Skip to content

Commit

Permalink
Auto-suppress CVEs
Browse files Browse the repository at this point in the history
  • Loading branch information
dinesh1patel authored and github-actions[bot] committed Nov 28, 2024
1 parent 427ae0c commit ba428a2
Showing 1 changed file with 1 addition and 1 deletion.
2 changes: 1 addition & 1 deletion yarn-audit-known-issues
Original file line number Diff line number Diff line change
@@ -1 +1 @@
{"actions":[],"advisories":{"1098094":{"findings":[{"version":"3.0.2","paths":["http-proxy-middleware>micromatch>braces"]}],"found_by":null,"deleted":null,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2024-4068\n- https://github.com/micromatch/braces/issues/35\n- https://devhub.checkmarx.com/cve-details/CVE-2024-4068\n- https://github.com/micromatch/braces/blob/98414f9f1fabe021736e26836d8306d5de747e0d/lib/parse.js#L308\n- https://github.com/micromatch/braces/pull/37\n- https://github.com/micromatch/braces/pull/40\n- https://github.com/micromatch/braces/commit/415d660c3002d1ab7e63dbf490c9851da80596ff\n- https://github.com/advisories/GHSA-grv7-fg5c-xmjg","created":"2024-05-14T18:30:54.000Z","id":1098094,"npm_advisory_id":null,"overview":"The NPM package `braces` fails to limit the number of characters it can handle, which could lead to Memory Exhaustion. In `lib/parse.js,` if a malicious user sends \"imbalanced braces\" as input, the parsing will enter a loop, which will cause the program to start allocating heap memory without freeing it at any moment of the loop. Eventually, the JavaScript heap limit is reached, and the program will crash.\n","reported_by":null,"title":"Uncontrolled resource consumption in braces","metadata":null,"cves":["CVE-2024-4068"],"access":"public","severity":"high","module_name":"braces","vulnerable_versions":"<3.0.3","github_advisory_id":"GHSA-grv7-fg5c-xmjg","recommendation":"Upgrade to version 3.0.3 or later","patched_versions":">=3.0.3","updated":"2024-07-05T21:25:08.000Z","cvss":{"score":7.5,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},"cwe":["CWE-400","CWE-1050"],"url":"https://github.com/advisories/GHSA-grv7-fg5c-xmjg"},"1098681":{"findings":[{"version":"4.0.5","paths":["http-proxy-middleware>micromatch"]}],"found_by":null,"deleted":null,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2024-4067\n- https://github.com/micromatch/micromatch/issues/243\n- https://github.com/micromatch/micromatch/pull/247\n- https://devhub.checkmarx.com/cve-details/CVE-2024-4067\n- https://github.com/micromatch/micromatch/blob/2c56a8604b68c1099e7bc0f807ce0865a339747a/index.js#L448\n- https://github.com/micromatch/micromatch/commit/500d5d6f42f0e8dfa1cb5464c6cb420b1b6aaaa0\n- https://github.com/micromatch/micromatch/pull/266\n- https://github.com/micromatch/micromatch/commit/03aa8052171e878897eee5d7bb2ae0ae83ec2ade\n- https://advisory.checkmarx.net/advisory/CVE-2024-4067\n- https://github.com/micromatch/micromatch/releases/tag/4.0.8\n- https://github.com/advisories/GHSA-952p-6rrq-rcjv","created":"2024-05-14T18:30:54.000Z","id":1098681,"npm_advisory_id":null,"overview":"The NPM package `micromatch` prior to version 4.0.8 is vulnerable to Regular Expression Denial of Service (ReDoS). The vulnerability occurs in `micromatch.braces()` in `index.js` because the pattern `.*` will greedily match anything. By passing a malicious payload, the pattern matching will keep backtracking to the input while it doesn't find the closing bracket. As the input size increases, the consumption time will also increase until it causes the application to hang or slow down. There was a merged fix but further testing shows the issue persisted prior to https://github.com/micromatch/micromatch/pull/266. This issue should be mitigated by using a safe pattern that won't start backtracking the regular expression due to greedy matching.\n","reported_by":null,"title":"Regular Expression Denial of Service (ReDoS) in micromatch","metadata":null,"cves":["CVE-2024-4067"],"access":"public","severity":"moderate","module_name":"micromatch","vulnerable_versions":"<4.0.8","github_advisory_id":"GHSA-952p-6rrq-rcjv","recommendation":"Upgrade to version 4.0.8 or later","patched_versions":">=4.0.8","updated":"2024-08-28T13:12:27.000Z","cvss":{"score":5.3,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},"cwe":["CWE-1333"],"url":"https://github.com/advisories/GHSA-952p-6rrq-rcjv"},"1099846":{"findings":[{"version":"0.6.0","paths":["cookie-parser>cookie"]}],"found_by":null,"deleted":null,"references":"- https://github.com/jshttp/cookie/security/advisories/GHSA-pxg6-pf52-xh8x\n- https://github.com/jshttp/cookie/pull/167\n- https://github.com/jshttp/cookie/commit/e10042845354fea83bd8f34af72475eed1dadf5c\n- https://github.com/advisories/GHSA-pxg6-pf52-xh8x","created":"2024-10-04T20:31:00.000Z","id":1099846,"npm_advisory_id":null,"overview":"### Impact\n\nThe cookie name could be used to set other fields of the cookie, resulting in an unexpected cookie value. For example, `serialize(\"userName=<script>alert('XSS3')</script>; Max-Age=2592000; a\", value)` would result in `\"userName=<script>alert('XSS3')</script>; Max-Age=2592000; a=test\"`, setting `userName` cookie to `<script>` and ignoring `value`.\n\nA similar escape can be used for `path` and `domain`, which could be abused to alter other fields of the cookie.\n\n### Patches\n\nUpgrade to 0.7.0, which updates the validation for `name`, `path`, and `domain`.\n\n### Workarounds\n\nAvoid passing untrusted or arbitrary values for these fields, ensure they are set by the application instead of user input.\n\n### References\n\n* https://github.com/jshttp/cookie/pull/167","reported_by":null,"title":"cookie accepts cookie name, path, and domain with out of bounds characters","metadata":null,"cves":["CVE-2024-47764"],"access":"public","severity":"low","module_name":"cookie","vulnerable_versions":"<0.7.0","github_advisory_id":"GHSA-pxg6-pf52-xh8x","recommendation":"Upgrade to version 0.7.0 or later","patched_versions":">=0.7.0","updated":"2024-10-04T20:31:01.000Z","cvss":{"score":0,"vectorString":null},"cwe":["CWE-74"],"url":"https://github.com/advisories/GHSA-pxg6-pf52-xh8x"},"1100223":{"findings":[{"version":"0.20.0","paths":["http-proxy-middleware"]}],"found_by":null,"deleted":null,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2024-21536\n- https://github.com/chimurai/http-proxy-middleware/commit/0b4274e8cc9e9a2c5a06f35fbf456ccfcebc55a5\n- https://github.com/chimurai/http-proxy-middleware/commit/788b21e4aff38332d6319557d4a5b1b13b1f9a22\n- https://gist.github.com/mhassan1/28be67266d82a53708ed59ce5dc3c94a\n- https://security.snyk.io/vuln/SNYK-JS-HTTPPROXYMIDDLEWARE-8229906\n- https://github.com/advisories/GHSA-c7qv-q95q-8v27","created":"2024-10-19T06:30:30.000Z","id":1100223,"npm_advisory_id":null,"overview":"Versions of the package http-proxy-middleware before 2.0.7, from 3.0.0 and before 3.0.3 are vulnerable to Denial of Service (DoS) due to an UnhandledPromiseRejection error thrown by micromatch. An attacker could kill the Node.js process and crash the server by making requests to certain paths.","reported_by":null,"title":"Denial of service in http-proxy-middleware","metadata":null,"cves":["CVE-2024-21536"],"access":"public","severity":"high","module_name":"http-proxy-middleware","vulnerable_versions":"<2.0.7","github_advisory_id":"GHSA-c7qv-q95q-8v27","recommendation":"Upgrade to version 2.0.7 or later","patched_versions":">=2.0.7","updated":"2024-10-22T19:47:42.000Z","cvss":{"score":7.5,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},"cwe":["CWE-400"],"url":"https://github.com/advisories/GHSA-c7qv-q95q-8v27"},"1100563":{"findings":[{"version":"7.0.3","paths":["cross-env>cross-spawn","nyc>foreground-child>cross-spawn","nyc>spawn-wrap>foreground-child>cross-spawn"]}],"found_by":null,"deleted":null,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2024-21538\n- https://github.com/moxystudio/node-cross-spawn/pull/160\n- https://github.com/moxystudio/node-cross-spawn/commit/5ff3a07d9add449021d806e45c4168203aa833ff\n- https://github.com/moxystudio/node-cross-spawn/commit/640d391fde65388548601d95abedccc12943374f\n- https://security.snyk.io/vuln/SNYK-JS-CROSSSPAWN-8303230\n- https://github.com/moxystudio/node-cross-spawn/issues/165\n- https://github.com/moxystudio/node-cross-spawn/commit/d35c865b877d2f9ded7c1ed87521c2fdb689c8dd\n- https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-8366349\n- https://github.com/advisories/GHSA-3xgq-45jj-v275","created":"2024-11-08T06:30:47.000Z","id":1100563,"npm_advisory_id":null,"overview":"Versions of the package cross-spawn before 7.0.5 are vulnerable to Regular Expression Denial of Service (ReDoS) due to improper input sanitization. An attacker can increase the CPU usage and crash the program by crafting a very large and well crafted string.","reported_by":null,"title":"Regular Expression Denial of Service (ReDoS) in cross-spawn","metadata":null,"cves":["CVE-2024-21538"],"access":"public","severity":"high","module_name":"cross-spawn","vulnerable_versions":">=7.0.0 <7.0.5","github_advisory_id":"GHSA-3xgq-45jj-v275","recommendation":"Upgrade to version 7.0.5 or later","patched_versions":">=7.0.5","updated":"2024-11-19T16:19:50.000Z","cvss":{"score":7.5,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},"cwe":["CWE-1333"],"url":"https://github.com/advisories/GHSA-3xgq-45jj-v275"}},"muted":[],"metadata":{"vulnerabilities":{"info":0,"low":1,"moderate":1,"high":5,"critical":0},"dependencies":316,"devDependencies":1,"optionalDependencies":0,"totalDependencies":317}}
{"actions":[],"advisories":{"1098094":{"findings":[{"version":"3.0.2","paths":["http-proxy-middleware>micromatch>braces"]}],"found_by":null,"deleted":null,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2024-4068\n- https://github.com/micromatch/braces/issues/35\n- https://devhub.checkmarx.com/cve-details/CVE-2024-4068\n- https://github.com/micromatch/braces/blob/98414f9f1fabe021736e26836d8306d5de747e0d/lib/parse.js#L308\n- https://github.com/micromatch/braces/pull/37\n- https://github.com/micromatch/braces/pull/40\n- https://github.com/micromatch/braces/commit/415d660c3002d1ab7e63dbf490c9851da80596ff\n- https://github.com/advisories/GHSA-grv7-fg5c-xmjg","created":"2024-05-14T18:30:54.000Z","id":1098094,"npm_advisory_id":null,"overview":"The NPM package `braces` fails to limit the number of characters it can handle, which could lead to Memory Exhaustion. In `lib/parse.js,` if a malicious user sends \"imbalanced braces\" as input, the parsing will enter a loop, which will cause the program to start allocating heap memory without freeing it at any moment of the loop. Eventually, the JavaScript heap limit is reached, and the program will crash.\n","reported_by":null,"title":"Uncontrolled resource consumption in braces","metadata":null,"cves":["CVE-2024-4068"],"access":"public","severity":"high","module_name":"braces","vulnerable_versions":"<3.0.3","github_advisory_id":"GHSA-grv7-fg5c-xmjg","recommendation":"Upgrade to version 3.0.3 or later","patched_versions":">=3.0.3","updated":"2024-07-05T21:25:08.000Z","cvss":{"score":7.5,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},"cwe":["CWE-400","CWE-1050"],"url":"https://github.com/advisories/GHSA-grv7-fg5c-xmjg"},"1098681":{"findings":[{"version":"4.0.5","paths":["http-proxy-middleware>micromatch"]}],"found_by":null,"deleted":null,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2024-4067\n- https://github.com/micromatch/micromatch/issues/243\n- https://github.com/micromatch/micromatch/pull/247\n- https://devhub.checkmarx.com/cve-details/CVE-2024-4067\n- https://github.com/micromatch/micromatch/blob/2c56a8604b68c1099e7bc0f807ce0865a339747a/index.js#L448\n- https://github.com/micromatch/micromatch/commit/500d5d6f42f0e8dfa1cb5464c6cb420b1b6aaaa0\n- https://github.com/micromatch/micromatch/pull/266\n- https://github.com/micromatch/micromatch/commit/03aa8052171e878897eee5d7bb2ae0ae83ec2ade\n- https://advisory.checkmarx.net/advisory/CVE-2024-4067\n- https://github.com/micromatch/micromatch/releases/tag/4.0.8\n- https://github.com/advisories/GHSA-952p-6rrq-rcjv","created":"2024-05-14T18:30:54.000Z","id":1098681,"npm_advisory_id":null,"overview":"The NPM package `micromatch` prior to version 4.0.8 is vulnerable to Regular Expression Denial of Service (ReDoS). The vulnerability occurs in `micromatch.braces()` in `index.js` because the pattern `.*` will greedily match anything. By passing a malicious payload, the pattern matching will keep backtracking to the input while it doesn't find the closing bracket. As the input size increases, the consumption time will also increase until it causes the application to hang or slow down. There was a merged fix but further testing shows the issue persisted prior to https://github.com/micromatch/micromatch/pull/266. This issue should be mitigated by using a safe pattern that won't start backtracking the regular expression due to greedy matching.\n","reported_by":null,"title":"Regular Expression Denial of Service (ReDoS) in micromatch","metadata":null,"cves":["CVE-2024-4067"],"access":"public","severity":"moderate","module_name":"micromatch","vulnerable_versions":"<4.0.8","github_advisory_id":"GHSA-952p-6rrq-rcjv","recommendation":"Upgrade to version 4.0.8 or later","patched_versions":">=4.0.8","updated":"2024-08-28T13:12:27.000Z","cvss":{"score":5.3,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},"cwe":["CWE-1333"],"url":"https://github.com/advisories/GHSA-952p-6rrq-rcjv"},"1099846":{"findings":[{"version":"0.6.0","paths":["cookie-parser>cookie"]}],"found_by":null,"deleted":null,"references":"- https://github.com/jshttp/cookie/security/advisories/GHSA-pxg6-pf52-xh8x\n- https://github.com/jshttp/cookie/pull/167\n- https://github.com/jshttp/cookie/commit/e10042845354fea83bd8f34af72475eed1dadf5c\n- https://github.com/advisories/GHSA-pxg6-pf52-xh8x","created":"2024-10-04T20:31:00.000Z","id":1099846,"npm_advisory_id":null,"overview":"### Impact\n\nThe cookie name could be used to set other fields of the cookie, resulting in an unexpected cookie value. For example, `serialize(\"userName=<script>alert('XSS3')</script>; Max-Age=2592000; a\", value)` would result in `\"userName=<script>alert('XSS3')</script>; Max-Age=2592000; a=test\"`, setting `userName` cookie to `<script>` and ignoring `value`.\n\nA similar escape can be used for `path` and `domain`, which could be abused to alter other fields of the cookie.\n\n### Patches\n\nUpgrade to 0.7.0, which updates the validation for `name`, `path`, and `domain`.\n\n### Workarounds\n\nAvoid passing untrusted or arbitrary values for these fields, ensure they are set by the application instead of user input.\n\n### References\n\n* https://github.com/jshttp/cookie/pull/167","reported_by":null,"title":"cookie accepts cookie name, path, and domain with out of bounds characters","metadata":null,"cves":["CVE-2024-47764"],"access":"public","severity":"low","module_name":"cookie","vulnerable_versions":"<0.7.0","github_advisory_id":"GHSA-pxg6-pf52-xh8x","recommendation":"Upgrade to version 0.7.0 or later","patched_versions":">=0.7.0","updated":"2024-10-04T20:31:01.000Z","cvss":{"score":0,"vectorString":null},"cwe":["CWE-74"],"url":"https://github.com/advisories/GHSA-pxg6-pf52-xh8x"},"1100223":{"findings":[{"version":"0.20.0","paths":["http-proxy-middleware"]}],"found_by":null,"deleted":null,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2024-21536\n- https://github.com/chimurai/http-proxy-middleware/commit/0b4274e8cc9e9a2c5a06f35fbf456ccfcebc55a5\n- https://github.com/chimurai/http-proxy-middleware/commit/788b21e4aff38332d6319557d4a5b1b13b1f9a22\n- https://gist.github.com/mhassan1/28be67266d82a53708ed59ce5dc3c94a\n- https://security.snyk.io/vuln/SNYK-JS-HTTPPROXYMIDDLEWARE-8229906\n- https://github.com/advisories/GHSA-c7qv-q95q-8v27","created":"2024-10-19T06:30:30.000Z","id":1100223,"npm_advisory_id":null,"overview":"Versions of the package http-proxy-middleware before 2.0.7, from 3.0.0 and before 3.0.3 are vulnerable to Denial of Service (DoS) due to an UnhandledPromiseRejection error thrown by micromatch. An attacker could kill the Node.js process and crash the server by making requests to certain paths.","reported_by":null,"title":"Denial of service in http-proxy-middleware","metadata":null,"cves":["CVE-2024-21536"],"access":"public","severity":"high","module_name":"http-proxy-middleware","vulnerable_versions":"<2.0.7","github_advisory_id":"GHSA-c7qv-q95q-8v27","recommendation":"Upgrade to version 2.0.7 or later","patched_versions":">=2.0.7","updated":"2024-10-22T19:47:42.000Z","cvss":{"score":7.5,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},"cwe":["CWE-400"],"url":"https://github.com/advisories/GHSA-c7qv-q95q-8v27"}},"muted":[],"metadata":{"vulnerabilities":{"info":0,"low":1,"moderate":1,"high":2,"critical":0},"dependencies":316,"devDependencies":1,"optionalDependencies":0,"totalDependencies":317}}

0 comments on commit ba428a2

Please sign in to comment.