request-2.88.2.tgz: 2 vulnerabilities (highest severity is: 9.8) unreachable
mend-for-github-com opened this issue · 3 comments
Vulnerable Library - request-2.88.2.tgz
Simplified HTTP request client.
Library home page: https://registry.npmjs.org/request/-/request-2.88.2.tgz
Path to dependency file: /sample/SipInterconnect/package.json
Path to vulnerable library: /sample/SipInterconnect/node_modules/request/package.json,/node_modules/request/package.json
Found in HEAD commit: a7f0948738582b190c10062a408e10b28b6ec75d
Vulnerabilities
| CVE | Severity |  CVSS |
Dependency | Type | Fixed in (request version) | Remediation Available |
|---|---|---|---|---|---|---|
| CVE-2022-24999 |  High |
7.5 | qs-6.5.2.tgz | Transitive | N/A* | |
| CVE-2023-28155 |  Medium |
6.1 | request-2.88.2.tgz | Direct | N/A |
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
Details
CVE-2022-24999
Vulnerable Library - qs-6.5.2.tgz
A querystring parser that supports nesting and arrays, with a depth limit
Library home page: https://registry.npmjs.org/qs/-/qs-6.5.2.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/qs/package.json
Dependency Hierarchy:
- request-2.88.2.tgz (Root Library)
❌ qs-6.5.2.tgz (Vulnerable Library)
Found in HEAD commit: a7f0948738582b190c10062a408e10b28b6ec75d
Found in base branch: main
Vulnerability Details
qs before 6.10.3, as used in Express before 4.17.3 and other products, allows attackers to cause a Node process hang for an Express application because an __ proto__ key can be used. In many typical Express use cases, an unauthenticated remote attacker can place the attack payload in the query string of the URL that is used to visit the application, such as a[proto]=b&a[proto]&a[length]=100000000. The fix was backported to qs 6.9.7, 6.8.3, 6.7.3, 6.6.1, 6.5.3, 6.4.1, 6.3.3, and 6.2.4 (and therefore Express 4.17.3, which has "deps: qs@6.9.7" in its release description, is not vulnerable).
Publish Date: 2022-11-26
URL: CVE-2022-24999
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2022-24999
Release Date: 2022-11-26
Fix Resolution: qs - 6.2.4,6.3.3,6.4.1,6.5.3,6.6.1,6.7.3,6.8.3,6.9.7,6.10.3
CVE-2023-28155
Vulnerable Library - request-2.88.2.tgz
Simplified HTTP request client.
Library home page: https://registry.npmjs.org/request/-/request-2.88.2.tgz
Path to dependency file: /sample/SipInterconnect/package.json
Path to vulnerable library: /sample/SipInterconnect/node_modules/request/package.json,/node_modules/request/package.json
Dependency Hierarchy:
❌ request-2.88.2.tgz (Vulnerable Library)
Found in HEAD commit: a7f0948738582b190c10062a408e10b28b6ec75d
Found in base branch: main
Vulnerability Details
** UNSUPPORTED WHEN ASSIGNED ** The Request package through 2.88.1 for Node.js allows a bypass of SSRF mitigations via an attacker-controller server that does a cross-protocol redirect (HTTP to HTTPS, or HTTPS to HTTP). NOTE: This vulnerability only affects products that are no longer supported by the maintainer.
Publish Date: 2023-03-16
URL: CVE-2023-28155
CVSS 3 Score Details (6.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
This is a good replacement for request: https://github.com/tomas/needle