New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Bulk vulnerability fix - Lockfile fix #23

Closed

debricked wants to merge 1 commit into master from debricked-fix-bulk_fix-6abfafb7b54d53b7

Contributor

debricked bot commented Aug 27, 2021

Bulk vulnerability fix - Lockfile fix

This pull request will update your transitive dependencies within the allowed version intervals provided by your direct dependencies.

Fixed vulnerabilities:

CVE–2021–23368

Description

NVD

The package postcss from 7.0.0 and before 8.2.10 are vulnerable to Regular Expression Denial of Service (ReDoS) during source map parsing.

GitHub

Regular Expression Denial of Service in postcss

The npm package postcss from 7.0.0 and before versions 7.0.36 and 8.2.10 is vulnerable to Regular Expression Denial of Service (ReDoS) during source map parsing.
CVSS details - 5.3

CVSS3 metrics

Attack Vector Network

Attack Complexity Low

Privileges Required None

User interaction None

Scope Unchanged

Confidentiality None

Integrity None

Availability Low
References

    Fix unsafe regexp · postcss/postcss@8682b1e · GitHub
    Fix unsafe regexp in getAnnotationURL() too · postcss/postcss@b6f3e4d · GitHub
    Pony Mail!
    Pony Mail!
    Pony Mail!
    Pony Mail!
    Pony Mail!
    Pony Mail!
    NVD - CVE-2021-23368
    Regular Expression Denial of Service in postcss · CVE-2021-23368 · GitHub Advisory Database · GitHub

CVE–2021–23343

Description

NVD

All versions of package path-parse are vulnerable to Regular Expression Denial of Service (ReDoS) via splitDeviceRe, splitTailRe, and splitPathRe regular expressions. ReDoS exhibits polynomial worst-case time complexity.
CVSS details - 7.5

CVSS3 metrics

Attack Vector Network

Attack Complexity Low

Privileges Required None

User interaction None

Scope Unchanged

Confidentiality None

Integrity None

Availability High
References

    ReDoS in path-parse · Issue #8 · jbgutierrez/path-parse · GitHub
    Pony Mail!
    fixed regexes to avoid ReDoS attacks by jeffrey-pinyan-ithreat · Pull Request #10 · jbgutierrez/path-parse · GitHub

CVE–2021–33502

Description

GitHub

ReDoS in normalize-url

The normalize-url package before 4.5.1, 5.x before 5.3.1, and 6.x before 6.0.1 for Node.js has a ReDoS (regular expression denial of service) issue because it has exponential performance for data: URLs.

NVD

The normalize-url package before 4.5.1, 5.x before 5.3.1, and 6.x before 6.0.1 for Node.js has a ReDoS (regular expression denial of service) issue because it has exponential performance for data: URLs.
CVSS details - 7.5

CVSS3 metrics

Attack Vector Network

Attack Complexity Low

Privileges Required None

User interaction None

Scope Unchanged

Confidentiality None

Integrity None

Availability High
References

    Release v6.0.1 · sindresorhus/normalize-url · GitHub
    NVD - CVE-2021-33502
    ReDoS in normalize-url · CVE-2021-33502 · GitHub Advisory Database · GitHub

CVE–2021–31597

Description

Improper Certificate Validation

The software does not validate, or incorrectly validates, a certificate.

GitHub

Improper Certificate Validation in xmlhttprequest-ssl

The xmlhttprequest-ssl package before 1.6.1 for Node.js disables SSL certificate validation by default, because rejectUnauthorized (when the property exists but is undefined) is considered to be false within the https.request function of Node.js. In other words, no certificate is ever rejected.

NVD

The xmlhttprequest-ssl package before 1.6.1 for Node.js disables SSL certificate validation by default, because rejectUnauthorized (when the property exists but is undefined) is considered to be false within the https.request function of Node.js. In other words, no certificate is ever rejected.
CVSS details - 9.4

CVSS3 metrics

Attack Vector Network

Attack Complexity Low

Privileges Required None

User interaction None

Scope Unchanged

Confidentiality High

Integrity High

Availability Low
References

    MISC
    Fix issue where rejectUnauthorized would default to false instead of … · mjwwit/node-XMLHttpRequest@bf53329 · GitHub
    Comparing v1.6.0...1.6.1 · mjwwit/node-XMLHttpRequest · GitHub
    CVE-2021-31597 Node.js Vulnerability in NetApp Products | NetApp Product Security
    Improper Certificate Validation in xmlhttprequest-ssl · CVE-2021-31597 · GitHub Advisory Database · GitHub
    NVD - CVE-2021-31597

Related information

📌 Remember! Check the changes to ensure they don't introduce any breaking changes.
📚 Read more at Debricked


          Bulk fix vulnerabilities

4521b3a

debricked bot closed this

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet