Update devsecops-mvp.yml #10

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Open

subhashbohra wants to merge 1 commit into main from subhashbohra-patch-8

Owner

subhashbohra commented Sep 22, 2025

No description provided.


          Update devsecops-mvp.yml

43d8f9a

github-actions bot commented Sep 22, 2025

🛡️ AI DevSecOps Scan Summary

✅ Dependency scan completed.

📊 Vulnerability Report

🔍 Dependency Vulnerability Report%0A%0A| axios | CVE-2021-3749 | HIGH | nodejs-axios: Regular expression denial of service in trim function | Fixed: 0.21.2 |%0A| axios | CVE-2025-27152 | HIGH | axios: Possible SSRF and Credential Leakage via Absolute URL in axios Requests | Fixed: 1.8.2, 0.30.0 |%0A| axios | CVE-2025-58754 | HIGH | axios: Axios DoS via lack of data size check | Fixed: 1.12.0 |%0A| axios | CVE-2020-28168 | MEDIUM | nodejs-axios: allows an attacker to bypass a proxy by providing a URL that responds with a redirect to a restricted host or IP address | Fixed: 0.21.1 |%0A| axios | CVE-2023-45857 | MEDIUM | axios: exposure of confidential data stored in cookies | Fixed: 1.6.0, 0.28.0 |%0A| body-parser | CVE-2024-45590 | HIGH | body-parser: Denial of Service Vulnerability in body-parser | Fixed: 1.20.3 |%0A| cookie | CVE-2024-47764 | LOW | cookie: cookie accepts cookie name, path, and domain with out of bounds characters | Fixed: 0.7.0 |%0A| crypto-js | CVE-2023-46233 | CRITICAL | crypto-js: PBKDF2 1,000 times weaker than specified in 1993 and 1.3M times weaker than current standard | Fixed: 4.2.0 |%0A| crypto-js | CVE-2020-36732 | MEDIUM | crypto-js uses insecure random numbers | Fixed: 3.2.1 |%0A| express | CVE-2024-29041 | MEDIUM | express: cause malformed URLs to be evaluated | Fixed: 4.19.2, 5.0.0-beta.3 |%0A| express | CVE-2024-43796 | LOW | express: Improper Input Handling in Express Redirects | Fixed: 4.20.0, 5.0.0 |%0A| follow-redirects | CVE-2022-0155 | HIGH | follow-redirects: Exposure of Private Personal Information to an Unauthorized Actor | Fixed: 1.14.7 |%0A| follow-redirects | CVE-2022-0536 | MEDIUM | follow-redirects: Exposure of Sensitive Information via Authorization Header leak | Fixed: 1.14.8 |%0A| follow-redirects | CVE-2023-26159 | MEDIUM | follow-redirects: Improper Input Validation due to the improper handling of URLs by the url.parse() | Fixed: 1.15.4 |%0A| follow-redirects | CVE-2024-28849 | MEDIUM | follow-redirects: Possible credential leak | Fixed: 1.15.6 |%0A| form-data | CVE-2025-7783 | CRITICAL | form-data: Unsafe random function in form-data | Fixed: 2.5.4, 3.0.4, 4.0.4 |%0A| jsonwebtoken | CVE-2022-23539 | HIGH | jsonwebtoken: Unrestricted key type could lead to legacy keys usagen | Fixed: 9.0.0 |%0A| jsonwebtoken | CVE-2022-23540 | MEDIUM | jsonwebtoken: Insecure default algorithm in jwt.verify() could lead to signature validation bypass | Fixed: 9.0.0 |%0A| jsonwebtoken | CVE-2022-23541 | MEDIUM | jsonwebtoken: Insecure implementation of key retrieval function could lead to Forgeable Public/Private Tokens from RSA to HMAC | Fixed: 9.0.0 |%0A| lodash | CVE-2021-23337 | HIGH | nodejs-lodash: command injection via template | Fixed: 4.17.21 |%0A| lodash | CVE-2020-28500 | MEDIUM | nodejs-lodash: ReDoS via the toNumber, trim and trimEnd functions | Fixed: 4.17.21 |%0A| multer | CVE-2025-47935 | HIGH | Multer vulnerable to Denial of Service via memory leaks from unclosed streams | Fixed: 2.0.0 |%0A| path-to-regexp | CVE-2024-45296 | HIGH | path-to-regexp: Backtracking regular expressions cause ReDoS | Fixed: 1.9.0, 0.1.10, 8.0.0, 3.3.0, 6.3.0 |%0A| path-to-regexp | CVE-2024-52798 | HIGH | path-to-regexp: path-to-regexp Unpatched `path-to-regexp` ReDoS in 0.1.x | Fixed: 0.1.12 |%0A| qs | CVE-2022-24999 | HIGH | express: "qs" prototype poisoning causes the hang of the node process | Fixed: 6.10.3, 6.9.7, 6.8.3, 6.7.3, 6.6.1, 6.5.3, 6.4.1, 6.3.3, 6.2.4 |%0A| send | CVE-2024-43799 | LOW | send: Code Execution Vulnerability in Send Library | Fixed: 0.19.0 |%0A| serve-static | CVE-2024-43800 | LOW | serve-static: Improper Sanitization in serve-static | Fixed: 1.16.0, 2.1.0 |%0A| tar | CVE-2024-28863 | MEDIUM | node-tar: denial of service while parsing a tar file due to lack of folders depth validation | Fixed: 6.2.1 |%0A| tough-cookie | CVE-2023-26136 | MEDIUM | tough-cookie: prototype pollution in cookie memstore | Fixed: 4.1.3 |%0A| xmldom | CVE-2021-21366 | MEDIUM | xmldom: incorrect parsing and serialization leads to unexpected behavior | Fixed: 0.5.0 |%0A--- RAW JSON (for debugging) ---%0A{%0A "SchemaVersion": 2,%0A "CreatedAt": "2025-09-22T15:13:36.155554396Z",%0A "ArtifactName": ".",%0A "ArtifactType": "filesystem",%0A "Metadata": {%0A "RepoURL": "https://github.com/subhashbohra/DevSecOps_Platform",%0A "Commit": "7d80f76f30f2f1ffcecba8974710ebcbf11119b9",%0A "CommitMsg": "Merge `43d8f9a` into `16ba1e3`",%0A "Author": "Subhash Bohra \[email protected]\u003e",%0A "Committer": "GitHub \[email protected]\u003e"%0A },%0A "Results": [%0A {%0A "Target": "package-lock.json",%0A "Class": "lang-pkgs",%0A "Type": "npm",%0A "Vulnerabilities": [%0A {%0A "VulnerabilityID": "CVE-2021-3749",%0A "PkgID": "[email protected]",%0A "PkgName": "axios",%0A "PkgIdentifier": {%0A "PURL": "pkg:npm/[email protected]",%0A "UID": "be12beb3f884210c"%0A },%0A "InstalledVersion": "0.19.0",%0A "FixedVersion": "0.21.2",%0A "Status": "fixed",%0A "SeveritySource": "ghsa",%0A "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2021-3749",%0A "DataSource": {%0A "ID": "ghsa",%0A "Name": "GitHub Security Advisory npm",%0A "URL": "https://github.com/advisories?query=type%253Areviewed+ecosystem%253Anpm"%0A },%0A "Title": "nodejs-axios: Regular expression denial of service in trim function",%0A "Description": "axios is vulnerable to Inefficient Regular Expression Complexity",%0A "Severity": "HIGH",%0A "CweIDs": [%0A "CWE-1333",%0A "CWE-400"%0A ],%0A "VendorSeverity": {%0A "ghsa": 3,%0A "nvd": 3,%0A "redhat": 2,%0A "ubuntu": 2%0A },%0A "CVSS": {%0A "ghsa": {%0A "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",%0A "V3Score": 7.5%0A },%0A "nvd": {%0A "V2Vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C",%0A "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",%0A "V2Score": 7.8,%0A "V3Score": 7.5%0A },%0A "redhat": {%0A "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",%0A "V3Score": 7.5%0A }%0A },%0A "References": [%0A "https://access.redhat.com/security/cve/CVE-2021-3749",%0A "https://cert-portal.siemens.com/productcert/pdf/ssa-637483.pdf",%0A "https://github.com/axios/axios",%0A "https://github.com/axios/axios/commit/5b457116e31db0e88fede6c428e969e87f290929",%0A "https://github.com/axios/axios/pull/3980",%0A "https://huntr.dev/bounties/1e8f07fc-c384-4ff9-8498-0690de2e8c31",%0A "https://huntr.dev/bounties/1e8f07fc-c384-4ff9-8498-0690de2e8c31/",%0A "https://lists.apache.org/thread.html/r075d464dce95cd13c03ff9384658edcccd5ab2983b82bfc72b62bb10%2540%253Ccommits.druid.apache.org%253E",%0A "https://lists.apache.org/thread.html/r075d464dce95cd13c03ff9384658edcccd5ab2983b82bfc72b62bb10@%253Ccommits.druid.apache.org%253E",%0A "https://lists.apache.org/thread.html/r216f0fd0a3833856d6a6a1fada488cadba45f447d87010024328ccf2%2540%253Ccommits.druid.apache.org%253E",%0A "https://lists.apache.org/thread.html/r216f0fd0a3833856d6a6a1fada488cadba45f447d87010024328ccf2@%253Ccommits.druid.apache.org%253E",%0A "https://lists.apache.org/thread.html/r3ae6d2654f92c5851bdb73b35e96b0e4e3da39f28ac7a1b15ae3aab8%2540%253Ccommits.druid.apache.org%253E",%0A "https://lists.apache.org/thread.html/r3ae6d2654f92c5851bdb73b35e96b0e4e3da39f28ac7a1b15ae3aab8@%253Ccommits.druid.apache.org%253E",%0A "https://lists.apache.org/thread.html/r4bf1b32983f50be00f9752214c1b53738b621be1c2b0dbd68c7f2391%2540%253Ccommits.druid.apache.org%253E",%0A "https://lists.apache.org/thread.html/r4bf1b32983f50be00f9752214c1b53738b621be1c2b0dbd68c7f2391@%253Ccommits.druid.apache.org%253E",%0A "https://lists.apache.org/thread.html/r7324ecc35b8027a51cb6ed629490fcd3b2d7cf01c424746ed5744bf1%2540%253Ccommits.druid.apache.org%253E",%0A "https://lists.apache.org/thread.html/r7324ecc35b8027a51cb6ed629490fcd3b2d7cf01c424746ed5744bf1@%253Ccommits.druid.apache.org%253E",%0A "https://lists.apache.org/thread.html/r74d0b359408fff31f87445261f0ee13bdfcac7d66f6b8e846face321%2540%253Ccommits.druid.apache.org%253E",%0A "https://lists.apache.org/thread.html/r74d0b359408fff31f87445261f0ee13bdfcac7d66f6b8e846face321@%253Ccommits.druid.apache.org%253E",%0A "https://lists.apache.org/thread.html/ra15d63c54dc6474b29f72ae4324bcb03038758545b3ab800845de7a1%2540%253Ccommits.druid.apache.org%253E",%0A "https://lists.apache.org/thread.html/ra15d63c54dc6474b29f72ae4324bcb03038758545b3ab800845de7a1@%253Ccommits.druid.apache.org%253E",%0A "https://lists.apache.org/thread.html/rc263bfc5b53afcb7e849605478d73f5556eb0c00d1f912084e407289%2540%253Ccommits.druid.apache.org%253E",%0A "https://lists.apache.org/thread.html/rc263bfc5b53afcb7e849605478d73f5556eb0c00d1f912084e407289@%253Ccommits.druid.apache.org%253E",%0A "https://lists.apache.org/thread.html/rfa094029c959da0f7c8cd7dc9c4e59d21b03457bf0cedf6c93e1bb0a%2540%253Cdev.druid.apache.org%253E",%0A "https://lists.apache.org/thread.html/rfa094029c959da0f7c8cd7dc9c4e59d21b03457bf0cedf6c93e1bb0a@%253Cdev.druid.apache.org%253E",%0A "https://lists.apache.org/thread.html/rfc5c478053ff808671aef170f3d9fc9d05cc1fab8fb64431edc66103%2540%253Ccommits.druid.apache.org%253E",%0A "https://lists.apache.org/thread.html/rfc5c478053ff808671aef170f3d9fc9d05cc1fab8fb64431edc66103@%253Ccommits.druid.apache.org%253E",%0A "https://nvd.nist.gov/vuln/detail/CVE-2021-3749",%0A "https://www.cve.org/CVERecord?id=CVE-2021-3749",%0A "https://www.npmjs.com/package/axios",%0A "https://www.oracle.com/security-alerts/cpujul2022.html"%0A ],%0A "PublishedDate": "2021-08-31T11:15:07.89Z",%0A "LastModifiedDate": "2024-11-21T06:22:19.837Z"%0A },%0A {%0A "VulnerabilityID": "CVE-2025-27152",%0A "PkgID": "[email protected]",%0A "PkgName": "axios",%0A "PkgIdentifier": {%0A "PURL": "pkg:npm/[email protected]",%0A "UID": "be12beb3f884210c"%0A },%0A "InstalledVersion": "0.19.0",%0A "FixedVersion": "1.8.2, 0.30.0",%0A "Status": "fixed",%0A "SeveritySource": "ghsa",%0A "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2025-27152",%0A "DataSource": {%0A "ID": "ghsa",%0A "Name": "GitHub Security Advisory npm",%0A "URL": "https://github.com/advisories?query=type%253Areviewed+ecosystem%253Anpm"%0A },%0A "Title": "axios: Possible SSRF and Credential Leakage via Absolute URL in axios Requests",%0A "Description": "axios is a promise based HTTP client for the browser and node.js. The issue occurs when passing absolute URLs rather than protocol-relative URLs to axios. Even if ⁠baseURL is set, axios sends the request to the specified absolute URL, potentially causing SSRF and credential leakage. This issue impacts both server-side and client-side usage of axios. This issue is fixed in 1.8.2.",%0A "Severity": "HIGH",%0A "CweIDs": [%0A "CWE-918"%0A ],%0A "VendorSeverity": {%0A "ghsa": 3,%0A "redhat": 2%0A },%0A "CVSS": {%0A "redhat": {%0A "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",%0A "V3Score": 5.3%0A }%0A },%0A "References": [%0A "https://access.redhat.com/security/cve/CVE-2025-27152",%0A "https://github.com/axios/axios",%0A "https://github.com/axios/axios/commit/02c3c69ced0f8fd86407c23203835892313d7fde",%0A "https://github.com/axios/axios/commit/fb8eec214ce7744b5ca787f2c3b8339b2f54b00f",%0A "https://github.com/axios/axios/issues/6463",%0A "https://github.com/axios/axios/pull/6829",%0A "https://github.com/axios/axios/releases/tag/v1.8.2",%0A "https://github.com/axios/axios/security/advisories/GHSA-jr5f-v2jv-69x6",%0A "https://nvd.nist.gov/vuln/detail/CVE-2025-27152",%0A "https://www.cve.org/CVERecord?id=CVE-2025-27152"%0A ],%0A "PublishedDate": "2025-03-07T16:15:38.773Z",%0A "LastModifiedDate": "2025-03-07T20:15:38.56Z"%0A },%0A {%0A "VulnerabilityID": "CVE-2025-58754",%0A "PkgID": "[email protected]",%0A "PkgName": "axios",%0A "PkgIdentifier": {%0A "PURL": "pkg:npm/[email protected]",%0A "UID": "be12beb3f884210c"%0A },%0A "InstalledVersion": "0.19.0",%0A "FixedVersion": "1.12.0",%0A "Status": "fixed",%0A "SeveritySource": "ghsa",%0A "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2025-58754",%0A "DataSource": {%0A "ID": "ghsa",%0A "Name": "GitHub Security Advisory npm",%0A "URL": "https://github.com/advisories?query=type%253Areviewed+ecosystem%253Anpm"%0A },%0A "Title": "axios: Axios DoS via lack of data size check",%0A "Description": "Axios is a promise based HTTP client for the browser and Node.js. When Axios prior to version 1.11.0 runs on Node.js and is given a URL with the `data:` scheme, it does not perform HTTP. Instead, its Node http adapter decodes the entire payload into memory (`Buffer`/`Blob`) and returns a synthetic 200 response. This path ignores `maxContentLength` / `maxBodyLength` (which only protect HTTP responses), so an attacker can supply a very large `data:` URI and cause the process to allocate unbounded memory and crash (DoS), even if the caller requested `responseType: 'stream'`. Version 1.11.0 contains a patch for the issue.",%0A "Severity": "HIGH",%0A "CweIDs": [%0A "CWE-770"%0A ],%0A "VendorSeverity": {%0A "ghsa": 3,%0A "redhat": 2%0A },%0A "CVSS": {%0A "ghsa": {%0A "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",%0A "V3Score": 7.5%0A },%0A "redhat": {%0A "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",%0A "V3Score": 5.3%0A }%0A },%0A "References": [%0A "https://access.redhat.com/security/cve/CVE-2025-58754",%0A "https://github.com/axios/axios",%0A "https://github.com/axios/axios/commit/945435fc51467303768202250debb8d4ae892593",%0A "https://github.com/axios/axios/pull/7011",%0A "https://github.com/axios/axios/releases/tag/v1.12.0",%0A "https://github.com/axios/axios/security/advisories/GHSA-4hjh-wcwx-xvwj",%0A "https://nvd.nist.gov/vuln/detail/CVE-2025-58754",%0A "https://www.cve.org/CVERecord?id=CVE-2025-58754"%0A ],%0A "PublishedDate": "2025-09-12T02:15:46.873Z",%0A "LastModifiedDate": "2025-09-15T15:22:38.297Z"%0A },%0A {%0A "VulnerabilityID": "CVE-2020-28168",%0A "PkgID": "[email protected]",%0A "PkgName": "axios",%0A "PkgIdentifier": {%0A "PURL": "pkg:npm/[email protected]",%0A "UID": "be12beb3f884210c"%0A },%0A "InstalledVersion": "0.19.0",%0A "FixedVersion": "0.21.1",%0A "Status": "fixed",%0A "SeveritySource": "ghsa",%0A "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2020-28168",%0A "DataSource": {%0A "ID": "ghsa",%0A "Name": "GitHub Security Advisory npm",%0A "URL": "https://github.com/advisories?query=type%253Areviewed+ecosystem%253Anpm"%0A },%0A "Title": "nodejs-axios: allows an attacker to bypass a proxy by providing a URL that responds with a redirect to a restricted host or IP address",%0A "Description": "Axios NPM package 0.21.0 contains a Server-Side Request Forgery (SSRF) vulnerability where an attacker is able to bypass a proxy by providing a URL that responds with a redirect to a restricted host or IP address.",%0A "Severity": "MEDIUM",%0A "CweIDs": [%0A "CWE-918"%0A ],%0A "VendorSeverity": {%0A "ghsa": 2,%0A "nvd": 2,%0A "redhat": 2,%0A "ubuntu": 2%0A },%0A "CVSS": {%0A "ghsa": {%0A "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",%0A "V3Score": 5.9%0A },%0A "nvd": {%0A "V2Vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N",%0A "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",%0A "V2Score": 4.3,%0A "V3Score": 5.9%0A },%0A "redhat": {%0A "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",%0A "V3Score": 5.9%0A }%0A },%0A "References": [%0A "https://access.redhat.com/security/cve/CVE-2020-28168",%0A "https://cert-portal.siemens.com/productcert/pdf/ssa-637483.pdf",%0A "https://github.com/axios/axios/commit/c7329fefc890050edd51e40e469a154d0117fc55",%0A "https://github.com/axios/axios/issues/3369",%0A "https://lists.apache.org/thread.html/r25d53acd06f29244b8a103781b0339c5e7efee9099a4d52f0c230e4a%2540%253Ccommits.druid.apache.org%253E",%0A "https://lists.apache.org/thread.html/r25d53acd06f29244b8a103781b0339c5e7efee9099a4d52f0c230e4a@%253Ccommits.druid.apache.org%253E",%0A "https://lists.apache.org/thread.html/r954d80fd18e9dafef6e813963eb7e08c228151c2b6268ecd63b35d1f%2540%253Ccommits.druid.apache.org%253E",%0A "https://lists.apache.org/thread.html/r954d80fd18e9dafef6e813963eb7e08c228151c2b6268ecd63b35d1f@%253Ccommits.druid.apache.org%253E",%0A "https://lists.apache.org/thread.html/rdfd2901b8b697a3f6e2c9c6ecc688fd90d7f881937affb5144d61d6e%2540%253Ccommits.druid.apache.org%253E",%0A "https://lists.apache.org/thread.html/rdfd2901b8b697a3f6e2c9c6ecc688fd90d7f881937affb5144d61d6e@%253Ccommits.druid.apache.org%253E",%0A "https://nvd.nist.gov/vuln/detail/CVE-2020-28168",%0A "https://snyk.io/vuln/SNYK-JS-AXIOS-1038255",%0A "https://www.cve.org/CVERecord?id=CVE-2020-28168",%0A "https://www.npmjs.com/advisories/1594",%0A "https://www.npmjs.com/package/axios"%0A ],%0A "PublishedDate": "2020-11-06T20:15:13.163Z",%0A "LastModifiedDate": "2024-11-21T05:22:25.573Z"%0A },%0A {%0A "VulnerabilityID": "CVE-2023-45857",%0A "PkgID": "[email protected]",%0A "PkgName": "axios",%0A "PkgIdentifier": {%0A "PURL": "pkg:npm/[email protected]",%0A "UID": "be12beb3f884210c"%0A },%0A "InstalledVersion": "0.19.0",%0A "FixedVersion": "1.6.0, 0.28.0",%0A "Status": "fixed",%0A "SeveritySource": "ghsa",%0A "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2023-45857",%0A "DataSource": {%0A "ID": "ghsa",%0A "Name": "GitHub Security Advisory npm",%0A "URL": "https://github.com/advisories?query=type%253Areviewed+ecosystem%253Anpm"%0A },%0A "Title": "axios: exposure of confidential data stored in cookies",%0A "Description": "An issue discovered in Axios 1.5.1 inadvertently reveals the confidential XSRF-TOKEN stored in cookies by including it in the HTTP header X-XSRF-TOKEN for every request made to any host allowing attackers to view sensitive information.",%0A "Severity": "MEDIUM",%0A "CweIDs": [%0A "CWE-352"%0A ],%0A "VendorSeverity": {%0A "ghsa": 2,%0A "nvd": 2,%0A "redhat": 2%0A },%0A "CVSS": {%0A "ghsa": {%0A "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",%0A "V3Score": 6.5%0A },%0A "nvd": {%0A "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",%0A "V3Score": 6.5%0A },%0A "redhat": {%0A "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",%0A "V3Score": 6.5%0A }%0A },%0A "References": [%0A "https://access.redhat.com/security/cve/CVE-2023-45857",%0A "https://github.com/axios/axios",%0A "https://github.com/axios/axios/commit/2755df562b9c194fba6d8b609a383443f6a6e967",%0A "https://github.com/axios/axios/commit/96ee232bd3ee4de2e657333d4d2191cd389e14d0",%0A "https://github.com/axios/axios/issues/6006",%0A "https://github.com/axios/axios/issues/6022",%0A "https://github.com/axios/axios/pull/6028",%0A "https://github.com/axios/axios/pull/6091",%0A "https://github.com/axios/axios/releases/tag/v0.28.0",%0A "https://github.com/axios/axios/releases/tag/v1.6.0",%0A "https://nvd.nist.gov/vuln/detail/CVE-2023-45857",%0A "https://security.netapp.com/advisory/ntap-20240621-0006",%0A "https://security.netapp.com/advisory/ntap-20240621-0006/",%0A "https://security.snyk.io/vuln/SNYK-JS-AXIOS-6032459",%0A "https://www.cve.org/CVERecord?id=CVE-2023-45857"%0A ],%0A "PublishedDate": "2023-11-08T21:15:08.55Z",%0A "LastModifiedDate": "2024-11-21T08:27:30.04Z"%0A },%0A {%0A "VulnerabilityID": "CVE-2024-45590",%0A "PkgID": "[email protected]",%0A "PkgName": "body-parser",%0A "PkgIdentifier": {%0A "PURL": "pkg:npm/[email protected]",%0A "UID": "f00dd35a68d19527"%0A },%0A "InstalledVersion": "1.18.2",%0A "FixedVersion": "1.20.3",%0A "Status": "fixed",%0A "SeveritySource": "ghsa",%0A "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2024-45590",%0A "DataSource": {%0A "ID": "ghsa",%0A "Name": "GitHub Security Advisory npm",%0A "URL": "https://github.com/advisories?query=type%253Areviewed+ecosystem%253Anpm"%0A },%0A "Title": "body-parser: Denial of Service Vulnerability in body-parser",%0A "Description": "body-parser is Node.js body parsing middleware. body-parser \u003c1.20.3 is vulnerable to denial of service when url encoding is enabled. A malicious actor using a specially crafted payload could flood the server with a large number of requests, resulting in denial of service. This issue is patched in 1.20.3.",%0A "Severity": "HIGH",%0A "CweIDs": [%0A "CWE-405"%0A ],%0A "VendorSeverity": {%0A "azure": 3,%0A "cbl-mariner": 3,%0A "ghsa": 3,%0A "nvd": 3,%0A "redhat": 3%0A },%0A "CVSS": {%0A "ghsa": {%0A "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",%0A "V3Score": 7.5%0A },%0A "nvd": {%0A "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",%0A "V3Score": 7.5%0A },%0A "redhat": {%0A "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",%0A "V3Score": 7.5%0A }%0A },%0A "References": [%0A "https://access.redhat.com/security/cve/CVE-2024-45590",%0A "https://github.com/expressjs/body-parser",%0A "https://github.com/expressjs/body-parser/commit/b2695c4450f06ba3b0ccf48d872a229bb41c9bce",%0A "https://github.com/expressjs/body-parser/security/advisories/GHSA-qwcr-r2fm-qrc7",%0A "https://nvd.nist.gov/vuln/detail/CVE-2024-45590",%0A "https://www.cve.org/CVERecord?id=CVE-2024-45590"%0A ],%0A "PublishedDate": "2024-09-10T16:15:21.083Z",%0A "LastModifiedDate": "2024-09-20T16:26:44.977Z"%0A },%0A {%0A "VulnerabilityID": "CVE-2024-47764",%0A "PkgID": "[email protected]",%0A "PkgName": "cookie",%0A "PkgIdentifier": {%0A "PURL": "pkg:npm/[email protected]",%0A "UID": "e7d89b5b1f463a45"%0A },%0A "InstalledVersion": "0.3.1",%0A "FixedVersion": "0.7.0",%0A "Status": "fixed",%0A "SeveritySource": "ghsa",%0A "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2024-47764",%0A "DataSource": {%0A "ID": "ghsa",%0A "Name": "GitHub Security Advisory npm",%0A "URL": "https://github.com/advisories?query=type%253Areviewed+ecosystem%253Anpm"%0A },%0A "Title": "cookie: cookie accepts cookie name, path, and domain with out of bounds characters",%0A "Description": "cookie is a basic HTTP cookie parser and serializer for HTTP servers. The cookie name could be used to set other fields of the cookie, resulting in an unexpected cookie value. A similar escape can be used for path and domain, which could be abused to alter other fields of the cookie. Upgrade to 0.7.0, which updates the validation for name, path, and domain.",%0A "Severity": "LOW",%0A "CweIDs": [%0A "CWE-74"%0A ],%0A "VendorSeverity": {%0A "cbl-mariner": 2,%0A "ghsa": 1,%0A "redhat": 1%0A },%0A "CVSS": {%0A "redhat": {%0A "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N",%0A "V3Score": 3.7%0A }%0A },%0A "References": [%0A "https://access.redhat.com/security/cve/CVE-2024-47764",%0A "https://github.com/jshttp/cookie",%0A "https://github.com/jshttp/cookie/commit/e10042845354fea83bd8f34af72475eed1dadf5c",%0A "https://github.com/jshttp/cookie/pull/167",%0A "https://github.com/jshttp/cookie/security/advisories/GHSA-pxg6-pf52-xh8x",%0A "https://nvd.nist.gov/vuln/detail/CVE-2024-47764",%0A "https://www.cve.org/CVERecord?id=CVE-2024-47764"%0A ],%0A "PublishedDate": "2024-10-04T20:15:07.31Z",%0A "LastModifiedDate": "2024-10-07T17:48:28.117Z"%0A },%0A {%0A "VulnerabilityID": "CVE-2023-46233",%0A "PkgID": "[email protected]",%0A "PkgName": "crypto-js",%0A "PkgIdentifier": {%0A "PURL": "pkg:npm/[email protected]",%0A "UID": "84429e801418791e"%0A },%0A "InstalledVersion": "3.1.9-1",%0A "FixedVersion": "4.2.0",%0A "Status": "fixed",%0A "SeveritySource": "ghsa",%0A "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2023-46233",%0A "DataSource": {%0A "ID": "ghsa",%0A "Name": "GitHub Security Advisory npm",%0A "URL": "https://github.com/advisories?query=type%253Areviewed+ecosystem%253Anpm"%0A },%0A "Title": "crypto-js: PBKDF2 1,000 times weaker than specified in 1993 and 1.3M times weaker than current standard",%0A "Description": "crypto-js is a JavaScript library of crypto standards. Prior to version 4.2.0, crypto-js PBKDF2 is 1,000 times weaker than originally specified in 1993, and at least 1,300,000 times weaker than current industry standard. This is because it both defaults to SHA1, a cryptographic hash algorithm considered insecure since at least 2005, and defaults to one single iteration, a 'strength' or 'difficulty' value specified at 1,000 when specified in 1993. PBKDF2 relies on iteration count as a countermeasure to preimage and collision attacks. If used to protect passwords, the impact is high. If used to generate signatures, the impact is high. Version 4.2.0 contains a patch for this issue. As a workaround, configure crypto-js to use SHA256 with at least 250,000 iterations.",%0A "Severity": "CRITICAL",%0A "CweIDs": [%0A "CWE-328",%0A "CWE-916",%0A "CWE-327"%0A ],%0A "VendorSeverity": {%0A "ghsa": 4,%0A "nvd": 4,%0A "redhat": 3,%0A "ubuntu": 2%0A },%0A "CVSS": {%0A "ghsa": {%0A "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",%0A "V3Score": 9.1%0A },%0A "nvd": {%0A "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",%0A "V3Score": 9.1%0A },%0A "redhat": {%0A "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",%0A "V3Score": 9.1%0A }%0A },%0A "References": [%0A "https://access.redhat.com/security/cve/CVE-2023-46233",%0A "https://github.com/brix/crypto-js",%0A "https://github.com/brix/crypto-js/commit/421dd538b2d34e7c24a5b72cc64dc2b9167db40a",%0A "https://github.com/brix/crypto-js/security/advisories/GHSA-xwcq-pm8m-c4vf",%0A "https://lists.debian.org/debian-lts-announce/2023/11/msg00025.html",%0A "https://nvd.nist.gov/vuln/detail/CVE-2023-46233",%0A "https://ubuntu.com/security/notices/USN-6753-1",%0A "https://www.cve.org/CVERecord?id=CVE-2023-46233"%0A ],%0A "PublishedDate": "2023-10-25T21:15:10.307Z",%0A "LastModifiedDate": "2024-11-21T08:28:07.867Z"%0A },%0A {%0A "VulnerabilityID": "CVE-2020-36732",%0A "PkgID": "[email protected]",%0A "PkgName": "crypto-js",%0A "PkgIdentifier": {%0A "PURL": "pkg:npm/[email protected]",%0A "UID": "84429e801418791e"%0A },%0A "InstalledVersion": "3.1.9-1",%0A "FixedVersion": "3.2.1",%0A "Status": "fixed",%0A "SeveritySource": "ghsa",%0A "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2020-36732",%0A "DataSource": {%0A "ID": "ghsa",%0A "Name": "GitHub Security Advisory npm",%0A "URL": "https://github.com/advisories?query=type%253Areviewed+ecosystem%253Anpm"%0A },%0A "Title": "crypto-js uses insecure random numbers",%0A "Description": "The crypto-js package before 3.2.1 for Node.js generates random numbers by concatenating the string "0." with an integer, which makes the output more predictable than necessary.",%0A "Severity": "MEDIUM",%0A "CweIDs": [%0A "CWE-330",%0A "CWE-331"%0A ],%0A "VendorSeverity": {%0A "ghsa": 2,%0A "nvd": 2%0A },%0A "CVSS": {%0A "ghsa": {%0A "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",%0A "V3Score": 5.3%0A },%0A "nvd": {%0A "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",%0A "V3Score": 5.3%0A }%0A },%0A "References": [%0A "https://github.com/brix/crypto-js",%0A "https://github.com/brix/crypto-js/commit/e4ac157d8b75b962d6538fc0b996e5d4d5a9466b",%0A "https://github.com/brix/crypto-js/compare/3.2.0...3.2.1",%0A "https://github.com/brix/crypto-js/issues/254",%0A "https://github.com/brix/crypto-js/issues/256",%0A "https://github.com/brix/crypto-js/pull/257/commits/e4ac157d8b75b962d6538fc0b996e5d4d5a9466b",%0A "https://nvd.nist.gov/vuln/detail/CVE-2020-36732",%0A "https://security.netapp.com/advisory/ntap-20230706-0003",%0A "https://security.netapp.com/advisory/ntap-20230706-0003/",%0A "https://security.snyk.io/vuln/SNYK-JS-CRYPTOJS-548472"%0A ],%0A "PublishedDate": "2023-06-12T02:15:48.347Z",%0A "LastModifiedDate": "2025-01-06T18:15:11.1Z"%0A },%0A {%0A "VulnerabilityID": "CVE-2024-29041",%0A "PkgID": "[email protected]",%0A "PkgName": "express",%0A "PkgIdentifier": {%0A "PURL": "pkg:npm/[email protected]",%0A "UID": "a52985e85792c231"%0A },%0A "InstalledVersion": "4.16.0",%0A "FixedVersion": "4.19.2, 5.0.0-beta.3",%0A "Status": "fixed",%0A "SeveritySource": "ghsa",%0A "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2024-29041",%0A "DataSource": {%0A "ID": "ghsa",%0A "Name": "GitHub Security Advisory npm",%0A "URL": "https://github.com/advisories?query=type%253Areviewed+ecosystem%253Anpm"%0A },%0A "Title": "express: cause malformed URLs to be evaluated",%0A "Description": "Express.js minimalist web framework for node. Versions of Express.js prior to 4.19.0 and all pre-release alpha and beta versions of 5.0 are affected by an open redirect vulnerability using malformed URLs. When a user of Express performs a redirect using a user-provided URL Express performs an encode using `encodeurl` on the contents before passing it to the `location` header. This can cause malformed URLs to be evaluated in unexpected ways by common redirect allow list implementations in Express applications, leading to an Open Redirect via bypass of a properly implemented allow list. The main method impacted is `res.location()` but this is also called from within `res.redirect()`. The vulnerability is fixed in 4.19.2 and 5.0.0-beta.3.",%0A "Severity": "MEDIUM",%0A "CweIDs": [%0A "CWE-601",%0A "CWE-1286"%0A ],%0A "VendorSeverity": {%0A "cbl-mariner": 2,%0A "ghsa": 2,%0A "redhat": 3,%0A "ubuntu": 2%0A },%0A "CVSS": {%0A "ghsa": {%0A "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",%0A "V3Score": 6.1%0A },%0A "redhat": {%0A "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",%0A "V3Score": 6.1%0A }%0A },%0A "References": [%0A "https://access.redhat.com/security/cve/CVE-2024-29041",%0A "https://expressjs.com/en/4x/api.html#res.location",%0A "https://github.com/expressjs/express",%0A "https://github.com/expressjs/express/commit/0867302ddbde0e9463d0564fea5861feb708c2dd",%0A "https://github.com/expressjs/express/commit/0b746953c4bd8e377123527db11f9cd866e39f94",%0A "https://github.com/expressjs/express/pull/5539",%0A "https://github.com/expressjs/express/security/advisories/GHSA-rv95-896h-c2vc",%0A "https://github.com/koajs/koa/issues/1800",%0A "https://nvd.nist.gov/vuln/detail/CVE-2024-29041",%0A "https://ubuntu.com/security/notices/USN-7581-1",%0A "https://www.cve.org/CVERecord?id=CVE-2024-29041"%0A ],%0A "PublishedDate": "2024-03-25T21:15:46.847Z",%0A "LastModifiedDate": "2024-11-21T09:07:26.023Z"%0A },%0A {%0A "VulnerabilityID": "CVE-2024-43796",%0A "PkgID": "[email protected]",%0A "PkgName": "express",%0A "PkgIdentifier": {%0A "PURL": "pkg:npm/[email protected]",%0A "UID": "a52985e85792c231"%0A },%0A "InstalledVersion": "4.16.0",%0A "FixedVersion": "4.20.0, 5.0.0",%0A "Status": "fixed",%0A "SeveritySource": "ghsa",%0A "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2024-43796",%0A "DataSource": {%0A "ID": "ghsa",%0A "Name": "GitHub Security Advisory npm",%0A "URL": "https://github.com/advisories?query=type%253Areviewed+ecosystem%253Anpm"%0A },%0A "Title": "express: Improper Input Handling in Express Redirects",%0A "Description": "Express.js minimalist web framework for node. In express \u003c 4.20.0, passing untrusted user input - even after sanitizing it - to response.redirect() may execute untrusted code. This issue is patched in express 4.20.0.",%0A "Severity": "LOW",%0A "CweIDs": [%0A "CWE-79"%0A ],%0A "VendorSeverity": {%0A "azure": 2,%0A "cbl-mariner": 2,%0A "ghsa": 1,%0A "nvd": 2,%0A "redhat": 2,%0A "ubuntu": 2%0A },%0A "CVSS": {%0A "ghsa": {%0A "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L",%0A "V3Score": 5%0A },%0A "nvd": {%0A "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N",%0A "V3Score": 4.7%0A },%0A "redhat": {%0A "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L",%0A "V3Score": 5%0A }%0A },%0A "References": [%0A "https://access.redhat.com/security/cve/CVE-2024-43796",%0A "https://github.com/expressjs/express",%0A "https://github.com/expressjs/express/commit/54271f69b511fea198471e6ff3400ab805d6b553",%0A "https://github.com/expressjs/express/security/advisories/GHSA-qw6h-vgh9-j6wx",%0A "https://nvd.nist.gov/vuln/detail/CVE-2024-43796",%0A "https://ubuntu.com/security/notices/USN-7581-1",%0A "https://www.cve.org/CVERecord?id=CVE-2024-43796"%0A ],%0A "PublishedDate": "2024-09-10T15:15:17.51Z",%0A "LastModifiedDate": "2024-09-20T16:07:47.997Z"%0A },%0A {%0A "VulnerabilityID": "CVE-2022-0155",%0A "PkgID": "[email protected]",%0A "PkgName": "follow-redirects",%0A "PkgIdentifier": {%0A "PURL": "pkg:npm/[email protected]",%0A "UID": "abdd85a5add55464"%0A },%0A "InstalledVersion": "1.5.10",%0A "FixedVersion": "1.14.7",%0A "Status": "fixed",%0A "SeveritySource": "ghsa",%0A "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2022-0155",%0A "DataSource": {%0A "ID": "ghsa",%0A "Name": "GitHub Security Advisory npm",%0A "URL": "https://github.com/advisories?query=type%253Areviewed+ecosystem%253Anpm"%0A },%0A "Title": "follow-redirects: Exposure of Private Personal Information to an Unauthorized Actor",%0A "Description": "follow-redirects is vulnerable to Exposure of Private Personal Information to an Unauthorized Actor",%0A "Severity": "HIGH",%0A "CweIDs": [%0A "CWE-359"%0A ],%0A "VendorSeverity": {%0A "ghsa": 3,%0A "nvd": 2,%0A "redhat": 2%0A },%0A "CVSS": {%0A "ghsa": {%0A "V3Vector": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H",%0A "V3Score": 8%0A },%0A "nvd": {%0A "V2Vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N",%0A "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",%0A "V2Score": 4.3,%0A "V3Score": 6.5%0A },%0A "redhat": {%0A "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",%0A "V3Score": 6.5%0A }%0A },%0A "References": [%0A "https://access.redhat.com/security/cve/CVE-2022-0155",%0A "https://cert-portal.siemens.com/productcert/pdf/ssa-637483.pdf",%0A "https://github.com/follow-redirects/follow-redirects",%0A "https://github.com/follow-redirects/follow-redirects/commit/8b347cbcef7c7b72a6e9be20f5710c17d6163c22",%0A "https://huntr.dev/bounties/fc524e4b-ebb6-427d-ab67-a64181020406",%0A "https://huntr.dev/bounties/fc524e4b-ebb6-427d-ab67-a64181020406/",%0A "https://nvd.nist.gov/vuln/detail/CVE-2022-0155",%0A "https://www.cve.org/CVERecord?id=CVE-2022-0155"%0A ],%0A "PublishedDate": "2022-01-10T20:15:08.177Z",%0A "LastModifiedDate": "2024-11-21T06:38:01.143Z"%0A },%0A {%0A "VulnerabilityID": "CVE-2022-0536",%0A "PkgID": "[email protected]",%0A "PkgName": "follow-redirects",%0A "PkgIdentifier": {%0A "PURL": "pkg:npm/[email protected]",%0A "UID": "abdd85a5add55464"%0A },%0A "InstalledVersion": "1.5.10",%0A "FixedVersion": "1.14.8",%0A "Status": "fixed",%0A "SeveritySource": "ghsa",%0A "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2022-0536",%0A "DataSource": {%0A "ID": "ghsa",%0A "Name": "GitHub Security Advisory npm",%0A "URL": "https://github.com/advisories?query=type%253Areviewed+ecosystem%253Anpm"%0A },%0A "Title": "follow-redirects: Exposure of Sensitive Information via Authorization Header leak",%0A "Description": "Improper Removal of Sensitive Information Before Storage or Transfer in NPM follow-redirects prior to 1.14.8.\n\n",%0A "Severity": "MEDIUM",%0A "CweIDs": [%0A "CWE-212"%0A ],%0A "VendorSeverity": {%0A "ghsa": 2,%0A "nvd": 2,%0A "redhat": 2%0A },%0A "CVSS": {%0A "ghsa": {%0A "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",%0A "V3Score": 5.9%0A },%0A "nvd": {%0A "V2Vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N",%0A "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",%0A "V2Score": 4.3,%0A "V3Score": 5.9%0A },%0A "redhat": {%0A "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",%0A "V3Score": 5.9%0A }%0A },%0A "References": [%0A "https://access.redhat.com/security/cve/CVE-2022-0536",%0A "https://github.com/follow-redirects/follow-redirects",%0A "https://github.com/follow-redirects/follow-redirects/commit/62e546a99c07c3ee5e4e0718c84a6ca127c5c445",%0A "https://huntr.dev/bounties/7cf2bf90-52da-4d59-8028-a73b132de0db",%0A "https://nvd.nist.gov/vuln/detail/CVE-2022-0536",%0A "https://www.cve.org/CVERecord?id=CVE-2022-0536"%0A ],%0A "PublishedDate": "2022-02-09T11:15:08.647Z",%0A "LastModifiedDate": "2024-11-21T06:38:51.88Z"%0A },%0A {%0A "VulnerabilityID": "CVE-2023-26159",%0A "PkgID": "[email protected]",%0A "PkgName": "follow-redirects",%0A "PkgIdentifier": {%0A "PURL": "pkg:npm/[email protected]",%0A "UID": "abdd85a5add55464"%0A },%0A "InstalledVersion": "1.5.10",%0A "FixedVersion": "1.15.4",%0A "Status": "fixed",%0A "SeveritySource": "ghsa",%0A "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2023-26159",%0A "DataSource": {%0A "ID": "ghsa",%0A "Name": "GitHub Security Advisory npm",%0A "URL": "https://github.com/advisories?query=type%253Areviewed+ecosystem%253Anpm"%0A },%0A "Title": "follow-redirects: Improper Input Validation due to the improper handling of URLs by the url.parse()",%0A "Description": "Versions of the package follow-redirects before 1.15.4 are vulnerable to Improper Input Validation due to the improper handling of URLs by the url.parse() function. When new URL() throws an error, it can be manipulated to misinterpret the hostname. An attacker could exploit this weakness to redirect traffic to a malicious site, potentially leading to information disclosure, phishing attacks, or other security breaches.",%0A "Severity": "MEDIUM",%0A "CweIDs": [%0A "CWE-20",%0A "CWE-601"%0A ],%0A "VendorSeverity": {%0A "azure": 2,%0A "cbl-mariner": 2,%0A "ghsa": 2,%0A "nvd": 2,%0A "redhat": 2%0A },%0A "CVSS": {%0A "ghsa": {%0A "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",%0A "V3Score": 6.1%0A },%0A "nvd": {%0A "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",%0A "V3Score": 6.1%0A },%0A "redhat": {%0A "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",%0A "V3Score": 6.1%0A }%0A },%0A "References": [%0A "https://access.redhat.com/security/cve/CVE-2023-26159",%0A "https://github.com/follow-redirects/follow-redirects",%0A "https://github.com/follow-redirects/follow-redirects/commit/7a6567e16dfa9ad18a70bfe91784c28653fbf19d",%0A "https://github.com/follow-redirects/follow-redirects/issues/235",%0A "https://github.com/follow-redirects/follow-redirects/pull/236",%0A "https://lists.fedoraproject.org/archives/list/[email protected]/message/ZZ425BFKNBQ6AK7I5SAM56TWON5OF2XM",%0A "https://lists.fedoraproject.org/archives/list/[email protected]/message/ZZ425BFKNBQ6AK7I5SAM56TWON5OF2XM/",%0A "https://nvd.nist.gov/vuln/detail/CVE-2023-26159",%0A "https://security.snyk.io/vuln/SNYK-JS-FOLLOWREDIRECTS-6141137",%0A "https://www.cve.org/CVERecord?id=CVE-2023-26159"%0A ],%0A "PublishedDate": "2024-01-02T05:15:08.63Z",%0A "LastModifiedDate": "2025-06-17T19:15:24.627Z"%0A },%0A {%0A "VulnerabilityID": "CVE-2024-28849",%0A "PkgID": "[email protected]",%0A "PkgName": "follow-redirects",%0A "PkgIdentifier": {%0A "PURL": "pkg:npm/[email protected]",%0A "UID": "abdd85a5add55464"%0A },%0A "InstalledVersion": "1.5.10",%0A "FixedVersion": "1.15.6",%0A "Status": "fixed",%0A "SeveritySource": "ghsa",%0A "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2024-28849",%0A "DataSource": {%0A "ID": "ghsa",%0A "Name": "GitHub Security Advisory npm",%0A "URL": "https://github.com/advisories?query=type%253Areviewed+ecosystem%253Anpm"%0A },%0A "Title": "follow-redirects: Possible credential leak",%0A "Description": "follow-redirects is an open source, drop-in replacement for Node's `http` and `https` modules that automatically follows redirects. In affected versions follow-redirects only clears authorization header during cross-domain redirect, but keep the proxy-authentication header which contains credentials too. This vulnerability may lead to credentials leak, but has been addressed in version 1.15.6. Users are advised to upgrade. There are no known workarounds for this vulnerability.",%0A "Severity": "MEDIUM",%0A "CweIDs": [%0A "CWE-200"%0A ],%0A "VendorSeverity": {%0A "cbl-mariner": 2,%0A "ghsa": 2,%0A "redhat": 2%0A },%0A "CVSS": {%0A "ghsa": {%0A "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",%0A "V3Score": 6.5%0A },%0A "redhat": {%0A "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",%0A "V3Score": 6.5%0A }%0A },%0A "References": [%0A "https://access.redhat.com/security/cve/CVE-2024-28849",%0A "https://fetch.spec.whatwg.org/#authentication-entries",%0A "https://github.com/follow-redirects/follow-redirects",%0A "https://github.com/follow-redirects/follow-redirects/commit/c4f847f85176991f95ab9c88af63b1294de8649b",%0A "https://github.com/follow-redirects/follow-redirects/security/advisories/GHSA-cxjh-pqwp-8mfp",%0A "https://github.com/psf/requests/issues/1885",%0A "https://hackerone.com/reports/2390009",%0A "https://lists.fedoraproject.org/archives/list/[email protected]/message/VOIF4EPQUCKDBEVTGRQDZ3CGTYQHPO7Z",%0A "https://lists.fedoraproject.org/archives/list/[email protected]/message/VOIF4EPQUCKDBEVTGRQDZ3CGTYQHPO7Z/",%0A "https://nvd.nist.gov/vuln/detail/CVE-2024-28849",%0A "https://www.cve.org/CVERecord?id=CVE-2024-28849"%0A ],%0A "PublishedDate": "2024-03-14T17:15:52.097Z",%0A "LastModifiedDate": "2024-11-21T09:07:02.53Z"%0A },%0A {%0A "VulnerabilityID": "CVE-2025-7783",%0A "PkgID": "[email protected]",%0A "PkgName": "form-data",%0A "PkgIdentifier": {%0A "PURL": "pkg:npm/[email protected]",%0A "UID": "98177eef96915c5e"%0A },%0A "InstalledVersion": "2.3.3",%0A "FixedVersion": "2.5.4, 3.0.4, 4.0.4",%0A "Status": "fixed",%0A "SeveritySource": "ghsa",%0A "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2025-7783",%0A "DataSource": {%0A "ID": "ghsa",%0A "Name": "GitHub Security Advisory npm",%0A "URL": "https://github.com/advisories?query=type%253Areviewed+ecosystem%253Anpm"%0A },%0A "Title": "form-data: Unsafe random function in form-data",%0A "Description": "Use of Insufficiently Random Values vulnerability in form-data allows HTTP Parameter Pollution (HPP). This vulnerability is associated with program files lib/form_data.Js.\n\nThis issue affects form-data: \u003c 2.5.4, 3.0.0 - 3.0.3, 4.0.0 - 4.0.3.",%0A "Severity": "CRITICAL",%0A "CweIDs": [%0A "CWE-330"%0A ],%0A "VendorSeverity": {%0A "ghsa": 4,%0A "redhat": 2%0A },%0A "CVSS": {%0A "redhat": {%0A "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N",%0A "V3Score": 5.4%0A }%0A },%0A "References": [%0A "https://access.redhat.com/security/cve/CVE-2025-7783",%0A "https://github.com/benweissmann/CVE-2025-7783-poc",%0A "https://github.com/form-data/form-data",%0A "https://github.com/form-data/form-data/commit/3d1723080e6577a66f17f163ecd345a21d8d0fd0",%0A "https://github.com/form-data/form-data/security/advisories/GHSA-fjxv-7rqg-78g4",%0A "https://nvd.nist.gov/vuln/detail/CVE-2025-7783",%0A "https://www.cve.org/CVERecord?id=CVE-2025-7783"%0A ],%0A "PublishedDate": "2025-07-18T17:15:44.747Z",%0A "LastModifiedDate": "2025-07-22T15:15:39.663Z"%0A },%0A {%0A "VulnerabilityID": "CVE-2022-23539",%0A "PkgID": "[email protected]",%0A "PkgName": "jsonwebtoken",%0A "PkgIdentifier": {%0A "PURL": "pkg:npm/[email protected]",%0A "UID": "a19627e2c2aa5832"%0A },%0A "InstalledVersion": "8.2.1",%0A "FixedVersion": "9.0.0",%0A "Status": "fixed",%0A "SeveritySource": "ghsa",%0A "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2022-23539",%0A "DataSource": {%0A "ID": "ghsa",%0A "Name": "GitHub Security Advisory npm",%0A "URL": "https://github.com/advisories?query=type%253Areviewed+ecosystem%253Anpm"%0A },%0A "Title": "jsonwebtoken: Unrestricted key type could lead to legacy keys usagen",%0A "Description": "Versions `\u003c=8.5.1` of `jsonwebtoken` library could be misconfigured so that legacy, insecure key types are used for signature verification. For example, DSA keys could be used with the RS256 algorithm. You are affected if you are using an algorithm and a key type other than a combination listed in the GitHub Security Advisory as unaffected. This issue has been fixed, please update to version 9.0.0. This version validates for asymmetric key type and algorithm combinations. Please refer to the above mentioned algorithm / key type combinations for the valid secure configuration. After updating to version 9.0.0, if you still intend to continue with signing or verifying tokens using invalid key type/algorithm value combinations, you’ll need to set the `allowInvalidAsymmetricKeyTypes` option to `true` in the `sign()` and/or `verify()` functions.",%0A "Severity": "HIGH",%0A "CweIDs": [%0A "CWE-327"%0A ],%0A "VendorSeverity": {%0A "ghsa": 3,%0A "nvd": 3,%0A "redhat": 2%0A },%0A "CVSS": {%0A "ghsa": {%0A "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",%0A "V3Score": 8.1%0A },%0A "nvd": {%0A "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",%0A "V3Score": 8.1%0A },%0A "redhat": {%0A "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",%0A "V3Score": 8.1%0A }%0A },%0A "References": [%0A "https://access.redhat.com/security/cve/CVE-2022-23539",%0A "https://github.com/auth0/node-jsonwebtoken",%0A "https://github.com/auth0/node-jsonwebtoken/commit/e1fa9dcc12054a8681db4e6373da1b30cf7016e3",%0A "https://github.com/auth0/node-jsonwebtoken/security/advisories/GHSA-8cf7-32gw-wr33",%0A "https://nvd.nist.gov/vuln/detail/CVE-2022-23539",%0A "https://security.netapp.com/advisory/ntap-20240621-0007",%0A "https://security.netapp.com/advisory/ntap-20240621-0007/",%0A "https://www.cve.org/CVERecord?id=CVE-2022-23539"%0A ],%0A "PublishedDate": "2022-12-23T00:15:12.347Z",%0A "LastModifiedDate": "2024-11-21T06:48:46.303Z"%0A },%0A {%0A "VulnerabilityID": "CVE-2022-23540",%0A "PkgID": "[email protected]",%0A "PkgName": "jsonwebtoken",%0A "PkgIdentifier": {%0A "PURL": "pkg:npm/[email protected]",%0A "UID": "a19627e2c2aa5832"%0A },%0A "InstalledVersion": "8.2.1",%0A "FixedVersion": "9.0.0",%0A "Status": "fixed",%0A "SeveritySource": "ghsa",%0A "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2022-23540",%0A "DataSource": {%0A "ID": "ghsa",%0A "Name": "GitHub Security Advisory npm",%0A "URL": "https://github.com/advisories?query=type%253Areviewed+ecosystem%253Anpm"%0A },%0A "Title": "jsonwebtoken: Insecure default algorithm in jwt.verify() could lead to signature validation bypass",%0A "Description": "In versions `\u003c=8.5.1` of `jsonwebtoken` library, lack of algorithm definition in the `jwt.verify()` function can lead to signature validation bypass due to defaulting to the `none` algorithm for signature verification. Users are affected if you do not specify algorithms in the `jwt.verify()` function. This issue has been fixed, please update to version 9.0.0 which removes the default support for the none algorithm in the `jwt.verify()` method. There will be no impact, if you update to version 9.0.0 and you don’t need to allow for the `none` algorithm. If you need 'none' algorithm, you have to explicitly specify that in `jwt.verify()` options.",%0A "Severity": "MEDIUM",%0A "CweIDs": [%0A "CWE-287",%0A "CWE-347"%0A ],%0A "VendorSeverity": {%0A "ghsa": 2,%0A "nvd": 3,%0A "redhat": 2%0A },%0A "CVSS": {%0A "ghsa": {%0A "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:L",%0A "V3Score": 6.4%0A },%0A "nvd": {%0A "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L",%0A "V3Score": 7.6%0A },%0A "redhat": {%0A "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:L",%0A "V3Score": 6.4%0A }%0A },%0A "References": [%0A "https://access.redhat.com/security/cve/CVE-2022-23540",%0A "https://github.com/auth0/node-jsonwebtoken",%0A "https://github.com/auth0/node-jsonwebtoken/commit/e1fa9dcc12054a8681db4e6373da1b30cf7016e3",%0A "https://github.com/auth0/node-jsonwebtoken/security/advisories/GHSA-qwph-4952-7xr6",%0A "https://nvd.nist.gov/vuln/detail/CVE-2022-23540",%0A "https://security.netapp.com/advisory/ntap-20240621-0007",%0A "https://security.netapp.com/advisory/ntap-20240621-0007/",%0A "https://www.cve.org/CVERecord?id=CVE-2022-23540"%0A ],%0A "PublishedDate": "2022-12-22T19:15:08.967Z",%0A "LastModifiedDate": "2025-02-13T17:15:38.32Z"%0A },%0A {%0A "VulnerabilityID": "CVE-2022-23541",%0A "PkgID": "[email protected]",%0A "PkgName": "jsonwebtoken",%0A "PkgIdentifier": {%0A "PURL": "pkg:npm/[email protected]",%0A "UID": "a19627e2c2aa5832"%0A },%0A "InstalledVersion": "8.2.1",%0A "FixedVersion": "9.0.0",%0A "Status": "fixed",%0A "SeveritySource": "ghsa",%0A "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2022-23541",%0A "DataSource": {%0A "ID": "ghsa",%0A "Name": "GitHub Security Advisory npm",%0A "URL": "https://github.com/advisories?query=type%253Areviewed+ecosystem%253Anpm"%0A },%0A "Title": "jsonwebtoken: Insecure implementation of key retrieval function could lead to Forgeable Public/Private Tokens from RSA to HMAC",%0A "Description": "jsonwebtoken is an implementation of JSON Web Tokens. Versions `\u003c= 8.5.1` of `jsonwebtoken` library can be misconfigured so that passing a poorly implemented key retrieval function referring to the `secretOrPublicKey` argument from the readme link will result in incorrect verification of tokens. There is a possibility of using a different algorithm and key combination in verification, other than the one that was used to sign the tokens. Specifically, tokens signed with an asymmetric public key could be verified with a symmetric HS256 algorithm. This can lead to successful validation of forged tokens. If your application is supporting usage of both symmetric key and asymmetric key in jwt.verify() implementation with the same key retrieval function. This issue has been patched, please update to version 9.0.0.",%0A "Severity": "MEDIUM",%0A "CweIDs": [%0A "CWE-287",%0A "CWE-1259"%0A ],%0A "VendorSeverity": {%0A "ghsa": 2,%0A "nvd": 2,%0A "redhat": 2%0A },%0A "CVSS": {%0A "ghsa": {%0A "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L",%0A "V3Score": 5%0A },%0A "nvd": {%0A "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",%0A "V3Score": 6.3%0A },%0A "redhat": {%0A "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L",%0A "V3Score": 5%0A }%0A },%0A "References": [%0A "https://access.redhat.com/security/cve/CVE-2022-23541",%0A "https://github.com/auth0/node-jsonwebtoken",%0A "https://github.com/auth0/node-jsonwebtoken/commit/e1fa9dcc12054a8681db4e6373da1b30cf7016e3",%0A "https://github.com/auth0/node-jsonwebtoken/releases/tag/v9.0.0",%0A "https://github.com/auth0/node-jsonwebtoken/security/advisories/GHSA-hjrf-2m68-5959",%0A "https://nvd.nist.gov/vuln/detail/CVE-2022-23541",%0A "https://security.netapp.com/advisory/ntap-20240621-0007",%0A "https://security.netapp.com/advisory/ntap-20240621-0007/",%0A "https://www.cve.org/CVERecord?id=CVE-2022-23541"%0A ],%0A "PublishedDate": "2022-12-22T18:15:09.39Z",%0A "LastModifiedDate": "2024-11-21T06:48:46.58Z"%0A },%0A {%0A "VulnerabilityID": "CVE-2021-23337",%0A "PkgID": "[email protected]",%0A "PkgName": "lodash",%0A "PkgIdentifier": {%0A "PURL": "pkg:npm/[email protected]",%0A "UID": "a869e6795a5ff902"%0A },%0A "InstalledVersion": "4.17.19",%0A "FixedVersion": "4.17.21",%0A "Status": "fixed",%0A "SeveritySource": "ghsa",%0A "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2021-23337",%0A "DataSource": {%0A "ID": "ghsa",%0A "Name": "GitHub Security Advisory npm",%0A "URL": "https://github.com/advisories?query=type%253Areviewed+ecosystem%253Anpm"%0A },%0A "Title": "nodejs-lodash: command injection via template",%0A "Description": "Lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function.",%0A "Severity": "HIGH",%0A "CweIDs": [%0A "CWE-94"%0A ],%0A "VendorSeverity": {%0A "ghsa": 3,%0A "nvd": 3,%0A "redhat": 2,%0A "ruby-advisory-db": 3,%0A "ubuntu": 2%0A },%0A "CVSS": {%0A "ghsa": {%0A "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",%0A "V3Score": 7.2%0A },%0A "nvd": {%0A "V2Vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P",%0A "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",%0A "V2Score": 6.5,%0A "V3Score": 7.2%0A },%0A "redhat": {%0A "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",%0A "V3Score": 7.2%0A }%0A },%0A "References": [%0A "https://access.redhat.com/security/cve/CVE-2021-23337",%0A "https://cert-portal.siemens.com/productcert/pdf/ssa-637483.pdf",%0A "https://github.com/advisories/GHSA-35jh-r3h4-6jhm",%0A "https://github.com/lodash/lodash",%0A "https://github.com/lodash/lodash/blob/ddfd9b11a0126db2302cb70ec9973b66baec0975/lodash.js",%0A "https://github.com/lodash/lodash/blob/ddfd9b11a0126db2302cb70ec9973b66baec0975/lodash.js#L14851",%0A "https://github.com/lodash/lodash/blob/ddfd9b11a0126db2302cb70ec9973b66baec0975/lodash.js%2523L14851",%0A "https://github.com/lodash/lodash/commit/3469357cff396a26c363f8c1b5a91dde28ba4b1c",%0A "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/lodash-rails/CVE-2021-23337.yml",%0A "https://nvd.nist.gov/vuln/detail/CVE-2021-23337",%0A "https://security.netapp.com/advisory/ntap-20210312-0006",%0A "https://security.netapp.com/advisory/ntap-20210312-0006/",%0A "https://snyk.io/vuln/SNYK-JAVA-ORGFUJIONWEBJARS-1074932",%0A "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-1074930",%0A "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1074928",%0A "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBLODASH-1074931",%0A "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1074929",%0A "https://snyk.io/vuln/SNYK-JS-LODASH-1040724",%0A "https://www.cve.org/CVERecord?id=CVE-2021-23337",%0A "https://www.oracle.com//security-alerts/cpujul2021.html",%0A "https://www.oracle.com/security-alerts/cpujan2022.html",%0A "https://www.oracle.com/security-alerts/cpujul2022.html",%0A "https://www.oracle.com/security-alerts/cpuoct2021.html"%0A ],%0A "PublishedDate": "2021-02-15T13:15:12.56Z",%0A "LastModifiedDate": "2024-11-21T05:51:31.643Z"%0A },%0A {%0A "VulnerabilityID": "CVE-2020-28500",%0A "PkgID": "[email protected]",%0A "PkgName": "lodash",%0A "PkgIdentifier": {%0A "PURL": "pkg:npm/[email protected]",%0A "UID": "a869e6795a5ff902"%0A },%0A "InstalledVersion": "4.17.19",%0A "FixedVersion": "4.17.21",%0A "Status": "fixed",%0A "SeveritySource": "ghsa",%0A "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2020-28500",%0A "DataSource": {%0A "ID": "ghsa",%0A "Name": "GitHub Security Advisory npm",%0A "URL": "https://github.com/advisories?query=type%253Areviewed+ecosystem%253Anpm"%0A },%0A "Title": "nodejs-lodash: ReDoS via the toNumber, trim and trimEnd functions",%0A "Description": "Lodash versions prior to 4.17.21 are vulnerable to Regular Expression Denial of Service (ReDoS) via the toNumber, trim and trimEnd functions.",%0A "Severity": "MEDIUM",%0A "VendorSeverity": {%0A "ghsa": 2,%0A "nvd": 2,%0A "redhat": 2,%0A "ruby-advisory-db": 2,%0A "ubuntu": 2%0A },%0A "CVSS": {%0A "ghsa": {%0A "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",%0A "V3Score": 5.3%0A },%0A "nvd": {%0A "V2Vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P",%0A "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",%0A "V2Score": 5,%0A "V3Score": 5.3%0A },%0A "redhat": {%0A "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",%0A "V3Score": 5.3%0A }%0A },%0A "References": [%0A "https://access.redhat.com/security/cve/CVE-2020-28500",%0A "https://cert-portal.siemens.com/productcert/pdf/ssa-637483.pdf",%0A "https://github.com/advisories/GHSA-29mw-wpgm-hmr9",%0A "https://github.com/lodash/lodash",%0A "https://github.com/lodash/lodash/blob/npm/trimEnd.js",%0A "https://github.com/lodash/lodash/blob/npm/trimEnd.js#L8",%0A "https://github.com/lodash/lodash/blob/npm/trimEnd.js%2523L8",%0A "https://github.com/lodash/lodash/commit/c4847ebe7d14540bb28a8b932a9ce1b9ecbfee1a",%0A "https://github.com/lodash/lodash/pull/5065",%0A "https://github.com/lodash/lodash/pull/5065/commits/02906b8191d3c100c193fe6f7b27d1c40f200bb7",%0A "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/lodash-rails/CVE-2020-28500.yml",%0A "https://nvd.nist.gov/vuln/detail/CVE-2020-28500",%0A "https://security.netapp.com/advisory/ntap-20210312-0006",%0A "https://security.netapp.com/advisory/ntap-20210312-0006/",%0A "https://snyk.io/vuln/SNYK-JAVA-ORGFUJIONWEBJARS-1074896",%0A "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-1074894",%0A "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1074892",%0A "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBLODASH-1074895",%0A "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1074893",%0A "https://snyk.io/vuln/SNYK-JS-LODASH-1018905",%0A "https://www.cve.org/CVERecord?id=CVE-2020-28500",%0A "https://www.oracle.com//security-alerts/cpujul2021.html",%0A "https://www.oracle.com/security-alerts/cpujan2022.html",%0A "https://www.oracle.com/security-alerts/cpujul2022.html",%0A "https://www.oracle.com/security-alerts/cpuoct2021.html"%0A ],%0A "PublishedDate": "2021-02-15T11:15:12.397Z",%0A "LastModifiedDate": "2024-11-21T05:22:55.053Z"%0A },%0A {%0A "VulnerabilityID": "CVE-2025-47935",%0A "PkgID": "[email protected]",%0A "PkgName": "multer",%0A "PkgIdentifier": {%0A "PURL": "pkg:npm/[email protected]",%0A "UID": "189dfb66a92de820"%0A },%0A "InstalledVersion": "1.3.0",%0A "FixedVersion": "2.0.0",%0A "Status": "fixed",%0A "SeveritySource": "ghsa",%0A "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2025-47935",%0A "DataSource": {%0A "ID": "ghsa",%0A "Name": "GitHub Security Advisory npm",%0A "URL": "https://github.com/advisories?query=type%253Areviewed+ecosystem%253Anpm"%0A },%0A "Title": "Multer vulnerable to Denial of Service via memory leaks from unclosed streams",%0A "Description": "Multer is a node.js middleware for handling `multipart/form-data`. Versions prior to 2.0.0 are vulnerable to a resource exhaustion and memory leak issue due to improper stream handling. When the HTTP request stream emits an error, the internal `busboy` stream is not closed, violating Node.js stream safety guidance. This leads to unclosed streams accumulating over time, consuming memory and file descriptors. Under sustained or repeated failure conditions, this can result in denial of service, requiring manual server restarts to recover. All users of Multer handling file uploads are potentially impacted. Users should upgrade to 2.0.0 to receive a patch. No known workarounds are available.",%0A "Severity": "HIGH",%0A "CweIDs": [%0A "CWE-401"%0A ],%0A "VendorSeverity": {%0A "ghsa": 3%0A },%0A "CVSS": {%0A "ghsa": {%0A "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",%0A "V3Score": 7.5%0A }%0A },%0A "References": [%0A "https://github.com/expressjs/multer",%0A "https://github.com/expressjs/multer/commit/2c8505f207d923dd8de13a9f93a4563e59933665",%0A "https://github.com/expressjs/multer/pull/1120",%0A "https://github.com/expressjs/multer/security/advisories/GHSA-44fp-w29j-9vj5",%0A "https://nvd.nist.gov/vuln/detail/CVE-2025-47935"%0A ],%0A "PublishedDate": "2025-05-19T20:15:25.863Z",%0A "LastModifiedDate": "2025-05-21T20:25:16.407Z"%0A },%0A {%0A "VulnerabilityID": "CVE-2024-45296",%0A "PkgID": "[email protected]",%0A "PkgName": "path-to-regexp",%0A "PkgIdentifier": {%0A "PURL": "pkg:npm/[email protected]",%0A "UID": "73d8e6510acc6d6"%0A },%0A "InstalledVersion": "0.1.7",%0A "FixedVersion": "1.9.0, 0.1.10, 8.0.0, 3.3.0, 6.3.0",%0A "Status": "fixed",%0A "SeveritySource": "ghsa",%0A "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2024-45296",%0A "DataSource": {%0A "ID": "ghsa",%0A "Name": "GitHub Security Advisory npm",%0A "URL": "https://github.com/advisories?query=type%253Areviewed+ecosystem%253Anpm"%0A },%0A "Title": "path-to-regexp: Backtracking regular expressions cause ReDoS",%0A "Description": "path-to-regexp turns path strings into a regular expressions. In certain cases, path-to-regexp will output a regular expression that can be exploited to cause poor performance. Because JavaScript is single threaded and regex matching runs on the main thread, poor performance will block the event loop and lead to a DoS. The bad regular expression is generated any time you have two parameters within a single segment, separated by something that is not a period (.). For users of 0.1, upgrade to 0.1.10. All other users should upgrade to 8.0.0.",%0A "Severity": "HIGH",%0A "CweIDs": [%0A "CWE-1333"%0A ],%0A "VendorSeverity": {%0A "cbl-mariner": 3,%0A "ghsa": 3,%0A "redhat": 2%0A },%0A "CVSS": {%0A "ghsa": {%0A "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",%0A "V3Score": 7.5%0A },%0A "redhat": {%0A "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",%0A "V3Score": 5.3%0A }%0A },%0A "References": [%0A "https://access.redhat.com/security/cve/CVE-2024-45296",%0A "https://github.com/pillarjs/path-to-regexp",%0A "https://github.com/pillarjs/path-to-regexp/commit/29b96b4a1de52824e1ca0f49a701183cc4ed476f",%0A "https://github.com/pillarjs/path-to-regexp/commit/60f2121e9b66b7b622cc01080df0aabda9eedee6",%0A "https://github.com/pillarjs/path-to-regexp/commit/925ac8e3c5780b02f58cbd4e52f95da8ad2ac485",%0A "https://github.com/pillarjs/path-to-regexp/commit/d31670ae8f6e69cbfd56e835742195b7d10942ef",%0A "https://github.com/pillarjs/path-to-regexp/commit/f1253b47b347dcb909e3e80b0eb2649109e59894",%0A "https://github.com/pillarjs/path-to-regexp/releases/tag/v6.3.0",%0A "https://github.com/pillarjs/path-to-regexp/security/advisories/GHSA-9wv6-86v2-598j",%0A "https://nvd.nist.gov/vuln/detail/CVE-2024-45296",%0A "https://security.netapp.com/advisory/ntap-20250124-0001",%0A "https://security.netapp.com/advisory/ntap-20250124-0001/",%0A "https://www.cve.org/CVERecord?id=CVE-2024-45296"%0A ],%0A "PublishedDate": "2024-09-09T19:15:13.33Z",%0A "LastModifiedDate": "2025-01-24T20:15:32.68Z"%0A },%0A {%0A "VulnerabilityID": "CVE-2024-52798",%0A "PkgID": "[email protected]",%0A "PkgName": "path-to-regexp",%0A "PkgIdentifier": {%0A "PURL": "pkg:npm/[email protected]",%0A "UID": "73d8e6510acc6d6"%0A },%0A "InstalledVersion": "0.1.7",%0A "FixedVersion": "0.1.12",%0A "Status": "fixed",%0A "SeveritySource": "ghsa",%0A "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2024-52798",%0A "DataSource": {%0A "ID": "ghsa",%0A "Name": "GitHub Security Advisory npm",%0A "URL": "https://github.com/advisories?query=type%253Areviewed+ecosystem%253Anpm"%0A },%0A "Title": "path-to-regexp: path-to-regexp Unpatched `path-to-regexp` ReDoS in 0.1.x",%0A "Description": "path-to-regexp turns path strings into a regular expressions. In certain cases, path-to-regexp will output a regular expression that can be exploited to cause poor performance. The regular expression that is vulnerable to backtracking can be generated in the 0.1.x release of path-to-regexp. Upgrade to 0.1.12. This vulnerability exists because of an incomplete fix for CVE-2024-45296.",%0A "Severity": "HIGH",%0A "CweIDs": [%0A "CWE-1333"%0A ],%0A "VendorSeverity": {%0A "cbl-mariner": 2,%0A "ghsa": 3,%0A "redhat": 2%0A },%0A "CVSS": {%0A "ghsa": {%0A "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",%0A "V3Score": 7.5%0A },%0A "redhat": {%0A "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",%0A "V3Score": 5.3%0A }%0A },%0A "References": [%0A "https://access.redhat.com/security/cve/CVE-2024-52798",%0A "https://blakeembrey.com/posts/2024-09-web-redos",%0A "https://github.com/pillarjs/path-to-regexp",%0A "https://github.com/pillarjs/path-to-regexp/commit/f01c26a013b1889f0c217c643964513acf17f6a4",%0A "https://github.com/pillarjs/path-to-regexp/security/advisories/GHSA-rhx6-c78j-4q9w",%0A "https://nvd.nist.gov/vuln/detail/CVE-2024-52798",%0A "https://security.netapp.com/advisory/ntap-20250124-0002",%0A "https://security.netapp.com/advisory/ntap-20250124-0002/",%0A "https://www.cve.org/CVERecord?id=CVE-2024-52798"%0A ],%0A "PublishedDate": "2024-12-05T23:15:06.31Z",%0A "LastModifiedDate": "2025-01-24T20:15:33.107Z"%0A },%0A {%0A "VulnerabilityID": "CVE-2022-24999",%0A "PkgID": "[email protected]",%0A "PkgName": "qs",%0A "PkgIdentifier": {%0A "PURL": "pkg:npm/[email protected]",%0A "UID": "8bef052c70b13c5e"%0A },%0A "InstalledVersion": "6.5.1",%0A "FixedVersion": "6.10.3, 6.9.7, 6.8.3, 6.7.3, 6.6.1, 6.5.3, 6.4.1, 6.3.3, 6.2.4",%0A "Status": "fixed",%0A "SeveritySource": "ghsa",%0A "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2022-24999",%0A "DataSource": {%0A "ID": "ghsa",%0A "Name": "GitHub Security Advisory npm",%0A "URL": "https://github.com/advisories?query=type%253Areviewed+ecosystem%253Anpm"%0A },%0A "Title": "express: "qs" prototype poisoning causes the hang of the node process",%0A "Description": "qs before 6.10.3, as used in Express before 4.17.3 and other products, allows attackers to cause a Node process hang for an Express application because an proto key can be used. In many typical Express use cases, an unauthenticated remote attacker can place the attack payload in the query string of the URL that is used to visit the application, such as a[proto]=b\u0026a[proto]\u0026a[length]=100000000. The fix was backported to qs 6.9.7, 6.8.3, 6.7.3, 6.6.1, 6.5.3, 6.4.1, 6.3.3, and 6.2.4 (and therefore Express 4.17.3, which has "deps: [email protected]" in its release description, is not vulnerable).",%0A "Severity": "HIGH",%0A "CweIDs": [%0A "CWE-1321"%0A ],%0A "VendorSeverity": {%0A "alma": 2,%0A "ghsa": 3,%0A "nvd": 3,%0A "oracle-oval": 2,%0A "redhat": 2,%0A "ubuntu": 2%0A },%0A "CVSS": {%0A "ghsa": {%0A "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",%0A "V3Score": 7.5%0A },%0A "nvd": {%0A "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",%0A "V3Score": 7.5%0A },%0A "redhat": {%0A "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",%0A "V3Score": 7.5%0A }%0A },%0A "References": [%0A "https://access.redhat.com/errata/RHSA-2023:0050",%0A "https://access.redhat.com/security/cve/CVE-2022-24999",%0A "https://bugzilla.redhat.com/2044591",%0A "https://bugzilla.redhat.com/2066009",%0A "https://bugzilla.redhat.com/2134609",%0A "https://bugzilla.redhat.com/2140911",%0A "https://bugzilla.redhat.com/2150323",%0A "https://errata.almalinux.org/8/ALSA-2023-0050.html",%0A "https://github.com/expressjs/express/releases/tag/4.17.3",%0A "https://github.com/ljharb/qs",%0A "https://github.com/ljharb/qs/commit/4310742efbd8c03f6495f07906b45213da0a32ec",%0A "https://github.com/ljharb/qs/commit/727ef5d34605108acb3513f72d5435972ed15b68",%0A "https://github.com/ljharb/qs/commit/73205259936317b40f447c5cdb71c5b341848e1b",%0A "https://github.com/ljharb/qs/commit/8b4cc14cda94a5c89341b77e5fe435ec6c41be2d",%0A "https://github.com/ljharb/qs/commit/ba24e74dd17931f825adb52f5633e48293b584e1",%0A "https://github.com/ljharb/qs/commit/e799ba57e573a30c14b67c1889c7c04d508b9105",%0A "https://github.com/ljharb/qs/commit/ed0f5dcbef4b168a8ae299d78b1e4a2e9b1baf1f",%0A "https://github.com/ljharb/qs/commit/f945393cfe442fe8c6e62b4156fd35452c0686ee",%0A "https://github.com/ljharb/qs/commit/fc3682776670524a42e19709ec4a8138d0d7afda",%0A "https://github.com/ljharb/qs/pull/428",%0A "https://github.com/n8tz/CVE-2022-24999",%0A "https://linux.oracle.com/cve/CVE-2022-24999.html",%0A "https://linux.oracle.com/errata/ELSA-2023-0050.html",%0A "https://lists.debian.org/debian-lts-announce/2023/01/msg00039.html",%0A "https://nvd.nist.gov/vuln/detail/CVE-2022-24999",%0A "https://security.netapp.com/advisory/ntap-20230908-0005",%0A "https://security.netapp.com/advisory/ntap-20230908-0005/",%0A "https://ubuntu.com/security/notices/USN-7693-1",%0A "https://www.cve.org/CVERecord?id=CVE-2022-24999"%0A ],%0A "PublishedDate": "2022-11-26T22:15:10.153Z",%0A "LastModifiedDate": "2025-04-29T14:15:20.41Z"%0A },%0A {%0A "VulnerabilityID": "CVE-2024-43799",%0A "PkgID": "[email protected]",%0A "PkgName": "send",%0A "PkgIdentifier": {%0A "PURL": "pkg:npm/[email protected]",%0A "UID": "c97aa10f6536e7de"%0A },%0A "InstalledVersion": "0.16.0",%0A "FixedVersion": "0.19.0",%0A "Status": "fixed",%0A "SeveritySource": "ghsa",%0A "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2024-43799",%0A "DataSource": {%0A "ID": "ghsa",%0A "Name": "GitHub Security Advisory npm",%0A "URL": "https://github.com/advisories?query=type%253Areviewed+ecosystem%253Anpm"%0A },%0A "Title": "send: Code Execution Vulnerability in Send Library",%0A "Description": "Send is a library for streaming files from the file system as a http response. Send passes untrusted user input to SendStream.redirect() which executes untrusted code. This issue is patched in send 0.19.0.",%0A "Severity": "LOW",%0A "CweIDs": [%0A "CWE-79"%0A ],%0A "VendorSeverity": {%0A "cbl-mariner": 2,%0A "ghsa": 1,%0A "nvd": 2,%0A "redhat": 2%0A },%0A "CVSS": {%0A "ghsa": {%0A "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L",%0A "V3Score": 5%0A },%0A "nvd": {%0A "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N",%0A "V3Score": 4.7%0A },%0A "redhat": {%0A "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L",%0A "V3Score": 5%0A }%0A },%0A "References": [%0A "https://access.redhat.com/security/cve/CVE-2024-43799",%0A "https://github.com/pillarjs/send",%0A "https://github.com/pillarjs/send/commit/ae4f2989491b392ae2ef3b0015a019770ae65d35",%0A "https://github.com/pillarjs/send/security/advisories/GHSA-m6fv-jmcg-4jfg",%0A "https://nvd.nist.gov/vuln/detail/CVE-2024-43799",%0A "https://www.cve.org/CVERecord?id=CVE-2024-43799"%0A ],%0A "PublishedDate": "2024-09-10T15:15:17.727Z",%0A "LastModifiedDate": "2024-09-20T16:57:14.687Z"%0A },%0A {%0A "VulnerabilityID": "CVE-2024-43800",%0A "PkgID": "[email protected]",%0A "PkgName": "serve-static",%0A "PkgIdentifier": {%0A "PURL": "pkg:npm/[email protected]",%0A "UID": "3a1b0c21efa04c73"%0A },%0A "InstalledVersion": "1.13.0",%0A "FixedVersion": "1.16.0, 2.1.0",%0A "Status": "fixed",%0A "SeveritySource": "ghsa",%0A "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2024-43800",%0A "DataSource": {%0A "ID": "ghsa",%0A "Name": "GitHub Security Advisory npm",%0A "URL": "https://github.com/advisories?query=type%253Areviewed+ecosystem%253Anpm"%0A },%0A "Title": "serve-static: Improper Sanitization in serve-static",%0A "Description": "serve-static serves static files. serve-static passes untrusted user input - even after sanitizing it - to redirect() may execute untrusted code. This issue is patched in serve-static 1.16.0.",%0A "Severity": "LOW",%0A "CweIDs": [%0A "CWE-79"%0A ],%0A "VendorSeverity": {%0A "cbl-mariner": 2,%0A "ghsa": 1,%0A "nvd": 2,%0A "redhat": 2%0A },%0A "CVSS": {%0A "ghsa": {%0A "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L",%0A "V3Score": 5%0A },%0A "nvd": {%0A "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N",%0A "V3Score": 4.7%0A },%0A "redhat": {%0A "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L",%0A "V3Score": 5%0A }%0A },%0A "References": [%0A "https://access.redhat.com/security/cve/CVE-2024-43800",%0A "https://github.com/expressjs/serve-static",%0A "https://github.com/expressjs/serve-static/commit/0c11fad159898cdc69fd9ab63269b72468ecaf6b",%0A "https://github.com/expressjs/serve-static/commit/ce730896fddce1588111d9ef6fdf20896de5c6fa",%0A "https://github.com/expressjs/serve-static/security/advisories/GHSA-cm22-4g7w-348p",%0A "https://nvd.nist.gov/vuln/detail/CVE-2024-43800",%0A "https://www.cve.org/CVERecord?id=CVE-2024-43800"%0A ],%0A "PublishedDate": "2024-09-10T15:15:17.937Z",%0A "LastModifiedDate": "2024-09-20T17:36:30.313Z"%0A },%0A {%0A "VulnerabilityID": "CVE-2024-28863",%0A "PkgID": "[email protected]",%0A "PkgName": "tar",%0A "PkgIdentifier": {%0A "PURL": "pkg:npm/[email protected]",%0A "UID": "b329b76be74deb57"%0A },%0A "InstalledVersion": "4.4.19",%0A "FixedVersion": "6.2.1",%0A "Status": "fixed",%0A "SeveritySource": "ghsa",%0A "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2024-28863",%0A "DataSource": {%0A "ID": "ghsa",%0A "Name": "GitHub Security Advisory npm",%0A "URL": "https://github.com/advisories?query=type%253Areviewed+ecosystem%253Anpm"%0A },%0A "Title": "node-tar: denial of service while parsing a tar file due to lack of folders depth validation",%0A "Description": "node-tar is a Tar for Node.js. node-tar prior to version 6.2.1 has no limit on the number of sub-folders created in the folder creation process. An attacker who generates a large number of sub-folders can consume memory on the system running node-tar and even crash the Node.js client within few seconds of running it using a path with too many sub-folders inside. Version 6.2.1 fixes this issue by preventing extraction in excessively deep sub-folders.",%0A "Severity": "MEDIUM",%0A "CweIDs": [%0A "CWE-400",%0A "CWE-770"%0A ],%0A "VendorSeverity": {%0A "alma": 2,%0A "amazon": 2,%0A "azure": 2,%0A "cbl-mariner": 2,%0A "ghsa": 2,%0A "oracle-oval": 2,%0A "redhat": 2,%0A "ubuntu": 2%0A },%0A "CVSS": {%0A "ghsa": {%0A "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",%0A "V3Score": 6.5%0A },%0A "redhat": {%0A "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",%0A "V3Score": 6.5%0A }%0A },%0A "References": [%0A "https://access.redhat.com/errata/RHSA-2024:6147",%0A "https://access.redhat.com/security/cve/CVE-2024-28863",%0A "https://bugzilla.redhat.com/2293200",%0A "https://bugzilla.redhat.com/2296417",%0A "https://errata.almalinux.org/9/ALSA-2024-6147.html",%0A "https://github.com/isaacs/node-tar",%0A "https://github.com/isaacs/node-tar/commit/fe8cd57da5686f8695415414bda49206a545f7f7",%0A "https://github.com/isaacs/node-tar/commit/fe8cd57da5686f8695415414bda49206a545f7f7 (v6.2.1)",%0A "https://github.com/isaacs/node-tar/security/advisories/GHSA-f5x3-32g6-xq36",%0A "https://linux.oracle.com/cve/CVE-2024-28863.html",%0A "https://linux.oracle.com/errata/ELSA-2024-6148.html",%0A "https://nvd.nist.gov/vuln/detail/CVE-2024-28863",%0A "https://security.netapp.com/advisory/ntap-20240524-0005",%0A "https://security.netapp.com/advisory/ntap-20240524-0005/",%0A "https://www.cve.org/CVERecord?id=CVE-2024-28863"%0A ],%0A "PublishedDate": "2024-03-21T23:15:10.91Z",%0A "LastModifiedDate": "2024-11-21T09:07:04.023Z"%0A },%0A {%0A "VulnerabilityID": "CVE-2023-26136",%0A "PkgID": "[email protected]",%0A "PkgName": "tough-cookie",%0A "PkgIdentifier": {%0A "PURL": "pkg:npm/[email protected]",%0A "UID": "b5a3d4e6eea25339"%0A },%0A "InstalledVersion": "2.4.3",%0A "FixedVersion": "4.1.3",%0A "Status": "fixed",%0A "SeveritySource": "ghsa",%0A "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2023-26136",%0A "DataSource": {%0A "ID": "ghsa",%0A "Name": "GitHub Security Advisory npm",%0A "URL": "https://github.com/advisories?query=type%253Areviewed+ecosystem%253Anpm"%0A },%0A "Title": "tough-cookie: prototype pollution in cookie memstore",%0A "Description": "Versions of the package tough-cookie before 4.1.3 are vulnerable to Prototype Pollution due to improper handling of Cookies when using CookieJar in rejectPublicSuffixes=false mode. This issue arises from the manner in which the objects are initialized.",%0A "Severity": "MEDIUM",%0A "CweIDs": [%0A "CWE-1321"%0A ],%0A "VendorSeverity": {%0A "ghsa": 2,%0A "nvd": 4,%0A "redhat": 2%0A },%0A "CVSS": {%0A "ghsa": {%0A "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",%0A "V3Score": 6.5%0A },%0A "nvd": {%0A "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",%0A "V3Score": 9.8%0A },%0A "redhat": {%0A "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",%0A "V3Score": 6.5%0A }%0A },%0A "References": [%0A "https://access.redhat.com/security/cve/CVE-2023-26136",%0A "https://github.com/salesforce/tough-cookie",%0A "https://github.com/salesforce/tough-cookie/commit/12d474791bb856004e858fdb1c47b7608d09cf6e",%0A "https://github.com/salesforce/tough-cookie/issues/282",%0A "https://github.com/salesforce/tough-cookie/releases/tag/v4.1.3",%0A "https://lists.debian.org/debian-lts-announce/2023/07/msg00010.html",%0A "https://lists.fedoraproject.org/archives/list/[email protected]/message/3HUE6ZR5SL73KHL7XUPAOEL6SB7HUDT2",%0A "https://lists.fedoraproject.org/archives/list/[email protected]/message/3HUE6ZR5SL73KHL7XUPAOEL6SB7HUDT2/",%0A "https://lists.fedoraproject.org/archives/list/[email protected]/message/6PVVPNSAGSDS63HQ74PJ7MZ3MU5IYNVZ",%0A "https://lists.fedoraproject.org/archives/list/[email protected]/message/6PVVPNSAGSDS63HQ74PJ7MZ3MU5IYNVZ/",%0A "https://nvd.nist.gov/vuln/detail/CVE-2023-26136",%0A "https://security.netapp.com/advisory/ntap-20240621-0006",%0A "https://security.netapp.com/advisory/ntap-20240621-0006/",%0A "https://security.snyk.io/vuln/SNYK-JS-TOUGHCOOKIE-5672873",%0A "https://www.cve.org/CVERecord?id=CVE-2023-26136"%0A ],%0A "PublishedDate": "2023-07-01T05:15:16.103Z",%0A "LastModifiedDate": "2024-11-21T07:50:51.107Z"%0A },%0A {%0A "VulnerabilityID": "CVE-2021-21366",%0A "PkgID": "[email protected]",%0A "PkgName": "xmldom",%0A "PkgIdentifier": {%0A "PURL": "pkg:npm/[email protected]",%0A "UID": "1147fa27ca494b4b"%0A },%0A "InstalledVersion": "0.1.27",%0A "FixedVersion": "0.5.0",%0A "Status": "fixed",%0A "SeveritySource": "ghsa",%0A "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2021-21366",%0A "DataSource": {%0A "ID": "ghsa",%0A "Name": "GitHub Security Advisory npm",%0A "URL": "https://github.com/advisories?query=type%253Areviewed+ecosystem%253Anpm"%0A },%0A "Title": "xmldom: incorrect parsing and serialization leads to unexpected behavior",%0A "Description": "xmldom is a pure JavaScript W3C standard-based (XML DOM Level 2 Core) DOMParser and XMLSerializer module. xmldom versions 0.4.0 and older do not correctly preserve system identifiers, FPIs or namespaces when repeatedly parsing and serializing maliciously crafted documents. This may lead to unexpected syntactic changes during XML processing in some downstream applications. This is fixed in version 0.5.0. As a workaround downstream applications can validate the input and reject the maliciously crafted documents.",%0A "Severity": "MEDIUM",%0A "CweIDs": [%0A "CWE-115",%0A "CWE-436"%0A ],%0A "VendorSeverity": {%0A "ghsa": 2,%0A "nvd": 2,%0A "redhat": 2,%0A "ubuntu": 2%0A },%0A "CVSS": {%0A "ghsa": {%0A "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",%0A "V3Score": 4.3%0A },%0A "nvd": {%0A "V2Vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N",%0A "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",%0A "V2Score": 4.3,%0A "V3Score": 4.3%0A },%0A "redhat": {%0A "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",%0A "V3Score": 4.3%0A }%0A },%0A "References": [%0A "https://access.redhat.com/security/cve/CVE-2021-21366",%0A "https://github.com/xmldom/xmldom",%0A "https://github.com/xmldom/xmldom/commit/d4201b9dfbf760049f457f9f08a3888d48835135",%0A "https://github.com/xmldom/xmldom/releases/tag/0.5.0",%0A "https://github.com/xmldom/xmldom/security/advisories/GHSA-h6q6-9hqw-rwfv",%0A "https://lists.debian.org/debian-lts-announce/2023/01/msg00000.html",%0A "https://nvd.nist.gov/vuln/detail/CVE-2021-21366",%0A "https://ubuntu.com/security/notices/USN-6102-1",%0A "https://www.cve.org/CVERecord?id=CVE-2021-21366",%0A "https://www.npmjs.com/package/xmldom"%0A ],%0A "PublishedDate": "2021-03-12T17:15:12.643Z",%0A "LastModifiedDate": "2024-11-21T05:48:12.493Z"%0A }%0A ]%0A }%0A ]%0A}

🤖 AI Explanation

null

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet