You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Versions of the package tough-cookie before 4.1.3 are vulnerable to Prototype Pollution due to improper handling of Cookies when using CookieJar in rejectPublicSuffixes=false mode. This issue arises from the manner in which the objects are initialized.
Eran Hammer cryptiles version 4.1.1 earlier contains a CWE-331: Insufficient Entropy vulnerability in randomDigits() method that can result in An attacker is more likely to be able to brute force something that was supposed to be random.. This attack appear to be exploitable via Depends upon the calling application.. This vulnerability appears to have been fixed in 4.1.2.
Versions of lodash lower than 4.17.12 are vulnerable to Prototype Pollution. The function defaultsDeep could be tricked into adding or modifying properties of Object.prototype using a constructor payload.
hoek node module before 4.2.0 and 5.0.x before 5.0.3 suffers from a Modification of Assumed-Immutable Data (MAID) vulnerability via 'merge' and 'applyToDefaults' functions, which allows a malicious user to modify the prototype of "Object" via proto, causing the addition or modification of an existing property that will exist on all objects.
Denial-of-Service Extended Event Loop Blocking.The qs module does not have an option or default for specifying object depth and when parsing a string representing a deeply nested object will block the event loop for long periods of time
the web framework using ljharb's qs module older than v6.3.2, v6.2.3, v6.1.2, and v6.0.4 is vulnerable to a DoS. A malicious user can send a evil request to cause the web framework crash.
Hawk before 3.1.3 and 4.x before 4.1.1 allow remote attackers to cause a denial of service (CPU consumption or partial outage) via a long (1) header or (2) URI that is matched against an improper regular expression.
The qs module before 1.0.0 does not have an option or default for specifying object depth and when parsing a string representing a deeply nested object will block the event loop for long periods of time. An attacker could leverage this to cause a temporary denial-of-service condition, for example, in a web application, other requests would not be processed while this blocking is occurring.
lodash prior to 4.17.11 is affected by: CWE-400: Uncontrolled Resource Consumption. The impact is: Denial of service. The component is: Date handler. The attack vector is: Attacker provides very long strings, which the library attempts to match using a regular expression. The fixed version is: 4.17.11.
lodash node module before 4.17.5 suffers from a Modification of Assumed-Immutable Data (MAID) vulnerability via defaultsDeep, merge, and mergeWith functions, which allows a malicious user to modify the prototype of "Object" via proto, causing the addition or modification of an existing property that will exist on all objects.
The request package through 2.88.2 for Node.js and the @cypress/request package prior to 3.0.0 allow a bypass of SSRF mitigations via an attacker-controller server that does a cross-protocol redirect (HTTP to HTTPS, or HTTPS to HTTP).NOTE: The request package is no longer supported by the maintainer.
Request is an http client. If a request is made using multipart, and the body type is a number, then the specified number of non-zero memory is passed in the body. This affects Request >=2.2.6 <2.47.0 || >2.51.0 <=2.67.0.
A prototype pollution vulnerability was found in lodash <4.17.11 where the functions merge, mergeWith, and defaultsDeep can be tricked into adding or modifying properties of Object.prototype.
The qs module before 1.0.0 in Node.js does not call the compact function for array data, which allows remote attackers to cause a denial of service (memory consumption) by using a large index value to create a sparse array.
mend-for-github-combot
changed the title
zaproxy-0.2.0.tgz: 16 vulnerabilities (highest severity is: 9.8)
zaproxy-0.2.0.tgz: 17 vulnerabilities (highest severity is: 9.8)
Mar 14, 2022
mend-for-github-combot
changed the title
zaproxy-0.2.0.tgz: 18 vulnerabilities (highest severity is: 9.8)
zaproxy-0.2.0.tgz: 17 vulnerabilities (highest severity is: 9.8)
Dec 27, 2022
mend-for-github-combot
changed the title
zaproxy-0.2.0.tgz: 17 vulnerabilities (highest severity is: 9.8)
zaproxy-0.2.0.tgz: 18 vulnerabilities (highest severity is: 9.8)
Mar 16, 2023
mend-for-github-combot
changed the title
zaproxy-0.2.0.tgz: 18 vulnerabilities (highest severity is: 9.8)
zaproxy-0.2.0.tgz: 19 vulnerabilities (highest severity is: 9.8)
Dec 7, 2023
mend-for-github-combot
changed the title
zaproxy-0.2.0.tgz: 19 vulnerabilities (highest severity is: 9.8)
zaproxy-0.2.0.tgz: 18 vulnerabilities (highest severity is: 9.8)
Mar 23, 2024
mend-for-github-combot
changed the title
zaproxy-0.2.0.tgz: 18 vulnerabilities (highest severity is: 9.8)
zaproxy-0.2.0.tgz: 19 vulnerabilities (highest severity is: 9.8)
Mar 31, 2024
mend-for-github-combot
changed the title
zaproxy-0.2.0.tgz: 19 vulnerabilities (highest severity is: 9.8)
zaproxy-0.2.0.tgz: 17 vulnerabilities (highest severity is: 9.8)
Apr 18, 2024
mend-for-github-combot
changed the title
zaproxy-0.2.0.tgz: 17 vulnerabilities (highest severity is: 9.8)
zaproxy-0.2.0.tgz: 19 vulnerabilities (highest severity is: 9.8)
Apr 23, 2024
Vulnerable Library - zaproxy-0.2.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/zaproxy/node_modules/request/package.json
Found in HEAD commit: 98c35103c7cca4d27c850a6900767a9b0c81bda5
Vulnerabilities
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
CVE-2023-26136
Vulnerable Library - tough-cookie-2.3.4.tgz
RFC6265 Cookies and Cookie Jar for node.js
Library home page: https://registry.npmjs.org/tough-cookie/-/tough-cookie-2.3.4.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/tough-cookie/package.json
Dependency Hierarchy:
Found in HEAD commit: 98c35103c7cca4d27c850a6900767a9b0c81bda5
Found in base branch: develop
Vulnerability Details
Versions of the package tough-cookie before 4.1.3 are vulnerable to Prototype Pollution due to improper handling of Cookies when using CookieJar in rejectPublicSuffixes=false mode. This issue arises from the manner in which the objects are initialized.
Publish Date: 2023-07-01
URL: CVE-2023-26136
CVSS 3 Score Details (9.8)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2023-26136
Release Date: 2023-07-01
Fix Resolution: tough-cookie - 4.1.3
CVE-2018-1000620
Vulnerable Library - cryptiles-0.2.2.tgz
General purpose crypto utilities
Library home page: https://registry.npmjs.org/cryptiles/-/cryptiles-0.2.2.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/zaproxy/node_modules/cryptiles/package.json
Dependency Hierarchy:
Found in HEAD commit: 98c35103c7cca4d27c850a6900767a9b0c81bda5
Found in base branch: develop
Vulnerability Details
Eran Hammer cryptiles version 4.1.1 earlier contains a CWE-331: Insufficient Entropy vulnerability in randomDigits() method that can result in An attacker is more likely to be able to brute force something that was supposed to be random.. This attack appear to be exploitable via Depends upon the calling application.. This vulnerability appears to have been fixed in 4.1.2.
Publish Date: 2018-07-09
URL: CVE-2018-1000620
CVSS 3 Score Details (9.8)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-1000620
Release Date: 2018-07-09
Fix Resolution (cryptiles): 4.1.2
Direct dependency fix Resolution (zaproxy): 1.0.1
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2019-10744
Vulnerable Library - lodash-2.4.2.tgz
A utility library delivering consistency, customization, performance, & extras.
Library home page: https://registry.npmjs.org/lodash/-/lodash-2.4.2.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/zaproxy/node_modules/lodash/package.json
Dependency Hierarchy:
Found in HEAD commit: 98c35103c7cca4d27c850a6900767a9b0c81bda5
Found in base branch: develop
Vulnerability Details
Versions of lodash lower than 4.17.12 are vulnerable to Prototype Pollution. The function defaultsDeep could be tricked into adding or modifying properties of Object.prototype using a constructor payload.
Publish Date: 2019-07-26
URL: CVE-2019-10744
CVSS 3 Score Details (9.1)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: GHSA-jf85-cpcp-j695
Release Date: 2019-07-26
Fix Resolution (lodash): 4.17.12
Direct dependency fix Resolution (zaproxy): 1.0.1
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2018-3728
Vulnerable Library - hoek-0.9.1.tgz
General purpose node utilities
Library home page: https://registry.npmjs.org/hoek/-/hoek-0.9.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/zaproxy/node_modules/hoek/package.json
Dependency Hierarchy:
Found in HEAD commit: 98c35103c7cca4d27c850a6900767a9b0c81bda5
Found in base branch: develop
Vulnerability Details
hoek node module before 4.2.0 and 5.0.x before 5.0.3 suffers from a Modification of Assumed-Immutable Data (MAID) vulnerability via 'merge' and 'applyToDefaults' functions, which allows a malicious user to modify the prototype of "Object" via proto, causing the addition or modification of an existing property that will exist on all objects.
Publish Date: 2018-03-30
URL: CVE-2018-3728
CVSS 3 Score Details (8.8)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16082
Release Date: 2018-03-30
Fix Resolution (hoek): 4.2.0
Direct dependency fix Resolution (zaproxy): 1.0.1
⛑️ Automatic Remediation will be attempted for this issue.
WS-2014-0005
Vulnerable Library - qs-0.6.6.tgz
querystring parser
Library home page: https://registry.npmjs.org/qs/-/qs-0.6.6.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/zaproxy/node_modules/qs/package.json
Dependency Hierarchy:
Found in HEAD commit: 98c35103c7cca4d27c850a6900767a9b0c81bda5
Found in base branch: develop
Vulnerability Details
Denial-of-Service Extended Event Loop Blocking.The qs module does not have an option or default for specifying object depth and when parsing a string representing a deeply nested object will block the event loop for long periods of time
Publish Date: 2014-07-31
URL: WS-2014-0005
CVSS 3 Score Details (7.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/WS-2014-0005
Release Date: 2014-07-31
Fix Resolution (qs): 1.0.0
Direct dependency fix Resolution (zaproxy): 0.3.0
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2017-16138
Vulnerable Library - mime-1.2.11.tgz
A comprehensive library for mime-type mapping
Library home page: https://registry.npmjs.org/mime/-/mime-1.2.11.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/zaproxy/node_modules/mime/package.json
Dependency Hierarchy:
Found in HEAD commit: 98c35103c7cca4d27c850a6900767a9b0c81bda5
Found in base branch: develop
Vulnerability Details
The mime module < 1.4.1, 2.0.1, 2.0.2 is vulnerable to regular expression denial of service when a mime lookup is performed on untrusted user input.
Publish Date: 2018-06-07
URL: CVE-2017-16138
CVSS 3 Score Details (7.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16138
Release Date: 2018-04-26
Fix Resolution (mime): 1.4.1
Direct dependency fix Resolution (zaproxy): 0.3.0
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2017-1000048
Vulnerable Library - qs-0.6.6.tgz
querystring parser
Library home page: https://registry.npmjs.org/qs/-/qs-0.6.6.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/zaproxy/node_modules/qs/package.json
Dependency Hierarchy:
Found in HEAD commit: 98c35103c7cca4d27c850a6900767a9b0c81bda5
Found in base branch: develop
Vulnerability Details
the web framework using ljharb's qs module older than v6.3.2, v6.2.3, v6.1.2, and v6.0.4 is vulnerable to a DoS. A malicious user can send a evil request to cause the web framework crash.
Publish Date: 2017-07-17
URL: CVE-2017-1000048
CVSS 3 Score Details (7.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000048
Release Date: 2017-07-13
Fix Resolution (qs): 6.0.4
Direct dependency fix Resolution (zaproxy): 0.3.0
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2016-2515
Vulnerable Library - hawk-1.0.0.tgz
HTTP Hawk Authentication Scheme
Library home page: https://registry.npmjs.org/hawk/-/hawk-1.0.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/zaproxy/node_modules/hawk/package.json
Dependency Hierarchy:
Found in HEAD commit: 98c35103c7cca4d27c850a6900767a9b0c81bda5
Found in base branch: develop
Vulnerability Details
Hawk before 3.1.3 and 4.x before 4.1.1 allow remote attackers to cause a denial of service (CPU consumption or partial outage) via a long (1) header or (2) URI that is matched against an improper regular expression.
Publish Date: 2016-04-13
URL: CVE-2016-2515
CVSS 3 Score Details (7.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2016-2515
Release Date: 2016-04-13
Fix Resolution (hawk): 3.1.3
Direct dependency fix Resolution (zaproxy): 0.3.0
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2014-10064
Vulnerable Library - qs-0.6.6.tgz
querystring parser
Library home page: https://registry.npmjs.org/qs/-/qs-0.6.6.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/zaproxy/node_modules/qs/package.json
Dependency Hierarchy:
Found in HEAD commit: 98c35103c7cca4d27c850a6900767a9b0c81bda5
Found in base branch: develop
Vulnerability Details
The qs module before 1.0.0 does not have an option or default for specifying object depth and when parsing a string representing a deeply nested object will block the event loop for long periods of time. An attacker could leverage this to cause a temporary denial-of-service condition, for example, in a web application, other requests would not be processed while this blocking is occurring.
Publish Date: 2018-05-31
URL: CVE-2014-10064
CVSS 3 Score Details (7.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2014-10064
Release Date: 2018-04-26
Fix Resolution (qs): 1.0.0
Direct dependency fix Resolution (zaproxy): 0.3.0
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2020-8203
Vulnerable Library - lodash-2.4.2.tgz
A utility library delivering consistency, customization, performance, & extras.
Library home page: https://registry.npmjs.org/lodash/-/lodash-2.4.2.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/zaproxy/node_modules/lodash/package.json
Dependency Hierarchy:
Found in HEAD commit: 98c35103c7cca4d27c850a6900767a9b0c81bda5
Found in base branch: develop
Vulnerability Details
Prototype pollution attack when using _.zipObjectDeep in lodash before 4.17.20.
Publish Date: 2020-07-15
URL: CVE-2020-8203
CVSS 3 Score Details (7.4)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://www.npmjs.com/advisories/1523
Release Date: 2020-07-15
Fix Resolution (lodash): 4.17.9
Direct dependency fix Resolution (zaproxy): 1.0.1
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2021-23337
Vulnerable Library - lodash-2.4.2.tgz
A utility library delivering consistency, customization, performance, & extras.
Library home page: https://registry.npmjs.org/lodash/-/lodash-2.4.2.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/zaproxy/node_modules/lodash/package.json
Dependency Hierarchy:
Found in HEAD commit: 98c35103c7cca4d27c850a6900767a9b0c81bda5
Found in base branch: develop
Vulnerability Details
Lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function.
Publish Date: 2021-02-15
URL: CVE-2021-23337
CVSS 3 Score Details (7.2)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: GHSA-35jh-r3h4-6jhm
Release Date: 2021-02-15
Fix Resolution (lodash): 4.17.21
Direct dependency fix Resolution (zaproxy): 1.0.1
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2019-1010266
Vulnerable Library - lodash-2.4.2.tgz
A utility library delivering consistency, customization, performance, & extras.
Library home page: https://registry.npmjs.org/lodash/-/lodash-2.4.2.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/zaproxy/node_modules/lodash/package.json
Dependency Hierarchy:
Found in HEAD commit: 98c35103c7cca4d27c850a6900767a9b0c81bda5
Found in base branch: develop
Vulnerability Details
lodash prior to 4.17.11 is affected by: CWE-400: Uncontrolled Resource Consumption. The impact is: Denial of service. The component is: Date handler. The attack vector is: Attacker provides very long strings, which the library attempts to match using a regular expression. The fixed version is: 4.17.11.
Publish Date: 2019-07-17
URL: CVE-2019-1010266
CVSS 3 Score Details (6.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Release Date: 2019-07-17
Fix Resolution (lodash): 4.17.11
Direct dependency fix Resolution (zaproxy): 1.0.1
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2018-3721
Vulnerable Library - lodash-2.4.2.tgz
A utility library delivering consistency, customization, performance, & extras.
Library home page: https://registry.npmjs.org/lodash/-/lodash-2.4.2.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/zaproxy/node_modules/lodash/package.json
Dependency Hierarchy:
Found in HEAD commit: 98c35103c7cca4d27c850a6900767a9b0c81bda5
Found in base branch: develop
Vulnerability Details
lodash node module before 4.17.5 suffers from a Modification of Assumed-Immutable Data (MAID) vulnerability via defaultsDeep, merge, and mergeWith functions, which allows a malicious user to modify the prototype of "Object" via proto, causing the addition or modification of an existing property that will exist on all objects.
Publish Date: 2018-06-07
URL: CVE-2018-3721
CVSS 3 Score Details (6.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://www.npmjs.com/advisories/1067
Release Date: 2018-06-07
Fix Resolution (lodash): 4.17.5
Direct dependency fix Resolution (zaproxy): 1.0.1
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2023-28155
Vulnerable Library - request-2.36.0.tgz
Simplified HTTP request client.
Library home page: https://registry.npmjs.org/request/-/request-2.36.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/zaproxy/node_modules/request/package.json
Dependency Hierarchy:
Found in HEAD commit: 98c35103c7cca4d27c850a6900767a9b0c81bda5
Found in base branch: develop
Vulnerability Details
The request package through 2.88.2 for Node.js and the @cypress/request package prior to 3.0.0 allow a bypass of SSRF mitigations via an attacker-controller server that does a cross-protocol redirect (HTTP to HTTPS, or HTTPS to HTTP).NOTE: The request package is no longer supported by the maintainer.
Publish Date: 2023-03-16
URL: CVE-2023-28155
CVSS 3 Score Details (6.1)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: GHSA-p8p7-x288-28g6
Release Date: 2023-03-16
Fix Resolution: @cypress/request - 3.0.0
CVE-2017-16026
Vulnerable Library - request-2.36.0.tgz
Simplified HTTP request client.
Library home page: https://registry.npmjs.org/request/-/request-2.36.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/zaproxy/node_modules/request/package.json
Dependency Hierarchy:
Found in HEAD commit: 98c35103c7cca4d27c850a6900767a9b0c81bda5
Found in base branch: develop
Vulnerability Details
Request is an http client. If a request is made using
multipart
, and the body type is anumber
, then the specified number of non-zero memory is passed in the body. This affects Request >=2.2.6 <2.47.0 || >2.51.0 <=2.67.0.Publish Date: 2018-06-04
URL: CVE-2017-16026
CVSS 3 Score Details (5.9)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2017-16026
Release Date: 2018-04-26
Fix Resolution (request): 2.68.0
Direct dependency fix Resolution (zaproxy): 0.3.0
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2018-16487
Vulnerable Library - lodash-2.4.2.tgz
A utility library delivering consistency, customization, performance, & extras.
Library home page: https://registry.npmjs.org/lodash/-/lodash-2.4.2.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/zaproxy/node_modules/lodash/package.json
Dependency Hierarchy:
Found in HEAD commit: 98c35103c7cca4d27c850a6900767a9b0c81bda5
Found in base branch: develop
Vulnerability Details
A prototype pollution vulnerability was found in lodash <4.17.11 where the functions merge, mergeWith, and defaultsDeep can be tricked into adding or modifying properties of Object.prototype.
Publish Date: 2019-02-01
URL: CVE-2018-16487
CVSS 3 Score Details (5.6)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://hackerone.com/reports/380873
Release Date: 2019-02-01
Fix Resolution (lodash): 4.17.11
Direct dependency fix Resolution (zaproxy): 1.0.1
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2020-28500
Vulnerable Library - lodash-2.4.2.tgz
A utility library delivering consistency, customization, performance, & extras.
Library home page: https://registry.npmjs.org/lodash/-/lodash-2.4.2.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/zaproxy/node_modules/lodash/package.json
Dependency Hierarchy:
Found in HEAD commit: 98c35103c7cca4d27c850a6900767a9b0c81bda5
Found in base branch: develop
Vulnerability Details
Lodash versions prior to 4.17.21 are vulnerable to Regular Expression Denial of Service (ReDoS) via the toNumber, trim and trimEnd functions.
Publish Date: 2021-02-15
URL: CVE-2020-28500
CVSS 3 Score Details (5.3)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28500
Release Date: 2021-02-15
Fix Resolution (lodash): 4.17.21
Direct dependency fix Resolution (zaproxy): 1.0.1
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2014-7191
Vulnerable Library - qs-0.6.6.tgz
querystring parser
Library home page: https://registry.npmjs.org/qs/-/qs-0.6.6.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/zaproxy/node_modules/qs/package.json
Dependency Hierarchy:
Found in HEAD commit: 98c35103c7cca4d27c850a6900767a9b0c81bda5
Found in base branch: develop
Vulnerability Details
The qs module before 1.0.0 in Node.js does not call the compact function for array data, which allows remote attackers to cause a denial of service (memory consumption) by using a large index value to create a sparse array.
Publish Date: 2014-10-19
URL: CVE-2014-7191
CVSS 3 Score Details (5.3)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2014-7191
Release Date: 2014-10-19
Fix Resolution (qs): 1.0.0
Direct dependency fix Resolution (zaproxy): 0.3.0
⛑️ Automatic Remediation will be attempted for this issue.
WS-2017-0266
Vulnerable Library - http-signature-0.10.1.tgz
Reference implementation of Joyent's HTTP Signature scheme.
Library home page: https://registry.npmjs.org/http-signature/-/http-signature-0.10.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/zaproxy/node_modules/http-signature/package.json
Dependency Hierarchy:
Found in HEAD commit: 98c35103c7cca4d27c850a6900767a9b0c81bda5
Found in base branch: develop
Vulnerability Details
http-signature before version 1.0.0 are vulnerable to timing attack, which may lead to information disclosure.
Publish Date: 2015-01-22
URL: WS-2017-0266
CVSS 3 Score Details (3.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Release Date: 2015-01-22
Fix Resolution (http-signature): 1.0.0
Direct dependency fix Resolution (zaproxy): 0.3.0
⛑️ Automatic Remediation will be attempted for this issue.
⛑️Automatic Remediation will be attempted for this issue.
The text was updated successfully, but these errors were encountered: