zaproxy-0.2.0.tgz: 19 vulnerabilities (highest severity is: 9.8)

[mend-for-github-com]

Vulnerable Library - zaproxy-0.2.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/zaproxy/node_modules/request/package.json

Found in HEAD commit: 98c35103c7cca4d27c850a6900767a9b0c81bda5

Vulnerabilities

CVE	Severity	CVSS	Dependency	Type	Fixed in (zaproxy version)	Remediation Possible**
CVE-2023-26136	Critical	9.8	tough-cookie-2.3.4.tgz	Transitive	N/A*	❌
CVE-2018-1000620	Critical	9.8	cryptiles-0.2.2.tgz	Transitive	1.0.1	✅
CVE-2019-10744	Critical	9.1	lodash-2.4.2.tgz	Transitive	1.0.1	✅
CVE-2018-3728	High	8.8	hoek-0.9.1.tgz	Transitive	1.0.1	✅
WS-2014-0005	High	7.5	qs-0.6.6.tgz	Transitive	0.3.0	✅
CVE-2017-16138	High	7.5	mime-1.2.11.tgz	Transitive	0.3.0	✅
CVE-2017-1000048	High	7.5	qs-0.6.6.tgz	Transitive	0.3.0	✅
CVE-2016-2515	High	7.5	hawk-1.0.0.tgz	Transitive	0.3.0	✅
CVE-2014-10064	High	7.5	qs-0.6.6.tgz	Transitive	0.3.0	✅
CVE-2020-8203	High	7.4	lodash-2.4.2.tgz	Transitive	1.0.1	✅
CVE-2021-23337	High	7.2	lodash-2.4.2.tgz	Transitive	1.0.1	✅
CVE-2019-1010266	Medium	6.5	lodash-2.4.2.tgz	Transitive	1.0.1	✅
CVE-2018-3721	Medium	6.5	lodash-2.4.2.tgz	Transitive	1.0.1	✅
CVE-2023-28155	Medium	6.1	request-2.36.0.tgz	Transitive	N/A*	❌
CVE-2017-16026	Medium	5.9	request-2.36.0.tgz	Transitive	0.3.0	✅
CVE-2018-16487	Medium	5.6	lodash-2.4.2.tgz	Transitive	1.0.1	✅
CVE-2020-28500	Medium	5.3	lodash-2.4.2.tgz	Transitive	1.0.1	✅
CVE-2014-7191	Medium	5.3	qs-0.6.6.tgz	Transitive	0.3.0	✅
WS-2017-0266	Low	3.5	http-signature-0.10.1.tgz	Transitive	0.3.0	✅

*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2023-26136

Vulnerable Library - tough-cookie-2.3.4.tgz

RFC6265 Cookies and Cookie Jar for node.js

Library home page: https://registry.npmjs.org/tough-cookie/-/tough-cookie-2.3.4.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/tough-cookie/package.json

Dependency Hierarchy:

• zaproxy-0.2.0.tgz (Root Library)
  • request-2.36.0.tgz
    • ❌ tough-cookie-2.3.4.tgz (Vulnerable Library)

Found in HEAD commit: 98c35103c7cca4d27c850a6900767a9b0c81bda5

Found in base branch: develop

Vulnerability Details

Versions of the package tough-cookie before 4.1.3 are vulnerable to Prototype Pollution due to improper handling of Cookies when using CookieJar in rejectPublicSuffixes=false mode. This issue arises from the manner in which the objects are initialized.

Publish Date: 2023-07-01

URL: CVE-2023-26136

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2023-26136

Release Date: 2023-07-01

Fix Resolution: tough-cookie - 4.1.3

CVE-2018-1000620

Vulnerable Library - cryptiles-0.2.2.tgz

General purpose crypto utilities

Library home page: https://registry.npmjs.org/cryptiles/-/cryptiles-0.2.2.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/zaproxy/node_modules/cryptiles/package.json

Dependency Hierarchy:

• zaproxy-0.2.0.tgz (Root Library)
  • request-2.36.0.tgz
    • hawk-1.0.0.tgz
      • ❌ cryptiles-0.2.2.tgz (Vulnerable Library)

Found in HEAD commit: 98c35103c7cca4d27c850a6900767a9b0c81bda5

Found in base branch: develop

Vulnerability Details

Eran Hammer cryptiles version 4.1.1 earlier contains a CWE-331: Insufficient Entropy vulnerability in randomDigits() method that can result in An attacker is more likely to be able to brute force something that was supposed to be random.. This attack appear to be exploitable via Depends upon the calling application.. This vulnerability appears to have been fixed in 4.1.2.

Publish Date: 2018-07-09

URL: CVE-2018-1000620

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-1000620

Release Date: 2018-07-09

Fix Resolution (cryptiles): 4.1.2

Direct dependency fix Resolution (zaproxy): 1.0.1

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2019-10744

Vulnerable Library - lodash-2.4.2.tgz

A utility library delivering consistency, customization, performance, & extras.

Library home page: https://registry.npmjs.org/lodash/-/lodash-2.4.2.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/zaproxy/node_modules/lodash/package.json

Dependency Hierarchy:

• zaproxy-0.2.0.tgz (Root Library)
  • ❌ lodash-2.4.2.tgz (Vulnerable Library)

Found in HEAD commit: 98c35103c7cca4d27c850a6900767a9b0c81bda5

Found in base branch: develop

Vulnerability Details

Versions of lodash lower than 4.17.12 are vulnerable to Prototype Pollution. The function defaultsDeep could be tricked into adding or modifying properties of Object.prototype using a constructor payload.

Publish Date: 2019-07-26

URL: CVE-2019-10744

CVSS 3 Score Details (9.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: High
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-jf85-cpcp-j695

Release Date: 2019-07-26

Fix Resolution (lodash): 4.17.12

Direct dependency fix Resolution (zaproxy): 1.0.1

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2018-3728

Vulnerable Library - hoek-0.9.1.tgz

General purpose node utilities

Library home page: https://registry.npmjs.org/hoek/-/hoek-0.9.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/zaproxy/node_modules/hoek/package.json

Dependency Hierarchy:

• zaproxy-0.2.0.tgz (Root Library)
  • request-2.36.0.tgz
    • hawk-1.0.0.tgz
      • ❌ hoek-0.9.1.tgz (Vulnerable Library)

Found in HEAD commit: 98c35103c7cca4d27c850a6900767a9b0c81bda5

Found in base branch: develop

Vulnerability Details

hoek node module before 4.2.0 and 5.0.x before 5.0.3 suffers from a Modification of Assumed-Immutable Data (MAID) vulnerability via 'merge' and 'applyToDefaults' functions, which allows a malicious user to modify the prototype of "Object" via proto, causing the addition or modification of an existing property that will exist on all objects.

Publish Date: 2018-03-30

URL: CVE-2018-3728

CVSS 3 Score Details (8.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16082

Release Date: 2018-03-30

Fix Resolution (hoek): 4.2.0

Direct dependency fix Resolution (zaproxy): 1.0.1

⛑️ Automatic Remediation will be attempted for this issue.

WS-2014-0005

Vulnerable Library - qs-0.6.6.tgz

querystring parser

Library home page: https://registry.npmjs.org/qs/-/qs-0.6.6.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/zaproxy/node_modules/qs/package.json

Dependency Hierarchy:

• zaproxy-0.2.0.tgz (Root Library)
  • request-2.36.0.tgz
    • ❌ qs-0.6.6.tgz (Vulnerable Library)

Found in HEAD commit: 98c35103c7cca4d27c850a6900767a9b0c81bda5

Found in base branch: develop

Vulnerability Details

Denial-of-Service Extended Event Loop Blocking.The qs module does not have an option or default for specifying object depth and when parsing a string representing a deeply nested object will block the event loop for long periods of time

Publish Date: 2014-07-31

URL: WS-2014-0005

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/WS-2014-0005

Release Date: 2014-07-31

Fix Resolution (qs): 1.0.0

Direct dependency fix Resolution (zaproxy): 0.3.0

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2017-16138

Vulnerable Library - mime-1.2.11.tgz

A comprehensive library for mime-type mapping

Library home page: https://registry.npmjs.org/mime/-/mime-1.2.11.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/zaproxy/node_modules/mime/package.json

Dependency Hierarchy:

• zaproxy-0.2.0.tgz (Root Library)
  • request-2.36.0.tgz
    • ❌ mime-1.2.11.tgz (Vulnerable Library)

Found in HEAD commit: 98c35103c7cca4d27c850a6900767a9b0c81bda5

Found in base branch: develop

Vulnerability Details

The mime module < 1.4.1, 2.0.1, 2.0.2 is vulnerable to regular expression denial of service when a mime lookup is performed on untrusted user input.

Publish Date: 2018-06-07

URL: CVE-2017-16138

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16138

Release Date: 2018-04-26

Fix Resolution (mime): 1.4.1

Direct dependency fix Resolution (zaproxy): 0.3.0

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2017-1000048

Vulnerable Library - qs-0.6.6.tgz

querystring parser

Library home page: https://registry.npmjs.org/qs/-/qs-0.6.6.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/zaproxy/node_modules/qs/package.json

Dependency Hierarchy:

• zaproxy-0.2.0.tgz (Root Library)
  • request-2.36.0.tgz
    • ❌ qs-0.6.6.tgz (Vulnerable Library)

Found in HEAD commit: 98c35103c7cca4d27c850a6900767a9b0c81bda5

Found in base branch: develop

Vulnerability Details

the web framework using ljharb's qs module older than v6.3.2, v6.2.3, v6.1.2, and v6.0.4 is vulnerable to a DoS. A malicious user can send a evil request to cause the web framework crash.

Publish Date: 2017-07-17

URL: CVE-2017-1000048

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000048

Release Date: 2017-07-13

Fix Resolution (qs): 6.0.4

Direct dependency fix Resolution (zaproxy): 0.3.0

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2016-2515

Vulnerable Library - hawk-1.0.0.tgz

HTTP Hawk Authentication Scheme

Library home page: https://registry.npmjs.org/hawk/-/hawk-1.0.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/zaproxy/node_modules/hawk/package.json

Dependency Hierarchy:

• zaproxy-0.2.0.tgz (Root Library)
  • request-2.36.0.tgz
    • ❌ hawk-1.0.0.tgz (Vulnerable Library)

Found in HEAD commit: 98c35103c7cca4d27c850a6900767a9b0c81bda5

Found in base branch: develop

Vulnerability Details

Hawk before 3.1.3 and 4.x before 4.1.1 allow remote attackers to cause a denial of service (CPU consumption or partial outage) via a long (1) header or (2) URI that is matched against an improper regular expression.

Publish Date: 2016-04-13

URL: CVE-2016-2515

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2016-2515

Release Date: 2016-04-13

Fix Resolution (hawk): 3.1.3

Direct dependency fix Resolution (zaproxy): 0.3.0

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2014-10064

Vulnerable Library - qs-0.6.6.tgz

querystring parser

Library home page: https://registry.npmjs.org/qs/-/qs-0.6.6.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/zaproxy/node_modules/qs/package.json

Dependency Hierarchy:

• zaproxy-0.2.0.tgz (Root Library)
  • request-2.36.0.tgz
    • ❌ qs-0.6.6.tgz (Vulnerable Library)

Found in HEAD commit: 98c35103c7cca4d27c850a6900767a9b0c81bda5

Found in base branch: develop

Vulnerability Details

The qs module before 1.0.0 does not have an option or default for specifying object depth and when parsing a string representing a deeply nested object will block the event loop for long periods of time. An attacker could leverage this to cause a temporary denial-of-service condition, for example, in a web application, other requests would not be processed while this blocking is occurring.

Publish Date: 2018-05-31

URL: CVE-2014-10064

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2014-10064

Release Date: 2018-04-26

Fix Resolution (qs): 1.0.0

Direct dependency fix Resolution (zaproxy): 0.3.0

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2020-8203

Vulnerable Library - lodash-2.4.2.tgz

A utility library delivering consistency, customization, performance, & extras.

Library home page: https://registry.npmjs.org/lodash/-/lodash-2.4.2.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/zaproxy/node_modules/lodash/package.json

Dependency Hierarchy:

• zaproxy-0.2.0.tgz (Root Library)
  • ❌ lodash-2.4.2.tgz (Vulnerable Library)

Found in HEAD commit: 98c35103c7cca4d27c850a6900767a9b0c81bda5

Found in base branch: develop

Vulnerability Details

Prototype pollution attack when using _.zipObjectDeep in lodash before 4.17.20.

Publish Date: 2020-07-15

URL: CVE-2020-8203

CVSS 3 Score Details (7.4)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: High
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/1523

Release Date: 2020-07-15

Fix Resolution (lodash): 4.17.9

Direct dependency fix Resolution (zaproxy): 1.0.1

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2021-23337

Vulnerable Library - lodash-2.4.2.tgz

A utility library delivering consistency, customization, performance, & extras.

Library home page: https://registry.npmjs.org/lodash/-/lodash-2.4.2.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/zaproxy/node_modules/lodash/package.json

Dependency Hierarchy:

• zaproxy-0.2.0.tgz (Root Library)
  • ❌ lodash-2.4.2.tgz (Vulnerable Library)

Found in HEAD commit: 98c35103c7cca4d27c850a6900767a9b0c81bda5

Found in base branch: develop

Vulnerability Details

Lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function.

Publish Date: 2021-02-15

URL: CVE-2021-23337

CVSS 3 Score Details (7.2)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: High
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-35jh-r3h4-6jhm

Release Date: 2021-02-15

Fix Resolution (lodash): 4.17.21

Direct dependency fix Resolution (zaproxy): 1.0.1

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2019-1010266

Vulnerable Library - lodash-2.4.2.tgz

A utility library delivering consistency, customization, performance, & extras.

Library home page: https://registry.npmjs.org/lodash/-/lodash-2.4.2.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/zaproxy/node_modules/lodash/package.json

Dependency Hierarchy:

• zaproxy-0.2.0.tgz (Root Library)
  • ❌ lodash-2.4.2.tgz (Vulnerable Library)

Found in HEAD commit: 98c35103c7cca4d27c850a6900767a9b0c81bda5

Found in base branch: develop

Vulnerability Details

lodash prior to 4.17.11 is affected by: CWE-400: Uncontrolled Resource Consumption. The impact is: Denial of service. The component is: Date handler. The attack vector is: Attacker provides very long strings, which the library attempts to match using a regular expression. The fixed version is: 4.17.11.

Publish Date: 2019-07-17

URL: CVE-2019-1010266

CVSS 3 Score Details (6.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2019-07-17

Fix Resolution (lodash): 4.17.11

Direct dependency fix Resolution (zaproxy): 1.0.1

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2018-3721

Vulnerable Library - lodash-2.4.2.tgz

A utility library delivering consistency, customization, performance, & extras.

Library home page: https://registry.npmjs.org/lodash/-/lodash-2.4.2.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/zaproxy/node_modules/lodash/package.json

Dependency Hierarchy:

• zaproxy-0.2.0.tgz (Root Library)
  • ❌ lodash-2.4.2.tgz (Vulnerable Library)

Found in HEAD commit: 98c35103c7cca4d27c850a6900767a9b0c81bda5

Found in base branch: develop

Vulnerability Details

lodash node module before 4.17.5 suffers from a Modification of Assumed-Immutable Data (MAID) vulnerability via defaultsDeep, merge, and mergeWith functions, which allows a malicious user to modify the prototype of "Object" via proto, causing the addition or modification of an existing property that will exist on all objects.

Publish Date: 2018-06-07

URL: CVE-2018-3721

CVSS 3 Score Details (6.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: High
  • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/1067

Release Date: 2018-06-07

Fix Resolution (lodash): 4.17.5

Direct dependency fix Resolution (zaproxy): 1.0.1

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2023-28155

Vulnerable Library - request-2.36.0.tgz

Simplified HTTP request client.

Library home page: https://registry.npmjs.org/request/-/request-2.36.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/zaproxy/node_modules/request/package.json

Dependency Hierarchy:

• zaproxy-0.2.0.tgz (Root Library)
  • ❌ request-2.36.0.tgz (Vulnerable Library)

Found in HEAD commit: 98c35103c7cca4d27c850a6900767a9b0c81bda5

Found in base branch: develop

Vulnerability Details

The request package through 2.88.2 for Node.js and the @cypress/request package prior to 3.0.0 allow a bypass of SSRF mitigations via an attacker-controller server that does a cross-protocol redirect (HTTP to HTTPS, or HTTPS to HTTP).NOTE: The request package is no longer supported by the maintainer.

Publish Date: 2023-03-16

URL: CVE-2023-28155

CVSS 3 Score Details (6.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-p8p7-x288-28g6

Release Date: 2023-03-16

Fix Resolution: @cypress/request - 3.0.0

CVE-2017-16026

Vulnerable Library - request-2.36.0.tgz

Simplified HTTP request client.

Library home page: https://registry.npmjs.org/request/-/request-2.36.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/zaproxy/node_modules/request/package.json

Dependency Hierarchy:

• zaproxy-0.2.0.tgz (Root Library)
  • ❌ request-2.36.0.tgz (Vulnerable Library)

Found in HEAD commit: 98c35103c7cca4d27c850a6900767a9b0c81bda5

Found in base branch: develop

Vulnerability Details

Request is an http client. If a request is made using multipart, and the body type is a number, then the specified number of non-zero memory is passed in the body. This affects Request >=2.2.6 <2.47.0 || >2.51.0 <=2.67.0.

Publish Date: 2018-06-04

URL: CVE-2017-16026

CVSS 3 Score Details (5.9)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: None
  • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2017-16026

Release Date: 2018-04-26

Fix Resolution (request): 2.68.0

Direct dependency fix Resolution (zaproxy): 0.3.0

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2018-16487

Vulnerable Library - lodash-2.4.2.tgz

A utility library delivering consistency, customization, performance, & extras.

Library home page: https://registry.npmjs.org/lodash/-/lodash-2.4.2.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/zaproxy/node_modules/lodash/package.json

Dependency Hierarchy:

• zaproxy-0.2.0.tgz (Root Library)
  • ❌ lodash-2.4.2.tgz (Vulnerable Library)

Found in HEAD commit: 98c35103c7cca4d27c850a6900767a9b0c81bda5

Found in base branch: develop

Vulnerability Details

A prototype pollution vulnerability was found in lodash <4.17.11 where the functions merge, mergeWith, and defaultsDeep can be tricked into adding or modifying properties of Object.prototype.

Publish Date: 2019-02-01

URL: CVE-2018-16487

CVSS 3 Score Details (5.6)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://hackerone.com/reports/380873

Release Date: 2019-02-01

Fix Resolution (lodash): 4.17.11

Direct dependency fix Resolution (zaproxy): 1.0.1

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2020-28500

Vulnerable Library - lodash-2.4.2.tgz

A utility library delivering consistency, customization, performance, & extras.

Library home page: https://registry.npmjs.org/lodash/-/lodash-2.4.2.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/zaproxy/node_modules/lodash/package.json

Dependency Hierarchy:

• zaproxy-0.2.0.tgz (Root Library)
  • ❌ lodash-2.4.2.tgz (Vulnerable Library)

Found in HEAD commit: 98c35103c7cca4d27c850a6900767a9b0c81bda5

Found in base branch: develop

Vulnerability Details

Lodash versions prior to 4.17.21 are vulnerable to Regular Expression Denial of Service (ReDoS) via the toNumber, trim and trimEnd functions.

Publish Date: 2021-02-15

URL: CVE-2020-28500

CVSS 3 Score Details (5.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28500

Release Date: 2021-02-15

Fix Resolution (lodash): 4.17.21

Direct dependency fix Resolution (zaproxy): 1.0.1

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2014-7191

Vulnerable Library - qs-0.6.6.tgz

querystring parser

Library home page: https://registry.npmjs.org/qs/-/qs-0.6.6.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/zaproxy/node_modules/qs/package.json

Dependency Hierarchy:

• zaproxy-0.2.0.tgz (Root Library)
  • request-2.36.0.tgz
    • ❌ qs-0.6.6.tgz (Vulnerable Library)

Found in HEAD commit: 98c35103c7cca4d27c850a6900767a9b0c81bda5

Found in base branch: develop

Vulnerability Details

The qs module before 1.0.0 in Node.js does not call the compact function for array data, which allows remote attackers to cause a denial of service (memory consumption) by using a large index value to create a sparse array.

Publish Date: 2014-10-19

URL: CVE-2014-7191

CVSS 3 Score Details (5.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2014-7191

Release Date: 2014-10-19

Fix Resolution (qs): 1.0.0

Direct dependency fix Resolution (zaproxy): 0.3.0

⛑️ Automatic Remediation will be attempted for this issue.

WS-2017-0266

Vulnerable Library - http-signature-0.10.1.tgz

Reference implementation of Joyent's HTTP Signature scheme.

Library home page: https://registry.npmjs.org/http-signature/-/http-signature-0.10.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/zaproxy/node_modules/http-signature/package.json

Dependency Hierarchy:

• zaproxy-0.2.0.tgz (Root Library)
  • request-2.36.0.tgz
    • ❌ http-signature-0.10.1.tgz (Vulnerable Library)

Found in HEAD commit: 98c35103c7cca4d27c850a6900767a9b0c81bda5

Found in base branch: develop

Vulnerability Details

http-signature before version 1.0.0 are vulnerable to timing attack, which may lead to information disclosure.

Publish Date: 2015-01-22

URL: WS-2017-0266

CVSS 3 Score Details (3.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Adjacent
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: None
  • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2015-01-22

Fix Resolution (http-signature): 1.0.0

Direct dependency fix Resolution (zaproxy): 0.3.0

⛑️ Automatic Remediation will be attempted for this issue.

---

⛑️Automatic Remediation will be attempted for this issue.