Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Bulk vulnerability fix - Lockfile fix #3

Open
wants to merge 1 commit into
base: master
Choose a base branch
from

Conversation

debricked-staging[bot]
Copy link

@debricked-staging debricked-staging bot commented Jun 18, 2021

Bulk vulnerability fix - Lockfile fix

This pull request will update your transitive dependencies within the allowed version intervals provided by your direct dependencies.

Fixed vulnerabilities:

debricked–245
debricked–124
CVE–2021–23362
CVE–2020–7597
  • Description

    Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

    The software constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

    NVD

    codecov-node npm module before 3.6.5 allows remote attackers to execute arbitrary commands.The value provided as part of the gcov-root argument is executed by the exec function within lib/codecov.js. This vulnerability exists due to an incomplete fix of CVE-2020-7596.

    GitHub

    codecov NPM module allows remote attackers to execute arbitrary commands

    codecov-node npm module before 3.6.5 allows remote attackers to execute arbitrary commands.The value provided as part of the gcov-root argument is executed by the exec function within lib/codecov.js. This vulnerability exists due to an incomplete fix of CVE-2020-7596.

  • CVSS details - 8.8

     

    CVSS3 metrics
    Attack Vector Network
    Attack Complexity Low
    Privileges Required Low
    User interaction None
    Scope Unchanged
    Confidentiality High
    Integrity High
    Availability High
  • References

        [CE-1330] Escaping args (#167) · codecov/codecov-node@02cf13d · GitHub
        NVD - CVE-2020-7597
        codecov NPM module allows remote attackers to execute arbitrary commands · CVE-2020-7597 · GitHub Advisory Database · GitHub

CVE–2020–15123
CVE–2019–20149
CVE–2019–20922
  • Description

    Loop with Unreachable Exit Condition ('Infinite Loop')

    The program contains an iteration or loop with an exit condition that cannot be reached, i.e., an infinite loop.

    NVD

    Handlebars before 4.4.5 allows Regular Expression Denial of Service (ReDoS) because of eager matching. The parser may be forced into an endless loop while processing crafted templates. This may allow attackers to exhaust system resources.

  • CVSS details - 7.5

     

    CVSS3 metrics
    Attack Vector Network
    Attack Complexity Low
    Privileges Required None
    User interaction None
    Scope Unchanged
    Confidentiality None
    Integrity None
    Availability High
  • References

        fix: non-eager matching raw-block-contents · handlebars-lang/handlebars.js@8d5530e · GitHub
        npm

CVE–2019–20920
  • Description

    Improper Control of Generation of Code ('Code Injection')

    The software constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

    NVD

    Handlebars before 3.0.8 and 4.x before 4.5.3 is vulnerable to Arbitrary Code Execution. The lookup helper fails to properly validate templates, allowing attackers to submit templates that execute arbitrary JavaScript. This can be used to run arbitrary code on a server processing Handlebars templates or in a victim's browser (effectively serving as XSS).

  • CVSS details - 8.1

     

    CVSS3 metrics
    Attack Vector Network
    Attack Complexity High
    Privileges Required None
    User interaction None
    Scope Changed
    Confidentiality High
    Integrity Low
    Availability Low
  • References

        npm
        npm

CVE–2021–23369
debricked–154311
debricked–149740
CVE–2019–10747
CVE–2020–13822
CVE–2020–28498
CVE–2020–7774
CVE–2019–16769
  • Description

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

    The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

    NVD

    Affected versions of this package are vulnerable to Cross-site Scripting (XSS). It does not properly mitigate against unsafe characters in serialized regular expressions. This vulnerability is not affected on Node.js environment since Node.js's implementation of RegExp.prototype.toString() backslash-escapes all forward slashes in regular expressions. If serialized data of regular expression objects are used in an environment other than Node.js, it is affected by this vulnerability.

    GitHub

    Cross-Site Scripting in serialize-javascript

    Versions of serialize-javascript prior to 2.1.1 are vulnerable to Cross-Site Scripting (XSS). The package fails to sanitize serialized regular expressions. This vulnerability does not affect Node.js applications.

    Recommendation

    Upgrade to version 2.1.1 or later.

  • CVSS details - 5.4

     

    CVSS3 metrics
    Attack Vector Network
    Attack Complexity Low
    Privileges Required Low
    User interaction Required
    Scope Changed
    Confidentiality Low
    Integrity Low
    Availability None
  • References

        regular expressions Cross-Site Scripting (XSS) vulnerability · Advisory · yahoo/serialize-javascript · GitHub
        NVD - CVE-2019-16769
        Cross-Site Scripting in serialize-javascript · CVE-2019-16769 · GitHub Advisory Database · GitHub

 

Related information

📌 Remember! Check the changes to ensure they don't introduce any breaking changes.
📚 Read more at Debricked

 

@debricked-staging debricked-staging bot force-pushed the debricked-fix-bulk_fix-047896fd4c146106 branch from 0035a64 to 8b101a3 Compare June 29, 2021 21:07
@debricked-staging debricked-staging bot force-pushed the debricked-fix-bulk_fix-047896fd4c146106 branch from 8b101a3 to 1cf3bce Compare June 30, 2021 21:34
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

0 participants