yarn.lock - HIGH vulnerability #3888

sk3pp3r opened this issue Jul 22, 2024 · 2 comments

sk3pp3r commented Jul 22, 2024

yarn.lock - HIGH vulnerability
Scan for vulnerabilities using trivy:

trivy repo https://github.com/NginxProxyManager/nginx-proxy-manager -s HIGH,CRITICAL
2024-07-22T12:25:24+03:00	INFO	Vulnerability scanning is enabled
2024-07-22T12:25:24+03:00	INFO	Secret scanning is enabled
2024-07-22T12:25:24+03:00	INFO	If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-07-22T12:25:24+03:00	INFO	Please see also https://aquasecurity.github.io/trivy/v0.52/docs/scanner/secret/#recommendation for faster secret detection
Enumerating objects: 4596, done.
Counting objects: 100% (4596/4596), done.
Compressing objects: 100% (2738/2738), done.
Total 4596 (delta 2319), reused 3335 (delta 1577), pack-reused 0
2024-07-22T12:25:31+03:00	INFO	Suppressing dependencies for development and testing. To display them, try the '--include-dev-deps' flag.
2024-07-22T12:25:31+03:00	INFO	Number of language-specific files	num=4
2024-07-22T12:25:31+03:00	INFO	[yarn] Detecting vulnerabilities...

backend/yarn.lock (yarn)

Total: 5 (HIGH: 5, CRITICAL: 0)

┌────────────────────┬────────────────┬──────────┬──────────┬───────────────────┬────────────────────────────┬──────────────────────────────────────────────────────────┐
│      Library       │ Vulnerability  │ Severity │  Status  │ Installed Version │       Fixed Version        │                          Title                           │
├────────────────────┼────────────────┼──────────┼──────────┼───────────────────┼────────────────────────────┼──────────────────────────────────────────────────────────┤
│ ansi-regex         │ CVE-2021-3807  │ HIGH     │ fixed    │ 3.0.0             │ 6.0.1, 5.0.1, 4.1.1, 3.0.1 │ nodejs-ansi-regex: Regular expression denial of service  │
│                    │                │          │          │                   │                            │ (ReDoS) matching ANSI escape codes                       │
│                    │                │          │          │                   │                            │ https://avd.aquasec.com/nvd/cve-2021-3807                │
│                    │                │          │          ├───────────────────┤                            │                                                          │
│                    │                │          │          │ 5.0.0             │                            │                                                          │
│                    │                │          │          │                   │                            │                                                          │
│                    │                │          │          │                   │                            │                                                          │
├────────────────────┼────────────────┤          ├──────────┼───────────────────┼────────────────────────────┼──────────────────────────────────────────────────────────┤
│ dicer              │ CVE-2022-24434 │          │ affected │ 0.3.0             │                            │ dicer: nodejs service crash by sending a crafted payload │
│                    │                │          │          │                   │                            │ https://avd.aquasec.com/nvd/cve-2022-24434               │
├────────────────────┼────────────────┤          │          ├───────────────────┼────────────────────────────┼──────────────────────────────────────────────────────────┤
│ express-fileupload │ CVE-2022-27261 │          │          │ 1.1.9             │                            │ Express-FileUpload Arbitrary File Overwrite              │
│                    │                │          │          │                   │                            │ https://avd.aquasec.com/nvd/cve-2022-27261               │
├────────────────────┼────────────────┤          ├──────────┼───────────────────┼────────────────────────────┼──────────────────────────────────────────────────────────┤
│ minimatch          │ CVE-2022-3517  │          │ fixed    │ 3.0.4             │ 3.0.5                      │ nodejs-minimatch: ReDoS via the braceExpand function     │
│                    │                │          │          │                   │                            │ https://avd.aquasec.com/nvd/cve-2022-3517                │
└────────────────────┴────────────────┴──────────┴──────────┴───────────────────┴────────────────────────────┴──────────────────────────────────────────────────────────┘

test/yarn.lock (yarn)

Total: 5 (HIGH: 5, CRITICAL: 0)

┌────────────┬──────────────────┬──────────┬────────┬───────────────────┬──────────────────────────────────────────────────────────┬──────────────────────────────────────────────────────────┐
│  Library   │  Vulnerability   │ Severity │ Status │ Installed Version │                      Fixed Version                       │                          Title                           │
├────────────┼──────────────────┼──────────┼────────┼───────────────────┼──────────────────────────────────────────────────────────┼──────────────────────────────────────────────────────────┤
│ ansi-regex │ CVE-2021-3807    │ HIGH     │ fixed  │ 5.0.0             │ 6.0.1, 5.0.1, 4.1.1, 3.0.1                               │ nodejs-ansi-regex: Regular expression denial of service  │
│            │                  │          │        │                   │                                                          │ (ReDoS) matching ANSI escape codes                       │
│            │                  │          │        │                   │                                                          │ https://avd.aquasec.com/nvd/cve-2021-3807                │
├────────────┼──────────────────┤          │        ├───────────────────┼──────────────────────────────────────────────────────────┼──────────────────────────────────────────────────────────┤
│ braces     │ CVE-2024-4068    │          │        │ 3.0.2             │ 3.0.3                                                    │ braces: fails to limit the number of characters it can   │
│            │                  │          │        │                   │                                                          │ handle                                                   │
│            │                  │          │        │                   │                                                          │ https://avd.aquasec.com/nvd/cve-2024-4068                │
├────────────┼──────────────────┤          │        ├───────────────────┼──────────────────────────────────────────────────────────┼──────────────────────────────────────────────────────────┤
│ minimatch  │ CVE-2022-3517    │          │        │ 3.0.4             │ 3.0.5                                                    │ nodejs-minimatch: ReDoS via the braceExpand function     │
│            │                  │          │        │                   │                                                          │ https://avd.aquasec.com/nvd/cve-2022-3517                │
├────────────┼──────────────────┤          │        ├───────────────────┼──────────────────────────────────────────────────────────┼──────────────────────────────────────────────────────────┤
│ qs         │ CVE-2017-1000048 │          │        │ 1.2.0             │ 6.0.4, 6.1.2, 6.2.3, 6.3.2                               │ nodejs-qs: Prototype override protection bypass          │
│            │                  │          │        │                   │                                                          │ https://avd.aquasec.com/nvd/cve-2017-1000048             │
│            ├──────────────────┤          │        │                   ├──────────────────────────────────────────────────────────┼──────────────────────────────────────────────────────────┤
│            │ CVE-2022-24999   │          │        │                   │ 6.10.3, 6.9.7, 6.8.3, 6.7.3, 6.6.1, 6.5.3, 6.4.1, 6.3.3, │ express: "qs" prototype poisoning causes the hang of the │
│            │                  │          │        │                   │ 6.2.4                                                    │ node process                                             │
│            │                  │          │        │                   │                                                          │ https://avd.aquasec.com/nvd/cve-2022-24999               │
└────────────┴──────────────────┴──────────┴────────┴───────────────────┴──────────────────────────────────────────────────────────┴──────────────────────────────────────────────────────────┘
@sk3pp3r sk3pp3r added the bug label Jul 22, 2024

Issue is now considered stale. If you want to keep it open, please comment 👍

@github-actions github-actions bot added the stale label Feb 15, 2025
sk3pp3r commented Feb 17, 2025

still exists

backend/yarn.lock (yarn)

Total: 6 (HIGH: 6, CRITICAL: 0)

┌────────────────────┬────────────────┬──────────┬──────────┬───────────────────┬────────────────────────────┬───────────────────────────────────────────────────────────┐
│      Library       │ Vulnerability  │ Severity │  Status  │ Installed Version │       Fixed Version        │                           Title                           │
├────────────────────┼────────────────┼──────────┼──────────┼───────────────────┼────────────────────────────┼───────────────────────────────────────────────────────────┤
│ ansi-regex         │ CVE-2021-3807  │ HIGH     │ fixed    │ 3.0.0             │ 6.0.1, 5.0.1, 4.1.1, 3.0.1 │ nodejs-ansi-regex: Regular expression denial of service   │
│                    │                │          │          │                   │                            │ (ReDoS) matching ANSI escape codes                        │
│                    │                │          │          │                   │                            │ https://avd.aquasec.com/nvd/cve-2021-3807                 │
│                    │                │          │          ├───────────────────┤                            │                                                           │
│                    │                │          │          │ 5.0.0             │                            │                                                           │
│                    │                │          │          │                   │                            │                                                           │
│                    │                │          │          │                   │                            │                                                           │
├────────────────────┼────────────────┤          ├──────────┼───────────────────┼────────────────────────────┼───────────────────────────────────────────────────────────┤
│ dicer              │ CVE-2022-24434 │          │ affected │ 0.3.0             │                            │ dicer: nodejs service crash by sending a crafted payload  │
│                    │                │          │          │                   │                            │ https://avd.aquasec.com/nvd/cve-2022-24434                │
├────────────────────┼────────────────┤          │          ├───────────────────┼────────────────────────────┼───────────────────────────────────────────────────────────┤
│ express-fileupload │ CVE-2022-27261 │          │          │ 1.1.9             │                            │ Express-FileUpload Arbitrary File Overwrite               │
│                    │                │          │          │                   │                            │ https://avd.aquasec.com/nvd/cve-2022-27261                │
├────────────────────┼────────────────┤          ├──────────┼───────────────────┼────────────────────────────┼───────────────────────────────────────────────────────────┤
│ minimatch          │ CVE-2022-3517  │          │ fixed    │ 3.0.4             │ 3.0.5                      │ nodejs-minimatch: ReDoS via the braceExpand function      │
│                    │                │          │          │                   │                            │ https://avd.aquasec.com/nvd/cve-2022-3517                 │
├────────────────────┼────────────────┤          │          ├───────────────────┼────────────────────────────┼───────────────────────────────────────────────────────────┤
│ path-to-regexp     │ CVE-2024-52798 │          │          │ 0.1.10            │ 0.1.12                     │ path-to-regexp: path-to-regexp Unpatched `path-to-regexp` │
│                    │                │          │          │                   │                            │ ReDoS in 0.1.x                                            │
│                    │                │          │          │                   │                            │ https://avd.aquasec.com/nvd/cve-2024-52798                │
└────────────────────┴────────────────┴──────────┴──────────┴───────────────────┴────────────────────────────┴───────────────────────────────────────────────────────────┘

@github-actions github-actions bot removed the stale label May 19, 2025
1 participant