Bulk vulnerability fix - Lockfile fix

[debricked]

Bulk vulnerability fix - Lockfile fix

This pull request will update your transitive dependencies within the allowed version intervals provided by your direct dependencies.

Fixed vulnerabilities:

CVE–2017–18077

• Description

  Improper Input Validation

  The product does not validate or incorrectly validates input that can affect the control flow or data flow of a program.

  GitHub

  ReDoS in brace-expansion

  Affected versions of brace-expansion are vulnerable to a regular expression denial of service condition.

  Proof of Concept

  var expand = require('brace-expansion');
  expand('{,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,\n}');
  

  Recommendation

  Update to version 1.1.7 or later.

  NVD

  index.js in brace-expansion before 1.1.7 is vulnerable to Regular Expression Denial of Service (ReDoS) attacks, as demonstrated by an expand argument containing many comma characters.

• CVSS details - 7.5

   

  CVSS3 metrics
  Attack Vector	Network
  Attack Complexity	Low
  Privileges Required	None
  User interaction	None
  Scope	Unchanged
  Confidentiality	None
  Integrity	None
  Availability	High

• References

      THIRD PARTY
      ReDoS in brace-expansion · CVE-2017-18077 · GitHub Advisory Database · GitHub
      nodesecurity.io - nodesecurity Resources and Information.
      #862712 - node-brace-expansion: CVE-2017-18077: regular expression denial of service - Debian Bug report logs
      avoid ReDoS in expand by myvyang · Pull Request #35 · juliangruber/brace-expansion · GitHub
      ReDoS in expand · Issue #33 · juliangruber/brace-expansion · GitHub
      avoid ReDoS in expand by myvyang · Pull Request #35 · juliangruber/brace-expansion · GitHub
      ReDoS in brace-expansion · CVE-2017-18077 · GitHub Advisory Database · GitHub

CVE–2018–16492

• Description

  Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

  The software constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.

  GitHub

  Prototype Pollution in extend

  Versions of extend prior to 3.0.2 (for 3.x) and 2.0.2 (for 2.x) are vulnerable to Prototype Pollution. The extend() function allows attackers to modify the prototype of Object causing the addition or modification of an existing property that will exist on all objects.

  Recommendation

  If you're using extend 3.x upgrade to 3.0.2 or later.
  If you're using extend 2.x upgrade to 2.0.2 or later.

  NVD

  A prototype pollution vulnerability was found in module extend <2.0.2, ~<3.0.2 that allows an attacker to inject arbitrary properties onto Object.prototype.

• CVSS details - 9.8

   

  CVSS3 metrics
  Attack Vector	Network
  Attack Complexity	Low
  Privileges Required	None
  User interaction	None
  Scope	Unchanged
  Confidentiality	High
  Integrity	High
  Availability	High

• References

      Prototype Pollution in extend · CVE-2018-16492 · GitHub Advisory Database · GitHub
      NVD - CVE-2018-16492
      HackerOne

CVE–2017–16028

• Description

  Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)

  The product uses a Pseudo-Random Number Generator (PRNG) in a security context, but the PRNG's algorithm is not cryptographically strong.

  GitHub

  Cryptographically Weak PRNG in randomatic

  Affected versions of randomatic generate random values using a cryptographically weak psuedo-random number generator. This may result in predictable values instead of random values as intended.

  Recommendation

  Update to version 3.0.0 or later.

  NVD

  react-native-meteor-oauth is a library for Oauth2 login to a Meteor server in React Native. The oauth Random Token is generated using a non-cryptographically strong RNG (Math.random()).

• CVSS details - 5.3

   

  CVSS3 metrics
  Attack Vector	Network
  Attack Complexity	Low
  Privileges Required	None
  User interaction	None
  Scope	Unchanged
  Confidentiality	Low
  Integrity	None
  Availability	None

• References

      Cryptographically Weak PRNG in randomatic · CVE-2017-16028 · GitHub Advisory Database · GitHub
      THIRD PARTY
      nodesecurity.io - nodesecurity Resources and Information.
      react-native-meteor-oauth/meteor-oauth.js at a7eb738b74c469f5db20296b44b7cae4e2337435 · tableflip/react-native-meteor-oauth · GitHub
      use cryptographically secure random function · jonschlinkert/randomatic@4a52695 · GitHub

CVE–2017–1000188

• Description

  Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

  The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

  GitHub

  Moderate severity vulnerability that affects ejs

  nodejs ejs version older than 2.5.5 is vulnerable to a Cross-site-scripting in the ejs.renderFile() resulting in code injection

  NVD

  nodejs ejs version older than 2.5.5 is vulnerable to a Cross-site-scripting in the ejs.renderFile() resulting in code injection

• CVSS details - 6.1

   

  CVSS3 metrics
  Attack Vector	Network
  Attack Complexity	Low
  Privileges Required	None
  User interaction	Required
  Scope	Changed
  Confidentiality	Low
  Integrity	Low
  Availability	None

• References

      Bugtraq
      Blacklist a few other unsafe opts from passing in data obj · mde/ejs@49264e0 · GitHub
      THIRD PARTY
      Moderate severity vulnerability that affects ejs · CVE-2017-1000188 · GitHub Advisory Database · GitHub

CVE–2017–1000189

• Description

  Improper Input Validation

  The product does not validate or incorrectly validates input that can affect the control flow or data flow of a program.

  GitHub

  High severity vulnerability that affects ejs

  nodejs ejs version older than 2.5.5 is vulnerable to a denial-of-service due to weak input validation in the ejs.renderFile()

  NVD

  nodejs ejs version older than 2.5.5 is vulnerable to a denial-of-service due to weak input validation in the ejs.renderFile()

• CVSS details - 7.5

   

  CVSS3 metrics
  Attack Vector	Network
  Attack Complexity	Low
  Privileges Required	None
  User interaction	None
  Scope	Unchanged
  Confidentiality	None
  Integrity	None
  Availability	High

• References

      Bugtraq
      Blacklist a few other unsafe opts from passing in data obj · mde/ejs@49264e0 · GitHub
      THIRD PARTY
      High severity vulnerability that affects ejs · CVE-2017-1000189 · GitHub Advisory Database · GitHub

CVE–2017–1000228

• Description

  Improper Input Validation

  The product does not validate or incorrectly validates input that can affect the control flow or data flow of a program.

  GitHub

  ejs is ivulnerable to remote code execution due to weak input validation

  nodejs ejs versions older than 2.5.3 is vulnerable to remote code execution due to weak input validation in ejs.renderFile() function

  NVD

  nodejs ejs versions older than 2.5.3 is vulnerable to remote code execution due to weak input validation in ejs.renderFile() function

• CVSS details - 9.8

   

  CVSS3 metrics
  Attack Vector	Network
  Attack Complexity	Low
  Privileges Required	None
  User interaction	None
  Scope	Unchanged
  Confidentiality	High
  Integrity	High
  Availability	High

• References

      Bugtraq
      THIRD PARTY
      ejs is ivulnerable to remote code execution due to weak input validation · CVE-2017-1000228 · GitHub Advisory Database · GitHub
      Blacklist 'root' option when looking for opts in data obj · mde/ejs@3d447c5 · GitHub

debricked–154240

• Description

  C#-ANNOUNCEMENT

  Microsoft Security Advisory 3181759 : Vulnerabilities in ASP.NET Core View Components Could Allow Elevation of Privilege

  Microsoft is releasing this security advisory to provide information about a vulnerability in the public versions of ASP.NET Core MVC 1.0.0. This advisory also provides guidance on what developers can do to help ensure that their applications are updated correctly.Microsoft is aware of a security vulnerability in the public version of ASP.NET Core MVC 1.0.0 where View Components could receive incorrect information, including details of the current authenticated user. If a View Component depends on the vulnerable code and makes decisions based on the current user, the decisions the View Component makes could be incorrect and lead to Elevation of Privilege, depending upon the decisions made.

• CVSS details

      No information

• References

      Microsoft Security Advisory 3181759 : Vulnerabilities in ASP.NET Core View Components Could Allow Elevation of Privilege · Issue #203 · aspnet/Announcements · GitHub
      Vulnerable Regular Expression · Issue #510 · esamattis/underscore.string · GitHub
      Regular Expression Denial of Service in underscore.string · GHSA-v2p6-4mp7-3r9v · GitHub Advisory Database · GitHub

debricked–149668

• Description

  GitHub

  Regular Expression Denial of Service in underscore.string

  Versions of underscore.string prior to 3.3.5 are vulnerable to Regular Expression Denial of Service (ReDoS).

  The function unescapeHTML is vulnerable to ReDoS due to an overly-broad regex. The slowdown is approximately 2s for 50,000 characters but grows exponentially with larger inputs.

  Recommendation

  Upgrade to version 3.3.5 or higher.

• CVSS details

      No information

• References

      Regular Expression Denial of Service in underscore.string · GHSA-v2p6-4mp7-3r9v · GitHub Advisory Database · GitHub
      Vulnerable Regular Expression · Issue #510 · esamattis/underscore.string · GitHub

CVE–2016–2537

• Description

  Improper Input Validation

  The product does not validate or incorrectly validates input that can affect the control flow or data flow of a program.

  GitHub

  Regular Expression Denial of Service in is-my-json-valid

  Version of is-my-json-valid before 1.4.1 or 2.17.2 are vulnerable to regular expression denial of service (ReDoS) via the email validation function.

  Recommendation

  Update to version 1.4.1, 2.17.2 or later.

  NVD

  The is-my-json-valid package before 2.12.4 for Node.js has an incorrect exports['utc-millisec'] regular expression, which allows remote attackers to cause a denial of service (blocked event loop) via a crafted string.

• CVSS details - 7.5

   

  CVSS3 metrics
  Attack Vector	Network
  Attack Complexity	Low
  Privileges Required	None
  User interaction	None
  Scope	Unchanged
  Confidentiality	None
  Integrity	None
  Availability	High

• References

      NVD - CVE-2016-2537
      Regular Expression Denial of Service in is-my-json-valid · CVE-2016-2537 · GitHub Advisory Database · GitHub
      nodesecurity.io - nodesecurity Resources and Information.
      fix utc-millisec regex to avoid a ddos attack · mafintosh/is-my-json-valid@eca4beb · GitHub
      Merge pull request #159 from mafintosh/safe-regex · mafintosh/is-my-json-valid@b3051b2 · GitHub
      Regular Expression Denial of Service in is-my-json-valid · CVE-2016-2537 · GitHub Advisory Database · GitHub
      HackerOne
      Avoid catastrophic backtracking by LinusU · Pull Request #159 · mafintosh/is-my-json-valid · GitHub
      THIRD PARTY

CVE–2018–1107

• Description

  Uncontrolled Resource Consumption

  The software does not properly control the allocation and maintenance of a limited resource thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources.

  NVD

  It was discovered that the is-my-json-valid JavaScript library used an inefficient regular expression to validate JSON fields defined to have email format. A specially crafted JSON file could cause it to consume an excessive amount of CPU time when validated.

  GitHub

  Regular expression deinal of service (ReDoS) in is-my-json-valid

  It was discovered that the is-my-json-valid JavaScript library used an inefficient regular expression to validate JSON fields defined to have email format. A specially crafted JSON file could cause it to consume an excessive amount of CPU time when validated.

• CVSS details - 5.3

   

  CVSS3 metrics
  Attack Vector	Network
  Attack Complexity	Low
  Privileges Required	None
  User interaction	None
  Scope	Unchanged
  Confidentiality	None
  Integrity	None
  Availability	Low

• References

      NVD - CVE-2018-1107
      1546357 – (CVE-2018-1107) CVE-2018-1107 nodejs-is-my-json-valid: ReDoS when validating JSON fields with email format
      Avoid catastrophic backtracking by LinusU · Pull Request #159 · mafintosh/is-my-json-valid · GitHub
      Merge pull request #159 from mafintosh/safe-regex · mafintosh/is-my-json-valid@b3051b2 · GitHub
      Regular expression deinal of service (ReDoS) in is-my-json-valid · CVE-2018-1107 · GitHub Advisory Database · GitHub

CVE–2021–23807

• Description

  Access of Resource Using Incompatible Type ('Type Confusion')

  The program allocates or initializes a resource such as a pointer, object, or variable using one type, but it later accesses that resource using a type that is incompatible with the original type.

  NVD

  This affects the package jsonpointer before 5.0.0. A type confusion vulnerability can lead to a bypass of a previous Prototype Pollution fix when the pointer components are arrays.

  GitHub

  Prototype Pollution in node-jsonpointer

  This affects the package jsonpointer before 5.0.0. A type confusion vulnerability can lead to a bypass of a previous Prototype Pollution fix when the pointer components are arrays.

• CVSS details - 9.8

   

  CVSS3 metrics
  Attack Vector	Network
  Attack Complexity	Low
  Privileges Required	None
  User interaction	None
  Scope	Unchanged
  Confidentiality	High
  Integrity	High
  Availability	High

• References

      NVD - CVE-2021-23807
      Merge pull request #51 from dellalibera/fix-prototype-pollution · janl/node-jsonpointer@a0345f3 · GitHub
      fix-prototype-pollution by dellalibera · Pull Request #51 · janl/node-jsonpointer · GitHub
      Prototype Pollution in node-jsonpointer · CVE-2021-23807 · GitHub Advisory Database · GitHub

CVE–2018–3737

• Description

  Incorrect Regular Expression

  The software specifies a regular expression in a way that causes data to be improperly matched or compared.

  GitHub

  Regular Expression Denial of Service in sshpk

  Versions of sshpk before 1.13.2 or 1.14.1 are vulnerable to regular expression denial of service when parsing crafted invalid public keys.

  Recommendation

  Update to version 1.13.2, 1.14.1 or later.

  NVD

  sshpk is vulnerable to ReDoS when parsing crafted invalid public keys.

• CVSS details - 7.5

   

  CVSS3 metrics
  Attack Vector	Network
  Attack Complexity	Low
  Privileges Required	None
  User interaction	None
  Scope	Unchanged
  Confidentiality	None
  Integrity	None
  Availability	High

• References

      THIRD PARTY
      Regular Expression Denial of Service in sshpk · CVE-2018-3737 · GitHub Advisory Database · GitHub
      HackerOne

debricked–179667

• Description

  GitHub

  Out-of-Bounds read in stringstream

  Versions less than 0.0.6 of the Node.js stringstream module are vulnerable to an out-of-bounds read because of allocation of uninitialized buffers when a number is passed in the input stream (when using Node.js 4.x).

  WITHDRAWN

  This is a duplicate of GHSA-mf6x-7mm4-x2g7

• CVSS details

      No information

• References

      Out-of-Bounds read in stringstream · GHSA-qpw2-xchm-655q · GitHub Advisory Database · GitHub
      Uninitialized Memory Exposure · Issue #7 · mhart/StringStream · GitHub
      HackerOne
      NVD - CVE-2018-21270
      Out-of-bounds Read in stringstream · CVE-2018-21270 · GitHub Advisory Database · GitHub
      Merge pull request #9 from mhart/fix-buffer-constructor-vuln · mhart/StringStream@2f4a9d4 · GitHub

CVE–2017–15010

• Description

  Uncontrolled Resource Consumption

  The software does not properly control the allocation and maintenance of a limited resource thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources.

  GitHub

  Regular Expression Denial of Service in tough-cookie

  Affected versions of tough-cookie are susceptible to a regular expression denial of service.

  The amplification on this vulnerability is relatively low - it takes around 2 seconds for the engine to execute on a malicious input which is 50,000 characters in length.

  If node was compiled using the -DHTTP_MAX_HEADER_SIZE however, the impact of the vulnerability can be significant, as the primary limitation for the vulnerability is the default max HTTP header length in node.

  Recommendation

  Update to version 2.3.3 or later.

  NVD

  A ReDoS (regular expression denial of service) flaw was found in the tough-cookie module before 2.3.3 for Node.js. An attacker that is able to make an HTTP request using a specially crafted cookie may cause the application to consume an excessive amount of CPU.

• CVSS details - 7.5

   

  CVSS3 metrics
  Attack Vector	Network
  Attack Complexity	Low
  Privileges Required	None
  User interaction	None
  Scope	Unchanged
  Confidentiality	None
  Integrity	None
  Availability	High

• References

      Bugtraq
      Red Hat Customer Portal - Access to 24x7 support and knowledge
      Red Hat Customer Portal - Access to 24x7 support and knowledge
      Red Hat Customer Portal - Access to 24x7 support and knowledge
      Red Hat Customer Portal - Access to 24x7 support and knowledge
      nodesecurity.io - nodesecurity Resources and Information.
      Regular Expression Denial of Service in tough-cookie · CVE-2017-15010 · GitHub Advisory Database · GitHub
      THIRD PARTY
      Vulnerable Regular Expression · Issue #92 · salesforce/tough-cookie · GitHub
      [SECURITY] Fedora 30 Update: nodejs-tough-cookie-2.3.4-1.fc30 - package-announce - Fedora Mailing-Lists
      Regular Expression Denial of Service in tough-cookie · CVE-2017-15010 · GitHub Advisory Database · GitHub

CVE–2018–20834

• Description

  Improper Link Resolution Before File Access ('Link Following')

  The software attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource.

  GitHub

  Arbitrary File Overwrite in tar

  Versions of tar prior to 4.4.2 for 4.x and 2.2.2 for 2.x are vulnerable to Arbitrary File Overwrite. Extracting tarballs containing a hardlink to a file that already exists in the system, and a file that matches the hardlink will overwrite the system's file with the contents of the extracted file.

  Recommendation

  For tar 4.x, upgrade to version 4.4.2 or later.
  For tar 2.x, upgrade to version 2.2.2 or later.

  NVD

  A vulnerability was found in node-tar before version 4.4.2 (excluding version 2.2.2). An Arbitrary File Overwrite issue exists when extracting a tarball containing a hardlink to a file that already exists on the system, in conjunction with a later plain file with the same name as the hardlink. This plain file content replaces the existing file content. A patch has been applied to node-tar v2.2.2).

• CVSS details - 7.5

   

  CVSS3 metrics
  Attack Vector	Network
  Attack Complexity	Low
  Privileges Required	None
  User interaction	None
  Scope	Unchanged
  Confidentiality	None
  Integrity	High
  Availability	None

• References

      unpack: only reuse file fs entries if nlink = 1 · npm/node-tar@b0c5843 · GitHub
      Comparing 58a8d43...a5f7779 · npm/node-tar · GitHub
      HackerOne
      Arbitrary File Overwrite in tar · CVE-2018-20834 · GitHub Advisory Database · GitHub
      Red Hat Customer Portal - Access to 24x7 support and knowledge
      Bump fstream to fix hardlink overwriting vulnerability · npm/node-tar@7ecef07 · GitHub
      Commits · npm/node-tar · GitHub
      NVD - CVE-2018-20834
      Arbitrary File Overwrite in tar · CVE-2018-20834 · GitHub Advisory Database · GitHub

CVE–2019–13173

• Description

  Improper Link Resolution Before File Access ('Link Following')

  The software attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource.

  GitHub

  Arbitrary File Overwrite in fstream

  Versions of fstream prior to 1.0.12 are vulnerable to Arbitrary File Overwrite. Extracting tarballs containing a hardlink to a file that already exists in the system and a file that matches the hardlink will overwrite the system's file with the contents of the extracted file. The fstream.DirWriter() function is vulnerable.

  Recommendation

  Upgrade to version 1.0.12 or later.

  NVD

  fstream before 1.0.12 is vulnerable to Arbitrary File Overwrite. Extracting tarballs containing a hardlink to a file that already exists in the system, and a file that matches the hardlink, will overwrite the system's file with the contents of the extracted file. The fstream.DirWriter() function is vulnerable.

• CVSS details - 7.5

   

  CVSS3 metrics
  Attack Vector	Network
  Attack Complexity	Low
  Privileges Required	None
  User interaction	None
  Scope	Unchanged
  Confidentiality	None
  Integrity	High
  Availability	None

• References

      THIRD PARTY
      Arbitrary File Overwrite in fstream · CVE-2019-13173 · GitHub Advisory Database · GitHub
      Clobber a Link if it's in the way of a File · npm/fstream@6a77d2f · GitHub
      Arbitrary File Overwrite in fstream · CVE-2019-13173 · GitHub Advisory Database · GitHub
      [security-announce] openSUSE-SU-2019:1846-1: important: Security update for nodejs10 - openSUSE Security Announce - openSUSE Mailing Lists
      [security-announce] openSUSE-SU-2019:1907-1: important: Security update for nodejs8 - openSUSE Security Announce - openSUSE Mailing Lists
      USN-4123-1: npm/fstream vulnerability | Ubuntu security notices | Ubuntu

CVE–2018–20835

• Description

  Improper Input Validation

  The product does not validate or incorrectly validates input that can affect the control flow or data flow of a program.

  GitHub

  Improper Input Validation in tar-fs

  A vulnerability was found in tar-fs before 1.16.2. An Arbitrary File Overwrite issue exists when extracting a tarball containing a hardlink to a file that already exists on the system, in conjunction with a later plain file with the same name as the hardlink. This plain file content replaces the existing file content.

  NVD

  A vulnerability was found in tar-fs before 1.16.2. An Arbitrary File Overwrite issue exists when extracting a tarball containing a hardlink to a file that already exists on the system, in conjunction with a later plain file with the same name as the hardlink. This plain file content replaces the existing file content.

• CVSS details - 7.5

   

  CVSS3 metrics
  Attack Vector	Network
  Attack Complexity	Low
  Privileges Required	None
  User interaction	None
  Scope	Unchanged
  Confidentiality	None
  Integrity	High
  Availability	None

• References

      THIRD PARTY
      Improper Input Validation in tar-fs · CVE-2018-20835 · GitHub Advisory Database · GitHub
      force hardlink targets to be in the tar · mafintosh/tar-fs@0667282 · GitHub
      HackerOne
      Comparing d590fc7...a35ce2f · mafintosh/tar-fs · GitHub

debricked–160898

• Description

  GitHub

  Regular Expression Denial of Service

  A Regular Expression vulnerability was found in nwmatcher before 1.4.4. The fix replacing multiple repeated instances of the "\s*" pattern.

• CVSS details

      No information

• References

      Regular Expression Denial of Service · GHSA-6394-6h9h-cfjg · GitHub Advisory Database · GitHub
      changed instances of \s* with \s? in regular expressions to reduce th… · dperini/nwmatcher@9dcc2b0 · GitHub

 

Related information

📌 Remember! Check the changes to ensure they don't introduce any breaking changes.
📚 Read more at Debricked