-
Notifications
You must be signed in to change notification settings - Fork 4
/
yarn-audit-known-issues
1 lines (1 loc) · 44.6 KB
/
yarn-audit-known-issues
1
{"actions":[],"advisories":{"1085685":{"findings":[{"version":"1.1.0","paths":["@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>jest-cli>yargs>os-locale>mem"]}],"metadata":null,"vulnerable_versions":"<4.0.0","module_name":"mem","severity":"moderate","github_advisory_id":"GHSA-4xcv-9jjx-gfj3","cves":[],"access":"public","patched_versions":">=4.0.0","cvss":{"score":5.1,"vectorString":"CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"},"updated":"2023-01-09T05:01:45.000Z","recommendation":"Upgrade to version 4.0.0 or later","cwe":["CWE-400"],"found_by":null,"deleted":null,"id":1085685,"references":"- https://github.com/sindresorhus/mem/commit/da4e4398cb27b602de3bd55f746efa9b4a31702b\n- https://bugzilla.redhat.com/show_bug.cgi?id=1623744\n- https://www.npmjs.com/advisories/1084\n- https://snyk.io/vuln/npm:mem:20180117\n- https://github.com/advisories/GHSA-4xcv-9jjx-gfj3","created":"2019-07-05T21:07:58.000Z","reported_by":null,"title":"Denial of Service in mem","npm_advisory_id":null,"overview":"Versions of `mem` prior to 4.0.0 are vulnerable to Denial of Service (DoS). The package fails to remove old values from the cache even after a value passes its `maxAge` property. This may allow attackers to exhaust the system's memory if they are able to abuse the application logging.\n\n\n## Recommendation\n\nUpgrade to version 4.0.0 or later.","url":"https://github.com/advisories/GHSA-4xcv-9jjx-gfj3"},"1088208":{"findings":[{"version":"0.8.4","paths":["git-rev-sync>shelljs"]}],"metadata":null,"vulnerable_versions":"<0.8.5","module_name":"shelljs","severity":"moderate","github_advisory_id":"GHSA-64g7-mvw6-v9qj","cves":[],"access":"public","patched_versions":">=0.8.5","cvss":{"score":0,"vectorString":null},"updated":"2023-01-11T05:03:39.000Z","recommendation":"Upgrade to version 0.8.5 or later","cwe":["CWE-269"],"found_by":null,"deleted":null,"id":1088208,"references":"- https://github.com/shelljs/shelljs/security/advisories/GHSA-64g7-mvw6-v9qj\n- https://huntr.dev/bounties/50996581-c08e-4eed-a90e-c0bac082679c/\n- https://github.com/advisories/GHSA-64g7-mvw6-v9qj","created":"2022-01-14T21:09:50.000Z","reported_by":null,"title":"Improper Privilege Management in shelljs","npm_advisory_id":null,"overview":"### Impact\nOutput from the synchronous version of `shell.exec()` may be visible to other users on the same system. You may be affected if you execute `shell.exec()` in multi-user Mac, Linux, or WSL environments, or if you execute `shell.exec()` as the root user.\n\nOther shelljs functions (including the asynchronous version of `shell.exec()`) are not impacted.\n\n### Patches\nPatched in shelljs 0.8.5\n\n### Workarounds\nRecommended action is to upgrade to 0.8.5.\n\n### References\nhttps://huntr.dev/bounties/50996581-c08e-4eed-a90e-c0bac082679c/\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Ask at https://github.com/shelljs/shelljs/issues/1058\n* Open an issue at https://github.com/shelljs/shelljs/issues/new\n","url":"https://github.com/advisories/GHSA-64g7-mvw6-v9qj"},"1088811":{"findings":[{"version":"8.1.0","paths":["@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>jest-cli>yargs>yargs-parser"]}],"metadata":null,"vulnerable_versions":">=6.0.0 <13.1.2","module_name":"yargs-parser","severity":"moderate","github_advisory_id":"GHSA-p9pc-299p-vxgp","cves":["CVE-2020-7608"],"access":"public","patched_versions":">=13.1.2","cvss":{"score":5.3,"vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L"},"updated":"2023-01-27T05:00:51.000Z","recommendation":"Upgrade to version 13.1.2 or later","cwe":["CWE-915","CWE-1321"],"found_by":null,"deleted":null,"id":1088811,"references":"- https://snyk.io/vuln/SNYK-JS-YARGSPARSER-560381\n- https://www.npmjs.com/advisories/1500\n- https://github.com/yargs/yargs-parser/commit/63810ca1ae1a24b08293a4d971e70e058c7a41e2\n- https://nvd.nist.gov/vuln/detail/CVE-2020-7608\n- https://github.com/yargs/yargs-parser/commit/1c417bd0b42b09c475ee881e36d292af4fa2cc36\n- https://github.com/advisories/GHSA-p9pc-299p-vxgp","created":"2020-09-04T18:00:54.000Z","reported_by":null,"title":"yargs-parser Vulnerable to Prototype Pollution","npm_advisory_id":null,"overview":"Affected versions of `yargs-parser` are vulnerable to prototype pollution. Arguments are not properly sanitized, allowing an attacker to modify the prototype of `Object`, causing the addition or modification of an existing property that will exist on all objects. \nParsing the argument `--foo.__proto__.bar baz'` adds a `bar` property with value `baz` to all objects. This is only exploitable if attackers have control over the arguments being passed to `yargs-parser`.\n\n\n\n## Recommendation\n\nUpgrade to versions 13.1.2, 15.0.1, 18.1.1 or later.","url":"https://github.com/advisories/GHSA-p9pc-299p-vxgp"},"1088948":{"findings":[{"version":"9.6.0","paths":["@hmcts/rpx-xui-node-lib>openid-client>got"]}],"metadata":null,"vulnerable_versions":"<11.8.5","module_name":"got","severity":"moderate","github_advisory_id":"GHSA-pfrx-2q88-qq97","cves":["CVE-2022-33987"],"access":"public","patched_versions":">=11.8.5","cvss":{"score":5.3,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},"updated":"2023-01-27T05:05:01.000Z","recommendation":"Upgrade to version 11.8.5 or later","cwe":[],"found_by":null,"deleted":null,"id":1088948,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2022-33987\n- https://github.com/sindresorhus/got/pull/2047\n- https://github.com/sindresorhus/got/compare/v12.0.3...v12.1.0\n- https://github.com/sindresorhus/got/commit/861ccd9ac2237df762a9e2beed7edd88c60782dc\n- https://github.com/sindresorhus/got/releases/tag/v11.8.5\n- https://github.com/sindresorhus/got/releases/tag/v12.1.0\n- https://github.com/advisories/GHSA-pfrx-2q88-qq97","created":"2022-06-19T00:00:21.000Z","reported_by":null,"title":"Got allows a redirect to a UNIX socket","npm_advisory_id":null,"overview":"The got package before 11.8.5 and 12.1.0 for Node.js allows a redirect to a UNIX socket.","url":"https://github.com/advisories/GHSA-pfrx-2q88-qq97"},"1089270":{"findings":[{"version":"2.7.4","paths":["ejs"]}],"metadata":null,"vulnerable_versions":"<3.1.7","module_name":"ejs","severity":"critical","github_advisory_id":"GHSA-phwq-j96m-2c2q","cves":["CVE-2022-29078"],"access":"public","patched_versions":">=3.1.7","cvss":{"score":9.8,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},"updated":"2023-01-30T05:02:57.000Z","recommendation":"Upgrade to version 3.1.7 or later","cwe":["CWE-74"],"found_by":null,"deleted":null,"id":1089270,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2022-29078\n- https://eslam.io/posts/ejs-server-side-template-injection-rce/\n- https://github.com/mde/ejs/commit/15ee698583c98dadc456639d6245580d17a24baf\n- https://github.com/mde/ejs/releases\n- https://security.netapp.com/advisory/ntap-20220804-0001/\n- https://github.com/advisories/GHSA-phwq-j96m-2c2q","created":"2022-04-26T00:00:40.000Z","reported_by":null,"title":"ejs template injection vulnerability","npm_advisory_id":null,"overview":"The ejs (aka Embedded JavaScript templates) package 3.1.6 for Node.js allows server-side template injection in settings[view options][outputFunctionName]. This is parsed as an internal option, and overwrites the outputFunctionName option with an arbitrary OS command (which is executed upon template compilation).","url":"https://github.com/advisories/GHSA-phwq-j96m-2c2q"},"1089698":{"findings":[{"version":"0.15.6","paths":["xlsx"]}],"metadata":null,"vulnerable_versions":"<0.17.0","module_name":"xlsx","severity":"moderate","github_advisory_id":"GHSA-g973-978j-2c3p","cves":["CVE-2021-32014"],"access":"public","patched_versions":">=0.17.0","cvss":{"score":5.5,"vectorString":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"},"updated":"2023-02-01T05:05:54.000Z","recommendation":"Upgrade to version 0.17.0 or later","cwe":["CWE-345","CWE-400"],"found_by":null,"deleted":null,"id":1089698,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2021-32014\n- https://floqast.com/engineering-blog/post/fuzzing-and-parsing-securely/\n- https://sheetjs.com/pro\n- https://www.npmjs.com/package/xlsx/v/0.17.0\n- https://www.oracle.com/security-alerts/cpujan2022.html\n- https://github.com/advisories/GHSA-g973-978j-2c3p","created":"2021-07-22T19:47:15.000Z","reported_by":null,"title":"Denial of Service in SheetJS Pro","npm_advisory_id":null,"overview":"SheetJS Pro through 0.16.9 allows attackers to cause a denial of service (CPU consumption) via a crafted .xlsx document that is mishandled when read by xlsx.js.","url":"https://github.com/advisories/GHSA-g973-978j-2c3p"},"1089699":{"findings":[{"version":"0.15.6","paths":["xlsx"]}],"metadata":null,"vulnerable_versions":"<0.17.0","module_name":"xlsx","severity":"moderate","github_advisory_id":"GHSA-3x9f-74h4-2fqr","cves":["CVE-2021-32012"],"access":"public","patched_versions":">=0.17.0","cvss":{"score":5.5,"vectorString":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"},"updated":"2023-02-01T05:06:10.000Z","recommendation":"Upgrade to version 0.17.0 or later","cwe":["CWE-400"],"found_by":null,"deleted":null,"id":1089699,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2021-32012\n- https://floqast.com/engineering-blog/post/fuzzing-and-parsing-securely/\n- https://sheetjs.com/pro\n- https://www.npmjs.com/package/xlsx/v/0.17.0\n- https://www.oracle.com/security-alerts/cpujan2022.html\n- https://github.com/advisories/GHSA-3x9f-74h4-2fqr","created":"2021-07-22T19:48:17.000Z","reported_by":null,"title":"Denial of Service in SheetJS Pro","npm_advisory_id":null,"overview":"SheetJS Pro through 0.16.9 allows attackers to cause a denial of service (memory consumption) via a crafted .xlsx document that is mishandled when read by xlsx.js (issue 1 of 2).","url":"https://github.com/advisories/GHSA-3x9f-74h4-2fqr"},"1089700":{"findings":[{"version":"0.15.6","paths":["xlsx"]}],"metadata":null,"vulnerable_versions":"<0.17.0","module_name":"xlsx","severity":"moderate","github_advisory_id":"GHSA-8vcr-vxm8-293m","cves":["CVE-2021-32013"],"access":"public","patched_versions":">=0.17.0","cvss":{"score":5.5,"vectorString":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"},"updated":"2023-02-01T05:06:00.000Z","recommendation":"Upgrade to version 0.17.0 or later","cwe":["CWE-400"],"found_by":null,"deleted":null,"id":1089700,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2021-32013\n- https://floqast.com/engineering-blog/post/fuzzing-and-parsing-securely/\n- https://sheetjs.com/pro\n- https://www.npmjs.com/package/xlsx/v/0.17.0\n- https://www.oracle.com/security-alerts/cpujan2022.html\n- https://github.com/advisories/GHSA-8vcr-vxm8-293m","created":"2021-07-22T19:48:13.000Z","reported_by":null,"title":"Denial of Service in SheetsJS Pro","npm_advisory_id":null,"overview":"SheetJS Pro through 0.16.9 allows attackers to cause a denial of service (memory consumption) via a crafted .xlsx document that is mishandled when read by xlsx.js (issue 2 of 2).","url":"https://github.com/advisories/GHSA-8vcr-vxm8-293m"},"1093639":{"findings":[{"version":"0.4.1","paths":["@hmcts/rpx-xui-node-lib>passport"]}],"metadata":null,"vulnerable_versions":"<0.6.0","module_name":"passport","severity":"moderate","github_advisory_id":"GHSA-v923-w3x8-wh69","cves":["CVE-2022-25896"],"access":"public","patched_versions":">=0.6.0","cvss":{"score":4.8,"vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:L"},"updated":"2023-09-11T16:22:18.000Z","recommendation":"Upgrade to version 0.6.0 or later","cwe":["CWE-384"],"found_by":null,"deleted":null,"id":1093639,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2022-25896\n- https://github.com/jaredhanson/passport/pull/900\n- https://github.com/jaredhanson/passport/commit/7e9b9cf4d7be02428e963fc729496a45baeea608\n- https://snyk.io/vuln/SNYK-JS-PASSPORT-2840631\n- https://github.com/advisories/GHSA-v923-w3x8-wh69","created":"2022-07-02T00:00:19.000Z","reported_by":null,"title":"Passport vulnerable to session regeneration when a users logs in or out","npm_advisory_id":null,"overview":"This affects the package passport before 0.6.0. When a user logs in or logs out, the session is regenerated instead of being closed.","url":"https://github.com/advisories/GHSA-v923-w3x8-wh69"},"1094599":{"findings":[{"version":"0.15.6","paths":["xlsx"]}],"metadata":null,"vulnerable_versions":"<0.19.3","module_name":"xlsx","severity":"high","github_advisory_id":"GHSA-4r6h-8v6p-xvw6","cves":["CVE-2023-30533"],"access":"public","patched_versions":">=0.19.3","cvss":{"score":7.8,"vectorString":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},"updated":"2023-11-06T05:04:13.000Z","recommendation":"Upgrade to version 0.19.3 or later","cwe":["CWE-1321"],"found_by":null,"deleted":null,"id":1094599,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2023-30533\n- https://cdn.sheetjs.com/advisories/CVE-2023-30533\n- https://git.sheetjs.com/sheetjs/sheetjs/src/branch/master/CHANGELOG.md\n- https://git.sheetjs.com/sheetjs/sheetjs/issues/2667\n- https://git.sheetjs.com/sheetjs/sheetjs/issues/2986\n- https://github.com/advisories/GHSA-4r6h-8v6p-xvw6","created":"2023-04-24T09:30:19.000Z","reported_by":null,"title":"Prototype Pollution in sheetJS","npm_advisory_id":null,"overview":"All versions of SheetJS CE through 0.19.2 are vulnerable to \"Prototype Pollution\" when reading specially crafted files. Workflows that do not read arbitrary files (for example, exporting data to spreadsheet files) are unaffected.\n\nA non-vulnerable version cannot be found via npm, as the repository hosted on GitHub and the npm package `xlsx` are no longer maintained.","url":"https://github.com/advisories/GHSA-4r6h-8v6p-xvw6"},"1095051":{"findings":[{"version":"0.7.0","paths":["ngx-md>marked"]}],"metadata":null,"vulnerable_versions":"<4.0.10","module_name":"marked","severity":"high","github_advisory_id":"GHSA-rrrm-qjm4-v8hf","cves":["CVE-2022-21680"],"access":"public","patched_versions":">=4.0.10","cvss":{"score":7.5,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},"updated":"2023-11-29T20:51:52.000Z","recommendation":"Upgrade to version 4.0.10 or later","cwe":["CWE-400","CWE-1333"],"found_by":null,"deleted":null,"id":1095051,"references":"- https://github.com/markedjs/marked/security/advisories/GHSA-rrrm-qjm4-v8hf\n- https://nvd.nist.gov/vuln/detail/CVE-2022-21680\n- https://github.com/markedjs/marked/commit/c4a3ccd344b6929afa8a1d50ac54a721e57012c0\n- https://github.com/markedjs/marked/releases/tag/v4.0.10\n- https://lists.fedoraproject.org/archives/list/[email protected]/message/AIXDMC3CSHYW3YWVSQOXAWLUYQHAO5UX/\n- https://github.com/advisories/GHSA-rrrm-qjm4-v8hf","created":"2022-01-14T21:04:41.000Z","reported_by":null,"title":"Inefficient Regular Expression Complexity in marked","npm_advisory_id":null,"overview":"### Impact\n\n_What kind of vulnerability is it?_\n\nDenial of service.\n\nThe regular expression `block.def` may cause catastrophic backtracking against some strings.\nPoC is the following.\n\n```javascript\nimport * as marked from \"marked\";\n\nmarked.parse(`[x]:${' '.repeat(1500)}x ${' '.repeat(1500)} x`);\n```\n\n_Who is impacted?_\n\nAnyone who runs untrusted markdown through marked and does not use a worker with a time limit.\n\n### Patches\n\n_Has the problem been patched?_\n\nYes\n\n_What versions should users upgrade to?_\n\n4.0.10\n\n### Workarounds\n\n_Is there a way for users to fix or remediate the vulnerability without upgrading?_\n\nDo not run untrusted markdown through marked or run marked on a [worker](https://marked.js.org/using_advanced#workers) thread and set a reasonable time limit to prevent draining resources.\n\n### References\n\n_Are there any links users can visit to find out more?_\n\n- https://marked.js.org/using_advanced#workers\n- https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS\n\n### For more information\n\nIf you have any questions or comments about this advisory:\n\n* Open an issue in [marked](https://github.com/markedjs/marked)\n","url":"https://github.com/advisories/GHSA-rrrm-qjm4-v8hf"},"1095052":{"findings":[{"version":"0.7.0","paths":["ngx-md>marked"]}],"metadata":null,"vulnerable_versions":"<4.0.10","module_name":"marked","severity":"high","github_advisory_id":"GHSA-5v2h-r2cx-5xgj","cves":["CVE-2022-21681"],"access":"public","patched_versions":">=4.0.10","cvss":{"score":7.5,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},"updated":"2023-11-29T20:51:17.000Z","recommendation":"Upgrade to version 4.0.10 or later","cwe":["CWE-1333"],"found_by":null,"deleted":null,"id":1095052,"references":"- https://github.com/markedjs/marked/security/advisories/GHSA-5v2h-r2cx-5xgj\n- https://nvd.nist.gov/vuln/detail/CVE-2022-21681\n- https://github.com/markedjs/marked/commit/8f806573a3f6c6b7a39b8cdb66ab5ebb8d55a5f5\n- https://lists.fedoraproject.org/archives/list/[email protected]/message/AIXDMC3CSHYW3YWVSQOXAWLUYQHAO5UX/\n- https://github.com/markedjs/marked/commit/c4a3ccd344b6929afa8a1d50ac54a721e57012c0\n- https://github.com/advisories/GHSA-5v2h-r2cx-5xgj","created":"2022-01-14T21:04:46.000Z","reported_by":null,"title":"Inefficient Regular Expression Complexity in marked","npm_advisory_id":null,"overview":"### Impact\n\n_What kind of vulnerability is it?_\n\nDenial of service.\n\nThe regular expression `inline.reflinkSearch` may cause catastrophic backtracking against some strings.\nPoC is the following.\n\n```javascript\nimport * as marked from 'marked';\n\nconsole.log(marked.parse(`[x]: x\n\n\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](`));\n```\n\n_Who is impacted?_\n\nAnyone who runs untrusted markdown through marked and does not use a worker with a time limit.\n\n### Patches\n\n_Has the problem been patched?_\n\nYes\n\n_What versions should users upgrade to?_\n\n4.0.10\n\n### Workarounds\n\n_Is there a way for users to fix or remediate the vulnerability without upgrading?_\n\nDo not run untrusted markdown through marked or run marked on a [worker](https://marked.js.org/using_advanced#workers) thread and set a reasonable time limit to prevent draining resources.\n\n### References\n\n_Are there any links users can visit to find out more?_\n\n- https://marked.js.org/using_advanced#workers\n- https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS\n\n### For more information\n\nIf you have any questions or comments about this advisory:\n\n* Open an issue in [marked](https://github.com/markedjs/marked)\n","url":"https://github.com/advisories/GHSA-5v2h-r2cx-5xgj"},"1095126":{"findings":[{"version":"0.8.4","paths":["git-rev-sync>shelljs"]}],"metadata":null,"vulnerable_versions":"<0.8.5","module_name":"shelljs","severity":"high","github_advisory_id":"GHSA-4rq4-32rv-6wp6","cves":["CVE-2022-0144"],"access":"public","patched_versions":">=0.8.5","cvss":{"score":7.1,"vectorString":"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H"},"updated":"2023-11-29T22:21:11.000Z","recommendation":"Upgrade to version 0.8.5 or later","cwe":["CWE-269"],"found_by":null,"deleted":null,"id":1095126,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2022-0144\n- https://github.com/shelljs/shelljs/commit/d919d22dd6de385edaa9d90313075a77f74b338c\n- https://huntr.dev/bounties/50996581-c08e-4eed-a90e-c0bac082679c\n- https://github.com/advisories/GHSA-4rq4-32rv-6wp6","created":"2022-01-21T23:37:28.000Z","reported_by":null,"title":"Improper Privilege Management in shelljs","npm_advisory_id":null,"overview":"shelljs is vulnerable to Improper Privilege Management","url":"https://github.com/advisories/GHSA-4rq4-32rv-6wp6"},"1095531":{"findings":[{"version":"6.2.1","paths":["log4js"]}],"metadata":null,"vulnerable_versions":"<6.4.0","module_name":"log4js","severity":"moderate","github_advisory_id":"GHSA-82v2-mx6x-wq7q","cves":["CVE-2022-21704"],"access":"public","patched_versions":">=6.4.0","cvss":{"score":5.5,"vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},"updated":"2024-01-24T08:54:14.000Z","recommendation":"Upgrade to version 6.4.0 or later","cwe":["CWE-276"],"found_by":null,"deleted":null,"id":1095531,"references":"- https://github.com/log4js-node/log4js-node/security/advisories/GHSA-82v2-mx6x-wq7q\n- https://github.com/log4js-node/log4js-node/pull/1141/commits/8042252861a1b65adb66931fdf702ead34fa9b76\n- https://github.com/log4js-node/streamroller/pull/87\n- https://github.com/log4js-node/log4js-node/blob/v6.4.0/CHANGELOG.md#640\n- https://nvd.nist.gov/vuln/detail/CVE-2022-21704\n- https://lists.debian.org/debian-lts-announce/2022/12/msg00014.html\n- https://github.com/advisories/GHSA-82v2-mx6x-wq7q","created":"2022-01-21T18:53:27.000Z","reported_by":null,"title":"Incorrect Default Permissions in log4js","npm_advisory_id":null,"overview":"### Impact\r\nDefault file permissions for log files created by the file, fileSync and dateFile appenders are world-readable (in unix). This could cause problems if log files contain sensitive information. This would affect any users that have not supplied their own permissions for the files via the mode parameter in the config.\r\n\r\n### Patches\r\nFixed by:\r\n* https://github.com/log4js-node/log4js-node/pull/1141\r\n* https://github.com/log4js-node/streamroller/pull/87\r\n\r\nReleased to NPM in [email protected]\r\n\r\n### Workarounds\r\nEvery version of log4js published allows passing the mode parameter to the configuration of file appenders, see the documentation for details.\r\n\r\n### References\r\n\r\nThanks to [ranjit-git](https://www.huntr.dev/users/ranjit-git) for raising the issue, and to @lamweili for fixing the problem.\r\n\r\n### For more information\r\nIf you have any questions or comments about this advisory:\r\n* Open an issue in [logj4s-node](https://github.com/log4js-node/log4js-node)\r\n* Ask a question in the [slack channel](https://join.slack.com/t/log4js-node/shared_invite/enQtODkzMDQ3MzExMDczLWUzZmY0MmI0YWI1ZjFhODY0YjI0YmU1N2U5ZTRkOTYyYzg3MjY5NWI4M2FjZThjYjdiOGM0NjU2NzBmYTJjOGI)\r\n* Email us at [[email protected]](mailto:[email protected])\r\n","url":"https://github.com/advisories/GHSA-82v2-mx6x-wq7q"},"1096832":{"findings":[{"version":"1.28.2","paths":["@hmcts/rpx-xui-node-lib>openid-client>jose"]}],"metadata":null,"vulnerable_versions":"<2.0.7","module_name":"jose","severity":"moderate","github_advisory_id":"GHSA-hhhv-q57g-882q","cves":["CVE-2024-28176"],"access":"public","patched_versions":">=2.0.7","cvss":{"score":5.3,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},"updated":"2024-03-30T06:30:42.000Z","recommendation":"Upgrade