yarn-audit-known-issues
{"type":"auditAdvisory","data":{"resolution":{"id":565,"path":"@angular/cli>@schematics/update>npm-registry-client>ssri","dev":false,"optional":false,"bundled":false},"advisory":{"findings":[{"version":"5.3.0","paths":["@angular/cli>@schematics/update>npm-registry-client>ssri"]},{"version":"6.0.1","paths":["@angular/cli>pacote>cacache>ssri","@angular/cli>pacote>make-fetch-happen>cacache>ssri","@angular/cli>pacote>make-fetch-happen>ssri","@angular/cli>pacote>npm-registry-fetch>make-fetch-happen>cacache>ssri","npm-registry-fetch>make-fetch-happen>cacache>ssri","@angular/cli>pacote>npm-registry-fetch>make-fetch-happen>ssri","npm-registry-fetch>make-fetch-happen>ssri","@angular/cli>pacote>ssri"]}],"id":565,"created":"2018-04-20T21:20:19.406Z","updated":"2021-04-14T15:34:03.470Z","deleted":null,"title":"Regular Expression Denial of Service","found_by":{"link":"","name":"Jamie Davis","email":""},"reported_by":{"link":"","name":"Jamie Davis","email":""},"module_name":"ssri","cves":[],"vulnerable_versions":">=5.2.2 <6.0.2 || >=7.0.0 <8.0.1","patched_versions":">=6.0.2 <7.0.0 || >=8.0.1","overview":"`ssri` 5.2.2-6.0.1 and 7.0.0-8.0.0, processes SRIs using a regular expression which is vulnerable to a denial of service. Malicious SRIs could take an extremely long time to process, leading to denial of service. This issue only affects consumers using the strict option.","recommendation":"Update to version 6.0.2 or 8.0.1 or later","references":"- [GitHub Advisory](https://github.com/advisories/GHSA-vx3p-948g-6vhq)\n- [CVE](https://nvd.nist.gov/vuln/detail/CVE-2021-27290)","access":"public","severity":"moderate","cwe":"CWE-400","metadata":{"module_type":"","exploitability":3,"affected_components":""},"url":"https://npmjs.com/advisories/565"}}}
{"type":"auditAdvisory","data":{"resolution":{"id":1589,"path":"@angular/cli>ini","dev":false,"optional":false,"bundled":false},"advisory":{"findings":[{"version":"1.3.5","paths":["@angular/cli>ini","json-server>update-notifier>is-installed-globally>global-dirs>ini","json-server>update-notifier>latest-version>package-json>registry-auth-token>rc>ini","json-server>update-notifier>latest-version>package-json>registry-url>rc>ini"]}],"id":1589,"created":"2020-12-09T22:25:48.568Z","updated":"2020-12-10T16:49:29.595Z","deleted":null,"title":"Prototype Pollution","found_by":{"link":"","name":"Anonymous","email":""},"reported_by":{"link":"","name":"Gur Shafriri","email":""},"module_name":"ini","cves":[],"vulnerable_versions":"<1.3.6","patched_versions":">1.3.6","overview":"`ini` before version 1.3.6 has a Prototype Pollution vulnerability.\n\n### Impact\n\nIf an attacker submits a malicious INI file to an application that parses it with `ini.parse`, they will pollute the prototype on the application. This can be exploited further depending on the context.\n\n### Patches\n\nThis has been patched in 1.3.6\n\n### Steps to reproduce\n\npayload.ini\n```\n[__proto__]\npolluted = \"polluted\"\n```\n\npoc.js:\n```\nvar fs = require('fs')\nvar ini = require('ini')\n\nvar parsed = ini.parse(fs.readFileSync('./payload.ini', 'utf-8'))\nconsole.log(parsed)\nconsole.log(parsed.__proto__)\nconsole.log(polluted)\n```\n\n```\n> node poc.js\n{}\n{ polluted: 'polluted' }\n{ polluted: 'polluted' }\npolluted\n\n```","recommendation":"Upgrade to version 1.3.6 or later.","references":"- [Fix Commit](https://github.com/npm/ini/commit/56d2805e07ccd94e2ba0984ac9240ff02d44b6f1)\n- [GitHub Advisory](https://github.com/advisories/GHSA-qqgx-2p2h-9c37)","access":"public","severity":"low","cwe":"CWE-471","metadata":{"module_type":"","exploitability":3,"affected_components":""},"url":"https://npmjs.com/advisories/1589"}}}
{"type":"auditAdvisory","data":{"resolution":{"id":565,"path":"@angular/cli>pacote>cacache>ssri","dev":false,"optional":false,"bundled":false},"advisory":{"findings":[{"version":"5.3.0","paths":["@angular/cli>@schematics/update>npm-registry-client>ssri"]},{"version":"6.0.1","paths":["@angular/cli>pacote>cacache>ssri","@angular/cli>pacote>make-fetch-happen>cacache>ssri","@angular/cli>pacote>make-fetch-happen>ssri","@angular/cli>pacote>npm-registry-fetch>make-fetch-happen>cacache>ssri","npm-registry-fetch>make-fetch-happen>cacache>ssri","@angular/cli>pacote>npm-registry-fetch>make-fetch-happen>ssri","npm-registry-fetch>make-fetch-happen>ssri","@angular/cli>pacote>ssri"]}],"id":565,"created":"2018-04-20T21:20:19.406Z","updated":"2021-04-14T15:34:03.470Z","deleted":null,"title":"Regular Expression Denial of Service","found_by":{"link":"","name":"Jamie Davis","email":""},"reported_by":{"link":"","name":"Jamie Davis","email":""},"module_name":"ssri","cves":[],"vulnerable_versions":">=5.2.2 <6.0.2 || >=7.0.0 <8.0.1","patched_versions":">=6.0.2 <7.0.0 || >=8.0.1","overview":"`ssri` 5.2.2-6.0.1 and 7.0.0-8.0.0, processes SRIs using a regular expression which is vulnerable to a denial of service. Malicious SRIs could take an extremely long time to process, leading to denial of service. This issue only affects consumers using the strict option.","recommendation":"Update to version 6.0.2 or 8.0.1 or later","references":"- [GitHub Advisory](https://github.com/advisories/GHSA-vx3p-948g-6vhq)\n- [CVE](https://nvd.nist.gov/vuln/detail/CVE-2021-27290)","access":"public","severity":"moderate","cwe":"CWE-400","metadata":{"module_type":"","exploitability":3,"affected_components":""},"url":"https://npmjs.com/advisories/565"}}}
