From 5f9366bef7e0040c7a18fdb176d001aa5812c873 Mon Sep 17 00:00:00 2001
From: Raihan Rahman <134499230+Raihan-R@users.noreply.github.com>
Date: Wed, 11 Oct 2023 09:58:46 +0100
Subject: [PATCH] em-5595: dependency check (#838)
---
 yarn-audit-known-issues | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/yarn-audit-known-issues b/yarn-audit-known-issues
index 2c28efa95..bdf0470af 100644
--- a/yarn-audit-known-issues
+++ b/yarn-audit-known-issues
@@ -1 +1 @@ -{"actions":[],"advisories":{"1085674":{"findings":[{"version":"3.10.1","paths":["@hmcts/properties-volume>lodash","@angular/cli>inquirer>lodash"]}],"metadata":null,"vulnerable_versions":"<4.17.11","module_name":"lodash","severity":"moderate","github_advisory_id":"GHSA-x5rq-j2xg-h7qm","cves":["CVE-2019-1010266"],"access":"public","patched_versions":">=4.17.11","cvss":{"score":0,"vectorString":null},"updated":"2023-01-09T05:01:38.000Z","recommendation":"Upgrade to version 4.17.11 or later","cwe":["CWE-400"],"found_by":null,"deleted":null,"id":1085674,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2019-1010266\n- https://github.com/lodash/lodash/issues/3359\n- https://snyk.io/vuln/SNYK-JS-LODASH-73639\n- https://github.com/lodash/lodash/commit/5c08f18d365b64063bfbfa686cbb97cdd6267347\n- https://github.com/lodash/lodash/wiki/Changelog\n- https://security.netapp.com/advisory/ntap-20190919-0004/\n- https://github.com/advisories/GHSA-x5rq-j2xg-h7qm","created":"2019-07-19T16:13:07.000Z","reported_by":null,"title":"Regular Expression Denial of Service (ReDoS) in lodash","npm_advisory_id":null,"overview":"lodash prior to 4.7.11 is affected by: CWE-400: Uncontrolled Resource Consumption. The impact is: Denial of service. The component is: Date handler. The attack vector is: Attacker provides very long strings, which the library attempts to match using a regular expression. 
The fixed version is: 4.7.11.","url":"https://github.com/advisories/GHSA-x5rq-j2xg-h7qm"},"1087627":{"findings":[{"version":"3.10.1","paths":["@hmcts/properties-volume>lodash","@angular/cli>inquirer>lodash"]}],"metadata":null,"vulnerable_versions":"<4.17.11","module_name":"lodash","severity":"high","github_advisory_id":"GHSA-4xc9-xhrj-v574","cves":["CVE-2018-16487"],"access":"public","patched_versions":">=4.17.11","cvss":{"score":0,"vectorString":null},"updated":"2023-01-09T05:02:32.000Z","recommendation":"Upgrade to version 4.17.11 or later","cwe":["CWE-400"],"found_by":null,"deleted":null,"id":1087627,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2018-16487\n- https://hackerone.com/reports/380873\n- https://github.com/advisories/GHSA-4xc9-xhrj-v574\n- https://www.npmjs.com/advisories/782\n- https://security.netapp.com/advisory/ntap-20190919-0004/","created":"2019-02-07T18:16:48.000Z","reported_by":null,"title":"Prototype Pollution in lodash","npm_advisory_id":null,"overview":"Versions of `lodash` before 4.17.5 are vulnerable to prototype pollution. 
\n\nThe vulnerable functions are 'defaultsDeep', 'merge', and 'mergeWith' which allow a malicious user to modify the prototype of `Object` via `{constructor: {prototype: {...}}}` causing the addition or modification of an existing property that will exist on all objects.\n\n\n\n\n## Recommendation\n\nUpdate to version 4.17.11 or later.","url":"https://github.com/advisories/GHSA-4xc9-xhrj-v574"},"1087663":{"findings":[{"version":"3.10.1","paths":["@hmcts/properties-volume>lodash","@angular/cli>inquirer>lodash"]}],"metadata":null,"vulnerable_versions":"<4.17.5","module_name":"lodash","severity":"low","github_advisory_id":"GHSA-fvqr-27wr-82fm","cves":["CVE-2018-3721"],"access":"public","patched_versions":">=4.17.5","cvss":{"score":0,"vectorString":null},"updated":"2023-01-09T05:03:02.000Z","recommendation":"Upgrade to version 4.17.5 or later","cwe":["CWE-471"],"found_by":null,"deleted":null,"id":1087663,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2018-3721\n- https://hackerone.com/reports/310443\n- https://github.com/advisories/GHSA-fvqr-27wr-82fm\n- https://www.npmjs.com/advisories/577\n- https://github.com/lodash/lodash/commit/d8e069cc3410082e44eb18fcf8e7f3d08ebe1d4a\n- https://security.netapp.com/advisory/ntap-20190919-0004/","created":"2018-07-26T15:14:52.000Z","reported_by":null,"title":"Prototype Pollution in lodash","npm_advisory_id":null,"overview":"Versions of `lodash` before 4.17.5 are vulnerable to prototype pollution. 
\n\nThe vulnerable functions are 'defaultsDeep', 'merge', and 'mergeWith' which allow a malicious user to modify the prototype of `Object` via `__proto__` causing the addition or modification of an existing property that will exist on all objects.\n\n\n\n\n## Recommendation\n\nUpdate to version 4.17.5 or later.","url":"https://github.com/advisories/GHSA-fvqr-27wr-82fm"},"1088948":{"findings":[{"version":"6.7.1","paths":["nodemon>update-notifier>latest-version>package-json>got"]}],"metadata":null,"vulnerable_versions":"<11.8.5","module_name":"got","severity":"moderate","github_advisory_id":"GHSA-pfrx-2q88-qq97","cves":["CVE-2022-33987"],"access":"public","patched_versions":">=11.8.5","cvss":{"score":5.3,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},"updated":"2023-01-27T05:05:01.000Z","recommendation":"Upgrade to version 11.8.5 or later","cwe":[],"found_by":null,"deleted":null,"id":1088948,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2022-33987\n- https://github.com/sindresorhus/got/pull/2047\n- https://github.com/sindresorhus/got/compare/v12.0.3...v12.1.0\n- https://github.com/sindresorhus/got/commit/861ccd9ac2237df762a9e2beed7edd88c60782dc\n- https://github.com/sindresorhus/got/releases/tag/v11.8.5\n- https://github.com/sindresorhus/got/releases/tag/v12.1.0\n- https://github.com/advisories/GHSA-pfrx-2q88-qq97","created":"2022-06-19T00:00:21.000Z","reported_by":null,"title":"Got allows a redirect to a UNIX socket","npm_advisory_id":null,"overview":"The got package before 11.8.5 and 12.1.0 for Node.js allows a redirect to a UNIX 
socket.","url":"https://github.com/advisories/GHSA-pfrx-2q88-qq97"},"1091307":{"findings":[{"version":"3.10.1","paths":["@hmcts/properties-volume>lodash","@angular/cli>inquirer>lodash"]}],"metadata":null,"vulnerable_versions":"<4.17.20","module_name":"lodash","severity":"high","github_advisory_id":"GHSA-p6mc-m468-83gw","cves":["CVE-2020-8203"],"access":"public","patched_versions":">=4.17.20","cvss":{"score":7.4,"vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H"},"updated":"2023-03-08T05:05:35.000Z","recommendation":"Upgrade to version 4.17.20 or later","cwe":["CWE-770","CWE-1321"],"found_by":null,"deleted":null,"id":1091307,"references":"- https://github.com/lodash/lodash/issues/4744\n- https://github.com/lodash/lodash/commit/c84fe82760fb2d3e03a63379b297a1cc1a2fce12\n- https://www.npmjs.com/advisories/1523\n- https://nvd.nist.gov/vuln/detail/CVE-2020-8203\n- https://hackerone.com/reports/712065\n- https://security.netapp.com/advisory/ntap-20200724-0006/\n- https://github.com/lodash/lodash/issues/4874\n- https://www.oracle.com/security-alerts/cpuApr2021.html\n- https://www.oracle.com//security-alerts/cpujul2021.html\n- https://www.oracle.com/security-alerts/cpuoct2021.html\n- https://www.oracle.com/security-alerts/cpujan2022.html\n- https://www.oracle.com/security-alerts/cpuapr2022.html\n- https://github.com/advisories/GHSA-p6mc-m468-83gw","created":"2020-07-15T19:15:48.000Z","reported_by":null,"title":"Prototype Pollution in lodash","npm_advisory_id":null,"overview":"Versions of lodash prior to 4.17.19 are vulnerable to Prototype Pollution. The function zipObjectDeep allows a malicious user to modify the prototype of Object if the property identifiers are user-supplied. 
Being affected by this issue requires zipping objects based on user-provided property arrays.\n\nThis vulnerability causes the addition or modification of an existing property that will exist on all objects and may lead to Denial of Service or Code Execution under specific circumstances.","url":"https://github.com/advisories/GHSA-p6mc-m468-83gw"},"1091832":{"findings":[{"version":"3.10.1","paths":["@hmcts/properties-volume>lodash","@angular/cli>inquirer>lodash"]}],"metadata":null,"vulnerable_versions":"<4.17.21","module_name":"lodash","severity":"high","github_advisory_id":"GHSA-35jh-r3h4-6jhm","cves":["CVE-2021-23337"],"access":"public","patched_versions":">=4.17.21","cvss":{"score":7.2,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"},"updated":"2023-04-26T17:56:06.000Z","recommendation":"Upgrade to version 4.17.21 or later","cwe":["CWE-77","CWE-94"],"found_by":null,"deleted":null,"id":1091832,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2021-23337\n- https://github.com/lodash/lodash/commit/3469357cff396a26c363f8c1b5a91dde28ba4b1c\n- https://security.netapp.com/advisory/ntap-20210312-0006/\n- https://snyk.io/vuln/SNYK-JS-LODASH-1040724\n- https://github.com/lodash/lodash/blob/ddfd9b11a0126db2302cb70ec9973b66baec0975/lodash.js#L14851\n- https://github.com/lodash/lodash/blob/ddfd9b11a0126db2302cb70ec9973b66baec0975/lodash.js%23L14851\n- https://snyk.io/vuln/SNYK-JAVA-ORGFUJIONWEBJARS-1074932\n- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-1074930\n- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1074928\n- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBLODASH-1074931\n- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1074929\n- https://www.oracle.com//security-alerts/cpujul2021.html\n- https://www.oracle.com/security-alerts/cpuoct2021.html\n- https://www.oracle.com/security-alerts/cpujan2022.html\n- https://www.oracle.com/security-alerts/cpujul2022.html\n- https://cert-portal.siemens.com/productcert/pdf/ssa-637483.pdf\n- 
https://github.com/advisories/GHSA-35jh-r3h4-6jhm","created":"2021-05-06T16:05:51.000Z","reported_by":null,"title":"Command Injection in lodash","npm_advisory_id":null,"overview":"`lodash` versions prior to 4.17.21 are vulnerable to Command Injection via the template function.","url":"https://github.com/advisories/GHSA-35jh-r3h4-6jhm"},"1092174":{"findings":[{"version":"4.2.2","paths":["socket.io-client>socket.io-parser"]}],"metadata":null,"vulnerable_versions":">=4.0.4 <4.2.3","module_name":"socket.io-parser","severity":"high","github_advisory_id":"GHSA-cqmj-92xf-r6r9","cves":["CVE-2023-32695"],"access":"public","patched_versions":">=4.2.3","cvss":{"score":7.3,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"},"updated":"2023-06-05T21:07:58.000Z","recommendation":"Upgrade to version 4.2.3 or later","cwe":["CWE-20","CWE-754"],"found_by":null,"deleted":null,"id":1092174,"references":"- https://github.com/socketio/socket.io-parser/security/advisories/GHSA-cqmj-92xf-r6r9\n- https://github.com/socketio/socket.io-parser/commit/2dc3c92622dad113b8676be06f23b1ed46b02ced\n- https://github.com/socketio/socket.io-parser/commit/3b78117bf6ba7e99d7a5cfc1ba54d0477554a7f3\n- https://github.com/socketio/socket.io-parser/commit/1c220ddbf45ea4b44bc8dbf6f9ae245f672ba1b9\n- https://nvd.nist.gov/vuln/detail/CVE-2023-32695\n- https://github.com/socketio/socket.io-parser/releases/tag/4.2.3\n- https://github.com/advisories/GHSA-cqmj-92xf-r6r9","created":"2023-05-23T19:55:13.000Z","reported_by":null,"title":"Insufficient validation when decoding a Socket.IO packet","npm_advisory_id":null,"overview":"### Impact\n\nA specially crafted Socket.IO packet can trigger an uncaught exception on the Socket.IO server, thus killing the Node.js process.\n\n```\nTypeError: Cannot convert object to primitive value\n at Socket.emit (node:events:507:25)\n at .../node_modules/socket.io/lib/socket.js:531:14\n```\n\n### Patches\n\nA fix has been released today (2023/05/22):\n\n- 
https://github.com/socketio/socket.io-parser/commit/3b78117bf6ba7e99d7a5cfc1ba54d0477554a7f3, included in `socket.io-parser@4.2.3`\n- https://github.com/socketio/socket.io-parser/commit/2dc3c92622dad113b8676be06f23b1ed46b02ced, included in `socket.io-parser@3.4.3`\n\n| `socket.io` version | `socket.io-parser` version | Needs minor update? |\n|---------------------|---------------------------------------------------------------------------------------------------------|--------------------------------------|\n| `4.5.2...latest` | `~4.2.0` ([ref](https://github.com/socketio/socket.io/commit/9890b036cf942f6b6ad2afeb6a8361c32cd5d528)) | `npm audit fix` should be sufficient |\n| `4.1.3...4.5.1` | `~4.1.1` ([ref](https://github.com/socketio/socket.io/commit/7c44893d7878cd5bba1eff43150c3e664f88fb57)) | Please upgrade to `socket.io@4.6.x` |\n| `3.0.5...4.1.2` | `~4.0.3` ([ref](https://github.com/socketio/socket.io/commit/752dfe3b1e5fecda53dae899b4a39e6fed5a1a17)) | Please upgrade to `socket.io@4.6.x` |\n| `3.0.0...3.0.4` | `~4.0.1` ([ref](https://github.com/socketio/socket.io/commit/1af3267e3f5f7884214cf2ca4d5282d620092fb0)) | Please upgrade to `socket.io@4.6.x` |\n| `2.3.0...2.5.0` | `~3.4.0` ([ref](https://github.com/socketio/socket.io/commit/cf39362014f5ff13a17168b74772c43920d6e4fd)) | `npm audit fix` should be sufficient |\n\n\n### Workarounds\n\nThere is no known workaround except upgrading to a safe version.\n\n### For more information\n\nIf you have any questions or comments about this advisory:\n\n- Open a discussion [here](https://github.com/socketio/socket.io/discussions)\n\nThanks to [@rafax00](https://github.com/rafax00) for the responsible 
disclosure.\n","url":"https://github.com/advisories/GHSA-cqmj-92xf-r6r9"},"1092301":{"findings":[{"version":"0.4.23","paths":["protractor-screenshot-utils>protractor>selenium-webdriver>xml2js","protractor-screenshot-utils>protractor>webdriver-js-extender>selenium-webdriver>xml2js"]}],"metadata":null,"vulnerable_versions":"<0.5.0","module_name":"xml2js","severity":"moderate","github_advisory_id":"GHSA-776f-qx25-q3cc","cves":["CVE-2023-0842"],"access":"public","patched_versions":">=0.5.0","cvss":{"score":5.3,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},"updated":"2023-06-21T18:11:17.000Z","recommendation":"Upgrade to version 0.5.0 or later","cwe":["CWE-1321"],"found_by":null,"deleted":null,"id":1092301,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2023-0842\n- https://fluidattacks.com/advisories/myers/\n- https://github.com/Leonidas-from-XIV/node-xml2js/issues/663\n- https://github.com/Leonidas-from-XIV/node-xml2js/pull/603/commits/581b19a62d88f8a3c068b5a45f4542c2d6a495a5\n- https://github.com/advisories/GHSA-776f-qx25-q3cc","created":"2023-04-05T21:30:24.000Z","reported_by":null,"title":"xml2js is vulnerable to prototype pollution","npm_advisory_id":null,"overview":"xml2js versions before 0.5.0 allows an external attacker to edit or add new properties to an object. 
This is possible because the application does not properly validate incoming JSON keys, thus allowing the `__proto__` property to be edited.","url":"https://github.com/advisories/GHSA-776f-qx25-q3cc"},"1092316":{"findings":[{"version":"4.1.0","paths":["@angular/cli>pacote>npm-registry-fetch>make-fetch-happen>http-cache-semantics","@angular/cli>@schematics/update>pacote>npm-registry-fetch>make-fetch-happen>http-cache-semantics"]}],"metadata":null,"vulnerable_versions":"<4.1.1","module_name":"http-cache-semantics","severity":"high","github_advisory_id":"GHSA-rc47-6667-2j5j","cves":["CVE-2022-25881"],"access":"public","patched_versions":">=4.1.1","cvss":{"score":7.5,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},"updated":"2023-06-22T17:26:15.000Z","recommendation":"Upgrade to version 4.1.1 or later","cwe":["CWE-1333"],"found_by":null,"deleted":null,"id":1092316,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2022-25881\n- https://github.com/kornelski/http-cache-semantics/blob/master/index.js%23L83\n- https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-3253332\n- https://security.snyk.io/vuln/SNYK-JS-HTTPCACHESEMANTICS-3248783\n- https://github.com/kornelski/http-cache-semantics/commit/560b2d8ef452bbba20ffed69dc155d63ac757b74\n- https://security.netapp.com/advisory/ntap-20230622-0008/\n- https://github.com/advisories/GHSA-rc47-6667-2j5j","created":"2023-01-31T06:30:26.000Z","reported_by":null,"title":"http-cache-semantics vulnerable to Regular Expression Denial of Service","npm_advisory_id":null,"overview":"http-cache semantics contains an Inefficient Regular Expression Complexity , leading to Denial of Service. This affects versions of the package http-cache-semantics before 4.1.1. 