to version 2.0.7 or later","cwe":["CWE-400"],"found_by":null,"deleted":null,"id":1096832,"references":"- https://github.com/panva/jose/security/advisories/GHSA-hhhv-q57g-882q\n- https://github.com/panva/jose/commit/02a65794f7873cdaf12e81e80ad076fcdc4a9314\n- https://github.com/panva/jose/commit/1b91d88d2f8233f3477a5f4579aa5f8057b2ee8b\n- https://nvd.nist.gov/vuln/detail/CVE-2024-28176\n- https://lists.fedoraproject.org/archives/list/[email protected]/message/XJDO5VSIAOGT2WP63AXAAWNRSVJCNCRH\n- https://lists.fedoraproject.org/archives/list/[email protected]/message/KXKGNCRU7OTM5AHC7YIYBNOWI742PRMY\n- https://lists.fedoraproject.org/archives/list/[email protected]/message/I6MMWFBOXJA6ZCXNVPDFJ4XMK5PVG5RG\n- https://lists.fedoraproject.org/archives/list/[email protected]/message/UJO2U5ACZVACNQXJ5EBRFLFW6DP5BROY\n- https://lists.fedoraproject.org/archives/list/[email protected]/message/UG5FSEYJ3GP27FZXC5YAAMMEC5XWKJHG\n- https://github.com/advisories/GHSA-hhhv-q57g-882q","created":"2024-03-07T17:40:57.000Z","reported_by":null,"title":"jose vulnerable to resource exhaustion via specifically crafted JWE with compressed plaintext","npm_advisory_id":null,"overview":"A vulnerability has been identified in the JSON Web Encryption (JWE) decryption interfaces, specifically related to the [support for decompressing plaintext after its decryption](https://www.rfc-editor.org/rfc/rfc7516.html#section-4.1.3). This allows an adversary to exploit specific scenarios where the compression ratio becomes exceptionally high. As a result, the length of the JWE token, which is determined by the compressed content's size, can land below application-defined limits. In such cases, other existing application level mechanisms for preventing resource exhaustion may be rendered ineffective.\n\nNote that as per [RFC 8725](https://www.rfc-editor.org/rfc/rfc8725.html#name-avoid-compression-of-encryp) compression of data SHOULD NOT be done before encryption, because such compressed data often reveals information about the plaintext. For this reason the v5.x major version of `jose` removed support for compressed payloads entirely and is therefore NOT affected by this advisory.\n\n### Impact\n\nUnder certain conditions it is possible to have the user's environment consume unreasonable amount of CPU time or memory during JWE Decryption operations.\n\n### Affected users\n\nThe impact is limited only to Node.js users utilizing the JWE decryption APIs to decrypt JWEs from untrusted sources.\n\nYou are NOT affected if any of the following applies to you\n\n- Your code uses jose version v5.x where JWE Compression is not supported anymore\n- Your code runs in an environment other than Node.js (e.g. Deno, CF Workers), which is the only runtime where JWE Compression is implemented out of the box\n- Your code does not use the JWE decryption APIs\n- Your code only accepts JWEs produced by trusted sources\n\n### Patches\n\n`v2.0.7` and `v4.15.5` releases limit the decompression routine to only allow decompressing up to 250 kB of plaintext. In v4.x it is possible to further adjust this limit via the `inflateRaw` decryption option implementation. In v2.x it is possible to further adjust this limit via the `inflateRawSyncLimit` decryption option.\n\n### Workarounds\n\nIf you cannot upgrade and do not want to support compressed JWEs you may detect and reject these tokens early by checking the token's protected header\n\n```js\nconst { zip } = jose.decodeProtectedHeader(token)\nif (zip !== undefined) {\n throw new Error('JWE Compression is not supported')\n}\n```\n\nIf you wish to continue supporting JWEs with compressed payloads in these legacy release lines you must upgrade (v1.x and v2.x to version v2.0.7, v3.x and v4.x to version v4.15.5) and review the limits put forth by the patched releases.\n\n### For more information\nIf you have any questions or comments about this advisory please open a discussion in the project's [repository](https://github.com/panva/jose/discussions/new?category=q-a&title=GHSA-hhhv-q57g-882q%20advisory%20question)","url":"https://github.com/advisories/GHSA-hhhv-q57g-882q"},"1096911":{"findings":[{"version":"0.15.6","paths":["xlsx"]}],"metadata":null,"vulnerable_versions":"<0.20.2","module_name":"xlsx","severity":"high","github_advisory_id":"GHSA-5pgg-2g8v-p4x9","cves":["CVE-2024-22363"],"access":"public","patched_versions":">=0.20.2","cvss":{"score":7.5,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},"updated":"2024-04-08T13:47:06.000Z","recommendation":"Upgrade to version 0.20.2 or later","cwe":["CWE-1333"],"found_by":null,"deleted":null,"id":1096911,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2024-22363\n- https://cdn.sheetjs.com/advisories/CVE-2024-22363\n- https://cwe.mitre.org/data/definitions/1333.html\n- https://git.sheetjs.com/sheetjs/sheetjs/src/tag/v0.20.2\n- https://github.com/advisories/GHSA-5pgg-2g8v-p4x9","created":"2024-04-05T06:30:46.000Z","reported_by":null,"title":"SheetJS Regular Expression Denial of Service (ReDoS)","npm_advisory_id":null,"overview":"SheetJS Community Edition before 0.20.2 is vulnerable.to Regular Expression Denial of Service (ReDoS).","url":"https://github.com/advisories/GHSA-5pgg-2g8v-p4x9"},"1097492":{"findings":[{"version":"2.7.4","paths":["ejs"]}],"metadata":null,"vulnerable_versions":"<3.1.10","module_name":"ejs","severity":"moderate","github_advisory_id":"GHSA-ghr5-ch3p-vcr6","cves":["CVE-2024-33883"],"access":"public","patched_versions":">=3.1.10","cvss":{"score":0,"vectorString":null},"updated":"2024-06-10T18:30:56.000Z","recommendation":"Upgrade to version 3.1.10 or later","cwe":["CWE-1321"],"found_by":null,"deleted":null,"id":1097492,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2024-33883\n- https://github.com/mde/ejs/commit/e469741dca7df2eb400199e1cdb74621e3f89aa5\n- https://github.com/mde/ejs/compare/v3.1.9...v3.1.10\n- https://security.netapp.com/advisory/ntap-20240605-0003\n- https://github.com/advisories/GHSA-ghr5-ch3p-vcr6","created":"2024-04-28T18:30:31.000Z","reported_by":null,"title":"ejs lacks certain pollution protection","npm_advisory_id":null,"overview":"The ejs (aka Embedded JavaScript templates) package before 3.1.10 for Node.js lacks certain pollution protection.","url":"https://github.com/advisories/GHSA-ghr5-ch3p-vcr6"},"1097504":{"findings":[{"version":"2.5.207","paths":["pdfjs-dist","@hmcts/media-viewer>pdfjs-dist"]}],"metadata":null,"vulnerable_versions":"<=4.1.392","module_name":"pdfjs-dist","severity":"high","github_advisory_id":"GHSA-wgrm-67xf-hhpq","cves":["CVE-2024-4367"],"access":"public","patched_versions":">=4.2.67","cvss":{"score":0,"vectorString":null},"updated":"2024-06-10T20:18:19.000Z","recommendation":"Upgrade to version 4.2.67 or later","cwe":[],"found_by":null,"deleted":null,"id":1097504,"references":"- https://github.com/mozilla/pdf.js/security/advisories/GHSA-wgrm-67xf-hhpq\n- https://github.com/mozilla/pdf.js/pull/18015\n- https://github.com/mozilla/pdf.js/commit/85e64b5c16c9aaef738f421733c12911a441cec6\n- https://bugzilla.mozilla.org/show_bug.cgi?id=1893645\n- https://nvd.nist.gov/vuln/detail/CVE-2024-4367\n- https://lists.debian.org/debian-lts-announce/2024/05/msg00010.html\n- https://lists.debian.org/debian-lts-announce/2024/05/msg00012.html\n- https://www.mozilla.org/security/advisories/mfsa2024-21\n- https://www.mozilla.org/security/advisories/mfsa2024-22\n- https://www.mozilla.org/security/advisories/mfsa2024-23\n- https://github.com/advisories/GHSA-wgrm-67xf-hhpq","created":"2024-05-07T10:25:08.000Z","reported_by":null,"title":"PDF.js vulnerable to arbitrary JavaScript execution upon opening a malicious PDF","npm_advisory_id":null,"overview":"### Impact\nIf pdf.js is used to load a malicious PDF, and PDF.js is configured with `isEvalSupported` set to `true` (which is the default value), unrestricted attacker-controlled JavaScript will be executed in the context of the hosting domain.\n\n### Patches\nThe patch removes the use of `eval`:\nhttps://github.com/mozilla/pdf.js/pull/18015\n\n### Workarounds\nSet the option `isEvalSupported` to `false`. \n\n### References\nhttps://bugzilla.mozilla.org/show_bug.cgi?id=1893645","url":"https://github.com/advisories/GHSA-wgrm-67xf-hhpq"},"1097616":{"findings":[{"version":"7.4.6","paths":["puppeteer>ws","@hmcts/media-viewer>socket.io-client>engine.io-client>ws"]}],"metadata":null,"vulnerable_versions":">=7.0.0 <7.5.10","module_name":"ws","severity":"high","github_advisory_id":"GHSA-3h5v-q93c-6h6q","cves":["CVE-2024-37890"],"access":"public","patched_versions":">=7.5.10","cvss":{"score":7.5,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},"updated":"2024-06-17T19:09:12.000Z","recommendation":"Upgrade to version 7.5.10 or later","cwe":["CWE-476"],"found_by":null,"deleted":null,"id":1097616,"references":"- https://github.com/websockets/ws/security/advisories/GHSA-3h5v-q93c-6h6q\n- https://github.com/websockets/ws/issues/2230\n- https://github.com/websockets/ws/pull/2231\n- https://github.com/websockets/ws/commit/22c28763234aa75a7e1b76f5c01c181260d7917f\n- https://github.com/websockets/ws/commit/4abd8f6de4b0b65ef80b3ff081989479ed93377e\n- https://github.com/websockets/ws/commit/e55e5106f10fcbaac37cfa89759e4cc0d073a52c\n- https://github.com/websockets/ws/commit/eeb76d313e2a00dd5247ca3597bba7877d064a63\n- https://github.com/advisories/GHSA-3h5v-q93c-6h6q","created":"2024-06-17T19:09:10.000Z","reported_by":null,"title":"ws affected by a DoS when handling a request with many HTTP headers","npm_advisory_id":null,"overview":"### Impact\n\nA request with a number of headers exceeding the[`server.maxHeadersCount`][] threshold could be used to crash a ws server.\n\n### Proof of concept\n\n```js\nconst http = require('http');\nconst WebSocket = require('ws');\n\nconst wss = new WebSocket.Server({ port: 0 }, function () {\n const chars = \"!#$%&'*+-.0123456789abcdefghijklmnopqrstuvwxyz^_`|~\".split('');\n const headers = {};\n let count = 0;\n\n for (let i = 0; i < chars.length; i++) {\n if (count === 2000) break;\n\n for (let j = 0; j < chars.length; j++) {\n const key = chars[i] + chars[j];\n headers[key] = 'x';\n\n if (++count === 2000) break;\n }\n }\n\n headers.Connection = 'Upgrade';\n headers.Upgrade = 'websocket';\n headers['Sec-WebSocket-Key'] = 'dGhlIHNhbXBsZSBub25jZQ==';\n headers['Sec-WebSocket-Version'] = '13';\n\n const request = http.request({\n headers: headers,\n host: '127.0.0.1',\n port: wss.address().port\n });\n\n request.end();\n});\n```\n\n### Patches\n\nThe vulnerability was fixed in [email protected] (https://github.com/websockets/ws/commit/e55e5106f10fcbaac37cfa89759e4cc0d073a52c) and backported to [email protected] (https://github.com/websockets/ws/commit/22c28763234aa75a7e1b76f5c01c181260d7917f), [email protected] (https://github.com/websockets/ws/commit/eeb76d313e2a00dd5247ca3597bba7877d064a63), and [email protected] (https://github.com/websockets/ws/commit/4abd8f6de4b0b65ef80b3ff081989479ed93377e)\n\n### Workarounds\n\nIn vulnerable versions of ws, the issue can be mitigated in the following ways:\n\n1. Reduce the maximum allowed length of the request headers using the [`--max-http-header-size=size`][] and/or the [`maxHeaderSize`][] options so that no more headers than the `server.maxHeadersCount` limit can be sent.\n2. Set `server.maxHeadersCount` to `0` so that no limit is applied.\n\n### Credits\n\nThe vulnerability was reported by [Ryan LaPointe](https://github.com/rrlapointe) in https://github.com/websockets/ws/issues/2230.\n\n### References\n\n- https://github.com/websockets/ws/issues/2230\n- https://github.com/websockets/ws/pull/2231\n\n[`--max-http-header-size=size`]: https://nodejs.org/api/cli.html#--max-http-header-sizesize\n[`maxHeaderSize`]: https://nodejs.org/api/http.html#httpcreateserveroptions-requestlistener\n[`server.maxHeadersCount`]: https://nodejs.org/api/http.html#servermaxheaderscount\n","url":"https://github.com/advisories/GHSA-3h5v-q93c-6h6q"},"1097679":{"findings":[{"version":"0.26.1","paths":["axios","@hmcts/rpx-xui-node-lib>axios"]}],"metadata":null,"vulnerable_versions":">=0.8.1 <0.28.0","module_name":"axios","severity":"moderate","github_advisory_id":"GHSA-wf5p-g6vw-rhxx","cves":["CVE-2023-45857"],"access":"public","patched_versions":">=0.28.0","cvss":{"score":6.5,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N"},"updated":"2024-06-21T21:33:58.000Z","recommendation":"Upgrade to version 0.28.0 or later","cwe":["CWE-352"],"found_by":null,"deleted":null,"id":1097679,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2023-45857\n- https://github.com/axios/axios/issues/6006\n- https://github.com/axios/axios/issues/6022\n- https://github.com/axios/axios/pull/6028\n- https://github.com/axios/axios/commit/96ee232bd3ee4de2e657333d4d2191cd389e14d0\n- https://github.com/axios/axios/releases/tag/v1.6.0\n- https://security.snyk.io/vuln/SNYK-JS-AXIOS-6032459\n- https://github.com/axios/axios/pull/6091\n- https://github.com/axios/axios/commit/2755df562b9c194fba6d8b609a383443f6a6e967\n- https://github.com/axios/axios/releases/tag/v0.28.0\n- https://security.netapp.com/advisory/ntap-20240621-0006\n- https://github.com/advisories/GHSA-wf5p-g6vw-rhxx","created":"2023-11-08T21:30:37.000Z","reported_by":null,"title":"Axios Cross-Site Request Forgery Vulnerability","npm_advisory_id":null,"overview":"An issue discovered in Axios 0.8.1 through 1.5.1 inadvertently reveals the confidential XSRF-TOKEN stored in cookies by including it in the HTTP header X-XSRF-TOKEN for every request made to any host allowing attackers to view sensitive information.","url":"https://github.com/advisories/GHSA-wf5p-g6vw-rhxx"},"1097682":{"findings":[{"version":"2.5.0","paths":["rx-polling-hmcts>jest-environment-jsdom>jsdom>tough-cookie"]}],"metadata":null,"vulnerable_versions":"<4.1.3","module_name":"tough-cookie","severity":"moderate","github_advisory_id":"GHSA-72xf-g2v4-qvf3","cves":["CVE-2023-26136"],"access":"public","patched_versions":">=4.1.3","cvss":{"score":6.5,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"},"updated":"2024-06-21T21:33:53.000Z","recommendation":"Upgrade to version 4.1.3 or later","cwe":["CWE-1321"],"found_by":null,"deleted":null,"id":1097682,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2023-26136\n- https://github.com/salesforce/tough-cookie/issues/282\n- https://github.com/salesforce/tough-cookie/commit/12d474791bb856004e858fdb1c47b7608d09cf6e\n- https://github.com/salesforce/tough-cookie/releases/tag/v4.1.3\n- https://security.snyk.io/vuln/SNYK-JS-TOUGHCOOKIE-5672873\n- https://lists.debian.org/debian-lts-announce/2023/07/msg00010.html\n- https://lists.fedoraproject.org/archives/list/[email protected]/message/3HUE6ZR5SL73KHL7XUPAOEL6SB7HUDT2\n- https://lists.fedoraproject.org/archives/list/[email protected]/message/6PVVPNSAGSDS63HQ74PJ7MZ3MU5IYNVZ\n- https://security.netapp.com/advisory/ntap-20240621-0006\n- https://github.com/advisories/GHSA-72xf-g2v4-qvf3","created":"2023-07-01T06:30:16.000Z","reported_by":null,"title":"tough-cookie Prototype Pollution vulnerability","npm_advisory_id":null,"overview":"Versions of the package tough-cookie before 4.1.3 are vulnerable to Prototype Pollution due to improper handling of Cookies when using CookieJar in `rejectPublicSuffixes=false` mode. This issue arises from the manner in which the objects are initialized.","url":"https://github.com/advisories/GHSA-72xf-g2v4-qvf3"},"1097684":{"findings":[{"version":"8.5.1","paths":["jsonwebtoken"]}],"metadata":null,"vulnerable_versions":"<9.0.0","module_name":"jsonwebtoken","severity":"moderate","github_advisory_id":"GHSA-qwph-4952-7xr6","cves":["CVE-2022-23540"],"access":"public","patched_versions":">=9.0.0","cvss":{"score":6.4,"vectorString":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:L"},"updated":"2024-06-21T21:34:57.000Z","recommendation":"Upgrade to version 9.0.0 or later","cwe":["CWE-287","CWE-327","CWE-347"],"found_by":null,"deleted":null,"id":1097684,"references":"- https://github.com/auth0/node-jsonwebtoken/security/advisories/GHSA-qwph-4952-7xr6\n- https://github.com/auth0/node-jsonwebtoken/commit/e1fa9dcc12054a8681db4e6373da1b30cf7016e3\n- https://nvd.nist.gov/vuln/detail/CVE-2022-23540\n- https://security.netapp.com/advisory/ntap-20240621-0007\n- https://github.com/advisories/GHSA-qwph-4952-7xr6","created":"2022-12-22T03:32:59.000Z","reported_by":null,"title":"jsonwebtoken vulnerable to signature validation bypass due to insecure default algorithm in jwt.verify()","npm_advisory_id":null,"overview":"# Overview\n\nIn versions <=8.5.1 of jsonwebtoken library, lack of algorithm definition and a falsy secret or key in the `jwt.verify()` function can lead to signature validation bypass due to defaulting to the `none` algorithm for signature verification.\n\n# Am I affected?