opentok-web-samples icon indicating copy to clipboard operation
opentok-web-samples copied to clipboard

Published 20 hours ago verified publisher icon opentok

electron-2.0.2.tgz: 24 vulnerabilities (highest severity is: 9.9)

Open mend-for-github-com[bot] opened this issue 3 years ago • 0 comments

Vulnerable Library - electron-2.0.2.tgz

Build cross platform desktop apps with JavaScript, HTML, and CSS

Library home page: https://registry.npmjs.org/electron/-/electron-2.0.2.tgz

Path to dependency file: /Electron-Basic-Video-Chat/package.json

Path to vulnerable library: /Electron-Basic-Video-Chat/node_modules/electron/package.json

Vulnerabilities

CVE Severity CVSS Dependency Type Fixed in Remediation Available
CVE-2020-4077 High 9.9 electron-2.0.2.tgz Direct 7.2.4
CVE-2021-3918 High 9.8 json-schema-0.2.3.tgz Transitive 2.0.3
CVE-2018-3750 High 9.8 deep-extend-0.4.2.tgz Transitive 2.0.3
CVE-2018-16492 High 9.8 extend-3.0.1.tgz Transitive 2.0.3
CVE-2022-29247 High 9.8 electron-2.0.2.tgz Direct 15.5.5
CVE-2021-44906 High 9.8 detected in multiple dependencies Transitive 19.0.7
CVE-2018-1000620 High 9.8 cryptiles-2.0.5.tgz Transitive 2.0.3
CVE-2020-4076 High 9.0 electron-2.0.2.tgz Direct 7.2.4
CVE-2018-3728 High 8.8 hoek-2.16.3.tgz Transitive 2.0.3
CVE-2021-33623 High 7.5 trim-newlines-1.0.0.tgz Transitive 2.0.3
CVE-2018-3737 High 7.5 sshpk-1.13.1.tgz Transitive 2.0.3
CVE-2020-4075 High 7.5 electron-2.0.2.tgz Direct 7.2.4
CVE-2022-29167 High 7.5 hawk-3.1.3.tgz Transitive N/A
CVE-2020-7788 High 7.3 ini-1.3.4.tgz Transitive 2.0.3
CVE-2022-29257 High 7.2 electron-2.0.2.tgz Direct 15.5.0
CVE-2020-15096 Medium 6.8 electron-2.0.2.tgz Direct 6.1.11
CVE-2018-21270 Medium 6.5 stringstream-0.0.5.tgz Transitive 2.0.3
CVE-2020-15366 Medium 5.6 ajv-4.11.8.tgz Transitive 2.0.3
CVE-2020-7598 Medium 5.6 detected in multiple dependencies Transitive 2.0.3
CVE-2017-15010 Medium 5.3 tough-cookie-2.3.2.tgz Transitive 2.0.3
CVE-2021-23362 Medium 5.3 hosted-git-info-2.5.0.tgz Transitive 2.0.3
CVE-2017-16137 Medium 5.3 detected in multiple dependencies Transitive 2.0.3
CVE-2022-21718 Medium 5.0 electron-2.0.2.tgz Direct 13.6.6
WS-2018-0103 Medium 4.8 stringstream-0.0.5.tgz Transitive 2.0.3

Details

CVE-2020-4077

Vulnerable Library - electron-2.0.2.tgz

Build cross platform desktop apps with JavaScript, HTML, and CSS

Library home page: https://registry.npmjs.org/electron/-/electron-2.0.2.tgz

Path to dependency file: /Electron-Basic-Video-Chat/package.json

Path to vulnerable library: /Electron-Basic-Video-Chat/node_modules/electron/package.json

Dependency Hierarchy:

  • :x: electron-2.0.2.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

In Electron before versions 7.2.4, 8.2.4, and 9.0.0-beta21, there is a context isolation bypass. Code running in the main world context in the renderer can reach into the isolated Electron context and perform privileged actions. Apps using both contextIsolation and contextBridge are affected. This is fixed in versions 9.0.0-beta.21, 8.2.4 and 7.2.4.

