AID icon indicating copy to clipboard operation
AID copied to clipboard

Published 20 hours ago verified publisher icon autoai-org

spectron-12.0.0.tgz: 9 vulnerabilities (highest severity is: 7.8)

Open mend-bolt-for-github[bot] opened this issue 3 years ago • 1 comments

Vulnerable Library - spectron-12.0.0.tgz

Path to dependency file: /components/dashboard/yarn.lock

Path to vulnerable library: /docs/node_modules/ua-parser-js/package.json,/components/dashboard/node_modules/ua-parser-js/package.json

Vulnerabilities

CVE Severity CVSS Dependency Type Fixed in (spectron version) Remediation Available
CVE-2021-43138 High 7.8 async-3.2.0.tgz Transitive 13.0.0
CVE-2021-27292 High 7.5 ua-parser-js-0.7.22.tgz Transitive 13.0.0
CVE-2022-3517 High 7.5 minimatch-3.0.4.tgz Transitive N/A*
CVE-2021-33502 High 7.5 normalize-url-4.5.0.tgz Transitive 13.0.0
CVE-2022-25881 High 7.5 http-cache-semantics-4.1.0.tgz Transitive N/A*
CVE-2020-7793 High 7.5 ua-parser-js-0.7.22.tgz Transitive 13.0.0
CVE-2023-28155 Medium 5.5 request-2.88.2.tgz Transitive N/A*
CVE-2021-32640 Medium 5.3 ws-7.3.1.tgz Transitive 13.0.0
CVE-2022-33987 Medium 5.3 detected in multiple dependencies Transitive N/A*

*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.

Details

CVE-2021-43138

Vulnerable Library - async-3.2.0.tgz

Higher-order functions and common patterns for asynchronous code

Library home page: https://registry.npmjs.org/async/-/async-3.2.0.tgz

Path to dependency file: /components/dashboard/node_modules/async/package.json

Path to vulnerable library: /components/dashboard/node_modules/async/package.json

Dependency Hierarchy:

  • spectron-12.0.0.tgz (Root Library)
    • webdriverio-6.5.2.tgz
      • archiver-5.0.2.tgz
        • :x: async-3.2.0.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

In Async before 2.6.4 and 3.x before 3.2.2, a malicious user can obtain privileges via the mapValues() method, aka lib/internal/iterator.js createObjectIterator prototype pollution.

Publish Date: 2022-04-06

URL: CVE-2021-43138

CVSS 3 Score Details (7.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High
For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2021-43138

Release Date: 2022-04-06

Fix Resolution (async): 3.2.2

Direct dependency fix Resolution (spectron): 13.0.0

Step up your Open Source Security Game with Mend here

CVE-2021-27292

Vulnerable Library - ua-parser-js-0.7.22.tgz

Lightweight JavaScript-based user-agent string parser

Library home page: https://registry.npmjs.org/ua-parser-js/-/ua-parser-js-0.7.22.tgz

Path to dependency file: /docs/package.json

Path to vulnerable library: /docs/node_modules/ua-parser-js/package.json,/components/dashboard/node_modules/ua-parser-js/package.json

Dependency Hierarchy:

  • spectron-12.0.0.tgz (Root Library)
    • webdriverio-6.5.2.tgz
      • devtools-6.5.0.tgz
        • :x: ua-parser-js-0.7.22.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

ua-parser-js >= 0.7.14, fixed in 0.7.24, uses a regular expression which is vulnerable to denial of service. If an attacker sends a malicious User-Agent header, ua-parser-js will get stuck processing it for an extended period of time.

Publish Date: 2021-03-17

URL: CVE-2021-27292

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High
For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2021-03-17

Fix Resolution (ua-parser-js): 0.7.25

Direct dependency fix Resolution (spectron): 13.0.0

Step up your Open Source Security Game with Mend here

CVE-2022-3517

Vulnerable Library - minimatch-3.0.4.tgz

a glob matcher in javascript

Library home page: https://registry.npmjs.org/minimatch/-/minimatch-3.0.4.tgz

Path to dependency file: /components/dashboard/node_modules/minimatch/package.json

Path to vulnerable library: /components/dashboard/node_modules/minimatch/package.json,/components/discovery/yarn.lock,/docs/node_modules/minimatch/package.json

Dependency Hierarchy:

  • spectron-12.0.0.tgz (Root Library)
    • webdriverio-6.5.2.tgz
      • archiver-5.0.2.tgz
        • readdir-glob-1.0.0.tgz
          • :x: minimatch-3.0.4.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

A vulnerability was found in the minimatch package. This flaw allows a Regular Expression Denial of Service (ReDoS) when calling the braceExpand function with specific arguments, resulting in a Denial of Service.

