swagger-boilerplate-0.1.6.tgz: 4 vulnerabilities (highest severity is: 7.5) - autoclosed
mend-for-github-com opened this issue · 1 comments
Vulnerable Library - swagger-boilerplate-0.1.6.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/follow-redirects/package.json
Found in HEAD commit: 7c898c0839317ea7989d15935972aa4dc520b907
Vulnerabilities
| CVE | Severity |  CVSS |
Dependency | Type | Fixed in | Remediation Available |
|---|---|---|---|---|---|---|
| CVE-2022-24434 |  High |
7.5 | dicer-0.2.5.tgz | Transitive | N/A | |
| CVE-2022-0155 |  Medium |
6.5 | follow-redirects-1.13.0.tgz | Transitive | 0.1.7 | |
| CVE-2022-0536 | Medium |
5.9 | follow-redirects-1.13.0.tgz | Transitive | 0.1.7 | |
| CVE-2017-16137 | Medium |
5.3 | debug-2.2.0.tgz | Transitive | N/A |
Details
CVE-2022-24434
Vulnerable Library - dicer-0.2.5.tgz
A very fast streaming multipart parser for node.js
Library home page: https://registry.npmjs.org/dicer/-/dicer-0.2.5.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/dicer/package.json
Dependency Hierarchy:
- swagger-boilerplate-0.1.6.tgz (Root Library)
- multer-1.4.2.tgz
- busboy-0.2.14.tgz
❌ dicer-0.2.5.tgz (Vulnerable Library)
- busboy-0.2.14.tgz
- multer-1.4.2.tgz
Found in HEAD commit: 7c898c0839317ea7989d15935972aa4dc520b907
Found in base branch: master
Vulnerability Details
This affects all versions of package dicer. A malicious attacker can send a modified form to server, and crash the nodejs service. An attacker could sent the payload again and again so that the service continuously crashes.
Publish Date: 2022-05-20
URL: CVE-2022-24434
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
CVE-2022-0155
Vulnerable Library - follow-redirects-1.13.0.tgz
HTTP and HTTPS modules that follow redirects.
Library home page: https://registry.npmjs.org/follow-redirects/-/follow-redirects-1.13.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/follow-redirects/package.json
Dependency Hierarchy:
- swagger-boilerplate-0.1.6.tgz (Root Library)
- node-rest-client-3.1.0.tgz
❌ follow-redirects-1.13.0.tgz (Vulnerable Library)
- node-rest-client-3.1.0.tgz
Found in HEAD commit: 7c898c0839317ea7989d15935972aa4dc520b907
Found in base branch: master
Vulnerability Details
follow-redirects is vulnerable to Exposure of Private Personal Information to an Unauthorized Actor
Publish Date: 2022-01-10
URL: CVE-2022-0155
CVSS 3 Score Details (6.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://huntr.dev/bounties/fc524e4b-ebb6-427d-ab67-a64181020406/
Release Date: 2022-01-10
Fix Resolution (follow-redirects): 1.14.7
Direct dependency fix Resolution (swagger-boilerplate): 0.1.7
CVE-2022-0536
Vulnerable Library - follow-redirects-1.13.0.tgz
HTTP and HTTPS modules that follow redirects.
Library home page: https://registry.npmjs.org/follow-redirects/-/follow-redirects-1.13.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/follow-redirects/package.json
Dependency Hierarchy:
- swagger-boilerplate-0.1.6.tgz (Root Library)
- node-rest-client-3.1.0.tgz
❌ follow-redirects-1.13.0.tgz (Vulnerable Library)
- node-rest-client-3.1.0.tgz
Found in HEAD commit: 7c898c0839317ea7989d15935972aa4dc520b907
Found in base branch: master
Vulnerability Details
Exposure of Sensitive Information to an Unauthorized Actor in NPM follow-redirects prior to 1.14.8.
Publish Date: 2022-02-09
URL: CVE-2022-0536
CVSS 3 Score Details (5.9)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0536
Release Date: 2022-02-09
Fix Resolution (follow-redirects): 1.14.8
Direct dependency fix Resolution (swagger-boilerplate): 0.1.7
CVE-2017-16137
Vulnerable Library - debug-2.2.0.tgz
small debugging utility
Library home page: https://registry.npmjs.org/debug/-/debug-2.2.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/node-rest-client/node_modules/debug/package.json
Dependency Hierarchy:
- swagger-boilerplate-0.1.6.tgz (Root Library)
- node-rest-client-3.1.0.tgz
❌ debug-2.2.0.tgz (Vulnerable Library)
- node-rest-client-3.1.0.tgz
Found in HEAD commit: 7c898c0839317ea7989d15935972aa4dc520b907
Found in base branch: master
Vulnerability Details
The debug module is vulnerable to regular expression denial of service when untrusted user input is passed into the o formatter. It takes around 50k characters to block for 2 seconds making this a low severity issue.
Publish Date: 2018-06-07
URL: CVE-2017-16137
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: Low
Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-16137
Release Date: 2018-06-07
Fix Resolution: 2.6.9