browserify-12.0.2.tgz: 8 vulnerabilities (highest severity is: 9.8) #93
Description
Vulnerable Library - browserify-12.0.2.tgz
Path to dependency file: /justapis-javascript-sdk/package.json
Path to vulnerable library: /node_modules/acorn/package.json
Vulnerabilities
| CVE | Severity |  CVSS |
Dependency | Type | Fixed in (browserify version) | Remediation Available |
|---|---|---|---|---|---|---|
| CVE-2021-23518 |  High |
9.8 | cached-path-relative-1.0.2.tgz | Transitive | 13.0.0 | ✅ |
| CVE-2021-42740 | High |
9.8 | shell-quote-1.6.1.tgz | Transitive | 13.0.0 | ✅ |
| CVE-2020-13822 | High |
7.7 | elliptic-6.4.1.tgz | Transitive | 13.0.0 | ✅ |
| WS-2020-0042 | High |
7.5 | acorn-6.1.1.tgz | Transitive | 13.0.0 | ✅ |
| CVE-2021-23343 | High |
7.5 | path-parse-1.0.6.tgz | Transitive | 13.0.0 | ✅ |
| CVE-2020-28498 |  Medium |
6.8 | elliptic-6.4.1.tgz | Transitive | 13.0.0 | ✅ |
| WS-2019-0427 | Medium |
5.9 | elliptic-6.4.1.tgz | Transitive | 13.0.0 | ✅ |
| WS-2019-0424 | Medium |
5.9 | elliptic-6.4.1.tgz | Transitive | 13.0.0 | ✅ |
Details
CVE-2021-23518
Vulnerable Library - cached-path-relative-1.0.2.tgz
Memoize the results of the path.relative function
Library home page: https://registry.npmjs.org/cached-path-relative/-/cached-path-relative-1.0.2.tgz
Path to dependency file: /justapis-javascript-sdk/package.json
Path to vulnerable library: /node_modules/cached-path-relative/package.json
Dependency Hierarchy:
- browserify-12.0.2.tgz (Root Library)
- module-deps-4.1.1.tgz
- ❌ cached-path-relative-1.0.2.tgz (Vulnerable Library)
- module-deps-4.1.1.tgz
Vulnerability Details
The package cached-path-relative before 1.1.0 are vulnerable to Prototype Pollution via the cache variable that is set as {} instead of Object.create(null) in the cachedPathRelative function, which allows access to the parent prototype properties when the object is used to create the cached relative path. When using the origin path as proto, the attribute of the object is accessed instead of a path. Note: This vulnerability derives from an incomplete fix in https://security.snyk.io/vuln/SNYK-JS-CACHEDPATHRELATIVE-72573
Publish Date: 2022-01-21
URL: CVE-2021-23518
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23518
Release Date: 2022-01-21
Fix Resolution (cached-path-relative): 1.1.0
Direct dependency fix Resolution (browserify): 13.0.0
⛑️ Automatic Remediation is available for this issue
CVE-2021-42740
Vulnerable Library - shell-quote-1.6.1.tgz
quote and parse shell commands
Library home page: https://registry.npmjs.org/shell-quote/-/shell-quote-1.6.1.tgz
Path to dependency file: /justapis-javascript-sdk/package.json
Path to vulnerable library: /node_modules/shell-quote/package.json
Dependency Hierarchy:
- browserify-12.0.2.tgz (Root Library)
- ❌ shell-quote-1.6.1.tgz (Vulnerable Library)
Vulnerability Details
The shell-quote package before 1.7.3 for Node.js allows command injection. An attacker can inject unescaped shell metacharacters through a regex designed to support Windows drive letters. If the output of this package is passed to a real shell as a quoted argument to a command with exec(), an attacker can inject arbitrary commands. This is because the Windows drive letter regex character class is {A-z] instead of the correct {A-Za-z]. Several shell metacharacters exist in the space between capital letter Z and lower case letter a, such as the backtick character.
Publish Date: 2021-10-21
URL: CVE-2021-42740
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-42740
Release Date: 2021-10-21
Fix Resolution (shell-quote): 1.7.3
Direct dependency fix Resolution (browserify): 13.0.0
⛑️ Automatic Remediation is available for this issue
CVE-2020-13822
Vulnerable Library - elliptic-6.4.1.tgz
EC cryptography
Library home page: https://registry.npmjs.org/elliptic/-/elliptic-6.4.1.tgz
Path to dependency file: /justapis-javascript-sdk/package.json
Path to vulnerable library: /node_modules/elliptic/package.json
Dependency Hierarchy:
- browserify-12.0.2.tgz (Root Library)
- crypto-browserify-3.12.0.tgz
- browserify-sign-4.0.4.tgz
- ❌ elliptic-6.4.1.tgz (Vulnerable Library)
- browserify-sign-4.0.4.tgz
- crypto-browserify-3.12.0.tgz
Vulnerability Details
The Elliptic package 6.5.2 for Node.js allows ECDSA signature malleability via variations in encoding, leading '\0' bytes, or integer overflows. This could conceivably have a security-relevant impact if an application relied on a single canonical signature.
Publish Date: 2020-06-04
URL: CVE-2020-13822
CVSS 3 Score Details (7.7)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: Low
Suggested Fix
Type: Upgrade version
Release Date: 2020-07-02
Fix Resolution (elliptic): 6.5.3
Direct dependency fix Resolution (browserify): 13.0.0
⛑️ Automatic Remediation is available for this issue
WS-2020-0042
Vulnerable Library - acorn-6.1.1.tgz
ECMAScript parser
Library home page: https://registry.npmjs.org/acorn/-/acorn-6.1.1.tgz
Path to dependency file: /justapis-javascript-sdk/package.json
Path to vulnerable library: /node_modules/acorn/package.json
Dependency Hierarchy:
- browserify-12.0.2.tgz (Root Library)
- insert-module-globals-7.2.0.tgz
- acorn-node-1.7.0.tgz
- ❌ acorn-6.1.1.tgz (Vulnerable Library)
- acorn-node-1.7.0.tgz
- insert-module-globals-7.2.0.tgz
Vulnerability Details
acorn is vulnerable to REGEX DoS. A regex of the form /[x-\ud800]/u causes the parser to enter an infinite loop. attackers may leverage the vulnerability leading to a Denial of Service since the string is not valid UTF16 and it results in it being sanitized before reaching the parser.
Publish Date: 2020-03-01
URL: WS-2020-0042
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-6chw-6frg-f759
Release Date: 2020-03-01
Fix Resolution (acorn): 6.4.1
Direct dependency fix Resolution (browserify): 13.0.0
⛑️ Automatic Remediation is available for this issue
CVE-2021-23343
Vulnerable Library - path-parse-1.0.6.tgz
Node.js path.parse() ponyfill
Library home page: https://registry.npmjs.org/path-parse/-/path-parse-1.0.6.tgz
Path to dependency file: /justapis-javascript-sdk/package.json
Path to vulnerable library: /node_modules/path-parse/package.json
Dependency Hierarchy:
- browserify-12.0.2.tgz (Root Library)
- resolve-1.11.0.tgz
- ❌ path-parse-1.0.6.tgz (Vulnerable Library)
- resolve-1.11.0.tgz
Vulnerability Details
All versions of package path-parse are vulnerable to Regular Expression Denial of Service (ReDoS) via splitDeviceRe, splitTailRe, and splitPathRe regular expressions. ReDoS exhibits polynomial worst-case time complexity.
Publish Date: 2021-05-04
URL: CVE-2021-23343
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Release Date: 2021-05-04
Fix Resolution (path-parse): 1.0.7
Direct dependency fix Resolution (browserify): 13.0.0
⛑️ Automatic Remediation is available for this issue
CVE-2020-28498
Vulnerable Library - elliptic-6.4.1.tgz
EC cryptography
Library home page: https://registry.npmjs.org/elliptic/-/elliptic-6.4.1.tgz
Path to dependency file: /justapis-javascript-sdk/package.json
Path to vulnerable library: /node_modules/elliptic/package.json
Dependency Hierarchy:
- browserify-12.0.2.tgz (Root Library)
- crypto-browserify-3.12.0.tgz
- browserify-sign-4.0.4.tgz
- ❌ elliptic-6.4.1.tgz (Vulnerable Library)
- browserify-sign-4.0.4.tgz
- crypto-browserify-3.12.0.tgz
Vulnerability Details
The package elliptic before 6.5.4 are vulnerable to Cryptographic Issues via the secp256k1 implementation in elliptic/ec/key.js. There is no check to confirm that the public key point passed into the derive function actually exists on the secp256k1 curve. This results in the potential for the private key used in this implementation to be revealed after a number of ECDH operations are performed.
Publish Date: 2021-02-02
URL: CVE-2020-28498
CVSS 3 Score Details (6.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28498
Release Date: 2021-02-02
Fix Resolution (elliptic): 6.5.4
Direct dependency fix Resolution (browserify): 13.0.0
⛑️ Automatic Remediation is available for this issue
WS-2019-0427
Vulnerable Library - elliptic-6.4.1.tgz
EC cryptography
Library home page: https://registry.npmjs.org/elliptic/-/elliptic-6.4.1.tgz
Path to dependency file: /justapis-javascript-sdk/package.json
Path to vulnerable library: /node_modules/elliptic/package.json
Dependency Hierarchy:
- browserify-12.0.2.tgz (Root Library)
- crypto-browserify-3.12.0.tgz
- browserify-sign-4.0.4.tgz
- ❌ elliptic-6.4.1.tgz (Vulnerable Library)
- browserify-sign-4.0.4.tgz
- crypto-browserify-3.12.0.tgz
Vulnerability Details
The function getNAF() in elliptic library has information leakage. This issue is mitigated in version 6.5.2
Publish Date: 2019-11-22
URL: WS-2019-0427
CVSS 3 Score Details (5.9)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Adjacent
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: High
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Release Date: 2019-11-22
Fix Resolution (elliptic): 6.5.2
Direct dependency fix Resolution (browserify): 13.0.0
⛑️ Automatic Remediation is available for this issue
WS-2019-0424
Vulnerable Library - elliptic-6.4.1.tgz
EC cryptography
Library home page: https://registry.npmjs.org/elliptic/-/elliptic-6.4.1.tgz
Path to dependency file: /justapis-javascript-sdk/package.json
Path to vulnerable library: /node_modules/elliptic/package.json
Dependency Hierarchy:
- browserify-12.0.2.tgz (Root Library)
- crypto-browserify-3.12.0.tgz
- browserify-sign-4.0.4.tgz
- ❌ elliptic-6.4.1.tgz (Vulnerable Library)
- browserify-sign-4.0.4.tgz
- crypto-browserify-3.12.0.tgz
Vulnerability Details
all versions of elliptic are vulnerable to Timing Attack through side-channels.
Publish Date: 2019-11-13
URL: WS-2019-0424
CVSS 3 Score Details (5.9)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Adjacent
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: High
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/WS-2019-0424
Release Date: 2019-11-13
Fix Resolution (elliptic): 6.5.3
Direct dependency fix Resolution (browserify): 13.0.0
⛑️ Automatic Remediation is available for this issue
⛑️ Automatic Remediation is available for this issue.