{"type":"auditAdvisory","data":{"resolution":{"id":565,"path":"@angular/cli>pacote>make-fetch-happen>cacache>ssri","dev":false,"optional":false,"bundled":false},"advisory":{"findings":[{"version":"5.3.0","paths":["@angular/cli>@schematics/update>npm-registry-client>ssri"]},{"version":"6.0.1","paths":["@angular/cli>pacote>cacache>ssri","@angular/cli>pacote>make-fetch-happen>cacache>ssri","@angular/cli>pacote>make-fetch-happen>ssri","@angular/cli>pacote>npm-registry-fetch>make-fetch-happen>cacache>ssri","npm-registry-fetch>make-fetch-happen>cacache>ssri","@angular/cli>pacote>npm-registry-fetch>make-fetch-happen>ssri","npm-registry-fetch>make-fetch-happen>ssri","@angular/cli>pacote>ssri"]}],"id":565,"created":"2018-04-20T21:20:19.406Z","updated":"2021-04-14T15:34:03.470Z","deleted":null,"title":"Regular Expression Denial of Service","found_by":{"link":"","name":"Jamie Davis","email":""},"reported_by":{"link":"","name":"Jamie Davis","email":""},"module_name":"ssri","cves":[],"vulnerable_versions":">=5.2.2 <6.0.2 || >=7.0.0 <8.0.1","patched_versions":">=6.0.2 <7.0.0 || >=8.0.1","overview":"`ssri` 5.2.2-6.0.1 and 7.0.0-8.0.0, processes SRIs using a regular expression which is vulnerable to a denial of service. Malicious SRIs could take an extremely long time to process, leading to denial of service. This issue only affects consumers using the strict option.","recommendation":"Update to version 6.0.2 or 8.0.1 or later","references":"- [GitHub Advisory](https://github.com/advisories/GHSA-vx3p-948g-6vhq)\n- [CVE](https://nvd.nist.gov/vuln/detail/CVE-2021-27290)","access":"public","severity":"moderate","cwe":"CWE-400","metadata":{"module_type":"","exploitability":3,"affected_components":""},"url":"https://npmjs.com/advisories/565"}}}
{"type":"auditAdvisory","data":{"resolution":{"id":565,"path":"@angular/cli>pacote>make-fetch-happen>ssri","dev":false,"optional":false,"bundled":false},"advisory":{"findings":[{"version":"5.3.0","paths":["@angular/cli>@schematics/update>npm-registry-client>ssri"]},{"version":"6.0.1","paths":["@angular/cli>pacote>cacache>ssri","@angular/cli>pacote>make-fetch-happen>cacache>ssri","@angular/cli>pacote>make-fetch-happen>ssri","@angular/cli>pacote>npm-registry-fetch>make-fetch-happen>cacache>ssri","npm-registry-fetch>make-fetch-happen>cacache>ssri","@angular/cli>pacote>npm-registry-fetch>make-fetch-happen>ssri","npm-registry-fetch>make-fetch-happen>ssri","@angular/cli>pacote>ssri"]}],"id":565,"created":"2018-04-20T21:20:19.406Z","updated":"2021-04-14T15:34:03.470Z","deleted":null,"title":"Regular Expression Denial of Service","found_by":{"link":"","name":"Jamie Davis","email":""},"reported_by":{"link":"","name":"Jamie Davis","email":""},"module_name":"ssri","cves":[],"vulnerable_versions":">=5.2.2 <6.0.2 || >=7.0.0 <8.0.1","patched_versions":">=6.0.2 <7.0.0 || >=8.0.1","overview":"`ssri` 5.2.2-6.0.1 and 7.0.0-8.0.0, processes SRIs using a regular expression which is vulnerable to a denial of service. Malicious SRIs could take an extremely long time to process, leading to denial of service. This issue only affects consumers using the strict option.","recommendation":"Update to version 6.0.2 or 8.0.1 or later","references":"- [GitHub Advisory](https://github.com/advisories/GHSA-vx3p-948g-6vhq)\n- [CVE](https://nvd.nist.gov/vuln/detail/CVE-2021-27290)","access":"public","severity":"moderate","cwe":"CWE-400","metadata":{"module_type":"","exploitability":3,"affected_components":""},"url":"https://npmjs.com/advisories/565"}}}
{"type":"auditAdvisory","data":{"resolution":{"id":565,"path":"@angular/cli>pacote>npm-registry-fetch>make-fetch-happen>cacache>ssri","dev":false,"optional":false,"bundled":false},"advisory":{"findings":[{"version":"5.3.0","paths":["@angular/cli>@schematics/update>npm-registry-client>ssri"]},{"version":"6.0.1","paths":["@angular/cli>pacote>cacache>ssri","@angular/cli>pacote>make-fetch-happen>cacache>ssri","@angular/cli>pacote>make-fetch-happen>ssri","@angular/cli>pacote>npm-registry-fetch>make-fetch-happen>cacache>ssri","npm-registry-fetch>make-fetch-happen>cacache>ssri","@angular/cli>pacote>npm-registry-fetch>make-fetch-happen>ssri","npm-registry-fetch>make-fetch-happen>ssri","@angular/cli>pacote>ssri"]}],"id":565,"created":"2018-04-20T21:20:19.406Z","updated":"2021-04-14T15:34:03.470Z","deleted":null,"title":"Regular Expression Denial of Service","found_by":{"link":"","name":"Jamie Davis","email":""},"reported_by":{"link":"","name":"Jamie Davis","email":""},"module_name":"ssri","cves":[],"vulnerable_versions":">=5.2.2 <6.0.2 || >=7.0.0 <8.0.1","patched_versions":">=6.0.2 <7.0.0 || >=8.0.1","overview":"`ssri` 5.2.2-6.0.1 and 7.0.0-8.0.0, processes SRIs using a regular expression which is vulnerable to a denial of service. Malicious SRIs could take an extremely long time to process, leading to denial of service. This issue only affects consumers using the strict option.","recommendation":"Update to version 6.0.2 or 8.0.1 or later","references":"- [GitHub Advisory](https://github.com/advisories/GHSA-vx3p-948g-6vhq)\n- [CVE](https://nvd.nist.gov/vuln/detail/CVE-2021-27290)","access":"public","severity":"moderate","cwe":"CWE-400","metadata":{"module_type":"","exploitability":3,"affected_components":""},"url":"https://npmjs.com/advisories/565"}}}
{"type":"auditAdvisory","data":{"resolution":{"id":565,"path":"npm-registry-fetch>make-fetch-happen>cacache>ssri","dev":false,"optional":false,"bundled":false},"advisory":{"findings":[{"version":"5.3.0","paths":["@angular/cli>@schematics/update>npm-registry-client>ssri"]},{"version":"6.0.1","paths":["@angular/cli>pacote>cacache>ssri","@angular/cli>pacote>make-fetch-happen>cacache>ssri","@angular/cli>pacote>make-fetch-happen>ssri","@angular/cli>pacote>npm-registry-fetch>make-fetch-happen>cacache>ssri","npm-registry-fetch>make-fetch-happen>cacache>ssri","@angular/cli>pacote>npm-registry-fetch>make-fetch-happen>ssri","npm-registry-fetch>make-fetch-happen>ssri","@angular/cli>pacote>ssri"]}],"id":565,"created":"2018-04-20T21:20:19.406Z","updated":"2021-04-14T15:34:03.470Z","deleted":null,"title":"Regular Expression Denial of Service","found_by":{"link":"","name":"Jamie Davis","email":""},"reported_by":{"link":"","name":"Jamie Davis","email":""},"module_name":"ssri","cves":[],"vulnerable_versions":">=5.2.2 <6.0.2 || >=7.0.0 <8.0.1","patched_versions":">=6.0.2 <7.0.0 || >=8.0.1","overview":"`ssri` 5.2.2-6.0.1 and 7.0.0-8.0.0, processes SRIs using a regular expression which is vulnerable to a denial of service. Malicious SRIs could take an extremely long time to process, leading to denial of service. This issue only affects consumers using the strict option.","recommendation":"Update to version 6.0.2 or 8.0.1 or later","references":"- [GitHub Advisory](https://github.com/advisories/GHSA-vx3p-948g-6vhq)\n- [CVE](https://nvd.nist.gov/vuln/detail/CVE-2021-27290)","access":"public","severity":"moderate","cwe":"CWE-400","metadata":{"module_type":"","exploitability":3,"affected_components":""},"url":"https://npmjs.com/advisories/565"}}}
{"type":"auditAdvisory","data":{"resolution":{"id":565,"path":"@angular/cli>pacote>npm-registry-fetch>make-fetch-happen>ssri","dev":false,"optional":false,"bundled":false},"advisory":{"findings":[{"version":"5.3.0","paths":["@angular/cli>@schematics/update>npm-registry-client>ssri"]},{"version":"6.0.1","paths":["@angular/cli>pacote>cacache>ssri","@angular/cli>pacote>make-fetch-happen>cacache>ssri","@angular/cli>pacote>make-fetch-happen>ssri","@angular/cli>pacote>npm-registry-fetch>make-fetch-happen>cacache>ssri","npm-registry-fetch>make-fetch-happen>cacache>ssri","@angular/cli>pacote>npm-registry-fetch>make-fetch-happen>ssri","npm-registry-fetch>make-fetch-happen>ssri","@angular/cli>pacote>ssri"]}],"id":565,"created":"2018-04-20T21:20:19.406Z","updated":"2021-04-14T15:34:03.470Z","deleted":null,"title":"Regular Expression Denial of Service","found_by":{"link":"","name":"Jamie Davis","email":""},"reported_by":{"link":"","name":"Jamie Davis","email":""},"module_name":"ssri","cves":[],"vulnerable_versions":">=5.2.2 <6.0.2 || >=7.0.0 <8.0.1","patched_versions":">=6.0.2 <7.0.0 || >=8.0.1","overview":"`ssri` 5.2.2-6.0.1 and 7.0.0-8.0.0, processes SRIs using a regular expression which is vulnerable to a denial of service. Malicious SRIs could take an extremely long time to process, leading to denial of service. This issue only affects consumers using the strict option.","recommendation":"Update to version 6.0.2 or 8.0.1 or later","references":"- [GitHub Advisory](https://github.com/advisories/GHSA-vx3p-948g-6vhq)\n- [CVE](https://nvd.nist.gov/vuln/detail/CVE-2021-27290)","access":"public","severity":"moderate","cwe":"CWE-400","metadata":{"module_type":"","exploitability":3,"affected_components":""},"url":"https://npmjs.com/advisories/565"}}}
{"type":"auditAdvisory","data":{"resolution":{"id":565,"path":"npm-registry-fetch>make-fetch-happen>ssri","dev":false,"optional":false,"bundled":false},"advisory":{"findings":[{"version":"5.3.0","paths":["@angular/cli>@schematics/update>npm-registry-client>ssri"]},{"version":"6.0.1","paths":["@angular/cli>pacote>cacache>ssri","@angular/cli>pacote>make-fetch-happen>cacache>ssri","@angular/cli>pacote>make-fetch-happen>ssri","@angular/cli>pacote>npm-registry-fetch>make-fetch-happen>cacache>ssri","npm-registry-fetch>make-fetch-happen>cacache>ssri","@angular/cli>pacote>npm-registry-fetch>make-fetch-happen>ssri","npm-registry-fetch>make-fetch-happen>ssri","@angular/cli>pacote>ssri"]}],"id":565,"created":"2018-04-20T21:20:19.406Z","updated":"2021-04-14T15:34:03.470Z","deleted":null,"title":"Regular Expression Denial of Service","found_by":{"link":"","name":"Jamie Davis","email":""},"reported_by":{"link":"","name":"Jamie Davis","email":""},"module_name":"ssri","cves":[],"vulnerable_versions":">=5.2.2 <6.0.2 || >=7.0.0 <8.0.1","patched_versions":">=6.0.2 <7.0.0 || >=8.0.1","overview":"`ssri` 5.2.2-6.0.1 and 7.0.0-8.0.0, processes SRIs using a regular expression which is vulnerable to a denial of service. Malicious SRIs could take an extremely long time to process, leading to denial of service. This issue only affects consumers using the strict option.","recommendation":"Update to version 6.0.2 or 8.0.1 or later","references":"- [GitHub Advisory](https://github.com/advisories/GHSA-vx3p-948g-6vhq)\n- [CVE](https://nvd.nist.gov/vuln/detail/CVE-2021-27290)","access":"public","severity":"moderate","cwe":"CWE-400","metadata":{"module_type":"","exploitability":3,"affected_components":""},"url":"https://npmjs.com/advisories/565"}}}
{"type":"auditAdvisory","data":{"resolution":{"id":565,"path":"@angular/cli>pacote>ssri","dev":false,"optional":false,"bundled":false},"advisory":{"findings":[{"version":"5.3.0","paths":["@angular/cli>@schematics/update>npm-registry-client>ssri"]},{"version":"6.0.1","paths":["@angular/cli>pacote>cacache>ssri","@angular/cli>pacote>make-fetch-happen>cacache>ssri","@angular/cli>pacote>make-fetch-happen>ssri","@angular/cli>pacote>npm-registry-fetch>make-fetch-happen>cacache>ssri","npm-registry-fetch>make-fetch-happen>cacache>ssri","@angular/cli>pacote>npm-registry-fetch>make-fetch-happen>ssri","npm-registry-fetch>make-fetch-happen>ssri","@angular/cli>pacote>ssri"]}],"id":565,"created":"2018-04-20T21:20:19.406Z","updated":"2021-04-14T15:34:03.470Z","deleted":null,"title":"Regular Expression Denial of Service","found_by":{"link":"","name":"Jamie Davis","email":""},"reported_by":{"link":"","name":"Jamie Davis","email":""},"module_name":"ssri","cves":[],"vulnerable_versions":">=5.2.2 <6.0.2 || >=7.0.0 <8.0.1","patched_versions":">=6.0.2 <7.0.0 || >=8.0.1","overview":"`ssri` 5.2.2-6.0.1 and 7.0.0-8.0.0, processes SRIs using a regular expression which is vulnerable to a denial of service. Malicious SRIs could take an extremely long time to process, leading to denial of service. This issue only affects consumers using the strict option.","recommendation":"Update to version 6.0.2 or 8.0.1 or later","references":"- [GitHub Advisory](https://github.com/advisories/GHSA-vx3p-948g-6vhq)\n- [CVE](https://nvd.nist.gov/vuln/detail/CVE-2021-27290)","access":"public","severity":"moderate","cwe":"CWE-400","metadata":{"module_type":"","exploitability":3,"affected_components":""},"url":"https://npmjs.com/advisories/565"}}}