Publish Date: 2020-07-07

URL: CVE-2020-4077

CVSS 3 Score Details (9.9)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High
For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://github.com/electron/electron/security/advisories/GHSA-h9jc-284h-533g

Release Date: 2020-07-13

Fix Resolution: 7.2.4

:rescue_worker_helmet: Automatic Remediation is available for this issue

CVE-2021-3918

Vulnerable Library - json-schema-0.2.3.tgz

JSON Schema validation and specifications

Library home page: https://registry.npmjs.org/json-schema/-/json-schema-0.2.3.tgz

Path to dependency file: /Electron-Basic-Video-Chat/package.json

Path to vulnerable library: /Electron-Basic-Video-Chat/node_modules/json-schema/package.json,/React-Basic-Video-Chat/node_modules/json-schema/package.json

Dependency Hierarchy:

  • electron-2.0.2.tgz (Root Library)
    • electron-download-3.3.0.tgz
      • nugget-2.0.1.tgz
        • request-2.81.0.tgz
          • http-signature-1.1.1.tgz
            • jsprim-1.4.1.tgz
              • :x: json-schema-0.2.3.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

json-schema is vulnerable to Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

Publish Date: 2021-11-13

URL: CVE-2021-3918

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High
For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2021-3918

Release Date: 2021-11-13

Fix Resolution (json-schema): 0.4.0

Direct dependency fix Resolution (electron): 2.0.3

:rescue_worker_helmet: Automatic Remediation is available for this issue

CVE-2018-3750

Vulnerable Library - deep-extend-0.4.2.tgz

Recursive object extending

Library home page: https://registry.npmjs.org/deep-extend/-/deep-extend-0.4.2.tgz

Dependency Hierarchy:

  • electron-2.0.2.tgz (Root Library)
    • electron-download-3.3.0.tgz
      • rc-1.2.1.tgz
        • :x: deep-extend-0.4.2.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

The utilities function in all versions <= 0.5.0 of the deep-extend node module can be tricked into modifying the prototype of Object when the attacker can control part of the structure passed to this function. This can let an attacker add or modify existing properties that will exist on all objects.

Publish Date: 2018-07-03

URL: CVE-2018-3750

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High
For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3750

Release Date: 2018-07-03

Fix Resolution (deep-extend): 0.5.1

Direct dependency fix Resolution (electron): 2.0.3

CVE-2018-16492

Vulnerable Library - extend-3.0.1.tgz

Port of jQuery.extend for node.js and the browser

Library home page: https://registry.npmjs.org/extend/-/extend-3.0.1.tgz

Path to dependency file: /Electron-Basic-Video-Chat/package.json

Path to vulnerable library: /Electron-Basic-Video-Chat/node_modules/extend/package.json,/React-Basic-Video-Chat/node_modules/extend/package.json

Dependency Hierarchy:

  • electron-2.0.2.tgz (Root Library)
    • electron-download-3.3.0.tgz
      • nugget-2.0.1.tgz
        • request-2.81.0.tgz
          • :x: extend-3.0.1.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

A prototype pollution vulnerability was found in module extend <2.0.2, ~<3.0.2 that allows an attacker to inject arbitrary properties onto Object.prototype.

Publish Date: 2019-02-01

URL: CVE-2018-16492

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High
For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://hackerone.com/reports/381185

Release Date: 2019-02-01

Fix Resolution (extend): 3.0.2

Direct dependency fix Resolution (electron): 2.0.3

:rescue_worker_helmet: Automatic Remediation is available for this issue

CVE-2022-29247

Vulnerable Library - electron-2.0.2.tgz

Build cross platform desktop apps with JavaScript, HTML, and CSS

Library home page: https://registry.npmjs.org/electron/-/electron-2.0.2.tgz

Path to dependency file: /Electron-Basic-Video-Chat/package.json

Path to vulnerable library: /Electron-Basic-Video-Chat/node_modules/electron/package.json

Dependency Hierarchy:

  • :x: electron-2.0.2.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Electron is a framework for writing cross-platform desktop applications using JavaScript (JS), HTML, and CSS. A vulnerability in versions prior to 18.0.0-beta.6, 17.2.0, 16.2.6, and 15.5.5 allows a renderer with JS execution to obtain access to a new renderer process with nodeIntegrationInSubFrames enabled which in turn allows effective access to ipcRenderer. The nodeIntegrationInSubFrames option does not implicitly grant Node.js access. Rather, it depends on the existing sandbox setting. If an application is sandboxed, then nodeIntegrationInSubFrames just gives access to the sandboxed renderer APIs, which include ipcRenderer. If the application then additionally exposes IPC messages without IPC senderFrame validation that perform privileged actions or return confidential data this access to ipcRenderer can in turn compromise your application / user even with the sandbox enabled. Electron versions 18.0.0-beta.6, 17.2.0, 16.2.6, and 15.5.5 contain a fix for this issue. As a workaround, ensure that all IPC message handlers appropriately validate senderFrame.

Publish Date: 2022-06-13

URL: CVE-2022-29247

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High
For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29247

Release Date: 2022-06-13

Fix Resolution: 15.5.5

:rescue_worker_helmet: Automatic Remediation is available for this issue

CVE-2021-44906

Vulnerable Libraries - minimist-1.2.0.tgz, minimist-0.0.8.tgz

minimist-1.2.0.tgz

parse argument options

Library home page: https://registry.npmjs.org/minimist/-/minimist-1.2.0.tgz

Path to dependency file: /Electron-Basic-Video-Chat/package.json

Path to vulnerable library: /Electron-Basic-Video-Chat/node_modules/minimist/package.json,/React-Basic-Video-Chat/node_modules/rc/node_modules/minimist/package.json,/React-Basic-Video-Chat/node_modules/cosmiconfig/node_modules/minimist/package.json,/React-Basic-Video-Chat/node_modules/sane/node_modules/minimist/package.json,/React-Basic-Video-Chat/node_modules/meow/node_modules/minimist/package.json

Dependency Hierarchy:

  • electron-2.0.2.tgz (Root Library)
    • electron-download-3.3.0.tgz
      • :x: minimist-1.2.0.tgz (Vulnerable Library)

minimist-0.0.8.tgz

parse argument options

Library home page: https://registry.npmjs.org/minimist/-/minimist-0.0.8.tgz

Path to dependency file: /React-Basic-Video-Chat/package.json

Path to vulnerable library: /React-Basic-Video-Chat/node_modules/minimist/package.json,/Electron-Basic-Video-Chat/node_modules/mkdirp/node_modules/minimist/package.json

Dependency Hierarchy:

  • electron-2.0.2.tgz (Root Library)
    • extract-zip-1.6.5.tgz
      • mkdirp-0.5.0.tgz
        • :x: minimist-0.0.8.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Minimist <=1.2.5 is vulnerable to Prototype Pollution via file index.js, function setKey() (lines 69-95).

Publish Date: 2022-03-17

URL: CVE-2021-44906

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High
For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2022-03-17

Fix Resolution (minimist): 1.2.6

Direct dependency fix Resolution (electron): 19.0.7

Fix Resolution (minimist): 1.2.6

Direct dependency fix Resolution (electron): 19.0.7

:rescue_worker_helmet: Automatic Remediation is available for this issue

CVE-2018-1000620

Vulnerable Library - cryptiles-2.0.5.tgz

General purpose crypto utilities

Library home page: https://registry.npmjs.org/cryptiles/-/cryptiles-2.0.5.tgz

Path to dependency file: /Electron-Basic-Video-Chat/package.json

Path to vulnerable library: /Electron-Basic-Video-Chat/node_modules/cryptiles/package.json

Dependency Hierarchy:

  • electron-2.0.2.tgz (Root Library)
    • electron-download-3.3.0.tgz
      • nugget-2.0.1.tgz
        • request-2.81.0.tgz
          • hawk-3.1.3.tgz
            • :x: cryptiles-2.0.5.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Eran Hammer cryptiles version 4.1.1 earlier contains a CWE-331: Insufficient Entropy vulnerability in randomDigits() method that can result in An attacker is more likely to be able to brute force something that was supposed to be random.. This attack appear to be exploitable via Depends upon the calling application.. This vulnerability appears to have been fixed in 4.1.2.

Publish Date: 2018-07-09

URL: CVE-2018-1000620

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High
For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-1000620

Release Date: 2018-07-09

Fix Resolution (cryptiles): 4.1.2

Direct dependency fix Resolution (electron): 2.0.3

:rescue_worker_helmet: Automatic Remediation is available for this issue

CVE-2020-4076

Vulnerable Library - electron-2.0.2.tgz

Build cross platform desktop apps with JavaScript, HTML, and CSS

Library home page: https://registry.npmjs.org/electron/-/electron-2.0.2.tgz

Path to dependency file: /Electron-Basic-Video-Chat/package.json

Path to vulnerable library: /Electron-Basic-Video-Chat/node_modules/electron/package.json

Dependency Hierarchy:

  • :x: electron-2.0.2.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

In Electron before versions 7.2.4, 8.2.4, and 9.0.0-beta21, there is a context isolation bypass. Code running in the main world context in the renderer can reach into the isolated Electron context and perform privileged actions. Apps using contextIsolation are affected. This is fixed in versions 9.0.0-beta.21, 8.2.4 and 7.2.4.

