sdk-core-0.5.7.tgz: 19 vulnerabilities (highest severity is: 9.8)

[mend-bolt-for-github]

Vulnerable Library - sdk-core-0.5.7.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Found in HEAD commit: 5a14195d842fa047b4e529a4ec122a84b85f321e

Vulnerabilities

CVE	Severity	CVSS	Dependency	Type	Fixed in (sdk-core version)	Remediation Possible**
CVE-2023-26136	Critical	9.8	tough-cookie-2.5.0.tgz	Transitive	N/A*	❌
CVE-2023-30542	High	8.8	contracts-4.7.3.tgz	Transitive	N/A*	❌
CVE-2024-37890	High	7.5	ws-3.3.3.tgz	Transitive	N/A*	❌
CVE-2024-21505	High	7.5	detected in multiple dependencies	Transitive	N/A*	❌
CVE-2023-46234	High	7.5	browserify-sign-4.2.1.tgz	Transitive	N/A*	❌
CVE-2023-43646	High	7.5	get-func-name-2.0.0.tgz	Transitive	N/A*	❌
CVE-2022-25901	High	7.5	cookiejar-2.1.3.tgz	Transitive	N/A*	❌
CVE-2022-25883	High	7.5	detected in multiple dependencies	Transitive	N/A*	❌
CVE-2022-25881	High	7.5	http-cache-semantics-4.1.0.tgz	Transitive	N/A*	❌
CVE-2024-28863	Medium	6.5	tar-4.4.19.tgz	Transitive	N/A*	❌
CVE-2024-27094	Medium	6.5	contracts-4.7.3.tgz	Transitive	N/A*	❌
CVE-2024-29041	Medium	6.1	express-4.18.2.tgz	Transitive	N/A*	❌
CVE-2023-28155	Medium	6.1	request-2.88.2.tgz	Transitive	N/A*	❌
CVE-2023-34459	Medium	5.9	contracts-4.7.3.tgz	Transitive	N/A*	❌
CVE-2023-40014	Medium	5.3	contracts-4.7.3.tgz	Transitive	N/A*	❌
CVE-2023-34234	Medium	5.3	contracts-4.7.3.tgz	Transitive	N/A*	❌
CVE-2023-30541	Medium	5.3	contracts-4.7.3.tgz	Transitive	N/A*	❌
CVE-2022-33987	Medium	5.3	got-9.6.0.tgz	Transitive	N/A*	❌
CVE-2020-7608	Medium	5.3	yargs-parser-2.4.1.tgz	Transitive	N/A*	❌

*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2023-26136

Vulnerable Library - tough-cookie-2.5.0.tgz

RFC6265 Cookies and Cookie Jar for node.js

Library home page: https://registry.npmjs.org/tough-cookie/-/tough-cookie-2.5.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

• sdk-core-0.5.7.tgz (Root Library)
  • ethereum-contracts-1.4.2.tgz
    • contract-4.5.23.tgz
      • web3-1.7.4.tgz
        • web3-bzz-1.7.4.tgz
          • swarm-js-0.1.42.tgz
            • eth-lib-0.1.29.tgz
              • servify-0.1.12.tgz
                • request-2.88.2.tgz
                  • ❌ tough-cookie-2.5.0.tgz (Vulnerable Library)

Found in HEAD commit: 5a14195d842fa047b4e529a4ec122a84b85f321e

Found in base branch: main

Vulnerability Details

Versions of the package tough-cookie before 4.1.3 are vulnerable to Prototype Pollution due to improper handling of Cookies when using CookieJar in rejectPublicSuffixes=false mode. This issue arises from the manner in which the objects are initialized.

