Vulnerable Library - bull-arena-2.4.5.tgz

Path to dependency file: /npm_and_yarn/spec/fixtures/projects/yarn/github_dependency_slash/package.json

Path to vulnerable library: /npm_and_yarn/spec/fixtures/projects/yarn/github_dependency_slash/package.json,/updater/vendor/cache/npm_and_yarn/spec/fixtures/projects/yarn/github_dependency_slash/package.json

WS-2022-0280

Vulnerable Library - moment-timezone-0.5.21.tgz

Parse and display moments in any timezone.

Library home page: https://registry.npmjs.org/moment-timezone/-/moment-timezone-0.5.21.tgz

Path to dependency file: /npm_and_yarn/spec/fixtures/projects/yarn/github_dependency_slash/package.json

Path to vulnerable library: /npm_and_yarn/spec/fixtures/projects/yarn/github_dependency_slash/package.json,/updater/vendor/cache/npm_and_yarn/spec/fixtures/projects/yarn/github_dependency_slash/package.json

Dependency Hierarchy:

• bull-arena-2.4.5.tgz (Root Library)
  • bull-3.4.8.tgz
    • cron-parser-2.6.0.tgz
      • ❌ moment-timezone-0.5.21.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Command Injection in moment-timezone before 0.5.35.

Publish Date: 2024-10-29

URL: WS-2022-0280

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-56x4-j7p9-fcf9

Release Date: 2022-08-30

Fix Resolution (moment-timezone): 0.5.35

Direct dependency fix Resolution (bull-arena): 2.5.0

⛑️ Automatic Remediation will be attempted for this issue.

WS-2018-0211

Vulnerable Libraries - event-stream-3.3.6.tgz, flatmap-stream-0.1.1.tgz

event-stream-3.3.6.tgz

construct pipes of streams of events

Library home page: https://registry.npmjs.org/event-stream/-/event-stream-3.3.6.tgz

Path to dependency file: /npm_and_yarn/spec/fixtures/projects/yarn/github_dependency_slash/package.json

Path to vulnerable library: /npm_and_yarn/spec/fixtures/projects/yarn/github_dependency_slash/package.json,/updater/vendor/cache/npm_and_yarn/spec/fixtures/projects/yarn/github_dependency_slash/package.json

Dependency Hierarchy:

• bull-arena-2.4.5.tgz (Root Library)
  • nodemon-1.18.4.tgz
    • pstree.remy-1.1.0.tgz
      • ps-tree-1.1.0.tgz
        • ❌ event-stream-3.3.6.tgz (Vulnerable Library)

flatmap-stream-0.1.1.tgz

UNMAINTAINED

Library home page: https://registry.npmjs.org/flatmap-stream/-/flatmap-stream-0.1.1.tgz

Path to dependency file: /npm_and_yarn/spec/fixtures/projects/yarn/github_dependency_slash/package.json

Path to vulnerable library: /npm_and_yarn/spec/fixtures/projects/yarn/github_dependency_slash/package.json,/updater/vendor/cache/npm_and_yarn/spec/fixtures/projects/yarn/github_dependency_slash/package.json

Dependency Hierarchy:

• bull-arena-2.4.5.tgz (Root Library)
  • nodemon-1.18.4.tgz
    • pstree.remy-1.1.0.tgz
      • ps-tree-1.1.0.tgz
        • event-stream-3.3.6.tgz
          • ❌ flatmap-stream-0.1.1.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Malicious code in event-stream, the ownership \event-stream\ node_module was transferred

Publish Date: 2018-11-28

URL: WS-2018-0211

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/WS-2018-0211

Release Date: 2018-11-28

Fix Resolution (event-stream): 4.0.0

Direct dependency fix Resolution (bull-arena): 2.5.0

Fix Resolution (flatmap-stream): 4.0.0

Direct dependency fix Resolution (bull-arena): 2.5.0

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2022-37598

Vulnerable Library - uglify-js-3.4.9.tgz

JavaScript parser, mangler/compressor and beautifier toolkit

Library home page: https://registry.npmjs.org/uglify-js/-/uglify-js-3.4.9.tgz

Path to dependency file: /updater/vendor/cache/npm_and_yarn/spec/fixtures/projects/yarn/github_dependency_slash/package.json

Path to vulnerable library: /updater/vendor/cache/npm_and_yarn/spec/fixtures/projects/yarn/github_dependency_slash/package.json,/npm_and_yarn/spec/fixtures/projects/yarn/github_dependency_slash/package.json

Dependency Hierarchy:

• bull-arena-2.4.5.tgz (Root Library)
  • handlebars-4.0.12.tgz
    • ❌ uglify-js-3.4.9.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Prototype pollution vulnerability in function DEFNODE in ast.js in mishoo UglifyJS 3.13.2 via the name variable in ast.js. NOTE: the vendor considers this an invalid report.

Publish Date: 2022-10-20

URL: CVE-2022-37598

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Release Date: 2022-10-20

Fix Resolution (uglify-js): 3.13.10

Direct dependency fix Resolution (bull-arena): 2.5.0

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2021-44906

Vulnerable Libraries - minimist-1.2.0.tgz, minimist-0.0.10.tgz, minimist-0.0.8.tgz

minimist-1.2.0.tgz

parse argument options

Library home page: https://registry.npmjs.org/minimist/-/minimist-1.2.0.tgz

Path to dependency file: /npm_and_yarn/spec/fixtures/projects/yarn/lockfile_only_change/package.json

Path to vulnerable library: /npm_and_yarn/spec/fixtures/projects/yarn/lockfile_only_change/node_modules/minimist/package.json,/npm_and_yarn/spec/fixtures/projects/npm8/os_mismatch/package.json,/updater/vendor/cache/npm_and_yarn/spec/fixtures/projects/npm8/git_dependency_local_file/node_modules/minimist/package.json,/updater/vendor/cache/npm_and_yarn/spec/fixtures/projects/npm6/git_dependency_local_file/node_modules/minimist/package.json,/updater/vendor/cache/npm_and_yarn/spec/fixtures/projects/yarn/github_dependency_slash/package.json,/npm_and_yarn/spec/fixtures/projects/npm6/os_mismatch/package.json,/npm_and_yarn/spec/fixtures/projects/npm6/git_dependency_local_file/node_modules/minimist/package.json,/updater/vendor/cache/npm_and_yarn/spec/fixtures/projects/yarn/git_dependency_local_file/node_modules/minimist/package.json,/npm_and_yarn/spec/fixtures/projects/yarn/github_dependency_slash/package.json,/updater/vendor/cache/npm_and_yarn/spec/fixtures/projects/yarn/dist_tag/node_modules/npm/node_modules/update-notifier/node_modules/latest-version/node_modules/package-json/node_modules/registry-url/node_modules/rc/node_modules/minimist/package.json,/npm_and_yarn/spec/fixtures/projects/yarn/dist_tag/node_modules/npm/node_modules/update-notifier/node_modules/latest-version/node_modules/package-json/node_modules/registry-url/node_modules/rc/node_modules/minimist/package.json,/npm_and_yarn/spec/fixtures/projects/npm8/git_dependency_local_file/node_modules/minimist/package.json,/updater/vendor/cache/npm_and_yarn/spec/fixtures/projects/yarn/lockfile_only_change/node_modules/minimist/package.json,/updater/vendor/cache/npm_and_yarn/spec/fixtures/projects/npm6/os_mismatch/package.json,/npm_and_yarn/spec/fixtures/projects/yarn/git_dependency_local_file/node_modules/minimist/package.json,/npm_and_yarn/spec/fixtures/projects/yarn/dist_tag/node_modules/npm/node_modules/update-notifier/node_modules/latest-version/node_modules/package-json/node_modules/registry-auth-token/node_modules/rc/node_modules/minimist/package.json,/updater/vendor/cache/npm_and_yarn/spec/fixtures/projects/npm8/os_mismatch/package.json,/updater/vendor/cache/npm_and_yarn/spec/fixtures/projects/yarn/dist_tag/node_modules/npm/node_modules/update-notifier/node_modules/latest-version/node_modules/package-json/node_modules/registry-auth-token/node_modules/rc/node_modules/minimist/package.json

Dependency Hierarchy:

• bull-arena-2.4.5.tgz (Root Library)
  • nodemon-1.18.4.tgz
    • update-notifier-2.5.0.tgz
      • latest-version-3.1.0.tgz
        • package-json-4.0.1.tgz
          • registry-url-3.1.0.tgz
            • rc-1.2.8.tgz
              • ❌ minimist-1.2.0.tgz (Vulnerable Library)

minimist-0.0.10.tgz

parse argument options

Library home page: https://registry.npmjs.org/minimist/-/minimist-0.0.10.tgz

Dependency Hierarchy:

• bull-arena-2.4.5.tgz (Root Library)
  • handlebars-4.0.12.tgz
    • optimist-0.6.1.tgz
      • ❌ minimist-0.0.10.tgz (Vulnerable Library)

minimist-0.0.8.tgz

parse argument options

Library home page: https://registry.npmjs.org/minimist/-/minimist-0.0.8.tgz

Dependency Hierarchy:

• bull-arena-2.4.5.tgz (Root Library)
  • nodemon-1.18.4.tgz
    • chokidar-2.0.4.tgz
      • fsevents-1.2.4.tgz
        • node-pre-gyp-0.10.3.tgz
          • tar-4.4.6.tgz
            • mkdirp-0.5.1.tgz
              • ❌ minimist-0.0.8.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Minimist <=1.2.5 is vulnerable to Prototype Pollution via file index.js, function setKey() (lines 69-95).

Publish Date: 2022-03-17

URL: CVE-2021-44906

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Release Date: 2022-03-17

Fix Resolution (minimist): 1.2.6

Direct dependency fix Resolution (bull-arena): 2.5.0

Fix Resolution (minimist): 1.2.6

Direct dependency fix Resolution (bull-arena): 2.5.0

Fix Resolution (minimist): 1.2.6

Direct dependency fix Resolution (bull-arena): 2.5.0

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2019-19919

Vulnerable Library - handlebars-4.0.12.tgz

Handlebars provides the power necessary to let you build semantic templates effectively with no frustration

Library home page: https://registry.npmjs.org/handlebars/-/handlebars-4.0.12.tgz

Path to dependency file: /updater/vendor/cache/npm_and_yarn/spec/fixtures/projects/yarn/github_dependency_slash/package.json

Path to vulnerable library: /updater/vendor/cache/npm_and_yarn/spec/fixtures/projects/yarn/github_dependency_slash/package.json,/npm_and_yarn/spec/fixtures/projects/yarn/github_dependency_slash/package.json

Dependency Hierarchy:

• bull-arena-2.4.5.tgz (Root Library)
  • ❌ handlebars-4.0.12.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Versions of handlebars prior to 4.3.0 are vulnerable to Prototype Pollution leading to Remote Code Execution. Templates may alter an Object's proto and defineGetter properties, which may allow an attacker to execute arbitrary code through crafted payloads.
Mend Note: Converted from WS-2019-0368, on 2022-11-08.

Publish Date: 2019-12-20

URL: CVE-2019-19919

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/1164

Release Date: 2019-12-20

Fix Resolution (handlebars): 4.3.0

Direct dependency fix Resolution (bull-arena): 2.5.0

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2019-10747

Vulnerable Libraries - set-value-0.4.3.tgz, set-value-2.0.0.tgz

set-value-0.4.3.tgz

Create nested values and any intermediaries using dot notation (`'a.b.c'`) paths.

Library home page: https://registry.npmjs.org/set-value/-/set-value-0.4.3.tgz

Path to dependency file: /npm_and_yarn/spec/fixtures/projects/yarn/github_dependency_slash/package.json

Path to vulnerable library: /npm_and_yarn/spec/fixtures/projects/yarn/github_dependency_slash/package.json,/updater/vendor/cache/npm_and_yarn/spec/fixtures/projects/yarn/github_dependency_slash/package.json

Dependency Hierarchy:

• bull-arena-2.4.5.tgz (Root Library)
  • nodemon-1.18.4.tgz
    • chokidar-2.0.4.tgz
      • braces-2.3.2.tgz
        • snapdragon-0.8.2.tgz
          • base-0.11.2.tgz
            • cache-base-1.0.1.tgz
              • union-value-1.0.0.tgz
                • ❌ set-value-0.4.3.tgz (Vulnerable Library)

set-value-2.0.0.tgz

Create nested values and any intermediaries using dot notation (`'a.b.c'`) paths.

Library home page: https://registry.npmjs.org/set-value/-/set-value-2.0.0.tgz

Path to dependency file: /npm_and_yarn/spec/fixtures/projects/yarn/github_dependency_slash/package.json

Path to vulnerable library: /npm_and_yarn/spec/fixtures/projects/yarn/github_dependency_slash/package.json,/updater/vendor/cache/npm_and_yarn/spec/fixtures/projects/yarn/github_dependency_slash/package.json

Dependency Hierarchy:

• bull-arena-2.4.5.tgz (Root Library)
  • nodemon-1.18.4.tgz
    • chokidar-2.0.4.tgz
      • braces-2.3.2.tgz
        • snapdragon-0.8.2.tgz
          • base-0.11.2.tgz
            • cache-base-1.0.1.tgz
              • ❌ set-value-2.0.0.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

set-value is vulnerable to Prototype Pollution in versions lower than 3.0.1. The function mixin-deep could be tricked into adding or modifying properties of Object.prototype using any of the constructor, prototype and proto payloads.

Publish Date: 2019-08-23

URL: CVE-2019-10747

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Release Date: 2019-08-23

Fix Resolution (set-value): 2.0.1

Direct dependency fix Resolution (bull-arena): 2.5.0

Fix Resolution (set-value): 2.0.1

Direct dependency fix Resolution (bull-arena): 2.5.0

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2019-10746

Vulnerable Library - mixin-deep-1.3.1.tgz

Deeply mix the properties of objects into the first object. Like merge-deep, but doesn't clone.

Library home page: https://registry.npmjs.org/mixin-deep/-/mixin-deep-1.3.1.tgz

Path to dependency file: /npm_and_yarn/spec/fixtures/projects/yarn/github_dependency_slash/package.json

Path to vulnerable library: /npm_and_yarn/spec/fixtures/projects/yarn/github_dependency_slash/package.json,/updater/vendor/cache/npm_and_yarn/spec/fixtures/projects/yarn/github_dependency_slash/package.json

Dependency Hierarchy:

• bull-arena-2.4.5.tgz (Root Library)
  • nodemon-1.18.4.tgz
    • chokidar-2.0.4.tgz
      • braces-2.3.2.tgz
        • snapdragon-0.8.2.tgz
          • base-0.11.2.tgz
            • ❌ mixin-deep-1.3.1.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

mixin-deep is vulnerable to Prototype Pollution in versions before 1.3.2 and version 2.0.0. The function mixin-deep could be tricked into adding or modifying properties of Object.prototype using a constructor payload.

Publish Date: 2019-08-23

URL: CVE-2019-10746

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Release Date: 2019-08-23

Fix Resolution (mixin-deep): 1.3.2

Direct dependency fix Resolution (bull-arena): 2.5.0

⛑️ Automatic Remediation will be attempted for this issue.

WS-2022-0284

Vulnerable Library - moment-timezone-0.5.21.tgz

Parse and display moments in any timezone.

Library home page: https://registry.npmjs.org/moment-timezone/-/moment-timezone-0.5.21.tgz

Path to dependency file: /npm_and_yarn/spec/fixtures/projects/yarn/github_dependency_slash/package.json

Path to vulnerable library: /npm_and_yarn/spec/fixtures/projects/yarn/github_dependency_slash/package.json,/updater/vendor/cache/npm_and_yarn/spec/fixtures/projects/yarn/github_dependency_slash/package.json

Dependency Hierarchy:

• bull-arena-2.4.5.tgz (Root Library)
  • bull-3.4.8.tgz
    • cron-parser-2.6.0.tgz
      • ❌ moment-timezone-0.5.21.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Cleartext Transmission of Sensitive Information in moment-timezone

Publish Date: 2024-10-29

URL: WS-2022-0284

CVSS 3 Score Details (9.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: GHSA-v78c-4p63-2j6c

Release Date: 2022-08-30

Fix Resolution (moment-timezone): 0.5.35

Direct dependency fix Resolution (bull-arena): 2.5.0

⛑️ Automatic Remediation will be attempted for this issue.

WS-2018-0627

Vulnerable Library - flatmap-stream-0.1.1.tgz

UNMAINTAINED

Library home page: https://registry.npmjs.org/flatmap-stream/-/flatmap-stream-0.1.1.tgz

Path to dependency file: /npm_and_yarn/spec/fixtures/projects/yarn/github_dependency_slash/package.json

Path to vulnerable library: /npm_and_yarn/spec/fixtures/projects/yarn/github_dependency_slash/package.json,/updater/vendor/cache/npm_and_yarn/spec/fixtures/projects/yarn/github_dependency_slash/package.json

Dependency Hierarchy:

• bull-arena-2.4.5.tgz (Root Library)
  • nodemon-1.18.4.tgz
    • pstree.remy-1.1.0.tgz
      • ps-tree-1.1.0.tgz
        • event-stream-3.3.6.tgz
          • ❌ flatmap-stream-0.1.1.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Flatmap-stream version 0.1.1 is a malicious package. The malicious code attemptes to steal bitcoins stored in the Copay wallets in order to transfer the funds to a remote server

Publish Date: 2018-11-27

URL: WS-2018-0627

CVSS 3 Score Details (9.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/WS-2018-0627

Release Date: 2018-11-27

Fix Resolution (flatmap-stream): 0.1.2

Direct dependency fix Resolution (bull-arena): 2.5.0

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2019-10744

Vulnerable Library - lodash-4.17.11.tgz

Lodash modular utilities.

Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.11.tgz

Path to dependency file: /updater/vendor/cache/npm_and_yarn/spec/fixtures/projects/yarn/github_dependency_slash/package.json

Path to vulnerable library: /updater/vendor/cache/npm_and_yarn/spec/fixtures/projects/yarn/github_dependency_slash/package.json,/npm_and_yarn/spec/fixtures/projects/npm8/peer_dependency_changed/node_modules/react-apollo/node_modules/lodash/package.json,/npm_and_yarn/spec/fixtures/projects/yarn/github_dependency_slash/package.json,/updater/vendor/cache/npm_and_yarn/spec/fixtures/projects/npm6/peer_dependency_changed/node_modules/react-apollo/node_modules/lodash/package.json,/updater/vendor/cache/npm_and_yarn/spec/fixtures/projects/npm8/peer_dependency_changed/node_modules/react-apollo/node_modules/lodash/package.json,/npm_and_yarn/spec/fixtures/projects/pnpm/peer_dependency_changed/package.json,/updater/vendor/cache/npm_and_yarn/spec/fixtures/projects/pnpm/peer_dependency_changed/package.json,/npm_and_yarn/spec/fixtures/projects/npm6/peer_dependency_changed/node_modules/react-apollo/node_modules/lodash/package.json

Dependency Hierarchy:

• bull-arena-2.4.5.tgz (Root Library)
  • ❌ lodash-4.17.11.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Versions of lodash lower than 4.17.12 are vulnerable to Prototype Pollution. The function defaultsDeep could be tricked into adding or modifying properties of Object.prototype using a constructor payload.

Publish Date: 2019-07-25

URL: CVE-2019-10744

CVSS 3 Score Details (9.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-jf85-cpcp-j695

Release Date: 2019-07-26

Fix Resolution (lodash): 4.17.12

Direct dependency fix Resolution (bull-arena): 2.5.0

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2021-32820

Vulnerable Library - express-handlebars-3.0.0.tgz

A Handlebars view engine for Express which doesn't suck.

Library home page: https://registry.npmjs.org/express-handlebars/-/express-handlebars-3.0.0.tgz

Path to dependency file: /updater/vendor/cache/npm_and_yarn/spec/fixtures/projects/yarn/github_dependency_slash/package.json

Path to vulnerable library: /updater/vendor/cache/npm_and_yarn/spec/fixtures/projects/yarn/github_dependency_slash/package.json,/npm_and_yarn/spec/fixtures/projects/yarn/github_dependency_slash/package.json

Dependency Hierarchy:

• bull-arena-2.4.5.tgz (Root Library)
  • ❌ express-handlebars-3.0.0.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Express-handlebars is a Handlebars view engine for Express. Express-handlebars mixes pure template data with engine configuration options through the Express render API. More specifically, the layout parameter may trigger file disclosure vulnerabilities in downstream applications. This potential vulnerability is somewhat restricted in that only files with existing extentions (i.e. file.extension) can be included, files that lack an extension will have .handlebars appended to them. For complete details refer to the referenced GHSL-2021-018 report. Notes in documentation have been added to help users avoid this potential information exposure vulnerability.

Publish Date: 2021-05-14

URL: CVE-2021-32820

CVSS 3 Score Details (8.6)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: None
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2021-32820

Release Date: 2021-05-14

Fix Resolution (express-handlebars): 5.3.3

Direct dependency fix Resolution (bull-arena): 2.8.2

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2021-37712

Vulnerable Library - tar-4.4.6.tgz

tar for node

Library home page: https://registry.npmjs.org/tar/-/tar-4.4.6.tgz

Path to dependency file: /npm_and_yarn/spec/fixtures/projects/yarn/github_dependency_slash/package.json

Path to vulnerable library: /npm_and_yarn/spec/fixtures/projects/yarn/github_dependency_slash/package.json,/updater/vendor/cache/npm_and_yarn/spec/fixtures/projects/yarn/github_dependency_slash/package.json

Dependency Hierarchy:

• bull-arena-2.4.5.tgz (Root Library)
  • nodemon-1.18.4.tgz
    • chokidar-2.0.4.tgz
      • fsevents-1.2.4.tgz
        • node-pre-gyp-0.10.3.tgz
          • ❌ tar-4.4.6.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

The npm package "tar" (aka node-tar) before versions 4.4.18, 5.0.10, and 6.1.9 has an arbitrary file creation/overwrite and arbitrary code execution vulnerability. node-tar aims to guarantee that any file whose location would be modified by a symbolic link is not extracted. This is, in part, achieved by ensuring that extracted directories are not symlinks. Additionally, in order to prevent unnecessary stat calls to determine whether a given path is a directory, paths are cached when directories are created. This logic was insufficient when extracting tar files that contained both a directory and a symlink with names containing unicode values that normalized to the same value. Additionally, on Windows systems, long path portions would resolve to the same file system entities as their 8.3 "short path" counterparts. A specially crafted tar archive could thus include a directory with one form of the path, followed by a symbolic link with a different string that resolves to the same file system entity, followed by a file using the first form. By first creating a directory, and then replacing that directory with a symlink that had a different apparent name that resolved to the same entry in the filesystem, it was thus possible to bypass node-tar symlink checks on directories, essentially allowing an untrusted tar file to symlink into an arbitrary location and subsequently extracting arbitrary files into that location, thus allowing arbitrary file creation and overwrite. These issues were addressed in releases 4.4.18, 5.0.10 and 6.1.9. The v3 branch of node-tar has been deprecated and did not receive patches for these issues. If you are still using a v3 release we recommend you update to a more recent version of node-tar. If this is not possible, a workaround is available in the referenced GHSA-qq89-hq3f-393p.

Publish Date: 2021-08-31

URL: CVE-2021-37712

CVSS 3 Score Details (8.2)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Local
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: GHSA-qq89-hq3f-393p

Release Date: 2021-08-31

Fix Resolution (tar): 4.4.18

Direct dependency fix Resolution (bull-arena): 2.5.0

⛑️ Automatic Remediation will be attempted for this issue.

WS-2019-0333

Vulnerable Library - handlebars-4.0.12.tgz

Handlebars provides the power necessary to let you build semantic templates effectively with no frustration

Library home page: https://registry.npmjs.org/handlebars/-/handlebars-4.0.12.tgz

Path to dependency file: /updater/vendor/cache/npm_and_yarn/spec/fixtures/projects/yarn/github_dependency_slash/package.json

Path to vulnerable library: /updater/vendor/cache/npm_and_yarn/spec/fixtures/projects/yarn/github_dependency_slash/package.json,/npm_and_yarn/spec/fixtures/projects/yarn/github_dependency_slash/package.json

Dependency Hierarchy:

• bull-arena-2.4.5.tgz (Root Library)
  • ❌ handlebars-4.0.12.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

In handlebars, versions prior to v4.5.3 are vulnerable to prototype pollution. Using a malicious template it's possbile to add or modify properties to the Object prototype. This can also lead to DOS and RCE in certain conditions.

Publish Date: 2019-11-18

URL: WS-2019-0333

CVSS 3 Score Details (8.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/1325

Release Date: 2019-11-18

Fix Resolution (handlebars): 4.5.3

Direct dependency fix Resolution (bull-arena): 2.5.0

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2019-20920

Vulnerable Library - handlebars-4.0.12.tgz

Handlebars provides the power necessary to let you build semantic templates effectively with no frustration

Library home page: https://registry.npmjs.org/handlebars/-/handlebars-4.0.12.tgz

Path to dependency file: /updater/vendor/cache/npm_and_yarn/spec/fixtures/projects/yarn/github_dependency_slash/package.json

