-
Notifications
You must be signed in to change notification settings - Fork 6
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
CCD-5932 : Fix CVE-2024-47764 (#548)
* bumped cookie to 0.7.0 * updated suppressions file
- Loading branch information
1 parent
42a4767
commit 66a4048
Showing
3 changed files
with
597 additions
and
639 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1 +1 @@ | ||
| {"actions":[],"advisories":{"1099846":{"findings":[{"version":"0.6.0","paths":["cookie-parser>cookie"]}],"found_by":null,"deleted":null,"references":"- https://github.com/jshttp/cookie/security/advisories/GHSA-pxg6-pf52-xh8x\n- https://github.com/jshttp/cookie/pull/167\n- https://github.com/jshttp/cookie/commit/e10042845354fea83bd8f34af72475eed1dadf5c\n- https://github.com/advisories/GHSA-pxg6-pf52-xh8x","created":"2024-10-04T20:31:00.000Z","id":1099846,"npm_advisory_id":null,"overview":"### Impact\n\nThe cookie name could be used to set other fields of the cookie, resulting in an unexpected cookie value. For example, `serialize(\"userName=<script>alert('XSS3')</script>; Max-Age=2592000; a\", value)` would result in `\"userName=<script>alert('XSS3')</script>; Max-Age=2592000; a=test\"`, setting `userName` cookie to `<script>` and ignoring `value`.\n\nA similar escape can be used for `path` and `domain`, which could be abused to alter other fields of the cookie.\n\n### Patches\n\nUpgrade to 0.7.0, which updates the validation for `name`, `path`, and `domain`.\n\n### Workarounds\n\nAvoid passing untrusted or arbitrary values for these fields, ensure they are set by the application instead of user input.\n\n### References\n\n* https://github.com/jshttp/cookie/pull/167","reported_by":null,"title":"cookie accepts cookie name, path, and domain with out of bounds characters","metadata":null,"cves":["CVE-2024-47764"],"access":"public","severity":"low","module_name":"cookie","vulnerable_versions":"<0.7.0","github_advisory_id":"GHSA-pxg6-pf52-xh8x","recommendation":"Upgrade to version 0.7.0 or later","patched_versions":">=0.7.0","updated":"2024-10-04T20:31:01.000Z","cvss":{"score":0,"vectorString":null},"cwe":["CWE-74"],"url":"https://github.com/advisories/GHSA-pxg6-pf52-xh8x"},"1100223":{"findings":[{"version":"0.20.0","paths":["http-proxy-middleware"]}],"found_by":null,"deleted":null,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2024-21536\n- https://github.com/chimurai/http-proxy-middleware/commit/0b4274e8cc9e9a2c5a06f35fbf456ccfcebc55a5\n- https://github.com/chimurai/http-proxy-middleware/commit/788b21e4aff38332d6319557d4a5b1b13b1f9a22\n- https://gist.github.com/mhassan1/28be67266d82a53708ed59ce5dc3c94a\n- https://security.snyk.io/vuln/SNYK-JS-HTTPPROXYMIDDLEWARE-8229906\n- https://github.com/advisories/GHSA-c7qv-q95q-8v27","created":"2024-10-19T06:30:30.000Z","id":1100223,"npm_advisory_id":null,"overview":"Versions of the package http-proxy-middleware before 2.0.7, from 3.0.0 and before 3.0.3 are vulnerable to Denial of Service (DoS) due to an UnhandledPromiseRejection error thrown by micromatch. An attacker could kill the Node.js process and crash the server by making requests to certain paths.","reported_by":null,"title":"Denial of service in http-proxy-middleware","metadata":null,"cves":["CVE-2024-21536"],"access":"public","severity":"high","module_name":"http-proxy-middleware","vulnerable_versions":"<2.0.7","github_advisory_id":"GHSA-c7qv-q95q-8v27","recommendation":"Upgrade to version 2.0.7 or later","patched_versions":">=2.0.7","updated":"2024-10-22T19:47:42.000Z","cvss":{"score":7.5,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},"cwe":["CWE-400"],"url":"https://github.com/advisories/GHSA-c7qv-q95q-8v27"},"1100563":{"findings":[{"version":"7.0.3","paths":["cross-env>cross-spawn","nyc>foreground-child>cross-spawn","nyc>spawn-wrap>foreground-child>cross-spawn"]}],"found_by":null,"deleted":null,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2024-21538\n- https://github.com/moxystudio/node-cross-spawn/pull/160\n- https://github.com/moxystudio/node-cross-spawn/commit/5ff3a07d9add449021d806e45c4168203aa833ff\n- https://github.com/moxystudio/node-cross-spawn/commit/640d391fde65388548601d95abedccc12943374f\n- https://security.snyk.io/vuln/SNYK-JS-CROSSSPAWN-8303230\n- https://github.com/moxystudio/node-cross-spawn/issues/165\n- https://github.com/moxystudio/node-cross-spawn/commit/d35c865b877d2f9ded7c1ed87521c2fdb689c8dd\n- https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-8366349\n- https://github.com/advisories/GHSA-3xgq-45jj-v275","created":"2024-11-08T06:30:47.000Z","id":1100563,"npm_advisory_id":null,"overview":"Versions of the package cross-spawn before 7.0.5 are vulnerable to Regular Expression Denial of Service (ReDoS) due to improper input sanitization. An attacker can increase the CPU usage and crash the program by crafting a very large and well crafted string.","reported_by":null,"title":"Regular Expression Denial of Service (ReDoS) in cross-spawn","metadata":null,"cves":["CVE-2024-21538"],"access":"public","severity":"high","module_name":"cross-spawn","vulnerable_versions":">=7.0.0 <7.0.5","github_advisory_id":"GHSA-3xgq-45jj-v275","recommendation":"Upgrade to version 7.0.5 or later","patched_versions":">=7.0.5","updated":"2024-11-19T16:19:50.000Z","cvss":{"score":7.5,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},"cwe":["CWE-1333"],"url":"https://github.com/advisories/GHSA-3xgq-45jj-v275"}},"muted":[],"metadata":{"vulnerabilities":{"info":0,"low":1,"moderate":0,"high":4,"critical":0},"dependencies":316,"devDependencies":1,"optionalDependencies":0,"totalDependencies":317}} | ||
| {"actions":[],"advisories":{"1100223":{"findings":[{"version":"0.20.0","paths":["http-proxy-middleware"]}],"found_by":null,"deleted":null,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2024-21536\n- https://github.com/chimurai/http-proxy-middleware/commit/0b4274e8cc9e9a2c5a06f35fbf456ccfcebc55a5\n- https://github.com/chimurai/http-proxy-middleware/commit/788b21e4aff38332d6319557d4a5b1b13b1f9a22\n- https://gist.github.com/mhassan1/28be67266d82a53708ed59ce5dc3c94a\n- https://security.snyk.io/vuln/SNYK-JS-HTTPPROXYMIDDLEWARE-8229906\n- https://github.com/advisories/GHSA-c7qv-q95q-8v27","created":"2024-10-19T06:30:30.000Z","id":1100223,"npm_advisory_id":null,"overview":"Versions of the package http-proxy-middleware before 2.0.7, from 3.0.0 and before 3.0.3 are vulnerable to Denial of Service (DoS) due to an UnhandledPromiseRejection error thrown by micromatch. An attacker could kill the Node.js process and crash the server by making requests to certain paths.","reported_by":null,"title":"Denial of service in http-proxy-middleware","metadata":null,"cves":["CVE-2024-21536"],"access":"public","severity":"high","module_name":"http-proxy-middleware","vulnerable_versions":"<2.0.7","github_advisory_id":"GHSA-c7qv-q95q-8v27","recommendation":"Upgrade to version 2.0.7 or later","patched_versions":">=2.0.7","updated":"2024-10-22T19:47:42.000Z","cvss":{"score":7.5,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},"cwe":["CWE-400"],"url":"https://github.com/advisories/GHSA-c7qv-q95q-8v27"}},"muted":[],"metadata":{"vulnerabilities":{"info":0,"low":0,"moderate":0,"high":1,"critical":0},"dependencies":310,"devDependencies":1,"optionalDependencies":0,"totalDependencies":311}} |
Oops, something went wrong.