\nYou will be affected if all the following are true in the `jwt.verify()` function:\n- a token with no signature is received\n- no algorithms are specified \n- a falsy (e.g. null, false, undefined) secret or key is passed \n\n# How do I fix it?\n \nUpdate to version 9.0.0 which removes the default support for the none algorithm in the `jwt.verify()` method. \n\n# Will the fix impact my users?\n\nThere will be no impact, if you update to version 9.0.0 and you don’t need to allow for the `none` algorithm. If you need 'none' algorithm, you have to explicitly specify that in `jwt.verify()` options.\n","url":"https://github.com/advisories/GHSA-qwph-4952-7xr6"},"1097690":{"findings":[{"version":"8.5.1","paths":["jsonwebtoken"]}],"metadata":null,"vulnerable_versions":"<=8.5.1","module_name":"jsonwebtoken","severity":"high","github_advisory_id":"GHSA-8cf7-32gw-wr33","cves":["CVE-2022-23539"],"access":"public","patched_versions":">=9.0.0","cvss":{"score":8.1,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N"},"updated":"2024-06-24T21:23:39.000Z","recommendation":"Upgrade to version 9.0.0 or later","cwe":["CWE-327"],"found_by":null,"deleted":null,"id":1097690,"references":"- https://github.com/auth0/node-jsonwebtoken/security/advisories/GHSA-8cf7-32gw-wr33\n- https://github.com/auth0/node-jsonwebtoken/commit/e1fa9dcc12054a8681db4e6373da1b30cf7016e3\n- https://nvd.nist.gov/vuln/detail/CVE-2022-23539\n- https://security.netapp.com/advisory/ntap-20240621-0007\n- https://github.com/advisories/GHSA-8cf7-32gw-wr33","created":"2022-12-22T03:32:22.000Z","reported_by":null,"title":"jsonwebtoken unrestricted key type could lead to legacy keys usage ","npm_advisory_id":null,"overview":"# Overview\n\nVersions `<=8.5.1` of `jsonwebtoken` library could be misconfigured so that legacy, insecure key types are used for signature verification. For example, DSA keys could be used with the RS256 algorithm. \n\n# Am I affected?\n\nYou are affected if you are using an algorithm and a key type other than the combinations mentioned below\n\n| Key type | algorithm |\n|----------|------------------------------------------|\n| ec | ES256, ES384, ES512 |\n| rsa | RS256, RS384, RS512, PS256, PS384, PS512 |\n| rsa-pss | PS256, PS384, PS512 |\n\nAnd for Elliptic Curve algorithms:\n\n| `alg` | Curve |\n|-------|------------|\n| ES256 | prime256v1 |\n| ES384 | secp384r1 |\n| ES512 | secp521r1 |\n\n# How do I fix it?\n\nUpdate to version 9.0.0. This version validates for asymmetric key type and algorithm combinations. Please refer to the above mentioned algorithm / key type combinations for the valid secure configuration. After updating to version 9.0.0, If you still intend to continue with signing or verifying tokens using invalid key type/algorithm value combinations, you’ll need to set the `allowInvalidAsymmetricKeyTypes` option to `true` in the `sign()` and/or `verify()` functions.\n\n# Will the fix impact my users?\n\nThere will be no impact, if you update to version 9.0.0 and you already use a valid secure combination of key type and algorithm. Otherwise, use the `allowInvalidAsymmetricKeyTypes` option to `true` in the `sign()` and `verify()` functions to continue usage of invalid key type/algorithm combination in 9.0.0 for legacy compatibility. \n\n","url":"https://github.com/advisories/GHSA-8cf7-32gw-wr33"},"1097694":{"findings":[{"version":"8.5.1","paths":["jsonwebtoken"]}],"metadata":null,"vulnerable_versions":"<=8.5.1","module_name":"jsonwebtoken","severity":"moderate","github_advisory_id":"GHSA-hjrf-2m68-5959","cves":["CVE-2022-23541"],"access":"public","patched_versions":">=9.0.0","cvss":{"score":5,"vectorString":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L"},"updated":"2024-06-24T21:24:07.000Z","recommendation":"Upgrade to version 9.0.0 or later","cwe":["CWE-287","CWE-1259"],"found_by":null,"deleted":null,"id":1097694,"references":"- https://github.com/auth0/node-jsonwebtoken/security/advisories/GHSA-hjrf-2m68-5959\n- https://github.com/auth0/node-jsonwebtoken/commit/e1fa9dcc12054a8681db4e6373da1b30cf7016e3\n- https://nvd.nist.gov/vuln/detail/CVE-2022-23541\n- https://github.com/auth0/node-jsonwebtoken/releases/tag/v9.0.0\n- https://security.netapp.com/advisory/ntap-20240621-0007\n- https://github.com/advisories/GHSA-hjrf-2m68-5959","created":"2022-12-22T03:33:19.000Z","reported_by":null,"title":"jsonwebtoken's insecure implementation of key retrieval function could lead to Forgeable Public/Private Tokens from RSA to HMAC","npm_advisory_id":null,"overview":"# Overview\n\nVersions `<=8.5.1` of `jsonwebtoken` library can be misconfigured so that passing a poorly implemented key retrieval function (referring to the `secretOrPublicKey` argument from the [readme link](https://github.com/auth0/node-jsonwebtoken#jwtverifytoken-secretorpublickey-options-callback)) will result in incorrect verification of tokens. There is a possibility of using a different algorithm and key combination in verification than the one that was used to sign the tokens. Specifically, tokens signed with an asymmetric public key could be verified with a symmetric HS256 algorithm. This can lead to successful validation of forged tokens. \n\n# Am I affected?\n\nYou will be affected if your application is supporting usage of both symmetric key and asymmetric key in jwt.verify() implementation with the same key retrieval function. \n\n# How do I fix it?\n \nUpdate to version 9.0.0.\n\n# Will the fix impact my users?\n\nThere is no impact for end users","url":"https://github.com/advisories/GHSA-hjrf-2m68-5959"}},"muted":[],"metadata":{"vulnerabilities":{"info":0,"low":0,"moderate":16,"high":10,"critical":1},"dependencies":1001,"devDependencies":5,"optionalDependencies":0,"totalDependencies":1006}}