opentok-video-embed-demo icon indicating copy to clipboard operation
opentok-video-embed-demo copied to clipboard

Published 20 hours ago verified publisher icon opentok

express-4.15.3.tgz: 4 vulnerabilities (highest severity is: 7.5)

Open mend-for-github-com[bot] opened this issue 3 years ago • 0 comments

Vulnerable Library - express-4.15.3.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/fresh/package.json

Found in HEAD commit: 2a7d72a64b342ecfe265808c925630585eec496b

Vulnerabilities

CVE Severity CVSS Dependency Type Fixed in (express version) Remediation Available
CVE-2017-16138 High 7.5 mime-1.3.4.tgz Transitive 4.16.0
CVE-2017-16118 High 7.5 forwarded-0.1.0.tgz Transitive 4.15.4
CVE-2017-16119 High 7.5 fresh-0.5.0.tgz Transitive 4.15.5
CVE-2017-16137 Medium 5.3 debug-2.6.8.tgz Transitive 4.15.5

Details

CVE-2017-16138

Vulnerable Library - mime-1.3.4.tgz

A comprehensive library for mime-type mapping

Library home page: https://registry.npmjs.org/mime/-/mime-1.3.4.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/mime/package.json

Dependency Hierarchy:

  • express-4.15.3.tgz (Root Library)
    • send-0.15.3.tgz
      • :x: mime-1.3.4.tgz (Vulnerable Library)

Found in HEAD commit: 2a7d72a64b342ecfe265808c925630585eec496b

Found in base branch: main

Vulnerability Details

The mime module < 1.4.1, 2.0.1, 2.0.2 is vulnerable to regular expression denial of service when a mime lookup is performed on untrusted user input.

Publish Date: 2018-06-07

URL: CVE-2017-16138

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High
For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16138

Release Date: 2018-06-07

Fix Resolution (mime): 1.4.1

Direct dependency fix Resolution (express): 4.16.0

:rescue_worker_helmet: Automatic Remediation is available for this issue

CVE-2017-16118

Vulnerable Library - forwarded-0.1.0.tgz

Parse HTTP X-Forwarded-For header

Library home page: https://registry.npmjs.org/forwarded/-/forwarded-0.1.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/forwarded/package.json

Dependency Hierarchy:

  • express-4.15.3.tgz (Root Library)
    • proxy-addr-1.1.5.tgz
      • :x: forwarded-0.1.0.tgz (Vulnerable Library)

Found in HEAD commit: 2a7d72a64b342ecfe265808c925630585eec496b

Found in base branch: main

Vulnerability Details

The forwarded module is used by the Express.js framework to handle the X-Forwarded-For header. It is vulnerable to a regular expression denial of service when it's passed specially crafted input to parse. This causes the event loop to be blocked causing a denial of service condition.

Publish Date: 2018-06-07

URL: CVE-2017-16118

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High
For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/527/versions

Release Date: 2018-06-07

Fix Resolution (forwarded): 0.1.2

Direct dependency fix Resolution (express): 4.15.4

:rescue_worker_helmet: Automatic Remediation is available for this issue

CVE-2017-16119

Vulnerable Library - fresh-0.5.0.tgz

HTTP response freshness testing

Library home page: https://registry.npmjs.org/fresh/-/fresh-0.5.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/fresh/package.json

Dependency Hierarchy:

  • express-4.15.3.tgz (Root Library)
    • :x: fresh-0.5.0.tgz (Vulnerable Library)

Found in HEAD commit: 2a7d72a64b342ecfe265808c925630585eec496b

Found in base branch: main

Vulnerability Details

Fresh is a module used by the Express.js framework for HTTP response freshness testing. It is vulnerable to a regular expression denial of service when it is passed specially crafted input to parse. This causes the event loop to be blocked causing a denial of service condition.

Publish Date: 2018-06-07

URL: CVE-2017-16119

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High
For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/526

Release Date: 2018-06-07

Fix Resolution (fresh): 0.5.2

Direct dependency fix Resolution (express): 4.15.5

:rescue_worker_helmet: Automatic Remediation is available for this issue

CVE-2017-16137

Vulnerable Library - debug-2.6.8.tgz

small debugging utility

Library home page: https://registry.npmjs.org/debug/-/debug-2.6.8.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/finalhandler/node_modules/debug/package.json

Dependency Hierarchy:

  • express-4.15.3.tgz (Root Library)
    • finalhandler-1.0.4.tgz
      • :x: debug-2.6.8.tgz (Vulnerable Library)

Found in HEAD commit: 2a7d72a64b342ecfe265808c925630585eec496b

Found in base branch: main

Vulnerability Details

The debug module is vulnerable to regular expression denial of service when untrusted user input is passed into the o formatter. It takes around 50k characters to block for 2 seconds making this a low severity issue.

Publish Date: 2018-06-07

URL: CVE-2017-16137

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: Low
For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-16137

Release Date: 2018-06-07

Fix Resolution (debug): 2.6.9

Direct dependency fix Resolution (express): 4.15.5

:rescue_worker_helmet: Automatic Remediation is available for this issue

:rescue_worker_helmet: Automatic Remediation is available for this issue.

mend-for-github-com[bot] avatar Aug 12 '22 09:08 mend-for-github-com[bot]