chore(deps): update dependency coder/code-server to v4.90.3 #5476
Auto-approved because label type/renovate is present.
🔍 Vulnerabilities of
digest | sha256:457c94d97d4a239797cdf15c4cc7fd72a6eaf4e23631c2d77b25af878756f1d2 |
platform | linux/amd64 |
size | 97 MB |
packages | 385 |
handlebars (npm)
Affected range | <4.7.7 |
Fixed version | 4.7.7 |
CVSS Score | 9.8 |
CVSS Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
Description
The package handlebars before 4.7.7 is vulnerable to Prototype Pollution when selecting certain compiling options to compile templates coming from an untrusted source.
Improper Control of Generation of Code ('Code Injection')
Affected range | <4.7.7 |
Fixed version | 4.7.7 |
CVSS Score | 9.8 |
CVSS Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
Description
The package handlebars before 4.7.7 is vulnerable to Remote Code Execution (RCE) when selecting certain compiling options to compile templates coming from an untrusted source.
Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
Affected range | <3.0.8 |
Fixed version | 4.3.0 |
CVSS Score | 9.8 |
CVSS Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
Description
Versions of handlebars prior to 3.0.8 or 4.3.0 are vulnerable to Prototype Pollution leading to Remote Code Execution. Templates may alter an Object's `__proto__` and `__defineGetter__` properties, which may allow an attacker to execute arbitrary code through crafted payloads.
Recommendation
Upgrade to version 3.0.8, 4.3.0 or later.
Improper Control of Generation of Code ('Code Injection')
Affected range | <3.0.8 |
Fixed version | 3.0.8 |
CVSS Score | 8.1 |
CVSS Vector | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:L/A:L |
Description
Handlebars before 3.0.8 and 4.x before 4.5.3 is vulnerable to Arbitrary Code Execution. The lookup helper fails to properly validate templates, allowing attackers to submit templates that execute arbitrary JavaScript. This can be used to run arbitrary code on a server processing Handlebars templates or in a victim's browser (effectively serving as XSS).
Modification of Assumed-Immutable Data (MAID)
Affected range | <3.0.7 |
Fixed version | 3.0.7 |
CVSS Score | 7.3 |
CVSS Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L |
Description
Versions of handlebars prior to 4.0.14 are vulnerable to Prototype Pollution. Templates may alter an Object's prototype, thus allowing an attacker to execute arbitrary code on the server.
Recommendation
For handlebars 4.1.x upgrade to 4.1.2 or later.
For handlebars 4.0.x upgrade to 4.0.14 or later.
Improper Control of Generation of Code ('Code Injection')
Affected range | <3.0.8 |
Fixed version | 3.0.8 |
CVSS Score | 7.3 |
CVSS Vector | CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:L/I:H/A:L |
Description
Versions of handlebars prior to 3.0.8 or 4.5.2 are vulnerable to Arbitrary Code Execution. The package's lookup helper fails to properly validate templates, allowing attackers to submit templates that execute arbitrary JavaScript in the system. It can be used to run arbitrary code in a server processing Handlebars templates or on a victim's browser (effectively serving as Cross-Site Scripting). The following template can be used to demonstrate the vulnerability:
```handlebars
{{#with split as |a|}} {{pop (push "alert('Vulnerable Handlebars JS');")}} {{#with (concat (lookup join (slice 0 1)))}} {{#each (slice 2 3)}} {{#with (apply 0 a)}} {{.}} {{/with}} {{/each}} {{/with}} {{/with}} {{/with}}
```
Recommendation
Upgrade to version 3.0.8, 4.5.2 or later.

high: GHSA-q2c6-c6pm-g3gh (https://scout.docker.com/v/GHSA-q2c6-c6pm-g3gh?s=github&n=handlebars&t=npm&vr=%3C3.0.8)
Affected range | <3.0.8 |
Fixed version | 3.0.8 |
Description
Versions of handlebars prior to 3.0.8 or 4.5.3 are vulnerable to Arbitrary Code Execution. The package's lookup helper fails to properly validate templates, allowing attackers to submit templates that execute arbitrary JavaScript in the system. It is due to an incomplete fix for a previous issue (https://www.npmjs.com/advisories/1316). This vulnerability can be used to run arbitrary code in a server processing Handlebars templates or on a victim's browser (effectively serving as Cross-Site Scripting).
Recommendation
Upgrade to version 3.0.8, 4.5.3 or later.