Publish Date: 2022-10-17

URL: CVE-2022-3517

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High
For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2022-10-17

Fix Resolution: minimatch - 3.0.5

Step up your Open Source Security Game with Mend here

CVE-2021-33502

Vulnerable Library - normalize-url-4.5.0.tgz

Normalize a URL

Library home page: https://registry.npmjs.org/normalize-url/-/normalize-url-4.5.0.tgz

Path to dependency file: /docs/package.json

Path to vulnerable library: /docs/node_modules/cacheable-request/node_modules/normalize-url/package.json,/components/dashboard/node_modules/normalize-url/package.json

Dependency Hierarchy:

  • spectron-12.0.0.tgz (Root Library)
    • electron-chromedriver-10.0.0.tgz
      • get-1.12.2.tgz
        • got-9.6.0.tgz
          • cacheable-request-6.1.0.tgz
            • :x: normalize-url-4.5.0.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

The normalize-url package before 4.5.1, 5.x before 5.3.1, and 6.x before 6.0.1 for Node.js has a ReDoS (regular expression denial of service) issue because it has exponential performance for data: URLs.

Publish Date: 2021-05-24

URL: CVE-2021-33502

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High
For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33502

Release Date: 2021-05-24

Fix Resolution (normalize-url): 4.5.1

Direct dependency fix Resolution (spectron): 13.0.0

Step up your Open Source Security Game with Mend here

CVE-2022-25881

Vulnerable Library - http-cache-semantics-4.1.0.tgz

Parses Cache-Control and other headers. Helps building correct HTTP caches and proxies

Library home page: https://registry.npmjs.org/http-cache-semantics/-/http-cache-semantics-4.1.0.tgz

Path to dependency file: /docs/package.json

Path to vulnerable library: /docs/node_modules/http-cache-semantics/package.json,/components/dashboard/node_modules/http-cache-semantics/package.json

Dependency Hierarchy:

  • spectron-12.0.0.tgz (Root Library)
    • electron-chromedriver-10.0.0.tgz
      • get-1.12.2.tgz
        • got-9.6.0.tgz
          • cacheable-request-6.1.0.tgz
            • :x: http-cache-semantics-4.1.0.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

This affects versions of the package http-cache-semantics before 4.1.1. The issue can be exploited via malicious request header values sent to a server, when that server reads the cache policy from the request using this library.

Publish Date: 2023-01-31

URL: CVE-2022-25881

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High
For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2022-25881

Release Date: 2023-01-31

Fix Resolution: http-cache-semantics - 4.1.1

Step up your Open Source Security Game with Mend here

CVE-2020-7793

Vulnerable Library - ua-parser-js-0.7.22.tgz

Lightweight JavaScript-based user-agent string parser

Library home page: https://registry.npmjs.org/ua-parser-js/-/ua-parser-js-0.7.22.tgz

Path to dependency file: /docs/package.json

Path to vulnerable library: /docs/node_modules/ua-parser-js/package.json,/components/dashboard/node_modules/ua-parser-js/package.json

Dependency Hierarchy:

  • spectron-12.0.0.tgz (Root Library)
    • webdriverio-6.5.2.tgz
      • devtools-6.5.0.tgz
        • :x: ua-parser-js-0.7.22.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

The package ua-parser-js before 0.7.23 are vulnerable to Regular Expression Denial of Service (ReDoS) in multiple regexes (see linked commit for more info).

Publish Date: 2020-12-11

URL: CVE-2020-7793

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High
For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2020-12-11

Fix Resolution (ua-parser-js): 0.7.23

Direct dependency fix Resolution (spectron): 13.0.0

Step up your Open Source Security Game with Mend here

CVE-2023-28155

Vulnerable Library - request-2.88.2.tgz

Simplified HTTP request client.

Library home page: https://registry.npmjs.org/request/-/request-2.88.2.tgz

Path to dependency file: /components/dashboard/node_modules/request/package.json

Path to vulnerable library: /components/dashboard/node_modules/request/package.json,/components/discovery/yarn.lock

Dependency Hierarchy:

  • spectron-12.0.0.tgz (Root Library)
    • :x: request-2.88.2.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

** UNSUPPORTED WHEN ASSIGNED ** The Request package through 2.88.1 for Node.js allows a bypass of SSRF mitigations via an attacker-controller server that does a cross-protocol redirect (HTTP to HTTPS, or HTTPS to HTTP). NOTE: This vulnerability only affects products that are no longer supported by the maintainer.

Publish Date: 2023-03-16

URL: CVE-2023-28155

CVSS 3 Score Details (5.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High
For more information on CVSS3 Scores, click here.

Step up your Open Source Security Game with Mend here

CVE-2021-32640

Vulnerable Library - ws-7.3.1.tgz

Simple to use, blazing fast and thoroughly tested websocket client and server for Node.js

Library home page: https://registry.npmjs.org/ws/-/ws-7.3.1.tgz

Path to dependency file: /components/discovery/yarn.lock

Path to vulnerable library: /components/discovery/yarn.lock,/components/dashboard/node_modules/ws/package.json

Dependency Hierarchy:

  • spectron-12.0.0.tgz (Root Library)
    • webdriverio-6.5.2.tgz
      • puppeteer-core-5.3.0.tgz
        • :x: ws-7.3.1.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

ws is an open source WebSocket client and server library for Node.js. A specially crafted value of the Sec-Websocket-Protocol header can be used to significantly slow down a ws server. The vulnerability has been fixed in [email protected] (https://github.com/websockets/ws/commit/00c425ec77993773d823f018f64a5c44e17023ff). In vulnerable versions of ws, the issue can be mitigated by reducing the maximum allowed length of the request headers using the --max-http-header-size=size and/or the maxHeaderSize options.

Publish Date: 2021-05-25

URL: CVE-2021-32640

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: Low
For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://github.com/websockets/ws/security/advisories/GHSA-6fc8-4gx4-v693

Release Date: 2021-05-25

Fix Resolution (ws): 7.4.6

Direct dependency fix Resolution (spectron): 13.0.0

Step up your Open Source Security Game with Mend here

CVE-2022-33987

Vulnerable Libraries - got-9.6.0.tgz, got-11.7.0.tgz

got-9.6.0.tgz

Simplified HTTP requests

Library home page: https://registry.npmjs.org/got/-/got-9.6.0.tgz

Path to dependency file: /docs/package.json

Path to vulnerable library: /docs/node_modules/got/package.json,/components/dashboard/node_modules/got/package.json

Dependency Hierarchy:

  • spectron-12.0.0.tgz (Root Library)
    • electron-chromedriver-10.0.0.tgz
      • get-1.12.2.tgz
        • :x: got-9.6.0.tgz (Vulnerable Library)

got-11.7.0.tgz

Human-friendly and powerful HTTP request library for Node.js

Library home page: https://registry.npmjs.org/got/-/got-11.7.0.tgz

Path to dependency file: /components/dashboard/node_modules/got/package.json

Path to vulnerable library: /components/dashboard/node_modules/got/package.json

Dependency Hierarchy:

  • spectron-12.0.0.tgz (Root Library)
    • webdriverio-6.5.2.tgz
      • webdriver-6.5.0.tgz
        • :x: got-11.7.0.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

The got package before 12.1.0 (also fixed in 11.8.5) for Node.js allows a redirect to a UNIX socket.

Publish Date: 2022-06-18

URL: CVE-2022-33987

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: Low
    • Availability Impact: None
For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-33987

Release Date: 2022-06-18

Fix Resolution: got - 11.8.5,12.1.0

Step up your Open Source Security Game with Mend here

mend-bolt-for-github[bot] avatar Feb 19 '22 01:02 mend-bolt-for-github[bot]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

stale[bot] avatar Oct 01 '22 07:10 stale[bot]