{"type":"auditAdvisory","data":{"resolution":{"id":1067315,"path":"url-parse","dev":false,"optional":false,"bundled":false},"advisory":{"findings":[{"version":"1.5.3","paths":["url-parse"]}],"metadata":null,"vulnerable_versions":"<1.5.9","module_name":"url-parse","severity":"moderate","github_advisory_id":"GHSA-jf5r-8hm2-f872","cves":["CVE-2022-0691"],"access":"public","patched_versions":">=1.5.9","cvss":{"score":6.5,"vectorString":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"},"updated":"2022-03-29T22:16:44.000Z","recommendation":"Upgrade to version 1.5.9 or later","cwe":["CWE-639"],"found_by":null,"deleted":null,"id":1067315,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2022-0691\n- https://github.com/unshiftio/url-parse/commit/0e3fb542d60ddbf6933f22eb9b1e06e25eaa5b63\n- https://huntr.dev/bounties/57124ed5-4b68-4934-8325-2c546257f2e4\n- https://security.netapp.com/advisory/ntap-20220325-0006/\n- https://github.com/advisories/GHSA-jf5r-8hm2-f872","created":"2022-02-22T00:00:30.000Z","reported_by":null,"title":"Incorrect hostname / protocol due to unstripped leading control characters.","npm_advisory_id":null,"overview":"Leading control characters in a URL are not stripped when passed into url-parse. This can cause input URLs to be mistakenly interpreted as a relative URL without a hostname and protocol, while the WHATWG URL parser will trim control characters and treat it as an absolute URL.\n\nIf url-parse is used in security decisions involving the hostname / protocol, and the input URL is used in a client which uses the WHATWG URL parser, the decision may be incorrect.\n\nThis can also lead to a cross-site scripting (XSS) vulnerability if url-parse is used to check for the javascript: protocol in URLs. See the following example:\n`````\nconst parse = require('url-parse')\nconst express = require('express')\nconst app = express()\nconst port = 3000\n\nurl = parse(\\\"\\\\bjavascript:alert(1)\\\")\n\nconsole.log(url)\n\napp.get('/', (req, res) => {\n if (url.protocol !== \\\"javascript:\\\") {res.send(\\\"<a href=\\\\'\\\" + url.href + \\\"\\\\'>CLICK ME!</a>\\\")}\n })\n\napp.listen(port, () => {\n console.log(`Example app listening on port ${port}`)\n })\n`````","url":"https://github.com/advisories/GHSA-jf5r-8hm2-f872"}}}
{"type":"auditAdvisory","data":{"resolution":{"id":1067316,"path":"url-parse","dev":false,"optional":false,"bundled":false},"advisory":{"findings":[{"version":"1.5.3","paths":["url-parse"]}],"metadata":null,"vulnerable_versions":"<1.5.8","module_name":"url-parse","severity":"critical","github_advisory_id":"GHSA-hgjh-723h-mx2j","cves":["CVE-2022-0686"],"access":"public","patched_versions":">=1.5.8","cvss":{"score":9.1,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N"},"updated":"2022-03-29T22:13:52.000Z","recommendation":"Upgrade to version 1.5.8 or later","cwe":["CWE-639"],"found_by":null,"deleted":null,"id":1067316,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2022-0686\n- https://github.com/unshiftio/url-parse/commit/d5c64791ef496ca5459ae7f2176a31ea53b127e5\n- https://huntr.dev/bounties/55fd06cd-9054-4d80-83be-eb5a454be78c\n- https://security.netapp.com/advisory/ntap-20220325-0006/\n- https://github.com/advisories/GHSA-hgjh-723h-mx2j","created":"2022-02-21T00:00:21.000Z","reported_by":null,"title":"Authorization Bypass Through User-Controlled Key in url-parse","npm_advisory_id":null,"overview":"url-parse prior to version 1.5.8 is vulnerable to Authorization Bypass Through User-Controlled Key.","url":"https://github.com/advisories/GHSA-hgjh-723h-mx2j"}}}
{"type":"auditAdvisory","data":{"resolution":{"id":1067405,"path":"url-parse","dev":false,"optional":false,"bundled":false},"advisory":{"findings":[{"version":"1.5.3","paths":["url-parse"]}],"metadata":null,"vulnerable_versions":"<1.5.6","module_name":"url-parse","severity":"moderate","github_advisory_id":"GHSA-rqff-837h-mm52","cves":["CVE-2022-0512"],"access":"public","patched_versions":">=1.5.6","cvss":{"score":5.3,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},"updated":"2022-02-24T14:01:29.000Z","recommendation":"Upgrade to version 1.5.6 or later","cwe":["CWE-639"],"found_by":null,"deleted":null,"id":1067405,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2022-0512\n- https://github.com/unshiftio/url-parse/commit/9be7ee88afd2bb04e4d5a1a8da9a389ac13f8c40\n- https://huntr.dev/bounties/6d1bc51f-1876-4f5b-a2c2-734e09e8e05b\n- https://github.com/advisories/GHSA-rqff-837h-mm52","created":"2022-02-15T00:02:46.000Z","reported_by":null,"title":"Authorization bypass in url-parse","npm_advisory_id":null,"overview":"Authorization Bypass Through User-Controlled Key in NPM url-parse prior to 1.5.6.","url":"https://github.com/advisories/GHSA-rqff-837h-mm52"}}}
{"type":"auditAdvisory","data":{"resolution":{"id":1070014,"path":"url-parse","dev":false,"optional":false,"bundled":false},"advisory":{"findings":[{"version":"1.5.3","paths":["url-parse"]}],"metadata":null,"vulnerable_versions":"<1.5.7","module_name":"url-parse","severity":"moderate","github_advisory_id":"GHSA-8v38-pw62-9cw2","cves":["CVE-2022-0639"],"access":"public","patched_versions":">=1.5.7","cvss":{"score":6.5,"vectorString":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"},"updated":"2022-04-19T19:03:27.000Z","recommendation":"Upgrade to version 1.5.7 or later","cwe":["CWE-639"],"found_by":null,"deleted":null,"id":1070014,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2022-0639\n- https://github.com/unshiftio/url-parse/commit/ef45a1355375a8244063793a19059b4f62fc8788\n- https://huntr.dev/bounties/83a6bc9a-b542-4a38-82cd-d995a1481155\n- https://github.com/advisories/GHSA-8v38-pw62-9cw2","created":"2022-02-18T00:00:33.000Z","reported_by":null,"title":"Incorrect returned href via an '@' sign but no user info and hostname","npm_advisory_id":null,"overview":"A specially crafted URL with an '@' sign but empty user info and no hostname, when parsed with url-parse, url-parse will return the incorrect href. In particular,\n`````\nparse(\\\"http://@/127.0.0.1\\\")\n`````\nWill return:\n`````\n{\n slashes: true,\n protocol: 'http:',\n hash: '',\n query: '',\n pathname: '/127.0.0.1',\n auth: '',\n host: '',\n port: '',\n hostname: '',\n password: '',\n username: '',\n origin: 'null',\n href: 'http:///127.0.0.1'\n }\n`````\nIf the 'hostname' or 'origin' attributes of the output from url-parse are used in security decisions and the final 'href' attribute of the output is then used to make a request, the decision may be incorrect.\n","url":"https://github.com/advisories/GHSA-8v38-pw62-9cw2"}}}
{"type":"auditAdvisory","data":{"resolution":{"id":1067342,"path":"tsconfig-paths>minimist","dev":false,"optional":false,"bundled":false},"advisory":{"findings":[{"version":"1.2.5","paths":["tsconfig-paths>minimist","config>json5>minimist"]}],"metadata":null,"vulnerable_versions":"<1.2.6","module_name":"minimist","severity":"critical","github_advisory_id":"GHSA-xvch-5gv4-984h","cves":["CVE-2021-44906"],"access":"public","patched_versions":">=1.2.6","cvss":{"score":9.8,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},"updated":"2022-04-04T21:39:39.000Z","recommendation":"Upgrade to version 1.2.6 or later","cwe":["CWE-1321"],"found_by":null,"deleted":null,"id":1067342,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2021-44906\n- https://github.com/substack/minimist/issues/164\n- https://github.com/substack/minimist/blob/master/index.js#L69\n- https://snyk.io/vuln/SNYK-JS-MINIMIST-559764\n- https://stackoverflow.com/questions/8588563/adding-custom-properties-to-a-function/20278068#20278068\n- https://github.com/Marynk/JavaScript-vulnerability-detection/blob/main/minimist%20PoC.zip\n- https://github.com/advisories/GHSA-xvch-5gv4-984h","created":"2022-03-18T00:01:09.000Z","reported_by":null,"title":"Prototype Pollution in minimist","npm_advisory_id":null,"overview":"Minimist <=1.2.5 is vulnerable to Prototype Pollution via file index.js, function setKey() (lines 69-95).","url":"https://github.com/advisories/GHSA-xvch-5gv4-984h"}}}
{"type":"auditAdvisory","data":{"resolution":{"id":1067342,"path":"config>json5>minimist","dev":false,"optional":false,"bundled":false},"advisory":{"findings":[{"version":"1.2.5","paths":["tsconfig-paths>minimist","config>json5>minimist"]}],"metadata":null,"vulnerable_versions":"<1.2.6","module_name":"minimist","severity":"critical","github_advisory_id":"GHSA-xvch-5gv4-984h","cves":["CVE-2021-44906"],"access":"public","patched_versions":">=1.2.6","cvss":{"score":9.8,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},"updated":"2022-04-04T21:39:39.000Z","recommendation":"Upgrade to version 1.2.6 or later","cwe":["CWE-1321"],"found_by":null,"deleted":null,"id":1067342,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2021-44906\n- https://github.com/substack/minimist/issues/164\n- https://github.com/substack/minimist/blob/master/index.js#L69\n- https://snyk.io/vuln/SNYK-JS-MINIMIST-559764\n- https://stackoverflow.com/questions/8588563/adding-custom-properties-to-a-function/20278068#20278068\n- https://github.com/Marynk/JavaScript-vulnerability-detection/blob/main/minimist%20PoC.zip\n- https://github.com/advisories/GHSA-xvch-5gv4-984h","created":"2022-03-18T00:01:09.000Z","reported_by":null,"title":"Prototype Pollution in minimist","npm_advisory_id":null,"overview":"Minimist <=1.2.5 is vulnerable to Prototype Pollution via file index.js, function setKey() (lines 69-95).","url":"https://github.com/advisories/GHSA-xvch-5gv4-984h"}}}
{"type":"auditAdvisory","data":{"resolution":{"id":1067761,"path":"node-sass>meow>read-pkg-up>read-pkg>normalize-package-data>resolve>path-parse","dev":false,"optional":false,"bundled":false},"advisory":{"findings":[{"version":"1.0.6","paths":["node-sass>meow>read-pkg-up>read-pkg>normalize-package-data>resolve>path-parse"]}],"metadata":null,"vulnerable_versions":"<1.0.7","module_name":"path-parse","severity":"moderate","github_advisory_id":"GHSA-hj48-42vr-x3v9","cves":["CVE-2021-23343"],"access":"public","patched_versions":">=1.0.7","cvss":{"score":5.3,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},"updated":"2021-08-10T15:34:57.000Z","recommendation":"Upgrade to version 1.0.7 or later","cwe":["CWE-400"],"found_by":null,"deleted":null,"id":1067761,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2021-23343\n- https://github.com/jbgutierrez/path-parse/issues/8\n- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1279028\n- https://snyk.io/vuln/SNYK-JS-PATHPARSE-1077067\n- https://lists.apache.org/thread.html/r6a32cb3eda3b19096ad48ef1e7aa8f26e005f2f63765abb69ce08b85@%3Cdev.myfaces.apache.org%3E\n- https://github.com/jbgutierrez/path-parse/pull/10\n- https://github.com/jbgutierrez/path-parse/commit/eca63a7b9a473bf6978a2f5b7b3343662d1506f7\n- https://github.com/advisories/GHSA-hj48-42vr-x3v9","created":"2021-08-10T15:33:47.000Z","reported_by":null,"title":"Regular Expression Denial of Service in path-parse","npm_advisory_id":null,"overview":"Affected versions of npm package `path-parse` are vulnerable to Regular Expression Denial of Service (ReDoS) via splitDeviceRe, splitTailRe, and splitPathRe regular expressions. ReDoS exhibits polynomial worst-case time complexity.","url":"https://github.com/advisories/GHSA-hj48-42vr-x3v9"}}}
{"type":"auditAdvisory","data":{"resolution":{"id":1070273,"path":"node-sass>node-gyp>npmlog>gauge>wide-align>string-width>strip-ansi>ansi-regex","dev":false,"optional":false,"bundled":false},"advisory":{"findings":[{"version":"3.0.0","paths":["node-sass>node-gyp>npmlog>gauge>wide-align>string-width>strip-ansi>ansi-regex"]}],"metadata":null,"vulnerable_versions":">=3.0.0 <3.0.1","module_name":"ansi-regex","severity":"high","github_advisory_id":"GHSA-93q8-gq69-wqmw","cves":["CVE-2021-3807"],"access":"public","patched_versions":">=3.0.1","cvss":{"score":7.5,"vectorString":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},"updated":"2022-05-02T21:01:45.000Z","recommendation":"Upgrade to version 3.0.1 or later","cwe":["CWE-1333"],"found_by":null,"deleted":null,"id":1070273,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2021-3807\n- https://github.com/chalk/ansi-regex/commit/8d1d7cdb586269882c4bdc1b7325d0c58c8f76f9\n- https://huntr.dev/bounties/5b3cf33b-ede0-4398-9974-800876dfd994\n- https://github.com/chalk/ansi-regex/issues/38#issuecomment-924086311\n- https://app.snyk.io/vuln/SNYK-JS-ANSIREGEX-1583908\n- https://github.com/chalk/ansi-regex/issues/38#issuecomment-925924774\n- https://github.com/chalk/ansi-regex/releases/tag/v6.0.1\n- https://www.oracle.com/security-alerts/cpuapr2022.html\n- https://github.com/advisories/GHSA-93q8-gq69-wqmw","created":"2021-09-20T20:20:09.000Z","reported_by":null,"title":" Inefficient Regular Expression Complexity in chalk/ansi-regex","npm_advisory_id":null,"overview":"ansi-regex is vulnerable to Inefficient Regular Expression Complexity","url":"https://github.com/advisories/GHSA-93q8-gq69-wqmw"}}}