high: GHSA-g9r4-xpmj-mj65 (https://scout.docker.com/v/GHSA-g9r4-xpmj-mj65?s=github&n=handlebars&t=npm&vr=%3C3.0.8)
Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
Affected range | <3.0.8 |
Fixed version | 3.0.8 |
Description
Versions of handlebars prior to 3.0.8 or 4.5.3 are vulnerable to prototype pollution. It is possible to add or modify properties to the Object prototype through a malicious template. This may allow attackers to crash the application or execute Arbitrary Code in specific conditions.
Recommendation
Upgrade to version 3.0.8, 4.5.3 or later.

medium 6.1: CVE-2015-8861 (https://scout.docker.com/v/CVE-2015-8861?s=github&n=handlebars&t=npm&vr=%3C4.0.0)
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Affected range | <4.0.0 |
Fixed version | 4.0.0 |
CVSS Score | 6.1 |
CVSS Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
Description
Versions of handlebars prior to 4.0.0 are affected by a cross-site scripting vulnerability when attributes in handlebar templates are not quoted.
Proof of Concept
Template: `<a href={{foo}}/>`
Input: `{ 'foo' : 'test.com onload=alert(1)'}`
Rendered result: `<a href=test.com onload=alert(1)/>`
Recommendation
Update to version 4.0.0 or later. Alternatively, ensure that all attributes in handlebars templates are encapsulated with quotes.

unspecified: GMS-2020-730 (https://scout.docker.com/v/GMS-2020-730?s=gitlab&n=handlebars&t=npm&vr=%3C3.0.8)
OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
Affected range | <3.0.8 |
Fixed version | 3.0.8, 4.5.3 |
Description
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in handlebars.

unspecified: GMS-2020-729 (https://scout.docker.com/v/GMS-2020-729?s=gitlab&n=handlebars&t=npm&vr=%3C3.0.8)
OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
Affected range | <3.0.8 |
Fixed version | 3.0.8, 4.5.3 |
Description
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in handlebars.

unspecified: GMS-2020-727 (https://scout.docker.com/v/GMS-2020-727?s=gitlab&n=handlebars&t=npm&vr=%3C3.0.8)
OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
Affected range | <3.0.8 |
Fixed version | 3.0.8, 4.5.2 |
Description
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in handlebars.

unspecified: GMS-2019-126 (https://scout.docker.com/v/GMS-2019-126?s=gitlab&n=handlebars&t=npm&vr=%3C3.0.7)
OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
Affected range | <3.0.7 |
Fixed version | 3.0.7, 4.0.14, 4.1.2 |
Description
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in handlebars.

unspecified: GMS-2015-33 (https://scout.docker.com/v/GMS-2015-33?s=gitlab&n=handlebars&t=npm&vr=%3C4.0.0)
OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
Affected range | <4.0.0 |
Fixed version | 4.0.0 |
Description
The library does not properly escape attribute values, making XSS exploits possible.
npm 1.0.1 (npm)
pkg:npm/npm@1.0.1
critical: 0, high: 5, medium: 1, low: 1, unspecified: 1

high 7.8: CVE-2018-7408 (https://scout.docker.com/v/CVE-2018-7408?s=github&n=npm&t=npm&vr=%3C5.7.1)
Incorrect Permission Assignment for Critical Resource
Affected range | <5.7.1 |
Fixed version | 5.7.1 |
CVSS Score | 7.8 |
CVSS Vector | CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
Description
An issue was discovered in an npm 5.7.0 2018-02-21 pre-release (marked as "next: 5.7.0" and therefore automatically installed by an "npm upgrade -g npm" command, and also announced in the vendor's blog without mention of pre-release status). It might allow local users to bypass intended filesystem access restrictions because ownerships of /etc and /usr directories are being changed unexpectedly, related to a "correctMkdir" issue.

high 7.7: CVE-2019-16777 (https://scout.docker.com/v/CVE-2019-16777?s=github&n=npm&t=npm&vr=%3C6.13.4)
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Affected range | <6.13.4 |
Fixed version | 6.13.4 |
CVSS Score | 7.7 |
CVSS Vector | CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N |
Description
Versions of the npm CLI prior to 6.13.4 are vulnerable to a Global node_modules Binary Overwrite. It fails to prevent existing globally-installed binaries from being overwritten by other package installations. For example, if a package was installed globally and created a `serve` binary, any subsequent installs of packages that also create a `serve` binary would overwrite the first binary. This will not overwrite system binaries but only binaries put into the global node_modules directory. This behavior is still allowed in local installations and also through install scripts. This vulnerability bypasses a user using the --ignore-scripts install option.
Recommendation
Upgrade to version 6.13.4 or later.

