Bulk vulnerability fix - Lockfile fix

[debricked]

Bulk vulnerability fix - Lockfile fix

This pull request will update your transitive dependencies within the allowed version intervals provided by your direct dependencies.

Fixed vulnerabilities:

CVE–2020–8203

• Description

  Allocation of Resources Without Limits or Throttling

  The software allocates a reusable resource or group of resources on behalf of an actor without imposing any restrictions on the size or number of resources that can be allocated, in violation of the intended security policy for that actor.

  NVD

  Prototype pollution attack when using _.zipObjectDeep in lodash <= 4.17.15.

• CVSS details - 7.4

   

  CVSS3 metrics
  Attack Vector	Network
  Attack Complexity	High
  Privileges Required	None
  User interaction	None
  Scope	Unchanged
  Confidentiality	None
  Integrity	High
  Availability	High

• References

      HackerOne
      CVE-2020-8203 Lodash Vulnerability in NetApp Products | NetApp Product Security
      CVE-2020-8203 is not modified in /.internal/baseSet.js · Issue #4874 · lodash/lodash · GitHub
      Oracle Critical Patch Update Advisory - April 2021

CVE–2020–28500

• Description

  NVD

  All versions of package lodash; all versions of package org.fujion.webjars:lodash are vulnerable to Regular Expression Denial of Service (ReDoS) via the toNumber, trim and trimEnd functions. Steps to reproduce (provided by reporter Liyuan Chen): var lo = require('lodash'); function build_blank (n) { var ret = "1" for (var i = 0; i < n; i++) { ret += " " } return ret + "1"; } var s = build_blank(50000) var time0 = Date.now(); lo.trim(s) var time_cost0 = Date.now() - time0; console.log("time_cost0: " + time_cost0) var time1 = Date.now(); lo.toNumber(s) var time_cost1 = Date.now() - time1; console.log("time_cost1: " + time_cost1) var time2 = Date.now(); lo.trimEnd(s) var time_cost2 = Date.now() - time2; console.log("time_cost2: " + time_cost2)

• CVSS details - 5.3

   

  CVSS3 metrics
  Attack Vector	Network
  Attack Complexity	Low
  Privileges Required	None
  User interaction	None
  Scope	Unchanged
  Confidentiality	None
  Integrity	None
  Availability	Low

• References

      CONFIRM
      perf: improve performance of toNumber, trim and trimEnd on large input strings by falsyvalues · Pull Request #5065 · lodash/lodash · GitHub
      February 2021 Lodash Vulnerabilities in NetApp Products | NetApp Product Security

CVE–2021–23337

• Description

  Improper Neutralization of Special Elements used in a Command ('Command Injection')

  The software constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.

  NVD

  All versions of package lodash; all versions of package org.fujion.webjars:lodash are vulnerable to Command Injection via template.

  GitHub

  Command Injection in lodash

  lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function.

• CVSS details - 7.2

   

  CVSS3 metrics
  Attack Vector	Network
  Attack Complexity	Low
  Privileges Required	High
  User interaction	None
  Scope	Unchanged
  Confidentiality	High
  Integrity	High
  Availability	High

• References

      MISC
      February 2021 Lodash Vulnerabilities in NetApp Products | NetApp Product Security
      lodash/lodash.js at ddfd9b11a0126db2302cb70ec9973b66baec0975 · lodash/lodash · GitHub
      NVD - CVE-2021-23337
      Prevent command injection through _.template's variable option · lodash/lodash@3469357 · GitHub
      Command Injection in lodash · CVE-2021-23337 · GitHub Advisory Database · GitHub

CVE–2020–7598

• Description

  Improper Input Validation

  The product does not validate or incorrectly validates input that can affect the control flow or data flow of a program.

  NVD

  minimist before 1.2.2 could be tricked into adding or modifying properties of Object.prototype using a "constructor" or "proto" payload.

  GitHub

  Prototype Pollution in minimist

  Affected versions of minimist are vulnerable to prototype pollution. Arguments are not properly sanitized, allowing an attacker to modify the prototype of Object, causing the addition or modification of an existing property that will exist on all objects.
  Parsing the argument --__proto__.y=Polluted adds a y property with value Polluted to all objects. The argument --__proto__=Polluted raises and uncaught error and crashes the application.
  This is exploitable if attackers have control over the arguments being passed to minimist.

  Recommendation

  Upgrade to versions 0.2.1, 1.2.3 or later.

• CVSS details - 5.6

   

  CVSS3 metrics
  Attack Vector	Network
  Attack Complexity	High
  Privileges Required	None
  User interaction	None
  Scope	Unchanged
  Confidentiality	Low
  Integrity	Low
  Availability	Low

• References

      [security-announce] openSUSE-SU-2020:0802-1: critical: Security update for nodejs8 - openSUSE Security Announce - openSUSE Mailing Lists
      NVD - CVE-2020-7598
      even more aggressive checks for protocol pollution · substack/minimist@38a4d1c · GitHub
      Prototype Pollution in minimist · CVE-2020-7598 · GitHub Advisory Database · GitHub
      don't assign onto proto · substack/minimist@63e7ed0 · GitHub

CVE–2020–28503

• Description

  NVD

  The package copy-props before 2.0.5 are vulnerable to Prototype Pollution via the main functionality.

• CVSS details - 9.8

   

  CVSS3 metrics
  Attack Vector	Network
  Attack Complexity	Low
  Privileges Required	None
  User interaction	None
  Scope	Unchanged
  Confidentiality	High
  Integrity	High
  Availability	High

• References

      Fix: Avoids prototype pollution by sttk · Pull Request #7 · gulpjs/copy-props · GitHub

CVE–2021–23343

• Description

  NVD

  All versions of package path-parse are vulnerable to Regular Expression Denial of Service (ReDoS) via splitDeviceRe, splitTailRe, and splitPathRe regular expressions. ReDoS exhibits polynomial worst-case time complexity.

• CVSS details - 7.5

   

  CVSS3 metrics
  Attack Vector	Network
  Attack Complexity	Low
  Privileges Required	None
  User interaction	None
  Scope	Unchanged
  Confidentiality	None
  Integrity	None
  Availability	High

• References

      ReDoS in path-parse · Issue #8 · jbgutierrez/path-parse · GitHub
      Pony Mail!

CVE–2021–23362

• Description

  NVD

  The package hosted-git-info before 3.0.8 are vulnerable to Regular Expression Denial of Service (ReDoS) via shortcutMatch in fromUrl().

  GitHub

  Regular Expression Denial of Service in hosted-git-info

  The npm package hosted-git-info before 3.0.8 are vulnerable to Regular Expression Denial of Service (ReDoS) via regular expression shortcutMatch in the fromUrl function in index.js. The affected regular expression exhibits polynomial worst-case time complexity

• CVSS details - 5.3

   

  CVSS3 metrics
  Attack Vector	Network
  Attack Complexity	Low
  Privileges Required	None
  User interaction	None
  Scope	Unchanged
  Confidentiality	None
  Integrity	None
  Availability	Low

• References

      Commits · npm/hosted-git-info · GitHub
      fix: backport regex fix from #76 · npm/hosted-git-info@29adfe5 · GitHub
      chore(release): 2.8.9 · npm/hosted-git-info@8d4b369 · GitHub
      fix: simplify the regular expression for shortcut matching · npm/hosted-git-info@bede0dc · GitHub
      NVD - CVE-2021-23362
      Regular Expression Denial of Service in hosted-git-info · CVE-2021-23362 · GitHub Advisory Database · GitHub

CVE–2021–28918

• Description

  Improper Input Validation

  The product does not validate or incorrectly validates input that can affect the control flow or data flow of a program.

  GitHub

  Improper parsing of octal bytes

  Improper input validation of octal strings in netmask npm package v1.0.6 and below allows unauthenticated remote attackers to perform indeterminate SSRF, RFI, and LFI attacks on many of the dependent packages. A remote unauthenticated attacker can bypass packages relying on netmask to filter IPs and reach critical VPN or LAN hosts.

  ❗ NOTE: The fix for this issue was incomplete. A subsequent fix was made in version 2.0.1 which was assigned CVE-2021-29418 / GHSA-pch5-whg9-qr2r. For complete protection from this vulnerability an upgrade to version 2.0.1 or later is recommended.

• CVSS details - 9.1

   

  CVSS3 metrics
  Attack Vector	Network
  Attack Complexity	Low
  Privileges Required	None
  User interaction	None
  Scope	Unchanged
  Confidentiality	High
  Integrity	High
  Availability	None

• References

      netmask npm package vulnerable to octal input data · CVE-2021-29418 · GitHub Advisory Database · GitHub
      GitHub - rs/node-netmask: Parse and lookup IP network blocks
      security/SICK-2021-011.md at master · sickcodes/security · GitHub
      Critical netmask networking bug impacts thousands of applications
      netmask - npm
      CVE-2021-28918 Node.js Vulnerability in NetApp Products | NetApp Product Security

CVE–2021–29418

• Description

  Improper Input Validation

  The product does not validate or incorrectly validates input that can affect the control flow or data flow of a program.

  NVD

  The netmask package before 2.0.1 for Node.js mishandles certain unexpected characters in an IP address string, such as an octal digit of 9. This (in some situations) allows attackers to bypass access control that is based on IP addresses. NOTE: this issue exists because of an incomplete fix for CVE-2021-28918.

• CVSS details - 5.3

   

  CVSS3 metrics
  Attack Vector	Network
  Attack Complexity	Low
  Privileges Required	None
  User interaction	None
  Scope	Unchanged
  Confidentiality	None
  Integrity	Low
  Availability	None

• References

      CVE-2021-29418 Node.js Vulnerability in NetApp Products | NetApp Product Security
      Rewrite byte parsing in full JS without depending on parseInt · rs/node-netmask@3f19a05 · GitHub
      Advisory #6 - RyotaK's Vuln DB

CVE–2021–23364

• Description

  NVD

  The package browserslist from 4.0.0 and before 4.16.5 are vulnerable to Regular Expression Denial of Service (ReDoS) during parsing of queries.

  GitHub

  Regular Expression Denial of Service in browserslist

  The package browserslist from 4.0.0 and before 4.16.5 are vulnerable to Regular Expression Denial of Service (ReDoS) during parsing of queries.

• CVSS details - 5.3

   

  CVSS3 metrics
  Attack Vector	Network
  Attack Complexity	Low
  Privileges Required	None
  User interaction	None
  Scope	Unchanged
  Confidentiality	None
  Integrity	None
  Availability	Low

• References

      Fix unsafe regexp · browserslist/browserslist@c091916 · GitHub
      Fix ReDoS by yetingli · Pull Request #593 · browserslist/browserslist · GitHub
      MISC
      Regular Expression Denial of Service in browserslist · CVE-2021-23364 · GitHub Advisory Database · GitHub
      browserslist/index.js at e82f32d1d4100d6bc79ea0b6b6a2d281a561e33c · browserslist/browserslist · GitHub
      NVD - CVE-2021-23364

CVE–2021–23368

• Description

  NVD

  The package postcss from 7.0.0 and before 8.2.10 are vulnerable to Regular Expression Denial of Service (ReDoS) during source map parsing.

• CVSS details - 5.3

   

  CVSS3 metrics
  Attack Vector	Network
  Attack Complexity	Low
  Privileges Required	None
  User interaction	None
  Scope	Unchanged
  Confidentiality	None
  Integrity	None
  Availability	Low

• References

      Fix unsafe regexp · postcss/postcss@8682b1e · GitHub
      Fix unsafe regexp in getAnnotationURL() too · postcss/postcss@b6f3e4d · GitHub
      Pony Mail!
      Pony Mail!
      Pony Mail!
      Pony Mail!
      Pony Mail!
      Pony Mail!

CVE–2020–8116

• Description

  Direct Request ('Forced Browsing')

  The web application does not adequately enforce appropriate authorization on all restricted URLs, scripts, or files.

  NVD

  Prototype pollution vulnerability in dot-prop npm package version 5.1.0 and earlier allows an attacker to add arbitrary properties to JavaScript language constructs such as objects.

  GitHub

  Prototype Pollution in dot-prop

  Prototype pollution vulnerability in dot-prop npm package before versions 4.2.1 and 5.1.1 allows an attacker to add arbitrary properties to JavaScript language constructs such as objects.

• CVSS details - 7.3

   

  CVSS3 metrics
  Attack Vector	Network
  Attack Complexity	Low
  Privileges Required	None
  User interaction	None
  Scope	Unchanged
  Confidentiality	Low
  Integrity	Low
  Availability	Low

• References

      HackerOne
      Prototype Pollution in dot-prop · CVE-2020-8116 · GitHub Advisory Database · GitHub
      GitHub - sindresorhus/dot-prop at v4
      NVD - CVE-2020-8116
      Please backport CVE-2020-8116 security fix to 4.x. · Issue #63 · sindresorhus/dot-prop · GitHub

 

Related information

📌 Remember! Check the changes to ensure they don't introduce any breaking changes.
📚 Read more at Debricked