{"type":"auditAdvisory","data":{"resolution":{"id":1589,"path":"json-server>update-notifier>is-installed-globally>global-dirs>ini","dev":false,"optional":false,"bundled":false},"advisory":{"findings":[{"version":"1.3.5","paths":["@angular/cli>ini","json-server>update-notifier>is-installed-globally>global-dirs>ini","json-server>update-notifier>latest-version>package-json>registry-auth-token>rc>ini","json-server>update-notifier>latest-version>package-json>registry-url>rc>ini"]}],"id":1589,"created":"2020-12-09T22:25:48.568Z","updated":"2020-12-10T16:49:29.595Z","deleted":null,"title":"Prototype Pollution","found_by":{"link":"","name":"Anonymous","email":""},"reported_by":{"link":"","name":"Gur Shafriri","email":""},"module_name":"ini","cves":[],"vulnerable_versions":"<1.3.6","patched_versions":">1.3.6","overview":"`ini` before version 1.3.6 has a Prototype Pollution vulnerability.\n\n### Impact\n\nIf an attacker submits a malicious INI file to an application that parses it with `ini.parse`, they will pollute the prototype on the application. This can be exploited further depending on the context.\n\n### Patches\n\nThis has been patched in 1.3.6\n\n### Steps to reproduce\n\npayload.ini\n```\n[__proto__]\npolluted = \"polluted\"\n```\n\npoc.js:\n```\nvar fs = require('fs')\nvar ini = require('ini')\n\nvar parsed = ini.parse(fs.readFileSync('./payload.ini', 'utf-8'))\nconsole.log(parsed)\nconsole.log(parsed.__proto__)\nconsole.log(polluted)\n```\n\n```\n> node poc.js\n{}\n{ polluted: 'polluted' }\n{ polluted: 'polluted' }\npolluted\n\n```","recommendation":"Upgrade to version 1.3.6 or later.","references":"- [Fix Commit](https://github.com/npm/ini/commit/56d2805e07ccd94e2ba0984ac9240ff02d44b6f1)\n- [GitHub Advisory](https://github.com/advisories/GHSA-qqgx-2p2h-9c37)","access":"public","severity":"low","cwe":"CWE-471","metadata":{"module_type":"","exploitability":3,"affected_components":""},"url":"https://npmjs.com/advisories/1589"}}}
{"type":"auditAdvisory","data":{"resolution":{"id":1589,"path":"json-server>update-notifier>latest-version>package-json>registry-auth-token>rc>ini","dev":false,"optional":false,"bundled":false},"advisory":{"findings":[{"version":"1.3.5","paths":["@angular/cli>ini","json-server>update-notifier>is-installed-globally>global-dirs>ini","json-server>update-notifier>latest-version>package-json>registry-auth-token>rc>ini","json-server>update-notifier>latest-version>package-json>registry-url>rc>ini"]}],"id":1589,"created":"2020-12-09T22:25:48.568Z","updated":"2020-12-10T16:49:29.595Z","deleted":null,"title":"Prototype Pollution","found_by":{"link":"","name":"Anonymous","email":""},"reported_by":{"link":"","name":"Gur Shafriri","email":""},"module_name":"ini","cves":[],"vulnerable_versions":"<1.3.6","patched_versions":">1.3.6","overview":"`ini` before version 1.3.6 has a Prototype Pollution vulnerability.\n\n### Impact\n\nIf an attacker submits a malicious INI file to an application that parses it with `ini.parse`, they will pollute the prototype on the application. This can be exploited further depending on the context.\n\n### Patches\n\nThis has been patched in 1.3.6\n\n### Steps to reproduce\n\npayload.ini\n```\n[__proto__]\npolluted = \"polluted\"\n```\n\npoc.js:\n```\nvar fs = require('fs')\nvar ini = require('ini')\n\nvar parsed = ini.parse(fs.readFileSync('./payload.ini', 'utf-8'))\nconsole.log(parsed)\nconsole.log(parsed.__proto__)\nconsole.log(polluted)\n```\n\n```\n> node poc.js\n{}\n{ polluted: 'polluted' }\n{ polluted: 'polluted' }\npolluted\n\n```","recommendation":"Upgrade to version 1.3.6 or later.","references":"- [Fix Commit](https://github.com/npm/ini/commit/56d2805e07ccd94e2ba0984ac9240ff02d44b6f1)\n- [GitHub Advisory](https://github.com/advisories/GHSA-qqgx-2p2h-9c37)","access":"public","severity":"low","cwe":"CWE-471","metadata":{"module_type":"","exploitability":3,"affected_components":""},"url":"https://npmjs.com/advisories/1589"}}}
{"type":"auditAdvisory","data":{"resolution":{"id":1589,"path":"json-server>update-notifier>latest-version>package-json>registry-url>rc>ini","dev":false,"optional":false,"bundled":false},"advisory":{"findings":[{"version":"1.3.5","paths":["@angular/cli>ini","json-server>update-notifier>is-installed-globally>global-dirs>ini","json-server>update-notifier>latest-version>package-json>registry-auth-token>rc>ini","json-server>update-notifier>latest-version>package-json>registry-url>rc>ini"]}],"id":1589,"created":"2020-12-09T22:25:48.568Z","updated":"2020-12-10T16:49:29.595Z","deleted":null,"title":"Prototype Pollution","found_by":{"link":"","name":"Anonymous","email":""},"reported_by":{"link":"","name":"Gur Shafriri","email":""},"module_name":"ini","cves":[],"vulnerable_versions":"<1.3.6","patched_versions":">1.3.6","overview":"`ini` before version 1.3.6 has a Prototype Pollution vulnerability.\n\n### Impact\n\nIf an attacker submits a malicious INI file to an application that parses it with `ini.parse`, they will pollute the prototype on the application. This can be exploited further depending on the context.\n\n### Patches\n\nThis has been patched in 1.3.6\n\n### Steps to reproduce\n\npayload.ini\n```\n[__proto__]\npolluted = \"polluted\"\n```\n\npoc.js:\n```\nvar fs = require('fs')\nvar ini = require('ini')\n\nvar parsed = ini.parse(fs.readFileSync('./payload.ini', 'utf-8'))\nconsole.log(parsed)\nconsole.log(parsed.__proto__)\nconsole.log(polluted)\n```\n\n```\n> node poc.js\n{}\n{ polluted: 'polluted' }\n{ polluted: 'polluted' }\npolluted\n\n```","recommendation":"Upgrade to version 1.3.6 or later.","references":"- [Fix Commit](https://github.com/npm/ini/commit/56d2805e07ccd94e2ba0984ac9240ff02d44b6f1)\n- [GitHub Advisory](https://github.com/advisories/GHSA-qqgx-2p2h-9c37)","access":"public","severity":"low","cwe":"CWE-471","metadata":{"module_type":"","exploitability":3,"affected_components":""},"url":"https://npmjs.com/advisories/1589"}}}
{"type":"auditAdvisory","data":{"resolution":{"id":1654,"path":"@angular/compiler-cli>yargs>y18n","dev":false,"optional":false,"bundled":false},"advisory":{"findings":[{"version":"3.2.1","paths":["@angular/compiler-cli>yargs>y18n"]}],"id":1654,"created":"2021-03-12T23:16:43.813Z","updated":"2021-03-29T16:07:59.314Z","deleted":null,"title":"Prototype Pollution","found_by":{"link":"","name":"Anonymous","email":""},"reported_by":{"link":"","name":"Anonymous","email":""},"module_name":"y18n","cves":["CVE-2020-7774"],"vulnerable_versions":"<3.2.2||=4.0.0||>=5.0.0 <5.0.5","patched_versions":">=5.0.5||>=4.0.1 <5.0.0||>=3.2.2 <4.0.0","overview":"`y18n` before versions 3.2.2, 4.0.1, and 5.0.5 is vulnerable to prototype pollution.\n\n## POC\n\n```\nconst y18n = require('y18n')();\n \ny18n.setLocale('__proto__');\ny18n.updateLocale({polluted: true});\n\nconsole.log(polluted); // true\n```","recommendation":"Upgrade to version 3.2.2, 4.0.1, 5.0.5 or later","references":"- [CVE](https://nvd.nist.gov/vuln/detail/CVE-2020-7774)\n- [Snyk Advisory](https://snyk.io/vuln/SNYK-JS-Y18N-1021887)","access":"public","severity":"high","cwe":"CWE-1321","metadata":{"module_type":"","exploitability":7,"affected_components":""},"url":"https://npmjs.com/advisories/1654"}}}
{"type":"auditAdvisory","data":{"resolution":{"id":1673,"path":"json-server>lodash","dev":false,"optional":false,"bundled":false},"advisory":{"findings":[{"version":"4.17.19","paths":["json-server>lodash","json-server>lowdb>lodash"]}],"id":1673,"created":"2021-05-06T16:14:39.514Z","updated":"2021-05-06T16:24:12.299Z","deleted":null,"title":"Command Injection","found_by":{"link":"","name":"Anonymous","email":""},"reported_by":{"link":"","name":"Anonymous","email":""},"module_name":"lodash","cves":["CVE-2021-23337"],"vulnerable_versions":"<4.17.21","patched_versions":">=4.17.21","overview":"`lodash` versions prior to 4.17.21 are vulnerable to Command Injection via the template function.","recommendation":"Upgrade to version 4.17.21 or later","references":"- [CVE](https://nvd.nist.gov/vuln/detail/CVE-2021-23337)\n- [GitHub Advisory](https://github.com/advisories/GHSA-35jh-r3h4-6jhm)\n- [Snyk Advisory](https://snyk.io/vuln/SNYK-JS-LODASH-1040724)","access":"public","severity":"high","cwe":"CWE-77","metadata":{"module_type":"","exploitability":7,"affected_components":""},"url":"https://npmjs.com/advisories/1673"}}}
{"type":"auditAdvisory","data":{"resolution":{"id":1673,"path":"json-server>lowdb>lodash","dev":false,"optional":false,"bundled":false},"advisory":{"findings":[{"version":"4.17.19","paths":["json-server>lodash","json-server>lowdb>lodash"]}],"id":1673,"created":"2021-05-06T16:14:39.514Z","updated":"2021-05-06T16:24:12.299Z","deleted":null,"title":"Command Injection","found_by":{"link":"","name":"Anonymous","email":""},"reported_by":{"link":"","name":"Anonymous","email":""},"module_name":"lodash","cves":["CVE-2021-23337"],"vulnerable_versions":"<4.17.21","patched_versions":">=4.17.21","overview":"`lodash` versions prior to 4.17.21 are vulnerable to Command Injection via the template function.","recommendation":"Upgrade to version 4.17.21 or later","references":"- [CVE](https://nvd.nist.gov/vuln/detail/CVE-2021-23337)\n- [GitHub Advisory](https://github.com/advisories/GHSA-35jh-r3h4-6jhm)\n- [Snyk Advisory](https://snyk.io/vuln/SNYK-JS-LODASH-1040724)","access":"public","severity":"high","cwe":"CWE-77","metadata":{"module_type":"","exploitability":7,"affected_components":""},"url":"https://npmjs.com/advisories/1673"}}}
{"type":"auditAdvisory","data":{"resolution":{"id":1674,"path":"underscore","dev":false,"optional":false,"bundled":false},"advisory":{"findings":[{"version":"1.9.2","paths":["underscore"]}],"id":1674,"created":"2021-05-06T16:14:45.792Z","updated":"2021-05-06T16:26:42.768Z","deleted":null,"title":"Arbitrary Code Execution","found_by":{"link":"","name":"Anonymous","email":""},"reported_by":{"link":"","name":"Anonymous","email":""},"module_name":"underscore","cves":["CVE-2021-23358"],"vulnerable_versions":">=1.3.2 <1.12.1","patched_versions":">=1.12.1","overview":"The package `underscore` from 1.13.0-0 and before 1.13.0-2, from 1.3.2 and before 1.12.1 are vulnerable to Arbitrary Code Execution via the template function, particularly when a variable property is passed as an argument as it is not sanitized.","recommendation":"Upgrade to versions 1.12.1 or 1.13.0-2 or later","references":"- [CVE](https://nvd.nist.gov/vuln/detail/CVE-2021-23358)\n- [GitHub Advisory](https://github.com/advisories/GHSA-cf4h-3jhx-xvhq)\n","access":"public","severity":"high","cwe":"CWE-94","metadata":{"module_type":"","exploitability":7,"affected_components":""},"url":"https://npmjs.com/advisories/1674"}}}
{"type":"auditAdvisory","data":{"resolution":{"id":1677,"path":"@angular/cli>@schematics/update>npm-registry-client>normalize-package-data>hosted-git-info","dev":false,"optional":false,"bundled":false},"advisory":{"findings":[{"version":"2.8.8","paths":["@angular/cli>@schematics/update>npm-registry-client>normalize-package-data>hosted-git-info","@angular/cli>pacote>normalize-package-data>hosted-git-info","@angular/compiler-cli>yargs>read-pkg-up>read-pkg>normalize-package-data>hosted-git-info","@angular/cli>@schematics/update>npm-registry-client>npm-package-arg>hosted-git-info","@angular/cli>pacote>npm-package-arg>hosted-git-info","@angular/cli>pacote>npm-pick-manifest>npm-package-arg>hosted-git-info","@angular/cli>pacote>npm-registry-fetch>npm-package-arg>hosted-git-info","npm-registry-fetch>npm-package-arg>hosted-git-info","@angular/cli>npm-package-arg>hosted-git-info"]}],"id":1677,"created":"2021-05-06T16:15:08.412Z","updated":"2021-05-07T17:41:14.327Z","deleted":null,"title":"Regular Expression Denial of Service","found_by":{"link":"","name":"Anonymous","email":""},"reported_by":{"link":"","name":"Anonymous","email":""},"module_name":"hosted-git-info","cves":["CVE-2021-23362"],"vulnerable_versions":"<2.8.9 || >=3.0.0 <3.0.8","patched_versions":">=2.8.9 <3.0.0 || >=3.0.8","overview":"`hosted-git-info` before versions 2.8.9 and 3.0.8 are vulnerable to Regular Expression Denial of Service (ReDoS) via regular expression shortcutMatch in the fromUrl function in index.js. The affected regular expression exhibits polynomial worst-case time complexity","recommendation":"Upgrade to version 3.0.8 or later","references":"- [CVE](https://nvd.nist.gov/vuln/detail/CVE-2021-23362)\n- [GitHub Advisory](https://github.com/advisories/GHSA-43f8-2h32-f4cj)\n","access":"public","severity":"moderate","cwe":"CWE-400","metadata":{"module_type":"","exploitability":5,"affected_components":""},"url":"https://npmjs.com/advisories/1677"}}}
{"type":"auditAdvisory","data":{"resolution":{"id":1677,"path":"@angular/cli>pacote>normalize-package-data>hosted-git-info","dev":false,"optional":false,"bundled":false},"advisory":{"findings":[{"version":"2.8.8","paths":["@angular/cli>@schematics/update>npm-registry-client>normalize-package-data>hosted-git-info","@angular/cli>pacote>normalize-package-data>hosted-git-info","@angular/compiler-cli>yargs>read-pkg-up>read-pkg>normalize-package-data>hosted-git-info","@angular/cli>@schematics/update>npm-registry-client>npm-package-arg>hosted-git-info","@angular/cli>pacote>npm-package-arg>hosted-git-info","@angular/cli>pacote>npm-pick-manifest>npm-package-arg>hosted-git-info","@angular/cli>pacote>npm-registry-fetch>npm-package-arg>hosted-git-info","npm-registry-fetch>npm-package-arg>hosted-git-info","@angular/cli>npm-package-arg>hosted-git-info"]}],"id":1677,"created":"2021-05-06T16:15:08.412Z","updated":"2021-05-07T17:41:14.327Z","deleted":null,"title":"Regular Expression Denial of Service","found_by":{"link":"","name":"Anonymous","email":""},"reported_by":{"link":"","name":"Anonymous","email":""},"module_name":"hosted-git-info","cves":["CVE-2021-23362"],"vulnerable_versions":"<2.8.9 || >=3.0.0 <3.0.8","patched_versions":">=2.8.9 <3.0.0 || >=3.0.8","overview":"`hosted-git-info` before versions 2.8.9 and 3.0.8 are vulnerable to Regular Expression Denial of Service (ReDoS) via regular expression shortcutMatch in the fromUrl function in index.js. The affected regular expression exhibits polynomial worst-case time complexity","recommendation":"Upgrade to version 3.0.8 or later","references":"- [CVE](https://nvd.nist.gov/vuln/detail/CVE-2021-23362)\n- [GitHub Advisory](https://github.com/advisories/GHSA-43f8-2h32-f4cj)\n","access":"public","severity":"moderate","cwe":"CWE-400","metadata":{"module_type":"","exploitability":5,"affected_components":""},"url":"https://npmjs.com/advisories/1677"}}}
{"type":"auditAdvisory","data":{"resolution":{"id":1677,"path":"@angular/compiler-cli>yargs>read-pkg-up>read-pkg>normalize-package-data>hosted-git-info","dev":false,"optional":false,"bundled":false},"advisory":{"findings":[{"version":"2.8.8","paths":["@angular/cli>@schematics/update>npm-registry-client>normalize-package-data>hosted-git-info","@angular/cli>pacote>normalize-package-data>hosted-git-info","@angular/compiler-cli>yargs>read-pkg-up>read-pkg>normalize-package-data>hosted-git-info","@angular/cli>@schematics/update>npm-registry-client>npm-package-arg>hosted-git-info","@angular/cli>pacote>npm-package-arg>hosted-git-info","@angular/cli>pacote>npm-pick-manifest>npm-package-arg>hosted-git-info","@angular/cli>pacote>npm-registry-fetch>npm-package-arg>hosted-git-info","npm-registry-fetch>npm-package-arg>hosted-git-info","@angular/cli>npm-package-arg>hosted-git-info"]}],"id":1677,"created":"2021-05-06T16:15:08.412Z","updated":"2021-05-07T17:41:14.327Z","deleted":null,"title":"Regular Expression Denial of Service","found_by":{"link":"","name":"Anonymous","email":""},"reported_by":{"link":"","name":"Anonymous","email":""},"module_name":"hosted-git-info","cves":["CVE-2021-23362"],"vulnerable_versions":"<2.8.9 || >=3.0.0 <3.0.8","patched_versions":">=2.8.9 <3.0.0 || >=3.0.8","overview":"`hosted-git-info` before versions 2.8.9 and 3.0.8 are vulnerable to Regular Expression Denial of Service (ReDoS) via regular expression shortcutMatch in the fromUrl function in index.js. The affected regular expression exhibits polynomial worst-case time complexity","recommendation":"Upgrade to version 3.0.8 or later","references":"- [CVE](https://nvd.nist.gov/vuln/detail/CVE-2021-23362)\n- [GitHub Advisory](https://github.com/advisories/GHSA-43f8-2h32-f4cj)\n","access":"public","severity":"moderate","cwe":"CWE-400","metadata":{"module_type":"","exploitability":5,"affected_components":""},"url":"https://npmjs.com/advisories/1677"}}}
{"type":"auditAdvisory","data":{"resolution":{"id":1677,"path":"@angular/cli>@schematics/update>npm-registry-client>npm-package-arg>hosted-git-info","dev":false,"optional":false,"bundled":false},"advisory":{"findings":[{"version":"2.8.8","paths":["@angular/cli>@schematics/update>npm-registry-client>normalize-package-data>hosted-git-info","@angular/cli>pacote>normalize-package-data>hosted-git-info","@angular/compiler-cli>yargs>read-pkg-up>read-pkg>normalize-package-data>hosted-git-info","@angular/cli>@schematics/update>npm-registry-client>npm-package-arg>hosted-git-info","@angular/cli>pacote>npm-package-arg>hosted-git-info","@angular/cli>pacote>npm-pick-manifest>npm-package-arg>hosted-git-info","@angular/cli>pacote>npm-registry-fetch>npm-package-arg>hosted-git-info","npm-registry-fetch>npm-package-arg>hosted-git-info","@angular/cli>npm-package-arg>hosted-git-info"]}],"id":1677,"created":"2021-05-06T16:15:08.412Z","updated":"2021-05-07T17:41:14.327Z","deleted":null,"title":"Regular Expression Denial of Service","found_by":{"link":"","name":"Anonymous","email":""},"reported_by":{"link":"","name":"Anonymous","email":""},"module_name":"hosted-git-info","cves":["CVE-2021-23362"],"vulnerable_versions":"<2.8.9 || >=3.0.0 <3.0.8","patched_versions":">=2.8.9 <3.0.0 || >=3.0.8","overview":"`hosted-git-info` before versions 2.8.9 and 3.0.8 are vulnerable to Regular Expression Denial of Service (ReDoS) via regular expression shortcutMatch in the fromUrl function in index.js. The affected regular expression exhibits polynomial worst-case time complexity","recommendation":"Upgrade to version 3.0.8 or later","references":"- [CVE](https://nvd.nist.gov/vuln/detail/CVE-2021-23362)\n- [GitHub Advisory](https://github.com/advisories/GHSA-43f8-2h32-f4cj)\n","access":"public","severity":"moderate","cwe":"CWE-400","metadata":{"module_type":"","exploitability":5,"affected_components":""},"url":"https://npmjs.com/advisories/1677"}}}
{"type":"auditAdvisory","data":{"resolution":{"id":1677,"path":"@angular/cli>pacote>npm-package-arg>hosted-git-info","dev":false,"optional":false,"bundled":false},"advisory":{"findings":[{"version":"2.8.8","paths":["@angular/cli>@schematics/update>npm-registry-client>normalize-package-data>hosted-git-info","@angular/cli>pacote>normalize-package-data>hosted-git-info","@angular/compiler-cli>yargs>read-pkg-up>read-pkg>normalize-package-data>hosted-git-info","@angular/cli>@schematics/update>npm-registry-client>npm-package-arg>hosted-git-info","@angular/cli>pacote>npm-package-arg>hosted-git-info","@angular/cli>pacote>npm-pick-manifest>npm-package-arg>hosted-git-info","@angular/cli>pacote>npm-registry-fetch>npm-package-arg>hosted-git-info","npm-registry-fetch>npm-package-arg>hosted-git-info","@angular/cli>npm-package-arg>hosted-git-info"]}],"id":1677,"created":"2021-05-06T16:15:08.412Z","updated":"2021-05-07T17:41:14.327Z","deleted":null,"title":"Regular Expression Denial of Service","found_by":{"link":"","name":"Anonymous","email":""},"reported_by":{"link":"","name":"Anonymous","email":""},"module_name":"hosted-git-info","cves":["CVE-2021-23362"],"vulnerable_versions":"<2.8.9 || >=3.0.0 <3.0.8","patched_versions":">=2.8.9 <3.0.0 || >=3.0.8","overview":"`hosted-git-info` before versions 2.8.9 and 3.0.8 are vulnerable to Regular Expression Denial of Service (ReDoS) via regular expression shortcutMatch in the fromUrl function in index.js. The affected regular expression exhibits polynomial worst-case time complexity","recommendation":"Upgrade to version 3.0.8 or later","references":"- [CVE](https://nvd.nist.gov/vuln/detail/CVE-2021-23362)\n- [GitHub Advisory](https://github.com/advisories/GHSA-43f8-2h32-f4cj)\n","access":"public","severity":"moderate","cwe":"CWE-400","metadata":{"module_type":"","exploitability":5,"affected_components":""},"url":"https://npmjs.com/advisories/1677"}}}
{"type":"auditAdvisory","data":{"resolution":{"id":1677,"path":"@angular/cli>pacote>npm-pick-manifest>npm-package-arg>hosted-git-info","dev":false,"optional":false,"bundled":false},"advisory":{"findings":[{"version":"2.8.8","paths":["@angular/cli>@schematics/update>npm-registry-client>normalize-package-data>hosted-git-info","@angular/cli>pacote>normalize-package-data>hosted-git-info","@angular/compiler-cli>yargs>read-pkg-up>read-pkg>normalize-package-data>hosted-git-info","@angular/cli>@schematics/update>npm-registry-client>npm-package-arg>hosted-git-info","@angular/cli>pacote>npm-package-arg>hosted-git-info","@angular/cli>pacote>npm-pick-manifest>npm-package-arg>hosted-git-info","@angular/cli>pacote>npm-registry-fetch>npm-package-arg>hosted-git-info","npm-registry-fetch>npm-package-arg>hosted-git-info","@angular/cli>npm-package-arg>hosted-git-info"]}],"id":1677,"created":"2021-05-06T16:15:08.412Z","updated":"2021-05-07T17:41:14.327Z","deleted":null,"title":"Regular Expression Denial of Service","found_by":{"link":"","name":"Anonymous","email":""},"reported_by":{"link":"","name":"Anonymous","email":""},"module_name":"hosted-git-info","cves":["CVE-2021-23362"],"vulnerable_versions":"<2.8.9 || >=3.0.0 <3.0.8","patched_versions":">=2.8.9 <3.0.0 || >=3.0.8","overview":"`hosted-git-info` before versions 2.8.9 and 3.0.8 are vulnerable to Regular Expression Denial of Service (ReDoS) via regular expression shortcutMatch in the fromUrl function in index.js. The affected regular expression exhibits polynomial worst-case time complexity","recommendation":"Upgrade to version 3.0.8 or later","references":"- [CVE](https://nvd.nist.gov/vuln/detail/CVE-2021-23362)\n- [GitHub Advisory](https://github.com/advisories/GHSA-43f8-2h32-f4cj)\n","access":"public","severity":"moderate","cwe":"CWE-400","metadata":{"module_type":"","exploitability":5,"affected_components":""},"url":"https://npmjs.com/advisories/1677"}}}
{"type":"auditAdvisory","data":{"resolution":{"id":1677,"path":"@angular/cli>pacote>npm-registry-fetch>npm-package-arg>hosted-git-info","dev":false,"optional":false,"bundled":false},"advisory":{"findings":[{"version":"2.8.8","paths":["@angular/cli>@schematics/update>npm-registry-client>normalize-package-data>hosted-git-info","@angular/cli>pacote>normalize-package-data>hosted-git-info","@angular/compiler-cli>yargs>read-pkg-up>read-pkg>normalize-package-data>hosted-git-info","@angular/cli>@schematics/update>npm-registry-client>npm-package-arg>hosted-git-info","@angular/cli>pacote>npm-package-arg>hosted-git-info","@angular/cli>pacote>npm-pick-manifest>npm-package-arg>hosted-git-info","@angular/cli>pacote>npm-registry-fetch>npm-package-arg>hosted-git-info","npm-registry-fetch>npm-package-arg>hosted-git-info","@angular/cli>npm-package-arg>hosted-git-info"]}],"id":1677,"created":"2021-05-06T16:15:08.412Z","updated":"2021-05-07T17:41:14.327Z","deleted":null,"title":"Regular Expression Denial of Service","found_by":{"link":"","name":"Anonymous","email":""},"reported_by":{"link":"","name":"Anonymous","email":""},"module_name":"hosted-git-info","cves":["CVE-2021-23362"],"vulnerable_versions":"<2.8.9 || >=3.0.0 <3.0.8","patched_versions":">=2.8.9 <3.0.0 || >=3.0.8","overview":"`hosted-git-info` before versions 2.8.9 and 3.0.8 are vulnerable to Regular Expression Denial of Service (ReDoS) via regular expression shortcutMatch in the fromUrl function in index.js. The affected regular expression exhibits polynomial worst-case time complexity","recommendation":"Upgrade to version 3.0.8 or later","references":"- [CVE](https://nvd.nist.gov/vuln/detail/CVE-2021-23362)\n- [GitHub Advisory](https://github.com/advisories/GHSA-43f8-2h32-f4cj)\n","access":"public","severity":"moderate","cwe":"CWE-400","metadata":{"module_type":"","exploitability":5,"affected_components":""},"url":"https://npmjs.com/advisories/1677"}}}
{"type":"auditAdvisory","data":{"resolution":{"id":1677,"path":"npm-registry-fetch>npm-package-arg>hosted-git-info","dev":false,"optional":false,"bundled":false},"advisory":{"findings":[{"version":"2.8.8","paths":["@angular/cli>@schematics/update>npm-registry-client>normalize-package-data>hosted-git-info","@angular/cli>pacote>normalize-package-data>hosted-git-info","@angular/compiler-cli>yargs>read-pkg-up>read-pkg>normalize-package-data>hosted-git-info","@angular/cli>@schematics/update>npm-registry-client>npm-package-arg>hosted-git-info","@angular/cli>pacote>npm-package-arg>hosted-git-info","@angular/cli>pacote>npm-pick-manifest>npm-package-arg>hosted-git-info","@angular/cli>pacote>npm-registry-fetch>npm-package-arg>hosted-git-info","npm-registry-fetch>npm-package-arg>hosted-git-info","@angular/cli>npm-package-arg>hosted-git-info"]}],"id":1677,"created":"2021-05-06T16:15:08.412Z","updated":"2021-05-07T17:41:14.327Z","deleted":null,"title":"Regular Expression Denial of Service","found_by":{"link":"","name":"Anonymous","email":""},"reported_by":{"link":"","name":"Anonymous","email":""},"module_name":"hosted-git-info","cves":["CVE-2021-23362"],"vulnerable_versions":"<2.8.9 || >=3.0.0 <3.0.8","patched_versions":">=2.8.9 <3.0.0 || >=3.0.8","overview":"`hosted-git-info` before versions 2.8.9 and 3.0.8 are vulnerable to Regular Expression Denial of Service (ReDoS) via regular expression shortcutMatch in the fromUrl function in index.js. The affected regular expression exhibits polynomial worst-case time complexity","recommendation":"Upgrade to version 3.0.8 or later","references":"- [CVE](https://nvd.nist.gov/vuln/detail/CVE-2021-23362)\n- [GitHub Advisory](https://github.com/advisories/GHSA-43f8-2h32-f4cj)\n","access":"public","severity":"moderate","cwe":"CWE-400","metadata":{"module_type":"","exploitability":5,"affected_components":""},"url":"https://npmjs.com/advisories/1677"}}}
{"type":"auditAdvisory","data":{"resolution":{"id":1677,"path":"@angular/cli>npm-package-arg>hosted-git-info","dev":false,"optional":false,"bundled":false},"advisory":{"findings":[{"version":"2.8.8","paths":["@angular/cli>@schematics/update>npm-registry-client>normalize-package-data>hosted-git-info","@angular/cli>pacote>normalize-package-data>hosted-git-info","@angular/compiler-cli>yargs>read-pkg-up>read-pkg>normalize-package-data>hosted-git-info","@angular/cli>@schematics/update>npm-registry-client>npm-package-arg>hosted-git-info","@angular/cli>pacote>npm-package-arg>hosted-git-info","@angular/cli>pacote>npm-pick-manifest>npm-package-arg>hosted-git-info","@angular/cli>pacote>npm-registry-fetch>npm-package-arg>hosted-git-info","npm-registry-fetch>npm-package-arg>hosted-git-info","@angular/cli>npm-package-arg>hosted-git-info"]}],"id":1677,"created":"2021-05-06T16:15:08.412Z","updated":"2021-05-07T17:41:14.327Z","deleted":null,"title":"Regular Expression Denial of Service","found_by":{"link":"","name":"Anonymous","email":""},"reported_by":{"link":"","name":"Anonymous","email":""},"module_name":"hosted-git-info","cves":["CVE-2021-23362"],"vulnerable_versions":"<2.8.9 || >=3.0.0 <3.0.8","patched_versions":">=2.8.9 <3.0.0 || >=3.0.8","overview":"`hosted-git-info` before versions 2.8.9 and 3.0.8 are vulnerable to Regular Expression Denial of Service (ReDoS) via regular expression shortcutMatch in the fromUrl function in index.js. The affected regular expression exhibits polynomial worst-case time complexity","recommendation":"Upgrade to version 3.0.8 or later","references":"- [CVE](https://nvd.nist.gov/vuln/detail/CVE-2021-23362)\n- [GitHub Advisory](https://github.com/advisories/GHSA-43f8-2h32-f4cj)\n","access":"public","severity":"moderate","cwe":"CWE-400","metadata":{"module_type":"","exploitability":5,"affected_components":""},"url":"https://npmjs.com/advisories/1677"}}}