
Please update Master to pull newer dependency versions that do not have known Vulnerabilities #26

Closed
BobHood opened this issue Apr 6, 2018 · 1 comment

Comments

BobHood commented Apr 6, 2018

Hello,
First, let me preface this with "I am not a Dev"; I'm a Security Architect in charge of Application Security for my company.

We have been scanning the open-source frameworks used by my company and found that this library calls in dependencies that have known vulnerabilities. I've been told that this library is an integral part of this, and cannot be removed/replaced. So we are wondering if the original Dev, or another person willing to fork it for a security version, can update the following nested dependencies.

IP.js
Currently, you call version 1.0.1. This dependency has been found to be vulnerable based on the below description. The upgrade to version 1.1.5 clears the known issue:
Explanation

The IP package is vulnerable to Uninitialized Memory Exposure. The mask() function in the ip.js file does not initialize the buffer memory with zeros when a buffer is created using the constructor with the numeric size parameter. A remote attacker can exploit this vulnerability by crafting an IP masking request, which returns uninitialized memory. The contents of uninitialized memory are undefined and potentially contain sensitive information, which leads to Information Disclosure.
Detection
The application is vulnerable by using this component.
Recommendation
We recommend upgrading to a version of this component that is not vulnerable to this specific issue.
Categories
Data
Root Cause
IP : 1.0.1
Advisories
Project: indutny/node-ip@b2b4469255a624619b...

boom.js
Currently, your app calls in Boom.js and there are no known non-vulnerable versions of this app. I'm posting the vuln information below. If some research could be done to determine if this is a required dependency, or whether some other dependency can be used:

Explanation
The boom package is vulnerable to Cross-Site Scripting (XSS), as the reformat() method in index.js allows malicious JavaScript in the error response message. A remote attacker can exploit this vulnerability by enticing a user to click on a maliciously crafted URL with a JavaScript payload, resulting in script execution once the victim navigates to the page.
Detection
The application is vulnerable by using this package.
Recommendation
“Advisory: The "Insert Security Application Scanning Vendor name Here" discovered that this vulnerability was fixed in version 0.3.8 and reintroduced in version 2.2.0. It is the developers' responsibility to escape the message that is returned using boom.”
Categories
Data
Root Cause
boom : 2.10.1
Advisories
Project: hapijs/boom#3
Project: hapijs/hapi#2370

Thanks,
Bob Hood

stritti added a commit that referenced this issue Apr 11, 2018
stritti (Owner) commented Oct 5, 2018

Dependencies are updated.

@stritti stritti closed this as completed Oct 5, 2018