Publish Date: 2020-07-07

URL: CVE-2020-4076

CVSS 3 Score Details (9.0)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: None
For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://github.com/electron/electron/security/advisories/GHSA-m93v-9qjc-3g79

Release Date: 2020-07-13

Fix Resolution: 7.2.4

:rescue_worker_helmet: Automatic Remediation is available for this issue

CVE-2018-3728

Vulnerable Library - hoek-2.16.3.tgz

General purpose node utilities

Library home page: https://registry.npmjs.org/hoek/-/hoek-2.16.3.tgz

Path to dependency file: /Electron-Basic-Video-Chat/package.json

Path to vulnerable library: /Electron-Basic-Video-Chat/node_modules/hoek/package.json

Dependency Hierarchy:

  • electron-2.0.2.tgz (Root Library)
    • electron-download-3.3.0.tgz
      • nugget-2.0.1.tgz
        • request-2.81.0.tgz
          • hawk-3.1.3.tgz
            • :x: hoek-2.16.3.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

hoek node module before 4.2.0 and 5.0.x before 5.0.3 suffers from a Modification of Assumed-Immutable Data (MAID) vulnerability via 'merge' and 'applyToDefaults' functions, which allows a malicious user to modify the prototype of "Object" via proto, causing the addition or modification of an existing property that will exist on all objects.

Publish Date: 2018-03-30

URL: CVE-2018-3728

CVSS 3 Score Details (8.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High
For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16082

Release Date: 2018-03-30

Fix Resolution (hoek): 4.2.0

Direct dependency fix Resolution (electron): 2.0.3

:rescue_worker_helmet: Automatic Remediation is available for this issue

CVE-2021-33623

Vulnerable Library - trim-newlines-1.0.0.tgz

Trim newlines from the start and/or end of a string

Library home page: https://registry.npmjs.org/trim-newlines/-/trim-newlines-1.0.0.tgz

Path to dependency file: /Electron-Basic-Video-Chat/package.json

Path to vulnerable library: /Electron-Basic-Video-Chat/node_modules/trim-newlines/package.json,/React-Basic-Video-Chat/node_modules/trim-newlines/package.json

Dependency Hierarchy:

  • electron-2.0.2.tgz (Root Library)
    • electron-download-3.3.0.tgz
      • nugget-2.0.1.tgz
        • pretty-bytes-1.0.4.tgz
          • meow-3.7.0.tgz
            • :x: trim-newlines-1.0.0.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

The trim-newlines package before 3.0.1 and 4.x before 4.0.1 for Node.js has an issue related to regular expression denial-of-service (ReDoS) for the .end() method.

Publish Date: 2021-05-28

URL: CVE-2021-33623

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High
For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33623

Release Date: 2021-05-28

Fix Resolution (trim-newlines): 3.0.1

Direct dependency fix Resolution (electron): 2.0.3

:rescue_worker_helmet: Automatic Remediation is available for this issue

CVE-2018-3737

Vulnerable Library - sshpk-1.13.1.tgz

A library for finding and using SSH public keys

Library home page: https://registry.npmjs.org/sshpk/-/sshpk-1.13.1.tgz

Path to dependency file: /Electron-Basic-Video-Chat/package.json

Path to vulnerable library: /Electron-Basic-Video-Chat/node_modules/sshpk/package.json,/React-Basic-Video-Chat/node_modules/sshpk/package.json

Dependency Hierarchy:

  • electron-2.0.2.tgz (Root Library)
    • electron-download-3.3.0.tgz
      • nugget-2.0.1.tgz
        • request-2.81.0.tgz
          • http-signature-1.1.1.tgz
            • :x: sshpk-1.13.1.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

sshpk is vulnerable to ReDoS when parsing crafted invalid public keys.

Publish Date: 2018-06-07

URL: CVE-2018-3737

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High
For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://hackerone.com/reports/319593

Release Date: 2018-06-07

Fix Resolution (sshpk): 1.13.2

Direct dependency fix Resolution (electron): 2.0.3

:rescue_worker_helmet: Automatic Remediation is available for this issue

CVE-2020-4075

Vulnerable Library - electron-2.0.2.tgz

Build cross platform desktop apps with JavaScript, HTML, and CSS

Library home page: https://registry.npmjs.org/electron/-/electron-2.0.2.tgz

Path to dependency file: /Electron-Basic-Video-Chat/package.json

Path to vulnerable library: /Electron-Basic-Video-Chat/node_modules/electron/package.json

Dependency Hierarchy:

  • :x: electron-2.0.2.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

In Electron before versions 7.2.4, 8.2.4, and 9.0.0-beta21, arbitrary local file read is possible by defining unsafe window options on a child window opened via window.open. As a workaround, ensure you are calling event.preventDefault() on all new-window events where the url or options is not something you expect. This is fixed in versions 9.0.0-beta.21, 8.2.4 and 7.2.4.

Publish Date: 2020-07-07

URL: CVE-2020-4075

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None
For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://github.com/electron/electron/security/advisories/GHSA-f9mq-jph6-9mhm

Release Date: 2020-07-13

Fix Resolution: 7.2.4

:rescue_worker_helmet: Automatic Remediation is available for this issue

CVE-2022-29167

Vulnerable Library - hawk-3.1.3.tgz

HTTP Hawk Authentication Scheme

Library home page: https://registry.npmjs.org/hawk/-/hawk-3.1.3.tgz

Dependency Hierarchy:

  • electron-2.0.2.tgz (Root Library)
    • electron-download-3.3.0.tgz
      • nugget-2.0.1.tgz
        • request-2.81.0.tgz
          • :x: hawk-3.1.3.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Hawk is an HTTP authentication scheme providing mechanisms for making authenticated HTTP requests with partial cryptographic verification of the request and response, covering the HTTP method, request URI, host, and optionally the request payload. Hawk used a regular expression to parse Host HTTP header (Hawk.utils.parseHost()), which was subject to regular expression DoS attack - meaning each added character in the attacker's input increases the computation time exponentially. parseHost() was patched in 9.0.1 to use built-in URL class to parse hostname instead. Hawk.authenticate() accepts options argument. If that contains host and port, those would be used instead of a call to utils.parseHost().

Publish Date: 2022-05-05

URL: CVE-2022-29167

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High
For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://github.com/mozilla/hawk/security/advisories/GHSA-44pw-h2cw-w3vq

Release Date: 2022-05-05

Fix Resolution: hawk - 9.0.1

CVE-2020-7788

Vulnerable Library - ini-1.3.4.tgz

An ini encoder/decoder for node

Library home page: https://registry.npmjs.org/ini/-/ini-1.3.4.tgz

Path to dependency file: /React-Basic-Video-Chat/package.json

Path to vulnerable library: /React-Basic-Video-Chat/node_modules/ini/package.json,/Electron-Basic-Video-Chat/node_modules/ini/package.json

Dependency Hierarchy:

  • electron-2.0.2.tgz (Root Library)
    • electron-download-3.3.0.tgz
      • rc-1.2.1.tgz
        • :x: ini-1.3.4.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

This affects the package ini before 1.3.6. If an attacker submits a malicious INI file to an application that parses it with ini.parse, they will pollute the prototype on the application. This can be exploited further depending on the context.

Publish Date: 2020-12-11

URL: CVE-2020-7788

CVSS 3 Score Details (7.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: Low
For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7788

Release Date: 2020-12-11

Fix Resolution (ini): 1.3.6

Direct dependency fix Resolution (electron): 2.0.3

:rescue_worker_helmet: Automatic Remediation is available for this issue

CVE-2022-29257

Vulnerable Library - electron-2.0.2.tgz

Build cross platform desktop apps with JavaScript, HTML, and CSS

Library home page: https://registry.npmjs.org/electron/-/electron-2.0.2.tgz

Path to dependency file: /Electron-Basic-Video-Chat/package.json

Path to vulnerable library: /Electron-Basic-Video-Chat/node_modules/electron/package.json

Dependency Hierarchy:

  • :x: electron-2.0.2.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Electron is a framework for writing cross-platform desktop applications using JavaScript (JS), HTML, and CSS. A vulnerability in versions prior to 18.0.0-beta.6, 17.2.0, 16.2.6, and 15.5.5 allows attackers who have control over a given apps update server / update storage to serve maliciously crafted update packages that pass the code signing validation check but contain malicious code in some components. This kind of attack would require significant privileges in a potential victim's own auto updating infrastructure and the ease of that attack entirely depends on the potential victim's infrastructure security. Electron versions 18.0.0-beta.6, 17.2.0, 16.2.6, and 15.5.5 contain a fix for this issue. There are no known workarounds.

Publish Date: 2022-06-13

URL: CVE-2022-29257

CVSS 3 Score Details (7.2)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: High
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High
For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://github.com/electron/electron/security/advisories/GHSA-77xc-hjv8-ww97

Release Date: 2022-06-13

Fix Resolution: 15.5.0

:rescue_worker_helmet: Automatic Remediation is available for this issue

CVE-2020-15096

Vulnerable Library - electron-2.0.2.tgz

Build cross platform desktop apps with JavaScript, HTML, and CSS

Library home page: https://registry.npmjs.org/electron/-/electron-2.0.2.tgz

Path to dependency file: /Electron-Basic-Video-Chat/package.json

Path to vulnerable library: /Electron-Basic-Video-Chat/node_modules/electron/package.json

Dependency Hierarchy:

  • :x: electron-2.0.2.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

In Electron before versions 6.1.1, 7.2.4, 8.2.4, and 9.0.0-beta21, there is a context isolation bypass, meaning that code running in the main world context in the renderer can reach into the isolated Electron context and perform privileged actions. Apps using "contextIsolation" are affected. There are no app-side workarounds, you must update your Electron version to be protected. This is fixed in versions 6.1.1, 7.2.4, 8.2.4, and 9.0.0-beta21.

Publish Date: 2020-07-07

URL: CVE-2020-15096

CVSS 3 Score Details (6.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: High
    • User Interaction: None
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: High
    • Availability Impact: None
For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://github.com/electron/electron/security/advisories/GHSA-6vrv-94jv-crrg

Release Date: 2020-07-10

Fix Resolution: 6.1.11

:rescue_worker_helmet: Automatic Remediation is available for this issue

CVE-2018-21270

Vulnerable Library - stringstream-0.0.5.tgz

Encode and decode streams into string streams

Library home page: https://registry.npmjs.org/stringstream/-/stringstream-0.0.5.tgz

Dependency Hierarchy:

  • electron-2.0.2.tgz (Root Library)
    • electron-download-3.3.0.tgz
      • nugget-2.0.1.tgz
        • request-2.81.0.tgz
          • :x: stringstream-0.0.5.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Versions less than 0.0.6 of the Node.js stringstream module are vulnerable to an out-of-bounds read because of allocation of uninitialized buffers when a number is passed in the input stream (when using Node.js 4.x).

Publish Date: 2020-12-03

URL: CVE-2018-21270

CVSS 3 Score Details (6.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: None
    • Availability Impact: High
For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-21270

Release Date: 2020-12-03

Fix Resolution (stringstream): 0.0.6

Direct dependency fix Resolution (electron): 2.0.3

CVE-2020-15366

Vulnerable Library - ajv-4.11.8.tgz

Another JSON Schema Validator

Library home page: https://registry.npmjs.org/ajv/-/ajv-4.11.8.tgz

Dependency Hierarchy:

  • electron-2.0.2.tgz (Root Library)
    • electron-download-3.3.0.tgz
      • nugget-2.0.1.tgz
        • request-2.81.0.tgz
          • har-validator-4.2.1.tgz
            • :x: ajv-4.11.8.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

An issue was discovered in ajv.validate() in Ajv (aka Another JSON Schema Validator) 6.12.2. A carefully crafted JSON schema could be provided that allows execution of other code by prototype pollution. (While untrusted schemas are recommended against, the worst case of an untrusted schema should be a denial of service, not execution of code.)

Publish Date: 2020-07-15

URL: CVE-2020-15366

CVSS 3 Score Details (5.6)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: Low
For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2020-07-15

Fix Resolution (ajv): 6.12.3

Direct dependency fix Resolution (electron): 2.0.3

CVE-2020-7598

Vulnerable Libraries - minimist-1.2.0.tgz, minimist-0.0.8.tgz

minimist-1.2.0.tgz

parse argument options

Library home page: https://registry.npmjs.org/minimist/-/minimist-1.2.0.tgz

Path to dependency file: /Electron-Basic-Video-Chat/package.json

Path to vulnerable library: /Electron-Basic-Video-Chat/node_modules/minimist/package.json,/React-Basic-Video-Chat/node_modules/rc/node_modules/minimist/package.json,/React-Basic-Video-Chat/node_modules/cosmiconfig/node_modules/minimist/package.json,/React-Basic-Video-Chat/node_modules/sane/node_modules/minimist/package.json,/React-Basic-Video-Chat/node_modules/meow/node_modules/minimist/package.json

Dependency Hierarchy:

  • electron-2.0.2.tgz (Root Library)
    • electron-download-3.3.0.tgz
      • :x: minimist-1.2.0.tgz (Vulnerable Library)

minimist-0.0.8.tgz

parse argument options

Library home page: https://registry.npmjs.org/minimist/-/minimist-0.0.8.tgz

Path to dependency file: /React-Basic-Video-Chat/package.json

Path to vulnerable library: /React-Basic-Video-Chat/node_modules/minimist/package.json,/Electron-Basic-Video-Chat/node_modules/mkdirp/node_modules/minimist/package.json

Dependency Hierarchy:

  • electron-2.0.2.tgz (Root Library)
    • extract-zip-1.6.5.tgz
      • mkdirp-0.5.0.tgz
        • :x: minimist-0.0.8.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

minimist before 1.2.2 could be tricked into adding or modifying properties of Object.prototype using a "constructor" or "proto" payload.

Publish Date: 2020-03-11

URL: CVE-2020-7598

CVSS 3 Score Details (5.6)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: Low
For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2020-03-11

Fix Resolution (minimist): 1.2.3

Direct dependency fix Resolution (electron): 2.0.3

Fix Resolution (minimist): 0.2.1

Direct dependency fix Resolution (electron): 2.0.3

:rescue_worker_helmet: Automatic Remediation is available for this issue

CVE-2017-15010

Vulnerable Library - tough-cookie-2.3.2.tgz

RFC6265 Cookies and Cookie Jar for node.js

Library home page: https://registry.npmjs.org/tough-cookie/-/tough-cookie-2.3.2.tgz

Path to dependency file: /Electron-Basic-Video-Chat/package.json

Path to vulnerable library: /Electron-Basic-Video-Chat/node_modules/tough-cookie/package.json

Dependency Hierarchy:

  • electron-2.0.2.tgz (Root Library)
    • electron-download-3.3.0.tgz
      • nugget-2.0.1.tgz
        • request-2.81.0.tgz
          • :x: tough-cookie-2.3.2.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

A ReDoS (regular expression denial of service) flaw was found in the tough-cookie module before 2.3.3 for Node.js. An attacker that is able to make an HTTP request using a specially crafted cookie may cause the application to consume an excessive amount of CPU.

Publish Date: 2017-10-04

URL: CVE-2017-15010

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: Low
For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2017-15010

Release Date: 2017-10-04

Fix Resolution (tough-cookie): 2.3.3

Direct dependency fix Resolution (electron): 2.0.3

:rescue_worker_helmet: Automatic Remediation is available for this issue

CVE-2021-23362

Vulnerable Library - hosted-git-info-2.5.0.tgz

Provides metadata and conversions from repository urls for Github, Bitbucket and Gitlab

Library home page: https://registry.npmjs.org/hosted-git-info/-/hosted-git-info-2.5.0.tgz

Path to dependency file: /Electron-Basic-Video-Chat/package.json

Path to vulnerable library: /Electron-Basic-Video-Chat/node_modules/hosted-git-info/package.json,/React-Basic-Video-Chat/node_modules/hosted-git-info/package.json

Dependency Hierarchy:

  • electron-2.0.2.tgz (Root Library)
    • electron-download-3.3.0.tgz
      • nugget-2.0.1.tgz
        • pretty-bytes-1.0.4.tgz
          • meow-3.7.0.tgz
            • normalize-package-data-2.4.0.tgz
              • :x: hosted-git-info-2.5.0.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

The package hosted-git-info before 3.0.8 are vulnerable to Regular Expression Denial of Service (ReDoS) via regular expression shortcutMatch in the fromUrl function in index.js. The affected regular expression exhibits polynomial worst-case time complexity.

Publish Date: 2021-03-23

URL: CVE-2021-23362

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: Low
For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://github.com/advisories/GHSA-43f8-2h32-f4cj

Release Date: 2021-03-23

Fix Resolution (hosted-git-info): 2.8.9

Direct dependency fix Resolution (electron): 2.0.3

:rescue_worker_helmet: Automatic Remediation is available for this issue

CVE-2017-16137

Vulnerable Libraries - debug-2.2.0.tgz, debug-2.6.8.tgz

debug-2.2.0.tgz

small debugging utility

Library home page: https://registry.npmjs.org/debug/-/debug-2.2.0.tgz

Path to dependency file: /Electron-Basic-Video-Chat/package.json

Path to vulnerable library: /Electron-Basic-Video-Chat/node_modules/extract-zip/node_modules/debug/package.json

Dependency Hierarchy:

  • electron-2.0.2.tgz (Root Library)
    • extract-zip-1.6.5.tgz
      • :x: debug-2.2.0.tgz (Vulnerable Library)

debug-2.6.8.tgz

small debugging utility

Library home page: https://registry.npmjs.org/debug/-/debug-2.6.8.tgz

Path to dependency file: /Electron-Basic-Video-Chat/package.json

Path to vulnerable library: /Electron-Basic-Video-Chat/node_modules/debug/package.json

Dependency Hierarchy:

  • electron-2.0.2.tgz (Root Library)
    • electron-download-3.3.0.tgz
      • :x: debug-2.6.8.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

The debug module is vulnerable to regular expression denial of service when untrusted user input is passed into the o formatter. It takes around 50k characters to block for 2 seconds making this a low severity issue.

Publish Date: 2018-06-07

URL: CVE-2017-16137

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: Low
For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-16137

Release Date: 2018-06-07

Fix Resolution (debug): 2.6.9

Direct dependency fix Resolution (electron): 2.0.3

Fix Resolution (debug): 2.6.9

Direct dependency fix Resolution (electron): 2.0.3

:rescue_worker_helmet: Automatic Remediation is available for this issue

CVE-2022-21718

Vulnerable Library - electron-2.0.2.tgz

Build cross platform desktop apps with JavaScript, HTML, and CSS

Library home page: https://registry.npmjs.org/electron/-/electron-2.0.2.tgz

Path to dependency file: /Electron-Basic-Video-Chat/package.json

Path to vulnerable library: /Electron-Basic-Video-Chat/node_modules/electron/package.json

Dependency Hierarchy:

  • :x: electron-2.0.2.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Electron is a framework for writing cross-platform desktop applications using JavaScript, HTML and CSS. A vulnerability in versions prior to 17.0.0-alpha.6, 16.0.6, 15.3.5, 14.2.4, and 13.6.6 allows renderers to obtain access to a bluetooth device via the web bluetooth API if the app has not configured a custom select-bluetooth-device event handler. This has been patched and Electron versions 17.0.0-alpha.6, 16.0.6, 15.3.5, 14.2.4, and 13.6.6 contain the fix. Code from the GitHub Security Advisory can be added to the app to work around the issue.

Publish Date: 2022-03-22

URL: CVE-2022-21718

CVSS 3 Score Details (5.0)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: None
    • Availability Impact: None
For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21718

Release Date: 2022-03-22

Fix Resolution: 13.6.6

:rescue_worker_helmet: Automatic Remediation is available for this issue

WS-2018-0103

Vulnerable Library - stringstream-0.0.5.tgz

Encode and decode streams into string streams

Library home page: https://registry.npmjs.org/stringstream/-/stringstream-0.0.5.tgz

Dependency Hierarchy:

  • electron-2.0.2.tgz (Root Library)
    • electron-download-3.3.0.tgz
      • nugget-2.0.1.tgz
        • request-2.81.0.tgz
          • :x: stringstream-0.0.5.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

All versions of stringstream are vulnerable to out-of-bounds read as it allocates uninitialized Buffers when number is passed in input stream on Node.js 4.x and below.

Publish Date: 2018-05-16

URL: WS-2018-0103

CVSS 3 Score Details (4.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: None
    • Availability Impact: Low
For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nodesecurity.io/advisories/664

Release Date: 2018-01-27

Fix Resolution (stringstream): 0.0.6

Direct dependency fix Resolution (electron): 2.0.3

:rescue_worker_helmet: Automatic Remediation is available for this issue.

mend-for-github-com[bot] avatar Jun 07 '22 01:06 mend-for-github-com[bot]