Skip to content

Bulk vulnerability fix - Lockfile fix#6

Closed
debricked[bot] wants to merge 1 commit intomainfrom
debricked-fix-bulk_fix-df239345f50e73ac
Closed

Bulk vulnerability fix - Lockfile fix#6
debricked[bot] wants to merge 1 commit intomainfrom
debricked-fix-bulk_fix-df239345f50e73ac

Conversation

@debricked
Copy link
Copy Markdown

@debricked debricked bot commented Sep 7, 2021

Bulk vulnerability fix - Lockfile fix

This pull request will update your transitive dependencies within the allowed version intervals provided by your direct dependencies.

Fixed vulnerabilities:

CVE–2021–23343
CVE–2021–23364
CVE–2021–23362
CVE–2020–7597
  • Description

    Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

    The software constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

    GitHub

    codecov NPM module allows remote attackers to execute arbitrary commands

    codecov-node npm module before 3.6.5 allows remote attackers to execute arbitrary commands.The value provided as part of the gcov-root argument is executed by the exec function within lib/codecov.js. This vulnerability exists due to an incomplete fix of CVE-2020-7596.

    NVD

    codecov-node npm module before 3.6.5 allows remote attackers to execute arbitrary commands.The value provided as part of the gcov-root argument is executed by the exec function within lib/codecov.js. This vulnerability exists due to an incomplete fix of CVE-2020-7596.

  • CVSS details - 8.8

     

    CVSS3 metrics
    Attack Vector Network
    Attack Complexity Low
    Privileges Required Low
    User interaction None
    Scope Unchanged
    Confidentiality High
    Integrity High
    Availability High
  • References

        NVD - CVE-2020-7597
        [CE-1330] Escaping args (#167) · codecov/codecov-node@02cf13d · GitHub
        codecov NPM module allows remote attackers to execute arbitrary commands · CVE-2020-7597 · GitHub Advisory Database · GitHub

CVE–2020–15123
CVE–2019–20149
CVE–2019–10747
CVE–2021–32640
  • Description

    Uncontrolled Resource Consumption

    The software does not properly control the allocation and maintenance of a limited resource thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources.

    GitHub

    ReDoS in Sec-Websocket-Protocol header

    Impact

    A specially crafted value of the Sec-Websocket-Protocol header can be used to significantly slow down a ws server.

    Proof of concept

    for (const length of [1000, 2000, 4000, 8000, 16000, 32000]) {
  const value = 'b' + ' '.repeat(length) + 'x';
  const start = process.hrtime.bigint();

  value.trim().split(/ *, */);

  const end = process.hrtime.bigint();

  console.log('length = %d, time = %f ns', length, end - start);
}

    Patches

    The vulnerability was fixed in ws@7.4.6 (websockets/ws@00c425e) and backported to ws@6.2.2 (websockets/ws@78c676d) and ws@5.2.3 (websockets/ws@76d47c1).

    Workarounds

    In vulnerable versions of ws, the issue can be mitigated by reducing the maximum allowed length of the request headers using the --max-http-header-size=size and/or the maxHeaderSize options.

    Credits

    The vulnerability was responsibly disclosed along with a fix in private by Robert McLaughlin from University of California, Santa Barbara.

    NVD

    ws is an open source WebSocket client and server library for Node.js. A specially crafted value of the Sec-Websocket-Protocol header can be used to significantly slow down a ws server. The vulnerability has been fixed in ws@7.4.6 (websockets/ws@00c425e). In vulnerable versions of ws, the issue can be mitigated by reducing the maximum allowed length of the request headers using the --max-http-header-size=size and/or the maxHeaderSize options.

  • CVSS details - 5.3

     

    CVSS3 metrics
    Attack Vector Network
    Attack Complexity Low
    Privileges Required None
    User interaction None
    Scope Unchanged
    Confidentiality None
    Integrity None
    Availability Low
  • References

        THIRD PARTY
        ReDoS in Sec-Websocket-Protocol header · CVE-2021-32640 · GitHub Advisory Database · GitHub
        ReDoS in Sec-Websocket-Protocol header · Advisory · websockets/ws · GitHub
        [security] Fix ReDoS vulnerability · websockets/ws@00c425e · GitHub
        Pony Mail!

CVE–2019–16769
  • Description

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

    The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

    GitHub

    Cross-Site Scripting in serialize-javascript

    Versions of serialize-javascript prior to 2.1.1 are vulnerable to Cross-Site Scripting (XSS). The package fails to sanitize serialized regular expressions. This vulnerability does not affect Node.js applications.

    Recommendation

    Upgrade to version 2.1.1 or later.

    NVD

    The serialize-javascript npm package before version 2.1.1 is vulnerable to Cross-site Scripting (XSS). It does not properly mitigate against unsafe characters in serialized regular expressions. This vulnerability is not affected on Node.js environment since Node.js's implementation of RegExp.prototype.toString() backslash-escapes all forward slashes in regular expressions. If serialized data of regular expression objects are used in an environment other than Node.js, it is affected by this vulnerability.

  • CVSS details - 5.4

     

    CVSS3 metrics
    Attack Vector Network
    Attack Complexity Low
    Privileges Required Low
    User interaction Required
    Scope Changed
    Confidentiality Low
    Integrity Low
    Availability None
  • References

        Cross-Site Scripting in serialize-javascript · CVE-2019-16769 · GitHub Advisory Database · GitHub
        NVD - CVE-2019-16769
        regular expressions Cross-Site Scripting (XSS) vulnerability · Advisory · yahoo/serialize-javascript · GitHub

CVE–2020–7660
  • Description

    Deserialization of Untrusted Data

    The application deserializes untrusted data without sufficiently verifying that the resulting data will be valid.

    GitHub

    Insecure serialization leading to RCE in serialize-javascript

    serialize-javascript prior to 3.1.0 allows remote attackers to inject arbitrary code via the function "deleteFunctions" within "index.js".

    An object such as {"foo": /1"/, "bar": "a\"@__R-<UID>-0__@"} was serialized as {"foo": /1"/, "bar": "a\/1"/}, which allows an attacker to escape the bar key. This requires the attacker to control the values of both foo and bar and guess the value of <UID>. The UID has a keyspace of approximately 4 billion making it a realistic network attack.

    The following proof-of-concept calls console.log() when the running eval():
    eval('('+ serialize({"foo": /1" + console.log(1)/i, "bar": '"@__R-<UID>-0__@'}) + ')');

    NVD

    serialize-javascript prior to 3.1.0 allows remote attackers to inject arbitrary code via the function "deleteFunctions" within "index.js".

  • CVSS details - 8.1

     

    CVSS3 metrics
    Attack Vector Network
    Attack Complexity High
    Privileges Required None
    User interaction None
    Scope Unchanged
    Confidentiality High
    Integrity High
    Availability High
  • References

        Insecure serialization leading to RCE in serialize-javascript · CVE-2020-7660 · GitHub Advisory Database · GitHub
        Don't replace regex / function placeholders within string literals (#79) · yahoo/serialize-javascript@f21a6fb · GitHub
        NVD - CVE-2020-7660

 

Related information

📌 Remember! Check the changes to ensure they don't introduce any breaking changes.
📚 Read more at Debricked

 

@debricked debricked bot closed this Oct 22, 2021
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants