Skip to content
This repository has been archived by the owner on Apr 27, 2022. It is now read-only.

protractor-7.0.0.tgz: 3 vulnerabilities (highest severity is: 9.8) #30

Open
mend-bolt-for-github bot opened this issue Apr 19, 2022 · 0 comments
Open

protractor-7.0.0.tgz: 3 vulnerabilities (highest severity is: 9.8) #30

mend-bolt-for-github bot opened this issue Apr 19, 2022 · 0 comments
Labels
security vulnerability Security vulnerability detected by WhiteSource

Comments

@mend-bolt-for-github
Copy link
Contributor

mend-bolt-for-github bot commented Apr 19, 2022
edited
Loading

Vulnerable Library - protractor-7.0.0.tgz

Path to dependency file: /angular/package.json

Path to vulnerable library: /aspnet-core/src/Thor.SSO.HttpApi.Host/node_modules/ini/package.json,/angular/node_modules/ini/package.json

Found in HEAD commit: 2f6811d1524ee5c5357ac1bc44db8755973358c4

Vulnerabilities

CVE Severity CVSS Dependency Type Fixed in Remediation Available
CVE-2021-3918 High 9.8 json-schema-0.2.3.tgz Transitive N/A
CVE-2020-7788 High 7.3 ini-1.3.5.tgz Transitive N/A
CVE-2021-23413 Medium 5.3 jszip-3.5.0.tgz Transitive N/A

Details

CVE-2021-3918

Vulnerable Library - json-schema-0.2.3.tgz

JSON Schema validation and specifications

Library home page: https://registry.npmjs.org/json-schema/-/json-schema-0.2.3.tgz

Path to dependency file: /angular/package.json

Path to vulnerable library: /angular/node_modules/json-schema/package.json

Dependency Hierarchy:

  • protractor-7.0.0.tgz (Root Library)
    • webdriver-manager-12.1.7.tgz
      • request-2.88.2.tgz
        • http-signature-1.2.0.tgz
          • jsprim-1.4.1.tgz
            • json-schema-0.2.3.tgz (Vulnerable Library)

Found in HEAD commit: 2f6811d1524ee5c5357ac1bc44db8755973358c4

Found in base branch: develop

Vulnerability Details

json-schema is vulnerable to Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

Publish Date: 2021-11-13

URL: CVE-2021-3918

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2021-3918

Release Date: 2021-11-13

Fix Resolution: json-schema - 0.4.0

Step up your Open Source Security Game with WhiteSource here

CVE-2020-7788

Vulnerable Library - ini-1.3.5.tgz

An ini encoder/decoder for node

Library home page: https://registry.npmjs.org/ini/-/ini-1.3.5.tgz

Path to dependency file: /aspnet-core/src/Thor.SSO.HttpApi.Host/package.json

Path to vulnerable library: /aspnet-core/src/Thor.SSO.HttpApi.Host/node_modules/ini/package.json,/angular/node_modules/ini/package.json

Dependency Hierarchy:

  • protractor-7.0.0.tgz (Root Library)
    • webdriver-manager-12.1.7.tgz
      • ini-1.3.5.tgz (Vulnerable Library)

Found in HEAD commit: 2f6811d1524ee5c5357ac1bc44db8755973358c4

Found in base branch: develop

Vulnerability Details

This affects the package ini before 1.3.6. If an attacker submits a malicious INI file to an application that parses it with ini.parse, they will pollute the prototype on the application. This can be exploited further depending on the context.

Publish Date: 2020-12-11

URL: CVE-2020-7788

CVSS 3 Score Details (7.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7788

Release Date: 2020-12-11

Fix Resolution: v1.3.6

Step up your Open Source Security Game with WhiteSource here

CVE-2021-23413

Vulnerable Library - jszip-3.5.0.tgz

Create, read and edit .zip files with JavaScript http://stuartk.com/jszip

Library home page: https://registry.npmjs.org/jszip/-/jszip-3.5.0.tgz

Path to dependency file: /angular/package.json

Path to vulnerable library: /angular/node_modules/jszip/package.json

Dependency Hierarchy:

  • protractor-7.0.0.tgz (Root Library)
    • selenium-webdriver-3.6.0.tgz
      • jszip-3.5.0.tgz (Vulnerable Library)

Found in HEAD commit: 2f6811d1524ee5c5357ac1bc44db8755973358c4

Found in base branch: develop

Vulnerability Details

This affects the package jszip before 3.7.0. Crafting a new zip file with filenames set to Object prototype values (e.g proto, toString, etc) results in a returned object with a modified prototype instance.

Publish Date: 2021-07-25

URL: CVE-2021-23413

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23413

Release Date: 2021-07-25

Fix Resolution: jszip - 3.7.0

Step up your Open Source Security Game with WhiteSource here
@mend-bolt-for-github mend-bolt-for-github bot added the security vulnerability Security vulnerability detected by WhiteSource label Apr 19, 2022
@mend-bolt-for-github mend-bolt-for-github bot changed the title protractor-7.0.0.tgz: 1 vulnerabilities (highest severity is: 5.3) protractor-7.0.0.tgz: 3 vulnerabilities (highest severity is: 9.8) Apr 19, 2022
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
security vulnerability Security vulnerability detected by WhiteSource
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
0 participants