-
Notifications
You must be signed in to change notification settings - Fork 0
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[Snyk] Security upgrade @reactioncommerce/api-plugin-files from 1.0.13 to 1.0.19 #7
base: trunk
Are you sure you want to change the base?
Conversation
The following vulnerabilities are fixed with an upgrade: - https://snyk.io/vuln/SNYK-JS-ANSIREGEX-1583908
@@ -33,7 +33,7 @@ | |||
"@reactioncommerce/api-plugin-email": "~1.0.1", |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Critical OSS Vulnerability:
pkg:npm/%40reactioncommerce/[email protected]
9 Critical, 2 Severe, 1 Moderate, 0 Unknown vulnerabilities have been found across 9 dependencies
Components
pkg:npm/[email protected]
CRITICAL Vulnerabilities (1)
[CVE-2021-23337] CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')
Lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function.
CVSS Score: 7.2
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
CWE: CWE-77
SEVERE Vulnerabilities (1)
[CVE-2020-28500] CWE-400: Uncontrolled Resource Consumption ('Resource Exhaustion')
Lodash versions prior to 4.17.21 are vulnerable to Regular Expression Denial of Service (ReDoS) via the toNumber, trim and trimEnd functions.
CVSS Score: 5.3
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
CWE: CWE-400
pkg:npm/[email protected]
CRITICAL Vulnerabilities (1)
[CVE-2021-44906] Minimist <=1.2.5 is vulnerable to Prototype Pollution via file index.js, function setKey() (lines 69-95).
Minimist <=1.2.5 is vulnerable to Prototype Pollution via file index.js, function setKey() (lines 69-95).
CVSS Score: 9.8
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE: CWE-1321
pkg:npm/[email protected]
CRITICAL Vulnerabilities (1)
[sonatype-2021-1169] Unknown
ansi-regex - Regular Expression Denial of Service (ReDoS) [CVE-2021-3807]
CVSS Score: 7.5
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CWE: CWE-1333
pkg:npm/[email protected]
CRITICAL Vulnerabilities (1)
[CVE-2021-3918] CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes
json-schema is vulnerable to Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
CVSS Score: 9.8
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE: CWE-915
pkg:npm/[email protected]
CRITICAL Vulnerabilities (1)
[sonatype-2021-1736] Unknown
ramda - Regular Expression Denial of Service (ReDoS)
CVSS Score: 7.5
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CWE: CWE-1333
pkg:npm/[email protected]
CRITICAL Vulnerabilities (1)
[CVE-2022-24785] CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Moment.js is a JavaScript date library for parsing, validating, manipulating, and formatting dates. A path traversal vulnerability impacts npm (server) users of Moment.js between versions 1.0.1 and 2.29.1, especially if a user-provided locale string is directly used to switch moment locale. This problem is patched in 2.29.2, and the patch can be applied to all affected versions. As a workaround, sanitize the user-provided locale name before passing it to Moment.js.
CVSS Score: 7.5
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
CWE: CWE-22
pkg:npm/[email protected]
CRITICAL Vulnerabilities (1)
[sonatype-2021-4879] Unknown
minimatch - Regular Expression Denial of Service (ReDoS)
CVSS Score: 7.5
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CWE: CWE-1333
pkg:npm/[email protected]
SEVERE Vulnerabilities (1)
[sonatype-2017-0655] Unknown
request - Weak Authentication Algorithm
CVSS Score: 5.9
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
CWE: CWE-310
MODERATE Vulnerabilities (1)
[sonatype-2021-0749] CWE-326: Inadequate Encryption Strength
request - Inadequate Encryption Strength
The software stores or transmits sensitive data using an encryption scheme that is theoretically sound, but is not strong enough for the level of protection required.
CVSS Score: 3.7
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
CWE: CWE-326
pkg:npm/[email protected]
CRITICAL Vulnerabilities (2)
sonatype-2021-0509
[sonatype-2021-0509] CWE-400: Uncontrolled Resource Consumption ('Resource Exhaustion')
validator - Regular Expression Denial of Service (ReDoS)
The software does not properly restrict the size or amount of resources that are requested or influenced by an actor, which can be used to consume more resources than intended.
CVSS Score: 7.5
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CWE: CWE-400
sonatype-2021-0510
[sonatype-2021-0510] CWE-400: Uncontrolled Resource Consumption ('Resource Exhaustion')
validator - Regular Expression Denial of Service (ReDoS)
The software does not properly restrict the size or amount of resources that are requested or influenced by an actor, which can be used to consume more resources than intended.
CVSS Score: 7.5
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CWE: CWE-400
(at-me in a reply with help
or ignore
)
Was this a good recommendation?
[ 🙁 Not relevant ] - [ 😕 Won't fix ] - [ 😑 Not critical, will fix ] - [ 🙂 Critical, will fix ] - [ 😊 Critical, fixing now ]
@@ -33,7 +33,7 @@ | |||
"@reactioncommerce/api-plugin-email": "~1.0.1", | |||
"@reactioncommerce/api-plugin-email-smtp": "~1.0.1", | |||
"@reactioncommerce/api-plugin-email-templates": "~1.0.1", | |||
"@reactioncommerce/api-plugin-files": "~1.0.13", | |||
"@reactioncommerce/api-plugin-files": "~1.0.19", | |||
"@reactioncommerce/api-plugin-i18n": "~1.0.0", |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Critical OSS Vulnerability:
pkg:npm/%40reactioncommerce/[email protected]
9 Critical, 2 Severe, 1 Moderate, 0 Unknown vulnerabilities have been found across 9 dependencies
Components
pkg:npm/[email protected]
CRITICAL Vulnerabilities (1)
[CVE-2021-23337] CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')
Lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function.
CVSS Score: 7.2
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
CWE: CWE-77
SEVERE Vulnerabilities (1)
[CVE-2020-28500] CWE-400: Uncontrolled Resource Consumption ('Resource Exhaustion')
Lodash versions prior to 4.17.21 are vulnerable to Regular Expression Denial of Service (ReDoS) via the toNumber, trim and trimEnd functions.
CVSS Score: 5.3
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
CWE: CWE-400
pkg:npm/[email protected]
CRITICAL Vulnerabilities (1)
[CVE-2021-44906] Minimist <=1.2.5 is vulnerable to Prototype Pollution via file index.js, function setKey() (lines 69-95).
Minimist <=1.2.5 is vulnerable to Prototype Pollution via file index.js, function setKey() (lines 69-95).
CVSS Score: 9.8
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE: CWE-1321
pkg:npm/[email protected]
CRITICAL Vulnerabilities (1)
[sonatype-2021-1169] Unknown
ansi-regex - Regular Expression Denial of Service (ReDoS) [CVE-2021-3807]
CVSS Score: 7.5
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CWE: CWE-1333
pkg:npm/[email protected]
CRITICAL Vulnerabilities (1)
[CVE-2021-3918] CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes
json-schema is vulnerable to Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
CVSS Score: 9.8
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE: CWE-915
pkg:npm/[email protected]
CRITICAL Vulnerabilities (1)
[sonatype-2021-1736] Unknown
ramda - Regular Expression Denial of Service (ReDoS)
CVSS Score: 7.5
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CWE: CWE-1333
pkg:npm/[email protected]
CRITICAL Vulnerabilities (1)
[CVE-2022-24785] CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Moment.js is a JavaScript date library for parsing, validating, manipulating, and formatting dates. A path traversal vulnerability impacts npm (server) users of Moment.js between versions 1.0.1 and 2.29.1, especially if a user-provided locale string is directly used to switch moment locale. This problem is patched in 2.29.2, and the patch can be applied to all affected versions. As a workaround, sanitize the user-provided locale name before passing it to Moment.js.
CVSS Score: 7.5
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
CWE: CWE-22
pkg:npm/[email protected]
CRITICAL Vulnerabilities (1)
[sonatype-2021-4879] Unknown
minimatch - Regular Expression Denial of Service (ReDoS)
CVSS Score: 7.5
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CWE: CWE-1333
pkg:npm/[email protected]
SEVERE Vulnerabilities (1)
[sonatype-2017-0655] Unknown
request - Weak Authentication Algorithm
CVSS Score: 5.9
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
CWE: CWE-310
MODERATE Vulnerabilities (1)
[sonatype-2021-0749] CWE-326: Inadequate Encryption Strength
request - Inadequate Encryption Strength
The software stores or transmits sensitive data using an encryption scheme that is theoretically sound, but is not strong enough for the level of protection required.
CVSS Score: 3.7
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
CWE: CWE-326
pkg:npm/[email protected]
CRITICAL Vulnerabilities (2)
sonatype-2021-0509
[sonatype-2021-0509] CWE-400: Uncontrolled Resource Consumption ('Resource Exhaustion')
validator - Regular Expression Denial of Service (ReDoS)
The software does not properly restrict the size or amount of resources that are requested or influenced by an actor, which can be used to consume more resources than intended.
CVSS Score: 7.5
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CWE: CWE-400
sonatype-2021-0510
[sonatype-2021-0510] CWE-400: Uncontrolled Resource Consumption ('Resource Exhaustion')
validator - Regular Expression Denial of Service (ReDoS)
The software does not properly restrict the size or amount of resources that are requested or influenced by an actor, which can be used to consume more resources than intended.
CVSS Score: 7.5
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CWE: CWE-400
(at-me in a reply with help
or ignore
)
Was this a good recommendation?
[ 🙁 Not relevant ] - [ 😕 Won't fix ] - [ 😑 Not critical, will fix ] - [ 🙂 Critical, will fix ] - [ 😊 Critical, fixing now ]
@@ -33,7 +33,7 @@ | |||
"@reactioncommerce/api-plugin-email": "~1.0.1", | |||
"@reactioncommerce/api-plugin-email-smtp": "~1.0.1", |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Critical OSS Vulnerability:
pkg:npm/%40reactioncommerce/[email protected]
12 Critical, 2 Severe, 1 Moderate, 0 Unknown vulnerabilities have been found across 12 dependencies
Components
pkg:npm/[email protected]
CRITICAL Vulnerabilities (1)
[CVE-2021-23337] CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')
Lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function.
CVSS Score: 7.2
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
CWE: CWE-77
SEVERE Vulnerabilities (1)
[CVE-2020-28500] CWE-400: Uncontrolled Resource Consumption ('Resource Exhaustion')
Lodash versions prior to 4.17.21 are vulnerable to Regular Expression Denial of Service (ReDoS) via the toNumber, trim and trimEnd functions.
CVSS Score: 5.3
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
CWE: CWE-400
pkg:npm/[email protected]
CRITICAL Vulnerabilities (1)
[CVE-2021-44906] Minimist <=1.2.5 is vulnerable to Prototype Pollution via file index.js, function setKey() (lines 69-95).
Minimist <=1.2.5 is vulnerable to Prototype Pollution via file index.js, function setKey() (lines 69-95).
CVSS Score: 9.8
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE: CWE-1321
pkg:npm/[email protected]
CRITICAL Vulnerabilities (1)
[sonatype-2021-1169] Unknown
ansi-regex - Regular Expression Denial of Service (ReDoS) [CVE-2021-3807]
CVSS Score: 7.5
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CWE: CWE-1333
pkg:npm/[email protected]
CRITICAL Vulnerabilities (1)
[CVE-2021-3918] CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes
json-schema is vulnerable to Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
CVSS Score: 9.8
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE: CWE-915
pkg:npm/[email protected]
CRITICAL Vulnerabilities (1)
[sonatype-2021-1736] Unknown
ramda - Regular Expression Denial of Service (ReDoS)
CVSS Score: 7.5
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CWE: CWE-1333
pkg:npm/[email protected]
CRITICAL Vulnerabilities (1)
[CVE-2021-23337] CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')
Lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function.
CVSS Score: 7.2
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
CWE: CWE-77
pkg:npm/[email protected]
CRITICAL Vulnerabilities (1)
[CVE-2022-24785] CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Moment.js is a JavaScript date library for parsing, validating, manipulating, and formatting dates. A path traversal vulnerability impacts npm (server) users of Moment.js between versions 1.0.1 and 2.29.1, especially if a user-provided locale string is directly used to switch moment locale. This problem is patched in 2.29.2, and the patch can be applied to all affected versions. As a workaround, sanitize the user-provided locale name before passing it to Moment.js.
CVSS Score: 7.5
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
CWE: CWE-22
pkg:npm/[email protected]
CRITICAL Vulnerabilities (1)
[sonatype-2021-4879] Unknown
minimatch - Regular Expression Denial of Service (ReDoS)
CVSS Score: 7.5
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CWE: CWE-1333
pkg:npm/[email protected]
SEVERE Vulnerabilities (1)
[sonatype-2017-0655] Unknown
request - Weak Authentication Algorithm
CVSS Score: 5.9
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
CWE: CWE-310
MODERATE Vulnerabilities (1)
[sonatype-2021-0749] CWE-326: Inadequate Encryption Strength
request - Inadequate Encryption Strength
The software stores or transmits sensitive data using an encryption scheme that is theoretically sound, but is not strong enough for the level of protection required.
CVSS Score: 3.7
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
CWE: CWE-326
pkg:npm/[email protected]
CRITICAL Vulnerabilities (1)
[CVE-2020-7742] This affects the package simpl-schema before 1.10.2.
This affects the package simpl-schema before 1.10.2.
CVSS Score: 7.5
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CWE: CWE-1321
pkg:npm/[email protected]
CRITICAL Vulnerabilities (2)
sonatype-2021-0509
[sonatype-2021-0509] CWE-400: Uncontrolled Resource Consumption ('Resource Exhaustion')
validator - Regular Expression Denial of Service (ReDoS)
The software does not properly restrict the size or amount of resources that are requested or influenced by an actor, which can be used to consume more resources than intended.
CVSS Score: 7.5
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CWE: CWE-400
sonatype-2021-0510
[sonatype-2021-0510] CWE-400: Uncontrolled Resource Consumption ('Resource Exhaustion')
validator - Regular Expression Denial of Service (ReDoS)
The software does not properly restrict the size or amount of resources that are requested or influenced by an actor, which can be used to consume more resources than intended.
CVSS Score: 7.5
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CWE: CWE-400
pkg:npm/[email protected]
CRITICAL Vulnerabilities (1)
[CVE-2020-7742] This affects the package simpl-schema before 1.10.2.
This affects the package simpl-schema before 1.10.2.
CVSS Score: 7.5
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CWE: CWE-1321
(at-me in a reply with help
or ignore
)
Was this a good recommendation?
[ 🙁 Not relevant ] - [ 😕 Won't fix ] - [ 😑 Not critical, will fix ] - [ 🙂 Critical, will fix ] - [ 😊 Critical, fixing now ]
@@ -33,7 +33,7 @@ | |||
"@reactioncommerce/api-plugin-email": "~1.0.1", | |||
"@reactioncommerce/api-plugin-email-smtp": "~1.0.1", | |||
"@reactioncommerce/api-plugin-email-templates": "~1.0.1", | |||
"@reactioncommerce/api-plugin-files": "~1.0.13", | |||
"@reactioncommerce/api-plugin-files": "~1.0.19", |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Critical OSS Vulnerability:
pkg:npm/%40reactioncommerce/[email protected]
21 Critical, 15 Severe, 1 Moderate, 0 Unknown vulnerabilities have been found across 21 dependencies
Components
pkg:npm/[email protected]
SEVERE Vulnerabilities (1)
[CVE-2022-29256] CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
sharp is an application for Node.js image processing. Prior to version 0.30.5, there is a possible vulnerability in logic that is run only at
npm install
time when installing versions ofsharp
prior to the latest v0.30.5. If an attacker has the ability to set the value of thePKG_CONFIG_PATH
environment variable in a build environment then they might be able to use this to inject an arbitrary command atnpm install
time. This is not part of any runtime code, does not affect Windows users at all, and is unlikely to affect anyone that already cares about the security of their build environment. This problem is fixed in version 0.30.5.CVSS Score: 6.5
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H
CWE: CWE-78
pkg:npm/[email protected]
CRITICAL Vulnerabilities (1)
[CVE-2021-44906] Minimist <=1.2.5 is vulnerable to Prototype Pollution via file index.js, function setKey() (lines 69-95).
Minimist <=1.2.5 is vulnerable to Prototype Pollution via file index.js, function setKey() (lines 69-95).
CVSS Score: 9.8
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE: CWE-1321
pkg:npm/[email protected]
SEVERE Vulnerabilities (2)
CVE-2022-0155
[CVE-2022-0155] CWE-359: Exposure of Private Information ('Privacy Violation')
follow-redirects is vulnerable to Exposure of Private Personal Information to an Unauthorized Actor
CVSS Score: 6.5
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
CWE: CWE-359
CVE-2022-0536
[CVE-2022-0536] CWE-200: Information Exposure
Exposure of Sensitive Information to an Unauthorized Actor in NPM follow-redirects prior to 1.14.8.
CVSS Score: 5.9
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
CWE: CWE-200
pkg:npm/[email protected]
CRITICAL Vulnerabilities (1)
[sonatype-2021-1169] Unknown
ansi-regex - Regular Expression Denial of Service (ReDoS) [CVE-2021-3807]
CVSS Score: 7.5
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CWE: CWE-1333
pkg:npm/[email protected]
CRITICAL Vulnerabilities (1)
[CVE-2021-3918] CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes
json-schema is vulnerable to Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
CVSS Score: 9.8
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE: CWE-915
pkg:npm/[email protected]
CRITICAL Vulnerabilities (1)
[CVE-2021-3749] CWE-400: Uncontrolled Resource Consumption ('Resource Exhaustion')
axios is vulnerable to Inefficient Regular Expression Complexity
CVSS Score: 7.5
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CWE: CWE-400
SEVERE Vulnerabilities (1)
[CVE-2020-28168] CWE-918: Server-Side Request Forgery (SSRF)
Axios NPM package 0.21.0 contains a Server-Side Request Forgery (SSRF) vulnerability where an attacker is able to bypass a proxy by providing a URL that responds with a redirect to a restricted host or IP address.
CVSS Score: 5.9
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
CWE: CWE-918
pkg:npm/[email protected]
CRITICAL Vulnerabilities (4)
CVE-2022-24771
[CVE-2022-24771] CWE-347: Improper Verification of Cryptographic Signature
Forge (also called
node-forge
) is a native implementation of Transport Layer Security in JavaScript. Prior to version 1.3.0, RSA PKCS#1 v1.5 signature verification code is lenient in checking the digest algorithm structure. This can allow a crafted structure that steals padding bytes and uses unchecked portion of the PKCS#1 encoded message to forge a signature when a low public exponent is being used. The issue has been addressed innode-forge
version 1.3.0. There are currently no known workarounds.CVSS Score: 7.5
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
CWE: CWE-347
CVE-2022-24772
[CVE-2022-24772] CWE-347: Improper Verification of Cryptographic Signature
Forge (also called
node-forge
) is a native implementation of Transport Layer Security in JavaScript. Prior to version 1.3.0, RSA PKCS#1 v1.5 signature verification code does not check for tailing garbage bytes after decoding aDigestInfo
ASN.1 structure. This can allow padding bytes to be removed and garbage data added to forge a signature when a low public exponent is being used. The issue has been addressed innode-forge
version 1.3.0. There are currently no known workarounds.CVSS Score: 7.5
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
CWE: CWE-347
sonatype-2022-0218
[sonatype-2022-0218] Unknown
node-forge - Prototype Pollution
CVSS Score: 7.5
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
CWE: CWE-1321
CVE-2020-7720
[CVE-2020-7720] CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes
The package node-forge before 0.10.0 is vulnerable to Prototype Pollution via the util.setPath function. Note: Version 0.10.0 is a breaking change removing the vulnerable functions.
CVSS Score: 7.3
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
CWE: CWE-915
SEVERE Vulnerabilities (2)
CVE-2022-0122
[CVE-2022-0122] CWE-601: URL Redirection to Untrusted Site ('Open Redirect')
forge is vulnerable to URL Redirection to Untrusted Site
CVSS Score: 6.1
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CWE: CWE-601
CVE-2022-24773
[CVE-2022-24773] CWE-347: Improper Verification of Cryptographic Signature
Forge (also called
node-forge
) is a native implementation of Transport Layer Security in JavaScript. Prior to version 1.3.0, RSA PKCS#1 v1.5 signature verification code does not properly checkDigestInfo
for a proper ASN.1 structure. This can lead to successful verification with signatures that contain invalid structures but a valid digest. The issue has been addressed innode-forge
version 1.3.0. There are currently no known workarounds.CVSS Score: 5.3
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
CWE: CWE-347
pkg:npm/[email protected]
SEVERE Vulnerabilities (1)
[sonatype-2017-0655] Unknown
request - Weak Authentication Algorithm
CVSS Score: 5.9
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
CWE: CWE-310
MODERATE Vulnerabilities (1)
[sonatype-2021-0749] CWE-326: Inadequate Encryption Strength
request - Inadequate Encryption Strength
The software stores or transmits sensitive data using an encryption scheme that is theoretically sound, but is not strong enough for the level of protection required.
CVSS Score: 3.7
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
CWE: CWE-326
pkg:npm/[email protected]
CRITICAL Vulnerabilities (1)
[CVE-2020-28472] CWE-471: Modification of Assumed-Immutable Data (MAID)
This affects the package @aws-sdk/shared-ini-file-loader before 1.0.0-rc.9; the package aws-sdk before 2.814.0. If an attacker submits a malicious INI file to an application that parses it with loadSharedConfigFiles , they will pollute the prototype on the application. This can be exploited further depending on the context.
CVSS Score: 9.8
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE: CWE-471
pkg:npm/[email protected]
CRITICAL Vulnerabilities (1)
[sonatype-2020-1214] CWE-471: Modification of Assumed-Immutable Data (MAID)
ini - Prototype Pollution [CVE-2020-7788]
The software does not properly protect an assumed-immutable element from being modified by an attacker.
CVSS Score: 7.3
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
CWE: CWE-471
pkg:npm/[email protected]
CRITICAL Vulnerabilities (1)
[CVE-2021-23337] CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')
Lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function.
CVSS Score: 7.2
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
CWE: CWE-77
SEVERE Vulnerabilities (1)
[CVE-2020-28500] CWE-400: Uncontrolled Resource Consumption ('Resource Exhaustion')
Lodash versions prior to 4.17.21 are vulnerable to Regular Expression Denial of Service (ReDoS) via the toNumber, trim and trimEnd functions.
CVSS Score: 5.3
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
CWE: CWE-400
pkg:npm/[email protected]
CRITICAL Vulnerabilities (2)
CVE-2022-0691
[CVE-2022-0691] CWE-639: Authorization Bypass Through User-Controlled Key
Authorization Bypass Through User-Controlled Key in NPM url-parse prior to 1.5.9.
CVSS Score: 9.8
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE: CWE-639
CVE-2022-0686
[CVE-2022-0686] CWE-639: Authorization Bypass Through User-Controlled Key
Authorization Bypass Through User-Controlled Key in NPM url-parse prior to 1.5.8.
CVSS Score: 9.1
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
CWE: CWE-639
SEVERE Vulnerabilities (4)
CVE-2021-27515
[CVE-2021-27515] CWE-20: Improper Input Validation
url-parse before 1.5.0 mishandles certain uses of backslash such as http:/ and interprets the URI as a relative path.
CVSS Score: 5.3
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
CWE: CWE-20
CVE-2021-3664
[CVE-2021-3664] CWE-601: URL Redirection to Untrusted Site ('Open Redirect')
url-parse is vulnerable to URL Redirection to Untrusted Site
CVSS Score: 5.3
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
CWE: CWE-601
CVE-2022-0512
[CVE-2022-0512] CWE-639: Authorization Bypass Through User-Controlled Key
Authorization Bypass Through User-Controlled Key in NPM url-parse prior to 1.5.6.
CVSS Score: 5.3
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
CWE: CWE-639
CVE-2022-0639
[CVE-2022-0639] CWE-639: Authorization Bypass Through User-Controlled Key
Authorization Bypass Through User-Controlled Key in NPM url-parse prior to 1.5.7.
CVSS Score: 5.3
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
CWE: CWE-639
pkg:npm/[email protected]
SEVERE Vulnerabilities (1)
[sonatype-2019-0419] CWE-300: Channel Accessible by Non-Endpoint ('Man-in-the-Middle')
https-proxy-agent - Man-in-the-Middle
The product does not adequately verify the identity of actors at both ends of a communication channel, or does not adequately ensure the integrity of the channel, in a way that allows the channel to be accessed or influenced by an actor that is not an endpoint.
CVSS Score: 5.9
CVSS Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
CWE: CWE-300
pkg:npm/[email protected]
SEVERE Vulnerabilities (2)
CVE-2022-0235
[CVE-2022-0235] CWE-601: URL Redirection to Untrusted Site ('Open Redirect')
node-fetch is vulnerable to Exposure of Sensitive Information to an Unauthorized Actor
CVSS Score: 6.1
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CWE: CWE-601
CVE-2022-0645
[CVE-2022-0645] CWE-601: URL Redirection to Untrusted Site ('Open Redirect')
Open redirect vulnerability via endpoint authorize_and_redirect/?redirect= in GitHub repository posthog/posthog prior to 1.34.1.
CVSS Score: 6.1
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CWE: CWE-601
pkg:npm/[email protected]
CRITICAL Vulnerabilities (1)
[sonatype-2021-1736] Unknown
ramda - Regular Expression Denial of Service (ReDoS)
CVSS Score: 7.5
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CWE: CWE-1333
pkg:npm/[email protected]
CRITICAL Vulnerabilities (1)
[CVE-2021-23337] CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')
Lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function.
CVSS Score: 7.2
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
CWE: CWE-77
pkg:npm/[email protected]
CRITICAL Vulnerabilities (1)
[CVE-2021-43138] In Async before 2.6.4 and 3.x before 3.2.2, a malicious user can obtain privileges via the mapValues() method, aka lib/internal/iterator.js createObjectIterator prototype pollution.
In Async before 2.6.4 and 3.x before 3.2.2, a malicious user can obtain privileges via the mapValues() method, aka lib/internal/iterator.js createObjectIterator prototype pollution.
CVSS Score: 7.8
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CWE: CWE-1321
pkg:npm/[email protected]
CRITICAL Vulnerabilities (1)
[sonatype-2021-0509] CWE-400: Uncontrolled Resource Consumption ('Resource Exhaustion')
validator - Regular Expression Denial of Service (ReDoS)
The software does not properly restrict the size or amount of resources that are requested or influenced by an actor, which can be used to consume more resources than intended.
CVSS Score: 7.5
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CWE: CWE-400
pkg:npm/[email protected]
CRITICAL Vulnerabilities (1)
[CVE-2022-24785] CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Moment.js is a JavaScript date library for parsing, validating, manipulating, and formatting dates. A path traversal vulnerability impacts npm (server) users of Moment.js between versions 1.0.1 and 2.29.1, especially if a user-provided locale string is directly used to switch moment locale. This problem is patched in 2.29.2, and the patch can be applied to all affected versions. As a workaround, sanitize the user-provided locale name before passing it to Moment.js.
CVSS Score: 7.5
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
CWE: CWE-22
pkg:npm/[email protected]
CRITICAL Vulnerabilities (1)
[sonatype-2021-4879] Unknown
minimatch - Regular Expression Denial of Service (ReDoS)
CVSS Score: 7.5
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CWE: CWE-1333
pkg:npm/[email protected]
CRITICAL Vulnerabilities (2)
sonatype-2021-0509
[sonatype-2021-0509] CWE-400: Uncontrolled Resource Consumption ('Resource Exhaustion')
validator - Regular Expression Denial of Service (ReDoS)
The software does not properly restrict the size or amount of resources that are requested or influenced by an actor, which can be used to consume more resources than intended.
CVSS Score: 7.5
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CWE: CWE-400
sonatype-2021-0510
[sonatype-2021-0510] CWE-400: Uncontrolled Resource Consumption ('Resource Exhaustion')
validator - Regular Expression Denial of Service (ReDoS)
The software does not properly restrict the size or amount of resources that are requested or influenced by an actor, which can be used to consume more resources than intended.
CVSS Score: 7.5
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CWE: CWE-400
(at-me in a reply with help
or ignore
)
Was this a good recommendation?
[ 🙁 Not relevant ] - [ 😕 Won't fix ] - [ 😑 Not critical, will fix ] - [ 🙂 Critical, will fix ] - [ 😊 Critical, fixing now ]
@@ -33,7 +33,7 @@ | |||
"@reactioncommerce/api-plugin-email": "~1.0.1", | |||
"@reactioncommerce/api-plugin-email-smtp": "~1.0.1", | |||
"@reactioncommerce/api-plugin-email-templates": "~1.0.1", | |||
"@reactioncommerce/api-plugin-files": "~1.0.13", | |||
"@reactioncommerce/api-plugin-files": "~1.0.19", | |||
"@reactioncommerce/api-plugin-i18n": "~1.0.0", | |||
"@reactioncommerce/api-plugin-inventory": "~1.0.2", |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Critical OSS Vulnerability:
pkg:npm/%40reactioncommerce/[email protected]
9 Critical, 2 Severe, 1 Moderate, 0 Unknown vulnerabilities have been found across 9 dependencies
Components
pkg:npm/[email protected]
CRITICAL Vulnerabilities (1)
[CVE-2021-23337] CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')
Lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function.
CVSS Score: 7.2
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
CWE: CWE-77
SEVERE Vulnerabilities (1)
[CVE-2020-28500] CWE-400: Uncontrolled Resource Consumption ('Resource Exhaustion')
Lodash versions prior to 4.17.21 are vulnerable to Regular Expression Denial of Service (ReDoS) via the toNumber, trim and trimEnd functions.
CVSS Score: 5.3
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
CWE: CWE-400
pkg:npm/[email protected]
CRITICAL Vulnerabilities (1)
[CVE-2021-44906] Minimist <=1.2.5 is vulnerable to Prototype Pollution via file index.js, function setKey() (lines 69-95).
Minimist <=1.2.5 is vulnerable to Prototype Pollution via file index.js, function setKey() (lines 69-95).
CVSS Score: 9.8
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE: CWE-1321
pkg:npm/[email protected]
CRITICAL Vulnerabilities (1)
[sonatype-2021-1169] Unknown
ansi-regex - Regular Expression Denial of Service (ReDoS) [CVE-2021-3807]
CVSS Score: 7.5
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CWE: CWE-1333
pkg:npm/[email protected]
CRITICAL Vulnerabilities (1)
[CVE-2021-3918] CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes
json-schema is vulnerable to Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
CVSS Score: 9.8
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE: CWE-915
pkg:npm/[email protected]
CRITICAL Vulnerabilities (1)
[sonatype-2021-1736] Unknown
ramda - Regular Expression Denial of Service (ReDoS)
CVSS Score: 7.5
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CWE: CWE-1333
pkg:npm/[email protected]
CRITICAL Vulnerabilities (1)
[CVE-2022-24785] CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Moment.js is a JavaScript date library for parsing, validating, manipulating, and formatting dates. A path traversal vulnerability impacts npm (server) users of Moment.js between versions 1.0.1 and 2.29.1, especially if a user-provided locale string is directly used to switch moment locale. This problem is patched in 2.29.2, and the patch can be applied to all affected versions. As a workaround, sanitize the user-provided locale name before passing it to Moment.js.
CVSS Score: 7.5
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
CWE: CWE-22
pkg:npm/[email protected]
CRITICAL Vulnerabilities (1)
[sonatype-2021-4879] Unknown
minimatch - Regular Expression Denial of Service (ReDoS)
CVSS Score: 7.5
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CWE: CWE-1333
pkg:npm/[email protected]
SEVERE Vulnerabilities (1)
[sonatype-2017-0655] Unknown
request - Weak Authentication Algorithm
CVSS Score: 5.9
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
CWE: CWE-310
MODERATE Vulnerabilities (1)
[sonatype-2021-0749] CWE-326: Inadequate Encryption Strength
request - Inadequate Encryption Strength
The software stores or transmits sensitive data using an encryption scheme that is theoretically sound, but is not strong enough for the level of protection required.
CVSS Score: 3.7
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
CWE: CWE-326
pkg:npm/[email protected]
CRITICAL Vulnerabilities (2)
sonatype-2021-0509
[sonatype-2021-0509] CWE-400: Uncontrolled Resource Consumption ('Resource Exhaustion')
validator - Regular Expression Denial of Service (ReDoS)
The software does not properly restrict the size or amount of resources that are requested or influenced by an actor, which can be used to consume more resources than intended.
CVSS Score: 7.5
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CWE: CWE-400
sonatype-2021-0510
[sonatype-2021-0510] CWE-400: Uncontrolled Resource Consumption ('Resource Exhaustion')
validator - Regular Expression Denial of Service (ReDoS)
The software does not properly restrict the size or amount of resources that are requested or influenced by an actor, which can be used to consume more resources than intended.
CVSS Score: 7.5
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CWE: CWE-400
(at-me in a reply with help
or ignore
)
Was this a good recommendation?
[ 🙁 Not relevant ] - [ 😕 Won't fix ] - [ 😑 Not critical, will fix ] - [ 🙂 Critical, will fix ] - [ 😊 Critical, fixing now ]
@@ -33,7 +33,7 @@ | |||
"@reactioncommerce/api-plugin-email": "~1.0.1", | |||
"@reactioncommerce/api-plugin-email-smtp": "~1.0.1", | |||
"@reactioncommerce/api-plugin-email-templates": "~1.0.1", | |||
"@reactioncommerce/api-plugin-files": "~1.0.13", | |||
"@reactioncommerce/api-plugin-files": "~1.0.19", | |||
"@reactioncommerce/api-plugin-i18n": "~1.0.0", | |||
"@reactioncommerce/api-plugin-inventory": "~1.0.2", | |||
"@reactioncommerce/api-plugin-inventory-simple": "~1.0.1", |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Critical OSS Vulnerability:
pkg:npm/%40reactioncommerce/[email protected]
11 Critical, 2 Severe, 1 Moderate, 0 Unknown vulnerabilities have been found across 11 dependencies
Components
pkg:npm/[email protected]
CRITICAL Vulnerabilities (1)
[CVE-2021-23337] CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')
Lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function.
CVSS Score: 7.2
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
CWE: CWE-77
SEVERE Vulnerabilities (1)
[CVE-2020-28500] CWE-400: Uncontrolled Resource Consumption ('Resource Exhaustion')
Lodash versions prior to 4.17.21 are vulnerable to Regular Expression Denial of Service (ReDoS) via the toNumber, trim and trimEnd functions.
CVSS Score: 5.3
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
CWE: CWE-400
pkg:npm/[email protected]
CRITICAL Vulnerabilities (1)
[CVE-2021-44906] Minimist <=1.2.5 is vulnerable to Prototype Pollution via file index.js, function setKey() (lines 69-95).
Minimist <=1.2.5 is vulnerable to Prototype Pollution via file index.js, function setKey() (lines 69-95).
CVSS Score: 9.8
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE: CWE-1321
pkg:npm/[email protected]
CRITICAL Vulnerabilities (1)
[sonatype-2021-1169] Unknown
ansi-regex - Regular Expression Denial of Service (ReDoS) [CVE-2021-3807]
CVSS Score: 7.5
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CWE: CWE-1333
pkg:npm/[email protected]
CRITICAL Vulnerabilities (1)
[CVE-2021-3918] CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes
json-schema is vulnerable to Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
CVSS Score: 9.8
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE: CWE-915
pkg:npm/[email protected]
CRITICAL Vulnerabilities (1)
[sonatype-2021-1736] Unknown
ramda - Regular Expression Denial of Service (ReDoS)
CVSS Score: 7.5
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CWE: CWE-1333
pkg:npm/[email protected]
CRITICAL Vulnerabilities (1)
[CVE-2021-23337] CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')
Lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function.
CVSS Score: 7.2
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
CWE: CWE-77
pkg:npm/[email protected]
CRITICAL Vulnerabilities (1)
[CVE-2022-24785] CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Moment.js is a JavaScript date library for parsing, validating, manipulating, and formatting dates. A path traversal vulnerability impacts npm (server) users of Moment.js between versions 1.0.1 and 2.29.1, especially if a user-provided locale string is directly used to switch moment locale. This problem is patched in 2.29.2, and the patch can be applied to all affected versions. As a workaround, sanitize the user-provided locale name before passing it to Moment.js.
CVSS Score: 7.5
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
CWE: CWE-22
pkg:npm/[email protected]
CRITICAL Vulnerabilities (1)
[sonatype-2021-4879] Unknown
minimatch - Regular Expression Denial of Service (ReDoS)
CVSS Score: 7.5
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CWE: CWE-1333
pkg:npm/[email protected]
SEVERE Vulnerabilities (1)
[sonatype-2017-0655] Unknown
request - Weak Authentication Algorithm
CVSS Score: 5.9
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
CWE: CWE-310
MODERATE Vulnerabilities (1)
[sonatype-2021-0749] CWE-326: Inadequate Encryption Strength
request - Inadequate Encryption Strength
The software stores or transmits sensitive data using an encryption scheme that is theoretically sound, but is not strong enough for the level of protection required.
CVSS Score: 3.7
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
CWE: CWE-326
pkg:npm/[email protected]
CRITICAL Vulnerabilities (1)
[CVE-2020-7742] This affects the package simpl-schema before 1.10.2.
This affects the package simpl-schema before 1.10.2.
CVSS Score: 7.5
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CWE: CWE-1321
pkg:npm/[email protected]
CRITICAL Vulnerabilities (2)
sonatype-2021-0509
[sonatype-2021-0509] CWE-400: Uncontrolled Resource Consumption ('Resource Exhaustion')
validator - Regular Expression Denial of Service (ReDoS)
The software does not properly restrict the size or amount of resources that are requested or influenced by an actor, which can be used to consume more resources than intended.
CVSS Score: 7.5
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CWE: CWE-400
sonatype-2021-0510
[sonatype-2021-0510] CWE-400: Uncontrolled Resource Consumption ('Resource Exhaustion')
validator - Regular Expression Denial of Service (ReDoS)
The software does not properly restrict the size or amount of resources that are requested or influenced by an actor, which can be used to consume more resources than intended.
CVSS Score: 7.5
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CWE: CWE-400
(at-me in a reply with help
or ignore
)
Was this a good recommendation?
[ 🙁 Not relevant ] - [ 😕 Won't fix ] - [ 😑 Not critical, will fix ] - [ 🙂 Critical, will fix ] - [ 😊 Critical, fixing now ]
This PR was automatically created by Snyk using the credentials of a real user.
Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.
Changes included in this PR
Vulnerabilities that will be fixed
With an upgrade:
Why? Proof of Concept exploit, Has a fix available, CVSS 7.5
SNYK-JS-ANSIREGEX-1583908
(*) Note that the real score may have changed since the PR was raised.
Commit messages
Package name: @reactioncommerce/api-plugin-files
The new version differs by 47 commits.See the full diff
Check the changes in this PR to ensure they won't cause issues with your project.
Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.
For more information:
🧐 View latest project report
🛠 Adjust project settings
📚 Read more about Snyk's upgrade and patch logic
Learn how to fix vulnerabilities with free interactive lessons:
🦉 Learn about vulnerability in an interactive lesson of Snyk Learn.