yarn-audit-known-issues
{"type":"auditAdvisory","data":{"resolution":{"id":1080920,"path":"webdriverio>@wdio/types>got","dev":false,"optional":false,"bundled":false},"advisory":{"findings":[{"version":"11.8.3","paths":["webdriverio>@wdio/types>got","webdriverio>@wdio/config>@wdio/types>got","webdriverio>devtools>@wdio/config>@wdio/types>got"]}],"metadata":null,"vulnerable_versions":"<11.8.5","module_name":"got","severity":"moderate","github_advisory_id":"GHSA-pfrx-2q88-qq97","cves":["CVE-2022-33987"],"access":"public","patched_versions":">=11.8.5","cvss":{"score":5.3,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},"updated":"2022-07-05T21:24:52.000Z","recommendation":"Upgrade to version 11.8.5 or later","cwe":[],"found_by":null,"deleted":null,"id":1080920,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2022-33987\n- https://github.com/sindresorhus/got/pull/2047\n- https://github.com/sindresorhus/got/compare/v12.0.3...v12.1.0\n- https://github.com/sindresorhus/got/commit/861ccd9ac2237df762a9e2beed7edd88c60782dc\n- https://github.com/sindresorhus/got/releases/tag/v11.8.5\n- https://github.com/sindresorhus/got/releases/tag/v12.1.0\n- https://github.com/advisories/GHSA-pfrx-2q88-qq97","created":"2022-06-19T00:00:21.000Z","reported_by":null,"title":"Got allows a redirect to a UNIX socket","npm_advisory_id":null,"overview":"The got package before 11.8.5 and 12.1.0 for Node.js allows a redirect to a UNIX socket.","url":"https://github.com/advisories/GHSA-pfrx-2q88-qq97"}}}
{"type":"auditAdvisory","data":{"resolution":{"id":1080920,"path":"webdriverio>@wdio/config>@wdio/types>got","dev":false,"optional":false,"bundled":false},"advisory":{"findings":[{"version":"11.8.3","paths":["webdriverio>@wdio/types>got","webdriverio>@wdio/config>@wdio/types>got","webdriverio>devtools>@wdio/config>@wdio/types>got"]}],"metadata":null,"vulnerable_versions":"<11.8.5","module_name":"got","severity":"moderate","github_advisory_id":"GHSA-pfrx-2q88-qq97","cves":["CVE-2022-33987"],"access":"public","patched_versions":">=11.8.5","cvss":{"score":5.3,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},"updated":"2022-07-05T21:24:52.000Z","recommendation":"Upgrade to version 11.8.5 or later","cwe":[],"found_by":null,"deleted":null,"id":1080920,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2022-33987\n- https://github.com/sindresorhus/got/pull/2047\n- https://github.com/sindresorhus/got/compare/v12.0.3...v12.1.0\n- https://github.com/sindresorhus/got/commit/861ccd9ac2237df762a9e2beed7edd88c60782dc\n- https://github.com/sindresorhus/got/releases/tag/v11.8.5\n- https://github.com/sindresorhus/got/releases/tag/v12.1.0\n- https://github.com/advisories/GHSA-pfrx-2q88-qq97","created":"2022-06-19T00:00:21.000Z","reported_by":null,"title":"Got allows a redirect to a UNIX socket","npm_advisory_id":null,"overview":"The got package before 11.8.5 and 12.1.0 for Node.js allows a redirect to a UNIX socket.","url":"https://github.com/advisories/GHSA-pfrx-2q88-qq97"}}}
{"type":"auditAdvisory","data":{"resolution":{"id":1080920,"path":"webdriverio>devtools>@wdio/config>@wdio/types>got","dev":false,"optional":false,"bundled":false},"advisory":{"findings":[{"version":"11.8.3","paths":["webdriverio>@wdio/types>got","webdriverio>@wdio/config>@wdio/types>got","webdriverio>devtools>@wdio/config>@wdio/types>got"]}],"metadata":null,"vulnerable_versions":"<11.8.5","module_name":"got","severity":"moderate","github_advisory_id":"GHSA-pfrx-2q88-qq97","cves":["CVE-2022-33987"],"access":"public","patched_versions":">=11.8.5","cvss":{"score":5.3,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},"updated":"2022-07-05T21:24:52.000Z","recommendation":"Upgrade to version 11.8.5 or later","cwe":[],"found_by":null,"deleted":null,"id":1080920,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2022-33987\n- https://github.com/sindresorhus/got/pull/2047\n- https://github.com/sindresorhus/got/compare/v12.0.3...v12.1.0\n- https://github.com/sindresorhus/got/commit/861ccd9ac2237df762a9e2beed7edd88c60782dc\n- https://github.com/sindresorhus/got/releases/tag/v11.8.5\n- https://github.com/sindresorhus/got/releases/tag/v12.1.0\n- https://github.com/advisories/GHSA-pfrx-2q88-qq97","created":"2022-06-19T00:00:21.000Z","reported_by":null,"title":"Got allows a redirect to a UNIX socket","npm_advisory_id":null,"overview":"The got package before 11.8.5 and 12.1.0 for Node.js allows a redirect to a UNIX socket.","url":"https://github.com/advisories/GHSA-pfrx-2q88-qq97"}}}