{"type":"auditAdvisory","data":{"resolution":{"id":1070274,"path":"node-sass>sass-graph>yargs>string-width>strip-ansi>ansi-regex","dev":false,"optional":false,"bundled":false},"advisory":{"findings":[{"version":"4.1.0","paths":["node-sass>sass-graph>yargs>string-width>strip-ansi>ansi-regex","node-sass>sass-graph>yargs>cliui>string-width>strip-ansi>ansi-regex","node-sass>sass-graph>yargs>cliui>wrap-ansi>string-width>strip-ansi>ansi-regex"]},{"version":"4.1.0","paths":["node-sass>sass-graph>yargs>cliui>strip-ansi>ansi-regex"]},{"version":"4.1.0","paths":["node-sass>sass-graph>yargs>cliui>wrap-ansi>strip-ansi>ansi-regex"]}],"metadata":null,"vulnerable_versions":">=4.0.0 <4.1.1","module_name":"ansi-regex","severity":"high","github_advisory_id":"GHSA-93q8-gq69-wqmw","cves":["CVE-2021-3807"],"access":"public","patched_versions":">=4.1.1","cvss":{"score":7.5,"vectorString":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},"updated":"2022-05-02T21:01:45.000Z","recommendation":"Upgrade to version 4.1.1 or later","cwe":["CWE-1333"],"found_by":null,"deleted":null,"id":1070274,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2021-3807\n- https://github.com/chalk/ansi-regex/commit/8d1d7cdb586269882c4bdc1b7325d0c58c8f76f9\n- https://huntr.dev/bounties/5b3cf33b-ede0-4398-9974-800876dfd994\n- https://github.com/chalk/ansi-regex/issues/38#issuecomment-924086311\n- https://app.snyk.io/vuln/SNYK-JS-ANSIREGEX-1583908\n- https://github.com/chalk/ansi-regex/issues/38#issuecomment-925924774\n- https://github.com/chalk/ansi-regex/releases/tag/v6.0.1\n- https://www.oracle.com/security-alerts/cpuapr2022.html\n- https://github.com/advisories/GHSA-93q8-gq69-wqmw","created":"2021-09-20T20:20:09.000Z","reported_by":null,"title":" Inefficient Regular Expression Complexity in chalk/ansi-regex","npm_advisory_id":null,"overview":"ansi-regex is vulnerable to Inefficient Regular Expression Complexity","url":"https://github.com/advisories/GHSA-93q8-gq69-wqmw"}}}
{"type":"auditAdvisory","data":{"resolution":{"id":1070274,"path":"node-sass>sass-graph>yargs>cliui>string-width>strip-ansi>ansi-regex","dev":false,"optional":false,"bundled":false},"advisory":{"findings":[{"version":"4.1.0","paths":["node-sass>sass-graph>yargs>string-width>strip-ansi>ansi-regex","node-sass>sass-graph>yargs>cliui>string-width>strip-ansi>ansi-regex","node-sass>sass-graph>yargs>cliui>wrap-ansi>string-width>strip-ansi>ansi-regex"]},{"version":"4.1.0","paths":["node-sass>sass-graph>yargs>cliui>strip-ansi>ansi-regex"]},{"version":"4.1.0","paths":["node-sass>sass-graph>yargs>cliui>wrap-ansi>strip-ansi>ansi-regex"]}],"metadata":null,"vulnerable_versions":">=4.0.0 <4.1.1","module_name":"ansi-regex","severity":"high","github_advisory_id":"GHSA-93q8-gq69-wqmw","cves":["CVE-2021-3807"],"access":"public","patched_versions":">=4.1.1","cvss":{"score":7.5,"vectorString":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},"updated":"2022-05-02T21:01:45.000Z","recommendation":"Upgrade to version 4.1.1 or later","cwe":["CWE-1333"],"found_by":null,"deleted":null,"id":1070274,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2021-3807\n- https://github.com/chalk/ansi-regex/commit/8d1d7cdb586269882c4bdc1b7325d0c58c8f76f9\n- https://huntr.dev/bounties/5b3cf33b-ede0-4398-9974-800876dfd994\n- https://github.com/chalk/ansi-regex/issues/38#issuecomment-924086311\n- https://app.snyk.io/vuln/SNYK-JS-ANSIREGEX-1583908\n- https://github.com/chalk/ansi-regex/issues/38#issuecomment-925924774\n- https://github.com/chalk/ansi-regex/releases/tag/v6.0.1\n- https://www.oracle.com/security-alerts/cpuapr2022.html\n- https://github.com/advisories/GHSA-93q8-gq69-wqmw","created":"2021-09-20T20:20:09.000Z","reported_by":null,"title":" Inefficient Regular Expression Complexity in chalk/ansi-regex","npm_advisory_id":null,"overview":"ansi-regex is vulnerable to Inefficient Regular Expression Complexity","url":"https://github.com/advisories/GHSA-93q8-gq69-wqmw"}}}
{"type":"auditAdvisory","data":{"resolution":{"id":1070274,"path":"node-sass>sass-graph>yargs>cliui>wrap-ansi>string-width>strip-ansi>ansi-regex","dev":false,"optional":false,"bundled":false},"advisory":{"findings":[{"version":"4.1.0","paths":["node-sass>sass-graph>yargs>string-width>strip-ansi>ansi-regex","node-sass>sass-graph>yargs>cliui>string-width>strip-ansi>ansi-regex","node-sass>sass-graph>yargs>cliui>wrap-ansi>string-width>strip-ansi>ansi-regex"]},{"version":"4.1.0","paths":["node-sass>sass-graph>yargs>cliui>strip-ansi>ansi-regex"]},{"version":"4.1.0","paths":["node-sass>sass-graph>yargs>cliui>wrap-ansi>strip-ansi>ansi-regex"]}],"metadata":null,"vulnerable_versions":">=4.0.0 <4.1.1","module_name":"ansi-regex","severity":"high","github_advisory_id":"GHSA-93q8-gq69-wqmw","cves":["CVE-2021-3807"],"access":"public","patched_versions":">=4.1.1","cvss":{"score":7.5,"vectorString":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},"updated":"2022-05-02T21:01:45.000Z","recommendation":"Upgrade to version 4.1.1 or later","cwe":["CWE-1333"],"found_by":null,"deleted":null,"id":1070274,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2021-3807\n- https://github.com/chalk/ansi-regex/commit/8d1d7cdb586269882c4bdc1b7325d0c58c8f76f9\n- https://huntr.dev/bounties/5b3cf33b-ede0-4398-9974-800876dfd994\n- https://github.com/chalk/ansi-regex/issues/38#issuecomment-924086311\n- https://app.snyk.io/vuln/SNYK-JS-ANSIREGEX-1583908\n- https://github.com/chalk/ansi-regex/issues/38#issuecomment-925924774\n- https://github.com/chalk/ansi-regex/releases/tag/v6.0.1\n- https://www.oracle.com/security-alerts/cpuapr2022.html\n- https://github.com/advisories/GHSA-93q8-gq69-wqmw","created":"2021-09-20T20:20:09.000Z","reported_by":null,"title":" Inefficient Regular Expression Complexity in chalk/ansi-regex","npm_advisory_id":null,"overview":"ansi-regex is vulnerable to Inefficient Regular Expression Complexity","url":"https://github.com/advisories/GHSA-93q8-gq69-wqmw"}}}
