Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Bulk vulnerability fix - Lockfile fix #3

Open
wants to merge 1 commit into
base: debricked-fix-CVE_2018_3774-3119382885ea373d
Choose a base branch
from

Conversation

debricked[bot]
Copy link

@debricked debricked bot commented May 3, 2022

Bulk vulnerability fix - Lockfile fix

This pull request will update your transitive dependencies within the allowed version intervals provided by your direct dependencies.

Fixed vulnerabilities:

CVE–2017–18077
CVE–2018–16492
  • Description

    Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

    The software constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.

    GitHub

    Prototype Pollution in extend

    Versions of extend prior to 3.0.2 (for 3.x) and 2.0.2 (for 2.x) are vulnerable to Prototype Pollution. The extend() function allows attackers to modify the prototype of Object causing the addition or modification of an existing property that will exist on all objects.

    Recommendation

    If you're using extend 3.x upgrade to 3.0.2 or later.
    If you're using extend 2.x upgrade to 2.0.2 or later.

    NVD

    A prototype pollution vulnerability was found in module extend <2.0.2, ~<3.0.2 that allows an attacker to inject arbitrary properties onto Object.prototype.

  • CVSS details - 9.8

     

    CVSS3 metrics
    Attack Vector Network
    Attack Complexity Low
    Privileges Required None
    User interaction None
    Scope Unchanged
    Confidentiality High
    Integrity High
    Availability High
  • References

        Prototype Pollution in extend · CVE-2018-16492 · GitHub Advisory Database · GitHub
        NVD - CVE-2018-16492
        HackerOne

CVE–2017–16028
CVE–2017–1000188
CVE–2017–1000189
CVE–2017–1000228
debricked–154240
debricked–149668
CVE–2016–2537
CVE–2018–1107
CVE–2021–23807
CVE–2018–3737
  • Description

    Incorrect Regular Expression

    The software specifies a regular expression in a way that causes data to be improperly matched or compared.

    GitHub

    Regular Expression Denial of Service in sshpk

    Versions of sshpk before 1.13.2 or 1.14.1 are vulnerable to regular expression denial of service when parsing crafted invalid public keys.

    Recommendation

    Update to version 1.13.2, 1.14.1 or later.

    NVD

    sshpk is vulnerable to ReDoS when parsing crafted invalid public keys.

  • CVSS details - 7.5

     

    CVSS3 metrics
    Attack Vector Network
    Attack Complexity Low
    Privileges Required None
    User interaction None
    Scope Unchanged
    Confidentiality None
    Integrity None
    Availability High
  • References

        THIRD PARTY
        Regular Expression Denial of Service in sshpk · CVE-2018-3737 · GitHub Advisory Database · GitHub
        HackerOne

debricked–179667
CVE–2017–15010
CVE–2018–20834
CVE–2019–13173
CVE–2018–20835
  • Description

    Improper Input Validation

    The product does not validate or incorrectly validates input that can affect the control flow or data flow of a program.

    GitHub

    Improper Input Validation in tar-fs

    A vulnerability was found in tar-fs before 1.16.2. An Arbitrary File Overwrite issue exists when extracting a tarball containing a hardlink to a file that already exists on the system, in conjunction with a later plain file with the same name as the hardlink. This plain file content replaces the existing file content.

    NVD

    A vulnerability was found in tar-fs before 1.16.2. An Arbitrary File Overwrite issue exists when extracting a tarball containing a hardlink to a file that already exists on the system, in conjunction with a later plain file with the same name as the hardlink. This plain file content replaces the existing file content.

  • CVSS details - 7.5

     

    CVSS3 metrics
    Attack Vector Network
    Attack Complexity Low
    Privileges Required None
    User interaction None
    Scope Unchanged
    Confidentiality None
    Integrity High
    Availability None
  • References

        THIRD PARTY
        Improper Input Validation in tar-fs · CVE-2018-20835 · GitHub Advisory Database · GitHub
        force hardlink targets to be in the tar · mafintosh/tar-fs@0667282 · GitHub
        HackerOne
        Comparing d590fc7...a35ce2f · mafintosh/tar-fs · GitHub

debricked–160898

 

Related information

📌 Remember! Check the changes to ensure they don't introduce any breaking changes.
📚 Read more at Debricked

 

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

0 participants