{"type":"auditAdvisory","data":{"resolution":{"id":1081761,"path":"moment","dev":false,"optional":false,"bundled":false},"advisory":{"findings":[{"version":"2.29.2","paths":["moment","@hmcts/draft-store-client>moment","@hmcts/cmc-draft-store-middleware>@hmcts/draft-store-client>moment"]}],"metadata":null,"vulnerable_versions":">=2.18.0 <2.29.4","module_name":"moment","severity":"high","github_advisory_id":"GHSA-wc69-rhjr-hc9g","cves":["CVE-2022-31129"],"access":"public","patched_versions":">=2.29.4","cvss":{"score":7.5,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},"updated":"2022-07-25T19:17:39.000Z","recommendation":"Upgrade to version 2.29.4 or later","cwe":["CWE-400","CWE-1333"],"found_by":null,"deleted":null,"id":1081761,"references":"- https://github.com/moment/moment/security/advisories/GHSA-wc69-rhjr-hc9g\n- https://github.com/moment/moment/pull/6015#issuecomment-1152961973\n- https://github.com/moment/moment/commit/9a3b5894f3d5d602948ac8a02e4ee528a49ca3a3\n- https://nvd.nist.gov/vuln/detail/CVE-2022-31129\n- https://huntr.dev/bounties/f0952b67-f2ff-44a9-a9cd-99e0a87cb633/\n- https://lists.fedoraproject.org/archives/list/[email protected]/message/6QIO6YNLTK2T7SPKDS4JEL45FANLNC2Q/\n- https://lists.fedoraproject.org/archives/list/[email protected]/message/ORJX2LF6KMPIHP6B2P6KZIVKMLE3LVJ5/\n- https://github.com/advisories/GHSA-wc69-rhjr-hc9g","created":"2022-07-06T18:38:49.000Z","reported_by":null,"title":"Inefficient Regular Expression Complexity in moment","npm_advisory_id":null,"overview":"### Impact\n\n* using string-to-date parsing in moment (more specifically rfc2822 parsing, which is tried by default) has quadratic (N^2) complexity on specific inputs\n* noticeable slowdown is observed with inputs above 10k characters\n* users who pass user-provided strings without sanity length checks to moment constructor are vulnerable to (Re)DoS attacks\n\n### Patches\nThe problem is patched in 2.29.4, the patch can be applied to all affected versions 
with minimal tweaking.\n\n### Workarounds\nIn general, given the proliferation of ReDoS attacks, it makes sense to limit the length of the user input to something sane, like 200 characters or less. I haven't seen legitimate cases of date-time strings longer than that, so all moment users who do pass a user-originating string to constructor are encouraged to apply such a rudimentary filter, that would help with this but also most future ReDoS vulnerabilities.\n\n### References\nThere is an excellent writeup of the issue here: https://github.com/moment/moment/pull/6015#issuecomment-1152961973=\n\n### Details\nThe issue is rooted in the code that removes legacy comments (stuff inside parenthesis) from strings during rfc2822 parsing. `moment(\"(\".repeat(500000))` will take a few minutes to process, which is unacceptable.","url":"https://github.com/advisories/GHSA-wc69-rhjr-hc9g"}}}
{"type":"auditAdvisory","data":{"resolution":{"id":1081761,"path":"@hmcts/draft-store-client>moment","dev":false,"optional":false,"bundled":false},"advisory":{"findings":[{"version":"2.29.2","paths":["moment","@hmcts/draft-store-client>moment","@hmcts/cmc-draft-store-middleware>@hmcts/draft-store-client>moment"]}],"metadata":null,"vulnerable_versions":">=2.18.0 <2.29.4","module_name":"moment","severity":"high","github_advisory_id":"GHSA-wc69-rhjr-hc9g","cves":["CVE-2022-31129"],"access":"public","patched_versions":">=2.29.4","cvss":{"score":7.5,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},"updated":"2022-07-25T19:17:39.000Z","recommendation":"Upgrade to version 2.29.4 or later","cwe":["CWE-400","CWE-1333"],"found_by":null,"deleted":null,"id":1081761,"references":"- https://github.com/moment/moment/security/advisories/GHSA-wc69-rhjr-hc9g\n- https://github.com/moment/moment/pull/6015#issuecomment-1152961973\n- https://github.com/moment/moment/commit/9a3b5894f3d5d602948ac8a02e4ee528a49ca3a3\n- https://nvd.nist.gov/vuln/detail/CVE-2022-31129\n- https://huntr.dev/bounties/f0952b67-f2ff-44a9-a9cd-99e0a87cb633/\n- https://lists.fedoraproject.org/archives/list/[email protected]/message/6QIO6YNLTK2T7SPKDS4JEL45FANLNC2Q/\n- https://lists.fedoraproject.org/archives/list/[email protected]/message/ORJX2LF6KMPIHP6B2P6KZIVKMLE3LVJ5/\n- https://github.com/advisories/GHSA-wc69-rhjr-hc9g","created":"2022-07-06T18:38:49.000Z","reported_by":null,"title":"Inefficient Regular Expression Complexity in moment","npm_advisory_id":null,"overview":"### Impact\n\n* using string-to-date parsing in moment (more specifically rfc2822 parsing, which is tried by default) has quadratic (N^2) complexity on specific inputs\n* noticeable slowdown is observed with inputs above 10k characters\n* users who pass user-provided strings without sanity length checks to moment constructor are vulnerable to (Re)DoS attacks\n\n### Patches\nThe problem is patched in 2.29.4, the patch can be 
applied to all affected versions with minimal tweaking.\n\n### Workarounds\nIn general, given the proliferation of ReDoS attacks, it makes sense to limit the length of the user input to something sane, like 200 characters or less. I haven't seen legitimate cases of date-time strings longer than that, so all moment users who do pass a user-originating string to constructor are encouraged to apply such a rudimentary filter, that would help with this but also most future ReDoS vulnerabilities.\n\n### References\nThere is an excellent writeup of the issue here: https://github.com/moment/moment/pull/6015#issuecomment-1152961973=\n\n### Details\nThe issue is rooted in the code that removes legacy comments (stuff inside parenthesis) from strings during rfc2822 parsing. `moment(\"(\".repeat(500000))` will take a few minutes to process, which is unacceptable.","url":"https://github.com/advisories/GHSA-wc69-rhjr-hc9g"}}}
{"type":"auditAdvisory","data":{"resolution":{"id":1081761,"path":"@hmcts/cmc-draft-store-middleware>@hmcts/draft-store-client>moment","dev":false,"optional":false,"bundled":false},"advisory":{"findings":[{"version":"2.29.2","paths":["moment","@hmcts/draft-store-client>moment","@hmcts/cmc-draft-store-middleware>@hmcts/draft-store-client>moment"]}],"metadata":null,"vulnerable_versions":">=2.18.0 <2.29.4","module_name":"moment","severity":"high","github_advisory_id":"GHSA-wc69-rhjr-hc9g","cves":["CVE-2022-31129"],"access":"public","patched_versions":">=2.29.4","cvss":{"score":7.5,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},"updated":"2022-07-25T19:17:39.000Z","recommendation":"Upgrade to version 2.29.4 or later","cwe":["CWE-400","CWE-1333"],"found_by":null,"deleted":null,"id":1081761,"references":"- https://github.com/moment/moment/security/advisories/GHSA-wc69-rhjr-hc9g\n- https://github.com/moment/moment/pull/6015#issuecomment-1152961973\n- https://github.com/moment/moment/commit/9a3b5894f3d5d602948ac8a02e4ee528a49ca3a3\n- https://nvd.nist.gov/vuln/detail/CVE-2022-31129\n- https://huntr.dev/bounties/f0952b67-f2ff-44a9-a9cd-99e0a87cb633/\n- https://lists.fedoraproject.org/archives/list/[email protected]/message/6QIO6YNLTK2T7SPKDS4JEL45FANLNC2Q/\n- https://lists.fedoraproject.org/archives/list/[email protected]/message/ORJX2LF6KMPIHP6B2P6KZIVKMLE3LVJ5/\n- https://github.com/advisories/GHSA-wc69-rhjr-hc9g","created":"2022-07-06T18:38:49.000Z","reported_by":null,"title":"Inefficient Regular Expression Complexity in moment","npm_advisory_id":null,"overview":"### Impact\n\n* using string-to-date parsing in moment (more specifically rfc2822 parsing, which is tried by default) has quadratic (N^2) complexity on specific inputs\n* noticeable slowdown is observed with inputs above 10k characters\n* users who pass user-provided strings without sanity length checks to moment constructor are vulnerable to (Re)DoS attacks\n\n### Patches\nThe problem is patched 
in 2.29.4, the patch can be applied to all affected versions with minimal tweaking.\n\n### Workarounds\nIn general, given the proliferation of ReDoS attacks, it makes sense to limit the length of the user input to something sane, like 200 characters or less. I haven't seen legitimate cases of date-time strings longer than that, so all moment users who do pass a user-originating string to constructor are encouraged to apply such a rudimentary filter, that would help with this but also most future ReDoS vulnerabilities.\n\n### References\nThere is an excellent writeup of the issue here: https://github.com/moment/moment/pull/6015#issuecomment-1152961973=\n\n### Details\nThe issue is rooted in the code that removes legacy comments (stuff inside parenthesis) from strings during rfc2822 parsing. `moment(\"(\".repeat(500000))` will take a few minutes to process, which is unacceptable.","url":"https://github.com/advisories/GHSA-wc69-rhjr-hc9g"}}}