high 7.7: CVE-2019-16776 (https://scout.docker.com/v/CVE-2019-16776?s=github&n=npm&t=npm&vr=%3C6.13.3)
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Affected range | <6.13.3 |
Fixed version | 6.13.3 |
CVSS Score | 7.7 |
CVSS Vector | CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N |
Description
Versions of the npm CLI prior to 6.13.3 are vulnerable to a symlink reference outside of node_modules. It is possible for packages to create symlinks to files outside of the `node_modules` folder through the `bin` field upon installation. A properly constructed entry in the package.json bin field would allow a package publisher to create a symlink pointing to arbitrary files on a user's system when the package is installed. Only files accessible by the user running the `npm install` are affected. This behavior is still possible through install scripts. This vulnerability bypasses a user using the --ignore-scripts install option.
Recommendation
Upgrade to version 6.13.3 or later.

high 7.7: CVE-2019-16775 (https://scout.docker.com/v/CVE-2019-16775?s=github&n=npm&t=npm&vr=%3C6.13.3)
Improper Link Resolution Before File Access ('Link Following')
Affected range | <6.13.3 |
Fixed version | 6.13.3 |
CVSS Score | 7.7 |
CVSS Vector | CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N |
Description
Versions of the npm CLI prior to 6.13.3 are vulnerable to an Arbitrary File Write. It fails to prevent access to folders outside of the intended node_modules folder through the bin field. A properly constructed entry in the package.json bin field would allow a package publisher to create files on a user's system when the package is installed. It is only possible to affect files that the user running `npm install` has access to, and it is not possible to overwrite files that already exist on disk. This behavior is still possible through install scripts. This vulnerability bypasses a user using the --ignore-scripts install option.
Recommendation
Upgrade to version 6.13.3 or later.

high: CVE-2016-3956 (https://scout.docker.com/v/CVE-2016-3956?s=github&n=npm&t=npm&vr=%3C%3D2.15.0)
Exposure of Sensitive Information to an Unauthorized Actor
Affected range | <=2.15.0 |
Fixed version | 2.15.1 |
Description
Affected versions of the `npm` package include the bearer token of the logged in user in every request made by the CLI, even if the request is not directed towards the user's active registry. An attacker could create an HTTP server to collect tokens, and by various means including but not limited to install scripts, cause the npm CLI to make a request to that server, which would compromise the user's token. This compromised token could be used to do anything that the user could do, including publishing new packages.
Recommendation
1. Update npm with `npm install npm@latest -g`
2. Revoke your Tokens (https://www.npmjs.com/settings/tokens)
3. Enable Two-Factor Authentication (https://docs.npmjs.com/getting-started/using-two-factor-authentication)

medium 4.4: CVE-2020-15095 (https://scout.docker.com/v/CVE-2020-15095?s=github&n=npm&t=npm&vr=%3C6.14.6)
Insertion of Sensitive Information into Log File
Affected range | <6.14.6 |
Fixed version | 6.14.6 |
CVSS Score | 4.4 |
CVSS Vector | CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:N |
Description
Versions of the npm CLI prior to 6.14.6 are vulnerable to an information exposure vulnerability through log files. The CLI supports URLs like `<protocol>://[<user>[:<password>]@]<hostname>[:<port>][:][/]<path>`. The password value is not redacted and is printed to stdout and also to any generated log files.

low: CVE-2013-4116 (https://scout.docker.com/v/CVE-2013-4116?s=github&n=npm&t=npm&vr=%3C1.3.3)
Improper Link Resolution Before File Access ('Link Following')
Affected range | <1.3.3 |
Fixed version | 1.3.3 |
Description
Affected versions of `npm` use predictable temporary file names during archive unpacking. If an attacker can create a symbolic link at the location of one of these temporary file names, the attacker can arbitrarily write to any file that the user which owns the `npm` process has permission to write to, potentially resulting in local privilege escalation.
Recommendation
Update to version 1.3.3 or later.

unspecified: GMS-2016-23 (https://scout.docker.com/v/GMS-2016-23?s=gitlab&n=npm&t=npm&vr=%3C%3D%2C2.15.0)
OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
Affected range | <=2.15.0 |
Fixed version | 2.15.1, 3.8.3 |
Description
The primary npm registry has, since late, used HTTP bearer tokens to authenticate requests from the npm command-line interface. Due to a design flaw in the CLI, these bearer tokens were sent with every request made by the CLI for logged-in users, regardless of the destination of the request. They should instead only be included for requests made against the registry or registries used for the current install. This flaw allows an attacker to set up an HTTP server that could collect authentication information they could use to impersonate the users whose tokens they collected. This impersonation would allow them to do anything the compromised users could do, including publishing new versions of packages.
grunt 1.0.0 (npm)
pkg:npm/grunt@1.0.0
critical: 0, high: 2, medium: 1, low: 0

high 7.1: CVE-2020-7729 (https://scout.docker.com/v/CVE-2020-7729?s=github&n=grunt&t=npm&vr=%3C1.3.0)
Initialization of a Resource with an Insecure Default
Affected range | <1.3.0 |
Fixed version | 1.3.0 |
CVSS Score | 7.1 |
CVSS Vector | CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H |
Description
The package grunt before 1.3.0 is vulnerable to Arbitrary Code Execution due to the default usage of the function load() instead of its secure replacement safeLoad() of the package js-yaml inside grunt.file.readYAML.

high 7.0: CVE-2022-1537 (https://scout.docker.com/v/CVE-2022-1537?s=github&n=grunt&t=npm&vr=%3C1.5.3)
Time-of-check Time-of-use (TOCTOU) Race Condition
Affected range | <1.5.3 |
Fixed version | 1.5.3 |
CVSS Score | 7 |
CVSS Vector | CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H |
Description
file.copy operations in GruntJS are vulnerable to a TOCTOU race condition leading to arbitrary file write in GitHub repository gruntjs/grunt prior to 1.5.3. This vulnerability is capable of arbitrary file writes which can lead to local privilege escalation to the GruntJS user if a lower-privileged user has write access to both source and destination directories, as the lower-privileged user can create a symlink to the GruntJS user's .bashrc file or replace the /etc/shadow file if the GruntJS user is root.

medium 5.5: CVE-2022-0436 (https://scout.docker.com/v/CVE-2022-0436?s=github&n=grunt&t=npm&vr=%3C1.5.2)
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Affected range | <1.5.2 |
Fixed version | 1.5.2 |
CVSS Score | 5.5 |
CVSS Vector | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N |
Description
Grunt prior to version 1.5.2 is vulnerable to path traversal.
pug 1.0.0 (npm)
pkg:npm/pug@1.0.0
critical: 0, high: 2, medium: 0, low: 0

high 8.1: CVE-2024-36361 (https://scout.docker.com/v/CVE-2024-36361?s=github&n=pug&t=npm&vr=%3C%3D3.0.2)
Improper Control of Generation of Code ('Code Injection')
Affected range | <=3.0.2 |
Fixed version | 3.0.3 |
CVSS Score | 8.1 |
CVSS Vector | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H |
Description
Pug through 3.0.2 allows JavaScript code execution if an application accepts untrusted input for the name option of the `compileClient`, `compileFileClient`, or `compileClientWithDependenciesTracked` function. NOTE: these functions are for compiling Pug templates into JavaScript, and there would typically be no reason to allow untrusted callers.

high 6.8: CVE-2021-21353 (https://scout.docker.com/v/CVE-2021-21353?s=github&n=pug&t=npm&vr=%3C3.0.1)
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
Affected range | <3.0.1 |
Fixed version | 3.0.1 |
CVSS Score | 6.8 |
CVSS Vector | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N |
Description
Impact
If a remote attacker was able to control the `pretty` option of the pug compiler, e.g. if you spread a user provided object such as the query parameters of a request into the pug template inputs, it was possible for them to achieve remote code execution on the node.js backend.
Patches
Upgrade to `[email protected]` or `[email protected]` or `[email protected]`, which correctly sanitise the parameter.
Workarounds
If there is no way for un-trusted input to be passed to pug as the `pretty` option, e.g. if you compile templates in advance before applying user input to them, you do not need to upgrade.
References
Original report: https://github.com/pugjs/pug/issues/3312
For more information
If you believe you have found other vulnerabilities, please DO NOT open an issue. Instead, you can follow the instructions in our Security Policy (https://github.com/pugjs/pug/blob/master/SECURITY.md).

node 20.11.1 (generic)
pkg:generic/node@20.11.1
critical: 0, high: 1, medium: 1, low: 0

high: CVE-2024-27983 (https://scout.docker.com/v/CVE-2024-27983?s=docker&n=node&t=generic&vr=%3E%3D20.0.0%2C%3C20.12.1)
Affected range | >=20.0.0, <20.12.1 |
Fixed version | 20.12.1 |

medium: CVE-2024-27982 (https://scout.docker.com/v/CVE-2024-27982?s=docker&n=node&t=generic&vr=%3E%3D20.0.0%2C%3C20.12.1)
Affected range | >=20.0.0, <20.12.1 |
Fixed version | 20.12.1 |

diff 1.0.0 (npm)
pkg:npm/diff@1.0.0
critical: 0, high: 1, medium: 0, low: 0, unspecified: 1

high: GHSA-h6ch-v84p-w6p9 (https://scout.docker.com/v/GHSA-h6ch-v84p-w6p9?s=github&n=diff&t=npm&vr=%3C3.5.0)
Uncontrolled Resource Consumption
Affected range | <3.5.0 |
Fixed version | 3.5.0 |
Description
A vulnerability was found in diff before v3.5.0; the affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) attacks.

unspecified: GMS-2019-21 (https://scout.docker.com/v/GMS-2019-21?s=gitlab&n=diff&t=npm&vr=%3C3.5.0)
OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
Affected range | <3.5.0 |
Fixed version | 3.5.0 |
Description
A vulnerability was found in diff before v3.5.0; the affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) attacks.
ws 8.17.0 (npm)
pkg:npm/ws@8.17.0
critical: 0, high: 1, medium: 0, low: 0

high 7.5: CVE-2024-37890 (https://scout.docker.com/v/CVE-2024-37890?s=github&n=ws&t=npm&vr=%3E%3D8.0.0%2C%3C8.17.1)
NULL Pointer Dereference
Affected range | >=8.0.0, <8.17.1 |
Fixed version | 8.17.1 |
CVSS Score | 7.5 |
CVSS Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
Description
Impact
A request with a number of headers exceeding the `server.maxHeadersCount` threshold could be used to crash a ws server.
Proof of concept
```js
const http = require('http');
const WebSocket = require('ws');

// Start a ws server on an ephemeral port; once it is listening, send it
// a single upgrade request carrying more headers than the default
// server.maxHeadersCount (2000) allows.
const wss = new WebSocket.Server({ port: 0 }, function () {
  const chars = "!#$%&'*+-.0123456789abcdefghijklmnopqrstuvwxyz^_`|~".split('');
  const headers = {};
  let count = 0;

  // Generate 2000 distinct two-character header names.
  for (let i = 0; i < chars.length; i++) {
    if (count === 2000) break;

    for (let j = 0; j < chars.length; j++) {
      const key = chars[i] + chars[j];
      headers[key] = 'x';
      if (++count === 2000) break;
    }
  }

  // Add the handshake headers so the request reaches the ws upgrade handler.
  headers.Connection = 'Upgrade';
  headers.Upgrade = 'websocket';
  headers['Sec-WebSocket-Key'] = 'dGhlIHNhbXBsZSBub25jZQ==';
  headers['Sec-WebSocket-Version'] = '13';

  const request = http.request({
    headers: headers,
    host: '127.0.0.1',
    port: wss.address().port
  });
  request.end();
});
```
### Patches

The vulnerability was fixed in [email protected] (websockets/ws@e55e510) and backported to [email protected] (websockets/ws@22c2876), [email protected] (websockets/ws@eeb76d3), and [email protected] (websockets/ws@4abd8f6)

### Workarounds

In vulnerable versions of ws, the issue can be mitigated in the following ways:

- Reduce the maximum allowed length of the request headers using the `--max-http-header-size=size` and/or the `maxHeaderSize` options so that no more headers than the `server.maxHeadersCount` limit can be sent.
- Set `server.maxHeadersCount` to `0` so that no limit is applied.

### Credits

The vulnerability was reported by Ryan LaPointe in websockets/ws#2230.

### References
json 1.0.0
(npm)
pkg:npm/[email protected]
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Affected range | <10.0.0 |
Fixed version | 10.0.0 |
CVSS Score | 7.2 |
CVSS Vector | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H |
Description
This affects the package json before 10.0.0. It is possible to inject arbitrary commands using the parseLookup function.
ip 1.1.9
(npm)
pkg:npm/[email protected]
Server-Side Request Forgery (SSRF)
Affected range | <=2.0.1 |
Fixed version | Not Fixed |
Description
The ip package through 2.0.1 for Node.js might allow SSRF because some IP addresses (such as 127.1, 01200034567, 012.1.2.3, 000:0:0000::01, and ::fFFf:127.0.0.1) are improperly categorized as globally routable via isPublic. NOTE: this issue exists because of an incomplete fix for CVE-2023-42282.
ini 1.0.0
(npm)
pkg:npm/[email protected]
Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
Affected range | <1.3.6 |
Fixed version | 1.3.6 |
CVSS Score | 7.3 |
CVSS Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L |
Description
Overview

The `ini` npm package before version 1.3.6 has a Prototype Pollution vulnerability. If an attacker submits a malicious INI file to an application that parses it with `ini.parse`, they will pollute the prototype on the application. This can be exploited further depending on the context.

Patches

This has been patched in 1.3.6.

Steps to reproduce

payload.ini:

```ini
[__proto__]
polluted = "polluted"
```

poc.js:

```js
var fs = require('fs')
var ini = require('ini')
var parsed = ini.parse(fs.readFileSync('./payload.ini', 'utf-8'))
console.log(parsed)
console.log(parsed.__proto__)
console.log(polluted)
```

```
> node poc.js
{}
{ polluted: 'polluted' }
{ polluted: 'polluted' }
polluted
```
ip 2.0.1
(npm)
pkg:npm/[email protected]
Server-Side Request Forgery (SSRF)
Affected range | <=2.0.1 |
Fixed version | Not Fixed |
Description
The ip package through 2.0.1 for Node.js might allow SSRF because some IP addresses (such as 127.1, 01200034567, 012.1.2.3, 000:0:0000::01, and ::fFFf:127.0.0.1) are improperly categorized as globally routable via isPublic. NOTE: this issue exists because of an incomplete fix for CVE-2023-42282.
braces 3.0.2
(npm)
pkg:npm/[email protected]
Excessive Platform Resource Consumption within a Loop
Affected range | <3.0.3 |
Fixed version | 3.0.3 |
CVSS Score | 7.5 |
CVSS Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
Description
The NPM package `braces` fails to limit the number of characters it can handle, which could lead to Memory Exhaustion. In `lib/parse.js`, if a malicious user sends "imbalanced braces" as input, the parsing will enter a loop, which will cause the program to start allocating heap memory without freeing it at any moment of the loop. Eventually, the JavaScript heap limit is reached, and the program will crash.
markdown 1.0.0
(npm)
pkg:npm/[email protected]
Uncontrolled Resource Consumption
Affected range | >=0.0.0 |
Fixed version | Not Fixed |
Description
All versions of `markdown` are vulnerable to Regular Expression Denial of Service (ReDoS). The `markdown.toHTML()` function has significantly degraded performance when parsing long strings containing underscores. This may lead to Denial of Service if the parser accepts user input.
Recommendation
No fix is currently available. Consider using an alternative package until a fix is made available.
OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
Affected range | >=0 |
Fixed version | Not Fixed |
Description
All versions of `markdown` are vulnerable to Regular Expression Denial of Service (ReDoS). The `markdown.toHTML()` function has significantly degraded performance when parsing long strings containing underscores. This may lead to Denial of Service if the parser accepts user input. No fix is currently available. Consider using an alternative package until a fix is made available.
Attempting automerge. See https://github.com/uniget-org/tools/actions/runs/9621875654.
PR is clean and can be merged. See https://github.com/uniget-org/tools/actions/runs/9621875654.
This PR contains the following updates:
`4.90.2` -> `4.90.3`
Warning
Some dependencies could not be looked up. Check the Dependency Dashboard for more information.
Release Notes
coder/code-server (coder/code-server)
v4.90.3
Compare Source
Changed
Fixed
directory created in the current working directory named with a date.
Instead, the file itself is prepended with the date and kept in the same
directory, as originally intended.
Configuration
📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Renovate Bot.