serverless-offline-11.6.0.tgz: 2 vulnerabilities (highest severity is: 9.8) #1294
Labels
Mend: dependency security vulnerability
Security vulnerability detected by Mend
Comments
mend-bolt-for-github
bot
added
the
Mend: dependency security vulnerability
mend-bolt-for-github
bot
changed the title
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Found in HEAD commit: d6f11282ee9f4af0baad5df06570b6a9700994af
Vulnerabilities
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
Vulnerable Library - jsonpath-plus-7.2.0.tgz
A JS implementation of JSONPath with some additional operators
Library home page: https://registry.npmjs.org/jsonpath-plus/-/jsonpath-plus-7.2.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
Found in HEAD commit: d6f11282ee9f4af0baad5df06570b6a9700994af
Found in base branch: master
Vulnerability Details
All versions of the package jsonpath-plus are vulnerable to Remote Code Execution (RCE) due to improper input sanitization. An attacker can execute aribitrary code on the system by exploiting the unsafe default usage of vm in Node. Note: There were several attempts to fix it in versions 10.0.0-10.1.0 but it could still be exploited using different payloads.
Publish Date: 2024-10-11
URL: CVE-2024-21534
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2024-21534
Release Date: 2024-10-11
Fix Resolution: jsonpath-plus - 10.2.0
Step up your Open Source Security Game with Mend here
Vulnerable Library - jose-4.13.1.tgz
Library home page: https://registry.npmjs.org/jose/-/jose-4.13.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
Found in HEAD commit: d6f11282ee9f4af0baad5df06570b6a9700994af
Found in base branch: master
Vulnerability Details
jose is JavaScript module for JSON Object Signing and Encryption, providing support for JSON Web Tokens (JWT), JSON Web Signature (JWS), JSON Web Encryption (JWE), JSON Web Key (JWK), JSON Web Key Set (JWKS), and more. A vulnerability has
been identified in the JSON Web Encryption (JWE) decryption interfaces, specifically related to the support for decompressing plaintext after its decryption. Under certain conditions it is possible to have the user's environment consume unreasonable amount of CPU time or memory during JWE Decryption operations. This issue has been patched in versions 2.0.7 and 4.15.5.
Publish Date: 2024-03-09
URL: CVE-2024-28176
CVSS 3 Score Details (4.9)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: High
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-hhhv-q57g-882q
Release Date: 2024-03-09
Fix Resolution (jose): 4.15.5
Direct dependency fix Resolution (serverless-offline): 12.0.0
Step up your Open Source Security Game with Mend here
The text was updated successfully, but these errors were encountered: