yarn-audit-known-issues
{"actions":[],"advisories":{"1099357":{"findings":[{"version":"2.0.1","paths":["puppeteer>@puppeteer/browsers>proxy-agent>socks-proxy-agent>socks>ip","playwright>fsevents>node-gyp>make-fetch-happen>socks-proxy-agent>socks>ip","mocha>chokidar>fsevents>node-gyp>make-fetch-happen>socks-proxy-agent>socks>ip","codeceptjs>mocha>chokidar>fsevents>node-gyp>make-fetch-happen>socks-proxy-agent>socks>ip","codeceptjs>mocha-junit-reporter>mocha>chokidar>fsevents>node-gyp>make-fetch-happen>socks-proxy-agent>socks>ip"]}],"found_by":null,"deleted":null,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2024-29415\n- https://github.com/indutny/node-ip/issues/150\n- https://github.com/indutny/node-ip/pull/143\n- https://github.com/indutny/node-ip/pull/144\n- https://github.com/advisories/GHSA-2p57-rm9w-gvfp","created":"2024-06-02T22:29:29.000Z","id":1099357,"npm_advisory_id":null,"overview":"The ip package through 2.0.1 for Node.js might allow SSRF because some IP addresses (such as 127.1, 01200034567, 012.1.2.3, 000:0:0000::01, and ::fFFf:127.0.0.1) are improperly categorized as globally routable via isPublic. 
NOTE: this issue exists because of an incomplete fix for CVE-2023-42282.","reported_by":null,"title":"ip SSRF improper categorization in isPublic","metadata":null,"cves":["CVE-2024-29415"],"access":"public","severity":"high","module_name":"ip","vulnerable_versions":"<=2.0.1","github_advisory_id":"GHSA-2p57-rm9w-gvfp","recommendation":"None","patched_versions":"<0.0.0","updated":"2024-09-03T19:59:02.000Z","cvss":{"score":8.1,"vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"},"cwe":["CWE-918"],"url":"https://github.com/advisories/GHSA-2p57-rm9w-gvfp"},"1101081":{"findings":[{"version":"0.1.10","paths":["express>path-to-regexp","@hmcts/info-provider>express>path-to-regexp"]}],"found_by":null,"deleted":null,"references":"- https://github.com/pillarjs/path-to-regexp/security/advisories/GHSA-rhx6-c78j-4q9w\n- https://blakeembrey.com/posts/2024-09-web-redos\n- https://nvd.nist.gov/vuln/detail/CVE-2024-52798\n- https://github.com/pillarjs/path-to-regexp/commit/f01c26a013b1889f0c217c643964513acf17f6a4\n- https://github.com/advisories/GHSA-rhx6-c78j-4q9w","created":"2024-12-05T22:40:47.000Z","id":1101081,"npm_advisory_id":null,"overview":"### Impact\n\nThe regular expression that is vulnerable to backtracking can be generated in the 0.1.x release of `path-to-regexp`, originally reported in CVE-2024-45296\n\n### Patches\n\nUpgrade to 0.1.12.\n\n### Workarounds\n\nAvoid using two parameters within a single path segment, when the separator is not `.` (e.g. no `/:a-:b`). 
Alternatively, you can define the regex used for both parameters and ensure they do not overlap to allow backtracking.\n\n### References\n\n- https://github.com/advisories/GHSA-9wv6-86v2-598j\n- https://blakeembrey.com/posts/2024-09-web-redos/","reported_by":null,"title":"Unpatched `path-to-regexp` ReDoS in 0.1.x","metadata":null,"cves":["CVE-2024-52798"],"access":"public","severity":"moderate","module_name":"path-to-regexp","vulnerable_versions":"<0.1.12","github_advisory_id":"GHSA-rhx6-c78j-4q9w","recommendation":"Upgrade to version 0.1.12 or later","patched_versions":">=0.1.12","updated":"2024-12-06T00:33:29.000Z","cvss":{"score":0,"vectorString":null},"cwe":["CWE-1333"],"url":"https://github.com/advisories/GHSA-rhx6-c78j-4q9w"}},"muted":[],"metadata":{"vulnerabilities":{"info":0,"low":0,"moderate":2,"high":5,"critical":0},"dependencies":706,"devDependencies":0,"optionalDependencies":0,"totalDependencies":706}}