{"actions": [
{"action": "update", "resolves": [
{"id": 1067342, "path": "react-scripts>@babel/core>json5>minimist", "dev": false, "optional": false, "bundled": false
},
{"id": 1067342, "path": "package.json>package-json>registry-auth-token>rc>minimist", "dev": false, "optional": false, "bundled": false
},
{"id": 1067342, "path": "react-scripts>@svgr/webpack>@svgr/plugin-jsx>@babel/core>json5>minimist", "dev": false, "optional": false, "bundled": false
},
{"id": 1067342, "path": "react-scripts>@svgr/webpack>@svgr/core>@svgr/plugin-jsx>@babel/core>json5>minimist", "dev": false, "optional": false, "bundled": false
},
{"id": 1067342, "path": "react-scripts>jest>@jest/core>@jest/reporters>@jest/transform>@babel/core>json5>minimist", "dev": false, "optional": false, "bundled": false
},
{"id": 1067342, "path": "react-scripts>jest>@jest/core>jest-config>babel-jest>@jest/transform>@babel/core>json5>minimist", "dev": false, "optional": false, "bundled": false
},
{"id": 1067342, "path": "react-scripts>jest>jest-cli>@jest/core>jest-config>babel-jest>@jest/transform>@babel/core>json5>minimist", "dev": false, "optional": false, "bundled": false
},
{"id": 1067342, "path": "react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/transform>@babel/core>json5>minimist", "dev": false, "optional": false, "bundled": false
},
{"id": 1067342, "path": "react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>jest-snapshot>@jest/transform>@babel/core>json5>minimist", "dev": false, "optional": false, "bundled": false
},
{"id": 1067342, "path": "react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/transform>babel-plugin-istanbul>istanbul-lib-instrument>@babel/core>json5>minimist", "dev": false, "optional": false, "bundled": false
},
{"id": 1067342, "path": "react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>jest-snapshot>@jest/transform>babel-plugin-istanbul>istanbul-lib-instrument>@babel/core>json5>minimist", "dev": false, "optional": false, "bundled": false
}
], "module": "minimist", "target": "1.2.6", "depth": 14
},
{"action": "update", "resolves": [
{"id": 1067407, "path": "axios>follow-redirects", "dev": false, "optional": false, "bundled": false
},
{"id": 1067407, "path": "localtunnel>axios>follow-redirects", "dev": false, "optional": false, "bundled": false
},
{"id": 1067407, "path": "react-scripts>webpack-dev-server>http-proxy-middleware>http-proxy>follow-redirects", "dev": false, "optional": false, "bundled": false
},
{"id": 1067459, "path": "axios>follow-redirects", "dev": false, "optional": false, "bundled": false
},
{"id": 1067459, "path": "localtunnel>axios>follow-redirects", "dev": false, "optional": false, "bundled": false
},
{"id": 1067459, "path": "react-scripts>webpack-dev-server>http-proxy-middleware>http-proxy>follow-redirects", "dev": false, "optional": false, "bundled": false
}
], "module": "follow-redirects", "target": "1.15.1", "depth": 5
},
{"action": "update", "resolves": [
{"id": 1067452, "path": "react-scripts>webpack-dev-server>selfsigned>node-forge", "dev": false, "optional": false, "bundled": false
},
{"id": 1067471, "path": "react-scripts>webpack-dev-server>selfsigned>node-forge", "dev": false, "optional": false, "bundled": false
},
{"id": 1070354, "path": "react-scripts>webpack-dev-server>selfsigned>node-forge", "dev": false, "optional": false, "bundled": false
},
{"id": 1070355, "path": "react-scripts>webpack-dev-server>selfsigned>node-forge", "dev": false, "optional": false, "bundled": false
},
{"id": 1070356, "path": "react-scripts>webpack-dev-server>selfsigned>node-forge", "dev": false, "optional": false, "bundled": false
},
{"id": 1081840, "path": "react-scripts>webpack-dev-server>selfsigned>node-forge", "dev": false, "optional": false, "bundled": false
}
], "module": "webpack-dev-server", "target": "4.9.3", "depth": 2
},
{"action": "update", "resolves": [
{"id": 1070412, "path": "react-scripts>workbox-webpack-plugin>workbox-build>@surma/rollup-plugin-off-main-thread>ejs", "dev": false, "optional": false, "bundled": false
}
], "module": "ejs", "target": "3.1.8", "depth": 5
},
{"action": "update", "resolves": [
{"id": 1070440, "path": "react-scripts>webpack-dev-server>portfinder>async", "dev": false, "optional": false, "bundled": false
}
], "module": "async", "target": "2.6.4", "depth": 4
},
{"action": "update", "resolves": [
{"id": 1081481, "path": "react-scripts>postcss>nanoid", "dev": false, "optional": false, "bundled": false
},
{"id": 1081481, "path": "react-scripts>css-loader>postcss>nanoid", "dev": false, "optional": false, "bundled": false
},
{"id": 1081481, "path": "react-scripts>tailwindcss>postcss-js>postcss>nanoid", "dev": false, "optional": false, "bundled": false
}
], "module": "nanoid", "target": "3.3.4", "depth": 5
},
{"action": "update", "resolves": [
{"id": 1081698, "path": "react-scripts>terser-webpack-plugin>terser", "dev": false, "optional": false, "bundled": false
},
{"id": 1081698, "path": "react-scripts>html-webpack-plugin>html-minifier-terser>terser", "dev": false, "optional": false, "bundled": false
},
{"id": 1081698, "path": "react-scripts>workbox-webpack-plugin>workbox-build>rollup-plugin-terser>terser", "dev": false, "optional": false, "bundled": false
}
], "module": "terser", "target": "5.14.2", "depth": 5
},
{"action": "review", "module": "nth-check", "resolves": [
{"id": 1070415, "path": "react-scripts>@svgr/webpack>@svgr/plugin-svgo>svgo>css-select>nth-check", "dev": false, "optional": false, "bundled": false
}
]
},
{"action": "review", "module": "got", "resolves": [
{"id": 1080920, "path": "package.json>package-json>got", "dev": false, "optional": false, "bundled": false
}
]
},
{"action": "review", "module": "parse-url", "resolves": [
{"id": 1080970, "path": "package.json>git-source>git-url-parse>git-up>parse-url", "dev": false, "optional": false, "bundled": false
},
{"id": 1080971, "path": "package.json>git-source>git-url-parse>git-up>parse-url", "dev": false, "optional": false, "bundled": false
},
{"id": 1080972, "path": "package.json>git-source>git-url-parse>git-up>parse-url", "dev": false, "optional": false, "bundled": false
},
{"id": 1080973, "path": "package.json>git-source>git-url-parse>git-up>parse-url", "dev": false, "optional": false, "bundled": false
}
]
}
], "advisories": {"1067342": {"findings": [
{"version": "1.2.5", "paths": ["react-scripts>@babel/core>json5>minimist", "package.json>package-json>registry-auth-token>rc>minimist", "react-scripts>@svgr/webpack>@svgr/plugin-jsx>@babel/core>json5>minimist", "react-scripts>@svgr/webpack>@svgr/core>@svgr/plugin-jsx>@babel/core>json5>minimist", "react-scripts>jest>@jest/core>@jest/reporters>@jest/transform>@babel/core>json5>minimist", "react-scripts>jest>@jest/core>jest-config>babel-jest>@jest/transform>@babel/core>json5>minimist", "react-scripts>jest>jest-cli>@jest/core>jest-config>babel-jest>@jest/transform>@babel/core>json5>minimist", "react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/transform>@babel/core>json5>minimist", "react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>jest-snapshot>@jest/transform>@babel/core>json5>minimist", "react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/transform>babel-plugin-istanbul>istanbul-lib-instrument>@babel/core>json5>minimist", "react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>jest-snapshot>@jest/transform>babel-plugin-istanbul>istanbul-lib-instrument>@babel/core>json5>minimist"
]
}
], "metadata": null, "vulnerable_versions": "<1.2.6", "module_name": "minimist", "severity": "critical", "github_advisory_id": "GHSA-xvch-5gv4-984h", "cves": ["CVE-2021-44906"
], "access": "public", "patched_versions": ">=1.2.6", "cvss": {"score": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
}, "updated": "2022-04-04T21:39:39.000Z", "recommendation": "Upgrade to version 1.2.6 or later", "cwe": ["CWE-1321"
], "found_by": null, "deleted": null, "id": 1067342, "references": "- https://nvd.nist.gov/vuln/detail/CVE-2021-44906\n- https://github.com/substack/minimist/issues/164\n- https://github.com/substack/minimist/blob/master/index.js#L69\n- https://snyk.io/vuln/SNYK-JS-MINIMIST-559764\n- https://stackoverflow.com/questions/8588563/adding-custom-properties-to-a-function/20278068#20278068\n- https://github.com/Marynk/JavaScript-vulnerability-detection/blob/main/minimist%20PoC.zip\n- https://github.com/advisories/GHSA-xvch-5gv4-984h", "created": "2022-03-18T00:01:09.000Z", "reported_by": null, "title": "Prototype Pollution in minimist", "npm_advisory_id": null, "overview": "Minimist <=1.2.5 is vulnerable to Prototype Pollution via file index.js, function setKey() (lines 69-95).", "url": "https://github.com/advisories/GHSA-xvch-5gv4-984h"}, "1067407": {"findings": [{"version": "1.14.1", "paths": ["axios>follow-redirects", "localtunnel>axios>follow-redirects", "react-scripts>webpack-dev-server>http-proxy-middleware>http-proxy>follow-redirects"]}], "metadata": null, "vulnerable_versions": "<1.14.8", "module_name": "follow-redirects", "severity": "moderate", "github_advisory_id": "GHSA-pw2r-vq6v-hr8c", "cves": ["CVE-2022-0536"], "access": "public", "patched_versions": ">=1.14.8", "cvss": {"score": 5.9, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"}, "updated": "2022-02-14T22:27:57.000Z", "recommendation": "Upgrade to version 1.14.8 or later", "cwe": ["CWE-200"], "found_by": null, "deleted": null, "id": 1067407, "references": "- https://nvd.nist.gov/vuln/detail/CVE-2022-0536\n- https://github.com/follow-redirects/follow-redirects/commit/62e546a99c07c3ee5e4e0718c84a6ca127c5c445\n- https://huntr.dev/bounties/7cf2bf90-52da-4d59-8028-a73b132de0db\n- https://github.com/advisories/GHSA-pw2r-vq6v-hr8c", "created": "2022-02-10T00:00:31.000Z", "reported_by": null, "title": "Exposure of Sensitive Information to an Unauthorized Actor in follow-redirects", 
"npm_advisory_id": null, "overview": "Exposure of Sensitive Information to an Unauthorized Actor in NPM follow-redirects prior to 1.14.8.", "url": "https://github.com/advisories/GHSA-pw2r-vq6v-hr8c"}, "1067452": {"findings": [{"version": "0.10.0", "paths": ["react-scripts>webpack-dev-server>selfsigned>node-forge"]}], "metadata": null, "vulnerable_versions": "<1.0.0", "module_name": "node-forge", "severity": "moderate", "github_advisory_id": "GHSA-8fr3-hfg3-gpgp", "cves": ["CVE-2022-0122"], "access": "public", "patched_versions": ">=1.0.0", "cvss": {"score": 0, "vectorString": null}, "updated": "2022-01-21T23:36:19.000Z", "recommendation": "Upgrade to version 1.0.0 or later", "cwe": ["CWE-601"], "found_by": null, "deleted": null, "id": 1067452, "references": "- https://nvd.nist.gov/vuln/detail/CVE-2022-0122\n- https://github.com/digitalbazaar/forge/commit/db8016c805371e72b06d8e2edfe0ace0df934a5e\n- https://huntr.dev/bounties/41852c50-3c6d-4703-8c55-4db27164a4ae\n- https://github.com/advisories/GHSA-8fr3-hfg3-gpgp", "created": "2022-01-21T23:36:19.000Z", "reported_by": null, "title": "Open Redirect in node-forge", "npm_advisory_id": null, "overview": "parseUrl functionality in node-forge mishandles certain uses of backslash such as https:/\\/\\/\\ and interprets the URI as a relative path. 
", "url": "https://github.com/advisories/GHSA-8fr3-hfg3-gpgp"}, "1067459": {"findings": [{"version": "1.14.1", "paths": ["axios>follow-redirects", "localtunnel>axios>follow-redirects", "react-scripts>webpack-dev-server>http-proxy-middleware>http-proxy>follow-redirects"]}], "metadata": null, "vulnerable_versions": "<1.14.7", "module_name": "follow-redirects", "severity": "high", "github_advisory_id": "GHSA-74fj-2j2h-c42q", "cves": ["CVE-2022-0155"], "access": "public", "patched_versions": ">=1.14.7", "cvss": {"score": 8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H"}, "updated": "2022-01-20T15:34:49.000Z", "recommendation": "Upgrade to version 1.14.7 or later", "cwe": ["CWE-359"], "found_by": null, "deleted": null, "id": 1067459, "references": "- https://nvd.nist.gov/vuln/detail/CVE-2022-0155\n- https://github.com/follow-redirects/follow-redirects/commit/8b347cbcef7c7b72a6e9be20f5710c17d6163c22\n- https://huntr.dev/bounties/fc524e4b-ebb6-427d-ab67-a64181020406\n- https://github.com/advisories/GHSA-74fj-2j2h-c42q", "created": "2022-01-12T22:46:26.000Z", "reported_by": null, "title": "Exposure of sensitive information in follow-redirects", "npm_advisory_id": null, "overview": "follow-redirects is vulnerable to Exposure of Private Personal Information to an Unauthorized Actor", "url": "https://github.com/advisories/GHSA-74fj-2j2h-c42q"}, "1067471": {"findings": [{"version": "0.10.0", "paths": ["react-scripts>webpack-dev-server>selfsigned>node-forge"]}], "metadata": null, "vulnerable_versions": "<1.0.0", "module_name": "node-forge", "severity": "low", "github_advisory_id": "GHSA-5rrq-pxf6-6jx5", "cves": [], "access": "public", "patched_versions": ">=1.0.0", "cvss": {"score": 0, "vectorString": null}, "updated": "2022-01-08T00:22:42.000Z", "recommendation": "Upgrade to version 1.0.0 or later", "cwe": ["CWE-1321"], "found_by": null, "deleted": null, "id": 1067471, "references": "- 
https://github.com/digitalbazaar/forge/security/advisories/GHSA-5rrq-pxf6-6jx5\n- https://github.com/advisories/GHSA-5rrq-pxf6-6jx5", "created": "2022-01-08T00:22:42.000Z", "reported_by": null, "title": "Prototype Pollution in node-forge debug API.", "npm_advisory_id": null, "overview": "### Impact\nThe `forge.debug` API had a potential prototype pollution issue if called with untrusted input. The API was only used for internal debug purposes in a safe way and never documented or advertised. It is suspected that uses of this API, if any exist, would likely not have used untrusted inputs in a vulnerable way.\n\n### Patches\nThe `forge.debug` API and related functions were removed in 1.0.0.\n\n### Workarounds\nDon't use the `forge.debug` API directly or indirectly with untrusted input.\n\n### References\n- https://www.huntr.dev/bounties/1-npm-node-forge/\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue in [forge](https://github.com/digitalbazaar/forge).\n* Email us at support@digitalbazaar.com.", "url": "https://github.com/advisories/GHSA-5rrq-pxf6-6jx5"}, "1070354": {"findings": [{"version": "0.10.0", "paths": ["react-scripts>webpack-dev-server>selfsigned>node-forge"]}], "metadata": null, "vulnerable_versions": "<1.3.0", "module_name": "node-forge", "severity": "moderate", "github_advisory_id": "GHSA-2r2c-g63r-vccr", "cves": ["CVE-2022-24773"], "access": "public", "patched_versions": ">=1.3.0", "cvss": {"score": 5.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"}, "updated": "2022-05-13T18:50:27.000Z", "recommendation": "Upgrade to version 1.3.0 or later", "cwe": ["CWE-347"], "found_by": null, "deleted": null, "id": 1070354, "references": "- https://github.com/digitalbazaar/forge/security/advisories/GHSA-2r2c-g63r-vccr\n- https://nvd.nist.gov/vuln/detail/CVE-2022-24773\n- https://github.com/digitalbazaar/forge/commit/3f0b49a0573ef1bb7af7f5673c0cfebf00424df1\n- 
https://github.com/digitalbazaar/forge/commit/bb822c02df0b61211836472e29b9790cc541cdb2\n- https://github.com/advisories/GHSA-2r2c-g63r-vccr", "created": "2022-03-18T23:10:48.000Z", "reported_by": null, "title": "Improper Verification of Cryptographic Signature in `node-forge`", "npm_advisory_id": null, "overview": "### Impact\n\nRSA PKCS#1 v1.5 signature verification code is not properly checking `DigestInfo` for a proper ASN.1 structure. This can lead to successful verification with signatures that contain invalid structures but a valid digest.\n\n### Patches\n\nThe issue has been addressed in `node-forge` `1.3.0`.\n\n### For more information\n\nIf you have any questions or comments about this advisory:\n* Open an issue in [forge](https://github.com/digitalbazaar/forge)\n* Email us at [example email address](mailto:security@digitalbazaar.com)", "url": "https://github.com/advisories/GHSA-2r2c-g63r-vccr"}, "1070355": {"findings": [{"version": "0.10.0", "paths": ["react-scripts>webpack-dev-server>selfsigned>node-forge"]}], "metadata": null, "vulnerable_versions": "<1.3.0", "module_name": "node-forge", "severity": "high", "github_advisory_id": "GHSA-x4jg-mjrx-434g", "cves": ["CVE-2022-24772"], "access": "public", "patched_versions": ">=1.3.0", "cvss": {"score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"}, "updated": "2022-05-13T18:50:27.000Z", "recommendation": "Upgrade to version 1.3.0 or later", "cwe": ["CWE-347"], "found_by": null, "deleted": null, "id": 1070355, "references": "- https://github.com/digitalbazaar/forge/security/advisories/GHSA-x4jg-mjrx-434g\n- https://nvd.nist.gov/vuln/detail/CVE-2022-24772\n- https://github.com/digitalbazaar/forge/commit/3f0b49a0573ef1bb7af7f5673c0cfebf00424df1\n- https://github.com/digitalbazaar/forge/commit/bb822c02df0b61211836472e29b9790cc541cdb2\n- https://github.com/advisories/GHSA-x4jg-mjrx-434g", "created": "2022-03-18T23:10:28.000Z", "reported_by": null, "title": "Improper Verification of 
Cryptographic Signature in node-forge", "npm_advisory_id": null, "overview": "### Impact\n\nRSA PKCS#1 v1.5 signature verification code does not check for tailing garbage bytes after decoding a `DigestInfo` ASN.1 structure. This can allow padding bytes to be removed and garbage data added to forge a signature when a low public exponent is being used.\n\n### Patches\n\nThe issue has been addressed in `node-forge` `1.3.0`.\n\n### References\n\nFor more information, please see\n[\"Bleichenbacher's RSA signature forgery based on implementation error\"](https://mailarchive.ietf.org/arch/msg/openpgp/5rnE9ZRN1AokBVj3VqblGlP63QE/)\nby Hal Finney.\n\n### For more information\n\nIf you have any questions or comments about this advisory:\n* Open an issue in [forge](https://github.com/digitalbazaar/forge)\n* Email us at [example email address](mailto:security@digitalbazaar.com)", "url": "https://github.com/advisories/GHSA-x4jg-mjrx-434g"}, "1070356": {"findings": [{"version": "0.10.0", "paths": ["react-scripts>webpack-dev-server>selfsigned>node-forge"]}], "metadata": null, "vulnerable_versions": "<1.3.0", "module_name": "node-forge", "severity": "high", "github_advisory_id": "GHSA-cfm4-qjh2-4765", "cves": ["CVE-2022-24771"], "access": "public", "patched_versions": ">=1.3.0", "cvss": {"score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"}, "updated": "2022-05-13T18:50:27.000Z", "recommendation": "Upgrade to version 1.3.0 or later", "cwe": ["CWE-347"], "found_by": null, "deleted": null, "id": 1070356, "references": "- https://github.com/digitalbazaar/forge/security/advisories/GHSA-cfm4-qjh2-4765\n- https://nvd.nist.gov/vuln/detail/CVE-2022-24771\n- https://github.com/digitalbazaar/forge/commit/3f0b49a0573ef1bb7af7f5673c0cfebf00424df1\n- https://github.com/digitalbazaar/forge/commit/bb822c02df0b61211836472e29b9790cc541cdb2\n- https://github.com/advisories/GHSA-cfm4-qjh2-4765", "created": "2022-03-18T23:09:54.000Z", "reported_by": null, "title": "Improper 
Verification of Cryptographic Signature in node-forge", "npm_advisory_id": null, "overview": "### Impact\n\nRSA PKCS#1 v1.5 signature verification code is lenient in checking the digest algorithm structure. This can allow a crafted structure that steals padding bytes and uses unchecked portion of the PKCS#1 encoded message to forge a signature when a low public exponent is being used.\n\n### Patches\n\nThe issue has been addressed in `node-forge` `1.3.0`.\n\n### References\n\nFor more information, please see\n[\"Bleichenbacher's RSA signature forgery based on implementation error\"](https://mailarchive.ietf.org/arch/msg/openpgp/5rnE9ZRN1AokBVj3VqblGlP63QE/)\nby Hal Finney.\n\n### For more information\n\nIf you have any questions or comments about this advisory:\n* Open an issue in [forge](https://github.com/digitalbazaar/forge)\n* Email us at [example email address](mailto:security@digitalbazaar.com)", "url": "https://github.com/advisories/GHSA-cfm4-qjh2-4765"}, "1070412": {"findings": [{"version": "3.1.6", "paths": ["react-scripts>workbox-webpack-plugin>workbox-build>@surma/rollup-plugin-off-main-thread>ejs"]}], "metadata": null, "vulnerable_versions": "<3.1.7", "module_name": "ejs", "severity": "critical", "github_advisory_id": "GHSA-phwq-j96m-2c2q", "cves": ["CVE-2022-29078"], "access": "public", "patched_versions": ">=3.1.7", "cvss": {"score": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "updated": "2022-05-26T19:38:41.000Z", "recommendation": "Upgrade to version 3.1.7 or later", "cwe": ["CWE-74"], "found_by": null, "deleted": null, "id": 1070412, "references": "- https://nvd.nist.gov/vuln/detail/CVE-2022-29078\n- https://eslam.io/posts/ejs-server-side-template-injection-rce/\n- https://github.com/mde/ejs/commit/15ee698583c98dadc456639d6245580d17a24baf\n- https://github.com/mde/ejs/releases\n- https://github.com/advisories/GHSA-phwq-j96m-2c2q", "created": "2022-04-26T00:00:40.000Z", "reported_by": null, "title": "Template injection in 
ejs", "npm_advisory_id": null, "overview": "The ejs (aka Embedded JavaScript templates) package 3.1.6 for Node.js allows server-side template injection in settings[view options][outputFunctionName]. This is parsed as an internal option, and overwrites the outputFunctionName option with an arbitrary OS command (which is executed upon template compilation).", "url": "https://github.com/advisories/GHSA-phwq-j96m-2c2q"}, "1070415": {"findings": [{"version": "1.0.2", "paths": ["react-scripts>@svgr/webpack>@svgr/plugin-svgo>svgo>css-select>nth-check"]}], "metadata": null, "vulnerable_versions": "<2.0.1", "module_name": "nth-check", "severity": "high", "github_advisory_id": "GHSA-rp65-9cf3-cjxr", "cves": ["CVE-2021-3803"], "access": "public", "patched_versions": ">=2.0.1", "cvss": {"score": 7.5, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}, "updated": "2022-05-26T19:57:03.000Z", "recommendation": "Upgrade to version 2.0.1 or later", "cwe": ["CWE-1333"], "found_by": null, "deleted": null, "id": 1070415, "references": "- https://nvd.nist.gov/vuln/detail/CVE-2021-3803\n- https://github.com/fb55/nth-check/commit/9894c1d2010870c351f66c6f6efcf656e26bb726\n- https://huntr.dev/bounties/8cf8cc06-d2cf-4b4e-b42c-99fafb0b04d0\n- https://github.com/advisories/GHSA-rp65-9cf3-cjxr", "created": "2021-09-20T20:47:31.000Z", "reported_by": null, "title": "Inefficient Regular Expression Complexity in nth-check", "npm_advisory_id": null, "overview": "nth-check is vulnerable to Inefficient Regular Expression Complexity", "url": "https://github.com/advisories/GHSA-rp65-9cf3-cjxr"}, "1070440": {"findings": [{"version": "2.6.3", "paths": ["react-scripts>webpack-dev-server>portfinder>async"]}], "metadata": null, "vulnerable_versions": ">=2.0.0 <2.6.4", "module_name": "async", "severity": "high", "github_advisory_id": "GHSA-fwr7-v2mv-hh25", "cves": ["CVE-2021-43138"], "access": "public", "patched_versions": ">=2.6.4", "cvss": {"score": 7.8, "vectorString": 
"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}, "updated": "2022-06-02T17:28:57.000Z", "recommendation": "Upgrade to version 2.6.4 or later", "cwe": ["CWE-1321"], "found_by": null, "deleted": null, "id": 1070440, "references": "- https://nvd.nist.gov/vuln/detail/CVE-2021-43138\n- https://github.com/caolan/async/commit/e1ecdbf79264f9ab488c7799f4c76996d5dca66d\n- https://github.com/caolan/async/blob/master/lib/internal/iterator.js\n- https://github.com/caolan/async/blob/master/lib/mapValuesLimit.js\n- https://jsfiddle.net/oz5twjd9/\n- https://github.com/caolan/async/pull/1828\n- https://github.com/caolan/async/commit/8f7f90342a6571ba1c197d747ebed30c368096d2\n- https://github.com/caolan/async/blob/v2.6.4/CHANGELOG.md#v264\n- https://github.com/advisories/GHSA-fwr7-v2mv-hh25", "created": "2022-04-07T00:00:17.000Z", "reported_by": null, "title": "Prototype Pollution in async", "npm_advisory_id": null, "overview": "A vulnerability exists in Async through 3.2.1 for 3.x and through 2.6.3 for 2.x (fixed in 3.2.2 and 2.6.4), which could let a malicious user obtain privileges via the `mapValues()` method.", "url": "https://github.com/advisories/GHSA-fwr7-v2mv-hh25"}, "1080920": {"findings": [{"version": "5.6.0", "paths": ["package.json>package-json>got"]}], "metadata": null, "vulnerable_versions": "<11.8.5", "module_name": "got", "severity": "moderate", "github_advisory_id": "GHSA-pfrx-2q88-qq97", "cves": ["CVE-2022-33987"], "access": "public", "patched_versions": ">=11.8.5", "cvss": {"score": 5.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"}, "updated": "2022-07-05T21:24:52.000Z", "recommendation": "Upgrade to version 11.8.5 or later", "cwe": [], "found_by": null, "deleted": null, "id": 1080920, "references": "- https://nvd.nist.gov/vuln/detail/CVE-2022-33987\n- https://github.com/sindresorhus/got/pull/2047\n- https://github.com/sindresorhus/got/compare/v12.0.3...v12.1.0\n- 
https://github.com/sindresorhus/got/commit/861ccd9ac2237df762a9e2beed7edd88c60782dc\n- https://github.com/sindresorhus/got/releases/tag/v11.8.5\n- https://github.com/sindresorhus/got/releases/tag/v12.1.0\n- https://github.com/advisories/GHSA-pfrx-2q88-qq97", "created": "2022-06-19T00:00:21.000Z", "reported_by": null, "title": "Got allows a redirect to a UNIX socket", "npm_advisory_id": null, "overview": "The got package before 11.8.5 and 12.1.0 for Node.js allows a redirect to a UNIX socket.", "url": "https://github.com/advisories/GHSA-pfrx-2q88-qq97"}, "1080970": {"findings": [{"version": "1.3.11", "paths": ["package.json>git-source>git-url-parse>git-up>parse-url"]}], "metadata": null, "vulnerable_versions": "<6.0.1", "module_name": "parse-url", "severity": "moderate", "github_advisory_id": "GHSA-q6wq-5p59-983w", "cves": ["CVE-2022-2217"], "access": "public", "patched_versions": ">=6.0.1", "cvss": {"score": 6.1, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"}, "updated": "2022-07-07T17:15:33.000Z", "recommendation": "Upgrade to version 6.0.1 or later", "cwe": ["CWE-79"], "found_by": null, "deleted": null, "id": 1080970, "references": "- https://nvd.nist.gov/vuln/detail/CVE-2022-2217\n- https://github.com/ionicabizau/parse-url/commit/21c72ab9412228eea753e2abc48f8962707b1fe3\n- https://huntr.dev/bounties/4e046c63-b1ca-4bcc-b418-29796918a71b\n- https://github.com/advisories/GHSA-q6wq-5p59-983w", "created": "2022-06-28T00:01:02.000Z", "reported_by": null, "title": "Cross site scripting in parse-url", "npm_advisory_id": null, "overview": "Cross-site Scripting (XSS) - Generic in GitHub repository ionicabizau/parse-url prior to 6.0.1", "url": "https://github.com/advisories/GHSA-q6wq-5p59-983w"}, "1080971": {"findings": [{"version": "1.3.11", "paths": ["package.json>git-source>git-url-parse>git-up>parse-url"]}], "metadata": null, "vulnerable_versions": "<6.0.1", "module_name": "parse-url", "severity": "critical", "github_advisory_id": 
"GHSA-7f3x-x4pr-wqhj", "cves": ["CVE-2022-2216"], "access": "public", "patched_versions": ">=6.0.1", "cvss": {"score": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "updated": "2022-07-07T17:15:42.000Z", "recommendation": "Upgrade to version 6.0.1 or later", "cwe": ["CWE-918"], "found_by": null, "deleted": null, "id": 1080971, "references": "- https://nvd.nist.gov/vuln/detail/CVE-2022-2216\n- https://github.com/ionicabizau/parse-url/commit/21c72ab9412228eea753e2abc48f8962707b1fe3\n- https://huntr.dev/bounties/505a3d39-2723-4a06-b1f7-9b2d133c92e1\n- https://github.com/advisories/GHSA-7f3x-x4pr-wqhj", "created": "2022-06-28T00:01:02.000Z", "reported_by": null, "title": "Server-Side Request Forgery in parse-url", "npm_advisory_id": null, "overview": "Server-Side Request Forgery (SSRF) in GitHub repository ionicabizau/parse-url prior to 7.0.0.", "url": "https://github.com/advisories/GHSA-7f3x-x4pr-wqhj"}, "1080972": {"findings": [{"version": "1.3.11", "paths": ["package.json>git-source>git-url-parse>git-up>parse-url"]}], "metadata": null, "vulnerable_versions": "<6.0.1", "module_name": "parse-url", "severity": "moderate", "github_advisory_id": "GHSA-jpp7-7chh-cf67", "cves": ["CVE-2022-2218"], "access": "public", "patched_versions": ">=6.0.1", "cvss": {"score": 6.1, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"}, "updated": "2022-07-07T17:16:00.000Z", "recommendation": "Upgrade to version 6.0.1 or later", "cwe": ["CWE-79"], "found_by": null, "deleted": null, "id": 1080972, "references": "- https://nvd.nist.gov/vuln/detail/CVE-2022-2218\n- https://github.com/ionicabizau/parse-url/commit/21c72ab9412228eea753e2abc48f8962707b1fe3\n- https://huntr.dev/bounties/024912d3-f103-4daf-a1d0-567f4d9f2bf5\n- https://github.com/advisories/GHSA-jpp7-7chh-cf67", "created": "2022-06-28T00:01:01.000Z", "reported_by": null, "title": "Cross site scripting in parse-url", "npm_advisory_id": null, "overview": "Cross-site Scripting (XSS) - Stored in 
GitHub repository ionicabizau/parse-url prior to 7.0.0.", "url": "https://github.com/advisories/GHSA-jpp7-7chh-cf67"}, "1080973": {"findings": [{"version": "1.3.11", "paths": ["package.json>git-source>git-url-parse>git-up>parse-url"]}], "metadata": null, "vulnerable_versions": "<6.0.1", "module_name": "parse-url", "severity": "high", "github_advisory_id": "GHSA-4p35-cfcx-8653", "cves": ["CVE-2022-0722"], "access": "public", "patched_versions": ">=6.0.1", "cvss": {"score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"}, "updated": "2022-07-07T17:15:51.000Z", "recommendation": "Upgrade to version 6.0.1 or later", "cwe": ["CWE-200"], "found_by": null, "deleted": null, "id": 1080973, "references": "- https://nvd.nist.gov/vuln/detail/CVE-2022-0722\n- https://github.com/ionicabizau/parse-url/commit/21c72ab9412228eea753e2abc48f8962707b1fe3\n- https://huntr.dev/bounties/2490ef6d-5577-4714-a4dd-9608251b4226\n- https://github.com/advisories/GHSA-4p35-cfcx-8653", "created": "2022-06-28T00:01:01.000Z", "reported_by": null, "title": "Hostname confusion in parse-url", "npm_advisory_id": null, "overview": "Exposure of Sensitive Information to an Unauthorized Actor via hostname confusion in GitHub repository ionicabizau/parse-url prior to 6.0.1", "url": "https://github.com/advisories/GHSA-4p35-cfcx-8653"}, "1081481": {"findings": [{"version": "3.1.30", "paths": ["react-scripts>postcss>nanoid", "react-scripts>css-loader>postcss>nanoid", "react-scripts>tailwindcss>postcss-js>postcss>nanoid"]}], "metadata": null, "vulnerable_versions": ">=3.0.0 <3.1.31", "module_name": "nanoid", "severity": "moderate", "github_advisory_id": "GHSA-qrpm-p2h7-hrv2", "cves": ["CVE-2021-23566"], "access": "public", "patched_versions": ">=3.1.31", "cvss": {"score": 5.5, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"}, "updated": "2022-03-18T13:15:56.000Z", "recommendation": "Upgrade to version 3.1.31 or later", "cwe": ["CWE-200"], "found_by": null, "deleted": null, 
"id": 1081481, "references": "- https://nvd.nist.gov/vuln/detail/CVE-2021-23566\n- https://github.com/ai/nanoid/pull/328\n- https://github.com/ai/nanoid/commit/2b7bd9332bc49b6330c7ddb08e5c661833db2575\n- https://gist.github.com/artalar/bc6d1eb9a3477d15d2772e876169a444\n- https://snyk.io/vuln/SNYK-JS-NANOID-2332193\n- https://github.com/advisories/GHSA-qrpm-p2h7-hrv2", "created": "2022-01-21T23:57:06.000Z", "reported_by": null, "title": "Exposure of Sensitive Information to an Unauthorized Actor in nanoid", "npm_advisory_id": null, "overview": "The package nanoid from 3.0.0, before 3.1.31, are vulnerable to Information Exposure via the valueOf() function which allows to reproduce the last id generated.", "url": "https://github.com/advisories/GHSA-qrpm-p2h7-hrv2"}, "1081698": {"findings": [{"version": "5.10.0", "paths": ["react-scripts>terser-webpack-plugin>terser", "react-scripts>html-webpack-plugin>html-minifier-terser>terser", "react-scripts>workbox-webpack-plugin>workbox-build>rollup-plugin-terser>terser"]}], "metadata": null, "vulnerable_versions": ">=5.0.0 <5.14.2", "module_name": "terser", "severity": "high", "github_advisory_id": "GHSA-4wf5-vphf-c2xc", "cves": ["CVE-2022-25858"], "access": "public", "patched_versions": ">=5.14.2", "cvss": {"score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}, "updated": "2022-07-22T16:30:35.000Z", "recommendation": "Upgrade to version 5.14.2 or later", "cwe": [], "found_by": null, "deleted": null, "id": 1081698, "references": "- https://nvd.nist.gov/vuln/detail/CVE-2022-25858\n- https://github.com/terser/terser/commit/a4da7349fdc92c05094f41d33d06d8cd4e90e76b\n- https://github.com/terser/terser/commit/d8cc5691be980d663c29cc4d5ce67e852d597012\n- https://github.com/terser/terser/blob/master/lib/compress/evaluate.js%23L135\n- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-2949722\n- https://snyk.io/vuln/SNYK-JS-TERSER-2806366\n- https://github.com/advisories/GHSA-4wf5-vphf-c2xc", "created": 
"2022-07-16T00:00:20.000Z", "reported_by": null, "title": "Terser insecure use of regular expressions before v4.8.1 and v5.14.2 leads to ReDoS", "npm_advisory_id": null, "overview": "The package terser before 4.8.1, from 5.0.0 and before 5.14.2 are vulnerable to Regular Expression Denial of Service (ReDoS) due to insecure usage of regular expressions.", "url": "https://github.com/advisories/GHSA-4wf5-vphf-c2xc"}, "1081840": {"findings": [{"version": "0.10.0", "paths": ["react-scripts>webpack-dev-server>selfsigned>node-forge"]}], "metadata": null, "vulnerable_versions": "<1.0.0", "module_name": "node-forge", "severity": "low", "github_advisory_id": "GHSA-gf8q-jrpm-jvxq", "cves": [], "access": "public", "patched_versions": ">=1.0.0", "cvss": {"score": 0, "vectorString": null}, "updated": "2022-07-28T20:10:17.000Z", "recommendation": "Upgrade to version 1.0.0 or later", "cwe": ["CWE-601"], "found_by": null, "deleted": null, "id": 1081840, "references": "- https://github.com/digitalbazaar/forge/security/advisories/GHSA-gf8q-jrpm-jvxq\n- https://nvd.nist.gov/vuln/detail/CVE-2022-0122\n- https://www.huntr.dev/bounties/41852c50-3c6d-4703-8c55-4db27164a4ae\n- https://github.com/advisories/GHSA-gf8q-jrpm-jvxq", "created": "2022-01-08T00:22:02.000Z", "reported_by": null, "title": "URL parsing in node-forge could lead to undesired behavior.", "npm_advisory_id": null, "overview": "### Impact\nThe regex used for the `forge.util.parseUrl` API would not properly parse certain inputs resulting in a parsed data structure that could lead to undesired behavior.\n\n### Patches\n`forge.util.parseUrl` and other very old related URL APIs were removed in 1.0.0 in favor of letting applications use the more modern WHATWG URL Standard API.\n\n### Workarounds\nEnsure code does not directly or indirectly call `forge.util.parseUrl` with untrusted input.\n\n### References\n- https://www.huntr.dev/bounties/41852c50-3c6d-4703-8c55-4db27164a4ae/\n\n### For more information\nIf you have any 
questions or comments about this advisory:\n* Open an issue in [forge](https://github.com/digitalbazaar/forge)\n* Email us at support@digitalbazaar.com\n", "url": "https://github.com/advisories/GHSA-gf8q-jrpm-jvxq"}}, "muted": [], "metadata": {"vulnerabilities": {"info": 0, "low": 2, "moderate": 11, "high": 11, "critical": 13}, "dependencies": 1669, "devDependencies": 0, "optionalDependencies": 2, "totalDependencies": 1671}}