{"type":"auditAdvisory","data":{"resolution":{"id":1070274,"path":"node-sass>sass-graph>yargs>cliui>strip-ansi>ansi-regex","dev":false,"optional":false,"bundled":false},"advisory":{"findings":[{"version":"4.1.0","paths":["node-sass>sass-graph>yargs>string-width>strip-ansi>ansi-regex","node-sass>sass-graph>yargs>cliui>string-width>strip-ansi>ansi-regex","node-sass>sass-graph>yargs>cliui>wrap-ansi>string-width>strip-ansi>ansi-regex"]},{"version":"4.1.0","paths":["node-sass>sass-graph>yargs>cliui>strip-ansi>ansi-regex"]},{"version":"4.1.0","paths":["node-sass>sass-graph>yargs>cliui>wrap-ansi>strip-ansi>ansi-regex"]}],"metadata":null,"vulnerable_versions":">=4.0.0 <4.1.1","module_name":"ansi-regex","severity":"high","github_advisory_id":"GHSA-93q8-gq69-wqmw","cves":["CVE-2021-3807"],"access":"public","patched_versions":">=4.1.1","cvss":{"score":7.5,"vectorString":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},"updated":"2022-05-02T21:01:45.000Z","recommendation":"Upgrade to version 4.1.1 or later","cwe":["CWE-1333"],"found_by":null,"deleted":null,"id":1070274,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2021-3807\n- https://github.com/chalk/ansi-regex/commit/8d1d7cdb586269882c4bdc1b7325d0c58c8f76f9\n- https://huntr.dev/bounties/5b3cf33b-ede0-4398-9974-800876dfd994\n- https://github.com/chalk/ansi-regex/issues/38#issuecomment-924086311\n- https://app.snyk.io/vuln/SNYK-JS-ANSIREGEX-1583908\n- https://github.com/chalk/ansi-regex/issues/38#issuecomment-925924774\n- https://github.com/chalk/ansi-regex/releases/tag/v6.0.1\n- https://www.oracle.com/security-alerts/cpuapr2022.html\n- https://github.com/advisories/GHSA-93q8-gq69-wqmw","created":"2021-09-20T20:20:09.000Z","reported_by":null,"title":" Inefficient Regular Expression Complexity in chalk/ansi-regex","npm_advisory_id":null,"overview":"ansi-regex is vulnerable to Inefficient Regular Expression Complexity","url":"https://github.com/advisories/GHSA-93q8-gq69-wqmw"}}}
{"type":"auditAdvisory","data":{"resolution":{"id":1070274,"path":"node-sass>sass-graph>yargs>cliui>wrap-ansi>strip-ansi>ansi-regex","dev":false,"optional":false,"bundled":false},"advisory":{"findings":[{"version":"4.1.0","paths":["node-sass>sass-graph>yargs>string-width>strip-ansi>ansi-regex","node-sass>sass-graph>yargs>cliui>string-width>strip-ansi>ansi-regex","node-sass>sass-graph>yargs>cliui>wrap-ansi>string-width>strip-ansi>ansi-regex"]},{"version":"4.1.0","paths":["node-sass>sass-graph>yargs>cliui>strip-ansi>ansi-regex"]},{"version":"4.1.0","paths":["node-sass>sass-graph>yargs>cliui>wrap-ansi>strip-ansi>ansi-regex"]}],"metadata":null,"vulnerable_versions":">=4.0.0 <4.1.1","module_name":"ansi-regex","severity":"high","github_advisory_id":"GHSA-93q8-gq69-wqmw","cves":["CVE-2021-3807"],"access":"public","patched_versions":">=4.1.1","cvss":{"score":7.5,"vectorString":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},"updated":"2022-05-02T21:01:45.000Z","recommendation":"Upgrade to version 4.1.1 or later","cwe":["CWE-1333"],"found_by":null,"deleted":null,"id":1070274,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2021-3807\n- https://github.com/chalk/ansi-regex/commit/8d1d7cdb586269882c4bdc1b7325d0c58c8f76f9\n- https://huntr.dev/bounties/5b3cf33b-ede0-4398-9974-800876dfd994\n- https://github.com/chalk/ansi-regex/issues/38#issuecomment-924086311\n- https://app.snyk.io/vuln/SNYK-JS-ANSIREGEX-1583908\n- https://github.com/chalk/ansi-regex/issues/38#issuecomment-925924774\n- https://github.com/chalk/ansi-regex/releases/tag/v6.0.1\n- https://www.oracle.com/security-alerts/cpuapr2022.html\n- https://github.com/advisories/GHSA-93q8-gq69-wqmw","created":"2021-09-20T20:20:09.000Z","reported_by":null,"title":" Inefficient Regular Expression Complexity in chalk/ansi-regex","npm_advisory_id":null,"overview":"ansi-regex is vulnerable to Inefficient Regular Expression Complexity","url":"https://github.com/advisories/GHSA-93q8-gq69-wqmw"}}}
{"type":"auditAdvisory","data":{"resolution":{"id":1070413,"path":"request>http-signature>jsprim>json-schema","dev":false,"optional":false,"bundled":false},"advisory":{"findings":[{"version":"0.2.3","paths":["request>http-signature>jsprim>json-schema","@hmcts/draft-store-client>request>http-signature>jsprim>json-schema","@hmcts/cmc-draft-store-middleware>@hmcts/draft-store-client>request>http-signature>jsprim>json-schema"]}],"metadata":null,"vulnerable_versions":"<0.4.0","module_name":"json-schema","severity":"critical","github_advisory_id":"GHSA-896r-f27r-55mw","cves":["CVE-2021-3918"],"access":"public","patched_versions":">=0.4.0","cvss":{"score":9.8,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},"updated":"2022-05-26T19:50:43.000Z","recommendation":"Upgrade to version 0.4.0 or later","cwe":["CWE-915","CWE-1321"],"found_by":null,"deleted":null,"id":1070413,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2021-3918\n- https://github.com/kriszyp/json-schema/commit/22f146111f541d9737e832823699ad3528ca7741\n- https://huntr.dev/bounties/bb6ccd63-f505-4e3a-b55f-cd2662c261a9\n- https://github.com/kriszyp/json-schema/commit/b62f1da1ff5442f23443d6be6a92d00e65cba93a\n- https://github.com/kriszyp/json-schema/commit/f6f6a3b02d667aa4ba2d5d50cc19208c4462abfa\n- https://github.com/advisories/GHSA-896r-f27r-55mw","created":"2021-11-19T20:16:17.000Z","reported_by":null,"title":"json-schema is vulnerable to Prototype Pollution","npm_advisory_id":null,"overview":"json-schema is vulnerable to Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')","url":"https://github.com/advisories/GHSA-896r-f27r-55mw"}}}
{"type":"auditAdvisory","data":{"resolution":{"id":1070413,"path":"@hmcts/draft-store-client>request>http-signature>jsprim>json-schema","dev":false,"optional":false,"bundled":false},"advisory":{"findings":[{"version":"0.2.3","paths":["request>http-signature>jsprim>json-schema","@hmcts/draft-store-client>request>http-signature>jsprim>json-schema","@hmcts/cmc-draft-store-middleware>@hmcts/draft-store-client>request>http-signature>jsprim>json-schema"]}],"metadata":null,"vulnerable_versions":"<0.4.0","module_name":"json-schema","severity":"critical","github_advisory_id":"GHSA-896r-f27r-55mw","cves":["CVE-2021-3918"],"access":"public","patched_versions":">=0.4.0","cvss":{"score":9.8,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},"updated":"2022-05-26T19:50:43.000Z","recommendation":"Upgrade to version 0.4.0 or later","cwe":["CWE-915","CWE-1321"],"found_by":null,"deleted":null,"id":1070413,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2021-3918\n- https://github.com/kriszyp/json-schema/commit/22f146111f541d9737e832823699ad3528ca7741\n- https://huntr.dev/bounties/bb6ccd63-f505-4e3a-b55f-cd2662c261a9\n- https://github.com/kriszyp/json-schema/commit/b62f1da1ff5442f23443d6be6a92d00e65cba93a\n- https://github.com/kriszyp/json-schema/commit/f6f6a3b02d667aa4ba2d5d50cc19208c4462abfa\n- https://github.com/advisories/GHSA-896r-f27r-55mw","created":"2021-11-19T20:16:17.000Z","reported_by":null,"title":"json-schema is vulnerable to Prototype Pollution","npm_advisory_id":null,"overview":"json-schema is vulnerable to Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')","url":"https://github.com/advisories/GHSA-896r-f27r-55mw"}}}
{"type":"auditAdvisory","data":{"resolution":{"id":1070413,"path":"@hmcts/cmc-draft-store-middleware>@hmcts/draft-store-client>request>http-signature>jsprim>json-schema","dev":false,"optional":false,"bundled":false},"advisory":{"findings":[{"version":"0.2.3","paths":["request>http-signature>jsprim>json-schema","@hmcts/draft-store-client>request>http-signature>jsprim>json-schema","@hmcts/cmc-draft-store-middleware>@hmcts/draft-store-client>request>http-signature>jsprim>json-schema"]}],"metadata":null,"vulnerable_versions":"<0.4.0","module_name":"json-schema","severity":"critical","github_advisory_id":"GHSA-896r-f27r-55mw","cves":["CVE-2021-3918"],"access":"public","patched_versions":">=0.4.0","cvss":{"score":9.8,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},"updated":"2022-05-26T19:50:43.000Z","recommendation":"Upgrade to version 0.4.0 or later","cwe":["CWE-915","CWE-1321"],"found_by":null,"deleted":null,"id":1070413,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2021-3918\n- https://github.com/kriszyp/json-schema/commit/22f146111f541d9737e832823699ad3528ca7741\n- https://huntr.dev/bounties/bb6ccd63-f505-4e3a-b55f-cd2662c261a9\n- https://github.com/kriszyp/json-schema/commit/b62f1da1ff5442f23443d6be6a92d00e65cba93a\n- https://github.com/kriszyp/json-schema/commit/f6f6a3b02d667aa4ba2d5d50cc19208c4462abfa\n- https://github.com/advisories/GHSA-896r-f27r-55mw","created":"2021-11-19T20:16:17.000Z","reported_by":null,"title":"json-schema is vulnerable to Prototype Pollution","npm_advisory_id":null,"overview":"json-schema is vulnerable to Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')","url":"https://github.com/advisories/GHSA-896r-f27r-55mw"}}}
{"type":"auditAdvisory","data":{"resolution":{"id":1070447,"path":"@hmcts/draft-store-client>moment","dev":false,"optional":false,"bundled":false},"advisory":{"findings":[{"version":"2.29.0","paths":["@hmcts/draft-store-client>moment","@hmcts/cmc-draft-store-middleware>@hmcts/draft-store-client>moment"]},{"version":"2.29.0","paths":["@hmcts/cmc-draft-store-middleware>moment"]},{"version":"2.29.0","paths":["@hmcts/nodejs-healthcheck>@hmcts/nodejs-logging>moment"]},{"version":"2.29.0","paths":["@hmcts/nodejs-logging>moment","@hmcts/properties-volume>@hmcts/nodejs-logging>moment"]},{"version":"2.29.1","paths":["moment"]}],"metadata":null,"vulnerable_versions":"<2.29.2","module_name":"moment","severity":"high","github_advisory_id":"GHSA-8hfj-j24r-96c4","cves":["CVE-2022-24785"],"access":"public","patched_versions":">=2.29.2","cvss":{"score":7.5,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},"updated":"2022-06-02T19:00:05.000Z","recommendation":"Upgrade to version 2.29.2 or later","cwe":["CWE-22","CWE-27"],"found_by":null,"deleted":null,"id":1070447,"references":"- https://github.com/moment/moment/security/advisories/GHSA-8hfj-j24r-96c4\n- https://nvd.nist.gov/vuln/detail/CVE-2022-24785\n- https://github.com/moment/moment/commit/4211bfc8f15746be4019bba557e29a7ba83d54c5\n- https://www.tenable.com/security/tns-2022-09\n- https://security.netapp.com/advisory/ntap-20220513-0006/\n- https://github.com/advisories/GHSA-8hfj-j24r-96c4","created":"2022-04-04T21:25:48.000Z","reported_by":null,"title":"Path Traversal: 'dir/../../filename' in moment.locale","npm_advisory_id":null,"overview":"### Impact\nThis vulnerability impacts npm (server) users of moment.js, especially if a user-provided locale string, e.g. `fr`, is directly used to switch the moment locale.\n\n### Patches\nThis problem is patched in 2.29.2, and the patch can be applied to all affected versions (from 1.0.1 up until 2.29.1, inclusive).\n\n### Workarounds\nSanitize user-provided locale name before passing it to moment.js.\n\n### References\n_Are there any links users can visit to find out more?_\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue in [moment repo](https://github.com/moment/moment)\n","url":"https://github.com/advisories/GHSA-8hfj-j24r-96c4"}}}
{"type":"auditAdvisory","data":{"resolution":{"id":1070447,"path":"@hmcts/cmc-draft-store-middleware>@hmcts/draft-store-client>moment","dev":false,"optional":false,"bundled":false},"advisory":{"findings":[{"version":"2.29.0","paths":["@hmcts/draft-store-client>moment","@hmcts/cmc-draft-store-middleware>@hmcts/draft-store-client>moment"]},{"version":"2.29.0","paths":["@hmcts/cmc-draft-store-middleware>moment"]},{"version":"2.29.0","paths":["@hmcts/nodejs-healthcheck>@hmcts/nodejs-logging>moment"]},{"version":"2.29.0","paths":["@hmcts/nodejs-logging>moment","@hmcts/properties-volume>@hmcts/nodejs-logging>moment"]},{"version":"2.29.1","paths":["moment"]}],"metadata":null,"vulnerable_versions":"<2.29.2","module_name":"moment","severity":"high","github_advisory_id":"GHSA-8hfj-j24r-96c4","cves":["CVE-2022-24785"],"access":"public","patched_versions":">=2.29.2","cvss":{"score":7.5,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},"updated":"2022-06-02T19:00:05.000Z","recommendation":"Upgrade to version 2.29.2 or later","cwe":["CWE-22","CWE-27"],"found_by":null,"deleted":null,"id":1070447,"references":"- https://github.com/moment/moment/security/advisories/GHSA-8hfj-j24r-96c4\n- https://nvd.nist.gov/vuln/detail/CVE-2022-24785\n- https://github.com/moment/moment/commit/4211bfc8f15746be4019bba557e29a7ba83d54c5\n- https://www.tenable.com/security/tns-2022-09\n- https://security.netapp.com/advisory/ntap-20220513-0006/\n- https://github.com/advisories/GHSA-8hfj-j24r-96c4","created":"2022-04-04T21:25:48.000Z","reported_by":null,"title":"Path Traversal: 'dir/../../filename' in moment.locale","npm_advisory_id":null,"overview":"### Impact\nThis vulnerability impacts npm (server) users of moment.js, especially if a user-provided locale string, e.g. `fr`, is directly used to switch the moment locale.\n\n### Patches\nThis problem is patched in 2.29.2, and the patch can be applied to all affected versions (from 1.0.1 up until 2.29.1, inclusive).\n\n### Workarounds\nSanitize user-provided locale name before passing it to moment.js.\n\n### References\n_Are there any links users can visit to find out more?_\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue in [moment repo](https://github.com/moment/moment)\n","url":"https://github.com/advisories/GHSA-8hfj-j24r-96c4"}}}
{"type":"auditAdvisory","data":{"resolution":{"id":1070447,"path":"@hmcts/cmc-draft-store-middleware>moment","dev":false,"optional":false,"bundled":false},"advisory":{"findings":[{"version":"2.29.0","paths":["@hmcts/draft-store-client>moment","@hmcts/cmc-draft-store-middleware>@hmcts/draft-store-client>moment"]},{"version":"2.29.0","paths":["@hmcts/cmc-draft-store-middleware>moment"]},{"version":"2.29.0","paths":["@hmcts/nodejs-healthcheck>@hmcts/nodejs-logging>moment"]},{"version":"2.29.0","paths":["@hmcts/nodejs-logging>moment","@hmcts/properties-volume>@hmcts/nodejs-logging>moment"]},{"version":"2.29.1","paths":["moment"]}],"metadata":null,"vulnerable_versions":"<2.29.2","module_name":"moment","severity":"high","github_advisory_id":"GHSA-8hfj-j24r-96c4","cves":["CVE-2022-24785"],"access":"public","patched_versions":">=2.29.2","cvss":{"score":7.5,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},"updated":"2022-06-02T19:00:05.000Z","recommendation":"Upgrade to version 2.29.2 or later","cwe":["CWE-22","CWE-27"],"found_by":null,"deleted":null,"id":1070447,"references":"- https://github.com/moment/moment/security/advisories/GHSA-8hfj-j24r-96c4\n- https://nvd.nist.gov/vuln/detail/CVE-2022-24785\n- https://github.com/moment/moment/commit/4211bfc8f15746be4019bba557e29a7ba83d54c5\n- https://www.tenable.com/security/tns-2022-09\n- https://security.netapp.com/advisory/ntap-20220513-0006/\n- https://github.com/advisories/GHSA-8hfj-j24r-96c4","created":"2022-04-04T21:25:48.000Z","reported_by":null,"title":"Path Traversal: 'dir/../../filename' in moment.locale","npm_advisory_id":null,"overview":"### Impact\nThis vulnerability impacts npm (server) users of moment.js, especially if user provided locale string, eg `fr` is directly used to switch moment locale.\n\n### Patches\nThis problem is patched in 2.29.2, and the patch can be applied to all affected versions (from 1.0.1 up until 2.29.1, inclusive).\n\n### Workarounds\nSanitize user-provided locale name before 
passing it to moment.js.\n\n### References\n_Are there any links users can visit to find out more?_\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue in [moment repo](https://github.com/moment/moment)\n","url":"https://github.com/advisories/GHSA-8hfj-j24r-96c4"}}}
{"type":"auditAdvisory","data":{"resolution":{"id":1070447,"path":"@hmcts/nodejs-healthcheck>@hmcts/nodejs-logging>moment","dev":false,"optional":false,"bundled":false},"advisory":{"findings":[{"version":"2.29.0","paths":["@hmcts/draft-store-client>moment","@hmcts/cmc-draft-store-middleware>@hmcts/draft-store-client>moment"]},{"version":"2.29.0","paths":["@hmcts/cmc-draft-store-middleware>moment"]},{"version":"2.29.0","paths":["@hmcts/nodejs-healthcheck>@hmcts/nodejs-logging>moment"]},{"version":"2.29.0","paths":["@hmcts/nodejs-logging>moment","@hmcts/properties-volume>@hmcts/nodejs-logging>moment"]},{"version":"2.29.1","paths":["moment"]}],"metadata":null,"vulnerable_versions":"<2.29.2","module_name":"moment","severity":"high","github_advisory_id":"GHSA-8hfj-j24r-96c4","cves":["CVE-2022-24785"],"access":"public","patched_versions":">=2.29.2","cvss":{"score":7.5,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},"updated":"2022-06-02T19:00:05.000Z","recommendation":"Upgrade to version 2.29.2 or later","cwe":["CWE-22","CWE-27"],"found_by":null,"deleted":null,"id":1070447,"references":"- https://github.com/moment/moment/security/advisories/GHSA-8hfj-j24r-96c4\n- https://nvd.nist.gov/vuln/detail/CVE-2022-24785\n- https://github.com/moment/moment/commit/4211bfc8f15746be4019bba557e29a7ba83d54c5\n- https://www.tenable.com/security/tns-2022-09\n- https://security.netapp.com/advisory/ntap-20220513-0006/\n- https://github.com/advisories/GHSA-8hfj-j24r-96c4","created":"2022-04-04T21:25:48.000Z","reported_by":null,"title":"Path Traversal: 'dir/../../filename' in moment.locale","npm_advisory_id":null,"overview":"### Impact\nThis vulnerability impacts npm (server) users of moment.js, especially if user provided locale string, eg `fr` is directly used to switch moment locale.\n\n### Patches\nThis problem is patched in 2.29.2, and the patch can be applied to all affected versions (from 1.0.1 up until 2.29.1, inclusive).\n\n### Workarounds\nSanitize user-provided 
locale name before passing it to moment.js.\n\n### References\n_Are there any links users can visit to find out more?_\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue in [moment repo](https://github.com/moment/moment)\n","url":"https://github.com/advisories/GHSA-8hfj-j24r-96c4"}}}
{"type":"auditAdvisory","data":{"resolution":{"id":1070447,"path":"@hmcts/nodejs-logging>moment","dev":false,"optional":false,"bundled":false},"advisory":{"findings":[{"version":"2.29.0","paths":["@hmcts/draft-store-client>moment","@hmcts/cmc-draft-store-middleware>@hmcts/draft-store-client>moment"]},{"version":"2.29.0","paths":["@hmcts/cmc-draft-store-middleware>moment"]},{"version":"2.29.0","paths":["@hmcts/nodejs-healthcheck>@hmcts/nodejs-logging>moment"]},{"version":"2.29.0","paths":["@hmcts/nodejs-logging>moment","@hmcts/properties-volume>@hmcts/nodejs-logging>moment"]},{"version":"2.29.1","paths":["moment"]}],"metadata":null,"vulnerable_versions":"<2.29.2","module_name":"moment","severity":"high","github_advisory_id":"GHSA-8hfj-j24r-96c4","cves":["CVE-2022-24785"],"access":"public","patched_versions":">=2.29.2","cvss":{"score":7.5,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},"updated":"2022-06-02T19:00:05.000Z","recommendation":"Upgrade to version 2.29.2 or later","cwe":["CWE-22","CWE-27"],"found_by":null,"deleted":null,"id":1070447,"references":"- https://github.com/moment/moment/security/advisories/GHSA-8hfj-j24r-96c4\n- https://nvd.nist.gov/vuln/detail/CVE-2022-24785\n- https://github.com/moment/moment/commit/4211bfc8f15746be4019bba557e29a7ba83d54c5\n- https://www.tenable.com/security/tns-2022-09\n- https://security.netapp.com/advisory/ntap-20220513-0006/\n- https://github.com/advisories/GHSA-8hfj-j24r-96c4","created":"2022-04-04T21:25:48.000Z","reported_by":null,"title":"Path Traversal: 'dir/../../filename' in moment.locale","npm_advisory_id":null,"overview":"### Impact\nThis vulnerability impacts npm (server) users of moment.js, especially if user provided locale string, eg `fr` is directly used to switch moment locale.\n\n### Patches\nThis problem is patched in 2.29.2, and the patch can be applied to all affected versions (from 1.0.1 up until 2.29.1, inclusive).\n\n### Workarounds\nSanitize user-provided locale name before passing it 
to moment.js.\n\n### References\n_Are there any links users can visit to find out more?_\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue in [moment repo](https://github.com/moment/moment)\n","url":"https://github.com/advisories/GHSA-8hfj-j24r-96c4"}}}
{"type":"auditAdvisory","data":{"resolution":{"id":1070447,"path":"@hmcts/properties-volume>@hmcts/nodejs-logging>moment","dev":false,"optional":false,"bundled":false},"advisory":{"findings":[{"version":"2.29.0","paths":["@hmcts/draft-store-client>moment","@hmcts/cmc-draft-store-middleware>@hmcts/draft-store-client>moment"]},{"version":"2.29.0","paths":["@hmcts/cmc-draft-store-middleware>moment"]},{"version":"2.29.0","paths":["@hmcts/nodejs-healthcheck>@hmcts/nodejs-logging>moment"]},{"version":"2.29.0","paths":["@hmcts/nodejs-logging>moment","@hmcts/properties-volume>@hmcts/nodejs-logging>moment"]},{"version":"2.29.1","paths":["moment"]}],"metadata":null,"vulnerable_versions":"<2.29.2","module_name":"moment","severity":"high","github_advisory_id":"GHSA-8hfj-j24r-96c4","cves":["CVE-2022-24785"],"access":"public","patched_versions":">=2.29.2","cvss":{"score":7.5,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},"updated":"2022-06-02T19:00:05.000Z","recommendation":"Upgrade to version 2.29.2 or later","cwe":["CWE-22","CWE-27"],"found_by":null,"deleted":null,"id":1070447,"references":"- https://github.com/moment/moment/security/advisories/GHSA-8hfj-j24r-96c4\n- https://nvd.nist.gov/vuln/detail/CVE-2022-24785\n- https://github.com/moment/moment/commit/4211bfc8f15746be4019bba557e29a7ba83d54c5\n- https://www.tenable.com/security/tns-2022-09\n- https://security.netapp.com/advisory/ntap-20220513-0006/\n- https://github.com/advisories/GHSA-8hfj-j24r-96c4","created":"2022-04-04T21:25:48.000Z","reported_by":null,"title":"Path Traversal: 'dir/../../filename' in moment.locale","npm_advisory_id":null,"overview":"### Impact\nThis vulnerability impacts npm (server) users of moment.js, especially if user provided locale string, eg `fr` is directly used to switch moment locale.\n\n### Patches\nThis problem is patched in 2.29.2, and the patch can be applied to all affected versions (from 1.0.1 up until 2.29.1, inclusive).\n\n### Workarounds\nSanitize user-provided locale 
name before passing it to moment.js.\n\n### References\n_Are there any links users can visit to find out more?_\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue in [moment repo](https://github.com/moment/moment)\n","url":"https://github.com/advisories/GHSA-8hfj-j24r-96c4"}}}
{"type":"auditAdvisory","data":{"resolution":{"id":1070447,"path":"moment","dev":false,"optional":false,"bundled":false},"advisory":{"findings":[{"version":"2.29.0","paths":["@hmcts/draft-store-client>moment","@hmcts/cmc-draft-store-middleware>@hmcts/draft-store-client>moment"]},{"version":"2.29.0","paths":["@hmcts/cmc-draft-store-middleware>moment"]},{"version":"2.29.0","paths":["@hmcts/nodejs-healthcheck>@hmcts/nodejs-logging>moment"]},{"version":"2.29.0","paths":["@hmcts/nodejs-logging>moment","@hmcts/properties-volume>@hmcts/nodejs-logging>moment"]},{"version":"2.29.1","paths":["moment"]}],"metadata":null,"vulnerable_versions":"<2.29.2","module_name":"moment","severity":"high","github_advisory_id":"GHSA-8hfj-j24r-96c4","cves":["CVE-2022-24785"],"access":"public","patched_versions":">=2.29.2","cvss":{"score":7.5,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},"updated":"2022-06-02T19:00:05.000Z","recommendation":"Upgrade to version 2.29.2 or later","cwe":["CWE-22","CWE-27"],"found_by":null,"deleted":null,"id":1070447,"references":"- https://github.com/moment/moment/security/advisories/GHSA-8hfj-j24r-96c4\n- https://nvd.nist.gov/vuln/detail/CVE-2022-24785\n- https://github.com/moment/moment/commit/4211bfc8f15746be4019bba557e29a7ba83d54c5\n- https://www.tenable.com/security/tns-2022-09\n- https://security.netapp.com/advisory/ntap-20220513-0006/\n- https://github.com/advisories/GHSA-8hfj-j24r-96c4","created":"2022-04-04T21:25:48.000Z","reported_by":null,"title":"Path Traversal: 'dir/../../filename' in moment.locale","npm_advisory_id":null,"overview":"### Impact\nThis vulnerability impacts npm (server) users of moment.js, especially if user provided locale string, eg `fr` is directly used to switch moment locale.\n\n### Patches\nThis problem is patched in 2.29.2, and the patch can be applied to all affected versions (from 1.0.1 up until 2.29.1, inclusive).\n\n### Workarounds\nSanitize user-provided locale name before passing it to moment.js.\n\n### 
References\n_Are there any links users can visit to find out more?_\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue in [moment repo](https://github.com/moment/moment)\n","url":"https://github.com/advisories/GHSA-8hfj-j24r-96c4"}}}
{"type":"auditAdvisory","data":{"resolution":{"id":1067560,"path":"@hmcts/cmc-validators>@hmcts/class-validator>validator","dev":false,"optional":false,"bundled":false},"advisory":{"findings":[{"version":"10.4.0","paths":["@hmcts/cmc-validators>@hmcts/class-validator>validator"]}],"metadata":null,"vulnerable_versions":"<13.7.0","module_name":"validator","severity":"moderate","github_advisory_id":"GHSA-qgmg-gppg-76g5","cves":["CVE-2021-3765"],"access":"public","patched_versions":">=13.7.0","cvss":{"score":5.3,"vectorString":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},"updated":"2021-11-03T17:34:45.000Z","recommendation":"Upgrade to version 13.7.0 or later","cwe":["CWE-1333"],"found_by":null,"deleted":null,"id":1067560,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2021-3765\n- https://github.com/validatorjs/validator.js/commit/496fc8b2a7f5997acaaec33cc44d0b8dba5fb5e1\n- https://huntr.dev/bounties/c37e975c-21a3-4c5f-9b57-04d63b28cfc9\n- https://github.com/advisories/GHSA-qgmg-gppg-76g5","created":"2021-11-03T17:34:45.000Z","reported_by":null,"title":"Inefficient Regular Expression Complexity in validator.js","npm_advisory_id":null,"overview":"validator.js prior to 13.7.0 is vulnerable to Inefficient Regular Expression Complexity","url":"https://github.com/advisories/GHSA-qgmg-gppg-76g5"}}}
{"type":"auditAdvisory","data":{"resolution":{"id":1067946,"path":"request>har-validator>ajv","dev":false,"optional":false,"bundled":false},"advisory":{"findings":[{"version":"6.12.0","paths":["request>har-validator>ajv","@hmcts/draft-store-client>request>har-validator>ajv","@hmcts/cmc-draft-store-middleware>@hmcts/draft-store-client>request>har-validator>ajv"]}],"metadata":null,"vulnerable_versions":"<6.12.3","module_name":"ajv","severity":"moderate","github_advisory_id":"GHSA-v88g-cgmw-v5xw","cves":["CVE-2020-15366"],"access":"public","patched_versions":">=6.12.3","cvss":{"score":5.6,"vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L"},"updated":"2022-02-10T23:30:59.000Z","recommendation":"Upgrade to version 6.12.3 or later","cwe":["CWE-915"],"found_by":null,"deleted":null,"id":1067946,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2020-15366\n- https://github.com/ajv-validator/ajv/commit/65b2f7d76b190ac63a0d4e9154c712d7aa37049f\n- https://github.com/ajv-validator/ajv/releases/tag/v6.12.3\n- https://hackerone.com/bugs?subject=user&report_id=894259\n- https://github.com/ajv-validator/ajv/tags\n- https://github.com/advisories/GHSA-v88g-cgmw-v5xw","created":"2022-02-10T23:30:59.000Z","reported_by":null,"title":"Prototype Pollution in Ajv","npm_advisory_id":null,"overview":"An issue was discovered in ajv.validate() in Ajv (aka Another JSON Schema Validator) 6.12.2. A carefully crafted JSON schema could be provided that allows execution of other code by prototype pollution. (While untrusted schemas are recommended against, the worst case of an untrusted schema should be a denial of service, not execution of code.)","url":"https://github.com/advisories/GHSA-v88g-cgmw-v5xw"}}}
{"type":"auditAdvisory","data":{"resolution":{"id":1067946,"path":"@hmcts/draft-store-client>request>har-validator>ajv","dev":false,"optional":false,"bundled":false},"advisory":{"findings":[{"version":"6.12.0","paths":["request>har-validator>ajv","@hmcts/draft-store-client>request>har-validator>ajv","@hmcts/cmc-draft-store-middleware>@hmcts/draft-store-client>request>har-validator>ajv"]}],"metadata":null,"vulnerable_versions":"<6.12.3","module_name":"ajv","severity":"moderate","github_advisory_id":"GHSA-v88g-cgmw-v5xw","cves":["CVE-2020-15366"],"access":"public","patched_versions":">=6.12.3","cvss":{"score":5.6,"vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L"},"updated":"2022-02-10T23:30:59.000Z","recommendation":"Upgrade to version 6.12.3 or later","cwe":["CWE-915"],"found_by":null,"deleted":null,"id":1067946,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2020-15366\n- https://github.com/ajv-validator/ajv/commit/65b2f7d76b190ac63a0d4e9154c712d7aa37049f\n- https://github.com/ajv-validator/ajv/releases/tag/v6.12.3\n- https://hackerone.com/bugs?subject=user&report_id=894259\n- https://github.com/ajv-validator/ajv/tags\n- https://github.com/advisories/GHSA-v88g-cgmw-v5xw","created":"2022-02-10T23:30:59.000Z","reported_by":null,"title":"Prototype Pollution in Ajv","npm_advisory_id":null,"overview":"An issue was discovered in ajv.validate() in Ajv (aka Another JSON Schema Validator) 6.12.2. A carefully crafted JSON schema could be provided that allows execution of other code by prototype pollution. (While untrusted schemas are recommended against, the worst case of an untrusted schema should be a denial of service, not execution of code.)","url":"https://github.com/advisories/GHSA-v88g-cgmw-v5xw"}}}
{"type":"auditAdvisory","data":{"resolution":{"id":1067946,"path":"@hmcts/cmc-draft-store-middleware>@hmcts/draft-store-client>request>har-validator>ajv","dev":false,"optional":false,"bundled":false},"advisory":{"findings":[{"version":"6.12.0","paths":["request>har-validator>ajv","@hmcts/draft-store-client>request>har-validator>ajv","@hmcts/cmc-draft-store-middleware>@hmcts/draft-store-client>request>har-validator>ajv"]}],"metadata":null,"vulnerable_versions":"<6.12.3","module_name":"ajv","severity":"moderate","github_advisory_id":"GHSA-v88g-cgmw-v5xw","cves":["CVE-2020-15366"],"access":"public","patched_versions":">=6.12.3","cvss":{"score":5.6,"vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L"},"updated":"2022-02-10T23:30:59.000Z","recommendation":"Upgrade to version 6.12.3 or later","cwe":["CWE-915"],"found_by":null,"deleted":null,"id":1067946,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2020-15366\n- https://github.com/ajv-validator/ajv/commit/65b2f7d76b190ac63a0d4e9154c712d7aa37049f\n- https://github.com/ajv-validator/ajv/releases/tag/v6.12.3\n- https://hackerone.com/bugs?subject=user&report_id=894259\n- https://github.com/ajv-validator/ajv/tags\n- https://github.com/advisories/GHSA-v88g-cgmw-v5xw","created":"2022-02-10T23:30:59.000Z","reported_by":null,"title":"Prototype Pollution in Ajv","npm_advisory_id":null,"overview":"An issue was discovered in ajv.validate() in Ajv (aka Another JSON Schema Validator) 6.12.2. A carefully crafted JSON schema could be provided that allows execution of other code by prototype pollution. (While untrusted schemas are recommended against, the worst case of an untrusted schema should be a denial of service, not execution of code.)","url":"https://github.com/advisories/GHSA-v88g-cgmw-v5xw"}}}