711", - }, - { - "type": "URL", - "value": "http://www.openwall.com/lists/oss-security/2021/08/26/2", - }, - { - "type": "URL", - "value": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3711", - }, - { - "type": "URL", - "value": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=59f5e75f3bced8fc0e130d72a3f582cf7b480b46", + "value": "CVE-2017-16016", }, { "type": "URL", - "value": "https://lists.apache.org/thread.html/r18995de860f0e63635f3008fd2a6aca82394249476d21691e7c59c9e@%3Cdev.tomcat.apache.org%3E", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2017-16016", }, { "type": "URL", - "value": "https://lists.apache.org/thread.html/rad5d9f83f0d11fb3f8bb148d179b8a9ad7c6a17f18d70e5805a713d1@%3Cdev.tomcat.apache.org%3E", + "value": "https://github.com/advisories/GHSA-xc6g-ggrc-qq4r", }, { "type": "URL", - "value": "https://security.netapp.com/advisory/ntap-20210827-0010/", + "value": "https://github.com/punkave/sanitize-html/commit/5d205a1005ba0df80e21d8c64a15bb3accdb2403", }, { "type": "URL", - "value": "https://security.netapp.com/advisory/ntap-20211022-0003/", + "value": "https://github.com/punkave/sanitize-html/commit/5d205a1005ba0df80e21d8c64a15bb3accdb2403)))", }, { "type": "URL", - "value": "https://ubuntu.com/security/notices/USN-5051-1", + "value": "https://github.com/punkave/sanitize-html/issues/100", }, { "type": "URL", - "value": 
"https://www.debian.org/security/2021/dsa-4963", + "value": "https://nodesecurity.io/advisories/154", }, { "type": "URL", - "value": "https://www.openssl.org/news/secadv/20210824.txt", + "value": "https://npmjs.com/package/sanitize-html#discarding-the-entire-contents-of-a-disallowed-tag", }, { "type": "URL", - "value": "https://www.oracle.com/security-alerts/cpuoct2021.html", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2017-16016", }, { "type": "URL", - "value": "https://www.tenable.com/security/tns-2021-16", + "value": "https://www.npmjs.com/advisories/154", }, ], - "severity": "HIGH", + "severity": "MEDIUM", }, { "attributes": { - "fixedVersion": "1.1.1g-r0", - "foundIn": "bkimminich/juice-shop:v10.2.0 (alpine 3.11.5)", - "installedVersion": "1.1.1d-r3", - "packageName": "libssl1.1", + "fixedVersion": "2.3.1", + "foundIn": "Node.js", + "installedVersion": "1.4.2", + "packageName": "sanitize-html", "references": [ - "http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00004.html", - "http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00011.html", - "http://packetstormsecurity.com/files/157527/OpenSSL-signature_algorithms_cert-Denial-Of-Service.html", - "http://seclists.org/fulldisclosure/2020/May/5", - "http://www.openwall.com/lists/oss-security/2020/04/22/2", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1967", - "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=eb563247aef3e83dda7679c43f9649270462e5b1", - "https://github.com/irsl/CVE-2020-1967", - "https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44440", - "https://lists.apache.org/thread.html/r66ea9c436da150683432db5fbc8beb8ae01886c6459ac30c2cea7345@%3Cdev.tomcat.apache.org%3E", - "https://lists.apache.org/thread.html/r94d6ac3f010a38fccf4f432b12180a13fa1cf303559bd805648c9064@%3Cdev.tomcat.apache.org%3E", - "https://lists.apache.org/thread.html/r9a41e304992ce6aec6585a87842b4f2e692604f5c892c37e3b0587ee@%3Cdev.tomcat.apache.org%3E", - 
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DDHOAATPWJCXRNFMJ2SASDBBNU5RJONY/", - "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EXDDAOWSAIEFQNBHWYE6PPYFV4QXGMCD/", - "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XVEP3LAK4JSPRXFO4QF4GG2IVXADV3SO/", - "https://nvd.nist.gov/vuln/detail/CVE-2020-1967", - "https://security.FreeBSD.org/advisories/FreeBSD-SA-20:11.openssl.asc", - "https://security.gentoo.org/glsa/202004-10", - "https://security.netapp.com/advisory/ntap-20200424-0003/", - "https://security.netapp.com/advisory/ntap-20200717-0004/", - "https://www.debian.org/security/2020/dsa-4661", - "https://www.openssl.org/news/secadv/20200421.txt", - "https://www.oracle.com//security-alerts/cpujul2021.html", - "https://www.oracle.com/security-alerts/cpuApr2021.html", - "https://www.oracle.com/security-alerts/cpujan2021.html", - "https://www.oracle.com/security-alerts/cpujul2020.html", - "https://www.oracle.com/security-alerts/cpuoct2020.html", - "https://www.oracle.com/security-alerts/cpuoct2021.html", - "https://www.synology.com/security/advisory/Synology_SA_20_05", - "https://www.synology.com/security/advisory/Synology_SA_20_05_OpenSSL", - "https://www.tenable.com/security/tns-2020-03", - "https://www.tenable.com/security/tns-2020-04", - "https://www.tenable.com/security/tns-2020-11", - "https://www.tenable.com/security/tns-2021-10", + "https://access.redhat.com/security/cve/CVE-2021-26539", + "https://advisory.checkmarx.net/advisory/CX-2021-4308", + "https://github.com/apostrophecms/sanitize-html", + "https://github.com/apostrophecms/sanitize-html/blob/main/CHANGELOG.md#231-2021-01-22", + "https://github.com/apostrophecms/sanitize-html/commit/bdf7836ef8f0e5b21f9a1aab0623ae8fcd09c1da", + "https://github.com/apostrophecms/sanitize-html/pull/458", + "https://nvd.nist.gov/vuln/detail/CVE-2021-26539", + 
"https://www.cve.org/CVERecord?id=CVE-2021-26539", ], - "vulnerabilityId": "CVE-2020-1967", + "vulnerabilityId": "CVE-2021-26539", }, - "category": "Image Vulnerability", - "description": "Server or client applications that call the SSL_check_chain() function during or after a TLS 1.3 handshake may crash due to a NULL pointer dereference as a result of incorrect handling of the "signature_algorithms_cert" TLS extension. The crash occurs if an invalid or unrecognised signature algorithm is received from the peer. This could be exploited by a malicious peer in a Denial of Service attack. OpenSSL version 1.1.1d, 1.1.1e, and 1.1.1f are affected by this issue. This issue did not affect OpenSSL versions prior to 1.1.1d. Fixed in OpenSSL 1.1.1g (Affected 1.1.1d-1.1.1f).", - "location": "bkimminich/juice-shop:v10.2.0", - "mitigation": "Update the affected package libssl1.1 to the fixed version: 1.1.1g-r0 or remove the package from the image.", - "name": "openssl: Segmentation fault in SSL_check_chain causes denial of service", + "category": "NPM Package Vulnerability", + "description": "Apostrophe Technologies sanitize-html before 2.3.1 does not properly handle internationalized domain name (IDN) which could allow an attacker to bypass hostname whitelist validation set by the "allowedIframeHostnames" option.", + "location": "bkimminich/juice-shop:v12.10.2", + "mitigation": "Update the affected package sanitize-html to the fixed version: 2.3.1 or remove the package from the image.", + "name": "sanitize-html: improper handling of internationalized domain name (IDN) can lead to bypass hostname whitelist validation", "osi_layer": "NOT_APPLICABLE", "references": [ { "type": "CVE", - "value": "CVE-2020-1967", + "value": "CVE-2021-26539", }, { "type": "URL", - "value": "https://nvd.nist.gov/vuln/detail/CVE-2020-1967", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2021-26539", }, { "type": "URL", - "value": 
"http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00004.html", + "value": "https://access.redhat.com/security/cve/CVE-2021-26539", }, { "type": "URL", - "value": "http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00011.html", + "value": "https://advisory.checkmarx.net/advisory/CX-2021-4308", }, { "type": "URL", - "value": "http://packetstormsecurity.com/files/157527/OpenSSL-signature_algorithms_cert-Denial-Of-Service.html", + "value": "https://github.com/apostrophecms/sanitize-html", }, { "type": "URL", - "value": "http://seclists.org/fulldisclosure/2020/May/5", + "value": "https://github.com/apostrophecms/sanitize-html/blob/main/CHANGELOG.md#231-2021-01-22", }, { "type": "URL", - "value": "http://www.openwall.com/lists/oss-security/2020/04/22/2", + "value": "https://github.com/apostrophecms/sanitize-html/commit/bdf7836ef8f0e5b21f9a1aab0623ae8fcd09c1da", }, { "type": "URL", - "value": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1967", + "value": "https://github.com/apostrophecms/sanitize-html/pull/458", }, { "type": "URL", - "value": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=eb563247aef3e83dda7679c43f9649270462e5b1", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2021-26539", }, { "type": "URL", - "value": "https://github.com/irsl/CVE-2020-1967", + "value": "https://www.cve.org/CVERecord?id=CVE-2021-26539", + }, + ], + "severity": "MEDIUM", + }, + { + "attributes": { + "fixedVersion": "2.3.2", + "foundIn": "Node.js", + "installedVersion": "1.4.2", + "packageName": "sanitize-html", + "references": [ + "https://access.redhat.com/security/cve/CVE-2021-26540", + "https://advisory.checkmarx.net/advisory/CX-2021-4309", + "https://github.com/apostrophecms/sanitize-html/blob/main/CHANGELOG.md#232-2021-01-26", + "https://github.com/apostrophecms/sanitize-html/pull/460", + "https://nvd.nist.gov/vuln/detail/CVE-2021-26540", + "https://www.cve.org/CVERecord?id=CVE-2021-26540", + ], + "vulnerabilityId": 
"CVE-2021-26540", + }, + "category": "NPM Package Vulnerability", + "description": "Apostrophe Technologies sanitize-html before 2.3.2 does not properly validate the hostnames set by the "allowedIframeHostnames" option when the "allowIframeRelativeUrls" is set to true, which allows attackers to bypass hostname whitelist for iframe element, related using an src value that starts with "/\\\\example.com".", + "location": "bkimminich/juice-shop:v12.10.2", + "mitigation": "Update the affected package sanitize-html to the fixed version: 2.3.2 or remove the package from the image.", + "name": "sanitize-html: improper validation of hostnames set by the "allowedIframeHostnames" option can lead to bypass hostname whitelist for iframe element", + "osi_layer": "NOT_APPLICABLE", + "references": [ + { + "type": "CVE", + "value": "CVE-2021-26540", }, { "type": "URL", - "value": "https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44440", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2021-26540", }, { "type": "URL", - "value": "https://lists.apache.org/thread.html/r66ea9c436da150683432db5fbc8beb8ae01886c6459ac30c2cea7345@%3Cdev.tomcat.apache.org%3E", + "value": "https://access.redhat.com/security/cve/CVE-2021-26540", }, { "type": "URL", - "value": "https://lists.apache.org/thread.html/r94d6ac3f010a38fccf4f432b12180a13fa1cf303559bd805648c9064@%3Cdev.tomcat.apache.org%3E", + "value": "https://advisory.checkmarx.net/advisory/CX-2021-4309", }, { "type": "URL", - "value": "https://lists.apache.org/thread.html/r9a41e304992ce6aec6585a87842b4f2e692604f5c892c37e3b0587ee@%3Cdev.tomcat.apache.org%3E", + "value": "https://github.com/apostrophecms/sanitize-html/blob/main/CHANGELOG.md#232-2021-01-26", }, { "type": "URL", - "value": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DDHOAATPWJCXRNFMJ2SASDBBNU5RJONY/", + "value": "https://github.com/apostrophecms/sanitize-html/pull/460", }, { "type": "URL", - "value": 
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EXDDAOWSAIEFQNBHWYE6PPYFV4QXGMCD/", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2021-26540", }, { "type": "URL", - "value": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XVEP3LAK4JSPRXFO4QF4GG2IVXADV3SO/", + "value": "https://www.cve.org/CVERecord?id=CVE-2021-26540", + }, + ], + "severity": "MEDIUM", + }, + { + "attributes": { + "fixedVersion": "2.12.1", + "foundIn": "Node.js", + "installedVersion": "1.4.2", + "packageName": "sanitize-html", + "references": [ + "https://access.redhat.com/security/cve/CVE-2024-21501", + "https://gist.github.com/Slonser/8b4d061abe6ee1b2e10c7242987674cf", + "https://github.com/apostrophecms/apostrophe/discussions/4436", + "https://github.com/apostrophecms/sanitize-html", + "https://github.com/apostrophecms/sanitize-html/commit/c5dbdf77fe8b836d3bf4554ea39edb45281ec0b4", + "https://github.com/apostrophecms/sanitize-html/pull/650", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4EB5JPYRCTS64EA5AMV3INHDPI6I4AW7", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4EB5JPYRCTS64EA5AMV3INHDPI6I4AW7/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/P4I5X6V3LYUNBMZ5YOW4BV427TH3IK4S", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/P4I5X6V3LYUNBMZ5YOW4BV427TH3IK4S/", + "https://nvd.nist.gov/vuln/detail/CVE-2024-21501", + "https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-6276557", + "https://security.snyk.io/vuln/SNYK-JS-SANITIZEHTML-6256334", + "https://www.cve.org/CVERecord?id=CVE-2024-21501", + ], + "vulnerabilityId": "CVE-2024-21501", + }, + "category": "NPM Package Vulnerability", + "description": "Versions of the package sanitize-html before 2.12.1 are vulnerable to Information Exposure when 
used on the backend and with the style attribute allowed, allowing enumeration of files in the system (including project dependencies). An attacker could exploit this vulnerability to gather details about the file system structure and dependencies of the targeted server.", + "location": "bkimminich/juice-shop:v12.10.2", + "mitigation": "Update the affected package sanitize-html to the fixed version: 2.12.1 or remove the package from the image.", + "name": "sanitize-html: Information Exposure when used on the backend", + "osi_layer": "NOT_APPLICABLE", + "references": [ + { + "type": "CVE", + "value": "CVE-2024-21501", }, { "type": "URL", - "value": "https://nvd.nist.gov/vuln/detail/CVE-2020-1967", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2024-21501", }, { "type": "URL", - "value": "https://security.FreeBSD.org/advisories/FreeBSD-SA-20:11.openssl.asc", + "value": "https://access.redhat.com/security/cve/CVE-2024-21501", }, { "type": "URL", - "value": "https://security.gentoo.org/glsa/202004-10", + "value": "https://gist.github.com/Slonser/8b4d061abe6ee1b2e10c7242987674cf", }, { "type": "URL", - "value": "https://security.netapp.com/advisory/ntap-20200424-0003/", + "value": "https://github.com/apostrophecms/apostrophe/discussions/4436", }, { "type": "URL", - "value": "https://security.netapp.com/advisory/ntap-20200717-0004/", + "value": "https://github.com/apostrophecms/sanitize-html", }, { "type": "URL", - "value": "https://www.debian.org/security/2020/dsa-4661", + "value": "https://github.com/apostrophecms/sanitize-html/commit/c5dbdf77fe8b836d3bf4554ea39edb45281ec0b4", }, { "type": "URL", - "value": "https://www.openssl.org/news/secadv/20200421.txt", + "value": "https://github.com/apostrophecms/sanitize-html/pull/650", }, { "type": "URL", - "value": "https://www.oracle.com//security-alerts/cpujul2021.html", + "value": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4EB5JPYRCTS64EA5AMV3INHDPI6I4AW7", }, { "type": 
"URL", - "value": "https://www.oracle.com/security-alerts/cpuApr2021.html", + "value": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4EB5JPYRCTS64EA5AMV3INHDPI6I4AW7/", }, { "type": "URL", - "value": "https://www.oracle.com/security-alerts/cpujan2021.html", + "value": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/P4I5X6V3LYUNBMZ5YOW4BV427TH3IK4S", }, { "type": "URL", - "value": "https://www.oracle.com/security-alerts/cpujul2020.html", + "value": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/P4I5X6V3LYUNBMZ5YOW4BV427TH3IK4S/", }, { "type": "URL", - "value": "https://www.oracle.com/security-alerts/cpuoct2020.html", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2024-21501", }, { "type": "URL", - "value": "https://www.oracle.com/security-alerts/cpuoct2021.html", + "value": "https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-6276557", }, { "type": "URL", - "value": "https://www.synology.com/security/advisory/Synology_SA_20_05", + "value": "https://security.snyk.io/vuln/SNYK-JS-SANITIZEHTML-6256334", }, { "type": "URL", - "value": "https://www.synology.com/security/advisory/Synology_SA_20_05_OpenSSL", + "value": "https://www.cve.org/CVERecord?id=CVE-2024-21501", }, + ], + "severity": "MEDIUM", + }, + { + "attributes": { + "fixedVersion": ">=1.11.4", + "foundIn": "Node.js", + "installedVersion": "1.4.2", + "packageName": "sanitize-html", + "references": [ + "https://github.com/punkave/sanitize-html/commit/5d205a1005ba0df80e21d8c64a15bb3accdb2403", + "https://github.com/punkave/sanitize-html/issues/100", + ], + "vulnerabilityId": "NSWG-ECO-154", + }, + "category": "NPM Package Vulnerability", + "description": "Sanitize-html is a library for scrubbing html input of malicious values. 
+ +Versions 1.11.1 and below are vulnerable to cross site scripting (XSS) in certain scenarios: + +If allowed at least one nonTextTags, the result is a potential XSS vulnerability. +PoC: + +\`\`\` +var sanitizeHtml = require('sanitize-html'); + +var dirty = '!! +\`\`\`", + "location": "bkimminich/juice-shop:v12.10.2", + "mitigation": "Update the affected package sanitize-html to the fixed version: >=1.11.4 or remove the package from the image.", + "name": "Cross Site Scripting", + "osi_layer": "NOT_APPLICABLE", + "references": [ { - "type": "URL", - "value": "https://www.tenable.com/security/tns-2020-03", + "type": "NSWG", + "value": "NSWG-ECO-154", }, { "type": "URL", - "value": "https://www.tenable.com/security/tns-2020-04", + "value": "https://github.com/nodejs/security-wg/tree/master/vuln", }, { "type": "URL", - "value": "https://www.tenable.com/security/tns-2020-11", + "value": "https://github.com/punkave/sanitize-html/commit/5d205a1005ba0df80e21d8c64a15bb3accdb2403", }, { "type": "URL", - "value": "https://www.tenable.com/security/tns-2021-10", + "value": "https://github.com/punkave/sanitize-html/issues/100", }, ], - "severity": "HIGH", + "severity": "MEDIUM", }, { "attributes": { - "fixedVersion": "1.1.1j-r0", - "foundIn": "bkimminich/juice-shop:v10.2.0 (alpine 3.11.5)", - "installedVersion": "1.1.1d-r3", - "packageName": "libssl1.1", - "references": [ - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23840", - "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=6a51b9e1d0cf0bf8515f7201b68fb0a3482b3dc1", - "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=9b1129239f3ebb1d1c98ce9ed41d5c9476c47cb2", - "https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44846", - "https://kc.mcafee.com/corporate/index?page=content&id=SB10366", - "https://linux.oracle.com/cve/CVE-2021-23840.html", - "https://linux.oracle.com/errata/ELSA-2021-9528.html", - 
"https://lists.apache.org/thread.html/r58af02e294bd07f487e2c64ffc0a29b837db5600e33b6e698b9d696b@%3Cissues.bookkeeper.apache.org%3E", - "https://lists.apache.org/thread.html/rf4c02775860db415b4955778a131c2795223f61cb8c6a450893651e4@%3Cissues.bookkeeper.apache.org%3E", - "https://security.gentoo.org/glsa/202103-03", - "https://security.netapp.com/advisory/ntap-20210219-0009/", - "https://ubuntu.com/security/notices/USN-4738-1", - "https://ubuntu.com/security/notices/USN-5088-1", - "https://www.debian.org/security/2021/dsa-4855", - "https://www.openssl.org/news/secadv/20210216.txt", - "https://www.oracle.com//security-alerts/cpujul2021.html", - "https://www.oracle.com/security-alerts/cpuApr2021.html", - "https://www.oracle.com/security-alerts/cpuoct2021.html", - "https://www.tenable.com/security/tns-2021-03", - "https://www.tenable.com/security/tns-2021-09", - "https://www.tenable.com/security/tns-2021-10", - ], - "vulnerabilityId": "CVE-2021-23840", + "fixedVersion": "7.5.2, 6.3.1, 5.7.2", + "foundIn": "Node.js", + "installedVersion": "5.3.0", + "packageName": "semver", + "references": [ + "https://access.redhat.com/errata/RHSA-2023:5363", + "https://access.redhat.com/security/cve/CVE-2022-25883", + "https://bugzilla.redhat.com/2216475", + "https://bugzilla.redhat.com/2230948", + "https://bugzilla.redhat.com/2230955", + "https://bugzilla.redhat.com/2230956", + "https://errata.almalinux.org/9/ALSA-2023-5363.html", + "https://github.com/advisories/GHSA-c2qf-rxjj-qqgw", + "https://github.com/npm/node-semver", + "https://github.com/npm/node-semver/blob/main/classes/range.js#L97-L104", + "https://github.com/npm/node-semver/blob/main/classes/range.js%23L97-L104", + "https://github.com/npm/node-semver/blob/main/internal/re.js#L138", + "https://github.com/npm/node-semver/blob/main/internal/re.js#L160", + "https://github.com/npm/node-semver/blob/main/internal/re.js%23L138", + "https://github.com/npm/node-semver/blob/main/internal/re.js%23L160", + 
"https://github.com/npm/node-semver/commit/2f8fd41487acf380194579ecb6f8b1bbfe116be0", + "https://github.com/npm/node-semver/commit/717534ee353682f3bcf33e60a8af4292626d4441", + "https://github.com/npm/node-semver/commit/928e56d21150da0413a3333a3148b20e741a920c", + "https://github.com/npm/node-semver/pull/564", + "https://github.com/npm/node-semver/pull/585", + "https://github.com/npm/node-semver/pull/593", + "https://linux.oracle.com/cve/CVE-2022-25883.html", + "https://linux.oracle.com/errata/ELSA-2023-5363.html", + "https://nvd.nist.gov/vuln/detail/CVE-2022-25883", + "https://security.snyk.io/vuln/SNYK-JS-SEMVER-3247795", + "https://www.cve.org/CVERecord?id=CVE-2022-25883", + ], + "vulnerabilityId": "CVE-2022-25883", }, - "category": "Image Vulnerability", - "description": "Calls to EVP_CipherUpdate, EVP_EncryptUpdate and EVP_DecryptUpdate may overflow the output length argument in some cases where the input length is close to the maximum permissible length for an integer on the platform. In such cases the return value from the function call will be 1 (indicating success), but the output length value will be negative. This could cause applications to behave incorrectly or crash. OpenSSL versions 1.1.1i and below are affected by this issue. Users of these versions should upgrade to OpenSSL 1.1.1j. OpenSSL versions 1.0.2x and below are affected by this issue. However OpenSSL 1.0.2 is out of support and no longer receiving public updates. Premium support customers of OpenSSL 1.0.2 should upgrade to 1.0.2y. Other users should upgrade to 1.1.1j. Fixed in OpenSSL 1.1.1j (Affected 1.1.1-1.1.1i). 
Fixed in OpenSSL 1.0.2y (Affected 1.0.2-1.0.2x).", - "location": "bkimminich/juice-shop:v10.2.0", - "mitigation": "Update the affected package libssl1.1 to the fixed version: 1.1.1j-r0 or remove the package from the image.", - "name": "openssl: integer overflow in CipherUpdate", + "category": "NPM Package Vulnerability", + "description": "Versions of the package semver before 7.5.2 are vulnerable to Regular Expression Denial of Service (ReDoS) via the function new Range, when untrusted user data is provided as a range. + + +", + "location": "bkimminich/juice-shop:v12.10.2", + "mitigation": "Update the affected package semver to the fixed version: 7.5.2, 6.3.1, 5.7.2 or remove the package from the image.", + "name": "nodejs-semver: Regular expression denial of service", "osi_layer": "NOT_APPLICABLE", "references": [ { "type": "CVE", - "value": "CVE-2021-23840", + "value": "CVE-2022-25883", }, { "type": "URL", - "value": "https://nvd.nist.gov/vuln/detail/CVE-2021-23840", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2022-25883", }, { "type": "URL", - "value": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23840", + "value": "https://access.redhat.com/errata/RHSA-2023:5363", }, { "type": "URL", - "value": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=6a51b9e1d0cf0bf8515f7201b68fb0a3482b3dc1", + "value": "https://access.redhat.com/security/cve/CVE-2022-25883", }, { "type": "URL", - "value": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=9b1129239f3ebb1d1c98ce9ed41d5c9476c47cb2", + "value": "https://bugzilla.redhat.com/2216475", }, { "type": "URL", - "value": "https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44846", + "value": "https://bugzilla.redhat.com/2230948", }, { "type": "URL", - "value": "https://kc.mcafee.com/corporate/index?page=content&id=SB10366", + "value": "https://bugzilla.redhat.com/2230955", }, { "type": "URL", - "value": "https://linux.oracle.com/cve/CVE-2021-23840.html", + "value": 
"https://bugzilla.redhat.com/2230956", }, { "type": "URL", - "value": "https://linux.oracle.com/errata/ELSA-2021-9528.html", + "value": "https://errata.almalinux.org/9/ALSA-2023-5363.html", }, { "type": "URL", - "value": "https://lists.apache.org/thread.html/r58af02e294bd07f487e2c64ffc0a29b837db5600e33b6e698b9d696b@%3Cissues.bookkeeper.apache.org%3E", + "value": "https://github.com/advisories/GHSA-c2qf-rxjj-qqgw", }, { "type": "URL", - "value": "https://lists.apache.org/thread.html/rf4c02775860db415b4955778a131c2795223f61cb8c6a450893651e4@%3Cissues.bookkeeper.apache.org%3E", + "value": "https://github.com/npm/node-semver", }, { "type": "URL", - "value": "https://security.gentoo.org/glsa/202103-03", + "value": "https://github.com/npm/node-semver/blob/main/classes/range.js#L97-L104", }, { "type": "URL", - "value": "https://security.netapp.com/advisory/ntap-20210219-0009/", + "value": "https://github.com/npm/node-semver/blob/main/classes/range.js%23L97-L104", }, { "type": "URL", - "value": "https://ubuntu.com/security/notices/USN-4738-1", + "value": "https://github.com/npm/node-semver/blob/main/internal/re.js#L138", }, { "type": "URL", - "value": "https://ubuntu.com/security/notices/USN-5088-1", + "value": "https://github.com/npm/node-semver/blob/main/internal/re.js#L160", }, { "type": "URL", - "value": "https://www.debian.org/security/2021/dsa-4855", + "value": "https://github.com/npm/node-semver/blob/main/internal/re.js%23L138", }, { "type": "URL", - "value": "https://www.openssl.org/news/secadv/20210216.txt", + "value": "https://github.com/npm/node-semver/blob/main/internal/re.js%23L160", }, { "type": "URL", - "value": "https://www.oracle.com//security-alerts/cpujul2021.html", + "value": "https://github.com/npm/node-semver/commit/2f8fd41487acf380194579ecb6f8b1bbfe116be0", }, { "type": "URL", - "value": "https://www.oracle.com/security-alerts/cpuApr2021.html", + "value": "https://github.com/npm/node-semver/commit/717534ee353682f3bcf33e60a8af4292626d4441", }, { 
"type": "URL", - "value": "https://www.oracle.com/security-alerts/cpuoct2021.html", + "value": "https://github.com/npm/node-semver/commit/928e56d21150da0413a3333a3148b20e741a920c", }, { "type": "URL", - "value": "https://www.tenable.com/security/tns-2021-03", + "value": "https://github.com/npm/node-semver/pull/564", }, { "type": "URL", - "value": "https://www.tenable.com/security/tns-2021-09", + "value": "https://github.com/npm/node-semver/pull/585", }, { "type": "URL", - "value": "https://www.tenable.com/security/tns-2021-10", + "value": "https://github.com/npm/node-semver/pull/593", + }, + { + "type": "URL", + "value": "https://linux.oracle.com/cve/CVE-2022-25883.html", + }, + { + "type": "URL", + "value": "https://linux.oracle.com/errata/ELSA-2023-5363.html", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2022-25883", + }, + { + "type": "URL", + "value": "https://security.snyk.io/vuln/SNYK-JS-SEMVER-3247795", + }, + { + "type": "URL", + "value": "https://www.cve.org/CVERecord?id=CVE-2022-25883", }, ], "severity": "HIGH", }, { "attributes": { - "fixedVersion": "1.1.1k-r0", - "foundIn": "bkimminich/juice-shop:v10.2.0 (alpine 3.11.5)", - "installedVersion": "1.1.1d-r3", - "packageName": "libssl1.1", - "references": [ - "http://www.openwall.com/lists/oss-security/2021/03/27/1", - "http://www.openwall.com/lists/oss-security/2021/03/27/2", - "http://www.openwall.com/lists/oss-security/2021/03/28/3", - "http://www.openwall.com/lists/oss-security/2021/03/28/4", - "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=2a40b7bc7b94dd7de897a74571e7024f0cf0d63b", - "https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44845", - "https://kc.mcafee.com/corporate/index?page=content&id=SB10356", - "https://linux.oracle.com/cve/CVE-2021-3450.html", - "https://linux.oracle.com/errata/ELSA-2021-9151.html", - 
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CCBFLLVQVILIVGZMBJL3IXZGKWQISYNP/", - "https://mta.openssl.org/pipermail/openssl-announce/2021-March/000198.html", - "https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0013", - "https://security.FreeBSD.org/advisories/FreeBSD-SA-21:07.openssl.asc", - "https://security.gentoo.org/glsa/202103-03", - "https://security.netapp.com/advisory/ntap-20210326-0006/", - "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-openssl-2021-GHY28dJd", - "https://www.openssl.org/news/secadv/20210325.txt", - "https://www.oracle.com//security-alerts/cpujul2021.html", - "https://www.oracle.com/security-alerts/cpuApr2021.html", - "https://www.oracle.com/security-alerts/cpuoct2021.html", - "https://www.tenable.com/security/tns-2021-05", - "https://www.tenable.com/security/tns-2021-08", - "https://www.tenable.com/security/tns-2021-09", - ], - "vulnerabilityId": "CVE-2021-3450", + "fixedVersion": "7.5.2, 6.3.1, 5.7.2", + "foundIn": "Node.js", + "installedVersion": "5.7.1", + "packageName": "semver", + "references": [ + "https://access.redhat.com/errata/RHSA-2023:5363", + "https://access.redhat.com/security/cve/CVE-2022-25883", + "https://bugzilla.redhat.com/2216475", + "https://bugzilla.redhat.com/2230948", + "https://bugzilla.redhat.com/2230955", + "https://bugzilla.redhat.com/2230956", + "https://errata.almalinux.org/9/ALSA-2023-5363.html", + "https://github.com/advisories/GHSA-c2qf-rxjj-qqgw", + "https://github.com/npm/node-semver", + "https://github.com/npm/node-semver/blob/main/classes/range.js#L97-L104", + "https://github.com/npm/node-semver/blob/main/classes/range.js%23L97-L104", + "https://github.com/npm/node-semver/blob/main/internal/re.js#L138", + "https://github.com/npm/node-semver/blob/main/internal/re.js#L160", + "https://github.com/npm/node-semver/blob/main/internal/re.js%23L138", + 
"https://github.com/npm/node-semver/blob/main/internal/re.js%23L160", + "https://github.com/npm/node-semver/commit/2f8fd41487acf380194579ecb6f8b1bbfe116be0", + "https://github.com/npm/node-semver/commit/717534ee353682f3bcf33e60a8af4292626d4441", + "https://github.com/npm/node-semver/commit/928e56d21150da0413a3333a3148b20e741a920c", + "https://github.com/npm/node-semver/pull/564", + "https://github.com/npm/node-semver/pull/585", + "https://github.com/npm/node-semver/pull/593", + "https://linux.oracle.com/cve/CVE-2022-25883.html", + "https://linux.oracle.com/errata/ELSA-2023-5363.html", + "https://nvd.nist.gov/vuln/detail/CVE-2022-25883", + "https://security.snyk.io/vuln/SNYK-JS-SEMVER-3247795", + "https://www.cve.org/CVERecord?id=CVE-2022-25883", + ], + "vulnerabilityId": "CVE-2022-25883", }, - "category": "Image Vulnerability", - "description": "The X509_V_FLAG_X509_STRICT flag enables additional security checks of the certificates present in a certificate chain. It is not set by default. Starting from OpenSSL version 1.1.1h a check to disallow certificates in the chain that have explicitly encoded elliptic curve parameters was added as an additional strict check. An error in the implementation of this check meant that the result of a previous check to confirm that certificates in the chain are valid CA certificates was overwritten. This effectively bypasses the check that non-CA certificates must not be able to issue other certificates. If a "purpose" has been configured then there is a subsequent opportunity for checks that the certificate is a valid CA. All of the named "purpose" values implemented in libcrypto perform this check. Therefore, where a purpose is set the certificate chain will still be rejected even when the strict flag has been used. A purpose is set by default in libssl client and server certificate verification routines, but it can be overridden or removed by an application. 
In order to be affected, an application must explicitly set the X509_V_FLAG_X509_STRICT verification flag and either not set a purpose for the certificate verification or, in the case of TLS client or server applications, override the default purpose. OpenSSL versions 1.1.1h and newer are affected by this issue. Users of these versions should upgrade to OpenSSL 1.1.1k. OpenSSL 1.0.2 is not impacted by this issue. Fixed in OpenSSL 1.1.1k (Affected 1.1.1h-1.1.1j).", - "location": "bkimminich/juice-shop:v10.2.0", - "mitigation": "Update the affected package libssl1.1 to the fixed version: 1.1.1k-r0 or remove the package from the image.", - "name": "openssl: CA certificate check bypass with X509_V_FLAG_X509_STRICT", + "category": "NPM Package Vulnerability", + "description": "Versions of the package semver before 7.5.2 are vulnerable to Regular Expression Denial of Service (ReDoS) via the function new Range, when untrusted user data is provided as a range. + + +", + "location": "bkimminich/juice-shop:v12.10.2", + "mitigation": "Update the affected package semver to the fixed version: 7.5.2, 6.3.1, 5.7.2 or remove the package from the image.", + "name": "nodejs-semver: Regular expression denial of service", "osi_layer": "NOT_APPLICABLE", "references": [ { "type": "CVE", - "value": "CVE-2021-3450", + "value": "CVE-2022-25883", }, { "type": "URL", - "value": "https://nvd.nist.gov/vuln/detail/CVE-2021-3450", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2022-25883", }, { "type": "URL", - "value": "http://www.openwall.com/lists/oss-security/2021/03/27/1", + "value": "https://access.redhat.com/errata/RHSA-2023:5363", }, { "type": "URL", - "value": "http://www.openwall.com/lists/oss-security/2021/03/27/2", + "value": "https://access.redhat.com/security/cve/CVE-2022-25883", }, { "type": "URL", - "value": "http://www.openwall.com/lists/oss-security/2021/03/28/3", + "value": "https://bugzilla.redhat.com/2216475", }, { "type": "URL", - "value": 
"http://www.openwall.com/lists/oss-security/2021/03/28/4", + "value": "https://bugzilla.redhat.com/2230948", }, { "type": "URL", - "value": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=2a40b7bc7b94dd7de897a74571e7024f0cf0d63b", + "value": "https://bugzilla.redhat.com/2230955", }, { "type": "URL", - "value": "https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44845", + "value": "https://bugzilla.redhat.com/2230956", }, { "type": "URL", - "value": "https://kc.mcafee.com/corporate/index?page=content&id=SB10356", + "value": "https://errata.almalinux.org/9/ALSA-2023-5363.html", }, { "type": "URL", - "value": "https://linux.oracle.com/cve/CVE-2021-3450.html", + "value": "https://github.com/advisories/GHSA-c2qf-rxjj-qqgw", }, { "type": "URL", - "value": "https://linux.oracle.com/errata/ELSA-2021-9151.html", + "value": "https://github.com/npm/node-semver", }, { "type": "URL", - "value": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CCBFLLVQVILIVGZMBJL3IXZGKWQISYNP/", + "value": "https://github.com/npm/node-semver/blob/main/classes/range.js#L97-L104", }, { "type": "URL", - "value": "https://mta.openssl.org/pipermail/openssl-announce/2021-March/000198.html", + "value": "https://github.com/npm/node-semver/blob/main/classes/range.js%23L97-L104", }, { "type": "URL", - "value": "https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0013", + "value": "https://github.com/npm/node-semver/blob/main/internal/re.js#L138", }, { "type": "URL", - "value": "https://security.FreeBSD.org/advisories/FreeBSD-SA-21:07.openssl.asc", + "value": "https://github.com/npm/node-semver/blob/main/internal/re.js#L160", }, { "type": "URL", - "value": "https://security.gentoo.org/glsa/202103-03", + "value": "https://github.com/npm/node-semver/blob/main/internal/re.js%23L138", }, { "type": "URL", - "value": "https://security.netapp.com/advisory/ntap-20210326-0006/", + "value": 
"https://github.com/npm/node-semver/blob/main/internal/re.js%23L160", }, { "type": "URL", - "value": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-openssl-2021-GHY28dJd", + "value": "https://github.com/npm/node-semver/commit/2f8fd41487acf380194579ecb6f8b1bbfe116be0", }, { "type": "URL", - "value": "https://www.openssl.org/news/secadv/20210325.txt", + "value": "https://github.com/npm/node-semver/commit/717534ee353682f3bcf33e60a8af4292626d4441", }, { "type": "URL", - "value": "https://www.oracle.com//security-alerts/cpujul2021.html", + "value": "https://github.com/npm/node-semver/commit/928e56d21150da0413a3333a3148b20e741a920c", }, { "type": "URL", - "value": "https://www.oracle.com/security-alerts/cpuApr2021.html", + "value": "https://github.com/npm/node-semver/pull/564", }, { "type": "URL", - "value": "https://www.oracle.com/security-alerts/cpuoct2021.html", + "value": "https://github.com/npm/node-semver/pull/585", }, { "type": "URL", - "value": "https://www.tenable.com/security/tns-2021-05", + "value": "https://github.com/npm/node-semver/pull/593", }, { "type": "URL", - "value": "https://www.tenable.com/security/tns-2021-08", + "value": "https://linux.oracle.com/cve/CVE-2022-25883.html", }, { "type": "URL", - "value": "https://www.tenable.com/security/tns-2021-09", + "value": "https://linux.oracle.com/errata/ELSA-2023-5363.html", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2022-25883", + }, + { + "type": "URL", + "value": "https://security.snyk.io/vuln/SNYK-JS-SEMVER-3247795", + }, + { + "type": "URL", + "value": "https://www.cve.org/CVERecord?id=CVE-2022-25883", }, ], "severity": "HIGH", }, { "attributes": { - "fixedVersion": "1.1.1l-r0", - "foundIn": "bkimminich/juice-shop:v10.2.0 (alpine 3.11.5)", - "installedVersion": "1.1.1d-r3", - "packageName": "libssl1.1", - "references": [ - "http://www.openwall.com/lists/oss-security/2021/08/26/2", - 
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3712", - "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=94d23fcff9b2a7a8368dfe52214d5c2569882c11", - "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=ccb0a11145ee72b042d10593a64eaf9e8a55ec12", - "https://kc.mcafee.com/corporate/index?page=content&id=SB10366", - "https://lists.apache.org/thread.html/r18995de860f0e63635f3008fd2a6aca82394249476d21691e7c59c9e@%3Cdev.tomcat.apache.org%3E", - "https://lists.apache.org/thread.html/rad5d9f83f0d11fb3f8bb148d179b8a9ad7c6a17f18d70e5805a713d1@%3Cdev.tomcat.apache.org%3E", - "https://lists.debian.org/debian-lts-announce/2021/09/msg00014.html", - "https://lists.debian.org/debian-lts-announce/2021/09/msg00021.html", - "https://security.netapp.com/advisory/ntap-20210827-0010/", - "https://ubuntu.com/security/notices/USN-5051-1", - "https://ubuntu.com/security/notices/USN-5051-2", - "https://ubuntu.com/security/notices/USN-5051-3", - "https://ubuntu.com/security/notices/USN-5051-4 (regression only in trusty/esm)", - "https://ubuntu.com/security/notices/USN-5088-1", - "https://www.debian.org/security/2021/dsa-4963", - "https://www.openssl.org/news/secadv/20210824.txt", - "https://www.oracle.com/security-alerts/cpuoct2021.html", - "https://www.tenable.com/security/tns-2021-16", - ], - "vulnerabilityId": "CVE-2021-3712", + "fixedVersion": "7.5.2, 6.3.1, 5.7.2", + "foundIn": "Node.js", + "installedVersion": "5.7.1", + "packageName": "semver", + "references": [ + "https://access.redhat.com/errata/RHSA-2023:5363", + "https://access.redhat.com/security/cve/CVE-2022-25883", + "https://bugzilla.redhat.com/2216475", + "https://bugzilla.redhat.com/2230948", + "https://bugzilla.redhat.com/2230955", + "https://bugzilla.redhat.com/2230956", + "https://errata.almalinux.org/9/ALSA-2023-5363.html", + "https://github.com/advisories/GHSA-c2qf-rxjj-qqgw", + "https://github.com/npm/node-semver", + 
"https://github.com/npm/node-semver/blob/main/classes/range.js#L97-L104", + "https://github.com/npm/node-semver/blob/main/classes/range.js%23L97-L104", + "https://github.com/npm/node-semver/blob/main/internal/re.js#L138", + "https://github.com/npm/node-semver/blob/main/internal/re.js#L160", + "https://github.com/npm/node-semver/blob/main/internal/re.js%23L138", + "https://github.com/npm/node-semver/blob/main/internal/re.js%23L160", + "https://github.com/npm/node-semver/commit/2f8fd41487acf380194579ecb6f8b1bbfe116be0", + "https://github.com/npm/node-semver/commit/717534ee353682f3bcf33e60a8af4292626d4441", + "https://github.com/npm/node-semver/commit/928e56d21150da0413a3333a3148b20e741a920c", + "https://github.com/npm/node-semver/pull/564", + "https://github.com/npm/node-semver/pull/585", + "https://github.com/npm/node-semver/pull/593", + "https://linux.oracle.com/cve/CVE-2022-25883.html", + "https://linux.oracle.com/errata/ELSA-2023-5363.html", + "https://nvd.nist.gov/vuln/detail/CVE-2022-25883", + "https://security.snyk.io/vuln/SNYK-JS-SEMVER-3247795", + "https://www.cve.org/CVERecord?id=CVE-2022-25883", + ], + "vulnerabilityId": "CVE-2022-25883", }, - "category": "Image Vulnerability", - "description": "ASN.1 strings are represented internally within OpenSSL as an ASN1_STRING structure which contains a buffer holding the string data and a field holding the buffer length. This contrasts with normal C strings which are repesented as a buffer for the string data which is terminated with a NUL (0) byte. Although not a strict requirement, ASN.1 strings that are parsed using OpenSSL's own "d2i" functions (and other similar parsing functions) as well as any string whose value has been set with the ASN1_STRING_set() function will additionally NUL terminate the byte array in the ASN1_STRING structure. 
However, it is possible for applications to directly construct valid ASN1_STRING structures which do not NUL terminate the byte array by directly setting the "data" and "length" fields in the ASN1_STRING array. This can also happen by using the ASN1_STRING_set0() function. Numerous OpenSSL functions that print ASN.1 data have been found to assume that the ASN1_STRING byte array will be NUL terminated, even though this is not guaranteed for strings that have been directly constructed. Where an application requests an ASN.1 structure to be printed, and where that ASN.1 structure contains ASN1_STRINGs that have been directly constructed by the application without NUL terminating the "data" field, then a read buffer overrun can occur. The same thing can also occur during name constraints processing of certificates (for example if a certificate has been directly constructed by the application instead of loading it via the OpenSSL parsing functions, and the certificate contains non NUL terminated ASN1_STRING structures). It can also occur in the X509_get1_email(), X509_REQ_get1_email() and X509_get1_ocsp() functions. If a malicious actor can cause an application to directly construct an ASN1_STRING and then process it through one of the affected OpenSSL functions then this issue could be hit. This might result in a crash (causing a Denial of Service attack). It could also result in the disclosure of private memory contents (such as private keys, or sensitive plaintext). Fixed in OpenSSL 1.1.1l (Affected 1.1.1-1.1.1k). 
Fixed in OpenSSL 1.0.2za (Affected 1.0.2-1.0.2y).", - "location": "bkimminich/juice-shop:v10.2.0", - "mitigation": "Update the affected package libssl1.1 to the fixed version: 1.1.1l-r0 or remove the package from the image.", - "name": "openssl: Read buffer overruns processing ASN.1 strings", + "category": "NPM Package Vulnerability", + "description": "Versions of the package semver before 7.5.2 are vulnerable to Regular Expression Denial of Service (ReDoS) via the function new Range, when untrusted user data is provided as a range. + + +", + "location": "bkimminich/juice-shop:v12.10.2", + "mitigation": "Update the affected package semver to the fixed version: 7.5.2, 6.3.1, 5.7.2 or remove the package from the image.", + "name": "nodejs-semver: Regular expression denial of service", "osi_layer": "NOT_APPLICABLE", "references": [ { - "type": "CVE", - "value": "CVE-2021-3712", + "type": "CVE", + "value": "CVE-2022-25883", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2022-25883", + }, + { + "type": "URL", + "value": "https://access.redhat.com/errata/RHSA-2023:5363", }, { "type": "URL", - "value": "https://nvd.nist.gov/vuln/detail/CVE-2021-3712", + "value": "https://access.redhat.com/security/cve/CVE-2022-25883", }, { "type": "URL", - "value": "http://www.openwall.com/lists/oss-security/2021/08/26/2", + "value": "https://bugzilla.redhat.com/2216475", }, { "type": "URL", - "value": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3712", + "value": "https://bugzilla.redhat.com/2230948", }, { "type": "URL", - "value": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=94d23fcff9b2a7a8368dfe52214d5c2569882c11", + "value": "https://bugzilla.redhat.com/2230955", }, { "type": "URL", - "value": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=ccb0a11145ee72b042d10593a64eaf9e8a55ec12", + "value": "https://bugzilla.redhat.com/2230956", }, { "type": "URL", - "value": 
"https://kc.mcafee.com/corporate/index?page=content&id=SB10366", + "value": "https://errata.almalinux.org/9/ALSA-2023-5363.html", }, { "type": "URL", - "value": "https://lists.apache.org/thread.html/r18995de860f0e63635f3008fd2a6aca82394249476d21691e7c59c9e@%3Cdev.tomcat.apache.org%3E", + "value": "https://github.com/advisories/GHSA-c2qf-rxjj-qqgw", }, { "type": "URL", - "value": "https://lists.apache.org/thread.html/rad5d9f83f0d11fb3f8bb148d179b8a9ad7c6a17f18d70e5805a713d1@%3Cdev.tomcat.apache.org%3E", + "value": "https://github.com/npm/node-semver", }, { "type": "URL", - "value": "https://lists.debian.org/debian-lts-announce/2021/09/msg00014.html", + "value": "https://github.com/npm/node-semver/blob/main/classes/range.js#L97-L104", }, { "type": "URL", - "value": "https://lists.debian.org/debian-lts-announce/2021/09/msg00021.html", + "value": "https://github.com/npm/node-semver/blob/main/classes/range.js%23L97-L104", }, { "type": "URL", - "value": "https://security.netapp.com/advisory/ntap-20210827-0010/", + "value": "https://github.com/npm/node-semver/blob/main/internal/re.js#L138", }, { "type": "URL", - "value": "https://ubuntu.com/security/notices/USN-5051-1", + "value": "https://github.com/npm/node-semver/blob/main/internal/re.js#L160", }, { "type": "URL", - "value": "https://ubuntu.com/security/notices/USN-5051-2", + "value": "https://github.com/npm/node-semver/blob/main/internal/re.js%23L138", }, { "type": "URL", - "value": "https://ubuntu.com/security/notices/USN-5051-3", + "value": "https://github.com/npm/node-semver/blob/main/internal/re.js%23L160", }, { "type": "URL", - "value": "https://ubuntu.com/security/notices/USN-5051-4 (regression only in trusty/esm)", + "value": "https://github.com/npm/node-semver/commit/2f8fd41487acf380194579ecb6f8b1bbfe116be0", }, { "type": "URL", - "value": "https://ubuntu.com/security/notices/USN-5088-1", + "value": "https://github.com/npm/node-semver/commit/717534ee353682f3bcf33e60a8af4292626d4441", }, { "type": "URL", - 
"value": "https://www.debian.org/security/2021/dsa-4963", + "value": "https://github.com/npm/node-semver/commit/928e56d21150da0413a3333a3148b20e741a920c", }, { "type": "URL", - "value": "https://www.openssl.org/news/secadv/20210824.txt", + "value": "https://github.com/npm/node-semver/pull/564", }, { "type": "URL", - "value": "https://www.oracle.com/security-alerts/cpuoct2021.html", + "value": "https://github.com/npm/node-semver/pull/585", }, { "type": "URL", - "value": "https://www.tenable.com/security/tns-2021-16", + "value": "https://github.com/npm/node-semver/pull/593", + }, + { + "type": "URL", + "value": "https://linux.oracle.com/cve/CVE-2022-25883.html", + }, + { + "type": "URL", + "value": "https://linux.oracle.com/errata/ELSA-2023-5363.html", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2022-25883", + }, + { + "type": "URL", + "value": "https://security.snyk.io/vuln/SNYK-JS-SEMVER-3247795", + }, + { + "type": "URL", + "value": "https://www.cve.org/CVERecord?id=CVE-2022-25883", }, ], "severity": "HIGH", }, { "attributes": { - "fixedVersion": "1.1.1i-r0", - "foundIn": "bkimminich/juice-shop:v10.2.0 (alpine 3.11.5)", - "installedVersion": "1.1.1d-r3", - "packageName": "libssl1.1", - "references": [ - "http://www.openwall.com/lists/oss-security/2021/09/14/2", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1971", - "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=2154ab83e14ede338d2ede9bbe5cdfce5d5a6c9e", - "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=f960d81215ebf3f65e03d4d5d857fb9b666d6920", - "https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44676", - "https://linux.oracle.com/cve/CVE-2020-1971.html", - "https://linux.oracle.com/errata/ELSA-2021-9150.html", - "https://lists.apache.org/thread.html/r63c6f2dd363d9b514d0a4bcf624580616a679898cc14c109a49b750c@%3Cdev.tomcat.apache.org%3E", - 
"https://lists.apache.org/thread.html/rbb769f771711fb274e0a4acb1b5911c8aab544a6ac5e8c12d40c5143@%3Ccommits.pulsar.apache.org%3E", - "https://lists.debian.org/debian-lts-announce/2020/12/msg00020.html", - "https://lists.debian.org/debian-lts-announce/2020/12/msg00021.html", - "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DGSI34Y5LQ5RYXN4M2I5ZQT65LFVDOUU/", - "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PWPSSZNZOBJU2YR6Z4TGHXKYW3YP5QG7/", - "https://security.FreeBSD.org/advisories/FreeBSD-SA-20:33.openssl.asc", - "https://security.gentoo.org/glsa/202012-13", - "https://security.netapp.com/advisory/ntap-20201218-0005/", - "https://security.netapp.com/advisory/ntap-20210513-0002/", - "https://ubuntu.com/security/notices/USN-4662-1", - "https://ubuntu.com/security/notices/USN-4745-1", - "https://www.debian.org/security/2020/dsa-4807", - "https://www.openssl.org/news/secadv/20201208.txt", - "https://www.oracle.com//security-alerts/cpujul2021.html", - "https://www.oracle.com/security-alerts/cpuApr2021.html", - "https://www.oracle.com/security-alerts/cpujan2021.html", - "https://www.oracle.com/security-alerts/cpuoct2021.html", - "https://www.tenable.com/security/tns-2020-11", - "https://www.tenable.com/security/tns-2021-09", - "https://www.tenable.com/security/tns-2021-10", - ], - "vulnerabilityId": "CVE-2020-1971", + "fixedVersion": "7.5.2, 6.3.1, 5.7.2", + "foundIn": "Node.js", + "installedVersion": "5.7.1", + "packageName": "semver", + "references": [ + "https://access.redhat.com/errata/RHSA-2023:5363", + "https://access.redhat.com/security/cve/CVE-2022-25883", + "https://bugzilla.redhat.com/2216475", + "https://bugzilla.redhat.com/2230948", + "https://bugzilla.redhat.com/2230955", + "https://bugzilla.redhat.com/2230956", + "https://errata.almalinux.org/9/ALSA-2023-5363.html", + "https://github.com/advisories/GHSA-c2qf-rxjj-qqgw", + "https://github.com/npm/node-semver", 
+ "https://github.com/npm/node-semver/blob/main/classes/range.js#L97-L104", + "https://github.com/npm/node-semver/blob/main/classes/range.js%23L97-L104", + "https://github.com/npm/node-semver/blob/main/internal/re.js#L138", + "https://github.com/npm/node-semver/blob/main/internal/re.js#L160", + "https://github.com/npm/node-semver/blob/main/internal/re.js%23L138", + "https://github.com/npm/node-semver/blob/main/internal/re.js%23L160", + "https://github.com/npm/node-semver/commit/2f8fd41487acf380194579ecb6f8b1bbfe116be0", + "https://github.com/npm/node-semver/commit/717534ee353682f3bcf33e60a8af4292626d4441", + "https://github.com/npm/node-semver/commit/928e56d21150da0413a3333a3148b20e741a920c", + "https://github.com/npm/node-semver/pull/564", + "https://github.com/npm/node-semver/pull/585", + "https://github.com/npm/node-semver/pull/593", + "https://linux.oracle.com/cve/CVE-2022-25883.html", + "https://linux.oracle.com/errata/ELSA-2023-5363.html", + "https://nvd.nist.gov/vuln/detail/CVE-2022-25883", + "https://security.snyk.io/vuln/SNYK-JS-SEMVER-3247795", + "https://www.cve.org/CVERecord?id=CVE-2022-25883", + ], + "vulnerabilityId": "CVE-2022-25883", }, - "category": "Image Vulnerability", - "description": "The X.509 GeneralName type is a generic type for representing different types of names. One of those name types is known as EDIPartyName. OpenSSL provides a function GENERAL_NAME_cmp which compares different instances of a GENERAL_NAME to see if they are equal or not. This function behaves incorrectly when both GENERAL_NAMEs contain an EDIPARTYNAME. A NULL pointer dereference and a crash may occur leading to a possible denial of service attack. 
OpenSSL itself uses the GENERAL_NAME_cmp function for two purposes: 1) Comparing CRL distribution point names between an available CRL and a CRL distribution point embedded in an X509 certificate 2) When verifying that a timestamp response token signer matches the timestamp authority name (exposed via the API functions TS_RESP_verify_response and TS_RESP_verify_token) If an attacker can control both items being compared then that attacker could trigger a crash. For example if the attacker can trick a client or server into checking a malicious certificate against a malicious CRL then this may occur. Note that some applications automatically download CRLs based on a URL embedded in a certificate. This checking happens prior to the signatures on the certificate and CRL being verified. OpenSSL's s_server, s_client and verify tools have support for the "-crl_download" option which implements automatic CRL downloading and this attack has been demonstrated to work against those tools. Note that an unrelated bug means that affected versions of OpenSSL cannot parse or construct correct encodings of EDIPARTYNAME. However it is possible to construct a malformed EDIPARTYNAME that OpenSSL's parser will accept and hence trigger this attack. All OpenSSL 1.1.1 and 1.0.2 versions are affected by this issue. Other OpenSSL releases are out of support and have not been checked. Fixed in OpenSSL 1.1.1i (Affected 1.1.1-1.1.1h). Fixed in OpenSSL 1.0.2x (Affected 1.0.2-1.0.2w).", - "location": "bkimminich/juice-shop:v10.2.0", - "mitigation": "Update the affected package libssl1.1 to the fixed version: 1.1.1i-r0 or remove the package from the image.", - "name": "openssl: EDIPARTYNAME NULL pointer de-reference", + "category": "NPM Package Vulnerability", + "description": "Versions of the package semver before 7.5.2 are vulnerable to Regular Expression Denial of Service (ReDoS) via the function new Range, when untrusted user data is provided as a range. 
+ + +", + "location": "bkimminich/juice-shop:v12.10.2", + "mitigation": "Update the affected package semver to the fixed version: 7.5.2, 6.3.1, 5.7.2 or remove the package from the image.", + "name": "nodejs-semver: Regular expression denial of service", "osi_layer": "NOT_APPLICABLE", "references": [ { "type": "CVE", - "value": "CVE-2020-1971", - }, - { - "type": "URL", - "value": "https://nvd.nist.gov/vuln/detail/CVE-2020-1971", - }, - { - "type": "URL", - "value": "http://www.openwall.com/lists/oss-security/2021/09/14/2", + "value": "CVE-2022-25883", }, { "type": "URL", - "value": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1971", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2022-25883", }, { "type": "URL", - "value": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=2154ab83e14ede338d2ede9bbe5cdfce5d5a6c9e", + "value": "https://access.redhat.com/errata/RHSA-2023:5363", }, { "type": "URL", - "value": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=f960d81215ebf3f65e03d4d5d857fb9b666d6920", + "value": "https://access.redhat.com/security/cve/CVE-2022-25883", }, { "type": "URL", - "value": "https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44676", + "value": "https://bugzilla.redhat.com/2216475", }, { "type": "URL", - "value": "https://linux.oracle.com/cve/CVE-2020-1971.html", + "value": "https://bugzilla.redhat.com/2230948", }, { "type": "URL", - "value": "https://linux.oracle.com/errata/ELSA-2021-9150.html", + "value": "https://bugzilla.redhat.com/2230955", }, { "type": "URL", - "value": "https://lists.apache.org/thread.html/r63c6f2dd363d9b514d0a4bcf624580616a679898cc14c109a49b750c@%3Cdev.tomcat.apache.org%3E", + "value": "https://bugzilla.redhat.com/2230956", }, { "type": "URL", - "value": "https://lists.apache.org/thread.html/rbb769f771711fb274e0a4acb1b5911c8aab544a6ac5e8c12d40c5143@%3Ccommits.pulsar.apache.org%3E", + "value": "https://errata.almalinux.org/9/ALSA-2023-5363.html", }, { "type": "URL", - 
"value": "https://lists.debian.org/debian-lts-announce/2020/12/msg00020.html", + "value": "https://github.com/advisories/GHSA-c2qf-rxjj-qqgw", }, { "type": "URL", - "value": "https://lists.debian.org/debian-lts-announce/2020/12/msg00021.html", + "value": "https://github.com/npm/node-semver", }, { "type": "URL", - "value": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DGSI34Y5LQ5RYXN4M2I5ZQT65LFVDOUU/", + "value": "https://github.com/npm/node-semver/blob/main/classes/range.js#L97-L104", }, { "type": "URL", - "value": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PWPSSZNZOBJU2YR6Z4TGHXKYW3YP5QG7/", + "value": "https://github.com/npm/node-semver/blob/main/classes/range.js%23L97-L104", }, { "type": "URL", - "value": "https://security.FreeBSD.org/advisories/FreeBSD-SA-20:33.openssl.asc", + "value": "https://github.com/npm/node-semver/blob/main/internal/re.js#L138", }, { "type": "URL", - "value": "https://security.gentoo.org/glsa/202012-13", + "value": "https://github.com/npm/node-semver/blob/main/internal/re.js#L160", }, { "type": "URL", - "value": "https://security.netapp.com/advisory/ntap-20201218-0005/", + "value": "https://github.com/npm/node-semver/blob/main/internal/re.js%23L138", }, { "type": "URL", - "value": "https://security.netapp.com/advisory/ntap-20210513-0002/", + "value": "https://github.com/npm/node-semver/blob/main/internal/re.js%23L160", }, { "type": "URL", - "value": "https://ubuntu.com/security/notices/USN-4662-1", + "value": "https://github.com/npm/node-semver/commit/2f8fd41487acf380194579ecb6f8b1bbfe116be0", }, { "type": "URL", - "value": "https://ubuntu.com/security/notices/USN-4745-1", + "value": "https://github.com/npm/node-semver/commit/717534ee353682f3bcf33e60a8af4292626d4441", }, { "type": "URL", - "value": "https://www.debian.org/security/2020/dsa-4807", + "value": 
"https://github.com/npm/node-semver/commit/928e56d21150da0413a3333a3148b20e741a920c", }, { "type": "URL", - "value": "https://www.openssl.org/news/secadv/20201208.txt", + "value": "https://github.com/npm/node-semver/pull/564", }, { "type": "URL", - "value": "https://www.oracle.com//security-alerts/cpujul2021.html", + "value": "https://github.com/npm/node-semver/pull/585", }, { "type": "URL", - "value": "https://www.oracle.com/security-alerts/cpuApr2021.html", + "value": "https://github.com/npm/node-semver/pull/593", }, { "type": "URL", - "value": "https://www.oracle.com/security-alerts/cpujan2021.html", + "value": "https://linux.oracle.com/cve/CVE-2022-25883.html", }, { "type": "URL", - "value": "https://www.oracle.com/security-alerts/cpuoct2021.html", + "value": "https://linux.oracle.com/errata/ELSA-2023-5363.html", }, { "type": "URL", - "value": "https://www.tenable.com/security/tns-2020-11", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2022-25883", }, { "type": "URL", - "value": "https://www.tenable.com/security/tns-2021-09", + "value": "https://security.snyk.io/vuln/SNYK-JS-SEMVER-3247795", }, { "type": "URL", - "value": "https://www.tenable.com/security/tns-2021-10", + "value": "https://www.cve.org/CVERecord?id=CVE-2022-25883", }, ], - "severity": "MEDIUM", + "severity": "HIGH", }, { "attributes": { - "fixedVersion": "1.1.1j-r0", - "foundIn": "bkimminich/juice-shop:v10.2.0 (alpine 3.11.5)", - "installedVersion": "1.1.1d-r3", - "packageName": "libssl1.1", - "references": [ - "http://seclists.org/fulldisclosure/2021/May/67", - "http://seclists.org/fulldisclosure/2021/May/68", - "http://seclists.org/fulldisclosure/2021/May/70", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23841", - "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=122a19ab48091c657f7cb1fb3af9fc07bd557bbf", - "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=8252ee4d90f3f2004d3d0aeeed003ad49c9a7807", - 
"https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44846", - "https://linux.oracle.com/cve/CVE-2021-23841.html", - "https://linux.oracle.com/errata/ELSA-2021-9528.html", - "https://security.gentoo.org/glsa/202103-03", - "https://security.netapp.com/advisory/ntap-20210219-0009/", - "https://security.netapp.com/advisory/ntap-20210513-0002/", - "https://support.apple.com/kb/HT212528", - "https://support.apple.com/kb/HT212529", - "https://support.apple.com/kb/HT212534", - "https://ubuntu.com/security/notices/USN-4738-1", - "https://ubuntu.com/security/notices/USN-4745-1", - "https://www.debian.org/security/2021/dsa-4855", - "https://www.openssl.org/news/secadv/20210216.txt", - "https://www.oracle.com//security-alerts/cpujul2021.html", - "https://www.oracle.com/security-alerts/cpuApr2021.html", - "https://www.oracle.com/security-alerts/cpuoct2021.html", - "https://www.tenable.com/security/tns-2021-03", - "https://www.tenable.com/security/tns-2021-09", - ], - "vulnerabilityId": "CVE-2021-23841", + "fixedVersion": "7.5.2, 6.3.1, 5.7.2", + "foundIn": "Node.js", + "installedVersion": "5.7.1", + "packageName": "semver", + "references": [ + "https://access.redhat.com/errata/RHSA-2023:5363", + "https://access.redhat.com/security/cve/CVE-2022-25883", + "https://bugzilla.redhat.com/2216475", + "https://bugzilla.redhat.com/2230948", + "https://bugzilla.redhat.com/2230955", + "https://bugzilla.redhat.com/2230956", + "https://errata.almalinux.org/9/ALSA-2023-5363.html", + "https://github.com/advisories/GHSA-c2qf-rxjj-qqgw", + "https://github.com/npm/node-semver", + "https://github.com/npm/node-semver/blob/main/classes/range.js#L97-L104", + "https://github.com/npm/node-semver/blob/main/classes/range.js%23L97-L104", + "https://github.com/npm/node-semver/blob/main/internal/re.js#L138", + "https://github.com/npm/node-semver/blob/main/internal/re.js#L160", + "https://github.com/npm/node-semver/blob/main/internal/re.js%23L138", + 
"https://github.com/npm/node-semver/blob/main/internal/re.js%23L160", + "https://github.com/npm/node-semver/commit/2f8fd41487acf380194579ecb6f8b1bbfe116be0", + "https://github.com/npm/node-semver/commit/717534ee353682f3bcf33e60a8af4292626d4441", + "https://github.com/npm/node-semver/commit/928e56d21150da0413a3333a3148b20e741a920c", + "https://github.com/npm/node-semver/pull/564", + "https://github.com/npm/node-semver/pull/585", + "https://github.com/npm/node-semver/pull/593", + "https://linux.oracle.com/cve/CVE-2022-25883.html", + "https://linux.oracle.com/errata/ELSA-2023-5363.html", + "https://nvd.nist.gov/vuln/detail/CVE-2022-25883", + "https://security.snyk.io/vuln/SNYK-JS-SEMVER-3247795", + "https://www.cve.org/CVERecord?id=CVE-2022-25883", + ], + "vulnerabilityId": "CVE-2022-25883", }, - "category": "Image Vulnerability", - "description": "The OpenSSL public API function X509_issuer_and_serial_hash() attempts to create a unique hash value based on the issuer and serial number data contained within an X509 certificate. However it fails to correctly handle any errors that may occur while parsing the issuer field (which might occur if the issuer field is maliciously constructed). This may subsequently result in a NULL pointer deref and a crash leading to a potential denial of service attack. The function X509_issuer_and_serial_hash() is never directly called by OpenSSL itself so applications are only vulnerable if they use this function directly and they use it on certificates that may have been obtained from untrusted sources. OpenSSL versions 1.1.1i and below are affected by this issue. Users of these versions should upgrade to OpenSSL 1.1.1j. OpenSSL versions 1.0.2x and below are affected by this issue. However OpenSSL 1.0.2 is out of support and no longer receiving public updates. Premium support customers of OpenSSL 1.0.2 should upgrade to 1.0.2y. Other users should upgrade to 1.1.1j. Fixed in OpenSSL 1.1.1j (Affected 1.1.1-1.1.1i). 
Fixed in OpenSSL 1.0.2y (Affected 1.0.2-1.0.2x).", - "location": "bkimminich/juice-shop:v10.2.0", - "mitigation": "Update the affected package libssl1.1 to the fixed version: 1.1.1j-r0 or remove the package from the image.", - "name": "openssl: NULL pointer dereference in X509_issuer_and_serial_hash()", + "category": "NPM Package Vulnerability", + "description": "Versions of the package semver before 7.5.2 are vulnerable to Regular Expression Denial of Service (ReDoS) via the function new Range, when untrusted user data is provided as a range. + + +", + "location": "bkimminich/juice-shop:v12.10.2", + "mitigation": "Update the affected package semver to the fixed version: 7.5.2, 6.3.1, 5.7.2 or remove the package from the image.", + "name": "nodejs-semver: Regular expression denial of service", "osi_layer": "NOT_APPLICABLE", "references": [ { "type": "CVE", - "value": "CVE-2021-23841", - }, - { - "type": "URL", - "value": "https://nvd.nist.gov/vuln/detail/CVE-2021-23841", + "value": "CVE-2022-25883", }, { "type": "URL", - "value": "http://seclists.org/fulldisclosure/2021/May/67", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2022-25883", }, { "type": "URL", - "value": "http://seclists.org/fulldisclosure/2021/May/68", + "value": "https://access.redhat.com/errata/RHSA-2023:5363", }, { "type": "URL", - "value": "http://seclists.org/fulldisclosure/2021/May/70", + "value": "https://access.redhat.com/security/cve/CVE-2022-25883", }, { "type": "URL", - "value": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23841", + "value": "https://bugzilla.redhat.com/2216475", }, { "type": "URL", - "value": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=122a19ab48091c657f7cb1fb3af9fc07bd557bbf", + "value": "https://bugzilla.redhat.com/2230948", }, { "type": "URL", - "value": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=8252ee4d90f3f2004d3d0aeeed003ad49c9a7807", + "value": "https://bugzilla.redhat.com/2230955", }, { "type": "URL", - "value": 
"https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44846", + "value": "https://bugzilla.redhat.com/2230956", }, { "type": "URL", - "value": "https://linux.oracle.com/cve/CVE-2021-23841.html", + "value": "https://errata.almalinux.org/9/ALSA-2023-5363.html", }, { "type": "URL", - "value": "https://linux.oracle.com/errata/ELSA-2021-9528.html", + "value": "https://github.com/advisories/GHSA-c2qf-rxjj-qqgw", }, { "type": "URL", - "value": "https://security.gentoo.org/glsa/202103-03", + "value": "https://github.com/npm/node-semver", }, { "type": "URL", - "value": "https://security.netapp.com/advisory/ntap-20210219-0009/", + "value": "https://github.com/npm/node-semver/blob/main/classes/range.js#L97-L104", }, { "type": "URL", - "value": "https://security.netapp.com/advisory/ntap-20210513-0002/", + "value": "https://github.com/npm/node-semver/blob/main/classes/range.js%23L97-L104", }, { "type": "URL", - "value": "https://support.apple.com/kb/HT212528", + "value": "https://github.com/npm/node-semver/blob/main/internal/re.js#L138", }, { "type": "URL", - "value": "https://support.apple.com/kb/HT212529", + "value": "https://github.com/npm/node-semver/blob/main/internal/re.js#L160", }, { "type": "URL", - "value": "https://support.apple.com/kb/HT212534", + "value": "https://github.com/npm/node-semver/blob/main/internal/re.js%23L138", }, { "type": "URL", - "value": "https://ubuntu.com/security/notices/USN-4738-1", + "value": "https://github.com/npm/node-semver/blob/main/internal/re.js%23L160", }, { "type": "URL", - "value": "https://ubuntu.com/security/notices/USN-4745-1", + "value": "https://github.com/npm/node-semver/commit/2f8fd41487acf380194579ecb6f8b1bbfe116be0", }, { "type": "URL", - "value": "https://www.debian.org/security/2021/dsa-4855", + "value": "https://github.com/npm/node-semver/commit/717534ee353682f3bcf33e60a8af4292626d4441", }, { "type": "URL", - "value": "https://www.openssl.org/news/secadv/20210216.txt", + "value": 
"https://github.com/npm/node-semver/commit/928e56d21150da0413a3333a3148b20e741a920c", }, { "type": "URL", - "value": "https://www.oracle.com//security-alerts/cpujul2021.html", + "value": "https://github.com/npm/node-semver/pull/564", }, { "type": "URL", - "value": "https://www.oracle.com/security-alerts/cpuApr2021.html", + "value": "https://github.com/npm/node-semver/pull/585", }, { "type": "URL", - "value": "https://www.oracle.com/security-alerts/cpuoct2021.html", + "value": "https://github.com/npm/node-semver/pull/593", }, { "type": "URL", - "value": "https://www.tenable.com/security/tns-2021-03", + "value": "https://linux.oracle.com/cve/CVE-2022-25883.html", }, { "type": "URL", - "value": "https://www.tenable.com/security/tns-2021-09", - }, - ], - "severity": "MEDIUM", - }, - { - "attributes": { - "fixedVersion": "1.1.1k-r0", - "foundIn": "bkimminich/juice-shop:v10.2.0 (alpine 3.11.5)", - "installedVersion": "1.1.1d-r3", - "packageName": "libssl1.1", - "references": [ - "http://www.openwall.com/lists/oss-security/2021/03/27/1", - "http://www.openwall.com/lists/oss-security/2021/03/27/2", - "http://www.openwall.com/lists/oss-security/2021/03/28/3", - "http://www.openwall.com/lists/oss-security/2021/03/28/4", - "https://cert-portal.siemens.com/productcert/pdf/ssa-772220.pdf", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3449", - "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=fb9fa6b51defd48157eeb207f52181f735d96148", - "https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44845", - "https://kc.mcafee.com/corporate/index?page=content&id=SB10356", - "https://linux.oracle.com/cve/CVE-2021-3449.html", - "https://linux.oracle.com/errata/ELSA-2021-9151.html", - "https://lists.debian.org/debian-lts-announce/2021/08/msg00029.html", - "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CCBFLLVQVILIVGZMBJL3IXZGKWQISYNP/", - "https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0013", - 
"https://security.FreeBSD.org/advisories/FreeBSD-SA-21:07.openssl.asc", - "https://security.gentoo.org/glsa/202103-03", - "https://security.netapp.com/advisory/ntap-20210326-0006/", - "https://security.netapp.com/advisory/ntap-20210513-0002/", - "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-openssl-2021-GHY28dJd", - "https://ubuntu.com/security/notices/USN-4891-1", - "https://ubuntu.com/security/notices/USN-5038-1", - "https://www.debian.org/security/2021/dsa-4875", - "https://www.openssl.org/news/secadv/20210325.txt", - "https://www.oracle.com//security-alerts/cpujul2021.html", - "https://www.oracle.com/security-alerts/cpuApr2021.html", - "https://www.oracle.com/security-alerts/cpuoct2021.html", - "https://www.tenable.com/security/tns-2021-05", - "https://www.tenable.com/security/tns-2021-06", - "https://www.tenable.com/security/tns-2021-09", - "https://www.tenable.com/security/tns-2021-10", - ], - "vulnerabilityId": "CVE-2021-3449", - }, - "category": "Image Vulnerability", - "description": "An OpenSSL TLS server may crash if sent a maliciously crafted renegotiation ClientHello message from a client. If a TLSv1.2 renegotiation ClientHello omits the signature_algorithms extension (where it was present in the initial ClientHello), but includes a signature_algorithms_cert extension then a NULL pointer dereference will result, leading to a crash and a denial of service attack. A server is only vulnerable if it has TLSv1.2 and renegotiation enabled (which is the default configuration). OpenSSL TLS clients are not impacted by this issue. All OpenSSL 1.1.1 versions are affected by this issue. Users of these versions should upgrade to OpenSSL 1.1.1k. OpenSSL 1.0.2 is not impacted by this issue. 
Fixed in OpenSSL 1.1.1k (Affected 1.1.1-1.1.1j).", - "location": "bkimminich/juice-shop:v10.2.0", - "mitigation": "Update the affected package libssl1.1 to the fixed version: 1.1.1k-r0 or remove the package from the image.", - "name": "openssl: NULL pointer dereference in signature_algorithms processing", - "osi_layer": "NOT_APPLICABLE", - "references": [ - { - "type": "CVE", - "value": "CVE-2021-3449", + "value": "https://linux.oracle.com/errata/ELSA-2023-5363.html", }, { "type": "URL", - "value": "https://nvd.nist.gov/vuln/detail/CVE-2021-3449", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2022-25883", }, { "type": "URL", - "value": "http://www.openwall.com/lists/oss-security/2021/03/27/1", + "value": "https://security.snyk.io/vuln/SNYK-JS-SEMVER-3247795", }, { "type": "URL", - "value": "http://www.openwall.com/lists/oss-security/2021/03/27/2", + "value": "https://www.cve.org/CVERecord?id=CVE-2022-25883", }, + ], + "severity": "HIGH", + }, + { + "attributes": { + "fixedVersion": "7.5.2, 6.3.1, 5.7.2", + "foundIn": "Node.js", + "installedVersion": "5.7.1", + "packageName": "semver", + "references": [ + "https://access.redhat.com/errata/RHSA-2023:5363", + "https://access.redhat.com/security/cve/CVE-2022-25883", + "https://bugzilla.redhat.com/2216475", + "https://bugzilla.redhat.com/2230948", + "https://bugzilla.redhat.com/2230955", + "https://bugzilla.redhat.com/2230956", + "https://errata.almalinux.org/9/ALSA-2023-5363.html", + "https://github.com/advisories/GHSA-c2qf-rxjj-qqgw", + "https://github.com/npm/node-semver", + "https://github.com/npm/node-semver/blob/main/classes/range.js#L97-L104", + "https://github.com/npm/node-semver/blob/main/classes/range.js%23L97-L104", + "https://github.com/npm/node-semver/blob/main/internal/re.js#L138", + "https://github.com/npm/node-semver/blob/main/internal/re.js#L160", + "https://github.com/npm/node-semver/blob/main/internal/re.js%23L138", + "https://github.com/npm/node-semver/blob/main/internal/re.js%23L160", + 
"https://github.com/npm/node-semver/commit/2f8fd41487acf380194579ecb6f8b1bbfe116be0", + "https://github.com/npm/node-semver/commit/717534ee353682f3bcf33e60a8af4292626d4441", + "https://github.com/npm/node-semver/commit/928e56d21150da0413a3333a3148b20e741a920c", + "https://github.com/npm/node-semver/pull/564", + "https://github.com/npm/node-semver/pull/585", + "https://github.com/npm/node-semver/pull/593", + "https://linux.oracle.com/cve/CVE-2022-25883.html", + "https://linux.oracle.com/errata/ELSA-2023-5363.html", + "https://nvd.nist.gov/vuln/detail/CVE-2022-25883", + "https://security.snyk.io/vuln/SNYK-JS-SEMVER-3247795", + "https://www.cve.org/CVERecord?id=CVE-2022-25883", + ], + "vulnerabilityId": "CVE-2022-25883", + }, + "category": "NPM Package Vulnerability", + "description": "Versions of the package semver before 7.5.2 are vulnerable to Regular Expression Denial of Service (ReDoS) via the function new Range, when untrusted user data is provided as a range. + + +", + "location": "bkimminich/juice-shop:v12.10.2", + "mitigation": "Update the affected package semver to the fixed version: 7.5.2, 6.3.1, 5.7.2 or remove the package from the image.", + "name": "nodejs-semver: Regular expression denial of service", + "osi_layer": "NOT_APPLICABLE", + "references": [ { - "type": "URL", - "value": "http://www.openwall.com/lists/oss-security/2021/03/28/3", + "type": "CVE", + "value": "CVE-2022-25883", }, { "type": "URL", - "value": "http://www.openwall.com/lists/oss-security/2021/03/28/4", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2022-25883", }, { "type": "URL", - "value": "https://cert-portal.siemens.com/productcert/pdf/ssa-772220.pdf", + "value": "https://access.redhat.com/errata/RHSA-2023:5363", }, { "type": "URL", - "value": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3449", + "value": "https://access.redhat.com/security/cve/CVE-2022-25883", }, { "type": "URL", - "value": 
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=fb9fa6b51defd48157eeb207f52181f735d96148", + "value": "https://bugzilla.redhat.com/2216475", }, { "type": "URL", - "value": "https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44845", + "value": "https://bugzilla.redhat.com/2230948", }, { "type": "URL", - "value": "https://kc.mcafee.com/corporate/index?page=content&id=SB10356", + "value": "https://bugzilla.redhat.com/2230955", }, { "type": "URL", - "value": "https://linux.oracle.com/cve/CVE-2021-3449.html", + "value": "https://bugzilla.redhat.com/2230956", }, { "type": "URL", - "value": "https://linux.oracle.com/errata/ELSA-2021-9151.html", + "value": "https://errata.almalinux.org/9/ALSA-2023-5363.html", }, { "type": "URL", - "value": "https://lists.debian.org/debian-lts-announce/2021/08/msg00029.html", + "value": "https://github.com/advisories/GHSA-c2qf-rxjj-qqgw", }, { "type": "URL", - "value": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CCBFLLVQVILIVGZMBJL3IXZGKWQISYNP/", + "value": "https://github.com/npm/node-semver", }, { "type": "URL", - "value": "https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0013", + "value": "https://github.com/npm/node-semver/blob/main/classes/range.js#L97-L104", }, { "type": "URL", - "value": "https://security.FreeBSD.org/advisories/FreeBSD-SA-21:07.openssl.asc", + "value": "https://github.com/npm/node-semver/blob/main/classes/range.js%23L97-L104", }, { "type": "URL", - "value": "https://security.gentoo.org/glsa/202103-03", + "value": "https://github.com/npm/node-semver/blob/main/internal/re.js#L138", }, { "type": "URL", - "value": "https://security.netapp.com/advisory/ntap-20210326-0006/", + "value": "https://github.com/npm/node-semver/blob/main/internal/re.js#L160", }, { "type": "URL", - "value": "https://security.netapp.com/advisory/ntap-20210513-0002/", + "value": "https://github.com/npm/node-semver/blob/main/internal/re.js%23L138", }, { "type": 
"URL", - "value": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-openssl-2021-GHY28dJd", + "value": "https://github.com/npm/node-semver/blob/main/internal/re.js%23L160", }, { "type": "URL", - "value": "https://ubuntu.com/security/notices/USN-4891-1", + "value": "https://github.com/npm/node-semver/commit/2f8fd41487acf380194579ecb6f8b1bbfe116be0", }, { "type": "URL", - "value": "https://ubuntu.com/security/notices/USN-5038-1", + "value": "https://github.com/npm/node-semver/commit/717534ee353682f3bcf33e60a8af4292626d4441", }, { "type": "URL", - "value": "https://www.debian.org/security/2021/dsa-4875", + "value": "https://github.com/npm/node-semver/commit/928e56d21150da0413a3333a3148b20e741a920c", }, { "type": "URL", - "value": "https://www.openssl.org/news/secadv/20210325.txt", + "value": "https://github.com/npm/node-semver/pull/564", }, { "type": "URL", - "value": "https://www.oracle.com//security-alerts/cpujul2021.html", + "value": "https://github.com/npm/node-semver/pull/585", }, { "type": "URL", - "value": "https://www.oracle.com/security-alerts/cpuApr2021.html", + "value": "https://github.com/npm/node-semver/pull/593", }, { "type": "URL", - "value": "https://www.oracle.com/security-alerts/cpuoct2021.html", + "value": "https://linux.oracle.com/cve/CVE-2022-25883.html", }, { "type": "URL", - "value": "https://www.tenable.com/security/tns-2021-05", + "value": "https://linux.oracle.com/errata/ELSA-2023-5363.html", }, { "type": "URL", - "value": "https://www.tenable.com/security/tns-2021-06", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2022-25883", }, { "type": "URL", - "value": "https://www.tenable.com/security/tns-2021-09", + "value": "https://security.snyk.io/vuln/SNYK-JS-SEMVER-3247795", }, { "type": "URL", - "value": "https://www.tenable.com/security/tns-2021-10", + "value": "https://www.cve.org/CVERecord?id=CVE-2022-25883", }, ], - "severity": "MEDIUM", + "severity": "HIGH", }, { "attributes": { - "fixedVersion": 
"1.1.1j-r0", - "foundIn": "bkimminich/juice-shop:v10.2.0 (alpine 3.11.5)", - "installedVersion": "1.1.1d-r3", - "packageName": "libssl1.1", - "references": [ - "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=30919ab80a478f2d81f2e9acdcca3fa4740cd547", - "https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44846", - "https://security.netapp.com/advisory/ntap-20210219-0009/", - "https://www.openssl.org/news/secadv/20210216.txt", - "https://www.oracle.com//security-alerts/cpujul2021.html", - "https://www.oracle.com/security-alerts/cpuApr2021.html", - "https://www.oracle.com/security-alerts/cpuoct2021.html", - ], - "vulnerabilityId": "CVE-2021-23839", + "fixedVersion": "7.5.2, 6.3.1, 5.7.2", + "foundIn": "Node.js", + "installedVersion": "5.7.1", + "packageName": "semver", + "references": [ + "https://access.redhat.com/errata/RHSA-2023:5363", + "https://access.redhat.com/security/cve/CVE-2022-25883", + "https://bugzilla.redhat.com/2216475", + "https://bugzilla.redhat.com/2230948", + "https://bugzilla.redhat.com/2230955", + "https://bugzilla.redhat.com/2230956", + "https://errata.almalinux.org/9/ALSA-2023-5363.html", + "https://github.com/advisories/GHSA-c2qf-rxjj-qqgw", + "https://github.com/npm/node-semver", + "https://github.com/npm/node-semver/blob/main/classes/range.js#L97-L104", + "https://github.com/npm/node-semver/blob/main/classes/range.js%23L97-L104", + "https://github.com/npm/node-semver/blob/main/internal/re.js#L138", + "https://github.com/npm/node-semver/blob/main/internal/re.js#L160", + "https://github.com/npm/node-semver/blob/main/internal/re.js%23L138", + "https://github.com/npm/node-semver/blob/main/internal/re.js%23L160", + "https://github.com/npm/node-semver/commit/2f8fd41487acf380194579ecb6f8b1bbfe116be0", + "https://github.com/npm/node-semver/commit/717534ee353682f3bcf33e60a8af4292626d4441", + "https://github.com/npm/node-semver/commit/928e56d21150da0413a3333a3148b20e741a920c", + "https://github.com/npm/node-semver/pull/564", 
+ "https://github.com/npm/node-semver/pull/585", + "https://github.com/npm/node-semver/pull/593", + "https://linux.oracle.com/cve/CVE-2022-25883.html", + "https://linux.oracle.com/errata/ELSA-2023-5363.html", + "https://nvd.nist.gov/vuln/detail/CVE-2022-25883", + "https://security.snyk.io/vuln/SNYK-JS-SEMVER-3247795", + "https://www.cve.org/CVERecord?id=CVE-2022-25883", + ], + "vulnerabilityId": "CVE-2022-25883", }, - "category": "Image Vulnerability", - "description": "OpenSSL 1.0.2 supports SSLv2. If a client attempts to negotiate SSLv2 with a server that is configured to support both SSLv2 and more recent SSL and TLS versions then a check is made for a version rollback attack when unpadding an RSA signature. Clients that support SSL or TLS versions greater than SSLv2 are supposed to use a special form of padding. A server that supports greater than SSLv2 is supposed to reject connection attempts from a client where this special form of padding is present, because this indicates that a version rollback has occurred (i.e. both client and server support greater than SSLv2, and yet this is the version that is being requested). The implementation of this padding check inverted the logic so that the connection attempt is accepted if the padding is present, and rejected if it is absent. This means that such as server will accept a connection if a version rollback attack has occurred. Further the server will erroneously reject a connection if a normal SSLv2 connection attempt is made. Only OpenSSL 1.0.2 servers from version 1.0.2s to 1.0.2x are affected by this issue. In order to be vulnerable a 1.0.2 server must: 1) have configured SSLv2 support at compile time (this is off by default), 2) have configured SSLv2 support at runtime (this is off by default), 3) have configured SSLv2 ciphersuites (these are not in the default ciphersuite list) OpenSSL 1.1.1 does not have SSLv2 support and therefore is not vulnerable to this issue. 
The underlying error is in the implementation of the RSA_padding_check_SSLv23() function. This also affects the RSA_SSLV23_PADDING padding mode used by various other functions. Although 1.1.1 does not support SSLv2 the RSA_padding_check_SSLv23() function still exists, as does the RSA_SSLV23_PADDING padding mode. Applications that directly call that function or use that padding mode will encounter this issue. However since there is no support for the SSLv2 protocol in 1.1.1 this is considered a bug and not a security issue in that version. OpenSSL 1.0.2 is out of support and no longer receiving public updates. Premium support customers of OpenSSL 1.0.2 should upgrade to 1.0.2y. Other users should upgrade to 1.1.1j. Fixed in OpenSSL 1.0.2y (Affected 1.0.2s-1.0.2x).", - "location": "bkimminich/juice-shop:v10.2.0", - "mitigation": "Update the affected package libssl1.1 to the fixed version: 1.1.1j-r0 or remove the package from the image.", - "name": "openssl: incorrect SSLv2 rollback protection", + "category": "NPM Package Vulnerability", + "description": "Versions of the package semver before 7.5.2 are vulnerable to Regular Expression Denial of Service (ReDoS) via the function new Range, when untrusted user data is provided as a range. 
+ + +", + "location": "bkimminich/juice-shop:v12.10.2", + "mitigation": "Update the affected package semver to the fixed version: 7.5.2, 6.3.1, 5.7.2 or remove the package from the image.", + "name": "nodejs-semver: Regular expression denial of service", "osi_layer": "NOT_APPLICABLE", "references": [ { "type": "CVE", - "value": "CVE-2021-23839", + "value": "CVE-2022-25883", }, { "type": "URL", - "value": "https://nvd.nist.gov/vuln/detail/CVE-2021-23839", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2022-25883", }, { "type": "URL", - "value": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=30919ab80a478f2d81f2e9acdcca3fa4740cd547", + "value": "https://access.redhat.com/errata/RHSA-2023:5363", }, { "type": "URL", - "value": "https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44846", + "value": "https://access.redhat.com/security/cve/CVE-2022-25883", }, { "type": "URL", - "value": "https://security.netapp.com/advisory/ntap-20210219-0009/", + "value": "https://bugzilla.redhat.com/2216475", }, { "type": "URL", - "value": "https://www.openssl.org/news/secadv/20210216.txt", + "value": "https://bugzilla.redhat.com/2230948", }, { "type": "URL", - "value": "https://www.oracle.com//security-alerts/cpujul2021.html", + "value": "https://bugzilla.redhat.com/2230955", }, { "type": "URL", - "value": "https://www.oracle.com/security-alerts/cpuApr2021.html", + "value": "https://bugzilla.redhat.com/2230956", }, { "type": "URL", - "value": "https://www.oracle.com/security-alerts/cpuoct2021.html", - }, - ], - "severity": "LOW", - }, - { - "attributes": { - "fixedVersion": "9.3.0-r0", - "foundIn": "bkimminich/juice-shop:v10.2.0 (alpine 3.11.5)", - "installedVersion": "9.2.0-r4", - "packageName": "libstdc++", - "references": [ - "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00056.html", - "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00057.html", - 
"http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00058.html", - "https://gcc.gnu.org/bugzilla/show_bug.cgi?id=91481", - "https://linux.oracle.com/cve/CVE-2019-15847.html", - "https://linux.oracle.com/errata/ELSA-2020-1864.html", - ], - "vulnerabilityId": "CVE-2019-15847", - }, - "category": "Image Vulnerability", - "description": "The POWER9 backend in GNU Compiler Collection (GCC) before version 10 could optimize multiple calls of the __builtin_darn intrinsic into a single call, thus reducing the entropy of the random number generator. This occurred because a volatile operation was not specified. For example, within a single execution of a program, the output of every __builtin_darn() call may be the same.", - "location": "bkimminich/juice-shop:v10.2.0", - "mitigation": "Update the affected package libstdc++ to the fixed version: 9.3.0-r0 or remove the package from the image.", - "name": "gcc: POWER9 "DARN" RNG intrinsic produces repeated output", - "osi_layer": "NOT_APPLICABLE", - "references": [ - { - "type": "CVE", - "value": "CVE-2019-15847", + "value": "https://errata.almalinux.org/9/ALSA-2023-5363.html", }, { "type": "URL", - "value": "https://nvd.nist.gov/vuln/detail/CVE-2019-15847", + "value": "https://github.com/advisories/GHSA-c2qf-rxjj-qqgw", }, { "type": "URL", - "value": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00056.html", + "value": "https://github.com/npm/node-semver", }, { "type": "URL", - "value": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00057.html", + "value": "https://github.com/npm/node-semver/blob/main/classes/range.js#L97-L104", }, { "type": "URL", - "value": "http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00058.html", + "value": "https://github.com/npm/node-semver/blob/main/classes/range.js%23L97-L104", }, { "type": "URL", - "value": "https://gcc.gnu.org/bugzilla/show_bug.cgi?id=91481", + "value": 
"https://github.com/npm/node-semver/blob/main/internal/re.js#L138", }, { "type": "URL", - "value": "https://linux.oracle.com/cve/CVE-2019-15847.html", + "value": "https://github.com/npm/node-semver/blob/main/internal/re.js#L160", }, { "type": "URL", - "value": "https://linux.oracle.com/errata/ELSA-2020-1864.html", + "value": "https://github.com/npm/node-semver/blob/main/internal/re.js%23L138", }, - ], - "severity": "HIGH", - }, - { - "attributes": { - "fixedVersion": "1.1.24-r3", - "foundIn": "bkimminich/juice-shop:v10.2.0 (alpine 3.11.5)", - "installedVersion": "1.1.24-r2", - "packageName": "musl", - "references": [ - "http://www.openwall.com/lists/oss-security/2020/11/20/4", - "https://lists.apache.org/thread.html/r2134abfe847bea7795f0e53756d10a47e6643f35ab8169df8b8a9eb1@%3Cnotifications.apisix.apache.org%3E", - "https://lists.apache.org/thread.html/r90b60cf49348e515257b4950900c1bd3ab95a960cf2469d919c7264e@%3Cnotifications.apisix.apache.org%3E", - "https://lists.apache.org/thread.html/ra63e8dc5137d952afc55dbbfa63be83304ecf842d1eab1ff3ebb29e2@%3Cnotifications.apisix.apache.org%3E", - "https://lists.debian.org/debian-lts-announce/2020/11/msg00050.html", - "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LKQ3RVSMVZNZNO4D65W2CZZ4DMYFZN2Q/", - "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UW27QVY7ERPTSGKS4KAWE5TU7EJWHKVQ/", - "https://musl.libc.org/releases.html", - "https://www.oracle.com//security-alerts/cpujul2021.html", - "https://www.oracle.com/security-alerts/cpuoct2021.html", - ], - "vulnerabilityId": "CVE-2020-28928", - }, - "category": "Image Vulnerability", - "description": "In musl libc through 1.2.1, wcsnrtombs mishandles particular combinations of destination buffer size and source character limit, as demonstrated by an invalid write access (buffer overflow).", - "location": "bkimminich/juice-shop:v10.2.0", - "mitigation": "Update the affected package musl to 
the fixed version: 1.1.24-r3 or remove the package from the image.", - "name": "Vulnerability in Dependency musl (1.1.24-r2)", - "osi_layer": "NOT_APPLICABLE", - "references": [ { - "type": "CVE", - "value": "CVE-2020-28928", + "type": "URL", + "value": "https://github.com/npm/node-semver/blob/main/internal/re.js%23L160", }, { "type": "URL", - "value": "https://nvd.nist.gov/vuln/detail/CVE-2020-28928", + "value": "https://github.com/npm/node-semver/commit/2f8fd41487acf380194579ecb6f8b1bbfe116be0", }, { "type": "URL", - "value": "http://www.openwall.com/lists/oss-security/2020/11/20/4", + "value": "https://github.com/npm/node-semver/commit/717534ee353682f3bcf33e60a8af4292626d4441", }, { "type": "URL", - "value": "https://lists.apache.org/thread.html/r2134abfe847bea7795f0e53756d10a47e6643f35ab8169df8b8a9eb1@%3Cnotifications.apisix.apache.org%3E", + "value": "https://github.com/npm/node-semver/commit/928e56d21150da0413a3333a3148b20e741a920c", }, { "type": "URL", - "value": "https://lists.apache.org/thread.html/r90b60cf49348e515257b4950900c1bd3ab95a960cf2469d919c7264e@%3Cnotifications.apisix.apache.org%3E", + "value": "https://github.com/npm/node-semver/pull/564", }, { "type": "URL", - "value": "https://lists.apache.org/thread.html/ra63e8dc5137d952afc55dbbfa63be83304ecf842d1eab1ff3ebb29e2@%3Cnotifications.apisix.apache.org%3E", + "value": "https://github.com/npm/node-semver/pull/585", }, { "type": "URL", - "value": "https://lists.debian.org/debian-lts-announce/2020/11/msg00050.html", + "value": "https://github.com/npm/node-semver/pull/593", }, { "type": "URL", - "value": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LKQ3RVSMVZNZNO4D65W2CZZ4DMYFZN2Q/", + "value": "https://linux.oracle.com/cve/CVE-2022-25883.html", }, { "type": "URL", - "value": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UW27QVY7ERPTSGKS4KAWE5TU7EJWHKVQ/", + "value": 
"https://linux.oracle.com/errata/ELSA-2023-5363.html", }, { "type": "URL", - "value": "https://musl.libc.org/releases.html", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2022-25883", }, { "type": "URL", - "value": "https://www.oracle.com//security-alerts/cpujul2021.html", + "value": "https://security.snyk.io/vuln/SNYK-JS-SEMVER-3247795", }, { "type": "URL", - "value": "https://www.oracle.com/security-alerts/cpuoct2021.html", + "value": "https://www.cve.org/CVERecord?id=CVE-2022-25883", }, ], - "severity": "MEDIUM", + "severity": "HIGH", }, { "attributes": { - "fixedVersion": "1.1.24-r3", - "foundIn": "bkimminich/juice-shop:v10.2.0 (alpine 3.11.5)", - "installedVersion": "1.1.24-r2", - "packageName": "musl-utils", - "references": [ - "http://www.openwall.com/lists/oss-security/2020/11/20/4", - "https://lists.apache.org/thread.html/r2134abfe847bea7795f0e53756d10a47e6643f35ab8169df8b8a9eb1@%3Cnotifications.apisix.apache.org%3E", - "https://lists.apache.org/thread.html/r90b60cf49348e515257b4950900c1bd3ab95a960cf2469d919c7264e@%3Cnotifications.apisix.apache.org%3E", - "https://lists.apache.org/thread.html/ra63e8dc5137d952afc55dbbfa63be83304ecf842d1eab1ff3ebb29e2@%3Cnotifications.apisix.apache.org%3E", - "https://lists.debian.org/debian-lts-announce/2020/11/msg00050.html", - "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LKQ3RVSMVZNZNO4D65W2CZZ4DMYFZN2Q/", - "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UW27QVY7ERPTSGKS4KAWE5TU7EJWHKVQ/", - "https://musl.libc.org/releases.html", - "https://www.oracle.com//security-alerts/cpujul2021.html", - "https://www.oracle.com/security-alerts/cpuoct2021.html", - ], - "vulnerabilityId": "CVE-2020-28928", + "fixedVersion": "7.5.2, 6.3.1, 5.7.2", + "foundIn": "Node.js", + "installedVersion": "5.7.1", + "packageName": "semver", + "references": [ + "https://access.redhat.com/errata/RHSA-2023:5363", + 
"https://access.redhat.com/security/cve/CVE-2022-25883", + "https://bugzilla.redhat.com/2216475", + "https://bugzilla.redhat.com/2230948", + "https://bugzilla.redhat.com/2230955", + "https://bugzilla.redhat.com/2230956", + "https://errata.almalinux.org/9/ALSA-2023-5363.html", + "https://github.com/advisories/GHSA-c2qf-rxjj-qqgw", + "https://github.com/npm/node-semver", + "https://github.com/npm/node-semver/blob/main/classes/range.js#L97-L104", + "https://github.com/npm/node-semver/blob/main/classes/range.js%23L97-L104", + "https://github.com/npm/node-semver/blob/main/internal/re.js#L138", + "https://github.com/npm/node-semver/blob/main/internal/re.js#L160", + "https://github.com/npm/node-semver/blob/main/internal/re.js%23L138", + "https://github.com/npm/node-semver/blob/main/internal/re.js%23L160", + "https://github.com/npm/node-semver/commit/2f8fd41487acf380194579ecb6f8b1bbfe116be0", + "https://github.com/npm/node-semver/commit/717534ee353682f3bcf33e60a8af4292626d4441", + "https://github.com/npm/node-semver/commit/928e56d21150da0413a3333a3148b20e741a920c", + "https://github.com/npm/node-semver/pull/564", + "https://github.com/npm/node-semver/pull/585", + "https://github.com/npm/node-semver/pull/593", + "https://linux.oracle.com/cve/CVE-2022-25883.html", + "https://linux.oracle.com/errata/ELSA-2023-5363.html", + "https://nvd.nist.gov/vuln/detail/CVE-2022-25883", + "https://security.snyk.io/vuln/SNYK-JS-SEMVER-3247795", + "https://www.cve.org/CVERecord?id=CVE-2022-25883", + ], + "vulnerabilityId": "CVE-2022-25883", }, - "category": "Image Vulnerability", - "description": "In musl libc through 1.2.1, wcsnrtombs mishandles particular combinations of destination buffer size and source character limit, as demonstrated by an invalid write access (buffer overflow).", - "location": "bkimminich/juice-shop:v10.2.0", - "mitigation": "Update the affected package musl-utils to the fixed version: 1.1.24-r3 or remove the package from the image.", - "name": "Vulnerability in 
Dependency musl-utils (1.1.24-r2)", + "category": "NPM Package Vulnerability", + "description": "Versions of the package semver before 7.5.2 are vulnerable to Regular Expression Denial of Service (ReDoS) via the function new Range, when untrusted user data is provided as a range. + + +", + "location": "bkimminich/juice-shop:v12.10.2", + "mitigation": "Update the affected package semver to the fixed version: 7.5.2, 6.3.1, 5.7.2 or remove the package from the image.", + "name": "nodejs-semver: Regular expression denial of service", "osi_layer": "NOT_APPLICABLE", "references": [ { "type": "CVE", - "value": "CVE-2020-28928", + "value": "CVE-2022-25883", }, { "type": "URL", - "value": "https://nvd.nist.gov/vuln/detail/CVE-2020-28928", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2022-25883", }, { "type": "URL", - "value": "http://www.openwall.com/lists/oss-security/2020/11/20/4", + "value": "https://access.redhat.com/errata/RHSA-2023:5363", }, { "type": "URL", - "value": "https://lists.apache.org/thread.html/r2134abfe847bea7795f0e53756d10a47e6643f35ab8169df8b8a9eb1@%3Cnotifications.apisix.apache.org%3E", + "value": "https://access.redhat.com/security/cve/CVE-2022-25883", }, { "type": "URL", - "value": "https://lists.apache.org/thread.html/r90b60cf49348e515257b4950900c1bd3ab95a960cf2469d919c7264e@%3Cnotifications.apisix.apache.org%3E", + "value": "https://bugzilla.redhat.com/2216475", }, { "type": "URL", - "value": "https://lists.apache.org/thread.html/ra63e8dc5137d952afc55dbbfa63be83304ecf842d1eab1ff3ebb29e2@%3Cnotifications.apisix.apache.org%3E", + "value": "https://bugzilla.redhat.com/2230948", }, { "type": "URL", - "value": "https://lists.debian.org/debian-lts-announce/2020/11/msg00050.html", + "value": "https://bugzilla.redhat.com/2230955", }, { "type": "URL", - "value": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LKQ3RVSMVZNZNO4D65W2CZZ4DMYFZN2Q/", + "value": "https://bugzilla.redhat.com/2230956", }, { "type": 
"URL", - "value": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UW27QVY7ERPTSGKS4KAWE5TU7EJWHKVQ/", + "value": "https://errata.almalinux.org/9/ALSA-2023-5363.html", }, { "type": "URL", - "value": "https://musl.libc.org/releases.html", + "value": "https://github.com/advisories/GHSA-c2qf-rxjj-qqgw", }, { "type": "URL", - "value": "https://www.oracle.com//security-alerts/cpujul2021.html", + "value": "https://github.com/npm/node-semver", }, { "type": "URL", - "value": "https://www.oracle.com/security-alerts/cpuoct2021.html", + "value": "https://github.com/npm/node-semver/blob/main/classes/range.js#L97-L104", }, - ], - "severity": "MEDIUM", - }, - { - "attributes": { - "fixedVersion": "1.31.1-r10", - "foundIn": "bkimminich/juice-shop:v10.2.0 (alpine 3.11.5)", - "installedVersion": "1.31.1-r9", - "packageName": "ssl_client", - "references": [ - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28831", - "https://git.busybox.net/busybox/commit/?id=f25d254dfd4243698c31a4f3153d4ac72aa9e9bd", - "https://lists.debian.org/debian-lts-announce/2021/04/msg00001.html", - "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3UDQGJRECXFS5EZVDH2OI45FMO436AC4/", - "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Z7ZIFKPRR32ZYA3WAA2NXFA3QHHOU6FJ/", - "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZASBW7QRRLY5V2R44MQ4QQM4CZIDHM2U/", - "https://security.gentoo.org/glsa/202105-09", - ], - "vulnerabilityId": "CVE-2021-28831", - }, - "category": "Image Vulnerability", - "description": "decompress_gunzip.c in BusyBox through 1.32.1 mishandles the error bit on the huft_build result pointer, with a resultant invalid free or segmentation fault, via malformed gzip data.", - "location": "bkimminich/juice-shop:v10.2.0", - "mitigation": "Update the affected package ssl_client to the fixed version: 
1.31.1-r10 or remove the package from the image.", - "name": "busybox: invalid free or segmentation fault via malformed gzip data", - "osi_layer": "NOT_APPLICABLE", - "references": [ { - "type": "CVE", - "value": "CVE-2021-28831", + "type": "URL", + "value": "https://github.com/npm/node-semver/blob/main/classes/range.js%23L97-L104", }, { "type": "URL", - "value": "https://nvd.nist.gov/vuln/detail/CVE-2021-28831", + "value": "https://github.com/npm/node-semver/blob/main/internal/re.js#L138", }, { "type": "URL", - "value": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28831", + "value": "https://github.com/npm/node-semver/blob/main/internal/re.js#L160", }, { "type": "URL", - "value": "https://git.busybox.net/busybox/commit/?id=f25d254dfd4243698c31a4f3153d4ac72aa9e9bd", + "value": "https://github.com/npm/node-semver/blob/main/internal/re.js%23L138", }, { "type": "URL", - "value": "https://lists.debian.org/debian-lts-announce/2021/04/msg00001.html", + "value": "https://github.com/npm/node-semver/blob/main/internal/re.js%23L160", }, { "type": "URL", - "value": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3UDQGJRECXFS5EZVDH2OI45FMO436AC4/", + "value": "https://github.com/npm/node-semver/commit/2f8fd41487acf380194579ecb6f8b1bbfe116be0", }, { "type": "URL", - "value": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Z7ZIFKPRR32ZYA3WAA2NXFA3QHHOU6FJ/", + "value": "https://github.com/npm/node-semver/commit/717534ee353682f3bcf33e60a8af4292626d4441", }, { "type": "URL", - "value": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZASBW7QRRLY5V2R44MQ4QQM4CZIDHM2U/", + "value": "https://github.com/npm/node-semver/commit/928e56d21150da0413a3333a3148b20e741a920c", }, { "type": "URL", - "value": "https://security.gentoo.org/glsa/202105-09", + "value": "https://github.com/npm/node-semver/pull/564", + }, + { + "type": "URL", + 
"value": "https://github.com/npm/node-semver/pull/585", }, - ], - "severity": "HIGH", - }, - { - "attributes": { - "fixedVersion": "5.0.1, 6.0.1", - "foundIn": "Node.js", - "installedVersion": "3.0.0", - "packageName": "ansi-regex", - "references": [ - "https://github.com/advisories/GHSA-93q8-gq69-wqmw", - "https://github.com/chalk/ansi-regex/commit/8d1d7cdb586269882c4bdc1b7325d0c58c8f76f9", - "https://huntr.dev/bounties/5b3cf33b-ede0-4398-9974-800876dfd994", - "https://nvd.nist.gov/vuln/detail/CVE-2021-3807", - ], - "vulnerabilityId": "CVE-2021-3807", - }, - "category": "NPM Package Vulnerability", - "description": "ansi-regex is vulnerable to Inefficient Regular Expression Complexity", - "location": "bkimminich/juice-shop:v10.2.0", - "mitigation": "Update the affected package ansi-regex to the fixed version: 5.0.1, 6.0.1 or remove the package from the image.", - "name": "nodejs-ansi-regex: Regular expression denial of service (ReDoS) matching ANSI escape codes", - "osi_layer": "NOT_APPLICABLE", - "references": [ { - "type": "CVE", - "value": "CVE-2021-3807", + "type": "URL", + "value": "https://github.com/npm/node-semver/pull/593", }, { "type": "URL", - "value": "https://nvd.nist.gov/vuln/detail/CVE-2021-3807", + "value": "https://linux.oracle.com/cve/CVE-2022-25883.html", }, { "type": "URL", - "value": "https://github.com/advisories/GHSA-93q8-gq69-wqmw", + "value": "https://linux.oracle.com/errata/ELSA-2023-5363.html", }, { "type": "URL", - "value": "https://github.com/chalk/ansi-regex/commit/8d1d7cdb586269882c4bdc1b7325d0c58c8f76f9", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2022-25883", }, { "type": "URL", - "value": "https://huntr.dev/bounties/5b3cf33b-ede0-4398-9974-800876dfd994", + "value": "https://security.snyk.io/vuln/SNYK-JS-SEMVER-3247795", }, { "type": "URL", - "value": "https://nvd.nist.gov/vuln/detail/CVE-2021-3807", + "value": "https://www.cve.org/CVERecord?id=CVE-2022-25883", }, ], "severity": "HIGH", }, { "attributes": { - "fixedVersion": 
"5.0.1, 6.0.1", + "fixedVersion": "7.5.2, 6.3.1, 5.7.2", "foundIn": "Node.js", - "installedVersion": "4.1.0", - "packageName": "ansi-regex", - "references": [ - "https://github.com/advisories/GHSA-93q8-gq69-wqmw", - "https://github.com/chalk/ansi-regex/commit/8d1d7cdb586269882c4bdc1b7325d0c58c8f76f9", - "https://huntr.dev/bounties/5b3cf33b-ede0-4398-9974-800876dfd994", - "https://nvd.nist.gov/vuln/detail/CVE-2021-3807", - ], - "vulnerabilityId": "CVE-2021-3807", + "installedVersion": "6.3.0", + "packageName": "semver", + "references": [ + "https://access.redhat.com/errata/RHSA-2023:5363", + "https://access.redhat.com/security/cve/CVE-2022-25883", + "https://bugzilla.redhat.com/2216475", + "https://bugzilla.redhat.com/2230948", + "https://bugzilla.redhat.com/2230955", + "https://bugzilla.redhat.com/2230956", + "https://errata.almalinux.org/9/ALSA-2023-5363.html", + "https://github.com/advisories/GHSA-c2qf-rxjj-qqgw", + "https://github.com/npm/node-semver", + "https://github.com/npm/node-semver/blob/main/classes/range.js#L97-L104", + "https://github.com/npm/node-semver/blob/main/classes/range.js%23L97-L104", + "https://github.com/npm/node-semver/blob/main/internal/re.js#L138", + "https://github.com/npm/node-semver/blob/main/internal/re.js#L160", + "https://github.com/npm/node-semver/blob/main/internal/re.js%23L138", + "https://github.com/npm/node-semver/blob/main/internal/re.js%23L160", + "https://github.com/npm/node-semver/commit/2f8fd41487acf380194579ecb6f8b1bbfe116be0", + "https://github.com/npm/node-semver/commit/717534ee353682f3bcf33e60a8af4292626d4441", + "https://github.com/npm/node-semver/commit/928e56d21150da0413a3333a3148b20e741a920c", + "https://github.com/npm/node-semver/pull/564", + "https://github.com/npm/node-semver/pull/585", + "https://github.com/npm/node-semver/pull/593", + "https://linux.oracle.com/cve/CVE-2022-25883.html", + "https://linux.oracle.com/errata/ELSA-2023-5363.html", + "https://nvd.nist.gov/vuln/detail/CVE-2022-25883", + 
"https://security.snyk.io/vuln/SNYK-JS-SEMVER-3247795", + "https://www.cve.org/CVERecord?id=CVE-2022-25883", + ], + "vulnerabilityId": "CVE-2022-25883", }, "category": "NPM Package Vulnerability", - "description": "ansi-regex is vulnerable to Inefficient Regular Expression Complexity", - "location": "bkimminich/juice-shop:v10.2.0", - "mitigation": "Update the affected package ansi-regex to the fixed version: 5.0.1, 6.0.1 or remove the package from the image.", - "name": "nodejs-ansi-regex: Regular expression denial of service (ReDoS) matching ANSI escape codes", + "description": "Versions of the package semver before 7.5.2 are vulnerable to Regular Expression Denial of Service (ReDoS) via the function new Range, when untrusted user data is provided as a range. + + +", + "location": "bkimminich/juice-shop:v12.10.2", + "mitigation": "Update the affected package semver to the fixed version: 7.5.2, 6.3.1, 5.7.2 or remove the package from the image.", + "name": "nodejs-semver: Regular expression denial of service", "osi_layer": "NOT_APPLICABLE", "references": [ { "type": "CVE", - "value": "CVE-2021-3807", + "value": "CVE-2022-25883", }, { "type": "URL", - "value": "https://nvd.nist.gov/vuln/detail/CVE-2021-3807", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2022-25883", }, { "type": "URL", - "value": "https://github.com/advisories/GHSA-93q8-gq69-wqmw", + "value": "https://access.redhat.com/errata/RHSA-2023:5363", }, { "type": "URL", - "value": "https://github.com/chalk/ansi-regex/commit/8d1d7cdb586269882c4bdc1b7325d0c58c8f76f9", + "value": "https://access.redhat.com/security/cve/CVE-2022-25883", }, { "type": "URL", - "value": "https://huntr.dev/bounties/5b3cf33b-ede0-4398-9974-800876dfd994", + "value": "https://bugzilla.redhat.com/2216475", }, { "type": "URL", - "value": "https://nvd.nist.gov/vuln/detail/CVE-2021-3807", + "value": "https://bugzilla.redhat.com/2230948", }, - ], - "severity": "HIGH", - }, - { - "attributes": { - "fixedVersion": ">=3.0.0", - "foundIn": 
"Node.js", - "installedVersion": "0.0.6", - "packageName": "base64url", - "references": [ - "https://github.com/brianloveswords/base64url/pull/25", - "https://hackerone.com/reports/321687", - ], - "vulnerabilityId": "NSWG-ECO-428", - }, - "category": "NPM Package Vulnerability", - "description": "\`base64url\` allocates uninitialized Buffers when number is passed in input on Node.js 4.x and below", - "location": "bkimminich/juice-shop:v10.2.0", - "mitigation": "Update the affected package base64url to the fixed version: >=3.0.0 or remove the package from the image.", - "name": "Out-of-bounds Read", - "osi_layer": "NOT_APPLICABLE", - "references": [ { - "type": "NSWG", - "value": "NSWG-ECO-428", + "type": "URL", + "value": "https://bugzilla.redhat.com/2230955", }, { "type": "URL", - "value": "https://github.com/nodejs/security-wg/tree/master/vuln", + "value": "https://bugzilla.redhat.com/2230956", }, { "type": "URL", - "value": "https://github.com/brianloveswords/base64url/pull/25", + "value": "https://errata.almalinux.org/9/ALSA-2023-5363.html", }, { "type": "URL", - "value": "https://hackerone.com/reports/321687", + "value": "https://github.com/advisories/GHSA-c2qf-rxjj-qqgw", }, - ], - "severity": "HIGH", - }, - { - "attributes": { - "fixedVersion": "3.0.0", - "foundIn": "Node.js", - "installedVersion": "0.0.6", - "packageName": "base64url", - "references": [ - "https://github.com/advisories/GHSA-rvg8-pwq2-xj7q", - "https://github.com/brianloveswords/base64url/pull/25", - ], - "vulnerabilityId": "GHSA-rvg8-pwq2-xj7q", - }, - "category": "NPM Package Vulnerability", - "description": "Versions of \`base64url\` before 3.0.0 are vulnerable to to out-of-bounds reads as it allocates uninitialized Buffers when number is passed in input on Node.js 4.x and below. 
- - -## Recommendation - -Update to version 3.0.0 or later.", - "location": "bkimminich/juice-shop:v10.2.0", - "mitigation": "Update the affected package base64url to the fixed version: 3.0.0 or remove the package from the image.", - "name": "Out-of-bounds Read in base64url", - "osi_layer": "NOT_APPLICABLE", - "references": [ { "type": "URL", - "value": "https://github.com/advisories/GHSA-rvg8-pwq2-xj7q", + "value": "https://github.com/npm/node-semver", }, { "type": "URL", - "value": "https://github.com/brianloveswords/base64url/pull/25", + "value": "https://github.com/npm/node-semver/blob/main/classes/range.js#L97-L104", }, - ], - "severity": "MEDIUM", - }, - { - "attributes": { - "fixedVersion": "2.2.1, 1.2.3, 4.0.3, 3.0.1", - "foundIn": "Node.js", - "installedVersion": "1.2.2", - "packageName": "bl", - "references": [ - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8244", - "https://github.com/advisories/GHSA-pp7h-53gx-mx7r", - "https://github.com/rvagg/bl/commit/d3e240e3b8ba4048d3c76ef5fb9dd1f8872d3190", - "https://hackerone.com/reports/966347", - "https://nvd.nist.gov/vuln/detail/CVE-2020-8244", - "https://ubuntu.com/security/notices/USN-5098-1", - ], - "vulnerabilityId": "CVE-2020-8244", - }, - "category": "NPM Package Vulnerability", - "description": "A buffer over-read vulnerability exists in bl <4.0.3, <3.0.1, <2.2.1, and <1.2.3 which could allow an attacker to supply user input (even typed) that if it ends up in consume() argument and can become negative, the BufferList state can be corrupted, tricking it into exposing uninitialized memory via regular .slice() calls.", - "location": "bkimminich/juice-shop:v10.2.0", - "mitigation": "Update the affected package bl to the fixed version: 2.2.1, 1.2.3, 4.0.3, 3.0.1 or remove the package from the image.", - "name": "nodejs-bl: buffer over-read vulnerability leads to corrupted BufferList which can result in uninitialized memory being leaked", - "osi_layer": "NOT_APPLICABLE", - "references": [ { - 
"type": "CVE", - "value": "CVE-2020-8244", + "type": "URL", + "value": "https://github.com/npm/node-semver/blob/main/classes/range.js%23L97-L104", }, { "type": "URL", - "value": "https://nvd.nist.gov/vuln/detail/CVE-2020-8244", + "value": "https://github.com/npm/node-semver/blob/main/internal/re.js#L138", }, { "type": "URL", - "value": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8244", + "value": "https://github.com/npm/node-semver/blob/main/internal/re.js#L160", }, { "type": "URL", - "value": "https://github.com/advisories/GHSA-pp7h-53gx-mx7r", + "value": "https://github.com/npm/node-semver/blob/main/internal/re.js%23L138", }, { "type": "URL", - "value": "https://github.com/rvagg/bl/commit/d3e240e3b8ba4048d3c76ef5fb9dd1f8872d3190", + "value": "https://github.com/npm/node-semver/blob/main/internal/re.js%23L160", }, { "type": "URL", - "value": "https://hackerone.com/reports/966347", + "value": "https://github.com/npm/node-semver/commit/2f8fd41487acf380194579ecb6f8b1bbfe116be0", }, { "type": "URL", - "value": "https://nvd.nist.gov/vuln/detail/CVE-2020-8244", + "value": "https://github.com/npm/node-semver/commit/717534ee353682f3bcf33e60a8af4292626d4441", }, { "type": "URL", - "value": "https://ubuntu.com/security/notices/USN-5098-1", + "value": "https://github.com/npm/node-semver/commit/928e56d21150da0413a3333a3148b20e741a920c", }, - ], - "severity": "MEDIUM", - }, - { - "attributes": { - "fixedVersion": "2.2.1, 1.2.3, 4.0.3, 3.0.1", - "foundIn": "Node.js", - "installedVersion": "4.0.2", - "packageName": "bl", - "references": [ - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8244", - "https://github.com/advisories/GHSA-pp7h-53gx-mx7r", - "https://github.com/rvagg/bl/commit/d3e240e3b8ba4048d3c76ef5fb9dd1f8872d3190", - "https://hackerone.com/reports/966347", - "https://nvd.nist.gov/vuln/detail/CVE-2020-8244", - "https://ubuntu.com/security/notices/USN-5098-1", - ], - "vulnerabilityId": "CVE-2020-8244", - }, - "category": "NPM Package 
Vulnerability", - "description": "A buffer over-read vulnerability exists in bl <4.0.3, <3.0.1, <2.2.1, and <1.2.3 which could allow an attacker to supply user input (even typed) that if it ends up in consume() argument and can become negative, the BufferList state can be corrupted, tricking it into exposing uninitialized memory via regular .slice() calls.", - "location": "bkimminich/juice-shop:v10.2.0", - "mitigation": "Update the affected package bl to the fixed version: 2.2.1, 1.2.3, 4.0.3, 3.0.1 or remove the package from the image.", - "name": "nodejs-bl: buffer over-read vulnerability leads to corrupted BufferList which can result in uninitialized memory being leaked", - "osi_layer": "NOT_APPLICABLE", - "references": [ { - "type": "CVE", - "value": "CVE-2020-8244", + "type": "URL", + "value": "https://github.com/npm/node-semver/pull/564", }, { "type": "URL", - "value": "https://nvd.nist.gov/vuln/detail/CVE-2020-8244", + "value": "https://github.com/npm/node-semver/pull/585", }, { "type": "URL", - "value": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8244", + "value": "https://github.com/npm/node-semver/pull/593", }, { "type": "URL", - "value": "https://github.com/advisories/GHSA-pp7h-53gx-mx7r", + "value": "https://linux.oracle.com/cve/CVE-2022-25883.html", }, { "type": "URL", - "value": "https://github.com/rvagg/bl/commit/d3e240e3b8ba4048d3c76ef5fb9dd1f8872d3190", + "value": "https://linux.oracle.com/errata/ELSA-2023-5363.html", }, { "type": "URL", - "value": "https://hackerone.com/reports/966347", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2022-25883", }, { "type": "URL", - "value": "https://nvd.nist.gov/vuln/detail/CVE-2020-8244", + "value": "https://security.snyk.io/vuln/SNYK-JS-SEMVER-3247795", }, { "type": "URL", - "value": "https://ubuntu.com/security/notices/USN-5098-1", + "value": "https://www.cve.org/CVERecord?id=CVE-2022-25883", }, ], - "severity": "MEDIUM", + "severity": "HIGH", }, { "attributes": { - "fixedVersion": "1.5.5", + 
"fixedVersion": "7.5.2, 6.3.1, 5.7.2", "foundIn": "Node.js", - "installedVersion": "1.5.3", - "packageName": "color-string", - "references": [ - "https://github.com/Qix-/color-string/commit/0789e21284c33d89ebc4ab4ca6f759b9375ac9d3", - "https://github.com/advisories/GHSA-257v-vj4p-3w2h", - "https://github.com/yetingli/PoCs/blob/main/CVE-2021-29060/Color-String.md", - "https://github.com/yetingli/SaveResults/blob/main/js/color-string.js", - "https://nvd.nist.gov/vuln/detail/CVE-2021-29060", - "https://snyk.io/vuln/SNYK-JS-COLORSTRING-1082939", - "https://www.npmjs.com/package/color-string", - ], - "vulnerabilityId": "CVE-2021-29060", + "installedVersion": "7.3.5", + "packageName": "semver", + "references": [ + "https://access.redhat.com/errata/RHSA-2023:5363", + "https://access.redhat.com/security/cve/CVE-2022-25883", + "https://bugzilla.redhat.com/2216475", + "https://bugzilla.redhat.com/2230948", + "https://bugzilla.redhat.com/2230955", + "https://bugzilla.redhat.com/2230956", + "https://errata.almalinux.org/9/ALSA-2023-5363.html", + "https://github.com/advisories/GHSA-c2qf-rxjj-qqgw", + "https://github.com/npm/node-semver", + "https://github.com/npm/node-semver/blob/main/classes/range.js#L97-L104", + "https://github.com/npm/node-semver/blob/main/classes/range.js%23L97-L104", + "https://github.com/npm/node-semver/blob/main/internal/re.js#L138", + "https://github.com/npm/node-semver/blob/main/internal/re.js#L160", + "https://github.com/npm/node-semver/blob/main/internal/re.js%23L138", + "https://github.com/npm/node-semver/blob/main/internal/re.js%23L160", + "https://github.com/npm/node-semver/commit/2f8fd41487acf380194579ecb6f8b1bbfe116be0", + "https://github.com/npm/node-semver/commit/717534ee353682f3bcf33e60a8af4292626d4441", + "https://github.com/npm/node-semver/commit/928e56d21150da0413a3333a3148b20e741a920c", + "https://github.com/npm/node-semver/pull/564", + "https://github.com/npm/node-semver/pull/585", + "https://github.com/npm/node-semver/pull/593", + 
"https://linux.oracle.com/cve/CVE-2022-25883.html", + "https://linux.oracle.com/errata/ELSA-2023-5363.html", + "https://nvd.nist.gov/vuln/detail/CVE-2022-25883", + "https://security.snyk.io/vuln/SNYK-JS-SEMVER-3247795", + "https://www.cve.org/CVERecord?id=CVE-2022-25883", + ], + "vulnerabilityId": "CVE-2022-25883", }, "category": "NPM Package Vulnerability", - "description": "A Regular Expression Denial of Service (ReDOS) vulnerability was discovered in Color-String version 1.5.5 and below which occurs when the application is provided and checks a crafted invalid HWB string.", - "location": "bkimminich/juice-shop:v10.2.0", - "mitigation": "Update the affected package color-string to the fixed version: 1.5.5 or remove the package from the image.", - "name": "nodejs-color-string: Regular expression denial of service when the application is provided and checks a crafted invalid HWB string", + "description": "Versions of the package semver before 7.5.2 are vulnerable to Regular Expression Denial of Service (ReDoS) via the function new Range, when untrusted user data is provided as a range. 
+ + +", + "location": "bkimminich/juice-shop:v12.10.2", + "mitigation": "Update the affected package semver to the fixed version: 7.5.2, 6.3.1, 5.7.2 or remove the package from the image.", + "name": "nodejs-semver: Regular expression denial of service", "osi_layer": "NOT_APPLICABLE", "references": [ { "type": "CVE", - "value": "CVE-2021-29060", + "value": "CVE-2022-25883", }, { "type": "URL", - "value": "https://nvd.nist.gov/vuln/detail/CVE-2021-29060", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2022-25883", }, { "type": "URL", - "value": "https://github.com/Qix-/color-string/commit/0789e21284c33d89ebc4ab4ca6f759b9375ac9d3", + "value": "https://access.redhat.com/errata/RHSA-2023:5363", }, { "type": "URL", - "value": "https://github.com/advisories/GHSA-257v-vj4p-3w2h", + "value": "https://access.redhat.com/security/cve/CVE-2022-25883", }, { "type": "URL", - "value": "https://github.com/yetingli/PoCs/blob/main/CVE-2021-29060/Color-String.md", + "value": "https://bugzilla.redhat.com/2216475", }, { "type": "URL", - "value": "https://github.com/yetingli/SaveResults/blob/main/js/color-string.js", + "value": "https://bugzilla.redhat.com/2230948", }, { "type": "URL", - "value": "https://nvd.nist.gov/vuln/detail/CVE-2021-29060", + "value": "https://bugzilla.redhat.com/2230955", }, { "type": "URL", - "value": "https://snyk.io/vuln/SNYK-JS-COLORSTRING-1082939", + "value": "https://bugzilla.redhat.com/2230956", }, { "type": "URL", - "value": "https://www.npmjs.com/package/color-string", + "value": "https://errata.almalinux.org/9/ALSA-2023-5363.html", }, - ], - "severity": "MEDIUM", - }, - { - "attributes": { - "fixedVersion": "3.5.0", - "foundIn": "Node.js", - "installedVersion": "1.0.2", - "packageName": "diff", - "references": [ - "https://github.com/advisories/GHSA-h6ch-v84p-w6p9", - "https://github.com/kpdecker/jsdiff/commit/2aec4298639bf30fb88a00b356bf404d3551b8c0", - ], - "vulnerabilityId": "GHSA-h6ch-v84p-w6p9", - }, - "category": "NPM Package Vulnerability", - 
"description": "A vulnerability was found in diff before v3.5.0, the affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) attacks.", - "location": "bkimminich/juice-shop:v10.2.0", - "mitigation": "Update the affected package diff to the fixed version: 3.5.0 or remove the package from the image.", - "name": "Regular Expression Denial of Service (ReDoS)", - "osi_layer": "NOT_APPLICABLE", - "references": [ { "type": "URL", - "value": "https://github.com/advisories/GHSA-h6ch-v84p-w6p9", + "value": "https://github.com/advisories/GHSA-c2qf-rxjj-qqgw", }, { "type": "URL", - "value": "https://github.com/kpdecker/jsdiff/commit/2aec4298639bf30fb88a00b356bf404d3551b8c0", - }, - ], - "severity": "HIGH", - }, - { - "attributes": { - "fixedVersion": "5.1.1, 4.2.1", - "foundIn": "Node.js", - "installedVersion": "4.2.0", - "packageName": "dot-prop", - "references": [ - "https://github.com/advisories/GHSA-ff7x-qrg7-qggm", - "https://github.com/sindresorhus/dot-prop/issues/63", - "https://github.com/sindresorhus/dot-prop/tree/v4", - "https://hackerone.com/reports/719856", - "https://linux.oracle.com/cve/CVE-2020-8116.html", - "https://linux.oracle.com/errata/ELSA-2021-0548.html", - "https://nvd.nist.gov/vuln/detail/CVE-2020-8116", - ], - "vulnerabilityId": "CVE-2020-8116", - }, - "category": "NPM Package Vulnerability", - "description": "Prototype pollution vulnerability in dot-prop npm package versions before 4.2.1 and versions 5.x before 5.1.1 allows an attacker to add arbitrary properties to JavaScript language constructs such as objects.", - "location": "bkimminich/juice-shop:v10.2.0", - "mitigation": "Update the affected package dot-prop to the fixed version: 5.1.1, 4.2.1 or remove the package from the image.", - "name": "nodejs-dot-prop: prototype pollution", - "osi_layer": "NOT_APPLICABLE", - "references": [ - { - "type": "CVE", - "value": "CVE-2020-8116", + "value": "https://github.com/npm/node-semver", }, { "type": "URL", - 
"value": "https://nvd.nist.gov/vuln/detail/CVE-2020-8116", + "value": "https://github.com/npm/node-semver/blob/main/classes/range.js#L97-L104", }, { "type": "URL", - "value": "https://github.com/advisories/GHSA-ff7x-qrg7-qggm", + "value": "https://github.com/npm/node-semver/blob/main/classes/range.js%23L97-L104", }, { "type": "URL", - "value": "https://github.com/sindresorhus/dot-prop/issues/63", + "value": "https://github.com/npm/node-semver/blob/main/internal/re.js#L138", }, { "type": "URL", - "value": "https://github.com/sindresorhus/dot-prop/tree/v4", + "value": "https://github.com/npm/node-semver/blob/main/internal/re.js#L160", }, { "type": "URL", - "value": "https://hackerone.com/reports/719856", + "value": "https://github.com/npm/node-semver/blob/main/internal/re.js%23L138", }, { "type": "URL", - "value": "https://linux.oracle.com/cve/CVE-2020-8116.html", + "value": "https://github.com/npm/node-semver/blob/main/internal/re.js%23L160", }, { "type": "URL", - "value": "https://linux.oracle.com/errata/ELSA-2021-0548.html", + "value": "https://github.com/npm/node-semver/commit/2f8fd41487acf380194579ecb6f8b1bbfe116be0", }, { - "type": "URL", - "value": "https://nvd.nist.gov/vuln/detail/CVE-2020-8116", - }, - ], - "severity": "HIGH", - }, - { - "attributes": { - "fixedVersion": "6.0.0", - "foundIn": "Node.js", - "installedVersion": "0.1.3", - "packageName": "express-jwt", - "references": [ - "https://github.com/advisories/GHSA-6g6m-m6h5-w9gf", - "https://github.com/auth0/express-jwt/commit/7ecab5f8f0cab5297c2b863596566eb0c019cdef", - "https://github.com/auth0/express-jwt/security/advisories/GHSA-6g6m-m6h5-w9gf", - "https://nvd.nist.gov/vuln/detail/CVE-2020-15084", - ], - "vulnerabilityId": "CVE-2020-15084", - }, - "category": "NPM Package Vulnerability", - "description": "In express-jwt (NPM package) up and including version 5.3.3, the algorithms entry to be specified in the configuration is not being enforced. 
When algorithms is not specified in the configuration, with the combination of jwks-rsa, it may lead to authorization bypass. You are affected by this vulnerability if all of the following conditions apply: - You are using express-jwt - You do not have **algorithms** configured in your express-jwt configuration. - You are using libraries such as jwks-rsa as the **secret**. You can fix this by specifying **algorithms** in the express-jwt configuration. See linked GHSA for example. This is also fixed in version 6.0.0.", - "location": "bkimminich/juice-shop:v10.2.0", - "mitigation": "Update the affected package express-jwt to the fixed version: 6.0.0 or remove the package from the image.", - "name": "Authorization bypass in express-jwt", - "osi_layer": "NOT_APPLICABLE", - "references": [ + "type": "URL", + "value": "https://github.com/npm/node-semver/commit/717534ee353682f3bcf33e60a8af4292626d4441", + }, { - "type": "CVE", - "value": "CVE-2020-15084", + "type": "URL", + "value": "https://github.com/npm/node-semver/commit/928e56d21150da0413a3333a3148b20e741a920c", }, { "type": "URL", - "value": "https://nvd.nist.gov/vuln/detail/CVE-2020-15084", + "value": "https://github.com/npm/node-semver/pull/564", }, { "type": "URL", - "value": "https://github.com/advisories/GHSA-6g6m-m6h5-w9gf", + "value": "https://github.com/npm/node-semver/pull/585", }, { "type": "URL", - "value": "https://github.com/auth0/express-jwt/commit/7ecab5f8f0cab5297c2b863596566eb0c019cdef", + "value": "https://github.com/npm/node-semver/pull/593", }, { "type": "URL", - "value": "https://github.com/auth0/express-jwt/security/advisories/GHSA-6g6m-m6h5-w9gf", + "value": "https://linux.oracle.com/cve/CVE-2022-25883.html", }, { "type": "URL", - "value": "https://nvd.nist.gov/vuln/detail/CVE-2020-15084", + "value": "https://linux.oracle.com/errata/ELSA-2023-5363.html", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2022-25883", + }, + { + "type": "URL", + "value": 
"https://security.snyk.io/vuln/SNYK-JS-SEMVER-3247795", + }, + { + "type": "URL", + "value": "https://www.cve.org/CVERecord?id=CVE-2022-25883", }, ], "severity": "HIGH", }, { "attributes": { - "fixedVersion": "1.0.0", + "fixedVersion": "0.19.0", "foundIn": "Node.js", - "installedVersion": "0.1.0", - "packageName": "getobject", + "installedVersion": "0.17.1", + "packageName": "send", "references": [ - "https://github.com/advisories/GHSA-957j-59c2-j692", - "https://github.com/cowboy/node-getobject/blob/aba04a8e1d6180eb39eff09990c3a43886ba8937/lib/getobject.js#L48", - "https://nvd.nist.gov/vuln/detail/CVE-2020-28282", - "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2020-28282", + "https://access.redhat.com/security/cve/CVE-2024-43799", + "https://github.com/pillarjs/send", + "https://github.com/pillarjs/send/commit/ae4f2989491b392ae2ef3b0015a019770ae65d35", + "https://github.com/pillarjs/send/security/advisories/GHSA-m6fv-jmcg-4jfg", + "https://nvd.nist.gov/vuln/detail/CVE-2024-43799", + "https://www.cve.org/CVERecord?id=CVE-2024-43799", ], - "vulnerabilityId": "CVE-2020-28282", + "vulnerabilityId": "CVE-2024-43799", }, "category": "NPM Package Vulnerability", - "description": "Prototype pollution vulnerability in 'getobject' version 0.1.0 allows an attacker to cause a denial of service and may lead to remote code execution.", - "location": "bkimminich/juice-shop:v10.2.0", - "mitigation": "Update the affected package getobject to the fixed version: 1.0.0 or remove the package from the image.", - "name": "nodejs-getobject: Prototype pollution could result in DoS and RCE", + "description": "Send is a library for streaming files from the file system as a http response. Send passes untrusted user input to SendStream.redirect() which executes untrusted code. 
This issue is patched in send 0.19.0.", + "location": "bkimminich/juice-shop:v12.10.2", + "mitigation": "Update the affected package send to the fixed version: 0.19.0 or remove the package from the image.", + "name": "send: Code Execution Vulnerability in Send Library", "osi_layer": "NOT_APPLICABLE", "references": [ { "type": "CVE", - "value": "CVE-2020-28282", + "value": "CVE-2024-43799", }, { "type": "URL", - "value": "https://nvd.nist.gov/vuln/detail/CVE-2020-28282", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2024-43799", }, { "type": "URL", - "value": "https://github.com/advisories/GHSA-957j-59c2-j692", + "value": "https://access.redhat.com/security/cve/CVE-2024-43799", }, { "type": "URL", - "value": "https://github.com/cowboy/node-getobject/blob/aba04a8e1d6180eb39eff09990c3a43886ba8937/lib/getobject.js#L48", + "value": "https://github.com/pillarjs/send", }, { "type": "URL", - "value": "https://nvd.nist.gov/vuln/detail/CVE-2020-28282", + "value": "https://github.com/pillarjs/send/commit/ae4f2989491b392ae2ef3b0015a019770ae65d35", }, { "type": "URL", - "value": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2020-28282", + "value": "https://github.com/pillarjs/send/security/advisories/GHSA-m6fv-jmcg-4jfg", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2024-43799", + }, + { + "type": "URL", + "value": "https://www.cve.org/CVERecord?id=CVE-2024-43799", }, ], - "severity": "HIGH", + "severity": "MEDIUM", }, { "attributes": { - "fixedVersion": "1.10.0", + "fixedVersion": "6.29.0", "foundIn": "Node.js", - "installedVersion": "1.5.1", - "packageName": "growl", - "references": [ - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16042", - "https://github.com/advisories/GHSA-qh2h-chj9-jffq", - "https://github.com/tj/node-growl/issues/60", - "https://github.com/tj/node-growl/pull/61", - "https://nodesecurity.io/advisories/146", - "https://nvd.nist.gov/vuln/detail/CVE-2017-16042", - ], - "vulnerabilityId": 
"CVE-2017-16042", + "installedVersion": "6.7.0", + "packageName": "sequelize", + "references": [ + "https://csirt.divd.nl/CVE-2023-22578", + "https://csirt.divd.nl/DIVD-2022-00020", + "https://csirt.divd.nl/DIVD-2022-00020/", + "https://github.com/sequelize/sequelize", + "https://github.com/sequelize/sequelize/discussions/15694", + "https://github.com/sequelize/sequelize/pull/15710", + "https://github.com/sequelize/sequelize/releases/tag/v6.29.0", + "https://github.com/sequelize/sequelize/releases/tag/v7.0.0-alpha.20", + "https://github.com/sequelize/sequelize/security/advisories/GHSA-f598-mfpv-gmfx", + "https://nvd.nist.gov/vuln/detail/CVE-2023-22578", + ], + "vulnerabilityId": "CVE-2023-22578", }, "category": "NPM Package Vulnerability", - "description": "Growl adds growl notification support to nodejs. Growl before 1.10.2 does not properly sanitize input before passing it to exec, allowing for arbitrary command execution.", - "location": "bkimminich/juice-shop:v10.2.0", - "mitigation": "Update the affected package growl to the fixed version: 1.10.0 or remove the package from the image.", - "name": "nodejs-growl: Does not properly sanitize input before passing it to exec", + "description": "Due to improper artibute filtering in the sequalize js library, can a attacker peform SQL injections.", + "location": "bkimminich/juice-shop:v12.10.2", + "mitigation": "Update the affected package sequelize to the fixed version: 6.29.0 or remove the package from the image.", + "name": "Sequelize - Default support for “raw attributes” when using parentheses", "osi_layer": "NOT_APPLICABLE", "references": [ { "type": "CVE", - "value": "CVE-2017-16042", + "value": "CVE-2023-22578", }, { "type": "URL", - "value": "https://nvd.nist.gov/vuln/detail/CVE-2017-16042", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2023-22578", }, { "type": "URL", - "value": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16042", + "value": "https://csirt.divd.nl/CVE-2023-22578", }, { "type": 
"URL", - "value": "https://github.com/advisories/GHSA-qh2h-chj9-jffq", + "value": "https://csirt.divd.nl/DIVD-2022-00020", }, { "type": "URL", - "value": "https://github.com/tj/node-growl/issues/60", + "value": "https://csirt.divd.nl/DIVD-2022-00020/", }, { "type": "URL", - "value": "https://github.com/tj/node-growl/pull/61", + "value": "https://github.com/sequelize/sequelize", }, { "type": "URL", - "value": "https://nodesecurity.io/advisories/146", + "value": "https://github.com/sequelize/sequelize/discussions/15694", }, { "type": "URL", - "value": "https://nvd.nist.gov/vuln/detail/CVE-2017-16042", + "value": "https://github.com/sequelize/sequelize/pull/15710", + }, + { + "type": "URL", + "value": "https://github.com/sequelize/sequelize/releases/tag/v6.29.0", + }, + { + "type": "URL", + "value": "https://github.com/sequelize/sequelize/releases/tag/v7.0.0-alpha.20", + }, + { + "type": "URL", + "value": "https://github.com/sequelize/sequelize/security/advisories/GHSA-f598-mfpv-gmfx", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2023-22578", }, ], "severity": "HIGH", }, { "attributes": { - "fixedVersion": "1.3.0", + "fixedVersion": "6.28.1", "foundIn": "Node.js", - "installedVersion": "1.1.0", - "packageName": "grunt", - "references": [ - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7729", - "https://github.com/advisories/GHSA-m5pj-vjjf-4m3h", - "https://github.com/gruntjs/grunt/blob/master/lib/grunt/file.js%23L249", - "https://github.com/gruntjs/grunt/commit/e350cea1724eb3476464561a380fb6a64e61e4e7", - "https://lists.debian.org/debian-lts-announce/2020/09/msg00008.html", - "https://nvd.nist.gov/vuln/detail/CVE-2020-7729", - "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-607922", - "https://snyk.io/vuln/SNYK-JS-GRUNT-597546", - "https://ubuntu.com/security/notices/USN-4595-1", - "https://usn.ubuntu.com/4595-1/", - ], - "vulnerabilityId": "CVE-2020-7729", + "installedVersion": "6.7.0", + "packageName": "sequelize", + 
"references": [ + "https://csirt.divd.nl/CVE-2023-22579", + "https://csirt.divd.nl/DIVD-2022-00020", + "https://csirt.divd.nl/DIVD-2022-00020/", + "https://github.com/sequelize/sequelize", + "https://github.com/sequelize/sequelize/discussions/15698", + "https://github.com/sequelize/sequelize/pull/15375", + "https://github.com/sequelize/sequelize/pull/15699", + "https://github.com/sequelize/sequelize/releases/tag/v6.28.1", + "https://github.com/sequelize/sequelize/releases/tag/v7.0.0-alpha.20", + "https://github.com/sequelize/sequelize/security/advisories/GHSA-vqfx-gj96-3w95", + "https://nvd.nist.gov/vuln/detail/CVE-2023-22579", + ], + "vulnerabilityId": "CVE-2023-22579", }, "category": "NPM Package Vulnerability", - "description": "The package grunt before 1.3.0 are vulnerable to Arbitrary Code Execution due to the default usage of the function load() instead of its secure replacement safeLoad() of the package js-yaml inside grunt.file.readYAML.", - "location": "bkimminich/juice-shop:v10.2.0", - "mitigation": "Update the affected package grunt to the fixed version: 1.3.0 or remove the package from the image.", - "name": "Arbitrary Code Execution in grunt", + "description": "Due to improper parameter filtering in the sequalize js library, can a attacker peform injection.", + "location": "bkimminich/juice-shop:v12.10.2", + "mitigation": "Update the affected package sequelize to the fixed version: 6.28.1 or remove the package from the image.", + "name": "Unsafe fall-through in getWhereConditions", "osi_layer": "NOT_APPLICABLE", "references": [ { "type": "CVE", - "value": "CVE-2020-7729", + "value": "CVE-2023-22579", }, { "type": "URL", - "value": "https://nvd.nist.gov/vuln/detail/CVE-2020-7729", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2023-22579", }, { "type": "URL", - "value": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7729", + "value": "https://csirt.divd.nl/CVE-2023-22579", }, { "type": "URL", - "value": 
"https://github.com/advisories/GHSA-m5pj-vjjf-4m3h", + "value": "https://csirt.divd.nl/DIVD-2022-00020", }, { "type": "URL", - "value": "https://github.com/gruntjs/grunt/blob/master/lib/grunt/file.js%23L249", + "value": "https://csirt.divd.nl/DIVD-2022-00020/", }, { "type": "URL", - "value": "https://github.com/gruntjs/grunt/commit/e350cea1724eb3476464561a380fb6a64e61e4e7", + "value": "https://github.com/sequelize/sequelize", }, { "type": "URL", - "value": "https://lists.debian.org/debian-lts-announce/2020/09/msg00008.html", + "value": "https://github.com/sequelize/sequelize/discussions/15698", }, { "type": "URL", - "value": "https://nvd.nist.gov/vuln/detail/CVE-2020-7729", + "value": "https://github.com/sequelize/sequelize/pull/15375", }, { "type": "URL", - "value": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-607922", + "value": "https://github.com/sequelize/sequelize/pull/15699", }, { "type": "URL", - "value": "https://snyk.io/vuln/SNYK-JS-GRUNT-597546", + "value": "https://github.com/sequelize/sequelize/releases/tag/v6.28.1", }, { "type": "URL", - "value": "https://ubuntu.com/security/notices/USN-4595-1", + "value": "https://github.com/sequelize/sequelize/releases/tag/v7.0.0-alpha.20", }, { "type": "URL", - "value": "https://usn.ubuntu.com/4595-1/", + "value": "https://github.com/sequelize/sequelize/security/advisories/GHSA-vqfx-gj96-3w95", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2023-22579", }, ], "severity": "HIGH", }, { "attributes": { - "fixedVersion": "2.8.9, 3.0.8", + "fixedVersion": "6.19.1", "foundIn": "Node.js", - "installedVersion": "2.8.8", - "packageName": "hosted-git-info", + "installedVersion": "6.7.0", + "packageName": "sequelize", "references": [ - "https://github.com/advisories/GHSA-43f8-2h32-f4cj", - "https://github.com/npm/hosted-git-info/commit/29adfe5ef789784c861b2cdeb15051ec2ba651a7", - "https://github.com/npm/hosted-git-info/commit/8d4b3697d79bcd89cdb36d1db165e3696c783a01", - 
"https://github.com/npm/hosted-git-info/commit/bede0dc38e1785e732bf0a48ba6f81a4a908eba3", - "https://github.com/npm/hosted-git-info/commits/v2", - "https://linux.oracle.com/cve/CVE-2021-23362.html", - "https://linux.oracle.com/errata/ELSA-2021-3074.html", - "https://nvd.nist.gov/vuln/detail/CVE-2021-23362", - "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1088356", - "https://snyk.io/vuln/SNYK-JS-HOSTEDGITINFO-1088355", + "https://github.com/sequelize/sequelize", + "https://github.com/sequelize/sequelize/commit/ccaa3996047fe00048d5993ab2dd43ebadd4f78b", + "https://github.com/sequelize/sequelize/issues/14519", + "https://github.com/sequelize/sequelize/releases/tag/v6.19.1", + "https://github.com/sequelize/sequelize/security/advisories/GHSA-wrh9-cjv3-2hpw", + "https://nvd.nist.gov/vuln/detail/CVE-2023-25813", + "https://security.snyk.io/vuln/SNYK-JS-SEQUELIZE-2932027", ], - "vulnerabilityId": "CVE-2021-23362", + "vulnerabilityId": "CVE-2023-25813", }, "category": "NPM Package Vulnerability", - "description": "The package hosted-git-info before 3.0.8 are vulnerable to Regular Expression Denial of Service (ReDoS) via regular expression shortcutMatch in the fromUrl function in index.js. The affected regular expression exhibits polynomial worst-case time complexity.", - "location": "bkimminich/juice-shop:v10.2.0", - "mitigation": "Update the affected package hosted-git-info to the fixed version: 2.8.9, 3.0.8 or remove the package from the image.", - "name": "nodejs-hosted-git-info: Regular Expression denial of service via shortcutMatch in fromUrl()", + "description": "Sequelize is a Node.js ORM tool. In versions prior to 6.19.1 a SQL injection exploit exists related to replacements. Parameters which are passed through replacements are not properly escaped which can lead to arbitrary SQL injection depending on the specific queries in use. The issue has been fixed in Sequelize 6.19.1. Users are advised to upgrade. 
Users unable to upgrade should not use the \`replacements\` and the \`where\` option in the same query.", + "location": "bkimminich/juice-shop:v12.10.2", + "mitigation": "Update the affected package sequelize to the fixed version: 6.19.1 or remove the package from the image.", + "name": "Sequelize vulnerable to SQL Injection via replacements", "osi_layer": "NOT_APPLICABLE", "references": [ { "type": "CVE", - "value": "CVE-2021-23362", - }, - { - "type": "URL", - "value": "https://nvd.nist.gov/vuln/detail/CVE-2021-23362", - }, - { - "type": "URL", - "value": "https://github.com/advisories/GHSA-43f8-2h32-f4cj", - }, - { - "type": "URL", - "value": "https://github.com/npm/hosted-git-info/commit/29adfe5ef789784c861b2cdeb15051ec2ba651a7", + "value": "CVE-2023-25813", }, { "type": "URL", - "value": "https://github.com/npm/hosted-git-info/commit/8d4b3697d79bcd89cdb36d1db165e3696c783a01", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2023-25813", }, { "type": "URL", - "value": "https://github.com/npm/hosted-git-info/commit/bede0dc38e1785e732bf0a48ba6f81a4a908eba3", + "value": "https://github.com/sequelize/sequelize", }, { "type": "URL", - "value": "https://github.com/npm/hosted-git-info/commits/v2", + "value": "https://github.com/sequelize/sequelize/commit/ccaa3996047fe00048d5993ab2dd43ebadd4f78b", }, { "type": "URL", - "value": "https://linux.oracle.com/cve/CVE-2021-23362.html", + "value": "https://github.com/sequelize/sequelize/issues/14519", }, { "type": "URL", - "value": "https://linux.oracle.com/errata/ELSA-2021-3074.html", + "value": "https://github.com/sequelize/sequelize/releases/tag/v6.19.1", }, { "type": "URL", - "value": "https://nvd.nist.gov/vuln/detail/CVE-2021-23362", + "value": "https://github.com/sequelize/sequelize/security/advisories/GHSA-wrh9-cjv3-2hpw", }, { "type": "URL", - "value": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1088356", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2023-25813", }, { "type": "URL", - "value": 
"https://snyk.io/vuln/SNYK-JS-HOSTEDGITINFO-1088355", + "value": "https://security.snyk.io/vuln/SNYK-JS-SEQUELIZE-2932027", }, ], - "severity": "MEDIUM", + "severity": "HIGH", }, { "attributes": { - "fixedVersion": "1.3.6", + "fixedVersion": "6.28.1", "foundIn": "Node.js", - "installedVersion": "1.3.5", - "packageName": "ini", + "installedVersion": "6.7.0", + "packageName": "sequelize", "references": [ - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7788", - "https://github.com/advisories/GHSA-qqgx-2p2h-9c37", - "https://github.com/npm/ini/commit/56d2805e07ccd94e2ba0984ac9240ff02d44b6f1", - "https://github.com/npm/ini/commit/56d2805e07ccd94e2ba0984ac9240ff02d44b6f1 (v1.3.6)", - "https://linux.oracle.com/cve/CVE-2020-7788.html", - "https://linux.oracle.com/errata/ELSA-2021-0551.html", - "https://lists.debian.org/debian-lts-announce/2020/12/msg00032.html", - "https://nvd.nist.gov/vuln/detail/CVE-2020-7788", - "https://snyk.io/vuln/SNYK-JS-INI-1048974", + "https://csirt.divd.nl/CVE-2023-22580", + "https://csirt.divd.nl/DIVD-2022-00020", + "https://csirt.divd.nl/DIVD-2022-00020/", + "https://github.com/sequelize/sequelize", + "https://github.com/sequelize/sequelize/pull/15375", + "https://github.com/sequelize/sequelize/pull/15699", + "https://github.com/sequelize/sequelize/releases/tag/v6.28.1", + "https://github.com/sequelize/sequelize/releases/tag/v7.0.0-alpha.20", + "https://nvd.nist.gov/vuln/detail/CVE-2023-22580", ], - "vulnerabilityId": "CVE-2020-7788", + "vulnerabilityId": "CVE-2023-22580", }, "category": "NPM Package Vulnerability", - "description": "This affects the package ini before 1.3.6. If an attacker submits a malicious INI file to an application that parses it with ini.parse, they will pollute the prototype on the application. 
This can be exploited further depending on the context.", - "location": "bkimminich/juice-shop:v10.2.0", - "mitigation": "Update the affected package ini to the fixed version: 1.3.6 or remove the package from the image.", - "name": "nodejs-ini: Prototype pollution via malicious INI file", + "description": "Due to improper input filtering in the sequalize js library, can malicious queries lead to sensitive information disclosure.", + "location": "bkimminich/juice-shop:v12.10.2", + "mitigation": "Update the affected package sequelize to the fixed version: 6.28.1 or remove the package from the image.", + "name": "Sequelize information disclosure vulnerability", "osi_layer": "NOT_APPLICABLE", "references": [ { "type": "CVE", - "value": "CVE-2020-7788", + "value": "CVE-2023-22580", }, { "type": "URL", - "value": "https://nvd.nist.gov/vuln/detail/CVE-2020-7788", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2023-22580", }, { "type": "URL", - "value": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7788", + "value": "https://csirt.divd.nl/CVE-2023-22580", }, { "type": "URL", - "value": "https://github.com/advisories/GHSA-qqgx-2p2h-9c37", + "value": "https://csirt.divd.nl/DIVD-2022-00020", }, { "type": "URL", - "value": "https://github.com/npm/ini/commit/56d2805e07ccd94e2ba0984ac9240ff02d44b6f1", + "value": "https://csirt.divd.nl/DIVD-2022-00020/", }, { "type": "URL", - "value": "https://github.com/npm/ini/commit/56d2805e07ccd94e2ba0984ac9240ff02d44b6f1 (v1.3.6)", + "value": "https://github.com/sequelize/sequelize", }, { "type": "URL", - "value": "https://linux.oracle.com/cve/CVE-2020-7788.html", + "value": "https://github.com/sequelize/sequelize/pull/15375", }, { "type": "URL", - "value": "https://linux.oracle.com/errata/ELSA-2021-0551.html", + "value": "https://github.com/sequelize/sequelize/pull/15699", }, { "type": "URL", - "value": "https://lists.debian.org/debian-lts-announce/2020/12/msg00032.html", + "value": 
"https://github.com/sequelize/sequelize/releases/tag/v6.28.1", }, { "type": "URL", - "value": "https://nvd.nist.gov/vuln/detail/CVE-2020-7788", + "value": "https://github.com/sequelize/sequelize/releases/tag/v7.0.0-alpha.20", }, { "type": "URL", - "value": "https://snyk.io/vuln/SNYK-JS-INI-1048974", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2023-22580", }, ], - "severity": "HIGH", + "severity": "MEDIUM", }, { "attributes": { - "fixedVersion": "4.2.2", + "fixedVersion": "1.16.0, 2.1.0", "foundIn": "Node.js", - "installedVersion": "0.1.0", - "packageName": "jsonwebtoken", + "installedVersion": "1.14.1", + "packageName": "serve-static", "references": [ - "https://auth0.com/blog/2015/03/31/critical-vulnerabilities-in-json-web-token-libraries/", - "https://github.com/advisories/GHSA-c7hr-j4mj-j2w6", - "https://github.com/auth0/node-jsonwebtoken/commit/1bb584bc382295eeb7ee8c4452a673a77a68b687", - "https://nodesecurity.io/advisories/17", - "https://nvd.nist.gov/vuln/detail/CVE-2015-9235", - "https://www.timmclean.net/2015/02/25/jwt-alg-none.html", + "https://access.redhat.com/security/cve/CVE-2024-43800", + "https://github.com/expressjs/serve-static", + "https://github.com/expressjs/serve-static/commit/0c11fad159898cdc69fd9ab63269b72468ecaf6b", + "https://github.com/expressjs/serve-static/commit/ce730896fddce1588111d9ef6fdf20896de5c6fa", + "https://github.com/expressjs/serve-static/security/advisories/GHSA-cm22-4g7w-348p", + "https://nvd.nist.gov/vuln/detail/CVE-2024-43800", + "https://www.cve.org/CVERecord?id=CVE-2024-43800", ], - "vulnerabilityId": "CVE-2015-9235", + "vulnerabilityId": "CVE-2024-43800", }, "category": "NPM Package Vulnerability", - "description": "In jsonwebtoken node module before 4.2.2 it is possible for an attacker to bypass verification when a token digitally signed with an asymmetric key (RS/ES family) of algorithms but instead the attacker send a token digitally signed with a symmetric algorithm (HS* family).", - "location": 
"bkimminich/juice-shop:v10.2.0", - "mitigation": "Update the affected package jsonwebtoken to the fixed version: 4.2.2 or remove the package from the image.", - "name": "nodejs-jsonwebtoken: verification step bypass with an altered token", + "description": "serve-static serves static files. serve-static passes untrusted user input - even after sanitizing it - to redirect() may execute untrusted code. This issue is patched in serve-static 1.16.0.", + "location": "bkimminich/juice-shop:v12.10.2", + "mitigation": "Update the affected package serve-static to the fixed version: 1.16.0, 2.1.0 or remove the package from the image.", + "name": "serve-static: Improper Sanitization in serve-static", "osi_layer": "NOT_APPLICABLE", "references": [ { "type": "CVE", - "value": "CVE-2015-9235", + "value": "CVE-2024-43800", }, { "type": "URL", - "value": "https://nvd.nist.gov/vuln/detail/CVE-2015-9235", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2024-43800", }, { "type": "URL", - "value": "https://auth0.com/blog/2015/03/31/critical-vulnerabilities-in-json-web-token-libraries/", + "value": "https://access.redhat.com/security/cve/CVE-2024-43800", }, { "type": "URL", - "value": "https://github.com/advisories/GHSA-c7hr-j4mj-j2w6", + "value": "https://github.com/expressjs/serve-static", }, { "type": "URL", - "value": "https://github.com/auth0/node-jsonwebtoken/commit/1bb584bc382295eeb7ee8c4452a673a77a68b687", + "value": "https://github.com/expressjs/serve-static/commit/0c11fad159898cdc69fd9ab63269b72468ecaf6b", }, { "type": "URL", - "value": "https://nodesecurity.io/advisories/17", + "value": "https://github.com/expressjs/serve-static/commit/ce730896fddce1588111d9ef6fdf20896de5c6fa", }, { "type": "URL", - "value": "https://nvd.nist.gov/vuln/detail/CVE-2015-9235", + "value": "https://github.com/expressjs/serve-static/security/advisories/GHSA-cm22-4g7w-348p", }, { "type": "URL", - "value": "https://www.timmclean.net/2015/02/25/jwt-alg-none.html", + "value": 
"https://nvd.nist.gov/vuln/detail/CVE-2024-43800", + }, + { + "type": "URL", + "value": "https://www.cve.org/CVERecord?id=CVE-2024-43800", }, ], - "severity": "HIGH", + "severity": "MEDIUM", }, { "attributes": { - "fixedVersion": ">=4.2.2", + "fixedVersion": "4.0.1, 3.1.1, 2.8.2", "foundIn": "Node.js", - "installedVersion": "0.1.0", - "packageName": "jsonwebtoken", - "references": [ - "https://auth0.com/blog/2015/03/31/critical-vulnerabilities-in-json-web-token-libraries/", - "https://github.com/auth0/node-jsonwebtoken/commit/1bb584bc382295eeb7ee8c4452a673a77a68b687", - "https://www.timmclean.net/2015/02/25/jwt-alg-none.html", - ], - "vulnerabilityId": "NSWG-ECO-17", + "installedVersion": "3.1.0", + "packageName": "simple-get", + "references": [ + "https://access.redhat.com/security/cve/CVE-2022-0355", + "https://github.com/advisories/GHSA-wpg7-2c88-r8xv", + "https://github.com/feross/simple-get", + "https://github.com/feross/simple-get/commit/e4af095e06cd69a9235013e8507e220a79b9684f", + "https://github.com/feross/simple-get/pull/75#issuecomment-1027755026", + "https://github.com/feross/simple-get/pull/76#issuecomment-1027754710", + "https://huntr.dev/bounties/42c79c23-6646-46c4-871d-219c0d4b4e31", + "https://huntr.dev/bounties/42c79c23-6646-46c4-871d-219c0d4b4e31/", + "https://nvd.nist.gov/vuln/detail/CVE-2022-0355", + "https://www.cve.org/CVERecord?id=CVE-2022-0355", + ], + "vulnerabilityId": "CVE-2022-0355", }, "category": "NPM Package Vulnerability", - "description": "It is possible for an attacker to bypass verification when "a token digitally signed with an asymetric key (RS/ES family) of algorithms but instead the attacker send a token digitally signed with a symmetric algorithm (HS* family)" [1]", - "location": "bkimminich/juice-shop:v10.2.0", - "mitigation": "Update the affected package jsonwebtoken to the fixed version: >=4.2.2 or remove the package from the image.", - "name": "Verification Bypass", + "description": "Improper Removal of Sensitive 
Information Before Storage or Transfer in NPM simple-get prior to 4.0.1. + +", + "location": "bkimminich/juice-shop:v12.10.2", + "mitigation": "Update the affected package simple-get to the fixed version: 4.0.1, 3.1.1, 2.8.2 or remove the package from the image.", + "name": "simple-get: exposure of sensitive information to an unauthorized actor", "osi_layer": "NOT_APPLICABLE", "references": [ { - "type": "NSWG", - "value": "NSWG-ECO-17", + "type": "CVE", + "value": "CVE-2022-0355", }, { "type": "URL", - "value": "https://github.com/nodejs/security-wg/tree/master/vuln", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2022-0355", }, { "type": "URL", - "value": "https://auth0.com/blog/2015/03/31/critical-vulnerabilities-in-json-web-token-libraries/", + "value": "https://access.redhat.com/security/cve/CVE-2022-0355", }, { "type": "URL", - "value": "https://github.com/auth0/node-jsonwebtoken/commit/1bb584bc382295eeb7ee8c4452a673a77a68b687", + "value": "https://github.com/advisories/GHSA-wpg7-2c88-r8xv", }, { "type": "URL", - "value": "https://www.timmclean.net/2015/02/25/jwt-alg-none.html", + "value": "https://github.com/feross/simple-get", + }, + { + "type": "URL", + "value": "https://github.com/feross/simple-get/commit/e4af095e06cd69a9235013e8507e220a79b9684f", + }, + { + "type": "URL", + "value": "https://github.com/feross/simple-get/pull/75#issuecomment-1027755026", + }, + { + "type": "URL", + "value": "https://github.com/feross/simple-get/pull/76#issuecomment-1027754710", + }, + { + "type": "URL", + "value": "https://huntr.dev/bounties/42c79c23-6646-46c4-871d-219c0d4b4e31", + }, + { + "type": "URL", + "value": "https://huntr.dev/bounties/42c79c23-6646-46c4-871d-219c0d4b4e31/", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2022-0355", + }, + { + "type": "URL", + "value": "https://www.cve.org/CVERecord?id=CVE-2022-0355", }, ], "severity": "HIGH", }, { "attributes": { - "fixedVersion": "4.2.2", + "fixedVersion": "2.5.1, 4.6.2", "foundIn": 
"Node.js", - "installedVersion": "0.4.0", - "packageName": "jsonwebtoken", - "references": [ - "https://auth0.com/blog/2015/03/31/critical-vulnerabilities-in-json-web-token-libraries/", - "https://github.com/advisories/GHSA-c7hr-j4mj-j2w6", - "https://github.com/auth0/node-jsonwebtoken/commit/1bb584bc382295eeb7ee8c4452a673a77a68b687", - "https://nodesecurity.io/advisories/17", - "https://nvd.nist.gov/vuln/detail/CVE-2015-9235", - "https://www.timmclean.net/2015/02/25/jwt-alg-none.html", + "installedVersion": "3.1.2", + "packageName": "socket.io", + "references": [ + "https://access.redhat.com/security/cve/CVE-2024-38355", + "https://github.com/socketio/socket.io", + "https://github.com/socketio/socket.io/commit/15af22fc22bc6030fcead322c106f07640336115", + "https://github.com/socketio/socket.io/commit/d30630ba10562bf987f4d2b42440fc41a828119c", + "https://github.com/socketio/socket.io/security/advisories/GHSA-25hc-qcg6-38wj", + "https://nvd.nist.gov/vuln/detail/CVE-2024-38355", + "https://www.cve.org/CVERecord?id=CVE-2024-38355", ], - "vulnerabilityId": "CVE-2015-9235", + "vulnerabilityId": "CVE-2024-38355", }, "category": "NPM Package Vulnerability", - "description": "In jsonwebtoken node module before 4.2.2 it is possible for an attacker to bypass verification when a token digitally signed with an asymmetric key (RS/ES family) of algorithms but instead the attacker send a token digitally signed with a symmetric algorithm (HS* family).", - "location": "bkimminich/juice-shop:v10.2.0", - "mitigation": "Update the affected package jsonwebtoken to the fixed version: 4.2.2 or remove the package from the image.", - "name": "nodejs-jsonwebtoken: verification step bypass with an altered token", + "description": "Socket.IO is an open source, real-time, bidirectional, event-based, communication framework. A specially crafted Socket.IO packet can trigger an uncaught exception on the Socket.IO server, thus killing the Node.js process. 
This issue is fixed by commit \`15af22fc22\` which has been included in \`socket.io@4.6.2\` (released in May 2023). The fix was backported in the 2.x branch as well with commit \`d30630ba10\`. Users are advised to upgrade. Users unable to upgrade may attach a listener for the "error" event to catch these errors. +", + "location": "bkimminich/juice-shop:v12.10.2", + "mitigation": "Update the affected package socket.io to the fixed version: 2.5.1, 4.6.2 or remove the package from the image.", + "name": "socket.io: Unhandled 'error' event", "osi_layer": "NOT_APPLICABLE", "references": [ { "type": "CVE", - "value": "CVE-2015-9235", + "value": "CVE-2024-38355", }, { "type": "URL", - "value": "https://nvd.nist.gov/vuln/detail/CVE-2015-9235", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2024-38355", }, { "type": "URL", - "value": "https://auth0.com/blog/2015/03/31/critical-vulnerabilities-in-json-web-token-libraries/", + "value": "https://access.redhat.com/security/cve/CVE-2024-38355", }, { "type": "URL", - "value": "https://github.com/advisories/GHSA-c7hr-j4mj-j2w6", + "value": "https://github.com/socketio/socket.io", }, { "type": "URL", - "value": "https://github.com/auth0/node-jsonwebtoken/commit/1bb584bc382295eeb7ee8c4452a673a77a68b687", + "value": "https://github.com/socketio/socket.io/commit/15af22fc22bc6030fcead322c106f07640336115", }, { "type": "URL", - "value": "https://nodesecurity.io/advisories/17", + "value": "https://github.com/socketio/socket.io/commit/d30630ba10562bf987f4d2b42440fc41a828119c", }, { "type": "URL", - "value": "https://nvd.nist.gov/vuln/detail/CVE-2015-9235", + "value": "https://github.com/socketio/socket.io/security/advisories/GHSA-25hc-qcg6-38wj", }, { "type": "URL", - "value": "https://www.timmclean.net/2015/02/25/jwt-alg-none.html", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2024-38355", + }, + { + "type": "URL", + "value": "https://www.cve.org/CVERecord?id=CVE-2024-38355", }, ], "severity": "HIGH", }, { "attributes": { - 
"fixedVersion": ">=4.2.2", + "fixedVersion": "4.0.5, 4.2.1, 3.3.3, 3.4.2", "foundIn": "Node.js", - "installedVersion": "0.4.0", - "packageName": "jsonwebtoken", + "installedVersion": "4.0.4", + "packageName": "socket.io-parser", "references": [ - "https://auth0.com/blog/2015/03/31/critical-vulnerabilities-in-json-web-token-libraries/", - "https://github.com/auth0/node-jsonwebtoken/commit/1bb584bc382295eeb7ee8c4452a673a77a68b687", - "https://www.timmclean.net/2015/02/25/jwt-alg-none.html", + "https://csirt.divd.nl/CVE-2022-2421", + "https://csirt.divd.nl/DIVD-2022-00045", + "https://csirt.divd.nl/cases/DIVD-2022-00045", + "https://csirt.divd.nl/cves/CVE-2022-2421", + "https://github.com/socketio/socket.io-parser", + "https://github.com/socketio/socket.io-parser/commit/04d23cecafe1b859fb03e0cbf6ba3b74dff56d14", + "https://github.com/socketio/socket.io-parser/commit/b559f050ee02bd90bd853b9823f8de7fa94a80d4", + "https://github.com/socketio/socket.io-parser/commit/b5d0cb7dc56a0601a09b056beaeeb0e43b160050", + "https://github.com/socketio/socket.io-parser/commit/fb21e422fc193b34347395a33e0f625bebc09983", + "https://nvd.nist.gov/vuln/detail/CVE-2022-2421", ], - "vulnerabilityId": "NSWG-ECO-17", + "vulnerabilityId": "CVE-2022-2421", }, "category": "NPM Package Vulnerability", - "description": "It is possible for an attacker to bypass verification when "a token digitally signed with an asymetric key (RS/ES family) of algorithms but instead the attacker send a token digitally signed with a symmetric algorithm (HS* family)" [1]", - "location": "bkimminich/juice-shop:v10.2.0", - "mitigation": "Update the affected package jsonwebtoken to the fixed version: >=4.2.2 or remove the package from the image.", - "name": "Verification Bypass", + "description": "Due to improper type validation in attachment parsing the Socket.io js library, it is possible to overwrite the _placeholder object which allows an attacker to place references to functions at arbitrary places in the resulting 
query object.", + "location": "bkimminich/juice-shop:v12.10.2", + "mitigation": "Update the affected package socket.io-parser to the fixed version: 4.0.5, 4.2.1, 3.3.3, 3.4.2 or remove the package from the image.", + "name": "Insufficient validation when decoding a Socket.IO packet", "osi_layer": "NOT_APPLICABLE", "references": [ { - "type": "NSWG", - "value": "NSWG-ECO-17", + "type": "CVE", + "value": "CVE-2022-2421", }, { "type": "URL", - "value": "https://github.com/nodejs/security-wg/tree/master/vuln", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2022-2421", }, { "type": "URL", - "value": "https://auth0.com/blog/2015/03/31/critical-vulnerabilities-in-json-web-token-libraries/", + "value": "https://csirt.divd.nl/CVE-2022-2421", }, { "type": "URL", - "value": "https://github.com/auth0/node-jsonwebtoken/commit/1bb584bc382295eeb7ee8c4452a673a77a68b687", + "value": "https://csirt.divd.nl/DIVD-2022-00045", }, { "type": "URL", - "value": "https://www.timmclean.net/2015/02/25/jwt-alg-none.html", + "value": "https://csirt.divd.nl/cases/DIVD-2022-00045", }, - ], - "severity": "HIGH", - }, - { - "attributes": { - "fixedVersion": "3.0.0", - "foundIn": "Node.js", - "installedVersion": "0.2.6", - "packageName": "jws", - "references": [ - "https://auth0.com/blog/2015/03/31/critical-vulnerabilities-in-json-web-token-libraries/", - "https://github.com/advisories/GHSA-gjcw-v447-2w7q", - "https://github.com/brianloveswords/node-jws/commit/585d0e1e97b6747c10cf5b7689ccc5618a89b299#diff-4ac32a78649ca5bdd8e0ba38b7006a1e", - "https://nvd.nist.gov/vuln/detail/CVE-2016-1000223", - ], - "vulnerabilityId": "CVE-2016-1000223", - }, - "category": "NPM Package Vulnerability", - "description": "Since "algorithm" isn't enforced in \`jws.verify()\`, a malicious user could choose what algorithm is sent to the server. If the server is expecting RSA but is sent HMAC-SHA with RSA's public key, the server will think the public key is actually an HMAC private key. 
This could be used to forge any data an attacker wants. - -In addition, there is the \`none\` algorithm to be concerned about. In versions prior to 3.0.0, verification of the token could be bypassed when the \`alg\` field is set to \`none\`. - -*Edit ( 7/29/16 ): A previous version of this advisory incorrectly stated that the vulnerability was patched in version 2.0.0 instead of 3.0.0. The advisory has been updated to reflect this new information. Thanks to Fabien Catteau for reporting the error.*", - "location": "bkimminich/juice-shop:v10.2.0", - "mitigation": "Update the affected package jws to the fixed version: 3.0.0 or remove the package from the image.", - "name": "Forgeable Public/Private Tokens", - "osi_layer": "NOT_APPLICABLE", - "references": [ { - "type": "CVE", - "value": "CVE-2016-1000223", + "type": "URL", + "value": "https://csirt.divd.nl/cves/CVE-2022-2421", }, { "type": "URL", - "value": "https://nvd.nist.gov/vuln/detail/CVE-2016-1000223", + "value": "https://github.com/socketio/socket.io-parser", }, { "type": "URL", - "value": "https://auth0.com/blog/2015/03/31/critical-vulnerabilities-in-json-web-token-libraries/", + "value": "https://github.com/socketio/socket.io-parser/commit/04d23cecafe1b859fb03e0cbf6ba3b74dff56d14", }, { "type": "URL", - "value": "https://github.com/advisories/GHSA-gjcw-v447-2w7q", + "value": "https://github.com/socketio/socket.io-parser/commit/b559f050ee02bd90bd853b9823f8de7fa94a80d4", }, { "type": "URL", - "value": "https://github.com/brianloveswords/node-jws/commit/585d0e1e97b6747c10cf5b7689ccc5618a89b299#diff-4ac32a78649ca5bdd8e0ba38b7006a1e", + "value": "https://github.com/socketio/socket.io-parser/commit/b5d0cb7dc56a0601a09b056beaeeb0e43b160050", }, { "type": "URL", - "value": "https://nvd.nist.gov/vuln/detail/CVE-2016-1000223", + "value": "https://github.com/socketio/socket.io-parser/commit/fb21e422fc193b34347395a33e0f625bebc09983", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2022-2421", 
}, ], "severity": "HIGH", }, { "attributes": { - "fixedVersion": "4.17.12", + "fixedVersion": "4.2.3, 3.4.3, 3.3.4", "foundIn": "Node.js", - "installedVersion": "2.4.2", - "packageName": "lodash", + "installedVersion": "4.0.4", + "packageName": "socket.io-parser", "references": [ - "https://access.redhat.com/errata/RHSA-2019:3024", - "https://github.com/advisories/GHSA-jf85-cpcp-j695", - "https://nvd.nist.gov/vuln/detail/CVE-2019-10744", - "https://security.netapp.com/advisory/ntap-20191004-0005/", - "https://snyk.io/vuln/SNYK-JS-LODASH-450202", - "https://support.f5.com/csp/article/K47105354?utm_source=f5support&utm_medium=RSS", - "https://www.oracle.com/security-alerts/cpujan2021.html", - "https://www.oracle.com/security-alerts/cpuoct2020.html", + "https://github.com/socketio/socket.io-parser", + "https://github.com/socketio/socket.io-parser/commit/1c220ddbf45ea4b44bc8dbf6f9ae245f672ba1b9", + "https://github.com/socketio/socket.io-parser/commit/2dc3c92622dad113b8676be06f23b1ed46b02ced", + "https://github.com/socketio/socket.io-parser/commit/3b78117bf6ba7e99d7a5cfc1ba54d0477554a7f3", + "https://github.com/socketio/socket.io-parser/commit/ee006607495eca4ec7262ad080dd3a91439a5ba4", + "https://github.com/socketio/socket.io-parser/releases/tag/4.2.3", + "https://github.com/socketio/socket.io-parser/security/advisories/GHSA-cqmj-92xf-r6r9", + "https://nvd.nist.gov/vuln/detail/CVE-2023-32695", ], - "vulnerabilityId": "CVE-2019-10744", + "vulnerabilityId": "CVE-2023-32695", }, "category": "NPM Package Vulnerability", - "description": "Versions of lodash lower than 4.17.12 are vulnerable to Prototype Pollution. 
The function defaultsDeep could be tricked into adding or modifying properties of Object.prototype using a constructor payload.", - "location": "bkimminich/juice-shop:v10.2.0", - "mitigation": "Update the affected package lodash to the fixed version: 4.17.12 or remove the package from the image.", - "name": "nodejs-lodash: prototype pollution in defaultsDeep function leading to modifying properties", + "description": "socket.io parser is a socket.io encoder and decoder written in JavaScript complying with version 5 of socket.io-protocol. A specially crafted Socket.IO packet can trigger an uncaught exception on the Socket.IO server, thus killing the Node.js process. A patch has been released in version 4.2.3. + +", + "location": "bkimminich/juice-shop:v12.10.2", + "mitigation": "Update the affected package socket.io-parser to the fixed version: 4.2.3, 3.4.3, 3.3.4 or remove the package from the image.", + "name": "socket.io parser is a socket.io encoder and decoder written in JavaScr ...", "osi_layer": "NOT_APPLICABLE", "references": [ { "type": "CVE", - "value": "CVE-2019-10744", + "value": "CVE-2023-32695", }, { "type": "URL", - "value": "https://nvd.nist.gov/vuln/detail/CVE-2019-10744", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2023-32695", }, { "type": "URL", - "value": "https://access.redhat.com/errata/RHSA-2019:3024", + "value": "https://github.com/socketio/socket.io-parser", }, { "type": "URL", - "value": "https://github.com/advisories/GHSA-jf85-cpcp-j695", + "value": "https://github.com/socketio/socket.io-parser/commit/1c220ddbf45ea4b44bc8dbf6f9ae245f672ba1b9", }, { "type": "URL", - "value": "https://nvd.nist.gov/vuln/detail/CVE-2019-10744", + "value": "https://github.com/socketio/socket.io-parser/commit/2dc3c92622dad113b8676be06f23b1ed46b02ced", }, { "type": "URL", - "value": "https://security.netapp.com/advisory/ntap-20191004-0005/", + "value": "https://github.com/socketio/socket.io-parser/commit/3b78117bf6ba7e99d7a5cfc1ba54d0477554a7f3", }, { 
"type": "URL", - "value": "https://snyk.io/vuln/SNYK-JS-LODASH-450202", + "value": "https://github.com/socketio/socket.io-parser/commit/ee006607495eca4ec7262ad080dd3a91439a5ba4", }, { "type": "URL", - "value": "https://support.f5.com/csp/article/K47105354?utm_source=f5support&utm_medium=RSS", + "value": "https://github.com/socketio/socket.io-parser/releases/tag/4.2.3", }, { "type": "URL", - "value": "https://www.oracle.com/security-alerts/cpujan2021.html", + "value": "https://github.com/socketio/socket.io-parser/security/advisories/GHSA-cqmj-92xf-r6r9", }, { "type": "URL", - "value": "https://www.oracle.com/security-alerts/cpuoct2020.html", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2023-32695", }, ], "severity": "HIGH", }, { "attributes": { - "fixedVersion": "4.17.19", + "fixedVersion": "5.0.3", "foundIn": "Node.js", - "installedVersion": "2.4.2", - "packageName": "lodash", - "references": [ - "https://github.com/advisories/GHSA-p6mc-m468-83gw", - "https://github.com/lodash/lodash/issues/4874", - "https://hackerone.com/reports/712065", - "https://nvd.nist.gov/vuln/detail/CVE-2020-8203", - "https://security.netapp.com/advisory/ntap-20200724-0006/", - "https://www.npmjs.com/advisories/1523", - "https://www.oracle.com//security-alerts/cpujul2021.html", - "https://www.oracle.com/security-alerts/cpuApr2021.html", - "https://www.oracle.com/security-alerts/cpuoct2021.html", - ], - "vulnerabilityId": "CVE-2020-8203", + "installedVersion": "5.0.2", + "packageName": "sqlite3", + "references": [ + "https://access.redhat.com/security/cve/CVE-2022-21227", + "https://github.com/TryGhost/node-sqlite3", + "https://github.com/TryGhost/node-sqlite3/commit/593c9d498be2510d286349134537e3bf89401c4a", + "https://github.com/TryGhost/node-sqlite3/issues/1440", + "https://github.com/TryGhost/node-sqlite3/issues/1449", + "https://github.com/TryGhost/node-sqlite3/security/advisories/GHSA-9qrh-qjmc-5w2p", + "https://nvd.nist.gov/vuln/detail/CVE-2022-21227", + 
"https://security.snyk.io/vuln/SNYK-JS-SQLITE3-2388645", + "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-2805470", + "https://snyk.io/vuln/SNYK-JS-SQLITE3-2388645", + "https://www.cve.org/CVERecord?id=CVE-2022-21227", + ], + "vulnerabilityId": "CVE-2022-21227", }, "category": "NPM Package Vulnerability", - "description": "Prototype pollution attack when using _.zipObjectDeep in lodash before 4.17.20.", - "location": "bkimminich/juice-shop:v10.2.0", - "mitigation": "Update the affected package lodash to the fixed version: 4.17.19 or remove the package from the image.", - "name": "nodejs-lodash: prototype pollution in zipObjectDeep function", + "description": "The package sqlite3 before 5.0.3 are vulnerable to Denial of Service (DoS) which will invoke the toString function of the passed parameter. If passed an invalid Function object it will throw and crash the V8 engine.", + "location": "bkimminich/juice-shop:v12.10.2", + "mitigation": "Update the affected package sqlite3 to the fixed version: 5.0.3 or remove the package from the image.", + "name": "sqlite3: Denial of Service (DoS) in sqlite3", "osi_layer": "NOT_APPLICABLE", "references": [ { "type": "CVE", - "value": "CVE-2020-8203", + "value": "CVE-2022-21227", }, { "type": "URL", - "value": "https://nvd.nist.gov/vuln/detail/CVE-2020-8203", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2022-21227", }, { "type": "URL", - "value": "https://github.com/advisories/GHSA-p6mc-m468-83gw", + "value": "https://access.redhat.com/security/cve/CVE-2022-21227", }, { "type": "URL", - "value": "https://github.com/lodash/lodash/issues/4874", + "value": "https://github.com/TryGhost/node-sqlite3", }, { "type": "URL", - "value": "https://hackerone.com/reports/712065", + "value": "https://github.com/TryGhost/node-sqlite3/commit/593c9d498be2510d286349134537e3bf89401c4a", }, { "type": "URL", - "value": "https://nvd.nist.gov/vuln/detail/CVE-2020-8203", + "value": "https://github.com/TryGhost/node-sqlite3/issues/1440", }, { "type": 
"URL", - "value": "https://security.netapp.com/advisory/ntap-20200724-0006/", + "value": "https://github.com/TryGhost/node-sqlite3/issues/1449", }, { "type": "URL", - "value": "https://www.npmjs.com/advisories/1523", + "value": "https://github.com/TryGhost/node-sqlite3/security/advisories/GHSA-9qrh-qjmc-5w2p", }, { "type": "URL", - "value": "https://www.oracle.com//security-alerts/cpujul2021.html", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2022-21227", }, { "type": "URL", - "value": "https://www.oracle.com/security-alerts/cpuApr2021.html", + "value": "https://security.snyk.io/vuln/SNYK-JS-SQLITE3-2388645", }, { "type": "URL", - "value": "https://www.oracle.com/security-alerts/cpuoct2021.html", + "value": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-2805470", + }, + { + "type": "URL", + "value": "https://snyk.io/vuln/SNYK-JS-SQLITE3-2388645", + }, + { + "type": "URL", + "value": "https://www.cve.org/CVERecord?id=CVE-2022-21227", }, ], "severity": "HIGH", }, { "attributes": { - "fixedVersion": "4.17.21", + "fixedVersion": "5.1.5", "foundIn": "Node.js", - "installedVersion": "2.4.2", - "packageName": "lodash", + "installedVersion": "5.0.2", + "packageName": "sqlite3", "references": [ - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23337", - "https://github.com/advisories/GHSA-35jh-r3h4-6jhm", - "https://github.com/lodash/lodash/blob/ddfd9b11a0126db2302cb70ec9973b66baec0975/lodash.js%23L14851", - "https://nvd.nist.gov/vuln/detail/CVE-2021-23337", - "https://security.netapp.com/advisory/ntap-20210312-0006/", - "https://snyk.io/vuln/SNYK-JAVA-ORGFUJIONWEBJARS-1074932", - "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-1074930", - "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1074928", - "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBLODASH-1074931", - "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1074929", - "https://snyk.io/vuln/SNYK-JS-LODASH-1040724", - "https://www.oracle.com//security-alerts/cpujul2021.html", - 
"https://www.oracle.com/security-alerts/cpuoct2021.html", + "https://github.com/TryGhost/node-sqlite3", + "https://github.com/TryGhost/node-sqlite3/commit/edb1934dd222ae55632e120d8f64552d5191c781", + "https://github.com/TryGhost/node-sqlite3/security/advisories/GHSA-jqv5-7xpx-qj74", + "https://nvd.nist.gov/vuln/detail/CVE-2022-43441", + "https://talosintelligence.com/vulnerability_reports/TALOS-2022-1645", ], - "vulnerabilityId": "CVE-2021-23337", + "vulnerabilityId": "CVE-2022-43441", }, "category": "NPM Package Vulnerability", - "description": "Lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function.", - "location": "bkimminich/juice-shop:v10.2.0", - "mitigation": "Update the affected package lodash to the fixed version: 4.17.21 or remove the package from the image.", - "name": "nodejs-lodash: command injection via template", + "description": "A code execution vulnerability exists in the Statement Bindings functionality of Ghost Foundation node-sqlite3 5.1.1. A specially-crafted Javascript file can lead to arbitrary code execution. 
An attacker can provide malicious input to trigger this vulnerability.", + "location": "bkimminich/juice-shop:v12.10.2", + "mitigation": "Update the affected package sqlite3 to the fixed version: 5.1.5 or remove the package from the image.", + "name": "A code execution vulnerability exists in the Statement Bindings functi ...", "osi_layer": "NOT_APPLICABLE", "references": [ { "type": "CVE", - "value": "CVE-2021-23337", + "value": "CVE-2022-43441", }, { "type": "URL", - "value": "https://nvd.nist.gov/vuln/detail/CVE-2021-23337", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2022-43441", }, { "type": "URL", - "value": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23337", + "value": "https://github.com/TryGhost/node-sqlite3", }, { "type": "URL", - "value": "https://github.com/advisories/GHSA-35jh-r3h4-6jhm", + "value": "https://github.com/TryGhost/node-sqlite3/commit/edb1934dd222ae55632e120d8f64552d5191c781", }, { "type": "URL", - "value": "https://github.com/lodash/lodash/blob/ddfd9b11a0126db2302cb70ec9973b66baec0975/lodash.js%23L14851", + "value": "https://github.com/TryGhost/node-sqlite3/security/advisories/GHSA-jqv5-7xpx-qj74", }, { "type": "URL", - "value": "https://nvd.nist.gov/vuln/detail/CVE-2021-23337", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2022-43441", }, { "type": "URL", - "value": "https://security.netapp.com/advisory/ntap-20210312-0006/", + "value": "https://talosintelligence.com/vulnerability_reports/TALOS-2022-1645", }, + ], + "severity": "HIGH", + }, + { + "attributes": { + "fixedVersion": "4.1.3", + "foundIn": "Node.js", + "installedVersion": "3.52.4", + "packageName": "swagger-ui-dist", + "references": [ + "https://github.com/swagger-api/swagger-ui", + "https://nvd.nist.gov/vuln/detail/CVE-2021-46708", + "https://security.netapp.com/advisory/ntap-20220407-0004", + "https://security.netapp.com/advisory/ntap-20220407-0004/", + "https://security.snyk.io/vuln/SNYK-JS-SWAGGERUIDIST-2314884", + 
"https://www.npmjs.com/package/swagger-ui-dist/v/4.1.3", + ], + "vulnerabilityId": "CVE-2021-46708", + }, + "category": "NPM Package Vulnerability", + "description": "The swagger-ui-dist package before 4.1.3 for Node.js could allow a remote attacker to hijack the clicking action of the victim. By persuading a victim to visit a malicious Web site, a remote attacker could exploit this vulnerability to hijack the victim's click actions and possibly launch further attacks against the victim.", + "location": "bkimminich/juice-shop:v12.10.2", + "mitigation": "Update the affected package swagger-ui-dist to the fixed version: 4.1.3 or remove the package from the image.", + "name": "Spoofing attack in swagger-ui-dist", + "osi_layer": "NOT_APPLICABLE", + "references": [ { - "type": "URL", - "value": "https://snyk.io/vuln/SNYK-JAVA-ORGFUJIONWEBJARS-1074932", + "type": "CVE", + "value": "CVE-2021-46708", }, { "type": "URL", - "value": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-1074930", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2021-46708", }, { "type": "URL", - "value": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1074928", + "value": "https://github.com/swagger-api/swagger-ui", }, { "type": "URL", - "value": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBLODASH-1074931", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2021-46708", }, { "type": "URL", - "value": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1074929", + "value": "https://security.netapp.com/advisory/ntap-20220407-0004", }, { "type": "URL", - "value": "https://snyk.io/vuln/SNYK-JS-LODASH-1040724", + "value": "https://security.netapp.com/advisory/ntap-20220407-0004/", }, { "type": "URL", - "value": "https://www.oracle.com//security-alerts/cpujul2021.html", + "value": "https://security.snyk.io/vuln/SNYK-JS-SWAGGERUIDIST-2314884", }, { "type": "URL", - "value": "https://www.oracle.com/security-alerts/cpuoct2021.html", + "value": "https://www.npmjs.com/package/swagger-ui-dist/v/4.1.3", }, ], - 
"severity": "HIGH", + "severity": "MEDIUM", }, { "attributes": { - "fixedVersion": "4.17.11", + "fixedVersion": "4.1.3", "foundIn": "Node.js", - "installedVersion": "2.4.2", - "packageName": "lodash", + "installedVersion": "3.52.4", + "packageName": "swagger-ui-dist", "references": [ - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16487", - "https://github.com/advisories/GHSA-4xc9-xhrj-v574", - "https://hackerone.com/reports/380873", - "https://nvd.nist.gov/vuln/detail/CVE-2018-16487", - "https://security.netapp.com/advisory/ntap-20190919-0004/", + "https://github.com/domaindrivendev/Swashbuckle.AspNetCore/commit/401c7cb81e5efe835ceb8aae23e82057d57c7d29", + "https://github.com/swagger-api/swagger-ui", + "https://github.com/swagger-api/swagger-ui/commit/01a3e55960f864a0acf6a8d06e5ddaf6776a7f76", + "https://github.com/swagger-api/swagger-ui/issues/4872", + "https://github.com/swagger-api/swagger-ui/security/advisories/GHSA-qrmm-w75w-3wpx", ], - "vulnerabilityId": "CVE-2018-16487", + "vulnerabilityId": "GHSA-qrmm-w75w-3wpx", }, "category": "NPM Package Vulnerability", - "description": "A prototype pollution vulnerability was found in lodash <4.17.11 where the functions merge, mergeWith, and defaultsDeep can be tricked into adding or modifying properties of Object.prototype.", - "location": "bkimminich/juice-shop:v10.2.0", - "mitigation": "Update the affected package lodash to the fixed version: 4.17.11 or remove the package from the image.", - "name": "lodash: Prototype pollution in utilities function", + "description": "SwaggerUI supports displaying remote OpenAPI definitions through the \`?url\` parameter. This enables robust demonstration capabilities on sites like \`petstore.swagger.io\`, \`editor.swagger.io\`, and similar sites, where users often want to see what their OpenAPI definitions would look like rendered. + +However, this functionality may pose a risk for users who host their own SwaggerUI instances. 
In particular, including remote OpenAPI definitions opens a vector for phishing attacks by abusing the trusted names/domains of self-hosted instances. + +An example scenario abusing this functionality could take the following form: +- \`https://example.com/api-docs\` hosts a version of SwaggerUI with \`?url=\` query parameter enabled. +- Users will trust the domain \`https://example.com\` and the contents of the OpenAPI definition. +- A malicious actor may craft a similar OpenAPI definition and service that responds to the defined APIs at \`https://evildomain\`. +- Users mistakenly click a phishing URL like \`https://example.com/api-docs?url=https://evildomain/fakeapi.yaml\` and enters sensitive data via the "Try-it-out" feature. + +We do want to stress that this attack vector is limited to scenarios that actively trick users into divulging sensitive information. The ease of this is highly contextual and, therefore, the threat model may be different for individual users and organizations. It is *not* possible to perform non-interactive attacks (e.g., cross-site scripting or code injection) through this mechanism. + +### Resolution +We've made the decision to [disable query parameters (#4872)](https://github.com/swagger-api/swagger-ui/issues/4872) by default starting with SwaggerUI version \`4.1.3\`. Please update to this version when it becomes available (**ETA: 2021 December**). Users will still be able to be re-enable the options at their discretion. We'll continue to enable query parameters on the Swagger demo sites. + +### Workaround +If you host a version of SwaggerUI and wish to mitigate this issue immediately, you are encouraged to add the following custom plugin code: + +\`\`\`js +SwaggerUI({ + // ...other configuration options, + plugins: [function UrlParamDisablePlugin() { + return { + statePlugins: { + spec: { + wrapActions: { + // Remove the ?url parameter from loading an external OpenAPI definition. 
+ updateUrl: (oriAction) => (payload) => { + const url = new URL(window.location.href) + if (url.searchParams.has('url')) { + url.searchParams.delete('url') + window.location.replace(url.toString()) + } + return oriAction(payload) + } + } + } + } + } + }], +}) +\`\`\` + +### Future UX work + +Through the exploration of this issue, it became apparent that users may not be aware to which web server the Try-it-out function will send requests. While this information is currently presented at the top of the page, understanding may improve by displaying it closer to the "Execute" button where requests are actually made. We'll be exploring these UX improvements over the coming months and welcome community input. Please create a Feature Request under the GitHub Issue tab to start a conversation with us and the community. + +## Reflected XSS attack + +**Warning** in versions < 3.38.0, it is possible to combine the URL options (as mentioned above) with a vulnerability in DOMPurify (https://www.cvedetails.com/cve/CVE-2020-26870/) to create a reflected XSS vector. If your version of Swagger UI is older than 3.38.0, we suggest you upgrade or implement the workaround as mentioned above. 
+", + "location": "bkimminich/juice-shop:v12.10.2", + "mitigation": "Update the affected package swagger-ui-dist to the fixed version: 4.1.3 or remove the package from the image.", + "name": "Server side request forgery in SwaggerUI", "osi_layer": "NOT_APPLICABLE", "references": [ { - "type": "CVE", - "value": "CVE-2018-16487", + "type": "URL", + "value": "https://github.com/domaindrivendev/Swashbuckle.AspNetCore/commit/401c7cb81e5efe835ceb8aae23e82057d57c7d29", + }, + { + "type": "URL", + "value": "https://github.com/swagger-api/swagger-ui", + }, + { + "type": "URL", + "value": "https://github.com/swagger-api/swagger-ui/commit/01a3e55960f864a0acf6a8d06e5ddaf6776a7f76", + }, + { + "type": "URL", + "value": "https://github.com/swagger-api/swagger-ui/issues/4872", + }, + { + "type": "URL", + "value": "https://github.com/swagger-api/swagger-ui/security/advisories/GHSA-qrmm-w75w-3wpx", }, + ], + "severity": "MEDIUM", + }, + { + "attributes": { + "fixedVersion": "3.2.2, 4.4.14, 5.0.6, 6.1.1", + "foundIn": "Node.js", + "installedVersion": "2.2.2", + "packageName": "tar", + "references": [ + "https://access.redhat.com/security/cve/CVE-2021-32804", + "https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf", + "https://errata.almalinux.org/8/ALSA-2021-3666.html", + "https://github.com/npm/node-tar", + "https://github.com/npm/node-tar/commit/1f036ca23f64a547bdd6c79c1a44bc62e8115da4", + "https://github.com/npm/node-tar/security/advisories/GHSA-3jfq-g458-7qm9", + "https://linux.oracle.com/cve/CVE-2021-32804.html", + "https://linux.oracle.com/errata/ELSA-2021-3666.html", + "https://nvd.nist.gov/vuln/detail/CVE-2021-32804", + "https://www.cve.org/CVERecord?id=CVE-2021-32804", + "https://www.npmjs.com/advisories/1770", + "https://www.npmjs.com/package/tar", + "https://www.oracle.com/security-alerts/cpuoct2021.html", + ], + "vulnerabilityId": "CVE-2021-32804", + }, + "category": "NPM Package Vulnerability", + "description": "The npm package "tar" (aka node-tar) before 
versions 6.1.1, 5.0.6, 4.4.14, and 3.3.2 has a arbitrary File Creation/Overwrite vulnerability due to insufficient absolute path sanitization. node-tar aims to prevent extraction of absolute file paths by turning absolute paths into relative paths when the \`preservePaths\` flag is not set to \`true\`. This is achieved by stripping the absolute path root from any absolute file paths contained in a tar file. For example \`/home/user/.bashrc\` would turn into \`home/user/.bashrc\`. This logic was insufficient when file paths contained repeated path roots such as \`////home/user/.bashrc\`. \`node-tar\` would only strip a single path root from such paths. When given an absolute file path with repeating path roots, the resulting path (e.g. \`///home/user/.bashrc\`) would still resolve to an absolute path, thus allowing arbitrary file creation and overwrite. This issue was addressed in releases 3.2.2, 4.4.14, 5.0.6 and 6.1.1. Users may work around this vulnerability without upgrading by creating a custom \`onentry\` method which sanitizes the \`entry.path\` or a \`filter\` method which removes entries with absolute paths. See referenced GitHub Advisory for details. 
Be aware of CVE-2021-32803 which fixes a similar bug in later versions of tar.", + "location": "bkimminich/juice-shop:v12.10.2", + "mitigation": "Update the affected package tar to the fixed version: 3.2.2, 4.4.14, 5.0.6, 6.1.1 or remove the package from the image.", + "name": "nodejs-tar: Insufficient absolute path sanitization allowing arbitrary file creation and overwrite", + "osi_layer": "NOT_APPLICABLE", + "references": [ { - "type": "URL", - "value": "https://nvd.nist.gov/vuln/detail/CVE-2018-16487", + "type": "CVE", + "value": "CVE-2021-32804", }, { "type": "URL", - "value": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16487", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2021-32804", }, { "type": "URL", - "value": "https://github.com/advisories/GHSA-4xc9-xhrj-v574", + "value": "https://access.redhat.com/security/cve/CVE-2021-32804", }, { "type": "URL", - "value": "https://hackerone.com/reports/380873", + "value": "https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf", }, { "type": "URL", - "value": "https://nvd.nist.gov/vuln/detail/CVE-2018-16487", + "value": "https://errata.almalinux.org/8/ALSA-2021-3666.html", }, { "type": "URL", - "value": "https://security.netapp.com/advisory/ntap-20190919-0004/", - }, - ], - "severity": "MEDIUM", - }, - { - "attributes": { - "fixedVersion": "4.17.5", - "foundIn": "Node.js", - "installedVersion": "2.4.2", - "packageName": "lodash", - "references": [ - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3721", - "https://github.com/advisories/GHSA-fvqr-27wr-82fm", - "https://github.com/lodash/lodash/commit/d8e069cc3410082e44eb18fcf8e7f3d08ebe1d4a", - "https://hackerone.com/reports/310443", - "https://nvd.nist.gov/vuln/detail/CVE-2018-3721", - "https://security.netapp.com/advisory/ntap-20190919-0004/", - "https://snyk.io/vuln/npm:lodash:20180130", - "https://www.npmjs.com/advisories/577", - ], - "vulnerabilityId": "CVE-2018-3721", - }, - "category": "NPM Package Vulnerability", - 
"description": "lodash node module before 4.17.5 suffers from a Modification of Assumed-Immutable Data (MAID) vulnerability via defaultsDeep, merge, and mergeWith functions, which allows a malicious user to modify the prototype of "Object" via __proto__, causing the addition or modification of an existing property that will exist on all objects.", - "location": "bkimminich/juice-shop:v10.2.0", - "mitigation": "Update the affected package lodash to the fixed version: 4.17.5 or remove the package from the image.", - "name": "lodash: Prototype pollution in utilities function", - "osi_layer": "NOT_APPLICABLE", - "references": [ - { - "type": "CVE", - "value": "CVE-2018-3721", + "value": "https://github.com/npm/node-tar", }, { "type": "URL", - "value": "https://nvd.nist.gov/vuln/detail/CVE-2018-3721", + "value": "https://github.com/npm/node-tar/commit/1f036ca23f64a547bdd6c79c1a44bc62e8115da4", }, { "type": "URL", - "value": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3721", + "value": "https://github.com/npm/node-tar/security/advisories/GHSA-3jfq-g458-7qm9", }, { "type": "URL", - "value": "https://github.com/advisories/GHSA-fvqr-27wr-82fm", + "value": "https://linux.oracle.com/cve/CVE-2021-32804.html", }, { "type": "URL", - "value": "https://github.com/lodash/lodash/commit/d8e069cc3410082e44eb18fcf8e7f3d08ebe1d4a", + "value": "https://linux.oracle.com/errata/ELSA-2021-3666.html", }, { "type": "URL", - "value": "https://hackerone.com/reports/310443", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2021-32804", }, { "type": "URL", - "value": "https://nvd.nist.gov/vuln/detail/CVE-2018-3721", + "value": "https://www.cve.org/CVERecord?id=CVE-2021-32804", }, { "type": "URL", - "value": "https://security.netapp.com/advisory/ntap-20190919-0004/", + "value": "https://www.npmjs.com/advisories/1770", }, { "type": "URL", - "value": "https://snyk.io/vuln/npm:lodash:20180130", + "value": "https://www.npmjs.com/package/tar", }, { "type": "URL", - "value": 
"https://www.npmjs.com/advisories/577", + "value": "https://www.oracle.com/security-alerts/cpuoct2021.html", }, ], - "severity": "MEDIUM", + "severity": "HIGH", }, { "attributes": { - "fixedVersion": "4.17.11", + "fixedVersion": "4.4.18, 5.0.10, 6.1.9", "foundIn": "Node.js", - "installedVersion": "2.4.2", - "packageName": "lodash", + "installedVersion": "2.2.2", + "packageName": "tar", "references": [ - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1010266", - "https://github.com/advisories/GHSA-x5rq-j2xg-h7qm", - "https://github.com/lodash/lodash/issues/3359", - "https://github.com/lodash/lodash/wiki/Changelog", - "https://nvd.nist.gov/vuln/detail/CVE-2019-1010266", - "https://security.netapp.com/advisory/ntap-20190919-0004/", - "https://snyk.io/vuln/SNYK-JS-LODASH-73639", + "https://access.redhat.com/security/cve/CVE-2021-37713", + "https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf", + "https://github.com/isaacs/node-tar/commit/52b09e309bcae0c741a7eb79a17ef36e7828b946", + "https://github.com/isaacs/node-tar/commit/82eac952f7c10765969ed464e549375854b26edc", + "https://github.com/isaacs/node-tar/commit/875a37e3ec031186fc6599f6807341f56c584598", + "https://github.com/npm/node-tar", + "https://github.com/npm/node-tar/security/advisories/GHSA-5955-9wpr-37jh", + "https://nvd.nist.gov/vuln/detail/CVE-2021-37713", + "https://www.cve.org/CVERecord?id=CVE-2021-37713", + "https://www.npmjs.com/package/tar", + "https://www.oracle.com/security-alerts/cpuoct2021.html", ], - "vulnerabilityId": "CVE-2019-1010266", + "vulnerabilityId": "CVE-2021-37713", }, "category": "NPM Package Vulnerability", - "description": "lodash prior to 4.17.11 is affected by: CWE-400: Uncontrolled Resource Consumption. The impact is: Denial of service. The component is: Date handler. The attack vector is: Attacker provides very long strings, which the library attempts to match using a regular expression. 
The fixed version is: 4.17.11.", - "location": "bkimminich/juice-shop:v10.2.0", - "mitigation": "Update the affected package lodash to the fixed version: 4.17.11 or remove the package from the image.", - "name": "lodash: uncontrolled resource consumption in Data handler causing denial of service", + "description": "The npm package "tar" (aka node-tar) before versions 4.4.18, 5.0.10, and 6.1.9 has an arbitrary file creation/overwrite and arbitrary code execution vulnerability. node-tar aims to guarantee that any file whose location would be outside of the extraction target directory is not extracted. This is, in part, accomplished by sanitizing absolute paths of entries within the archive, skipping archive entries that contain \`..\` path portions, and resolving the sanitized paths against the extraction target directory. This logic was insufficient on Windows systems when extracting tar files that contained a path that was not an absolute path, but specified a drive letter different from the extraction target, such as \`C:some\\path\`. If the drive letter does not match the extraction target, for example \`D:\\extraction\\dir\`, then the result of \`path.resolve(extractionDirectory, entryPath)\` would resolve against the current working directory on the \`C:\` drive, rather than the extraction target directory. Additionally, a \`..\` portion of the path could occur immediately after the drive letter, such as \`C:../foo\`, and was not properly sanitized by the logic that checked for \`..\` within the normalized and split portions of the path. This only affects users of \`node-tar\` on Windows systems. These issues were addressed in releases 4.4.18, 5.0.10 and 6.1.9. The v3 branch of node-tar has been deprecated and did not receive patches for these issues. If you are still using a v3 release we recommend you update to a more recent version of node-tar. 
There is no reasonable way to work around this issue without performing the same path normalization procedures that node-tar now does. Users are encouraged to upgrade to the latest patched versions of node-tar, rather than attempt to sanitize paths themselves.", + "location": "bkimminich/juice-shop:v12.10.2", + "mitigation": "Update the affected package tar to the fixed version: 4.4.18, 5.0.10, 6.1.9 or remove the package from the image.", + "name": "nodejs-tar: Arbitrary File Creation/Overwrite on Windows via insufficient relative path sanitization", "osi_layer": "NOT_APPLICABLE", "references": [ { "type": "CVE", - "value": "CVE-2019-1010266", + "value": "CVE-2021-37713", }, { "type": "URL", - "value": "https://nvd.nist.gov/vuln/detail/CVE-2019-1010266", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2021-37713", }, { "type": "URL", - "value": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1010266", + "value": "https://access.redhat.com/security/cve/CVE-2021-37713", }, { "type": "URL", - "value": "https://github.com/advisories/GHSA-x5rq-j2xg-h7qm", + "value": "https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf", }, { "type": "URL", - "value": "https://github.com/lodash/lodash/issues/3359", + "value": "https://github.com/isaacs/node-tar/commit/52b09e309bcae0c741a7eb79a17ef36e7828b946", }, { "type": "URL", - "value": "https://github.com/lodash/lodash/wiki/Changelog", + "value": "https://github.com/isaacs/node-tar/commit/82eac952f7c10765969ed464e549375854b26edc", }, { "type": "URL", - "value": "https://nvd.nist.gov/vuln/detail/CVE-2019-1010266", + "value": "https://github.com/isaacs/node-tar/commit/875a37e3ec031186fc6599f6807341f56c584598", }, { "type": "URL", - "value": "https://security.netapp.com/advisory/ntap-20190919-0004/", + "value": "https://github.com/npm/node-tar", }, { "type": "URL", - "value": "https://snyk.io/vuln/SNYK-JS-LODASH-73639", + "value": "https://github.com/npm/node-tar/security/advisories/GHSA-5955-9wpr-37jh", + }, + { 
+ "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2021-37713", + }, + { + "type": "URL", + "value": "https://www.cve.org/CVERecord?id=CVE-2021-37713", + }, + { + "type": "URL", + "value": "https://www.npmjs.com/package/tar", + }, + { + "type": "URL", + "value": "https://www.oracle.com/security-alerts/cpuoct2021.html", }, ], - "severity": "MEDIUM", + "severity": "HIGH", }, { "attributes": { - "fixedVersion": "4.17.12", + "fixedVersion": "6.2.1", "foundIn": "Node.js", - "installedVersion": "4.17.11", - "packageName": "lodash", + "installedVersion": "2.2.2", + "packageName": "tar", "references": [ - "https://access.redhat.com/errata/RHSA-2019:3024", - "https://github.com/advisories/GHSA-jf85-cpcp-j695", - "https://nvd.nist.gov/vuln/detail/CVE-2019-10744", - "https://security.netapp.com/advisory/ntap-20191004-0005/", - "https://snyk.io/vuln/SNYK-JS-LODASH-450202", - "https://support.f5.com/csp/article/K47105354?utm_source=f5support&utm_medium=RSS", - "https://www.oracle.com/security-alerts/cpujan2021.html", - "https://www.oracle.com/security-alerts/cpuoct2020.html", - ], - "vulnerabilityId": "CVE-2019-10744", + "https://access.redhat.com/errata/RHSA-2024:6147", + "https://access.redhat.com/security/cve/CVE-2024-28863", + "https://bugzilla.redhat.com/2293200", + "https://bugzilla.redhat.com/2296417", + "https://errata.almalinux.org/9/ALSA-2024-6147.html", + "https://github.com/isaacs/node-tar", + "https://github.com/isaacs/node-tar/commit/fe8cd57da5686f8695415414bda49206a545f7f7", + "https://github.com/isaacs/node-tar/commit/fe8cd57da5686f8695415414bda49206a545f7f7 (v6.2.1)", + "https://github.com/isaacs/node-tar/security/advisories/GHSA-f5x3-32g6-xq36", + "https://linux.oracle.com/cve/CVE-2024-28863.html", + "https://linux.oracle.com/errata/ELSA-2024-6148.html", + "https://nvd.nist.gov/vuln/detail/CVE-2024-28863", + "https://security.netapp.com/advisory/ntap-20240524-0005", + "https://security.netapp.com/advisory/ntap-20240524-0005/", + 
"https://www.cve.org/CVERecord?id=CVE-2024-28863", + ], + "vulnerabilityId": "CVE-2024-28863", }, "category": "NPM Package Vulnerability", - "description": "Versions of lodash lower than 4.17.12 are vulnerable to Prototype Pollution. The function defaultsDeep could be tricked into adding or modifying properties of Object.prototype using a constructor payload.", - "location": "bkimminich/juice-shop:v10.2.0", - "mitigation": "Update the affected package lodash to the fixed version: 4.17.12 or remove the package from the image.", - "name": "nodejs-lodash: prototype pollution in defaultsDeep function leading to modifying properties", + "description": "node-tar is a Tar for Node.js. node-tar prior to version 6.2.1 has no limit on the number of sub-folders created in the folder creation process. An attacker who generates a large number of sub-folders can consume memory on the system running node-tar and even crash the Node.js client within few seconds of running it using a path with too many sub-folders inside. 
Version 6.2.1 fixes this issue by preventing extraction in excessively deep sub-folders.", + "location": "bkimminich/juice-shop:v12.10.2", + "mitigation": "Update the affected package tar to the fixed version: 6.2.1 or remove the package from the image.", + "name": "node-tar: denial of service while parsing a tar file due to lack of folders depth validation", "osi_layer": "NOT_APPLICABLE", "references": [ { "type": "CVE", - "value": "CVE-2019-10744", - }, - { - "type": "URL", - "value": "https://nvd.nist.gov/vuln/detail/CVE-2019-10744", - }, - { - "type": "URL", - "value": "https://access.redhat.com/errata/RHSA-2019:3024", - }, - { - "type": "URL", - "value": "https://github.com/advisories/GHSA-jf85-cpcp-j695", + "value": "CVE-2024-28863", }, { "type": "URL", - "value": "https://nvd.nist.gov/vuln/detail/CVE-2019-10744", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2024-28863", }, { "type": "URL", - "value": "https://security.netapp.com/advisory/ntap-20191004-0005/", + "value": "https://access.redhat.com/errata/RHSA-2024:6147", }, { "type": "URL", - "value": "https://snyk.io/vuln/SNYK-JS-LODASH-450202", + "value": "https://access.redhat.com/security/cve/CVE-2024-28863", }, { "type": "URL", - "value": "https://support.f5.com/csp/article/K47105354?utm_source=f5support&utm_medium=RSS", + "value": "https://bugzilla.redhat.com/2293200", }, { "type": "URL", - "value": "https://www.oracle.com/security-alerts/cpujan2021.html", + "value": "https://bugzilla.redhat.com/2296417", }, { "type": "URL", - "value": "https://www.oracle.com/security-alerts/cpuoct2020.html", - }, - ], - "severity": "HIGH", - }, - { - "attributes": { - "fixedVersion": "4.17.19", - "foundIn": "Node.js", - "installedVersion": "4.17.11", - "packageName": "lodash", - "references": [ - "https://github.com/advisories/GHSA-p6mc-m468-83gw", - "https://github.com/lodash/lodash/issues/4874", - "https://hackerone.com/reports/712065", - "https://nvd.nist.gov/vuln/detail/CVE-2020-8203", - 
"https://security.netapp.com/advisory/ntap-20200724-0006/", - "https://www.npmjs.com/advisories/1523", - "https://www.oracle.com//security-alerts/cpujul2021.html", - "https://www.oracle.com/security-alerts/cpuApr2021.html", - "https://www.oracle.com/security-alerts/cpuoct2021.html", - ], - "vulnerabilityId": "CVE-2020-8203", - }, - "category": "NPM Package Vulnerability", - "description": "Prototype pollution attack when using _.zipObjectDeep in lodash before 4.17.20.", - "location": "bkimminich/juice-shop:v10.2.0", - "mitigation": "Update the affected package lodash to the fixed version: 4.17.19 or remove the package from the image.", - "name": "nodejs-lodash: prototype pollution in zipObjectDeep function", - "osi_layer": "NOT_APPLICABLE", - "references": [ - { - "type": "CVE", - "value": "CVE-2020-8203", + "value": "https://errata.almalinux.org/9/ALSA-2024-6147.html", }, { "type": "URL", - "value": "https://nvd.nist.gov/vuln/detail/CVE-2020-8203", + "value": "https://github.com/isaacs/node-tar", }, { "type": "URL", - "value": "https://github.com/advisories/GHSA-p6mc-m468-83gw", + "value": "https://github.com/isaacs/node-tar/commit/fe8cd57da5686f8695415414bda49206a545f7f7", }, { "type": "URL", - "value": "https://github.com/lodash/lodash/issues/4874", + "value": "https://github.com/isaacs/node-tar/commit/fe8cd57da5686f8695415414bda49206a545f7f7 (v6.2.1)", }, { "type": "URL", - "value": "https://hackerone.com/reports/712065", + "value": "https://github.com/isaacs/node-tar/security/advisories/GHSA-f5x3-32g6-xq36", }, { "type": "URL", - "value": "https://nvd.nist.gov/vuln/detail/CVE-2020-8203", + "value": "https://linux.oracle.com/cve/CVE-2024-28863.html", }, { "type": "URL", - "value": "https://security.netapp.com/advisory/ntap-20200724-0006/", + "value": "https://linux.oracle.com/errata/ELSA-2024-6148.html", }, { "type": "URL", - "value": "https://www.npmjs.com/advisories/1523", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2024-28863", }, { "type": "URL", - 
"value": "https://www.oracle.com//security-alerts/cpujul2021.html", + "value": "https://security.netapp.com/advisory/ntap-20240524-0005", }, { "type": "URL", - "value": "https://www.oracle.com/security-alerts/cpuApr2021.html", + "value": "https://security.netapp.com/advisory/ntap-20240524-0005/", }, { "type": "URL", - "value": "https://www.oracle.com/security-alerts/cpuoct2021.html", + "value": "https://www.cve.org/CVERecord?id=CVE-2024-28863", }, ], - "severity": "HIGH", + "severity": "MEDIUM", }, { "attributes": { - "fixedVersion": "4.17.21", + "fixedVersion": "6.2.1", "foundIn": "Node.js", - "installedVersion": "4.17.11", - "packageName": "lodash", + "installedVersion": "4.4.19", + "packageName": "tar", "references": [ - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23337", - "https://github.com/advisories/GHSA-35jh-r3h4-6jhm", - "https://github.com/lodash/lodash/blob/ddfd9b11a0126db2302cb70ec9973b66baec0975/lodash.js%23L14851", - "https://nvd.nist.gov/vuln/detail/CVE-2021-23337", - "https://security.netapp.com/advisory/ntap-20210312-0006/", - "https://snyk.io/vuln/SNYK-JAVA-ORGFUJIONWEBJARS-1074932", - "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-1074930", - "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1074928", - "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBLODASH-1074931", - "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1074929", - "https://snyk.io/vuln/SNYK-JS-LODASH-1040724", - "https://www.oracle.com//security-alerts/cpujul2021.html", - "https://www.oracle.com/security-alerts/cpuoct2021.html", - ], - "vulnerabilityId": "CVE-2021-23337", + "https://access.redhat.com/errata/RHSA-2024:6147", + "https://access.redhat.com/security/cve/CVE-2024-28863", + "https://bugzilla.redhat.com/2293200", + "https://bugzilla.redhat.com/2296417", + "https://errata.almalinux.org/9/ALSA-2024-6147.html", + "https://github.com/isaacs/node-tar", + "https://github.com/isaacs/node-tar/commit/fe8cd57da5686f8695415414bda49206a545f7f7", + 
"https://github.com/isaacs/node-tar/commit/fe8cd57da5686f8695415414bda49206a545f7f7 (v6.2.1)", + "https://github.com/isaacs/node-tar/security/advisories/GHSA-f5x3-32g6-xq36", + "https://linux.oracle.com/cve/CVE-2024-28863.html", + "https://linux.oracle.com/errata/ELSA-2024-6148.html", + "https://nvd.nist.gov/vuln/detail/CVE-2024-28863", + "https://security.netapp.com/advisory/ntap-20240524-0005", + "https://security.netapp.com/advisory/ntap-20240524-0005/", + "https://www.cve.org/CVERecord?id=CVE-2024-28863", + ], + "vulnerabilityId": "CVE-2024-28863", }, "category": "NPM Package Vulnerability", - "description": "Lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function.", - "location": "bkimminich/juice-shop:v10.2.0", - "mitigation": "Update the affected package lodash to the fixed version: 4.17.21 or remove the package from the image.", - "name": "nodejs-lodash: command injection via template", + "description": "node-tar is a Tar for Node.js. node-tar prior to version 6.2.1 has no limit on the number of sub-folders created in the folder creation process. An attacker who generates a large number of sub-folders can consume memory on the system running node-tar and even crash the Node.js client within few seconds of running it using a path with too many sub-folders inside. 
Version 6.2.1 fixes this issue by preventing extraction in excessively deep sub-folders.", + "location": "bkimminich/juice-shop:v12.10.2", + "mitigation": "Update the affected package tar to the fixed version: 6.2.1 or remove the package from the image.", + "name": "node-tar: denial of service while parsing a tar file due to lack of folders depth validation", "osi_layer": "NOT_APPLICABLE", "references": [ { "type": "CVE", - "value": "CVE-2021-23337", + "value": "CVE-2024-28863", }, { "type": "URL", - "value": "https://nvd.nist.gov/vuln/detail/CVE-2021-23337", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2024-28863", }, { "type": "URL", - "value": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23337", + "value": "https://access.redhat.com/errata/RHSA-2024:6147", }, { "type": "URL", - "value": "https://github.com/advisories/GHSA-35jh-r3h4-6jhm", + "value": "https://access.redhat.com/security/cve/CVE-2024-28863", }, { "type": "URL", - "value": "https://github.com/lodash/lodash/blob/ddfd9b11a0126db2302cb70ec9973b66baec0975/lodash.js%23L14851", + "value": "https://bugzilla.redhat.com/2293200", }, { "type": "URL", - "value": "https://nvd.nist.gov/vuln/detail/CVE-2021-23337", + "value": "https://bugzilla.redhat.com/2296417", }, { "type": "URL", - "value": "https://security.netapp.com/advisory/ntap-20210312-0006/", + "value": "https://errata.almalinux.org/9/ALSA-2024-6147.html", }, { "type": "URL", - "value": "https://snyk.io/vuln/SNYK-JAVA-ORGFUJIONWEBJARS-1074932", + "value": "https://github.com/isaacs/node-tar", }, { "type": "URL", - "value": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-1074930", + "value": "https://github.com/isaacs/node-tar/commit/fe8cd57da5686f8695415414bda49206a545f7f7", }, { "type": "URL", - "value": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1074928", + "value": "https://github.com/isaacs/node-tar/commit/fe8cd57da5686f8695415414bda49206a545f7f7 (v6.2.1)", }, { "type": "URL", - "value": 
"https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBLODASH-1074931", + "value": "https://github.com/isaacs/node-tar/security/advisories/GHSA-f5x3-32g6-xq36", }, { "type": "URL", - "value": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1074929", + "value": "https://linux.oracle.com/cve/CVE-2024-28863.html", }, { "type": "URL", - "value": "https://snyk.io/vuln/SNYK-JS-LODASH-1040724", + "value": "https://linux.oracle.com/errata/ELSA-2024-6148.html", }, { "type": "URL", - "value": "https://www.oracle.com//security-alerts/cpujul2021.html", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2024-28863", }, { "type": "URL", - "value": "https://www.oracle.com/security-alerts/cpuoct2021.html", + "value": "https://security.netapp.com/advisory/ntap-20240524-0005", + }, + { + "type": "URL", + "value": "https://security.netapp.com/advisory/ntap-20240524-0005/", + }, + { + "type": "URL", + "value": "https://www.cve.org/CVERecord?id=CVE-2024-28863", }, ], - "severity": "HIGH", + "severity": "MEDIUM", }, { "attributes": { - "fixedVersion": "4.17.19", + "fixedVersion": "6.2.1", "foundIn": "Node.js", - "installedVersion": "4.17.15", - "packageName": "lodash", + "installedVersion": "4.4.19", + "packageName": "tar", "references": [ - "https://github.com/advisories/GHSA-p6mc-m468-83gw", - "https://github.com/lodash/lodash/issues/4874", - "https://hackerone.com/reports/712065", - "https://nvd.nist.gov/vuln/detail/CVE-2020-8203", - "https://security.netapp.com/advisory/ntap-20200724-0006/", - "https://www.npmjs.com/advisories/1523", - "https://www.oracle.com//security-alerts/cpujul2021.html", - "https://www.oracle.com/security-alerts/cpuApr2021.html", - "https://www.oracle.com/security-alerts/cpuoct2021.html", - ], - "vulnerabilityId": "CVE-2020-8203", + "https://access.redhat.com/errata/RHSA-2024:6147", + "https://access.redhat.com/security/cve/CVE-2024-28863", + "https://bugzilla.redhat.com/2293200", + "https://bugzilla.redhat.com/2296417", + 
"https://errata.almalinux.org/9/ALSA-2024-6147.html", + "https://github.com/isaacs/node-tar", + "https://github.com/isaacs/node-tar/commit/fe8cd57da5686f8695415414bda49206a545f7f7", + "https://github.com/isaacs/node-tar/commit/fe8cd57da5686f8695415414bda49206a545f7f7 (v6.2.1)", + "https://github.com/isaacs/node-tar/security/advisories/GHSA-f5x3-32g6-xq36", + "https://linux.oracle.com/cve/CVE-2024-28863.html", + "https://linux.oracle.com/errata/ELSA-2024-6148.html", + "https://nvd.nist.gov/vuln/detail/CVE-2024-28863", + "https://security.netapp.com/advisory/ntap-20240524-0005", + "https://security.netapp.com/advisory/ntap-20240524-0005/", + "https://www.cve.org/CVERecord?id=CVE-2024-28863", + ], + "vulnerabilityId": "CVE-2024-28863", }, "category": "NPM Package Vulnerability", - "description": "Prototype pollution attack when using _.zipObjectDeep in lodash before 4.17.20.", - "location": "bkimminich/juice-shop:v10.2.0", - "mitigation": "Update the affected package lodash to the fixed version: 4.17.19 or remove the package from the image.", - "name": "nodejs-lodash: prototype pollution in zipObjectDeep function", + "description": "node-tar is a Tar for Node.js. node-tar prior to version 6.2.1 has no limit on the number of sub-folders created in the folder creation process. An attacker who generates a large number of sub-folders can consume memory on the system running node-tar and even crash the Node.js client within few seconds of running it using a path with too many sub-folders inside. 
Version 6.2.1 fixes this issue by preventing extraction in excessively deep sub-folders.", + "location": "bkimminich/juice-shop:v12.10.2", + "mitigation": "Update the affected package tar to the fixed version: 6.2.1 or remove the package from the image.", + "name": "node-tar: denial of service while parsing a tar file due to lack of folders depth validation", "osi_layer": "NOT_APPLICABLE", "references": [ { - "type": "CVE", - "value": "CVE-2020-8203", + "type": "CVE", + "value": "CVE-2024-28863", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2024-28863", + }, + { + "type": "URL", + "value": "https://access.redhat.com/errata/RHSA-2024:6147", + }, + { + "type": "URL", + "value": "https://access.redhat.com/security/cve/CVE-2024-28863", }, { "type": "URL", - "value": "https://nvd.nist.gov/vuln/detail/CVE-2020-8203", + "value": "https://bugzilla.redhat.com/2293200", }, { "type": "URL", - "value": "https://github.com/advisories/GHSA-p6mc-m468-83gw", + "value": "https://bugzilla.redhat.com/2296417", }, { "type": "URL", - "value": "https://github.com/lodash/lodash/issues/4874", + "value": "https://errata.almalinux.org/9/ALSA-2024-6147.html", }, { "type": "URL", - "value": "https://hackerone.com/reports/712065", + "value": "https://github.com/isaacs/node-tar", }, { "type": "URL", - "value": "https://nvd.nist.gov/vuln/detail/CVE-2020-8203", + "value": "https://github.com/isaacs/node-tar/commit/fe8cd57da5686f8695415414bda49206a545f7f7", }, { "type": "URL", - "value": "https://security.netapp.com/advisory/ntap-20200724-0006/", + "value": "https://github.com/isaacs/node-tar/commit/fe8cd57da5686f8695415414bda49206a545f7f7 (v6.2.1)", }, { "type": "URL", - "value": "https://www.npmjs.com/advisories/1523", + "value": "https://github.com/isaacs/node-tar/security/advisories/GHSA-f5x3-32g6-xq36", }, { "type": "URL", - "value": "https://www.oracle.com//security-alerts/cpujul2021.html", + "value": "https://linux.oracle.com/cve/CVE-2024-28863.html", }, { 
"type": "URL", - "value": "https://www.oracle.com/security-alerts/cpuApr2021.html", + "value": "https://linux.oracle.com/errata/ELSA-2024-6148.html", }, { "type": "URL", - "value": "https://www.oracle.com/security-alerts/cpuoct2021.html", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2024-28863", + }, + { + "type": "URL", + "value": "https://security.netapp.com/advisory/ntap-20240524-0005", + }, + { + "type": "URL", + "value": "https://security.netapp.com/advisory/ntap-20240524-0005/", + }, + { + "type": "URL", + "value": "https://www.cve.org/CVERecord?id=CVE-2024-28863", }, ], - "severity": "HIGH", + "severity": "MEDIUM", }, { "attributes": { - "fixedVersion": "4.17.21", + "fixedVersion": "6.2.1", "foundIn": "Node.js", - "installedVersion": "4.17.15", - "packageName": "lodash", + "installedVersion": "4.4.19", + "packageName": "tar", "references": [ - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23337", - "https://github.com/advisories/GHSA-35jh-r3h4-6jhm", - "https://github.com/lodash/lodash/blob/ddfd9b11a0126db2302cb70ec9973b66baec0975/lodash.js%23L14851", - "https://nvd.nist.gov/vuln/detail/CVE-2021-23337", - "https://security.netapp.com/advisory/ntap-20210312-0006/", - "https://snyk.io/vuln/SNYK-JAVA-ORGFUJIONWEBJARS-1074932", - "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-1074930", - "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1074928", - "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBLODASH-1074931", - "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1074929", - "https://snyk.io/vuln/SNYK-JS-LODASH-1040724", - "https://www.oracle.com//security-alerts/cpujul2021.html", - "https://www.oracle.com/security-alerts/cpuoct2021.html", - ], - "vulnerabilityId": "CVE-2021-23337", + "https://access.redhat.com/errata/RHSA-2024:6147", + "https://access.redhat.com/security/cve/CVE-2024-28863", + "https://bugzilla.redhat.com/2293200", + "https://bugzilla.redhat.com/2296417", + "https://errata.almalinux.org/9/ALSA-2024-6147.html", + 
"https://github.com/isaacs/node-tar", + "https://github.com/isaacs/node-tar/commit/fe8cd57da5686f8695415414bda49206a545f7f7", + "https://github.com/isaacs/node-tar/commit/fe8cd57da5686f8695415414bda49206a545f7f7 (v6.2.1)", + "https://github.com/isaacs/node-tar/security/advisories/GHSA-f5x3-32g6-xq36", + "https://linux.oracle.com/cve/CVE-2024-28863.html", + "https://linux.oracle.com/errata/ELSA-2024-6148.html", + "https://nvd.nist.gov/vuln/detail/CVE-2024-28863", + "https://security.netapp.com/advisory/ntap-20240524-0005", + "https://security.netapp.com/advisory/ntap-20240524-0005/", + "https://www.cve.org/CVERecord?id=CVE-2024-28863", + ], + "vulnerabilityId": "CVE-2024-28863", }, "category": "NPM Package Vulnerability", - "description": "Lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function.", - "location": "bkimminich/juice-shop:v10.2.0", - "mitigation": "Update the affected package lodash to the fixed version: 4.17.21 or remove the package from the image.", - "name": "nodejs-lodash: command injection via template", + "description": "node-tar is a Tar for Node.js. node-tar prior to version 6.2.1 has no limit on the number of sub-folders created in the folder creation process. An attacker who generates a large number of sub-folders can consume memory on the system running node-tar and even crash the Node.js client within few seconds of running it using a path with too many sub-folders inside. 
Version 6.2.1 fixes this issue by preventing extraction in excessively deep sub-folders.", + "location": "bkimminich/juice-shop:v12.10.2", + "mitigation": "Update the affected package tar to the fixed version: 6.2.1 or remove the package from the image.", + "name": "node-tar: denial of service while parsing a tar file due to lack of folders depth validation", "osi_layer": "NOT_APPLICABLE", "references": [ { "type": "CVE", - "value": "CVE-2021-23337", - }, - { - "type": "URL", - "value": "https://nvd.nist.gov/vuln/detail/CVE-2021-23337", - }, - { - "type": "URL", - "value": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23337", + "value": "CVE-2024-28863", }, { "type": "URL", - "value": "https://github.com/advisories/GHSA-35jh-r3h4-6jhm", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2024-28863", }, { "type": "URL", - "value": "https://github.com/lodash/lodash/blob/ddfd9b11a0126db2302cb70ec9973b66baec0975/lodash.js%23L14851", + "value": "https://access.redhat.com/errata/RHSA-2024:6147", }, { "type": "URL", - "value": "https://nvd.nist.gov/vuln/detail/CVE-2021-23337", + "value": "https://access.redhat.com/security/cve/CVE-2024-28863", }, { "type": "URL", - "value": "https://security.netapp.com/advisory/ntap-20210312-0006/", + "value": "https://bugzilla.redhat.com/2293200", }, { "type": "URL", - "value": "https://snyk.io/vuln/SNYK-JAVA-ORGFUJIONWEBJARS-1074932", + "value": "https://bugzilla.redhat.com/2296417", }, { "type": "URL", - "value": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-1074930", + "value": "https://errata.almalinux.org/9/ALSA-2024-6147.html", }, { "type": "URL", - "value": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1074928", + "value": "https://github.com/isaacs/node-tar", }, { "type": "URL", - "value": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBLODASH-1074931", + "value": "https://github.com/isaacs/node-tar/commit/fe8cd57da5686f8695415414bda49206a545f7f7", }, { "type": "URL", - "value": 
"https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1074929", + "value": "https://github.com/isaacs/node-tar/commit/fe8cd57da5686f8695415414bda49206a545f7f7 (v6.2.1)", }, { "type": "URL", - "value": "https://snyk.io/vuln/SNYK-JS-LODASH-1040724", + "value": "https://github.com/isaacs/node-tar/security/advisories/GHSA-f5x3-32g6-xq36", }, { "type": "URL", - "value": "https://www.oracle.com//security-alerts/cpujul2021.html", + "value": "https://linux.oracle.com/cve/CVE-2024-28863.html", }, { "type": "URL", - "value": "https://www.oracle.com/security-alerts/cpuoct2021.html", - }, - ], - "severity": "HIGH", - }, - { - "attributes": { - "fixedVersion": ">=4.17.19", - "foundIn": "Node.js", - "installedVersion": "4.17.15", - "packageName": "lodash", - "references": [ - "https://github.com/lodash/lodash/pull/4759", - "https://hackerone.com/reports/712065", - "https://www.npmjs.com/advisories/1523", - ], - "vulnerabilityId": "NSWG-ECO-516", - }, - "category": "NPM Package Vulnerability", - "description": "Prototype pollution attack (lodash)", - "location": "bkimminich/juice-shop:v10.2.0", - "mitigation": "Update the affected package lodash to the fixed version: >=4.17.19 or remove the package from the image.", - "name": "Allocation of Resources Without Limits or Throttling", - "osi_layer": "NOT_APPLICABLE", - "references": [ - { - "type": "NSWG", - "value": "NSWG-ECO-516", + "value": "https://linux.oracle.com/errata/ELSA-2024-6148.html", }, { "type": "URL", - "value": "https://github.com/nodejs/security-wg/tree/master/vuln", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2024-28863", }, { "type": "URL", - "value": "https://github.com/lodash/lodash/pull/4759", + "value": "https://security.netapp.com/advisory/ntap-20240524-0005", }, { "type": "URL", - "value": "https://hackerone.com/reports/712065", + "value": "https://security.netapp.com/advisory/ntap-20240524-0005/", }, { "type": "URL", - "value": "https://www.npmjs.com/advisories/1523", + "value": 
"https://www.cve.org/CVERecord?id=CVE-2024-28863", }, ], - "severity": "HIGH", + "severity": "MEDIUM", }, { "attributes": { - "fixedVersion": undefined, + "fixedVersion": "6.2.1", "foundIn": "Node.js", - "installedVersion": "0.6.11", - "packageName": "marsdb", + "installedVersion": "6.1.11", + "packageName": "tar", "references": [ - "https://github.com/advisories/GHSA-5mrr-rgp6-x4gr", - "https://github.com/bkimminich/juice-shop/issues/1173", - ], - "vulnerabilityId": "GHSA-5mrr-rgp6-x4gr", + "https://access.redhat.com/errata/RHSA-2024:6147", + "https://access.redhat.com/security/cve/CVE-2024-28863", + "https://bugzilla.redhat.com/2293200", + "https://bugzilla.redhat.com/2296417", + "https://errata.almalinux.org/9/ALSA-2024-6147.html", + "https://github.com/isaacs/node-tar", + "https://github.com/isaacs/node-tar/commit/fe8cd57da5686f8695415414bda49206a545f7f7", + "https://github.com/isaacs/node-tar/commit/fe8cd57da5686f8695415414bda49206a545f7f7 (v6.2.1)", + "https://github.com/isaacs/node-tar/security/advisories/GHSA-f5x3-32g6-xq36", + "https://linux.oracle.com/cve/CVE-2024-28863.html", + "https://linux.oracle.com/errata/ELSA-2024-6148.html", + "https://nvd.nist.gov/vuln/detail/CVE-2024-28863", + "https://security.netapp.com/advisory/ntap-20240524-0005", + "https://security.netapp.com/advisory/ntap-20240524-0005/", + "https://www.cve.org/CVERecord?id=CVE-2024-28863", + ], + "vulnerabilityId": "CVE-2024-28863", }, "category": "NPM Package Vulnerability", - "description": "All versions of \`marsdb\` are vulnerable to Command Injection. In the \`DocumentMatcher\` class, selectors on \`$where\` clauses are passed to a Function constructor unsanitized. This allows attackers to run arbitrary commands in the system when the function is executed. - - -## Recommendation - -No fix is currently available. 
Consider using an alternative package until a fix is made available.", - "location": "bkimminich/juice-shop:v10.2.0", - "mitigation": "Update the affected package marsdb to the fixed version: undefined or remove the package from the image.", - "name": "Command Injection in marsdb", + "description": "node-tar is a Tar for Node.js. node-tar prior to version 6.2.1 has no limit on the number of sub-folders created in the folder creation process. An attacker who generates a large number of sub-folders can consume memory on the system running node-tar and even crash the Node.js client within few seconds of running it using a path with too many sub-folders inside. Version 6.2.1 fixes this issue by preventing extraction in excessively deep sub-folders.", + "location": "bkimminich/juice-shop:v12.10.2", + "mitigation": "Update the affected package tar to the fixed version: 6.2.1 or remove the package from the image.", + "name": "node-tar: denial of service while parsing a tar file due to lack of folders depth validation", "osi_layer": "NOT_APPLICABLE", "references": [ { - "type": "URL", - "value": "https://github.com/advisories/GHSA-5mrr-rgp6-x4gr", + "type": "CVE", + "value": "CVE-2024-28863", }, { "type": "URL", - "value": "https://github.com/bkimminich/juice-shop/issues/1173", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2024-28863", }, - ], - "severity": "HIGH", - }, - { - "attributes": { - "fixedVersion": "1.2.3, 0.2.1", - "foundIn": "Node.js", - "installedVersion": "0.0.10", - "packageName": "minimist", - "references": [ - "http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00024.html", - "https://github.com/advisories/GHSA-vh95-rmgr-6w4m", - "https://linux.oracle.com/cve/CVE-2020-7598.html", - "https://linux.oracle.com/errata/ELSA-2020-2852.html", - "https://nvd.nist.gov/vuln/detail/CVE-2020-7598", - "https://snyk.io/vuln/SNYK-JS-MINIMIST-559764", - ], - "vulnerabilityId": "CVE-2020-7598", - }, - "category": "NPM Package Vulnerability", - 
"description": "minimist before 1.2.2 could be tricked into adding or modifying properties of Object.prototype using a "constructor" or "__proto__" payload.", - "location": "bkimminich/juice-shop:v10.2.0", - "mitigation": "Update the affected package minimist to the fixed version: 1.2.3, 0.2.1 or remove the package from the image.", - "name": "nodejs-minimist: prototype pollution allows adding or modifying properties of Object.prototype using a constructor or __proto__ payload", - "osi_layer": "NOT_APPLICABLE", - "references": [ { - "type": "CVE", - "value": "CVE-2020-7598", + "type": "URL", + "value": "https://access.redhat.com/errata/RHSA-2024:6147", }, { "type": "URL", - "value": "https://nvd.nist.gov/vuln/detail/CVE-2020-7598", + "value": "https://access.redhat.com/security/cve/CVE-2024-28863", }, { "type": "URL", - "value": "http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00024.html", + "value": "https://bugzilla.redhat.com/2293200", }, { "type": "URL", - "value": "https://github.com/advisories/GHSA-vh95-rmgr-6w4m", + "value": "https://bugzilla.redhat.com/2296417", }, { "type": "URL", - "value": "https://linux.oracle.com/cve/CVE-2020-7598.html", + "value": "https://errata.almalinux.org/9/ALSA-2024-6147.html", }, { "type": "URL", - "value": "https://linux.oracle.com/errata/ELSA-2020-2852.html", + "value": "https://github.com/isaacs/node-tar", }, { "type": "URL", - "value": "https://nvd.nist.gov/vuln/detail/CVE-2020-7598", + "value": "https://github.com/isaacs/node-tar/commit/fe8cd57da5686f8695415414bda49206a545f7f7", }, { "type": "URL", - "value": "https://snyk.io/vuln/SNYK-JS-MINIMIST-559764", + "value": "https://github.com/isaacs/node-tar/commit/fe8cd57da5686f8695415414bda49206a545f7f7 (v6.2.1)", }, - ], - "severity": "MEDIUM", - }, - { - "attributes": { - "fixedVersion": "2.19.3", - "foundIn": "Node.js", - "installedVersion": "2.0.0", - "packageName": "moment", - "references": [ - "https://github.com/advisories/GHSA-446m-mv8f-q348", - 
"https://github.com/moment/moment/issues/4163", - "https://nodesecurity.io/advisories/532", - "https://nvd.nist.gov/vuln/detail/CVE-2017-18214", - "https://www.tenable.com/security/tns-2019-02", - ], - "vulnerabilityId": "CVE-2017-18214", - }, - "category": "NPM Package Vulnerability", - "description": "The moment module before 2.19.3 for Node.js is prone to a regular expression denial of service via a crafted date string, a different vulnerability than CVE-2016-4055.", - "location": "bkimminich/juice-shop:v10.2.0", - "mitigation": "Update the affected package moment to the fixed version: 2.19.3 or remove the package from the image.", - "name": "nodejs-moment: Regular expression denial of service", - "osi_layer": "NOT_APPLICABLE", - "references": [ { - "type": "CVE", - "value": "CVE-2017-18214", + "type": "URL", + "value": "https://github.com/isaacs/node-tar/security/advisories/GHSA-f5x3-32g6-xq36", }, { "type": "URL", - "value": "https://nvd.nist.gov/vuln/detail/CVE-2017-18214", + "value": "https://linux.oracle.com/cve/CVE-2024-28863.html", }, { "type": "URL", - "value": "https://github.com/advisories/GHSA-446m-mv8f-q348", + "value": "https://linux.oracle.com/errata/ELSA-2024-6148.html", }, { "type": "URL", - "value": "https://github.com/moment/moment/issues/4163", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2024-28863", }, { "type": "URL", - "value": "https://nodesecurity.io/advisories/532", + "value": "https://security.netapp.com/advisory/ntap-20240524-0005", }, { "type": "URL", - "value": "https://nvd.nist.gov/vuln/detail/CVE-2017-18214", + "value": "https://security.netapp.com/advisory/ntap-20240524-0005/", }, { "type": "URL", - "value": "https://www.tenable.com/security/tns-2019-02", + "value": "https://www.cve.org/CVERecord?id=CVE-2024-28863", }, ], - "severity": "HIGH", + "severity": "MEDIUM", }, { "attributes": { - "fixedVersion": "2.11.2", + "fixedVersion": "4.1.3", "foundIn": "Node.js", - "installedVersion": "2.0.0", - "packageName": "moment", - 
"references": [ - "http://www.openwall.com/lists/oss-security/2016/04/20/11", - "http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html", - "http://www.securityfocus.com/bid/95849", - "https://github.com/advisories/GHSA-87vv-r9j6-g5qv", - "https://lists.apache.org/thread.html/10f0f3aefd51444d1198c65f44ffdf2d78ca3359423dbc1c168c9731@%3Cdev.flink.apache.org%3E", - "https://lists.apache.org/thread.html/17ff53f7999e74fbe3cc0ceb4e1c3b00b180b7c5afec8e978837bc49@%3Cuser.flink.apache.org%3E", - "https://lists.apache.org/thread.html/52bafac05ad174000ea465fe275fd3cc7bd5c25535a7631c0bc9bfb2@%3Cuser.flink.apache.org%3E", - "https://lists.apache.org/thread.html/54df3aeb4239b64b50b356f0ca6f986e3c4ca5b84c515dce077c7854@%3Cuser.flink.apache.org%3E", - "https://nodesecurity.io/advisories/55", - "https://nvd.nist.gov/vuln/detail/CVE-2016-4055", - "https://www.owasp.org/index.php/Regular_expression_Denial_of_Service_-_ReDoS", - "https://www.tenable.com/security/tns-2019-02", - ], - "vulnerabilityId": "CVE-2016-4055", + "installedVersion": "2.4.3", + "packageName": "tough-cookie", + "references": [ + "https://access.redhat.com/security/cve/CVE-2023-26136", + "https://github.com/salesforce/tough-cookie", + "https://github.com/salesforce/tough-cookie/commit/12d474791bb856004e858fdb1c47b7608d09cf6e", + "https://github.com/salesforce/tough-cookie/issues/282", + "https://github.com/salesforce/tough-cookie/releases/tag/v4.1.3", + "https://lists.debian.org/debian-lts-announce/2023/07/msg00010.html", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3HUE6ZR5SL73KHL7XUPAOEL6SB7HUDT2", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3HUE6ZR5SL73KHL7XUPAOEL6SB7HUDT2/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6PVVPNSAGSDS63HQ74PJ7MZ3MU5IYNVZ", + 
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6PVVPNSAGSDS63HQ74PJ7MZ3MU5IYNVZ/", + "https://nvd.nist.gov/vuln/detail/CVE-2023-26136", + "https://security.netapp.com/advisory/ntap-20240621-0006", + "https://security.netapp.com/advisory/ntap-20240621-0006/", + "https://security.snyk.io/vuln/SNYK-JS-TOUGHCOOKIE-5672873", + "https://www.cve.org/CVERecord?id=CVE-2023-26136", + ], + "vulnerabilityId": "CVE-2023-26136", }, "category": "NPM Package Vulnerability", - "description": "The duration function in the moment package before 2.11.2 for Node.js allows remote attackers to cause a denial of service (CPU consumption) via a long string, aka a "regular expression Denial of Service (ReDoS)."", - "location": "bkimminich/juice-shop:v10.2.0", - "mitigation": "Update the affected package moment to the fixed version: 2.11.2 or remove the package from the image.", - "name": "moment.js: regular expression denial of service", + "description": "Versions of the package tough-cookie before 4.1.3 are vulnerable to Prototype Pollution due to improper handling of Cookies when using CookieJar in rejectPublicSuffixes=false mode. 
This issue arises from the manner in which the objects are initialized.", + "location": "bkimminich/juice-shop:v12.10.2", + "mitigation": "Update the affected package tough-cookie to the fixed version: 4.1.3 or remove the package from the image.", + "name": "tough-cookie: prototype pollution in cookie memstore", "osi_layer": "NOT_APPLICABLE", "references": [ { "type": "CVE", - "value": "CVE-2016-4055", + "value": "CVE-2023-26136", }, { "type": "URL", - "value": "https://nvd.nist.gov/vuln/detail/CVE-2016-4055", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2023-26136", }, { "type": "URL", - "value": "http://www.openwall.com/lists/oss-security/2016/04/20/11", + "value": "https://access.redhat.com/security/cve/CVE-2023-26136", }, { "type": "URL", - "value": "http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html", + "value": "https://github.com/salesforce/tough-cookie", }, { "type": "URL", - "value": "http://www.securityfocus.com/bid/95849", + "value": "https://github.com/salesforce/tough-cookie/commit/12d474791bb856004e858fdb1c47b7608d09cf6e", }, { "type": "URL", - "value": "https://github.com/advisories/GHSA-87vv-r9j6-g5qv", + "value": "https://github.com/salesforce/tough-cookie/issues/282", }, { "type": "URL", - "value": "https://lists.apache.org/thread.html/10f0f3aefd51444d1198c65f44ffdf2d78ca3359423dbc1c168c9731@%3Cdev.flink.apache.org%3E", + "value": "https://github.com/salesforce/tough-cookie/releases/tag/v4.1.3", }, { "type": "URL", - "value": "https://lists.apache.org/thread.html/17ff53f7999e74fbe3cc0ceb4e1c3b00b180b7c5afec8e978837bc49@%3Cuser.flink.apache.org%3E", + "value": "https://lists.debian.org/debian-lts-announce/2023/07/msg00010.html", }, { "type": "URL", - "value": "https://lists.apache.org/thread.html/52bafac05ad174000ea465fe275fd3cc7bd5c25535a7631c0bc9bfb2@%3Cuser.flink.apache.org%3E", + "value": 
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3HUE6ZR5SL73KHL7XUPAOEL6SB7HUDT2", }, { "type": "URL", - "value": "https://lists.apache.org/thread.html/54df3aeb4239b64b50b356f0ca6f986e3c4ca5b84c515dce077c7854@%3Cuser.flink.apache.org%3E", + "value": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3HUE6ZR5SL73KHL7XUPAOEL6SB7HUDT2/", }, { "type": "URL", - "value": "https://nodesecurity.io/advisories/55", + "value": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6PVVPNSAGSDS63HQ74PJ7MZ3MU5IYNVZ", }, { "type": "URL", - "value": "https://nvd.nist.gov/vuln/detail/CVE-2016-4055", + "value": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6PVVPNSAGSDS63HQ74PJ7MZ3MU5IYNVZ/", }, { "type": "URL", - "value": "https://www.owasp.org/index.php/Regular_expression_Denial_of_Service_-_ReDoS", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2023-26136", }, { "type": "URL", - "value": "https://www.tenable.com/security/tns-2019-02", + "value": "https://security.netapp.com/advisory/ntap-20240621-0006", + }, + { + "type": "URL", + "value": "https://security.netapp.com/advisory/ntap-20240621-0006/", + }, + { + "type": "URL", + "value": "https://security.snyk.io/vuln/SNYK-JS-TOUGHCOOKIE-5672873", + }, + { + "type": "URL", + "value": "https://www.cve.org/CVERecord?id=CVE-2023-26136", }, ], "severity": "MEDIUM", }, { "attributes": { - "fixedVersion": "6.14.6", + "fixedVersion": "4.1.3", "foundIn": "Node.js", - "installedVersion": "6.14.4", - "packageName": "npm", - "references": [ - "http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00011.html", - "http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00015.html", - "http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00023.html", - "https://github.com/advisories/GHSA-93f3-23rq-pjfp", - 
"https://github.com/npm/cli/blob/66aab417f836a901f8afb265251f761bb0422463/CHANGELOG.md#6146-2020-07-07", - "https://github.com/npm/cli/commit/a9857b8f6869451ff058789c4631fadfde5bbcbc", - "https://github.com/npm/cli/security/advisories/GHSA-93f3-23rq-pjfp", - "https://linux.oracle.com/cve/CVE-2020-15095.html", - "https://linux.oracle.com/errata/ELSA-2021-0548.html", - "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4OOYAMJVLLCLXDTHW3V5UXNULZBBK4O6/", - "https://nvd.nist.gov/vuln/detail/CVE-2020-15095", - "https://security.gentoo.org/glsa/202101-07", - ], - "vulnerabilityId": "CVE-2020-15095", + "installedVersion": "2.5.0", + "packageName": "tough-cookie", + "references": [ + "https://access.redhat.com/security/cve/CVE-2023-26136", + "https://github.com/salesforce/tough-cookie", + "https://github.com/salesforce/tough-cookie/commit/12d474791bb856004e858fdb1c47b7608d09cf6e", + "https://github.com/salesforce/tough-cookie/issues/282", + "https://github.com/salesforce/tough-cookie/releases/tag/v4.1.3", + "https://lists.debian.org/debian-lts-announce/2023/07/msg00010.html", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3HUE6ZR5SL73KHL7XUPAOEL6SB7HUDT2", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3HUE6ZR5SL73KHL7XUPAOEL6SB7HUDT2/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6PVVPNSAGSDS63HQ74PJ7MZ3MU5IYNVZ", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6PVVPNSAGSDS63HQ74PJ7MZ3MU5IYNVZ/", + "https://nvd.nist.gov/vuln/detail/CVE-2023-26136", + "https://security.netapp.com/advisory/ntap-20240621-0006", + "https://security.netapp.com/advisory/ntap-20240621-0006/", + "https://security.snyk.io/vuln/SNYK-JS-TOUGHCOOKIE-5672873", + "https://www.cve.org/CVERecord?id=CVE-2023-26136", + ], + "vulnerabilityId": 
"CVE-2023-26136", }, "category": "NPM Package Vulnerability", - "description": "Versions of the npm CLI prior to 6.14.6 are vulnerable to an information exposure vulnerability through log files. The CLI supports URLs like "://[[:]@][:][:][/]". The password value is not redacted and is printed to stdout and also to any generated log files.", - "location": "bkimminich/juice-shop:v10.2.0", - "mitigation": "Update the affected package npm to the fixed version: 6.14.6 or remove the package from the image.", - "name": "npm: sensitive information exposure through logs", + "description": "Versions of the package tough-cookie before 4.1.3 are vulnerable to Prototype Pollution due to improper handling of Cookies when using CookieJar in rejectPublicSuffixes=false mode. This issue arises from the manner in which the objects are initialized.", + "location": "bkimminich/juice-shop:v12.10.2", + "mitigation": "Update the affected package tough-cookie to the fixed version: 4.1.3 or remove the package from the image.", + "name": "tough-cookie: prototype pollution in cookie memstore", "osi_layer": "NOT_APPLICABLE", "references": [ { "type": "CVE", - "value": "CVE-2020-15095", + "value": "CVE-2023-26136", }, { "type": "URL", - "value": "https://nvd.nist.gov/vuln/detail/CVE-2020-15095", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2023-26136", + }, + { + "type": "URL", + "value": "https://access.redhat.com/security/cve/CVE-2023-26136", }, { "type": "URL", - "value": "http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00011.html", + "value": "https://github.com/salesforce/tough-cookie", }, { "type": "URL", - "value": "http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00015.html", + "value": "https://github.com/salesforce/tough-cookie/commit/12d474791bb856004e858fdb1c47b7608d09cf6e", }, { "type": "URL", - "value": "http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00023.html", + "value": "https://github.com/salesforce/tough-cookie/issues/282", 
}, { "type": "URL", - "value": "https://github.com/advisories/GHSA-93f3-23rq-pjfp", + "value": "https://github.com/salesforce/tough-cookie/releases/tag/v4.1.3", }, { "type": "URL", - "value": "https://github.com/npm/cli/blob/66aab417f836a901f8afb265251f761bb0422463/CHANGELOG.md#6146-2020-07-07", + "value": "https://lists.debian.org/debian-lts-announce/2023/07/msg00010.html", }, { "type": "URL", - "value": "https://github.com/npm/cli/commit/a9857b8f6869451ff058789c4631fadfde5bbcbc", + "value": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3HUE6ZR5SL73KHL7XUPAOEL6SB7HUDT2", }, { "type": "URL", - "value": "https://github.com/npm/cli/security/advisories/GHSA-93f3-23rq-pjfp", + "value": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3HUE6ZR5SL73KHL7XUPAOEL6SB7HUDT2/", }, { "type": "URL", - "value": "https://linux.oracle.com/cve/CVE-2020-15095.html", + "value": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6PVVPNSAGSDS63HQ74PJ7MZ3MU5IYNVZ", }, { "type": "URL", - "value": "https://linux.oracle.com/errata/ELSA-2021-0548.html", + "value": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6PVVPNSAGSDS63HQ74PJ7MZ3MU5IYNVZ/", }, { "type": "URL", - "value": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4OOYAMJVLLCLXDTHW3V5UXNULZBBK4O6/", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2023-26136", }, { "type": "URL", - "value": "https://nvd.nist.gov/vuln/detail/CVE-2020-15095", + "value": "https://security.netapp.com/advisory/ntap-20240621-0006", }, { "type": "URL", - "value": "https://security.gentoo.org/glsa/202101-07", + "value": "https://security.netapp.com/advisory/ntap-20240621-0006/", }, - ], - "severity": "MEDIUM", - }, - { - "attributes": { - "fixedVersion": "8.1.1, 4.0.5", - "foundIn": "Node.js", - "installedVersion": "4.0.3", 
- "packageName": "npm-registry-fetch", - "references": [ - "https://github.com/advisories/GHSA-jmqm-f2gx-4fjv", - "https://github.com/npm/npm-registry-fetch/security/advisories/GHSA-jmqm-f2gx-4fjv", - ], - "vulnerabilityId": "GHSA-jmqm-f2gx-4fjv", - }, - "category": "NPM Package Vulnerability", - "description": "Affected versions of \`npm-registry-fetch\` are vulnerable to an information exposure vulnerability through log files. The cli supports URLs like \`://[[:]@][:][:][/]\`. The password value is not redacted and is printed to stdout and also to any generated log files.", - "location": "bkimminich/juice-shop:v10.2.0", - "mitigation": "Update the affected package npm-registry-fetch to the fixed version: 8.1.1, 4.0.5 or remove the package from the image.", - "name": "Sensitive information exposure through logs in npm-registry-fetch", - "osi_layer": "NOT_APPLICABLE", - "references": [ { "type": "URL", - "value": "https://github.com/advisories/GHSA-jmqm-f2gx-4fjv", + "value": "https://security.snyk.io/vuln/SNYK-JS-TOUGHCOOKIE-5672873", }, { "type": "URL", - "value": "https://github.com/npm/npm-registry-fetch/security/advisories/GHSA-jmqm-f2gx-4fjv", + "value": "https://www.cve.org/CVERecord?id=CVE-2023-26136", }, ], "severity": "MEDIUM", }, { "attributes": { - "fixedVersion": "1.0.1", + "fixedVersion": "13.7.0", "foundIn": "Node.js", - "installedVersion": "1.0.0", - "packageName": "npm-user-validate", + "installedVersion": "13.6.0", + "packageName": "validator", "references": [ - "https://github.com/advisories/GHSA-pw54-mh39-w3hc", - "https://github.com/npm/npm-user-validate/commit/c8a87dac1a4cc6988b5418f30411a8669bef204e", - "https://github.com/npm/npm-user-validate/security/advisories/GHSA-xgh6-85xh-479p", - "https://linux.oracle.com/cve/CVE-2020-7754.html", - "https://linux.oracle.com/errata/ELSA-2021-0551.html", - "https://nvd.nist.gov/vuln/detail/CVE-2020-7754", - "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1019353", - 
"https://snyk.io/vuln/SNYK-JS-NPMUSERVALIDATE-1019352", + "https://access.redhat.com/security/cve/CVE-2021-3765", + "https://github.com/validatorjs/validator.js", + "https://github.com/validatorjs/validator.js/commit/496fc8b2a7f5997acaaec33cc44d0b8dba5fb5e1", + "https://huntr.dev/bounties/c37e975c-21a3-4c5f-9b57-04d63b28cfc9", + "https://nvd.nist.gov/vuln/detail/CVE-2021-3765", + "https://www.cve.org/CVERecord?id=CVE-2021-3765", ], - "vulnerabilityId": "CVE-2020-7754", + "vulnerabilityId": "CVE-2021-3765", }, "category": "NPM Package Vulnerability", - "description": "This affects the package npm-user-validate before 1.0.1. The regex that validates user emails took exponentially longer to process long input strings beginning with @ characters.", - "location": "bkimminich/juice-shop:v10.2.0", - "mitigation": "Update the affected package npm-user-validate to the fixed version: 1.0.1 or remove the package from the image.", - "name": "nodejs-npm-user-validate: improper input validation when validating user emails leads to ReDoS", + "description": "validator.js is vulnerable to Inefficient Regular Expression Complexity", + "location": "bkimminich/juice-shop:v12.10.2", + "mitigation": "Update the affected package validator to the fixed version: 13.7.0 or remove the package from the image.", + "name": "validator: Inefficient Regular Expression Complexity in Validator.js", "osi_layer": "NOT_APPLICABLE", "references": [ { "type": "CVE", - "value": "CVE-2020-7754", - }, - { - "type": "URL", - "value": "https://nvd.nist.gov/vuln/detail/CVE-2020-7754", - }, - { - "type": "URL", - "value": "https://github.com/advisories/GHSA-pw54-mh39-w3hc", + "value": "CVE-2021-3765", }, { "type": "URL", - "value": "https://github.com/npm/npm-user-validate/commit/c8a87dac1a4cc6988b5418f30411a8669bef204e", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2021-3765", }, { "type": "URL", - "value": "https://github.com/npm/npm-user-validate/security/advisories/GHSA-xgh6-85xh-479p", + "value": 
"https://access.redhat.com/security/cve/CVE-2021-3765", }, { "type": "URL", - "value": "https://linux.oracle.com/cve/CVE-2020-7754.html", + "value": "https://github.com/validatorjs/validator.js", }, { "type": "URL", - "value": "https://linux.oracle.com/errata/ELSA-2021-0551.html", + "value": "https://github.com/validatorjs/validator.js/commit/496fc8b2a7f5997acaaec33cc44d0b8dba5fb5e1", }, { "type": "URL", - "value": "https://nvd.nist.gov/vuln/detail/CVE-2020-7754", + "value": "https://huntr.dev/bounties/c37e975c-21a3-4c5f-9b57-04d63b28cfc9", }, { "type": "URL", - "value": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1019353", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2021-3765", }, { "type": "URL", - "value": "https://snyk.io/vuln/SNYK-JS-NPMUSERVALIDATE-1019352", + "value": "https://www.cve.org/CVERecord?id=CVE-2021-3765", }, ], - "severity": "HIGH", + "severity": "MEDIUM", }, { "attributes": { - "fixedVersion": "1.0.1", + "fixedVersion": "13.7.0", "foundIn": "Node.js", - "installedVersion": "1.0.0", - "packageName": "npm-user-validate", + "installedVersion": "13.6.0", + "packageName": "validator", "references": [ - "https://github.com/advisories/GHSA-xgh6-85xh-479p", - "https://github.com/npm/npm-user-validate/security/advisories/GHSA-xgh6-85xh-479p", + "https://github.com/validatorjs/validator.js", + "https://github.com/validatorjs/validator.js/issues/1599", + "https://github.com/validatorjs/validator.js/pull/1738", + "https://github.com/validatorjs/validator.js/security/advisories/GHSA-xx4c-jj58-r7x6", + "https://huntr.dev/bounties/c37e975c-21a3-4c5f-9b57-04d63b28cfc9", + "https://nvd.nist.gov/vuln/detail/CVE-2021-3765", ], - "vulnerabilityId": "GHSA-xgh6-85xh-479p", + "vulnerabilityId": "GHSA-xx4c-jj58-r7x6", }, "category": "NPM Package Vulnerability", - "description": "\`npm-user-validate\` before version \`1.0.1\` is vulnerable to a Regular Expression Denial of Service (REDos). 
The regex that validates user emails took exponentially longer to process long input strings beginning with \`@\` characters. - -### Impact -The issue affects the \`email\` function. If you use this function to process arbitrary user input with no character limit the application may be susceptible to Denial of Service. + "description": "### Impact +Versions of \`validator\` prior to 13.7.0 are affected by an inefficient Regular Expression complexity when using the \`rtrim\` and \`trim\` sanitizers. ### Patches -The issue is patched in version 1.0.1 by improving the regular expression used and also enforcing a 254 character limit. - -### Workarounds -Restrict the character length to a reasonable degree before passing a value to \`.emal()\`; Also, consider doing a more rigorous sanitizing/validation beforehand.", - "location": "bkimminich/juice-shop:v10.2.0", - "mitigation": "Update the affected package npm-user-validate to the fixed version: 1.0.1 or remove the package from the image.", - "name": "Regular Expression Denial of Service in npm-user-validate", - "osi_layer": "NOT_APPLICABLE", - "references": [ - { - "type": "URL", - "value": "https://github.com/advisories/GHSA-xgh6-85xh-479p", - }, - { - "type": "URL", - "value": "https://github.com/npm/npm-user-validate/security/advisories/GHSA-xgh6-85xh-479p", - }, - ], - "severity": "LOW", - }, - { - "attributes": { - "fixedVersion": "1.0.7", - "foundIn": "Node.js", - "installedVersion": "1.0.6", - "packageName": "path-parse", - "references": [ - "https://github.com/advisories/GHSA-hj48-42vr-x3v9", - "https://github.com/jbgutierrez/path-parse/issues/8", - "https://linux.oracle.com/cve/CVE-2021-23343.html", - "https://linux.oracle.com/errata/ELSA-2021-3666.html", - "https://lists.apache.org/thread.html/r6a32cb3eda3b19096ad48ef1e7aa8f26e005f2f63765abb69ce08b85@%3Cdev.myfaces.apache.org%3E", - "https://nvd.nist.gov/vuln/detail/CVE-2021-23343", - "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1279028", - 
"https://snyk.io/vuln/SNYK-JS-PATHPARSE-1077067", - ], - "vulnerabilityId": "CVE-2021-23343", - }, - "category": "NPM Package Vulnerability", - "description": "All versions of package path-parse are vulnerable to Regular Expression Denial of Service (ReDoS) via splitDeviceRe, splitTailRe, and splitPathRe regular expressions. ReDoS exhibits polynomial worst-case time complexity.", - "location": "bkimminich/juice-shop:v10.2.0", - "mitigation": "Update the affected package path-parse to the fixed version: 1.0.7 or remove the package from the image.", - "name": "nodejs-path-parse: ReDoS via splitDeviceRe, splitTailRe and splitPathRe", +The problem has been patched in validator 13.7.0", + "location": "bkimminich/juice-shop:v12.10.2", + "mitigation": "Update the affected package validator to the fixed version: 13.7.0 or remove the package from the image.", + "name": "Inefficient Regular Expression Complexity in Validator.js", "osi_layer": "NOT_APPLICABLE", "references": [ - { - "type": "CVE", - "value": "CVE-2021-23343", - }, - { - "type": "URL", - "value": "https://nvd.nist.gov/vuln/detail/CVE-2021-23343", - }, - { - "type": "URL", - "value": "https://github.com/advisories/GHSA-hj48-42vr-x3v9", - }, - { - "type": "URL", - "value": "https://github.com/jbgutierrez/path-parse/issues/8", - }, { "type": "URL", - "value": "https://linux.oracle.com/cve/CVE-2021-23343.html", + "value": "https://github.com/validatorjs/validator.js", }, { "type": "URL", - "value": "https://linux.oracle.com/errata/ELSA-2021-3666.html", + "value": "https://github.com/validatorjs/validator.js/issues/1599", }, { "type": "URL", - "value": "https://lists.apache.org/thread.html/r6a32cb3eda3b19096ad48ef1e7aa8f26e005f2f63765abb69ce08b85@%3Cdev.myfaces.apache.org%3E", + "value": "https://github.com/validatorjs/validator.js/pull/1738", }, { "type": "URL", - "value": "https://nvd.nist.gov/vuln/detail/CVE-2021-23343", + "value": 
"https://github.com/validatorjs/validator.js/security/advisories/GHSA-xx4c-jj58-r7x6", }, { "type": "URL", - "value": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1279028", + "value": "https://huntr.dev/bounties/c37e975c-21a3-4c5f-9b57-04d63b28cfc9", }, { "type": "URL", - "value": "https://snyk.io/vuln/SNYK-JS-PATHPARSE-1077067", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2021-3765", }, ], - "severity": "HIGH", + "severity": "MEDIUM", }, { "attributes": { - "fixedVersion": "3.0.1", + "fixedVersion": "3.9.4", "foundIn": "Node.js", - "installedVersion": "2.0.4", - "packageName": "pug", + "installedVersion": "3.9.3", + "packageName": "vm2", "references": [ - "https://github.com/advisories/GHSA-p493-635q-r6gr", - "https://github.com/pugjs/pug/commit/991e78f7c4220b2f8da042877c6f0ef5a4683be0", - "https://github.com/pugjs/pug/issues/3312", - "https://github.com/pugjs/pug/pull/3314", - "https://github.com/pugjs/pug/releases/tag/pug%403.0.1", - "https://github.com/pugjs/pug/security/advisories/GHSA-p493-635q-r6gr", - "https://nvd.nist.gov/vuln/detail/CVE-2021-21353", - "https://www.npmjs.com/package/pug", - "https://www.npmjs.com/package/pug-code-gen", + "https://github.com/patriksimek/vm2", + "https://github.com/patriksimek/vm2/commit/b4f6e2bd2c4a1ef52fc4483d8e35f28bc4481886", + "https://github.com/patriksimek/vm2/issues/363", + "https://github.com/patriksimek/vm2/releases/tag/3.9.4", + "https://nvd.nist.gov/vuln/detail/CVE-2021-23449", + "https://security.netapp.com/advisory/ntap-20211029-0010", + "https://security.netapp.com/advisory/ntap-20211029-0010/", + "https://snyk.io/vuln/SNYK-JS-VM2-1585918", ], - "vulnerabilityId": "CVE-2021-21353", + "vulnerabilityId": "CVE-2021-23449", }, "category": "NPM Package Vulnerability", - "description": "Pug is an npm package which is a high-performance template engine. In pug before version 3.0.1, if a remote attacker was able to control the \`pretty\` option of the pug compiler, e.g. 
if you spread a user provided object such as the query parameters of a request into the pug template inputs, it was possible for them to achieve remote code execution on the node.js backend. This is fixed in version 3.0.1. This advisory applies to multiple pug packages including "pug", "pug-code-gen". pug-code-gen has a backported fix at version 2.0.3. This advisory is not exploitable if there is no way for un-trusted input to be passed to pug as the \`pretty\` option, e.g. if you compile templates in advance before applying user input to them, you do not need to upgrade.", - "location": "bkimminich/juice-shop:v10.2.0", - "mitigation": "Update the affected package pug to the fixed version: 3.0.1 or remove the package from the image.", - "name": "Remote code execution via the \`pretty\` option.", + "description": "This affects the package vm2 before 3.9.4 via a Prototype Pollution attack vector, which can lead to execution of arbitrary code on the host machine.", + "location": "bkimminich/juice-shop:v12.10.2", + "mitigation": "Update the affected package vm2 to the fixed version: 3.9.4 or remove the package from the image.", + "name": "Prototype Pollution in vm2", "osi_layer": "NOT_APPLICABLE", "references": [ { "type": "CVE", - "value": "CVE-2021-21353", - }, - { - "type": "URL", - "value": "https://nvd.nist.gov/vuln/detail/CVE-2021-21353", + "value": "CVE-2021-23449", }, { "type": "URL", - "value": "https://github.com/advisories/GHSA-p493-635q-r6gr", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2021-23449", }, { "type": "URL", - "value": "https://github.com/pugjs/pug/commit/991e78f7c4220b2f8da042877c6f0ef5a4683be0", + "value": "https://github.com/patriksimek/vm2", }, { "type": "URL", - "value": "https://github.com/pugjs/pug/issues/3312", + "value": "https://github.com/patriksimek/vm2/commit/b4f6e2bd2c4a1ef52fc4483d8e35f28bc4481886", }, { "type": "URL", - "value": "https://github.com/pugjs/pug/pull/3314", + "value": 
"https://github.com/patriksimek/vm2/issues/363", }, { "type": "URL", - "value": "https://github.com/pugjs/pug/releases/tag/pug%403.0.1", + "value": "https://github.com/patriksimek/vm2/releases/tag/3.9.4", }, { "type": "URL", - "value": "https://github.com/pugjs/pug/security/advisories/GHSA-p493-635q-r6gr", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2021-23449", }, { "type": "URL", - "value": "https://nvd.nist.gov/vuln/detail/CVE-2021-21353", + "value": "https://security.netapp.com/advisory/ntap-20211029-0010", }, { "type": "URL", - "value": "https://www.npmjs.com/package/pug", + "value": "https://security.netapp.com/advisory/ntap-20211029-0010/", }, { "type": "URL", - "value": "https://www.npmjs.com/package/pug-code-gen", + "value": "https://snyk.io/vuln/SNYK-JS-VM2-1585918", }, ], "severity": "HIGH", }, { "attributes": { - "fixedVersion": "3.0.2, 2.0.3", + "fixedVersion": "3.9.6", "foundIn": "Node.js", - "installedVersion": "2.0.2", - "packageName": "pug-code-gen", + "installedVersion": "3.9.3", + "packageName": "vm2", "references": [ - "https://github.com/advisories/GHSA-p493-635q-r6gr", - "https://github.com/pugjs/pug/commit/991e78f7c4220b2f8da042877c6f0ef5a4683be0", - "https://github.com/pugjs/pug/issues/3312", - "https://github.com/pugjs/pug/pull/3314", - "https://github.com/pugjs/pug/releases/tag/pug%403.0.1", - "https://github.com/pugjs/pug/security/advisories/GHSA-p493-635q-r6gr", - "https://nvd.nist.gov/vuln/detail/CVE-2021-21353", - "https://www.npmjs.com/package/pug", - "https://www.npmjs.com/package/pug-code-gen", + "https://access.redhat.com/security/cve/CVE-2021-23555", + "https://github.com/patriksimek/vm2", + "https://github.com/patriksimek/vm2/commit/532120d5cdec7da8225fc6242e154ebabc63fe4d", + "https://nvd.nist.gov/vuln/detail/CVE-2021-23555", + "https://security.snyk.io/vuln/SNYK-JS-VM2-2309905", + "https://snyk.io/vuln/SNYK-JS-VM2-2309905", + "https://www.cve.org/CVERecord?id=CVE-2021-23555", ], - "vulnerabilityId": "CVE-2021-21353", + 
"vulnerabilityId": "CVE-2021-23555", }, "category": "NPM Package Vulnerability", - "description": "Pug is an npm package which is a high-performance template engine. In pug before version 3.0.1, if a remote attacker was able to control the \`pretty\` option of the pug compiler, e.g. if you spread a user provided object such as the query parameters of a request into the pug template inputs, it was possible for them to achieve remote code execution on the node.js backend. This is fixed in version 3.0.1. This advisory applies to multiple pug packages including "pug", "pug-code-gen". pug-code-gen has a backported fix at version 2.0.3. This advisory is not exploitable if there is no way for un-trusted input to be passed to pug as the \`pretty\` option, e.g. if you compile templates in advance before applying user input to them, you do not need to upgrade.", - "location": "bkimminich/juice-shop:v10.2.0", - "mitigation": "Update the affected package pug-code-gen to the fixed version: 3.0.2, 2.0.3 or remove the package from the image.", - "name": "Remote code execution via the \`pretty\` option.", + "description": "The package vm2 before 3.9.6 are vulnerable to Sandbox Bypass via direct access to host error objects generated by node internals during generation of a stacktraces, which can lead to execution of arbitrary code on the host machine.", + "location": "bkimminich/juice-shop:v12.10.2", + "mitigation": "Update the affected package vm2 to the fixed version: 3.9.6 or remove the package from the image.", + "name": "vm2: vulnerable to Sandbox Bypass", "osi_layer": "NOT_APPLICABLE", "references": [ { "type": "CVE", - "value": "CVE-2021-21353", - }, - { - "type": "URL", - "value": "https://nvd.nist.gov/vuln/detail/CVE-2021-21353", - }, - { - "type": "URL", - "value": "https://github.com/advisories/GHSA-p493-635q-r6gr", + "value": "CVE-2021-23555", }, { "type": "URL", - "value": "https://github.com/pugjs/pug/commit/991e78f7c4220b2f8da042877c6f0ef5a4683be0", + "value": 
"https://nvd.nist.gov/vuln/detail/CVE-2021-23555", }, { "type": "URL", - "value": "https://github.com/pugjs/pug/issues/3312", + "value": "https://access.redhat.com/security/cve/CVE-2021-23555", }, { "type": "URL", - "value": "https://github.com/pugjs/pug/pull/3314", + "value": "https://github.com/patriksimek/vm2", }, { "type": "URL", - "value": "https://github.com/pugjs/pug/releases/tag/pug%403.0.1", + "value": "https://github.com/patriksimek/vm2/commit/532120d5cdec7da8225fc6242e154ebabc63fe4d", }, { "type": "URL", - "value": "https://github.com/pugjs/pug/security/advisories/GHSA-p493-635q-r6gr", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2021-23555", }, { "type": "URL", - "value": "https://nvd.nist.gov/vuln/detail/CVE-2021-21353", + "value": "https://security.snyk.io/vuln/SNYK-JS-VM2-2309905", }, { "type": "URL", - "value": "https://www.npmjs.com/package/pug", + "value": "https://snyk.io/vuln/SNYK-JS-VM2-2309905", }, { "type": "URL", - "value": "https://www.npmjs.com/package/pug-code-gen", + "value": "https://www.cve.org/CVERecord?id=CVE-2021-23555", }, ], "severity": "HIGH", }, { "attributes": { - "fixedVersion": "1.4.3", + "fixedVersion": "3.9.10", "foundIn": "Node.js", - "installedVersion": "1.4.2", - "packageName": "sanitize-html", + "installedVersion": "3.9.3", + "packageName": "vm2", "references": [ - "https://github.com/advisories/GHSA-3j7m-hmh3-9jmp", - "https://github.com/punkave/sanitize-html/issues/29", - "https://nodesecurity.io/advisories/135", - "https://nvd.nist.gov/vuln/detail/CVE-2016-1000237", - "https://raw.githubusercontent.com/distributedweaknessfiling/cvelist/master/2016/1000xxx/CVE-2016-1000237.json", + "https://github.com/patriksimek/vm2", + "https://github.com/patriksimek/vm2/issues/444", + "https://github.com/patriksimek/vm2/pull/445", + "https://github.com/patriksimek/vm2/pull/445/commits/3a9876482be487b78a90ac459675da7f83f46d69", + "https://nvd.nist.gov/vuln/detail/CVE-2022-25893", + 
"https://security.snyk.io/vuln/SNYK-JS-VM2-2990237", ], - "vulnerabilityId": "CVE-2016-1000237", + "vulnerabilityId": "CVE-2022-25893", }, "category": "NPM Package Vulnerability", - "description": "sanitize-html before 1.4.3 has XSS.", - "location": "bkimminich/juice-shop:v10.2.0", - "mitigation": "Update the affected package sanitize-html to the fixed version: 1.4.3 or remove the package from the image.", - "name": "XSS - Sanitization not applied recursively", + "description": "The package vm2 before 3.9.10 are vulnerable to Arbitrary Code Execution due to the usage of prototype lookup for the WeakMap.prototype.set method. Exploiting this vulnerability leads to access to a host object and a sandbox compromise.", + "location": "bkimminich/juice-shop:v12.10.2", + "mitigation": "Update the affected package vm2 to the fixed version: 3.9.10 or remove the package from the image.", + "name": "vm2 vulnerable to Arbitrary Code Execution", "osi_layer": "NOT_APPLICABLE", "references": [ { "type": "CVE", - "value": "CVE-2016-1000237", + "value": "CVE-2022-25893", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2022-25893", }, { "type": "URL", - "value": "https://nvd.nist.gov/vuln/detail/CVE-2016-1000237", + "value": "https://github.com/patriksimek/vm2", }, { "type": "URL", - "value": "https://github.com/advisories/GHSA-3j7m-hmh3-9jmp", + "value": "https://github.com/patriksimek/vm2/issues/444", }, { "type": "URL", - "value": "https://github.com/punkave/sanitize-html/issues/29", + "value": "https://github.com/patriksimek/vm2/pull/445", }, { "type": "URL", - "value": "https://nodesecurity.io/advisories/135", + "value": "https://github.com/patriksimek/vm2/pull/445/commits/3a9876482be487b78a90ac459675da7f83f46d69", }, { "type": "URL", - "value": "https://nvd.nist.gov/vuln/detail/CVE-2016-1000237", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2022-25893", }, { "type": "URL", - "value": 
"https://raw.githubusercontent.com/distributedweaknessfiling/cvelist/master/2016/1000xxx/CVE-2016-1000237.json", + "value": "https://security.snyk.io/vuln/SNYK-JS-VM2-2990237", }, ], - "severity": "MEDIUM", + "severity": "HIGH", }, { "attributes": { - "fixedVersion": "1.11.4", + "fixedVersion": "3.9.11", "foundIn": "Node.js", - "installedVersion": "1.4.2", - "packageName": "sanitize-html", + "installedVersion": "3.9.3", + "packageName": "vm2", "references": [ - "https://github.com/advisories/GHSA-xc6g-ggrc-qq4r", - "https://github.com/punkave/sanitize-html/commit/5d205a1005ba0df80e21d8c64a15bb3accdb2403", - "https://github.com/punkave/sanitize-html/issues/100", - "https://nodesecurity.io/advisories/154", - "https://nvd.nist.gov/vuln/detail/CVE-2017-16016", + "https://access.redhat.com/security/cve/CVE-2022-36067", + "https://github.com/patriksimek/vm2", + "https://github.com/patriksimek/vm2/blob/master/lib/setup-sandbox.js#L71", + "https://github.com/patriksimek/vm2/commit/d9a7f3cc995d3d861e1380eafb886cb3c5e2b873#diff-b1a515a627d820118e76d0e323fe2f0589ed50a1eacb490f6c3278fe3698f164", + "https://github.com/patriksimek/vm2/issues/467", + "https://github.com/patriksimek/vm2/security/advisories/GHSA-mrgp-mrhc-5jrq", + "https://nvd.nist.gov/vuln/detail/CVE-2022-36067", + "https://security.netapp.com/advisory/ntap-20221017-0002", + "https://security.netapp.com/advisory/ntap-20221017-0002/", + "https://www.cve.org/CVERecord?id=CVE-2022-36067", + "https://www.oxeye.io/blog/vm2-sandbreak-vulnerability-cve-2022-36067", ], - "vulnerabilityId": "CVE-2017-16016", + "vulnerabilityId": "CVE-2022-36067", }, "category": "NPM Package Vulnerability", - "description": "Sanitize-html is a library for scrubbing html input of malicious values. 
Versions 1.11.1 and below are vulnerable to cross site scripting (XSS) in certain scenarios: If allowed at least one nonTextTags, the result is a potential XSS vulnerability.", - "location": "bkimminich/juice-shop:v10.2.0", - "mitigation": "Update the affected package sanitize-html to the fixed version: 1.11.4 or remove the package from the image.", - "name": "Cross-Site Scripting in sanitize-html", + "description": "vm2 is a sandbox that can run untrusted code with whitelisted Node's built-in modules. In versions prior to version 3.9.11, a threat actor can bypass the sandbox protections to gain remote code execution rights on the host running the sandbox. This vulnerability was patched in the release of version 3.9.11 of vm2. There are no known workarounds.", + "location": "bkimminich/juice-shop:v12.10.2", + "mitigation": "Update the affected package vm2 to the fixed version: 3.9.11 or remove the package from the image.", + "name": "vm2: Sandbox Escape in vm2", "osi_layer": "NOT_APPLICABLE", "references": [ { "type": "CVE", - "value": "CVE-2017-16016", + "value": "CVE-2022-36067", }, { "type": "URL", - "value": "https://nvd.nist.gov/vuln/detail/CVE-2017-16016", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2022-36067", }, { "type": "URL", - "value": "https://github.com/advisories/GHSA-xc6g-ggrc-qq4r", + "value": "https://access.redhat.com/security/cve/CVE-2022-36067", }, { "type": "URL", - "value": "https://github.com/punkave/sanitize-html/commit/5d205a1005ba0df80e21d8c64a15bb3accdb2403", + "value": "https://github.com/patriksimek/vm2", }, { "type": "URL", - "value": "https://github.com/punkave/sanitize-html/issues/100", + "value": "https://github.com/patriksimek/vm2/blob/master/lib/setup-sandbox.js#L71", }, { "type": "URL", - "value": "https://nodesecurity.io/advisories/154", + "value": "https://github.com/patriksimek/vm2/commit/d9a7f3cc995d3d861e1380eafb886cb3c5e2b873#diff-b1a515a627d820118e76d0e323fe2f0589ed50a1eacb490f6c3278fe3698f164", }, { "type": "URL", 
- "value": "https://nvd.nist.gov/vuln/detail/CVE-2017-16016", + "value": "https://github.com/patriksimek/vm2/issues/467", + }, + { + "type": "URL", + "value": "https://github.com/patriksimek/vm2/security/advisories/GHSA-mrgp-mrhc-5jrq", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2022-36067", + }, + { + "type": "URL", + "value": "https://security.netapp.com/advisory/ntap-20221017-0002", + }, + { + "type": "URL", + "value": "https://security.netapp.com/advisory/ntap-20221017-0002/", + }, + { + "type": "URL", + "value": "https://www.cve.org/CVERecord?id=CVE-2022-36067", + }, + { + "type": "URL", + "value": "https://www.oxeye.io/blog/vm2-sandbreak-vulnerability-cve-2022-36067", }, ], - "severity": "MEDIUM", + "severity": "HIGH", }, { "attributes": { - "fixedVersion": "2.3.1", + "fixedVersion": "3.9.15", "foundIn": "Node.js", - "installedVersion": "1.4.2", - "packageName": "sanitize-html", + "installedVersion": "3.9.3", + "packageName": "vm2", "references": [ - "https://advisory.checkmarx.net/advisory/CX-2021-4308", - "https://github.com/advisories/GHSA-rjqq-98f6-6j3r", - "https://github.com/apostrophecms/sanitize-html/blob/main/CHANGELOG.md#231-2021-01-22", - "https://github.com/apostrophecms/sanitize-html/pull/458", - "https://nvd.nist.gov/vuln/detail/CVE-2021-26539", + "https://access.redhat.com/security/cve/CVE-2023-29017", + "https://gist.github.com/seongil-wi/2a44e082001b959bfe304b62121fb76d", + "https://github.com/patriksimek/vm2", + "https://github.com/patriksimek/vm2/commit/d534e5785f38307b70d3aac1945260a261a94d50", + "https://github.com/patriksimek/vm2/issues/515", + "https://github.com/patriksimek/vm2/security/advisories/GHSA-7jxr-cg7f-gpgv", + "https://nvd.nist.gov/vuln/detail/CVE-2023-29017", + "https://www.cve.org/CVERecord?id=CVE-2023-29017", ], - "vulnerabilityId": "CVE-2021-26539", + "vulnerabilityId": "CVE-2023-29017", }, "category": "NPM Package Vulnerability", - "description": "Apostrophe Technologies sanitize-html 
before 2.3.1 does not properly handle internationalized domain name (IDN) which could allow an attacker to bypass hostname whitelist validation set by the "allowedIframeHostnames" option.", - "location": "bkimminich/juice-shop:v10.2.0", - "mitigation": "Update the affected package sanitize-html to the fixed version: 2.3.1 or remove the package from the image.", - "name": "sanitize-html: improper handling of internationalized domain name (IDN) can lead to bypass hostname whitelist validation", + "description": "vm2 is a sandbox that can run untrusted code with whitelisted Node's built-in modules. Prior to version 3.9.15, vm2 was not properly handling host objects passed to \`Error.prepareStackTrace\` in case of unhandled async errors. A threat actor could bypass the sandbox protections to gain remote code execution rights on the host running the sandbox. This vulnerability was patched in the release of version 3.9.15 of vm2. There are no known workarounds.", + "location": "bkimminich/juice-shop:v12.10.2", + "mitigation": "Update the affected package vm2 to the fixed version: 3.9.15 or remove the package from the image.", + "name": "vm2: sandbox escape", "osi_layer": "NOT_APPLICABLE", "references": [ { "type": "CVE", - "value": "CVE-2021-26539", + "value": "CVE-2023-29017", }, { "type": "URL", - "value": "https://nvd.nist.gov/vuln/detail/CVE-2021-26539", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2023-29017", }, { "type": "URL", - "value": "https://advisory.checkmarx.net/advisory/CX-2021-4308", + "value": "https://access.redhat.com/security/cve/CVE-2023-29017", }, { "type": "URL", - "value": "https://github.com/advisories/GHSA-rjqq-98f6-6j3r", + "value": "https://gist.github.com/seongil-wi/2a44e082001b959bfe304b62121fb76d", }, { "type": "URL", - "value": "https://github.com/apostrophecms/sanitize-html/blob/main/CHANGELOG.md#231-2021-01-22", + "value": "https://github.com/patriksimek/vm2", }, { "type": "URL", - "value": 
"https://github.com/apostrophecms/sanitize-html/pull/458", + "value": "https://github.com/patriksimek/vm2/commit/d534e5785f38307b70d3aac1945260a261a94d50", }, { "type": "URL", - "value": "https://nvd.nist.gov/vuln/detail/CVE-2021-26539", + "value": "https://github.com/patriksimek/vm2/issues/515", + }, + { + "type": "URL", + "value": "https://github.com/patriksimek/vm2/security/advisories/GHSA-7jxr-cg7f-gpgv", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2023-29017", + }, + { + "type": "URL", + "value": "https://www.cve.org/CVERecord?id=CVE-2023-29017", }, ], - "severity": "MEDIUM", + "severity": "HIGH", }, { "attributes": { - "fixedVersion": "2.3.2", + "fixedVersion": "3.9.16", "foundIn": "Node.js", - "installedVersion": "1.4.2", - "packageName": "sanitize-html", + "installedVersion": "3.9.3", + "packageName": "vm2", "references": [ - "https://advisory.checkmarx.net/advisory/CX-2021-4309", - "https://github.com/advisories/GHSA-mjxr-4v3x-q3m4", - "https://github.com/apostrophecms/sanitize-html/blob/main/CHANGELOG.md#232-2021-01-26", - "https://github.com/apostrophecms/sanitize-html/pull/460", - "https://nvd.nist.gov/vuln/detail/CVE-2021-26540", + "https://access.redhat.com/security/cve/CVE-2023-29199", + "https://gist.github.com/leesh3288/f05730165799bf56d70391f3d9ea187c", + "https://github.com/patriksimek/vm2", + "https://github.com/patriksimek/vm2/commit/24c724daa7c09f003e556d7cd1c7a8381cb985d7", + "https://github.com/patriksimek/vm2/issues/516", + "https://github.com/patriksimek/vm2/releases/tag/3.9.16", + "https://github.com/patriksimek/vm2/security/advisories/GHSA-xj72-wvfv-8985", + "https://nvd.nist.gov/vuln/detail/CVE-2023-29199", + "https://www.cve.org/CVERecord?id=CVE-2023-29199", ], - "vulnerabilityId": "CVE-2021-26540", + "vulnerabilityId": "CVE-2023-29199", }, "category": "NPM Package Vulnerability", - "description": "Apostrophe Technologies sanitize-html before 2.3.2 does not properly validate the hostnames set by the 
"allowedIframeHostnames" option when the "allowIframeRelativeUrls" is set to true, which allows attackers to bypass hostname whitelist for iframe element, related using an src value that starts with "/\\\\example.com".", - "location": "bkimminich/juice-shop:v10.2.0", - "mitigation": "Update the affected package sanitize-html to the fixed version: 2.3.2 or remove the package from the image.", - "name": "sanitize-html: improper validation of hostnames set by the "allowedIframeHostnames" option can lead to bypass hostname whitelist for iframe element", + "description": "There exists a vulnerability in source code transformer (exception sanitization logic) of vm2 for versions up to 3.9.15, allowing attackers to bypass \`handleException()\` and leak unsanitized host exceptions which can be used to escape the sandbox and run arbitrary code in host context. A threat actor can bypass the sandbox protections to gain remote code execution rights on the host running the sandbox. This vulnerability was patched in the release of version \`3.9.16\` of \`vm2\`. 
+", + "location": "bkimminich/juice-shop:v12.10.2", + "mitigation": "Update the affected package vm2 to the fixed version: 3.9.16 or remove the package from the image.", + "name": "vm2: Sandbox Escape", "osi_layer": "NOT_APPLICABLE", "references": [ { "type": "CVE", - "value": "CVE-2021-26540", + "value": "CVE-2023-29199", }, { "type": "URL", - "value": "https://nvd.nist.gov/vuln/detail/CVE-2021-26540", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2023-29199", }, { "type": "URL", - "value": "https://advisory.checkmarx.net/advisory/CX-2021-4309", + "value": "https://access.redhat.com/security/cve/CVE-2023-29199", }, { "type": "URL", - "value": "https://github.com/advisories/GHSA-mjxr-4v3x-q3m4", + "value": "https://gist.github.com/leesh3288/f05730165799bf56d70391f3d9ea187c", }, { "type": "URL", - "value": "https://github.com/apostrophecms/sanitize-html/blob/main/CHANGELOG.md#232-2021-01-26", + "value": "https://github.com/patriksimek/vm2", }, { "type": "URL", - "value": "https://github.com/apostrophecms/sanitize-html/pull/460", + "value": "https://github.com/patriksimek/vm2/commit/24c724daa7c09f003e556d7cd1c7a8381cb985d7", }, { "type": "URL", - "value": "https://nvd.nist.gov/vuln/detail/CVE-2021-26540", + "value": "https://github.com/patriksimek/vm2/issues/516", }, - ], - "severity": "MEDIUM", - }, - { - "attributes": { - "fixedVersion": ">=1.11.4", - "foundIn": "Node.js", - "installedVersion": "1.4.2", - "packageName": "sanitize-html", - "references": [ - "https://github.com/punkave/sanitize-html/commit/5d205a1005ba0df80e21d8c64a15bb3accdb2403", - "https://github.com/punkave/sanitize-html/issues/100", - ], - "vulnerabilityId": "NSWG-ECO-154", - }, - "category": "NPM Package Vulnerability", - "description": "Sanitize-html is a library for scrubbing html input of malicious values. - -Versions 1.11.1 and below are vulnerable to cross site scripting (XSS) in certain scenarios: - -If allowed at least one nonTextTags, the result is a potential XSS vulnerability. 
-PoC: - -\`\`\` -var sanitizeHtml = require('sanitize-html'); - -var dirty = '!! -\`\`\`", - "location": "bkimminich/juice-shop:v10.2.0", - "mitigation": "Update the affected package sanitize-html to the fixed version: >=1.11.4 or remove the package from the image.", - "name": "Cross Site Scripting", - "osi_layer": "NOT_APPLICABLE", - "references": [ { - "type": "NSWG", - "value": "NSWG-ECO-154", + "type": "URL", + "value": "https://github.com/patriksimek/vm2/releases/tag/3.9.16", }, { "type": "URL", - "value": "https://github.com/nodejs/security-wg/tree/master/vuln", + "value": "https://github.com/patriksimek/vm2/security/advisories/GHSA-xj72-wvfv-8985", }, { "type": "URL", - "value": "https://github.com/punkave/sanitize-html/commit/5d205a1005ba0df80e21d8c64a15bb3accdb2403", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2023-29199", }, { "type": "URL", - "value": "https://github.com/punkave/sanitize-html/issues/100", + "value": "https://www.cve.org/CVERecord?id=CVE-2023-29199", }, ], - "severity": "MEDIUM", + "severity": "HIGH", }, { "attributes": { - "fixedVersion": "4.0.1", + "fixedVersion": "3.9.17", "foundIn": "Node.js", - "installedVersion": "2.0.1", - "packageName": "set-value", + "installedVersion": "3.9.3", + "packageName": "vm2", "references": [ - "https://github.com/advisories/GHSA-4jqc-8m5r-9rpr", - "https://github.com/jonschlinkert/set-value/commit/7cf8073bb06bf0c15e08475f9f952823b4576452", - "https://github.com/jonschlinkert/set-value/pull/33", - "https://nvd.nist.gov/vuln/detail/CVE-2021-23440", - "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1584212", - "https://snyk.io/vuln/SNYK-JS-SETVALUE-1540541", - "https://www.huntr.dev/bounties/2eae1159-01de-4f82-a177-7478a408c4a2/", + "https://access.redhat.com/security/cve/CVE-2023-30547", + "https://gist.github.com/leesh3288/381b230b04936dd4d74aaf90cc8bb244", + "https://github.com/patriksimek/vm2", + "https://github.com/patriksimek/vm2/commit/4b22e87b102d97d45d112a0931dba1aef7eea049", + 
"https://github.com/patriksimek/vm2/commit/f3db4dee4d76b19869df05ba7880d638a880edd5", + "https://github.com/patriksimek/vm2/releases/tag/3.9.17", + "https://github.com/patriksimek/vm2/security/advisories/GHSA-ch3r-j5x3-6q2m", + "https://nvd.nist.gov/vuln/detail/CVE-2023-30547", + "https://www.cve.org/CVERecord?id=CVE-2023-30547", ], - "vulnerabilityId": "CVE-2021-23440", + "vulnerabilityId": "CVE-2023-30547", }, "category": "NPM Package Vulnerability", - "description": "This affects the package set-value before <2.0.1, >=3.0.0 <4.0.1. A type confusion vulnerability can lead to a bypass of CVE-2019-10747 when the user-provided keys used in the path parameter are arrays.", - "location": "bkimminich/juice-shop:v10.2.0", - "mitigation": "Update the affected package set-value to the fixed version: 4.0.1 or remove the package from the image.", - "name": "nodejs-set-value: type confusion allows bypass of CVE-2019-10747", + "description": "vm2 is a sandbox that can run untrusted code with whitelisted Node's built-in modules. There exists a vulnerability in exception sanitization of vm2 for versions up to 3.9.16, allowing attackers to raise an unsanitized host exception inside \`handleException()\` which can be used to escape the sandbox and run arbitrary code in host context. This vulnerability was patched in the release of version \`3.9.17\` of \`vm2\`. There are no known workarounds for this vulnerability. 
Users are advised to upgrade.", + "location": "bkimminich/juice-shop:v12.10.2", + "mitigation": "Update the affected package vm2 to the fixed version: 3.9.17 or remove the package from the image.", + "name": "vm2: Sandbox Escape when exception sanitization", "osi_layer": "NOT_APPLICABLE", "references": [ { "type": "CVE", - "value": "CVE-2021-23440", + "value": "CVE-2023-30547", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2023-30547", + }, + { + "type": "URL", + "value": "https://access.redhat.com/security/cve/CVE-2023-30547", }, { "type": "URL", - "value": "https://nvd.nist.gov/vuln/detail/CVE-2021-23440", + "value": "https://gist.github.com/leesh3288/381b230b04936dd4d74aaf90cc8bb244", }, { "type": "URL", - "value": "https://github.com/advisories/GHSA-4jqc-8m5r-9rpr", + "value": "https://github.com/patriksimek/vm2", }, { "type": "URL", - "value": "https://github.com/jonschlinkert/set-value/commit/7cf8073bb06bf0c15e08475f9f952823b4576452", + "value": "https://github.com/patriksimek/vm2/commit/4b22e87b102d97d45d112a0931dba1aef7eea049", }, { "type": "URL", - "value": "https://github.com/jonschlinkert/set-value/pull/33", + "value": "https://github.com/patriksimek/vm2/commit/f3db4dee4d76b19869df05ba7880d638a880edd5", }, { "type": "URL", - "value": "https://nvd.nist.gov/vuln/detail/CVE-2021-23440", + "value": "https://github.com/patriksimek/vm2/releases/tag/3.9.17", }, { "type": "URL", - "value": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1584212", + "value": "https://github.com/patriksimek/vm2/security/advisories/GHSA-ch3r-j5x3-6q2m", }, { "type": "URL", - "value": "https://snyk.io/vuln/SNYK-JS-SETVALUE-1540541", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2023-30547", }, { "type": "URL", - "value": "https://www.huntr.dev/bounties/2eae1159-01de-4f82-a177-7478a408c4a2/", + "value": "https://www.cve.org/CVERecord?id=CVE-2023-30547", }, ], "severity": "HIGH", }, { "attributes": { - "fixedVersion": "2.4.0", + "fixedVersion": "3.9.18", 
"foundIn": "Node.js", - "installedVersion": "2.3.0", - "packageName": "socket.io", + "installedVersion": "3.9.3", + "packageName": "vm2", "references": [ - "https://github.com/advisories/GHSA-fxwf-4rqh-v8g3", - "https://github.com/socketio/socket.io/issues/3671", - "https://nvd.nist.gov/vuln/detail/CVE-2020-28481", - "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1056358", - "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1056357", - "https://snyk.io/vuln/SNYK-JS-SOCKETIO-1024859", + "https://access.redhat.com/security/cve/CVE-2023-32314", + "https://gist.github.com/arkark/e9f5cf5782dec8321095be3e52acf5ac", + "https://github.com/patriksimek/vm2", + "https://github.com/patriksimek/vm2/commit/d88105f99752305c5b8a77b63ddee3ec86912daf", + "https://github.com/patriksimek/vm2/releases/tag/3.9.18", + "https://github.com/patriksimek/vm2/security/advisories/GHSA-whpj-8f3w-67p5", + "https://nvd.nist.gov/vuln/detail/CVE-2023-32314", + "https://www.cve.org/CVERecord?id=CVE-2023-32314", ], - "vulnerabilityId": "CVE-2020-28481", + "vulnerabilityId": "CVE-2023-32314", }, "category": "NPM Package Vulnerability", - "description": "The package socket.io before 2.4.0 are vulnerable to Insecure Defaults due to CORS Misconfiguration. All domains are whitelisted by default.", - "location": "bkimminich/juice-shop:v10.2.0", - "mitigation": "Update the affected package socket.io to the fixed version: 2.4.0 or remove the package from the image.", - "name": "Insecure defaults due to CORS misconfiguration in socket.io", + "description": "vm2 is a sandbox that can run untrusted code with Node's built-in modules. A sandbox escape vulnerability exists in vm2 for versions up to and including 3.9.17. It abuses an unexpected creation of a host object based on the specification of \`Proxy\`. As a result a threat actor can bypass the sandbox protections to gain remote code execution rights on the host running the sandbox. This vulnerability was patched in the release of version \`3.9.18\` of \`vm2\`. 
Users are advised to upgrade. There are no known workarounds for this vulnerability.", + "location": "bkimminich/juice-shop:v12.10.2", + "mitigation": "Update the affected package vm2 to the fixed version: 3.9.18 or remove the package from the image.", + "name": "vm2: Sandbox Escape", "osi_layer": "NOT_APPLICABLE", "references": [ { "type": "CVE", - "value": "CVE-2020-28481", + "value": "CVE-2023-32314", }, { "type": "URL", - "value": "https://nvd.nist.gov/vuln/detail/CVE-2020-28481", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2023-32314", }, { "type": "URL", - "value": "https://github.com/advisories/GHSA-fxwf-4rqh-v8g3", + "value": "https://access.redhat.com/security/cve/CVE-2023-32314", }, { "type": "URL", - "value": "https://github.com/socketio/socket.io/issues/3671", + "value": "https://gist.github.com/arkark/e9f5cf5782dec8321095be3e52acf5ac", }, { "type": "URL", - "value": "https://nvd.nist.gov/vuln/detail/CVE-2020-28481", + "value": "https://github.com/patriksimek/vm2", }, { "type": "URL", - "value": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1056358", + "value": "https://github.com/patriksimek/vm2/commit/d88105f99752305c5b8a77b63ddee3ec86912daf", }, { "type": "URL", - "value": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1056357", + "value": "https://github.com/patriksimek/vm2/releases/tag/3.9.18", }, { "type": "URL", - "value": "https://snyk.io/vuln/SNYK-JS-SOCKETIO-1024859", + "value": "https://github.com/patriksimek/vm2/security/advisories/GHSA-whpj-8f3w-67p5", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2023-32314", + }, + { + "type": "URL", + "value": "https://www.cve.org/CVERecord?id=CVE-2023-32314", }, ], - "severity": "MEDIUM", + "severity": "HIGH", }, { "attributes": { - "fixedVersion": "3.4.1, 3.3.2", + "fixedVersion": undefined, "foundIn": "Node.js", - "installedVersion": "3.3.0", - "packageName": "socket.io-parser", + "installedVersion": "3.9.3", + "packageName": "vm2", "references": [ - 
"https://blog.caller.xyz/socketio-engineio-dos/", - "https://github.com/advisories/GHSA-xfhh-g9f5-x4m4", - "https://github.com/bcaller/kill-engine-io", - "https://github.com/socketio/socket.io-parser/commit/dcb942d24db97162ad16a67c2a0cf30875342d55", - "https://nvd.nist.gov/vuln/detail/CVE-2020-36049", - "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1056753", + "https://access.redhat.com/security/cve/CVE-2023-37466", + "https://gist.github.com/leesh3288/f693061e6523c97274ad5298eb2c74e9", + "https://github.com/patriksimek/vm2", + "https://github.com/patriksimek/vm2/security/advisories/GHSA-cchq-frgv-rjh5", + "https://nvd.nist.gov/vuln/detail/CVE-2023-37466", + "https://security.netapp.com/advisory/ntap-20230831-0007", + "https://www.cve.org/CVERecord?id=CVE-2023-37466", ], - "vulnerabilityId": "CVE-2020-36049", + "vulnerabilityId": "CVE-2023-37466", }, "category": "NPM Package Vulnerability", - "description": "socket.io-parser before 3.4.1 allows attackers to cause a denial of service (memory consumption) via a large packet because a concatenation approach is used.", - "location": "bkimminich/juice-shop:v10.2.0", - "mitigation": "Update the affected package socket.io-parser to the fixed version: 3.4.1, 3.3.2 or remove the package from the image.", - "name": "yarnpkg-socket.io-parser: a denial of service (memory consumption) via a large packet because a concatenation approach is used", + "description": "vm2 is an advanced vm/sandbox for Node.js. The library contains critical security issues and should not be used for production. The maintenance of the project has been discontinued. 
In vm2 for versions up to 3.9.19, \`Promise\` handler sanitization can be bypassed with the \`@@species\` accessor property allowing attackers to escape the sandbox and run arbitrary code, potentially allowing remote code execution inside the context of vm2 sandbox.", + "location": "bkimminich/juice-shop:v12.10.2", + "mitigation": "Update the affected package vm2 to the fixed version: undefined or remove the package from the image.", + "name": "vm2: Promise handler sanitization can be bypassed allowing attackers to escape the sandbox and run arbitrary code", "osi_layer": "NOT_APPLICABLE", "references": [ { "type": "CVE", - "value": "CVE-2020-36049", + "value": "CVE-2023-37466", }, { "type": "URL", - "value": "https://nvd.nist.gov/vuln/detail/CVE-2020-36049", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2023-37466", }, { "type": "URL", - "value": "https://blog.caller.xyz/socketio-engineio-dos/", + "value": "https://access.redhat.com/security/cve/CVE-2023-37466", }, { "type": "URL", - "value": "https://github.com/advisories/GHSA-xfhh-g9f5-x4m4", + "value": "https://gist.github.com/leesh3288/f693061e6523c97274ad5298eb2c74e9", }, { "type": "URL", - "value": "https://github.com/bcaller/kill-engine-io", + "value": "https://github.com/patriksimek/vm2", }, { "type": "URL", - "value": "https://github.com/socketio/socket.io-parser/commit/dcb942d24db97162ad16a67c2a0cf30875342d55", + "value": "https://github.com/patriksimek/vm2/security/advisories/GHSA-cchq-frgv-rjh5", }, { "type": "URL", - "value": "https://nvd.nist.gov/vuln/detail/CVE-2020-36049", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2023-37466", }, { "type": "URL", - "value": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1056753", + "value": "https://security.netapp.com/advisory/ntap-20230831-0007", + }, + { + "type": "URL", + "value": "https://www.cve.org/CVERecord?id=CVE-2023-37466", }, ], "severity": "HIGH", }, { "attributes": { - "fixedVersion": "3.4.1, 3.3.2", + "fixedVersion": undefined, "foundIn": 
"Node.js", - "installedVersion": "3.4.0", - "packageName": "socket.io-parser", + "installedVersion": "3.9.3", + "packageName": "vm2", "references": [ - "https://blog.caller.xyz/socketio-engineio-dos/", - "https://github.com/advisories/GHSA-xfhh-g9f5-x4m4", - "https://github.com/bcaller/kill-engine-io", - "https://github.com/socketio/socket.io-parser/commit/dcb942d24db97162ad16a67c2a0cf30875342d55", - "https://nvd.nist.gov/vuln/detail/CVE-2020-36049", - "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1056753", + "https://access.redhat.com/security/cve/CVE-2023-37903", + "https://github.com/patriksimek/vm2", + "https://github.com/patriksimek/vm2/security/advisories/GHSA-g644-9gfx-q4q4", + "https://nvd.nist.gov/vuln/detail/CVE-2023-37903", + "https://security.netapp.com/advisory/ntap-20230831-0007", + "https://security.netapp.com/advisory/ntap-20230831-0007/", + "https://www.cve.org/CVERecord?id=CVE-2023-37903", ], - "vulnerabilityId": "CVE-2020-36049", + "vulnerabilityId": "CVE-2023-37903", }, "category": "NPM Package Vulnerability", - "description": "socket.io-parser before 3.4.1 allows attackers to cause a denial of service (memory consumption) via a large packet because a concatenation approach is used.", - "location": "bkimminich/juice-shop:v10.2.0", - "mitigation": "Update the affected package socket.io-parser to the fixed version: 3.4.1, 3.3.2 or remove the package from the image.", - "name": "yarnpkg-socket.io-parser: a denial of service (memory consumption) via a large packet because a concatenation approach is used", + "description": "vm2 is an open source vm/sandbox for Node.js. In vm2 for versions up to and including 3.9.19, Node.js custom inspect function allows attackers to escape the sandbox and run arbitrary code. This may result in Remote Code Execution, assuming the attacker has arbitrary code execution primitive inside the context of vm2 sandbox. There are no patches and no known workarounds. 
Users are advised to find an alternative software.", + "location": "bkimminich/juice-shop:v12.10.2", + "mitigation": "Update the affected package vm2 to the fixed version: undefined or remove the package from the image.", + "name": "vm2: custom inspect function allows attackers to escape the sandbox and run arbitrary code", "osi_layer": "NOT_APPLICABLE", "references": [ { "type": "CVE", - "value": "CVE-2020-36049", + "value": "CVE-2023-37903", }, { "type": "URL", - "value": "https://nvd.nist.gov/vuln/detail/CVE-2020-36049", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2023-37903", }, { "type": "URL", - "value": "https://blog.caller.xyz/socketio-engineio-dos/", + "value": "https://access.redhat.com/security/cve/CVE-2023-37903", }, { "type": "URL", - "value": "https://github.com/advisories/GHSA-xfhh-g9f5-x4m4", + "value": "https://github.com/patriksimek/vm2", }, { "type": "URL", - "value": "https://github.com/bcaller/kill-engine-io", + "value": "https://github.com/patriksimek/vm2/security/advisories/GHSA-g644-9gfx-q4q4", }, { "type": "URL", - "value": "https://github.com/socketio/socket.io-parser/commit/dcb942d24db97162ad16a67c2a0cf30875342d55", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2023-37903", }, { "type": "URL", - "value": "https://nvd.nist.gov/vuln/detail/CVE-2020-36049", + "value": "https://security.netapp.com/advisory/ntap-20230831-0007", }, { "type": "URL", - "value": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1056753", + "value": "https://security.netapp.com/advisory/ntap-20230831-0007/", + }, + { + "type": "URL", + "value": "https://www.cve.org/CVERecord?id=CVE-2023-37903", }, ], "severity": "HIGH", }, { "attributes": { - "fixedVersion": "8.0.1, 7.1.1, 6.0.2", - "foundIn": "Node.js", - "installedVersion": "6.0.1", - "packageName": "ssri", - "references": [ - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-27290", - "https://doyensec.com/resources/Doyensec_Advisory_ssri_redos.pdf", - 
"https://github.com/advisories/GHSA-vx3p-948g-6vhq", - "https://github.com/yetingli/SaveResults/blob/main/pdf/ssri-redos.pdf", - "https://linux.oracle.com/cve/CVE-2021-27290.html", - "https://linux.oracle.com/errata/ELSA-2021-3074.html", - "https://npmjs.com", - "https://nvd.nist.gov/vuln/detail/CVE-2021-27290", - "https://www.oracle.com/security-alerts/cpuoct2021.html", + "fixedVersion": "3.9.18", + "foundIn": "Node.js", + "installedVersion": "3.9.3", + "packageName": "vm2", + "references": [ + "https://access.redhat.com/security/cve/CVE-2023-32313", + "https://gist.github.com/arkark/c1c57eaf3e0a649af1a70c2b93b17550", + "https://github.com/patriksimek/vm2", + "https://github.com/patriksimek/vm2/commit/5206ba25afd86ef547a2c9d48d46ca7a9e6ec238", + "https://github.com/patriksimek/vm2/releases/tag/3.9.18", + "https://github.com/patriksimek/vm2/security/advisories/GHSA-p5gc-c584-jj6v", + "https://nvd.nist.gov/vuln/detail/CVE-2023-32313", + "https://www.cve.org/CVERecord?id=CVE-2023-32313", ], - "vulnerabilityId": "CVE-2021-27290", + "vulnerabilityId": "CVE-2023-32313", }, "category": "NPM Package Vulnerability", - "description": "ssri 5.2.2-8.0.0, fixed in 8.0.1, processes SRIs using a regular expression which is vulnerable to a denial of service. Malicious SRIs could take an extremely long time to process, leading to denial of service. This issue only affects consumers using the strict option.", - "location": "bkimminich/juice-shop:v10.2.0", - "mitigation": "Update the affected package ssri to the fixed version: 8.0.1, 7.1.1, 6.0.2 or remove the package from the image.", - "name": "nodejs-ssri: Regular expression DoS (ReDoS) when parsing malicious SRI in strict mode", + "description": "vm2 is a sandbox that can run untrusted code with Node's built-in modules. In versions 3.9.17 and lower of vm2 it was possible to get a read-write reference to the node \`inspect\` method and edit options for \`console.log\`. 
As a result a threat actor can edit options for the \`console.log\` command. This vulnerability was patched in the release of version \`3.9.18\` of \`vm2\`. Users are advised to upgrade. Users unable to upgrade may make the \`inspect\` method readonly with \`vm.readonly(inspect)\` after creating a vm.", + "location": "bkimminich/juice-shop:v12.10.2", + "mitigation": "Update the affected package vm2 to the fixed version: 3.9.18 or remove the package from the image.", + "name": "vm2: Inspect Manipulation", "osi_layer": "NOT_APPLICABLE", "references": [ { "type": "CVE", - "value": "CVE-2021-27290", - }, - { - "type": "URL", - "value": "https://nvd.nist.gov/vuln/detail/CVE-2021-27290", + "value": "CVE-2023-32313", }, { "type": "URL", - "value": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-27290", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2023-32313", }, { "type": "URL", - "value": "https://doyensec.com/resources/Doyensec_Advisory_ssri_redos.pdf", + "value": "https://access.redhat.com/security/cve/CVE-2023-32313", }, { "type": "URL", - "value": "https://github.com/advisories/GHSA-vx3p-948g-6vhq", + "value": "https://gist.github.com/arkark/c1c57eaf3e0a649af1a70c2b93b17550", }, { "type": "URL", - "value": "https://github.com/yetingli/SaveResults/blob/main/pdf/ssri-redos.pdf", + "value": "https://github.com/patriksimek/vm2", }, { "type": "URL", - "value": "https://linux.oracle.com/cve/CVE-2021-27290.html", + "value": "https://github.com/patriksimek/vm2/commit/5206ba25afd86ef547a2c9d48d46ca7a9e6ec238", }, { "type": "URL", - "value": "https://linux.oracle.com/errata/ELSA-2021-3074.html", + "value": "https://github.com/patriksimek/vm2/releases/tag/3.9.18", }, { "type": "URL", - "value": "https://npmjs.com", + "value": "https://github.com/patriksimek/vm2/security/advisories/GHSA-p5gc-c584-jj6v", }, { "type": "URL", - "value": "https://nvd.nist.gov/vuln/detail/CVE-2021-27290", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2023-32313", }, { "type": "URL", - 
"value": "https://www.oracle.com/security-alerts/cpuoct2021.html", + "value": "https://www.cve.org/CVERecord?id=CVE-2023-32313", }, ], - "severity": "HIGH", + "severity": "MEDIUM", }, { "attributes": { - "fixedVersion": "6.1.2, 5.0.7, 4.4.15, 3.2.3", + "fixedVersion": "1.2.4", "foundIn": "Node.js", - "installedVersion": "4.4.13", - "packageName": "tar", - "references": [ - "https://github.com/advisories/GHSA-r628-mhmh-qjhw", - "https://github.com/npm/node-tar/commit/9dbdeb6df8e9dbd96fa9e84341b9d74734be6c20", - "https://github.com/npm/node-tar/security/advisories/GHSA-r628-mhmh-qjhw", - "https://linux.oracle.com/cve/CVE-2021-32803.html", - "https://linux.oracle.com/errata/ELSA-2021-3666.html", - "https://nvd.nist.gov/vuln/detail/CVE-2021-32803", - "https://www.npmjs.com/advisories/1771", - "https://www.npmjs.com/package/tar", - "https://www.oracle.com/security-alerts/cpuoct2021.html", - ], - "vulnerabilityId": "CVE-2021-32803", + "installedVersion": "1.2.3", + "packageName": "word-wrap", + "references": [ + "https://access.redhat.com/security/cve/CVE-2023-26115", + "https://github.com/jonschlinkert/word-wrap", + "https://github.com/jonschlinkert/word-wrap/blob/master/index.js#L39", + "https://github.com/jonschlinkert/word-wrap/blob/master/index.js%23L39", + "https://github.com/jonschlinkert/word-wrap/commit/420dce9a2412b21881202b73a3c34f0edc53cb2e", + "https://github.com/jonschlinkert/word-wrap/releases/tag/1.2.4", + "https://nvd.nist.gov/vuln/detail/CVE-2023-26115", + "https://security.netapp.com/advisory/ntap-20240621-0006", + "https://security.netapp.com/advisory/ntap-20240621-0006/", + "https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-4058657", + "https://security.snyk.io/vuln/SNYK-JS-WORDWRAP-3149973", + "https://www.cve.org/CVERecord?id=CVE-2023-26115", + ], + "vulnerabilityId": "CVE-2023-26115", }, "category": "NPM Package Vulnerability", - "description": "The npm package "tar" (aka node-tar) before versions 6.1.2, 5.0.7, 4.4.15, and 3.2.3 has an 
arbitrary File Creation/Overwrite vulnerability via insufficient symlink protection. \`node-tar\` aims to guarantee that any file whose location would be modified by a symbolic link is not extracted. This is, in part, achieved by ensuring that extracted directories are not symlinks. Additionally, in order to prevent unnecessary \`stat\` calls to determine whether a given path is a directory, paths are cached when directories are created. This logic was insufficient when extracting tar files that contained both a directory and a symlink with the same name as the directory. This order of operations resulted in the directory being created and added to the \`node-tar\` directory cache. When a directory is present in the directory cache, subsequent calls to mkdir for that directory are skipped. However, this is also where \`node-tar\` checks for symlinks occur. By first creating a directory, and then replacing that directory with a symlink, it was thus possible to bypass \`node-tar\` symlink checks on directories, essentially allowing an untrusted tar file to symlink into an arbitrary location and subsequently extracting arbitrary files into that location, thus allowing arbitrary file creation and overwrite. This issue was addressed in releases 3.2.3, 4.4.15, 5.0.7 and 6.1.2.", - "location": "bkimminich/juice-shop:v10.2.0", - "mitigation": "Update the affected package tar to the fixed version: 6.1.2, 5.0.7, 4.4.15, 3.2.3 or remove the package from the image.", - "name": "nodejs-tar: Insufficient symlink protection allowing arbitrary file creation and overwrite", + "description": "All versions of the package word-wrap are vulnerable to Regular Expression Denial of Service (ReDoS) due to the usage of an insecure regular expression within the result variable. 
+ +", + "location": "bkimminich/juice-shop:v12.10.2", + "mitigation": "Update the affected package word-wrap to the fixed version: 1.2.4 or remove the package from the image.", + "name": "word-wrap: ReDoS", "osi_layer": "NOT_APPLICABLE", "references": [ { "type": "CVE", - "value": "CVE-2021-32803", + "value": "CVE-2023-26115", }, { "type": "URL", - "value": "https://nvd.nist.gov/vuln/detail/CVE-2021-32803", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2023-26115", }, { "type": "URL", - "value": "https://github.com/advisories/GHSA-r628-mhmh-qjhw", + "value": "https://access.redhat.com/security/cve/CVE-2023-26115", }, { "type": "URL", - "value": "https://github.com/npm/node-tar/commit/9dbdeb6df8e9dbd96fa9e84341b9d74734be6c20", + "value": "https://github.com/jonschlinkert/word-wrap", }, { "type": "URL", - "value": "https://github.com/npm/node-tar/security/advisories/GHSA-r628-mhmh-qjhw", + "value": "https://github.com/jonschlinkert/word-wrap/blob/master/index.js#L39", }, { "type": "URL", - "value": "https://linux.oracle.com/cve/CVE-2021-32803.html", + "value": "https://github.com/jonschlinkert/word-wrap/blob/master/index.js%23L39", }, { "type": "URL", - "value": "https://linux.oracle.com/errata/ELSA-2021-3666.html", + "value": "https://github.com/jonschlinkert/word-wrap/commit/420dce9a2412b21881202b73a3c34f0edc53cb2e", }, { "type": "URL", - "value": "https://nvd.nist.gov/vuln/detail/CVE-2021-32803", + "value": "https://github.com/jonschlinkert/word-wrap/releases/tag/1.2.4", }, { "type": "URL", - "value": "https://www.npmjs.com/advisories/1771", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2023-26115", }, { "type": "URL", - "value": "https://www.npmjs.com/package/tar", + "value": "https://security.netapp.com/advisory/ntap-20240621-0006", }, { "type": "URL", - "value": "https://www.oracle.com/security-alerts/cpuoct2021.html", + "value": "https://security.netapp.com/advisory/ntap-20240621-0006/", + }, + { + "type": "URL", + "value": 
"https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-4058657", + }, + { + "type": "URL", + "value": "https://security.snyk.io/vuln/SNYK-JS-WORDWRAP-3149973", + }, + { + "type": "URL", + "value": "https://www.cve.org/CVERecord?id=CVE-2023-26115", }, ], - "severity": "HIGH", + "severity": "MEDIUM", }, { "attributes": { - "fixedVersion": "6.1.1, 5.0.6, 4.4.14, 3.2.2", + "fixedVersion": "5.2.4, 6.2.3, 7.5.10, 8.17.1", "foundIn": "Node.js", - "installedVersion": "4.4.13", - "packageName": "tar", + "installedVersion": "7.4.6", + "packageName": "ws", "references": [ - "https://github.com/advisories/GHSA-3jfq-g458-7qm9", - "https://github.com/npm/node-tar/commit/1f036ca23f64a547bdd6c79c1a44bc62e8115da4", - "https://github.com/npm/node-tar/security/advisories/GHSA-3jfq-g458-7qm9", - "https://linux.oracle.com/cve/CVE-2021-32804.html", - "https://linux.oracle.com/errata/ELSA-2021-3666.html", - "https://nvd.nist.gov/vuln/detail/CVE-2021-32804", - "https://www.npmjs.com/advisories/1770", - "https://www.npmjs.com/package/tar", - "https://www.oracle.com/security-alerts/cpuoct2021.html", - ], - "vulnerabilityId": "CVE-2021-32804", + "https://access.redhat.com/security/cve/CVE-2024-37890", + "https://github.com/websockets/ws", + "https://github.com/websockets/ws/commit/22c28763234aa75a7e1b76f5c01c181260d7917f", + "https://github.com/websockets/ws/commit/4abd8f6de4b0b65ef80b3ff081989479ed93377e", + "https://github.com/websockets/ws/commit/e55e5106f10fcbaac37cfa89759e4cc0d073a52c", + "https://github.com/websockets/ws/commit/eeb76d313e2a00dd5247ca3597bba7877d064a63", + "https://github.com/websockets/ws/issues/2230", + "https://github.com/websockets/ws/pull/2231", + "https://github.com/websockets/ws/security/advisories/GHSA-3h5v-q93c-6h6q", + "https://nodejs.org/api/http.html#servermaxheaderscount", + "https://nvd.nist.gov/vuln/detail/CVE-2024-37890", + "https://www.cve.org/CVERecord?id=CVE-2024-37890", + ], + "vulnerabilityId": "CVE-2024-37890", }, "category": "NPM Package 
Vulnerability", - "description": "The npm package "tar" (aka node-tar) before versions 6.1.1, 5.0.6, 4.4.14, and 3.3.2 has a arbitrary File Creation/Overwrite vulnerability due to insufficient absolute path sanitization. node-tar aims to prevent extraction of absolute file paths by turning absolute paths into relative paths when the \`preservePaths\` flag is not set to \`true\`. This is achieved by stripping the absolute path root from any absolute file paths contained in a tar file. For example \`/home/user/.bashrc\` would turn into \`home/user/.bashrc\`. This logic was insufficient when file paths contained repeated path roots such as \`////home/user/.bashrc\`. \`node-tar\` would only strip a single path root from such paths. When given an absolute file path with repeating path roots, the resulting path (e.g. \`///home/user/.bashrc\`) would still resolve to an absolute path, thus allowing arbitrary file creation and overwrite. This issue was addressed in releases 3.2.2, 4.4.14, 5.0.6 and 6.1.1. Users may work around this vulnerability without upgrading by creating a custom \`onentry\` method which sanitizes the \`entry.path\` or a \`filter\` method which removes entries with absolute paths. See referenced GitHub Advisory for details. Be aware of CVE-2021-32803 which fixes a similar bug in later versions of tar.", - "location": "bkimminich/juice-shop:v10.2.0", - "mitigation": "Update the affected package tar to the fixed version: 6.1.1, 5.0.6, 4.4.14, 3.2.2 or remove the package from the image.", - "name": "nodejs-tar: Insufficient absolute path sanitization allowing arbitrary file creation and overwrite", + "description": "ws is an open source WebSocket client and server for Node.js. A request with a number of headers exceeding theserver.maxHeadersCount threshold could be used to crash a ws server. The vulnerability was fixed in ws@8.17.1 (e55e510) and backported to ws@7.5.10 (22c2876), ws@6.2.3 (eeb76d3), and ws@5.2.4 (4abd8f6). 
In vulnerable versions of ws, the issue can be mitigated in the following ways: 1. Reduce the maximum allowed length of the request headers using the --max-http-header-size=size and/or the maxHeaderSize options so that no more headers than the server.maxHeadersCount limit can be sent. 2. Set server.maxHeadersCount to 0 so that no limit is applied.", + "location": "bkimminich/juice-shop:v12.10.2", + "mitigation": "Update the affected package ws to the fixed version: 5.2.4, 6.2.3, 7.5.10, 8.17.1 or remove the package from the image.", + "name": "nodejs-ws: denial of service when handling a request with many HTTP headers", "osi_layer": "NOT_APPLICABLE", "references": [ { "type": "CVE", - "value": "CVE-2021-32804", + "value": "CVE-2024-37890", }, { "type": "URL", - "value": "https://nvd.nist.gov/vuln/detail/CVE-2021-32804", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2024-37890", }, { "type": "URL", - "value": "https://github.com/advisories/GHSA-3jfq-g458-7qm9", + "value": "https://access.redhat.com/security/cve/CVE-2024-37890", }, { "type": "URL", - "value": "https://github.com/npm/node-tar/commit/1f036ca23f64a547bdd6c79c1a44bc62e8115da4", + "value": "https://github.com/websockets/ws", }, { "type": "URL", - "value": "https://github.com/npm/node-tar/security/advisories/GHSA-3jfq-g458-7qm9", + "value": "https://github.com/websockets/ws/commit/22c28763234aa75a7e1b76f5c01c181260d7917f", }, { "type": "URL", - "value": "https://linux.oracle.com/cve/CVE-2021-32804.html", + "value": "https://github.com/websockets/ws/commit/4abd8f6de4b0b65ef80b3ff081989479ed93377e", }, { "type": "URL", - "value": "https://linux.oracle.com/errata/ELSA-2021-3666.html", + "value": "https://github.com/websockets/ws/commit/e55e5106f10fcbaac37cfa89759e4cc0d073a52c", }, { "type": "URL", - "value": "https://nvd.nist.gov/vuln/detail/CVE-2021-32804", + "value": "https://github.com/websockets/ws/commit/eeb76d313e2a00dd5247ca3597bba7877d064a63", }, { "type": "URL", - "value": 
"https://www.npmjs.com/advisories/1770", + "value": "https://github.com/websockets/ws/issues/2230", }, { "type": "URL", - "value": "https://www.npmjs.com/package/tar", + "value": "https://github.com/websockets/ws/pull/2231", }, { "type": "URL", - "value": "https://www.oracle.com/security-alerts/cpuoct2021.html", + "value": "https://github.com/websockets/ws/security/advisories/GHSA-3h5v-q93c-6h6q", + }, + { + "type": "URL", + "value": "https://nodejs.org/api/http.html#servermaxheaderscount", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2024-37890", + }, + { + "type": "URL", + "value": "https://www.cve.org/CVERecord?id=CVE-2024-37890", }, ], "severity": "HIGH", }, { "attributes": { - "fixedVersion": "6.1.7, 5.0.8, 4.4.16", + "fixedVersion": "1.22.13", "foundIn": "Node.js", - "installedVersion": "4.4.13", - "packageName": "tar", + "installedVersion": "1.22.5", + "packageName": "yarn", "references": [ - "https://github.com/advisories/GHSA-9r2w-394v-53qc", - "https://github.com/npm/node-tar/security/advisories/GHSA-9r2w-394v-53qc", - "https://nvd.nist.gov/vuln/detail/CVE-2021-37701", - "https://www.npmjs.com/advisories/1779", - "https://www.npmjs.com/package/tar", - "https://www.oracle.com/security-alerts/cpuoct2021.html", + "https://access.redhat.com/security/cve/CVE-2021-4435", + "https://bugzilla.redhat.com/show_bug.cgi?id=2262284", + "https://github.com/yarnpkg/yarn", + "https://github.com/yarnpkg/yarn/commit/67fcce88935e45092ffa2674c08053f1ef5268a1", + "https://github.com/yarnpkg/yarn/releases/tag/v1.22.13", + "https://nvd.nist.gov/vuln/detail/CVE-2021-4435", + "https://www.cve.org/CVERecord?id=CVE-2021-4435", ], - "vulnerabilityId": "CVE-2021-37701", + "vulnerabilityId": "CVE-2021-4435", }, "category": "NPM Package Vulnerability", - "description": "The npm package "tar" (aka node-tar) before versions 4.4.16, 5.0.8, and 6.1.7 has an arbitrary file creation/overwrite and arbitrary code execution vulnerability. 
node-tar aims to guarantee that any file whose location would be modified by a symbolic link is not extracted. This is, in part, achieved by ensuring that extracted directories are not symlinks. Additionally, in order to prevent unnecessary stat calls to determine whether a given path is a directory, paths are cached when directories are created. This logic was insufficient when extracting tar files that contained both a directory and a symlink with the same name as the directory, where the symlink and directory names in the archive entry used backslashes as a path separator on posix systems. The cache checking logic used both \`\\\` and \`/\` characters as path separators, however \`\\\` is a valid filename character on posix systems. By first creating a directory, and then replacing that directory with a symlink, it was thus possible to bypass node-tar symlink checks on directories, essentially allowing an untrusted tar file to symlink into an arbitrary location and subsequently extracting arbitrary files into that location, thus allowing arbitrary file creation and overwrite. Additionally, a similar confusion could arise on case-insensitive filesystems. If a tar archive contained a directory at \`FOO\`, followed by a symbolic link named \`foo\`, then on case-insensitive file systems, the creation of the symbolic link would remove the directory from the filesystem, but _not_ from the internal directory cache, as it would not be treated as a cache hit. A subsequent file entry within the \`FOO\` directory would then be placed in the target of the symbolic link, thinking that the directory had already been created. These issues were addressed in releases 4.4.16, 5.0.8 and 6.1.7. The v3 branch of node-tar has been deprecated and did not receive patches for these issues. If you are still using a v3 release we recommend you update to a more recent version of node-tar. 
If this is not possible, a workaround is available in the referenced GHSA-9r2w-394v-53qc.", - "location": "bkimminich/juice-shop:v10.2.0", - "mitigation": "Update the affected package tar to the fixed version: 6.1.7, 5.0.8, 4.4.16 or remove the package from the image.", - "name": "nodejs-tar: insufficient symlink protection due to directory cache poisoning using symbolic links allowing arbitrary file creation and overwrite", + "description": "An untrusted search path vulnerability was found in Yarn. When a victim runs certain Yarn commands in a directory with attacker-controlled content, malicious commands could be executed in unexpected ways.", + "location": "bkimminich/juice-shop:v12.10.2", + "mitigation": "Update the affected package yarn to the fixed version: 1.22.13 or remove the package from the image.", + "name": "yarn: untrusted search path", "osi_layer": "NOT_APPLICABLE", "references": [ { "type": "CVE", - "value": "CVE-2021-37701", + "value": "CVE-2021-4435", }, { "type": "URL", - "value": "https://nvd.nist.gov/vuln/detail/CVE-2021-37701", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2021-4435", }, { "type": "URL", - "value": "https://github.com/advisories/GHSA-9r2w-394v-53qc", + "value": "https://access.redhat.com/security/cve/CVE-2021-4435", }, { "type": "URL", - "value": "https://github.com/npm/node-tar/security/advisories/GHSA-9r2w-394v-53qc", + "value": "https://bugzilla.redhat.com/show_bug.cgi?id=2262284", }, { "type": "URL", - "value": "https://nvd.nist.gov/vuln/detail/CVE-2021-37701", + "value": "https://github.com/yarnpkg/yarn", }, { "type": "URL", - "value": "https://www.npmjs.com/advisories/1779", + "value": "https://github.com/yarnpkg/yarn/commit/67fcce88935e45092ffa2674c08053f1ef5268a1", }, { "type": "URL", - "value": "https://www.npmjs.com/package/tar", + "value": "https://github.com/yarnpkg/yarn/releases/tag/v1.22.13", }, { "type": "URL", - "value": "https://www.oracle.com/security-alerts/cpuoct2021.html", + "value": 
"https://nvd.nist.gov/vuln/detail/CVE-2021-4435", + }, + { + "type": "URL", + "value": "https://www.cve.org/CVERecord?id=CVE-2021-4435", }, ], "severity": "HIGH", }, +] +`; + +exports[`parses securecodebox:master result file into findings 1`] = ` +[ { "attributes": { - "fixedVersion": "6.1.9, 5.0.10, 4.4.18", - "foundIn": "Node.js", - "installedVersion": "4.4.13", - "packageName": "tar", + "fixedVersion": undefined, + "foundIn": "auto-discovery/kubernetes/pull-secret-extractor/integration-test/package-lock.json", + "installedVersion": "2.88.2", + "packageName": "request", "references": [ - "https://github.com/advisories/GHSA-qq89-hq3f-393p", - "https://github.com/npm/node-tar/security/advisories/GHSA-qq89-hq3f-393p", - "https://nvd.nist.gov/vuln/detail/CVE-2021-37712", - "https://www.npmjs.com/advisories/1780", - "https://www.npmjs.com/package/tar", - "https://www.oracle.com/security-alerts/cpuoct2021.html", + "https://doyensec.com/resources/Doyensec_Advisory_RequestSSRF_Q12023.pdf", + "https://github.com/cypress-io/request/blob/master/lib/redirect.js#L116", + "https://github.com/cypress-io/request/commit/c5bcf21d40fb61feaff21a0e5a2b3934a440024f", + "https://github.com/cypress-io/request/pull/28", + "https://github.com/cypress-io/request/releases/tag/v3.0.0", + "https://github.com/github/advisory-database/pull/2500", + "https://github.com/request/request", + "https://github.com/request/request/blob/master/lib/redirect.js#L111", + "https://github.com/request/request/issues/3442", + "https://github.com/request/request/pull/3444", + "https://nvd.nist.gov/vuln/detail/CVE-2023-28155", + "https://security.netapp.com/advisory/ntap-20230413-0007", + "https://security.netapp.com/advisory/ntap-20230413-0007/", ], - "vulnerabilityId": "CVE-2021-37712", + "vulnerabilityId": "CVE-2023-28155", }, "category": "NPM Package Vulnerability", - "description": "The npm package "tar" (aka node-tar) before versions 4.4.18, 5.0.10, and 6.1.9 has an arbitrary file creation/overwrite and 
arbitrary code execution vulnerability. node-tar aims to guarantee that any file whose location would be modified by a symbolic link is not extracted. This is, in part, achieved by ensuring that extracted directories are not symlinks. Additionally, in order to prevent unnecessary stat calls to determine whether a given path is a directory, paths are cached when directories are created. This logic was insufficient when extracting tar files that contained both a directory and a symlink with names containing unicode values that normalized to the same value. Additionally, on Windows systems, long path portions would resolve to the same file system entities as their 8.3 "short path" counterparts. A specially crafted tar archive could thus include a directory with one form of the path, followed by a symbolic link with a different string that resolves to the same file system entity, followed by a file using the first form. By first creating a directory, and then replacing that directory with a symlink that had a different apparent name that resolved to the same entry in the filesystem, it was thus possible to bypass node-tar symlink checks on directories, essentially allowing an untrusted tar file to symlink into an arbitrary location and subsequently extracting arbitrary files into that location, thus allowing arbitrary file creation and overwrite. These issues were addressed in releases 4.4.18, 5.0.10 and 6.1.9. The v3 branch of node-tar has been deprecated and did not receive patches for these issues. If you are still using a v3 release we recommend you update to a more recent version of node-tar. 
If this is not possible, a workaround is available in the referenced GHSA-qq89-hq3f-393p.", - "location": "bkimminich/juice-shop:v10.2.0", - "mitigation": "Update the affected package tar to the fixed version: 6.1.9, 5.0.10, 4.4.18 or remove the package from the image.", - "name": "nodejs-tar: insufficient symlink protection due to directory cache poisoning using symbolic links allowing arbitrary file creation and overwrite", + "description": "The Request package through 2.88.1 for Node.js allows a bypass of SSRF mitigations via an attacker-controller server that does a cross-protocol redirect (HTTP to HTTPS, or HTTPS to HTTP). NOTE: This vulnerability only affects products that are no longer supported by the maintainer.", + "location": "https://github.com/secureCodeBox/secureCodeBox", + "mitigation": "Update the affected package request to the fixed version: undefined or remove the package from the image.", + "name": "The Request package through 2.88.1 for Node.js allows a bypass of SSRF ...", "osi_layer": "NOT_APPLICABLE", "references": [ { "type": "CVE", - "value": "CVE-2021-37712", + "value": "CVE-2023-28155", }, { "type": "URL", - "value": "https://nvd.nist.gov/vuln/detail/CVE-2021-37712", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2023-28155", }, { "type": "URL", - "value": "https://github.com/advisories/GHSA-qq89-hq3f-393p", + "value": "https://doyensec.com/resources/Doyensec_Advisory_RequestSSRF_Q12023.pdf", }, { "type": "URL", - "value": "https://github.com/npm/node-tar/security/advisories/GHSA-qq89-hq3f-393p", + "value": "https://github.com/cypress-io/request/blob/master/lib/redirect.js#L116", }, { "type": "URL", - "value": "https://nvd.nist.gov/vuln/detail/CVE-2021-37712", + "value": "https://github.com/cypress-io/request/commit/c5bcf21d40fb61feaff21a0e5a2b3934a440024f", }, { "type": "URL", - "value": "https://www.npmjs.com/advisories/1780", + "value": "https://github.com/cypress-io/request/pull/28", }, { "type": "URL", - "value": 
"https://www.npmjs.com/package/tar", + "value": "https://github.com/cypress-io/request/releases/tag/v3.0.0", }, { "type": "URL", - "value": "https://www.oracle.com/security-alerts/cpuoct2021.html", + "value": "https://github.com/github/advisory-database/pull/2500", }, - ], - "severity": "HIGH", - }, - { - "attributes": { - "fixedVersion": "6.1.9, 5.0.10, 4.4.18", - "foundIn": "Node.js", - "installedVersion": "4.4.13", - "packageName": "tar", - "references": [ - "https://github.com/advisories/GHSA-5955-9wpr-37jh", - "https://github.com/npm/node-tar/security/advisories/GHSA-5955-9wpr-37jh", - "https://nvd.nist.gov/vuln/detail/CVE-2021-37713", - "https://www.npmjs.com/package/tar", - "https://www.oracle.com/security-alerts/cpuoct2021.html", - ], - "vulnerabilityId": "CVE-2021-37713", - }, - "category": "NPM Package Vulnerability", - "description": "The npm package "tar" (aka node-tar) before versions 4.4.18, 5.0.10, and 6.1.9 has an arbitrary file creation/overwrite and arbitrary code execution vulnerability. node-tar aims to guarantee that any file whose location would be outside of the extraction target directory is not extracted. This is, in part, accomplished by sanitizing absolute paths of entries within the archive, skipping archive entries that contain \`..\` path portions, and resolving the sanitized paths against the extraction target directory. This logic was insufficient on Windows systems when extracting tar files that contained a path that was not an absolute path, but specified a drive letter different from the extraction target, such as \`C:some\\path\`. If the drive letter does not match the extraction target, for example \`D:\\extraction\\dir\`, then the result of \`path.resolve(extractionDirectory, entryPath)\` would resolve against the current working directory on the \`C:\` drive, rather than the extraction target directory. 
Additionally, a \`..\` portion of the path could occur immediately after the drive letter, such as \`C:../foo\`, and was not properly sanitized by the logic that checked for \`..\` within the normalized and split portions of the path. This only affects users of \`node-tar\` on Windows systems. These issues were addressed in releases 4.4.18, 5.0.10 and 6.1.9. The v3 branch of node-tar has been deprecated and did not receive patches for these issues. If you are still using a v3 release we recommend you update to a more recent version of node-tar. There is no reasonable way to work around this issue without performing the same path normalization procedures that node-tar now does. Users are encouraged to upgrade to the latest patched versions of node-tar, rather than attempt to sanitize paths themselves.", - "location": "bkimminich/juice-shop:v10.2.0", - "mitigation": "Update the affected package tar to the fixed version: 6.1.9, 5.0.10, 4.4.18 or remove the package from the image.", - "name": "Arbitrary File Creation/Overwrite on Windows via insufficient relative path sanitization", - "osi_layer": "NOT_APPLICABLE", - "references": [ { - "type": "CVE", - "value": "CVE-2021-37713", + "type": "URL", + "value": "https://github.com/request/request", }, { "type": "URL", - "value": "https://nvd.nist.gov/vuln/detail/CVE-2021-37713", + "value": "https://github.com/request/request/blob/master/lib/redirect.js#L111", }, { "type": "URL", - "value": "https://github.com/advisories/GHSA-5955-9wpr-37jh", + "value": "https://github.com/request/request/issues/3442", }, { "type": "URL", - "value": "https://github.com/npm/node-tar/security/advisories/GHSA-5955-9wpr-37jh", + "value": "https://github.com/request/request/pull/3444", }, { "type": "URL", - "value": "https://nvd.nist.gov/vuln/detail/CVE-2021-37713", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2023-28155", }, { "type": "URL", - "value": "https://www.npmjs.com/package/tar", + "value": 
"https://security.netapp.com/advisory/ntap-20230413-0007", }, { "type": "URL", - "value": "https://www.oracle.com/security-alerts/cpuoct2021.html", + "value": "https://security.netapp.com/advisory/ntap-20230413-0007/", }, ], - "severity": "HIGH", + "severity": "MEDIUM", }, { "attributes": { - "fixedVersion": "4.0.1, 3.0.1", - "foundIn": "Node.js", - "installedVersion": "1.0.0", - "packageName": "trim-newlines", + "fixedVersion": "4.1.3", + "foundIn": "auto-discovery/kubernetes/pull-secret-extractor/integration-test/package-lock.json", + "installedVersion": "2.5.0", + "packageName": "tough-cookie", "references": [ - "https://github.com/advisories/GHSA-7p7h-4mm5-852v", - "https://github.com/sindresorhus/trim-newlines/releases/tag/v4.0.1", - "https://nvd.nist.gov/vuln/detail/CVE-2021-33623", - "https://www.npmjs.com/package/trim-newlines", + "https://access.redhat.com/security/cve/CVE-2023-26136", + "https://github.com/salesforce/tough-cookie", + "https://github.com/salesforce/tough-cookie/commit/12d474791bb856004e858fdb1c47b7608d09cf6e", + "https://github.com/salesforce/tough-cookie/issues/282", + "https://github.com/salesforce/tough-cookie/releases/tag/v4.1.3", + "https://lists.debian.org/debian-lts-announce/2023/07/msg00010.html", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3HUE6ZR5SL73KHL7XUPAOEL6SB7HUDT2", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3HUE6ZR5SL73KHL7XUPAOEL6SB7HUDT2/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6PVVPNSAGSDS63HQ74PJ7MZ3MU5IYNVZ", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6PVVPNSAGSDS63HQ74PJ7MZ3MU5IYNVZ/", + "https://nvd.nist.gov/vuln/detail/CVE-2023-26136", + "https://security.netapp.com/advisory/ntap-20240621-0006", + "https://security.netapp.com/advisory/ntap-20240621-0006/", + 
"https://security.snyk.io/vuln/SNYK-JS-TOUGHCOOKIE-5672873", + "https://www.cve.org/CVERecord?id=CVE-2023-26136", ], - "vulnerabilityId": "CVE-2021-33623", + "vulnerabilityId": "CVE-2023-26136", }, "category": "NPM Package Vulnerability", - "description": "The trim-newlines package before 3.0.1 and 4.x before 4.0.1 for Node.js has an issue related to regular expression denial-of-service (ReDoS) for the .end() method.", - "location": "bkimminich/juice-shop:v10.2.0", - "mitigation": "Update the affected package trim-newlines to the fixed version: 4.0.1, 3.0.1 or remove the package from the image.", - "name": "nodejs-trim-newlines: ReDoS in .end() method", + "description": "Versions of the package tough-cookie before 4.1.3 are vulnerable to Prototype Pollution due to improper handling of Cookies when using CookieJar in rejectPublicSuffixes=false mode. This issue arises from the manner in which the objects are initialized.", + "location": "https://github.com/secureCodeBox/secureCodeBox", + "mitigation": "Update the affected package tough-cookie to the fixed version: 4.1.3 or remove the package from the image.", + "name": "tough-cookie: prototype pollution in cookie memstore", "osi_layer": "NOT_APPLICABLE", "references": [ { "type": "CVE", - "value": "CVE-2021-33623", + "value": "CVE-2023-26136", }, { "type": "URL", - "value": "https://nvd.nist.gov/vuln/detail/CVE-2021-33623", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2023-26136", }, { "type": "URL", - "value": "https://github.com/advisories/GHSA-7p7h-4mm5-852v", + "value": "https://access.redhat.com/security/cve/CVE-2023-26136", }, { "type": "URL", - "value": "https://github.com/sindresorhus/trim-newlines/releases/tag/v4.0.1", + "value": "https://github.com/salesforce/tough-cookie", }, { "type": "URL", - "value": "https://nvd.nist.gov/vuln/detail/CVE-2021-33623", + "value": "https://github.com/salesforce/tough-cookie/commit/12d474791bb856004e858fdb1c47b7608d09cf6e", }, { "type": "URL", - "value": 
"https://www.npmjs.com/package/trim-newlines", + "value": "https://github.com/salesforce/tough-cookie/issues/282", }, - ], - "severity": "HIGH", - }, - { - "attributes": { - "fixedVersion": "13.7.0", - "foundIn": "Node.js", - "installedVersion": "10.11.0", - "packageName": "validator", - "references": [ - "https://github.com/advisories/GHSA-qgmg-gppg-76g5", - "https://github.com/validatorjs/validator.js/commit/496fc8b2a7f5997acaaec33cc44d0b8dba5fb5e1", - "https://huntr.dev/bounties/c37e975c-21a3-4c5f-9b57-04d63b28cfc9", - "https://nvd.nist.gov/vuln/detail/CVE-2021-3765", - ], - "vulnerabilityId": "CVE-2021-3765", - }, - "category": "NPM Package Vulnerability", - "description": "validator.js is vulnerable to Inefficient Regular Expression Complexity", - "location": "bkimminich/juice-shop:v10.2.0", - "mitigation": "Update the affected package validator to the fixed version: 13.7.0 or remove the package from the image.", - "name": "Inefficient Regular Expression Complexity in validator.js", - "osi_layer": "NOT_APPLICABLE", - "references": [ { - "type": "CVE", - "value": "CVE-2021-3765", + "type": "URL", + "value": "https://github.com/salesforce/tough-cookie/releases/tag/v4.1.3", }, { "type": "URL", - "value": "https://nvd.nist.gov/vuln/detail/CVE-2021-3765", + "value": "https://lists.debian.org/debian-lts-announce/2023/07/msg00010.html", }, { "type": "URL", - "value": "https://github.com/advisories/GHSA-qgmg-gppg-76g5", + "value": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3HUE6ZR5SL73KHL7XUPAOEL6SB7HUDT2", }, { "type": "URL", - "value": "https://github.com/validatorjs/validator.js/commit/496fc8b2a7f5997acaaec33cc44d0b8dba5fb5e1", + "value": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3HUE6ZR5SL73KHL7XUPAOEL6SB7HUDT2/", }, { "type": "URL", - "value": "https://huntr.dev/bounties/c37e975c-21a3-4c5f-9b57-04d63b28cfc9", + "value": 
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6PVVPNSAGSDS63HQ74PJ7MZ3MU5IYNVZ", }, { "type": "URL", - "value": "https://nvd.nist.gov/vuln/detail/CVE-2021-3765", + "value": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6PVVPNSAGSDS63HQ74PJ7MZ3MU5IYNVZ/", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2023-26136", + }, + { + "type": "URL", + "value": "https://security.netapp.com/advisory/ntap-20240621-0006", + }, + { + "type": "URL", + "value": "https://security.netapp.com/advisory/ntap-20240621-0006/", + }, + { + "type": "URL", + "value": "https://security.snyk.io/vuln/SNYK-JS-TOUGHCOOKIE-5672873", + }, + { + "type": "URL", + "value": "https://www.cve.org/CVERecord?id=CVE-2023-26136", }, ], "severity": "MEDIUM", }, { "attributes": { - "fixedVersion": "5.2.3, 6.2.2, 7.4.6", - "foundIn": "Node.js", - "installedVersion": "6.1.4", - "packageName": "ws", + "fixedVersion": "1.20.3", + "foundIn": "documentation/package-lock.json", + "installedVersion": "1.20.2", + "packageName": "body-parser", "references": [ - "https://github.com/advisories/GHSA-6fc8-4gx4-v693", - "https://github.com/websockets/ws/commit/00c425ec77993773d823f018f64a5c44e17023ff", - "https://github.com/websockets/ws/security/advisories/GHSA-6fc8-4gx4-v693", - "https://lists.apache.org/thread.html/rdfa7b6253c4d6271e31566ecd5f30b7ce1b8fb2c89d52b8c4e0f4e30@%3Ccommits.tinkerpop.apache.org%3E", - "https://nvd.nist.gov/vuln/detail/CVE-2021-32640", + "https://access.redhat.com/security/cve/CVE-2024-45590", + "https://github.com/expressjs/body-parser", + "https://github.com/expressjs/body-parser/commit/b2695c4450f06ba3b0ccf48d872a229bb41c9bce", + "https://github.com/expressjs/body-parser/security/advisories/GHSA-qwcr-r2fm-qrc7", + "https://nvd.nist.gov/vuln/detail/CVE-2024-45590", + "https://www.cve.org/CVERecord?id=CVE-2024-45590", ], - "vulnerabilityId": "CVE-2021-32640", + 
"vulnerabilityId": "CVE-2024-45590", }, "category": "NPM Package Vulnerability", - "description": "ws is an open source WebSocket client and server library for Node.js. A specially crafted value of the \`Sec-Websocket-Protocol\` header can be used to significantly slow down a ws server. The vulnerability has been fixed in ws@7.4.6 (https://github.com/websockets/ws/commit/00c425ec77993773d823f018f64a5c44e17023ff). In vulnerable versions of ws, the issue can be mitigated by reducing the maximum allowed length of the request headers using the [\`--max-http-header-size=size\`](https://nodejs.org/api/cli.html#cli_max_http_header_size_size) and/or the [\`maxHeaderSize\`](https://nodejs.org/api/http.html#http_http_createserver_options_requestlistener) options.", - "location": "bkimminich/juice-shop:v10.2.0", - "mitigation": "Update the affected package ws to the fixed version: 5.2.3, 6.2.2, 7.4.6 or remove the package from the image.", - "name": "nodejs-ws: Specially crafted value of the \`Sec-Websocket-Protocol\` header can be used to significantly slow down a ws server", + "description": "body-parser is Node.js body parsing middleware. body-parser <1.20.3 is vulnerable to denial of service when url encoding is enabled. A malicious actor using a specially crafted payload could flood the server with a large number of requests, resulting in denial of service. 
This issue is patched in 1.20.3.", + "location": "https://github.com/secureCodeBox/secureCodeBox", + "mitigation": "Update the affected package body-parser to the fixed version: 1.20.3 or remove the package from the image.", + "name": "body-parser: Denial of Service Vulnerability in body-parser", "osi_layer": "NOT_APPLICABLE", "references": [ { "type": "CVE", - "value": "CVE-2021-32640", + "value": "CVE-2024-45590", }, { "type": "URL", - "value": "https://nvd.nist.gov/vuln/detail/CVE-2021-32640", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2024-45590", }, { "type": "URL", - "value": "https://github.com/advisories/GHSA-6fc8-4gx4-v693", + "value": "https://access.redhat.com/security/cve/CVE-2024-45590", }, { "type": "URL", - "value": "https://github.com/websockets/ws/commit/00c425ec77993773d823f018f64a5c44e17023ff", + "value": "https://github.com/expressjs/body-parser", }, { "type": "URL", - "value": "https://github.com/websockets/ws/security/advisories/GHSA-6fc8-4gx4-v693", + "value": "https://github.com/expressjs/body-parser/commit/b2695c4450f06ba3b0ccf48d872a229bb41c9bce", }, { "type": "URL", - "value": "https://lists.apache.org/thread.html/rdfa7b6253c4d6271e31566ecd5f30b7ce1b8fb2c89d52b8c4e0f4e30@%3Ccommits.tinkerpop.apache.org%3E", + "value": "https://github.com/expressjs/body-parser/security/advisories/GHSA-qwcr-r2fm-qrc7", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2024-45590", }, { "type": "URL", - "value": "https://nvd.nist.gov/vuln/detail/CVE-2021-32640", + "value": "https://www.cve.org/CVERecord?id=CVE-2024-45590", }, ], - "severity": "MEDIUM", + "severity": "HIGH", }, { "attributes": { - "fixedVersion": "5.2.3, 6.2.2, 7.4.6", - "foundIn": "Node.js", - "installedVersion": "7.2.3", - "packageName": "ws", + "fixedVersion": "0.7.0", + "foundIn": "documentation/package-lock.json", + "installedVersion": "0.6.0", + "packageName": "cookie", "references": [ - "https://github.com/advisories/GHSA-6fc8-4gx4-v693", - 
"https://github.com/websockets/ws/commit/00c425ec77993773d823f018f64a5c44e17023ff", - "https://github.com/websockets/ws/security/advisories/GHSA-6fc8-4gx4-v693", - "https://lists.apache.org/thread.html/rdfa7b6253c4d6271e31566ecd5f30b7ce1b8fb2c89d52b8c4e0f4e30@%3Ccommits.tinkerpop.apache.org%3E", - "https://nvd.nist.gov/vuln/detail/CVE-2021-32640", + "https://access.redhat.com/security/cve/CVE-2024-47764", + "https://github.com/jshttp/cookie", + "https://github.com/jshttp/cookie/commit/e10042845354fea83bd8f34af72475eed1dadf5c", + "https://github.com/jshttp/cookie/pull/167", + "https://github.com/jshttp/cookie/security/advisories/GHSA-pxg6-pf52-xh8x", + "https://nvd.nist.gov/vuln/detail/CVE-2024-47764", + "https://www.cve.org/CVERecord?id=CVE-2024-47764", ], - "vulnerabilityId": "CVE-2021-32640", + "vulnerabilityId": "CVE-2024-47764", }, "category": "NPM Package Vulnerability", - "description": "ws is an open source WebSocket client and server library for Node.js. A specially crafted value of the \`Sec-Websocket-Protocol\` header can be used to significantly slow down a ws server. The vulnerability has been fixed in ws@7.4.6 (https://github.com/websockets/ws/commit/00c425ec77993773d823f018f64a5c44e17023ff). In vulnerable versions of ws, the issue can be mitigated by reducing the maximum allowed length of the request headers using the [\`--max-http-header-size=size\`](https://nodejs.org/api/cli.html#cli_max_http_header_size_size) and/or the [\`maxHeaderSize\`](https://nodejs.org/api/http.html#http_http_createserver_options_requestlistener) options.", - "location": "bkimminich/juice-shop:v10.2.0", - "mitigation": "Update the affected package ws to the fixed version: 5.2.3, 6.2.2, 7.4.6 or remove the package from the image.", - "name": "nodejs-ws: Specially crafted value of the \`Sec-Websocket-Protocol\` header can be used to significantly slow down a ws server", + "description": "cookie is a basic HTTP cookie parser and serializer for HTTP servers. 
The cookie name could be used to set other fields of the cookie, resulting in an unexpected cookie value. A similar escape can be used for path and domain, which could be abused to alter other fields of the cookie. Upgrade to 0.7.0, which updates the validation for name, path, and domain.", + "location": "https://github.com/secureCodeBox/secureCodeBox", + "mitigation": "Update the affected package cookie to the fixed version: 0.7.0 or remove the package from the image.", + "name": "cookie: cookie accepts cookie name, path, and domain with out of bounds characters", "osi_layer": "NOT_APPLICABLE", "references": [ { "type": "CVE", - "value": "CVE-2021-32640", + "value": "CVE-2024-47764", }, { "type": "URL", - "value": "https://nvd.nist.gov/vuln/detail/CVE-2021-32640", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2024-47764", }, { "type": "URL", - "value": "https://github.com/advisories/GHSA-6fc8-4gx4-v693", + "value": "https://access.redhat.com/security/cve/CVE-2024-47764", }, { "type": "URL", - "value": "https://github.com/websockets/ws/commit/00c425ec77993773d823f018f64a5c44e17023ff", + "value": "https://github.com/jshttp/cookie", }, { "type": "URL", - "value": "https://github.com/websockets/ws/security/advisories/GHSA-6fc8-4gx4-v693", + "value": "https://github.com/jshttp/cookie/commit/e10042845354fea83bd8f34af72475eed1dadf5c", }, { "type": "URL", - "value": "https://lists.apache.org/thread.html/rdfa7b6253c4d6271e31566ecd5f30b7ce1b8fb2c89d52b8c4e0f4e30@%3Ccommits.tinkerpop.apache.org%3E", + "value": "https://github.com/jshttp/cookie/pull/167", }, { "type": "URL", - "value": "https://nvd.nist.gov/vuln/detail/CVE-2021-32640", + "value": "https://github.com/jshttp/cookie/security/advisories/GHSA-pxg6-pf52-xh8x", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2024-47764", + }, + { + "type": "URL", + "value": "https://www.cve.org/CVERecord?id=CVE-2024-47764", }, ], - "severity": "MEDIUM", + "severity": "LOW", }, { "attributes": { - 
"fixedVersion": "1.6.1", - "foundIn": "Node.js", - "installedVersion": "1.5.5", - "packageName": "xmlhttprequest-ssl", + "fixedVersion": "4.20.0, 5.0.0", + "foundIn": "documentation/package-lock.json", + "installedVersion": "4.19.2", + "packageName": "express", "references": [ - "https://github.com/advisories/GHSA-72mh-269x-7mh5", - "https://github.com/mjwwit/node-XMLHttpRequest/commit/bf53329b61ca6afc5d28f6b8d2dc2e3ca740a9b2", - "https://github.com/mjwwit/node-XMLHttpRequest/compare/v1.6.0...1.6.1", - "https://nvd.nist.gov/vuln/detail/CVE-2021-31597", - "https://people.kingsds.network/wesgarland/xmlhttprequest-ssl-vuln.txt", - "https://security.netapp.com/advisory/ntap-20210618-0004/", + "https://access.redhat.com/security/cve/CVE-2024-43796", + "https://github.com/expressjs/express", + "https://github.com/expressjs/express/commit/54271f69b511fea198471e6ff3400ab805d6b553", + "https://github.com/expressjs/express/security/advisories/GHSA-qw6h-vgh9-j6wx", + "https://nvd.nist.gov/vuln/detail/CVE-2024-43796", + "https://www.cve.org/CVERecord?id=CVE-2024-43796", ], - "vulnerabilityId": "CVE-2021-31597", + "vulnerabilityId": "CVE-2024-43796", }, "category": "NPM Package Vulnerability", - "description": "The xmlhttprequest-ssl package before 1.6.1 for Node.js disables SSL certificate validation by default, because rejectUnauthorized (when the property exists but is undefined) is considered to be false within the https.request function of Node.js. In other words, no certificate is ever rejected.", - "location": "bkimminich/juice-shop:v10.2.0", - "mitigation": "Update the affected package xmlhttprequest-ssl to the fixed version: 1.6.1 or remove the package from the image.", - "name": "xmlhttprequest-ssl: SSL certificate validation disabled by default", + "description": "Express.js minimalist web framework for node. In express < 4.20.0, passing untrusted user input - even after sanitizing it - to response.redirect() may execute untrusted code. 
This issue is patched in express 4.20.0.", + "location": "https://github.com/secureCodeBox/secureCodeBox", + "mitigation": "Update the affected package express to the fixed version: 4.20.0, 5.0.0 or remove the package from the image.", + "name": "express: Improper Input Handling in Express Redirects", "osi_layer": "NOT_APPLICABLE", "references": [ { "type": "CVE", - "value": "CVE-2021-31597", + "value": "CVE-2024-43796", }, { "type": "URL", - "value": "https://nvd.nist.gov/vuln/detail/CVE-2021-31597", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2024-43796", }, { "type": "URL", - "value": "https://github.com/advisories/GHSA-72mh-269x-7mh5", + "value": "https://access.redhat.com/security/cve/CVE-2024-43796", }, { "type": "URL", - "value": "https://github.com/mjwwit/node-XMLHttpRequest/commit/bf53329b61ca6afc5d28f6b8d2dc2e3ca740a9b2", + "value": "https://github.com/expressjs/express", }, { "type": "URL", - "value": "https://github.com/mjwwit/node-XMLHttpRequest/compare/v1.6.0...1.6.1", + "value": "https://github.com/expressjs/express/commit/54271f69b511fea198471e6ff3400ab805d6b553", }, { "type": "URL", - "value": "https://nvd.nist.gov/vuln/detail/CVE-2021-31597", + "value": "https://github.com/expressjs/express/security/advisories/GHSA-qw6h-vgh9-j6wx", }, { "type": "URL", - "value": "https://people.kingsds.network/wesgarland/xmlhttprequest-ssl-vuln.txt", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2024-43796", }, { "type": "URL", - "value": "https://security.netapp.com/advisory/ntap-20210618-0004/", + "value": "https://www.cve.org/CVERecord?id=CVE-2024-43796", }, ], - "severity": "HIGH", + "severity": "MEDIUM", }, { "attributes": { - "fixedVersion": "1.6.2", - "foundIn": "Node.js", - "installedVersion": "1.5.5", - "packageName": "xmlhttprequest-ssl", + "fixedVersion": "2.0.7, 3.0.3", + "foundIn": "documentation/package-lock.json", + "installedVersion": "2.0.6", + "packageName": "http-proxy-middleware", "references": [ - 
"https://github.com/advisories/GHSA-h4j5-c7cj-74xg", - "https://github.com/driverdan/node-XMLHttpRequest/blob/1.6.0/lib/XMLHttpRequest.js%23L480", - "https://nvd.nist.gov/vuln/detail/CVE-2020-28502", - "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1082937", - "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1082938", - "https://snyk.io/vuln/SNYK-JS-XMLHTTPREQUEST-1082935", - "https://snyk.io/vuln/SNYK-JS-XMLHTTPREQUESTSSL-1082936", + "https://access.redhat.com/security/cve/CVE-2024-21536", + "https://gist.github.com/mhassan1/28be67266d82a53708ed59ce5dc3c94a", + "https://github.com/chimurai/http-proxy-middleware", + "https://github.com/chimurai/http-proxy-middleware/commit/0b4274e8cc9e9a2c5a06f35fbf456ccfcebc55a5", + "https://github.com/chimurai/http-proxy-middleware/commit/788b21e4aff38332d6319557d4a5b1b13b1f9a22", + "https://nvd.nist.gov/vuln/detail/CVE-2024-21536", + "https://security.snyk.io/vuln/SNYK-JS-HTTPPROXYMIDDLEWARE-8229906", + "https://www.cve.org/CVERecord?id=CVE-2024-21536", ], - "vulnerabilityId": "CVE-2020-28502", + "vulnerabilityId": "CVE-2024-21536", }, "category": "NPM Package Vulnerability", - "description": "This affects the package xmlhttprequest before 1.7.0; all versions of package xmlhttprequest-ssl. Provided requests are sent synchronously (async=False on xhr.open), malicious user input flowing into xhr.send could result in arbitrary code being injected and run.", - "location": "bkimminich/juice-shop:v10.2.0", - "mitigation": "Update the affected package xmlhttprequest-ssl to the fixed version: 1.6.2 or remove the package from the image.", - "name": "nodejs-xmlhttprequest: Code injection through user input to xhr.send", + "description": "Versions of the package http-proxy-middleware before 2.0.7, from 3.0.0 and before 3.0.3 are vulnerable to Denial of Service (DoS) due to an UnhandledPromiseRejection error thrown by micromatch. 
An attacker could kill the Node.js process and crash the server by making requests to certain paths.", + "location": "https://github.com/secureCodeBox/secureCodeBox", + "mitigation": "Update the affected package http-proxy-middleware to the fixed version: 2.0.7, 3.0.3 or remove the package from the image.", + "name": "http-proxy-middleware: Denial of Service", "osi_layer": "NOT_APPLICABLE", "references": [ { "type": "CVE", - "value": "CVE-2020-28502", + "value": "CVE-2024-21536", }, { "type": "URL", - "value": "https://nvd.nist.gov/vuln/detail/CVE-2020-28502", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2024-21536", }, { "type": "URL", - "value": "https://github.com/advisories/GHSA-h4j5-c7cj-74xg", + "value": "https://access.redhat.com/security/cve/CVE-2024-21536", }, { "type": "URL", - "value": "https://github.com/driverdan/node-XMLHttpRequest/blob/1.6.0/lib/XMLHttpRequest.js%23L480", + "value": "https://gist.github.com/mhassan1/28be67266d82a53708ed59ce5dc3c94a", }, { "type": "URL", - "value": "https://nvd.nist.gov/vuln/detail/CVE-2020-28502", + "value": "https://github.com/chimurai/http-proxy-middleware", }, { "type": "URL", - "value": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1082937", + "value": "https://github.com/chimurai/http-proxy-middleware/commit/0b4274e8cc9e9a2c5a06f35fbf456ccfcebc55a5", }, { "type": "URL", - "value": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1082938", + "value": "https://github.com/chimurai/http-proxy-middleware/commit/788b21e4aff38332d6319557d4a5b1b13b1f9a22", }, { "type": "URL", - "value": "https://snyk.io/vuln/SNYK-JS-XMLHTTPREQUEST-1082935", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2024-21536", }, { "type": "URL", - "value": "https://snyk.io/vuln/SNYK-JS-XMLHTTPREQUESTSSL-1082936", + "value": "https://security.snyk.io/vuln/SNYK-JS-HTTPPROXYMIDDLEWARE-8229906", + }, + { + "type": "URL", + "value": "https://www.cve.org/CVERecord?id=CVE-2024-21536", }, ], "severity": "HIGH", }, { "attributes": { - "fixedVersion": 
"5.0.5, 4.0.1, 3.2.2", - "foundIn": "Node.js", - "installedVersion": "3.2.1", - "packageName": "y18n", + "fixedVersion": "4.0.8", + "foundIn": "documentation/package-lock.json", + "installedVersion": "4.0.5", + "packageName": "micromatch", "references": [ - "https://github.com/advisories/GHSA-c4w7-xm78-47vh", - "https://github.com/yargs/y18n/issues/96", - "https://github.com/yargs/y18n/pull/108", - "https://linux.oracle.com/cve/CVE-2020-7774.html", - "https://linux.oracle.com/errata/ELSA-2021-0551.html", - "https://nvd.nist.gov/vuln/detail/CVE-2020-7774", - "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1038306", - "https://snyk.io/vuln/SNYK-JS-Y18N-1021887", - "https://www.oracle.com/security-alerts/cpuApr2021.html", + "https://access.redhat.com/security/cve/CVE-2024-4067", + "https://advisory.checkmarx.net/advisory/CVE-2024-4067", + "https://advisory.checkmarx.net/advisory/CVE-2024-4067/", + "https://devhub.checkmarx.com/cve-details/CVE-2024-4067", + "https://devhub.checkmarx.com/cve-details/CVE-2024-4067/", + "https://github.com/micromatch/micromatch", + "https://github.com/micromatch/micromatch/blob/2c56a8604b68c1099e7bc0f807ce0865a339747a/index.js#L448", + "https://github.com/micromatch/micromatch/commit/03aa8052171e878897eee5d7bb2ae0ae83ec2ade", + "https://github.com/micromatch/micromatch/commit/500d5d6f42f0e8dfa1cb5464c6cb420b1b6aaaa0", + "https://github.com/micromatch/micromatch/issues/243", + "https://github.com/micromatch/micromatch/pull/247", + "https://github.com/micromatch/micromatch/pull/266", + "https://github.com/micromatch/micromatch/releases/tag/4.0.8", + "https://nvd.nist.gov/vuln/detail/CVE-2024-4067", + "https://www.cve.org/CVERecord?id=CVE-2024-4067", ], - "vulnerabilityId": "CVE-2020-7774", + "vulnerabilityId": "CVE-2024-4067", }, "category": "NPM Package Vulnerability", - "description": "This affects the package y18n before 3.2.2, 4.0.1 and 5.0.5. 
PoC by po6ix: const y18n = require('y18n')(); y18n.setLocale('__proto__'); y18n.updateLocale({polluted: true}); console.log(polluted); // true", - "location": "bkimminich/juice-shop:v10.2.0", - "mitigation": "Update the affected package y18n to the fixed version: 5.0.5, 4.0.1, 3.2.2 or remove the package from the image.", - "name": "nodejs-y18n: prototype pollution vulnerability", + "description": "The NPM package \`micromatch\` prior to 4.0.8 is vulnerable to Regular Expression Denial of Service (ReDoS). The vulnerability occurs in \`micromatch.braces()\` in \`index.js\` because the pattern \`.*\` will greedily match anything. By passing a malicious payload, the pattern matching will keep backtracking to the input while it doesn't find the closing bracket. As the input size increases, the consumption time will also increase until it causes the application to hang or slow down. There was a merged fix but further testing shows the issue persists. This issue should be mitigated by using a safe pattern that won't start backtracking the regular expression due to greedy matching. 
This issue was fixed in version 4.0.8.", + "location": "https://github.com/secureCodeBox/secureCodeBox", + "mitigation": "Update the affected package micromatch to the fixed version: 4.0.8 or remove the package from the image.", + "name": "micromatch: vulnerable to Regular Expression Denial of Service", "osi_layer": "NOT_APPLICABLE", "references": [ { "type": "CVE", - "value": "CVE-2020-7774", + "value": "CVE-2024-4067", }, { "type": "URL", - "value": "https://nvd.nist.gov/vuln/detail/CVE-2020-7774", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2024-4067", }, { "type": "URL", - "value": "https://github.com/advisories/GHSA-c4w7-xm78-47vh", + "value": "https://access.redhat.com/security/cve/CVE-2024-4067", }, { "type": "URL", - "value": "https://github.com/yargs/y18n/issues/96", + "value": "https://advisory.checkmarx.net/advisory/CVE-2024-4067", }, { "type": "URL", - "value": "https://github.com/yargs/y18n/pull/108", + "value": "https://advisory.checkmarx.net/advisory/CVE-2024-4067/", }, { "type": "URL", - "value": "https://linux.oracle.com/cve/CVE-2020-7774.html", + "value": "https://devhub.checkmarx.com/cve-details/CVE-2024-4067", }, { "type": "URL", - "value": "https://linux.oracle.com/errata/ELSA-2021-0551.html", + "value": "https://devhub.checkmarx.com/cve-details/CVE-2024-4067/", }, { "type": "URL", - "value": "https://nvd.nist.gov/vuln/detail/CVE-2020-7774", + "value": "https://github.com/micromatch/micromatch", }, { "type": "URL", - "value": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1038306", + "value": "https://github.com/micromatch/micromatch/blob/2c56a8604b68c1099e7bc0f807ce0865a339747a/index.js#L448", }, { "type": "URL", - "value": "https://snyk.io/vuln/SNYK-JS-Y18N-1021887", + "value": "https://github.com/micromatch/micromatch/commit/03aa8052171e878897eee5d7bb2ae0ae83ec2ade", }, { "type": "URL", - "value": "https://www.oracle.com/security-alerts/cpuApr2021.html", + "value": 
"https://github.com/micromatch/micromatch/commit/500d5d6f42f0e8dfa1cb5464c6cb420b1b6aaaa0", + }, + { + "type": "URL", + "value": "https://github.com/micromatch/micromatch/issues/243", + }, + { + "type": "URL", + "value": "https://github.com/micromatch/micromatch/pull/247", + }, + { + "type": "URL", + "value": "https://github.com/micromatch/micromatch/pull/266", + }, + { + "type": "URL", + "value": "https://github.com/micromatch/micromatch/releases/tag/4.0.8", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2024-4067", + }, + { + "type": "URL", + "value": "https://www.cve.org/CVERecord?id=CVE-2024-4067", }, ], - "severity": "HIGH", + "severity": "MEDIUM", }, { "attributes": { - "fixedVersion": "5.0.5, 4.0.1, 3.2.2", - "foundIn": "Node.js", - "installedVersion": "4.0.0", - "packageName": "y18n", + "fixedVersion": "1.9.0, 0.1.10, 8.0.0, 3.3.0, 6.3.0", + "foundIn": "documentation/package-lock.json", + "installedVersion": "0.1.7", + "packageName": "path-to-regexp", "references": [ - "https://github.com/advisories/GHSA-c4w7-xm78-47vh", - "https://github.com/yargs/y18n/issues/96", - "https://github.com/yargs/y18n/pull/108", - "https://linux.oracle.com/cve/CVE-2020-7774.html", - "https://linux.oracle.com/errata/ELSA-2021-0551.html", - "https://nvd.nist.gov/vuln/detail/CVE-2020-7774", - "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1038306", - "https://snyk.io/vuln/SNYK-JS-Y18N-1021887", - "https://www.oracle.com/security-alerts/cpuApr2021.html", + "https://access.redhat.com/security/cve/CVE-2024-45296", + "https://github.com/pillarjs/path-to-regexp", + "https://github.com/pillarjs/path-to-regexp/commit/29b96b4a1de52824e1ca0f49a701183cc4ed476f", + "https://github.com/pillarjs/path-to-regexp/commit/60f2121e9b66b7b622cc01080df0aabda9eedee6", + "https://github.com/pillarjs/path-to-regexp/commit/925ac8e3c5780b02f58cbd4e52f95da8ad2ac485", + "https://github.com/pillarjs/path-to-regexp/commit/d31670ae8f6e69cbfd56e835742195b7d10942ef", + 
"https://github.com/pillarjs/path-to-regexp/commit/f1253b47b347dcb909e3e80b0eb2649109e59894", + "https://github.com/pillarjs/path-to-regexp/releases/tag/v6.3.0", + "https://github.com/pillarjs/path-to-regexp/security/advisories/GHSA-9wv6-86v2-598j", + "https://nvd.nist.gov/vuln/detail/CVE-2024-45296", + "https://www.cve.org/CVERecord?id=CVE-2024-45296", ], - "vulnerabilityId": "CVE-2020-7774", + "vulnerabilityId": "CVE-2024-45296", }, "category": "NPM Package Vulnerability", - "description": "This affects the package y18n before 3.2.2, 4.0.1 and 5.0.5. PoC by po6ix: const y18n = require('y18n')(); y18n.setLocale('__proto__'); y18n.updateLocale({polluted: true}); console.log(polluted); // true", - "location": "bkimminich/juice-shop:v10.2.0", - "mitigation": "Update the affected package y18n to the fixed version: 5.0.5, 4.0.1, 3.2.2 or remove the package from the image.", - "name": "nodejs-y18n: prototype pollution vulnerability", + "description": "path-to-regexp turns path strings into a regular expressions. In certain cases, path-to-regexp will output a regular expression that can be exploited to cause poor performance. Because JavaScript is single threaded and regex matching runs on the main thread, poor performance will block the event loop and lead to a DoS. The bad regular expression is generated any time you have two parameters within a single segment, separated by something that is not a period (.). For users of 0.1, upgrade to 0.1.10. 
All other users should upgrade to 8.0.0.", + "location": "https://github.com/secureCodeBox/secureCodeBox", + "mitigation": "Update the affected package path-to-regexp to the fixed version: 1.9.0, 0.1.10, 8.0.0, 3.3.0, 6.3.0 or remove the package from the image.", + "name": "path-to-regexp: Backtracking regular expressions cause ReDoS", "osi_layer": "NOT_APPLICABLE", "references": [ { "type": "CVE", - "value": "CVE-2020-7774", + "value": "CVE-2024-45296", }, { "type": "URL", - "value": "https://nvd.nist.gov/vuln/detail/CVE-2020-7774", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2024-45296", }, { "type": "URL", - "value": "https://github.com/advisories/GHSA-c4w7-xm78-47vh", + "value": "https://access.redhat.com/security/cve/CVE-2024-45296", }, { "type": "URL", - "value": "https://github.com/yargs/y18n/issues/96", + "value": "https://github.com/pillarjs/path-to-regexp", }, { "type": "URL", - "value": "https://github.com/yargs/y18n/pull/108", + "value": "https://github.com/pillarjs/path-to-regexp/commit/29b96b4a1de52824e1ca0f49a701183cc4ed476f", }, { "type": "URL", - "value": "https://linux.oracle.com/cve/CVE-2020-7774.html", + "value": "https://github.com/pillarjs/path-to-regexp/commit/60f2121e9b66b7b622cc01080df0aabda9eedee6", }, { "type": "URL", - "value": "https://linux.oracle.com/errata/ELSA-2021-0551.html", + "value": "https://github.com/pillarjs/path-to-regexp/commit/925ac8e3c5780b02f58cbd4e52f95da8ad2ac485", }, { "type": "URL", - "value": "https://nvd.nist.gov/vuln/detail/CVE-2020-7774", + "value": "https://github.com/pillarjs/path-to-regexp/commit/d31670ae8f6e69cbfd56e835742195b7d10942ef", }, { "type": "URL", - "value": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1038306", + "value": "https://github.com/pillarjs/path-to-regexp/commit/f1253b47b347dcb909e3e80b0eb2649109e59894", }, { "type": "URL", - "value": "https://snyk.io/vuln/SNYK-JS-Y18N-1021887", + "value": "https://github.com/pillarjs/path-to-regexp/releases/tag/v6.3.0", }, { "type": "URL", - 
"value": "https://www.oracle.com/security-alerts/cpuApr2021.html", + "value": "https://github.com/pillarjs/path-to-regexp/security/advisories/GHSA-9wv6-86v2-598j", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2024-45296", + }, + { + "type": "URL", + "value": "https://www.cve.org/CVERecord?id=CVE-2024-45296", }, ], "severity": "HIGH", }, { "attributes": { - "fixedVersion": "5.0.1, 13.1.2, 18.1.2, 15.0.1", - "foundIn": "Node.js", - "installedVersion": "11.1.1", - "packageName": "yargs-parser", + "fixedVersion": "1.9.0, 0.1.10, 8.0.0, 3.3.0, 6.3.0", + "foundIn": "documentation/package-lock.json", + "installedVersion": "1.8.0", + "packageName": "path-to-regexp", "references": [ - "https://github.com/advisories/GHSA-p9pc-299p-vxgp", - "https://linux.oracle.com/cve/CVE-2020-7608.html", - "https://linux.oracle.com/errata/ELSA-2021-0548.html", - "https://nvd.nist.gov/vuln/detail/CVE-2020-7608", - "https://snyk.io/vuln/SNYK-JS-YARGSPARSER-560381", + "https://access.redhat.com/security/cve/CVE-2024-45296", + "https://github.com/pillarjs/path-to-regexp", + "https://github.com/pillarjs/path-to-regexp/commit/29b96b4a1de52824e1ca0f49a701183cc4ed476f", + "https://github.com/pillarjs/path-to-regexp/commit/60f2121e9b66b7b622cc01080df0aabda9eedee6", + "https://github.com/pillarjs/path-to-regexp/commit/925ac8e3c5780b02f58cbd4e52f95da8ad2ac485", + "https://github.com/pillarjs/path-to-regexp/commit/d31670ae8f6e69cbfd56e835742195b7d10942ef", + "https://github.com/pillarjs/path-to-regexp/commit/f1253b47b347dcb909e3e80b0eb2649109e59894", + "https://github.com/pillarjs/path-to-regexp/releases/tag/v6.3.0", + "https://github.com/pillarjs/path-to-regexp/security/advisories/GHSA-9wv6-86v2-598j", + "https://nvd.nist.gov/vuln/detail/CVE-2024-45296", + "https://www.cve.org/CVERecord?id=CVE-2024-45296", ], - "vulnerabilityId": "CVE-2020-7608", + "vulnerabilityId": "CVE-2024-45296", }, "category": "NPM Package Vulnerability", - "description": "yargs-parser could be 
tricked into adding or modifying properties of Object.prototype using a "__proto__" payload.", - "location": "bkimminich/juice-shop:v10.2.0", - "mitigation": "Update the affected package yargs-parser to the fixed version: 5.0.1, 13.1.2, 18.1.2, 15.0.1 or remove the package from the image.", - "name": "nodejs-yargs-parser: prototype pollution vulnerability", + "description": "path-to-regexp turns path strings into a regular expressions. In certain cases, path-to-regexp will output a regular expression that can be exploited to cause poor performance. Because JavaScript is single threaded and regex matching runs on the main thread, poor performance will block the event loop and lead to a DoS. The bad regular expression is generated any time you have two parameters within a single segment, separated by something that is not a period (.). For users of 0.1, upgrade to 0.1.10. All other users should upgrade to 8.0.0.", + "location": "https://github.com/secureCodeBox/secureCodeBox", + "mitigation": "Update the affected package path-to-regexp to the fixed version: 1.9.0, 0.1.10, 8.0.0, 3.3.0, 6.3.0 or remove the package from the image.", + "name": "path-to-regexp: Backtracking regular expressions cause ReDoS", "osi_layer": "NOT_APPLICABLE", "references": [ { "type": "CVE", - "value": "CVE-2020-7608", + "value": "CVE-2024-45296", }, { "type": "URL", - "value": "https://nvd.nist.gov/vuln/detail/CVE-2020-7608", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2024-45296", }, { "type": "URL", - "value": "https://github.com/advisories/GHSA-p9pc-299p-vxgp", + "value": "https://access.redhat.com/security/cve/CVE-2024-45296", }, { "type": "URL", - "value": "https://linux.oracle.com/cve/CVE-2020-7608.html", + "value": "https://github.com/pillarjs/path-to-regexp", }, { "type": "URL", - "value": "https://linux.oracle.com/errata/ELSA-2021-0548.html", + "value": "https://github.com/pillarjs/path-to-regexp/commit/29b96b4a1de52824e1ca0f49a701183cc4ed476f", }, { "type": "URL", - "value": 
"https://nvd.nist.gov/vuln/detail/CVE-2020-7608", + "value": "https://github.com/pillarjs/path-to-regexp/commit/60f2121e9b66b7b622cc01080df0aabda9eedee6", }, { "type": "URL", - "value": "https://snyk.io/vuln/SNYK-JS-YARGSPARSER-560381", - }, - ], - "severity": "MEDIUM", - }, - { - "attributes": { - "fixedVersion": "5.0.1, 13.1.2, 18.1.2, 15.0.1", - "foundIn": "Node.js", - "installedVersion": "9.0.2", - "packageName": "yargs-parser", - "references": [ - "https://github.com/advisories/GHSA-p9pc-299p-vxgp", - "https://linux.oracle.com/cve/CVE-2020-7608.html", - "https://linux.oracle.com/errata/ELSA-2021-0548.html", - "https://nvd.nist.gov/vuln/detail/CVE-2020-7608", - "https://snyk.io/vuln/SNYK-JS-YARGSPARSER-560381", - ], - "vulnerabilityId": "CVE-2020-7608", - }, - "category": "NPM Package Vulnerability", - "description": "yargs-parser could be tricked into adding or modifying properties of Object.prototype using a "__proto__" payload.", - "location": "bkimminich/juice-shop:v10.2.0", - "mitigation": "Update the affected package yargs-parser to the fixed version: 5.0.1, 13.1.2, 18.1.2, 15.0.1 or remove the package from the image.", - "name": "nodejs-yargs-parser: prototype pollution vulnerability", - "osi_layer": "NOT_APPLICABLE", - "references": [ - { - "type": "CVE", - "value": "CVE-2020-7608", + "value": "https://github.com/pillarjs/path-to-regexp/commit/925ac8e3c5780b02f58cbd4e52f95da8ad2ac485", }, { "type": "URL", - "value": "https://nvd.nist.gov/vuln/detail/CVE-2020-7608", + "value": "https://github.com/pillarjs/path-to-regexp/commit/d31670ae8f6e69cbfd56e835742195b7d10942ef", }, { "type": "URL", - "value": "https://github.com/advisories/GHSA-p9pc-299p-vxgp", + "value": "https://github.com/pillarjs/path-to-regexp/commit/f1253b47b347dcb909e3e80b0eb2649109e59894", }, { "type": "URL", - "value": "https://linux.oracle.com/cve/CVE-2020-7608.html", + "value": "https://github.com/pillarjs/path-to-regexp/releases/tag/v6.3.0", }, { "type": "URL", - "value": 
"https://linux.oracle.com/errata/ELSA-2021-0548.html", + "value": "https://github.com/pillarjs/path-to-regexp/security/advisories/GHSA-9wv6-86v2-598j", }, { "type": "URL", - "value": "https://nvd.nist.gov/vuln/detail/CVE-2020-7608", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2024-45296", }, { "type": "URL", - "value": "https://snyk.io/vuln/SNYK-JS-YARGSPARSER-560381", + "value": "https://www.cve.org/CVERecord?id=CVE-2024-45296", }, ], - "severity": "MEDIUM", + "severity": "HIGH", }, -] -`; - -exports[`parses bkimminich/juice-shop:v12.10.2 result file into findings 1`] = ` -[ { "attributes": { - "fixedVersion": "5.0.1, 6.0.1", - "foundIn": "Node.js", - "installedVersion": "3.0.0", - "packageName": "ansi-regex", + "fixedVersion": "1.9.0, 0.1.10, 8.0.0, 3.3.0, 6.3.0", + "foundIn": "documentation/package-lock.json", + "installedVersion": "2.2.1", + "packageName": "path-to-regexp", "references": [ - "https://github.com/advisories/GHSA-93q8-gq69-wqmw", - "https://github.com/chalk/ansi-regex/commit/8d1d7cdb586269882c4bdc1b7325d0c58c8f76f9", - "https://huntr.dev/bounties/5b3cf33b-ede0-4398-9974-800876dfd994", - "https://nvd.nist.gov/vuln/detail/CVE-2021-3807", + "https://access.redhat.com/security/cve/CVE-2024-45296", + "https://github.com/pillarjs/path-to-regexp", + "https://github.com/pillarjs/path-to-regexp/commit/29b96b4a1de52824e1ca0f49a701183cc4ed476f", + "https://github.com/pillarjs/path-to-regexp/commit/60f2121e9b66b7b622cc01080df0aabda9eedee6", + "https://github.com/pillarjs/path-to-regexp/commit/925ac8e3c5780b02f58cbd4e52f95da8ad2ac485", + "https://github.com/pillarjs/path-to-regexp/commit/d31670ae8f6e69cbfd56e835742195b7d10942ef", + "https://github.com/pillarjs/path-to-regexp/commit/f1253b47b347dcb909e3e80b0eb2649109e59894", + "https://github.com/pillarjs/path-to-regexp/releases/tag/v6.3.0", + "https://github.com/pillarjs/path-to-regexp/security/advisories/GHSA-9wv6-86v2-598j", + "https://nvd.nist.gov/vuln/detail/CVE-2024-45296", + 
"https://www.cve.org/CVERecord?id=CVE-2024-45296", ], - "vulnerabilityId": "CVE-2021-3807", + "vulnerabilityId": "CVE-2024-45296", }, "category": "NPM Package Vulnerability", - "description": "ansi-regex is vulnerable to Inefficient Regular Expression Complexity", - "location": "bkimminich/juice-shop:v12.10.2", - "mitigation": "Update the affected package ansi-regex to the fixed version: 5.0.1, 6.0.1 or remove the package from the image.", - "name": "nodejs-ansi-regex: Regular expression denial of service (ReDoS) matching ANSI escape codes", + "description": "path-to-regexp turns path strings into a regular expressions. In certain cases, path-to-regexp will output a regular expression that can be exploited to cause poor performance. Because JavaScript is single threaded and regex matching runs on the main thread, poor performance will block the event loop and lead to a DoS. The bad regular expression is generated any time you have two parameters within a single segment, separated by something that is not a period (.). For users of 0.1, upgrade to 0.1.10. 
All other users should upgrade to 8.0.0.", + "location": "https://github.com/secureCodeBox/secureCodeBox", + "mitigation": "Update the affected package path-to-regexp to the fixed version: 1.9.0, 0.1.10, 8.0.0, 3.3.0, 6.3.0 or remove the package from the image.", + "name": "path-to-regexp: Backtracking regular expressions cause ReDoS", "osi_layer": "NOT_APPLICABLE", "references": [ { "type": "CVE", - "value": "CVE-2021-3807", + "value": "CVE-2024-45296", }, { "type": "URL", - "value": "https://nvd.nist.gov/vuln/detail/CVE-2021-3807", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2024-45296", }, { "type": "URL", - "value": "https://github.com/advisories/GHSA-93q8-gq69-wqmw", + "value": "https://access.redhat.com/security/cve/CVE-2024-45296", }, { "type": "URL", - "value": "https://github.com/chalk/ansi-regex/commit/8d1d7cdb586269882c4bdc1b7325d0c58c8f76f9", + "value": "https://github.com/pillarjs/path-to-regexp", }, { "type": "URL", - "value": "https://huntr.dev/bounties/5b3cf33b-ede0-4398-9974-800876dfd994", + "value": "https://github.com/pillarjs/path-to-regexp/commit/29b96b4a1de52824e1ca0f49a701183cc4ed476f", }, { "type": "URL", - "value": "https://nvd.nist.gov/vuln/detail/CVE-2021-3807", + "value": "https://github.com/pillarjs/path-to-regexp/commit/60f2121e9b66b7b622cc01080df0aabda9eedee6", }, - ], - "severity": "HIGH", - }, - { - "attributes": { - "fixedVersion": "5.0.1, 6.0.1", - "foundIn": "Node.js", - "installedVersion": "4.1.0", - "packageName": "ansi-regex", - "references": [ - "https://github.com/advisories/GHSA-93q8-gq69-wqmw", - "https://github.com/chalk/ansi-regex/commit/8d1d7cdb586269882c4bdc1b7325d0c58c8f76f9", - "https://huntr.dev/bounties/5b3cf33b-ede0-4398-9974-800876dfd994", - "https://nvd.nist.gov/vuln/detail/CVE-2021-3807", - ], - "vulnerabilityId": "CVE-2021-3807", - }, - "category": "NPM Package Vulnerability", - "description": "ansi-regex is vulnerable to Inefficient Regular Expression Complexity", - "location": 
"bkimminich/juice-shop:v12.10.2", - "mitigation": "Update the affected package ansi-regex to the fixed version: 5.0.1, 6.0.1 or remove the package from the image.", - "name": "nodejs-ansi-regex: Regular expression denial of service (ReDoS) matching ANSI escape codes", - "osi_layer": "NOT_APPLICABLE", - "references": [ { - "type": "CVE", - "value": "CVE-2021-3807", + "type": "URL", + "value": "https://github.com/pillarjs/path-to-regexp/commit/925ac8e3c5780b02f58cbd4e52f95da8ad2ac485", + }, + { + "type": "URL", + "value": "https://github.com/pillarjs/path-to-regexp/commit/d31670ae8f6e69cbfd56e835742195b7d10942ef", }, { "type": "URL", - "value": "https://nvd.nist.gov/vuln/detail/CVE-2021-3807", + "value": "https://github.com/pillarjs/path-to-regexp/commit/f1253b47b347dcb909e3e80b0eb2649109e59894", }, { "type": "URL", - "value": "https://github.com/advisories/GHSA-93q8-gq69-wqmw", + "value": "https://github.com/pillarjs/path-to-regexp/releases/tag/v6.3.0", }, { "type": "URL", - "value": "https://github.com/chalk/ansi-regex/commit/8d1d7cdb586269882c4bdc1b7325d0c58c8f76f9", + "value": "https://github.com/pillarjs/path-to-regexp/security/advisories/GHSA-9wv6-86v2-598j", }, { "type": "URL", - "value": "https://huntr.dev/bounties/5b3cf33b-ede0-4398-9974-800876dfd994", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2024-45296", }, { "type": "URL", - "value": "https://nvd.nist.gov/vuln/detail/CVE-2021-3807", + "value": "https://www.cve.org/CVERecord?id=CVE-2024-45296", }, ], "severity": "HIGH", }, { "attributes": { - "fixedVersion": ">=3.0.0", - "foundIn": "Node.js", - "installedVersion": "0.0.6", - "packageName": "base64url", + "fixedVersion": "0.19.0", + "foundIn": "documentation/package-lock.json", + "installedVersion": "0.18.0", + "packageName": "send", "references": [ - "https://github.com/brianloveswords/base64url/pull/25", - "https://hackerone.com/reports/321687", + "https://access.redhat.com/security/cve/CVE-2024-43799", + "https://github.com/pillarjs/send", + 
"https://github.com/pillarjs/send/commit/ae4f2989491b392ae2ef3b0015a019770ae65d35", + "https://github.com/pillarjs/send/security/advisories/GHSA-m6fv-jmcg-4jfg", + "https://nvd.nist.gov/vuln/detail/CVE-2024-43799", + "https://www.cve.org/CVERecord?id=CVE-2024-43799", ], - "vulnerabilityId": "NSWG-ECO-428", + "vulnerabilityId": "CVE-2024-43799", }, "category": "NPM Package Vulnerability", - "description": "\`base64url\` allocates uninitialized Buffers when number is passed in input on Node.js 4.x and below", - "location": "bkimminich/juice-shop:v12.10.2", - "mitigation": "Update the affected package base64url to the fixed version: >=3.0.0 or remove the package from the image.", - "name": "Out-of-bounds Read", + "description": "Send is a library for streaming files from the file system as a http response. Send passes untrusted user input to SendStream.redirect() which executes untrusted code. This issue is patched in send 0.19.0.", + "location": "https://github.com/secureCodeBox/secureCodeBox", + "mitigation": "Update the affected package send to the fixed version: 0.19.0 or remove the package from the image.", + "name": "send: Code Execution Vulnerability in Send Library", "osi_layer": "NOT_APPLICABLE", "references": [ { - "type": "NSWG", - "value": "NSWG-ECO-428", + "type": "CVE", + "value": "CVE-2024-43799", }, { "type": "URL", - "value": "https://github.com/nodejs/security-wg/tree/master/vuln", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2024-43799", }, { "type": "URL", - "value": "https://github.com/brianloveswords/base64url/pull/25", + "value": "https://access.redhat.com/security/cve/CVE-2024-43799", }, { "type": "URL", - "value": "https://hackerone.com/reports/321687", + "value": "https://github.com/pillarjs/send", }, - ], - "severity": "HIGH", - }, - { - "attributes": { - "fixedVersion": "3.0.0", - "foundIn": "Node.js", - "installedVersion": "0.0.6", - "packageName": "base64url", - "references": [ - "https://github.com/advisories/GHSA-rvg8-pwq2-xj7q", - 
"https://github.com/brianloveswords/base64url/pull/25", - ], - "vulnerabilityId": "GHSA-rvg8-pwq2-xj7q", - }, - "category": "NPM Package Vulnerability", - "description": "Versions of \`base64url\` before 3.0.0 are vulnerable to to out-of-bounds reads as it allocates uninitialized Buffers when number is passed in input on Node.js 4.x and below. - - -## Recommendation - -Update to version 3.0.0 or later.", - "location": "bkimminich/juice-shop:v12.10.2", - "mitigation": "Update the affected package base64url to the fixed version: 3.0.0 or remove the package from the image.", - "name": "Out-of-bounds Read in base64url", - "osi_layer": "NOT_APPLICABLE", - "references": [ { "type": "URL", - "value": "https://github.com/advisories/GHSA-rvg8-pwq2-xj7q", + "value": "https://github.com/pillarjs/send/commit/ae4f2989491b392ae2ef3b0015a019770ae65d35", }, { "type": "URL", - "value": "https://github.com/brianloveswords/base64url/pull/25", + "value": "https://github.com/pillarjs/send/security/advisories/GHSA-m6fv-jmcg-4jfg", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2024-43799", + }, + { + "type": "URL", + "value": "https://www.cve.org/CVERecord?id=CVE-2024-43799", }, ], "severity": "MEDIUM", }, { "attributes": { - "fixedVersion": "3.5.0", - "foundIn": "Node.js", - "installedVersion": "1.0.2", - "packageName": "diff", + "fixedVersion": "1.16.0, 2.1.0", + "foundIn": "documentation/package-lock.json", + "installedVersion": "1.15.0", + "packageName": "serve-static", "references": [ - "https://github.com/advisories/GHSA-h6ch-v84p-w6p9", - "https://github.com/kpdecker/jsdiff/commit/2aec4298639bf30fb88a00b356bf404d3551b8c0", + "https://access.redhat.com/security/cve/CVE-2024-43800", + "https://github.com/expressjs/serve-static", + "https://github.com/expressjs/serve-static/commit/0c11fad159898cdc69fd9ab63269b72468ecaf6b", + "https://github.com/expressjs/serve-static/commit/ce730896fddce1588111d9ef6fdf20896de5c6fa", + 
"https://github.com/expressjs/serve-static/security/advisories/GHSA-cm22-4g7w-348p", + "https://nvd.nist.gov/vuln/detail/CVE-2024-43800", + "https://www.cve.org/CVERecord?id=CVE-2024-43800", ], - "vulnerabilityId": "GHSA-h6ch-v84p-w6p9", + "vulnerabilityId": "CVE-2024-43800", }, "category": "NPM Package Vulnerability", - "description": "A vulnerability was found in diff before v3.5.0, the affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) attacks.", - "location": "bkimminich/juice-shop:v12.10.2", - "mitigation": "Update the affected package diff to the fixed version: 3.5.0 or remove the package from the image.", - "name": "Regular Expression Denial of Service (ReDoS)", + "description": "serve-static serves static files. serve-static passes untrusted user input - even after sanitizing it - to redirect() may execute untrusted code. This issue is patched in serve-static 1.16.0.", + "location": "https://github.com/secureCodeBox/secureCodeBox", + "mitigation": "Update the affected package serve-static to the fixed version: 1.16.0, 2.1.0 or remove the package from the image.", + "name": "serve-static: Improper Sanitization in serve-static", "osi_layer": "NOT_APPLICABLE", "references": [ + { + "type": "CVE", + "value": "CVE-2024-43800", + }, { "type": "URL", - "value": "https://github.com/advisories/GHSA-h6ch-v84p-w6p9", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2024-43800", }, { "type": "URL", - "value": "https://github.com/kpdecker/jsdiff/commit/2aec4298639bf30fb88a00b356bf404d3551b8c0", + "value": "https://access.redhat.com/security/cve/CVE-2024-43800", + }, + { + "type": "URL", + "value": "https://github.com/expressjs/serve-static", + }, + { + "type": "URL", + "value": "https://github.com/expressjs/serve-static/commit/0c11fad159898cdc69fd9ab63269b72468ecaf6b", + }, + { + "type": "URL", + "value": "https://github.com/expressjs/serve-static/commit/ce730896fddce1588111d9ef6fdf20896de5c6fa", + }, + { + "type": "URL", + 
"value": "https://github.com/expressjs/serve-static/security/advisories/GHSA-cm22-4g7w-348p", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2024-43800", + }, + { + "type": "URL", + "value": "https://www.cve.org/CVERecord?id=CVE-2024-43800", }, ], - "severity": "HIGH", + "severity": "MEDIUM", }, { "attributes": { - "fixedVersion": "6.0.0", - "foundIn": "Node.js", - "installedVersion": "0.1.3", - "packageName": "express-jwt", + "fixedVersion": "5.94.0", + "foundIn": "documentation/package-lock.json", + "installedVersion": "5.89.0", + "packageName": "webpack", "references": [ - "https://github.com/advisories/GHSA-6g6m-m6h5-w9gf", - "https://github.com/auth0/express-jwt/commit/7ecab5f8f0cab5297c2b863596566eb0c019cdef", - "https://github.com/auth0/express-jwt/security/advisories/GHSA-6g6m-m6h5-w9gf", - "https://nvd.nist.gov/vuln/detail/CVE-2020-15084", + "https://access.redhat.com/security/cve/CVE-2024-43788", + "https://github.com/webpack/webpack", + "https://github.com/webpack/webpack/commit/955e057abc6cc83cbc3fa1e1ef67a49758bf5a61", + "https://github.com/webpack/webpack/issues/18718#issuecomment-2326296270", + "https://github.com/webpack/webpack/security/advisories/GHSA-4vvj-4cpr-p986", + "https://nvd.nist.gov/vuln/detail/CVE-2024-43788", + "https://research.securitum.com/xss-in-amp4email-dom-clobbering", + "https://scnps.co/papers/sp23_domclob.pdf", + "https://www.cve.org/CVERecord?id=CVE-2024-43788", ], - "vulnerabilityId": "CVE-2020-15084", + "vulnerabilityId": "CVE-2024-43788", }, "category": "NPM Package Vulnerability", - "description": "In express-jwt (NPM package) up and including version 5.3.3, the algorithms entry to be specified in the configuration is not being enforced. When algorithms is not specified in the configuration, with the combination of jwks-rsa, it may lead to authorization bypass. 
You are affected by this vulnerability if all of the following conditions apply: - You are using express-jwt - You do not have **algorithms** configured in your express-jwt configuration. - You are using libraries such as jwks-rsa as the **secret**. You can fix this by specifying **algorithms** in the express-jwt configuration. See linked GHSA for example. This is also fixed in version 6.0.0.", - "location": "bkimminich/juice-shop:v12.10.2", - "mitigation": "Update the affected package express-jwt to the fixed version: 6.0.0 or remove the package from the image.", - "name": "Authorization bypass in express-jwt", + "description": "Webpack is a module bundler. Its main purpose is to bundle JavaScript files for usage in a browser, yet it is also capable of transforming, bundling, or packaging just about any resource or asset. The webpack developers have discovered a DOM Clobbering vulnerability in Webpack’s \`AutoPublicPathRuntimeModule\`. The DOM Clobbering gadget in the module can lead to cross-site scripting (XSS) in web pages where scriptless attacker-controlled HTML elements (e.g., an \`img\` tag with an unsanitized \`name\` attribute) are present. Real-world exploitation of this gadget has been observed in the Canvas LMS which allows a XSS attack to happen through a javascript code compiled by Webpack (the vulnerable part is from Webpack). DOM Clobbering is a type of code-reuse attack where the attacker first embeds a piece of non-script, seemingly benign HTML markups in the webpage (e.g. through a post or comment) and leverages the gadgets (pieces of js code) living in the existing javascript code to transform it into executable code. This vulnerability can lead to cross-site scripting (XSS) on websites that include Webpack-generated files and allow users to inject certain scriptless HTML tags with improperly sanitized name or id attributes. This issue has been addressed in release version 5.94.0. All users are advised to upgrade. 
There are no known workarounds for this issue.", + "location": "https://github.com/secureCodeBox/secureCodeBox", + "mitigation": "Update the affected package webpack to the fixed version: 5.94.0 or remove the package from the image.", + "name": "webpack: DOM Clobbering vulnerability in AutoPublicPathRuntimeModule", "osi_layer": "NOT_APPLICABLE", "references": [ { "type": "CVE", - "value": "CVE-2020-15084", + "value": "CVE-2024-43788", }, { "type": "URL", - "value": "https://nvd.nist.gov/vuln/detail/CVE-2020-15084", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2024-43788", }, { "type": "URL", - "value": "https://github.com/advisories/GHSA-6g6m-m6h5-w9gf", + "value": "https://access.redhat.com/security/cve/CVE-2024-43788", }, { "type": "URL", - "value": "https://github.com/auth0/express-jwt/commit/7ecab5f8f0cab5297c2b863596566eb0c019cdef", + "value": "https://github.com/webpack/webpack", }, { "type": "URL", - "value": "https://github.com/auth0/express-jwt/security/advisories/GHSA-6g6m-m6h5-w9gf", + "value": "https://github.com/webpack/webpack/commit/955e057abc6cc83cbc3fa1e1ef67a49758bf5a61", }, { "type": "URL", - "value": "https://nvd.nist.gov/vuln/detail/CVE-2020-15084", + "value": "https://github.com/webpack/webpack/issues/18718#issuecomment-2326296270", + }, + { + "type": "URL", + "value": "https://github.com/webpack/webpack/security/advisories/GHSA-4vvj-4cpr-p986", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2024-43788", + }, + { + "type": "URL", + "value": "https://research.securitum.com/xss-in-amp4email-dom-clobbering", + }, + { + "type": "URL", + "value": "https://scnps.co/papers/sp23_domclob.pdf", + }, + { + "type": "URL", + "value": "https://www.cve.org/CVERecord?id=CVE-2024-43788", }, ], - "severity": "HIGH", + "severity": "MEDIUM", }, { "attributes": { - "fixedVersion": "1.10.0", - "foundIn": "Node.js", - "installedVersion": "1.5.1", - "packageName": "growl", + "fixedVersion": "1.7.4", + "foundIn": 
"hook-sdk/nodejs/package-lock.json", + "installedVersion": "1.6.0", + "packageName": "axios", "references": [ - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16042", - "https://github.com/advisories/GHSA-qh2h-chj9-jffq", - "https://github.com/tj/node-growl/issues/60", - "https://github.com/tj/node-growl/pull/61", - "https://nodesecurity.io/advisories/146", - "https://nvd.nist.gov/vuln/detail/CVE-2017-16042", + "https://access.redhat.com/security/cve/CVE-2024-39338", + "https://github.com/axios/axios", + "https://github.com/axios/axios/commit/6b6b605eaf73852fb2dae033f1e786155959de3a", + "https://github.com/axios/axios/issues/6463", + "https://github.com/axios/axios/pull/6539", + "https://github.com/axios/axios/pull/6543", + "https://github.com/axios/axios/releases", + "https://github.com/axios/axios/releases/tag/v1.7.4", + "https://jeffhacks.com/advisories/2024/06/24/CVE-2024-39338.html", + "https://nvd.nist.gov/vuln/detail/CVE-2024-39338", + "https://www.cve.org/CVERecord?id=CVE-2024-39338", ], - "vulnerabilityId": "CVE-2017-16042", + "vulnerabilityId": "CVE-2024-39338", }, "category": "NPM Package Vulnerability", - "description": "Growl adds growl notification support to nodejs. 
Growl before 1.10.2 does not properly sanitize input before passing it to exec, allowing for arbitrary command execution.", - "location": "bkimminich/juice-shop:v12.10.2", - "mitigation": "Update the affected package growl to the fixed version: 1.10.0 or remove the package from the image.", - "name": "nodejs-growl: Does not properly sanitize input before passing it to exec", + "description": "axios 1.7.2 allows SSRF via unexpected behavior where requests for path relative URLs get processed as protocol relative URLs.", + "location": "https://github.com/secureCodeBox/secureCodeBox", + "mitigation": "Update the affected package axios to the fixed version: 1.7.4 or remove the package from the image.", + "name": "axios: axios: Server-Side Request Forgery", "osi_layer": "NOT_APPLICABLE", "references": [ { "type": "CVE", - "value": "CVE-2017-16042", + "value": "CVE-2024-39338", }, { "type": "URL", - "value": "https://nvd.nist.gov/vuln/detail/CVE-2017-16042", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2024-39338", }, { "type": "URL", - "value": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16042", + "value": "https://access.redhat.com/security/cve/CVE-2024-39338", }, { "type": "URL", - "value": "https://github.com/advisories/GHSA-qh2h-chj9-jffq", + "value": "https://github.com/axios/axios", }, { "type": "URL", - "value": "https://github.com/tj/node-growl/issues/60", + "value": "https://github.com/axios/axios/commit/6b6b605eaf73852fb2dae033f1e786155959de3a", }, { "type": "URL", - "value": "https://github.com/tj/node-growl/pull/61", + "value": "https://github.com/axios/axios/issues/6463", }, { "type": "URL", - "value": "https://nodesecurity.io/advisories/146", + "value": "https://github.com/axios/axios/pull/6539", }, { "type": "URL", - "value": "https://nvd.nist.gov/vuln/detail/CVE-2017-16042", + "value": "https://github.com/axios/axios/pull/6543", + }, + { + "type": "URL", + "value": "https://github.com/axios/axios/releases", + }, + { + "type": "URL", + 
"value": "https://github.com/axios/axios/releases/tag/v1.7.4", + }, + { + "type": "URL", + "value": "https://jeffhacks.com/advisories/2024/06/24/CVE-2024-39338.html", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2024-39338", + }, + { + "type": "URL", + "value": "https://www.cve.org/CVERecord?id=CVE-2024-39338", }, ], "severity": "HIGH", }, { "attributes": { - "fixedVersion": undefined, - "foundIn": "Node.js", - "installedVersion": "4.1.2", - "packageName": "hbs", + "fixedVersion": "10.0.0", + "foundIn": "hook-sdk/nodejs/package-lock.json", + "installedVersion": "7.2.0", + "packageName": "jsonpath-plus", "references": [ - "https://github.com/advisories/GHSA-7f5c-rpf4-86p8", - "https://nvd.nist.gov/vuln/detail/CVE-2021-32822", - "https://securitylab.github.com/advisories/GHSL-2021-020-pillarjs-hbs/", + "https://access.redhat.com/security/cve/CVE-2024-21534", + "https://github.com/JSONPath-Plus/JSONPath", + "https://github.com/JSONPath-Plus/JSONPath/commit/6b2f1b4c234292c75912b790bf7e2d7339d4ccd3", + "https://github.com/JSONPath-Plus/JSONPath/commit/b70aa713553caf838a63bac923195a5bc541fd72", + "https://github.com/JSONPath-Plus/JSONPath/issues/226", + "https://nvd.nist.gov/vuln/detail/CVE-2024-21534", + "https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-8185019", + "https://security.snyk.io/vuln/SNYK-JS-JSONPATHPLUS-7945884", + "https://www.cve.org/CVERecord?id=CVE-2024-21534", ], - "vulnerabilityId": "CVE-2021-32822", + "vulnerabilityId": "CVE-2024-21534", }, "category": "NPM Package Vulnerability", - "description": "The npm hbs package is an Express view engine wrapper for Handlebars. Depending on usage, users of hbs may be vulnerable to a file disclosure vulnerability. There is currently no patch for this vulnerability. hbs mixes pure template data with engine configuration options through the Express render API. 
By overwriting internal configuration options a file disclosure vulnerability may be triggered in downstream applications. For an example PoC see the referenced GHSL-2021-020.", - "location": "bkimminich/juice-shop:v12.10.2", - "mitigation": "Update the affected package hbs to the fixed version: undefined or remove the package from the image.", - "name": "Insertion of Sensitive Information into Externally-Accessible File or Directory and Exposure of Sensitive Information to an Unauthorized Actor in hbs", + "description": "Versions of the package jsonpath-plus before 10.0.7 are vulnerable to Remote Code Execution (RCE) due to improper input sanitization. An attacker can execute aribitrary code on the system by exploiting the unsafe default usage of vm in Node. + +**Note:** + +There was an attempt to fix it in version [10.0.0](https://github.com/JSONPath-Plus/JSONPath/commit/6b2f1b4c234292c75912b790bf7e2d7339d4ccd3) but it could still be exploited using [different payloads](https://github.com/JSONPath-Plus/JSONPath/issues/226).", + "location": "https://github.com/secureCodeBox/secureCodeBox", + "mitigation": "Update the affected package jsonpath-plus to the fixed version: 10.0.0 or remove the package from the image.", + "name": "jsonpath-plus: Remote Code Execution in jsonpath-plus via Improper Input Sanitization", "osi_layer": "NOT_APPLICABLE", "references": [ { "type": "CVE", - "value": "CVE-2021-32822", + "value": "CVE-2024-21534", }, { "type": "URL", - "value": "https://nvd.nist.gov/vuln/detail/CVE-2021-32822", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2024-21534", }, { "type": "URL", - "value": "https://github.com/advisories/GHSA-7f5c-rpf4-86p8", + "value": "https://access.redhat.com/security/cve/CVE-2024-21534", }, { "type": "URL", - "value": "https://nvd.nist.gov/vuln/detail/CVE-2021-32822", + "value": "https://github.com/JSONPath-Plus/JSONPath", }, { "type": "URL", - "value": "https://securitylab.github.com/advisories/GHSL-2021-020-pillarjs-hbs/", + 
"value": "https://github.com/JSONPath-Plus/JSONPath/commit/6b2f1b4c234292c75912b790bf7e2d7339d4ccd3", + }, + { + "type": "URL", + "value": "https://github.com/JSONPath-Plus/JSONPath/commit/b70aa713553caf838a63bac923195a5bc541fd72", + }, + { + "type": "URL", + "value": "https://github.com/JSONPath-Plus/JSONPath/issues/226", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2024-21534", + }, + { + "type": "URL", + "value": "https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-8185019", + }, + { + "type": "URL", + "value": "https://security.snyk.io/vuln/SNYK-JS-JSONPATHPLUS-7945884", + }, + { + "type": "URL", + "value": "https://www.cve.org/CVERecord?id=CVE-2024-21534", }, ], - "severity": "MEDIUM", + "severity": "HIGH", }, { "attributes": { - "fixedVersion": "4.2.2", - "foundIn": "Node.js", - "installedVersion": "0.1.0", - "packageName": "jsonwebtoken", + "fixedVersion": undefined, + "foundIn": "hook-sdk/nodejs/package-lock.json", + "installedVersion": "2.88.2", + "packageName": "request", "references": [ - "https://auth0.com/blog/2015/03/31/critical-vulnerabilities-in-json-web-token-libraries/", - "https://github.com/advisories/GHSA-c7hr-j4mj-j2w6", - "https://github.com/auth0/node-jsonwebtoken/commit/1bb584bc382295eeb7ee8c4452a673a77a68b687", - "https://nodesecurity.io/advisories/17", - "https://nvd.nist.gov/vuln/detail/CVE-2015-9235", - "https://www.timmclean.net/2015/02/25/jwt-alg-none.html", + "https://doyensec.com/resources/Doyensec_Advisory_RequestSSRF_Q12023.pdf", + "https://github.com/cypress-io/request/blob/master/lib/redirect.js#L116", + "https://github.com/cypress-io/request/commit/c5bcf21d40fb61feaff21a0e5a2b3934a440024f", + "https://github.com/cypress-io/request/pull/28", + "https://github.com/cypress-io/request/releases/tag/v3.0.0", + "https://github.com/github/advisory-database/pull/2500", + "https://github.com/request/request", + "https://github.com/request/request/blob/master/lib/redirect.js#L111", + 
"https://github.com/request/request/issues/3442", + "https://github.com/request/request/pull/3444", + "https://nvd.nist.gov/vuln/detail/CVE-2023-28155", + "https://security.netapp.com/advisory/ntap-20230413-0007", + "https://security.netapp.com/advisory/ntap-20230413-0007/", ], - "vulnerabilityId": "CVE-2015-9235", + "vulnerabilityId": "CVE-2023-28155", }, "category": "NPM Package Vulnerability", - "description": "In jsonwebtoken node module before 4.2.2 it is possible for an attacker to bypass verification when a token digitally signed with an asymmetric key (RS/ES family) of algorithms but instead the attacker send a token digitally signed with a symmetric algorithm (HS* family).", - "location": "bkimminich/juice-shop:v12.10.2", - "mitigation": "Update the affected package jsonwebtoken to the fixed version: 4.2.2 or remove the package from the image.", - "name": "nodejs-jsonwebtoken: verification step bypass with an altered token", + "description": "The Request package through 2.88.1 for Node.js allows a bypass of SSRF mitigations via an attacker-controller server that does a cross-protocol redirect (HTTP to HTTPS, or HTTPS to HTTP). 
NOTE: This vulnerability only affects products that are no longer supported by the maintainer.", + "location": "https://github.com/secureCodeBox/secureCodeBox", + "mitigation": "Update the affected package request to the fixed version: undefined or remove the package from the image.", + "name": "The Request package through 2.88.1 for Node.js allows a bypass of SSRF ...", "osi_layer": "NOT_APPLICABLE", "references": [ { "type": "CVE", - "value": "CVE-2015-9235", + "value": "CVE-2023-28155", }, { "type": "URL", - "value": "https://nvd.nist.gov/vuln/detail/CVE-2015-9235", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2023-28155", }, { "type": "URL", - "value": "https://auth0.com/blog/2015/03/31/critical-vulnerabilities-in-json-web-token-libraries/", + "value": "https://doyensec.com/resources/Doyensec_Advisory_RequestSSRF_Q12023.pdf", }, { "type": "URL", - "value": "https://github.com/advisories/GHSA-c7hr-j4mj-j2w6", + "value": "https://github.com/cypress-io/request/blob/master/lib/redirect.js#L116", }, { "type": "URL", - "value": "https://github.com/auth0/node-jsonwebtoken/commit/1bb584bc382295eeb7ee8c4452a673a77a68b687", + "value": "https://github.com/cypress-io/request/commit/c5bcf21d40fb61feaff21a0e5a2b3934a440024f", }, { "type": "URL", - "value": "https://nodesecurity.io/advisories/17", + "value": "https://github.com/cypress-io/request/pull/28", }, { "type": "URL", - "value": "https://nvd.nist.gov/vuln/detail/CVE-2015-9235", + "value": "https://github.com/cypress-io/request/releases/tag/v3.0.0", }, { "type": "URL", - "value": "https://www.timmclean.net/2015/02/25/jwt-alg-none.html", + "value": "https://github.com/github/advisory-database/pull/2500", }, - ], - "severity": "HIGH", - }, - { - "attributes": { - "fixedVersion": ">=4.2.2", - "foundIn": "Node.js", - "installedVersion": "0.1.0", - "packageName": "jsonwebtoken", - "references": [ - "https://auth0.com/blog/2015/03/31/critical-vulnerabilities-in-json-web-token-libraries/", - 
"https://github.com/auth0/node-jsonwebtoken/commit/1bb584bc382295eeb7ee8c4452a673a77a68b687", - "https://www.timmclean.net/2015/02/25/jwt-alg-none.html", - ], - "vulnerabilityId": "NSWG-ECO-17", - }, - "category": "NPM Package Vulnerability", - "description": "It is possible for an attacker to bypass verification when "a token digitally signed with an asymetric key (RS/ES family) of algorithms but instead the attacker send a token digitally signed with a symmetric algorithm (HS* family)" [1]", - "location": "bkimminich/juice-shop:v12.10.2", - "mitigation": "Update the affected package jsonwebtoken to the fixed version: >=4.2.2 or remove the package from the image.", - "name": "Verification Bypass", - "osi_layer": "NOT_APPLICABLE", - "references": [ { - "type": "NSWG", - "value": "NSWG-ECO-17", + "type": "URL", + "value": "https://github.com/request/request", }, { "type": "URL", - "value": "https://github.com/nodejs/security-wg/tree/master/vuln", + "value": "https://github.com/request/request/blob/master/lib/redirect.js#L111", + }, + { + "type": "URL", + "value": "https://github.com/request/request/issues/3442", + }, + { + "type": "URL", + "value": "https://github.com/request/request/pull/3444", }, { "type": "URL", - "value": "https://auth0.com/blog/2015/03/31/critical-vulnerabilities-in-json-web-token-libraries/", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2023-28155", }, { "type": "URL", - "value": "https://github.com/auth0/node-jsonwebtoken/commit/1bb584bc382295eeb7ee8c4452a673a77a68b687", + "value": "https://security.netapp.com/advisory/ntap-20230413-0007", }, { "type": "URL", - "value": "https://www.timmclean.net/2015/02/25/jwt-alg-none.html", + "value": "https://security.netapp.com/advisory/ntap-20230413-0007/", }, ], - "severity": "HIGH", + "severity": "MEDIUM", }, { "attributes": { - "fixedVersion": "4.2.2", - "foundIn": "Node.js", - "installedVersion": "0.4.0", - "packageName": "jsonwebtoken", + "fixedVersion": "4.1.3", + "foundIn": 
"hook-sdk/nodejs/package-lock.json", + "installedVersion": "2.5.0", + "packageName": "tough-cookie", "references": [ - "https://auth0.com/blog/2015/03/31/critical-vulnerabilities-in-json-web-token-libraries/", - "https://github.com/advisories/GHSA-c7hr-j4mj-j2w6", - "https://github.com/auth0/node-jsonwebtoken/commit/1bb584bc382295eeb7ee8c4452a673a77a68b687", - "https://nodesecurity.io/advisories/17", - "https://nvd.nist.gov/vuln/detail/CVE-2015-9235", - "https://www.timmclean.net/2015/02/25/jwt-alg-none.html", + "https://access.redhat.com/security/cve/CVE-2023-26136", + "https://github.com/salesforce/tough-cookie", + "https://github.com/salesforce/tough-cookie/commit/12d474791bb856004e858fdb1c47b7608d09cf6e", + "https://github.com/salesforce/tough-cookie/issues/282", + "https://github.com/salesforce/tough-cookie/releases/tag/v4.1.3", + "https://lists.debian.org/debian-lts-announce/2023/07/msg00010.html", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3HUE6ZR5SL73KHL7XUPAOEL6SB7HUDT2", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3HUE6ZR5SL73KHL7XUPAOEL6SB7HUDT2/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6PVVPNSAGSDS63HQ74PJ7MZ3MU5IYNVZ", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6PVVPNSAGSDS63HQ74PJ7MZ3MU5IYNVZ/", + "https://nvd.nist.gov/vuln/detail/CVE-2023-26136", + "https://security.netapp.com/advisory/ntap-20240621-0006", + "https://security.netapp.com/advisory/ntap-20240621-0006/", + "https://security.snyk.io/vuln/SNYK-JS-TOUGHCOOKIE-5672873", + "https://www.cve.org/CVERecord?id=CVE-2023-26136", ], - "vulnerabilityId": "CVE-2015-9235", + "vulnerabilityId": "CVE-2023-26136", }, "category": "NPM Package Vulnerability", - "description": "In jsonwebtoken node module before 4.2.2 it is possible for an attacker to bypass verification when a token 
digitally signed with an asymmetric key (RS/ES family) of algorithms but instead the attacker send a token digitally signed with a symmetric algorithm (HS* family).", - "location": "bkimminich/juice-shop:v12.10.2", - "mitigation": "Update the affected package jsonwebtoken to the fixed version: 4.2.2 or remove the package from the image.", - "name": "nodejs-jsonwebtoken: verification step bypass with an altered token", + "description": "Versions of the package tough-cookie before 4.1.3 are vulnerable to Prototype Pollution due to improper handling of Cookies when using CookieJar in rejectPublicSuffixes=false mode. This issue arises from the manner in which the objects are initialized.", + "location": "https://github.com/secureCodeBox/secureCodeBox", + "mitigation": "Update the affected package tough-cookie to the fixed version: 4.1.3 or remove the package from the image.", + "name": "tough-cookie: prototype pollution in cookie memstore", "osi_layer": "NOT_APPLICABLE", "references": [ { "type": "CVE", - "value": "CVE-2015-9235", + "value": "CVE-2023-26136", }, { "type": "URL", - "value": "https://nvd.nist.gov/vuln/detail/CVE-2015-9235", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2023-26136", }, { "type": "URL", - "value": "https://auth0.com/blog/2015/03/31/critical-vulnerabilities-in-json-web-token-libraries/", + "value": "https://access.redhat.com/security/cve/CVE-2023-26136", }, { "type": "URL", - "value": "https://github.com/advisories/GHSA-c7hr-j4mj-j2w6", + "value": "https://github.com/salesforce/tough-cookie", }, { "type": "URL", - "value": "https://github.com/auth0/node-jsonwebtoken/commit/1bb584bc382295eeb7ee8c4452a673a77a68b687", + "value": "https://github.com/salesforce/tough-cookie/commit/12d474791bb856004e858fdb1c47b7608d09cf6e", }, { "type": "URL", - "value": "https://nodesecurity.io/advisories/17", + "value": "https://github.com/salesforce/tough-cookie/issues/282", }, { "type": "URL", - "value": "https://nvd.nist.gov/vuln/detail/CVE-2015-9235", + 
"value": "https://github.com/salesforce/tough-cookie/releases/tag/v4.1.3", }, { "type": "URL", - "value": "https://www.timmclean.net/2015/02/25/jwt-alg-none.html", - }, - ], - "severity": "HIGH", - }, - { - "attributes": { - "fixedVersion": ">=4.2.2", - "foundIn": "Node.js", - "installedVersion": "0.4.0", - "packageName": "jsonwebtoken", - "references": [ - "https://auth0.com/blog/2015/03/31/critical-vulnerabilities-in-json-web-token-libraries/", - "https://github.com/auth0/node-jsonwebtoken/commit/1bb584bc382295eeb7ee8c4452a673a77a68b687", - "https://www.timmclean.net/2015/02/25/jwt-alg-none.html", - ], - "vulnerabilityId": "NSWG-ECO-17", - }, - "category": "NPM Package Vulnerability", - "description": "It is possible for an attacker to bypass verification when "a token digitally signed with an asymetric key (RS/ES family) of algorithms but instead the attacker send a token digitally signed with a symmetric algorithm (HS* family)" [1]", - "location": "bkimminich/juice-shop:v12.10.2", - "mitigation": "Update the affected package jsonwebtoken to the fixed version: >=4.2.2 or remove the package from the image.", - "name": "Verification Bypass", - "osi_layer": "NOT_APPLICABLE", - "references": [ - { - "type": "NSWG", - "value": "NSWG-ECO-17", + "value": "https://lists.debian.org/debian-lts-announce/2023/07/msg00010.html", }, { "type": "URL", - "value": "https://github.com/nodejs/security-wg/tree/master/vuln", + "value": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3HUE6ZR5SL73KHL7XUPAOEL6SB7HUDT2", }, { "type": "URL", - "value": "https://auth0.com/blog/2015/03/31/critical-vulnerabilities-in-json-web-token-libraries/", + "value": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3HUE6ZR5SL73KHL7XUPAOEL6SB7HUDT2/", }, { "type": "URL", - "value": "https://github.com/auth0/node-jsonwebtoken/commit/1bb584bc382295eeb7ee8c4452a673a77a68b687", + "value": 
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6PVVPNSAGSDS63HQ74PJ7MZ3MU5IYNVZ", }, { "type": "URL", - "value": "https://www.timmclean.net/2015/02/25/jwt-alg-none.html", - }, - ], - "severity": "HIGH", - }, - { - "attributes": { - "fixedVersion": "3.0.0", - "foundIn": "Node.js", - "installedVersion": "0.2.6", - "packageName": "jws", - "references": [ - "https://auth0.com/blog/2015/03/31/critical-vulnerabilities-in-json-web-token-libraries/", - "https://github.com/advisories/GHSA-gjcw-v447-2w7q", - "https://github.com/brianloveswords/node-jws/commit/585d0e1e97b6747c10cf5b7689ccc5618a89b299#diff-4ac32a78649ca5bdd8e0ba38b7006a1e", - "https://nvd.nist.gov/vuln/detail/CVE-2016-1000223", - ], - "vulnerabilityId": "CVE-2016-1000223", - }, - "category": "NPM Package Vulnerability", - "description": "Since "algorithm" isn't enforced in \`jws.verify()\`, a malicious user could choose what algorithm is sent to the server. If the server is expecting RSA but is sent HMAC-SHA with RSA's public key, the server will think the public key is actually an HMAC private key. This could be used to forge any data an attacker wants. - -In addition, there is the \`none\` algorithm to be concerned about. In versions prior to 3.0.0, verification of the token could be bypassed when the \`alg\` field is set to \`none\`. - -*Edit ( 7/29/16 ): A previous version of this advisory incorrectly stated that the vulnerability was patched in version 2.0.0 instead of 3.0.0. The advisory has been updated to reflect this new information. 
Thanks to Fabien Catteau for reporting the error.*", - "location": "bkimminich/juice-shop:v12.10.2", - "mitigation": "Update the affected package jws to the fixed version: 3.0.0 or remove the package from the image.", - "name": "Forgeable Public/Private Tokens", - "osi_layer": "NOT_APPLICABLE", - "references": [ - { - "type": "CVE", - "value": "CVE-2016-1000223", + "value": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6PVVPNSAGSDS63HQ74PJ7MZ3MU5IYNVZ/", }, { "type": "URL", - "value": "https://nvd.nist.gov/vuln/detail/CVE-2016-1000223", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2023-26136", }, { "type": "URL", - "value": "https://auth0.com/blog/2015/03/31/critical-vulnerabilities-in-json-web-token-libraries/", + "value": "https://security.netapp.com/advisory/ntap-20240621-0006", }, { "type": "URL", - "value": "https://github.com/advisories/GHSA-gjcw-v447-2w7q", + "value": "https://security.netapp.com/advisory/ntap-20240621-0006/", }, { "type": "URL", - "value": "https://github.com/brianloveswords/node-jws/commit/585d0e1e97b6747c10cf5b7689ccc5618a89b299#diff-4ac32a78649ca5bdd8e0ba38b7006a1e", + "value": "https://security.snyk.io/vuln/SNYK-JS-TOUGHCOOKIE-5672873", }, { "type": "URL", - "value": "https://nvd.nist.gov/vuln/detail/CVE-2016-1000223", + "value": "https://www.cve.org/CVERecord?id=CVE-2023-26136", }, ], - "severity": "HIGH", + "severity": "MEDIUM", }, { "attributes": { - "fixedVersion": "4.17.12", - "foundIn": "Node.js", - "installedVersion": "2.4.2", - "packageName": "lodash", + "fixedVersion": "5.2.4, 6.2.3, 7.5.10, 8.17.1", + "foundIn": "hook-sdk/nodejs/package-lock.json", + "installedVersion": "8.13.0", + "packageName": "ws", "references": [ - "https://access.redhat.com/errata/RHSA-2019:3024", - "https://github.com/advisories/GHSA-jf85-cpcp-j695", - "https://nvd.nist.gov/vuln/detail/CVE-2019-10744", - "https://security.netapp.com/advisory/ntap-20191004-0005/", - 
"https://snyk.io/vuln/SNYK-JS-LODASH-450202", - "https://support.f5.com/csp/article/K47105354?utm_source=f5support&utm_medium=RSS", - "https://www.oracle.com/security-alerts/cpujan2021.html", - "https://www.oracle.com/security-alerts/cpuoct2020.html", - ], - "vulnerabilityId": "CVE-2019-10744", + "https://access.redhat.com/security/cve/CVE-2024-37890", + "https://github.com/websockets/ws", + "https://github.com/websockets/ws/commit/22c28763234aa75a7e1b76f5c01c181260d7917f", + "https://github.com/websockets/ws/commit/4abd8f6de4b0b65ef80b3ff081989479ed93377e", + "https://github.com/websockets/ws/commit/e55e5106f10fcbaac37cfa89759e4cc0d073a52c", + "https://github.com/websockets/ws/commit/eeb76d313e2a00dd5247ca3597bba7877d064a63", + "https://github.com/websockets/ws/issues/2230", + "https://github.com/websockets/ws/pull/2231", + "https://github.com/websockets/ws/security/advisories/GHSA-3h5v-q93c-6h6q", + "https://nodejs.org/api/http.html#servermaxheaderscount", + "https://nvd.nist.gov/vuln/detail/CVE-2024-37890", + "https://www.cve.org/CVERecord?id=CVE-2024-37890", + ], + "vulnerabilityId": "CVE-2024-37890", }, "category": "NPM Package Vulnerability", - "description": "Versions of lodash lower than 4.17.12 are vulnerable to Prototype Pollution. The function defaultsDeep could be tricked into adding or modifying properties of Object.prototype using a constructor payload.", - "location": "bkimminich/juice-shop:v12.10.2", - "mitigation": "Update the affected package lodash to the fixed version: 4.17.12 or remove the package from the image.", - "name": "nodejs-lodash: prototype pollution in defaultsDeep function leading to modifying properties", + "description": "ws is an open source WebSocket client and server for Node.js. A request with a number of headers exceeding theserver.maxHeadersCount threshold could be used to crash a ws server. The vulnerability was fixed in ws@8.17.1 (e55e510) and backported to ws@7.5.10 (22c2876), ws@6.2.3 (eeb76d3), and ws@5.2.4 (4abd8f6). 
In vulnerable versions of ws, the issue can be mitigated in the following ways: 1. Reduce the maximum allowed length of the request headers using the --max-http-header-size=size and/or the maxHeaderSize options so that no more headers than the server.maxHeadersCount limit can be sent. 2. Set server.maxHeadersCount to 0 so that no limit is applied.", + "location": "https://github.com/secureCodeBox/secureCodeBox", + "mitigation": "Update the affected package ws to the fixed version: 5.2.4, 6.2.3, 7.5.10, 8.17.1 or remove the package from the image.", + "name": "nodejs-ws: denial of service when handling a request with many HTTP headers", "osi_layer": "NOT_APPLICABLE", "references": [ { "type": "CVE", - "value": "CVE-2019-10744", + "value": "CVE-2024-37890", }, { "type": "URL", - "value": "https://nvd.nist.gov/vuln/detail/CVE-2019-10744", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2024-37890", }, { "type": "URL", - "value": "https://access.redhat.com/errata/RHSA-2019:3024", + "value": "https://access.redhat.com/security/cve/CVE-2024-37890", }, { "type": "URL", - "value": "https://github.com/advisories/GHSA-jf85-cpcp-j695", + "value": "https://github.com/websockets/ws", }, { "type": "URL", - "value": "https://nvd.nist.gov/vuln/detail/CVE-2019-10744", + "value": "https://github.com/websockets/ws/commit/22c28763234aa75a7e1b76f5c01c181260d7917f", }, { "type": "URL", - "value": "https://security.netapp.com/advisory/ntap-20191004-0005/", + "value": "https://github.com/websockets/ws/commit/4abd8f6de4b0b65ef80b3ff081989479ed93377e", }, { "type": "URL", - "value": "https://snyk.io/vuln/SNYK-JS-LODASH-450202", + "value": "https://github.com/websockets/ws/commit/e55e5106f10fcbaac37cfa89759e4cc0d073a52c", }, { "type": "URL", - "value": "https://support.f5.com/csp/article/K47105354?utm_source=f5support&utm_medium=RSS", + "value": "https://github.com/websockets/ws/commit/eeb76d313e2a00dd5247ca3597bba7877d064a63", }, { "type": "URL", - "value": 
"https://www.oracle.com/security-alerts/cpujan2021.html", + "value": "https://github.com/websockets/ws/issues/2230", }, { "type": "URL", - "value": "https://www.oracle.com/security-alerts/cpuoct2020.html", + "value": "https://github.com/websockets/ws/pull/2231", + }, + { + "type": "URL", + "value": "https://github.com/websockets/ws/security/advisories/GHSA-3h5v-q93c-6h6q", + }, + { + "type": "URL", + "value": "https://nodejs.org/api/http.html#servermaxheaderscount", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2024-37890", + }, + { + "type": "URL", + "value": "https://www.cve.org/CVERecord?id=CVE-2024-37890", }, ], "severity": "HIGH", }, { "attributes": { - "fixedVersion": "4.17.19", - "foundIn": "Node.js", - "installedVersion": "2.4.2", - "packageName": "lodash", + "fixedVersion": "10.0.0", + "foundIn": "hooks/cascading-scans/hook/package-lock.json", + "installedVersion": "7.2.0", + "packageName": "jsonpath-plus", "references": [ - "https://github.com/advisories/GHSA-p6mc-m468-83gw", - "https://github.com/lodash/lodash/issues/4874", - "https://hackerone.com/reports/712065", - "https://nvd.nist.gov/vuln/detail/CVE-2020-8203", - "https://security.netapp.com/advisory/ntap-20200724-0006/", - "https://www.npmjs.com/advisories/1523", - "https://www.oracle.com//security-alerts/cpujul2021.html", - "https://www.oracle.com/security-alerts/cpuApr2021.html", - "https://www.oracle.com/security-alerts/cpuoct2021.html", + "https://access.redhat.com/security/cve/CVE-2024-21534", + "https://github.com/JSONPath-Plus/JSONPath", + "https://github.com/JSONPath-Plus/JSONPath/commit/6b2f1b4c234292c75912b790bf7e2d7339d4ccd3", + "https://github.com/JSONPath-Plus/JSONPath/commit/b70aa713553caf838a63bac923195a5bc541fd72", + "https://github.com/JSONPath-Plus/JSONPath/issues/226", + "https://nvd.nist.gov/vuln/detail/CVE-2024-21534", + "https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-8185019", + "https://security.snyk.io/vuln/SNYK-JS-JSONPATHPLUS-7945884", + 
"https://www.cve.org/CVERecord?id=CVE-2024-21534", ], - "vulnerabilityId": "CVE-2020-8203", + "vulnerabilityId": "CVE-2024-21534", }, "category": "NPM Package Vulnerability", - "description": "Prototype pollution attack when using _.zipObjectDeep in lodash before 4.17.20.", - "location": "bkimminich/juice-shop:v12.10.2", - "mitigation": "Update the affected package lodash to the fixed version: 4.17.19 or remove the package from the image.", - "name": "nodejs-lodash: prototype pollution in zipObjectDeep function", + "description": "Versions of the package jsonpath-plus before 10.0.7 are vulnerable to Remote Code Execution (RCE) due to improper input sanitization. An attacker can execute aribitrary code on the system by exploiting the unsafe default usage of vm in Node. + +**Note:** + +There was an attempt to fix it in version [10.0.0](https://github.com/JSONPath-Plus/JSONPath/commit/6b2f1b4c234292c75912b790bf7e2d7339d4ccd3) but it could still be exploited using [different payloads](https://github.com/JSONPath-Plus/JSONPath/issues/226).", + "location": "https://github.com/secureCodeBox/secureCodeBox", + "mitigation": "Update the affected package jsonpath-plus to the fixed version: 10.0.0 or remove the package from the image.", + "name": "jsonpath-plus: Remote Code Execution in jsonpath-plus via Improper Input Sanitization", "osi_layer": "NOT_APPLICABLE", "references": [ { "type": "CVE", - "value": "CVE-2020-8203", + "value": "CVE-2024-21534", }, { "type": "URL", - "value": "https://nvd.nist.gov/vuln/detail/CVE-2020-8203", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2024-21534", }, { "type": "URL", - "value": "https://github.com/advisories/GHSA-p6mc-m468-83gw", + "value": "https://access.redhat.com/security/cve/CVE-2024-21534", }, { "type": "URL", - "value": "https://github.com/lodash/lodash/issues/4874", + "value": "https://github.com/JSONPath-Plus/JSONPath", }, { "type": "URL", - "value": "https://hackerone.com/reports/712065", + "value": 
"https://github.com/JSONPath-Plus/JSONPath/commit/6b2f1b4c234292c75912b790bf7e2d7339d4ccd3", }, { "type": "URL", - "value": "https://nvd.nist.gov/vuln/detail/CVE-2020-8203", + "value": "https://github.com/JSONPath-Plus/JSONPath/commit/b70aa713553caf838a63bac923195a5bc541fd72", }, { "type": "URL", - "value": "https://security.netapp.com/advisory/ntap-20200724-0006/", + "value": "https://github.com/JSONPath-Plus/JSONPath/issues/226", }, { "type": "URL", - "value": "https://www.npmjs.com/advisories/1523", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2024-21534", }, { "type": "URL", - "value": "https://www.oracle.com//security-alerts/cpujul2021.html", + "value": "https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-8185019", }, { "type": "URL", - "value": "https://www.oracle.com/security-alerts/cpuApr2021.html", + "value": "https://security.snyk.io/vuln/SNYK-JS-JSONPATHPLUS-7945884", }, { "type": "URL", - "value": "https://www.oracle.com/security-alerts/cpuoct2021.html", + "value": "https://www.cve.org/CVERecord?id=CVE-2024-21534", }, ], "severity": "HIGH", }, { "attributes": { - "fixedVersion": "4.17.21", - "foundIn": "Node.js", - "installedVersion": "2.4.2", - "packageName": "lodash", + "fixedVersion": undefined, + "foundIn": "hooks/cascading-scans/hook/package-lock.json", + "installedVersion": "2.88.2", + "packageName": "request", "references": [ - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23337", - "https://github.com/advisories/GHSA-35jh-r3h4-6jhm", - "https://github.com/lodash/lodash/blob/ddfd9b11a0126db2302cb70ec9973b66baec0975/lodash.js%23L14851", - "https://nvd.nist.gov/vuln/detail/CVE-2021-23337", - "https://security.netapp.com/advisory/ntap-20210312-0006/", - "https://snyk.io/vuln/SNYK-JAVA-ORGFUJIONWEBJARS-1074932", - "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-1074930", - "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1074928", - "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBLODASH-1074931", - 
"https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1074929", - "https://snyk.io/vuln/SNYK-JS-LODASH-1040724", - "https://www.oracle.com//security-alerts/cpujul2021.html", - "https://www.oracle.com/security-alerts/cpuoct2021.html", + "https://doyensec.com/resources/Doyensec_Advisory_RequestSSRF_Q12023.pdf", + "https://github.com/cypress-io/request/blob/master/lib/redirect.js#L116", + "https://github.com/cypress-io/request/commit/c5bcf21d40fb61feaff21a0e5a2b3934a440024f", + "https://github.com/cypress-io/request/pull/28", + "https://github.com/cypress-io/request/releases/tag/v3.0.0", + "https://github.com/github/advisory-database/pull/2500", + "https://github.com/request/request", + "https://github.com/request/request/blob/master/lib/redirect.js#L111", + "https://github.com/request/request/issues/3442", + "https://github.com/request/request/pull/3444", + "https://nvd.nist.gov/vuln/detail/CVE-2023-28155", + "https://security.netapp.com/advisory/ntap-20230413-0007", + "https://security.netapp.com/advisory/ntap-20230413-0007/", ], - "vulnerabilityId": "CVE-2021-23337", + "vulnerabilityId": "CVE-2023-28155", }, "category": "NPM Package Vulnerability", - "description": "Lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function.", - "location": "bkimminich/juice-shop:v12.10.2", - "mitigation": "Update the affected package lodash to the fixed version: 4.17.21 or remove the package from the image.", - "name": "nodejs-lodash: command injection via template", + "description": "The Request package through 2.88.1 for Node.js allows a bypass of SSRF mitigations via an attacker-controller server that does a cross-protocol redirect (HTTP to HTTPS, or HTTPS to HTTP). 
NOTE: This vulnerability only affects products that are no longer supported by the maintainer.", + "location": "https://github.com/secureCodeBox/secureCodeBox", + "mitigation": "Update the affected package request to the fixed version: undefined or remove the package from the image.", + "name": "The Request package through 2.88.1 for Node.js allows a bypass of SSRF ...", "osi_layer": "NOT_APPLICABLE", "references": [ { "type": "CVE", - "value": "CVE-2021-23337", + "value": "CVE-2023-28155", }, { "type": "URL", - "value": "https://nvd.nist.gov/vuln/detail/CVE-2021-23337", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2023-28155", }, { "type": "URL", - "value": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23337", + "value": "https://doyensec.com/resources/Doyensec_Advisory_RequestSSRF_Q12023.pdf", }, { "type": "URL", - "value": "https://github.com/advisories/GHSA-35jh-r3h4-6jhm", + "value": "https://github.com/cypress-io/request/blob/master/lib/redirect.js#L116", }, { "type": "URL", - "value": "https://github.com/lodash/lodash/blob/ddfd9b11a0126db2302cb70ec9973b66baec0975/lodash.js%23L14851", + "value": "https://github.com/cypress-io/request/commit/c5bcf21d40fb61feaff21a0e5a2b3934a440024f", }, { "type": "URL", - "value": "https://nvd.nist.gov/vuln/detail/CVE-2021-23337", + "value": "https://github.com/cypress-io/request/pull/28", }, { "type": "URL", - "value": "https://security.netapp.com/advisory/ntap-20210312-0006/", + "value": "https://github.com/cypress-io/request/releases/tag/v3.0.0", }, { "type": "URL", - "value": "https://snyk.io/vuln/SNYK-JAVA-ORGFUJIONWEBJARS-1074932", + "value": "https://github.com/github/advisory-database/pull/2500", }, { "type": "URL", - "value": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-1074930", + "value": "https://github.com/request/request", }, { "type": "URL", - "value": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1074928", + "value": "https://github.com/request/request/blob/master/lib/redirect.js#L111", }, { 
"type": "URL", - "value": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBLODASH-1074931", + "value": "https://github.com/request/request/issues/3442", }, { "type": "URL", - "value": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1074929", + "value": "https://github.com/request/request/pull/3444", }, { "type": "URL", - "value": "https://snyk.io/vuln/SNYK-JS-LODASH-1040724", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2023-28155", }, { "type": "URL", - "value": "https://www.oracle.com//security-alerts/cpujul2021.html", + "value": "https://security.netapp.com/advisory/ntap-20230413-0007", }, { "type": "URL", - "value": "https://www.oracle.com/security-alerts/cpuoct2021.html", + "value": "https://security.netapp.com/advisory/ntap-20230413-0007/", }, ], - "severity": "HIGH", + "severity": "MEDIUM", }, { "attributes": { - "fixedVersion": "4.17.11", - "foundIn": "Node.js", - "installedVersion": "2.4.2", - "packageName": "lodash", + "fixedVersion": "4.1.3", + "foundIn": "hooks/cascading-scans/hook/package-lock.json", + "installedVersion": "2.5.0", + "packageName": "tough-cookie", "references": [ - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16487", - "https://github.com/advisories/GHSA-4xc9-xhrj-v574", - "https://hackerone.com/reports/380873", - "https://nvd.nist.gov/vuln/detail/CVE-2018-16487", - "https://security.netapp.com/advisory/ntap-20190919-0004/", + "https://access.redhat.com/security/cve/CVE-2023-26136", + "https://github.com/salesforce/tough-cookie", + "https://github.com/salesforce/tough-cookie/commit/12d474791bb856004e858fdb1c47b7608d09cf6e", + "https://github.com/salesforce/tough-cookie/issues/282", + "https://github.com/salesforce/tough-cookie/releases/tag/v4.1.3", + "https://lists.debian.org/debian-lts-announce/2023/07/msg00010.html", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3HUE6ZR5SL73KHL7XUPAOEL6SB7HUDT2", + 
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3HUE6ZR5SL73KHL7XUPAOEL6SB7HUDT2/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6PVVPNSAGSDS63HQ74PJ7MZ3MU5IYNVZ", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6PVVPNSAGSDS63HQ74PJ7MZ3MU5IYNVZ/", + "https://nvd.nist.gov/vuln/detail/CVE-2023-26136", + "https://security.netapp.com/advisory/ntap-20240621-0006", + "https://security.netapp.com/advisory/ntap-20240621-0006/", + "https://security.snyk.io/vuln/SNYK-JS-TOUGHCOOKIE-5672873", + "https://www.cve.org/CVERecord?id=CVE-2023-26136", ], - "vulnerabilityId": "CVE-2018-16487", + "vulnerabilityId": "CVE-2023-26136", }, "category": "NPM Package Vulnerability", - "description": "A prototype pollution vulnerability was found in lodash <4.17.11 where the functions merge, mergeWith, and defaultsDeep can be tricked into adding or modifying properties of Object.prototype.", - "location": "bkimminich/juice-shop:v12.10.2", - "mitigation": "Update the affected package lodash to the fixed version: 4.17.11 or remove the package from the image.", - "name": "lodash: Prototype pollution in utilities function", + "description": "Versions of the package tough-cookie before 4.1.3 are vulnerable to Prototype Pollution due to improper handling of Cookies when using CookieJar in rejectPublicSuffixes=false mode. 
This issue arises from the manner in which the objects are initialized.", + "location": "https://github.com/secureCodeBox/secureCodeBox", + "mitigation": "Update the affected package tough-cookie to the fixed version: 4.1.3 or remove the package from the image.", + "name": "tough-cookie: prototype pollution in cookie memstore", "osi_layer": "NOT_APPLICABLE", "references": [ { "type": "CVE", - "value": "CVE-2018-16487", - }, - { - "type": "URL", - "value": "https://nvd.nist.gov/vuln/detail/CVE-2018-16487", - }, - { - "type": "URL", - "value": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16487", - }, - { - "type": "URL", - "value": "https://github.com/advisories/GHSA-4xc9-xhrj-v574", + "value": "CVE-2023-26136", }, { "type": "URL", - "value": "https://hackerone.com/reports/380873", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2023-26136", }, { "type": "URL", - "value": "https://nvd.nist.gov/vuln/detail/CVE-2018-16487", + "value": "https://access.redhat.com/security/cve/CVE-2023-26136", }, { "type": "URL", - "value": "https://security.netapp.com/advisory/ntap-20190919-0004/", + "value": "https://github.com/salesforce/tough-cookie", }, - ], - "severity": "MEDIUM", - }, - { - "attributes": { - "fixedVersion": "4.17.5", - "foundIn": "Node.js", - "installedVersion": "2.4.2", - "packageName": "lodash", - "references": [ - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3721", - "https://github.com/advisories/GHSA-fvqr-27wr-82fm", - "https://github.com/lodash/lodash/commit/d8e069cc3410082e44eb18fcf8e7f3d08ebe1d4a", - "https://hackerone.com/reports/310443", - "https://nvd.nist.gov/vuln/detail/CVE-2018-3721", - "https://security.netapp.com/advisory/ntap-20190919-0004/", - "https://snyk.io/vuln/npm:lodash:20180130", - "https://www.npmjs.com/advisories/577", - ], - "vulnerabilityId": "CVE-2018-3721", - }, - "category": "NPM Package Vulnerability", - "description": "lodash node module before 4.17.5 suffers from a Modification of Assumed-Immutable Data 
(MAID) vulnerability via defaultsDeep, merge, and mergeWith functions, which allows a malicious user to modify the prototype of "Object" via __proto__, causing the addition or modification of an existing property that will exist on all objects.", - "location": "bkimminich/juice-shop:v12.10.2", - "mitigation": "Update the affected package lodash to the fixed version: 4.17.5 or remove the package from the image.", - "name": "lodash: Prototype pollution in utilities function", - "osi_layer": "NOT_APPLICABLE", - "references": [ { - "type": "CVE", - "value": "CVE-2018-3721", + "type": "URL", + "value": "https://github.com/salesforce/tough-cookie/commit/12d474791bb856004e858fdb1c47b7608d09cf6e", }, { "type": "URL", - "value": "https://nvd.nist.gov/vuln/detail/CVE-2018-3721", + "value": "https://github.com/salesforce/tough-cookie/issues/282", }, { "type": "URL", - "value": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3721", + "value": "https://github.com/salesforce/tough-cookie/releases/tag/v4.1.3", }, { "type": "URL", - "value": "https://github.com/advisories/GHSA-fvqr-27wr-82fm", + "value": "https://lists.debian.org/debian-lts-announce/2023/07/msg00010.html", }, { "type": "URL", - "value": "https://github.com/lodash/lodash/commit/d8e069cc3410082e44eb18fcf8e7f3d08ebe1d4a", + "value": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3HUE6ZR5SL73KHL7XUPAOEL6SB7HUDT2", }, { "type": "URL", - "value": "https://hackerone.com/reports/310443", + "value": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3HUE6ZR5SL73KHL7XUPAOEL6SB7HUDT2/", }, { "type": "URL", - "value": "https://nvd.nist.gov/vuln/detail/CVE-2018-3721", + "value": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6PVVPNSAGSDS63HQ74PJ7MZ3MU5IYNVZ", }, { "type": "URL", - "value": "https://security.netapp.com/advisory/ntap-20190919-0004/", + "value": 
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6PVVPNSAGSDS63HQ74PJ7MZ3MU5IYNVZ/", }, { "type": "URL", - "value": "https://snyk.io/vuln/npm:lodash:20180130", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2023-26136", }, { "type": "URL", - "value": "https://www.npmjs.com/advisories/577", + "value": "https://security.netapp.com/advisory/ntap-20240621-0006", + }, + { + "type": "URL", + "value": "https://security.netapp.com/advisory/ntap-20240621-0006/", + }, + { + "type": "URL", + "value": "https://security.snyk.io/vuln/SNYK-JS-TOUGHCOOKIE-5672873", + }, + { + "type": "URL", + "value": "https://www.cve.org/CVERecord?id=CVE-2023-26136", }, ], "severity": "MEDIUM", }, { "attributes": { - "fixedVersion": "4.17.11", - "foundIn": "Node.js", - "installedVersion": "2.4.2", - "packageName": "lodash", + "fixedVersion": "1.7.4", + "foundIn": "hooks/generic-webhook/hook/package-lock.json", + "installedVersion": "1.6.0", + "packageName": "axios", "references": [ - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1010266", - "https://github.com/advisories/GHSA-x5rq-j2xg-h7qm", - "https://github.com/lodash/lodash/issues/3359", - "https://github.com/lodash/lodash/wiki/Changelog", - "https://nvd.nist.gov/vuln/detail/CVE-2019-1010266", - "https://security.netapp.com/advisory/ntap-20190919-0004/", - "https://snyk.io/vuln/SNYK-JS-LODASH-73639", + "https://access.redhat.com/security/cve/CVE-2024-39338", + "https://github.com/axios/axios", + "https://github.com/axios/axios/commit/6b6b605eaf73852fb2dae033f1e786155959de3a", + "https://github.com/axios/axios/issues/6463", + "https://github.com/axios/axios/pull/6539", + "https://github.com/axios/axios/pull/6543", + "https://github.com/axios/axios/releases", + "https://github.com/axios/axios/releases/tag/v1.7.4", + "https://jeffhacks.com/advisories/2024/06/24/CVE-2024-39338.html", + "https://nvd.nist.gov/vuln/detail/CVE-2024-39338", + "https://www.cve.org/CVERecord?id=CVE-2024-39338", 
], - "vulnerabilityId": "CVE-2019-1010266", + "vulnerabilityId": "CVE-2024-39338", }, "category": "NPM Package Vulnerability", - "description": "lodash prior to 4.17.11 is affected by: CWE-400: Uncontrolled Resource Consumption. The impact is: Denial of service. The component is: Date handler. The attack vector is: Attacker provides very long strings, which the library attempts to match using a regular expression. The fixed version is: 4.17.11.", - "location": "bkimminich/juice-shop:v12.10.2", - "mitigation": "Update the affected package lodash to the fixed version: 4.17.11 or remove the package from the image.", - "name": "lodash: uncontrolled resource consumption in Data handler causing denial of service", + "description": "axios 1.7.2 allows SSRF via unexpected behavior where requests for path relative URLs get processed as protocol relative URLs.", + "location": "https://github.com/secureCodeBox/secureCodeBox", + "mitigation": "Update the affected package axios to the fixed version: 1.7.4 or remove the package from the image.", + "name": "axios: axios: Server-Side Request Forgery", "osi_layer": "NOT_APPLICABLE", "references": [ { "type": "CVE", - "value": "CVE-2019-1010266", + "value": "CVE-2024-39338", }, { "type": "URL", - "value": "https://nvd.nist.gov/vuln/detail/CVE-2019-1010266", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2024-39338", }, { "type": "URL", - "value": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1010266", + "value": "https://access.redhat.com/security/cve/CVE-2024-39338", }, { "type": "URL", - "value": "https://github.com/advisories/GHSA-x5rq-j2xg-h7qm", + "value": "https://github.com/axios/axios", }, { "type": "URL", - "value": "https://github.com/lodash/lodash/issues/3359", + "value": "https://github.com/axios/axios/commit/6b6b605eaf73852fb2dae033f1e786155959de3a", }, { "type": "URL", - "value": "https://github.com/lodash/lodash/wiki/Changelog", + "value": "https://github.com/axios/axios/issues/6463", }, { "type": "URL", 
- "value": "https://nvd.nist.gov/vuln/detail/CVE-2019-1010266", + "value": "https://github.com/axios/axios/pull/6539", }, { "type": "URL", - "value": "https://security.netapp.com/advisory/ntap-20190919-0004/", + "value": "https://github.com/axios/axios/pull/6543", }, { "type": "URL", - "value": "https://snyk.io/vuln/SNYK-JS-LODASH-73639", + "value": "https://github.com/axios/axios/releases", + }, + { + "type": "URL", + "value": "https://github.com/axios/axios/releases/tag/v1.7.4", + }, + { + "type": "URL", + "value": "https://jeffhacks.com/advisories/2024/06/24/CVE-2024-39338.html", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2024-39338", + }, + { + "type": "URL", + "value": "https://www.cve.org/CVERecord?id=CVE-2024-39338", }, ], - "severity": "MEDIUM", + "severity": "HIGH", }, { "attributes": { - "fixedVersion": "4.17.12", - "foundIn": "Node.js", - "installedVersion": "4.17.11", - "packageName": "lodash", + "fixedVersion": "1.7.4", + "foundIn": "hooks/notification/hook/package-lock.json", + "installedVersion": "1.6.0", + "packageName": "axios", "references": [ - "https://access.redhat.com/errata/RHSA-2019:3024", - "https://github.com/advisories/GHSA-jf85-cpcp-j695", - "https://nvd.nist.gov/vuln/detail/CVE-2019-10744", - "https://security.netapp.com/advisory/ntap-20191004-0005/", - "https://snyk.io/vuln/SNYK-JS-LODASH-450202", - "https://support.f5.com/csp/article/K47105354?utm_source=f5support&utm_medium=RSS", - "https://www.oracle.com/security-alerts/cpujan2021.html", - "https://www.oracle.com/security-alerts/cpuoct2020.html", + "https://access.redhat.com/security/cve/CVE-2024-39338", + "https://github.com/axios/axios", + "https://github.com/axios/axios/commit/6b6b605eaf73852fb2dae033f1e786155959de3a", + "https://github.com/axios/axios/issues/6463", + "https://github.com/axios/axios/pull/6539", + "https://github.com/axios/axios/pull/6543", + "https://github.com/axios/axios/releases", + 
"https://github.com/axios/axios/releases/tag/v1.7.4", + "https://jeffhacks.com/advisories/2024/06/24/CVE-2024-39338.html", + "https://nvd.nist.gov/vuln/detail/CVE-2024-39338", + "https://www.cve.org/CVERecord?id=CVE-2024-39338", ], - "vulnerabilityId": "CVE-2019-10744", + "vulnerabilityId": "CVE-2024-39338", }, "category": "NPM Package Vulnerability", - "description": "Versions of lodash lower than 4.17.12 are vulnerable to Prototype Pollution. The function defaultsDeep could be tricked into adding or modifying properties of Object.prototype using a constructor payload.", - "location": "bkimminich/juice-shop:v12.10.2", - "mitigation": "Update the affected package lodash to the fixed version: 4.17.12 or remove the package from the image.", - "name": "nodejs-lodash: prototype pollution in defaultsDeep function leading to modifying properties", + "description": "axios 1.7.2 allows SSRF via unexpected behavior where requests for path relative URLs get processed as protocol relative URLs.", + "location": "https://github.com/secureCodeBox/secureCodeBox", + "mitigation": "Update the affected package axios to the fixed version: 1.7.4 or remove the package from the image.", + "name": "axios: axios: Server-Side Request Forgery", "osi_layer": "NOT_APPLICABLE", "references": [ { "type": "CVE", - "value": "CVE-2019-10744", + "value": "CVE-2024-39338", }, { "type": "URL", - "value": "https://nvd.nist.gov/vuln/detail/CVE-2019-10744", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2024-39338", }, { "type": "URL", - "value": "https://access.redhat.com/errata/RHSA-2019:3024", + "value": "https://access.redhat.com/security/cve/CVE-2024-39338", }, { "type": "URL", - "value": "https://github.com/advisories/GHSA-jf85-cpcp-j695", + "value": "https://github.com/axios/axios", }, { "type": "URL", - "value": "https://nvd.nist.gov/vuln/detail/CVE-2019-10744", + "value": "https://github.com/axios/axios/commit/6b6b605eaf73852fb2dae033f1e786155959de3a", }, { "type": "URL", - "value": 
"https://security.netapp.com/advisory/ntap-20191004-0005/", + "value": "https://github.com/axios/axios/issues/6463", }, { "type": "URL", - "value": "https://snyk.io/vuln/SNYK-JS-LODASH-450202", + "value": "https://github.com/axios/axios/pull/6539", }, { "type": "URL", - "value": "https://support.f5.com/csp/article/K47105354?utm_source=f5support&utm_medium=RSS", + "value": "https://github.com/axios/axios/pull/6543", }, { "type": "URL", - "value": "https://www.oracle.com/security-alerts/cpujan2021.html", + "value": "https://github.com/axios/axios/releases", }, { "type": "URL", - "value": "https://www.oracle.com/security-alerts/cpuoct2020.html", + "value": "https://github.com/axios/axios/releases/tag/v1.7.4", + }, + { + "type": "URL", + "value": "https://jeffhacks.com/advisories/2024/06/24/CVE-2024-39338.html", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2024-39338", + }, + { + "type": "URL", + "value": "https://www.cve.org/CVERecord?id=CVE-2024-39338", }, ], "severity": "HIGH", }, { "attributes": { - "fixedVersion": "4.17.19", - "foundIn": "Node.js", - "installedVersion": "4.17.11", - "packageName": "lodash", + "fixedVersion": "10.0.0", + "foundIn": "hooks/notification/hook/package-lock.json", + "installedVersion": "7.2.0", + "packageName": "jsonpath-plus", "references": [ - "https://github.com/advisories/GHSA-p6mc-m468-83gw", - "https://github.com/lodash/lodash/issues/4874", - "https://hackerone.com/reports/712065", - "https://nvd.nist.gov/vuln/detail/CVE-2020-8203", - "https://security.netapp.com/advisory/ntap-20200724-0006/", - "https://www.npmjs.com/advisories/1523", - "https://www.oracle.com//security-alerts/cpujul2021.html", - "https://www.oracle.com/security-alerts/cpuApr2021.html", - "https://www.oracle.com/security-alerts/cpuoct2021.html", + "https://access.redhat.com/security/cve/CVE-2024-21534", + "https://github.com/JSONPath-Plus/JSONPath", + 
"https://github.com/JSONPath-Plus/JSONPath/commit/6b2f1b4c234292c75912b790bf7e2d7339d4ccd3", + "https://github.com/JSONPath-Plus/JSONPath/commit/b70aa713553caf838a63bac923195a5bc541fd72", + "https://github.com/JSONPath-Plus/JSONPath/issues/226", + "https://nvd.nist.gov/vuln/detail/CVE-2024-21534", + "https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-8185019", + "https://security.snyk.io/vuln/SNYK-JS-JSONPATHPLUS-7945884", + "https://www.cve.org/CVERecord?id=CVE-2024-21534", ], - "vulnerabilityId": "CVE-2020-8203", + "vulnerabilityId": "CVE-2024-21534", }, "category": "NPM Package Vulnerability", - "description": "Prototype pollution attack when using _.zipObjectDeep in lodash before 4.17.20.", - "location": "bkimminich/juice-shop:v12.10.2", - "mitigation": "Update the affected package lodash to the fixed version: 4.17.19 or remove the package from the image.", - "name": "nodejs-lodash: prototype pollution in zipObjectDeep function", + "description": "Versions of the package jsonpath-plus before 10.0.7 are vulnerable to Remote Code Execution (RCE) due to improper input sanitization. An attacker can execute aribitrary code on the system by exploiting the unsafe default usage of vm in Node. 
+ +**Note:** + +There was an attempt to fix it in version [10.0.0](https://github.com/JSONPath-Plus/JSONPath/commit/6b2f1b4c234292c75912b790bf7e2d7339d4ccd3) but it could still be exploited using [different payloads](https://github.com/JSONPath-Plus/JSONPath/issues/226).", + "location": "https://github.com/secureCodeBox/secureCodeBox", + "mitigation": "Update the affected package jsonpath-plus to the fixed version: 10.0.0 or remove the package from the image.", + "name": "jsonpath-plus: Remote Code Execution in jsonpath-plus via Improper Input Sanitization", "osi_layer": "NOT_APPLICABLE", "references": [ { "type": "CVE", - "value": "CVE-2020-8203", + "value": "CVE-2024-21534", }, { "type": "URL", - "value": "https://nvd.nist.gov/vuln/detail/CVE-2020-8203", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2024-21534", }, { "type": "URL", - "value": "https://github.com/advisories/GHSA-p6mc-m468-83gw", + "value": "https://access.redhat.com/security/cve/CVE-2024-21534", }, { "type": "URL", - "value": "https://github.com/lodash/lodash/issues/4874", + "value": "https://github.com/JSONPath-Plus/JSONPath", }, { "type": "URL", - "value": "https://hackerone.com/reports/712065", + "value": "https://github.com/JSONPath-Plus/JSONPath/commit/6b2f1b4c234292c75912b790bf7e2d7339d4ccd3", }, { "type": "URL", - "value": "https://nvd.nist.gov/vuln/detail/CVE-2020-8203", + "value": "https://github.com/JSONPath-Plus/JSONPath/commit/b70aa713553caf838a63bac923195a5bc541fd72", }, { "type": "URL", - "value": "https://security.netapp.com/advisory/ntap-20200724-0006/", + "value": "https://github.com/JSONPath-Plus/JSONPath/issues/226", }, { "type": "URL", - "value": "https://www.npmjs.com/advisories/1523", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2024-21534", }, { "type": "URL", - "value": "https://www.oracle.com//security-alerts/cpujul2021.html", + "value": "https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-8185019", }, { "type": "URL", - "value": 
"https://www.oracle.com/security-alerts/cpuApr2021.html", + "value": "https://security.snyk.io/vuln/SNYK-JS-JSONPATHPLUS-7945884", }, { "type": "URL", - "value": "https://www.oracle.com/security-alerts/cpuoct2021.html", + "value": "https://www.cve.org/CVERecord?id=CVE-2024-21534", }, ], "severity": "HIGH", }, { "attributes": { - "fixedVersion": "4.17.21", - "foundIn": "Node.js", - "installedVersion": "4.17.11", - "packageName": "lodash", + "fixedVersion": undefined, + "foundIn": "hooks/notification/hook/package-lock.json", + "installedVersion": "2.88.2", + "packageName": "request", "references": [ - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23337", - "https://github.com/advisories/GHSA-35jh-r3h4-6jhm", - "https://github.com/lodash/lodash/blob/ddfd9b11a0126db2302cb70ec9973b66baec0975/lodash.js%23L14851", - "https://nvd.nist.gov/vuln/detail/CVE-2021-23337", - "https://security.netapp.com/advisory/ntap-20210312-0006/", - "https://snyk.io/vuln/SNYK-JAVA-ORGFUJIONWEBJARS-1074932", - "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-1074930", - "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1074928", - "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBLODASH-1074931", - "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1074929", - "https://snyk.io/vuln/SNYK-JS-LODASH-1040724", - "https://www.oracle.com//security-alerts/cpujul2021.html", - "https://www.oracle.com/security-alerts/cpuoct2021.html", + "https://doyensec.com/resources/Doyensec_Advisory_RequestSSRF_Q12023.pdf", + "https://github.com/cypress-io/request/blob/master/lib/redirect.js#L116", + "https://github.com/cypress-io/request/commit/c5bcf21d40fb61feaff21a0e5a2b3934a440024f", + "https://github.com/cypress-io/request/pull/28", + "https://github.com/cypress-io/request/releases/tag/v3.0.0", + "https://github.com/github/advisory-database/pull/2500", + "https://github.com/request/request", + "https://github.com/request/request/blob/master/lib/redirect.js#L111", + 
"https://github.com/request/request/issues/3442", + "https://github.com/request/request/pull/3444", + "https://nvd.nist.gov/vuln/detail/CVE-2023-28155", + "https://security.netapp.com/advisory/ntap-20230413-0007", + "https://security.netapp.com/advisory/ntap-20230413-0007/", ], - "vulnerabilityId": "CVE-2021-23337", + "vulnerabilityId": "CVE-2023-28155", }, "category": "NPM Package Vulnerability", - "description": "Lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function.", - "location": "bkimminich/juice-shop:v12.10.2", - "mitigation": "Update the affected package lodash to the fixed version: 4.17.21 or remove the package from the image.", - "name": "nodejs-lodash: command injection via template", + "description": "The Request package through 2.88.1 for Node.js allows a bypass of SSRF mitigations via an attacker-controller server that does a cross-protocol redirect (HTTP to HTTPS, or HTTPS to HTTP). NOTE: This vulnerability only affects products that are no longer supported by the maintainer.", + "location": "https://github.com/secureCodeBox/secureCodeBox", + "mitigation": "Update the affected package request to the fixed version: undefined or remove the package from the image.", + "name": "The Request package through 2.88.1 for Node.js allows a bypass of SSRF ...", "osi_layer": "NOT_APPLICABLE", "references": [ { "type": "CVE", - "value": "CVE-2021-23337", + "value": "CVE-2023-28155", }, { "type": "URL", - "value": "https://nvd.nist.gov/vuln/detail/CVE-2021-23337", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2023-28155", }, { "type": "URL", - "value": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23337", + "value": "https://doyensec.com/resources/Doyensec_Advisory_RequestSSRF_Q12023.pdf", }, { "type": "URL", - "value": "https://github.com/advisories/GHSA-35jh-r3h4-6jhm", + "value": "https://github.com/cypress-io/request/blob/master/lib/redirect.js#L116", }, { "type": "URL", - "value": 
"https://github.com/lodash/lodash/blob/ddfd9b11a0126db2302cb70ec9973b66baec0975/lodash.js%23L14851", + "value": "https://github.com/cypress-io/request/commit/c5bcf21d40fb61feaff21a0e5a2b3934a440024f", }, { "type": "URL", - "value": "https://nvd.nist.gov/vuln/detail/CVE-2021-23337", + "value": "https://github.com/cypress-io/request/pull/28", }, { "type": "URL", - "value": "https://security.netapp.com/advisory/ntap-20210312-0006/", + "value": "https://github.com/cypress-io/request/releases/tag/v3.0.0", }, { "type": "URL", - "value": "https://snyk.io/vuln/SNYK-JAVA-ORGFUJIONWEBJARS-1074932", + "value": "https://github.com/github/advisory-database/pull/2500", }, { "type": "URL", - "value": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-1074930", + "value": "https://github.com/request/request", }, { "type": "URL", - "value": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1074928", + "value": "https://github.com/request/request/blob/master/lib/redirect.js#L111", }, { "type": "URL", - "value": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBLODASH-1074931", + "value": "https://github.com/request/request/issues/3442", }, { "type": "URL", - "value": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1074929", + "value": "https://github.com/request/request/pull/3444", }, { "type": "URL", - "value": "https://snyk.io/vuln/SNYK-JS-LODASH-1040724", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2023-28155", }, { "type": "URL", - "value": "https://www.oracle.com//security-alerts/cpujul2021.html", + "value": "https://security.netapp.com/advisory/ntap-20230413-0007", }, { "type": "URL", - "value": "https://www.oracle.com/security-alerts/cpuoct2021.html", + "value": "https://security.netapp.com/advisory/ntap-20230413-0007/", }, ], - "severity": "HIGH", + "severity": "MEDIUM", }, { "attributes": { - "fixedVersion": undefined, - "foundIn": "Node.js", - "installedVersion": "0.6.11", - "packageName": "marsdb", + "fixedVersion": "4.1.3", + "foundIn": 
"hooks/notification/hook/package-lock.json", + "installedVersion": "2.5.0", + "packageName": "tough-cookie", "references": [ - "https://github.com/advisories/GHSA-5mrr-rgp6-x4gr", - "https://github.com/bkimminich/juice-shop/issues/1173", + "https://access.redhat.com/security/cve/CVE-2023-26136", + "https://github.com/salesforce/tough-cookie", + "https://github.com/salesforce/tough-cookie/commit/12d474791bb856004e858fdb1c47b7608d09cf6e", + "https://github.com/salesforce/tough-cookie/issues/282", + "https://github.com/salesforce/tough-cookie/releases/tag/v4.1.3", + "https://lists.debian.org/debian-lts-announce/2023/07/msg00010.html", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3HUE6ZR5SL73KHL7XUPAOEL6SB7HUDT2", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3HUE6ZR5SL73KHL7XUPAOEL6SB7HUDT2/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6PVVPNSAGSDS63HQ74PJ7MZ3MU5IYNVZ", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6PVVPNSAGSDS63HQ74PJ7MZ3MU5IYNVZ/", + "https://nvd.nist.gov/vuln/detail/CVE-2023-26136", + "https://security.netapp.com/advisory/ntap-20240621-0006", + "https://security.netapp.com/advisory/ntap-20240621-0006/", + "https://security.snyk.io/vuln/SNYK-JS-TOUGHCOOKIE-5672873", + "https://www.cve.org/CVERecord?id=CVE-2023-26136", ], - "vulnerabilityId": "GHSA-5mrr-rgp6-x4gr", + "vulnerabilityId": "CVE-2023-26136", }, "category": "NPM Package Vulnerability", - "description": "All versions of \`marsdb\` are vulnerable to Command Injection. In the \`DocumentMatcher\` class, selectors on \`$where\` clauses are passed to a Function constructor unsanitized. This allows attackers to run arbitrary commands in the system when the function is executed. - - -## Recommendation - -No fix is currently available. 
Consider using an alternative package until a fix is made available.", - "location": "bkimminich/juice-shop:v12.10.2", - "mitigation": "Update the affected package marsdb to the fixed version: undefined or remove the package from the image.", - "name": "Command Injection in marsdb", + "description": "Versions of the package tough-cookie before 4.1.3 are vulnerable to Prototype Pollution due to improper handling of Cookies when using CookieJar in rejectPublicSuffixes=false mode. This issue arises from the manner in which the objects are initialized.", + "location": "https://github.com/secureCodeBox/secureCodeBox", + "mitigation": "Update the affected package tough-cookie to the fixed version: 4.1.3 or remove the package from the image.", + "name": "tough-cookie: prototype pollution in cookie memstore", "osi_layer": "NOT_APPLICABLE", "references": [ + { + "type": "CVE", + "value": "CVE-2023-26136", + }, { "type": "URL", - "value": "https://github.com/advisories/GHSA-5mrr-rgp6-x4gr", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2023-26136", }, { "type": "URL", - "value": "https://github.com/bkimminich/juice-shop/issues/1173", + "value": "https://access.redhat.com/security/cve/CVE-2023-26136", }, - ], - "severity": "HIGH", - }, - { - "attributes": { - "fixedVersion": "2.19.3", - "foundIn": "Node.js", - "installedVersion": "2.0.0", - "packageName": "moment", - "references": [ - "https://github.com/advisories/GHSA-446m-mv8f-q348", - "https://github.com/moment/moment/issues/4163", - "https://nodesecurity.io/advisories/532", - "https://nvd.nist.gov/vuln/detail/CVE-2017-18214", - "https://www.tenable.com/security/tns-2019-02", - ], - "vulnerabilityId": "CVE-2017-18214", - }, - "category": "NPM Package Vulnerability", - "description": "The moment module before 2.19.3 for Node.js is prone to a regular expression denial of service via a crafted date string, a different vulnerability than CVE-2016-4055.", - "location": "bkimminich/juice-shop:v12.10.2", - "mitigation": 
"Update the affected package moment to the fixed version: 2.19.3 or remove the package from the image.", - "name": "nodejs-moment: Regular expression denial of service", - "osi_layer": "NOT_APPLICABLE", - "references": [ { - "type": "CVE", - "value": "CVE-2017-18214", + "type": "URL", + "value": "https://github.com/salesforce/tough-cookie", }, { "type": "URL", - "value": "https://nvd.nist.gov/vuln/detail/CVE-2017-18214", + "value": "https://github.com/salesforce/tough-cookie/commit/12d474791bb856004e858fdb1c47b7608d09cf6e", }, { "type": "URL", - "value": "https://github.com/advisories/GHSA-446m-mv8f-q348", + "value": "https://github.com/salesforce/tough-cookie/issues/282", }, { "type": "URL", - "value": "https://github.com/moment/moment/issues/4163", + "value": "https://github.com/salesforce/tough-cookie/releases/tag/v4.1.3", }, { "type": "URL", - "value": "https://nodesecurity.io/advisories/532", + "value": "https://lists.debian.org/debian-lts-announce/2023/07/msg00010.html", }, { "type": "URL", - "value": "https://nvd.nist.gov/vuln/detail/CVE-2017-18214", + "value": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3HUE6ZR5SL73KHL7XUPAOEL6SB7HUDT2", }, { "type": "URL", - "value": "https://www.tenable.com/security/tns-2019-02", + "value": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3HUE6ZR5SL73KHL7XUPAOEL6SB7HUDT2/", + }, + { + "type": "URL", + "value": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6PVVPNSAGSDS63HQ74PJ7MZ3MU5IYNVZ", + }, + { + "type": "URL", + "value": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6PVVPNSAGSDS63HQ74PJ7MZ3MU5IYNVZ/", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2023-26136", + }, + { + "type": "URL", + "value": "https://security.netapp.com/advisory/ntap-20240621-0006", + }, + { + "type": "URL", + "value": 
"https://security.netapp.com/advisory/ntap-20240621-0006/", + }, + { + "type": "URL", + "value": "https://security.snyk.io/vuln/SNYK-JS-TOUGHCOOKIE-5672873", + }, + { + "type": "URL", + "value": "https://www.cve.org/CVERecord?id=CVE-2023-26136", }, ], - "severity": "HIGH", + "severity": "MEDIUM", }, { "attributes": { - "fixedVersion": "2.11.2", - "foundIn": "Node.js", - "installedVersion": "2.0.0", - "packageName": "moment", + "fixedVersion": "5.2.4, 6.2.3, 7.5.10, 8.17.1", + "foundIn": "hooks/notification/hook/package-lock.json", + "installedVersion": "8.12.0", + "packageName": "ws", "references": [ - "http://www.openwall.com/lists/oss-security/2016/04/20/11", - "http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html", - "http://www.securityfocus.com/bid/95849", - "https://github.com/advisories/GHSA-87vv-r9j6-g5qv", - "https://lists.apache.org/thread.html/10f0f3aefd51444d1198c65f44ffdf2d78ca3359423dbc1c168c9731@%3Cdev.flink.apache.org%3E", - "https://lists.apache.org/thread.html/17ff53f7999e74fbe3cc0ceb4e1c3b00b180b7c5afec8e978837bc49@%3Cuser.flink.apache.org%3E", - "https://lists.apache.org/thread.html/52bafac05ad174000ea465fe275fd3cc7bd5c25535a7631c0bc9bfb2@%3Cuser.flink.apache.org%3E", - "https://lists.apache.org/thread.html/54df3aeb4239b64b50b356f0ca6f986e3c4ca5b84c515dce077c7854@%3Cuser.flink.apache.org%3E", - "https://nodesecurity.io/advisories/55", - "https://nvd.nist.gov/vuln/detail/CVE-2016-4055", - "https://www.owasp.org/index.php/Regular_expression_Denial_of_Service_-_ReDoS", - "https://www.tenable.com/security/tns-2019-02", - ], - "vulnerabilityId": "CVE-2016-4055", + "https://access.redhat.com/security/cve/CVE-2024-37890", + "https://github.com/websockets/ws", + "https://github.com/websockets/ws/commit/22c28763234aa75a7e1b76f5c01c181260d7917f", + "https://github.com/websockets/ws/commit/4abd8f6de4b0b65ef80b3ff081989479ed93377e", + "https://github.com/websockets/ws/commit/e55e5106f10fcbaac37cfa89759e4cc0d073a52c", + 
"https://github.com/websockets/ws/commit/eeb76d313e2a00dd5247ca3597bba7877d064a63", + "https://github.com/websockets/ws/issues/2230", + "https://github.com/websockets/ws/pull/2231", + "https://github.com/websockets/ws/security/advisories/GHSA-3h5v-q93c-6h6q", + "https://nodejs.org/api/http.html#servermaxheaderscount", + "https://nvd.nist.gov/vuln/detail/CVE-2024-37890", + "https://www.cve.org/CVERecord?id=CVE-2024-37890", + ], + "vulnerabilityId": "CVE-2024-37890", }, - "category": "NPM Package Vulnerability", - "description": "The duration function in the moment package before 2.11.2 for Node.js allows remote attackers to cause a denial of service (CPU consumption) via a long string, aka a "regular expression Denial of Service (ReDoS)."", - "location": "bkimminich/juice-shop:v12.10.2", - "mitigation": "Update the affected package moment to the fixed version: 2.11.2 or remove the package from the image.", - "name": "moment.js: regular expression denial of service", + "category": "NPM Package Vulnerability", + "description": "ws is an open source WebSocket client and server for Node.js. A request with a number of headers exceeding theserver.maxHeadersCount threshold could be used to crash a ws server. The vulnerability was fixed in ws@8.17.1 (e55e510) and backported to ws@7.5.10 (22c2876), ws@6.2.3 (eeb76d3), and ws@5.2.4 (4abd8f6). In vulnerable versions of ws, the issue can be mitigated in the following ways: 1. Reduce the maximum allowed length of the request headers using the --max-http-header-size=size and/or the maxHeaderSize options so that no more headers than the server.maxHeadersCount limit can be sent. 2. 
Set server.maxHeadersCount to 0 so that no limit is applied.", + "location": "https://github.com/secureCodeBox/secureCodeBox", + "mitigation": "Update the affected package ws to the fixed version: 5.2.4, 6.2.3, 7.5.10, 8.17.1 or remove the package from the image.", + "name": "nodejs-ws: denial of service when handling a request with many HTTP headers", "osi_layer": "NOT_APPLICABLE", "references": [ { "type": "CVE", - "value": "CVE-2016-4055", + "value": "CVE-2024-37890", }, { "type": "URL", - "value": "https://nvd.nist.gov/vuln/detail/CVE-2016-4055", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2024-37890", }, { "type": "URL", - "value": "http://www.openwall.com/lists/oss-security/2016/04/20/11", + "value": "https://access.redhat.com/security/cve/CVE-2024-37890", }, { "type": "URL", - "value": "http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html", + "value": "https://github.com/websockets/ws", }, { "type": "URL", - "value": "http://www.securityfocus.com/bid/95849", + "value": "https://github.com/websockets/ws/commit/22c28763234aa75a7e1b76f5c01c181260d7917f", }, { "type": "URL", - "value": "https://github.com/advisories/GHSA-87vv-r9j6-g5qv", + "value": "https://github.com/websockets/ws/commit/4abd8f6de4b0b65ef80b3ff081989479ed93377e", }, { "type": "URL", - "value": "https://lists.apache.org/thread.html/10f0f3aefd51444d1198c65f44ffdf2d78ca3359423dbc1c168c9731@%3Cdev.flink.apache.org%3E", + "value": "https://github.com/websockets/ws/commit/e55e5106f10fcbaac37cfa89759e4cc0d073a52c", }, { "type": "URL", - "value": "https://lists.apache.org/thread.html/17ff53f7999e74fbe3cc0ceb4e1c3b00b180b7c5afec8e978837bc49@%3Cuser.flink.apache.org%3E", + "value": "https://github.com/websockets/ws/commit/eeb76d313e2a00dd5247ca3597bba7877d064a63", }, { "type": "URL", - "value": "https://lists.apache.org/thread.html/52bafac05ad174000ea465fe275fd3cc7bd5c25535a7631c0bc9bfb2@%3Cuser.flink.apache.org%3E", + "value": "https://github.com/websockets/ws/issues/2230", 
}, { "type": "URL", - "value": "https://lists.apache.org/thread.html/54df3aeb4239b64b50b356f0ca6f986e3c4ca5b84c515dce077c7854@%3Cuser.flink.apache.org%3E", + "value": "https://github.com/websockets/ws/pull/2231", }, { "type": "URL", - "value": "https://nodesecurity.io/advisories/55", + "value": "https://github.com/websockets/ws/security/advisories/GHSA-3h5v-q93c-6h6q", }, { "type": "URL", - "value": "https://nvd.nist.gov/vuln/detail/CVE-2016-4055", + "value": "https://nodejs.org/api/http.html#servermaxheaderscount", }, { "type": "URL", - "value": "https://www.owasp.org/index.php/Regular_expression_Denial_of_Service_-_ReDoS", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2024-37890", }, { "type": "URL", - "value": "https://www.tenable.com/security/tns-2019-02", + "value": "https://www.cve.org/CVERecord?id=CVE-2024-37890", }, ], - "severity": "MEDIUM", + "severity": "HIGH", }, { "attributes": { - "fixedVersion": "1.4.3", - "foundIn": "Node.js", - "installedVersion": "1.4.2", - "packageName": "sanitize-html", + "fixedVersion": "10.0.0", + "foundIn": "hooks/package-lock.json", + "installedVersion": "7.2.0", + "packageName": "jsonpath-plus", "references": [ - "https://github.com/advisories/GHSA-3j7m-hmh3-9jmp", - "https://github.com/punkave/sanitize-html/issues/29", - "https://nodesecurity.io/advisories/135", - "https://nvd.nist.gov/vuln/detail/CVE-2016-1000237", - "https://raw.githubusercontent.com/distributedweaknessfiling/cvelist/master/2016/1000xxx/CVE-2016-1000237.json", + "https://access.redhat.com/security/cve/CVE-2024-21534", + "https://github.com/JSONPath-Plus/JSONPath", + "https://github.com/JSONPath-Plus/JSONPath/commit/6b2f1b4c234292c75912b790bf7e2d7339d4ccd3", + "https://github.com/JSONPath-Plus/JSONPath/commit/b70aa713553caf838a63bac923195a5bc541fd72", + "https://github.com/JSONPath-Plus/JSONPath/issues/226", + "https://nvd.nist.gov/vuln/detail/CVE-2024-21534", + "https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-8185019", + 
"https://security.snyk.io/vuln/SNYK-JS-JSONPATHPLUS-7945884", + "https://www.cve.org/CVERecord?id=CVE-2024-21534", ], - "vulnerabilityId": "CVE-2016-1000237", + "vulnerabilityId": "CVE-2024-21534", }, "category": "NPM Package Vulnerability", - "description": "sanitize-html before 1.4.3 has XSS.", - "location": "bkimminich/juice-shop:v12.10.2", - "mitigation": "Update the affected package sanitize-html to the fixed version: 1.4.3 or remove the package from the image.", - "name": "XSS - Sanitization not applied recursively", + "description": "Versions of the package jsonpath-plus before 10.0.7 are vulnerable to Remote Code Execution (RCE) due to improper input sanitization. An attacker can execute aribitrary code on the system by exploiting the unsafe default usage of vm in Node. + +**Note:** + +There was an attempt to fix it in version [10.0.0](https://github.com/JSONPath-Plus/JSONPath/commit/6b2f1b4c234292c75912b790bf7e2d7339d4ccd3) but it could still be exploited using [different payloads](https://github.com/JSONPath-Plus/JSONPath/issues/226).", + "location": "https://github.com/secureCodeBox/secureCodeBox", + "mitigation": "Update the affected package jsonpath-plus to the fixed version: 10.0.0 or remove the package from the image.", + "name": "jsonpath-plus: Remote Code Execution in jsonpath-plus via Improper Input Sanitization", "osi_layer": "NOT_APPLICABLE", "references": [ { "type": "CVE", - "value": "CVE-2016-1000237", + "value": "CVE-2024-21534", }, { "type": "URL", - "value": "https://nvd.nist.gov/vuln/detail/CVE-2016-1000237", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2024-21534", }, { "type": "URL", - "value": "https://github.com/advisories/GHSA-3j7m-hmh3-9jmp", + "value": "https://access.redhat.com/security/cve/CVE-2024-21534", }, { "type": "URL", - "value": "https://github.com/punkave/sanitize-html/issues/29", + "value": "https://github.com/JSONPath-Plus/JSONPath", }, { "type": "URL", - "value": "https://nodesecurity.io/advisories/135", + 
"value": "https://github.com/JSONPath-Plus/JSONPath/commit/6b2f1b4c234292c75912b790bf7e2d7339d4ccd3", }, { "type": "URL", - "value": "https://nvd.nist.gov/vuln/detail/CVE-2016-1000237", + "value": "https://github.com/JSONPath-Plus/JSONPath/commit/b70aa713553caf838a63bac923195a5bc541fd72", }, { "type": "URL", - "value": "https://raw.githubusercontent.com/distributedweaknessfiling/cvelist/master/2016/1000xxx/CVE-2016-1000237.json", + "value": "https://github.com/JSONPath-Plus/JSONPath/issues/226", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2024-21534", + }, + { + "type": "URL", + "value": "https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-8185019", + }, + { + "type": "URL", + "value": "https://security.snyk.io/vuln/SNYK-JS-JSONPATHPLUS-7945884", + }, + { + "type": "URL", + "value": "https://www.cve.org/CVERecord?id=CVE-2024-21534", }, ], - "severity": "MEDIUM", + "severity": "HIGH", }, { "attributes": { - "fixedVersion": "1.11.4", - "foundIn": "Node.js", - "installedVersion": "1.4.2", - "packageName": "sanitize-html", + "fixedVersion": undefined, + "foundIn": "hooks/package-lock.json", + "installedVersion": "2.88.2", + "packageName": "request", "references": [ - "https://github.com/advisories/GHSA-xc6g-ggrc-qq4r", - "https://github.com/punkave/sanitize-html/commit/5d205a1005ba0df80e21d8c64a15bb3accdb2403", - "https://github.com/punkave/sanitize-html/issues/100", - "https://nodesecurity.io/advisories/154", - "https://nvd.nist.gov/vuln/detail/CVE-2017-16016", + "https://doyensec.com/resources/Doyensec_Advisory_RequestSSRF_Q12023.pdf", + "https://github.com/cypress-io/request/blob/master/lib/redirect.js#L116", + "https://github.com/cypress-io/request/commit/c5bcf21d40fb61feaff21a0e5a2b3934a440024f", + "https://github.com/cypress-io/request/pull/28", + "https://github.com/cypress-io/request/releases/tag/v3.0.0", + "https://github.com/github/advisory-database/pull/2500", + "https://github.com/request/request", + 
"https://github.com/request/request/blob/master/lib/redirect.js#L111", + "https://github.com/request/request/issues/3442", + "https://github.com/request/request/pull/3444", + "https://nvd.nist.gov/vuln/detail/CVE-2023-28155", + "https://security.netapp.com/advisory/ntap-20230413-0007", + "https://security.netapp.com/advisory/ntap-20230413-0007/", ], - "vulnerabilityId": "CVE-2017-16016", + "vulnerabilityId": "CVE-2023-28155", }, "category": "NPM Package Vulnerability", - "description": "Sanitize-html is a library for scrubbing html input of malicious values. Versions 1.11.1 and below are vulnerable to cross site scripting (XSS) in certain scenarios: If allowed at least one nonTextTags, the result is a potential XSS vulnerability.", - "location": "bkimminich/juice-shop:v12.10.2", - "mitigation": "Update the affected package sanitize-html to the fixed version: 1.11.4 or remove the package from the image.", - "name": "Cross-Site Scripting in sanitize-html", + "description": "The Request package through 2.88.1 for Node.js allows a bypass of SSRF mitigations via an attacker-controller server that does a cross-protocol redirect (HTTP to HTTPS, or HTTPS to HTTP). 
NOTE: This vulnerability only affects products that are no longer supported by the maintainer.", + "location": "https://github.com/secureCodeBox/secureCodeBox", + "mitigation": "Update the affected package request to the fixed version: undefined or remove the package from the image.", + "name": "The Request package through 2.88.1 for Node.js allows a bypass of SSRF ...", "osi_layer": "NOT_APPLICABLE", "references": [ { "type": "CVE", - "value": "CVE-2017-16016", + "value": "CVE-2023-28155", }, { "type": "URL", - "value": "https://nvd.nist.gov/vuln/detail/CVE-2017-16016", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2023-28155", }, { "type": "URL", - "value": "https://github.com/advisories/GHSA-xc6g-ggrc-qq4r", + "value": "https://doyensec.com/resources/Doyensec_Advisory_RequestSSRF_Q12023.pdf", }, { "type": "URL", - "value": "https://github.com/punkave/sanitize-html/commit/5d205a1005ba0df80e21d8c64a15bb3accdb2403", + "value": "https://github.com/cypress-io/request/blob/master/lib/redirect.js#L116", }, { "type": "URL", - "value": "https://github.com/punkave/sanitize-html/issues/100", + "value": "https://github.com/cypress-io/request/commit/c5bcf21d40fb61feaff21a0e5a2b3934a440024f", }, { "type": "URL", - "value": "https://nodesecurity.io/advisories/154", + "value": "https://github.com/cypress-io/request/pull/28", }, { "type": "URL", - "value": "https://nvd.nist.gov/vuln/detail/CVE-2017-16016", + "value": "https://github.com/cypress-io/request/releases/tag/v3.0.0", }, - ], - "severity": "MEDIUM", - }, - { - "attributes": { - "fixedVersion": "2.3.1", - "foundIn": "Node.js", - "installedVersion": "1.4.2", - "packageName": "sanitize-html", - "references": [ - "https://advisory.checkmarx.net/advisory/CX-2021-4308", - "https://github.com/advisories/GHSA-rjqq-98f6-6j3r", - "https://github.com/apostrophecms/sanitize-html/blob/main/CHANGELOG.md#231-2021-01-22", - "https://github.com/apostrophecms/sanitize-html/pull/458", - 
"https://nvd.nist.gov/vuln/detail/CVE-2021-26539", - ], - "vulnerabilityId": "CVE-2021-26539", - }, - "category": "NPM Package Vulnerability", - "description": "Apostrophe Technologies sanitize-html before 2.3.1 does not properly handle internationalized domain name (IDN) which could allow an attacker to bypass hostname whitelist validation set by the "allowedIframeHostnames" option.", - "location": "bkimminich/juice-shop:v12.10.2", - "mitigation": "Update the affected package sanitize-html to the fixed version: 2.3.1 or remove the package from the image.", - "name": "sanitize-html: improper handling of internationalized domain name (IDN) can lead to bypass hostname whitelist validation", - "osi_layer": "NOT_APPLICABLE", - "references": [ { - "type": "CVE", - "value": "CVE-2021-26539", + "type": "URL", + "value": "https://github.com/github/advisory-database/pull/2500", }, { "type": "URL", - "value": "https://nvd.nist.gov/vuln/detail/CVE-2021-26539", + "value": "https://github.com/request/request", }, { "type": "URL", - "value": "https://advisory.checkmarx.net/advisory/CX-2021-4308", + "value": "https://github.com/request/request/blob/master/lib/redirect.js#L111", }, { "type": "URL", - "value": "https://github.com/advisories/GHSA-rjqq-98f6-6j3r", + "value": "https://github.com/request/request/issues/3442", }, { "type": "URL", - "value": "https://github.com/apostrophecms/sanitize-html/blob/main/CHANGELOG.md#231-2021-01-22", + "value": "https://github.com/request/request/pull/3444", }, { "type": "URL", - "value": "https://github.com/apostrophecms/sanitize-html/pull/458", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2023-28155", }, { "type": "URL", - "value": "https://nvd.nist.gov/vuln/detail/CVE-2021-26539", + "value": "https://security.netapp.com/advisory/ntap-20230413-0007", + }, + { + "type": "URL", + "value": "https://security.netapp.com/advisory/ntap-20230413-0007/", }, ], "severity": "MEDIUM", }, { "attributes": { - "fixedVersion": "2.3.2", - "foundIn": 
"Node.js", - "installedVersion": "1.4.2", - "packageName": "sanitize-html", + "fixedVersion": "4.1.3", + "foundIn": "hooks/package-lock.json", + "installedVersion": "2.5.0", + "packageName": "tough-cookie", "references": [ - "https://advisory.checkmarx.net/advisory/CX-2021-4309", - "https://github.com/advisories/GHSA-mjxr-4v3x-q3m4", - "https://github.com/apostrophecms/sanitize-html/blob/main/CHANGELOG.md#232-2021-01-26", - "https://github.com/apostrophecms/sanitize-html/pull/460", - "https://nvd.nist.gov/vuln/detail/CVE-2021-26540", + "https://access.redhat.com/security/cve/CVE-2023-26136", + "https://github.com/salesforce/tough-cookie", + "https://github.com/salesforce/tough-cookie/commit/12d474791bb856004e858fdb1c47b7608d09cf6e", + "https://github.com/salesforce/tough-cookie/issues/282", + "https://github.com/salesforce/tough-cookie/releases/tag/v4.1.3", + "https://lists.debian.org/debian-lts-announce/2023/07/msg00010.html", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3HUE6ZR5SL73KHL7XUPAOEL6SB7HUDT2", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3HUE6ZR5SL73KHL7XUPAOEL6SB7HUDT2/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6PVVPNSAGSDS63HQ74PJ7MZ3MU5IYNVZ", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6PVVPNSAGSDS63HQ74PJ7MZ3MU5IYNVZ/", + "https://nvd.nist.gov/vuln/detail/CVE-2023-26136", + "https://security.netapp.com/advisory/ntap-20240621-0006", + "https://security.netapp.com/advisory/ntap-20240621-0006/", + "https://security.snyk.io/vuln/SNYK-JS-TOUGHCOOKIE-5672873", + "https://www.cve.org/CVERecord?id=CVE-2023-26136", ], - "vulnerabilityId": "CVE-2021-26540", + "vulnerabilityId": "CVE-2023-26136", }, "category": "NPM Package Vulnerability", - "description": "Apostrophe Technologies sanitize-html before 2.3.2 does not properly validate the 
hostnames set by the "allowedIframeHostnames" option when the "allowIframeRelativeUrls" is set to true, which allows attackers to bypass hostname whitelist for iframe element, related using an src value that starts with "/\\\\example.com".", - "location": "bkimminich/juice-shop:v12.10.2", - "mitigation": "Update the affected package sanitize-html to the fixed version: 2.3.2 or remove the package from the image.", - "name": "sanitize-html: improper validation of hostnames set by the "allowedIframeHostnames" option can lead to bypass hostname whitelist for iframe element", + "description": "Versions of the package tough-cookie before 4.1.3 are vulnerable to Prototype Pollution due to improper handling of Cookies when using CookieJar in rejectPublicSuffixes=false mode. This issue arises from the manner in which the objects are initialized.", + "location": "https://github.com/secureCodeBox/secureCodeBox", + "mitigation": "Update the affected package tough-cookie to the fixed version: 4.1.3 or remove the package from the image.", + "name": "tough-cookie: prototype pollution in cookie memstore", "osi_layer": "NOT_APPLICABLE", "references": [ { "type": "CVE", - "value": "CVE-2021-26540", + "value": "CVE-2023-26136", }, { "type": "URL", - "value": "https://nvd.nist.gov/vuln/detail/CVE-2021-26540", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2023-26136", }, { "type": "URL", - "value": "https://advisory.checkmarx.net/advisory/CX-2021-4309", + "value": "https://access.redhat.com/security/cve/CVE-2023-26136", }, { "type": "URL", - "value": "https://github.com/advisories/GHSA-mjxr-4v3x-q3m4", + "value": "https://github.com/salesforce/tough-cookie", }, { "type": "URL", - "value": "https://github.com/apostrophecms/sanitize-html/blob/main/CHANGELOG.md#232-2021-01-26", + "value": "https://github.com/salesforce/tough-cookie/commit/12d474791bb856004e858fdb1c47b7608d09cf6e", }, { "type": "URL", - "value": "https://github.com/apostrophecms/sanitize-html/pull/460", + "value": 
"https://github.com/salesforce/tough-cookie/issues/282", }, { "type": "URL", - "value": "https://nvd.nist.gov/vuln/detail/CVE-2021-26540", + "value": "https://github.com/salesforce/tough-cookie/releases/tag/v4.1.3", }, - ], - "severity": "MEDIUM", - }, - { - "attributes": { - "fixedVersion": ">=1.11.4", - "foundIn": "Node.js", - "installedVersion": "1.4.2", - "packageName": "sanitize-html", - "references": [ - "https://github.com/punkave/sanitize-html/commit/5d205a1005ba0df80e21d8c64a15bb3accdb2403", - "https://github.com/punkave/sanitize-html/issues/100", - ], - "vulnerabilityId": "NSWG-ECO-154", - }, - "category": "NPM Package Vulnerability", - "description": "Sanitize-html is a library for scrubbing html input of malicious values. - -Versions 1.11.1 and below are vulnerable to cross site scripting (XSS) in certain scenarios: - -If allowed at least one nonTextTags, the result is a potential XSS vulnerability. -PoC: - -\`\`\` -var sanitizeHtml = require('sanitize-html'); - -var dirty = '!! 
-\`\`\`", - "location": "bkimminich/juice-shop:v12.10.2", - "mitigation": "Update the affected package sanitize-html to the fixed version: >=1.11.4 or remove the package from the image.", - "name": "Cross Site Scripting", - "osi_layer": "NOT_APPLICABLE", - "references": [ { - "type": "NSWG", - "value": "NSWG-ECO-154", + "type": "URL", + "value": "https://lists.debian.org/debian-lts-announce/2023/07/msg00010.html", }, { "type": "URL", - "value": "https://github.com/nodejs/security-wg/tree/master/vuln", + "value": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3HUE6ZR5SL73KHL7XUPAOEL6SB7HUDT2", }, { "type": "URL", - "value": "https://github.com/punkave/sanitize-html/commit/5d205a1005ba0df80e21d8c64a15bb3accdb2403", + "value": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3HUE6ZR5SL73KHL7XUPAOEL6SB7HUDT2/", }, { "type": "URL", - "value": "https://github.com/punkave/sanitize-html/issues/100", + "value": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6PVVPNSAGSDS63HQ74PJ7MZ3MU5IYNVZ", + }, + { + "type": "URL", + "value": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6PVVPNSAGSDS63HQ74PJ7MZ3MU5IYNVZ/", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2023-26136", + }, + { + "type": "URL", + "value": "https://security.netapp.com/advisory/ntap-20240621-0006", + }, + { + "type": "URL", + "value": "https://security.netapp.com/advisory/ntap-20240621-0006/", + }, + { + "type": "URL", + "value": "https://security.snyk.io/vuln/SNYK-JS-TOUGHCOOKIE-5672873", + }, + { + "type": "URL", + "value": "https://www.cve.org/CVERecord?id=CVE-2023-26136", }, ], "severity": "MEDIUM", }, { "attributes": { - "fixedVersion": "4.0.1", - "foundIn": "Node.js", - "installedVersion": "2.0.1", - "packageName": "set-value", + "fixedVersion": undefined, + "foundIn": 
"hooks/update-field-hook/hook/package-lock.json", + "installedVersion": "4.3.2", + "packageName": "lodash.set", "references": [ - "https://github.com/advisories/GHSA-4jqc-8m5r-9rpr", - "https://github.com/jonschlinkert/set-value/commit/7cf8073bb06bf0c15e08475f9f952823b4576452", - "https://github.com/jonschlinkert/set-value/pull/33", - "https://nvd.nist.gov/vuln/detail/CVE-2021-23440", - "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1584212", - "https://snyk.io/vuln/SNYK-JS-SETVALUE-1540541", - "https://www.huntr.dev/bounties/2eae1159-01de-4f82-a177-7478a408c4a2/", + "https://access.redhat.com/security/cve/CVE-2020-8203", + "https://github.com/github/advisory-database/pull/2884", + "https://github.com/lodash/lodash", + "https://github.com/lodash/lodash/commit/c84fe82760fb2d3e03a63379b297a1cc1a2fce12", + "https://github.com/lodash/lodash/issues/4744", + "https://github.com/lodash/lodash/issues/4874", + "https://github.com/lodash/lodash/wiki/Changelog#v41719", + "https://hackerone.com/reports/712065", + "https://hackerone.com/reports/864701", + "https://nvd.nist.gov/vuln/detail/CVE-2020-8203", + "https://security.netapp.com/advisory/ntap-20200724-0006", + "https://security.netapp.com/advisory/ntap-20200724-0006/", + "https://web.archive.org/web/20210914001339/https://github.com/lodash/lodash/issues/4744", + "https://www.cve.org/CVERecord?id=CVE-2020-8203", + "https://www.npmjs.com/advisories/1523", + "https://www.oracle.com//security-alerts/cpujul2021.html", + "https://www.oracle.com/security-alerts/cpuApr2021.html", + "https://www.oracle.com/security-alerts/cpuapr2022.html", + "https://www.oracle.com/security-alerts/cpujan2022.html", + "https://www.oracle.com/security-alerts/cpuoct2021.html", ], - "vulnerabilityId": "CVE-2021-23440", + "vulnerabilityId": "CVE-2020-8203", }, "category": "NPM Package Vulnerability", - "description": "This affects the package set-value before <2.0.1, >=3.0.0 <4.0.1. 
A type confusion vulnerability can lead to a bypass of CVE-2019-10747 when the user-provided keys used in the path parameter are arrays.", - "location": "bkimminich/juice-shop:v12.10.2", - "mitigation": "Update the affected package set-value to the fixed version: 4.0.1 or remove the package from the image.", - "name": "nodejs-set-value: type confusion allows bypass of CVE-2019-10747", + "description": "Prototype pollution attack when using _.zipObjectDeep in lodash before 4.17.20.", + "location": "https://github.com/secureCodeBox/secureCodeBox", + "mitigation": "Update the affected package lodash.set to the fixed version: undefined or remove the package from the image.", + "name": "nodejs-lodash: prototype pollution in zipObjectDeep function", "osi_layer": "NOT_APPLICABLE", "references": [ { "type": "CVE", - "value": "CVE-2021-23440", + "value": "CVE-2020-8203", }, { "type": "URL", - "value": "https://nvd.nist.gov/vuln/detail/CVE-2021-23440", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2020-8203", }, { "type": "URL", - "value": "https://github.com/advisories/GHSA-4jqc-8m5r-9rpr", + "value": "https://access.redhat.com/security/cve/CVE-2020-8203", }, { "type": "URL", - "value": "https://github.com/jonschlinkert/set-value/commit/7cf8073bb06bf0c15e08475f9f952823b4576452", + "value": "https://github.com/github/advisory-database/pull/2884", }, { "type": "URL", - "value": "https://github.com/jonschlinkert/set-value/pull/33", + "value": "https://github.com/lodash/lodash", }, { "type": "URL", - "value": "https://nvd.nist.gov/vuln/detail/CVE-2021-23440", + "value": "https://github.com/lodash/lodash/commit/c84fe82760fb2d3e03a63379b297a1cc1a2fce12", }, { "type": "URL", - "value": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1584212", + "value": "https://github.com/lodash/lodash/issues/4744", }, { "type": "URL", - "value": "https://snyk.io/vuln/SNYK-JS-SETVALUE-1540541", + "value": "https://github.com/lodash/lodash/issues/4874", }, { "type": "URL", - "value": 
"https://www.huntr.dev/bounties/2eae1159-01de-4f82-a177-7478a408c4a2/", + "value": "https://github.com/lodash/lodash/wiki/Changelog#v41719", }, - ], - "severity": "HIGH", - }, - { - "attributes": { - "fixedVersion": "6.1.2, 5.0.7, 4.4.15, 3.2.3", - "foundIn": "Node.js", - "installedVersion": "2.2.2", - "packageName": "tar", - "references": [ - "https://github.com/advisories/GHSA-r628-mhmh-qjhw", - "https://github.com/npm/node-tar/commit/9dbdeb6df8e9dbd96fa9e84341b9d74734be6c20", - "https://github.com/npm/node-tar/security/advisories/GHSA-r628-mhmh-qjhw", - "https://linux.oracle.com/cve/CVE-2021-32803.html", - "https://linux.oracle.com/errata/ELSA-2021-3666.html", - "https://nvd.nist.gov/vuln/detail/CVE-2021-32803", - "https://www.npmjs.com/advisories/1771", - "https://www.npmjs.com/package/tar", - "https://www.oracle.com/security-alerts/cpuoct2021.html", - ], - "vulnerabilityId": "CVE-2021-32803", - }, - "category": "NPM Package Vulnerability", - "description": "The npm package "tar" (aka node-tar) before versions 6.1.2, 5.0.7, 4.4.15, and 3.2.3 has an arbitrary File Creation/Overwrite vulnerability via insufficient symlink protection. \`node-tar\` aims to guarantee that any file whose location would be modified by a symbolic link is not extracted. This is, in part, achieved by ensuring that extracted directories are not symlinks. Additionally, in order to prevent unnecessary \`stat\` calls to determine whether a given path is a directory, paths are cached when directories are created. This logic was insufficient when extracting tar files that contained both a directory and a symlink with the same name as the directory. This order of operations resulted in the directory being created and added to the \`node-tar\` directory cache. When a directory is present in the directory cache, subsequent calls to mkdir for that directory are skipped. However, this is also where \`node-tar\` checks for symlinks occur. 
By first creating a directory, and then replacing that directory with a symlink, it was thus possible to bypass \`node-tar\` symlink checks on directories, essentially allowing an untrusted tar file to symlink into an arbitrary location and subsequently extracting arbitrary files into that location, thus allowing arbitrary file creation and overwrite. This issue was addressed in releases 3.2.3, 4.4.15, 5.0.7 and 6.1.2.", - "location": "bkimminich/juice-shop:v12.10.2", - "mitigation": "Update the affected package tar to the fixed version: 6.1.2, 5.0.7, 4.4.15, 3.2.3 or remove the package from the image.", - "name": "nodejs-tar: Insufficient symlink protection allowing arbitrary file creation and overwrite", - "osi_layer": "NOT_APPLICABLE", - "references": [ { - "type": "CVE", - "value": "CVE-2021-32803", + "type": "URL", + "value": "https://hackerone.com/reports/712065", }, { "type": "URL", - "value": "https://nvd.nist.gov/vuln/detail/CVE-2021-32803", + "value": "https://hackerone.com/reports/864701", }, { "type": "URL", - "value": "https://github.com/advisories/GHSA-r628-mhmh-qjhw", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2020-8203", }, { "type": "URL", - "value": "https://github.com/npm/node-tar/commit/9dbdeb6df8e9dbd96fa9e84341b9d74734be6c20", + "value": "https://security.netapp.com/advisory/ntap-20200724-0006", }, { "type": "URL", - "value": "https://github.com/npm/node-tar/security/advisories/GHSA-r628-mhmh-qjhw", + "value": "https://security.netapp.com/advisory/ntap-20200724-0006/", + }, + { + "type": "URL", + "value": "https://web.archive.org/web/20210914001339/https://github.com/lodash/lodash/issues/4744", + }, + { + "type": "URL", + "value": "https://www.cve.org/CVERecord?id=CVE-2020-8203", }, { "type": "URL", - "value": "https://linux.oracle.com/cve/CVE-2021-32803.html", + "value": "https://www.npmjs.com/advisories/1523", }, { "type": "URL", - "value": "https://linux.oracle.com/errata/ELSA-2021-3666.html", + "value": 
"https://www.oracle.com//security-alerts/cpujul2021.html", }, { "type": "URL", - "value": "https://nvd.nist.gov/vuln/detail/CVE-2021-32803", + "value": "https://www.oracle.com/security-alerts/cpuApr2021.html", }, { "type": "URL", - "value": "https://www.npmjs.com/advisories/1771", + "value": "https://www.oracle.com/security-alerts/cpuapr2022.html", }, { "type": "URL", - "value": "https://www.npmjs.com/package/tar", + "value": "https://www.oracle.com/security-alerts/cpujan2022.html", }, { "type": "URL", 
@@ -8901,1201 +45858,1100 @@ console.log(clean); }, { "attributes": { - "fixedVersion": "6.1.1, 5.0.6, 4.4.14, 3.2.2", - "foundIn": "Node.js", - "installedVersion": "2.2.2", - "packageName": "tar", + "fixedVersion": "0.23.0", + "foundIn": "lurker/go.mod", + "installedVersion": "0.17.0", + "packageName": "golang.org/x/net", "references": [ - "https://github.com/advisories/GHSA-3jfq-g458-7qm9", - "https://github.com/npm/node-tar/commit/1f036ca23f64a547bdd6c79c1a44bc62e8115da4", - "https://github.com/npm/node-tar/security/advisories/GHSA-3jfq-g458-7qm9", - "https://linux.oracle.com/cve/CVE-2021-32804.html", - "https://linux.oracle.com/errata/ELSA-2021-3666.html", - "https://nvd.nist.gov/vuln/detail/CVE-2021-32804", - "https://www.npmjs.com/advisories/1770", - "https://www.npmjs.com/package/tar", - "https://www.oracle.com/security-alerts/cpuoct2021.html", - ], - "vulnerabilityId": "CVE-2021-32804", + "http://www.openwall.com/lists/oss-security/2024/04/03/16", + "http://www.openwall.com/lists/oss-security/2024/04/05/4", + "https://access.redhat.com/errata/RHSA-2024:2724", + "https://access.redhat.com/security/cve/CVE-2023-45288", + "https://bugzilla.redhat.com/2268017", + "https://bugzilla.redhat.com/2268018", + "https://bugzilla.redhat.com/2268019", + "https://bugzilla.redhat.com/2268273", + "https://bugzilla.redhat.com/show_bug.cgi?id=2268017", + "https://bugzilla.redhat.com/show_bug.cgi?id=2268018", + "https://bugzilla.redhat.com/show_bug.cgi?id=2268019", + "https://bugzilla.redhat.com/show_bug.cgi?id=2268273", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-45288", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-45289", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-45290", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-24783", + "https://errata.almalinux.org/9/ALSA-2024-2724.html", + "https://errata.rockylinux.org/RLSA-2024:2724", + "https://go.dev/cl/576155", + "https://go.dev/issue/65051", + 
"https://groups.google.com/g/golang-announce/c/YgW0sx8mN3M", + "https://kb.cert.org/vuls/id/421644", + "https://linux.oracle.com/cve/CVE-2023-45288.html", + "https://linux.oracle.com/errata/ELSA-2024-3346.html", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QRYFHIQ6XRKRYBI2F5UESH67BJBQXUPT", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QRYFHIQ6XRKRYBI2F5UESH67BJBQXUPT/", + "https://nowotarski.info/http2-continuation-flood-technical-details", + "https://nowotarski.info/http2-continuation-flood/", + "https://nvd.nist.gov/vuln/detail/CVE-2023-45288", + "https://pkg.go.dev/vuln/GO-2024-2687", + "https://security.netapp.com/advisory/ntap-20240419-0009", + "https://security.netapp.com/advisory/ntap-20240419-0009/", + "https://ubuntu.com/security/notices/USN-6886-1", + "https://www.cve.org/CVERecord?id=CVE-2023-45288", + "https://www.kb.cert.org/vuls/id/421644", + ], + "vulnerabilityId": "CVE-2023-45288", }, - "category": "NPM Package Vulnerability", - "description": "The npm package "tar" (aka node-tar) before versions 6.1.1, 5.0.6, 4.4.14, and 3.3.2 has a arbitrary File Creation/Overwrite vulnerability due to insufficient absolute path sanitization. node-tar aims to prevent extraction of absolute file paths by turning absolute paths into relative paths when the \`preservePaths\` flag is not set to \`true\`. This is achieved by stripping the absolute path root from any absolute file paths contained in a tar file. For example \`/home/user/.bashrc\` would turn into \`home/user/.bashrc\`. This logic was insufficient when file paths contained repeated path roots such as \`////home/user/.bashrc\`. \`node-tar\` would only strip a single path root from such paths. When given an absolute file path with repeating path roots, the resulting path (e.g. \`///home/user/.bashrc\`) would still resolve to an absolute path, thus allowing arbitrary file creation and overwrite. 
This issue was addressed in releases 3.2.2, 4.4.14, 5.0.6 and 6.1.1. Users may work around this vulnerability without upgrading by creating a custom \`onentry\` method which sanitizes the \`entry.path\` or a \`filter\` method which removes entries with absolute paths. See referenced GitHub Advisory for details. Be aware of CVE-2021-32803 which fixes a similar bug in later versions of tar.", - "location": "bkimminich/juice-shop:v12.10.2", - "mitigation": "Update the affected package tar to the fixed version: 6.1.1, 5.0.6, 4.4.14, 3.2.2 or remove the package from the image.", - "name": "nodejs-tar: Insufficient absolute path sanitization allowing arbitrary file creation and overwrite", + "category": "Image Vulnerability", + "description": "An attacker may cause an HTTP/2 endpoint to read arbitrary amounts of header data by sending an excessive number of CONTINUATION frames. Maintaining HPACK state requires parsing and processing all HEADERS and CONTINUATION frames on a connection. When a request's headers exceed MaxHeaderBytes, no memory is allocated to store the excess headers, but they are still parsed. This permits an attacker to cause an HTTP/2 endpoint to read arbitrary amounts of header data, all associated with a request which is going to be rejected. These headers can include Huffman-encoded data which is significantly more expensive for the receiver to decode than for an attacker to send. 
The fix sets a limit on the amount of excess header frames we will process before closing a connection.", + "location": "https://github.com/secureCodeBox/secureCodeBox", + "mitigation": "Update the affected package golang.org/x/net to the fixed version: 0.23.0 or remove the package from the image.", + "name": "golang: net/http, x/net/http2: unlimited number of CONTINUATION frames causes DoS", "osi_layer": "NOT_APPLICABLE", "references": [ { "type": "CVE", - "value": "CVE-2021-32804", + "value": "CVE-2023-45288", }, { "type": "URL", - "value": "https://nvd.nist.gov/vuln/detail/CVE-2021-32804", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2023-45288", }, { "type": "URL", - "value": "https://github.com/advisories/GHSA-3jfq-g458-7qm9", + "value": "http://www.openwall.com/lists/oss-security/2024/04/03/16", }, { "type": "URL", - "value": "https://github.com/npm/node-tar/commit/1f036ca23f64a547bdd6c79c1a44bc62e8115da4", + "value": "http://www.openwall.com/lists/oss-security/2024/04/05/4", }, { "type": "URL", - "value": "https://github.com/npm/node-tar/security/advisories/GHSA-3jfq-g458-7qm9", + "value": "https://access.redhat.com/errata/RHSA-2024:2724", }, { "type": "URL", - "value": "https://linux.oracle.com/cve/CVE-2021-32804.html", + "value": "https://access.redhat.com/security/cve/CVE-2023-45288", }, { "type": "URL", - "value": "https://linux.oracle.com/errata/ELSA-2021-3666.html", + "value": "https://bugzilla.redhat.com/2268017", }, { "type": "URL", - "value": "https://nvd.nist.gov/vuln/detail/CVE-2021-32804", + "value": "https://bugzilla.redhat.com/2268018", }, { "type": "URL", - "value": "https://www.npmjs.com/advisories/1770", + "value": "https://bugzilla.redhat.com/2268019", }, { "type": "URL", - "value": "https://www.npmjs.com/package/tar", + "value": "https://bugzilla.redhat.com/2268273", }, { "type": "URL", - "value": "https://www.oracle.com/security-alerts/cpuoct2021.html", - }, - ], - "severity": "HIGH", - }, - { - "attributes": { - "fixedVersion": 
"6.1.7, 5.0.8, 4.4.16", - "foundIn": "Node.js", - "installedVersion": "2.2.2", - "packageName": "tar", - "references": [ - "https://github.com/advisories/GHSA-9r2w-394v-53qc", - "https://github.com/npm/node-tar/security/advisories/GHSA-9r2w-394v-53qc", - "https://nvd.nist.gov/vuln/detail/CVE-2021-37701", - "https://www.npmjs.com/advisories/1779", - "https://www.npmjs.com/package/tar", - "https://www.oracle.com/security-alerts/cpuoct2021.html", - ], - "vulnerabilityId": "CVE-2021-37701", - }, - "category": "NPM Package Vulnerability", - "description": "The npm package "tar" (aka node-tar) before versions 4.4.16, 5.0.8, and 6.1.7 has an arbitrary file creation/overwrite and arbitrary code execution vulnerability. node-tar aims to guarantee that any file whose location would be modified by a symbolic link is not extracted. This is, in part, achieved by ensuring that extracted directories are not symlinks. Additionally, in order to prevent unnecessary stat calls to determine whether a given path is a directory, paths are cached when directories are created. This logic was insufficient when extracting tar files that contained both a directory and a symlink with the same name as the directory, where the symlink and directory names in the archive entry used backslashes as a path separator on posix systems. The cache checking logic used both \`\\\` and \`/\` characters as path separators, however \`\\\` is a valid filename character on posix systems. By first creating a directory, and then replacing that directory with a symlink, it was thus possible to bypass node-tar symlink checks on directories, essentially allowing an untrusted tar file to symlink into an arbitrary location and subsequently extracting arbitrary files into that location, thus allowing arbitrary file creation and overwrite. Additionally, a similar confusion could arise on case-insensitive filesystems. 
If a tar archive contained a directory at \`FOO\`, followed by a symbolic link named \`foo\`, then on case-insensitive file systems, the creation of the symbolic link would remove the directory from the filesystem, but _not_ from the internal directory cache, as it would not be treated as a cache hit. A subsequent file entry within the \`FOO\` directory would then be placed in the target of the symbolic link, thinking that the directory had already been created. These issues were addressed in releases 4.4.16, 5.0.8 and 6.1.7. The v3 branch of node-tar has been deprecated and did not receive patches for these issues. If you are still using a v3 release we recommend you update to a more recent version of node-tar. If this is not possible, a workaround is available in the referenced GHSA-9r2w-394v-53qc.", - "location": "bkimminich/juice-shop:v12.10.2", - "mitigation": "Update the affected package tar to the fixed version: 6.1.7, 5.0.8, 4.4.16 or remove the package from the image.", - "name": "nodejs-tar: insufficient symlink protection due to directory cache poisoning using symbolic links allowing arbitrary file creation and overwrite", - "osi_layer": "NOT_APPLICABLE", - "references": [ - { - "type": "CVE", - "value": "CVE-2021-37701", + "value": "https://bugzilla.redhat.com/show_bug.cgi?id=2268017", }, { "type": "URL", - "value": "https://nvd.nist.gov/vuln/detail/CVE-2021-37701", + "value": "https://bugzilla.redhat.com/show_bug.cgi?id=2268018", }, { "type": "URL", - "value": "https://github.com/advisories/GHSA-9r2w-394v-53qc", + "value": "https://bugzilla.redhat.com/show_bug.cgi?id=2268019", }, { "type": "URL", - "value": "https://github.com/npm/node-tar/security/advisories/GHSA-9r2w-394v-53qc", + "value": "https://bugzilla.redhat.com/show_bug.cgi?id=2268273", }, { "type": "URL", - "value": "https://nvd.nist.gov/vuln/detail/CVE-2021-37701", + "value": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-45288", }, { "type": "URL", - "value": 
"https://www.npmjs.com/advisories/1779", + "value": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-45289", }, { "type": "URL", - "value": "https://www.npmjs.com/package/tar", + "value": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-45290", }, { "type": "URL", - "value": "https://www.oracle.com/security-alerts/cpuoct2021.html", - }, - ], - "severity": "HIGH", - }, - { - "attributes": { - "fixedVersion": "6.1.9, 5.0.10, 4.4.18", - "foundIn": "Node.js", - "installedVersion": "2.2.2", - "packageName": "tar", - "references": [ - "https://github.com/advisories/GHSA-qq89-hq3f-393p", - "https://github.com/npm/node-tar/security/advisories/GHSA-qq89-hq3f-393p", - "https://nvd.nist.gov/vuln/detail/CVE-2021-37712", - "https://www.npmjs.com/advisories/1780", - "https://www.npmjs.com/package/tar", - "https://www.oracle.com/security-alerts/cpuoct2021.html", - ], - "vulnerabilityId": "CVE-2021-37712", - }, - "category": "NPM Package Vulnerability", - "description": "The npm package "tar" (aka node-tar) before versions 4.4.18, 5.0.10, and 6.1.9 has an arbitrary file creation/overwrite and arbitrary code execution vulnerability. node-tar aims to guarantee that any file whose location would be modified by a symbolic link is not extracted. This is, in part, achieved by ensuring that extracted directories are not symlinks. Additionally, in order to prevent unnecessary stat calls to determine whether a given path is a directory, paths are cached when directories are created. This logic was insufficient when extracting tar files that contained both a directory and a symlink with names containing unicode values that normalized to the same value. Additionally, on Windows systems, long path portions would resolve to the same file system entities as their 8.3 "short path" counterparts. 
A specially crafted tar archive could thus include a directory with one form of the path, followed by a symbolic link with a different string that resolves to the same file system entity, followed by a file using the first form. By first creating a directory, and then replacing that directory with a symlink that had a different apparent name that resolved to the same entry in the filesystem, it was thus possible to bypass node-tar symlink checks on directories, essentially allowing an untrusted tar file to symlink into an arbitrary location and subsequently extracting arbitrary files into that location, thus allowing arbitrary file creation and overwrite. These issues were addressed in releases 4.4.18, 5.0.10 and 6.1.9. The v3 branch of node-tar has been deprecated and did not receive patches for these issues. If you are still using a v3 release we recommend you update to a more recent version of node-tar. If this is not possible, a workaround is available in the referenced GHSA-qq89-hq3f-393p.", - "location": "bkimminich/juice-shop:v12.10.2", - "mitigation": "Update the affected package tar to the fixed version: 6.1.9, 5.0.10, 4.4.18 or remove the package from the image.", - "name": "nodejs-tar: insufficient symlink protection due to directory cache poisoning using symbolic links allowing arbitrary file creation and overwrite", - "osi_layer": "NOT_APPLICABLE", - "references": [ - { - "type": "CVE", - "value": "CVE-2021-37712", + "value": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-24783", }, { "type": "URL", - "value": "https://nvd.nist.gov/vuln/detail/CVE-2021-37712", + "value": "https://errata.almalinux.org/9/ALSA-2024-2724.html", }, { "type": "URL", - "value": "https://github.com/advisories/GHSA-qq89-hq3f-393p", + "value": "https://errata.rockylinux.org/RLSA-2024:2724", }, { "type": "URL", - "value": "https://github.com/npm/node-tar/security/advisories/GHSA-qq89-hq3f-393p", + "value": "https://go.dev/cl/576155", }, { "type": "URL", - "value": 
"https://nvd.nist.gov/vuln/detail/CVE-2021-37712", + "value": "https://go.dev/issue/65051", }, { "type": "URL", - "value": "https://www.npmjs.com/advisories/1780", + "value": "https://groups.google.com/g/golang-announce/c/YgW0sx8mN3M", }, { "type": "URL", - "value": "https://www.npmjs.com/package/tar", + "value": "https://kb.cert.org/vuls/id/421644", }, { "type": "URL", - "value": "https://www.oracle.com/security-alerts/cpuoct2021.html", - }, - ], - "severity": "HIGH", - }, - { - "attributes": { - "fixedVersion": "6.1.9, 5.0.10, 4.4.18", - "foundIn": "Node.js", - "installedVersion": "2.2.2", - "packageName": "tar", - "references": [ - "https://github.com/advisories/GHSA-5955-9wpr-37jh", - "https://github.com/npm/node-tar/security/advisories/GHSA-5955-9wpr-37jh", - "https://nvd.nist.gov/vuln/detail/CVE-2021-37713", - "https://www.npmjs.com/package/tar", - "https://www.oracle.com/security-alerts/cpuoct2021.html", - ], - "vulnerabilityId": "CVE-2021-37713", - }, - "category": "NPM Package Vulnerability", - "description": "The npm package "tar" (aka node-tar) before versions 4.4.18, 5.0.10, and 6.1.9 has an arbitrary file creation/overwrite and arbitrary code execution vulnerability. node-tar aims to guarantee that any file whose location would be outside of the extraction target directory is not extracted. This is, in part, accomplished by sanitizing absolute paths of entries within the archive, skipping archive entries that contain \`..\` path portions, and resolving the sanitized paths against the extraction target directory. This logic was insufficient on Windows systems when extracting tar files that contained a path that was not an absolute path, but specified a drive letter different from the extraction target, such as \`C:some\\path\`. 
If the drive letter does not match the extraction target, for example \`D:\\extraction\\dir\`, then the result of \`path.resolve(extractionDirectory, entryPath)\` would resolve against the current working directory on the \`C:\` drive, rather than the extraction target directory. Additionally, a \`..\` portion of the path could occur immediately after the drive letter, such as \`C:../foo\`, and was not properly sanitized by the logic that checked for \`..\` within the normalized and split portions of the path. This only affects users of \`node-tar\` on Windows systems. These issues were addressed in releases 4.4.18, 5.0.10 and 6.1.9. The v3 branch of node-tar has been deprecated and did not receive patches for these issues. If you are still using a v3 release we recommend you update to a more recent version of node-tar. There is no reasonable way to work around this issue without performing the same path normalization procedures that node-tar now does. Users are encouraged to upgrade to the latest patched versions of node-tar, rather than attempt to sanitize paths themselves.", - "location": "bkimminich/juice-shop:v12.10.2", - "mitigation": "Update the affected package tar to the fixed version: 6.1.9, 5.0.10, 4.4.18 or remove the package from the image.", - "name": "Arbitrary File Creation/Overwrite on Windows via insufficient relative path sanitization", - "osi_layer": "NOT_APPLICABLE", - "references": [ - { - "type": "CVE", - "value": "CVE-2021-37713", + "value": "https://linux.oracle.com/cve/CVE-2023-45288.html", }, { "type": "URL", - "value": "https://nvd.nist.gov/vuln/detail/CVE-2021-37713", + "value": "https://linux.oracle.com/errata/ELSA-2024-3346.html", }, { "type": "URL", - "value": "https://github.com/advisories/GHSA-5955-9wpr-37jh", + "value": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QRYFHIQ6XRKRYBI2F5UESH67BJBQXUPT", }, { "type": "URL", - "value": 
"https://github.com/npm/node-tar/security/advisories/GHSA-5955-9wpr-37jh", + "value": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QRYFHIQ6XRKRYBI2F5UESH67BJBQXUPT/", }, { "type": "URL", - "value": "https://nvd.nist.gov/vuln/detail/CVE-2021-37713", + "value": "https://nowotarski.info/http2-continuation-flood-technical-details", }, { "type": "URL", - "value": "https://www.npmjs.com/package/tar", + "value": "https://nowotarski.info/http2-continuation-flood/", }, { "type": "URL", - "value": "https://www.oracle.com/security-alerts/cpuoct2021.html", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2023-45288", }, - ], - "severity": "HIGH", - }, - { - "attributes": { - "fixedVersion": "13.7.0", - "foundIn": "Node.js", - "installedVersion": "13.6.0", - "packageName": "validator", - "references": [ - "https://github.com/advisories/GHSA-qgmg-gppg-76g5", - "https://github.com/validatorjs/validator.js/commit/496fc8b2a7f5997acaaec33cc44d0b8dba5fb5e1", - "https://huntr.dev/bounties/c37e975c-21a3-4c5f-9b57-04d63b28cfc9", - "https://nvd.nist.gov/vuln/detail/CVE-2021-3765", - ], - "vulnerabilityId": "CVE-2021-3765", - }, - "category": "NPM Package Vulnerability", - "description": "validator.js is vulnerable to Inefficient Regular Expression Complexity", - "location": "bkimminich/juice-shop:v12.10.2", - "mitigation": "Update the affected package validator to the fixed version: 13.7.0 or remove the package from the image.", - "name": "Inefficient Regular Expression Complexity in validator.js", - "osi_layer": "NOT_APPLICABLE", - "references": [ { - "type": "CVE", - "value": "CVE-2021-3765", + "type": "URL", + "value": "https://pkg.go.dev/vuln/GO-2024-2687", }, { "type": "URL", - "value": "https://nvd.nist.gov/vuln/detail/CVE-2021-3765", + "value": "https://security.netapp.com/advisory/ntap-20240419-0009", }, { "type": "URL", - "value": "https://github.com/advisories/GHSA-qgmg-gppg-76g5", + "value": 
"https://security.netapp.com/advisory/ntap-20240419-0009/", }, { "type": "URL", - "value": "https://github.com/validatorjs/validator.js/commit/496fc8b2a7f5997acaaec33cc44d0b8dba5fb5e1", + "value": "https://ubuntu.com/security/notices/USN-6886-1", }, { "type": "URL", - "value": "https://huntr.dev/bounties/c37e975c-21a3-4c5f-9b57-04d63b28cfc9", + "value": "https://www.cve.org/CVERecord?id=CVE-2023-45288", }, { "type": "URL", - "value": "https://nvd.nist.gov/vuln/detail/CVE-2021-3765", + "value": "https://www.kb.cert.org/vuls/id/421644", }, ], "severity": "MEDIUM", }, { "attributes": { - "fixedVersion": "3.9.4", - "foundIn": "Node.js", - "installedVersion": "3.9.3", - "packageName": "vm2", + "fixedVersion": undefined, + "foundIn": "package-lock.json", + "installedVersion": "2.88.2", + "packageName": "request", "references": [ - "https://github.com/advisories/GHSA-rjf2-j2r6-q8gr", - "https://github.com/patriksimek/vm2/commit/b4f6e2bd2c4a1ef52fc4483d8e35f28bc4481886", - "https://github.com/patriksimek/vm2/issues/363", - "https://github.com/patriksimek/vm2/releases/tag/3.9.4", - "https://nvd.nist.gov/vuln/detail/CVE-2021-23449", - "https://security.netapp.com/advisory/ntap-20211029-0010/", - "https://snyk.io/vuln/SNYK-JS-VM2-1585918", + "https://doyensec.com/resources/Doyensec_Advisory_RequestSSRF_Q12023.pdf", + "https://github.com/cypress-io/request/blob/master/lib/redirect.js#L116", + "https://github.com/cypress-io/request/commit/c5bcf21d40fb61feaff21a0e5a2b3934a440024f", + "https://github.com/cypress-io/request/pull/28", + "https://github.com/cypress-io/request/releases/tag/v3.0.0", + "https://github.com/github/advisory-database/pull/2500", + "https://github.com/request/request", + "https://github.com/request/request/blob/master/lib/redirect.js#L111", + "https://github.com/request/request/issues/3442", + "https://github.com/request/request/pull/3444", + "https://nvd.nist.gov/vuln/detail/CVE-2023-28155", + "https://security.netapp.com/advisory/ntap-20230413-0007", + 
"https://security.netapp.com/advisory/ntap-20230413-0007/", ], - "vulnerabilityId": "CVE-2021-23449", + "vulnerabilityId": "CVE-2023-28155", }, "category": "NPM Package Vulnerability", - "description": "This affects the package vm2 before 3.9.4 via a Prototype Pollution attack vector, which can lead to execution of arbitrary code on the host machine.", - "location": "bkimminich/juice-shop:v12.10.2", - "mitigation": "Update the affected package vm2 to the fixed version: 3.9.4 or remove the package from the image.", - "name": "Prototype Pollution in vm2", + "description": "The Request package through 2.88.1 for Node.js allows a bypass of SSRF mitigations via an attacker-controller server that does a cross-protocol redirect (HTTP to HTTPS, or HTTPS to HTTP). NOTE: This vulnerability only affects products that are no longer supported by the maintainer.", + "location": "https://github.com/secureCodeBox/secureCodeBox", + "mitigation": "Update the affected package request to the fixed version: undefined or remove the package from the image.", + "name": "The Request package through 2.88.1 for Node.js allows a bypass of SSRF ...", "osi_layer": "NOT_APPLICABLE", "references": [ { "type": "CVE", - "value": "CVE-2021-23449", + "value": "CVE-2023-28155", }, { "type": "URL", - "value": "https://nvd.nist.gov/vuln/detail/CVE-2021-23449", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2023-28155", }, { "type": "URL", - "value": "https://github.com/advisories/GHSA-rjf2-j2r6-q8gr", + "value": "https://doyensec.com/resources/Doyensec_Advisory_RequestSSRF_Q12023.pdf", }, { "type": "URL", - "value": "https://github.com/patriksimek/vm2/commit/b4f6e2bd2c4a1ef52fc4483d8e35f28bc4481886", + "value": "https://github.com/cypress-io/request/blob/master/lib/redirect.js#L116", }, { "type": "URL", - "value": "https://github.com/patriksimek/vm2/issues/363", + "value": "https://github.com/cypress-io/request/commit/c5bcf21d40fb61feaff21a0e5a2b3934a440024f", }, { "type": "URL", - "value": 
"https://github.com/patriksimek/vm2/releases/tag/3.9.4", + "value": "https://github.com/cypress-io/request/pull/28", }, { "type": "URL", - "value": "https://nvd.nist.gov/vuln/detail/CVE-2021-23449", + "value": "https://github.com/cypress-io/request/releases/tag/v3.0.0", }, { "type": "URL", - "value": "https://security.netapp.com/advisory/ntap-20211029-0010/", + "value": "https://github.com/github/advisory-database/pull/2500", }, { "type": "URL", - "value": "https://snyk.io/vuln/SNYK-JS-VM2-1585918", + "value": "https://github.com/request/request", }, - ], - "severity": "HIGH", - }, -] -`; - -exports[`parses securecodebox:master result file into findings 1`] = ` -[ - { - "attributes": { - "fixedVersion": undefined, - "foundIn": "auto-discovery/kubernetes/go.sum", - "installedVersion": "3.2.0+incompatible", - "packageName": "github.com/dgrijalva/jwt-go", - "references": [ - "https://github.com/dgrijalva/jwt-go/pull/426", - "https://nvd.nist.gov/vuln/detail/CVE-2020-26160", - "https://snyk.io/vuln/SNYK-GOLANG-GITHUBCOMDGRIJALVAJWTGO-596515", - ], - "vulnerabilityId": "CVE-2020-26160", - }, - "category": "Go Package Vulnerability", - "description": "jwt-go before 4.0.0-preview1 allows attackers to bypass intended access restrictions in situations with []string{} for m["aud"] (which is allowed by the specification). Because the type assertion fails, "" is the value of aud. 
This is a security problem if the JWT token is presented to a service that lacks its own audience check.", - "location": "https://github.com/secureCodeBox/secureCodeBox", - "mitigation": "Update the affected package github.com/dgrijalva/jwt-go to the fixed version: undefined or remove the package from the image.", - "name": "jwt-go: access restriction bypass vulnerability", - "osi_layer": "NOT_APPLICABLE", - "references": [ { - "type": "CVE", - "value": "CVE-2020-26160", + "type": "URL", + "value": "https://github.com/request/request/blob/master/lib/redirect.js#L111", + }, + { + "type": "URL", + "value": "https://github.com/request/request/issues/3442", }, { "type": "URL", - "value": "https://nvd.nist.gov/vuln/detail/CVE-2020-26160", + "value": "https://github.com/request/request/pull/3444", }, { "type": "URL", - "value": "https://github.com/dgrijalva/jwt-go/pull/426", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2023-28155", }, { "type": "URL", - "value": "https://nvd.nist.gov/vuln/detail/CVE-2020-26160", + "value": "https://security.netapp.com/advisory/ntap-20230413-0007", }, { "type": "URL", - "value": "https://snyk.io/vuln/SNYK-GOLANG-GITHUBCOMDGRIJALVAJWTGO-596515", + "value": "https://security.netapp.com/advisory/ntap-20230413-0007/", }, ], - "severity": "HIGH", + "severity": "MEDIUM", }, { "attributes": { - "fixedVersion": "v1.3.2", - "foundIn": "auto-discovery/kubernetes/go.sum", - "installedVersion": "1.3.1", - "packageName": "github.com/gogo/protobuf", + "fixedVersion": "4.1.3", + "foundIn": "package-lock.json", + "installedVersion": "2.5.0", + "packageName": "tough-cookie", "references": [ - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3121", - "https://discuss.hashicorp.com/t/hcsec-2021-23-consul-exposed-to-denial-of-service-in-gogo-protobuf-dependency/29025", - "https://github.com/gogo/protobuf/commit/b03c65ea87cdc3521ede29f62fe3ce239267c1bc", - "https://github.com/gogo/protobuf/compare/v1.3.1...v1.3.2", - 
"https://lists.apache.org/thread.html/r68032132c0399c29d6cdc7bd44918535da54060a10a12b1591328bff@%3Cnotifications.skywalking.apache.org%3E", - "https://lists.apache.org/thread.html/r88d69555cb74a129a7bf84838073b61259b4a3830190e05a3b87994e@%3Ccommits.pulsar.apache.org%3E", - "https://lists.apache.org/thread.html/rc1e9ff22c5641d73701ba56362fb867d40ed287cca000b131dcf4a44@%3Ccommits.pulsar.apache.org%3E", - "https://nvd.nist.gov/vuln/detail/CVE-2021-3121", - "https://security.netapp.com/advisory/ntap-20210219-0006/", + "https://access.redhat.com/security/cve/CVE-2023-26136", + "https://github.com/salesforce/tough-cookie", + "https://github.com/salesforce/tough-cookie/commit/12d474791bb856004e858fdb1c47b7608d09cf6e", + "https://github.com/salesforce/tough-cookie/issues/282", + "https://github.com/salesforce/tough-cookie/releases/tag/v4.1.3", + "https://lists.debian.org/debian-lts-announce/2023/07/msg00010.html", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3HUE6ZR5SL73KHL7XUPAOEL6SB7HUDT2", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3HUE6ZR5SL73KHL7XUPAOEL6SB7HUDT2/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6PVVPNSAGSDS63HQ74PJ7MZ3MU5IYNVZ", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6PVVPNSAGSDS63HQ74PJ7MZ3MU5IYNVZ/", + "https://nvd.nist.gov/vuln/detail/CVE-2023-26136", + "https://security.netapp.com/advisory/ntap-20240621-0006", + "https://security.netapp.com/advisory/ntap-20240621-0006/", + "https://security.snyk.io/vuln/SNYK-JS-TOUGHCOOKIE-5672873", + "https://www.cve.org/CVERecord?id=CVE-2023-26136", ], - "vulnerabilityId": "CVE-2021-3121", + "vulnerabilityId": "CVE-2023-26136", }, - "category": "Go Package Vulnerability", - "description": "An issue was discovered in GoGo Protobuf before 1.3.2. 
plugin/unmarshal/unmarshal.go lacks certain index validation, aka the "skippy peanut butter" issue.", + "category": "NPM Package Vulnerability", + "description": "Versions of the package tough-cookie before 4.1.3 are vulnerable to Prototype Pollution due to improper handling of Cookies when using CookieJar in rejectPublicSuffixes=false mode. This issue arises from the manner in which the objects are initialized.", "location": "https://github.com/secureCodeBox/secureCodeBox", - "mitigation": "Update the affected package github.com/gogo/protobuf to the fixed version: v1.3.2 or remove the package from the image.", - "name": "gogo/protobuf: plugin/unmarshal/unmarshal.go lacks certain index validation", + "mitigation": "Update the affected package tough-cookie to the fixed version: 4.1.3 or remove the package from the image.", + "name": "tough-cookie: prototype pollution in cookie memstore", "osi_layer": "NOT_APPLICABLE", "references": [ { "type": "CVE", - "value": "CVE-2021-3121", - }, - { - "type": "URL", - "value": "https://nvd.nist.gov/vuln/detail/CVE-2021-3121", - }, - { - "type": "URL", - "value": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3121", - }, - { - "type": "URL", - "value": "https://discuss.hashicorp.com/t/hcsec-2021-23-consul-exposed-to-denial-of-service-in-gogo-protobuf-dependency/29025", + "value": "CVE-2023-26136", }, { "type": "URL", - "value": "https://github.com/gogo/protobuf/commit/b03c65ea87cdc3521ede29f62fe3ce239267c1bc", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2023-26136", }, { "type": "URL", - "value": "https://github.com/gogo/protobuf/compare/v1.3.1...v1.3.2", + "value": "https://access.redhat.com/security/cve/CVE-2023-26136", }, { "type": "URL", - "value": "https://lists.apache.org/thread.html/r68032132c0399c29d6cdc7bd44918535da54060a10a12b1591328bff@%3Cnotifications.skywalking.apache.org%3E", + "value": "https://github.com/salesforce/tough-cookie", }, { "type": "URL", - "value": 
"https://lists.apache.org/thread.html/r88d69555cb74a129a7bf84838073b61259b4a3830190e05a3b87994e@%3Ccommits.pulsar.apache.org%3E", + "value": "https://github.com/salesforce/tough-cookie/commit/12d474791bb856004e858fdb1c47b7608d09cf6e", }, { "type": "URL", - "value": "https://lists.apache.org/thread.html/rc1e9ff22c5641d73701ba56362fb867d40ed287cca000b131dcf4a44@%3Ccommits.pulsar.apache.org%3E", + "value": "https://github.com/salesforce/tough-cookie/issues/282", }, { "type": "URL", - "value": "https://nvd.nist.gov/vuln/detail/CVE-2021-3121", + "value": "https://github.com/salesforce/tough-cookie/releases/tag/v4.1.3", }, { "type": "URL", - "value": "https://security.netapp.com/advisory/ntap-20210219-0006/", - }, - ], - "severity": "HIGH", - }, - { - "attributes": { - "fixedVersion": "v1.1.25-0.20191211073109-8ebf2e419df7", - "foundIn": "auto-discovery/kubernetes/go.sum", - "installedVersion": "1.0.14", - "packageName": "github.com/miekg/dns", - "references": [ - "https://github.com/coredns/coredns/issues/3519", - "https://github.com/coredns/coredns/issues/3547", - "https://github.com/miekg/dns/compare/v1.1.24...v1.1.25", - "https://github.com/miekg/dns/issues/1043", - "https://github.com/miekg/dns/pull/1044", - ], - "vulnerabilityId": "CVE-2019-19794", - }, - "category": "Go Package Vulnerability", - "description": "The miekg Go DNS package before 1.1.25, as used in CoreDNS before 1.6.6 and other products, improperly generates random numbers because math/rand is used. 
The TXID becomes predictable, leading to response forgeries.", - "location": "https://github.com/secureCodeBox/secureCodeBox", - "mitigation": "Update the affected package github.com/miekg/dns to the fixed version: v1.1.25-0.20191211073109-8ebf2e419df7 or remove the package from the image.", - "name": "golang-github-miekg-dns: predictable TXID can lead to response forgeries", - "osi_layer": "NOT_APPLICABLE", - "references": [ + "value": "https://lists.debian.org/debian-lts-announce/2023/07/msg00010.html", + }, { - "type": "CVE", - "value": "CVE-2019-19794", + "type": "URL", + "value": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3HUE6ZR5SL73KHL7XUPAOEL6SB7HUDT2", + }, + { + "type": "URL", + "value": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3HUE6ZR5SL73KHL7XUPAOEL6SB7HUDT2/", + }, + { + "type": "URL", + "value": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6PVVPNSAGSDS63HQ74PJ7MZ3MU5IYNVZ", }, { "type": "URL", - "value": "https://nvd.nist.gov/vuln/detail/CVE-2019-19794", + "value": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6PVVPNSAGSDS63HQ74PJ7MZ3MU5IYNVZ/", }, { "type": "URL", - "value": "https://github.com/coredns/coredns/issues/3519", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2023-26136", }, { "type": "URL", - "value": "https://github.com/coredns/coredns/issues/3547", + "value": "https://security.netapp.com/advisory/ntap-20240621-0006", }, { "type": "URL", - "value": "https://github.com/miekg/dns/compare/v1.1.24...v1.1.25", + "value": "https://security.netapp.com/advisory/ntap-20240621-0006/", }, { "type": "URL", - "value": "https://github.com/miekg/dns/issues/1043", + "value": "https://security.snyk.io/vuln/SNYK-JS-TOUGHCOOKIE-5672873", }, { "type": "URL", - "value": "https://github.com/miekg/dns/pull/1044", + "value": 
"https://www.cve.org/CVERecord?id=CVE-2023-26136", }, ], "severity": "MEDIUM", }, { "attributes": { - "fixedVersion": "v0.0.0-20201216223049-8b5274cf687f", - "foundIn": "auto-discovery/kubernetes/go.sum", - "installedVersion": "0.0.0-20201002170205-7f63de1d35b0", - "packageName": "golang.org/x/crypto", + "fixedVersion": "1.7.4", + "foundIn": "parser-sdk/nodejs/package-lock.json", + "installedVersion": "1.6.0", + "packageName": "axios", "references": [ - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-29652", - "https://go-review.googlesource.com/c/crypto/+/278852", - "https://groups.google.com/g/golang-announce/c/ouZIlBimOsE?pli=1", - "https://lists.apache.org/thread.html/r68032132c0399c29d6cdc7bd44918535da54060a10a12b1591328bff@%3Cnotifications.skywalking.apache.org%3E", - "https://nvd.nist.gov/vuln/detail/CVE-2020-29652", + "https://access.redhat.com/security/cve/CVE-2024-39338", + "https://github.com/axios/axios", + "https://github.com/axios/axios/commit/6b6b605eaf73852fb2dae033f1e786155959de3a", + "https://github.com/axios/axios/issues/6463", + "https://github.com/axios/axios/pull/6539", + "https://github.com/axios/axios/pull/6543", + "https://github.com/axios/axios/releases", + "https://github.com/axios/axios/releases/tag/v1.7.4", + "https://jeffhacks.com/advisories/2024/06/24/CVE-2024-39338.html", + "https://nvd.nist.gov/vuln/detail/CVE-2024-39338", + "https://www.cve.org/CVERecord?id=CVE-2024-39338", ], - "vulnerabilityId": "CVE-2020-29652", + "vulnerabilityId": "CVE-2024-39338", }, - "category": "Go Package Vulnerability", - "description": "A nil pointer dereference in the golang.org/x/crypto/ssh component through v0.0.0-20201203163018-be400aefbc4c for Go allows remote attackers to cause a denial of service against SSH servers.", + "category": "NPM Package Vulnerability", + "description": "axios 1.7.2 allows SSRF via unexpected behavior where requests for path relative URLs get processed as protocol relative URLs.", "location": 
"https://github.com/secureCodeBox/secureCodeBox", - "mitigation": "Update the affected package golang.org/x/crypto to the fixed version: v0.0.0-20201216223049-8b5274cf687f or remove the package from the image.", - "name": "golang: crypto/ssh: crafted authentication request can lead to nil pointer dereference", + "mitigation": "Update the affected package axios to the fixed version: 1.7.4 or remove the package from the image.", + "name": "axios: axios: Server-Side Request Forgery", "osi_layer": "NOT_APPLICABLE", "references": [ { "type": "CVE", - "value": "CVE-2020-29652", + "value": "CVE-2024-39338", }, { "type": "URL", - "value": "https://nvd.nist.gov/vuln/detail/CVE-2020-29652", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2024-39338", }, { "type": "URL", - "value": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-29652", + "value": "https://access.redhat.com/security/cve/CVE-2024-39338", }, { "type": "URL", - "value": "https://go-review.googlesource.com/c/crypto/+/278852", + "value": "https://github.com/axios/axios", }, { "type": "URL", - "value": "https://groups.google.com/g/golang-announce/c/ouZIlBimOsE?pli=1", + "value": "https://github.com/axios/axios/commit/6b6b605eaf73852fb2dae033f1e786155959de3a", }, { "type": "URL", - "value": "https://lists.apache.org/thread.html/r68032132c0399c29d6cdc7bd44918535da54060a10a12b1591328bff@%3Cnotifications.skywalking.apache.org%3E", + "value": "https://github.com/axios/axios/issues/6463", }, { "type": "URL", - "value": "https://nvd.nist.gov/vuln/detail/CVE-2020-29652", + "value": "https://github.com/axios/axios/pull/6539", }, - ], - "severity": "HIGH", - }, - { - "attributes": { - "fixedVersion": undefined, - "foundIn": "lurker/go.sum", - "installedVersion": "3.2.0+incompatible", - "packageName": "github.com/dgrijalva/jwt-go", - "references": [ - "https://github.com/dgrijalva/jwt-go/pull/426", - "https://nvd.nist.gov/vuln/detail/CVE-2020-26160", - 
"https://snyk.io/vuln/SNYK-GOLANG-GITHUBCOMDGRIJALVAJWTGO-596515", - ], - "vulnerabilityId": "CVE-2020-26160", - }, - "category": "Go Package Vulnerability", - "description": "jwt-go before 4.0.0-preview1 allows attackers to bypass intended access restrictions in situations with []string{} for m["aud"] (which is allowed by the specification). Because the type assertion fails, "" is the value of aud. This is a security problem if the JWT token is presented to a service that lacks its own audience check.", - "location": "https://github.com/secureCodeBox/secureCodeBox", - "mitigation": "Update the affected package github.com/dgrijalva/jwt-go to the fixed version: undefined or remove the package from the image.", - "name": "jwt-go: access restriction bypass vulnerability", - "osi_layer": "NOT_APPLICABLE", - "references": [ { - "type": "CVE", - "value": "CVE-2020-26160", + "type": "URL", + "value": "https://github.com/axios/axios/pull/6543", + }, + { + "type": "URL", + "value": "https://github.com/axios/axios/releases", }, { "type": "URL", - "value": "https://nvd.nist.gov/vuln/detail/CVE-2020-26160", + "value": "https://github.com/axios/axios/releases/tag/v1.7.4", }, { "type": "URL", - "value": "https://github.com/dgrijalva/jwt-go/pull/426", + "value": "https://jeffhacks.com/advisories/2024/06/24/CVE-2024-39338.html", }, { "type": "URL", - "value": "https://nvd.nist.gov/vuln/detail/CVE-2020-26160", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2024-39338", }, { "type": "URL", - "value": "https://snyk.io/vuln/SNYK-GOLANG-GITHUBCOMDGRIJALVAJWTGO-596515", + "value": "https://www.cve.org/CVERecord?id=CVE-2024-39338", }, ], "severity": "HIGH", }, { "attributes": { - "fixedVersion": "v1.3.2", - "foundIn": "lurker/go.sum", - "installedVersion": "1.2.2-0.20190723190241-65acae22fc9d", - "packageName": "github.com/gogo/protobuf", + "fixedVersion": "10.0.0", + "foundIn": "parser-sdk/nodejs/package-lock.json", + "installedVersion": "7.2.0", + "packageName": "jsonpath-plus", 
"references": [ - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3121", - "https://discuss.hashicorp.com/t/hcsec-2021-23-consul-exposed-to-denial-of-service-in-gogo-protobuf-dependency/29025", - "https://github.com/gogo/protobuf/commit/b03c65ea87cdc3521ede29f62fe3ce239267c1bc", - "https://github.com/gogo/protobuf/compare/v1.3.1...v1.3.2", - "https://lists.apache.org/thread.html/r68032132c0399c29d6cdc7bd44918535da54060a10a12b1591328bff@%3Cnotifications.skywalking.apache.org%3E", - "https://lists.apache.org/thread.html/r88d69555cb74a129a7bf84838073b61259b4a3830190e05a3b87994e@%3Ccommits.pulsar.apache.org%3E", - "https://lists.apache.org/thread.html/rc1e9ff22c5641d73701ba56362fb867d40ed287cca000b131dcf4a44@%3Ccommits.pulsar.apache.org%3E", - "https://nvd.nist.gov/vuln/detail/CVE-2021-3121", - "https://security.netapp.com/advisory/ntap-20210219-0006/", + "https://access.redhat.com/security/cve/CVE-2024-21534", + "https://github.com/JSONPath-Plus/JSONPath", + "https://github.com/JSONPath-Plus/JSONPath/commit/6b2f1b4c234292c75912b790bf7e2d7339d4ccd3", + "https://github.com/JSONPath-Plus/JSONPath/commit/b70aa713553caf838a63bac923195a5bc541fd72", + "https://github.com/JSONPath-Plus/JSONPath/issues/226", + "https://nvd.nist.gov/vuln/detail/CVE-2024-21534", + "https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-8185019", + "https://security.snyk.io/vuln/SNYK-JS-JSONPATHPLUS-7945884", + "https://www.cve.org/CVERecord?id=CVE-2024-21534", ], - "vulnerabilityId": "CVE-2021-3121", + "vulnerabilityId": "CVE-2024-21534", }, - "category": "Go Package Vulnerability", - "description": "An issue was discovered in GoGo Protobuf before 1.3.2. plugin/unmarshal/unmarshal.go lacks certain index validation, aka the "skippy peanut butter" issue.", + "category": "NPM Package Vulnerability", + "description": "Versions of the package jsonpath-plus before 10.0.7 are vulnerable to Remote Code Execution (RCE) due to improper input sanitization. 
An attacker can execute aribitrary code on the system by exploiting the unsafe default usage of vm in Node. + +**Note:** + +There was an attempt to fix it in version [10.0.0](https://github.com/JSONPath-Plus/JSONPath/commit/6b2f1b4c234292c75912b790bf7e2d7339d4ccd3) but it could still be exploited using [different payloads](https://github.com/JSONPath-Plus/JSONPath/issues/226).", "location": "https://github.com/secureCodeBox/secureCodeBox", - "mitigation": "Update the affected package github.com/gogo/protobuf to the fixed version: v1.3.2 or remove the package from the image.", - "name": "gogo/protobuf: plugin/unmarshal/unmarshal.go lacks certain index validation", + "mitigation": "Update the affected package jsonpath-plus to the fixed version: 10.0.0 or remove the package from the image.", + "name": "jsonpath-plus: Remote Code Execution in jsonpath-plus via Improper Input Sanitization", "osi_layer": "NOT_APPLICABLE", "references": [ { "type": "CVE", - "value": "CVE-2021-3121", + "value": "CVE-2024-21534", }, { "type": "URL", - "value": "https://nvd.nist.gov/vuln/detail/CVE-2021-3121", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2024-21534", }, { "type": "URL", - "value": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3121", + "value": "https://access.redhat.com/security/cve/CVE-2024-21534", }, { "type": "URL", - "value": "https://discuss.hashicorp.com/t/hcsec-2021-23-consul-exposed-to-denial-of-service-in-gogo-protobuf-dependency/29025", + "value": "https://github.com/JSONPath-Plus/JSONPath", }, { "type": "URL", - "value": "https://github.com/gogo/protobuf/commit/b03c65ea87cdc3521ede29f62fe3ce239267c1bc", + "value": "https://github.com/JSONPath-Plus/JSONPath/commit/6b2f1b4c234292c75912b790bf7e2d7339d4ccd3", }, { "type": "URL", - "value": "https://github.com/gogo/protobuf/compare/v1.3.1...v1.3.2", + "value": "https://github.com/JSONPath-Plus/JSONPath/commit/b70aa713553caf838a63bac923195a5bc541fd72", }, { "type": "URL", - "value": 
"https://lists.apache.org/thread.html/r68032132c0399c29d6cdc7bd44918535da54060a10a12b1591328bff@%3Cnotifications.skywalking.apache.org%3E", + "value": "https://github.com/JSONPath-Plus/JSONPath/issues/226", }, { "type": "URL", - "value": "https://lists.apache.org/thread.html/r88d69555cb74a129a7bf84838073b61259b4a3830190e05a3b87994e@%3Ccommits.pulsar.apache.org%3E", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2024-21534", }, { "type": "URL", - "value": "https://lists.apache.org/thread.html/rc1e9ff22c5641d73701ba56362fb867d40ed287cca000b131dcf4a44@%3Ccommits.pulsar.apache.org%3E", + "value": "https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-8185019", }, { "type": "URL", - "value": "https://nvd.nist.gov/vuln/detail/CVE-2021-3121", + "value": "https://security.snyk.io/vuln/SNYK-JS-JSONPATHPLUS-7945884", }, { "type": "URL", - "value": "https://security.netapp.com/advisory/ntap-20210219-0006/", + "value": "https://www.cve.org/CVERecord?id=CVE-2024-21534", }, ], "severity": "HIGH", }, { "attributes": { - "fixedVersion": "v0.0.0-20201216223049-8b5274cf687f", - "foundIn": "lurker/go.sum", - "installedVersion": "0.0.0-20190611184440-5c40567a22f8", - "packageName": "golang.org/x/crypto", + "fixedVersion": undefined, + "foundIn": "parser-sdk/nodejs/package-lock.json", + "installedVersion": "2.88.2", + "packageName": "request", "references": [ - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-29652", - "https://go-review.googlesource.com/c/crypto/+/278852", - "https://groups.google.com/g/golang-announce/c/ouZIlBimOsE?pli=1", - "https://lists.apache.org/thread.html/r68032132c0399c29d6cdc7bd44918535da54060a10a12b1591328bff@%3Cnotifications.skywalking.apache.org%3E", - "https://nvd.nist.gov/vuln/detail/CVE-2020-29652", + "https://doyensec.com/resources/Doyensec_Advisory_RequestSSRF_Q12023.pdf", + "https://github.com/cypress-io/request/blob/master/lib/redirect.js#L116", + "https://github.com/cypress-io/request/commit/c5bcf21d40fb61feaff21a0e5a2b3934a440024f", + 
"https://github.com/cypress-io/request/pull/28", + "https://github.com/cypress-io/request/releases/tag/v3.0.0", + "https://github.com/github/advisory-database/pull/2500", + "https://github.com/request/request", + "https://github.com/request/request/blob/master/lib/redirect.js#L111", + "https://github.com/request/request/issues/3442", + "https://github.com/request/request/pull/3444", + "https://nvd.nist.gov/vuln/detail/CVE-2023-28155", + "https://security.netapp.com/advisory/ntap-20230413-0007", + "https://security.netapp.com/advisory/ntap-20230413-0007/", ], - "vulnerabilityId": "CVE-2020-29652", + "vulnerabilityId": "CVE-2023-28155", }, - "category": "Go Package Vulnerability", - "description": "A nil pointer dereference in the golang.org/x/crypto/ssh component through v0.0.0-20201203163018-be400aefbc4c for Go allows remote attackers to cause a denial of service against SSH servers.", + "category": "NPM Package Vulnerability", + "description": "The Request package through 2.88.1 for Node.js allows a bypass of SSRF mitigations via an attacker-controller server that does a cross-protocol redirect (HTTP to HTTPS, or HTTPS to HTTP). 
NOTE: This vulnerability only affects products that are no longer supported by the maintainer.", "location": "https://github.com/secureCodeBox/secureCodeBox", - "mitigation": "Update the affected package golang.org/x/crypto to the fixed version: v0.0.0-20201216223049-8b5274cf687f or remove the package from the image.", - "name": "golang: crypto/ssh: crafted authentication request can lead to nil pointer dereference", + "mitigation": "Update the affected package request to the fixed version: undefined or remove the package from the image.", + "name": "The Request package through 2.88.1 for Node.js allows a bypass of SSRF ...", "osi_layer": "NOT_APPLICABLE", "references": [ { "type": "CVE", - "value": "CVE-2020-29652", + "value": "CVE-2023-28155", }, { "type": "URL", - "value": "https://nvd.nist.gov/vuln/detail/CVE-2020-29652", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2023-28155", }, { "type": "URL", - "value": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-29652", + "value": "https://doyensec.com/resources/Doyensec_Advisory_RequestSSRF_Q12023.pdf", }, { "type": "URL", - "value": "https://go-review.googlesource.com/c/crypto/+/278852", + "value": "https://github.com/cypress-io/request/blob/master/lib/redirect.js#L116", }, { "type": "URL", - "value": "https://groups.google.com/g/golang-announce/c/ouZIlBimOsE?pli=1", + "value": "https://github.com/cypress-io/request/commit/c5bcf21d40fb61feaff21a0e5a2b3934a440024f", }, { "type": "URL", - "value": "https://lists.apache.org/thread.html/r68032132c0399c29d6cdc7bd44918535da54060a10a12b1591328bff@%3Cnotifications.skywalking.apache.org%3E", + "value": "https://github.com/cypress-io/request/pull/28", }, { "type": "URL", - "value": "https://nvd.nist.gov/vuln/detail/CVE-2020-29652", + "value": "https://github.com/cypress-io/request/releases/tag/v3.0.0", + }, + { + "type": "URL", + "value": "https://github.com/github/advisory-database/pull/2500", + }, + { + "type": "URL", + "value": 
"https://github.com/request/request", + }, + { + "type": "URL", + "value": "https://github.com/request/request/blob/master/lib/redirect.js#L111", + }, + { + "type": "URL", + "value": "https://github.com/request/request/issues/3442", + }, + { + "type": "URL", + "value": "https://github.com/request/request/pull/3444", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2023-28155", + }, + { + "type": "URL", + "value": "https://security.netapp.com/advisory/ntap-20230413-0007", + }, + { + "type": "URL", + "value": "https://security.netapp.com/advisory/ntap-20230413-0007/", }, ], - "severity": "HIGH", + "severity": "MEDIUM", }, { "attributes": { - "fixedVersion": "v0.0.0-20200220183623-bac4c82f6975", - "foundIn": "lurker/go.sum", - "installedVersion": "0.0.0-20190611184440-5c40567a22f8", - "packageName": "golang.org/x/crypto", + "fixedVersion": "4.1.3", + "foundIn": "parser-sdk/nodejs/package-lock.json", + "installedVersion": "2.5.0", + "packageName": "tough-cookie", "references": [ - "http://packetstormsecurity.com/files/156480/Go-SSH-0.0.2-Denial-Of-Service.html", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9283", - "https://groups.google.com/forum/#!topic/golang-announce/3L45YRc91SY", - "https://lists.debian.org/debian-lts-announce/2020/10/msg00014.html", - "https://lists.debian.org/debian-lts-announce/2020/11/msg00027.html", - "https://lists.debian.org/debian-lts-announce/2020/11/msg00031.html", - "https://nvd.nist.gov/vuln/detail/CVE-2020-9283", + "https://access.redhat.com/security/cve/CVE-2023-26136", + "https://github.com/salesforce/tough-cookie", + "https://github.com/salesforce/tough-cookie/commit/12d474791bb856004e858fdb1c47b7608d09cf6e", + "https://github.com/salesforce/tough-cookie/issues/282", + "https://github.com/salesforce/tough-cookie/releases/tag/v4.1.3", + "https://lists.debian.org/debian-lts-announce/2023/07/msg00010.html", + 
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3HUE6ZR5SL73KHL7XUPAOEL6SB7HUDT2", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3HUE6ZR5SL73KHL7XUPAOEL6SB7HUDT2/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6PVVPNSAGSDS63HQ74PJ7MZ3MU5IYNVZ", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6PVVPNSAGSDS63HQ74PJ7MZ3MU5IYNVZ/", + "https://nvd.nist.gov/vuln/detail/CVE-2023-26136", + "https://security.netapp.com/advisory/ntap-20240621-0006", + "https://security.netapp.com/advisory/ntap-20240621-0006/", + "https://security.snyk.io/vuln/SNYK-JS-TOUGHCOOKIE-5672873", + "https://www.cve.org/CVERecord?id=CVE-2023-26136", ], - "vulnerabilityId": "CVE-2020-9283", + "vulnerabilityId": "CVE-2023-26136", }, - "category": "Go Package Vulnerability", - "description": "golang.org/x/crypto before v0.0.0-20200220183623-bac4c82f6975 for Go allows a panic during signature verification in the golang.org/x/crypto/ssh package. A client can attack an SSH server that accepts public keys. Also, a server can attack any SSH client.", + "category": "NPM Package Vulnerability", + "description": "Versions of the package tough-cookie before 4.1.3 are vulnerable to Prototype Pollution due to improper handling of Cookies when using CookieJar in rejectPublicSuffixes=false mode. 
This issue arises from the manner in which the objects are initialized.", "location": "https://github.com/secureCodeBox/secureCodeBox", - "mitigation": "Update the affected package golang.org/x/crypto to the fixed version: v0.0.0-20200220183623-bac4c82f6975 or remove the package from the image.", - "name": "golang.org/x/crypto: Processing of crafted ssh-ed25519 public keys allows for panic", + "mitigation": "Update the affected package tough-cookie to the fixed version: 4.1.3 or remove the package from the image.", + "name": "tough-cookie: prototype pollution in cookie memstore", "osi_layer": "NOT_APPLICABLE", "references": [ { "type": "CVE", - "value": "CVE-2020-9283", + "value": "CVE-2023-26136", }, { "type": "URL", - "value": "https://nvd.nist.gov/vuln/detail/CVE-2020-9283", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2023-26136", }, { "type": "URL", - "value": "http://packetstormsecurity.com/files/156480/Go-SSH-0.0.2-Denial-Of-Service.html", + "value": "https://access.redhat.com/security/cve/CVE-2023-26136", }, { "type": "URL", - "value": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9283", + "value": "https://github.com/salesforce/tough-cookie", }, { "type": "URL", - "value": "https://groups.google.com/forum/#!topic/golang-announce/3L45YRc91SY", + "value": "https://github.com/salesforce/tough-cookie/commit/12d474791bb856004e858fdb1c47b7608d09cf6e", }, { "type": "URL", - "value": "https://lists.debian.org/debian-lts-announce/2020/10/msg00014.html", + "value": "https://github.com/salesforce/tough-cookie/issues/282", }, { "type": "URL", - "value": "https://lists.debian.org/debian-lts-announce/2020/11/msg00027.html", + "value": "https://github.com/salesforce/tough-cookie/releases/tag/v4.1.3", }, { "type": "URL", - "value": "https://lists.debian.org/debian-lts-announce/2020/11/msg00031.html", + "value": "https://lists.debian.org/debian-lts-announce/2023/07/msg00010.html", }, { "type": "URL", - "value": 
"https://nvd.nist.gov/vuln/detail/CVE-2020-9283", + "value": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3HUE6ZR5SL73KHL7XUPAOEL6SB7HUDT2", }, - ], - "severity": "HIGH", - }, - { - "attributes": { - "fixedVersion": "v2.2.8", - "foundIn": "lurker/go.sum", - "installedVersion": "2.2.4", - "packageName": "gopkg.in/yaml.v2", - "references": [ - "https://github.com/kubernetes/kubernetes/issues/89535", - "https://groups.google.com/d/msg/kubernetes-announce/ALL9s73E5ck/4yHe8J-PBAAJ", - "https://groups.google.com/forum/#!topic/kubernetes-security-announce/wuwEwZigXBc", - "https://linux.oracle.com/cve/CVE-2019-11254.html", - "https://linux.oracle.com/errata/ELSA-2020-5653.html", - "https://security.netapp.com/advisory/ntap-20200413-0003/", - ], - "vulnerabilityId": "CVE-2019-11254", - }, - "category": "Go Package Vulnerability", - "description": "The Kubernetes API Server component in versions 1.1-1.14, and versions prior to 1.15.10, 1.16.7 and 1.17.3 allows an authorized user who sends malicious YAML payloads to cause the kube-apiserver to consume excessive CPU cycles while parsing YAML.", - "location": "https://github.com/secureCodeBox/secureCodeBox", - "mitigation": "Update the affected package gopkg.in/yaml.v2 to the fixed version: v2.2.8 or remove the package from the image.", - "name": "kubernetes: Denial of service in API server via crafted YAML payloads by authorized users", - "osi_layer": "NOT_APPLICABLE", - "references": [ { - "type": "CVE", - "value": "CVE-2019-11254", + "type": "URL", + "value": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3HUE6ZR5SL73KHL7XUPAOEL6SB7HUDT2/", }, { "type": "URL", - "value": "https://nvd.nist.gov/vuln/detail/CVE-2019-11254", + "value": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6PVVPNSAGSDS63HQ74PJ7MZ3MU5IYNVZ", }, { "type": "URL", - "value": 
"https://github.com/kubernetes/kubernetes/issues/89535", + "value": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6PVVPNSAGSDS63HQ74PJ7MZ3MU5IYNVZ/", }, { "type": "URL", - "value": "https://groups.google.com/d/msg/kubernetes-announce/ALL9s73E5ck/4yHe8J-PBAAJ", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2023-26136", }, { "type": "URL", - "value": "https://groups.google.com/forum/#!topic/kubernetes-security-announce/wuwEwZigXBc", + "value": "https://security.netapp.com/advisory/ntap-20240621-0006", }, { "type": "URL", - "value": "https://linux.oracle.com/cve/CVE-2019-11254.html", + "value": "https://security.netapp.com/advisory/ntap-20240621-0006/", }, { "type": "URL", - "value": "https://linux.oracle.com/errata/ELSA-2020-5653.html", + "value": "https://security.snyk.io/vuln/SNYK-JS-TOUGHCOOKIE-5672873", }, { "type": "URL", - "value": "https://security.netapp.com/advisory/ntap-20200413-0003/", + "value": "https://www.cve.org/CVERecord?id=CVE-2023-26136", }, ], "severity": "MEDIUM", }, { "attributes": { - "fixedVersion": "v0.17.0", - "foundIn": "lurker/go.sum", - "installedVersion": "0.0.0-20191114101535-6c5935290e33", - "packageName": "k8s.io/client-go", + "fixedVersion": "5.2.4, 6.2.3, 7.5.10, 8.17.1", + "foundIn": "parser-sdk/nodejs/package-lock.json", + "installedVersion": "8.13.0", + "packageName": "ws", "references": [ - "http://www.openwall.com/lists/oss-security/2020/10/16/2", - "https://access.redhat.com/errata/RHSA-2019:4052", - "https://access.redhat.com/errata/RHSA-2019:4087", - "https://github.com/kubernetes/kubernetes/issues/81114", - "https://nvd.nist.gov/vuln/detail/CVE-2019-11250", - "https://security.netapp.com/advisory/ntap-20190919-0003/", - ], - "vulnerabilityId": "CVE-2019-11250", + "https://access.redhat.com/security/cve/CVE-2024-37890", + "https://github.com/websockets/ws", + "https://github.com/websockets/ws/commit/22c28763234aa75a7e1b76f5c01c181260d7917f", + 
"https://github.com/websockets/ws/commit/4abd8f6de4b0b65ef80b3ff081989479ed93377e", + "https://github.com/websockets/ws/commit/e55e5106f10fcbaac37cfa89759e4cc0d073a52c", + "https://github.com/websockets/ws/commit/eeb76d313e2a00dd5247ca3597bba7877d064a63", + "https://github.com/websockets/ws/issues/2230", + "https://github.com/websockets/ws/pull/2231", + "https://github.com/websockets/ws/security/advisories/GHSA-3h5v-q93c-6h6q", + "https://nodejs.org/api/http.html#servermaxheaderscount", + "https://nvd.nist.gov/vuln/detail/CVE-2024-37890", + "https://www.cve.org/CVERecord?id=CVE-2024-37890", + ], + "vulnerabilityId": "CVE-2024-37890", }, - "category": "Go Package Vulnerability", - "description": "The Kubernetes client-go library logs request headers at verbosity levels of 7 or higher. This can disclose credentials to unauthorized users via logs or command output. Kubernetes components (such as kube-apiserver) prior to v1.16.0, which make use of basic or bearer token authentication, and run at high verbosity levels, are affected.", + "category": "NPM Package Vulnerability", + "description": "ws is an open source WebSocket client and server for Node.js. A request with a number of headers exceeding theserver.maxHeadersCount threshold could be used to crash a ws server. The vulnerability was fixed in ws@8.17.1 (e55e510) and backported to ws@7.5.10 (22c2876), ws@6.2.3 (eeb76d3), and ws@5.2.4 (4abd8f6). In vulnerable versions of ws, the issue can be mitigated in the following ways: 1. Reduce the maximum allowed length of the request headers using the --max-http-header-size=size and/or the maxHeaderSize options so that no more headers than the server.maxHeadersCount limit can be sent. 2. 
Set server.maxHeadersCount to 0 so that no limit is applied.", "location": "https://github.com/secureCodeBox/secureCodeBox", - "mitigation": "Update the affected package k8s.io/client-go to the fixed version: v0.17.0 or remove the package from the image.", - "name": "kubernetes: Bearer tokens written to logs at high verbosity levels (>= 7)", + "mitigation": "Update the affected package ws to the fixed version: 5.2.4, 6.2.3, 7.5.10, 8.17.1 or remove the package from the image.", + "name": "nodejs-ws: denial of service when handling a request with many HTTP headers", "osi_layer": "NOT_APPLICABLE", "references": [ { "type": "CVE", - "value": "CVE-2019-11250", + "value": "CVE-2024-37890", }, { "type": "URL", - "value": "https://nvd.nist.gov/vuln/detail/CVE-2019-11250", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2024-37890", }, { "type": "URL", - "value": "http://www.openwall.com/lists/oss-security/2020/10/16/2", + "value": "https://access.redhat.com/security/cve/CVE-2024-37890", }, { "type": "URL", - "value": "https://access.redhat.com/errata/RHSA-2019:4052", + "value": "https://github.com/websockets/ws", }, { "type": "URL", - "value": "https://access.redhat.com/errata/RHSA-2019:4087", + "value": "https://github.com/websockets/ws/commit/22c28763234aa75a7e1b76f5c01c181260d7917f", }, { "type": "URL", - "value": "https://github.com/kubernetes/kubernetes/issues/81114", + "value": "https://github.com/websockets/ws/commit/4abd8f6de4b0b65ef80b3ff081989479ed93377e", }, { "type": "URL", - "value": "https://nvd.nist.gov/vuln/detail/CVE-2019-11250", + "value": "https://github.com/websockets/ws/commit/e55e5106f10fcbaac37cfa89759e4cc0d073a52c", }, { "type": "URL", - "value": "https://security.netapp.com/advisory/ntap-20190919-0003/", + "value": "https://github.com/websockets/ws/commit/eeb76d313e2a00dd5247ca3597bba7877d064a63", }, - ], - "severity": "MEDIUM", - }, - { - "attributes": { - "fixedVersion": "v0.20.0-alpha.2", - "foundIn": "lurker/go.sum", - "installedVersion": 
"0.0.0-20191114101535-6c5935290e33", - "packageName": "k8s.io/client-go", - "references": [ - "https://github.com/kubernetes/kubernetes/issues/95623", - "https://groups.google.com/g/kubernetes-announce/c/ScdmyORnPDk", - "https://groups.google.com/g/kubernetes-security-discuss/c/vm-HcrFUOCs/m/36utxAM5CwAJ", - "https://nvd.nist.gov/vuln/detail/CVE-2020-8565", - ], - "vulnerabilityId": "CVE-2020-8565", - }, - "category": "Go Package Vulnerability", - "description": "In Kubernetes, if the logging level is set to at least 9, authorization and bearer tokens will be written to log files. This can occur both in API server logs and client tool output like kubectl. This affects <= v1.19.3, <= v1.18.10, <= v1.17.13, < v1.20.0-alpha2.", - "location": "https://github.com/secureCodeBox/secureCodeBox", - "mitigation": "Update the affected package k8s.io/client-go to the fixed version: v0.20.0-alpha.2 or remove the package from the image.", - "name": "kubernetes: Incomplete fix for CVE-2019-11250 allows for token leak in logs when logLevel >= 9", - "osi_layer": "NOT_APPLICABLE", - "references": [ { - "type": "CVE", - "value": "CVE-2020-8565", + "type": "URL", + "value": "https://github.com/websockets/ws/issues/2230", }, { "type": "URL", - "value": "https://nvd.nist.gov/vuln/detail/CVE-2020-8565", + "value": "https://github.com/websockets/ws/pull/2231", }, { "type": "URL", - "value": "https://github.com/kubernetes/kubernetes/issues/95623", + "value": "https://github.com/websockets/ws/security/advisories/GHSA-3h5v-q93c-6h6q", }, { "type": "URL", - "value": "https://groups.google.com/g/kubernetes-announce/c/ScdmyORnPDk", + "value": "https://nodejs.org/api/http.html#servermaxheaderscount", }, { "type": "URL", - "value": "https://groups.google.com/g/kubernetes-security-discuss/c/vm-HcrFUOCs/m/36utxAM5CwAJ", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2024-37890", }, { "type": "URL", - "value": "https://nvd.nist.gov/vuln/detail/CVE-2020-8565", + "value": 
"https://www.cve.org/CVERecord?id=CVE-2024-37890", }, ], - "severity": "MEDIUM", + "severity": "HIGH", }, { "attributes": { "fixedVersion": undefined, - "foundIn": "operator/go.sum", - "installedVersion": "3.2.0+incompatible", - "packageName": "github.com/dgrijalva/jwt-go", + "foundIn": "scanners/amass/parser/package-lock.json", + "installedVersion": "2.0.1", + "packageName": "ip", "references": [ - "https://github.com/dgrijalva/jwt-go/pull/426", - "https://nvd.nist.gov/vuln/detail/CVE-2020-26160", - "https://snyk.io/vuln/SNYK-GOLANG-GITHUBCOMDGRIJALVAJWTGO-596515", + "https://access.redhat.com/security/cve/CVE-2024-29415", + "https://cosmosofcyberspace.github.io/npm_ip_cve/npm_ip_cve.html", + "https://github.com/indutny/node-ip", + "https://github.com/indutny/node-ip/issues/150", + "https://github.com/indutny/node-ip/pull/143", + "https://github.com/indutny/node-ip/pull/144", + "https://nvd.nist.gov/vuln/detail/CVE-2024-29415", + "https://www.cve.org/CVERecord?id=CVE-2024-29415", ], - "vulnerabilityId": "CVE-2020-26160", + "vulnerabilityId": "CVE-2024-29415", }, - "category": "Go Package Vulnerability", - "description": "jwt-go before 4.0.0-preview1 allows attackers to bypass intended access restrictions in situations with []string{} for m["aud"] (which is allowed by the specification). Because the type assertion fails, "" is the value of aud. This is a security problem if the JWT token is presented to a service that lacks its own audience check.", + "category": "NPM Package Vulnerability", + "description": "The ip package through 2.0.1 for Node.js might allow SSRF because some IP addresses (such as 127.1, 01200034567, 012.1.2.3, 000:0:0000::01, and ::fFFf:127.0.0.1) are improperly categorized as globally routable via isPublic. 
NOTE: this issue exists because of an incomplete fix for CVE-2023-42282.", "location": "https://github.com/secureCodeBox/secureCodeBox", - "mitigation": "Update the affected package github.com/dgrijalva/jwt-go to the fixed version: undefined or remove the package from the image.", - "name": "jwt-go: access restriction bypass vulnerability", + "mitigation": "Update the affected package ip to the fixed version: undefined or remove the package from the image.", + "name": "node-ip: Incomplete fix for CVE-2023-42282", "osi_layer": "NOT_APPLICABLE", "references": [ { "type": "CVE", - "value": "CVE-2020-26160", + "value": "CVE-2024-29415", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2024-29415", }, { "type": "URL", - "value": "https://nvd.nist.gov/vuln/detail/CVE-2020-26160", + "value": "https://access.redhat.com/security/cve/CVE-2024-29415", }, { "type": "URL", - "value": "https://github.com/dgrijalva/jwt-go/pull/426", + "value": "https://cosmosofcyberspace.github.io/npm_ip_cve/npm_ip_cve.html", }, { "type": "URL", - "value": "https://nvd.nist.gov/vuln/detail/CVE-2020-26160", + "value": "https://github.com/indutny/node-ip", }, { "type": "URL", - "value": "https://snyk.io/vuln/SNYK-GOLANG-GITHUBCOMDGRIJALVAJWTGO-596515", + "value": "https://github.com/indutny/node-ip/issues/150", + }, + { + "type": "URL", + "value": "https://github.com/indutny/node-ip/pull/143", + }, + { + "type": "URL", + "value": "https://github.com/indutny/node-ip/pull/144", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2024-29415", + }, + { + "type": "URL", + "value": "https://www.cve.org/CVERecord?id=CVE-2024-29415", }, ], "severity": "HIGH", }, { "attributes": { - "fixedVersion": "v1.3.2", - "foundIn": "operator/go.sum", - "installedVersion": "1.3.1", - "packageName": "github.com/gogo/protobuf", + "fixedVersion": "3.0.3", + "foundIn": "tests/integration/package-lock.json", + "installedVersion": "3.0.2", + "packageName": "braces", 
"references": [ - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3121", - "https://discuss.hashicorp.com/t/hcsec-2021-23-consul-exposed-to-denial-of-service-in-gogo-protobuf-dependency/29025", - "https://github.com/gogo/protobuf/commit/b03c65ea87cdc3521ede29f62fe3ce239267c1bc", - "https://github.com/gogo/protobuf/compare/v1.3.1...v1.3.2", - "https://lists.apache.org/thread.html/r68032132c0399c29d6cdc7bd44918535da54060a10a12b1591328bff@%3Cnotifications.skywalking.apache.org%3E", - "https://lists.apache.org/thread.html/r88d69555cb74a129a7bf84838073b61259b4a3830190e05a3b87994e@%3Ccommits.pulsar.apache.org%3E", - "https://lists.apache.org/thread.html/rc1e9ff22c5641d73701ba56362fb867d40ed287cca000b131dcf4a44@%3Ccommits.pulsar.apache.org%3E", - "https://nvd.nist.gov/vuln/detail/CVE-2021-3121", - "https://security.netapp.com/advisory/ntap-20210219-0006/", + "https://access.redhat.com/security/cve/CVE-2024-4068", + "https://devhub.checkmarx.com/cve-details/CVE-2024-4068", + "https://devhub.checkmarx.com/cve-details/CVE-2024-4068/", + "https://github.com/micromatch/braces", + "https://github.com/micromatch/braces/blob/98414f9f1fabe021736e26836d8306d5de747e0d/lib/parse.js#L308", + "https://github.com/micromatch/braces/commit/415d660c3002d1ab7e63dbf490c9851da80596ff", + "https://github.com/micromatch/braces/issues/35", + "https://github.com/micromatch/braces/pull/37", + "https://github.com/micromatch/braces/pull/40", + "https://nvd.nist.gov/vuln/detail/CVE-2024-4068", + "https://www.cve.org/CVERecord?id=CVE-2024-4068", ], - "vulnerabilityId": "CVE-2021-3121", + "vulnerabilityId": "CVE-2024-4068", }, - "category": "Go Package Vulnerability", - "description": "An issue was discovered in GoGo Protobuf before 1.3.2. 
plugin/unmarshal/unmarshal.go lacks certain index validation, aka the "skippy peanut butter" issue.", + "category": "NPM Package Vulnerability", + "description": "The NPM package \`braces\`, versions prior to 3.0.3, fails to limit the number of characters it can handle, which could lead to Memory Exhaustion. In \`lib/parse.js,\` if a malicious user sends "imbalanced braces" as input, the parsing will enter a loop, which will cause the program to start allocating heap memory without freeing it at any moment of the loop. Eventually, the JavaScript heap limit is reached, and the program will crash.", "location": "https://github.com/secureCodeBox/secureCodeBox", - "mitigation": "Update the affected package github.com/gogo/protobuf to the fixed version: v1.3.2 or remove the package from the image.", - "name": "gogo/protobuf: plugin/unmarshal/unmarshal.go lacks certain index validation", + "mitigation": "Update the affected package braces to the fixed version: 3.0.3 or remove the package from the image.", + "name": "braces: fails to limit the number of characters it can handle", "osi_layer": "NOT_APPLICABLE", "references": [ { "type": "CVE", - "value": "CVE-2021-3121", + "value": "CVE-2024-4068", }, { "type": "URL", - "value": "https://nvd.nist.gov/vuln/detail/CVE-2021-3121", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2024-4068", }, { "type": "URL", - "value": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3121", + "value": "https://access.redhat.com/security/cve/CVE-2024-4068", }, { "type": "URL", - "value": "https://discuss.hashicorp.com/t/hcsec-2021-23-consul-exposed-to-denial-of-service-in-gogo-protobuf-dependency/29025", + "value": "https://devhub.checkmarx.com/cve-details/CVE-2024-4068", }, { "type": "URL", - "value": "https://github.com/gogo/protobuf/commit/b03c65ea87cdc3521ede29f62fe3ce239267c1bc", + "value": "https://devhub.checkmarx.com/cve-details/CVE-2024-4068/", }, { "type": "URL", - "value": 
"https://github.com/gogo/protobuf/compare/v1.3.1...v1.3.2", + "value": "https://github.com/micromatch/braces", }, { "type": "URL", - "value": "https://lists.apache.org/thread.html/r68032132c0399c29d6cdc7bd44918535da54060a10a12b1591328bff@%3Cnotifications.skywalking.apache.org%3E", + "value": "https://github.com/micromatch/braces/blob/98414f9f1fabe021736e26836d8306d5de747e0d/lib/parse.js#L308", }, { "type": "URL", - "value": "https://lists.apache.org/thread.html/r88d69555cb74a129a7bf84838073b61259b4a3830190e05a3b87994e@%3Ccommits.pulsar.apache.org%3E", + "value": "https://github.com/micromatch/braces/commit/415d660c3002d1ab7e63dbf490c9851da80596ff", }, { "type": "URL", - "value": "https://lists.apache.org/thread.html/rc1e9ff22c5641d73701ba56362fb867d40ed287cca000b131dcf4a44@%3Ccommits.pulsar.apache.org%3E", + "value": "https://github.com/micromatch/braces/issues/35", }, { "type": "URL", - "value": "https://nvd.nist.gov/vuln/detail/CVE-2021-3121", + "value": "https://github.com/micromatch/braces/pull/37", }, { "type": "URL", - "value": "https://security.netapp.com/advisory/ntap-20210219-0006/", + "value": "https://github.com/micromatch/braces/pull/40", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2024-4068", + }, + { + "type": "URL", + "value": "https://www.cve.org/CVERecord?id=CVE-2024-4068", }, ], "severity": "HIGH", }, { "attributes": { - "fixedVersion": "v1.1.25-0.20191211073109-8ebf2e419df7", - "foundIn": "operator/go.sum", - "installedVersion": "1.0.14", - "packageName": "github.com/miekg/dns", + "fixedVersion": "4.0.8", + "foundIn": "tests/integration/package-lock.json", + "installedVersion": "4.0.5", + "packageName": "micromatch", "references": [ - "https://github.com/coredns/coredns/issues/3519", - "https://github.com/coredns/coredns/issues/3547", - "https://github.com/miekg/dns/compare/v1.1.24...v1.1.25", - "https://github.com/miekg/dns/issues/1043", - "https://github.com/miekg/dns/pull/1044", + 
"https://access.redhat.com/security/cve/CVE-2024-4067", + "https://advisory.checkmarx.net/advisory/CVE-2024-4067", + "https://advisory.checkmarx.net/advisory/CVE-2024-4067/", + "https://devhub.checkmarx.com/cve-details/CVE-2024-4067", + "https://devhub.checkmarx.com/cve-details/CVE-2024-4067/", + "https://github.com/micromatch/micromatch", + "https://github.com/micromatch/micromatch/blob/2c56a8604b68c1099e7bc0f807ce0865a339747a/index.js#L448", + "https://github.com/micromatch/micromatch/commit/03aa8052171e878897eee5d7bb2ae0ae83ec2ade", + "https://github.com/micromatch/micromatch/commit/500d5d6f42f0e8dfa1cb5464c6cb420b1b6aaaa0", + "https://github.com/micromatch/micromatch/issues/243", + "https://github.com/micromatch/micromatch/pull/247", + "https://github.com/micromatch/micromatch/pull/266", + "https://github.com/micromatch/micromatch/releases/tag/4.0.8", + "https://nvd.nist.gov/vuln/detail/CVE-2024-4067", + "https://www.cve.org/CVERecord?id=CVE-2024-4067", ], - "vulnerabilityId": "CVE-2019-19794", + "vulnerabilityId": "CVE-2024-4067", }, - "category": "Go Package Vulnerability", - "description": "The miekg Go DNS package before 1.1.25, as used in CoreDNS before 1.6.6 and other products, improperly generates random numbers because math/rand is used. The TXID becomes predictable, leading to response forgeries.", + "category": "NPM Package Vulnerability", + "description": "The NPM package \`micromatch\` prior to 4.0.8 is vulnerable to Regular Expression Denial of Service (ReDoS). The vulnerability occurs in \`micromatch.braces()\` in \`index.js\` because the pattern \`.*\` will greedily match anything. By passing a malicious payload, the pattern matching will keep backtracking to the input while it doesn't find the closing bracket. As the input size increases, the consumption time will also increase until it causes the application to hang or slow down. There was a merged fix but further testing shows the issue persists. 
This issue should be mitigated by using a safe pattern that won't start backtracking the regular expression due to greedy matching. This issue was fixed in version 4.0.8.", "location": "https://github.com/secureCodeBox/secureCodeBox", - "mitigation": "Update the affected package github.com/miekg/dns to the fixed version: v1.1.25-0.20191211073109-8ebf2e419df7 or remove the package from the image.", - "name": "golang-github-miekg-dns: predictable TXID can lead to response forgeries", + "mitigation": "Update the affected package micromatch to the fixed version: 4.0.8 or remove the package from the image.", + "name": "micromatch: vulnerable to Regular Expression Denial of Service", "osi_layer": "NOT_APPLICABLE", "references": [ { "type": "CVE", - "value": "CVE-2019-19794", + "value": "CVE-2024-4067", }, { "type": "URL", - "value": "https://nvd.nist.gov/vuln/detail/CVE-2019-19794", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2024-4067", }, { "type": "URL", - "value": "https://github.com/coredns/coredns/issues/3519", + "value": "https://access.redhat.com/security/cve/CVE-2024-4067", }, { "type": "URL", - "value": "https://github.com/coredns/coredns/issues/3547", + "value": "https://advisory.checkmarx.net/advisory/CVE-2024-4067", }, { "type": "URL", - "value": "https://github.com/miekg/dns/compare/v1.1.24...v1.1.25", + "value": "https://advisory.checkmarx.net/advisory/CVE-2024-4067/", }, { "type": "URL", - "value": "https://github.com/miekg/dns/issues/1043", + "value": "https://devhub.checkmarx.com/cve-details/CVE-2024-4067", }, { "type": "URL", - "value": "https://github.com/miekg/dns/pull/1044", + "value": "https://devhub.checkmarx.com/cve-details/CVE-2024-4067/", }, - ], - "severity": "MEDIUM", - }, - { - "attributes": { - "fixedVersion": "v0.0.0-20201216223049-8b5274cf687f", - "foundIn": "operator/go.sum", - "installedVersion": "0.0.0-20201002170205-7f63de1d35b0", - "packageName": "golang.org/x/crypto", - "references": [ - 
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-29652", - "https://go-review.googlesource.com/c/crypto/+/278852", - "https://groups.google.com/g/golang-announce/c/ouZIlBimOsE?pli=1", - "https://lists.apache.org/thread.html/r68032132c0399c29d6cdc7bd44918535da54060a10a12b1591328bff@%3Cnotifications.skywalking.apache.org%3E", - "https://nvd.nist.gov/vuln/detail/CVE-2020-29652", - ], - "vulnerabilityId": "CVE-2020-29652", - }, - "category": "Go Package Vulnerability", - "description": "A nil pointer dereference in the golang.org/x/crypto/ssh component through v0.0.0-20201203163018-be400aefbc4c for Go allows remote attackers to cause a denial of service against SSH servers.", - "location": "https://github.com/secureCodeBox/secureCodeBox", - "mitigation": "Update the affected package golang.org/x/crypto to the fixed version: v0.0.0-20201216223049-8b5274cf687f or remove the package from the image.", - "name": "golang: crypto/ssh: crafted authentication request can lead to nil pointer dereference", - "osi_layer": "NOT_APPLICABLE", - "references": [ { - "type": "CVE", - "value": "CVE-2020-29652", + "type": "URL", + "value": "https://github.com/micromatch/micromatch", }, { "type": "URL", - "value": "https://nvd.nist.gov/vuln/detail/CVE-2020-29652", + "value": "https://github.com/micromatch/micromatch/blob/2c56a8604b68c1099e7bc0f807ce0865a339747a/index.js#L448", }, { "type": "URL", - "value": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-29652", + "value": "https://github.com/micromatch/micromatch/commit/03aa8052171e878897eee5d7bb2ae0ae83ec2ade", }, { "type": "URL", - "value": "https://go-review.googlesource.com/c/crypto/+/278852", + "value": "https://github.com/micromatch/micromatch/commit/500d5d6f42f0e8dfa1cb5464c6cb420b1b6aaaa0", }, { "type": "URL", - "value": "https://groups.google.com/g/golang-announce/c/ouZIlBimOsE?pli=1", + "value": "https://github.com/micromatch/micromatch/issues/243", }, { "type": "URL", - "value": 
"https://lists.apache.org/thread.html/r68032132c0399c29d6cdc7bd44918535da54060a10a12b1591328bff@%3Cnotifications.skywalking.apache.org%3E", + "value": "https://github.com/micromatch/micromatch/pull/247", }, { "type": "URL", - "value": "https://nvd.nist.gov/vuln/detail/CVE-2020-29652", + "value": "https://github.com/micromatch/micromatch/pull/266", + }, + { + "type": "URL", + "value": "https://github.com/micromatch/micromatch/releases/tag/4.0.8", + }, + { + "type": "URL", + "value": "https://nvd.nist.gov/vuln/detail/CVE-2024-4067", + }, + { + "type": "URL", + "value": "https://www.cve.org/CVERecord?id=CVE-2024-4067", }, ], - "severity": "HIGH", + "severity": "MEDIUM", }, ] `; diff --git a/scanners/trivy/parser/__testFiles__/juice-shop-v10.2.0.json b/scanners/trivy/parser/__testFiles__/juice-shop-v10.2.0.json index aa198fa72e..1b6032ab88 100644 --- a/scanners/trivy/parser/__testFiles__/juice-shop-v10.2.0.json +++ b/scanners/trivy/parser/__testFiles__/juice-shop-v10.2.0.json @@ -1,5 +1,6 @@ { "SchemaVersion": 2, + "CreatedAt": "2024-10-28T15:18:53.825953605Z", "ArtifactName": "bkimminich/juice-shop:v10.2.0", "ArtifactType": "container_image", "Metadata": { 
@@ -178,55 +179,92 @@ "Vulnerabilities": [ { "VulnerabilityID": "CVE-2021-36159", + "PkgID": "apk-tools@2.10.4-r3", "PkgName": "apk-tools", + "PkgIdentifier": { + "PURL": "pkg:apk/alpine/apk-tools@2.10.4-r3?arch=x86_64\u0026distro=3.11.5", + "UID": "36a5b04d7612c890" + }, "InstalledVersion": "2.10.4-r3", "FixedVersion": "2.10.7-r0", + "Status": "fixed", "Layer": { "Digest": "sha256:aad63a9339440e7c3e1fff2b988991b9bfb81280042fa7f39a5e327023056819", "DiffID": "sha256:beee9f30bc1f711043e78d4a2be0668955d4b761d587d6f60c2c8dc081efb203" }, "SeveritySource": "nvd", "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2021-36159", + "DataSource": { + "ID": "alpine", + "Name": "Alpine Secdb", + "URL": "https://secdb.alpinelinux.org/" + }, + "Title": "libfetch: an out of boundary read while libfetch uses strtol to parse the relevant numbers into address bytes leads to information leak or crash", "Description": "libfetch before 2021-07-26, as used in apk-tools, xbps, and other products, mishandles numeric strings for the FTP and HTTP protocols. The FTP passive mode implementation allows an out-of-bounds read because strtol is used to parse the relevant numbers into address bytes. It does not check if the line ends prematurely. 
If it does, the for-loop condition checks for the '\\0' terminator one byte too late.", "Severity": "CRITICAL", "CweIDs": [ "CWE-125" ], + "VendorSeverity": { + "nvd": 4, + "redhat": 3 + }, "CVSS": { "nvd": { "V2Vector": "AV:N/AC:L/Au:N/C:P/I:N/A:P", "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H", "V2Score": 6.4, "V3Score": 9.1 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H", + "V3Score": 9.1 } }, "References": [ + "https://access.redhat.com/security/cve/CVE-2021-36159", "https://github.com/freebsd/freebsd-src/commits/main/lib/libfetch", "https://gitlab.alpinelinux.org/alpine/apk-tools/-/issues/10749", - "https://lists.apache.org/thread.html/r61db8e7dcb56dc000a5387a88f7a473bacec5ee01b9ff3f55308aacc@%3Cdev.kafka.apache.org%3E", - "https://lists.apache.org/thread.html/r61db8e7dcb56dc000a5387a88f7a473bacec5ee01b9ff3f55308aacc@%3Cusers.kafka.apache.org%3E", - "https://lists.apache.org/thread.html/rbf4ce74b0d1fa9810dec50ba3ace0caeea677af7c27a97111c06ccb7@%3Cdev.kafka.apache.org%3E", - "https://lists.apache.org/thread.html/rbf4ce74b0d1fa9810dec50ba3ace0caeea677af7c27a97111c06ccb7@%3Cusers.kafka.apache.org%3E" - ], - "PublishedDate": "2021-08-03T14:15:00Z", - "LastModifiedDate": "2021-10-18T12:19:00Z" + "https://lists.apache.org/thread.html/r61db8e7dcb56dc000a5387a88f7a473bacec5ee01b9ff3f55308aacc%40%3Cdev.kafka.apache.org%3E", + "https://lists.apache.org/thread.html/r61db8e7dcb56dc000a5387a88f7a473bacec5ee01b9ff3f55308aacc%40%3Cusers.kafka.apache.org%3E", + "https://lists.apache.org/thread.html/rbf4ce74b0d1fa9810dec50ba3ace0caeea677af7c27a97111c06ccb7%40%3Cdev.kafka.apache.org%3E", + "https://lists.apache.org/thread.html/rbf4ce74b0d1fa9810dec50ba3ace0caeea677af7c27a97111c06ccb7%40%3Cusers.kafka.apache.org%3E", + "https://nvd.nist.gov/vuln/detail/CVE-2021-36159", + "https://www.cve.org/CVERecord?id=CVE-2021-36159" + ], + "PublishedDate": "2021-08-03T14:15:08.233Z", + "LastModifiedDate": "2023-11-07T03:36:43.337Z" }, { 
"VulnerabilityID": "CVE-2021-30139", + "PkgID": "apk-tools@2.10.4-r3", "PkgName": "apk-tools", + "PkgIdentifier": { + "PURL": "pkg:apk/alpine/apk-tools@2.10.4-r3?arch=x86_64\u0026distro=3.11.5", + "UID": "36a5b04d7612c890" + }, "InstalledVersion": "2.10.4-r3", "FixedVersion": "2.10.6-r0", + "Status": "fixed", "Layer": { "Digest": "sha256:aad63a9339440e7c3e1fff2b988991b9bfb81280042fa7f39a5e327023056819", "DiffID": "sha256:beee9f30bc1f711043e78d4a2be0668955d4b761d587d6f60c2c8dc081efb203" }, "SeveritySource": "nvd", "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2021-30139", + "DataSource": { + "ID": "alpine", + "Name": "Alpine Secdb", + "URL": "https://secdb.alpinelinux.org/" + }, "Description": "In Alpine Linux apk-tools before 2.12.5, the tarball parser allows a buffer overflow and crash.", "Severity": "HIGH", "CweIDs": [ "CWE-125" ], + "VendorSeverity": { + "nvd": 3 + }, "CVSS": { "nvd": { "V2Vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P", 
@@ -239,26 +277,44 @@ "https://gitlab.alpinelinux.org/alpine/apk-tools/-/issues/10741", "https://gitlab.alpinelinux.org/alpine/aports/-/issues/12606" ], - "PublishedDate": "2021-04-21T16:15:00Z", - "LastModifiedDate": "2021-04-22T18:21:00Z" + "PublishedDate": "2021-04-21T16:15:08.83Z", + "LastModifiedDate": "2021-04-22T18:21:47.167Z" }, { "VulnerabilityID": "CVE-2021-28831", + "PkgID": "busybox@1.31.1-r9", "PkgName": "busybox", + "PkgIdentifier": { + "PURL": "pkg:apk/alpine/busybox@1.31.1-r9?arch=x86_64\u0026distro=3.11.5", + "UID": "533889b2024291fa" + }, "InstalledVersion": "1.31.1-r9", "FixedVersion": "1.31.1-r10", + "Status": "fixed", "Layer": { "Digest": "sha256:aad63a9339440e7c3e1fff2b988991b9bfb81280042fa7f39a5e327023056819", "DiffID": "sha256:beee9f30bc1f711043e78d4a2be0668955d4b761d587d6f60c2c8dc081efb203" }, "SeveritySource": "nvd", "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2021-28831", + "DataSource": { + "ID": "alpine", + "Name": "Alpine Secdb", + "URL": "https://secdb.alpinelinux.org/" + }, "Title": "busybox: invalid free or segmentation fault via malformed gzip data", "Description": "decompress_gunzip.c in BusyBox through 1.32.1 mishandles the error bit on the huft_build result pointer, with a resultant invalid free or segmentation fault, via malformed gzip data.", "Severity": "HIGH", "CweIDs": [ "CWE-755" ], + "VendorSeverity": { + "amazon": 2, + "cbl-mariner": 3, + "nvd": 3, + "redhat": 2, + "ubuntu": 1 + }, "CVSS": { "nvd": { "V2Vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P", 
@@ -272,579 +328,667 @@ } }, "References": [ - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28831", + "https://access.redhat.com/security/cve/CVE-2021-28831", "https://git.busybox.net/busybox/commit/?id=f25d254dfd4243698c31a4f3153d4ac72aa9e9bd", "https://lists.debian.org/debian-lts-announce/2021/04/msg00001.html", - "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3UDQGJRECXFS5EZVDH2OI45FMO436AC4/", - "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Z7ZIFKPRR32ZYA3WAA2NXFA3QHHOU6FJ/", - "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZASBW7QRRLY5V2R44MQ4QQM4CZIDHM2U/", - "https://security.gentoo.org/glsa/202105-09" - ], - "PublishedDate": "2021-03-19T05:15:00Z", - "LastModifiedDate": "2021-05-26T10:15:00Z" + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3UDQGJRECXFS5EZVDH2OI45FMO436AC4/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Z7ZIFKPRR32ZYA3WAA2NXFA3QHHOU6FJ/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZASBW7QRRLY5V2R44MQ4QQM4CZIDHM2U/", + "https://nvd.nist.gov/vuln/detail/CVE-2021-28831", + "https://security.gentoo.org/glsa/202105-09", + "https://ubuntu.com/security/notices/USN-5179-1", + "https://ubuntu.com/security/notices/USN-5179-2", + "https://ubuntu.com/security/notices/USN-6335-1", + "https://www.cve.org/CVERecord?id=CVE-2021-28831" + ], + "PublishedDate": "2021-03-19T05:15:13.15Z", + "LastModifiedDate": "2023-11-07T03:32:23.577Z" }, { - "VulnerabilityID": "CVE-2021-3711", - "PkgName": "libcrypto1.1", - "InstalledVersion": "1.1.1d-r3", - "FixedVersion": "1.1.1l-r0", + "VulnerabilityID": "CVE-2021-42378", + "PkgID": "busybox@1.31.1-r9", + "PkgName": "busybox", + "PkgIdentifier": { + "PURL": 
"pkg:apk/alpine/busybox@1.31.1-r9?arch=x86_64\u0026distro=3.11.5", + "UID": "533889b2024291fa" + }, + "InstalledVersion": "1.31.1-r9", + "FixedVersion": "1.31.1-r11", + "Status": "fixed", "Layer": { "Digest": "sha256:aad63a9339440e7c3e1fff2b988991b9bfb81280042fa7f39a5e327023056819", "DiffID": "sha256:beee9f30bc1f711043e78d4a2be0668955d4b761d587d6f60c2c8dc081efb203" }, "SeveritySource": "nvd", - "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2021-3711", - "Title": "openssl: SM2 Decryption Buffer Overflow", - "Description": "In order to decrypt SM2 encrypted data an application is expected to call the API function EVP_PKEY_decrypt(). Typically an application will call this function twice. The first time, on entry, the \"out\" parameter can be NULL and, on exit, the \"outlen\" parameter is populated with the buffer size required to hold the decrypted plaintext. The application can then allocate a sufficiently sized buffer and call EVP_PKEY_decrypt() again, but this time passing a non-NULL value for the \"out\" parameter. A bug in the implementation of the SM2 decryption code means that the calculation of the buffer size required to hold the plaintext returned by the first call to EVP_PKEY_decrypt() can be smaller than the actual size required by the second call. This can lead to a buffer overflow when EVP_PKEY_decrypt() is called by the application a second time with a buffer that is too small. A malicious attacker who is able present SM2 content for decryption to an application could cause attacker chosen data to overflow the buffer by up to a maximum of 62 bytes altering the contents of other data held after the buffer, possibly changing application behaviour or causing the application to crash. The location of the buffer is application dependent but is typically heap allocated. 
Fixed in OpenSSL 1.1.1l (Affected 1.1.1-1.1.1k).", - "Severity": "CRITICAL", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2021-42378", + "DataSource": { + "ID": "alpine", + "Name": "Alpine Secdb", + "URL": "https://secdb.alpinelinux.org/" + }, + "Title": "busybox: use-after-free in awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the getvar_i()", + "Description": "A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the getvar_i function", + "Severity": "HIGH", "CweIDs": [ - "CWE-120" + "CWE-416" ], + "VendorSeverity": { + "amazon": 2, + "cbl-mariner": 3, + "nvd": 3, + "redhat": 2, + "ubuntu": 1 + }, "CVSS": { "nvd": { - "V2Vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P", - "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", - "V2Score": 7.5, - "V3Score": 9.8 + "V2Vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P", + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", + "V2Score": 6.5, + "V3Score": 7.2 }, "redhat": { - "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", - "V3Score": 9.8 + "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H", + "V3Score": 6.6 } }, "References": [ - "http://www.openwall.com/lists/oss-security/2021/08/26/2", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3711", - "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=59f5e75f3bced8fc0e130d72a3f582cf7b480b46", - "https://lists.apache.org/thread.html/r18995de860f0e63635f3008fd2a6aca82394249476d21691e7c59c9e@%3Cdev.tomcat.apache.org%3E", - "https://lists.apache.org/thread.html/rad5d9f83f0d11fb3f8bb148d179b8a9ad7c6a17f18d70e5805a713d1@%3Cdev.tomcat.apache.org%3E", - "https://security.netapp.com/advisory/ntap-20210827-0010/", - "https://security.netapp.com/advisory/ntap-20211022-0003/", - "https://ubuntu.com/security/notices/USN-5051-1", - "https://www.debian.org/security/2021/dsa-4963", - 
"https://www.openssl.org/news/secadv/20210824.txt", - "https://www.oracle.com/security-alerts/cpuoct2021.html", - "https://www.tenable.com/security/tns-2021-16" - ], - "PublishedDate": "2021-08-24T15:15:00Z", - "LastModifiedDate": "2021-10-22T18:15:00Z" + "https://access.redhat.com/security/cve/CVE-2021-42378", + "https://claroty.com/team82/research/unboxing-busybox-14-vulnerabilities-uncovered-by-claroty-jfrog", + "https://jfrog.com/blog/unboxing-busybox-14-new-vulnerabilities-uncovered-by-claroty-and-jfrog/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6T2TURBYYJGBMQTTN2DSOAIQGP7WCPGV/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UQXGOGWBIYWOIVXJVRKHZR34UMEHQBXS/", + "https://nvd.nist.gov/vuln/detail/CVE-2021-42378", + "https://security.netapp.com/advisory/ntap-20211223-0002/", + "https://ubuntu.com/security/notices/USN-5179-1", + "https://www.cve.org/CVERecord?id=CVE-2021-42378" + ], + "PublishedDate": "2021-11-15T21:15:07.753Z", + "LastModifiedDate": "2023-11-07T03:39:10.25Z" }, { - "VulnerabilityID": "CVE-2020-1967", - "PkgName": "libcrypto1.1", - "InstalledVersion": "1.1.1d-r3", - "FixedVersion": "1.1.1g-r0", + "VulnerabilityID": "CVE-2021-42379", + "PkgID": "busybox@1.31.1-r9", + "PkgName": "busybox", + "PkgIdentifier": { + "PURL": "pkg:apk/alpine/busybox@1.31.1-r9?arch=x86_64\u0026distro=3.11.5", + "UID": "533889b2024291fa" + }, + "InstalledVersion": "1.31.1-r9", + "FixedVersion": "1.31.1-r11", + "Status": "fixed", "Layer": { "Digest": "sha256:aad63a9339440e7c3e1fff2b988991b9bfb81280042fa7f39a5e327023056819", "DiffID": "sha256:beee9f30bc1f711043e78d4a2be0668955d4b761d587d6f60c2c8dc081efb203" }, "SeveritySource": "nvd", - "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2020-1967", - "Title": "openssl: Segmentation fault in SSL_check_chain causes denial of service", - "Description": "Server or client applications that call the SSL_check_chain() 
function during or after a TLS 1.3 handshake may crash due to a NULL pointer dereference as a result of incorrect handling of the \"signature_algorithms_cert\" TLS extension. The crash occurs if an invalid or unrecognised signature algorithm is received from the peer. This could be exploited by a malicious peer in a Denial of Service attack. OpenSSL version 1.1.1d, 1.1.1e, and 1.1.1f are affected by this issue. This issue did not affect OpenSSL versions prior to 1.1.1d. Fixed in OpenSSL 1.1.1g (Affected 1.1.1d-1.1.1f).", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2021-42379", + "DataSource": { + "ID": "alpine", + "Name": "Alpine Secdb", + "URL": "https://secdb.alpinelinux.org/" + }, + "Title": "busybox: use-after-free in awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the next_input_file()", + "Description": "A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the next_input_file function", "Severity": "HIGH", "CweIDs": [ - "CWE-476" + "CWE-416" ], + "VendorSeverity": { + "amazon": 2, + "cbl-mariner": 3, + "nvd": 3, + "redhat": 2, + "ubuntu": 1 + }, "CVSS": { "nvd": { - "V2Vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P", - "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", - "V2Score": 5, - "V3Score": 7.5 + "V2Vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P", + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", + "V2Score": 6.5, + "V3Score": 7.2 }, "redhat": { - "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", - "V3Score": 7.5 + "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H", + "V3Score": 6.6 } }, "References": [ - "http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00004.html", - "http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00011.html", - "http://packetstormsecurity.com/files/157527/OpenSSL-signature_algorithms_cert-Denial-Of-Service.html", - 
"http://seclists.org/fulldisclosure/2020/May/5", - "http://www.openwall.com/lists/oss-security/2020/04/22/2", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1967", - "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=eb563247aef3e83dda7679c43f9649270462e5b1", - "https://github.com/irsl/CVE-2020-1967", - "https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44440", - "https://lists.apache.org/thread.html/r66ea9c436da150683432db5fbc8beb8ae01886c6459ac30c2cea7345@%3Cdev.tomcat.apache.org%3E", - "https://lists.apache.org/thread.html/r94d6ac3f010a38fccf4f432b12180a13fa1cf303559bd805648c9064@%3Cdev.tomcat.apache.org%3E", - "https://lists.apache.org/thread.html/r9a41e304992ce6aec6585a87842b4f2e692604f5c892c37e3b0587ee@%3Cdev.tomcat.apache.org%3E", - "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DDHOAATPWJCXRNFMJ2SASDBBNU5RJONY/", - "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EXDDAOWSAIEFQNBHWYE6PPYFV4QXGMCD/", - "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XVEP3LAK4JSPRXFO4QF4GG2IVXADV3SO/", - "https://nvd.nist.gov/vuln/detail/CVE-2020-1967", - "https://security.FreeBSD.org/advisories/FreeBSD-SA-20:11.openssl.asc", - "https://security.gentoo.org/glsa/202004-10", - "https://security.netapp.com/advisory/ntap-20200424-0003/", - "https://security.netapp.com/advisory/ntap-20200717-0004/", - "https://www.debian.org/security/2020/dsa-4661", - "https://www.openssl.org/news/secadv/20200421.txt", - "https://www.oracle.com//security-alerts/cpujul2021.html", - "https://www.oracle.com/security-alerts/cpuApr2021.html", - "https://www.oracle.com/security-alerts/cpujan2021.html", - "https://www.oracle.com/security-alerts/cpujul2020.html", - "https://www.oracle.com/security-alerts/cpuoct2020.html", - "https://www.oracle.com/security-alerts/cpuoct2021.html", - 
"https://www.synology.com/security/advisory/Synology_SA_20_05", - "https://www.synology.com/security/advisory/Synology_SA_20_05_OpenSSL", - "https://www.tenable.com/security/tns-2020-03", - "https://www.tenable.com/security/tns-2020-04", - "https://www.tenable.com/security/tns-2020-11", - "https://www.tenable.com/security/tns-2021-10" - ], - "PublishedDate": "2020-04-21T14:15:00Z", - "LastModifiedDate": "2021-10-20T11:15:00Z" + "https://access.redhat.com/security/cve/CVE-2021-42379", + "https://claroty.com/team82/research/unboxing-busybox-14-vulnerabilities-uncovered-by-claroty-jfrog", + "https://jfrog.com/blog/unboxing-busybox-14-new-vulnerabilities-uncovered-by-claroty-and-jfrog/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6T2TURBYYJGBMQTTN2DSOAIQGP7WCPGV/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UQXGOGWBIYWOIVXJVRKHZR34UMEHQBXS/", + "https://nvd.nist.gov/vuln/detail/CVE-2021-42379", + "https://security.netapp.com/advisory/ntap-20211223-0002/", + "https://ubuntu.com/security/notices/USN-5179-1", + "https://www.cve.org/CVERecord?id=CVE-2021-42379" + ], + "PublishedDate": "2021-11-15T21:15:07.807Z", + "LastModifiedDate": "2023-11-07T03:39:10.34Z" }, { - "VulnerabilityID": "CVE-2021-23840", - "PkgName": "libcrypto1.1", - "InstalledVersion": "1.1.1d-r3", - "FixedVersion": "1.1.1j-r0", + "VulnerabilityID": "CVE-2021-42380", + "PkgID": "busybox@1.31.1-r9", + "PkgName": "busybox", + "PkgIdentifier": { + "PURL": "pkg:apk/alpine/busybox@1.31.1-r9?arch=x86_64\u0026distro=3.11.5", + "UID": "533889b2024291fa" + }, + "InstalledVersion": "1.31.1-r9", + "FixedVersion": "1.31.1-r11", + "Status": "fixed", "Layer": { "Digest": "sha256:aad63a9339440e7c3e1fff2b988991b9bfb81280042fa7f39a5e327023056819", "DiffID": "sha256:beee9f30bc1f711043e78d4a2be0668955d4b761d587d6f60c2c8dc081efb203" }, "SeveritySource": "nvd", - "PrimaryURL": 
"https://avd.aquasec.com/nvd/cve-2021-23840", - "Title": "openssl: integer overflow in CipherUpdate", - "Description": "Calls to EVP_CipherUpdate, EVP_EncryptUpdate and EVP_DecryptUpdate may overflow the output length argument in some cases where the input length is close to the maximum permissible length for an integer on the platform. In such cases the return value from the function call will be 1 (indicating success), but the output length value will be negative. This could cause applications to behave incorrectly or crash. OpenSSL versions 1.1.1i and below are affected by this issue. Users of these versions should upgrade to OpenSSL 1.1.1j. OpenSSL versions 1.0.2x and below are affected by this issue. However OpenSSL 1.0.2 is out of support and no longer receiving public updates. Premium support customers of OpenSSL 1.0.2 should upgrade to 1.0.2y. Other users should upgrade to 1.1.1j. Fixed in OpenSSL 1.1.1j (Affected 1.1.1-1.1.1i). Fixed in OpenSSL 1.0.2y (Affected 1.0.2-1.0.2x).", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2021-42380", + "DataSource": { + "ID": "alpine", + "Name": "Alpine Secdb", + "URL": "https://secdb.alpinelinux.org/" + }, + "Title": "busybox: use-after-free in awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the clrvar()", + "Description": "A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the clrvar function", "Severity": "HIGH", "CweIDs": [ - "CWE-190" + "CWE-416" ], + "VendorSeverity": { + "cbl-mariner": 3, + "nvd": 3, + "redhat": 2, + "ubuntu": 1 + }, "CVSS": { "nvd": { - "V2Vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P", - "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", - "V2Score": 5, - "V3Score": 7.5 + "V2Vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P", + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", + "V2Score": 6.5, + "V3Score": 7.2 }, "redhat": { - "V3Vector": 
"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", - "V3Score": 7.5 + "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H", + "V3Score": 6.6 } }, "References": [ - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23840", - "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=6a51b9e1d0cf0bf8515f7201b68fb0a3482b3dc1", - "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=9b1129239f3ebb1d1c98ce9ed41d5c9476c47cb2", - "https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44846", - "https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10366", - "https://linux.oracle.com/cve/CVE-2021-23840.html", - "https://linux.oracle.com/errata/ELSA-2021-9528.html", - "https://lists.apache.org/thread.html/r58af02e294bd07f487e2c64ffc0a29b837db5600e33b6e698b9d696b@%3Cissues.bookkeeper.apache.org%3E", - "https://lists.apache.org/thread.html/rf4c02775860db415b4955778a131c2795223f61cb8c6a450893651e4@%3Cissues.bookkeeper.apache.org%3E", - "https://security.gentoo.org/glsa/202103-03", - "https://security.netapp.com/advisory/ntap-20210219-0009/", - "https://ubuntu.com/security/notices/USN-4738-1", - "https://ubuntu.com/security/notices/USN-5088-1", - "https://www.debian.org/security/2021/dsa-4855", - "https://www.openssl.org/news/secadv/20210216.txt", - "https://www.oracle.com//security-alerts/cpujul2021.html", - "https://www.oracle.com/security-alerts/cpuApr2021.html", - "https://www.oracle.com/security-alerts/cpuoct2021.html", - "https://www.tenable.com/security/tns-2021-03", - "https://www.tenable.com/security/tns-2021-09", - "https://www.tenable.com/security/tns-2021-10" - ], - "PublishedDate": "2021-02-16T17:15:00Z", - "LastModifiedDate": "2021-10-22T08:15:00Z" + "https://access.redhat.com/security/cve/CVE-2021-42380", + "https://claroty.com/team82/research/unboxing-busybox-14-vulnerabilities-uncovered-by-claroty-jfrog", + "https://jfrog.com/blog/unboxing-busybox-14-new-vulnerabilities-uncovered-by-claroty-and-jfrog/", + 
"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6T2TURBYYJGBMQTTN2DSOAIQGP7WCPGV/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UQXGOGWBIYWOIVXJVRKHZR34UMEHQBXS/", + "https://nvd.nist.gov/vuln/detail/CVE-2021-42380", + "https://security.netapp.com/advisory/ntap-20211223-0002/", + "https://ubuntu.com/security/notices/USN-5179-1", + "https://www.cve.org/CVERecord?id=CVE-2021-42380" + ], + "PublishedDate": "2021-11-15T21:15:07.857Z", + "LastModifiedDate": "2023-11-07T03:39:10.423Z" }, { - "VulnerabilityID": "CVE-2021-3450", - "PkgName": "libcrypto1.1", - "InstalledVersion": "1.1.1d-r3", - "FixedVersion": "1.1.1k-r0", + "VulnerabilityID": "CVE-2021-42381", + "PkgID": "busybox@1.31.1-r9", + "PkgName": "busybox", + "PkgIdentifier": { + "PURL": "pkg:apk/alpine/busybox@1.31.1-r9?arch=x86_64\u0026distro=3.11.5", + "UID": "533889b2024291fa" + }, + "InstalledVersion": "1.31.1-r9", + "FixedVersion": "1.31.1-r11", + "Status": "fixed", "Layer": { "Digest": "sha256:aad63a9339440e7c3e1fff2b988991b9bfb81280042fa7f39a5e327023056819", "DiffID": "sha256:beee9f30bc1f711043e78d4a2be0668955d4b761d587d6f60c2c8dc081efb203" }, "SeveritySource": "nvd", - "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2021-3450", - "Title": "openssl: CA certificate check bypass with X509_V_FLAG_X509_STRICT", - "Description": "The X509_V_FLAG_X509_STRICT flag enables additional security checks of the certificates present in a certificate chain. It is not set by default. Starting from OpenSSL version 1.1.1h a check to disallow certificates in the chain that have explicitly encoded elliptic curve parameters was added as an additional strict check. An error in the implementation of this check meant that the result of a previous check to confirm that certificates in the chain are valid CA certificates was overwritten. 
This effectively bypasses the check that non-CA certificates must not be able to issue other certificates. If a \"purpose\" has been configured then there is a subsequent opportunity for checks that the certificate is a valid CA. All of the named \"purpose\" values implemented in libcrypto perform this check. Therefore, where a purpose is set the certificate chain will still be rejected even when the strict flag has been used. A purpose is set by default in libssl client and server certificate verification routines, but it can be overridden or removed by an application. In order to be affected, an application must explicitly set the X509_V_FLAG_X509_STRICT verification flag and either not set a purpose for the certificate verification or, in the case of TLS client or server applications, override the default purpose. OpenSSL versions 1.1.1h and newer are affected by this issue. Users of these versions should upgrade to OpenSSL 1.1.1k. OpenSSL 1.0.2 is not impacted by this issue. Fixed in OpenSSL 1.1.1k (Affected 1.1.1h-1.1.1j).", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2021-42381", + "DataSource": { + "ID": "alpine", + "Name": "Alpine Secdb", + "URL": "https://secdb.alpinelinux.org/" + }, + "Title": "busybox: use-after-free in awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the hash_init()", + "Description": "A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the hash_init function", "Severity": "HIGH", "CweIDs": [ - "CWE-295" + "CWE-416" ], + "VendorSeverity": { + "cbl-mariner": 3, + "nvd": 3, + "redhat": 2, + "ubuntu": 1 + }, "CVSS": { "nvd": { - "V2Vector": "AV:N/AC:M/Au:N/C:P/I:P/A:N", - "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N", - "V2Score": 5.8, - "V3Score": 7.4 + "V2Vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P", + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", + "V2Score": 6.5, + 
"V3Score": 7.2 }, "redhat": { - "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N", - "V3Score": 7.4 + "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H", + "V3Score": 6.6 } }, "References": [ - "http://www.openwall.com/lists/oss-security/2021/03/27/1", - "http://www.openwall.com/lists/oss-security/2021/03/27/2", - "http://www.openwall.com/lists/oss-security/2021/03/28/3", - "http://www.openwall.com/lists/oss-security/2021/03/28/4", - "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=2a40b7bc7b94dd7de897a74571e7024f0cf0d63b", - "https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44845", - "https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10356", - "https://linux.oracle.com/cve/CVE-2021-3450.html", - "https://linux.oracle.com/errata/ELSA-2021-9151.html", - "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CCBFLLVQVILIVGZMBJL3IXZGKWQISYNP/", - "https://mta.openssl.org/pipermail/openssl-announce/2021-March/000198.html", - "https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0013", - "https://security.FreeBSD.org/advisories/FreeBSD-SA-21:07.openssl.asc", - "https://security.gentoo.org/glsa/202103-03", - "https://security.netapp.com/advisory/ntap-20210326-0006/", - "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-openssl-2021-GHY28dJd", - "https://www.openssl.org/news/secadv/20210325.txt", - "https://www.oracle.com//security-alerts/cpujul2021.html", - "https://www.oracle.com/security-alerts/cpuApr2021.html", - "https://www.oracle.com/security-alerts/cpuoct2021.html", - "https://www.tenable.com/security/tns-2021-05", - "https://www.tenable.com/security/tns-2021-08", - "https://www.tenable.com/security/tns-2021-09" - ], - "PublishedDate": "2021-03-25T15:15:00Z", - "LastModifiedDate": "2021-10-20T11:17:00Z" + "https://access.redhat.com/security/cve/CVE-2021-42381", + 
"https://claroty.com/team82/research/unboxing-busybox-14-vulnerabilities-uncovered-by-claroty-jfrog", + "https://jfrog.com/blog/unboxing-busybox-14-new-vulnerabilities-uncovered-by-claroty-and-jfrog/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6T2TURBYYJGBMQTTN2DSOAIQGP7WCPGV/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UQXGOGWBIYWOIVXJVRKHZR34UMEHQBXS/", + "https://nvd.nist.gov/vuln/detail/CVE-2021-42381", + "https://security.netapp.com/advisory/ntap-20211223-0002/", + "https://ubuntu.com/security/notices/USN-5179-1", + "https://www.cve.org/CVERecord?id=CVE-2021-42381" + ], + "PublishedDate": "2021-11-15T21:15:07.913Z", + "LastModifiedDate": "2023-11-07T03:39:10.5Z" }, { - "VulnerabilityID": "CVE-2021-3712", - "PkgName": "libcrypto1.1", - "InstalledVersion": "1.1.1d-r3", - "FixedVersion": "1.1.1l-r0", + "VulnerabilityID": "CVE-2021-42382", + "PkgID": "busybox@1.31.1-r9", + "PkgName": "busybox", + "PkgIdentifier": { + "PURL": "pkg:apk/alpine/busybox@1.31.1-r9?arch=x86_64\u0026distro=3.11.5", + "UID": "533889b2024291fa" + }, + "InstalledVersion": "1.31.1-r9", + "FixedVersion": "1.31.1-r11", + "Status": "fixed", "Layer": { "Digest": "sha256:aad63a9339440e7c3e1fff2b988991b9bfb81280042fa7f39a5e327023056819", "DiffID": "sha256:beee9f30bc1f711043e78d4a2be0668955d4b761d587d6f60c2c8dc081efb203" }, "SeveritySource": "nvd", - "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2021-3712", - "Title": "openssl: Read buffer overruns processing ASN.1 strings", - "Description": "ASN.1 strings are represented internally within OpenSSL as an ASN1_STRING structure which contains a buffer holding the string data and a field holding the buffer length. This contrasts with normal C strings which are repesented as a buffer for the string data which is terminated with a NUL (0) byte. 
Although not a strict requirement, ASN.1 strings that are parsed using OpenSSL's own \"d2i\" functions (and other similar parsing functions) as well as any string whose value has been set with the ASN1_STRING_set() function will additionally NUL terminate the byte array in the ASN1_STRING structure. However, it is possible for applications to directly construct valid ASN1_STRING structures which do not NUL terminate the byte array by directly setting the \"data\" and \"length\" fields in the ASN1_STRING array. This can also happen by using the ASN1_STRING_set0() function. Numerous OpenSSL functions that print ASN.1 data have been found to assume that the ASN1_STRING byte array will be NUL terminated, even though this is not guaranteed for strings that have been directly constructed. Where an application requests an ASN.1 structure to be printed, and where that ASN.1 structure contains ASN1_STRINGs that have been directly constructed by the application without NUL terminating the \"data\" field, then a read buffer overrun can occur. The same thing can also occur during name constraints processing of certificates (for example if a certificate has been directly constructed by the application instead of loading it via the OpenSSL parsing functions, and the certificate contains non NUL terminated ASN1_STRING structures). It can also occur in the X509_get1_email(), X509_REQ_get1_email() and X509_get1_ocsp() functions. If a malicious actor can cause an application to directly construct an ASN1_STRING and then process it through one of the affected OpenSSL functions then this issue could be hit. This might result in a crash (causing a Denial of Service attack). It could also result in the disclosure of private memory contents (such as private keys, or sensitive plaintext). Fixed in OpenSSL 1.1.1l (Affected 1.1.1-1.1.1k). 
Fixed in OpenSSL 1.0.2za (Affected 1.0.2-1.0.2y).",
+ "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2021-42382",
+ "DataSource": {
+ "ID": "alpine",
+ "Name": "Alpine Secdb",
+ "URL": "https://secdb.alpinelinux.org/"
+ },
+ "Title": "busybox: use-after-free in awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the getvar_s()",
+ "Description": "A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the getvar_s function",
 "Severity": "HIGH",
 "CweIDs": [
- "CWE-125"
+ "CWE-416"
 ],
+ "VendorSeverity": {
+ "cbl-mariner": 3,
+ "nvd": 3,
+ "redhat": 2,
+ "ubuntu": 1
+ },
 "CVSS": {
 "nvd": {
- "V2Vector": "AV:N/AC:M/Au:N/C:P/I:N/A:P",
- "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:H",
- "V2Score": 5.8,
- "V3Score": 7.4
+ "V2Vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P",
+ "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
+ "V2Score": 6.5,
+ "V3Score": 7.2
 },
 "redhat": {
- "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:H",
- "V3Score": 7.4
+ "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H",
+ "V3Score": 6.6
 }
 },
 "References": [
- "http://www.openwall.com/lists/oss-security/2021/08/26/2",
- "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3712",
- "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=94d23fcff9b2a7a8368dfe52214d5c2569882c11",
- "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=ccb0a11145ee72b042d10593a64eaf9e8a55ec12",
- "https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10366",
- "https://lists.apache.org/thread.html/r18995de860f0e63635f3008fd2a6aca82394249476d21691e7c59c9e@%3Cdev.tomcat.apache.org%3E",
- "https://lists.apache.org/thread.html/rad5d9f83f0d11fb3f8bb148d179b8a9ad7c6a17f18d70e5805a713d1@%3Cdev.tomcat.apache.org%3E",
- "https://lists.debian.org/debian-lts-announce/2021/09/msg00014.html",
- "https://lists.debian.org/debian-lts-announce/2021/09/msg00021.html",
- "https://security.netapp.com/advisory/ntap-20210827-0010/",
- "https://ubuntu.com/security/notices/USN-5051-1",
- "https://ubuntu.com/security/notices/USN-5051-2",
- "https://ubuntu.com/security/notices/USN-5051-3",
- "https://ubuntu.com/security/notices/USN-5051-4 (regression only in trusty/esm)",
- "https://ubuntu.com/security/notices/USN-5088-1",
- "https://www.debian.org/security/2021/dsa-4963",
- "https://www.openssl.org/news/secadv/20210824.txt",
- "https://www.oracle.com/security-alerts/cpuoct2021.html",
- "https://www.tenable.com/security/tns-2021-16"
- ],
- "PublishedDate": "2021-08-24T15:15:00Z",
- "LastModifiedDate": "2021-10-22T08:15:00Z"
+ "https://access.redhat.com/security/cve/CVE-2021-42382",
+ "https://claroty.com/team82/research/unboxing-busybox-14-vulnerabilities-uncovered-by-claroty-jfrog",
+ "https://jfrog.com/blog/unboxing-busybox-14-new-vulnerabilities-uncovered-by-claroty-and-jfrog/",
+ "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6T2TURBYYJGBMQTTN2DSOAIQGP7WCPGV/",
+ "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UQXGOGWBIYWOIVXJVRKHZR34UMEHQBXS/",
+ "https://nvd.nist.gov/vuln/detail/CVE-2021-42382",
+ "https://security.netapp.com/advisory/ntap-20211223-0002/",
+ "https://ubuntu.com/security/notices/USN-5179-1",
+ "https://www.cve.org/CVERecord?id=CVE-2021-42382"
+ ],
+ "PublishedDate": "2021-11-15T21:15:07.963Z",
+ "LastModifiedDate": "2023-11-07T03:39:10.577Z"
 },
 {
- "VulnerabilityID": "CVE-2020-1971",
- "PkgName": "libcrypto1.1",
- "InstalledVersion": "1.1.1d-r3",
- "FixedVersion": "1.1.1i-r0",
+ "VulnerabilityID": "CVE-2021-42383",
+ "PkgID": "busybox@1.31.1-r9",
+ "PkgName": "busybox",
+ "PkgIdentifier": {
+ "PURL": "pkg:apk/alpine/busybox@1.31.1-r9?arch=x86_64\u0026distro=3.11.5",
+ "UID": "533889b2024291fa"
+ },
+ "InstalledVersion": "1.31.1-r9",
+ "FixedVersion": "1.31.1-r11",
+ "Status": "fixed",
 "Layer": {
 "Digest": "sha256:aad63a9339440e7c3e1fff2b988991b9bfb81280042fa7f39a5e327023056819",
 "DiffID": "sha256:beee9f30bc1f711043e78d4a2be0668955d4b761d587d6f60c2c8dc081efb203"
 },
 "SeveritySource": "nvd",
- "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2020-1971",
- "Title": "openssl: EDIPARTYNAME NULL pointer de-reference",
- "Description": "The X.509 GeneralName type is a generic type for representing different types of names. One of those name types is known as EDIPartyName. OpenSSL provides a function GENERAL_NAME_cmp which compares different instances of a GENERAL_NAME to see if they are equal or not. This function behaves incorrectly when both GENERAL_NAMEs contain an EDIPARTYNAME. A NULL pointer dereference and a crash may occur leading to a possible denial of service attack. OpenSSL itself uses the GENERAL_NAME_cmp function for two purposes: 1) Comparing CRL distribution point names between an available CRL and a CRL distribution point embedded in an X509 certificate 2) When verifying that a timestamp response token signer matches the timestamp authority name (exposed via the API functions TS_RESP_verify_response and TS_RESP_verify_token) If an attacker can control both items being compared then that attacker could trigger a crash. For example if the attacker can trick a client or server into checking a malicious certificate against a malicious CRL then this may occur. Note that some applications automatically download CRLs based on a URL embedded in a certificate. This checking happens prior to the signatures on the certificate and CRL being verified. OpenSSL's s_server, s_client and verify tools have support for the \"-crl_download\" option which implements automatic CRL downloading and this attack has been demonstrated to work against those tools. Note that an unrelated bug means that affected versions of OpenSSL cannot parse or construct correct encodings of EDIPARTYNAME. However it is possible to construct a malformed EDIPARTYNAME that OpenSSL's parser will accept and hence trigger this attack. All OpenSSL 1.1.1 and 1.0.2 versions are affected by this issue. Other OpenSSL releases are out of support and have not been checked. Fixed in OpenSSL 1.1.1i (Affected 1.1.1-1.1.1h). Fixed in OpenSSL 1.0.2x (Affected 1.0.2-1.0.2w).",
- "Severity": "MEDIUM",
+ "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2021-42383",
+ "DataSource": {
+ "ID": "alpine",
+ "Name": "Alpine Secdb",
+ "URL": "https://secdb.alpinelinux.org/"
+ },
+ "Title": "busybox: use-after-free in awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the evaluate()",
+ "Description": "A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the evaluate function",
+ "Severity": "HIGH",
 "CweIDs": [
- "CWE-476"
+ "CWE-416"
 ],
+ "VendorSeverity": {
+ "nvd": 3,
+ "redhat": 2
+ },
 "CVSS": {
 "nvd": {
- "V2Vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
- "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
- "V2Score": 4.3,
- "V3Score": 5.9
+ "V2Vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P",
+ "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
+ "V2Score": 6.5,
+ "V3Score": 7.2
 },
 "redhat": {
- "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
- "V3Score": 5.9
+ "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H",
+ "V3Score": 6.6
 }
 },
 "References": [
- "http://www.openwall.com/lists/oss-security/2021/09/14/2",
- "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1971",
- "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=2154ab83e14ede338d2ede9bbe5cdfce5d5a6c9e",
- "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=f960d81215ebf3f65e03d4d5d857fb9b666d6920",
- "https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44676",
- "https://linux.oracle.com/cve/CVE-2020-1971.html",
- "https://linux.oracle.com/errata/ELSA-2021-9150.html",
- "https://lists.apache.org/thread.html/r63c6f2dd363d9b514d0a4bcf624580616a679898cc14c109a49b750c@%3Cdev.tomcat.apache.org%3E",
- "https://lists.apache.org/thread.html/rbb769f771711fb274e0a4acb1b5911c8aab544a6ac5e8c12d40c5143@%3Ccommits.pulsar.apache.org%3E",
- "https://lists.debian.org/debian-lts-announce/2020/12/msg00020.html",
- "https://lists.debian.org/debian-lts-announce/2020/12/msg00021.html",
- "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DGSI34Y5LQ5RYXN4M2I5ZQT65LFVDOUU/",
- "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PWPSSZNZOBJU2YR6Z4TGHXKYW3YP5QG7/",
- "https://security.FreeBSD.org/advisories/FreeBSD-SA-20:33.openssl.asc",
- "https://security.gentoo.org/glsa/202012-13",
- "https://security.netapp.com/advisory/ntap-20201218-0005/",
- "https://security.netapp.com/advisory/ntap-20210513-0002/",
- "https://ubuntu.com/security/notices/USN-4662-1",
- "https://ubuntu.com/security/notices/USN-4745-1",
- "https://www.debian.org/security/2020/dsa-4807",
- "https://www.openssl.org/news/secadv/20201208.txt",
- "https://www.oracle.com//security-alerts/cpujul2021.html",
- "https://www.oracle.com/security-alerts/cpuApr2021.html",
- "https://www.oracle.com/security-alerts/cpujan2021.html",
- "https://www.oracle.com/security-alerts/cpuoct2021.html",
- "https://www.tenable.com/security/tns-2020-11",
- "https://www.tenable.com/security/tns-2021-09",
- "https://www.tenable.com/security/tns-2021-10"
- ],
- "PublishedDate": "2020-12-08T16:15:00Z",
- "LastModifiedDate": "2021-10-20T11:15:00Z"
+ "https://access.redhat.com/security/cve/CVE-2021-42383",
+ "https://claroty.com/team82/research/unboxing-busybox-14-vulnerabilities-uncovered-by-claroty-jfrog",
+ "https://jfrog.com/blog/unboxing-busybox-14-new-vulnerabilities-uncovered-by-claroty-and-jfrog/",
+ "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6T2TURBYYJGBMQTTN2DSOAIQGP7WCPGV/",
+ "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UQXGOGWBIYWOIVXJVRKHZR34UMEHQBXS/",
+ "https://nvd.nist.gov/vuln/detail/CVE-2021-42383",
+ "https://security.netapp.com/advisory/ntap-20211223-0002/",
+ "https://www.cve.org/CVERecord?id=CVE-2021-42383"
+ ],
+ "PublishedDate": "2021-11-15T21:15:08.017Z",
+ "LastModifiedDate": "2023-11-07T03:39:10.66Z"
 },
 {
- "VulnerabilityID": "CVE-2021-23841",
- "PkgName": "libcrypto1.1",
- "InstalledVersion": "1.1.1d-r3",
- "FixedVersion": "1.1.1j-r0",
+ "VulnerabilityID": "CVE-2021-42384",
+ "PkgID": "busybox@1.31.1-r9",
+ "PkgName": "busybox",
+ "PkgIdentifier": {
+ "PURL": "pkg:apk/alpine/busybox@1.31.1-r9?arch=x86_64\u0026distro=3.11.5",
+ "UID": "533889b2024291fa"
+ },
+ "InstalledVersion": "1.31.1-r9",
+ "FixedVersion": "1.31.1-r11",
+ "Status": "fixed",
 "Layer": {
 "Digest": "sha256:aad63a9339440e7c3e1fff2b988991b9bfb81280042fa7f39a5e327023056819",
 "DiffID": "sha256:beee9f30bc1f711043e78d4a2be0668955d4b761d587d6f60c2c8dc081efb203"
 },
 "SeveritySource": "nvd",
- "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2021-23841",
- "Title": "openssl: NULL pointer dereference in X509_issuer_and_serial_hash()",
- "Description": "The OpenSSL public API function X509_issuer_and_serial_hash() attempts to create a unique hash value based on the issuer and serial number data contained within an X509 certificate. However it fails to correctly handle any errors that may occur while parsing the issuer field (which might occur if the issuer field is maliciously constructed). This may subsequently result in a NULL pointer deref and a crash leading to a potential denial of service attack. The function X509_issuer_and_serial_hash() is never directly called by OpenSSL itself so applications are only vulnerable if they use this function directly and they use it on certificates that may have been obtained from untrusted sources. OpenSSL versions 1.1.1i and below are affected by this issue. Users of these versions should upgrade to OpenSSL 1.1.1j. OpenSSL versions 1.0.2x and below are affected by this issue. However OpenSSL 1.0.2 is out of support and no longer receiving public updates. Premium support customers of OpenSSL 1.0.2 should upgrade to 1.0.2y. Other users should upgrade to 1.1.1j. Fixed in OpenSSL 1.1.1j (Affected 1.1.1-1.1.1i). Fixed in OpenSSL 1.0.2y (Affected 1.0.2-1.0.2x).",
- "Severity": "MEDIUM",
+ "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2021-42384",
+ "DataSource": {
+ "ID": "alpine",
+ "Name": "Alpine Secdb",
+ "URL": "https://secdb.alpinelinux.org/"
+ },
+ "Title": "busybox: use-after-free in awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the handle_special()",
+ "Description": "A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the handle_special function",
+ "Severity": "HIGH",
 "CweIDs": [
- "CWE-190"
+ "CWE-416"
 ],
+ "VendorSeverity": {
+ "amazon": 2,
+ "cbl-mariner": 3,
+ "nvd": 3,
+ "redhat": 2,
+ "ubuntu": 1
+ },
 "CVSS": {
 "nvd": {
- "V2Vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
- "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
- "V2Score": 4.3,
- "V3Score": 5.9
+ "V2Vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P",
+ "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
+ "V2Score": 6.5,
+ "V3Score": 7.2
 },
 "redhat": {
- "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
- "V3Score": 5.9
+ "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H",
+ "V3Score": 6.6
 }
 },
 "References": [
- "http://seclists.org/fulldisclosure/2021/May/67",
- "http://seclists.org/fulldisclosure/2021/May/68",
- "http://seclists.org/fulldisclosure/2021/May/70",
- "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23841",
- "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=122a19ab48091c657f7cb1fb3af9fc07bd557bbf",
- "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=8252ee4d90f3f2004d3d0aeeed003ad49c9a7807",
- "https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44846",
- "https://linux.oracle.com/cve/CVE-2021-23841.html",
- "https://linux.oracle.com/errata/ELSA-2021-9528.html",
- "https://security.gentoo.org/glsa/202103-03",
- "https://security.netapp.com/advisory/ntap-20210219-0009/",
- "https://security.netapp.com/advisory/ntap-20210513-0002/",
- "https://support.apple.com/kb/HT212528",
- "https://support.apple.com/kb/HT212529",
- "https://support.apple.com/kb/HT212534",
- "https://ubuntu.com/security/notices/USN-4738-1",
- "https://ubuntu.com/security/notices/USN-4745-1",
- "https://www.debian.org/security/2021/dsa-4855",
- "https://www.openssl.org/news/secadv/20210216.txt",
- "https://www.oracle.com//security-alerts/cpujul2021.html",
- "https://www.oracle.com/security-alerts/cpuApr2021.html",
- "https://www.oracle.com/security-alerts/cpuoct2021.html",
- "https://www.tenable.com/security/tns-2021-03",
- "https://www.tenable.com/security/tns-2021-09"
- ],
- "PublishedDate": "2021-02-16T17:15:00Z",
- "LastModifiedDate": "2021-10-20T11:16:00Z"
+ "https://access.redhat.com/security/cve/CVE-2021-42384",
+ "https://claroty.com/team82/research/unboxing-busybox-14-vulnerabilities-uncovered-by-claroty-jfrog",
+ "https://jfrog.com/blog/unboxing-busybox-14-new-vulnerabilities-uncovered-by-claroty-and-jfrog/",
+ "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6T2TURBYYJGBMQTTN2DSOAIQGP7WCPGV/",
+ "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UQXGOGWBIYWOIVXJVRKHZR34UMEHQBXS/",
+ "https://nvd.nist.gov/vuln/detail/CVE-2021-42384",
+ "https://security.netapp.com/advisory/ntap-20211223-0002/",
+ "https://ubuntu.com/security/notices/USN-5179-1",
+ "https://www.cve.org/CVERecord?id=CVE-2021-42384"
+ ],
+ "PublishedDate": "2021-11-15T21:15:08.07Z",
+ "LastModifiedDate": "2023-11-07T03:39:10.737Z"
 },
 {
- "VulnerabilityID": "CVE-2021-3449",
- "PkgName": "libcrypto1.1",
- "InstalledVersion": "1.1.1d-r3",
- "FixedVersion": "1.1.1k-r0",
+ "VulnerabilityID": "CVE-2021-42385",
+ "PkgID": "busybox@1.31.1-r9",
+ "PkgName": "busybox",
+ "PkgIdentifier": {
+ "PURL": "pkg:apk/alpine/busybox@1.31.1-r9?arch=x86_64\u0026distro=3.11.5",
+ "UID": "533889b2024291fa"
+ },
+ "InstalledVersion": "1.31.1-r9",
+ "FixedVersion": "1.31.1-r11",
+ "Status": "fixed",
 "Layer": {
 "Digest": "sha256:aad63a9339440e7c3e1fff2b988991b9bfb81280042fa7f39a5e327023056819",
 "DiffID": "sha256:beee9f30bc1f711043e78d4a2be0668955d4b761d587d6f60c2c8dc081efb203"
 },
 "SeveritySource": "nvd",
- "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2021-3449",
- "Title": "openssl: NULL pointer dereference in signature_algorithms processing",
- "Description": "An OpenSSL TLS server may crash if sent a maliciously crafted renegotiation ClientHello message from a client. If a TLSv1.2 renegotiation ClientHello omits the signature_algorithms extension (where it was present in the initial ClientHello), but includes a signature_algorithms_cert extension then a NULL pointer dereference will result, leading to a crash and a denial of service attack. A server is only vulnerable if it has TLSv1.2 and renegotiation enabled (which is the default configuration). OpenSSL TLS clients are not impacted by this issue. All OpenSSL 1.1.1 versions are affected by this issue. Users of these versions should upgrade to OpenSSL 1.1.1k. OpenSSL 1.0.2 is not impacted by this issue. Fixed in OpenSSL 1.1.1k (Affected 1.1.1-1.1.1j).",
- "Severity": "MEDIUM",
+ "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2021-42385",
+ "DataSource": {
+ "ID": "alpine",
+ "Name": "Alpine Secdb",
+ "URL": "https://secdb.alpinelinux.org/"
+ },
+ "Title": "busybox: use-after-free in awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the evaluate()",
+ "Description": "A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the evaluate function",
+ "Severity": "HIGH",
 "CweIDs": [
- "CWE-476"
+ "CWE-416"
 ],
+ "VendorSeverity": {
+ "amazon": 2,
+ "cbl-mariner": 3,
+ "nvd": 3,
+ "redhat": 2,
+ "ubuntu": 1
+ },
 "CVSS": {
 "nvd": {
- "V2Vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
- "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
- "V2Score": 4.3,
- "V3Score": 5.9
+ "V2Vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P",
+ "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
+ "V2Score": 6.5,
+ "V3Score": 7.2
 },
 "redhat": {
- "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
- "V3Score": 5.9
+ "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H",
+ "V3Score": 6.6
 }
 },
 "References": [
- "http://www.openwall.com/lists/oss-security/2021/03/27/1",
- "http://www.openwall.com/lists/oss-security/2021/03/27/2",
- "http://www.openwall.com/lists/oss-security/2021/03/28/3",
- "http://www.openwall.com/lists/oss-security/2021/03/28/4",
- "https://cert-portal.siemens.com/productcert/pdf/ssa-772220.pdf",
- "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3449",
- "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=fb9fa6b51defd48157eeb207f52181f735d96148",
- "https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44845",
- "https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10356",
- "https://linux.oracle.com/cve/CVE-2021-3449.html",
- "https://linux.oracle.com/errata/ELSA-2021-9151.html",
- "https://lists.debian.org/debian-lts-announce/2021/08/msg00029.html",
- "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CCBFLLVQVILIVGZMBJL3IXZGKWQISYNP/",
- "https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0013",
- "https://security.FreeBSD.org/advisories/FreeBSD-SA-21:07.openssl.asc",
- "https://security.gentoo.org/glsa/202103-03",
- "https://security.netapp.com/advisory/ntap-20210326-0006/",
- "https://security.netapp.com/advisory/ntap-20210513-0002/",
- "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-openssl-2021-GHY28dJd",
- "https://ubuntu.com/security/notices/USN-4891-1",
- "https://ubuntu.com/security/notices/USN-5038-1",
- "https://www.debian.org/security/2021/dsa-4875",
- "https://www.openssl.org/news/secadv/20210325.txt",
- "https://www.oracle.com//security-alerts/cpujul2021.html",
- "https://www.oracle.com/security-alerts/cpuApr2021.html",
- "https://www.oracle.com/security-alerts/cpuoct2021.html",
- "https://www.tenable.com/security/tns-2021-05",
- "https://www.tenable.com/security/tns-2021-06",
- "https://www.tenable.com/security/tns-2021-09",
- "https://www.tenable.com/security/tns-2021-10"
- ],
- "PublishedDate": "2021-03-25T15:15:00Z",
- "LastModifiedDate": "2021-10-20T11:17:00Z"
+ "https://access.redhat.com/security/cve/CVE-2021-42385",
+ "https://claroty.com/team82/research/unboxing-busybox-14-vulnerabilities-uncovered-by-claroty-jfrog",
+ "https://jfrog.com/blog/unboxing-busybox-14-new-vulnerabilities-uncovered-by-claroty-and-jfrog/",
+ "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6T2TURBYYJGBMQTTN2DSOAIQGP7WCPGV/",
+ "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UQXGOGWBIYWOIVXJVRKHZR34UMEHQBXS/",
+ "https://nvd.nist.gov/vuln/detail/CVE-2021-42385",
+ "https://security.netapp.com/advisory/ntap-20211223-0002/",
+ "https://ubuntu.com/security/notices/USN-5179-1",
+ "https://www.cve.org/CVERecord?id=CVE-2021-42385"
+ ],
+ "PublishedDate": "2021-11-15T21:15:08.123Z",
+ "LastModifiedDate": "2023-11-07T03:39:10.82Z"
 },
 {
- "VulnerabilityID": "CVE-2021-23839",
- "PkgName": "libcrypto1.1",
- "InstalledVersion": "1.1.1d-r3",
- "FixedVersion": "1.1.1j-r0",
+ "VulnerabilityID": "CVE-2021-42386",
+ "PkgID": "busybox@1.31.1-r9",
+ "PkgName": "busybox",
+ "PkgIdentifier": {
+ "PURL": "pkg:apk/alpine/busybox@1.31.1-r9?arch=x86_64\u0026distro=3.11.5",
+ "UID": "533889b2024291fa"
+ },
+ "InstalledVersion": "1.31.1-r9",
+ "FixedVersion": "1.31.1-r11",
+ "Status": "fixed",
 "Layer": {
 "Digest": "sha256:aad63a9339440e7c3e1fff2b988991b9bfb81280042fa7f39a5e327023056819",
 "DiffID": "sha256:beee9f30bc1f711043e78d4a2be0668955d4b761d587d6f60c2c8dc081efb203"
 },
 "SeveritySource": "nvd",
- "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2021-23839",
- "Title": "openssl: incorrect SSLv2 rollback protection",
- "Description": "OpenSSL 1.0.2 supports SSLv2. If a client attempts to negotiate SSLv2 with a server that is configured to support both SSLv2 and more recent SSL and TLS versions then a check is made for a version rollback attack when unpadding an RSA signature. Clients that support SSL or TLS versions greater than SSLv2 are supposed to use a special form of padding. A server that supports greater than SSLv2 is supposed to reject connection attempts from a client where this special form of padding is present, because this indicates that a version rollback has occurred (i.e. both client and server support greater than SSLv2, and yet this is the version that is being requested). The implementation of this padding check inverted the logic so that the connection attempt is accepted if the padding is present, and rejected if it is absent. This means that such as server will accept a connection if a version rollback attack has occurred. Further the server will erroneously reject a connection if a normal SSLv2 connection attempt is made. Only OpenSSL 1.0.2 servers from version 1.0.2s to 1.0.2x are affected by this issue. In order to be vulnerable a 1.0.2 server must: 1) have configured SSLv2 support at compile time (this is off by default), 2) have configured SSLv2 support at runtime (this is off by default), 3) have configured SSLv2 ciphersuites (these are not in the default ciphersuite list) OpenSSL 1.1.1 does not have SSLv2 support and therefore is not vulnerable to this issue. The underlying error is in the implementation of the RSA_padding_check_SSLv23() function. This also affects the RSA_SSLV23_PADDING padding mode used by various other functions. Although 1.1.1 does not support SSLv2 the RSA_padding_check_SSLv23() function still exists, as does the RSA_SSLV23_PADDING padding mode. Applications that directly call that function or use that padding mode will encounter this issue. However since there is no support for the SSLv2 protocol in 1.1.1 this is considered a bug and not a security issue in that version. OpenSSL 1.0.2 is out of support and no longer receiving public updates. Premium support customers of OpenSSL 1.0.2 should upgrade to 1.0.2y. Other users should upgrade to 1.1.1j. Fixed in OpenSSL 1.0.2y (Affected 1.0.2s-1.0.2x).",
- "Severity": "LOW",
+ "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2021-42386",
+ "DataSource": {
+ "ID": "alpine",
+ "Name": "Alpine Secdb",
+ "URL": "https://secdb.alpinelinux.org/"
+ },
+ "Title": "busybox: use-after-free in awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the nvalloc()",
+ "Description": "A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the nvalloc function",
+ "Severity": "HIGH",
 "CweIDs": [
- "CWE-326"
+ "CWE-416"
 ],
+ "VendorSeverity": {
+ "amazon": 2,
+ "cbl-mariner": 3,
+ "nvd": 3,
+ "redhat": 2,
+ "ubuntu": 1
+ },
 "CVSS": {
 "nvd": {
- "V2Vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
- "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N",
- "V2Score": 4.3,
- "V3Score": 3.7
+ "V2Vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P",
+ "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
+ "V2Score": 6.5,
+ "V3Score": 7.2
 },
 "redhat": {
- "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N",
- "V3Score": 3.7
+ "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H",
+ "V3Score": 6.6
 }
 },
 "References": [
- "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=30919ab80a478f2d81f2e9acdcca3fa4740cd547",
- "https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44846",
- "https://security.netapp.com/advisory/ntap-20210219-0009/",
- "https://www.openssl.org/news/secadv/20210216.txt",
- "https://www.oracle.com//security-alerts/cpujul2021.html",
- "https://www.oracle.com/security-alerts/cpuApr2021.html",
- "https://www.oracle.com/security-alerts/cpuoct2021.html"
- ],
- "PublishedDate": "2021-02-16T17:15:00Z",
- "LastModifiedDate": "2021-10-20T11:16:00Z"
+ "https://access.redhat.com/security/cve/CVE-2021-42386",
+ "https://claroty.com/team82/research/unboxing-busybox-14-vulnerabilities-uncovered-by-claroty-jfrog",
+ "https://jfrog.com/blog/unboxing-busybox-14-new-vulnerabilities-uncovered-by-claroty-and-jfrog/",
+ "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6T2TURBYYJGBMQTTN2DSOAIQGP7WCPGV/",
+ "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UQXGOGWBIYWOIVXJVRKHZR34UMEHQBXS/",
+ "https://nvd.nist.gov/vuln/detail/CVE-2021-42386",
+ "https://security.netapp.com/advisory/ntap-20211223-0002/",
+ "https://ubuntu.com/security/notices/USN-5179-1",
+ "https://www.cve.org/CVERecord?id=CVE-2021-42386"
+ ],
+ "PublishedDate": "2021-11-15T21:15:08.173Z",
+ "LastModifiedDate": "2023-11-07T03:39:10.903Z"
 },
 {
- "VulnerabilityID": "CVE-2019-15847",
- "PkgName": "libgcc",
- "InstalledVersion": "9.2.0-r4",
- "FixedVersion": "9.3.0-r0",
+ "VulnerabilityID": "CVE-2021-42374",
+ "PkgID": "busybox@1.31.1-r9",
+ "PkgName": "busybox",
+ "PkgIdentifier": {
+ "PURL": "pkg:apk/alpine/busybox@1.31.1-r9?arch=x86_64\u0026distro=3.11.5",
+ "UID": "533889b2024291fa"
+ },
+ "InstalledVersion": "1.31.1-r9",
+ "FixedVersion": "1.31.1-r11",
+ "Status": "fixed",
 "Layer": {
- "Digest": "sha256:1e6875f31a79a89ba75198be98bcf8542ebf5bedc72e713643f8051c1de5f953",
- "DiffID": "sha256:b745c9620c42ed8b3d44112811e039e9e673072cef3bb5740bb1d560a40b1f8a"
+ "Digest": "sha256:aad63a9339440e7c3e1fff2b988991b9bfb81280042fa7f39a5e327023056819",
+ "DiffID": "sha256:beee9f30bc1f711043e78d4a2be0668955d4b761d587d6f60c2c8dc081efb203"
 },
 "SeveritySource": "nvd",
- "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-15847",
- "Title": "gcc: POWER9 \"DARN\" RNG intrinsic produces repeated output",
- "Description": "The POWER9 backend in GNU Compiler Collection (GCC) before version 10 could optimize multiple calls of the __builtin_darn intrinsic into a single call, thus reducing the entropy of the random number generator. This occurred because a volatile operation was not specified. For example, within a single execution of a program, the output of every __builtin_darn() call may be the same.",
- "Severity": "HIGH",
+ "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2021-42374",
+ "DataSource": {
+ "ID": "alpine",
+ "Name": "Alpine Secdb",
+ "URL": "https://secdb.alpinelinux.org/"
+ },
+ "Title": "busybox: out-of-bounds read in unlzma applet leads to information leak and denial of service when crafted LZMA-compressed input is decompressed",
+ "Description": "An out-of-bounds heap read in Busybox's unlzma applet leads to information leak and denial of service when crafted LZMA-compressed input is decompressed. This can be triggered by any applet/format that",
+ "Severity": "MEDIUM",
 "CweIDs": [
- "CWE-331"
+ "CWE-125"
 ],
+ "VendorSeverity": {
+ "azure": 2,
+ "cbl-mariner": 2,
+ "nvd": 2,
+ "redhat": 2,
+ "ubuntu": 1
+ },
 "CVSS": {
 "nvd": {
- "V2Vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
- "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
- "V2Score": 5,
- "V3Score": 7.5
+ "V2Vector": "AV:L/AC:M/Au:N/C:P/I:N/A:P",
+ "V3Vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:H",
+ "V2Score": 3.3,
+ "V3Score": 5.3
 },
 "redhat": {
- "V3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
- "V3Score": 7.5
+ "V3Vector": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:H",
+ "V3Score": 5.7
 }
 },
 "References": [
- "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00056.html",
- "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00057.html",
- "http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00058.html",
- "https://gcc.gnu.org/bugzilla/show_bug.cgi?id=91481",
- "https://linux.oracle.com/cve/CVE-2019-15847.html",
- "https://linux.oracle.com/errata/ELSA-2020-1864.html"
- ],
- "PublishedDate": "2019-09-02T23:15:00Z",
- "LastModifiedDate": "2020-09-17T13:38:00Z"
+ "https://access.redhat.com/security/cve/CVE-2021-42374",
+ "https://claroty.com/team82/research/unboxing-busybox-14-vulnerabilities-uncovered-by-claroty-jfrog",
+ "https://jfrog.com/blog/unboxing-busybox-14-new-vulnerabilities-uncovered-by-claroty-and-jfrog/",
+ "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6T2TURBYYJGBMQTTN2DSOAIQGP7WCPGV/",
+ "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UQXGOGWBIYWOIVXJVRKHZR34UMEHQBXS/",
+ "https://nvd.nist.gov/vuln/detail/CVE-2021-42374",
+ "https://security.netapp.com/advisory/ntap-20211223-0002/",
+ "https://ubuntu.com/security/notices/USN-5179-1",
+ "https://www.cve.org/CVERecord?id=CVE-2021-42374"
+ ],
+ "PublishedDate": "2021-11-15T21:15:07.54Z",
+ "LastModifiedDate": "2023-11-07T03:39:09.877Z"
 },
 {
 "VulnerabilityID": "CVE-2021-3711",
- "PkgName": "libssl1.1",
+ "PkgID": "libcrypto1.1@1.1.1d-r3",
+ "PkgName": "libcrypto1.1",
+ "PkgIdentifier": {
+ "PURL": "pkg:apk/alpine/libcrypto1.1@1.1.1d-r3?arch=x86_64\u0026distro=3.11.5",
+ "UID": "d953e24c85316efe"
+ },
 "InstalledVersion": "1.1.1d-r3",
 "FixedVersion": "1.1.1l-r0",
+ "Status": "fixed",
 "Layer": {
 "Digest": "sha256:aad63a9339440e7c3e1fff2b988991b9bfb81280042fa7f39a5e327023056819",
 "DiffID": "sha256:beee9f30bc1f711043e78d4a2be0668955d4b761d587d6f60c2c8dc081efb203"
 },
 "SeveritySource": "nvd",
 "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2021-3711",
+ "DataSource": {
+ "ID": "alpine",
+ "Name": "Alpine Secdb",
+ "URL": "https://secdb.alpinelinux.org/"
+ },
 "Title": "openssl: SM2 Decryption Buffer Overflow",
 "Description": "In order to decrypt SM2 encrypted data an application is expected to call the API function EVP_PKEY_decrypt(). Typically an application will call this function twice. The first time, on entry, the \"out\" parameter can be NULL and, on exit, the \"outlen\" parameter is populated with the buffer size required to hold the decrypted plaintext. The application can then allocate a sufficiently sized buffer and call EVP_PKEY_decrypt() again, but this time passing a non-NULL value for the \"out\" parameter. A bug in the implementation of the SM2 decryption code means that the calculation of the buffer size required to hold the plaintext returned by the first call to EVP_PKEY_decrypt() can be smaller than the actual size required by the second call. This can lead to a buffer overflow when EVP_PKEY_decrypt() is called by the application a second time with a buffer that is too small. A malicious attacker who is able present SM2 content for decryption to an application could cause attacker chosen data to overflow the buffer by up to a maximum of 62 bytes altering the contents of other data held after the buffer, possibly changing application behaviour or causing the application to crash. The location of the buffer is application dependent but is typically heap allocated. Fixed in OpenSSL 1.1.1l (Affected 1.1.1-1.1.1k).",
 "Severity": "CRITICAL",
 "CweIDs": [
 "CWE-120"
 ],
+ "VendorSeverity": {
+ "azure": 4,
+ "cbl-mariner": 4,
+ "ghsa": 4,
+ "nvd": 4,
+ "photon": 4,
+ "redhat": 3,
+ "ubuntu": 3
+ },
 "CVSS": {
+ "ghsa": {
+ "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
+ "V3Score": 9.8
+ },
 "nvd": {
 "V2Vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
 "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
@@ -858,39 +1002,77 @@
 },
 "References": [
 "http://www.openwall.com/lists/oss-security/2021/08/26/2",
- "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3711",
+ "https://access.redhat.com/security/cve/CVE-2021-3711",
+ "https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf",
+ "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=59f5e75f3bced8fc0e130d72a3f582cf7b480b46",
 "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=59f5e75f3bced8fc0e130d72a3f582cf7b480b46",
+ "https://lists.apache.org/thread.html/r18995de860f0e63635f3008fd2a6aca82394249476d21691e7c59c9e%40%3Cdev.tomcat.apache.org%3E",
 "https://lists.apache.org/thread.html/r18995de860f0e63635f3008fd2a6aca82394249476d21691e7c59c9e@%3Cdev.tomcat.apache.org%3E",
+ "https://lists.apache.org/thread.html/rad5d9f83f0d11fb3f8bb148d179b8a9ad7c6a17f18d70e5805a713d1%40%3Cdev.tomcat.apache.org%3E",
 "https://lists.apache.org/thread.html/rad5d9f83f0d11fb3f8bb148d179b8a9ad7c6a17f18d70e5805a713d1@%3Cdev.tomcat.apache.org%3E",
+ "https://nvd.nist.gov/vuln/detail/CVE-2021-3711",
+ "https://rustsec.org/advisories/RUSTSEC-2021-0097.html",
+ "https://security.gentoo.org/glsa/202209-02",
+ "https://security.gentoo.org/glsa/202210-02",
+ "https://security.netapp.com/advisory/ntap-20210827-0010",
 "https://security.netapp.com/advisory/ntap-20210827-0010/",
+ "https://security.netapp.com/advisory/ntap-20211022-0003",
 "https://security.netapp.com/advisory/ntap-20211022-0003/",
+ "https://security.netapp.com/advisory/ntap-20240621-0006",
+ "https://security.netapp.com/advisory/ntap-20240621-0006/",
 "https://ubuntu.com/security/notices/USN-5051-1",
+ "https://www.cve.org/CVERecord?id=CVE-2021-3711",
 "https://www.debian.org/security/2021/dsa-4963",
 "https://www.openssl.org/news/secadv/20210824.txt",
+ "https://www.oracle.com/security-alerts/cpuapr2022.html",
+ "https://www.oracle.com/security-alerts/cpujan2022.html",
 "https://www.oracle.com/security-alerts/cpuoct2021.html",
- "https://www.tenable.com/security/tns-2021-16"
+ "https://www.tenable.com/security/tns-2021-16",
+ "https://www.tenable.com/security/tns-2022-02"
 ],
- "PublishedDate": "2021-08-24T15:15:00Z",
- "LastModifiedDate": "2021-10-22T18:15:00Z"
+ "PublishedDate": "2021-08-24T15:15:09.133Z",
+ "LastModifiedDate": "2024-06-21T19:15:20.213Z"
 },
 {
 "VulnerabilityID": "CVE-2020-1967",
- "PkgName": "libssl1.1",
+ "PkgID": "libcrypto1.1@1.1.1d-r3",
+ "PkgName": "libcrypto1.1",
+ "PkgIdentifier": {
+ "PURL": "pkg:apk/alpine/libcrypto1.1@1.1.1d-r3?arch=x86_64\u0026distro=3.11.5",
+ "UID": "d953e24c85316efe"
+ },
 "InstalledVersion": "1.1.1d-r3",
 "FixedVersion": "1.1.1g-r0",
+ "Status": "fixed",
 "Layer": {
 "Digest": "sha256:aad63a9339440e7c3e1fff2b988991b9bfb81280042fa7f39a5e327023056819",
 "DiffID": "sha256:beee9f30bc1f711043e78d4a2be0668955d4b761d587d6f60c2c8dc081efb203"
 },
 "SeveritySource": "nvd",
 "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2020-1967",
+ "DataSource": {
+ "ID": "alpine",
+ "Name": "Alpine Secdb",
+ "URL": "https://secdb.alpinelinux.org/"
+ },
 "Title": "openssl: Segmentation fault in SSL_check_chain causes denial of service",
 "Description": "Server or client applications that call the SSL_check_chain() function during or after a TLS 1.3 handshake may crash due to a NULL pointer dereference as a result of incorrect handling of the \"signature_algorithms_cert\" TLS extension. The crash occurs if an invalid or unrecognised signature algorithm is received from the peer. This could be exploited by a malicious peer in a Denial of Service attack. OpenSSL version 1.1.1d, 1.1.1e, and 1.1.1f are affected by this issue. This issue did not affect OpenSSL versions prior to 1.1.1d. Fixed in OpenSSL 1.1.1g (Affected 1.1.1d-1.1.1f).",
 "Severity": "HIGH",
 "CweIDs": [
 "CWE-476"
 ],
+ "VendorSeverity": {
+ "ghsa": 3,
+ "nvd": 3,
+ "photon": 3,
+ "redhat": 3,
+ "ubuntu": 3
+ },
 "CVSS": {
+ "ghsa": {
+ "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
+ "V3Score": 7.5
+ },
 "nvd": {
 "V2Vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
 "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
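Review bot: The new-side `References` array for CVE-2021-3711 now lists the same link in two spellings — `https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=59f5e75f3bced8fc0e130d72a3f582cf7b480b46` beside the `;`-separated form, a `%40`/`@` pair for each lists.apache.org thread, and `https://security.netapp.com/advisory/ntap-20210827-0010` with and without the trailing slash — and the following CVE-2020-1967 hunk repeats the pattern for its openssl, Apache, Fedora and NetApp links. These entries look like verbatim Trivy output, so the fixture itself is presumably faithful, but if the parser copies `References` through unchanged, every finding built from this fixture, and the snapshot that pins it, will carry these near-duplicates. Normalizing (percent-decoding `%3B`/`%40`, dropping a trailing `/`) and de-duplicating in the parser before it emits a finding's `references` would keep the findings clean; the parser is outside this diff, so I cannot tell whether it already does this.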
@@ -908,21 +1090,32 @@
 "http://packetstormsecurity.com/files/157527/OpenSSL-signature_algorithms_cert-Denial-Of-Service.html",
 "http://seclists.org/fulldisclosure/2020/May/5",
 "http://www.openwall.com/lists/oss-security/2020/04/22/2",
- "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1967",
+ "https://access.redhat.com/security/cve/CVE-2020-1967",
+ "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=eb563247aef3e83dda7679c43f9649270462e5b1",
 "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=eb563247aef3e83dda7679c43f9649270462e5b1",
 "https://github.com/irsl/CVE-2020-1967",
 "https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44440",
+ "https://lists.apache.org/thread.html/r66ea9c436da150683432db5fbc8beb8ae01886c6459ac30c2cea7345%40%3Cdev.tomcat.apache.org%3E",
 "https://lists.apache.org/thread.html/r66ea9c436da150683432db5fbc8beb8ae01886c6459ac30c2cea7345@%3Cdev.tomcat.apache.org%3E",
+ "https://lists.apache.org/thread.html/r94d6ac3f010a38fccf4f432b12180a13fa1cf303559bd805648c9064%40%3Cdev.tomcat.apache.org%3E",
 "https://lists.apache.org/thread.html/r94d6ac3f010a38fccf4f432b12180a13fa1cf303559bd805648c9064@%3Cdev.tomcat.apache.org%3E",
+ "https://lists.apache.org/thread.html/r9a41e304992ce6aec6585a87842b4f2e692604f5c892c37e3b0587ee%40%3Cdev.tomcat.apache.org%3E",
 "https://lists.apache.org/thread.html/r9a41e304992ce6aec6585a87842b4f2e692604f5c892c37e3b0587ee@%3Cdev.tomcat.apache.org%3E",
- "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DDHOAATPWJCXRNFMJ2SASDBBNU5RJONY/",
- "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EXDDAOWSAIEFQNBHWYE6PPYFV4QXGMCD/",
- "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XVEP3LAK4JSPRXFO4QF4GG2IVXADV3SO/",
+ "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DDHOAATPWJCXRNFMJ2SASDBBNU5RJONY/",
+ "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EXDDAOWSAIEFQNBHWYE6PPYFV4QXGMCD/",
+ "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XVEP3LAK4JSPRXFO4QF4GG2IVXADV3SO/",
+ "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DDHOAATPWJCXRNFMJ2SASDBBNU5RJONY",
+ "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EXDDAOWSAIEFQNBHWYE6PPYFV4QXGMCD",
+ "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XVEP3LAK4JSPRXFO4QF4GG2IVXADV3SO",
 "https://nvd.nist.gov/vuln/detail/CVE-2020-1967",
+ "https://rustsec.org/advisories/RUSTSEC-2020-0015.html",
 "https://security.FreeBSD.org/advisories/FreeBSD-SA-20:11.openssl.asc",
 "https://security.gentoo.org/glsa/202004-10",
+ "https://security.netapp.com/advisory/ntap-20200424-0003",
 "https://security.netapp.com/advisory/ntap-20200424-0003/",
+ "https://security.netapp.com/advisory/ntap-20200717-0004",
 "https://security.netapp.com/advisory/ntap-20200717-0004/",
+ "https://www.cve.org/CVERecord?id=CVE-2020-1967",
 "https://www.debian.org/security/2020/dsa-4661",
 "https://www.openssl.org/news/secadv/20200421.txt",
 "https://www.oracle.com//security-alerts/cpujul2021.html",
@@ -938,27 +1131,57 @@
 "https://www.tenable.com/security/tns-2020-11",
 "https://www.tenable.com/security/tns-2021-10"
 ],
- "PublishedDate": "2020-04-21T14:15:00Z",
- "LastModifiedDate": "2021-10-20T11:15:00Z"
+ "PublishedDate": "2020-04-21T14:15:11.287Z",
+ "LastModifiedDate": "2023-11-07T03:19:39.09Z"
 },
 {
 "VulnerabilityID": "CVE-2021-23840",
- "PkgName": "libssl1.1",
+ "PkgID": "libcrypto1.1@1.1.1d-r3",
+ "PkgName": "libcrypto1.1",
+ "PkgIdentifier": {
+ "PURL": "pkg:apk/alpine/libcrypto1.1@1.1.1d-r3?arch=x86_64\u0026distro=3.11.5",
+ "UID": "d953e24c85316efe"
+ },
 "InstalledVersion": "1.1.1d-r3",
 "FixedVersion": "1.1.1j-r0",
+ "Status": "fixed",
 "Layer": {
 "Digest": "sha256:aad63a9339440e7c3e1fff2b988991b9bfb81280042fa7f39a5e327023056819",
 "DiffID": "sha256:beee9f30bc1f711043e78d4a2be0668955d4b761d587d6f60c2c8dc081efb203"
 },
 "SeveritySource": "nvd",
 "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2021-23840",
+ "DataSource": {
+ "ID": "alpine",
+ "Name": "Alpine Secdb",
+ "URL": "https://secdb.alpinelinux.org/"
+ },
 "Title": "openssl: integer overflow in CipherUpdate",
- "Description": "Calls to EVP_CipherUpdate, EVP_EncryptUpdate and EVP_DecryptUpdate may overflow the output length argument in some cases where the input length is close to the maximum permissible length for an integer on the platform. In such cases the return value from the function call will be 1 (indicating success), but the output length value will be negative. This could cause applications to behave incorrectly or crash. OpenSSL versions 1.1.1i and below are affected by this issue. Users of these versions should upgrade to OpenSSL 1.1.1j. OpenSSL versions 1.0.2x and below are affected by this issue. However OpenSSL 1.0.2 is out of support and no longer receiving public updates. Premium support customers of OpenSSL 1.0.2 should upgrade to 1.0.2y. Other users should upgrade to 1.1.1j. Fixed in OpenSSL 1.1.1j (Affected 1.1.1-1.1.1i). Fixed in OpenSSL 1.0.2y (Affected 1.0.2-1.0.2x).",
+ "Description": "Calls to EVP_CipherUpdate, EVP_EncryptUpdate and EVP_DecryptUpdate may overflow the output length argument in some cases where the input length is close to the maximum permissable length for an integer on the platform. In such cases the return value from the function call will be 1 (indicating success), but the output length value will be negative. This could cause applications to behave incorrectly or crash. OpenSSL versions 1.1.1i and below are affected by this issue. Users of these versions should upgrade to OpenSSL 1.1.1j. OpenSSL versions 1.0.2x and below are affected by this issue. However OpenSSL 1.0.2 is out of support and no longer receiving public updates. Premium support customers of OpenSSL 1.0.2 should upgrade to 1.0.2y. Other users should upgrade to 1.1.1j. Fixed in OpenSSL 1.1.1j (Affected 1.1.1-1.1.1i). Fixed in OpenSSL 1.0.2y (Affected 1.0.2-1.0.2x).",
 "Severity": "HIGH",
 "CweIDs": [
 "CWE-190"
 ],
+ "VendorSeverity": {
+ "alma": 2,
+ "amazon": 3,
+ "bitnami": 3,
+ "ghsa": 3,
+ "nvd": 3,
+ "oracle-oval": 2,
+ "photon": 3,
+ "redhat": 2,
+ "ubuntu": 1
+ },
 "CVSS": {
+ "bitnami": {
+ "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
+ "V3Score": 7.5
+ },
+ "ghsa": {
+ "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
+ "V3Score": 7.5
+ },
 "nvd": {
 "V2Vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
 "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
@@ -971,49 +1194,91 @@
 }
 },
 "References": [
- "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23840",
+ "https://access.redhat.com/security/cve/CVE-2021-23840",
+ "https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf",
+ "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=6a51b9e1d0cf0bf8515f7201b68fb0a3482b3dc1",
+ "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=9b1129239f3ebb1d1c98ce9ed41d5c9476c47cb2",
 "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=6a51b9e1d0cf0bf8515f7201b68fb0a3482b3dc1",
 "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=9b1129239f3ebb1d1c98ce9ed41d5c9476c47cb2",
+ "https://github.com/alexcrichton/openssl-src-rs",
 "https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44846",
 "https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10366",
 "https://linux.oracle.com/cve/CVE-2021-23840.html",
- "https://linux.oracle.com/errata/ELSA-2021-9528.html",
+ "https://linux.oracle.com/errata/ELSA-2021-9561.html",
+ "https://lists.apache.org/thread.html/r58af02e294bd07f487e2c64ffc0a29b837db5600e33b6e698b9d696b%40%3Cissues.bookkeeper.apache.org%3E",
 "https://lists.apache.org/thread.html/r58af02e294bd07f487e2c64ffc0a29b837db5600e33b6e698b9d696b@%3Cissues.bookkeeper.apache.org%3E",
+ "https://lists.apache.org/thread.html/rf4c02775860db415b4955778a131c2795223f61cb8c6a450893651e4%40%3Cissues.bookkeeper.apache.org%3E",
 "https://lists.apache.org/thread.html/rf4c02775860db415b4955778a131c2795223f61cb8c6a450893651e4@%3Cissues.bookkeeper.apache.org%3E",
+ "https://nvd.nist.gov/vuln/detail/CVE-2021-23840",
+ "https://rustsec.org/advisories/RUSTSEC-2021-0057.html",
 "https://security.gentoo.org/glsa/202103-03",
+ "https://security.netapp.com/advisory/ntap-20210219-0009",
 "https://security.netapp.com/advisory/ntap-20210219-0009/",
+ "https://security.netapp.com/advisory/ntap-20240621-0006/",
 "https://ubuntu.com/security/notices/USN-4738-1",
 "https://ubuntu.com/security/notices/USN-5088-1",
+ "https://ubuntu.com/security/notices/USN-7018-1",
+ "https://www.cve.org/CVERecord?id=CVE-2021-23840",
 "https://www.debian.org/security/2021/dsa-4855",
 "https://www.openssl.org/news/secadv/20210216.txt",
 "https://www.oracle.com//security-alerts/cpujul2021.html",
 "https://www.oracle.com/security-alerts/cpuApr2021.html",
+ "https://www.oracle.com/security-alerts/cpuapr2022.html",
+ "https://www.oracle.com/security-alerts/cpujan2022.html",
 "https://www.oracle.com/security-alerts/cpuoct2021.html",
 "https://www.tenable.com/security/tns-2021-03",
 "https://www.tenable.com/security/tns-2021-09",
 "https://www.tenable.com/security/tns-2021-10"
 ],
- "PublishedDate": "2021-02-16T17:15:00Z",
- "LastModifiedDate": "2021-10-22T08:15:00Z"
+ "PublishedDate": "2021-02-16T17:15:13.3Z",
+ "LastModifiedDate": "2024-06-21T19:15:17.007Z"
 },
 {
 "VulnerabilityID": "CVE-2021-3450",
- "PkgName": "libssl1.1",
+ "PkgID": "libcrypto1.1@1.1.1d-r3",
+ "PkgName": "libcrypto1.1",
+ "PkgIdentifier": {
+ "PURL": "pkg:apk/alpine/libcrypto1.1@1.1.1d-r3?arch=x86_64\u0026distro=3.11.5",
+ "UID": "d953e24c85316efe"
+ },
 "InstalledVersion": "1.1.1d-r3",
 "FixedVersion": "1.1.1k-r0",
+ "Status": "fixed",
 "Layer": {
 "Digest": "sha256:aad63a9339440e7c3e1fff2b988991b9bfb81280042fa7f39a5e327023056819",
 "DiffID": "sha256:beee9f30bc1f711043e78d4a2be0668955d4b761d587d6f60c2c8dc081efb203"
 },
 "SeveritySource": "nvd",
 "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2021-3450",
+ "DataSource": {
+ "ID": "alpine",
+ "Name": "Alpine Secdb",
+ "URL": "https://secdb.alpinelinux.org/"
+ },
 "Title": "openssl: CA certificate check bypass with X509_V_FLAG_X509_STRICT",
 "Description": "The X509_V_FLAG_X509_STRICT flag enables additional security checks of the certificates present in a certificate chain. It is not set by default. Starting from OpenSSL version 1.1.1h a check to disallow certificates in the chain that have explicitly encoded elliptic curve parameters was added as an additional strict check. An error in the implementation of this check meant that the result of a previous check to confirm that certificates in the chain are valid CA certificates was overwritten. This effectively bypasses the check that non-CA certificates must not be able to issue other certificates. If a \"purpose\" has been configured then there is a subsequent opportunity for checks that the certificate is a valid CA. All of the named \"purpose\" values implemented in libcrypto perform this check. Therefore, where a purpose is set the certificate chain will still be rejected even when the strict flag has been used. A purpose is set by default in libssl client and server certificate verification routines, but it can be overridden or removed by an application. In order to be affected, an application must explicitly set the X509_V_FLAG_X509_STRICT verification flag and either not set a purpose for the certificate verification or, in the case of TLS client or server applications, override the default purpose. OpenSSL versions 1.1.1h and newer are affected by this issue. Users of these versions should upgrade to OpenSSL 1.1.1k. OpenSSL 1.0.2 is not impacted by this issue. Fixed in OpenSSL 1.1.1k (Affected 1.1.1h-1.1.1j).",
 "Severity": "HIGH",
 "CweIDs": [
 "CWE-295"
 ],
+ "VendorSeverity": {
+ "amazon": 3,
+ "bitnami": 3,
+ "ghsa": 3,
+ "nvd": 3,
+ "oracle-oval": 3,
+ "photon": 3,
+ "redhat": 3
+ },
 "CVSS": {
+ "bitnami": {
+ "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
+ "V3Score": 7.4
+ },
+ "ghsa": {
+ "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
+ "V3Score": 7.4
+ },
 "nvd": {
 "V2Vector": "AV:N/AC:M/Au:N/C:P/I:P/A:N",
 "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
@@ -1030,47 +1295,85 @@
 "http://www.openwall.com/lists/oss-security/2021/03/27/2",
 "http://www.openwall.com/lists/oss-security/2021/03/28/3",
 "http://www.openwall.com/lists/oss-security/2021/03/28/4",
+ "https://access.redhat.com/security/cve/CVE-2021-3450",
+ "https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf",
+ "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=2a40b7bc7b94dd7de897a74571e7024f0cf0d63b",
 "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=2a40b7bc7b94dd7de897a74571e7024f0cf0d63b",
+ "https://github.com/alexcrichton/openssl-src-rs",
 "https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44845",
 "https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10356",
 "https://linux.oracle.com/cve/CVE-2021-3450.html",
 "https://linux.oracle.com/errata/ELSA-2021-9151.html",
- "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CCBFLLVQVILIVGZMBJL3IXZGKWQISYNP/",
+ "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CCBFLLVQVILIVGZMBJL3IXZGKWQISYNP/",
+ "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CCBFLLVQVILIVGZMBJL3IXZGKWQISYNP",
 "https://mta.openssl.org/pipermail/openssl-announce/2021-March/000198.html",
+ "https://nvd.nist.gov/vuln/detail/CVE-2021-3450",
 "https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0013",
+ "https://rustsec.org/advisories/RUSTSEC-2021-0056.html",
 "https://security.FreeBSD.org/advisories/FreeBSD-SA-21:07.openssl.asc",
 "https://security.gentoo.org/glsa/202103-03",
+ "https://security.netapp.com/advisory/ntap-20210326-0006",
 "https://security.netapp.com/advisory/ntap-20210326-0006/",
 "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-openssl-2021-GHY28dJd",
+ "https://www.cve.org/CVERecord?id=CVE-2021-3450",
 "https://www.openssl.org/news/secadv/20210325.txt",
 "https://www.oracle.com//security-alerts/cpujul2021.html",
 "https://www.oracle.com/security-alerts/cpuApr2021.html",
+ "https://www.oracle.com/security-alerts/cpuapr2022.html",
+ "https://www.oracle.com/security-alerts/cpujul2022.html",
 "https://www.oracle.com/security-alerts/cpuoct2021.html",
 "https://www.tenable.com/security/tns-2021-05",
 "https://www.tenable.com/security/tns-2021-08",
 "https://www.tenable.com/security/tns-2021-09"
 ],
- "PublishedDate": "2021-03-25T15:15:00Z",
- "LastModifiedDate": "2021-10-20T11:17:00Z"
+ "PublishedDate": "2021-03-25T15:15:13.56Z",
+ "LastModifiedDate": "2023-11-07T03:38:00.923Z"
 },
 {
 "VulnerabilityID": "CVE-2021-3712",
- "PkgName": "libssl1.1",
+ "PkgID": "libcrypto1.1@1.1.1d-r3",
+ "PkgName": "libcrypto1.1",
+ "PkgIdentifier": {
+ "PURL": "pkg:apk/alpine/libcrypto1.1@1.1.1d-r3?arch=x86_64\u0026distro=3.11.5",
+ "UID": "d953e24c85316efe"
+ },
 "InstalledVersion": "1.1.1d-r3",
 "FixedVersion": "1.1.1l-r0",
+ "Status": "fixed",
 "Layer": {
 "Digest": "sha256:aad63a9339440e7c3e1fff2b988991b9bfb81280042fa7f39a5e327023056819",
 "DiffID": "sha256:beee9f30bc1f711043e78d4a2be0668955d4b761d587d6f60c2c8dc081efb203"
 },
 "SeveritySource": "nvd",
 "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2021-3712",
+ "DataSource": {
+ "ID": "alpine",
+ "Name": "Alpine Secdb",
+ "URL": "https://secdb.alpinelinux.org/"
+ },
 "Title": "openssl: Read buffer overruns processing ASN.1 strings",
 "Description": "ASN.1 strings are represented internally within OpenSSL as an ASN1_STRING structure which contains a buffer holding the string data and a field holding the buffer length. This contrasts with normal C strings which are repesented as a buffer for the string data which is terminated with a NUL (0) byte. Although not a strict requirement, ASN.1 strings that are parsed using OpenSSL's own \"d2i\" functions (and other similar parsing functions) as well as any string whose value has been set with the ASN1_STRING_set() function will additionally NUL terminate the byte array in the ASN1_STRING structure. However, it is possible for applications to directly construct valid ASN1_STRING structures which do not NUL terminate the byte array by directly setting the \"data\" and \"length\" fields in the ASN1_STRING array. This can also happen by using the ASN1_STRING_set0() function. Numerous OpenSSL functions that print ASN.1 data have been found to assume that the ASN1_STRING byte array will be NUL terminated, even though this is not guaranteed for strings that have been directly constructed. Where an application requests an ASN.1 structure to be printed, and where that ASN.1 structure contains ASN1_STRINGs that have been directly constructed by the application without NUL terminating the \"data\" field, then a read buffer overrun can occur. The same thing can also occur during name constraints processing of certificates (for example if a certificate has been directly constructed by the application instead of loading it via the OpenSSL parsing functions, and the certificate contains non NUL terminated ASN1_STRING structures). It can also occur in the X509_get1_email(), X509_REQ_get1_email() and X509_get1_ocsp() functions. If a malicious actor can cause an application to directly construct an ASN1_STRING and then process it through one of the affected OpenSSL functions then this issue could be hit. This might result in a crash (causing a Denial of Service attack). It could also result in the disclosure of private memory contents (such as private keys, or sensitive plaintext). Fixed in OpenSSL 1.1.1l (Affected 1.1.1-1.1.1k). Fixed in OpenSSL 1.0.2za (Affected 1.0.2-1.0.2y).",
 "Severity": "HIGH",
 "CweIDs": [
 "CWE-125"
 ],
+ "VendorSeverity": {
+ "amazon": 3,
+ "azure": 3,
+ "cbl-mariner": 3,
+ "ghsa": 3,
+ "nvd": 3,
+ "oracle-oval": 2,
+ "photon": 3,
+ "redhat": 2,
+ "rocky": 2,
+ "ubuntu": 2
+ },
 "CVSS": {
+ "ghsa": {
+ "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:H",
+ "V3Score": 7.4
+ },
 "nvd": {
 "V2Vector": "AV:N/AC:M/Au:N/C:P/I:N/A:P",
 "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:H",
@@ -1084,46 +1387,91 @@
 },
 "References": [
 "http://www.openwall.com/lists/oss-security/2021/08/26/2",
- "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3712",
+ "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-3712.json",
+ "https://access.redhat.com/security/cve/CVE-2021-3712",
+ "https://cert-portal.siemens.com/productcert/pdf/ssa-244969.pdf",
+ "https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf",
+ "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=94d23fcff9b2a7a8368dfe52214d5c2569882c11",
+ "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=ccb0a11145ee72b042d10593a64eaf9e8a55ec12",
 "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=94d23fcff9b2a7a8368dfe52214d5c2569882c11",
 "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=ccb0a11145ee72b042d10593a64eaf9e8a55ec12",
 "https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10366",
+ "https://linux.oracle.com/cve/CVE-2021-3712.html",
+ "https://linux.oracle.com/errata/ELSA-2022-9023.html",
+ "https://lists.apache.org/thread.html/r18995de860f0e63635f3008fd2a6aca82394249476d21691e7c59c9e%40%3Cdev.tomcat.apache.org%3E",
 "https://lists.apache.org/thread.html/r18995de860f0e63635f3008fd2a6aca82394249476d21691e7c59c9e@%3Cdev.tomcat.apache.org%3E",
+ "https://lists.apache.org/thread.html/rad5d9f83f0d11fb3f8bb148d179b8a9ad7c6a17f18d70e5805a713d1%40%3Cdev.tomcat.apache.org%3E",
 "https://lists.apache.org/thread.html/rad5d9f83f0d11fb3f8bb148d179b8a9ad7c6a17f18d70e5805a713d1@%3Cdev.tomcat.apache.org%3E",
 "https://lists.debian.org/debian-lts-announce/2021/09/msg00014.html",
 "https://lists.debian.org/debian-lts-announce/2021/09/msg00021.html",
+ "https://nvd.nist.gov/vuln/detail/CVE-2021-3712",
+ "https://rustsec.org/advisories/RUSTSEC-2021-0098.html",
+ "https://security.gentoo.org/glsa/202209-02",
+ "https://security.gentoo.org/glsa/202210-02",
+ "https://security.netapp.com/advisory/ntap-20210827-0010",
 "https://security.netapp.com/advisory/ntap-20210827-0010/",
+ "https://security.netapp.com/advisory/ntap-20240621-0006",
+ "https://security.netapp.com/advisory/ntap-20240621-0006/",
 "https://ubuntu.com/security/notices/USN-5051-1",
 "https://ubuntu.com/security/notices/USN-5051-2",
 "https://ubuntu.com/security/notices/USN-5051-3",
 "https://ubuntu.com/security/notices/USN-5051-4 (regression only in trusty/esm)",
 "https://ubuntu.com/security/notices/USN-5088-1",
+ "https://www.cve.org/CVERecord?id=CVE-2021-3712",
 "https://www.debian.org/security/2021/dsa-4963",
 "https://www.openssl.org/news/secadv/20210824.txt",
+ "https://www.oracle.com/security-alerts/cpuapr2022.html",
+ "https://www.oracle.com/security-alerts/cpujan2022.html",
 "https://www.oracle.com/security-alerts/cpuoct2021.html",
- "https://www.tenable.com/security/tns-2021-16"
+ "https://www.tenable.com/security/tns-2021-16",
+ "https://www.tenable.com/security/tns-2022-02"
 ],
- "PublishedDate": "2021-08-24T15:15:00Z",
- "LastModifiedDate": "2021-10-22T08:15:00Z"
+ "PublishedDate": "2021-08-24T15:15:09.533Z",
+ "LastModifiedDate": "2024-06-21T19:15:20.433Z"
 },
 {
 "VulnerabilityID": "CVE-2020-1971",
- "PkgName": "libssl1.1",
+ "PkgID": "libcrypto1.1@1.1.1d-r3",
+ "PkgName": "libcrypto1.1",
+ "PkgIdentifier": {
+ "PURL": "pkg:apk/alpine/libcrypto1.1@1.1.1d-r3?arch=x86_64\u0026distro=3.11.5",
+ "UID": "d953e24c85316efe"
+ },
 "InstalledVersion": "1.1.1d-r3",
 "FixedVersion": "1.1.1i-r0",
+ "Status": "fixed",
 "Layer": {
 "Digest": "sha256:aad63a9339440e7c3e1fff2b988991b9bfb81280042fa7f39a5e327023056819",
 "DiffID": "sha256:beee9f30bc1f711043e78d4a2be0668955d4b761d587d6f60c2c8dc081efb203"
 },
 "SeveritySource": "nvd",
 "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2020-1971",
+ "DataSource": {
+ "ID": "alpine",
+ "Name": "Alpine Secdb",
+ "URL": "https://secdb.alpinelinux.org/"
+ },
 "Title": "openssl: EDIPARTYNAME NULL pointer de-reference",
 "Description": "The X.509 GeneralName type is a generic type for representing different types of names. One of those name types is known as EDIPartyName. OpenSSL provides a function GENERAL_NAME_cmp which compares different instances of a GENERAL_NAME to see if they are equal or not. This function behaves incorrectly when both GENERAL_NAMEs contain an EDIPARTYNAME. A NULL pointer dereference and a crash may occur leading to a possible denial of service attack. OpenSSL itself uses the GENERAL_NAME_cmp function for two purposes: 1) Comparing CRL distribution point names between an available CRL and a CRL distribution point embedded in an X509 certificate 2) When verifying that a timestamp response token signer matches the timestamp authority name (exposed via the API functions TS_RESP_verify_response and TS_RESP_verify_token) If an attacker can control both items being compared then that attacker could trigger a crash. For example if the attacker can trick a client or server into checking a malicious certificate against a malicious CRL then this may occur. Note that some applications automatically download CRLs based on a URL embedded in a certificate. This checking happens prior to the signatures on the certificate and CRL being verified. OpenSSL's s_server, s_client and verify tools have support for the \"-crl_download\" option which implements automatic CRL downloading and this attack has been demonstrated to work against those tools. Note that an unrelated bug means that affected versions of OpenSSL cannot parse or construct correct encodings of EDIPARTYNAME. However it is possible to construct a malformed EDIPARTYNAME that OpenSSL's parser will accept and hence trigger this attack. All OpenSSL 1.1.1 and 1.0.2 versions are affected by this issue. Other OpenSSL releases are out of support and have not been checked. Fixed in OpenSSL 1.1.1i (Affected 1.1.1-1.1.1h). Fixed in OpenSSL 1.0.2x (Affected 1.0.2-1.0.2w).",
 "Severity": "MEDIUM",
 "CweIDs": [
 "CWE-476"
 ],
+ "VendorSeverity": {
+ "amazon": 3,
+ "bitnami": 2,
+ "cbl-mariner": 2,
+ "nvd": 2,
+ "oracle-oval": 3,
+ "photon": 2,
+ "redhat": 3,
+ "ubuntu": 3
+ },
 "CVSS": {
+ "bitnami": {
+ "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
+ "V3Score": 5.9
+ },
 "nvd": {
 "V2Vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
 "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
@@ -1137,55 +1485,85 @@
 },
 "References": [
 "http://www.openwall.com/lists/oss-security/2021/09/14/2",
- "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1971",
- "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=2154ab83e14ede338d2ede9bbe5cdfce5d5a6c9e",
- "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=f960d81215ebf3f65e03d4d5d857fb9b666d6920",
+ "https://access.redhat.com/security/cve/CVE-2020-1971",
+ "https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf",
+ "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=2154ab83e14ede338d2ede9bbe5cdfce5d5a6c9e",
+ "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=f960d81215ebf3f65e03d4d5d857fb9b666d6920",
 "https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44676",
 "https://linux.oracle.com/cve/CVE-2020-1971.html",
 "https://linux.oracle.com/errata/ELSA-2021-9150.html",
- "https://lists.apache.org/thread.html/r63c6f2dd363d9b514d0a4bcf624580616a679898cc14c109a49b750c@%3Cdev.tomcat.apache.org%3E",
- "https://lists.apache.org/thread.html/rbb769f771711fb274e0a4acb1b5911c8aab544a6ac5e8c12d40c5143@%3Ccommits.pulsar.apache.org%3E",
+ "https://lists.apache.org/thread.html/r63c6f2dd363d9b514d0a4bcf624580616a679898cc14c109a49b750c%40%3Cdev.tomcat.apache.org%3E",
+ "https://lists.apache.org/thread.html/rbb769f771711fb274e0a4acb1b5911c8aab544a6ac5e8c12d40c5143%40%3Ccommits.pulsar.apache.org%3E",
 "https://lists.debian.org/debian-lts-announce/2020/12/msg00020.html",
 "https://lists.debian.org/debian-lts-announce/2020/12/msg00021.html",
- "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DGSI34Y5LQ5RYXN4M2I5ZQT65LFVDOUU/",
- "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PWPSSZNZOBJU2YR6Z4TGHXKYW3YP5QG7/",
+ "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DGSI34Y5LQ5RYXN4M2I5ZQT65LFVDOUU/",
+ "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PWPSSZNZOBJU2YR6Z4TGHXKYW3YP5QG7/",
+ "https://nvd.nist.gov/vuln/detail/CVE-2020-1971",
 "https://security.FreeBSD.org/advisories/FreeBSD-SA-20:33.openssl.asc",
 "https://security.gentoo.org/glsa/202012-13",
 "https://security.netapp.com/advisory/ntap-20201218-0005/",
 "https://security.netapp.com/advisory/ntap-20210513-0002/",
+ "https://security.netapp.com/advisory/ntap-20240621-0006/",
 "https://ubuntu.com/security/notices/USN-4662-1",
 "https://ubuntu.com/security/notices/USN-4745-1",
+ "https://www.cve.org/CVERecord?id=CVE-2020-1971",
 "https://www.debian.org/security/2020/dsa-4807",
 "https://www.openssl.org/news/secadv/20201208.txt",
 "https://www.oracle.com//security-alerts/cpujul2021.html",
 "https://www.oracle.com/security-alerts/cpuApr2021.html",
+ "https://www.oracle.com/security-alerts/cpuapr2022.html",
 "https://www.oracle.com/security-alerts/cpujan2021.html",
 "https://www.oracle.com/security-alerts/cpuoct2021.html",
 "https://www.tenable.com/security/tns-2020-11",
 "https://www.tenable.com/security/tns-2021-09",
 "https://www.tenable.com/security/tns-2021-10"
 ],
- "PublishedDate": "2020-12-08T16:15:00Z",
- "LastModifiedDate": "2021-10-20T11:15:00Z"
+ "PublishedDate": "2020-12-08T16:15:11.73Z",
+ "LastModifiedDate": "2024-06-21T19:15:16.17Z"
 },
 {
 "VulnerabilityID": "CVE-2021-23841",
- "PkgName": "libssl1.1",
+ "PkgID": "libcrypto1.1@1.1.1d-r3",
+ "PkgName": "libcrypto1.1",
+ "PkgIdentifier": {
+ "PURL": "pkg:apk/alpine/libcrypto1.1@1.1.1d-r3?arch=x86_64\u0026distro=3.11.5",
+ "UID": "d953e24c85316efe"
+ },
 "InstalledVersion": "1.1.1d-r3",
 "FixedVersion": "1.1.1j-r0",
+ "Status": "fixed",
 "Layer": {
 "Digest": "sha256:aad63a9339440e7c3e1fff2b988991b9bfb81280042fa7f39a5e327023056819",
 "DiffID": "sha256:beee9f30bc1f711043e78d4a2be0668955d4b761d587d6f60c2c8dc081efb203"
 },
 "SeveritySource": "nvd",
 "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2021-23841",
+ "DataSource": {
+ "ID": "alpine",
+ "Name": "Alpine Secdb",
+ "URL": "https://secdb.alpinelinux.org/"
+ },
 "Title": "openssl: NULL pointer dereference in X509_issuer_and_serial_hash()",
 "Description": "The OpenSSL public API function X509_issuer_and_serial_hash() attempts to create a unique hash value based on the issuer and serial number data contained within an X509 certificate. However it fails to correctly handle any errors that may occur while parsing the issuer field (which might occur if the issuer field is maliciously constructed). This may subsequently result in a NULL pointer deref and a crash leading to a potential denial of service attack. The function X509_issuer_and_serial_hash() is never directly called by OpenSSL itself so applications are only vulnerable if they use this function directly and they use it on certificates that may have been obtained from untrusted sources. OpenSSL versions 1.1.1i and below are affected by this issue. Users of these versions should upgrade to OpenSSL 1.1.1j. OpenSSL versions 1.0.2x and below are affected by this issue. However OpenSSL 1.0.2 is out of support and no longer receiving public updates. Premium support customers of OpenSSL 1.0.2 should upgrade to 1.0.2y. Other users should upgrade to 1.1.1j. Fixed in OpenSSL 1.1.1j (Affected 1.1.1-1.1.1i). Fixed in OpenSSL 1.0.2y (Affected 1.0.2-1.0.2x).",
 "Severity": "MEDIUM",
 "CweIDs": [
- "CWE-190"
+ "CWE-476"
 ],
+ "VendorSeverity": {
+ "alma": 2,
+ "amazon": 3,
+ "ghsa": 2,
+ "nvd": 2,
+ "oracle-oval": 2,
+ "photon": 2,
+ "redhat": 2,
+ "ubuntu": 2
+ },
 "CVSS": {
+ "ghsa": {
+ "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
+ "V3Score": 5.9
+ },
 "nvd": {
 "V2Vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
 "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
@@ -1201,56 +1579,99 @@ "http://seclists.org/fulldisclosure/2021/May/67", "http://seclists.org/fulldisclosure/2021/May/68", "http://seclists.org/fulldisclosure/2021/May/70", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23841", + "https://access.redhat.com/security/cve/CVE-2021-23841", + "https://cert-portal.siemens.com/productcert/pdf/ssa-637483.pdf", + "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=122a19ab48091c657f7cb1fb3af9fc07bd557bbf", + "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=8252ee4d90f3f2004d3d0aeeed003ad49c9a7807", "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=122a19ab48091c657f7cb1fb3af9fc07bd557bbf", + "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=6a51b9e1d0cf0bf8515f7201b68fb0a3482b3dc1", "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=8252ee4d90f3f2004d3d0aeeed003ad49c9a7807", + "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=9b1129239f3ebb1d1c98ce9ed41d5c9476c47cb2", + "https://github.com/alexcrichton/openssl-src-rs", "https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44846", "https://linux.oracle.com/cve/CVE-2021-23841.html", - "https://linux.oracle.com/errata/ELSA-2021-9528.html", + "https://linux.oracle.com/errata/ELSA-2021-9561.html", + "https://nvd.nist.gov/vuln/detail/CVE-2021-23841", + "https://rustsec.org/advisories/RUSTSEC-2021-0058", + "https://rustsec.org/advisories/RUSTSEC-2021-0058.html", "https://security.gentoo.org/glsa/202103-03", + "https://security.netapp.com/advisory/ntap-20210219-0009", "https://security.netapp.com/advisory/ntap-20210219-0009/", + "https://security.netapp.com/advisory/ntap-20210513-0002", "https://security.netapp.com/advisory/ntap-20210513-0002/", + "https://security.netapp.com/advisory/ntap-20240621-0006/", "https://support.apple.com/kb/HT212528", "https://support.apple.com/kb/HT212529", "https://support.apple.com/kb/HT212534", "https://ubuntu.com/security/notices/USN-4738-1", 
"https://ubuntu.com/security/notices/USN-4745-1", + "https://www.cve.org/CVERecord?id=CVE-2021-23841", "https://www.debian.org/security/2021/dsa-4855", "https://www.openssl.org/news/secadv/20210216.txt", "https://www.oracle.com//security-alerts/cpujul2021.html", "https://www.oracle.com/security-alerts/cpuApr2021.html", + "https://www.oracle.com/security-alerts/cpuapr2022.html", "https://www.oracle.com/security-alerts/cpuoct2021.html", "https://www.tenable.com/security/tns-2021-03", "https://www.tenable.com/security/tns-2021-09" ], - "PublishedDate": "2021-02-16T17:15:00Z", - "LastModifiedDate": "2021-10-20T11:16:00Z" + "PublishedDate": "2021-02-16T17:15:13.377Z", + "LastModifiedDate": "2024-06-21T19:15:17.377Z" }, { "VulnerabilityID": "CVE-2021-3449", - "PkgName": "libssl1.1", + "PkgID": "libcrypto1.1@1.1.1d-r3", + "PkgName": "libcrypto1.1", + "PkgIdentifier": { + "PURL": "pkg:apk/alpine/libcrypto1.1@1.1.1d-r3?arch=x86_64\u0026distro=3.11.5", + "UID": "d953e24c85316efe" + }, "InstalledVersion": "1.1.1d-r3", "FixedVersion": "1.1.1k-r0", + "Status": "fixed", "Layer": { "Digest": "sha256:aad63a9339440e7c3e1fff2b988991b9bfb81280042fa7f39a5e327023056819", "DiffID": "sha256:beee9f30bc1f711043e78d4a2be0668955d4b761d587d6f60c2c8dc081efb203" }, "SeveritySource": "nvd", "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2021-3449", + "DataSource": { + "ID": "alpine", + "Name": "Alpine Secdb", + "URL": "https://secdb.alpinelinux.org/" + }, "Title": "openssl: NULL pointer dereference in signature_algorithms processing", "Description": "An OpenSSL TLS server may crash if sent a maliciously crafted renegotiation ClientHello message from a client. If a TLSv1.2 renegotiation ClientHello omits the signature_algorithms extension (where it was present in the initial ClientHello), but includes a signature_algorithms_cert extension then a NULL pointer dereference will result, leading to a crash and a denial of service attack. 
A server is only vulnerable if it has TLSv1.2 and renegotiation enabled (which is the default configuration). OpenSSL TLS clients are not impacted by this issue. All OpenSSL 1.1.1 versions are affected by this issue. Users of these versions should upgrade to OpenSSL 1.1.1k. OpenSSL 1.0.2 is not impacted by this issue. Fixed in OpenSSL 1.1.1k (Affected 1.1.1-1.1.1j).", "Severity": "MEDIUM", "CweIDs": [ "CWE-476" ], + "VendorSeverity": { + "amazon": 3, + "bitnami": 2, + "ghsa": 2, + "nvd": 2, + "oracle-oval": 3, + "photon": 2, + "redhat": 3, + "ubuntu": 3 + }, "CVSS": { - "nvd": { - "V2Vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P", + "bitnami": { "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", - "V2Score": 4.3, "V3Score": 5.9 }, - "redhat": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 5.9 + }, + "nvd": { + "V2Vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P", + "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V2Score": 4.3, + "V3Score": 5.9 + }, + "redhat": { "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "V3Score": 5.9 } 
@@ -1260,53 +1681,84 @@ "http://www.openwall.com/lists/oss-security/2021/03/27/2", "http://www.openwall.com/lists/oss-security/2021/03/28/3", "http://www.openwall.com/lists/oss-security/2021/03/28/4", + "https://access.redhat.com/security/cve/CVE-2021-3449", + "https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf", "https://cert-portal.siemens.com/productcert/pdf/ssa-772220.pdf", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3449", + "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=fb9fa6b51defd48157eeb207f52181f735d96148", "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=fb9fa6b51defd48157eeb207f52181f735d96148", + "https://github.com/alexcrichton/openssl-src-rs", + "https://github.com/nodejs/node/pull/38083", "https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44845", "https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10356", "https://linux.oracle.com/cve/CVE-2021-3449.html", "https://linux.oracle.com/errata/ELSA-2021-9151.html", "https://lists.debian.org/debian-lts-announce/2021/08/msg00029.html", - "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CCBFLLVQVILIVGZMBJL3IXZGKWQISYNP/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CCBFLLVQVILIVGZMBJL3IXZGKWQISYNP/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CCBFLLVQVILIVGZMBJL3IXZGKWQISYNP", + "https://nvd.nist.gov/vuln/detail/CVE-2021-3449", "https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0013", + "https://rustsec.org/advisories/RUSTSEC-2021-0055", + "https://rustsec.org/advisories/RUSTSEC-2021-0055.html", "https://security.FreeBSD.org/advisories/FreeBSD-SA-21:07.openssl.asc", "https://security.gentoo.org/glsa/202103-03", + "https://security.netapp.com/advisory/ntap-20210326-0006", "https://security.netapp.com/advisory/ntap-20210326-0006/", + 
"https://security.netapp.com/advisory/ntap-20210513-0002", "https://security.netapp.com/advisory/ntap-20210513-0002/", + "https://security.netapp.com/advisory/ntap-20240621-0006/", "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-openssl-2021-GHY28dJd", "https://ubuntu.com/security/notices/USN-4891-1", "https://ubuntu.com/security/notices/USN-5038-1", + "https://www.cve.org/CVERecord?id=CVE-2021-3449", "https://www.debian.org/security/2021/dsa-4875", "https://www.openssl.org/news/secadv/20210325.txt", "https://www.oracle.com//security-alerts/cpujul2021.html", "https://www.oracle.com/security-alerts/cpuApr2021.html", + "https://www.oracle.com/security-alerts/cpuapr2022.html", + "https://www.oracle.com/security-alerts/cpujul2022.html", "https://www.oracle.com/security-alerts/cpuoct2021.html", "https://www.tenable.com/security/tns-2021-05", "https://www.tenable.com/security/tns-2021-06", "https://www.tenable.com/security/tns-2021-09", "https://www.tenable.com/security/tns-2021-10" ], - "PublishedDate": "2021-03-25T15:15:00Z", - "LastModifiedDate": "2021-10-20T11:17:00Z" + "PublishedDate": "2021-03-25T15:15:13.45Z", + "LastModifiedDate": "2024-06-21T19:15:19.71Z" }, { "VulnerabilityID": "CVE-2021-23839", - "PkgName": "libssl1.1", + "PkgID": "libcrypto1.1@1.1.1d-r3", + "PkgName": "libcrypto1.1", + "PkgIdentifier": { + "PURL": "pkg:apk/alpine/libcrypto1.1@1.1.1d-r3?arch=x86_64\u0026distro=3.11.5", + "UID": "d953e24c85316efe" + }, "InstalledVersion": "1.1.1d-r3", "FixedVersion": "1.1.1j-r0", + "Status": "fixed", "Layer": { "Digest": "sha256:aad63a9339440e7c3e1fff2b988991b9bfb81280042fa7f39a5e327023056819", "DiffID": "sha256:beee9f30bc1f711043e78d4a2be0668955d4b761d587d6f60c2c8dc081efb203" }, "SeveritySource": "nvd", "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2021-23839", + "DataSource": { + "ID": "alpine", + "Name": "Alpine Secdb", + "URL": "https://secdb.alpinelinux.org/" + }, "Title": "openssl: incorrect SSLv2 rollback protection", 
"Description": "OpenSSL 1.0.2 supports SSLv2. If a client attempts to negotiate SSLv2 with a server that is configured to support both SSLv2 and more recent SSL and TLS versions then a check is made for a version rollback attack when unpadding an RSA signature. Clients that support SSL or TLS versions greater than SSLv2 are supposed to use a special form of padding. A server that supports greater than SSLv2 is supposed to reject connection attempts from a client where this special form of padding is present, because this indicates that a version rollback has occurred (i.e. both client and server support greater than SSLv2, and yet this is the version that is being requested). The implementation of this padding check inverted the logic so that the connection attempt is accepted if the padding is present, and rejected if it is absent. This means that such as server will accept a connection if a version rollback attack has occurred. Further the server will erroneously reject a connection if a normal SSLv2 connection attempt is made. Only OpenSSL 1.0.2 servers from version 1.0.2s to 1.0.2x are affected by this issue. In order to be vulnerable a 1.0.2 server must: 1) have configured SSLv2 support at compile time (this is off by default), 2) have configured SSLv2 support at runtime (this is off by default), 3) have configured SSLv2 ciphersuites (these are not in the default ciphersuite list) OpenSSL 1.1.1 does not have SSLv2 support and therefore is not vulnerable to this issue. The underlying error is in the implementation of the RSA_padding_check_SSLv23() function. This also affects the RSA_SSLV23_PADDING padding mode used by various other functions. Although 1.1.1 does not support SSLv2 the RSA_padding_check_SSLv23() function still exists, as does the RSA_SSLV23_PADDING padding mode. Applications that directly call that function or use that padding mode will encounter this issue. 
However since there is no support for the SSLv2 protocol in 1.1.1 this is considered a bug and not a security issue in that version. OpenSSL 1.0.2 is out of support and no longer receiving public updates. Premium support customers of OpenSSL 1.0.2 should upgrade to 1.0.2y. Other users should upgrade to 1.1.1j. Fixed in OpenSSL 1.0.2y (Affected 1.0.2s-1.0.2x).", "Severity": "LOW", "CweIDs": [ - "CWE-326" + "CWE-327" ], + "VendorSeverity": { + "amazon": 2, + "nvd": 1, + "photon": 1, + "redhat": 1 + }, "CVSS": { "nvd": { "V2Vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N", 
@@ -1320,34 +1772,58 @@ } }, "References": [ - "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=30919ab80a478f2d81f2e9acdcca3fa4740cd547", + "https://access.redhat.com/security/cve/CVE-2021-23839", + "https://cert-portal.siemens.com/productcert/pdf/ssa-637483.pdf", + "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=30919ab80a478f2d81f2e9acdcca3fa4740cd547", "https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44846", + "https://nvd.nist.gov/vuln/detail/CVE-2021-23839", "https://security.netapp.com/advisory/ntap-20210219-0009/", + "https://security.netapp.com/advisory/ntap-20240621-0006/", + "https://www.cve.org/CVERecord?id=CVE-2021-23839", "https://www.openssl.org/news/secadv/20210216.txt", "https://www.oracle.com//security-alerts/cpujul2021.html", "https://www.oracle.com/security-alerts/cpuApr2021.html", + "https://www.oracle.com/security-alerts/cpuapr2022.html", "https://www.oracle.com/security-alerts/cpuoct2021.html" ], - "PublishedDate": "2021-02-16T17:15:00Z", - "LastModifiedDate": "2021-10-20T11:16:00Z" + "PublishedDate": "2021-02-16T17:15:13.19Z", + "LastModifiedDate": "2024-06-21T19:15:16.83Z" }, { "VulnerabilityID": "CVE-2019-15847", - "PkgName": "libstdc++", + "PkgID": "libgcc@9.2.0-r4", + "PkgName": "libgcc", + "PkgIdentifier": { + "PURL": "pkg:apk/alpine/libgcc@9.2.0-r4?arch=x86_64\u0026distro=3.11.5", + "UID": "1606c5670ef762a3" + }, "InstalledVersion": "9.2.0-r4", "FixedVersion": "9.3.0-r0", + "Status": "fixed", "Layer": { "Digest": "sha256:1e6875f31a79a89ba75198be98bcf8542ebf5bedc72e713643f8051c1de5f953", "DiffID": "sha256:b745c9620c42ed8b3d44112811e039e9e673072cef3bb5740bb1d560a40b1f8a" }, "SeveritySource": "nvd", "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-15847", + "DataSource": { + "ID": "alpine", + "Name": "Alpine Secdb", + "URL": "https://secdb.alpinelinux.org/" + }, "Title": "gcc: POWER9 \"DARN\" RNG intrinsic produces repeated output", "Description": "The POWER9 backend in GNU Compiler 
Collection (GCC) before version 10 could optimize multiple calls of the __builtin_darn intrinsic into a single call, thus reducing the entropy of the random number generator. This occurred because a volatile operation was not specified. For example, within a single execution of a program, the output of every __builtin_darn() call may be the same.", "Severity": "HIGH", "CweIDs": [ "CWE-331" ], + "VendorSeverity": { + "cbl-mariner": 3, + "nvd": 3, + "oracle-oval": 2, + "redhat": 2, + "ubuntu": 1 + }, "CVSS": { "nvd": { "V2Vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N", 
@@ -1364,159 +1840,257 @@ "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00056.html", "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00057.html", "http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00058.html", + "https://access.redhat.com/security/cve/CVE-2019-15847", "https://gcc.gnu.org/bugzilla/show_bug.cgi?id=91481", + "https://gcc.gnu.org/git/?p=gcc.git;a=commit;h=457dac402027dd7e14543fbd59a75858422cf6c6", + "https://gcc.gnu.org/git/?p=gcc.git;a=commit;h=e99bfdd2a8db732ea84cf0a6486707e5e821ad7e", "https://linux.oracle.com/cve/CVE-2019-15847.html", - "https://linux.oracle.com/errata/ELSA-2020-1864.html" + "https://linux.oracle.com/errata/ELSA-2020-1864.html", + "https://nvd.nist.gov/vuln/detail/CVE-2019-15847", + "https://www.cve.org/CVERecord?id=CVE-2019-15847" ], - "PublishedDate": "2019-09-02T23:15:00Z", - "LastModifiedDate": "2020-09-17T13:38:00Z" + "PublishedDate": "2019-09-02T23:15:10.837Z", + "LastModifiedDate": "2020-09-17T13:38:06.51Z" }, { - "VulnerabilityID": "CVE-2020-28928", - "PkgName": "musl", - "InstalledVersion": "1.1.24-r2", - "FixedVersion": "1.1.24-r3", + "VulnerabilityID": "CVE-2021-3711", + "PkgID": "libssl1.1@1.1.1d-r3", + "PkgName": "libssl1.1", + "PkgIdentifier": { + "PURL": "pkg:apk/alpine/libssl1.1@1.1.1d-r3?arch=x86_64\u0026distro=3.11.5", + "UID": "ef32f7c9566b9f8c" + }, + "InstalledVersion": "1.1.1d-r3", + "FixedVersion": "1.1.1l-r0", + "Status": "fixed", "Layer": { "Digest": "sha256:aad63a9339440e7c3e1fff2b988991b9bfb81280042fa7f39a5e327023056819", "DiffID": "sha256:beee9f30bc1f711043e78d4a2be0668955d4b761d587d6f60c2c8dc081efb203" }, "SeveritySource": "nvd", - "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2020-28928", - "Description": "In musl libc through 1.2.1, wcsnrtombs mishandles particular combinations of destination buffer size and source character limit, as demonstrated by an invalid write access (buffer overflow).", - "Severity": "MEDIUM", + "PrimaryURL": 
"https://avd.aquasec.com/nvd/cve-2021-3711", + "DataSource": { + "ID": "alpine", + "Name": "Alpine Secdb", + "URL": "https://secdb.alpinelinux.org/" + }, + "Title": "openssl: SM2 Decryption Buffer Overflow", + "Description": "In order to decrypt SM2 encrypted data an application is expected to call the API function EVP_PKEY_decrypt(). Typically an application will call this function twice. The first time, on entry, the \"out\" parameter can be NULL and, on exit, the \"outlen\" parameter is populated with the buffer size required to hold the decrypted plaintext. The application can then allocate a sufficiently sized buffer and call EVP_PKEY_decrypt() again, but this time passing a non-NULL value for the \"out\" parameter. A bug in the implementation of the SM2 decryption code means that the calculation of the buffer size required to hold the plaintext returned by the first call to EVP_PKEY_decrypt() can be smaller than the actual size required by the second call. This can lead to a buffer overflow when EVP_PKEY_decrypt() is called by the application a second time with a buffer that is too small. A malicious attacker who is able present SM2 content for decryption to an application could cause attacker chosen data to overflow the buffer by up to a maximum of 62 bytes altering the contents of other data held after the buffer, possibly changing application behaviour or causing the application to crash. The location of the buffer is application dependent but is typically heap allocated. 
Fixed in OpenSSL 1.1.1l (Affected 1.1.1-1.1.1k).", + "Severity": "CRITICAL", "CweIDs": [ - "CWE-787" + "CWE-120" ], + "VendorSeverity": { + "azure": 4, + "cbl-mariner": 4, + "ghsa": 4, + "nvd": 4, + "photon": 4, + "redhat": 3, + "ubuntu": 3 + }, "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "V3Score": 9.8 + }, "nvd": { - "V2Vector": "AV:L/AC:L/Au:N/C:N/I:N/A:P", - "V3Vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", - "V2Score": 2.1, - "V3Score": 5.5 + "V2Vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P", + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "V2Score": 7.5, + "V3Score": 9.8 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "V3Score": 9.8 } }, "References": [ - "http://www.openwall.com/lists/oss-security/2020/11/20/4", - "https://lists.apache.org/thread.html/r2134abfe847bea7795f0e53756d10a47e6643f35ab8169df8b8a9eb1@%3Cnotifications.apisix.apache.org%3E", - "https://lists.apache.org/thread.html/r90b60cf49348e515257b4950900c1bd3ab95a960cf2469d919c7264e@%3Cnotifications.apisix.apache.org%3E", - "https://lists.apache.org/thread.html/ra63e8dc5137d952afc55dbbfa63be83304ecf842d1eab1ff3ebb29e2@%3Cnotifications.apisix.apache.org%3E", - "https://lists.debian.org/debian-lts-announce/2020/11/msg00050.html", - "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LKQ3RVSMVZNZNO4D65W2CZZ4DMYFZN2Q/", - "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UW27QVY7ERPTSGKS4KAWE5TU7EJWHKVQ/", - "https://musl.libc.org/releases.html", - "https://www.oracle.com//security-alerts/cpujul2021.html", - "https://www.oracle.com/security-alerts/cpuoct2021.html" + "http://www.openwall.com/lists/oss-security/2021/08/26/2", + "https://access.redhat.com/security/cve/CVE-2021-3711", + "https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf", + 
"https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=59f5e75f3bced8fc0e130d72a3f582cf7b480b46", + "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=59f5e75f3bced8fc0e130d72a3f582cf7b480b46", + "https://lists.apache.org/thread.html/r18995de860f0e63635f3008fd2a6aca82394249476d21691e7c59c9e%40%3Cdev.tomcat.apache.org%3E", + "https://lists.apache.org/thread.html/r18995de860f0e63635f3008fd2a6aca82394249476d21691e7c59c9e@%3Cdev.tomcat.apache.org%3E", + "https://lists.apache.org/thread.html/rad5d9f83f0d11fb3f8bb148d179b8a9ad7c6a17f18d70e5805a713d1%40%3Cdev.tomcat.apache.org%3E", + "https://lists.apache.org/thread.html/rad5d9f83f0d11fb3f8bb148d179b8a9ad7c6a17f18d70e5805a713d1@%3Cdev.tomcat.apache.org%3E", + "https://nvd.nist.gov/vuln/detail/CVE-2021-3711", + "https://rustsec.org/advisories/RUSTSEC-2021-0097.html", + "https://security.gentoo.org/glsa/202209-02", + "https://security.gentoo.org/glsa/202210-02", + "https://security.netapp.com/advisory/ntap-20210827-0010", + "https://security.netapp.com/advisory/ntap-20210827-0010/", + "https://security.netapp.com/advisory/ntap-20211022-0003", + "https://security.netapp.com/advisory/ntap-20211022-0003/", + "https://security.netapp.com/advisory/ntap-20240621-0006", + "https://security.netapp.com/advisory/ntap-20240621-0006/", + "https://ubuntu.com/security/notices/USN-5051-1", + "https://www.cve.org/CVERecord?id=CVE-2021-3711", + "https://www.debian.org/security/2021/dsa-4963", + "https://www.openssl.org/news/secadv/20210824.txt", + "https://www.oracle.com/security-alerts/cpuapr2022.html", + "https://www.oracle.com/security-alerts/cpujan2022.html", + "https://www.oracle.com/security-alerts/cpuoct2021.html", + "https://www.tenable.com/security/tns-2021-16", + "https://www.tenable.com/security/tns-2022-02" ], - "PublishedDate": "2020-11-24T18:15:00Z", - "LastModifiedDate": "2021-10-20T11:15:00Z" + "PublishedDate": "2021-08-24T15:15:09.133Z", + "LastModifiedDate": "2024-06-21T19:15:20.213Z" }, { - 
"VulnerabilityID": "CVE-2020-28928", - "PkgName": "musl-utils", - "InstalledVersion": "1.1.24-r2", - "FixedVersion": "1.1.24-r3", + "VulnerabilityID": "CVE-2020-1967", + "PkgID": "libssl1.1@1.1.1d-r3", + "PkgName": "libssl1.1", + "PkgIdentifier": { + "PURL": "pkg:apk/alpine/libssl1.1@1.1.1d-r3?arch=x86_64\u0026distro=3.11.5", + "UID": "ef32f7c9566b9f8c" + }, + "InstalledVersion": "1.1.1d-r3", + "FixedVersion": "1.1.1g-r0", + "Status": "fixed", "Layer": { "Digest": "sha256:aad63a9339440e7c3e1fff2b988991b9bfb81280042fa7f39a5e327023056819", "DiffID": "sha256:beee9f30bc1f711043e78d4a2be0668955d4b761d587d6f60c2c8dc081efb203" }, "SeveritySource": "nvd", - "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2020-28928", - "Description": "In musl libc through 1.2.1, wcsnrtombs mishandles particular combinations of destination buffer size and source character limit, as demonstrated by an invalid write access (buffer overflow).", - "Severity": "MEDIUM", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2020-1967", + "DataSource": { + "ID": "alpine", + "Name": "Alpine Secdb", + "URL": "https://secdb.alpinelinux.org/" + }, + "Title": "openssl: Segmentation fault in SSL_check_chain causes denial of service", + "Description": "Server or client applications that call the SSL_check_chain() function during or after a TLS 1.3 handshake may crash due to a NULL pointer dereference as a result of incorrect handling of the \"signature_algorithms_cert\" TLS extension. The crash occurs if an invalid or unrecognised signature algorithm is received from the peer. This could be exploited by a malicious peer in a Denial of Service attack. OpenSSL version 1.1.1d, 1.1.1e, and 1.1.1f are affected by this issue. This issue did not affect OpenSSL versions prior to 1.1.1d. 
Fixed in OpenSSL 1.1.1g (Affected 1.1.1d-1.1.1f).", + "Severity": "HIGH", "CweIDs": [ - "CWE-787" + "CWE-476" ], + "VendorSeverity": { + "ghsa": 3, + "nvd": 3, + "photon": 3, + "redhat": 3, + "ubuntu": 3 + }, "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 7.5 + }, "nvd": { - "V2Vector": "AV:L/AC:L/Au:N/C:N/I:N/A:P", - "V3Vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", - "V2Score": 2.1, - "V3Score": 5.5 + "V2Vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P", + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V2Score": 5, + "V3Score": 7.5 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 7.5 } }, "References": [ - "http://www.openwall.com/lists/oss-security/2020/11/20/4", - "https://lists.apache.org/thread.html/r2134abfe847bea7795f0e53756d10a47e6643f35ab8169df8b8a9eb1@%3Cnotifications.apisix.apache.org%3E", - "https://lists.apache.org/thread.html/r90b60cf49348e515257b4950900c1bd3ab95a960cf2469d919c7264e@%3Cnotifications.apisix.apache.org%3E", - "https://lists.apache.org/thread.html/ra63e8dc5137d952afc55dbbfa63be83304ecf842d1eab1ff3ebb29e2@%3Cnotifications.apisix.apache.org%3E", - "https://lists.debian.org/debian-lts-announce/2020/11/msg00050.html", - "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LKQ3RVSMVZNZNO4D65W2CZZ4DMYFZN2Q/", - "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UW27QVY7ERPTSGKS4KAWE5TU7EJWHKVQ/", - "https://musl.libc.org/releases.html", + "http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00004.html", + "http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00011.html", + "http://packetstormsecurity.com/files/157527/OpenSSL-signature_algorithms_cert-Denial-Of-Service.html", + "http://seclists.org/fulldisclosure/2020/May/5", + "http://www.openwall.com/lists/oss-security/2020/04/22/2", + 
"https://access.redhat.com/security/cve/CVE-2020-1967", + "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=eb563247aef3e83dda7679c43f9649270462e5b1", + "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=eb563247aef3e83dda7679c43f9649270462e5b1", + "https://github.com/irsl/CVE-2020-1967", + "https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44440", + "https://lists.apache.org/thread.html/r66ea9c436da150683432db5fbc8beb8ae01886c6459ac30c2cea7345%40%3Cdev.tomcat.apache.org%3E", + "https://lists.apache.org/thread.html/r66ea9c436da150683432db5fbc8beb8ae01886c6459ac30c2cea7345@%3Cdev.tomcat.apache.org%3E", + "https://lists.apache.org/thread.html/r94d6ac3f010a38fccf4f432b12180a13fa1cf303559bd805648c9064%40%3Cdev.tomcat.apache.org%3E", + "https://lists.apache.org/thread.html/r94d6ac3f010a38fccf4f432b12180a13fa1cf303559bd805648c9064@%3Cdev.tomcat.apache.org%3E", + "https://lists.apache.org/thread.html/r9a41e304992ce6aec6585a87842b4f2e692604f5c892c37e3b0587ee%40%3Cdev.tomcat.apache.org%3E", + "https://lists.apache.org/thread.html/r9a41e304992ce6aec6585a87842b4f2e692604f5c892c37e3b0587ee@%3Cdev.tomcat.apache.org%3E", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DDHOAATPWJCXRNFMJ2SASDBBNU5RJONY/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EXDDAOWSAIEFQNBHWYE6PPYFV4QXGMCD/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XVEP3LAK4JSPRXFO4QF4GG2IVXADV3SO/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DDHOAATPWJCXRNFMJ2SASDBBNU5RJONY", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EXDDAOWSAIEFQNBHWYE6PPYFV4QXGMCD", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XVEP3LAK4JSPRXFO4QF4GG2IVXADV3SO", + 
"https://nvd.nist.gov/vuln/detail/CVE-2020-1967", + "https://rustsec.org/advisories/RUSTSEC-2020-0015.html", + "https://security.FreeBSD.org/advisories/FreeBSD-SA-20:11.openssl.asc", + "https://security.gentoo.org/glsa/202004-10", + "https://security.netapp.com/advisory/ntap-20200424-0003", + "https://security.netapp.com/advisory/ntap-20200424-0003/", + "https://security.netapp.com/advisory/ntap-20200717-0004", + "https://security.netapp.com/advisory/ntap-20200717-0004/", + "https://www.cve.org/CVERecord?id=CVE-2020-1967", + "https://www.debian.org/security/2020/dsa-4661", + "https://www.openssl.org/news/secadv/20200421.txt", "https://www.oracle.com//security-alerts/cpujul2021.html", - "https://www.oracle.com/security-alerts/cpuoct2021.html" + "https://www.oracle.com/security-alerts/cpuApr2021.html", + "https://www.oracle.com/security-alerts/cpujan2021.html", + "https://www.oracle.com/security-alerts/cpujul2020.html", + "https://www.oracle.com/security-alerts/cpuoct2020.html", + "https://www.oracle.com/security-alerts/cpuoct2021.html", + "https://www.synology.com/security/advisory/Synology_SA_20_05", + "https://www.synology.com/security/advisory/Synology_SA_20_05_OpenSSL", + "https://www.tenable.com/security/tns-2020-03", + "https://www.tenable.com/security/tns-2020-04", + "https://www.tenable.com/security/tns-2020-11", + "https://www.tenable.com/security/tns-2021-10" ], - "PublishedDate": "2020-11-24T18:15:00Z", - "LastModifiedDate": "2021-10-20T11:15:00Z" + "PublishedDate": "2020-04-21T14:15:11.287Z", + "LastModifiedDate": "2023-11-07T03:19:39.09Z" }, { - "VulnerabilityID": "CVE-2021-28831", - "PkgName": "ssl_client", - "InstalledVersion": "1.31.1-r9", - "FixedVersion": "1.31.1-r10", + "VulnerabilityID": "CVE-2021-23840", + "PkgID": "libssl1.1@1.1.1d-r3", + "PkgName": "libssl1.1", + "PkgIdentifier": { + "PURL": "pkg:apk/alpine/libssl1.1@1.1.1d-r3?arch=x86_64\u0026distro=3.11.5", + "UID": "ef32f7c9566b9f8c" + }, + "InstalledVersion": "1.1.1d-r3", + "FixedVersion": 
"1.1.1j-r0", + "Status": "fixed", "Layer": { "Digest": "sha256:aad63a9339440e7c3e1fff2b988991b9bfb81280042fa7f39a5e327023056819", "DiffID": "sha256:beee9f30bc1f711043e78d4a2be0668955d4b761d587d6f60c2c8dc081efb203" }, "SeveritySource": "nvd", - "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2021-28831", - "Title": "busybox: invalid free or segmentation fault via malformed gzip data", - "Description": "decompress_gunzip.c in BusyBox through 1.32.1 mishandles the error bit on the huft_build result pointer, with a resultant invalid free or segmentation fault, via malformed gzip data.", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2021-23840", + "DataSource": { + "ID": "alpine", + "Name": "Alpine Secdb", + "URL": "https://secdb.alpinelinux.org/" + }, + "Title": "openssl: integer overflow in CipherUpdate", + "Description": "Calls to EVP_CipherUpdate, EVP_EncryptUpdate and EVP_DecryptUpdate may overflow the output length argument in some cases where the input length is close to the maximum permissable length for an integer on the platform. In such cases the return value from the function call will be 1 (indicating success), but the output length value will be negative. This could cause applications to behave incorrectly or crash. OpenSSL versions 1.1.1i and below are affected by this issue. Users of these versions should upgrade to OpenSSL 1.1.1j. OpenSSL versions 1.0.2x and below are affected by this issue. However OpenSSL 1.0.2 is out of support and no longer receiving public updates. Premium support customers of OpenSSL 1.0.2 should upgrade to 1.0.2y. Other users should upgrade to 1.1.1j. Fixed in OpenSSL 1.1.1j (Affected 1.1.1-1.1.1i). 
Fixed in OpenSSL 1.0.2y (Affected 1.0.2-1.0.2x).", "Severity": "HIGH", "CweIDs": [ - "CWE-755" + "CWE-190" ], + "VendorSeverity": { + "alma": 2, + "amazon": 3, + "bitnami": 3, + "ghsa": 3, + "nvd": 3, + "oracle-oval": 2, + "photon": 3, + "redhat": 2, + "ubuntu": 1 + }, "CVSS": { - "nvd": { - "V2Vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P", + "bitnami": { "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", - "V2Score": 5, "V3Score": 7.5 }, - "redhat": { + "ghsa": { "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "V3Score": 7.5 - } - }, - "References": [ - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28831", - "https://git.busybox.net/busybox/commit/?id=f25d254dfd4243698c31a4f3153d4ac72aa9e9bd", - "https://lists.debian.org/debian-lts-announce/2021/04/msg00001.html", - "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3UDQGJRECXFS5EZVDH2OI45FMO436AC4/", - "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Z7ZIFKPRR32ZYA3WAA2NXFA3QHHOU6FJ/", - "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZASBW7QRRLY5V2R44MQ4QQM4CZIDHM2U/", - "https://security.gentoo.org/glsa/202105-09" - ], - "PublishedDate": "2021-03-19T05:15:00Z", - "LastModifiedDate": "2021-05-26T10:15:00Z" - } - ] - }, - { - "Target": "Node.js", - "Class": "lang-pkgs", - "Type": "node-pkg", - "Vulnerabilities": [ - { - "VulnerabilityID": "CVE-2021-3807", - "PkgName": "ansi-regex", - "PkgPath": "usr/local/lib/node_modules/npm/node_modules/cliui/node_modules/ansi-regex/package.json", - "InstalledVersion": "3.0.0", - "FixedVersion": "5.0.1, 6.0.1", - "Layer": { - "Digest": "sha256:1e6875f31a79a89ba75198be98bcf8542ebf5bedc72e713643f8051c1de5f953", - "DiffID": "sha256:b745c9620c42ed8b3d44112811e039e9e673072cef3bb5740bb1d560a40b1f8a" - }, - "SeveritySource": "nvd", - "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2021-3807", - "Title": "nodejs-ansi-regex: 
Regular expression denial of service (ReDoS) matching ANSI escape codes", - "Description": "ansi-regex is vulnerable to Inefficient Regular Expression Complexity", - "Severity": "HIGH", - "CVSS": { + }, "nvd": { - "V2Vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C", + "V2Vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", - "V2Score": 7.8, + "V2Score": 5, "V3Score": 7.5 }, "redhat": { 
@@ -1525,1379 +2099,11029 @@ } }, "References": [ - "https://github.com/advisories/GHSA-93q8-gq69-wqmw", - "https://github.com/chalk/ansi-regex/commit/8d1d7cdb586269882c4bdc1b7325d0c58c8f76f9", - "https://huntr.dev/bounties/5b3cf33b-ede0-4398-9974-800876dfd994", - "https://nvd.nist.gov/vuln/detail/CVE-2021-3807" + "https://access.redhat.com/security/cve/CVE-2021-23840", + "https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf", + "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=6a51b9e1d0cf0bf8515f7201b68fb0a3482b3dc1", + "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=9b1129239f3ebb1d1c98ce9ed41d5c9476c47cb2", + "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=6a51b9e1d0cf0bf8515f7201b68fb0a3482b3dc1", + "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=9b1129239f3ebb1d1c98ce9ed41d5c9476c47cb2", + "https://github.com/alexcrichton/openssl-src-rs", + "https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44846", + "https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10366", + "https://linux.oracle.com/cve/CVE-2021-23840.html", + "https://linux.oracle.com/errata/ELSA-2021-9561.html", + "https://lists.apache.org/thread.html/r58af02e294bd07f487e2c64ffc0a29b837db5600e33b6e698b9d696b%40%3Cissues.bookkeeper.apache.org%3E", + "https://lists.apache.org/thread.html/r58af02e294bd07f487e2c64ffc0a29b837db5600e33b6e698b9d696b@%3Cissues.bookkeeper.apache.org%3E", + "https://lists.apache.org/thread.html/rf4c02775860db415b4955778a131c2795223f61cb8c6a450893651e4%40%3Cissues.bookkeeper.apache.org%3E", + "https://lists.apache.org/thread.html/rf4c02775860db415b4955778a131c2795223f61cb8c6a450893651e4@%3Cissues.bookkeeper.apache.org%3E", + "https://nvd.nist.gov/vuln/detail/CVE-2021-23840", + "https://rustsec.org/advisories/RUSTSEC-2021-0057.html", + "https://security.gentoo.org/glsa/202103-03", + "https://security.netapp.com/advisory/ntap-20210219-0009", + 
"https://security.netapp.com/advisory/ntap-20210219-0009/", + "https://security.netapp.com/advisory/ntap-20240621-0006/", + "https://ubuntu.com/security/notices/USN-4738-1", + "https://ubuntu.com/security/notices/USN-5088-1", + "https://ubuntu.com/security/notices/USN-7018-1", + "https://www.cve.org/CVERecord?id=CVE-2021-23840", + "https://www.debian.org/security/2021/dsa-4855", + "https://www.openssl.org/news/secadv/20210216.txt", + "https://www.oracle.com//security-alerts/cpujul2021.html", + "https://www.oracle.com/security-alerts/cpuApr2021.html", + "https://www.oracle.com/security-alerts/cpuapr2022.html", + "https://www.oracle.com/security-alerts/cpujan2022.html", + "https://www.oracle.com/security-alerts/cpuoct2021.html", + "https://www.tenable.com/security/tns-2021-03", + "https://www.tenable.com/security/tns-2021-09", + "https://www.tenable.com/security/tns-2021-10" ], - "PublishedDate": "2021-09-17T07:15:00Z", - "LastModifiedDate": "2021-10-19T13:11:00Z" + "PublishedDate": "2021-02-16T17:15:13.3Z", + "LastModifiedDate": "2024-06-21T19:15:17.007Z" }, { - "VulnerabilityID": "CVE-2021-3807", - "PkgName": "ansi-regex", - "PkgPath": "juice-shop/node_modules/ansi-regex/package.json", - "InstalledVersion": "4.1.0", - "FixedVersion": "5.0.1, 6.0.1", + "VulnerabilityID": "CVE-2021-3450", + "PkgID": "libssl1.1@1.1.1d-r3", + "PkgName": "libssl1.1", + "PkgIdentifier": { + "PURL": "pkg:apk/alpine/libssl1.1@1.1.1d-r3?arch=x86_64\u0026distro=3.11.5", + "UID": "ef32f7c9566b9f8c" + }, + "InstalledVersion": "1.1.1d-r3", + "FixedVersion": "1.1.1k-r0", + "Status": "fixed", "Layer": { - "Digest": "sha256:372ee704575ced2099853693fdb4f8770cd71b4bfcc2bf639c8e9f9d481ede37", - "DiffID": "sha256:6de27bb627f066285f0628172e686caf3e388a3bf266606c88d619d87d14aae3" + "Digest": "sha256:aad63a9339440e7c3e1fff2b988991b9bfb81280042fa7f39a5e327023056819", + "DiffID": "sha256:beee9f30bc1f711043e78d4a2be0668955d4b761d587d6f60c2c8dc081efb203" }, "SeveritySource": "nvd", - "PrimaryURL": 
"https://avd.aquasec.com/nvd/cve-2021-3807", - "Title": "nodejs-ansi-regex: Regular expression denial of service (ReDoS) matching ANSI escape codes", - "Description": "ansi-regex is vulnerable to Inefficient Regular Expression Complexity", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2021-3450", + "DataSource": { + "ID": "alpine", + "Name": "Alpine Secdb", + "URL": "https://secdb.alpinelinux.org/" + }, + "Title": "openssl: CA certificate check bypass with X509_V_FLAG_X509_STRICT", + "Description": "The X509_V_FLAG_X509_STRICT flag enables additional security checks of the certificates present in a certificate chain. It is not set by default. Starting from OpenSSL version 1.1.1h a check to disallow certificates in the chain that have explicitly encoded elliptic curve parameters was added as an additional strict check. An error in the implementation of this check meant that the result of a previous check to confirm that certificates in the chain are valid CA certificates was overwritten. This effectively bypasses the check that non-CA certificates must not be able to issue other certificates. If a \"purpose\" has been configured then there is a subsequent opportunity for checks that the certificate is a valid CA. All of the named \"purpose\" values implemented in libcrypto perform this check. Therefore, where a purpose is set the certificate chain will still be rejected even when the strict flag has been used. A purpose is set by default in libssl client and server certificate verification routines, but it can be overridden or removed by an application. In order to be affected, an application must explicitly set the X509_V_FLAG_X509_STRICT verification flag and either not set a purpose for the certificate verification or, in the case of TLS client or server applications, override the default purpose. OpenSSL versions 1.1.1h and newer are affected by this issue. Users of these versions should upgrade to OpenSSL 1.1.1k. OpenSSL 1.0.2 is not impacted by this issue. 
Fixed in OpenSSL 1.1.1k (Affected 1.1.1h-1.1.1j).", "Severity": "HIGH", + "CweIDs": [ + "CWE-295" + ], + "VendorSeverity": { + "amazon": 3, + "bitnami": 3, + "ghsa": 3, + "nvd": 3, + "oracle-oval": 3, + "photon": 3, + "redhat": 3 + }, "CVSS": { + "bitnami": { + "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N", + "V3Score": 7.4 + }, + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N", + "V3Score": 7.4 + }, "nvd": { - "V2Vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C", - "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", - "V2Score": 7.8, - "V3Score": 7.5 + "V2Vector": "AV:N/AC:M/Au:N/C:P/I:P/A:N", + "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N", + "V2Score": 5.8, + "V3Score": 7.4 }, "redhat": { - "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", - "V3Score": 7.5 + "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N", + "V3Score": 7.4 + } + }, + "References": [ + "http://www.openwall.com/lists/oss-security/2021/03/27/1", + "http://www.openwall.com/lists/oss-security/2021/03/27/2", + "http://www.openwall.com/lists/oss-security/2021/03/28/3", + "http://www.openwall.com/lists/oss-security/2021/03/28/4", + "https://access.redhat.com/security/cve/CVE-2021-3450", + "https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf", + "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=2a40b7bc7b94dd7de897a74571e7024f0cf0d63b", + "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=2a40b7bc7b94dd7de897a74571e7024f0cf0d63b", + "https://github.com/alexcrichton/openssl-src-rs", + "https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44845", + "https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10356", + "https://linux.oracle.com/cve/CVE-2021-3450.html", + "https://linux.oracle.com/errata/ELSA-2021-9151.html", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CCBFLLVQVILIVGZMBJL3IXZGKWQISYNP/", + 
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CCBFLLVQVILIVGZMBJL3IXZGKWQISYNP", + "https://mta.openssl.org/pipermail/openssl-announce/2021-March/000198.html", + "https://nvd.nist.gov/vuln/detail/CVE-2021-3450", + "https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0013", + "https://rustsec.org/advisories/RUSTSEC-2021-0056.html", + "https://security.FreeBSD.org/advisories/FreeBSD-SA-21:07.openssl.asc", + "https://security.gentoo.org/glsa/202103-03", + "https://security.netapp.com/advisory/ntap-20210326-0006", + "https://security.netapp.com/advisory/ntap-20210326-0006/", + "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-openssl-2021-GHY28dJd", + "https://www.cve.org/CVERecord?id=CVE-2021-3450", + "https://www.openssl.org/news/secadv/20210325.txt", + "https://www.oracle.com//security-alerts/cpujul2021.html", + "https://www.oracle.com/security-alerts/cpuApr2021.html", + "https://www.oracle.com/security-alerts/cpuapr2022.html", + "https://www.oracle.com/security-alerts/cpujul2022.html", + "https://www.oracle.com/security-alerts/cpuoct2021.html", + "https://www.tenable.com/security/tns-2021-05", + "https://www.tenable.com/security/tns-2021-08", + "https://www.tenable.com/security/tns-2021-09" + ], + "PublishedDate": "2021-03-25T15:15:13.56Z", + "LastModifiedDate": "2023-11-07T03:38:00.923Z" + }, + { + "VulnerabilityID": "CVE-2021-3712", + "PkgID": "libssl1.1@1.1.1d-r3", + "PkgName": "libssl1.1", + "PkgIdentifier": { + "PURL": "pkg:apk/alpine/libssl1.1@1.1.1d-r3?arch=x86_64\u0026distro=3.11.5", + "UID": "ef32f7c9566b9f8c" + }, + "InstalledVersion": "1.1.1d-r3", + "FixedVersion": "1.1.1l-r0", + "Status": "fixed", + "Layer": { + "Digest": "sha256:aad63a9339440e7c3e1fff2b988991b9bfb81280042fa7f39a5e327023056819", + "DiffID": "sha256:beee9f30bc1f711043e78d4a2be0668955d4b761d587d6f60c2c8dc081efb203" + }, + "SeveritySource": "nvd", + "PrimaryURL": 
"https://avd.aquasec.com/nvd/cve-2021-3712", + "DataSource": { + "ID": "alpine", + "Name": "Alpine Secdb", + "URL": "https://secdb.alpinelinux.org/" + }, + "Title": "openssl: Read buffer overruns processing ASN.1 strings", + "Description": "ASN.1 strings are represented internally within OpenSSL as an ASN1_STRING structure which contains a buffer holding the string data and a field holding the buffer length. This contrasts with normal C strings which are repesented as a buffer for the string data which is terminated with a NUL (0) byte. Although not a strict requirement, ASN.1 strings that are parsed using OpenSSL's own \"d2i\" functions (and other similar parsing functions) as well as any string whose value has been set with the ASN1_STRING_set() function will additionally NUL terminate the byte array in the ASN1_STRING structure. However, it is possible for applications to directly construct valid ASN1_STRING structures which do not NUL terminate the byte array by directly setting the \"data\" and \"length\" fields in the ASN1_STRING array. This can also happen by using the ASN1_STRING_set0() function. Numerous OpenSSL functions that print ASN.1 data have been found to assume that the ASN1_STRING byte array will be NUL terminated, even though this is not guaranteed for strings that have been directly constructed. Where an application requests an ASN.1 structure to be printed, and where that ASN.1 structure contains ASN1_STRINGs that have been directly constructed by the application without NUL terminating the \"data\" field, then a read buffer overrun can occur. The same thing can also occur during name constraints processing of certificates (for example if a certificate has been directly constructed by the application instead of loading it via the OpenSSL parsing functions, and the certificate contains non NUL terminated ASN1_STRING structures). It can also occur in the X509_get1_email(), X509_REQ_get1_email() and X509_get1_ocsp() functions. 
If a malicious actor can cause an application to directly construct an ASN1_STRING and then process it through one of the affected OpenSSL functions then this issue could be hit. This might result in a crash (causing a Denial of Service attack). It could also result in the disclosure of private memory contents (such as private keys, or sensitive plaintext). Fixed in OpenSSL 1.1.1l (Affected 1.1.1-1.1.1k). Fixed in OpenSSL 1.0.2za (Affected 1.0.2-1.0.2y).", + "Severity": "HIGH", + "CweIDs": [ + "CWE-125" + ], + "VendorSeverity": { + "amazon": 3, + "azure": 3, + "cbl-mariner": 3, + "ghsa": 3, + "nvd": 3, + "oracle-oval": 2, + "photon": 3, + "redhat": 2, + "rocky": 2, + "ubuntu": 2 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:H", + "V3Score": 7.4 + }, + "nvd": { + "V2Vector": "AV:N/AC:M/Au:N/C:P/I:N/A:P", + "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:H", + "V2Score": 5.8, + "V3Score": 7.4 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:H", + "V3Score": 7.4 + } + }, + "References": [ + "http://www.openwall.com/lists/oss-security/2021/08/26/2", + "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-3712.json", + "https://access.redhat.com/security/cve/CVE-2021-3712", + "https://cert-portal.siemens.com/productcert/pdf/ssa-244969.pdf", + "https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf", + "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=94d23fcff9b2a7a8368dfe52214d5c2569882c11", + "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=ccb0a11145ee72b042d10593a64eaf9e8a55ec12", + "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=94d23fcff9b2a7a8368dfe52214d5c2569882c11", + "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=ccb0a11145ee72b042d10593a64eaf9e8a55ec12", + "https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10366", + "https://linux.oracle.com/cve/CVE-2021-3712.html", + 
"https://linux.oracle.com/errata/ELSA-2022-9023.html", + "https://lists.apache.org/thread.html/r18995de860f0e63635f3008fd2a6aca82394249476d21691e7c59c9e%40%3Cdev.tomcat.apache.org%3E", + "https://lists.apache.org/thread.html/r18995de860f0e63635f3008fd2a6aca82394249476d21691e7c59c9e@%3Cdev.tomcat.apache.org%3E", + "https://lists.apache.org/thread.html/rad5d9f83f0d11fb3f8bb148d179b8a9ad7c6a17f18d70e5805a713d1%40%3Cdev.tomcat.apache.org%3E", + "https://lists.apache.org/thread.html/rad5d9f83f0d11fb3f8bb148d179b8a9ad7c6a17f18d70e5805a713d1@%3Cdev.tomcat.apache.org%3E", + "https://lists.debian.org/debian-lts-announce/2021/09/msg00014.html", + "https://lists.debian.org/debian-lts-announce/2021/09/msg00021.html", + "https://nvd.nist.gov/vuln/detail/CVE-2021-3712", + "https://rustsec.org/advisories/RUSTSEC-2021-0098.html", + "https://security.gentoo.org/glsa/202209-02", + "https://security.gentoo.org/glsa/202210-02", + "https://security.netapp.com/advisory/ntap-20210827-0010", + "https://security.netapp.com/advisory/ntap-20210827-0010/", + "https://security.netapp.com/advisory/ntap-20240621-0006", + "https://security.netapp.com/advisory/ntap-20240621-0006/", + "https://ubuntu.com/security/notices/USN-5051-1", + "https://ubuntu.com/security/notices/USN-5051-2", + "https://ubuntu.com/security/notices/USN-5051-3", + "https://ubuntu.com/security/notices/USN-5051-4 (regression only in trusty/esm)", + "https://ubuntu.com/security/notices/USN-5088-1", + "https://www.cve.org/CVERecord?id=CVE-2021-3712", + "https://www.debian.org/security/2021/dsa-4963", + "https://www.openssl.org/news/secadv/20210824.txt", + "https://www.oracle.com/security-alerts/cpuapr2022.html", + "https://www.oracle.com/security-alerts/cpujan2022.html", + "https://www.oracle.com/security-alerts/cpuoct2021.html", + "https://www.tenable.com/security/tns-2021-16", + "https://www.tenable.com/security/tns-2022-02" + ], + "PublishedDate": "2021-08-24T15:15:09.533Z", + "LastModifiedDate": "2024-06-21T19:15:20.433Z" + 
}, + { + "VulnerabilityID": "CVE-2020-1971", + "PkgID": "libssl1.1@1.1.1d-r3", + "PkgName": "libssl1.1", + "PkgIdentifier": { + "PURL": "pkg:apk/alpine/libssl1.1@1.1.1d-r3?arch=x86_64\u0026distro=3.11.5", + "UID": "ef32f7c9566b9f8c" + }, + "InstalledVersion": "1.1.1d-r3", + "FixedVersion": "1.1.1i-r0", + "Status": "fixed", + "Layer": { + "Digest": "sha256:aad63a9339440e7c3e1fff2b988991b9bfb81280042fa7f39a5e327023056819", + "DiffID": "sha256:beee9f30bc1f711043e78d4a2be0668955d4b761d587d6f60c2c8dc081efb203" + }, + "SeveritySource": "nvd", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2020-1971", + "DataSource": { + "ID": "alpine", + "Name": "Alpine Secdb", + "URL": "https://secdb.alpinelinux.org/" + }, + "Title": "openssl: EDIPARTYNAME NULL pointer de-reference", + "Description": "The X.509 GeneralName type is a generic type for representing different types of names. One of those name types is known as EDIPartyName. OpenSSL provides a function GENERAL_NAME_cmp which compares different instances of a GENERAL_NAME to see if they are equal or not. This function behaves incorrectly when both GENERAL_NAMEs contain an EDIPARTYNAME. A NULL pointer dereference and a crash may occur leading to a possible denial of service attack. OpenSSL itself uses the GENERAL_NAME_cmp function for two purposes: 1) Comparing CRL distribution point names between an available CRL and a CRL distribution point embedded in an X509 certificate 2) When verifying that a timestamp response token signer matches the timestamp authority name (exposed via the API functions TS_RESP_verify_response and TS_RESP_verify_token) If an attacker can control both items being compared then that attacker could trigger a crash. For example if the attacker can trick a client or server into checking a malicious certificate against a malicious CRL then this may occur. Note that some applications automatically download CRLs based on a URL embedded in a certificate. 
This checking happens prior to the signatures on the certificate and CRL being verified. OpenSSL's s_server, s_client and verify tools have support for the \"-crl_download\" option which implements automatic CRL downloading and this attack has been demonstrated to work against those tools. Note that an unrelated bug means that affected versions of OpenSSL cannot parse or construct correct encodings of EDIPARTYNAME. However it is possible to construct a malformed EDIPARTYNAME that OpenSSL's parser will accept and hence trigger this attack. All OpenSSL 1.1.1 and 1.0.2 versions are affected by this issue. Other OpenSSL releases are out of support and have not been checked. Fixed in OpenSSL 1.1.1i (Affected 1.1.1-1.1.1h). Fixed in OpenSSL 1.0.2x (Affected 1.0.2-1.0.2w).", + "Severity": "MEDIUM", + "CweIDs": [ + "CWE-476" + ], + "VendorSeverity": { + "amazon": 3, + "bitnami": 2, + "cbl-mariner": 2, + "nvd": 2, + "oracle-oval": 3, + "photon": 2, + "redhat": 3, + "ubuntu": 3 + }, + "CVSS": { + "bitnami": { + "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 5.9 + }, + "nvd": { + "V2Vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P", + "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V2Score": 4.3, + "V3Score": 5.9 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 5.9 + } + }, + "References": [ + "http://www.openwall.com/lists/oss-security/2021/09/14/2", + "https://access.redhat.com/security/cve/CVE-2020-1971", + "https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf", + "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=2154ab83e14ede338d2ede9bbe5cdfce5d5a6c9e", + "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=f960d81215ebf3f65e03d4d5d857fb9b666d6920", + "https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44676", + "https://linux.oracle.com/cve/CVE-2020-1971.html", + "https://linux.oracle.com/errata/ELSA-2021-9150.html", + 
"https://lists.apache.org/thread.html/r63c6f2dd363d9b514d0a4bcf624580616a679898cc14c109a49b750c%40%3Cdev.tomcat.apache.org%3E", + "https://lists.apache.org/thread.html/rbb769f771711fb274e0a4acb1b5911c8aab544a6ac5e8c12d40c5143%40%3Ccommits.pulsar.apache.org%3E", + "https://lists.debian.org/debian-lts-announce/2020/12/msg00020.html", + "https://lists.debian.org/debian-lts-announce/2020/12/msg00021.html", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DGSI34Y5LQ5RYXN4M2I5ZQT65LFVDOUU/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PWPSSZNZOBJU2YR6Z4TGHXKYW3YP5QG7/", + "https://nvd.nist.gov/vuln/detail/CVE-2020-1971", + "https://security.FreeBSD.org/advisories/FreeBSD-SA-20:33.openssl.asc", + "https://security.gentoo.org/glsa/202012-13", + "https://security.netapp.com/advisory/ntap-20201218-0005/", + "https://security.netapp.com/advisory/ntap-20210513-0002/", + "https://security.netapp.com/advisory/ntap-20240621-0006/", + "https://ubuntu.com/security/notices/USN-4662-1", + "https://ubuntu.com/security/notices/USN-4745-1", + "https://www.cve.org/CVERecord?id=CVE-2020-1971", + "https://www.debian.org/security/2020/dsa-4807", + "https://www.openssl.org/news/secadv/20201208.txt", + "https://www.oracle.com//security-alerts/cpujul2021.html", + "https://www.oracle.com/security-alerts/cpuApr2021.html", + "https://www.oracle.com/security-alerts/cpuapr2022.html", + "https://www.oracle.com/security-alerts/cpujan2021.html", + "https://www.oracle.com/security-alerts/cpuoct2021.html", + "https://www.tenable.com/security/tns-2020-11", + "https://www.tenable.com/security/tns-2021-09", + "https://www.tenable.com/security/tns-2021-10" + ], + "PublishedDate": "2020-12-08T16:15:11.73Z", + "LastModifiedDate": "2024-06-21T19:15:16.17Z" + }, + { + "VulnerabilityID": "CVE-2021-23841", + "PkgID": "libssl1.1@1.1.1d-r3", + "PkgName": "libssl1.1", + "PkgIdentifier": { + "PURL": 
"pkg:apk/alpine/libssl1.1@1.1.1d-r3?arch=x86_64\u0026distro=3.11.5", + "UID": "ef32f7c9566b9f8c" + }, + "InstalledVersion": "1.1.1d-r3", + "FixedVersion": "1.1.1j-r0", + "Status": "fixed", + "Layer": { + "Digest": "sha256:aad63a9339440e7c3e1fff2b988991b9bfb81280042fa7f39a5e327023056819", + "DiffID": "sha256:beee9f30bc1f711043e78d4a2be0668955d4b761d587d6f60c2c8dc081efb203" + }, + "SeveritySource": "nvd", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2021-23841", + "DataSource": { + "ID": "alpine", + "Name": "Alpine Secdb", + "URL": "https://secdb.alpinelinux.org/" + }, + "Title": "openssl: NULL pointer dereference in X509_issuer_and_serial_hash()", + "Description": "The OpenSSL public API function X509_issuer_and_serial_hash() attempts to create a unique hash value based on the issuer and serial number data contained within an X509 certificate. However it fails to correctly handle any errors that may occur while parsing the issuer field (which might occur if the issuer field is maliciously constructed). This may subsequently result in a NULL pointer deref and a crash leading to a potential denial of service attack. The function X509_issuer_and_serial_hash() is never directly called by OpenSSL itself so applications are only vulnerable if they use this function directly and they use it on certificates that may have been obtained from untrusted sources. OpenSSL versions 1.1.1i and below are affected by this issue. Users of these versions should upgrade to OpenSSL 1.1.1j. OpenSSL versions 1.0.2x and below are affected by this issue. However OpenSSL 1.0.2 is out of support and no longer receiving public updates. Premium support customers of OpenSSL 1.0.2 should upgrade to 1.0.2y. Other users should upgrade to 1.1.1j. Fixed in OpenSSL 1.1.1j (Affected 1.1.1-1.1.1i). 
Fixed in OpenSSL 1.0.2y (Affected 1.0.2-1.0.2x).", + "Severity": "MEDIUM", + "CweIDs": [ + "CWE-476" + ], + "VendorSeverity": { + "alma": 2, + "amazon": 3, + "ghsa": 2, + "nvd": 2, + "oracle-oval": 2, + "photon": 2, + "redhat": 2, + "ubuntu": 2 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 5.9 + }, + "nvd": { + "V2Vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P", + "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V2Score": 4.3, + "V3Score": 5.9 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 5.9 + } + }, + "References": [ + "http://seclists.org/fulldisclosure/2021/May/67", + "http://seclists.org/fulldisclosure/2021/May/68", + "http://seclists.org/fulldisclosure/2021/May/70", + "https://access.redhat.com/security/cve/CVE-2021-23841", + "https://cert-portal.siemens.com/productcert/pdf/ssa-637483.pdf", + "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=122a19ab48091c657f7cb1fb3af9fc07bd557bbf", + "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=8252ee4d90f3f2004d3d0aeeed003ad49c9a7807", + "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=122a19ab48091c657f7cb1fb3af9fc07bd557bbf", + "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=6a51b9e1d0cf0bf8515f7201b68fb0a3482b3dc1", + "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=8252ee4d90f3f2004d3d0aeeed003ad49c9a7807", + "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=9b1129239f3ebb1d1c98ce9ed41d5c9476c47cb2", + "https://github.com/alexcrichton/openssl-src-rs", + "https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44846", + "https://linux.oracle.com/cve/CVE-2021-23841.html", + "https://linux.oracle.com/errata/ELSA-2021-9561.html", + "https://nvd.nist.gov/vuln/detail/CVE-2021-23841", + "https://rustsec.org/advisories/RUSTSEC-2021-0058", + "https://rustsec.org/advisories/RUSTSEC-2021-0058.html", + 
"https://security.gentoo.org/glsa/202103-03", + "https://security.netapp.com/advisory/ntap-20210219-0009", + "https://security.netapp.com/advisory/ntap-20210219-0009/", + "https://security.netapp.com/advisory/ntap-20210513-0002", + "https://security.netapp.com/advisory/ntap-20210513-0002/", + "https://security.netapp.com/advisory/ntap-20240621-0006/", + "https://support.apple.com/kb/HT212528", + "https://support.apple.com/kb/HT212529", + "https://support.apple.com/kb/HT212534", + "https://ubuntu.com/security/notices/USN-4738-1", + "https://ubuntu.com/security/notices/USN-4745-1", + "https://www.cve.org/CVERecord?id=CVE-2021-23841", + "https://www.debian.org/security/2021/dsa-4855", + "https://www.openssl.org/news/secadv/20210216.txt", + "https://www.oracle.com//security-alerts/cpujul2021.html", + "https://www.oracle.com/security-alerts/cpuApr2021.html", + "https://www.oracle.com/security-alerts/cpuapr2022.html", + "https://www.oracle.com/security-alerts/cpuoct2021.html", + "https://www.tenable.com/security/tns-2021-03", + "https://www.tenable.com/security/tns-2021-09" + ], + "PublishedDate": "2021-02-16T17:15:13.377Z", + "LastModifiedDate": "2024-06-21T19:15:17.377Z" + }, + { + "VulnerabilityID": "CVE-2021-3449", + "PkgID": "libssl1.1@1.1.1d-r3", + "PkgName": "libssl1.1", + "PkgIdentifier": { + "PURL": "pkg:apk/alpine/libssl1.1@1.1.1d-r3?arch=x86_64\u0026distro=3.11.5", + "UID": "ef32f7c9566b9f8c" + }, + "InstalledVersion": "1.1.1d-r3", + "FixedVersion": "1.1.1k-r0", + "Status": "fixed", + "Layer": { + "Digest": "sha256:aad63a9339440e7c3e1fff2b988991b9bfb81280042fa7f39a5e327023056819", + "DiffID": "sha256:beee9f30bc1f711043e78d4a2be0668955d4b761d587d6f60c2c8dc081efb203" + }, + "SeveritySource": "nvd", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2021-3449", + "DataSource": { + "ID": "alpine", + "Name": "Alpine Secdb", + "URL": "https://secdb.alpinelinux.org/" + }, + "Title": "openssl: NULL pointer dereference in signature_algorithms processing", + 
"Description": "An OpenSSL TLS server may crash if sent a maliciously crafted renegotiation ClientHello message from a client. If a TLSv1.2 renegotiation ClientHello omits the signature_algorithms extension (where it was present in the initial ClientHello), but includes a signature_algorithms_cert extension then a NULL pointer dereference will result, leading to a crash and a denial of service attack. A server is only vulnerable if it has TLSv1.2 and renegotiation enabled (which is the default configuration). OpenSSL TLS clients are not impacted by this issue. All OpenSSL 1.1.1 versions are affected by this issue. Users of these versions should upgrade to OpenSSL 1.1.1k. OpenSSL 1.0.2 is not impacted by this issue. Fixed in OpenSSL 1.1.1k (Affected 1.1.1-1.1.1j).", + "Severity": "MEDIUM", + "CweIDs": [ + "CWE-476" + ], + "VendorSeverity": { + "amazon": 3, + "bitnami": 2, + "ghsa": 2, + "nvd": 2, + "oracle-oval": 3, + "photon": 2, + "redhat": 3, + "ubuntu": 3 + }, + "CVSS": { + "bitnami": { + "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 5.9 + }, + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 5.9 + }, + "nvd": { + "V2Vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P", + "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V2Score": 4.3, + "V3Score": 5.9 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 5.9 + } + }, + "References": [ + "http://www.openwall.com/lists/oss-security/2021/03/27/1", + "http://www.openwall.com/lists/oss-security/2021/03/27/2", + "http://www.openwall.com/lists/oss-security/2021/03/28/3", + "http://www.openwall.com/lists/oss-security/2021/03/28/4", + "https://access.redhat.com/security/cve/CVE-2021-3449", + "https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf", + "https://cert-portal.siemens.com/productcert/pdf/ssa-772220.pdf", + 
"https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=fb9fa6b51defd48157eeb207f52181f735d96148", + "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=fb9fa6b51defd48157eeb207f52181f735d96148", + "https://github.com/alexcrichton/openssl-src-rs", + "https://github.com/nodejs/node/pull/38083", + "https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44845", + "https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10356", + "https://linux.oracle.com/cve/CVE-2021-3449.html", + "https://linux.oracle.com/errata/ELSA-2021-9151.html", + "https://lists.debian.org/debian-lts-announce/2021/08/msg00029.html", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CCBFLLVQVILIVGZMBJL3IXZGKWQISYNP/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CCBFLLVQVILIVGZMBJL3IXZGKWQISYNP", + "https://nvd.nist.gov/vuln/detail/CVE-2021-3449", + "https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0013", + "https://rustsec.org/advisories/RUSTSEC-2021-0055", + "https://rustsec.org/advisories/RUSTSEC-2021-0055.html", + "https://security.FreeBSD.org/advisories/FreeBSD-SA-21:07.openssl.asc", + "https://security.gentoo.org/glsa/202103-03", + "https://security.netapp.com/advisory/ntap-20210326-0006", + "https://security.netapp.com/advisory/ntap-20210326-0006/", + "https://security.netapp.com/advisory/ntap-20210513-0002", + "https://security.netapp.com/advisory/ntap-20210513-0002/", + "https://security.netapp.com/advisory/ntap-20240621-0006/", + "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-openssl-2021-GHY28dJd", + "https://ubuntu.com/security/notices/USN-4891-1", + "https://ubuntu.com/security/notices/USN-5038-1", + "https://www.cve.org/CVERecord?id=CVE-2021-3449", + "https://www.debian.org/security/2021/dsa-4875", + "https://www.openssl.org/news/secadv/20210325.txt", + 
"https://www.oracle.com//security-alerts/cpujul2021.html", + "https://www.oracle.com/security-alerts/cpuApr2021.html", + "https://www.oracle.com/security-alerts/cpuapr2022.html", + "https://www.oracle.com/security-alerts/cpujul2022.html", + "https://www.oracle.com/security-alerts/cpuoct2021.html", + "https://www.tenable.com/security/tns-2021-05", + "https://www.tenable.com/security/tns-2021-06", + "https://www.tenable.com/security/tns-2021-09", + "https://www.tenable.com/security/tns-2021-10" + ], + "PublishedDate": "2021-03-25T15:15:13.45Z", + "LastModifiedDate": "2024-06-21T19:15:19.71Z" + }, + { + "VulnerabilityID": "CVE-2021-23839", + "PkgID": "libssl1.1@1.1.1d-r3", + "PkgName": "libssl1.1", + "PkgIdentifier": { + "PURL": "pkg:apk/alpine/libssl1.1@1.1.1d-r3?arch=x86_64\u0026distro=3.11.5", + "UID": "ef32f7c9566b9f8c" + }, + "InstalledVersion": "1.1.1d-r3", + "FixedVersion": "1.1.1j-r0", + "Status": "fixed", + "Layer": { + "Digest": "sha256:aad63a9339440e7c3e1fff2b988991b9bfb81280042fa7f39a5e327023056819", + "DiffID": "sha256:beee9f30bc1f711043e78d4a2be0668955d4b761d587d6f60c2c8dc081efb203" + }, + "SeveritySource": "nvd", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2021-23839", + "DataSource": { + "ID": "alpine", + "Name": "Alpine Secdb", + "URL": "https://secdb.alpinelinux.org/" + }, + "Title": "openssl: incorrect SSLv2 rollback protection", + "Description": "OpenSSL 1.0.2 supports SSLv2. If a client attempts to negotiate SSLv2 with a server that is configured to support both SSLv2 and more recent SSL and TLS versions then a check is made for a version rollback attack when unpadding an RSA signature. Clients that support SSL or TLS versions greater than SSLv2 are supposed to use a special form of padding. A server that supports greater than SSLv2 is supposed to reject connection attempts from a client where this special form of padding is present, because this indicates that a version rollback has occurred (i.e. 
both client and server support greater than SSLv2, and yet this is the version that is being requested). The implementation of this padding check inverted the logic so that the connection attempt is accepted if the padding is present, and rejected if it is absent. This means that such as server will accept a connection if a version rollback attack has occurred. Further the server will erroneously reject a connection if a normal SSLv2 connection attempt is made. Only OpenSSL 1.0.2 servers from version 1.0.2s to 1.0.2x are affected by this issue. In order to be vulnerable a 1.0.2 server must: 1) have configured SSLv2 support at compile time (this is off by default), 2) have configured SSLv2 support at runtime (this is off by default), 3) have configured SSLv2 ciphersuites (these are not in the default ciphersuite list) OpenSSL 1.1.1 does not have SSLv2 support and therefore is not vulnerable to this issue. The underlying error is in the implementation of the RSA_padding_check_SSLv23() function. This also affects the RSA_SSLV23_PADDING padding mode used by various other functions. Although 1.1.1 does not support SSLv2 the RSA_padding_check_SSLv23() function still exists, as does the RSA_SSLV23_PADDING padding mode. Applications that directly call that function or use that padding mode will encounter this issue. However since there is no support for the SSLv2 protocol in 1.1.1 this is considered a bug and not a security issue in that version. OpenSSL 1.0.2 is out of support and no longer receiving public updates. Premium support customers of OpenSSL 1.0.2 should upgrade to 1.0.2y. Other users should upgrade to 1.1.1j. 
Fixed in OpenSSL 1.0.2y (Affected 1.0.2s-1.0.2x).", + "Severity": "LOW", + "CweIDs": [ + "CWE-327" + ], + "VendorSeverity": { + "amazon": 2, + "nvd": 1, + "photon": 1, + "redhat": 1 + }, + "CVSS": { + "nvd": { + "V2Vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N", + "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N", + "V2Score": 4.3, + "V3Score": 3.7 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N", + "V3Score": 3.7 + } + }, + "References": [ + "https://access.redhat.com/security/cve/CVE-2021-23839", + "https://cert-portal.siemens.com/productcert/pdf/ssa-637483.pdf", + "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=30919ab80a478f2d81f2e9acdcca3fa4740cd547", + "https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44846", + "https://nvd.nist.gov/vuln/detail/CVE-2021-23839", + "https://security.netapp.com/advisory/ntap-20210219-0009/", + "https://security.netapp.com/advisory/ntap-20240621-0006/", + "https://www.cve.org/CVERecord?id=CVE-2021-23839", + "https://www.openssl.org/news/secadv/20210216.txt", + "https://www.oracle.com//security-alerts/cpujul2021.html", + "https://www.oracle.com/security-alerts/cpuApr2021.html", + "https://www.oracle.com/security-alerts/cpuapr2022.html", + "https://www.oracle.com/security-alerts/cpuoct2021.html" + ], + "PublishedDate": "2021-02-16T17:15:13.19Z", + "LastModifiedDate": "2024-06-21T19:15:16.83Z" + }, + { + "VulnerabilityID": "CVE-2019-15847", + "PkgID": "libstdc++@9.2.0-r4", + "PkgName": "libstdc++", + "PkgIdentifier": { + "PURL": "pkg:apk/alpine/libstdc%2B%2B@9.2.0-r4?arch=x86_64\u0026distro=3.11.5", + "UID": "a7b6f5227303c2f8" + }, + "InstalledVersion": "9.2.0-r4", + "FixedVersion": "9.3.0-r0", + "Status": "fixed", + "Layer": { + "Digest": "sha256:1e6875f31a79a89ba75198be98bcf8542ebf5bedc72e713643f8051c1de5f953", + "DiffID": "sha256:b745c9620c42ed8b3d44112811e039e9e673072cef3bb5740bb1d560a40b1f8a" + }, + "SeveritySource": "nvd", + "PrimaryURL": 
"https://avd.aquasec.com/nvd/cve-2019-15847", + "DataSource": { + "ID": "alpine", + "Name": "Alpine Secdb", + "URL": "https://secdb.alpinelinux.org/" + }, + "Title": "gcc: POWER9 \"DARN\" RNG intrinsic produces repeated output", + "Description": "The POWER9 backend in GNU Compiler Collection (GCC) before version 10 could optimize multiple calls of the __builtin_darn intrinsic into a single call, thus reducing the entropy of the random number generator. This occurred because a volatile operation was not specified. For example, within a single execution of a program, the output of every __builtin_darn() call may be the same.", + "Severity": "HIGH", + "CweIDs": [ + "CWE-331" + ], + "VendorSeverity": { + "cbl-mariner": 3, + "nvd": 3, + "oracle-oval": 2, + "redhat": 2, + "ubuntu": 1 + }, + "CVSS": { + "nvd": { + "V2Vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N", + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", + "V2Score": 5, + "V3Score": 7.5 + }, + "redhat": { + "V3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", + "V3Score": 7.5 + } + }, + "References": [ + "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00056.html", + "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00057.html", + "http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00058.html", + "https://access.redhat.com/security/cve/CVE-2019-15847", + "https://gcc.gnu.org/bugzilla/show_bug.cgi?id=91481", + "https://gcc.gnu.org/git/?p=gcc.git;a=commit;h=457dac402027dd7e14543fbd59a75858422cf6c6", + "https://gcc.gnu.org/git/?p=gcc.git;a=commit;h=e99bfdd2a8db732ea84cf0a6486707e5e821ad7e", + "https://linux.oracle.com/cve/CVE-2019-15847.html", + "https://linux.oracle.com/errata/ELSA-2020-1864.html", + "https://nvd.nist.gov/vuln/detail/CVE-2019-15847", + "https://www.cve.org/CVERecord?id=CVE-2019-15847" + ], + "PublishedDate": "2019-09-02T23:15:10.837Z", + "LastModifiedDate": "2020-09-17T13:38:06.51Z" + }, + { + "VulnerabilityID": "CVE-2020-28928", + "PkgID": 
"musl@1.1.24-r2", + "PkgName": "musl", + "PkgIdentifier": { + "PURL": "pkg:apk/alpine/musl@1.1.24-r2?arch=x86_64\u0026distro=3.11.5", + "UID": "b6304b41e8f176d7" + }, + "InstalledVersion": "1.1.24-r2", + "FixedVersion": "1.1.24-r3", + "Status": "fixed", + "Layer": { + "Digest": "sha256:aad63a9339440e7c3e1fff2b988991b9bfb81280042fa7f39a5e327023056819", + "DiffID": "sha256:beee9f30bc1f711043e78d4a2be0668955d4b761d587d6f60c2c8dc081efb203" + }, + "SeveritySource": "nvd", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2020-28928", + "DataSource": { + "ID": "alpine", + "Name": "Alpine Secdb", + "URL": "https://secdb.alpinelinux.org/" + }, + "Title": "In musl libc through 1.2.1, wcsnrtombs mishandles particular combinati ...", + "Description": "In musl libc through 1.2.1, wcsnrtombs mishandles particular combinations of destination buffer size and source character limit, as demonstrated by an invalid write access (buffer overflow).", + "Severity": "MEDIUM", + "CweIDs": [ + "CWE-787" + ], + "VendorSeverity": { + "nvd": 2, + "ubuntu": 2 + }, + "CVSS": { + "nvd": { + "V2Vector": "AV:L/AC:L/Au:N/C:N/I:N/A:P", + "V3Vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "V2Score": 2.1, + "V3Score": 5.5 + } + }, + "References": [ + "http://www.openwall.com/lists/oss-security/2020/11/20/4", + "https://lists.apache.org/thread.html/r2134abfe847bea7795f0e53756d10a47e6643f35ab8169df8b8a9eb1%40%3Cnotifications.apisix.apache.org%3E", + "https://lists.apache.org/thread.html/r90b60cf49348e515257b4950900c1bd3ab95a960cf2469d919c7264e%40%3Cnotifications.apisix.apache.org%3E", + "https://lists.apache.org/thread.html/ra63e8dc5137d952afc55dbbfa63be83304ecf842d1eab1ff3ebb29e2%40%3Cnotifications.apisix.apache.org%3E", + "https://lists.debian.org/debian-lts-announce/2020/11/msg00050.html", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LKQ3RVSMVZNZNO4D65W2CZZ4DMYFZN2Q/", + 
"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UW27QVY7ERPTSGKS4KAWE5TU7EJWHKVQ/", + "https://musl.libc.org/releases.html", + "https://ubuntu.com/security/notices/USN-5990-1", + "https://www.cve.org/CVERecord?id=CVE-2020-28928", + "https://www.openwall.com/lists/oss-security/2020/11/20/4", + "https://www.oracle.com//security-alerts/cpujul2021.html", + "https://www.oracle.com/security-alerts/cpuoct2021.html" + ], + "PublishedDate": "2020-11-24T18:15:12.207Z", + "LastModifiedDate": "2023-11-07T03:21:24.597Z" + }, + { + "VulnerabilityID": "CVE-2020-28928", + "PkgID": "musl-utils@1.1.24-r2", + "PkgName": "musl-utils", + "PkgIdentifier": { + "PURL": "pkg:apk/alpine/musl-utils@1.1.24-r2?arch=x86_64\u0026distro=3.11.5", + "UID": "5375b09606d1b6cf" + }, + "InstalledVersion": "1.1.24-r2", + "FixedVersion": "1.1.24-r3", + "Status": "fixed", + "Layer": { + "Digest": "sha256:aad63a9339440e7c3e1fff2b988991b9bfb81280042fa7f39a5e327023056819", + "DiffID": "sha256:beee9f30bc1f711043e78d4a2be0668955d4b761d587d6f60c2c8dc081efb203" + }, + "SeveritySource": "nvd", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2020-28928", + "DataSource": { + "ID": "alpine", + "Name": "Alpine Secdb", + "URL": "https://secdb.alpinelinux.org/" + }, + "Title": "In musl libc through 1.2.1, wcsnrtombs mishandles particular combinati ...", + "Description": "In musl libc through 1.2.1, wcsnrtombs mishandles particular combinations of destination buffer size and source character limit, as demonstrated by an invalid write access (buffer overflow).", + "Severity": "MEDIUM", + "CweIDs": [ + "CWE-787" + ], + "VendorSeverity": { + "nvd": 2, + "ubuntu": 2 + }, + "CVSS": { + "nvd": { + "V2Vector": "AV:L/AC:L/Au:N/C:N/I:N/A:P", + "V3Vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "V2Score": 2.1, + "V3Score": 5.5 + } + }, + "References": [ + "http://www.openwall.com/lists/oss-security/2020/11/20/4", + 
"https://lists.apache.org/thread.html/r2134abfe847bea7795f0e53756d10a47e6643f35ab8169df8b8a9eb1%40%3Cnotifications.apisix.apache.org%3E", + "https://lists.apache.org/thread.html/r90b60cf49348e515257b4950900c1bd3ab95a960cf2469d919c7264e%40%3Cnotifications.apisix.apache.org%3E", + "https://lists.apache.org/thread.html/ra63e8dc5137d952afc55dbbfa63be83304ecf842d1eab1ff3ebb29e2%40%3Cnotifications.apisix.apache.org%3E", + "https://lists.debian.org/debian-lts-announce/2020/11/msg00050.html", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LKQ3RVSMVZNZNO4D65W2CZZ4DMYFZN2Q/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UW27QVY7ERPTSGKS4KAWE5TU7EJWHKVQ/", + "https://musl.libc.org/releases.html", + "https://ubuntu.com/security/notices/USN-5990-1", + "https://www.cve.org/CVERecord?id=CVE-2020-28928", + "https://www.openwall.com/lists/oss-security/2020/11/20/4", + "https://www.oracle.com//security-alerts/cpujul2021.html", + "https://www.oracle.com/security-alerts/cpuoct2021.html" + ], + "PublishedDate": "2020-11-24T18:15:12.207Z", + "LastModifiedDate": "2023-11-07T03:21:24.597Z" + }, + { + "VulnerabilityID": "CVE-2021-28831", + "PkgID": "ssl_client@1.31.1-r9", + "PkgName": "ssl_client", + "PkgIdentifier": { + "PURL": "pkg:apk/alpine/ssl_client@1.31.1-r9?arch=x86_64\u0026distro=3.11.5", + "UID": "1ec452d99da3f94b" + }, + "InstalledVersion": "1.31.1-r9", + "FixedVersion": "1.31.1-r10", + "Status": "fixed", + "Layer": { + "Digest": "sha256:aad63a9339440e7c3e1fff2b988991b9bfb81280042fa7f39a5e327023056819", + "DiffID": "sha256:beee9f30bc1f711043e78d4a2be0668955d4b761d587d6f60c2c8dc081efb203" + }, + "SeveritySource": "nvd", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2021-28831", + "DataSource": { + "ID": "alpine", + "Name": "Alpine Secdb", + "URL": "https://secdb.alpinelinux.org/" + }, + "Title": "busybox: invalid free or segmentation fault via malformed gzip data", + 
"Description": "decompress_gunzip.c in BusyBox through 1.32.1 mishandles the error bit on the huft_build result pointer, with a resultant invalid free or segmentation fault, via malformed gzip data.", + "Severity": "HIGH", + "CweIDs": [ + "CWE-755" + ], + "VendorSeverity": { + "amazon": 2, + "cbl-mariner": 3, + "nvd": 3, + "redhat": 2, + "ubuntu": 1 + }, + "CVSS": { + "nvd": { + "V2Vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P", + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V2Score": 5, + "V3Score": 7.5 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 7.5 + } + }, + "References": [ + "https://access.redhat.com/security/cve/CVE-2021-28831", + "https://git.busybox.net/busybox/commit/?id=f25d254dfd4243698c31a4f3153d4ac72aa9e9bd", + "https://lists.debian.org/debian-lts-announce/2021/04/msg00001.html", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3UDQGJRECXFS5EZVDH2OI45FMO436AC4/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Z7ZIFKPRR32ZYA3WAA2NXFA3QHHOU6FJ/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZASBW7QRRLY5V2R44MQ4QQM4CZIDHM2U/", + "https://nvd.nist.gov/vuln/detail/CVE-2021-28831", + "https://security.gentoo.org/glsa/202105-09", + "https://ubuntu.com/security/notices/USN-5179-1", + "https://ubuntu.com/security/notices/USN-5179-2", + "https://ubuntu.com/security/notices/USN-6335-1", + "https://www.cve.org/CVERecord?id=CVE-2021-28831" + ], + "PublishedDate": "2021-03-19T05:15:13.15Z", + "LastModifiedDate": "2023-11-07T03:32:23.577Z" + }, + { + "VulnerabilityID": "CVE-2021-42378", + "PkgID": "ssl_client@1.31.1-r9", + "PkgName": "ssl_client", + "PkgIdentifier": { + "PURL": "pkg:apk/alpine/ssl_client@1.31.1-r9?arch=x86_64\u0026distro=3.11.5", + "UID": "1ec452d99da3f94b" + }, + "InstalledVersion": "1.31.1-r9", + "FixedVersion": "1.31.1-r11", + 
"Status": "fixed", + "Layer": { + "Digest": "sha256:aad63a9339440e7c3e1fff2b988991b9bfb81280042fa7f39a5e327023056819", + "DiffID": "sha256:beee9f30bc1f711043e78d4a2be0668955d4b761d587d6f60c2c8dc081efb203" + }, + "SeveritySource": "nvd", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2021-42378", + "DataSource": { + "ID": "alpine", + "Name": "Alpine Secdb", + "URL": "https://secdb.alpinelinux.org/" + }, + "Title": "busybox: use-after-free in awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the getvar_i()", + "Description": "A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the getvar_i function", + "Severity": "HIGH", + "CweIDs": [ + "CWE-416" + ], + "VendorSeverity": { + "amazon": 2, + "cbl-mariner": 3, + "nvd": 3, + "redhat": 2, + "ubuntu": 1 + }, + "CVSS": { + "nvd": { + "V2Vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P", + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", + "V2Score": 6.5, + "V3Score": 7.2 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H", + "V3Score": 6.6 + } + }, + "References": [ + "https://access.redhat.com/security/cve/CVE-2021-42378", + "https://claroty.com/team82/research/unboxing-busybox-14-vulnerabilities-uncovered-by-claroty-jfrog", + "https://jfrog.com/blog/unboxing-busybox-14-new-vulnerabilities-uncovered-by-claroty-and-jfrog/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6T2TURBYYJGBMQTTN2DSOAIQGP7WCPGV/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UQXGOGWBIYWOIVXJVRKHZR34UMEHQBXS/", + "https://nvd.nist.gov/vuln/detail/CVE-2021-42378", + "https://security.netapp.com/advisory/ntap-20211223-0002/", + "https://ubuntu.com/security/notices/USN-5179-1", + "https://www.cve.org/CVERecord?id=CVE-2021-42378" + ], + "PublishedDate": 
"2021-11-15T21:15:07.753Z", + "LastModifiedDate": "2023-11-07T03:39:10.25Z" + }, + { + "VulnerabilityID": "CVE-2021-42379", + "PkgID": "ssl_client@1.31.1-r9", + "PkgName": "ssl_client", + "PkgIdentifier": { + "PURL": "pkg:apk/alpine/ssl_client@1.31.1-r9?arch=x86_64\u0026distro=3.11.5", + "UID": "1ec452d99da3f94b" + }, + "InstalledVersion": "1.31.1-r9", + "FixedVersion": "1.31.1-r11", + "Status": "fixed", + "Layer": { + "Digest": "sha256:aad63a9339440e7c3e1fff2b988991b9bfb81280042fa7f39a5e327023056819", + "DiffID": "sha256:beee9f30bc1f711043e78d4a2be0668955d4b761d587d6f60c2c8dc081efb203" + }, + "SeveritySource": "nvd", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2021-42379", + "DataSource": { + "ID": "alpine", + "Name": "Alpine Secdb", + "URL": "https://secdb.alpinelinux.org/" + }, + "Title": "busybox: use-after-free in awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the next_input_file()", + "Description": "A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the next_input_file function", + "Severity": "HIGH", + "CweIDs": [ + "CWE-416" + ], + "VendorSeverity": { + "amazon": 2, + "cbl-mariner": 3, + "nvd": 3, + "redhat": 2, + "ubuntu": 1 + }, + "CVSS": { + "nvd": { + "V2Vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P", + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", + "V2Score": 6.5, + "V3Score": 7.2 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H", + "V3Score": 6.6 + } + }, + "References": [ + "https://access.redhat.com/security/cve/CVE-2021-42379", + "https://claroty.com/team82/research/unboxing-busybox-14-vulnerabilities-uncovered-by-claroty-jfrog", + "https://jfrog.com/blog/unboxing-busybox-14-new-vulnerabilities-uncovered-by-claroty-and-jfrog/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6T2TURBYYJGBMQTTN2DSOAIQGP7WCPGV/", + 
"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UQXGOGWBIYWOIVXJVRKHZR34UMEHQBXS/", + "https://nvd.nist.gov/vuln/detail/CVE-2021-42379", + "https://security.netapp.com/advisory/ntap-20211223-0002/", + "https://ubuntu.com/security/notices/USN-5179-1", + "https://www.cve.org/CVERecord?id=CVE-2021-42379" + ], + "PublishedDate": "2021-11-15T21:15:07.807Z", + "LastModifiedDate": "2023-11-07T03:39:10.34Z" + }, + { + "VulnerabilityID": "CVE-2021-42380", + "PkgID": "ssl_client@1.31.1-r9", + "PkgName": "ssl_client", + "PkgIdentifier": { + "PURL": "pkg:apk/alpine/ssl_client@1.31.1-r9?arch=x86_64\u0026distro=3.11.5", + "UID": "1ec452d99da3f94b" + }, + "InstalledVersion": "1.31.1-r9", + "FixedVersion": "1.31.1-r11", + "Status": "fixed", + "Layer": { + "Digest": "sha256:aad63a9339440e7c3e1fff2b988991b9bfb81280042fa7f39a5e327023056819", + "DiffID": "sha256:beee9f30bc1f711043e78d4a2be0668955d4b761d587d6f60c2c8dc081efb203" + }, + "SeveritySource": "nvd", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2021-42380", + "DataSource": { + "ID": "alpine", + "Name": "Alpine Secdb", + "URL": "https://secdb.alpinelinux.org/" + }, + "Title": "busybox: use-after-free in awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the clrvar()", + "Description": "A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the clrvar function", + "Severity": "HIGH", + "CweIDs": [ + "CWE-416" + ], + "VendorSeverity": { + "cbl-mariner": 3, + "nvd": 3, + "redhat": 2, + "ubuntu": 1 + }, + "CVSS": { + "nvd": { + "V2Vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P", + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", + "V2Score": 6.5, + "V3Score": 7.2 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H", + "V3Score": 6.6 + } + }, + "References": [ + 
"https://access.redhat.com/security/cve/CVE-2021-42380", + "https://claroty.com/team82/research/unboxing-busybox-14-vulnerabilities-uncovered-by-claroty-jfrog", + "https://jfrog.com/blog/unboxing-busybox-14-new-vulnerabilities-uncovered-by-claroty-and-jfrog/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6T2TURBYYJGBMQTTN2DSOAIQGP7WCPGV/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UQXGOGWBIYWOIVXJVRKHZR34UMEHQBXS/", + "https://nvd.nist.gov/vuln/detail/CVE-2021-42380", + "https://security.netapp.com/advisory/ntap-20211223-0002/", + "https://ubuntu.com/security/notices/USN-5179-1", + "https://www.cve.org/CVERecord?id=CVE-2021-42380" + ], + "PublishedDate": "2021-11-15T21:15:07.857Z", + "LastModifiedDate": "2023-11-07T03:39:10.423Z" + }, + { + "VulnerabilityID": "CVE-2021-42381", + "PkgID": "ssl_client@1.31.1-r9", + "PkgName": "ssl_client", + "PkgIdentifier": { + "PURL": "pkg:apk/alpine/ssl_client@1.31.1-r9?arch=x86_64\u0026distro=3.11.5", + "UID": "1ec452d99da3f94b" + }, + "InstalledVersion": "1.31.1-r9", + "FixedVersion": "1.31.1-r11", + "Status": "fixed", + "Layer": { + "Digest": "sha256:aad63a9339440e7c3e1fff2b988991b9bfb81280042fa7f39a5e327023056819", + "DiffID": "sha256:beee9f30bc1f711043e78d4a2be0668955d4b761d587d6f60c2c8dc081efb203" + }, + "SeveritySource": "nvd", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2021-42381", + "DataSource": { + "ID": "alpine", + "Name": "Alpine Secdb", + "URL": "https://secdb.alpinelinux.org/" + }, + "Title": "busybox: use-after-free in awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the hash_init()", + "Description": "A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the hash_init function", + "Severity": "HIGH", + "CweIDs": [ + "CWE-416" + ], + "VendorSeverity": { + 
"cbl-mariner": 3, + "nvd": 3, + "redhat": 2, + "ubuntu": 1 + }, + "CVSS": { + "nvd": { + "V2Vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P", + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", + "V2Score": 6.5, + "V3Score": 7.2 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H", + "V3Score": 6.6 + } + }, + "References": [ + "https://access.redhat.com/security/cve/CVE-2021-42381", + "https://claroty.com/team82/research/unboxing-busybox-14-vulnerabilities-uncovered-by-claroty-jfrog", + "https://jfrog.com/blog/unboxing-busybox-14-new-vulnerabilities-uncovered-by-claroty-and-jfrog/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6T2TURBYYJGBMQTTN2DSOAIQGP7WCPGV/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UQXGOGWBIYWOIVXJVRKHZR34UMEHQBXS/", + "https://nvd.nist.gov/vuln/detail/CVE-2021-42381", + "https://security.netapp.com/advisory/ntap-20211223-0002/", + "https://ubuntu.com/security/notices/USN-5179-1", + "https://www.cve.org/CVERecord?id=CVE-2021-42381" + ], + "PublishedDate": "2021-11-15T21:15:07.913Z", + "LastModifiedDate": "2023-11-07T03:39:10.5Z" + }, + { + "VulnerabilityID": "CVE-2021-42382", + "PkgID": "ssl_client@1.31.1-r9", + "PkgName": "ssl_client", + "PkgIdentifier": { + "PURL": "pkg:apk/alpine/ssl_client@1.31.1-r9?arch=x86_64\u0026distro=3.11.5", + "UID": "1ec452d99da3f94b" + }, + "InstalledVersion": "1.31.1-r9", + "FixedVersion": "1.31.1-r11", + "Status": "fixed", + "Layer": { + "Digest": "sha256:aad63a9339440e7c3e1fff2b988991b9bfb81280042fa7f39a5e327023056819", + "DiffID": "sha256:beee9f30bc1f711043e78d4a2be0668955d4b761d587d6f60c2c8dc081efb203" + }, + "SeveritySource": "nvd", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2021-42382", + "DataSource": { + "ID": "alpine", + "Name": "Alpine Secdb", + "URL": "https://secdb.alpinelinux.org/" + }, + "Title": "busybox: use-after-free in awk applet leads to denial of 
service and possibly code execution when processing a crafted awk pattern in the getvar_s()", + "Description": "A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the getvar_s function", + "Severity": "HIGH", + "CweIDs": [ + "CWE-416" + ], + "VendorSeverity": { + "cbl-mariner": 3, + "nvd": 3, + "redhat": 2, + "ubuntu": 1 + }, + "CVSS": { + "nvd": { + "V2Vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P", + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", + "V2Score": 6.5, + "V3Score": 7.2 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H", + "V3Score": 6.6 + } + }, + "References": [ + "https://access.redhat.com/security/cve/CVE-2021-42382", + "https://claroty.com/team82/research/unboxing-busybox-14-vulnerabilities-uncovered-by-claroty-jfrog", + "https://jfrog.com/blog/unboxing-busybox-14-new-vulnerabilities-uncovered-by-claroty-and-jfrog/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6T2TURBYYJGBMQTTN2DSOAIQGP7WCPGV/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UQXGOGWBIYWOIVXJVRKHZR34UMEHQBXS/", + "https://nvd.nist.gov/vuln/detail/CVE-2021-42382", + "https://security.netapp.com/advisory/ntap-20211223-0002/", + "https://ubuntu.com/security/notices/USN-5179-1", + "https://www.cve.org/CVERecord?id=CVE-2021-42382" + ], + "PublishedDate": "2021-11-15T21:15:07.963Z", + "LastModifiedDate": "2023-11-07T03:39:10.577Z" + }, + { + "VulnerabilityID": "CVE-2021-42383", + "PkgID": "ssl_client@1.31.1-r9", + "PkgName": "ssl_client", + "PkgIdentifier": { + "PURL": "pkg:apk/alpine/ssl_client@1.31.1-r9?arch=x86_64\u0026distro=3.11.5", + "UID": "1ec452d99da3f94b" + }, + "InstalledVersion": "1.31.1-r9", + "FixedVersion": "1.31.1-r11", + "Status": "fixed", + "Layer": { + "Digest": "sha256:aad63a9339440e7c3e1fff2b988991b9bfb81280042fa7f39a5e327023056819", + 
"DiffID": "sha256:beee9f30bc1f711043e78d4a2be0668955d4b761d587d6f60c2c8dc081efb203" + }, + "SeveritySource": "nvd", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2021-42383", + "DataSource": { + "ID": "alpine", + "Name": "Alpine Secdb", + "URL": "https://secdb.alpinelinux.org/" + }, + "Title": "busybox: use-after-free in awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the evaluate()", + "Description": "A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the evaluate function", + "Severity": "HIGH", + "CweIDs": [ + "CWE-416" + ], + "VendorSeverity": { + "nvd": 3, + "redhat": 2 + }, + "CVSS": { + "nvd": { + "V2Vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P", + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", + "V2Score": 6.5, + "V3Score": 7.2 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H", + "V3Score": 6.6 + } + }, + "References": [ + "https://access.redhat.com/security/cve/CVE-2021-42383", + "https://claroty.com/team82/research/unboxing-busybox-14-vulnerabilities-uncovered-by-claroty-jfrog", + "https://jfrog.com/blog/unboxing-busybox-14-new-vulnerabilities-uncovered-by-claroty-and-jfrog/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6T2TURBYYJGBMQTTN2DSOAIQGP7WCPGV/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UQXGOGWBIYWOIVXJVRKHZR34UMEHQBXS/", + "https://nvd.nist.gov/vuln/detail/CVE-2021-42383", + "https://security.netapp.com/advisory/ntap-20211223-0002/", + "https://www.cve.org/CVERecord?id=CVE-2021-42383" + ], + "PublishedDate": "2021-11-15T21:15:08.017Z", + "LastModifiedDate": "2023-11-07T03:39:10.66Z" + }, + { + "VulnerabilityID": "CVE-2021-42384", + "PkgID": "ssl_client@1.31.1-r9", + "PkgName": "ssl_client", + "PkgIdentifier": { + "PURL": 
"pkg:apk/alpine/ssl_client@1.31.1-r9?arch=x86_64\u0026distro=3.11.5", + "UID": "1ec452d99da3f94b" + }, + "InstalledVersion": "1.31.1-r9", + "FixedVersion": "1.31.1-r11", + "Status": "fixed", + "Layer": { + "Digest": "sha256:aad63a9339440e7c3e1fff2b988991b9bfb81280042fa7f39a5e327023056819", + "DiffID": "sha256:beee9f30bc1f711043e78d4a2be0668955d4b761d587d6f60c2c8dc081efb203" + }, + "SeveritySource": "nvd", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2021-42384", + "DataSource": { + "ID": "alpine", + "Name": "Alpine Secdb", + "URL": "https://secdb.alpinelinux.org/" + }, + "Title": "busybox: use-after-free in awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the handle_special()", + "Description": "A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the handle_special function", + "Severity": "HIGH", + "CweIDs": [ + "CWE-416" + ], + "VendorSeverity": { + "amazon": 2, + "cbl-mariner": 3, + "nvd": 3, + "redhat": 2, + "ubuntu": 1 + }, + "CVSS": { + "nvd": { + "V2Vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P", + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", + "V2Score": 6.5, + "V3Score": 7.2 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H", + "V3Score": 6.6 + } + }, + "References": [ + "https://access.redhat.com/security/cve/CVE-2021-42384", + "https://claroty.com/team82/research/unboxing-busybox-14-vulnerabilities-uncovered-by-claroty-jfrog", + "https://jfrog.com/blog/unboxing-busybox-14-new-vulnerabilities-uncovered-by-claroty-and-jfrog/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6T2TURBYYJGBMQTTN2DSOAIQGP7WCPGV/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UQXGOGWBIYWOIVXJVRKHZR34UMEHQBXS/", + "https://nvd.nist.gov/vuln/detail/CVE-2021-42384", + 
"https://security.netapp.com/advisory/ntap-20211223-0002/", + "https://ubuntu.com/security/notices/USN-5179-1", + "https://www.cve.org/CVERecord?id=CVE-2021-42384" + ], + "PublishedDate": "2021-11-15T21:15:08.07Z", + "LastModifiedDate": "2023-11-07T03:39:10.737Z" + }, + { + "VulnerabilityID": "CVE-2021-42385", + "PkgID": "ssl_client@1.31.1-r9", + "PkgName": "ssl_client", + "PkgIdentifier": { + "PURL": "pkg:apk/alpine/ssl_client@1.31.1-r9?arch=x86_64\u0026distro=3.11.5", + "UID": "1ec452d99da3f94b" + }, + "InstalledVersion": "1.31.1-r9", + "FixedVersion": "1.31.1-r11", + "Status": "fixed", + "Layer": { + "Digest": "sha256:aad63a9339440e7c3e1fff2b988991b9bfb81280042fa7f39a5e327023056819", + "DiffID": "sha256:beee9f30bc1f711043e78d4a2be0668955d4b761d587d6f60c2c8dc081efb203" + }, + "SeveritySource": "nvd", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2021-42385", + "DataSource": { + "ID": "alpine", + "Name": "Alpine Secdb", + "URL": "https://secdb.alpinelinux.org/" + }, + "Title": "busybox: use-after-free in awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the evaluate()", + "Description": "A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the evaluate function", + "Severity": "HIGH", + "CweIDs": [ + "CWE-416" + ], + "VendorSeverity": { + "amazon": 2, + "cbl-mariner": 3, + "nvd": 3, + "redhat": 2, + "ubuntu": 1 + }, + "CVSS": { + "nvd": { + "V2Vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P", + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", + "V2Score": 6.5, + "V3Score": 7.2 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H", + "V3Score": 6.6 + } + }, + "References": [ + "https://access.redhat.com/security/cve/CVE-2021-42385", + "https://claroty.com/team82/research/unboxing-busybox-14-vulnerabilities-uncovered-by-claroty-jfrog", + 
"https://jfrog.com/blog/unboxing-busybox-14-new-vulnerabilities-uncovered-by-claroty-and-jfrog/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6T2TURBYYJGBMQTTN2DSOAIQGP7WCPGV/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UQXGOGWBIYWOIVXJVRKHZR34UMEHQBXS/", + "https://nvd.nist.gov/vuln/detail/CVE-2021-42385", + "https://security.netapp.com/advisory/ntap-20211223-0002/", + "https://ubuntu.com/security/notices/USN-5179-1", + "https://www.cve.org/CVERecord?id=CVE-2021-42385" + ], + "PublishedDate": "2021-11-15T21:15:08.123Z", + "LastModifiedDate": "2023-11-07T03:39:10.82Z" + }, + { + "VulnerabilityID": "CVE-2021-42386", + "PkgID": "ssl_client@1.31.1-r9", + "PkgName": "ssl_client", + "PkgIdentifier": { + "PURL": "pkg:apk/alpine/ssl_client@1.31.1-r9?arch=x86_64\u0026distro=3.11.5", + "UID": "1ec452d99da3f94b" + }, + "InstalledVersion": "1.31.1-r9", + "FixedVersion": "1.31.1-r11", + "Status": "fixed", + "Layer": { + "Digest": "sha256:aad63a9339440e7c3e1fff2b988991b9bfb81280042fa7f39a5e327023056819", + "DiffID": "sha256:beee9f30bc1f711043e78d4a2be0668955d4b761d587d6f60c2c8dc081efb203" + }, + "SeveritySource": "nvd", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2021-42386", + "DataSource": { + "ID": "alpine", + "Name": "Alpine Secdb", + "URL": "https://secdb.alpinelinux.org/" + }, + "Title": "busybox: use-after-free in awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the nvalloc()", + "Description": "A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the nvalloc function", + "Severity": "HIGH", + "CweIDs": [ + "CWE-416" + ], + "VendorSeverity": { + "amazon": 2, + "cbl-mariner": 3, + "nvd": 3, + "redhat": 2, + "ubuntu": 1 + }, + "CVSS": { + "nvd": { + "V2Vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P", + "V3Vector": 
"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", + "V2Score": 6.5, + "V3Score": 7.2 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H", + "V3Score": 6.6 + } + }, + "References": [ + "https://access.redhat.com/security/cve/CVE-2021-42386", + "https://claroty.com/team82/research/unboxing-busybox-14-vulnerabilities-uncovered-by-claroty-jfrog", + "https://jfrog.com/blog/unboxing-busybox-14-new-vulnerabilities-uncovered-by-claroty-and-jfrog/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6T2TURBYYJGBMQTTN2DSOAIQGP7WCPGV/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UQXGOGWBIYWOIVXJVRKHZR34UMEHQBXS/", + "https://nvd.nist.gov/vuln/detail/CVE-2021-42386", + "https://security.netapp.com/advisory/ntap-20211223-0002/", + "https://ubuntu.com/security/notices/USN-5179-1", + "https://www.cve.org/CVERecord?id=CVE-2021-42386" + ], + "PublishedDate": "2021-11-15T21:15:08.173Z", + "LastModifiedDate": "2023-11-07T03:39:10.903Z" + }, + { + "VulnerabilityID": "CVE-2021-42374", + "PkgID": "ssl_client@1.31.1-r9", + "PkgName": "ssl_client", + "PkgIdentifier": { + "PURL": "pkg:apk/alpine/ssl_client@1.31.1-r9?arch=x86_64\u0026distro=3.11.5", + "UID": "1ec452d99da3f94b" + }, + "InstalledVersion": "1.31.1-r9", + "FixedVersion": "1.31.1-r11", + "Status": "fixed", + "Layer": { + "Digest": "sha256:aad63a9339440e7c3e1fff2b988991b9bfb81280042fa7f39a5e327023056819", + "DiffID": "sha256:beee9f30bc1f711043e78d4a2be0668955d4b761d587d6f60c2c8dc081efb203" + }, + "SeveritySource": "nvd", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2021-42374", + "DataSource": { + "ID": "alpine", + "Name": "Alpine Secdb", + "URL": "https://secdb.alpinelinux.org/" + }, + "Title": "busybox: out-of-bounds read in unlzma applet leads to information leak and denial of service when crafted LZMA-compressed input is decompressed", + "Description": "An out-of-bounds heap read in Busybox's 
unlzma applet leads to information leak and denial of service when crafted LZMA-compressed input is decompressed. This can be triggered by any applet/format that", + "Severity": "MEDIUM", + "CweIDs": [ + "CWE-125" + ], + "VendorSeverity": { + "azure": 2, + "cbl-mariner": 2, + "nvd": 2, + "redhat": 2, + "ubuntu": 1 + }, + "CVSS": { + "nvd": { + "V2Vector": "AV:L/AC:M/Au:N/C:P/I:N/A:P", + "V3Vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:H", + "V2Score": 3.3, + "V3Score": 5.3 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:H", + "V3Score": 5.7 + } + }, + "References": [ + "https://access.redhat.com/security/cve/CVE-2021-42374", + "https://claroty.com/team82/research/unboxing-busybox-14-vulnerabilities-uncovered-by-claroty-jfrog", + "https://jfrog.com/blog/unboxing-busybox-14-new-vulnerabilities-uncovered-by-claroty-and-jfrog/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6T2TURBYYJGBMQTTN2DSOAIQGP7WCPGV/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UQXGOGWBIYWOIVXJVRKHZR34UMEHQBXS/", + "https://nvd.nist.gov/vuln/detail/CVE-2021-42374", + "https://security.netapp.com/advisory/ntap-20211223-0002/", + "https://ubuntu.com/security/notices/USN-5179-1", + "https://www.cve.org/CVERecord?id=CVE-2021-42374" + ], + "PublishedDate": "2021-11-15T21:15:07.54Z", + "LastModifiedDate": "2023-11-07T03:39:09.877Z" + }, + { + "VulnerabilityID": "CVE-2022-37434", + "PkgID": "zlib@1.2.11-r3", + "PkgName": "zlib", + "PkgIdentifier": { + "PURL": "pkg:apk/alpine/zlib@1.2.11-r3?arch=x86_64\u0026distro=3.11.5", + "UID": "2c256b1c7d58416b" + }, + "InstalledVersion": "1.2.11-r3", + "FixedVersion": "1.2.11-r4", + "Status": "fixed", + "Layer": { + "Digest": "sha256:aad63a9339440e7c3e1fff2b988991b9bfb81280042fa7f39a5e327023056819", + "DiffID": "sha256:beee9f30bc1f711043e78d4a2be0668955d4b761d587d6f60c2c8dc081efb203" + }, + "SeveritySource": "nvd", + 
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2022-37434", + "DataSource": { + "ID": "alpine", + "Name": "Alpine Secdb", + "URL": "https://secdb.alpinelinux.org/" + }, + "Title": "zlib: heap-based buffer over-read and overflow in inflate() in inflate.c via a large gzip header extra field", + "Description": "zlib through 1.2.12 has a heap-based buffer over-read or buffer overflow in inflate in inflate.c via a large gzip header extra field. NOTE: only applications that call inflateGetHeader are affected. Some common applications bundle the affected zlib source code but may be unable to call inflateGetHeader (e.g., see the nodejs/node reference).", + "Severity": "CRITICAL", + "CweIDs": [ + "CWE-787" + ], + "VendorSeverity": { + "alma": 2, + "amazon": 3, + "azure": 4, + "cbl-mariner": 4, + "nvd": 4, + "oracle-oval": 2, + "photon": 4, + "redhat": 2, + "rocky": 2, + "ubuntu": 2 + }, + "CVSS": { + "nvd": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "V3Score": 9.8 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:H", + "V3Score": 7 + } + }, + "References": [ + "http://seclists.org/fulldisclosure/2022/Oct/37", + "http://seclists.org/fulldisclosure/2022/Oct/38", + "http://seclists.org/fulldisclosure/2022/Oct/41", + "http://seclists.org/fulldisclosure/2022/Oct/42", + "http://www.openwall.com/lists/oss-security/2022/08/05/2", + "http://www.openwall.com/lists/oss-security/2022/08/09/1", + "https://access.redhat.com/errata/RHSA-2022:8291", + "https://access.redhat.com/security/cve/CVE-2022-37434", + "https://bugzilla.redhat.com/2116639", + "https://bugzilla.redhat.com/show_bug.cgi?id=2053198", + "https://bugzilla.redhat.com/show_bug.cgi?id=2077431", + "https://bugzilla.redhat.com/show_bug.cgi?id=2081296", + "https://bugzilla.redhat.com/show_bug.cgi?id=2116639", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-37434", + "https://errata.almalinux.org/9/ALSA-2022-8291.html", + "https://errata.rockylinux.org/RLSA-2022:8291", 
+ "https://github.com/curl/curl/issues/9271", + "https://github.com/ivd38/zlib_overflow", + "https://github.com/madler/zlib/blob/21767c654d31d2dccdde4330529775c6c5fd5389/zlib.h#L1062-L1063", + "https://github.com/madler/zlib/commit/eff308af425b67093bab25f80f1ae950166bece1", + "https://github.com/nodejs/node/blob/75b68c6e4db515f76df73af476eccf382bbcb00a/deps/zlib/inflate.c#L762-L764", + "https://linux.oracle.com/cve/CVE-2022-37434.html", + "https://linux.oracle.com/errata/ELSA-2023-1095.html", + "https://lists.debian.org/debian-lts-announce/2022/09/msg00012.html", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JWN4VE3JQR4O2SOUS5TXNLANRPMHWV4I/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NMBOJ77A7T7PQCARMDUK75TE6LLESZ3O/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PAVPQNCG3XRLCLNSQRM3KAN5ZFMVXVTY/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/X5U7OTKZSHY2I3ZFJSR2SHFHW72RKGDK/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YRQAI7H4M4RQZ2IWZUEEXECBE5D56BH2/", + "https://nvd.nist.gov/vuln/detail/CVE-2022-37434", + "https://security.netapp.com/advisory/ntap-20220901-0005/", + "https://security.netapp.com/advisory/ntap-20230427-0007/", + "https://support.apple.com/kb/HT213488", + "https://support.apple.com/kb/HT213489", + "https://support.apple.com/kb/HT213490", + "https://support.apple.com/kb/HT213491", + "https://support.apple.com/kb/HT213493", + "https://support.apple.com/kb/HT213494", + "https://ubuntu.com/security/notices/USN-5570-1", + "https://ubuntu.com/security/notices/USN-5570-2", + "https://ubuntu.com/security/notices/USN-5573-1", + "https://ubuntu.com/security/notices/USN-6736-1", + "https://ubuntu.com/security/notices/USN-6736-2", + "https://www.cve.org/CVERecord?id=CVE-2022-37434", + 
"https://www.debian.org/security/2022/dsa-5218" + ], + "PublishedDate": "2022-08-05T07:15:07.24Z", + "LastModifiedDate": "2023-07-19T00:56:46.373Z" + } + ] + }, + { + "Target": "Node.js", + "Class": "lang-pkgs", + "Type": "node-pkg", + "Vulnerabilities": [ + { + "VulnerabilityID": "CVE-2020-15366", + "PkgID": "ajv@5.5.2", + "PkgName": "ajv", + "PkgPath": "usr/local/lib/node_modules/npm/node_modules/ajv/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/ajv@5.5.2", + "UID": "f5df189eb1bc9951" + }, + "InstalledVersion": "5.5.2", + "FixedVersion": "6.12.3", + "Status": "fixed", + "Layer": { + "Digest": "sha256:1e6875f31a79a89ba75198be98bcf8542ebf5bedc72e713643f8051c1de5f953", + "DiffID": "sha256:b745c9620c42ed8b3d44112811e039e9e673072cef3bb5740bb1d560a40b1f8a" + }, + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2020-15366", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Title": "nodejs-ajv: prototype pollution via crafted JSON schema in ajv.validate function", + "Description": "An issue was discovered in ajv.validate() in Ajv (aka Another JSON Schema Validator) 6.12.2. A carefully crafted JSON schema could be provided that allows execution of other code by prototype pollution. 
(While untrusted schemas are recommended against, the worst case of an untrusted schema should be a denial of service, not execution of code.)", + "Severity": "MEDIUM", + "CweIDs": [ + "CWE-1321" + ], + "VendorSeverity": { + "alma": 2, + "ghsa": 2, + "nvd": 2, + "oracle-oval": 2, + "redhat": 2 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L", + "V3Score": 5.6 + }, + "nvd": { + "V2Vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P", + "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L", + "V2Score": 6.8, + "V3Score": 5.6 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L", + "V3Score": 5.6 + } + }, + "References": [ + "https://access.redhat.com/security/cve/CVE-2020-15366", + "https://errata.almalinux.org/8/ALSA-2021-0551.html", + "https://github.com/ajv-validator/ajv", + "https://github.com/ajv-validator/ajv/commit/65b2f7d76b190ac63a0d4e9154c712d7aa37049f", + "https://github.com/ajv-validator/ajv/releases/tag/v6.12.3", + "https://github.com/ajv-validator/ajv/tags", + "https://hackerone.com/bugs?subject=user\u0026report_id=894259", + "https://linux.oracle.com/cve/CVE-2020-15366.html", + "https://linux.oracle.com/errata/ELSA-2021-0551.html", + "https://nvd.nist.gov/vuln/detail/CVE-2020-15366", + "https://security.netapp.com/advisory/ntap-20240621-0007", + "https://security.netapp.com/advisory/ntap-20240621-0007/", + "https://snyk.io/vuln/SNYK-JS-AJV-584908", + "https://www.cve.org/CVERecord?id=CVE-2020-15366" + ], + "PublishedDate": "2020-07-15T20:15:13.38Z", + "LastModifiedDate": "2024-06-21T19:15:16.02Z" + }, + { + "VulnerabilityID": "CVE-2020-15366", + "PkgID": "ajv@6.12.2", + "PkgName": "ajv", + "PkgPath": "juice-shop/node_modules/ajv/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/ajv@6.12.2", + "UID": "7f6ce5fced88c399" + }, + "InstalledVersion": "6.12.2", + "FixedVersion": "6.12.3", + "Status": "fixed", + "Layer": { + "Digest": 
"sha256:372ee704575ced2099853693fdb4f8770cd71b4bfcc2bf639c8e9f9d481ede37", + "DiffID": "sha256:6de27bb627f066285f0628172e686caf3e388a3bf266606c88d619d87d14aae3" + }, + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2020-15366", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Title": "nodejs-ajv: prototype pollution via crafted JSON schema in ajv.validate function", + "Description": "An issue was discovered in ajv.validate() in Ajv (aka Another JSON Schema Validator) 6.12.2. A carefully crafted JSON schema could be provided that allows execution of other code by prototype pollution. (While untrusted schemas are recommended against, the worst case of an untrusted schema should be a denial of service, not execution of code.)", + "Severity": "MEDIUM", + "CweIDs": [ + "CWE-1321" + ], + "VendorSeverity": { + "alma": 2, + "ghsa": 2, + "nvd": 2, + "oracle-oval": 2, + "redhat": 2 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L", + "V3Score": 5.6 + }, + "nvd": { + "V2Vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P", + "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L", + "V2Score": 6.8, + "V3Score": 5.6 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L", + "V3Score": 5.6 + } + }, + "References": [ + "https://access.redhat.com/security/cve/CVE-2020-15366", + "https://errata.almalinux.org/8/ALSA-2021-0551.html", + "https://github.com/ajv-validator/ajv", + "https://github.com/ajv-validator/ajv/commit/65b2f7d76b190ac63a0d4e9154c712d7aa37049f", + "https://github.com/ajv-validator/ajv/releases/tag/v6.12.3", + "https://github.com/ajv-validator/ajv/tags", + "https://hackerone.com/bugs?subject=user\u0026report_id=894259", + "https://linux.oracle.com/cve/CVE-2020-15366.html", + "https://linux.oracle.com/errata/ELSA-2021-0551.html", + 
"https://nvd.nist.gov/vuln/detail/CVE-2020-15366", + "https://security.netapp.com/advisory/ntap-20240621-0007", + "https://security.netapp.com/advisory/ntap-20240621-0007/", + "https://snyk.io/vuln/SNYK-JS-AJV-584908", + "https://www.cve.org/CVERecord?id=CVE-2020-15366" + ], + "PublishedDate": "2020-07-15T20:15:13.38Z", + "LastModifiedDate": "2024-06-21T19:15:16.02Z" + }, + { + "VulnerabilityID": "CVE-2021-3807", + "PkgID": "ansi-regex@3.0.0", + "PkgName": "ansi-regex", + "PkgPath": "juice-shop/node_modules/replace/node_modules/ansi-regex/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/ansi-regex@3.0.0", + "UID": "64a2028716f97add" + }, + "InstalledVersion": "3.0.0", + "FixedVersion": "6.0.1, 5.0.1, 4.1.1, 3.0.1", + "Status": "fixed", + "Layer": { + "Digest": "sha256:372ee704575ced2099853693fdb4f8770cd71b4bfcc2bf639c8e9f9d481ede37", + "DiffID": "sha256:6de27bb627f066285f0628172e686caf3e388a3bf266606c88d619d87d14aae3" + }, + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2021-3807", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Title": "nodejs-ansi-regex: Regular expression denial of service (ReDoS) matching ANSI escape codes", + "Description": "ansi-regex is vulnerable to Inefficient Regular Expression Complexity", + "Severity": "HIGH", + "CweIDs": [ + "CWE-1333" + ], + "VendorSeverity": { + "alma": 2, + "ghsa": 3, + "nvd": 3, + "oracle-oval": 2, + "redhat": 2 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 7.5 + }, + "nvd": { + "V2Vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C", + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V2Score": 7.8, + "V3Score": 7.5 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 7.5 + } + }, + "References": [ + "https://access.redhat.com/errata/RHSA-2022:6595", + 
"https://access.redhat.com/security/cve/CVE-2021-3807", + "https://app.snyk.io/vuln/SNYK-JS-ANSIREGEX-1583908", + "https://bugzilla.redhat.com/1907444", + "https://bugzilla.redhat.com/1945459", + "https://bugzilla.redhat.com/1964461", + "https://bugzilla.redhat.com/2007557", + "https://bugzilla.redhat.com/2098556", + "https://bugzilla.redhat.com/2102001", + "https://bugzilla.redhat.com/2105422", + "https://bugzilla.redhat.com/2105426", + "https://bugzilla.redhat.com/2105428", + "https://bugzilla.redhat.com/2105430", + "https://errata.almalinux.org/9/ALSA-2022-6595.html", + "https://github.com/chalk/ansi-regex", + "https://github.com/chalk/ansi-regex/commit/419250fa510bf31b4cc672e76537a64f9332e1f1", + "https://github.com/chalk/ansi-regex/commit/75a657da7af875b2e2724fd6331bf0a4b23d3c9a", + "https://github.com/chalk/ansi-regex/commit/8d1d7cdb586269882c4bdc1b7325d0c58c8f76f9", + "https://github.com/chalk/ansi-regex/commit/c3c0b3f2736b9c01feec0fef33980c43720dcde8", + "https://github.com/chalk/ansi-regex/issues/38#issuecomment-924086311", + "https://github.com/chalk/ansi-regex/issues/38#issuecomment-925924774", + "https://github.com/chalk/ansi-regex/releases/tag/v6.0.1", + "https://huntr.dev/bounties/5b3cf33b-ede0-4398-9974-800876dfd994", + "https://linux.oracle.com/cve/CVE-2021-3807.html", + "https://linux.oracle.com/errata/ELSA-2022-6595.html", + "https://nvd.nist.gov/vuln/detail/CVE-2021-3807", + "https://security.netapp.com/advisory/ntap-20221014-0002", + "https://security.netapp.com/advisory/ntap-20221014-0002/", + "https://www.cve.org/CVERecord?id=CVE-2021-3807", + "https://www.oracle.com/security-alerts/cpuapr2022.html" + ], + "PublishedDate": "2021-09-17T07:15:09.273Z", + "LastModifiedDate": "2023-07-10T19:01:59.323Z" + }, + { + "VulnerabilityID": "CVE-2021-3807", + "PkgID": "ansi-regex@3.0.0", + "PkgName": "ansi-regex", + "PkgPath": "juice-shop/node_modules/wide-align/node_modules/ansi-regex/package.json", + "PkgIdentifier": { + "PURL": 
"pkg:npm/ansi-regex@3.0.0", + "UID": "1098103cc12bf9e0" + }, + "InstalledVersion": "3.0.0", + "FixedVersion": "6.0.1, 5.0.1, 4.1.1, 3.0.1", + "Status": "fixed", + "Layer": { + "Digest": "sha256:372ee704575ced2099853693fdb4f8770cd71b4bfcc2bf639c8e9f9d481ede37", + "DiffID": "sha256:6de27bb627f066285f0628172e686caf3e388a3bf266606c88d619d87d14aae3" + }, + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2021-3807", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Title": "nodejs-ansi-regex: Regular expression denial of service (ReDoS) matching ANSI escape codes", + "Description": "ansi-regex is vulnerable to Inefficient Regular Expression Complexity", + "Severity": "HIGH", + "CweIDs": [ + "CWE-1333" + ], + "VendorSeverity": { + "alma": 2, + "ghsa": 3, + "nvd": 3, + "oracle-oval": 2, + "redhat": 2 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 7.5 + }, + "nvd": { + "V2Vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C", + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V2Score": 7.8, + "V3Score": 7.5 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 7.5 + } + }, + "References": [ + "https://access.redhat.com/errata/RHSA-2022:6595", + "https://access.redhat.com/security/cve/CVE-2021-3807", + "https://app.snyk.io/vuln/SNYK-JS-ANSIREGEX-1583908", + "https://bugzilla.redhat.com/1907444", + "https://bugzilla.redhat.com/1945459", + "https://bugzilla.redhat.com/1964461", + "https://bugzilla.redhat.com/2007557", + "https://bugzilla.redhat.com/2098556", + "https://bugzilla.redhat.com/2102001", + "https://bugzilla.redhat.com/2105422", + "https://bugzilla.redhat.com/2105426", + "https://bugzilla.redhat.com/2105428", + "https://bugzilla.redhat.com/2105430", + "https://errata.almalinux.org/9/ALSA-2022-6595.html", + 
"https://github.com/chalk/ansi-regex", + "https://github.com/chalk/ansi-regex/commit/419250fa510bf31b4cc672e76537a64f9332e1f1", + "https://github.com/chalk/ansi-regex/commit/75a657da7af875b2e2724fd6331bf0a4b23d3c9a", + "https://github.com/chalk/ansi-regex/commit/8d1d7cdb586269882c4bdc1b7325d0c58c8f76f9", + "https://github.com/chalk/ansi-regex/commit/c3c0b3f2736b9c01feec0fef33980c43720dcde8", + "https://github.com/chalk/ansi-regex/issues/38#issuecomment-924086311", + "https://github.com/chalk/ansi-regex/issues/38#issuecomment-925924774", + "https://github.com/chalk/ansi-regex/releases/tag/v6.0.1", + "https://huntr.dev/bounties/5b3cf33b-ede0-4398-9974-800876dfd994", + "https://linux.oracle.com/cve/CVE-2021-3807.html", + "https://linux.oracle.com/errata/ELSA-2022-6595.html", + "https://nvd.nist.gov/vuln/detail/CVE-2021-3807", + "https://security.netapp.com/advisory/ntap-20221014-0002", + "https://security.netapp.com/advisory/ntap-20221014-0002/", + "https://www.cve.org/CVERecord?id=CVE-2021-3807", + "https://www.oracle.com/security-alerts/cpuapr2022.html" + ], + "PublishedDate": "2021-09-17T07:15:09.273Z", + "LastModifiedDate": "2023-07-10T19:01:59.323Z" + }, + { + "VulnerabilityID": "CVE-2021-3807", + "PkgID": "ansi-regex@3.0.0", + "PkgName": "ansi-regex", + "PkgPath": "usr/local/lib/node_modules/npm/node_modules/cliui/node_modules/ansi-regex/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/ansi-regex@3.0.0", + "UID": "733d6b1c21d655a5" + }, + "InstalledVersion": "3.0.0", + "FixedVersion": "6.0.1, 5.0.1, 4.1.1, 3.0.1", + "Status": "fixed", + "Layer": { + "Digest": "sha256:1e6875f31a79a89ba75198be98bcf8542ebf5bedc72e713643f8051c1de5f953", + "DiffID": "sha256:b745c9620c42ed8b3d44112811e039e9e673072cef3bb5740bb1d560a40b1f8a" + }, + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2021-3807", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": 
"https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Title": "nodejs-ansi-regex: Regular expression denial of service (ReDoS) matching ANSI escape codes", + "Description": "ansi-regex is vulnerable to Inefficient Regular Expression Complexity", + "Severity": "HIGH", + "CweIDs": [ + "CWE-1333" + ], + "VendorSeverity": { + "alma": 2, + "ghsa": 3, + "nvd": 3, + "oracle-oval": 2, + "redhat": 2 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 7.5 + }, + "nvd": { + "V2Vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C", + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V2Score": 7.8, + "V3Score": 7.5 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 7.5 + } + }, + "References": [ + "https://access.redhat.com/errata/RHSA-2022:6595", + "https://access.redhat.com/security/cve/CVE-2021-3807", + "https://app.snyk.io/vuln/SNYK-JS-ANSIREGEX-1583908", + "https://bugzilla.redhat.com/1907444", + "https://bugzilla.redhat.com/1945459", + "https://bugzilla.redhat.com/1964461", + "https://bugzilla.redhat.com/2007557", + "https://bugzilla.redhat.com/2098556", + "https://bugzilla.redhat.com/2102001", + "https://bugzilla.redhat.com/2105422", + "https://bugzilla.redhat.com/2105426", + "https://bugzilla.redhat.com/2105428", + "https://bugzilla.redhat.com/2105430", + "https://errata.almalinux.org/9/ALSA-2022-6595.html", + "https://github.com/chalk/ansi-regex", + "https://github.com/chalk/ansi-regex/commit/419250fa510bf31b4cc672e76537a64f9332e1f1", + "https://github.com/chalk/ansi-regex/commit/75a657da7af875b2e2724fd6331bf0a4b23d3c9a", + "https://github.com/chalk/ansi-regex/commit/8d1d7cdb586269882c4bdc1b7325d0c58c8f76f9", + "https://github.com/chalk/ansi-regex/commit/c3c0b3f2736b9c01feec0fef33980c43720dcde8", + "https://github.com/chalk/ansi-regex/issues/38#issuecomment-924086311", + "https://github.com/chalk/ansi-regex/issues/38#issuecomment-925924774", + 
"https://github.com/chalk/ansi-regex/releases/tag/v6.0.1", + "https://huntr.dev/bounties/5b3cf33b-ede0-4398-9974-800876dfd994", + "https://linux.oracle.com/cve/CVE-2021-3807.html", + "https://linux.oracle.com/errata/ELSA-2022-6595.html", + "https://nvd.nist.gov/vuln/detail/CVE-2021-3807", + "https://security.netapp.com/advisory/ntap-20221014-0002", + "https://security.netapp.com/advisory/ntap-20221014-0002/", + "https://www.cve.org/CVERecord?id=CVE-2021-3807", + "https://www.oracle.com/security-alerts/cpuapr2022.html" + ], + "PublishedDate": "2021-09-17T07:15:09.273Z", + "LastModifiedDate": "2023-07-10T19:01:59.323Z" + }, + { + "VulnerabilityID": "CVE-2021-3807", + "PkgID": "ansi-regex@3.0.0", + "PkgName": "ansi-regex", + "PkgPath": "usr/local/lib/node_modules/npm/node_modules/string-width/node_modules/ansi-regex/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/ansi-regex@3.0.0", + "UID": "309dab489f487476" + }, + "InstalledVersion": "3.0.0", + "FixedVersion": "6.0.1, 5.0.1, 4.1.1, 3.0.1", + "Status": "fixed", + "Layer": { + "Digest": "sha256:1e6875f31a79a89ba75198be98bcf8542ebf5bedc72e713643f8051c1de5f953", + "DiffID": "sha256:b745c9620c42ed8b3d44112811e039e9e673072cef3bb5740bb1d560a40b1f8a" + }, + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2021-3807", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Title": "nodejs-ansi-regex: Regular expression denial of service (ReDoS) matching ANSI escape codes", + "Description": "ansi-regex is vulnerable to Inefficient Regular Expression Complexity", + "Severity": "HIGH", + "CweIDs": [ + "CWE-1333" + ], + "VendorSeverity": { + "alma": 2, + "ghsa": 3, + "nvd": 3, + "oracle-oval": 2, + "redhat": 2 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 7.5 + }, + "nvd": { + "V2Vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C", + "V3Vector": 
"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V2Score": 7.8, + "V3Score": 7.5 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 7.5 + } + }, + "References": [ + "https://access.redhat.com/errata/RHSA-2022:6595", + "https://access.redhat.com/security/cve/CVE-2021-3807", + "https://app.snyk.io/vuln/SNYK-JS-ANSIREGEX-1583908", + "https://bugzilla.redhat.com/1907444", + "https://bugzilla.redhat.com/1945459", + "https://bugzilla.redhat.com/1964461", + "https://bugzilla.redhat.com/2007557", + "https://bugzilla.redhat.com/2098556", + "https://bugzilla.redhat.com/2102001", + "https://bugzilla.redhat.com/2105422", + "https://bugzilla.redhat.com/2105426", + "https://bugzilla.redhat.com/2105428", + "https://bugzilla.redhat.com/2105430", + "https://errata.almalinux.org/9/ALSA-2022-6595.html", + "https://github.com/chalk/ansi-regex", + "https://github.com/chalk/ansi-regex/commit/419250fa510bf31b4cc672e76537a64f9332e1f1", + "https://github.com/chalk/ansi-regex/commit/75a657da7af875b2e2724fd6331bf0a4b23d3c9a", + "https://github.com/chalk/ansi-regex/commit/8d1d7cdb586269882c4bdc1b7325d0c58c8f76f9", + "https://github.com/chalk/ansi-regex/commit/c3c0b3f2736b9c01feec0fef33980c43720dcde8", + "https://github.com/chalk/ansi-regex/issues/38#issuecomment-924086311", + "https://github.com/chalk/ansi-regex/issues/38#issuecomment-925924774", + "https://github.com/chalk/ansi-regex/releases/tag/v6.0.1", + "https://huntr.dev/bounties/5b3cf33b-ede0-4398-9974-800876dfd994", + "https://linux.oracle.com/cve/CVE-2021-3807.html", + "https://linux.oracle.com/errata/ELSA-2022-6595.html", + "https://nvd.nist.gov/vuln/detail/CVE-2021-3807", + "https://security.netapp.com/advisory/ntap-20221014-0002", + "https://security.netapp.com/advisory/ntap-20221014-0002/", + "https://www.cve.org/CVERecord?id=CVE-2021-3807", + "https://www.oracle.com/security-alerts/cpuapr2022.html" + ], + "PublishedDate": "2021-09-17T07:15:09.273Z", + "LastModifiedDate": 
"2023-07-10T19:01:59.323Z" + }, + { + "VulnerabilityID": "CVE-2021-3807", + "PkgID": "ansi-regex@4.1.0", + "PkgName": "ansi-regex", + "PkgPath": "juice-shop/node_modules/ansi-regex/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/ansi-regex@4.1.0", + "UID": "495d48f67277b86" + }, + "InstalledVersion": "4.1.0", + "FixedVersion": "6.0.1, 5.0.1, 4.1.1, 3.0.1", + "Status": "fixed", + "Layer": { + "Digest": "sha256:372ee704575ced2099853693fdb4f8770cd71b4bfcc2bf639c8e9f9d481ede37", + "DiffID": "sha256:6de27bb627f066285f0628172e686caf3e388a3bf266606c88d619d87d14aae3" + }, + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2021-3807", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Title": "nodejs-ansi-regex: Regular expression denial of service (ReDoS) matching ANSI escape codes", + "Description": "ansi-regex is vulnerable to Inefficient Regular Expression Complexity", + "Severity": "HIGH", + "CweIDs": [ + "CWE-1333" + ], + "VendorSeverity": { + "alma": 2, + "ghsa": 3, + "nvd": 3, + "oracle-oval": 2, + "redhat": 2 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 7.5 + }, + "nvd": { + "V2Vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C", + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V2Score": 7.8, + "V3Score": 7.5 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 7.5 + } + }, + "References": [ + "https://access.redhat.com/errata/RHSA-2022:6595", + "https://access.redhat.com/security/cve/CVE-2021-3807", + "https://app.snyk.io/vuln/SNYK-JS-ANSIREGEX-1583908", + "https://bugzilla.redhat.com/1907444", + "https://bugzilla.redhat.com/1945459", + "https://bugzilla.redhat.com/1964461", + "https://bugzilla.redhat.com/2007557", + "https://bugzilla.redhat.com/2098556", + "https://bugzilla.redhat.com/2102001", + 
"https://bugzilla.redhat.com/2105422", + "https://bugzilla.redhat.com/2105426", + "https://bugzilla.redhat.com/2105428", + "https://bugzilla.redhat.com/2105430", + "https://errata.almalinux.org/9/ALSA-2022-6595.html", + "https://github.com/chalk/ansi-regex", + "https://github.com/chalk/ansi-regex/commit/419250fa510bf31b4cc672e76537a64f9332e1f1", + "https://github.com/chalk/ansi-regex/commit/75a657da7af875b2e2724fd6331bf0a4b23d3c9a", + "https://github.com/chalk/ansi-regex/commit/8d1d7cdb586269882c4bdc1b7325d0c58c8f76f9", + "https://github.com/chalk/ansi-regex/commit/c3c0b3f2736b9c01feec0fef33980c43720dcde8", + "https://github.com/chalk/ansi-regex/issues/38#issuecomment-924086311", + "https://github.com/chalk/ansi-regex/issues/38#issuecomment-925924774", + "https://github.com/chalk/ansi-regex/releases/tag/v6.0.1", + "https://huntr.dev/bounties/5b3cf33b-ede0-4398-9974-800876dfd994", + "https://linux.oracle.com/cve/CVE-2021-3807.html", + "https://linux.oracle.com/errata/ELSA-2022-6595.html", + "https://nvd.nist.gov/vuln/detail/CVE-2021-3807", + "https://security.netapp.com/advisory/ntap-20221014-0002", + "https://security.netapp.com/advisory/ntap-20221014-0002/", + "https://www.cve.org/CVERecord?id=CVE-2021-3807", + "https://www.oracle.com/security-alerts/cpuapr2022.html" + ], + "PublishedDate": "2021-09-17T07:15:09.273Z", + "LastModifiedDate": "2023-07-10T19:01:59.323Z" + }, + { + "VulnerabilityID": "CVE-2021-43138", + "PkgID": "async@2.6.3", + "PkgName": "async", + "PkgPath": "juice-shop/node_modules/archiver/node_modules/async/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/async@2.6.3", + "UID": "d832dd7e90709667" + }, + "InstalledVersion": "2.6.3", + "FixedVersion": "3.2.2, 2.6.4", + "Status": "fixed", + "Layer": { + "Digest": "sha256:372ee704575ced2099853693fdb4f8770cd71b4bfcc2bf639c8e9f9d481ede37", + "DiffID": "sha256:6de27bb627f066285f0628172e686caf3e388a3bf266606c88d619d87d14aae3" + }, + "SeveritySource": "ghsa", + "PrimaryURL": 
"https://avd.aquasec.com/nvd/cve-2021-43138", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Title": "async: Prototype Pollution in async", + "Description": "In Async before 2.6.4 and 3.x before 3.2.2, a malicious user can obtain privileges via the mapValues() method, aka lib/internal/iterator.js createObjectIterator prototype pollution.", + "Severity": "HIGH", + "CweIDs": [ + "CWE-1321" + ], + "VendorSeverity": { + "ghsa": 3, + "nvd": 3, + "redhat": 2 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "V3Score": 7.8 + }, + "nvd": { + "V2Vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P", + "V3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "V2Score": 6.8, + "V3Score": 7.8 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "V3Score": 7.8 + } + }, + "References": [ + "https://access.redhat.com/security/cve/CVE-2021-43138", + "https://github.com/advisories/GHSA-fwr7-v2mv-hh25", + "https://github.com/caolan/async", + "https://github.com/caolan/async/blob/master/lib/internal/iterator.js", + "https://github.com/caolan/async/blob/master/lib/mapValuesLimit.js", + "https://github.com/caolan/async/blob/v2.6.4/CHANGELOG.md#v264", + "https://github.com/caolan/async/commit/8f7f90342a6571ba1c197d747ebed30c368096d2", + "https://github.com/caolan/async/commit/e1ecdbf79264f9ab488c7799f4c76996d5dca66d", + "https://github.com/caolan/async/compare/v2.6.3...v2.6.4", + "https://github.com/caolan/async/pull/1828", + "https://jsfiddle.net/oz5twjd9", + "https://jsfiddle.net/oz5twjd9/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MTEUUTNIEBHGKUKKLNUZSV7IEP6IP3Q3", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MTEUUTNIEBHGKUKKLNUZSV7IEP6IP3Q3/", + 
"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UM6XJ73Q3NAM5KSGCOKJ2ZIA6GUWUJLK", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UM6XJ73Q3NAM5KSGCOKJ2ZIA6GUWUJLK/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MTEUUTNIEBHGKUKKLNUZSV7IEP6IP3Q3", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UM6XJ73Q3NAM5KSGCOKJ2ZIA6GUWUJLK", + "https://nvd.nist.gov/vuln/detail/CVE-2021-43138", + "https://security.netapp.com/advisory/ntap-20240621-0006", + "https://security.netapp.com/advisory/ntap-20240621-0006/", + "https://www.cve.org/CVERecord?id=CVE-2021-43138" + ], + "PublishedDate": "2022-04-06T17:15:08.65Z", + "LastModifiedDate": "2024-06-21T19:15:20.737Z" + }, + { + "VulnerabilityID": "CVE-2021-43138", + "PkgID": "async@2.6.3", + "PkgName": "async", + "PkgPath": "juice-shop/node_modules/portscanner/node_modules/async/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/async@2.6.3", + "UID": "b39f17aad08c794" + }, + "InstalledVersion": "2.6.3", + "FixedVersion": "3.2.2, 2.6.4", + "Status": "fixed", + "Layer": { + "Digest": "sha256:372ee704575ced2099853693fdb4f8770cd71b4bfcc2bf639c8e9f9d481ede37", + "DiffID": "sha256:6de27bb627f066285f0628172e686caf3e388a3bf266606c88d619d87d14aae3" + }, + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2021-43138", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Title": "async: Prototype Pollution in async", + "Description": "In Async before 2.6.4 and 3.x before 3.2.2, a malicious user can obtain privileges via the mapValues() method, aka lib/internal/iterator.js createObjectIterator prototype pollution.", + "Severity": "HIGH", + "CweIDs": [ + "CWE-1321" + ], + "VendorSeverity": { + "ghsa": 3, + 
"nvd": 3, + "redhat": 2 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "V3Score": 7.8 + }, + "nvd": { + "V2Vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P", + "V3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "V2Score": 6.8, + "V3Score": 7.8 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "V3Score": 7.8 + } + }, + "References": [ + "https://access.redhat.com/security/cve/CVE-2021-43138", + "https://github.com/advisories/GHSA-fwr7-v2mv-hh25", + "https://github.com/caolan/async", + "https://github.com/caolan/async/blob/master/lib/internal/iterator.js", + "https://github.com/caolan/async/blob/master/lib/mapValuesLimit.js", + "https://github.com/caolan/async/blob/v2.6.4/CHANGELOG.md#v264", + "https://github.com/caolan/async/commit/8f7f90342a6571ba1c197d747ebed30c368096d2", + "https://github.com/caolan/async/commit/e1ecdbf79264f9ab488c7799f4c76996d5dca66d", + "https://github.com/caolan/async/compare/v2.6.3...v2.6.4", + "https://github.com/caolan/async/pull/1828", + "https://jsfiddle.net/oz5twjd9", + "https://jsfiddle.net/oz5twjd9/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MTEUUTNIEBHGKUKKLNUZSV7IEP6IP3Q3", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MTEUUTNIEBHGKUKKLNUZSV7IEP6IP3Q3/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UM6XJ73Q3NAM5KSGCOKJ2ZIA6GUWUJLK", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UM6XJ73Q3NAM5KSGCOKJ2ZIA6GUWUJLK/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MTEUUTNIEBHGKUKKLNUZSV7IEP6IP3Q3", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UM6XJ73Q3NAM5KSGCOKJ2ZIA6GUWUJLK", + "https://nvd.nist.gov/vuln/detail/CVE-2021-43138", + 
"https://security.netapp.com/advisory/ntap-20240621-0006", + "https://security.netapp.com/advisory/ntap-20240621-0006/", + "https://www.cve.org/CVERecord?id=CVE-2021-43138" + ], + "PublishedDate": "2022-04-06T17:15:08.65Z", + "LastModifiedDate": "2024-06-21T19:15:20.737Z" + }, + { + "VulnerabilityID": "CVE-2021-43138", + "PkgID": "async@2.6.3", + "PkgName": "async", + "PkgPath": "juice-shop/node_modules/winston/node_modules/async/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/async@2.6.3", + "UID": "9594f3361462b0cd" + }, + "InstalledVersion": "2.6.3", + "FixedVersion": "3.2.2, 2.6.4", + "Status": "fixed", + "Layer": { + "Digest": "sha256:372ee704575ced2099853693fdb4f8770cd71b4bfcc2bf639c8e9f9d481ede37", + "DiffID": "sha256:6de27bb627f066285f0628172e686caf3e388a3bf266606c88d619d87d14aae3" + }, + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2021-43138", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Title": "async: Prototype Pollution in async", + "Description": "In Async before 2.6.4 and 3.x before 3.2.2, a malicious user can obtain privileges via the mapValues() method, aka lib/internal/iterator.js createObjectIterator prototype pollution.", + "Severity": "HIGH", + "CweIDs": [ + "CWE-1321" + ], + "VendorSeverity": { + "ghsa": 3, + "nvd": 3, + "redhat": 2 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "V3Score": 7.8 + }, + "nvd": { + "V2Vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P", + "V3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "V2Score": 6.8, + "V3Score": 7.8 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "V3Score": 7.8 + } + }, + "References": [ + "https://access.redhat.com/security/cve/CVE-2021-43138", + "https://github.com/advisories/GHSA-fwr7-v2mv-hh25", + "https://github.com/caolan/async", + 
"https://github.com/caolan/async/blob/master/lib/internal/iterator.js", + "https://github.com/caolan/async/blob/master/lib/mapValuesLimit.js", + "https://github.com/caolan/async/blob/v2.6.4/CHANGELOG.md#v264", + "https://github.com/caolan/async/commit/8f7f90342a6571ba1c197d747ebed30c368096d2", + "https://github.com/caolan/async/commit/e1ecdbf79264f9ab488c7799f4c76996d5dca66d", + "https://github.com/caolan/async/compare/v2.6.3...v2.6.4", + "https://github.com/caolan/async/pull/1828", + "https://jsfiddle.net/oz5twjd9", + "https://jsfiddle.net/oz5twjd9/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MTEUUTNIEBHGKUKKLNUZSV7IEP6IP3Q3", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MTEUUTNIEBHGKUKKLNUZSV7IEP6IP3Q3/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UM6XJ73Q3NAM5KSGCOKJ2ZIA6GUWUJLK", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UM6XJ73Q3NAM5KSGCOKJ2ZIA6GUWUJLK/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MTEUUTNIEBHGKUKKLNUZSV7IEP6IP3Q3", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UM6XJ73Q3NAM5KSGCOKJ2ZIA6GUWUJLK", + "https://nvd.nist.gov/vuln/detail/CVE-2021-43138", + "https://security.netapp.com/advisory/ntap-20240621-0006", + "https://security.netapp.com/advisory/ntap-20240621-0006/", + "https://www.cve.org/CVERecord?id=CVE-2021-43138" + ], + "PublishedDate": "2022-04-06T17:15:08.65Z", + "LastModifiedDate": "2024-06-21T19:15:20.737Z" + }, + { + "VulnerabilityID": "NSWG-ECO-428", + "PkgID": "base64url@0.0.6", + "PkgName": "base64url", + "PkgPath": "juice-shop/node_modules/base64url/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/base64url@0.0.6", + "UID": "37b2d3176f8fdba9" + }, + "InstalledVersion": "0.0.6", + "FixedVersion": 
"\u003e=3.0.0", + "Status": "fixed", + "Layer": { + "Digest": "sha256:372ee704575ced2099853693fdb4f8770cd71b4bfcc2bf639c8e9f9d481ede37", + "DiffID": "sha256:6de27bb627f066285f0628172e686caf3e388a3bf266606c88d619d87d14aae3" + }, + "SeveritySource": "nodejs-security-wg", + "PrimaryURL": "https://hackerone.com/reports/321687", + "DataSource": { + "ID": "nodejs-security-wg", + "Name": "Node.js Ecosystem Security Working Group", + "URL": "https://github.com/nodejs/security-wg" + }, + "Title": "Out-of-bounds Read", + "Description": "`base64url` allocates uninitialized Buffers when number is passed in input on Node.js 4.x and below", + "Severity": "HIGH", + "VendorSeverity": { + "nodejs-security-wg": 3 + }, + "References": [ + "https://github.com/brianloveswords/base64url/pull/25", + "https://hackerone.com/reports/321687" + ] + }, + { + "VulnerabilityID": "GHSA-rvg8-pwq2-xj7q", + "PkgID": "base64url@0.0.6", + "PkgName": "base64url", + "PkgPath": "juice-shop/node_modules/base64url/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/base64url@0.0.6", + "UID": "37b2d3176f8fdba9" + }, + "InstalledVersion": "0.0.6", + "FixedVersion": "3.0.0", + "Status": "fixed", + "Layer": { + "Digest": "sha256:372ee704575ced2099853693fdb4f8770cd71b4bfcc2bf639c8e9f9d481ede37", + "DiffID": "sha256:6de27bb627f066285f0628172e686caf3e388a3bf266606c88d619d87d14aae3" + }, + "SeveritySource": "ghsa", + "PrimaryURL": "https://github.com/advisories/GHSA-rvg8-pwq2-xj7q", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Title": "Out-of-bounds Read in base64url", + "Description": "Versions of `base64url` before 3.0.0 are vulnerable to to out-of-bounds reads as it allocates uninitialized Buffers when number is passed in input on Node.js 4.x and below.\n\n\n## Recommendation\n\nUpdate to version 3.0.0 or later.", + "Severity": "MEDIUM", + "VendorSeverity": { + "ghsa": 2 + }, + "References": 
[ + "https://github.com/brianloveswords/base64url", + "https://github.com/brianloveswords/base64url/commit/4fbd954a0a69e9d898de2146557cc6e893e79542", + "https://github.com/brianloveswords/base64url/pull/25", + "https://hackerone.com/reports/321687" + ] + }, + { + "VulnerabilityID": "CVE-2020-8244", + "PkgID": "bl@1.2.2", + "PkgName": "bl", + "PkgPath": "juice-shop/node_modules/bl/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/bl@1.2.2", + "UID": "d19b94a2a1759038" + }, + "InstalledVersion": "1.2.2", + "FixedVersion": "1.2.3, 2.2.1, 3.0.1, 4.0.3", + "Status": "fixed", + "Layer": { + "Digest": "sha256:372ee704575ced2099853693fdb4f8770cd71b4bfcc2bf639c8e9f9d481ede37", + "DiffID": "sha256:6de27bb627f066285f0628172e686caf3e388a3bf266606c88d619d87d14aae3" + }, + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2020-8244", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Title": "nodejs-bl: buffer over-read vulnerability leads to corrupted BufferList which can result in uninitialized memory being leaked", + "Description": "A buffer over-read vulnerability exists in bl \u003c4.0.3, \u003c3.0.1, \u003c2.2.1, and \u003c1.2.3 which could allow an attacker to supply user input (even typed) that if it ends up in consume() argument and can become negative, the BufferList state can be corrupted, tricking it into exposing uninitialized memory via regular .slice() calls.", + "Severity": "MEDIUM", + "CweIDs": [ + "CWE-125", + "CWE-126" + ], + "VendorSeverity": { + "ghsa": 2, + "nvd": 2, + "redhat": 2, + "ubuntu": 2 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L", + "V3Score": 6.5 + }, + "nvd": { + "V2Vector": "AV:N/AC:L/Au:N/C:P/I:N/A:P", + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L", + "V2Score": 6.4, + "V3Score": 6.5 + }, + "redhat": { + "V3Vector": 
"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L", + "V3Score": 6.5 + } + }, + "References": [ + "https://access.redhat.com/security/cve/CVE-2020-8244", + "https://github.com/rvagg/bl/commit/8a8c13c880e2bef519133ea43e0e9b78b5d0c91e", + "https://github.com/rvagg/bl/commit/d3e240e3b8ba4048d3c76ef5fb9dd1f8872d3190", + "https://github.com/rvagg/bl/commit/dacc4ac7d5fcd6201bcf26fbd886951be9537466", + "https://hackerone.com/reports/966347", + "https://lists.debian.org/debian-lts-announce/2021/06/msg00028.html", + "https://nvd.nist.gov/vuln/detail/CVE-2020-8244", + "https://ubuntu.com/security/notices/USN-5098-1", + "https://ubuntu.com/security/notices/USN-5159-1", + "https://www.cve.org/CVERecord?id=CVE-2020-8244" + ], + "PublishedDate": "2020-08-30T15:15:12.167Z", + "LastModifiedDate": "2022-05-24T17:31:33.843Z" + }, + { + "VulnerabilityID": "CVE-2020-8244", + "PkgID": "bl@4.0.2", + "PkgName": "bl", + "PkgPath": "juice-shop/node_modules/tar-fs/node_modules/bl/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/bl@4.0.2", + "UID": "c82a5a203ec21ff7" + }, + "InstalledVersion": "4.0.2", + "FixedVersion": "1.2.3, 2.2.1, 3.0.1, 4.0.3", + "Status": "fixed", + "Layer": { + "Digest": "sha256:372ee704575ced2099853693fdb4f8770cd71b4bfcc2bf639c8e9f9d481ede37", + "DiffID": "sha256:6de27bb627f066285f0628172e686caf3e388a3bf266606c88d619d87d14aae3" + }, + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2020-8244", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Title": "nodejs-bl: buffer over-read vulnerability leads to corrupted BufferList which can result in uninitialized memory being leaked", + "Description": "A buffer over-read vulnerability exists in bl \u003c4.0.3, \u003c3.0.1, \u003c2.2.1, and \u003c1.2.3 which could allow an attacker to supply user input (even typed) that if it ends up in consume() argument and can become negative, the 
BufferList state can be corrupted, tricking it into exposing uninitialized memory via regular .slice() calls.", + "Severity": "MEDIUM", + "CweIDs": [ + "CWE-125", + "CWE-126" + ], + "VendorSeverity": { + "ghsa": 2, + "nvd": 2, + "redhat": 2, + "ubuntu": 2 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L", + "V3Score": 6.5 + }, + "nvd": { + "V2Vector": "AV:N/AC:L/Au:N/C:P/I:N/A:P", + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L", + "V2Score": 6.4, + "V3Score": 6.5 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L", + "V3Score": 6.5 + } + }, + "References": [ + "https://access.redhat.com/security/cve/CVE-2020-8244", + "https://github.com/rvagg/bl/commit/8a8c13c880e2bef519133ea43e0e9b78b5d0c91e", + "https://github.com/rvagg/bl/commit/d3e240e3b8ba4048d3c76ef5fb9dd1f8872d3190", + "https://github.com/rvagg/bl/commit/dacc4ac7d5fcd6201bcf26fbd886951be9537466", + "https://hackerone.com/reports/966347", + "https://lists.debian.org/debian-lts-announce/2021/06/msg00028.html", + "https://nvd.nist.gov/vuln/detail/CVE-2020-8244", + "https://ubuntu.com/security/notices/USN-5098-1", + "https://ubuntu.com/security/notices/USN-5159-1", + "https://www.cve.org/CVERecord?id=CVE-2020-8244" + ], + "PublishedDate": "2020-08-30T15:15:12.167Z", + "LastModifiedDate": "2022-05-24T17:31:33.843Z" + }, + { + "VulnerabilityID": "CVE-2024-45590", + "PkgID": "body-parser@1.19.0", + "PkgName": "body-parser", + "PkgPath": "juice-shop/node_modules/body-parser/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/body-parser@1.19.0", + "UID": "d474d796f1d9adc6" + }, + "InstalledVersion": "1.19.0", + "FixedVersion": "1.20.3", + "Status": "fixed", + "Layer": { + "Digest": "sha256:372ee704575ced2099853693fdb4f8770cd71b4bfcc2bf639c8e9f9d481ede37", + "DiffID": "sha256:6de27bb627f066285f0628172e686caf3e388a3bf266606c88d619d87d14aae3" + }, + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2024-45590", 
+ "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Title": "body-parser: Denial of Service Vulnerability in body-parser", + "Description": "body-parser is Node.js body parsing middleware. body-parser \u003c1.20.3 is vulnerable to denial of service when url encoding is enabled. A malicious actor using a specially crafted payload could flood the server with a large number of requests, resulting in denial of service. This issue is patched in 1.20.3.", + "Severity": "HIGH", + "CweIDs": [ + "CWE-405" + ], + "VendorSeverity": { + "azure": 3, + "cbl-mariner": 3, + "ghsa": 3, + "nvd": 3, + "redhat": 3 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 7.5 + }, + "nvd": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 7.5 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 7.5 + } + }, + "References": [ + "https://access.redhat.com/security/cve/CVE-2024-45590", + "https://github.com/expressjs/body-parser", + "https://github.com/expressjs/body-parser/commit/b2695c4450f06ba3b0ccf48d872a229bb41c9bce", + "https://github.com/expressjs/body-parser/security/advisories/GHSA-qwcr-r2fm-qrc7", + "https://nvd.nist.gov/vuln/detail/CVE-2024-45590", + "https://www.cve.org/CVERecord?id=CVE-2024-45590" + ], + "PublishedDate": "2024-09-10T16:15:21.083Z", + "LastModifiedDate": "2024-09-20T16:26:44.977Z" + }, + { + "VulnerabilityID": "CVE-2024-4068", + "PkgID": "braces@2.3.2", + "PkgName": "braces", + "PkgPath": "juice-shop/node_modules/braces/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/braces@2.3.2", + "UID": "a453a1accd8298fb" + }, + "InstalledVersion": "2.3.2", + "FixedVersion": "3.0.3", + "Status": "fixed", + "Layer": { + "Digest": "sha256:372ee704575ced2099853693fdb4f8770cd71b4bfcc2bf639c8e9f9d481ede37", + "DiffID": 
"sha256:6de27bb627f066285f0628172e686caf3e388a3bf266606c88d619d87d14aae3" + }, + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2024-4068", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Title": "braces: fails to limit the number of characters it can handle", + "Description": "The NPM package `braces`, versions prior to 3.0.3, fails to limit the number of characters it can handle, which could lead to Memory Exhaustion. In `lib/parse.js,` if a malicious user sends \"imbalanced braces\" as input, the parsing will enter a loop, which will cause the program to start allocating heap memory without freeing it at any moment of the loop. Eventually, the JavaScript heap limit is reached, and the program will crash.", + "Severity": "HIGH", + "CweIDs": [ + "CWE-1050", + "CWE-400" + ], + "VendorSeverity": { + "cbl-mariner": 3, + "ghsa": 3, + "redhat": 2 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 7.5 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 7.5 + } + }, + "References": [ + "https://access.redhat.com/security/cve/CVE-2024-4068", + "https://devhub.checkmarx.com/cve-details/CVE-2024-4068", + "https://devhub.checkmarx.com/cve-details/CVE-2024-4068/", + "https://github.com/micromatch/braces", + "https://github.com/micromatch/braces/blob/98414f9f1fabe021736e26836d8306d5de747e0d/lib/parse.js#L308", + "https://github.com/micromatch/braces/commit/415d660c3002d1ab7e63dbf490c9851da80596ff", + "https://github.com/micromatch/braces/issues/35", + "https://github.com/micromatch/braces/pull/37", + "https://github.com/micromatch/braces/pull/40", + "https://nvd.nist.gov/vuln/detail/CVE-2024-4068", + "https://www.cve.org/CVERecord?id=CVE-2024-4068" + ], + "PublishedDate": "2024-05-14T15:42:48.66Z", + "LastModifiedDate": 
"2024-07-03T02:07:03.943Z" + }, + { + "VulnerabilityID": "CVE-2021-29060", + "PkgID": "color-string@1.5.3", + "PkgName": "color-string", + "PkgPath": "juice-shop/node_modules/color-string/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/color-string@1.5.3", + "UID": "888857ad1e74dde0" + }, + "InstalledVersion": "1.5.3", + "FixedVersion": "1.5.5", + "Status": "fixed", + "Layer": { + "Digest": "sha256:372ee704575ced2099853693fdb4f8770cd71b4bfcc2bf639c8e9f9d481ede37", + "DiffID": "sha256:6de27bb627f066285f0628172e686caf3e388a3bf266606c88d619d87d14aae3" + }, + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2021-29060", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Title": "nodejs-color-string: Regular expression denial of service when the application is provided and checks a crafted invalid HWB string", + "Description": "A Regular Expression Denial of Service (ReDOS) vulnerability was discovered in Color-String version 1.5.5 and below which occurs when the application is provided and checks a crafted invalid HWB string.", + "Severity": "MEDIUM", + "CweIDs": [ + "CWE-770" + ], + "VendorSeverity": { + "ghsa": 2, + "nvd": 2, + "redhat": 2 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", + "V3Score": 5.3 + }, + "nvd": { + "V2Vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P", + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", + "V2Score": 5, + "V3Score": 5.3 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", + "V3Score": 5.3 + } + }, + "References": [ + "https://access.redhat.com/security/cve/CVE-2021-29060", + "https://github.com/Qix-/color-string/commit/0789e21284c33d89ebc4ab4ca6f759b9375ac9d3", + "https://github.com/Qix-/color-string/releases/tag/1.5.5", + "https://github.com/yetingli/PoCs/blob/main/CVE-2021-29060/Color-String.md", + 
"https://github.com/yetingli/SaveResults/blob/main/js/color-string.js", + "https://nvd.nist.gov/vuln/detail/CVE-2021-29060", + "https://snyk.io/vuln/SNYK-JS-COLORSTRING-1082939", + "https://www.cve.org/CVERecord?id=CVE-2021-29060", + "https://www.npmjs.com/package/color-string" + ], + "PublishedDate": "2021-06-21T16:15:08.113Z", + "LastModifiedDate": "2021-07-01T14:57:22.333Z" + }, + { + "VulnerabilityID": "CVE-2024-47764", + "PkgID": "cookie@0.3.1", + "PkgName": "cookie", + "PkgPath": "juice-shop/node_modules/engine.io/node_modules/cookie/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/cookie@0.3.1", + "UID": "7fd2830975071477" + }, + "InstalledVersion": "0.3.1", + "FixedVersion": "0.7.0", + "Status": "fixed", + "Layer": { + "Digest": "sha256:372ee704575ced2099853693fdb4f8770cd71b4bfcc2bf639c8e9f9d481ede37", + "DiffID": "sha256:6de27bb627f066285f0628172e686caf3e388a3bf266606c88d619d87d14aae3" + }, + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2024-47764", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Title": "cookie: cookie accepts cookie name, path, and domain with out of bounds characters", + "Description": "cookie is a basic HTTP cookie parser and serializer for HTTP servers. The cookie name could be used to set other fields of the cookie, resulting in an unexpected cookie value. A similar escape can be used for path and domain, which could be abused to alter other fields of the cookie. 
Upgrade to 0.7.0, which updates the validation for name, path, and domain.", + "Severity": "LOW", + "CweIDs": [ + "CWE-74" + ], + "VendorSeverity": { + "cbl-mariner": 2, + "ghsa": 1, + "redhat": 1 + }, + "CVSS": { + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N", + "V3Score": 3.7 + } + }, + "References": [ + "https://access.redhat.com/security/cve/CVE-2024-47764", + "https://github.com/jshttp/cookie", + "https://github.com/jshttp/cookie/commit/e10042845354fea83bd8f34af72475eed1dadf5c", + "https://github.com/jshttp/cookie/pull/167", + "https://github.com/jshttp/cookie/security/advisories/GHSA-pxg6-pf52-xh8x", + "https://nvd.nist.gov/vuln/detail/CVE-2024-47764", + "https://www.cve.org/CVERecord?id=CVE-2024-47764" + ], + "PublishedDate": "2024-10-04T20:15:07.31Z", + "LastModifiedDate": "2024-10-07T17:48:28.117Z" + }, + { + "VulnerabilityID": "CVE-2024-47764", + "PkgID": "cookie@0.4.0", + "PkgName": "cookie", + "PkgPath": "juice-shop/node_modules/cookie/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/cookie@0.4.0", + "UID": "8b051932f229d69e" + }, + "InstalledVersion": "0.4.0", + "FixedVersion": "0.7.0", + "Status": "fixed", + "Layer": { + "Digest": "sha256:372ee704575ced2099853693fdb4f8770cd71b4bfcc2bf639c8e9f9d481ede37", + "DiffID": "sha256:6de27bb627f066285f0628172e686caf3e388a3bf266606c88d619d87d14aae3" + }, + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2024-47764", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Title": "cookie: cookie accepts cookie name, path, and domain with out of bounds characters", + "Description": "cookie is a basic HTTP cookie parser and serializer for HTTP servers. The cookie name could be used to set other fields of the cookie, resulting in an unexpected cookie value. 
A similar escape can be used for path and domain, which could be abused to alter other fields of the cookie. Upgrade to 0.7.0, which updates the validation for name, path, and domain.", + "Severity": "LOW", + "CweIDs": [ + "CWE-74" + ], + "VendorSeverity": { + "cbl-mariner": 2, + "ghsa": 1, + "redhat": 1 + }, + "CVSS": { + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N", + "V3Score": 3.7 + } + }, + "References": [ + "https://access.redhat.com/security/cve/CVE-2024-47764", + "https://github.com/jshttp/cookie", + "https://github.com/jshttp/cookie/commit/e10042845354fea83bd8f34af72475eed1dadf5c", + "https://github.com/jshttp/cookie/pull/167", + "https://github.com/jshttp/cookie/security/advisories/GHSA-pxg6-pf52-xh8x", + "https://nvd.nist.gov/vuln/detail/CVE-2024-47764", + "https://www.cve.org/CVERecord?id=CVE-2024-47764" + ], + "PublishedDate": "2024-10-04T20:15:07.31Z", + "LastModifiedDate": "2024-10-07T17:48:28.117Z" + }, + { + "VulnerabilityID": "CVE-2023-46233", + "PkgID": "crypto-js@3.3.0", + "PkgName": "crypto-js", + "PkgPath": "juice-shop/node_modules/crypto-js/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/crypto-js@3.3.0", + "UID": "968c6884db7b658" + }, + "InstalledVersion": "3.3.0", + "FixedVersion": "4.2.0", + "Status": "fixed", + "Layer": { + "Digest": "sha256:372ee704575ced2099853693fdb4f8770cd71b4bfcc2bf639c8e9f9d481ede37", + "DiffID": "sha256:6de27bb627f066285f0628172e686caf3e388a3bf266606c88d619d87d14aae3" + }, + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2023-46233", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Title": "crypto-js: PBKDF2 1,000 times weaker than specified in 1993 and 1.3M times weaker than current standard", + "Description": "crypto-js is a JavaScript library of crypto standards. 
Prior to version 4.2.0, crypto-js PBKDF2 is 1,000 times weaker than originally specified in 1993, and at least 1,300,000 times weaker than current industry standard. This is because it both defaults to SHA1, a cryptographic hash algorithm considered insecure since at least 2005, and defaults to one single iteration, a 'strength' or 'difficulty' value specified at 1,000 when specified in 1993. PBKDF2 relies on iteration count as a countermeasure to preimage and collision attacks. If used to protect passwords, the impact is high. If used to generate signatures, the impact is high. Version 4.2.0 contains a patch for this issue. As a workaround, configure crypto-js to use SHA256 with at least 250,000 iterations.", + "Severity": "CRITICAL", + "CweIDs": [ + "CWE-327", + "CWE-328", + "CWE-916" + ], + "VendorSeverity": { + "ghsa": 4, + "nvd": 4, + "redhat": 3, + "ubuntu": 2 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", + "V3Score": 9.1 + }, + "nvd": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", + "V3Score": 9.1 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", + "V3Score": 9.1 + } + }, + "References": [ + "https://access.redhat.com/security/cve/CVE-2023-46233", + "https://github.com/brix/crypto-js", + "https://github.com/brix/crypto-js/commit/421dd538b2d34e7c24a5b72cc64dc2b9167db40a", + "https://github.com/brix/crypto-js/security/advisories/GHSA-xwcq-pm8m-c4vf", + "https://lists.debian.org/debian-lts-announce/2023/11/msg00025.html", + "https://nvd.nist.gov/vuln/detail/CVE-2023-46233", + "https://ubuntu.com/security/notices/USN-6753-1", + "https://www.cve.org/CVERecord?id=CVE-2023-46233" + ], + "PublishedDate": "2023-10-25T21:15:10.307Z", + "LastModifiedDate": "2023-11-27T20:15:06.88Z" + }, + { + "VulnerabilityID": "CVE-2017-16137", + "PkgID": "debug@3.2.6", + "PkgName": "debug", + "PkgPath": "juice-shop/node_modules/needle/node_modules/debug/package.json", + "PkgIdentifier": { + 
"PURL": "pkg:npm/debug@3.2.6", + "UID": "1745f6a45a45604c" + }, + "InstalledVersion": "3.2.6", + "FixedVersion": "2.6.9, 3.1.0, 3.2.7, 4.3.1", + "Status": "fixed", + "Layer": { + "Digest": "sha256:372ee704575ced2099853693fdb4f8770cd71b4bfcc2bf639c8e9f9d481ede37", + "DiffID": "sha256:6de27bb627f066285f0628172e686caf3e388a3bf266606c88d619d87d14aae3" + }, + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2017-16137", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Title": "nodejs-debug: Regular expression Denial of Service", + "Description": "The debug module is vulnerable to regular expression denial of service when untrusted user input is passed into the o formatter. It takes around 50k characters to block for 2 seconds making this a low severity issue.", + "Severity": "LOW", + "CweIDs": [ + "CWE-400" + ], + "VendorSeverity": { + "ghsa": 1, + "nvd": 2, + "redhat": 2 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L", + "V3Score": 3.7 + }, + "nvd": { + "V2Vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P", + "V3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", + "V2Score": 5, + "V3Score": 5.3 + }, + "redhat": { + "V3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", + "V3Score": 5.3 + } + }, + "References": [ + "https://access.redhat.com/security/cve/CVE-2017-16137", + "https://github.com/debug-js/debug/commit/4e2150207c568adb9ead8f4c4528016081c88020", + "https://github.com/debug-js/debug/commit/71169065b5262f9858ac78cc0b688c84a438f290", + "https://github.com/debug-js/debug/commit/b6d12fdbc63b483e5c969da33ea6adc09946b5ac", + "https://github.com/debug-js/debug/commit/f53962e944a87e6ca9bb622a2a12dffc22a9bb5a", + "https://github.com/debug-js/debug/issues/797", + "https://github.com/visionmedia/debug", + "https://github.com/visionmedia/debug/issues/501", + 
"https://github.com/visionmedia/debug/pull/504", + "https://lists.apache.org/thread.html/r8ba4c628fba7181af58817d452119481adce4ba92e889c643e4c7dd3%40%3Ccommits.netbeans.apache.org%3E", + "https://lists.apache.org/thread.html/r8ba4c628fba7181af58817d452119481adce4ba92e889c643e4c7dd3@%3Ccommits.netbeans.apache.org%3E", + "https://lists.apache.org/thread.html/rb5ac16fad337d1f3bb7079549f97d8166d0ef3082629417c39f12d63%40%3Cnotifications.netbeans.apache.org%3E", + "https://lists.apache.org/thread.html/rb5ac16fad337d1f3bb7079549f97d8166d0ef3082629417c39f12d63@%3Cnotifications.netbeans.apache.org%3E", + "https://nodesecurity.io/advisories/534", + "https://nvd.nist.gov/vuln/detail/CVE-2017-16137", + "https://www.cve.org/CVERecord?id=CVE-2017-16137" + ], + "PublishedDate": "2018-06-07T02:29:03.817Z", + "LastModifiedDate": "2023-11-07T02:40:28.13Z" + }, + { + "VulnerabilityID": "CVE-2017-16137", + "PkgID": "debug@4.1.1", + "PkgName": "debug", + "PkgPath": "juice-shop/node_modules/engine.io-client/node_modules/debug/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/debug@4.1.1", + "UID": "4f4d8af7173c994a" + }, + "InstalledVersion": "4.1.1", + "FixedVersion": "2.6.9, 3.1.0, 3.2.7, 4.3.1", + "Status": "fixed", + "Layer": { + "Digest": "sha256:372ee704575ced2099853693fdb4f8770cd71b4bfcc2bf639c8e9f9d481ede37", + "DiffID": "sha256:6de27bb627f066285f0628172e686caf3e388a3bf266606c88d619d87d14aae3" + }, + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2017-16137", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Title": "nodejs-debug: Regular expression Denial of Service", + "Description": "The debug module is vulnerable to regular expression denial of service when untrusted user input is passed into the o formatter. 
It takes around 50k characters to block for 2 seconds making this a low severity issue.", + "Severity": "LOW", + "CweIDs": [ + "CWE-400" + ], + "VendorSeverity": { + "ghsa": 1, + "nvd": 2, + "redhat": 2 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L", + "V3Score": 3.7 + }, + "nvd": { + "V2Vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P", + "V3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", + "V2Score": 5, + "V3Score": 5.3 + }, + "redhat": { + "V3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", + "V3Score": 5.3 + } + }, + "References": [ + "https://access.redhat.com/security/cve/CVE-2017-16137", + "https://github.com/debug-js/debug/commit/4e2150207c568adb9ead8f4c4528016081c88020", + "https://github.com/debug-js/debug/commit/71169065b5262f9858ac78cc0b688c84a438f290", + "https://github.com/debug-js/debug/commit/b6d12fdbc63b483e5c969da33ea6adc09946b5ac", + "https://github.com/debug-js/debug/commit/f53962e944a87e6ca9bb622a2a12dffc22a9bb5a", + "https://github.com/debug-js/debug/issues/797", + "https://github.com/visionmedia/debug", + "https://github.com/visionmedia/debug/issues/501", + "https://github.com/visionmedia/debug/pull/504", + "https://lists.apache.org/thread.html/r8ba4c628fba7181af58817d452119481adce4ba92e889c643e4c7dd3%40%3Ccommits.netbeans.apache.org%3E", + "https://lists.apache.org/thread.html/r8ba4c628fba7181af58817d452119481adce4ba92e889c643e4c7dd3@%3Ccommits.netbeans.apache.org%3E", + "https://lists.apache.org/thread.html/rb5ac16fad337d1f3bb7079549f97d8166d0ef3082629417c39f12d63%40%3Cnotifications.netbeans.apache.org%3E", + "https://lists.apache.org/thread.html/rb5ac16fad337d1f3bb7079549f97d8166d0ef3082629417c39f12d63@%3Cnotifications.netbeans.apache.org%3E", + "https://nodesecurity.io/advisories/534", + "https://nvd.nist.gov/vuln/detail/CVE-2017-16137", + "https://www.cve.org/CVERecord?id=CVE-2017-16137" + ], + "PublishedDate": "2018-06-07T02:29:03.817Z", + "LastModifiedDate": "2023-11-07T02:40:28.13Z" + }, 
+ { + "VulnerabilityID": "CVE-2017-16137", + "PkgID": "debug@4.1.1", + "PkgName": "debug", + "PkgPath": "juice-shop/node_modules/engine.io/node_modules/debug/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/debug@4.1.1", + "UID": "3069be5fa3e84406" + }, + "InstalledVersion": "4.1.1", + "FixedVersion": "2.6.9, 3.1.0, 3.2.7, 4.3.1", + "Status": "fixed", + "Layer": { + "Digest": "sha256:372ee704575ced2099853693fdb4f8770cd71b4bfcc2bf639c8e9f9d481ede37", + "DiffID": "sha256:6de27bb627f066285f0628172e686caf3e388a3bf266606c88d619d87d14aae3" + }, + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2017-16137", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Title": "nodejs-debug: Regular expression Denial of Service", + "Description": "The debug module is vulnerable to regular expression denial of service when untrusted user input is passed into the o formatter. 
It takes around 50k characters to block for 2 seconds making this a low severity issue.", + "Severity": "LOW", + "CweIDs": [ + "CWE-400" + ], + "VendorSeverity": { + "ghsa": 1, + "nvd": 2, + "redhat": 2 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L", + "V3Score": 3.7 + }, + "nvd": { + "V2Vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P", + "V3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", + "V2Score": 5, + "V3Score": 5.3 + }, + "redhat": { + "V3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", + "V3Score": 5.3 + } + }, + "References": [ + "https://access.redhat.com/security/cve/CVE-2017-16137", + "https://github.com/debug-js/debug/commit/4e2150207c568adb9ead8f4c4528016081c88020", + "https://github.com/debug-js/debug/commit/71169065b5262f9858ac78cc0b688c84a438f290", + "https://github.com/debug-js/debug/commit/b6d12fdbc63b483e5c969da33ea6adc09946b5ac", + "https://github.com/debug-js/debug/commit/f53962e944a87e6ca9bb622a2a12dffc22a9bb5a", + "https://github.com/debug-js/debug/issues/797", + "https://github.com/visionmedia/debug", + "https://github.com/visionmedia/debug/issues/501", + "https://github.com/visionmedia/debug/pull/504", + "https://lists.apache.org/thread.html/r8ba4c628fba7181af58817d452119481adce4ba92e889c643e4c7dd3%40%3Ccommits.netbeans.apache.org%3E", + "https://lists.apache.org/thread.html/r8ba4c628fba7181af58817d452119481adce4ba92e889c643e4c7dd3@%3Ccommits.netbeans.apache.org%3E", + "https://lists.apache.org/thread.html/rb5ac16fad337d1f3bb7079549f97d8166d0ef3082629417c39f12d63%40%3Cnotifications.netbeans.apache.org%3E", + "https://lists.apache.org/thread.html/rb5ac16fad337d1f3bb7079549f97d8166d0ef3082629417c39f12d63@%3Cnotifications.netbeans.apache.org%3E", + "https://nodesecurity.io/advisories/534", + "https://nvd.nist.gov/vuln/detail/CVE-2017-16137", + "https://www.cve.org/CVERecord?id=CVE-2017-16137" + ], + "PublishedDate": "2018-06-07T02:29:03.817Z", + "LastModifiedDate": "2023-11-07T02:40:28.13Z" + }, 
+ { + "VulnerabilityID": "CVE-2017-16137", + "PkgID": "debug@4.1.1", + "PkgName": "debug", + "PkgPath": "juice-shop/node_modules/sequelize/node_modules/debug/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/debug@4.1.1", + "UID": "4bc7e7de3f9d19a0" + }, + "InstalledVersion": "4.1.1", + "FixedVersion": "2.6.9, 3.1.0, 3.2.7, 4.3.1", + "Status": "fixed", + "Layer": { + "Digest": "sha256:372ee704575ced2099853693fdb4f8770cd71b4bfcc2bf639c8e9f9d481ede37", + "DiffID": "sha256:6de27bb627f066285f0628172e686caf3e388a3bf266606c88d619d87d14aae3" + }, + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2017-16137", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Title": "nodejs-debug: Regular expression Denial of Service", + "Description": "The debug module is vulnerable to regular expression denial of service when untrusted user input is passed into the o formatter. 
It takes around 50k characters to block for 2 seconds making this a low severity issue.", + "Severity": "LOW", + "CweIDs": [ + "CWE-400" + ], + "VendorSeverity": { + "ghsa": 1, + "nvd": 2, + "redhat": 2 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L", + "V3Score": 3.7 + }, + "nvd": { + "V2Vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P", + "V3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", + "V2Score": 5, + "V3Score": 5.3 + }, + "redhat": { + "V3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", + "V3Score": 5.3 + } + }, + "References": [ + "https://access.redhat.com/security/cve/CVE-2017-16137", + "https://github.com/debug-js/debug/commit/4e2150207c568adb9ead8f4c4528016081c88020", + "https://github.com/debug-js/debug/commit/71169065b5262f9858ac78cc0b688c84a438f290", + "https://github.com/debug-js/debug/commit/b6d12fdbc63b483e5c969da33ea6adc09946b5ac", + "https://github.com/debug-js/debug/commit/f53962e944a87e6ca9bb622a2a12dffc22a9bb5a", + "https://github.com/debug-js/debug/issues/797", + "https://github.com/visionmedia/debug", + "https://github.com/visionmedia/debug/issues/501", + "https://github.com/visionmedia/debug/pull/504", + "https://lists.apache.org/thread.html/r8ba4c628fba7181af58817d452119481adce4ba92e889c643e4c7dd3%40%3Ccommits.netbeans.apache.org%3E", + "https://lists.apache.org/thread.html/r8ba4c628fba7181af58817d452119481adce4ba92e889c643e4c7dd3@%3Ccommits.netbeans.apache.org%3E", + "https://lists.apache.org/thread.html/rb5ac16fad337d1f3bb7079549f97d8166d0ef3082629417c39f12d63%40%3Cnotifications.netbeans.apache.org%3E", + "https://lists.apache.org/thread.html/rb5ac16fad337d1f3bb7079549f97d8166d0ef3082629417c39f12d63@%3Cnotifications.netbeans.apache.org%3E", + "https://nodesecurity.io/advisories/534", + "https://nvd.nist.gov/vuln/detail/CVE-2017-16137", + "https://www.cve.org/CVERecord?id=CVE-2017-16137" + ], + "PublishedDate": "2018-06-07T02:29:03.817Z", + "LastModifiedDate": "2023-11-07T02:40:28.13Z" + }, 
+ { + "VulnerabilityID": "CVE-2017-16137", + "PkgID": "debug@4.1.1", + "PkgName": "debug", + "PkgPath": "juice-shop/node_modules/socket.io-client/node_modules/debug/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/debug@4.1.1", + "UID": "a37f29d1121cbcb8" + }, + "InstalledVersion": "4.1.1", + "FixedVersion": "2.6.9, 3.1.0, 3.2.7, 4.3.1", + "Status": "fixed", + "Layer": { + "Digest": "sha256:372ee704575ced2099853693fdb4f8770cd71b4bfcc2bf639c8e9f9d481ede37", + "DiffID": "sha256:6de27bb627f066285f0628172e686caf3e388a3bf266606c88d619d87d14aae3" + }, + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2017-16137", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Title": "nodejs-debug: Regular expression Denial of Service", + "Description": "The debug module is vulnerable to regular expression denial of service when untrusted user input is passed into the o formatter. 
It takes around 50k characters to block for 2 seconds making this a low severity issue.", + "Severity": "LOW", + "CweIDs": [ + "CWE-400" + ], + "VendorSeverity": { + "ghsa": 1, + "nvd": 2, + "redhat": 2 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L", + "V3Score": 3.7 + }, + "nvd": { + "V2Vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P", + "V3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", + "V2Score": 5, + "V3Score": 5.3 + }, + "redhat": { + "V3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", + "V3Score": 5.3 + } + }, + "References": [ + "https://access.redhat.com/security/cve/CVE-2017-16137", + "https://github.com/debug-js/debug/commit/4e2150207c568adb9ead8f4c4528016081c88020", + "https://github.com/debug-js/debug/commit/71169065b5262f9858ac78cc0b688c84a438f290", + "https://github.com/debug-js/debug/commit/b6d12fdbc63b483e5c969da33ea6adc09946b5ac", + "https://github.com/debug-js/debug/commit/f53962e944a87e6ca9bb622a2a12dffc22a9bb5a", + "https://github.com/debug-js/debug/issues/797", + "https://github.com/visionmedia/debug", + "https://github.com/visionmedia/debug/issues/501", + "https://github.com/visionmedia/debug/pull/504", + "https://lists.apache.org/thread.html/r8ba4c628fba7181af58817d452119481adce4ba92e889c643e4c7dd3%40%3Ccommits.netbeans.apache.org%3E", + "https://lists.apache.org/thread.html/r8ba4c628fba7181af58817d452119481adce4ba92e889c643e4c7dd3@%3Ccommits.netbeans.apache.org%3E", + "https://lists.apache.org/thread.html/rb5ac16fad337d1f3bb7079549f97d8166d0ef3082629417c39f12d63%40%3Cnotifications.netbeans.apache.org%3E", + "https://lists.apache.org/thread.html/rb5ac16fad337d1f3bb7079549f97d8166d0ef3082629417c39f12d63@%3Cnotifications.netbeans.apache.org%3E", + "https://nodesecurity.io/advisories/534", + "https://nvd.nist.gov/vuln/detail/CVE-2017-16137", + "https://www.cve.org/CVERecord?id=CVE-2017-16137" + ], + "PublishedDate": "2018-06-07T02:29:03.817Z", + "LastModifiedDate": "2023-11-07T02:40:28.13Z" + }, 
+ { + "VulnerabilityID": "CVE-2017-16137", + "PkgID": "debug@4.1.1", + "PkgName": "debug", + "PkgPath": "juice-shop/node_modules/socket.io-parser/node_modules/debug/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/debug@4.1.1", + "UID": "f41cda859df3a881" + }, + "InstalledVersion": "4.1.1", + "FixedVersion": "2.6.9, 3.1.0, 3.2.7, 4.3.1", + "Status": "fixed", + "Layer": { + "Digest": "sha256:372ee704575ced2099853693fdb4f8770cd71b4bfcc2bf639c8e9f9d481ede37", + "DiffID": "sha256:6de27bb627f066285f0628172e686caf3e388a3bf266606c88d619d87d14aae3" + }, + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2017-16137", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Title": "nodejs-debug: Regular expression Denial of Service", + "Description": "The debug module is vulnerable to regular expression denial of service when untrusted user input is passed into the o formatter. 
It takes around 50k characters to block for 2 seconds making this a low severity issue.", + "Severity": "LOW", + "CweIDs": [ + "CWE-400" + ], + "VendorSeverity": { + "ghsa": 1, + "nvd": 2, + "redhat": 2 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L", + "V3Score": 3.7 + }, + "nvd": { + "V2Vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P", + "V3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", + "V2Score": 5, + "V3Score": 5.3 + }, + "redhat": { + "V3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", + "V3Score": 5.3 + } + }, + "References": [ + "https://access.redhat.com/security/cve/CVE-2017-16137", + "https://github.com/debug-js/debug/commit/4e2150207c568adb9ead8f4c4528016081c88020", + "https://github.com/debug-js/debug/commit/71169065b5262f9858ac78cc0b688c84a438f290", + "https://github.com/debug-js/debug/commit/b6d12fdbc63b483e5c969da33ea6adc09946b5ac", + "https://github.com/debug-js/debug/commit/f53962e944a87e6ca9bb622a2a12dffc22a9bb5a", + "https://github.com/debug-js/debug/issues/797", + "https://github.com/visionmedia/debug", + "https://github.com/visionmedia/debug/issues/501", + "https://github.com/visionmedia/debug/pull/504", + "https://lists.apache.org/thread.html/r8ba4c628fba7181af58817d452119481adce4ba92e889c643e4c7dd3%40%3Ccommits.netbeans.apache.org%3E", + "https://lists.apache.org/thread.html/r8ba4c628fba7181af58817d452119481adce4ba92e889c643e4c7dd3@%3Ccommits.netbeans.apache.org%3E", + "https://lists.apache.org/thread.html/rb5ac16fad337d1f3bb7079549f97d8166d0ef3082629417c39f12d63%40%3Cnotifications.netbeans.apache.org%3E", + "https://lists.apache.org/thread.html/rb5ac16fad337d1f3bb7079549f97d8166d0ef3082629417c39f12d63@%3Cnotifications.netbeans.apache.org%3E", + "https://nodesecurity.io/advisories/534", + "https://nvd.nist.gov/vuln/detail/CVE-2017-16137", + "https://www.cve.org/CVERecord?id=CVE-2017-16137" + ], + "PublishedDate": "2018-06-07T02:29:03.817Z", + "LastModifiedDate": "2023-11-07T02:40:28.13Z" + }, 
+ { + "VulnerabilityID": "CVE-2017-16137", + "PkgID": "debug@4.1.1", + "PkgName": "debug", + "PkgPath": "juice-shop/node_modules/socket.io/node_modules/debug/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/debug@4.1.1", + "UID": "15a5543c82cd5007" + }, + "InstalledVersion": "4.1.1", + "FixedVersion": "2.6.9, 3.1.0, 3.2.7, 4.3.1", + "Status": "fixed", + "Layer": { + "Digest": "sha256:372ee704575ced2099853693fdb4f8770cd71b4bfcc2bf639c8e9f9d481ede37", + "DiffID": "sha256:6de27bb627f066285f0628172e686caf3e388a3bf266606c88d619d87d14aae3" + }, + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2017-16137", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Title": "nodejs-debug: Regular expression Denial of Service", + "Description": "The debug module is vulnerable to regular expression denial of service when untrusted user input is passed into the o formatter. 
It takes around 50k characters to block for 2 seconds making this a low severity issue.", + "Severity": "LOW", + "CweIDs": [ + "CWE-400" + ], + "VendorSeverity": { + "ghsa": 1, + "nvd": 2, + "redhat": 2 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L", + "V3Score": 3.7 + }, + "nvd": { + "V2Vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P", + "V3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", + "V2Score": 5, + "V3Score": 5.3 + }, + "redhat": { + "V3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", + "V3Score": 5.3 + } + }, + "References": [ + "https://access.redhat.com/security/cve/CVE-2017-16137", + "https://github.com/debug-js/debug/commit/4e2150207c568adb9ead8f4c4528016081c88020", + "https://github.com/debug-js/debug/commit/71169065b5262f9858ac78cc0b688c84a438f290", + "https://github.com/debug-js/debug/commit/b6d12fdbc63b483e5c969da33ea6adc09946b5ac", + "https://github.com/debug-js/debug/commit/f53962e944a87e6ca9bb622a2a12dffc22a9bb5a", + "https://github.com/debug-js/debug/issues/797", + "https://github.com/visionmedia/debug", + "https://github.com/visionmedia/debug/issues/501", + "https://github.com/visionmedia/debug/pull/504", + "https://lists.apache.org/thread.html/r8ba4c628fba7181af58817d452119481adce4ba92e889c643e4c7dd3%40%3Ccommits.netbeans.apache.org%3E", + "https://lists.apache.org/thread.html/r8ba4c628fba7181af58817d452119481adce4ba92e889c643e4c7dd3@%3Ccommits.netbeans.apache.org%3E", + "https://lists.apache.org/thread.html/rb5ac16fad337d1f3bb7079549f97d8166d0ef3082629417c39f12d63%40%3Cnotifications.netbeans.apache.org%3E", + "https://lists.apache.org/thread.html/rb5ac16fad337d1f3bb7079549f97d8166d0ef3082629417c39f12d63@%3Cnotifications.netbeans.apache.org%3E", + "https://nodesecurity.io/advisories/534", + "https://nvd.nist.gov/vuln/detail/CVE-2017-16137", + "https://www.cve.org/CVERecord?id=CVE-2017-16137" + ], + "PublishedDate": "2018-06-07T02:29:03.817Z", + "LastModifiedDate": "2023-11-07T02:40:28.13Z" + }, 
+ { + "VulnerabilityID": "CVE-2022-38900", + "PkgID": "decode-uri-component@0.2.0", + "PkgName": "decode-uri-component", + "PkgPath": "juice-shop/node_modules/decode-uri-component/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/decode-uri-component@0.2.0", + "UID": "aea0df6eccbfc92f" + }, + "InstalledVersion": "0.2.0", + "FixedVersion": "0.2.1", + "Status": "fixed", + "Layer": { + "Digest": "sha256:372ee704575ced2099853693fdb4f8770cd71b4bfcc2bf639c8e9f9d481ede37", + "DiffID": "sha256:6de27bb627f066285f0628172e686caf3e388a3bf266606c88d619d87d14aae3" + }, + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2022-38900", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Title": "decode-uri-component: improper input validation resulting in DoS", + "Description": "decode-uri-component 0.2.0 is vulnerable to Improper Input Validation resulting in DoS.", + "Severity": "HIGH", + "CweIDs": [ + "CWE-20" + ], + "VendorSeverity": { + "alma": 1, + "ghsa": 3, + "nvd": 3, + "oracle-oval": 1, + "redhat": 3 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 7.5 + }, + "nvd": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 7.5 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 7.5 + } + }, + "References": [ + "https://access.redhat.com/errata/RHSA-2023:6316", + "https://access.redhat.com/security/cve/CVE-2022-38900", + "https://bugzilla.redhat.com/2170644", + "https://errata.almalinux.org/9/ALSA-2023-6316.html", + "https://github.com/SamVerschueren/decode-uri-component", + "https://github.com/SamVerschueren/decode-uri-component/commit/746ca5dcb6667c5d364e782d53c542830e4c10b9", + "https://github.com/SamVerschueren/decode-uri-component/issues/5", + 
"https://github.com/SamVerschueren/decode-uri-component/releases/tag/v0.2.1", + "https://github.com/advisories/GHSA-w573-4hg7-7wgq", + "https://github.com/sindresorhus/query-string/issues/345", + "https://linux.oracle.com/cve/CVE-2022-38900.html", + "https://linux.oracle.com/errata/ELSA-2023-6316.html", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ERN6YE3DS7NBW7UH44SCJBMNC2NWQ7SM/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KAC5KQ2SEWAMQ6UZAUBZ5KXKEOESH375/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QABOUA2I542UTANVZIVFKWMRYVHLV32D/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UW4SCMT3SEUFVIL7YIADQ5K36GJEO6I5/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VNV2GNZXOTEDAJRFH3ZYWRUBGIVL7BSU/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ERN6YE3DS7NBW7UH44SCJBMNC2NWQ7SM", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KAC5KQ2SEWAMQ6UZAUBZ5KXKEOESH375", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QABOUA2I542UTANVZIVFKWMRYVHLV32D", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UW4SCMT3SEUFVIL7YIADQ5K36GJEO6I5", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VNV2GNZXOTEDAJRFH3ZYWRUBGIVL7BSU", + "https://nvd.nist.gov/vuln/detail/CVE-2022-38900", + "https://www.cve.org/CVERecord?id=CVE-2022-38900" + ], + "PublishedDate": "2022-11-28T13:15:10.033Z", + "LastModifiedDate": "2023-11-07T03:50:17.22Z" + }, + { + "VulnerabilityID": "CVE-2022-38900", + "PkgID": "decode-uri-component@0.2.0", + "PkgName": "decode-uri-component", + "PkgPath": 
"usr/local/lib/node_modules/npm/node_modules/decode-uri-component/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/decode-uri-component@0.2.0", + "UID": "4316f5bc05c5a057" + }, + "InstalledVersion": "0.2.0", + "FixedVersion": "0.2.1", + "Status": "fixed", + "Layer": { + "Digest": "sha256:1e6875f31a79a89ba75198be98bcf8542ebf5bedc72e713643f8051c1de5f953", + "DiffID": "sha256:b745c9620c42ed8b3d44112811e039e9e673072cef3bb5740bb1d560a40b1f8a" + }, + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2022-38900", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Title": "decode-uri-component: improper input validation resulting in DoS", + "Description": "decode-uri-component 0.2.0 is vulnerable to Improper Input Validation resulting in DoS.", + "Severity": "HIGH", + "CweIDs": [ + "CWE-20" + ], + "VendorSeverity": { + "alma": 1, + "ghsa": 3, + "nvd": 3, + "oracle-oval": 1, + "redhat": 3 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 7.5 + }, + "nvd": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 7.5 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 7.5 + } + }, + "References": [ + "https://access.redhat.com/errata/RHSA-2023:6316", + "https://access.redhat.com/security/cve/CVE-2022-38900", + "https://bugzilla.redhat.com/2170644", + "https://errata.almalinux.org/9/ALSA-2023-6316.html", + "https://github.com/SamVerschueren/decode-uri-component", + "https://github.com/SamVerschueren/decode-uri-component/commit/746ca5dcb6667c5d364e782d53c542830e4c10b9", + "https://github.com/SamVerschueren/decode-uri-component/issues/5", + "https://github.com/SamVerschueren/decode-uri-component/releases/tag/v0.2.1", + "https://github.com/advisories/GHSA-w573-4hg7-7wgq", + 
"https://github.com/sindresorhus/query-string/issues/345", + "https://linux.oracle.com/cve/CVE-2022-38900.html", + "https://linux.oracle.com/errata/ELSA-2023-6316.html", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ERN6YE3DS7NBW7UH44SCJBMNC2NWQ7SM/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KAC5KQ2SEWAMQ6UZAUBZ5KXKEOESH375/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QABOUA2I542UTANVZIVFKWMRYVHLV32D/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UW4SCMT3SEUFVIL7YIADQ5K36GJEO6I5/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VNV2GNZXOTEDAJRFH3ZYWRUBGIVL7BSU/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ERN6YE3DS7NBW7UH44SCJBMNC2NWQ7SM", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KAC5KQ2SEWAMQ6UZAUBZ5KXKEOESH375", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QABOUA2I542UTANVZIVFKWMRYVHLV32D", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UW4SCMT3SEUFVIL7YIADQ5K36GJEO6I5", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VNV2GNZXOTEDAJRFH3ZYWRUBGIVL7BSU", + "https://nvd.nist.gov/vuln/detail/CVE-2022-38900", + "https://www.cve.org/CVERecord?id=CVE-2022-38900" + ], + "PublishedDate": "2022-11-28T13:15:10.033Z", + "LastModifiedDate": "2023-11-07T03:50:17.22Z" + }, + { + "VulnerabilityID": "CVE-2022-24434", + "PkgID": "dicer@0.2.5", + "PkgName": "dicer", + "PkgPath": "juice-shop/node_modules/dicer/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/dicer@0.2.5", + "UID": "bbdbe521b8454f46" + }, + "InstalledVersion": "0.2.5", + 
"Status": "affected", + "Layer": { + "Digest": "sha256:372ee704575ced2099853693fdb4f8770cd71b4bfcc2bf639c8e9f9d481ede37", + "DiffID": "sha256:6de27bb627f066285f0628172e686caf3e388a3bf266606c88d619d87d14aae3" + }, + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2022-24434", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Title": "dicer: nodejs service crash by sending a crafted payload", + "Description": "This affects all versions of package dicer. A malicious attacker can send a modified form to server, and crash the nodejs service. An attacker could sent the payload again and again so that the service continuously crashes.", + "Severity": "HIGH", + "VendorSeverity": { + "ghsa": 3, + "nvd": 3, + "redhat": 3 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 7.5 + }, + "nvd": { + "V2Vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P", + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V2Score": 5, + "V3Score": 7.5 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 7.5 + } + }, + "References": [ + "https://access.redhat.com/security/cve/CVE-2022-24434", + "https://github.com/advisories/GHSA-wm7h-9275-46v2", + "https://github.com/mscdex/busboy/issues/250", + "https://github.com/mscdex/dicer", + "https://github.com/mscdex/dicer/commit/b7fca2e93e8e9d4439d8acc5c02f5e54a0112dac", + "https://github.com/mscdex/dicer/pull/22", + "https://github.com/mscdex/dicer/pull/22/commits/b7fca2e93e8e9d4439d8acc5c02f5e54a0112dac", + "https://nvd.nist.gov/vuln/detail/CVE-2022-24434", + "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-2838865", + "https://snyk.io/vuln/SNYK-JS-DICER-2311764", + "https://www.cve.org/CVERecord?id=CVE-2022-24434" + ], + "PublishedDate": "2022-05-20T20:15:09.993Z", + "LastModifiedDate": "2022-06-07T02:04:44.75Z" + }, + { + 
"VulnerabilityID": "GHSA-h6ch-v84p-w6p9", + "PkgID": "diff@1.0.2", + "PkgName": "diff", + "PkgPath": "juice-shop/node_modules/clarinet/benchmark/node_modules/diff/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/diff@1.0.2", + "UID": "8090d53cd9ceb81c" + }, + "InstalledVersion": "1.0.2", + "FixedVersion": "3.5.0", + "Status": "fixed", + "Layer": { + "Digest": "sha256:372ee704575ced2099853693fdb4f8770cd71b4bfcc2bf639c8e9f9d481ede37", + "DiffID": "sha256:6de27bb627f066285f0628172e686caf3e388a3bf266606c88d619d87d14aae3" + }, + "SeveritySource": "ghsa", + "PrimaryURL": "https://github.com/advisories/GHSA-h6ch-v84p-w6p9", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Title": "Regular Expression Denial of Service (ReDoS)", + "Description": "A vulnerability was found in diff before v3.5.0, the affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) attacks.", + "Severity": "HIGH", + "VendorSeverity": { + "ghsa": 3 + }, + "References": [ + "https://bugzilla.redhat.com/show_bug.cgi?id=1552148", + "https://github.com/kpdecker/jsdiff/commit/2aec4298639bf30fb88a00b356bf404d3551b8c0", + "https://snyk.io/vuln/npm:diff:20180305", + "https://www.npmjs.com/advisories/1631", + "https://www.whitesourcesoftware.com/vulnerability-database/WS-2018-0590" + ] + }, + { + "VulnerabilityID": "CVE-2020-8116", + "PkgID": "dot-prop@4.2.0", + "PkgName": "dot-prop", + "PkgPath": "usr/local/lib/node_modules/npm/node_modules/dot-prop/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/dot-prop@4.2.0", + "UID": "c8359f7be9152080" + }, + "InstalledVersion": "4.2.0", + "FixedVersion": "4.2.1, 5.1.1", + "Status": "fixed", + "Layer": { + "Digest": "sha256:1e6875f31a79a89ba75198be98bcf8542ebf5bedc72e713643f8051c1de5f953", + "DiffID": "sha256:b745c9620c42ed8b3d44112811e039e9e673072cef3bb5740bb1d560a40b1f8a" + }, + "SeveritySource": "ghsa", + 
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2020-8116", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Title": "nodejs-dot-prop: prototype pollution", + "Description": "Prototype pollution vulnerability in dot-prop npm package versions before 4.2.1 and versions 5.x before 5.1.1 allows an attacker to add arbitrary properties to JavaScript language constructs such as objects.", + "Severity": "HIGH", + "CweIDs": [ + "CWE-1321", + "CWE-471" + ], + "VendorSeverity": { + "alma": 2, + "ghsa": 3, + "nvd": 3, + "oracle-oval": 2, + "redhat": 2 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", + "V3Score": 7.3 + }, + "nvd": { + "V2Vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P", + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", + "V2Score": 7.5, + "V3Score": 7.3 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", + "V3Score": 7.3 + } + }, + "References": [ + "https://access.redhat.com/security/cve/CVE-2020-8116", + "https://errata.almalinux.org/8/ALSA-2021-0548.html", + "https://github.com/advisories/GHSA-ff7x-qrg7-qggm", + "https://github.com/sindresorhus/dot-prop", + "https://github.com/sindresorhus/dot-prop/commit/3039c8c07f6fdaa8b595ec869ae0895686a7a0f2", + "https://github.com/sindresorhus/dot-prop/commit/c914124f418f55edea27928e89c94d931babe587", + "https://github.com/sindresorhus/dot-prop/issues/63", + "https://github.com/sindresorhus/dot-prop/tree/v4", + "https://hackerone.com/reports/719856", + "https://linux.oracle.com/cve/CVE-2020-8116.html", + "https://linux.oracle.com/errata/ELSA-2021-0548.html", + "https://nvd.nist.gov/vuln/detail/CVE-2020-8116", + "https://www.cve.org/CVERecord?id=CVE-2020-8116" + ], + "PublishedDate": "2020-02-04T20:15:13.353Z", + "LastModifiedDate": "2022-08-05T19:32:41.867Z" + }, + { + "VulnerabilityID": "CVE-2023-26132", + "PkgID": "dottie@2.0.2", + 
"PkgName": "dottie", + "PkgPath": "juice-shop/node_modules/dottie/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/dottie@2.0.2", + "UID": "2238c2bce359423f" + }, + "InstalledVersion": "2.0.2", + "FixedVersion": "2.0.4", + "Status": "fixed", + "Layer": { + "Digest": "sha256:372ee704575ced2099853693fdb4f8770cd71b4bfcc2bf639c8e9f9d481ede37", + "DiffID": "sha256:6de27bb627f066285f0628172e686caf3e388a3bf266606c88d619d87d14aae3" + }, + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2023-26132", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Title": "Versions of the package dottie before 2.0.4 are vulnerable to Prototyp ...", + "Description": "Versions of the package dottie before 2.0.4 are vulnerable to Prototype Pollution due to insufficient checks, via the set() function and the current variable in the /dottie.js file.", + "Severity": "HIGH", + "CweIDs": [ + "CWE-1321" + ], + "VendorSeverity": { + "ghsa": 3, + "nvd": 3, + "ubuntu": 3 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 7.5 + }, + "nvd": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 7.5 + } + }, + "References": [ + "https://github.com/mickhansen/dottie.js", + "https://github.com/mickhansen/dottie.js/blob/b48e22714aae4489ea6276452f22cc61980ba5a4/dottie.js#L107", + "https://github.com/mickhansen/dottie.js/blob/b48e22714aae4489ea6276452f22cc61980ba5a4/dottie.js%23L107", + "https://github.com/mickhansen/dottie.js/commit/7d3aee1c9c3c842720506e131de7e181e5c8db68", + "https://nvd.nist.gov/vuln/detail/CVE-2023-26132", + "https://security.snyk.io/vuln/SNYK-JS-DOTTIE-3332763", + "https://www.cve.org/CVERecord?id=CVE-2023-26132" + ], + "PublishedDate": "2023-06-10T05:15:08.97Z", + "LastModifiedDate": "2023-11-07T04:09:25.51Z" + }, + { + "VulnerabilityID": "CVE-2020-36048", + "PkgID": 
"engine.io@3.4.1", + "PkgName": "engine.io", + "PkgPath": "juice-shop/node_modules/engine.io/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/engine.io@3.4.1", + "UID": "28bd810086b6863f" + }, + "InstalledVersion": "3.4.1", + "FixedVersion": "3.6.0", + "Status": "fixed", + "Layer": { + "Digest": "sha256:372ee704575ced2099853693fdb4f8770cd71b4bfcc2bf639c8e9f9d481ede37", + "DiffID": "sha256:6de27bb627f066285f0628172e686caf3e388a3bf266606c88d619d87d14aae3" + }, + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2020-36048", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Title": "yarnpkg-socket.io/engine.io: allows attackers to cause a denial of service (resource consumption) via a POST request to the long polling transport", + "Description": "Engine.IO before 4.0.0 allows attackers to cause a denial of service (resource consumption) via a POST request to the long polling transport.", + "Severity": "HIGH", + "CweIDs": [ + "CWE-400" + ], + "VendorSeverity": { + "ghsa": 3, + "nvd": 3, + "redhat": 3 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 7.5 + }, + "nvd": { + "V2Vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P", + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V2Score": 5, + "V3Score": 7.5 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 7.5 + } + }, + "References": [ + "https://access.redhat.com/security/cve/CVE-2020-36048", + "https://blog.caller.xyz/socketio-engineio-dos", + "https://blog.caller.xyz/socketio-engineio-dos/", + "https://github.com/bcaller/kill-engine-io", + "https://github.com/socketio/engine.io", + "https://github.com/socketio/engine.io/commit/734f9d1268840722c41219e69eb58318e0b2ac6b", + "https://nvd.nist.gov/vuln/detail/CVE-2020-36048", + "https://snyk.io/vuln/SNYK-JS-ENGINEIO-1056749", + 
"https://www.cve.org/CVERecord?id=CVE-2020-36048" + ], + "PublishedDate": "2021-01-08T00:15:11.093Z", + "LastModifiedDate": "2021-01-12T03:55:58.96Z" + }, + { + "VulnerabilityID": "CVE-2022-41940", + "PkgID": "engine.io@3.4.1", + "PkgName": "engine.io", + "PkgPath": "juice-shop/node_modules/engine.io/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/engine.io@3.4.1", + "UID": "28bd810086b6863f" + }, + "InstalledVersion": "3.4.1", + "FixedVersion": "3.6.1, 6.2.1", + "Status": "fixed", + "Layer": { + "Digest": "sha256:372ee704575ced2099853693fdb4f8770cd71b4bfcc2bf639c8e9f9d481ede37", + "DiffID": "sha256:6de27bb627f066285f0628172e686caf3e388a3bf266606c88d619d87d14aae3" + }, + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2022-41940", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Title": "engine.io: Specially crafted HTTP request can trigger an uncaught exception", + "Description": "Engine.IO is the implementation of transport-based cross-browser/cross-device bi-directional communication layer for Socket.IO. A specially crafted HTTP request can trigger an uncaught exception on the Engine.IO server, thus killing the Node.js process. This impacts all the users of the engine.io package, including those who uses depending packages like socket.io. There is no known workaround except upgrading to a safe version. 
There are patches for this issue released in versions 3.6.1 and 6.2.1.", + "Severity": "MEDIUM", + "CweIDs": [ + "CWE-248" + ], + "VendorSeverity": { + "ghsa": 2, + "nvd": 2, + "redhat": 2 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 6.5 + }, + "nvd": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 6.5 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 6.5 + } + }, + "References": [ + "https://access.redhat.com/security/cve/CVE-2022-41940", + "https://github.com/socketio/engine.io", + "https://github.com/socketio/engine.io/commit/425e833ab13373edf1dd5a0706f07100db14e3c6", + "https://github.com/socketio/engine.io/commit/83c4071af871fc188298d7d591e95670bf9f9085", + "https://github.com/socketio/engine.io/security/advisories/GHSA-r7qp-cfhv-p84w", + "https://nvd.nist.gov/vuln/detail/CVE-2022-41940", + "https://www.cve.org/CVERecord?id=CVE-2022-41940" + ], + "PublishedDate": "2022-11-22T01:15:37.847Z", + "LastModifiedDate": "2022-11-26T03:26:25.847Z" + }, + { + "VulnerabilityID": "CVE-2024-27088", + "PkgID": "es5-ext@0.10.53", + "PkgName": "es5-ext", + "PkgPath": "juice-shop/node_modules/es5-ext/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/es5-ext@0.10.53", + "UID": "d43eb34bf4a97503" + }, + "InstalledVersion": "0.10.53", + "FixedVersion": "0.10.63", + "Status": "fixed", + "Layer": { + "Digest": "sha256:372ee704575ced2099853693fdb4f8770cd71b4bfcc2bf639c8e9f9d481ede37", + "DiffID": "sha256:6de27bb627f066285f0628172e686caf3e388a3bf266606c88d619d87d14aae3" + }, + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2024-27088", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Title": "es5-ext contains ECMAScript 5 extensions. 
Passing functions with very ...", + "Description": "es5-ext contains ECMAScript 5 extensions. Passing functions with very long names or complex default argument names into `function#copy` or `function#toStringTokens` may cause the script to stall. The vulnerability is patched in v0.10.63.", + "Severity": "LOW", + "CweIDs": [ + "CWE-1333", + "CWE-400" + ], + "VendorSeverity": { + "ghsa": 1 + }, + "References": [ + "https://github.com/medikoo/es5-ext", + "https://github.com/medikoo/es5-ext/commit/3551cdd7b2db08b1632841f819d008757d28e8e2", + "https://github.com/medikoo/es5-ext/commit/a52e95736690ad1d465ebcd9791d54570e294602", + "https://github.com/medikoo/es5-ext/issues/201", + "https://github.com/medikoo/es5-ext/security/advisories/GHSA-4gmj-3p3h-gm8h", + "https://nvd.nist.gov/vuln/detail/CVE-2024-27088" + ], + "PublishedDate": "2024-02-26T17:15:11Z", + "LastModifiedDate": "2024-02-26T22:10:40.463Z" + }, + { + "VulnerabilityID": "CVE-2024-29041", + "PkgID": "express@4.17.1", + "PkgName": "express", + "PkgPath": "juice-shop/node_modules/express/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/express@4.17.1", + "UID": "abb859d9a01cee0d" + }, + "InstalledVersion": "4.17.1", + "FixedVersion": "4.19.2, 5.0.0-beta.3", + "Status": "fixed", + "Layer": { + "Digest": "sha256:372ee704575ced2099853693fdb4f8770cd71b4bfcc2bf639c8e9f9d481ede37", + "DiffID": "sha256:6de27bb627f066285f0628172e686caf3e388a3bf266606c88d619d87d14aae3" + }, + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2024-29041", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Title": "express: cause malformed URLs to be evaluated", + "Description": "Express.js minimalist web framework for node. Versions of Express.js prior to 4.19.0 and all pre-release alpha and beta versions of 5.0 are affected by an open redirect vulnerability using malformed URLs. 
When a user of Express performs a redirect using a user-provided URL Express performs an encode [using `encodeurl`](https://github.com/pillarjs/encodeurl) on the contents before passing it to the `location` header. This can cause malformed URLs to be evaluated in unexpected ways by common redirect allow list implementations in Express applications, leading to an Open Redirect via bypass of a properly implemented allow list. The main method impacted is `res.location()` but this is also called from within `res.redirect()`. The vulnerability is fixed in 4.19.2 and 5.0.0-beta.3.", + "Severity": "MEDIUM", + "CweIDs": [ + "CWE-1286", + "CWE-601" + ], + "VendorSeverity": { + "cbl-mariner": 2, + "ghsa": 2, + "redhat": 3 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", + "V3Score": 6.1 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", + "V3Score": 6.1 + } + }, + "References": [ + "https://access.redhat.com/security/cve/CVE-2024-29041", + "https://expressjs.com/en/4x/api.html#res.location", + "https://github.com/expressjs/express", + "https://github.com/expressjs/express/commit/0867302ddbde0e9463d0564fea5861feb708c2dd", + "https://github.com/expressjs/express/commit/0b746953c4bd8e377123527db11f9cd866e39f94", + "https://github.com/expressjs/express/pull/5539", + "https://github.com/expressjs/express/security/advisories/GHSA-rv95-896h-c2vc", + "https://github.com/koajs/koa/issues/1800", + "https://nvd.nist.gov/vuln/detail/CVE-2024-29041", + "https://www.cve.org/CVERecord?id=CVE-2024-29041" + ], + "PublishedDate": "2024-03-25T21:15:46.847Z", + "LastModifiedDate": "2024-03-26T12:55:05.01Z" + }, + { + "VulnerabilityID": "CVE-2024-43796", + "PkgID": "express@4.17.1", + "PkgName": "express", + "PkgPath": "juice-shop/node_modules/express/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/express@4.17.1", + "UID": "abb859d9a01cee0d" + }, + "InstalledVersion": "4.17.1", + "FixedVersion": "4.20.0, 5.0.0", + 
"Status": "fixed", + "Layer": { + "Digest": "sha256:372ee704575ced2099853693fdb4f8770cd71b4bfcc2bf639c8e9f9d481ede37", + "DiffID": "sha256:6de27bb627f066285f0628172e686caf3e388a3bf266606c88d619d87d14aae3" + }, + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2024-43796", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Title": "express: Improper Input Handling in Express Redirects", + "Description": "Express.js minimalist web framework for node. In express \u003c 4.20.0, passing untrusted user input - even after sanitizing it - to response.redirect() may execute untrusted code. This issue is patched in express 4.20.0.", + "Severity": "MEDIUM", + "CweIDs": [ + "CWE-79" + ], + "VendorSeverity": { + "azure": 2, + "cbl-mariner": 2, + "ghsa": 2, + "nvd": 2, + "redhat": 2 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L", + "V3Score": 5 + }, + "nvd": { + "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N", + "V3Score": 4.7 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L", + "V3Score": 5 + } + }, + "References": [ + "https://access.redhat.com/security/cve/CVE-2024-43796", + "https://github.com/expressjs/express", + "https://github.com/expressjs/express/commit/54271f69b511fea198471e6ff3400ab805d6b553", + "https://github.com/expressjs/express/security/advisories/GHSA-qw6h-vgh9-j6wx", + "https://nvd.nist.gov/vuln/detail/CVE-2024-43796", + "https://www.cve.org/CVERecord?id=CVE-2024-43796" + ], + "PublishedDate": "2024-09-10T15:15:17.51Z", + "LastModifiedDate": "2024-09-20T16:07:47.997Z" + }, + { + "VulnerabilityID": "CVE-2020-15084", + "PkgID": "express-jwt@0.1.3", + "PkgName": "express-jwt", + "PkgPath": "juice-shop/node_modules/express-jwt/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/express-jwt@0.1.3", + "UID": "ff43a00952d1fea" + }, + 
"InstalledVersion": "0.1.3", + "FixedVersion": "6.0.0", + "Status": "fixed", + "Layer": { + "Digest": "sha256:372ee704575ced2099853693fdb4f8770cd71b4bfcc2bf639c8e9f9d481ede37", + "DiffID": "sha256:6de27bb627f066285f0628172e686caf3e388a3bf266606c88d619d87d14aae3" + }, + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2020-15084", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Title": "Authorization bypass in express-jwt", + "Description": "In express-jwt (NPM package) up and including version 5.3.3, the algorithms entry to be specified in the configuration is not being enforced. When algorithms is not specified in the configuration, with the combination of jwks-rsa, it may lead to authorization bypass. You are affected by this vulnerability if all of the following conditions apply: - You are using express-jwt - You do not have **algorithms** configured in your express-jwt configuration. - You are using libraries such as jwks-rsa as the **secret**. You can fix this by specifying **algorithms** in the express-jwt configuration. See linked GHSA for example. 
This is also fixed in version 6.0.0.", + "Severity": "HIGH", + "CweIDs": [ + "CWE-863", + "CWE-285" + ], + "VendorSeverity": { + "ghsa": 3, + "nvd": 4 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N", + "V3Score": 7.7 + }, + "nvd": { + "V2Vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N", + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", + "V2Score": 4.3, + "V3Score": 9.1 + } + }, + "References": [ + "https://github.com/auth0/express-jwt/commit/7ecab5f8f0cab5297c2b863596566eb0c019cdef", + "https://github.com/auth0/express-jwt/security/advisories/GHSA-6g6m-m6h5-w9gf", + "https://nvd.nist.gov/vuln/detail/CVE-2020-15084" + ], + "PublishedDate": "2020-06-30T16:15:15.22Z", + "LastModifiedDate": "2022-10-21T18:00:47.803Z" + }, + { + "VulnerabilityID": "CVE-2020-28282", + "PkgID": "getobject@0.1.0", + "PkgName": "getobject", + "PkgPath": "juice-shop/node_modules/getobject/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/getobject@0.1.0", + "UID": "7a13ea0c972253a9" + }, + "InstalledVersion": "0.1.0", + "FixedVersion": "1.0.0", + "Status": "fixed", + "Layer": { + "Digest": "sha256:372ee704575ced2099853693fdb4f8770cd71b4bfcc2bf639c8e9f9d481ede37", + "DiffID": "sha256:6de27bb627f066285f0628172e686caf3e388a3bf266606c88d619d87d14aae3" + }, + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2020-28282", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Title": "nodejs-getobject: Prototype pollution could result in DoS and RCE", + "Description": "Prototype pollution vulnerability in 'getobject' version 0.1.0 allows an attacker to cause a denial of service and may lead to remote code execution.", + "Severity": "CRITICAL", + "VendorSeverity": { + "ghsa": 4, + "nvd": 4, + "redhat": 3, + "ubuntu": 2 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + 
"V3Score": 9.8 + }, + "nvd": { + "V2Vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P", + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "V2Score": 7.5, + "V3Score": 9.8 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "V3Score": 9.8 + } + }, + "References": [ + "https://access.redhat.com/security/cve/CVE-2020-28282", + "https://github.com/cowboy/node-getobject", + "https://github.com/cowboy/node-getobject/blob/aba04a8e1d6180eb39eff09990c3a43886ba8937/lib/getobject.js#L48", + "https://github.com/cowboy/node-getobject/commit/84071748fa407caa8f824e0d0b9c1cde9ec56633 (v1.0.0)", + "https://nvd.nist.gov/vuln/detail/CVE-2020-28282", + "https://www.cve.org/CVERecord?id=CVE-2020-28282", + "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2020-28282" + ], + "PublishedDate": "2020-12-29T18:15:12.87Z", + "LastModifiedDate": "2020-12-30T21:59:01.787Z" + }, + { + "VulnerabilityID": "CVE-2022-33987", + "PkgID": "got@6.7.1", + "PkgName": "got", + "PkgPath": "usr/local/lib/node_modules/npm/node_modules/got/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/got@6.7.1", + "UID": "3ee46f2ea1ebedf" + }, + "InstalledVersion": "6.7.1", + "FixedVersion": "12.1.0, 11.8.5", + "Status": "fixed", + "Layer": { + "Digest": "sha256:1e6875f31a79a89ba75198be98bcf8542ebf5bedc72e713643f8051c1de5f953", + "DiffID": "sha256:b745c9620c42ed8b3d44112811e039e9e673072cef3bb5740bb1d560a40b1f8a" + }, + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2022-33987", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Title": "nodejs-got: missing verification of requested URLs allows redirects to UNIX sockets", + "Description": "The got package before 12.1.0 (also fixed in 11.8.5) for Node.js allows a redirect to a UNIX socket.", + "Severity": "MEDIUM", + "VendorSeverity": { + "alma": 2, + "ghsa": 2, + "nvd": 2, + 
"oracle-oval": 2, + "redhat": 2 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", + "V3Score": 5.3 + }, + "nvd": { + "V2Vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N", + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", + "V2Score": 5, + "V3Score": 5.3 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", + "V3Score": 5.3 + } + }, + "References": [ + "https://access.redhat.com/errata/RHSA-2022:6595", + "https://access.redhat.com/security/cve/CVE-2022-33987", + "https://bugzilla.redhat.com/1907444", + "https://bugzilla.redhat.com/1945459", + "https://bugzilla.redhat.com/1964461", + "https://bugzilla.redhat.com/2007557", + "https://bugzilla.redhat.com/2098556", + "https://bugzilla.redhat.com/2102001", + "https://bugzilla.redhat.com/2105422", + "https://bugzilla.redhat.com/2105426", + "https://bugzilla.redhat.com/2105428", + "https://bugzilla.redhat.com/2105430", + "https://errata.almalinux.org/9/ALSA-2022-6595.html", + "https://github.com/sindresorhus/got", + "https://github.com/sindresorhus/got/commit/861ccd9ac2237df762a9e2beed7edd88c60782dc", + "https://github.com/sindresorhus/got/compare/v12.0.3...v12.1.0", + "https://github.com/sindresorhus/got/pull/2047", + "https://github.com/sindresorhus/got/releases/tag/v11.8.5", + "https://github.com/sindresorhus/got/releases/tag/v12.1.0", + "https://linux.oracle.com/cve/CVE-2022-33987.html", + "https://linux.oracle.com/errata/ELSA-2022-6595.html", + "https://nvd.nist.gov/vuln/detail/CVE-2022-33987", + "https://www.cve.org/CVERecord?id=CVE-2022-33987" + ], + "PublishedDate": "2022-06-18T21:15:07.933Z", + "LastModifiedDate": "2022-06-28T16:15:31.27Z" + }, + { + "VulnerabilityID": "CVE-2022-33987", + "PkgID": "got@8.3.2", + "PkgName": "got", + "PkgPath": "juice-shop/node_modules/got/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/got@8.3.2", + "UID": "565e22ebc733911a" + }, + "InstalledVersion": "8.3.2", + "FixedVersion": "12.1.0, 11.8.5", + "Status": 
"fixed", + "Layer": { + "Digest": "sha256:372ee704575ced2099853693fdb4f8770cd71b4bfcc2bf639c8e9f9d481ede37", + "DiffID": "sha256:6de27bb627f066285f0628172e686caf3e388a3bf266606c88d619d87d14aae3" + }, + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2022-33987", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Title": "nodejs-got: missing verification of requested URLs allows redirects to UNIX sockets", + "Description": "The got package before 12.1.0 (also fixed in 11.8.5) for Node.js allows a redirect to a UNIX socket.", + "Severity": "MEDIUM", + "VendorSeverity": { + "alma": 2, + "ghsa": 2, + "nvd": 2, + "oracle-oval": 2, + "redhat": 2 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", + "V3Score": 5.3 + }, + "nvd": { + "V2Vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N", + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", + "V2Score": 5, + "V3Score": 5.3 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", + "V3Score": 5.3 + } + }, + "References": [ + "https://access.redhat.com/errata/RHSA-2022:6595", + "https://access.redhat.com/security/cve/CVE-2022-33987", + "https://bugzilla.redhat.com/1907444", + "https://bugzilla.redhat.com/1945459", + "https://bugzilla.redhat.com/1964461", + "https://bugzilla.redhat.com/2007557", + "https://bugzilla.redhat.com/2098556", + "https://bugzilla.redhat.com/2102001", + "https://bugzilla.redhat.com/2105422", + "https://bugzilla.redhat.com/2105426", + "https://bugzilla.redhat.com/2105428", + "https://bugzilla.redhat.com/2105430", + "https://errata.almalinux.org/9/ALSA-2022-6595.html", + "https://github.com/sindresorhus/got", + "https://github.com/sindresorhus/got/commit/861ccd9ac2237df762a9e2beed7edd88c60782dc", + "https://github.com/sindresorhus/got/compare/v12.0.3...v12.1.0", + 
"https://github.com/sindresorhus/got/pull/2047", + "https://github.com/sindresorhus/got/releases/tag/v11.8.5", + "https://github.com/sindresorhus/got/releases/tag/v12.1.0", + "https://linux.oracle.com/cve/CVE-2022-33987.html", + "https://linux.oracle.com/errata/ELSA-2022-6595.html", + "https://nvd.nist.gov/vuln/detail/CVE-2022-33987", + "https://www.cve.org/CVERecord?id=CVE-2022-33987" + ], + "PublishedDate": "2022-06-18T21:15:07.933Z", + "LastModifiedDate": "2022-06-28T16:15:31.27Z" + }, + { + "VulnerabilityID": "CVE-2017-16042", + "PkgID": "growl@1.5.1", + "PkgName": "growl", + "PkgPath": "juice-shop/node_modules/clarinet/benchmark/node_modules/growl/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/growl@1.5.1", + "UID": "67dc34a94a791bee" + }, + "InstalledVersion": "1.5.1", + "FixedVersion": "1.10.0", + "Status": "fixed", + "Layer": { + "Digest": "sha256:372ee704575ced2099853693fdb4f8770cd71b4bfcc2bf639c8e9f9d481ede37", + "DiffID": "sha256:6de27bb627f066285f0628172e686caf3e388a3bf266606c88d619d87d14aae3" + }, + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2017-16042", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Title": "nodejs-growl: Does not properly sanitize input before passing it to exec", + "Description": "Growl adds growl notification support to nodejs. 
Growl before 1.10.2 does not properly sanitize input before passing it to exec, allowing for arbitrary command execution.", + "Severity": "CRITICAL", + "CweIDs": [ + "CWE-78", + "CWE-94" + ], + "VendorSeverity": { + "ghsa": 4, + "nvd": 4, + "redhat": 3 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "V3Score": 9.8 + }, + "nvd": { + "V2Vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P", + "V3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "V2Score": 7.5, + "V3Score": 9.8 + }, + "redhat": { + "V3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "V3Score": 8.1 + } + }, + "References": [ + "https://access.redhat.com/security/cve/CVE-2017-16042", + "https://github.com/tj/node-growl", + "https://github.com/tj/node-growl/commit/d71177d5331c9de4658aca62e0ac921f178b0669", + "https://github.com/tj/node-growl/issues/60", + "https://github.com/tj/node-growl/pull/61", + "https://github.com/tj/node-growl/pull/62", + "https://nodesecurity.io/advisories/146", + "https://nvd.nist.gov/vuln/detail/CVE-2017-16042", + "https://www.cve.org/CVERecord?id=CVE-2017-16042", + "https://www.npmjs.com/advisories/146" + ], + "PublishedDate": "2018-06-04T19:29:02.1Z", + "LastModifiedDate": "2019-10-09T23:24:38.987Z" + }, + { + "VulnerabilityID": "CVE-2020-7729", + "PkgID": "grunt@1.1.0", + "PkgName": "grunt", + "PkgPath": "juice-shop/node_modules/grunt/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/grunt@1.1.0", + "UID": "7cf1e2791364a2ec" + }, + "InstalledVersion": "1.1.0", + "FixedVersion": "1.3.0", + "Status": "fixed", + "Layer": { + "Digest": "sha256:372ee704575ced2099853693fdb4f8770cd71b4bfcc2bf639c8e9f9d481ede37", + "DiffID": "sha256:6de27bb627f066285f0628172e686caf3e388a3bf266606c88d619d87d14aae3" + }, + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2020-7729", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": 
"https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Title": "The package grunt before 1.3.0 are vulnerable to Arbitrary Code Execut ...", + "Description": "The package grunt before 1.3.0 are vulnerable to Arbitrary Code Execution due to the default usage of the function load() instead of its secure replacement safeLoad() of the package js-yaml inside grunt.file.readYAML.", + "Severity": "HIGH", + "CweIDs": [ + "CWE-1188" + ], + "VendorSeverity": { + "ghsa": 3, + "nvd": 2, + "ubuntu": 2 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H", + "V3Score": 7.1 + }, + "nvd": { + "V2Vector": "AV:N/AC:H/Au:S/C:P/I:P/A:P", + "V2Score": 4.6 + } + }, + "References": [ + "https://github.com/gruntjs/grunt/blob/master/lib/grunt/file.js%23L249", + "https://github.com/gruntjs/grunt/commit/e350cea1724eb3476464561a380fb6a64e61e4e7", + "https://lists.debian.org/debian-lts-announce/2020/09/msg00008.html", + "https://nvd.nist.gov/vuln/detail/CVE-2020-7729", + "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-607922", + "https://snyk.io/vuln/SNYK-JS-GRUNT-597546", + "https://ubuntu.com/security/notices/USN-4595-1", + "https://ubuntu.com/security/notices/USN-5847-1", + "https://usn.ubuntu.com/4595-1", + "https://usn.ubuntu.com/4595-1/", + "https://www.cve.org/CVERecord?id=CVE-2020-7729" + ], + "PublishedDate": "2020-09-03T09:15:10.36Z", + "LastModifiedDate": "2022-11-16T14:05:18.333Z" + }, + { + "VulnerabilityID": "CVE-2022-1537", + "PkgID": "grunt@1.1.0", + "PkgName": "grunt", + "PkgPath": "juice-shop/node_modules/grunt/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/grunt@1.1.0", + "UID": "7cf1e2791364a2ec" + }, + "InstalledVersion": "1.1.0", + "FixedVersion": "1.5.3", + "Status": "fixed", + "Layer": { + "Digest": "sha256:372ee704575ced2099853693fdb4f8770cd71b4bfcc2bf639c8e9f9d481ede37", + "DiffID": "sha256:6de27bb627f066285f0628172e686caf3e388a3bf266606c88d619d87d14aae3" + }, + "SeveritySource": "ghsa", + "PrimaryURL": 
"https://avd.aquasec.com/nvd/cve-2022-1537", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Title": "gruntjs: race condition leading to arbitrary file write", + "Description": "file.copy operations in GruntJS are vulnerable to a TOCTOU race condition leading to arbitrary file write in GitHub repository gruntjs/grunt prior to 1.5.3. This vulnerability is capable of arbitrary file writes which can lead to local privilege escalation to the GruntJS user if a lower-privileged user has write access to both source and destination directories as the lower-privileged user can create a symlink to the GruntJS user's .bashrc file or replace /etc/shadow file if the GruntJS user is root.", + "Severity": "HIGH", + "CweIDs": [ + "CWE-367" + ], + "VendorSeverity": { + "ghsa": 3, + "nvd": 3, + "redhat": 3, + "ubuntu": 2 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", + "V3Score": 7 + }, + "nvd": { + "V2Vector": "AV:L/AC:M/Au:N/C:C/I:C/A:C", + "V3Vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", + "V2Score": 6.9, + "V3Score": 7 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "V3Score": 7.8 + } + }, + "References": [ + "https://access.redhat.com/security/cve/CVE-2022-1537", + "https://github.com/gruntjs/grunt", + "https://github.com/gruntjs/grunt/commit/58016ffac5ed9338b63ecc2a63710f5027362bae", + "https://huntr.dev/bounties/0179c3e5-bc02-4fc9-8491-a1a319b51b4d", + "https://lists.debian.org/debian-lts-announce/2023/04/msg00006.html", + "https://nvd.nist.gov/vuln/detail/CVE-2022-1537", + "https://ubuntu.com/security/notices/USN-5847-1", + "https://www.cve.org/CVERecord?id=CVE-2022-1537" + ], + "PublishedDate": "2022-05-10T14:15:08.403Z", + "LastModifiedDate": "2023-04-05T22:15:07.09Z" + }, + { + "VulnerabilityID": "CVE-2022-0436", + "PkgID": "grunt@1.1.0", + "PkgName": "grunt", + 
"PkgPath": "juice-shop/node_modules/grunt/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/grunt@1.1.0", + "UID": "7cf1e2791364a2ec" + }, + "InstalledVersion": "1.1.0", + "FixedVersion": "1.5.2", + "Status": "fixed", + "Layer": { + "Digest": "sha256:372ee704575ced2099853693fdb4f8770cd71b4bfcc2bf639c8e9f9d481ede37", + "DiffID": "sha256:6de27bb627f066285f0628172e686caf3e388a3bf266606c88d619d87d14aae3" + }, + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2022-0436", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Title": "Path Traversal in GitHub repository gruntjs/grunt prior to 1.5.2.", + "Description": "Path Traversal in GitHub repository gruntjs/grunt prior to 1.5.2.", + "Severity": "MEDIUM", + "CweIDs": [ + "CWE-22" + ], + "VendorSeverity": { + "ghsa": 2, + "nvd": 2, + "ubuntu": 3 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", + "V3Score": 5.5 + }, + "nvd": { + "V2Vector": "AV:L/AC:L/Au:N/C:P/I:N/A:N", + "V3Vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", + "V2Score": 2.1, + "V3Score": 5.5 + } + }, + "References": [ + "https://github.com/gruntjs/grunt", + "https://github.com/gruntjs/grunt/commit/aad3d4521c3098fb255fb2db8f2e1d691a033665", + "https://github.com/gruntjs/grunt/commit/aad3d4521c3098fb255fb2db8f2e1d691a033665 (v1.5.0)", + "https://github.com/gruntjs/grunt/commit/b0ec6e12426fc8d5720dee1702f6a67455c5986c", + "https://github.com/gruntjs/grunt/pull/1740", + "https://github.com/gruntjs/grunt/pull/1743", + "https://huntr.dev/bounties/f55315e9-9f6d-4dbb-8c40-bae50c1ae92b", + "https://lists.debian.org/debian-lts-announce/2023/04/msg00008.html", + "https://nvd.nist.gov/vuln/detail/CVE-2022-0436", + "https://ubuntu.com/security/notices/USN-5847-1", + "https://www.cve.org/CVERecord?id=CVE-2022-0436" + ], + "PublishedDate": "2022-04-12T21:15:07.643Z", + 
"LastModifiedDate": "2023-04-06T15:15:08.727Z" + }, + { + "VulnerabilityID": "CVE-2021-23362", + "PkgID": "hosted-git-info@2.8.8", + "PkgName": "hosted-git-info", + "PkgPath": "juice-shop/node_modules/hosted-git-info/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/hosted-git-info@2.8.8", + "UID": "79cc7123067c5444" + }, + "InstalledVersion": "2.8.8", + "FixedVersion": "2.8.9, 3.0.8", + "Status": "fixed", + "Layer": { + "Digest": "sha256:372ee704575ced2099853693fdb4f8770cd71b4bfcc2bf639c8e9f9d481ede37", + "DiffID": "sha256:6de27bb627f066285f0628172e686caf3e388a3bf266606c88d619d87d14aae3" + }, + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2021-23362", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Title": "nodejs-hosted-git-info: Regular Expression denial of service via shortcutMatch in fromUrl()", + "Description": "The package hosted-git-info before 3.0.8 are vulnerable to Regular Expression Denial of Service (ReDoS) via regular expression shortcutMatch in the fromUrl function in index.js. 
The affected regular expression exhibits polynomial worst-case time complexity.", + "Severity": "MEDIUM", + "CweIDs": [ + "CWE-1333" + ], + "VendorSeverity": { + "alma": 2, + "ghsa": 2, + "nvd": 2, + "oracle-oval": 2, + "redhat": 2 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", + "V3Score": 5.3 + }, + "nvd": { + "V2Vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P", + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", + "V2Score": 5, + "V3Score": 5.3 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", + "V3Score": 5.3 + } + }, + "References": [ + "https://access.redhat.com/security/cve/CVE-2021-23362", + "https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf", + "https://errata.almalinux.org/8/ALSA-2021-3074.html", + "https://github.com/npm/hosted-git-info", + "https://github.com/npm/hosted-git-info/commit/29adfe5ef789784c861b2cdeb15051ec2ba651a7", + "https://github.com/npm/hosted-git-info/commit/8d4b3697d79bcd89cdb36d1db165e3696c783a01", + "https://github.com/npm/hosted-git-info/commit/bede0dc38e1785e732bf0a48ba6f81a4a908eba3", + "https://github.com/npm/hosted-git-info/commits/v2", + "https://github.com/npm/hosted-git-info/pull/76", + "https://linux.oracle.com/cve/CVE-2021-23362.html", + "https://linux.oracle.com/errata/ELSA-2021-3074.html", + "https://nvd.nist.gov/vuln/detail/CVE-2021-23362", + "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1088356", + "https://snyk.io/vuln/SNYK-JS-HOSTEDGITINFO-1088355", + "https://www.cve.org/CVERecord?id=CVE-2021-23362" + ], + "PublishedDate": "2021-03-23T17:15:14.027Z", + "LastModifiedDate": "2023-08-08T14:22:24.967Z" + }, + { + "VulnerabilityID": "CVE-2021-23362", + "PkgID": "hosted-git-info@2.8.8", + "PkgName": "hosted-git-info", + "PkgPath": "usr/local/lib/node_modules/npm/node_modules/hosted-git-info/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/hosted-git-info@2.8.8", + "UID": "a679b1f7169f97c2" + }, + "InstalledVersion": "2.8.8", + 
"FixedVersion": "2.8.9, 3.0.8", + "Status": "fixed", + "Layer": { + "Digest": "sha256:1e6875f31a79a89ba75198be98bcf8542ebf5bedc72e713643f8051c1de5f953", + "DiffID": "sha256:b745c9620c42ed8b3d44112811e039e9e673072cef3bb5740bb1d560a40b1f8a" + }, + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2021-23362", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Title": "nodejs-hosted-git-info: Regular Expression denial of service via shortcutMatch in fromUrl()", + "Description": "The package hosted-git-info before 3.0.8 are vulnerable to Regular Expression Denial of Service (ReDoS) via regular expression shortcutMatch in the fromUrl function in index.js. The affected regular expression exhibits polynomial worst-case time complexity.", + "Severity": "MEDIUM", + "CweIDs": [ + "CWE-1333" + ], + "VendorSeverity": { + "alma": 2, + "ghsa": 2, + "nvd": 2, + "oracle-oval": 2, + "redhat": 2 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", + "V3Score": 5.3 + }, + "nvd": { + "V2Vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P", + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", + "V2Score": 5, + "V3Score": 5.3 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", + "V3Score": 5.3 + } + }, + "References": [ + "https://access.redhat.com/security/cve/CVE-2021-23362", + "https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf", + "https://errata.almalinux.org/8/ALSA-2021-3074.html", + "https://github.com/npm/hosted-git-info", + "https://github.com/npm/hosted-git-info/commit/29adfe5ef789784c861b2cdeb15051ec2ba651a7", + "https://github.com/npm/hosted-git-info/commit/8d4b3697d79bcd89cdb36d1db165e3696c783a01", + "https://github.com/npm/hosted-git-info/commit/bede0dc38e1785e732bf0a48ba6f81a4a908eba3", + "https://github.com/npm/hosted-git-info/commits/v2", + 
"https://github.com/npm/hosted-git-info/pull/76", + "https://linux.oracle.com/cve/CVE-2021-23362.html", + "https://linux.oracle.com/errata/ELSA-2021-3074.html", + "https://nvd.nist.gov/vuln/detail/CVE-2021-23362", + "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1088356", + "https://snyk.io/vuln/SNYK-JS-HOSTEDGITINFO-1088355", + "https://www.cve.org/CVERecord?id=CVE-2021-23362" + ], + "PublishedDate": "2021-03-23T17:15:14.027Z", + "LastModifiedDate": "2023-08-08T14:22:24.967Z" + }, + { + "VulnerabilityID": "CVE-2022-25881", + "PkgID": "http-cache-semantics@3.8.1", + "PkgName": "http-cache-semantics", + "PkgPath": "juice-shop/node_modules/http-cache-semantics/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/http-cache-semantics@3.8.1", + "UID": "868c747b9b0d5ddb" + }, + "InstalledVersion": "3.8.1", + "FixedVersion": "4.1.1", + "Status": "fixed", + "Layer": { + "Digest": "sha256:372ee704575ced2099853693fdb4f8770cd71b4bfcc2bf639c8e9f9d481ede37", + "DiffID": "sha256:6de27bb627f066285f0628172e686caf3e388a3bf266606c88d619d87d14aae3" + }, + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2022-25881", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Title": "http-cache-semantics: Regular Expression Denial of Service (ReDoS) vulnerability", + "Description": "This affects versions of the package http-cache-semantics before 4.1.1. 
The issue can be exploited via malicious request header values sent to a server, when that server reads the cache policy from the request using this library.\r\r", + "Severity": "HIGH", + "CweIDs": [ + "CWE-1333" + ], + "VendorSeverity": { + "alma": 2, + "amazon": 3, + "cbl-mariner": 3, + "ghsa": 3, + "nvd": 3, + "oracle-oval": 2, + "redhat": 2, + "rocky": 2 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 7.5 + }, + "nvd": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 7.5 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 7.5 + } + }, + "References": [ + "https://access.redhat.com/errata/RHSA-2023:2655", + "https://access.redhat.com/security/cve/CVE-2022-25881", + "https://bugzilla.redhat.com/2165824", + "https://bugzilla.redhat.com/2168631", + "https://bugzilla.redhat.com/2171935", + "https://bugzilla.redhat.com/2172190", + "https://bugzilla.redhat.com/2172204", + "https://bugzilla.redhat.com/2172217", + "https://bugzilla.redhat.com/show_bug.cgi?id=2165824", + "https://bugzilla.redhat.com/show_bug.cgi?id=2168631", + "https://bugzilla.redhat.com/show_bug.cgi?id=2171935", + "https://bugzilla.redhat.com/show_bug.cgi?id=2172190", + "https://bugzilla.redhat.com/show_bug.cgi?id=2172204", + "https://bugzilla.redhat.com/show_bug.cgi?id=2172217", + "https://bugzilla.redhat.com/show_bug.cgi?id=2178076", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-25881", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-4904", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-23918", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-23920", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-23936", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-24807", + "https://errata.almalinux.org/9/ALSA-2023-2655.html", + "https://errata.rockylinux.org/RLSA-2023:2655", + 
"https://github.com/kornelski/http-cache-semantics", + "https://github.com/kornelski/http-cache-semantics/blob/master/index.js%23L83", + "https://github.com/kornelski/http-cache-semantics/commit/560b2d8ef452bbba20ffed69dc155d63ac757b74", + "https://linux.oracle.com/cve/CVE-2022-25881.html", + "https://linux.oracle.com/errata/ELSA-2023-2655.html", + "https://nvd.nist.gov/vuln/detail/CVE-2022-25881", + "https://security.netapp.com/advisory/ntap-20230622-0008", + "https://security.netapp.com/advisory/ntap-20230622-0008/", + "https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-3253332", + "https://security.snyk.io/vuln/SNYK-JS-HTTPCACHESEMANTICS-3248783", + "https://www.cve.org/CVERecord?id=CVE-2022-25881" + ], + "PublishedDate": "2023-01-31T05:15:11.81Z", + "LastModifiedDate": "2023-11-07T03:44:51.8Z" + }, + { + "VulnerabilityID": "CVE-2022-25881", + "PkgID": "http-cache-semantics@3.8.1", + "PkgName": "http-cache-semantics", + "PkgPath": "usr/local/lib/node_modules/npm/node_modules/http-cache-semantics/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/http-cache-semantics@3.8.1", + "UID": "e38c4ff794b1dfac" + }, + "InstalledVersion": "3.8.1", + "FixedVersion": "4.1.1", + "Status": "fixed", + "Layer": { + "Digest": "sha256:1e6875f31a79a89ba75198be98bcf8542ebf5bedc72e713643f8051c1de5f953", + "DiffID": "sha256:b745c9620c42ed8b3d44112811e039e9e673072cef3bb5740bb1d560a40b1f8a" + }, + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2022-25881", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Title": "http-cache-semantics: Regular Expression Denial of Service (ReDoS) vulnerability", + "Description": "This affects versions of the package http-cache-semantics before 4.1.1. 
The issue can be exploited via malicious request header values sent to a server, when that server reads the cache policy from the request using this library.\r\r", + "Severity": "HIGH", + "CweIDs": [ + "CWE-1333" + ], + "VendorSeverity": { + "alma": 2, + "amazon": 3, + "cbl-mariner": 3, + "ghsa": 3, + "nvd": 3, + "oracle-oval": 2, + "redhat": 2, + "rocky": 2 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 7.5 + }, + "nvd": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 7.5 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 7.5 + } + }, + "References": [ + "https://access.redhat.com/errata/RHSA-2023:2655", + "https://access.redhat.com/security/cve/CVE-2022-25881", + "https://bugzilla.redhat.com/2165824", + "https://bugzilla.redhat.com/2168631", + "https://bugzilla.redhat.com/2171935", + "https://bugzilla.redhat.com/2172190", + "https://bugzilla.redhat.com/2172204", + "https://bugzilla.redhat.com/2172217", + "https://bugzilla.redhat.com/show_bug.cgi?id=2165824", + "https://bugzilla.redhat.com/show_bug.cgi?id=2168631", + "https://bugzilla.redhat.com/show_bug.cgi?id=2171935", + "https://bugzilla.redhat.com/show_bug.cgi?id=2172190", + "https://bugzilla.redhat.com/show_bug.cgi?id=2172204", + "https://bugzilla.redhat.com/show_bug.cgi?id=2172217", + "https://bugzilla.redhat.com/show_bug.cgi?id=2178076", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-25881", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-4904", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-23918", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-23920", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-23936", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-24807", + "https://errata.almalinux.org/9/ALSA-2023-2655.html", + "https://errata.rockylinux.org/RLSA-2023:2655", + 
"https://github.com/kornelski/http-cache-semantics", + "https://github.com/kornelski/http-cache-semantics/blob/master/index.js%23L83", + "https://github.com/kornelski/http-cache-semantics/commit/560b2d8ef452bbba20ffed69dc155d63ac757b74", + "https://linux.oracle.com/cve/CVE-2022-25881.html", + "https://linux.oracle.com/errata/ELSA-2023-2655.html", + "https://nvd.nist.gov/vuln/detail/CVE-2022-25881", + "https://security.netapp.com/advisory/ntap-20230622-0008", + "https://security.netapp.com/advisory/ntap-20230622-0008/", + "https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-3253332", + "https://security.snyk.io/vuln/SNYK-JS-HTTPCACHESEMANTICS-3248783", + "https://www.cve.org/CVERecord?id=CVE-2022-25881" + ], + "PublishedDate": "2023-01-31T05:15:11.81Z", + "LastModifiedDate": "2023-11-07T03:44:51.8Z" + }, + { + "VulnerabilityID": "CVE-2020-7788", + "PkgID": "ini@1.3.5", + "PkgName": "ini", + "PkgPath": "juice-shop/node_modules/ini/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/ini@1.3.5", + "UID": "acd35b677b88880" + }, + "InstalledVersion": "1.3.5", + "FixedVersion": "1.3.6", + "Status": "fixed", + "Layer": { + "Digest": "sha256:372ee704575ced2099853693fdb4f8770cd71b4bfcc2bf639c8e9f9d481ede37", + "DiffID": "sha256:6de27bb627f066285f0628172e686caf3e388a3bf266606c88d619d87d14aae3" + }, + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2020-7788", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Title": "nodejs-ini: Prototype pollution via malicious INI file", + "Description": "This affects the package ini before 1.3.6. If an attacker submits a malicious INI file to an application that parses it with ini.parse, they will pollute the prototype on the application. 
This can be exploited further depending on the context.", + "Severity": "HIGH", + "CweIDs": [ + "CWE-1321" + ], + "VendorSeverity": { + "alma": 2, + "ghsa": 3, + "nvd": 4, + "oracle-oval": 2, + "redhat": 2, + "ubuntu": 2 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", + "V3Score": 7.3 + }, + "nvd": { + "V2Vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P", + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "V2Score": 7.5, + "V3Score": 9.8 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", + "V3Score": 7.3 + } + }, + "References": [ + "https://access.redhat.com/errata/RHSA-2022:6595", + "https://access.redhat.com/security/cve/CVE-2020-7788", + "https://bugzilla.redhat.com/1907444", + "https://bugzilla.redhat.com/1945459", + "https://bugzilla.redhat.com/1964461", + "https://bugzilla.redhat.com/2007557", + "https://bugzilla.redhat.com/2098556", + "https://bugzilla.redhat.com/2102001", + "https://bugzilla.redhat.com/2105422", + "https://bugzilla.redhat.com/2105426", + "https://bugzilla.redhat.com/2105428", + "https://bugzilla.redhat.com/2105430", + "https://errata.almalinux.org/9/ALSA-2022-6595.html", + "https://github.com/npm/ini", + "https://github.com/npm/ini/commit/56d2805e07ccd94e2ba0984ac9240ff02d44b6f1", + "https://github.com/npm/ini/commit/56d2805e07ccd94e2ba0984ac9240ff02d44b6f1 (v1.3.6)", + "https://linux.oracle.com/cve/CVE-2020-7788.html", + "https://linux.oracle.com/errata/ELSA-2022-6595.html", + "https://lists.debian.org/debian-lts-announce/2020/12/msg00032.html", + "https://nvd.nist.gov/vuln/detail/CVE-2020-7788", + "https://snyk.io/vuln/SNYK-JS-INI-1048974", + "https://www.cve.org/CVERecord?id=CVE-2020-7788", + "https://www.npmjs.com/advisories/1589" + ], + "PublishedDate": "2020-12-11T11:15:11.447Z", + "LastModifiedDate": "2022-12-02T19:40:15.55Z" + }, + { + "VulnerabilityID": "CVE-2020-7788", + "PkgID": "ini@1.3.5", + "PkgName": "ini", + "PkgPath": 
"usr/local/lib/node_modules/npm/node_modules/ini/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/ini@1.3.5", + "UID": "b9d8eb81a1f94186" + }, + "InstalledVersion": "1.3.5", + "FixedVersion": "1.3.6", + "Status": "fixed", + "Layer": { + "Digest": "sha256:1e6875f31a79a89ba75198be98bcf8542ebf5bedc72e713643f8051c1de5f953", + "DiffID": "sha256:b745c9620c42ed8b3d44112811e039e9e673072cef3bb5740bb1d560a40b1f8a" + }, + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2020-7788", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Title": "nodejs-ini: Prototype pollution via malicious INI file", + "Description": "This affects the package ini before 1.3.6. If an attacker submits a malicious INI file to an application that parses it with ini.parse, they will pollute the prototype on the application. This can be exploited further depending on the context.", + "Severity": "HIGH", + "CweIDs": [ + "CWE-1321" + ], + "VendorSeverity": { + "alma": 2, + "ghsa": 3, + "nvd": 4, + "oracle-oval": 2, + "redhat": 2, + "ubuntu": 2 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", + "V3Score": 7.3 + }, + "nvd": { + "V2Vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P", + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "V2Score": 7.5, + "V3Score": 9.8 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", + "V3Score": 7.3 + } + }, + "References": [ + "https://access.redhat.com/errata/RHSA-2022:6595", + "https://access.redhat.com/security/cve/CVE-2020-7788", + "https://bugzilla.redhat.com/1907444", + "https://bugzilla.redhat.com/1945459", + "https://bugzilla.redhat.com/1964461", + "https://bugzilla.redhat.com/2007557", + "https://bugzilla.redhat.com/2098556", + "https://bugzilla.redhat.com/2102001", + "https://bugzilla.redhat.com/2105422", + "https://bugzilla.redhat.com/2105426", + 
"https://bugzilla.redhat.com/2105428", + "https://bugzilla.redhat.com/2105430", + "https://errata.almalinux.org/9/ALSA-2022-6595.html", + "https://github.com/npm/ini", + "https://github.com/npm/ini/commit/56d2805e07ccd94e2ba0984ac9240ff02d44b6f1", + "https://github.com/npm/ini/commit/56d2805e07ccd94e2ba0984ac9240ff02d44b6f1 (v1.3.6)", + "https://linux.oracle.com/cve/CVE-2020-7788.html", + "https://linux.oracle.com/errata/ELSA-2022-6595.html", + "https://lists.debian.org/debian-lts-announce/2020/12/msg00032.html", + "https://nvd.nist.gov/vuln/detail/CVE-2020-7788", + "https://snyk.io/vuln/SNYK-JS-INI-1048974", + "https://www.cve.org/CVERecord?id=CVE-2020-7788", + "https://www.npmjs.com/advisories/1589" + ], + "PublishedDate": "2020-12-11T11:15:11.447Z", + "LastModifiedDate": "2022-12-02T19:40:15.55Z" + }, + { + "VulnerabilityID": "CVE-2024-29415", + "PkgID": "ip@1.1.5", + "PkgName": "ip", + "PkgPath": "usr/local/lib/node_modules/npm/node_modules/ip/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/ip@1.1.5", + "UID": "c205c9c968b8c15c" + }, + "InstalledVersion": "1.1.5", + "Status": "affected", + "Layer": { + "Digest": "sha256:1e6875f31a79a89ba75198be98bcf8542ebf5bedc72e713643f8051c1de5f953", + "DiffID": "sha256:b745c9620c42ed8b3d44112811e039e9e673072cef3bb5740bb1d560a40b1f8a" + }, + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2024-29415", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Title": "node-ip: Incomplete fix for CVE-2023-42282", + "Description": "The ip package through 2.0.1 for Node.js might allow SSRF because some IP addresses (such as 127.1, 01200034567, 012.1.2.3, 000:0:0000::01, and ::fFFf:127.0.0.1) are improperly categorized as globally routable via isPublic. 
NOTE: this issue exists because of an incomplete fix for CVE-2023-42282.", + "Severity": "HIGH", + "CweIDs": [ + "CWE-918", + "CWE-941" + ], + "VendorSeverity": { + "ghsa": 3, + "redhat": 3 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "V3Score": 8.1 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "V3Score": 9.8 + } + }, + "References": [ + "https://access.redhat.com/security/cve/CVE-2024-29415", + "https://cosmosofcyberspace.github.io/npm_ip_cve/npm_ip_cve.html", + "https://github.com/indutny/node-ip", + "https://github.com/indutny/node-ip/issues/150", + "https://github.com/indutny/node-ip/pull/143", + "https://github.com/indutny/node-ip/pull/144", + "https://nvd.nist.gov/vuln/detail/CVE-2024-29415", + "https://www.cve.org/CVERecord?id=CVE-2024-29415" + ], + "PublishedDate": "2024-05-27T20:15:08.97Z", + "LastModifiedDate": "2024-08-16T14:35:01.26Z" + }, + { + "VulnerabilityID": "CVE-2023-42282", + "PkgID": "ip@1.1.5", + "PkgName": "ip", + "PkgPath": "usr/local/lib/node_modules/npm/node_modules/ip/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/ip@1.1.5", + "UID": "c205c9c968b8c15c" + }, + "InstalledVersion": "1.1.5", + "FixedVersion": "2.0.1, 1.1.9", + "Status": "fixed", + "Layer": { + "Digest": "sha256:1e6875f31a79a89ba75198be98bcf8542ebf5bedc72e713643f8051c1de5f953", + "DiffID": "sha256:b745c9620c42ed8b3d44112811e039e9e673072cef3bb5740bb1d560a40b1f8a" + }, + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2023-42282", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Title": "nodejs-ip: arbitrary code execution via the isPublic() function", + "Description": "The ip package before 1.1.9 for Node.js might allow SSRF because some IP addresses (such as 0x7f.1) are improperly categorized as globally routable via isPublic.", + "Severity": 
"LOW", + "CweIDs": [ + "CWE-918" + ], + "VendorSeverity": { + "azure": 4, + "cbl-mariner": 4, + "ghsa": 1, + "nvd": 4, + "redhat": 3, + "ubuntu": 2 + }, + "CVSS": { + "nvd": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "V3Score": 9.8 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "V3Score": 9.8 + } + }, + "References": [ + "https://access.redhat.com/security/cve/CVE-2023-42282", + "https://cosmosofcyberspace.github.io/npm_ip_cve/npm_ip_cve.html", + "https://github.com/JoshGlazebrook/socks/issues/93#issue-2128357447", + "https://github.com/github/advisory-database/pull/3504#issuecomment-1937179999", + "https://github.com/indutny/node-ip", + "https://github.com/indutny/node-ip/commit/32f468f1245574785ec080705737a579be1223aa", + "https://github.com/indutny/node-ip/commit/6a3ada9b471b09d5f0f5be264911ab564bf67894", + "https://github.com/indutny/node-ip/pull/138", + "https://huntr.com/bounties/bfc3b23f-ddc0-4ee7-afab-223b07115ed3/", + "https://nvd.nist.gov/vuln/detail/CVE-2023-42282", + "https://security.netapp.com/advisory/ntap-20240315-0008/", + "https://ubuntu.com/security/notices/USN-6643-1", + "https://www.bleepingcomputer.com/news/security/dev-rejects-cve-severity-makes-his-github-repo-read-only/", + "https://www.cve.org/CVERecord?id=CVE-2023-42282" + ], + "PublishedDate": "2024-02-08T17:15:10.84Z", + "LastModifiedDate": "2024-10-09T15:14:21.817Z" + }, + { + "VulnerabilityID": "CVE-2021-3918", + "PkgID": "json-schema@0.2.3", + "PkgName": "json-schema", + "PkgPath": "juice-shop/node_modules/json-schema/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/json-schema@0.2.3", + "UID": "a95b849c2e02b2a2" + }, + "InstalledVersion": "0.2.3", + "FixedVersion": "0.4.0", + "Status": "fixed", + "Layer": { + "Digest": "sha256:372ee704575ced2099853693fdb4f8770cd71b4bfcc2bf639c8e9f9d481ede37", + "DiffID": "sha256:6de27bb627f066285f0628172e686caf3e388a3bf266606c88d619d87d14aae3" + }, + "SeveritySource": "ghsa", + 
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2021-3918", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Title": "nodejs-json-schema: Prototype pollution vulnerability", + "Description": "json-schema is vulnerable to Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')", + "Severity": "CRITICAL", + "CweIDs": [ + "CWE-1321" + ], + "VendorSeverity": { + "alma": 2, + "ghsa": 4, + "nvd": 4, + "oracle-oval": 2, + "redhat": 3, + "ubuntu": 2 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "V3Score": 9.8 + }, + "nvd": { + "V2Vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P", + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "V2Score": 7.5, + "V3Score": 9.8 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "V3Score": 9.8 + } + }, + "References": [ + "https://access.redhat.com/security/cve/CVE-2021-3918", + "https://errata.almalinux.org/8/ALSA-2022-0350.html", + "https://github.com/kriszyp/json-schema", + "https://github.com/kriszyp/json-schema/commit/22f146111f541d9737e832823699ad3528ca7741", + "https://github.com/kriszyp/json-schema/commit/22f146111f541d9737e832823699ad3528ca7741 (v0.4.0)", + "https://github.com/kriszyp/json-schema/commit/b62f1da1ff5442f23443d6be6a92d00e65cba93a", + "https://github.com/kriszyp/json-schema/commit/f6f6a3b02d667aa4ba2d5d50cc19208c4462abfa", + "https://huntr.dev/bounties/bb6ccd63-f505-4e3a-b55f-cd2662c261a9", + "https://linux.oracle.com/cve/CVE-2021-3918.html", + "https://linux.oracle.com/errata/ELSA-2022-0350.html", + "https://lists.debian.org/debian-lts-announce/2022/12/msg00013.html", + "https://nvd.nist.gov/vuln/detail/CVE-2021-3918", + "https://ubuntu.com/security/notices/USN-6103-1", + "https://www.cve.org/CVERecord?id=CVE-2021-3918" + ], + "PublishedDate": "2021-11-13T09:15:06.737Z", + "LastModifiedDate": 
"2023-02-03T19:15:59.437Z" + }, + { + "VulnerabilityID": "CVE-2021-3918", + "PkgID": "json-schema@0.2.3", + "PkgName": "json-schema", + "PkgPath": "usr/local/lib/node_modules/npm/node_modules/json-schema/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/json-schema@0.2.3", + "UID": "e6e8892303068e66" + }, + "InstalledVersion": "0.2.3", + "FixedVersion": "0.4.0", + "Status": "fixed", + "Layer": { + "Digest": "sha256:1e6875f31a79a89ba75198be98bcf8542ebf5bedc72e713643f8051c1de5f953", + "DiffID": "sha256:b745c9620c42ed8b3d44112811e039e9e673072cef3bb5740bb1d560a40b1f8a" + }, + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2021-3918", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Title": "nodejs-json-schema: Prototype pollution vulnerability", + "Description": "json-schema is vulnerable to Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')", + "Severity": "CRITICAL", + "CweIDs": [ + "CWE-1321" + ], + "VendorSeverity": { + "alma": 2, + "ghsa": 4, + "nvd": 4, + "oracle-oval": 2, + "redhat": 3, + "ubuntu": 2 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "V3Score": 9.8 + }, + "nvd": { + "V2Vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P", + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "V2Score": 7.5, + "V3Score": 9.8 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "V3Score": 9.8 + } + }, + "References": [ + "https://access.redhat.com/security/cve/CVE-2021-3918", + "https://errata.almalinux.org/8/ALSA-2022-0350.html", + "https://github.com/kriszyp/json-schema", + "https://github.com/kriszyp/json-schema/commit/22f146111f541d9737e832823699ad3528ca7741", + "https://github.com/kriszyp/json-schema/commit/22f146111f541d9737e832823699ad3528ca7741 (v0.4.0)", + 
"https://github.com/kriszyp/json-schema/commit/b62f1da1ff5442f23443d6be6a92d00e65cba93a", + "https://github.com/kriszyp/json-schema/commit/f6f6a3b02d667aa4ba2d5d50cc19208c4462abfa", + "https://huntr.dev/bounties/bb6ccd63-f505-4e3a-b55f-cd2662c261a9", + "https://linux.oracle.com/cve/CVE-2021-3918.html", + "https://linux.oracle.com/errata/ELSA-2022-0350.html", + "https://lists.debian.org/debian-lts-announce/2022/12/msg00013.html", + "https://nvd.nist.gov/vuln/detail/CVE-2021-3918", + "https://ubuntu.com/security/notices/USN-6103-1", + "https://www.cve.org/CVERecord?id=CVE-2021-3918" + ], + "PublishedDate": "2021-11-13T09:15:06.737Z", + "LastModifiedDate": "2023-02-03T19:15:59.437Z" + }, + { + "VulnerabilityID": "CVE-2022-46175", + "PkgID": "json5@2.1.3", + "PkgName": "json5", + "PkgPath": "juice-shop/node_modules/json5/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/json5@2.1.3", + "UID": "43bdf1ed8d0f6229" + }, + "InstalledVersion": "2.1.3", + "FixedVersion": "2.2.2, 1.0.2", + "Status": "fixed", + "Layer": { + "Digest": "sha256:372ee704575ced2099853693fdb4f8770cd71b4bfcc2bf639c8e9f9d481ede37", + "DiffID": "sha256:6de27bb627f066285f0628172e686caf3e388a3bf266606c88d619d87d14aae3" + }, + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2022-46175", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Title": "json5: Prototype Pollution in JSON5 via Parse Method", + "Description": "JSON5 is an extension to the popular JSON file format that aims to be easier to write and maintain by hand (e.g. for config files). The `parse` method of the JSON5 library before and including versions 1.0.1 and 2.2.1 does not restrict parsing of keys named `__proto__`, allowing specially crafted strings to pollute the prototype of the resulting object. 
This vulnerability pollutes the prototype of the object returned by `JSON5.parse` and not the global Object prototype, which is the commonly understood definition of Prototype Pollution. However, polluting the prototype of a single object can have significant security impact for an application if the object is later used in trusted operations. This vulnerability could allow an attacker to set arbitrary and unexpected keys on the object returned from `JSON5.parse`. The actual impact will depend on how applications utilize the returned object and how they filter unwanted keys, but could include denial of service, cross-site scripting, elevation of privilege, and in extreme cases, remote code execution. `JSON5.parse` should restrict parsing of `__proto__` keys when parsing JSON strings to objects. As a point of reference, the `JSON.parse` method included in JavaScript ignores `__proto__` keys. Simply changing `JSON5.parse` to `JSON.parse` in the examples above mitigates this vulnerability. 
This vulnerability is patched in json5 versions 1.0.2, 2.2.2, and later.", + "Severity": "HIGH", + "CweIDs": [ + "CWE-1321" + ], + "VendorSeverity": { + "azure": 3, + "ghsa": 3, + "nvd": 3, + "redhat": 2, + "ubuntu": 2 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:H", + "V3Score": 7.1 + }, + "nvd": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "V3Score": 8.8 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "V3Score": 8.8 + } + }, + "References": [ + "https://access.redhat.com/security/cve/CVE-2022-46175", + "https://github.com/json5/json5", + "https://github.com/json5/json5/commit/62a65408408d40aeea14c7869ed327acead12972", + "https://github.com/json5/json5/commit/7774c1097993bc3ce9f0ac4b722a32bf7d6871c8", + "https://github.com/json5/json5/issues/199", + "https://github.com/json5/json5/issues/295", + "https://github.com/json5/json5/pull/298", + "https://github.com/json5/json5/security/advisories/GHSA-9c47-m6qq-7p4h", + "https://lists.debian.org/debian-lts-announce/2023/11/msg00021.html", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3S26TLPLVFAJTUN3VIXFDEBEXDYO22CE/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3S26TLPLVFAJTUN3VIXFDEBEXDYO22CE", + "https://nvd.nist.gov/vuln/detail/CVE-2022-46175", + "https://ubuntu.com/security/notices/USN-6758-1", + "https://www.cve.org/CVERecord?id=CVE-2022-46175" + ], + "PublishedDate": "2022-12-24T04:15:08.787Z", + "LastModifiedDate": "2023-11-26T01:15:07.177Z" + }, + { + "VulnerabilityID": "CVE-2015-9235", + "PkgID": "jsonwebtoken@0.1.0", + "PkgName": "jsonwebtoken", + "PkgPath": "juice-shop/node_modules/express-jwt/node_modules/jsonwebtoken/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/jsonwebtoken@0.1.0", + "UID": "324977895803c3d7" + }, + "InstalledVersion": "0.1.0", + "FixedVersion": "4.2.2", + "Status": "fixed", + 
"Layer": { + "Digest": "sha256:372ee704575ced2099853693fdb4f8770cd71b4bfcc2bf639c8e9f9d481ede37", + "DiffID": "sha256:6de27bb627f066285f0628172e686caf3e388a3bf266606c88d619d87d14aae3" + }, + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2015-9235", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Title": "nodejs-jsonwebtoken: verification step bypass with an altered token", + "Description": "In jsonwebtoken node module before 4.2.2 it is possible for an attacker to bypass verification when a token digitally signed with an asymmetric key (RS/ES family) of algorithms but instead the attacker send a token digitally signed with a symmetric algorithm (HS* family).", + "Severity": "CRITICAL", + "CweIDs": [ + "CWE-327", + "CWE-20" + ], + "VendorSeverity": { + "ghsa": 4, + "nvd": 4, + "redhat": 3 + }, + "CVSS": { + "nvd": { + "V2Vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P", + "V3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "V2Score": 7.5, + "V3Score": 9.8 + }, + "redhat": { + "V3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", + "V3Score": 7.3 + } + }, + "References": [ + "https://access.redhat.com/security/cve/CVE-2015-9235", + "https://auth0.com/blog/2015/03/31/critical-vulnerabilities-in-json-web-token-libraries", + "https://auth0.com/blog/2015/03/31/critical-vulnerabilities-in-json-web-token-libraries/", + "https://github.com/advisories/GHSA-c7hr-j4mj-j2w6", + "https://github.com/auth0/node-jsonwebtoken/commit/1bb584bc382295eeb7ee8c4452a673a77a68b687", + "https://nodesecurity.io/advisories/17", + "https://nvd.nist.gov/vuln/detail/CVE-2015-9235", + "https://www.cve.org/CVERecord?id=CVE-2015-9235", + "https://www.npmjs.com/advisories/17", + "https://www.timmclean.net/2015/02/25/jwt-alg-none.html" + ], + "PublishedDate": "2018-05-29T20:29:00.33Z", + "LastModifiedDate": "2019-10-09T23:15:57.76Z" + }, + { + 
"VulnerabilityID": "CVE-2022-23539", + "PkgID": "jsonwebtoken@0.1.0", + "PkgName": "jsonwebtoken", + "PkgPath": "juice-shop/node_modules/express-jwt/node_modules/jsonwebtoken/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/jsonwebtoken@0.1.0", + "UID": "324977895803c3d7" + }, + "InstalledVersion": "0.1.0", + "FixedVersion": "9.0.0", + "Status": "fixed", + "Layer": { + "Digest": "sha256:372ee704575ced2099853693fdb4f8770cd71b4bfcc2bf639c8e9f9d481ede37", + "DiffID": "sha256:6de27bb627f066285f0628172e686caf3e388a3bf266606c88d619d87d14aae3" + }, + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2022-23539", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Title": "jsonwebtoken: Unrestricted key type could lead to legacy keys usagen", + "Description": "Versions `\u003c=8.5.1` of `jsonwebtoken` library could be misconfigured so that legacy, insecure key types are used for signature verification. For example, DSA keys could be used with the RS256 algorithm. You are affected if you are using an algorithm and a key type other than a combination listed in the GitHub Security Advisory as unaffected. This issue has been fixed, please update to version 9.0.0. This version validates for asymmetric key type and algorithm combinations. Please refer to the above mentioned algorithm / key type combinations for the valid secure configuration. 
After updating to version 9.0.0, if you still intend to continue with signing or verifying tokens using invalid key type/algorithm value combinations, you’ll need to set the `allowInvalidAsymmetricKeyTypes` option to `true` in the `sign()` and/or `verify()` functions.", + "Severity": "HIGH", + "CweIDs": [ + "CWE-327" + ], + "VendorSeverity": { + "ghsa": 3, + "nvd": 3, + "redhat": 2 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", + "V3Score": 8.1 + }, + "nvd": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", + "V3Score": 8.1 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", + "V3Score": 8.1 + } + }, + "References": [ + "https://access.redhat.com/security/cve/CVE-2022-23539", + "https://github.com/auth0/node-jsonwebtoken", + "https://github.com/auth0/node-jsonwebtoken/commit/e1fa9dcc12054a8681db4e6373da1b30cf7016e3", + "https://github.com/auth0/node-jsonwebtoken/security/advisories/GHSA-8cf7-32gw-wr33", + "https://nvd.nist.gov/vuln/detail/CVE-2022-23539", + "https://security.netapp.com/advisory/ntap-20240621-0007", + "https://security.netapp.com/advisory/ntap-20240621-0007/", + "https://www.cve.org/CVERecord?id=CVE-2022-23539" + ], + "PublishedDate": "2022-12-23T00:15:12.347Z", + "LastModifiedDate": "2024-06-21T19:15:22.683Z" + }, + { + "VulnerabilityID": "NSWG-ECO-17", + "PkgID": "jsonwebtoken@0.1.0", + "PkgName": "jsonwebtoken", + "PkgPath": "juice-shop/node_modules/express-jwt/node_modules/jsonwebtoken/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/jsonwebtoken@0.1.0", + "UID": "324977895803c3d7" + }, + "InstalledVersion": "0.1.0", + "FixedVersion": "\u003e=4.2.2", + "Status": "fixed", + "Layer": { + "Digest": "sha256:372ee704575ced2099853693fdb4f8770cd71b4bfcc2bf639c8e9f9d481ede37", + "DiffID": "sha256:6de27bb627f066285f0628172e686caf3e388a3bf266606c88d619d87d14aae3" + }, + "SeveritySource": "nodejs-security-wg", + "DataSource": { + "ID": "nodejs-security-wg", + 
"Name": "Node.js Ecosystem Security Working Group", + "URL": "https://github.com/nodejs/security-wg" + }, + "Title": "Verification Bypass", + "Description": "It is possible for an attacker to bypass verification when \"a token digitally signed with an asymetric key (RS/ES family) of algorithms but instead the attacker send a token digitally signed with a symmetric algorithm (HS* family)\" [1]", + "Severity": "HIGH", + "VendorSeverity": { + "nodejs-security-wg": 3 + }, + "References": [ + "https://auth0.com/blog/2015/03/31/critical-vulnerabilities-in-json-web-token-libraries/", + "https://github.com/auth0/node-jsonwebtoken/commit/1bb584bc382295eeb7ee8c4452a673a77a68b687", + "https://www.timmclean.net/2015/02/25/jwt-alg-none.html" + ] + }, + { + "VulnerabilityID": "CVE-2022-23540", + "PkgID": "jsonwebtoken@0.1.0", + "PkgName": "jsonwebtoken", + "PkgPath": "juice-shop/node_modules/express-jwt/node_modules/jsonwebtoken/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/jsonwebtoken@0.1.0", + "UID": "324977895803c3d7" + }, + "InstalledVersion": "0.1.0", + "FixedVersion": "9.0.0", + "Status": "fixed", + "Layer": { + "Digest": "sha256:372ee704575ced2099853693fdb4f8770cd71b4bfcc2bf639c8e9f9d481ede37", + "DiffID": "sha256:6de27bb627f066285f0628172e686caf3e388a3bf266606c88d619d87d14aae3" + }, + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2022-23540", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Title": "jsonwebtoken: Insecure default algorithm in jwt.verify() could lead to signature validation bypass", + "Description": "In versions `\u003c=8.5.1` of `jsonwebtoken` library, lack of algorithm definition in the `jwt.verify()` function can lead to signature validation bypass due to defaulting to the `none` algorithm for signature verification. Users are affected if you do not specify algorithms in the `jwt.verify()` function. 
This issue has been fixed, please update to version 9.0.0 which removes the default support for the none algorithm in the `jwt.verify()` method. There will be no impact, if you update to version 9.0.0 and you don’t need to allow for the `none` algorithm. If you need 'none' algorithm, you have to explicitly specify that in `jwt.verify()` options.\n", + "Severity": "MEDIUM", + "CweIDs": [ + "CWE-347", + "CWE-287" + ], + "VendorSeverity": { + "ghsa": 2, + "nvd": 3, + "redhat": 2 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:L", + "V3Score": 6.4 + }, + "nvd": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L", + "V3Score": 7.6 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:L", + "V3Score": 6.4 + } + }, + "References": [ + "https://access.redhat.com/security/cve/CVE-2022-23540", + "https://github.com/auth0/node-jsonwebtoken", + "https://github.com/auth0/node-jsonwebtoken/commit/e1fa9dcc12054a8681db4e6373da1b30cf7016e3", + "https://github.com/auth0/node-jsonwebtoken/security/advisories/GHSA-qwph-4952-7xr6", + "https://nvd.nist.gov/vuln/detail/CVE-2022-23540", + "https://security.netapp.com/advisory/ntap-20240621-0007", + "https://security.netapp.com/advisory/ntap-20240621-0007/", + "https://www.cve.org/CVERecord?id=CVE-2022-23540" + ], + "PublishedDate": "2022-12-22T19:15:08.967Z", + "LastModifiedDate": "2024-06-21T19:15:22.84Z" + }, + { + "VulnerabilityID": "CVE-2022-23541", + "PkgID": "jsonwebtoken@0.1.0", + "PkgName": "jsonwebtoken", + "PkgPath": "juice-shop/node_modules/express-jwt/node_modules/jsonwebtoken/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/jsonwebtoken@0.1.0", + "UID": "324977895803c3d7" + }, + "InstalledVersion": "0.1.0", + "FixedVersion": "9.0.0", + "Status": "fixed", + "Layer": { + "Digest": "sha256:372ee704575ced2099853693fdb4f8770cd71b4bfcc2bf639c8e9f9d481ede37", + "DiffID": "sha256:6de27bb627f066285f0628172e686caf3e388a3bf266606c88d619d87d14aae3" + }, + 
"SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2022-23541", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Title": "jsonwebtoken: Insecure implementation of key retrieval function could lead to Forgeable Public/Private Tokens from RSA to HMAC", + "Description": "jsonwebtoken is an implementation of JSON Web Tokens. Versions `\u003c= 8.5.1` of `jsonwebtoken` library can be misconfigured so that passing a poorly implemented key retrieval function referring to the `secretOrPublicKey` argument from the readme link will result in incorrect verification of tokens. There is a possibility of using a different algorithm and key combination in verification, other than the one that was used to sign the tokens. Specifically, tokens signed with an asymmetric public key could be verified with a symmetric HS256 algorithm. This can lead to successful validation of forged tokens. If your application is supporting usage of both symmetric key and asymmetric key in jwt.verify() implementation with the same key retrieval function. 
This issue has been patched, please update to version 9.0.0.", + "Severity": "MEDIUM", + "CweIDs": [ + "CWE-1259", + "CWE-287" + ], + "VendorSeverity": { + "ghsa": 2, + "nvd": 2, + "redhat": 2 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L", + "V3Score": 5 + }, + "nvd": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", + "V3Score": 6.3 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L", + "V3Score": 5 + } + }, + "References": [ + "https://access.redhat.com/security/cve/CVE-2022-23541", + "https://github.com/auth0/node-jsonwebtoken", + "https://github.com/auth0/node-jsonwebtoken/commit/e1fa9dcc12054a8681db4e6373da1b30cf7016e3", + "https://github.com/auth0/node-jsonwebtoken/releases/tag/v9.0.0", + "https://github.com/auth0/node-jsonwebtoken/security/advisories/GHSA-hjrf-2m68-5959", + "https://nvd.nist.gov/vuln/detail/CVE-2022-23541", + "https://security.netapp.com/advisory/ntap-20240621-0007", + "https://security.netapp.com/advisory/ntap-20240621-0007/", + "https://www.cve.org/CVERecord?id=CVE-2022-23541" + ], + "PublishedDate": "2022-12-22T18:15:09.39Z", + "LastModifiedDate": "2024-06-21T19:15:22.97Z" + }, + { + "VulnerabilityID": "CVE-2015-9235", + "PkgID": "jsonwebtoken@0.4.0", + "PkgName": "jsonwebtoken", + "PkgPath": "juice-shop/node_modules/jsonwebtoken/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/jsonwebtoken@0.4.0", + "UID": "b220953c826bca0" + }, + "InstalledVersion": "0.4.0", + "FixedVersion": "4.2.2", + "Status": "fixed", + "Layer": { + "Digest": "sha256:372ee704575ced2099853693fdb4f8770cd71b4bfcc2bf639c8e9f9d481ede37", + "DiffID": "sha256:6de27bb627f066285f0628172e686caf3e388a3bf266606c88d619d87d14aae3" + }, + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2015-9235", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + 
"Title": "nodejs-jsonwebtoken: verification step bypass with an altered token", + "Description": "In jsonwebtoken node module before 4.2.2 it is possible for an attacker to bypass verification when a token digitally signed with an asymmetric key (RS/ES family) of algorithms but instead the attacker send a token digitally signed with a symmetric algorithm (HS* family).", + "Severity": "CRITICAL", + "CweIDs": [ + "CWE-327", + "CWE-20" + ], + "VendorSeverity": { + "ghsa": 4, + "nvd": 4, + "redhat": 3 + }, + "CVSS": { + "nvd": { + "V2Vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P", + "V3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "V2Score": 7.5, + "V3Score": 9.8 + }, + "redhat": { + "V3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", + "V3Score": 7.3 + } + }, + "References": [ + "https://access.redhat.com/security/cve/CVE-2015-9235", + "https://auth0.com/blog/2015/03/31/critical-vulnerabilities-in-json-web-token-libraries", + "https://auth0.com/blog/2015/03/31/critical-vulnerabilities-in-json-web-token-libraries/", + "https://github.com/advisories/GHSA-c7hr-j4mj-j2w6", + "https://github.com/auth0/node-jsonwebtoken/commit/1bb584bc382295eeb7ee8c4452a673a77a68b687", + "https://nodesecurity.io/advisories/17", + "https://nvd.nist.gov/vuln/detail/CVE-2015-9235", + "https://www.cve.org/CVERecord?id=CVE-2015-9235", + "https://www.npmjs.com/advisories/17", + "https://www.timmclean.net/2015/02/25/jwt-alg-none.html" + ], + "PublishedDate": "2018-05-29T20:29:00.33Z", + "LastModifiedDate": "2019-10-09T23:15:57.76Z" + }, + { + "VulnerabilityID": "CVE-2022-23539", + "PkgID": "jsonwebtoken@0.4.0", + "PkgName": "jsonwebtoken", + "PkgPath": "juice-shop/node_modules/jsonwebtoken/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/jsonwebtoken@0.4.0", + "UID": "b220953c826bca0" + }, + "InstalledVersion": "0.4.0", + "FixedVersion": "9.0.0", + "Status": "fixed", + "Layer": { + "Digest": "sha256:372ee704575ced2099853693fdb4f8770cd71b4bfcc2bf639c8e9f9d481ede37", + "DiffID": 
"sha256:6de27bb627f066285f0628172e686caf3e388a3bf266606c88d619d87d14aae3" + }, + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2022-23539", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Title": "jsonwebtoken: Unrestricted key type could lead to legacy keys usagen", + "Description": "Versions `\u003c=8.5.1` of `jsonwebtoken` library could be misconfigured so that legacy, insecure key types are used for signature verification. For example, DSA keys could be used with the RS256 algorithm. You are affected if you are using an algorithm and a key type other than a combination listed in the GitHub Security Advisory as unaffected. This issue has been fixed, please update to version 9.0.0. This version validates for asymmetric key type and algorithm combinations. Please refer to the above mentioned algorithm / key type combinations for the valid secure configuration. 
After updating to version 9.0.0, if you still intend to continue with signing or verifying tokens using invalid key type/algorithm value combinations, you’ll need to set the `allowInvalidAsymmetricKeyTypes` option to `true` in the `sign()` and/or `verify()` functions.", + "Severity": "HIGH", + "CweIDs": [ + "CWE-327" + ], + "VendorSeverity": { + "ghsa": 3, + "nvd": 3, + "redhat": 2 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", + "V3Score": 8.1 + }, + "nvd": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", + "V3Score": 8.1 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", + "V3Score": 8.1 + } + }, + "References": [ + "https://access.redhat.com/security/cve/CVE-2022-23539", + "https://github.com/auth0/node-jsonwebtoken", + "https://github.com/auth0/node-jsonwebtoken/commit/e1fa9dcc12054a8681db4e6373da1b30cf7016e3", + "https://github.com/auth0/node-jsonwebtoken/security/advisories/GHSA-8cf7-32gw-wr33", + "https://nvd.nist.gov/vuln/detail/CVE-2022-23539", + "https://security.netapp.com/advisory/ntap-20240621-0007", + "https://security.netapp.com/advisory/ntap-20240621-0007/", + "https://www.cve.org/CVERecord?id=CVE-2022-23539" + ], + "PublishedDate": "2022-12-23T00:15:12.347Z", + "LastModifiedDate": "2024-06-21T19:15:22.683Z" + }, + { + "VulnerabilityID": "NSWG-ECO-17", + "PkgID": "jsonwebtoken@0.4.0", + "PkgName": "jsonwebtoken", + "PkgPath": "juice-shop/node_modules/jsonwebtoken/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/jsonwebtoken@0.4.0", + "UID": "b220953c826bca0" + }, + "InstalledVersion": "0.4.0", + "FixedVersion": "\u003e=4.2.2", + "Status": "fixed", + "Layer": { + "Digest": "sha256:372ee704575ced2099853693fdb4f8770cd71b4bfcc2bf639c8e9f9d481ede37", + "DiffID": "sha256:6de27bb627f066285f0628172e686caf3e388a3bf266606c88d619d87d14aae3" + }, + "SeveritySource": "nodejs-security-wg", + "DataSource": { + "ID": "nodejs-security-wg", + "Name": "Node.js Ecosystem 
Security Working Group", + "URL": "https://github.com/nodejs/security-wg" + }, + "Title": "Verification Bypass", + "Description": "It is possible for an attacker to bypass verification when \"a token digitally signed with an asymetric key (RS/ES family) of algorithms but instead the attacker send a token digitally signed with a symmetric algorithm (HS* family)\" [1]", + "Severity": "HIGH", + "VendorSeverity": { + "nodejs-security-wg": 3 + }, + "References": [ + "https://auth0.com/blog/2015/03/31/critical-vulnerabilities-in-json-web-token-libraries/", + "https://github.com/auth0/node-jsonwebtoken/commit/1bb584bc382295eeb7ee8c4452a673a77a68b687", + "https://www.timmclean.net/2015/02/25/jwt-alg-none.html" + ] + }, + { + "VulnerabilityID": "CVE-2022-23540", + "PkgID": "jsonwebtoken@0.4.0", + "PkgName": "jsonwebtoken", + "PkgPath": "juice-shop/node_modules/jsonwebtoken/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/jsonwebtoken@0.4.0", + "UID": "b220953c826bca0" + }, + "InstalledVersion": "0.4.0", + "FixedVersion": "9.0.0", + "Status": "fixed", + "Layer": { + "Digest": "sha256:372ee704575ced2099853693fdb4f8770cd71b4bfcc2bf639c8e9f9d481ede37", + "DiffID": "sha256:6de27bb627f066285f0628172e686caf3e388a3bf266606c88d619d87d14aae3" + }, + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2022-23540", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Title": "jsonwebtoken: Insecure default algorithm in jwt.verify() could lead to signature validation bypass", + "Description": "In versions `\u003c=8.5.1` of `jsonwebtoken` library, lack of algorithm definition in the `jwt.verify()` function can lead to signature validation bypass due to defaulting to the `none` algorithm for signature verification. Users are affected if you do not specify algorithms in the `jwt.verify()` function. 
This issue has been fixed, please update to version 9.0.0 which removes the default support for the none algorithm in the `jwt.verify()` method. There will be no impact, if you update to version 9.0.0 and you don’t need to allow for the `none` algorithm. If you need 'none' algorithm, you have to explicitly specify that in `jwt.verify()` options.\n", + "Severity": "MEDIUM", + "CweIDs": [ + "CWE-347", + "CWE-287" + ], + "VendorSeverity": { + "ghsa": 2, + "nvd": 3, + "redhat": 2 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:L", + "V3Score": 6.4 + }, + "nvd": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L", + "V3Score": 7.6 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:L", + "V3Score": 6.4 + } + }, + "References": [ + "https://access.redhat.com/security/cve/CVE-2022-23540", + "https://github.com/auth0/node-jsonwebtoken", + "https://github.com/auth0/node-jsonwebtoken/commit/e1fa9dcc12054a8681db4e6373da1b30cf7016e3", + "https://github.com/auth0/node-jsonwebtoken/security/advisories/GHSA-qwph-4952-7xr6", + "https://nvd.nist.gov/vuln/detail/CVE-2022-23540", + "https://security.netapp.com/advisory/ntap-20240621-0007", + "https://security.netapp.com/advisory/ntap-20240621-0007/", + "https://www.cve.org/CVERecord?id=CVE-2022-23540" + ], + "PublishedDate": "2022-12-22T19:15:08.967Z", + "LastModifiedDate": "2024-06-21T19:15:22.84Z" + }, + { + "VulnerabilityID": "CVE-2022-23541", + "PkgID": "jsonwebtoken@0.4.0", + "PkgName": "jsonwebtoken", + "PkgPath": "juice-shop/node_modules/jsonwebtoken/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/jsonwebtoken@0.4.0", + "UID": "b220953c826bca0" + }, + "InstalledVersion": "0.4.0", + "FixedVersion": "9.0.0", + "Status": "fixed", + "Layer": { + "Digest": "sha256:372ee704575ced2099853693fdb4f8770cd71b4bfcc2bf639c8e9f9d481ede37", + "DiffID": "sha256:6de27bb627f066285f0628172e686caf3e388a3bf266606c88d619d87d14aae3" + }, + "SeveritySource": "ghsa", + 
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2022-23541", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Title": "jsonwebtoken: Insecure implementation of key retrieval function could lead to Forgeable Public/Private Tokens from RSA to HMAC", + "Description": "jsonwebtoken is an implementation of JSON Web Tokens. Versions `\u003c= 8.5.1` of `jsonwebtoken` library can be misconfigured so that passing a poorly implemented key retrieval function referring to the `secretOrPublicKey` argument from the readme link will result in incorrect verification of tokens. There is a possibility of using a different algorithm and key combination in verification, other than the one that was used to sign the tokens. Specifically, tokens signed with an asymmetric public key could be verified with a symmetric HS256 algorithm. This can lead to successful validation of forged tokens. If your application is supporting usage of both symmetric key and asymmetric key in jwt.verify() implementation with the same key retrieval function. 
This issue has been patched, please update to version 9.0.0.", + "Severity": "MEDIUM", + "CweIDs": [ + "CWE-1259", + "CWE-287" + ], + "VendorSeverity": { + "ghsa": 2, + "nvd": 2, + "redhat": 2 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L", + "V3Score": 5 + }, + "nvd": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", + "V3Score": 6.3 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L", + "V3Score": 5 + } + }, + "References": [ + "https://access.redhat.com/security/cve/CVE-2022-23541", + "https://github.com/auth0/node-jsonwebtoken", + "https://github.com/auth0/node-jsonwebtoken/commit/e1fa9dcc12054a8681db4e6373da1b30cf7016e3", + "https://github.com/auth0/node-jsonwebtoken/releases/tag/v9.0.0", + "https://github.com/auth0/node-jsonwebtoken/security/advisories/GHSA-hjrf-2m68-5959", + "https://nvd.nist.gov/vuln/detail/CVE-2022-23541", + "https://security.netapp.com/advisory/ntap-20240621-0007", + "https://security.netapp.com/advisory/ntap-20240621-0007/", + "https://www.cve.org/CVERecord?id=CVE-2022-23541" + ], + "PublishedDate": "2022-12-22T18:15:09.39Z", + "LastModifiedDate": "2024-06-21T19:15:22.97Z" + }, + { + "VulnerabilityID": "CVE-2016-1000223", + "PkgID": "jws@0.2.6", + "PkgName": "jws", + "PkgPath": "juice-shop/node_modules/jws/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/jws@0.2.6", + "UID": "da4a6fd70bb8e740" + }, + "InstalledVersion": "0.2.6", + "FixedVersion": "\u003e=3.0.0", + "Status": "fixed", + "Layer": { + "Digest": "sha256:372ee704575ced2099853693fdb4f8770cd71b4bfcc2bf639c8e9f9d481ede37", + "DiffID": "sha256:6de27bb627f066285f0628172e686caf3e388a3bf266606c88d619d87d14aae3" + }, + "SeveritySource": "nodejs-security-wg", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2016-1000223", + "DataSource": { + "ID": "nodejs-security-wg", + "Name": "Node.js Ecosystem Security Working Group", + "URL": "https://github.com/nodejs/security-wg" + }, + "Title": "Forgeable 
Public/Private Tokens", + "Description": "Since \"algorithm\" isn't enforced in `jws.verify()`, a malicious user could choose what algorithm is sent to the server. If the server is expecting RSA but is sent HMAC-SHA with RSA's public key, the server will think the public key is actually an HMAC private key. This could be used to forge any data an attacker wants.\n\nIn addition, there is the `none` algorithm to be concerned about. In versions prior to 3.0.0, verification of the token could be bypassed when the `alg` field is set to `none`.\n\n*Edit ( 7/29/16 ): A previous version of this advisory incorrectly stated that the vulnerability was patched in version 2.0.0 instead of 3.0.0. The advisory has been updated to reflect this new information. Thanks to Fabien Catteau for reporting the error.*", + "Severity": "HIGH", + "VendorSeverity": { + "ghsa": 3, + "nodejs-security-wg": 3 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N", + "V3Score": 8.7 + } + }, + "References": [ + "https://auth0.com/blog/2015/03/31/critical-vulnerabilities-in-json-web-token-libraries", + "https://auth0.com/blog/2015/03/31/critical-vulnerabilities-in-json-web-token-libraries/", + "https://github.com/brianloveswords/node-jws", + "https://github.com/brianloveswords/node-jws/commit/585d0e1e97b6747c10cf5b7689ccc5618a89b299#diff-4ac32a78649ca5bdd8e0ba38b7006a1e", + "https://nvd.nist.gov/vuln/detail/CVE-2016-1000223", + "https://snyk.io/vuln/npm:jws:20160726", + "https://www.npmjs.com/advisories/88" + ] + }, + { + "VulnerabilityID": "CVE-2024-34393", + "PkgID": "libxmljs2@0.22.0", + "PkgName": "libxmljs2", + "PkgPath": "juice-shop/node_modules/libxmljs2/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/libxmljs2@0.22.0", + "UID": "df8b8c029e70dea1" + }, + "InstalledVersion": "0.22.0", + "Status": "affected", + "Layer": { + "Digest": "sha256:372ee704575ced2099853693fdb4f8770cd71b4bfcc2bf639c8e9f9d481ede37", + "DiffID": 
"sha256:6de27bb627f066285f0628172e686caf3e388a3bf266606c88d619d87d14aae3" + }, + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2024-34393", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Title": "libxmljs2 type confusion vulnerability when parsing specially crafted XML", + "Description": "libxmljs2 is vulnerable to a type confusion vulnerability when parsing a specially crafted XML while invoking a function on the result of attrs() that was called on a parsed node. This vulnerability might lead to denial of service (on both 32-bit systems and 64-bit systems), data leak, infinite loop and remote code execution (on 32-bit systems with the XML_PARSE_HUGE flag enabled).", + "Severity": "HIGH", + "VendorSeverity": { + "ghsa": 3 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "V3Score": 8.1 + } + }, + "References": [ + "https://github.com/marudor/libxmljs2", + "https://github.com/marudor/libxmljs2/issues/204", + "https://nvd.nist.gov/vuln/detail/CVE-2024-34393", + "https://research.jfrog.com/vulnerabilities/libxmljs2-attrs-type-confusion-rce-jfsa-2024-001034097", + "https://research.jfrog.com/vulnerabilities/libxmljs2-attrs-type-confusion-rce-jfsa-2024-001034097/" + ], + "PublishedDate": "2024-05-02T19:15:06.48Z", + "LastModifiedDate": "2024-05-03T12:50:34.25Z" + }, + { + "VulnerabilityID": "CVE-2024-34394", + "PkgID": "libxmljs2@0.22.0", + "PkgName": "libxmljs2", + "PkgPath": "juice-shop/node_modules/libxmljs2/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/libxmljs2@0.22.0", + "UID": "df8b8c029e70dea1" + }, + "InstalledVersion": "0.22.0", + "Status": "affected", + "Layer": { + "Digest": "sha256:372ee704575ced2099853693fdb4f8770cd71b4bfcc2bf639c8e9f9d481ede37", + "DiffID": "sha256:6de27bb627f066285f0628172e686caf3e388a3bf266606c88d619d87d14aae3" + }, + "SeveritySource": 
"ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2024-34394", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Title": "libxmljs2 vulnerable to type confusion when parsing specially crafted XML", + "Description": "libxmljs2 is vulnerable to a type confusion vulnerability when parsing a specially crafted XML while invoking the namespaces() function (which invokes XmlNode::get_local_namespaces()) on a grand-child of a node that refers to an entity. This vulnerability can lead to denial of service and remote code execution.", + "Severity": "HIGH", + "VendorSeverity": { + "ghsa": 3 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "V3Score": 8.1 + } + }, + "References": [ + "https://github.com/marudor/libxmljs2", + "https://github.com/marudor/libxmljs2/issues/205", + "https://nvd.nist.gov/vuln/detail/CVE-2024-34394", + "https://research.jfrog.com/vulnerabilities/libxmljs2-namespaces-type-confusion-rce-jfsa-2024-001034098", + "https://research.jfrog.com/vulnerabilities/libxmljs2-namespaces-type-confusion-rce-jfsa-2024-001034098/" + ], + "PublishedDate": "2024-05-02T19:15:06.63Z", + "LastModifiedDate": "2024-05-03T12:50:34.25Z" + }, + { + "VulnerabilityID": "CVE-2019-10744", + "PkgID": "lodash@2.4.2", + "PkgName": "lodash", + "PkgPath": "juice-shop/node_modules/sanitize-html/node_modules/lodash/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/lodash@2.4.2", + "UID": "2055fc9d42487aec" + }, + "InstalledVersion": "2.4.2", + "FixedVersion": "4.17.12", + "Status": "fixed", + "Layer": { + "Digest": "sha256:372ee704575ced2099853693fdb4f8770cd71b4bfcc2bf639c8e9f9d481ede37", + "DiffID": "sha256:6de27bb627f066285f0628172e686caf3e388a3bf266606c88d619d87d14aae3" + }, + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-10744", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub 
Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Title": "nodejs-lodash: prototype pollution in defaultsDeep function leading to modifying properties", + "Description": "Versions of lodash lower than 4.17.12 are vulnerable to Prototype Pollution. The function defaultsDeep could be tricked into adding or modifying properties of Object.prototype using a constructor payload.", + "Severity": "CRITICAL", + "CweIDs": [ + "CWE-1321" + ], + "VendorSeverity": { + "ghsa": 4, + "nvd": 4, + "redhat": 3 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H", + "V3Score": 9.1 + }, + "nvd": { + "V2Vector": "AV:N/AC:L/Au:N/C:N/I:P/A:P", + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H", + "V2Score": 6.4, + "V3Score": 9.1 + }, + "redhat": { + "V3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H", + "V3Score": 9.1 + } + }, + "References": [ + "https://access.redhat.com/errata/RHSA-2019:3024", + "https://access.redhat.com/security/cve/CVE-2019-10744", + "https://github.com/lodash/lodash/pull/4336", + "https://nvd.nist.gov/vuln/detail/CVE-2019-10744", + "https://security.netapp.com/advisory/ntap-20191004-0005", + "https://security.netapp.com/advisory/ntap-20191004-0005/", + "https://snyk.io/vuln/SNYK-JS-LODASH-450202", + "https://support.f5.com/csp/article/K47105354?utm_source=f5support\u0026amp%3Butm_medium=RSS", + "https://support.f5.com/csp/article/K47105354?utm_source=f5support\u0026amp;utm_medium=RSS", + "https://www.cve.org/CVERecord?id=CVE-2019-10744", + "https://www.npmjs.com/advisories/1065", + "https://www.oracle.com/security-alerts/cpujan2021.html", + "https://www.oracle.com/security-alerts/cpuoct2020.html" + ], + "PublishedDate": "2019-07-26T00:15:11.217Z", + "LastModifiedDate": "2024-01-21T02:45:24.433Z" + }, + { + "VulnerabilityID": "CVE-2018-16487", + "PkgID": "lodash@2.4.2", + "PkgName": "lodash", + "PkgPath": 
"juice-shop/node_modules/sanitize-html/node_modules/lodash/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/lodash@2.4.2", + "UID": "2055fc9d42487aec" + }, + "InstalledVersion": "2.4.2", + "FixedVersion": "\u003e=4.17.11", + "Status": "fixed", + "Layer": { + "Digest": "sha256:372ee704575ced2099853693fdb4f8770cd71b4bfcc2bf639c8e9f9d481ede37", + "DiffID": "sha256:6de27bb627f066285f0628172e686caf3e388a3bf266606c88d619d87d14aae3" + }, + "SeveritySource": "nodejs-security-wg", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2018-16487", + "DataSource": { + "ID": "nodejs-security-wg", + "Name": "Node.js Ecosystem Security Working Group", + "URL": "https://github.com/nodejs/security-wg" + }, + "Title": "lodash: Prototype pollution in utilities function", + "Description": "A prototype pollution vulnerability was found in lodash \u003c4.17.11 where the functions merge, mergeWith, and defaultsDeep can be tricked into adding or modifying properties of Object.prototype.", + "Severity": "HIGH", + "CweIDs": [ + "CWE-400" + ], + "VendorSeverity": { + "ghsa": 3, + "nodejs-security-wg": 3, + "nvd": 2, + "redhat": 2 + }, + "CVSS": { + "nvd": { + "V2Vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P", + "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L", + "V2Score": 6.8, + "V3Score": 5.6 + }, + "redhat": { + "V3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L", + "V3Score": 5.6 + } + }, + "References": [ + "https://access.redhat.com/security/cve/CVE-2018-16487", + "https://github.com/advisories/GHSA-4xc9-xhrj-v574", + "https://github.com/lodash/lodash/commit/90e6199a161b6445b01454517b40ef65ebecd2ad", + "https://hackerone.com/reports/380873", + "https://nvd.nist.gov/vuln/detail/CVE-2018-16487", + "https://security.netapp.com/advisory/ntap-20190919-0004", + "https://security.netapp.com/advisory/ntap-20190919-0004/", + "https://www.cve.org/CVERecord?id=CVE-2018-16487", + "https://www.npmjs.com/advisories/782" + ], + "PublishedDate": "2019-02-01T18:29:00.943Z", + 
"LastModifiedDate": "2020-09-18T16:38:27.95Z" + }, + { + "VulnerabilityID": "CVE-2021-23337", + "PkgID": "lodash@2.4.2", + "PkgName": "lodash", + "PkgPath": "juice-shop/node_modules/sanitize-html/node_modules/lodash/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/lodash@2.4.2", + "UID": "2055fc9d42487aec" + }, + "InstalledVersion": "2.4.2", + "FixedVersion": "4.17.21", + "Status": "fixed", + "Layer": { + "Digest": "sha256:372ee704575ced2099853693fdb4f8770cd71b4bfcc2bf639c8e9f9d481ede37", + "DiffID": "sha256:6de27bb627f066285f0628172e686caf3e388a3bf266606c88d619d87d14aae3" + }, + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2021-23337", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Title": "nodejs-lodash: command injection via template", + "Description": "Lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function.", + "Severity": "HIGH", + "CweIDs": [ + "CWE-94" + ], + "VendorSeverity": { + "ghsa": 3, + "nvd": 3, + "redhat": 2, + "ubuntu": 2 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", + "V3Score": 7.2 + }, + "nvd": { + "V2Vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P", + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", + "V2Score": 6.5, + "V3Score": 7.2 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", + "V3Score": 7.2 + } + }, + "References": [ + "https://access.redhat.com/security/cve/CVE-2021-23337", + "https://cert-portal.siemens.com/productcert/pdf/ssa-637483.pdf", + "https://github.com/lodash/lodash", + "https://github.com/lodash/lodash/blob/ddfd9b11a0126db2302cb70ec9973b66baec0975/lodash.js#L14851", + "https://github.com/lodash/lodash/blob/ddfd9b11a0126db2302cb70ec9973b66baec0975/lodash.js%23L14851", + "https://github.com/lodash/lodash/commit/3469357cff396a26c363f8c1b5a91dde28ba4b1c", + 
"https://nvd.nist.gov/vuln/detail/CVE-2021-23337", + "https://security.netapp.com/advisory/ntap-20210312-0006", + "https://security.netapp.com/advisory/ntap-20210312-0006/", + "https://snyk.io/vuln/SNYK-JAVA-ORGFUJIONWEBJARS-1074932", + "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-1074930", + "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1074928", + "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBLODASH-1074931", + "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1074929", + "https://snyk.io/vuln/SNYK-JS-LODASH-1040724", + "https://www.cve.org/CVERecord?id=CVE-2021-23337", + "https://www.oracle.com//security-alerts/cpujul2021.html", + "https://www.oracle.com/security-alerts/cpujan2022.html", + "https://www.oracle.com/security-alerts/cpujul2022.html", + "https://www.oracle.com/security-alerts/cpuoct2021.html" + ], + "PublishedDate": "2021-02-15T13:15:12.56Z", + "LastModifiedDate": "2022-09-13T21:25:02.093Z" + }, + { + "VulnerabilityID": "CVE-2019-1010266", + "PkgID": "lodash@2.4.2", + "PkgName": "lodash", + "PkgPath": "juice-shop/node_modules/sanitize-html/node_modules/lodash/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/lodash@2.4.2", + "UID": "2055fc9d42487aec" + }, + "InstalledVersion": "2.4.2", + "FixedVersion": "4.17.11", + "Status": "fixed", + "Layer": { + "Digest": "sha256:372ee704575ced2099853693fdb4f8770cd71b4bfcc2bf639c8e9f9d481ede37", + "DiffID": "sha256:6de27bb627f066285f0628172e686caf3e388a3bf266606c88d619d87d14aae3" + }, + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1010266", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Title": "lodash: uncontrolled resource consumption in Data handler causing denial of service", + "Description": "lodash prior to 4.17.11 is affected by: CWE-400: Uncontrolled Resource Consumption. The impact is: Denial of service. The component is: Date handler. 
The attack vector is: Attacker provides very long strings, which the library attempts to match using a regular expression. The fixed version is: 4.17.11.", + "Severity": "MEDIUM", + "CweIDs": [ + "CWE-770", + "CWE-400" + ], + "VendorSeverity": { + "ghsa": 2, + "nvd": 2, + "redhat": 1 + }, + "CVSS": { + "nvd": { + "V2Vector": "AV:N/AC:L/Au:S/C:N/I:N/A:P", + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "V2Score": 4, + "V3Score": 6.5 + }, + "redhat": { + "V3Vector": "CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 4.4 + } + }, + "References": [ + "https://access.redhat.com/security/cve/CVE-2019-1010266", + "https://github.com/lodash/lodash/commit/5c08f18d365b64063bfbfa686cbb97cdd6267347", + "https://github.com/lodash/lodash/issues/3359", + "https://github.com/lodash/lodash/wiki/Changelog", + "https://nvd.nist.gov/vuln/detail/CVE-2019-1010266", + "https://security.netapp.com/advisory/ntap-20190919-0004", + "https://security.netapp.com/advisory/ntap-20190919-0004/", + "https://snyk.io/vuln/SNYK-JS-LODASH-73639", + "https://www.cve.org/CVERecord?id=CVE-2019-1010266" + ], + "PublishedDate": "2019-07-17T21:15:10.873Z", + "LastModifiedDate": "2020-09-30T13:40:43.663Z" + }, + { + "VulnerabilityID": "CVE-2020-28500", + "PkgID": "lodash@2.4.2", + "PkgName": "lodash", + "PkgPath": "juice-shop/node_modules/sanitize-html/node_modules/lodash/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/lodash@2.4.2", + "UID": "2055fc9d42487aec" + }, + "InstalledVersion": "2.4.2", + "FixedVersion": "4.17.21", + "Status": "fixed", + "Layer": { + "Digest": "sha256:372ee704575ced2099853693fdb4f8770cd71b4bfcc2bf639c8e9f9d481ede37", + "DiffID": "sha256:6de27bb627f066285f0628172e686caf3e388a3bf266606c88d619d87d14aae3" + }, + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2020-28500", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + 
}, + "Title": "nodejs-lodash: ReDoS via the toNumber, trim and trimEnd functions", + "Description": "Lodash versions prior to 4.17.21 are vulnerable to Regular Expression Denial of Service (ReDoS) via the toNumber, trim and trimEnd functions.", + "Severity": "MEDIUM", + "VendorSeverity": { + "ghsa": 2, + "nvd": 2, + "redhat": 2, + "ubuntu": 2 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", + "V3Score": 5.3 + }, + "nvd": { + "V2Vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P", + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", + "V2Score": 5, + "V3Score": 5.3 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", + "V3Score": 5.3 + } + }, + "References": [ + "https://access.redhat.com/security/cve/CVE-2020-28500", + "https://cert-portal.siemens.com/productcert/pdf/ssa-637483.pdf", + "https://github.com/lodash/lodash", + "https://github.com/lodash/lodash/blob/npm/trimEnd.js#L8", + "https://github.com/lodash/lodash/blob/npm/trimEnd.js%23L8", + "https://github.com/lodash/lodash/commit/c4847ebe7d14540bb28a8b932a9ce1b9ecbfee1a", + "https://github.com/lodash/lodash/pull/5065", + "https://github.com/lodash/lodash/pull/5065/commits/02906b8191d3c100c193fe6f7b27d1c40f200bb7", + "https://nvd.nist.gov/vuln/detail/CVE-2020-28500", + "https://security.netapp.com/advisory/ntap-20210312-0006", + "https://security.netapp.com/advisory/ntap-20210312-0006/", + "https://snyk.io/vuln/SNYK-JAVA-ORGFUJIONWEBJARS-1074896", + "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-1074894", + "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1074892", + "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBLODASH-1074895", + "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1074893", + "https://snyk.io/vuln/SNYK-JS-LODASH-1018905", + "https://www.cve.org/CVERecord?id=CVE-2020-28500", + "https://www.oracle.com//security-alerts/cpujul2021.html", + "https://www.oracle.com/security-alerts/cpujan2022.html", + 
"https://www.oracle.com/security-alerts/cpujul2022.html", + "https://www.oracle.com/security-alerts/cpuoct2021.html" + ], + "PublishedDate": "2021-02-15T11:15:12.397Z", + "LastModifiedDate": "2022-09-13T21:18:50.543Z" + }, + { + "VulnerabilityID": "CVE-2018-3721", + "PkgID": "lodash@2.4.2", + "PkgName": "lodash", + "PkgPath": "juice-shop/node_modules/sanitize-html/node_modules/lodash/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/lodash@2.4.2", + "UID": "2055fc9d42487aec" + }, + "InstalledVersion": "2.4.2", + "FixedVersion": "\u003e=4.17.5", + "Status": "fixed", + "Layer": { + "Digest": "sha256:372ee704575ced2099853693fdb4f8770cd71b4bfcc2bf639c8e9f9d481ede37", + "DiffID": "sha256:6de27bb627f066285f0628172e686caf3e388a3bf266606c88d619d87d14aae3" + }, + "SeveritySource": "nodejs-security-wg", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2018-3721", + "DataSource": { + "ID": "nodejs-security-wg", + "Name": "Node.js Ecosystem Security Working Group", + "URL": "https://github.com/nodejs/security-wg" + }, + "Title": "lodash: Prototype pollution in utilities function", + "Description": "lodash node module before 4.17.5 suffers from a Modification of Assumed-Immutable Data (MAID) vulnerability via defaultsDeep, merge, and mergeWith functions, which allows a malicious user to modify the prototype of \"Object\" via __proto__, causing the addition or modification of an existing property that will exist on all objects.", + "Severity": "LOW", + "CweIDs": [ + "CWE-1321", + "CWE-471" + ], + "VendorSeverity": { + "ghsa": 2, + "nodejs-security-wg": 1, + "nvd": 2, + "redhat": 1 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", + "V3Score": 6.5 + }, + "nvd": { + "V2Vector": "AV:N/AC:L/Au:S/C:N/I:P/A:N", + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", + "V2Score": 4, + "V3Score": 6.5 + }, + "redhat": { + "V3Vector": "CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L", + "V3Score": 2.9 + } + }, + "References": [ + 
"https://access.redhat.com/security/cve/CVE-2018-3721", + "https://github.com/advisories/GHSA-fvqr-27wr-82fm", + "https://github.com/lodash/lodash/commit/d8e069cc3410082e44eb18fcf8e7f3d08ebe1d4a", + "https://hackerone.com/reports/310443", + "https://nvd.nist.gov/vuln/detail/CVE-2018-3721", + "https://security.netapp.com/advisory/ntap-20190919-0004", + "https://security.netapp.com/advisory/ntap-20190919-0004/", + "https://www.cve.org/CVERecord?id=CVE-2018-3721", + "https://www.npmjs.com/advisories/577" + ], + "PublishedDate": "2018-06-07T02:29:08.317Z", + "LastModifiedDate": "2024-02-16T16:54:46.91Z" + }, + { + "VulnerabilityID": "CVE-2019-10744", + "PkgID": "lodash@4.17.11", + "PkgName": "lodash", + "PkgPath": "juice-shop/node_modules/clarinet/benchmark/node_modules/lodash/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/lodash@4.17.11", + "UID": "22cbf4c65c5d1e98" + }, + "InstalledVersion": "4.17.11", + "FixedVersion": "4.17.12", + "Status": "fixed", + "Layer": { + "Digest": "sha256:372ee704575ced2099853693fdb4f8770cd71b4bfcc2bf639c8e9f9d481ede37", + "DiffID": "sha256:6de27bb627f066285f0628172e686caf3e388a3bf266606c88d619d87d14aae3" + }, + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-10744", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Title": "nodejs-lodash: prototype pollution in defaultsDeep function leading to modifying properties", + "Description": "Versions of lodash lower than 4.17.12 are vulnerable to Prototype Pollution. 
The function defaultsDeep could be tricked into adding or modifying properties of Object.prototype using a constructor payload.", + "Severity": "CRITICAL", + "CweIDs": [ + "CWE-1321" + ], + "VendorSeverity": { + "ghsa": 4, + "nvd": 4, + "redhat": 3 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H", + "V3Score": 9.1 + }, + "nvd": { + "V2Vector": "AV:N/AC:L/Au:N/C:N/I:P/A:P", + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H", + "V2Score": 6.4, + "V3Score": 9.1 + }, + "redhat": { + "V3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H", + "V3Score": 9.1 + } + }, + "References": [ + "https://access.redhat.com/errata/RHSA-2019:3024", + "https://access.redhat.com/security/cve/CVE-2019-10744", + "https://github.com/lodash/lodash/pull/4336", + "https://nvd.nist.gov/vuln/detail/CVE-2019-10744", + "https://security.netapp.com/advisory/ntap-20191004-0005", + "https://security.netapp.com/advisory/ntap-20191004-0005/", + "https://snyk.io/vuln/SNYK-JS-LODASH-450202", + "https://support.f5.com/csp/article/K47105354?utm_source=f5support\u0026amp%3Butm_medium=RSS", + "https://support.f5.com/csp/article/K47105354?utm_source=f5support\u0026amp;utm_medium=RSS", + "https://www.cve.org/CVERecord?id=CVE-2019-10744", + "https://www.npmjs.com/advisories/1065", + "https://www.oracle.com/security-alerts/cpujan2021.html", + "https://www.oracle.com/security-alerts/cpuoct2020.html" + ], + "PublishedDate": "2019-07-26T00:15:11.217Z", + "LastModifiedDate": "2024-01-21T02:45:24.433Z" + }, + { + "VulnerabilityID": "CVE-2020-8203", + "PkgID": "lodash@4.17.11", + "PkgName": "lodash", + "PkgPath": "juice-shop/node_modules/clarinet/benchmark/node_modules/lodash/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/lodash@4.17.11", + "UID": "22cbf4c65c5d1e98" + }, + "InstalledVersion": "4.17.11", + "FixedVersion": "4.17.19", + "Status": "fixed", + "Layer": { + "Digest": "sha256:372ee704575ced2099853693fdb4f8770cd71b4bfcc2bf639c8e9f9d481ede37", + 
"DiffID": "sha256:6de27bb627f066285f0628172e686caf3e388a3bf266606c88d619d87d14aae3" + }, + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2020-8203", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Title": "nodejs-lodash: prototype pollution in zipObjectDeep function", + "Description": "Prototype pollution attack when using _.zipObjectDeep in lodash before 4.17.20.", + "Severity": "HIGH", + "CweIDs": [ + "CWE-1321", + "CWE-770" + ], + "VendorSeverity": { + "ghsa": 3, + "nvd": 3, + "redhat": 2 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H", + "V3Score": 7.4 + }, + "nvd": { + "V2Vector": "AV:N/AC:M/Au:N/C:N/I:P/A:P", + "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H", + "V2Score": 5.8, + "V3Score": 7.4 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H", + "V3Score": 7.4 + } + }, + "References": [ + "https://access.redhat.com/security/cve/CVE-2020-8203", + "https://github.com/github/advisory-database/pull/2884", + "https://github.com/lodash/lodash", + "https://github.com/lodash/lodash/commit/c84fe82760fb2d3e03a63379b297a1cc1a2fce12", + "https://github.com/lodash/lodash/issues/4744", + "https://github.com/lodash/lodash/issues/4874", + "https://github.com/lodash/lodash/wiki/Changelog#v41719", + "https://hackerone.com/reports/712065", + "https://hackerone.com/reports/864701", + "https://nvd.nist.gov/vuln/detail/CVE-2020-8203", + "https://security.netapp.com/advisory/ntap-20200724-0006", + "https://security.netapp.com/advisory/ntap-20200724-0006/", + "https://web.archive.org/web/20210914001339/https://github.com/lodash/lodash/issues/4744", + "https://www.cve.org/CVERecord?id=CVE-2020-8203", + "https://www.npmjs.com/advisories/1523", + "https://www.oracle.com//security-alerts/cpujul2021.html", + "https://www.oracle.com/security-alerts/cpuApr2021.html", 
+ "https://www.oracle.com/security-alerts/cpuapr2022.html", + "https://www.oracle.com/security-alerts/cpujan2022.html", + "https://www.oracle.com/security-alerts/cpuoct2021.html" + ], + "PublishedDate": "2020-07-15T17:15:11.797Z", + "LastModifiedDate": "2024-01-21T02:37:13.193Z" + }, + { + "VulnerabilityID": "CVE-2021-23337", + "PkgID": "lodash@4.17.11", + "PkgName": "lodash", + "PkgPath": "juice-shop/node_modules/clarinet/benchmark/node_modules/lodash/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/lodash@4.17.11", + "UID": "22cbf4c65c5d1e98" + }, + "InstalledVersion": "4.17.11", + "FixedVersion": "4.17.21", + "Status": "fixed", + "Layer": { + "Digest": "sha256:372ee704575ced2099853693fdb4f8770cd71b4bfcc2bf639c8e9f9d481ede37", + "DiffID": "sha256:6de27bb627f066285f0628172e686caf3e388a3bf266606c88d619d87d14aae3" + }, + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2021-23337", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Title": "nodejs-lodash: command injection via template", + "Description": "Lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function.", + "Severity": "HIGH", + "CweIDs": [ + "CWE-94" + ], + "VendorSeverity": { + "ghsa": 3, + "nvd": 3, + "redhat": 2, + "ubuntu": 2 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", + "V3Score": 7.2 + }, + "nvd": { + "V2Vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P", + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", + "V2Score": 6.5, + "V3Score": 7.2 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", + "V3Score": 7.2 + } + }, + "References": [ + "https://access.redhat.com/security/cve/CVE-2021-23337", + "https://cert-portal.siemens.com/productcert/pdf/ssa-637483.pdf", + "https://github.com/lodash/lodash", + 
"https://github.com/lodash/lodash/blob/ddfd9b11a0126db2302cb70ec9973b66baec0975/lodash.js#L14851", + "https://github.com/lodash/lodash/blob/ddfd9b11a0126db2302cb70ec9973b66baec0975/lodash.js%23L14851", + "https://github.com/lodash/lodash/commit/3469357cff396a26c363f8c1b5a91dde28ba4b1c", + "https://nvd.nist.gov/vuln/detail/CVE-2021-23337", + "https://security.netapp.com/advisory/ntap-20210312-0006", + "https://security.netapp.com/advisory/ntap-20210312-0006/", + "https://snyk.io/vuln/SNYK-JAVA-ORGFUJIONWEBJARS-1074932", + "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-1074930", + "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1074928", + "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBLODASH-1074931", + "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1074929", + "https://snyk.io/vuln/SNYK-JS-LODASH-1040724", + "https://www.cve.org/CVERecord?id=CVE-2021-23337", + "https://www.oracle.com//security-alerts/cpujul2021.html", + "https://www.oracle.com/security-alerts/cpujan2022.html", + "https://www.oracle.com/security-alerts/cpujul2022.html", + "https://www.oracle.com/security-alerts/cpuoct2021.html" + ], + "PublishedDate": "2021-02-15T13:15:12.56Z", + "LastModifiedDate": "2022-09-13T21:25:02.093Z" + }, + { + "VulnerabilityID": "CVE-2020-28500", + "PkgID": "lodash@4.17.11", + "PkgName": "lodash", + "PkgPath": "juice-shop/node_modules/clarinet/benchmark/node_modules/lodash/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/lodash@4.17.11", + "UID": "22cbf4c65c5d1e98" + }, + "InstalledVersion": "4.17.11", + "FixedVersion": "4.17.21", + "Status": "fixed", + "Layer": { + "Digest": "sha256:372ee704575ced2099853693fdb4f8770cd71b4bfcc2bf639c8e9f9d481ede37", + "DiffID": "sha256:6de27bb627f066285f0628172e686caf3e388a3bf266606c88d619d87d14aae3" + }, + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2020-28500", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": 
"https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Title": "nodejs-lodash: ReDoS via the toNumber, trim and trimEnd functions", + "Description": "Lodash versions prior to 4.17.21 are vulnerable to Regular Expression Denial of Service (ReDoS) via the toNumber, trim and trimEnd functions.", + "Severity": "MEDIUM", + "VendorSeverity": { + "ghsa": 2, + "nvd": 2, + "redhat": 2, + "ubuntu": 2 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", + "V3Score": 5.3 + }, + "nvd": { + "V2Vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P", + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", + "V2Score": 5, + "V3Score": 5.3 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", + "V3Score": 5.3 + } + }, + "References": [ + "https://access.redhat.com/security/cve/CVE-2020-28500", + "https://cert-portal.siemens.com/productcert/pdf/ssa-637483.pdf", + "https://github.com/lodash/lodash", + "https://github.com/lodash/lodash/blob/npm/trimEnd.js#L8", + "https://github.com/lodash/lodash/blob/npm/trimEnd.js%23L8", + "https://github.com/lodash/lodash/commit/c4847ebe7d14540bb28a8b932a9ce1b9ecbfee1a", + "https://github.com/lodash/lodash/pull/5065", + "https://github.com/lodash/lodash/pull/5065/commits/02906b8191d3c100c193fe6f7b27d1c40f200bb7", + "https://nvd.nist.gov/vuln/detail/CVE-2020-28500", + "https://security.netapp.com/advisory/ntap-20210312-0006", + "https://security.netapp.com/advisory/ntap-20210312-0006/", + "https://snyk.io/vuln/SNYK-JAVA-ORGFUJIONWEBJARS-1074896", + "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-1074894", + "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1074892", + "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBLODASH-1074895", + "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1074893", + "https://snyk.io/vuln/SNYK-JS-LODASH-1018905", + "https://www.cve.org/CVERecord?id=CVE-2020-28500", + "https://www.oracle.com//security-alerts/cpujul2021.html", + 
"https://www.oracle.com/security-alerts/cpujan2022.html", + "https://www.oracle.com/security-alerts/cpujul2022.html", + "https://www.oracle.com/security-alerts/cpuoct2021.html" + ], + "PublishedDate": "2021-02-15T11:15:12.397Z", + "LastModifiedDate": "2022-09-13T21:18:50.543Z" + }, + { + "VulnerabilityID": "CVE-2020-8203", + "PkgID": "lodash@4.17.15", + "PkgName": "lodash", + "PkgPath": "juice-shop/node_modules/lodash/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/lodash@4.17.15", + "UID": "48b8e13d54fb22e3" + }, + "InstalledVersion": "4.17.15", + "FixedVersion": "4.17.19", + "Status": "fixed", + "Layer": { + "Digest": "sha256:372ee704575ced2099853693fdb4f8770cd71b4bfcc2bf639c8e9f9d481ede37", + "DiffID": "sha256:6de27bb627f066285f0628172e686caf3e388a3bf266606c88d619d87d14aae3" + }, + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2020-8203", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Title": "nodejs-lodash: prototype pollution in zipObjectDeep function", + "Description": "Prototype pollution attack when using _.zipObjectDeep in lodash before 4.17.20.", + "Severity": "HIGH", + "CweIDs": [ + "CWE-1321", + "CWE-770" + ], + "VendorSeverity": { + "ghsa": 3, + "nvd": 3, + "redhat": 2 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H", + "V3Score": 7.4 + }, + "nvd": { + "V2Vector": "AV:N/AC:M/Au:N/C:N/I:P/A:P", + "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H", + "V2Score": 5.8, + "V3Score": 7.4 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H", + "V3Score": 7.4 + } + }, + "References": [ + "https://access.redhat.com/security/cve/CVE-2020-8203", + "https://github.com/github/advisory-database/pull/2884", + "https://github.com/lodash/lodash", + "https://github.com/lodash/lodash/commit/c84fe82760fb2d3e03a63379b297a1cc1a2fce12", + 
"https://github.com/lodash/lodash/issues/4744", + "https://github.com/lodash/lodash/issues/4874", + "https://github.com/lodash/lodash/wiki/Changelog#v41719", + "https://hackerone.com/reports/712065", + "https://hackerone.com/reports/864701", + "https://nvd.nist.gov/vuln/detail/CVE-2020-8203", + "https://security.netapp.com/advisory/ntap-20200724-0006", + "https://security.netapp.com/advisory/ntap-20200724-0006/", + "https://web.archive.org/web/20210914001339/https://github.com/lodash/lodash/issues/4744", + "https://www.cve.org/CVERecord?id=CVE-2020-8203", + "https://www.npmjs.com/advisories/1523", + "https://www.oracle.com//security-alerts/cpujul2021.html", + "https://www.oracle.com/security-alerts/cpuApr2021.html", + "https://www.oracle.com/security-alerts/cpuapr2022.html", + "https://www.oracle.com/security-alerts/cpujan2022.html", + "https://www.oracle.com/security-alerts/cpuoct2021.html" + ], + "PublishedDate": "2020-07-15T17:15:11.797Z", + "LastModifiedDate": "2024-01-21T02:37:13.193Z" + }, + { + "VulnerabilityID": "CVE-2021-23337", + "PkgID": "lodash@4.17.15", + "PkgName": "lodash", + "PkgPath": "juice-shop/node_modules/lodash/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/lodash@4.17.15", + "UID": "48b8e13d54fb22e3" + }, + "InstalledVersion": "4.17.15", + "FixedVersion": "4.17.21", + "Status": "fixed", + "Layer": { + "Digest": "sha256:372ee704575ced2099853693fdb4f8770cd71b4bfcc2bf639c8e9f9d481ede37", + "DiffID": "sha256:6de27bb627f066285f0628172e686caf3e388a3bf266606c88d619d87d14aae3" + }, + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2021-23337", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Title": "nodejs-lodash: command injection via template", + "Description": "Lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function.", + "Severity": "HIGH", + "CweIDs": [ + 
"CWE-94" + ], + "VendorSeverity": { + "ghsa": 3, + "nvd": 3, + "redhat": 2, + "ubuntu": 2 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", + "V3Score": 7.2 + }, + "nvd": { + "V2Vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P", + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", + "V2Score": 6.5, + "V3Score": 7.2 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", + "V3Score": 7.2 + } + }, + "References": [ + "https://access.redhat.com/security/cve/CVE-2021-23337", + "https://cert-portal.siemens.com/productcert/pdf/ssa-637483.pdf", + "https://github.com/lodash/lodash", + "https://github.com/lodash/lodash/blob/ddfd9b11a0126db2302cb70ec9973b66baec0975/lodash.js#L14851", + "https://github.com/lodash/lodash/blob/ddfd9b11a0126db2302cb70ec9973b66baec0975/lodash.js%23L14851", + "https://github.com/lodash/lodash/commit/3469357cff396a26c363f8c1b5a91dde28ba4b1c", + "https://nvd.nist.gov/vuln/detail/CVE-2021-23337", + "https://security.netapp.com/advisory/ntap-20210312-0006", + "https://security.netapp.com/advisory/ntap-20210312-0006/", + "https://snyk.io/vuln/SNYK-JAVA-ORGFUJIONWEBJARS-1074932", + "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-1074930", + "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1074928", + "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBLODASH-1074931", + "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1074929", + "https://snyk.io/vuln/SNYK-JS-LODASH-1040724", + "https://www.cve.org/CVERecord?id=CVE-2021-23337", + "https://www.oracle.com//security-alerts/cpujul2021.html", + "https://www.oracle.com/security-alerts/cpujan2022.html", + "https://www.oracle.com/security-alerts/cpujul2022.html", + "https://www.oracle.com/security-alerts/cpuoct2021.html" + ], + "PublishedDate": "2021-02-15T13:15:12.56Z", + "LastModifiedDate": "2022-09-13T21:25:02.093Z" + }, + { + "VulnerabilityID": "NSWG-ECO-516", + "PkgID": "lodash@4.17.15", + "PkgName": "lodash", + "PkgPath": 
"juice-shop/node_modules/lodash/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/lodash@4.17.15", + "UID": "48b8e13d54fb22e3" + }, + "InstalledVersion": "4.17.15", + "FixedVersion": "\u003e=4.17.19", + "Status": "fixed", + "Layer": { + "Digest": "sha256:372ee704575ced2099853693fdb4f8770cd71b4bfcc2bf639c8e9f9d481ede37", + "DiffID": "sha256:6de27bb627f066285f0628172e686caf3e388a3bf266606c88d619d87d14aae3" + }, + "SeveritySource": "nodejs-security-wg", + "PrimaryURL": "https://www.npmjs.com/advisories/1523", + "DataSource": { + "ID": "nodejs-security-wg", + "Name": "Node.js Ecosystem Security Working Group", + "URL": "https://github.com/nodejs/security-wg" + }, + "Title": "Allocation of Resources Without Limits or Throttling", + "Description": "Prototype pollution attack (lodash)", + "Severity": "HIGH", + "VendorSeverity": { + "nodejs-security-wg": 3 + }, + "References": [ + "https://github.com/lodash/lodash/pull/4759", + "https://hackerone.com/reports/712065", + "https://www.npmjs.com/advisories/1523" + ] + }, + { + "VulnerabilityID": "CVE-2020-28500", + "PkgID": "lodash@4.17.15", + "PkgName": "lodash", + "PkgPath": "juice-shop/node_modules/lodash/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/lodash@4.17.15", + "UID": "48b8e13d54fb22e3" + }, + "InstalledVersion": "4.17.15", + "FixedVersion": "4.17.21", + "Status": "fixed", + "Layer": { + "Digest": "sha256:372ee704575ced2099853693fdb4f8770cd71b4bfcc2bf639c8e9f9d481ede37", + "DiffID": "sha256:6de27bb627f066285f0628172e686caf3e388a3bf266606c88d619d87d14aae3" + }, + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2020-28500", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Title": "nodejs-lodash: ReDoS via the toNumber, trim and trimEnd functions", + "Description": "Lodash versions prior to 4.17.21 are vulnerable to Regular Expression Denial of Service (ReDoS) via 
the toNumber, trim and trimEnd functions.", + "Severity": "MEDIUM", + "VendorSeverity": { + "ghsa": 2, + "nvd": 2, + "redhat": 2, + "ubuntu": 2 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", + "V3Score": 5.3 + }, + "nvd": { + "V2Vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P", + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", + "V2Score": 5, + "V3Score": 5.3 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", + "V3Score": 5.3 + } + }, + "References": [ + "https://access.redhat.com/security/cve/CVE-2020-28500", + "https://cert-portal.siemens.com/productcert/pdf/ssa-637483.pdf", + "https://github.com/lodash/lodash", + "https://github.com/lodash/lodash/blob/npm/trimEnd.js#L8", + "https://github.com/lodash/lodash/blob/npm/trimEnd.js%23L8", + "https://github.com/lodash/lodash/commit/c4847ebe7d14540bb28a8b932a9ce1b9ecbfee1a", + "https://github.com/lodash/lodash/pull/5065", + "https://github.com/lodash/lodash/pull/5065/commits/02906b8191d3c100c193fe6f7b27d1c40f200bb7", + "https://nvd.nist.gov/vuln/detail/CVE-2020-28500", + "https://security.netapp.com/advisory/ntap-20210312-0006", + "https://security.netapp.com/advisory/ntap-20210312-0006/", + "https://snyk.io/vuln/SNYK-JAVA-ORGFUJIONWEBJARS-1074896", + "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-1074894", + "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1074892", + "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBLODASH-1074895", + "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1074893", + "https://snyk.io/vuln/SNYK-JS-LODASH-1018905", + "https://www.cve.org/CVERecord?id=CVE-2020-28500", + "https://www.oracle.com//security-alerts/cpujul2021.html", + "https://www.oracle.com/security-alerts/cpujan2022.html", + "https://www.oracle.com/security-alerts/cpujul2022.html", + "https://www.oracle.com/security-alerts/cpuoct2021.html" + ], + "PublishedDate": "2021-02-15T11:15:12.397Z", + "LastModifiedDate": "2022-09-13T21:18:50.543Z" + }, + { + 
"VulnerabilityID": "CVE-2020-8203", + "PkgID": "lodash.set@4.3.2", + "PkgName": "lodash.set", + "PkgPath": "juice-shop/node_modules/lodash.set/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/lodash.set@4.3.2", + "UID": "91ab835ab813b84b" + }, + "InstalledVersion": "4.3.2", + "Status": "affected", + "Layer": { + "Digest": "sha256:372ee704575ced2099853693fdb4f8770cd71b4bfcc2bf639c8e9f9d481ede37", + "DiffID": "sha256:6de27bb627f066285f0628172e686caf3e388a3bf266606c88d619d87d14aae3" + }, + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2020-8203", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Title": "nodejs-lodash: prototype pollution in zipObjectDeep function", + "Description": "Prototype pollution attack when using _.zipObjectDeep in lodash before 4.17.20.", + "Severity": "HIGH", + "CweIDs": [ + "CWE-1321", + "CWE-770" + ], + "VendorSeverity": { + "ghsa": 3, + "nvd": 3, + "redhat": 2 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H", + "V3Score": 7.4 + }, + "nvd": { + "V2Vector": "AV:N/AC:M/Au:N/C:N/I:P/A:P", + "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H", + "V2Score": 5.8, + "V3Score": 7.4 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H", + "V3Score": 7.4 + } + }, + "References": [ + "https://access.redhat.com/security/cve/CVE-2020-8203", + "https://github.com/github/advisory-database/pull/2884", + "https://github.com/lodash/lodash", + "https://github.com/lodash/lodash/commit/c84fe82760fb2d3e03a63379b297a1cc1a2fce12", + "https://github.com/lodash/lodash/issues/4744", + "https://github.com/lodash/lodash/issues/4874", + "https://github.com/lodash/lodash/wiki/Changelog#v41719", + "https://hackerone.com/reports/712065", + "https://hackerone.com/reports/864701", + "https://nvd.nist.gov/vuln/detail/CVE-2020-8203", + 
"https://security.netapp.com/advisory/ntap-20200724-0006", + "https://security.netapp.com/advisory/ntap-20200724-0006/", + "https://web.archive.org/web/20210914001339/https://github.com/lodash/lodash/issues/4744", + "https://www.cve.org/CVERecord?id=CVE-2020-8203", + "https://www.npmjs.com/advisories/1523", + "https://www.oracle.com//security-alerts/cpujul2021.html", + "https://www.oracle.com/security-alerts/cpuApr2021.html", + "https://www.oracle.com/security-alerts/cpuapr2022.html", + "https://www.oracle.com/security-alerts/cpujan2022.html", + "https://www.oracle.com/security-alerts/cpuoct2021.html" + ], + "PublishedDate": "2020-07-15T17:15:11.797Z", + "LastModifiedDate": "2024-01-21T02:37:13.193Z" + }, + { + "VulnerabilityID": "GHSA-5mrr-rgp6-x4gr", + "PkgID": "marsdb@0.6.11", + "PkgName": "marsdb", + "PkgPath": "juice-shop/node_modules/marsdb/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/marsdb@0.6.11", + "UID": "54edd9a172aae6f9" + }, + "InstalledVersion": "0.6.11", + "Status": "affected", + "Layer": { + "Digest": "sha256:372ee704575ced2099853693fdb4f8770cd71b4bfcc2bf639c8e9f9d481ede37", + "DiffID": "sha256:6de27bb627f066285f0628172e686caf3e388a3bf266606c88d619d87d14aae3" + }, + "SeveritySource": "ghsa", + "PrimaryURL": "https://github.com/advisories/GHSA-5mrr-rgp6-x4gr", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Title": "Command Injection in marsdb", + "Description": "All versions of `marsdb` are vulnerable to Command Injection. In the `DocumentMatcher` class, selectors on `$where` clauses are passed to a Function constructor unsanitized. This allows attackers to run arbitrary commands in the system when the function is executed.\n\n\n## Recommendation\n\nNo fix is currently available. 
Consider using an alternative package until a fix is made available.", + "Severity": "CRITICAL", + "VendorSeverity": { + "ghsa": 4 + }, + "References": [ + "https://github.com/bkimminich/juice-shop/issues/1173", + "https://www.npmjs.com/advisories/1122" + ] + }, + { + "VulnerabilityID": "CVE-2024-4067", + "PkgID": "micromatch@3.1.10", + "PkgName": "micromatch", + "PkgPath": "juice-shop/node_modules/micromatch/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/micromatch@3.1.10", + "UID": "dff9b87c3884f86c" + }, + "InstalledVersion": "3.1.10", + "FixedVersion": "4.0.8", + "Status": "fixed", + "Layer": { + "Digest": "sha256:372ee704575ced2099853693fdb4f8770cd71b4bfcc2bf639c8e9f9d481ede37", + "DiffID": "sha256:6de27bb627f066285f0628172e686caf3e388a3bf266606c88d619d87d14aae3" + }, + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2024-4067", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Title": "micromatch: vulnerable to Regular Expression Denial of Service", + "Description": "The NPM package `micromatch` prior to 4.0.8 is vulnerable to Regular Expression Denial of Service (ReDoS). The vulnerability occurs in `micromatch.braces()` in `index.js` because the pattern `.*` will greedily match anything. By passing a malicious payload, the pattern matching will keep backtracking to the input while it doesn't find the closing bracket. As the input size increases, the consumption time will also increase until it causes the application to hang or slow down. There was a merged fix but further testing shows the issue persists. This issue should be mitigated by using a safe pattern that won't start backtracking the regular expression due to greedy matching. 
This issue was fixed in version 4.0.8.", + "Severity": "MEDIUM", + "CweIDs": [ + "CWE-1333" + ], + "VendorSeverity": { + "cbl-mariner": 3, + "ghsa": 2, + "redhat": 2 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", + "V3Score": 5.3 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 7.5 + } + }, + "References": [ + "https://access.redhat.com/security/cve/CVE-2024-4067", + "https://advisory.checkmarx.net/advisory/CVE-2024-4067", + "https://advisory.checkmarx.net/advisory/CVE-2024-4067/", + "https://devhub.checkmarx.com/cve-details/CVE-2024-4067", + "https://devhub.checkmarx.com/cve-details/CVE-2024-4067/", + "https://github.com/micromatch/micromatch", + "https://github.com/micromatch/micromatch/blob/2c56a8604b68c1099e7bc0f807ce0865a339747a/index.js#L448", + "https://github.com/micromatch/micromatch/commit/03aa8052171e878897eee5d7bb2ae0ae83ec2ade", + "https://github.com/micromatch/micromatch/commit/500d5d6f42f0e8dfa1cb5464c6cb420b1b6aaaa0", + "https://github.com/micromatch/micromatch/issues/243", + "https://github.com/micromatch/micromatch/pull/247", + "https://github.com/micromatch/micromatch/pull/266", + "https://github.com/micromatch/micromatch/releases/tag/4.0.8", + "https://nvd.nist.gov/vuln/detail/CVE-2024-4067", + "https://www.cve.org/CVERecord?id=CVE-2024-4067" + ], + "PublishedDate": "2024-05-14T15:42:47.947Z", + "LastModifiedDate": "2024-08-28T00:15:04.13Z" + }, + { + "VulnerabilityID": "CVE-2022-3517", + "PkgID": "minimatch@3.0.4", + "PkgName": "minimatch", + "PkgPath": "juice-shop/node_modules/minimatch/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/minimatch@3.0.4", + "UID": "354b39c8aaf5287c" + }, + "InstalledVersion": "3.0.4", + "FixedVersion": "3.0.5", + "Status": "fixed", + "Layer": { + "Digest": "sha256:372ee704575ced2099853693fdb4f8770cd71b4bfcc2bf639c8e9f9d481ede37", + "DiffID": "sha256:6de27bb627f066285f0628172e686caf3e388a3bf266606c88d619d87d14aae3" + }, 
+ "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2022-3517", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Title": "nodejs-minimatch: ReDoS via the braceExpand function", + "Description": "A vulnerability was found in the minimatch package. This flaw allows a Regular Expression Denial of Service (ReDoS) when calling the braceExpand function with specific arguments, resulting in a Denial of Service.", + "Severity": "HIGH", + "CweIDs": [ + "CWE-1333", + "CWE-400" + ], + "VendorSeverity": { + "alma": 2, + "ghsa": 3, + "nvd": 3, + "oracle-oval": 3, + "redhat": 2, + "rocky": 2, + "ubuntu": 2 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 7.5 + }, + "nvd": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 7.5 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 7.5 + } + }, + "References": [ + "https://access.redhat.com/errata/RHSA-2023:0321", + "https://access.redhat.com/security/cve/CVE-2022-3517", + "https://bugzilla.redhat.com/2066009", + "https://bugzilla.redhat.com/2130518", + "https://bugzilla.redhat.com/2134609", + "https://bugzilla.redhat.com/2140911", + "https://bugzilla.redhat.com/show_bug.cgi?id=2066009", + "https://bugzilla.redhat.com/show_bug.cgi?id=2130518", + "https://bugzilla.redhat.com/show_bug.cgi?id=2134609", + "https://bugzilla.redhat.com/show_bug.cgi?id=2140911", + "https://bugzilla.redhat.com/show_bug.cgi?id=2142808", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44906", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3517", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-35256", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-43548", + "https://errata.almalinux.org/9/ALSA-2023-0321.html", + "https://errata.rockylinux.org/RLSA-2023:0321", 
+ "https://github.com/grafana/grafana-image-renderer/issues/329", + "https://github.com/isaacs/minimatch", + "https://github.com/isaacs/minimatch/commit/a8763f4388e51956be62dc6025cec1126beeb5e6", + "https://github.com/isaacs/minimatch/commit/a8763f4388e51956be62dc6025cec1126beeb5e6 (v3.0.5)", + "https://github.com/nodejs/node/issues/42510", + "https://linux.oracle.com/cve/CVE-2022-3517.html", + "https://linux.oracle.com/errata/ELSA-2023-1743.html", + "https://lists.debian.org/debian-lts-announce/2023/01/msg00011.html", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MTEUUTNIEBHGKUKKLNUZSV7IEP6IP3Q3/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UM6XJ73Q3NAM5KSGCOKJ2ZIA6GUWUJLK/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MTEUUTNIEBHGKUKKLNUZSV7IEP6IP3Q3", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UM6XJ73Q3NAM5KSGCOKJ2ZIA6GUWUJLK", + "https://nvd.nist.gov/vuln/detail/CVE-2022-3517", + "https://ubuntu.com/security/notices/USN-6086-1", + "https://www.cve.org/CVERecord?id=CVE-2022-3517" + ], + "PublishedDate": "2022-10-17T20:15:09.937Z", + "LastModifiedDate": "2023-11-07T03:51:21.323Z" + }, + { + "VulnerabilityID": "CVE-2022-3517", + "PkgID": "minimatch@3.0.4", + "PkgName": "minimatch", + "PkgPath": "usr/local/lib/node_modules/npm/node_modules/minimatch/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/minimatch@3.0.4", + "UID": "fb8fa8096a378141" + }, + "InstalledVersion": "3.0.4", + "FixedVersion": "3.0.5", + "Status": "fixed", + "Layer": { + "Digest": "sha256:1e6875f31a79a89ba75198be98bcf8542ebf5bedc72e713643f8051c1de5f953", + "DiffID": "sha256:b745c9620c42ed8b3d44112811e039e9e673072cef3bb5740bb1d560a40b1f8a" + }, + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2022-3517", + "DataSource": { + "ID": "ghsa", + "Name": 
"GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Title": "nodejs-minimatch: ReDoS via the braceExpand function", + "Description": "A vulnerability was found in the minimatch package. This flaw allows a Regular Expression Denial of Service (ReDoS) when calling the braceExpand function with specific arguments, resulting in a Denial of Service.", + "Severity": "HIGH", + "CweIDs": [ + "CWE-1333", + "CWE-400" + ], + "VendorSeverity": { + "alma": 2, + "ghsa": 3, + "nvd": 3, + "oracle-oval": 3, + "redhat": 2, + "rocky": 2, + "ubuntu": 2 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 7.5 + }, + "nvd": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 7.5 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 7.5 + } + }, + "References": [ + "https://access.redhat.com/errata/RHSA-2023:0321", + "https://access.redhat.com/security/cve/CVE-2022-3517", + "https://bugzilla.redhat.com/2066009", + "https://bugzilla.redhat.com/2130518", + "https://bugzilla.redhat.com/2134609", + "https://bugzilla.redhat.com/2140911", + "https://bugzilla.redhat.com/show_bug.cgi?id=2066009", + "https://bugzilla.redhat.com/show_bug.cgi?id=2130518", + "https://bugzilla.redhat.com/show_bug.cgi?id=2134609", + "https://bugzilla.redhat.com/show_bug.cgi?id=2140911", + "https://bugzilla.redhat.com/show_bug.cgi?id=2142808", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44906", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3517", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-35256", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-43548", + "https://errata.almalinux.org/9/ALSA-2023-0321.html", + "https://errata.rockylinux.org/RLSA-2023:0321", + "https://github.com/grafana/grafana-image-renderer/issues/329", + "https://github.com/isaacs/minimatch", + 
"https://github.com/isaacs/minimatch/commit/a8763f4388e51956be62dc6025cec1126beeb5e6", + "https://github.com/isaacs/minimatch/commit/a8763f4388e51956be62dc6025cec1126beeb5e6 (v3.0.5)", + "https://github.com/nodejs/node/issues/42510", + "https://linux.oracle.com/cve/CVE-2022-3517.html", + "https://linux.oracle.com/errata/ELSA-2023-1743.html", + "https://lists.debian.org/debian-lts-announce/2023/01/msg00011.html", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MTEUUTNIEBHGKUKKLNUZSV7IEP6IP3Q3/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UM6XJ73Q3NAM5KSGCOKJ2ZIA6GUWUJLK/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MTEUUTNIEBHGKUKKLNUZSV7IEP6IP3Q3", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UM6XJ73Q3NAM5KSGCOKJ2ZIA6GUWUJLK", + "https://nvd.nist.gov/vuln/detail/CVE-2022-3517", + "https://ubuntu.com/security/notices/USN-6086-1", + "https://www.cve.org/CVERecord?id=CVE-2022-3517" + ], + "PublishedDate": "2022-10-17T20:15:09.937Z", + "LastModifiedDate": "2023-11-07T03:51:21.323Z" + }, + { + "VulnerabilityID": "CVE-2021-44906", + "PkgID": "minimist@0.0.10", + "PkgName": "minimist", + "PkgPath": "juice-shop/node_modules/optimist/node_modules/minimist/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/minimist@0.0.10", + "UID": "8fe664de015a5a79" + }, + "InstalledVersion": "0.0.10", + "FixedVersion": "1.2.6, 0.2.4", + "Status": "fixed", + "Layer": { + "Digest": "sha256:372ee704575ced2099853693fdb4f8770cd71b4bfcc2bf639c8e9f9d481ede37", + "DiffID": "sha256:6de27bb627f066285f0628172e686caf3e388a3bf266606c88d619d87d14aae3" + }, + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2021-44906", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": 
"https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Title": "minimist: prototype pollution", + "Description": "Minimist \u003c=1.2.5 is vulnerable to Prototype Pollution via file index.js, function setKey() (lines 69-95).", + "Severity": "CRITICAL", + "CweIDs": [ + "CWE-1321" + ], + "VendorSeverity": { + "alma": 2, + "ghsa": 4, + "nvd": 4, + "oracle-oval": 2, + "redhat": 2, + "rocky": 2 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "V3Score": 9.8 + }, + "nvd": { + "V2Vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P", + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "V2Score": 7.5, + "V3Score": 9.8 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "V3Score": 9.8 + } + }, + "References": [ + "https://access.redhat.com/errata/RHSA-2023:0321", + "https://access.redhat.com/security/cve/CVE-2021-44906", + "https://bugzilla.redhat.com/2066009", + "https://bugzilla.redhat.com/2130518", + "https://bugzilla.redhat.com/2134609", + "https://bugzilla.redhat.com/2140911", + "https://bugzilla.redhat.com/show_bug.cgi?id=2066009", + "https://bugzilla.redhat.com/show_bug.cgi?id=2130518", + "https://bugzilla.redhat.com/show_bug.cgi?id=2134609", + "https://bugzilla.redhat.com/show_bug.cgi?id=2140911", + "https://bugzilla.redhat.com/show_bug.cgi?id=2142808", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44906", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3517", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-35256", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-43548", + "https://errata.almalinux.org/9/ALSA-2023-0321.html", + "https://errata.rockylinux.org/RLSA-2023:0321", + "https://github.com/Marynk/JavaScript-vulnerability-detection/blob/main/minimist%20PoC.zip", + "https://github.com/advisories/GHSA-xvch-5gv4-984h", + "https://github.com/minimistjs/minimist/commit/34e20b8461118608703d6485326abbb8e35e1703", + 
"https://github.com/minimistjs/minimist/commit/bc8ecee43875261f4f17eb20b1243d3ed15e70eb", + "https://github.com/minimistjs/minimist/commit/c2b981977fa834b223b408cfb860f933c9811e4d", + "https://github.com/minimistjs/minimist/commit/ef9153fc52b6cea0744b2239921c5dcae4697f11", + "https://github.com/minimistjs/minimist/commits/v0.2.4", + "https://github.com/minimistjs/minimist/issues/11", + "https://github.com/minimistjs/minimist/pull/24", + "https://github.com/substack/minimist", + "https://github.com/substack/minimist/blob/master/index.js#L69", + "https://github.com/substack/minimist/issues/164", + "https://linux.oracle.com/cve/CVE-2021-44906.html", + "https://linux.oracle.com/errata/ELSA-2023-0321.html", + "https://nvd.nist.gov/vuln/detail/CVE-2021-44906", + "https://security.netapp.com/advisory/ntap-20240621-0006", + "https://security.netapp.com/advisory/ntap-20240621-0006/", + "https://snyk.io/vuln/SNYK-JS-MINIMIST-559764", + "https://stackoverflow.com/questions/8588563/adding-custom-properties-to-a-function/20278068#20278068", + "https://www.cve.org/CVERecord?id=CVE-2021-44906" + ], + "PublishedDate": "2022-03-17T16:15:07.51Z", + "LastModifiedDate": "2024-06-21T19:15:20.917Z" + }, + { + "VulnerabilityID": "CVE-2020-7598", + "PkgID": "minimist@0.0.10", + "PkgName": "minimist", + "PkgPath": "juice-shop/node_modules/optimist/node_modules/minimist/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/minimist@0.0.10", + "UID": "8fe664de015a5a79" + }, + "InstalledVersion": "0.0.10", + "FixedVersion": "0.2.1, 1.2.3", + "Status": "fixed", + "Layer": { + "Digest": "sha256:372ee704575ced2099853693fdb4f8770cd71b4bfcc2bf639c8e9f9d481ede37", + "DiffID": "sha256:6de27bb627f066285f0628172e686caf3e388a3bf266606c88d619d87d14aae3" + }, + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2020-7598", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, 
+ "Title": "nodejs-minimist: prototype pollution allows adding or modifying properties of Object.prototype using a constructor or __proto__ payload", + "Description": "minimist before 1.2.2 could be tricked into adding or modifying properties of Object.prototype using a \"constructor\" or \"__proto__\" payload.", + "Severity": "MEDIUM", + "CweIDs": [ + "CWE-1321" + ], + "VendorSeverity": { + "alma": 3, + "ghsa": 2, + "nvd": 2, + "oracle-oval": 3, + "redhat": 2 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L", + "V3Score": 5.6 + }, + "nvd": { + "V2Vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P", + "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L", + "V2Score": 6.8, + "V3Score": 5.6 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L", + "V3Score": 5.6 + } + }, + "References": [ + "http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00024.html", + "https://access.redhat.com/security/cve/CVE-2020-7598", + "https://errata.almalinux.org/8/ALSA-2020-2852.html", + "https://github.com/minimistjs/minimist/commit/10bd4cdf49d9686d48214be9d579a9cdfda37c68", + "https://github.com/minimistjs/minimist/commit/38a4d1caead72ef99e824bb420a2528eec03d9ab", + "https://github.com/minimistjs/minimist/commit/4cf1354839cb972e38496d35e12f806eea92c11f#diff-a1e0ee62c91705696ddb71aa30ad4f95", + "https://github.com/minimistjs/minimist/commit/63e7ed05aa4b1889ec2f3b196426db4500cbda94", + "https://github.com/substack/minimist", + "https://linux.oracle.com/cve/CVE-2020-7598.html", + "https://linux.oracle.com/errata/ELSA-2020-2852.html", + "https://nvd.nist.gov/vuln/detail/CVE-2020-7598", + "https://snyk.io/vuln/SNYK-JS-MINIMIST-559764", + "https://www.cve.org/CVERecord?id=CVE-2020-7598", + "https://www.npmjs.com/advisories/1179" + ], + "PublishedDate": "2020-03-11T23:15:11.917Z", + "LastModifiedDate": "2022-04-22T19:02:41.177Z" + }, + { + "VulnerabilityID": "CVE-2021-44906", + "PkgID": "minimist@1.2.5", + "PkgName": 
"minimist", + "PkgPath": "juice-shop/node_modules/minimist/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/minimist@1.2.5", + "UID": "15a810922ec9b334" + }, + "InstalledVersion": "1.2.5", + "FixedVersion": "1.2.6, 0.2.4", + "Status": "fixed", + "Layer": { + "Digest": "sha256:372ee704575ced2099853693fdb4f8770cd71b4bfcc2bf639c8e9f9d481ede37", + "DiffID": "sha256:6de27bb627f066285f0628172e686caf3e388a3bf266606c88d619d87d14aae3" + }, + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2021-44906", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Title": "minimist: prototype pollution", + "Description": "Minimist \u003c=1.2.5 is vulnerable to Prototype Pollution via file index.js, function setKey() (lines 69-95).", + "Severity": "CRITICAL", + "CweIDs": [ + "CWE-1321" + ], + "VendorSeverity": { + "alma": 2, + "ghsa": 4, + "nvd": 4, + "oracle-oval": 2, + "redhat": 2, + "rocky": 2 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "V3Score": 9.8 + }, + "nvd": { + "V2Vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P", + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "V2Score": 7.5, + "V3Score": 9.8 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "V3Score": 9.8 + } + }, + "References": [ + "https://access.redhat.com/errata/RHSA-2023:0321", + "https://access.redhat.com/security/cve/CVE-2021-44906", + "https://bugzilla.redhat.com/2066009", + "https://bugzilla.redhat.com/2130518", + "https://bugzilla.redhat.com/2134609", + "https://bugzilla.redhat.com/2140911", + "https://bugzilla.redhat.com/show_bug.cgi?id=2066009", + "https://bugzilla.redhat.com/show_bug.cgi?id=2130518", + "https://bugzilla.redhat.com/show_bug.cgi?id=2134609", + "https://bugzilla.redhat.com/show_bug.cgi?id=2140911", + "https://bugzilla.redhat.com/show_bug.cgi?id=2142808", + 
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44906", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3517", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-35256", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-43548", + "https://errata.almalinux.org/9/ALSA-2023-0321.html", + "https://errata.rockylinux.org/RLSA-2023:0321", + "https://github.com/Marynk/JavaScript-vulnerability-detection/blob/main/minimist%20PoC.zip", + "https://github.com/advisories/GHSA-xvch-5gv4-984h", + "https://github.com/minimistjs/minimist/commit/34e20b8461118608703d6485326abbb8e35e1703", + "https://github.com/minimistjs/minimist/commit/bc8ecee43875261f4f17eb20b1243d3ed15e70eb", + "https://github.com/minimistjs/minimist/commit/c2b981977fa834b223b408cfb860f933c9811e4d", + "https://github.com/minimistjs/minimist/commit/ef9153fc52b6cea0744b2239921c5dcae4697f11", + "https://github.com/minimistjs/minimist/commits/v0.2.4", + "https://github.com/minimistjs/minimist/issues/11", + "https://github.com/minimistjs/minimist/pull/24", + "https://github.com/substack/minimist", + "https://github.com/substack/minimist/blob/master/index.js#L69", + "https://github.com/substack/minimist/issues/164", + "https://linux.oracle.com/cve/CVE-2021-44906.html", + "https://linux.oracle.com/errata/ELSA-2023-0321.html", + "https://nvd.nist.gov/vuln/detail/CVE-2021-44906", + "https://security.netapp.com/advisory/ntap-20240621-0006", + "https://security.netapp.com/advisory/ntap-20240621-0006/", + "https://snyk.io/vuln/SNYK-JS-MINIMIST-559764", + "https://stackoverflow.com/questions/8588563/adding-custom-properties-to-a-function/20278068#20278068", + "https://www.cve.org/CVERecord?id=CVE-2021-44906" + ], + "PublishedDate": "2022-03-17T16:15:07.51Z", + "LastModifiedDate": "2024-06-21T19:15:20.917Z" + }, + { + "VulnerabilityID": "CVE-2021-44906", + "PkgID": "minimist@1.2.5", + "PkgName": "minimist", + "PkgPath": 
"usr/local/lib/node_modules/npm/node_modules/mkdirp/node_modules/minimist/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/minimist@1.2.5", + "UID": "7ae7eb3ea86cd85e" + }, + "InstalledVersion": "1.2.5", + "FixedVersion": "1.2.6, 0.2.4", + "Status": "fixed", + "Layer": { + "Digest": "sha256:1e6875f31a79a89ba75198be98bcf8542ebf5bedc72e713643f8051c1de5f953", + "DiffID": "sha256:b745c9620c42ed8b3d44112811e039e9e673072cef3bb5740bb1d560a40b1f8a" + }, + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2021-44906", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Title": "minimist: prototype pollution", + "Description": "Minimist \u003c=1.2.5 is vulnerable to Prototype Pollution via file index.js, function setKey() (lines 69-95).", + "Severity": "CRITICAL", + "CweIDs": [ + "CWE-1321" + ], + "VendorSeverity": { + "alma": 2, + "ghsa": 4, + "nvd": 4, + "oracle-oval": 2, + "redhat": 2, + "rocky": 2 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "V3Score": 9.8 + }, + "nvd": { + "V2Vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P", + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "V2Score": 7.5, + "V3Score": 9.8 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "V3Score": 9.8 + } + }, + "References": [ + "https://access.redhat.com/errata/RHSA-2023:0321", + "https://access.redhat.com/security/cve/CVE-2021-44906", + "https://bugzilla.redhat.com/2066009", + "https://bugzilla.redhat.com/2130518", + "https://bugzilla.redhat.com/2134609", + "https://bugzilla.redhat.com/2140911", + "https://bugzilla.redhat.com/show_bug.cgi?id=2066009", + "https://bugzilla.redhat.com/show_bug.cgi?id=2130518", + "https://bugzilla.redhat.com/show_bug.cgi?id=2134609", + "https://bugzilla.redhat.com/show_bug.cgi?id=2140911", + "https://bugzilla.redhat.com/show_bug.cgi?id=2142808", + 
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44906", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3517", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-35256", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-43548", + "https://errata.almalinux.org/9/ALSA-2023-0321.html", + "https://errata.rockylinux.org/RLSA-2023:0321", + "https://github.com/Marynk/JavaScript-vulnerability-detection/blob/main/minimist%20PoC.zip", + "https://github.com/advisories/GHSA-xvch-5gv4-984h", + "https://github.com/minimistjs/minimist/commit/34e20b8461118608703d6485326abbb8e35e1703", + "https://github.com/minimistjs/minimist/commit/bc8ecee43875261f4f17eb20b1243d3ed15e70eb", + "https://github.com/minimistjs/minimist/commit/c2b981977fa834b223b408cfb860f933c9811e4d", + "https://github.com/minimistjs/minimist/commit/ef9153fc52b6cea0744b2239921c5dcae4697f11", + "https://github.com/minimistjs/minimist/commits/v0.2.4", + "https://github.com/minimistjs/minimist/issues/11", + "https://github.com/minimistjs/minimist/pull/24", + "https://github.com/substack/minimist", + "https://github.com/substack/minimist/blob/master/index.js#L69", + "https://github.com/substack/minimist/issues/164", + "https://linux.oracle.com/cve/CVE-2021-44906.html", + "https://linux.oracle.com/errata/ELSA-2023-0321.html", + "https://nvd.nist.gov/vuln/detail/CVE-2021-44906", + "https://security.netapp.com/advisory/ntap-20240621-0006", + "https://security.netapp.com/advisory/ntap-20240621-0006/", + "https://snyk.io/vuln/SNYK-JS-MINIMIST-559764", + "https://stackoverflow.com/questions/8588563/adding-custom-properties-to-a-function/20278068#20278068", + "https://www.cve.org/CVERecord?id=CVE-2021-44906" + ], + "PublishedDate": "2022-03-17T16:15:07.51Z", + "LastModifiedDate": "2024-06-21T19:15:20.917Z" + }, + { + "VulnerabilityID": "CVE-2021-44906", + "PkgID": "minimist@1.2.5", + "PkgName": "minimist", + "PkgPath": 
"usr/local/lib/node_modules/npm/node_modules/rc/node_modules/minimist/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/minimist@1.2.5", + "UID": "6bd2c769eba9ba9e" + }, + "InstalledVersion": "1.2.5", + "FixedVersion": "1.2.6, 0.2.4", + "Status": "fixed", + "Layer": { + "Digest": "sha256:1e6875f31a79a89ba75198be98bcf8542ebf5bedc72e713643f8051c1de5f953", + "DiffID": "sha256:b745c9620c42ed8b3d44112811e039e9e673072cef3bb5740bb1d560a40b1f8a" + }, + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2021-44906", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Title": "minimist: prototype pollution", + "Description": "Minimist \u003c=1.2.5 is vulnerable to Prototype Pollution via file index.js, function setKey() (lines 69-95).", + "Severity": "CRITICAL", + "CweIDs": [ + "CWE-1321" + ], + "VendorSeverity": { + "alma": 2, + "ghsa": 4, + "nvd": 4, + "oracle-oval": 2, + "redhat": 2, + "rocky": 2 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "V3Score": 9.8 + }, + "nvd": { + "V2Vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P", + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "V2Score": 7.5, + "V3Score": 9.8 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "V3Score": 9.8 + } + }, + "References": [ + "https://access.redhat.com/errata/RHSA-2023:0321", + "https://access.redhat.com/security/cve/CVE-2021-44906", + "https://bugzilla.redhat.com/2066009", + "https://bugzilla.redhat.com/2130518", + "https://bugzilla.redhat.com/2134609", + "https://bugzilla.redhat.com/2140911", + "https://bugzilla.redhat.com/show_bug.cgi?id=2066009", + "https://bugzilla.redhat.com/show_bug.cgi?id=2130518", + "https://bugzilla.redhat.com/show_bug.cgi?id=2134609", + "https://bugzilla.redhat.com/show_bug.cgi?id=2140911", + "https://bugzilla.redhat.com/show_bug.cgi?id=2142808", + 
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44906", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3517", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-35256", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-43548", + "https://errata.almalinux.org/9/ALSA-2023-0321.html", + "https://errata.rockylinux.org/RLSA-2023:0321", + "https://github.com/Marynk/JavaScript-vulnerability-detection/blob/main/minimist%20PoC.zip", + "https://github.com/advisories/GHSA-xvch-5gv4-984h", + "https://github.com/minimistjs/minimist/commit/34e20b8461118608703d6485326abbb8e35e1703", + "https://github.com/minimistjs/minimist/commit/bc8ecee43875261f4f17eb20b1243d3ed15e70eb", + "https://github.com/minimistjs/minimist/commit/c2b981977fa834b223b408cfb860f933c9811e4d", + "https://github.com/minimistjs/minimist/commit/ef9153fc52b6cea0744b2239921c5dcae4697f11", + "https://github.com/minimistjs/minimist/commits/v0.2.4", + "https://github.com/minimistjs/minimist/issues/11", + "https://github.com/minimistjs/minimist/pull/24", + "https://github.com/substack/minimist", + "https://github.com/substack/minimist/blob/master/index.js#L69", + "https://github.com/substack/minimist/issues/164", + "https://linux.oracle.com/cve/CVE-2021-44906.html", + "https://linux.oracle.com/errata/ELSA-2023-0321.html", + "https://nvd.nist.gov/vuln/detail/CVE-2021-44906", + "https://security.netapp.com/advisory/ntap-20240621-0006", + "https://security.netapp.com/advisory/ntap-20240621-0006/", + "https://snyk.io/vuln/SNYK-JS-MINIMIST-559764", + "https://stackoverflow.com/questions/8588563/adding-custom-properties-to-a-function/20278068#20278068", + "https://www.cve.org/CVERecord?id=CVE-2021-44906" + ], + "PublishedDate": "2022-03-17T16:15:07.51Z", + "LastModifiedDate": "2024-06-21T19:15:20.917Z" + }, + { + "VulnerabilityID": "CVE-2017-18214", + "PkgID": "moment@2.0.0", + "PkgName": "moment", + "PkgPath": "juice-shop/node_modules/moment/package.json", + "PkgIdentifier": { + "PURL": 
"pkg:npm/moment@2.0.0", + "UID": "379ec1daf3fac294" + }, + "InstalledVersion": "2.0.0", + "FixedVersion": "2.19.3", + "Status": "fixed", + "Layer": { + "Digest": "sha256:372ee704575ced2099853693fdb4f8770cd71b4bfcc2bf639c8e9f9d481ede37", + "DiffID": "sha256:6de27bb627f066285f0628172e686caf3e388a3bf266606c88d619d87d14aae3" + }, + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2017-18214", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Title": "nodejs-moment: Regular expression denial of service", + "Description": "The moment module before 2.19.3 for Node.js is prone to a regular expression denial of service via a crafted date string, a different vulnerability than CVE-2016-4055.", + "Severity": "HIGH", + "CweIDs": [ + "CWE-400" + ], + "VendorSeverity": { + "azure": 3, + "cbl-mariner": 3, + "ghsa": 3, + "nvd": 3, + "redhat": 2 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 7.5 + }, + "nvd": { + "V2Vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P", + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V2Score": 5, + "V3Score": 7.5 + }, + "redhat": { + "V3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", + "V3Score": 5.3 + } + }, + "References": [ + "https://access.redhat.com/security/cve/CVE-2017-18214", + "https://github.com/advisories/GHSA-446m-mv8f-q348", + "https://github.com/moment/moment", + "https://github.com/moment/moment/commit/69ed9d44957fa6ab12b73d2ae29d286a857b80eb", + "https://github.com/moment/moment/issues/4163", + "https://github.com/moment/moment/pull/4326", + "https://nodesecurity.io/advisories/532", + "https://nvd.nist.gov/vuln/detail/CVE-2017-18214", + "https://www.cve.org/CVERecord?id=CVE-2017-18214", + "https://www.npmjs.com/advisories/532", + "https://www.tenable.com/security/tns-2019-02" + ], + "PublishedDate": "2018-03-04T21:29:00.23Z", + 
"LastModifiedDate": "2022-02-14T18:03:21.767Z" + }, + { + "VulnerabilityID": "CVE-2022-24785", + "PkgID": "moment@2.0.0", + "PkgName": "moment", + "PkgPath": "juice-shop/node_modules/moment/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/moment@2.0.0", + "UID": "379ec1daf3fac294" + }, + "InstalledVersion": "2.0.0", + "FixedVersion": "2.29.2", + "Status": "fixed", + "Layer": { + "Digest": "sha256:372ee704575ced2099853693fdb4f8770cd71b4bfcc2bf639c8e9f9d481ede37", + "DiffID": "sha256:6de27bb627f066285f0628172e686caf3e388a3bf266606c88d619d87d14aae3" + }, + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2022-24785", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Title": "Moment.js: Path traversal in moment.locale", + "Description": "Moment.js is a JavaScript date library for parsing, validating, manipulating, and formatting dates. A path traversal vulnerability impacts npm (server) users of Moment.js between versions 1.0.1 and 2.29.1, especially if a user-provided locale string is directly used to switch moment locale. This problem is patched in 2.29.2, and the patch can be applied to all affected versions. 
As a workaround, sanitize the user-provided locale name before passing it to Moment.js.", + "Severity": "HIGH", + "CweIDs": [ + "CWE-22", + "CWE-27" + ], + "VendorSeverity": { + "ghsa": 3, + "nvd": 3, + "redhat": 2, + "ubuntu": 2 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", + "V3Score": 7.5 + }, + "nvd": { + "V2Vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N", + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", + "V2Score": 5, + "V3Score": 7.5 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", + "V3Score": 7.5 + } + }, + "References": [ + "https://access.redhat.com/security/cve/CVE-2022-24785", + "https://github.com/moment/moment", + "https://github.com/moment/moment/commit/4211bfc8f15746be4019bba557e29a7ba83d54c5", + "https://github.com/moment/moment/security/advisories/GHSA-8hfj-j24r-96c4", + "https://lists.debian.org/debian-lts-announce/2023/01/msg00035.html", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6QIO6YNLTK2T7SPKDS4JEL45FANLNC2Q/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ORJX2LF6KMPIHP6B2P6KZIVKMLE3LVJ5/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6QIO6YNLTK2T7SPKDS4JEL45FANLNC2Q", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ORJX2LF6KMPIHP6B2P6KZIVKMLE3LVJ5", + "https://nvd.nist.gov/vuln/detail/CVE-2022-24785", + "https://security.netapp.com/advisory/ntap-20220513-0006", + "https://security.netapp.com/advisory/ntap-20220513-0006/", + "https://ubuntu.com/security/notices/USN-5559-1", + "https://www.cve.org/CVERecord?id=CVE-2022-24785", + "https://www.tenable.com/security/tns-2022-09" + ], + "PublishedDate": "2022-04-04T17:15:07.583Z", + "LastModifiedDate": "2023-11-07T03:44:37.003Z" + }, + { + "VulnerabilityID": "CVE-2016-4055", + "PkgID": "moment@2.0.0", + 
"PkgName": "moment", + "PkgPath": "juice-shop/node_modules/moment/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/moment@2.0.0", + "UID": "379ec1daf3fac294" + }, + "InstalledVersion": "2.0.0", + "FixedVersion": "\u003e=2.11.2", + "Status": "fixed", + "Layer": { + "Digest": "sha256:372ee704575ced2099853693fdb4f8770cd71b4bfcc2bf639c8e9f9d481ede37", + "DiffID": "sha256:6de27bb627f066285f0628172e686caf3e388a3bf266606c88d619d87d14aae3" + }, + "SeveritySource": "nodejs-security-wg", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2016-4055", + "DataSource": { + "ID": "nodejs-security-wg", + "Name": "Node.js Ecosystem Security Working Group", + "URL": "https://github.com/nodejs/security-wg" + }, + "Title": "moment.js: regular expression denial of service", + "Description": "The duration function in the moment package before 2.11.2 for Node.js allows remote attackers to cause a denial of service (CPU consumption) via a long string, aka a \"regular expression Denial of Service (ReDoS).\"", + "Severity": "MEDIUM", + "CweIDs": [ + "CWE-400" + ], + "VendorSeverity": { + "ghsa": 2, + "nodejs-security-wg": 2, + "nvd": 2, + "redhat": 2 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 6.5 + }, + "nvd": { + "V2Vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C", + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "V2Score": 7.8, + "V3Score": 6.5 + }, + "redhat": { + "V2Vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P", + "V2Score": 4.3 + } + }, + "References": [ + "http://www.openwall.com/lists/oss-security/2016/04/20/11", + "http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html", + "http://www.securityfocus.com/bid/95849", + "https://access.redhat.com/security/cve/CVE-2016-4055", + "https://github.com/advisories/GHSA-87vv-r9j6-g5qv", + "https://github.com/moment/moment", + "https://lists.apache.org/thread.html/10f0f3aefd51444d1198c65f44ffdf2d78ca3359423dbc1c168c9731%40%3Cdev.flink.apache.org%3E", + 
"https://lists.apache.org/thread.html/10f0f3aefd51444d1198c65f44ffdf2d78ca3359423dbc1c168c9731@%3Cdev.flink.apache.org%3E", + "https://lists.apache.org/thread.html/17ff53f7999e74fbe3cc0ceb4e1c3b00b180b7c5afec8e978837bc49%40%3Cuser.flink.apache.org%3E", + "https://lists.apache.org/thread.html/17ff53f7999e74fbe3cc0ceb4e1c3b00b180b7c5afec8e978837bc49@%3Cuser.flink.apache.org%3E", + "https://lists.apache.org/thread.html/52bafac05ad174000ea465fe275fd3cc7bd5c25535a7631c0bc9bfb2%40%3Cuser.flink.apache.org%3E", + "https://lists.apache.org/thread.html/52bafac05ad174000ea465fe275fd3cc7bd5c25535a7631c0bc9bfb2@%3Cuser.flink.apache.org%3E", + "https://lists.apache.org/thread.html/54df3aeb4239b64b50b356f0ca6f986e3c4ca5b84c515dce077c7854%40%3Cuser.flink.apache.org%3E", + "https://lists.apache.org/thread.html/54df3aeb4239b64b50b356f0ca6f986e3c4ca5b84c515dce077c7854@%3Cuser.flink.apache.org%3E", + "https://nodesecurity.io/advisories/55", + "https://nvd.nist.gov/vuln/detail/CVE-2016-4055", + "https://www.cve.org/CVERecord?id=CVE-2016-4055", + "https://www.npmjs.com/advisories/55", + "https://www.owasp.org/index.php/Regular_expression_Denial_of_Service_-_ReDoS", + "https://www.tenable.com/security/tns-2019-02" + ], + "PublishedDate": "2017-01-23T21:59:01.33Z", + "LastModifiedDate": "2023-11-07T02:32:33.253Z" + }, + { + "VulnerabilityID": "CVE-2022-24785", + "PkgID": "moment@2.24.0", + "PkgName": "moment", + "PkgPath": "juice-shop/node_modules/file-stream-rotator/node_modules/moment/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/moment@2.24.0", + "UID": "e81345b954fd4782" + }, + "InstalledVersion": "2.24.0", + "FixedVersion": "2.29.2", + "Status": "fixed", + "Layer": { + "Digest": "sha256:372ee704575ced2099853693fdb4f8770cd71b4bfcc2bf639c8e9f9d481ede37", + "DiffID": "sha256:6de27bb627f066285f0628172e686caf3e388a3bf266606c88d619d87d14aae3" + }, + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2022-24785", + "DataSource": { + "ID": "ghsa", + "Name": 
"GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Title": "Moment.js: Path traversal in moment.locale", + "Description": "Moment.js is a JavaScript date library for parsing, validating, manipulating, and formatting dates. A path traversal vulnerability impacts npm (server) users of Moment.js between versions 1.0.1 and 2.29.1, especially if a user-provided locale string is directly used to switch moment locale. This problem is patched in 2.29.2, and the patch can be applied to all affected versions. As a workaround, sanitize the user-provided locale name before passing it to Moment.js.", + "Severity": "HIGH", + "CweIDs": [ + "CWE-22", + "CWE-27" + ], + "VendorSeverity": { + "ghsa": 3, + "nvd": 3, + "redhat": 2, + "ubuntu": 2 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", + "V3Score": 7.5 + }, + "nvd": { + "V2Vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N", + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", + "V2Score": 5, + "V3Score": 7.5 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", + "V3Score": 7.5 + } + }, + "References": [ + "https://access.redhat.com/security/cve/CVE-2022-24785", + "https://github.com/moment/moment", + "https://github.com/moment/moment/commit/4211bfc8f15746be4019bba557e29a7ba83d54c5", + "https://github.com/moment/moment/security/advisories/GHSA-8hfj-j24r-96c4", + "https://lists.debian.org/debian-lts-announce/2023/01/msg00035.html", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6QIO6YNLTK2T7SPKDS4JEL45FANLNC2Q/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ORJX2LF6KMPIHP6B2P6KZIVKMLE3LVJ5/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6QIO6YNLTK2T7SPKDS4JEL45FANLNC2Q", + 
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ORJX2LF6KMPIHP6B2P6KZIVKMLE3LVJ5", + "https://nvd.nist.gov/vuln/detail/CVE-2022-24785", + "https://security.netapp.com/advisory/ntap-20220513-0006", + "https://security.netapp.com/advisory/ntap-20220513-0006/", + "https://ubuntu.com/security/notices/USN-5559-1", + "https://www.cve.org/CVERecord?id=CVE-2022-24785", + "https://www.tenable.com/security/tns-2022-09" + ], + "PublishedDate": "2022-04-04T17:15:07.583Z", + "LastModifiedDate": "2023-11-07T03:44:37.003Z" + }, + { + "VulnerabilityID": "CVE-2022-24785", + "PkgID": "moment@2.24.0", + "PkgName": "moment", + "PkgPath": "juice-shop/node_modules/finale-rest/node_modules/moment/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/moment@2.24.0", + "UID": "635037c174eddb3c" + }, + "InstalledVersion": "2.24.0", + "FixedVersion": "2.29.2", + "Status": "fixed", + "Layer": { + "Digest": "sha256:372ee704575ced2099853693fdb4f8770cd71b4bfcc2bf639c8e9f9d481ede37", + "DiffID": "sha256:6de27bb627f066285f0628172e686caf3e388a3bf266606c88d619d87d14aae3" + }, + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2022-24785", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Title": "Moment.js: Path traversal in moment.locale", + "Description": "Moment.js is a JavaScript date library for parsing, validating, manipulating, and formatting dates. A path traversal vulnerability impacts npm (server) users of Moment.js between versions 1.0.1 and 2.29.1, especially if a user-provided locale string is directly used to switch moment locale. This problem is patched in 2.29.2, and the patch can be applied to all affected versions. 
As a workaround, sanitize the user-provided locale name before passing it to Moment.js.", + "Severity": "HIGH", + "CweIDs": [ + "CWE-22", + "CWE-27" + ], + "VendorSeverity": { + "ghsa": 3, + "nvd": 3, + "redhat": 2, + "ubuntu": 2 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", + "V3Score": 7.5 + }, + "nvd": { + "V2Vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N", + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", + "V2Score": 5, + "V3Score": 7.5 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", + "V3Score": 7.5 + } + }, + "References": [ + "https://access.redhat.com/security/cve/CVE-2022-24785", + "https://github.com/moment/moment", + "https://github.com/moment/moment/commit/4211bfc8f15746be4019bba557e29a7ba83d54c5", + "https://github.com/moment/moment/security/advisories/GHSA-8hfj-j24r-96c4", + "https://lists.debian.org/debian-lts-announce/2023/01/msg00035.html", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6QIO6YNLTK2T7SPKDS4JEL45FANLNC2Q/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ORJX2LF6KMPIHP6B2P6KZIVKMLE3LVJ5/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6QIO6YNLTK2T7SPKDS4JEL45FANLNC2Q", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ORJX2LF6KMPIHP6B2P6KZIVKMLE3LVJ5", + "https://nvd.nist.gov/vuln/detail/CVE-2022-24785", + "https://security.netapp.com/advisory/ntap-20220513-0006", + "https://security.netapp.com/advisory/ntap-20220513-0006/", + "https://ubuntu.com/security/notices/USN-5559-1", + "https://www.cve.org/CVERecord?id=CVE-2022-24785", + "https://www.tenable.com/security/tns-2022-09" + ], + "PublishedDate": "2022-04-04T17:15:07.583Z", + "LastModifiedDate": "2023-11-07T03:44:37.003Z" + }, + { + "VulnerabilityID": "CVE-2022-24785", + "PkgID": "moment@2.24.0", + 
"PkgName": "moment", + "PkgPath": "juice-shop/node_modules/moment-timezone/node_modules/moment/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/moment@2.24.0", + "UID": "676e190b8f937926" + }, + "InstalledVersion": "2.24.0", + "FixedVersion": "2.29.2", + "Status": "fixed", + "Layer": { + "Digest": "sha256:372ee704575ced2099853693fdb4f8770cd71b4bfcc2bf639c8e9f9d481ede37", + "DiffID": "sha256:6de27bb627f066285f0628172e686caf3e388a3bf266606c88d619d87d14aae3" + }, + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2022-24785", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Title": "Moment.js: Path traversal in moment.locale", + "Description": "Moment.js is a JavaScript date library for parsing, validating, manipulating, and formatting dates. A path traversal vulnerability impacts npm (server) users of Moment.js between versions 1.0.1 and 2.29.1, especially if a user-provided locale string is directly used to switch moment locale. This problem is patched in 2.29.2, and the patch can be applied to all affected versions. 
As a workaround, sanitize the user-provided locale name before passing it to Moment.js.", + "Severity": "HIGH", + "CweIDs": [ + "CWE-22", + "CWE-27" + ], + "VendorSeverity": { + "ghsa": 3, + "nvd": 3, + "redhat": 2, + "ubuntu": 2 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", + "V3Score": 7.5 + }, + "nvd": { + "V2Vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N", + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", + "V2Score": 5, + "V3Score": 7.5 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", + "V3Score": 7.5 + } + }, + "References": [ + "https://access.redhat.com/security/cve/CVE-2022-24785", + "https://github.com/moment/moment", + "https://github.com/moment/moment/commit/4211bfc8f15746be4019bba557e29a7ba83d54c5", + "https://github.com/moment/moment/security/advisories/GHSA-8hfj-j24r-96c4", + "https://lists.debian.org/debian-lts-announce/2023/01/msg00035.html", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6QIO6YNLTK2T7SPKDS4JEL45FANLNC2Q/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ORJX2LF6KMPIHP6B2P6KZIVKMLE3LVJ5/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6QIO6YNLTK2T7SPKDS4JEL45FANLNC2Q", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ORJX2LF6KMPIHP6B2P6KZIVKMLE3LVJ5", + "https://nvd.nist.gov/vuln/detail/CVE-2022-24785", + "https://security.netapp.com/advisory/ntap-20220513-0006", + "https://security.netapp.com/advisory/ntap-20220513-0006/", + "https://ubuntu.com/security/notices/USN-5559-1", + "https://www.cve.org/CVERecord?id=CVE-2022-24785", + "https://www.tenable.com/security/tns-2022-09" + ], + "PublishedDate": "2022-04-04T17:15:07.583Z", + "LastModifiedDate": "2023-11-07T03:44:37.003Z" + }, + { + "VulnerabilityID": "CVE-2022-24785", + "PkgID": "moment@2.24.0", + 
"PkgName": "moment", + "PkgPath": "juice-shop/node_modules/sequelize/node_modules/moment/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/moment@2.24.0", + "UID": "e56448d7ae52878b" + }, + "InstalledVersion": "2.24.0", + "FixedVersion": "2.29.2", + "Status": "fixed", + "Layer": { + "Digest": "sha256:372ee704575ced2099853693fdb4f8770cd71b4bfcc2bf639c8e9f9d481ede37", + "DiffID": "sha256:6de27bb627f066285f0628172e686caf3e388a3bf266606c88d619d87d14aae3" + }, + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2022-24785", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Title": "Moment.js: Path traversal in moment.locale", + "Description": "Moment.js is a JavaScript date library for parsing, validating, manipulating, and formatting dates. A path traversal vulnerability impacts npm (server) users of Moment.js between versions 1.0.1 and 2.29.1, especially if a user-provided locale string is directly used to switch moment locale. This problem is patched in 2.29.2, and the patch can be applied to all affected versions. 
As a workaround, sanitize the user-provided locale name before passing it to Moment.js.", + "Severity": "HIGH", + "CweIDs": [ + "CWE-22", + "CWE-27" + ], + "VendorSeverity": { + "ghsa": 3, + "nvd": 3, + "redhat": 2, + "ubuntu": 2 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", + "V3Score": 7.5 + }, + "nvd": { + "V2Vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N", + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", + "V2Score": 5, + "V3Score": 7.5 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", + "V3Score": 7.5 + } + }, + "References": [ + "https://access.redhat.com/security/cve/CVE-2022-24785", + "https://github.com/moment/moment", + "https://github.com/moment/moment/commit/4211bfc8f15746be4019bba557e29a7ba83d54c5", + "https://github.com/moment/moment/security/advisories/GHSA-8hfj-j24r-96c4", + "https://lists.debian.org/debian-lts-announce/2023/01/msg00035.html", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6QIO6YNLTK2T7SPKDS4JEL45FANLNC2Q/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ORJX2LF6KMPIHP6B2P6KZIVKMLE3LVJ5/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6QIO6YNLTK2T7SPKDS4JEL45FANLNC2Q", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ORJX2LF6KMPIHP6B2P6KZIVKMLE3LVJ5", + "https://nvd.nist.gov/vuln/detail/CVE-2022-24785", + "https://security.netapp.com/advisory/ntap-20220513-0006", + "https://security.netapp.com/advisory/ntap-20220513-0006/", + "https://ubuntu.com/security/notices/USN-5559-1", + "https://www.cve.org/CVERecord?id=CVE-2022-24785", + "https://www.tenable.com/security/tns-2022-09" + ], + "PublishedDate": "2022-04-04T17:15:07.583Z", + "LastModifiedDate": "2023-11-07T03:44:37.003Z" + }, + { + "VulnerabilityID": "CVE-2022-31129", + "PkgID": "moment@2.24.0", + 
"PkgName": "moment", + "PkgPath": "juice-shop/node_modules/file-stream-rotator/node_modules/moment/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/moment@2.24.0", + "UID": "e81345b954fd4782" + }, + "InstalledVersion": "2.24.0", + "FixedVersion": "2.29.4", + "Status": "fixed", + "Layer": { + "Digest": "sha256:372ee704575ced2099853693fdb4f8770cd71b4bfcc2bf639c8e9f9d481ede37", + "DiffID": "sha256:6de27bb627f066285f0628172e686caf3e388a3bf266606c88d619d87d14aae3" + }, + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2022-31129", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Title": "moment: inefficient parsing algorithm resulting in DoS", + "Description": "moment is a JavaScript date library for parsing, validating, manipulating, and formatting dates. Affected versions of moment were found to use an inefficient parsing algorithm. Specifically using string-to-date parsing in moment (more specifically rfc2822 parsing, which is tried by default) has quadratic (N^2) complexity on specific inputs. Users may notice a noticeable slowdown is observed with inputs above 10k characters. Users who pass user-provided strings without sanity length checks to moment constructor are vulnerable to (Re)DoS attacks. The problem is patched in 2.29.4, the patch can be applied to all affected versions with minimal tweaking. Users are advised to upgrade. 
Users unable to upgrade should consider limiting date lengths accepted from user input.", + "Severity": "HIGH", + "CweIDs": [ + "CWE-1333", + "CWE-400" + ], + "VendorSeverity": { + "ghsa": 3, + "nvd": 3, + "redhat": 3, + "ubuntu": 2 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 7.5 + }, + "nvd": { + "V2Vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P", + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V2Score": 5, + "V3Score": 7.5 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 7.5 + } + }, + "References": [ + "https://access.redhat.com/security/cve/CVE-2022-31129", + "https://github.com/moment/moment", + "https://github.com/moment/moment/commit/9a3b5894f3d5d602948ac8a02e4ee528a49ca3a3", + "https://github.com/moment/moment/pull/6015#issuecomment-1152961973", + "https://github.com/moment/moment/pull/6015/commits/4bbb9f3ccbe231de40207503f344fe5ce97584f4", + "https://github.com/moment/moment/pull/6015/commits/bfd4f2375d5c1a2106246721d693a9611dddfbfe", + "https://github.com/moment/moment/pull/6015/commits/dc0d180e90d8a84f7ff13572363330a22b3ea504", + "https://github.com/moment/moment/security/advisories/GHSA-wc69-rhjr-hc9g", + "https://huntr.dev/bounties/f0952b67-f2ff-44a9-a9cd-99e0a87cb633", + "https://huntr.dev/bounties/f0952b67-f2ff-44a9-a9cd-99e0a87cb633/", + "https://lists.debian.org/debian-lts-announce/2023/01/msg00035.html", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6QIO6YNLTK2T7SPKDS4JEL45FANLNC2Q/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IWY24RJA3SBJGA5N4CU4VBPHJPPPJL5O/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ORJX2LF6KMPIHP6B2P6KZIVKMLE3LVJ5/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZMX5YHELQVCGKKQVFXIYOTBMN23YYSRO/", 
+ "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6QIO6YNLTK2T7SPKDS4JEL45FANLNC2Q", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IWY24RJA3SBJGA5N4CU4VBPHJPPPJL5O", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ORJX2LF6KMPIHP6B2P6KZIVKMLE3LVJ5", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZMX5YHELQVCGKKQVFXIYOTBMN23YYSRO", + "https://nvd.nist.gov/vuln/detail/CVE-2022-31129", + "https://security.netapp.com/advisory/ntap-20221014-0003", + "https://security.netapp.com/advisory/ntap-20221014-0003/", + "https://ubuntu.com/security/notices/USN-5559-1", + "https://ubuntu.com/security/notices/USN-6550-1", + "https://www.cve.org/CVERecord?id=CVE-2022-31129" + ], + "PublishedDate": "2022-07-06T18:15:19.57Z", + "LastModifiedDate": "2023-11-07T03:47:32.993Z" + }, + { + "VulnerabilityID": "CVE-2022-31129", + "PkgID": "moment@2.24.0", + "PkgName": "moment", + "PkgPath": "juice-shop/node_modules/finale-rest/node_modules/moment/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/moment@2.24.0", + "UID": "635037c174eddb3c" + }, + "InstalledVersion": "2.24.0", + "FixedVersion": "2.29.4", + "Status": "fixed", + "Layer": { + "Digest": "sha256:372ee704575ced2099853693fdb4f8770cd71b4bfcc2bf639c8e9f9d481ede37", + "DiffID": "sha256:6de27bb627f066285f0628172e686caf3e388a3bf266606c88d619d87d14aae3" + }, + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2022-31129", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Title": "moment: inefficient parsing algorithm resulting in DoS", + "Description": "moment is a JavaScript date library for parsing, validating, manipulating, and formatting dates. 
Affected versions of moment were found to use an inefficient parsing algorithm. Specifically using string-to-date parsing in moment (more specifically rfc2822 parsing, which is tried by default) has quadratic (N^2) complexity on specific inputs. Users may notice a noticeable slowdown is observed with inputs above 10k characters. Users who pass user-provided strings without sanity length checks to moment constructor are vulnerable to (Re)DoS attacks. The problem is patched in 2.29.4, the patch can be applied to all affected versions with minimal tweaking. Users are advised to upgrade. Users unable to upgrade should consider limiting date lengths accepted from user input.", + "Severity": "HIGH", + "CweIDs": [ + "CWE-1333", + "CWE-400" + ], + "VendorSeverity": { + "ghsa": 3, + "nvd": 3, + "redhat": 3, + "ubuntu": 2 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 7.5 + }, + "nvd": { + "V2Vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P", + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V2Score": 5, + "V3Score": 7.5 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 7.5 } }, "References": [ - "https://github.com/advisories/GHSA-93q8-gq69-wqmw", - "https://github.com/chalk/ansi-regex/commit/8d1d7cdb586269882c4bdc1b7325d0c58c8f76f9", - "https://huntr.dev/bounties/5b3cf33b-ede0-4398-9974-800876dfd994", - "https://nvd.nist.gov/vuln/detail/CVE-2021-3807" + "https://access.redhat.com/security/cve/CVE-2022-31129", + "https://github.com/moment/moment", + "https://github.com/moment/moment/commit/9a3b5894f3d5d602948ac8a02e4ee528a49ca3a3", + "https://github.com/moment/moment/pull/6015#issuecomment-1152961973", + "https://github.com/moment/moment/pull/6015/commits/4bbb9f3ccbe231de40207503f344fe5ce97584f4", + "https://github.com/moment/moment/pull/6015/commits/bfd4f2375d5c1a2106246721d693a9611dddfbfe", + 
"https://github.com/moment/moment/pull/6015/commits/dc0d180e90d8a84f7ff13572363330a22b3ea504", + "https://github.com/moment/moment/security/advisories/GHSA-wc69-rhjr-hc9g", + "https://huntr.dev/bounties/f0952b67-f2ff-44a9-a9cd-99e0a87cb633", + "https://huntr.dev/bounties/f0952b67-f2ff-44a9-a9cd-99e0a87cb633/", + "https://lists.debian.org/debian-lts-announce/2023/01/msg00035.html", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6QIO6YNLTK2T7SPKDS4JEL45FANLNC2Q/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IWY24RJA3SBJGA5N4CU4VBPHJPPPJL5O/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ORJX2LF6KMPIHP6B2P6KZIVKMLE3LVJ5/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZMX5YHELQVCGKKQVFXIYOTBMN23YYSRO/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6QIO6YNLTK2T7SPKDS4JEL45FANLNC2Q", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IWY24RJA3SBJGA5N4CU4VBPHJPPPJL5O", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ORJX2LF6KMPIHP6B2P6KZIVKMLE3LVJ5", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZMX5YHELQVCGKKQVFXIYOTBMN23YYSRO", + "https://nvd.nist.gov/vuln/detail/CVE-2022-31129", + "https://security.netapp.com/advisory/ntap-20221014-0003", + "https://security.netapp.com/advisory/ntap-20221014-0003/", + "https://ubuntu.com/security/notices/USN-5559-1", + "https://ubuntu.com/security/notices/USN-6550-1", + "https://www.cve.org/CVERecord?id=CVE-2022-31129" + ], + "PublishedDate": "2022-07-06T18:15:19.57Z", + "LastModifiedDate": "2023-11-07T03:47:32.993Z" + }, + { + "VulnerabilityID": "CVE-2022-31129", + "PkgID": "moment@2.24.0", + "PkgName": "moment", + 
"PkgPath": "juice-shop/node_modules/moment-timezone/node_modules/moment/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/moment@2.24.0", + "UID": "676e190b8f937926" + }, + "InstalledVersion": "2.24.0", + "FixedVersion": "2.29.4", + "Status": "fixed", + "Layer": { + "Digest": "sha256:372ee704575ced2099853693fdb4f8770cd71b4bfcc2bf639c8e9f9d481ede37", + "DiffID": "sha256:6de27bb627f066285f0628172e686caf3e388a3bf266606c88d619d87d14aae3" + }, + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2022-31129", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Title": "moment: inefficient parsing algorithm resulting in DoS", + "Description": "moment is a JavaScript date library for parsing, validating, manipulating, and formatting dates. Affected versions of moment were found to use an inefficient parsing algorithm. Specifically using string-to-date parsing in moment (more specifically rfc2822 parsing, which is tried by default) has quadratic (N^2) complexity on specific inputs. Users may notice a noticeable slowdown is observed with inputs above 10k characters. Users who pass user-provided strings without sanity length checks to moment constructor are vulnerable to (Re)DoS attacks. The problem is patched in 2.29.4, the patch can be applied to all affected versions with minimal tweaking. Users are advised to upgrade. 
Users unable to upgrade should consider limiting date lengths accepted from user input.", + "Severity": "HIGH", + "CweIDs": [ + "CWE-1333", + "CWE-400" ], - "PublishedDate": "2021-09-17T07:15:00Z", - "LastModifiedDate": "2021-10-19T13:11:00Z" + "VendorSeverity": { + "ghsa": 3, + "nvd": 3, + "redhat": 3, + "ubuntu": 2 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 7.5 + }, + "nvd": { + "V2Vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P", + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V2Score": 5, + "V3Score": 7.5 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 7.5 + } + }, + "References": [ + "https://access.redhat.com/security/cve/CVE-2022-31129", + "https://github.com/moment/moment", + "https://github.com/moment/moment/commit/9a3b5894f3d5d602948ac8a02e4ee528a49ca3a3", + "https://github.com/moment/moment/pull/6015#issuecomment-1152961973", + "https://github.com/moment/moment/pull/6015/commits/4bbb9f3ccbe231de40207503f344fe5ce97584f4", + "https://github.com/moment/moment/pull/6015/commits/bfd4f2375d5c1a2106246721d693a9611dddfbfe", + "https://github.com/moment/moment/pull/6015/commits/dc0d180e90d8a84f7ff13572363330a22b3ea504", + "https://github.com/moment/moment/security/advisories/GHSA-wc69-rhjr-hc9g", + "https://huntr.dev/bounties/f0952b67-f2ff-44a9-a9cd-99e0a87cb633", + "https://huntr.dev/bounties/f0952b67-f2ff-44a9-a9cd-99e0a87cb633/", + "https://lists.debian.org/debian-lts-announce/2023/01/msg00035.html", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6QIO6YNLTK2T7SPKDS4JEL45FANLNC2Q/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IWY24RJA3SBJGA5N4CU4VBPHJPPPJL5O/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ORJX2LF6KMPIHP6B2P6KZIVKMLE3LVJ5/", + 
"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZMX5YHELQVCGKKQVFXIYOTBMN23YYSRO/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6QIO6YNLTK2T7SPKDS4JEL45FANLNC2Q", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IWY24RJA3SBJGA5N4CU4VBPHJPPPJL5O", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ORJX2LF6KMPIHP6B2P6KZIVKMLE3LVJ5", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZMX5YHELQVCGKKQVFXIYOTBMN23YYSRO", + "https://nvd.nist.gov/vuln/detail/CVE-2022-31129", + "https://security.netapp.com/advisory/ntap-20221014-0003", + "https://security.netapp.com/advisory/ntap-20221014-0003/", + "https://ubuntu.com/security/notices/USN-5559-1", + "https://ubuntu.com/security/notices/USN-6550-1", + "https://www.cve.org/CVERecord?id=CVE-2022-31129" + ], + "PublishedDate": "2022-07-06T18:15:19.57Z", + "LastModifiedDate": "2023-11-07T03:47:32.993Z" }, { - "VulnerabilityID": "NSWG-ECO-428", - "PkgName": "base64url", - "PkgPath": "juice-shop/node_modules/base64url/package.json", - "InstalledVersion": "0.0.6", - "FixedVersion": "\u003e=3.0.0", + "VulnerabilityID": "CVE-2022-31129", + "PkgID": "moment@2.24.0", + "PkgName": "moment", + "PkgPath": "juice-shop/node_modules/sequelize/node_modules/moment/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/moment@2.24.0", + "UID": "e56448d7ae52878b" + }, + "InstalledVersion": "2.24.0", + "FixedVersion": "2.29.4", + "Status": "fixed", "Layer": { "Digest": "sha256:372ee704575ced2099853693fdb4f8770cd71b4bfcc2bf639c8e9f9d481ede37", "DiffID": "sha256:6de27bb627f066285f0628172e686caf3e388a3bf266606c88d619d87d14aae3" }, - "Title": "Out-of-bounds Read", - "Description": "`base64url` allocates uninitialized Buffers when number is passed in input on Node.js 4.x and below", + "SeveritySource": 
"ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2022-31129", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Title": "moment: inefficient parsing algorithm resulting in DoS", + "Description": "moment is a JavaScript date library for parsing, validating, manipulating, and formatting dates. Affected versions of moment were found to use an inefficient parsing algorithm. Specifically using string-to-date parsing in moment (more specifically rfc2822 parsing, which is tried by default) has quadratic (N^2) complexity on specific inputs. Users may notice a noticeable slowdown is observed with inputs above 10k characters. Users who pass user-provided strings without sanity length checks to moment constructor are vulnerable to (Re)DoS attacks. The problem is patched in 2.29.4, the patch can be applied to all affected versions with minimal tweaking. Users are advised to upgrade. 
Users unable to upgrade should consider limiting date lengths accepted from user input.", "Severity": "HIGH", + "CweIDs": [ + "CWE-1333", + "CWE-400" + ], + "VendorSeverity": { + "ghsa": 3, + "nvd": 3, + "redhat": 3, + "ubuntu": 2 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 7.5 + }, + "nvd": { + "V2Vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P", + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V2Score": 5, + "V3Score": 7.5 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 7.5 + } + }, "References": [ - "https://github.com/brianloveswords/base64url/pull/25", - "https://hackerone.com/reports/321687" - ] + "https://access.redhat.com/security/cve/CVE-2022-31129", + "https://github.com/moment/moment", + "https://github.com/moment/moment/commit/9a3b5894f3d5d602948ac8a02e4ee528a49ca3a3", + "https://github.com/moment/moment/pull/6015#issuecomment-1152961973", + "https://github.com/moment/moment/pull/6015/commits/4bbb9f3ccbe231de40207503f344fe5ce97584f4", + "https://github.com/moment/moment/pull/6015/commits/bfd4f2375d5c1a2106246721d693a9611dddfbfe", + "https://github.com/moment/moment/pull/6015/commits/dc0d180e90d8a84f7ff13572363330a22b3ea504", + "https://github.com/moment/moment/security/advisories/GHSA-wc69-rhjr-hc9g", + "https://huntr.dev/bounties/f0952b67-f2ff-44a9-a9cd-99e0a87cb633", + "https://huntr.dev/bounties/f0952b67-f2ff-44a9-a9cd-99e0a87cb633/", + "https://lists.debian.org/debian-lts-announce/2023/01/msg00035.html", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6QIO6YNLTK2T7SPKDS4JEL45FANLNC2Q/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IWY24RJA3SBJGA5N4CU4VBPHJPPPJL5O/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ORJX2LF6KMPIHP6B2P6KZIVKMLE3LVJ5/", + 
"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZMX5YHELQVCGKKQVFXIYOTBMN23YYSRO/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6QIO6YNLTK2T7SPKDS4JEL45FANLNC2Q", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IWY24RJA3SBJGA5N4CU4VBPHJPPPJL5O", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ORJX2LF6KMPIHP6B2P6KZIVKMLE3LVJ5", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZMX5YHELQVCGKKQVFXIYOTBMN23YYSRO", + "https://nvd.nist.gov/vuln/detail/CVE-2022-31129", + "https://security.netapp.com/advisory/ntap-20221014-0003", + "https://security.netapp.com/advisory/ntap-20221014-0003/", + "https://ubuntu.com/security/notices/USN-5559-1", + "https://ubuntu.com/security/notices/USN-6550-1", + "https://www.cve.org/CVERecord?id=CVE-2022-31129" + ], + "PublishedDate": "2022-07-06T18:15:19.57Z", + "LastModifiedDate": "2023-11-07T03:47:32.993Z" }, { - "VulnerabilityID": "GHSA-rvg8-pwq2-xj7q", - "PkgName": "base64url", - "PkgPath": "juice-shop/node_modules/base64url/package.json", - "InstalledVersion": "0.0.6", - "FixedVersion": "3.0.0", + "VulnerabilityID": "GHSA-v78c-4p63-2j6c", + "PkgID": "moment-timezone@0.5.28", + "PkgName": "moment-timezone", + "PkgPath": "juice-shop/node_modules/moment-timezone/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/moment-timezone@0.5.28", + "UID": "e24ee0a7f11f6f05" + }, + "InstalledVersion": "0.5.28", + "FixedVersion": "0.5.35", + "Status": "fixed", "Layer": { "Digest": "sha256:372ee704575ced2099853693fdb4f8770cd71b4bfcc2bf639c8e9f9d481ede37", "DiffID": "sha256:6de27bb627f066285f0628172e686caf3e388a3bf266606c88d619d87d14aae3" }, - "PrimaryURL": "https://github.com/advisories/GHSA-rvg8-pwq2-xj7q", - "Title": "Out-of-bounds Read in base64url", - "Description": "Versions of `base64url` 
before 3.0.0 are vulnerable to to out-of-bounds reads as it allocates uninitialized Buffers when number is passed in input on Node.js 4.x and below.\n\n\n## Recommendation\n\nUpdate to version 3.0.0 or later.", + "SeveritySource": "ghsa", + "PrimaryURL": "https://github.com/advisories/GHSA-v78c-4p63-2j6c", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Title": "Cleartext Transmission of Sensitive Information in moment-timezone", + "Description": "### Impact\n\n* if Alice uses `grunt data` (or `grunt release`) to prepare a custom-build, moment-timezone with the latest tzdata from IANA's website\n* and Mallory intercepts the request to IANA's unencrypted ftp server, Mallory can serve data which might exploit further stages of the moment-timezone tzdata pipeline, or potentially produce a tainted version of moment-timezone (practicality of such attacks is not proved)\n\n### Patches\nProblem has been patched in version 0.5.35, patch should be applicable with minor modifications to all affected versions. 
The patch includes changing the FTP endpoint with an HTTPS endpoint.\n\n### Workarounds\nSpecify the exact version of tzdata (like `2014d`, full command being `grunt data:2014d`, then run the rest of the release tasks by hand), or just apply the patch before issuing the grunt command.\n", "Severity": "MEDIUM", + "VendorSeverity": { + "ghsa": 2 + }, "References": [ - "https://github.com/advisories/GHSA-rvg8-pwq2-xj7q", - "https://github.com/brianloveswords/base64url/pull/25" + "https://github.com/moment/moment-timezone", + "https://github.com/moment/moment-timezone/commit/7915ac567ab19700e44ad6b5d8ef0b85e48a9e75", + "https://github.com/moment/moment-timezone/security/advisories/GHSA-v78c-4p63-2j6c" ] }, { - "VulnerabilityID": "CVE-2020-8244", - "PkgName": "bl", - "PkgPath": "juice-shop/node_modules/bl/package.json", + "VulnerabilityID": "GHSA-56x4-j7p9-fcf9", + "PkgID": "moment-timezone@0.5.28", + "PkgName": "moment-timezone", + "PkgPath": "juice-shop/node_modules/moment-timezone/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/moment-timezone@0.5.28", + "UID": "e24ee0a7f11f6f05" + }, + "InstalledVersion": "0.5.28", + "FixedVersion": "0.5.35", + "Status": "fixed", + "Layer": { + "Digest": "sha256:372ee704575ced2099853693fdb4f8770cd71b4bfcc2bf639c8e9f9d481ede37", + "DiffID": "sha256:6de27bb627f066285f0628172e686caf3e388a3bf266606c88d619d87d14aae3" + }, + "SeveritySource": "ghsa", + "PrimaryURL": "https://github.com/advisories/GHSA-56x4-j7p9-fcf9", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Title": "Command Injection in moment-timezone", + "Description": "### Impact\n\nAll versions of moment-timezone from 0.1.0 contain build tasks vulnerable to command injection.\n\n* if Alice uses tzdata pipeline to package moment-timezone on her own (for example via `grunt data:2014d`, where `2014d` stands for the version of the tzdata to be used from IANA's 
website),\n* and Alice let's Mallory select the version (`2014d` in our example), then Mallory can execute arbitrary commands on the machine running the grunt task, with the same privilege as the grunt task\n\n#### Am I affected?\n\n##### Do you build custom versions of moment-timezone with grunt?\n\nIf no, you're not affected.\n\n##### Do you allow a third party to specify which particular version you want build?\n\nIf yes, you're vulnerable to command injection -- third party may execute arbitrary commands on the system running grunt task with the same privileges as grunt task.\n\n### Description\n\n#### Command Injection via grunt-zdownload.js and MITM on iana's ftp endpoint\n\nThe `tasks/data-download.js` script takes in a parameter from grunt and uses it to form a command line which is then executed:\n\n```\n6 module.exports = function (grunt) {\n7 grunt.registerTask('data-download', '1. Download data from iana.org/time-zones.', function (version) {\n8 version = version || 'latest';\n\n10 var done = this.async(),\n11 src = 'ftp://ftp.iana.org/tz/tzdata-latest.tar.gz',\n12 curl = path.resolve('temp/curl', version, 'data.tar.gz'),\n13 dest = path.resolve('temp/download', version);\n...\n24 exec('curl ' + src + ' -o ' + curl + ' \u0026\u0026 cd ' + dest + ' \u0026\u0026 gzip -dc ' + curl + ' | tar -xf -', function (err) {\n```\n\nOrdinarily, one one run this script using something like `grunt data-download:2014d`, in which case version would have the value `2014d`. 
However, if an attacker were to provide additional content on the command line, they would be able to execute arbitrary code\n\n```\nroot@e94ba0490b65:/usr/src/app/moment-timezone# grunt 'data-download:2014d ; echo flag\u003e/tmp/foo #'\n\\Running \"data-download:2014d ; echo flag\u003e/tmp/foo #\" (data-download) task\n\u003e\u003e Downloading https://data.iana.org/time-zones/releases/tzdata2014d ; echo flag\u003e/tmp/foo #.tar.gz\n\u003e\u003e Downloaded https://data.iana.org/time-zones/releases/tzdata2014d ; echo flag\u003e/tmp/foo #.tar.gz\n\nDone.\nroot@e94ba0490b65:/usr/src/app/moment-timezone# cat /tmp/foo\nflag\n```\n\n#### Command Injection via data-zdump.js\n\nThe `tasks/data-zdump.js` script reads a list of files present in a temporary directory (created by previous tasks), and for each one, assembles and executes a command line without sanitization. As a result, an attacker able to influence the contents of that directory could gain code execution. This attack is exacerbated by timezone data being downloaded via cleartext FTP (described above), but beyond that, an attacker at iana.org able to modify the timezone files could disrupt any systems that build moment-timezone.\n\n```\n15 files = grunt.file.expand({ filter : 'isFile', cwd : 'temp/zic/' + version }, '**/*');\n...\n27 function next () {\n...\n33 var file = files.pop(),\n34 src = path.join(zicBase, file),\n35 dest = path.join(zdumpBase, file);\n36 exec('zdump -v ' + src, { maxBuffer: 20*1024*1024 }, function (err, stdout) {\n```\n\nIn this case, an attacker able to add a file to `temp/zic/2014d` (for example) with a filename like `Z; curl www.example.com` would influence the called to exec on line 36 and run arbitrary code. 
There are a few minor challenges in exploiting this, since the string needs to be a valid filename.\n\n#### Command Injection via data-zic.js\n\nSimilar to the vulnerability in /tasks/data-download.js, the /tasks/data-zic.js script takes a version from the command line and uses it as part of a command line, executed without sanitization.\n\n```\n10 var done = this.async(),\n11 dest = path.resolve('temp/zic', version),\n...\n22 var file = files.shift(),\n23 src = path.resolve('temp/download', version, file);\n24\n25 exec('zic -d ' + dest + ' ' + src, function (err) {\n```\n\nAs a result, an attacker able to influence that string can run arbitrary commands. Of course, it requires an attacker able to influence the command passed to grunt, so may be unlikely in practice.\n\n```\nroot@e94ba0490b65:/usr/src/app/moment-timezone# grunt 'data-zic:2014d; echo hi \u003e /tmp/evil; echo '\nRunning \"data-zic:2014d; echo hi \u003e /tmp/evil; echo \" (data-zic) task\nexec: zid -d /usr/src/app/moment-timezone/temp/zic/2014d; echo hi \u003e /tmp/evil; echo /usr/src/app/moment-timezone/temp/download/2014d; echo hi \u003e /tmp/evil; echo /africa\n...\n\nroot@e94ba0490b65:/usr/src/app/moment-timezone# cat /tmp/evil\nhi\n```\n\n### Patches\n\nThe supplied patch on top of 0.5.34 is applicable with minor tweaks to all affected versions. 
It switches `exec` to `execFile` so arbitrary bash fragments won't be executed any more.\n\n### References\n\n* https://knowledge-base.secureflag.com/vulnerabilities/code_injection/os_command_injection_nodejs.html\n* https://auth0.com/blog/preventing-command-injection-attacks-in-node-js-apps/", + "Severity": "LOW", + "VendorSeverity": { + "ghsa": 1 + }, + "References": [ + "https://github.com/moment/moment-timezone", + "https://github.com/moment/moment-timezone/commit/ce955a301ff372e8e9fb3a5b516620c60e7a082a", + "https://github.com/moment/moment-timezone/security/advisories/GHSA-56x4-j7p9-fcf9" + ] + }, + { + "VulnerabilityID": "CVE-2020-7792", + "PkgID": "mout@1.2.2", + "PkgName": "mout", + "PkgPath": "juice-shop/node_modules/mout/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/mout@1.2.2", + "UID": "a022b4adae2f1283" + }, "InstalledVersion": "1.2.2", - "FixedVersion": "2.2.1, 1.2.3, 4.0.3, 3.0.1", + "FixedVersion": "1.2.3", + "Status": "fixed", "Layer": { "Digest": "sha256:372ee704575ced2099853693fdb4f8770cd71b4bfcc2bf639c8e9f9d481ede37", "DiffID": "sha256:6de27bb627f066285f0628172e686caf3e388a3bf266606c88d619d87d14aae3" }, - "SeveritySource": "nvd", - "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2020-8244", - "Title": "nodejs-bl: buffer over-read vulnerability leads to corrupted BufferList which can result in uninitialized memory being leaked", - "Description": "A buffer over-read vulnerability exists in bl \u003c4.0.3, \u003c3.0.1, \u003c2.2.1, and \u003c1.2.3 which could allow an attacker to supply user input (even typed) that if it ends up in consume() argument and can become negative, the BufferList state can be corrupted, tricking it into exposing uninitialized memory via regular .slice() calls.", - "Severity": "MEDIUM", + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2020-7792", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": 
"https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Title": "Prototype Pollution in mout", + "Description": "This affects all versions of package mout. The deepFillIn function can be used to 'fill missing properties recursively', while the deepMixIn 'mixes objects into the target object, recursively mixing existing child objects as well'. In both cases, the key used to access the target object recursively is not checked, leading to a Prototype Pollution.", + "Severity": "HIGH", "CweIDs": [ - "CWE-125" + "CWE-1321" ], + "VendorSeverity": { + "ghsa": 3, + "nvd": 3 + }, "CVSS": { - "nvd": { - "V2Vector": "AV:N/AC:L/Au:N/C:P/I:N/A:P", - "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L", - "V2Score": 6.4, - "V3Score": 6.5 + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 7.5 }, - "redhat": { - "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L", - "V3Score": 6.5 + "nvd": { + "V2Vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P", + "V2Score": 7.5 } }, "References": [ - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8244", - "https://github.com/advisories/GHSA-pp7h-53gx-mx7r", - "https://github.com/rvagg/bl/commit/d3e240e3b8ba4048d3c76ef5fb9dd1f8872d3190", - "https://hackerone.com/reports/966347", - "https://nvd.nist.gov/vuln/detail/CVE-2020-8244", - "https://ubuntu.com/security/notices/USN-5098-1" + "https://github.com/mout/mout/blob/master/src/object/deepFillIn.js", + "https://github.com/mout/mout/blob/master/src/object/deepMixIn.js", + "https://github.com/mout/mout/commit/3fecf1333e6d71ae72edf48c71dc665e40df7605", + "https://nvd.nist.gov/vuln/detail/CVE-2020-7792", + "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-1050374", + "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1050373", + "https://snyk.io/vuln/SNYK-JS-MOUT-1014544" + ], + "PublishedDate": "2020-12-11T11:15:11.633Z", + "LastModifiedDate": "2022-06-28T14:11:45.273Z" + }, + { + "VulnerabilityID": "CVE-2022-21213", + "PkgID": "mout@1.2.2", + 
"PkgName": "mout", + "PkgPath": "juice-shop/node_modules/mout/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/mout@1.2.2", + "UID": "a022b4adae2f1283" + }, + "InstalledVersion": "1.2.2", + "FixedVersion": "1.2.4", + "Status": "fixed", + "Layer": { + "Digest": "sha256:372ee704575ced2099853693fdb4f8770cd71b4bfcc2bf639c8e9f9d481ede37", + "DiffID": "sha256:6de27bb627f066285f0628172e686caf3e388a3bf266606c88d619d87d14aae3" + }, + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2022-21213", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Title": "Prototype Pollution in mout", + "Description": "This affects all versions of package mout. The deepFillIn function can be used to 'fill missing properties recursively', while the deepMixIn mixes objects into the target object, recursively mixing existing child objects as well. In both cases, the key used to access the target object recursively is not checked, leading to exploiting this vulnerability. 
**Note:** This vulnerability derives from an incomplete fix of [CVE-2020-7792](https://security.snyk.io/vuln/SNYK-JS-MOUT-1014544).", + "Severity": "HIGH", + "CweIDs": [ + "CWE-1321" ], - "PublishedDate": "2020-08-30T15:15:00Z", - "LastModifiedDate": "2021-07-01T03:15:00Z" + "VendorSeverity": { + "ghsa": 3, + "nvd": 3 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 7.5 + }, + "nvd": { + "V2Vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P", + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V2Score": 5, + "V3Score": 7.5 + } + }, + "References": [ + "https://github.com/mout/mout", + "https://github.com/mout/mout/blob/master/src/object/deepFillIn.js", + "https://github.com/mout/mout/blob/master/src/object/deepMixIn.js", + "https://github.com/mout/mout/commit/17ffdc2a96417a63a0147156dc045e90d0d14c64", + "https://github.com/mout/mout/pull/279", + "https://nvd.nist.gov/vuln/detail/CVE-2022-21213", + "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-2870623", + "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-2870622", + "https://snyk.io/vuln/SNYK-JS-MOUT-2342654" + ], + "PublishedDate": "2022-06-17T20:15:10.363Z", + "LastModifiedDate": "2022-06-28T14:43:48.983Z" }, { - "VulnerabilityID": "CVE-2020-8244", - "PkgName": "bl", - "PkgPath": "juice-shop/node_modules/tar-fs/node_modules/bl/package.json", - "InstalledVersion": "4.0.2", - "FixedVersion": "2.2.1, 1.2.3, 4.0.3, 3.0.1", + "VulnerabilityID": "CVE-2021-23771", + "PkgID": "notevil@1.3.3", + "PkgName": "notevil", + "PkgPath": "juice-shop/node_modules/notevil/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/notevil@1.3.3", + "UID": "3e66e3cc17ffdfc2" + }, + "InstalledVersion": "1.3.3", + "Status": "affected", "Layer": { "Digest": "sha256:372ee704575ced2099853693fdb4f8770cd71b4bfcc2bf639c8e9f9d481ede37", "DiffID": "sha256:6de27bb627f066285f0628172e686caf3e388a3bf266606c88d619d87d14aae3" }, - "SeveritySource": "nvd", - "PrimaryURL": 
"https://avd.aquasec.com/nvd/cve-2020-8244", - "Title": "nodejs-bl: buffer over-read vulnerability leads to corrupted BufferList which can result in uninitialized memory being leaked", - "Description": "A buffer over-read vulnerability exists in bl \u003c4.0.3, \u003c3.0.1, \u003c2.2.1, and \u003c1.2.3 which could allow an attacker to supply user input (even typed) that if it ends up in consume() argument and can become negative, the BufferList state can be corrupted, tricking it into exposing uninitialized memory via regular .slice() calls.", + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2021-23771", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Title": "Sandbox escape in notevil and argencoders-notevil", + "Description": "This affects all versions of package notevil; all versions of package argencoders-notevil. It is vulnerable to Sandbox Escape leading to Prototype pollution. The package fails to restrict access to the main context, allowing an attacker to add or modify an object's prototype. 
**Note:** This vulnerability derives from an incomplete fix in [SNYK-JS-NOTEVIL-608878](https://security.snyk.io/vuln/SNYK-JS-NOTEVIL-608878).", "Severity": "MEDIUM", "CweIDs": [ - "CWE-125" + "CWE-1321" ], + "VendorSeverity": { + "ghsa": 2, + "nvd": 2 + }, "CVSS": { - "nvd": { - "V2Vector": "AV:N/AC:L/Au:N/C:P/I:N/A:P", - "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L", - "V2Score": 6.4, + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "V3Score": 6.5 }, - "redhat": { - "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L", + "nvd": { + "V2Vector": "AV:N/AC:L/Au:N/C:P/I:P/A:N", + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", + "V2Score": 6.4, "V3Score": 6.5 } }, "References": [ - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8244", - "https://github.com/advisories/GHSA-pp7h-53gx-mx7r", - "https://github.com/rvagg/bl/commit/d3e240e3b8ba4048d3c76ef5fb9dd1f8872d3190", - "https://hackerone.com/reports/966347", - "https://nvd.nist.gov/vuln/detail/CVE-2020-8244", - "https://ubuntu.com/security/notices/USN-5098-1" + "https://github.com/mmckegg/notevil", + "https://nvd.nist.gov/vuln/detail/CVE-2021-23771", + "https://snyk.io/vuln/SNYK-JS-ARGENCODERSNOTEVIL-2388587", + "https://snyk.io/vuln/SNYK-JS-NOTEVIL-2385946" ], - "PublishedDate": "2020-08-30T15:15:00Z", - "LastModifiedDate": "2021-07-01T03:15:00Z" + "PublishedDate": "2022-03-17T12:15:07.74Z", + "LastModifiedDate": "2022-03-24T01:46:38.647Z" }, { - "VulnerabilityID": "CVE-2021-29060", - "PkgName": "color-string", - "PkgPath": "juice-shop/node_modules/color-string/package.json", - "InstalledVersion": "1.5.3", - "FixedVersion": "1.5.5", + "VulnerabilityID": "CVE-2020-15095", + "PkgID": "npm@6.14.4", + "PkgName": "npm", + "PkgPath": "usr/local/lib/node_modules/npm/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/npm@6.14.4", + "UID": "8fc1aa25fb4f5be0" + }, + "InstalledVersion": "6.14.4", + "FixedVersion": "6.14.6", + "Status": "fixed", "Layer": { - 
"Digest": "sha256:372ee704575ced2099853693fdb4f8770cd71b4bfcc2bf639c8e9f9d481ede37", - "DiffID": "sha256:6de27bb627f066285f0628172e686caf3e388a3bf266606c88d619d87d14aae3" + "Digest": "sha256:1e6875f31a79a89ba75198be98bcf8542ebf5bedc72e713643f8051c1de5f953", + "DiffID": "sha256:b745c9620c42ed8b3d44112811e039e9e673072cef3bb5740bb1d560a40b1f8a" }, - "SeveritySource": "nvd", - "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2021-29060", - "Title": "nodejs-color-string: Regular expression denial of service when the application is provided and checks a crafted invalid HWB string", - "Description": "A Regular Expression Denial of Service (ReDOS) vulnerability was discovered in Color-String version 1.5.5 and below which occurs when the application is provided and checks a crafted invalid HWB string.", + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2020-15095", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Title": "npm: sensitive information exposure through logs", + "Description": "Versions of the npm CLI prior to 6.14.6 are vulnerable to an information exposure vulnerability through log files. The CLI supports URLs like \"\u003cprotocol\u003e://[\u003cuser\u003e[:\u003cpassword\u003e]@]\u003chostname\u003e[:\u003cport\u003e][:][/]\u003cpath\u003e\". 
The password value is not redacted and is printed to stdout and also to any generated log files.", "Severity": "MEDIUM", "CweIDs": [ - "CWE-770" + "CWE-532" ], + "VendorSeverity": { + "alma": 2, + "ghsa": 2, + "nvd": 2, + "oracle-oval": 2, + "redhat": 2 + }, "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:N", + "V3Score": 4.4 + }, "nvd": { - "V2Vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P", - "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", - "V2Score": 5, - "V3Score": 5.3 + "V2Vector": "AV:L/AC:M/Au:N/C:P/I:N/A:N", + "V3Vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:N", + "V2Score": 1.9, + "V3Score": 4.4 }, "redhat": { - "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", - "V3Score": 5.3 + "V3Vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:N", + "V3Score": 4.4 } }, "References": [ - "https://github.com/Qix-/color-string/commit/0789e21284c33d89ebc4ab4ca6f759b9375ac9d3", - "https://github.com/advisories/GHSA-257v-vj4p-3w2h", - "https://github.com/yetingli/PoCs/blob/main/CVE-2021-29060/Color-String.md", - "https://github.com/yetingli/SaveResults/blob/main/js/color-string.js", - "https://nvd.nist.gov/vuln/detail/CVE-2021-29060", - "https://snyk.io/vuln/SNYK-JS-COLORSTRING-1082939", - "https://www.npmjs.com/package/color-string" + "http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00011.html", + "http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00015.html", + "http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00023.html", + "https://access.redhat.com/security/cve/CVE-2020-15095", + "https://errata.almalinux.org/8/ALSA-2021-0548.html", + "https://github.com/npm/cli/blob/66aab417f836a901f8afb265251f761bb0422463/CHANGELOG.md#6146-2020-07-07", + "https://github.com/npm/cli/commit/a9857b8f6869451ff058789c4631fadfde5bbcbc", + "https://github.com/npm/cli/security/advisories/GHSA-93f3-23rq-pjfp", + "https://linux.oracle.com/cve/CVE-2020-15095.html", + 
"https://linux.oracle.com/errata/ELSA-2021-0548.html", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4OOYAMJVLLCLXDTHW3V5UXNULZBBK4O6/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4OOYAMJVLLCLXDTHW3V5UXNULZBBK4O6", + "https://nvd.nist.gov/vuln/detail/CVE-2020-15095", + "https://security.gentoo.org/glsa/202101-07", + "https://www.cve.org/CVERecord?id=CVE-2020-15095" ], - "PublishedDate": "2021-06-21T16:15:00Z", - "LastModifiedDate": "2021-07-01T14:57:00Z" + "PublishedDate": "2020-07-07T19:15:10.833Z", + "LastModifiedDate": "2023-11-07T03:17:24.663Z" }, { - "VulnerabilityID": "GHSA-h6ch-v84p-w6p9", - "PkgName": "diff", - "PkgPath": "juice-shop/node_modules/clarinet/benchmark/node_modules/diff/package.json", - "InstalledVersion": "1.0.2", - "FixedVersion": "3.5.0", + "VulnerabilityID": "GHSA-jmqm-f2gx-4fjv", + "PkgID": "npm-registry-fetch@4.0.3", + "PkgName": "npm-registry-fetch", + "PkgPath": "usr/local/lib/node_modules/npm/node_modules/npm-registry-fetch/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/npm-registry-fetch@4.0.3", + "UID": "23b33eb4ffd016aa" + }, + "InstalledVersion": "4.0.3", + "FixedVersion": "4.0.5, 8.1.1", + "Status": "fixed", "Layer": { - "Digest": "sha256:372ee704575ced2099853693fdb4f8770cd71b4bfcc2bf639c8e9f9d481ede37", - "DiffID": "sha256:6de27bb627f066285f0628172e686caf3e388a3bf266606c88d619d87d14aae3" + "Digest": "sha256:1e6875f31a79a89ba75198be98bcf8542ebf5bedc72e713643f8051c1de5f953", + "DiffID": "sha256:b745c9620c42ed8b3d44112811e039e9e673072cef3bb5740bb1d560a40b1f8a" + }, + "SeveritySource": "ghsa", + "PrimaryURL": "https://github.com/advisories/GHSA-jmqm-f2gx-4fjv", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Title": "Sensitive information exposure through logs in npm-registry-fetch", + "Description": 
"Affected versions of `npm-registry-fetch` are vulnerable to an information exposure vulnerability through log files. The cli supports URLs like `\u003cprotocol\u003e://[\u003cuser\u003e[:\u003cpassword\u003e]@]\u003chostname\u003e[:\u003cport\u003e][:][/]\u003cpath\u003e`. The password value is not redacted and is printed to stdout and also to any generated log files.", + "Severity": "MEDIUM", + "VendorSeverity": { + "ghsa": 2 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", + "V3Score": 5.3 + } }, - "PrimaryURL": "https://github.com/advisories/GHSA-h6ch-v84p-w6p9", - "Title": "Regular Expression Denial of Service (ReDoS)", - "Description": "A vulnerability was found in diff before v3.5.0, the affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) attacks.", - "Severity": "HIGH", "References": [ - "https://github.com/advisories/GHSA-h6ch-v84p-w6p9", - "https://github.com/kpdecker/jsdiff/commit/2aec4298639bf30fb88a00b356bf404d3551b8c0" + "https://github.com/npm/npm-registry-fetch", + "https://github.com/npm/npm-registry-fetch/commit/18bf9b97fb1deecdba01ffb05580370846255c88", + "https://github.com/npm/npm-registry-fetch/pull/29", + "https://github.com/npm/npm-registry-fetch/security/advisories/GHSA-jmqm-f2gx-4fjv", + "https://snyk.io/vuln/SNYK-JS-NPMREGISTRYFETCH-575432" ] }, { - "VulnerabilityID": "CVE-2020-8116", - "PkgName": "dot-prop", - "PkgPath": "usr/local/lib/node_modules/npm/node_modules/dot-prop/package.json", - "InstalledVersion": "4.2.0", - "FixedVersion": "5.1.1, 4.2.1", + "VulnerabilityID": "CVE-2020-7754", + "PkgID": "npm-user-validate@1.0.0", + "PkgName": "npm-user-validate", + "PkgPath": "usr/local/lib/node_modules/npm/node_modules/npm-user-validate/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/npm-user-validate@1.0.0", + "UID": "df63ff229a85646" + }, + "InstalledVersion": "1.0.0", + "FixedVersion": "1.0.1", + "Status": "fixed", "Layer": { "Digest": 
"sha256:1e6875f31a79a89ba75198be98bcf8542ebf5bedc72e713643f8051c1de5f953", "DiffID": "sha256:b745c9620c42ed8b3d44112811e039e9e673072cef3bb5740bb1d560a40b1f8a" }, - "SeveritySource": "nvd", - "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2020-8116", - "Title": "nodejs-dot-prop: prototype pollution", - "Description": "Prototype pollution vulnerability in dot-prop npm package versions before 4.2.1 and versions 5.x before 5.1.1 allows an attacker to add arbitrary properties to JavaScript language constructs such as objects.", + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2020-7754", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Title": "nodejs-npm-user-validate: improper input validation when validating user emails leads to ReDoS", + "Description": "This affects the package npm-user-validate before 1.0.1. The regex that validates user emails took exponentially longer to process long input strings beginning with @ characters.", "Severity": "HIGH", - "CweIDs": [ - "CWE-425" - ], + "VendorSeverity": { + "alma": 2, + "ghsa": 3, + "nvd": 2, + "oracle-oval": 2, + "redhat": 2 + }, "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 7.5 + }, "nvd": { - "V2Vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P", - "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", - "V2Score": 7.5, - "V3Score": 7.3 + "V2Vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P", + "V2Score": 5 }, "redhat": { - "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", - "V3Score": 7.3 + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 7.5 } }, "References": [ - "https://github.com/advisories/GHSA-ff7x-qrg7-qggm", - "https://github.com/sindresorhus/dot-prop/issues/63", - "https://github.com/sindresorhus/dot-prop/tree/v4", - "https://hackerone.com/reports/719856", - 
"https://linux.oracle.com/cve/CVE-2020-8116.html", - "https://linux.oracle.com/errata/ELSA-2021-0548.html", - "https://nvd.nist.gov/vuln/detail/CVE-2020-8116" + "https://access.redhat.com/security/cve/CVE-2020-7754", + "https://errata.almalinux.org/8/ALSA-2021-0551.html", + "https://github.com/npm/npm-user-validate/commit/c8a87dac1a4cc6988b5418f30411a8669bef204e", + "https://github.com/npm/npm-user-validate/security/advisories/GHSA-xgh6-85xh-479p", + "https://linux.oracle.com/cve/CVE-2020-7754.html", + "https://linux.oracle.com/errata/ELSA-2021-0551.html", + "https://nvd.nist.gov/vuln/detail/CVE-2020-7754", + "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1019353", + "https://snyk.io/vuln/SNYK-JS-NPMUSERVALIDATE-1019352", + "https://www.cve.org/CVERecord?id=CVE-2020-7754" ], - "PublishedDate": "2020-02-04T20:15:00Z", - "LastModifiedDate": "2020-09-10T15:16:00Z" + "PublishedDate": "2020-10-27T15:15:13.123Z", + "LastModifiedDate": "2020-10-27T17:31:05.71Z" }, { - "VulnerabilityID": "CVE-2020-15084", - "PkgName": "express-jwt", - "PkgPath": "juice-shop/node_modules/express-jwt/package.json", - "InstalledVersion": "0.1.3", - "FixedVersion": "6.0.0", + "VulnerabilityID": "GHSA-xgh6-85xh-479p", + "PkgID": "npm-user-validate@1.0.0", + "PkgName": "npm-user-validate", + "PkgPath": "usr/local/lib/node_modules/npm/node_modules/npm-user-validate/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/npm-user-validate@1.0.0", + "UID": "df63ff229a85646" + }, + "InstalledVersion": "1.0.0", + "FixedVersion": "1.0.1", + "Status": "fixed", "Layer": { - "Digest": "sha256:372ee704575ced2099853693fdb4f8770cd71b4bfcc2bf639c8e9f9d481ede37", - "DiffID": "sha256:6de27bb627f066285f0628172e686caf3e388a3bf266606c88d619d87d14aae3" + "Digest": "sha256:1e6875f31a79a89ba75198be98bcf8542ebf5bedc72e713643f8051c1de5f953", + "DiffID": "sha256:b745c9620c42ed8b3d44112811e039e9e673072cef3bb5740bb1d560a40b1f8a" }, - "SeveritySource": "nvd", - "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2020-15084", - 
"Title": "Authorization bypass in express-jwt", - "Description": "In express-jwt (NPM package) up and including version 5.3.3, the algorithms entry to be specified in the configuration is not being enforced. When algorithms is not specified in the configuration, with the combination of jwks-rsa, it may lead to authorization bypass. You are affected by this vulnerability if all of the following conditions apply: - You are using express-jwt - You do not have **algorithms** configured in your express-jwt configuration. - You are using libraries such as jwks-rsa as the **secret**. You can fix this by specifying **algorithms** in the express-jwt configuration. See linked GHSA for example. This is also fixed in version 6.0.0.", - "Severity": "CRITICAL", - "CweIDs": [ - "CWE-285" - ], - "CVSS": { - "nvd": { - "V2Vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N", - "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", - "V2Score": 4.3, - "V3Score": 9.1 - } + "SeveritySource": "ghsa", + "PrimaryURL": "https://github.com/advisories/GHSA-xgh6-85xh-479p", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Title": "Regular Expression Denial of Service in npm-user-validate", + "Description": "`npm-user-validate` before version `1.0.1` is vulnerable to a Regular Expression Denial of Service (REDos). The regex that validates user emails took exponentially longer to process long input strings beginning with `@` characters.\n\n### Impact\nThe issue affects the `email` function. 
If you use this function to process arbitrary user input with no character limit the application may be susceptible to Denial of Service.\n\n### Patches\nThe issue is patched in version 1.0.1 by improving the regular expression used and also enforcing a 254 character limit.\n\n### Workarounds\nRestrict the character length to a reasonable degree before passing a value to `.emal()`; Also, consider doing a more rigorous sanitizing/validation beforehand.", + "Severity": "LOW", + "VendorSeverity": { + "ghsa": 1 }, "References": [ - "https://github.com/advisories/GHSA-6g6m-m6h5-w9gf", - "https://github.com/auth0/express-jwt/commit/7ecab5f8f0cab5297c2b863596566eb0c019cdef", - "https://github.com/auth0/express-jwt/security/advisories/GHSA-6g6m-m6h5-w9gf", - "https://nvd.nist.gov/vuln/detail/CVE-2020-15084" - ], - "PublishedDate": "2020-06-30T16:15:00Z", - "LastModifiedDate": "2020-07-08T16:29:00Z" + "https://github.com/npm/npm-user-validate/security/advisories/GHSA-xgh6-85xh-479p" + ] }, { - "VulnerabilityID": "CVE-2020-28282", - "PkgName": "getobject", - "PkgPath": "juice-shop/node_modules/getobject/package.json", - "InstalledVersion": "0.1.0", - "FixedVersion": "1.0.0", + "VulnerabilityID": "CVE-2021-23343", + "PkgID": "path-parse@1.0.6", + "PkgName": "path-parse", + "PkgPath": "juice-shop/node_modules/path-parse/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/path-parse@1.0.6", + "UID": "f36060f137c802ad" + }, + "InstalledVersion": "1.0.6", + "FixedVersion": "1.0.7", + "Status": "fixed", "Layer": { "Digest": "sha256:372ee704575ced2099853693fdb4f8770cd71b4bfcc2bf639c8e9f9d481ede37", "DiffID": "sha256:6de27bb627f066285f0628172e686caf3e388a3bf266606c88d619d87d14aae3" }, - "SeveritySource": "nvd", - "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2020-28282", - "Title": "nodejs-getobject: Prototype pollution could result in DoS and RCE", - "Description": "Prototype pollution vulnerability in 'getobject' version 0.1.0 allows an attacker to cause a denial of service 
and may lead to remote code execution.", - "Severity": "CRITICAL", + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2021-23343", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Title": "nodejs-path-parse: ReDoS via splitDeviceRe, splitTailRe and splitPathRe", + "Description": "All versions of package path-parse are vulnerable to Regular Expression Denial of Service (ReDoS) via splitDeviceRe, splitTailRe, and splitPathRe regular expressions. ReDoS exhibits polynomial worst-case time complexity.", + "Severity": "MEDIUM", + "VendorSeverity": { + "alma": 3, + "ghsa": 2, + "nvd": 3, + "oracle-oval": 3, + "redhat": 1, + "rocky": 3 + }, "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", + "V3Score": 5.3 + }, "nvd": { - "V2Vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P", - "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", - "V2Score": 7.5, - "V3Score": 9.8 + "V2Vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P", + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V2Score": 5, + "V3Score": 7.5 }, "redhat": { - "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", - "V3Score": 9.8 + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", + "V3Score": 5.3 } }, "References": [ - "https://github.com/advisories/GHSA-957j-59c2-j692", - "https://github.com/cowboy/node-getobject/blob/aba04a8e1d6180eb39eff09990c3a43886ba8937/lib/getobject.js#L48", - "https://nvd.nist.gov/vuln/detail/CVE-2020-28282", - "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2020-28282" + "https://access.redhat.com/security/cve/CVE-2021-23343", + "https://bugzilla.redhat.com/show_bug.cgi?id=1956818", + "https://bugzilla.redhat.com/show_bug.cgi?id=1988342", + "https://bugzilla.redhat.com/show_bug.cgi?id=1988394", + "https://bugzilla.redhat.com/show_bug.cgi?id=1990409", + 
"https://bugzilla.redhat.com/show_bug.cgi?id=1990415", + "https://bugzilla.redhat.com/show_bug.cgi?id=1993019", + "https://bugzilla.redhat.com/show_bug.cgi?id=1993029", + "https://bugzilla.redhat.com/show_bug.cgi?id=1993039", + "https://bugzilla.redhat.com/show_bug.cgi?id=1993924", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22930", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22931", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22939", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22940", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23343", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-32803", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-32804", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3672", + "https://errata.almalinux.org/8/ALSA-2021-3666.html", + "https://errata.rockylinux.org/RLSA-2021:3666", + "https://github.com/jbgutierrez/path-parse", + "https://github.com/jbgutierrez/path-parse/commit/eca63a7b9a473bf6978a2f5b7b3343662d1506f7", + "https://github.com/jbgutierrez/path-parse/issues/8", + "https://github.com/jbgutierrez/path-parse/pull/10", + "https://linux.oracle.com/cve/CVE-2021-23343.html", + "https://linux.oracle.com/errata/ELSA-2021-3666.html", + "https://lists.apache.org/thread.html/r6a32cb3eda3b19096ad48ef1e7aa8f26e005f2f63765abb69ce08b85%40%3Cdev.myfaces.apache.org%3E", + "https://lists.apache.org/thread.html/r6a32cb3eda3b19096ad48ef1e7aa8f26e005f2f63765abb69ce08b85@%3Cdev.myfaces.apache.org%3E", + "https://nvd.nist.gov/vuln/detail/CVE-2021-23343", + "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1279028", + "https://snyk.io/vuln/SNYK-JS-PATHPARSE-1077067", + "https://www.cve.org/CVERecord?id=CVE-2021-23343" ], - "PublishedDate": "2020-12-29T18:15:00Z", - "LastModifiedDate": "2020-12-30T21:59:00Z" + "PublishedDate": "2021-05-04T09:15:07.703Z", + "LastModifiedDate": "2023-11-07T03:30:52.217Z" }, { - "VulnerabilityID": "CVE-2017-16042", - 
"PkgName": "growl", - "PkgPath": "juice-shop/node_modules/clarinet/benchmark/node_modules/growl/package.json", - "InstalledVersion": "1.5.1", - "FixedVersion": "1.10.0", + "VulnerabilityID": "CVE-2021-23343", + "PkgID": "path-parse@1.0.6", + "PkgName": "path-parse", + "PkgPath": "usr/local/lib/node_modules/npm/node_modules/path-parse/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/path-parse@1.0.6", + "UID": "db5a1138148d63a9" + }, + "InstalledVersion": "1.0.6", + "FixedVersion": "1.0.7", + "Status": "fixed", "Layer": { - "Digest": "sha256:372ee704575ced2099853693fdb4f8770cd71b4bfcc2bf639c8e9f9d481ede37", - "DiffID": "sha256:6de27bb627f066285f0628172e686caf3e388a3bf266606c88d619d87d14aae3" + "Digest": "sha256:1e6875f31a79a89ba75198be98bcf8542ebf5bedc72e713643f8051c1de5f953", + "DiffID": "sha256:b745c9620c42ed8b3d44112811e039e9e673072cef3bb5740bb1d560a40b1f8a" + }, + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2021-23343", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Title": "nodejs-path-parse: ReDoS via splitDeviceRe, splitTailRe and splitPathRe", + "Description": "All versions of package path-parse are vulnerable to Regular Expression Denial of Service (ReDoS) via splitDeviceRe, splitTailRe, and splitPathRe regular expressions. ReDoS exhibits polynomial worst-case time complexity.", + "Severity": "MEDIUM", + "VendorSeverity": { + "alma": 3, + "ghsa": 2, + "nvd": 3, + "oracle-oval": 3, + "redhat": 1, + "rocky": 3 }, - "SeveritySource": "nvd", - "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2017-16042", - "Title": "nodejs-growl: Does not properly sanitize input before passing it to exec", - "Description": "Growl adds growl notification support to nodejs. 
Growl before 1.10.2 does not properly sanitize input before passing it to exec, allowing for arbitrary command execution.", - "Severity": "CRITICAL", - "CweIDs": [ - "CWE-78" - ], "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", + "V3Score": 5.3 + }, "nvd": { - "V2Vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P", - "V3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", - "V2Score": 7.5, - "V3Score": 9.8 + "V2Vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P", + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V2Score": 5, + "V3Score": 7.5 }, "redhat": { - "V3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "V3Score": 8.1 + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", + "V3Score": 5.3 } }, "References": [ - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16042", - "https://github.com/advisories/GHSA-qh2h-chj9-jffq", - "https://github.com/tj/node-growl/issues/60", - "https://github.com/tj/node-growl/pull/61", - "https://nodesecurity.io/advisories/146", - "https://nvd.nist.gov/vuln/detail/CVE-2017-16042" + "https://access.redhat.com/security/cve/CVE-2021-23343", + "https://bugzilla.redhat.com/show_bug.cgi?id=1956818", + "https://bugzilla.redhat.com/show_bug.cgi?id=1988342", + "https://bugzilla.redhat.com/show_bug.cgi?id=1988394", + "https://bugzilla.redhat.com/show_bug.cgi?id=1990409", + "https://bugzilla.redhat.com/show_bug.cgi?id=1990415", + "https://bugzilla.redhat.com/show_bug.cgi?id=1993019", + "https://bugzilla.redhat.com/show_bug.cgi?id=1993029", + "https://bugzilla.redhat.com/show_bug.cgi?id=1993039", + "https://bugzilla.redhat.com/show_bug.cgi?id=1993924", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22930", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22931", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22939", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22940", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23343", + 
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-32803", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-32804", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3672", + "https://errata.almalinux.org/8/ALSA-2021-3666.html", + "https://errata.rockylinux.org/RLSA-2021:3666", + "https://github.com/jbgutierrez/path-parse", + "https://github.com/jbgutierrez/path-parse/commit/eca63a7b9a473bf6978a2f5b7b3343662d1506f7", + "https://github.com/jbgutierrez/path-parse/issues/8", + "https://github.com/jbgutierrez/path-parse/pull/10", + "https://linux.oracle.com/cve/CVE-2021-23343.html", + "https://linux.oracle.com/errata/ELSA-2021-3666.html", + "https://lists.apache.org/thread.html/r6a32cb3eda3b19096ad48ef1e7aa8f26e005f2f63765abb69ce08b85%40%3Cdev.myfaces.apache.org%3E", + "https://lists.apache.org/thread.html/r6a32cb3eda3b19096ad48ef1e7aa8f26e005f2f63765abb69ce08b85@%3Cdev.myfaces.apache.org%3E", + "https://nvd.nist.gov/vuln/detail/CVE-2021-23343", + "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1279028", + "https://snyk.io/vuln/SNYK-JS-PATHPARSE-1077067", + "https://www.cve.org/CVERecord?id=CVE-2021-23343" ], - "PublishedDate": "2018-06-04T19:29:00Z", - "LastModifiedDate": "2019-10-09T23:24:00Z" + "PublishedDate": "2021-05-04T09:15:07.703Z", + "LastModifiedDate": "2023-11-07T03:30:52.217Z" }, { - "VulnerabilityID": "CVE-2020-7729", - "PkgName": "grunt", - "PkgPath": "juice-shop/node_modules/grunt/package.json", - "InstalledVersion": "1.1.0", - "FixedVersion": "1.3.0", + "VulnerabilityID": "CVE-2024-45296", + "PkgID": "path-to-regexp@0.1.7", + "PkgName": "path-to-regexp", + "PkgPath": "juice-shop/node_modules/path-to-regexp/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/path-to-regexp@0.1.7", + "UID": "e423dc94410f6cb2" + }, + "InstalledVersion": "0.1.7", + "FixedVersion": "1.9.0, 0.1.10, 8.0.0, 3.3.0, 6.3.0", + "Status": "fixed", "Layer": { "Digest": "sha256:372ee704575ced2099853693fdb4f8770cd71b4bfcc2bf639c8e9f9d481ede37", "DiffID": 
"sha256:6de27bb627f066285f0628172e686caf3e388a3bf266606c88d619d87d14aae3" }, - "SeveritySource": "nvd", - "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2020-7729", - "Title": "Arbitrary Code Execution in grunt", - "Description": "The package grunt before 1.3.0 are vulnerable to Arbitrary Code Execution due to the default usage of the function load() instead of its secure replacement safeLoad() of the package js-yaml inside grunt.file.readYAML.", + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2024-45296", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Title": "path-to-regexp: Backtracking regular expressions cause ReDoS", + "Description": "path-to-regexp turns path strings into a regular expressions. In certain cases, path-to-regexp will output a regular expression that can be exploited to cause poor performance. Because JavaScript is single threaded and regex matching runs on the main thread, poor performance will block the event loop and lead to a DoS. The bad regular expression is generated any time you have two parameters within a single segment, separated by something that is not a period (.). For users of 0.1, upgrade to 0.1.10. 
All other users should upgrade to 8.0.0.", "Severity": "HIGH", "CweIDs": [ - "CWE-1188" + "CWE-1333" ], + "VendorSeverity": { + "cbl-mariner": 3, + "ghsa": 3, + "redhat": 2 + }, "CVSS": { - "nvd": { - "V2Vector": "AV:N/AC:H/Au:S/C:P/I:P/A:P", - "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H", - "V2Score": 4.6, - "V3Score": 7.1 + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 7.5 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", + "V3Score": 5.3 } }, "References": [ - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7729", - "https://github.com/advisories/GHSA-m5pj-vjjf-4m3h", - "https://github.com/gruntjs/grunt/blob/master/lib/grunt/file.js%23L249", - "https://github.com/gruntjs/grunt/commit/e350cea1724eb3476464561a380fb6a64e61e4e7", - "https://lists.debian.org/debian-lts-announce/2020/09/msg00008.html", - "https://nvd.nist.gov/vuln/detail/CVE-2020-7729", - "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-607922", - "https://snyk.io/vuln/SNYK-JS-GRUNT-597546", - "https://ubuntu.com/security/notices/USN-4595-1", - "https://usn.ubuntu.com/4595-1/" - ], - "PublishedDate": "2020-09-03T09:15:00Z", - "LastModifiedDate": "2020-10-27T00:15:00Z" + "https://access.redhat.com/security/cve/CVE-2024-45296", + "https://github.com/pillarjs/path-to-regexp", + "https://github.com/pillarjs/path-to-regexp/commit/29b96b4a1de52824e1ca0f49a701183cc4ed476f", + "https://github.com/pillarjs/path-to-regexp/commit/60f2121e9b66b7b622cc01080df0aabda9eedee6", + "https://github.com/pillarjs/path-to-regexp/commit/925ac8e3c5780b02f58cbd4e52f95da8ad2ac485", + "https://github.com/pillarjs/path-to-regexp/commit/d31670ae8f6e69cbfd56e835742195b7d10942ef", + "https://github.com/pillarjs/path-to-regexp/commit/f1253b47b347dcb909e3e80b0eb2649109e59894", + "https://github.com/pillarjs/path-to-regexp/releases/tag/v6.3.0", + "https://github.com/pillarjs/path-to-regexp/security/advisories/GHSA-9wv6-86v2-598j", + 
"https://nvd.nist.gov/vuln/detail/CVE-2024-45296", + "https://www.cve.org/CVERecord?id=CVE-2024-45296" + ], + "PublishedDate": "2024-09-09T19:15:13.33Z", + "LastModifiedDate": "2024-09-10T12:09:50.377Z" }, { - "VulnerabilityID": "CVE-2021-23362", - "PkgName": "hosted-git-info", - "PkgPath": "usr/local/lib/node_modules/npm/node_modules/hosted-git-info/package.json", - "InstalledVersion": "2.8.8", - "FixedVersion": "2.8.9, 3.0.8", + "VulnerabilityID": "CVE-2021-21353", + "PkgID": "pug@2.0.4", + "PkgName": "pug", + "PkgPath": "juice-shop/node_modules/pug/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/pug@2.0.4", + "UID": "b62044aaba5b1038" + }, + "InstalledVersion": "2.0.4", + "FixedVersion": "3.0.1", + "Status": "fixed", "Layer": { - "Digest": "sha256:1e6875f31a79a89ba75198be98bcf8542ebf5bedc72e713643f8051c1de5f953", - "DiffID": "sha256:b745c9620c42ed8b3d44112811e039e9e673072cef3bb5740bb1d560a40b1f8a" + "Digest": "sha256:372ee704575ced2099853693fdb4f8770cd71b4bfcc2bf639c8e9f9d481ede37", + "DiffID": "sha256:6de27bb627f066285f0628172e686caf3e388a3bf266606c88d619d87d14aae3" + }, + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2021-21353", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Title": "pug: user provided objects as input to pug templates can achieve remote code execution", + "Description": "Pug is an npm package which is a high-performance template engine. In pug before version 3.0.1, if a remote attacker was able to control the `pretty` option of the pug compiler, e.g. if you spread a user provided object such as the query parameters of a request into the pug template inputs, it was possible for them to achieve remote code execution on the node.js backend. This is fixed in version 3.0.1. This advisory applies to multiple pug packages including \"pug\", \"pug-code-gen\". 
pug-code-gen has a backported fix at version 2.0.3. This advisory is not exploitable if there is no way for un-trusted input to be passed to pug as the `pretty` option, e.g. if you compile templates in advance before applying user input to them, you do not need to upgrade.", + "Severity": "HIGH", + "CweIDs": [ + "CWE-74" + ], + "VendorSeverity": { + "ghsa": 3, + "nvd": 4, + "redhat": 2 }, - "SeveritySource": "nvd", - "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2021-23362", - "Title": "nodejs-hosted-git-info: Regular Expression denial of service via shortcutMatch in fromUrl()", - "Description": "The package hosted-git-info before 3.0.8 are vulnerable to Regular Expression Denial of Service (ReDoS) via regular expression shortcutMatch in the fromUrl function in index.js. The affected regular expression exhibits polynomial worst-case time complexity.", - "Severity": "MEDIUM", "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N", + "V3Score": 6.8 + }, "nvd": { - "V2Vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P", - "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", - "V2Score": 5, - "V3Score": 5.3 + "V2Vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P", + "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H", + "V2Score": 6.8, + "V3Score": 9 }, "redhat": { - "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", - "V3Score": 5.3 + "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H", + "V3Score": 9 } }, "References": [ - "https://github.com/advisories/GHSA-43f8-2h32-f4cj", - "https://github.com/npm/hosted-git-info/commit/29adfe5ef789784c861b2cdeb15051ec2ba651a7", - "https://github.com/npm/hosted-git-info/commit/8d4b3697d79bcd89cdb36d1db165e3696c783a01", - "https://github.com/npm/hosted-git-info/commit/bede0dc38e1785e732bf0a48ba6f81a4a908eba3", - "https://github.com/npm/hosted-git-info/commits/v2", - "https://linux.oracle.com/cve/CVE-2021-23362.html", - "https://linux.oracle.com/errata/ELSA-2021-3074.html", - 
"https://nvd.nist.gov/vuln/detail/CVE-2021-23362", - "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1088356", - "https://snyk.io/vuln/SNYK-JS-HOSTEDGITINFO-1088355" + "https://access.redhat.com/security/cve/CVE-2021-21353", + "https://github.com/pugjs/pug/commit/991e78f7c4220b2f8da042877c6f0ef5a4683be0", + "https://github.com/pugjs/pug/issues/3312", + "https://github.com/pugjs/pug/pull/3314", + "https://github.com/pugjs/pug/releases/tag/pug%403.0.1", + "https://github.com/pugjs/pug/security/advisories/GHSA-p493-635q-r6gr", + "https://nvd.nist.gov/vuln/detail/CVE-2021-21353", + "https://www.cve.org/CVERecord?id=CVE-2021-21353", + "https://www.npmjs.com/package/pug", + "https://www.npmjs.com/package/pug-code-gen" ], - "PublishedDate": "2021-03-23T17:15:00Z", - "LastModifiedDate": "2021-06-08T19:30:00Z" + "PublishedDate": "2021-03-03T02:15:13.143Z", + "LastModifiedDate": "2021-03-09T15:35:21.997Z" }, { - "VulnerabilityID": "CVE-2020-7788", - "PkgName": "ini", - "PkgPath": "usr/local/lib/node_modules/npm/node_modules/ini/package.json", - "InstalledVersion": "1.3.5", - "FixedVersion": "1.3.6", + "VulnerabilityID": "CVE-2024-36361", + "PkgID": "pug@2.0.4", + "PkgName": "pug", + "PkgPath": "juice-shop/node_modules/pug/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/pug@2.0.4", + "UID": "b62044aaba5b1038" + }, + "InstalledVersion": "2.0.4", + "FixedVersion": "3.0.3", + "Status": "fixed", "Layer": { - "Digest": "sha256:1e6875f31a79a89ba75198be98bcf8542ebf5bedc72e713643f8051c1de5f953", - "DiffID": "sha256:b745c9620c42ed8b3d44112811e039e9e673072cef3bb5740bb1d560a40b1f8a" + "Digest": "sha256:372ee704575ced2099853693fdb4f8770cd71b4bfcc2bf639c8e9f9d481ede37", + "DiffID": "sha256:6de27bb627f066285f0628172e686caf3e388a3bf266606c88d619d87d14aae3" }, - "SeveritySource": "nvd", - "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2020-7788", - "Title": "nodejs-ini: Prototype pollution via malicious INI file", - "Description": "This affects the package ini before 1.3.6. 
If an attacker submits a malicious INI file to an application that parses it with ini.parse, they will pollute the prototype on the application. This can be exploited further depending on the context.", - "Severity": "HIGH", + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2024-36361", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Title": "Pug allows JavaScript code execution if an application accepts untrusted input", + "Description": "Pug through 3.0.2 allows JavaScript code execution if an application accepts untrusted input for the name option of the compileClient, compileFileClient, or compileClientWithDependenciesTracked function. NOTE: these functions are for compiling Pug templates into JavaScript, and there would typically be no reason to allow untrusted callers.", + "Severity": "MEDIUM", "CweIDs": [ - "CWE-400" + "CWE-94" ], + "VendorSeverity": { + "ghsa": 2 + }, "CVSS": { - "nvd": { - "V2Vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P", - "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", - "V2Score": 7.5, - "V3Score": 7.3 - }, - "redhat": { - "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", - "V3Score": 7.3 + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N", + "V3Score": 6.8 } }, "References": [ - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7788", - "https://github.com/advisories/GHSA-qqgx-2p2h-9c37", - "https://github.com/npm/ini/commit/56d2805e07ccd94e2ba0984ac9240ff02d44b6f1", - "https://github.com/npm/ini/commit/56d2805e07ccd94e2ba0984ac9240ff02d44b6f1 (v1.3.6)", - "https://linux.oracle.com/cve/CVE-2020-7788.html", - "https://linux.oracle.com/errata/ELSA-2021-0551.html", - "https://lists.debian.org/debian-lts-announce/2020/12/msg00032.html", - "https://nvd.nist.gov/vuln/detail/CVE-2020-7788", - "https://snyk.io/vuln/SNYK-JS-INI-1048974" + 
"https://github.com/Coding-Competition-Team/hackac-2024/tree/main/web/pug", + "https://github.com/pugjs/pug", + "https://github.com/pugjs/pug/blob/4767cafea0af3d3f935553df0f9a8a6e76d470c2/packages/pug/lib/index.js#L328", + "https://github.com/pugjs/pug/commit/32acfe8f197dc44c54e8af32c7d7b19aa9d350fb", + "https://github.com/pugjs/pug/pull/3428", + "https://github.com/pugjs/pug/pull/3438", + "https://github.com/pugjs/pug/releases/tag/pug%403.0.3", + "https://nvd.nist.gov/vuln/detail/CVE-2024-36361", + "https://pugjs.org/api/reference.html", + "https://www.npmjs.com/package/pug-code-gen" ], - "PublishedDate": "2020-12-11T11:15:00Z", - "LastModifiedDate": "2021-07-21T11:39:00Z" + "PublishedDate": "2024-05-24T06:15:08.947Z", + "LastModifiedDate": "2024-08-02T04:17:00.323Z" }, { - "VulnerabilityID": "CVE-2015-9235", - "PkgName": "jsonwebtoken", - "PkgPath": "juice-shop/node_modules/express-jwt/node_modules/jsonwebtoken/package.json", - "InstalledVersion": "0.1.0", - "FixedVersion": "4.2.2", + "VulnerabilityID": "CVE-2021-21353", + "PkgID": "pug-code-gen@2.0.2", + "PkgName": "pug-code-gen", + "PkgPath": "juice-shop/node_modules/pug-code-gen/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/pug-code-gen@2.0.2", + "UID": "da20706f0066ff6b" + }, + "InstalledVersion": "2.0.2", + "FixedVersion": "2.0.3, 3.0.2", + "Status": "fixed", "Layer": { "Digest": "sha256:372ee704575ced2099853693fdb4f8770cd71b4bfcc2bf639c8e9f9d481ede37", "DiffID": "sha256:6de27bb627f066285f0628172e686caf3e388a3bf266606c88d619d87d14aae3" }, - "SeveritySource": "nvd", - "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2015-9235", - "Title": "nodejs-jsonwebtoken: verification step bypass with an altered token", - "Description": "In jsonwebtoken node module before 4.2.2 it is possible for an attacker to bypass verification when a token digitally signed with an asymmetric key (RS/ES family) of algorithms but instead the attacker send a token digitally signed with a symmetric algorithm (HS* family).", - 
"Severity": "CRITICAL", + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2021-21353", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Title": "pug: user provided objects as input to pug templates can achieve remote code execution", + "Description": "Pug is an npm package which is a high-performance template engine. In pug before version 3.0.1, if a remote attacker was able to control the `pretty` option of the pug compiler, e.g. if you spread a user provided object such as the query parameters of a request into the pug template inputs, it was possible for them to achieve remote code execution on the node.js backend. This is fixed in version 3.0.1. This advisory applies to multiple pug packages including \"pug\", \"pug-code-gen\". pug-code-gen has a backported fix at version 2.0.3. This advisory is not exploitable if there is no way for un-trusted input to be passed to pug as the `pretty` option, e.g. 
if you compile templates in advance before applying user input to them, you do not need to upgrade.", + "Severity": "HIGH", "CweIDs": [ - "CWE-327" + "CWE-74" ], + "VendorSeverity": { + "ghsa": 3, + "nvd": 4, + "redhat": 2 + }, "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N", + "V3Score": 6.8 + }, "nvd": { - "V2Vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P", - "V3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", - "V2Score": 7.5, - "V3Score": 9.8 + "V2Vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P", + "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H", + "V2Score": 6.8, + "V3Score": 9 }, "redhat": { - "V3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", - "V3Score": 7.3 + "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H", + "V3Score": 9 } }, "References": [ - "https://auth0.com/blog/2015/03/31/critical-vulnerabilities-in-json-web-token-libraries/", - "https://github.com/advisories/GHSA-c7hr-j4mj-j2w6", - "https://github.com/auth0/node-jsonwebtoken/commit/1bb584bc382295eeb7ee8c4452a673a77a68b687", - "https://nodesecurity.io/advisories/17", - "https://nvd.nist.gov/vuln/detail/CVE-2015-9235", - "https://www.timmclean.net/2015/02/25/jwt-alg-none.html" + "https://access.redhat.com/security/cve/CVE-2021-21353", + "https://github.com/pugjs/pug/commit/991e78f7c4220b2f8da042877c6f0ef5a4683be0", + "https://github.com/pugjs/pug/issues/3312", + "https://github.com/pugjs/pug/pull/3314", + "https://github.com/pugjs/pug/releases/tag/pug%403.0.1", + "https://github.com/pugjs/pug/security/advisories/GHSA-p493-635q-r6gr", + "https://nvd.nist.gov/vuln/detail/CVE-2021-21353", + "https://www.cve.org/CVERecord?id=CVE-2021-21353", + "https://www.npmjs.com/package/pug", + "https://www.npmjs.com/package/pug-code-gen" ], - "PublishedDate": "2018-05-29T20:29:00Z", - "LastModifiedDate": "2019-10-09T23:15:00Z" + "PublishedDate": "2021-03-03T02:15:13.143Z", + "LastModifiedDate": "2021-03-09T15:35:21.997Z" }, { - "VulnerabilityID": "NSWG-ECO-17", - 
"PkgName": "jsonwebtoken", - "PkgPath": "juice-shop/node_modules/express-jwt/node_modules/jsonwebtoken/package.json", - "InstalledVersion": "0.1.0", - "FixedVersion": "\u003e=4.2.2", + "VulnerabilityID": "CVE-2024-36361", + "PkgID": "pug-code-gen@2.0.2", + "PkgName": "pug-code-gen", + "PkgPath": "juice-shop/node_modules/pug-code-gen/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/pug-code-gen@2.0.2", + "UID": "da20706f0066ff6b" + }, + "InstalledVersion": "2.0.2", + "FixedVersion": "3.0.3", + "Status": "fixed", "Layer": { "Digest": "sha256:372ee704575ced2099853693fdb4f8770cd71b4bfcc2bf639c8e9f9d481ede37", "DiffID": "sha256:6de27bb627f066285f0628172e686caf3e388a3bf266606c88d619d87d14aae3" }, - "Title": "Verification Bypass", - "Description": "It is possible for an attacker to bypass verification when \"a token digitally signed with an asymetric key (RS/ES family) of algorithms but instead the attacker send a token digitally signed with a symmetric algorithm (HS* family)\" [1]", - "Severity": "HIGH", + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2024-36361", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Title": "Pug allows JavaScript code execution if an application accepts untrusted input", + "Description": "Pug through 3.0.2 allows JavaScript code execution if an application accepts untrusted input for the name option of the compileClient, compileFileClient, or compileClientWithDependenciesTracked function. 
NOTE: these functions are for compiling Pug templates into JavaScript, and there would typically be no reason to allow untrusted callers.", + "Severity": "MEDIUM", + "CweIDs": [ + "CWE-94" + ], + "VendorSeverity": { + "ghsa": 2 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N", + "V3Score": 6.8 + } + }, "References": [ - "https://auth0.com/blog/2015/03/31/critical-vulnerabilities-in-json-web-token-libraries/", - "https://github.com/auth0/node-jsonwebtoken/commit/1bb584bc382295eeb7ee8c4452a673a77a68b687", - "https://www.timmclean.net/2015/02/25/jwt-alg-none.html" - ] + "https://github.com/Coding-Competition-Team/hackac-2024/tree/main/web/pug", + "https://github.com/pugjs/pug", + "https://github.com/pugjs/pug/blob/4767cafea0af3d3f935553df0f9a8a6e76d470c2/packages/pug/lib/index.js#L328", + "https://github.com/pugjs/pug/commit/32acfe8f197dc44c54e8af32c7d7b19aa9d350fb", + "https://github.com/pugjs/pug/pull/3428", + "https://github.com/pugjs/pug/pull/3438", + "https://github.com/pugjs/pug/releases/tag/pug%403.0.3", + "https://nvd.nist.gov/vuln/detail/CVE-2024-36361", + "https://pugjs.org/api/reference.html", + "https://www.npmjs.com/package/pug-code-gen" + ], + "PublishedDate": "2024-05-24T06:15:08.947Z", + "LastModifiedDate": "2024-08-02T04:17:00.323Z" }, { - "VulnerabilityID": "CVE-2015-9235", - "PkgName": "jsonwebtoken", - "PkgPath": "juice-shop/node_modules/jsonwebtoken/package.json", - "InstalledVersion": "0.4.0", - "FixedVersion": "4.2.2", + "VulnerabilityID": "CVE-2022-24999", + "PkgID": "qs@6.5.2", + "PkgName": "qs", + "PkgPath": "juice-shop/node_modules/request/node_modules/qs/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/qs@6.5.2", + "UID": "e549cd19af95a943" + }, + "InstalledVersion": "6.5.2", + "FixedVersion": "6.10.3, 6.9.7, 6.8.3, 6.7.3, 6.6.1, 6.5.3, 6.4.1, 6.3.3, 6.2.4", + "Status": "fixed", "Layer": { "Digest": "sha256:372ee704575ced2099853693fdb4f8770cd71b4bfcc2bf639c8e9f9d481ede37", "DiffID": 
"sha256:6de27bb627f066285f0628172e686caf3e388a3bf266606c88d619d87d14aae3" }, - "SeveritySource": "nvd", - "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2015-9235", - "Title": "nodejs-jsonwebtoken: verification step bypass with an altered token", - "Description": "In jsonwebtoken node module before 4.2.2 it is possible for an attacker to bypass verification when a token digitally signed with an asymmetric key (RS/ES family) of algorithms but instead the attacker send a token digitally signed with a symmetric algorithm (HS* family).", - "Severity": "CRITICAL", + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2022-24999", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Title": "express: \"qs\" prototype poisoning causes the hang of the node process", + "Description": "qs before 6.10.3, as used in Express before 4.17.3 and other products, allows attackers to cause a Node process hang for an Express application because an __ proto__ key can be used. In many typical Express use cases, an unauthenticated remote attacker can place the attack payload in the query string of the URL that is used to visit the application, such as a[__proto__]=b\u0026a[__proto__]\u0026a[length]=100000000. 
The fix was backported to qs 6.9.7, 6.8.3, 6.7.3, 6.6.1, 6.5.3, 6.4.1, 6.3.3, and 6.2.4 (and therefore Express 4.17.3, which has \"deps: qs@6.9.7\" in its release description, is not vulnerable).", + "Severity": "HIGH", "CweIDs": [ - "CWE-327" + "CWE-1321" ], + "VendorSeverity": { + "alma": 2, + "ghsa": 3, + "nvd": 3, + "oracle-oval": 2, + "redhat": 2 + }, "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 7.5 + }, "nvd": { - "V2Vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P", - "V3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", - "V2Score": 7.5, - "V3Score": 9.8 + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 7.5 }, "redhat": { - "V3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", - "V3Score": 7.3 + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 7.5 } }, "References": [ - "https://auth0.com/blog/2015/03/31/critical-vulnerabilities-in-json-web-token-libraries/", - "https://github.com/advisories/GHSA-c7hr-j4mj-j2w6", - "https://github.com/auth0/node-jsonwebtoken/commit/1bb584bc382295eeb7ee8c4452a673a77a68b687", - "https://nodesecurity.io/advisories/17", - "https://nvd.nist.gov/vuln/detail/CVE-2015-9235", - "https://www.timmclean.net/2015/02/25/jwt-alg-none.html" - ], - "PublishedDate": "2018-05-29T20:29:00Z", - "LastModifiedDate": "2019-10-09T23:15:00Z" + "https://access.redhat.com/errata/RHSA-2023:0050", + "https://access.redhat.com/security/cve/CVE-2022-24999", + "https://bugzilla.redhat.com/2044591", + "https://bugzilla.redhat.com/2066009", + "https://bugzilla.redhat.com/2134609", + "https://bugzilla.redhat.com/2140911", + "https://bugzilla.redhat.com/2150323", + "https://errata.almalinux.org/8/ALSA-2023-0050.html", + "https://github.com/expressjs/express/releases/tag/4.17.3", + "https://github.com/ljharb/qs", + "https://github.com/ljharb/qs/commit/4310742efbd8c03f6495f07906b45213da0a32ec", + 
"https://github.com/ljharb/qs/commit/727ef5d34605108acb3513f72d5435972ed15b68", + "https://github.com/ljharb/qs/commit/73205259936317b40f447c5cdb71c5b341848e1b", + "https://github.com/ljharb/qs/commit/8b4cc14cda94a5c89341b77e5fe435ec6c41be2d", + "https://github.com/ljharb/qs/commit/ba24e74dd17931f825adb52f5633e48293b584e1", + "https://github.com/ljharb/qs/commit/e799ba57e573a30c14b67c1889c7c04d508b9105", + "https://github.com/ljharb/qs/commit/ed0f5dcbef4b168a8ae299d78b1e4a2e9b1baf1f", + "https://github.com/ljharb/qs/commit/f945393cfe442fe8c6e62b4156fd35452c0686ee", + "https://github.com/ljharb/qs/commit/fc3682776670524a42e19709ec4a8138d0d7afda", + "https://github.com/ljharb/qs/pull/428", + "https://github.com/n8tz/CVE-2022-24999", + "https://linux.oracle.com/cve/CVE-2022-24999.html", + "https://linux.oracle.com/errata/ELSA-2023-0050.html", + "https://lists.debian.org/debian-lts-announce/2023/01/msg00039.html", + "https://nvd.nist.gov/vuln/detail/CVE-2022-24999", + "https://security.netapp.com/advisory/ntap-20230908-0005/", + "https://www.cve.org/CVERecord?id=CVE-2022-24999" + ], + "PublishedDate": "2022-11-26T22:15:10.153Z", + "LastModifiedDate": "2023-09-08T17:15:15.687Z" }, { - "VulnerabilityID": "NSWG-ECO-17", - "PkgName": "jsonwebtoken", - "PkgPath": "juice-shop/node_modules/jsonwebtoken/package.json", - "InstalledVersion": "0.4.0", - "FixedVersion": "\u003e=4.2.2", + "VulnerabilityID": "CVE-2022-24999", + "PkgID": "qs@6.5.2", + "PkgName": "qs", + "PkgPath": "usr/local/lib/node_modules/npm/node_modules/qs/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/qs@6.5.2", + "UID": "7988bc6857cc9b8f" + }, + "InstalledVersion": "6.5.2", + "FixedVersion": "6.10.3, 6.9.7, 6.8.3, 6.7.3, 6.6.1, 6.5.3, 6.4.1, 6.3.3, 6.2.4", + "Status": "fixed", "Layer": { - "Digest": "sha256:372ee704575ced2099853693fdb4f8770cd71b4bfcc2bf639c8e9f9d481ede37", - "DiffID": "sha256:6de27bb627f066285f0628172e686caf3e388a3bf266606c88d619d87d14aae3" + "Digest": 
"sha256:1e6875f31a79a89ba75198be98bcf8542ebf5bedc72e713643f8051c1de5f953", + "DiffID": "sha256:b745c9620c42ed8b3d44112811e039e9e673072cef3bb5740bb1d560a40b1f8a" }, - "Title": "Verification Bypass", - "Description": "It is possible for an attacker to bypass verification when \"a token digitally signed with an asymetric key (RS/ES family) of algorithms but instead the attacker send a token digitally signed with a symmetric algorithm (HS* family)\" [1]", + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2022-24999", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Title": "express: \"qs\" prototype poisoning causes the hang of the node process", + "Description": "qs before 6.10.3, as used in Express before 4.17.3 and other products, allows attackers to cause a Node process hang for an Express application because an __ proto__ key can be used. In many typical Express use cases, an unauthenticated remote attacker can place the attack payload in the query string of the URL that is used to visit the application, such as a[__proto__]=b\u0026a[__proto__]\u0026a[length]=100000000. 
The fix was backported to qs 6.9.7, 6.8.3, 6.7.3, 6.6.1, 6.5.3, 6.4.1, 6.3.3, and 6.2.4 (and therefore Express 4.17.3, which has \"deps: qs@6.9.7\" in its release description, is not vulnerable).", "Severity": "HIGH", + "CweIDs": [ + "CWE-1321" + ], + "VendorSeverity": { + "alma": 2, + "ghsa": 3, + "nvd": 3, + "oracle-oval": 2, + "redhat": 2 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 7.5 + }, + "nvd": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 7.5 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 7.5 + } + }, "References": [ - "https://auth0.com/blog/2015/03/31/critical-vulnerabilities-in-json-web-token-libraries/", - "https://github.com/auth0/node-jsonwebtoken/commit/1bb584bc382295eeb7ee8c4452a673a77a68b687", - "https://www.timmclean.net/2015/02/25/jwt-alg-none.html" - ] + "https://access.redhat.com/errata/RHSA-2023:0050", + "https://access.redhat.com/security/cve/CVE-2022-24999", + "https://bugzilla.redhat.com/2044591", + "https://bugzilla.redhat.com/2066009", + "https://bugzilla.redhat.com/2134609", + "https://bugzilla.redhat.com/2140911", + "https://bugzilla.redhat.com/2150323", + "https://errata.almalinux.org/8/ALSA-2023-0050.html", + "https://github.com/expressjs/express/releases/tag/4.17.3", + "https://github.com/ljharb/qs", + "https://github.com/ljharb/qs/commit/4310742efbd8c03f6495f07906b45213da0a32ec", + "https://github.com/ljharb/qs/commit/727ef5d34605108acb3513f72d5435972ed15b68", + "https://github.com/ljharb/qs/commit/73205259936317b40f447c5cdb71c5b341848e1b", + "https://github.com/ljharb/qs/commit/8b4cc14cda94a5c89341b77e5fe435ec6c41be2d", + "https://github.com/ljharb/qs/commit/ba24e74dd17931f825adb52f5633e48293b584e1", + "https://github.com/ljharb/qs/commit/e799ba57e573a30c14b67c1889c7c04d508b9105", + "https://github.com/ljharb/qs/commit/ed0f5dcbef4b168a8ae299d78b1e4a2e9b1baf1f", + 
"https://github.com/ljharb/qs/commit/f945393cfe442fe8c6e62b4156fd35452c0686ee", + "https://github.com/ljharb/qs/commit/fc3682776670524a42e19709ec4a8138d0d7afda", + "https://github.com/ljharb/qs/pull/428", + "https://github.com/n8tz/CVE-2022-24999", + "https://linux.oracle.com/cve/CVE-2022-24999.html", + "https://linux.oracle.com/errata/ELSA-2023-0050.html", + "https://lists.debian.org/debian-lts-announce/2023/01/msg00039.html", + "https://nvd.nist.gov/vuln/detail/CVE-2022-24999", + "https://security.netapp.com/advisory/ntap-20230908-0005/", + "https://www.cve.org/CVERecord?id=CVE-2022-24999" + ], + "PublishedDate": "2022-11-26T22:15:10.153Z", + "LastModifiedDate": "2023-09-08T17:15:15.687Z" }, { - "VulnerabilityID": "CVE-2016-1000223", - "PkgName": "jws", - "PkgPath": "juice-shop/node_modules/jws/package.json", - "InstalledVersion": "0.2.6", - "FixedVersion": "3.0.0", + "VulnerabilityID": "CVE-2022-24999", + "PkgID": "qs@6.7.0", + "PkgName": "qs", + "PkgPath": "juice-shop/node_modules/qs/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/qs@6.7.0", + "UID": "a8707c07a27fb373" + }, + "InstalledVersion": "6.7.0", + "FixedVersion": "6.10.3, 6.9.7, 6.8.3, 6.7.3, 6.6.1, 6.5.3, 6.4.1, 6.3.3, 6.2.4", + "Status": "fixed", "Layer": { "Digest": "sha256:372ee704575ced2099853693fdb4f8770cd71b4bfcc2bf639c8e9f9d481ede37", "DiffID": "sha256:6de27bb627f066285f0628172e686caf3e388a3bf266606c88d619d87d14aae3" }, - "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2016-1000223", - "Title": "Forgeable Public/Private Tokens", - "Description": "Since \"algorithm\" isn't enforced in `jws.verify()`, a malicious user could choose what algorithm is sent to the server. If the server is expecting RSA but is sent HMAC-SHA with RSA's public key, the server will think the public key is actually an HMAC private key. This could be used to forge any data an attacker wants.\n\nIn addition, there is the `none` algorithm to be concerned about. 
In versions prior to 3.0.0, verification of the token could be bypassed when the `alg` field is set to `none`.\n\n*Edit ( 7/29/16 ): A previous version of this advisory incorrectly stated that the vulnerability was patched in version 2.0.0 instead of 3.0.0. The advisory has been updated to reflect this new information. Thanks to Fabien Catteau for reporting the error.*", + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2022-24999", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Title": "express: \"qs\" prototype poisoning causes the hang of the node process", + "Description": "qs before 6.10.3, as used in Express before 4.17.3 and other products, allows attackers to cause a Node process hang for an Express application because an __ proto__ key can be used. In many typical Express use cases, an unauthenticated remote attacker can place the attack payload in the query string of the URL that is used to visit the application, such as a[__proto__]=b\u0026a[__proto__]\u0026a[length]=100000000. 
The fix was backported to qs 6.9.7, 6.8.3, 6.7.3, 6.6.1, 6.5.3, 6.4.1, 6.3.3, and 6.2.4 (and therefore Express 4.17.3, which has \"deps: qs@6.9.7\" in its release description, is not vulnerable).", "Severity": "HIGH", - "References": [ - "https://auth0.com/blog/2015/03/31/critical-vulnerabilities-in-json-web-token-libraries/", - "https://github.com/advisories/GHSA-gjcw-v447-2w7q", - "https://github.com/brianloveswords/node-jws/commit/585d0e1e97b6747c10cf5b7689ccc5618a89b299#diff-4ac32a78649ca5bdd8e0ba38b7006a1e", - "https://nvd.nist.gov/vuln/detail/CVE-2016-1000223" - ] - }, - { - "VulnerabilityID": "CVE-2019-10744", - "PkgName": "lodash", - "PkgPath": "juice-shop/node_modules/sanitize-html/node_modules/lodash/package.json", - "InstalledVersion": "2.4.2", - "FixedVersion": "4.17.12", - "Layer": { - "Digest": "sha256:372ee704575ced2099853693fdb4f8770cd71b4bfcc2bf639c8e9f9d481ede37", - "DiffID": "sha256:6de27bb627f066285f0628172e686caf3e388a3bf266606c88d619d87d14aae3" + "CweIDs": [ + "CWE-1321" + ], + "VendorSeverity": { + "alma": 2, + "ghsa": 3, + "nvd": 3, + "oracle-oval": 2, + "redhat": 2 }, - "SeveritySource": "nvd", - "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-10744", - "Title": "nodejs-lodash: prototype pollution in defaultsDeep function leading to modifying properties", - "Description": "Versions of lodash lower than 4.17.12 are vulnerable to Prototype Pollution. 
The function defaultsDeep could be tricked into adding or modifying properties of Object.prototype using a constructor payload.", - "Severity": "CRITICAL", "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 7.5 + }, "nvd": { - "V2Vector": "AV:N/AC:L/Au:N/C:N/I:P/A:P", - "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H", - "V2Score": 6.4, - "V3Score": 9.1 + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 7.5 }, "redhat": { - "V3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H", - "V3Score": 9.1 + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 7.5 } }, "References": [ - "https://access.redhat.com/errata/RHSA-2019:3024", - "https://github.com/advisories/GHSA-jf85-cpcp-j695", - "https://nvd.nist.gov/vuln/detail/CVE-2019-10744", - "https://security.netapp.com/advisory/ntap-20191004-0005/", - "https://snyk.io/vuln/SNYK-JS-LODASH-450202", - "https://support.f5.com/csp/article/K47105354?utm_source=f5support\u0026amp;utm_medium=RSS", - "https://www.oracle.com/security-alerts/cpujan2021.html", - "https://www.oracle.com/security-alerts/cpuoct2020.html" + "https://access.redhat.com/errata/RHSA-2023:0050", + "https://access.redhat.com/security/cve/CVE-2022-24999", + "https://bugzilla.redhat.com/2044591", + "https://bugzilla.redhat.com/2066009", + "https://bugzilla.redhat.com/2134609", + "https://bugzilla.redhat.com/2140911", + "https://bugzilla.redhat.com/2150323", + "https://errata.almalinux.org/8/ALSA-2023-0050.html", + "https://github.com/expressjs/express/releases/tag/4.17.3", + "https://github.com/ljharb/qs", + "https://github.com/ljharb/qs/commit/4310742efbd8c03f6495f07906b45213da0a32ec", + "https://github.com/ljharb/qs/commit/727ef5d34605108acb3513f72d5435972ed15b68", + "https://github.com/ljharb/qs/commit/73205259936317b40f447c5cdb71c5b341848e1b", + "https://github.com/ljharb/qs/commit/8b4cc14cda94a5c89341b77e5fe435ec6c41be2d", + 
"https://github.com/ljharb/qs/commit/ba24e74dd17931f825adb52f5633e48293b584e1", + "https://github.com/ljharb/qs/commit/e799ba57e573a30c14b67c1889c7c04d508b9105", + "https://github.com/ljharb/qs/commit/ed0f5dcbef4b168a8ae299d78b1e4a2e9b1baf1f", + "https://github.com/ljharb/qs/commit/f945393cfe442fe8c6e62b4156fd35452c0686ee", + "https://github.com/ljharb/qs/commit/fc3682776670524a42e19709ec4a8138d0d7afda", + "https://github.com/ljharb/qs/pull/428", + "https://github.com/n8tz/CVE-2022-24999", + "https://linux.oracle.com/cve/CVE-2022-24999.html", + "https://linux.oracle.com/errata/ELSA-2023-0050.html", + "https://lists.debian.org/debian-lts-announce/2023/01/msg00039.html", + "https://nvd.nist.gov/vuln/detail/CVE-2022-24999", + "https://security.netapp.com/advisory/ntap-20230908-0005/", + "https://www.cve.org/CVERecord?id=CVE-2022-24999" + ], + "PublishedDate": "2022-11-26T22:15:10.153Z", + "LastModifiedDate": "2023-09-08T17:15:15.687Z" + }, + { + "VulnerabilityID": "CVE-2023-28155", + "PkgID": "request@2.88.0", + "PkgName": "request", + "PkgPath": "usr/local/lib/node_modules/npm/node_modules/request/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/request@2.88.0", + "UID": "35acc5474af90254" + }, + "InstalledVersion": "2.88.0", + "Status": "affected", + "Layer": { + "Digest": "sha256:1e6875f31a79a89ba75198be98bcf8542ebf5bedc72e713643f8051c1de5f953", + "DiffID": "sha256:b745c9620c42ed8b3d44112811e039e9e673072cef3bb5740bb1d560a40b1f8a" + }, + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2023-28155", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Title": "The Request package through 2.88.1 for Node.js allows a bypass of SSRF ...", + "Description": "The Request package through 2.88.1 for Node.js allows a bypass of SSRF mitigations via an attacker-controller server that does a cross-protocol redirect (HTTP to HTTPS, or HTTPS 
to HTTP). NOTE: This vulnerability only affects products that are no longer supported by the maintainer.", + "Severity": "MEDIUM", + "CweIDs": [ + "CWE-918" ], - "PublishedDate": "2019-07-26T00:15:00Z", - "LastModifiedDate": "2021-03-16T13:57:00Z" + "VendorSeverity": { + "cbl-mariner": 2, + "ghsa": 2, + "nvd": 2 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", + "V3Score": 6.1 + }, + "nvd": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", + "V3Score": 6.1 + } + }, + "References": [ + "https://doyensec.com/resources/Doyensec_Advisory_RequestSSRF_Q12023.pdf", + "https://github.com/cypress-io/request/blob/master/lib/redirect.js#L116", + "https://github.com/cypress-io/request/commit/c5bcf21d40fb61feaff21a0e5a2b3934a440024f", + "https://github.com/cypress-io/request/pull/28", + "https://github.com/cypress-io/request/releases/tag/v3.0.0", + "https://github.com/github/advisory-database/pull/2500", + "https://github.com/request/request", + "https://github.com/request/request/blob/master/lib/redirect.js#L111", + "https://github.com/request/request/issues/3442", + "https://github.com/request/request/pull/3444", + "https://nvd.nist.gov/vuln/detail/CVE-2023-28155", + "https://security.netapp.com/advisory/ntap-20230413-0007", + "https://security.netapp.com/advisory/ntap-20230413-0007/" + ], + "PublishedDate": "2023-03-16T15:15:11.107Z", + "LastModifiedDate": "2024-08-02T13:15:37.183Z" }, { - "VulnerabilityID": "CVE-2020-8203", - "PkgName": "lodash", - "PkgPath": "juice-shop/node_modules/sanitize-html/node_modules/lodash/package.json", - "InstalledVersion": "2.4.2", - "FixedVersion": "4.17.19", + "VulnerabilityID": "CVE-2023-28155", + "PkgID": "request@2.88.2", + "PkgName": "request", + "PkgPath": "juice-shop/node_modules/request/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/request@2.88.2", + "UID": "406f85740981fc77" + }, + "InstalledVersion": "2.88.2", + "Status": "affected", "Layer": { "Digest": 
"sha256:372ee704575ced2099853693fdb4f8770cd71b4bfcc2bf639c8e9f9d481ede37", "DiffID": "sha256:6de27bb627f066285f0628172e686caf3e388a3bf266606c88d619d87d14aae3" }, - "SeveritySource": "nvd", - "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2020-8203", - "Title": "nodejs-lodash: prototype pollution in zipObjectDeep function", - "Description": "Prototype pollution attack when using _.zipObjectDeep in lodash before 4.17.20.", - "Severity": "HIGH", + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2023-28155", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Title": "The Request package through 2.88.1 for Node.js allows a bypass of SSRF ...", + "Description": "The Request package through 2.88.1 for Node.js allows a bypass of SSRF mitigations via an attacker-controller server that does a cross-protocol redirect (HTTP to HTTPS, or HTTPS to HTTP). NOTE: This vulnerability only affects products that are no longer supported by the maintainer.", + "Severity": "MEDIUM", "CweIDs": [ - "CWE-770" + "CWE-918" ], + "VendorSeverity": { + "cbl-mariner": 2, + "ghsa": 2, + "nvd": 2 + }, "CVSS": { - "nvd": { - "V2Vector": "AV:N/AC:M/Au:N/C:N/I:P/A:P", - "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H", - "V2Score": 5.8, - "V3Score": 7.4 + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", + "V3Score": 6.1 }, - "redhat": { - "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H", - "V3Score": 7.4 + "nvd": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", + "V3Score": 6.1 } }, "References": [ - "https://github.com/advisories/GHSA-p6mc-m468-83gw", - "https://github.com/lodash/lodash/issues/4874", - "https://hackerone.com/reports/712065", - "https://nvd.nist.gov/vuln/detail/CVE-2020-8203", - "https://security.netapp.com/advisory/ntap-20200724-0006/", - "https://www.npmjs.com/advisories/1523", - 
"https://www.oracle.com//security-alerts/cpujul2021.html", - "https://www.oracle.com/security-alerts/cpuApr2021.html", - "https://www.oracle.com/security-alerts/cpuoct2021.html" - ], - "PublishedDate": "2020-07-15T17:15:00Z", - "LastModifiedDate": "2021-10-20T11:15:00Z" + "https://doyensec.com/resources/Doyensec_Advisory_RequestSSRF_Q12023.pdf", + "https://github.com/cypress-io/request/blob/master/lib/redirect.js#L116", + "https://github.com/cypress-io/request/commit/c5bcf21d40fb61feaff21a0e5a2b3934a440024f", + "https://github.com/cypress-io/request/pull/28", + "https://github.com/cypress-io/request/releases/tag/v3.0.0", + "https://github.com/github/advisory-database/pull/2500", + "https://github.com/request/request", + "https://github.com/request/request/blob/master/lib/redirect.js#L111", + "https://github.com/request/request/issues/3442", + "https://github.com/request/request/pull/3444", + "https://nvd.nist.gov/vuln/detail/CVE-2023-28155", + "https://security.netapp.com/advisory/ntap-20230413-0007", + "https://security.netapp.com/advisory/ntap-20230413-0007/" + ], + "PublishedDate": "2023-03-16T15:15:11.107Z", + "LastModifiedDate": "2024-08-02T13:15:37.183Z" }, { - "VulnerabilityID": "CVE-2021-23337", - "PkgName": "lodash", - "PkgPath": "juice-shop/node_modules/sanitize-html/node_modules/lodash/package.json", - "InstalledVersion": "2.4.2", - "FixedVersion": "4.17.21", + "VulnerabilityID": "CVE-2022-25887", + "PkgID": "sanitize-html@1.4.2", + "PkgName": "sanitize-html", + "PkgPath": "juice-shop/node_modules/sanitize-html/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/sanitize-html@1.4.2", + "UID": "dba6e401aaa6d720" + }, + "InstalledVersion": "1.4.2", + "FixedVersion": "2.7.1", + "Status": "fixed", "Layer": { "Digest": "sha256:372ee704575ced2099853693fdb4f8770cd71b4bfcc2bf639c8e9f9d481ede37", "DiffID": "sha256:6de27bb627f066285f0628172e686caf3e388a3bf266606c88d619d87d14aae3" }, - "SeveritySource": "nvd", - "PrimaryURL": 
"https://avd.aquasec.com/nvd/cve-2021-23337", - "Title": "nodejs-lodash: command injection via template", - "Description": "Lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function.", + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2022-25887", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Title": "sanitize-html: insecure global regular expression replacement logic may lead to ReDoS", + "Description": "The package sanitize-html before 2.7.1 are vulnerable to Regular Expression Denial of Service (ReDoS) due to insecure global regular expression replacement logic of HTML comment removal.", "Severity": "HIGH", "CweIDs": [ - "CWE-77" + "CWE-1333" ], + "VendorSeverity": { + "ghsa": 3, + "nvd": 3, + "redhat": 1 + }, "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 7.5 + }, "nvd": { - "V2Vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P", - "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", - "V2Score": 6.5, - "V3Score": 7.2 + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 7.5 }, "redhat": { - "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", - "V3Score": 7.2 + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", + "V3Score": 5.3 } }, "References": [ - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23337", - "https://github.com/advisories/GHSA-35jh-r3h4-6jhm", - "https://github.com/lodash/lodash/blob/ddfd9b11a0126db2302cb70ec9973b66baec0975/lodash.js%23L14851", - "https://nvd.nist.gov/vuln/detail/CVE-2021-23337", - "https://security.netapp.com/advisory/ntap-20210312-0006/", - "https://snyk.io/vuln/SNYK-JAVA-ORGFUJIONWEBJARS-1074932", - "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-1074930", - "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1074928", - 
"https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBLODASH-1074931", - "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1074929", - "https://snyk.io/vuln/SNYK-JS-LODASH-1040724", - "https://www.oracle.com//security-alerts/cpujul2021.html", - "https://www.oracle.com/security-alerts/cpuoct2021.html" - ], - "PublishedDate": "2021-02-15T13:15:00Z", - "LastModifiedDate": "2021-10-20T11:16:00Z" + "https://access.redhat.com/security/cve/CVE-2022-25887", + "https://github.com/apostrophecms/sanitize-html/commit/b4682c12fd30e12e82fa2d9b766de91d7d2cd23c", + "https://github.com/apostrophecms/sanitize-html/pull/557", + "https://nvd.nist.gov/vuln/detail/CVE-2022-25887", + "https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-3008102", + "https://security.snyk.io/vuln/SNYK-JS-SANITIZEHTML-2957526", + "https://www.cve.org/CVERecord?id=CVE-2022-25887" + ], + "PublishedDate": "2022-08-30T05:15:07.727Z", + "LastModifiedDate": "2023-08-08T14:22:24.967Z" }, { - "VulnerabilityID": "CVE-2018-16487", - "PkgName": "lodash", - "PkgPath": "juice-shop/node_modules/sanitize-html/node_modules/lodash/package.json", - "InstalledVersion": "2.4.2", - "FixedVersion": "4.17.11", + "VulnerabilityID": "CVE-2016-1000237", + "PkgID": "sanitize-html@1.4.2", + "PkgName": "sanitize-html", + "PkgPath": "juice-shop/node_modules/sanitize-html/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/sanitize-html@1.4.2", + "UID": "dba6e401aaa6d720" + }, + "InstalledVersion": "1.4.2", + "FixedVersion": "\u003e=1.4.3", + "Status": "fixed", "Layer": { "Digest": "sha256:372ee704575ced2099853693fdb4f8770cd71b4bfcc2bf639c8e9f9d481ede37", "DiffID": "sha256:6de27bb627f066285f0628172e686caf3e388a3bf266606c88d619d87d14aae3" }, - "SeveritySource": "nvd", - "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2018-16487", - "Title": "lodash: Prototype pollution in utilities function", - "Description": "A prototype pollution vulnerability was found in lodash \u003c4.17.11 where the functions merge, mergeWith, and defaultsDeep can be 
tricked into adding or modifying properties of Object.prototype.", + "SeveritySource": "nodejs-security-wg", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2016-1000237", + "DataSource": { + "ID": "nodejs-security-wg", + "Name": "Node.js Ecosystem Security Working Group", + "URL": "https://github.com/nodejs/security-wg" + }, + "Title": "XSS - Sanitization not applied recursively", + "Description": "sanitize-html before 1.4.3 has XSS.", "Severity": "MEDIUM", + "CweIDs": [ + "CWE-79" + ], + "VendorSeverity": { + "ghsa": 2, + "nodejs-security-wg": 2, + "nvd": 2 + }, "CVSS": { - "nvd": { - "V2Vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P", - "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L", - "V2Score": 6.8, - "V3Score": 5.6 + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", + "V3Score": 6.1 }, - "redhat": { - "V3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L", - "V3Score": 5.6 + "nvd": { + "V2Vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N", + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", + "V2Score": 4.3, + "V3Score": 6.1 } }, "References": [ - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16487", - "https://github.com/advisories/GHSA-4xc9-xhrj-v574", - "https://hackerone.com/reports/380873", - "https://nvd.nist.gov/vuln/detail/CVE-2018-16487", - "https://security.netapp.com/advisory/ntap-20190919-0004/" + "https://github.com/apostrophecms/sanitize-html/commit/762fbc7bba389f3f789cc291c1eb2b64f60f2caf", + "https://github.com/apostrophecms/sanitize-html/issues/29", + "https://github.com/punkave/sanitize-html/issues/29", + "https://nodesecurity.io/advisories/135", + "https://nvd.nist.gov/vuln/detail/CVE-2016-1000237", + "https://raw.githubusercontent.com/distributedweaknessfiling/cvelist/master/2016/1000xxx/CVE-2016-1000237.json", + "https://www.npmjs.com/advisories/135" ], - "PublishedDate": "2019-02-01T18:29:00Z", - "LastModifiedDate": "2020-09-18T16:38:00Z" + "PublishedDate": "2020-01-23T15:15:13.16Z", + 
"LastModifiedDate": "2020-01-24T19:44:22.967Z" }, { - "VulnerabilityID": "CVE-2018-3721", - "PkgName": "lodash", - "PkgPath": "juice-shop/node_modules/sanitize-html/node_modules/lodash/package.json", - "InstalledVersion": "2.4.2", - "FixedVersion": "4.17.5", + "VulnerabilityID": "CVE-2017-16016", + "PkgID": "sanitize-html@1.4.2", + "PkgName": "sanitize-html", + "PkgPath": "juice-shop/node_modules/sanitize-html/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/sanitize-html@1.4.2", + "UID": "dba6e401aaa6d720" + }, + "InstalledVersion": "1.4.2", + "FixedVersion": "1.11.4", + "Status": "fixed", "Layer": { "Digest": "sha256:372ee704575ced2099853693fdb4f8770cd71b4bfcc2bf639c8e9f9d481ede37", "DiffID": "sha256:6de27bb627f066285f0628172e686caf3e388a3bf266606c88d619d87d14aae3" }, - "SeveritySource": "nvd", - "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2018-3721", - "Title": "lodash: Prototype pollution in utilities function", - "Description": "lodash node module before 4.17.5 suffers from a Modification of Assumed-Immutable Data (MAID) vulnerability via defaultsDeep, merge, and mergeWith functions, which allows a malicious user to modify the prototype of \"Object\" via __proto__, causing the addition or modification of an existing property that will exist on all objects.", + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2017-16016", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Title": "Cross-Site Scripting in sanitize-html", + "Description": "Sanitize-html is a library for scrubbing html input of malicious values. 
Versions 1.11.1 and below are vulnerable to cross site scripting (XSS) in certain scenarios: If allowed at least one nonTextTags, the result is a potential XSS vulnerability.", "Severity": "MEDIUM", + "CweIDs": [ + "CWE-79" + ], + "VendorSeverity": { + "ghsa": 2, + "nvd": 2 + }, "CVSS": { "nvd": { - "V2Vector": "AV:N/AC:L/Au:S/C:N/I:P/A:N", - "V3Vector": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", - "V2Score": 4, - "V3Score": 6.5 - }, - "redhat": { - "V3Vector": "CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L", - "V3Score": 2.9 + "V2Vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N", + "V3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", + "V2Score": 4.3, + "V3Score": 6.1 } }, "References": [ - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3721", - "https://github.com/advisories/GHSA-fvqr-27wr-82fm", - "https://github.com/lodash/lodash/commit/d8e069cc3410082e44eb18fcf8e7f3d08ebe1d4a", - "https://hackerone.com/reports/310443", - "https://nvd.nist.gov/vuln/detail/CVE-2018-3721", - "https://security.netapp.com/advisory/ntap-20190919-0004/", - "https://snyk.io/vuln/npm:lodash:20180130", - "https://www.npmjs.com/advisories/577" + "https://github.com/advisories/GHSA-xc6g-ggrc-qq4r", + "https://github.com/punkave/sanitize-html/commit/5d205a1005ba0df80e21d8c64a15bb3accdb2403", + "https://github.com/punkave/sanitize-html/commit/5d205a1005ba0df80e21d8c64a15bb3accdb2403)))", + "https://github.com/punkave/sanitize-html/issues/100", + "https://nodesecurity.io/advisories/154", + "https://npmjs.com/package/sanitize-html#discarding-the-entire-contents-of-a-disallowed-tag", + "https://nvd.nist.gov/vuln/detail/CVE-2017-16016", + "https://www.npmjs.com/advisories/154" ], - "PublishedDate": "2018-06-07T02:29:00Z", - "LastModifiedDate": "2019-10-03T00:03:00Z" + "PublishedDate": "2018-06-04T19:29:01.023Z", + "LastModifiedDate": "2019-10-09T23:24:36.61Z" }, { - "VulnerabilityID": "CVE-2019-1010266", - "PkgName": "lodash", - "PkgPath": 
"juice-shop/node_modules/sanitize-html/node_modules/lodash/package.json", - "InstalledVersion": "2.4.2", - "FixedVersion": "4.17.11", + "VulnerabilityID": "CVE-2021-26539", + "PkgID": "sanitize-html@1.4.2", + "PkgName": "sanitize-html", + "PkgPath": "juice-shop/node_modules/sanitize-html/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/sanitize-html@1.4.2", + "UID": "dba6e401aaa6d720" + }, + "InstalledVersion": "1.4.2", + "FixedVersion": "2.3.1", + "Status": "fixed", "Layer": { "Digest": "sha256:372ee704575ced2099853693fdb4f8770cd71b4bfcc2bf639c8e9f9d481ede37", "DiffID": "sha256:6de27bb627f066285f0628172e686caf3e388a3bf266606c88d619d87d14aae3" }, - "SeveritySource": "nvd", - "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1010266", - "Title": "lodash: uncontrolled resource consumption in Data handler causing denial of service", - "Description": "lodash prior to 4.17.11 is affected by: CWE-400: Uncontrolled Resource Consumption. The impact is: Denial of service. The component is: Date handler. The attack vector is: Attacker provides very long strings, which the library attempts to match using a regular expression. 
The fixed version is: 4.17.11.", + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2021-26539", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Title": "sanitize-html: improper handling of internationalized domain name (IDN) can lead to bypass hostname whitelist validation", + "Description": "Apostrophe Technologies sanitize-html before 2.3.1 does not properly handle internationalized domain name (IDN) which could allow an attacker to bypass hostname whitelist validation set by the \"allowedIframeHostnames\" option.", "Severity": "MEDIUM", - "CweIDs": [ - "CWE-770" - ], + "VendorSeverity": { + "ghsa": 2, + "nvd": 2, + "redhat": 2 + }, "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", + "V3Score": 5.3 + }, "nvd": { - "V2Vector": "AV:N/AC:L/Au:S/C:N/I:N/A:P", - "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", - "V2Score": 4, - "V3Score": 6.5 + "V2Vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N", + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", + "V2Score": 5, + "V3Score": 5.3 }, "redhat": { - "V3Vector": "CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H", - "V3Score": 4.4 + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", + "V3Score": 5.3 } }, "References": [ - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1010266", - "https://github.com/advisories/GHSA-x5rq-j2xg-h7qm", - "https://github.com/lodash/lodash/issues/3359", - "https://github.com/lodash/lodash/wiki/Changelog", - "https://nvd.nist.gov/vuln/detail/CVE-2019-1010266", - "https://security.netapp.com/advisory/ntap-20190919-0004/", - "https://snyk.io/vuln/SNYK-JS-LODASH-73639" + "https://access.redhat.com/security/cve/CVE-2021-26539", + "https://advisory.checkmarx.net/advisory/CX-2021-4308", + "https://github.com/apostrophecms/sanitize-html", + 
"https://github.com/apostrophecms/sanitize-html/blob/main/CHANGELOG.md#231-2021-01-22", + "https://github.com/apostrophecms/sanitize-html/commit/bdf7836ef8f0e5b21f9a1aab0623ae8fcd09c1da", + "https://github.com/apostrophecms/sanitize-html/pull/458", + "https://nvd.nist.gov/vuln/detail/CVE-2021-26539", + "https://www.cve.org/CVERecord?id=CVE-2021-26539" ], - "PublishedDate": "2019-07-17T21:15:00Z", - "LastModifiedDate": "2020-09-30T13:40:00Z" + "PublishedDate": "2021-02-08T17:15:13.673Z", + "LastModifiedDate": "2022-04-26T15:24:43.517Z" }, { - "VulnerabilityID": "CVE-2019-10744", - "PkgName": "lodash", - "PkgPath": "juice-shop/node_modules/clarinet/benchmark/node_modules/lodash/package.json", - "InstalledVersion": "4.17.11", - "FixedVersion": "4.17.12", + "VulnerabilityID": "CVE-2021-26540", + "PkgID": "sanitize-html@1.4.2", + "PkgName": "sanitize-html", + "PkgPath": "juice-shop/node_modules/sanitize-html/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/sanitize-html@1.4.2", + "UID": "dba6e401aaa6d720" + }, + "InstalledVersion": "1.4.2", + "FixedVersion": "2.3.2", + "Status": "fixed", "Layer": { "Digest": "sha256:372ee704575ced2099853693fdb4f8770cd71b4bfcc2bf639c8e9f9d481ede37", "DiffID": "sha256:6de27bb627f066285f0628172e686caf3e388a3bf266606c88d619d87d14aae3" }, - "SeveritySource": "nvd", - "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-10744", - "Title": "nodejs-lodash: prototype pollution in defaultsDeep function leading to modifying properties", - "Description": "Versions of lodash lower than 4.17.12 are vulnerable to Prototype Pollution. 
The function defaultsDeep could be tricked into adding or modifying properties of Object.prototype using a constructor payload.", - "Severity": "CRITICAL", + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2021-26540", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Title": "sanitize-html: improper validation of hostnames set by the \"allowedIframeHostnames\" option can lead to bypass hostname whitelist for iframe element", + "Description": "Apostrophe Technologies sanitize-html before 2.3.2 does not properly validate the hostnames set by the \"allowedIframeHostnames\" option when the \"allowIframeRelativeUrls\" is set to true, which allows attackers to bypass hostname whitelist for iframe element, related using an src value that starts with \"/\\\\example.com\".", + "Severity": "MEDIUM", + "VendorSeverity": { + "ghsa": 2, + "nvd": 2, + "redhat": 2 + }, "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", + "V3Score": 5.3 + }, "nvd": { - "V2Vector": "AV:N/AC:L/Au:N/C:N/I:P/A:P", - "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H", - "V2Score": 6.4, - "V3Score": 9.1 + "V2Vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N", + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", + "V2Score": 5, + "V3Score": 5.3 }, "redhat": { - "V3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H", - "V3Score": 9.1 + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", + "V3Score": 5.3 } }, "References": [ - "https://access.redhat.com/errata/RHSA-2019:3024", - "https://github.com/advisories/GHSA-jf85-cpcp-j695", - "https://nvd.nist.gov/vuln/detail/CVE-2019-10744", - "https://security.netapp.com/advisory/ntap-20191004-0005/", - "https://snyk.io/vuln/SNYK-JS-LODASH-450202", - "https://support.f5.com/csp/article/K47105354?utm_source=f5support\u0026amp;utm_medium=RSS", - 
"https://www.oracle.com/security-alerts/cpujan2021.html", - "https://www.oracle.com/security-alerts/cpuoct2020.html" + "https://access.redhat.com/security/cve/CVE-2021-26540", + "https://advisory.checkmarx.net/advisory/CX-2021-4309", + "https://github.com/apostrophecms/sanitize-html/blob/main/CHANGELOG.md#232-2021-01-26", + "https://github.com/apostrophecms/sanitize-html/pull/460", + "https://nvd.nist.gov/vuln/detail/CVE-2021-26540", + "https://www.cve.org/CVERecord?id=CVE-2021-26540" ], - "PublishedDate": "2019-07-26T00:15:00Z", - "LastModifiedDate": "2021-03-16T13:57:00Z" + "PublishedDate": "2021-02-08T17:15:13.737Z", + "LastModifiedDate": "2021-04-01T15:02:12.757Z" }, { - "VulnerabilityID": "CVE-2020-8203", - "PkgName": "lodash", - "PkgPath": "juice-shop/node_modules/clarinet/benchmark/node_modules/lodash/package.json", - "InstalledVersion": "4.17.11", - "FixedVersion": "4.17.19", + "VulnerabilityID": "CVE-2024-21501", + "PkgID": "sanitize-html@1.4.2", + "PkgName": "sanitize-html", + "PkgPath": "juice-shop/node_modules/sanitize-html/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/sanitize-html@1.4.2", + "UID": "dba6e401aaa6d720" + }, + "InstalledVersion": "1.4.2", + "FixedVersion": "2.12.1", + "Status": "fixed", "Layer": { "Digest": "sha256:372ee704575ced2099853693fdb4f8770cd71b4bfcc2bf639c8e9f9d481ede37", "DiffID": "sha256:6de27bb627f066285f0628172e686caf3e388a3bf266606c88d619d87d14aae3" }, - "SeveritySource": "nvd", - "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2020-8203", - "Title": "nodejs-lodash: prototype pollution in zipObjectDeep function", - "Description": "Prototype pollution attack when using _.zipObjectDeep in lodash before 4.17.20.", - "Severity": "HIGH", + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2024-21501", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Title": "sanitize-html: Information 
Exposure when used on the backend", + "Description": "Versions of the package sanitize-html before 2.12.1 are vulnerable to Information Exposure when used on the backend and with the style attribute allowed, allowing enumeration of files in the system (including project dependencies). An attacker could exploit this vulnerability to gather details about the file system structure and dependencies of the targeted server.", + "Severity": "MEDIUM", "CweIDs": [ - "CWE-770" + "CWE-200", + "CWE-538" ], + "VendorSeverity": { + "ghsa": 2, + "redhat": 2 + }, "CVSS": { - "nvd": { - "V2Vector": "AV:N/AC:M/Au:N/C:N/I:P/A:P", - "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H", - "V2Score": 5.8, - "V3Score": 7.4 + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", + "V3Score": 5.3 }, "redhat": { - "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H", - "V3Score": 7.4 + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", + "V3Score": 5.3 } }, "References": [ - "https://github.com/advisories/GHSA-p6mc-m468-83gw", - "https://github.com/lodash/lodash/issues/4874", - "https://hackerone.com/reports/712065", - "https://nvd.nist.gov/vuln/detail/CVE-2020-8203", - "https://security.netapp.com/advisory/ntap-20200724-0006/", - "https://www.npmjs.com/advisories/1523", - "https://www.oracle.com//security-alerts/cpujul2021.html", - "https://www.oracle.com/security-alerts/cpuApr2021.html", - "https://www.oracle.com/security-alerts/cpuoct2021.html" - ], - "PublishedDate": "2020-07-15T17:15:00Z", - "LastModifiedDate": "2021-10-20T11:15:00Z" + "https://access.redhat.com/security/cve/CVE-2024-21501", + "https://gist.github.com/Slonser/8b4d061abe6ee1b2e10c7242987674cf", + "https://github.com/apostrophecms/apostrophe/discussions/4436", + "https://github.com/apostrophecms/sanitize-html", + "https://github.com/apostrophecms/sanitize-html/commit/c5dbdf77fe8b836d3bf4554ea39edb45281ec0b4", + "https://github.com/apostrophecms/sanitize-html/pull/650", + 
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4EB5JPYRCTS64EA5AMV3INHDPI6I4AW7", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4EB5JPYRCTS64EA5AMV3INHDPI6I4AW7/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/P4I5X6V3LYUNBMZ5YOW4BV427TH3IK4S", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/P4I5X6V3LYUNBMZ5YOW4BV427TH3IK4S/", + "https://nvd.nist.gov/vuln/detail/CVE-2024-21501", + "https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-6276557", + "https://security.snyk.io/vuln/SNYK-JS-SANITIZEHTML-6256334", + "https://www.cve.org/CVERecord?id=CVE-2024-21501" + ], + "PublishedDate": "2024-02-24T05:15:44.31Z", + "LastModifiedDate": "2024-08-28T18:35:07.823Z" }, { - "VulnerabilityID": "CVE-2021-23337", - "PkgName": "lodash", - "PkgPath": "juice-shop/node_modules/clarinet/benchmark/node_modules/lodash/package.json", - "InstalledVersion": "4.17.11", - "FixedVersion": "4.17.21", + "VulnerabilityID": "NSWG-ECO-154", + "PkgID": "sanitize-html@1.4.2", + "PkgName": "sanitize-html", + "PkgPath": "juice-shop/node_modules/sanitize-html/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/sanitize-html@1.4.2", + "UID": "dba6e401aaa6d720" + }, + "InstalledVersion": "1.4.2", + "FixedVersion": "\u003e=1.11.4", + "Status": "fixed", "Layer": { "Digest": "sha256:372ee704575ced2099853693fdb4f8770cd71b4bfcc2bf639c8e9f9d481ede37", "DiffID": "sha256:6de27bb627f066285f0628172e686caf3e388a3bf266606c88d619d87d14aae3" }, - "SeveritySource": "nvd", - "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2021-23337", - "Title": "nodejs-lodash: command injection via template", - "Description": "Lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function.", - "Severity": "HIGH", - "CweIDs": [ - "CWE-77" - ], - "CVSS": { - "nvd": { - "V2Vector": 
"AV:N/AC:L/Au:S/C:P/I:P/A:P", - "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", - "V2Score": 6.5, - "V3Score": 7.2 - }, - "redhat": { - "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", - "V3Score": 7.2 - } + "SeveritySource": "nodejs-security-wg", + "DataSource": { + "ID": "nodejs-security-wg", + "Name": "Node.js Ecosystem Security Working Group", + "URL": "https://github.com/nodejs/security-wg" + }, + "Title": "Cross Site Scripting", + "Description": "Sanitize-html is a library for scrubbing html input of malicious values.\n\nVersions 1.11.1 and below are vulnerable to cross site scripting (XSS) in certain scenarios:\n\nIf allowed at least one nonTextTags, the result is a potential XSS vulnerability.\nPoC:\n\n```\nvar sanitizeHtml = require('sanitize-html');\n\nvar dirty = '!\u003ctextarea\u003e\u0026lt;/textarea\u0026gt;\u003csvg/onload=prompt`xs`\u0026gt;\u003c/textarea\u003e!';\nvar clean = sanitizeHtml(dirty, {\n allowedTags: [ 'textarea' ]\n});\n\nconsole.log(clean);\n\n// !\u003ctextarea\u003e\u003c/textarea\u003e\u003csvg/onload=prompt`xs`\u003e\u003c/textarea\u003e!\n```", + "Severity": "MEDIUM", + "VendorSeverity": { + "nodejs-security-wg": 2 }, "References": [ - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23337", - "https://github.com/advisories/GHSA-35jh-r3h4-6jhm", - "https://github.com/lodash/lodash/blob/ddfd9b11a0126db2302cb70ec9973b66baec0975/lodash.js%23L14851", - "https://nvd.nist.gov/vuln/detail/CVE-2021-23337", - "https://security.netapp.com/advisory/ntap-20210312-0006/", - "https://snyk.io/vuln/SNYK-JAVA-ORGFUJIONWEBJARS-1074932", - "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-1074930", - "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1074928", - "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBLODASH-1074931", - "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1074929", - "https://snyk.io/vuln/SNYK-JS-LODASH-1040724", - "https://www.oracle.com//security-alerts/cpujul2021.html", - 
"https://www.oracle.com/security-alerts/cpuoct2021.html" - ], - "PublishedDate": "2021-02-15T13:15:00Z", - "LastModifiedDate": "2021-10-20T11:16:00Z" + "https://github.com/punkave/sanitize-html/commit/5d205a1005ba0df80e21d8c64a15bb3accdb2403", + "https://github.com/punkave/sanitize-html/issues/100" + ] }, { - "VulnerabilityID": "CVE-2020-8203", - "PkgName": "lodash", - "PkgPath": "juice-shop/node_modules/lodash/package.json", - "InstalledVersion": "4.17.15", - "FixedVersion": "4.17.19", + "VulnerabilityID": "CVE-2022-25883", + "PkgID": "semver@5.7.1", + "PkgName": "semver", + "PkgPath": "juice-shop/node_modules/check-dependencies/node_modules/semver/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/semver@5.7.1", + "UID": "755cb6611ac8b8e4" + }, + "InstalledVersion": "5.7.1", + "FixedVersion": "7.5.2, 6.3.1, 5.7.2", + "Status": "fixed", "Layer": { "Digest": "sha256:372ee704575ced2099853693fdb4f8770cd71b4bfcc2bf639c8e9f9d481ede37", "DiffID": "sha256:6de27bb627f066285f0628172e686caf3e388a3bf266606c88d619d87d14aae3" }, - "SeveritySource": "nvd", - "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2020-8203", - "Title": "nodejs-lodash: prototype pollution in zipObjectDeep function", - "Description": "Prototype pollution attack when using _.zipObjectDeep in lodash before 4.17.20.", + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2022-25883", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Title": "nodejs-semver: Regular expression denial of service", + "Description": "Versions of the package semver before 7.5.2 are vulnerable to Regular Expression Denial of Service (ReDoS) via the function new Range, when untrusted user data is provided as a range.\r\r\r", "Severity": "HIGH", "CweIDs": [ - "CWE-770" + "CWE-1333" ], + "VendorSeverity": { + "alma": 3, + "amazon": 3, + "cbl-mariner": 3, + "ghsa": 3, + "nvd": 3, + "oracle-oval": 
3, + "redhat": 2 + }, "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 7.5 + }, "nvd": { - "V2Vector": "AV:N/AC:M/Au:N/C:N/I:P/A:P", - "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H", - "V2Score": 5.8, - "V3Score": 7.4 + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 7.5 }, "redhat": { - "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H", - "V3Score": 7.4 + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 7.5 } }, "References": [ - "https://github.com/advisories/GHSA-p6mc-m468-83gw", - "https://github.com/lodash/lodash/issues/4874", - "https://hackerone.com/reports/712065", - "https://nvd.nist.gov/vuln/detail/CVE-2020-8203", - "https://security.netapp.com/advisory/ntap-20200724-0006/", - "https://www.npmjs.com/advisories/1523", - "https://www.oracle.com//security-alerts/cpujul2021.html", - "https://www.oracle.com/security-alerts/cpuApr2021.html", - "https://www.oracle.com/security-alerts/cpuoct2021.html" - ], - "PublishedDate": "2020-07-15T17:15:00Z", - "LastModifiedDate": "2021-10-20T11:15:00Z" + "https://access.redhat.com/errata/RHSA-2023:5363", + "https://access.redhat.com/security/cve/CVE-2022-25883", + "https://bugzilla.redhat.com/2216475", + "https://bugzilla.redhat.com/2230948", + "https://bugzilla.redhat.com/2230955", + "https://bugzilla.redhat.com/2230956", + "https://errata.almalinux.org/9/ALSA-2023-5363.html", + "https://github.com/advisories/GHSA-c2qf-rxjj-qqgw", + "https://github.com/npm/node-semver", + "https://github.com/npm/node-semver/blob/main/classes/range.js#L97-L104", + "https://github.com/npm/node-semver/blob/main/classes/range.js%23L97-L104", + "https://github.com/npm/node-semver/blob/main/internal/re.js#L138", + "https://github.com/npm/node-semver/blob/main/internal/re.js#L160", + "https://github.com/npm/node-semver/blob/main/internal/re.js%23L138", + "https://github.com/npm/node-semver/blob/main/internal/re.js%23L160", + 
"https://github.com/npm/node-semver/commit/2f8fd41487acf380194579ecb6f8b1bbfe116be0", + "https://github.com/npm/node-semver/commit/717534ee353682f3bcf33e60a8af4292626d4441", + "https://github.com/npm/node-semver/commit/928e56d21150da0413a3333a3148b20e741a920c", + "https://github.com/npm/node-semver/pull/564", + "https://github.com/npm/node-semver/pull/585", + "https://github.com/npm/node-semver/pull/593", + "https://linux.oracle.com/cve/CVE-2022-25883.html", + "https://linux.oracle.com/errata/ELSA-2023-5363.html", + "https://nvd.nist.gov/vuln/detail/CVE-2022-25883", + "https://security.snyk.io/vuln/SNYK-JS-SEMVER-3247795", + "https://www.cve.org/CVERecord?id=CVE-2022-25883" + ], + "PublishedDate": "2023-06-21T05:15:09.06Z", + "LastModifiedDate": "2023-11-07T03:44:51.993Z" }, { - "VulnerabilityID": "CVE-2021-23337", - "PkgName": "lodash", - "PkgPath": "juice-shop/node_modules/lodash/package.json", - "InstalledVersion": "4.17.15", - "FixedVersion": "4.17.21", + "VulnerabilityID": "CVE-2022-25883", + "PkgID": "semver@5.7.1", + "PkgName": "semver", + "PkgPath": "juice-shop/node_modules/execa/node_modules/semver/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/semver@5.7.1", + "UID": "5f20cc46f893f608" + }, + "InstalledVersion": "5.7.1", + "FixedVersion": "7.5.2, 6.3.1, 5.7.2", + "Status": "fixed", "Layer": { "Digest": "sha256:372ee704575ced2099853693fdb4f8770cd71b4bfcc2bf639c8e9f9d481ede37", "DiffID": "sha256:6de27bb627f066285f0628172e686caf3e388a3bf266606c88d619d87d14aae3" }, - "SeveritySource": "nvd", - "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2021-23337", - "Title": "nodejs-lodash: command injection via template", - "Description": "Lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function.", + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2022-25883", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": 
"https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Title": "nodejs-semver: Regular expression denial of service", + "Description": "Versions of the package semver before 7.5.2 are vulnerable to Regular Expression Denial of Service (ReDoS) via the function new Range, when untrusted user data is provided as a range.\r\r\r", "Severity": "HIGH", "CweIDs": [ - "CWE-77" + "CWE-1333" ], + "VendorSeverity": { + "alma": 3, + "amazon": 3, + "cbl-mariner": 3, + "ghsa": 3, + "nvd": 3, + "oracle-oval": 3, + "redhat": 2 + }, "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 7.5 + }, "nvd": { - "V2Vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P", - "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", - "V2Score": 6.5, - "V3Score": 7.2 + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 7.5 }, "redhat": { - "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", - "V3Score": 7.2 + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 7.5 } }, "References": [ - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23337", - "https://github.com/advisories/GHSA-35jh-r3h4-6jhm", - "https://github.com/lodash/lodash/blob/ddfd9b11a0126db2302cb70ec9973b66baec0975/lodash.js%23L14851", - "https://nvd.nist.gov/vuln/detail/CVE-2021-23337", - "https://security.netapp.com/advisory/ntap-20210312-0006/", - "https://snyk.io/vuln/SNYK-JAVA-ORGFUJIONWEBJARS-1074932", - "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-1074930", - "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1074928", - "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBLODASH-1074931", - "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1074929", - "https://snyk.io/vuln/SNYK-JS-LODASH-1040724", - "https://www.oracle.com//security-alerts/cpujul2021.html", - "https://www.oracle.com/security-alerts/cpuoct2021.html" - ], - "PublishedDate": "2021-02-15T13:15:00Z", - "LastModifiedDate": "2021-10-20T11:16:00Z" + 
"https://access.redhat.com/errata/RHSA-2023:5363", + "https://access.redhat.com/security/cve/CVE-2022-25883", + "https://bugzilla.redhat.com/2216475", + "https://bugzilla.redhat.com/2230948", + "https://bugzilla.redhat.com/2230955", + "https://bugzilla.redhat.com/2230956", + "https://errata.almalinux.org/9/ALSA-2023-5363.html", + "https://github.com/advisories/GHSA-c2qf-rxjj-qqgw", + "https://github.com/npm/node-semver", + "https://github.com/npm/node-semver/blob/main/classes/range.js#L97-L104", + "https://github.com/npm/node-semver/blob/main/classes/range.js%23L97-L104", + "https://github.com/npm/node-semver/blob/main/internal/re.js#L138", + "https://github.com/npm/node-semver/blob/main/internal/re.js#L160", + "https://github.com/npm/node-semver/blob/main/internal/re.js%23L138", + "https://github.com/npm/node-semver/blob/main/internal/re.js%23L160", + "https://github.com/npm/node-semver/commit/2f8fd41487acf380194579ecb6f8b1bbfe116be0", + "https://github.com/npm/node-semver/commit/717534ee353682f3bcf33e60a8af4292626d4441", + "https://github.com/npm/node-semver/commit/928e56d21150da0413a3333a3148b20e741a920c", + "https://github.com/npm/node-semver/pull/564", + "https://github.com/npm/node-semver/pull/585", + "https://github.com/npm/node-semver/pull/593", + "https://linux.oracle.com/cve/CVE-2022-25883.html", + "https://linux.oracle.com/errata/ELSA-2023-5363.html", + "https://nvd.nist.gov/vuln/detail/CVE-2022-25883", + "https://security.snyk.io/vuln/SNYK-JS-SEMVER-3247795", + "https://www.cve.org/CVERecord?id=CVE-2022-25883" + ], + "PublishedDate": "2023-06-21T05:15:09.06Z", + "LastModifiedDate": "2023-11-07T03:44:51.993Z" }, { - "VulnerabilityID": "NSWG-ECO-516", - "PkgName": "lodash", - "PkgPath": "juice-shop/node_modules/lodash/package.json", - "InstalledVersion": "4.17.15", - "FixedVersion": "\u003e=4.17.19", + "VulnerabilityID": "CVE-2022-25883", + "PkgID": "semver@5.7.1", + "PkgName": "semver", + "PkgPath": 
"juice-shop/node_modules/node-abi/node_modules/semver/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/semver@5.7.1", + "UID": "791fdca13ab40676" + }, + "InstalledVersion": "5.7.1", + "FixedVersion": "7.5.2, 6.3.1, 5.7.2", + "Status": "fixed", "Layer": { "Digest": "sha256:372ee704575ced2099853693fdb4f8770cd71b4bfcc2bf639c8e9f9d481ede37", "DiffID": "sha256:6de27bb627f066285f0628172e686caf3e388a3bf266606c88d619d87d14aae3" }, - "Title": "Allocation of Resources Without Limits or Throttling", - "Description": "Prototype pollution attack (lodash)", + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2022-25883", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Title": "nodejs-semver: Regular expression denial of service", + "Description": "Versions of the package semver before 7.5.2 are vulnerable to Regular Expression Denial of Service (ReDoS) via the function new Range, when untrusted user data is provided as a range.\r\r\r", "Severity": "HIGH", - "References": [ - "https://github.com/lodash/lodash/pull/4759", - "https://hackerone.com/reports/712065", - "https://www.npmjs.com/advisories/1523" - ] - }, - { - "VulnerabilityID": "GHSA-5mrr-rgp6-x4gr", - "PkgName": "marsdb", - "PkgPath": "juice-shop/node_modules/marsdb/package.json", - "InstalledVersion": "0.6.11", - "Layer": { - "Digest": "sha256:372ee704575ced2099853693fdb4f8770cd71b4bfcc2bf639c8e9f9d481ede37", - "DiffID": "sha256:6de27bb627f066285f0628172e686caf3e388a3bf266606c88d619d87d14aae3" + "CweIDs": [ + "CWE-1333" + ], + "VendorSeverity": { + "alma": 3, + "amazon": 3, + "cbl-mariner": 3, + "ghsa": 3, + "nvd": 3, + "oracle-oval": 3, + "redhat": 2 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 7.5 + }, + "nvd": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 7.5 + }, + "redhat": { + 
"V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 7.5 + } }, - "PrimaryURL": "https://github.com/advisories/GHSA-5mrr-rgp6-x4gr", - "Title": "Command Injection in marsdb", - "Description": "All versions of `marsdb` are vulnerable to Command Injection. In the `DocumentMatcher` class, selectors on `$where` clauses are passed to a Function constructor unsanitized. This allows attackers to run arbitrary commands in the system when the function is executed.\n\n\n## Recommendation\n\nNo fix is currently available. Consider using an alternative package until a fix is made available.", - "Severity": "CRITICAL", "References": [ - "https://github.com/advisories/GHSA-5mrr-rgp6-x4gr", - "https://github.com/bkimminich/juice-shop/issues/1173" - ] + "https://access.redhat.com/errata/RHSA-2023:5363", + "https://access.redhat.com/security/cve/CVE-2022-25883", + "https://bugzilla.redhat.com/2216475", + "https://bugzilla.redhat.com/2230948", + "https://bugzilla.redhat.com/2230955", + "https://bugzilla.redhat.com/2230956", + "https://errata.almalinux.org/9/ALSA-2023-5363.html", + "https://github.com/advisories/GHSA-c2qf-rxjj-qqgw", + "https://github.com/npm/node-semver", + "https://github.com/npm/node-semver/blob/main/classes/range.js#L97-L104", + "https://github.com/npm/node-semver/blob/main/classes/range.js%23L97-L104", + "https://github.com/npm/node-semver/blob/main/internal/re.js#L138", + "https://github.com/npm/node-semver/blob/main/internal/re.js#L160", + "https://github.com/npm/node-semver/blob/main/internal/re.js%23L138", + "https://github.com/npm/node-semver/blob/main/internal/re.js%23L160", + "https://github.com/npm/node-semver/commit/2f8fd41487acf380194579ecb6f8b1bbfe116be0", + "https://github.com/npm/node-semver/commit/717534ee353682f3bcf33e60a8af4292626d4441", + "https://github.com/npm/node-semver/commit/928e56d21150da0413a3333a3148b20e741a920c", + "https://github.com/npm/node-semver/pull/564", + "https://github.com/npm/node-semver/pull/585", + 
"https://github.com/npm/node-semver/pull/593", + "https://linux.oracle.com/cve/CVE-2022-25883.html", + "https://linux.oracle.com/errata/ELSA-2023-5363.html", + "https://nvd.nist.gov/vuln/detail/CVE-2022-25883", + "https://security.snyk.io/vuln/SNYK-JS-SEMVER-3247795", + "https://www.cve.org/CVERecord?id=CVE-2022-25883" + ], + "PublishedDate": "2023-06-21T05:15:09.06Z", + "LastModifiedDate": "2023-11-07T03:44:51.993Z" }, { - "VulnerabilityID": "CVE-2020-7598", - "PkgName": "minimist", - "PkgPath": "juice-shop/node_modules/optimist/node_modules/minimist/package.json", - "InstalledVersion": "0.0.10", - "FixedVersion": "1.2.3, 0.2.1", + "VulnerabilityID": "CVE-2022-25883", + "PkgID": "semver@5.7.1", + "PkgName": "semver", + "PkgPath": "juice-shop/node_modules/node-pre-gyp/node_modules/semver/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/semver@5.7.1", + "UID": "b9293965c5dfdb21" + }, + "InstalledVersion": "5.7.1", + "FixedVersion": "7.5.2, 6.3.1, 5.7.2", + "Status": "fixed", "Layer": { "Digest": "sha256:372ee704575ced2099853693fdb4f8770cd71b4bfcc2bf639c8e9f9d481ede37", "DiffID": "sha256:6de27bb627f066285f0628172e686caf3e388a3bf266606c88d619d87d14aae3" }, - "SeveritySource": "nvd", - "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2020-7598", - "Title": "nodejs-minimist: prototype pollution allows adding or modifying properties of Object.prototype using a constructor or __proto__ payload", - "Description": "minimist before 1.2.2 could be tricked into adding or modifying properties of Object.prototype using a \"constructor\" or \"__proto__\" payload.", - "Severity": "MEDIUM", + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2022-25883", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Title": "nodejs-semver: Regular expression denial of service", + "Description": "Versions of the package semver before 7.5.2 are vulnerable 
to Regular Expression Denial of Service (ReDoS) via the function new Range, when untrusted user data is provided as a range.\r\r\r", + "Severity": "HIGH", "CweIDs": [ - "CWE-20" + "CWE-1333" ], + "VendorSeverity": { + "alma": 3, + "amazon": 3, + "cbl-mariner": 3, + "ghsa": 3, + "nvd": 3, + "oracle-oval": 3, + "redhat": 2 + }, "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 7.5 + }, "nvd": { - "V2Vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P", - "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L", - "V2Score": 6.8, - "V3Score": 5.6 + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 7.5 }, "redhat": { - "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L", - "V3Score": 5.6 + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 7.5 } }, "References": [ - "http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00024.html", - "https://github.com/advisories/GHSA-vh95-rmgr-6w4m", - "https://linux.oracle.com/cve/CVE-2020-7598.html", - "https://linux.oracle.com/errata/ELSA-2020-2852.html", - "https://nvd.nist.gov/vuln/detail/CVE-2020-7598", - "https://snyk.io/vuln/SNYK-JS-MINIMIST-559764" - ], - "PublishedDate": "2020-03-11T23:15:00Z", - "LastModifiedDate": "2021-07-21T11:39:00Z" + "https://access.redhat.com/errata/RHSA-2023:5363", + "https://access.redhat.com/security/cve/CVE-2022-25883", + "https://bugzilla.redhat.com/2216475", + "https://bugzilla.redhat.com/2230948", + "https://bugzilla.redhat.com/2230955", + "https://bugzilla.redhat.com/2230956", + "https://errata.almalinux.org/9/ALSA-2023-5363.html", + "https://github.com/advisories/GHSA-c2qf-rxjj-qqgw", + "https://github.com/npm/node-semver", + "https://github.com/npm/node-semver/blob/main/classes/range.js#L97-L104", + "https://github.com/npm/node-semver/blob/main/classes/range.js%23L97-L104", + "https://github.com/npm/node-semver/blob/main/internal/re.js#L138", + 
"https://github.com/npm/node-semver/blob/main/internal/re.js#L160", + "https://github.com/npm/node-semver/blob/main/internal/re.js%23L138", + "https://github.com/npm/node-semver/blob/main/internal/re.js%23L160", + "https://github.com/npm/node-semver/commit/2f8fd41487acf380194579ecb6f8b1bbfe116be0", + "https://github.com/npm/node-semver/commit/717534ee353682f3bcf33e60a8af4292626d4441", + "https://github.com/npm/node-semver/commit/928e56d21150da0413a3333a3148b20e741a920c", + "https://github.com/npm/node-semver/pull/564", + "https://github.com/npm/node-semver/pull/585", + "https://github.com/npm/node-semver/pull/593", + "https://linux.oracle.com/cve/CVE-2022-25883.html", + "https://linux.oracle.com/errata/ELSA-2023-5363.html", + "https://nvd.nist.gov/vuln/detail/CVE-2022-25883", + "https://security.snyk.io/vuln/SNYK-JS-SEMVER-3247795", + "https://www.cve.org/CVERecord?id=CVE-2022-25883" + ], + "PublishedDate": "2023-06-21T05:15:09.06Z", + "LastModifiedDate": "2023-11-07T03:44:51.993Z" }, { - "VulnerabilityID": "CVE-2017-18214", - "PkgName": "moment", - "PkgPath": "juice-shop/node_modules/moment/package.json", - "InstalledVersion": "2.0.0", - "FixedVersion": "2.19.3", + "VulnerabilityID": "CVE-2022-25883", + "PkgID": "semver@5.7.1", + "PkgName": "semver", + "PkgPath": "juice-shop/node_modules/normalize-package-data/node_modules/semver/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/semver@5.7.1", + "UID": "80c242f72b0892c" + }, + "InstalledVersion": "5.7.1", + "FixedVersion": "7.5.2, 6.3.1, 5.7.2", + "Status": "fixed", "Layer": { "Digest": "sha256:372ee704575ced2099853693fdb4f8770cd71b4bfcc2bf639c8e9f9d481ede37", "DiffID": "sha256:6de27bb627f066285f0628172e686caf3e388a3bf266606c88d619d87d14aae3" }, - "SeveritySource": "nvd", - "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2017-18214", - "Title": "nodejs-moment: Regular expression denial of service", - "Description": "The moment module before 2.19.3 for Node.js is prone to a regular expression denial of service 
via a crafted date string, a different vulnerability than CVE-2016-4055.", + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2022-25883", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Title": "nodejs-semver: Regular expression denial of service", + "Description": "Versions of the package semver before 7.5.2 are vulnerable to Regular Expression Denial of Service (ReDoS) via the function new Range, when untrusted user data is provided as a range.\r\r\r", "Severity": "HIGH", "CweIDs": [ - "CWE-400" + "CWE-1333" ], + "VendorSeverity": { + "alma": 3, + "amazon": 3, + "cbl-mariner": 3, + "ghsa": 3, + "nvd": 3, + "oracle-oval": 3, + "redhat": 2 + }, "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 7.5 + }, "nvd": { - "V2Vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", - "V2Score": 5, "V3Score": 7.5 }, "redhat": { - "V3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", - "V3Score": 5.3 - } - }, - "References": [ - "https://github.com/advisories/GHSA-446m-mv8f-q348", - "https://github.com/moment/moment/issues/4163", - "https://nodesecurity.io/advisories/532", - "https://nvd.nist.gov/vuln/detail/CVE-2017-18214", - "https://www.tenable.com/security/tns-2019-02" - ], - "PublishedDate": "2018-03-04T21:29:00Z", - "LastModifiedDate": "2020-11-16T20:23:00Z" + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 7.5 + } + }, + "References": [ + "https://access.redhat.com/errata/RHSA-2023:5363", + "https://access.redhat.com/security/cve/CVE-2022-25883", + "https://bugzilla.redhat.com/2216475", + "https://bugzilla.redhat.com/2230948", + "https://bugzilla.redhat.com/2230955", + "https://bugzilla.redhat.com/2230956", + "https://errata.almalinux.org/9/ALSA-2023-5363.html", + 
"https://github.com/advisories/GHSA-c2qf-rxjj-qqgw", + "https://github.com/npm/node-semver", + "https://github.com/npm/node-semver/blob/main/classes/range.js#L97-L104", + "https://github.com/npm/node-semver/blob/main/classes/range.js%23L97-L104", + "https://github.com/npm/node-semver/blob/main/internal/re.js#L138", + "https://github.com/npm/node-semver/blob/main/internal/re.js#L160", + "https://github.com/npm/node-semver/blob/main/internal/re.js%23L138", + "https://github.com/npm/node-semver/blob/main/internal/re.js%23L160", + "https://github.com/npm/node-semver/commit/2f8fd41487acf380194579ecb6f8b1bbfe116be0", + "https://github.com/npm/node-semver/commit/717534ee353682f3bcf33e60a8af4292626d4441", + "https://github.com/npm/node-semver/commit/928e56d21150da0413a3333a3148b20e741a920c", + "https://github.com/npm/node-semver/pull/564", + "https://github.com/npm/node-semver/pull/585", + "https://github.com/npm/node-semver/pull/593", + "https://linux.oracle.com/cve/CVE-2022-25883.html", + "https://linux.oracle.com/errata/ELSA-2023-5363.html", + "https://nvd.nist.gov/vuln/detail/CVE-2022-25883", + "https://security.snyk.io/vuln/SNYK-JS-SEMVER-3247795", + "https://www.cve.org/CVERecord?id=CVE-2022-25883" + ], + "PublishedDate": "2023-06-21T05:15:09.06Z", + "LastModifiedDate": "2023-11-07T03:44:51.993Z" }, { - "VulnerabilityID": "CVE-2016-4055", - "PkgName": "moment", - "PkgPath": "juice-shop/node_modules/moment/package.json", - "InstalledVersion": "2.0.0", - "FixedVersion": "2.11.2", + "VulnerabilityID": "CVE-2022-25883", + "PkgID": "semver@5.7.1", + "PkgName": "semver", + "PkgPath": "juice-shop/node_modules/sqlite3/node_modules/semver/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/semver@5.7.1", + "UID": "46cd6acbe6b27172" + }, + "InstalledVersion": "5.7.1", + "FixedVersion": "7.5.2, 6.3.1, 5.7.2", + "Status": "fixed", "Layer": { "Digest": "sha256:372ee704575ced2099853693fdb4f8770cd71b4bfcc2bf639c8e9f9d481ede37", "DiffID": 
"sha256:6de27bb627f066285f0628172e686caf3e388a3bf266606c88d619d87d14aae3" }, - "SeveritySource": "nvd", - "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2016-4055", - "Title": "moment.js: regular expression denial of service", - "Description": "The duration function in the moment package before 2.11.2 for Node.js allows remote attackers to cause a denial of service (CPU consumption) via a long string, aka a \"regular expression Denial of Service (ReDoS).\"", - "Severity": "MEDIUM", + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2022-25883", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Title": "nodejs-semver: Regular expression denial of service", + "Description": "Versions of the package semver before 7.5.2 are vulnerable to Regular Expression Denial of Service (ReDoS) via the function new Range, when untrusted user data is provided as a range.\r\r\r", + "Severity": "HIGH", "CweIDs": [ - "CWE-399" + "CWE-1333" ], + "VendorSeverity": { + "alma": 3, + "amazon": 3, + "cbl-mariner": 3, + "ghsa": 3, + "nvd": 3, + "oracle-oval": 3, + "redhat": 2 + }, "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 7.5 + }, "nvd": { - "V2Vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C", - "V3Vector": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", - "V2Score": 7.8, - "V3Score": 6.5 + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 7.5 }, "redhat": { - "V2Vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P", - "V2Score": 4.3 + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 7.5 } }, "References": [ - "http://www.openwall.com/lists/oss-security/2016/04/20/11", - "http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html", - "http://www.securityfocus.com/bid/95849", - "https://github.com/advisories/GHSA-87vv-r9j6-g5qv", - 
"https://lists.apache.org/thread.html/10f0f3aefd51444d1198c65f44ffdf2d78ca3359423dbc1c168c9731@%3Cdev.flink.apache.org%3E", - "https://lists.apache.org/thread.html/17ff53f7999e74fbe3cc0ceb4e1c3b00b180b7c5afec8e978837bc49@%3Cuser.flink.apache.org%3E", - "https://lists.apache.org/thread.html/52bafac05ad174000ea465fe275fd3cc7bd5c25535a7631c0bc9bfb2@%3Cuser.flink.apache.org%3E", - "https://lists.apache.org/thread.html/54df3aeb4239b64b50b356f0ca6f986e3c4ca5b84c515dce077c7854@%3Cuser.flink.apache.org%3E", - "https://nodesecurity.io/advisories/55", - "https://nvd.nist.gov/vuln/detail/CVE-2016-4055", - "https://www.owasp.org/index.php/Regular_expression_Denial_of_Service_-_ReDoS", - "https://www.tenable.com/security/tns-2019-02" - ], - "PublishedDate": "2017-01-23T21:59:00Z", - "LastModifiedDate": "2019-08-11T18:15:00Z" + "https://access.redhat.com/errata/RHSA-2023:5363", + "https://access.redhat.com/security/cve/CVE-2022-25883", + "https://bugzilla.redhat.com/2216475", + "https://bugzilla.redhat.com/2230948", + "https://bugzilla.redhat.com/2230955", + "https://bugzilla.redhat.com/2230956", + "https://errata.almalinux.org/9/ALSA-2023-5363.html", + "https://github.com/advisories/GHSA-c2qf-rxjj-qqgw", + "https://github.com/npm/node-semver", + "https://github.com/npm/node-semver/blob/main/classes/range.js#L97-L104", + "https://github.com/npm/node-semver/blob/main/classes/range.js%23L97-L104", + "https://github.com/npm/node-semver/blob/main/internal/re.js#L138", + "https://github.com/npm/node-semver/blob/main/internal/re.js#L160", + "https://github.com/npm/node-semver/blob/main/internal/re.js%23L138", + "https://github.com/npm/node-semver/blob/main/internal/re.js%23L160", + "https://github.com/npm/node-semver/commit/2f8fd41487acf380194579ecb6f8b1bbfe116be0", + "https://github.com/npm/node-semver/commit/717534ee353682f3bcf33e60a8af4292626d4441", + "https://github.com/npm/node-semver/commit/928e56d21150da0413a3333a3148b20e741a920c", + 
"https://github.com/npm/node-semver/pull/564", + "https://github.com/npm/node-semver/pull/585", + "https://github.com/npm/node-semver/pull/593", + "https://linux.oracle.com/cve/CVE-2022-25883.html", + "https://linux.oracle.com/errata/ELSA-2023-5363.html", + "https://nvd.nist.gov/vuln/detail/CVE-2022-25883", + "https://security.snyk.io/vuln/SNYK-JS-SEMVER-3247795", + "https://www.cve.org/CVERecord?id=CVE-2022-25883" + ], + "PublishedDate": "2023-06-21T05:15:09.06Z", + "LastModifiedDate": "2023-11-07T03:44:51.993Z" }, { - "VulnerabilityID": "CVE-2020-15095", - "PkgName": "npm", - "PkgPath": "usr/local/lib/node_modules/npm/package.json", - "InstalledVersion": "6.14.4", - "FixedVersion": "6.14.6", + "VulnerabilityID": "CVE-2022-25883", + "PkgID": "semver@5.7.1", + "PkgName": "semver", + "PkgPath": "usr/local/lib/node_modules/npm/node_modules/semver/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/semver@5.7.1", + "UID": "498c93d70350dfd5" + }, + "InstalledVersion": "5.7.1", + "FixedVersion": "7.5.2, 6.3.1, 5.7.2", + "Status": "fixed", "Layer": { "Digest": "sha256:1e6875f31a79a89ba75198be98bcf8542ebf5bedc72e713643f8051c1de5f953", "DiffID": "sha256:b745c9620c42ed8b3d44112811e039e9e673072cef3bb5740bb1d560a40b1f8a" }, - "SeveritySource": "nvd", - "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2020-15095", - "Title": "npm: sensitive information exposure through logs", - "Description": "Versions of the npm CLI prior to 6.14.6 are vulnerable to an information exposure vulnerability through log files. The CLI supports URLs like \"\u003cprotocol\u003e://[\u003cuser\u003e[:\u003cpassword\u003e]@]\u003chostname\u003e[:\u003cport\u003e][:][/]\u003cpath\u003e\". 
The password value is not redacted and is printed to stdout and also to any generated log files.", - "Severity": "MEDIUM", + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2022-25883", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Title": "nodejs-semver: Regular expression denial of service", + "Description": "Versions of the package semver before 7.5.2 are vulnerable to Regular Expression Denial of Service (ReDoS) via the function new Range, when untrusted user data is provided as a range.\r\r\r", + "Severity": "HIGH", "CweIDs": [ - "CWE-532", - "CWE-532" + "CWE-1333" ], + "VendorSeverity": { + "alma": 3, + "amazon": 3, + "cbl-mariner": 3, + "ghsa": 3, + "nvd": 3, + "oracle-oval": 3, + "redhat": 2 + }, "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 7.5 + }, "nvd": { - "V2Vector": "AV:L/AC:M/Au:N/C:P/I:N/A:N", - "V3Vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:N", - "V2Score": 1.9, - "V3Score": 4.4 + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 7.5 }, "redhat": { - "V3Vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:N", - "V3Score": 4.4 + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 7.5 } }, "References": [ - "http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00011.html", - "http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00015.html", - "http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00023.html", - "https://github.com/advisories/GHSA-93f3-23rq-pjfp", - "https://github.com/npm/cli/blob/66aab417f836a901f8afb265251f761bb0422463/CHANGELOG.md#6146-2020-07-07", - "https://github.com/npm/cli/commit/a9857b8f6869451ff058789c4631fadfde5bbcbc", - "https://github.com/npm/cli/security/advisories/GHSA-93f3-23rq-pjfp", - "https://linux.oracle.com/cve/CVE-2020-15095.html", - 
"https://linux.oracle.com/errata/ELSA-2021-0548.html", - "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4OOYAMJVLLCLXDTHW3V5UXNULZBBK4O6/", - "https://nvd.nist.gov/vuln/detail/CVE-2020-15095", - "https://security.gentoo.org/glsa/202101-07" - ], - "PublishedDate": "2020-07-07T19:15:00Z", - "LastModifiedDate": "2021-01-11T11:15:00Z" + "https://access.redhat.com/errata/RHSA-2023:5363", + "https://access.redhat.com/security/cve/CVE-2022-25883", + "https://bugzilla.redhat.com/2216475", + "https://bugzilla.redhat.com/2230948", + "https://bugzilla.redhat.com/2230955", + "https://bugzilla.redhat.com/2230956", + "https://errata.almalinux.org/9/ALSA-2023-5363.html", + "https://github.com/advisories/GHSA-c2qf-rxjj-qqgw", + "https://github.com/npm/node-semver", + "https://github.com/npm/node-semver/blob/main/classes/range.js#L97-L104", + "https://github.com/npm/node-semver/blob/main/classes/range.js%23L97-L104", + "https://github.com/npm/node-semver/blob/main/internal/re.js#L138", + "https://github.com/npm/node-semver/blob/main/internal/re.js#L160", + "https://github.com/npm/node-semver/blob/main/internal/re.js%23L138", + "https://github.com/npm/node-semver/blob/main/internal/re.js%23L160", + "https://github.com/npm/node-semver/commit/2f8fd41487acf380194579ecb6f8b1bbfe116be0", + "https://github.com/npm/node-semver/commit/717534ee353682f3bcf33e60a8af4292626d4441", + "https://github.com/npm/node-semver/commit/928e56d21150da0413a3333a3148b20e741a920c", + "https://github.com/npm/node-semver/pull/564", + "https://github.com/npm/node-semver/pull/585", + "https://github.com/npm/node-semver/pull/593", + "https://linux.oracle.com/cve/CVE-2022-25883.html", + "https://linux.oracle.com/errata/ELSA-2023-5363.html", + "https://nvd.nist.gov/vuln/detail/CVE-2022-25883", + "https://security.snyk.io/vuln/SNYK-JS-SEMVER-3247795", + "https://www.cve.org/CVERecord?id=CVE-2022-25883" + ], + "PublishedDate": "2023-06-21T05:15:09.06Z", + 
"LastModifiedDate": "2023-11-07T03:44:51.993Z" }, { - "VulnerabilityID": "GHSA-jmqm-f2gx-4fjv", - "PkgName": "npm-registry-fetch", - "PkgPath": "usr/local/lib/node_modules/npm/node_modules/npm-registry-fetch/package.json", - "InstalledVersion": "4.0.3", - "FixedVersion": "8.1.1, 4.0.5", + "VulnerabilityID": "CVE-2022-25883", + "PkgID": "semver@6.3.0", + "PkgName": "semver", + "PkgPath": "juice-shop/node_modules/sequelize/node_modules/semver/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/semver@6.3.0", + "UID": "f3ee146e35b6dc2c" + }, + "InstalledVersion": "6.3.0", + "FixedVersion": "7.5.2, 6.3.1, 5.7.2", + "Status": "fixed", "Layer": { - "Digest": "sha256:1e6875f31a79a89ba75198be98bcf8542ebf5bedc72e713643f8051c1de5f953", - "DiffID": "sha256:b745c9620c42ed8b3d44112811e039e9e673072cef3bb5740bb1d560a40b1f8a" + "Digest": "sha256:372ee704575ced2099853693fdb4f8770cd71b4bfcc2bf639c8e9f9d481ede37", + "DiffID": "sha256:6de27bb627f066285f0628172e686caf3e388a3bf266606c88d619d87d14aae3" }, - "PrimaryURL": "https://github.com/advisories/GHSA-jmqm-f2gx-4fjv", - "Title": "Sensitive information exposure through logs in npm-registry-fetch", - "Description": "Affected versions of `npm-registry-fetch` are vulnerable to an information exposure vulnerability through log files. The cli supports URLs like `\u003cprotocol\u003e://[\u003cuser\u003e[:\u003cpassword\u003e]@]\u003chostname\u003e[:\u003cport\u003e][:][/]\u003cpath\u003e`. 
The password value is not redacted and is printed to stdout and also to any generated log files.", - "Severity": "MEDIUM", - "References": [ - "https://github.com/advisories/GHSA-jmqm-f2gx-4fjv", - "https://github.com/npm/npm-registry-fetch/security/advisories/GHSA-jmqm-f2gx-4fjv" - ] - }, - { - "VulnerabilityID": "CVE-2020-7754", - "PkgName": "npm-user-validate", - "PkgPath": "usr/local/lib/node_modules/npm/node_modules/npm-user-validate/package.json", - "InstalledVersion": "1.0.0", - "FixedVersion": "1.0.1", - "Layer": { - "Digest": "sha256:1e6875f31a79a89ba75198be98bcf8542ebf5bedc72e713643f8051c1de5f953", - "DiffID": "sha256:b745c9620c42ed8b3d44112811e039e9e673072cef3bb5740bb1d560a40b1f8a" + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2022-25883", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" }, - "SeveritySource": "nvd", - "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2020-7754", - "Title": "nodejs-npm-user-validate: improper input validation when validating user emails leads to ReDoS", - "Description": "This affects the package npm-user-validate before 1.0.1. 
The regex that validates user emails took exponentially longer to process long input strings beginning with @ characters.", + "Title": "nodejs-semver: Regular expression denial of service", + "Description": "Versions of the package semver before 7.5.2 are vulnerable to Regular Expression Denial of Service (ReDoS) via the function new Range, when untrusted user data is provided as a range.\r\r\r", "Severity": "HIGH", + "CweIDs": [ + "CWE-1333" + ], + "VendorSeverity": { + "alma": 3, + "amazon": 3, + "cbl-mariner": 3, + "ghsa": 3, + "nvd": 3, + "oracle-oval": 3, + "redhat": 2 + }, "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 7.5 + }, "nvd": { - "V2Vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", - "V2Score": 5, "V3Score": 7.5 }, "redhat": { 
@@ -2906,419 +13130,924 @@ } }, "References": [ - "https://github.com/advisories/GHSA-pw54-mh39-w3hc", - "https://github.com/npm/npm-user-validate/commit/c8a87dac1a4cc6988b5418f30411a8669bef204e", - "https://github.com/npm/npm-user-validate/security/advisories/GHSA-xgh6-85xh-479p", - "https://linux.oracle.com/cve/CVE-2020-7754.html", - "https://linux.oracle.com/errata/ELSA-2021-0551.html", - "https://nvd.nist.gov/vuln/detail/CVE-2020-7754", - "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1019353", - "https://snyk.io/vuln/SNYK-JS-NPMUSERVALIDATE-1019352" - ], - "PublishedDate": "2020-10-27T15:15:00Z", - "LastModifiedDate": "2020-10-27T17:31:00Z" + "https://access.redhat.com/errata/RHSA-2023:5363", + "https://access.redhat.com/security/cve/CVE-2022-25883", + "https://bugzilla.redhat.com/2216475", + "https://bugzilla.redhat.com/2230948", + "https://bugzilla.redhat.com/2230955", + "https://bugzilla.redhat.com/2230956", + "https://errata.almalinux.org/9/ALSA-2023-5363.html", + "https://github.com/advisories/GHSA-c2qf-rxjj-qqgw", + "https://github.com/npm/node-semver", + "https://github.com/npm/node-semver/blob/main/classes/range.js#L97-L104", + "https://github.com/npm/node-semver/blob/main/classes/range.js%23L97-L104", + "https://github.com/npm/node-semver/blob/main/internal/re.js#L138", + "https://github.com/npm/node-semver/blob/main/internal/re.js#L160", + "https://github.com/npm/node-semver/blob/main/internal/re.js%23L138", + "https://github.com/npm/node-semver/blob/main/internal/re.js%23L160", + "https://github.com/npm/node-semver/commit/2f8fd41487acf380194579ecb6f8b1bbfe116be0", + "https://github.com/npm/node-semver/commit/717534ee353682f3bcf33e60a8af4292626d4441", + "https://github.com/npm/node-semver/commit/928e56d21150da0413a3333a3148b20e741a920c", + "https://github.com/npm/node-semver/pull/564", + "https://github.com/npm/node-semver/pull/585", + "https://github.com/npm/node-semver/pull/593", + "https://linux.oracle.com/cve/CVE-2022-25883.html", + 
"https://linux.oracle.com/errata/ELSA-2023-5363.html", + "https://nvd.nist.gov/vuln/detail/CVE-2022-25883", + "https://security.snyk.io/vuln/SNYK-JS-SEMVER-3247795", + "https://www.cve.org/CVERecord?id=CVE-2022-25883" + ], + "PublishedDate": "2023-06-21T05:15:09.06Z", + "LastModifiedDate": "2023-11-07T03:44:51.993Z" }, { - "VulnerabilityID": "GHSA-xgh6-85xh-479p", - "PkgName": "npm-user-validate", - "PkgPath": "usr/local/lib/node_modules/npm/node_modules/npm-user-validate/package.json", - "InstalledVersion": "1.0.0", - "FixedVersion": "1.0.1", + "VulnerabilityID": "CVE-2022-25883", + "PkgID": "semver@7.3.2", + "PkgName": "semver", + "PkgPath": "juice-shop/node_modules/semver/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/semver@7.3.2", + "UID": "838f1077792212cb" + }, + "InstalledVersion": "7.3.2", + "FixedVersion": "7.5.2, 6.3.1, 5.7.2", + "Status": "fixed", "Layer": { - "Digest": "sha256:1e6875f31a79a89ba75198be98bcf8542ebf5bedc72e713643f8051c1de5f953", - "DiffID": "sha256:b745c9620c42ed8b3d44112811e039e9e673072cef3bb5740bb1d560a40b1f8a" + "Digest": "sha256:372ee704575ced2099853693fdb4f8770cd71b4bfcc2bf639c8e9f9d481ede37", + "DiffID": "sha256:6de27bb627f066285f0628172e686caf3e388a3bf266606c88d619d87d14aae3" }, - "PrimaryURL": "https://github.com/advisories/GHSA-xgh6-85xh-479p", - "Title": "Regular Expression Denial of Service in npm-user-validate", - "Description": "`npm-user-validate` before version `1.0.1` is vulnerable to a Regular Expression Denial of Service (REDos). The regex that validates user emails took exponentially longer to process long input strings beginning with `@` characters.\n\n### Impact\nThe issue affects the `email` function. 
If you use this function to process arbitrary user input with no character limit the application may be susceptible to Denial of Service.\n\n### Patches\nThe issue is patched in version 1.0.1 by improving the regular expression used and also enforcing a 254 character limit.\n\n### Workarounds\nRestrict the character length to a reasonable degree before passing a value to `.emal()`; Also, consider doing a more rigorous sanitizing/validation beforehand.", - "Severity": "LOW", - "References": [ - "https://github.com/advisories/GHSA-xgh6-85xh-479p", - "https://github.com/npm/npm-user-validate/security/advisories/GHSA-xgh6-85xh-479p" - ] - }, - { - "VulnerabilityID": "CVE-2021-23343", - "PkgName": "path-parse", - "PkgPath": "usr/local/lib/node_modules/npm/node_modules/path-parse/package.json", - "InstalledVersion": "1.0.6", - "FixedVersion": "1.0.7", - "Layer": { - "Digest": "sha256:1e6875f31a79a89ba75198be98bcf8542ebf5bedc72e713643f8051c1de5f953", - "DiffID": "sha256:b745c9620c42ed8b3d44112811e039e9e673072cef3bb5740bb1d560a40b1f8a" + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2022-25883", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" }, - "SeveritySource": "nvd", - "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2021-23343", - "Title": "nodejs-path-parse: ReDoS via splitDeviceRe, splitTailRe and splitPathRe", - "Description": "All versions of package path-parse are vulnerable to Regular Expression Denial of Service (ReDoS) via splitDeviceRe, splitTailRe, and splitPathRe regular expressions. 
ReDoS exhibits polynomial worst-case time complexity.", + "Title": "nodejs-semver: Regular expression denial of service", + "Description": "Versions of the package semver before 7.5.2 are vulnerable to Regular Expression Denial of Service (ReDoS) via the function new Range, when untrusted user data is provided as a range.\r\r\r", "Severity": "HIGH", + "CweIDs": [ + "CWE-1333" + ], + "VendorSeverity": { + "alma": 3, + "amazon": 3, + "cbl-mariner": 3, + "ghsa": 3, + "nvd": 3, + "oracle-oval": 3, + "redhat": 2 + }, "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 7.5 + }, "nvd": { - "V2Vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", - "V2Score": 5, "V3Score": 7.5 }, "redhat": { - "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", - "V3Score": 5.3 + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 7.5 } }, "References": [ - "https://github.com/advisories/GHSA-hj48-42vr-x3v9", - "https://github.com/jbgutierrez/path-parse/issues/8", - "https://linux.oracle.com/cve/CVE-2021-23343.html", - "https://linux.oracle.com/errata/ELSA-2021-3666.html", - "https://lists.apache.org/thread.html/r6a32cb3eda3b19096ad48ef1e7aa8f26e005f2f63765abb69ce08b85@%3Cdev.myfaces.apache.org%3E", - "https://nvd.nist.gov/vuln/detail/CVE-2021-23343", - "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1279028", - "https://snyk.io/vuln/SNYK-JS-PATHPARSE-1077067" + "https://access.redhat.com/errata/RHSA-2023:5363", + "https://access.redhat.com/security/cve/CVE-2022-25883", + "https://bugzilla.redhat.com/2216475", + "https://bugzilla.redhat.com/2230948", + "https://bugzilla.redhat.com/2230955", + "https://bugzilla.redhat.com/2230956", + "https://errata.almalinux.org/9/ALSA-2023-5363.html", + "https://github.com/advisories/GHSA-c2qf-rxjj-qqgw", + "https://github.com/npm/node-semver", + "https://github.com/npm/node-semver/blob/main/classes/range.js#L97-L104", + 
"https://github.com/npm/node-semver/blob/main/classes/range.js%23L97-L104", + "https://github.com/npm/node-semver/blob/main/internal/re.js#L138", + "https://github.com/npm/node-semver/blob/main/internal/re.js#L160", + "https://github.com/npm/node-semver/blob/main/internal/re.js%23L138", + "https://github.com/npm/node-semver/blob/main/internal/re.js%23L160", + "https://github.com/npm/node-semver/commit/2f8fd41487acf380194579ecb6f8b1bbfe116be0", + "https://github.com/npm/node-semver/commit/717534ee353682f3bcf33e60a8af4292626d4441", + "https://github.com/npm/node-semver/commit/928e56d21150da0413a3333a3148b20e741a920c", + "https://github.com/npm/node-semver/pull/564", + "https://github.com/npm/node-semver/pull/585", + "https://github.com/npm/node-semver/pull/593", + "https://linux.oracle.com/cve/CVE-2022-25883.html", + "https://linux.oracle.com/errata/ELSA-2023-5363.html", + "https://nvd.nist.gov/vuln/detail/CVE-2022-25883", + "https://security.snyk.io/vuln/SNYK-JS-SEMVER-3247795", + "https://www.cve.org/CVERecord?id=CVE-2022-25883" + ], + "PublishedDate": "2023-06-21T05:15:09.06Z", + "LastModifiedDate": "2023-11-07T03:44:51.993Z" + }, + { + "VulnerabilityID": "CVE-2024-43799", + "PkgID": "send@0.17.1", + "PkgName": "send", + "PkgPath": "juice-shop/node_modules/send/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/send@0.17.1", + "UID": "12e49f5658967055" + }, + "InstalledVersion": "0.17.1", + "FixedVersion": "0.19.0", + "Status": "fixed", + "Layer": { + "Digest": "sha256:372ee704575ced2099853693fdb4f8770cd71b4bfcc2bf639c8e9f9d481ede37", + "DiffID": "sha256:6de27bb627f066285f0628172e686caf3e388a3bf266606c88d619d87d14aae3" + }, + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2024-43799", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Title": "send: Code Execution Vulnerability in Send Library", + "Description": "Send is a 
library for streaming files from the file system as a http response. Send passes untrusted user input to SendStream.redirect() which executes untrusted code. This issue is patched in send 0.19.0.", + "Severity": "MEDIUM", + "CweIDs": [ + "CWE-79" ], - "PublishedDate": "2021-05-04T09:15:00Z", - "LastModifiedDate": "2021-05-31T06:15:00Z" + "VendorSeverity": { + "cbl-mariner": 2, + "ghsa": 2, + "nvd": 2, + "redhat": 2 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L", + "V3Score": 5 + }, + "nvd": { + "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N", + "V3Score": 4.7 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L", + "V3Score": 5 + } + }, + "References": [ + "https://access.redhat.com/security/cve/CVE-2024-43799", + "https://github.com/pillarjs/send", + "https://github.com/pillarjs/send/commit/ae4f2989491b392ae2ef3b0015a019770ae65d35", + "https://github.com/pillarjs/send/security/advisories/GHSA-m6fv-jmcg-4jfg", + "https://nvd.nist.gov/vuln/detail/CVE-2024-43799", + "https://www.cve.org/CVERecord?id=CVE-2024-43799" + ], + "PublishedDate": "2024-09-10T15:15:17.727Z", + "LastModifiedDate": "2024-09-20T16:57:14.687Z" }, { - "VulnerabilityID": "CVE-2021-21353", - "PkgName": "pug", - "PkgPath": "juice-shop/node_modules/pug/package.json", - "InstalledVersion": "2.0.4", - "FixedVersion": "3.0.1", + "VulnerabilityID": "CVE-2023-22578", + "PkgID": "sequelize@5.21.6", + "PkgName": "sequelize", + "PkgPath": "juice-shop/node_modules/sequelize/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/sequelize@5.21.6", + "UID": "2f142e453dc6f0cf" + }, + "InstalledVersion": "5.21.6", + "FixedVersion": "6.29.0", + "Status": "fixed", "Layer": { "Digest": "sha256:372ee704575ced2099853693fdb4f8770cd71b4bfcc2bf639c8e9f9d481ede37", "DiffID": "sha256:6de27bb627f066285f0628172e686caf3e388a3bf266606c88d619d87d14aae3" }, - "SeveritySource": "nvd", - "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2021-21353", - 
"Title": "Remote code execution via the `pretty` option.", - "Description": "Pug is an npm package which is a high-performance template engine. In pug before version 3.0.1, if a remote attacker was able to control the `pretty` option of the pug compiler, e.g. if you spread a user provided object such as the query parameters of a request into the pug template inputs, it was possible for them to achieve remote code execution on the node.js backend. This is fixed in version 3.0.1. This advisory applies to multiple pug packages including \"pug\", \"pug-code-gen\". pug-code-gen has a backported fix at version 2.0.3. This advisory is not exploitable if there is no way for un-trusted input to be passed to pug as the `pretty` option, e.g. if you compile templates in advance before applying user input to them, you do not need to upgrade.", + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2023-22578", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Title": "Sequelize - Default support for “raw attributes” when using parentheses", + "Description": "Due to improper artibute filtering in the sequalize js library, can a attacker peform SQL injections.", "Severity": "CRITICAL", "CweIDs": [ - "CWE-74" + "CWE-790" ], + "VendorSeverity": { + "ghsa": 4, + "nvd": 4 + }, "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", + "V3Score": 10 + }, "nvd": { - "V2Vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P", - "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H", - "V2Score": 6.8, - "V3Score": 9 + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "V3Score": 9.8 } }, "References": [ - "https://github.com/advisories/GHSA-p493-635q-r6gr", - "https://github.com/pugjs/pug/commit/991e78f7c4220b2f8da042877c6f0ef5a4683be0", - "https://github.com/pugjs/pug/issues/3312", - "https://github.com/pugjs/pug/pull/3314", - 
"https://github.com/pugjs/pug/releases/tag/pug%403.0.1", - "https://github.com/pugjs/pug/security/advisories/GHSA-p493-635q-r6gr", - "https://nvd.nist.gov/vuln/detail/CVE-2021-21353", - "https://www.npmjs.com/package/pug", - "https://www.npmjs.com/package/pug-code-gen" - ], - "PublishedDate": "2021-03-03T02:15:00Z", - "LastModifiedDate": "2021-03-09T15:35:00Z" + "https://csirt.divd.nl/CVE-2023-22578", + "https://csirt.divd.nl/DIVD-2022-00020", + "https://csirt.divd.nl/DIVD-2022-00020/", + "https://github.com/sequelize/sequelize", + "https://github.com/sequelize/sequelize/discussions/15694", + "https://github.com/sequelize/sequelize/pull/15710", + "https://github.com/sequelize/sequelize/releases/tag/v6.29.0", + "https://github.com/sequelize/sequelize/releases/tag/v7.0.0-alpha.20", + "https://github.com/sequelize/sequelize/security/advisories/GHSA-f598-mfpv-gmfx", + "https://nvd.nist.gov/vuln/detail/CVE-2023-22578" + ], + "PublishedDate": "2023-02-16T15:15:18.16Z", + "LastModifiedDate": "2023-03-03T19:23:56.89Z" }, { - "VulnerabilityID": "CVE-2021-21353", - "PkgName": "pug-code-gen", - "PkgPath": "juice-shop/node_modules/pug-code-gen/package.json", - "InstalledVersion": "2.0.2", - "FixedVersion": "3.0.2, 2.0.3", + "VulnerabilityID": "CVE-2023-22579", + "PkgID": "sequelize@5.21.6", + "PkgName": "sequelize", + "PkgPath": "juice-shop/node_modules/sequelize/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/sequelize@5.21.6", + "UID": "2f142e453dc6f0cf" + }, + "InstalledVersion": "5.21.6", + "FixedVersion": "6.28.1", + "Status": "fixed", "Layer": { "Digest": "sha256:372ee704575ced2099853693fdb4f8770cd71b4bfcc2bf639c8e9f9d481ede37", "DiffID": "sha256:6de27bb627f066285f0628172e686caf3e388a3bf266606c88d619d87d14aae3" }, - "SeveritySource": "nvd", - "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2021-21353", - "Title": "Remote code execution via the `pretty` option.", - "Description": "Pug is an npm package which is a high-performance template engine. 
In pug before version 3.0.1, if a remote attacker was able to control the `pretty` option of the pug compiler, e.g. if you spread a user provided object such as the query parameters of a request into the pug template inputs, it was possible for them to achieve remote code execution on the node.js backend. This is fixed in version 3.0.1. This advisory applies to multiple pug packages including \"pug\", \"pug-code-gen\". pug-code-gen has a backported fix at version 2.0.3. This advisory is not exploitable if there is no way for un-trusted input to be passed to pug as the `pretty` option, e.g. if you compile templates in advance before applying user input to them, you do not need to upgrade.", + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2023-22579", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Title": "Unsafe fall-through in getWhereConditions", + "Description": "Due to improper parameter filtering in the sequalize js library, can a attacker peform injection.", "Severity": "CRITICAL", "CweIDs": [ - "CWE-74" + "CWE-843" ], + "VendorSeverity": { + "ghsa": 4, + "nvd": 3 + }, "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", + "V3Score": 10 + }, "nvd": { - "V2Vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P", - "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H", - "V2Score": 6.8, - "V3Score": 9 + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "V3Score": 8.8 } }, "References": [ - "https://github.com/advisories/GHSA-p493-635q-r6gr", - "https://github.com/pugjs/pug/commit/991e78f7c4220b2f8da042877c6f0ef5a4683be0", - "https://github.com/pugjs/pug/issues/3312", - "https://github.com/pugjs/pug/pull/3314", - "https://github.com/pugjs/pug/releases/tag/pug%403.0.1", - "https://github.com/pugjs/pug/security/advisories/GHSA-p493-635q-r6gr", - 
"https://nvd.nist.gov/vuln/detail/CVE-2021-21353", - "https://www.npmjs.com/package/pug", - "https://www.npmjs.com/package/pug-code-gen" + "https://csirt.divd.nl/CVE-2023-22579", + "https://csirt.divd.nl/DIVD-2022-00020", + "https://csirt.divd.nl/DIVD-2022-00020/", + "https://github.com/sequelize/sequelize", + "https://github.com/sequelize/sequelize/discussions/15698", + "https://github.com/sequelize/sequelize/pull/15375", + "https://github.com/sequelize/sequelize/pull/15699", + "https://github.com/sequelize/sequelize/releases/tag/v6.28.1", + "https://github.com/sequelize/sequelize/releases/tag/v7.0.0-alpha.20", + "https://github.com/sequelize/sequelize/security/advisories/GHSA-vqfx-gj96-3w95", + "https://nvd.nist.gov/vuln/detail/CVE-2023-22579" + ], + "PublishedDate": "2023-02-16T15:15:18.46Z", + "LastModifiedDate": "2023-04-28T18:50:21Z" + }, + { + "VulnerabilityID": "CVE-2023-25813", + "PkgID": "sequelize@5.21.6", + "PkgName": "sequelize", + "PkgPath": "juice-shop/node_modules/sequelize/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/sequelize@5.21.6", + "UID": "2f142e453dc6f0cf" + }, + "InstalledVersion": "5.21.6", + "FixedVersion": "6.19.1", + "Status": "fixed", + "Layer": { + "Digest": "sha256:372ee704575ced2099853693fdb4f8770cd71b4bfcc2bf639c8e9f9d481ede37", + "DiffID": "sha256:6de27bb627f066285f0628172e686caf3e388a3bf266606c88d619d87d14aae3" + }, + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2023-25813", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Title": "Sequelize vulnerable to SQL Injection via replacements", + "Description": "Sequelize is a Node.js ORM tool. In versions prior to 6.19.1 a SQL injection exploit exists related to replacements. Parameters which are passed through replacements are not properly escaped which can lead to arbitrary SQL injection depending on the specific queries in use. 
The issue has been fixed in Sequelize 6.19.1. Users are advised to upgrade. Users unable to upgrade should not use the `replacements` and the `where` option in the same query.", + "Severity": "CRITICAL", + "CweIDs": [ + "CWE-89" ], - "PublishedDate": "2021-03-03T02:15:00Z", - "LastModifiedDate": "2021-03-09T15:35:00Z" + "VendorSeverity": { + "ghsa": 4, + "nvd": 4 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", + "V3Score": 10 + }, + "nvd": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "V3Score": 9.8 + } + }, + "References": [ + "https://github.com/sequelize/sequelize", + "https://github.com/sequelize/sequelize/commit/ccaa3996047fe00048d5993ab2dd43ebadd4f78b", + "https://github.com/sequelize/sequelize/issues/14519", + "https://github.com/sequelize/sequelize/releases/tag/v6.19.1", + "https://github.com/sequelize/sequelize/security/advisories/GHSA-wrh9-cjv3-2hpw", + "https://nvd.nist.gov/vuln/detail/CVE-2023-25813", + "https://security.snyk.io/vuln/SNYK-JS-SEQUELIZE-2932027" + ], + "PublishedDate": "2023-02-22T19:15:11.777Z", + "LastModifiedDate": "2023-03-03T02:04:19.6Z" }, { - "VulnerabilityID": "CVE-2016-1000237", - "PkgName": "sanitize-html", - "PkgPath": "juice-shop/node_modules/sanitize-html/package.json", - "InstalledVersion": "1.4.2", - "FixedVersion": "1.4.3", + "VulnerabilityID": "CVE-2023-22580", + "PkgID": "sequelize@5.21.6", + "PkgName": "sequelize", + "PkgPath": "juice-shop/node_modules/sequelize/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/sequelize@5.21.6", + "UID": "2f142e453dc6f0cf" + }, + "InstalledVersion": "5.21.6", + "FixedVersion": "6.28.1", + "Status": "fixed", "Layer": { "Digest": "sha256:372ee704575ced2099853693fdb4f8770cd71b4bfcc2bf639c8e9f9d481ede37", "DiffID": "sha256:6de27bb627f066285f0628172e686caf3e388a3bf266606c88d619d87d14aae3" }, - "SeveritySource": "nvd", - "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2016-1000237", - "Title": "XSS - Sanitization not applied 
recursively", - "Description": "sanitize-html before 1.4.3 has XSS.", + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2023-22580", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Title": "Sequelize information disclosure vulnerability", + "Description": "Due to improper input filtering in the sequalize js library, can malicious queries lead to sensitive information disclosure.", "Severity": "MEDIUM", "CweIDs": [ - "CWE-79" + "CWE-200" ], + "VendorSeverity": { + "ghsa": 2, + "nvd": 3 + }, "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", + "V3Score": 5.3 + }, "nvd": { - "V2Vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N", - "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", - "V2Score": 4.3, - "V3Score": 6.1 + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", + "V3Score": 7.5 } }, "References": [ - "https://github.com/advisories/GHSA-3j7m-hmh3-9jmp", - "https://github.com/punkave/sanitize-html/issues/29", - "https://nodesecurity.io/advisories/135", - "https://nvd.nist.gov/vuln/detail/CVE-2016-1000237", - "https://raw.githubusercontent.com/distributedweaknessfiling/cvelist/master/2016/1000xxx/CVE-2016-1000237.json" - ], - "PublishedDate": "2020-01-23T15:15:00Z", - "LastModifiedDate": "2020-01-24T19:44:00Z" + "https://csirt.divd.nl/CVE-2023-22580", + "https://csirt.divd.nl/DIVD-2022-00020", + "https://csirt.divd.nl/DIVD-2022-00020/", + "https://github.com/sequelize/sequelize", + "https://github.com/sequelize/sequelize/pull/15375", + "https://github.com/sequelize/sequelize/pull/15699", + "https://github.com/sequelize/sequelize/releases/tag/v6.28.1", + "https://github.com/sequelize/sequelize/releases/tag/v7.0.0-alpha.20", + "https://nvd.nist.gov/vuln/detail/CVE-2023-22580" + ], + "PublishedDate": "2023-02-16T15:15:18.727Z", + "LastModifiedDate": "2023-04-28T18:52:21.847Z" }, { - 
"VulnerabilityID": "CVE-2017-16016", - "PkgName": "sanitize-html", - "PkgPath": "juice-shop/node_modules/sanitize-html/package.json", - "InstalledVersion": "1.4.2", - "FixedVersion": "1.11.4", + "VulnerabilityID": "CVE-2024-43800", + "PkgID": "serve-static@1.14.1", + "PkgName": "serve-static", + "PkgPath": "juice-shop/node_modules/serve-static/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/serve-static@1.14.1", + "UID": "64ee99b4a44131f2" + }, + "InstalledVersion": "1.14.1", + "FixedVersion": "1.16.0, 2.1.0", + "Status": "fixed", "Layer": { "Digest": "sha256:372ee704575ced2099853693fdb4f8770cd71b4bfcc2bf639c8e9f9d481ede37", "DiffID": "sha256:6de27bb627f066285f0628172e686caf3e388a3bf266606c88d619d87d14aae3" }, - "SeveritySource": "nvd", - "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2017-16016", - "Title": "Cross-Site Scripting in sanitize-html", - "Description": "Sanitize-html is a library for scrubbing html input of malicious values. Versions 1.11.1 and below are vulnerable to cross site scripting (XSS) in certain scenarios: If allowed at least one nonTextTags, the result is a potential XSS vulnerability.", + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2024-43800", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Title": "serve-static: Improper Sanitization in serve-static", + "Description": "serve-static serves static files. serve-static passes untrusted user input - even after sanitizing it - to redirect() may execute untrusted code. 
This issue is patched in serve-static 1.16.0.", "Severity": "MEDIUM", "CweIDs": [ "CWE-79" ], + "VendorSeverity": { + "cbl-mariner": 2, + "ghsa": 2, + "nvd": 2, + "redhat": 2 + }, "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L", + "V3Score": 5 + }, "nvd": { - "V2Vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N", - "V3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", - "V2Score": 4.3, - "V3Score": 6.1 + "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N", + "V3Score": 4.7 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L", + "V3Score": 5 } }, "References": [ - "https://github.com/advisories/GHSA-xc6g-ggrc-qq4r", - "https://github.com/punkave/sanitize-html/commit/5d205a1005ba0df80e21d8c64a15bb3accdb2403", - "https://github.com/punkave/sanitize-html/issues/100", - "https://nodesecurity.io/advisories/154", - "https://nvd.nist.gov/vuln/detail/CVE-2017-16016" - ], - "PublishedDate": "2018-06-04T19:29:00Z", - "LastModifiedDate": "2019-10-09T23:24:00Z" + "https://access.redhat.com/security/cve/CVE-2024-43800", + "https://github.com/expressjs/serve-static", + "https://github.com/expressjs/serve-static/commit/0c11fad159898cdc69fd9ab63269b72468ecaf6b", + "https://github.com/expressjs/serve-static/commit/ce730896fddce1588111d9ef6fdf20896de5c6fa", + "https://github.com/expressjs/serve-static/security/advisories/GHSA-cm22-4g7w-348p", + "https://nvd.nist.gov/vuln/detail/CVE-2024-43800", + "https://www.cve.org/CVERecord?id=CVE-2024-43800" + ], + "PublishedDate": "2024-09-10T15:15:17.937Z", + "LastModifiedDate": "2024-09-20T17:36:30.313Z" }, { - "VulnerabilityID": "CVE-2021-26539", - "PkgName": "sanitize-html", - "PkgPath": "juice-shop/node_modules/sanitize-html/package.json", - "InstalledVersion": "1.4.2", - "FixedVersion": "2.3.1", + "VulnerabilityID": "CVE-2022-0355", + "PkgID": "simple-get@3.1.0", + "PkgName": "simple-get", + "PkgPath": "juice-shop/node_modules/simple-get/package.json", + "PkgIdentifier": { + 
"PURL": "pkg:npm/simple-get@3.1.0", + "UID": "c18cc4cf6edbcc91" + }, + "InstalledVersion": "3.1.0", + "FixedVersion": "4.0.1, 3.1.1, 2.8.2", + "Status": "fixed", "Layer": { "Digest": "sha256:372ee704575ced2099853693fdb4f8770cd71b4bfcc2bf639c8e9f9d481ede37", "DiffID": "sha256:6de27bb627f066285f0628172e686caf3e388a3bf266606c88d619d87d14aae3" }, - "SeveritySource": "nvd", - "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2021-26539", - "Title": "sanitize-html: improper handling of internationalized domain name (IDN) can lead to bypass hostname whitelist validation", - "Description": "Apostrophe Technologies sanitize-html before 2.3.1 does not properly handle internationalized domain name (IDN) which could allow an attacker to bypass hostname whitelist validation set by the \"allowedIframeHostnames\" option.", - "Severity": "MEDIUM", + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2022-0355", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Title": "simple-get: exposure of sensitive information to an unauthorized actor", + "Description": "Improper Removal of Sensitive Information Before Storage or Transfer in NPM simple-get prior to 4.0.1.\n\n", + "Severity": "HIGH", + "CweIDs": [ + "CWE-212" + ], + "VendorSeverity": { + "ghsa": 3, + "nvd": 3, + "redhat": 2 + }, "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", + "V3Score": 7.5 + }, "nvd": { - "V2Vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N", - "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", + "V2Vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N", + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "V2Score": 5, - "V3Score": 5.3 + "V3Score": 7.5 }, "redhat": { - "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", - "V3Score": 5.3 + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", + "V3Score": 7.5 } }, "References": [ - 
"https://advisory.checkmarx.net/advisory/CX-2021-4308", - "https://github.com/advisories/GHSA-rjqq-98f6-6j3r", - "https://github.com/apostrophecms/sanitize-html/blob/main/CHANGELOG.md#231-2021-01-22", - "https://github.com/apostrophecms/sanitize-html/pull/458", - "https://nvd.nist.gov/vuln/detail/CVE-2021-26539" - ], - "PublishedDate": "2021-02-08T17:15:00Z", - "LastModifiedDate": "2021-03-25T23:15:00Z" + "https://access.redhat.com/security/cve/CVE-2022-0355", + "https://github.com/advisories/GHSA-wpg7-2c88-r8xv", + "https://github.com/feross/simple-get", + "https://github.com/feross/simple-get/commit/e4af095e06cd69a9235013e8507e220a79b9684f", + "https://github.com/feross/simple-get/pull/75#issuecomment-1027755026", + "https://github.com/feross/simple-get/pull/76#issuecomment-1027754710", + "https://huntr.dev/bounties/42c79c23-6646-46c4-871d-219c0d4b4e31", + "https://huntr.dev/bounties/42c79c23-6646-46c4-871d-219c0d4b4e31/", + "https://nvd.nist.gov/vuln/detail/CVE-2022-0355", + "https://www.cve.org/CVERecord?id=CVE-2022-0355" + ], + "PublishedDate": "2022-01-26T04:15:06.813Z", + "LastModifiedDate": "2023-08-02T09:15:11.547Z" }, { - "VulnerabilityID": "CVE-2021-26540", - "PkgName": "sanitize-html", - "PkgPath": "juice-shop/node_modules/sanitize-html/package.json", - "InstalledVersion": "1.4.2", - "FixedVersion": "2.3.2", + "VulnerabilityID": "CVE-2024-38355", + "PkgID": "socket.io@2.3.0", + "PkgName": "socket.io", + "PkgPath": "juice-shop/node_modules/socket.io/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/socket.io@2.3.0", + "UID": "2c5ff632350c32ee" + }, + "InstalledVersion": "2.3.0", + "FixedVersion": "2.5.1, 4.6.2", + "Status": "fixed", "Layer": { "Digest": "sha256:372ee704575ced2099853693fdb4f8770cd71b4bfcc2bf639c8e9f9d481ede37", "DiffID": "sha256:6de27bb627f066285f0628172e686caf3e388a3bf266606c88d619d87d14aae3" }, - "SeveritySource": "nvd", - "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2021-26540", - "Title": "sanitize-html: improper validation of 
hostnames set by the \"allowedIframeHostnames\" option can lead to bypass hostname whitelist for iframe element", - "Description": "Apostrophe Technologies sanitize-html before 2.3.2 does not properly validate the hostnames set by the \"allowedIframeHostnames\" option when the \"allowIframeRelativeUrls\" is set to true, which allows attackers to bypass hostname whitelist for iframe element, related using an src value that starts with \"/\\\\example.com\".", - "Severity": "MEDIUM", + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2024-38355", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Title": "socket.io: Unhandled 'error' event", + "Description": "Socket.IO is an open source, real-time, bidirectional, event-based, communication framework. A specially crafted Socket.IO packet can trigger an uncaught exception on the Socket.IO server, thus killing the Node.js process. This issue is fixed by commit `15af22fc22` which has been included in `socket.io@4.6.2` (released in May 2023). The fix was backported in the 2.x branch as well with commit `d30630ba10`. Users are advised to upgrade. 
Users unable to upgrade may attach a listener for the \"error\" event to catch these errors.\n", + "Severity": "HIGH", + "CweIDs": [ + "CWE-20", + "CWE-754" + ], + "VendorSeverity": { + "ghsa": 3, + "redhat": 3 + }, "CVSS": { - "nvd": { - "V2Vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N", - "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", - "V2Score": 5, - "V3Score": 5.3 + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", + "V3Score": 7.3 }, "redhat": { - "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", - "V3Score": 5.3 + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", + "V3Score": 7.3 } }, "References": [ - "https://advisory.checkmarx.net/advisory/CX-2021-4309", - "https://github.com/advisories/GHSA-mjxr-4v3x-q3m4", - "https://github.com/apostrophecms/sanitize-html/blob/main/CHANGELOG.md#232-2021-01-26", - "https://github.com/apostrophecms/sanitize-html/pull/460", - "https://nvd.nist.gov/vuln/detail/CVE-2021-26540" - ], - "PublishedDate": "2021-02-08T17:15:00Z", - "LastModifiedDate": "2021-04-01T15:02:00Z" + "https://access.redhat.com/security/cve/CVE-2024-38355", + "https://github.com/socketio/socket.io", + "https://github.com/socketio/socket.io/commit/15af22fc22bc6030fcead322c106f07640336115", + "https://github.com/socketio/socket.io/commit/d30630ba10562bf987f4d2b42440fc41a828119c", + "https://github.com/socketio/socket.io/security/advisories/GHSA-25hc-qcg6-38wj", + "https://nvd.nist.gov/vuln/detail/CVE-2024-38355", + "https://www.cve.org/CVERecord?id=CVE-2024-38355" + ], + "PublishedDate": "2024-06-19T20:15:11.18Z", + "LastModifiedDate": "2024-06-20T12:43:25.663Z" }, { - "VulnerabilityID": "NSWG-ECO-154", - "PkgName": "sanitize-html", - "PkgPath": "juice-shop/node_modules/sanitize-html/package.json", - "InstalledVersion": "1.4.2", - "FixedVersion": "\u003e=1.11.4", + "VulnerabilityID": "CVE-2020-28481", + "PkgID": "socket.io@2.3.0", + "PkgName": "socket.io", + "PkgPath": 
"juice-shop/node_modules/socket.io/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/socket.io@2.3.0", + "UID": "2c5ff632350c32ee" + }, + "InstalledVersion": "2.3.0", + "FixedVersion": "2.4.0", + "Status": "fixed", "Layer": { "Digest": "sha256:372ee704575ced2099853693fdb4f8770cd71b4bfcc2bf639c8e9f9d481ede37", "DiffID": "sha256:6de27bb627f066285f0628172e686caf3e388a3bf266606c88d619d87d14aae3" }, - "Title": "Cross Site Scripting", - "Description": "Sanitize-html is a library for scrubbing html input of malicious values.\n\nVersions 1.11.1 and below are vulnerable to cross site scripting (XSS) in certain scenarios:\n\nIf allowed at least one nonTextTags, the result is a potential XSS vulnerability.\nPoC:\n\n```\nvar sanitizeHtml = require('sanitize-html');\n\nvar dirty = '!\u003ctextarea\u003e\u0026lt;/textarea\u0026gt;\u003csvg/onload=prompt`xs`\u0026gt;\u003c/textarea\u003e!';\nvar clean = sanitizeHtml(dirty, {\n allowedTags: [ 'textarea' ]\n});\n\nconsole.log(clean);\n\n// !\u003ctextarea\u003e\u003c/textarea\u003e\u003csvg/onload=prompt`xs`\u003e\u003c/textarea\u003e!\n```", + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2020-28481", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Title": "CORS misconfiguration in socket.io", + "Description": "The package socket.io before 2.4.0 are vulnerable to Insecure Defaults due to CORS Misconfiguration. 
All domains are whitelisted by default.", "Severity": "MEDIUM", + "CweIDs": [ + "CWE-346" + ], + "VendorSeverity": { + "ghsa": 2, + "nvd": 2 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", + "V3Score": 4.3 + }, + "nvd": { + "V2Vector": "AV:N/AC:L/Au:S/C:P/I:N/A:N", + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", + "V2Score": 4, + "V3Score": 4.3 + } + }, "References": [ - "https://github.com/punkave/sanitize-html/commit/5d205a1005ba0df80e21d8c64a15bb3accdb2403", - "https://github.com/punkave/sanitize-html/issues/100" - ] + "https://github.com/socketio/socket.io/commit/f78a575f66ab693c3ea96ea88429ddb1a44c86c7", + "https://github.com/socketio/socket.io/issues/3671", + "https://nvd.nist.gov/vuln/detail/CVE-2020-28481", + "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1056358", + "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1056357", + "https://snyk.io/vuln/SNYK-JS-SOCKETIO-1024859" + ], + "PublishedDate": "2021-01-19T15:15:12.06Z", + "LastModifiedDate": "2021-01-28T17:48:23.457Z" }, { - "VulnerabilityID": "CVE-2021-23440", - "PkgName": "set-value", - "PkgPath": "juice-shop/node_modules/set-value/package.json", - "InstalledVersion": "2.0.1", - "FixedVersion": "4.0.1", + "VulnerabilityID": "CVE-2022-2421", + "PkgID": "socket.io-parser@3.3.0", + "PkgName": "socket.io-parser", + "PkgPath": "juice-shop/node_modules/socket.io-client/node_modules/socket.io-parser/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/socket.io-parser@3.3.0", + "UID": "a3ee2805dc3bd63d" + }, + "InstalledVersion": "3.3.0", + "FixedVersion": "4.0.5, 4.2.1, 3.3.3, 3.4.2", + "Status": "fixed", "Layer": { "Digest": "sha256:372ee704575ced2099853693fdb4f8770cd71b4bfcc2bf639c8e9f9d481ede37", "DiffID": "sha256:6de27bb627f066285f0628172e686caf3e388a3bf266606c88d619d87d14aae3" }, - "SeveritySource": "nvd", - "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2021-23440", - "Title": "nodejs-set-value: type confusion allows bypass of CVE-2019-10747", - 
"Description": "This affects the package set-value before \u003c2.0.1, \u003e=3.0.0 \u003c4.0.1. A type confusion vulnerability can lead to a bypass of CVE-2019-10747 when the user-provided keys used in the path parameter are arrays.", + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2022-2421", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Title": "Insufficient validation when decoding a Socket.IO packet", + "Description": "Due to improper type validation in attachment parsing the Socket.io js library, it is possible to overwrite the _placeholder object which allows an attacker to place references to functions at arbitrary places in the resulting query object.", "Severity": "CRITICAL", "CweIDs": [ - "CWE-843" + "CWE-89" ], + "VendorSeverity": { + "ghsa": 4, + "nvd": 4 + }, "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "V3Score": 9.8 + }, "nvd": { - "V2Vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", - "V2Score": 7.5, "V3Score": 9.8 + } + }, + "References": [ + "https://csirt.divd.nl/CVE-2022-2421", + "https://csirt.divd.nl/DIVD-2022-00045", + "https://csirt.divd.nl/cases/DIVD-2022-00045", + "https://csirt.divd.nl/cves/CVE-2022-2421", + "https://github.com/socketio/socket.io-parser", + "https://github.com/socketio/socket.io-parser/commit/04d23cecafe1b859fb03e0cbf6ba3b74dff56d14", + "https://github.com/socketio/socket.io-parser/commit/b559f050ee02bd90bd853b9823f8de7fa94a80d4", + "https://github.com/socketio/socket.io-parser/commit/b5d0cb7dc56a0601a09b056beaeeb0e43b160050", + "https://github.com/socketio/socket.io-parser/commit/fb21e422fc193b34347395a33e0f625bebc09983", + "https://nvd.nist.gov/vuln/detail/CVE-2022-2421" + ], + "PublishedDate": "2022-10-26T10:15:16.78Z", + "LastModifiedDate": "2024-01-02T19:15:09.597Z" + }, + { + 
"VulnerabilityID": "CVE-2020-36049", + "PkgID": "socket.io-parser@3.3.0", + "PkgName": "socket.io-parser", + "PkgPath": "juice-shop/node_modules/socket.io-client/node_modules/socket.io-parser/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/socket.io-parser@3.3.0", + "UID": "a3ee2805dc3bd63d" + }, + "InstalledVersion": "3.3.0", + "FixedVersion": "3.3.2, 3.4.1", + "Status": "fixed", + "Layer": { + "Digest": "sha256:372ee704575ced2099853693fdb4f8770cd71b4bfcc2bf639c8e9f9d481ede37", + "DiffID": "sha256:6de27bb627f066285f0628172e686caf3e388a3bf266606c88d619d87d14aae3" + }, + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2020-36049", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Title": "yarnpkg-socket.io-parser: a denial of service (memory consumption) via a large packet because a concatenation approach is used", + "Description": "socket.io-parser before 3.4.1 allows attackers to cause a denial of service (memory consumption) via a large packet because a concatenation approach is used.", + "Severity": "HIGH", + "CweIDs": [ + "CWE-770" + ], + "VendorSeverity": { + "ghsa": 3, + "nvd": 3, + "redhat": 3 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 7.5 + }, + "nvd": { + "V2Vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P", + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V2Score": 5, + "V3Score": 7.5 }, "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 7.5 + } + }, + "References": [ + "https://access.redhat.com/security/cve/CVE-2020-36049", + "https://blog.caller.xyz/socketio-engineio-dos", + "https://blog.caller.xyz/socketio-engineio-dos/", + "https://github.com/bcaller/kill-engine-io", + "https://github.com/socketio/socket.io-parser/commit/dcb942d24db97162ad16a67c2a0cf30875342d55", + 
"https://github.com/socketio/socket.io-parser/releases/tag/3.3.2", + "https://github.com/socketio/socket.io-parser/releases/tag/3.4.1", + "https://nvd.nist.gov/vuln/detail/CVE-2020-36049", + "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1056753", + "https://www.cve.org/CVERecord?id=CVE-2020-36049", + "https://www.npmjs.com/package/socket.io-parser" + ], + "PublishedDate": "2021-01-08T00:15:11.187Z", + "LastModifiedDate": "2021-07-21T11:39:23.747Z" + }, + { + "VulnerabilityID": "CVE-2023-32695", + "PkgID": "socket.io-parser@3.3.0", + "PkgName": "socket.io-parser", + "PkgPath": "juice-shop/node_modules/socket.io-client/node_modules/socket.io-parser/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/socket.io-parser@3.3.0", + "UID": "a3ee2805dc3bd63d" + }, + "InstalledVersion": "3.3.0", + "FixedVersion": "4.2.3, 3.4.3, 3.3.4", + "Status": "fixed", + "Layer": { + "Digest": "sha256:372ee704575ced2099853693fdb4f8770cd71b4bfcc2bf639c8e9f9d481ede37", + "DiffID": "sha256:6de27bb627f066285f0628172e686caf3e388a3bf266606c88d619d87d14aae3" + }, + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2023-32695", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Title": "socket.io parser is a socket.io encoder and decoder written in JavaScr ...", + "Description": "socket.io parser is a socket.io encoder and decoder written in JavaScript complying with version 5 of socket.io-protocol. A specially crafted Socket.IO packet can trigger an uncaught exception on the Socket.IO server, thus killing the Node.js process. 
A patch has been released in version 4.2.3.\n\n", + "Severity": "HIGH", + "CweIDs": [ + "CWE-754", + "CWE-20" + ], + "VendorSeverity": { + "ghsa": 3, + "nvd": 3 + }, + "CVSS": { + "ghsa": { "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "V3Score": 7.3 + }, + "nvd": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 7.5 } }, "References": [ - "https://github.com/advisories/GHSA-4jqc-8m5r-9rpr", - "https://github.com/jonschlinkert/set-value/commit/7cf8073bb06bf0c15e08475f9f952823b4576452", - "https://github.com/jonschlinkert/set-value/pull/33", - "https://nvd.nist.gov/vuln/detail/CVE-2021-23440", - "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1584212", - "https://snyk.io/vuln/SNYK-JS-SETVALUE-1540541", - "https://www.huntr.dev/bounties/2eae1159-01de-4f82-a177-7478a408c4a2/" - ], - "PublishedDate": "2021-09-12T13:15:00Z", - "LastModifiedDate": "2021-11-03T20:29:00Z" + "https://github.com/socketio/socket.io-parser", + "https://github.com/socketio/socket.io-parser/commit/1c220ddbf45ea4b44bc8dbf6f9ae245f672ba1b9", + "https://github.com/socketio/socket.io-parser/commit/2dc3c92622dad113b8676be06f23b1ed46b02ced", + "https://github.com/socketio/socket.io-parser/commit/3b78117bf6ba7e99d7a5cfc1ba54d0477554a7f3", + "https://github.com/socketio/socket.io-parser/commit/ee006607495eca4ec7262ad080dd3a91439a5ba4", + "https://github.com/socketio/socket.io-parser/releases/tag/4.2.3", + "https://github.com/socketio/socket.io-parser/security/advisories/GHSA-cqmj-92xf-r6r9", + "https://nvd.nist.gov/vuln/detail/CVE-2023-32695" + ], + "PublishedDate": "2023-05-27T16:15:09.433Z", + "LastModifiedDate": "2023-06-05T15:54:48.487Z" }, { - "VulnerabilityID": "CVE-2020-28481", - "PkgName": "socket.io", - "PkgPath": "juice-shop/node_modules/socket.io/package.json", - "InstalledVersion": "2.3.0", - "FixedVersion": "2.4.0", + "VulnerabilityID": "CVE-2022-2421", + "PkgID": "socket.io-parser@3.4.0", + "PkgName": "socket.io-parser", + "PkgPath": 
"juice-shop/node_modules/socket.io-parser/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/socket.io-parser@3.4.0", + "UID": "e86428f1ace1193e" + }, + "InstalledVersion": "3.4.0", + "FixedVersion": "4.0.5, 4.2.1, 3.3.3, 3.4.2", + "Status": "fixed", "Layer": { "Digest": "sha256:372ee704575ced2099853693fdb4f8770cd71b4bfcc2bf639c8e9f9d481ede37", "DiffID": "sha256:6de27bb627f066285f0628172e686caf3e388a3bf266606c88d619d87d14aae3" }, - "SeveritySource": "nvd", - "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2020-28481", - "Title": "Insecure defaults due to CORS misconfiguration in socket.io", - "Description": "The package socket.io before 2.4.0 are vulnerable to Insecure Defaults due to CORS Misconfiguration. All domains are whitelisted by default.", - "Severity": "MEDIUM", + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2022-2421", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Title": "Insufficient validation when decoding a Socket.IO packet", + "Description": "Due to improper type validation in attachment parsing the Socket.io js library, it is possible to overwrite the _placeholder object which allows an attacker to place references to functions at arbitrary places in the resulting query object.", + "Severity": "CRITICAL", "CweIDs": [ - "CWE-346" + "CWE-89" ], + "VendorSeverity": { + "ghsa": 4, + "nvd": 4 + }, "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "V3Score": 9.8 + }, "nvd": { - "V2Vector": "AV:N/AC:L/Au:S/C:P/I:N/A:N", - "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", - "V2Score": 4, - "V3Score": 4.3 + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "V3Score": 9.8 } }, "References": [ - "https://github.com/advisories/GHSA-fxwf-4rqh-v8g3", - "https://github.com/socketio/socket.io/issues/3671", - "https://nvd.nist.gov/vuln/detail/CVE-2020-28481", 
- "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1056358", - "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1056357", - "https://snyk.io/vuln/SNYK-JS-SOCKETIO-1024859" - ], - "PublishedDate": "2021-01-19T15:15:00Z", - "LastModifiedDate": "2021-01-28T17:48:00Z" + "https://csirt.divd.nl/CVE-2022-2421", + "https://csirt.divd.nl/DIVD-2022-00045", + "https://csirt.divd.nl/cases/DIVD-2022-00045", + "https://csirt.divd.nl/cves/CVE-2022-2421", + "https://github.com/socketio/socket.io-parser", + "https://github.com/socketio/socket.io-parser/commit/04d23cecafe1b859fb03e0cbf6ba3b74dff56d14", + "https://github.com/socketio/socket.io-parser/commit/b559f050ee02bd90bd853b9823f8de7fa94a80d4", + "https://github.com/socketio/socket.io-parser/commit/b5d0cb7dc56a0601a09b056beaeeb0e43b160050", + "https://github.com/socketio/socket.io-parser/commit/fb21e422fc193b34347395a33e0f625bebc09983", + "https://nvd.nist.gov/vuln/detail/CVE-2022-2421" + ], + "PublishedDate": "2022-10-26T10:15:16.78Z", + "LastModifiedDate": "2024-01-02T19:15:09.597Z" }, { "VulnerabilityID": "CVE-2020-36049", + "PkgID": "socket.io-parser@3.4.0", "PkgName": "socket.io-parser", - "PkgPath": "juice-shop/node_modules/socket.io-client/node_modules/socket.io-parser/package.json", - "InstalledVersion": "3.3.0", - "FixedVersion": "3.4.1, 3.3.2", + "PkgPath": "juice-shop/node_modules/socket.io-parser/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/socket.io-parser@3.4.0", + "UID": "e86428f1ace1193e" + }, + "InstalledVersion": "3.4.0", + "FixedVersion": "3.3.2, 3.4.1", + "Status": "fixed", "Layer": { "Digest": "sha256:372ee704575ced2099853693fdb4f8770cd71b4bfcc2bf639c8e9f9d481ede37", "DiffID": "sha256:6de27bb627f066285f0628172e686caf3e388a3bf266606c88d619d87d14aae3" }, - "SeveritySource": "nvd", + "SeveritySource": "ghsa", "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2020-36049", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": 
"https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, "Title": "yarnpkg-socket.io-parser: a denial of service (memory consumption) via a large packet because a concatenation approach is used", "Description": "socket.io-parser before 3.4.1 allows attackers to cause a denial of service (memory consumption) via a large packet because a concatenation approach is used.", "Severity": "HIGH", "CweIDs": [ - "CWE-400" + "CWE-770" ], + "VendorSeverity": { + "ghsa": 3, + "nvd": 3, + "redhat": 3 + }, "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 7.5 + }, "nvd": { "V2Vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", 
@@ -3331,73 +14060,117 @@ } }, "References": [ + "https://access.redhat.com/security/cve/CVE-2020-36049", + "https://blog.caller.xyz/socketio-engineio-dos", "https://blog.caller.xyz/socketio-engineio-dos/", - "https://github.com/advisories/GHSA-xfhh-g9f5-x4m4", "https://github.com/bcaller/kill-engine-io", "https://github.com/socketio/socket.io-parser/commit/dcb942d24db97162ad16a67c2a0cf30875342d55", + "https://github.com/socketio/socket.io-parser/releases/tag/3.3.2", + "https://github.com/socketio/socket.io-parser/releases/tag/3.4.1", "https://nvd.nist.gov/vuln/detail/CVE-2020-36049", - "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1056753" + "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1056753", + "https://www.cve.org/CVERecord?id=CVE-2020-36049", + "https://www.npmjs.com/package/socket.io-parser" ], - "PublishedDate": "2021-01-08T00:15:00Z", - "LastModifiedDate": "2021-07-21T11:39:00Z" + "PublishedDate": "2021-01-08T00:15:11.187Z", + "LastModifiedDate": "2021-07-21T11:39:23.747Z" }, { - "VulnerabilityID": "CVE-2020-36049", + "VulnerabilityID": "CVE-2023-32695", + "PkgID": "socket.io-parser@3.4.0", "PkgName": "socket.io-parser", "PkgPath": "juice-shop/node_modules/socket.io-parser/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/socket.io-parser@3.4.0", + "UID": "e86428f1ace1193e" + }, "InstalledVersion": "3.4.0", - "FixedVersion": "3.4.1, 3.3.2", + "FixedVersion": "4.2.3, 3.4.3, 3.3.4", + "Status": "fixed", "Layer": { "Digest": "sha256:372ee704575ced2099853693fdb4f8770cd71b4bfcc2bf639c8e9f9d481ede37", "DiffID": "sha256:6de27bb627f066285f0628172e686caf3e388a3bf266606c88d619d87d14aae3" }, - "SeveritySource": "nvd", - "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2020-36049", - "Title": "yarnpkg-socket.io-parser: a denial of service (memory consumption) via a large packet because a concatenation approach is used", - "Description": "socket.io-parser before 3.4.1 allows attackers to cause a denial of service (memory consumption) via a large packet because a 
concatenation approach is used.", + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2023-32695", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Title": "socket.io parser is a socket.io encoder and decoder written in JavaScr ...", + "Description": "socket.io parser is a socket.io encoder and decoder written in JavaScript complying with version 5 of socket.io-protocol. A specially crafted Socket.IO packet can trigger an uncaught exception on the Socket.IO server, thus killing the Node.js process. A patch has been released in version 4.2.3.\n\n", "Severity": "HIGH", "CweIDs": [ - "CWE-400" + "CWE-754", + "CWE-20" ], + "VendorSeverity": { + "ghsa": 3, + "nvd": 3 + }, "CVSS": { - "nvd": { - "V2Vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P", - "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", - "V2Score": 5, - "V3Score": 7.5 + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", + "V3Score": 7.3 }, - "redhat": { + "nvd": { "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "V3Score": 7.5 } }, "References": [ - "https://blog.caller.xyz/socketio-engineio-dos/", - "https://github.com/advisories/GHSA-xfhh-g9f5-x4m4", - "https://github.com/bcaller/kill-engine-io", - "https://github.com/socketio/socket.io-parser/commit/dcb942d24db97162ad16a67c2a0cf30875342d55", - "https://nvd.nist.gov/vuln/detail/CVE-2020-36049", - "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1056753" - ], - "PublishedDate": "2021-01-08T00:15:00Z", - "LastModifiedDate": "2021-07-21T11:39:00Z" + "https://github.com/socketio/socket.io-parser", + "https://github.com/socketio/socket.io-parser/commit/1c220ddbf45ea4b44bc8dbf6f9ae245f672ba1b9", + "https://github.com/socketio/socket.io-parser/commit/2dc3c92622dad113b8676be06f23b1ed46b02ced", + "https://github.com/socketio/socket.io-parser/commit/3b78117bf6ba7e99d7a5cfc1ba54d0477554a7f3", + 
"https://github.com/socketio/socket.io-parser/commit/ee006607495eca4ec7262ad080dd3a91439a5ba4", + "https://github.com/socketio/socket.io-parser/releases/tag/4.2.3", + "https://github.com/socketio/socket.io-parser/security/advisories/GHSA-cqmj-92xf-r6r9", + "https://nvd.nist.gov/vuln/detail/CVE-2023-32695" + ], + "PublishedDate": "2023-05-27T16:15:09.433Z", + "LastModifiedDate": "2023-06-05T15:54:48.487Z" }, { "VulnerabilityID": "CVE-2021-27290", + "PkgID": "ssri@6.0.1", "PkgName": "ssri", "PkgPath": "usr/local/lib/node_modules/npm/node_modules/ssri/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/ssri@6.0.1", + "UID": "ffab25e3650ef307" + }, "InstalledVersion": "6.0.1", - "FixedVersion": "8.0.1, 7.1.1, 6.0.2", + "FixedVersion": "6.0.2, 7.1.1, 8.0.1", + "Status": "fixed", "Layer": { "Digest": "sha256:1e6875f31a79a89ba75198be98bcf8542ebf5bedc72e713643f8051c1de5f953", "DiffID": "sha256:b745c9620c42ed8b3d44112811e039e9e673072cef3bb5740bb1d560a40b1f8a" }, - "SeveritySource": "nvd", + "SeveritySource": "ghsa", "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2021-27290", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, "Title": "nodejs-ssri: Regular expression DoS (ReDoS) when parsing malicious SRI in strict mode", "Description": "ssri 5.2.2-8.0.0, fixed in 8.0.1, processes SRIs using a regular expression which is vulnerable to a denial of service. Malicious SRIs could take an extremely long time to process, leading to denial of service. This issue only affects consumers using the strict option.", "Severity": "HIGH", + "VendorSeverity": { + "alma": 2, + "ghsa": 3, + "nvd": 3, + "oracle-oval": 2, + "redhat": 2, + "ubuntu": 2 + }, "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 7.5 + }, "nvd": { "V2Vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P", "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", 
@@ -3410,38 +14183,237 @@ } }, "References": [ - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-27290", + "https://access.redhat.com/security/cve/CVE-2021-27290", + "https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf", "https://doyensec.com/resources/Doyensec_Advisory_ssri_redos.pdf", - "https://github.com/advisories/GHSA-vx3p-948g-6vhq", + "https://errata.almalinux.org/8/ALSA-2021-3074.html", + "https://github.com/npm/ssri", + "https://github.com/npm/ssri/commit/76e223317d971f19e4db8191865bdad5edee40d2", + "https://github.com/npm/ssri/commit/809c84d09ea87c3857fa171d42914586899d4538", + "https://github.com/npm/ssri/commit/b30dfdb00bb94ddc49a25a85a18fb27afafdfbb1", + "https://github.com/npm/ssri/pull/20#issuecomment-842677644", "https://github.com/yetingli/SaveResults/blob/main/pdf/ssri-redos.pdf", "https://linux.oracle.com/cve/CVE-2021-27290.html", "https://linux.oracle.com/errata/ELSA-2021-3074.html", "https://npmjs.com", "https://nvd.nist.gov/vuln/detail/CVE-2021-27290", + "https://www.cve.org/CVERecord?id=CVE-2021-27290", + "https://www.npmjs.com/package/ssri", + "https://www.oracle.com/security-alerts/cpuoct2021.html" + ], + "PublishedDate": "2021-03-12T22:15:14.843Z", + "LastModifiedDate": "2022-05-13T20:51:41.243Z" + }, + { + "VulnerabilityID": "CVE-2021-46708", + "PkgID": "swagger-ui-dist@3.25.0", + "PkgName": "swagger-ui-dist", + "PkgPath": "juice-shop/node_modules/swagger-ui-dist/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/swagger-ui-dist@3.25.0", + "UID": "45dce8ae9ccfc5f4" + }, + "InstalledVersion": "3.25.0", + "FixedVersion": "4.1.3", + "Status": "fixed", + "Layer": { + "Digest": "sha256:372ee704575ced2099853693fdb4f8770cd71b4bfcc2bf639c8e9f9d481ede37", + "DiffID": "sha256:6de27bb627f066285f0628172e686caf3e388a3bf266606c88d619d87d14aae3" + }, + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2021-46708", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": 
"https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Title": "Spoofing attack in swagger-ui-dist", + "Description": "The swagger-ui-dist package before 4.1.3 for Node.js could allow a remote attacker to hijack the clicking action of the victim. By persuading a victim to visit a malicious Web site, a remote attacker could exploit this vulnerability to hijack the victim's click actions and possibly launch further attacks against the victim.", + "Severity": "MEDIUM", + "CweIDs": [ + "CWE-1021" + ], + "VendorSeverity": { + "ghsa": 2, + "nvd": 2 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", + "V3Score": 6.1 + }, + "nvd": { + "V2Vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N", + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", + "V2Score": 4.3, + "V3Score": 6.1 + } + }, + "References": [ + "https://github.com/swagger-api/swagger-ui", + "https://nvd.nist.gov/vuln/detail/CVE-2021-46708", + "https://security.netapp.com/advisory/ntap-20220407-0004", + "https://security.netapp.com/advisory/ntap-20220407-0004/", + "https://security.snyk.io/vuln/SNYK-JS-SWAGGERUIDIST-2314884", + "https://www.npmjs.com/package/swagger-ui-dist/v/4.1.3" + ], + "PublishedDate": "2022-03-11T07:15:07.927Z", + "LastModifiedDate": "2023-03-28T14:39:17.107Z" + }, + { + "VulnerabilityID": "GHSA-qrmm-w75w-3wpx", + "PkgID": "swagger-ui-dist@3.25.0", + "PkgName": "swagger-ui-dist", + "PkgPath": "juice-shop/node_modules/swagger-ui-dist/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/swagger-ui-dist@3.25.0", + "UID": "45dce8ae9ccfc5f4" + }, + "InstalledVersion": "3.25.0", + "FixedVersion": "4.1.3", + "Status": "fixed", + "Layer": { + "Digest": "sha256:372ee704575ced2099853693fdb4f8770cd71b4bfcc2bf639c8e9f9d481ede37", + "DiffID": "sha256:6de27bb627f066285f0628172e686caf3e388a3bf266606c88d619d87d14aae3" + }, + "SeveritySource": "ghsa", + "PrimaryURL": "https://github.com/advisories/GHSA-qrmm-w75w-3wpx", + "DataSource": { + "ID": 
"ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Title": "Server side request forgery in SwaggerUI", + "Description": "SwaggerUI supports displaying remote OpenAPI definitions through the `?url` parameter. This enables robust demonstration capabilities on sites like `petstore.swagger.io`, `editor.swagger.io`, and similar sites, where users often want to see what their OpenAPI definitions would look like rendered.\n\nHowever, this functionality may pose a risk for users who host their own SwaggerUI instances. In particular, including remote OpenAPI definitions opens a vector for phishing attacks by abusing the trusted names/domains of self-hosted instances.\n\nAn example scenario abusing this functionality could take the following form:\n- `https://example.com/api-docs` hosts a version of SwaggerUI with `?url=` query parameter enabled.\n- Users will trust the domain `https://example.com` and the contents of the OpenAPI definition.\n- A malicious actor may craft a similar OpenAPI definition and service that responds to the defined APIs at `https://evildomain`.\n- Users mistakenly click a phishing URL like `https://example.com/api-docs?url=https://evildomain/fakeapi.yaml` and enters sensitive data via the \"Try-it-out\" feature.\n\nWe do want to stress that this attack vector is limited to scenarios that actively trick users into divulging sensitive information. The ease of this is highly contextual and, therefore, the threat model may be different for individual users and organizations. It is *not* possible to perform non-interactive attacks (e.g., cross-site scripting or code injection) through this mechanism.\n\n### Resolution \nWe've made the decision to [disable query parameters (#4872)](https://github.com/swagger-api/swagger-ui/issues/4872) by default starting with SwaggerUI version `4.1.3`. Please update to this version when it becomes available (**ETA: 2021 December**). 
Users will still be able to be re-enable the options at their discretion. We'll continue to enable query parameters on the Swagger demo sites.\n\n### Workaround\nIf you host a version of SwaggerUI and wish to mitigate this issue immediately, you are encouraged to add the following custom plugin code:\n\n```js\nSwaggerUI({\n // ...other configuration options,\n plugins: [function UrlParamDisablePlugin() {\n return {\n statePlugins: {\n spec: {\n wrapActions: {\n // Remove the ?url parameter from loading an external OpenAPI definition.\n updateUrl: (oriAction) =\u003e (payload) =\u003e {\n const url = new URL(window.location.href)\n if (url.searchParams.has('url')) {\n url.searchParams.delete('url')\n window.location.replace(url.toString())\n }\n return oriAction(payload)\n }\n }\n }\n }\n }\n }],\n})\n```\n\n### Future UX work\n\nThrough the exploration of this issue, it became apparent that users may not be aware to which web server the Try-it-out function will send requests. While this information is currently presented at the top of the page, understanding may improve by displaying it closer to the \"Execute\" button where requests are actually made. We'll be exploring these UX improvements over the coming months and welcome community input. Please create a Feature Request under the GitHub Issue tab to start a conversation with us and the community.\n\n## Reflected XSS attack\n\n**Warning** in versions \u003c 3.38.0, it is possible to combine the URL options (as mentioned above) with a vulnerability in DOMPurify (https://www.cvedetails.com/cve/CVE-2020-26870/) to create a reflected XSS vector. 
If your version of Swagger UI is older than 3.38.0, we suggest you upgrade or implement the workaround as mentioned above.\n", + "Severity": "MEDIUM", + "VendorSeverity": { + "ghsa": 2 + }, + "References": [ + "https://github.com/domaindrivendev/Swashbuckle.AspNetCore/commit/401c7cb81e5efe835ceb8aae23e82057d57c7d29", + "https://github.com/swagger-api/swagger-ui", + "https://github.com/swagger-api/swagger-ui/commit/01a3e55960f864a0acf6a8d06e5ddaf6776a7f76", + "https://github.com/swagger-api/swagger-ui/issues/4872", + "https://github.com/swagger-api/swagger-ui/security/advisories/GHSA-qrmm-w75w-3wpx" + ] + }, + { + "VulnerabilityID": "CVE-2021-32803", + "PkgID": "tar@4.4.13", + "PkgName": "tar", + "PkgPath": "juice-shop/node_modules/tar/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/tar@4.4.13", + "UID": "cbb0d28be69485fa" + }, + "InstalledVersion": "4.4.13", + "FixedVersion": "3.2.3, 4.4.15, 5.0.7, 6.1.2", + "Status": "fixed", + "Layer": { + "Digest": "sha256:372ee704575ced2099853693fdb4f8770cd71b4bfcc2bf639c8e9f9d481ede37", + "DiffID": "sha256:6de27bb627f066285f0628172e686caf3e388a3bf266606c88d619d87d14aae3" + }, + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2021-32803", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Title": "nodejs-tar: Insufficient symlink protection allowing arbitrary file creation and overwrite", + "Description": "The npm package \"tar\" (aka node-tar) before versions 6.1.2, 5.0.7, 4.4.15, and 3.2.3 has an arbitrary File Creation/Overwrite vulnerability via insufficient symlink protection. `node-tar` aims to guarantee that any file whose location would be modified by a symbolic link is not extracted. This is, in part, achieved by ensuring that extracted directories are not symlinks. 
Additionally, in order to prevent unnecessary `stat` calls to determine whether a given path is a directory, paths are cached when directories are created. This logic was insufficient when extracting tar files that contained both a directory and a symlink with the same name as the directory. This order of operations resulted in the directory being created and added to the `node-tar` directory cache. When a directory is present in the directory cache, subsequent calls to mkdir for that directory are skipped. However, this is also where `node-tar` checks for symlinks occur. By first creating a directory, and then replacing that directory with a symlink, it was thus possible to bypass `node-tar` symlink checks on directories, essentially allowing an untrusted tar file to symlink into an arbitrary location and subsequently extracting arbitrary files into that location, thus allowing arbitrary file creation and overwrite. This issue was addressed in releases 3.2.3, 4.4.15, 5.0.7 and 6.1.2.", + "Severity": "HIGH", + "CweIDs": [ + "CWE-59", + "CWE-22" + ], + "VendorSeverity": { + "alma": 3, + "ghsa": 3, + "nvd": 3, + "oracle-oval": 3, + "redhat": 2 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N", + "V3Score": 8.2 + }, + "nvd": { + "V2Vector": "AV:N/AC:M/Au:N/C:N/I:P/A:P", + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H", + "V2Score": 5.8, + "V3Score": 8.1 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H", + "V3Score": 8.1 + } + }, + "References": [ + "https://access.redhat.com/security/cve/CVE-2021-32803", + "https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf", + "https://errata.almalinux.org/8/ALSA-2021-3666.html", + "https://github.com/isaacs/node-tar", + "https://github.com/isaacs/node-tar/commit/46fe35083e2676e31c4e0a81639dce6da7aaa356", + "https://github.com/isaacs/node-tar/commit/5987d9a41f6bfbf1ddab1098e1fdcf1a5618f571", + 
"https://github.com/isaacs/node-tar/commit/85d3a942b4064e4ff171f91696fced7975167349", + "https://github.com/isaacs/node-tar/commit/9dbdeb6df8e9dbd96fa9e84341b9d74734be6c20", + "https://github.com/npm/node-tar/commit/9dbdeb6df8e9dbd96fa9e84341b9d74734be6c20", + "https://github.com/npm/node-tar/security/advisories/GHSA-r628-mhmh-qjhw", + "https://linux.oracle.com/cve/CVE-2021-32803.html", + "https://linux.oracle.com/errata/ELSA-2021-3666.html", + "https://nvd.nist.gov/vuln/detail/CVE-2021-32803", + "https://www.cve.org/CVERecord?id=CVE-2021-32803", + "https://www.npmjs.com/advisories/1771", + "https://www.npmjs.com/package/tar", "https://www.oracle.com/security-alerts/cpuoct2021.html" ], - "PublishedDate": "2021-03-12T22:15:00Z", - "LastModifiedDate": "2021-10-20T11:16:00Z" + "PublishedDate": "2021-08-03T19:15:08.297Z", + "LastModifiedDate": "2022-07-02T18:28:32.41Z" }, { "VulnerabilityID": "CVE-2021-32803", + "PkgID": "tar@4.4.13", "PkgName": "tar", "PkgPath": "usr/local/lib/node_modules/npm/node_modules/tar/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/tar@4.4.13", + "UID": "d562d2ca966e2790" + }, "InstalledVersion": "4.4.13", - "FixedVersion": "6.1.2, 5.0.7, 4.4.15, 3.2.3", + "FixedVersion": "3.2.3, 4.4.15, 5.0.7, 6.1.2", + "Status": "fixed", "Layer": { "Digest": "sha256:1e6875f31a79a89ba75198be98bcf8542ebf5bedc72e713643f8051c1de5f953", "DiffID": "sha256:b745c9620c42ed8b3d44112811e039e9e673072cef3bb5740bb1d560a40b1f8a" }, - "SeveritySource": "nvd", + "SeveritySource": "ghsa", "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2021-32803", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, "Title": "nodejs-tar: Insufficient symlink protection allowing arbitrary file creation and overwrite", "Description": "The npm package \"tar\" (aka node-tar) before versions 6.1.2, 5.0.7, 4.4.15, and 3.2.3 has an arbitrary File Creation/Overwrite vulnerability via 
insufficient symlink protection. `node-tar` aims to guarantee that any file whose location would be modified by a symbolic link is not extracted. This is, in part, achieved by ensuring that extracted directories are not symlinks. Additionally, in order to prevent unnecessary `stat` calls to determine whether a given path is a directory, paths are cached when directories are created. This logic was insufficient when extracting tar files that contained both a directory and a symlink with the same name as the directory. This order of operations resulted in the directory being created and added to the `node-tar` directory cache. When a directory is present in the directory cache, subsequent calls to mkdir for that directory are skipped. However, this is also where `node-tar` checks for symlinks occur. By first creating a directory, and then replacing that directory with a symlink, it was thus possible to bypass `node-tar` symlink checks on directories, essentially allowing an untrusted tar file to symlink into an arbitrary location and subsequently extracting arbitrary files into that location, thus allowing arbitrary file creation and overwrite. This issue was addressed in releases 3.2.3, 4.4.15, 5.0.7 and 6.1.2.", "Severity": "HIGH", "CweIDs": [ + "CWE-59", "CWE-22" ], + "VendorSeverity": { + "alma": 3, + "ghsa": 3, + "nvd": 3, + "oracle-oval": 3, + "redhat": 2 + }, "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N", + "V3Score": 8.2 + }, "nvd": { "V2Vector": "AV:N/AC:M/Au:N/C:N/I:P/A:P", "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H", 
@@ -3454,38 +14426,138 @@ } }, "References": [ - "https://github.com/advisories/GHSA-r628-mhmh-qjhw", + "https://access.redhat.com/security/cve/CVE-2021-32803", + "https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf", + "https://errata.almalinux.org/8/ALSA-2021-3666.html", + "https://github.com/isaacs/node-tar", + "https://github.com/isaacs/node-tar/commit/46fe35083e2676e31c4e0a81639dce6da7aaa356", + "https://github.com/isaacs/node-tar/commit/5987d9a41f6bfbf1ddab1098e1fdcf1a5618f571", + "https://github.com/isaacs/node-tar/commit/85d3a942b4064e4ff171f91696fced7975167349", + "https://github.com/isaacs/node-tar/commit/9dbdeb6df8e9dbd96fa9e84341b9d74734be6c20", "https://github.com/npm/node-tar/commit/9dbdeb6df8e9dbd96fa9e84341b9d74734be6c20", "https://github.com/npm/node-tar/security/advisories/GHSA-r628-mhmh-qjhw", "https://linux.oracle.com/cve/CVE-2021-32803.html", "https://linux.oracle.com/errata/ELSA-2021-3666.html", "https://nvd.nist.gov/vuln/detail/CVE-2021-32803", + "https://www.cve.org/CVERecord?id=CVE-2021-32803", "https://www.npmjs.com/advisories/1771", "https://www.npmjs.com/package/tar", "https://www.oracle.com/security-alerts/cpuoct2021.html" ], - "PublishedDate": "2021-08-03T19:15:00Z", - "LastModifiedDate": "2021-10-20T11:16:00Z" + "PublishedDate": "2021-08-03T19:15:08.297Z", + "LastModifiedDate": "2022-07-02T18:28:32.41Z" + }, + { + "VulnerabilityID": "CVE-2021-32804", + "PkgID": "tar@4.4.13", + "PkgName": "tar", + "PkgPath": "juice-shop/node_modules/tar/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/tar@4.4.13", + "UID": "cbb0d28be69485fa" + }, + "InstalledVersion": "4.4.13", + "FixedVersion": "3.2.2, 4.4.14, 5.0.6, 6.1.1", + "Status": "fixed", + "Layer": { + "Digest": "sha256:372ee704575ced2099853693fdb4f8770cd71b4bfcc2bf639c8e9f9d481ede37", + "DiffID": "sha256:6de27bb627f066285f0628172e686caf3e388a3bf266606c88d619d87d14aae3" + }, + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2021-32804", + 
"DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Title": "nodejs-tar: Insufficient absolute path sanitization allowing arbitrary file creation and overwrite", + "Description": "The npm package \"tar\" (aka node-tar) before versions 6.1.1, 5.0.6, 4.4.14, and 3.3.2 has a arbitrary File Creation/Overwrite vulnerability due to insufficient absolute path sanitization. node-tar aims to prevent extraction of absolute file paths by turning absolute paths into relative paths when the `preservePaths` flag is not set to `true`. This is achieved by stripping the absolute path root from any absolute file paths contained in a tar file. For example `/home/user/.bashrc` would turn into `home/user/.bashrc`. This logic was insufficient when file paths contained repeated path roots such as `////home/user/.bashrc`. `node-tar` would only strip a single path root from such paths. When given an absolute file path with repeating path roots, the resulting path (e.g. `///home/user/.bashrc`) would still resolve to an absolute path, thus allowing arbitrary file creation and overwrite. This issue was addressed in releases 3.2.2, 4.4.14, 5.0.6 and 6.1.1. Users may work around this vulnerability without upgrading by creating a custom `onentry` method which sanitizes the `entry.path` or a `filter` method which removes entries with absolute paths. See referenced GitHub Advisory for details. 
Be aware of CVE-2021-32803 which fixes a similar bug in later versions of tar.", + "Severity": "HIGH", + "CweIDs": [ + "CWE-22" + ], + "VendorSeverity": { + "alma": 3, + "ghsa": 3, + "nvd": 3, + "oracle-oval": 3, + "redhat": 2 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N", + "V3Score": 8.2 + }, + "nvd": { + "V2Vector": "AV:N/AC:M/Au:N/C:N/I:P/A:P", + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H", + "V2Score": 5.8, + "V3Score": 8.1 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H", + "V3Score": 8.1 + } + }, + "References": [ + "https://access.redhat.com/security/cve/CVE-2021-32804", + "https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf", + "https://errata.almalinux.org/8/ALSA-2021-3666.html", + "https://github.com/npm/node-tar", + "https://github.com/npm/node-tar/commit/1f036ca23f64a547bdd6c79c1a44bc62e8115da4", + "https://github.com/npm/node-tar/security/advisories/GHSA-3jfq-g458-7qm9", + "https://linux.oracle.com/cve/CVE-2021-32804.html", + "https://linux.oracle.com/errata/ELSA-2021-3666.html", + "https://nvd.nist.gov/vuln/detail/CVE-2021-32804", + "https://www.cve.org/CVERecord?id=CVE-2021-32804", + "https://www.npmjs.com/advisories/1770", + "https://www.npmjs.com/package/tar", + "https://www.oracle.com/security-alerts/cpuoct2021.html" + ], + "PublishedDate": "2021-08-03T19:15:08.41Z", + "LastModifiedDate": "2022-04-25T19:12:42.19Z" }, { "VulnerabilityID": "CVE-2021-32804", + "PkgID": "tar@4.4.13", "PkgName": "tar", "PkgPath": "usr/local/lib/node_modules/npm/node_modules/tar/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/tar@4.4.13", + "UID": "d562d2ca966e2790" + }, "InstalledVersion": "4.4.13", - "FixedVersion": "6.1.1, 5.0.6, 4.4.14, 3.2.2", + "FixedVersion": "3.2.2, 4.4.14, 5.0.6, 6.1.1", + "Status": "fixed", "Layer": { "Digest": "sha256:1e6875f31a79a89ba75198be98bcf8542ebf5bedc72e713643f8051c1de5f953", "DiffID": 
"sha256:b745c9620c42ed8b3d44112811e039e9e673072cef3bb5740bb1d560a40b1f8a" }, - "SeveritySource": "nvd", + "SeveritySource": "ghsa", "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2021-32804", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, "Title": "nodejs-tar: Insufficient absolute path sanitization allowing arbitrary file creation and overwrite", "Description": "The npm package \"tar\" (aka node-tar) before versions 6.1.1, 5.0.6, 4.4.14, and 3.3.2 has a arbitrary File Creation/Overwrite vulnerability due to insufficient absolute path sanitization. node-tar aims to prevent extraction of absolute file paths by turning absolute paths into relative paths when the `preservePaths` flag is not set to `true`. This is achieved by stripping the absolute path root from any absolute file paths contained in a tar file. For example `/home/user/.bashrc` would turn into `home/user/.bashrc`. This logic was insufficient when file paths contained repeated path roots such as `////home/user/.bashrc`. `node-tar` would only strip a single path root from such paths. When given an absolute file path with repeating path roots, the resulting path (e.g. `///home/user/.bashrc`) would still resolve to an absolute path, thus allowing arbitrary file creation and overwrite. This issue was addressed in releases 3.2.2, 4.4.14, 5.0.6 and 6.1.1. Users may work around this vulnerability without upgrading by creating a custom `onentry` method which sanitizes the `entry.path` or a `filter` method which removes entries with absolute paths. See referenced GitHub Advisory for details. 
Be aware of CVE-2021-32803 which fixes a similar bug in later versions of tar.", "Severity": "HIGH", "CweIDs": [ "CWE-22" ], + "VendorSeverity": { + "alma": 3, + "ghsa": 3, + "nvd": 3, + "oracle-oval": 3, + "redhat": 2 + }, "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N", + "V3Score": 8.2 + }, "nvd": { "V2Vector": "AV:N/AC:M/Au:N/C:N/I:P/A:P", "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H", 
@@ -3498,39 +14570,209 @@ } }, "References": [ - "https://github.com/advisories/GHSA-3jfq-g458-7qm9", - "https://github.com/npm/node-tar/commit/1f036ca23f64a547bdd6c79c1a44bc62e8115da4", - "https://github.com/npm/node-tar/security/advisories/GHSA-3jfq-g458-7qm9", - "https://linux.oracle.com/cve/CVE-2021-32804.html", - "https://linux.oracle.com/errata/ELSA-2021-3666.html", - "https://nvd.nist.gov/vuln/detail/CVE-2021-32804", - "https://www.npmjs.com/advisories/1770", + "https://access.redhat.com/security/cve/CVE-2021-32804", + "https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf", + "https://errata.almalinux.org/8/ALSA-2021-3666.html", + "https://github.com/npm/node-tar", + "https://github.com/npm/node-tar/commit/1f036ca23f64a547bdd6c79c1a44bc62e8115da4", + "https://github.com/npm/node-tar/security/advisories/GHSA-3jfq-g458-7qm9", + "https://linux.oracle.com/cve/CVE-2021-32804.html", + "https://linux.oracle.com/errata/ELSA-2021-3666.html", + "https://nvd.nist.gov/vuln/detail/CVE-2021-32804", + "https://www.cve.org/CVERecord?id=CVE-2021-32804", + "https://www.npmjs.com/advisories/1770", + "https://www.npmjs.com/package/tar", + "https://www.oracle.com/security-alerts/cpuoct2021.html" + ], + "PublishedDate": "2021-08-03T19:15:08.41Z", + "LastModifiedDate": "2022-04-25T19:12:42.19Z" + }, + { + "VulnerabilityID": "CVE-2021-37701", + "PkgID": "tar@4.4.13", + "PkgName": "tar", + "PkgPath": "juice-shop/node_modules/tar/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/tar@4.4.13", + "UID": "cbb0d28be69485fa" + }, + "InstalledVersion": "4.4.13", + "FixedVersion": "4.4.16, 5.0.8, 6.1.7", + "Status": "fixed", + "Layer": { + "Digest": "sha256:372ee704575ced2099853693fdb4f8770cd71b4bfcc2bf639c8e9f9d481ede37", + "DiffID": "sha256:6de27bb627f066285f0628172e686caf3e388a3bf266606c88d619d87d14aae3" + }, + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2021-37701", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + 
"URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Title": "nodejs-tar: Insufficient symlink protection due to directory cache poisoning using symbolic links allowing arbitrary file creation and overwrite", + "Description": "The npm package \"tar\" (aka node-tar) before versions 4.4.16, 5.0.8, and 6.1.7 has an arbitrary file creation/overwrite and arbitrary code execution vulnerability. node-tar aims to guarantee that any file whose location would be modified by a symbolic link is not extracted. This is, in part, achieved by ensuring that extracted directories are not symlinks. Additionally, in order to prevent unnecessary stat calls to determine whether a given path is a directory, paths are cached when directories are created. This logic was insufficient when extracting tar files that contained both a directory and a symlink with the same name as the directory, where the symlink and directory names in the archive entry used backslashes as a path separator on posix systems. The cache checking logic used both `\\` and `/` characters as path separators, however `\\` is a valid filename character on posix systems. By first creating a directory, and then replacing that directory with a symlink, it was thus possible to bypass node-tar symlink checks on directories, essentially allowing an untrusted tar file to symlink into an arbitrary location and subsequently extracting arbitrary files into that location, thus allowing arbitrary file creation and overwrite. Additionally, a similar confusion could arise on case-insensitive filesystems. If a tar archive contained a directory at `FOO`, followed by a symbolic link named `foo`, then on case-insensitive file systems, the creation of the symbolic link would remove the directory from the filesystem, but _not_ from the internal directory cache, as it would not be treated as a cache hit. 
A subsequent file entry within the `FOO` directory would then be placed in the target of the symbolic link, thinking that the directory had already been created. These issues were addressed in releases 4.4.16, 5.0.8 and 6.1.7. The v3 branch of node-tar has been deprecated and did not receive patches for these issues. If you are still using a v3 release we recommend you update to a more recent version of node-tar. If this is not possible, a workaround is available in the referenced GHSA-9r2w-394v-53qc.", + "Severity": "HIGH", + "CweIDs": [ + "CWE-22", + "CWE-59" + ], + "VendorSeverity": { + "alma": 2, + "ghsa": 3, + "nvd": 3, + "oracle-oval": 2, + "redhat": 2 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N", + "V3Score": 8.2 + }, + "nvd": { + "V2Vector": "AV:L/AC:M/Au:N/C:P/I:P/A:P", + "V3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H", + "V2Score": 4.4, + "V3Score": 8.6 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H", + "V3Score": 8.1 + } + }, + "References": [ + "https://access.redhat.com/security/cve/CVE-2021-37701", + "https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf", + "https://errata.almalinux.org/8/ALSA-2022-0350.html", + "https://github.com/npm/node-tar", + "https://github.com/npm/node-tar/security/advisories/GHSA-9r2w-394v-53qc", + "https://linux.oracle.com/cve/CVE-2021-37701.html", + "https://linux.oracle.com/errata/ELSA-2022-0350.html", + "https://lists.debian.org/debian-lts-announce/2022/12/msg00023.html", + "https://nvd.nist.gov/vuln/detail/CVE-2021-37701", + "https://www.cve.org/CVERecord?id=CVE-2021-37701", + "https://www.debian.org/security/2021/dsa-5008", + "https://www.npmjs.com/advisories/1779", + "https://www.npmjs.com/package/tar", + "https://www.oracle.com/security-alerts/cpuoct2021.html" + ], + "PublishedDate": "2021-08-31T17:15:07.963Z", + "LastModifiedDate": "2023-01-19T20:11:48.61Z" + }, + { + "VulnerabilityID": "CVE-2021-37701", + "PkgID": 
"tar@4.4.13", + "PkgName": "tar", + "PkgPath": "usr/local/lib/node_modules/npm/node_modules/tar/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/tar@4.4.13", + "UID": "d562d2ca966e2790" + }, + "InstalledVersion": "4.4.13", + "FixedVersion": "4.4.16, 5.0.8, 6.1.7", + "Status": "fixed", + "Layer": { + "Digest": "sha256:1e6875f31a79a89ba75198be98bcf8542ebf5bedc72e713643f8051c1de5f953", + "DiffID": "sha256:b745c9620c42ed8b3d44112811e039e9e673072cef3bb5740bb1d560a40b1f8a" + }, + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2021-37701", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Title": "nodejs-tar: Insufficient symlink protection due to directory cache poisoning using symbolic links allowing arbitrary file creation and overwrite", + "Description": "The npm package \"tar\" (aka node-tar) before versions 4.4.16, 5.0.8, and 6.1.7 has an arbitrary file creation/overwrite and arbitrary code execution vulnerability. node-tar aims to guarantee that any file whose location would be modified by a symbolic link is not extracted. This is, in part, achieved by ensuring that extracted directories are not symlinks. Additionally, in order to prevent unnecessary stat calls to determine whether a given path is a directory, paths are cached when directories are created. This logic was insufficient when extracting tar files that contained both a directory and a symlink with the same name as the directory, where the symlink and directory names in the archive entry used backslashes as a path separator on posix systems. The cache checking logic used both `\\` and `/` characters as path separators, however `\\` is a valid filename character on posix systems. 
By first creating a directory, and then replacing that directory with a symlink, it was thus possible to bypass node-tar symlink checks on directories, essentially allowing an untrusted tar file to symlink into an arbitrary location and subsequently extracting arbitrary files into that location, thus allowing arbitrary file creation and overwrite. Additionally, a similar confusion could arise on case-insensitive filesystems. If a tar archive contained a directory at `FOO`, followed by a symbolic link named `foo`, then on case-insensitive file systems, the creation of the symbolic link would remove the directory from the filesystem, but _not_ from the internal directory cache, as it would not be treated as a cache hit. A subsequent file entry within the `FOO` directory would then be placed in the target of the symbolic link, thinking that the directory had already been created. These issues were addressed in releases 4.4.16, 5.0.8 and 6.1.7. The v3 branch of node-tar has been deprecated and did not receive patches for these issues. If you are still using a v3 release we recommend you update to a more recent version of node-tar. 
If this is not possible, a workaround is available in the referenced GHSA-9r2w-394v-53qc.", + "Severity": "HIGH", + "CweIDs": [ + "CWE-22", + "CWE-59" + ], + "VendorSeverity": { + "alma": 2, + "ghsa": 3, + "nvd": 3, + "oracle-oval": 2, + "redhat": 2 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N", + "V3Score": 8.2 + }, + "nvd": { + "V2Vector": "AV:L/AC:M/Au:N/C:P/I:P/A:P", + "V3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H", + "V2Score": 4.4, + "V3Score": 8.6 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H", + "V3Score": 8.1 + } + }, + "References": [ + "https://access.redhat.com/security/cve/CVE-2021-37701", + "https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf", + "https://errata.almalinux.org/8/ALSA-2022-0350.html", + "https://github.com/npm/node-tar", + "https://github.com/npm/node-tar/security/advisories/GHSA-9r2w-394v-53qc", + "https://linux.oracle.com/cve/CVE-2021-37701.html", + "https://linux.oracle.com/errata/ELSA-2022-0350.html", + "https://lists.debian.org/debian-lts-announce/2022/12/msg00023.html", + "https://nvd.nist.gov/vuln/detail/CVE-2021-37701", + "https://www.cve.org/CVERecord?id=CVE-2021-37701", + "https://www.debian.org/security/2021/dsa-5008", + "https://www.npmjs.com/advisories/1779", "https://www.npmjs.com/package/tar", "https://www.oracle.com/security-alerts/cpuoct2021.html" ], - "PublishedDate": "2021-08-03T19:15:00Z", - "LastModifiedDate": "2021-10-20T11:16:00Z" + "PublishedDate": "2021-08-31T17:15:07.963Z", + "LastModifiedDate": "2023-01-19T20:11:48.61Z" }, { - "VulnerabilityID": "CVE-2021-37701", + "VulnerabilityID": "CVE-2021-37712", + "PkgID": "tar@4.4.13", "PkgName": "tar", - "PkgPath": "usr/local/lib/node_modules/npm/node_modules/tar/package.json", + "PkgPath": "juice-shop/node_modules/tar/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/tar@4.4.13", + "UID": "cbb0d28be69485fa" + }, "InstalledVersion": "4.4.13", - "FixedVersion": 
"6.1.7, 5.0.8, 4.4.16", + "FixedVersion": "4.4.18, 5.0.10, 6.1.9", + "Status": "fixed", "Layer": { - "Digest": "sha256:1e6875f31a79a89ba75198be98bcf8542ebf5bedc72e713643f8051c1de5f953", - "DiffID": "sha256:b745c9620c42ed8b3d44112811e039e9e673072cef3bb5740bb1d560a40b1f8a" + "Digest": "sha256:372ee704575ced2099853693fdb4f8770cd71b4bfcc2bf639c8e9f9d481ede37", + "DiffID": "sha256:6de27bb627f066285f0628172e686caf3e388a3bf266606c88d619d87d14aae3" }, - "SeveritySource": "nvd", - "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2021-37701", - "Title": "nodejs-tar: insufficient symlink protection due to directory cache poisoning using symbolic links allowing arbitrary file creation and overwrite", - "Description": "The npm package \"tar\" (aka node-tar) before versions 4.4.16, 5.0.8, and 6.1.7 has an arbitrary file creation/overwrite and arbitrary code execution vulnerability. node-tar aims to guarantee that any file whose location would be modified by a symbolic link is not extracted. This is, in part, achieved by ensuring that extracted directories are not symlinks. Additionally, in order to prevent unnecessary stat calls to determine whether a given path is a directory, paths are cached when directories are created. This logic was insufficient when extracting tar files that contained both a directory and a symlink with the same name as the directory, where the symlink and directory names in the archive entry used backslashes as a path separator on posix systems. The cache checking logic used both `\\` and `/` characters as path separators, however `\\` is a valid filename character on posix systems. By first creating a directory, and then replacing that directory with a symlink, it was thus possible to bypass node-tar symlink checks on directories, essentially allowing an untrusted tar file to symlink into an arbitrary location and subsequently extracting arbitrary files into that location, thus allowing arbitrary file creation and overwrite. 
Additionally, a similar confusion could arise on case-insensitive filesystems. If a tar archive contained a directory at `FOO`, followed by a symbolic link named `foo`, then on case-insensitive file systems, the creation of the symbolic link would remove the directory from the filesystem, but _not_ from the internal directory cache, as it would not be treated as a cache hit. A subsequent file entry within the `FOO` directory would then be placed in the target of the symbolic link, thinking that the directory had already been created. These issues were addressed in releases 4.4.16, 5.0.8 and 6.1.7. The v3 branch of node-tar has been deprecated and did not receive patches for these issues. If you are still using a v3 release we recommend you update to a more recent version of node-tar. If this is not possible, a workaround is available in the referenced GHSA-9r2w-394v-53qc.", + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2021-37712", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Title": "nodejs-tar: Insufficient symlink protection due to directory cache poisoning using symbolic links allowing arbitrary file creation and overwrite", + "Description": "The npm package \"tar\" (aka node-tar) before versions 4.4.18, 5.0.10, and 6.1.9 has an arbitrary file creation/overwrite and arbitrary code execution vulnerability. node-tar aims to guarantee that any file whose location would be modified by a symbolic link is not extracted. This is, in part, achieved by ensuring that extracted directories are not symlinks. Additionally, in order to prevent unnecessary stat calls to determine whether a given path is a directory, paths are cached when directories are created. 
This logic was insufficient when extracting tar files that contained both a directory and a symlink with names containing unicode values that normalized to the same value. Additionally, on Windows systems, long path portions would resolve to the same file system entities as their 8.3 \"short path\" counterparts. A specially crafted tar archive could thus include a directory with one form of the path, followed by a symbolic link with a different string that resolves to the same file system entity, followed by a file using the first form. By first creating a directory, and then replacing that directory with a symlink that had a different apparent name that resolved to the same entry in the filesystem, it was thus possible to bypass node-tar symlink checks on directories, essentially allowing an untrusted tar file to symlink into an arbitrary location and subsequently extracting arbitrary files into that location, thus allowing arbitrary file creation and overwrite. These issues were addressed in releases 4.4.18, 5.0.10 and 6.1.9. The v3 branch of node-tar has been deprecated and did not receive patches for these issues. If you are still using a v3 release we recommend you update to a more recent version of node-tar. If this is not possible, a workaround is available in the referenced GHSA-qq89-hq3f-393p.", "Severity": "HIGH", "CweIDs": [ "CWE-22", "CWE-59" ], + "VendorSeverity": { + "alma": 2, + "ghsa": 3, + "nvd": 3, + "oracle-oval": 2, + "redhat": 2 + }, "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N", + "V3Score": 8.2 + }, "nvd": { "V2Vector": "AV:L/AC:M/Au:N/C:P/I:P/A:P", "V3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H", 
@@ -3543,36 +14785,72 @@ } }, "References": [ - "https://github.com/advisories/GHSA-9r2w-394v-53qc", - "https://github.com/npm/node-tar/security/advisories/GHSA-9r2w-394v-53qc", - "https://nvd.nist.gov/vuln/detail/CVE-2021-37701", - "https://www.npmjs.com/advisories/1779", + "https://access.redhat.com/security/cve/CVE-2021-37712", + "https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf", + "https://errata.almalinux.org/8/ALSA-2022-0350.html", + "https://github.com/isaacs/node-tar/commit/1739408d3122af897caefd09662bce2ea477533b", + "https://github.com/isaacs/node-tar/commit/2f1bca027286c23e110b8dfc7efc10756fa3db5a", + "https://github.com/isaacs/node-tar/commit/3aaf19b2501bbddb145d92b3322c80dcaed3c35f", + "https://github.com/isaacs/node-tar/commit/b6162c7fafe797f856564ef37f4b82747f051455", + "https://github.com/isaacs/node-tar/commit/bb93ba243746f705092905da1955ac3b0509ba1e", + "https://github.com/isaacs/node-tar/commit/d56f790bda9fea807dd80c5083f24771dbdd6eb1", + "https://github.com/npm/node-tar", + "https://github.com/npm/node-tar/security/advisories/GHSA-qq89-hq3f-393p", + "https://linux.oracle.com/cve/CVE-2021-37712.html", + "https://linux.oracle.com/errata/ELSA-2022-0350.html", + "https://lists.debian.org/debian-lts-announce/2022/12/msg00023.html", + "https://nvd.nist.gov/vuln/detail/CVE-2021-37712", + "https://www.cve.org/CVERecord?id=CVE-2021-37712", + "https://www.debian.org/security/2021/dsa-5008", + "https://www.npmjs.com/advisories/1780", "https://www.npmjs.com/package/tar", "https://www.oracle.com/security-alerts/cpuoct2021.html" ], - "PublishedDate": "2021-08-31T17:15:00Z", - "LastModifiedDate": "2021-10-20T11:17:00Z" + "PublishedDate": "2021-08-31T17:15:08.023Z", + "LastModifiedDate": "2023-02-23T02:28:11.843Z" }, { "VulnerabilityID": "CVE-2021-37712", + "PkgID": "tar@4.4.13", "PkgName": "tar", "PkgPath": "usr/local/lib/node_modules/npm/node_modules/tar/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/tar@4.4.13", + "UID": 
"d562d2ca966e2790" + }, "InstalledVersion": "4.4.13", - "FixedVersion": "6.1.9, 5.0.10, 4.4.18", + "FixedVersion": "4.4.18, 5.0.10, 6.1.9", + "Status": "fixed", "Layer": { "Digest": "sha256:1e6875f31a79a89ba75198be98bcf8542ebf5bedc72e713643f8051c1de5f953", "DiffID": "sha256:b745c9620c42ed8b3d44112811e039e9e673072cef3bb5740bb1d560a40b1f8a" }, - "SeveritySource": "nvd", + "SeveritySource": "ghsa", "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2021-37712", - "Title": "nodejs-tar: insufficient symlink protection due to directory cache poisoning using symbolic links allowing arbitrary file creation and overwrite", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Title": "nodejs-tar: Insufficient symlink protection due to directory cache poisoning using symbolic links allowing arbitrary file creation and overwrite", "Description": "The npm package \"tar\" (aka node-tar) before versions 4.4.18, 5.0.10, and 6.1.9 has an arbitrary file creation/overwrite and arbitrary code execution vulnerability. node-tar aims to guarantee that any file whose location would be modified by a symbolic link is not extracted. This is, in part, achieved by ensuring that extracted directories are not symlinks. Additionally, in order to prevent unnecessary stat calls to determine whether a given path is a directory, paths are cached when directories are created. This logic was insufficient when extracting tar files that contained both a directory and a symlink with names containing unicode values that normalized to the same value. Additionally, on Windows systems, long path portions would resolve to the same file system entities as their 8.3 \"short path\" counterparts. 
A specially crafted tar archive could thus include a directory with one form of the path, followed by a symbolic link with a different string that resolves to the same file system entity, followed by a file using the first form. By first creating a directory, and then replacing that directory with a symlink that had a different apparent name that resolved to the same entry in the filesystem, it was thus possible to bypass node-tar symlink checks on directories, essentially allowing an untrusted tar file to symlink into an arbitrary location and subsequently extracting arbitrary files into that location, thus allowing arbitrary file creation and overwrite. These issues were addressed in releases 4.4.18, 5.0.10 and 6.1.9. The v3 branch of node-tar has been deprecated and did not receive patches for these issues. If you are still using a v3 release we recommend you update to a more recent version of node-tar. If this is not possible, a workaround is available in the referenced GHSA-qq89-hq3f-393p.", "Severity": "HIGH", "CweIDs": [ "CWE-22", "CWE-59" ], + "VendorSeverity": { + "alma": 2, + "ghsa": 3, + "nvd": 3, + "oracle-oval": 2, + "redhat": 2 + }, "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N", + "V3Score": 8.2 + }, "nvd": { "V2Vector": "AV:L/AC:M/Au:N/C:P/I:P/A:P", "V3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H", 
@@ -3585,72 +14863,606 @@ } }, "References": [ - "https://github.com/advisories/GHSA-qq89-hq3f-393p", + "https://access.redhat.com/security/cve/CVE-2021-37712", + "https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf", + "https://errata.almalinux.org/8/ALSA-2022-0350.html", + "https://github.com/isaacs/node-tar/commit/1739408d3122af897caefd09662bce2ea477533b", + "https://github.com/isaacs/node-tar/commit/2f1bca027286c23e110b8dfc7efc10756fa3db5a", + "https://github.com/isaacs/node-tar/commit/3aaf19b2501bbddb145d92b3322c80dcaed3c35f", + "https://github.com/isaacs/node-tar/commit/b6162c7fafe797f856564ef37f4b82747f051455", + "https://github.com/isaacs/node-tar/commit/bb93ba243746f705092905da1955ac3b0509ba1e", + "https://github.com/isaacs/node-tar/commit/d56f790bda9fea807dd80c5083f24771dbdd6eb1", + "https://github.com/npm/node-tar", "https://github.com/npm/node-tar/security/advisories/GHSA-qq89-hq3f-393p", + "https://linux.oracle.com/cve/CVE-2021-37712.html", + "https://linux.oracle.com/errata/ELSA-2022-0350.html", + "https://lists.debian.org/debian-lts-announce/2022/12/msg00023.html", "https://nvd.nist.gov/vuln/detail/CVE-2021-37712", + "https://www.cve.org/CVERecord?id=CVE-2021-37712", + "https://www.debian.org/security/2021/dsa-5008", "https://www.npmjs.com/advisories/1780", "https://www.npmjs.com/package/tar", "https://www.oracle.com/security-alerts/cpuoct2021.html" ], - "PublishedDate": "2021-08-31T17:15:00Z", - "LastModifiedDate": "2021-10-20T11:17:00Z" + "PublishedDate": "2021-08-31T17:15:08.023Z", + "LastModifiedDate": "2023-02-23T02:28:11.843Z" + }, + { + "VulnerabilityID": "CVE-2021-37713", + "PkgID": "tar@4.4.13", + "PkgName": "tar", + "PkgPath": "juice-shop/node_modules/tar/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/tar@4.4.13", + "UID": "cbb0d28be69485fa" + }, + "InstalledVersion": "4.4.13", + "FixedVersion": "4.4.18, 5.0.10, 6.1.9", + "Status": "fixed", + "Layer": { + "Digest": 
"sha256:372ee704575ced2099853693fdb4f8770cd71b4bfcc2bf639c8e9f9d481ede37", + "DiffID": "sha256:6de27bb627f066285f0628172e686caf3e388a3bf266606c88d619d87d14aae3" + }, + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2021-37713", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Title": "nodejs-tar: Arbitrary File Creation/Overwrite on Windows via insufficient relative path sanitization", + "Description": "The npm package \"tar\" (aka node-tar) before versions 4.4.18, 5.0.10, and 6.1.9 has an arbitrary file creation/overwrite and arbitrary code execution vulnerability. node-tar aims to guarantee that any file whose location would be outside of the extraction target directory is not extracted. This is, in part, accomplished by sanitizing absolute paths of entries within the archive, skipping archive entries that contain `..` path portions, and resolving the sanitized paths against the extraction target directory. This logic was insufficient on Windows systems when extracting tar files that contained a path that was not an absolute path, but specified a drive letter different from the extraction target, such as `C:some\\path`. If the drive letter does not match the extraction target, for example `D:\\extraction\\dir`, then the result of `path.resolve(extractionDirectory, entryPath)` would resolve against the current working directory on the `C:` drive, rather than the extraction target directory. Additionally, a `..` portion of the path could occur immediately after the drive letter, such as `C:../foo`, and was not properly sanitized by the logic that checked for `..` within the normalized and split portions of the path. This only affects users of `node-tar` on Windows systems. These issues were addressed in releases 4.4.18, 5.0.10 and 6.1.9. 
The v3 branch of node-tar has been deprecated and did not receive patches for these issues. If you are still using a v3 release we recommend you update to a more recent version of node-tar. There is no reasonable way to work around this issue without performing the same path normalization procedures that node-tar now does. Users are encouraged to upgrade to the latest patched versions of node-tar, rather than attempt to sanitize paths themselves.", + "Severity": "HIGH", + "CweIDs": [ + "CWE-22" + ], + "VendorSeverity": { + "ghsa": 3, + "nvd": 3, + "redhat": 3 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N", + "V3Score": 8.2 + }, + "nvd": { + "V2Vector": "AV:L/AC:M/Au:N/C:P/I:P/A:P", + "V3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H", + "V2Score": 4.4, + "V3Score": 8.6 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N", + "V3Score": 8.2 + } + }, + "References": [ + "https://access.redhat.com/security/cve/CVE-2021-37713", + "https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf", + "https://github.com/isaacs/node-tar/commit/52b09e309bcae0c741a7eb79a17ef36e7828b946", + "https://github.com/isaacs/node-tar/commit/82eac952f7c10765969ed464e549375854b26edc", + "https://github.com/isaacs/node-tar/commit/875a37e3ec031186fc6599f6807341f56c584598", + "https://github.com/npm/node-tar", + "https://github.com/npm/node-tar/security/advisories/GHSA-5955-9wpr-37jh", + "https://nvd.nist.gov/vuln/detail/CVE-2021-37713", + "https://www.cve.org/CVERecord?id=CVE-2021-37713", + "https://www.npmjs.com/package/tar", + "https://www.oracle.com/security-alerts/cpuoct2021.html" + ], + "PublishedDate": "2021-08-31T17:15:08.087Z", + "LastModifiedDate": "2022-04-25T18:40:30.47Z" }, { "VulnerabilityID": "CVE-2021-37713", + "PkgID": "tar@4.4.13", "PkgName": "tar", "PkgPath": "usr/local/lib/node_modules/npm/node_modules/tar/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/tar@4.4.13", + "UID": 
"d562d2ca966e2790" + }, "InstalledVersion": "4.4.13", - "FixedVersion": "6.1.9, 5.0.10, 4.4.18", + "FixedVersion": "4.4.18, 5.0.10, 6.1.9", + "Status": "fixed", "Layer": { "Digest": "sha256:1e6875f31a79a89ba75198be98bcf8542ebf5bedc72e713643f8051c1de5f953", "DiffID": "sha256:b745c9620c42ed8b3d44112811e039e9e673072cef3bb5740bb1d560a40b1f8a" }, - "SeveritySource": "nvd", + "SeveritySource": "ghsa", "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2021-37713", - "Title": "Arbitrary File Creation/Overwrite on Windows via insufficient relative path sanitization", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Title": "nodejs-tar: Arbitrary File Creation/Overwrite on Windows via insufficient relative path sanitization", "Description": "The npm package \"tar\" (aka node-tar) before versions 4.4.18, 5.0.10, and 6.1.9 has an arbitrary file creation/overwrite and arbitrary code execution vulnerability. node-tar aims to guarantee that any file whose location would be outside of the extraction target directory is not extracted. This is, in part, accomplished by sanitizing absolute paths of entries within the archive, skipping archive entries that contain `..` path portions, and resolving the sanitized paths against the extraction target directory. This logic was insufficient on Windows systems when extracting tar files that contained a path that was not an absolute path, but specified a drive letter different from the extraction target, such as `C:some\\path`. If the drive letter does not match the extraction target, for example `D:\\extraction\\dir`, then the result of `path.resolve(extractionDirectory, entryPath)` would resolve against the current working directory on the `C:` drive, rather than the extraction target directory. 
Additionally, a `..` portion of the path could occur immediately after the drive letter, such as `C:../foo`, and was not properly sanitized by the logic that checked for `..` within the normalized and split portions of the path. This only affects users of `node-tar` on Windows systems. These issues were addressed in releases 4.4.18, 5.0.10 and 6.1.9. The v3 branch of node-tar has been deprecated and did not receive patches for these issues. If you are still using a v3 release we recommend you update to a more recent version of node-tar. There is no reasonable way to work around this issue without performing the same path normalization procedures that node-tar now does. Users are encouraged to upgrade to the latest patched versions of node-tar, rather than attempt to sanitize paths themselves.", "Severity": "HIGH", "CweIDs": [ "CWE-22" ], + "VendorSeverity": { + "ghsa": 3, + "nvd": 3, + "redhat": 3 + }, "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N", + "V3Score": 8.2 + }, "nvd": { "V2Vector": "AV:L/AC:M/Au:N/C:P/I:P/A:P", "V3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H", "V2Score": 4.4, "V3Score": 8.6 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N", + "V3Score": 8.2 } }, "References": [ - "https://github.com/advisories/GHSA-5955-9wpr-37jh", + "https://access.redhat.com/security/cve/CVE-2021-37713", + "https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf", + "https://github.com/isaacs/node-tar/commit/52b09e309bcae0c741a7eb79a17ef36e7828b946", + "https://github.com/isaacs/node-tar/commit/82eac952f7c10765969ed464e549375854b26edc", + "https://github.com/isaacs/node-tar/commit/875a37e3ec031186fc6599f6807341f56c584598", + "https://github.com/npm/node-tar", "https://github.com/npm/node-tar/security/advisories/GHSA-5955-9wpr-37jh", "https://nvd.nist.gov/vuln/detail/CVE-2021-37713", + "https://www.cve.org/CVERecord?id=CVE-2021-37713", "https://www.npmjs.com/package/tar", 
"https://www.oracle.com/security-alerts/cpuoct2021.html" ], - "PublishedDate": "2021-08-31T17:15:00Z", - "LastModifiedDate": "2021-10-20T11:17:00Z" + "PublishedDate": "2021-08-31T17:15:08.087Z", + "LastModifiedDate": "2022-04-25T18:40:30.47Z" + }, + { + "VulnerabilityID": "CVE-2024-28863", + "PkgID": "tar@4.4.13", + "PkgName": "tar", + "PkgPath": "juice-shop/node_modules/tar/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/tar@4.4.13", + "UID": "cbb0d28be69485fa" + }, + "InstalledVersion": "4.4.13", + "FixedVersion": "6.2.1", + "Status": "fixed", + "Layer": { + "Digest": "sha256:372ee704575ced2099853693fdb4f8770cd71b4bfcc2bf639c8e9f9d481ede37", + "DiffID": "sha256:6de27bb627f066285f0628172e686caf3e388a3bf266606c88d619d87d14aae3" + }, + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2024-28863", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Title": "node-tar: denial of service while parsing a tar file due to lack of folders depth validation", + "Description": "node-tar is a Tar for Node.js. node-tar prior to version 6.2.1 has no limit on the number of sub-folders created in the folder creation process. An attacker who generates a large number of sub-folders can consume memory on the system running node-tar and even crash the Node.js client within few seconds of running it using a path with too many sub-folders inside. 
Version 6.2.1 fixes this issue by preventing extraction in excessively deep sub-folders.", + "Severity": "MEDIUM", + "CweIDs": [ + "CWE-400", + "CWE-770" + ], + "VendorSeverity": { + "alma": 2, + "azure": 2, + "cbl-mariner": 2, + "ghsa": 2, + "oracle-oval": 2, + "redhat": 2, + "ubuntu": 2 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "V3Score": 6.5 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "V3Score": 6.5 + } + }, + "References": [ + "https://access.redhat.com/errata/RHSA-2024:6147", + "https://access.redhat.com/security/cve/CVE-2024-28863", + "https://bugzilla.redhat.com/2293200", + "https://bugzilla.redhat.com/2296417", + "https://errata.almalinux.org/9/ALSA-2024-6147.html", + "https://github.com/isaacs/node-tar", + "https://github.com/isaacs/node-tar/commit/fe8cd57da5686f8695415414bda49206a545f7f7", + "https://github.com/isaacs/node-tar/commit/fe8cd57da5686f8695415414bda49206a545f7f7 (v6.2.1)", + "https://github.com/isaacs/node-tar/security/advisories/GHSA-f5x3-32g6-xq36", + "https://linux.oracle.com/cve/CVE-2024-28863.html", + "https://linux.oracle.com/errata/ELSA-2024-6148.html", + "https://nvd.nist.gov/vuln/detail/CVE-2024-28863", + "https://security.netapp.com/advisory/ntap-20240524-0005", + "https://security.netapp.com/advisory/ntap-20240524-0005/", + "https://www.cve.org/CVERecord?id=CVE-2024-28863" + ], + "PublishedDate": "2024-03-21T23:15:10.91Z", + "LastModifiedDate": "2024-06-10T17:16:24.773Z" + }, + { + "VulnerabilityID": "CVE-2024-28863", + "PkgID": "tar@4.4.13", + "PkgName": "tar", + "PkgPath": "usr/local/lib/node_modules/npm/node_modules/tar/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/tar@4.4.13", + "UID": "d562d2ca966e2790" + }, + "InstalledVersion": "4.4.13", + "FixedVersion": "6.2.1", + "Status": "fixed", + "Layer": { + "Digest": "sha256:1e6875f31a79a89ba75198be98bcf8542ebf5bedc72e713643f8051c1de5f953", + "DiffID": 
"sha256:b745c9620c42ed8b3d44112811e039e9e673072cef3bb5740bb1d560a40b1f8a" + }, + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2024-28863", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Title": "node-tar: denial of service while parsing a tar file due to lack of folders depth validation", + "Description": "node-tar is a Tar for Node.js. node-tar prior to version 6.2.1 has no limit on the number of sub-folders created in the folder creation process. An attacker who generates a large number of sub-folders can consume memory on the system running node-tar and even crash the Node.js client within few seconds of running it using a path with too many sub-folders inside. Version 6.2.1 fixes this issue by preventing extraction in excessively deep sub-folders.", + "Severity": "MEDIUM", + "CweIDs": [ + "CWE-400", + "CWE-770" + ], + "VendorSeverity": { + "alma": 2, + "azure": 2, + "cbl-mariner": 2, + "ghsa": 2, + "oracle-oval": 2, + "redhat": 2, + "ubuntu": 2 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "V3Score": 6.5 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "V3Score": 6.5 + } + }, + "References": [ + "https://access.redhat.com/errata/RHSA-2024:6147", + "https://access.redhat.com/security/cve/CVE-2024-28863", + "https://bugzilla.redhat.com/2293200", + "https://bugzilla.redhat.com/2296417", + "https://errata.almalinux.org/9/ALSA-2024-6147.html", + "https://github.com/isaacs/node-tar", + "https://github.com/isaacs/node-tar/commit/fe8cd57da5686f8695415414bda49206a545f7f7", + "https://github.com/isaacs/node-tar/commit/fe8cd57da5686f8695415414bda49206a545f7f7 (v6.2.1)", + "https://github.com/isaacs/node-tar/security/advisories/GHSA-f5x3-32g6-xq36", + "https://linux.oracle.com/cve/CVE-2024-28863.html", + 
"https://linux.oracle.com/errata/ELSA-2024-6148.html", + "https://nvd.nist.gov/vuln/detail/CVE-2024-28863", + "https://security.netapp.com/advisory/ntap-20240524-0005", + "https://security.netapp.com/advisory/ntap-20240524-0005/", + "https://www.cve.org/CVERecord?id=CVE-2024-28863" + ], + "PublishedDate": "2024-03-21T23:15:10.91Z", + "LastModifiedDate": "2024-06-10T17:16:24.773Z" + }, + { + "VulnerabilityID": "CVE-2023-26136", + "PkgID": "tough-cookie@2.4.3", + "PkgName": "tough-cookie", + "PkgPath": "usr/local/lib/node_modules/npm/node_modules/tough-cookie/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/tough-cookie@2.4.3", + "UID": "7c060bff52008c76" + }, + "InstalledVersion": "2.4.3", + "FixedVersion": "4.1.3", + "Status": "fixed", + "Layer": { + "Digest": "sha256:1e6875f31a79a89ba75198be98bcf8542ebf5bedc72e713643f8051c1de5f953", + "DiffID": "sha256:b745c9620c42ed8b3d44112811e039e9e673072cef3bb5740bb1d560a40b1f8a" + }, + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2023-26136", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Title": "tough-cookie: prototype pollution in cookie memstore", + "Description": "Versions of the package tough-cookie before 4.1.3 are vulnerable to Prototype Pollution due to improper handling of Cookies when using CookieJar in rejectPublicSuffixes=false mode. 
This issue arises from the manner in which the objects are initialized.", + "Severity": "MEDIUM", + "CweIDs": [ + "CWE-1321" + ], + "VendorSeverity": { + "ghsa": 2, + "nvd": 4, + "redhat": 2 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", + "V3Score": 6.5 + }, + "nvd": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "V3Score": 9.8 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", + "V3Score": 6.5 + } + }, + "References": [ + "https://access.redhat.com/security/cve/CVE-2023-26136", + "https://github.com/salesforce/tough-cookie", + "https://github.com/salesforce/tough-cookie/commit/12d474791bb856004e858fdb1c47b7608d09cf6e", + "https://github.com/salesforce/tough-cookie/issues/282", + "https://github.com/salesforce/tough-cookie/releases/tag/v4.1.3", + "https://lists.debian.org/debian-lts-announce/2023/07/msg00010.html", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3HUE6ZR5SL73KHL7XUPAOEL6SB7HUDT2", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3HUE6ZR5SL73KHL7XUPAOEL6SB7HUDT2/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6PVVPNSAGSDS63HQ74PJ7MZ3MU5IYNVZ", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6PVVPNSAGSDS63HQ74PJ7MZ3MU5IYNVZ/", + "https://nvd.nist.gov/vuln/detail/CVE-2023-26136", + "https://security.netapp.com/advisory/ntap-20240621-0006", + "https://security.netapp.com/advisory/ntap-20240621-0006/", + "https://security.snyk.io/vuln/SNYK-JS-TOUGHCOOKIE-5672873", + "https://www.cve.org/CVERecord?id=CVE-2023-26136" + ], + "PublishedDate": "2023-07-01T05:15:16.103Z", + "LastModifiedDate": "2024-06-21T19:15:26.163Z" + }, + { + "VulnerabilityID": "CVE-2023-26136", + "PkgID": "tough-cookie@2.5.0", + "PkgName": "tough-cookie", + "PkgPath": 
"juice-shop/node_modules/tough-cookie/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/tough-cookie@2.5.0", + "UID": "8e71da9dbf3873ed" + }, + "InstalledVersion": "2.5.0", + "FixedVersion": "4.1.3", + "Status": "fixed", + "Layer": { + "Digest": "sha256:372ee704575ced2099853693fdb4f8770cd71b4bfcc2bf639c8e9f9d481ede37", + "DiffID": "sha256:6de27bb627f066285f0628172e686caf3e388a3bf266606c88d619d87d14aae3" + }, + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2023-26136", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Title": "tough-cookie: prototype pollution in cookie memstore", + "Description": "Versions of the package tough-cookie before 4.1.3 are vulnerable to Prototype Pollution due to improper handling of Cookies when using CookieJar in rejectPublicSuffixes=false mode. This issue arises from the manner in which the objects are initialized.", + "Severity": "MEDIUM", + "CweIDs": [ + "CWE-1321" + ], + "VendorSeverity": { + "ghsa": 2, + "nvd": 4, + "redhat": 2 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", + "V3Score": 6.5 + }, + "nvd": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "V3Score": 9.8 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", + "V3Score": 6.5 + } + }, + "References": [ + "https://access.redhat.com/security/cve/CVE-2023-26136", + "https://github.com/salesforce/tough-cookie", + "https://github.com/salesforce/tough-cookie/commit/12d474791bb856004e858fdb1c47b7608d09cf6e", + "https://github.com/salesforce/tough-cookie/issues/282", + "https://github.com/salesforce/tough-cookie/releases/tag/v4.1.3", + "https://lists.debian.org/debian-lts-announce/2023/07/msg00010.html", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3HUE6ZR5SL73KHL7XUPAOEL6SB7HUDT2", + 
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3HUE6ZR5SL73KHL7XUPAOEL6SB7HUDT2/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6PVVPNSAGSDS63HQ74PJ7MZ3MU5IYNVZ", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6PVVPNSAGSDS63HQ74PJ7MZ3MU5IYNVZ/", + "https://nvd.nist.gov/vuln/detail/CVE-2023-26136", + "https://security.netapp.com/advisory/ntap-20240621-0006", + "https://security.netapp.com/advisory/ntap-20240621-0006/", + "https://security.snyk.io/vuln/SNYK-JS-TOUGHCOOKIE-5672873", + "https://www.cve.org/CVERecord?id=CVE-2023-26136" + ], + "PublishedDate": "2023-07-01T05:15:16.103Z", + "LastModifiedDate": "2024-06-21T19:15:26.163Z" }, { "VulnerabilityID": "CVE-2021-33623", + "PkgID": "trim-newlines@1.0.0", "PkgName": "trim-newlines", "PkgPath": "juice-shop/node_modules/trim-newlines/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/trim-newlines@1.0.0", + "UID": "5c962c819af5041a" + }, "InstalledVersion": "1.0.0", - "FixedVersion": "4.0.1, 3.0.1", + "FixedVersion": "3.0.1, 4.0.1", + "Status": "fixed", + "Layer": { + "Digest": "sha256:372ee704575ced2099853693fdb4f8770cd71b4bfcc2bf639c8e9f9d481ede37", + "DiffID": "sha256:6de27bb627f066285f0628172e686caf3e388a3bf266606c88d619d87d14aae3" + }, + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2021-33623", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Title": "nodejs-trim-newlines: ReDoS in .end() method", + "Description": "The trim-newlines package before 3.0.1 and 4.x before 4.0.1 for Node.js has an issue related to regular expression denial-of-service (ReDoS) for the .end() method.", + "Severity": "HIGH", + "CweIDs": [ + "CWE-400" + ], + "VendorSeverity": { + "ghsa": 3, + "nvd": 3, + "redhat": 2, + "ubuntu": 2 + }, + 
"CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 7.5 + }, + "nvd": { + "V2Vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P", + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V2Score": 5, + "V3Score": 7.5 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 7.5 + } + }, + "References": [ + "https://access.redhat.com/security/cve/CVE-2021-33623", + "https://github.com/sindresorhus/trim-newlines", + "https://github.com/sindresorhus/trim-newlines/commit/25246c6ce5eea1c82d448998733a6302a4350d91", + "https://github.com/sindresorhus/trim-newlines/commit/b10d5f4afef832b16bc56d49fc52c68cbd403869", + "https://github.com/sindresorhus/trim-newlines/releases/tag/v4.0.1", + "https://lists.debian.org/debian-lts-announce/2022/12/msg00033.html", + "https://nvd.nist.gov/vuln/detail/CVE-2021-33623", + "https://security.netapp.com/advisory/ntap-20210702-0007", + "https://security.netapp.com/advisory/ntap-20210702-0007/", + "https://ubuntu.com/security/notices/USN-5999-1", + "https://www.cve.org/CVERecord?id=CVE-2021-33623", + "https://www.npmjs.com/package/trim-newlines" + ], + "PublishedDate": "2021-05-28T18:15:07.537Z", + "LastModifiedDate": "2023-03-01T01:58:51.267Z" + }, + { + "VulnerabilityID": "CVE-2021-3765", + "PkgID": "validator@10.11.0", + "PkgName": "validator", + "PkgPath": "juice-shop/node_modules/validator/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/validator@10.11.0", + "UID": "9fbd79e076f59a2" + }, + "InstalledVersion": "10.11.0", + "FixedVersion": "13.7.0", + "Status": "fixed", + "Layer": { + "Digest": "sha256:372ee704575ced2099853693fdb4f8770cd71b4bfcc2bf639c8e9f9d481ede37", + "DiffID": "sha256:6de27bb627f066285f0628172e686caf3e388a3bf266606c88d619d87d14aae3" + }, + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2021-3765", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": 
"https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Title": "validator: Inefficient Regular Expression Complexity in Validator.js", + "Description": "validator.js is vulnerable to Inefficient Regular Expression Complexity", + "Severity": "MEDIUM", + "CweIDs": [ + "CWE-1333" + ], + "VendorSeverity": { + "ghsa": 2, + "nvd": 3, + "redhat": 2 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", + "V3Score": 5.3 + }, + "nvd": { + "V2Vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P", + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V2Score": 5, + "V3Score": 7.5 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 7.5 + } + }, + "References": [ + "https://access.redhat.com/security/cve/CVE-2021-3765", + "https://github.com/validatorjs/validator.js", + "https://github.com/validatorjs/validator.js/commit/496fc8b2a7f5997acaaec33cc44d0b8dba5fb5e1", + "https://huntr.dev/bounties/c37e975c-21a3-4c5f-9b57-04d63b28cfc9", + "https://nvd.nist.gov/vuln/detail/CVE-2021-3765", + "https://www.cve.org/CVERecord?id=CVE-2021-3765" + ], + "PublishedDate": "2021-11-02T07:15:07.28Z", + "LastModifiedDate": "2023-07-07T19:27:40.96Z" + }, + { + "VulnerabilityID": "CVE-2023-26115", + "PkgID": "word-wrap@1.2.3", + "PkgName": "word-wrap", + "PkgPath": "juice-shop/node_modules/word-wrap/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/word-wrap@1.2.3", + "UID": "d7caf042119092f3" + }, + "InstalledVersion": "1.2.3", + "FixedVersion": "1.2.4", + "Status": "fixed", "Layer": { "Digest": "sha256:372ee704575ced2099853693fdb4f8770cd71b4bfcc2bf639c8e9f9d481ede37", "DiffID": "sha256:6de27bb627f066285f0628172e686caf3e388a3bf266606c88d619d87d14aae3" }, - "SeveritySource": "nvd", - "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2021-33623", - "Title": "nodejs-trim-newlines: ReDoS in .end() method", - "Description": "The trim-newlines package before 3.0.1 and 4.x before 4.0.1 for Node.js has an 
issue related to regular expression denial-of-service (ReDoS) for the .end() method.", - "Severity": "HIGH", + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2023-26115", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Title": "word-wrap: ReDoS", + "Description": "All versions of the package word-wrap are vulnerable to Regular Expression Denial of Service (ReDoS) due to the usage of an insecure regular expression within the result variable.\r\r", + "Severity": "MEDIUM", + "CweIDs": [ + "CWE-1333" + ], + "VendorSeverity": { + "ghsa": 2, + "nvd": 3, + "redhat": 3 + }, "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", + "V3Score": 5.3 + }, "nvd": { - "V2Vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", - "V2Score": 5, "V3Score": 7.5 }, "redhat": { 
@@ -3659,56 +15471,122 @@ } }, "References": [ - "https://github.com/advisories/GHSA-7p7h-4mm5-852v", - "https://github.com/sindresorhus/trim-newlines/releases/tag/v4.0.1", - "https://nvd.nist.gov/vuln/detail/CVE-2021-33623", - "https://www.npmjs.com/package/trim-newlines" - ], - "PublishedDate": "2021-05-28T18:15:00Z", - "LastModifiedDate": "2021-07-02T12:15:00Z" + "https://access.redhat.com/security/cve/CVE-2023-26115", + "https://github.com/jonschlinkert/word-wrap", + "https://github.com/jonschlinkert/word-wrap/blob/master/index.js#L39", + "https://github.com/jonschlinkert/word-wrap/blob/master/index.js%23L39", + "https://github.com/jonschlinkert/word-wrap/commit/420dce9a2412b21881202b73a3c34f0edc53cb2e", + "https://github.com/jonschlinkert/word-wrap/releases/tag/1.2.4", + "https://nvd.nist.gov/vuln/detail/CVE-2023-26115", + "https://security.netapp.com/advisory/ntap-20240621-0006", + "https://security.netapp.com/advisory/ntap-20240621-0006/", + "https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-4058657", + "https://security.snyk.io/vuln/SNYK-JS-WORDWRAP-3149973", + "https://www.cve.org/CVERecord?id=CVE-2023-26115" + ], + "PublishedDate": "2023-06-22T05:15:09.157Z", + "LastModifiedDate": "2024-06-21T19:15:25.887Z" }, { - "VulnerabilityID": "CVE-2021-3765", - "PkgName": "validator", - "PkgPath": "juice-shop/node_modules/validator/package.json", - "InstalledVersion": "10.11.0", - "FixedVersion": "13.7.0", + "VulnerabilityID": "CVE-2024-37890", + "PkgID": "ws@6.1.4", + "PkgName": "ws", + "PkgPath": "juice-shop/node_modules/engine.io-client/node_modules/ws/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/ws@6.1.4", + "UID": "ccb050cc2ffb3062" + }, + "InstalledVersion": "6.1.4", + "FixedVersion": "5.2.4, 6.2.3, 7.5.10, 8.17.1", + "Status": "fixed", "Layer": { "Digest": "sha256:372ee704575ced2099853693fdb4f8770cd71b4bfcc2bf639c8e9f9d481ede37", "DiffID": "sha256:6de27bb627f066285f0628172e686caf3e388a3bf266606c88d619d87d14aae3" }, - "PrimaryURL": 
"https://avd.aquasec.com/nvd/cve-2021-3765", - "Title": "Inefficient Regular Expression Complexity in validator.js", - "Description": "validator.js is vulnerable to Inefficient Regular Expression Complexity", - "Severity": "MEDIUM", - "References": [ - "https://github.com/advisories/GHSA-qgmg-gppg-76g5", - "https://github.com/validatorjs/validator.js/commit/496fc8b2a7f5997acaaec33cc44d0b8dba5fb5e1", - "https://huntr.dev/bounties/c37e975c-21a3-4c5f-9b57-04d63b28cfc9", - "https://nvd.nist.gov/vuln/detail/CVE-2021-3765" + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2024-37890", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Title": "nodejs-ws: denial of service when handling a request with many HTTP headers", + "Description": "ws is an open source WebSocket client and server for Node.js. A request with a number of headers exceeding theserver.maxHeadersCount threshold could be used to crash a ws server. The vulnerability was fixed in ws@8.17.1 (e55e510) and backported to ws@7.5.10 (22c2876), ws@6.2.3 (eeb76d3), and ws@5.2.4 (4abd8f6). In vulnerable versions of ws, the issue can be mitigated in the following ways: 1. Reduce the maximum allowed length of the request headers using the --max-http-header-size=size and/or the maxHeaderSize options so that no more headers than the server.maxHeadersCount limit can be sent. 2. 
Set server.maxHeadersCount to 0 so that no limit is applied.", + "Severity": "HIGH", + "CweIDs": [ + "CWE-476" ], - "PublishedDate": "2021-11-02T07:15:00Z", - "LastModifiedDate": "2021-11-02T11:31:00Z" + "VendorSeverity": { + "cbl-mariner": 3, + "ghsa": 3, + "redhat": 2 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 7.5 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 5.9 + } + }, + "References": [ + "https://access.redhat.com/security/cve/CVE-2024-37890", + "https://github.com/websockets/ws", + "https://github.com/websockets/ws/commit/22c28763234aa75a7e1b76f5c01c181260d7917f", + "https://github.com/websockets/ws/commit/4abd8f6de4b0b65ef80b3ff081989479ed93377e", + "https://github.com/websockets/ws/commit/e55e5106f10fcbaac37cfa89759e4cc0d073a52c", + "https://github.com/websockets/ws/commit/eeb76d313e2a00dd5247ca3597bba7877d064a63", + "https://github.com/websockets/ws/issues/2230", + "https://github.com/websockets/ws/pull/2231", + "https://github.com/websockets/ws/security/advisories/GHSA-3h5v-q93c-6h6q", + "https://nodejs.org/api/http.html#servermaxheaderscount", + "https://nvd.nist.gov/vuln/detail/CVE-2024-37890", + "https://www.cve.org/CVERecord?id=CVE-2024-37890" + ], + "PublishedDate": "2024-06-17T20:15:13.203Z", + "LastModifiedDate": "2024-06-20T12:44:22.977Z" }, { "VulnerabilityID": "CVE-2021-32640", + "PkgID": "ws@6.1.4", "PkgName": "ws", "PkgPath": "juice-shop/node_modules/engine.io-client/node_modules/ws/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/ws@6.1.4", + "UID": "ccb050cc2ffb3062" + }, "InstalledVersion": "6.1.4", - "FixedVersion": "5.2.3, 6.2.2, 7.4.6", + "FixedVersion": "7.4.6, 6.2.2, 5.2.3", + "Status": "fixed", "Layer": { "Digest": "sha256:372ee704575ced2099853693fdb4f8770cd71b4bfcc2bf639c8e9f9d481ede37", "DiffID": "sha256:6de27bb627f066285f0628172e686caf3e388a3bf266606c88d619d87d14aae3" }, - "SeveritySource": "nvd", + "SeveritySource": 
"ghsa", "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2021-32640", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, "Title": "nodejs-ws: Specially crafted value of the `Sec-Websocket-Protocol` header can be used to significantly slow down a ws server", "Description": "ws is an open source WebSocket client and server library for Node.js. A specially crafted value of the `Sec-Websocket-Protocol` header can be used to significantly slow down a ws server. The vulnerability has been fixed in ws@7.4.6 (https://github.com/websockets/ws/commit/00c425ec77993773d823f018f64a5c44e17023ff). In vulnerable versions of ws, the issue can be mitigated by reducing the maximum allowed length of the request headers using the [`--max-http-header-size=size`](https://nodejs.org/api/cli.html#cli_max_http_header_size_size) and/or the [`maxHeaderSize`](https://nodejs.org/api/http.html#http_http_createserver_options_requestlistener) options.", "Severity": "MEDIUM", "CweIDs": [ "CWE-400" ], + "VendorSeverity": { + "ghsa": 2, + "nvd": 2, + "redhat": 1 + }, "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", + "V3Score": 5.3 + }, "nvd": { "V2Vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", 
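Review bot: The new CVE-2023-26115 entry in this hunk lists `https://security.netapp.com/advisory/ntap-20240621-0006` and the same URL with a trailing slash, plus the word-wrap blob URL once as `index.js#L39` and once as `index.js%23L39`, inside `References`; the CVE-2021-32640 entries in the next two hunks do the same with the Apache thread URL (`@` versus `%40`) and `ntap-20210706-0005`. The fixture is captured Trivy output, so the duplicates belong in it as-is, but they will presumably surface as near-duplicate URL references in the parser's snapshot. It is worth stating in the parser test whether this pass-through, rather than URL normalisation or de-duplication in the parser, is the intended behaviour, e.g. `// references are emitted verbatim; Trivy may list the same URL in encoded and unencoded form`. The enclosing JSON array continues outside the hunk.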
@@ -3721,34 +15599,121 @@ } }, "References": [ - "https://github.com/advisories/GHSA-6fc8-4gx4-v693", + "https://access.redhat.com/security/cve/CVE-2021-32640", + "https://github.com/websockets/ws", "https://github.com/websockets/ws/commit/00c425ec77993773d823f018f64a5c44e17023ff", + "https://github.com/websockets/ws/issues/1895", "https://github.com/websockets/ws/security/advisories/GHSA-6fc8-4gx4-v693", + "https://lists.apache.org/thread.html/rdfa7b6253c4d6271e31566ecd5f30b7ce1b8fb2c89d52b8c4e0f4e30%40%3Ccommits.tinkerpop.apache.org%3E", "https://lists.apache.org/thread.html/rdfa7b6253c4d6271e31566ecd5f30b7ce1b8fb2c89d52b8c4e0f4e30@%3Ccommits.tinkerpop.apache.org%3E", - "https://nvd.nist.gov/vuln/detail/CVE-2021-32640" + "https://nvd.nist.gov/vuln/detail/CVE-2021-32640", + "https://security.netapp.com/advisory/ntap-20210706-0005", + "https://security.netapp.com/advisory/ntap-20210706-0005/", + "https://www.cve.org/CVERecord?id=CVE-2021-32640" + ], + "PublishedDate": "2021-05-25T19:15:07.767Z", + "LastModifiedDate": "2023-11-07T03:35:20.38Z" + }, + { + "VulnerabilityID": "CVE-2024-37890", + "PkgID": "ws@7.2.3", + "PkgName": "ws", + "PkgPath": "juice-shop/node_modules/ws/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/ws@7.2.3", + "UID": "ec3496b42446eb85" + }, + "InstalledVersion": "7.2.3", + "FixedVersion": "5.2.4, 6.2.3, 7.5.10, 8.17.1", + "Status": "fixed", + "Layer": { + "Digest": "sha256:372ee704575ced2099853693fdb4f8770cd71b4bfcc2bf639c8e9f9d481ede37", + "DiffID": "sha256:6de27bb627f066285f0628172e686caf3e388a3bf266606c88d619d87d14aae3" + }, + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2024-37890", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Title": "nodejs-ws: denial of service when handling a request with many HTTP headers", + "Description": "ws is an open source WebSocket client and server for 
Node.js. A request with a number of headers exceeding theserver.maxHeadersCount threshold could be used to crash a ws server. The vulnerability was fixed in ws@8.17.1 (e55e510) and backported to ws@7.5.10 (22c2876), ws@6.2.3 (eeb76d3), and ws@5.2.4 (4abd8f6). In vulnerable versions of ws, the issue can be mitigated in the following ways: 1. Reduce the maximum allowed length of the request headers using the --max-http-header-size=size and/or the maxHeaderSize options so that no more headers than the server.maxHeadersCount limit can be sent. 2. Set server.maxHeadersCount to 0 so that no limit is applied.", + "Severity": "HIGH", + "CweIDs": [ + "CWE-476" ], - "PublishedDate": "2021-05-25T19:15:00Z", - "LastModifiedDate": "2021-07-06T08:15:00Z" + "VendorSeverity": { + "cbl-mariner": 3, + "ghsa": 3, + "redhat": 2 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 7.5 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 5.9 + } + }, + "References": [ + "https://access.redhat.com/security/cve/CVE-2024-37890", + "https://github.com/websockets/ws", + "https://github.com/websockets/ws/commit/22c28763234aa75a7e1b76f5c01c181260d7917f", + "https://github.com/websockets/ws/commit/4abd8f6de4b0b65ef80b3ff081989479ed93377e", + "https://github.com/websockets/ws/commit/e55e5106f10fcbaac37cfa89759e4cc0d073a52c", + "https://github.com/websockets/ws/commit/eeb76d313e2a00dd5247ca3597bba7877d064a63", + "https://github.com/websockets/ws/issues/2230", + "https://github.com/websockets/ws/pull/2231", + "https://github.com/websockets/ws/security/advisories/GHSA-3h5v-q93c-6h6q", + "https://nodejs.org/api/http.html#servermaxheaderscount", + "https://nvd.nist.gov/vuln/detail/CVE-2024-37890", + "https://www.cve.org/CVERecord?id=CVE-2024-37890" + ], + "PublishedDate": "2024-06-17T20:15:13.203Z", + "LastModifiedDate": "2024-06-20T12:44:22.977Z" }, { "VulnerabilityID": "CVE-2021-32640", + "PkgID": 
"ws@7.2.3", "PkgName": "ws", "PkgPath": "juice-shop/node_modules/ws/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/ws@7.2.3", + "UID": "ec3496b42446eb85" + }, "InstalledVersion": "7.2.3", - "FixedVersion": "5.2.3, 6.2.2, 7.4.6", + "FixedVersion": "7.4.6, 6.2.2, 5.2.3", + "Status": "fixed", "Layer": { "Digest": "sha256:372ee704575ced2099853693fdb4f8770cd71b4bfcc2bf639c8e9f9d481ede37", "DiffID": "sha256:6de27bb627f066285f0628172e686caf3e388a3bf266606c88d619d87d14aae3" }, - "SeveritySource": "nvd", + "SeveritySource": "ghsa", "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2021-32640", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, "Title": "nodejs-ws: Specially crafted value of the `Sec-Websocket-Protocol` header can be used to significantly slow down a ws server", "Description": "ws is an open source WebSocket client and server library for Node.js. A specially crafted value of the `Sec-Websocket-Protocol` header can be used to significantly slow down a ws server. The vulnerability has been fixed in ws@7.4.6 (https://github.com/websockets/ws/commit/00c425ec77993773d823f018f64a5c44e17023ff). In vulnerable versions of ws, the issue can be mitigated by reducing the maximum allowed length of the request headers using the [`--max-http-header-size=size`](https://nodejs.org/api/cli.html#cli_max_http_header_size_size) and/or the [`maxHeaderSize`](https://nodejs.org/api/http.html#http_http_createserver_options_requestlistener) options.", "Severity": "MEDIUM", "CweIDs": [ "CWE-400" ], + "VendorSeverity": { + "ghsa": 2, + "nvd": 2, + "redhat": 1 + }, "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", + "V3Score": 5.3 + }, "nvd": { "V2Vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", 
@@ -3761,34 +15726,127 @@ } }, "References": [ - "https://github.com/advisories/GHSA-6fc8-4gx4-v693", + "https://access.redhat.com/security/cve/CVE-2021-32640", + "https://github.com/websockets/ws", "https://github.com/websockets/ws/commit/00c425ec77993773d823f018f64a5c44e17023ff", + "https://github.com/websockets/ws/issues/1895", "https://github.com/websockets/ws/security/advisories/GHSA-6fc8-4gx4-v693", + "https://lists.apache.org/thread.html/rdfa7b6253c4d6271e31566ecd5f30b7ce1b8fb2c89d52b8c4e0f4e30%40%3Ccommits.tinkerpop.apache.org%3E", "https://lists.apache.org/thread.html/rdfa7b6253c4d6271e31566ecd5f30b7ce1b8fb2c89d52b8c4e0f4e30@%3Ccommits.tinkerpop.apache.org%3E", - "https://nvd.nist.gov/vuln/detail/CVE-2021-32640" + "https://nvd.nist.gov/vuln/detail/CVE-2021-32640", + "https://security.netapp.com/advisory/ntap-20210706-0005", + "https://security.netapp.com/advisory/ntap-20210706-0005/", + "https://www.cve.org/CVERecord?id=CVE-2021-32640" + ], + "PublishedDate": "2021-05-25T19:15:07.767Z", + "LastModifiedDate": "2023-11-07T03:35:20.38Z" + }, + { + "VulnerabilityID": "CVE-2020-28502", + "PkgID": "xmlhttprequest-ssl@1.5.5", + "PkgName": "xmlhttprequest-ssl", + "PkgPath": "juice-shop/node_modules/xmlhttprequest-ssl/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/xmlhttprequest-ssl@1.5.5", + "UID": "af04f3fdbda34653" + }, + "InstalledVersion": "1.5.5", + "FixedVersion": "1.6.2", + "Status": "fixed", + "Layer": { + "Digest": "sha256:372ee704575ced2099853693fdb4f8770cd71b4bfcc2bf639c8e9f9d481ede37", + "DiffID": "sha256:6de27bb627f066285f0628172e686caf3e388a3bf266606c88d619d87d14aae3" + }, + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2020-28502", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Title": "nodejs-xmlhttprequest: Code injection through user input to xhr.send", + "Description": "This affects the package 
xmlhttprequest before 1.7.0; all versions of package xmlhttprequest-ssl. Provided requests are sent synchronously (async=False on xhr.open), malicious user input flowing into xhr.send could result in arbitrary code being injected and run.", + "Severity": "CRITICAL", + "CweIDs": [ + "CWE-94" + ], + "VendorSeverity": { + "ghsa": 4, + "nvd": 3, + "redhat": 3 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "V3Score": 9.8 + }, + "nvd": { + "V2Vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P", + "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "V2Score": 6.8, + "V3Score": 8.1 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "V3Score": 8.1 + } + }, + "References": [ + "https://access.redhat.com/security/cve/CVE-2020-28502", + "https://github.com/driverdan/node-XMLHttpRequest/blob/1.6.0/lib/XMLHttpRequest.js#L480", + "https://github.com/driverdan/node-XMLHttpRequest/blob/1.6.0/lib/XMLHttpRequest.js%23L480", + "https://github.com/driverdan/node-XMLHttpRequest/commit/983cfc244c7567ad6a59e366e55a8037e0497fe6", + "https://github.com/mjwwit/node-XMLHttpRequest/blob/ae38832a0f1347c5e96dda665402509a3458e302/lib/XMLHttpRequest.js#L531", + "https://github.com/mjwwit/node-XMLHttpRequest/commit/ee1e81fc67729c7c0eba5537ed7fe1e30a6b3291", + "https://nvd.nist.gov/vuln/detail/CVE-2020-28502", + "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1082937", + "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1082938", + "https://snyk.io/vuln/SNYK-JS-XMLHTTPREQUEST-1082935", + "https://snyk.io/vuln/SNYK-JS-XMLHTTPREQUESTSSL-1082936", + "https://www.cve.org/CVERecord?id=CVE-2020-28502" ], - "PublishedDate": "2021-05-25T19:15:00Z", - "LastModifiedDate": "2021-07-06T08:15:00Z" + "PublishedDate": "2021-03-05T18:15:12.83Z", + "LastModifiedDate": "2021-03-16T16:12:47.017Z" }, { "VulnerabilityID": "CVE-2021-31597", + "PkgID": "xmlhttprequest-ssl@1.5.5", "PkgName": "xmlhttprequest-ssl", "PkgPath": 
"juice-shop/node_modules/xmlhttprequest-ssl/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/xmlhttprequest-ssl@1.5.5", + "UID": "af04f3fdbda34653" + }, "InstalledVersion": "1.5.5", "FixedVersion": "1.6.1", + "Status": "fixed", "Layer": { "Digest": "sha256:372ee704575ced2099853693fdb4f8770cd71b4bfcc2bf639c8e9f9d481ede37", "DiffID": "sha256:6de27bb627f066285f0628172e686caf3e388a3bf266606c88d619d87d14aae3" }, - "SeveritySource": "nvd", + "SeveritySource": "ghsa", "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2021-31597", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, "Title": "xmlhttprequest-ssl: SSL certificate validation disabled by default", "Description": "The xmlhttprequest-ssl package before 1.6.1 for Node.js disables SSL certificate validation by default, because rejectUnauthorized (when the property exists but is undefined) is considered to be false within the https.request function of Node.js. In other words, no certificate is ever rejected.", "Severity": "CRITICAL", "CweIDs": [ "CWE-295" ], + "VendorSeverity": { + "ghsa": 4, + "nvd": 4, + "redhat": 3 + }, "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L", + "V3Score": 9.4 + }, "nvd": { "V2Vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L", 
@@ -3801,82 +15859,136 @@ } }, "References": [ - "https://github.com/advisories/GHSA-72mh-269x-7mh5", + "https://access.redhat.com/security/cve/CVE-2021-31597", "https://github.com/mjwwit/node-XMLHttpRequest/commit/bf53329b61ca6afc5d28f6b8d2dc2e3ca740a9b2", "https://github.com/mjwwit/node-XMLHttpRequest/compare/v1.6.0...1.6.1", "https://nvd.nist.gov/vuln/detail/CVE-2021-31597", "https://people.kingsds.network/wesgarland/xmlhttprequest-ssl-vuln.txt", - "https://security.netapp.com/advisory/ntap-20210618-0004/" + "https://security.netapp.com/advisory/ntap-20210618-0004", + "https://security.netapp.com/advisory/ntap-20210618-0004/", + "https://www.cve.org/CVERecord?id=CVE-2021-31597" ], - "PublishedDate": "2021-04-23T00:15:00Z", - "LastModifiedDate": "2021-06-18T10:15:00Z" + "PublishedDate": "2021-04-23T00:15:08.283Z", + "LastModifiedDate": "2021-12-08T20:27:09.257Z" }, { - "VulnerabilityID": "CVE-2020-28502", - "PkgName": "xmlhttprequest-ssl", - "PkgPath": "juice-shop/node_modules/xmlhttprequest-ssl/package.json", - "InstalledVersion": "1.5.5", - "FixedVersion": "1.6.2", + "VulnerabilityID": "CVE-2020-7774", + "PkgID": "y18n@3.2.1", + "PkgName": "y18n", + "PkgPath": "usr/local/lib/node_modules/npm/node_modules/yargs/node_modules/y18n/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/y18n@3.2.1", + "UID": "a6935088297e4faa" + }, + "InstalledVersion": "3.2.1", + "FixedVersion": "3.2.2, 4.0.1, 5.0.5", + "Status": "fixed", "Layer": { - "Digest": "sha256:372ee704575ced2099853693fdb4f8770cd71b4bfcc2bf639c8e9f9d481ede37", - "DiffID": "sha256:6de27bb627f066285f0628172e686caf3e388a3bf266606c88d619d87d14aae3" + "Digest": "sha256:1e6875f31a79a89ba75198be98bcf8542ebf5bedc72e713643f8051c1de5f953", + "DiffID": "sha256:b745c9620c42ed8b3d44112811e039e9e673072cef3bb5740bb1d560a40b1f8a" }, - "SeveritySource": "nvd", - "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2020-28502", - "Title": "nodejs-xmlhttprequest: Code injection through user input to xhr.send", - "Description": 
"This affects the package xmlhttprequest before 1.7.0; all versions of package xmlhttprequest-ssl. Provided requests are sent synchronously (async=False on xhr.open), malicious user input flowing into xhr.send could result in arbitrary code being injected and run.", + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2020-7774", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Title": "nodejs-y18n: prototype pollution vulnerability", + "Description": "The package y18n before 3.2.2, 4.0.1 and 5.0.5, is vulnerable to Prototype Pollution.", "Severity": "HIGH", "CweIDs": [ - "CWE-94" + "CWE-1321" ], + "VendorSeverity": { + "alma": 2, + "ghsa": 3, + "nvd": 4, + "oracle-oval": 2, + "redhat": 2 + }, "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", + "V3Score": 7.3 + }, "nvd": { - "V2Vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P", - "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "V2Score": 6.8, - "V3Score": 8.1 + "V2Vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P", + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "V2Score": 7.5, + "V3Score": 9.8 }, "redhat": { - "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "V3Score": 8.1 + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", + "V3Score": 7.3 } }, "References": [ - "https://github.com/advisories/GHSA-h4j5-c7cj-74xg", - "https://github.com/driverdan/node-XMLHttpRequest/blob/1.6.0/lib/XMLHttpRequest.js%23L480", - "https://nvd.nist.gov/vuln/detail/CVE-2020-28502", - "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1082937", - "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1082938", - "https://snyk.io/vuln/SNYK-JS-XMLHTTPREQUEST-1082935", - "https://snyk.io/vuln/SNYK-JS-XMLHTTPREQUESTSSL-1082936" + "https://access.redhat.com/security/cve/CVE-2020-7774", + "https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf", + 
"https://errata.almalinux.org/8/ALSA-2021-0551.html", + "https://github.com/yargs/y18n", + "https://github.com/yargs/y18n/commit/90401eea9062ad498f4f792e3fff8008c4c193a3", + "https://github.com/yargs/y18n/commit/a9ac604abf756dec9687be3843e2c93bfe581f25", + "https://github.com/yargs/y18n/issues/96", + "https://github.com/yargs/y18n/pull/108", + "https://linux.oracle.com/cve/CVE-2020-7774.html", + "https://linux.oracle.com/errata/ELSA-2021-0551.html", + "https://nvd.nist.gov/vuln/detail/CVE-2020-7774", + "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1038306", + "https://snyk.io/vuln/SNYK-JS-Y18N-1021887", + "https://www.cve.org/CVERecord?id=CVE-2020-7774", + "https://www.oracle.com/security-alerts/cpuApr2021.html" ], - "PublishedDate": "2021-03-05T18:15:00Z", - "LastModifiedDate": "2021-03-16T16:12:00Z" + "PublishedDate": "2020-11-17T13:15:12.633Z", + "LastModifiedDate": "2022-12-02T19:40:49.217Z" }, { "VulnerabilityID": "CVE-2020-7774", + "PkgID": "y18n@4.0.0", "PkgName": "y18n", - "PkgPath": "usr/local/lib/node_modules/npm/node_modules/yargs/node_modules/y18n/package.json", - "InstalledVersion": "3.2.1", - "FixedVersion": "5.0.5, 4.0.1, 3.2.2", + "PkgPath": "juice-shop/node_modules/y18n/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/y18n@4.0.0", + "UID": "d5d6a9180b63f131" + }, + "InstalledVersion": "4.0.0", + "FixedVersion": "3.2.2, 4.0.1, 5.0.5", + "Status": "fixed", "Layer": { - "Digest": "sha256:1e6875f31a79a89ba75198be98bcf8542ebf5bedc72e713643f8051c1de5f953", - "DiffID": "sha256:b745c9620c42ed8b3d44112811e039e9e673072cef3bb5740bb1d560a40b1f8a" + "Digest": "sha256:372ee704575ced2099853693fdb4f8770cd71b4bfcc2bf639c8e9f9d481ede37", + "DiffID": "sha256:6de27bb627f066285f0628172e686caf3e388a3bf266606c88d619d87d14aae3" }, - "SeveritySource": "nvd", + "SeveritySource": "ghsa", "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2020-7774", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": 
"https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, "Title": "nodejs-y18n: prototype pollution vulnerability", - "Description": "This affects the package y18n before 3.2.2, 4.0.1 and 5.0.5. PoC by po6ix: const y18n = require('y18n')(); y18n.setLocale('__proto__'); y18n.updateLocale({polluted: true}); console.log(polluted); // true", + "Description": "The package y18n before 3.2.2, 4.0.1 and 5.0.5, is vulnerable to Prototype Pollution.", "Severity": "HIGH", "CweIDs": [ - "CWE-20" + "CWE-1321" ], + "VendorSeverity": { + "alma": 2, + "ghsa": 3, + "nvd": 4, + "oracle-oval": 2, + "redhat": 2 + }, "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", + "V3Score": 7.3 + }, "nvd": { "V2Vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P", - "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "V2Score": 7.5, - "V3Score": 7.3 + "V3Score": 9.8 }, "redhat": { "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", @@ -3884,7 +15996,12 @@ } }, "References": [ - "https://github.com/advisories/GHSA-c4w7-xm78-47vh", + "https://access.redhat.com/security/cve/CVE-2020-7774", + "https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf", + "https://errata.almalinux.org/8/ALSA-2021-0551.html", + "https://github.com/yargs/y18n", + "https://github.com/yargs/y18n/commit/90401eea9062ad498f4f792e3fff8008c4c193a3", + "https://github.com/yargs/y18n/commit/a9ac604abf756dec9687be3843e2c93bfe581f25", "https://github.com/yargs/y18n/issues/96", "https://github.com/yargs/y18n/pull/108", "https://linux.oracle.com/cve/CVE-2020-7774.html", 
@@ -3892,35 +16009,58 @@ "https://nvd.nist.gov/vuln/detail/CVE-2020-7774", "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1038306", "https://snyk.io/vuln/SNYK-JS-Y18N-1021887", + "https://www.cve.org/CVERecord?id=CVE-2020-7774", "https://www.oracle.com/security-alerts/cpuApr2021.html" ], - "PublishedDate": "2020-11-17T13:15:00Z", - "LastModifiedDate": "2021-07-21T11:39:00Z" + "PublishedDate": "2020-11-17T13:15:12.633Z", + "LastModifiedDate": "2022-12-02T19:40:49.217Z" }, { "VulnerabilityID": "CVE-2020-7774", + "PkgID": "y18n@4.0.0", "PkgName": "y18n", "PkgPath": "usr/local/lib/node_modules/npm/node_modules/y18n/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/y18n@4.0.0", + "UID": "2d884561f733d43" + }, "InstalledVersion": "4.0.0", - "FixedVersion": "5.0.5, 4.0.1, 3.2.2", + "FixedVersion": "3.2.2, 4.0.1, 5.0.5", + "Status": "fixed", "Layer": { "Digest": "sha256:1e6875f31a79a89ba75198be98bcf8542ebf5bedc72e713643f8051c1de5f953", "DiffID": "sha256:b745c9620c42ed8b3d44112811e039e9e673072cef3bb5740bb1d560a40b1f8a" }, - "SeveritySource": "nvd", + "SeveritySource": "ghsa", "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2020-7774", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, "Title": "nodejs-y18n: prototype pollution vulnerability", - "Description": "This affects the package y18n before 3.2.2, 4.0.1 and 5.0.5. 
PoC by po6ix: const y18n = require('y18n')(); y18n.setLocale('__proto__'); y18n.updateLocale({polluted: true}); console.log(polluted); // true", + "Description": "The package y18n before 3.2.2, 4.0.1 and 5.0.5, is vulnerable to Prototype Pollution.", "Severity": "HIGH", "CweIDs": [ - "CWE-20" + "CWE-1321" ], + "VendorSeverity": { + "alma": 2, + "ghsa": 3, + "nvd": 4, + "oracle-oval": 2, + "redhat": 2 + }, "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", + "V3Score": 7.3 + }, "nvd": { "V2Vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P", - "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "V2Score": 7.5, - "V3Score": 7.3 + "V3Score": 9.8 }, "redhat": { "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", @@ -3928,7 +16068,12 @@ } }, "References": [ - "https://github.com/advisories/GHSA-c4w7-xm78-47vh", + "https://access.redhat.com/security/cve/CVE-2020-7774", + "https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf", + "https://errata.almalinux.org/8/ALSA-2021-0551.html", + "https://github.com/yargs/y18n", + "https://github.com/yargs/y18n/commit/90401eea9062ad498f4f792e3fff8008c4c193a3", + "https://github.com/yargs/y18n/commit/a9ac604abf756dec9687be3843e2c93bfe581f25", "https://github.com/yargs/y18n/issues/96", "https://github.com/yargs/y18n/pull/108", "https://linux.oracle.com/cve/CVE-2020-7774.html", 
@@ -3936,30 +16081,53 @@ "https://nvd.nist.gov/vuln/detail/CVE-2020-7774", "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1038306", "https://snyk.io/vuln/SNYK-JS-Y18N-1021887", + "https://www.cve.org/CVERecord?id=CVE-2020-7774", "https://www.oracle.com/security-alerts/cpuApr2021.html" ], - "PublishedDate": "2020-11-17T13:15:00Z", - "LastModifiedDate": "2021-07-21T11:39:00Z" + "PublishedDate": "2020-11-17T13:15:12.633Z", + "LastModifiedDate": "2022-12-02T19:40:49.217Z" }, { "VulnerabilityID": "CVE-2020-7608", + "PkgID": "yargs-parser@11.1.1", "PkgName": "yargs-parser", "PkgPath": "juice-shop/node_modules/replace/node_modules/yargs-parser/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/yargs-parser@11.1.1", + "UID": "23c48c2cac04881d" + }, "InstalledVersion": "11.1.1", - "FixedVersion": "5.0.1, 13.1.2, 18.1.2, 15.0.1", + "FixedVersion": "13.1.2, 15.0.1, 18.1.1, 5.0.1", + "Status": "fixed", "Layer": { "Digest": "sha256:372ee704575ced2099853693fdb4f8770cd71b4bfcc2bf639c8e9f9d481ede37", "DiffID": "sha256:6de27bb627f066285f0628172e686caf3e388a3bf266606c88d619d87d14aae3" }, - "SeveritySource": "nvd", + "SeveritySource": "ghsa", "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2020-7608", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, "Title": "nodejs-yargs-parser: prototype pollution vulnerability", "Description": "yargs-parser could be tricked into adding or modifying properties of Object.prototype using a \"__proto__\" payload.", "Severity": "MEDIUM", "CweIDs": [ - "CWE-20" + "CWE-1321" ], + "VendorSeverity": { + "alma": 2, + "ghsa": 2, + "nvd": 2, + "oracle-oval": 2, + "redhat": 1 + }, "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", + "V3Score": 5.3 + }, "nvd": { "V2Vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "V3Vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", 
@@ -3972,34 +16140,62 @@ } }, "References": [ - "https://github.com/advisories/GHSA-p9pc-299p-vxgp", + "https://access.redhat.com/security/cve/CVE-2020-7608", + "https://errata.almalinux.org/8/ALSA-2021-0548.html", + "https://github.com/yargs/yargs-parser", + "https://github.com/yargs/yargs-parser/commit/1c417bd0b42b09c475ee881e36d292af4fa2cc36", + "https://github.com/yargs/yargs-parser/commit/63810ca1ae1a24b08293a4d971e70e058c7a41e2", "https://linux.oracle.com/cve/CVE-2020-7608.html", "https://linux.oracle.com/errata/ELSA-2021-0548.html", "https://nvd.nist.gov/vuln/detail/CVE-2020-7608", - "https://snyk.io/vuln/SNYK-JS-YARGSPARSER-560381" + "https://snyk.io/vuln/SNYK-JS-YARGSPARSER-560381", + "https://www.cve.org/CVERecord?id=CVE-2020-7608", + "https://www.npmjs.com/advisories/1500" ], - "PublishedDate": "2020-03-16T20:15:00Z", - "LastModifiedDate": "2021-07-21T11:39:00Z" + "PublishedDate": "2020-03-16T20:15:12.86Z", + "LastModifiedDate": "2022-11-15T16:40:49.237Z" }, { "VulnerabilityID": "CVE-2020-7608", + "PkgID": "yargs-parser@9.0.2", "PkgName": "yargs-parser", "PkgPath": "usr/local/lib/node_modules/npm/node_modules/yargs-parser/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/yargs-parser@9.0.2", + "UID": "a0f80d20df4dc956" + }, "InstalledVersion": "9.0.2", - "FixedVersion": "5.0.1, 13.1.2, 18.1.2, 15.0.1", + "FixedVersion": "13.1.2, 15.0.1, 18.1.1, 5.0.1", + "Status": "fixed", "Layer": { "Digest": "sha256:1e6875f31a79a89ba75198be98bcf8542ebf5bedc72e713643f8051c1de5f953", "DiffID": "sha256:b745c9620c42ed8b3d44112811e039e9e673072cef3bb5740bb1d560a40b1f8a" }, - "SeveritySource": "nvd", + "SeveritySource": "ghsa", "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2020-7608", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, "Title": "nodejs-yargs-parser: prototype pollution vulnerability", "Description": "yargs-parser could be tricked into adding or 
modifying properties of Object.prototype using a \"__proto__\" payload.", "Severity": "MEDIUM", "CweIDs": [ - "CWE-20" + "CWE-1321" ], + "VendorSeverity": { + "alma": 2, + "ghsa": 2, + "nvd": 2, + "oracle-oval": 2, + "redhat": 1 + }, "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", + "V3Score": 5.3 + }, "nvd": { "V2Vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "V3Vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", 
@@ -4012,14 +16208,144 @@ } }, "References": [ - "https://github.com/advisories/GHSA-p9pc-299p-vxgp", + "https://access.redhat.com/security/cve/CVE-2020-7608", + "https://errata.almalinux.org/8/ALSA-2021-0548.html", + "https://github.com/yargs/yargs-parser", + "https://github.com/yargs/yargs-parser/commit/1c417bd0b42b09c475ee881e36d292af4fa2cc36", + "https://github.com/yargs/yargs-parser/commit/63810ca1ae1a24b08293a4d971e70e058c7a41e2", "https://linux.oracle.com/cve/CVE-2020-7608.html", "https://linux.oracle.com/errata/ELSA-2021-0548.html", "https://nvd.nist.gov/vuln/detail/CVE-2020-7608", - "https://snyk.io/vuln/SNYK-JS-YARGSPARSER-560381" + "https://snyk.io/vuln/SNYK-JS-YARGSPARSER-560381", + "https://www.cve.org/CVERecord?id=CVE-2020-7608", + "https://www.npmjs.com/advisories/1500" ], - "PublishedDate": "2020-03-16T20:15:00Z", - "LastModifiedDate": "2021-07-21T11:39:00Z" + "PublishedDate": "2020-03-16T20:15:12.86Z", + "LastModifiedDate": "2022-11-15T16:40:49.237Z" + }, + { + "VulnerabilityID": "CVE-2021-4435", + "PkgID": "yarn@1.22.4", + "PkgName": "yarn", + "PkgPath": "opt/yarn-v1.22.4/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/yarn@1.22.4", + "UID": "6ccd734cc3e26eff" + }, + "InstalledVersion": "1.22.4", + "FixedVersion": "1.22.13", + "Status": "fixed", + "Layer": { + "Digest": "sha256:dee60dddbbe0d354499cf6e1b0202cad13fc488549b4e4c7d8dcf6c2a1a03bbf", + "DiffID": "sha256:33c549f45c7f3ad21159fbcb153b96d671a3cb104f028375f55b1893dd38fc76" + }, + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2021-4435", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Title": "yarn: untrusted search path", + "Description": "An untrusted search path vulnerability was found in Yarn. 
When a victim runs certain Yarn commands in a directory with attacker-controlled content, malicious commands could be executed in unexpected ways.", + "Severity": "HIGH", + "CweIDs": [ + "CWE-426" + ], + "VendorSeverity": { + "ghsa": 3, + "nvd": 3, + "photon": 3, + "redhat": 2, + "ubuntu": 2 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H", + "V3Score": 7.8 + }, + "nvd": { + "V3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "V3Score": 7.8 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H", + "V3Score": 7.7 + } + }, + "References": [ + "https://access.redhat.com/security/cve/CVE-2021-4435", + "https://bugzilla.redhat.com/show_bug.cgi?id=2262284", + "https://github.com/yarnpkg/yarn", + "https://github.com/yarnpkg/yarn/commit/67fcce88935e45092ffa2674c08053f1ef5268a1", + "https://github.com/yarnpkg/yarn/releases/tag/v1.22.13", + "https://nvd.nist.gov/vuln/detail/CVE-2021-4435", + "https://www.cve.org/CVERecord?id=CVE-2021-4435" + ], + "PublishedDate": "2024-02-04T20:15:45.657Z", + "LastModifiedDate": "2024-02-13T00:38:56.303Z" + } + ] + }, + { + "Target": "/juice-shop/lib/insecurity.js", + "Class": "secret", + "Secrets": [ + { + "RuleID": "private-key", + "Category": "AsymmetricPrivateKey", + "Severity": "HIGH", + "Title": "Asymmetric Private Key", + "StartLine": 19, + "EndLine": 19, + "Code": { + "Lines": [ + { + "Number": 17, + "Content": "const publicKey = fs.readFileSync('encryptionkeys/jwt.pub', 'utf8')", + "IsCause": false, + "Annotation": "", + "Truncated": false, + "Highlighted": "const publicKey = fs.readFileSync('encryptionkeys/jwt.pub', 'utf8')", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 18, + "Content": "module.exports.publicKey = publicKey", + "IsCause": false, + "Annotation": "", + "Truncated": false, + "Highlighted": "module.exports.publicKey = publicKey", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 19, + "Content": "----BEGIN RSA 
PRIVATE KEY-----****************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************-----END RSA PRIVATE", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "----BEGIN RSA PRIVATE KEY-----****************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************-----END RSA PRIVATE", + "FirstCause": true, + "LastCause": true + }, + { + "Number": 20, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": false, + "FirstCause": false, + "LastCause": 
false + } + ] + }, + "Match": "----BEGIN RSA PRIVATE KEY-----****************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************-----END RSA PRIVATE", + "Layer": { + "Digest": "sha256:372ee704575ced2099853693fdb4f8770cd71b4bfcc2bf639c8e9f9d481ede37", + "DiffID": "sha256:6de27bb627f066285f0628172e686caf3e388a3bf266606c88d619d87d14aae3" + } } ] } diff --git a/scanners/trivy/parser/__testFiles__/juice-shop-v12.10.2-empty-results.json b/scanners/trivy/parser/__testFiles__/juice-shop-v12.10.2-empty-results.json index 6111f4a991..e69a7f758e 100644 --- a/scanners/trivy/parser/__testFiles__/juice-shop-v12.10.2-empty-results.json +++ b/scanners/trivy/parser/__testFiles__/juice-shop-v12.10.2-empty-results.json @@ -1,5 +1,6 @@ { "SchemaVersion": 2, + "CreatedAt": "2024-10-28T15:33:51.265546208Z", "ArtifactName": "bkimminich/juice-shop:v12.10.2", "ArtifactType": "container_image", "Metadata": { @@ -28,7 +29,8 @@ "ImageConfig": { "architecture": "amd64", "created": "2021-10-12T21:23:22.113753293Z", - "history": [{ + "history": [ + { "created": "2021-08-31T23:18:31.206789071Z", "created_by": "/bin/sh -c #(nop) ADD file:9d14b11183983923090d9e6d15cc51ee210466296e913bfefbfd580b3de59c95 in / " }, 
diff --git a/scanners/trivy/parser/__testFiles__/juice-shop-v12.10.2-no-results.json b/scanners/trivy/parser/__testFiles__/juice-shop-v12.10.2-no-results.json index b41c71828f..05e50162d2 100644 --- a/scanners/trivy/parser/__testFiles__/juice-shop-v12.10.2-no-results.json +++ b/scanners/trivy/parser/__testFiles__/juice-shop-v12.10.2-no-results.json @@ -1,5 +1,6 @@ { "SchemaVersion": 2, + "CreatedAt": "2024-10-28T15:33:51.265546208Z", "ArtifactName": "bkimminich/juice-shop:v12.10.2", "ArtifactType": "container_image", "Metadata": { @@ -28,7 +29,8 @@ "ImageConfig": { "architecture": "amd64", "created": "2021-10-12T21:23:22.113753293Z", - "history": [{ + "history": [ + { "created": "2021-08-31T23:18:31.206789071Z", "created_by": "/bin/sh -c #(nop) ADD file:9d14b11183983923090d9e6d15cc51ee210466296e913bfefbfd580b3de59c95 in / " }, diff --git a/scanners/trivy/parser/__testFiles__/juice-shop-v12.10.2.json b/scanners/trivy/parser/__testFiles__/juice-shop-v12.10.2.json index 63a070a53a..139bbe64a3 100644 --- a/scanners/trivy/parser/__testFiles__/juice-shop-v12.10.2.json +++ b/scanners/trivy/parser/__testFiles__/juice-shop-v12.10.2.json 
@@ -1,1536 +1,12355 @@ - { - "SchemaVersion": 2, - "ArtifactName": "bkimminich/juice-shop:v12.10.2", - "ArtifactType": "container_image", - "Metadata": { + "SchemaVersion": 2, + "CreatedAt": "2024-10-28T15:33:51.265546208Z", + "ArtifactName": "bkimminich/juice-shop:v12.10.2", + "ArtifactType": "container_image", + "Metadata": { "OS": { - "Family": "alpine", - "Name": "3.11.12", - "EOSL": true + "Family": "alpine", + "Name": "3.11.12", + "EOSL": true }, "ImageID": "sha256:be30ca1df4be08840f6ca53885a1d371d35f54eae326161a2a40aa3c535fe703", "DiffIDs": [ - "sha256:39982b2a789afc156fff00c707d0ff1c6ab4af8f1666a8df4787714059ce24e7", - "sha256:f8700d3a252fffe60e30bc672e8a6560f30a3ce8816f2ad396020553fe4d9210", - "sha256:b8f0e895f5208b04d533d013ddec6f12642fdd679ef70bc1497ffe733c97428b", - "sha256:446ec7c50f08cfba388bcebe29f54b2a46a5ddccdabd6b4caac21cbdb7c60b4b", - "sha256:14bfcbbb53f34ede6cd7b031e162c5943a738eb21543ca1fdfdc0cc1ab578c07", - "sha256:96fd22f85d18e17255224d3bf9a75ea7da9985ecad19780e762815410c64a780", - "sha256:882c984cafed0fa20487f0b4f95474af7d46cff44d735d266633ebcea37e2bd1", - "sha256:873323b172036f6876ecc04895b0f8832ccecef9601ae723633fe08b9886ea83" + "sha256:39982b2a789afc156fff00c707d0ff1c6ab4af8f1666a8df4787714059ce24e7", + "sha256:f8700d3a252fffe60e30bc672e8a6560f30a3ce8816f2ad396020553fe4d9210", + "sha256:b8f0e895f5208b04d533d013ddec6f12642fdd679ef70bc1497ffe733c97428b", + "sha256:446ec7c50f08cfba388bcebe29f54b2a46a5ddccdabd6b4caac21cbdb7c60b4b", + "sha256:14bfcbbb53f34ede6cd7b031e162c5943a738eb21543ca1fdfdc0cc1ab578c07", + "sha256:96fd22f85d18e17255224d3bf9a75ea7da9985ecad19780e762815410c64a780", + "sha256:882c984cafed0fa20487f0b4f95474af7d46cff44d735d266633ebcea37e2bd1", + "sha256:873323b172036f6876ecc04895b0f8832ccecef9601ae723633fe08b9886ea83" ], "RepoTags": [ - "bkimminich/juice-shop:v12.10.2" + "bkimminich/juice-shop:v12.10.2" ], "RepoDigests": [ - "bkimminich/juice-shop@sha256:33238f8c6291415c499265629b1b82ef791f5a33dff09f25c07264204a26f89b" + 
"bkimminich/juice-shop@sha256:33238f8c6291415c499265629b1b82ef791f5a33dff09f25c07264204a26f89b" ], "ImageConfig": { - "architecture": "amd64", - "created": "2021-10-12T21:23:22.113753293Z", - "history": [ + "architecture": "amd64", + "created": "2021-10-12T21:23:22.113753293Z", + "history": [ { - "created": "2021-08-31T23:18:31.206789071Z", - "created_by": "/bin/sh -c #(nop) ADD file:9d14b11183983923090d9e6d15cc51ee210466296e913bfefbfd580b3de59c95 in / " + "created": "2021-08-31T23:18:31.206789071Z", + "created_by": "/bin/sh -c #(nop) ADD file:9d14b11183983923090d9e6d15cc51ee210466296e913bfefbfd580b3de59c95 in / " }, { - "created": "2021-08-31T23:18:31.468221118Z", - "created_by": "/bin/sh -c #(nop) CMD [\"/bin/sh\"]", - "empty_layer": true + "created": "2021-08-31T23:18:31.468221118Z", + "created_by": "/bin/sh -c #(nop) CMD [\"/bin/sh\"]", + "empty_layer": true }, { - "created": "2021-08-31T23:43:22.542236428Z", - "created_by": "/bin/sh -c #(nop) ENV NODE_VERSION=12.22.6", - "empty_layer": true + "created": "2021-08-31T23:43:22.542236428Z", + "created_by": "/bin/sh -c #(nop) ENV NODE_VERSION=12.22.6", + "empty_layer": true }, { - "created": "2021-08-31T23:43:28.741308375Z", - "created_by": "/bin/sh -c addgroup -g 1000 node \u0026\u0026 adduser -u 1000 -G node -s /bin/sh -D node \u0026\u0026 apk add --no-cache libstdc++ \u0026\u0026 apk add --no-cache --virtual .build-deps curl \u0026\u0026 ARCH= \u0026\u0026 alpineArch=\"$(apk --print-arch)\" \u0026\u0026 case \"${alpineArch##*-}\" in x86_64) ARCH='x64' CHECKSUM=\"0ce2b97ecbbd84f1a5ed13278ed6845d93c6454d8550730b247a990438dba322\" ;; *) ;; esac \u0026\u0026 if [ -n \"${CHECKSUM}\" ]; then set -eu; curl -fsSLO --compressed \"https://unofficial-builds.nodejs.org/download/release/v$NODE_VERSION/node-v$NODE_VERSION-linux-$ARCH-musl.tar.xz\"; echo \"$CHECKSUM node-v$NODE_VERSION-linux-$ARCH-musl.tar.xz\" | sha256sum -c - \u0026\u0026 tar -xJf \"node-v$NODE_VERSION-linux-$ARCH-musl.tar.xz\" -C /usr/local 
--strip-components=1 --no-same-owner \u0026\u0026 ln -s /usr/local/bin/node /usr/local/bin/nodejs; else echo \"Building from source\" \u0026\u0026 apk add --no-cache --virtual .build-deps-full binutils-gold g++ gcc gnupg libgcc linux-headers make python2 \u0026\u0026 for key in 4ED778F539E3634C779C87C6D7062848A1AB005C 94AE36675C464D64BAFA68DD7434390BDBE9B9C5 74F12602B6F1C4E913FAA37AD3A89613643B6201 71DCFD284A79C3B38668286BC97EC7A07EDE3FC1 8FCCA13FEF1D0C2E91008E09770F7A9A5AE15600 C4F0DFFF4E8C1A8236409D08E73BC641CC11F4C8 C82FA3AE1CBEDC6BE46B9360C43CEC45C17AB93C DD8F2338BAE7501E3DD5AC78C273792F7D83545D A48C2BEE680E841632CD4E44F07496B3EB3C1762 108F52B48DB57BB0CC439B2997B01419BD92F80A B9E2F5981AA6E0CD28160D9FF13993A75599653C ; do gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys \"$key\" || gpg --batch --keyserver keyserver.ubuntu.com --recv-keys \"$key\" ; done \u0026\u0026 curl -fsSLO --compressed \"https://nodejs.org/dist/v$NODE_VERSION/node-v$NODE_VERSION.tar.xz\" \u0026\u0026 curl -fsSLO --compressed \"https://nodejs.org/dist/v$NODE_VERSION/SHASUMS256.txt.asc\" \u0026\u0026 gpg --batch --decrypt --output SHASUMS256.txt SHASUMS256.txt.asc \u0026\u0026 grep \" node-v$NODE_VERSION.tar.xz\\$\" SHASUMS256.txt | sha256sum -c - \u0026\u0026 tar -xf \"node-v$NODE_VERSION.tar.xz\" \u0026\u0026 cd \"node-v$NODE_VERSION\" \u0026\u0026 ./configure \u0026\u0026 make -j$(getconf _NPROCESSORS_ONLN) V= \u0026\u0026 make install \u0026\u0026 apk del .build-deps-full \u0026\u0026 cd .. 
\u0026\u0026 rm -Rf \"node-v$NODE_VERSION\" \u0026\u0026 rm \"node-v$NODE_VERSION.tar.xz\" SHASUMS256.txt.asc SHASUMS256.txt; fi \u0026\u0026 rm -f \"node-v$NODE_VERSION-linux-$ARCH-musl.tar.xz\" \u0026\u0026 apk del .build-deps \u0026\u0026 node --version \u0026\u0026 npm --version" + "created": "2021-08-31T23:43:28.741308375Z", + "created_by": "/bin/sh -c addgroup -g 1000 node \u0026\u0026 adduser -u 1000 -G node -s /bin/sh -D node \u0026\u0026 apk add --no-cache libstdc++ \u0026\u0026 apk add --no-cache --virtual .build-deps curl \u0026\u0026 ARCH= \u0026\u0026 alpineArch=\"$(apk --print-arch)\" \u0026\u0026 case \"${alpineArch##*-}\" in x86_64) ARCH='x64' CHECKSUM=\"0ce2b97ecbbd84f1a5ed13278ed6845d93c6454d8550730b247a990438dba322\" ;; *) ;; esac \u0026\u0026 if [ -n \"${CHECKSUM}\" ]; then set -eu; curl -fsSLO --compressed \"https://unofficial-builds.nodejs.org/download/release/v$NODE_VERSION/node-v$NODE_VERSION-linux-$ARCH-musl.tar.xz\"; echo \"$CHECKSUM node-v$NODE_VERSION-linux-$ARCH-musl.tar.xz\" | sha256sum -c - \u0026\u0026 tar -xJf \"node-v$NODE_VERSION-linux-$ARCH-musl.tar.xz\" -C /usr/local --strip-components=1 --no-same-owner \u0026\u0026 ln -s /usr/local/bin/node /usr/local/bin/nodejs; else echo \"Building from source\" \u0026\u0026 apk add --no-cache --virtual .build-deps-full binutils-gold g++ gcc gnupg libgcc linux-headers make python2 \u0026\u0026 for key in 4ED778F539E3634C779C87C6D7062848A1AB005C 94AE36675C464D64BAFA68DD7434390BDBE9B9C5 74F12602B6F1C4E913FAA37AD3A89613643B6201 71DCFD284A79C3B38668286BC97EC7A07EDE3FC1 8FCCA13FEF1D0C2E91008E09770F7A9A5AE15600 C4F0DFFF4E8C1A8236409D08E73BC641CC11F4C8 C82FA3AE1CBEDC6BE46B9360C43CEC45C17AB93C DD8F2338BAE7501E3DD5AC78C273792F7D83545D A48C2BEE680E841632CD4E44F07496B3EB3C1762 108F52B48DB57BB0CC439B2997B01419BD92F80A B9E2F5981AA6E0CD28160D9FF13993A75599653C ; do gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys \"$key\" || gpg --batch --keyserver keyserver.ubuntu.com --recv-keys \"$key\" ; 
done \u0026\u0026 curl -fsSLO --compressed \"https://nodejs.org/dist/v$NODE_VERSION/node-v$NODE_VERSION.tar.xz\" \u0026\u0026 curl -fsSLO --compressed \"https://nodejs.org/dist/v$NODE_VERSION/SHASUMS256.txt.asc\" \u0026\u0026 gpg --batch --decrypt --output SHASUMS256.txt SHASUMS256.txt.asc \u0026\u0026 grep \" node-v$NODE_VERSION.tar.xz\\$\" SHASUMS256.txt | sha256sum -c - \u0026\u0026 tar -xf \"node-v$NODE_VERSION.tar.xz\" \u0026\u0026 cd \"node-v$NODE_VERSION\" \u0026\u0026 ./configure \u0026\u0026 make -j$(getconf _NPROCESSORS_ONLN) V= \u0026\u0026 make install \u0026\u0026 apk del .build-deps-full \u0026\u0026 cd .. \u0026\u0026 rm -Rf \"node-v$NODE_VERSION\" \u0026\u0026 rm \"node-v$NODE_VERSION.tar.xz\" SHASUMS256.txt.asc SHASUMS256.txt; fi \u0026\u0026 rm -f \"node-v$NODE_VERSION-linux-$ARCH-musl.tar.xz\" \u0026\u0026 apk del .build-deps \u0026\u0026 node --version \u0026\u0026 npm --version" }, { - "created": "2021-08-31T23:43:29.259986126Z", - "created_by": "/bin/sh -c #(nop) ENV YARN_VERSION=1.22.5", - "empty_layer": true + "created": "2021-08-31T23:43:29.259986126Z", + "created_by": "/bin/sh -c #(nop) ENV YARN_VERSION=1.22.5", + "empty_layer": true }, { - "created": "2021-08-31T23:43:33.528239211Z", - "created_by": "/bin/sh -c apk add --no-cache --virtual .build-deps-yarn curl gnupg tar \u0026\u0026 for key in 6A010C5166006599AA17F08146C2130DFD2497F5 ; do gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys \"$key\" || gpg --batch --keyserver keyserver.ubuntu.com --recv-keys \"$key\" ; done \u0026\u0026 curl -fsSLO --compressed \"https://yarnpkg.com/downloads/$YARN_VERSION/yarn-v$YARN_VERSION.tar.gz\" \u0026\u0026 curl -fsSLO --compressed \"https://yarnpkg.com/downloads/$YARN_VERSION/yarn-v$YARN_VERSION.tar.gz.asc\" \u0026\u0026 gpg --batch --verify yarn-v$YARN_VERSION.tar.gz.asc yarn-v$YARN_VERSION.tar.gz \u0026\u0026 mkdir -p /opt \u0026\u0026 tar -xzf yarn-v$YARN_VERSION.tar.gz -C /opt/ \u0026\u0026 ln -s /opt/yarn-v$YARN_VERSION/bin/yarn 
/usr/local/bin/yarn \u0026\u0026 ln -s /opt/yarn-v$YARN_VERSION/bin/yarnpkg /usr/local/bin/yarnpkg \u0026\u0026 rm yarn-v$YARN_VERSION.tar.gz.asc yarn-v$YARN_VERSION.tar.gz \u0026\u0026 apk del .build-deps-yarn \u0026\u0026 yarn --version" + "created": "2021-08-31T23:43:33.528239211Z", + "created_by": "/bin/sh -c apk add --no-cache --virtual .build-deps-yarn curl gnupg tar \u0026\u0026 for key in 6A010C5166006599AA17F08146C2130DFD2497F5 ; do gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys \"$key\" || gpg --batch --keyserver keyserver.ubuntu.com --recv-keys \"$key\" ; done \u0026\u0026 curl -fsSLO --compressed \"https://yarnpkg.com/downloads/$YARN_VERSION/yarn-v$YARN_VERSION.tar.gz\" \u0026\u0026 curl -fsSLO --compressed \"https://yarnpkg.com/downloads/$YARN_VERSION/yarn-v$YARN_VERSION.tar.gz.asc\" \u0026\u0026 gpg --batch --verify yarn-v$YARN_VERSION.tar.gz.asc yarn-v$YARN_VERSION.tar.gz \u0026\u0026 mkdir -p /opt \u0026\u0026 tar -xzf yarn-v$YARN_VERSION.tar.gz -C /opt/ \u0026\u0026 ln -s /opt/yarn-v$YARN_VERSION/bin/yarn /usr/local/bin/yarn \u0026\u0026 ln -s /opt/yarn-v$YARN_VERSION/bin/yarnpkg /usr/local/bin/yarnpkg \u0026\u0026 rm yarn-v$YARN_VERSION.tar.gz.asc yarn-v$YARN_VERSION.tar.gz \u0026\u0026 apk del .build-deps-yarn \u0026\u0026 yarn --version" }, { - "created": "2021-08-31T23:43:33.764167946Z", - "created_by": "/bin/sh -c #(nop) COPY file:238737301d47304174e4d24f4def935b29b3069c03c72ae8de97d94624382fce in /usr/local/bin/ " + "created": "2021-08-31T23:43:33.764167946Z", + "created_by": "/bin/sh -c #(nop) COPY file:238737301d47304174e4d24f4def935b29b3069c03c72ae8de97d94624382fce in /usr/local/bin/ " }, { - "created": "2021-08-31T23:43:33.939059836Z", - "created_by": "/bin/sh -c #(nop) ENTRYPOINT [\"docker-entrypoint.sh\"]", - "empty_layer": true + "created": "2021-08-31T23:43:33.939059836Z", + "created_by": "/bin/sh -c #(nop) ENTRYPOINT [\"docker-entrypoint.sh\"]", + "empty_layer": true }, { - "created": "2021-08-31T23:43:34.123121758Z", - 
"created_by": "/bin/sh -c #(nop) CMD [\"node\"]", - "empty_layer": true + "created": "2021-08-31T23:43:34.123121758Z", + "created_by": "/bin/sh -c #(nop) CMD [\"node\"]", + "empty_layer": true }, { - "created": "2021-10-12T21:09:44.406187677Z", - "created_by": "ARG BUILD_DATE", - "comment": "buildkit.dockerfile.v0", - "empty_layer": true + "created": "2021-10-12T21:09:44.406187677Z", + "created_by": "ARG BUILD_DATE", + "comment": "buildkit.dockerfile.v0", + "empty_layer": true }, { - "created": "2021-10-12T21:09:44.406187677Z", - "created_by": "ARG VCS_REF", - "comment": "buildkit.dockerfile.v0", - "empty_layer": true + "created": "2021-10-12T21:09:44.406187677Z", + "created_by": "ARG VCS_REF", + "comment": "buildkit.dockerfile.v0", + "empty_layer": true }, { - "created": "2021-10-12T21:09:44.406187677Z", - "created_by": "LABEL maintainer=Bjoern Kimminich \u003cbjoern.kimminich@owasp.org\u003e org.opencontainers.image.title=OWASP Juice Shop org.opencontainers.image.description=Probably the most modern and sophisticated insecure web application org.opencontainers.image.authors=Bjoern Kimminich \u003cbjoern.kimminich@owasp.org\u003e org.opencontainers.image.vendor=Open Web Application Security Project org.opencontainers.image.documentation=https://help.owasp-juice.shop org.opencontainers.image.licenses=MIT org.opencontainers.image.version=12.10.2 org.opencontainers.image.url=https://owasp-juice.shop org.opencontainers.image.source=https://github.com/juice-shop/juice-shop org.opencontainers.image.revision=3d8a93e org.opencontainers.image.created=”2021-10-12T21:09:21Z”", - "comment": "buildkit.dockerfile.v0", - "empty_layer": true + "created": "2021-10-12T21:09:44.406187677Z", + "created_by": "LABEL maintainer=Bjoern Kimminich \u003cbjoern.kimminich@owasp.org\u003e org.opencontainers.image.title=OWASP Juice Shop org.opencontainers.image.description=Probably the most modern and sophisticated insecure web application org.opencontainers.image.authors=Bjoern Kimminich 
\u003cbjoern.kimminich@owasp.org\u003e org.opencontainers.image.vendor=Open Web Application Security Project org.opencontainers.image.documentation=https://help.owasp-juice.shop org.opencontainers.image.licenses=MIT org.opencontainers.image.version=12.10.2 org.opencontainers.image.url=https://owasp-juice.shop org.opencontainers.image.source=https://github.com/juice-shop/juice-shop org.opencontainers.image.revision=3d8a93e org.opencontainers.image.created=”2021-10-12T21:09:21Z”", + "comment": "buildkit.dockerfile.v0", + "empty_layer": true }, { - "created": "2021-10-12T21:09:44.406187677Z", - "created_by": "WORKDIR /juice-shop", - "comment": "buildkit.dockerfile.v0" + "created": "2021-10-12T21:09:44.406187677Z", + "created_by": "WORKDIR /juice-shop", + "comment": "buildkit.dockerfile.v0" }, { - "created": "2021-10-12T21:09:45.159386817Z", - "created_by": "RUN |2 BUILD_DATE=”2021-10-12T21:09:21Z” VCS_REF=3d8a93e /bin/sh -c addgroup --system --gid 1001 juicer \u0026\u0026 adduser juicer --system --uid 1001 --ingroup juicer # buildkit", - "comment": "buildkit.dockerfile.v0" + "created": "2021-10-12T21:09:45.159386817Z", + "created_by": "RUN |2 BUILD_DATE=”2021-10-12T21:09:21Z” VCS_REF=3d8a93e /bin/sh -c addgroup --system --gid 1001 juicer \u0026\u0026 adduser juicer --system --uid 1001 --ingroup juicer # buildkit", + "comment": "buildkit.dockerfile.v0" }, { - "created": "2021-10-12T21:23:20.754238724Z", - "created_by": "COPY /juice-shop . # buildkit", - "comment": "buildkit.dockerfile.v0" + "created": "2021-10-12T21:23:20.754238724Z", + "created_by": "COPY /juice-shop . 
# buildkit", + "comment": "buildkit.dockerfile.v0" }, { - "created": "2021-10-12T21:23:22.113753293Z", - "created_by": "RUN |2 BUILD_DATE=”2021-10-12T21:09:21Z” VCS_REF=3d8a93e /bin/sh -c mkdir logs \u0026\u0026 chown -R juicer logs \u0026\u0026 chgrp -R 0 ftp/ frontend/dist/ logs/ data/ i18n/ \u0026\u0026 chmod -R g=u ftp/ frontend/dist/ logs/ data/ i18n/ # buildkit", - "comment": "buildkit.dockerfile.v0" + "created": "2021-10-12T21:23:22.113753293Z", + "created_by": "RUN |2 BUILD_DATE=”2021-10-12T21:09:21Z” VCS_REF=3d8a93e /bin/sh -c mkdir logs \u0026\u0026 chown -R juicer logs \u0026\u0026 chgrp -R 0 ftp/ frontend/dist/ logs/ data/ i18n/ \u0026\u0026 chmod -R g=u ftp/ frontend/dist/ logs/ data/ i18n/ # buildkit", + "comment": "buildkit.dockerfile.v0" }, { - "created": "2021-10-12T21:23:22.113753293Z", - "created_by": "USER 1001", - "comment": "buildkit.dockerfile.v0", - "empty_layer": true + "created": "2021-10-12T21:23:22.113753293Z", + "created_by": "USER 1001", + "comment": "buildkit.dockerfile.v0", + "empty_layer": true }, { - "created": "2021-10-12T21:23:22.113753293Z", - "created_by": "EXPOSE map[3000/tcp:{}]", - "comment": "buildkit.dockerfile.v0", - "empty_layer": true + "created": "2021-10-12T21:23:22.113753293Z", + "created_by": "EXPOSE map[3000/tcp:{}]", + "comment": "buildkit.dockerfile.v0", + "empty_layer": true }, { - "created": "2021-10-12T21:23:22.113753293Z", - "created_by": "CMD [\"npm\" \"start\"]", - "comment": "buildkit.dockerfile.v0", - "empty_layer": true + "created": "2021-10-12T21:23:22.113753293Z", + "created_by": "CMD [\"npm\" \"start\"]", + "comment": "buildkit.dockerfile.v0", + "empty_layer": true } - ], - "os": "linux", - "rootfs": { + ], + "os": "linux", + "rootfs": { "type": "layers", "diff_ids": [ - "sha256:39982b2a789afc156fff00c707d0ff1c6ab4af8f1666a8df4787714059ce24e7", - "sha256:f8700d3a252fffe60e30bc672e8a6560f30a3ce8816f2ad396020553fe4d9210", - "sha256:b8f0e895f5208b04d533d013ddec6f12642fdd679ef70bc1497ffe733c97428b", - 
"sha256:446ec7c50f08cfba388bcebe29f54b2a46a5ddccdabd6b4caac21cbdb7c60b4b", - "sha256:14bfcbbb53f34ede6cd7b031e162c5943a738eb21543ca1fdfdc0cc1ab578c07", - "sha256:96fd22f85d18e17255224d3bf9a75ea7da9985ecad19780e762815410c64a780", - "sha256:882c984cafed0fa20487f0b4f95474af7d46cff44d735d266633ebcea37e2bd1", - "sha256:873323b172036f6876ecc04895b0f8832ccecef9601ae723633fe08b9886ea83" + "sha256:39982b2a789afc156fff00c707d0ff1c6ab4af8f1666a8df4787714059ce24e7", + "sha256:f8700d3a252fffe60e30bc672e8a6560f30a3ce8816f2ad396020553fe4d9210", + "sha256:b8f0e895f5208b04d533d013ddec6f12642fdd679ef70bc1497ffe733c97428b", + "sha256:446ec7c50f08cfba388bcebe29f54b2a46a5ddccdabd6b4caac21cbdb7c60b4b", + "sha256:14bfcbbb53f34ede6cd7b031e162c5943a738eb21543ca1fdfdc0cc1ab578c07", + "sha256:96fd22f85d18e17255224d3bf9a75ea7da9985ecad19780e762815410c64a780", + "sha256:882c984cafed0fa20487f0b4f95474af7d46cff44d735d266633ebcea37e2bd1", + "sha256:873323b172036f6876ecc04895b0f8832ccecef9601ae723633fe08b9886ea83" ] - }, - "config": { + }, + "config": { "Cmd": [ - "npm", - "start" + "npm", + "start" ], "Entrypoint": [ - "docker-entrypoint.sh" + "docker-entrypoint.sh" ], "Env": [ - "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin", - "NODE_VERSION=12.22.6", - "YARN_VERSION=1.22.5" + "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin", + "NODE_VERSION=12.22.6", + "YARN_VERSION=1.22.5" ], "Labels": { - "maintainer": "Bjoern Kimminich \u003cbjoern.kimminich@owasp.org\u003e", - "org.opencontainers.image.authors": "Bjoern Kimminich \u003cbjoern.kimminich@owasp.org\u003e", - "org.opencontainers.image.created": "”2021-10-12T21:09:21Z”", - "org.opencontainers.image.description": "Probably the most modern and sophisticated insecure web application", - "org.opencontainers.image.documentation": "https://help.owasp-juice.shop", - "org.opencontainers.image.licenses": "MIT", - "org.opencontainers.image.revision": "3d8a93e", - "org.opencontainers.image.source": 
"https://github.com/juice-shop/juice-shop", - "org.opencontainers.image.title": "OWASP Juice Shop", - "org.opencontainers.image.url": "https://owasp-juice.shop", - "org.opencontainers.image.vendor": "Open Web Application Security Project", - "org.opencontainers.image.version": "12.10.2" + "maintainer": "Bjoern Kimminich \u003cbjoern.kimminich@owasp.org\u003e", + "org.opencontainers.image.authors": "Bjoern Kimminich \u003cbjoern.kimminich@owasp.org\u003e", + "org.opencontainers.image.created": "”2021-10-12T21:09:21Z”", + "org.opencontainers.image.description": "Probably the most modern and sophisticated insecure web application", + "org.opencontainers.image.documentation": "https://help.owasp-juice.shop", + "org.opencontainers.image.licenses": "MIT", + "org.opencontainers.image.revision": "3d8a93e", + "org.opencontainers.image.source": "https://github.com/juice-shop/juice-shop", + "org.opencontainers.image.title": "OWASP Juice Shop", + "org.opencontainers.image.url": "https://owasp-juice.shop", + "org.opencontainers.image.vendor": "Open Web Application Security Project", + "org.opencontainers.image.version": "12.10.2" }, "User": "1001", "WorkingDir": "/juice-shop", "ExposedPorts": { - "3000/tcp": {} + "3000/tcp": {} }, "ArgsEscaped": true - } + } } - }, - "Results": [ + }, + "Results": [ { - "Target": "bkimminich/juice-shop:v12.10.2 (alpine 3.11.12)", - "Class": "os-pkgs", - "Type": "alpine" + "Target": "bkimminich/juice-shop:v12.10.2 (alpine 3.11.12)", + "Class": "os-pkgs", + "Type": "alpine", + "Vulnerabilities": [ + { + "VulnerabilityID": "CVE-2021-42378", + "PkgID": "busybox@1.31.1-r10", + "PkgName": "busybox", + "PkgIdentifier": { + "PURL": "pkg:apk/alpine/busybox@1.31.1-r10?arch=x86_64\u0026distro=3.11.12", + "UID": "dbdcc92319327e60" + }, + "InstalledVersion": "1.31.1-r10", + "FixedVersion": "1.31.1-r11", + "Status": "fixed", + "Layer": { + "Digest": "sha256:6a428f9f83b0a29f1fdd2ccccca19a9bab805a925b8eddf432a5a3d3da04afbc", + "DiffID": 
"sha256:39982b2a789afc156fff00c707d0ff1c6ab4af8f1666a8df4787714059ce24e7" + }, + "SeveritySource": "nvd", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2021-42378", + "DataSource": { + "ID": "alpine", + "Name": "Alpine Secdb", + "URL": "https://secdb.alpinelinux.org/" + }, + "Title": "busybox: use-after-free in awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the getvar_i()", + "Description": "A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the getvar_i function", + "Severity": "HIGH", + "CweIDs": [ + "CWE-416" + ], + "VendorSeverity": { + "amazon": 2, + "cbl-mariner": 3, + "nvd": 3, + "redhat": 2, + "ubuntu": 1 + }, + "CVSS": { + "nvd": { + "V2Vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P", + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", + "V2Score": 6.5, + "V3Score": 7.2 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H", + "V3Score": 6.6 + } + }, + "References": [ + "https://access.redhat.com/security/cve/CVE-2021-42378", + "https://claroty.com/team82/research/unboxing-busybox-14-vulnerabilities-uncovered-by-claroty-jfrog", + "https://jfrog.com/blog/unboxing-busybox-14-new-vulnerabilities-uncovered-by-claroty-and-jfrog/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6T2TURBYYJGBMQTTN2DSOAIQGP7WCPGV/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UQXGOGWBIYWOIVXJVRKHZR34UMEHQBXS/", + "https://nvd.nist.gov/vuln/detail/CVE-2021-42378", + "https://security.netapp.com/advisory/ntap-20211223-0002/", + "https://ubuntu.com/security/notices/USN-5179-1", + "https://www.cve.org/CVERecord?id=CVE-2021-42378" + ], + "PublishedDate": "2021-11-15T21:15:07.753Z", + "LastModifiedDate": "2023-11-07T03:39:10.25Z" + }, + { + "VulnerabilityID": "CVE-2021-42379", + "PkgID": "busybox@1.31.1-r10", 
+ "PkgName": "busybox", + "PkgIdentifier": { + "PURL": "pkg:apk/alpine/busybox@1.31.1-r10?arch=x86_64\u0026distro=3.11.12", + "UID": "dbdcc92319327e60" + }, + "InstalledVersion": "1.31.1-r10", + "FixedVersion": "1.31.1-r11", + "Status": "fixed", + "Layer": { + "Digest": "sha256:6a428f9f83b0a29f1fdd2ccccca19a9bab805a925b8eddf432a5a3d3da04afbc", + "DiffID": "sha256:39982b2a789afc156fff00c707d0ff1c6ab4af8f1666a8df4787714059ce24e7" + }, + "SeveritySource": "nvd", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2021-42379", + "DataSource": { + "ID": "alpine", + "Name": "Alpine Secdb", + "URL": "https://secdb.alpinelinux.org/" + }, + "Title": "busybox: use-after-free in awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the next_input_file()", + "Description": "A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the next_input_file function", + "Severity": "HIGH", + "CweIDs": [ + "CWE-416" + ], + "VendorSeverity": { + "amazon": 2, + "cbl-mariner": 3, + "nvd": 3, + "redhat": 2, + "ubuntu": 1 + }, + "CVSS": { + "nvd": { + "V2Vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P", + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", + "V2Score": 6.5, + "V3Score": 7.2 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H", + "V3Score": 6.6 + } + }, + "References": [ + "https://access.redhat.com/security/cve/CVE-2021-42379", + "https://claroty.com/team82/research/unboxing-busybox-14-vulnerabilities-uncovered-by-claroty-jfrog", + "https://jfrog.com/blog/unboxing-busybox-14-new-vulnerabilities-uncovered-by-claroty-and-jfrog/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6T2TURBYYJGBMQTTN2DSOAIQGP7WCPGV/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UQXGOGWBIYWOIVXJVRKHZR34UMEHQBXS/", + 
"https://nvd.nist.gov/vuln/detail/CVE-2021-42379", + "https://security.netapp.com/advisory/ntap-20211223-0002/", + "https://ubuntu.com/security/notices/USN-5179-1", + "https://www.cve.org/CVERecord?id=CVE-2021-42379" + ], + "PublishedDate": "2021-11-15T21:15:07.807Z", + "LastModifiedDate": "2023-11-07T03:39:10.34Z" + }, + { + "VulnerabilityID": "CVE-2021-42380", + "PkgID": "busybox@1.31.1-r10", + "PkgName": "busybox", + "PkgIdentifier": { + "PURL": "pkg:apk/alpine/busybox@1.31.1-r10?arch=x86_64\u0026distro=3.11.12", + "UID": "dbdcc92319327e60" + }, + "InstalledVersion": "1.31.1-r10", + "FixedVersion": "1.31.1-r11", + "Status": "fixed", + "Layer": { + "Digest": "sha256:6a428f9f83b0a29f1fdd2ccccca19a9bab805a925b8eddf432a5a3d3da04afbc", + "DiffID": "sha256:39982b2a789afc156fff00c707d0ff1c6ab4af8f1666a8df4787714059ce24e7" + }, + "SeveritySource": "nvd", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2021-42380", + "DataSource": { + "ID": "alpine", + "Name": "Alpine Secdb", + "URL": "https://secdb.alpinelinux.org/" + }, + "Title": "busybox: use-after-free in awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the clrvar()", + "Description": "A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the clrvar function", + "Severity": "HIGH", + "CweIDs": [ + "CWE-416" + ], + "VendorSeverity": { + "cbl-mariner": 3, + "nvd": 3, + "redhat": 2, + "ubuntu": 1 + }, + "CVSS": { + "nvd": { + "V2Vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P", + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", + "V2Score": 6.5, + "V3Score": 7.2 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H", + "V3Score": 6.6 + } + }, + "References": [ + "https://access.redhat.com/security/cve/CVE-2021-42380", + "https://claroty.com/team82/research/unboxing-busybox-14-vulnerabilities-uncovered-by-claroty-jfrog", + 
"https://jfrog.com/blog/unboxing-busybox-14-new-vulnerabilities-uncovered-by-claroty-and-jfrog/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6T2TURBYYJGBMQTTN2DSOAIQGP7WCPGV/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UQXGOGWBIYWOIVXJVRKHZR34UMEHQBXS/", + "https://nvd.nist.gov/vuln/detail/CVE-2021-42380", + "https://security.netapp.com/advisory/ntap-20211223-0002/", + "https://ubuntu.com/security/notices/USN-5179-1", + "https://www.cve.org/CVERecord?id=CVE-2021-42380" + ], + "PublishedDate": "2021-11-15T21:15:07.857Z", + "LastModifiedDate": "2023-11-07T03:39:10.423Z" + }, + { + "VulnerabilityID": "CVE-2021-42381", + "PkgID": "busybox@1.31.1-r10", + "PkgName": "busybox", + "PkgIdentifier": { + "PURL": "pkg:apk/alpine/busybox@1.31.1-r10?arch=x86_64\u0026distro=3.11.12", + "UID": "dbdcc92319327e60" + }, + "InstalledVersion": "1.31.1-r10", + "FixedVersion": "1.31.1-r11", + "Status": "fixed", + "Layer": { + "Digest": "sha256:6a428f9f83b0a29f1fdd2ccccca19a9bab805a925b8eddf432a5a3d3da04afbc", + "DiffID": "sha256:39982b2a789afc156fff00c707d0ff1c6ab4af8f1666a8df4787714059ce24e7" + }, + "SeveritySource": "nvd", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2021-42381", + "DataSource": { + "ID": "alpine", + "Name": "Alpine Secdb", + "URL": "https://secdb.alpinelinux.org/" + }, + "Title": "busybox: use-after-free in awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the hash_init()", + "Description": "A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the hash_init function", + "Severity": "HIGH", + "CweIDs": [ + "CWE-416" + ], + "VendorSeverity": { + "cbl-mariner": 3, + "nvd": 3, + "redhat": 2, + "ubuntu": 1 + }, + "CVSS": { + "nvd": { + "V2Vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P", + "V3Vector": 
"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", + "V2Score": 6.5, + "V3Score": 7.2 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H", + "V3Score": 6.6 + } + }, + "References": [ + "https://access.redhat.com/security/cve/CVE-2021-42381", + "https://claroty.com/team82/research/unboxing-busybox-14-vulnerabilities-uncovered-by-claroty-jfrog", + "https://jfrog.com/blog/unboxing-busybox-14-new-vulnerabilities-uncovered-by-claroty-and-jfrog/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6T2TURBYYJGBMQTTN2DSOAIQGP7WCPGV/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UQXGOGWBIYWOIVXJVRKHZR34UMEHQBXS/", + "https://nvd.nist.gov/vuln/detail/CVE-2021-42381", + "https://security.netapp.com/advisory/ntap-20211223-0002/", + "https://ubuntu.com/security/notices/USN-5179-1", + "https://www.cve.org/CVERecord?id=CVE-2021-42381" + ], + "PublishedDate": "2021-11-15T21:15:07.913Z", + "LastModifiedDate": "2023-11-07T03:39:10.5Z" + }, + { + "VulnerabilityID": "CVE-2021-42382", + "PkgID": "busybox@1.31.1-r10", + "PkgName": "busybox", + "PkgIdentifier": { + "PURL": "pkg:apk/alpine/busybox@1.31.1-r10?arch=x86_64\u0026distro=3.11.12", + "UID": "dbdcc92319327e60" + }, + "InstalledVersion": "1.31.1-r10", + "FixedVersion": "1.31.1-r11", + "Status": "fixed", + "Layer": { + "Digest": "sha256:6a428f9f83b0a29f1fdd2ccccca19a9bab805a925b8eddf432a5a3d3da04afbc", + "DiffID": "sha256:39982b2a789afc156fff00c707d0ff1c6ab4af8f1666a8df4787714059ce24e7" + }, + "SeveritySource": "nvd", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2021-42382", + "DataSource": { + "ID": "alpine", + "Name": "Alpine Secdb", + "URL": "https://secdb.alpinelinux.org/" + }, + "Title": "busybox: use-after-free in awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the getvar_s()", + "Description": "A use-after-free in Busybox's awk applet 
leads to denial of service and possibly code execution when processing a crafted awk pattern in the getvar_s function", + "Severity": "HIGH", + "CweIDs": [ + "CWE-416" + ], + "VendorSeverity": { + "cbl-mariner": 3, + "nvd": 3, + "redhat": 2, + "ubuntu": 1 + }, + "CVSS": { + "nvd": { + "V2Vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P", + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", + "V2Score": 6.5, + "V3Score": 7.2 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H", + "V3Score": 6.6 + } + }, + "References": [ + "https://access.redhat.com/security/cve/CVE-2021-42382", + "https://claroty.com/team82/research/unboxing-busybox-14-vulnerabilities-uncovered-by-claroty-jfrog", + "https://jfrog.com/blog/unboxing-busybox-14-new-vulnerabilities-uncovered-by-claroty-and-jfrog/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6T2TURBYYJGBMQTTN2DSOAIQGP7WCPGV/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UQXGOGWBIYWOIVXJVRKHZR34UMEHQBXS/", + "https://nvd.nist.gov/vuln/detail/CVE-2021-42382", + "https://security.netapp.com/advisory/ntap-20211223-0002/", + "https://ubuntu.com/security/notices/USN-5179-1", + "https://www.cve.org/CVERecord?id=CVE-2021-42382" + ], + "PublishedDate": "2021-11-15T21:15:07.963Z", + "LastModifiedDate": "2023-11-07T03:39:10.577Z" + }, + { + "VulnerabilityID": "CVE-2021-42383", + "PkgID": "busybox@1.31.1-r10", + "PkgName": "busybox", + "PkgIdentifier": { + "PURL": "pkg:apk/alpine/busybox@1.31.1-r10?arch=x86_64\u0026distro=3.11.12", + "UID": "dbdcc92319327e60" + }, + "InstalledVersion": "1.31.1-r10", + "FixedVersion": "1.31.1-r11", + "Status": "fixed", + "Layer": { + "Digest": "sha256:6a428f9f83b0a29f1fdd2ccccca19a9bab805a925b8eddf432a5a3d3da04afbc", + "DiffID": "sha256:39982b2a789afc156fff00c707d0ff1c6ab4af8f1666a8df4787714059ce24e7" + }, + "SeveritySource": "nvd", + "PrimaryURL": 
"https://avd.aquasec.com/nvd/cve-2021-42383", + "DataSource": { + "ID": "alpine", + "Name": "Alpine Secdb", + "URL": "https://secdb.alpinelinux.org/" + }, + "Title": "busybox: use-after-free in awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the evaluate()", + "Description": "A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the evaluate function", + "Severity": "HIGH", + "CweIDs": [ + "CWE-416" + ], + "VendorSeverity": { + "nvd": 3, + "redhat": 2 + }, + "CVSS": { + "nvd": { + "V2Vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P", + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", + "V2Score": 6.5, + "V3Score": 7.2 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H", + "V3Score": 6.6 + } + }, + "References": [ + "https://access.redhat.com/security/cve/CVE-2021-42383", + "https://claroty.com/team82/research/unboxing-busybox-14-vulnerabilities-uncovered-by-claroty-jfrog", + "https://jfrog.com/blog/unboxing-busybox-14-new-vulnerabilities-uncovered-by-claroty-and-jfrog/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6T2TURBYYJGBMQTTN2DSOAIQGP7WCPGV/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UQXGOGWBIYWOIVXJVRKHZR34UMEHQBXS/", + "https://nvd.nist.gov/vuln/detail/CVE-2021-42383", + "https://security.netapp.com/advisory/ntap-20211223-0002/", + "https://www.cve.org/CVERecord?id=CVE-2021-42383" + ], + "PublishedDate": "2021-11-15T21:15:08.017Z", + "LastModifiedDate": "2023-11-07T03:39:10.66Z" + }, + { + "VulnerabilityID": "CVE-2021-42384", + "PkgID": "busybox@1.31.1-r10", + "PkgName": "busybox", + "PkgIdentifier": { + "PURL": "pkg:apk/alpine/busybox@1.31.1-r10?arch=x86_64\u0026distro=3.11.12", + "UID": "dbdcc92319327e60" + }, + "InstalledVersion": "1.31.1-r10", + "FixedVersion": "1.31.1-r11", 
+ "Status": "fixed", + "Layer": { + "Digest": "sha256:6a428f9f83b0a29f1fdd2ccccca19a9bab805a925b8eddf432a5a3d3da04afbc", + "DiffID": "sha256:39982b2a789afc156fff00c707d0ff1c6ab4af8f1666a8df4787714059ce24e7" + }, + "SeveritySource": "nvd", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2021-42384", + "DataSource": { + "ID": "alpine", + "Name": "Alpine Secdb", + "URL": "https://secdb.alpinelinux.org/" + }, + "Title": "busybox: use-after-free in awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the handle_special()", + "Description": "A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the handle_special function", + "Severity": "HIGH", + "CweIDs": [ + "CWE-416" + ], + "VendorSeverity": { + "amazon": 2, + "cbl-mariner": 3, + "nvd": 3, + "redhat": 2, + "ubuntu": 1 + }, + "CVSS": { + "nvd": { + "V2Vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P", + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", + "V2Score": 6.5, + "V3Score": 7.2 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H", + "V3Score": 6.6 + } + }, + "References": [ + "https://access.redhat.com/security/cve/CVE-2021-42384", + "https://claroty.com/team82/research/unboxing-busybox-14-vulnerabilities-uncovered-by-claroty-jfrog", + "https://jfrog.com/blog/unboxing-busybox-14-new-vulnerabilities-uncovered-by-claroty-and-jfrog/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6T2TURBYYJGBMQTTN2DSOAIQGP7WCPGV/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UQXGOGWBIYWOIVXJVRKHZR34UMEHQBXS/", + "https://nvd.nist.gov/vuln/detail/CVE-2021-42384", + "https://security.netapp.com/advisory/ntap-20211223-0002/", + "https://ubuntu.com/security/notices/USN-5179-1", + "https://www.cve.org/CVERecord?id=CVE-2021-42384" + ], + "PublishedDate": 
"2021-11-15T21:15:08.07Z", + "LastModifiedDate": "2023-11-07T03:39:10.737Z" + }, + { + "VulnerabilityID": "CVE-2021-42385", + "PkgID": "busybox@1.31.1-r10", + "PkgName": "busybox", + "PkgIdentifier": { + "PURL": "pkg:apk/alpine/busybox@1.31.1-r10?arch=x86_64\u0026distro=3.11.12", + "UID": "dbdcc92319327e60" + }, + "InstalledVersion": "1.31.1-r10", + "FixedVersion": "1.31.1-r11", + "Status": "fixed", + "Layer": { + "Digest": "sha256:6a428f9f83b0a29f1fdd2ccccca19a9bab805a925b8eddf432a5a3d3da04afbc", + "DiffID": "sha256:39982b2a789afc156fff00c707d0ff1c6ab4af8f1666a8df4787714059ce24e7" + }, + "SeveritySource": "nvd", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2021-42385", + "DataSource": { + "ID": "alpine", + "Name": "Alpine Secdb", + "URL": "https://secdb.alpinelinux.org/" + }, + "Title": "busybox: use-after-free in awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the evaluate()", + "Description": "A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the evaluate function", + "Severity": "HIGH", + "CweIDs": [ + "CWE-416" + ], + "VendorSeverity": { + "amazon": 2, + "cbl-mariner": 3, + "nvd": 3, + "redhat": 2, + "ubuntu": 1 + }, + "CVSS": { + "nvd": { + "V2Vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P", + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", + "V2Score": 6.5, + "V3Score": 7.2 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H", + "V3Score": 6.6 + } + }, + "References": [ + "https://access.redhat.com/security/cve/CVE-2021-42385", + "https://claroty.com/team82/research/unboxing-busybox-14-vulnerabilities-uncovered-by-claroty-jfrog", + "https://jfrog.com/blog/unboxing-busybox-14-new-vulnerabilities-uncovered-by-claroty-and-jfrog/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6T2TURBYYJGBMQTTN2DSOAIQGP7WCPGV/", + 
"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UQXGOGWBIYWOIVXJVRKHZR34UMEHQBXS/", + "https://nvd.nist.gov/vuln/detail/CVE-2021-42385", + "https://security.netapp.com/advisory/ntap-20211223-0002/", + "https://ubuntu.com/security/notices/USN-5179-1", + "https://www.cve.org/CVERecord?id=CVE-2021-42385" + ], + "PublishedDate": "2021-11-15T21:15:08.123Z", + "LastModifiedDate": "2023-11-07T03:39:10.82Z" + }, + { + "VulnerabilityID": "CVE-2021-42386", + "PkgID": "busybox@1.31.1-r10", + "PkgName": "busybox", + "PkgIdentifier": { + "PURL": "pkg:apk/alpine/busybox@1.31.1-r10?arch=x86_64\u0026distro=3.11.12", + "UID": "dbdcc92319327e60" + }, + "InstalledVersion": "1.31.1-r10", + "FixedVersion": "1.31.1-r11", + "Status": "fixed", + "Layer": { + "Digest": "sha256:6a428f9f83b0a29f1fdd2ccccca19a9bab805a925b8eddf432a5a3d3da04afbc", + "DiffID": "sha256:39982b2a789afc156fff00c707d0ff1c6ab4af8f1666a8df4787714059ce24e7" + }, + "SeveritySource": "nvd", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2021-42386", + "DataSource": { + "ID": "alpine", + "Name": "Alpine Secdb", + "URL": "https://secdb.alpinelinux.org/" + }, + "Title": "busybox: use-after-free in awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the nvalloc()", + "Description": "A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the nvalloc function", + "Severity": "HIGH", + "CweIDs": [ + "CWE-416" + ], + "VendorSeverity": { + "amazon": 2, + "cbl-mariner": 3, + "nvd": 3, + "redhat": 2, + "ubuntu": 1 + }, + "CVSS": { + "nvd": { + "V2Vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P", + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", + "V2Score": 6.5, + "V3Score": 7.2 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H", + "V3Score": 6.6 + } + }, + "References": [ + 
"https://access.redhat.com/security/cve/CVE-2021-42386", + "https://claroty.com/team82/research/unboxing-busybox-14-vulnerabilities-uncovered-by-claroty-jfrog", + "https://jfrog.com/blog/unboxing-busybox-14-new-vulnerabilities-uncovered-by-claroty-and-jfrog/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6T2TURBYYJGBMQTTN2DSOAIQGP7WCPGV/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UQXGOGWBIYWOIVXJVRKHZR34UMEHQBXS/", + "https://nvd.nist.gov/vuln/detail/CVE-2021-42386", + "https://security.netapp.com/advisory/ntap-20211223-0002/", + "https://ubuntu.com/security/notices/USN-5179-1", + "https://www.cve.org/CVERecord?id=CVE-2021-42386" + ], + "PublishedDate": "2021-11-15T21:15:08.173Z", + "LastModifiedDate": "2023-11-07T03:39:10.903Z" + }, + { + "VulnerabilityID": "CVE-2021-42374", + "PkgID": "busybox@1.31.1-r10", + "PkgName": "busybox", + "PkgIdentifier": { + "PURL": "pkg:apk/alpine/busybox@1.31.1-r10?arch=x86_64\u0026distro=3.11.12", + "UID": "dbdcc92319327e60" + }, + "InstalledVersion": "1.31.1-r10", + "FixedVersion": "1.31.1-r11", + "Status": "fixed", + "Layer": { + "Digest": "sha256:6a428f9f83b0a29f1fdd2ccccca19a9bab805a925b8eddf432a5a3d3da04afbc", + "DiffID": "sha256:39982b2a789afc156fff00c707d0ff1c6ab4af8f1666a8df4787714059ce24e7" + }, + "SeveritySource": "nvd", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2021-42374", + "DataSource": { + "ID": "alpine", + "Name": "Alpine Secdb", + "URL": "https://secdb.alpinelinux.org/" + }, + "Title": "busybox: out-of-bounds read in unlzma applet leads to information leak and denial of service when crafted LZMA-compressed input is decompressed", + "Description": "An out-of-bounds heap read in Busybox's unlzma applet leads to information leak and denial of service when crafted LZMA-compressed input is decompressed. 
This can be triggered by any applet/format that", + "Severity": "MEDIUM", + "CweIDs": [ + "CWE-125" + ], + "VendorSeverity": { + "azure": 2, + "cbl-mariner": 2, + "nvd": 2, + "redhat": 2, + "ubuntu": 1 + }, + "CVSS": { + "nvd": { + "V2Vector": "AV:L/AC:M/Au:N/C:P/I:N/A:P", + "V3Vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:H", + "V2Score": 3.3, + "V3Score": 5.3 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:H", + "V3Score": 5.7 + } + }, + "References": [ + "https://access.redhat.com/security/cve/CVE-2021-42374", + "https://claroty.com/team82/research/unboxing-busybox-14-vulnerabilities-uncovered-by-claroty-jfrog", + "https://jfrog.com/blog/unboxing-busybox-14-new-vulnerabilities-uncovered-by-claroty-and-jfrog/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6T2TURBYYJGBMQTTN2DSOAIQGP7WCPGV/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UQXGOGWBIYWOIVXJVRKHZR34UMEHQBXS/", + "https://nvd.nist.gov/vuln/detail/CVE-2021-42374", + "https://security.netapp.com/advisory/ntap-20211223-0002/", + "https://ubuntu.com/security/notices/USN-5179-1", + "https://www.cve.org/CVERecord?id=CVE-2021-42374" + ], + "PublishedDate": "2021-11-15T21:15:07.54Z", + "LastModifiedDate": "2023-11-07T03:39:09.877Z" + }, + { + "VulnerabilityID": "CVE-2021-42378", + "PkgID": "ssl_client@1.31.1-r10", + "PkgName": "ssl_client", + "PkgIdentifier": { + "PURL": "pkg:apk/alpine/ssl_client@1.31.1-r10?arch=x86_64\u0026distro=3.11.12", + "UID": "62fa654ba69800c9" + }, + "InstalledVersion": "1.31.1-r10", + "FixedVersion": "1.31.1-r11", + "Status": "fixed", + "Layer": { + "Digest": "sha256:6a428f9f83b0a29f1fdd2ccccca19a9bab805a925b8eddf432a5a3d3da04afbc", + "DiffID": "sha256:39982b2a789afc156fff00c707d0ff1c6ab4af8f1666a8df4787714059ce24e7" + }, + "SeveritySource": "nvd", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2021-42378", + "DataSource": { + "ID": 
"alpine", + "Name": "Alpine Secdb", + "URL": "https://secdb.alpinelinux.org/" + }, + "Title": "busybox: use-after-free in awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the getvar_i()", + "Description": "A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the getvar_i function", + "Severity": "HIGH", + "CweIDs": [ + "CWE-416" + ], + "VendorSeverity": { + "amazon": 2, + "cbl-mariner": 3, + "nvd": 3, + "redhat": 2, + "ubuntu": 1 + }, + "CVSS": { + "nvd": { + "V2Vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P", + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", + "V2Score": 6.5, + "V3Score": 7.2 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H", + "V3Score": 6.6 + } + }, + "References": [ + "https://access.redhat.com/security/cve/CVE-2021-42378", + "https://claroty.com/team82/research/unboxing-busybox-14-vulnerabilities-uncovered-by-claroty-jfrog", + "https://jfrog.com/blog/unboxing-busybox-14-new-vulnerabilities-uncovered-by-claroty-and-jfrog/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6T2TURBYYJGBMQTTN2DSOAIQGP7WCPGV/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UQXGOGWBIYWOIVXJVRKHZR34UMEHQBXS/", + "https://nvd.nist.gov/vuln/detail/CVE-2021-42378", + "https://security.netapp.com/advisory/ntap-20211223-0002/", + "https://ubuntu.com/security/notices/USN-5179-1", + "https://www.cve.org/CVERecord?id=CVE-2021-42378" + ], + "PublishedDate": "2021-11-15T21:15:07.753Z", + "LastModifiedDate": "2023-11-07T03:39:10.25Z" + }, + { + "VulnerabilityID": "CVE-2021-42379", + "PkgID": "ssl_client@1.31.1-r10", + "PkgName": "ssl_client", + "PkgIdentifier": { + "PURL": "pkg:apk/alpine/ssl_client@1.31.1-r10?arch=x86_64\u0026distro=3.11.12", + "UID": "62fa654ba69800c9" + }, + "InstalledVersion": 
"1.31.1-r10", + "FixedVersion": "1.31.1-r11", + "Status": "fixed", + "Layer": { + "Digest": "sha256:6a428f9f83b0a29f1fdd2ccccca19a9bab805a925b8eddf432a5a3d3da04afbc", + "DiffID": "sha256:39982b2a789afc156fff00c707d0ff1c6ab4af8f1666a8df4787714059ce24e7" + }, + "SeveritySource": "nvd", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2021-42379", + "DataSource": { + "ID": "alpine", + "Name": "Alpine Secdb", + "URL": "https://secdb.alpinelinux.org/" + }, + "Title": "busybox: use-after-free in awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the next_input_file()", + "Description": "A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the next_input_file function", + "Severity": "HIGH", + "CweIDs": [ + "CWE-416" + ], + "VendorSeverity": { + "amazon": 2, + "cbl-mariner": 3, + "nvd": 3, + "redhat": 2, + "ubuntu": 1 + }, + "CVSS": { + "nvd": { + "V2Vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P", + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", + "V2Score": 6.5, + "V3Score": 7.2 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H", + "V3Score": 6.6 + } + }, + "References": [ + "https://access.redhat.com/security/cve/CVE-2021-42379", + "https://claroty.com/team82/research/unboxing-busybox-14-vulnerabilities-uncovered-by-claroty-jfrog", + "https://jfrog.com/blog/unboxing-busybox-14-new-vulnerabilities-uncovered-by-claroty-and-jfrog/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6T2TURBYYJGBMQTTN2DSOAIQGP7WCPGV/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UQXGOGWBIYWOIVXJVRKHZR34UMEHQBXS/", + "https://nvd.nist.gov/vuln/detail/CVE-2021-42379", + "https://security.netapp.com/advisory/ntap-20211223-0002/", + "https://ubuntu.com/security/notices/USN-5179-1", + 
"https://www.cve.org/CVERecord?id=CVE-2021-42379" + ], + "PublishedDate": "2021-11-15T21:15:07.807Z", + "LastModifiedDate": "2023-11-07T03:39:10.34Z" + }, + { + "VulnerabilityID": "CVE-2021-42380", + "PkgID": "ssl_client@1.31.1-r10", + "PkgName": "ssl_client", + "PkgIdentifier": { + "PURL": "pkg:apk/alpine/ssl_client@1.31.1-r10?arch=x86_64\u0026distro=3.11.12", + "UID": "62fa654ba69800c9" + }, + "InstalledVersion": "1.31.1-r10", + "FixedVersion": "1.31.1-r11", + "Status": "fixed", + "Layer": { + "Digest": "sha256:6a428f9f83b0a29f1fdd2ccccca19a9bab805a925b8eddf432a5a3d3da04afbc", + "DiffID": "sha256:39982b2a789afc156fff00c707d0ff1c6ab4af8f1666a8df4787714059ce24e7" + }, + "SeveritySource": "nvd", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2021-42380", + "DataSource": { + "ID": "alpine", + "Name": "Alpine Secdb", + "URL": "https://secdb.alpinelinux.org/" + }, + "Title": "busybox: use-after-free in awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the clrvar()", + "Description": "A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the clrvar function", + "Severity": "HIGH", + "CweIDs": [ + "CWE-416" + ], + "VendorSeverity": { + "cbl-mariner": 3, + "nvd": 3, + "redhat": 2, + "ubuntu": 1 + }, + "CVSS": { + "nvd": { + "V2Vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P", + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", + "V2Score": 6.5, + "V3Score": 7.2 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H", + "V3Score": 6.6 + } + }, + "References": [ + "https://access.redhat.com/security/cve/CVE-2021-42380", + "https://claroty.com/team82/research/unboxing-busybox-14-vulnerabilities-uncovered-by-claroty-jfrog", + "https://jfrog.com/blog/unboxing-busybox-14-new-vulnerabilities-uncovered-by-claroty-and-jfrog/", + 
"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6T2TURBYYJGBMQTTN2DSOAIQGP7WCPGV/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UQXGOGWBIYWOIVXJVRKHZR34UMEHQBXS/", + "https://nvd.nist.gov/vuln/detail/CVE-2021-42380", + "https://security.netapp.com/advisory/ntap-20211223-0002/", + "https://ubuntu.com/security/notices/USN-5179-1", + "https://www.cve.org/CVERecord?id=CVE-2021-42380" + ], + "PublishedDate": "2021-11-15T21:15:07.857Z", + "LastModifiedDate": "2023-11-07T03:39:10.423Z" + }, + { + "VulnerabilityID": "CVE-2021-42381", + "PkgID": "ssl_client@1.31.1-r10", + "PkgName": "ssl_client", + "PkgIdentifier": { + "PURL": "pkg:apk/alpine/ssl_client@1.31.1-r10?arch=x86_64\u0026distro=3.11.12", + "UID": "62fa654ba69800c9" + }, + "InstalledVersion": "1.31.1-r10", + "FixedVersion": "1.31.1-r11", + "Status": "fixed", + "Layer": { + "Digest": "sha256:6a428f9f83b0a29f1fdd2ccccca19a9bab805a925b8eddf432a5a3d3da04afbc", + "DiffID": "sha256:39982b2a789afc156fff00c707d0ff1c6ab4af8f1666a8df4787714059ce24e7" + }, + "SeveritySource": "nvd", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2021-42381", + "DataSource": { + "ID": "alpine", + "Name": "Alpine Secdb", + "URL": "https://secdb.alpinelinux.org/" + }, + "Title": "busybox: use-after-free in awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the hash_init()", + "Description": "A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the hash_init function", + "Severity": "HIGH", + "CweIDs": [ + "CWE-416" + ], + "VendorSeverity": { + "cbl-mariner": 3, + "nvd": 3, + "redhat": 2, + "ubuntu": 1 + }, + "CVSS": { + "nvd": { + "V2Vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P", + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", + "V2Score": 6.5, + "V3Score": 7.2 + }, + "redhat": { + "V3Vector": 
"CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H", + "V3Score": 6.6 + } + }, + "References": [ + "https://access.redhat.com/security/cve/CVE-2021-42381", + "https://claroty.com/team82/research/unboxing-busybox-14-vulnerabilities-uncovered-by-claroty-jfrog", + "https://jfrog.com/blog/unboxing-busybox-14-new-vulnerabilities-uncovered-by-claroty-and-jfrog/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6T2TURBYYJGBMQTTN2DSOAIQGP7WCPGV/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UQXGOGWBIYWOIVXJVRKHZR34UMEHQBXS/", + "https://nvd.nist.gov/vuln/detail/CVE-2021-42381", + "https://security.netapp.com/advisory/ntap-20211223-0002/", + "https://ubuntu.com/security/notices/USN-5179-1", + "https://www.cve.org/CVERecord?id=CVE-2021-42381" + ], + "PublishedDate": "2021-11-15T21:15:07.913Z", + "LastModifiedDate": "2023-11-07T03:39:10.5Z" + }, + { + "VulnerabilityID": "CVE-2021-42382", + "PkgID": "ssl_client@1.31.1-r10", + "PkgName": "ssl_client", + "PkgIdentifier": { + "PURL": "pkg:apk/alpine/ssl_client@1.31.1-r10?arch=x86_64\u0026distro=3.11.12", + "UID": "62fa654ba69800c9" + }, + "InstalledVersion": "1.31.1-r10", + "FixedVersion": "1.31.1-r11", + "Status": "fixed", + "Layer": { + "Digest": "sha256:6a428f9f83b0a29f1fdd2ccccca19a9bab805a925b8eddf432a5a3d3da04afbc", + "DiffID": "sha256:39982b2a789afc156fff00c707d0ff1c6ab4af8f1666a8df4787714059ce24e7" + }, + "SeveritySource": "nvd", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2021-42382", + "DataSource": { + "ID": "alpine", + "Name": "Alpine Secdb", + "URL": "https://secdb.alpinelinux.org/" + }, + "Title": "busybox: use-after-free in awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the getvar_s()", + "Description": "A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the 
getvar_s function", + "Severity": "HIGH", + "CweIDs": [ + "CWE-416" + ], + "VendorSeverity": { + "cbl-mariner": 3, + "nvd": 3, + "redhat": 2, + "ubuntu": 1 + }, + "CVSS": { + "nvd": { + "V2Vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P", + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", + "V2Score": 6.5, + "V3Score": 7.2 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H", + "V3Score": 6.6 + } + }, + "References": [ + "https://access.redhat.com/security/cve/CVE-2021-42382", + "https://claroty.com/team82/research/unboxing-busybox-14-vulnerabilities-uncovered-by-claroty-jfrog", + "https://jfrog.com/blog/unboxing-busybox-14-new-vulnerabilities-uncovered-by-claroty-and-jfrog/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6T2TURBYYJGBMQTTN2DSOAIQGP7WCPGV/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UQXGOGWBIYWOIVXJVRKHZR34UMEHQBXS/", + "https://nvd.nist.gov/vuln/detail/CVE-2021-42382", + "https://security.netapp.com/advisory/ntap-20211223-0002/", + "https://ubuntu.com/security/notices/USN-5179-1", + "https://www.cve.org/CVERecord?id=CVE-2021-42382" + ], + "PublishedDate": "2021-11-15T21:15:07.963Z", + "LastModifiedDate": "2023-11-07T03:39:10.577Z" + }, + { + "VulnerabilityID": "CVE-2021-42383", + "PkgID": "ssl_client@1.31.1-r10", + "PkgName": "ssl_client", + "PkgIdentifier": { + "PURL": "pkg:apk/alpine/ssl_client@1.31.1-r10?arch=x86_64\u0026distro=3.11.12", + "UID": "62fa654ba69800c9" + }, + "InstalledVersion": "1.31.1-r10", + "FixedVersion": "1.31.1-r11", + "Status": "fixed", + "Layer": { + "Digest": "sha256:6a428f9f83b0a29f1fdd2ccccca19a9bab805a925b8eddf432a5a3d3da04afbc", + "DiffID": "sha256:39982b2a789afc156fff00c707d0ff1c6ab4af8f1666a8df4787714059ce24e7" + }, + "SeveritySource": "nvd", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2021-42383", + "DataSource": { + "ID": "alpine", + "Name": "Alpine Secdb", + "URL": 
"https://secdb.alpinelinux.org/" + }, + "Title": "busybox: use-after-free in awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the evaluate()", + "Description": "A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the evaluate function", + "Severity": "HIGH", + "CweIDs": [ + "CWE-416" + ], + "VendorSeverity": { + "nvd": 3, + "redhat": 2 + }, + "CVSS": { + "nvd": { + "V2Vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P", + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", + "V2Score": 6.5, + "V3Score": 7.2 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H", + "V3Score": 6.6 + } + }, + "References": [ + "https://access.redhat.com/security/cve/CVE-2021-42383", + "https://claroty.com/team82/research/unboxing-busybox-14-vulnerabilities-uncovered-by-claroty-jfrog", + "https://jfrog.com/blog/unboxing-busybox-14-new-vulnerabilities-uncovered-by-claroty-and-jfrog/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6T2TURBYYJGBMQTTN2DSOAIQGP7WCPGV/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UQXGOGWBIYWOIVXJVRKHZR34UMEHQBXS/", + "https://nvd.nist.gov/vuln/detail/CVE-2021-42383", + "https://security.netapp.com/advisory/ntap-20211223-0002/", + "https://www.cve.org/CVERecord?id=CVE-2021-42383" + ], + "PublishedDate": "2021-11-15T21:15:08.017Z", + "LastModifiedDate": "2023-11-07T03:39:10.66Z" + }, + { + "VulnerabilityID": "CVE-2021-42384", + "PkgID": "ssl_client@1.31.1-r10", + "PkgName": "ssl_client", + "PkgIdentifier": { + "PURL": "pkg:apk/alpine/ssl_client@1.31.1-r10?arch=x86_64\u0026distro=3.11.12", + "UID": "62fa654ba69800c9" + }, + "InstalledVersion": "1.31.1-r10", + "FixedVersion": "1.31.1-r11", + "Status": "fixed", + "Layer": { + "Digest": 
"sha256:6a428f9f83b0a29f1fdd2ccccca19a9bab805a925b8eddf432a5a3d3da04afbc", + "DiffID": "sha256:39982b2a789afc156fff00c707d0ff1c6ab4af8f1666a8df4787714059ce24e7" + }, + "SeveritySource": "nvd", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2021-42384", + "DataSource": { + "ID": "alpine", + "Name": "Alpine Secdb", + "URL": "https://secdb.alpinelinux.org/" + }, + "Title": "busybox: use-after-free in awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the handle_special()", + "Description": "A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the handle_special function", + "Severity": "HIGH", + "CweIDs": [ + "CWE-416" + ], + "VendorSeverity": { + "amazon": 2, + "cbl-mariner": 3, + "nvd": 3, + "redhat": 2, + "ubuntu": 1 + }, + "CVSS": { + "nvd": { + "V2Vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P", + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", + "V2Score": 6.5, + "V3Score": 7.2 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H", + "V3Score": 6.6 + } + }, + "References": [ + "https://access.redhat.com/security/cve/CVE-2021-42384", + "https://claroty.com/team82/research/unboxing-busybox-14-vulnerabilities-uncovered-by-claroty-jfrog", + "https://jfrog.com/blog/unboxing-busybox-14-new-vulnerabilities-uncovered-by-claroty-and-jfrog/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6T2TURBYYJGBMQTTN2DSOAIQGP7WCPGV/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UQXGOGWBIYWOIVXJVRKHZR34UMEHQBXS/", + "https://nvd.nist.gov/vuln/detail/CVE-2021-42384", + "https://security.netapp.com/advisory/ntap-20211223-0002/", + "https://ubuntu.com/security/notices/USN-5179-1", + "https://www.cve.org/CVERecord?id=CVE-2021-42384" + ], + "PublishedDate": "2021-11-15T21:15:08.07Z", + "LastModifiedDate": 
"2023-11-07T03:39:10.737Z" + }, + { + "VulnerabilityID": "CVE-2021-42385", + "PkgID": "ssl_client@1.31.1-r10", + "PkgName": "ssl_client", + "PkgIdentifier": { + "PURL": "pkg:apk/alpine/ssl_client@1.31.1-r10?arch=x86_64\u0026distro=3.11.12", + "UID": "62fa654ba69800c9" + }, + "InstalledVersion": "1.31.1-r10", + "FixedVersion": "1.31.1-r11", + "Status": "fixed", + "Layer": { + "Digest": "sha256:6a428f9f83b0a29f1fdd2ccccca19a9bab805a925b8eddf432a5a3d3da04afbc", + "DiffID": "sha256:39982b2a789afc156fff00c707d0ff1c6ab4af8f1666a8df4787714059ce24e7" + }, + "SeveritySource": "nvd", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2021-42385", + "DataSource": { + "ID": "alpine", + "Name": "Alpine Secdb", + "URL": "https://secdb.alpinelinux.org/" + }, + "Title": "busybox: use-after-free in awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the evaluate()", + "Description": "A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the evaluate function", + "Severity": "HIGH", + "CweIDs": [ + "CWE-416" + ], + "VendorSeverity": { + "amazon": 2, + "cbl-mariner": 3, + "nvd": 3, + "redhat": 2, + "ubuntu": 1 + }, + "CVSS": { + "nvd": { + "V2Vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P", + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", + "V2Score": 6.5, + "V3Score": 7.2 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H", + "V3Score": 6.6 + } + }, + "References": [ + "https://access.redhat.com/security/cve/CVE-2021-42385", + "https://claroty.com/team82/research/unboxing-busybox-14-vulnerabilities-uncovered-by-claroty-jfrog", + "https://jfrog.com/blog/unboxing-busybox-14-new-vulnerabilities-uncovered-by-claroty-and-jfrog/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6T2TURBYYJGBMQTTN2DSOAIQGP7WCPGV/", + 
"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UQXGOGWBIYWOIVXJVRKHZR34UMEHQBXS/", + "https://nvd.nist.gov/vuln/detail/CVE-2021-42385", + "https://security.netapp.com/advisory/ntap-20211223-0002/", + "https://ubuntu.com/security/notices/USN-5179-1", + "https://www.cve.org/CVERecord?id=CVE-2021-42385" + ], + "PublishedDate": "2021-11-15T21:15:08.123Z", + "LastModifiedDate": "2023-11-07T03:39:10.82Z" + }, + { + "VulnerabilityID": "CVE-2021-42386", + "PkgID": "ssl_client@1.31.1-r10", + "PkgName": "ssl_client", + "PkgIdentifier": { + "PURL": "pkg:apk/alpine/ssl_client@1.31.1-r10?arch=x86_64\u0026distro=3.11.12", + "UID": "62fa654ba69800c9" + }, + "InstalledVersion": "1.31.1-r10", + "FixedVersion": "1.31.1-r11", + "Status": "fixed", + "Layer": { + "Digest": "sha256:6a428f9f83b0a29f1fdd2ccccca19a9bab805a925b8eddf432a5a3d3da04afbc", + "DiffID": "sha256:39982b2a789afc156fff00c707d0ff1c6ab4af8f1666a8df4787714059ce24e7" + }, + "SeveritySource": "nvd", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2021-42386", + "DataSource": { + "ID": "alpine", + "Name": "Alpine Secdb", + "URL": "https://secdb.alpinelinux.org/" + }, + "Title": "busybox: use-after-free in awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the nvalloc()", + "Description": "A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the nvalloc function", + "Severity": "HIGH", + "CweIDs": [ + "CWE-416" + ], + "VendorSeverity": { + "amazon": 2, + "cbl-mariner": 3, + "nvd": 3, + "redhat": 2, + "ubuntu": 1 + }, + "CVSS": { + "nvd": { + "V2Vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P", + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", + "V2Score": 6.5, + "V3Score": 7.2 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H", + "V3Score": 6.6 + } + }, + "References": [ + 
"https://access.redhat.com/security/cve/CVE-2021-42386", + "https://claroty.com/team82/research/unboxing-busybox-14-vulnerabilities-uncovered-by-claroty-jfrog", + "https://jfrog.com/blog/unboxing-busybox-14-new-vulnerabilities-uncovered-by-claroty-and-jfrog/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6T2TURBYYJGBMQTTN2DSOAIQGP7WCPGV/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UQXGOGWBIYWOIVXJVRKHZR34UMEHQBXS/", + "https://nvd.nist.gov/vuln/detail/CVE-2021-42386", + "https://security.netapp.com/advisory/ntap-20211223-0002/", + "https://ubuntu.com/security/notices/USN-5179-1", + "https://www.cve.org/CVERecord?id=CVE-2021-42386" + ], + "PublishedDate": "2021-11-15T21:15:08.173Z", + "LastModifiedDate": "2023-11-07T03:39:10.903Z" + }, + { + "VulnerabilityID": "CVE-2021-42374", + "PkgID": "ssl_client@1.31.1-r10", + "PkgName": "ssl_client", + "PkgIdentifier": { + "PURL": "pkg:apk/alpine/ssl_client@1.31.1-r10?arch=x86_64\u0026distro=3.11.12", + "UID": "62fa654ba69800c9" + }, + "InstalledVersion": "1.31.1-r10", + "FixedVersion": "1.31.1-r11", + "Status": "fixed", + "Layer": { + "Digest": "sha256:6a428f9f83b0a29f1fdd2ccccca19a9bab805a925b8eddf432a5a3d3da04afbc", + "DiffID": "sha256:39982b2a789afc156fff00c707d0ff1c6ab4af8f1666a8df4787714059ce24e7" + }, + "SeveritySource": "nvd", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2021-42374", + "DataSource": { + "ID": "alpine", + "Name": "Alpine Secdb", + "URL": "https://secdb.alpinelinux.org/" + }, + "Title": "busybox: out-of-bounds read in unlzma applet leads to information leak and denial of service when crafted LZMA-compressed input is decompressed", + "Description": "An out-of-bounds heap read in Busybox's unlzma applet leads to information leak and denial of service when crafted LZMA-compressed input is decompressed. 
This can be triggered by any applet/format that", + "Severity": "MEDIUM", + "CweIDs": [ + "CWE-125" + ], + "VendorSeverity": { + "azure": 2, + "cbl-mariner": 2, + "nvd": 2, + "redhat": 2, + "ubuntu": 1 + }, + "CVSS": { + "nvd": { + "V2Vector": "AV:L/AC:M/Au:N/C:P/I:N/A:P", + "V3Vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:H", + "V2Score": 3.3, + "V3Score": 5.3 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:H", + "V3Score": 5.7 + } + }, + "References": [ + "https://access.redhat.com/security/cve/CVE-2021-42374", + "https://claroty.com/team82/research/unboxing-busybox-14-vulnerabilities-uncovered-by-claroty-jfrog", + "https://jfrog.com/blog/unboxing-busybox-14-new-vulnerabilities-uncovered-by-claroty-and-jfrog/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6T2TURBYYJGBMQTTN2DSOAIQGP7WCPGV/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UQXGOGWBIYWOIVXJVRKHZR34UMEHQBXS/", + "https://nvd.nist.gov/vuln/detail/CVE-2021-42374", + "https://security.netapp.com/advisory/ntap-20211223-0002/", + "https://ubuntu.com/security/notices/USN-5179-1", + "https://www.cve.org/CVERecord?id=CVE-2021-42374" + ], + "PublishedDate": "2021-11-15T21:15:07.54Z", + "LastModifiedDate": "2023-11-07T03:39:09.877Z" + }, + { + "VulnerabilityID": "CVE-2022-37434", + "PkgID": "zlib@1.2.11-r3", + "PkgName": "zlib", + "PkgIdentifier": { + "PURL": "pkg:apk/alpine/zlib@1.2.11-r3?arch=x86_64\u0026distro=3.11.12", + "UID": "f19e2e44f8301a3f" + }, + "InstalledVersion": "1.2.11-r3", + "FixedVersion": "1.2.11-r4", + "Status": "fixed", + "Layer": { + "Digest": "sha256:6a428f9f83b0a29f1fdd2ccccca19a9bab805a925b8eddf432a5a3d3da04afbc", + "DiffID": "sha256:39982b2a789afc156fff00c707d0ff1c6ab4af8f1666a8df4787714059ce24e7" + }, + "SeveritySource": "nvd", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2022-37434", + "DataSource": { + "ID": "alpine", + "Name": "Alpine 
Secdb", + "URL": "https://secdb.alpinelinux.org/" + }, + "Title": "zlib: heap-based buffer over-read and overflow in inflate() in inflate.c via a large gzip header extra field", + "Description": "zlib through 1.2.12 has a heap-based buffer over-read or buffer overflow in inflate in inflate.c via a large gzip header extra field. NOTE: only applications that call inflateGetHeader are affected. Some common applications bundle the affected zlib source code but may be unable to call inflateGetHeader (e.g., see the nodejs/node reference).", + "Severity": "CRITICAL", + "CweIDs": [ + "CWE-787" + ], + "VendorSeverity": { + "alma": 2, + "amazon": 3, + "azure": 4, + "cbl-mariner": 4, + "nvd": 4, + "oracle-oval": 2, + "photon": 4, + "redhat": 2, + "rocky": 2, + "ubuntu": 2 + }, + "CVSS": { + "nvd": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "V3Score": 9.8 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:H", + "V3Score": 7 + } + }, + "References": [ + "http://seclists.org/fulldisclosure/2022/Oct/37", + "http://seclists.org/fulldisclosure/2022/Oct/38", + "http://seclists.org/fulldisclosure/2022/Oct/41", + "http://seclists.org/fulldisclosure/2022/Oct/42", + "http://www.openwall.com/lists/oss-security/2022/08/05/2", + "http://www.openwall.com/lists/oss-security/2022/08/09/1", + "https://access.redhat.com/errata/RHSA-2022:8291", + "https://access.redhat.com/security/cve/CVE-2022-37434", + "https://bugzilla.redhat.com/2116639", + "https://bugzilla.redhat.com/show_bug.cgi?id=2053198", + "https://bugzilla.redhat.com/show_bug.cgi?id=2077431", + "https://bugzilla.redhat.com/show_bug.cgi?id=2081296", + "https://bugzilla.redhat.com/show_bug.cgi?id=2116639", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-37434", + "https://errata.almalinux.org/9/ALSA-2022-8291.html", + "https://errata.rockylinux.org/RLSA-2022:8291", + "https://github.com/curl/curl/issues/9271", + "https://github.com/ivd38/zlib_overflow", + 
"https://github.com/madler/zlib/blob/21767c654d31d2dccdde4330529775c6c5fd5389/zlib.h#L1062-L1063", + "https://github.com/madler/zlib/commit/eff308af425b67093bab25f80f1ae950166bece1", + "https://github.com/nodejs/node/blob/75b68c6e4db515f76df73af476eccf382bbcb00a/deps/zlib/inflate.c#L762-L764", + "https://linux.oracle.com/cve/CVE-2022-37434.html", + "https://linux.oracle.com/errata/ELSA-2023-1095.html", + "https://lists.debian.org/debian-lts-announce/2022/09/msg00012.html", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JWN4VE3JQR4O2SOUS5TXNLANRPMHWV4I/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NMBOJ77A7T7PQCARMDUK75TE6LLESZ3O/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PAVPQNCG3XRLCLNSQRM3KAN5ZFMVXVTY/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/X5U7OTKZSHY2I3ZFJSR2SHFHW72RKGDK/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YRQAI7H4M4RQZ2IWZUEEXECBE5D56BH2/", + "https://nvd.nist.gov/vuln/detail/CVE-2022-37434", + "https://security.netapp.com/advisory/ntap-20220901-0005/", + "https://security.netapp.com/advisory/ntap-20230427-0007/", + "https://support.apple.com/kb/HT213488", + "https://support.apple.com/kb/HT213489", + "https://support.apple.com/kb/HT213490", + "https://support.apple.com/kb/HT213491", + "https://support.apple.com/kb/HT213493", + "https://support.apple.com/kb/HT213494", + "https://ubuntu.com/security/notices/USN-5570-1", + "https://ubuntu.com/security/notices/USN-5570-2", + "https://ubuntu.com/security/notices/USN-5573-1", + "https://ubuntu.com/security/notices/USN-6736-1", + "https://ubuntu.com/security/notices/USN-6736-2", + "https://www.cve.org/CVERecord?id=CVE-2022-37434", + "https://www.debian.org/security/2022/dsa-5218" + ], + "PublishedDate": 
"2022-08-05T07:15:07.24Z", + "LastModifiedDate": "2023-07-19T00:56:46.373Z" + } + ] }, { - "Target": "Node.js", - "Class": "lang-pkgs", - "Type": "node-pkg", - "Vulnerabilities": [ - { - "VulnerabilityID": "CVE-2021-3807", - "PkgName": "ansi-regex", - "PkgPath": "usr/local/lib/node_modules/npm/node_modules/string-width/node_modules/ansi-regex/package.json", - "InstalledVersion": "3.0.0", - "FixedVersion": "5.0.1, 6.0.1", - "Layer": { + "Target": "Node.js", + "Class": "lang-pkgs", + "Type": "node-pkg", + "Vulnerabilities": [ + { + "VulnerabilityID": "CVE-2021-3807", + "PkgID": "ansi-regex@3.0.0", + "PkgName": "ansi-regex", + "PkgPath": "juice-shop/node_modules/wide-align/node_modules/ansi-regex/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/ansi-regex@3.0.0", + "UID": "1098103cc12bf9e0" + }, + "InstalledVersion": "3.0.0", + "FixedVersion": "6.0.1, 5.0.1, 4.1.1, 3.0.1", + "Status": "fixed", + "Layer": { + "Digest": "sha256:d60b2707975852ac9893dd5f0b9ed98a222f5a8c5b80003dafe8cb2c419d7407", + "DiffID": "sha256:882c984cafed0fa20487f0b4f95474af7d46cff44d735d266633ebcea37e2bd1" + }, + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2021-3807", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Title": "nodejs-ansi-regex: Regular expression denial of service (ReDoS) matching ANSI escape codes", + "Description": "ansi-regex is vulnerable to Inefficient Regular Expression Complexity", + "Severity": "HIGH", + "CweIDs": [ + "CWE-1333" + ], + "VendorSeverity": { + "alma": 2, + "ghsa": 3, + "nvd": 3, + "oracle-oval": 2, + "redhat": 2 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 7.5 + }, + "nvd": { + "V2Vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C", + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V2Score": 7.8, + "V3Score": 7.5 + }, + "redhat": { + "V3Vector": 
"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 7.5 + } + }, + "References": [ + "https://access.redhat.com/errata/RHSA-2022:6595", + "https://access.redhat.com/security/cve/CVE-2021-3807", + "https://app.snyk.io/vuln/SNYK-JS-ANSIREGEX-1583908", + "https://bugzilla.redhat.com/1907444", + "https://bugzilla.redhat.com/1945459", + "https://bugzilla.redhat.com/1964461", + "https://bugzilla.redhat.com/2007557", + "https://bugzilla.redhat.com/2098556", + "https://bugzilla.redhat.com/2102001", + "https://bugzilla.redhat.com/2105422", + "https://bugzilla.redhat.com/2105426", + "https://bugzilla.redhat.com/2105428", + "https://bugzilla.redhat.com/2105430", + "https://errata.almalinux.org/9/ALSA-2022-6595.html", + "https://github.com/chalk/ansi-regex", + "https://github.com/chalk/ansi-regex/commit/419250fa510bf31b4cc672e76537a64f9332e1f1", + "https://github.com/chalk/ansi-regex/commit/75a657da7af875b2e2724fd6331bf0a4b23d3c9a", + "https://github.com/chalk/ansi-regex/commit/8d1d7cdb586269882c4bdc1b7325d0c58c8f76f9", + "https://github.com/chalk/ansi-regex/commit/c3c0b3f2736b9c01feec0fef33980c43720dcde8", + "https://github.com/chalk/ansi-regex/issues/38#issuecomment-924086311", + "https://github.com/chalk/ansi-regex/issues/38#issuecomment-925924774", + "https://github.com/chalk/ansi-regex/releases/tag/v6.0.1", + "https://huntr.dev/bounties/5b3cf33b-ede0-4398-9974-800876dfd994", + "https://linux.oracle.com/cve/CVE-2021-3807.html", + "https://linux.oracle.com/errata/ELSA-2022-6595.html", + "https://nvd.nist.gov/vuln/detail/CVE-2021-3807", + "https://security.netapp.com/advisory/ntap-20221014-0002", + "https://security.netapp.com/advisory/ntap-20221014-0002/", + "https://www.cve.org/CVERecord?id=CVE-2021-3807", + "https://www.oracle.com/security-alerts/cpuapr2022.html" + ], + "PublishedDate": "2021-09-17T07:15:09.273Z", + "LastModifiedDate": "2023-07-10T19:01:59.323Z" + }, + { + "VulnerabilityID": "CVE-2021-3807", + "PkgID": "ansi-regex@3.0.0", + "PkgName": 
"ansi-regex", + "PkgPath": "usr/local/lib/node_modules/npm/node_modules/string-width/node_modules/ansi-regex/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/ansi-regex@3.0.0", + "UID": "309dab489f487476" + }, + "InstalledVersion": "3.0.0", + "FixedVersion": "6.0.1, 5.0.1, 4.1.1, 3.0.1", + "Status": "fixed", + "Layer": { "Digest": "sha256:d0fe2b74aff960282c3c01d80bbbb5b45a12e84f7e2ad3b65daac8f42351d5a6", "DiffID": "sha256:f8700d3a252fffe60e30bc672e8a6560f30a3ce8816f2ad396020553fe4d9210" + }, + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2021-3807", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Title": "nodejs-ansi-regex: Regular expression denial of service (ReDoS) matching ANSI escape codes", + "Description": "ansi-regex is vulnerable to Inefficient Regular Expression Complexity", + "Severity": "HIGH", + "CweIDs": [ + "CWE-1333" + ], + "VendorSeverity": { + "alma": 2, + "ghsa": 3, + "nvd": 3, + "oracle-oval": 2, + "redhat": 2 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 7.5 }, - "SeveritySource": "nvd", - "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2021-3807", - "Title": "nodejs-ansi-regex: Regular expression denial of service (ReDoS) matching ANSI escape codes", - "Description": "ansi-regex is vulnerable to Inefficient Regular Expression Complexity", - "Severity": "HIGH", - "CVSS": { "nvd": { - "V2Vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C", - "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", - "V2Score": 7.8, - "V3Score": 7.5 + "V2Vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C", + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V2Score": 7.8, + "V3Score": 7.5 }, "redhat": { - "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", - "V3Score": 7.5 + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 7.5 } + }, + 
"References": [ + "https://access.redhat.com/errata/RHSA-2022:6595", + "https://access.redhat.com/security/cve/CVE-2021-3807", + "https://app.snyk.io/vuln/SNYK-JS-ANSIREGEX-1583908", + "https://bugzilla.redhat.com/1907444", + "https://bugzilla.redhat.com/1945459", + "https://bugzilla.redhat.com/1964461", + "https://bugzilla.redhat.com/2007557", + "https://bugzilla.redhat.com/2098556", + "https://bugzilla.redhat.com/2102001", + "https://bugzilla.redhat.com/2105422", + "https://bugzilla.redhat.com/2105426", + "https://bugzilla.redhat.com/2105428", + "https://bugzilla.redhat.com/2105430", + "https://errata.almalinux.org/9/ALSA-2022-6595.html", + "https://github.com/chalk/ansi-regex", + "https://github.com/chalk/ansi-regex/commit/419250fa510bf31b4cc672e76537a64f9332e1f1", + "https://github.com/chalk/ansi-regex/commit/75a657da7af875b2e2724fd6331bf0a4b23d3c9a", + "https://github.com/chalk/ansi-regex/commit/8d1d7cdb586269882c4bdc1b7325d0c58c8f76f9", + "https://github.com/chalk/ansi-regex/commit/c3c0b3f2736b9c01feec0fef33980c43720dcde8", + "https://github.com/chalk/ansi-regex/issues/38#issuecomment-924086311", + "https://github.com/chalk/ansi-regex/issues/38#issuecomment-925924774", + "https://github.com/chalk/ansi-regex/releases/tag/v6.0.1", + "https://huntr.dev/bounties/5b3cf33b-ede0-4398-9974-800876dfd994", + "https://linux.oracle.com/cve/CVE-2021-3807.html", + "https://linux.oracle.com/errata/ELSA-2022-6595.html", + "https://nvd.nist.gov/vuln/detail/CVE-2021-3807", + "https://security.netapp.com/advisory/ntap-20221014-0002", + "https://security.netapp.com/advisory/ntap-20221014-0002/", + "https://www.cve.org/CVERecord?id=CVE-2021-3807", + "https://www.oracle.com/security-alerts/cpuapr2022.html" + ], + "PublishedDate": "2021-09-17T07:15:09.273Z", + "LastModifiedDate": "2023-07-10T19:01:59.323Z" + }, + { + "VulnerabilityID": "CVE-2021-3807", + "PkgID": "ansi-regex@4.1.0", + "PkgName": "ansi-regex", + "PkgPath": "juice-shop/node_modules/ansi-regex/package.json", + 
"PkgIdentifier": { + "PURL": "pkg:npm/ansi-regex@4.1.0", + "UID": "495d48f67277b86" + }, + "InstalledVersion": "4.1.0", + "FixedVersion": "6.0.1, 5.0.1, 4.1.1, 3.0.1", + "Status": "fixed", + "Layer": { + "Digest": "sha256:d60b2707975852ac9893dd5f0b9ed98a222f5a8c5b80003dafe8cb2c419d7407", + "DiffID": "sha256:882c984cafed0fa20487f0b4f95474af7d46cff44d735d266633ebcea37e2bd1" + }, + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2021-3807", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Title": "nodejs-ansi-regex: Regular expression denial of service (ReDoS) matching ANSI escape codes", + "Description": "ansi-regex is vulnerable to Inefficient Regular Expression Complexity", + "Severity": "HIGH", + "CweIDs": [ + "CWE-1333" + ], + "VendorSeverity": { + "alma": 2, + "ghsa": 3, + "nvd": 3, + "oracle-oval": 2, + "redhat": 2 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 7.5 }, - "References": [ - "https://github.com/advisories/GHSA-93q8-gq69-wqmw", + "nvd": { + "V2Vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C", + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V2Score": 7.8, + "V3Score": 7.5 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 7.5 + } + }, + "References": [ + "https://access.redhat.com/errata/RHSA-2022:6595", + "https://access.redhat.com/security/cve/CVE-2021-3807", + "https://app.snyk.io/vuln/SNYK-JS-ANSIREGEX-1583908", + "https://bugzilla.redhat.com/1907444", + "https://bugzilla.redhat.com/1945459", + "https://bugzilla.redhat.com/1964461", + "https://bugzilla.redhat.com/2007557", + "https://bugzilla.redhat.com/2098556", + "https://bugzilla.redhat.com/2102001", + "https://bugzilla.redhat.com/2105422", + "https://bugzilla.redhat.com/2105426", + "https://bugzilla.redhat.com/2105428", + 
"https://bugzilla.redhat.com/2105430", + "https://errata.almalinux.org/9/ALSA-2022-6595.html", + "https://github.com/chalk/ansi-regex", + "https://github.com/chalk/ansi-regex/commit/419250fa510bf31b4cc672e76537a64f9332e1f1", + "https://github.com/chalk/ansi-regex/commit/75a657da7af875b2e2724fd6331bf0a4b23d3c9a", "https://github.com/chalk/ansi-regex/commit/8d1d7cdb586269882c4bdc1b7325d0c58c8f76f9", + "https://github.com/chalk/ansi-regex/commit/c3c0b3f2736b9c01feec0fef33980c43720dcde8", + "https://github.com/chalk/ansi-regex/issues/38#issuecomment-924086311", + "https://github.com/chalk/ansi-regex/issues/38#issuecomment-925924774", + "https://github.com/chalk/ansi-regex/releases/tag/v6.0.1", "https://huntr.dev/bounties/5b3cf33b-ede0-4398-9974-800876dfd994", - "https://nvd.nist.gov/vuln/detail/CVE-2021-3807" - ], - "PublishedDate": "2021-09-17T07:15:00Z", - "LastModifiedDate": "2021-10-19T13:11:00Z" - }, - { - "VulnerabilityID": "CVE-2021-3807", - "PkgName": "ansi-regex", - "PkgPath": "usr/local/lib/node_modules/npm/node_modules/yargs/node_modules/ansi-regex/package.json", - "InstalledVersion": "4.1.0", - "FixedVersion": "5.0.1, 6.0.1", - "Layer": { + "https://linux.oracle.com/cve/CVE-2021-3807.html", + "https://linux.oracle.com/errata/ELSA-2022-6595.html", + "https://nvd.nist.gov/vuln/detail/CVE-2021-3807", + "https://security.netapp.com/advisory/ntap-20221014-0002", + "https://security.netapp.com/advisory/ntap-20221014-0002/", + "https://www.cve.org/CVERecord?id=CVE-2021-3807", + "https://www.oracle.com/security-alerts/cpuapr2022.html" + ], + "PublishedDate": "2021-09-17T07:15:09.273Z", + "LastModifiedDate": "2023-07-10T19:01:59.323Z" + }, + { + "VulnerabilityID": "CVE-2021-3807", + "PkgID": "ansi-regex@4.1.0", + "PkgName": "ansi-regex", + "PkgPath": "usr/local/lib/node_modules/npm/node_modules/cliui/node_modules/ansi-regex/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/ansi-regex@4.1.0", + "UID": "a3d035bf18fbde1b" + }, + "InstalledVersion": "4.1.0", + 
"FixedVersion": "6.0.1, 5.0.1, 4.1.1, 3.0.1", + "Status": "fixed", + "Layer": { "Digest": "sha256:d0fe2b74aff960282c3c01d80bbbb5b45a12e84f7e2ad3b65daac8f42351d5a6", "DiffID": "sha256:f8700d3a252fffe60e30bc672e8a6560f30a3ce8816f2ad396020553fe4d9210" + }, + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2021-3807", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Title": "nodejs-ansi-regex: Regular expression denial of service (ReDoS) matching ANSI escape codes", + "Description": "ansi-regex is vulnerable to Inefficient Regular Expression Complexity", + "Severity": "HIGH", + "CweIDs": [ + "CWE-1333" + ], + "VendorSeverity": { + "alma": 2, + "ghsa": 3, + "nvd": 3, + "oracle-oval": 2, + "redhat": 2 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 7.5 }, - "SeveritySource": "nvd", - "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2021-3807", - "Title": "nodejs-ansi-regex: Regular expression denial of service (ReDoS) matching ANSI escape codes", - "Description": "ansi-regex is vulnerable to Inefficient Regular Expression Complexity", - "Severity": "HIGH", - "CVSS": { "nvd": { - "V2Vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C", - "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", - "V2Score": 7.8, - "V3Score": 7.5 + "V2Vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C", + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V2Score": 7.8, + "V3Score": 7.5 }, "redhat": { - "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", - "V3Score": 7.5 + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 7.5 } + }, + "References": [ + "https://access.redhat.com/errata/RHSA-2022:6595", + "https://access.redhat.com/security/cve/CVE-2021-3807", + "https://app.snyk.io/vuln/SNYK-JS-ANSIREGEX-1583908", + "https://bugzilla.redhat.com/1907444", + 
"https://bugzilla.redhat.com/1945459", + "https://bugzilla.redhat.com/1964461", + "https://bugzilla.redhat.com/2007557", + "https://bugzilla.redhat.com/2098556", + "https://bugzilla.redhat.com/2102001", + "https://bugzilla.redhat.com/2105422", + "https://bugzilla.redhat.com/2105426", + "https://bugzilla.redhat.com/2105428", + "https://bugzilla.redhat.com/2105430", + "https://errata.almalinux.org/9/ALSA-2022-6595.html", + "https://github.com/chalk/ansi-regex", + "https://github.com/chalk/ansi-regex/commit/419250fa510bf31b4cc672e76537a64f9332e1f1", + "https://github.com/chalk/ansi-regex/commit/75a657da7af875b2e2724fd6331bf0a4b23d3c9a", + "https://github.com/chalk/ansi-regex/commit/8d1d7cdb586269882c4bdc1b7325d0c58c8f76f9", + "https://github.com/chalk/ansi-regex/commit/c3c0b3f2736b9c01feec0fef33980c43720dcde8", + "https://github.com/chalk/ansi-regex/issues/38#issuecomment-924086311", + "https://github.com/chalk/ansi-regex/issues/38#issuecomment-925924774", + "https://github.com/chalk/ansi-regex/releases/tag/v6.0.1", + "https://huntr.dev/bounties/5b3cf33b-ede0-4398-9974-800876dfd994", + "https://linux.oracle.com/cve/CVE-2021-3807.html", + "https://linux.oracle.com/errata/ELSA-2022-6595.html", + "https://nvd.nist.gov/vuln/detail/CVE-2021-3807", + "https://security.netapp.com/advisory/ntap-20221014-0002", + "https://security.netapp.com/advisory/ntap-20221014-0002/", + "https://www.cve.org/CVERecord?id=CVE-2021-3807", + "https://www.oracle.com/security-alerts/cpuapr2022.html" + ], + "PublishedDate": "2021-09-17T07:15:09.273Z", + "LastModifiedDate": "2023-07-10T19:01:59.323Z" + }, + { + "VulnerabilityID": "CVE-2021-3807", + "PkgID": "ansi-regex@4.1.0", + "PkgName": "ansi-regex", + "PkgPath": "usr/local/lib/node_modules/npm/node_modules/wrap-ansi/node_modules/ansi-regex/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/ansi-regex@4.1.0", + "UID": "3ca73d6adee4eb36" + }, + "InstalledVersion": "4.1.0", + "FixedVersion": "6.0.1, 5.0.1, 4.1.1, 3.0.1", + "Status": "fixed", 
+ "Layer": { + "Digest": "sha256:d0fe2b74aff960282c3c01d80bbbb5b45a12e84f7e2ad3b65daac8f42351d5a6", + "DiffID": "sha256:f8700d3a252fffe60e30bc672e8a6560f30a3ce8816f2ad396020553fe4d9210" + }, + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2021-3807", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Title": "nodejs-ansi-regex: Regular expression denial of service (ReDoS) matching ANSI escape codes", + "Description": "ansi-regex is vulnerable to Inefficient Regular Expression Complexity", + "Severity": "HIGH", + "CweIDs": [ + "CWE-1333" + ], + "VendorSeverity": { + "alma": 2, + "ghsa": 3, + "nvd": 3, + "oracle-oval": 2, + "redhat": 2 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 7.5 }, - "References": [ - "https://github.com/advisories/GHSA-93q8-gq69-wqmw", + "nvd": { + "V2Vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C", + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V2Score": 7.8, + "V3Score": 7.5 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 7.5 + } + }, + "References": [ + "https://access.redhat.com/errata/RHSA-2022:6595", + "https://access.redhat.com/security/cve/CVE-2021-3807", + "https://app.snyk.io/vuln/SNYK-JS-ANSIREGEX-1583908", + "https://bugzilla.redhat.com/1907444", + "https://bugzilla.redhat.com/1945459", + "https://bugzilla.redhat.com/1964461", + "https://bugzilla.redhat.com/2007557", + "https://bugzilla.redhat.com/2098556", + "https://bugzilla.redhat.com/2102001", + "https://bugzilla.redhat.com/2105422", + "https://bugzilla.redhat.com/2105426", + "https://bugzilla.redhat.com/2105428", + "https://bugzilla.redhat.com/2105430", + "https://errata.almalinux.org/9/ALSA-2022-6595.html", + "https://github.com/chalk/ansi-regex", + 
"https://github.com/chalk/ansi-regex/commit/419250fa510bf31b4cc672e76537a64f9332e1f1", + "https://github.com/chalk/ansi-regex/commit/75a657da7af875b2e2724fd6331bf0a4b23d3c9a", "https://github.com/chalk/ansi-regex/commit/8d1d7cdb586269882c4bdc1b7325d0c58c8f76f9", + "https://github.com/chalk/ansi-regex/commit/c3c0b3f2736b9c01feec0fef33980c43720dcde8", + "https://github.com/chalk/ansi-regex/issues/38#issuecomment-924086311", + "https://github.com/chalk/ansi-regex/issues/38#issuecomment-925924774", + "https://github.com/chalk/ansi-regex/releases/tag/v6.0.1", "https://huntr.dev/bounties/5b3cf33b-ede0-4398-9974-800876dfd994", - "https://nvd.nist.gov/vuln/detail/CVE-2021-3807" - ], - "PublishedDate": "2021-09-17T07:15:00Z", - "LastModifiedDate": "2021-10-19T13:11:00Z" + "https://linux.oracle.com/cve/CVE-2021-3807.html", + "https://linux.oracle.com/errata/ELSA-2022-6595.html", + "https://nvd.nist.gov/vuln/detail/CVE-2021-3807", + "https://security.netapp.com/advisory/ntap-20221014-0002", + "https://security.netapp.com/advisory/ntap-20221014-0002/", + "https://www.cve.org/CVERecord?id=CVE-2021-3807", + "https://www.oracle.com/security-alerts/cpuapr2022.html" + ], + "PublishedDate": "2021-09-17T07:15:09.273Z", + "LastModifiedDate": "2023-07-10T19:01:59.323Z" }, { - "VulnerabilityID": "NSWG-ECO-428", - "PkgName": "base64url", - "PkgPath": "juice-shop/node_modules/base64url/package.json", - "InstalledVersion": "0.0.6", - "FixedVersion": "\u003e=3.0.0", - "Layer": { - "Digest": "sha256:d60b2707975852ac9893dd5f0b9ed98a222f5a8c5b80003dafe8cb2c419d7407", - "DiffID": "sha256:882c984cafed0fa20487f0b4f95474af7d46cff44d735d266633ebcea37e2bd1" + "VulnerabilityID": "CVE-2021-3807", + "PkgID": "ansi-regex@4.1.0", + "PkgName": "ansi-regex", + "PkgPath": "usr/local/lib/node_modules/npm/node_modules/yargs/node_modules/ansi-regex/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/ansi-regex@4.1.0", + "UID": "d1789b4674b23b4e" + }, + "InstalledVersion": "4.1.0", + "FixedVersion": "6.0.1, 
5.0.1, 4.1.1, 3.0.1", + "Status": "fixed", + "Layer": { + "Digest": "sha256:d0fe2b74aff960282c3c01d80bbbb5b45a12e84f7e2ad3b65daac8f42351d5a6", + "DiffID": "sha256:f8700d3a252fffe60e30bc672e8a6560f30a3ce8816f2ad396020553fe4d9210" + }, + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2021-3807", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Title": "nodejs-ansi-regex: Regular expression denial of service (ReDoS) matching ANSI escape codes", + "Description": "ansi-regex is vulnerable to Inefficient Regular Expression Complexity", + "Severity": "HIGH", + "CweIDs": [ + "CWE-1333" + ], + "VendorSeverity": { + "alma": 2, + "ghsa": 3, + "nvd": 3, + "oracle-oval": 2, + "redhat": 2 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 7.5 }, - "Title": "Out-of-bounds Read", - "Description": "`base64url` allocates uninitialized Buffers when number is passed in input on Node.js 4.x and below", - "Severity": "HIGH", - "References": [ - "https://github.com/brianloveswords/base64url/pull/25", - "https://hackerone.com/reports/321687" - ] + "nvd": { + "V2Vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C", + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V2Score": 7.8, + "V3Score": 7.5 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 7.5 + } + }, + "References": [ + "https://access.redhat.com/errata/RHSA-2022:6595", + "https://access.redhat.com/security/cve/CVE-2021-3807", + "https://app.snyk.io/vuln/SNYK-JS-ANSIREGEX-1583908", + "https://bugzilla.redhat.com/1907444", + "https://bugzilla.redhat.com/1945459", + "https://bugzilla.redhat.com/1964461", + "https://bugzilla.redhat.com/2007557", + "https://bugzilla.redhat.com/2098556", + "https://bugzilla.redhat.com/2102001", + "https://bugzilla.redhat.com/2105422", + 
"https://bugzilla.redhat.com/2105426", + "https://bugzilla.redhat.com/2105428", + "https://bugzilla.redhat.com/2105430", + "https://errata.almalinux.org/9/ALSA-2022-6595.html", + "https://github.com/chalk/ansi-regex", + "https://github.com/chalk/ansi-regex/commit/419250fa510bf31b4cc672e76537a64f9332e1f1", + "https://github.com/chalk/ansi-regex/commit/75a657da7af875b2e2724fd6331bf0a4b23d3c9a", + "https://github.com/chalk/ansi-regex/commit/8d1d7cdb586269882c4bdc1b7325d0c58c8f76f9", + "https://github.com/chalk/ansi-regex/commit/c3c0b3f2736b9c01feec0fef33980c43720dcde8", + "https://github.com/chalk/ansi-regex/issues/38#issuecomment-924086311", + "https://github.com/chalk/ansi-regex/issues/38#issuecomment-925924774", + "https://github.com/chalk/ansi-regex/releases/tag/v6.0.1", + "https://huntr.dev/bounties/5b3cf33b-ede0-4398-9974-800876dfd994", + "https://linux.oracle.com/cve/CVE-2021-3807.html", + "https://linux.oracle.com/errata/ELSA-2022-6595.html", + "https://nvd.nist.gov/vuln/detail/CVE-2021-3807", + "https://security.netapp.com/advisory/ntap-20221014-0002", + "https://security.netapp.com/advisory/ntap-20221014-0002/", + "https://www.cve.org/CVERecord?id=CVE-2021-3807", + "https://www.oracle.com/security-alerts/cpuapr2022.html" + ], + "PublishedDate": "2021-09-17T07:15:09.273Z", + "LastModifiedDate": "2023-07-10T19:01:59.323Z" }, { - "VulnerabilityID": "GHSA-rvg8-pwq2-xj7q", - "PkgName": "base64url", - "PkgPath": "juice-shop/node_modules/base64url/package.json", - "InstalledVersion": "0.0.6", - "FixedVersion": "3.0.0", - "Layer": { + "VulnerabilityID": "CVE-2021-43138", + "PkgID": "async@2.6.3", + "PkgName": "async", + "PkgPath": "juice-shop/node_modules/archiver/node_modules/async/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/async@2.6.3", + "UID": "d832dd7e90709667" + }, + "InstalledVersion": "2.6.3", + "FixedVersion": "3.2.2, 2.6.4", + "Status": "fixed", + "Layer": { "Digest": "sha256:d60b2707975852ac9893dd5f0b9ed98a222f5a8c5b80003dafe8cb2c419d7407", 
"DiffID": "sha256:882c984cafed0fa20487f0b4f95474af7d46cff44d735d266633ebcea37e2bd1" + }, + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2021-43138", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Title": "async: Prototype Pollution in async", + "Description": "In Async before 2.6.4 and 3.x before 3.2.2, a malicious user can obtain privileges via the mapValues() method, aka lib/internal/iterator.js createObjectIterator prototype pollution.", + "Severity": "HIGH", + "CweIDs": [ + "CWE-1321" + ], + "VendorSeverity": { + "ghsa": 3, + "nvd": 3, + "redhat": 2 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "V3Score": 7.8 }, - "PrimaryURL": "https://github.com/advisories/GHSA-rvg8-pwq2-xj7q", - "Title": "Out-of-bounds Read in base64url", - "Description": "Versions of `base64url` before 3.0.0 are vulnerable to to out-of-bounds reads as it allocates uninitialized Buffers when number is passed in input on Node.js 4.x and below.\n\n\n## Recommendation\n\nUpdate to version 3.0.0 or later.", - "Severity": "MEDIUM", - "References": [ - "https://github.com/advisories/GHSA-rvg8-pwq2-xj7q", - "https://github.com/brianloveswords/base64url/pull/25" - ] + "nvd": { + "V2Vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P", + "V3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "V2Score": 6.8, + "V3Score": 7.8 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "V3Score": 7.8 + } + }, + "References": [ + "https://access.redhat.com/security/cve/CVE-2021-43138", + "https://github.com/advisories/GHSA-fwr7-v2mv-hh25", + "https://github.com/caolan/async", + "https://github.com/caolan/async/blob/master/lib/internal/iterator.js", + "https://github.com/caolan/async/blob/master/lib/mapValuesLimit.js", + "https://github.com/caolan/async/blob/v2.6.4/CHANGELOG.md#v264", + 
"https://github.com/caolan/async/commit/8f7f90342a6571ba1c197d747ebed30c368096d2", + "https://github.com/caolan/async/commit/e1ecdbf79264f9ab488c7799f4c76996d5dca66d", + "https://github.com/caolan/async/compare/v2.6.3...v2.6.4", + "https://github.com/caolan/async/pull/1828", + "https://jsfiddle.net/oz5twjd9", + "https://jsfiddle.net/oz5twjd9/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MTEUUTNIEBHGKUKKLNUZSV7IEP6IP3Q3", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MTEUUTNIEBHGKUKKLNUZSV7IEP6IP3Q3/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UM6XJ73Q3NAM5KSGCOKJ2ZIA6GUWUJLK", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UM6XJ73Q3NAM5KSGCOKJ2ZIA6GUWUJLK/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MTEUUTNIEBHGKUKKLNUZSV7IEP6IP3Q3", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UM6XJ73Q3NAM5KSGCOKJ2ZIA6GUWUJLK", + "https://nvd.nist.gov/vuln/detail/CVE-2021-43138", + "https://security.netapp.com/advisory/ntap-20240621-0006", + "https://security.netapp.com/advisory/ntap-20240621-0006/", + "https://www.cve.org/CVERecord?id=CVE-2021-43138" + ], + "PublishedDate": "2022-04-06T17:15:08.65Z", + "LastModifiedDate": "2024-06-21T19:15:20.737Z" }, { - "VulnerabilityID": "GHSA-h6ch-v84p-w6p9", - "PkgName": "diff", - "PkgPath": "juice-shop/node_modules/clarinet/benchmark/node_modules/diff/package.json", - "InstalledVersion": "1.0.2", - "FixedVersion": "3.5.0", - "Layer": { + "VulnerabilityID": "CVE-2021-43138", + "PkgID": "async@2.6.3", + "PkgName": "async", + "PkgPath": "juice-shop/node_modules/kuromoji/node_modules/async/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/async@2.6.3", + "UID": "fe6478e41a1c8305" + }, + "InstalledVersion": "2.6.3", 
+ "FixedVersion": "3.2.2, 2.6.4", + "Status": "fixed", + "Layer": { "Digest": "sha256:d60b2707975852ac9893dd5f0b9ed98a222f5a8c5b80003dafe8cb2c419d7407", "DiffID": "sha256:882c984cafed0fa20487f0b4f95474af7d46cff44d735d266633ebcea37e2bd1" + }, + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2021-43138", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Title": "async: Prototype Pollution in async", + "Description": "In Async before 2.6.4 and 3.x before 3.2.2, a malicious user can obtain privileges via the mapValues() method, aka lib/internal/iterator.js createObjectIterator prototype pollution.", + "Severity": "HIGH", + "CweIDs": [ + "CWE-1321" + ], + "VendorSeverity": { + "ghsa": 3, + "nvd": 3, + "redhat": 2 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "V3Score": 7.8 }, - "PrimaryURL": "https://github.com/advisories/GHSA-h6ch-v84p-w6p9", - "Title": "Regular Expression Denial of Service (ReDoS)", - "Description": "A vulnerability was found in diff before v3.5.0, the affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) attacks.", - "Severity": "HIGH", - "References": [ - "https://github.com/advisories/GHSA-h6ch-v84p-w6p9", - "https://github.com/kpdecker/jsdiff/commit/2aec4298639bf30fb88a00b356bf404d3551b8c0" - ] + "nvd": { + "V2Vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P", + "V3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "V2Score": 6.8, + "V3Score": 7.8 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "V3Score": 7.8 + } + }, + "References": [ + "https://access.redhat.com/security/cve/CVE-2021-43138", + "https://github.com/advisories/GHSA-fwr7-v2mv-hh25", + "https://github.com/caolan/async", + "https://github.com/caolan/async/blob/master/lib/internal/iterator.js", + 
"https://github.com/caolan/async/blob/master/lib/mapValuesLimit.js", + "https://github.com/caolan/async/blob/v2.6.4/CHANGELOG.md#v264", + "https://github.com/caolan/async/commit/8f7f90342a6571ba1c197d747ebed30c368096d2", + "https://github.com/caolan/async/commit/e1ecdbf79264f9ab488c7799f4c76996d5dca66d", + "https://github.com/caolan/async/compare/v2.6.3...v2.6.4", + "https://github.com/caolan/async/pull/1828", + "https://jsfiddle.net/oz5twjd9", + "https://jsfiddle.net/oz5twjd9/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MTEUUTNIEBHGKUKKLNUZSV7IEP6IP3Q3", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MTEUUTNIEBHGKUKKLNUZSV7IEP6IP3Q3/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UM6XJ73Q3NAM5KSGCOKJ2ZIA6GUWUJLK", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UM6XJ73Q3NAM5KSGCOKJ2ZIA6GUWUJLK/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MTEUUTNIEBHGKUKKLNUZSV7IEP6IP3Q3", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UM6XJ73Q3NAM5KSGCOKJ2ZIA6GUWUJLK", + "https://nvd.nist.gov/vuln/detail/CVE-2021-43138", + "https://security.netapp.com/advisory/ntap-20240621-0006", + "https://security.netapp.com/advisory/ntap-20240621-0006/", + "https://www.cve.org/CVERecord?id=CVE-2021-43138" + ], + "PublishedDate": "2022-04-06T17:15:08.65Z", + "LastModifiedDate": "2024-06-21T19:15:20.737Z" }, { - "VulnerabilityID": "CVE-2020-15084", - "PkgName": "express-jwt", - "PkgPath": "juice-shop/node_modules/express-jwt/package.json", - "InstalledVersion": "0.1.3", - "FixedVersion": "6.0.0", - "Layer": { + "VulnerabilityID": "CVE-2021-43138", + "PkgID": "async@2.6.3", + "PkgName": "async", + "PkgPath": "juice-shop/node_modules/portscanner/node_modules/async/package.json", 
+ "PkgIdentifier": { + "PURL": "pkg:npm/async@2.6.3", + "UID": "b39f17aad08c794" + }, + "InstalledVersion": "2.6.3", + "FixedVersion": "3.2.2, 2.6.4", + "Status": "fixed", + "Layer": { "Digest": "sha256:d60b2707975852ac9893dd5f0b9ed98a222f5a8c5b80003dafe8cb2c419d7407", "DiffID": "sha256:882c984cafed0fa20487f0b4f95474af7d46cff44d735d266633ebcea37e2bd1" + }, + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2021-43138", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Title": "async: Prototype Pollution in async", + "Description": "In Async before 2.6.4 and 3.x before 3.2.2, a malicious user can obtain privileges via the mapValues() method, aka lib/internal/iterator.js createObjectIterator prototype pollution.", + "Severity": "HIGH", + "CweIDs": [ + "CWE-1321" + ], + "VendorSeverity": { + "ghsa": 3, + "nvd": 3, + "redhat": 2 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "V3Score": 7.8 }, - "SeveritySource": "nvd", - "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2020-15084", - "Title": "Authorization bypass in express-jwt", - "Description": "In express-jwt (NPM package) up and including version 5.3.3, the algorithms entry to be specified in the configuration is not being enforced. When algorithms is not specified in the configuration, with the combination of jwks-rsa, it may lead to authorization bypass. You are affected by this vulnerability if all of the following conditions apply: - You are using express-jwt - You do not have **algorithms** configured in your express-jwt configuration. - You are using libraries such as jwks-rsa as the **secret**. You can fix this by specifying **algorithms** in the express-jwt configuration. See linked GHSA for example. 
This is also fixed in version 6.0.0.", - "Severity": "CRITICAL", - "CweIDs": [ - "CWE-285" - ], - "CVSS": { "nvd": { - "V2Vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N", - "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", - "V2Score": 4.3, - "V3Score": 9.1 - } + "V2Vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P", + "V3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "V2Score": 6.8, + "V3Score": 7.8 }, - "References": [ - "https://github.com/advisories/GHSA-6g6m-m6h5-w9gf", - "https://github.com/auth0/express-jwt/commit/7ecab5f8f0cab5297c2b863596566eb0c019cdef", - "https://github.com/auth0/express-jwt/security/advisories/GHSA-6g6m-m6h5-w9gf", - "https://nvd.nist.gov/vuln/detail/CVE-2020-15084" - ], - "PublishedDate": "2020-06-30T16:15:00Z", - "LastModifiedDate": "2020-07-08T16:29:00Z" + "redhat": { + "V3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "V3Score": 7.8 + } + }, + "References": [ + "https://access.redhat.com/security/cve/CVE-2021-43138", + "https://github.com/advisories/GHSA-fwr7-v2mv-hh25", + "https://github.com/caolan/async", + "https://github.com/caolan/async/blob/master/lib/internal/iterator.js", + "https://github.com/caolan/async/blob/master/lib/mapValuesLimit.js", + "https://github.com/caolan/async/blob/v2.6.4/CHANGELOG.md#v264", + "https://github.com/caolan/async/commit/8f7f90342a6571ba1c197d747ebed30c368096d2", + "https://github.com/caolan/async/commit/e1ecdbf79264f9ab488c7799f4c76996d5dca66d", + "https://github.com/caolan/async/compare/v2.6.3...v2.6.4", + "https://github.com/caolan/async/pull/1828", + "https://jsfiddle.net/oz5twjd9", + "https://jsfiddle.net/oz5twjd9/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MTEUUTNIEBHGKUKKLNUZSV7IEP6IP3Q3", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MTEUUTNIEBHGKUKKLNUZSV7IEP6IP3Q3/", + 
"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UM6XJ73Q3NAM5KSGCOKJ2ZIA6GUWUJLK", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UM6XJ73Q3NAM5KSGCOKJ2ZIA6GUWUJLK/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MTEUUTNIEBHGKUKKLNUZSV7IEP6IP3Q3", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UM6XJ73Q3NAM5KSGCOKJ2ZIA6GUWUJLK", + "https://nvd.nist.gov/vuln/detail/CVE-2021-43138", + "https://security.netapp.com/advisory/ntap-20240621-0006", + "https://security.netapp.com/advisory/ntap-20240621-0006/", + "https://www.cve.org/CVERecord?id=CVE-2021-43138" + ], + "PublishedDate": "2022-04-06T17:15:08.65Z", + "LastModifiedDate": "2024-06-21T19:15:20.737Z" }, { - "VulnerabilityID": "CVE-2017-16042", - "PkgName": "growl", - "PkgPath": "juice-shop/node_modules/clarinet/benchmark/node_modules/growl/package.json", - "InstalledVersion": "1.5.1", - "FixedVersion": "1.10.0", - "Layer": { + "VulnerabilityID": "CVE-2021-43138", + "PkgID": "async@3.2.1", + "PkgName": "async", + "PkgPath": "juice-shop/node_modules/async/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/async@3.2.1", + "UID": "747e63ea251dd1ae" + }, + "InstalledVersion": "3.2.1", + "FixedVersion": "3.2.2, 2.6.4", + "Status": "fixed", + "Layer": { "Digest": "sha256:d60b2707975852ac9893dd5f0b9ed98a222f5a8c5b80003dafe8cb2c419d7407", "DiffID": "sha256:882c984cafed0fa20487f0b4f95474af7d46cff44d735d266633ebcea37e2bd1" + }, + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2021-43138", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Title": "async: Prototype Pollution in async", + "Description": "In Async before 2.6.4 and 3.x before 3.2.2, a malicious user can obtain privileges 
via the mapValues() method, aka lib/internal/iterator.js createObjectIterator prototype pollution.", + "Severity": "HIGH", + "CweIDs": [ + "CWE-1321" + ], + "VendorSeverity": { + "ghsa": 3, + "nvd": 3, + "redhat": 2 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "V3Score": 7.8 }, - "SeveritySource": "nvd", - "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2017-16042", - "Title": "nodejs-growl: Does not properly sanitize input before passing it to exec", - "Description": "Growl adds growl notification support to nodejs. Growl before 1.10.2 does not properly sanitize input before passing it to exec, allowing for arbitrary command execution.", - "Severity": "CRITICAL", - "CweIDs": [ - "CWE-78" - ], - "CVSS": { "nvd": { - "V2Vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P", - "V3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", - "V2Score": 7.5, - "V3Score": 9.8 + "V2Vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P", + "V3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "V2Score": 6.8, + "V3Score": 7.8 }, "redhat": { - "V3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "V3Score": 8.1 + "V3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "V3Score": 7.8 } - }, - "References": [ - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16042", - "https://github.com/advisories/GHSA-qh2h-chj9-jffq", - "https://github.com/tj/node-growl/issues/60", - "https://github.com/tj/node-growl/pull/61", - "https://nodesecurity.io/advisories/146", - "https://nvd.nist.gov/vuln/detail/CVE-2017-16042" - ], - "PublishedDate": "2018-06-04T19:29:00Z", - "LastModifiedDate": "2019-10-09T23:24:00Z" + }, + "References": [ + "https://access.redhat.com/security/cve/CVE-2021-43138", + "https://github.com/advisories/GHSA-fwr7-v2mv-hh25", + "https://github.com/caolan/async", + "https://github.com/caolan/async/blob/master/lib/internal/iterator.js", + "https://github.com/caolan/async/blob/master/lib/mapValuesLimit.js", + 
"https://github.com/caolan/async/blob/v2.6.4/CHANGELOG.md#v264", + "https://github.com/caolan/async/commit/8f7f90342a6571ba1c197d747ebed30c368096d2", + "https://github.com/caolan/async/commit/e1ecdbf79264f9ab488c7799f4c76996d5dca66d", + "https://github.com/caolan/async/compare/v2.6.3...v2.6.4", + "https://github.com/caolan/async/pull/1828", + "https://jsfiddle.net/oz5twjd9", + "https://jsfiddle.net/oz5twjd9/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MTEUUTNIEBHGKUKKLNUZSV7IEP6IP3Q3", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MTEUUTNIEBHGKUKKLNUZSV7IEP6IP3Q3/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UM6XJ73Q3NAM5KSGCOKJ2ZIA6GUWUJLK", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UM6XJ73Q3NAM5KSGCOKJ2ZIA6GUWUJLK/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MTEUUTNIEBHGKUKKLNUZSV7IEP6IP3Q3", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UM6XJ73Q3NAM5KSGCOKJ2ZIA6GUWUJLK", + "https://nvd.nist.gov/vuln/detail/CVE-2021-43138", + "https://security.netapp.com/advisory/ntap-20240621-0006", + "https://security.netapp.com/advisory/ntap-20240621-0006/", + "https://www.cve.org/CVERecord?id=CVE-2021-43138" + ], + "PublishedDate": "2022-04-06T17:15:08.65Z", + "LastModifiedDate": "2024-06-21T19:15:20.737Z" + }, + { + "VulnerabilityID": "NSWG-ECO-428", + "PkgID": "base64url@0.0.6", + "PkgName": "base64url", + "PkgPath": "juice-shop/node_modules/base64url/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/base64url@0.0.6", + "UID": "37b2d3176f8fdba9" + }, + "InstalledVersion": "0.0.6", + "FixedVersion": "\u003e=3.0.0", + "Status": "fixed", + "Layer": { + "Digest": "sha256:d60b2707975852ac9893dd5f0b9ed98a222f5a8c5b80003dafe8cb2c419d7407", + 
"DiffID": "sha256:882c984cafed0fa20487f0b4f95474af7d46cff44d735d266633ebcea37e2bd1" + }, + "SeveritySource": "nodejs-security-wg", + "PrimaryURL": "https://hackerone.com/reports/321687", + "DataSource": { + "ID": "nodejs-security-wg", + "Name": "Node.js Ecosystem Security Working Group", + "URL": "https://github.com/nodejs/security-wg" + }, + "Title": "Out-of-bounds Read", + "Description": "`base64url` allocates uninitialized Buffers when number is passed in input on Node.js 4.x and below", + "Severity": "HIGH", + "VendorSeverity": { + "nodejs-security-wg": 3 + }, + "References": [ + "https://github.com/brianloveswords/base64url/pull/25", + "https://hackerone.com/reports/321687" + ] + }, + { + "VulnerabilityID": "GHSA-rvg8-pwq2-xj7q", + "PkgID": "base64url@0.0.6", + "PkgName": "base64url", + "PkgPath": "juice-shop/node_modules/base64url/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/base64url@0.0.6", + "UID": "37b2d3176f8fdba9" + }, + "InstalledVersion": "0.0.6", + "FixedVersion": "3.0.0", + "Status": "fixed", + "Layer": { + "Digest": "sha256:d60b2707975852ac9893dd5f0b9ed98a222f5a8c5b80003dafe8cb2c419d7407", + "DiffID": "sha256:882c984cafed0fa20487f0b4f95474af7d46cff44d735d266633ebcea37e2bd1" + }, + "SeveritySource": "ghsa", + "PrimaryURL": "https://github.com/advisories/GHSA-rvg8-pwq2-xj7q", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Title": "Out-of-bounds Read in base64url", + "Description": "Versions of `base64url` before 3.0.0 are vulnerable to to out-of-bounds reads as it allocates uninitialized Buffers when number is passed in input on Node.js 4.x and below.\n\n\n## Recommendation\n\nUpdate to version 3.0.0 or later.", + "Severity": "MEDIUM", + "VendorSeverity": { + "ghsa": 2 + }, + "References": [ + "https://github.com/brianloveswords/base64url", + 
"https://github.com/brianloveswords/base64url/commit/4fbd954a0a69e9d898de2146557cc6e893e79542", + "https://github.com/brianloveswords/base64url/pull/25", + "https://hackerone.com/reports/321687" + ] }, { - "VulnerabilityID": "CVE-2021-32822", - "PkgName": "hbs", - "PkgPath": "juice-shop/node_modules/hbs/package.json", - "InstalledVersion": "4.1.2", - "Layer": { + "VulnerabilityID": "CVE-2024-45590", + "PkgID": "body-parser@1.19.0", + "PkgName": "body-parser", + "PkgPath": "juice-shop/node_modules/body-parser/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/body-parser@1.19.0", + "UID": "d474d796f1d9adc6" + }, + "InstalledVersion": "1.19.0", + "FixedVersion": "1.20.3", + "Status": "fixed", + "Layer": { "Digest": "sha256:d60b2707975852ac9893dd5f0b9ed98a222f5a8c5b80003dafe8cb2c419d7407", "DiffID": "sha256:882c984cafed0fa20487f0b4f95474af7d46cff44d735d266633ebcea37e2bd1" + }, + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2024-45590", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Title": "body-parser: Denial of Service Vulnerability in body-parser", + "Description": "body-parser is Node.js body parsing middleware. body-parser \u003c1.20.3 is vulnerable to denial of service when url encoding is enabled. A malicious actor using a specially crafted payload could flood the server with a large number of requests, resulting in denial of service. 
This issue is patched in 1.20.3.", + "Severity": "HIGH", + "CweIDs": [ + "CWE-405" + ], + "VendorSeverity": { + "azure": 3, + "cbl-mariner": 3, + "ghsa": 3, + "nvd": 3, + "redhat": 3 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 7.5 }, - "SeveritySource": "nvd", - "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2021-32822", - "Title": "Insertion of Sensitive Information into Externally-Accessible File or Directory and Exposure of Sensitive Information to an Unauthorized Actor in hbs", - "Description": "The npm hbs package is an Express view engine wrapper for Handlebars. Depending on usage, users of hbs may be vulnerable to a file disclosure vulnerability. There is currently no patch for this vulnerability. hbs mixes pure template data with engine configuration options through the Express render API. By overwriting internal configuration options a file disclosure vulnerability may be triggered in downstream applications. For an example PoC see the referenced GHSL-2021-020.", - "Severity": "MEDIUM", - "CweIDs": [ - "CWE-200" - ], - "CVSS": { "nvd": { - "V2Vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N", - "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", - "V2Score": 5, - "V3Score": 5.3 - } + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 7.5 }, - "References": [ - "https://github.com/advisories/GHSA-7f5c-rpf4-86p8", - "https://nvd.nist.gov/vuln/detail/CVE-2021-32822", - "https://securitylab.github.com/advisories/GHSL-2021-020-pillarjs-hbs/" - ], - "PublishedDate": "2021-08-16T19:15:00Z", - "LastModifiedDate": "2021-08-24T15:55:00Z" + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 7.5 + } + }, + "References": [ + "https://access.redhat.com/security/cve/CVE-2024-45590", + "https://github.com/expressjs/body-parser", + "https://github.com/expressjs/body-parser/commit/b2695c4450f06ba3b0ccf48d872a229bb41c9bce", + 
"https://github.com/expressjs/body-parser/security/advisories/GHSA-qwcr-r2fm-qrc7", + "https://nvd.nist.gov/vuln/detail/CVE-2024-45590", + "https://www.cve.org/CVERecord?id=CVE-2024-45590" + ], + "PublishedDate": "2024-09-10T16:15:21.083Z", + "LastModifiedDate": "2024-09-20T16:26:44.977Z" }, { - "VulnerabilityID": "CVE-2015-9235", - "PkgName": "jsonwebtoken", - "PkgPath": "juice-shop/node_modules/express-jwt/node_modules/jsonwebtoken/package.json", - "InstalledVersion": "0.1.0", - "FixedVersion": "4.2.2", - "Layer": { + "VulnerabilityID": "CVE-2024-4068", + "PkgID": "braces@2.3.2", + "PkgName": "braces", + "PkgPath": "juice-shop/node_modules/braces/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/braces@2.3.2", + "UID": "a453a1accd8298fb" + }, + "InstalledVersion": "2.3.2", + "FixedVersion": "3.0.3", + "Status": "fixed", + "Layer": { "Digest": "sha256:d60b2707975852ac9893dd5f0b9ed98a222f5a8c5b80003dafe8cb2c419d7407", "DiffID": "sha256:882c984cafed0fa20487f0b4f95474af7d46cff44d735d266633ebcea37e2bd1" - }, - "SeveritySource": "nvd", - "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2015-9235", - "Title": "nodejs-jsonwebtoken: verification step bypass with an altered token", - "Description": "In jsonwebtoken node module before 4.2.2 it is possible for an attacker to bypass verification when a token digitally signed with an asymmetric key (RS/ES family) of algorithms but instead the attacker send a token digitally signed with a symmetric algorithm (HS* family).", - "Severity": "CRITICAL", - "CweIDs": [ - "CWE-327" - ], - "CVSS": { - "nvd": { - "V2Vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P", - "V3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", - "V2Score": 7.5, - "V3Score": 9.8 + }, + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2024-4068", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Title": "braces: fails to limit 
the number of characters it can handle", + "Description": "The NPM package `braces`, versions prior to 3.0.3, fails to limit the number of characters it can handle, which could lead to Memory Exhaustion. In `lib/parse.js,` if a malicious user sends \"imbalanced braces\" as input, the parsing will enter a loop, which will cause the program to start allocating heap memory without freeing it at any moment of the loop. Eventually, the JavaScript heap limit is reached, and the program will crash.", + "Severity": "HIGH", + "CweIDs": [ + "CWE-1050", + "CWE-400" + ], + "VendorSeverity": { + "cbl-mariner": 3, + "ghsa": 3, + "redhat": 2 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 7.5 }, "redhat": { - "V3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", - "V3Score": 7.3 + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 7.5 } + }, + "References": [ + "https://access.redhat.com/security/cve/CVE-2024-4068", + "https://devhub.checkmarx.com/cve-details/CVE-2024-4068", + "https://devhub.checkmarx.com/cve-details/CVE-2024-4068/", + "https://github.com/micromatch/braces", + "https://github.com/micromatch/braces/blob/98414f9f1fabe021736e26836d8306d5de747e0d/lib/parse.js#L308", + "https://github.com/micromatch/braces/commit/415d660c3002d1ab7e63dbf490c9851da80596ff", + "https://github.com/micromatch/braces/issues/35", + "https://github.com/micromatch/braces/pull/37", + "https://github.com/micromatch/braces/pull/40", + "https://nvd.nist.gov/vuln/detail/CVE-2024-4068", + "https://www.cve.org/CVERecord?id=CVE-2024-4068" + ], + "PublishedDate": "2024-05-14T15:42:48.66Z", + "LastModifiedDate": "2024-07-03T02:07:03.943Z" + }, + { + "VulnerabilityID": "CVE-2024-4068", + "PkgID": "braces@3.0.2", + "PkgName": "braces", + "PkgPath": "juice-shop/node_modules/chokidar/node_modules/braces/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/braces@3.0.2", + "UID": "94370f122f8cc85d" + }, + 
"InstalledVersion": "3.0.2", + "FixedVersion": "3.0.3", + "Status": "fixed", + "Layer": { + "Digest": "sha256:d60b2707975852ac9893dd5f0b9ed98a222f5a8c5b80003dafe8cb2c419d7407", + "DiffID": "sha256:882c984cafed0fa20487f0b4f95474af7d46cff44d735d266633ebcea37e2bd1" + }, + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2024-4068", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Title": "braces: fails to limit the number of characters it can handle", + "Description": "The NPM package `braces`, versions prior to 3.0.3, fails to limit the number of characters it can handle, which could lead to Memory Exhaustion. In `lib/parse.js,` if a malicious user sends \"imbalanced braces\" as input, the parsing will enter a loop, which will cause the program to start allocating heap memory without freeing it at any moment of the loop. Eventually, the JavaScript heap limit is reached, and the program will crash.", + "Severity": "HIGH", + "CweIDs": [ + "CWE-1050", + "CWE-400" + ], + "VendorSeverity": { + "cbl-mariner": 3, + "ghsa": 3, + "redhat": 2 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 7.5 }, - "References": [ - "https://auth0.com/blog/2015/03/31/critical-vulnerabilities-in-json-web-token-libraries/", - "https://github.com/advisories/GHSA-c7hr-j4mj-j2w6", - "https://github.com/auth0/node-jsonwebtoken/commit/1bb584bc382295eeb7ee8c4452a673a77a68b687", - "https://nodesecurity.io/advisories/17", - "https://nvd.nist.gov/vuln/detail/CVE-2015-9235", - "https://www.timmclean.net/2015/02/25/jwt-alg-none.html" - ], - "PublishedDate": "2018-05-29T20:29:00Z", - "LastModifiedDate": "2019-10-09T23:15:00Z" + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 7.5 + } + }, + "References": [ + "https://access.redhat.com/security/cve/CVE-2024-4068", + 
"https://devhub.checkmarx.com/cve-details/CVE-2024-4068", + "https://devhub.checkmarx.com/cve-details/CVE-2024-4068/", + "https://github.com/micromatch/braces", + "https://github.com/micromatch/braces/blob/98414f9f1fabe021736e26836d8306d5de747e0d/lib/parse.js#L308", + "https://github.com/micromatch/braces/commit/415d660c3002d1ab7e63dbf490c9851da80596ff", + "https://github.com/micromatch/braces/issues/35", + "https://github.com/micromatch/braces/pull/37", + "https://github.com/micromatch/braces/pull/40", + "https://nvd.nist.gov/vuln/detail/CVE-2024-4068", + "https://www.cve.org/CVERecord?id=CVE-2024-4068" + ], + "PublishedDate": "2024-05-14T15:42:48.66Z", + "LastModifiedDate": "2024-07-03T02:07:03.943Z" }, { - "VulnerabilityID": "NSWG-ECO-17", - "PkgName": "jsonwebtoken", - "PkgPath": "juice-shop/node_modules/express-jwt/node_modules/jsonwebtoken/package.json", - "InstalledVersion": "0.1.0", - "FixedVersion": "\u003e=4.2.2", - "Layer": { + "VulnerabilityID": "CVE-2024-4068", + "PkgID": "braces@3.0.2", + "PkgName": "braces", + "PkgPath": "juice-shop/node_modules/liftup/node_modules/braces/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/braces@3.0.2", + "UID": "1eccffde9b52b3b9" + }, + "InstalledVersion": "3.0.2", + "FixedVersion": "3.0.3", + "Status": "fixed", + "Layer": { "Digest": "sha256:d60b2707975852ac9893dd5f0b9ed98a222f5a8c5b80003dafe8cb2c419d7407", "DiffID": "sha256:882c984cafed0fa20487f0b4f95474af7d46cff44d735d266633ebcea37e2bd1" + }, + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2024-4068", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Title": "braces: fails to limit the number of characters it can handle", + "Description": "The NPM package `braces`, versions prior to 3.0.3, fails to limit the number of characters it can handle, which could lead to Memory Exhaustion. 
In `lib/parse.js,` if a malicious user sends \"imbalanced braces\" as input, the parsing will enter a loop, which will cause the program to start allocating heap memory without freeing it at any moment of the loop. Eventually, the JavaScript heap limit is reached, and the program will crash.", + "Severity": "HIGH", + "CweIDs": [ + "CWE-1050", + "CWE-400" + ], + "VendorSeverity": { + "cbl-mariner": 3, + "ghsa": 3, + "redhat": 2 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 7.5 }, - "Title": "Verification Bypass", - "Description": "It is possible for an attacker to bypass verification when \"a token digitally signed with an asymetric key (RS/ES family) of algorithms but instead the attacker send a token digitally signed with a symmetric algorithm (HS* family)\" [1]", - "Severity": "HIGH", - "References": [ - "https://auth0.com/blog/2015/03/31/critical-vulnerabilities-in-json-web-token-libraries/", - "https://github.com/auth0/node-jsonwebtoken/commit/1bb584bc382295eeb7ee8c4452a673a77a68b687", - "https://www.timmclean.net/2015/02/25/jwt-alg-none.html" - ] + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 7.5 + } + }, + "References": [ + "https://access.redhat.com/security/cve/CVE-2024-4068", + "https://devhub.checkmarx.com/cve-details/CVE-2024-4068", + "https://devhub.checkmarx.com/cve-details/CVE-2024-4068/", + "https://github.com/micromatch/braces", + "https://github.com/micromatch/braces/blob/98414f9f1fabe021736e26836d8306d5de747e0d/lib/parse.js#L308", + "https://github.com/micromatch/braces/commit/415d660c3002d1ab7e63dbf490c9851da80596ff", + "https://github.com/micromatch/braces/issues/35", + "https://github.com/micromatch/braces/pull/37", + "https://github.com/micromatch/braces/pull/40", + "https://nvd.nist.gov/vuln/detail/CVE-2024-4068", + "https://www.cve.org/CVERecord?id=CVE-2024-4068" + ], + "PublishedDate": "2024-05-14T15:42:48.66Z", + "LastModifiedDate": 
"2024-07-03T02:07:03.943Z" + }, + { + "VulnerabilityID": "CVE-2024-47764", + "PkgID": "cookie@0.4.0", + "PkgName": "cookie", + "PkgPath": "juice-shop/node_modules/cookie/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/cookie@0.4.0", + "UID": "8b051932f229d69e" + }, + "InstalledVersion": "0.4.0", + "FixedVersion": "0.7.0", + "Status": "fixed", + "Layer": { + "Digest": "sha256:d60b2707975852ac9893dd5f0b9ed98a222f5a8c5b80003dafe8cb2c419d7407", + "DiffID": "sha256:882c984cafed0fa20487f0b4f95474af7d46cff44d735d266633ebcea37e2bd1" + }, + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2024-47764", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Title": "cookie: cookie accepts cookie name, path, and domain with out of bounds characters", + "Description": "cookie is a basic HTTP cookie parser and serializer for HTTP servers. The cookie name could be used to set other fields of the cookie, resulting in an unexpected cookie value. A similar escape can be used for path and domain, which could be abused to alter other fields of the cookie. 
Upgrade to 0.7.0, which updates the validation for name, path, and domain.", + "Severity": "LOW", + "CweIDs": [ + "CWE-74" + ], + "VendorSeverity": { + "cbl-mariner": 2, + "ghsa": 1, + "redhat": 1 + }, + "CVSS": { + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N", + "V3Score": 3.7 + } + }, + "References": [ + "https://access.redhat.com/security/cve/CVE-2024-47764", + "https://github.com/jshttp/cookie", + "https://github.com/jshttp/cookie/commit/e10042845354fea83bd8f34af72475eed1dadf5c", + "https://github.com/jshttp/cookie/pull/167", + "https://github.com/jshttp/cookie/security/advisories/GHSA-pxg6-pf52-xh8x", + "https://nvd.nist.gov/vuln/detail/CVE-2024-47764", + "https://www.cve.org/CVERecord?id=CVE-2024-47764" + ], + "PublishedDate": "2024-10-04T20:15:07.31Z", + "LastModifiedDate": "2024-10-07T17:48:28.117Z" + }, + { + "VulnerabilityID": "CVE-2024-47764", + "PkgID": "cookie@0.4.1", + "PkgName": "cookie", + "PkgPath": "juice-shop/node_modules/engine.io/node_modules/cookie/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/cookie@0.4.1", + "UID": "338c6cede4092431" + }, + "InstalledVersion": "0.4.1", + "FixedVersion": "0.7.0", + "Status": "fixed", + "Layer": { + "Digest": "sha256:d60b2707975852ac9893dd5f0b9ed98a222f5a8c5b80003dafe8cb2c419d7407", + "DiffID": "sha256:882c984cafed0fa20487f0b4f95474af7d46cff44d735d266633ebcea37e2bd1" + }, + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2024-47764", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Title": "cookie: cookie accepts cookie name, path, and domain with out of bounds characters", + "Description": "cookie is a basic HTTP cookie parser and serializer for HTTP servers. The cookie name could be used to set other fields of the cookie, resulting in an unexpected cookie value. 
A similar escape can be used for path and domain, which could be abused to alter other fields of the cookie. Upgrade to 0.7.0, which updates the validation for name, path, and domain.", + "Severity": "LOW", + "CweIDs": [ + "CWE-74" + ], + "VendorSeverity": { + "cbl-mariner": 2, + "ghsa": 1, + "redhat": 1 + }, + "CVSS": { + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N", + "V3Score": 3.7 + } + }, + "References": [ + "https://access.redhat.com/security/cve/CVE-2024-47764", + "https://github.com/jshttp/cookie", + "https://github.com/jshttp/cookie/commit/e10042845354fea83bd8f34af72475eed1dadf5c", + "https://github.com/jshttp/cookie/pull/167", + "https://github.com/jshttp/cookie/security/advisories/GHSA-pxg6-pf52-xh8x", + "https://nvd.nist.gov/vuln/detail/CVE-2024-47764", + "https://www.cve.org/CVERecord?id=CVE-2024-47764" + ], + "PublishedDate": "2024-10-04T20:15:07.31Z", + "LastModifiedDate": "2024-10-07T17:48:28.117Z" }, { - "VulnerabilityID": "CVE-2015-9235", - "PkgName": "jsonwebtoken", - "PkgPath": "juice-shop/node_modules/jsonwebtoken/package.json", - "InstalledVersion": "0.4.0", - "FixedVersion": "4.2.2", - "Layer": { + "VulnerabilityID": "CVE-2023-46233", + "PkgID": "crypto-js@3.3.0", + "PkgName": "crypto-js", + "PkgPath": "juice-shop/node_modules/crypto-js/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/crypto-js@3.3.0", + "UID": "968c6884db7b658" + }, + "InstalledVersion": "3.3.0", + "FixedVersion": "4.2.0", + "Status": "fixed", + "Layer": { "Digest": "sha256:d60b2707975852ac9893dd5f0b9ed98a222f5a8c5b80003dafe8cb2c419d7407", "DiffID": "sha256:882c984cafed0fa20487f0b4f95474af7d46cff44d735d266633ebcea37e2bd1" + }, + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2023-46233", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Title": "crypto-js: PBKDF2 1,000 times weaker than specified in 
1993 and 1.3M times weaker than current standard", + "Description": "crypto-js is a JavaScript library of crypto standards. Prior to version 4.2.0, crypto-js PBKDF2 is 1,000 times weaker than originally specified in 1993, and at least 1,300,000 times weaker than current industry standard. This is because it both defaults to SHA1, a cryptographic hash algorithm considered insecure since at least 2005, and defaults to one single iteration, a 'strength' or 'difficulty' value specified at 1,000 when specified in 1993. PBKDF2 relies on iteration count as a countermeasure to preimage and collision attacks. If used to protect passwords, the impact is high. If used to generate signatures, the impact is high. Version 4.2.0 contains a patch for this issue. As a workaround, configure crypto-js to use SHA256 with at least 250,000 iterations.", + "Severity": "CRITICAL", + "CweIDs": [ + "CWE-327", + "CWE-328", + "CWE-916" + ], + "VendorSeverity": { + "ghsa": 4, + "nvd": 4, + "redhat": 3, + "ubuntu": 2 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", + "V3Score": 9.1 }, - "SeveritySource": "nvd", - "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2015-9235", - "Title": "nodejs-jsonwebtoken: verification step bypass with an altered token", - "Description": "In jsonwebtoken node module before 4.2.2 it is possible for an attacker to bypass verification when a token digitally signed with an asymmetric key (RS/ES family) of algorithms but instead the attacker send a token digitally signed with a symmetric algorithm (HS* family).", - "Severity": "CRITICAL", - "CweIDs": [ - "CWE-327" - ], - "CVSS": { "nvd": { - "V2Vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P", - "V3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", - "V2Score": 7.5, - "V3Score": 9.8 + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", + "V3Score": 9.1 }, "redhat": { - "V3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", - "V3Score": 7.3 + "V3Vector": 
"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", + "V3Score": 9.1 } - }, - "References": [ - "https://auth0.com/blog/2015/03/31/critical-vulnerabilities-in-json-web-token-libraries/", + }, + "References": [ + "https://access.redhat.com/security/cve/CVE-2023-46233", + "https://github.com/brix/crypto-js", + "https://github.com/brix/crypto-js/commit/421dd538b2d34e7c24a5b72cc64dc2b9167db40a", + "https://github.com/brix/crypto-js/security/advisories/GHSA-xwcq-pm8m-c4vf", + "https://lists.debian.org/debian-lts-announce/2023/11/msg00025.html", + "https://nvd.nist.gov/vuln/detail/CVE-2023-46233", + "https://ubuntu.com/security/notices/USN-6753-1", + "https://www.cve.org/CVERecord?id=CVE-2023-46233" + ], + "PublishedDate": "2023-10-25T21:15:10.307Z", + "LastModifiedDate": "2023-11-27T20:15:06.88Z" + }, + { + "VulnerabilityID": "CVE-2022-38900", + "PkgID": "decode-uri-component@0.2.0", + "PkgName": "decode-uri-component", + "PkgPath": "juice-shop/node_modules/decode-uri-component/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/decode-uri-component@0.2.0", + "UID": "aea0df6eccbfc92f" + }, + "InstalledVersion": "0.2.0", + "FixedVersion": "0.2.1", + "Status": "fixed", + "Layer": { + "Digest": "sha256:d60b2707975852ac9893dd5f0b9ed98a222f5a8c5b80003dafe8cb2c419d7407", + "DiffID": "sha256:882c984cafed0fa20487f0b4f95474af7d46cff44d735d266633ebcea37e2bd1" + }, + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2022-38900", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Title": "decode-uri-component: improper input validation resulting in DoS", + "Description": "decode-uri-component 0.2.0 is vulnerable to Improper Input Validation resulting in DoS.", + "Severity": "HIGH", + "CweIDs": [ + "CWE-20" + ], + "VendorSeverity": { + "alma": 1, + "ghsa": 3, + "nvd": 3, + "oracle-oval": 1, + "redhat": 3 + }, + "CVSS": { + "ghsa": { + "V3Vector": 
"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 7.5 + }, + "nvd": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 7.5 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 7.5 + } + }, + "References": [ + "https://access.redhat.com/errata/RHSA-2023:6316", + "https://access.redhat.com/security/cve/CVE-2022-38900", + "https://bugzilla.redhat.com/2170644", + "https://errata.almalinux.org/9/ALSA-2023-6316.html", + "https://github.com/SamVerschueren/decode-uri-component", + "https://github.com/SamVerschueren/decode-uri-component/commit/746ca5dcb6667c5d364e782d53c542830e4c10b9", + "https://github.com/SamVerschueren/decode-uri-component/issues/5", + "https://github.com/SamVerschueren/decode-uri-component/releases/tag/v0.2.1", + "https://github.com/advisories/GHSA-w573-4hg7-7wgq", + "https://github.com/sindresorhus/query-string/issues/345", + "https://linux.oracle.com/cve/CVE-2022-38900.html", + "https://linux.oracle.com/errata/ELSA-2023-6316.html", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ERN6YE3DS7NBW7UH44SCJBMNC2NWQ7SM/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KAC5KQ2SEWAMQ6UZAUBZ5KXKEOESH375/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QABOUA2I542UTANVZIVFKWMRYVHLV32D/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UW4SCMT3SEUFVIL7YIADQ5K36GJEO6I5/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VNV2GNZXOTEDAJRFH3ZYWRUBGIVL7BSU/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ERN6YE3DS7NBW7UH44SCJBMNC2NWQ7SM", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KAC5KQ2SEWAMQ6UZAUBZ5KXKEOESH375", + 
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QABOUA2I542UTANVZIVFKWMRYVHLV32D", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UW4SCMT3SEUFVIL7YIADQ5K36GJEO6I5", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VNV2GNZXOTEDAJRFH3ZYWRUBGIVL7BSU", + "https://nvd.nist.gov/vuln/detail/CVE-2022-38900", + "https://www.cve.org/CVERecord?id=CVE-2022-38900" + ], + "PublishedDate": "2022-11-28T13:15:10.033Z", + "LastModifiedDate": "2023-11-07T03:50:17.22Z" + }, + { + "VulnerabilityID": "CVE-2022-38900", + "PkgID": "decode-uri-component@0.2.0", + "PkgName": "decode-uri-component", + "PkgPath": "usr/local/lib/node_modules/npm/node_modules/decode-uri-component/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/decode-uri-component@0.2.0", + "UID": "4316f5bc05c5a057" + }, + "InstalledVersion": "0.2.0", + "FixedVersion": "0.2.1", + "Status": "fixed", + "Layer": { + "Digest": "sha256:d0fe2b74aff960282c3c01d80bbbb5b45a12e84f7e2ad3b65daac8f42351d5a6", + "DiffID": "sha256:f8700d3a252fffe60e30bc672e8a6560f30a3ce8816f2ad396020553fe4d9210" + }, + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2022-38900", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Title": "decode-uri-component: improper input validation resulting in DoS", + "Description": "decode-uri-component 0.2.0 is vulnerable to Improper Input Validation resulting in DoS.", + "Severity": "HIGH", + "CweIDs": [ + "CWE-20" + ], + "VendorSeverity": { + "alma": 1, + "ghsa": 3, + "nvd": 3, + "oracle-oval": 1, + "redhat": 3 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 7.5 + }, + "nvd": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 7.5 + }, + "redhat": { 
+ "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 7.5 + } + }, + "References": [ + "https://access.redhat.com/errata/RHSA-2023:6316", + "https://access.redhat.com/security/cve/CVE-2022-38900", + "https://bugzilla.redhat.com/2170644", + "https://errata.almalinux.org/9/ALSA-2023-6316.html", + "https://github.com/SamVerschueren/decode-uri-component", + "https://github.com/SamVerschueren/decode-uri-component/commit/746ca5dcb6667c5d364e782d53c542830e4c10b9", + "https://github.com/SamVerschueren/decode-uri-component/issues/5", + "https://github.com/SamVerschueren/decode-uri-component/releases/tag/v0.2.1", + "https://github.com/advisories/GHSA-w573-4hg7-7wgq", + "https://github.com/sindresorhus/query-string/issues/345", + "https://linux.oracle.com/cve/CVE-2022-38900.html", + "https://linux.oracle.com/errata/ELSA-2023-6316.html", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ERN6YE3DS7NBW7UH44SCJBMNC2NWQ7SM/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KAC5KQ2SEWAMQ6UZAUBZ5KXKEOESH375/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QABOUA2I542UTANVZIVFKWMRYVHLV32D/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UW4SCMT3SEUFVIL7YIADQ5K36GJEO6I5/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VNV2GNZXOTEDAJRFH3ZYWRUBGIVL7BSU/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ERN6YE3DS7NBW7UH44SCJBMNC2NWQ7SM", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KAC5KQ2SEWAMQ6UZAUBZ5KXKEOESH375", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QABOUA2I542UTANVZIVFKWMRYVHLV32D", + 
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UW4SCMT3SEUFVIL7YIADQ5K36GJEO6I5", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VNV2GNZXOTEDAJRFH3ZYWRUBGIVL7BSU", + "https://nvd.nist.gov/vuln/detail/CVE-2022-38900", + "https://www.cve.org/CVERecord?id=CVE-2022-38900" + ], + "PublishedDate": "2022-11-28T13:15:10.033Z", + "LastModifiedDate": "2023-11-07T03:50:17.22Z" + }, + { + "VulnerabilityID": "CVE-2022-24434", + "PkgID": "dicer@0.2.5", + "PkgName": "dicer", + "PkgPath": "juice-shop/node_modules/dicer/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/dicer@0.2.5", + "UID": "bbdbe521b8454f46" + }, + "InstalledVersion": "0.2.5", + "Status": "affected", + "Layer": { + "Digest": "sha256:d60b2707975852ac9893dd5f0b9ed98a222f5a8c5b80003dafe8cb2c419d7407", + "DiffID": "sha256:882c984cafed0fa20487f0b4f95474af7d46cff44d735d266633ebcea37e2bd1" + }, + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2022-24434", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Title": "dicer: nodejs service crash by sending a crafted payload", + "Description": "This affects all versions of package dicer. A malicious attacker can send a modified form to server, and crash the nodejs service. 
An attacker could sent the payload again and again so that the service continuously crashes.", + "Severity": "HIGH", + "VendorSeverity": { + "ghsa": 3, + "nvd": 3, + "redhat": 3 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 7.5 + }, + "nvd": { + "V2Vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P", + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V2Score": 5, + "V3Score": 7.5 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 7.5 + } + }, + "References": [ + "https://access.redhat.com/security/cve/CVE-2022-24434", + "https://github.com/advisories/GHSA-wm7h-9275-46v2", + "https://github.com/mscdex/busboy/issues/250", + "https://github.com/mscdex/dicer", + "https://github.com/mscdex/dicer/commit/b7fca2e93e8e9d4439d8acc5c02f5e54a0112dac", + "https://github.com/mscdex/dicer/pull/22", + "https://github.com/mscdex/dicer/pull/22/commits/b7fca2e93e8e9d4439d8acc5c02f5e54a0112dac", + "https://nvd.nist.gov/vuln/detail/CVE-2022-24434", + "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-2838865", + "https://snyk.io/vuln/SNYK-JS-DICER-2311764", + "https://www.cve.org/CVERecord?id=CVE-2022-24434" + ], + "PublishedDate": "2022-05-20T20:15:09.993Z", + "LastModifiedDate": "2022-06-07T02:04:44.75Z" + }, + { + "VulnerabilityID": "GHSA-h6ch-v84p-w6p9", + "PkgID": "diff@1.0.2", + "PkgName": "diff", + "PkgPath": "juice-shop/node_modules/clarinet/benchmark/node_modules/diff/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/diff@1.0.2", + "UID": "8090d53cd9ceb81c" + }, + "InstalledVersion": "1.0.2", + "FixedVersion": "3.5.0", + "Status": "fixed", + "Layer": { + "Digest": "sha256:d60b2707975852ac9893dd5f0b9ed98a222f5a8c5b80003dafe8cb2c419d7407", + "DiffID": "sha256:882c984cafed0fa20487f0b4f95474af7d46cff44d735d266633ebcea37e2bd1" + }, + "SeveritySource": "ghsa", + "PrimaryURL": "https://github.com/advisories/GHSA-h6ch-v84p-w6p9", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub 
Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Title": "Regular Expression Denial of Service (ReDoS)", + "Description": "A vulnerability was found in diff before v3.5.0, the affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) attacks.", + "Severity": "HIGH", + "VendorSeverity": { + "ghsa": 3 + }, + "References": [ + "https://bugzilla.redhat.com/show_bug.cgi?id=1552148", + "https://github.com/kpdecker/jsdiff/commit/2aec4298639bf30fb88a00b356bf404d3551b8c0", + "https://snyk.io/vuln/npm:diff:20180305", + "https://www.npmjs.com/advisories/1631", + "https://www.whitesourcesoftware.com/vulnerability-database/WS-2018-0590" + ] + }, + { + "VulnerabilityID": "CVE-2023-26132", + "PkgID": "dottie@2.0.2", + "PkgName": "dottie", + "PkgPath": "juice-shop/node_modules/dottie/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/dottie@2.0.2", + "UID": "2238c2bce359423f" + }, + "InstalledVersion": "2.0.2", + "FixedVersion": "2.0.4", + "Status": "fixed", + "Layer": { + "Digest": "sha256:d60b2707975852ac9893dd5f0b9ed98a222f5a8c5b80003dafe8cb2c419d7407", + "DiffID": "sha256:882c984cafed0fa20487f0b4f95474af7d46cff44d735d266633ebcea37e2bd1" + }, + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2023-26132", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Title": "Versions of the package dottie before 2.0.4 are vulnerable to Prototyp ...", + "Description": "Versions of the package dottie before 2.0.4 are vulnerable to Prototype Pollution due to insufficient checks, via the set() function and the current variable in the /dottie.js file.", + "Severity": "HIGH", + "CweIDs": [ + "CWE-1321" + ], + "VendorSeverity": { + "ghsa": 3, + "nvd": 3, + "ubuntu": 3 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", 
+ "V3Score": 7.5 + }, + "nvd": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 7.5 + } + }, + "References": [ + "https://github.com/mickhansen/dottie.js", + "https://github.com/mickhansen/dottie.js/blob/b48e22714aae4489ea6276452f22cc61980ba5a4/dottie.js#L107", + "https://github.com/mickhansen/dottie.js/blob/b48e22714aae4489ea6276452f22cc61980ba5a4/dottie.js%23L107", + "https://github.com/mickhansen/dottie.js/commit/7d3aee1c9c3c842720506e131de7e181e5c8db68", + "https://nvd.nist.gov/vuln/detail/CVE-2023-26132", + "https://security.snyk.io/vuln/SNYK-JS-DOTTIE-3332763", + "https://www.cve.org/CVERecord?id=CVE-2023-26132" + ], + "PublishedDate": "2023-06-10T05:15:08.97Z", + "LastModifiedDate": "2023-11-07T04:09:25.51Z" + }, + { + "VulnerabilityID": "CVE-2022-21676", + "PkgID": "engine.io@4.1.1", + "PkgName": "engine.io", + "PkgPath": "juice-shop/node_modules/engine.io/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/engine.io@4.1.1", + "UID": "f2b339ecc7ba3480" + }, + "InstalledVersion": "4.1.1", + "FixedVersion": "4.1.2, 5.2.1, 6.1.1", + "Status": "fixed", + "Layer": { + "Digest": "sha256:d60b2707975852ac9893dd5f0b9ed98a222f5a8c5b80003dafe8cb2c419d7407", + "DiffID": "sha256:882c984cafed0fa20487f0b4f95474af7d46cff44d735d266633ebcea37e2bd1" + }, + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2022-21676", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Title": "Uncaught Exception in engine.io", + "Description": "Engine.IO is the implementation of transport-based cross-browser/cross-device bi-directional communication layer for Socket.IO. A specially crafted HTTP request can trigger an uncaught exception on the Engine.IO server, thus killing the Node.js process. 
This impacts all the users of the `engine.io` package starting from version `4.0.0`, including those who uses depending packages like `socket.io`. Versions prior to `4.0.0` are not impacted. A fix has been released for each major branch, namely `4.1.2` for the `4.x.x` branch, `5.2.1` for the `5.x.x` branch, and `6.1.1` for the `6.x.x` branch. There is no known workaround except upgrading to a safe version.", + "Severity": "HIGH", + "CweIDs": [ + "CWE-755", + "CWE-754" + ], + "VendorSeverity": { + "ghsa": 3, + "nvd": 3 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 7.5 + }, + "nvd": { + "V2Vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P", + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V2Score": 5, + "V3Score": 7.5 + } + }, + "References": [ + "https://github.com/socketio/engine.io", + "https://github.com/socketio/engine.io/commit/66f889fc1d966bf5bfa0de1939069153643874ab", + "https://github.com/socketio/engine.io/commit/a70800d7e96da32f6e6622804ef659ebc58659db", + "https://github.com/socketio/engine.io/commit/c0e194d44933bd83bf9a4b126fca68ba7bf5098c", + "https://github.com/socketio/engine.io/releases/tag/4.1.2", + "https://github.com/socketio/engine.io/releases/tag/5.2.1", + "https://github.com/socketio/engine.io/releases/tag/6.1.1", + "https://github.com/socketio/engine.io/security/advisories/GHSA-273r-mgr4-v34f", + "https://nvd.nist.gov/vuln/detail/CVE-2022-21676", + "https://security.netapp.com/advisory/ntap-20220209-0002", + "https://security.netapp.com/advisory/ntap-20220209-0002/" + ], + "PublishedDate": "2022-01-12T19:15:09.217Z", + "LastModifiedDate": "2023-06-27T19:03:32.22Z" + }, + { + "VulnerabilityID": "CVE-2022-41940", + "PkgID": "engine.io@4.1.1", + "PkgName": "engine.io", + "PkgPath": "juice-shop/node_modules/engine.io/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/engine.io@4.1.1", + "UID": "f2b339ecc7ba3480" + }, + "InstalledVersion": "4.1.1", + "FixedVersion": "3.6.1, 6.2.1", + 
"Status": "fixed", + "Layer": { + "Digest": "sha256:d60b2707975852ac9893dd5f0b9ed98a222f5a8c5b80003dafe8cb2c419d7407", + "DiffID": "sha256:882c984cafed0fa20487f0b4f95474af7d46cff44d735d266633ebcea37e2bd1" + }, + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2022-41940", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Title": "engine.io: Specially crafted HTTP request can trigger an uncaught exception", + "Description": "Engine.IO is the implementation of transport-based cross-browser/cross-device bi-directional communication layer for Socket.IO. A specially crafted HTTP request can trigger an uncaught exception on the Engine.IO server, thus killing the Node.js process. This impacts all the users of the engine.io package, including those who uses depending packages like socket.io. There is no known workaround except upgrading to a safe version. There are patches for this issue released in versions 3.6.1 and 6.2.1.", + "Severity": "MEDIUM", + "CweIDs": [ + "CWE-248" + ], + "VendorSeverity": { + "ghsa": 2, + "nvd": 2, + "redhat": 2 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 6.5 + }, + "nvd": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 6.5 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 6.5 + } + }, + "References": [ + "https://access.redhat.com/security/cve/CVE-2022-41940", + "https://github.com/socketio/engine.io", + "https://github.com/socketio/engine.io/commit/425e833ab13373edf1dd5a0706f07100db14e3c6", + "https://github.com/socketio/engine.io/commit/83c4071af871fc188298d7d591e95670bf9f9085", + "https://github.com/socketio/engine.io/security/advisories/GHSA-r7qp-cfhv-p84w", + "https://nvd.nist.gov/vuln/detail/CVE-2022-41940", + "https://www.cve.org/CVERecord?id=CVE-2022-41940" + ], + 
"PublishedDate": "2022-11-22T01:15:37.847Z", + "LastModifiedDate": "2022-11-26T03:26:25.847Z" + }, + { + "VulnerabilityID": "CVE-2024-27088", + "PkgID": "es5-ext@0.10.53", + "PkgName": "es5-ext", + "PkgPath": "juice-shop/node_modules/es5-ext/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/es5-ext@0.10.53", + "UID": "d43eb34bf4a97503" + }, + "InstalledVersion": "0.10.53", + "FixedVersion": "0.10.63", + "Status": "fixed", + "Layer": { + "Digest": "sha256:d60b2707975852ac9893dd5f0b9ed98a222f5a8c5b80003dafe8cb2c419d7407", + "DiffID": "sha256:882c984cafed0fa20487f0b4f95474af7d46cff44d735d266633ebcea37e2bd1" + }, + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2024-27088", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Title": "es5-ext contains ECMAScript 5 extensions. Passing functions with very ...", + "Description": "es5-ext contains ECMAScript 5 extensions. Passing functions with very long names or complex default argument names into `function#copy` or `function#toStringTokens` may cause the script to stall. 
The vulnerability is patched in v0.10.63.", + "Severity": "LOW", + "CweIDs": [ + "CWE-1333", + "CWE-400" + ], + "VendorSeverity": { + "ghsa": 1 + }, + "References": [ + "https://github.com/medikoo/es5-ext", + "https://github.com/medikoo/es5-ext/commit/3551cdd7b2db08b1632841f819d008757d28e8e2", + "https://github.com/medikoo/es5-ext/commit/a52e95736690ad1d465ebcd9791d54570e294602", + "https://github.com/medikoo/es5-ext/issues/201", + "https://github.com/medikoo/es5-ext/security/advisories/GHSA-4gmj-3p3h-gm8h", + "https://nvd.nist.gov/vuln/detail/CVE-2024-27088" + ], + "PublishedDate": "2024-02-26T17:15:11Z", + "LastModifiedDate": "2024-02-26T22:10:40.463Z" + }, + { + "VulnerabilityID": "CVE-2024-29041", + "PkgID": "express@4.17.1", + "PkgName": "express", + "PkgPath": "juice-shop/node_modules/express/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/express@4.17.1", + "UID": "abb859d9a01cee0d" + }, + "InstalledVersion": "4.17.1", + "FixedVersion": "4.19.2, 5.0.0-beta.3", + "Status": "fixed", + "Layer": { + "Digest": "sha256:d60b2707975852ac9893dd5f0b9ed98a222f5a8c5b80003dafe8cb2c419d7407", + "DiffID": "sha256:882c984cafed0fa20487f0b4f95474af7d46cff44d735d266633ebcea37e2bd1" + }, + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2024-29041", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Title": "express: cause malformed URLs to be evaluated", + "Description": "Express.js minimalist web framework for node. Versions of Express.js prior to 4.19.0 and all pre-release alpha and beta versions of 5.0 are affected by an open redirect vulnerability using malformed URLs. When a user of Express performs a redirect using a user-provided URL Express performs an encode [using `encodeurl`](https://github.com/pillarjs/encodeurl) on the contents before passing it to the `location` header. 
This can cause malformed URLs to be evaluated in unexpected ways by common redirect allow list implementations in Express applications, leading to an Open Redirect via bypass of a properly implemented allow list. The main method impacted is `res.location()` but this is also called from within `res.redirect()`. The vulnerability is fixed in 4.19.2 and 5.0.0-beta.3.", + "Severity": "MEDIUM", + "CweIDs": [ + "CWE-1286", + "CWE-601" + ], + "VendorSeverity": { + "cbl-mariner": 2, + "ghsa": 2, + "redhat": 3 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", + "V3Score": 6.1 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", + "V3Score": 6.1 + } + }, + "References": [ + "https://access.redhat.com/security/cve/CVE-2024-29041", + "https://expressjs.com/en/4x/api.html#res.location", + "https://github.com/expressjs/express", + "https://github.com/expressjs/express/commit/0867302ddbde0e9463d0564fea5861feb708c2dd", + "https://github.com/expressjs/express/commit/0b746953c4bd8e377123527db11f9cd866e39f94", + "https://github.com/expressjs/express/pull/5539", + "https://github.com/expressjs/express/security/advisories/GHSA-rv95-896h-c2vc", + "https://github.com/koajs/koa/issues/1800", + "https://nvd.nist.gov/vuln/detail/CVE-2024-29041", + "https://www.cve.org/CVERecord?id=CVE-2024-29041" + ], + "PublishedDate": "2024-03-25T21:15:46.847Z", + "LastModifiedDate": "2024-03-26T12:55:05.01Z" + }, + { + "VulnerabilityID": "CVE-2024-43796", + "PkgID": "express@4.17.1", + "PkgName": "express", + "PkgPath": "juice-shop/node_modules/express/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/express@4.17.1", + "UID": "abb859d9a01cee0d" + }, + "InstalledVersion": "4.17.1", + "FixedVersion": "4.20.0, 5.0.0", + "Status": "fixed", + "Layer": { + "Digest": "sha256:d60b2707975852ac9893dd5f0b9ed98a222f5a8c5b80003dafe8cb2c419d7407", + "DiffID": "sha256:882c984cafed0fa20487f0b4f95474af7d46cff44d735d266633ebcea37e2bd1" + }, + 
"SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2024-43796", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Title": "express: Improper Input Handling in Express Redirects", + "Description": "Express.js minimalist web framework for node. In express \u003c 4.20.0, passing untrusted user input - even after sanitizing it - to response.redirect() may execute untrusted code. This issue is patched in express 4.20.0.", + "Severity": "MEDIUM", + "CweIDs": [ + "CWE-79" + ], + "VendorSeverity": { + "azure": 2, + "cbl-mariner": 2, + "ghsa": 2, + "nvd": 2, + "redhat": 2 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L", + "V3Score": 5 + }, + "nvd": { + "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N", + "V3Score": 4.7 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L", + "V3Score": 5 + } + }, + "References": [ + "https://access.redhat.com/security/cve/CVE-2024-43796", + "https://github.com/expressjs/express", + "https://github.com/expressjs/express/commit/54271f69b511fea198471e6ff3400ab805d6b553", + "https://github.com/expressjs/express/security/advisories/GHSA-qw6h-vgh9-j6wx", + "https://nvd.nist.gov/vuln/detail/CVE-2024-43796", + "https://www.cve.org/CVERecord?id=CVE-2024-43796" + ], + "PublishedDate": "2024-09-10T15:15:17.51Z", + "LastModifiedDate": "2024-09-20T16:07:47.997Z" + }, + { + "VulnerabilityID": "CVE-2020-15084", + "PkgID": "express-jwt@0.1.3", + "PkgName": "express-jwt", + "PkgPath": "juice-shop/node_modules/express-jwt/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/express-jwt@0.1.3", + "UID": "ff43a00952d1fea" + }, + "InstalledVersion": "0.1.3", + "FixedVersion": "6.0.0", + "Status": "fixed", + "Layer": { + "Digest": "sha256:d60b2707975852ac9893dd5f0b9ed98a222f5a8c5b80003dafe8cb2c419d7407", + "DiffID": 
"sha256:882c984cafed0fa20487f0b4f95474af7d46cff44d735d266633ebcea37e2bd1" + }, + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2020-15084", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Title": "Authorization bypass in express-jwt", + "Description": "In express-jwt (NPM package) up and including version 5.3.3, the algorithms entry to be specified in the configuration is not being enforced. When algorithms is not specified in the configuration, with the combination of jwks-rsa, it may lead to authorization bypass. You are affected by this vulnerability if all of the following conditions apply: - You are using express-jwt - You do not have **algorithms** configured in your express-jwt configuration. - You are using libraries such as jwks-rsa as the **secret**. You can fix this by specifying **algorithms** in the express-jwt configuration. See linked GHSA for example. 
This is also fixed in version 6.0.0.", + "Severity": "HIGH", + "CweIDs": [ + "CWE-863", + "CWE-285" + ], + "VendorSeverity": { + "ghsa": 3, + "nvd": 4 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N", + "V3Score": 7.7 + }, + "nvd": { + "V2Vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N", + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", + "V2Score": 4.3, + "V3Score": 9.1 + } + }, + "References": [ + "https://github.com/auth0/express-jwt/commit/7ecab5f8f0cab5297c2b863596566eb0c019cdef", + "https://github.com/auth0/express-jwt/security/advisories/GHSA-6g6m-m6h5-w9gf", + "https://nvd.nist.gov/vuln/detail/CVE-2020-15084" + ], + "PublishedDate": "2020-06-30T16:15:15.22Z", + "LastModifiedDate": "2022-10-21T18:00:47.803Z" + }, + { + "VulnerabilityID": "CVE-2022-36313", + "PkgID": "file-type@16.5.3", + "PkgName": "file-type", + "PkgPath": "juice-shop/node_modules/file-type/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/file-type@16.5.3", + "UID": "d16d15b530ad043c" + }, + "InstalledVersion": "16.5.3", + "FixedVersion": "16.5.4, 17.1.3", + "Status": "fixed", + "Layer": { + "Digest": "sha256:d60b2707975852ac9893dd5f0b9ed98a222f5a8c5b80003dafe8cb2c419d7407", + "DiffID": "sha256:882c984cafed0fa20487f0b4f95474af7d46cff44d735d266633ebcea37e2bd1" + }, + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2022-36313", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Title": "file-type: a malformed MKV file could cause the file type detector to get caught in an infinite loop", + "Description": "An issue was discovered in the file-type package before 16.5.4 and 17.x before 17.1.3 for Node.js. A malformed MKV file could cause the file type detector to get caught in an infinite loop. 
This would make the application become unresponsive and could be used to cause a DoS attack.", + "Severity": "HIGH", + "CweIDs": [ + "CWE-835" + ], + "VendorSeverity": { + "ghsa": 3, + "nvd": 2, + "redhat": 2 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 7.5 + }, + "nvd": { + "V3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "V3Score": 5.5 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "V3Score": 5.5 + } + }, + "References": [ + "https://access.redhat.com/security/cve/CVE-2022-36313", + "https://github.com/sindresorhus/file-type", + "https://github.com/sindresorhus/file-type/commit/2c4d1200c99dffb7d515b9b9951ef43c22bf7e47", + "https://github.com/sindresorhus/file-type/commit/8f981c32e2750d2516457e305e502ee2ad715759#diff-c853b2249e99790d8725774cf63c90c5ab17112067df6e267f3701d7bf591d12", + "https://github.com/sindresorhus/file-type/commit/d86835680f4cccbee1a60628783c36700ec9e254", + "https://github.com/sindresorhus/file-type/compare/v12.4.2...v13.0.0#diff-c853b2249e99790d8725774cf63c90c5ab17112067df6e267f3701d7bf591d12R611-R613", + "https://github.com/sindresorhus/file-type/releases/tag/v16.5.4", + "https://github.com/sindresorhus/file-type/releases/tag/v17.1.3", + "https://nvd.nist.gov/vuln/detail/CVE-2022-36313", + "https://security.netapp.com/advisory/ntap-20220909-0005", + "https://security.netapp.com/advisory/ntap-20220909-0005/", + "https://security.snyk.io/vuln/SNYK-JS-FILETYPE-2958042", + "https://www.cve.org/CVERecord?id=CVE-2022-36313", + "https://www.npmjs.com/package/file-type" + ], + "PublishedDate": "2022-07-21T16:15:09.297Z", + "LastModifiedDate": "2022-10-27T13:25:12.297Z" + }, + { + "VulnerabilityID": "CVE-2022-33987", + "PkgID": "got@6.7.1", + "PkgName": "got", + "PkgPath": "usr/local/lib/node_modules/npm/node_modules/got/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/got@6.7.1", + "UID": "3ee46f2ea1ebedf" + }, + "InstalledVersion": 
"6.7.1", + "FixedVersion": "12.1.0, 11.8.5", + "Status": "fixed", + "Layer": { + "Digest": "sha256:d0fe2b74aff960282c3c01d80bbbb5b45a12e84f7e2ad3b65daac8f42351d5a6", + "DiffID": "sha256:f8700d3a252fffe60e30bc672e8a6560f30a3ce8816f2ad396020553fe4d9210" + }, + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2022-33987", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Title": "nodejs-got: missing verification of requested URLs allows redirects to UNIX sockets", + "Description": "The got package before 12.1.0 (also fixed in 11.8.5) for Node.js allows a redirect to a UNIX socket.", + "Severity": "MEDIUM", + "VendorSeverity": { + "alma": 2, + "ghsa": 2, + "nvd": 2, + "oracle-oval": 2, + "redhat": 2 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", + "V3Score": 5.3 + }, + "nvd": { + "V2Vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N", + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", + "V2Score": 5, + "V3Score": 5.3 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", + "V3Score": 5.3 + } + }, + "References": [ + "https://access.redhat.com/errata/RHSA-2022:6595", + "https://access.redhat.com/security/cve/CVE-2022-33987", + "https://bugzilla.redhat.com/1907444", + "https://bugzilla.redhat.com/1945459", + "https://bugzilla.redhat.com/1964461", + "https://bugzilla.redhat.com/2007557", + "https://bugzilla.redhat.com/2098556", + "https://bugzilla.redhat.com/2102001", + "https://bugzilla.redhat.com/2105422", + "https://bugzilla.redhat.com/2105426", + "https://bugzilla.redhat.com/2105428", + "https://bugzilla.redhat.com/2105430", + "https://errata.almalinux.org/9/ALSA-2022-6595.html", + "https://github.com/sindresorhus/got", + "https://github.com/sindresorhus/got/commit/861ccd9ac2237df762a9e2beed7edd88c60782dc", + 
"https://github.com/sindresorhus/got/compare/v12.0.3...v12.1.0", + "https://github.com/sindresorhus/got/pull/2047", + "https://github.com/sindresorhus/got/releases/tag/v11.8.5", + "https://github.com/sindresorhus/got/releases/tag/v12.1.0", + "https://linux.oracle.com/cve/CVE-2022-33987.html", + "https://linux.oracle.com/errata/ELSA-2022-6595.html", + "https://nvd.nist.gov/vuln/detail/CVE-2022-33987", + "https://www.cve.org/CVERecord?id=CVE-2022-33987" + ], + "PublishedDate": "2022-06-18T21:15:07.933Z", + "LastModifiedDate": "2022-06-28T16:15:31.27Z" + }, + { + "VulnerabilityID": "CVE-2022-33987", + "PkgID": "got@8.3.2", + "PkgName": "got", + "PkgPath": "juice-shop/node_modules/got/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/got@8.3.2", + "UID": "565e22ebc733911a" + }, + "InstalledVersion": "8.3.2", + "FixedVersion": "12.1.0, 11.8.5", + "Status": "fixed", + "Layer": { + "Digest": "sha256:d60b2707975852ac9893dd5f0b9ed98a222f5a8c5b80003dafe8cb2c419d7407", + "DiffID": "sha256:882c984cafed0fa20487f0b4f95474af7d46cff44d735d266633ebcea37e2bd1" + }, + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2022-33987", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Title": "nodejs-got: missing verification of requested URLs allows redirects to UNIX sockets", + "Description": "The got package before 12.1.0 (also fixed in 11.8.5) for Node.js allows a redirect to a UNIX socket.", + "Severity": "MEDIUM", + "VendorSeverity": { + "alma": 2, + "ghsa": 2, + "nvd": 2, + "oracle-oval": 2, + "redhat": 2 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", + "V3Score": 5.3 + }, + "nvd": { + "V2Vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N", + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", + "V2Score": 5, + "V3Score": 5.3 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", 
+ "V3Score": 5.3 + } + }, + "References": [ + "https://access.redhat.com/errata/RHSA-2022:6595", + "https://access.redhat.com/security/cve/CVE-2022-33987", + "https://bugzilla.redhat.com/1907444", + "https://bugzilla.redhat.com/1945459", + "https://bugzilla.redhat.com/1964461", + "https://bugzilla.redhat.com/2007557", + "https://bugzilla.redhat.com/2098556", + "https://bugzilla.redhat.com/2102001", + "https://bugzilla.redhat.com/2105422", + "https://bugzilla.redhat.com/2105426", + "https://bugzilla.redhat.com/2105428", + "https://bugzilla.redhat.com/2105430", + "https://errata.almalinux.org/9/ALSA-2022-6595.html", + "https://github.com/sindresorhus/got", + "https://github.com/sindresorhus/got/commit/861ccd9ac2237df762a9e2beed7edd88c60782dc", + "https://github.com/sindresorhus/got/compare/v12.0.3...v12.1.0", + "https://github.com/sindresorhus/got/pull/2047", + "https://github.com/sindresorhus/got/releases/tag/v11.8.5", + "https://github.com/sindresorhus/got/releases/tag/v12.1.0", + "https://linux.oracle.com/cve/CVE-2022-33987.html", + "https://linux.oracle.com/errata/ELSA-2022-6595.html", + "https://nvd.nist.gov/vuln/detail/CVE-2022-33987", + "https://www.cve.org/CVERecord?id=CVE-2022-33987" + ], + "PublishedDate": "2022-06-18T21:15:07.933Z", + "LastModifiedDate": "2022-06-28T16:15:31.27Z" + }, + { + "VulnerabilityID": "CVE-2017-16042", + "PkgID": "growl@1.5.1", + "PkgName": "growl", + "PkgPath": "juice-shop/node_modules/clarinet/benchmark/node_modules/growl/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/growl@1.5.1", + "UID": "67dc34a94a791bee" + }, + "InstalledVersion": "1.5.1", + "FixedVersion": "1.10.0", + "Status": "fixed", + "Layer": { + "Digest": "sha256:d60b2707975852ac9893dd5f0b9ed98a222f5a8c5b80003dafe8cb2c419d7407", + "DiffID": "sha256:882c984cafed0fa20487f0b4f95474af7d46cff44d735d266633ebcea37e2bd1" + }, + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2017-16042", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub 
Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Title": "nodejs-growl: Does not properly sanitize input before passing it to exec", + "Description": "Growl adds growl notification support to nodejs. Growl before 1.10.2 does not properly sanitize input before passing it to exec, allowing for arbitrary command execution.", + "Severity": "CRITICAL", + "CweIDs": [ + "CWE-78", + "CWE-94" + ], + "VendorSeverity": { + "ghsa": 4, + "nvd": 4, + "redhat": 3 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "V3Score": 9.8 + }, + "nvd": { + "V2Vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P", + "V3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "V2Score": 7.5, + "V3Score": 9.8 + }, + "redhat": { + "V3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "V3Score": 8.1 + } + }, + "References": [ + "https://access.redhat.com/security/cve/CVE-2017-16042", + "https://github.com/tj/node-growl", + "https://github.com/tj/node-growl/commit/d71177d5331c9de4658aca62e0ac921f178b0669", + "https://github.com/tj/node-growl/issues/60", + "https://github.com/tj/node-growl/pull/61", + "https://github.com/tj/node-growl/pull/62", + "https://nodesecurity.io/advisories/146", + "https://nvd.nist.gov/vuln/detail/CVE-2017-16042", + "https://www.cve.org/CVERecord?id=CVE-2017-16042", + "https://www.npmjs.com/advisories/146" + ], + "PublishedDate": "2018-06-04T19:29:02.1Z", + "LastModifiedDate": "2019-10-09T23:24:38.987Z" + }, + { + "VulnerabilityID": "CVE-2022-1537", + "PkgID": "grunt@1.4.1", + "PkgName": "grunt", + "PkgPath": "juice-shop/node_modules/grunt/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/grunt@1.4.1", + "UID": "3a5ec40d9f2aa178" + }, + "InstalledVersion": "1.4.1", + "FixedVersion": "1.5.3", + "Status": "fixed", + "Layer": { + "Digest": "sha256:d60b2707975852ac9893dd5f0b9ed98a222f5a8c5b80003dafe8cb2c419d7407", + "DiffID": 
"sha256:882c984cafed0fa20487f0b4f95474af7d46cff44d735d266633ebcea37e2bd1" + }, + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2022-1537", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Title": "gruntjs: race condition leading to arbitrary file write", + "Description": "file.copy operations in GruntJS are vulnerable to a TOCTOU race condition leading to arbitrary file write in GitHub repository gruntjs/grunt prior to 1.5.3. This vulnerability is capable of arbitrary file writes which can lead to local privilege escalation to the GruntJS user if a lower-privileged user has write access to both source and destination directories as the lower-privileged user can create a symlink to the GruntJS user's .bashrc file or replace /etc/shadow file if the GruntJS user is root.", + "Severity": "HIGH", + "CweIDs": [ + "CWE-367" + ], + "VendorSeverity": { + "ghsa": 3, + "nvd": 3, + "redhat": 3, + "ubuntu": 2 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", + "V3Score": 7 + }, + "nvd": { + "V2Vector": "AV:L/AC:M/Au:N/C:C/I:C/A:C", + "V3Vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", + "V2Score": 6.9, + "V3Score": 7 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "V3Score": 7.8 + } + }, + "References": [ + "https://access.redhat.com/security/cve/CVE-2022-1537", + "https://github.com/gruntjs/grunt", + "https://github.com/gruntjs/grunt/commit/58016ffac5ed9338b63ecc2a63710f5027362bae", + "https://huntr.dev/bounties/0179c3e5-bc02-4fc9-8491-a1a319b51b4d", + "https://lists.debian.org/debian-lts-announce/2023/04/msg00006.html", + "https://nvd.nist.gov/vuln/detail/CVE-2022-1537", + "https://ubuntu.com/security/notices/USN-5847-1", + "https://www.cve.org/CVERecord?id=CVE-2022-1537" + ], + "PublishedDate": "2022-05-10T14:15:08.403Z", + "LastModifiedDate": 
"2023-04-05T22:15:07.09Z" + }, + { + "VulnerabilityID": "CVE-2022-0436", + "PkgID": "grunt@1.4.1", + "PkgName": "grunt", + "PkgPath": "juice-shop/node_modules/grunt/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/grunt@1.4.1", + "UID": "3a5ec40d9f2aa178" + }, + "InstalledVersion": "1.4.1", + "FixedVersion": "1.5.2", + "Status": "fixed", + "Layer": { + "Digest": "sha256:d60b2707975852ac9893dd5f0b9ed98a222f5a8c5b80003dafe8cb2c419d7407", + "DiffID": "sha256:882c984cafed0fa20487f0b4f95474af7d46cff44d735d266633ebcea37e2bd1" + }, + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2022-0436", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Title": "Path Traversal in GitHub repository gruntjs/grunt prior to 1.5.2.", + "Description": "Path Traversal in GitHub repository gruntjs/grunt prior to 1.5.2.", + "Severity": "MEDIUM", + "CweIDs": [ + "CWE-22" + ], + "VendorSeverity": { + "ghsa": 2, + "nvd": 2, + "ubuntu": 3 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", + "V3Score": 5.5 + }, + "nvd": { + "V2Vector": "AV:L/AC:L/Au:N/C:P/I:N/A:N", + "V3Vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", + "V2Score": 2.1, + "V3Score": 5.5 + } + }, + "References": [ + "https://github.com/gruntjs/grunt", + "https://github.com/gruntjs/grunt/commit/aad3d4521c3098fb255fb2db8f2e1d691a033665", + "https://github.com/gruntjs/grunt/commit/aad3d4521c3098fb255fb2db8f2e1d691a033665 (v1.5.0)", + "https://github.com/gruntjs/grunt/commit/b0ec6e12426fc8d5720dee1702f6a67455c5986c", + "https://github.com/gruntjs/grunt/pull/1740", + "https://github.com/gruntjs/grunt/pull/1743", + "https://huntr.dev/bounties/f55315e9-9f6d-4dbb-8c40-bae50c1ae92b", + "https://lists.debian.org/debian-lts-announce/2023/04/msg00008.html", + "https://nvd.nist.gov/vuln/detail/CVE-2022-0436", + 
"https://ubuntu.com/security/notices/USN-5847-1", + "https://www.cve.org/CVERecord?id=CVE-2022-0436" + ], + "PublishedDate": "2022-04-12T21:15:07.643Z", + "LastModifiedDate": "2023-04-06T15:15:08.727Z" + }, + { + "VulnerabilityID": "CVE-2021-32822", + "PkgID": "hbs@4.1.2", + "PkgName": "hbs", + "PkgPath": "juice-shop/node_modules/hbs/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/hbs@4.1.2", + "UID": "560a396918d11c15" + }, + "InstalledVersion": "4.1.2", + "Status": "affected", + "Layer": { + "Digest": "sha256:d60b2707975852ac9893dd5f0b9ed98a222f5a8c5b80003dafe8cb2c419d7407", + "DiffID": "sha256:882c984cafed0fa20487f0b4f95474af7d46cff44d735d266633ebcea37e2bd1" + }, + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2021-32822", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Title": "Insertion of Sensitive Information into Externally-Accessible File or Directory and Exposure of Sensitive Information to an Unauthorized Actor in hbs", + "Description": "The npm hbs package is an Express view engine wrapper for Handlebars. Depending on usage, users of hbs may be vulnerable to a file disclosure vulnerability. There is currently no patch for this vulnerability. hbs mixes pure template data with engine configuration options through the Express render API. By overwriting internal configuration options a file disclosure vulnerability may be triggered in downstream applications. 
For an example PoC see the referenced GHSL-2021-020.", + "Severity": "MEDIUM", + "CweIDs": [ + "CWE-94", + "CWE-538" + ], + "VendorSeverity": { + "ghsa": 2, + "nvd": 2 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:N", + "V3Score": 4 + }, + "nvd": { + "V2Vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N", + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", + "V2Score": 5, + "V3Score": 5.3 + } + }, + "References": [ + "https://github.com/pillarjs/hbs", + "https://nvd.nist.gov/vuln/detail/CVE-2021-32822", + "https://securitylab.github.com/advisories/GHSL-2021-020-pillarjs-hbs", + "https://securitylab.github.com/advisories/GHSL-2021-020-pillarjs-hbs/" + ], + "PublishedDate": "2021-08-16T19:15:14.083Z", + "LastModifiedDate": "2022-07-02T18:23:07.957Z" + }, + { + "VulnerabilityID": "CVE-2022-25881", + "PkgID": "http-cache-semantics@3.8.1", + "PkgName": "http-cache-semantics", + "PkgPath": "juice-shop/node_modules/http-cache-semantics/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/http-cache-semantics@3.8.1", + "UID": "868c747b9b0d5ddb" + }, + "InstalledVersion": "3.8.1", + "FixedVersion": "4.1.1", + "Status": "fixed", + "Layer": { + "Digest": "sha256:d60b2707975852ac9893dd5f0b9ed98a222f5a8c5b80003dafe8cb2c419d7407", + "DiffID": "sha256:882c984cafed0fa20487f0b4f95474af7d46cff44d735d266633ebcea37e2bd1" + }, + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2022-25881", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Title": "http-cache-semantics: Regular Expression Denial of Service (ReDoS) vulnerability", + "Description": "This affects versions of the package http-cache-semantics before 4.1.1. 
The issue can be exploited via malicious request header values sent to a server, when that server reads the cache policy from the request using this library.\r\r", + "Severity": "HIGH", + "CweIDs": [ + "CWE-1333" + ], + "VendorSeverity": { + "alma": 2, + "amazon": 3, + "cbl-mariner": 3, + "ghsa": 3, + "nvd": 3, + "oracle-oval": 2, + "redhat": 2, + "rocky": 2 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 7.5 + }, + "nvd": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 7.5 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 7.5 + } + }, + "References": [ + "https://access.redhat.com/errata/RHSA-2023:2655", + "https://access.redhat.com/security/cve/CVE-2022-25881", + "https://bugzilla.redhat.com/2165824", + "https://bugzilla.redhat.com/2168631", + "https://bugzilla.redhat.com/2171935", + "https://bugzilla.redhat.com/2172190", + "https://bugzilla.redhat.com/2172204", + "https://bugzilla.redhat.com/2172217", + "https://bugzilla.redhat.com/show_bug.cgi?id=2165824", + "https://bugzilla.redhat.com/show_bug.cgi?id=2168631", + "https://bugzilla.redhat.com/show_bug.cgi?id=2171935", + "https://bugzilla.redhat.com/show_bug.cgi?id=2172190", + "https://bugzilla.redhat.com/show_bug.cgi?id=2172204", + "https://bugzilla.redhat.com/show_bug.cgi?id=2172217", + "https://bugzilla.redhat.com/show_bug.cgi?id=2178076", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-25881", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-4904", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-23918", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-23920", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-23936", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-24807", + "https://errata.almalinux.org/9/ALSA-2023-2655.html", + "https://errata.rockylinux.org/RLSA-2023:2655", + 
"https://github.com/kornelski/http-cache-semantics", + "https://github.com/kornelski/http-cache-semantics/blob/master/index.js%23L83", + "https://github.com/kornelski/http-cache-semantics/commit/560b2d8ef452bbba20ffed69dc155d63ac757b74", + "https://linux.oracle.com/cve/CVE-2022-25881.html", + "https://linux.oracle.com/errata/ELSA-2023-2655.html", + "https://nvd.nist.gov/vuln/detail/CVE-2022-25881", + "https://security.netapp.com/advisory/ntap-20230622-0008", + "https://security.netapp.com/advisory/ntap-20230622-0008/", + "https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-3253332", + "https://security.snyk.io/vuln/SNYK-JS-HTTPCACHESEMANTICS-3248783", + "https://www.cve.org/CVERecord?id=CVE-2022-25881" + ], + "PublishedDate": "2023-01-31T05:15:11.81Z", + "LastModifiedDate": "2023-11-07T03:44:51.8Z" + }, + { + "VulnerabilityID": "CVE-2022-25881", + "PkgID": "http-cache-semantics@3.8.1", + "PkgName": "http-cache-semantics", + "PkgPath": "usr/local/lib/node_modules/npm/node_modules/http-cache-semantics/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/http-cache-semantics@3.8.1", + "UID": "e38c4ff794b1dfac" + }, + "InstalledVersion": "3.8.1", + "FixedVersion": "4.1.1", + "Status": "fixed", + "Layer": { + "Digest": "sha256:d0fe2b74aff960282c3c01d80bbbb5b45a12e84f7e2ad3b65daac8f42351d5a6", + "DiffID": "sha256:f8700d3a252fffe60e30bc672e8a6560f30a3ce8816f2ad396020553fe4d9210" + }, + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2022-25881", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Title": "http-cache-semantics: Regular Expression Denial of Service (ReDoS) vulnerability", + "Description": "This affects versions of the package http-cache-semantics before 4.1.1. 
The issue can be exploited via malicious request header values sent to a server, when that server reads the cache policy from the request using this library.\r\r", + "Severity": "HIGH", + "CweIDs": [ + "CWE-1333" + ], + "VendorSeverity": { + "alma": 2, + "amazon": 3, + "cbl-mariner": 3, + "ghsa": 3, + "nvd": 3, + "oracle-oval": 2, + "redhat": 2, + "rocky": 2 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 7.5 + }, + "nvd": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 7.5 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 7.5 + } + }, + "References": [ + "https://access.redhat.com/errata/RHSA-2023:2655", + "https://access.redhat.com/security/cve/CVE-2022-25881", + "https://bugzilla.redhat.com/2165824", + "https://bugzilla.redhat.com/2168631", + "https://bugzilla.redhat.com/2171935", + "https://bugzilla.redhat.com/2172190", + "https://bugzilla.redhat.com/2172204", + "https://bugzilla.redhat.com/2172217", + "https://bugzilla.redhat.com/show_bug.cgi?id=2165824", + "https://bugzilla.redhat.com/show_bug.cgi?id=2168631", + "https://bugzilla.redhat.com/show_bug.cgi?id=2171935", + "https://bugzilla.redhat.com/show_bug.cgi?id=2172190", + "https://bugzilla.redhat.com/show_bug.cgi?id=2172204", + "https://bugzilla.redhat.com/show_bug.cgi?id=2172217", + "https://bugzilla.redhat.com/show_bug.cgi?id=2178076", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-25881", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-4904", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-23918", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-23920", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-23936", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-24807", + "https://errata.almalinux.org/9/ALSA-2023-2655.html", + "https://errata.rockylinux.org/RLSA-2023:2655", + 
"https://github.com/kornelski/http-cache-semantics", + "https://github.com/kornelski/http-cache-semantics/blob/master/index.js%23L83", + "https://github.com/kornelski/http-cache-semantics/commit/560b2d8ef452bbba20ffed69dc155d63ac757b74", + "https://linux.oracle.com/cve/CVE-2022-25881.html", + "https://linux.oracle.com/errata/ELSA-2023-2655.html", + "https://nvd.nist.gov/vuln/detail/CVE-2022-25881", + "https://security.netapp.com/advisory/ntap-20230622-0008", + "https://security.netapp.com/advisory/ntap-20230622-0008/", + "https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-3253332", + "https://security.snyk.io/vuln/SNYK-JS-HTTPCACHESEMANTICS-3248783", + "https://www.cve.org/CVERecord?id=CVE-2022-25881" + ], + "PublishedDate": "2023-01-31T05:15:11.81Z", + "LastModifiedDate": "2023-11-07T03:44:51.8Z" + }, + { + "VulnerabilityID": "CVE-2024-29415", + "PkgID": "ip@1.1.5", + "PkgName": "ip", + "PkgPath": "usr/local/lib/node_modules/npm/node_modules/ip/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/ip@1.1.5", + "UID": "c205c9c968b8c15c" + }, + "InstalledVersion": "1.1.5", + "Status": "affected", + "Layer": { + "Digest": "sha256:d0fe2b74aff960282c3c01d80bbbb5b45a12e84f7e2ad3b65daac8f42351d5a6", + "DiffID": "sha256:f8700d3a252fffe60e30bc672e8a6560f30a3ce8816f2ad396020553fe4d9210" + }, + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2024-29415", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Title": "node-ip: Incomplete fix for CVE-2023-42282", + "Description": "The ip package through 2.0.1 for Node.js might allow SSRF because some IP addresses (such as 127.1, 01200034567, 012.1.2.3, 000:0:0000::01, and ::fFFf:127.0.0.1) are improperly categorized as globally routable via isPublic. 
NOTE: this issue exists because of an incomplete fix for CVE-2023-42282.", + "Severity": "HIGH", + "CweIDs": [ + "CWE-918", + "CWE-941" + ], + "VendorSeverity": { + "ghsa": 3, + "redhat": 3 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "V3Score": 8.1 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "V3Score": 9.8 + } + }, + "References": [ + "https://access.redhat.com/security/cve/CVE-2024-29415", + "https://cosmosofcyberspace.github.io/npm_ip_cve/npm_ip_cve.html", + "https://github.com/indutny/node-ip", + "https://github.com/indutny/node-ip/issues/150", + "https://github.com/indutny/node-ip/pull/143", + "https://github.com/indutny/node-ip/pull/144", + "https://nvd.nist.gov/vuln/detail/CVE-2024-29415", + "https://www.cve.org/CVERecord?id=CVE-2024-29415" + ], + "PublishedDate": "2024-05-27T20:15:08.97Z", + "LastModifiedDate": "2024-08-16T14:35:01.26Z" + }, + { + "VulnerabilityID": "CVE-2023-42282", + "PkgID": "ip@1.1.5", + "PkgName": "ip", + "PkgPath": "usr/local/lib/node_modules/npm/node_modules/ip/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/ip@1.1.5", + "UID": "c205c9c968b8c15c" + }, + "InstalledVersion": "1.1.5", + "FixedVersion": "2.0.1, 1.1.9", + "Status": "fixed", + "Layer": { + "Digest": "sha256:d0fe2b74aff960282c3c01d80bbbb5b45a12e84f7e2ad3b65daac8f42351d5a6", + "DiffID": "sha256:f8700d3a252fffe60e30bc672e8a6560f30a3ce8816f2ad396020553fe4d9210" + }, + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2023-42282", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Title": "nodejs-ip: arbitrary code execution via the isPublic() function", + "Description": "The ip package before 1.1.9 for Node.js might allow SSRF because some IP addresses (such as 0x7f.1) are improperly categorized as globally routable via isPublic.", + "Severity": 
"LOW", + "CweIDs": [ + "CWE-918" + ], + "VendorSeverity": { + "azure": 4, + "cbl-mariner": 4, + "ghsa": 1, + "nvd": 4, + "redhat": 3, + "ubuntu": 2 + }, + "CVSS": { + "nvd": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "V3Score": 9.8 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "V3Score": 9.8 + } + }, + "References": [ + "https://access.redhat.com/security/cve/CVE-2023-42282", + "https://cosmosofcyberspace.github.io/npm_ip_cve/npm_ip_cve.html", + "https://github.com/JoshGlazebrook/socks/issues/93#issue-2128357447", + "https://github.com/github/advisory-database/pull/3504#issuecomment-1937179999", + "https://github.com/indutny/node-ip", + "https://github.com/indutny/node-ip/commit/32f468f1245574785ec080705737a579be1223aa", + "https://github.com/indutny/node-ip/commit/6a3ada9b471b09d5f0f5be264911ab564bf67894", + "https://github.com/indutny/node-ip/pull/138", + "https://huntr.com/bounties/bfc3b23f-ddc0-4ee7-afab-223b07115ed3/", + "https://nvd.nist.gov/vuln/detail/CVE-2023-42282", + "https://security.netapp.com/advisory/ntap-20240315-0008/", + "https://ubuntu.com/security/notices/USN-6643-1", + "https://www.bleepingcomputer.com/news/security/dev-rejects-cve-severity-makes-his-github-repo-read-only/", + "https://www.cve.org/CVERecord?id=CVE-2023-42282" + ], + "PublishedDate": "2024-02-08T17:15:10.84Z", + "LastModifiedDate": "2024-10-09T15:14:21.817Z" + }, + { + "VulnerabilityID": "CVE-2021-3918", + "PkgID": "json-schema@0.2.3", + "PkgName": "json-schema", + "PkgPath": "juice-shop/node_modules/json-schema/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/json-schema@0.2.3", + "UID": "a95b849c2e02b2a2" + }, + "InstalledVersion": "0.2.3", + "FixedVersion": "0.4.0", + "Status": "fixed", + "Layer": { + "Digest": "sha256:d60b2707975852ac9893dd5f0b9ed98a222f5a8c5b80003dafe8cb2c419d7407", + "DiffID": "sha256:882c984cafed0fa20487f0b4f95474af7d46cff44d735d266633ebcea37e2bd1" + }, + "SeveritySource": "ghsa", + 
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2021-3918", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Title": "nodejs-json-schema: Prototype pollution vulnerability", + "Description": "json-schema is vulnerable to Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')", + "Severity": "CRITICAL", + "CweIDs": [ + "CWE-1321" + ], + "VendorSeverity": { + "alma": 2, + "ghsa": 4, + "nvd": 4, + "oracle-oval": 2, + "redhat": 3, + "ubuntu": 2 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "V3Score": 9.8 + }, + "nvd": { + "V2Vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P", + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "V2Score": 7.5, + "V3Score": 9.8 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "V3Score": 9.8 + } + }, + "References": [ + "https://access.redhat.com/security/cve/CVE-2021-3918", + "https://errata.almalinux.org/8/ALSA-2022-0350.html", + "https://github.com/kriszyp/json-schema", + "https://github.com/kriszyp/json-schema/commit/22f146111f541d9737e832823699ad3528ca7741", + "https://github.com/kriszyp/json-schema/commit/22f146111f541d9737e832823699ad3528ca7741 (v0.4.0)", + "https://github.com/kriszyp/json-schema/commit/b62f1da1ff5442f23443d6be6a92d00e65cba93a", + "https://github.com/kriszyp/json-schema/commit/f6f6a3b02d667aa4ba2d5d50cc19208c4462abfa", + "https://huntr.dev/bounties/bb6ccd63-f505-4e3a-b55f-cd2662c261a9", + "https://linux.oracle.com/cve/CVE-2021-3918.html", + "https://linux.oracle.com/errata/ELSA-2022-0350.html", + "https://lists.debian.org/debian-lts-announce/2022/12/msg00013.html", + "https://nvd.nist.gov/vuln/detail/CVE-2021-3918", + "https://ubuntu.com/security/notices/USN-6103-1", + "https://www.cve.org/CVERecord?id=CVE-2021-3918" + ], + "PublishedDate": "2021-11-13T09:15:06.737Z", + "LastModifiedDate": 
"2023-02-03T19:15:59.437Z" + }, + { + "VulnerabilityID": "CVE-2021-3918", + "PkgID": "json-schema@0.2.3", + "PkgName": "json-schema", + "PkgPath": "usr/local/lib/node_modules/npm/node_modules/json-schema/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/json-schema@0.2.3", + "UID": "e6e8892303068e66" + }, + "InstalledVersion": "0.2.3", + "FixedVersion": "0.4.0", + "Status": "fixed", + "Layer": { + "Digest": "sha256:d0fe2b74aff960282c3c01d80bbbb5b45a12e84f7e2ad3b65daac8f42351d5a6", + "DiffID": "sha256:f8700d3a252fffe60e30bc672e8a6560f30a3ce8816f2ad396020553fe4d9210" + }, + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2021-3918", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Title": "nodejs-json-schema: Prototype pollution vulnerability", + "Description": "json-schema is vulnerable to Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')", + "Severity": "CRITICAL", + "CweIDs": [ + "CWE-1321" + ], + "VendorSeverity": { + "alma": 2, + "ghsa": 4, + "nvd": 4, + "oracle-oval": 2, + "redhat": 3, + "ubuntu": 2 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "V3Score": 9.8 + }, + "nvd": { + "V2Vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P", + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "V2Score": 7.5, + "V3Score": 9.8 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "V3Score": 9.8 + } + }, + "References": [ + "https://access.redhat.com/security/cve/CVE-2021-3918", + "https://errata.almalinux.org/8/ALSA-2022-0350.html", + "https://github.com/kriszyp/json-schema", + "https://github.com/kriszyp/json-schema/commit/22f146111f541d9737e832823699ad3528ca7741", + "https://github.com/kriszyp/json-schema/commit/22f146111f541d9737e832823699ad3528ca7741 (v0.4.0)", + 
"https://github.com/kriszyp/json-schema/commit/b62f1da1ff5442f23443d6be6a92d00e65cba93a", + "https://github.com/kriszyp/json-schema/commit/f6f6a3b02d667aa4ba2d5d50cc19208c4462abfa", + "https://huntr.dev/bounties/bb6ccd63-f505-4e3a-b55f-cd2662c261a9", + "https://linux.oracle.com/cve/CVE-2021-3918.html", + "https://linux.oracle.com/errata/ELSA-2022-0350.html", + "https://lists.debian.org/debian-lts-announce/2022/12/msg00013.html", + "https://nvd.nist.gov/vuln/detail/CVE-2021-3918", + "https://ubuntu.com/security/notices/USN-6103-1", + "https://www.cve.org/CVERecord?id=CVE-2021-3918" + ], + "PublishedDate": "2021-11-13T09:15:06.737Z", + "LastModifiedDate": "2023-02-03T19:15:59.437Z" + }, + { + "VulnerabilityID": "CVE-2022-46175", + "PkgID": "json5@2.2.0", + "PkgName": "json5", + "PkgPath": "juice-shop/node_modules/json5/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/json5@2.2.0", + "UID": "f2804f3a2573eb9c" + }, + "InstalledVersion": "2.2.0", + "FixedVersion": "2.2.2, 1.0.2", + "Status": "fixed", + "Layer": { + "Digest": "sha256:d60b2707975852ac9893dd5f0b9ed98a222f5a8c5b80003dafe8cb2c419d7407", + "DiffID": "sha256:882c984cafed0fa20487f0b4f95474af7d46cff44d735d266633ebcea37e2bd1" + }, + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2022-46175", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Title": "json5: Prototype Pollution in JSON5 via Parse Method", + "Description": "JSON5 is an extension to the popular JSON file format that aims to be easier to write and maintain by hand (e.g. for config files). The `parse` method of the JSON5 library before and including versions 1.0.1 and 2.2.1 does not restrict parsing of keys named `__proto__`, allowing specially crafted strings to pollute the prototype of the resulting object. 
This vulnerability pollutes the prototype of the object returned by `JSON5.parse` and not the global Object prototype, which is the commonly understood definition of Prototype Pollution. However, polluting the prototype of a single object can have significant security impact for an application if the object is later used in trusted operations. This vulnerability could allow an attacker to set arbitrary and unexpected keys on the object returned from `JSON5.parse`. The actual impact will depend on how applications utilize the returned object and how they filter unwanted keys, but could include denial of service, cross-site scripting, elevation of privilege, and in extreme cases, remote code execution. `JSON5.parse` should restrict parsing of `__proto__` keys when parsing JSON strings to objects. As a point of reference, the `JSON.parse` method included in JavaScript ignores `__proto__` keys. Simply changing `JSON5.parse` to `JSON.parse` in the examples above mitigates this vulnerability. 
This vulnerability is patched in json5 versions 1.0.2, 2.2.2, and later.", + "Severity": "HIGH", + "CweIDs": [ + "CWE-1321" + ], + "VendorSeverity": { + "azure": 3, + "ghsa": 3, + "nvd": 3, + "redhat": 2, + "ubuntu": 2 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:H", + "V3Score": 7.1 + }, + "nvd": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "V3Score": 8.8 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "V3Score": 8.8 + } + }, + "References": [ + "https://access.redhat.com/security/cve/CVE-2022-46175", + "https://github.com/json5/json5", + "https://github.com/json5/json5/commit/62a65408408d40aeea14c7869ed327acead12972", + "https://github.com/json5/json5/commit/7774c1097993bc3ce9f0ac4b722a32bf7d6871c8", + "https://github.com/json5/json5/issues/199", + "https://github.com/json5/json5/issues/295", + "https://github.com/json5/json5/pull/298", + "https://github.com/json5/json5/security/advisories/GHSA-9c47-m6qq-7p4h", + "https://lists.debian.org/debian-lts-announce/2023/11/msg00021.html", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3S26TLPLVFAJTUN3VIXFDEBEXDYO22CE/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3S26TLPLVFAJTUN3VIXFDEBEXDYO22CE", + "https://nvd.nist.gov/vuln/detail/CVE-2022-46175", + "https://ubuntu.com/security/notices/USN-6758-1", + "https://www.cve.org/CVERecord?id=CVE-2022-46175" + ], + "PublishedDate": "2022-12-24T04:15:08.787Z", + "LastModifiedDate": "2023-11-26T01:15:07.177Z" + }, + { + "VulnerabilityID": "CVE-2015-9235", + "PkgID": "jsonwebtoken@0.1.0", + "PkgName": "jsonwebtoken", + "PkgPath": "juice-shop/node_modules/express-jwt/node_modules/jsonwebtoken/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/jsonwebtoken@0.1.0", + "UID": "324977895803c3d7" + }, + "InstalledVersion": "0.1.0", + "FixedVersion": "4.2.2", + "Status": "fixed", + 
"Layer": { + "Digest": "sha256:d60b2707975852ac9893dd5f0b9ed98a222f5a8c5b80003dafe8cb2c419d7407", + "DiffID": "sha256:882c984cafed0fa20487f0b4f95474af7d46cff44d735d266633ebcea37e2bd1" + }, + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2015-9235", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Title": "nodejs-jsonwebtoken: verification step bypass with an altered token", + "Description": "In jsonwebtoken node module before 4.2.2 it is possible for an attacker to bypass verification when a token digitally signed with an asymmetric key (RS/ES family) of algorithms but instead the attacker send a token digitally signed with a symmetric algorithm (HS* family).", + "Severity": "CRITICAL", + "CweIDs": [ + "CWE-327", + "CWE-20" + ], + "VendorSeverity": { + "ghsa": 4, + "nvd": 4, + "redhat": 3 + }, + "CVSS": { + "nvd": { + "V2Vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P", + "V3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "V2Score": 7.5, + "V3Score": 9.8 + }, + "redhat": { + "V3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", + "V3Score": 7.3 + } + }, + "References": [ + "https://access.redhat.com/security/cve/CVE-2015-9235", + "https://auth0.com/blog/2015/03/31/critical-vulnerabilities-in-json-web-token-libraries", + "https://auth0.com/blog/2015/03/31/critical-vulnerabilities-in-json-web-token-libraries/", "https://github.com/advisories/GHSA-c7hr-j4mj-j2w6", "https://github.com/auth0/node-jsonwebtoken/commit/1bb584bc382295eeb7ee8c4452a673a77a68b687", "https://nodesecurity.io/advisories/17", "https://nvd.nist.gov/vuln/detail/CVE-2015-9235", + "https://www.cve.org/CVERecord?id=CVE-2015-9235", + "https://www.npmjs.com/advisories/17", + "https://www.timmclean.net/2015/02/25/jwt-alg-none.html" + ], + "PublishedDate": "2018-05-29T20:29:00.33Z", + "LastModifiedDate": "2019-10-09T23:15:57.76Z" + }, + { + "VulnerabilityID": 
"CVE-2022-23539", + "PkgID": "jsonwebtoken@0.1.0", + "PkgName": "jsonwebtoken", + "PkgPath": "juice-shop/node_modules/express-jwt/node_modules/jsonwebtoken/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/jsonwebtoken@0.1.0", + "UID": "324977895803c3d7" + }, + "InstalledVersion": "0.1.0", + "FixedVersion": "9.0.0", + "Status": "fixed", + "Layer": { + "Digest": "sha256:d60b2707975852ac9893dd5f0b9ed98a222f5a8c5b80003dafe8cb2c419d7407", + "DiffID": "sha256:882c984cafed0fa20487f0b4f95474af7d46cff44d735d266633ebcea37e2bd1" + }, + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2022-23539", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Title": "jsonwebtoken: Unrestricted key type could lead to legacy keys usagen", + "Description": "Versions `\u003c=8.5.1` of `jsonwebtoken` library could be misconfigured so that legacy, insecure key types are used for signature verification. For example, DSA keys could be used with the RS256 algorithm. You are affected if you are using an algorithm and a key type other than a combination listed in the GitHub Security Advisory as unaffected. This issue has been fixed, please update to version 9.0.0. This version validates for asymmetric key type and algorithm combinations. Please refer to the above mentioned algorithm / key type combinations for the valid secure configuration. 
After updating to version 9.0.0, if you still intend to continue with signing or verifying tokens using invalid key type/algorithm value combinations, you’ll need to set the `allowInvalidAsymmetricKeyTypes` option to `true` in the `sign()` and/or `verify()` functions.", + "Severity": "HIGH", + "CweIDs": [ + "CWE-327" + ], + "VendorSeverity": { + "ghsa": 3, + "nvd": 3, + "redhat": 2 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", + "V3Score": 8.1 + }, + "nvd": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", + "V3Score": 8.1 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", + "V3Score": 8.1 + } + }, + "References": [ + "https://access.redhat.com/security/cve/CVE-2022-23539", + "https://github.com/auth0/node-jsonwebtoken", + "https://github.com/auth0/node-jsonwebtoken/commit/e1fa9dcc12054a8681db4e6373da1b30cf7016e3", + "https://github.com/auth0/node-jsonwebtoken/security/advisories/GHSA-8cf7-32gw-wr33", + "https://nvd.nist.gov/vuln/detail/CVE-2022-23539", + "https://security.netapp.com/advisory/ntap-20240621-0007", + "https://security.netapp.com/advisory/ntap-20240621-0007/", + "https://www.cve.org/CVERecord?id=CVE-2022-23539" + ], + "PublishedDate": "2022-12-23T00:15:12.347Z", + "LastModifiedDate": "2024-06-21T19:15:22.683Z" + }, + { + "VulnerabilityID": "NSWG-ECO-17", + "PkgID": "jsonwebtoken@0.1.0", + "PkgName": "jsonwebtoken", + "PkgPath": "juice-shop/node_modules/express-jwt/node_modules/jsonwebtoken/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/jsonwebtoken@0.1.0", + "UID": "324977895803c3d7" + }, + "InstalledVersion": "0.1.0", + "FixedVersion": "\u003e=4.2.2", + "Status": "fixed", + "Layer": { + "Digest": "sha256:d60b2707975852ac9893dd5f0b9ed98a222f5a8c5b80003dafe8cb2c419d7407", + "DiffID": "sha256:882c984cafed0fa20487f0b4f95474af7d46cff44d735d266633ebcea37e2bd1" + }, + "SeveritySource": "nodejs-security-wg", + "DataSource": { + "ID": "nodejs-security-wg", + 
"Name": "Node.js Ecosystem Security Working Group", + "URL": "https://github.com/nodejs/security-wg" + }, + "Title": "Verification Bypass", + "Description": "It is possible for an attacker to bypass verification when \"a token digitally signed with an asymetric key (RS/ES family) of algorithms but instead the attacker send a token digitally signed with a symmetric algorithm (HS* family)\" [1]", + "Severity": "HIGH", + "VendorSeverity": { + "nodejs-security-wg": 3 + }, + "References": [ + "https://auth0.com/blog/2015/03/31/critical-vulnerabilities-in-json-web-token-libraries/", + "https://github.com/auth0/node-jsonwebtoken/commit/1bb584bc382295eeb7ee8c4452a673a77a68b687", "https://www.timmclean.net/2015/02/25/jwt-alg-none.html" - ], - "PublishedDate": "2018-05-29T20:29:00Z", - "LastModifiedDate": "2019-10-09T23:15:00Z" + ] + }, + { + "VulnerabilityID": "CVE-2022-23540", + "PkgID": "jsonwebtoken@0.1.0", + "PkgName": "jsonwebtoken", + "PkgPath": "juice-shop/node_modules/express-jwt/node_modules/jsonwebtoken/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/jsonwebtoken@0.1.0", + "UID": "324977895803c3d7" + }, + "InstalledVersion": "0.1.0", + "FixedVersion": "9.0.0", + "Status": "fixed", + "Layer": { + "Digest": "sha256:d60b2707975852ac9893dd5f0b9ed98a222f5a8c5b80003dafe8cb2c419d7407", + "DiffID": "sha256:882c984cafed0fa20487f0b4f95474af7d46cff44d735d266633ebcea37e2bd1" + }, + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2022-23540", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Title": "jsonwebtoken: Insecure default algorithm in jwt.verify() could lead to signature validation bypass", + "Description": "In versions `\u003c=8.5.1` of `jsonwebtoken` library, lack of algorithm definition in the `jwt.verify()` function can lead to signature validation bypass due to defaulting to the `none` algorithm for signature 
verification. Users are affected if you do not specify algorithms in the `jwt.verify()` function. This issue has been fixed, please update to version 9.0.0 which removes the default support for the none algorithm in the `jwt.verify()` method. There will be no impact, if you update to version 9.0.0 and you don’t need to allow for the `none` algorithm. If you need 'none' algorithm, you have to explicitly specify that in `jwt.verify()` options.\n", + "Severity": "MEDIUM", + "CweIDs": [ + "CWE-347", + "CWE-287" + ], + "VendorSeverity": { + "ghsa": 2, + "nvd": 3, + "redhat": 2 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:L", + "V3Score": 6.4 + }, + "nvd": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L", + "V3Score": 7.6 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:L", + "V3Score": 6.4 + } + }, + "References": [ + "https://access.redhat.com/security/cve/CVE-2022-23540", + "https://github.com/auth0/node-jsonwebtoken", + "https://github.com/auth0/node-jsonwebtoken/commit/e1fa9dcc12054a8681db4e6373da1b30cf7016e3", + "https://github.com/auth0/node-jsonwebtoken/security/advisories/GHSA-qwph-4952-7xr6", + "https://nvd.nist.gov/vuln/detail/CVE-2022-23540", + "https://security.netapp.com/advisory/ntap-20240621-0007", + "https://security.netapp.com/advisory/ntap-20240621-0007/", + "https://www.cve.org/CVERecord?id=CVE-2022-23540" + ], + "PublishedDate": "2022-12-22T19:15:08.967Z", + "LastModifiedDate": "2024-06-21T19:15:22.84Z" + }, + { + "VulnerabilityID": "CVE-2022-23541", + "PkgID": "jsonwebtoken@0.1.0", + "PkgName": "jsonwebtoken", + "PkgPath": "juice-shop/node_modules/express-jwt/node_modules/jsonwebtoken/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/jsonwebtoken@0.1.0", + "UID": "324977895803c3d7" + }, + "InstalledVersion": "0.1.0", + "FixedVersion": "9.0.0", + "Status": "fixed", + "Layer": { + "Digest": "sha256:d60b2707975852ac9893dd5f0b9ed98a222f5a8c5b80003dafe8cb2c419d7407", 
+ "DiffID": "sha256:882c984cafed0fa20487f0b4f95474af7d46cff44d735d266633ebcea37e2bd1" + }, + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2022-23541", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Title": "jsonwebtoken: Insecure implementation of key retrieval function could lead to Forgeable Public/Private Tokens from RSA to HMAC", + "Description": "jsonwebtoken is an implementation of JSON Web Tokens. Versions `\u003c= 8.5.1` of `jsonwebtoken` library can be misconfigured so that passing a poorly implemented key retrieval function referring to the `secretOrPublicKey` argument from the readme link will result in incorrect verification of tokens. There is a possibility of using a different algorithm and key combination in verification, other than the one that was used to sign the tokens. Specifically, tokens signed with an asymmetric public key could be verified with a symmetric HS256 algorithm. This can lead to successful validation of forged tokens. If your application is supporting usage of both symmetric key and asymmetric key in jwt.verify() implementation with the same key retrieval function. 
This issue has been patched, please update to version 9.0.0.", + "Severity": "MEDIUM", + "CweIDs": [ + "CWE-1259", + "CWE-287" + ], + "VendorSeverity": { + "ghsa": 2, + "nvd": 2, + "redhat": 2 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L", + "V3Score": 5 + }, + "nvd": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", + "V3Score": 6.3 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L", + "V3Score": 5 + } + }, + "References": [ + "https://access.redhat.com/security/cve/CVE-2022-23541", + "https://github.com/auth0/node-jsonwebtoken", + "https://github.com/auth0/node-jsonwebtoken/commit/e1fa9dcc12054a8681db4e6373da1b30cf7016e3", + "https://github.com/auth0/node-jsonwebtoken/releases/tag/v9.0.0", + "https://github.com/auth0/node-jsonwebtoken/security/advisories/GHSA-hjrf-2m68-5959", + "https://nvd.nist.gov/vuln/detail/CVE-2022-23541", + "https://security.netapp.com/advisory/ntap-20240621-0007", + "https://security.netapp.com/advisory/ntap-20240621-0007/", + "https://www.cve.org/CVERecord?id=CVE-2022-23541" + ], + "PublishedDate": "2022-12-22T18:15:09.39Z", + "LastModifiedDate": "2024-06-21T19:15:22.97Z" + }, + { + "VulnerabilityID": "CVE-2015-9235", + "PkgID": "jsonwebtoken@0.4.0", + "PkgName": "jsonwebtoken", + "PkgPath": "juice-shop/node_modules/jsonwebtoken/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/jsonwebtoken@0.4.0", + "UID": "b220953c826bca0" + }, + "InstalledVersion": "0.4.0", + "FixedVersion": "4.2.2", + "Status": "fixed", + "Layer": { + "Digest": "sha256:d60b2707975852ac9893dd5f0b9ed98a222f5a8c5b80003dafe8cb2c419d7407", + "DiffID": "sha256:882c984cafed0fa20487f0b4f95474af7d46cff44d735d266633ebcea37e2bd1" + }, + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2015-9235", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + 
"Title": "nodejs-jsonwebtoken: verification step bypass with an altered token", + "Description": "In jsonwebtoken node module before 4.2.2 it is possible for an attacker to bypass verification when a token digitally signed with an asymmetric key (RS/ES family) of algorithms but instead the attacker send a token digitally signed with a symmetric algorithm (HS* family).", + "Severity": "CRITICAL", + "CweIDs": [ + "CWE-327", + "CWE-20" + ], + "VendorSeverity": { + "ghsa": 4, + "nvd": 4, + "redhat": 3 + }, + "CVSS": { + "nvd": { + "V2Vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P", + "V3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "V2Score": 7.5, + "V3Score": 9.8 + }, + "redhat": { + "V3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", + "V3Score": 7.3 + } + }, + "References": [ + "https://access.redhat.com/security/cve/CVE-2015-9235", + "https://auth0.com/blog/2015/03/31/critical-vulnerabilities-in-json-web-token-libraries", + "https://auth0.com/blog/2015/03/31/critical-vulnerabilities-in-json-web-token-libraries/", + "https://github.com/advisories/GHSA-c7hr-j4mj-j2w6", + "https://github.com/auth0/node-jsonwebtoken/commit/1bb584bc382295eeb7ee8c4452a673a77a68b687", + "https://nodesecurity.io/advisories/17", + "https://nvd.nist.gov/vuln/detail/CVE-2015-9235", + "https://www.cve.org/CVERecord?id=CVE-2015-9235", + "https://www.npmjs.com/advisories/17", + "https://www.timmclean.net/2015/02/25/jwt-alg-none.html" + ], + "PublishedDate": "2018-05-29T20:29:00.33Z", + "LastModifiedDate": "2019-10-09T23:15:57.76Z" + }, + { + "VulnerabilityID": "CVE-2022-23539", + "PkgID": "jsonwebtoken@0.4.0", + "PkgName": "jsonwebtoken", + "PkgPath": "juice-shop/node_modules/jsonwebtoken/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/jsonwebtoken@0.4.0", + "UID": "b220953c826bca0" + }, + "InstalledVersion": "0.4.0", + "FixedVersion": "9.0.0", + "Status": "fixed", + "Layer": { + "Digest": "sha256:d60b2707975852ac9893dd5f0b9ed98a222f5a8c5b80003dafe8cb2c419d7407", + "DiffID": 
"sha256:882c984cafed0fa20487f0b4f95474af7d46cff44d735d266633ebcea37e2bd1" + }, + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2022-23539", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Title": "jsonwebtoken: Unrestricted key type could lead to legacy keys usagen", + "Description": "Versions `\u003c=8.5.1` of `jsonwebtoken` library could be misconfigured so that legacy, insecure key types are used for signature verification. For example, DSA keys could be used with the RS256 algorithm. You are affected if you are using an algorithm and a key type other than a combination listed in the GitHub Security Advisory as unaffected. This issue has been fixed, please update to version 9.0.0. This version validates for asymmetric key type and algorithm combinations. Please refer to the above mentioned algorithm / key type combinations for the valid secure configuration. 
After updating to version 9.0.0, if you still intend to continue with signing or verifying tokens using invalid key type/algorithm value combinations, you’ll need to set the `allowInvalidAsymmetricKeyTypes` option to `true` in the `sign()` and/or `verify()` functions.", + "Severity": "HIGH", + "CweIDs": [ + "CWE-327" + ], + "VendorSeverity": { + "ghsa": 3, + "nvd": 3, + "redhat": 2 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", + "V3Score": 8.1 + }, + "nvd": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", + "V3Score": 8.1 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", + "V3Score": 8.1 + } + }, + "References": [ + "https://access.redhat.com/security/cve/CVE-2022-23539", + "https://github.com/auth0/node-jsonwebtoken", + "https://github.com/auth0/node-jsonwebtoken/commit/e1fa9dcc12054a8681db4e6373da1b30cf7016e3", + "https://github.com/auth0/node-jsonwebtoken/security/advisories/GHSA-8cf7-32gw-wr33", + "https://nvd.nist.gov/vuln/detail/CVE-2022-23539", + "https://security.netapp.com/advisory/ntap-20240621-0007", + "https://security.netapp.com/advisory/ntap-20240621-0007/", + "https://www.cve.org/CVERecord?id=CVE-2022-23539" + ], + "PublishedDate": "2022-12-23T00:15:12.347Z", + "LastModifiedDate": "2024-06-21T19:15:22.683Z" + }, + { + "VulnerabilityID": "NSWG-ECO-17", + "PkgID": "jsonwebtoken@0.4.0", + "PkgName": "jsonwebtoken", + "PkgPath": "juice-shop/node_modules/jsonwebtoken/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/jsonwebtoken@0.4.0", + "UID": "b220953c826bca0" + }, + "InstalledVersion": "0.4.0", + "FixedVersion": "\u003e=4.2.2", + "Status": "fixed", + "Layer": { + "Digest": "sha256:d60b2707975852ac9893dd5f0b9ed98a222f5a8c5b80003dafe8cb2c419d7407", + "DiffID": "sha256:882c984cafed0fa20487f0b4f95474af7d46cff44d735d266633ebcea37e2bd1" + }, + "SeveritySource": "nodejs-security-wg", + "DataSource": { + "ID": "nodejs-security-wg", + "Name": "Node.js Ecosystem 
Security Working Group", + "URL": "https://github.com/nodejs/security-wg" + }, + "Title": "Verification Bypass", + "Description": "It is possible for an attacker to bypass verification when \"a token digitally signed with an asymetric key (RS/ES family) of algorithms but instead the attacker send a token digitally signed with a symmetric algorithm (HS* family)\" [1]", + "Severity": "HIGH", + "VendorSeverity": { + "nodejs-security-wg": 3 + }, + "References": [ + "https://auth0.com/blog/2015/03/31/critical-vulnerabilities-in-json-web-token-libraries/", + "https://github.com/auth0/node-jsonwebtoken/commit/1bb584bc382295eeb7ee8c4452a673a77a68b687", + "https://www.timmclean.net/2015/02/25/jwt-alg-none.html" + ] + }, + { + "VulnerabilityID": "CVE-2022-23540", + "PkgID": "jsonwebtoken@0.4.0", + "PkgName": "jsonwebtoken", + "PkgPath": "juice-shop/node_modules/jsonwebtoken/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/jsonwebtoken@0.4.0", + "UID": "b220953c826bca0" + }, + "InstalledVersion": "0.4.0", + "FixedVersion": "9.0.0", + "Status": "fixed", + "Layer": { + "Digest": "sha256:d60b2707975852ac9893dd5f0b9ed98a222f5a8c5b80003dafe8cb2c419d7407", + "DiffID": "sha256:882c984cafed0fa20487f0b4f95474af7d46cff44d735d266633ebcea37e2bd1" + }, + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2022-23540", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Title": "jsonwebtoken: Insecure default algorithm in jwt.verify() could lead to signature validation bypass", + "Description": "In versions `\u003c=8.5.1` of `jsonwebtoken` library, lack of algorithm definition in the `jwt.verify()` function can lead to signature validation bypass due to defaulting to the `none` algorithm for signature verification. Users are affected if you do not specify algorithms in the `jwt.verify()` function. 
This issue has been fixed, please update to version 9.0.0 which removes the default support for the none algorithm in the `jwt.verify()` method. There will be no impact, if you update to version 9.0.0 and you don’t need to allow for the `none` algorithm. If you need 'none' algorithm, you have to explicitly specify that in `jwt.verify()` options.\n", + "Severity": "MEDIUM", + "CweIDs": [ + "CWE-347", + "CWE-287" + ], + "VendorSeverity": { + "ghsa": 2, + "nvd": 3, + "redhat": 2 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:L", + "V3Score": 6.4 + }, + "nvd": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L", + "V3Score": 7.6 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:L", + "V3Score": 6.4 + } + }, + "References": [ + "https://access.redhat.com/security/cve/CVE-2022-23540", + "https://github.com/auth0/node-jsonwebtoken", + "https://github.com/auth0/node-jsonwebtoken/commit/e1fa9dcc12054a8681db4e6373da1b30cf7016e3", + "https://github.com/auth0/node-jsonwebtoken/security/advisories/GHSA-qwph-4952-7xr6", + "https://nvd.nist.gov/vuln/detail/CVE-2022-23540", + "https://security.netapp.com/advisory/ntap-20240621-0007", + "https://security.netapp.com/advisory/ntap-20240621-0007/", + "https://www.cve.org/CVERecord?id=CVE-2022-23540" + ], + "PublishedDate": "2022-12-22T19:15:08.967Z", + "LastModifiedDate": "2024-06-21T19:15:22.84Z" + }, + { + "VulnerabilityID": "CVE-2022-23541", + "PkgID": "jsonwebtoken@0.4.0", + "PkgName": "jsonwebtoken", + "PkgPath": "juice-shop/node_modules/jsonwebtoken/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/jsonwebtoken@0.4.0", + "UID": "b220953c826bca0" + }, + "InstalledVersion": "0.4.0", + "FixedVersion": "9.0.0", + "Status": "fixed", + "Layer": { + "Digest": "sha256:d60b2707975852ac9893dd5f0b9ed98a222f5a8c5b80003dafe8cb2c419d7407", + "DiffID": "sha256:882c984cafed0fa20487f0b4f95474af7d46cff44d735d266633ebcea37e2bd1" + }, + "SeveritySource": "ghsa", + 
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2022-23541", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Title": "jsonwebtoken: Insecure implementation of key retrieval function could lead to Forgeable Public/Private Tokens from RSA to HMAC", + "Description": "jsonwebtoken is an implementation of JSON Web Tokens. Versions `\u003c= 8.5.1` of `jsonwebtoken` library can be misconfigured so that passing a poorly implemented key retrieval function referring to the `secretOrPublicKey` argument from the readme link will result in incorrect verification of tokens. There is a possibility of using a different algorithm and key combination in verification, other than the one that was used to sign the tokens. Specifically, tokens signed with an asymmetric public key could be verified with a symmetric HS256 algorithm. This can lead to successful validation of forged tokens. If your application is supporting usage of both symmetric key and asymmetric key in jwt.verify() implementation with the same key retrieval function. 
This issue has been patched, please update to version 9.0.0.", + "Severity": "MEDIUM", + "CweIDs": [ + "CWE-1259", + "CWE-287" + ], + "VendorSeverity": { + "ghsa": 2, + "nvd": 2, + "redhat": 2 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L", + "V3Score": 5 + }, + "nvd": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", + "V3Score": 6.3 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L", + "V3Score": 5 + } + }, + "References": [ + "https://access.redhat.com/security/cve/CVE-2022-23541", + "https://github.com/auth0/node-jsonwebtoken", + "https://github.com/auth0/node-jsonwebtoken/commit/e1fa9dcc12054a8681db4e6373da1b30cf7016e3", + "https://github.com/auth0/node-jsonwebtoken/releases/tag/v9.0.0", + "https://github.com/auth0/node-jsonwebtoken/security/advisories/GHSA-hjrf-2m68-5959", + "https://nvd.nist.gov/vuln/detail/CVE-2022-23541", + "https://security.netapp.com/advisory/ntap-20240621-0007", + "https://security.netapp.com/advisory/ntap-20240621-0007/", + "https://www.cve.org/CVERecord?id=CVE-2022-23541" + ], + "PublishedDate": "2022-12-22T18:15:09.39Z", + "LastModifiedDate": "2024-06-21T19:15:22.97Z" + }, + { + "VulnerabilityID": "CVE-2016-1000223", + "PkgID": "jws@0.2.6", + "PkgName": "jws", + "PkgPath": "juice-shop/node_modules/jws/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/jws@0.2.6", + "UID": "da4a6fd70bb8e740" + }, + "InstalledVersion": "0.2.6", + "FixedVersion": "\u003e=3.0.0", + "Status": "fixed", + "Layer": { + "Digest": "sha256:d60b2707975852ac9893dd5f0b9ed98a222f5a8c5b80003dafe8cb2c419d7407", + "DiffID": "sha256:882c984cafed0fa20487f0b4f95474af7d46cff44d735d266633ebcea37e2bd1" + }, + "SeveritySource": "nodejs-security-wg", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2016-1000223", + "DataSource": { + "ID": "nodejs-security-wg", + "Name": "Node.js Ecosystem Security Working Group", + "URL": "https://github.com/nodejs/security-wg" + }, + "Title": "Forgeable 
Public/Private Tokens", + "Description": "Since \"algorithm\" isn't enforced in `jws.verify()`, a malicious user could choose what algorithm is sent to the server. If the server is expecting RSA but is sent HMAC-SHA with RSA's public key, the server will think the public key is actually an HMAC private key. This could be used to forge any data an attacker wants.\n\nIn addition, there is the `none` algorithm to be concerned about. In versions prior to 3.0.0, verification of the token could be bypassed when the `alg` field is set to `none`.\n\n*Edit ( 7/29/16 ): A previous version of this advisory incorrectly stated that the vulnerability was patched in version 2.0.0 instead of 3.0.0. The advisory has been updated to reflect this new information. Thanks to Fabien Catteau for reporting the error.*", + "Severity": "HIGH", + "VendorSeverity": { + "ghsa": 3, + "nodejs-security-wg": 3 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N", + "V3Score": 8.7 + } + }, + "References": [ + "https://auth0.com/blog/2015/03/31/critical-vulnerabilities-in-json-web-token-libraries", + "https://auth0.com/blog/2015/03/31/critical-vulnerabilities-in-json-web-token-libraries/", + "https://github.com/brianloveswords/node-jws", + "https://github.com/brianloveswords/node-jws/commit/585d0e1e97b6747c10cf5b7689ccc5618a89b299#diff-4ac32a78649ca5bdd8e0ba38b7006a1e", + "https://nvd.nist.gov/vuln/detail/CVE-2016-1000223", + "https://snyk.io/vuln/npm:jws:20160726", + "https://www.npmjs.com/advisories/88" + ] + }, + { + "VulnerabilityID": "CVE-2024-34393", + "PkgID": "libxmljs2@0.26.7", + "PkgName": "libxmljs2", + "PkgPath": "juice-shop/node_modules/libxmljs2/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/libxmljs2@0.26.7", + "UID": "ed058d9ba277282a" + }, + "InstalledVersion": "0.26.7", + "Status": "affected", + "Layer": { + "Digest": "sha256:d60b2707975852ac9893dd5f0b9ed98a222f5a8c5b80003dafe8cb2c419d7407", + "DiffID": 
"sha256:882c984cafed0fa20487f0b4f95474af7d46cff44d735d266633ebcea37e2bd1" + }, + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2024-34393", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Title": "libxmljs2 type confusion vulnerability when parsing specially crafted XML", + "Description": "libxmljs2 is vulnerable to a type confusion vulnerability when parsing a specially crafted XML while invoking a function on the result of attrs() that was called on a parsed node. This vulnerability might lead to denial of service (on both 32-bit systems and 64-bit systems), data leak, infinite loop and remote code execution (on 32-bit systems with the XML_PARSE_HUGE flag enabled).", + "Severity": "HIGH", + "VendorSeverity": { + "ghsa": 3 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "V3Score": 8.1 + } + }, + "References": [ + "https://github.com/marudor/libxmljs2", + "https://github.com/marudor/libxmljs2/issues/204", + "https://nvd.nist.gov/vuln/detail/CVE-2024-34393", + "https://research.jfrog.com/vulnerabilities/libxmljs2-attrs-type-confusion-rce-jfsa-2024-001034097", + "https://research.jfrog.com/vulnerabilities/libxmljs2-attrs-type-confusion-rce-jfsa-2024-001034097/" + ], + "PublishedDate": "2024-05-02T19:15:06.48Z", + "LastModifiedDate": "2024-05-03T12:50:34.25Z" + }, + { + "VulnerabilityID": "CVE-2024-34394", + "PkgID": "libxmljs2@0.26.7", + "PkgName": "libxmljs2", + "PkgPath": "juice-shop/node_modules/libxmljs2/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/libxmljs2@0.26.7", + "UID": "ed058d9ba277282a" + }, + "InstalledVersion": "0.26.7", + "Status": "affected", + "Layer": { + "Digest": "sha256:d60b2707975852ac9893dd5f0b9ed98a222f5a8c5b80003dafe8cb2c419d7407", + "DiffID": "sha256:882c984cafed0fa20487f0b4f95474af7d46cff44d735d266633ebcea37e2bd1" + }, + "SeveritySource": 
"ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2024-34394", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Title": "libxmljs2 vulnerable to type confusion when parsing specially crafted XML", + "Description": "libxmljs2 is vulnerable to a type confusion vulnerability when parsing a specially crafted XML while invoking the namespaces() function (which invokes XmlNode::get_local_namespaces()) on a grand-child of a node that refers to an entity. This vulnerability can lead to denial of service and remote code execution.", + "Severity": "HIGH", + "VendorSeverity": { + "ghsa": 3 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "V3Score": 8.1 + } + }, + "References": [ + "https://github.com/marudor/libxmljs2", + "https://github.com/marudor/libxmljs2/issues/205", + "https://nvd.nist.gov/vuln/detail/CVE-2024-34394", + "https://research.jfrog.com/vulnerabilities/libxmljs2-namespaces-type-confusion-rce-jfsa-2024-001034098", + "https://research.jfrog.com/vulnerabilities/libxmljs2-namespaces-type-confusion-rce-jfsa-2024-001034098/" + ], + "PublishedDate": "2024-05-02T19:15:06.63Z", + "LastModifiedDate": "2024-05-03T12:50:34.25Z" + }, + { + "VulnerabilityID": "CVE-2019-10744", + "PkgID": "lodash@2.4.2", + "PkgName": "lodash", + "PkgPath": "juice-shop/node_modules/sanitize-html/node_modules/lodash/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/lodash@2.4.2", + "UID": "2055fc9d42487aec" + }, + "InstalledVersion": "2.4.2", + "FixedVersion": "4.17.12", + "Status": "fixed", + "Layer": { + "Digest": "sha256:d60b2707975852ac9893dd5f0b9ed98a222f5a8c5b80003dafe8cb2c419d7407", + "DiffID": "sha256:882c984cafed0fa20487f0b4f95474af7d46cff44d735d266633ebcea37e2bd1" + }, + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-10744", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub 
Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Title": "nodejs-lodash: prototype pollution in defaultsDeep function leading to modifying properties", + "Description": "Versions of lodash lower than 4.17.12 are vulnerable to Prototype Pollution. The function defaultsDeep could be tricked into adding or modifying properties of Object.prototype using a constructor payload.", + "Severity": "CRITICAL", + "CweIDs": [ + "CWE-1321" + ], + "VendorSeverity": { + "ghsa": 4, + "nvd": 4, + "redhat": 3 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H", + "V3Score": 9.1 + }, + "nvd": { + "V2Vector": "AV:N/AC:L/Au:N/C:N/I:P/A:P", + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H", + "V2Score": 6.4, + "V3Score": 9.1 + }, + "redhat": { + "V3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H", + "V3Score": 9.1 + } + }, + "References": [ + "https://access.redhat.com/errata/RHSA-2019:3024", + "https://access.redhat.com/security/cve/CVE-2019-10744", + "https://github.com/lodash/lodash/pull/4336", + "https://nvd.nist.gov/vuln/detail/CVE-2019-10744", + "https://security.netapp.com/advisory/ntap-20191004-0005", + "https://security.netapp.com/advisory/ntap-20191004-0005/", + "https://snyk.io/vuln/SNYK-JS-LODASH-450202", + "https://support.f5.com/csp/article/K47105354?utm_source=f5support\u0026amp%3Butm_medium=RSS", + "https://support.f5.com/csp/article/K47105354?utm_source=f5support\u0026amp;utm_medium=RSS", + "https://www.cve.org/CVERecord?id=CVE-2019-10744", + "https://www.npmjs.com/advisories/1065", + "https://www.oracle.com/security-alerts/cpujan2021.html", + "https://www.oracle.com/security-alerts/cpuoct2020.html" + ], + "PublishedDate": "2019-07-26T00:15:11.217Z", + "LastModifiedDate": "2024-01-21T02:45:24.433Z" + }, + { + "VulnerabilityID": "CVE-2018-16487", + "PkgID": "lodash@2.4.2", + "PkgName": "lodash", + "PkgPath": 
"juice-shop/node_modules/sanitize-html/node_modules/lodash/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/lodash@2.4.2", + "UID": "2055fc9d42487aec" + }, + "InstalledVersion": "2.4.2", + "FixedVersion": "\u003e=4.17.11", + "Status": "fixed", + "Layer": { + "Digest": "sha256:d60b2707975852ac9893dd5f0b9ed98a222f5a8c5b80003dafe8cb2c419d7407", + "DiffID": "sha256:882c984cafed0fa20487f0b4f95474af7d46cff44d735d266633ebcea37e2bd1" + }, + "SeveritySource": "nodejs-security-wg", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2018-16487", + "DataSource": { + "ID": "nodejs-security-wg", + "Name": "Node.js Ecosystem Security Working Group", + "URL": "https://github.com/nodejs/security-wg" + }, + "Title": "lodash: Prototype pollution in utilities function", + "Description": "A prototype pollution vulnerability was found in lodash \u003c4.17.11 where the functions merge, mergeWith, and defaultsDeep can be tricked into adding or modifying properties of Object.prototype.", + "Severity": "HIGH", + "CweIDs": [ + "CWE-400" + ], + "VendorSeverity": { + "ghsa": 3, + "nodejs-security-wg": 3, + "nvd": 2, + "redhat": 2 + }, + "CVSS": { + "nvd": { + "V2Vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P", + "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L", + "V2Score": 6.8, + "V3Score": 5.6 + }, + "redhat": { + "V3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L", + "V3Score": 5.6 + } + }, + "References": [ + "https://access.redhat.com/security/cve/CVE-2018-16487", + "https://github.com/advisories/GHSA-4xc9-xhrj-v574", + "https://github.com/lodash/lodash/commit/90e6199a161b6445b01454517b40ef65ebecd2ad", + "https://hackerone.com/reports/380873", + "https://nvd.nist.gov/vuln/detail/CVE-2018-16487", + "https://security.netapp.com/advisory/ntap-20190919-0004", + "https://security.netapp.com/advisory/ntap-20190919-0004/", + "https://www.cve.org/CVERecord?id=CVE-2018-16487", + "https://www.npmjs.com/advisories/782" + ], + "PublishedDate": "2019-02-01T18:29:00.943Z", + 
"LastModifiedDate": "2020-09-18T16:38:27.95Z" + }, + { + "VulnerabilityID": "CVE-2021-23337", + "PkgID": "lodash@2.4.2", + "PkgName": "lodash", + "PkgPath": "juice-shop/node_modules/sanitize-html/node_modules/lodash/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/lodash@2.4.2", + "UID": "2055fc9d42487aec" + }, + "InstalledVersion": "2.4.2", + "FixedVersion": "4.17.21", + "Status": "fixed", + "Layer": { + "Digest": "sha256:d60b2707975852ac9893dd5f0b9ed98a222f5a8c5b80003dafe8cb2c419d7407", + "DiffID": "sha256:882c984cafed0fa20487f0b4f95474af7d46cff44d735d266633ebcea37e2bd1" + }, + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2021-23337", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Title": "nodejs-lodash: command injection via template", + "Description": "Lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function.", + "Severity": "HIGH", + "CweIDs": [ + "CWE-94" + ], + "VendorSeverity": { + "ghsa": 3, + "nvd": 3, + "redhat": 2, + "ubuntu": 2 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", + "V3Score": 7.2 + }, + "nvd": { + "V2Vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P", + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", + "V2Score": 6.5, + "V3Score": 7.2 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", + "V3Score": 7.2 + } + }, + "References": [ + "https://access.redhat.com/security/cve/CVE-2021-23337", + "https://cert-portal.siemens.com/productcert/pdf/ssa-637483.pdf", + "https://github.com/lodash/lodash", + "https://github.com/lodash/lodash/blob/ddfd9b11a0126db2302cb70ec9973b66baec0975/lodash.js#L14851", + "https://github.com/lodash/lodash/blob/ddfd9b11a0126db2302cb70ec9973b66baec0975/lodash.js%23L14851", + "https://github.com/lodash/lodash/commit/3469357cff396a26c363f8c1b5a91dde28ba4b1c", + 
"https://nvd.nist.gov/vuln/detail/CVE-2021-23337", + "https://security.netapp.com/advisory/ntap-20210312-0006", + "https://security.netapp.com/advisory/ntap-20210312-0006/", + "https://snyk.io/vuln/SNYK-JAVA-ORGFUJIONWEBJARS-1074932", + "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-1074930", + "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1074928", + "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBLODASH-1074931", + "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1074929", + "https://snyk.io/vuln/SNYK-JS-LODASH-1040724", + "https://www.cve.org/CVERecord?id=CVE-2021-23337", + "https://www.oracle.com//security-alerts/cpujul2021.html", + "https://www.oracle.com/security-alerts/cpujan2022.html", + "https://www.oracle.com/security-alerts/cpujul2022.html", + "https://www.oracle.com/security-alerts/cpuoct2021.html" + ], + "PublishedDate": "2021-02-15T13:15:12.56Z", + "LastModifiedDate": "2022-09-13T21:25:02.093Z" + }, + { + "VulnerabilityID": "CVE-2019-1010266", + "PkgID": "lodash@2.4.2", + "PkgName": "lodash", + "PkgPath": "juice-shop/node_modules/sanitize-html/node_modules/lodash/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/lodash@2.4.2", + "UID": "2055fc9d42487aec" + }, + "InstalledVersion": "2.4.2", + "FixedVersion": "4.17.11", + "Status": "fixed", + "Layer": { + "Digest": "sha256:d60b2707975852ac9893dd5f0b9ed98a222f5a8c5b80003dafe8cb2c419d7407", + "DiffID": "sha256:882c984cafed0fa20487f0b4f95474af7d46cff44d735d266633ebcea37e2bd1" + }, + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1010266", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Title": "lodash: uncontrolled resource consumption in Data handler causing denial of service", + "Description": "lodash prior to 4.17.11 is affected by: CWE-400: Uncontrolled Resource Consumption. The impact is: Denial of service. The component is: Date handler. 
The attack vector is: Attacker provides very long strings, which the library attempts to match using a regular expression. The fixed version is: 4.17.11.", + "Severity": "MEDIUM", + "CweIDs": [ + "CWE-770", + "CWE-400" + ], + "VendorSeverity": { + "ghsa": 2, + "nvd": 2, + "redhat": 1 + }, + "CVSS": { + "nvd": { + "V2Vector": "AV:N/AC:L/Au:S/C:N/I:N/A:P", + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "V2Score": 4, + "V3Score": 6.5 + }, + "redhat": { + "V3Vector": "CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 4.4 + } + }, + "References": [ + "https://access.redhat.com/security/cve/CVE-2019-1010266", + "https://github.com/lodash/lodash/commit/5c08f18d365b64063bfbfa686cbb97cdd6267347", + "https://github.com/lodash/lodash/issues/3359", + "https://github.com/lodash/lodash/wiki/Changelog", + "https://nvd.nist.gov/vuln/detail/CVE-2019-1010266", + "https://security.netapp.com/advisory/ntap-20190919-0004", + "https://security.netapp.com/advisory/ntap-20190919-0004/", + "https://snyk.io/vuln/SNYK-JS-LODASH-73639", + "https://www.cve.org/CVERecord?id=CVE-2019-1010266" + ], + "PublishedDate": "2019-07-17T21:15:10.873Z", + "LastModifiedDate": "2020-09-30T13:40:43.663Z" + }, + { + "VulnerabilityID": "CVE-2020-28500", + "PkgID": "lodash@2.4.2", + "PkgName": "lodash", + "PkgPath": "juice-shop/node_modules/sanitize-html/node_modules/lodash/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/lodash@2.4.2", + "UID": "2055fc9d42487aec" + }, + "InstalledVersion": "2.4.2", + "FixedVersion": "4.17.21", + "Status": "fixed", + "Layer": { + "Digest": "sha256:d60b2707975852ac9893dd5f0b9ed98a222f5a8c5b80003dafe8cb2c419d7407", + "DiffID": "sha256:882c984cafed0fa20487f0b4f95474af7d46cff44d735d266633ebcea37e2bd1" + }, + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2020-28500", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + 
}, + "Title": "nodejs-lodash: ReDoS via the toNumber, trim and trimEnd functions", + "Description": "Lodash versions prior to 4.17.21 are vulnerable to Regular Expression Denial of Service (ReDoS) via the toNumber, trim and trimEnd functions.", + "Severity": "MEDIUM", + "VendorSeverity": { + "ghsa": 2, + "nvd": 2, + "redhat": 2, + "ubuntu": 2 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", + "V3Score": 5.3 + }, + "nvd": { + "V2Vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P", + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", + "V2Score": 5, + "V3Score": 5.3 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", + "V3Score": 5.3 + } + }, + "References": [ + "https://access.redhat.com/security/cve/CVE-2020-28500", + "https://cert-portal.siemens.com/productcert/pdf/ssa-637483.pdf", + "https://github.com/lodash/lodash", + "https://github.com/lodash/lodash/blob/npm/trimEnd.js#L8", + "https://github.com/lodash/lodash/blob/npm/trimEnd.js%23L8", + "https://github.com/lodash/lodash/commit/c4847ebe7d14540bb28a8b932a9ce1b9ecbfee1a", + "https://github.com/lodash/lodash/pull/5065", + "https://github.com/lodash/lodash/pull/5065/commits/02906b8191d3c100c193fe6f7b27d1c40f200bb7", + "https://nvd.nist.gov/vuln/detail/CVE-2020-28500", + "https://security.netapp.com/advisory/ntap-20210312-0006", + "https://security.netapp.com/advisory/ntap-20210312-0006/", + "https://snyk.io/vuln/SNYK-JAVA-ORGFUJIONWEBJARS-1074896", + "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-1074894", + "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1074892", + "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBLODASH-1074895", + "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1074893", + "https://snyk.io/vuln/SNYK-JS-LODASH-1018905", + "https://www.cve.org/CVERecord?id=CVE-2020-28500", + "https://www.oracle.com//security-alerts/cpujul2021.html", + "https://www.oracle.com/security-alerts/cpujan2022.html", + 
"https://www.oracle.com/security-alerts/cpujul2022.html", + "https://www.oracle.com/security-alerts/cpuoct2021.html" + ], + "PublishedDate": "2021-02-15T11:15:12.397Z", + "LastModifiedDate": "2022-09-13T21:18:50.543Z" + }, + { + "VulnerabilityID": "CVE-2018-3721", + "PkgID": "lodash@2.4.2", + "PkgName": "lodash", + "PkgPath": "juice-shop/node_modules/sanitize-html/node_modules/lodash/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/lodash@2.4.2", + "UID": "2055fc9d42487aec" + }, + "InstalledVersion": "2.4.2", + "FixedVersion": "\u003e=4.17.5", + "Status": "fixed", + "Layer": { + "Digest": "sha256:d60b2707975852ac9893dd5f0b9ed98a222f5a8c5b80003dafe8cb2c419d7407", + "DiffID": "sha256:882c984cafed0fa20487f0b4f95474af7d46cff44d735d266633ebcea37e2bd1" + }, + "SeveritySource": "nodejs-security-wg", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2018-3721", + "DataSource": { + "ID": "nodejs-security-wg", + "Name": "Node.js Ecosystem Security Working Group", + "URL": "https://github.com/nodejs/security-wg" + }, + "Title": "lodash: Prototype pollution in utilities function", + "Description": "lodash node module before 4.17.5 suffers from a Modification of Assumed-Immutable Data (MAID) vulnerability via defaultsDeep, merge, and mergeWith functions, which allows a malicious user to modify the prototype of \"Object\" via __proto__, causing the addition or modification of an existing property that will exist on all objects.", + "Severity": "LOW", + "CweIDs": [ + "CWE-1321", + "CWE-471" + ], + "VendorSeverity": { + "ghsa": 2, + "nodejs-security-wg": 1, + "nvd": 2, + "redhat": 1 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", + "V3Score": 6.5 + }, + "nvd": { + "V2Vector": "AV:N/AC:L/Au:S/C:N/I:P/A:N", + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", + "V2Score": 4, + "V3Score": 6.5 + }, + "redhat": { + "V3Vector": "CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L", + "V3Score": 2.9 + } + }, + "References": [ + 
"https://access.redhat.com/security/cve/CVE-2018-3721", + "https://github.com/advisories/GHSA-fvqr-27wr-82fm", + "https://github.com/lodash/lodash/commit/d8e069cc3410082e44eb18fcf8e7f3d08ebe1d4a", + "https://hackerone.com/reports/310443", + "https://nvd.nist.gov/vuln/detail/CVE-2018-3721", + "https://security.netapp.com/advisory/ntap-20190919-0004", + "https://security.netapp.com/advisory/ntap-20190919-0004/", + "https://www.cve.org/CVERecord?id=CVE-2018-3721", + "https://www.npmjs.com/advisories/577" + ], + "PublishedDate": "2018-06-07T02:29:08.317Z", + "LastModifiedDate": "2024-02-16T16:54:46.91Z" + }, + { + "VulnerabilityID": "CVE-2019-10744", + "PkgID": "lodash@4.17.11", + "PkgName": "lodash", + "PkgPath": "juice-shop/node_modules/clarinet/benchmark/node_modules/lodash/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/lodash@4.17.11", + "UID": "22cbf4c65c5d1e98" + }, + "InstalledVersion": "4.17.11", + "FixedVersion": "4.17.12", + "Status": "fixed", + "Layer": { + "Digest": "sha256:d60b2707975852ac9893dd5f0b9ed98a222f5a8c5b80003dafe8cb2c419d7407", + "DiffID": "sha256:882c984cafed0fa20487f0b4f95474af7d46cff44d735d266633ebcea37e2bd1" + }, + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-10744", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Title": "nodejs-lodash: prototype pollution in defaultsDeep function leading to modifying properties", + "Description": "Versions of lodash lower than 4.17.12 are vulnerable to Prototype Pollution. 
The function defaultsDeep could be tricked into adding or modifying properties of Object.prototype using a constructor payload.", + "Severity": "CRITICAL", + "CweIDs": [ + "CWE-1321" + ], + "VendorSeverity": { + "ghsa": 4, + "nvd": 4, + "redhat": 3 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H", + "V3Score": 9.1 + }, + "nvd": { + "V2Vector": "AV:N/AC:L/Au:N/C:N/I:P/A:P", + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H", + "V2Score": 6.4, + "V3Score": 9.1 + }, + "redhat": { + "V3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H", + "V3Score": 9.1 + } + }, + "References": [ + "https://access.redhat.com/errata/RHSA-2019:3024", + "https://access.redhat.com/security/cve/CVE-2019-10744", + "https://github.com/lodash/lodash/pull/4336", + "https://nvd.nist.gov/vuln/detail/CVE-2019-10744", + "https://security.netapp.com/advisory/ntap-20191004-0005", + "https://security.netapp.com/advisory/ntap-20191004-0005/", + "https://snyk.io/vuln/SNYK-JS-LODASH-450202", + "https://support.f5.com/csp/article/K47105354?utm_source=f5support\u0026amp%3Butm_medium=RSS", + "https://support.f5.com/csp/article/K47105354?utm_source=f5support\u0026amp;utm_medium=RSS", + "https://www.cve.org/CVERecord?id=CVE-2019-10744", + "https://www.npmjs.com/advisories/1065", + "https://www.oracle.com/security-alerts/cpujan2021.html", + "https://www.oracle.com/security-alerts/cpuoct2020.html" + ], + "PublishedDate": "2019-07-26T00:15:11.217Z", + "LastModifiedDate": "2024-01-21T02:45:24.433Z" + }, + { + "VulnerabilityID": "CVE-2020-8203", + "PkgID": "lodash@4.17.11", + "PkgName": "lodash", + "PkgPath": "juice-shop/node_modules/clarinet/benchmark/node_modules/lodash/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/lodash@4.17.11", + "UID": "22cbf4c65c5d1e98" + }, + "InstalledVersion": "4.17.11", + "FixedVersion": "4.17.19", + "Status": "fixed", + "Layer": { + "Digest": "sha256:d60b2707975852ac9893dd5f0b9ed98a222f5a8c5b80003dafe8cb2c419d7407", + 
"DiffID": "sha256:882c984cafed0fa20487f0b4f95474af7d46cff44d735d266633ebcea37e2bd1" + }, + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2020-8203", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Title": "nodejs-lodash: prototype pollution in zipObjectDeep function", + "Description": "Prototype pollution attack when using _.zipObjectDeep in lodash before 4.17.20.", + "Severity": "HIGH", + "CweIDs": [ + "CWE-1321", + "CWE-770" + ], + "VendorSeverity": { + "ghsa": 3, + "nvd": 3, + "redhat": 2 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H", + "V3Score": 7.4 + }, + "nvd": { + "V2Vector": "AV:N/AC:M/Au:N/C:N/I:P/A:P", + "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H", + "V2Score": 5.8, + "V3Score": 7.4 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H", + "V3Score": 7.4 + } + }, + "References": [ + "https://access.redhat.com/security/cve/CVE-2020-8203", + "https://github.com/github/advisory-database/pull/2884", + "https://github.com/lodash/lodash", + "https://github.com/lodash/lodash/commit/c84fe82760fb2d3e03a63379b297a1cc1a2fce12", + "https://github.com/lodash/lodash/issues/4744", + "https://github.com/lodash/lodash/issues/4874", + "https://github.com/lodash/lodash/wiki/Changelog#v41719", + "https://hackerone.com/reports/712065", + "https://hackerone.com/reports/864701", + "https://nvd.nist.gov/vuln/detail/CVE-2020-8203", + "https://security.netapp.com/advisory/ntap-20200724-0006", + "https://security.netapp.com/advisory/ntap-20200724-0006/", + "https://web.archive.org/web/20210914001339/https://github.com/lodash/lodash/issues/4744", + "https://www.cve.org/CVERecord?id=CVE-2020-8203", + "https://www.npmjs.com/advisories/1523", + "https://www.oracle.com//security-alerts/cpujul2021.html", + "https://www.oracle.com/security-alerts/cpuApr2021.html", 
+ "https://www.oracle.com/security-alerts/cpuapr2022.html", + "https://www.oracle.com/security-alerts/cpujan2022.html", + "https://www.oracle.com/security-alerts/cpuoct2021.html" + ], + "PublishedDate": "2020-07-15T17:15:11.797Z", + "LastModifiedDate": "2024-01-21T02:37:13.193Z" + }, + { + "VulnerabilityID": "CVE-2021-23337", + "PkgID": "lodash@4.17.11", + "PkgName": "lodash", + "PkgPath": "juice-shop/node_modules/clarinet/benchmark/node_modules/lodash/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/lodash@4.17.11", + "UID": "22cbf4c65c5d1e98" + }, + "InstalledVersion": "4.17.11", + "FixedVersion": "4.17.21", + "Status": "fixed", + "Layer": { + "Digest": "sha256:d60b2707975852ac9893dd5f0b9ed98a222f5a8c5b80003dafe8cb2c419d7407", + "DiffID": "sha256:882c984cafed0fa20487f0b4f95474af7d46cff44d735d266633ebcea37e2bd1" + }, + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2021-23337", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Title": "nodejs-lodash: command injection via template", + "Description": "Lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function.", + "Severity": "HIGH", + "CweIDs": [ + "CWE-94" + ], + "VendorSeverity": { + "ghsa": 3, + "nvd": 3, + "redhat": 2, + "ubuntu": 2 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", + "V3Score": 7.2 + }, + "nvd": { + "V2Vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P", + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", + "V2Score": 6.5, + "V3Score": 7.2 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", + "V3Score": 7.2 + } + }, + "References": [ + "https://access.redhat.com/security/cve/CVE-2021-23337", + "https://cert-portal.siemens.com/productcert/pdf/ssa-637483.pdf", + "https://github.com/lodash/lodash", + 
"https://github.com/lodash/lodash/blob/ddfd9b11a0126db2302cb70ec9973b66baec0975/lodash.js#L14851", + "https://github.com/lodash/lodash/blob/ddfd9b11a0126db2302cb70ec9973b66baec0975/lodash.js%23L14851", + "https://github.com/lodash/lodash/commit/3469357cff396a26c363f8c1b5a91dde28ba4b1c", + "https://nvd.nist.gov/vuln/detail/CVE-2021-23337", + "https://security.netapp.com/advisory/ntap-20210312-0006", + "https://security.netapp.com/advisory/ntap-20210312-0006/", + "https://snyk.io/vuln/SNYK-JAVA-ORGFUJIONWEBJARS-1074932", + "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-1074930", + "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1074928", + "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBLODASH-1074931", + "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1074929", + "https://snyk.io/vuln/SNYK-JS-LODASH-1040724", + "https://www.cve.org/CVERecord?id=CVE-2021-23337", + "https://www.oracle.com//security-alerts/cpujul2021.html", + "https://www.oracle.com/security-alerts/cpujan2022.html", + "https://www.oracle.com/security-alerts/cpujul2022.html", + "https://www.oracle.com/security-alerts/cpuoct2021.html" + ], + "PublishedDate": "2021-02-15T13:15:12.56Z", + "LastModifiedDate": "2022-09-13T21:25:02.093Z" + }, + { + "VulnerabilityID": "CVE-2020-28500", + "PkgID": "lodash@4.17.11", + "PkgName": "lodash", + "PkgPath": "juice-shop/node_modules/clarinet/benchmark/node_modules/lodash/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/lodash@4.17.11", + "UID": "22cbf4c65c5d1e98" + }, + "InstalledVersion": "4.17.11", + "FixedVersion": "4.17.21", + "Status": "fixed", + "Layer": { + "Digest": "sha256:d60b2707975852ac9893dd5f0b9ed98a222f5a8c5b80003dafe8cb2c419d7407", + "DiffID": "sha256:882c984cafed0fa20487f0b4f95474af7d46cff44d735d266633ebcea37e2bd1" + }, + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2020-28500", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": 
"https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Title": "nodejs-lodash: ReDoS via the toNumber, trim and trimEnd functions", + "Description": "Lodash versions prior to 4.17.21 are vulnerable to Regular Expression Denial of Service (ReDoS) via the toNumber, trim and trimEnd functions.", + "Severity": "MEDIUM", + "VendorSeverity": { + "ghsa": 2, + "nvd": 2, + "redhat": 2, + "ubuntu": 2 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", + "V3Score": 5.3 + }, + "nvd": { + "V2Vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P", + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", + "V2Score": 5, + "V3Score": 5.3 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", + "V3Score": 5.3 + } + }, + "References": [ + "https://access.redhat.com/security/cve/CVE-2020-28500", + "https://cert-portal.siemens.com/productcert/pdf/ssa-637483.pdf", + "https://github.com/lodash/lodash", + "https://github.com/lodash/lodash/blob/npm/trimEnd.js#L8", + "https://github.com/lodash/lodash/blob/npm/trimEnd.js%23L8", + "https://github.com/lodash/lodash/commit/c4847ebe7d14540bb28a8b932a9ce1b9ecbfee1a", + "https://github.com/lodash/lodash/pull/5065", + "https://github.com/lodash/lodash/pull/5065/commits/02906b8191d3c100c193fe6f7b27d1c40f200bb7", + "https://nvd.nist.gov/vuln/detail/CVE-2020-28500", + "https://security.netapp.com/advisory/ntap-20210312-0006", + "https://security.netapp.com/advisory/ntap-20210312-0006/", + "https://snyk.io/vuln/SNYK-JAVA-ORGFUJIONWEBJARS-1074896", + "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-1074894", + "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1074892", + "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBLODASH-1074895", + "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1074893", + "https://snyk.io/vuln/SNYK-JS-LODASH-1018905", + "https://www.cve.org/CVERecord?id=CVE-2020-28500", + "https://www.oracle.com//security-alerts/cpujul2021.html", + 
"https://www.oracle.com/security-alerts/cpujan2022.html", + "https://www.oracle.com/security-alerts/cpujul2022.html", + "https://www.oracle.com/security-alerts/cpuoct2021.html" + ], + "PublishedDate": "2021-02-15T11:15:12.397Z", + "LastModifiedDate": "2022-09-13T21:18:50.543Z" + }, + { + "VulnerabilityID": "CVE-2020-8203", + "PkgID": "lodash.set@4.3.2", + "PkgName": "lodash.set", + "PkgPath": "juice-shop/node_modules/lodash.set/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/lodash.set@4.3.2", + "UID": "91ab835ab813b84b" + }, + "InstalledVersion": "4.3.2", + "Status": "affected", + "Layer": { + "Digest": "sha256:d60b2707975852ac9893dd5f0b9ed98a222f5a8c5b80003dafe8cb2c419d7407", + "DiffID": "sha256:882c984cafed0fa20487f0b4f95474af7d46cff44d735d266633ebcea37e2bd1" + }, + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2020-8203", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Title": "nodejs-lodash: prototype pollution in zipObjectDeep function", + "Description": "Prototype pollution attack when using _.zipObjectDeep in lodash before 4.17.20.", + "Severity": "HIGH", + "CweIDs": [ + "CWE-1321", + "CWE-770" + ], + "VendorSeverity": { + "ghsa": 3, + "nvd": 3, + "redhat": 2 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H", + "V3Score": 7.4 + }, + "nvd": { + "V2Vector": "AV:N/AC:M/Au:N/C:N/I:P/A:P", + "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H", + "V2Score": 5.8, + "V3Score": 7.4 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H", + "V3Score": 7.4 + } + }, + "References": [ + "https://access.redhat.com/security/cve/CVE-2020-8203", + "https://github.com/github/advisory-database/pull/2884", + "https://github.com/lodash/lodash", + "https://github.com/lodash/lodash/commit/c84fe82760fb2d3e03a63379b297a1cc1a2fce12", + 
"https://github.com/lodash/lodash/issues/4744", + "https://github.com/lodash/lodash/issues/4874", + "https://github.com/lodash/lodash/wiki/Changelog#v41719", + "https://hackerone.com/reports/712065", + "https://hackerone.com/reports/864701", + "https://nvd.nist.gov/vuln/detail/CVE-2020-8203", + "https://security.netapp.com/advisory/ntap-20200724-0006", + "https://security.netapp.com/advisory/ntap-20200724-0006/", + "https://web.archive.org/web/20210914001339/https://github.com/lodash/lodash/issues/4744", + "https://www.cve.org/CVERecord?id=CVE-2020-8203", + "https://www.npmjs.com/advisories/1523", + "https://www.oracle.com//security-alerts/cpujul2021.html", + "https://www.oracle.com/security-alerts/cpuApr2021.html", + "https://www.oracle.com/security-alerts/cpuapr2022.html", + "https://www.oracle.com/security-alerts/cpujan2022.html", + "https://www.oracle.com/security-alerts/cpuoct2021.html" + ], + "PublishedDate": "2020-07-15T17:15:11.797Z", + "LastModifiedDate": "2024-01-21T02:37:13.193Z" + }, + { + "VulnerabilityID": "GHSA-5mrr-rgp6-x4gr", + "PkgID": "marsdb@0.6.11", + "PkgName": "marsdb", + "PkgPath": "juice-shop/node_modules/marsdb/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/marsdb@0.6.11", + "UID": "54edd9a172aae6f9" + }, + "InstalledVersion": "0.6.11", + "Status": "affected", + "Layer": { + "Digest": "sha256:d60b2707975852ac9893dd5f0b9ed98a222f5a8c5b80003dafe8cb2c419d7407", + "DiffID": "sha256:882c984cafed0fa20487f0b4f95474af7d46cff44d735d266633ebcea37e2bd1" + }, + "SeveritySource": "ghsa", + "PrimaryURL": "https://github.com/advisories/GHSA-5mrr-rgp6-x4gr", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Title": "Command Injection in marsdb", + "Description": "All versions of `marsdb` are vulnerable to Command Injection. In the `DocumentMatcher` class, selectors on `$where` clauses are passed to a Function constructor unsanitized. 
This allows attackers to run arbitrary commands in the system when the function is executed.\n\n\n## Recommendation\n\nNo fix is currently available. Consider using an alternative package until a fix is made available.", + "Severity": "CRITICAL", + "VendorSeverity": { + "ghsa": 4 + }, + "References": [ + "https://github.com/bkimminich/juice-shop/issues/1173", + "https://www.npmjs.com/advisories/1122" + ] + }, + { + "VulnerabilityID": "CVE-2024-4067", + "PkgID": "micromatch@3.1.10", + "PkgName": "micromatch", + "PkgPath": "juice-shop/node_modules/micromatch/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/micromatch@3.1.10", + "UID": "dff9b87c3884f86c" + }, + "InstalledVersion": "3.1.10", + "FixedVersion": "4.0.8", + "Status": "fixed", + "Layer": { + "Digest": "sha256:d60b2707975852ac9893dd5f0b9ed98a222f5a8c5b80003dafe8cb2c419d7407", + "DiffID": "sha256:882c984cafed0fa20487f0b4f95474af7d46cff44d735d266633ebcea37e2bd1" + }, + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2024-4067", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Title": "micromatch: vulnerable to Regular Expression Denial of Service", + "Description": "The NPM package `micromatch` prior to 4.0.8 is vulnerable to Regular Expression Denial of Service (ReDoS). The vulnerability occurs in `micromatch.braces()` in `index.js` because the pattern `.*` will greedily match anything. By passing a malicious payload, the pattern matching will keep backtracking to the input while it doesn't find the closing bracket. As the input size increases, the consumption time will also increase until it causes the application to hang or slow down. There was a merged fix but further testing shows the issue persists. This issue should be mitigated by using a safe pattern that won't start backtracking the regular expression due to greedy matching. 
This issue was fixed in version 4.0.8.", + "Severity": "MEDIUM", + "CweIDs": [ + "CWE-1333" + ], + "VendorSeverity": { + "cbl-mariner": 3, + "ghsa": 2, + "redhat": 2 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", + "V3Score": 5.3 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 7.5 + } + }, + "References": [ + "https://access.redhat.com/security/cve/CVE-2024-4067", + "https://advisory.checkmarx.net/advisory/CVE-2024-4067", + "https://advisory.checkmarx.net/advisory/CVE-2024-4067/", + "https://devhub.checkmarx.com/cve-details/CVE-2024-4067", + "https://devhub.checkmarx.com/cve-details/CVE-2024-4067/", + "https://github.com/micromatch/micromatch", + "https://github.com/micromatch/micromatch/blob/2c56a8604b68c1099e7bc0f807ce0865a339747a/index.js#L448", + "https://github.com/micromatch/micromatch/commit/03aa8052171e878897eee5d7bb2ae0ae83ec2ade", + "https://github.com/micromatch/micromatch/commit/500d5d6f42f0e8dfa1cb5464c6cb420b1b6aaaa0", + "https://github.com/micromatch/micromatch/issues/243", + "https://github.com/micromatch/micromatch/pull/247", + "https://github.com/micromatch/micromatch/pull/266", + "https://github.com/micromatch/micromatch/releases/tag/4.0.8", + "https://nvd.nist.gov/vuln/detail/CVE-2024-4067", + "https://www.cve.org/CVERecord?id=CVE-2024-4067" + ], + "PublishedDate": "2024-05-14T15:42:47.947Z", + "LastModifiedDate": "2024-08-28T00:15:04.13Z" + }, + { + "VulnerabilityID": "CVE-2024-4067", + "PkgID": "micromatch@4.0.4", + "PkgName": "micromatch", + "PkgPath": "juice-shop/node_modules/liftup/node_modules/micromatch/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/micromatch@4.0.4", + "UID": "5c7ca79ac07cef17" + }, + "InstalledVersion": "4.0.4", + "FixedVersion": "4.0.8", + "Status": "fixed", + "Layer": { + "Digest": "sha256:d60b2707975852ac9893dd5f0b9ed98a222f5a8c5b80003dafe8cb2c419d7407", + "DiffID": 
"sha256:882c984cafed0fa20487f0b4f95474af7d46cff44d735d266633ebcea37e2bd1" + }, + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2024-4067", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Title": "micromatch: vulnerable to Regular Expression Denial of Service", + "Description": "The NPM package `micromatch` prior to 4.0.8 is vulnerable to Regular Expression Denial of Service (ReDoS). The vulnerability occurs in `micromatch.braces()` in `index.js` because the pattern `.*` will greedily match anything. By passing a malicious payload, the pattern matching will keep backtracking to the input while it doesn't find the closing bracket. As the input size increases, the consumption time will also increase until it causes the application to hang or slow down. There was a merged fix but further testing shows the issue persists. This issue should be mitigated by using a safe pattern that won't start backtracking the regular expression due to greedy matching. 
This issue was fixed in version 4.0.8.", + "Severity": "MEDIUM", + "CweIDs": [ + "CWE-1333" + ], + "VendorSeverity": { + "cbl-mariner": 3, + "ghsa": 2, + "redhat": 2 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", + "V3Score": 5.3 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 7.5 + } + }, + "References": [ + "https://access.redhat.com/security/cve/CVE-2024-4067", + "https://advisory.checkmarx.net/advisory/CVE-2024-4067", + "https://advisory.checkmarx.net/advisory/CVE-2024-4067/", + "https://devhub.checkmarx.com/cve-details/CVE-2024-4067", + "https://devhub.checkmarx.com/cve-details/CVE-2024-4067/", + "https://github.com/micromatch/micromatch", + "https://github.com/micromatch/micromatch/blob/2c56a8604b68c1099e7bc0f807ce0865a339747a/index.js#L448", + "https://github.com/micromatch/micromatch/commit/03aa8052171e878897eee5d7bb2ae0ae83ec2ade", + "https://github.com/micromatch/micromatch/commit/500d5d6f42f0e8dfa1cb5464c6cb420b1b6aaaa0", + "https://github.com/micromatch/micromatch/issues/243", + "https://github.com/micromatch/micromatch/pull/247", + "https://github.com/micromatch/micromatch/pull/266", + "https://github.com/micromatch/micromatch/releases/tag/4.0.8", + "https://nvd.nist.gov/vuln/detail/CVE-2024-4067", + "https://www.cve.org/CVERecord?id=CVE-2024-4067" + ], + "PublishedDate": "2024-05-14T15:42:47.947Z", + "LastModifiedDate": "2024-08-28T00:15:04.13Z" + }, + { + "VulnerabilityID": "CVE-2022-3517", + "PkgID": "minimatch@3.0.4", + "PkgName": "minimatch", + "PkgPath": "juice-shop/node_modules/minimatch/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/minimatch@3.0.4", + "UID": "354b39c8aaf5287c" + }, + "InstalledVersion": "3.0.4", + "FixedVersion": "3.0.5", + "Status": "fixed", + "Layer": { + "Digest": "sha256:d60b2707975852ac9893dd5f0b9ed98a222f5a8c5b80003dafe8cb2c419d7407", + "DiffID": "sha256:882c984cafed0fa20487f0b4f95474af7d46cff44d735d266633ebcea37e2bd1" + }, 
+ "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2022-3517", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Title": "nodejs-minimatch: ReDoS via the braceExpand function", + "Description": "A vulnerability was found in the minimatch package. This flaw allows a Regular Expression Denial of Service (ReDoS) when calling the braceExpand function with specific arguments, resulting in a Denial of Service.", + "Severity": "HIGH", + "CweIDs": [ + "CWE-1333", + "CWE-400" + ], + "VendorSeverity": { + "alma": 2, + "ghsa": 3, + "nvd": 3, + "oracle-oval": 3, + "redhat": 2, + "rocky": 2, + "ubuntu": 2 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 7.5 + }, + "nvd": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 7.5 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 7.5 + } + }, + "References": [ + "https://access.redhat.com/errata/RHSA-2023:0321", + "https://access.redhat.com/security/cve/CVE-2022-3517", + "https://bugzilla.redhat.com/2066009", + "https://bugzilla.redhat.com/2130518", + "https://bugzilla.redhat.com/2134609", + "https://bugzilla.redhat.com/2140911", + "https://bugzilla.redhat.com/show_bug.cgi?id=2066009", + "https://bugzilla.redhat.com/show_bug.cgi?id=2130518", + "https://bugzilla.redhat.com/show_bug.cgi?id=2134609", + "https://bugzilla.redhat.com/show_bug.cgi?id=2140911", + "https://bugzilla.redhat.com/show_bug.cgi?id=2142808", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44906", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3517", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-35256", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-43548", + "https://errata.almalinux.org/9/ALSA-2023-0321.html", + "https://errata.rockylinux.org/RLSA-2023:0321", 
+ "https://github.com/grafana/grafana-image-renderer/issues/329", + "https://github.com/isaacs/minimatch", + "https://github.com/isaacs/minimatch/commit/a8763f4388e51956be62dc6025cec1126beeb5e6", + "https://github.com/isaacs/minimatch/commit/a8763f4388e51956be62dc6025cec1126beeb5e6 (v3.0.5)", + "https://github.com/nodejs/node/issues/42510", + "https://linux.oracle.com/cve/CVE-2022-3517.html", + "https://linux.oracle.com/errata/ELSA-2023-1743.html", + "https://lists.debian.org/debian-lts-announce/2023/01/msg00011.html", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MTEUUTNIEBHGKUKKLNUZSV7IEP6IP3Q3/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UM6XJ73Q3NAM5KSGCOKJ2ZIA6GUWUJLK/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MTEUUTNIEBHGKUKKLNUZSV7IEP6IP3Q3", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UM6XJ73Q3NAM5KSGCOKJ2ZIA6GUWUJLK", + "https://nvd.nist.gov/vuln/detail/CVE-2022-3517", + "https://ubuntu.com/security/notices/USN-6086-1", + "https://www.cve.org/CVERecord?id=CVE-2022-3517" + ], + "PublishedDate": "2022-10-17T20:15:09.937Z", + "LastModifiedDate": "2023-11-07T03:51:21.323Z" + }, + { + "VulnerabilityID": "CVE-2022-3517", + "PkgID": "minimatch@3.0.4", + "PkgName": "minimatch", + "PkgPath": "usr/local/lib/node_modules/npm/node_modules/minimatch/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/minimatch@3.0.4", + "UID": "fb8fa8096a378141" + }, + "InstalledVersion": "3.0.4", + "FixedVersion": "3.0.5", + "Status": "fixed", + "Layer": { + "Digest": "sha256:d0fe2b74aff960282c3c01d80bbbb5b45a12e84f7e2ad3b65daac8f42351d5a6", + "DiffID": "sha256:f8700d3a252fffe60e30bc672e8a6560f30a3ce8816f2ad396020553fe4d9210" + }, + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2022-3517", + "DataSource": { + "ID": "ghsa", + "Name": 
"GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Title": "nodejs-minimatch: ReDoS via the braceExpand function", + "Description": "A vulnerability was found in the minimatch package. This flaw allows a Regular Expression Denial of Service (ReDoS) when calling the braceExpand function with specific arguments, resulting in a Denial of Service.", + "Severity": "HIGH", + "CweIDs": [ + "CWE-1333", + "CWE-400" + ], + "VendorSeverity": { + "alma": 2, + "ghsa": 3, + "nvd": 3, + "oracle-oval": 3, + "redhat": 2, + "rocky": 2, + "ubuntu": 2 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 7.5 + }, + "nvd": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 7.5 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 7.5 + } + }, + "References": [ + "https://access.redhat.com/errata/RHSA-2023:0321", + "https://access.redhat.com/security/cve/CVE-2022-3517", + "https://bugzilla.redhat.com/2066009", + "https://bugzilla.redhat.com/2130518", + "https://bugzilla.redhat.com/2134609", + "https://bugzilla.redhat.com/2140911", + "https://bugzilla.redhat.com/show_bug.cgi?id=2066009", + "https://bugzilla.redhat.com/show_bug.cgi?id=2130518", + "https://bugzilla.redhat.com/show_bug.cgi?id=2134609", + "https://bugzilla.redhat.com/show_bug.cgi?id=2140911", + "https://bugzilla.redhat.com/show_bug.cgi?id=2142808", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44906", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3517", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-35256", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-43548", + "https://errata.almalinux.org/9/ALSA-2023-0321.html", + "https://errata.rockylinux.org/RLSA-2023:0321", + "https://github.com/grafana/grafana-image-renderer/issues/329", + "https://github.com/isaacs/minimatch", + 
"https://github.com/isaacs/minimatch/commit/a8763f4388e51956be62dc6025cec1126beeb5e6", + "https://github.com/isaacs/minimatch/commit/a8763f4388e51956be62dc6025cec1126beeb5e6 (v3.0.5)", + "https://github.com/nodejs/node/issues/42510", + "https://linux.oracle.com/cve/CVE-2022-3517.html", + "https://linux.oracle.com/errata/ELSA-2023-1743.html", + "https://lists.debian.org/debian-lts-announce/2023/01/msg00011.html", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MTEUUTNIEBHGKUKKLNUZSV7IEP6IP3Q3/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UM6XJ73Q3NAM5KSGCOKJ2ZIA6GUWUJLK/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MTEUUTNIEBHGKUKKLNUZSV7IEP6IP3Q3", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UM6XJ73Q3NAM5KSGCOKJ2ZIA6GUWUJLK", + "https://nvd.nist.gov/vuln/detail/CVE-2022-3517", + "https://ubuntu.com/security/notices/USN-6086-1", + "https://www.cve.org/CVERecord?id=CVE-2022-3517" + ], + "PublishedDate": "2022-10-17T20:15:09.937Z", + "LastModifiedDate": "2023-11-07T03:51:21.323Z" + }, + { + "VulnerabilityID": "CVE-2021-44906", + "PkgID": "minimist@0.2.1", + "PkgName": "minimist", + "PkgPath": "juice-shop/node_modules/bower-config/node_modules/minimist/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/minimist@0.2.1", + "UID": "35e38df19c1a9e9f" + }, + "InstalledVersion": "0.2.1", + "FixedVersion": "1.2.6, 0.2.4", + "Status": "fixed", + "Layer": { + "Digest": "sha256:d60b2707975852ac9893dd5f0b9ed98a222f5a8c5b80003dafe8cb2c419d7407", + "DiffID": "sha256:882c984cafed0fa20487f0b4f95474af7d46cff44d735d266633ebcea37e2bd1" + }, + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2021-44906", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": 
"https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Title": "minimist: prototype pollution", + "Description": "Minimist \u003c=1.2.5 is vulnerable to Prototype Pollution via file index.js, function setKey() (lines 69-95).", + "Severity": "CRITICAL", + "CweIDs": [ + "CWE-1321" + ], + "VendorSeverity": { + "alma": 2, + "ghsa": 4, + "nvd": 4, + "oracle-oval": 2, + "redhat": 2, + "rocky": 2 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "V3Score": 9.8 + }, + "nvd": { + "V2Vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P", + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "V2Score": 7.5, + "V3Score": 9.8 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "V3Score": 9.8 + } + }, + "References": [ + "https://access.redhat.com/errata/RHSA-2023:0321", + "https://access.redhat.com/security/cve/CVE-2021-44906", + "https://bugzilla.redhat.com/2066009", + "https://bugzilla.redhat.com/2130518", + "https://bugzilla.redhat.com/2134609", + "https://bugzilla.redhat.com/2140911", + "https://bugzilla.redhat.com/show_bug.cgi?id=2066009", + "https://bugzilla.redhat.com/show_bug.cgi?id=2130518", + "https://bugzilla.redhat.com/show_bug.cgi?id=2134609", + "https://bugzilla.redhat.com/show_bug.cgi?id=2140911", + "https://bugzilla.redhat.com/show_bug.cgi?id=2142808", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44906", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3517", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-35256", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-43548", + "https://errata.almalinux.org/9/ALSA-2023-0321.html", + "https://errata.rockylinux.org/RLSA-2023:0321", + "https://github.com/Marynk/JavaScript-vulnerability-detection/blob/main/minimist%20PoC.zip", + "https://github.com/advisories/GHSA-xvch-5gv4-984h", + "https://github.com/minimistjs/minimist/commit/34e20b8461118608703d6485326abbb8e35e1703", + 
"https://github.com/minimistjs/minimist/commit/bc8ecee43875261f4f17eb20b1243d3ed15e70eb", + "https://github.com/minimistjs/minimist/commit/c2b981977fa834b223b408cfb860f933c9811e4d", + "https://github.com/minimistjs/minimist/commit/ef9153fc52b6cea0744b2239921c5dcae4697f11", + "https://github.com/minimistjs/minimist/commits/v0.2.4", + "https://github.com/minimistjs/minimist/issues/11", + "https://github.com/minimistjs/minimist/pull/24", + "https://github.com/substack/minimist", + "https://github.com/substack/minimist/blob/master/index.js#L69", + "https://github.com/substack/minimist/issues/164", + "https://linux.oracle.com/cve/CVE-2021-44906.html", + "https://linux.oracle.com/errata/ELSA-2023-0321.html", + "https://nvd.nist.gov/vuln/detail/CVE-2021-44906", + "https://security.netapp.com/advisory/ntap-20240621-0006", + "https://security.netapp.com/advisory/ntap-20240621-0006/", + "https://snyk.io/vuln/SNYK-JS-MINIMIST-559764", + "https://stackoverflow.com/questions/8588563/adding-custom-properties-to-a-function/20278068#20278068", + "https://www.cve.org/CVERecord?id=CVE-2021-44906" + ], + "PublishedDate": "2022-03-17T16:15:07.51Z", + "LastModifiedDate": "2024-06-21T19:15:20.917Z" + }, + { + "VulnerabilityID": "CVE-2021-44906", + "PkgID": "minimist@1.2.5", + "PkgName": "minimist", + "PkgPath": "juice-shop/node_modules/minimist/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/minimist@1.2.5", + "UID": "15a810922ec9b334" + }, + "InstalledVersion": "1.2.5", + "FixedVersion": "1.2.6, 0.2.4", + "Status": "fixed", + "Layer": { + "Digest": "sha256:d60b2707975852ac9893dd5f0b9ed98a222f5a8c5b80003dafe8cb2c419d7407", + "DiffID": "sha256:882c984cafed0fa20487f0b4f95474af7d46cff44d735d266633ebcea37e2bd1" + }, + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2021-44906", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Title": "minimist: 
prototype pollution", + "Description": "Minimist \u003c=1.2.5 is vulnerable to Prototype Pollution via file index.js, function setKey() (lines 69-95).", + "Severity": "CRITICAL", + "CweIDs": [ + "CWE-1321" + ], + "VendorSeverity": { + "alma": 2, + "ghsa": 4, + "nvd": 4, + "oracle-oval": 2, + "redhat": 2, + "rocky": 2 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "V3Score": 9.8 + }, + "nvd": { + "V2Vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P", + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "V2Score": 7.5, + "V3Score": 9.8 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "V3Score": 9.8 + } + }, + "References": [ + "https://access.redhat.com/errata/RHSA-2023:0321", + "https://access.redhat.com/security/cve/CVE-2021-44906", + "https://bugzilla.redhat.com/2066009", + "https://bugzilla.redhat.com/2130518", + "https://bugzilla.redhat.com/2134609", + "https://bugzilla.redhat.com/2140911", + "https://bugzilla.redhat.com/show_bug.cgi?id=2066009", + "https://bugzilla.redhat.com/show_bug.cgi?id=2130518", + "https://bugzilla.redhat.com/show_bug.cgi?id=2134609", + "https://bugzilla.redhat.com/show_bug.cgi?id=2140911", + "https://bugzilla.redhat.com/show_bug.cgi?id=2142808", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44906", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3517", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-35256", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-43548", + "https://errata.almalinux.org/9/ALSA-2023-0321.html", + "https://errata.rockylinux.org/RLSA-2023:0321", + "https://github.com/Marynk/JavaScript-vulnerability-detection/blob/main/minimist%20PoC.zip", + "https://github.com/advisories/GHSA-xvch-5gv4-984h", + "https://github.com/minimistjs/minimist/commit/34e20b8461118608703d6485326abbb8e35e1703", + "https://github.com/minimistjs/minimist/commit/bc8ecee43875261f4f17eb20b1243d3ed15e70eb", + 
"https://github.com/minimistjs/minimist/commit/c2b981977fa834b223b408cfb860f933c9811e4d", + "https://github.com/minimistjs/minimist/commit/ef9153fc52b6cea0744b2239921c5dcae4697f11", + "https://github.com/minimistjs/minimist/commits/v0.2.4", + "https://github.com/minimistjs/minimist/issues/11", + "https://github.com/minimistjs/minimist/pull/24", + "https://github.com/substack/minimist", + "https://github.com/substack/minimist/blob/master/index.js#L69", + "https://github.com/substack/minimist/issues/164", + "https://linux.oracle.com/cve/CVE-2021-44906.html", + "https://linux.oracle.com/errata/ELSA-2023-0321.html", + "https://nvd.nist.gov/vuln/detail/CVE-2021-44906", + "https://security.netapp.com/advisory/ntap-20240621-0006", + "https://security.netapp.com/advisory/ntap-20240621-0006/", + "https://snyk.io/vuln/SNYK-JS-MINIMIST-559764", + "https://stackoverflow.com/questions/8588563/adding-custom-properties-to-a-function/20278068#20278068", + "https://www.cve.org/CVERecord?id=CVE-2021-44906" + ], + "PublishedDate": "2022-03-17T16:15:07.51Z", + "LastModifiedDate": "2024-06-21T19:15:20.917Z" + }, + { + "VulnerabilityID": "CVE-2021-44906", + "PkgID": "minimist@1.2.5", + "PkgName": "minimist", + "PkgPath": "usr/local/lib/node_modules/npm/node_modules/minimist/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/minimist@1.2.5", + "UID": "79e1ba86bd09d378" + }, + "InstalledVersion": "1.2.5", + "FixedVersion": "1.2.6, 0.2.4", + "Status": "fixed", + "Layer": { + "Digest": "sha256:d0fe2b74aff960282c3c01d80bbbb5b45a12e84f7e2ad3b65daac8f42351d5a6", + "DiffID": "sha256:f8700d3a252fffe60e30bc672e8a6560f30a3ce8816f2ad396020553fe4d9210" + }, + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2021-44906", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Title": "minimist: prototype pollution", + "Description": "Minimist \u003c=1.2.5 is 
vulnerable to Prototype Pollution via file index.js, function setKey() (lines 69-95).", + "Severity": "CRITICAL", + "CweIDs": [ + "CWE-1321" + ], + "VendorSeverity": { + "alma": 2, + "ghsa": 4, + "nvd": 4, + "oracle-oval": 2, + "redhat": 2, + "rocky": 2 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "V3Score": 9.8 + }, + "nvd": { + "V2Vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P", + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "V2Score": 7.5, + "V3Score": 9.8 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "V3Score": 9.8 + } + }, + "References": [ + "https://access.redhat.com/errata/RHSA-2023:0321", + "https://access.redhat.com/security/cve/CVE-2021-44906", + "https://bugzilla.redhat.com/2066009", + "https://bugzilla.redhat.com/2130518", + "https://bugzilla.redhat.com/2134609", + "https://bugzilla.redhat.com/2140911", + "https://bugzilla.redhat.com/show_bug.cgi?id=2066009", + "https://bugzilla.redhat.com/show_bug.cgi?id=2130518", + "https://bugzilla.redhat.com/show_bug.cgi?id=2134609", + "https://bugzilla.redhat.com/show_bug.cgi?id=2140911", + "https://bugzilla.redhat.com/show_bug.cgi?id=2142808", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44906", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3517", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-35256", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-43548", + "https://errata.almalinux.org/9/ALSA-2023-0321.html", + "https://errata.rockylinux.org/RLSA-2023:0321", + "https://github.com/Marynk/JavaScript-vulnerability-detection/blob/main/minimist%20PoC.zip", + "https://github.com/advisories/GHSA-xvch-5gv4-984h", + "https://github.com/minimistjs/minimist/commit/34e20b8461118608703d6485326abbb8e35e1703", + "https://github.com/minimistjs/minimist/commit/bc8ecee43875261f4f17eb20b1243d3ed15e70eb", + 
"https://github.com/minimistjs/minimist/commit/c2b981977fa834b223b408cfb860f933c9811e4d", + "https://github.com/minimistjs/minimist/commit/ef9153fc52b6cea0744b2239921c5dcae4697f11", + "https://github.com/minimistjs/minimist/commits/v0.2.4", + "https://github.com/minimistjs/minimist/issues/11", + "https://github.com/minimistjs/minimist/pull/24", + "https://github.com/substack/minimist", + "https://github.com/substack/minimist/blob/master/index.js#L69", + "https://github.com/substack/minimist/issues/164", + "https://linux.oracle.com/cve/CVE-2021-44906.html", + "https://linux.oracle.com/errata/ELSA-2023-0321.html", + "https://nvd.nist.gov/vuln/detail/CVE-2021-44906", + "https://security.netapp.com/advisory/ntap-20240621-0006", + "https://security.netapp.com/advisory/ntap-20240621-0006/", + "https://snyk.io/vuln/SNYK-JS-MINIMIST-559764", + "https://stackoverflow.com/questions/8588563/adding-custom-properties-to-a-function/20278068#20278068", + "https://www.cve.org/CVERecord?id=CVE-2021-44906" + ], + "PublishedDate": "2022-03-17T16:15:07.51Z", + "LastModifiedDate": "2024-06-21T19:15:20.917Z" + }, + { + "VulnerabilityID": "CVE-2021-44906", + "PkgID": "minimist@1.2.5", + "PkgName": "minimist", + "PkgPath": "usr/local/lib/node_modules/npm/node_modules/mkdirp/node_modules/minimist/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/minimist@1.2.5", + "UID": "7ae7eb3ea86cd85e" + }, + "InstalledVersion": "1.2.5", + "FixedVersion": "1.2.6, 0.2.4", + "Status": "fixed", + "Layer": { + "Digest": "sha256:d0fe2b74aff960282c3c01d80bbbb5b45a12e84f7e2ad3b65daac8f42351d5a6", + "DiffID": "sha256:f8700d3a252fffe60e30bc672e8a6560f30a3ce8816f2ad396020553fe4d9210" + }, + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2021-44906", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Title": "minimist: prototype pollution", + "Description": "Minimist 
\u003c=1.2.5 is vulnerable to Prototype Pollution via file index.js, function setKey() (lines 69-95).", + "Severity": "CRITICAL", + "CweIDs": [ + "CWE-1321" + ], + "VendorSeverity": { + "alma": 2, + "ghsa": 4, + "nvd": 4, + "oracle-oval": 2, + "redhat": 2, + "rocky": 2 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "V3Score": 9.8 + }, + "nvd": { + "V2Vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P", + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "V2Score": 7.5, + "V3Score": 9.8 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "V3Score": 9.8 + } + }, + "References": [ + "https://access.redhat.com/errata/RHSA-2023:0321", + "https://access.redhat.com/security/cve/CVE-2021-44906", + "https://bugzilla.redhat.com/2066009", + "https://bugzilla.redhat.com/2130518", + "https://bugzilla.redhat.com/2134609", + "https://bugzilla.redhat.com/2140911", + "https://bugzilla.redhat.com/show_bug.cgi?id=2066009", + "https://bugzilla.redhat.com/show_bug.cgi?id=2130518", + "https://bugzilla.redhat.com/show_bug.cgi?id=2134609", + "https://bugzilla.redhat.com/show_bug.cgi?id=2140911", + "https://bugzilla.redhat.com/show_bug.cgi?id=2142808", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44906", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3517", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-35256", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-43548", + "https://errata.almalinux.org/9/ALSA-2023-0321.html", + "https://errata.rockylinux.org/RLSA-2023:0321", + "https://github.com/Marynk/JavaScript-vulnerability-detection/blob/main/minimist%20PoC.zip", + "https://github.com/advisories/GHSA-xvch-5gv4-984h", + "https://github.com/minimistjs/minimist/commit/34e20b8461118608703d6485326abbb8e35e1703", + "https://github.com/minimistjs/minimist/commit/bc8ecee43875261f4f17eb20b1243d3ed15e70eb", + 
"https://github.com/minimistjs/minimist/commit/c2b981977fa834b223b408cfb860f933c9811e4d", + "https://github.com/minimistjs/minimist/commit/ef9153fc52b6cea0744b2239921c5dcae4697f11", + "https://github.com/minimistjs/minimist/commits/v0.2.4", + "https://github.com/minimistjs/minimist/issues/11", + "https://github.com/minimistjs/minimist/pull/24", + "https://github.com/substack/minimist", + "https://github.com/substack/minimist/blob/master/index.js#L69", + "https://github.com/substack/minimist/issues/164", + "https://linux.oracle.com/cve/CVE-2021-44906.html", + "https://linux.oracle.com/errata/ELSA-2023-0321.html", + "https://nvd.nist.gov/vuln/detail/CVE-2021-44906", + "https://security.netapp.com/advisory/ntap-20240621-0006", + "https://security.netapp.com/advisory/ntap-20240621-0006/", + "https://snyk.io/vuln/SNYK-JS-MINIMIST-559764", + "https://stackoverflow.com/questions/8588563/adding-custom-properties-to-a-function/20278068#20278068", + "https://www.cve.org/CVERecord?id=CVE-2021-44906" + ], + "PublishedDate": "2022-03-17T16:15:07.51Z", + "LastModifiedDate": "2024-06-21T19:15:20.917Z" + }, + { + "VulnerabilityID": "CVE-2017-18214", + "PkgID": "moment@2.0.0", + "PkgName": "moment", + "PkgPath": "juice-shop/node_modules/moment/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/moment@2.0.0", + "UID": "379ec1daf3fac294" + }, + "InstalledVersion": "2.0.0", + "FixedVersion": "2.19.3", + "Status": "fixed", + "Layer": { + "Digest": "sha256:d60b2707975852ac9893dd5f0b9ed98a222f5a8c5b80003dafe8cb2c419d7407", + "DiffID": "sha256:882c984cafed0fa20487f0b4f95474af7d46cff44d735d266633ebcea37e2bd1" + }, + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2017-18214", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Title": "nodejs-moment: Regular expression denial of service", + "Description": "The moment module before 2.19.3 for Node.js 
is prone to a regular expression denial of service via a crafted date string, a different vulnerability than CVE-2016-4055.", + "Severity": "HIGH", + "CweIDs": [ + "CWE-400" + ], + "VendorSeverity": { + "azure": 3, + "cbl-mariner": 3, + "ghsa": 3, + "nvd": 3, + "redhat": 2 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 7.5 + }, + "nvd": { + "V2Vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P", + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V2Score": 5, + "V3Score": 7.5 + }, + "redhat": { + "V3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", + "V3Score": 5.3 + } + }, + "References": [ + "https://access.redhat.com/security/cve/CVE-2017-18214", + "https://github.com/advisories/GHSA-446m-mv8f-q348", + "https://github.com/moment/moment", + "https://github.com/moment/moment/commit/69ed9d44957fa6ab12b73d2ae29d286a857b80eb", + "https://github.com/moment/moment/issues/4163", + "https://github.com/moment/moment/pull/4326", + "https://nodesecurity.io/advisories/532", + "https://nvd.nist.gov/vuln/detail/CVE-2017-18214", + "https://www.cve.org/CVERecord?id=CVE-2017-18214", + "https://www.npmjs.com/advisories/532", + "https://www.tenable.com/security/tns-2019-02" + ], + "PublishedDate": "2018-03-04T21:29:00.23Z", + "LastModifiedDate": "2022-02-14T18:03:21.767Z" + }, + { + "VulnerabilityID": "CVE-2022-24785", + "PkgID": "moment@2.0.0", + "PkgName": "moment", + "PkgPath": "juice-shop/node_modules/moment/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/moment@2.0.0", + "UID": "379ec1daf3fac294" + }, + "InstalledVersion": "2.0.0", + "FixedVersion": "2.29.2", + "Status": "fixed", + "Layer": { + "Digest": "sha256:d60b2707975852ac9893dd5f0b9ed98a222f5a8c5b80003dafe8cb2c419d7407", + "DiffID": "sha256:882c984cafed0fa20487f0b4f95474af7d46cff44d735d266633ebcea37e2bd1" + }, + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2022-24785", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub 
Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Title": "Moment.js: Path traversal in moment.locale", + "Description": "Moment.js is a JavaScript date library for parsing, validating, manipulating, and formatting dates. A path traversal vulnerability impacts npm (server) users of Moment.js between versions 1.0.1 and 2.29.1, especially if a user-provided locale string is directly used to switch moment locale. This problem is patched in 2.29.2, and the patch can be applied to all affected versions. As a workaround, sanitize the user-provided locale name before passing it to Moment.js.", + "Severity": "HIGH", + "CweIDs": [ + "CWE-22", + "CWE-27" + ], + "VendorSeverity": { + "ghsa": 3, + "nvd": 3, + "redhat": 2, + "ubuntu": 2 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", + "V3Score": 7.5 + }, + "nvd": { + "V2Vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N", + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", + "V2Score": 5, + "V3Score": 7.5 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", + "V3Score": 7.5 + } + }, + "References": [ + "https://access.redhat.com/security/cve/CVE-2022-24785", + "https://github.com/moment/moment", + "https://github.com/moment/moment/commit/4211bfc8f15746be4019bba557e29a7ba83d54c5", + "https://github.com/moment/moment/security/advisories/GHSA-8hfj-j24r-96c4", + "https://lists.debian.org/debian-lts-announce/2023/01/msg00035.html", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6QIO6YNLTK2T7SPKDS4JEL45FANLNC2Q/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ORJX2LF6KMPIHP6B2P6KZIVKMLE3LVJ5/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6QIO6YNLTK2T7SPKDS4JEL45FANLNC2Q", + 
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ORJX2LF6KMPIHP6B2P6KZIVKMLE3LVJ5", + "https://nvd.nist.gov/vuln/detail/CVE-2022-24785", + "https://security.netapp.com/advisory/ntap-20220513-0006", + "https://security.netapp.com/advisory/ntap-20220513-0006/", + "https://ubuntu.com/security/notices/USN-5559-1", + "https://www.cve.org/CVERecord?id=CVE-2022-24785", + "https://www.tenable.com/security/tns-2022-09" + ], + "PublishedDate": "2022-04-04T17:15:07.583Z", + "LastModifiedDate": "2023-11-07T03:44:37.003Z" + }, + { + "VulnerabilityID": "CVE-2016-4055", + "PkgID": "moment@2.0.0", + "PkgName": "moment", + "PkgPath": "juice-shop/node_modules/moment/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/moment@2.0.0", + "UID": "379ec1daf3fac294" + }, + "InstalledVersion": "2.0.0", + "FixedVersion": "\u003e=2.11.2", + "Status": "fixed", + "Layer": { + "Digest": "sha256:d60b2707975852ac9893dd5f0b9ed98a222f5a8c5b80003dafe8cb2c419d7407", + "DiffID": "sha256:882c984cafed0fa20487f0b4f95474af7d46cff44d735d266633ebcea37e2bd1" + }, + "SeveritySource": "nodejs-security-wg", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2016-4055", + "DataSource": { + "ID": "nodejs-security-wg", + "Name": "Node.js Ecosystem Security Working Group", + "URL": "https://github.com/nodejs/security-wg" + }, + "Title": "moment.js: regular expression denial of service", + "Description": "The duration function in the moment package before 2.11.2 for Node.js allows remote attackers to cause a denial of service (CPU consumption) via a long string, aka a \"regular expression Denial of Service (ReDoS).\"", + "Severity": "MEDIUM", + "CweIDs": [ + "CWE-400" + ], + "VendorSeverity": { + "ghsa": 2, + "nodejs-security-wg": 2, + "nvd": 2, + "redhat": 2 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 6.5 + }, + "nvd": { + "V2Vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C", + "V3Vector": 
"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "V2Score": 7.8, + "V3Score": 6.5 + }, + "redhat": { + "V2Vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P", + "V2Score": 4.3 + } + }, + "References": [ + "http://www.openwall.com/lists/oss-security/2016/04/20/11", + "http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html", + "http://www.securityfocus.com/bid/95849", + "https://access.redhat.com/security/cve/CVE-2016-4055", + "https://github.com/advisories/GHSA-87vv-r9j6-g5qv", + "https://github.com/moment/moment", + "https://lists.apache.org/thread.html/10f0f3aefd51444d1198c65f44ffdf2d78ca3359423dbc1c168c9731%40%3Cdev.flink.apache.org%3E", + "https://lists.apache.org/thread.html/10f0f3aefd51444d1198c65f44ffdf2d78ca3359423dbc1c168c9731@%3Cdev.flink.apache.org%3E", + "https://lists.apache.org/thread.html/17ff53f7999e74fbe3cc0ceb4e1c3b00b180b7c5afec8e978837bc49%40%3Cuser.flink.apache.org%3E", + "https://lists.apache.org/thread.html/17ff53f7999e74fbe3cc0ceb4e1c3b00b180b7c5afec8e978837bc49@%3Cuser.flink.apache.org%3E", + "https://lists.apache.org/thread.html/52bafac05ad174000ea465fe275fd3cc7bd5c25535a7631c0bc9bfb2%40%3Cuser.flink.apache.org%3E", + "https://lists.apache.org/thread.html/52bafac05ad174000ea465fe275fd3cc7bd5c25535a7631c0bc9bfb2@%3Cuser.flink.apache.org%3E", + "https://lists.apache.org/thread.html/54df3aeb4239b64b50b356f0ca6f986e3c4ca5b84c515dce077c7854%40%3Cuser.flink.apache.org%3E", + "https://lists.apache.org/thread.html/54df3aeb4239b64b50b356f0ca6f986e3c4ca5b84c515dce077c7854@%3Cuser.flink.apache.org%3E", + "https://nodesecurity.io/advisories/55", + "https://nvd.nist.gov/vuln/detail/CVE-2016-4055", + "https://www.cve.org/CVERecord?id=CVE-2016-4055", + "https://www.npmjs.com/advisories/55", + "https://www.owasp.org/index.php/Regular_expression_Denial_of_Service_-_ReDoS", + "https://www.tenable.com/security/tns-2019-02" + ], + "PublishedDate": "2017-01-23T21:59:01.33Z", + "LastModifiedDate": "2023-11-07T02:32:33.253Z" + }, + { + "VulnerabilityID": 
"CVE-2022-24785", + "PkgID": "moment@2.29.1", + "PkgName": "moment", + "PkgPath": "juice-shop/node_modules/file-stream-rotator/node_modules/moment/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/moment@2.29.1", + "UID": "e07c3b13a095f6a3" + }, + "InstalledVersion": "2.29.1", + "FixedVersion": "2.29.2", + "Status": "fixed", + "Layer": { + "Digest": "sha256:d60b2707975852ac9893dd5f0b9ed98a222f5a8c5b80003dafe8cb2c419d7407", + "DiffID": "sha256:882c984cafed0fa20487f0b4f95474af7d46cff44d735d266633ebcea37e2bd1" + }, + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2022-24785", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Title": "Moment.js: Path traversal in moment.locale", + "Description": "Moment.js is a JavaScript date library for parsing, validating, manipulating, and formatting dates. A path traversal vulnerability impacts npm (server) users of Moment.js between versions 1.0.1 and 2.29.1, especially if a user-provided locale string is directly used to switch moment locale. This problem is patched in 2.29.2, and the patch can be applied to all affected versions. 
As a workaround, sanitize the user-provided locale name before passing it to Moment.js.", + "Severity": "HIGH", + "CweIDs": [ + "CWE-22", + "CWE-27" + ], + "VendorSeverity": { + "ghsa": 3, + "nvd": 3, + "redhat": 2, + "ubuntu": 2 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", + "V3Score": 7.5 + }, + "nvd": { + "V2Vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N", + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", + "V2Score": 5, + "V3Score": 7.5 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", + "V3Score": 7.5 + } + }, + "References": [ + "https://access.redhat.com/security/cve/CVE-2022-24785", + "https://github.com/moment/moment", + "https://github.com/moment/moment/commit/4211bfc8f15746be4019bba557e29a7ba83d54c5", + "https://github.com/moment/moment/security/advisories/GHSA-8hfj-j24r-96c4", + "https://lists.debian.org/debian-lts-announce/2023/01/msg00035.html", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6QIO6YNLTK2T7SPKDS4JEL45FANLNC2Q/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ORJX2LF6KMPIHP6B2P6KZIVKMLE3LVJ5/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6QIO6YNLTK2T7SPKDS4JEL45FANLNC2Q", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ORJX2LF6KMPIHP6B2P6KZIVKMLE3LVJ5", + "https://nvd.nist.gov/vuln/detail/CVE-2022-24785", + "https://security.netapp.com/advisory/ntap-20220513-0006", + "https://security.netapp.com/advisory/ntap-20220513-0006/", + "https://ubuntu.com/security/notices/USN-5559-1", + "https://www.cve.org/CVERecord?id=CVE-2022-24785", + "https://www.tenable.com/security/tns-2022-09" + ], + "PublishedDate": "2022-04-04T17:15:07.583Z", + "LastModifiedDate": "2023-11-07T03:44:37.003Z" + }, + { + "VulnerabilityID": "CVE-2022-24785", + "PkgID": "moment@2.29.1", + 
"PkgName": "moment", + "PkgPath": "juice-shop/node_modules/filehound/node_modules/moment/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/moment@2.29.1", + "UID": "2a828da32817cc71" + }, + "InstalledVersion": "2.29.1", + "FixedVersion": "2.29.2", + "Status": "fixed", + "Layer": { + "Digest": "sha256:d60b2707975852ac9893dd5f0b9ed98a222f5a8c5b80003dafe8cb2c419d7407", + "DiffID": "sha256:882c984cafed0fa20487f0b4f95474af7d46cff44d735d266633ebcea37e2bd1" + }, + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2022-24785", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Title": "Moment.js: Path traversal in moment.locale", + "Description": "Moment.js is a JavaScript date library for parsing, validating, manipulating, and formatting dates. A path traversal vulnerability impacts npm (server) users of Moment.js between versions 1.0.1 and 2.29.1, especially if a user-provided locale string is directly used to switch moment locale. This problem is patched in 2.29.2, and the patch can be applied to all affected versions. 
As a workaround, sanitize the user-provided locale name before passing it to Moment.js.", + "Severity": "HIGH", + "CweIDs": [ + "CWE-22", + "CWE-27" + ], + "VendorSeverity": { + "ghsa": 3, + "nvd": 3, + "redhat": 2, + "ubuntu": 2 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", + "V3Score": 7.5 + }, + "nvd": { + "V2Vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N", + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", + "V2Score": 5, + "V3Score": 7.5 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", + "V3Score": 7.5 + } + }, + "References": [ + "https://access.redhat.com/security/cve/CVE-2022-24785", + "https://github.com/moment/moment", + "https://github.com/moment/moment/commit/4211bfc8f15746be4019bba557e29a7ba83d54c5", + "https://github.com/moment/moment/security/advisories/GHSA-8hfj-j24r-96c4", + "https://lists.debian.org/debian-lts-announce/2023/01/msg00035.html", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6QIO6YNLTK2T7SPKDS4JEL45FANLNC2Q/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ORJX2LF6KMPIHP6B2P6KZIVKMLE3LVJ5/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6QIO6YNLTK2T7SPKDS4JEL45FANLNC2Q", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ORJX2LF6KMPIHP6B2P6KZIVKMLE3LVJ5", + "https://nvd.nist.gov/vuln/detail/CVE-2022-24785", + "https://security.netapp.com/advisory/ntap-20220513-0006", + "https://security.netapp.com/advisory/ntap-20220513-0006/", + "https://ubuntu.com/security/notices/USN-5559-1", + "https://www.cve.org/CVERecord?id=CVE-2022-24785", + "https://www.tenable.com/security/tns-2022-09" + ], + "PublishedDate": "2022-04-04T17:15:07.583Z", + "LastModifiedDate": "2023-11-07T03:44:37.003Z" + }, + { + "VulnerabilityID": "CVE-2022-24785", + "PkgID": "moment@2.29.1", + 
"PkgName": "moment", + "PkgPath": "juice-shop/node_modules/finale-rest/node_modules/moment/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/moment@2.29.1", + "UID": "abb8ea7eda98ce73" + }, + "InstalledVersion": "2.29.1", + "FixedVersion": "2.29.2", + "Status": "fixed", + "Layer": { + "Digest": "sha256:d60b2707975852ac9893dd5f0b9ed98a222f5a8c5b80003dafe8cb2c419d7407", + "DiffID": "sha256:882c984cafed0fa20487f0b4f95474af7d46cff44d735d266633ebcea37e2bd1" + }, + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2022-24785", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Title": "Moment.js: Path traversal in moment.locale", + "Description": "Moment.js is a JavaScript date library for parsing, validating, manipulating, and formatting dates. A path traversal vulnerability impacts npm (server) users of Moment.js between versions 1.0.1 and 2.29.1, especially if a user-provided locale string is directly used to switch moment locale. This problem is patched in 2.29.2, and the patch can be applied to all affected versions. 
As a workaround, sanitize the user-provided locale name before passing it to Moment.js.", + "Severity": "HIGH", + "CweIDs": [ + "CWE-22", + "CWE-27" + ], + "VendorSeverity": { + "ghsa": 3, + "nvd": 3, + "redhat": 2, + "ubuntu": 2 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", + "V3Score": 7.5 + }, + "nvd": { + "V2Vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N", + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", + "V2Score": 5, + "V3Score": 7.5 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", + "V3Score": 7.5 + } + }, + "References": [ + "https://access.redhat.com/security/cve/CVE-2022-24785", + "https://github.com/moment/moment", + "https://github.com/moment/moment/commit/4211bfc8f15746be4019bba557e29a7ba83d54c5", + "https://github.com/moment/moment/security/advisories/GHSA-8hfj-j24r-96c4", + "https://lists.debian.org/debian-lts-announce/2023/01/msg00035.html", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6QIO6YNLTK2T7SPKDS4JEL45FANLNC2Q/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ORJX2LF6KMPIHP6B2P6KZIVKMLE3LVJ5/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6QIO6YNLTK2T7SPKDS4JEL45FANLNC2Q", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ORJX2LF6KMPIHP6B2P6KZIVKMLE3LVJ5", + "https://nvd.nist.gov/vuln/detail/CVE-2022-24785", + "https://security.netapp.com/advisory/ntap-20220513-0006", + "https://security.netapp.com/advisory/ntap-20220513-0006/", + "https://ubuntu.com/security/notices/USN-5559-1", + "https://www.cve.org/CVERecord?id=CVE-2022-24785", + "https://www.tenable.com/security/tns-2022-09" + ], + "PublishedDate": "2022-04-04T17:15:07.583Z", + "LastModifiedDate": "2023-11-07T03:44:37.003Z" + }, + { + "VulnerabilityID": "CVE-2022-24785", + "PkgID": "moment@2.29.1", + 
"PkgName": "moment", + "PkgPath": "juice-shop/node_modules/moment-timezone/node_modules/moment/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/moment@2.29.1", + "UID": "b78f2f8a06d1e874" + }, + "InstalledVersion": "2.29.1", + "FixedVersion": "2.29.2", + "Status": "fixed", + "Layer": { + "Digest": "sha256:d60b2707975852ac9893dd5f0b9ed98a222f5a8c5b80003dafe8cb2c419d7407", + "DiffID": "sha256:882c984cafed0fa20487f0b4f95474af7d46cff44d735d266633ebcea37e2bd1" + }, + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2022-24785", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Title": "Moment.js: Path traversal in moment.locale", + "Description": "Moment.js is a JavaScript date library for parsing, validating, manipulating, and formatting dates. A path traversal vulnerability impacts npm (server) users of Moment.js between versions 1.0.1 and 2.29.1, especially if a user-provided locale string is directly used to switch moment locale. This problem is patched in 2.29.2, and the patch can be applied to all affected versions. 
As a workaround, sanitize the user-provided locale name before passing it to Moment.js.", + "Severity": "HIGH", + "CweIDs": [ + "CWE-22", + "CWE-27" + ], + "VendorSeverity": { + "ghsa": 3, + "nvd": 3, + "redhat": 2, + "ubuntu": 2 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", + "V3Score": 7.5 + }, + "nvd": { + "V2Vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N", + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", + "V2Score": 5, + "V3Score": 7.5 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", + "V3Score": 7.5 + } + }, + "References": [ + "https://access.redhat.com/security/cve/CVE-2022-24785", + "https://github.com/moment/moment", + "https://github.com/moment/moment/commit/4211bfc8f15746be4019bba557e29a7ba83d54c5", + "https://github.com/moment/moment/security/advisories/GHSA-8hfj-j24r-96c4", + "https://lists.debian.org/debian-lts-announce/2023/01/msg00035.html", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6QIO6YNLTK2T7SPKDS4JEL45FANLNC2Q/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ORJX2LF6KMPIHP6B2P6KZIVKMLE3LVJ5/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6QIO6YNLTK2T7SPKDS4JEL45FANLNC2Q", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ORJX2LF6KMPIHP6B2P6KZIVKMLE3LVJ5", + "https://nvd.nist.gov/vuln/detail/CVE-2022-24785", + "https://security.netapp.com/advisory/ntap-20220513-0006", + "https://security.netapp.com/advisory/ntap-20220513-0006/", + "https://ubuntu.com/security/notices/USN-5559-1", + "https://www.cve.org/CVERecord?id=CVE-2022-24785", + "https://www.tenable.com/security/tns-2022-09" + ], + "PublishedDate": "2022-04-04T17:15:07.583Z", + "LastModifiedDate": "2023-11-07T03:44:37.003Z" + }, + { + "VulnerabilityID": "CVE-2022-24785", + "PkgID": "moment@2.29.1", + 
"PkgName": "moment", + "PkgPath": "juice-shop/node_modules/sequelize/node_modules/moment/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/moment@2.29.1", + "UID": "90231bea3beef271" + }, + "InstalledVersion": "2.29.1", + "FixedVersion": "2.29.2", + "Status": "fixed", + "Layer": { + "Digest": "sha256:d60b2707975852ac9893dd5f0b9ed98a222f5a8c5b80003dafe8cb2c419d7407", + "DiffID": "sha256:882c984cafed0fa20487f0b4f95474af7d46cff44d735d266633ebcea37e2bd1" + }, + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2022-24785", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Title": "Moment.js: Path traversal in moment.locale", + "Description": "Moment.js is a JavaScript date library for parsing, validating, manipulating, and formatting dates. A path traversal vulnerability impacts npm (server) users of Moment.js between versions 1.0.1 and 2.29.1, especially if a user-provided locale string is directly used to switch moment locale. This problem is patched in 2.29.2, and the patch can be applied to all affected versions. 
As a workaround, sanitize the user-provided locale name before passing it to Moment.js.", + "Severity": "HIGH", + "CweIDs": [ + "CWE-22", + "CWE-27" + ], + "VendorSeverity": { + "ghsa": 3, + "nvd": 3, + "redhat": 2, + "ubuntu": 2 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", + "V3Score": 7.5 + }, + "nvd": { + "V2Vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N", + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", + "V2Score": 5, + "V3Score": 7.5 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", + "V3Score": 7.5 + } + }, + "References": [ + "https://access.redhat.com/security/cve/CVE-2022-24785", + "https://github.com/moment/moment", + "https://github.com/moment/moment/commit/4211bfc8f15746be4019bba557e29a7ba83d54c5", + "https://github.com/moment/moment/security/advisories/GHSA-8hfj-j24r-96c4", + "https://lists.debian.org/debian-lts-announce/2023/01/msg00035.html", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6QIO6YNLTK2T7SPKDS4JEL45FANLNC2Q/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ORJX2LF6KMPIHP6B2P6KZIVKMLE3LVJ5/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6QIO6YNLTK2T7SPKDS4JEL45FANLNC2Q", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ORJX2LF6KMPIHP6B2P6KZIVKMLE3LVJ5", + "https://nvd.nist.gov/vuln/detail/CVE-2022-24785", + "https://security.netapp.com/advisory/ntap-20220513-0006", + "https://security.netapp.com/advisory/ntap-20220513-0006/", + "https://ubuntu.com/security/notices/USN-5559-1", + "https://www.cve.org/CVERecord?id=CVE-2022-24785", + "https://www.tenable.com/security/tns-2022-09" + ], + "PublishedDate": "2022-04-04T17:15:07.583Z", + "LastModifiedDate": "2023-11-07T03:44:37.003Z" + }, + { + "VulnerabilityID": "CVE-2022-24785", + "PkgID": "moment@2.29.1", + 
"PkgName": "moment", + "PkgPath": "juice-shop/node_modules/unit-compare/node_modules/moment/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/moment@2.29.1", + "UID": "2e45c75555d396d" + }, + "InstalledVersion": "2.29.1", + "FixedVersion": "2.29.2", + "Status": "fixed", + "Layer": { + "Digest": "sha256:d60b2707975852ac9893dd5f0b9ed98a222f5a8c5b80003dafe8cb2c419d7407", + "DiffID": "sha256:882c984cafed0fa20487f0b4f95474af7d46cff44d735d266633ebcea37e2bd1" + }, + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2022-24785", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Title": "Moment.js: Path traversal in moment.locale", + "Description": "Moment.js is a JavaScript date library for parsing, validating, manipulating, and formatting dates. A path traversal vulnerability impacts npm (server) users of Moment.js between versions 1.0.1 and 2.29.1, especially if a user-provided locale string is directly used to switch moment locale. This problem is patched in 2.29.2, and the patch can be applied to all affected versions. 
As a workaround, sanitize the user-provided locale name before passing it to Moment.js.", + "Severity": "HIGH", + "CweIDs": [ + "CWE-22", + "CWE-27" + ], + "VendorSeverity": { + "ghsa": 3, + "nvd": 3, + "redhat": 2, + "ubuntu": 2 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", + "V3Score": 7.5 + }, + "nvd": { + "V2Vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N", + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", + "V2Score": 5, + "V3Score": 7.5 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", + "V3Score": 7.5 + } + }, + "References": [ + "https://access.redhat.com/security/cve/CVE-2022-24785", + "https://github.com/moment/moment", + "https://github.com/moment/moment/commit/4211bfc8f15746be4019bba557e29a7ba83d54c5", + "https://github.com/moment/moment/security/advisories/GHSA-8hfj-j24r-96c4", + "https://lists.debian.org/debian-lts-announce/2023/01/msg00035.html", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6QIO6YNLTK2T7SPKDS4JEL45FANLNC2Q/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ORJX2LF6KMPIHP6B2P6KZIVKMLE3LVJ5/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6QIO6YNLTK2T7SPKDS4JEL45FANLNC2Q", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ORJX2LF6KMPIHP6B2P6KZIVKMLE3LVJ5", + "https://nvd.nist.gov/vuln/detail/CVE-2022-24785", + "https://security.netapp.com/advisory/ntap-20220513-0006", + "https://security.netapp.com/advisory/ntap-20220513-0006/", + "https://ubuntu.com/security/notices/USN-5559-1", + "https://www.cve.org/CVERecord?id=CVE-2022-24785", + "https://www.tenable.com/security/tns-2022-09" + ], + "PublishedDate": "2022-04-04T17:15:07.583Z", + "LastModifiedDate": "2023-11-07T03:44:37.003Z" + }, + { + "VulnerabilityID": "CVE-2022-31129", + "PkgID": "moment@2.29.1", + 
"PkgName": "moment", + "PkgPath": "juice-shop/node_modules/file-stream-rotator/node_modules/moment/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/moment@2.29.1", + "UID": "e07c3b13a095f6a3" + }, + "InstalledVersion": "2.29.1", + "FixedVersion": "2.29.4", + "Status": "fixed", + "Layer": { + "Digest": "sha256:d60b2707975852ac9893dd5f0b9ed98a222f5a8c5b80003dafe8cb2c419d7407", + "DiffID": "sha256:882c984cafed0fa20487f0b4f95474af7d46cff44d735d266633ebcea37e2bd1" + }, + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2022-31129", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Title": "moment: inefficient parsing algorithm resulting in DoS", + "Description": "moment is a JavaScript date library for parsing, validating, manipulating, and formatting dates. Affected versions of moment were found to use an inefficient parsing algorithm. Specifically using string-to-date parsing in moment (more specifically rfc2822 parsing, which is tried by default) has quadratic (N^2) complexity on specific inputs. Users may notice a noticeable slowdown is observed with inputs above 10k characters. Users who pass user-provided strings without sanity length checks to moment constructor are vulnerable to (Re)DoS attacks. The problem is patched in 2.29.4, the patch can be applied to all affected versions with minimal tweaking. Users are advised to upgrade. 
Users unable to upgrade should consider limiting date lengths accepted from user input.", + "Severity": "HIGH", + "CweIDs": [ + "CWE-1333", + "CWE-400" + ], + "VendorSeverity": { + "ghsa": 3, + "nvd": 3, + "redhat": 3, + "ubuntu": 2 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 7.5 + }, + "nvd": { + "V2Vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P", + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V2Score": 5, + "V3Score": 7.5 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 7.5 + } + }, + "References": [ + "https://access.redhat.com/security/cve/CVE-2022-31129", + "https://github.com/moment/moment", + "https://github.com/moment/moment/commit/9a3b5894f3d5d602948ac8a02e4ee528a49ca3a3", + "https://github.com/moment/moment/pull/6015#issuecomment-1152961973", + "https://github.com/moment/moment/pull/6015/commits/4bbb9f3ccbe231de40207503f344fe5ce97584f4", + "https://github.com/moment/moment/pull/6015/commits/bfd4f2375d5c1a2106246721d693a9611dddfbfe", + "https://github.com/moment/moment/pull/6015/commits/dc0d180e90d8a84f7ff13572363330a22b3ea504", + "https://github.com/moment/moment/security/advisories/GHSA-wc69-rhjr-hc9g", + "https://huntr.dev/bounties/f0952b67-f2ff-44a9-a9cd-99e0a87cb633", + "https://huntr.dev/bounties/f0952b67-f2ff-44a9-a9cd-99e0a87cb633/", + "https://lists.debian.org/debian-lts-announce/2023/01/msg00035.html", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6QIO6YNLTK2T7SPKDS4JEL45FANLNC2Q/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IWY24RJA3SBJGA5N4CU4VBPHJPPPJL5O/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ORJX2LF6KMPIHP6B2P6KZIVKMLE3LVJ5/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZMX5YHELQVCGKKQVFXIYOTBMN23YYSRO/", 
+ "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6QIO6YNLTK2T7SPKDS4JEL45FANLNC2Q", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IWY24RJA3SBJGA5N4CU4VBPHJPPPJL5O", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ORJX2LF6KMPIHP6B2P6KZIVKMLE3LVJ5", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZMX5YHELQVCGKKQVFXIYOTBMN23YYSRO", + "https://nvd.nist.gov/vuln/detail/CVE-2022-31129", + "https://security.netapp.com/advisory/ntap-20221014-0003", + "https://security.netapp.com/advisory/ntap-20221014-0003/", + "https://ubuntu.com/security/notices/USN-5559-1", + "https://ubuntu.com/security/notices/USN-6550-1", + "https://www.cve.org/CVERecord?id=CVE-2022-31129" + ], + "PublishedDate": "2022-07-06T18:15:19.57Z", + "LastModifiedDate": "2023-11-07T03:47:32.993Z" + }, + { + "VulnerabilityID": "CVE-2022-31129", + "PkgID": "moment@2.29.1", + "PkgName": "moment", + "PkgPath": "juice-shop/node_modules/filehound/node_modules/moment/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/moment@2.29.1", + "UID": "2a828da32817cc71" + }, + "InstalledVersion": "2.29.1", + "FixedVersion": "2.29.4", + "Status": "fixed", + "Layer": { + "Digest": "sha256:d60b2707975852ac9893dd5f0b9ed98a222f5a8c5b80003dafe8cb2c419d7407", + "DiffID": "sha256:882c984cafed0fa20487f0b4f95474af7d46cff44d735d266633ebcea37e2bd1" + }, + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2022-31129", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Title": "moment: inefficient parsing algorithm resulting in DoS", + "Description": "moment is a JavaScript date library for parsing, validating, manipulating, and formatting dates. 
Affected versions of moment were found to use an inefficient parsing algorithm. Specifically using string-to-date parsing in moment (more specifically rfc2822 parsing, which is tried by default) has quadratic (N^2) complexity on specific inputs. Users may notice a noticeable slowdown is observed with inputs above 10k characters. Users who pass user-provided strings without sanity length checks to moment constructor are vulnerable to (Re)DoS attacks. The problem is patched in 2.29.4, the patch can be applied to all affected versions with minimal tweaking. Users are advised to upgrade. Users unable to upgrade should consider limiting date lengths accepted from user input.", + "Severity": "HIGH", + "CweIDs": [ + "CWE-1333", + "CWE-400" + ], + "VendorSeverity": { + "ghsa": 3, + "nvd": 3, + "redhat": 3, + "ubuntu": 2 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 7.5 + }, + "nvd": { + "V2Vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P", + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V2Score": 5, + "V3Score": 7.5 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 7.5 + } + }, + "References": [ + "https://access.redhat.com/security/cve/CVE-2022-31129", + "https://github.com/moment/moment", + "https://github.com/moment/moment/commit/9a3b5894f3d5d602948ac8a02e4ee528a49ca3a3", + "https://github.com/moment/moment/pull/6015#issuecomment-1152961973", + "https://github.com/moment/moment/pull/6015/commits/4bbb9f3ccbe231de40207503f344fe5ce97584f4", + "https://github.com/moment/moment/pull/6015/commits/bfd4f2375d5c1a2106246721d693a9611dddfbfe", + "https://github.com/moment/moment/pull/6015/commits/dc0d180e90d8a84f7ff13572363330a22b3ea504", + "https://github.com/moment/moment/security/advisories/GHSA-wc69-rhjr-hc9g", + "https://huntr.dev/bounties/f0952b67-f2ff-44a9-a9cd-99e0a87cb633", + "https://huntr.dev/bounties/f0952b67-f2ff-44a9-a9cd-99e0a87cb633/", + 
"https://lists.debian.org/debian-lts-announce/2023/01/msg00035.html", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6QIO6YNLTK2T7SPKDS4JEL45FANLNC2Q/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IWY24RJA3SBJGA5N4CU4VBPHJPPPJL5O/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ORJX2LF6KMPIHP6B2P6KZIVKMLE3LVJ5/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZMX5YHELQVCGKKQVFXIYOTBMN23YYSRO/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6QIO6YNLTK2T7SPKDS4JEL45FANLNC2Q", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IWY24RJA3SBJGA5N4CU4VBPHJPPPJL5O", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ORJX2LF6KMPIHP6B2P6KZIVKMLE3LVJ5", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZMX5YHELQVCGKKQVFXIYOTBMN23YYSRO", + "https://nvd.nist.gov/vuln/detail/CVE-2022-31129", + "https://security.netapp.com/advisory/ntap-20221014-0003", + "https://security.netapp.com/advisory/ntap-20221014-0003/", + "https://ubuntu.com/security/notices/USN-5559-1", + "https://ubuntu.com/security/notices/USN-6550-1", + "https://www.cve.org/CVERecord?id=CVE-2022-31129" + ], + "PublishedDate": "2022-07-06T18:15:19.57Z", + "LastModifiedDate": "2023-11-07T03:47:32.993Z" + }, + { + "VulnerabilityID": "CVE-2022-31129", + "PkgID": "moment@2.29.1", + "PkgName": "moment", + "PkgPath": "juice-shop/node_modules/finale-rest/node_modules/moment/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/moment@2.29.1", + "UID": "abb8ea7eda98ce73" + }, + "InstalledVersion": "2.29.1", + "FixedVersion": "2.29.4", + "Status": "fixed", + "Layer": { + "Digest": 
"sha256:d60b2707975852ac9893dd5f0b9ed98a222f5a8c5b80003dafe8cb2c419d7407", + "DiffID": "sha256:882c984cafed0fa20487f0b4f95474af7d46cff44d735d266633ebcea37e2bd1" + }, + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2022-31129", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Title": "moment: inefficient parsing algorithm resulting in DoS", + "Description": "moment is a JavaScript date library for parsing, validating, manipulating, and formatting dates. Affected versions of moment were found to use an inefficient parsing algorithm. Specifically using string-to-date parsing in moment (more specifically rfc2822 parsing, which is tried by default) has quadratic (N^2) complexity on specific inputs. Users may notice a noticeable slowdown is observed with inputs above 10k characters. Users who pass user-provided strings without sanity length checks to moment constructor are vulnerable to (Re)DoS attacks. The problem is patched in 2.29.4, the patch can be applied to all affected versions with minimal tweaking. Users are advised to upgrade. 
Users unable to upgrade should consider limiting date lengths accepted from user input.", + "Severity": "HIGH", + "CweIDs": [ + "CWE-1333", + "CWE-400" + ], + "VendorSeverity": { + "ghsa": 3, + "nvd": 3, + "redhat": 3, + "ubuntu": 2 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 7.5 + }, + "nvd": { + "V2Vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P", + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V2Score": 5, + "V3Score": 7.5 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 7.5 + } + }, + "References": [ + "https://access.redhat.com/security/cve/CVE-2022-31129", + "https://github.com/moment/moment", + "https://github.com/moment/moment/commit/9a3b5894f3d5d602948ac8a02e4ee528a49ca3a3", + "https://github.com/moment/moment/pull/6015#issuecomment-1152961973", + "https://github.com/moment/moment/pull/6015/commits/4bbb9f3ccbe231de40207503f344fe5ce97584f4", + "https://github.com/moment/moment/pull/6015/commits/bfd4f2375d5c1a2106246721d693a9611dddfbfe", + "https://github.com/moment/moment/pull/6015/commits/dc0d180e90d8a84f7ff13572363330a22b3ea504", + "https://github.com/moment/moment/security/advisories/GHSA-wc69-rhjr-hc9g", + "https://huntr.dev/bounties/f0952b67-f2ff-44a9-a9cd-99e0a87cb633", + "https://huntr.dev/bounties/f0952b67-f2ff-44a9-a9cd-99e0a87cb633/", + "https://lists.debian.org/debian-lts-announce/2023/01/msg00035.html", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6QIO6YNLTK2T7SPKDS4JEL45FANLNC2Q/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IWY24RJA3SBJGA5N4CU4VBPHJPPPJL5O/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ORJX2LF6KMPIHP6B2P6KZIVKMLE3LVJ5/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZMX5YHELQVCGKKQVFXIYOTBMN23YYSRO/", 
+ "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6QIO6YNLTK2T7SPKDS4JEL45FANLNC2Q", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IWY24RJA3SBJGA5N4CU4VBPHJPPPJL5O", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ORJX2LF6KMPIHP6B2P6KZIVKMLE3LVJ5", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZMX5YHELQVCGKKQVFXIYOTBMN23YYSRO", + "https://nvd.nist.gov/vuln/detail/CVE-2022-31129", + "https://security.netapp.com/advisory/ntap-20221014-0003", + "https://security.netapp.com/advisory/ntap-20221014-0003/", + "https://ubuntu.com/security/notices/USN-5559-1", + "https://ubuntu.com/security/notices/USN-6550-1", + "https://www.cve.org/CVERecord?id=CVE-2022-31129" + ], + "PublishedDate": "2022-07-06T18:15:19.57Z", + "LastModifiedDate": "2023-11-07T03:47:32.993Z" + }, + { + "VulnerabilityID": "CVE-2022-31129", + "PkgID": "moment@2.29.1", + "PkgName": "moment", + "PkgPath": "juice-shop/node_modules/moment-timezone/node_modules/moment/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/moment@2.29.1", + "UID": "b78f2f8a06d1e874" + }, + "InstalledVersion": "2.29.1", + "FixedVersion": "2.29.4", + "Status": "fixed", + "Layer": { + "Digest": "sha256:d60b2707975852ac9893dd5f0b9ed98a222f5a8c5b80003dafe8cb2c419d7407", + "DiffID": "sha256:882c984cafed0fa20487f0b4f95474af7d46cff44d735d266633ebcea37e2bd1" + }, + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2022-31129", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Title": "moment: inefficient parsing algorithm resulting in DoS", + "Description": "moment is a JavaScript date library for parsing, validating, manipulating, and formatting dates. 
Affected versions of moment were found to use an inefficient parsing algorithm. Specifically using string-to-date parsing in moment (more specifically rfc2822 parsing, which is tried by default) has quadratic (N^2) complexity on specific inputs. Users may notice a noticeable slowdown is observed with inputs above 10k characters. Users who pass user-provided strings without sanity length checks to moment constructor are vulnerable to (Re)DoS attacks. The problem is patched in 2.29.4, the patch can be applied to all affected versions with minimal tweaking. Users are advised to upgrade. Users unable to upgrade should consider limiting date lengths accepted from user input.", + "Severity": "HIGH", + "CweIDs": [ + "CWE-1333", + "CWE-400" + ], + "VendorSeverity": { + "ghsa": 3, + "nvd": 3, + "redhat": 3, + "ubuntu": 2 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 7.5 + }, + "nvd": { + "V2Vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P", + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V2Score": 5, + "V3Score": 7.5 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 7.5 + } + }, + "References": [ + "https://access.redhat.com/security/cve/CVE-2022-31129", + "https://github.com/moment/moment", + "https://github.com/moment/moment/commit/9a3b5894f3d5d602948ac8a02e4ee528a49ca3a3", + "https://github.com/moment/moment/pull/6015#issuecomment-1152961973", + "https://github.com/moment/moment/pull/6015/commits/4bbb9f3ccbe231de40207503f344fe5ce97584f4", + "https://github.com/moment/moment/pull/6015/commits/bfd4f2375d5c1a2106246721d693a9611dddfbfe", + "https://github.com/moment/moment/pull/6015/commits/dc0d180e90d8a84f7ff13572363330a22b3ea504", + "https://github.com/moment/moment/security/advisories/GHSA-wc69-rhjr-hc9g", + "https://huntr.dev/bounties/f0952b67-f2ff-44a9-a9cd-99e0a87cb633", + "https://huntr.dev/bounties/f0952b67-f2ff-44a9-a9cd-99e0a87cb633/", + 
"https://lists.debian.org/debian-lts-announce/2023/01/msg00035.html", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6QIO6YNLTK2T7SPKDS4JEL45FANLNC2Q/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IWY24RJA3SBJGA5N4CU4VBPHJPPPJL5O/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ORJX2LF6KMPIHP6B2P6KZIVKMLE3LVJ5/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZMX5YHELQVCGKKQVFXIYOTBMN23YYSRO/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6QIO6YNLTK2T7SPKDS4JEL45FANLNC2Q", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IWY24RJA3SBJGA5N4CU4VBPHJPPPJL5O", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ORJX2LF6KMPIHP6B2P6KZIVKMLE3LVJ5", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZMX5YHELQVCGKKQVFXIYOTBMN23YYSRO", + "https://nvd.nist.gov/vuln/detail/CVE-2022-31129", + "https://security.netapp.com/advisory/ntap-20221014-0003", + "https://security.netapp.com/advisory/ntap-20221014-0003/", + "https://ubuntu.com/security/notices/USN-5559-1", + "https://ubuntu.com/security/notices/USN-6550-1", + "https://www.cve.org/CVERecord?id=CVE-2022-31129" + ], + "PublishedDate": "2022-07-06T18:15:19.57Z", + "LastModifiedDate": "2023-11-07T03:47:32.993Z" + }, + { + "VulnerabilityID": "CVE-2022-31129", + "PkgID": "moment@2.29.1", + "PkgName": "moment", + "PkgPath": "juice-shop/node_modules/sequelize/node_modules/moment/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/moment@2.29.1", + "UID": "90231bea3beef271" + }, + "InstalledVersion": "2.29.1", + "FixedVersion": "2.29.4", + "Status": "fixed", + "Layer": { + "Digest": 
"sha256:d60b2707975852ac9893dd5f0b9ed98a222f5a8c5b80003dafe8cb2c419d7407", + "DiffID": "sha256:882c984cafed0fa20487f0b4f95474af7d46cff44d735d266633ebcea37e2bd1" + }, + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2022-31129", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Title": "moment: inefficient parsing algorithm resulting in DoS", + "Description": "moment is a JavaScript date library for parsing, validating, manipulating, and formatting dates. Affected versions of moment were found to use an inefficient parsing algorithm. Specifically using string-to-date parsing in moment (more specifically rfc2822 parsing, which is tried by default) has quadratic (N^2) complexity on specific inputs. Users may notice a noticeable slowdown is observed with inputs above 10k characters. Users who pass user-provided strings without sanity length checks to moment constructor are vulnerable to (Re)DoS attacks. The problem is patched in 2.29.4, the patch can be applied to all affected versions with minimal tweaking. Users are advised to upgrade. 
Users unable to upgrade should consider limiting date lengths accepted from user input.", + "Severity": "HIGH", + "CweIDs": [ + "CWE-1333", + "CWE-400" + ], + "VendorSeverity": { + "ghsa": 3, + "nvd": 3, + "redhat": 3, + "ubuntu": 2 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 7.5 + }, + "nvd": { + "V2Vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P", + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V2Score": 5, + "V3Score": 7.5 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 7.5 + } + }, + "References": [ + "https://access.redhat.com/security/cve/CVE-2022-31129", + "https://github.com/moment/moment", + "https://github.com/moment/moment/commit/9a3b5894f3d5d602948ac8a02e4ee528a49ca3a3", + "https://github.com/moment/moment/pull/6015#issuecomment-1152961973", + "https://github.com/moment/moment/pull/6015/commits/4bbb9f3ccbe231de40207503f344fe5ce97584f4", + "https://github.com/moment/moment/pull/6015/commits/bfd4f2375d5c1a2106246721d693a9611dddfbfe", + "https://github.com/moment/moment/pull/6015/commits/dc0d180e90d8a84f7ff13572363330a22b3ea504", + "https://github.com/moment/moment/security/advisories/GHSA-wc69-rhjr-hc9g", + "https://huntr.dev/bounties/f0952b67-f2ff-44a9-a9cd-99e0a87cb633", + "https://huntr.dev/bounties/f0952b67-f2ff-44a9-a9cd-99e0a87cb633/", + "https://lists.debian.org/debian-lts-announce/2023/01/msg00035.html", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6QIO6YNLTK2T7SPKDS4JEL45FANLNC2Q/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IWY24RJA3SBJGA5N4CU4VBPHJPPPJL5O/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ORJX2LF6KMPIHP6B2P6KZIVKMLE3LVJ5/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZMX5YHELQVCGKKQVFXIYOTBMN23YYSRO/", 
+ "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6QIO6YNLTK2T7SPKDS4JEL45FANLNC2Q", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IWY24RJA3SBJGA5N4CU4VBPHJPPPJL5O", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ORJX2LF6KMPIHP6B2P6KZIVKMLE3LVJ5", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZMX5YHELQVCGKKQVFXIYOTBMN23YYSRO", + "https://nvd.nist.gov/vuln/detail/CVE-2022-31129", + "https://security.netapp.com/advisory/ntap-20221014-0003", + "https://security.netapp.com/advisory/ntap-20221014-0003/", + "https://ubuntu.com/security/notices/USN-5559-1", + "https://ubuntu.com/security/notices/USN-6550-1", + "https://www.cve.org/CVERecord?id=CVE-2022-31129" + ], + "PublishedDate": "2022-07-06T18:15:19.57Z", + "LastModifiedDate": "2023-11-07T03:47:32.993Z" + }, + { + "VulnerabilityID": "CVE-2022-31129", + "PkgID": "moment@2.29.1", + "PkgName": "moment", + "PkgPath": "juice-shop/node_modules/unit-compare/node_modules/moment/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/moment@2.29.1", + "UID": "2e45c75555d396d" + }, + "InstalledVersion": "2.29.1", + "FixedVersion": "2.29.4", + "Status": "fixed", + "Layer": { + "Digest": "sha256:d60b2707975852ac9893dd5f0b9ed98a222f5a8c5b80003dafe8cb2c419d7407", + "DiffID": "sha256:882c984cafed0fa20487f0b4f95474af7d46cff44d735d266633ebcea37e2bd1" + }, + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2022-31129", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Title": "moment: inefficient parsing algorithm resulting in DoS", + "Description": "moment is a JavaScript date library for parsing, validating, manipulating, and formatting dates. 
Affected versions of moment were found to use an inefficient parsing algorithm. Specifically using string-to-date parsing in moment (more specifically rfc2822 parsing, which is tried by default) has quadratic (N^2) complexity on specific inputs. Users may notice a noticeable slowdown is observed with inputs above 10k characters. Users who pass user-provided strings without sanity length checks to moment constructor are vulnerable to (Re)DoS attacks. The problem is patched in 2.29.4, the patch can be applied to all affected versions with minimal tweaking. Users are advised to upgrade. Users unable to upgrade should consider limiting date lengths accepted from user input.", + "Severity": "HIGH", + "CweIDs": [ + "CWE-1333", + "CWE-400" + ], + "VendorSeverity": { + "ghsa": 3, + "nvd": 3, + "redhat": 3, + "ubuntu": 2 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 7.5 + }, + "nvd": { + "V2Vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P", + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V2Score": 5, + "V3Score": 7.5 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 7.5 + } + }, + "References": [ + "https://access.redhat.com/security/cve/CVE-2022-31129", + "https://github.com/moment/moment", + "https://github.com/moment/moment/commit/9a3b5894f3d5d602948ac8a02e4ee528a49ca3a3", + "https://github.com/moment/moment/pull/6015#issuecomment-1152961973", + "https://github.com/moment/moment/pull/6015/commits/4bbb9f3ccbe231de40207503f344fe5ce97584f4", + "https://github.com/moment/moment/pull/6015/commits/bfd4f2375d5c1a2106246721d693a9611dddfbfe", + "https://github.com/moment/moment/pull/6015/commits/dc0d180e90d8a84f7ff13572363330a22b3ea504", + "https://github.com/moment/moment/security/advisories/GHSA-wc69-rhjr-hc9g", + "https://huntr.dev/bounties/f0952b67-f2ff-44a9-a9cd-99e0a87cb633", + "https://huntr.dev/bounties/f0952b67-f2ff-44a9-a9cd-99e0a87cb633/", + 
"https://lists.debian.org/debian-lts-announce/2023/01/msg00035.html", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6QIO6YNLTK2T7SPKDS4JEL45FANLNC2Q/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IWY24RJA3SBJGA5N4CU4VBPHJPPPJL5O/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ORJX2LF6KMPIHP6B2P6KZIVKMLE3LVJ5/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZMX5YHELQVCGKKQVFXIYOTBMN23YYSRO/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6QIO6YNLTK2T7SPKDS4JEL45FANLNC2Q", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IWY24RJA3SBJGA5N4CU4VBPHJPPPJL5O", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ORJX2LF6KMPIHP6B2P6KZIVKMLE3LVJ5", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZMX5YHELQVCGKKQVFXIYOTBMN23YYSRO", + "https://nvd.nist.gov/vuln/detail/CVE-2022-31129", + "https://security.netapp.com/advisory/ntap-20221014-0003", + "https://security.netapp.com/advisory/ntap-20221014-0003/", + "https://ubuntu.com/security/notices/USN-5559-1", + "https://ubuntu.com/security/notices/USN-6550-1", + "https://www.cve.org/CVERecord?id=CVE-2022-31129" + ], + "PublishedDate": "2022-07-06T18:15:19.57Z", + "LastModifiedDate": "2023-11-07T03:47:32.993Z" + }, + { + "VulnerabilityID": "GHSA-v78c-4p63-2j6c", + "PkgID": "moment-timezone@0.5.33", + "PkgName": "moment-timezone", + "PkgPath": "juice-shop/node_modules/moment-timezone/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/moment-timezone@0.5.33", + "UID": "1771adb3e3a670bc" + }, + "InstalledVersion": "0.5.33", + "FixedVersion": "0.5.35", + "Status": "fixed", + "Layer": { + "Digest": 
"sha256:d60b2707975852ac9893dd5f0b9ed98a222f5a8c5b80003dafe8cb2c419d7407", + "DiffID": "sha256:882c984cafed0fa20487f0b4f95474af7d46cff44d735d266633ebcea37e2bd1" + }, + "SeveritySource": "ghsa", + "PrimaryURL": "https://github.com/advisories/GHSA-v78c-4p63-2j6c", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Title": "Cleartext Transmission of Sensitive Information in moment-timezone", + "Description": "### Impact\n\n* if Alice uses `grunt data` (or `grunt release`) to prepare a custom-build, moment-timezone with the latest tzdata from IANA's website\n* and Mallory intercepts the request to IANA's unencrypted ftp server, Mallory can serve data which might exploit further stages of the moment-timezone tzdata pipeline, or potentially produce a tainted version of moment-timezone (practicality of such attacks is not proved)\n\n### Patches\nProblem has been patched in version 0.5.35, patch should be applicable with minor modifications to all affected versions. 
The patch includes changing the FTP endpoint with an HTTPS endpoint.\n\n### Workarounds\nSpecify the exact version of tzdata (like `2014d`, full command being `grunt data:2014d`, then run the rest of the release tasks by hand), or just apply the patch before issuing the grunt command.\n", + "Severity": "MEDIUM", + "VendorSeverity": { + "ghsa": 2 + }, + "References": [ + "https://github.com/moment/moment-timezone", + "https://github.com/moment/moment-timezone/commit/7915ac567ab19700e44ad6b5d8ef0b85e48a9e75", + "https://github.com/moment/moment-timezone/security/advisories/GHSA-v78c-4p63-2j6c" + ] + }, + { + "VulnerabilityID": "GHSA-56x4-j7p9-fcf9", + "PkgID": "moment-timezone@0.5.33", + "PkgName": "moment-timezone", + "PkgPath": "juice-shop/node_modules/moment-timezone/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/moment-timezone@0.5.33", + "UID": "1771adb3e3a670bc" + }, + "InstalledVersion": "0.5.33", + "FixedVersion": "0.5.35", + "Status": "fixed", + "Layer": { + "Digest": "sha256:d60b2707975852ac9893dd5f0b9ed98a222f5a8c5b80003dafe8cb2c419d7407", + "DiffID": "sha256:882c984cafed0fa20487f0b4f95474af7d46cff44d735d266633ebcea37e2bd1" + }, + "SeveritySource": "ghsa", + "PrimaryURL": "https://github.com/advisories/GHSA-56x4-j7p9-fcf9", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Title": "Command Injection in moment-timezone", + "Description": "### Impact\n\nAll versions of moment-timezone from 0.1.0 contain build tasks vulnerable to command injection.\n\n* if Alice uses tzdata pipeline to package moment-timezone on her own (for example via `grunt data:2014d`, where `2014d` stands for the version of the tzdata to be used from IANA's website),\n* and Alice let's Mallory select the version (`2014d` in our example), then Mallory can execute arbitrary commands on the machine running the grunt task, with the same privilege as the grunt task\n\n#### 
Am I affected?\n\n##### Do you build custom versions of moment-timezone with grunt?\n\nIf no, you're not affected.\n\n##### Do you allow a third party to specify which particular version you want build?\n\nIf yes, you're vulnerable to command injection -- third party may execute arbitrary commands on the system running grunt task with the same privileges as grunt task.\n\n### Description\n\n#### Command Injection via grunt-zdownload.js and MITM on iana's ftp endpoint\n\nThe `tasks/data-download.js` script takes in a parameter from grunt and uses it to form a command line which is then executed:\n\n```\n6 module.exports = function (grunt) {\n7 grunt.registerTask('data-download', '1. Download data from iana.org/time-zones.', function (version) {\n8 version = version || 'latest';\n\n10 var done = this.async(),\n11 src = 'ftp://ftp.iana.org/tz/tzdata-latest.tar.gz',\n12 curl = path.resolve('temp/curl', version, 'data.tar.gz'),\n13 dest = path.resolve('temp/download', version);\n...\n24 exec('curl ' + src + ' -o ' + curl + ' \u0026\u0026 cd ' + dest + ' \u0026\u0026 gzip -dc ' + curl + ' | tar -xf -', function (err) {\n```\n\nOrdinarily, one one run this script using something like `grunt data-download:2014d`, in which case version would have the value `2014d`. 
However, if an attacker were to provide additional content on the command line, they would be able to execute arbitrary code\n\n```\nroot@e94ba0490b65:/usr/src/app/moment-timezone# grunt 'data-download:2014d ; echo flag\u003e/tmp/foo #'\n\\Running \"data-download:2014d ; echo flag\u003e/tmp/foo #\" (data-download) task\n\u003e\u003e Downloading https://data.iana.org/time-zones/releases/tzdata2014d ; echo flag\u003e/tmp/foo #.tar.gz\n\u003e\u003e Downloaded https://data.iana.org/time-zones/releases/tzdata2014d ; echo flag\u003e/tmp/foo #.tar.gz\n\nDone.\nroot@e94ba0490b65:/usr/src/app/moment-timezone# cat /tmp/foo\nflag\n```\n\n#### Command Injection via data-zdump.js\n\nThe `tasks/data-zdump.js` script reads a list of files present in a temporary directory (created by previous tasks), and for each one, assembles and executes a command line without sanitization. As a result, an attacker able to influence the contents of that directory could gain code execution. This attack is exacerbated by timezone data being downloaded via cleartext FTP (described above), but beyond that, an attacker at iana.org able to modify the timezone files could disrupt any systems that build moment-timezone.\n\n```\n15 files = grunt.file.expand({ filter : 'isFile', cwd : 'temp/zic/' + version }, '**/*');\n...\n27 function next () {\n...\n33 var file = files.pop(),\n34 src = path.join(zicBase, file),\n35 dest = path.join(zdumpBase, file);\n36 exec('zdump -v ' + src, { maxBuffer: 20*1024*1024 }, function (err, stdout) {\n```\n\nIn this case, an attacker able to add a file to `temp/zic/2014d` (for example) with a filename like `Z; curl www.example.com` would influence the called to exec on line 36 and run arbitrary code. 
There are a few minor challenges in exploiting this, since the string needs to be a valid filename.\n\n#### Command Injection via data-zic.js\n\nSimilar to the vulnerability in /tasks/data-download.js, the /tasks/data-zic.js script takes a version from the command line and uses it as part of a command line, executed without sanitization.\n\n```\n10 var done = this.async(),\n11 dest = path.resolve('temp/zic', version),\n...\n22 var file = files.shift(),\n23 src = path.resolve('temp/download', version, file);\n24\n25 exec('zic -d ' + dest + ' ' + src, function (err) {\n```\n\nAs a result, an attacker able to influence that string can run arbitrary commands. Of course, it requires an attacker able to influence the command passed to grunt, so may be unlikely in practice.\n\n```\nroot@e94ba0490b65:/usr/src/app/moment-timezone# grunt 'data-zic:2014d; echo hi \u003e /tmp/evil; echo '\nRunning \"data-zic:2014d; echo hi \u003e /tmp/evil; echo \" (data-zic) task\nexec: zid -d /usr/src/app/moment-timezone/temp/zic/2014d; echo hi \u003e /tmp/evil; echo /usr/src/app/moment-timezone/temp/download/2014d; echo hi \u003e /tmp/evil; echo /africa\n...\n\nroot@e94ba0490b65:/usr/src/app/moment-timezone# cat /tmp/evil\nhi\n```\n\n### Patches\n\nThe supplied patch on top of 0.5.34 is applicable with minor tweaks to all affected versions. 
It switches `exec` to `execFile` so arbitrary bash fragments won't be executed any more.\n\n### References\n\n* https://knowledge-base.secureflag.com/vulnerabilities/code_injection/os_command_injection_nodejs.html\n* https://auth0.com/blog/preventing-command-injection-attacks-in-node-js-apps/", + "Severity": "LOW", + "VendorSeverity": { + "ghsa": 1 + }, + "References": [ + "https://github.com/moment/moment-timezone", + "https://github.com/moment/moment-timezone/commit/ce955a301ff372e8e9fb3a5b516620c60e7a082a", + "https://github.com/moment/moment-timezone/security/advisories/GHSA-56x4-j7p9-fcf9" + ] + }, + { + "VulnerabilityID": "CVE-2022-21213", + "PkgID": "mout@1.2.3", + "PkgName": "mout", + "PkgPath": "juice-shop/node_modules/mout/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/mout@1.2.3", + "UID": "c9c69fbaf97d321e" + }, + "InstalledVersion": "1.2.3", + "FixedVersion": "1.2.4", + "Status": "fixed", + "Layer": { + "Digest": "sha256:d60b2707975852ac9893dd5f0b9ed98a222f5a8c5b80003dafe8cb2c419d7407", + "DiffID": "sha256:882c984cafed0fa20487f0b4f95474af7d46cff44d735d266633ebcea37e2bd1" + }, + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2022-21213", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Title": "Prototype Pollution in mout", + "Description": "This affects all versions of package mout. The deepFillIn function can be used to 'fill missing properties recursively', while the deepMixIn mixes objects into the target object, recursively mixing existing child objects as well. In both cases, the key used to access the target object recursively is not checked, leading to exploiting this vulnerability. 
**Note:** This vulnerability derives from an incomplete fix of [CVE-2020-7792](https://security.snyk.io/vuln/SNYK-JS-MOUT-1014544).", + "Severity": "HIGH", + "CweIDs": [ + "CWE-1321" + ], + "VendorSeverity": { + "ghsa": 3, + "nvd": 3 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 7.5 + }, + "nvd": { + "V2Vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P", + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V2Score": 5, + "V3Score": 7.5 + } + }, + "References": [ + "https://github.com/mout/mout", + "https://github.com/mout/mout/blob/master/src/object/deepFillIn.js", + "https://github.com/mout/mout/blob/master/src/object/deepMixIn.js", + "https://github.com/mout/mout/commit/17ffdc2a96417a63a0147156dc045e90d0d14c64", + "https://github.com/mout/mout/pull/279", + "https://nvd.nist.gov/vuln/detail/CVE-2022-21213", + "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-2870623", + "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-2870622", + "https://snyk.io/vuln/SNYK-JS-MOUT-2342654" + ], + "PublishedDate": "2022-06-17T20:15:10.363Z", + "LastModifiedDate": "2022-06-28T14:43:48.983Z" + }, + { + "VulnerabilityID": "CVE-2022-0235", + "PkgID": "node-fetch@2.6.5", + "PkgName": "node-fetch", + "PkgPath": "juice-shop/node_modules/node-fetch/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/node-fetch@2.6.5", + "UID": "7998e77af642f47e" + }, + "InstalledVersion": "2.6.5", + "FixedVersion": "3.1.1, 2.6.7", + "Status": "fixed", + "Layer": { + "Digest": "sha256:d60b2707975852ac9893dd5f0b9ed98a222f5a8c5b80003dafe8cb2c419d7407", + "DiffID": "sha256:882c984cafed0fa20487f0b4f95474af7d46cff44d735d266633ebcea37e2bd1" + }, + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2022-0235", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Title": "node-fetch: exposure of sensitive information to an 
unauthorized actor", + "Description": "node-fetch is vulnerable to Exposure of Sensitive Information to an Unauthorized Actor", + "Severity": "HIGH", + "CweIDs": [ + "CWE-200", + "CWE-601" + ], + "VendorSeverity": { + "alma": 2, + "ghsa": 3, + "nvd": 2, + "oracle-oval": 2, + "redhat": 2, + "ubuntu": 2 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "V3Score": 8.8 + }, + "nvd": { + "V2Vector": "AV:N/AC:M/Au:N/C:P/I:P/A:N", + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", + "V2Score": 5.8, + "V3Score": 6.1 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:N/A:N", + "V3Score": 6.1 + } + }, + "References": [ + "https://access.redhat.com/errata/RHSA-2023:0050", + "https://access.redhat.com/security/cve/CVE-2022-0235", + "https://bugzilla.redhat.com/2044591", + "https://bugzilla.redhat.com/2066009", + "https://bugzilla.redhat.com/2134609", + "https://bugzilla.redhat.com/2140911", + "https://bugzilla.redhat.com/2150323", + "https://cert-portal.siemens.com/productcert/pdf/ssa-637483.pdf", + "https://errata.almalinux.org/8/ALSA-2023-0050.html", + "https://github.com/node-fetch/node-fetch", + "https://github.com/node-fetch/node-fetch/commit/1ef4b560a17e644a02a3bfdea7631ffeee578b35", + "https://github.com/node-fetch/node-fetch/commit/36e47e8a6406185921e4985dcbeff140d73eaa10", + "https://github.com/node-fetch/node-fetch/commit/5c32f002fdd65b1c6a8f1e3620210813d45c7e60", + "https://github.com/node-fetch/node-fetch/pull/1449/commits/5c32f002fdd65b1c6a8f1e3620210813d45c7e60", + "https://github.com/node-fetch/node-fetch/pull/1453", + "https://huntr.dev/bounties/d26ab655-38d6-48b3-be15-f9ad6b6ae6f7", + "https://huntr.dev/bounties/d26ab655-38d6-48b3-be15-f9ad6b6ae6f7/", + "https://linux.oracle.com/cve/CVE-2022-0235.html", + "https://linux.oracle.com/errata/ELSA-2023-0050.html", + "https://lists.debian.org/debian-lts-announce/2022/12/msg00007.html", + "https://nvd.nist.gov/vuln/detail/CVE-2022-0235", + 
"https://ubuntu.com/security/notices/USN-6158-1", + "https://www.cve.org/CVERecord?id=CVE-2022-0235" + ], + "PublishedDate": "2022-01-16T17:15:07.87Z", + "LastModifiedDate": "2023-02-03T19:16:07.09Z" + }, + { + "VulnerabilityID": "CVE-2021-23771", + "PkgID": "notevil@1.3.3", + "PkgName": "notevil", + "PkgPath": "juice-shop/node_modules/notevil/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/notevil@1.3.3", + "UID": "3e66e3cc17ffdfc2" + }, + "InstalledVersion": "1.3.3", + "Status": "affected", + "Layer": { + "Digest": "sha256:d60b2707975852ac9893dd5f0b9ed98a222f5a8c5b80003dafe8cb2c419d7407", + "DiffID": "sha256:882c984cafed0fa20487f0b4f95474af7d46cff44d735d266633ebcea37e2bd1" + }, + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2021-23771", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Title": "Sandbox escape in notevil and argencoders-notevil", + "Description": "This affects all versions of package notevil; all versions of package argencoders-notevil. It is vulnerable to Sandbox Escape leading to Prototype pollution. The package fails to restrict access to the main context, allowing an attacker to add or modify an object's prototype. 
**Note:** This vulnerability derives from an incomplete fix in [SNYK-JS-NOTEVIL-608878](https://security.snyk.io/vuln/SNYK-JS-NOTEVIL-608878).", + "Severity": "MEDIUM", + "CweIDs": [ + "CWE-1321" + ], + "VendorSeverity": { + "ghsa": 2, + "nvd": 2 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", + "V3Score": 6.5 + }, + "nvd": { + "V2Vector": "AV:N/AC:L/Au:N/C:P/I:P/A:N", + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", + "V2Score": 6.4, + "V3Score": 6.5 + } + }, + "References": [ + "https://github.com/mmckegg/notevil", + "https://nvd.nist.gov/vuln/detail/CVE-2021-23771", + "https://snyk.io/vuln/SNYK-JS-ARGENCODERSNOTEVIL-2388587", + "https://snyk.io/vuln/SNYK-JS-NOTEVIL-2385946" + ], + "PublishedDate": "2022-03-17T12:15:07.74Z", + "LastModifiedDate": "2022-03-24T01:46:38.647Z" + }, + { + "VulnerabilityID": "CVE-2024-45296", + "PkgID": "path-to-regexp@0.1.7", + "PkgName": "path-to-regexp", + "PkgPath": "juice-shop/node_modules/path-to-regexp/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/path-to-regexp@0.1.7", + "UID": "e423dc94410f6cb2" + }, + "InstalledVersion": "0.1.7", + "FixedVersion": "1.9.0, 0.1.10, 8.0.0, 3.3.0, 6.3.0", + "Status": "fixed", + "Layer": { + "Digest": "sha256:d60b2707975852ac9893dd5f0b9ed98a222f5a8c5b80003dafe8cb2c419d7407", + "DiffID": "sha256:882c984cafed0fa20487f0b4f95474af7d46cff44d735d266633ebcea37e2bd1" + }, + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2024-45296", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Title": "path-to-regexp: Backtracking regular expressions cause ReDoS", + "Description": "path-to-regexp turns path strings into a regular expressions. In certain cases, path-to-regexp will output a regular expression that can be exploited to cause poor performance. 
Because JavaScript is single threaded and regex matching runs on the main thread, poor performance will block the event loop and lead to a DoS. The bad regular expression is generated any time you have two parameters within a single segment, separated by something that is not a period (.). For users of 0.1, upgrade to 0.1.10. All other users should upgrade to 8.0.0.", + "Severity": "HIGH", + "CweIDs": [ + "CWE-1333" + ], + "VendorSeverity": { + "cbl-mariner": 3, + "ghsa": 3, + "redhat": 2 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 7.5 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", + "V3Score": 5.3 + } + }, + "References": [ + "https://access.redhat.com/security/cve/CVE-2024-45296", + "https://github.com/pillarjs/path-to-regexp", + "https://github.com/pillarjs/path-to-regexp/commit/29b96b4a1de52824e1ca0f49a701183cc4ed476f", + "https://github.com/pillarjs/path-to-regexp/commit/60f2121e9b66b7b622cc01080df0aabda9eedee6", + "https://github.com/pillarjs/path-to-regexp/commit/925ac8e3c5780b02f58cbd4e52f95da8ad2ac485", + "https://github.com/pillarjs/path-to-regexp/commit/d31670ae8f6e69cbfd56e835742195b7d10942ef", + "https://github.com/pillarjs/path-to-regexp/commit/f1253b47b347dcb909e3e80b0eb2649109e59894", + "https://github.com/pillarjs/path-to-regexp/releases/tag/v6.3.0", + "https://github.com/pillarjs/path-to-regexp/security/advisories/GHSA-9wv6-86v2-598j", + "https://nvd.nist.gov/vuln/detail/CVE-2024-45296", + "https://www.cve.org/CVERecord?id=CVE-2024-45296" + ], + "PublishedDate": "2024-09-09T19:15:13.33Z", + "LastModifiedDate": "2024-09-10T12:09:50.377Z" + }, + { + "VulnerabilityID": "CVE-2024-36361", + "PkgID": "pug@3.0.2", + "PkgName": "pug", + "PkgPath": "juice-shop/node_modules/pug/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/pug@3.0.2", + "UID": "ad7c055e56c40520" + }, + "InstalledVersion": "3.0.2", + "FixedVersion": "3.0.3", + "Status": "fixed", + "Layer": 
{ + "Digest": "sha256:d60b2707975852ac9893dd5f0b9ed98a222f5a8c5b80003dafe8cb2c419d7407", + "DiffID": "sha256:882c984cafed0fa20487f0b4f95474af7d46cff44d735d266633ebcea37e2bd1" + }, + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2024-36361", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Title": "Pug allows JavaScript code execution if an application accepts untrusted input", + "Description": "Pug through 3.0.2 allows JavaScript code execution if an application accepts untrusted input for the name option of the compileClient, compileFileClient, or compileClientWithDependenciesTracked function. NOTE: these functions are for compiling Pug templates into JavaScript, and there would typically be no reason to allow untrusted callers.", + "Severity": "MEDIUM", + "CweIDs": [ + "CWE-94" + ], + "VendorSeverity": { + "ghsa": 2 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N", + "V3Score": 6.8 + } + }, + "References": [ + "https://github.com/Coding-Competition-Team/hackac-2024/tree/main/web/pug", + "https://github.com/pugjs/pug", + "https://github.com/pugjs/pug/blob/4767cafea0af3d3f935553df0f9a8a6e76d470c2/packages/pug/lib/index.js#L328", + "https://github.com/pugjs/pug/commit/32acfe8f197dc44c54e8af32c7d7b19aa9d350fb", + "https://github.com/pugjs/pug/pull/3428", + "https://github.com/pugjs/pug/pull/3438", + "https://github.com/pugjs/pug/releases/tag/pug%403.0.3", + "https://nvd.nist.gov/vuln/detail/CVE-2024-36361", + "https://pugjs.org/api/reference.html", + "https://www.npmjs.com/package/pug-code-gen" + ], + "PublishedDate": "2024-05-24T06:15:08.947Z", + "LastModifiedDate": "2024-08-02T04:17:00.323Z" + }, + { + "VulnerabilityID": "CVE-2024-36361", + "PkgID": "pug-code-gen@3.0.2", + "PkgName": "pug-code-gen", + "PkgPath": "juice-shop/node_modules/pug-code-gen/package.json", + "PkgIdentifier": { 
+ "PURL": "pkg:npm/pug-code-gen@3.0.2", + "UID": "1171dc9382e0482" + }, + "InstalledVersion": "3.0.2", + "FixedVersion": "3.0.3", + "Status": "fixed", + "Layer": { + "Digest": "sha256:d60b2707975852ac9893dd5f0b9ed98a222f5a8c5b80003dafe8cb2c419d7407", + "DiffID": "sha256:882c984cafed0fa20487f0b4f95474af7d46cff44d735d266633ebcea37e2bd1" + }, + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2024-36361", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Title": "Pug allows JavaScript code execution if an application accepts untrusted input", + "Description": "Pug through 3.0.2 allows JavaScript code execution if an application accepts untrusted input for the name option of the compileClient, compileFileClient, or compileClientWithDependenciesTracked function. NOTE: these functions are for compiling Pug templates into JavaScript, and there would typically be no reason to allow untrusted callers.", + "Severity": "MEDIUM", + "CweIDs": [ + "CWE-94" + ], + "VendorSeverity": { + "ghsa": 2 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N", + "V3Score": 6.8 + } + }, + "References": [ + "https://github.com/Coding-Competition-Team/hackac-2024/tree/main/web/pug", + "https://github.com/pugjs/pug", + "https://github.com/pugjs/pug/blob/4767cafea0af3d3f935553df0f9a8a6e76d470c2/packages/pug/lib/index.js#L328", + "https://github.com/pugjs/pug/commit/32acfe8f197dc44c54e8af32c7d7b19aa9d350fb", + "https://github.com/pugjs/pug/pull/3428", + "https://github.com/pugjs/pug/pull/3438", + "https://github.com/pugjs/pug/releases/tag/pug%403.0.3", + "https://nvd.nist.gov/vuln/detail/CVE-2024-36361", + "https://pugjs.org/api/reference.html", + "https://www.npmjs.com/package/pug-code-gen" + ], + "PublishedDate": "2024-05-24T06:15:08.947Z", + "LastModifiedDate": "2024-08-02T04:17:00.323Z" + }, + { + "VulnerabilityID": 
"CVE-2022-24999", + "PkgID": "qs@6.5.2", + "PkgName": "qs", + "PkgPath": "juice-shop/node_modules/request/node_modules/qs/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/qs@6.5.2", + "UID": "e549cd19af95a943" + }, + "InstalledVersion": "6.5.2", + "FixedVersion": "6.10.3, 6.9.7, 6.8.3, 6.7.3, 6.6.1, 6.5.3, 6.4.1, 6.3.3, 6.2.4", + "Status": "fixed", + "Layer": { + "Digest": "sha256:d60b2707975852ac9893dd5f0b9ed98a222f5a8c5b80003dafe8cb2c419d7407", + "DiffID": "sha256:882c984cafed0fa20487f0b4f95474af7d46cff44d735d266633ebcea37e2bd1" + }, + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2022-24999", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Title": "express: \"qs\" prototype poisoning causes the hang of the node process", + "Description": "qs before 6.10.3, as used in Express before 4.17.3 and other products, allows attackers to cause a Node process hang for an Express application because an __ proto__ key can be used. In many typical Express use cases, an unauthenticated remote attacker can place the attack payload in the query string of the URL that is used to visit the application, such as a[__proto__]=b\u0026a[__proto__]\u0026a[length]=100000000. 
The fix was backported to qs 6.9.7, 6.8.3, 6.7.3, 6.6.1, 6.5.3, 6.4.1, 6.3.3, and 6.2.4 (and therefore Express 4.17.3, which has \"deps: qs@6.9.7\" in its release description, is not vulnerable).", + "Severity": "HIGH", + "CweIDs": [ + "CWE-1321" + ], + "VendorSeverity": { + "alma": 2, + "ghsa": 3, + "nvd": 3, + "oracle-oval": 2, + "redhat": 2 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 7.5 + }, + "nvd": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 7.5 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 7.5 + } + }, + "References": [ + "https://access.redhat.com/errata/RHSA-2023:0050", + "https://access.redhat.com/security/cve/CVE-2022-24999", + "https://bugzilla.redhat.com/2044591", + "https://bugzilla.redhat.com/2066009", + "https://bugzilla.redhat.com/2134609", + "https://bugzilla.redhat.com/2140911", + "https://bugzilla.redhat.com/2150323", + "https://errata.almalinux.org/8/ALSA-2023-0050.html", + "https://github.com/expressjs/express/releases/tag/4.17.3", + "https://github.com/ljharb/qs", + "https://github.com/ljharb/qs/commit/4310742efbd8c03f6495f07906b45213da0a32ec", + "https://github.com/ljharb/qs/commit/727ef5d34605108acb3513f72d5435972ed15b68", + "https://github.com/ljharb/qs/commit/73205259936317b40f447c5cdb71c5b341848e1b", + "https://github.com/ljharb/qs/commit/8b4cc14cda94a5c89341b77e5fe435ec6c41be2d", + "https://github.com/ljharb/qs/commit/ba24e74dd17931f825adb52f5633e48293b584e1", + "https://github.com/ljharb/qs/commit/e799ba57e573a30c14b67c1889c7c04d508b9105", + "https://github.com/ljharb/qs/commit/ed0f5dcbef4b168a8ae299d78b1e4a2e9b1baf1f", + "https://github.com/ljharb/qs/commit/f945393cfe442fe8c6e62b4156fd35452c0686ee", + "https://github.com/ljharb/qs/commit/fc3682776670524a42e19709ec4a8138d0d7afda", + "https://github.com/ljharb/qs/pull/428", + "https://github.com/n8tz/CVE-2022-24999", + 
"https://linux.oracle.com/cve/CVE-2022-24999.html", + "https://linux.oracle.com/errata/ELSA-2023-0050.html", + "https://lists.debian.org/debian-lts-announce/2023/01/msg00039.html", + "https://nvd.nist.gov/vuln/detail/CVE-2022-24999", + "https://security.netapp.com/advisory/ntap-20230908-0005/", + "https://www.cve.org/CVERecord?id=CVE-2022-24999" + ], + "PublishedDate": "2022-11-26T22:15:10.153Z", + "LastModifiedDate": "2023-09-08T17:15:15.687Z" + }, + { + "VulnerabilityID": "CVE-2022-24999", + "PkgID": "qs@6.5.2", + "PkgName": "qs", + "PkgPath": "usr/local/lib/node_modules/npm/node_modules/qs/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/qs@6.5.2", + "UID": "7988bc6857cc9b8f" + }, + "InstalledVersion": "6.5.2", + "FixedVersion": "6.10.3, 6.9.7, 6.8.3, 6.7.3, 6.6.1, 6.5.3, 6.4.1, 6.3.3, 6.2.4", + "Status": "fixed", + "Layer": { + "Digest": "sha256:d0fe2b74aff960282c3c01d80bbbb5b45a12e84f7e2ad3b65daac8f42351d5a6", + "DiffID": "sha256:f8700d3a252fffe60e30bc672e8a6560f30a3ce8816f2ad396020553fe4d9210" + }, + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2022-24999", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Title": "express: \"qs\" prototype poisoning causes the hang of the node process", + "Description": "qs before 6.10.3, as used in Express before 4.17.3 and other products, allows attackers to cause a Node process hang for an Express application because an __ proto__ key can be used. In many typical Express use cases, an unauthenticated remote attacker can place the attack payload in the query string of the URL that is used to visit the application, such as a[__proto__]=b\u0026a[__proto__]\u0026a[length]=100000000. 
The fix was backported to qs 6.9.7, 6.8.3, 6.7.3, 6.6.1, 6.5.3, 6.4.1, 6.3.3, and 6.2.4 (and therefore Express 4.17.3, which has \"deps: qs@6.9.7\" in its release description, is not vulnerable).", + "Severity": "HIGH", + "CweIDs": [ + "CWE-1321" + ], + "VendorSeverity": { + "alma": 2, + "ghsa": 3, + "nvd": 3, + "oracle-oval": 2, + "redhat": 2 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 7.5 + }, + "nvd": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 7.5 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 7.5 + } + }, + "References": [ + "https://access.redhat.com/errata/RHSA-2023:0050", + "https://access.redhat.com/security/cve/CVE-2022-24999", + "https://bugzilla.redhat.com/2044591", + "https://bugzilla.redhat.com/2066009", + "https://bugzilla.redhat.com/2134609", + "https://bugzilla.redhat.com/2140911", + "https://bugzilla.redhat.com/2150323", + "https://errata.almalinux.org/8/ALSA-2023-0050.html", + "https://github.com/expressjs/express/releases/tag/4.17.3", + "https://github.com/ljharb/qs", + "https://github.com/ljharb/qs/commit/4310742efbd8c03f6495f07906b45213da0a32ec", + "https://github.com/ljharb/qs/commit/727ef5d34605108acb3513f72d5435972ed15b68", + "https://github.com/ljharb/qs/commit/73205259936317b40f447c5cdb71c5b341848e1b", + "https://github.com/ljharb/qs/commit/8b4cc14cda94a5c89341b77e5fe435ec6c41be2d", + "https://github.com/ljharb/qs/commit/ba24e74dd17931f825adb52f5633e48293b584e1", + "https://github.com/ljharb/qs/commit/e799ba57e573a30c14b67c1889c7c04d508b9105", + "https://github.com/ljharb/qs/commit/ed0f5dcbef4b168a8ae299d78b1e4a2e9b1baf1f", + "https://github.com/ljharb/qs/commit/f945393cfe442fe8c6e62b4156fd35452c0686ee", + "https://github.com/ljharb/qs/commit/fc3682776670524a42e19709ec4a8138d0d7afda", + "https://github.com/ljharb/qs/pull/428", + "https://github.com/n8tz/CVE-2022-24999", + 
"https://linux.oracle.com/cve/CVE-2022-24999.html", + "https://linux.oracle.com/errata/ELSA-2023-0050.html", + "https://lists.debian.org/debian-lts-announce/2023/01/msg00039.html", + "https://nvd.nist.gov/vuln/detail/CVE-2022-24999", + "https://security.netapp.com/advisory/ntap-20230908-0005/", + "https://www.cve.org/CVERecord?id=CVE-2022-24999" + ], + "PublishedDate": "2022-11-26T22:15:10.153Z", + "LastModifiedDate": "2023-09-08T17:15:15.687Z" + }, + { + "VulnerabilityID": "CVE-2022-24999", + "PkgID": "qs@6.7.0", + "PkgName": "qs", + "PkgPath": "juice-shop/node_modules/qs/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/qs@6.7.0", + "UID": "a8707c07a27fb373" + }, + "InstalledVersion": "6.7.0", + "FixedVersion": "6.10.3, 6.9.7, 6.8.3, 6.7.3, 6.6.1, 6.5.3, 6.4.1, 6.3.3, 6.2.4", + "Status": "fixed", + "Layer": { + "Digest": "sha256:d60b2707975852ac9893dd5f0b9ed98a222f5a8c5b80003dafe8cb2c419d7407", + "DiffID": "sha256:882c984cafed0fa20487f0b4f95474af7d46cff44d735d266633ebcea37e2bd1" + }, + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2022-24999", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Title": "express: \"qs\" prototype poisoning causes the hang of the node process", + "Description": "qs before 6.10.3, as used in Express before 4.17.3 and other products, allows attackers to cause a Node process hang for an Express application because an __ proto__ key can be used. In many typical Express use cases, an unauthenticated remote attacker can place the attack payload in the query string of the URL that is used to visit the application, such as a[__proto__]=b\u0026a[__proto__]\u0026a[length]=100000000. 
The fix was backported to qs 6.9.7, 6.8.3, 6.7.3, 6.6.1, 6.5.3, 6.4.1, 6.3.3, and 6.2.4 (and therefore Express 4.17.3, which has \"deps: qs@6.9.7\" in its release description, is not vulnerable).", + "Severity": "HIGH", + "CweIDs": [ + "CWE-1321" + ], + "VendorSeverity": { + "alma": 2, + "ghsa": 3, + "nvd": 3, + "oracle-oval": 2, + "redhat": 2 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 7.5 + }, + "nvd": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 7.5 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 7.5 + } + }, + "References": [ + "https://access.redhat.com/errata/RHSA-2023:0050", + "https://access.redhat.com/security/cve/CVE-2022-24999", + "https://bugzilla.redhat.com/2044591", + "https://bugzilla.redhat.com/2066009", + "https://bugzilla.redhat.com/2134609", + "https://bugzilla.redhat.com/2140911", + "https://bugzilla.redhat.com/2150323", + "https://errata.almalinux.org/8/ALSA-2023-0050.html", + "https://github.com/expressjs/express/releases/tag/4.17.3", + "https://github.com/ljharb/qs", + "https://github.com/ljharb/qs/commit/4310742efbd8c03f6495f07906b45213da0a32ec", + "https://github.com/ljharb/qs/commit/727ef5d34605108acb3513f72d5435972ed15b68", + "https://github.com/ljharb/qs/commit/73205259936317b40f447c5cdb71c5b341848e1b", + "https://github.com/ljharb/qs/commit/8b4cc14cda94a5c89341b77e5fe435ec6c41be2d", + "https://github.com/ljharb/qs/commit/ba24e74dd17931f825adb52f5633e48293b584e1", + "https://github.com/ljharb/qs/commit/e799ba57e573a30c14b67c1889c7c04d508b9105", + "https://github.com/ljharb/qs/commit/ed0f5dcbef4b168a8ae299d78b1e4a2e9b1baf1f", + "https://github.com/ljharb/qs/commit/f945393cfe442fe8c6e62b4156fd35452c0686ee", + "https://github.com/ljharb/qs/commit/fc3682776670524a42e19709ec4a8138d0d7afda", + "https://github.com/ljharb/qs/pull/428", + "https://github.com/n8tz/CVE-2022-24999", + 
"https://linux.oracle.com/cve/CVE-2022-24999.html", + "https://linux.oracle.com/errata/ELSA-2023-0050.html", + "https://lists.debian.org/debian-lts-announce/2023/01/msg00039.html", + "https://nvd.nist.gov/vuln/detail/CVE-2022-24999", + "https://security.netapp.com/advisory/ntap-20230908-0005/", + "https://www.cve.org/CVERecord?id=CVE-2022-24999" + ], + "PublishedDate": "2022-11-26T22:15:10.153Z", + "LastModifiedDate": "2023-09-08T17:15:15.687Z" + }, + { + "VulnerabilityID": "CVE-2023-28155", + "PkgID": "request@2.88.0", + "PkgName": "request", + "PkgPath": "usr/local/lib/node_modules/npm/node_modules/request/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/request@2.88.0", + "UID": "35acc5474af90254" + }, + "InstalledVersion": "2.88.0", + "Status": "affected", + "Layer": { + "Digest": "sha256:d0fe2b74aff960282c3c01d80bbbb5b45a12e84f7e2ad3b65daac8f42351d5a6", + "DiffID": "sha256:f8700d3a252fffe60e30bc672e8a6560f30a3ce8816f2ad396020553fe4d9210" + }, + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2023-28155", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Title": "The Request package through 2.88.1 for Node.js allows a bypass of SSRF ...", + "Description": "The Request package through 2.88.1 for Node.js allows a bypass of SSRF mitigations via an attacker-controller server that does a cross-protocol redirect (HTTP to HTTPS, or HTTPS to HTTP). 
NOTE: This vulnerability only affects products that are no longer supported by the maintainer.", + "Severity": "MEDIUM", + "CweIDs": [ + "CWE-918" + ], + "VendorSeverity": { + "cbl-mariner": 2, + "ghsa": 2, + "nvd": 2 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", + "V3Score": 6.1 + }, + "nvd": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", + "V3Score": 6.1 + } + }, + "References": [ + "https://doyensec.com/resources/Doyensec_Advisory_RequestSSRF_Q12023.pdf", + "https://github.com/cypress-io/request/blob/master/lib/redirect.js#L116", + "https://github.com/cypress-io/request/commit/c5bcf21d40fb61feaff21a0e5a2b3934a440024f", + "https://github.com/cypress-io/request/pull/28", + "https://github.com/cypress-io/request/releases/tag/v3.0.0", + "https://github.com/github/advisory-database/pull/2500", + "https://github.com/request/request", + "https://github.com/request/request/blob/master/lib/redirect.js#L111", + "https://github.com/request/request/issues/3442", + "https://github.com/request/request/pull/3444", + "https://nvd.nist.gov/vuln/detail/CVE-2023-28155", + "https://security.netapp.com/advisory/ntap-20230413-0007", + "https://security.netapp.com/advisory/ntap-20230413-0007/" + ], + "PublishedDate": "2023-03-16T15:15:11.107Z", + "LastModifiedDate": "2024-08-02T13:15:37.183Z" + }, + { + "VulnerabilityID": "CVE-2023-28155", + "PkgID": "request@2.88.2", + "PkgName": "request", + "PkgPath": "juice-shop/node_modules/request/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/request@2.88.2", + "UID": "406f85740981fc77" + }, + "InstalledVersion": "2.88.2", + "Status": "affected", + "Layer": { + "Digest": "sha256:d60b2707975852ac9893dd5f0b9ed98a222f5a8c5b80003dafe8cb2c419d7407", + "DiffID": "sha256:882c984cafed0fa20487f0b4f95474af7d46cff44d735d266633ebcea37e2bd1" + }, + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2023-28155", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub 
Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Title": "The Request package through 2.88.1 for Node.js allows a bypass of SSRF ...", + "Description": "The Request package through 2.88.1 for Node.js allows a bypass of SSRF mitigations via an attacker-controller server that does a cross-protocol redirect (HTTP to HTTPS, or HTTPS to HTTP). NOTE: This vulnerability only affects products that are no longer supported by the maintainer.", + "Severity": "MEDIUM", + "CweIDs": [ + "CWE-918" + ], + "VendorSeverity": { + "cbl-mariner": 2, + "ghsa": 2, + "nvd": 2 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", + "V3Score": 6.1 + }, + "nvd": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", + "V3Score": 6.1 + } + }, + "References": [ + "https://doyensec.com/resources/Doyensec_Advisory_RequestSSRF_Q12023.pdf", + "https://github.com/cypress-io/request/blob/master/lib/redirect.js#L116", + "https://github.com/cypress-io/request/commit/c5bcf21d40fb61feaff21a0e5a2b3934a440024f", + "https://github.com/cypress-io/request/pull/28", + "https://github.com/cypress-io/request/releases/tag/v3.0.0", + "https://github.com/github/advisory-database/pull/2500", + "https://github.com/request/request", + "https://github.com/request/request/blob/master/lib/redirect.js#L111", + "https://github.com/request/request/issues/3442", + "https://github.com/request/request/pull/3444", + "https://nvd.nist.gov/vuln/detail/CVE-2023-28155", + "https://security.netapp.com/advisory/ntap-20230413-0007", + "https://security.netapp.com/advisory/ntap-20230413-0007/" + ], + "PublishedDate": "2023-03-16T15:15:11.107Z", + "LastModifiedDate": "2024-08-02T13:15:37.183Z" + }, + { + "VulnerabilityID": "CVE-2022-25887", + "PkgID": "sanitize-html@1.4.2", + "PkgName": "sanitize-html", + "PkgPath": "juice-shop/node_modules/sanitize-html/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/sanitize-html@1.4.2", 
+ "UID": "dba6e401aaa6d720" + }, + "InstalledVersion": "1.4.2", + "FixedVersion": "2.7.1", + "Status": "fixed", + "Layer": { + "Digest": "sha256:d60b2707975852ac9893dd5f0b9ed98a222f5a8c5b80003dafe8cb2c419d7407", + "DiffID": "sha256:882c984cafed0fa20487f0b4f95474af7d46cff44d735d266633ebcea37e2bd1" + }, + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2022-25887", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Title": "sanitize-html: insecure global regular expression replacement logic may lead to ReDoS", + "Description": "The package sanitize-html before 2.7.1 are vulnerable to Regular Expression Denial of Service (ReDoS) due to insecure global regular expression replacement logic of HTML comment removal.", + "Severity": "HIGH", + "CweIDs": [ + "CWE-1333" + ], + "VendorSeverity": { + "ghsa": 3, + "nvd": 3, + "redhat": 1 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 7.5 + }, + "nvd": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 7.5 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", + "V3Score": 5.3 + } + }, + "References": [ + "https://access.redhat.com/security/cve/CVE-2022-25887", + "https://github.com/apostrophecms/sanitize-html/commit/b4682c12fd30e12e82fa2d9b766de91d7d2cd23c", + "https://github.com/apostrophecms/sanitize-html/pull/557", + "https://nvd.nist.gov/vuln/detail/CVE-2022-25887", + "https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-3008102", + "https://security.snyk.io/vuln/SNYK-JS-SANITIZEHTML-2957526", + "https://www.cve.org/CVERecord?id=CVE-2022-25887" + ], + "PublishedDate": "2022-08-30T05:15:07.727Z", + "LastModifiedDate": "2023-08-08T14:22:24.967Z" + }, + { + "VulnerabilityID": "CVE-2016-1000237", + "PkgID": "sanitize-html@1.4.2", + "PkgName": "sanitize-html", + "PkgPath": 
"juice-shop/node_modules/sanitize-html/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/sanitize-html@1.4.2", + "UID": "dba6e401aaa6d720" + }, + "InstalledVersion": "1.4.2", + "FixedVersion": "\u003e=1.4.3", + "Status": "fixed", + "Layer": { + "Digest": "sha256:d60b2707975852ac9893dd5f0b9ed98a222f5a8c5b80003dafe8cb2c419d7407", + "DiffID": "sha256:882c984cafed0fa20487f0b4f95474af7d46cff44d735d266633ebcea37e2bd1" + }, + "SeveritySource": "nodejs-security-wg", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2016-1000237", + "DataSource": { + "ID": "nodejs-security-wg", + "Name": "Node.js Ecosystem Security Working Group", + "URL": "https://github.com/nodejs/security-wg" + }, + "Title": "XSS - Sanitization not applied recursively", + "Description": "sanitize-html before 1.4.3 has XSS.", + "Severity": "MEDIUM", + "CweIDs": [ + "CWE-79" + ], + "VendorSeverity": { + "ghsa": 2, + "nodejs-security-wg": 2, + "nvd": 2 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", + "V3Score": 6.1 + }, + "nvd": { + "V2Vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N", + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", + "V2Score": 4.3, + "V3Score": 6.1 + } + }, + "References": [ + "https://github.com/apostrophecms/sanitize-html/commit/762fbc7bba389f3f789cc291c1eb2b64f60f2caf", + "https://github.com/apostrophecms/sanitize-html/issues/29", + "https://github.com/punkave/sanitize-html/issues/29", + "https://nodesecurity.io/advisories/135", + "https://nvd.nist.gov/vuln/detail/CVE-2016-1000237", + "https://raw.githubusercontent.com/distributedweaknessfiling/cvelist/master/2016/1000xxx/CVE-2016-1000237.json", + "https://www.npmjs.com/advisories/135" + ], + "PublishedDate": "2020-01-23T15:15:13.16Z", + "LastModifiedDate": "2020-01-24T19:44:22.967Z" + }, + { + "VulnerabilityID": "CVE-2017-16016", + "PkgID": "sanitize-html@1.4.2", + "PkgName": "sanitize-html", + "PkgPath": "juice-shop/node_modules/sanitize-html/package.json", + "PkgIdentifier": { + 
"PURL": "pkg:npm/sanitize-html@1.4.2", + "UID": "dba6e401aaa6d720" + }, + "InstalledVersion": "1.4.2", + "FixedVersion": "1.11.4", + "Status": "fixed", + "Layer": { + "Digest": "sha256:d60b2707975852ac9893dd5f0b9ed98a222f5a8c5b80003dafe8cb2c419d7407", + "DiffID": "sha256:882c984cafed0fa20487f0b4f95474af7d46cff44d735d266633ebcea37e2bd1" + }, + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2017-16016", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Title": "Cross-Site Scripting in sanitize-html", + "Description": "Sanitize-html is a library for scrubbing html input of malicious values. Versions 1.11.1 and below are vulnerable to cross site scripting (XSS) in certain scenarios: If allowed at least one nonTextTags, the result is a potential XSS vulnerability.", + "Severity": "MEDIUM", + "CweIDs": [ + "CWE-79" + ], + "VendorSeverity": { + "ghsa": 2, + "nvd": 2 + }, + "CVSS": { + "nvd": { + "V2Vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N", + "V3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", + "V2Score": 4.3, + "V3Score": 6.1 + } + }, + "References": [ + "https://github.com/advisories/GHSA-xc6g-ggrc-qq4r", + "https://github.com/punkave/sanitize-html/commit/5d205a1005ba0df80e21d8c64a15bb3accdb2403", + "https://github.com/punkave/sanitize-html/commit/5d205a1005ba0df80e21d8c64a15bb3accdb2403)))", + "https://github.com/punkave/sanitize-html/issues/100", + "https://nodesecurity.io/advisories/154", + "https://npmjs.com/package/sanitize-html#discarding-the-entire-contents-of-a-disallowed-tag", + "https://nvd.nist.gov/vuln/detail/CVE-2017-16016", + "https://www.npmjs.com/advisories/154" + ], + "PublishedDate": "2018-06-04T19:29:01.023Z", + "LastModifiedDate": "2019-10-09T23:24:36.61Z" + }, + { + "VulnerabilityID": "CVE-2021-26539", + "PkgID": "sanitize-html@1.4.2", + "PkgName": "sanitize-html", + "PkgPath": 
"juice-shop/node_modules/sanitize-html/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/sanitize-html@1.4.2", + "UID": "dba6e401aaa6d720" + }, + "InstalledVersion": "1.4.2", + "FixedVersion": "2.3.1", + "Status": "fixed", + "Layer": { + "Digest": "sha256:d60b2707975852ac9893dd5f0b9ed98a222f5a8c5b80003dafe8cb2c419d7407", + "DiffID": "sha256:882c984cafed0fa20487f0b4f95474af7d46cff44d735d266633ebcea37e2bd1" + }, + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2021-26539", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Title": "sanitize-html: improper handling of internationalized domain name (IDN) can lead to bypass hostname whitelist validation", + "Description": "Apostrophe Technologies sanitize-html before 2.3.1 does not properly handle internationalized domain name (IDN) which could allow an attacker to bypass hostname whitelist validation set by the \"allowedIframeHostnames\" option.", + "Severity": "MEDIUM", + "VendorSeverity": { + "ghsa": 2, + "nvd": 2, + "redhat": 2 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", + "V3Score": 5.3 + }, + "nvd": { + "V2Vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N", + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", + "V2Score": 5, + "V3Score": 5.3 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", + "V3Score": 5.3 + } + }, + "References": [ + "https://access.redhat.com/security/cve/CVE-2021-26539", + "https://advisory.checkmarx.net/advisory/CX-2021-4308", + "https://github.com/apostrophecms/sanitize-html", + "https://github.com/apostrophecms/sanitize-html/blob/main/CHANGELOG.md#231-2021-01-22", + "https://github.com/apostrophecms/sanitize-html/commit/bdf7836ef8f0e5b21f9a1aab0623ae8fcd09c1da", + "https://github.com/apostrophecms/sanitize-html/pull/458", + "https://nvd.nist.gov/vuln/detail/CVE-2021-26539", + 
"https://www.cve.org/CVERecord?id=CVE-2021-26539" + ], + "PublishedDate": "2021-02-08T17:15:13.673Z", + "LastModifiedDate": "2022-04-26T15:24:43.517Z" + }, + { + "VulnerabilityID": "CVE-2021-26540", + "PkgID": "sanitize-html@1.4.2", + "PkgName": "sanitize-html", + "PkgPath": "juice-shop/node_modules/sanitize-html/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/sanitize-html@1.4.2", + "UID": "dba6e401aaa6d720" + }, + "InstalledVersion": "1.4.2", + "FixedVersion": "2.3.2", + "Status": "fixed", + "Layer": { + "Digest": "sha256:d60b2707975852ac9893dd5f0b9ed98a222f5a8c5b80003dafe8cb2c419d7407", + "DiffID": "sha256:882c984cafed0fa20487f0b4f95474af7d46cff44d735d266633ebcea37e2bd1" + }, + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2021-26540", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Title": "sanitize-html: improper validation of hostnames set by the \"allowedIframeHostnames\" option can lead to bypass hostname whitelist for iframe element", + "Description": "Apostrophe Technologies sanitize-html before 2.3.2 does not properly validate the hostnames set by the \"allowedIframeHostnames\" option when the \"allowIframeRelativeUrls\" is set to true, which allows attackers to bypass hostname whitelist for iframe element, related using an src value that starts with \"/\\\\example.com\".", + "Severity": "MEDIUM", + "VendorSeverity": { + "ghsa": 2, + "nvd": 2, + "redhat": 2 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", + "V3Score": 5.3 + }, + "nvd": { + "V2Vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N", + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", + "V2Score": 5, + "V3Score": 5.3 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", + "V3Score": 5.3 + } + }, + "References": [ + "https://access.redhat.com/security/cve/CVE-2021-26540", + 
"https://advisory.checkmarx.net/advisory/CX-2021-4309", + "https://github.com/apostrophecms/sanitize-html/blob/main/CHANGELOG.md#232-2021-01-26", + "https://github.com/apostrophecms/sanitize-html/pull/460", + "https://nvd.nist.gov/vuln/detail/CVE-2021-26540", + "https://www.cve.org/CVERecord?id=CVE-2021-26540" + ], + "PublishedDate": "2021-02-08T17:15:13.737Z", + "LastModifiedDate": "2021-04-01T15:02:12.757Z" + }, + { + "VulnerabilityID": "CVE-2024-21501", + "PkgID": "sanitize-html@1.4.2", + "PkgName": "sanitize-html", + "PkgPath": "juice-shop/node_modules/sanitize-html/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/sanitize-html@1.4.2", + "UID": "dba6e401aaa6d720" + }, + "InstalledVersion": "1.4.2", + "FixedVersion": "2.12.1", + "Status": "fixed", + "Layer": { + "Digest": "sha256:d60b2707975852ac9893dd5f0b9ed98a222f5a8c5b80003dafe8cb2c419d7407", + "DiffID": "sha256:882c984cafed0fa20487f0b4f95474af7d46cff44d735d266633ebcea37e2bd1" + }, + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2024-21501", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Title": "sanitize-html: Information Exposure when used on the backend", + "Description": "Versions of the package sanitize-html before 2.12.1 are vulnerable to Information Exposure when used on the backend and with the style attribute allowed, allowing enumeration of files in the system (including project dependencies). 
An attacker could exploit this vulnerability to gather details about the file system structure and dependencies of the targeted server.", + "Severity": "MEDIUM", + "CweIDs": [ + "CWE-200", + "CWE-538" + ], + "VendorSeverity": { + "ghsa": 2, + "redhat": 2 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", + "V3Score": 5.3 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", + "V3Score": 5.3 + } + }, + "References": [ + "https://access.redhat.com/security/cve/CVE-2024-21501", + "https://gist.github.com/Slonser/8b4d061abe6ee1b2e10c7242987674cf", + "https://github.com/apostrophecms/apostrophe/discussions/4436", + "https://github.com/apostrophecms/sanitize-html", + "https://github.com/apostrophecms/sanitize-html/commit/c5dbdf77fe8b836d3bf4554ea39edb45281ec0b4", + "https://github.com/apostrophecms/sanitize-html/pull/650", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4EB5JPYRCTS64EA5AMV3INHDPI6I4AW7", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4EB5JPYRCTS64EA5AMV3INHDPI6I4AW7/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/P4I5X6V3LYUNBMZ5YOW4BV427TH3IK4S", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/P4I5X6V3LYUNBMZ5YOW4BV427TH3IK4S/", + "https://nvd.nist.gov/vuln/detail/CVE-2024-21501", + "https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-6276557", + "https://security.snyk.io/vuln/SNYK-JS-SANITIZEHTML-6256334", + "https://www.cve.org/CVERecord?id=CVE-2024-21501" + ], + "PublishedDate": "2024-02-24T05:15:44.31Z", + "LastModifiedDate": "2024-08-28T18:35:07.823Z" + }, + { + "VulnerabilityID": "NSWG-ECO-154", + "PkgID": "sanitize-html@1.4.2", + "PkgName": "sanitize-html", + "PkgPath": "juice-shop/node_modules/sanitize-html/package.json", + "PkgIdentifier": { + "PURL": 
"pkg:npm/sanitize-html@1.4.2", + "UID": "dba6e401aaa6d720" + }, + "InstalledVersion": "1.4.2", + "FixedVersion": "\u003e=1.11.4", + "Status": "fixed", + "Layer": { + "Digest": "sha256:d60b2707975852ac9893dd5f0b9ed98a222f5a8c5b80003dafe8cb2c419d7407", + "DiffID": "sha256:882c984cafed0fa20487f0b4f95474af7d46cff44d735d266633ebcea37e2bd1" + }, + "SeveritySource": "nodejs-security-wg", + "DataSource": { + "ID": "nodejs-security-wg", + "Name": "Node.js Ecosystem Security Working Group", + "URL": "https://github.com/nodejs/security-wg" + }, + "Title": "Cross Site Scripting", + "Description": "Sanitize-html is a library for scrubbing html input of malicious values.\n\nVersions 1.11.1 and below are vulnerable to cross site scripting (XSS) in certain scenarios:\n\nIf allowed at least one nonTextTags, the result is a potential XSS vulnerability.\nPoC:\n\n```\nvar sanitizeHtml = require('sanitize-html');\n\nvar dirty = '!\u003ctextarea\u003e\u0026lt;/textarea\u0026gt;\u003csvg/onload=prompt`xs`\u0026gt;\u003c/textarea\u003e!';\nvar clean = sanitizeHtml(dirty, {\n allowedTags: [ 'textarea' ]\n});\n\nconsole.log(clean);\n\n// !\u003ctextarea\u003e\u003c/textarea\u003e\u003csvg/onload=prompt`xs`\u003e\u003c/textarea\u003e!\n```", + "Severity": "MEDIUM", + "VendorSeverity": { + "nodejs-security-wg": 2 + }, + "References": [ + "https://github.com/punkave/sanitize-html/commit/5d205a1005ba0df80e21d8c64a15bb3accdb2403", + "https://github.com/punkave/sanitize-html/issues/100" + ] + }, + { + "VulnerabilityID": "CVE-2022-25883", + "PkgID": "semver@5.3.0", + "PkgName": "semver", + "PkgPath": "juice-shop/node_modules/node-gyp/node_modules/semver/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/semver@5.3.0", + "UID": "ec5aea0c6055af29" + }, + "InstalledVersion": "5.3.0", + "FixedVersion": "7.5.2, 6.3.1, 5.7.2", + "Status": "fixed", + "Layer": { + "Digest": "sha256:d60b2707975852ac9893dd5f0b9ed98a222f5a8c5b80003dafe8cb2c419d7407", + "DiffID": 
"sha256:882c984cafed0fa20487f0b4f95474af7d46cff44d735d266633ebcea37e2bd1" + }, + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2022-25883", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Title": "nodejs-semver: Regular expression denial of service", + "Description": "Versions of the package semver before 7.5.2 are vulnerable to Regular Expression Denial of Service (ReDoS) via the function new Range, when untrusted user data is provided as a range.\r\r\r", + "Severity": "HIGH", + "CweIDs": [ + "CWE-1333" + ], + "VendorSeverity": { + "alma": 3, + "amazon": 3, + "cbl-mariner": 3, + "ghsa": 3, + "nvd": 3, + "oracle-oval": 3, + "redhat": 2 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 7.5 + }, + "nvd": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 7.5 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 7.5 + } + }, + "References": [ + "https://access.redhat.com/errata/RHSA-2023:5363", + "https://access.redhat.com/security/cve/CVE-2022-25883", + "https://bugzilla.redhat.com/2216475", + "https://bugzilla.redhat.com/2230948", + "https://bugzilla.redhat.com/2230955", + "https://bugzilla.redhat.com/2230956", + "https://errata.almalinux.org/9/ALSA-2023-5363.html", + "https://github.com/advisories/GHSA-c2qf-rxjj-qqgw", + "https://github.com/npm/node-semver", + "https://github.com/npm/node-semver/blob/main/classes/range.js#L97-L104", + "https://github.com/npm/node-semver/blob/main/classes/range.js%23L97-L104", + "https://github.com/npm/node-semver/blob/main/internal/re.js#L138", + "https://github.com/npm/node-semver/blob/main/internal/re.js#L160", + "https://github.com/npm/node-semver/blob/main/internal/re.js%23L138", + "https://github.com/npm/node-semver/blob/main/internal/re.js%23L160", + 
"https://github.com/npm/node-semver/commit/2f8fd41487acf380194579ecb6f8b1bbfe116be0", + "https://github.com/npm/node-semver/commit/717534ee353682f3bcf33e60a8af4292626d4441", + "https://github.com/npm/node-semver/commit/928e56d21150da0413a3333a3148b20e741a920c", + "https://github.com/npm/node-semver/pull/564", + "https://github.com/npm/node-semver/pull/585", + "https://github.com/npm/node-semver/pull/593", + "https://linux.oracle.com/cve/CVE-2022-25883.html", + "https://linux.oracle.com/errata/ELSA-2023-5363.html", + "https://nvd.nist.gov/vuln/detail/CVE-2022-25883", + "https://security.snyk.io/vuln/SNYK-JS-SEMVER-3247795", + "https://www.cve.org/CVERecord?id=CVE-2022-25883" + ], + "PublishedDate": "2023-06-21T05:15:09.06Z", + "LastModifiedDate": "2023-11-07T03:44:51.993Z" + }, + { + "VulnerabilityID": "CVE-2022-25883", + "PkgID": "semver@5.7.1", + "PkgName": "semver", + "PkgPath": "juice-shop/node_modules/check-dependencies/node_modules/semver/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/semver@5.7.1", + "UID": "755cb6611ac8b8e4" + }, + "InstalledVersion": "5.7.1", + "FixedVersion": "7.5.2, 6.3.1, 5.7.2", + "Status": "fixed", + "Layer": { + "Digest": "sha256:d60b2707975852ac9893dd5f0b9ed98a222f5a8c5b80003dafe8cb2c419d7407", + "DiffID": "sha256:882c984cafed0fa20487f0b4f95474af7d46cff44d735d266633ebcea37e2bd1" + }, + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2022-25883", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Title": "nodejs-semver: Regular expression denial of service", + "Description": "Versions of the package semver before 7.5.2 are vulnerable to Regular Expression Denial of Service (ReDoS) via the function new Range, when untrusted user data is provided as a range.\r\r\r", + "Severity": "HIGH", + "CweIDs": [ + "CWE-1333" + ], + "VendorSeverity": { + "alma": 3, + "amazon": 3, + "cbl-mariner": 3, + 
"ghsa": 3, + "nvd": 3, + "oracle-oval": 3, + "redhat": 2 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 7.5 + }, + "nvd": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 7.5 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 7.5 + } + }, + "References": [ + "https://access.redhat.com/errata/RHSA-2023:5363", + "https://access.redhat.com/security/cve/CVE-2022-25883", + "https://bugzilla.redhat.com/2216475", + "https://bugzilla.redhat.com/2230948", + "https://bugzilla.redhat.com/2230955", + "https://bugzilla.redhat.com/2230956", + "https://errata.almalinux.org/9/ALSA-2023-5363.html", + "https://github.com/advisories/GHSA-c2qf-rxjj-qqgw", + "https://github.com/npm/node-semver", + "https://github.com/npm/node-semver/blob/main/classes/range.js#L97-L104", + "https://github.com/npm/node-semver/blob/main/classes/range.js%23L97-L104", + "https://github.com/npm/node-semver/blob/main/internal/re.js#L138", + "https://github.com/npm/node-semver/blob/main/internal/re.js#L160", + "https://github.com/npm/node-semver/blob/main/internal/re.js%23L138", + "https://github.com/npm/node-semver/blob/main/internal/re.js%23L160", + "https://github.com/npm/node-semver/commit/2f8fd41487acf380194579ecb6f8b1bbfe116be0", + "https://github.com/npm/node-semver/commit/717534ee353682f3bcf33e60a8af4292626d4441", + "https://github.com/npm/node-semver/commit/928e56d21150da0413a3333a3148b20e741a920c", + "https://github.com/npm/node-semver/pull/564", + "https://github.com/npm/node-semver/pull/585", + "https://github.com/npm/node-semver/pull/593", + "https://linux.oracle.com/cve/CVE-2022-25883.html", + "https://linux.oracle.com/errata/ELSA-2023-5363.html", + "https://nvd.nist.gov/vuln/detail/CVE-2022-25883", + "https://security.snyk.io/vuln/SNYK-JS-SEMVER-3247795", + "https://www.cve.org/CVERecord?id=CVE-2022-25883" + ], + "PublishedDate": "2023-06-21T05:15:09.06Z", + 
"LastModifiedDate": "2023-11-07T03:44:51.993Z" + }, + { + "VulnerabilityID": "CVE-2022-25883", + "PkgID": "semver@5.7.1", + "PkgName": "semver", + "PkgPath": "juice-shop/node_modules/make-dir/node_modules/semver/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/semver@5.7.1", + "UID": "593b65762dd0c7de" + }, + "InstalledVersion": "5.7.1", + "FixedVersion": "7.5.2, 6.3.1, 5.7.2", + "Status": "fixed", + "Layer": { + "Digest": "sha256:d60b2707975852ac9893dd5f0b9ed98a222f5a8c5b80003dafe8cb2c419d7407", + "DiffID": "sha256:882c984cafed0fa20487f0b4f95474af7d46cff44d735d266633ebcea37e2bd1" + }, + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2022-25883", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Title": "nodejs-semver: Regular expression denial of service", + "Description": "Versions of the package semver before 7.5.2 are vulnerable to Regular Expression Denial of Service (ReDoS) via the function new Range, when untrusted user data is provided as a range.\r\r\r", + "Severity": "HIGH", + "CweIDs": [ + "CWE-1333" + ], + "VendorSeverity": { + "alma": 3, + "amazon": 3, + "cbl-mariner": 3, + "ghsa": 3, + "nvd": 3, + "oracle-oval": 3, + "redhat": 2 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 7.5 + }, + "nvd": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 7.5 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 7.5 + } + }, + "References": [ + "https://access.redhat.com/errata/RHSA-2023:5363", + "https://access.redhat.com/security/cve/CVE-2022-25883", + "https://bugzilla.redhat.com/2216475", + "https://bugzilla.redhat.com/2230948", + "https://bugzilla.redhat.com/2230955", + "https://bugzilla.redhat.com/2230956", + "https://errata.almalinux.org/9/ALSA-2023-5363.html", + 
"https://github.com/advisories/GHSA-c2qf-rxjj-qqgw", + "https://github.com/npm/node-semver", + "https://github.com/npm/node-semver/blob/main/classes/range.js#L97-L104", + "https://github.com/npm/node-semver/blob/main/classes/range.js%23L97-L104", + "https://github.com/npm/node-semver/blob/main/internal/re.js#L138", + "https://github.com/npm/node-semver/blob/main/internal/re.js#L160", + "https://github.com/npm/node-semver/blob/main/internal/re.js%23L138", + "https://github.com/npm/node-semver/blob/main/internal/re.js%23L160", + "https://github.com/npm/node-semver/commit/2f8fd41487acf380194579ecb6f8b1bbfe116be0", + "https://github.com/npm/node-semver/commit/717534ee353682f3bcf33e60a8af4292626d4441", + "https://github.com/npm/node-semver/commit/928e56d21150da0413a3333a3148b20e741a920c", + "https://github.com/npm/node-semver/pull/564", + "https://github.com/npm/node-semver/pull/585", + "https://github.com/npm/node-semver/pull/593", + "https://linux.oracle.com/cve/CVE-2022-25883.html", + "https://linux.oracle.com/errata/ELSA-2023-5363.html", + "https://nvd.nist.gov/vuln/detail/CVE-2022-25883", + "https://security.snyk.io/vuln/SNYK-JS-SEMVER-3247795", + "https://www.cve.org/CVERecord?id=CVE-2022-25883" + ], + "PublishedDate": "2023-06-21T05:15:09.06Z", + "LastModifiedDate": "2023-11-07T03:44:51.993Z" + }, + { + "VulnerabilityID": "CVE-2022-25883", + "PkgID": "semver@5.7.1", + "PkgName": "semver", + "PkgPath": "juice-shop/node_modules/node-abi/node_modules/semver/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/semver@5.7.1", + "UID": "791fdca13ab40676" + }, + "InstalledVersion": "5.7.1", + "FixedVersion": "7.5.2, 6.3.1, 5.7.2", + "Status": "fixed", + "Layer": { + "Digest": "sha256:d60b2707975852ac9893dd5f0b9ed98a222f5a8c5b80003dafe8cb2c419d7407", + "DiffID": "sha256:882c984cafed0fa20487f0b4f95474af7d46cff44d735d266633ebcea37e2bd1" + }, + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2022-25883", + "DataSource": { + "ID": "ghsa", + 
"Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Title": "nodejs-semver: Regular expression denial of service", + "Description": "Versions of the package semver before 7.5.2 are vulnerable to Regular Expression Denial of Service (ReDoS) via the function new Range, when untrusted user data is provided as a range.\r\r\r", + "Severity": "HIGH", + "CweIDs": [ + "CWE-1333" + ], + "VendorSeverity": { + "alma": 3, + "amazon": 3, + "cbl-mariner": 3, + "ghsa": 3, + "nvd": 3, + "oracle-oval": 3, + "redhat": 2 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 7.5 + }, + "nvd": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 7.5 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 7.5 + } + }, + "References": [ + "https://access.redhat.com/errata/RHSA-2023:5363", + "https://access.redhat.com/security/cve/CVE-2022-25883", + "https://bugzilla.redhat.com/2216475", + "https://bugzilla.redhat.com/2230948", + "https://bugzilla.redhat.com/2230955", + "https://bugzilla.redhat.com/2230956", + "https://errata.almalinux.org/9/ALSA-2023-5363.html", + "https://github.com/advisories/GHSA-c2qf-rxjj-qqgw", + "https://github.com/npm/node-semver", + "https://github.com/npm/node-semver/blob/main/classes/range.js#L97-L104", + "https://github.com/npm/node-semver/blob/main/classes/range.js%23L97-L104", + "https://github.com/npm/node-semver/blob/main/internal/re.js#L138", + "https://github.com/npm/node-semver/blob/main/internal/re.js#L160", + "https://github.com/npm/node-semver/blob/main/internal/re.js%23L138", + "https://github.com/npm/node-semver/blob/main/internal/re.js%23L160", + "https://github.com/npm/node-semver/commit/2f8fd41487acf380194579ecb6f8b1bbfe116be0", + "https://github.com/npm/node-semver/commit/717534ee353682f3bcf33e60a8af4292626d4441", + 
"https://github.com/npm/node-semver/commit/928e56d21150da0413a3333a3148b20e741a920c", + "https://github.com/npm/node-semver/pull/564", + "https://github.com/npm/node-semver/pull/585", + "https://github.com/npm/node-semver/pull/593", + "https://linux.oracle.com/cve/CVE-2022-25883.html", + "https://linux.oracle.com/errata/ELSA-2023-5363.html", + "https://nvd.nist.gov/vuln/detail/CVE-2022-25883", + "https://security.snyk.io/vuln/SNYK-JS-SEMVER-3247795", + "https://www.cve.org/CVERecord?id=CVE-2022-25883" + ], + "PublishedDate": "2023-06-21T05:15:09.06Z", + "LastModifiedDate": "2023-11-07T03:44:51.993Z" + }, + { + "VulnerabilityID": "CVE-2022-25883", + "PkgID": "semver@5.7.1", + "PkgName": "semver", + "PkgPath": "juice-shop/node_modules/node-pre-gyp/node_modules/semver/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/semver@5.7.1", + "UID": "b9293965c5dfdb21" + }, + "InstalledVersion": "5.7.1", + "FixedVersion": "7.5.2, 6.3.1, 5.7.2", + "Status": "fixed", + "Layer": { + "Digest": "sha256:d60b2707975852ac9893dd5f0b9ed98a222f5a8c5b80003dafe8cb2c419d7407", + "DiffID": "sha256:882c984cafed0fa20487f0b4f95474af7d46cff44d735d266633ebcea37e2bd1" + }, + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2022-25883", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Title": "nodejs-semver: Regular expression denial of service", + "Description": "Versions of the package semver before 7.5.2 are vulnerable to Regular Expression Denial of Service (ReDoS) via the function new Range, when untrusted user data is provided as a range.\r\r\r", + "Severity": "HIGH", + "CweIDs": [ + "CWE-1333" + ], + "VendorSeverity": { + "alma": 3, + "amazon": 3, + "cbl-mariner": 3, + "ghsa": 3, + "nvd": 3, + "oracle-oval": 3, + "redhat": 2 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 7.5 + }, + "nvd": { + 
"V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 7.5 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 7.5 + } + }, + "References": [ + "https://access.redhat.com/errata/RHSA-2023:5363", + "https://access.redhat.com/security/cve/CVE-2022-25883", + "https://bugzilla.redhat.com/2216475", + "https://bugzilla.redhat.com/2230948", + "https://bugzilla.redhat.com/2230955", + "https://bugzilla.redhat.com/2230956", + "https://errata.almalinux.org/9/ALSA-2023-5363.html", + "https://github.com/advisories/GHSA-c2qf-rxjj-qqgw", + "https://github.com/npm/node-semver", + "https://github.com/npm/node-semver/blob/main/classes/range.js#L97-L104", + "https://github.com/npm/node-semver/blob/main/classes/range.js%23L97-L104", + "https://github.com/npm/node-semver/blob/main/internal/re.js#L138", + "https://github.com/npm/node-semver/blob/main/internal/re.js#L160", + "https://github.com/npm/node-semver/blob/main/internal/re.js%23L138", + "https://github.com/npm/node-semver/blob/main/internal/re.js%23L160", + "https://github.com/npm/node-semver/commit/2f8fd41487acf380194579ecb6f8b1bbfe116be0", + "https://github.com/npm/node-semver/commit/717534ee353682f3bcf33e60a8af4292626d4441", + "https://github.com/npm/node-semver/commit/928e56d21150da0413a3333a3148b20e741a920c", + "https://github.com/npm/node-semver/pull/564", + "https://github.com/npm/node-semver/pull/585", + "https://github.com/npm/node-semver/pull/593", + "https://linux.oracle.com/cve/CVE-2022-25883.html", + "https://linux.oracle.com/errata/ELSA-2023-5363.html", + "https://nvd.nist.gov/vuln/detail/CVE-2022-25883", + "https://security.snyk.io/vuln/SNYK-JS-SEMVER-3247795", + "https://www.cve.org/CVERecord?id=CVE-2022-25883" + ], + "PublishedDate": "2023-06-21T05:15:09.06Z", + "LastModifiedDate": "2023-11-07T03:44:51.993Z" + }, + { + "VulnerabilityID": "CVE-2022-25883", + "PkgID": "semver@5.7.1", + "PkgName": "semver", + "PkgPath": 
"juice-shop/node_modules/normalize-package-data/node_modules/semver/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/semver@5.7.1", + "UID": "80c242f72b0892c" + }, + "InstalledVersion": "5.7.1", + "FixedVersion": "7.5.2, 6.3.1, 5.7.2", + "Status": "fixed", + "Layer": { + "Digest": "sha256:d60b2707975852ac9893dd5f0b9ed98a222f5a8c5b80003dafe8cb2c419d7407", + "DiffID": "sha256:882c984cafed0fa20487f0b4f95474af7d46cff44d735d266633ebcea37e2bd1" + }, + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2022-25883", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Title": "nodejs-semver: Regular expression denial of service", + "Description": "Versions of the package semver before 7.5.2 are vulnerable to Regular Expression Denial of Service (ReDoS) via the function new Range, when untrusted user data is provided as a range.\r\r\r", + "Severity": "HIGH", + "CweIDs": [ + "CWE-1333" + ], + "VendorSeverity": { + "alma": 3, + "amazon": 3, + "cbl-mariner": 3, + "ghsa": 3, + "nvd": 3, + "oracle-oval": 3, + "redhat": 2 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 7.5 + }, + "nvd": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 7.5 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 7.5 + } + }, + "References": [ + "https://access.redhat.com/errata/RHSA-2023:5363", + "https://access.redhat.com/security/cve/CVE-2022-25883", + "https://bugzilla.redhat.com/2216475", + "https://bugzilla.redhat.com/2230948", + "https://bugzilla.redhat.com/2230955", + "https://bugzilla.redhat.com/2230956", + "https://errata.almalinux.org/9/ALSA-2023-5363.html", + "https://github.com/advisories/GHSA-c2qf-rxjj-qqgw", + "https://github.com/npm/node-semver", + "https://github.com/npm/node-semver/blob/main/classes/range.js#L97-L104", + 
"https://github.com/npm/node-semver/blob/main/classes/range.js%23L97-L104", + "https://github.com/npm/node-semver/blob/main/internal/re.js#L138", + "https://github.com/npm/node-semver/blob/main/internal/re.js#L160", + "https://github.com/npm/node-semver/blob/main/internal/re.js%23L138", + "https://github.com/npm/node-semver/blob/main/internal/re.js%23L160", + "https://github.com/npm/node-semver/commit/2f8fd41487acf380194579ecb6f8b1bbfe116be0", + "https://github.com/npm/node-semver/commit/717534ee353682f3bcf33e60a8af4292626d4441", + "https://github.com/npm/node-semver/commit/928e56d21150da0413a3333a3148b20e741a920c", + "https://github.com/npm/node-semver/pull/564", + "https://github.com/npm/node-semver/pull/585", + "https://github.com/npm/node-semver/pull/593", + "https://linux.oracle.com/cve/CVE-2022-25883.html", + "https://linux.oracle.com/errata/ELSA-2023-5363.html", + "https://nvd.nist.gov/vuln/detail/CVE-2022-25883", + "https://security.snyk.io/vuln/SNYK-JS-SEMVER-3247795", + "https://www.cve.org/CVERecord?id=CVE-2022-25883" + ], + "PublishedDate": "2023-06-21T05:15:09.06Z", + "LastModifiedDate": "2023-11-07T03:44:51.993Z" + }, + { + "VulnerabilityID": "CVE-2022-25883", + "PkgID": "semver@5.7.1", + "PkgName": "semver", + "PkgPath": "juice-shop/node_modules/sqlite3/node_modules/semver/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/semver@5.7.1", + "UID": "46cd6acbe6b27172" + }, + "InstalledVersion": "5.7.1", + "FixedVersion": "7.5.2, 6.3.1, 5.7.2", + "Status": "fixed", + "Layer": { + "Digest": "sha256:d60b2707975852ac9893dd5f0b9ed98a222f5a8c5b80003dafe8cb2c419d7407", + "DiffID": "sha256:882c984cafed0fa20487f0b4f95474af7d46cff44d735d266633ebcea37e2bd1" + }, + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2022-25883", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Title": "nodejs-semver: Regular expression denial 
of service", + "Description": "Versions of the package semver before 7.5.2 are vulnerable to Regular Expression Denial of Service (ReDoS) via the function new Range, when untrusted user data is provided as a range.\r\r\r", + "Severity": "HIGH", + "CweIDs": [ + "CWE-1333" + ], + "VendorSeverity": { + "alma": 3, + "amazon": 3, + "cbl-mariner": 3, + "ghsa": 3, + "nvd": 3, + "oracle-oval": 3, + "redhat": 2 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 7.5 + }, + "nvd": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 7.5 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 7.5 + } + }, + "References": [ + "https://access.redhat.com/errata/RHSA-2023:5363", + "https://access.redhat.com/security/cve/CVE-2022-25883", + "https://bugzilla.redhat.com/2216475", + "https://bugzilla.redhat.com/2230948", + "https://bugzilla.redhat.com/2230955", + "https://bugzilla.redhat.com/2230956", + "https://errata.almalinux.org/9/ALSA-2023-5363.html", + "https://github.com/advisories/GHSA-c2qf-rxjj-qqgw", + "https://github.com/npm/node-semver", + "https://github.com/npm/node-semver/blob/main/classes/range.js#L97-L104", + "https://github.com/npm/node-semver/blob/main/classes/range.js%23L97-L104", + "https://github.com/npm/node-semver/blob/main/internal/re.js#L138", + "https://github.com/npm/node-semver/blob/main/internal/re.js#L160", + "https://github.com/npm/node-semver/blob/main/internal/re.js%23L138", + "https://github.com/npm/node-semver/blob/main/internal/re.js%23L160", + "https://github.com/npm/node-semver/commit/2f8fd41487acf380194579ecb6f8b1bbfe116be0", + "https://github.com/npm/node-semver/commit/717534ee353682f3bcf33e60a8af4292626d4441", + "https://github.com/npm/node-semver/commit/928e56d21150da0413a3333a3148b20e741a920c", + "https://github.com/npm/node-semver/pull/564", + "https://github.com/npm/node-semver/pull/585", + 
"https://github.com/npm/node-semver/pull/593", + "https://linux.oracle.com/cve/CVE-2022-25883.html", + "https://linux.oracle.com/errata/ELSA-2023-5363.html", + "https://nvd.nist.gov/vuln/detail/CVE-2022-25883", + "https://security.snyk.io/vuln/SNYK-JS-SEMVER-3247795", + "https://www.cve.org/CVERecord?id=CVE-2022-25883" + ], + "PublishedDate": "2023-06-21T05:15:09.06Z", + "LastModifiedDate": "2023-11-07T03:44:51.993Z" + }, + { + "VulnerabilityID": "CVE-2022-25883", + "PkgID": "semver@5.7.1", + "PkgName": "semver", + "PkgPath": "usr/local/lib/node_modules/npm/node_modules/semver/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/semver@5.7.1", + "UID": "498c93d70350dfd5" + }, + "InstalledVersion": "5.7.1", + "FixedVersion": "7.5.2, 6.3.1, 5.7.2", + "Status": "fixed", + "Layer": { + "Digest": "sha256:d0fe2b74aff960282c3c01d80bbbb5b45a12e84f7e2ad3b65daac8f42351d5a6", + "DiffID": "sha256:f8700d3a252fffe60e30bc672e8a6560f30a3ce8816f2ad396020553fe4d9210" + }, + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2022-25883", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Title": "nodejs-semver: Regular expression denial of service", + "Description": "Versions of the package semver before 7.5.2 are vulnerable to Regular Expression Denial of Service (ReDoS) via the function new Range, when untrusted user data is provided as a range.\r\r\r", + "Severity": "HIGH", + "CweIDs": [ + "CWE-1333" + ], + "VendorSeverity": { + "alma": 3, + "amazon": 3, + "cbl-mariner": 3, + "ghsa": 3, + "nvd": 3, + "oracle-oval": 3, + "redhat": 2 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 7.5 + }, + "nvd": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 7.5 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 7.5 + } + }, + 
"References": [ + "https://access.redhat.com/errata/RHSA-2023:5363", + "https://access.redhat.com/security/cve/CVE-2022-25883", + "https://bugzilla.redhat.com/2216475", + "https://bugzilla.redhat.com/2230948", + "https://bugzilla.redhat.com/2230955", + "https://bugzilla.redhat.com/2230956", + "https://errata.almalinux.org/9/ALSA-2023-5363.html", + "https://github.com/advisories/GHSA-c2qf-rxjj-qqgw", + "https://github.com/npm/node-semver", + "https://github.com/npm/node-semver/blob/main/classes/range.js#L97-L104", + "https://github.com/npm/node-semver/blob/main/classes/range.js%23L97-L104", + "https://github.com/npm/node-semver/blob/main/internal/re.js#L138", + "https://github.com/npm/node-semver/blob/main/internal/re.js#L160", + "https://github.com/npm/node-semver/blob/main/internal/re.js%23L138", + "https://github.com/npm/node-semver/blob/main/internal/re.js%23L160", + "https://github.com/npm/node-semver/commit/2f8fd41487acf380194579ecb6f8b1bbfe116be0", + "https://github.com/npm/node-semver/commit/717534ee353682f3bcf33e60a8af4292626d4441", + "https://github.com/npm/node-semver/commit/928e56d21150da0413a3333a3148b20e741a920c", + "https://github.com/npm/node-semver/pull/564", + "https://github.com/npm/node-semver/pull/585", + "https://github.com/npm/node-semver/pull/593", + "https://linux.oracle.com/cve/CVE-2022-25883.html", + "https://linux.oracle.com/errata/ELSA-2023-5363.html", + "https://nvd.nist.gov/vuln/detail/CVE-2022-25883", + "https://security.snyk.io/vuln/SNYK-JS-SEMVER-3247795", + "https://www.cve.org/CVERecord?id=CVE-2022-25883" + ], + "PublishedDate": "2023-06-21T05:15:09.06Z", + "LastModifiedDate": "2023-11-07T03:44:51.993Z" + }, + { + "VulnerabilityID": "CVE-2022-25883", + "PkgID": "semver@6.3.0", + "PkgName": "semver", + "PkgPath": "juice-shop/node_modules/libxmljs2/node_modules/make-dir/node_modules/semver/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/semver@6.3.0", + "UID": "6c5e2eca4bb146cc" + }, + "InstalledVersion": "6.3.0", + 
"FixedVersion": "7.5.2, 6.3.1, 5.7.2", + "Status": "fixed", + "Layer": { + "Digest": "sha256:d60b2707975852ac9893dd5f0b9ed98a222f5a8c5b80003dafe8cb2c419d7407", + "DiffID": "sha256:882c984cafed0fa20487f0b4f95474af7d46cff44d735d266633ebcea37e2bd1" + }, + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2022-25883", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Title": "nodejs-semver: Regular expression denial of service", + "Description": "Versions of the package semver before 7.5.2 are vulnerable to Regular Expression Denial of Service (ReDoS) via the function new Range, when untrusted user data is provided as a range.\r\r\r", + "Severity": "HIGH", + "CweIDs": [ + "CWE-1333" + ], + "VendorSeverity": { + "alma": 3, + "amazon": 3, + "cbl-mariner": 3, + "ghsa": 3, + "nvd": 3, + "oracle-oval": 3, + "redhat": 2 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 7.5 + }, + "nvd": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 7.5 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 7.5 + } + }, + "References": [ + "https://access.redhat.com/errata/RHSA-2023:5363", + "https://access.redhat.com/security/cve/CVE-2022-25883", + "https://bugzilla.redhat.com/2216475", + "https://bugzilla.redhat.com/2230948", + "https://bugzilla.redhat.com/2230955", + "https://bugzilla.redhat.com/2230956", + "https://errata.almalinux.org/9/ALSA-2023-5363.html", + "https://github.com/advisories/GHSA-c2qf-rxjj-qqgw", + "https://github.com/npm/node-semver", + "https://github.com/npm/node-semver/blob/main/classes/range.js#L97-L104", + "https://github.com/npm/node-semver/blob/main/classes/range.js%23L97-L104", + "https://github.com/npm/node-semver/blob/main/internal/re.js#L138", + 
"https://github.com/npm/node-semver/blob/main/internal/re.js#L160", + "https://github.com/npm/node-semver/blob/main/internal/re.js%23L138", + "https://github.com/npm/node-semver/blob/main/internal/re.js%23L160", + "https://github.com/npm/node-semver/commit/2f8fd41487acf380194579ecb6f8b1bbfe116be0", + "https://github.com/npm/node-semver/commit/717534ee353682f3bcf33e60a8af4292626d4441", + "https://github.com/npm/node-semver/commit/928e56d21150da0413a3333a3148b20e741a920c", + "https://github.com/npm/node-semver/pull/564", + "https://github.com/npm/node-semver/pull/585", + "https://github.com/npm/node-semver/pull/593", + "https://linux.oracle.com/cve/CVE-2022-25883.html", + "https://linux.oracle.com/errata/ELSA-2023-5363.html", + "https://nvd.nist.gov/vuln/detail/CVE-2022-25883", + "https://security.snyk.io/vuln/SNYK-JS-SEMVER-3247795", + "https://www.cve.org/CVERecord?id=CVE-2022-25883" + ], + "PublishedDate": "2023-06-21T05:15:09.06Z", + "LastModifiedDate": "2023-11-07T03:44:51.993Z" + }, + { + "VulnerabilityID": "CVE-2022-25883", + "PkgID": "semver@7.3.5", + "PkgName": "semver", + "PkgPath": "juice-shop/node_modules/semver/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/semver@7.3.5", + "UID": "aad91340cfcadea" + }, + "InstalledVersion": "7.3.5", + "FixedVersion": "7.5.2, 6.3.1, 5.7.2", + "Status": "fixed", + "Layer": { + "Digest": "sha256:d60b2707975852ac9893dd5f0b9ed98a222f5a8c5b80003dafe8cb2c419d7407", + "DiffID": "sha256:882c984cafed0fa20487f0b4f95474af7d46cff44d735d266633ebcea37e2bd1" + }, + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2022-25883", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Title": "nodejs-semver: Regular expression denial of service", + "Description": "Versions of the package semver before 7.5.2 are vulnerable to Regular Expression Denial of Service (ReDoS) via the function new Range, when 
untrusted user data is provided as a range.\r\r\r", + "Severity": "HIGH", + "CweIDs": [ + "CWE-1333" + ], + "VendorSeverity": { + "alma": 3, + "amazon": 3, + "cbl-mariner": 3, + "ghsa": 3, + "nvd": 3, + "oracle-oval": 3, + "redhat": 2 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 7.5 + }, + "nvd": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 7.5 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 7.5 + } + }, + "References": [ + "https://access.redhat.com/errata/RHSA-2023:5363", + "https://access.redhat.com/security/cve/CVE-2022-25883", + "https://bugzilla.redhat.com/2216475", + "https://bugzilla.redhat.com/2230948", + "https://bugzilla.redhat.com/2230955", + "https://bugzilla.redhat.com/2230956", + "https://errata.almalinux.org/9/ALSA-2023-5363.html", + "https://github.com/advisories/GHSA-c2qf-rxjj-qqgw", + "https://github.com/npm/node-semver", + "https://github.com/npm/node-semver/blob/main/classes/range.js#L97-L104", + "https://github.com/npm/node-semver/blob/main/classes/range.js%23L97-L104", + "https://github.com/npm/node-semver/blob/main/internal/re.js#L138", + "https://github.com/npm/node-semver/blob/main/internal/re.js#L160", + "https://github.com/npm/node-semver/blob/main/internal/re.js%23L138", + "https://github.com/npm/node-semver/blob/main/internal/re.js%23L160", + "https://github.com/npm/node-semver/commit/2f8fd41487acf380194579ecb6f8b1bbfe116be0", + "https://github.com/npm/node-semver/commit/717534ee353682f3bcf33e60a8af4292626d4441", + "https://github.com/npm/node-semver/commit/928e56d21150da0413a3333a3148b20e741a920c", + "https://github.com/npm/node-semver/pull/564", + "https://github.com/npm/node-semver/pull/585", + "https://github.com/npm/node-semver/pull/593", + "https://linux.oracle.com/cve/CVE-2022-25883.html", + "https://linux.oracle.com/errata/ELSA-2023-5363.html", + 
"https://nvd.nist.gov/vuln/detail/CVE-2022-25883", + "https://security.snyk.io/vuln/SNYK-JS-SEMVER-3247795", + "https://www.cve.org/CVERecord?id=CVE-2022-25883" + ], + "PublishedDate": "2023-06-21T05:15:09.06Z", + "LastModifiedDate": "2023-11-07T03:44:51.993Z" + }, + { + "VulnerabilityID": "CVE-2024-43799", + "PkgID": "send@0.17.1", + "PkgName": "send", + "PkgPath": "juice-shop/node_modules/send/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/send@0.17.1", + "UID": "12e49f5658967055" + }, + "InstalledVersion": "0.17.1", + "FixedVersion": "0.19.0", + "Status": "fixed", + "Layer": { + "Digest": "sha256:d60b2707975852ac9893dd5f0b9ed98a222f5a8c5b80003dafe8cb2c419d7407", + "DiffID": "sha256:882c984cafed0fa20487f0b4f95474af7d46cff44d735d266633ebcea37e2bd1" + }, + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2024-43799", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Title": "send: Code Execution Vulnerability in Send Library", + "Description": "Send is a library for streaming files from the file system as a http response. Send passes untrusted user input to SendStream.redirect() which executes untrusted code. 
This issue is patched in send 0.19.0.", + "Severity": "MEDIUM", + "CweIDs": [ + "CWE-79" + ], + "VendorSeverity": { + "cbl-mariner": 2, + "ghsa": 2, + "nvd": 2, + "redhat": 2 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L", + "V3Score": 5 + }, + "nvd": { + "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N", + "V3Score": 4.7 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L", + "V3Score": 5 + } + }, + "References": [ + "https://access.redhat.com/security/cve/CVE-2024-43799", + "https://github.com/pillarjs/send", + "https://github.com/pillarjs/send/commit/ae4f2989491b392ae2ef3b0015a019770ae65d35", + "https://github.com/pillarjs/send/security/advisories/GHSA-m6fv-jmcg-4jfg", + "https://nvd.nist.gov/vuln/detail/CVE-2024-43799", + "https://www.cve.org/CVERecord?id=CVE-2024-43799" + ], + "PublishedDate": "2024-09-10T15:15:17.727Z", + "LastModifiedDate": "2024-09-20T16:57:14.687Z" + }, + { + "VulnerabilityID": "CVE-2023-22578", + "PkgID": "sequelize@6.7.0", + "PkgName": "sequelize", + "PkgPath": "juice-shop/node_modules/sequelize/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/sequelize@6.7.0", + "UID": "aedcfe7893558eae" + }, + "InstalledVersion": "6.7.0", + "FixedVersion": "6.29.0", + "Status": "fixed", + "Layer": { + "Digest": "sha256:d60b2707975852ac9893dd5f0b9ed98a222f5a8c5b80003dafe8cb2c419d7407", + "DiffID": "sha256:882c984cafed0fa20487f0b4f95474af7d46cff44d735d266633ebcea37e2bd1" + }, + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2023-22578", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Title": "Sequelize - Default support for “raw attributes” when using parentheses", + "Description": "Due to improper artibute filtering in the sequalize js library, can a attacker peform SQL injections.", + "Severity": "CRITICAL", + "CweIDs": [ + 
"CWE-790" + ], + "VendorSeverity": { + "ghsa": 4, + "nvd": 4 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", + "V3Score": 10 + }, + "nvd": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "V3Score": 9.8 + } + }, + "References": [ + "https://csirt.divd.nl/CVE-2023-22578", + "https://csirt.divd.nl/DIVD-2022-00020", + "https://csirt.divd.nl/DIVD-2022-00020/", + "https://github.com/sequelize/sequelize", + "https://github.com/sequelize/sequelize/discussions/15694", + "https://github.com/sequelize/sequelize/pull/15710", + "https://github.com/sequelize/sequelize/releases/tag/v6.29.0", + "https://github.com/sequelize/sequelize/releases/tag/v7.0.0-alpha.20", + "https://github.com/sequelize/sequelize/security/advisories/GHSA-f598-mfpv-gmfx", + "https://nvd.nist.gov/vuln/detail/CVE-2023-22578" + ], + "PublishedDate": "2023-02-16T15:15:18.16Z", + "LastModifiedDate": "2023-03-03T19:23:56.89Z" + }, + { + "VulnerabilityID": "CVE-2023-22579", + "PkgID": "sequelize@6.7.0", + "PkgName": "sequelize", + "PkgPath": "juice-shop/node_modules/sequelize/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/sequelize@6.7.0", + "UID": "aedcfe7893558eae" + }, + "InstalledVersion": "6.7.0", + "FixedVersion": "6.28.1", + "Status": "fixed", + "Layer": { + "Digest": "sha256:d60b2707975852ac9893dd5f0b9ed98a222f5a8c5b80003dafe8cb2c419d7407", + "DiffID": "sha256:882c984cafed0fa20487f0b4f95474af7d46cff44d735d266633ebcea37e2bd1" + }, + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2023-22579", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Title": "Unsafe fall-through in getWhereConditions", + "Description": "Due to improper parameter filtering in the sequalize js library, can a attacker peform injection.", + "Severity": "CRITICAL", + "CweIDs": [ + "CWE-843" + ], + "VendorSeverity": { + "ghsa": 4, + 
"nvd": 3 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", + "V3Score": 10 + }, + "nvd": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "V3Score": 8.8 + } + }, + "References": [ + "https://csirt.divd.nl/CVE-2023-22579", + "https://csirt.divd.nl/DIVD-2022-00020", + "https://csirt.divd.nl/DIVD-2022-00020/", + "https://github.com/sequelize/sequelize", + "https://github.com/sequelize/sequelize/discussions/15698", + "https://github.com/sequelize/sequelize/pull/15375", + "https://github.com/sequelize/sequelize/pull/15699", + "https://github.com/sequelize/sequelize/releases/tag/v6.28.1", + "https://github.com/sequelize/sequelize/releases/tag/v7.0.0-alpha.20", + "https://github.com/sequelize/sequelize/security/advisories/GHSA-vqfx-gj96-3w95", + "https://nvd.nist.gov/vuln/detail/CVE-2023-22579" + ], + "PublishedDate": "2023-02-16T15:15:18.46Z", + "LastModifiedDate": "2023-04-28T18:50:21Z" + }, + { + "VulnerabilityID": "CVE-2023-25813", + "PkgID": "sequelize@6.7.0", + "PkgName": "sequelize", + "PkgPath": "juice-shop/node_modules/sequelize/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/sequelize@6.7.0", + "UID": "aedcfe7893558eae" + }, + "InstalledVersion": "6.7.0", + "FixedVersion": "6.19.1", + "Status": "fixed", + "Layer": { + "Digest": "sha256:d60b2707975852ac9893dd5f0b9ed98a222f5a8c5b80003dafe8cb2c419d7407", + "DiffID": "sha256:882c984cafed0fa20487f0b4f95474af7d46cff44d735d266633ebcea37e2bd1" + }, + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2023-25813", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Title": "Sequelize vulnerable to SQL Injection via replacements", + "Description": "Sequelize is a Node.js ORM tool. In versions prior to 6.19.1 a SQL injection exploit exists related to replacements. 
Parameters which are passed through replacements are not properly escaped which can lead to arbitrary SQL injection depending on the specific queries in use. The issue has been fixed in Sequelize 6.19.1. Users are advised to upgrade. Users unable to upgrade should not use the `replacements` and the `where` option in the same query.", + "Severity": "CRITICAL", + "CweIDs": [ + "CWE-89" + ], + "VendorSeverity": { + "ghsa": 4, + "nvd": 4 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", + "V3Score": 10 + }, + "nvd": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "V3Score": 9.8 + } + }, + "References": [ + "https://github.com/sequelize/sequelize", + "https://github.com/sequelize/sequelize/commit/ccaa3996047fe00048d5993ab2dd43ebadd4f78b", + "https://github.com/sequelize/sequelize/issues/14519", + "https://github.com/sequelize/sequelize/releases/tag/v6.19.1", + "https://github.com/sequelize/sequelize/security/advisories/GHSA-wrh9-cjv3-2hpw", + "https://nvd.nist.gov/vuln/detail/CVE-2023-25813", + "https://security.snyk.io/vuln/SNYK-JS-SEQUELIZE-2932027" + ], + "PublishedDate": "2023-02-22T19:15:11.777Z", + "LastModifiedDate": "2023-03-03T02:04:19.6Z" + }, + { + "VulnerabilityID": "CVE-2023-22580", + "PkgID": "sequelize@6.7.0", + "PkgName": "sequelize", + "PkgPath": "juice-shop/node_modules/sequelize/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/sequelize@6.7.0", + "UID": "aedcfe7893558eae" + }, + "InstalledVersion": "6.7.0", + "FixedVersion": "6.28.1", + "Status": "fixed", + "Layer": { + "Digest": "sha256:d60b2707975852ac9893dd5f0b9ed98a222f5a8c5b80003dafe8cb2c419d7407", + "DiffID": "sha256:882c984cafed0fa20487f0b4f95474af7d46cff44d735d266633ebcea37e2bd1" + }, + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2023-22580", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, 
+ "Title": "Sequelize information disclosure vulnerability", + "Description": "Due to improper input filtering in the sequalize js library, can malicious queries lead to sensitive information disclosure.", + "Severity": "MEDIUM", + "CweIDs": [ + "CWE-200" + ], + "VendorSeverity": { + "ghsa": 2, + "nvd": 3 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", + "V3Score": 5.3 + }, + "nvd": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", + "V3Score": 7.5 + } + }, + "References": [ + "https://csirt.divd.nl/CVE-2023-22580", + "https://csirt.divd.nl/DIVD-2022-00020", + "https://csirt.divd.nl/DIVD-2022-00020/", + "https://github.com/sequelize/sequelize", + "https://github.com/sequelize/sequelize/pull/15375", + "https://github.com/sequelize/sequelize/pull/15699", + "https://github.com/sequelize/sequelize/releases/tag/v6.28.1", + "https://github.com/sequelize/sequelize/releases/tag/v7.0.0-alpha.20", + "https://nvd.nist.gov/vuln/detail/CVE-2023-22580" + ], + "PublishedDate": "2023-02-16T15:15:18.727Z", + "LastModifiedDate": "2023-04-28T18:52:21.847Z" + }, + { + "VulnerabilityID": "CVE-2024-43800", + "PkgID": "serve-static@1.14.1", + "PkgName": "serve-static", + "PkgPath": "juice-shop/node_modules/serve-static/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/serve-static@1.14.1", + "UID": "64ee99b4a44131f2" + }, + "InstalledVersion": "1.14.1", + "FixedVersion": "1.16.0, 2.1.0", + "Status": "fixed", + "Layer": { + "Digest": "sha256:d60b2707975852ac9893dd5f0b9ed98a222f5a8c5b80003dafe8cb2c419d7407", + "DiffID": "sha256:882c984cafed0fa20487f0b4f95474af7d46cff44d735d266633ebcea37e2bd1" + }, + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2024-43800", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Title": "serve-static: Improper Sanitization in serve-static", + "Description": 
"serve-static serves static files. serve-static passes untrusted user input - even after sanitizing it - to redirect() may execute untrusted code. This issue is patched in serve-static 1.16.0.", + "Severity": "MEDIUM", + "CweIDs": [ + "CWE-79" + ], + "VendorSeverity": { + "cbl-mariner": 2, + "ghsa": 2, + "nvd": 2, + "redhat": 2 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L", + "V3Score": 5 + }, + "nvd": { + "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N", + "V3Score": 4.7 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L", + "V3Score": 5 + } + }, + "References": [ + "https://access.redhat.com/security/cve/CVE-2024-43800", + "https://github.com/expressjs/serve-static", + "https://github.com/expressjs/serve-static/commit/0c11fad159898cdc69fd9ab63269b72468ecaf6b", + "https://github.com/expressjs/serve-static/commit/ce730896fddce1588111d9ef6fdf20896de5c6fa", + "https://github.com/expressjs/serve-static/security/advisories/GHSA-cm22-4g7w-348p", + "https://nvd.nist.gov/vuln/detail/CVE-2024-43800", + "https://www.cve.org/CVERecord?id=CVE-2024-43800" + ], + "PublishedDate": "2024-09-10T15:15:17.937Z", + "LastModifiedDate": "2024-09-20T17:36:30.313Z" + }, + { + "VulnerabilityID": "CVE-2022-0355", + "PkgID": "simple-get@3.1.0", + "PkgName": "simple-get", + "PkgPath": "juice-shop/node_modules/simple-get/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/simple-get@3.1.0", + "UID": "c18cc4cf6edbcc91" + }, + "InstalledVersion": "3.1.0", + "FixedVersion": "4.0.1, 3.1.1, 2.8.2", + "Status": "fixed", + "Layer": { + "Digest": "sha256:d60b2707975852ac9893dd5f0b9ed98a222f5a8c5b80003dafe8cb2c419d7407", + "DiffID": "sha256:882c984cafed0fa20487f0b4f95474af7d46cff44d735d266633ebcea37e2bd1" + }, + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2022-0355", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": 
"https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Title": "simple-get: exposure of sensitive information to an unauthorized actor", + "Description": "Improper Removal of Sensitive Information Before Storage or Transfer in NPM simple-get prior to 4.0.1.\n\n", + "Severity": "HIGH", + "CweIDs": [ + "CWE-212" + ], + "VendorSeverity": { + "ghsa": 3, + "nvd": 3, + "redhat": 2 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", + "V3Score": 7.5 + }, + "nvd": { + "V2Vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N", + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", + "V2Score": 5, + "V3Score": 7.5 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", + "V3Score": 7.5 + } + }, + "References": [ + "https://access.redhat.com/security/cve/CVE-2022-0355", + "https://github.com/advisories/GHSA-wpg7-2c88-r8xv", + "https://github.com/feross/simple-get", + "https://github.com/feross/simple-get/commit/e4af095e06cd69a9235013e8507e220a79b9684f", + "https://github.com/feross/simple-get/pull/75#issuecomment-1027755026", + "https://github.com/feross/simple-get/pull/76#issuecomment-1027754710", + "https://huntr.dev/bounties/42c79c23-6646-46c4-871d-219c0d4b4e31", + "https://huntr.dev/bounties/42c79c23-6646-46c4-871d-219c0d4b4e31/", + "https://nvd.nist.gov/vuln/detail/CVE-2022-0355", + "https://www.cve.org/CVERecord?id=CVE-2022-0355" + ], + "PublishedDate": "2022-01-26T04:15:06.813Z", + "LastModifiedDate": "2023-08-02T09:15:11.547Z" + }, + { + "VulnerabilityID": "CVE-2024-38355", + "PkgID": "socket.io@3.1.2", + "PkgName": "socket.io", + "PkgPath": "juice-shop/node_modules/socket.io/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/socket.io@3.1.2", + "UID": "2cfa07ffcdb1bf43" + }, + "InstalledVersion": "3.1.2", + "FixedVersion": "2.5.1, 4.6.2", + "Status": "fixed", + "Layer": { + "Digest": "sha256:d60b2707975852ac9893dd5f0b9ed98a222f5a8c5b80003dafe8cb2c419d7407", + "DiffID": 
"sha256:882c984cafed0fa20487f0b4f95474af7d46cff44d735d266633ebcea37e2bd1" + }, + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2024-38355", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Title": "socket.io: Unhandled 'error' event", + "Description": "Socket.IO is an open source, real-time, bidirectional, event-based, communication framework. A specially crafted Socket.IO packet can trigger an uncaught exception on the Socket.IO server, thus killing the Node.js process. This issue is fixed by commit `15af22fc22` which has been included in `socket.io@4.6.2` (released in May 2023). The fix was backported in the 2.x branch as well with commit `d30630ba10`. Users are advised to upgrade. Users unable to upgrade may attach a listener for the \"error\" event to catch these errors.\n", + "Severity": "HIGH", + "CweIDs": [ + "CWE-20", + "CWE-754" + ], + "VendorSeverity": { + "ghsa": 3, + "redhat": 3 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", + "V3Score": 7.3 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", + "V3Score": 7.3 + } + }, + "References": [ + "https://access.redhat.com/security/cve/CVE-2024-38355", + "https://github.com/socketio/socket.io", + "https://github.com/socketio/socket.io/commit/15af22fc22bc6030fcead322c106f07640336115", + "https://github.com/socketio/socket.io/commit/d30630ba10562bf987f4d2b42440fc41a828119c", + "https://github.com/socketio/socket.io/security/advisories/GHSA-25hc-qcg6-38wj", + "https://nvd.nist.gov/vuln/detail/CVE-2024-38355", + "https://www.cve.org/CVERecord?id=CVE-2024-38355" + ], + "PublishedDate": "2024-06-19T20:15:11.18Z", + "LastModifiedDate": "2024-06-20T12:43:25.663Z" + }, + { + "VulnerabilityID": "CVE-2022-2421", + "PkgID": "socket.io-parser@4.0.4", + "PkgName": "socket.io-parser", + "PkgPath": 
"juice-shop/node_modules/socket.io-parser/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/socket.io-parser@4.0.4", + "UID": "bbba0cea86a6fcc" + }, + "InstalledVersion": "4.0.4", + "FixedVersion": "4.0.5, 4.2.1, 3.3.3, 3.4.2", + "Status": "fixed", + "Layer": { + "Digest": "sha256:d60b2707975852ac9893dd5f0b9ed98a222f5a8c5b80003dafe8cb2c419d7407", + "DiffID": "sha256:882c984cafed0fa20487f0b4f95474af7d46cff44d735d266633ebcea37e2bd1" + }, + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2022-2421", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Title": "Insufficient validation when decoding a Socket.IO packet", + "Description": "Due to improper type validation in attachment parsing the Socket.io js library, it is possible to overwrite the _placeholder object which allows an attacker to place references to functions at arbitrary places in the resulting query object.", + "Severity": "CRITICAL", + "CweIDs": [ + "CWE-89" + ], + "VendorSeverity": { + "ghsa": 4, + "nvd": 4 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "V3Score": 9.8 + }, + "nvd": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "V3Score": 9.8 + } + }, + "References": [ + "https://csirt.divd.nl/CVE-2022-2421", + "https://csirt.divd.nl/DIVD-2022-00045", + "https://csirt.divd.nl/cases/DIVD-2022-00045", + "https://csirt.divd.nl/cves/CVE-2022-2421", + "https://github.com/socketio/socket.io-parser", + "https://github.com/socketio/socket.io-parser/commit/04d23cecafe1b859fb03e0cbf6ba3b74dff56d14", + "https://github.com/socketio/socket.io-parser/commit/b559f050ee02bd90bd853b9823f8de7fa94a80d4", + "https://github.com/socketio/socket.io-parser/commit/b5d0cb7dc56a0601a09b056beaeeb0e43b160050", + "https://github.com/socketio/socket.io-parser/commit/fb21e422fc193b34347395a33e0f625bebc09983", + 
"https://nvd.nist.gov/vuln/detail/CVE-2022-2421" + ], + "PublishedDate": "2022-10-26T10:15:16.78Z", + "LastModifiedDate": "2024-01-02T19:15:09.597Z" + }, + { + "VulnerabilityID": "CVE-2023-32695", + "PkgID": "socket.io-parser@4.0.4", + "PkgName": "socket.io-parser", + "PkgPath": "juice-shop/node_modules/socket.io-parser/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/socket.io-parser@4.0.4", + "UID": "bbba0cea86a6fcc" + }, + "InstalledVersion": "4.0.4", + "FixedVersion": "4.2.3, 3.4.3, 3.3.4", + "Status": "fixed", + "Layer": { + "Digest": "sha256:d60b2707975852ac9893dd5f0b9ed98a222f5a8c5b80003dafe8cb2c419d7407", + "DiffID": "sha256:882c984cafed0fa20487f0b4f95474af7d46cff44d735d266633ebcea37e2bd1" + }, + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2023-32695", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Title": "socket.io parser is a socket.io encoder and decoder written in JavaScr ...", + "Description": "socket.io parser is a socket.io encoder and decoder written in JavaScript complying with version 5 of socket.io-protocol. A specially crafted Socket.IO packet can trigger an uncaught exception on the Socket.IO server, thus killing the Node.js process. 
A patch has been released in version 4.2.3.\n\n", + "Severity": "HIGH", + "CweIDs": [ + "CWE-754", + "CWE-20" + ], + "VendorSeverity": { + "ghsa": 3, + "nvd": 3 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", + "V3Score": 7.3 + }, + "nvd": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 7.5 + } + }, + "References": [ + "https://github.com/socketio/socket.io-parser", + "https://github.com/socketio/socket.io-parser/commit/1c220ddbf45ea4b44bc8dbf6f9ae245f672ba1b9", + "https://github.com/socketio/socket.io-parser/commit/2dc3c92622dad113b8676be06f23b1ed46b02ced", + "https://github.com/socketio/socket.io-parser/commit/3b78117bf6ba7e99d7a5cfc1ba54d0477554a7f3", + "https://github.com/socketio/socket.io-parser/commit/ee006607495eca4ec7262ad080dd3a91439a5ba4", + "https://github.com/socketio/socket.io-parser/releases/tag/4.2.3", + "https://github.com/socketio/socket.io-parser/security/advisories/GHSA-cqmj-92xf-r6r9", + "https://nvd.nist.gov/vuln/detail/CVE-2023-32695" + ], + "PublishedDate": "2023-05-27T16:15:09.433Z", + "LastModifiedDate": "2023-06-05T15:54:48.487Z" + }, + { + "VulnerabilityID": "CVE-2022-21227", + "PkgID": "sqlite3@5.0.2", + "PkgName": "sqlite3", + "PkgPath": "juice-shop/node_modules/sqlite3/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/sqlite3@5.0.2", + "UID": "62b2071ae11024a" + }, + "InstalledVersion": "5.0.2", + "FixedVersion": "5.0.3", + "Status": "fixed", + "Layer": { + "Digest": "sha256:d60b2707975852ac9893dd5f0b9ed98a222f5a8c5b80003dafe8cb2c419d7407", + "DiffID": "sha256:882c984cafed0fa20487f0b4f95474af7d46cff44d735d266633ebcea37e2bd1" + }, + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2022-21227", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Title": "sqlite3: Denial of Service (DoS) in sqlite3", + "Description": "The 
package sqlite3 before 5.0.3 are vulnerable to Denial of Service (DoS) which will invoke the toString function of the passed parameter. If passed an invalid Function object it will throw and crash the V8 engine.", + "Severity": "HIGH", + "VendorSeverity": { + "ghsa": 3, + "nvd": 3, + "redhat": 2 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 7.5 + }, + "nvd": { + "V2Vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P", + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V2Score": 5, + "V3Score": 7.5 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 7.5 + } + }, + "References": [ + "https://access.redhat.com/security/cve/CVE-2022-21227", + "https://github.com/TryGhost/node-sqlite3", + "https://github.com/TryGhost/node-sqlite3/commit/593c9d498be2510d286349134537e3bf89401c4a", + "https://github.com/TryGhost/node-sqlite3/issues/1440", + "https://github.com/TryGhost/node-sqlite3/issues/1449", + "https://github.com/TryGhost/node-sqlite3/security/advisories/GHSA-9qrh-qjmc-5w2p", + "https://nvd.nist.gov/vuln/detail/CVE-2022-21227", + "https://security.snyk.io/vuln/SNYK-JS-SQLITE3-2388645", + "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-2805470", + "https://snyk.io/vuln/SNYK-JS-SQLITE3-2388645", + "https://www.cve.org/CVERecord?id=CVE-2022-21227" + ], + "PublishedDate": "2022-05-01T16:15:08.197Z", + "LastModifiedDate": "2022-05-11T14:10:40.683Z" + }, + { + "VulnerabilityID": "CVE-2022-43441", + "PkgID": "sqlite3@5.0.2", + "PkgName": "sqlite3", + "PkgPath": "juice-shop/node_modules/sqlite3/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/sqlite3@5.0.2", + "UID": "62b2071ae11024a" + }, + "InstalledVersion": "5.0.2", + "FixedVersion": "5.1.5", + "Status": "fixed", + "Layer": { + "Digest": "sha256:d60b2707975852ac9893dd5f0b9ed98a222f5a8c5b80003dafe8cb2c419d7407", + "DiffID": "sha256:882c984cafed0fa20487f0b4f95474af7d46cff44d735d266633ebcea37e2bd1" + }, + "SeveritySource": 
"ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2022-43441", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Title": "A code execution vulnerability exists in the Statement Bindings functi ...", + "Description": "A code execution vulnerability exists in the Statement Bindings functionality of Ghost Foundation node-sqlite3 5.1.1. A specially-crafted Javascript file can lead to arbitrary code execution. An attacker can provide malicious input to trigger this vulnerability.", + "Severity": "HIGH", + "CweIDs": [ + "CWE-913", + "CWE-915" + ], + "VendorSeverity": { + "ghsa": 3, + "nvd": 4 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "V3Score": 8.1 + }, + "nvd": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "V3Score": 9.8 + } + }, + "References": [ + "https://github.com/TryGhost/node-sqlite3", + "https://github.com/TryGhost/node-sqlite3/commit/edb1934dd222ae55632e120d8f64552d5191c781", + "https://github.com/TryGhost/node-sqlite3/security/advisories/GHSA-jqv5-7xpx-qj74", + "https://nvd.nist.gov/vuln/detail/CVE-2022-43441", + "https://talosintelligence.com/vulnerability_reports/TALOS-2022-1645" + ], + "PublishedDate": "2023-03-16T21:15:11.023Z", + "LastModifiedDate": "2023-03-22T21:01:25.97Z" }, { - "VulnerabilityID": "NSWG-ECO-17", - "PkgName": "jsonwebtoken", - "PkgPath": "juice-shop/node_modules/jsonwebtoken/package.json", - "InstalledVersion": "0.4.0", - "FixedVersion": "\u003e=4.2.2", - "Layer": { + "VulnerabilityID": "CVE-2021-46708", + "PkgID": "swagger-ui-dist@3.52.4", + "PkgName": "swagger-ui-dist", + "PkgPath": "juice-shop/node_modules/swagger-ui-dist/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/swagger-ui-dist@3.52.4", + "UID": "ffda9051d97e41f7" + }, + "InstalledVersion": "3.52.4", + "FixedVersion": "4.1.3", + "Status": "fixed", + "Layer": { "Digest": 
"sha256:d60b2707975852ac9893dd5f0b9ed98a222f5a8c5b80003dafe8cb2c419d7407", "DiffID": "sha256:882c984cafed0fa20487f0b4f95474af7d46cff44d735d266633ebcea37e2bd1" + }, + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2021-46708", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Title": "Spoofing attack in swagger-ui-dist", + "Description": "The swagger-ui-dist package before 4.1.3 for Node.js could allow a remote attacker to hijack the clicking action of the victim. By persuading a victim to visit a malicious Web site, a remote attacker could exploit this vulnerability to hijack the victim's click actions and possibly launch further attacks against the victim.", + "Severity": "MEDIUM", + "CweIDs": [ + "CWE-1021" + ], + "VendorSeverity": { + "ghsa": 2, + "nvd": 2 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", + "V3Score": 6.1 }, - "Title": "Verification Bypass", - "Description": "It is possible for an attacker to bypass verification when \"a token digitally signed with an asymetric key (RS/ES family) of algorithms but instead the attacker send a token digitally signed with a symmetric algorithm (HS* family)\" [1]", - "Severity": "HIGH", - "References": [ - "https://auth0.com/blog/2015/03/31/critical-vulnerabilities-in-json-web-token-libraries/", - "https://github.com/auth0/node-jsonwebtoken/commit/1bb584bc382295eeb7ee8c4452a673a77a68b687", - "https://www.timmclean.net/2015/02/25/jwt-alg-none.html" - ] + "nvd": { + "V2Vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N", + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", + "V2Score": 4.3, + "V3Score": 6.1 + } + }, + "References": [ + "https://github.com/swagger-api/swagger-ui", + "https://nvd.nist.gov/vuln/detail/CVE-2021-46708", + "https://security.netapp.com/advisory/ntap-20220407-0004", + 
"https://security.netapp.com/advisory/ntap-20220407-0004/", + "https://security.snyk.io/vuln/SNYK-JS-SWAGGERUIDIST-2314884", + "https://www.npmjs.com/package/swagger-ui-dist/v/4.1.3" + ], + "PublishedDate": "2022-03-11T07:15:07.927Z", + "LastModifiedDate": "2023-03-28T14:39:17.107Z" }, { - "VulnerabilityID": "CVE-2016-1000223", - "PkgName": "jws", - "PkgPath": "juice-shop/node_modules/jws/package.json", - "InstalledVersion": "0.2.6", - "FixedVersion": "3.0.0", - "Layer": { + "VulnerabilityID": "GHSA-qrmm-w75w-3wpx", + "PkgID": "swagger-ui-dist@3.52.4", + "PkgName": "swagger-ui-dist", + "PkgPath": "juice-shop/node_modules/swagger-ui-dist/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/swagger-ui-dist@3.52.4", + "UID": "ffda9051d97e41f7" + }, + "InstalledVersion": "3.52.4", + "FixedVersion": "4.1.3", + "Status": "fixed", + "Layer": { "Digest": "sha256:d60b2707975852ac9893dd5f0b9ed98a222f5a8c5b80003dafe8cb2c419d7407", "DiffID": "sha256:882c984cafed0fa20487f0b4f95474af7d46cff44d735d266633ebcea37e2bd1" - }, - "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2016-1000223", - "Title": "Forgeable Public/Private Tokens", - "Description": "Since \"algorithm\" isn't enforced in `jws.verify()`, a malicious user could choose what algorithm is sent to the server. If the server is expecting RSA but is sent HMAC-SHA with RSA's public key, the server will think the public key is actually an HMAC private key. This could be used to forge any data an attacker wants.\n\nIn addition, there is the `none` algorithm to be concerned about. In versions prior to 3.0.0, verification of the token could be bypassed when the `alg` field is set to `none`.\n\n*Edit ( 7/29/16 ): A previous version of this advisory incorrectly stated that the vulnerability was patched in version 2.0.0 instead of 3.0.0. The advisory has been updated to reflect this new information. 
Thanks to Fabien Catteau for reporting the error.*", - "Severity": "HIGH", - "References": [ - "https://auth0.com/blog/2015/03/31/critical-vulnerabilities-in-json-web-token-libraries/", - "https://github.com/advisories/GHSA-gjcw-v447-2w7q", - "https://github.com/brianloveswords/node-jws/commit/585d0e1e97b6747c10cf5b7689ccc5618a89b299#diff-4ac32a78649ca5bdd8e0ba38b7006a1e", - "https://nvd.nist.gov/vuln/detail/CVE-2016-1000223" - ] + }, + "SeveritySource": "ghsa", + "PrimaryURL": "https://github.com/advisories/GHSA-qrmm-w75w-3wpx", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Title": "Server side request forgery in SwaggerUI", + "Description": "SwaggerUI supports displaying remote OpenAPI definitions through the `?url` parameter. This enables robust demonstration capabilities on sites like `petstore.swagger.io`, `editor.swagger.io`, and similar sites, where users often want to see what their OpenAPI definitions would look like rendered.\n\nHowever, this functionality may pose a risk for users who host their own SwaggerUI instances. 
In particular, including remote OpenAPI definitions opens a vector for phishing attacks by abusing the trusted names/domains of self-hosted instances.\n\nAn example scenario abusing this functionality could take the following form:\n- `https://example.com/api-docs` hosts a version of SwaggerUI with `?url=` query parameter enabled.\n- Users will trust the domain `https://example.com` and the contents of the OpenAPI definition.\n- A malicious actor may craft a similar OpenAPI definition and service that responds to the defined APIs at `https://evildomain`.\n- Users mistakenly click a phishing URL like `https://example.com/api-docs?url=https://evildomain/fakeapi.yaml` and enters sensitive data via the \"Try-it-out\" feature.\n\nWe do want to stress that this attack vector is limited to scenarios that actively trick users into divulging sensitive information. The ease of this is highly contextual and, therefore, the threat model may be different for individual users and organizations. It is *not* possible to perform non-interactive attacks (e.g., cross-site scripting or code injection) through this mechanism.\n\n### Resolution \nWe've made the decision to [disable query parameters (#4872)](https://github.com/swagger-api/swagger-ui/issues/4872) by default starting with SwaggerUI version `4.1.3`. Please update to this version when it becomes available (**ETA: 2021 December**). Users will still be able to be re-enable the options at their discretion. 
We'll continue to enable query parameters on the Swagger demo sites.\n\n### Workaround\nIf you host a version of SwaggerUI and wish to mitigate this issue immediately, you are encouraged to add the following custom plugin code:\n\n```js\nSwaggerUI({\n // ...other configuration options,\n plugins: [function UrlParamDisablePlugin() {\n return {\n statePlugins: {\n spec: {\n wrapActions: {\n // Remove the ?url parameter from loading an external OpenAPI definition.\n updateUrl: (oriAction) =\u003e (payload) =\u003e {\n const url = new URL(window.location.href)\n if (url.searchParams.has('url')) {\n url.searchParams.delete('url')\n window.location.replace(url.toString())\n }\n return oriAction(payload)\n }\n }\n }\n }\n }\n }],\n})\n```\n\n### Future UX work\n\nThrough the exploration of this issue, it became apparent that users may not be aware to which web server the Try-it-out function will send requests. While this information is currently presented at the top of the page, understanding may improve by displaying it closer to the \"Execute\" button where requests are actually made. We'll be exploring these UX improvements over the coming months and welcome community input. Please create a Feature Request under the GitHub Issue tab to start a conversation with us and the community.\n\n## Reflected XSS attack\n\n**Warning** in versions \u003c 3.38.0, it is possible to combine the URL options (as mentioned above) with a vulnerability in DOMPurify (https://www.cvedetails.com/cve/CVE-2020-26870/) to create a reflected XSS vector. 
If your version of Swagger UI is older than 3.38.0, we suggest you upgrade or implement the workaround as mentioned above.\n", + "Severity": "MEDIUM", + "VendorSeverity": { + "ghsa": 2 + }, + "References": [ + "https://github.com/domaindrivendev/Swashbuckle.AspNetCore/commit/401c7cb81e5efe835ceb8aae23e82057d57c7d29", + "https://github.com/swagger-api/swagger-ui", + "https://github.com/swagger-api/swagger-ui/commit/01a3e55960f864a0acf6a8d06e5ddaf6776a7f76", + "https://github.com/swagger-api/swagger-ui/issues/4872", + "https://github.com/swagger-api/swagger-ui/security/advisories/GHSA-qrmm-w75w-3wpx" + ] }, { - "VulnerabilityID": "CVE-2019-10744", - "PkgName": "lodash", - "PkgPath": "juice-shop/node_modules/sanitize-html/node_modules/lodash/package.json", - "InstalledVersion": "2.4.2", - "FixedVersion": "4.17.12", - "Layer": { + "VulnerabilityID": "CVE-2021-32804", + "PkgID": "tar@2.2.2", + "PkgName": "tar", + "PkgPath": "juice-shop/node_modules/node-gyp/node_modules/tar/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/tar@2.2.2", + "UID": "732a5020e4e89723" + }, + "InstalledVersion": "2.2.2", + "FixedVersion": "3.2.2, 4.4.14, 5.0.6, 6.1.1", + "Status": "fixed", + "Layer": { "Digest": "sha256:d60b2707975852ac9893dd5f0b9ed98a222f5a8c5b80003dafe8cb2c419d7407", "DiffID": "sha256:882c984cafed0fa20487f0b4f95474af7d46cff44d735d266633ebcea37e2bd1" + }, + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2021-32804", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Title": "nodejs-tar: Insufficient absolute path sanitization allowing arbitrary file creation and overwrite", + "Description": "The npm package \"tar\" (aka node-tar) before versions 6.1.1, 5.0.6, 4.4.14, and 3.3.2 has a arbitrary File Creation/Overwrite vulnerability due to insufficient absolute path sanitization. 
node-tar aims to prevent extraction of absolute file paths by turning absolute paths into relative paths when the `preservePaths` flag is not set to `true`. This is achieved by stripping the absolute path root from any absolute file paths contained in a tar file. For example `/home/user/.bashrc` would turn into `home/user/.bashrc`. This logic was insufficient when file paths contained repeated path roots such as `////home/user/.bashrc`. `node-tar` would only strip a single path root from such paths. When given an absolute file path with repeating path roots, the resulting path (e.g. `///home/user/.bashrc`) would still resolve to an absolute path, thus allowing arbitrary file creation and overwrite. This issue was addressed in releases 3.2.2, 4.4.14, 5.0.6 and 6.1.1. Users may work around this vulnerability without upgrading by creating a custom `onentry` method which sanitizes the `entry.path` or a `filter` method which removes entries with absolute paths. See referenced GitHub Advisory for details. Be aware of CVE-2021-32803 which fixes a similar bug in later versions of tar.", + "Severity": "HIGH", + "CweIDs": [ + "CWE-22" + ], + "VendorSeverity": { + "alma": 3, + "ghsa": 3, + "nvd": 3, + "oracle-oval": 3, + "redhat": 2 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N", + "V3Score": 8.2 }, - "SeveritySource": "nvd", - "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-10744", - "Title": "nodejs-lodash: prototype pollution in defaultsDeep function leading to modifying properties", - "Description": "Versions of lodash lower than 4.17.12 are vulnerable to Prototype Pollution. 
The function defaultsDeep could be tricked into adding or modifying properties of Object.prototype using a constructor payload.", - "Severity": "CRITICAL", - "CVSS": { "nvd": { - "V2Vector": "AV:N/AC:L/Au:N/C:N/I:P/A:P", - "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H", - "V2Score": 6.4, - "V3Score": 9.1 + "V2Vector": "AV:N/AC:M/Au:N/C:N/I:P/A:P", + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H", + "V2Score": 5.8, + "V3Score": 8.1 }, "redhat": { - "V3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H", - "V3Score": 9.1 + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H", + "V3Score": 8.1 } - }, - "References": [ - "https://access.redhat.com/errata/RHSA-2019:3024", - "https://github.com/advisories/GHSA-jf85-cpcp-j695", - "https://nvd.nist.gov/vuln/detail/CVE-2019-10744", - "https://security.netapp.com/advisory/ntap-20191004-0005/", - "https://snyk.io/vuln/SNYK-JS-LODASH-450202", - "https://support.f5.com/csp/article/K47105354?utm_source=f5support\u0026amp;utm_medium=RSS", - "https://www.oracle.com/security-alerts/cpujan2021.html", - "https://www.oracle.com/security-alerts/cpuoct2020.html" - ], - "PublishedDate": "2019-07-26T00:15:00Z", - "LastModifiedDate": "2021-03-16T13:57:00Z" + }, + "References": [ + "https://access.redhat.com/security/cve/CVE-2021-32804", + "https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf", + "https://errata.almalinux.org/8/ALSA-2021-3666.html", + "https://github.com/npm/node-tar", + "https://github.com/npm/node-tar/commit/1f036ca23f64a547bdd6c79c1a44bc62e8115da4", + "https://github.com/npm/node-tar/security/advisories/GHSA-3jfq-g458-7qm9", + "https://linux.oracle.com/cve/CVE-2021-32804.html", + "https://linux.oracle.com/errata/ELSA-2021-3666.html", + "https://nvd.nist.gov/vuln/detail/CVE-2021-32804", + "https://www.cve.org/CVERecord?id=CVE-2021-32804", + "https://www.npmjs.com/advisories/1770", + "https://www.npmjs.com/package/tar", + "https://www.oracle.com/security-alerts/cpuoct2021.html" + 
], + "PublishedDate": "2021-08-03T19:15:08.41Z", + "LastModifiedDate": "2022-04-25T19:12:42.19Z" }, { - "VulnerabilityID": "CVE-2020-8203", - "PkgName": "lodash", - "PkgPath": "juice-shop/node_modules/sanitize-html/node_modules/lodash/package.json", - "InstalledVersion": "2.4.2", - "FixedVersion": "4.17.19", - "Layer": { + "VulnerabilityID": "CVE-2021-37713", + "PkgID": "tar@2.2.2", + "PkgName": "tar", + "PkgPath": "juice-shop/node_modules/node-gyp/node_modules/tar/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/tar@2.2.2", + "UID": "732a5020e4e89723" + }, + "InstalledVersion": "2.2.2", + "FixedVersion": "4.4.18, 5.0.10, 6.1.9", + "Status": "fixed", + "Layer": { "Digest": "sha256:d60b2707975852ac9893dd5f0b9ed98a222f5a8c5b80003dafe8cb2c419d7407", "DiffID": "sha256:882c984cafed0fa20487f0b4f95474af7d46cff44d735d266633ebcea37e2bd1" + }, + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2021-37713", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Title": "nodejs-tar: Arbitrary File Creation/Overwrite on Windows via insufficient relative path sanitization", + "Description": "The npm package \"tar\" (aka node-tar) before versions 4.4.18, 5.0.10, and 6.1.9 has an arbitrary file creation/overwrite and arbitrary code execution vulnerability. node-tar aims to guarantee that any file whose location would be outside of the extraction target directory is not extracted. This is, in part, accomplished by sanitizing absolute paths of entries within the archive, skipping archive entries that contain `..` path portions, and resolving the sanitized paths against the extraction target directory. This logic was insufficient on Windows systems when extracting tar files that contained a path that was not an absolute path, but specified a drive letter different from the extraction target, such as `C:some\\path`. 
If the drive letter does not match the extraction target, for example `D:\\extraction\\dir`, then the result of `path.resolve(extractionDirectory, entryPath)` would resolve against the current working directory on the `C:` drive, rather than the extraction target directory. Additionally, a `..` portion of the path could occur immediately after the drive letter, such as `C:../foo`, and was not properly sanitized by the logic that checked for `..` within the normalized and split portions of the path. This only affects users of `node-tar` on Windows systems. These issues were addressed in releases 4.4.18, 5.0.10 and 6.1.9. The v3 branch of node-tar has been deprecated and did not receive patches for these issues. If you are still using a v3 release we recommend you update to a more recent version of node-tar. There is no reasonable way to work around this issue without performing the same path normalization procedures that node-tar now does. Users are encouraged to upgrade to the latest patched versions of node-tar, rather than attempt to sanitize paths themselves.", + "Severity": "HIGH", + "CweIDs": [ + "CWE-22" + ], + "VendorSeverity": { + "ghsa": 3, + "nvd": 3, + "redhat": 3 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N", + "V3Score": 8.2 }, - "SeveritySource": "nvd", - "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2020-8203", - "Title": "nodejs-lodash: prototype pollution in zipObjectDeep function", - "Description": "Prototype pollution attack when using _.zipObjectDeep in lodash before 4.17.20.", - "Severity": "HIGH", - "CweIDs": [ - "CWE-770" - ], - "CVSS": { "nvd": { - "V2Vector": "AV:N/AC:M/Au:N/C:N/I:P/A:P", - "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H", - "V2Score": 5.8, - "V3Score": 7.4 + "V2Vector": "AV:L/AC:M/Au:N/C:P/I:P/A:P", + "V3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H", + "V2Score": 4.4, + "V3Score": 8.6 }, "redhat": { - "V3Vector": 
"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H", - "V3Score": 7.4 + "V3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N", + "V3Score": 8.2 } - }, - "References": [ - "https://github.com/advisories/GHSA-p6mc-m468-83gw", - "https://github.com/lodash/lodash/issues/4874", - "https://hackerone.com/reports/712065", - "https://nvd.nist.gov/vuln/detail/CVE-2020-8203", - "https://security.netapp.com/advisory/ntap-20200724-0006/", - "https://www.npmjs.com/advisories/1523", - "https://www.oracle.com//security-alerts/cpujul2021.html", - "https://www.oracle.com/security-alerts/cpuApr2021.html", + }, + "References": [ + "https://access.redhat.com/security/cve/CVE-2021-37713", + "https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf", + "https://github.com/isaacs/node-tar/commit/52b09e309bcae0c741a7eb79a17ef36e7828b946", + "https://github.com/isaacs/node-tar/commit/82eac952f7c10765969ed464e549375854b26edc", + "https://github.com/isaacs/node-tar/commit/875a37e3ec031186fc6599f6807341f56c584598", + "https://github.com/npm/node-tar", + "https://github.com/npm/node-tar/security/advisories/GHSA-5955-9wpr-37jh", + "https://nvd.nist.gov/vuln/detail/CVE-2021-37713", + "https://www.cve.org/CVERecord?id=CVE-2021-37713", + "https://www.npmjs.com/package/tar", "https://www.oracle.com/security-alerts/cpuoct2021.html" - ], - "PublishedDate": "2020-07-15T17:15:00Z", - "LastModifiedDate": "2021-10-20T11:15:00Z" + ], + "PublishedDate": "2021-08-31T17:15:08.087Z", + "LastModifiedDate": "2022-04-25T18:40:30.47Z" }, { - "VulnerabilityID": "CVE-2021-23337", - "PkgName": "lodash", - "PkgPath": "juice-shop/node_modules/sanitize-html/node_modules/lodash/package.json", - "InstalledVersion": "2.4.2", - "FixedVersion": "4.17.21", - "Layer": { + "VulnerabilityID": "CVE-2024-28863", + "PkgID": "tar@2.2.2", + "PkgName": "tar", + "PkgPath": "juice-shop/node_modules/node-gyp/node_modules/tar/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/tar@2.2.2", + "UID": "732a5020e4e89723" + }, + 
"InstalledVersion": "2.2.2", + "FixedVersion": "6.2.1", + "Status": "fixed", + "Layer": { "Digest": "sha256:d60b2707975852ac9893dd5f0b9ed98a222f5a8c5b80003dafe8cb2c419d7407", "DiffID": "sha256:882c984cafed0fa20487f0b4f95474af7d46cff44d735d266633ebcea37e2bd1" - }, - "SeveritySource": "nvd", - "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2021-23337", - "Title": "nodejs-lodash: command injection via template", - "Description": "Lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function.", - "Severity": "HIGH", - "CweIDs": [ - "CWE-77" - ], - "CVSS": { - "nvd": { - "V2Vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P", - "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", - "V2Score": 6.5, - "V3Score": 7.2 + }, + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2024-28863", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Title": "node-tar: denial of service while parsing a tar file due to lack of folders depth validation", + "Description": "node-tar is a Tar for Node.js. node-tar prior to version 6.2.1 has no limit on the number of sub-folders created in the folder creation process. An attacker who generates a large number of sub-folders can consume memory on the system running node-tar and even crash the Node.js client within few seconds of running it using a path with too many sub-folders inside. 
Version 6.2.1 fixes this issue by preventing extraction in excessively deep sub-folders.", + "Severity": "MEDIUM", + "CweIDs": [ + "CWE-400", + "CWE-770" + ], + "VendorSeverity": { + "alma": 2, + "azure": 2, + "cbl-mariner": 2, + "ghsa": 2, + "oracle-oval": 2, + "redhat": 2, + "ubuntu": 2 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "V3Score": 6.5 }, "redhat": { - "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", - "V3Score": 7.2 + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "V3Score": 6.5 } - }, - "References": [ - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23337", - "https://github.com/advisories/GHSA-35jh-r3h4-6jhm", - "https://github.com/lodash/lodash/blob/ddfd9b11a0126db2302cb70ec9973b66baec0975/lodash.js%23L14851", - "https://nvd.nist.gov/vuln/detail/CVE-2021-23337", - "https://security.netapp.com/advisory/ntap-20210312-0006/", - "https://snyk.io/vuln/SNYK-JAVA-ORGFUJIONWEBJARS-1074932", - "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-1074930", - "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1074928", - "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBLODASH-1074931", - "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1074929", - "https://snyk.io/vuln/SNYK-JS-LODASH-1040724", - "https://www.oracle.com//security-alerts/cpujul2021.html", - "https://www.oracle.com/security-alerts/cpuoct2021.html" - ], - "PublishedDate": "2021-02-15T13:15:00Z", - "LastModifiedDate": "2021-10-20T11:16:00Z" + }, + "References": [ + "https://access.redhat.com/errata/RHSA-2024:6147", + "https://access.redhat.com/security/cve/CVE-2024-28863", + "https://bugzilla.redhat.com/2293200", + "https://bugzilla.redhat.com/2296417", + "https://errata.almalinux.org/9/ALSA-2024-6147.html", + "https://github.com/isaacs/node-tar", + "https://github.com/isaacs/node-tar/commit/fe8cd57da5686f8695415414bda49206a545f7f7", + "https://github.com/isaacs/node-tar/commit/fe8cd57da5686f8695415414bda49206a545f7f7 
(v6.2.1)", + "https://github.com/isaacs/node-tar/security/advisories/GHSA-f5x3-32g6-xq36", + "https://linux.oracle.com/cve/CVE-2024-28863.html", + "https://linux.oracle.com/errata/ELSA-2024-6148.html", + "https://nvd.nist.gov/vuln/detail/CVE-2024-28863", + "https://security.netapp.com/advisory/ntap-20240524-0005", + "https://security.netapp.com/advisory/ntap-20240524-0005/", + "https://www.cve.org/CVERecord?id=CVE-2024-28863" + ], + "PublishedDate": "2024-03-21T23:15:10.91Z", + "LastModifiedDate": "2024-06-10T17:16:24.773Z" }, { - "VulnerabilityID": "CVE-2018-16487", - "PkgName": "lodash", - "PkgPath": "juice-shop/node_modules/sanitize-html/node_modules/lodash/package.json", - "InstalledVersion": "2.4.2", - "FixedVersion": "4.17.11", - "Layer": { + "VulnerabilityID": "CVE-2024-28863", + "PkgID": "tar@4.4.19", + "PkgName": "tar", + "PkgPath": "juice-shop/node_modules/node-pre-gyp/node_modules/tar/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/tar@4.4.19", + "UID": "b2f700056d98ebcd" + }, + "InstalledVersion": "4.4.19", + "FixedVersion": "6.2.1", + "Status": "fixed", + "Layer": { "Digest": "sha256:d60b2707975852ac9893dd5f0b9ed98a222f5a8c5b80003dafe8cb2c419d7407", "DiffID": "sha256:882c984cafed0fa20487f0b4f95474af7d46cff44d735d266633ebcea37e2bd1" - }, - "SeveritySource": "nvd", - "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2018-16487", - "Title": "lodash: Prototype pollution in utilities function", - "Description": "A prototype pollution vulnerability was found in lodash \u003c4.17.11 where the functions merge, mergeWith, and defaultsDeep can be tricked into adding or modifying properties of Object.prototype.", - "Severity": "MEDIUM", - "CVSS": { - "nvd": { - "V2Vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P", - "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L", - "V2Score": 6.8, - "V3Score": 5.6 + }, + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2024-28863", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory 
npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Title": "node-tar: denial of service while parsing a tar file due to lack of folders depth validation", + "Description": "node-tar is a Tar for Node.js. node-tar prior to version 6.2.1 has no limit on the number of sub-folders created in the folder creation process. An attacker who generates a large number of sub-folders can consume memory on the system running node-tar and even crash the Node.js client within few seconds of running it using a path with too many sub-folders inside. Version 6.2.1 fixes this issue by preventing extraction in excessively deep sub-folders.", + "Severity": "MEDIUM", + "CweIDs": [ + "CWE-400", + "CWE-770" + ], + "VendorSeverity": { + "alma": 2, + "azure": 2, + "cbl-mariner": 2, + "ghsa": 2, + "oracle-oval": 2, + "redhat": 2, + "ubuntu": 2 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "V3Score": 6.5 }, "redhat": { - "V3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L", - "V3Score": 5.6 + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "V3Score": 6.5 } - }, - "References": [ - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16487", - "https://github.com/advisories/GHSA-4xc9-xhrj-v574", - "https://hackerone.com/reports/380873", - "https://nvd.nist.gov/vuln/detail/CVE-2018-16487", - "https://security.netapp.com/advisory/ntap-20190919-0004/" - ], - "PublishedDate": "2019-02-01T18:29:00Z", - "LastModifiedDate": "2020-09-18T16:38:00Z" + }, + "References": [ + "https://access.redhat.com/errata/RHSA-2024:6147", + "https://access.redhat.com/security/cve/CVE-2024-28863", + "https://bugzilla.redhat.com/2293200", + "https://bugzilla.redhat.com/2296417", + "https://errata.almalinux.org/9/ALSA-2024-6147.html", + "https://github.com/isaacs/node-tar", + "https://github.com/isaacs/node-tar/commit/fe8cd57da5686f8695415414bda49206a545f7f7", + 
"https://github.com/isaacs/node-tar/commit/fe8cd57da5686f8695415414bda49206a545f7f7 (v6.2.1)", + "https://github.com/isaacs/node-tar/security/advisories/GHSA-f5x3-32g6-xq36", + "https://linux.oracle.com/cve/CVE-2024-28863.html", + "https://linux.oracle.com/errata/ELSA-2024-6148.html", + "https://nvd.nist.gov/vuln/detail/CVE-2024-28863", + "https://security.netapp.com/advisory/ntap-20240524-0005", + "https://security.netapp.com/advisory/ntap-20240524-0005/", + "https://www.cve.org/CVERecord?id=CVE-2024-28863" + ], + "PublishedDate": "2024-03-21T23:15:10.91Z", + "LastModifiedDate": "2024-06-10T17:16:24.773Z" }, { - "VulnerabilityID": "CVE-2018-3721", - "PkgName": "lodash", - "PkgPath": "juice-shop/node_modules/sanitize-html/node_modules/lodash/package.json", - "InstalledVersion": "2.4.2", - "FixedVersion": "4.17.5", - "Layer": { + "VulnerabilityID": "CVE-2024-28863", + "PkgID": "tar@4.4.19", + "PkgName": "tar", + "PkgPath": "juice-shop/node_modules/sqlite3/node_modules/tar/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/tar@4.4.19", + "UID": "9af47d252e35183a" + }, + "InstalledVersion": "4.4.19", + "FixedVersion": "6.2.1", + "Status": "fixed", + "Layer": { "Digest": "sha256:d60b2707975852ac9893dd5f0b9ed98a222f5a8c5b80003dafe8cb2c419d7407", "DiffID": "sha256:882c984cafed0fa20487f0b4f95474af7d46cff44d735d266633ebcea37e2bd1" - }, - "SeveritySource": "nvd", - "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2018-3721", - "Title": "lodash: Prototype pollution in utilities function", - "Description": "lodash node module before 4.17.5 suffers from a Modification of Assumed-Immutable Data (MAID) vulnerability via defaultsDeep, merge, and mergeWith functions, which allows a malicious user to modify the prototype of \"Object\" via __proto__, causing the addition or modification of an existing property that will exist on all objects.", - "Severity": "MEDIUM", - "CVSS": { - "nvd": { - "V2Vector": "AV:N/AC:L/Au:S/C:N/I:P/A:N", - "V3Vector": 
"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", - "V2Score": 4, - "V3Score": 6.5 + }, + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2024-28863", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Title": "node-tar: denial of service while parsing a tar file due to lack of folders depth validation", + "Description": "node-tar is a Tar for Node.js. node-tar prior to version 6.2.1 has no limit on the number of sub-folders created in the folder creation process. An attacker who generates a large number of sub-folders can consume memory on the system running node-tar and even crash the Node.js client within few seconds of running it using a path with too many sub-folders inside. Version 6.2.1 fixes this issue by preventing extraction in excessively deep sub-folders.", + "Severity": "MEDIUM", + "CweIDs": [ + "CWE-400", + "CWE-770" + ], + "VendorSeverity": { + "alma": 2, + "azure": 2, + "cbl-mariner": 2, + "ghsa": 2, + "oracle-oval": 2, + "redhat": 2, + "ubuntu": 2 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "V3Score": 6.5 }, "redhat": { - "V3Vector": "CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L", - "V3Score": 2.9 + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "V3Score": 6.5 } + }, + "References": [ + "https://access.redhat.com/errata/RHSA-2024:6147", + "https://access.redhat.com/security/cve/CVE-2024-28863", + "https://bugzilla.redhat.com/2293200", + "https://bugzilla.redhat.com/2296417", + "https://errata.almalinux.org/9/ALSA-2024-6147.html", + "https://github.com/isaacs/node-tar", + "https://github.com/isaacs/node-tar/commit/fe8cd57da5686f8695415414bda49206a545f7f7", + "https://github.com/isaacs/node-tar/commit/fe8cd57da5686f8695415414bda49206a545f7f7 (v6.2.1)", + "https://github.com/isaacs/node-tar/security/advisories/GHSA-f5x3-32g6-xq36", + 
"https://linux.oracle.com/cve/CVE-2024-28863.html", + "https://linux.oracle.com/errata/ELSA-2024-6148.html", + "https://nvd.nist.gov/vuln/detail/CVE-2024-28863", + "https://security.netapp.com/advisory/ntap-20240524-0005", + "https://security.netapp.com/advisory/ntap-20240524-0005/", + "https://www.cve.org/CVERecord?id=CVE-2024-28863" + ], + "PublishedDate": "2024-03-21T23:15:10.91Z", + "LastModifiedDate": "2024-06-10T17:16:24.773Z" + }, + { + "VulnerabilityID": "CVE-2024-28863", + "PkgID": "tar@4.4.19", + "PkgName": "tar", + "PkgPath": "usr/local/lib/node_modules/npm/node_modules/tar/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/tar@4.4.19", + "UID": "1cfb25a2305c6e50" + }, + "InstalledVersion": "4.4.19", + "FixedVersion": "6.2.1", + "Status": "fixed", + "Layer": { + "Digest": "sha256:d0fe2b74aff960282c3c01d80bbbb5b45a12e84f7e2ad3b65daac8f42351d5a6", + "DiffID": "sha256:f8700d3a252fffe60e30bc672e8a6560f30a3ce8816f2ad396020553fe4d9210" + }, + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2024-28863", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Title": "node-tar: denial of service while parsing a tar file due to lack of folders depth validation", + "Description": "node-tar is a Tar for Node.js. node-tar prior to version 6.2.1 has no limit on the number of sub-folders created in the folder creation process. An attacker who generates a large number of sub-folders can consume memory on the system running node-tar and even crash the Node.js client within few seconds of running it using a path with too many sub-folders inside. 
Version 6.2.1 fixes this issue by preventing extraction in excessively deep sub-folders.", + "Severity": "MEDIUM", + "CweIDs": [ + "CWE-400", + "CWE-770" + ], + "VendorSeverity": { + "alma": 2, + "azure": 2, + "cbl-mariner": 2, + "ghsa": 2, + "oracle-oval": 2, + "redhat": 2, + "ubuntu": 2 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "V3Score": 6.5 }, - "References": [ - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3721", - "https://github.com/advisories/GHSA-fvqr-27wr-82fm", - "https://github.com/lodash/lodash/commit/d8e069cc3410082e44eb18fcf8e7f3d08ebe1d4a", - "https://hackerone.com/reports/310443", - "https://nvd.nist.gov/vuln/detail/CVE-2018-3721", - "https://security.netapp.com/advisory/ntap-20190919-0004/", - "https://snyk.io/vuln/npm:lodash:20180130", - "https://www.npmjs.com/advisories/577" - ], - "PublishedDate": "2018-06-07T02:29:00Z", - "LastModifiedDate": "2019-10-03T00:03:00Z" + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "V3Score": 6.5 + } + }, + "References": [ + "https://access.redhat.com/errata/RHSA-2024:6147", + "https://access.redhat.com/security/cve/CVE-2024-28863", + "https://bugzilla.redhat.com/2293200", + "https://bugzilla.redhat.com/2296417", + "https://errata.almalinux.org/9/ALSA-2024-6147.html", + "https://github.com/isaacs/node-tar", + "https://github.com/isaacs/node-tar/commit/fe8cd57da5686f8695415414bda49206a545f7f7", + "https://github.com/isaacs/node-tar/commit/fe8cd57da5686f8695415414bda49206a545f7f7 (v6.2.1)", + "https://github.com/isaacs/node-tar/security/advisories/GHSA-f5x3-32g6-xq36", + "https://linux.oracle.com/cve/CVE-2024-28863.html", + "https://linux.oracle.com/errata/ELSA-2024-6148.html", + "https://nvd.nist.gov/vuln/detail/CVE-2024-28863", + "https://security.netapp.com/advisory/ntap-20240524-0005", + "https://security.netapp.com/advisory/ntap-20240524-0005/", + "https://www.cve.org/CVERecord?id=CVE-2024-28863" + ], + "PublishedDate": 
"2024-03-21T23:15:10.91Z", + "LastModifiedDate": "2024-06-10T17:16:24.773Z" }, { - "VulnerabilityID": "CVE-2019-1010266", - "PkgName": "lodash", - "PkgPath": "juice-shop/node_modules/sanitize-html/node_modules/lodash/package.json", - "InstalledVersion": "2.4.2", - "FixedVersion": "4.17.11", - "Layer": { + "VulnerabilityID": "CVE-2024-28863", + "PkgID": "tar@6.1.11", + "PkgName": "tar", + "PkgPath": "juice-shop/node_modules/tar/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/tar@6.1.11", + "UID": "49510ca7c2ebc375" + }, + "InstalledVersion": "6.1.11", + "FixedVersion": "6.2.1", + "Status": "fixed", + "Layer": { "Digest": "sha256:d60b2707975852ac9893dd5f0b9ed98a222f5a8c5b80003dafe8cb2c419d7407", "DiffID": "sha256:882c984cafed0fa20487f0b4f95474af7d46cff44d735d266633ebcea37e2bd1" - }, - "SeveritySource": "nvd", - "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1010266", - "Title": "lodash: uncontrolled resource consumption in Data handler causing denial of service", - "Description": "lodash prior to 4.17.11 is affected by: CWE-400: Uncontrolled Resource Consumption. The impact is: Denial of service. The component is: Date handler. The attack vector is: Attacker provides very long strings, which the library attempts to match using a regular expression. The fixed version is: 4.17.11.", - "Severity": "MEDIUM", - "CweIDs": [ + }, + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2024-28863", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Title": "node-tar: denial of service while parsing a tar file due to lack of folders depth validation", + "Description": "node-tar is a Tar for Node.js. node-tar prior to version 6.2.1 has no limit on the number of sub-folders created in the folder creation process. 
An attacker who generates a large number of sub-folders can consume memory on the system running node-tar and even crash the Node.js client within few seconds of running it using a path with too many sub-folders inside. Version 6.2.1 fixes this issue by preventing extraction in excessively deep sub-folders.", + "Severity": "MEDIUM", + "CweIDs": [ + "CWE-400", "CWE-770" - ], - "CVSS": { - "nvd": { - "V2Vector": "AV:N/AC:L/Au:S/C:N/I:N/A:P", - "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", - "V2Score": 4, - "V3Score": 6.5 + ], + "VendorSeverity": { + "alma": 2, + "azure": 2, + "cbl-mariner": 2, + "ghsa": 2, + "oracle-oval": 2, + "redhat": 2, + "ubuntu": 2 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "V3Score": 6.5 }, "redhat": { - "V3Vector": "CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H", - "V3Score": 4.4 + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "V3Score": 6.5 } - }, - "References": [ - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1010266", - "https://github.com/advisories/GHSA-x5rq-j2xg-h7qm", - "https://github.com/lodash/lodash/issues/3359", - "https://github.com/lodash/lodash/wiki/Changelog", - "https://nvd.nist.gov/vuln/detail/CVE-2019-1010266", - "https://security.netapp.com/advisory/ntap-20190919-0004/", - "https://snyk.io/vuln/SNYK-JS-LODASH-73639" - ], - "PublishedDate": "2019-07-17T21:15:00Z", - "LastModifiedDate": "2020-09-30T13:40:00Z" + }, + "References": [ + "https://access.redhat.com/errata/RHSA-2024:6147", + "https://access.redhat.com/security/cve/CVE-2024-28863", + "https://bugzilla.redhat.com/2293200", + "https://bugzilla.redhat.com/2296417", + "https://errata.almalinux.org/9/ALSA-2024-6147.html", + "https://github.com/isaacs/node-tar", + "https://github.com/isaacs/node-tar/commit/fe8cd57da5686f8695415414bda49206a545f7f7", + "https://github.com/isaacs/node-tar/commit/fe8cd57da5686f8695415414bda49206a545f7f7 (v6.2.1)", + 
"https://github.com/isaacs/node-tar/security/advisories/GHSA-f5x3-32g6-xq36", + "https://linux.oracle.com/cve/CVE-2024-28863.html", + "https://linux.oracle.com/errata/ELSA-2024-6148.html", + "https://nvd.nist.gov/vuln/detail/CVE-2024-28863", + "https://security.netapp.com/advisory/ntap-20240524-0005", + "https://security.netapp.com/advisory/ntap-20240524-0005/", + "https://www.cve.org/CVERecord?id=CVE-2024-28863" + ], + "PublishedDate": "2024-03-21T23:15:10.91Z", + "LastModifiedDate": "2024-06-10T17:16:24.773Z" }, { - "VulnerabilityID": "CVE-2019-10744", - "PkgName": "lodash", - "PkgPath": "juice-shop/node_modules/clarinet/benchmark/node_modules/lodash/package.json", - "InstalledVersion": "4.17.11", - "FixedVersion": "4.17.12", - "Layer": { - "Digest": "sha256:d60b2707975852ac9893dd5f0b9ed98a222f5a8c5b80003dafe8cb2c419d7407", - "DiffID": "sha256:882c984cafed0fa20487f0b4f95474af7d46cff44d735d266633ebcea37e2bd1" + "VulnerabilityID": "CVE-2023-26136", + "PkgID": "tough-cookie@2.4.3", + "PkgName": "tough-cookie", + "PkgPath": "usr/local/lib/node_modules/npm/node_modules/tough-cookie/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/tough-cookie@2.4.3", + "UID": "7c060bff52008c76" + }, + "InstalledVersion": "2.4.3", + "FixedVersion": "4.1.3", + "Status": "fixed", + "Layer": { + "Digest": "sha256:d0fe2b74aff960282c3c01d80bbbb5b45a12e84f7e2ad3b65daac8f42351d5a6", + "DiffID": "sha256:f8700d3a252fffe60e30bc672e8a6560f30a3ce8816f2ad396020553fe4d9210" + }, + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2023-26136", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Title": "tough-cookie: prototype pollution in cookie memstore", + "Description": "Versions of the package tough-cookie before 4.1.3 are vulnerable to Prototype Pollution due to improper handling of Cookies when using CookieJar in rejectPublicSuffixes=false mode. 
This issue arises from the manner in which the objects are initialized.", + "Severity": "MEDIUM", + "CweIDs": [ + "CWE-1321" + ], + "VendorSeverity": { + "ghsa": 2, + "nvd": 4, + "redhat": 2 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", + "V3Score": 6.5 }, - "SeveritySource": "nvd", - "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-10744", - "Title": "nodejs-lodash: prototype pollution in defaultsDeep function leading to modifying properties", - "Description": "Versions of lodash lower than 4.17.12 are vulnerable to Prototype Pollution. The function defaultsDeep could be tricked into adding or modifying properties of Object.prototype using a constructor payload.", - "Severity": "CRITICAL", - "CVSS": { "nvd": { - "V2Vector": "AV:N/AC:L/Au:N/C:N/I:P/A:P", - "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H", - "V2Score": 6.4, - "V3Score": 9.1 + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "V3Score": 9.8 }, "redhat": { - "V3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H", - "V3Score": 9.1 + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", + "V3Score": 6.5 } - }, - "References": [ - "https://access.redhat.com/errata/RHSA-2019:3024", - "https://github.com/advisories/GHSA-jf85-cpcp-j695", - "https://nvd.nist.gov/vuln/detail/CVE-2019-10744", - "https://security.netapp.com/advisory/ntap-20191004-0005/", - "https://snyk.io/vuln/SNYK-JS-LODASH-450202", - "https://support.f5.com/csp/article/K47105354?utm_source=f5support\u0026amp;utm_medium=RSS", - "https://www.oracle.com/security-alerts/cpujan2021.html", - "https://www.oracle.com/security-alerts/cpuoct2020.html" - ], - "PublishedDate": "2019-07-26T00:15:00Z", - "LastModifiedDate": "2021-03-16T13:57:00Z" + }, + "References": [ + "https://access.redhat.com/security/cve/CVE-2023-26136", + "https://github.com/salesforce/tough-cookie", + "https://github.com/salesforce/tough-cookie/commit/12d474791bb856004e858fdb1c47b7608d09cf6e", + 
"https://github.com/salesforce/tough-cookie/issues/282", + "https://github.com/salesforce/tough-cookie/releases/tag/v4.1.3", + "https://lists.debian.org/debian-lts-announce/2023/07/msg00010.html", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3HUE6ZR5SL73KHL7XUPAOEL6SB7HUDT2", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3HUE6ZR5SL73KHL7XUPAOEL6SB7HUDT2/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6PVVPNSAGSDS63HQ74PJ7MZ3MU5IYNVZ", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6PVVPNSAGSDS63HQ74PJ7MZ3MU5IYNVZ/", + "https://nvd.nist.gov/vuln/detail/CVE-2023-26136", + "https://security.netapp.com/advisory/ntap-20240621-0006", + "https://security.netapp.com/advisory/ntap-20240621-0006/", + "https://security.snyk.io/vuln/SNYK-JS-TOUGHCOOKIE-5672873", + "https://www.cve.org/CVERecord?id=CVE-2023-26136" + ], + "PublishedDate": "2023-07-01T05:15:16.103Z", + "LastModifiedDate": "2024-06-21T19:15:26.163Z" }, { - "VulnerabilityID": "CVE-2020-8203", - "PkgName": "lodash", - "PkgPath": "juice-shop/node_modules/clarinet/benchmark/node_modules/lodash/package.json", - "InstalledVersion": "4.17.11", - "FixedVersion": "4.17.19", - "Layer": { + "VulnerabilityID": "CVE-2023-26136", + "PkgID": "tough-cookie@2.5.0", + "PkgName": "tough-cookie", + "PkgPath": "juice-shop/node_modules/tough-cookie/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/tough-cookie@2.5.0", + "UID": "8e71da9dbf3873ed" + }, + "InstalledVersion": "2.5.0", + "FixedVersion": "4.1.3", + "Status": "fixed", + "Layer": { "Digest": "sha256:d60b2707975852ac9893dd5f0b9ed98a222f5a8c5b80003dafe8cb2c419d7407", "DiffID": "sha256:882c984cafed0fa20487f0b4f95474af7d46cff44d735d266633ebcea37e2bd1" + }, + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2023-26136", + "DataSource": { + "ID": 
"ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Title": "tough-cookie: prototype pollution in cookie memstore", + "Description": "Versions of the package tough-cookie before 4.1.3 are vulnerable to Prototype Pollution due to improper handling of Cookies when using CookieJar in rejectPublicSuffixes=false mode. This issue arises from the manner in which the objects are initialized.", + "Severity": "MEDIUM", + "CweIDs": [ + "CWE-1321" + ], + "VendorSeverity": { + "ghsa": 2, + "nvd": 4, + "redhat": 2 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", + "V3Score": 6.5 }, - "SeveritySource": "nvd", - "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2020-8203", - "Title": "nodejs-lodash: prototype pollution in zipObjectDeep function", - "Description": "Prototype pollution attack when using _.zipObjectDeep in lodash before 4.17.20.", - "Severity": "HIGH", - "CweIDs": [ - "CWE-770" - ], - "CVSS": { "nvd": { - "V2Vector": "AV:N/AC:M/Au:N/C:N/I:P/A:P", - "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H", - "V2Score": 5.8, - "V3Score": 7.4 + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "V3Score": 9.8 }, "redhat": { - "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H", - "V3Score": 7.4 + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", + "V3Score": 6.5 } - }, - "References": [ - "https://github.com/advisories/GHSA-p6mc-m468-83gw", - "https://github.com/lodash/lodash/issues/4874", - "https://hackerone.com/reports/712065", - "https://nvd.nist.gov/vuln/detail/CVE-2020-8203", - "https://security.netapp.com/advisory/ntap-20200724-0006/", - "https://www.npmjs.com/advisories/1523", - "https://www.oracle.com//security-alerts/cpujul2021.html", - "https://www.oracle.com/security-alerts/cpuApr2021.html", - "https://www.oracle.com/security-alerts/cpuoct2021.html" - ], - "PublishedDate": "2020-07-15T17:15:00Z", - 
"LastModifiedDate": "2021-10-20T11:15:00Z" + }, + "References": [ + "https://access.redhat.com/security/cve/CVE-2023-26136", + "https://github.com/salesforce/tough-cookie", + "https://github.com/salesforce/tough-cookie/commit/12d474791bb856004e858fdb1c47b7608d09cf6e", + "https://github.com/salesforce/tough-cookie/issues/282", + "https://github.com/salesforce/tough-cookie/releases/tag/v4.1.3", + "https://lists.debian.org/debian-lts-announce/2023/07/msg00010.html", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3HUE6ZR5SL73KHL7XUPAOEL6SB7HUDT2", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3HUE6ZR5SL73KHL7XUPAOEL6SB7HUDT2/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6PVVPNSAGSDS63HQ74PJ7MZ3MU5IYNVZ", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6PVVPNSAGSDS63HQ74PJ7MZ3MU5IYNVZ/", + "https://nvd.nist.gov/vuln/detail/CVE-2023-26136", + "https://security.netapp.com/advisory/ntap-20240621-0006", + "https://security.netapp.com/advisory/ntap-20240621-0006/", + "https://security.snyk.io/vuln/SNYK-JS-TOUGHCOOKIE-5672873", + "https://www.cve.org/CVERecord?id=CVE-2023-26136" + ], + "PublishedDate": "2023-07-01T05:15:16.103Z", + "LastModifiedDate": "2024-06-21T19:15:26.163Z" }, { - "VulnerabilityID": "CVE-2021-23337", - "PkgName": "lodash", - "PkgPath": "juice-shop/node_modules/clarinet/benchmark/node_modules/lodash/package.json", - "InstalledVersion": "4.17.11", - "FixedVersion": "4.17.21", - "Layer": { + "VulnerabilityID": "CVE-2021-3765", + "PkgID": "validator@13.6.0", + "PkgName": "validator", + "PkgPath": "juice-shop/node_modules/validator/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/validator@13.6.0", + "UID": "2f782836ed5d11f6" + }, + "InstalledVersion": "13.6.0", + "FixedVersion": "13.7.0", + "Status": "fixed", + "Layer": { "Digest": 
"sha256:d60b2707975852ac9893dd5f0b9ed98a222f5a8c5b80003dafe8cb2c419d7407", "DiffID": "sha256:882c984cafed0fa20487f0b4f95474af7d46cff44d735d266633ebcea37e2bd1" + }, + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2021-3765", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Title": "validator: Inefficient Regular Expression Complexity in Validator.js", + "Description": "validator.js is vulnerable to Inefficient Regular Expression Complexity", + "Severity": "MEDIUM", + "CweIDs": [ + "CWE-1333" + ], + "VendorSeverity": { + "ghsa": 2, + "nvd": 3, + "redhat": 2 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", + "V3Score": 5.3 }, - "SeveritySource": "nvd", - "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2021-23337", - "Title": "nodejs-lodash: command injection via template", - "Description": "Lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function.", - "Severity": "HIGH", - "CweIDs": [ - "CWE-77" - ], - "CVSS": { "nvd": { - "V2Vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P", - "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", - "V2Score": 6.5, - "V3Score": 7.2 + "V2Vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P", + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V2Score": 5, + "V3Score": 7.5 }, "redhat": { - "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", - "V3Score": 7.2 + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 7.5 } - }, - "References": [ - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23337", - "https://github.com/advisories/GHSA-35jh-r3h4-6jhm", - "https://github.com/lodash/lodash/blob/ddfd9b11a0126db2302cb70ec9973b66baec0975/lodash.js%23L14851", - "https://nvd.nist.gov/vuln/detail/CVE-2021-23337", - "https://security.netapp.com/advisory/ntap-20210312-0006/", - 
"https://snyk.io/vuln/SNYK-JAVA-ORGFUJIONWEBJARS-1074932", - "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-1074930", - "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1074928", - "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBLODASH-1074931", - "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1074929", - "https://snyk.io/vuln/SNYK-JS-LODASH-1040724", - "https://www.oracle.com//security-alerts/cpujul2021.html", - "https://www.oracle.com/security-alerts/cpuoct2021.html" - ], - "PublishedDate": "2021-02-15T13:15:00Z", - "LastModifiedDate": "2021-10-20T11:16:00Z" + }, + "References": [ + "https://access.redhat.com/security/cve/CVE-2021-3765", + "https://github.com/validatorjs/validator.js", + "https://github.com/validatorjs/validator.js/commit/496fc8b2a7f5997acaaec33cc44d0b8dba5fb5e1", + "https://huntr.dev/bounties/c37e975c-21a3-4c5f-9b57-04d63b28cfc9", + "https://nvd.nist.gov/vuln/detail/CVE-2021-3765", + "https://www.cve.org/CVERecord?id=CVE-2021-3765" + ], + "PublishedDate": "2021-11-02T07:15:07.28Z", + "LastModifiedDate": "2023-07-07T19:27:40.96Z" }, { - "VulnerabilityID": "GHSA-5mrr-rgp6-x4gr", - "PkgName": "marsdb", - "PkgPath": "juice-shop/node_modules/marsdb/package.json", - "InstalledVersion": "0.6.11", - "Layer": { + "VulnerabilityID": "GHSA-xx4c-jj58-r7x6", + "PkgID": "validator@13.6.0", + "PkgName": "validator", + "PkgPath": "juice-shop/node_modules/validator/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/validator@13.6.0", + "UID": "2f782836ed5d11f6" + }, + "InstalledVersion": "13.6.0", + "FixedVersion": "13.7.0", + "Status": "fixed", + "Layer": { "Digest": "sha256:d60b2707975852ac9893dd5f0b9ed98a222f5a8c5b80003dafe8cb2c419d7407", "DiffID": "sha256:882c984cafed0fa20487f0b4f95474af7d46cff44d735d266633ebcea37e2bd1" - }, - "PrimaryURL": "https://github.com/advisories/GHSA-5mrr-rgp6-x4gr", - "Title": "Command Injection in marsdb", - "Description": "All versions of `marsdb` are vulnerable to Command Injection. 
In the `DocumentMatcher` class, selectors on `$where` clauses are passed to a Function constructor unsanitized. This allows attackers to run arbitrary commands in the system when the function is executed.\n\n\n## Recommendation\n\nNo fix is currently available. Consider using an alternative package until a fix is made available.", - "Severity": "CRITICAL", - "References": [ - "https://github.com/advisories/GHSA-5mrr-rgp6-x4gr", - "https://github.com/bkimminich/juice-shop/issues/1173" - ] + }, + "SeveritySource": "ghsa", + "PrimaryURL": "https://github.com/advisories/GHSA-xx4c-jj58-r7x6", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Title": "Inefficient Regular Expression Complexity in Validator.js", + "Description": "### Impact\nVersions of `validator` prior to 13.7.0 are affected by an inefficient Regular Expression complexity when using the `rtrim` and `trim` sanitizers.\n\n### Patches\nThe problem has been patched in validator 13.7.0", + "Severity": "MEDIUM", + "VendorSeverity": { + "ghsa": 2 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", + "V3Score": 5.3 + } + }, + "References": [ + "https://github.com/validatorjs/validator.js", + "https://github.com/validatorjs/validator.js/issues/1599", + "https://github.com/validatorjs/validator.js/pull/1738", + "https://github.com/validatorjs/validator.js/security/advisories/GHSA-xx4c-jj58-r7x6", + "https://huntr.dev/bounties/c37e975c-21a3-4c5f-9b57-04d63b28cfc9", + "https://nvd.nist.gov/vuln/detail/CVE-2021-3765" + ] }, { - "VulnerabilityID": "CVE-2017-18214", - "PkgName": "moment", - "PkgPath": "juice-shop/node_modules/moment/package.json", - "InstalledVersion": "2.0.0", - "FixedVersion": "2.19.3", - "Layer": { + "VulnerabilityID": "CVE-2021-23449", + "PkgID": "vm2@3.9.3", + "PkgName": "vm2", + "PkgPath": "juice-shop/node_modules/vm2/package.json", + 
"PkgIdentifier": { + "PURL": "pkg:npm/vm2@3.9.3", + "UID": "8e293d2b1cfb2f05" + }, + "InstalledVersion": "3.9.3", + "FixedVersion": "3.9.4", + "Status": "fixed", + "Layer": { "Digest": "sha256:d60b2707975852ac9893dd5f0b9ed98a222f5a8c5b80003dafe8cb2c419d7407", "DiffID": "sha256:882c984cafed0fa20487f0b4f95474af7d46cff44d735d266633ebcea37e2bd1" + }, + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2021-23449", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Title": "Prototype Pollution in vm2", + "Description": "This affects the package vm2 before 3.9.4 via a Prototype Pollution attack vector, which can lead to execution of arbitrary code on the host machine.", + "Severity": "CRITICAL", + "CweIDs": [ + "CWE-1321" + ], + "VendorSeverity": { + "ghsa": 4, + "nvd": 4 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "V3Score": 9.8 }, - "SeveritySource": "nvd", - "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2017-18214", - "Title": "nodejs-moment: Regular expression denial of service", - "Description": "The moment module before 2.19.3 for Node.js is prone to a regular expression denial of service via a crafted date string, a different vulnerability than CVE-2016-4055.", - "Severity": "HIGH", - "CweIDs": [ - "CWE-400" - ], - "CVSS": { "nvd": { - "V2Vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P", - "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", - "V2Score": 5, - "V3Score": 7.5 - }, - "redhat": { - "V3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", - "V3Score": 5.3 + "V2Vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P", + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", + "V2Score": 7.5, + "V3Score": 10 } - }, - "References": [ - "https://github.com/advisories/GHSA-446m-mv8f-q348", - "https://github.com/moment/moment/issues/4163", - "https://nodesecurity.io/advisories/532", - 
"https://nvd.nist.gov/vuln/detail/CVE-2017-18214", - "https://www.tenable.com/security/tns-2019-02" - ], - "PublishedDate": "2018-03-04T21:29:00Z", - "LastModifiedDate": "2020-11-16T20:23:00Z" + }, + "References": [ + "https://github.com/patriksimek/vm2", + "https://github.com/patriksimek/vm2/commit/b4f6e2bd2c4a1ef52fc4483d8e35f28bc4481886", + "https://github.com/patriksimek/vm2/issues/363", + "https://github.com/patriksimek/vm2/releases/tag/3.9.4", + "https://nvd.nist.gov/vuln/detail/CVE-2021-23449", + "https://security.netapp.com/advisory/ntap-20211029-0010", + "https://security.netapp.com/advisory/ntap-20211029-0010/", + "https://snyk.io/vuln/SNYK-JS-VM2-1585918" + ], + "PublishedDate": "2021-10-18T17:15:07.79Z", + "LastModifiedDate": "2022-06-28T14:11:45.273Z" }, { - "VulnerabilityID": "CVE-2016-4055", - "PkgName": "moment", - "PkgPath": "juice-shop/node_modules/moment/package.json", - "InstalledVersion": "2.0.0", - "FixedVersion": "2.11.2", - "Layer": { + "VulnerabilityID": "CVE-2021-23555", + "PkgID": "vm2@3.9.3", + "PkgName": "vm2", + "PkgPath": "juice-shop/node_modules/vm2/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/vm2@3.9.3", + "UID": "8e293d2b1cfb2f05" + }, + "InstalledVersion": "3.9.3", + "FixedVersion": "3.9.6", + "Status": "fixed", + "Layer": { "Digest": "sha256:d60b2707975852ac9893dd5f0b9ed98a222f5a8c5b80003dafe8cb2c419d7407", "DiffID": "sha256:882c984cafed0fa20487f0b4f95474af7d46cff44d735d266633ebcea37e2bd1" + }, + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2021-23555", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Title": "vm2: vulnerable to Sandbox Bypass", + "Description": "The package vm2 before 3.9.6 are vulnerable to Sandbox Bypass via direct access to host error objects generated by node internals during generation of a stacktraces, which can lead to execution of arbitrary code on the 
host machine.", + "Severity": "CRITICAL", + "VendorSeverity": { + "ghsa": 4, + "nvd": 4, + "redhat": 2 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "V3Score": 9.8 }, - "SeveritySource": "nvd", - "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2016-4055", - "Title": "moment.js: regular expression denial of service", - "Description": "The duration function in the moment package before 2.11.2 for Node.js allows remote attackers to cause a denial of service (CPU consumption) via a long string, aka a \"regular expression Denial of Service (ReDoS).\"", - "Severity": "MEDIUM", - "CweIDs": [ - "CWE-399" - ], - "CVSS": { "nvd": { - "V2Vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C", - "V3Vector": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", - "V2Score": 7.8, - "V3Score": 6.5 + "V2Vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C", + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "V2Score": 10, + "V3Score": 9.8 }, "redhat": { - "V2Vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P", - "V2Score": 4.3 + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "V3Score": 9.8 } - }, - "References": [ - "http://www.openwall.com/lists/oss-security/2016/04/20/11", - "http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html", - "http://www.securityfocus.com/bid/95849", - "https://github.com/advisories/GHSA-87vv-r9j6-g5qv", - "https://lists.apache.org/thread.html/10f0f3aefd51444d1198c65f44ffdf2d78ca3359423dbc1c168c9731@%3Cdev.flink.apache.org%3E", - "https://lists.apache.org/thread.html/17ff53f7999e74fbe3cc0ceb4e1c3b00b180b7c5afec8e978837bc49@%3Cuser.flink.apache.org%3E", - "https://lists.apache.org/thread.html/52bafac05ad174000ea465fe275fd3cc7bd5c25535a7631c0bc9bfb2@%3Cuser.flink.apache.org%3E", - "https://lists.apache.org/thread.html/54df3aeb4239b64b50b356f0ca6f986e3c4ca5b84c515dce077c7854@%3Cuser.flink.apache.org%3E", - "https://nodesecurity.io/advisories/55", - "https://nvd.nist.gov/vuln/detail/CVE-2016-4055", - 
"https://www.owasp.org/index.php/Regular_expression_Denial_of_Service_-_ReDoS", - "https://www.tenable.com/security/tns-2019-02" - ], - "PublishedDate": "2017-01-23T21:59:00Z", - "LastModifiedDate": "2019-08-11T18:15:00Z" + }, + "References": [ + "https://access.redhat.com/security/cve/CVE-2021-23555", + "https://github.com/patriksimek/vm2", + "https://github.com/patriksimek/vm2/commit/532120d5cdec7da8225fc6242e154ebabc63fe4d", + "https://nvd.nist.gov/vuln/detail/CVE-2021-23555", + "https://security.snyk.io/vuln/SNYK-JS-VM2-2309905", + "https://snyk.io/vuln/SNYK-JS-VM2-2309905", + "https://www.cve.org/CVERecord?id=CVE-2021-23555" + ], + "PublishedDate": "2022-02-11T20:15:07.44Z", + "LastModifiedDate": "2022-02-22T20:12:04.073Z" }, { - "VulnerabilityID": "CVE-2016-1000237", - "PkgName": "sanitize-html", - "PkgPath": "juice-shop/node_modules/sanitize-html/package.json", - "InstalledVersion": "1.4.2", - "FixedVersion": "1.4.3", - "Layer": { + "VulnerabilityID": "CVE-2022-25893", + "PkgID": "vm2@3.9.3", + "PkgName": "vm2", + "PkgPath": "juice-shop/node_modules/vm2/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/vm2@3.9.3", + "UID": "8e293d2b1cfb2f05" + }, + "InstalledVersion": "3.9.3", + "FixedVersion": "3.9.10", + "Status": "fixed", + "Layer": { "Digest": "sha256:d60b2707975852ac9893dd5f0b9ed98a222f5a8c5b80003dafe8cb2c419d7407", "DiffID": "sha256:882c984cafed0fa20487f0b4f95474af7d46cff44d735d266633ebcea37e2bd1" + }, + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2022-25893", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Title": "vm2 vulnerable to Arbitrary Code Execution", + "Description": "The package vm2 before 3.9.10 are vulnerable to Arbitrary Code Execution due to the usage of prototype lookup for the WeakMap.prototype.set method. 
Exploiting this vulnerability leads to access to a host object and a sandbox compromise.", + "Severity": "CRITICAL", + "VendorSeverity": { + "ghsa": 4, + "nvd": 4 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "V3Score": 9.8 }, - "SeveritySource": "nvd", - "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2016-1000237", - "Title": "XSS - Sanitization not applied recursively", - "Description": "sanitize-html before 1.4.3 has XSS.", - "Severity": "MEDIUM", - "CweIDs": [ - "CWE-79" - ], - "CVSS": { "nvd": { - "V2Vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N", - "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", - "V2Score": 4.3, - "V3Score": 6.1 + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "V3Score": 9.8 } - }, - "References": [ - "https://github.com/advisories/GHSA-3j7m-hmh3-9jmp", - "https://github.com/punkave/sanitize-html/issues/29", - "https://nodesecurity.io/advisories/135", - "https://nvd.nist.gov/vuln/detail/CVE-2016-1000237", - "https://raw.githubusercontent.com/distributedweaknessfiling/cvelist/master/2016/1000xxx/CVE-2016-1000237.json" - ], - "PublishedDate": "2020-01-23T15:15:00Z", - "LastModifiedDate": "2020-01-24T19:44:00Z" + }, + "References": [ + "https://github.com/patriksimek/vm2", + "https://github.com/patriksimek/vm2/issues/444", + "https://github.com/patriksimek/vm2/pull/445", + "https://github.com/patriksimek/vm2/pull/445/commits/3a9876482be487b78a90ac459675da7f83f46d69", + "https://nvd.nist.gov/vuln/detail/CVE-2022-25893", + "https://security.snyk.io/vuln/SNYK-JS-VM2-2990237" + ], + "PublishedDate": "2022-12-21T05:15:11.22Z", + "LastModifiedDate": "2023-01-03T13:59:08.26Z" }, { - "VulnerabilityID": "CVE-2017-16016", - "PkgName": "sanitize-html", - "PkgPath": "juice-shop/node_modules/sanitize-html/package.json", - "InstalledVersion": "1.4.2", - "FixedVersion": "1.11.4", - "Layer": { + "VulnerabilityID": "CVE-2022-36067", + "PkgID": "vm2@3.9.3", + "PkgName": "vm2", + "PkgPath": 
"juice-shop/node_modules/vm2/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/vm2@3.9.3", + "UID": "8e293d2b1cfb2f05" + }, + "InstalledVersion": "3.9.3", + "FixedVersion": "3.9.11", + "Status": "fixed", + "Layer": { "Digest": "sha256:d60b2707975852ac9893dd5f0b9ed98a222f5a8c5b80003dafe8cb2c419d7407", "DiffID": "sha256:882c984cafed0fa20487f0b4f95474af7d46cff44d735d266633ebcea37e2bd1" + }, + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2022-36067", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Title": "vm2: Sandbox Escape in vm2", + "Description": "vm2 is a sandbox that can run untrusted code with whitelisted Node's built-in modules. In versions prior to version 3.9.11, a threat actor can bypass the sandbox protections to gain remote code execution rights on the host running the sandbox. This vulnerability was patched in the release of version 3.9.11 of vm2. There are no known workarounds.", + "Severity": "CRITICAL", + "CweIDs": [ + "CWE-913" + ], + "VendorSeverity": { + "ghsa": 4, + "nvd": 4, + "redhat": 4 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", + "V3Score": 10 }, - "SeveritySource": "nvd", - "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2017-16016", - "Title": "Cross-Site Scripting in sanitize-html", - "Description": "Sanitize-html is a library for scrubbing html input of malicious values. 
Versions 1.11.1 and below are vulnerable to cross site scripting (XSS) in certain scenarios: If allowed at least one nonTextTags, the result is a potential XSS vulnerability.", - "Severity": "MEDIUM", - "CweIDs": [ - "CWE-79" - ], - "CVSS": { "nvd": { - "V2Vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N", - "V3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", - "V2Score": 4.3, - "V3Score": 6.1 - } + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", + "V3Score": 10 }, - "References": [ - "https://github.com/advisories/GHSA-xc6g-ggrc-qq4r", - "https://github.com/punkave/sanitize-html/commit/5d205a1005ba0df80e21d8c64a15bb3accdb2403", - "https://github.com/punkave/sanitize-html/issues/100", - "https://nodesecurity.io/advisories/154", - "https://nvd.nist.gov/vuln/detail/CVE-2017-16016" - ], - "PublishedDate": "2018-06-04T19:29:00Z", - "LastModifiedDate": "2019-10-09T23:24:00Z" + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", + "V3Score": 10 + } + }, + "References": [ + "https://access.redhat.com/security/cve/CVE-2022-36067", + "https://github.com/patriksimek/vm2", + "https://github.com/patriksimek/vm2/blob/master/lib/setup-sandbox.js#L71", + "https://github.com/patriksimek/vm2/commit/d9a7f3cc995d3d861e1380eafb886cb3c5e2b873#diff-b1a515a627d820118e76d0e323fe2f0589ed50a1eacb490f6c3278fe3698f164", + "https://github.com/patriksimek/vm2/issues/467", + "https://github.com/patriksimek/vm2/security/advisories/GHSA-mrgp-mrhc-5jrq", + "https://nvd.nist.gov/vuln/detail/CVE-2022-36067", + "https://security.netapp.com/advisory/ntap-20221017-0002", + "https://security.netapp.com/advisory/ntap-20221017-0002/", + "https://www.cve.org/CVERecord?id=CVE-2022-36067", + "https://www.oxeye.io/blog/vm2-sandbreak-vulnerability-cve-2022-36067" + ], + "PublishedDate": "2022-09-06T22:15:09.207Z", + "LastModifiedDate": "2022-11-08T03:03:23.473Z" }, { - "VulnerabilityID": "CVE-2021-26539", - "PkgName": "sanitize-html", - "PkgPath": 
"juice-shop/node_modules/sanitize-html/package.json", - "InstalledVersion": "1.4.2", - "FixedVersion": "2.3.1", - "Layer": { + "VulnerabilityID": "CVE-2023-29017", + "PkgID": "vm2@3.9.3", + "PkgName": "vm2", + "PkgPath": "juice-shop/node_modules/vm2/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/vm2@3.9.3", + "UID": "8e293d2b1cfb2f05" + }, + "InstalledVersion": "3.9.3", + "FixedVersion": "3.9.15", + "Status": "fixed", + "Layer": { "Digest": "sha256:d60b2707975852ac9893dd5f0b9ed98a222f5a8c5b80003dafe8cb2c419d7407", "DiffID": "sha256:882c984cafed0fa20487f0b4f95474af7d46cff44d735d266633ebcea37e2bd1" + }, + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2023-29017", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Title": "vm2: sandbox escape", + "Description": "vm2 is a sandbox that can run untrusted code with whitelisted Node's built-in modules. Prior to version 3.9.15, vm2 was not properly handling host objects passed to `Error.prepareStackTrace` in case of unhandled async errors. A threat actor could bypass the sandbox protections to gain remote code execution rights on the host running the sandbox. This vulnerability was patched in the release of version 3.9.15 of vm2. 
There are no known workarounds.", + "Severity": "CRITICAL", + "CweIDs": [ + "CWE-913" + ], + "VendorSeverity": { + "ghsa": 4, + "nvd": 4, + "redhat": 4 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "V3Score": 9.8 }, - "SeveritySource": "nvd", - "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2021-26539", - "Title": "sanitize-html: improper handling of internationalized domain name (IDN) can lead to bypass hostname whitelist validation", - "Description": "Apostrophe Technologies sanitize-html before 2.3.1 does not properly handle internationalized domain name (IDN) which could allow an attacker to bypass hostname whitelist validation set by the \"allowedIframeHostnames\" option.", - "Severity": "MEDIUM", - "CVSS": { "nvd": { - "V2Vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N", - "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", - "V2Score": 5, - "V3Score": 5.3 + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "V3Score": 9.8 }, "redhat": { - "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", - "V3Score": 5.3 + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "V3Score": 9.8 } - }, - "References": [ - "https://advisory.checkmarx.net/advisory/CX-2021-4308", - "https://github.com/advisories/GHSA-rjqq-98f6-6j3r", - "https://github.com/apostrophecms/sanitize-html/blob/main/CHANGELOG.md#231-2021-01-22", - "https://github.com/apostrophecms/sanitize-html/pull/458", - "https://nvd.nist.gov/vuln/detail/CVE-2021-26539" - ], - "PublishedDate": "2021-02-08T17:15:00Z", - "LastModifiedDate": "2021-03-25T23:15:00Z" + }, + "References": [ + "https://access.redhat.com/security/cve/CVE-2023-29017", + "https://gist.github.com/seongil-wi/2a44e082001b959bfe304b62121fb76d", + "https://github.com/patriksimek/vm2", + "https://github.com/patriksimek/vm2/commit/d534e5785f38307b70d3aac1945260a261a94d50", + "https://github.com/patriksimek/vm2/issues/515", + 
"https://github.com/patriksimek/vm2/security/advisories/GHSA-7jxr-cg7f-gpgv", + "https://nvd.nist.gov/vuln/detail/CVE-2023-29017", + "https://www.cve.org/CVERecord?id=CVE-2023-29017" + ], + "PublishedDate": "2023-04-06T20:15:08.723Z", + "LastModifiedDate": "2023-04-13T13:20:46.003Z" }, { - "VulnerabilityID": "CVE-2021-26540", - "PkgName": "sanitize-html", - "PkgPath": "juice-shop/node_modules/sanitize-html/package.json", - "InstalledVersion": "1.4.2", - "FixedVersion": "2.3.2", - "Layer": { + "VulnerabilityID": "CVE-2023-29199", + "PkgID": "vm2@3.9.3", + "PkgName": "vm2", + "PkgPath": "juice-shop/node_modules/vm2/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/vm2@3.9.3", + "UID": "8e293d2b1cfb2f05" + }, + "InstalledVersion": "3.9.3", + "FixedVersion": "3.9.16", + "Status": "fixed", + "Layer": { "Digest": "sha256:d60b2707975852ac9893dd5f0b9ed98a222f5a8c5b80003dafe8cb2c419d7407", "DiffID": "sha256:882c984cafed0fa20487f0b4f95474af7d46cff44d735d266633ebcea37e2bd1" + }, + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2023-29199", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Title": "vm2: Sandbox Escape", + "Description": "There exists a vulnerability in source code transformer (exception sanitization logic) of vm2 for versions up to 3.9.15, allowing attackers to bypass `handleException()` and leak unsanitized host exceptions which can be used to escape the sandbox and run arbitrary code in host context. A threat actor can bypass the sandbox protections to gain remote code execution rights on the host running the sandbox. 
This vulnerability was patched in the release of version `3.9.16` of `vm2`.\n", + "Severity": "CRITICAL", + "CweIDs": [ + "CWE-913" + ], + "VendorSeverity": { + "ghsa": 4, + "nvd": 4, + "redhat": 4 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "V3Score": 9.8 }, - "SeveritySource": "nvd", - "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2021-26540", - "Title": "sanitize-html: improper validation of hostnames set by the \"allowedIframeHostnames\" option can lead to bypass hostname whitelist for iframe element", - "Description": "Apostrophe Technologies sanitize-html before 2.3.2 does not properly validate the hostnames set by the \"allowedIframeHostnames\" option when the \"allowIframeRelativeUrls\" is set to true, which allows attackers to bypass hostname whitelist for iframe element, related using an src value that starts with \"/\\\\example.com\".", - "Severity": "MEDIUM", - "CVSS": { "nvd": { - "V2Vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N", - "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", - "V2Score": 5, - "V3Score": 5.3 + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", + "V3Score": 10 }, "redhat": { - "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", - "V3Score": 5.3 + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "V3Score": 9.8 } - }, - "References": [ - "https://advisory.checkmarx.net/advisory/CX-2021-4309", - "https://github.com/advisories/GHSA-mjxr-4v3x-q3m4", - "https://github.com/apostrophecms/sanitize-html/blob/main/CHANGELOG.md#232-2021-01-26", - "https://github.com/apostrophecms/sanitize-html/pull/460", - "https://nvd.nist.gov/vuln/detail/CVE-2021-26540" - ], - "PublishedDate": "2021-02-08T17:15:00Z", - "LastModifiedDate": "2021-04-01T15:02:00Z" + }, + "References": [ + "https://access.redhat.com/security/cve/CVE-2023-29199", + "https://gist.github.com/leesh3288/f05730165799bf56d70391f3d9ea187c", + "https://github.com/patriksimek/vm2", + 
"https://github.com/patriksimek/vm2/commit/24c724daa7c09f003e556d7cd1c7a8381cb985d7", + "https://github.com/patriksimek/vm2/issues/516", + "https://github.com/patriksimek/vm2/releases/tag/3.9.16", + "https://github.com/patriksimek/vm2/security/advisories/GHSA-xj72-wvfv-8985", + "https://nvd.nist.gov/vuln/detail/CVE-2023-29199", + "https://www.cve.org/CVERecord?id=CVE-2023-29199" + ], + "PublishedDate": "2023-04-14T19:15:09.337Z", + "LastModifiedDate": "2023-04-25T15:14:48.277Z" }, { - "VulnerabilityID": "NSWG-ECO-154", - "PkgName": "sanitize-html", - "PkgPath": "juice-shop/node_modules/sanitize-html/package.json", - "InstalledVersion": "1.4.2", - "FixedVersion": "\u003e=1.11.4", - "Layer": { + "VulnerabilityID": "CVE-2023-30547", + "PkgID": "vm2@3.9.3", + "PkgName": "vm2", + "PkgPath": "juice-shop/node_modules/vm2/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/vm2@3.9.3", + "UID": "8e293d2b1cfb2f05" + }, + "InstalledVersion": "3.9.3", + "FixedVersion": "3.9.17", + "Status": "fixed", + "Layer": { "Digest": "sha256:d60b2707975852ac9893dd5f0b9ed98a222f5a8c5b80003dafe8cb2c419d7407", "DiffID": "sha256:882c984cafed0fa20487f0b4f95474af7d46cff44d735d266633ebcea37e2bd1" + }, + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2023-30547", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Title": "vm2: Sandbox Escape when exception sanitization", + "Description": "vm2 is a sandbox that can run untrusted code with whitelisted Node's built-in modules. There exists a vulnerability in exception sanitization of vm2 for versions up to 3.9.16, allowing attackers to raise an unsanitized host exception inside `handleException()` which can be used to escape the sandbox and run arbitrary code in host context. This vulnerability was patched in the release of version `3.9.17` of `vm2`. There are no known workarounds for this vulnerability. 
Users are advised to upgrade.", + "Severity": "CRITICAL", + "CweIDs": [ + "CWE-74" + ], + "VendorSeverity": { + "ghsa": 4, + "nvd": 4, + "redhat": 4 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "V3Score": 9.8 }, - "Title": "Cross Site Scripting", - "Description": "Sanitize-html is a library for scrubbing html input of malicious values.\n\nVersions 1.11.1 and below are vulnerable to cross site scripting (XSS) in certain scenarios:\n\nIf allowed at least one nonTextTags, the result is a potential XSS vulnerability.\nPoC:\n\n```\nvar sanitizeHtml = require('sanitize-html');\n\nvar dirty = '!\u003ctextarea\u003e\u0026lt;/textarea\u0026gt;\u003csvg/onload=prompt`xs`\u0026gt;\u003c/textarea\u003e!';\nvar clean = sanitizeHtml(dirty, {\n allowedTags: [ 'textarea' ]\n});\n\nconsole.log(clean);\n\n// !\u003ctextarea\u003e\u003c/textarea\u003e\u003csvg/onload=prompt`xs`\u003e\u003c/textarea\u003e!\n```", - "Severity": "MEDIUM", - "References": [ - "https://github.com/punkave/sanitize-html/commit/5d205a1005ba0df80e21d8c64a15bb3accdb2403", - "https://github.com/punkave/sanitize-html/issues/100" - ] + "nvd": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", + "V3Score": 10 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "V3Score": 9.8 + } + }, + "References": [ + "https://access.redhat.com/security/cve/CVE-2023-30547", + "https://gist.github.com/leesh3288/381b230b04936dd4d74aaf90cc8bb244", + "https://github.com/patriksimek/vm2", + "https://github.com/patriksimek/vm2/commit/4b22e87b102d97d45d112a0931dba1aef7eea049", + "https://github.com/patriksimek/vm2/commit/f3db4dee4d76b19869df05ba7880d638a880edd5", + "https://github.com/patriksimek/vm2/releases/tag/3.9.17", + "https://github.com/patriksimek/vm2/security/advisories/GHSA-ch3r-j5x3-6q2m", + "https://nvd.nist.gov/vuln/detail/CVE-2023-30547", + "https://www.cve.org/CVERecord?id=CVE-2023-30547" + ], + "PublishedDate": 
"2023-04-17T22:15:10.487Z", + "LastModifiedDate": "2023-04-28T01:13:44.617Z" }, { - "VulnerabilityID": "CVE-2021-23440", - "PkgName": "set-value", - "PkgPath": "juice-shop/node_modules/set-value/package.json", - "InstalledVersion": "2.0.1", - "FixedVersion": "4.0.1", - "Layer": { + "VulnerabilityID": "CVE-2023-32314", + "PkgID": "vm2@3.9.3", + "PkgName": "vm2", + "PkgPath": "juice-shop/node_modules/vm2/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/vm2@3.9.3", + "UID": "8e293d2b1cfb2f05" + }, + "InstalledVersion": "3.9.3", + "FixedVersion": "3.9.18", + "Status": "fixed", + "Layer": { "Digest": "sha256:d60b2707975852ac9893dd5f0b9ed98a222f5a8c5b80003dafe8cb2c419d7407", "DiffID": "sha256:882c984cafed0fa20487f0b4f95474af7d46cff44d735d266633ebcea37e2bd1" + }, + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2023-32314", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Title": "vm2: Sandbox Escape", + "Description": "vm2 is a sandbox that can run untrusted code with Node's built-in modules. A sandbox escape vulnerability exists in vm2 for versions up to and including 3.9.17. It abuses an unexpected creation of a host object based on the specification of `Proxy`. As a result a threat actor can bypass the sandbox protections to gain remote code execution rights on the host running the sandbox. This vulnerability was patched in the release of version `3.9.18` of `vm2`. Users are advised to upgrade. 
There are no known workarounds for this vulnerability.", + "Severity": "CRITICAL", + "CweIDs": [ + "CWE-74" + ], + "VendorSeverity": { + "ghsa": 4, + "nvd": 4, + "redhat": 4 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "V3Score": 9.8 }, - "SeveritySource": "nvd", - "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2021-23440", - "Title": "nodejs-set-value: type confusion allows bypass of CVE-2019-10747", - "Description": "This affects the package set-value before \u003c2.0.1, \u003e=3.0.0 \u003c4.0.1. A type confusion vulnerability can lead to a bypass of CVE-2019-10747 when the user-provided keys used in the path parameter are arrays.", - "Severity": "CRITICAL", - "CweIDs": [ - "CWE-843" - ], - "CVSS": { "nvd": { - "V2Vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P", - "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", - "V2Score": 7.5, - "V3Score": 9.8 + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", + "V3Score": 10 }, "redhat": { - "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", - "V3Score": 7.3 + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "V3Score": 9.8 } - }, - "References": [ - "https://github.com/advisories/GHSA-4jqc-8m5r-9rpr", - "https://github.com/jonschlinkert/set-value/commit/7cf8073bb06bf0c15e08475f9f952823b4576452", - "https://github.com/jonschlinkert/set-value/pull/33", - "https://nvd.nist.gov/vuln/detail/CVE-2021-23440", - "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1584212", - "https://snyk.io/vuln/SNYK-JS-SETVALUE-1540541", - "https://www.huntr.dev/bounties/2eae1159-01de-4f82-a177-7478a408c4a2/" - ], - "PublishedDate": "2021-09-12T13:15:00Z", - "LastModifiedDate": "2021-11-03T20:29:00Z" + }, + "References": [ + "https://access.redhat.com/security/cve/CVE-2023-32314", + "https://gist.github.com/arkark/e9f5cf5782dec8321095be3e52acf5ac", + "https://github.com/patriksimek/vm2", + "https://github.com/patriksimek/vm2/commit/d88105f99752305c5b8a77b63ddee3ec86912daf", 
+ "https://github.com/patriksimek/vm2/releases/tag/3.9.18", + "https://github.com/patriksimek/vm2/security/advisories/GHSA-whpj-8f3w-67p5", + "https://nvd.nist.gov/vuln/detail/CVE-2023-32314", + "https://www.cve.org/CVERecord?id=CVE-2023-32314" + ], + "PublishedDate": "2023-05-15T20:15:09.177Z", + "LastModifiedDate": "2023-05-24T20:50:46.247Z" }, { - "VulnerabilityID": "CVE-2021-32803", - "PkgName": "tar", - "PkgPath": "juice-shop/node_modules/node-gyp/node_modules/tar/package.json", - "InstalledVersion": "2.2.2", - "FixedVersion": "6.1.2, 5.0.7, 4.4.15, 3.2.3", - "Layer": { + "VulnerabilityID": "CVE-2023-37466", + "PkgID": "vm2@3.9.3", + "PkgName": "vm2", + "PkgPath": "juice-shop/node_modules/vm2/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/vm2@3.9.3", + "UID": "8e293d2b1cfb2f05" + }, + "InstalledVersion": "3.9.3", + "Status": "affected", + "Layer": { "Digest": "sha256:d60b2707975852ac9893dd5f0b9ed98a222f5a8c5b80003dafe8cb2c419d7407", "DiffID": "sha256:882c984cafed0fa20487f0b4f95474af7d46cff44d735d266633ebcea37e2bd1" + }, + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2023-37466", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Title": "vm2: Promise handler sanitization can be bypassed allowing attackers to escape the sandbox and run arbitrary code", + "Description": "vm2 is an advanced vm/sandbox for Node.js. The library contains critical security issues and should not be used for production. The maintenance of the project has been discontinued. 
In vm2 for versions up to 3.9.19, `Promise` handler sanitization can be bypassed with the `@@species` accessor property allowing attackers to escape the sandbox and run arbitrary code, potentially allowing remote code execution inside the context of vm2 sandbox.", + "Severity": "CRITICAL", + "CweIDs": [ + "CWE-94" + ], + "VendorSeverity": { + "ghsa": 4, + "nvd": 4, + "redhat": 2 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "V3Score": 9.8 }, - "SeveritySource": "nvd", - "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2021-32803", - "Title": "nodejs-tar: Insufficient symlink protection allowing arbitrary file creation and overwrite", - "Description": "The npm package \"tar\" (aka node-tar) before versions 6.1.2, 5.0.7, 4.4.15, and 3.2.3 has an arbitrary File Creation/Overwrite vulnerability via insufficient symlink protection. `node-tar` aims to guarantee that any file whose location would be modified by a symbolic link is not extracted. This is, in part, achieved by ensuring that extracted directories are not symlinks. Additionally, in order to prevent unnecessary `stat` calls to determine whether a given path is a directory, paths are cached when directories are created. This logic was insufficient when extracting tar files that contained both a directory and a symlink with the same name as the directory. This order of operations resulted in the directory being created and added to the `node-tar` directory cache. When a directory is present in the directory cache, subsequent calls to mkdir for that directory are skipped. However, this is also where `node-tar` checks for symlinks occur. 
By first creating a directory, and then replacing that directory with a symlink, it was thus possible to bypass `node-tar` symlink checks on directories, essentially allowing an untrusted tar file to symlink into an arbitrary location and subsequently extracting arbitrary files into that location, thus allowing arbitrary file creation and overwrite. This issue was addressed in releases 3.2.3, 4.4.15, 5.0.7 and 6.1.2.", - "Severity": "HIGH", - "CweIDs": [ - "CWE-22" - ], - "CVSS": { "nvd": { - "V2Vector": "AV:N/AC:M/Au:N/C:N/I:P/A:P", - "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H", - "V2Score": 5.8, - "V3Score": 8.1 + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", + "V3Score": 10 }, "redhat": { - "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H", - "V3Score": 8.1 + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "V3Score": 9.8 } - }, - "References": [ - "https://github.com/advisories/GHSA-r628-mhmh-qjhw", - "https://github.com/npm/node-tar/commit/9dbdeb6df8e9dbd96fa9e84341b9d74734be6c20", - "https://github.com/npm/node-tar/security/advisories/GHSA-r628-mhmh-qjhw", - "https://linux.oracle.com/cve/CVE-2021-32803.html", - "https://linux.oracle.com/errata/ELSA-2021-3666.html", - "https://nvd.nist.gov/vuln/detail/CVE-2021-32803", - "https://www.npmjs.com/advisories/1771", - "https://www.npmjs.com/package/tar", - "https://www.oracle.com/security-alerts/cpuoct2021.html" - ], - "PublishedDate": "2021-08-03T19:15:00Z", - "LastModifiedDate": "2021-10-20T11:16:00Z" + }, + "References": [ + "https://access.redhat.com/security/cve/CVE-2023-37466", + "https://gist.github.com/leesh3288/f693061e6523c97274ad5298eb2c74e9", + "https://github.com/patriksimek/vm2", + "https://github.com/patriksimek/vm2/security/advisories/GHSA-cchq-frgv-rjh5", + "https://nvd.nist.gov/vuln/detail/CVE-2023-37466", + "https://security.netapp.com/advisory/ntap-20230831-0007", + "https://www.cve.org/CVERecord?id=CVE-2023-37466" + ], + "PublishedDate": 
"2023-07-14T00:15:09.263Z", + "LastModifiedDate": "2024-02-01T14:05:45.75Z" }, { - "VulnerabilityID": "CVE-2021-32804", - "PkgName": "tar", - "PkgPath": "juice-shop/node_modules/node-gyp/node_modules/tar/package.json", - "InstalledVersion": "2.2.2", - "FixedVersion": "6.1.1, 5.0.6, 4.4.14, 3.2.2", - "Layer": { + "VulnerabilityID": "CVE-2023-37903", + "PkgID": "vm2@3.9.3", + "PkgName": "vm2", + "PkgPath": "juice-shop/node_modules/vm2/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/vm2@3.9.3", + "UID": "8e293d2b1cfb2f05" + }, + "InstalledVersion": "3.9.3", + "Status": "affected", + "Layer": { "Digest": "sha256:d60b2707975852ac9893dd5f0b9ed98a222f5a8c5b80003dafe8cb2c419d7407", "DiffID": "sha256:882c984cafed0fa20487f0b4f95474af7d46cff44d735d266633ebcea37e2bd1" + }, + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2023-37903", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Title": "vm2: custom inspect function allows attackers to escape the sandbox and run arbitrary code", + "Description": "vm2 is an open source vm/sandbox for Node.js. In vm2 for versions up to and including 3.9.19, Node.js custom inspect function allows attackers to escape the sandbox and run arbitrary code. This may result in Remote Code Execution, assuming the attacker has arbitrary code execution primitive inside the context of vm2 sandbox. There are no patches and no known workarounds. 
Users are advised to find an alternative software.", + "Severity": "CRITICAL", + "CweIDs": [ + "CWE-78" + ], + "VendorSeverity": { + "ghsa": 4, + "nvd": 4, + "redhat": 2 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "V3Score": 9.8 }, - "SeveritySource": "nvd", - "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2021-32804", - "Title": "nodejs-tar: Insufficient absolute path sanitization allowing arbitrary file creation and overwrite", - "Description": "The npm package \"tar\" (aka node-tar) before versions 6.1.1, 5.0.6, 4.4.14, and 3.3.2 has a arbitrary File Creation/Overwrite vulnerability due to insufficient absolute path sanitization. node-tar aims to prevent extraction of absolute file paths by turning absolute paths into relative paths when the `preservePaths` flag is not set to `true`. This is achieved by stripping the absolute path root from any absolute file paths contained in a tar file. For example `/home/user/.bashrc` would turn into `home/user/.bashrc`. This logic was insufficient when file paths contained repeated path roots such as `////home/user/.bashrc`. `node-tar` would only strip a single path root from such paths. When given an absolute file path with repeating path roots, the resulting path (e.g. `///home/user/.bashrc`) would still resolve to an absolute path, thus allowing arbitrary file creation and overwrite. This issue was addressed in releases 3.2.2, 4.4.14, 5.0.6 and 6.1.1. Users may work around this vulnerability without upgrading by creating a custom `onentry` method which sanitizes the `entry.path` or a `filter` method which removes entries with absolute paths. See referenced GitHub Advisory for details. 
Be aware of CVE-2021-32803 which fixes a similar bug in later versions of tar.", - "Severity": "HIGH", - "CweIDs": [ - "CWE-22" - ], - "CVSS": { "nvd": { - "V2Vector": "AV:N/AC:M/Au:N/C:N/I:P/A:P", - "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H", - "V2Score": 5.8, - "V3Score": 8.1 + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", + "V3Score": 10 }, "redhat": { - "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H", - "V3Score": 8.1 + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "V3Score": 9.8 } - }, - "References": [ - "https://github.com/advisories/GHSA-3jfq-g458-7qm9", - "https://github.com/npm/node-tar/commit/1f036ca23f64a547bdd6c79c1a44bc62e8115da4", - "https://github.com/npm/node-tar/security/advisories/GHSA-3jfq-g458-7qm9", - "https://linux.oracle.com/cve/CVE-2021-32804.html", - "https://linux.oracle.com/errata/ELSA-2021-3666.html", - "https://nvd.nist.gov/vuln/detail/CVE-2021-32804", - "https://www.npmjs.com/advisories/1770", - "https://www.npmjs.com/package/tar", - "https://www.oracle.com/security-alerts/cpuoct2021.html" - ], - "PublishedDate": "2021-08-03T19:15:00Z", - "LastModifiedDate": "2021-10-20T11:16:00Z" + }, + "References": [ + "https://access.redhat.com/security/cve/CVE-2023-37903", + "https://github.com/patriksimek/vm2", + "https://github.com/patriksimek/vm2/security/advisories/GHSA-g644-9gfx-q4q4", + "https://nvd.nist.gov/vuln/detail/CVE-2023-37903", + "https://security.netapp.com/advisory/ntap-20230831-0007", + "https://security.netapp.com/advisory/ntap-20230831-0007/", + "https://www.cve.org/CVERecord?id=CVE-2023-37903" + ], + "PublishedDate": "2023-07-21T20:15:16.057Z", + "LastModifiedDate": "2024-02-01T13:46:33.28Z" }, { - "VulnerabilityID": "CVE-2021-37701", - "PkgName": "tar", - "PkgPath": "juice-shop/node_modules/node-gyp/node_modules/tar/package.json", - "InstalledVersion": "2.2.2", - "FixedVersion": "6.1.7, 5.0.8, 4.4.16", - "Layer": { + "VulnerabilityID": "CVE-2023-32313", + "PkgID": 
"vm2@3.9.3", + "PkgName": "vm2", + "PkgPath": "juice-shop/node_modules/vm2/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/vm2@3.9.3", + "UID": "8e293d2b1cfb2f05" + }, + "InstalledVersion": "3.9.3", + "FixedVersion": "3.9.18", + "Status": "fixed", + "Layer": { "Digest": "sha256:d60b2707975852ac9893dd5f0b9ed98a222f5a8c5b80003dafe8cb2c419d7407", "DiffID": "sha256:882c984cafed0fa20487f0b4f95474af7d46cff44d735d266633ebcea37e2bd1" + }, + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2023-32313", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Title": "vm2: Inspect Manipulation", + "Description": "vm2 is a sandbox that can run untrusted code with Node's built-in modules. In versions 3.9.17 and lower of vm2 it was possible to get a read-write reference to the node `inspect` method and edit options for `console.log`. As a result a threat actor can edit options for the `console.log` command. This vulnerability was patched in the release of version `3.9.18` of `vm2`. Users are advised to upgrade. Users unable to upgrade may make the `inspect` method readonly with `vm.readonly(inspect)` after creating a vm.", + "Severity": "MEDIUM", + "CweIDs": [ + "CWE-74" + ], + "VendorSeverity": { + "ghsa": 2, + "nvd": 2, + "redhat": 2 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", + "V3Score": 5.3 }, - "SeveritySource": "nvd", - "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2021-37701", - "Title": "nodejs-tar: insufficient symlink protection due to directory cache poisoning using symbolic links allowing arbitrary file creation and overwrite", - "Description": "The npm package \"tar\" (aka node-tar) before versions 4.4.16, 5.0.8, and 6.1.7 has an arbitrary file creation/overwrite and arbitrary code execution vulnerability. 
node-tar aims to guarantee that any file whose location would be modified by a symbolic link is not extracted. This is, in part, achieved by ensuring that extracted directories are not symlinks. Additionally, in order to prevent unnecessary stat calls to determine whether a given path is a directory, paths are cached when directories are created. This logic was insufficient when extracting tar files that contained both a directory and a symlink with the same name as the directory, where the symlink and directory names in the archive entry used backslashes as a path separator on posix systems. The cache checking logic used both `\\` and `/` characters as path separators, however `\\` is a valid filename character on posix systems. By first creating a directory, and then replacing that directory with a symlink, it was thus possible to bypass node-tar symlink checks on directories, essentially allowing an untrusted tar file to symlink into an arbitrary location and subsequently extracting arbitrary files into that location, thus allowing arbitrary file creation and overwrite. Additionally, a similar confusion could arise on case-insensitive filesystems. If a tar archive contained a directory at `FOO`, followed by a symbolic link named `foo`, then on case-insensitive file systems, the creation of the symbolic link would remove the directory from the filesystem, but _not_ from the internal directory cache, as it would not be treated as a cache hit. A subsequent file entry within the `FOO` directory would then be placed in the target of the symbolic link, thinking that the directory had already been created. These issues were addressed in releases 4.4.16, 5.0.8 and 6.1.7. The v3 branch of node-tar has been deprecated and did not receive patches for these issues. If you are still using a v3 release we recommend you update to a more recent version of node-tar. 
If this is not possible, a workaround is available in the referenced GHSA-9r2w-394v-53qc.", - "Severity": "HIGH", - "CweIDs": [ - "CWE-22", - "CWE-59" - ], - "CVSS": { "nvd": { - "V2Vector": "AV:L/AC:M/Au:N/C:P/I:P/A:P", - "V3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H", - "V2Score": 4.4, - "V3Score": 8.6 + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", + "V3Score": 5.3 }, "redhat": { - "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H", - "V3Score": 8.1 + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", + "V3Score": 5.3 } - }, - "References": [ - "https://github.com/advisories/GHSA-9r2w-394v-53qc", - "https://github.com/npm/node-tar/security/advisories/GHSA-9r2w-394v-53qc", - "https://nvd.nist.gov/vuln/detail/CVE-2021-37701", - "https://www.npmjs.com/advisories/1779", - "https://www.npmjs.com/package/tar", - "https://www.oracle.com/security-alerts/cpuoct2021.html" - ], - "PublishedDate": "2021-08-31T17:15:00Z", - "LastModifiedDate": "2021-10-20T11:17:00Z" + }, + "References": [ + "https://access.redhat.com/security/cve/CVE-2023-32313", + "https://gist.github.com/arkark/c1c57eaf3e0a649af1a70c2b93b17550", + "https://github.com/patriksimek/vm2", + "https://github.com/patriksimek/vm2/commit/5206ba25afd86ef547a2c9d48d46ca7a9e6ec238", + "https://github.com/patriksimek/vm2/releases/tag/3.9.18", + "https://github.com/patriksimek/vm2/security/advisories/GHSA-p5gc-c584-jj6v", + "https://nvd.nist.gov/vuln/detail/CVE-2023-32313", + "https://www.cve.org/CVERecord?id=CVE-2023-32313" + ], + "PublishedDate": "2023-05-15T20:15:09.07Z", + "LastModifiedDate": "2023-05-24T20:43:19.08Z" }, { - "VulnerabilityID": "CVE-2021-37712", - "PkgName": "tar", - "PkgPath": "juice-shop/node_modules/node-gyp/node_modules/tar/package.json", - "InstalledVersion": "2.2.2", - "FixedVersion": "6.1.9, 5.0.10, 4.4.18", - "Layer": { + "VulnerabilityID": "CVE-2023-26115", + "PkgID": "word-wrap@1.2.3", + "PkgName": "word-wrap", + "PkgPath": 
"juice-shop/node_modules/word-wrap/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/word-wrap@1.2.3", + "UID": "d7caf042119092f3" + }, + "InstalledVersion": "1.2.3", + "FixedVersion": "1.2.4", + "Status": "fixed", + "Layer": { "Digest": "sha256:d60b2707975852ac9893dd5f0b9ed98a222f5a8c5b80003dafe8cb2c419d7407", "DiffID": "sha256:882c984cafed0fa20487f0b4f95474af7d46cff44d735d266633ebcea37e2bd1" + }, + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2023-26115", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Title": "word-wrap: ReDoS", + "Description": "All versions of the package word-wrap are vulnerable to Regular Expression Denial of Service (ReDoS) due to the usage of an insecure regular expression within the result variable.\r\r", + "Severity": "MEDIUM", + "CweIDs": [ + "CWE-1333" + ], + "VendorSeverity": { + "ghsa": 2, + "nvd": 3, + "redhat": 3 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", + "V3Score": 5.3 }, - "SeveritySource": "nvd", - "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2021-37712", - "Title": "nodejs-tar: insufficient symlink protection due to directory cache poisoning using symbolic links allowing arbitrary file creation and overwrite", - "Description": "The npm package \"tar\" (aka node-tar) before versions 4.4.18, 5.0.10, and 6.1.9 has an arbitrary file creation/overwrite and arbitrary code execution vulnerability. node-tar aims to guarantee that any file whose location would be modified by a symbolic link is not extracted. This is, in part, achieved by ensuring that extracted directories are not symlinks. Additionally, in order to prevent unnecessary stat calls to determine whether a given path is a directory, paths are cached when directories are created. 
This logic was insufficient when extracting tar files that contained both a directory and a symlink with names containing unicode values that normalized to the same value. Additionally, on Windows systems, long path portions would resolve to the same file system entities as their 8.3 \"short path\" counterparts. A specially crafted tar archive could thus include a directory with one form of the path, followed by a symbolic link with a different string that resolves to the same file system entity, followed by a file using the first form. By first creating a directory, and then replacing that directory with a symlink that had a different apparent name that resolved to the same entry in the filesystem, it was thus possible to bypass node-tar symlink checks on directories, essentially allowing an untrusted tar file to symlink into an arbitrary location and subsequently extracting arbitrary files into that location, thus allowing arbitrary file creation and overwrite. These issues were addressed in releases 4.4.18, 5.0.10 and 6.1.9. The v3 branch of node-tar has been deprecated and did not receive patches for these issues. If you are still using a v3 release we recommend you update to a more recent version of node-tar. 
If this is not possible, a workaround is available in the referenced GHSA-qq89-hq3f-393p.", - "Severity": "HIGH", - "CweIDs": [ - "CWE-22", - "CWE-59" - ], - "CVSS": { "nvd": { - "V2Vector": "AV:L/AC:M/Au:N/C:P/I:P/A:P", - "V3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H", - "V2Score": 4.4, - "V3Score": 8.6 + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 7.5 }, "redhat": { - "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H", - "V3Score": 8.1 + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 7.5 } - }, - "References": [ - "https://github.com/advisories/GHSA-qq89-hq3f-393p", - "https://github.com/npm/node-tar/security/advisories/GHSA-qq89-hq3f-393p", - "https://nvd.nist.gov/vuln/detail/CVE-2021-37712", - "https://www.npmjs.com/advisories/1780", - "https://www.npmjs.com/package/tar", - "https://www.oracle.com/security-alerts/cpuoct2021.html" - ], - "PublishedDate": "2021-08-31T17:15:00Z", - "LastModifiedDate": "2021-10-20T11:17:00Z" + }, + "References": [ + "https://access.redhat.com/security/cve/CVE-2023-26115", + "https://github.com/jonschlinkert/word-wrap", + "https://github.com/jonschlinkert/word-wrap/blob/master/index.js#L39", + "https://github.com/jonschlinkert/word-wrap/blob/master/index.js%23L39", + "https://github.com/jonschlinkert/word-wrap/commit/420dce9a2412b21881202b73a3c34f0edc53cb2e", + "https://github.com/jonschlinkert/word-wrap/releases/tag/1.2.4", + "https://nvd.nist.gov/vuln/detail/CVE-2023-26115", + "https://security.netapp.com/advisory/ntap-20240621-0006", + "https://security.netapp.com/advisory/ntap-20240621-0006/", + "https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-4058657", + "https://security.snyk.io/vuln/SNYK-JS-WORDWRAP-3149973", + "https://www.cve.org/CVERecord?id=CVE-2023-26115" + ], + "PublishedDate": "2023-06-22T05:15:09.157Z", + "LastModifiedDate": "2024-06-21T19:15:25.887Z" }, { - "VulnerabilityID": "CVE-2021-37713", - "PkgName": "tar", - "PkgPath": 
"juice-shop/node_modules/node-gyp/node_modules/tar/package.json", - "InstalledVersion": "2.2.2", - "FixedVersion": "6.1.9, 5.0.10, 4.4.18", - "Layer": { + "VulnerabilityID": "CVE-2024-37890", + "PkgID": "ws@7.4.6", + "PkgName": "ws", + "PkgPath": "juice-shop/node_modules/ws/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/ws@7.4.6", + "UID": "cf983c016cf3f82d" + }, + "InstalledVersion": "7.4.6", + "FixedVersion": "5.2.4, 6.2.3, 7.5.10, 8.17.1", + "Status": "fixed", + "Layer": { "Digest": "sha256:d60b2707975852ac9893dd5f0b9ed98a222f5a8c5b80003dafe8cb2c419d7407", "DiffID": "sha256:882c984cafed0fa20487f0b4f95474af7d46cff44d735d266633ebcea37e2bd1" + }, + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2024-37890", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Title": "nodejs-ws: denial of service when handling a request with many HTTP headers", + "Description": "ws is an open source WebSocket client and server for Node.js. A request with a number of headers exceeding theserver.maxHeadersCount threshold could be used to crash a ws server. The vulnerability was fixed in ws@8.17.1 (e55e510) and backported to ws@7.5.10 (22c2876), ws@6.2.3 (eeb76d3), and ws@5.2.4 (4abd8f6). In vulnerable versions of ws, the issue can be mitigated in the following ways: 1. Reduce the maximum allowed length of the request headers using the --max-http-header-size=size and/or the maxHeaderSize options so that no more headers than the server.maxHeadersCount limit can be sent. 2. 
Set server.maxHeadersCount to 0 so that no limit is applied.", + "Severity": "HIGH", + "CweIDs": [ + "CWE-476" + ], + "VendorSeverity": { + "cbl-mariner": 3, + "ghsa": 3, + "redhat": 2 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 7.5 }, - "SeveritySource": "nvd", - "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2021-37713", - "Title": "Arbitrary File Creation/Overwrite on Windows via insufficient relative path sanitization", - "Description": "The npm package \"tar\" (aka node-tar) before versions 4.4.18, 5.0.10, and 6.1.9 has an arbitrary file creation/overwrite and arbitrary code execution vulnerability. node-tar aims to guarantee that any file whose location would be outside of the extraction target directory is not extracted. This is, in part, accomplished by sanitizing absolute paths of entries within the archive, skipping archive entries that contain `..` path portions, and resolving the sanitized paths against the extraction target directory. This logic was insufficient on Windows systems when extracting tar files that contained a path that was not an absolute path, but specified a drive letter different from the extraction target, such as `C:some\\path`. If the drive letter does not match the extraction target, for example `D:\\extraction\\dir`, then the result of `path.resolve(extractionDirectory, entryPath)` would resolve against the current working directory on the `C:` drive, rather than the extraction target directory. Additionally, a `..` portion of the path could occur immediately after the drive letter, such as `C:../foo`, and was not properly sanitized by the logic that checked for `..` within the normalized and split portions of the path. This only affects users of `node-tar` on Windows systems. These issues were addressed in releases 4.4.18, 5.0.10 and 6.1.9. The v3 branch of node-tar has been deprecated and did not receive patches for these issues. 
If you are still using a v3 release we recommend you update to a more recent version of node-tar. There is no reasonable way to work around this issue without performing the same path normalization procedures that node-tar now does. Users are encouraged to upgrade to the latest patched versions of node-tar, rather than attempt to sanitize paths themselves.", - "Severity": "HIGH", - "CweIDs": [ - "CWE-22" - ], - "CVSS": { - "nvd": { - "V2Vector": "AV:L/AC:M/Au:N/C:P/I:P/A:P", - "V3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H", - "V2Score": 4.4, - "V3Score": 8.6 + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 5.9 } - }, - "References": [ - "https://github.com/advisories/GHSA-5955-9wpr-37jh", - "https://github.com/npm/node-tar/security/advisories/GHSA-5955-9wpr-37jh", - "https://nvd.nist.gov/vuln/detail/CVE-2021-37713", - "https://www.npmjs.com/package/tar", - "https://www.oracle.com/security-alerts/cpuoct2021.html" - ], - "PublishedDate": "2021-08-31T17:15:00Z", - "LastModifiedDate": "2021-10-20T11:17:00Z" + }, + "References": [ + "https://access.redhat.com/security/cve/CVE-2024-37890", + "https://github.com/websockets/ws", + "https://github.com/websockets/ws/commit/22c28763234aa75a7e1b76f5c01c181260d7917f", + "https://github.com/websockets/ws/commit/4abd8f6de4b0b65ef80b3ff081989479ed93377e", + "https://github.com/websockets/ws/commit/e55e5106f10fcbaac37cfa89759e4cc0d073a52c", + "https://github.com/websockets/ws/commit/eeb76d313e2a00dd5247ca3597bba7877d064a63", + "https://github.com/websockets/ws/issues/2230", + "https://github.com/websockets/ws/pull/2231", + "https://github.com/websockets/ws/security/advisories/GHSA-3h5v-q93c-6h6q", + "https://nodejs.org/api/http.html#servermaxheaderscount", + "https://nvd.nist.gov/vuln/detail/CVE-2024-37890", + "https://www.cve.org/CVERecord?id=CVE-2024-37890" + ], + "PublishedDate": "2024-06-17T20:15:13.203Z", + "LastModifiedDate": "2024-06-20T12:44:22.977Z" }, { - 
"VulnerabilityID": "CVE-2021-3765", - "PkgName": "validator", - "PkgPath": "juice-shop/node_modules/validator/package.json", - "InstalledVersion": "13.6.0", - "FixedVersion": "13.7.0", - "Layer": { + "VulnerabilityID": "CVE-2021-4435", + "PkgID": "yarn@1.22.5", + "PkgName": "yarn", + "PkgPath": "opt/yarn-v1.22.5/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/yarn@1.22.5", + "UID": "61e3da5f5baf402d" + }, + "InstalledVersion": "1.22.5", + "FixedVersion": "1.22.13", + "Status": "fixed", + "Layer": { + "Digest": "sha256:8a7ab7725978320093e26b86ae395a5b6e50ab2d4888b9e2a6c2ffd447598da8", + "DiffID": "sha256:b8f0e895f5208b04d533d013ddec6f12642fdd679ef70bc1497ffe733c97428b" + }, + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2021-4435", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Title": "yarn: untrusted search path", + "Description": "An untrusted search path vulnerability was found in Yarn. 
When a victim runs certain Yarn commands in a directory with attacker-controlled content, malicious commands could be executed in unexpected ways.", + "Severity": "HIGH", + "CweIDs": [ + "CWE-426" + ], + "VendorSeverity": { + "ghsa": 3, + "nvd": 3, + "photon": 3, + "redhat": 2, + "ubuntu": 2 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H", + "V3Score": 7.8 + }, + "nvd": { + "V3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "V3Score": 7.8 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H", + "V3Score": 7.7 + } + }, + "References": [ + "https://access.redhat.com/security/cve/CVE-2021-4435", + "https://bugzilla.redhat.com/show_bug.cgi?id=2262284", + "https://github.com/yarnpkg/yarn", + "https://github.com/yarnpkg/yarn/commit/67fcce88935e45092ffa2674c08053f1ef5268a1", + "https://github.com/yarnpkg/yarn/releases/tag/v1.22.13", + "https://nvd.nist.gov/vuln/detail/CVE-2021-4435", + "https://www.cve.org/CVERecord?id=CVE-2021-4435" + ], + "PublishedDate": "2024-02-04T20:15:45.657Z", + "LastModifiedDate": "2024-02-13T00:38:56.303Z" + } + ] + }, + { + "Target": "/juice-shop/build/lib/insecurity.js", + "Class": "secret", + "Secrets": [ + { + "RuleID": "private-key", + "Category": "AsymmetricPrivateKey", + "Severity": "HIGH", + "Title": "Asymmetric Private Key", + "StartLine": 18, + "EndLine": 18, + "Code": { + "Lines": [ + { + "Number": 16, + "Content": "const publicKey = fs.readFileSync('encryptionkeys/jwt.pub', 'utf8');", + "IsCause": false, + "Annotation": "", + "Truncated": false, + "Highlighted": "const publicKey = fs.readFileSync('encryptionkeys/jwt.pub', 'utf8');", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 17, + "Content": "module.exports.publicKey = publicKey;", + "IsCause": false, + "Annotation": "", + "Truncated": false, + "Highlighted": "module.exports.publicKey = publicKey;", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 18, + "Content": 
"----BEGIN RSA PRIVATE KEY-----****************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************-----END RSA PRIVATE", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "----BEGIN RSA PRIVATE KEY-----****************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************-----END RSA PRIVATE", + "FirstCause": true, + "LastCause": true + }, + { + "Number": 19, + "Content": "exports.hash = data =\u003e crypto.createHash('md5').update(data).digest('hex');", + 
"IsCause": false, + "Annotation": "", + "Truncated": false, + "Highlighted": "exports.hash = data =\u003e crypto.createHash('md5').update(data).digest('hex');", + "FirstCause": false, + "LastCause": false + } + ] + }, + "Match": "----BEGIN RSA PRIVATE KEY-----****************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************-----END RSA PRIVATE", + "Layer": { "Digest": "sha256:d60b2707975852ac9893dd5f0b9ed98a222f5a8c5b80003dafe8cb2c419d7407", "DiffID": "sha256:882c984cafed0fa20487f0b4f95474af7d46cff44d735d266633ebcea37e2bd1" - }, - "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2021-3765", - "Title": "Inefficient Regular Expression Complexity in validator.js", - "Description": "validator.js is vulnerable to Inefficient Regular Expression Complexity", - "Severity": "MEDIUM", - "References": [ - "https://github.com/advisories/GHSA-qgmg-gppg-76g5", - "https://github.com/validatorjs/validator.js/commit/496fc8b2a7f5997acaaec33cc44d0b8dba5fb5e1", - "https://huntr.dev/bounties/c37e975c-21a3-4c5f-9b57-04d63b28cfc9", - "https://nvd.nist.gov/vuln/detail/CVE-2021-3765" - ], - "PublishedDate": "2021-11-02T07:15:00Z", - "LastModifiedDate": "2021-11-02T11:31:00Z" - }, + } + } + ] + }, + { + "Target": 
"/juice-shop/frontend/src/app/app.guard.spec.ts", + "Class": "secret", + "Secrets": [ { - "VulnerabilityID": "CVE-2021-23449", - "PkgName": "vm2", - "PkgPath": "juice-shop/node_modules/vm2/package.json", - "InstalledVersion": "3.9.3", - "FixedVersion": "3.9.4", - "Layer": { + "RuleID": "jwt-token", + "Category": "JWT", + "Severity": "MEDIUM", + "Title": "JWT token", + "StartLine": 40, + "EndLine": 40, + "Code": { + "Lines": [ + { + "Number": 38, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": false, + "FirstCause": false, + "LastCause": false + }, + { + "Number": 39, + "Content": " it('returns payload from decoding a valid JWT', inject([LoginGuard], (guard: LoginGuard) =\u003e {", + "IsCause": false, + "Annotation": "", + "Truncated": false, + "Highlighted": " it('returns payload from decoding a valid JWT', inject([LoginGuard], (guard: LoginGuard) =\u003e {", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 40, + "Content": "ocalStorage.setItem('token', '***********************************************************************************************************************************************************')", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "ocalStorage.setItem('token', '***********************************************************************************************************************************************************')", + "FirstCause": true, + "LastCause": true + }, + { + "Number": 41, + "Content": " expect(guard.tokenDecode()).toEqual({", + "IsCause": false, + "Annotation": "", + "Truncated": false, + "Highlighted": " expect(guard.tokenDecode()).toEqual({", + "FirstCause": false, + "LastCause": false + } + ] + }, + "Match": "ocalStorage.setItem('token', '***********************************************************************************************************************************************************')", + "Layer": { "Digest": 
"sha256:d60b2707975852ac9893dd5f0b9ed98a222f5a8c5b80003dafe8cb2c419d7407", "DiffID": "sha256:882c984cafed0fa20487f0b4f95474af7d46cff44d735d266633ebcea37e2bd1" - }, - "SeveritySource": "nvd", - "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2021-23449", - "Title": "Prototype Pollution in vm2", - "Description": "This affects the package vm2 before 3.9.4 via a Prototype Pollution attack vector, which can lead to execution of arbitrary code on the host machine.", - "Severity": "CRITICAL", - "CweIDs": [ - "CWE-915" - ], - "CVSS": { - "nvd": { - "V2Vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P", - "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", - "V2Score": 7.5, - "V3Score": 10 - } - }, - "References": [ - "https://github.com/advisories/GHSA-rjf2-j2r6-q8gr", - "https://github.com/patriksimek/vm2/commit/b4f6e2bd2c4a1ef52fc4483d8e35f28bc4481886", - "https://github.com/patriksimek/vm2/issues/363", - "https://github.com/patriksimek/vm2/releases/tag/3.9.4", - "https://nvd.nist.gov/vuln/detail/CVE-2021-23449", - "https://security.netapp.com/advisory/ntap-20211029-0010/", - "https://snyk.io/vuln/SNYK-JS-VM2-1585918" - ], - "PublishedDate": "2021-10-18T17:15:00Z", - "LastModifiedDate": "2021-10-29T13:15:00Z" + } } - ] + ] + }, + { + "Target": "/juice-shop/lib/insecurity.js", + "Class": "secret", + "Secrets": [ + { + "RuleID": "private-key", + "Category": "AsymmetricPrivateKey", + "Severity": "HIGH", + "Title": "Asymmetric Private Key", + "StartLine": 19, + "EndLine": 19, + "Code": { + "Lines": [ + { + "Number": 17, + "Content": "const publicKey = fs.readFileSync('encryptionkeys/jwt.pub', 'utf8')", + "IsCause": false, + "Annotation": "", + "Truncated": false, + "Highlighted": "const publicKey = fs.readFileSync('encryptionkeys/jwt.pub', 'utf8')", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 18, + "Content": "module.exports.publicKey = publicKey", + "IsCause": false, + "Annotation": "", + "Truncated": false, + "Highlighted": "module.exports.publicKey = 
publicKey", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 19, + "Content": "----BEGIN RSA PRIVATE KEY-----****************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************-----END RSA PRIVATE", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "----BEGIN RSA PRIVATE KEY-----****************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************-----END RSA PRIVATE", + "FirstCause": true, + "LastCause": true + }, + { + "Number": 20, + "Content": 
"", + "IsCause": false, + "Annotation": "", + "Truncated": false, + "FirstCause": false, + "LastCause": false + } + ] + }, + "Match": "----BEGIN RSA PRIVATE KEY-----****************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************-----END RSA PRIVATE", + "Layer": { + "Digest": "sha256:d60b2707975852ac9893dd5f0b9ed98a222f5a8c5b80003dafe8cb2c419d7407", + "DiffID": "sha256:882c984cafed0fa20487f0b4f95474af7d46cff44d735d266633ebcea37e2bd1" + } + } + ] } - ] -} \ No newline at end of file + ] +} diff --git a/scanners/trivy/parser/__testFiles__/k8s-results_unexpected-attribute.json b/scanners/trivy/parser/__testFiles__/k8s-results_unexpected-attribute.json index 6a26dea6b5..32745b1c05 100644 --- a/scanners/trivy/parser/__testFiles__/k8s-results_unexpected-attribute.json +++ b/scanners/trivy/parser/__testFiles__/k8s-results_unexpected-attribute.json @@ -10,6 +10,7 @@ "Target": "docker.io/rancher/local-path-provisioner:v0.0.14 (alpine 3.12.0)", "Class": "os-pkgs", "Type": "alpine", + "Packages": [], "Vulnerabilities": [ { "VulnerabilityID": "CVE-2021-36159", 
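Review bot: Every `"Packages"` value added to the fixtures here and in local-k8s-scan-result.json (hunks `@@ -10,6 +10,7 @@` onward) is the empty array, so the populated shape of that field is never represented in test data. If the parser change this accompanies reads `Packages` (the parser itself is not in this chunk), the fixtures only exercise the empty-list path; one target with a non-empty `Packages` entry, or a comment in the test explaining that the field is intentionally ignored, would make the intent explicit. The k8s-results_unexpected-attribute.json fixture is named for the unexpected-attribute case, so it is worth confirming that adding a now-expected field there does not weaken what that fixture is meant to cover.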
@@ -65,6 +66,7 @@
 "Target": "docker.io/rancher/local-path-provisioner:v0.0.14 (alpine 3.12.0)",
 "Class": "os-pkgs",
 "Type": "alpine",
+ "Packages": [],
 "Secrets": [
 {
 "VulnerabilityID": "CVE-a-dummy-secret-finding"
diff --git a/scanners/trivy/parser/__testFiles__/local-k8s-scan-result.json b/scanners/trivy/parser/__testFiles__/local-k8s-scan-result.json
index c571dcefb0..e66b98d728 100644
--- a/scanners/trivy/parser/__testFiles__/local-k8s-scan-result.json
+++ b/scanners/trivy/parser/__testFiles__/local-k8s-scan-result.json
@@ -10,6 +10,7 @@
 "Target": "docker.io/rancher/local-path-provisioner:v0.0.14 (alpine 3.12.0)",
 "Class": "os-pkgs",
 "Type": "alpine",
+ "Packages": [],
 "Vulnerabilities": [
 {
 "VulnerabilityID": "CVE-2021-36159",
@@ -2888,6 +2889,7 @@
 "Target": "Deployment/local-path-provisioner",
 "Class": "config",
 "Type": "kubernetes",
+ "Packages": [],
 "MisconfSummary": {
 "Successes": 129,
 "Failures": 12,
@@ -4335,6 +4337,7 @@
 "Target": "metrics-sidecar",
 "Class": "lang-pkgs",
 "Type": "gobinary",
+ "Packages": [],
 "Vulnerabilities": [
 {
 "VulnerabilityID": "CVE-2022-1996",
@@ -4721,6 +4724,7 @@
 "Target": "Deployment/dashboard-metrics-scraper",
 "Class": "config",
 "Type": "kubernetes",
+ "Packages": [],
 "MisconfSummary": {
 "Successes": 132,
 "Failures": 9,
@@ -5810,12 +5814,14 @@
 {
 "Target": "docker.io/securecodebox/operator:4.0.1 (debian 11.7)",
 "Class": "os-pkgs",
- "Type": "debian"
+ "Type": "debian",
+ "Packages": []
 },
 {
 "Target": "manager",
 "Class": "lang-pkgs",
 "Type": "gobinary",
+ "Packages": [],
 "Vulnerabilities": [
 {
 "VulnerabilityID": "CVE-2022-28948",
@@ -5880,6 +5886,7 @@
 "Target": "Deployment/securecodebox-controller-manager",
 "Class": "config",
 "Type": "kubernetes",
+ "Packages": [],
 "MisconfSummary": {
 "Successes": 137,
 "Failures": 4,
@@ -6375,6 +6382,7 @@
 "Target": "coredns",
 "Class": "lang-pkgs",
 "Type": "gobinary",
+ "Packages": [],
 "Vulnerabilities": [
 {
 "VulnerabilityID": "CVE-2020-8911",
@@ -7628,6 +7636,7 @@ "Target": "Deployment/coredns", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 134, "Failures": 7, @@ -8480,6 +8489,7 @@ "Target": "k8s.gcr.io/kube-apiserver:v1.21.1 (debian 10.9)", "Class": "os-pkgs", "Type": "debian", + "Packages": [], "Vulnerabilities": [ { "VulnerabilityID": "DLA-3134-1", @@ -8578,6 +8588,7 @@ "Target": "Pod/kube-apiserver-kind-control-plane", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 118, "Failures": 23, @@ -11334,6 +11345,7 @@ "Target": "dashboard", "Class": "lang-pkgs", "Type": "gobinary", + "Packages": [], "Vulnerabilities": [ { "VulnerabilityID": "CVE-2023-2253", @@ -11699,6 +11711,7 @@ "Target": "Dockerfile", "Class": "config", "Type": "dockerfile", + "Packages": [], "MisconfSummary": { "Successes": 24, "Failures": 2, @@ -11788,6 +11801,7 @@ "Target": "Deployment/kubernetes-dashboard", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 132, "Failures": 9, @@ -12878,6 +12892,7 @@ "Target": "docker.io/bitnami/minio:2022.9.1-debian-11-r0 (debian 11.4)", "Class": "os-pkgs", "Type": "debian", + "Packages": [], "Vulnerabilities": [ { "VulnerabilityID": "CVE-2011-3374", @@ -21052,6 +21067,7 @@ "Target": "opt/bitnami/common/bin/gosu", "Class": "lang-pkgs", "Type": "gobinary", + "Packages": [], "Vulnerabilities": [ { "VulnerabilityID": "CVE-2023-27561", @@ -21402,6 +21418,7 @@ "Target": "opt/bitnami/common/bin/wait-for-port", "Class": "lang-pkgs", "Type": "gobinary", + "Packages": [], "Vulnerabilities": [ { "VulnerabilityID": "CVE-2022-29526", @@ -21474,6 +21491,7 @@ "Target": "opt/bitnami/minio-client/bin/mc", "Class": "lang-pkgs", "Type": "gobinary", + "Packages": [], "Vulnerabilities": [ { "VulnerabilityID": "GHSA-rm8v-mxj3-5rmq", 
@@ -21819,6 +21837,7 @@ "Target": "opt/bitnami/minio/bin/minio", "Class": "lang-pkgs", "Type": "gobinary", + "Packages": [], "Vulnerabilities": [ { "VulnerabilityID": "CVE-2022-2835", @@ -22297,6 +22316,7 @@ "Target": "Deployment/securecodebox-operator-minio", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 131, "Failures": 10, @@ -23506,6 +23526,7 @@ "Target": "k8s.gcr.io/kube-scheduler:v1.21.1 (debian 10.9)", "Class": "os-pkgs", "Type": "debian", + "Packages": [], "Vulnerabilities": [ { "VulnerabilityID": "DLA-3134-1", @@ -23604,6 +23625,7 @@ "Target": "Pod/kube-scheduler-kind-control-plane", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 127, "Failures": 14, @@ -25289,6 +25311,7 @@ "Target": "k8s.gcr.io/kube-controller-manager:v1.21.1 (debian 10.9)", "Class": "os-pkgs", "Type": "debian", + "Packages": [], "Vulnerabilities": [ { "VulnerabilityID": "DLA-3134-1", @@ -25387,6 +25410,7 @@ "Target": "Pod/kube-controller-manager-kind-control-plane", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 125, "Failures": 16, @@ -27310,6 +27334,7 @@ "Target": "Service/kubernetes", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, @@ -27327,6 +27352,7 @@ "Target": "Service/kube-dns", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, @@ -27344,6 +27370,7 @@ "Target": "Service/dashboard-metrics-scraper", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, @@ -27361,6 +27388,7 @@ "Target": "Service/kubernetes-dashboard", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, 
@@ -27378,6 +27406,7 @@ "Target": "Service/controller-manager-metrics-service", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, @@ -27395,6 +27424,7 @@ "Target": "Service/securecodebox-operator-minio", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, @@ -27412,6 +27442,7 @@ "Target": "ServiceAccount/default", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, @@ -27429,6 +27460,7 @@ "Target": "ServiceAccount/default", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, @@ -27446,6 +27478,7 @@ "Target": "ServiceAccount/lurker", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, @@ -27463,6 +27496,7 @@ "Target": "ServiceAccount/trivy-k8s", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, @@ -27480,6 +27514,7 @@ "Target": "ServiceAccount/default", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, @@ -27497,6 +27532,7 @@ "Target": "ServiceAccount/default", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, @@ -27514,6 +27550,7 @@ "Target": "ServiceAccount/attachdetach-controller", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, @@ -27531,6 +27568,7 @@ "Target": "ServiceAccount/bootstrap-signer", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, @@ -27548,6 +27586,7 @@ "Target": "ServiceAccount/certificate-controller", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, 
@@ -27565,6 +27604,7 @@ "Target": "ServiceAccount/clusterrole-aggregation-controller", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, @@ -27582,6 +27622,7 @@ "Target": "ServiceAccount/coredns", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, @@ -27599,6 +27640,7 @@ "Target": "ServiceAccount/cronjob-controller", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, @@ -27616,6 +27658,7 @@ "Target": "ServiceAccount/daemon-set-controller", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, @@ -27633,6 +27676,7 @@ "Target": "ServiceAccount/default", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, @@ -27650,6 +27694,7 @@ "Target": "ServiceAccount/deployment-controller", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, @@ -27667,6 +27712,7 @@ "Target": "ServiceAccount/disruption-controller", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, @@ -27684,6 +27730,7 @@ "Target": "docker.io/kindest/kindnetd:v20210326-1e038dc5 (debian 10.7)", "Class": "os-pkgs", "Type": "debian", + "Packages": [], "Vulnerabilities": [ { "VulnerabilityID": "CVE-2011-3374", @@ -37180,6 +37227,7 @@ "Target": "bin/kindnetd", "Class": "lang-pkgs", "Type": "gobinary", + "Packages": [], "Vulnerabilities": [ { "VulnerabilityID": "CVE-2021-3121", @@ -37985,6 +38033,7 @@ "Target": "DaemonSet/kindnet", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 130, "Failures": 11, 
@@ -39313,6 +39362,7 @@ "Target": "ServiceAccount/endpointslice-controller", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, @@ -39330,6 +39380,7 @@ "Target": "ServiceAccount/endpoint-controller", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, @@ -39347,6 +39398,7 @@ "Target": "ServiceAccount/endpointslicemirroring-controller", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, @@ -39364,6 +39416,7 @@ "Target": "ServiceAccount/ephemeral-volume-controller", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, @@ -39381,6 +39434,7 @@ "Target": "ServiceAccount/expand-controller", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, @@ -39398,6 +39452,7 @@ "Target": "ServiceAccount/generic-garbage-collector", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, @@ -39415,6 +39470,7 @@ "Target": "ServiceAccount/horizontal-pod-autoscaler", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, @@ -39432,6 +39488,7 @@ "Target": "ServiceAccount/job-controller", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, @@ -39449,6 +39506,7 @@ "Target": "ServiceAccount/kindnet", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, @@ -39466,6 +39524,7 @@ "Target": "ServiceAccount/kube-proxy", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, 
@@ -39483,6 +39542,7 @@ "Target": "ServiceAccount/namespace-controller", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, @@ -39500,6 +39560,7 @@ "Target": "ServiceAccount/node-controller", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, @@ -39517,6 +39578,7 @@ "Target": "ServiceAccount/persistent-volume-binder", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, @@ -39534,6 +39596,7 @@ "Target": "ServiceAccount/pod-garbage-collector", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, @@ -39551,6 +39614,7 @@ "Target": "ServiceAccount/pv-protection-controller", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, @@ -39568,6 +39632,7 @@ "Target": "ServiceAccount/pvc-protection-controller", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, @@ -39585,6 +39650,7 @@ "Target": "ServiceAccount/replicaset-controller", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, @@ -39602,6 +39668,7 @@ "Target": "ServiceAccount/replication-controller", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, @@ -39619,6 +39686,7 @@ "Target": "ServiceAccount/resourcequota-controller", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, @@ -39636,6 +39704,7 @@ "Target": "ServiceAccount/root-ca-cert-publisher", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, 
@@ -39653,6 +39722,7 @@ "Target": "ServiceAccount/service-account-controller", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, @@ -39670,6 +39740,7 @@ "Target": "ServiceAccount/service-controller", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, @@ -39687,6 +39758,7 @@ "Target": "ServiceAccount/statefulset-controller", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, @@ -39704,6 +39776,7 @@ "Target": "ServiceAccount/token-cleaner", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, @@ -39721,6 +39794,7 @@ "Target": "ServiceAccount/ttl-after-finished-controller", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, @@ -39738,6 +39812,7 @@ "Target": "ServiceAccount/ttl-controller", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, @@ -39755,6 +39830,7 @@ "Target": "ServiceAccount/default", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, @@ -39772,6 +39848,7 @@ "Target": "ServiceAccount/admin-user", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, @@ -39789,6 +39866,7 @@ "Target": "ServiceAccount/default", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, @@ -39806,6 +39884,7 @@ "Target": "ServiceAccount/kubernetes-dashboard", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, @@ -39823,6 +39902,7 @@ "Target": "ServiceAccount/default", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, 
@@ -39840,6 +39920,7 @@ "Target": "ServiceAccount/local-path-provisioner-service-account", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, @@ -39857,6 +39938,7 @@ "Target": "ServiceAccount/securecodebox-operator", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, @@ -39874,6 +39956,7 @@ "Target": "ServiceAccount/securecodebox-operator-minio", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, @@ -39891,6 +39974,7 @@ "Target": "ConfigMap/kube-root-ca.crt", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, @@ -39908,6 +39992,7 @@ "Target": "ConfigMap/kube-root-ca.crt", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, @@ -39925,6 +40010,7 @@ "Target": "ConfigMap/kube-root-ca.crt", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, @@ -39942,6 +40028,7 @@ "Target": "ConfigMap/cluster-info", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, @@ -39959,6 +40046,7 @@ "Target": "ConfigMap/kube-root-ca.crt", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, @@ -39976,6 +40064,7 @@ "Target": "ConfigMap/coredns", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, @@ -39993,6 +40082,7 @@ "Target": "ConfigMap/extension-apiserver-authentication", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 140, "Failures": 1, @@ -40037,6 +40127,7 @@ "Target": "ConfigMap/kube-proxy", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, 
@@ -40054,6 +40145,7 @@ "Target": "ConfigMap/kube-root-ca.crt", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, @@ -40071,6 +40163,7 @@ "Target": "ConfigMap/kubeadm-config", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, @@ -40088,6 +40181,7 @@ "Target": "ConfigMap/kubelet-config-1.21", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, @@ -40105,6 +40199,7 @@ "Target": "ConfigMap/kube-root-ca.crt", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, @@ -40122,6 +40217,7 @@ "Target": "ConfigMap/kube-root-ca.crt", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, @@ -40139,6 +40235,7 @@ "Target": "ConfigMap/kubernetes-dashboard-settings", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, @@ -40156,6 +40253,7 @@ "Target": "ConfigMap/kube-root-ca.crt", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, @@ -40173,6 +40271,7 @@ "Target": "ConfigMap/local-path-config", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, @@ -40190,6 +40289,7 @@ "Target": "docker.io/aquasec/trivy:0.42.0 (alpine 3.18.0)", "Class": "os-pkgs", "Type": "alpine", + "Packages": [], "Vulnerabilities": [ { "VulnerabilityID": "CVE-2023-2650", @@ -40307,6 +40407,7 @@ "Target": "usr/local/bin/trivy", "Class": "lang-pkgs", "Type": "gobinary", + "Packages": [], "Vulnerabilities": [ { "VulnerabilityID": "CVE-2020-8911", 
@@ -40428,12 +40529,14 @@ { "Target": "docker.io/securecodebox/lurker:4.0.1 (debian 11.7)", "Class": "os-pkgs", - "Type": "debian" + "Type": "debian", + "Packages": [] }, { "Target": "lurker", "Class": "lang-pkgs", "Type": "gobinary", + "Packages": [], "Vulnerabilities": [ { "VulnerabilityID": "CVE-2022-28948", @@ -40498,6 +40601,7 @@ "Target": "Job/scan-trivy-k8s-dnnfb", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 131, "Failures": 14, @@ -42183,6 +42287,7 @@ "Target": "Role/kubeadm:bootstrap-signer-clusterinfo", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, @@ -42200,6 +42305,7 @@ "Target": "Role/lurker", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, @@ -42217,6 +42323,7 @@ "Target": "Role/system:controller:bootstrap-signer", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 140, "Failures": 1, @@ -42337,6 +42444,7 @@ "Target": "Role/kube-proxy", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, @@ -42354,6 +42462,7 @@ "Target": "Role/extension-apiserver-authentication-reader", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, @@ -42371,6 +42480,7 @@ "Target": "Role/kubeadm:kubelet-config-1.21", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, @@ -42388,6 +42498,7 @@ "Target": "Role/kubeadm:nodes-kubeadm-config", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, @@ -42405,6 +42516,7 @@ "Target": "Role/system::leader-locking-kube-controller-manager", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 140, "Failures": 1, 
@@ -42534,6 +42646,7 @@ "Target": "Role/system::leader-locking-kube-scheduler", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 140, "Failures": 1, @@ -42663,6 +42776,7 @@ "Target": "Role/system:controller:bootstrap-signer", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 140, "Failures": 1, @@ -42783,6 +42897,7 @@ "Target": "Role/system:controller:cloud-provider", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 140, "Failures": 1, @@ -42912,6 +43027,7 @@ "Target": "Role/system:controller:token-cleaner", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 140, "Failures": 1, @@ -43041,6 +43157,7 @@ "Target": "Role/kubernetes-dashboard", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 139, "Failures": 2, @@ -43289,6 +43406,7 @@ "Target": "Role/leader-election-role", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 140, "Failures": 1, @@ -43427,6 +43545,7 @@ "Target": "RoleBinding/lurker", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, @@ -43444,6 +43563,7 @@ "Target": "RoleBinding/trivy-k8s-lurker", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, @@ -43461,6 +43581,7 @@ "Target": "RoleBinding/kubeadm:bootstrap-signer-clusterinfo", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, @@ -43478,6 +43599,7 @@ "Target": "RoleBinding/system:controller:bootstrap-signer", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, 
@@ -43495,6 +43617,7 @@ "Target": "RoleBinding/kubeadm:kubelet-config-1.21", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, @@ -43512,6 +43635,7 @@ "Target": "RoleBinding/kube-proxy", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, @@ -43529,6 +43653,7 @@ "Target": "RoleBinding/kubeadm:nodes-kubeadm-config", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, @@ -43546,6 +43671,7 @@ "Target": "RoleBinding/system::extension-apiserver-authentication-reader", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, @@ -43563,6 +43689,7 @@ "Target": "RoleBinding/system::leader-locking-kube-controller-manager", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, @@ -43580,6 +43707,7 @@ "Target": "RoleBinding/system::leader-locking-kube-scheduler", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, @@ -43597,6 +43725,7 @@ "Target": "RoleBinding/system:controller:bootstrap-signer", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, @@ -43614,6 +43743,7 @@ "Target": "RoleBinding/system:controller:cloud-provider", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, @@ -43631,6 +43761,7 @@ "Target": "RoleBinding/system:controller:token-cleaner", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, @@ -43648,6 +43779,7 @@ "Target": "RoleBinding/kubernetes-dashboard", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, 
@@ -43665,6 +43797,7 @@ "Target": "RoleBinding/leader-election-rolebinding", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, @@ -43681,6 +43814,7 @@ "Target": "ClusterRole/cluster-admin", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 139, "Failures": 2, @@ -43865,6 +43999,7 @@ "Target": "ClusterRole/admin", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 136, "Failures": 11, @@ -45192,6 +45327,7 @@ "Target": "ClusterRole/edit", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 137, "Failures": 10, @@ -46400,6 +46536,7 @@ "Target": "ClusterRole/kindnet", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, @@ -46416,6 +46553,7 @@ "Target": "ClusterRole/kubeadm:get-nodes", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, @@ -46432,6 +46570,7 @@ "Target": "ClusterRole/kubernetes-dashboard", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, @@ -46448,6 +46587,7 @@ "Target": "ClusterRole/local-path-provisioner-role", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 139, "Failures": 2, @@ -46668,6 +46808,7 @@ "Target": "ClusterRole/manager-role", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 139, "Failures": 3, @@ -47034,6 +47175,7 @@ "Target": "ClusterRole/metrics-reader", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, @@ -47050,6 +47192,7 @@ "Target": "ClusterRole/parsedefinition-editor-role", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, 
@@ -47066,6 +47209,7 @@ "Target": "ClusterRole/parsedefinition-viewer-role", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, @@ -47082,6 +47226,7 @@ "Target": "ClusterRole/proxy-role", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, @@ -47098,6 +47243,7 @@ "Target": "ClusterRole/scan-editor-role", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, @@ -47114,6 +47260,7 @@ "Target": "ClusterRole/scan-viewer-role", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, @@ -47130,6 +47277,7 @@ "Target": "ClusterRole/scantype-editor-role", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, @@ -47146,6 +47294,7 @@ "Target": "ClusterRole/scantype-viewer-role", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, @@ -47162,6 +47311,7 @@ "Target": "ClusterRole/scheduledscan-editor-role", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, @@ -47178,6 +47328,7 @@ "Target": "ClusterRole/scheduledscan-viewer-role", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, @@ -47195,6 +47346,7 @@ "Target": "k8s.gcr.io/kube-proxy:v1.21.1 (debian 10.9)", "Class": "os-pkgs", "Type": "debian", + "Packages": [], "Vulnerabilities": [ { "VulnerabilityID": "CVE-2011-3374", @@ -56275,6 +56427,7 @@ "Target": "DaemonSet/kube-proxy", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 126, "Failures": 15, 
@@ -58078,6 +58231,7 @@ "Target": "ClusterRole/system:aggregate-to-admin", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 140, "Failures": 1, @@ -58215,6 +58369,7 @@ "Target": "ClusterRole/system:aggregate-to-edit", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 137, "Failures": 10, @@ -59423,6 +59578,7 @@ "Target": "ClusterRole/system:aggregate-to-view", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, @@ -59439,6 +59595,7 @@ "Target": "ClusterRole/system:auth-delegator", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, @@ -59455,6 +59612,7 @@ "Target": "ClusterRole/system:basic-user", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, @@ -59471,6 +59629,7 @@ "Target": "ClusterRole/system:certificates.k8s.io:certificatesigningrequests:nodeclient", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, @@ -59487,6 +59646,7 @@ "Target": "ClusterRole/system:certificates.k8s.io:certificatesigningrequests:selfnodeclient", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, @@ -59503,6 +59663,7 @@ "Target": "ClusterRole/system:certificates.k8s.io:kube-apiserver-client-approver", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, @@ -59519,6 +59680,7 @@ "Target": "ClusterRole/system:certificates.k8s.io:kube-apiserver-client-kubelet-approver", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, 
@@ -59536,6 +59698,7 @@ "Target": "k8s.gcr.io/etcd:3.4.13-0 (debian 9.13)", "Class": "os-pkgs", "Type": "debian", + "Packages": [], "Vulnerabilities": [ { "VulnerabilityID": "DLA-2424-1", @@ -59676,6 +59839,7 @@ "Target": "Pod/etcd-kind-control-plane", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 129, "Failures": 12, @@ -61122,6 +61286,7 @@ "Target": "ClusterRole/system:certificates.k8s.io:kubelet-serving-approver", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, @@ -61138,6 +61303,7 @@ "Target": "ClusterRole/system:certificates.k8s.io:legacy-unknown-approver", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, @@ -61154,6 +61320,7 @@ "Target": "ClusterRole/system:controller:attachdetach-controller", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, @@ -61170,6 +61337,7 @@ "Target": "ClusterRole/system:controller:certificate-controller", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, @@ -61186,6 +61354,7 @@ "Target": "ClusterRole/system:controller:clusterrole-aggregation-controller", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, @@ -61202,6 +61371,7 @@ "Target": "ClusterRole/system:controller:cronjob-controller", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 140, "Failures": 2, @@ -61449,6 +61619,7 @@ "Target": "ClusterRole/system:controller:daemon-set-controller", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, 
@@ -61465,6 +61636,7 @@ "Target": "ClusterRole/system:controller:deployment-controller", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 140, "Failures": 2, @@ -61721,6 +61893,7 @@ "Target": "ClusterRole/system:controller:endpoint-controller", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 140, "Failures": 1, @@ -61858,6 +62031,7 @@ "Target": "ClusterRole/system:controller:disruption-controller", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, @@ -61874,6 +62048,7 @@ "Target": "ClusterRole/system:controller:endpointslice-controller", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 140, "Failures": 1, @@ -62011,6 +62186,7 @@ "Target": "ClusterRole/system:controller:endpointslicemirroring-controller", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 140, "Failures": 1, @@ -62148,6 +62324,7 @@ "Target": "ClusterRole/system:controller:ephemeral-volume-controller", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, @@ -62164,6 +62341,7 @@ "Target": "ClusterRole/system:controller:generic-garbage-collector", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 140, "Failures": 1, @@ -62301,6 +62479,7 @@ "Target": "ClusterRole/system:controller:expand-controller", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 140, "Failures": 1, @@ -62402,6 +62581,7 @@ "Target": "ClusterRole/system:controller:horizontal-pod-autoscaler", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 140, "Failures": 1, 
@@ -62512,6 +62692,7 @@ "Target": "ClusterRole/system:controller:job-controller", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 140, "Failures": 1, @@ -62640,6 +62821,7 @@ "Target": "ClusterRole/system:controller:namespace-controller", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 140, "Failures": 1, @@ -62768,6 +62950,7 @@ "Target": "ClusterRole/system:controller:node-controller", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, @@ -62784,6 +62967,7 @@ "Target": "ClusterRole/system:controller:persistent-volume-binder", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 139, "Failures": 3, @@ -63096,6 +63280,7 @@ "Target": "ClusterRole/system:controller:pod-garbage-collector", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, @@ -63112,6 +63297,7 @@ "Target": "ClusterRole/system:controller:pv-protection-controller", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, @@ -63128,6 +63314,7 @@ "Target": "ClusterRole/system:controller:pvc-protection-controller", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, @@ -63144,6 +63331,7 @@ "Target": "ClusterRole/system:controller:replicaset-controller", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 140, "Failures": 1, @@ -63281,6 +63469,7 @@ "Target": "ClusterRole/system:controller:replication-controller", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 140, "Failures": 1, 
@@ -63409,6 +63598,7 @@ "Target": "ClusterRole/system:controller:resourcequota-controller", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 140, "Failures": 1, @@ -63519,6 +63709,7 @@ "Target": "ClusterRole/system:controller:root-ca-cert-publisher", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 140, "Failures": 1, @@ -63629,6 +63820,7 @@ "Target": "ClusterRole/system:controller:route-controller", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, @@ -63645,6 +63837,7 @@ "Target": "ClusterRole/system:controller:service-account-controller", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, @@ -63661,6 +63854,7 @@ "Target": "ClusterRole/system:controller:service-controller", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, @@ -63677,6 +63871,7 @@ "Target": "ClusterRole/system:controller:statefulset-controller", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, @@ -63693,6 +63888,7 @@ "Target": "ClusterRole/system:controller:ttl-after-finished-controller", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, @@ -63709,6 +63905,7 @@ "Target": "ClusterRole/system:controller:ttl-controller", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, @@ -63725,6 +63922,7 @@ "Target": "ClusterRole/system:coredns", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, @@ -63741,6 +63939,7 @@ "Target": "ClusterRole/system:discovery", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, 
@@ -63757,6 +63956,7 @@ "Target": "ClusterRole/system:kube-aggregator", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, @@ -63773,6 +63973,7 @@ "Target": "ClusterRole/system:heapster", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, @@ -63789,6 +63990,7 @@ "Target": "ClusterRole/system:kube-dns", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, @@ -63805,6 +64007,7 @@ "Target": "ClusterRole/system:kube-controller-manager", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 138, "Failures": 7, @@ -64485,6 +64688,7 @@ "Target": "ClusterRole/system:kubelet-api-admin", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, @@ -64501,6 +64705,7 @@ "Target": "ClusterRole/system:kube-scheduler", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 140, "Failures": 2, @@ -64712,6 +64917,7 @@ "Target": "ClusterRole/system:monitoring", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, @@ -64728,6 +64934,7 @@ "Target": "ClusterRole/system:node-bootstrapper", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, @@ -64744,6 +64951,7 @@ "Target": "ClusterRole/system:node", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 140, "Failures": 1, @@ -64872,6 +65080,7 @@ "Target": "ClusterRole/system:node-problem-detector", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, 
@@ -64888,6 +65097,7 @@ "Target": "ClusterRole/system:persistent-volume-provisioner", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, @@ -64904,6 +65114,7 @@ "Target": "ClusterRole/system:node-proxier", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, @@ -64920,6 +65131,7 @@ "Target": "ClusterRole/system:public-info-viewer", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, @@ -64936,6 +65148,7 @@ "Target": "ClusterRole/system:service-account-issuer-discovery", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, @@ -64952,6 +65165,7 @@ "Target": "ClusterRole/system:volume-scheduler", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, @@ -64968,6 +65182,7 @@ "Target": "ClusterRole/trivy-k8s", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, @@ -64984,6 +65199,7 @@ "Target": "ClusterRole/view", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, @@ -65000,6 +65216,7 @@ "Target": "ClusterRoleBinding/admin-user", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 140, "Failures": 1, @@ -65137,6 +65354,7 @@ "Target": "ClusterRoleBinding/cluster-admin", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, @@ -65153,6 +65371,7 @@ "Target": "ClusterRoleBinding/kubeadm:get-nodes", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, 
@@ -65169,6 +65388,7 @@ "Target": "ClusterRoleBinding/kindnet", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, @@ -65185,6 +65405,7 @@ "Target": "ClusterRoleBinding/kubeadm:kubelet-bootstrap", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, @@ -65201,6 +65422,7 @@ "Target": "ClusterRoleBinding/kubeadm:node-autoapprove-bootstrap", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, @@ -65217,6 +65439,7 @@ "Target": "ClusterRoleBinding/kubeadm:node-autoapprove-certificate-rotation", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, @@ -65233,6 +65456,7 @@ "Target": "ClusterRoleBinding/kubeadm:node-proxier", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, @@ -65249,6 +65473,7 @@ "Target": "ClusterRoleBinding/kubernetes-dashboard", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, @@ -65265,6 +65490,7 @@ "Target": "ClusterRoleBinding/local-path-provisioner-bind", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, @@ -65281,6 +65507,7 @@ "Target": "ClusterRoleBinding/manager-rolebinding", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, @@ -65297,6 +65524,7 @@ "Target": "ClusterRoleBinding/proxy-rolebinding", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, @@ -65313,6 +65541,7 @@ "Target": "ClusterRoleBinding/system:basic-user", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, 
@@ -65329,6 +65558,7 @@ "Target": "ClusterRoleBinding/system:controller:attachdetach-controller", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, @@ -65345,6 +65575,7 @@ "Target": "ClusterRoleBinding/system:controller:certificate-controller", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, @@ -65361,6 +65592,7 @@ "Target": "ClusterRoleBinding/system:controller:clusterrole-aggregation-controller", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, @@ -65377,6 +65609,7 @@ "Target": "ClusterRoleBinding/system:controller:cronjob-controller", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, @@ -65393,6 +65626,7 @@ "Target": "ClusterRoleBinding/system:controller:daemon-set-controller", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, @@ -65409,6 +65643,7 @@ "Target": "ClusterRoleBinding/system:controller:deployment-controller", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, @@ -65425,6 +65660,7 @@ "Target": "ClusterRoleBinding/system:controller:disruption-controller", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, @@ -65441,6 +65677,7 @@ "Target": "ClusterRoleBinding/system:controller:endpoint-controller", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, @@ -65457,6 +65694,7 @@ "Target": "ClusterRoleBinding/system:controller:endpointslice-controller", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, 
@@ -65473,6 +65711,7 @@ "Target": "ClusterRoleBinding/system:controller:ephemeral-volume-controller", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, @@ -65489,6 +65728,7 @@ "Target": "ClusterRoleBinding/system:controller:endpointslicemirroring-controller", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, @@ -65505,6 +65745,7 @@ "Target": "ClusterRoleBinding/system:controller:expand-controller", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, @@ -65521,6 +65762,7 @@ "Target": "ClusterRoleBinding/system:controller:generic-garbage-collector", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, @@ -65537,6 +65779,7 @@ "Target": "ClusterRoleBinding/system:controller:horizontal-pod-autoscaler", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, @@ -65553,6 +65796,7 @@ "Target": "ClusterRoleBinding/system:controller:namespace-controller", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, @@ -65569,6 +65813,7 @@ "Target": "ClusterRoleBinding/system:controller:job-controller", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, @@ -65585,6 +65830,7 @@ "Target": "ClusterRoleBinding/system:controller:node-controller", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, @@ -65601,6 +65847,7 @@ "Target": "ClusterRoleBinding/system:controller:persistent-volume-binder", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, 
@@ -65617,6 +65864,7 @@ "Target": "ClusterRoleBinding/system:controller:pod-garbage-collector", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, @@ -65633,6 +65881,7 @@ "Target": "ClusterRoleBinding/system:controller:pv-protection-controller", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, @@ -65649,6 +65898,7 @@ "Target": "ClusterRoleBinding/system:controller:pvc-protection-controller", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, @@ -65665,6 +65915,7 @@ "Target": "ClusterRoleBinding/system:controller:replicaset-controller", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, @@ -65681,6 +65932,7 @@ "Target": "ClusterRoleBinding/system:controller:replication-controller", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, @@ -65697,6 +65949,7 @@ "Target": "ClusterRoleBinding/system:controller:resourcequota-controller", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, @@ -65713,6 +65966,7 @@ "Target": "ClusterRoleBinding/system:controller:route-controller", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, @@ -65729,6 +65983,7 @@ "Target": "ClusterRoleBinding/system:controller:root-ca-cert-publisher", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, @@ -65745,6 +66000,7 @@ "Target": "ClusterRoleBinding/system:controller:service-account-controller", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, 
@@ -65761,6 +66017,7 @@ "Target": "ClusterRoleBinding/system:controller:service-controller", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, @@ -65777,6 +66034,7 @@ "Target": "ClusterRoleBinding/system:controller:statefulset-controller", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, @@ -65793,6 +66051,7 @@ "Target": "ClusterRoleBinding/system:coredns", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, @@ -65809,6 +66068,7 @@ "Target": "ClusterRoleBinding/system:controller:ttl-after-finished-controller", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, @@ -65825,6 +66085,7 @@ "Target": "ClusterRoleBinding/system:controller:ttl-controller", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, @@ -65841,6 +66102,7 @@ "Target": "ClusterRoleBinding/system:discovery", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, @@ -65857,6 +66119,7 @@ "Target": "ClusterRoleBinding/system:kube-controller-manager", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, @@ -65873,6 +66136,7 @@ "Target": "ClusterRoleBinding/system:kube-dns", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, @@ -65889,6 +66153,7 @@ "Target": "ClusterRoleBinding/system:kube-scheduler", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, @@ -65905,6 +66170,7 @@ "Target": "ClusterRoleBinding/system:monitoring", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, 
@@ -65921,6 +66187,7 @@
 "Target": "ClusterRoleBinding/system:node",
 "Class": "config",
 "Type": "kubernetes",
+ "Packages": [],
 "MisconfSummary": {
 "Successes": 141,
 "Failures": 0,
@@ -65937,6 +66204,7 @@
 "Target": "ClusterRoleBinding/system:node-proxier",
 "Class": "config",
 "Type": "kubernetes",
+ "Packages": [],
 "MisconfSummary": {
 "Successes": 141,
 "Failures": 0,
@@ -65953,6 +66221,7 @@
 "Target": "ClusterRoleBinding/system:public-info-viewer",
 "Class": "config",
 "Type": "kubernetes",
+ "Packages": [],
 "MisconfSummary": {
 "Successes": 141,
 "Failures": 0,
@@ -65969,6 +66238,7 @@
 "Target": "ClusterRoleBinding/system:service-account-issuer-discovery",
 "Class": "config",
 "Type": "kubernetes",
+ "Packages": [],
 "MisconfSummary": {
 "Successes": 141,
 "Failures": 0,
@@ -65985,6 +66255,7 @@
 "Target": "ClusterRoleBinding/system:volume-scheduler",
 "Class": "config",
 "Type": "kubernetes",
+ "Packages": [],
 "MisconfSummary": {
 "Successes": 141,
 "Failures": 0,
@@ -66001,6 +66272,7 @@
 "Target": "ClusterRoleBinding/trivy-k8s",
 "Class": "config",
 "Type": "kubernetes",
+ "Packages": [],
 "MisconfSummary": {
 "Successes": 140,
 "Failures": 1,
@@ -66138,6 +66410,7 @@
 "Target": "NodeInfo/kind-control-plane",
 "Class": "config",
 "Type": "kubernetes",
+ "Packages": [],
 "MisconfSummary": {
 "Successes": 135,
 "Failures": 6,
@@ -66312,6 +66585,7 @@
 "Target": "Node/kind-control-plane",
 "Class": "config",
 "Type": "kubernetes",
+ "Packages": [],
 "MisconfSummary": {
 "Successes": 141,
 "Failures": 0,
diff --git a/scanners/trivy/parser/__testFiles__/securecodebox-repo.json b/scanners/trivy/parser/__testFiles__/securecodebox-repo.json
index 444e840c51..994c76016c 100644
--- a/scanners/trivy/parser/__testFiles__/securecodebox-repo.json
+++ b/scanners/trivy/parser/__testFiles__/securecodebox-repo.json
@@ -1,5 +1,6 @@
 {
 "SchemaVersion": 2,
+ "CreatedAt": "2024-10-28T15:57:12.588540249Z",
 "ArtifactName": "https://github.com/secureCodeBox/secureCodeBox",
 "ArtifactType": "repository",
 "Metadata": {
@@ -16,138 +17,352 @@ }, "Results": [ { - "Target": "auto-discovery/kubernetes/go.sum", + "Target": "auto-discovery/cloud-aws/go.mod", "Class": "lang-pkgs", - "Type": "gomod", + "Type": "gomod" + }, + { + "Target": "auto-discovery/kubernetes/go.mod", + "Class": "lang-pkgs", + "Type": "gomod" + }, + { + "Target": "auto-discovery/kubernetes/pull-secret-extractor/integration-test/package-lock.json", + "Class": "lang-pkgs", + "Type": "npm", + "Vulnerabilities": [ + { + "VulnerabilityID": "CVE-2023-28155", + "PkgID": "request@2.88.2", + "PkgName": "request", + "PkgIdentifier": { + "PURL": "pkg:npm/request@2.88.2", + "UID": "da66bf40b01ba9c5" + }, + "InstalledVersion": "2.88.2", + "Status": "affected", + "Layer": {}, + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2023-28155", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Title": "The Request package through 2.88.1 for Node.js allows a bypass of SSRF ...", + "Description": "The Request package through 2.88.1 for Node.js allows a bypass of SSRF mitigations via an attacker-controller server that does a cross-protocol redirect (HTTP to HTTPS, or HTTPS to HTTP). 
NOTE: This vulnerability only affects products that are no longer supported by the maintainer.", + "Severity": "MEDIUM", + "CweIDs": [ + "CWE-918" + ], + "VendorSeverity": { + "cbl-mariner": 2, + "ghsa": 2, + "nvd": 2 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", + "V3Score": 6.1 + }, + "nvd": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", + "V3Score": 6.1 + } + }, + "References": [ + "https://doyensec.com/resources/Doyensec_Advisory_RequestSSRF_Q12023.pdf", + "https://github.com/cypress-io/request/blob/master/lib/redirect.js#L116", + "https://github.com/cypress-io/request/commit/c5bcf21d40fb61feaff21a0e5a2b3934a440024f", + "https://github.com/cypress-io/request/pull/28", + "https://github.com/cypress-io/request/releases/tag/v3.0.0", + "https://github.com/github/advisory-database/pull/2500", + "https://github.com/request/request", + "https://github.com/request/request/blob/master/lib/redirect.js#L111", + "https://github.com/request/request/issues/3442", + "https://github.com/request/request/pull/3444", + "https://nvd.nist.gov/vuln/detail/CVE-2023-28155", + "https://security.netapp.com/advisory/ntap-20230413-0007", + "https://security.netapp.com/advisory/ntap-20230413-0007/" + ], + "PublishedDate": "2023-03-16T15:15:11.107Z", + "LastModifiedDate": "2024-08-02T13:15:37.183Z" + }, + { + "VulnerabilityID": "CVE-2023-26136", + "PkgID": "tough-cookie@2.5.0", + "PkgName": "tough-cookie", + "PkgIdentifier": { + "PURL": "pkg:npm/tough-cookie@2.5.0", + "UID": "bd6da816c9e0f468" + }, + "InstalledVersion": "2.5.0", + "FixedVersion": "4.1.3", + "Status": "fixed", + "Layer": {}, + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2023-26136", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Title": "tough-cookie: prototype pollution in cookie memstore", + "Description": "Versions 
of the package tough-cookie before 4.1.3 are vulnerable to Prototype Pollution due to improper handling of Cookies when using CookieJar in rejectPublicSuffixes=false mode. This issue arises from the manner in which the objects are initialized.", + "Severity": "MEDIUM", + "CweIDs": [ + "CWE-1321" + ], + "VendorSeverity": { + "ghsa": 2, + "nvd": 4, + "redhat": 2 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", + "V3Score": 6.5 + }, + "nvd": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "V3Score": 9.8 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", + "V3Score": 6.5 + } + }, + "References": [ + "https://access.redhat.com/security/cve/CVE-2023-26136", + "https://github.com/salesforce/tough-cookie", + "https://github.com/salesforce/tough-cookie/commit/12d474791bb856004e858fdb1c47b7608d09cf6e", + "https://github.com/salesforce/tough-cookie/issues/282", + "https://github.com/salesforce/tough-cookie/releases/tag/v4.1.3", + "https://lists.debian.org/debian-lts-announce/2023/07/msg00010.html", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3HUE6ZR5SL73KHL7XUPAOEL6SB7HUDT2", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3HUE6ZR5SL73KHL7XUPAOEL6SB7HUDT2/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6PVVPNSAGSDS63HQ74PJ7MZ3MU5IYNVZ", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6PVVPNSAGSDS63HQ74PJ7MZ3MU5IYNVZ/", + "https://nvd.nist.gov/vuln/detail/CVE-2023-26136", + "https://security.netapp.com/advisory/ntap-20240621-0006", + "https://security.netapp.com/advisory/ntap-20240621-0006/", + "https://security.snyk.io/vuln/SNYK-JS-TOUGHCOOKIE-5672873", + "https://www.cve.org/CVERecord?id=CVE-2023-26136" + ], + "PublishedDate": "2023-07-01T05:15:16.103Z", + "LastModifiedDate": 
"2024-06-21T19:15:26.163Z" + } + ] + }, + { + "Target": "auto-discovery/kubernetes/pull-secret-extractor/requirements.txt", + "Class": "lang-pkgs", + "Type": "pip" + }, + { + "Target": "bin/package-lock.json", + "Class": "lang-pkgs", + "Type": "npm" + }, + { + "Target": "documentation/package-lock.json", + "Class": "lang-pkgs", + "Type": "npm", "Vulnerabilities": [ { - "VulnerabilityID": "CVE-2020-26160", - "PkgName": "github.com/dgrijalva/jwt-go", - "InstalledVersion": "3.2.0+incompatible", + "VulnerabilityID": "CVE-2024-45590", + "PkgID": "body-parser@1.20.2", + "PkgName": "body-parser", + "PkgIdentifier": { + "PURL": "pkg:npm/body-parser@1.20.2", + "UID": "c799827e3a8016cf" + }, + "InstalledVersion": "1.20.2", + "FixedVersion": "1.20.3", + "Status": "fixed", "Layer": {}, - "SeveritySource": "nvd", - "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2020-26160", - "Title": "jwt-go: access restriction bypass vulnerability", - "Description": "jwt-go before 4.0.0-preview1 allows attackers to bypass intended access restrictions in situations with []string{} for m[\"aud\"] (which is allowed by the specification). Because the type assertion fails, \"\" is the value of aud. This is a security problem if the JWT token is presented to a service that lacks its own audience check.", + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2024-45590", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Title": "body-parser: Denial of Service Vulnerability in body-parser", + "Description": "body-parser is Node.js body parsing middleware. body-parser \u003c1.20.3 is vulnerable to denial of service when url encoding is enabled. A malicious actor using a specially crafted payload could flood the server with a large number of requests, resulting in denial of service. 
This issue is patched in 1.20.3.", "Severity": "HIGH", "CweIDs": [ - "CWE-862" + "CWE-405" ], + "VendorSeverity": { + "azure": 3, + "cbl-mariner": 3, + "ghsa": 3, + "nvd": 3, + "redhat": 3 + }, "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 7.5 + }, "nvd": { - "V2Vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N", - "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", - "V2Score": 5, + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "V3Score": 7.5 }, "redhat": { - "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "V3Score": 7.5 } }, "References": [ - "https://github.com/dgrijalva/jwt-go/pull/426", - "https://nvd.nist.gov/vuln/detail/CVE-2020-26160", - "https://snyk.io/vuln/SNYK-GOLANG-GITHUBCOMDGRIJALVAJWTGO-596515" + "https://access.redhat.com/security/cve/CVE-2024-45590", + "https://github.com/expressjs/body-parser", + "https://github.com/expressjs/body-parser/commit/b2695c4450f06ba3b0ccf48d872a229bb41c9bce", + "https://github.com/expressjs/body-parser/security/advisories/GHSA-qwcr-r2fm-qrc7", + "https://nvd.nist.gov/vuln/detail/CVE-2024-45590", + "https://www.cve.org/CVERecord?id=CVE-2024-45590" ], - "PublishedDate": "2020-09-30T18:15:00Z", - "LastModifiedDate": "2021-07-21T11:39:00Z" + "PublishedDate": "2024-09-10T16:15:21.083Z", + "LastModifiedDate": "2024-09-20T16:26:44.977Z" }, { - "VulnerabilityID": "CVE-2021-3121", - "PkgName": "github.com/gogo/protobuf", - "InstalledVersion": "1.3.1", - "FixedVersion": "v1.3.2", + "VulnerabilityID": "CVE-2024-47764", + "PkgID": "cookie@0.6.0", + "PkgName": "cookie", + "PkgIdentifier": { + "PURL": "pkg:npm/cookie@0.6.0", + "UID": "1ca30e7803060e91" + }, + "InstalledVersion": "0.6.0", + "FixedVersion": "0.7.0", + "Status": "fixed", "Layer": {}, - "SeveritySource": "nvd", - "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2021-3121", - "Title": "gogo/protobuf: plugin/unmarshal/unmarshal.go lacks 
certain index validation", - "Description": "An issue was discovered in GoGo Protobuf before 1.3.2. plugin/unmarshal/unmarshal.go lacks certain index validation, aka the \"skippy peanut butter\" issue.", - "Severity": "HIGH", + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2024-47764", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Title": "cookie: cookie accepts cookie name, path, and domain with out of bounds characters", + "Description": "cookie is a basic HTTP cookie parser and serializer for HTTP servers. The cookie name could be used to set other fields of the cookie, resulting in an unexpected cookie value. A similar escape can be used for path and domain, which could be abused to alter other fields of the cookie. Upgrade to 0.7.0, which updates the validation for name, path, and domain.", + "Severity": "LOW", "CweIDs": [ - "CWE-129" + "CWE-74" ], + "VendorSeverity": { + "cbl-mariner": 2, + "ghsa": 1, + "redhat": 1 + }, "CVSS": { - "nvd": { - "V2Vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P", - "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H", - "V2Score": 7.5, - "V3Score": 8.6 - }, "redhat": { - "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H", - "V3Score": 8.6 + "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N", + "V3Score": 3.7 } }, "References": [ - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3121", - "https://discuss.hashicorp.com/t/hcsec-2021-23-consul-exposed-to-denial-of-service-in-gogo-protobuf-dependency/29025", - "https://github.com/gogo/protobuf/commit/b03c65ea87cdc3521ede29f62fe3ce239267c1bc", - "https://github.com/gogo/protobuf/compare/v1.3.1...v1.3.2", - "https://lists.apache.org/thread.html/r68032132c0399c29d6cdc7bd44918535da54060a10a12b1591328bff@%3Cnotifications.skywalking.apache.org%3E", - 
"https://lists.apache.org/thread.html/r88d69555cb74a129a7bf84838073b61259b4a3830190e05a3b87994e@%3Ccommits.pulsar.apache.org%3E", - "https://lists.apache.org/thread.html/rc1e9ff22c5641d73701ba56362fb867d40ed287cca000b131dcf4a44@%3Ccommits.pulsar.apache.org%3E", - "https://nvd.nist.gov/vuln/detail/CVE-2021-3121", - "https://security.netapp.com/advisory/ntap-20210219-0006/" + "https://access.redhat.com/security/cve/CVE-2024-47764", + "https://github.com/jshttp/cookie", + "https://github.com/jshttp/cookie/commit/e10042845354fea83bd8f34af72475eed1dadf5c", + "https://github.com/jshttp/cookie/pull/167", + "https://github.com/jshttp/cookie/security/advisories/GHSA-pxg6-pf52-xh8x", + "https://nvd.nist.gov/vuln/detail/CVE-2024-47764", + "https://www.cve.org/CVERecord?id=CVE-2024-47764" ], - "PublishedDate": "2021-01-11T06:15:00Z", - "LastModifiedDate": "2021-10-18T06:15:00Z" + "PublishedDate": "2024-10-04T20:15:07.31Z", + "LastModifiedDate": "2024-10-07T17:48:28.117Z" }, { - "VulnerabilityID": "CVE-2019-19794", - "PkgName": "github.com/miekg/dns", - "InstalledVersion": "1.0.14", - "FixedVersion": "v1.1.25-0.20191211073109-8ebf2e419df7", + "VulnerabilityID": "CVE-2024-43796", + "PkgID": "express@4.19.2", + "PkgName": "express", + "PkgIdentifier": { + "PURL": "pkg:npm/express@4.19.2", + "UID": "de0ddb585f46bea6" + }, + "InstalledVersion": "4.19.2", + "FixedVersion": "4.20.0, 5.0.0", + "Status": "fixed", "Layer": {}, - "SeveritySource": "nvd", - "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-19794", - "Title": "golang-github-miekg-dns: predictable TXID can lead to response forgeries", - "Description": "The miekg Go DNS package before 1.1.25, as used in CoreDNS before 1.6.6 and other products, improperly generates random numbers because math/rand is used. 
The TXID becomes predictable, leading to response forgeries.", + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2024-43796", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Title": "express: Improper Input Handling in Express Redirects", + "Description": "Express.js minimalist web framework for node. In express \u003c 4.20.0, passing untrusted user input - even after sanitizing it - to response.redirect() may execute untrusted code. This issue is patched in express 4.20.0.", "Severity": "MEDIUM", "CweIDs": [ - "CWE-338" + "CWE-79" ], + "VendorSeverity": { + "azure": 2, + "cbl-mariner": 2, + "ghsa": 2, + "nvd": 2, + "redhat": 2 + }, "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L", + "V3Score": 5 + }, "nvd": { - "V2Vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N", - "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", - "V2Score": 4.3, - "V3Score": 5.9 + "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N", + "V3Score": 4.7 }, "redhat": { - "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", - "V3Score": 5.9 + "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L", + "V3Score": 5 } }, "References": [ - "https://github.com/coredns/coredns/issues/3519", - "https://github.com/coredns/coredns/issues/3547", - "https://github.com/miekg/dns/compare/v1.1.24...v1.1.25", - "https://github.com/miekg/dns/issues/1043", - "https://github.com/miekg/dns/pull/1044" + "https://access.redhat.com/security/cve/CVE-2024-43796", + "https://github.com/expressjs/express", + "https://github.com/expressjs/express/commit/54271f69b511fea198471e6ff3400ab805d6b553", + "https://github.com/expressjs/express/security/advisories/GHSA-qw6h-vgh9-j6wx", + "https://nvd.nist.gov/vuln/detail/CVE-2024-43796", + "https://www.cve.org/CVERecord?id=CVE-2024-43796" ], - "PublishedDate": "2019-12-13T22:15:00Z", - 
"LastModifiedDate": "2020-01-02T17:36:00Z" + "PublishedDate": "2024-09-10T15:15:17.51Z", + "LastModifiedDate": "2024-09-20T16:07:47.997Z" }, { - "VulnerabilityID": "CVE-2020-29652", - "PkgName": "golang.org/x/crypto", - "InstalledVersion": "0.0.0-20201002170205-7f63de1d35b0", - "FixedVersion": "v0.0.0-20201216223049-8b5274cf687f", + "VulnerabilityID": "CVE-2024-21536", + "PkgID": "http-proxy-middleware@2.0.6", + "PkgName": "http-proxy-middleware", + "PkgIdentifier": { + "PURL": "pkg:npm/http-proxy-middleware@2.0.6", + "UID": "ecd0884d9376c311" + }, + "InstalledVersion": "2.0.6", + "FixedVersion": "2.0.7, 3.0.3", + "Status": "fixed", "Layer": {}, - "SeveritySource": "nvd", - "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2020-29652", - "Title": "golang: crypto/ssh: crafted authentication request can lead to nil pointer dereference", - "Description": "A nil pointer dereference in the golang.org/x/crypto/ssh component through v0.0.0-20201203163018-be400aefbc4c for Go allows remote attackers to cause a denial of service against SSH servers.", + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2024-21536", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Title": "http-proxy-middleware: Denial of Service", + "Description": "Versions of the package http-proxy-middleware before 2.0.7, from 3.0.0 and before 3.0.3 are vulnerable to Denial of Service (DoS) due to an UnhandledPromiseRejection error thrown by micromatch. An attacker could kill the Node.js process and crash the server by making requests to certain paths.", "Severity": "HIGH", "CweIDs": [ - "CWE-476" + "CWE-400" ], + "VendorSeverity": { + "ghsa": 3, + "redhat": 2 + }, "CVSS": { - "nvd": { - "V2Vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P", + "ghsa": { "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", - "V2Score": 5, "V3Score": 7.5 }, "redhat": { 
@@ -156,340 +371,458 @@ } }, "References": [ - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-29652", - "https://go-review.googlesource.com/c/crypto/+/278852", - "https://groups.google.com/g/golang-announce/c/ouZIlBimOsE?pli=1", - "https://lists.apache.org/thread.html/r68032132c0399c29d6cdc7bd44918535da54060a10a12b1591328bff@%3Cnotifications.skywalking.apache.org%3E", - "https://nvd.nist.gov/vuln/detail/CVE-2020-29652" + "https://access.redhat.com/security/cve/CVE-2024-21536", + "https://gist.github.com/mhassan1/28be67266d82a53708ed59ce5dc3c94a", + "https://github.com/chimurai/http-proxy-middleware", + "https://github.com/chimurai/http-proxy-middleware/commit/0b4274e8cc9e9a2c5a06f35fbf456ccfcebc55a5", + "https://github.com/chimurai/http-proxy-middleware/commit/788b21e4aff38332d6319557d4a5b1b13b1f9a22", + "https://nvd.nist.gov/vuln/detail/CVE-2024-21536", + "https://security.snyk.io/vuln/SNYK-JS-HTTPPROXYMIDDLEWARE-8229906", + "https://www.cve.org/CVERecord?id=CVE-2024-21536" ], - "PublishedDate": "2020-12-17T05:15:00Z", - "LastModifiedDate": "2021-10-18T06:15:00Z" - } - ] - }, - { - "Target": "hook-sdk/nodejs/package-lock.json", - "Class": "lang-pkgs", - "Type": "npm" - }, - { - "Target": "hooks/cascading-scans/hook/package-lock.json", - "Class": "lang-pkgs", - "Type": "npm" - }, - { - "Target": "hooks/finding-post-processing/hook/package-lock.json", - "Class": "lang-pkgs", - "Type": "npm" - }, - { - "Target": "hooks/generic-webhook/hook/package-lock.json", - "Class": "lang-pkgs", - "Type": "npm" - }, - { - "Target": "hooks/notification/hook/package-lock.json", - "Class": "lang-pkgs", - "Type": "npm" - }, - { - "Target": "hooks/package-lock.json", - "Class": "lang-pkgs", - "Type": "npm" - }, - { - "Target": "hooks/persistence-elastic/hook/package-lock.json", - "Class": "lang-pkgs", - "Type": "npm" - }, - { - "Target": "hooks/update-field/hook/package-lock.json", - "Class": "lang-pkgs", - "Type": "npm" - }, - { - "Target": "lurker/go.sum", - "Class": 
"lang-pkgs", - "Type": "gomod", - "Vulnerabilities": [ + "PublishedDate": "2024-10-19T05:15:13.097Z", + "LastModifiedDate": "2024-10-21T17:10:22.857Z" + }, { - "VulnerabilityID": "CVE-2020-26160", - "PkgName": "github.com/dgrijalva/jwt-go", - "InstalledVersion": "3.2.0+incompatible", + "VulnerabilityID": "CVE-2024-4067", + "PkgID": "micromatch@4.0.5", + "PkgName": "micromatch", + "PkgIdentifier": { + "PURL": "pkg:npm/micromatch@4.0.5", + "UID": "5f3564ae1df27645" + }, + "InstalledVersion": "4.0.5", + "FixedVersion": "4.0.8", + "Status": "fixed", "Layer": {}, - "SeveritySource": "nvd", - "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2020-26160", - "Title": "jwt-go: access restriction bypass vulnerability", - "Description": "jwt-go before 4.0.0-preview1 allows attackers to bypass intended access restrictions in situations with []string{} for m[\"aud\"] (which is allowed by the specification). Because the type assertion fails, \"\" is the value of aud. This is a security problem if the JWT token is presented to a service that lacks its own audience check.", - "Severity": "HIGH", + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2024-4067", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Title": "micromatch: vulnerable to Regular Expression Denial of Service", + "Description": "The NPM package `micromatch` prior to 4.0.8 is vulnerable to Regular Expression Denial of Service (ReDoS). The vulnerability occurs in `micromatch.braces()` in `index.js` because the pattern `.*` will greedily match anything. By passing a malicious payload, the pattern matching will keep backtracking to the input while it doesn't find the closing bracket. As the input size increases, the consumption time will also increase until it causes the application to hang or slow down. There was a merged fix but further testing shows the issue persists. 
This issue should be mitigated by using a safe pattern that won't start backtracking the regular expression due to greedy matching. This issue was fixed in version 4.0.8.", + "Severity": "MEDIUM", "CweIDs": [ - "CWE-862" + "CWE-1333" ], + "VendorSeverity": { + "cbl-mariner": 3, + "ghsa": 2, + "redhat": 2 + }, "CVSS": { - "nvd": { - "V2Vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N", - "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", - "V2Score": 5, - "V3Score": 7.5 + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", + "V3Score": 5.3 }, "redhat": { - "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "V3Score": 7.5 } }, "References": [ - "https://github.com/dgrijalva/jwt-go/pull/426", - "https://nvd.nist.gov/vuln/detail/CVE-2020-26160", - "https://snyk.io/vuln/SNYK-GOLANG-GITHUBCOMDGRIJALVAJWTGO-596515" + "https://access.redhat.com/security/cve/CVE-2024-4067", + "https://advisory.checkmarx.net/advisory/CVE-2024-4067", + "https://advisory.checkmarx.net/advisory/CVE-2024-4067/", + "https://devhub.checkmarx.com/cve-details/CVE-2024-4067", + "https://devhub.checkmarx.com/cve-details/CVE-2024-4067/", + "https://github.com/micromatch/micromatch", + "https://github.com/micromatch/micromatch/blob/2c56a8604b68c1099e7bc0f807ce0865a339747a/index.js#L448", + "https://github.com/micromatch/micromatch/commit/03aa8052171e878897eee5d7bb2ae0ae83ec2ade", + "https://github.com/micromatch/micromatch/commit/500d5d6f42f0e8dfa1cb5464c6cb420b1b6aaaa0", + "https://github.com/micromatch/micromatch/issues/243", + "https://github.com/micromatch/micromatch/pull/247", + "https://github.com/micromatch/micromatch/pull/266", + "https://github.com/micromatch/micromatch/releases/tag/4.0.8", + "https://nvd.nist.gov/vuln/detail/CVE-2024-4067", + "https://www.cve.org/CVERecord?id=CVE-2024-4067" ], - "PublishedDate": "2020-09-30T18:15:00Z", - "LastModifiedDate": "2021-07-21T11:39:00Z" + "PublishedDate": 
"2024-05-14T15:42:47.947Z", + "LastModifiedDate": "2024-08-28T00:15:04.13Z" }, { - "VulnerabilityID": "CVE-2021-3121", - "PkgName": "github.com/gogo/protobuf", - "InstalledVersion": "1.2.2-0.20190723190241-65acae22fc9d", - "FixedVersion": "v1.3.2", + "VulnerabilityID": "CVE-2024-45296", + "PkgID": "path-to-regexp@0.1.7", + "PkgName": "path-to-regexp", + "PkgIdentifier": { + "PURL": "pkg:npm/path-to-regexp@0.1.7", + "UID": "460f223cddc320b9" + }, + "InstalledVersion": "0.1.7", + "FixedVersion": "1.9.0, 0.1.10, 8.0.0, 3.3.0, 6.3.0", + "Status": "fixed", "Layer": {}, - "SeveritySource": "nvd", - "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2021-3121", - "Title": "gogo/protobuf: plugin/unmarshal/unmarshal.go lacks certain index validation", - "Description": "An issue was discovered in GoGo Protobuf before 1.3.2. plugin/unmarshal/unmarshal.go lacks certain index validation, aka the \"skippy peanut butter\" issue.", + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2024-45296", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Title": "path-to-regexp: Backtracking regular expressions cause ReDoS", + "Description": "path-to-regexp turns path strings into a regular expressions. In certain cases, path-to-regexp will output a regular expression that can be exploited to cause poor performance. Because JavaScript is single threaded and regex matching runs on the main thread, poor performance will block the event loop and lead to a DoS. The bad regular expression is generated any time you have two parameters within a single segment, separated by something that is not a period (.). For users of 0.1, upgrade to 0.1.10. 
All other users should upgrade to 8.0.0.", "Severity": "HIGH", "CweIDs": [ - "CWE-129" + "CWE-1333" ], + "VendorSeverity": { + "cbl-mariner": 3, + "ghsa": 3, + "redhat": 2 + }, "CVSS": { - "nvd": { - "V2Vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P", - "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H", - "V2Score": 7.5, - "V3Score": 8.6 + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 7.5 }, "redhat": { - "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H", - "V3Score": 8.6 + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", + "V3Score": 5.3 } }, "References": [ - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3121", - "https://discuss.hashicorp.com/t/hcsec-2021-23-consul-exposed-to-denial-of-service-in-gogo-protobuf-dependency/29025", - "https://github.com/gogo/protobuf/commit/b03c65ea87cdc3521ede29f62fe3ce239267c1bc", - "https://github.com/gogo/protobuf/compare/v1.3.1...v1.3.2", - "https://lists.apache.org/thread.html/r68032132c0399c29d6cdc7bd44918535da54060a10a12b1591328bff@%3Cnotifications.skywalking.apache.org%3E", - "https://lists.apache.org/thread.html/r88d69555cb74a129a7bf84838073b61259b4a3830190e05a3b87994e@%3Ccommits.pulsar.apache.org%3E", - "https://lists.apache.org/thread.html/rc1e9ff22c5641d73701ba56362fb867d40ed287cca000b131dcf4a44@%3Ccommits.pulsar.apache.org%3E", - "https://nvd.nist.gov/vuln/detail/CVE-2021-3121", - "https://security.netapp.com/advisory/ntap-20210219-0006/" + "https://access.redhat.com/security/cve/CVE-2024-45296", + "https://github.com/pillarjs/path-to-regexp", + "https://github.com/pillarjs/path-to-regexp/commit/29b96b4a1de52824e1ca0f49a701183cc4ed476f", + "https://github.com/pillarjs/path-to-regexp/commit/60f2121e9b66b7b622cc01080df0aabda9eedee6", + "https://github.com/pillarjs/path-to-regexp/commit/925ac8e3c5780b02f58cbd4e52f95da8ad2ac485", + "https://github.com/pillarjs/path-to-regexp/commit/d31670ae8f6e69cbfd56e835742195b7d10942ef", + 
"https://github.com/pillarjs/path-to-regexp/commit/f1253b47b347dcb909e3e80b0eb2649109e59894", + "https://github.com/pillarjs/path-to-regexp/releases/tag/v6.3.0", + "https://github.com/pillarjs/path-to-regexp/security/advisories/GHSA-9wv6-86v2-598j", + "https://nvd.nist.gov/vuln/detail/CVE-2024-45296", + "https://www.cve.org/CVERecord?id=CVE-2024-45296" ], - "PublishedDate": "2021-01-11T06:15:00Z", - "LastModifiedDate": "2021-10-18T06:15:00Z" + "PublishedDate": "2024-09-09T19:15:13.33Z", + "LastModifiedDate": "2024-09-10T12:09:50.377Z" }, { - "VulnerabilityID": "CVE-2020-29652", - "PkgName": "golang.org/x/crypto", - "InstalledVersion": "0.0.0-20190611184440-5c40567a22f8", - "FixedVersion": "v0.0.0-20201216223049-8b5274cf687f", + "VulnerabilityID": "CVE-2024-45296", + "PkgID": "path-to-regexp@1.8.0", + "PkgName": "path-to-regexp", + "PkgIdentifier": { + "PURL": "pkg:npm/path-to-regexp@1.8.0", + "UID": "ed3f3031b58d2831" + }, + "InstalledVersion": "1.8.0", + "FixedVersion": "1.9.0, 0.1.10, 8.0.0, 3.3.0, 6.3.0", + "Status": "fixed", "Layer": {}, - "SeveritySource": "nvd", - "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2020-29652", - "Title": "golang: crypto/ssh: crafted authentication request can lead to nil pointer dereference", - "Description": "A nil pointer dereference in the golang.org/x/crypto/ssh component through v0.0.0-20201203163018-be400aefbc4c for Go allows remote attackers to cause a denial of service against SSH servers.", + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2024-45296", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Title": "path-to-regexp: Backtracking regular expressions cause ReDoS", + "Description": "path-to-regexp turns path strings into a regular expressions. In certain cases, path-to-regexp will output a regular expression that can be exploited to cause poor performance. 
Because JavaScript is single threaded and regex matching runs on the main thread, poor performance will block the event loop and lead to a DoS. The bad regular expression is generated any time you have two parameters within a single segment, separated by something that is not a period (.). For users of 0.1, upgrade to 0.1.10. All other users should upgrade to 8.0.0.", "Severity": "HIGH", "CweIDs": [ - "CWE-476" + "CWE-1333" ], + "VendorSeverity": { + "cbl-mariner": 3, + "ghsa": 3, + "redhat": 2 + }, "CVSS": { - "nvd": { - "V2Vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P", + "ghsa": { "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", - "V2Score": 5, "V3Score": 7.5 }, "redhat": { - "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", - "V3Score": 7.5 + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", + "V3Score": 5.3 } }, "References": [ - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-29652", - "https://go-review.googlesource.com/c/crypto/+/278852", - "https://groups.google.com/g/golang-announce/c/ouZIlBimOsE?pli=1", - "https://lists.apache.org/thread.html/r68032132c0399c29d6cdc7bd44918535da54060a10a12b1591328bff@%3Cnotifications.skywalking.apache.org%3E", - "https://nvd.nist.gov/vuln/detail/CVE-2020-29652" + "https://access.redhat.com/security/cve/CVE-2024-45296", + "https://github.com/pillarjs/path-to-regexp", + "https://github.com/pillarjs/path-to-regexp/commit/29b96b4a1de52824e1ca0f49a701183cc4ed476f", + "https://github.com/pillarjs/path-to-regexp/commit/60f2121e9b66b7b622cc01080df0aabda9eedee6", + "https://github.com/pillarjs/path-to-regexp/commit/925ac8e3c5780b02f58cbd4e52f95da8ad2ac485", + "https://github.com/pillarjs/path-to-regexp/commit/d31670ae8f6e69cbfd56e835742195b7d10942ef", + "https://github.com/pillarjs/path-to-regexp/commit/f1253b47b347dcb909e3e80b0eb2649109e59894", + "https://github.com/pillarjs/path-to-regexp/releases/tag/v6.3.0", + "https://github.com/pillarjs/path-to-regexp/security/advisories/GHSA-9wv6-86v2-598j", + 
"https://nvd.nist.gov/vuln/detail/CVE-2024-45296", + "https://www.cve.org/CVERecord?id=CVE-2024-45296" ], - "PublishedDate": "2020-12-17T05:15:00Z", - "LastModifiedDate": "2021-10-18T06:15:00Z" + "PublishedDate": "2024-09-09T19:15:13.33Z", + "LastModifiedDate": "2024-09-10T12:09:50.377Z" }, { - "VulnerabilityID": "CVE-2020-9283", - "PkgName": "golang.org/x/crypto", - "InstalledVersion": "0.0.0-20190611184440-5c40567a22f8", - "FixedVersion": "v0.0.0-20200220183623-bac4c82f6975", + "VulnerabilityID": "CVE-2024-45296", + "PkgID": "path-to-regexp@2.2.1", + "PkgName": "path-to-regexp", + "PkgIdentifier": { + "PURL": "pkg:npm/path-to-regexp@2.2.1", + "UID": "97ad1531f1fef39c" + }, + "InstalledVersion": "2.2.1", + "FixedVersion": "1.9.0, 0.1.10, 8.0.0, 3.3.0, 6.3.0", + "Status": "fixed", "Layer": {}, - "SeveritySource": "nvd", - "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2020-9283", - "Title": "golang.org/x/crypto: Processing of crafted ssh-ed25519 public keys allows for panic", - "Description": "golang.org/x/crypto before v0.0.0-20200220183623-bac4c82f6975 for Go allows a panic during signature verification in the golang.org/x/crypto/ssh package. A client can attack an SSH server that accepts public keys. Also, a server can attack any SSH client.", + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2024-45296", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Title": "path-to-regexp: Backtracking regular expressions cause ReDoS", + "Description": "path-to-regexp turns path strings into a regular expressions. In certain cases, path-to-regexp will output a regular expression that can be exploited to cause poor performance. Because JavaScript is single threaded and regex matching runs on the main thread, poor performance will block the event loop and lead to a DoS. 
The bad regular expression is generated any time you have two parameters within a single segment, separated by something that is not a period (.). For users of 0.1, upgrade to 0.1.10. All other users should upgrade to 8.0.0.", "Severity": "HIGH", "CweIDs": [ - "CWE-347" + "CWE-1333" ], + "VendorSeverity": { + "cbl-mariner": 3, + "ghsa": 3, + "redhat": 2 + }, "CVSS": { - "nvd": { - "V2Vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P", + "ghsa": { "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", - "V2Score": 5, "V3Score": 7.5 }, "redhat": { - "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", - "V3Score": 7.5 + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", + "V3Score": 5.3 } }, "References": [ - "http://packetstormsecurity.com/files/156480/Go-SSH-0.0.2-Denial-Of-Service.html", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9283", - "https://groups.google.com/forum/#!topic/golang-announce/3L45YRc91SY", - "https://lists.debian.org/debian-lts-announce/2020/10/msg00014.html", - "https://lists.debian.org/debian-lts-announce/2020/11/msg00027.html", - "https://lists.debian.org/debian-lts-announce/2020/11/msg00031.html", - "https://nvd.nist.gov/vuln/detail/CVE-2020-9283" + "https://access.redhat.com/security/cve/CVE-2024-45296", + "https://github.com/pillarjs/path-to-regexp", + "https://github.com/pillarjs/path-to-regexp/commit/29b96b4a1de52824e1ca0f49a701183cc4ed476f", + "https://github.com/pillarjs/path-to-regexp/commit/60f2121e9b66b7b622cc01080df0aabda9eedee6", + "https://github.com/pillarjs/path-to-regexp/commit/925ac8e3c5780b02f58cbd4e52f95da8ad2ac485", + "https://github.com/pillarjs/path-to-regexp/commit/d31670ae8f6e69cbfd56e835742195b7d10942ef", + "https://github.com/pillarjs/path-to-regexp/commit/f1253b47b347dcb909e3e80b0eb2649109e59894", + "https://github.com/pillarjs/path-to-regexp/releases/tag/v6.3.0", + "https://github.com/pillarjs/path-to-regexp/security/advisories/GHSA-9wv6-86v2-598j", + 
"https://nvd.nist.gov/vuln/detail/CVE-2024-45296", + "https://www.cve.org/CVERecord?id=CVE-2024-45296" ], - "PublishedDate": "2020-02-20T20:15:00Z", - "LastModifiedDate": "2020-11-18T23:15:00Z" + "PublishedDate": "2024-09-09T19:15:13.33Z", + "LastModifiedDate": "2024-09-10T12:09:50.377Z" }, { - "VulnerabilityID": "CVE-2019-11254", - "PkgName": "gopkg.in/yaml.v2", - "InstalledVersion": "2.2.4", - "FixedVersion": "v2.2.8", + "VulnerabilityID": "CVE-2024-43799", + "PkgID": "send@0.18.0", + "PkgName": "send", + "PkgIdentifier": { + "PURL": "pkg:npm/send@0.18.0", + "UID": "b639822ce894189" + }, + "InstalledVersion": "0.18.0", + "FixedVersion": "0.19.0", + "Status": "fixed", "Layer": {}, - "SeveritySource": "nvd", - "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-11254", - "Title": "kubernetes: Denial of service in API server via crafted YAML payloads by authorized users", - "Description": "The Kubernetes API Server component in versions 1.1-1.14, and versions prior to 1.15.10, 1.16.7 and 1.17.3 allows an authorized user who sends malicious YAML payloads to cause the kube-apiserver to consume excessive CPU cycles while parsing YAML.", + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2024-43799", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Title": "send: Code Execution Vulnerability in Send Library", + "Description": "Send is a library for streaming files from the file system as a http response. Send passes untrusted user input to SendStream.redirect() which executes untrusted code. 
This issue is patched in send 0.19.0.", "Severity": "MEDIUM", + "CweIDs": [ + "CWE-79" + ], + "VendorSeverity": { + "cbl-mariner": 2, + "ghsa": 2, + "nvd": 2, + "redhat": 2 + }, "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L", + "V3Score": 5 + }, "nvd": { - "V2Vector": "AV:N/AC:L/Au:S/C:N/I:N/A:P", - "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", - "V2Score": 4, - "V3Score": 6.5 + "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N", + "V3Score": 4.7 }, "redhat": { - "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", - "V3Score": 6.5 + "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L", + "V3Score": 5 } }, "References": [ - "https://github.com/kubernetes/kubernetes/issues/89535", - "https://groups.google.com/d/msg/kubernetes-announce/ALL9s73E5ck/4yHe8J-PBAAJ", - "https://groups.google.com/forum/#!topic/kubernetes-security-announce/wuwEwZigXBc", - "https://linux.oracle.com/cve/CVE-2019-11254.html", - "https://linux.oracle.com/errata/ELSA-2020-5653.html", - "https://security.netapp.com/advisory/ntap-20200413-0003/" + "https://access.redhat.com/security/cve/CVE-2024-43799", + "https://github.com/pillarjs/send", + "https://github.com/pillarjs/send/commit/ae4f2989491b392ae2ef3b0015a019770ae65d35", + "https://github.com/pillarjs/send/security/advisories/GHSA-m6fv-jmcg-4jfg", + "https://nvd.nist.gov/vuln/detail/CVE-2024-43799", + "https://www.cve.org/CVERecord?id=CVE-2024-43799" ], - "PublishedDate": "2020-04-01T21:15:00Z", - "LastModifiedDate": "2020-10-02T17:37:00Z" + "PublishedDate": "2024-09-10T15:15:17.727Z", + "LastModifiedDate": "2024-09-20T16:57:14.687Z" }, { - "VulnerabilityID": "CVE-2019-11250", - "PkgName": "k8s.io/client-go", - "InstalledVersion": "0.0.0-20191114101535-6c5935290e33", - "FixedVersion": "v0.17.0", + "VulnerabilityID": "CVE-2024-43800", + "PkgID": "serve-static@1.15.0", + "PkgName": "serve-static", + "PkgIdentifier": { + "PURL": "pkg:npm/serve-static@1.15.0", + "UID": 
"5959ab2c89a04911" + }, + "InstalledVersion": "1.15.0", + "FixedVersion": "1.16.0, 2.1.0", + "Status": "fixed", "Layer": {}, - "SeveritySource": "nvd", - "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-11250", - "Title": "kubernetes: Bearer tokens written to logs at high verbosity levels (\u003e= 7)", - "Description": "The Kubernetes client-go library logs request headers at verbosity levels of 7 or higher. This can disclose credentials to unauthorized users via logs or command output. Kubernetes components (such as kube-apiserver) prior to v1.16.0, which make use of basic or bearer token authentication, and run at high verbosity levels, are affected.", + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2024-43800", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Title": "serve-static: Improper Sanitization in serve-static", + "Description": "serve-static serves static files. serve-static passes untrusted user input - even after sanitizing it - to redirect() may execute untrusted code. 
This issue is patched in serve-static 1.16.0.", "Severity": "MEDIUM", "CweIDs": [ - "CWE-532" + "CWE-79" ], + "VendorSeverity": { + "cbl-mariner": 2, + "ghsa": 2, + "nvd": 2, + "redhat": 2 + }, "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L", + "V3Score": 5 + }, "nvd": { - "V2Vector": "AV:N/AC:M/Au:S/C:P/I:N/A:N", - "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", - "V2Score": 3.5, - "V3Score": 6.5 + "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N", + "V3Score": 4.7 }, "redhat": { - "V3Vector": "CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N", - "V3Score": 4.4 + "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L", + "V3Score": 5 } }, "References": [ - "http://www.openwall.com/lists/oss-security/2020/10/16/2", - "https://access.redhat.com/errata/RHSA-2019:4052", - "https://access.redhat.com/errata/RHSA-2019:4087", - "https://github.com/kubernetes/kubernetes/issues/81114", - "https://nvd.nist.gov/vuln/detail/CVE-2019-11250", - "https://security.netapp.com/advisory/ntap-20190919-0003/" + "https://access.redhat.com/security/cve/CVE-2024-43800", + "https://github.com/expressjs/serve-static", + "https://github.com/expressjs/serve-static/commit/0c11fad159898cdc69fd9ab63269b72468ecaf6b", + "https://github.com/expressjs/serve-static/commit/ce730896fddce1588111d9ef6fdf20896de5c6fa", + "https://github.com/expressjs/serve-static/security/advisories/GHSA-cm22-4g7w-348p", + "https://nvd.nist.gov/vuln/detail/CVE-2024-43800", + "https://www.cve.org/CVERecord?id=CVE-2024-43800" ], - "PublishedDate": "2019-08-29T01:15:00Z", - "LastModifiedDate": "2020-10-16T09:15:00Z" + "PublishedDate": "2024-09-10T15:15:17.937Z", + "LastModifiedDate": "2024-09-20T17:36:30.313Z" }, { - "VulnerabilityID": "CVE-2020-8565", - "PkgName": "k8s.io/client-go", - "InstalledVersion": "0.0.0-20191114101535-6c5935290e33", - "FixedVersion": "v0.20.0-alpha.2", + "VulnerabilityID": "CVE-2024-43788", + "PkgID": "webpack@5.89.0", + "PkgName": "webpack", + 
"PkgIdentifier": { + "PURL": "pkg:npm/webpack@5.89.0", + "UID": "9250ac56a07283fe" + }, + "InstalledVersion": "5.89.0", + "FixedVersion": "5.94.0", + "Status": "fixed", "Layer": {}, - "SeveritySource": "nvd", - "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2020-8565", - "Title": "kubernetes: Incomplete fix for CVE-2019-11250 allows for token leak in logs when logLevel \u003e= 9", - "Description": "In Kubernetes, if the logging level is set to at least 9, authorization and bearer tokens will be written to log files. This can occur both in API server logs and client tool output like kubectl. This affects \u003c= v1.19.3, \u003c= v1.18.10, \u003c= v1.17.13, \u003c v1.20.0-alpha2.", + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2024-43788", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Title": "webpack: DOM Clobbering vulnerability in AutoPublicPathRuntimeModule", + "Description": "Webpack is a module bundler. Its main purpose is to bundle JavaScript files for usage in a browser, yet it is also capable of transforming, bundling, or packaging just about any resource or asset. The webpack developers have discovered a DOM Clobbering vulnerability in Webpack’s `AutoPublicPathRuntimeModule`. The DOM Clobbering gadget in the module can lead to cross-site scripting (XSS) in web pages where scriptless attacker-controlled HTML elements (e.g., an `img` tag with an unsanitized `name` attribute) are present. Real-world exploitation of this gadget has been observed in the Canvas LMS which allows a XSS attack to happen through a javascript code compiled by Webpack (the vulnerable part is from Webpack). DOM Clobbering is a type of code-reuse attack where the attacker first embeds a piece of non-script, seemingly benign HTML markups in the webpage (e.g. 
through a post or comment) and leverages the gadgets (pieces of js code) living in the existing javascript code to transform it into executable code. This vulnerability can lead to cross-site scripting (XSS) on websites that include Webpack-generated files and allow users to inject certain scriptless HTML tags with improperly sanitized name or id attributes. This issue has been addressed in release version 5.94.0. All users are advised to upgrade. There are no known workarounds for this issue.", "Severity": "MEDIUM", "CweIDs": [ - "CWE-532" + "CWE-79" ], + "VendorSeverity": { + "azure": 2, + "ghsa": 2, + "nvd": 2, + "redhat": 2 + }, "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:H", + "V3Score": 6.4 + }, "nvd": { - "V2Vector": "AV:L/AC:L/Au:N/C:P/I:N/A:N", - "V3Vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", - "V2Score": 2.1, - "V3Score": 5.5 + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", + "V3Score": 6.1 }, "redhat": { - "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N", - "V3Score": 5.3 + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", + "V3Score": 6.1 } }, "References": [ - "https://github.com/kubernetes/kubernetes/issues/95623", - "https://groups.google.com/g/kubernetes-announce/c/ScdmyORnPDk", - "https://groups.google.com/g/kubernetes-security-discuss/c/vm-HcrFUOCs/m/36utxAM5CwAJ", - "https://nvd.nist.gov/vuln/detail/CVE-2020-8565" + "https://access.redhat.com/security/cve/CVE-2024-43788", + "https://github.com/webpack/webpack", + "https://github.com/webpack/webpack/commit/955e057abc6cc83cbc3fa1e1ef67a49758bf5a61", + "https://github.com/webpack/webpack/issues/18718#issuecomment-2326296270", + "https://github.com/webpack/webpack/security/advisories/GHSA-4vvj-4cpr-p986", + "https://nvd.nist.gov/vuln/detail/CVE-2024-43788", + "https://research.securitum.com/xss-in-amp4email-dom-clobbering", + "https://scnps.co/papers/sp23_domclob.pdf", + "https://www.cve.org/CVERecord?id=CVE-2024-43788" 
], - "PublishedDate": "2020-12-07T22:15:00Z", - "LastModifiedDate": "2020-12-08T19:51:00Z" + "PublishedDate": "2024-08-27T17:15:07.967Z", + "LastModifiedDate": "2024-09-03T15:15:15.937Z" } ] }, { - "Target": "operator/go.sum", + "Target": "hook-sdk/nodejs/package-lock.json", "Class": "lang-pkgs", - "Type": "gomod", + "Type": "npm", "Vulnerabilities": [ { - "VulnerabilityID": "CVE-2020-26160", - "PkgName": "github.com/dgrijalva/jwt-go", - "InstalledVersion": "3.2.0+incompatible", + "VulnerabilityID": "CVE-2024-39338", + "PkgID": "axios@1.6.0", + "PkgName": "axios", + "PkgIdentifier": { + "PURL": "pkg:npm/axios@1.6.0", + "UID": "efb06667c4571c71" + }, + "InstalledVersion": "1.6.0", + "FixedVersion": "1.7.4", + "Status": "fixed", "Layer": {}, - "SeveritySource": "nvd", - "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2020-26160", - "Title": "jwt-go: access restriction bypass vulnerability", - "Description": "jwt-go before 4.0.0-preview1 allows attackers to bypass intended access restrictions in situations with []string{} for m[\"aud\"] (which is allowed by the specification). Because the type assertion fails, \"\" is the value of aud. 
This is a security problem if the JWT token is presented to a service that lacks its own audience check.", + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2024-39338", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Title": "axios: axios: Server-Side Request Forgery", + "Description": "axios 1.7.2 allows SSRF via unexpected behavior where requests for path relative URLs get processed as protocol relative URLs.", "Severity": "HIGH", "CweIDs": [ - "CWE-862" + "CWE-918" ], + "VendorSeverity": { + "ghsa": 3, + "nvd": 3, + "redhat": 3 + }, "CVSS": { "nvd": { - "V2Vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", - "V2Score": 5, "V3Score": 7.5 }, "redhat": { 
@@ -498,164 +831,1660 @@ } }, "References": [ - "https://github.com/dgrijalva/jwt-go/pull/426", - "https://nvd.nist.gov/vuln/detail/CVE-2020-26160", - "https://snyk.io/vuln/SNYK-GOLANG-GITHUBCOMDGRIJALVAJWTGO-596515" + "https://access.redhat.com/security/cve/CVE-2024-39338", + "https://github.com/axios/axios", + "https://github.com/axios/axios/commit/6b6b605eaf73852fb2dae033f1e786155959de3a", + "https://github.com/axios/axios/issues/6463", + "https://github.com/axios/axios/pull/6539", + "https://github.com/axios/axios/pull/6543", + "https://github.com/axios/axios/releases", + "https://github.com/axios/axios/releases/tag/v1.7.4", + "https://jeffhacks.com/advisories/2024/06/24/CVE-2024-39338.html", + "https://nvd.nist.gov/vuln/detail/CVE-2024-39338", + "https://www.cve.org/CVERecord?id=CVE-2024-39338" ], - "PublishedDate": "2020-09-30T18:15:00Z", - "LastModifiedDate": "2021-07-21T11:39:00Z" + "PublishedDate": "2024-08-12T13:38:24.487Z", + "LastModifiedDate": "2024-08-23T18:35:36.313Z" }, { - "VulnerabilityID": "CVE-2021-3121", - "PkgName": "github.com/gogo/protobuf", - "InstalledVersion": "1.3.1", - "FixedVersion": "v1.3.2", + "VulnerabilityID": "CVE-2024-21534", + "PkgID": "jsonpath-plus@7.2.0", + "PkgName": "jsonpath-plus", + "PkgIdentifier": { + "PURL": "pkg:npm/jsonpath-plus@7.2.0", + "UID": "4f332f2d78ed8f2a" + }, + "InstalledVersion": "7.2.0", + "FixedVersion": "10.0.0", + "Status": "fixed", "Layer": {}, - "SeveritySource": "nvd", - "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2021-3121", - "Title": "gogo/protobuf: plugin/unmarshal/unmarshal.go lacks certain index validation", - "Description": "An issue was discovered in GoGo Protobuf before 1.3.2. 
plugin/unmarshal/unmarshal.go lacks certain index validation, aka the \"skippy peanut butter\" issue.", - "Severity": "HIGH", + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2024-21534", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Title": "jsonpath-plus: Remote Code Execution in jsonpath-plus via Improper Input Sanitization", + "Description": "Versions of the package jsonpath-plus before 10.0.7 are vulnerable to Remote Code Execution (RCE) due to improper input sanitization. An attacker can execute aribitrary code on the system by exploiting the unsafe default usage of vm in Node.\r\r**Note:**\r\rThere was an attempt to fix it in version [10.0.0](https://github.com/JSONPath-Plus/JSONPath/commit/6b2f1b4c234292c75912b790bf7e2d7339d4ccd3) but it could still be exploited using [different payloads](https://github.com/JSONPath-Plus/JSONPath/issues/226).", + "Severity": "CRITICAL", "CweIDs": [ - "CWE-129" + "CWE-94" ], + "VendorSeverity": { + "ghsa": 4, + "redhat": 4 + }, "CVSS": { - "nvd": { - "V2Vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P", - "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H", - "V2Score": 7.5, - "V3Score": 8.6 + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "V3Score": 9.8 }, "redhat": { - "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H", - "V3Score": 8.6 + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "V3Score": 9.8 + } + }, + "References": [ + "https://access.redhat.com/security/cve/CVE-2024-21534", + "https://github.com/JSONPath-Plus/JSONPath", + "https://github.com/JSONPath-Plus/JSONPath/commit/6b2f1b4c234292c75912b790bf7e2d7339d4ccd3", + "https://github.com/JSONPath-Plus/JSONPath/commit/b70aa713553caf838a63bac923195a5bc541fd72", + "https://github.com/JSONPath-Plus/JSONPath/issues/226", + "https://nvd.nist.gov/vuln/detail/CVE-2024-21534", + 
"https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-8185019", + "https://security.snyk.io/vuln/SNYK-JS-JSONPATHPLUS-7945884", + "https://www.cve.org/CVERecord?id=CVE-2024-21534" + ], + "PublishedDate": "2024-10-11T13:15:15.667Z", + "LastModifiedDate": "2024-10-20T12:15:02.757Z" + }, + { + "VulnerabilityID": "CVE-2023-28155", + "PkgID": "request@2.88.2", + "PkgName": "request", + "PkgIdentifier": { + "PURL": "pkg:npm/request@2.88.2", + "UID": "bfac9a85e49edbbd" + }, + "InstalledVersion": "2.88.2", + "Status": "affected", + "Layer": {}, + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2023-28155", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Title": "The Request package through 2.88.1 for Node.js allows a bypass of SSRF ...", + "Description": "The Request package through 2.88.1 for Node.js allows a bypass of SSRF mitigations via an attacker-controller server that does a cross-protocol redirect (HTTP to HTTPS, or HTTPS to HTTP). 
NOTE: This vulnerability only affects products that are no longer supported by the maintainer.", + "Severity": "MEDIUM", + "CweIDs": [ + "CWE-918" + ], + "VendorSeverity": { + "cbl-mariner": 2, + "ghsa": 2, + "nvd": 2 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", + "V3Score": 6.1 + }, + "nvd": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", + "V3Score": 6.1 } }, "References": [ - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3121", - "https://discuss.hashicorp.com/t/hcsec-2021-23-consul-exposed-to-denial-of-service-in-gogo-protobuf-dependency/29025", - "https://github.com/gogo/protobuf/commit/b03c65ea87cdc3521ede29f62fe3ce239267c1bc", - "https://github.com/gogo/protobuf/compare/v1.3.1...v1.3.2", - "https://lists.apache.org/thread.html/r68032132c0399c29d6cdc7bd44918535da54060a10a12b1591328bff@%3Cnotifications.skywalking.apache.org%3E", - "https://lists.apache.org/thread.html/r88d69555cb74a129a7bf84838073b61259b4a3830190e05a3b87994e@%3Ccommits.pulsar.apache.org%3E", - "https://lists.apache.org/thread.html/rc1e9ff22c5641d73701ba56362fb867d40ed287cca000b131dcf4a44@%3Ccommits.pulsar.apache.org%3E", - "https://nvd.nist.gov/vuln/detail/CVE-2021-3121", - "https://security.netapp.com/advisory/ntap-20210219-0006/" + "https://doyensec.com/resources/Doyensec_Advisory_RequestSSRF_Q12023.pdf", + "https://github.com/cypress-io/request/blob/master/lib/redirect.js#L116", + "https://github.com/cypress-io/request/commit/c5bcf21d40fb61feaff21a0e5a2b3934a440024f", + "https://github.com/cypress-io/request/pull/28", + "https://github.com/cypress-io/request/releases/tag/v3.0.0", + "https://github.com/github/advisory-database/pull/2500", + "https://github.com/request/request", + "https://github.com/request/request/blob/master/lib/redirect.js#L111", + "https://github.com/request/request/issues/3442", + "https://github.com/request/request/pull/3444", + "https://nvd.nist.gov/vuln/detail/CVE-2023-28155", + 
"https://security.netapp.com/advisory/ntap-20230413-0007", + "https://security.netapp.com/advisory/ntap-20230413-0007/" ], - "PublishedDate": "2021-01-11T06:15:00Z", - "LastModifiedDate": "2021-10-18T06:15:00Z" + "PublishedDate": "2023-03-16T15:15:11.107Z", + "LastModifiedDate": "2024-08-02T13:15:37.183Z" }, { - "VulnerabilityID": "CVE-2019-19794", - "PkgName": "github.com/miekg/dns", - "InstalledVersion": "1.0.14", - "FixedVersion": "v1.1.25-0.20191211073109-8ebf2e419df7", + "VulnerabilityID": "CVE-2023-26136", + "PkgID": "tough-cookie@2.5.0", + "PkgName": "tough-cookie", + "PkgIdentifier": { + "PURL": "pkg:npm/tough-cookie@2.5.0", + "UID": "bd285d224cfda1bd" + }, + "InstalledVersion": "2.5.0", + "FixedVersion": "4.1.3", + "Status": "fixed", "Layer": {}, - "SeveritySource": "nvd", - "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-19794", - "Title": "golang-github-miekg-dns: predictable TXID can lead to response forgeries", - "Description": "The miekg Go DNS package before 1.1.25, as used in CoreDNS before 1.6.6 and other products, improperly generates random numbers because math/rand is used. The TXID becomes predictable, leading to response forgeries.", + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2023-26136", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Title": "tough-cookie: prototype pollution in cookie memstore", + "Description": "Versions of the package tough-cookie before 4.1.3 are vulnerable to Prototype Pollution due to improper handling of Cookies when using CookieJar in rejectPublicSuffixes=false mode. 
This issue arises from the manner in which the objects are initialized.", "Severity": "MEDIUM", "CweIDs": [ - "CWE-338" + "CWE-1321" ], + "VendorSeverity": { + "ghsa": 2, + "nvd": 4, + "redhat": 2 + }, "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", + "V3Score": 6.5 + }, "nvd": { - "V2Vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N", - "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", - "V2Score": 4.3, - "V3Score": 5.9 + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "V3Score": 9.8 }, "redhat": { - "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", - "V3Score": 5.9 + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", + "V3Score": 6.5 } }, "References": [ - "https://github.com/coredns/coredns/issues/3519", - "https://github.com/coredns/coredns/issues/3547", - "https://github.com/miekg/dns/compare/v1.1.24...v1.1.25", - "https://github.com/miekg/dns/issues/1043", - "https://github.com/miekg/dns/pull/1044" + "https://access.redhat.com/security/cve/CVE-2023-26136", + "https://github.com/salesforce/tough-cookie", + "https://github.com/salesforce/tough-cookie/commit/12d474791bb856004e858fdb1c47b7608d09cf6e", + "https://github.com/salesforce/tough-cookie/issues/282", + "https://github.com/salesforce/tough-cookie/releases/tag/v4.1.3", + "https://lists.debian.org/debian-lts-announce/2023/07/msg00010.html", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3HUE6ZR5SL73KHL7XUPAOEL6SB7HUDT2", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3HUE6ZR5SL73KHL7XUPAOEL6SB7HUDT2/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6PVVPNSAGSDS63HQ74PJ7MZ3MU5IYNVZ", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6PVVPNSAGSDS63HQ74PJ7MZ3MU5IYNVZ/", + "https://nvd.nist.gov/vuln/detail/CVE-2023-26136", + 
"https://security.netapp.com/advisory/ntap-20240621-0006", + "https://security.netapp.com/advisory/ntap-20240621-0006/", + "https://security.snyk.io/vuln/SNYK-JS-TOUGHCOOKIE-5672873", + "https://www.cve.org/CVERecord?id=CVE-2023-26136" ], - "PublishedDate": "2019-12-13T22:15:00Z", - "LastModifiedDate": "2020-01-02T17:36:00Z" + "PublishedDate": "2023-07-01T05:15:16.103Z", + "LastModifiedDate": "2024-06-21T19:15:26.163Z" }, { - "VulnerabilityID": "CVE-2020-29652", - "PkgName": "golang.org/x/crypto", - "InstalledVersion": "0.0.0-20201002170205-7f63de1d35b0", - "FixedVersion": "v0.0.0-20201216223049-8b5274cf687f", + "VulnerabilityID": "CVE-2024-37890", + "PkgID": "ws@8.13.0", + "PkgName": "ws", + "PkgIdentifier": { + "PURL": "pkg:npm/ws@8.13.0", + "UID": "2e626fd95dbd8ec5" + }, + "InstalledVersion": "8.13.0", + "FixedVersion": "5.2.4, 6.2.3, 7.5.10, 8.17.1", + "Status": "fixed", "Layer": {}, - "SeveritySource": "nvd", - "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2020-29652", - "Title": "golang: crypto/ssh: crafted authentication request can lead to nil pointer dereference", - "Description": "A nil pointer dereference in the golang.org/x/crypto/ssh component through v0.0.0-20201203163018-be400aefbc4c for Go allows remote attackers to cause a denial of service against SSH servers.", + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2024-37890", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Title": "nodejs-ws: denial of service when handling a request with many HTTP headers", + "Description": "ws is an open source WebSocket client and server for Node.js. A request with a number of headers exceeding theserver.maxHeadersCount threshold could be used to crash a ws server. The vulnerability was fixed in ws@8.17.1 (e55e510) and backported to ws@7.5.10 (22c2876), ws@6.2.3 (eeb76d3), and ws@5.2.4 (4abd8f6). 
In vulnerable versions of ws, the issue can be mitigated in the following ways: 1. Reduce the maximum allowed length of the request headers using the --max-http-header-size=size and/or the maxHeaderSize options so that no more headers than the server.maxHeadersCount limit can be sent. 2. Set server.maxHeadersCount to 0 so that no limit is applied.", "Severity": "HIGH", "CweIDs": [ "CWE-476" ], + "VendorSeverity": { + "cbl-mariner": 3, + "ghsa": 3, + "redhat": 2 + }, "CVSS": { - "nvd": { - "V2Vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P", + "ghsa": { "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", - "V2Score": 5, "V3Score": 7.5 }, "redhat": { - "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", - "V3Score": 7.5 + "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 5.9 } }, "References": [ - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-29652", - "https://go-review.googlesource.com/c/crypto/+/278852", - "https://groups.google.com/g/golang-announce/c/ouZIlBimOsE?pli=1", - "https://lists.apache.org/thread.html/r68032132c0399c29d6cdc7bd44918535da54060a10a12b1591328bff@%3Cnotifications.skywalking.apache.org%3E", - "https://nvd.nist.gov/vuln/detail/CVE-2020-29652" + "https://access.redhat.com/security/cve/CVE-2024-37890", + "https://github.com/websockets/ws", + "https://github.com/websockets/ws/commit/22c28763234aa75a7e1b76f5c01c181260d7917f", + "https://github.com/websockets/ws/commit/4abd8f6de4b0b65ef80b3ff081989479ed93377e", + "https://github.com/websockets/ws/commit/e55e5106f10fcbaac37cfa89759e4cc0d073a52c", + "https://github.com/websockets/ws/commit/eeb76d313e2a00dd5247ca3597bba7877d064a63", + "https://github.com/websockets/ws/issues/2230", + "https://github.com/websockets/ws/pull/2231", + "https://github.com/websockets/ws/security/advisories/GHSA-3h5v-q93c-6h6q", + "https://nodejs.org/api/http.html#servermaxheaderscount", + "https://nvd.nist.gov/vuln/detail/CVE-2024-37890", + 
"https://www.cve.org/CVERecord?id=CVE-2024-37890" ], - "PublishedDate": "2020-12-17T05:15:00Z", - "LastModifiedDate": "2021-10-18T06:15:00Z" + "PublishedDate": "2024-06-17T20:15:13.203Z", + "LastModifiedDate": "2024-06-20T12:44:22.977Z" } ] }, { - "Target": "parser-sdk/nodejs/package-lock.json", - "Class": "lang-pkgs", - "Type": "npm" - }, - { - "Target": "scanners/git-repo-scanner/scanner/requirements.txt", - "Class": "lang-pkgs", - "Type": "pip" - }, - { - "Target": "scanners/gitleaks/parser/package-lock.json", - "Class": "lang-pkgs", - "Type": "npm" - }, - { - "Target": "scanners/ncrack/parser/package-lock.json", - "Class": "lang-pkgs", - "Type": "npm" - }, - { - "Target": "scanners/nmap/parser/package-lock.json", - "Class": "lang-pkgs", - "Type": "npm" - }, - { - "Target": "scanners/package-lock.json", - "Class": "lang-pkgs", - "Type": "npm" - }, - { - "Target": "scanners/semgrep/parser/package-lock.json", - "Class": "lang-pkgs", - "Type": "npm" - }, - { - "Target": "scanners/sslyze/parser/package-lock.json", + "Target": "hooks/cascading-scans/hook/package-lock.json", + "Class": "lang-pkgs", + "Type": "npm", + "Vulnerabilities": [ + { + "VulnerabilityID": "CVE-2024-21534", + "PkgID": "jsonpath-plus@7.2.0", + "PkgName": "jsonpath-plus", + "PkgIdentifier": { + "PURL": "pkg:npm/jsonpath-plus@7.2.0", + "UID": "8cbb0f12d48703a" + }, + "InstalledVersion": "7.2.0", + "FixedVersion": "10.0.0", + "Status": "fixed", + "Layer": {}, + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2024-21534", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Title": "jsonpath-plus: Remote Code Execution in jsonpath-plus via Improper Input Sanitization", + "Description": "Versions of the package jsonpath-plus before 10.0.7 are vulnerable to Remote Code Execution (RCE) due to improper input sanitization. 
An attacker can execute aribitrary code on the system by exploiting the unsafe default usage of vm in Node.\r\r**Note:**\r\rThere was an attempt to fix it in version [10.0.0](https://github.com/JSONPath-Plus/JSONPath/commit/6b2f1b4c234292c75912b790bf7e2d7339d4ccd3) but it could still be exploited using [different payloads](https://github.com/JSONPath-Plus/JSONPath/issues/226).", + "Severity": "CRITICAL", + "CweIDs": [ + "CWE-94" + ], + "VendorSeverity": { + "ghsa": 4, + "redhat": 4 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "V3Score": 9.8 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "V3Score": 9.8 + } + }, + "References": [ + "https://access.redhat.com/security/cve/CVE-2024-21534", + "https://github.com/JSONPath-Plus/JSONPath", + "https://github.com/JSONPath-Plus/JSONPath/commit/6b2f1b4c234292c75912b790bf7e2d7339d4ccd3", + "https://github.com/JSONPath-Plus/JSONPath/commit/b70aa713553caf838a63bac923195a5bc541fd72", + "https://github.com/JSONPath-Plus/JSONPath/issues/226", + "https://nvd.nist.gov/vuln/detail/CVE-2024-21534", + "https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-8185019", + "https://security.snyk.io/vuln/SNYK-JS-JSONPATHPLUS-7945884", + "https://www.cve.org/CVERecord?id=CVE-2024-21534" + ], + "PublishedDate": "2024-10-11T13:15:15.667Z", + "LastModifiedDate": "2024-10-20T12:15:02.757Z" + }, + { + "VulnerabilityID": "CVE-2023-28155", + "PkgID": "request@2.88.2", + "PkgName": "request", + "PkgIdentifier": { + "PURL": "pkg:npm/request@2.88.2", + "UID": "6c6989f7207454f3" + }, + "InstalledVersion": "2.88.2", + "Status": "affected", + "Layer": {}, + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2023-28155", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Title": "The Request package through 2.88.1 for Node.js allows a bypass 
of SSRF ...", + "Description": "The Request package through 2.88.1 for Node.js allows a bypass of SSRF mitigations via an attacker-controller server that does a cross-protocol redirect (HTTP to HTTPS, or HTTPS to HTTP). NOTE: This vulnerability only affects products that are no longer supported by the maintainer.", + "Severity": "MEDIUM", + "CweIDs": [ + "CWE-918" + ], + "VendorSeverity": { + "cbl-mariner": 2, + "ghsa": 2, + "nvd": 2 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", + "V3Score": 6.1 + }, + "nvd": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", + "V3Score": 6.1 + } + }, + "References": [ + "https://doyensec.com/resources/Doyensec_Advisory_RequestSSRF_Q12023.pdf", + "https://github.com/cypress-io/request/blob/master/lib/redirect.js#L116", + "https://github.com/cypress-io/request/commit/c5bcf21d40fb61feaff21a0e5a2b3934a440024f", + "https://github.com/cypress-io/request/pull/28", + "https://github.com/cypress-io/request/releases/tag/v3.0.0", + "https://github.com/github/advisory-database/pull/2500", + "https://github.com/request/request", + "https://github.com/request/request/blob/master/lib/redirect.js#L111", + "https://github.com/request/request/issues/3442", + "https://github.com/request/request/pull/3444", + "https://nvd.nist.gov/vuln/detail/CVE-2023-28155", + "https://security.netapp.com/advisory/ntap-20230413-0007", + "https://security.netapp.com/advisory/ntap-20230413-0007/" + ], + "PublishedDate": "2023-03-16T15:15:11.107Z", + "LastModifiedDate": "2024-08-02T13:15:37.183Z" + }, + { + "VulnerabilityID": "CVE-2023-26136", + "PkgID": "tough-cookie@2.5.0", + "PkgName": "tough-cookie", + "PkgIdentifier": { + "PURL": "pkg:npm/tough-cookie@2.5.0", + "UID": "22ac4fba0750dd45" + }, + "InstalledVersion": "2.5.0", + "FixedVersion": "4.1.3", + "Status": "fixed", + "Layer": {}, + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2023-26136", + "DataSource": { + "ID": "ghsa", + 
"Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Title": "tough-cookie: prototype pollution in cookie memstore", + "Description": "Versions of the package tough-cookie before 4.1.3 are vulnerable to Prototype Pollution due to improper handling of Cookies when using CookieJar in rejectPublicSuffixes=false mode. This issue arises from the manner in which the objects are initialized.", + "Severity": "MEDIUM", + "CweIDs": [ + "CWE-1321" + ], + "VendorSeverity": { + "ghsa": 2, + "nvd": 4, + "redhat": 2 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", + "V3Score": 6.5 + }, + "nvd": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "V3Score": 9.8 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", + "V3Score": 6.5 + } + }, + "References": [ + "https://access.redhat.com/security/cve/CVE-2023-26136", + "https://github.com/salesforce/tough-cookie", + "https://github.com/salesforce/tough-cookie/commit/12d474791bb856004e858fdb1c47b7608d09cf6e", + "https://github.com/salesforce/tough-cookie/issues/282", + "https://github.com/salesforce/tough-cookie/releases/tag/v4.1.3", + "https://lists.debian.org/debian-lts-announce/2023/07/msg00010.html", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3HUE6ZR5SL73KHL7XUPAOEL6SB7HUDT2", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3HUE6ZR5SL73KHL7XUPAOEL6SB7HUDT2/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6PVVPNSAGSDS63HQ74PJ7MZ3MU5IYNVZ", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6PVVPNSAGSDS63HQ74PJ7MZ3MU5IYNVZ/", + "https://nvd.nist.gov/vuln/detail/CVE-2023-26136", + "https://security.netapp.com/advisory/ntap-20240621-0006", + 
"https://security.netapp.com/advisory/ntap-20240621-0006/", + "https://security.snyk.io/vuln/SNYK-JS-TOUGHCOOKIE-5672873", + "https://www.cve.org/CVERecord?id=CVE-2023-26136" + ], + "PublishedDate": "2023-07-01T05:15:16.103Z", + "LastModifiedDate": "2024-06-21T19:15:26.163Z" + } + ] + }, + { + "Target": "hooks/finding-post-processing/hook/package-lock.json", + "Class": "lang-pkgs", + "Type": "npm" + }, + { + "Target": "hooks/generic-webhook/hook/package-lock.json", + "Class": "lang-pkgs", + "Type": "npm", + "Vulnerabilities": [ + { + "VulnerabilityID": "CVE-2024-39338", + "PkgID": "axios@1.6.0", + "PkgName": "axios", + "PkgIdentifier": { + "PURL": "pkg:npm/axios@1.6.0", + "UID": "5a862eefb3de832e" + }, + "InstalledVersion": "1.6.0", + "FixedVersion": "1.7.4", + "Status": "fixed", + "Layer": {}, + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2024-39338", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Title": "axios: axios: Server-Side Request Forgery", + "Description": "axios 1.7.2 allows SSRF via unexpected behavior where requests for path relative URLs get processed as protocol relative URLs.", + "Severity": "HIGH", + "CweIDs": [ + "CWE-918" + ], + "VendorSeverity": { + "ghsa": 3, + "nvd": 3, + "redhat": 3 + }, + "CVSS": { + "nvd": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", + "V3Score": 7.5 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", + "V3Score": 7.5 + } + }, + "References": [ + "https://access.redhat.com/security/cve/CVE-2024-39338", + "https://github.com/axios/axios", + "https://github.com/axios/axios/commit/6b6b605eaf73852fb2dae033f1e786155959de3a", + "https://github.com/axios/axios/issues/6463", + "https://github.com/axios/axios/pull/6539", + "https://github.com/axios/axios/pull/6543", + "https://github.com/axios/axios/releases", + 
"https://github.com/axios/axios/releases/tag/v1.7.4", + "https://jeffhacks.com/advisories/2024/06/24/CVE-2024-39338.html", + "https://nvd.nist.gov/vuln/detail/CVE-2024-39338", + "https://www.cve.org/CVERecord?id=CVE-2024-39338" + ], + "PublishedDate": "2024-08-12T13:38:24.487Z", + "LastModifiedDate": "2024-08-23T18:35:36.313Z" + } + ] + }, + { + "Target": "hooks/notification/hook/package-lock.json", + "Class": "lang-pkgs", + "Type": "npm", + "Vulnerabilities": [ + { + "VulnerabilityID": "CVE-2024-39338", + "PkgID": "axios@1.6.0", + "PkgName": "axios", + "PkgIdentifier": { + "PURL": "pkg:npm/axios@1.6.0", + "UID": "cc631ada2c929230" + }, + "InstalledVersion": "1.6.0", + "FixedVersion": "1.7.4", + "Status": "fixed", + "Layer": {}, + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2024-39338", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Title": "axios: axios: Server-Side Request Forgery", + "Description": "axios 1.7.2 allows SSRF via unexpected behavior where requests for path relative URLs get processed as protocol relative URLs.", + "Severity": "HIGH", + "CweIDs": [ + "CWE-918" + ], + "VendorSeverity": { + "ghsa": 3, + "nvd": 3, + "redhat": 3 + }, + "CVSS": { + "nvd": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", + "V3Score": 7.5 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", + "V3Score": 7.5 + } + }, + "References": [ + "https://access.redhat.com/security/cve/CVE-2024-39338", + "https://github.com/axios/axios", + "https://github.com/axios/axios/commit/6b6b605eaf73852fb2dae033f1e786155959de3a", + "https://github.com/axios/axios/issues/6463", + "https://github.com/axios/axios/pull/6539", + "https://github.com/axios/axios/pull/6543", + "https://github.com/axios/axios/releases", + "https://github.com/axios/axios/releases/tag/v1.7.4", + 
"https://jeffhacks.com/advisories/2024/06/24/CVE-2024-39338.html", + "https://nvd.nist.gov/vuln/detail/CVE-2024-39338", + "https://www.cve.org/CVERecord?id=CVE-2024-39338" + ], + "PublishedDate": "2024-08-12T13:38:24.487Z", + "LastModifiedDate": "2024-08-23T18:35:36.313Z" + }, + { + "VulnerabilityID": "CVE-2024-21534", + "PkgID": "jsonpath-plus@7.2.0", + "PkgName": "jsonpath-plus", + "PkgIdentifier": { + "PURL": "pkg:npm/jsonpath-plus@7.2.0", + "UID": "61f1a6af2c23a45b" + }, + "InstalledVersion": "7.2.0", + "FixedVersion": "10.0.0", + "Status": "fixed", + "Layer": {}, + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2024-21534", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Title": "jsonpath-plus: Remote Code Execution in jsonpath-plus via Improper Input Sanitization", + "Description": "Versions of the package jsonpath-plus before 10.0.7 are vulnerable to Remote Code Execution (RCE) due to improper input sanitization. 
An attacker can execute aribitrary code on the system by exploiting the unsafe default usage of vm in Node.\r\r**Note:**\r\rThere was an attempt to fix it in version [10.0.0](https://github.com/JSONPath-Plus/JSONPath/commit/6b2f1b4c234292c75912b790bf7e2d7339d4ccd3) but it could still be exploited using [different payloads](https://github.com/JSONPath-Plus/JSONPath/issues/226).", + "Severity": "CRITICAL", + "CweIDs": [ + "CWE-94" + ], + "VendorSeverity": { + "ghsa": 4, + "redhat": 4 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "V3Score": 9.8 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "V3Score": 9.8 + } + }, + "References": [ + "https://access.redhat.com/security/cve/CVE-2024-21534", + "https://github.com/JSONPath-Plus/JSONPath", + "https://github.com/JSONPath-Plus/JSONPath/commit/6b2f1b4c234292c75912b790bf7e2d7339d4ccd3", + "https://github.com/JSONPath-Plus/JSONPath/commit/b70aa713553caf838a63bac923195a5bc541fd72", + "https://github.com/JSONPath-Plus/JSONPath/issues/226", + "https://nvd.nist.gov/vuln/detail/CVE-2024-21534", + "https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-8185019", + "https://security.snyk.io/vuln/SNYK-JS-JSONPATHPLUS-7945884", + "https://www.cve.org/CVERecord?id=CVE-2024-21534" + ], + "PublishedDate": "2024-10-11T13:15:15.667Z", + "LastModifiedDate": "2024-10-20T12:15:02.757Z" + }, + { + "VulnerabilityID": "CVE-2023-28155", + "PkgID": "request@2.88.2", + "PkgName": "request", + "PkgIdentifier": { + "PURL": "pkg:npm/request@2.88.2", + "UID": "904b4b564397768e" + }, + "InstalledVersion": "2.88.2", + "Status": "affected", + "Layer": {}, + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2023-28155", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Title": "The Request package through 2.88.1 for Node.js allows a bypass 
of SSRF ...", + "Description": "The Request package through 2.88.1 for Node.js allows a bypass of SSRF mitigations via an attacker-controller server that does a cross-protocol redirect (HTTP to HTTPS, or HTTPS to HTTP). NOTE: This vulnerability only affects products that are no longer supported by the maintainer.", + "Severity": "MEDIUM", + "CweIDs": [ + "CWE-918" + ], + "VendorSeverity": { + "cbl-mariner": 2, + "ghsa": 2, + "nvd": 2 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", + "V3Score": 6.1 + }, + "nvd": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", + "V3Score": 6.1 + } + }, + "References": [ + "https://doyensec.com/resources/Doyensec_Advisory_RequestSSRF_Q12023.pdf", + "https://github.com/cypress-io/request/blob/master/lib/redirect.js#L116", + "https://github.com/cypress-io/request/commit/c5bcf21d40fb61feaff21a0e5a2b3934a440024f", + "https://github.com/cypress-io/request/pull/28", + "https://github.com/cypress-io/request/releases/tag/v3.0.0", + "https://github.com/github/advisory-database/pull/2500", + "https://github.com/request/request", + "https://github.com/request/request/blob/master/lib/redirect.js#L111", + "https://github.com/request/request/issues/3442", + "https://github.com/request/request/pull/3444", + "https://nvd.nist.gov/vuln/detail/CVE-2023-28155", + "https://security.netapp.com/advisory/ntap-20230413-0007", + "https://security.netapp.com/advisory/ntap-20230413-0007/" + ], + "PublishedDate": "2023-03-16T15:15:11.107Z", + "LastModifiedDate": "2024-08-02T13:15:37.183Z" + }, + { + "VulnerabilityID": "CVE-2023-26136", + "PkgID": "tough-cookie@2.5.0", + "PkgName": "tough-cookie", + "PkgIdentifier": { + "PURL": "pkg:npm/tough-cookie@2.5.0", + "UID": "9e1992906bb70548" + }, + "InstalledVersion": "2.5.0", + "FixedVersion": "4.1.3", + "Status": "fixed", + "Layer": {}, + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2023-26136", + "DataSource": { + "ID": "ghsa", + 
"Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Title": "tough-cookie: prototype pollution in cookie memstore", + "Description": "Versions of the package tough-cookie before 4.1.3 are vulnerable to Prototype Pollution due to improper handling of Cookies when using CookieJar in rejectPublicSuffixes=false mode. This issue arises from the manner in which the objects are initialized.", + "Severity": "MEDIUM", + "CweIDs": [ + "CWE-1321" + ], + "VendorSeverity": { + "ghsa": 2, + "nvd": 4, + "redhat": 2 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", + "V3Score": 6.5 + }, + "nvd": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "V3Score": 9.8 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", + "V3Score": 6.5 + } + }, + "References": [ + "https://access.redhat.com/security/cve/CVE-2023-26136", + "https://github.com/salesforce/tough-cookie", + "https://github.com/salesforce/tough-cookie/commit/12d474791bb856004e858fdb1c47b7608d09cf6e", + "https://github.com/salesforce/tough-cookie/issues/282", + "https://github.com/salesforce/tough-cookie/releases/tag/v4.1.3", + "https://lists.debian.org/debian-lts-announce/2023/07/msg00010.html", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3HUE6ZR5SL73KHL7XUPAOEL6SB7HUDT2", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3HUE6ZR5SL73KHL7XUPAOEL6SB7HUDT2/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6PVVPNSAGSDS63HQ74PJ7MZ3MU5IYNVZ", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6PVVPNSAGSDS63HQ74PJ7MZ3MU5IYNVZ/", + "https://nvd.nist.gov/vuln/detail/CVE-2023-26136", + "https://security.netapp.com/advisory/ntap-20240621-0006", + 
"https://security.netapp.com/advisory/ntap-20240621-0006/", + "https://security.snyk.io/vuln/SNYK-JS-TOUGHCOOKIE-5672873", + "https://www.cve.org/CVERecord?id=CVE-2023-26136" + ], + "PublishedDate": "2023-07-01T05:15:16.103Z", + "LastModifiedDate": "2024-06-21T19:15:26.163Z" + }, + { + "VulnerabilityID": "CVE-2024-37890", + "PkgID": "ws@8.12.0", + "PkgName": "ws", + "PkgIdentifier": { + "PURL": "pkg:npm/ws@8.12.0", + "UID": "22b7b41fca316da" + }, + "InstalledVersion": "8.12.0", + "FixedVersion": "5.2.4, 6.2.3, 7.5.10, 8.17.1", + "Status": "fixed", + "Layer": {}, + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2024-37890", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Title": "nodejs-ws: denial of service when handling a request with many HTTP headers", + "Description": "ws is an open source WebSocket client and server for Node.js. A request with a number of headers exceeding theserver.maxHeadersCount threshold could be used to crash a ws server. The vulnerability was fixed in ws@8.17.1 (e55e510) and backported to ws@7.5.10 (22c2876), ws@6.2.3 (eeb76d3), and ws@5.2.4 (4abd8f6). In vulnerable versions of ws, the issue can be mitigated in the following ways: 1. Reduce the maximum allowed length of the request headers using the --max-http-header-size=size and/or the maxHeaderSize options so that no more headers than the server.maxHeadersCount limit can be sent. 2. 
Set server.maxHeadersCount to 0 so that no limit is applied.", + "Severity": "HIGH", + "CweIDs": [ + "CWE-476" + ], + "VendorSeverity": { + "cbl-mariner": 3, + "ghsa": 3, + "redhat": 2 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 7.5 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 5.9 + } + }, + "References": [ + "https://access.redhat.com/security/cve/CVE-2024-37890", + "https://github.com/websockets/ws", + "https://github.com/websockets/ws/commit/22c28763234aa75a7e1b76f5c01c181260d7917f", + "https://github.com/websockets/ws/commit/4abd8f6de4b0b65ef80b3ff081989479ed93377e", + "https://github.com/websockets/ws/commit/e55e5106f10fcbaac37cfa89759e4cc0d073a52c", + "https://github.com/websockets/ws/commit/eeb76d313e2a00dd5247ca3597bba7877d064a63", + "https://github.com/websockets/ws/issues/2230", + "https://github.com/websockets/ws/pull/2231", + "https://github.com/websockets/ws/security/advisories/GHSA-3h5v-q93c-6h6q", + "https://nodejs.org/api/http.html#servermaxheaderscount", + "https://nvd.nist.gov/vuln/detail/CVE-2024-37890", + "https://www.cve.org/CVERecord?id=CVE-2024-37890" + ], + "PublishedDate": "2024-06-17T20:15:13.203Z", + "LastModifiedDate": "2024-06-20T12:44:22.977Z" + } + ] + }, + { + "Target": "hooks/package-lock.json", + "Class": "lang-pkgs", + "Type": "npm", + "Vulnerabilities": [ + { + "VulnerabilityID": "CVE-2024-21534", + "PkgID": "jsonpath-plus@7.2.0", + "PkgName": "jsonpath-plus", + "PkgIdentifier": { + "PURL": "pkg:npm/jsonpath-plus@7.2.0", + "UID": "2493a063c3978fce" + }, + "InstalledVersion": "7.2.0", + "FixedVersion": "10.0.0", + "Status": "fixed", + "Layer": {}, + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2024-21534", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Title": "jsonpath-plus: 
Remote Code Execution in jsonpath-plus via Improper Input Sanitization", + "Description": "Versions of the package jsonpath-plus before 10.0.7 are vulnerable to Remote Code Execution (RCE) due to improper input sanitization. An attacker can execute aribitrary code on the system by exploiting the unsafe default usage of vm in Node.\r\r**Note:**\r\rThere was an attempt to fix it in version [10.0.0](https://github.com/JSONPath-Plus/JSONPath/commit/6b2f1b4c234292c75912b790bf7e2d7339d4ccd3) but it could still be exploited using [different payloads](https://github.com/JSONPath-Plus/JSONPath/issues/226).", + "Severity": "CRITICAL", + "CweIDs": [ + "CWE-94" + ], + "VendorSeverity": { + "ghsa": 4, + "redhat": 4 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "V3Score": 9.8 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "V3Score": 9.8 + } + }, + "References": [ + "https://access.redhat.com/security/cve/CVE-2024-21534", + "https://github.com/JSONPath-Plus/JSONPath", + "https://github.com/JSONPath-Plus/JSONPath/commit/6b2f1b4c234292c75912b790bf7e2d7339d4ccd3", + "https://github.com/JSONPath-Plus/JSONPath/commit/b70aa713553caf838a63bac923195a5bc541fd72", + "https://github.com/JSONPath-Plus/JSONPath/issues/226", + "https://nvd.nist.gov/vuln/detail/CVE-2024-21534", + "https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-8185019", + "https://security.snyk.io/vuln/SNYK-JS-JSONPATHPLUS-7945884", + "https://www.cve.org/CVERecord?id=CVE-2024-21534" + ], + "PublishedDate": "2024-10-11T13:15:15.667Z", + "LastModifiedDate": "2024-10-20T12:15:02.757Z" + }, + { + "VulnerabilityID": "CVE-2023-28155", + "PkgID": "request@2.88.2", + "PkgName": "request", + "PkgIdentifier": { + "PURL": "pkg:npm/request@2.88.2", + "UID": "84dede0f5c381dcf" + }, + "InstalledVersion": "2.88.2", + "Status": "affected", + "Layer": {}, + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2023-28155", + 
"DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Title": "The Request package through 2.88.1 for Node.js allows a bypass of SSRF ...", + "Description": "The Request package through 2.88.1 for Node.js allows a bypass of SSRF mitigations via an attacker-controller server that does a cross-protocol redirect (HTTP to HTTPS, or HTTPS to HTTP). NOTE: This vulnerability only affects products that are no longer supported by the maintainer.", + "Severity": "MEDIUM", + "CweIDs": [ + "CWE-918" + ], + "VendorSeverity": { + "cbl-mariner": 2, + "ghsa": 2, + "nvd": 2 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", + "V3Score": 6.1 + }, + "nvd": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", + "V3Score": 6.1 + } + }, + "References": [ + "https://doyensec.com/resources/Doyensec_Advisory_RequestSSRF_Q12023.pdf", + "https://github.com/cypress-io/request/blob/master/lib/redirect.js#L116", + "https://github.com/cypress-io/request/commit/c5bcf21d40fb61feaff21a0e5a2b3934a440024f", + "https://github.com/cypress-io/request/pull/28", + "https://github.com/cypress-io/request/releases/tag/v3.0.0", + "https://github.com/github/advisory-database/pull/2500", + "https://github.com/request/request", + "https://github.com/request/request/blob/master/lib/redirect.js#L111", + "https://github.com/request/request/issues/3442", + "https://github.com/request/request/pull/3444", + "https://nvd.nist.gov/vuln/detail/CVE-2023-28155", + "https://security.netapp.com/advisory/ntap-20230413-0007", + "https://security.netapp.com/advisory/ntap-20230413-0007/" + ], + "PublishedDate": "2023-03-16T15:15:11.107Z", + "LastModifiedDate": "2024-08-02T13:15:37.183Z" + }, + { + "VulnerabilityID": "CVE-2023-26136", + "PkgID": "tough-cookie@2.5.0", + "PkgName": "tough-cookie", + "PkgIdentifier": { + "PURL": "pkg:npm/tough-cookie@2.5.0", + "UID": 
"91a742ce803d4a14" + }, + "InstalledVersion": "2.5.0", + "FixedVersion": "4.1.3", + "Status": "fixed", + "Layer": {}, + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2023-26136", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Title": "tough-cookie: prototype pollution in cookie memstore", + "Description": "Versions of the package tough-cookie before 4.1.3 are vulnerable to Prototype Pollution due to improper handling of Cookies when using CookieJar in rejectPublicSuffixes=false mode. This issue arises from the manner in which the objects are initialized.", + "Severity": "MEDIUM", + "CweIDs": [ + "CWE-1321" + ], + "VendorSeverity": { + "ghsa": 2, + "nvd": 4, + "redhat": 2 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", + "V3Score": 6.5 + }, + "nvd": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "V3Score": 9.8 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", + "V3Score": 6.5 + } + }, + "References": [ + "https://access.redhat.com/security/cve/CVE-2023-26136", + "https://github.com/salesforce/tough-cookie", + "https://github.com/salesforce/tough-cookie/commit/12d474791bb856004e858fdb1c47b7608d09cf6e", + "https://github.com/salesforce/tough-cookie/issues/282", + "https://github.com/salesforce/tough-cookie/releases/tag/v4.1.3", + "https://lists.debian.org/debian-lts-announce/2023/07/msg00010.html", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3HUE6ZR5SL73KHL7XUPAOEL6SB7HUDT2", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3HUE6ZR5SL73KHL7XUPAOEL6SB7HUDT2/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6PVVPNSAGSDS63HQ74PJ7MZ3MU5IYNVZ", + 
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6PVVPNSAGSDS63HQ74PJ7MZ3MU5IYNVZ/", + "https://nvd.nist.gov/vuln/detail/CVE-2023-26136", + "https://security.netapp.com/advisory/ntap-20240621-0006", + "https://security.netapp.com/advisory/ntap-20240621-0006/", + "https://security.snyk.io/vuln/SNYK-JS-TOUGHCOOKIE-5672873", + "https://www.cve.org/CVERecord?id=CVE-2023-26136" + ], + "PublishedDate": "2023-07-01T05:15:16.103Z", + "LastModifiedDate": "2024-06-21T19:15:26.163Z" + } + ] + }, + { + "Target": "hooks/persistence-elastic/hook/package-lock.json", + "Class": "lang-pkgs", + "Type": "npm" + }, + { + "Target": "hooks/update-field-hook/hook/package-lock.json", + "Class": "lang-pkgs", + "Type": "npm", + "Vulnerabilities": [ + { + "VulnerabilityID": "CVE-2020-8203", + "PkgID": "lodash.set@4.3.2", + "PkgName": "lodash.set", + "PkgIdentifier": { + "PURL": "pkg:npm/lodash.set@4.3.2", + "UID": "63ea1a6aaf5d59c5" + }, + "InstalledVersion": "4.3.2", + "Status": "affected", + "Layer": {}, + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2020-8203", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Title": "nodejs-lodash: prototype pollution in zipObjectDeep function", + "Description": "Prototype pollution attack when using _.zipObjectDeep in lodash before 4.17.20.", + "Severity": "HIGH", + "CweIDs": [ + "CWE-1321", + "CWE-770" + ], + "VendorSeverity": { + "ghsa": 3, + "nvd": 3, + "redhat": 2 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H", + "V3Score": 7.4 + }, + "nvd": { + "V2Vector": "AV:N/AC:M/Au:N/C:N/I:P/A:P", + "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H", + "V2Score": 5.8, + "V3Score": 7.4 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H", + "V3Score": 7.4 + } + }, + "References": [ + 
"https://access.redhat.com/security/cve/CVE-2020-8203", + "https://github.com/github/advisory-database/pull/2884", + "https://github.com/lodash/lodash", + "https://github.com/lodash/lodash/commit/c84fe82760fb2d3e03a63379b297a1cc1a2fce12", + "https://github.com/lodash/lodash/issues/4744", + "https://github.com/lodash/lodash/issues/4874", + "https://github.com/lodash/lodash/wiki/Changelog#v41719", + "https://hackerone.com/reports/712065", + "https://hackerone.com/reports/864701", + "https://nvd.nist.gov/vuln/detail/CVE-2020-8203", + "https://security.netapp.com/advisory/ntap-20200724-0006", + "https://security.netapp.com/advisory/ntap-20200724-0006/", + "https://web.archive.org/web/20210914001339/https://github.com/lodash/lodash/issues/4744", + "https://www.cve.org/CVERecord?id=CVE-2020-8203", + "https://www.npmjs.com/advisories/1523", + "https://www.oracle.com//security-alerts/cpujul2021.html", + "https://www.oracle.com/security-alerts/cpuApr2021.html", + "https://www.oracle.com/security-alerts/cpuapr2022.html", + "https://www.oracle.com/security-alerts/cpujan2022.html", + "https://www.oracle.com/security-alerts/cpuoct2021.html" + ], + "PublishedDate": "2020-07-15T17:15:11.797Z", + "LastModifiedDate": "2024-01-21T02:37:13.193Z" + } + ] + }, + { + "Target": "lurker/go.mod", + "Class": "lang-pkgs", + "Type": "gomod", + "Vulnerabilities": [ + { + "VulnerabilityID": "CVE-2023-45288", + "PkgID": "golang.org/x/net@v0.17.0", + "PkgName": "golang.org/x/net", + "PkgIdentifier": { + "PURL": "pkg:golang/golang.org/x/net@0.17.0", + "UID": "ce8fa95a094c902d" + }, + "InstalledVersion": "0.17.0", + "FixedVersion": "0.23.0", + "Status": "fixed", + "Layer": {}, + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2023-45288", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory Go", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Ago" + }, + "Title": "golang: net/http, x/net/http2: unlimited number of CONTINUATION 
frames causes DoS", + "Description": "An attacker may cause an HTTP/2 endpoint to read arbitrary amounts of header data by sending an excessive number of CONTINUATION frames. Maintaining HPACK state requires parsing and processing all HEADERS and CONTINUATION frames on a connection. When a request's headers exceed MaxHeaderBytes, no memory is allocated to store the excess headers, but they are still parsed. This permits an attacker to cause an HTTP/2 endpoint to read arbitrary amounts of header data, all associated with a request which is going to be rejected. These headers can include Huffman-encoded data which is significantly more expensive for the receiver to decode than for an attacker to send. The fix sets a limit on the amount of excess header frames we will process before closing a connection.", + "Severity": "MEDIUM", + "VendorSeverity": { + "alma": 3, + "amazon": 2, + "azure": 3, + "bitnami": 3, + "cbl-mariner": 3, + "ghsa": 2, + "oracle-oval": 3, + "photon": 3, + "redhat": 3, + "rocky": 3, + "ubuntu": 2 + }, + "CVSS": { + "bitnami": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 7.5 + }, + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", + "V3Score": 5.3 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 7.5 + } + }, + "References": [ + "http://www.openwall.com/lists/oss-security/2024/04/03/16", + "http://www.openwall.com/lists/oss-security/2024/04/05/4", + "https://access.redhat.com/errata/RHSA-2024:2724", + "https://access.redhat.com/security/cve/CVE-2023-45288", + "https://bugzilla.redhat.com/2268017", + "https://bugzilla.redhat.com/2268018", + "https://bugzilla.redhat.com/2268019", + "https://bugzilla.redhat.com/2268273", + "https://bugzilla.redhat.com/show_bug.cgi?id=2268017", + "https://bugzilla.redhat.com/show_bug.cgi?id=2268018", + "https://bugzilla.redhat.com/show_bug.cgi?id=2268019", + "https://bugzilla.redhat.com/show_bug.cgi?id=2268273", + 
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-45288", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-45289", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-45290", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-24783", + "https://errata.almalinux.org/9/ALSA-2024-2724.html", + "https://errata.rockylinux.org/RLSA-2024:2724", + "https://go.dev/cl/576155", + "https://go.dev/issue/65051", + "https://groups.google.com/g/golang-announce/c/YgW0sx8mN3M", + "https://kb.cert.org/vuls/id/421644", + "https://linux.oracle.com/cve/CVE-2023-45288.html", + "https://linux.oracle.com/errata/ELSA-2024-3346.html", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QRYFHIQ6XRKRYBI2F5UESH67BJBQXUPT", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QRYFHIQ6XRKRYBI2F5UESH67BJBQXUPT/", + "https://nowotarski.info/http2-continuation-flood-technical-details", + "https://nowotarski.info/http2-continuation-flood/", + "https://nvd.nist.gov/vuln/detail/CVE-2023-45288", + "https://pkg.go.dev/vuln/GO-2024-2687", + "https://security.netapp.com/advisory/ntap-20240419-0009", + "https://security.netapp.com/advisory/ntap-20240419-0009/", + "https://ubuntu.com/security/notices/USN-6886-1", + "https://www.cve.org/CVERecord?id=CVE-2023-45288", + "https://www.kb.cert.org/vuls/id/421644" + ], + "PublishedDate": "2024-04-04T21:15:16.113Z", + "LastModifiedDate": "2024-08-26T21:35:02.457Z" + } + ] + }, + { + "Target": "operator/go.mod", + "Class": "lang-pkgs", + "Type": "gomod" + }, + { + "Target": "package-lock.json", + "Class": "lang-pkgs", + "Type": "npm", + "Vulnerabilities": [ + { + "VulnerabilityID": "CVE-2023-28155", + "PkgID": "request@2.88.2", + "PkgName": "request", + "PkgIdentifier": { + "PURL": "pkg:npm/request@2.88.2", + "UID": "106532a08919ef70" + }, + "InstalledVersion": "2.88.2", + "Status": "affected", + "Layer": {}, + "SeveritySource": "ghsa", + 
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2023-28155", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Title": "The Request package through 2.88.1 for Node.js allows a bypass of SSRF ...", + "Description": "The Request package through 2.88.1 for Node.js allows a bypass of SSRF mitigations via an attacker-controller server that does a cross-protocol redirect (HTTP to HTTPS, or HTTPS to HTTP). NOTE: This vulnerability only affects products that are no longer supported by the maintainer.", + "Severity": "MEDIUM", + "CweIDs": [ + "CWE-918" + ], + "VendorSeverity": { + "cbl-mariner": 2, + "ghsa": 2, + "nvd": 2 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", + "V3Score": 6.1 + }, + "nvd": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", + "V3Score": 6.1 + } + }, + "References": [ + "https://doyensec.com/resources/Doyensec_Advisory_RequestSSRF_Q12023.pdf", + "https://github.com/cypress-io/request/blob/master/lib/redirect.js#L116", + "https://github.com/cypress-io/request/commit/c5bcf21d40fb61feaff21a0e5a2b3934a440024f", + "https://github.com/cypress-io/request/pull/28", + "https://github.com/cypress-io/request/releases/tag/v3.0.0", + "https://github.com/github/advisory-database/pull/2500", + "https://github.com/request/request", + "https://github.com/request/request/blob/master/lib/redirect.js#L111", + "https://github.com/request/request/issues/3442", + "https://github.com/request/request/pull/3444", + "https://nvd.nist.gov/vuln/detail/CVE-2023-28155", + "https://security.netapp.com/advisory/ntap-20230413-0007", + "https://security.netapp.com/advisory/ntap-20230413-0007/" + ], + "PublishedDate": "2023-03-16T15:15:11.107Z", + "LastModifiedDate": "2024-08-02T13:15:37.183Z" + }, + { + "VulnerabilityID": "CVE-2023-26136", + "PkgID": "tough-cookie@2.5.0", + "PkgName": "tough-cookie", + "PkgIdentifier": 
{ + "PURL": "pkg:npm/tough-cookie@2.5.0", + "UID": "98b5ba94ff1352be" + }, + "InstalledVersion": "2.5.0", + "FixedVersion": "4.1.3", + "Status": "fixed", + "Layer": {}, + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2023-26136", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Title": "tough-cookie: prototype pollution in cookie memstore", + "Description": "Versions of the package tough-cookie before 4.1.3 are vulnerable to Prototype Pollution due to improper handling of Cookies when using CookieJar in rejectPublicSuffixes=false mode. This issue arises from the manner in which the objects are initialized.", + "Severity": "MEDIUM", + "CweIDs": [ + "CWE-1321" + ], + "VendorSeverity": { + "ghsa": 2, + "nvd": 4, + "redhat": 2 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", + "V3Score": 6.5 + }, + "nvd": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "V3Score": 9.8 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", + "V3Score": 6.5 + } + }, + "References": [ + "https://access.redhat.com/security/cve/CVE-2023-26136", + "https://github.com/salesforce/tough-cookie", + "https://github.com/salesforce/tough-cookie/commit/12d474791bb856004e858fdb1c47b7608d09cf6e", + "https://github.com/salesforce/tough-cookie/issues/282", + "https://github.com/salesforce/tough-cookie/releases/tag/v4.1.3", + "https://lists.debian.org/debian-lts-announce/2023/07/msg00010.html", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3HUE6ZR5SL73KHL7XUPAOEL6SB7HUDT2", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3HUE6ZR5SL73KHL7XUPAOEL6SB7HUDT2/", + 
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6PVVPNSAGSDS63HQ74PJ7MZ3MU5IYNVZ", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6PVVPNSAGSDS63HQ74PJ7MZ3MU5IYNVZ/", + "https://nvd.nist.gov/vuln/detail/CVE-2023-26136", + "https://security.netapp.com/advisory/ntap-20240621-0006", + "https://security.netapp.com/advisory/ntap-20240621-0006/", + "https://security.snyk.io/vuln/SNYK-JS-TOUGHCOOKIE-5672873", + "https://www.cve.org/CVERecord?id=CVE-2023-26136" + ], + "PublishedDate": "2023-07-01T05:15:16.103Z", + "LastModifiedDate": "2024-06-21T19:15:26.163Z" + } + ] + }, + { + "Target": "parser-sdk/nodejs/package-lock.json", + "Class": "lang-pkgs", + "Type": "npm", + "Vulnerabilities": [ + { + "VulnerabilityID": "CVE-2024-39338", + "PkgID": "axios@1.6.0", + "PkgName": "axios", + "PkgIdentifier": { + "PURL": "pkg:npm/axios@1.6.0", + "UID": "d62c1b8df85bd809" + }, + "InstalledVersion": "1.6.0", + "FixedVersion": "1.7.4", + "Status": "fixed", + "Layer": {}, + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2024-39338", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Title": "axios: axios: Server-Side Request Forgery", + "Description": "axios 1.7.2 allows SSRF via unexpected behavior where requests for path relative URLs get processed as protocol relative URLs.", + "Severity": "HIGH", + "CweIDs": [ + "CWE-918" + ], + "VendorSeverity": { + "ghsa": 3, + "nvd": 3, + "redhat": 3 + }, + "CVSS": { + "nvd": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", + "V3Score": 7.5 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", + "V3Score": 7.5 + } + }, + "References": [ + "https://access.redhat.com/security/cve/CVE-2024-39338", + "https://github.com/axios/axios", + 
"https://github.com/axios/axios/commit/6b6b605eaf73852fb2dae033f1e786155959de3a", + "https://github.com/axios/axios/issues/6463", + "https://github.com/axios/axios/pull/6539", + "https://github.com/axios/axios/pull/6543", + "https://github.com/axios/axios/releases", + "https://github.com/axios/axios/releases/tag/v1.7.4", + "https://jeffhacks.com/advisories/2024/06/24/CVE-2024-39338.html", + "https://nvd.nist.gov/vuln/detail/CVE-2024-39338", + "https://www.cve.org/CVERecord?id=CVE-2024-39338" + ], + "PublishedDate": "2024-08-12T13:38:24.487Z", + "LastModifiedDate": "2024-08-23T18:35:36.313Z" + }, + { + "VulnerabilityID": "CVE-2024-21534", + "PkgID": "jsonpath-plus@7.2.0", + "PkgName": "jsonpath-plus", + "PkgIdentifier": { + "PURL": "pkg:npm/jsonpath-plus@7.2.0", + "UID": "25acc5c2ef93a750" + }, + "InstalledVersion": "7.2.0", + "FixedVersion": "10.0.0", + "Status": "fixed", + "Layer": {}, + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2024-21534", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Title": "jsonpath-plus: Remote Code Execution in jsonpath-plus via Improper Input Sanitization", + "Description": "Versions of the package jsonpath-plus before 10.0.7 are vulnerable to Remote Code Execution (RCE) due to improper input sanitization. 
An attacker can execute aribitrary code on the system by exploiting the unsafe default usage of vm in Node.\r\r**Note:**\r\rThere was an attempt to fix it in version [10.0.0](https://github.com/JSONPath-Plus/JSONPath/commit/6b2f1b4c234292c75912b790bf7e2d7339d4ccd3) but it could still be exploited using [different payloads](https://github.com/JSONPath-Plus/JSONPath/issues/226).", + "Severity": "CRITICAL", + "CweIDs": [ + "CWE-94" + ], + "VendorSeverity": { + "ghsa": 4, + "redhat": 4 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "V3Score": 9.8 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "V3Score": 9.8 + } + }, + "References": [ + "https://access.redhat.com/security/cve/CVE-2024-21534", + "https://github.com/JSONPath-Plus/JSONPath", + "https://github.com/JSONPath-Plus/JSONPath/commit/6b2f1b4c234292c75912b790bf7e2d7339d4ccd3", + "https://github.com/JSONPath-Plus/JSONPath/commit/b70aa713553caf838a63bac923195a5bc541fd72", + "https://github.com/JSONPath-Plus/JSONPath/issues/226", + "https://nvd.nist.gov/vuln/detail/CVE-2024-21534", + "https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-8185019", + "https://security.snyk.io/vuln/SNYK-JS-JSONPATHPLUS-7945884", + "https://www.cve.org/CVERecord?id=CVE-2024-21534" + ], + "PublishedDate": "2024-10-11T13:15:15.667Z", + "LastModifiedDate": "2024-10-20T12:15:02.757Z" + }, + { + "VulnerabilityID": "CVE-2023-28155", + "PkgID": "request@2.88.2", + "PkgName": "request", + "PkgIdentifier": { + "PURL": "pkg:npm/request@2.88.2", + "UID": "7bbcabf6b71a294b" + }, + "InstalledVersion": "2.88.2", + "Status": "affected", + "Layer": {}, + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2023-28155", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Title": "The Request package through 2.88.1 for Node.js allows a bypass 
of SSRF ...", + "Description": "The Request package through 2.88.1 for Node.js allows a bypass of SSRF mitigations via an attacker-controller server that does a cross-protocol redirect (HTTP to HTTPS, or HTTPS to HTTP). NOTE: This vulnerability only affects products that are no longer supported by the maintainer.", + "Severity": "MEDIUM", + "CweIDs": [ + "CWE-918" + ], + "VendorSeverity": { + "cbl-mariner": 2, + "ghsa": 2, + "nvd": 2 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", + "V3Score": 6.1 + }, + "nvd": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", + "V3Score": 6.1 + } + }, + "References": [ + "https://doyensec.com/resources/Doyensec_Advisory_RequestSSRF_Q12023.pdf", + "https://github.com/cypress-io/request/blob/master/lib/redirect.js#L116", + "https://github.com/cypress-io/request/commit/c5bcf21d40fb61feaff21a0e5a2b3934a440024f", + "https://github.com/cypress-io/request/pull/28", + "https://github.com/cypress-io/request/releases/tag/v3.0.0", + "https://github.com/github/advisory-database/pull/2500", + "https://github.com/request/request", + "https://github.com/request/request/blob/master/lib/redirect.js#L111", + "https://github.com/request/request/issues/3442", + "https://github.com/request/request/pull/3444", + "https://nvd.nist.gov/vuln/detail/CVE-2023-28155", + "https://security.netapp.com/advisory/ntap-20230413-0007", + "https://security.netapp.com/advisory/ntap-20230413-0007/" + ], + "PublishedDate": "2023-03-16T15:15:11.107Z", + "LastModifiedDate": "2024-08-02T13:15:37.183Z" + }, + { + "VulnerabilityID": "CVE-2023-26136", + "PkgID": "tough-cookie@2.5.0", + "PkgName": "tough-cookie", + "PkgIdentifier": { + "PURL": "pkg:npm/tough-cookie@2.5.0", + "UID": "670fbdf8fd5ab3f5" + }, + "InstalledVersion": "2.5.0", + "FixedVersion": "4.1.3", + "Status": "fixed", + "Layer": {}, + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2023-26136", + "DataSource": { + "ID": "ghsa", + 
"Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Title": "tough-cookie: prototype pollution in cookie memstore", + "Description": "Versions of the package tough-cookie before 4.1.3 are vulnerable to Prototype Pollution due to improper handling of Cookies when using CookieJar in rejectPublicSuffixes=false mode. This issue arises from the manner in which the objects are initialized.", + "Severity": "MEDIUM", + "CweIDs": [ + "CWE-1321" + ], + "VendorSeverity": { + "ghsa": 2, + "nvd": 4, + "redhat": 2 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", + "V3Score": 6.5 + }, + "nvd": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "V3Score": 9.8 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", + "V3Score": 6.5 + } + }, + "References": [ + "https://access.redhat.com/security/cve/CVE-2023-26136", + "https://github.com/salesforce/tough-cookie", + "https://github.com/salesforce/tough-cookie/commit/12d474791bb856004e858fdb1c47b7608d09cf6e", + "https://github.com/salesforce/tough-cookie/issues/282", + "https://github.com/salesforce/tough-cookie/releases/tag/v4.1.3", + "https://lists.debian.org/debian-lts-announce/2023/07/msg00010.html", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3HUE6ZR5SL73KHL7XUPAOEL6SB7HUDT2", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3HUE6ZR5SL73KHL7XUPAOEL6SB7HUDT2/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6PVVPNSAGSDS63HQ74PJ7MZ3MU5IYNVZ", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6PVVPNSAGSDS63HQ74PJ7MZ3MU5IYNVZ/", + "https://nvd.nist.gov/vuln/detail/CVE-2023-26136", + "https://security.netapp.com/advisory/ntap-20240621-0006", + 
"https://security.netapp.com/advisory/ntap-20240621-0006/", + "https://security.snyk.io/vuln/SNYK-JS-TOUGHCOOKIE-5672873", + "https://www.cve.org/CVERecord?id=CVE-2023-26136" + ], + "PublishedDate": "2023-07-01T05:15:16.103Z", + "LastModifiedDate": "2024-06-21T19:15:26.163Z" + }, + { + "VulnerabilityID": "CVE-2024-37890", + "PkgID": "ws@8.13.0", + "PkgName": "ws", + "PkgIdentifier": { + "PURL": "pkg:npm/ws@8.13.0", + "UID": "d2f3e38884fe28e1" + }, + "InstalledVersion": "8.13.0", + "FixedVersion": "5.2.4, 6.2.3, 7.5.10, 8.17.1", + "Status": "fixed", + "Layer": {}, + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2024-37890", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Title": "nodejs-ws: denial of service when handling a request with many HTTP headers", + "Description": "ws is an open source WebSocket client and server for Node.js. A request with a number of headers exceeding theserver.maxHeadersCount threshold could be used to crash a ws server. The vulnerability was fixed in ws@8.17.1 (e55e510) and backported to ws@7.5.10 (22c2876), ws@6.2.3 (eeb76d3), and ws@5.2.4 (4abd8f6). In vulnerable versions of ws, the issue can be mitigated in the following ways: 1. Reduce the maximum allowed length of the request headers using the --max-http-header-size=size and/or the maxHeaderSize options so that no more headers than the server.maxHeadersCount limit can be sent. 2. 
Set server.maxHeadersCount to 0 so that no limit is applied.", + "Severity": "HIGH", + "CweIDs": [ + "CWE-476" + ], + "VendorSeverity": { + "cbl-mariner": 3, + "ghsa": 3, + "redhat": 2 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 7.5 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 5.9 + } + }, + "References": [ + "https://access.redhat.com/security/cve/CVE-2024-37890", + "https://github.com/websockets/ws", + "https://github.com/websockets/ws/commit/22c28763234aa75a7e1b76f5c01c181260d7917f", + "https://github.com/websockets/ws/commit/4abd8f6de4b0b65ef80b3ff081989479ed93377e", + "https://github.com/websockets/ws/commit/e55e5106f10fcbaac37cfa89759e4cc0d073a52c", + "https://github.com/websockets/ws/commit/eeb76d313e2a00dd5247ca3597bba7877d064a63", + "https://github.com/websockets/ws/issues/2230", + "https://github.com/websockets/ws/pull/2231", + "https://github.com/websockets/ws/security/advisories/GHSA-3h5v-q93c-6h6q", + "https://nodejs.org/api/http.html#servermaxheaderscount", + "https://nvd.nist.gov/vuln/detail/CVE-2024-37890", + "https://www.cve.org/CVERecord?id=CVE-2024-37890" + ], + "PublishedDate": "2024-06-17T20:15:13.203Z", + "LastModifiedDate": "2024-06-20T12:44:22.977Z" + } + ] + }, + { + "Target": "scanners/amass/parser/package-lock.json", + "Class": "lang-pkgs", + "Type": "npm", + "Vulnerabilities": [ + { + "VulnerabilityID": "CVE-2024-29415", + "PkgID": "ip@2.0.1", + "PkgName": "ip", + "PkgIdentifier": { + "PURL": "pkg:npm/ip@2.0.1", + "UID": "f05a4e12c8d5eeec" + }, + "InstalledVersion": "2.0.1", + "Status": "affected", + "Layer": {}, + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2024-29415", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Title": "node-ip: Incomplete fix for CVE-2023-42282", + "Description": 
"The ip package through 2.0.1 for Node.js might allow SSRF because some IP addresses (such as 127.1, 01200034567, 012.1.2.3, 000:0:0000::01, and ::fFFf:127.0.0.1) are improperly categorized as globally routable via isPublic. NOTE: this issue exists because of an incomplete fix for CVE-2023-42282.", + "Severity": "HIGH", + "CweIDs": [ + "CWE-918", + "CWE-941" + ], + "VendorSeverity": { + "ghsa": 3, + "redhat": 3 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "V3Score": 8.1 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "V3Score": 9.8 + } + }, + "References": [ + "https://access.redhat.com/security/cve/CVE-2024-29415", + "https://cosmosofcyberspace.github.io/npm_ip_cve/npm_ip_cve.html", + "https://github.com/indutny/node-ip", + "https://github.com/indutny/node-ip/issues/150", + "https://github.com/indutny/node-ip/pull/143", + "https://github.com/indutny/node-ip/pull/144", + "https://nvd.nist.gov/vuln/detail/CVE-2024-29415", + "https://www.cve.org/CVERecord?id=CVE-2024-29415" + ], + "PublishedDate": "2024-05-27T20:15:08.97Z", + "LastModifiedDate": "2024-08-16T14:35:01.26Z" + } + ] + }, + { + "Target": "scanners/git-repo-scanner/scanner/requirements.txt", + "Class": "lang-pkgs", + "Type": "pip" + }, + { + "Target": "scanners/ncrack/parser/package-lock.json", + "Class": "lang-pkgs", + "Type": "npm" + }, + { + "Target": "scanners/nmap/parser/package-lock.json", + "Class": "lang-pkgs", + "Type": "npm" + }, + { + "Target": "scanners/sslyze/parser/package-lock.json", "Class": "lang-pkgs", "Type": "npm" }, 
@@ -664,10 +2493,183 @@ "Class": "lang-pkgs", "Type": "pip" }, + { + "Target": "scanners/zap-automation-framework/parser/package-lock.json", + "Class": "lang-pkgs", + "Type": "npm" + }, { "Target": "scanners/zap/parser/package-lock.json", "Class": "lang-pkgs", "Type": "npm" + }, + { + "Target": "scbctl/go.mod", + "Class": "lang-pkgs", + "Type": "gomod" + }, + { + "Target": "tests/integration/package-lock.json", + "Class": "lang-pkgs", + "Type": "npm", + "Vulnerabilities": [ + { + "VulnerabilityID": "CVE-2024-4068", + "PkgID": "braces@3.0.2", + "PkgName": "braces", + "PkgIdentifier": { + "PURL": "pkg:npm/braces@3.0.2", + "UID": "e8271e58ed0af80e" + }, + "InstalledVersion": "3.0.2", + "FixedVersion": "3.0.3", + "Status": "fixed", + "Layer": {}, + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2024-4068", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Title": "braces: fails to limit the number of characters it can handle", + "Description": "The NPM package `braces`, versions prior to 3.0.3, fails to limit the number of characters it can handle, which could lead to Memory Exhaustion. In `lib/parse.js,` if a malicious user sends \"imbalanced braces\" as input, the parsing will enter a loop, which will cause the program to start allocating heap memory without freeing it at any moment of the loop. 
Eventually, the JavaScript heap limit is reached, and the program will crash.", + "Severity": "HIGH", + "CweIDs": [ + "CWE-1050", + "CWE-400" + ], + "VendorSeverity": { + "cbl-mariner": 3, + "ghsa": 3, + "redhat": 2 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 7.5 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 7.5 + } + }, + "References": [ + "https://access.redhat.com/security/cve/CVE-2024-4068", + "https://devhub.checkmarx.com/cve-details/CVE-2024-4068", + "https://devhub.checkmarx.com/cve-details/CVE-2024-4068/", + "https://github.com/micromatch/braces", + "https://github.com/micromatch/braces/blob/98414f9f1fabe021736e26836d8306d5de747e0d/lib/parse.js#L308", + "https://github.com/micromatch/braces/commit/415d660c3002d1ab7e63dbf490c9851da80596ff", + "https://github.com/micromatch/braces/issues/35", + "https://github.com/micromatch/braces/pull/37", + "https://github.com/micromatch/braces/pull/40", + "https://nvd.nist.gov/vuln/detail/CVE-2024-4068", + "https://www.cve.org/CVERecord?id=CVE-2024-4068" + ], + "PublishedDate": "2024-05-14T15:42:48.66Z", + "LastModifiedDate": "2024-07-03T02:07:03.943Z" + }, + { + "VulnerabilityID": "CVE-2024-4067", + "PkgID": "micromatch@4.0.5", + "PkgName": "micromatch", + "PkgIdentifier": { + "PURL": "pkg:npm/micromatch@4.0.5", + "UID": "b4ea741f58081b09" + }, + "InstalledVersion": "4.0.5", + "FixedVersion": "4.0.8", + "Status": "fixed", + "Layer": {}, + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2024-4067", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Title": "micromatch: vulnerable to Regular Expression Denial of Service", + "Description": "The NPM package `micromatch` prior to 4.0.8 is vulnerable to Regular Expression Denial of Service (ReDoS). 
The vulnerability occurs in `micromatch.braces()` in `index.js` because the pattern `.*` will greedily match anything. By passing a malicious payload, the pattern matching will keep backtracking to the input while it doesn't find the closing bracket. As the input size increases, the consumption time will also increase until it causes the application to hang or slow down. There was a merged fix but further testing shows the issue persists. This issue should be mitigated by using a safe pattern that won't start backtracking the regular expression due to greedy matching. This issue was fixed in version 4.0.8.", + "Severity": "MEDIUM", + "CweIDs": [ + "CWE-1333" + ], + "VendorSeverity": { + "cbl-mariner": 3, + "ghsa": 2, + "redhat": 2 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", + "V3Score": 5.3 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 7.5 + } + }, + "References": [ + "https://access.redhat.com/security/cve/CVE-2024-4067", + "https://advisory.checkmarx.net/advisory/CVE-2024-4067", + "https://advisory.checkmarx.net/advisory/CVE-2024-4067/", + "https://devhub.checkmarx.com/cve-details/CVE-2024-4067", + "https://devhub.checkmarx.com/cve-details/CVE-2024-4067/", + "https://github.com/micromatch/micromatch", + "https://github.com/micromatch/micromatch/blob/2c56a8604b68c1099e7bc0f807ce0865a339747a/index.js#L448", + "https://github.com/micromatch/micromatch/commit/03aa8052171e878897eee5d7bb2ae0ae83ec2ade", + "https://github.com/micromatch/micromatch/commit/500d5d6f42f0e8dfa1cb5464c6cb420b1b6aaaa0", + "https://github.com/micromatch/micromatch/issues/243", + "https://github.com/micromatch/micromatch/pull/247", + "https://github.com/micromatch/micromatch/pull/266", + "https://github.com/micromatch/micromatch/releases/tag/4.0.8", + "https://nvd.nist.gov/vuln/detail/CVE-2024-4067", + "https://www.cve.org/CVERecord?id=CVE-2024-4067" + ], + "PublishedDate": "2024-05-14T15:42:47.947Z", 
+ "LastModifiedDate": "2024-08-28T00:15:04.13Z" + } + ] + }, + { + "Target": "demo-targets/unsafe-https/container/site.key", + "Class": "secret", + "Secrets": [ + { + "RuleID": "private-key", + "Category": "AsymmetricPrivateKey", + "Severity": "HIGH", + "Title": "Asymmetric Private Key", + "StartLine": 1, + "EndLine": 1, + "Code": { + "Lines": [ + { + "Number": 1, + "Content": "-----BEGIN PRIVATE KEY-----********************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************
***************************************************************-----END PRIVATE KEY", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "-----BEGIN PRIVATE KEY-----***********************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************-----END PRIVATE KEY", + "FirstCause": true, + "LastCause": true + }, + { + "Number": 2, + "Content": "", + "IsCause": false, + "Annotation": "", + 
"Truncated": false, + "FirstCause": false, + "LastCause": false + } + ] + }, + "Match": "-----BEGIN PRIVATE KEY-----***********************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************-----END PRIVATE KEY", + "Layer": {} + } + ] } ] -} \ No newline at end of file +} 
diff --git a/scanners/trivy/parser/__testFiles__/trivy--k8s-scan-results.json b/scanners/trivy/parser/__testFiles__/trivy--k8s-scan-results.json index 418f2eeac6..3c602b4f9f 100644 --- a/scanners/trivy/parser/__testFiles__/trivy--k8s-scan-results.json +++ b/scanners/trivy/parser/__testFiles__/trivy--k8s-scan-results.json @@ -16,6 +16,7 @@ "Target": "Deployment/securecodebox-controller-manager", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 137, "Failures": 4, @@ -511,6 +512,7 @@ "Target": "coredns", "Class": "lang-pkgs", "Type": "gobinary", + "Packages": [], "Vulnerabilities": [ { "VulnerabilityID": "CVE-2020-8911", @@ -1371,6 +1373,7 @@ "Target": "Deployment/coredns", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 134, "Failures": 7, @@ -2223,6 +2226,7 @@ "Target": "docker.io/kindest/local-path-provisioner:v0.0.22-kind.0 (debian 11.6)", "Class": "os-pkgs", "Type": "debian", + "Packages": [], "Vulnerabilities": [ { "VulnerabilityID": "CVE-2010-4756", @@ -3159,6 +3163,7 @@ "Target": "usr/local/bin/local-path-provisioner", "Class": "lang-pkgs", "Type": "gobinary", + "Packages": [], "Vulnerabilities": [ { "VulnerabilityID": "CVE-2022-21698", @@ -4081,6 +4086,7 @@ "Target": "Deployment/local-path-provisioner", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 129, "Failures": 12, @@ -5527,7 +5533,8 @@ { "Target": "k8s.gcr.io/kube-scheduler:v1.24.0 (debian 11.3)", "Class": "os-pkgs", - "Type": "debian" + "Type": "debian", + "Packages": [] } ] }, @@ -5540,6 +5547,7 @@ "Target": "Pod/kube-scheduler-kind-control-plane", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 128, "Failures": 13, @@ -7105,7 +7113,8 @@ { "Target": "k8s.gcr.io/kube-apiserver:v1.24.0 (debian 11.3)", "Class": "os-pkgs", - "Type": "debian" + "Type": "debian", + "Packages": [] } ] }, 
@@ -7118,6 +7127,7 @@ "Target": "Pod/kube-apiserver-kind-control-plane", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 119, "Failures": 22, @@ -9754,7 +9764,8 @@ { "Target": "k8s.gcr.io/kube-controller-manager:v1.24.0 (debian 11.3)", "Class": "os-pkgs", - "Type": "debian" + "Type": "debian", + "Packages": [] } ] }, @@ -9767,6 +9778,7 @@ "Target": "Pod/kube-controller-manager-kind-control-plane", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 126, "Failures": 15, @@ -11571,6 +11583,7 @@ "Target": "docker.io/bitnami/minio:2022.9.1-debian-11-r0 (debian 11.4)", "Class": "os-pkgs", "Type": "debian", + "Packages": [], "Vulnerabilities": [ { "VulnerabilityID": "CVE-2011-3374", @@ -19510,6 +19523,7 @@ "Target": "opt/bitnami/common/bin/gosu", "Class": "lang-pkgs", "Type": "gobinary", + "Packages": [], "Vulnerabilities": [ { "VulnerabilityID": "CVE-2023-27561", @@ -19860,6 +19874,7 @@ "Target": "opt/bitnami/common/bin/wait-for-port", "Class": "lang-pkgs", "Type": "gobinary", + "Packages": [], "Vulnerabilities": [ { "VulnerabilityID": "CVE-2022-29526", @@ -19932,6 +19947,7 @@ "Target": "opt/bitnami/minio-client/bin/mc", "Class": "lang-pkgs", "Type": "gobinary", + "Packages": [], "Vulnerabilities": [ { "VulnerabilityID": "CVE-2022-27664", @@ -20247,6 +20263,7 @@ "Target": "opt/bitnami/minio/bin/minio", "Class": "lang-pkgs", "Type": "gobinary", + "Packages": [], "Vulnerabilities": [ { "VulnerabilityID": "CVE-2022-2835", @@ -20695,6 +20712,7 @@ "Target": "Deployment/securecodebox-operator-minio", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 131, "Failures": 10, @@ -21904,6 +21922,7 @@ "Target": "Service/kubernetes", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, 
@@ -21921,6 +21940,7 @@ "Target": "Service/kube-dns", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, @@ -21937,12 +21957,14 @@ { "Target": "k8s.gcr.io/etcd:3.5.3-0 (debian 11.3)", "Class": "os-pkgs", - "Type": "debian" + "Type": "debian", + "Packages": [] }, { "Target": "usr/local/bin/etcd", "Class": "lang-pkgs", "Type": "gobinary", + "Packages": [], "Vulnerabilities": [ { "VulnerabilityID": "CVE-2022-27191", @@ -22469,6 +22491,7 @@ "Target": "usr/local/bin/etcd-3.5.3", "Class": "lang-pkgs", "Type": "gobinary", + "Packages": [], "Vulnerabilities": [ { "VulnerabilityID": "CVE-2022-27191", @@ -22995,6 +23018,7 @@ "Target": "usr/local/bin/etcdctl", "Class": "lang-pkgs", "Type": "gobinary", + "Packages": [], "Vulnerabilities": [ { "VulnerabilityID": "CVE-2022-27191", @@ -23521,6 +23545,7 @@ "Target": "usr/local/bin/etcdctl-3.5.3", "Class": "lang-pkgs", "Type": "gobinary", + "Packages": [], "Vulnerabilities": [ { "VulnerabilityID": "CVE-2022-27191", @@ -24054,6 +24079,7 @@ "Target": "Pod/etcd-kind-control-plane", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 130, "Failures": 11, @@ -25382,6 +25408,7 @@ "Target": "Service/controller-manager-metrics-service", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, @@ -25399,6 +25426,7 @@ "Target": "Service/securecodebox-operator-minio", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, @@ -25416,6 +25444,7 @@ "Target": "k8s.gcr.io/kube-proxy:v1.24.0 (debian 11.3)", "Class": "os-pkgs", "Type": "debian", + "Packages": [], "Vulnerabilities": [ { "VulnerabilityID": "CVE-2011-3374", @@ -30782,6 +30811,7 @@ "Target": "DaemonSet/kube-proxy", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 126, "Failures": 15, 
@@ -32586,6 +32616,7 @@ "Target": "ServiceAccount/default", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, @@ -32603,6 +32634,7 @@ "Target": "ServiceAccount/default", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, @@ -32620,6 +32652,7 @@ "Target": "ServiceAccount/default", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, @@ -32637,6 +32670,7 @@ "Target": "ServiceAccount/lurker", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, @@ -32654,6 +32688,7 @@ "Target": "docker.io/kindest/kindnetd:v20220510-4929dd75 (debian 11.3)", "Class": "os-pkgs", "Type": "debian", + "Packages": [], "Vulnerabilities": [ { "VulnerabilityID": "CVE-2011-3374", @@ -38013,6 +38048,7 @@ "Target": "bin/kindnetd", "Class": "lang-pkgs", "Type": "gobinary", + "Packages": [], "Vulnerabilities": [ { "VulnerabilityID": "CVE-2022-1996", @@ -38464,6 +38500,7 @@ "Target": "DaemonSet/kindnet", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 130, "Failures": 11, @@ -39792,6 +39829,7 @@ "Target": "ServiceAccount/parser", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, @@ -39809,6 +39847,7 @@ "Target": "ServiceAccount/trivy-k8s", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, @@ -39826,6 +39865,7 @@ "Target": "ServiceAccount/default", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, @@ -39843,6 +39883,7 @@ "Target": "ServiceAccount/default", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, 
@@ -39860,6 +39901,7 @@ "Target": "ServiceAccount/attachdetach-controller", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, @@ -39877,6 +39919,7 @@ "Target": "ServiceAccount/certificate-controller", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, @@ -39894,6 +39937,7 @@ "Target": "ServiceAccount/clusterrole-aggregation-controller", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, @@ -39911,6 +39955,7 @@ "Target": "ServiceAccount/bootstrap-signer", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, @@ -39928,6 +39973,7 @@ "Target": "ServiceAccount/coredns", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, @@ -39945,6 +39991,7 @@ "Target": "ServiceAccount/daemon-set-controller", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, @@ -39962,6 +40009,7 @@ "Target": "ServiceAccount/cronjob-controller", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, @@ -39979,6 +40027,7 @@ "Target": "ServiceAccount/default", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, @@ -39996,6 +40045,7 @@ "Target": "ServiceAccount/deployment-controller", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, @@ -40013,6 +40063,7 @@ "Target": "ServiceAccount/endpointslice-controller", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, 
@@ -40030,6 +40081,7 @@ "Target": "ServiceAccount/disruption-controller", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, @@ -40047,6 +40099,7 @@ "Target": "ServiceAccount/endpoint-controller", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, @@ -40064,6 +40117,7 @@ "Target": "ServiceAccount/endpointslicemirroring-controller", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, @@ -40081,6 +40135,7 @@ "Target": "docker.io/aquasec/trivy:0.42.0 (alpine 3.18.0)", "Class": "os-pkgs", "Type": "alpine", + "Packages": [], "Vulnerabilities": [ { "VulnerabilityID": "CVE-2023-2650", @@ -40192,6 +40247,7 @@ "Target": "usr/local/bin/trivy", "Class": "lang-pkgs", "Type": "gobinary", + "Packages": [], "Vulnerabilities": [ { "VulnerabilityID": "CVE-2020-8911", @@ -40320,6 +40376,7 @@ "Target": "Job/scan-trivy-k8s-kvmnm", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 131, "Failures": 14, @@ -42005,6 +42062,7 @@ "Target": "ServiceAccount/ephemeral-volume-controller", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, @@ -42022,6 +42080,7 @@ "Target": "ServiceAccount/generic-garbage-collector", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, @@ -42039,6 +42098,7 @@ "Target": "ServiceAccount/expand-controller", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, @@ -42056,6 +42116,7 @@ "Target": "ServiceAccount/horizontal-pod-autoscaler", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, 
@@ -42073,6 +42134,7 @@ "Target": "ServiceAccount/job-controller", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, @@ -42090,6 +42152,7 @@ "Target": "ServiceAccount/kindnet", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, @@ -42107,6 +42170,7 @@ "Target": "ServiceAccount/kube-proxy", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, @@ -42124,6 +42188,7 @@ "Target": "ServiceAccount/node-controller", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, @@ -42141,6 +42206,7 @@ "Target": "ServiceAccount/namespace-controller", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, @@ -42158,6 +42224,7 @@ "Target": "ServiceAccount/persistent-volume-binder", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, @@ -42175,6 +42242,7 @@ "Target": "ServiceAccount/pod-garbage-collector", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, @@ -42192,6 +42260,7 @@ "Target": "ServiceAccount/pv-protection-controller", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, @@ -42209,6 +42278,7 @@ "Target": "ServiceAccount/pvc-protection-controller", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, @@ -42226,6 +42296,7 @@ "Target": "ServiceAccount/replicaset-controller", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, 
@@ -42243,6 +42314,7 @@ "Target": "ServiceAccount/replication-controller", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, @@ -42260,6 +42332,7 @@ "Target": "ServiceAccount/root-ca-cert-publisher", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, @@ -42277,6 +42350,7 @@ "Target": "ServiceAccount/resourcequota-controller", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, @@ -42294,6 +42368,7 @@ "Target": "ServiceAccount/service-account-controller", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, @@ -42311,6 +42386,7 @@ "Target": "ServiceAccount/service-controller", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, @@ -42328,6 +42404,7 @@ "Target": "ServiceAccount/statefulset-controller", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, @@ -42345,6 +42422,7 @@ "Target": "ServiceAccount/token-cleaner", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, @@ -42362,6 +42440,7 @@ "Target": "ServiceAccount/ttl-after-finished-controller", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, @@ -42379,6 +42458,7 @@ "Target": "ServiceAccount/ttl-controller", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, @@ -42396,6 +42476,7 @@ "Target": "ServiceAccount/default", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, 
@@ -42413,6 +42494,7 @@ "Target": "ServiceAccount/local-path-provisioner-service-account", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, @@ -42430,6 +42512,7 @@ "Target": "ServiceAccount/default", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, @@ -42447,6 +42530,7 @@ "Target": "ServiceAccount/securecodebox-operator", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, @@ -42464,6 +42548,7 @@ "Target": "ConfigMap/kube-root-ca.crt", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, @@ -42481,6 +42566,7 @@ "Target": "ServiceAccount/securecodebox-operator-minio", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, @@ -42498,6 +42584,7 @@ "Target": "ConfigMap/kube-root-ca.crt", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, @@ -42515,6 +42602,7 @@ "Target": "ConfigMap/kube-root-ca.crt", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, @@ -42532,6 +42620,7 @@ "Target": "ConfigMap/kube-root-ca.crt", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, @@ -42549,6 +42638,7 @@ "Target": "ConfigMap/cluster-info", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, @@ -42566,6 +42656,7 @@ "Target": "ConfigMap/kube-root-ca.crt", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, @@ -42583,6 +42674,7 @@ "Target": "ConfigMap/coredns", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, 
@@ -42600,6 +42692,7 @@ "Target": "ConfigMap/extension-apiserver-authentication", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 140, "Failures": 1, @@ -42644,6 +42737,7 @@ "Target": "ConfigMap/kube-proxy", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, @@ -42661,6 +42755,7 @@ "Target": "ConfigMap/kube-root-ca.crt", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, @@ -42678,6 +42773,7 @@ "Target": "ConfigMap/kubeadm-config", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, @@ -42695,6 +42791,7 @@ "Target": "ConfigMap/kubelet-config", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, @@ -42712,6 +42809,7 @@ "Target": "ConfigMap/local-path-config", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, @@ -42729,6 +42827,7 @@ "Target": "ConfigMap/kube-root-ca.crt", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, @@ -42746,6 +42845,7 @@ "Target": "Role/lurker", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, @@ -42763,6 +42863,7 @@ "Target": "ConfigMap/kube-root-ca.crt", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, @@ -42780,6 +42881,7 @@ "Target": "Role/parser", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, @@ -42797,6 +42899,7 @@ "Target": "Role/kubeadm:bootstrap-signer-clusterinfo", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, 
@@ -42814,6 +42917,7 @@ "Target": "Role/system:controller:bootstrap-signer", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 140, "Failures": 1, @@ -42934,6 +43038,7 @@ "Target": "Role/kubeadm:kubelet-config", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, @@ -42951,6 +43056,7 @@ "Target": "Role/extension-apiserver-authentication-reader", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, @@ -42968,6 +43074,7 @@ "Target": "Role/kube-proxy", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, @@ -42985,6 +43092,7 @@ "Target": "Role/kubeadm:nodes-kubeadm-config", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, @@ -43002,6 +43110,7 @@ "Target": "Role/system::leader-locking-kube-controller-manager", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 140, "Failures": 1, @@ -43131,6 +43240,7 @@ "Target": "Role/system::leader-locking-kube-scheduler", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 140, "Failures": 1, @@ -43260,6 +43370,7 @@ "Target": "Role/system:controller:cloud-provider", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 140, "Failures": 1, @@ -43389,6 +43500,7 @@ "Target": "Role/system:controller:bootstrap-signer", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 140, "Failures": 1, @@ -43509,6 +43621,7 @@ "Target": "Role/leader-election-role", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 140, "Failures": 1, 
@@ -43647,6 +43760,7 @@ "Target": "Role/system:controller:token-cleaner", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 140, "Failures": 1, @@ -43776,6 +43890,7 @@ "Target": "RoleBinding/lurker", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, @@ -43793,6 +43908,7 @@ "Target": "RoleBinding/parser", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, @@ -43810,6 +43926,7 @@ "Target": "RoleBinding/trivy-k8s-lurker", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, @@ -43827,6 +43944,7 @@ "Target": "RoleBinding/kubeadm:bootstrap-signer-clusterinfo", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, @@ -43844,6 +43962,7 @@ "Target": "RoleBinding/system:controller:bootstrap-signer", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, @@ -43861,6 +43980,7 @@ "Target": "RoleBinding/kube-proxy", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, @@ -43878,6 +43998,7 @@ "Target": "RoleBinding/kubeadm:kubelet-config", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, @@ -43895,6 +44016,7 @@ "Target": "RoleBinding/kubeadm:nodes-kubeadm-config", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, @@ -43912,6 +44034,7 @@ "Target": "RoleBinding/system::extension-apiserver-authentication-reader", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, 
@@ -43929,6 +44052,7 @@ "Target": "RoleBinding/system::leader-locking-kube-controller-manager", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, @@ -43946,6 +44070,7 @@ "Target": "RoleBinding/system::leader-locking-kube-scheduler", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, @@ -43963,6 +44088,7 @@ "Target": "RoleBinding/system:controller:bootstrap-signer", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, @@ -43980,6 +44106,7 @@ "Target": "RoleBinding/system:controller:cloud-provider", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, @@ -43997,6 +44124,7 @@ "Target": "RoleBinding/leader-election-rolebinding", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, @@ -44014,6 +44142,7 @@ "Target": "RoleBinding/system:controller:token-cleaner", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, @@ -44030,6 +44159,7 @@ "Target": "ClusterRole/cluster-admin", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 139, "Failures": 2, @@ -44214,6 +44344,7 @@ "Target": "ClusterRole/admin", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 136, "Failures": 11, @@ -45541,6 +45672,7 @@ "Target": "ClusterRole/edit", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 137, "Failures": 10, @@ -46749,6 +46881,7 @@ "Target": "ClusterRole/kubeadm:get-nodes", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, 
@@ -46765,6 +46898,7 @@ "Target": "ClusterRole/kindnet", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, @@ -46781,6 +46915,7 @@ "Target": "ClusterRole/manager-role", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 139, "Failures": 3, @@ -47147,6 +47282,7 @@ "Target": "ClusterRole/local-path-provisioner-role", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 139, "Failures": 2, @@ -47367,6 +47503,7 @@ "Target": "ClusterRole/parsedefinition-viewer-role", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, @@ -47383,6 +47520,7 @@ "Target": "ClusterRole/parsedefinition-editor-role", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, @@ -47399,6 +47537,7 @@ "Target": "ClusterRole/metrics-reader", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, @@ -47415,6 +47554,7 @@ "Target": "ClusterRole/proxy-role", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, @@ -47431,6 +47571,7 @@ "Target": "ClusterRole/scan-viewer-role", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, @@ -47447,6 +47588,7 @@ "Target": "ClusterRole/scantype-editor-role", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, @@ -47463,6 +47605,7 @@ "Target": "ClusterRole/scan-editor-role", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, @@ -47479,6 +47622,7 @@ "Target": "ClusterRole/scantype-viewer-role", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, 
@@ -47495,6 +47639,7 @@ "Target": "ClusterRole/scheduledscan-editor-role", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, @@ -47511,6 +47656,7 @@ "Target": "ClusterRole/system:aggregate-to-admin", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 140, "Failures": 1, @@ -47648,6 +47794,7 @@ "Target": "ClusterRole/scheduledscan-viewer-role", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, @@ -47664,6 +47811,7 @@ "Target": "ClusterRole/system:aggregate-to-edit", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 137, "Failures": 10, @@ -48872,6 +49020,7 @@ "Target": "ClusterRole/system:aggregate-to-view", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, @@ -48888,6 +49037,7 @@ "Target": "ClusterRole/system:auth-delegator", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, @@ -48904,6 +49054,7 @@ "Target": "ClusterRole/system:basic-user", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, @@ -48920,6 +49071,7 @@ "Target": "ClusterRole/system:certificates.k8s.io:certificatesigningrequests:nodeclient", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, @@ -48936,6 +49088,7 @@ "Target": "ClusterRole/system:certificates.k8s.io:certificatesigningrequests:selfnodeclient", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, @@ -48952,6 +49105,7 @@ "Target": "ClusterRole/system:certificates.k8s.io:kube-apiserver-client-approver", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, 
@@ -48968,6 +49122,7 @@ "Target": "ClusterRole/system:certificates.k8s.io:kube-apiserver-client-kubelet-approver", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, @@ -48984,6 +49139,7 @@ "Target": "ClusterRole/system:certificates.k8s.io:kubelet-serving-approver", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, @@ -49000,6 +49156,7 @@ "Target": "ClusterRole/system:certificates.k8s.io:legacy-unknown-approver", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, @@ -49016,6 +49173,7 @@ "Target": "ClusterRole/system:controller:attachdetach-controller", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, @@ -49032,6 +49190,7 @@ "Target": "ClusterRole/system:controller:certificate-controller", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, @@ -49048,6 +49207,7 @@ "Target": "ClusterRole/system:controller:clusterrole-aggregation-controller", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, @@ -49064,6 +49224,7 @@ "Target": "ClusterRole/system:controller:daemon-set-controller", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, @@ -49080,6 +49241,7 @@ "Target": "ClusterRole/system:controller:cronjob-controller", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 140, "Failures": 2, @@ -49327,6 +49489,7 @@ "Target": "ClusterRole/system:controller:deployment-controller", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 140, "Failures": 2, 
@@ -49583,6 +49746,7 @@ "Target": "ClusterRole/system:controller:endpoint-controller", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 140, "Failures": 1, @@ -49720,6 +49884,7 @@ "Target": "ClusterRole/system:controller:disruption-controller", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, @@ -49736,6 +49901,7 @@ "Target": "ClusterRole/system:controller:endpointslice-controller", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 140, "Failures": 1, @@ -49873,6 +50039,7 @@ "Target": "ClusterRole/system:controller:endpointslicemirroring-controller", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 140, "Failures": 1, @@ -50010,6 +50177,7 @@ "Target": "ClusterRole/system:controller:ephemeral-volume-controller", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, @@ -50026,6 +50194,7 @@ "Target": "ClusterRole/system:controller:generic-garbage-collector", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 140, "Failures": 1, @@ -50163,6 +50332,7 @@ "Target": "ClusterRole/system:controller:expand-controller", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 140, "Failures": 1, @@ -50264,6 +50434,7 @@ "Target": "ClusterRole/system:controller:horizontal-pod-autoscaler", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 140, "Failures": 2, @@ -50466,6 +50637,7 @@ "Target": "ClusterRole/system:controller:job-controller", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 140, "Failures": 1, 
@@ -50603,6 +50775,7 @@ "Target": "ClusterRole/system:controller:namespace-controller", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 140, "Failures": 1, @@ -50731,6 +50904,7 @@ "Target": "ClusterRole/system:controller:pod-garbage-collector", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, @@ -50747,6 +50921,7 @@ "Target": "ClusterRole/system:controller:node-controller", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, @@ -50763,6 +50938,7 @@ "Target": "ClusterRole/system:controller:persistent-volume-binder", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 139, "Failures": 3, @@ -51075,6 +51251,7 @@ "Target": "ClusterRole/system:controller:pv-protection-controller", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, @@ -51091,6 +51268,7 @@ "Target": "ClusterRole/system:controller:pvc-protection-controller", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, @@ -51107,6 +51285,7 @@ "Target": "ClusterRole/system:controller:replicaset-controller", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 140, "Failures": 1, @@ -51244,6 +51423,7 @@ "Target": "ClusterRole/system:controller:resourcequota-controller", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 140, "Failures": 1, @@ -51354,6 +51534,7 @@ "Target": "ClusterRole/system:controller:replication-controller", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 140, "Failures": 1, 
@@ -51482,6 +51663,7 @@ "Target": "ClusterRole/system:controller:root-ca-cert-publisher", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 140, "Failures": 1, @@ -51592,6 +51774,7 @@ "Target": "ClusterRole/system:controller:service-account-controller", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, @@ -51608,6 +51791,7 @@ "Target": "ClusterRole/system:controller:route-controller", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, @@ -51624,6 +51808,7 @@ "Target": "ClusterRole/system:controller:service-controller", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, @@ -51640,6 +51825,7 @@ "Target": "ClusterRole/system:controller:ttl-after-finished-controller", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, @@ -51656,6 +51842,7 @@ "Target": "ClusterRole/system:controller:statefulset-controller", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, @@ -51672,6 +51859,7 @@ "Target": "ClusterRole/system:controller:ttl-controller", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, @@ -51688,6 +51876,7 @@ "Target": "ClusterRole/system:coredns", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, @@ -51704,6 +51893,7 @@ "Target": "ClusterRole/system:discovery", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, @@ -51720,6 +51910,7 @@ "Target": "ClusterRole/system:heapster", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, 
@@ -51736,6 +51927,7 @@ "Target": "ClusterRole/system:kube-aggregator", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, @@ -51752,6 +51944,7 @@ "Target": "ClusterRole/system:kube-controller-manager", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 138, "Failures": 7, @@ -52432,6 +52625,7 @@ "Target": "ClusterRole/system:kube-scheduler", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 140, "Failures": 2, @@ -52643,6 +52837,7 @@ "Target": "ClusterRole/system:kube-dns", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, @@ -52659,6 +52854,7 @@ "Target": "ClusterRole/system:kubelet-api-admin", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, @@ -52675,6 +52871,7 @@ "Target": "ClusterRole/system:monitoring", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, @@ -52691,6 +52888,7 @@ "Target": "ClusterRole/system:node-bootstrapper", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, @@ -52707,6 +52905,7 @@ "Target": "ClusterRole/system:node-proxier", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, @@ -52723,6 +52922,7 @@ "Target": "ClusterRole/system:node-problem-detector", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, @@ -52739,6 +52939,7 @@ "Target": "ClusterRole/system:node", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 140, "Failures": 1, 
@@ -52867,6 +53068,7 @@ "Target": "ClusterRole/system:persistent-volume-provisioner", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, @@ -52883,6 +53085,7 @@ "Target": "ClusterRole/system:public-info-viewer", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, @@ -52899,6 +53102,7 @@ "Target": "ClusterRole/system:service-account-issuer-discovery", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, @@ -52915,6 +53119,7 @@ "Target": "ClusterRole/system:volume-scheduler", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, @@ -52931,6 +53136,7 @@ "Target": "ClusterRole/trivy-k8s", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, @@ -52947,6 +53153,7 @@ "Target": "ClusterRole/view", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, @@ -52963,6 +53170,7 @@ "Target": "ClusterRoleBinding/cluster-admin", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, @@ -52979,6 +53187,7 @@ "Target": "ClusterRoleBinding/kindnet", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, @@ -52995,6 +53204,7 @@ "Target": "ClusterRoleBinding/kubeadm:kubelet-bootstrap", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, @@ -53011,6 +53221,7 @@ "Target": "ClusterRoleBinding/kubeadm:get-nodes", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, 
@@ -53027,6 +53238,7 @@ "Target": "ClusterRoleBinding/kubeadm:node-autoapprove-bootstrap", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, @@ -53043,6 +53255,7 @@ "Target": "ClusterRoleBinding/kubeadm:node-autoapprove-certificate-rotation", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, @@ -53059,6 +53272,7 @@ "Target": "ClusterRoleBinding/kubeadm:node-proxier", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, @@ -53075,6 +53289,7 @@ "Target": "ClusterRoleBinding/local-path-provisioner-bind", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, @@ -53091,6 +53306,7 @@ "Target": "ClusterRoleBinding/manager-rolebinding", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, @@ -53107,6 +53323,7 @@ "Target": "ClusterRoleBinding/proxy-rolebinding", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, @@ -53123,6 +53340,7 @@ "Target": "ClusterRoleBinding/system:basic-user", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, @@ -53139,6 +53357,7 @@ "Target": "ClusterRoleBinding/system:controller:attachdetach-controller", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, @@ -53155,6 +53374,7 @@ "Target": "ClusterRoleBinding/system:controller:certificate-controller", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, 
@@ -53171,6 +53391,7 @@ "Target": "ClusterRoleBinding/system:controller:clusterrole-aggregation-controller", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, @@ -53187,6 +53408,7 @@ "Target": "ClusterRoleBinding/system:controller:cronjob-controller", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, @@ -53203,6 +53425,7 @@ "Target": "ClusterRoleBinding/system:controller:daemon-set-controller", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, @@ -53219,6 +53442,7 @@ "Target": "ClusterRoleBinding/system:controller:deployment-controller", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, @@ -53235,6 +53459,7 @@ "Target": "ClusterRoleBinding/system:controller:disruption-controller", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, @@ -53251,6 +53476,7 @@ "Target": "ClusterRoleBinding/system:controller:endpoint-controller", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, @@ -53267,6 +53493,7 @@ "Target": "ClusterRoleBinding/system:controller:endpointslice-controller", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, @@ -53283,6 +53510,7 @@ "Target": "ClusterRoleBinding/system:controller:endpointslicemirroring-controller", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, @@ -53299,6 +53527,7 @@ "Target": "ClusterRoleBinding/system:controller:expand-controller", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, 
@@ -53315,6 +53544,7 @@ "Target": "ClusterRoleBinding/system:controller:ephemeral-volume-controller", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, @@ -53331,6 +53561,7 @@ "Target": "ClusterRoleBinding/system:controller:generic-garbage-collector", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, @@ -53347,6 +53578,7 @@ "Target": "ClusterRoleBinding/system:controller:namespace-controller", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, @@ -53363,6 +53595,7 @@ "Target": "ClusterRoleBinding/system:controller:horizontal-pod-autoscaler", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, @@ -53379,6 +53612,7 @@ "Target": "ClusterRoleBinding/system:controller:job-controller", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, @@ -53395,6 +53629,7 @@ "Target": "ClusterRoleBinding/system:controller:node-controller", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, @@ -53411,6 +53646,7 @@ "Target": "ClusterRoleBinding/system:controller:persistent-volume-binder", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, @@ -53427,6 +53663,7 @@ "Target": "ClusterRoleBinding/system:controller:pod-garbage-collector", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, @@ -53443,6 +53680,7 @@ "Target": "ClusterRoleBinding/system:controller:replicaset-controller", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, 
@@ -53459,6 +53697,7 @@ "Target": "ClusterRoleBinding/system:controller:pvc-protection-controller", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, @@ -53475,6 +53714,7 @@ "Target": "ClusterRoleBinding/system:controller:pv-protection-controller", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, @@ -53491,6 +53731,7 @@ "Target": "ClusterRoleBinding/system:controller:replication-controller", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, @@ -53507,6 +53748,7 @@ "Target": "ClusterRoleBinding/system:controller:resourcequota-controller", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, @@ -53523,6 +53765,7 @@ "Target": "ClusterRoleBinding/system:controller:route-controller", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, @@ -53539,6 +53782,7 @@ "Target": "ClusterRoleBinding/system:controller:service-account-controller", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, @@ -53555,6 +53799,7 @@ "Target": "ClusterRoleBinding/system:controller:root-ca-cert-publisher", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, @@ -53571,6 +53816,7 @@ "Target": "ClusterRoleBinding/system:controller:service-controller", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, @@ -53587,6 +53833,7 @@ "Target": "ClusterRoleBinding/system:controller:statefulset-controller", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, 
@@ -53603,6 +53850,7 @@ "Target": "ClusterRoleBinding/system:coredns", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, @@ -53619,6 +53867,7 @@ "Target": "ClusterRoleBinding/system:controller:ttl-after-finished-controller", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, @@ -53635,6 +53884,7 @@ "Target": "ClusterRoleBinding/system:controller:ttl-controller", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, @@ -53651,6 +53901,7 @@ "Target": "ClusterRoleBinding/system:discovery", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, @@ -53667,6 +53918,7 @@ "Target": "ClusterRoleBinding/system:kube-controller-manager", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, @@ -53683,6 +53935,7 @@ "Target": "ClusterRoleBinding/system:kube-dns", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, @@ -53699,6 +53952,7 @@ "Target": "ClusterRoleBinding/system:monitoring", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, @@ -53715,6 +53969,7 @@ "Target": "ClusterRoleBinding/system:kube-scheduler", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, @@ -53731,6 +53986,7 @@ "Target": "ClusterRoleBinding/system:node", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, @@ -53747,6 +54003,7 @@ "Target": "ClusterRoleBinding/system:node-proxier", "Class": "config", "Type": "kubernetes", + "Packages": [], "MisconfSummary": { "Successes": 141, "Failures": 0, 
@@ -53763,6 +54020,7 @@
 "Target": "ClusterRoleBinding/system:public-info-viewer",
 "Class": "config",
 "Type": "kubernetes",
+ "Packages": [],
 "MisconfSummary": {
 "Successes": 141,
 "Failures": 0,
@@ -53779,6 +54037,7 @@
 "Target": "ClusterRoleBinding/system:volume-scheduler",
 "Class": "config",
 "Type": "kubernetes",
+ "Packages": [],
 "MisconfSummary": {
 "Successes": 141,
 "Failures": 0,
@@ -53795,6 +54054,7 @@
 "Target": "ClusterRoleBinding/system:service-account-issuer-discovery",
 "Class": "config",
 "Type": "kubernetes",
+ "Packages": [],
 "MisconfSummary": {
 "Successes": 141,
 "Failures": 0,
@@ -53811,6 +54071,7 @@
 "Target": "ClusterRoleBinding/trivy-k8s",
 "Class": "config",
 "Type": "kubernetes",
+ "Packages": [],
 "MisconfSummary": {
 "Successes": 140,
 "Failures": 1,
@@ -53948,6 +54209,7 @@
 "Target": "Node/kind-control-plane",
 "Class": "config",
 "Type": "kubernetes",
+ "Packages": [],
 "MisconfSummary": {
 "Successes": 141,
 "Failures": 0,
@@ -53964,6 +54226,7 @@
 "Target": "NodeInfo/kind-control-plane",
 "Class": "config",
 "Type": "kubernetes",
+ "Packages": [],
 "MisconfSummary": {
 "Successes": 135,
 "Failures": 6,
diff --git a/scanners/trivy/parser/parser.js b/scanners/trivy/parser/parser.js
index e8e4c6b507..56b4134aec 100644
--- a/scanners/trivy/parser/parser.js
+++ b/scanners/trivy/parser/parser.js
@@ -129,8 +129,9 @@ function parseK8sScanResultResource(clusterName, resourceItem, reject) {
 for (const aResult of results) {
 const {Target: target, Class: clazz, Type: type} = aResult;
- var keys = Object.keys(aResult);
- const expectedAttributes = ["Target", "Class", "Type", "Misconfigurations", "Vulnerabilities", "MisconfSummary"];
+ const keys = Object.keys(aResult);
+ const expectedAttributes = ["Target", "Class", "Type", "Misconfigurations", "Vulnerabilities", "MisconfSummary", "Packages"];
+ // The "Packages" attribute is now included in the scan report by default starting with Trivy 0.56.0 (https://github.com/aquasecurity/trivy/pull/6765)
 const found = keys.find(key => !expectedAttributes.includes(key));
 if (found !== undefined) {
 reject(new Error("Unexpected attribute '" + found + "' on resource-item"));