{"actions":[],"advisories":{"1096727":{"findings":[{"version":"2.88.2","paths":["promise-request-retry>request","promise-request-retry>coveralls>request"]}],"found_by":null,"deleted":null,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2023-28155\n- https://github.com/request/request/issues/3442\n- https://github.com/request/request/pull/3444\n- https://doyensec.com/resources/Doyensec_Advisory_RequestSSRF_Q12023.pdf\n- https://github.com/github/advisory-database/pull/2500\n- https://github.com/cypress-io/request/blob/master/lib/redirect.js#L116\n- https://github.com/request/request/blob/master/lib/redirect.js#L111\n- https://github.com/cypress-io/request/pull/28\n- https://github.com/cypress-io/request/commit/c5bcf21d40fb61feaff21a0e5a2b3934a440024f\n- https://github.com/cypress-io/request/releases/tag/v3.0.0\n- https://security.netapp.com/advisory/ntap-20230413-0007\n- https://github.com/advisories/GHSA-p8p7-x288-28g6","created":"2023-03-16T15:30:19.000Z","id":1096727,"npm_advisory_id":null,"overview":"The `request` package through 2.88.2 for Node.js and the `@cypress/request` package prior to 3.0.0 allow a bypass of SSRF mitigations via an attacker-controller server that does a cross-protocol redirect (HTTP to HTTPS, or HTTPS to HTTP).\n\nNOTE: The `request` package is no longer supported by the maintainer.","reported_by":null,"title":"Server-Side Request Forgery in Request","metadata":null,"cves":["CVE-2023-28155"],"access":"public","severity":"moderate","module_name":"request","vulnerable_versions":"<=2.88.2","github_advisory_id":"GHSA-p8p7-x288-28g6","recommendation":"None","patched_versions":"<0.0.0","updated":"2024-03-21T17:47:21.000Z","cvss":{"score":6.1,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},"cwe":["CWE-918"],"url":"https://github.com/advisories/GHSA-p8p7-x288-28g6"},"1100531":{"findings":[{"version":"3.0.0","paths":["i18next-conv>node-gettext"]}],"found_by":null,"deleted":null,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2024-21528\n- https://security.snyk.io/vuln/SNYK-JS-NODEGETTEXT-6100943\n- https://github.com/alexanderwallin/node-gettext/blob/65d9670f691c2eeca40dce129c95bcf8b613d344/lib/gettext.js#L113\n- https://github.com/advisories/GHSA-g974-hxvm-x689","created":"2024-09-10T06:30:48.000Z","id":1100531,"npm_advisory_id":null,"overview":"All versions of the package node-gettext are vulnerable to Prototype Pollution via the addTranslations() function in gettext.js due to improper user input sanitization.","reported_by":null,"title":"node-gettext vulnerable to Prototype Pollution","metadata":null,"cves":["CVE-2024-21528"],"access":"public","severity":"high","module_name":"node-gettext","vulnerable_versions":"<=3.0.0","github_advisory_id":"GHSA-g974-hxvm-x689","recommendation":"None","patched_versions":"<0.0.0","updated":"2024-11-18T16:27:11.000Z","cvss":{"score":5.9,"vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H"},"cwe":["CWE-1321"],"url":"https://github.com/advisories/GHSA-g974-hxvm-x689"}},"muted":[],"metadata":{"vulnerabilities":{"info":0,"low":0,"moderate":2,"high":1,"critical":0},"dependencies":444,"devDependencies":94,"optionalDependencies":0,"totalDependencies":538}}