The issue can be exploited via malicious request header values sent to a server, when that server reads the cache policy from the request using this library.","url":"https://github.com/advisories/GHSA-rc47-6667-2j5j"},"1092470":{"findings":[{"version":"2.5.0","paths":["request-promise-native>tough-cookie","@angular/cli>universal-analytics>request>tough-cookie","protractor-screenshot-utils>protractor>webdriver-manager>request>tough-cookie","@angular/cli>pacote>@npmcli/run-script>node-gyp>request>tough-cookie","@angular/cli>@schematics/update>pacote>@npmcli/run-script>node-gyp>request>tough-cookie"]}],"metadata":null,"vulnerable_versions":"<4.1.3","module_name":"tough-cookie","severity":"moderate","github_advisory_id":"GHSA-72xf-g2v4-qvf3","cves":["CVE-2023-26136"],"access":"public","patched_versions":">=4.1.3","cvss":{"score":6.5,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"},"updated":"2023-07-11T13:44:36.000Z","recommendation":"Upgrade to version 4.1.3 or later","cwe":["CWE-1321"],"found_by":null,"deleted":null,"id":1092470,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2023-26136\n- https://github.com/salesforce/tough-cookie/issues/282\n- https://github.com/salesforce/tough-cookie/commit/12d474791bb856004e858fdb1c47b7608d09cf6e\n- https://github.com/salesforce/tough-cookie/releases/tag/v4.1.3\n- https://security.snyk.io/vuln/SNYK-JS-TOUGHCOOKIE-5672873\n- https://lists.debian.org/debian-lts-announce/2023/07/msg00010.html\n- https://github.com/advisories/GHSA-72xf-g2v4-qvf3","created":"2023-07-01T06:30:16.000Z","reported_by":null,"title":"tough-cookie Prototype Pollution vulnerability","npm_advisory_id":null,"overview":"Versions of the package tough-cookie before 4.1.3 are vulnerable to Prototype Pollution due to improper handling of Cookies when using CookieJar in `rejectPublicSuffixes=false` mode. 
This issue arises from the manner in which the objects are initialized.","url":"https://github.com/advisories/GHSA-72xf-g2v4-qvf3"},"1092972":{"findings":[{"version":"2.88.2","paths":["@angular/cli>universal-analytics>request","protractor-screenshot-utils>protractor>webdriver-manager>request","@angular/cli>pacote>@npmcli/run-script>node-gyp>request","@angular/cli>@schematics/update>pacote>@npmcli/run-script>node-gyp>request"]}],"metadata":null,"vulnerable_versions":"<=2.88.2","module_name":"request","severity":"moderate","github_advisory_id":"GHSA-p8p7-x288-28g6","cves":["CVE-2023-28155"],"access":"public","patched_versions":"<0.0.0","cvss":{"score":6.1,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},"updated":"2023-08-14T20:53:47.000Z","recommendation":"None","cwe":["CWE-918"],"found_by":null,"deleted":null,"id":1092972,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2023-28155\n- https://github.com/request/request/issues/3442\n- https://github.com/request/request/pull/3444\n- https://doyensec.com/resources/Doyensec_Advisory_RequestSSRF_Q12023.pdf\n- https://security.netapp.com/advisory/ntap-20230413-0007/\n- https://github.com/github/advisory-database/pull/2500\n- https://github.com/cypress-io/request/blob/master/lib/redirect.js#L116\n- https://github.com/request/request/blob/master/lib/redirect.js#L111\n- https://github.com/cypress-io/request/pull/28\n- https://github.com/cypress-io/request/commit/c5bcf21d40fb61feaff21a0e5a2b3934a440024f\n- https://github.com/cypress-io/request/releases/tag/v3.0.0\n- https://github.com/advisories/GHSA-p8p7-x288-28g6","created":"2023-03-16T15:30:19.000Z","reported_by":null,"title":"Server-Side Request Forgery in Request","npm_advisory_id":null,"overview":"The `request` package through 2.88.2 for Node.js and the `@cypress/request` package prior to 3.0.0 allow a bypass of SSRF mitigations via an attacker-controller server that does a cross-protocol redirect (HTTP to HTTPS, or HTTPS to HTTP).\n\nNOTE: The 
`request` package is no longer supported by the maintainer.","url":"https://github.com/advisories/GHSA-p8p7-x288-28g6"},"1093264":{"findings":[{"version":"7.3.4","paths":["@angular/cli>semver","@angular/cli>npm-package-arg>semver","@angular/cli>@schematics/update>npm-package-arg>semver","@angular/cli>pacote>npm-pick-manifest>npm-package-arg>semver","@angular/cli>pacote>@npmcli/git>npm-pick-manifest>npm-package-arg>semver","@angular/cli>@schematics/update>pacote>@npmcli/git>npm-pick-manifest>npm-package-arg>semver"]}],"metadata":null,"vulnerable_versions":">=7.0.0 <7.5.2","module_name":"semver","severity":"moderate","github_advisory_id":"GHSA-c2qf-rxjj-qqgw","cves":["CVE-2022-25883"],"access":"public","patched_versions":">=7.5.2","cvss":{"score":5.3,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},"updated":"2023-09-01T23:43:55.000Z","recommendation":"Upgrade to version 7.5.2 or later","cwe":["CWE-1333"],"found_by":null,"deleted":null,"id":1093264,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2022-25883\n- https://github.com/npm/node-semver/pull/564\n- https://github.com/npm/node-semver/commit/717534ee353682f3bcf33e60a8af4292626d4441\n- https://security.snyk.io/vuln/SNYK-JS-SEMVER-3247795\n- https://github.com/npm/node-semver/blob/main/classes/range.js#L97-L104\n- https://github.com/npm/node-semver/blob/main/internal/re.js#L138\n- https://github.com/npm/node-semver/blob/main/internal/re.js#L160\n- https://github.com/npm/node-semver/pull/585\n- https://github.com/npm/node-semver/commit/928e56d21150da0413a3333a3148b20e741a920c\n- https://github.com/npm/node-semver/pull/593\n- https://github.com/npm/node-semver/commit/2f8fd41487acf380194579ecb6f8b1bbfe116be0\n- https://github.com/advisories/GHSA-c2qf-rxjj-qqgw","created":"2023-06-21T06:30:28.000Z","reported_by":null,"title":"semver vulnerable to Regular Expression Denial of Service","npm_advisory_id":null,"overview":"Versions of the package semver before 7.5.2 on the 7.x branch, before 6.3.1 on the 
6.x branch, and all other versions before 5.7.2 are vulnerable to Regular Expression Denial of Service (ReDoS) via the function new Range, when untrusted user data is provided as a range.","url":"https://github.com/advisories/GHSA-c2qf-rxjj-qqgw"},"1093296":{"findings":[{"version":"3.10.1","paths":["@hmcts/properties-volume>lodash","@angular/cli>inquirer>lodash"]}],"metadata":null,"vulnerable_versions":"<4.17.21","module_name":"lodash","severity":"moderate","github_advisory_id":"GHSA-29mw-wpgm-hmr9","cves":["CVE-2020-28500"],"access":"public","patched_versions":">=4.17.21","cvss":{"score":5.3,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},"updated":"2023-09-05T22:58:26.000Z","recommendation":"Upgrade to version 4.17.21 or later","cwe":["CWE-400","CWE-1333"],"found_by":null,"deleted":null,"id":1093296,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2020-28500\n- https://github.com/lodash/lodash/pull/5065\n- https://github.com/lodash/lodash/pull/5065/commits/02906b8191d3c100c193fe6f7b27d1c40f200bb7\n- https://github.com/lodash/lodash/blob/npm/trimEnd.js%23L8\n- https://security.netapp.com/advisory/ntap-20210312-0006/\n- https://snyk.io/vuln/SNYK-JS-LODASH-1018905\n- https://snyk.io/vuln/SNYK-JAVA-ORGFUJIONWEBJARS-1074896\n- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-1074894\n- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1074892\n- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBLODASH-1074895\n- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1074893\n- https://www.oracle.com//security-alerts/cpujul2021.html\n- https://www.oracle.com/security-alerts/cpuoct2021.html\n- https://www.oracle.com/security-alerts/cpujan2022.html\n- https://www.oracle.com/security-alerts/cpujul2022.html\n- https://cert-portal.siemens.com/productcert/pdf/ssa-637483.pdf\n- https://github.com/lodash/lodash/commit/c4847ebe7d14540bb28a8b932a9ce1b9ecbfee1a\n- 
https://github.com/advisories/GHSA-29mw-wpgm-hmr9","created":"2022-01-06T20:30:46.000Z","reported_by":null,"title":"Regular Expression Denial of Service (ReDoS) in lodash","npm_advisory_id":null,"overview":"All versions of package lodash prior to 4.17.21 are vulnerable to Regular Expression Denial of Service (ReDoS) via the `toNumber`, `trim` and `trimEnd` functions. \n\nSteps to reproduce (provided by reporter Liyuan Chen):\n```js\nvar lo = require('lodash');\n\nfunction build_blank(n) {\n var ret = \"1\"\n for (var i = 0; i < n; i++) {\n ret += \" \"\n }\n return ret + \"1\";\n}\nvar s = build_blank(50000) var time0 = Date.now();\nlo.trim(s) var time_cost0 = Date.now() - time0;\nconsole.log(\"time_cost0: \" + time_cost0) var time1 = Date.now();\nlo.toNumber(s) var time_cost1 = Date.now() - time1;\nconsole.log(\"time_cost1: \" + time_cost1) var time2 = Date.now();\nlo.trimEnd(s) var time_cost2 = Date.now() - time2;\nconsole.log(\"time_cost2: \" + time_cost2)\n```","url":"https://github.com/advisories/GHSA-29mw-wpgm-hmr9"},"1093314":{"findings":[{"version":"3.10.1","paths":["@hmcts/properties-volume>lodash","@angular/cli>inquirer>lodash"]}],"metadata":null,"vulnerable_versions":"<4.17.12","module_name":"lodash","severity":"critical","github_advisory_id":"GHSA-jf85-cpcp-j695","cves":["CVE-2019-10744"],"access":"public","patched_versions":">=4.17.12","cvss":{"score":9.1,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H"},"updated":"2023-09-05T22:24:56.000Z","recommendation":"Upgrade to version 4.17.12 or later","cwe":["CWE-20"],"found_by":null,"deleted":null,"id":1093314,"references":"- https://github.com/lodash/lodash/pull/4336\n- https://nvd.nist.gov/vuln/detail/CVE-2019-10744\n- https://snyk.io/vuln/SNYK-JS-LODASH-450202\n- https://www.npmjs.com/advisories/1065\n- https://access.redhat.com/errata/RHSA-2019:3024\n- https://security.netapp.com/advisory/ntap-20191004-0005/\n- 
https://support.f5.com/csp/article/K47105354?utm_source=f5support&utm_medium=RSS\n- https://www.oracle.com/security-alerts/cpujan2021.html\n- https://www.oracle.com/security-alerts/cpuoct2020.html\n- https://github.com/advisories/GHSA-jf85-cpcp-j695","created":"2019-07-10T19:45:23.000Z","reported_by":null,"title":"Prototype Pollution in lodash","npm_advisory_id":null,"overview":"Versions of `lodash` before 4.17.12 are vulnerable to Prototype Pollution. The function `defaultsDeep` allows a malicious user to modify the prototype of `Object` via `{constructor: {prototype: {...}}}` causing the addition or modification of an existing property that will exist on all objects.\n\n## Recommendation\n\nUpdate to version 4.17.12 or later.","url":"https://github.com/advisories/GHSA-jf85-cpcp-j695"},"1093882":{"findings":[{"version":"1.0.2","paths":["@nguniversal/express-engine>@nguniversal/common>critters>css-select>nth-check"]}],"metadata":null,"vulnerable_versions":"<2.0.1","module_name":"nth-check","severity":"high","github_advisory_id":"GHSA-rp65-9cf3-cjxr","cves":["CVE-2021-3803"],"access":"public","patched_versions":">=2.0.1","cvss":{"score":7.5,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},"updated":"2023-09-13T21:49:55.000Z","recommendation":"Upgrade to version 2.0.1 or later","cwe":["CWE-1333"],"found_by":null,"deleted":null,"id":1093882,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2021-3803\n- https://github.com/fb55/nth-check/commit/9894c1d2010870c351f66c6f6efcf656e26bb726\n- https://huntr.dev/bounties/8cf8cc06-d2cf-4b4e-b42c-99fafb0b04d0\n- https://lists.debian.org/debian-lts-announce/2023/05/msg00023.html\n- https://github.com/advisories/GHSA-rp65-9cf3-cjxr","created":"2021-09-20T20:47:31.000Z","reported_by":null,"title":"Inefficient Regular Expression Complexity in nth-check","npm_advisory_id":null,"overview":"There is a Regular Expression Denial of Service (ReDoS) vulnerability in nth-check that causes a denial of service when parsing 
crafted invalid CSS nth-checks.\n\nThe ReDoS vulnerabilities of the regex are mainly due to the sub-pattern `\\s*(?:([+-]?)\\s*(\\d+))?` with quantified overlapping adjacency and can be exploited with the following code.\n\n**Proof of Concept**\n```js\n// PoC.js\nvar nthCheck = require(\"nth-check\")\nfor(var i = 1; i <= 50000; i++) {\n var time = Date.now();\n var attack_str = '2n' + ' '.repeat(i*10000)+\"!\";\n try {\n nthCheck.parse(attack_str) \n }\n catch(err) {\n var time_cost = Date.now() - time;\n console.log(\"attack_str.length: \" + attack_str.length + \": \" + time_cost+\" ms\")\n }\n}\n```\n\n**The Output**\n```\nattack_str.length: 10003: 174 ms\nattack_str.length: 20003: 1427 ms\nattack_str.length: 30003: 2602 ms\nattack_str.length: 40003: 4378 ms\nattack_str.length: 50003: 7473 ms\n```","url":"https://github.com/advisories/GHSA-rp65-9cf3-cjxr"},"1094219":{"findings":[{"version":"4.1.1","paths":["@angular/cli>debug","@angular/cli>universal-analytics>debug","protractor-screenshot-utils>protractor>browserstack>https-proxy-agent>debug","@angular/cli>pacote>npm-registry-fetch>make-fetch-happen>agentkeepalive>debug","@angular/cli>@schematics/update>pacote>npm-registry-fetch>make-fetch-happen>agentkeepalive>debug","scss-bundle>sass>chokidar>anymatch>micromatch>braces>snapdragon>debug","protractor-screenshot-utils>protractor>webdriver-manager>del>globby>fast-glob>micromatch>braces>snapdragon>debug"]}],"metadata":null,"vulnerable_versions":">=4.0.0 <4.3.1","module_name":"debug","severity":"moderate","github_advisory_id":"GHSA-gxpj-cx7g-858c","cves":["CVE-2017-16137"],"access":"public","patched_versions":">=4.3.1","cvss":{"score":5.3,"vectorString":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},"updated":"2023-10-02T17:59:03.000Z","recommendation":"Upgrade to version 4.3.1 or later","cwe":["CWE-400"],"found_by":null,"deleted":null,"id":1094219,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2017-16137\n- https://github.com/visionmedia/debug/issues/501\n- 
https://github.com/visionmedia/debug/pull/504\n- https://lists.apache.org/thread.html/r8ba4c628fba7181af58817d452119481adce4ba92e889c643e4c7dd3@%3Ccommits.netbeans.apache.org%3E\n- https://lists.apache.org/thread.html/rb5ac16fad337d1f3bb7079549f97d8166d0ef3082629417c39f12d63@%3Cnotifications.netbeans.apache.org%3E\n- https://github.com/debug-js/debug/issues/797\n- https://github.com/debug-js/debug/commit/4e2150207c568adb9ead8f4c4528016081c88020\n- https://github.com/debug-js/debug/commit/71169065b5262f9858ac78cc0b688c84a438f290\n- https://github.com/debug-js/debug/commit/b6d12fdbc63b483e5c969da33ea6adc09946b5ac\n- https://github.com/debug-js/debug/commit/f53962e944a87e6ca9bb622a2a12dffc22a9bb5a\n- https://github.com/advisories/GHSA-gxpj-cx7g-858c","created":"2018-08-09T20:18:07.000Z","reported_by":null,"title":"Regular Expression Denial of Service in debug","npm_advisory_id":null,"overview":"Affected versions of `debug` are vulnerable to regular expression denial of service when untrusted user input is passed into the `o` formatter. 
\n\nAs it takes 50,000 characters to block the event loop for 2 seconds, this issue is a low severity issue.\n\nThis was later re-introduced in version v3.2.0, and then repatched in versions 3.2.7 and 4.3.1.\n\n## Recommendation\n\nVersion 2.x.x: Update to version 2.6.9 or later.\nVersion 3.1.x: Update to version 3.1.0 or later.\nVersion 3.2.x: Update to version 3.2.7 or later.\nVersion 4.x.x: Update to version 4.3.1 or later.","url":"https://github.com/advisories/GHSA-gxpj-cx7g-858c"},"1094280":{"findings":[{"version":"8.2.15","paths":["@nguniversal/express-engine>@nguniversal/common>critters>postcss"]}],"metadata":null,"vulnerable_versions":"<8.4.31","module_name":"postcss","severity":"moderate","github_advisory_id":"GHSA-7fh5-64p2-3v2j","cves":["CVE-2023-44270"],"access":"public","patched_versions":">=8.4.31","cvss":{"score":0,"vectorString":null},"updated":"2023-10-09T20:06:54.000Z","recommendation":"Upgrade to version 8.4.31 or later","cwe":["CWE-144"],"found_by":null,"deleted":null,"id":1094280,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2023-44270\n- https://github.com/postcss/postcss/commit/58cc860b4c1707510c9cd1bc1fa30b423a9ad6c5\n- https://github.com/postcss/postcss/blob/main/lib/tokenize.js#L25\n- https://github.com/postcss/postcss/releases/tag/8.4.31\n- https://github.com/advisories/GHSA-7fh5-64p2-3v2j","created":"2023-09-30T00:31:10.000Z","reported_by":null,"title":"PostCSS line return parsing error","npm_advisory_id":null,"overview":"An issue was discovered in PostCSS before 8.4.31. It affects linters using PostCSS to parse external Cascading Style Sheets (CSS). There may be `\\r` discrepancies, as demonstrated by `@font-face{ font:(\\r/*);}` in a rule.\n\nThis vulnerability affects linters using PostCSS to parse external untrusted CSS. An attacker can prepare CSS in such a way that it will contains parts parsed by PostCSS as a CSS comment. 
After processing by PostCSS, it will be included in the PostCSS output in CSS nodes (rules, properties) despite being originally included in a comment.","url":"https://github.com/advisories/GHSA-7fh5-64p2-3v2j"}},"muted":[],"metadata":{"vulnerabilities":{"info":0,"low":2,"moderate":30,"high":10,"critical":2},"dependencies":569,"devDependencies":15,"optionalDependencies":0,"totalDependencies":584}} 
+{"actions":[],"advisories":{"1085674":{"findings":[{"version":"3.10.1","paths":["@hmcts/properties-volume>lodash","@angular/cli>inquirer>lodash"]}],"metadata":null,"vulnerable_versions":"<4.17.11","module_name":"lodash","severity":"moderate","github_advisory_id":"GHSA-x5rq-j2xg-h7qm","cves":["CVE-2019-1010266"],"access":"public","patched_versions":">=4.17.11","cvss":{"score":0,"vectorString":null},"updated":"2023-01-09T05:01:38.000Z","recommendation":"Upgrade to version 4.17.11 or later","cwe":["CWE-400"],"found_by":null,"deleted":null,"id":1085674,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2019-1010266\n- https://github.com/lodash/lodash/issues/3359\n- https://snyk.io/vuln/SNYK-JS-LODASH-73639\n- https://github.com/lodash/lodash/commit/5c08f18d365b64063bfbfa686cbb97cdd6267347\n- https://github.com/lodash/lodash/wiki/Changelog\n- https://security.netapp.com/advisory/ntap-20190919-0004/\n- https://github.com/advisories/GHSA-x5rq-j2xg-h7qm","created":"2019-07-19T16:13:07.000Z","reported_by":null,"title":"Regular Expression Denial of Service (ReDoS) in lodash","npm_advisory_id":null,"overview":"lodash prior to 4.7.11 is affected by: CWE-400: Uncontrolled Resource Consumption. The impact is: Denial of service. The component is: Date handler. The attack vector is: Attacker provides very long strings, which the library attempts to match using a regular expression. 
The fixed version is: 4.7.11.","url":"https://github.com/advisories/GHSA-x5rq-j2xg-h7qm"},"1087627":{"findings":[{"version":"3.10.1","paths":["@hmcts/properties-volume>lodash","@angular/cli>inquirer>lodash"]}],"metadata":null,"vulnerable_versions":"<4.17.11","module_name":"lodash","severity":"high","github_advisory_id":"GHSA-4xc9-xhrj-v574","cves":["CVE-2018-16487"],"access":"public","patched_versions":">=4.17.11","cvss":{"score":0,"vectorString":null},"updated":"2023-01-09T05:02:32.000Z","recommendation":"Upgrade to version 4.17.11 or later","cwe":["CWE-400"],"found_by":null,"deleted":null,"id":1087627,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2018-16487\n- https://hackerone.com/reports/380873\n- https://github.com/advisories/GHSA-4xc9-xhrj-v574\n- https://www.npmjs.com/advisories/782\n- https://security.netapp.com/advisory/ntap-20190919-0004/","created":"2019-02-07T18:16:48.000Z","reported_by":null,"title":"Prototype Pollution in lodash","npm_advisory_id":null,"overview":"Versions of `lodash` before 4.17.5 are vulnerable to prototype pollution. 
\n\nThe vulnerable functions are 'defaultsDeep', 'merge', and 'mergeWith' which allow a malicious user to modify the prototype of `Object` via `{constructor: {prototype: {...}}}` causing the addition or modification of an existing property that will exist on all objects.\n\n\n\n\n## Recommendation\n\nUpdate to version 4.17.11 or later.","url":"https://github.com/advisories/GHSA-4xc9-xhrj-v574"},"1087663":{"findings":[{"version":"3.10.1","paths":["@hmcts/properties-volume>lodash","@angular/cli>inquirer>lodash"]}],"metadata":null,"vulnerable_versions":"<4.17.5","module_name":"lodash","severity":"low","github_advisory_id":"GHSA-fvqr-27wr-82fm","cves":["CVE-2018-3721"],"access":"public","patched_versions":">=4.17.5","cvss":{"score":0,"vectorString":null},"updated":"2023-01-09T05:03:02.000Z","recommendation":"Upgrade to version 4.17.5 or later","cwe":["CWE-471"],"found_by":null,"deleted":null,"id":1087663,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2018-3721\n- https://hackerone.com/reports/310443\n- https://github.com/advisories/GHSA-fvqr-27wr-82fm\n- https://www.npmjs.com/advisories/577\n- https://github.com/lodash/lodash/commit/d8e069cc3410082e44eb18fcf8e7f3d08ebe1d4a\n- https://security.netapp.com/advisory/ntap-20190919-0004/","created":"2018-07-26T15:14:52.000Z","reported_by":null,"title":"Prototype Pollution in lodash","npm_advisory_id":null,"overview":"Versions of `lodash` before 4.17.5 are vulnerable to prototype pollution. 
\n\nThe vulnerable functions are 'defaultsDeep', 'merge', and 'mergeWith' which allow a malicious user to modify the prototype of `Object` via `__proto__` causing the addition or modification of an existing property that will exist on all objects.\n\n\n\n\n## Recommendation\n\nUpdate to version 4.17.5 or later.","url":"https://github.com/advisories/GHSA-fvqr-27wr-82fm"},"1088948":{"findings":[{"version":"6.7.1","paths":["nodemon>update-notifier>latest-version>package-json>got"]}],"metadata":null,"vulnerable_versions":"<11.8.5","module_name":"got","severity":"moderate","github_advisory_id":"GHSA-pfrx-2q88-qq97","cves":["CVE-2022-33987"],"access":"public","patched_versions":">=11.8.5","cvss":{"score":5.3,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},"updated":"2023-01-27T05:05:01.000Z","recommendation":"Upgrade to version 11.8.5 or later","cwe":[],"found_by":null,"deleted":null,"id":1088948,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2022-33987\n- https://github.com/sindresorhus/got/pull/2047\n- https://github.com/sindresorhus/got/compare/v12.0.3...v12.1.0\n- https://github.com/sindresorhus/got/commit/861ccd9ac2237df762a9e2beed7edd88c60782dc\n- https://github.com/sindresorhus/got/releases/tag/v11.8.5\n- https://github.com/sindresorhus/got/releases/tag/v12.1.0\n- https://github.com/advisories/GHSA-pfrx-2q88-qq97","created":"2022-06-19T00:00:21.000Z","reported_by":null,"title":"Got allows a redirect to a UNIX socket","npm_advisory_id":null,"overview":"The got package before 11.8.5 and 12.1.0 for Node.js allows a redirect to a UNIX 
socket.","url":"https://github.com/advisories/GHSA-pfrx-2q88-qq97"},"1091307":{"findings":[{"version":"3.10.1","paths":["@hmcts/properties-volume>lodash","@angular/cli>inquirer>lodash"]}],"metadata":null,"vulnerable_versions":"<4.17.20","module_name":"lodash","severity":"high","github_advisory_id":"GHSA-p6mc-m468-83gw","cves":["CVE-2020-8203"],"access":"public","patched_versions":">=4.17.20","cvss":{"score":7.4,"vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H"},"updated":"2023-03-08T05:05:35.000Z","recommendation":"Upgrade to version 4.17.20 or later","cwe":["CWE-770","CWE-1321"],"found_by":null,"deleted":null,"id":1091307,"references":"- https://github.com/lodash/lodash/issues/4744\n- https://github.com/lodash/lodash/commit/c84fe82760fb2d3e03a63379b297a1cc1a2fce12\n- https://www.npmjs.com/advisories/1523\n- https://nvd.nist.gov/vuln/detail/CVE-2020-8203\n- https://hackerone.com/reports/712065\n- https://security.netapp.com/advisory/ntap-20200724-0006/\n- https://github.com/lodash/lodash/issues/4874\n- https://www.oracle.com/security-alerts/cpuApr2021.html\n- https://www.oracle.com//security-alerts/cpujul2021.html\n- https://www.oracle.com/security-alerts/cpuoct2021.html\n- https://www.oracle.com/security-alerts/cpujan2022.html\n- https://www.oracle.com/security-alerts/cpuapr2022.html\n- https://github.com/advisories/GHSA-p6mc-m468-83gw","created":"2020-07-15T19:15:48.000Z","reported_by":null,"title":"Prototype Pollution in lodash","npm_advisory_id":null,"overview":"Versions of lodash prior to 4.17.19 are vulnerable to Prototype Pollution. The function zipObjectDeep allows a malicious user to modify the prototype of Object if the property identifiers are user-supplied. 
Being affected by this issue requires zipping objects based on user-provided property arrays.\n\nThis vulnerability causes the addition or modification of an existing property that will exist on all objects and may lead to Denial of Service or Code Execution under specific circumstances.","url":"https://github.com/advisories/GHSA-p6mc-m468-83gw"},"1091832":{"findings":[{"version":"3.10.1","paths":["@hmcts/properties-volume>lodash","@angular/cli>inquirer>lodash"]}],"metadata":null,"vulnerable_versions":"<4.17.21","module_name":"lodash","severity":"high","github_advisory_id":"GHSA-35jh-r3h4-6jhm","cves":["CVE-2021-23337"],"access":"public","patched_versions":">=4.17.21","cvss":{"score":7.2,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"},"updated":"2023-04-26T17:56:06.000Z","recommendation":"Upgrade to version 4.17.21 or later","cwe":["CWE-77","CWE-94"],"found_by":null,"deleted":null,"id":1091832,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2021-23337\n- https://github.com/lodash/lodash/commit/3469357cff396a26c363f8c1b5a91dde28ba4b1c\n- https://security.netapp.com/advisory/ntap-20210312-0006/\n- https://snyk.io/vuln/SNYK-JS-LODASH-1040724\n- https://github.com/lodash/lodash/blob/ddfd9b11a0126db2302cb70ec9973b66baec0975/lodash.js#L14851\n- https://github.com/lodash/lodash/blob/ddfd9b11a0126db2302cb70ec9973b66baec0975/lodash.js%23L14851\n- https://snyk.io/vuln/SNYK-JAVA-ORGFUJIONWEBJARS-1074932\n- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-1074930\n- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1074928\n- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBLODASH-1074931\n- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1074929\n- https://www.oracle.com//security-alerts/cpujul2021.html\n- https://www.oracle.com/security-alerts/cpuoct2021.html\n- https://www.oracle.com/security-alerts/cpujan2022.html\n- https://www.oracle.com/security-alerts/cpujul2022.html\n- https://cert-portal.siemens.com/productcert/pdf/ssa-637483.pdf\n- 
https://github.com/advisories/GHSA-35jh-r3h4-6jhm","created":"2021-05-06T16:05:51.000Z","reported_by":null,"title":"Command Injection in lodash","npm_advisory_id":null,"overview":"`lodash` versions prior to 4.17.21 are vulnerable to Command Injection via the template function.","url":"https://github.com/advisories/GHSA-35jh-r3h4-6jhm"},"1092174":{"findings":[{"version":"4.2.2","paths":["socket.io-client>socket.io-parser"]}],"metadata":null,"vulnerable_versions":">=4.0.4 <4.2.3","module_name":"socket.io-parser","severity":"high","github_advisory_id":"GHSA-cqmj-92xf-r6r9","cves":["CVE-2023-32695"],"access":"public","patched_versions":">=4.2.3","cvss":{"score":7.3,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"},"updated":"2023-06-05T21:07:58.000Z","recommendation":"Upgrade to version 4.2.3 or later","cwe":["CWE-20","CWE-754"],"found_by":null,"deleted":null,"id":1092174,"references":"- https://github.com/socketio/socket.io-parser/security/advisories/GHSA-cqmj-92xf-r6r9\n- https://github.com/socketio/socket.io-parser/commit/2dc3c92622dad113b8676be06f23b1ed46b02ced\n- https://github.com/socketio/socket.io-parser/commit/3b78117bf6ba7e99d7a5cfc1ba54d0477554a7f3\n- https://github.com/socketio/socket.io-parser/commit/1c220ddbf45ea4b44bc8dbf6f9ae245f672ba1b9\n- https://nvd.nist.gov/vuln/detail/CVE-2023-32695\n- https://github.com/socketio/socket.io-parser/releases/tag/4.2.3\n- https://github.com/advisories/GHSA-cqmj-92xf-r6r9","created":"2023-05-23T19:55:13.000Z","reported_by":null,"title":"Insufficient validation when decoding a Socket.IO packet","npm_advisory_id":null,"overview":"### Impact\n\nA specially crafted Socket.IO packet can trigger an uncaught exception on the Socket.IO server, thus killing the Node.js process.\n\n```\nTypeError: Cannot convert object to primitive value\n at Socket.emit (node:events:507:25)\n at .../node_modules/socket.io/lib/socket.js:531:14\n```\n\n### Patches\n\nA fix has been released today (2023/05/22):\n\n- 
https://github.com/socketio/socket.io-parser/commit/3b78117bf6ba7e99d7a5cfc1ba54d0477554a7f3, included in `socket.io-parser@4.2.3`\n- https://github.com/socketio/socket.io-parser/commit/2dc3c92622dad113b8676be06f23b1ed46b02ced, included in `socket.io-parser@3.4.3`\n\n| `socket.io` version | `socket.io-parser` version | Needs minor update? |\n|---------------------|---------------------------------------------------------------------------------------------------------|--------------------------------------|\n| `4.5.2...latest` | `~4.2.0` ([ref](https://github.com/socketio/socket.io/commit/9890b036cf942f6b6ad2afeb6a8361c32cd5d528)) | `npm audit fix` should be sufficient |\n| `4.1.3...4.5.1` | `~4.1.1` ([ref](https://github.com/socketio/socket.io/commit/7c44893d7878cd5bba1eff43150c3e664f88fb57)) | Please upgrade to `socket.io@4.6.x` |\n| `3.0.5...4.1.2` | `~4.0.3` ([ref](https://github.com/socketio/socket.io/commit/752dfe3b1e5fecda53dae899b4a39e6fed5a1a17)) | Please upgrade to `socket.io@4.6.x` |\n| `3.0.0...3.0.4` | `~4.0.1` ([ref](https://github.com/socketio/socket.io/commit/1af3267e3f5f7884214cf2ca4d5282d620092fb0)) | Please upgrade to `socket.io@4.6.x` |\n| `2.3.0...2.5.0` | `~3.4.0` ([ref](https://github.com/socketio/socket.io/commit/cf39362014f5ff13a17168b74772c43920d6e4fd)) | `npm audit fix` should be sufficient |\n\n\n### Workarounds\n\nThere is no known workaround except upgrading to a safe version.\n\n### For more information\n\nIf you have any questions or comments about this advisory:\n\n- Open a discussion [here](https://github.com/socketio/socket.io/discussions)\n\nThanks to [@rafax00](https://github.com/rafax00) for the responsible 
disclosure.\n","url":"https://github.com/advisories/GHSA-cqmj-92xf-r6r9"},"1092301":{"findings":[{"version":"0.4.23","paths":["protractor-screenshot-utils>protractor>selenium-webdriver>xml2js","protractor-screenshot-utils>protractor>webdriver-js-extender>selenium-webdriver>xml2js"]}],"metadata":null,"vulnerable_versions":"<0.5.0","module_name":"xml2js","severity":"moderate","github_advisory_id":"GHSA-776f-qx25-q3cc","cves":["CVE-2023-0842"],"access":"public","patched_versions":">=0.5.0","cvss":{"score":5.3,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},"updated":"2023-06-21T18:11:17.000Z","recommendation":"Upgrade to version 0.5.0 or later","cwe":["CWE-1321"],"found_by":null,"deleted":null,"id":1092301,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2023-0842\n- https://fluidattacks.com/advisories/myers/\n- https://github.com/Leonidas-from-XIV/node-xml2js/issues/663\n- https://github.com/Leonidas-from-XIV/node-xml2js/pull/603/commits/581b19a62d88f8a3c068b5a45f4542c2d6a495a5\n- https://github.com/advisories/GHSA-776f-qx25-q3cc","created":"2023-04-05T21:30:24.000Z","reported_by":null,"title":"xml2js is vulnerable to prototype pollution","npm_advisory_id":null,"overview":"xml2js versions before 0.5.0 allows an external attacker to edit or add new properties to an object. 
This is possible because the application does not properly validate incoming JSON keys, thus allowing the `__proto__` property to be edited.","url":"https://github.com/advisories/GHSA-776f-qx25-q3cc"},"1092316":{"findings":[{"version":"4.1.0","paths":["@angular/cli>pacote>npm-registry-fetch>make-fetch-happen>http-cache-semantics","@angular/cli>@schematics/update>pacote>npm-registry-fetch>make-fetch-happen>http-cache-semantics"]}],"metadata":null,"vulnerable_versions":"<4.1.1","module_name":"http-cache-semantics","severity":"high","github_advisory_id":"GHSA-rc47-6667-2j5j","cves":["CVE-2022-25881"],"access":"public","patched_versions":">=4.1.1","cvss":{"score":7.5,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},"updated":"2023-06-22T17:26:15.000Z","recommendation":"Upgrade to version 4.1.1 or later","cwe":["CWE-1333"],"found_by":null,"deleted":null,"id":1092316,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2022-25881\n- https://github.com/kornelski/http-cache-semantics/blob/master/index.js%23L83\n- https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-3253332\n- https://security.snyk.io/vuln/SNYK-JS-HTTPCACHESEMANTICS-3248783\n- https://github.com/kornelski/http-cache-semantics/commit/560b2d8ef452bbba20ffed69dc155d63ac757b74\n- https://security.netapp.com/advisory/ntap-20230622-0008/\n- https://github.com/advisories/GHSA-rc47-6667-2j5j","created":"2023-01-31T06:30:26.000Z","reported_by":null,"title":"http-cache-semantics vulnerable to Regular Expression Denial of Service","npm_advisory_id":null,"overview":"http-cache semantics contains an Inefficient Regular Expression Complexity , leading to Denial of Service. This affects versions of the package http-cache-semantics before 4.1.1. 
The issue can be exploited via malicious request header values sent to a server, when that server reads the cache policy from the request using this library.","url":"https://github.com/advisories/GHSA-rc47-6667-2j5j"},"1092470":{"findings":[{"version":"2.5.0","paths":["request-promise-native>tough-cookie","@angular/cli>universal-analytics>request>tough-cookie","protractor-screenshot-utils>protractor>webdriver-manager>request>tough-cookie","@angular/cli>pacote>@npmcli/run-script>node-gyp>request>tough-cookie","@angular/cli>@schematics/update>pacote>@npmcli/run-script>node-gyp>request>tough-cookie"]}],"metadata":null,"vulnerable_versions":"<4.1.3","module_name":"tough-cookie","severity":"moderate","github_advisory_id":"GHSA-72xf-g2v4-qvf3","cves":["CVE-2023-26136"],"access":"public","patched_versions":">=4.1.3","cvss":{"score":6.5,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"},"updated":"2023-07-11T13:44:36.000Z","recommendation":"Upgrade to version 4.1.3 or later","cwe":["CWE-1321"],"found_by":null,"deleted":null,"id":1092470,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2023-26136\n- https://github.com/salesforce/tough-cookie/issues/282\n- https://github.com/salesforce/tough-cookie/commit/12d474791bb856004e858fdb1c47b7608d09cf6e\n- https://github.com/salesforce/tough-cookie/releases/tag/v4.1.3\n- https://security.snyk.io/vuln/SNYK-JS-TOUGHCOOKIE-5672873\n- https://lists.debian.org/debian-lts-announce/2023/07/msg00010.html\n- https://github.com/advisories/GHSA-72xf-g2v4-qvf3","created":"2023-07-01T06:30:16.000Z","reported_by":null,"title":"tough-cookie Prototype Pollution vulnerability","npm_advisory_id":null,"overview":"Versions of the package tough-cookie before 4.1.3 are vulnerable to Prototype Pollution due to improper handling of Cookies when using CookieJar in `rejectPublicSuffixes=false` mode. 
This issue arises from the manner in which the objects are initialized.","url":"https://github.com/advisories/GHSA-72xf-g2v4-qvf3"},"1092972":{"findings":[{"version":"2.88.2","paths":["@angular/cli>universal-analytics>request","protractor-screenshot-utils>protractor>webdriver-manager>request","@angular/cli>pacote>@npmcli/run-script>node-gyp>request","@angular/cli>@schematics/update>pacote>@npmcli/run-script>node-gyp>request"]}],"metadata":null,"vulnerable_versions":"<=2.88.2","module_name":"request","severity":"moderate","github_advisory_id":"GHSA-p8p7-x288-28g6","cves":["CVE-2023-28155"],"access":"public","patched_versions":"<0.0.0","cvss":{"score":6.1,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},"updated":"2023-08-14T20:53:47.000Z","recommendation":"None","cwe":["CWE-918"],"found_by":null,"deleted":null,"id":1092972,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2023-28155\n- https://github.com/request/request/issues/3442\n- https://github.com/request/request/pull/3444\n- https://doyensec.com/resources/Doyensec_Advisory_RequestSSRF_Q12023.pdf\n- https://security.netapp.com/advisory/ntap-20230413-0007/\n- https://github.com/github/advisory-database/pull/2500\n- https://github.com/cypress-io/request/blob/master/lib/redirect.js#L116\n- https://github.com/request/request/blob/master/lib/redirect.js#L111\n- https://github.com/cypress-io/request/pull/28\n- https://github.com/cypress-io/request/commit/c5bcf21d40fb61feaff21a0e5a2b3934a440024f\n- https://github.com/cypress-io/request/releases/tag/v3.0.0\n- https://github.com/advisories/GHSA-p8p7-x288-28g6","created":"2023-03-16T15:30:19.000Z","reported_by":null,"title":"Server-Side Request Forgery in Request","npm_advisory_id":null,"overview":"The `request` package through 2.88.2 for Node.js and the `@cypress/request` package prior to 3.0.0 allow a bypass of SSRF mitigations via an attacker-controller server that does a cross-protocol redirect (HTTP to HTTPS, or HTTPS to HTTP).\n\nNOTE: The 
`request` package is no longer supported by the maintainer.","url":"https://github.com/advisories/GHSA-p8p7-x288-28g6"},"1093264":{"findings":[{"version":"7.3.4","paths":["@angular/cli>semver","@angular/cli>npm-package-arg>semver","@angular/cli>@schematics/update>npm-package-arg>semver","@angular/cli>pacote>npm-pick-manifest>npm-package-arg>semver","@angular/cli>pacote>@npmcli/git>npm-pick-manifest>npm-package-arg>semver","@angular/cli>@schematics/update>pacote>@npmcli/git>npm-pick-manifest>npm-package-arg>semver"]}],"metadata":null,"vulnerable_versions":">=7.0.0 <7.5.2","module_name":"semver","severity":"moderate","github_advisory_id":"GHSA-c2qf-rxjj-qqgw","cves":["CVE-2022-25883"],"access":"public","patched_versions":">=7.5.2","cvss":{"score":5.3,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},"updated":"2023-09-01T23:43:55.000Z","recommendation":"Upgrade to version 7.5.2 or later","cwe":["CWE-1333"],"found_by":null,"deleted":null,"id":1093264,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2022-25883\n- https://github.com/npm/node-semver/pull/564\n- https://github.com/npm/node-semver/commit/717534ee353682f3bcf33e60a8af4292626d4441\n- https://security.snyk.io/vuln/SNYK-JS-SEMVER-3247795\n- https://github.com/npm/node-semver/blob/main/classes/range.js#L97-L104\n- https://github.com/npm/node-semver/blob/main/internal/re.js#L138\n- https://github.com/npm/node-semver/blob/main/internal/re.js#L160\n- https://github.com/npm/node-semver/pull/585\n- https://github.com/npm/node-semver/commit/928e56d21150da0413a3333a3148b20e741a920c\n- https://github.com/npm/node-semver/pull/593\n- https://github.com/npm/node-semver/commit/2f8fd41487acf380194579ecb6f8b1bbfe116be0\n- https://github.com/advisories/GHSA-c2qf-rxjj-qqgw","created":"2023-06-21T06:30:28.000Z","reported_by":null,"title":"semver vulnerable to Regular Expression Denial of Service","npm_advisory_id":null,"overview":"Versions of the package semver before 7.5.2 on the 7.x branch, before 6.3.1 on the 
6.x branch, and all other versions before 5.7.2 are vulnerable to Regular Expression Denial of Service (ReDoS) via the function new Range, when untrusted user data is provided as a range.","url":"https://github.com/advisories/GHSA-c2qf-rxjj-qqgw"},"1093296":{"findings":[{"version":"3.10.1","paths":["@hmcts/properties-volume>lodash","@angular/cli>inquirer>lodash"]}],"metadata":null,"vulnerable_versions":"<4.17.21","module_name":"lodash","severity":"moderate","github_advisory_id":"GHSA-29mw-wpgm-hmr9","cves":["CVE-2020-28500"],"access":"public","patched_versions":">=4.17.21","cvss":{"score":5.3,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},"updated":"2023-09-05T22:58:26.000Z","recommendation":"Upgrade to version 4.17.21 or later","cwe":["CWE-400","CWE-1333"],"found_by":null,"deleted":null,"id":1093296,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2020-28500\n- https://github.com/lodash/lodash/pull/5065\n- https://github.com/lodash/lodash/pull/5065/commits/02906b8191d3c100c193fe6f7b27d1c40f200bb7\n- https://github.com/lodash/lodash/blob/npm/trimEnd.js%23L8\n- https://security.netapp.com/advisory/ntap-20210312-0006/\n- https://snyk.io/vuln/SNYK-JS-LODASH-1018905\n- https://snyk.io/vuln/SNYK-JAVA-ORGFUJIONWEBJARS-1074896\n- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-1074894\n- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1074892\n- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBLODASH-1074895\n- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1074893\n- https://www.oracle.com//security-alerts/cpujul2021.html\n- https://www.oracle.com/security-alerts/cpuoct2021.html\n- https://www.oracle.com/security-alerts/cpujan2022.html\n- https://www.oracle.com/security-alerts/cpujul2022.html\n- https://cert-portal.siemens.com/productcert/pdf/ssa-637483.pdf\n- https://github.com/lodash/lodash/commit/c4847ebe7d14540bb28a8b932a9ce1b9ecbfee1a\n- 
https://github.com/advisories/GHSA-29mw-wpgm-hmr9","created":"2022-01-06T20:30:46.000Z","reported_by":null,"title":"Regular Expression Denial of Service (ReDoS) in lodash","npm_advisory_id":null,"overview":"All versions of package lodash prior to 4.17.21 are vulnerable to Regular Expression Denial of Service (ReDoS) via the `toNumber`, `trim` and `trimEnd` functions. \n\nSteps to reproduce (provided by reporter Liyuan Chen):\n```js\nvar lo = require('lodash');\n\nfunction build_blank(n) {\n var ret = \"1\"\n for (var i = 0; i < n; i++) {\n ret += \" \"\n }\n return ret + \"1\";\n}\nvar s = build_blank(50000) var time0 = Date.now();\nlo.trim(s) var time_cost0 = Date.now() - time0;\nconsole.log(\"time_cost0: \" + time_cost0) var time1 = Date.now();\nlo.toNumber(s) var time_cost1 = Date.now() - time1;\nconsole.log(\"time_cost1: \" + time_cost1) var time2 = Date.now();\nlo.trimEnd(s) var time_cost2 = Date.now() - time2;\nconsole.log(\"time_cost2: \" + time_cost2)\n```","url":"https://github.com/advisories/GHSA-29mw-wpgm-hmr9"},"1093314":{"findings":[{"version":"3.10.1","paths":["@hmcts/properties-volume>lodash","@angular/cli>inquirer>lodash"]}],"metadata":null,"vulnerable_versions":"<4.17.12","module_name":"lodash","severity":"critical","github_advisory_id":"GHSA-jf85-cpcp-j695","cves":["CVE-2019-10744"],"access":"public","patched_versions":">=4.17.12","cvss":{"score":9.1,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H"},"updated":"2023-09-05T22:24:56.000Z","recommendation":"Upgrade to version 4.17.12 or later","cwe":["CWE-20"],"found_by":null,"deleted":null,"id":1093314,"references":"- https://github.com/lodash/lodash/pull/4336\n- https://nvd.nist.gov/vuln/detail/CVE-2019-10744\n- https://snyk.io/vuln/SNYK-JS-LODASH-450202\n- https://www.npmjs.com/advisories/1065\n- https://access.redhat.com/errata/RHSA-2019:3024\n- https://security.netapp.com/advisory/ntap-20191004-0005/\n- 
https://support.f5.com/csp/article/K47105354?utm_source=f5support&utm_medium=RSS\n- https://www.oracle.com/security-alerts/cpujan2021.html\n- https://www.oracle.com/security-alerts/cpuoct2020.html\n- https://github.com/advisories/GHSA-jf85-cpcp-j695","created":"2019-07-10T19:45:23.000Z","reported_by":null,"title":"Prototype Pollution in lodash","npm_advisory_id":null,"overview":"Versions of `lodash` before 4.17.12 are vulnerable to Prototype Pollution. The function `defaultsDeep` allows a malicious user to modify the prototype of `Object` via `{constructor: {prototype: {...}}}` causing the addition or modification of an existing property that will exist on all objects.\n\n## Recommendation\n\nUpdate to version 4.17.12 or later.","url":"https://github.com/advisories/GHSA-jf85-cpcp-j695"},"1093882":{"findings":[{"version":"1.0.2","paths":["@nguniversal/express-engine>@nguniversal/common>critters>css-select>nth-check"]}],"metadata":null,"vulnerable_versions":"<2.0.1","module_name":"nth-check","severity":"high","github_advisory_id":"GHSA-rp65-9cf3-cjxr","cves":["CVE-2021-3803"],"access":"public","patched_versions":">=2.0.1","cvss":{"score":7.5,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},"updated":"2023-09-13T21:49:55.000Z","recommendation":"Upgrade to version 2.0.1 or later","cwe":["CWE-1333"],"found_by":null,"deleted":null,"id":1093882,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2021-3803\n- https://github.com/fb55/nth-check/commit/9894c1d2010870c351f66c6f6efcf656e26bb726\n- https://huntr.dev/bounties/8cf8cc06-d2cf-4b4e-b42c-99fafb0b04d0\n- https://lists.debian.org/debian-lts-announce/2023/05/msg00023.html\n- https://github.com/advisories/GHSA-rp65-9cf3-cjxr","created":"2021-09-20T20:47:31.000Z","reported_by":null,"title":"Inefficient Regular Expression Complexity in nth-check","npm_advisory_id":null,"overview":"There is a Regular Expression Denial of Service (ReDoS) vulnerability in nth-check that causes a denial of service when parsing 
crafted invalid CSS nth-checks.\n\nThe ReDoS vulnerabilities of the regex are mainly due to the sub-pattern `\\s*(?:([+-]?)\\s*(\\d+))?` with quantified overlapping adjacency and can be exploited with the following code.\n\n**Proof of Concept**\n```js\n// PoC.js\nvar nthCheck = require(\"nth-check\")\nfor(var i = 1; i <= 50000; i++) {\n var time = Date.now();\n var attack_str = '2n' + ' '.repeat(i*10000)+\"!\";\n try {\n nthCheck.parse(attack_str) \n }\n catch(err) {\n var time_cost = Date.now() - time;\n console.log(\"attack_str.length: \" + attack_str.length + \": \" + time_cost+\" ms\")\n }\n}\n```\n\n**The Output**\n```\nattack_str.length: 10003: 174 ms\nattack_str.length: 20003: 1427 ms\nattack_str.length: 30003: 2602 ms\nattack_str.length: 40003: 4378 ms\nattack_str.length: 50003: 7473 ms\n```","url":"https://github.com/advisories/GHSA-rp65-9cf3-cjxr"},"1094219":{"findings":[{"version":"4.1.1","paths":["@angular/cli>debug","@angular/cli>universal-analytics>debug","protractor-screenshot-utils>protractor>browserstack>https-proxy-agent>debug","@angular/cli>pacote>npm-registry-fetch>make-fetch-happen>agentkeepalive>debug","@angular/cli>@schematics/update>pacote>npm-registry-fetch>make-fetch-happen>agentkeepalive>debug","scss-bundle>sass>chokidar>anymatch>micromatch>braces>snapdragon>debug","protractor-screenshot-utils>protractor>webdriver-manager>del>globby>fast-glob>micromatch>braces>snapdragon>debug"]}],"metadata":null,"vulnerable_versions":">=4.0.0 <4.3.1","module_name":"debug","severity":"moderate","github_advisory_id":"GHSA-gxpj-cx7g-858c","cves":["CVE-2017-16137"],"access":"public","patched_versions":">=4.3.1","cvss":{"score":5.3,"vectorString":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},"updated":"2023-10-02T17:59:03.000Z","recommendation":"Upgrade to version 4.3.1 or later","cwe":["CWE-400"],"found_by":null,"deleted":null,"id":1094219,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2017-16137\n- https://github.com/visionmedia/debug/issues/501\n- 
https://github.com/visionmedia/debug/pull/504\n- https://lists.apache.org/thread.html/r8ba4c628fba7181af58817d452119481adce4ba92e889c643e4c7dd3@%3Ccommits.netbeans.apache.org%3E\n- https://lists.apache.org/thread.html/rb5ac16fad337d1f3bb7079549f97d8166d0ef3082629417c39f12d63@%3Cnotifications.netbeans.apache.org%3E\n- https://github.com/debug-js/debug/issues/797\n- https://github.com/debug-js/debug/commit/4e2150207c568adb9ead8f4c4528016081c88020\n- https://github.com/debug-js/debug/commit/71169065b5262f9858ac78cc0b688c84a438f290\n- https://github.com/debug-js/debug/commit/b6d12fdbc63b483e5c969da33ea6adc09946b5ac\n- https://github.com/debug-js/debug/commit/f53962e944a87e6ca9bb622a2a12dffc22a9bb5a\n- https://github.com/advisories/GHSA-gxpj-cx7g-858c","created":"2018-08-09T20:18:07.000Z","reported_by":null,"title":"Regular Expression Denial of Service in debug","npm_advisory_id":null,"overview":"Affected versions of `debug` are vulnerable to regular expression denial of service when untrusted user input is passed into the `o` formatter. 
\n\nAs it takes 50,000 characters to block the event loop for 2 seconds, this issue is a low severity issue.\n\nThis was later re-introduced in version v3.2.0, and then repatched in versions 3.2.7 and 4.3.1.\n\n## Recommendation\n\nVersion 2.x.x: Update to version 2.6.9 or later.\nVersion 3.1.x: Update to version 3.1.0 or later.\nVersion 3.2.x: Update to version 3.2.7 or later.\nVersion 4.x.x: Update to version 4.3.1 or later.","url":"https://github.com/advisories/GHSA-gxpj-cx7g-858c"},"1094304":{"findings":[{"version":"8.2.15","paths":["@nguniversal/express-engine>@nguniversal/common>critters>postcss"]}],"metadata":null,"vulnerable_versions":"<8.4.31","module_name":"postcss","severity":"moderate","github_advisory_id":"GHSA-7fh5-64p2-3v2j","cves":["CVE-2023-44270"],"access":"public","patched_versions":">=8.4.31","cvss":{"score":5.3,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},"updated":"2023-10-10T21:32:38.000Z","recommendation":"Upgrade to version 8.4.31 or later","cwe":["CWE-74","CWE-144"],"found_by":null,"deleted":null,"id":1094304,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2023-44270\n- https://github.com/postcss/postcss/commit/58cc860b4c1707510c9cd1bc1fa30b423a9ad6c5\n- https://github.com/postcss/postcss/blob/main/lib/tokenize.js#L25\n- https://github.com/postcss/postcss/releases/tag/8.4.31\n- https://github.com/github/advisory-database/issues/2820\n- https://github.com/advisories/GHSA-7fh5-64p2-3v2j","created":"2023-09-30T00:31:10.000Z","reported_by":null,"title":"PostCSS line return parsing error","npm_advisory_id":null,"overview":"An issue was discovered in PostCSS before 8.4.31. It affects linters using PostCSS to parse external Cascading Style Sheets (CSS). There may be `\\r` discrepancies, as demonstrated by `@font-face{ font:(\\r/*);}` in a rule.\n\nThis vulnerability affects linters using PostCSS to parse external untrusted CSS. 
An attacker can prepare CSS in such a way that it will contains parts parsed by PostCSS as a CSS comment. After processing by PostCSS, it will be included in the PostCSS output in CSS nodes (rules, properties) despite being originally included in a comment.","url":"https://github.com/advisories/GHSA-7fh5-64p2-3v2j"}},"muted":[],"metadata":{"vulnerabilities":{"info":0,"low":2,"moderate":30,"high":10,"critical":2},"dependencies":569,"devDependencies":15,"optionalDependencies":0,"totalDependencies":584}}