Publish Date: 2023-07-01

URL: CVE-2023-26136

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2023-26136

Release Date: 2023-07-01

Fix Resolution: tough-cookie - 4.1.3

Step up your Open Source Security Game with Mend here

CVE-2023-30542

Vulnerable Library - contracts-4.7.3.tgz

Secure Smart Contract library for Solidity

Library home page: https://registry.npmjs.org/@openzeppelin/contracts/-/contracts-4.7.3.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

• sdk-core-0.5.7.tgz (Root Library)
  • ethereum-contracts-1.4.2.tgz
    • ❌ contracts-4.7.3.tgz (Vulnerable Library)

Found in HEAD commit: 5a14195d842fa047b4e529a4ec122a84b85f321e

Found in base branch: main

Vulnerability Details

OpenZeppelin Contracts is a library for secure smart contract development. The proposal creation entrypoint (propose) in GovernorCompatibilityBravo allows the creation of proposals with a signatures array shorter than the calldatas array. This causes the additional elements of the latter to be ignored, and if the proposal succeeds the corresponding actions would eventually execute without any calldata. The ProposalCreated event correctly represents what will eventually execute, but the proposal parameters as queried through getActions appear to respect the original intended calldata. This issue has been patched in 4.8.3. As a workaround, ensure that all proposals that pass through governance have equal length signatures and calldatas parameters.

Publish Date: 2023-04-16

URL: CVE-2023-30542

CVSS 3 Score Details (8.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-93hq-5wgc-jc82

Release Date: 2023-04-16

Fix Resolution: @openzeppelin/contracts - 4.8.3;@openzeppelin/contracts-upgradeable - 4.8.3

Step up your Open Source Security Game with Mend here

CVE-2024-37890

Vulnerable Library - ws-3.3.3.tgz

Simple to use, blazing fast and thoroughly tested websocket client and server for Node.js

Library home page: https://registry.npmjs.org/ws/-/ws-3.3.3.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

• sdk-core-0.5.7.tgz (Root Library)
  • ethereum-contracts-1.4.2.tgz
    • contract-4.5.23.tgz
      • web3-1.7.4.tgz
        • web3-bzz-1.7.4.tgz
          • swarm-js-0.1.42.tgz
            • eth-lib-0.1.29.tgz
              • ❌ ws-3.3.3.tgz (Vulnerable Library)

Found in HEAD commit: 5a14195d842fa047b4e529a4ec122a84b85f321e

Found in base branch: main

Vulnerability Details

ws is an open source WebSocket client and server for Node.js. A request with a number of headers exceeding theserver.maxHeadersCount threshold could be used to crash a ws server. The vulnerability was fixed in ws@8.17.1 (e55e510) and backported to ws@7.5.10 (22c2876), ws@6.2.3 (eeb76d3), and ws@5.2.4 (4abd8f6). In vulnerable versions of ws, the issue can be mitigated in the following ways: 1. Reduce the maximum allowed length of the request headers using the --max-http-header-size=size and/or the maxHeaderSize options so that no more headers than the server.maxHeadersCount limit can be sent. 2. Set server.maxHeadersCount to 0 so that no limit is applied.

Publish Date: 2024-06-17

URL: CVE-2024-37890

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-3h5v-q93c-6h6q

Release Date: 2024-06-17

Fix Resolution: ws - 5.2.4,6.2.3,7.5.10,8.17.1

Step up your Open Source Security Game with Mend here

CVE-2024-21505

Vulnerable Libraries - web3-utils-1.7.4.tgz, web3-utils-1.8.0.tgz

web3-utils-1.7.4.tgz

Collection of utility functions used in web3.js.

Library home page: https://registry.npmjs.org/web3-utils/-/web3-utils-1.7.4.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

• sdk-core-0.5.7.tgz (Root Library)
  • ethereum-contracts-1.4.2.tgz
    • contract-4.5.23.tgz
      • ❌ web3-utils-1.7.4.tgz (Vulnerable Library)

web3-utils-1.8.0.tgz

Collection of utility functions used in web3.js.

Library home page: https://registry.npmjs.org/web3-utils/-/web3-utils-1.8.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

• sdk-core-0.5.7.tgz (Root Library)
  • ethereum-contracts-1.4.2.tgz
    • web3-helpers-0.5.3.tgz
      • ❌ web3-utils-1.8.0.tgz (Vulnerable Library)

Found in HEAD commit: 5a14195d842fa047b4e529a4ec122a84b85f321e

Found in base branch: main

Vulnerability Details

Versions of the package web3-utils before 4.2.1 are vulnerable to Prototype Pollution via the utility functions format and mergeDeep, due to insecure recursive merge.
An attacker can manipulate an object's prototype, potentially leading to the alteration of the behavior of all objects inheriting from the affected prototype by passing specially crafted input to these functions.

Publish Date: 2024-03-25

URL: CVE-2024-21505

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2024-21505

Release Date: 2024-03-25

Fix Resolution: web3-utils - 4.2.1

Step up your Open Source Security Game with Mend here

CVE-2023-46234

Vulnerable Library - browserify-sign-4.2.1.tgz

adds node crypto signing for browsers

Library home page: https://registry.npmjs.org/browserify-sign/-/browserify-sign-4.2.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

• sdk-core-0.5.7.tgz (Root Library)
  • browserify-17.0.0.tgz
    • crypto-browserify-3.12.0.tgz
      • ❌ browserify-sign-4.2.1.tgz (Vulnerable Library)

Found in HEAD commit: 5a14195d842fa047b4e529a4ec122a84b85f321e

Found in base branch: main

Vulnerability Details

browserify-sign is a package to duplicate the functionality of node's crypto public key functions, much of this is based on Fedor Indutny's work on indutny/tls.js. An upper bound check issue in dsaVerify function allows an attacker to construct signatures that can be successfully verified by any public key, thus leading to a signature forgery attack. All places in this project that involve DSA verification of user-input signatures will be affected by this vulnerability. This issue has been patched in version 4.2.2.

Publish Date: 2023-10-26

URL: CVE-2023-46234

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: High
  • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-x9w5-v3q2-3rhw

Release Date: 2023-10-26

Fix Resolution: browserify-sign - 4.2.2

Step up your Open Source Security Game with Mend here

CVE-2023-43646

Vulnerable Library - get-func-name-2.0.0.tgz

Utility for getting a function's name for node and the browser

Library home page: https://registry.npmjs.org/get-func-name/-/get-func-name-2.0.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

• sdk-core-0.5.7.tgz (Root Library)
  • ethereum-contracts-1.4.2.tgz
    • web3-helpers-0.5.3.tgz
      • test-helpers-0.5.16.tgz
        • chai-4.3.6.tgz
          • ❌ get-func-name-2.0.0.tgz (Vulnerable Library)

Found in HEAD commit: 5a14195d842fa047b4e529a4ec122a84b85f321e

Found in base branch: main

Vulnerability Details

get-func-name is a module to retrieve a function's name securely and consistently both in NodeJS and the browser. Versions prior to 2.0.1 are subject to a regular expression denial of service (redos) vulnerability which may lead to a denial of service when parsing malicious input. This vulnerability can be exploited when there is an imbalance in parentheses, which results in excessive backtracking and subsequently increases the CPU load and processing time significantly. This vulnerability can be triggered using the following input: '\t'.repeat(54773) + '\t/function/i'. This issue has been addressed in commit f934b228b which has been included in releases from 2.0.1. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Publish Date: 2023-09-27

URL: CVE-2023-43646

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-4q6p-r6v2-jvc5

Release Date: 2023-09-27

Fix Resolution: get-func-name - 2.0.1,3.0.0

Step up your Open Source Security Game with Mend here

CVE-2022-25901

Vulnerable Library - cookiejar-2.1.3.tgz

simple persistent cookiejar system

Library home page: https://registry.npmjs.org/cookiejar/-/cookiejar-2.1.3.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

• sdk-core-0.5.7.tgz (Root Library)
  • ethereum-contracts-1.4.2.tgz
    • contract-4.5.23.tgz
      • web3-1.7.4.tgz
        • web3-core-1.7.4.tgz
          • web3-core-requestmanager-1.7.4.tgz
            • web3-providers-http-1.7.4.tgz
              • xhr2-cookies-1.1.0.tgz
                • ❌ cookiejar-2.1.3.tgz (Vulnerable Library)

Found in HEAD commit: 5a14195d842fa047b4e529a4ec122a84b85f321e

Found in base branch: main

Vulnerability Details

Versions of the package cookiejar before 2.1.4 are vulnerable to Regular Expression Denial of Service (ReDoS) via the Cookie.parse function, which uses an insecure regular expression.

Publish Date: 2023-01-18

URL: CVE-2022-25901

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2023-01-18

Fix Resolution: cookiejar - 2.1.4

Step up your Open Source Security Game with Mend here

CVE-2022-25883

Vulnerable Libraries - semver-7.3.7.tgz, semver-5.7.1.tgz

semver-7.3.7.tgz

The semantic version parser used by npm.

Library home page: https://registry.npmjs.org/semver/-/semver-7.3.7.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

• sdk-core-0.5.7.tgz (Root Library)
  • ethereum-contracts-1.4.2.tgz
    • contract-4.5.23.tgz
      • debug-utils-6.0.39.tgz
        • codec-0.14.8.tgz
          • ❌ semver-7.3.7.tgz (Vulnerable Library)

semver-5.7.1.tgz

The semantic version parser used by npm.

Library home page: https://registry.npmjs.org/semver/-/semver-5.7.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

• sdk-core-0.5.7.tgz (Root Library)
  • ethereum-contracts-1.4.2.tgz
    • web3-helpers-0.5.3.tgz
      • test-helpers-0.5.16.tgz
        • ❌ semver-5.7.1.tgz (Vulnerable Library)

Found in HEAD commit: 5a14195d842fa047b4e529a4ec122a84b85f321e

Found in base branch: main

Vulnerability Details

Versions of the package semver before 7.5.2 are vulnerable to Regular Expression Denial of Service (ReDoS) via the function new Range, when untrusted user data is provided as a range.

Publish Date: 2023-06-21

URL: CVE-2022-25883

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-c2qf-rxjj-qqgw

Release Date: 2023-06-21

Fix Resolution: semver - 5.7.2,6.3.1,7.5.2;org.webjars.npm:semver:7.5.2

Step up your Open Source Security Game with Mend here

CVE-2022-25881

Vulnerable Library - http-cache-semantics-4.1.0.tgz

Parses Cache-Control and other headers. Helps building correct HTTP caches and proxies

Library home page: https://registry.npmjs.org/http-cache-semantics/-/http-cache-semantics-4.1.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

• sdk-core-0.5.7.tgz (Root Library)
  • ethereum-contracts-1.4.2.tgz
    • contract-4.5.23.tgz
      • web3-1.7.4.tgz
        • web3-bzz-1.7.4.tgz
          • got-9.6.0.tgz
            • cacheable-request-6.1.0.tgz
              • ❌ http-cache-semantics-4.1.0.tgz (Vulnerable Library)

Found in HEAD commit: 5a14195d842fa047b4e529a4ec122a84b85f321e

Found in base branch: main

Vulnerability Details

This affects versions of the package http-cache-semantics before 4.1.1. The issue can be exploited via malicious request header values sent to a server, when that server reads the cache policy from the request using this library.

Publish Date: 2023-01-31

URL: CVE-2022-25881

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-rc47-6667-2j5j

Release Date: 2023-01-31

Fix Resolution: http-cache-semantics - 4.1.1;org.webjars.npm:http-cache-semantics:4.1.1

Step up your Open Source Security Game with Mend here

CVE-2024-28863

Vulnerable Library - tar-4.4.19.tgz

tar for node

Library home page: https://registry.npmjs.org/tar/-/tar-4.4.19.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

• sdk-core-0.5.7.tgz (Root Library)
  • ethereum-contracts-1.4.2.tgz
    • contract-4.5.23.tgz
      • web3-1.7.4.tgz
        • web3-bzz-1.7.4.tgz
          • swarm-js-0.1.42.tgz
            • ❌ tar-4.4.19.tgz (Vulnerable Library)

Found in HEAD commit: 5a14195d842fa047b4e529a4ec122a84b85f321e

Found in base branch: main

Vulnerability Details

node-tar is a Tar for Node.js. node-tar prior to version 6.2.1 has no limit on the number of sub-folders created in the folder creation process. An attacker who generates a large number of sub-folders can consume memory on the system running node-tar and even crash the Node.js client within few seconds of running it using a path with too many sub-folders inside. Version 6.2.1 fixes this issue by preventing extraction in excessively deep sub-folders.

Publish Date: 2024-03-21

URL: CVE-2024-28863

CVSS 3 Score Details (6.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-f5x3-32g6-xq36

Release Date: 2024-03-21

Fix Resolution: tar - 6.2.1

Step up your Open Source Security Game with Mend here

CVE-2024-27094

Vulnerable Library - contracts-4.7.3.tgz

Secure Smart Contract library for Solidity

Library home page: https://registry.npmjs.org/@openzeppelin/contracts/-/contracts-4.7.3.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

• sdk-core-0.5.7.tgz (Root Library)
  • ethereum-contracts-1.4.2.tgz
    • ❌ contracts-4.7.3.tgz (Vulnerable Library)

Found in HEAD commit: 5a14195d842fa047b4e529a4ec122a84b85f321e

Found in base branch: main

Vulnerability Details

OpenZeppelin Contracts is a library for secure smart contract development. The Base64.encode function encodes a bytes input by iterating over it in chunks of 3 bytes. When this input is not a multiple of 3, the last iteration may read parts of the memory that are beyond the input buffer. The vulnerability is fixed in 5.0.2 and 4.9.6.

Publish Date: 2024-02-29

URL: CVE-2024-27094

CVSS 3 Score Details (6.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: Low
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2024-02-29

Fix Resolution: @openzeppelin/contracts - 4.9.6,5.0.2, @openzeppelin/contracts-upgradeable - 4.9.6,5.0.2

Step up your Open Source Security Game with Mend here

CVE-2024-29041

Vulnerable Library - express-4.18.2.tgz

Fast, unopinionated, minimalist web framework

Library home page: https://registry.npmjs.org/express/-/express-4.18.2.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

• sdk-core-0.5.7.tgz (Root Library)
  • ethereum-contracts-1.4.2.tgz
    • contract-4.5.23.tgz
      • web3-1.7.4.tgz
        • web3-bzz-1.7.4.tgz
          • swarm-js-0.1.42.tgz
            • eth-lib-0.1.29.tgz
              • servify-0.1.12.tgz
                • ❌ express-4.18.2.tgz (Vulnerable Library)

Found in HEAD commit: 5a14195d842fa047b4e529a4ec122a84b85f321e

Found in base branch: main

Vulnerability Details

Express.js minimalist web framework for node. Versions of Express.js prior to 4.19.0 and all pre-release alpha and beta versions of 5.0 are affected by an open redirect vulnerability using malformed URLs. When a user of Express performs a redirect using a user-provided URL Express performs an encode using encodeurl on the contents before passing it to the location header. This can cause malformed URLs to be evaluated in unexpected ways by common redirect allow list implementations in Express applications, leading to an Open Redirect via bypass of a properly implemented allow list. The main method impacted is res.location() but this is also called from within res.redirect(). The vulnerability is fixed in 4.19.2 and 5.0.0-beta.3.

Publish Date: 2024-03-25

URL: CVE-2024-29041

CVSS 3 Score Details (6.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-rv95-896h-c2vc

Release Date: 2024-03-25

Fix Resolution: express - 4.19.0

Step up your Open Source Security Game with Mend here

CVE-2023-28155

Vulnerable Library - request-2.88.2.tgz

Simplified HTTP request client.

Library home page: https://registry.npmjs.org/request/-/request-2.88.2.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

• sdk-core-0.5.7.tgz (Root Library)
  • ethereum-contracts-1.4.2.tgz
    • contract-4.5.23.tgz
      • web3-1.7.4.tgz
        • web3-bzz-1.7.4.tgz
          • swarm-js-0.1.42.tgz
            • eth-lib-0.1.29.tgz
              • servify-0.1.12.tgz
                • ❌ request-2.88.2.tgz (Vulnerable Library)

Found in HEAD commit: 5a14195d842fa047b4e529a4ec122a84b85f321e

Found in base branch: main

Vulnerability Details

The request package through 2.88.2 for Node.js and the @cypress/request package prior to 3.0.0 allow a bypass of SSRF mitigations via an attacker-controller server that does a cross-protocol redirect (HTTP to HTTPS, or HTTPS to HTTP).NOTE: The request package is no longer supported by the maintainer.

Publish Date: 2023-03-16

URL: CVE-2023-28155

CVSS 3 Score Details (6.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-p8p7-x288-28g6

Release Date: 2023-03-16

Fix Resolution: @cypress/request - 3.0.0

Step up your Open Source Security Game with Mend here

CVE-2023-34459

Vulnerable Library - contracts-4.7.3.tgz

Secure Smart Contract library for Solidity

Library home page: https://registry.npmjs.org/@openzeppelin/contracts/-/contracts-4.7.3.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

• sdk-core-0.5.7.tgz (Root Library)
  • ethereum-contracts-1.4.2.tgz
    • ❌ contracts-4.7.3.tgz (Vulnerable Library)

Found in HEAD commit: 5a14195d842fa047b4e529a4ec122a84b85f321e

Found in base branch: main

Vulnerability Details

OpenZeppelin Contracts is a library for smart contract development. Starting in version 4.7.0 and prior to version 4.9.2, when the verifyMultiProof, verifyMultiProofCalldata, procesprocessMultiProof, or processMultiProofCalldat functions are in use, it is possible to construct merkle trees that allow forging a valid multiproof for an arbitrary set of leaves.

A contract may be vulnerable if it uses multiproofs for verification and the merkle tree that is processed includes a node with value 0 at depth 1 (just under the root). This could happen inadvertedly for balanced trees with 3 leaves or less, if the leaves are not hashed. This could happen deliberately if a malicious tree builder includes such a node in the tree.

A contract is not vulnerable if it uses single-leaf proving (verify, verifyCalldata, processProof, or processProofCalldata), or if it uses multiproofs with a known tree that has hashed leaves. Standard merkle trees produced or validated with the @openzeppelin/merkle-tree library are safe.

The problem has been patched in version 4.9.2.

Some workarounds are available. For those using multiproofs: When constructing merkle trees hash the leaves and do not insert empty nodes in your trees. Using the @openzeppelin/merkle-tree package eliminates this issue. Do not accept user-provided merkle roots without reconstructing at least the first level of the tree. Verify the merkle tree structure by reconstructing it from the leaves.

Publish Date: 2023-06-16

URL: CVE-2023-34459

CVSS 3 Score Details (5.9)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: High
  • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2023-34459

Release Date: 2023-06-16

Fix Resolution: @openzeppelin/contracts - 4.9.2, @openzeppelin/contracts-upgradeable - 4.9.2

Step up your Open Source Security Game with Mend here

CVE-2023-40014

Vulnerable Library - contracts-4.7.3.tgz

Secure Smart Contract library for Solidity

Library home page: https://registry.npmjs.org/@openzeppelin/contracts/-/contracts-4.7.3.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

• sdk-core-0.5.7.tgz (Root Library)
  • ethereum-contracts-1.4.2.tgz
    • ❌ contracts-4.7.3.tgz (Vulnerable Library)

Found in HEAD commit: 5a14195d842fa047b4e529a4ec122a84b85f321e

Found in base branch: main

Vulnerability Details

OpenZeppelin Contracts is a library for secure smart contract development. Starting in version 4.0.0 and prior to version 4.9.3, contracts using ERC2771Context along with a custom trusted forwarder may see _msgSender return address(0) in calls that originate from the forwarder with calldata shorter than 20 bytes. This combination of circumstances does not appear to be common, in particular it is not the case for MinimalForwarder from OpenZeppelin Contracts, or any deployed forwarder the team is aware of, given that the signer address is appended to all calls that originate from these forwarders. The problem has been patched in v4.9.3.

Publish Date: 2023-08-10

URL: CVE-2023-40014

CVSS 3 Score Details (5.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: Low
  • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-g4vp-m682-qqmp

Release Date: 2023-08-10

Fix Resolution: @openzeppelin/contracts - 4.9.3;@openzeppelin/contracts-upgradeable - 4.9.3

Step up your Open Source Security Game with Mend here

CVE-2023-34234

Vulnerable Library - contracts-4.7.3.tgz

Secure Smart Contract library for Solidity

Library home page: https://registry.npmjs.org/@openzeppelin/contracts/-/contracts-4.7.3.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

• sdk-core-0.5.7.tgz (Root Library)
  • ethereum-contracts-1.4.2.tgz
    • ❌ contracts-4.7.3.tgz (Vulnerable Library)

Found in HEAD commit: 5a14195d842fa047b4e529a4ec122a84b85f321e

Found in base branch: main

Vulnerability Details

OpenZeppelin Contracts is a library for smart contract development. By frontrunning the creation of a proposal, an attacker can become the proposer and gain the ability to cancel it. The attacker can do this repeatedly to try to prevent a proposal from being proposed at all. This impacts the Governor contract in v4.9.0 only, and the GovernorCompatibilityBravo contract since v4.3.0. This problem has been patched in 4.9.1 by introducing opt-in frontrunning protection. Users are advised to upgrade. Users unable to upgrade may submit the proposal creation transaction to an endpoint with frontrunning protection as a workaround.

Publish Date: 2023-06-07

URL: CVE-2023-34234

CVSS 3 Score Details (5.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-5h3x-9wvq-w4m2

Release Date: 2023-06-07

Fix Resolution: @openzeppelin/contracts-upgradeable - 4.9.1;@openzeppelin/contracts - 4.9.1

Step up your Open Source Security Game with Mend here

CVE-2023-30541

Vulnerable Library - contracts-4.7.3.tgz

Secure Smart Contract library for Solidity

Library home page: https://registry.npmjs.org/@openzeppelin/contracts/-/contracts-4.7.3.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

• sdk-core-0.5.7.tgz (Root Library)
  • ethereum-contracts-1.4.2.tgz
    • ❌ contracts-4.7.3.tgz (Vulnerable Library)

Found in HEAD commit: 5a14195d842fa047b4e529a4ec122a84b85f321e

Found in base branch: main

Vulnerability Details

OpenZeppelin Contracts is a library for secure smart contract development. A function in the implementation contract may be inaccessible if its selector clashes with one of the proxy's own selectors. Specifically, if the clashing function has a different signature with incompatible ABI encoding, the proxy could revert while attempting to decode the arguments from calldata. The probability of an accidental clash is negligible, but one could be caused deliberately and could cause a reduction in availability. The issue has been fixed in version 4.8.3. As a workaround if a function appears to be inaccessible for this reason, it may be possible to craft the calldata such that ABI decoding does not fail at the proxy and the function is properly proxied through.

Publish Date: 2023-04-17

URL: CVE-2023-30541

CVSS 3 Score Details (5.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-mx2q-35m2-x2rh

Release Date: 2023-04-17

Fix Resolution: @openzeppelin/contracts - 4.8.3, @openzeppelin/contracts-upgradeable - 4.8.3

Step up your Open Source Security Game with Mend here

CVE-2022-33987

Vulnerable Library - got-9.6.0.tgz

Simplified HTTP requests

Library home page: https://registry.npmjs.org/got/-/got-9.6.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

• sdk-core-0.5.7.tgz (Root Library)
  • ethereum-contracts-1.4.2.tgz
    • contract-4.5.23.tgz
      • web3-1.7.4.tgz
        • web3-bzz-1.7.4.tgz
          • ❌ got-9.6.0.tgz (Vulnerable Library)

Found in HEAD commit: 5a14195d842fa047b4e529a4ec122a84b85f321e

Found in base branch: main

Vulnerability Details

The got package before 12.1.0 (also fixed in 11.8.5) for Node.js allows a redirect to a UNIX socket.

Publish Date: 2022-06-18

URL: CVE-2022-33987

CVSS 3 Score Details (5.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: Low
  • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-33987

Release Date: 2022-06-18

Fix Resolution: got - 11.8.5,12.1.0

Step up your Open Source Security Game with Mend here

CVE-2020-7608

Vulnerable Library - yargs-parser-2.4.1.tgz

the mighty option parser used by yargs

Library home page: https://registry.npmjs.org/yargs-parser/-/yargs-parser-2.4.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

• sdk-core-0.5.7.tgz (Root Library)
  • ethereum-contracts-1.4.2.tgz
    • contract-4.5.23.tgz
      • ensjs-2.1.0.tgz
        • ens-0.4.5.tgz
          • solc-0.4.26.tgz
            • yargs-4.8.1.tgz
              • ❌ yargs-parser-2.4.1.tgz (Vulnerable Library)

Found in HEAD commit: 5a14195d842fa047b4e529a4ec122a84b85f321e

Found in base branch: main

Vulnerability Details

yargs-parser could be tricked into adding or modifying properties of Object.prototype using a "proto" payload.

Publish Date: 2020-03-16

URL: CVE-2020-7608

CVSS 3 Score Details (5.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Local
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2020-03-16

Fix Resolution: 5.0.1;13.1.2;15.0.1;18.1.1

Step up your Open Source Security Game with Mend here