Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Snyk vulnerabilities #617

Open
girishghoda opened this issue May 3, 2023 · 1 comment
Open

Snyk vulnerabilities #617

girishghoda opened this issue May 3, 2023 · 1 comment

Comments

@girishghoda
Copy link

girishghoda commented May 3, 2023
edited
Loading

Title

Snyk vulnerabilities

Description

  • There are multiple Snyk vulnerabilities in dependencies used in Chatbot.Listed below

  • Critical

    • sequelize(SQL Injection): Introduced through: node-red-contrib-chatbot › chat-platform@2.1.4 › sequelize@5.22.5

  • High

    • ansi-regex(Regular Expression Denial of Service (ReDoS)): Introduced through: node-red-contrib-chatbot > chat-platform@2.1.4 › cli-color@1.4.0 › ansi-regex@2.1.1
    • sequelize(Improper Filtering of Special Elements): Introduced through: node-red-contrib-chatbot › chat-platform@2.1.4 › sequelize@5.22.5
    • sequelize(SQL Injection): Introduced through: node-red-contrib-chatbot › chat-platform@2.1.4 › sequelize@5.22.5
    • async(Prototype Pollution) : Introduced through: node-red-contrib-chatbot › express-sessions@1.0.6 › mongoose@4.13.21 › async@2.6.0
    • mquery(Prototype Pollution): Introduced through: node-red-contrib-chatbot › express-sessions@1.0.6 › mongoose@4.13.21 › mquery@2.3.3
    • qs(Prototype Poisoning): Introduced through: node-red-contrib-chatbot › express-sessions@1.0.6 › express@2.5.11 › qs@0.4.2
    • qs(Denial of Service): Introduced through: node-red-contrib-chatbot › express-sessions@1.0.6 › express@2.5.11 › qs@0.4.2
    • qs (Prototype Override Protection Bypass): Introduced through: node-red-contrib-chatbot › express-sessions@1.0.6 › express@2.5.11 › qs@0.4.2
    • mongoose(Prototype Pollution): Introduced through: node-red-contrib-chatbot › express-sessions@1.0.6 › mongoose@4.13.21
    • bson(Internal Property Tampering): Introduced through: node-red-contrib-chatbot › express-sessions@1.0.6 › mongoose@4.13.21 › bson@1.0.9
    • bson(Internal Property Tampering): Introduced through: node-red-contrib-chatbot › express-sessions@1.0.6 › mongoose@4.13.21 › mongodb@2.2.34 › mongodb-core@2.1.18 › bson@1.0.9
    • mongodb(Denial of Service): Introduced through: node-red-contrib-chatbot › express-sessions@1.0.6 › mongoose@4.13.21 › mongodb@2.2.34

Some other info

express-sessions NPM was last updated 7 years ago and most of the vulnerabilities introduced from this dependency
@levpachmanov
Copy link

Hey @girishghoda,
We're part of a startup called Seal Security that mitigates software vulnerabilities in older open source versions by backporting/creating standalone security patches - enabling more straightforward remediation in cases like this. We created an bson@1.0.9-sp1 that's vulnerability-free. As with all of our patches, it's open-source and available for free.

If relevant, check out our GitHub repo if you wish to learn more, or start using our app - it's free to use for open-source projects!.

Please feel free to reach us at info@seal.security if you have any requests/questions.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@girishghoda @levpachmanov