Path to vulnerable library: /updater/vendor/cache/npm_and_yarn/spec/fixtures/projects/yarn/github_dependency_slash/package.json,/npm_and_yarn/spec/fixtures/projects/yarn/github_dependency_slash/package.json

Dependency Hierarchy:

• bull-arena-2.4.5.tgz (Root Library)
  • ❌ handlebars-4.0.12.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Handlebars before 3.0.8 and 4.x before 4.5.3 is vulnerable to Arbitrary Code Execution. The lookup helper fails to properly validate templates, allowing attackers to submit templates that execute arbitrary JavaScript. This can be used to run arbitrary code on a server processing Handlebars templates or in a victim's browser (effectively serving as XSS).

Publish Date: 2020-09-30

URL: CVE-2019-20920

CVSS 3 Score Details (8.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: Low
  • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/1316

Release Date: 2020-10-15

Fix Resolution (handlebars): 4.5.3

Direct dependency fix Resolution (bull-arena): 2.5.0

⛑️ Automatic Remediation will be attempted for this issue.

WS-2019-0493

Vulnerable Library - handlebars-4.0.12.tgz

Handlebars provides the power necessary to let you build semantic templates effectively with no frustration

Library home page: https://registry.npmjs.org/handlebars/-/handlebars-4.0.12.tgz

Path to dependency file: /updater/vendor/cache/npm_and_yarn/spec/fixtures/projects/yarn/github_dependency_slash/package.json

Path to vulnerable library: /updater/vendor/cache/npm_and_yarn/spec/fixtures/projects/yarn/github_dependency_slash/package.json,/npm_and_yarn/spec/fixtures/projects/yarn/github_dependency_slash/package.json

Dependency Hierarchy:

• bull-arena-2.4.5.tgz (Root Library)
  • ❌ handlebars-4.0.12.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

handlebars before 3.0.8 and 4.x before 4.5.2 is vulnerable to Arbitrary Code Execution. The package's lookup helper fails to properly validate templates, allowing attackers to submit templates that execute arbitrary JavaScript in the system.

Publish Date: 2019-11-14

URL: WS-2019-0493

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/1316

Release Date: 2019-11-14

Fix Resolution (handlebars): 4.5.2

Direct dependency fix Resolution (bull-arena): 2.5.0

⛑️ Automatic Remediation will be attempted for this issue.

WS-2019-0492

Vulnerable Library - handlebars-4.0.12.tgz

Handlebars provides the power necessary to let you build semantic templates effectively with no frustration

Library home page: https://registry.npmjs.org/handlebars/-/handlebars-4.0.12.tgz

Path to dependency file: /updater/vendor/cache/npm_and_yarn/spec/fixtures/projects/yarn/github_dependency_slash/package.json

Path to vulnerable library: /updater/vendor/cache/npm_and_yarn/spec/fixtures/projects/yarn/github_dependency_slash/package.json,/npm_and_yarn/spec/fixtures/projects/yarn/github_dependency_slash/package.json

Dependency Hierarchy:

• bull-arena-2.4.5.tgz (Root Library)
  • ❌ handlebars-4.0.12.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

handlebars before 3.0.8 and 4.x before 4.5.3 is vulnerable to Arbitrary Code Execution. The package's lookup helper fails to properly validate templates, allowing attackers to submit templates that execute arbitrary JavaScript in the system.

Publish Date: 2019-11-19

URL: WS-2019-0492

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/1324

Release Date: 2019-11-19

Fix Resolution (handlebars): 4.5.3

Direct dependency fix Resolution (bull-arena): 2.5.0

⛑️ Automatic Remediation will be attempted for this issue.

WS-2019-0318

Vulnerable Library - handlebars-4.0.12.tgz

Handlebars provides the power necessary to let you build semantic templates effectively with no frustration

Library home page: https://registry.npmjs.org/handlebars/-/handlebars-4.0.12.tgz

Path to dependency file: /updater/vendor/cache/npm_and_yarn/spec/fixtures/projects/yarn/github_dependency_slash/package.json

Path to vulnerable library: /updater/vendor/cache/npm_and_yarn/spec/fixtures/projects/yarn/github_dependency_slash/package.json,/npm_and_yarn/spec/fixtures/projects/yarn/github_dependency_slash/package.json

Dependency Hierarchy:

• bull-arena-2.4.5.tgz (Root Library)
  • ❌ handlebars-4.0.12.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

In "showdownjs/showdown", versions prior to v4.4.5 are vulnerable against Regular expression Denial of Service (ReDOS) once receiving specially-crafted templates.

Publish Date: 2019-10-20

URL: WS-2019-0318

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/1300

Release Date: 2019-10-20

Fix Resolution (handlebars): 4.4.5

Direct dependency fix Resolution (bull-arena): 2.5.0

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2024-4068

Vulnerable Libraries - braces-2.3.2.tgz, braces-1.8.5.tgz

braces-2.3.2.tgz

Bash-like brace expansion, implemented in JavaScript. Safer than other brace expansion libs, with complete support for the Bash 4.3 braces specification, without sacrificing speed.

Library home page: https://registry.npmjs.org/braces/-/braces-2.3.2.tgz

Path to dependency file: /updater/vendor/cache/npm_and_yarn/spec/fixtures/projects/yarn_berry/lockfile_only_change/package.json

Path to vulnerable library: /updater/vendor/cache/npm_and_yarn/spec/fixtures/projects/yarn_berry/lockfile_only_change/node_modules/sane/node_modules/braces/package.json,/npm_and_yarn/spec/fixtures/projects/yarn_berry/lockfile_only_change/node_modules/sane/node_modules/braces/package.json,/updater/vendor/cache/npm_and_yarn/spec/fixtures/projects/yarn/github_dependency_slash/package.json,/npm_and_yarn/spec/fixtures/projects/yarn/github_dependency_slash/package.json,/npm_and_yarn/spec/fixtures/projects/yarn_berry/lockfile_only_change/node_modules/readdirp/node_modules/braces/package.json,/updater/vendor/cache/npm_and_yarn/spec/fixtures/projects/yarn_berry/lockfile_only_change/node_modules/readdirp/node_modules/braces/package.json

Dependency Hierarchy:

• bull-arena-2.4.5.tgz (Root Library)
  • nodemon-1.18.4.tgz
    • chokidar-2.0.4.tgz
      • ❌ braces-2.3.2.tgz (Vulnerable Library)

braces-1.8.5.tgz

Fastest brace expansion for node.js, with the most complete support for the Bash 4.3 braces specification.

Library home page: https://registry.npmjs.org/braces/-/braces-1.8.5.tgz

Path to dependency file: /updater/vendor/cache/npm_and_yarn/spec/fixtures/projects/pnpm/lockfile_only_change/package.json

Path to vulnerable library: /updater/vendor/cache/npm_and_yarn/spec/fixtures/projects/pnpm/lockfile_only_change/package.json,/npm_and_yarn/spec/fixtures/projects/yarn/lockfile_only_change/node_modules/braces/package.json,/npm_and_yarn/spec/fixtures/projects/pnpm/lockfile_only_change/package.json,/npm_and_yarn/spec/fixtures/projects/yarn_berry/lockfile_only_change/node_modules/braces/package.json,/updater/vendor/cache/npm_and_yarn/spec/fixtures/projects/yarn/lockfile_only_change/node_modules/braces/package.json,/updater/vendor/cache/npm_and_yarn/spec/fixtures/projects/yarn_berry/lockfile_only_change/node_modules/braces/package.json,/updater/vendor/cache/npm_and_yarn/helpers/node_modules/braces/package.json,/updater/vendor/cache/npm_and_yarn/spec/fixtures/projects/yarn/github_dependency_slash/package.json,/npm_and_yarn/spec/fixtures/projects/yarn/github_dependency_slash/package.json,/npm_and_yarn/helpers/node_modules/braces/package.json

Dependency Hierarchy:

• bull-arena-2.4.5.tgz (Root Library)
  • handlebars-helpers-0.8.4.tgz
    • micromatch-2.3.11.tgz
      • ❌ braces-1.8.5.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

The NPM package braces, versions prior to 3.0.3, fails to limit the number of characters it can handle, which could lead to Memory Exhaustion. In lib/parse.js, if a malicious user sends "imbalanced braces" as input, the parsing will enter a loop, which will cause the program to start allocating heap memory without freeing it at any moment of the loop. Eventually, the JavaScript heap limit is reached, and the program will crash.

Publish Date: 2024-05-13

URL: CVE-2024-4068

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Release Date: 2024-05-13

Fix Resolution: braces - 3.0.3