You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Versions of lodash lower than 4.17.12 are vulnerable to Prototype Pollution. The function defaultsDeep could be tricked into adding or modifying properties of Object.prototype using a constructor payload.
In Async before 2.6.4 and 3.x before 3.2.2, a malicious user can obtain privileges via the mapValues() method, aka lib/internal/iterator.js createObjectIterator prototype pollution.
qs before 6.10.3, as used in Express before 4.17.3 and other products, allows attackers to cause a Node process hang for an Express application because an __ proto__ key can be used. In many typical Express use cases, an unauthenticated remote attacker can place the attack payload in the query string of the URL that is used to visit the application, such as a[proto]=b&a[proto]&a[length]=100000000. The fix was backported to qs 6.9.7, 6.8.3, 6.7.3, 6.6.1, 6.5.3, 6.4.1, 6.3.3, and 6.2.4 (and therefore Express 4.17.3, which has "deps: qs@6.9.7" in its release description, is not vulnerable).
A buffer over-read vulnerability exists in bl <4.0.3, <3.0.1, <2.2.1, and <1.2.3 which could allow an attacker to supply user input (even typed) that if it ends up in consume() argument and can become negative, the BufferList state can be corrupted, tricking it into exposing uninitialized memory via regular .slice() calls.
lodash prior to 4.17.11 is affected by: CWE-400: Uncontrolled Resource Consumption. The impact is: Denial of service. The component is: Date handler. The attack vector is: Attacker provides very long strings, which the library attempts to match using a regular expression. The fixed version is: 4.17.11.
lodash node module before 4.17.5 suffers from a Modification of Assumed-Immutable Data (MAID) vulnerability via defaultsDeep, merge, and mergeWith functions, which allows a malicious user to modify the prototype of "Object" via proto, causing the addition or modification of an existing property that will exist on all objects.
Mend Note: Converted from WS-2019-0184, on 2022-11-08.
The Request package through 2.88.1 for Node.js allows a bypass of SSRF mitigations via an attacker-controller server that does a cross-protocol redirect (HTTP to HTTPS, or HTTPS to HTTP). NOTE: This vulnerability only affects products that are no longer supported by the maintainer.
A prototype pollution vulnerability was found in lodash <4.17.11 where the functions merge, mergeWith, and defaultsDeep can be tricked into adding or modifying properties of Object.prototype.
adm-zip npm library before 0.4.9 is vulnerable to directory traversal, allowing attackers to write to arbitrary files via a ../ (dot dot slash) in a Zip archive entry that is mishandled during extraction. This vulnerability is also known as 'Zip-Slip'.
Mend Note: Converted from WS-2019-0231, on 2021-08-17.
Lodash versions prior to 4.17.21 are vulnerable to Regular Expression Denial of Service (ReDoS) via the toNumber, trim and trimEnd functions.
Mend Note: After conducting further research, Mend has determined that CVE-2020-28500 only affects environments with versions 4.0.0 to 4.17.20 of Lodash.
mend-bolt-for-githubbot
changed the title
karma-sauce-launcher-1.2.0.tgz: 11 vulnerabilities (highest severity is: 9.1)
karma-sauce-launcher-1.2.0.tgz: 12 vulnerabilities (highest severity is: 9.1)
Apr 15, 2022
mend-bolt-for-githubbot
changed the title
karma-sauce-launcher-1.2.0.tgz: 12 vulnerabilities (highest severity is: 9.1)
karma-sauce-launcher-1.2.0.tgz: 11 vulnerabilities (highest severity is: 9.1)
Oct 31, 2022
mend-bolt-for-githubbot
changed the title
karma-sauce-launcher-1.2.0.tgz: 11 vulnerabilities (highest severity is: 9.1)
karma-sauce-launcher-1.2.0.tgz: 12 vulnerabilities (highest severity is: 9.1)
Mar 17, 2023
mend-bolt-for-githubbot
changed the title
karma-sauce-launcher-1.2.0.tgz: 12 vulnerabilities (highest severity is: 9.1)
karma-sauce-launcher-1.2.0.tgz: 13 vulnerabilities (highest severity is: 9.1)
Dec 17, 2023
mend-bolt-for-githubbot
changed the title
karma-sauce-launcher-1.2.0.tgz: 13 vulnerabilities (highest severity is: 9.1)
karma-sauce-launcher-1.2.0.tgz: 11 vulnerabilities (highest severity is: 9.1)
Apr 18, 2024
mend-bolt-for-githubbot
changed the title
karma-sauce-launcher-1.2.0.tgz: 11 vulnerabilities (highest severity is: 9.1)
karma-sauce-launcher-1.2.0.tgz: 12 vulnerabilities (highest severity is: 9.1)
Apr 21, 2024
mend-bolt-for-githubbot
changed the title
karma-sauce-launcher-1.2.0.tgz: 12 vulnerabilities (highest severity is: 9.1)
karma-sauce-launcher-1.2.0.tgz: 13 vulnerabilities (highest severity is: 9.1)
Apr 22, 2024
mend-bolt-for-githubbot
changed the title
karma-sauce-launcher-1.2.0.tgz: 13 vulnerabilities (highest severity is: 9.1)
karma-sauce-launcher-1.2.0.tgz: 14 vulnerabilities (highest severity is: 9.1)
Jul 2, 2024
mend-bolt-for-githubbot
changed the title
karma-sauce-launcher-1.2.0.tgz: 14 vulnerabilities (highest severity is: 9.1)
karma-sauce-launcher-1.2.0.tgz: 13 vulnerabilities (highest severity is: 9.1)
Jul 17, 2024
mend-bolt-for-githubbot
changed the title
karma-sauce-launcher-1.2.0.tgz: 13 vulnerabilities (highest severity is: 9.1)
karma-sauce-launcher-1.2.0.tgz: 14 vulnerabilities (highest severity is: 9.1)
Jul 29, 2024
mend-bolt-for-githubbot
changed the title
karma-sauce-launcher-1.2.0.tgz: 14 vulnerabilities (highest severity is: 9.1)
karma-sauce-launcher-1.2.0.tgz: 13 vulnerabilities (highest severity is: 9.1)
Jul 30, 2024
Vulnerable Library - karma-sauce-launcher-1.2.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Found in HEAD commit: 77c7146d0444e2486ff3f42256348ec0130727e7
Vulnerabilities
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
CVE-2019-10744
Vulnerable Library - lodash-4.16.2.tgz
Lodash modular utilities.
Library home page: https://registry.npmjs.org/lodash/-/lodash-4.16.2.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
Found in HEAD commit: 77c7146d0444e2486ff3f42256348ec0130727e7
Found in base branch: dev
Vulnerability Details
Versions of lodash lower than 4.17.12 are vulnerable to Prototype Pollution. The function defaultsDeep could be tricked into adding or modifying properties of Object.prototype using a constructor payload.
Publish Date: 2019-07-25
URL: CVE-2019-10744
CVSS 3 Score Details (9.1)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: GHSA-jf85-cpcp-j695
Release Date: 2019-07-25
Fix Resolution (lodash): 4.17.12
Direct dependency fix Resolution (karma-sauce-launcher): 2.0.0
Step up your Open Source Security Game with Mend here
CVE-2021-43138
Vulnerable Library - async-2.0.1.tgz
Higher-order functions and common patterns for asynchronous code
Library home page: https://registry.npmjs.org/async/-/async-2.0.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
Found in HEAD commit: 77c7146d0444e2486ff3f42256348ec0130727e7
Found in base branch: dev
Vulnerability Details
In Async before 2.6.4 and 3.x before 3.2.2, a malicious user can obtain privileges via the mapValues() method, aka lib/internal/iterator.js createObjectIterator prototype pollution.
Publish Date: 2022-04-06
URL: CVE-2021-43138
CVSS 3 Score Details (7.8)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2021-43138
Release Date: 2022-04-06
Fix Resolution (async): 2.6.4
Direct dependency fix Resolution (karma-sauce-launcher): 2.0.0
Step up your Open Source Security Game with Mend here
WS-2017-3772
Vulnerable Library - underscore.string-3.3.4.tgz
String manipulation extensions for Underscore.js javascript library.
Library home page: https://registry.npmjs.org/underscore.string/-/underscore.string-3.3.4.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
Found in HEAD commit: 77c7146d0444e2486ff3f42256348ec0130727e7
Found in base branch: dev
Vulnerability Details
Regular Expression Denial of Service (ReDoS) vulnerability was found in underscore.string 2.4.0 through 3.3.5.
Publish Date: 2017-09-08
URL: WS-2017-3772
CVSS 3 Score Details (7.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Release Date: 2017-09-08
Fix Resolution (underscore.string): 3.3.6
Direct dependency fix Resolution (karma-sauce-launcher): 2.0.0
Step up your Open Source Security Game with Mend here
CVE-2022-24999
Vulnerable Library - qs-6.3.2.tgz
A querystring parser that supports nesting and arrays, with a depth limit
Library home page: https://registry.npmjs.org/qs/-/qs-6.3.2.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
Found in HEAD commit: 77c7146d0444e2486ff3f42256348ec0130727e7
Found in base branch: dev
Vulnerability Details
qs before 6.10.3, as used in Express before 4.17.3 and other products, allows attackers to cause a Node process hang for an Express application because an __ proto__ key can be used. In many typical Express use cases, an unauthenticated remote attacker can place the attack payload in the query string of the URL that is used to visit the application, such as a[proto]=b&a[proto]&a[length]=100000000. The fix was backported to qs 6.9.7, 6.8.3, 6.7.3, 6.6.1, 6.5.3, 6.4.1, 6.3.3, and 6.2.4 (and therefore Express 4.17.3, which has "deps: qs@6.9.7" in its release description, is not vulnerable).
Publish Date: 2022-11-26
URL: CVE-2022-24999
CVSS 3 Score Details (7.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2022-24999
Release Date: 2022-11-26
Fix Resolution (qs): 6.3.3
Direct dependency fix Resolution (karma-sauce-launcher): 2.0.0
Step up your Open Source Security Game with Mend here
CVE-2020-8203
Vulnerable Library - lodash-4.16.2.tgz
Lodash modular utilities.
Library home page: https://registry.npmjs.org/lodash/-/lodash-4.16.2.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
Found in HEAD commit: 77c7146d0444e2486ff3f42256348ec0130727e7
Found in base branch: dev
Vulnerability Details
Prototype pollution attack when using _.zipObjectDeep in lodash before 4.17.20.
Publish Date: 2020-07-15
URL: CVE-2020-8203
CVSS 3 Score Details (7.4)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://www.npmjs.com/advisories/1523
Release Date: 2020-07-15
Fix Resolution (lodash): 4.17.9
Direct dependency fix Resolution (karma-sauce-launcher): 2.0.0
Step up your Open Source Security Game with Mend here
CVE-2021-23337
Vulnerable Library - lodash-4.16.2.tgz
Lodash modular utilities.
Library home page: https://registry.npmjs.org/lodash/-/lodash-4.16.2.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
Found in HEAD commit: 77c7146d0444e2486ff3f42256348ec0130727e7
Found in base branch: dev
Vulnerability Details
Lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function.
Publish Date: 2021-02-15
URL: CVE-2021-23337
CVSS 3 Score Details (7.2)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: GHSA-35jh-r3h4-6jhm
Release Date: 2021-02-15
Fix Resolution (lodash): 4.17.21
Direct dependency fix Resolution (karma-sauce-launcher): 2.0.0
Step up your Open Source Security Game with Mend here
CVE-2020-8244
Vulnerable Library - bl-1.2.1.tgz
Buffer List: collect buffers and access with a standard readable Buffer interface, streamable too!
Library home page: https://registry.npmjs.org/bl/-/bl-1.2.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
Found in HEAD commit: 77c7146d0444e2486ff3f42256348ec0130727e7
Found in base branch: dev
Vulnerability Details
A buffer over-read vulnerability exists in bl <4.0.3, <3.0.1, <2.2.1, and <1.2.3 which could allow an attacker to supply user input (even typed) that if it ends up in consume() argument and can become negative, the BufferList state can be corrupted, tricking it into exposing uninitialized memory via regular .slice() calls.
Publish Date: 2020-08-30
URL: CVE-2020-8244
CVSS 3 Score Details (6.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: GHSA-pp7h-53gx-mx7r
Release Date: 2020-08-30
Fix Resolution (bl): 1.2.3
Direct dependency fix Resolution (karma-sauce-launcher): 2.0.0
Step up your Open Source Security Game with Mend here
CVE-2019-1010266
Vulnerable Library - lodash-4.16.2.tgz
Lodash modular utilities.
Library home page: https://registry.npmjs.org/lodash/-/lodash-4.16.2.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
Found in HEAD commit: 77c7146d0444e2486ff3f42256348ec0130727e7
Found in base branch: dev
Vulnerability Details
lodash prior to 4.17.11 is affected by: CWE-400: Uncontrolled Resource Consumption. The impact is: Denial of service. The component is: Date handler. The attack vector is: Attacker provides very long strings, which the library attempts to match using a regular expression. The fixed version is: 4.17.11.
Publish Date: 2019-07-17
URL: CVE-2019-1010266
CVSS 3 Score Details (6.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Release Date: 2019-07-17
Fix Resolution (lodash): 4.17.11
Direct dependency fix Resolution (karma-sauce-launcher): 2.0.0
Step up your Open Source Security Game with Mend here
CVE-2018-3721
Vulnerable Library - lodash-4.16.2.tgz
Lodash modular utilities.
Library home page: https://registry.npmjs.org/lodash/-/lodash-4.16.2.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
Found in HEAD commit: 77c7146d0444e2486ff3f42256348ec0130727e7
Found in base branch: dev
Vulnerability Details
lodash node module before 4.17.5 suffers from a Modification of Assumed-Immutable Data (MAID) vulnerability via defaultsDeep, merge, and mergeWith functions, which allows a malicious user to modify the prototype of "Object" via proto, causing the addition or modification of an existing property that will exist on all objects.
Mend Note: Converted from WS-2019-0184, on 2022-11-08.
Publish Date: 2018-06-07
URL: CVE-2018-3721
CVSS 3 Score Details (6.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://www.npmjs.com/advisories/1067
Release Date: 2018-06-07
Fix Resolution (lodash): 4.17.5
Direct dependency fix Resolution (karma-sauce-launcher): 2.0.0
Step up your Open Source Security Game with Mend here
CVE-2023-28155
Vulnerable Library - request-2.79.0.tgz
Simplified HTTP request client.
Library home page: https://registry.npmjs.org/request/-/request-2.79.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
Found in HEAD commit: 77c7146d0444e2486ff3f42256348ec0130727e7
Found in base branch: dev
Vulnerability Details
The Request package through 2.88.1 for Node.js allows a bypass of SSRF mitigations via an attacker-controller server that does a cross-protocol redirect (HTTP to HTTPS, or HTTPS to HTTP). NOTE: This vulnerability only affects products that are no longer supported by the maintainer.
Publish Date: 2023-03-16
URL: CVE-2023-28155
CVSS 3 Score Details (6.1)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: GHSA-p8p7-x288-28g6
Release Date: 2023-03-16
Fix Resolution: @cypress/request - 3.0.0
Step up your Open Source Security Game with Mend here
CVE-2018-16487
Vulnerable Library - lodash-4.16.2.tgz
Lodash modular utilities.
Library home page: https://registry.npmjs.org/lodash/-/lodash-4.16.2.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
Found in HEAD commit: 77c7146d0444e2486ff3f42256348ec0130727e7
Found in base branch: dev
Vulnerability Details
A prototype pollution vulnerability was found in lodash <4.17.11 where the functions merge, mergeWith, and defaultsDeep can be tricked into adding or modifying properties of Object.prototype.
Publish Date: 2019-02-01
URL: CVE-2018-16487
CVSS 3 Score Details (5.6)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://hackerone.com/reports/380873
Release Date: 2019-02-01
Fix Resolution (lodash): 4.17.11
Direct dependency fix Resolution (karma-sauce-launcher): 2.0.0
Step up your Open Source Security Game with Mend here
CVE-2018-1002204
Vulnerable Library - adm-zip-0.4.7.tgz
A Javascript implementation of zip for nodejs. Allows user to create or extract zip files both in memory or to/from disk
Library home page: https://registry.npmjs.org/adm-zip/-/adm-zip-0.4.7.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
Found in HEAD commit: 77c7146d0444e2486ff3f42256348ec0130727e7
Found in base branch: dev
Vulnerability Details
adm-zip npm library before 0.4.9 is vulnerable to directory traversal, allowing attackers to write to arbitrary files via a ../ (dot dot slash) in a Zip archive entry that is mishandled during extraction. This vulnerability is also known as 'Zip-Slip'.
Mend Note: Converted from WS-2019-0231, on 2021-08-17.
Publish Date: 2018-07-25
URL: CVE-2018-1002204
CVSS 3 Score Details (5.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2018-1002204
Release Date: 2018-07-25
Fix Resolution (adm-zip): 0.4.9
Direct dependency fix Resolution (karma-sauce-launcher): 2.0.0
Step up your Open Source Security Game with Mend here
CVE-2020-28500
Vulnerable Library - lodash-4.16.2.tgz
Lodash modular utilities.
Library home page: https://registry.npmjs.org/lodash/-/lodash-4.16.2.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
Found in HEAD commit: 77c7146d0444e2486ff3f42256348ec0130727e7
Found in base branch: dev
Vulnerability Details
Lodash versions prior to 4.17.21 are vulnerable to Regular Expression Denial of Service (ReDoS) via the toNumber, trim and trimEnd functions.
Mend Note: After conducting further research, Mend has determined that CVE-2020-28500 only affects environments with versions 4.0.0 to 4.17.20 of Lodash.
Publish Date: 2021-02-15
URL: CVE-2020-28500
CVSS 3 Score Details (5.3)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28500
Release Date: 2021-02-15
Fix Resolution (lodash): 4.17.21
Direct dependency fix Resolution (karma-sauce-launcher): 2.0.0
Step up your Open Source Security Game with Mend here
The text was updated successfully, but these errors were encountered: