Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

download-7.1.0.tgz: 3 vulnerabilities (highest severity is: 9.8) #416

Closed
mend-bolt-for-github bot opened this issue Dec 12, 2023 · 2 comments
Closed
Labels
Mend: dependency security vulnerability Security vulnerability detected by WhiteSource Stale

Comments

@mend-bolt-for-github
Copy link

Vulnerable Library - download-7.1.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/decompress/package.json

Vulnerabilities

CVE Severity CVSS Dependency Type Fixed in (download version) Remediation Possible**
CVE-2020-12265 Critical 9.8 detected in multiple dependencies Transitive N/A*
WS-2020-0044 High 7.5 decompress-4.2.0.tgz Transitive 8.0.0
CVE-2022-33987 Medium 5.3 got-8.3.2.tgz Transitive N/A*

*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2020-12265

Vulnerable Libraries - decompress-tar-4.1.1.tgz, decompress-4.2.0.tgz

decompress-tar-4.1.1.tgz

decompress tar plugin

Library home page: https://registry.npmjs.org/decompress-tar/-/decompress-tar-4.1.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/decompress-tar/package.json

Dependency Hierarchy:

  • download-7.1.0.tgz (Root Library)
    • decompress-4.2.0.tgz
      • decompress-tar-4.1.1.tgz (Vulnerable Library)

decompress-4.2.0.tgz

Extracting archives made easy

Library home page: https://registry.npmjs.org/decompress/-/decompress-4.2.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/decompress/package.json

Dependency Hierarchy:

  • download-7.1.0.tgz (Root Library)
    • decompress-4.2.0.tgz (Vulnerable Library)

Found in base branch: master

Vulnerability Details

The decompress package before 4.2.1 for Node.js is vulnerable to Arbitrary File Write via ../ in an archive member, when a symlink is used, because of Directory Traversal.
Mend Note: Decompress versions prior to 4.2.1 are vulnerable to CVE-2020-12265 which could lead to Path Traversal. decompress-tar is a tar plugin for decompress and is also vulnerable to CVE-2020-12265 and there is no fixed version for decompress-tar.

Publish Date: 2020-04-26

URL: CVE-2020-12265

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12265

Release Date: 2020-04-26

Fix Resolution: decompress - 4.2.1

Step up your Open Source Security Game with Mend here

WS-2020-0044

Vulnerable Library - decompress-4.2.0.tgz

Extracting archives made easy

Library home page: https://registry.npmjs.org/decompress/-/decompress-4.2.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/decompress/package.json

Dependency Hierarchy:

  • download-7.1.0.tgz (Root Library)
    • decompress-4.2.0.tgz (Vulnerable Library)

Found in base branch: master

Vulnerability Details

decompress in all its versions is vulnerable to arbitrary file write. the package fails to prevent an extraction of files with relative paths which allows attackers to write to any folder in the system.

Publish Date: 2020-03-08

URL: WS-2020-0044

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: High
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2020-03-08

Fix Resolution (decompress): 4.2.1

Direct dependency fix Resolution (download): 8.0.0

Step up your Open Source Security Game with Mend here

CVE-2022-33987

Vulnerable Library - got-8.3.2.tgz

Simplified HTTP requests

Library home page: https://registry.npmjs.org/got/-/got-8.3.2.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/got/package.json

Dependency Hierarchy:

  • download-7.1.0.tgz (Root Library)
    • got-8.3.2.tgz (Vulnerable Library)

Found in base branch: master

Vulnerability Details

The got package before 12.1.0 (also fixed in 11.8.5) for Node.js allows a redirect to a UNIX socket.

Publish Date: 2022-06-18

URL: CVE-2022-33987

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-33987

Release Date: 2022-06-18

Fix Resolution: got - 11.8.5,12.1.0

Step up your Open Source Security Game with Mend here

@mend-bolt-for-github mend-bolt-for-github bot added the Mend: dependency security vulnerability Security vulnerability detected by WhiteSource label Dec 12, 2023
Copy link

This issue has been automatically marked as stale because it has not had recent activity. 📆 It will be closed automatically in one week if no further activity occurs.

@github-actions github-actions bot added the Stale label Dec 26, 2023
Copy link

github-actions bot commented Jan 2, 2024

This issue was closed because it has been stalled for 7 days with no activity.

@github-actions github-actions bot closed this as not planned Won't fix, can't repro, duplicate, stale Jan 2, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Mend: dependency security vulnerability Security vulnerability detected by WhiteSource Stale
Projects
None yet
Development

No branches or pull requests

0 participants