|
1 | 1 | {
|
2 | 2 | "actions": [
|
3 | 3 | {
|
4 |
| - "action": "review", |
5 |
| - "module": "cryo", |
| 4 | + "isMajor": false, |
| 5 | + "action": "install", |
6 | 6 | "resolves": [
|
7 | 7 | {
|
8 |
| - "id": 1066151, |
9 |
| - "path": "cryo", |
| 8 | + "id": 1094102, |
| 9 | + "path": "qs", |
10 | 10 | "dev": false,
|
11 |
| - "bundled": false, |
12 |
| - "optional": false |
| 11 | + "optional": false, |
| 12 | + "bundled": false |
13 | 13 | }
|
14 |
| - ] |
| 14 | + ], |
| 15 | + "module": "qs", |
| 16 | + "target": "6.11.2" |
15 | 17 | }
|
16 | 18 | ],
|
17 | 19 | "advisories": {
|
18 |
| - "1066151": { |
| 20 | + "1094102": { |
19 | 21 | "findings": [
|
20 | 22 | {
|
21 |
| - "version": "0.0.6", |
| 23 | + "version": "6.10.2", |
22 | 24 | "paths": [
|
23 |
| - "cryo" |
| 25 | + "qs" |
24 | 26 | ]
|
25 | 27 | }
|
26 | 28 | ],
|
27 | 29 | "metadata": null,
|
28 |
| - "vulnerable_versions": "<=0.0.6", |
29 |
| - "module_name": "cryo", |
| 30 | + "vulnerable_versions": ">=6.10.0 <6.10.3", |
| 31 | + "module_name": "qs", |
30 | 32 | "severity": "high",
|
31 |
| - "github_advisory_id": "GHSA-38f5-ghc2-fcmv", |
| 33 | + "github_advisory_id": "GHSA-hrpp-h998-j3pp", |
32 | 34 | "cves": [
|
33 |
| - "CVE-2018-3784" |
| 35 | + "CVE-2022-24999" |
34 | 36 | ],
|
35 | 37 | "access": "public",
|
36 |
| - "patched_versions": "<0.0.0", |
| 38 | + "patched_versions": ">=6.10.3", |
37 | 39 | "cvss": {
|
38 |
| - "score": 0, |
39 |
| - "vectorString": null |
| 40 | + "score": 7.5, |
| 41 | + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" |
40 | 42 | },
|
41 |
| - "updated": "2020-08-31T18:32:59.000Z", |
42 |
| - "recommendation": "None", |
| 43 | + "updated": "2023-09-21T22:11:38.000Z", |
| 44 | + "recommendation": "Upgrade to version 6.10.3 or later", |
43 | 45 | "cwe": [
|
44 |
| - "CWE-94" |
| 46 | + "CWE-1321" |
45 | 47 | ],
|
46 | 48 | "found_by": null,
|
47 | 49 | "deleted": null,
|
48 |
| - "id": 1066151, |
49 |
| - "references": "- https://nvd.nist.gov/vuln/detail/CVE-2018-3784\n- https://hackerone.com/reports/350418\n- https://github.com/advisories/GHSA-38f5-ghc2-fcmv\n- https://www.npmjs.com/advisories/690", |
50 |
| - "created": "2022-03-11T08:00:43.889Z", |
| 50 | + "id": 1094102, |
| 51 | + "references": "- https://nvd.nist.gov/vuln/detail/CVE-2022-24999\n- https://github.com/ljharb/qs/pull/428\n- https://github.com/n8tz/CVE-2022-24999\n- https://github.com/ljharb/qs/commit/4310742efbd8c03f6495f07906b45213da0a32ec\n- https://github.com/ljharb/qs/commit/727ef5d34605108acb3513f72d5435972ed15b68\n- https://github.com/ljharb/qs/commit/73205259936317b40f447c5cdb71c5b341848e1b\n- https://github.com/ljharb/qs/commit/8b4cc14cda94a5c89341b77e5fe435ec6c41be2d\n- https://github.com/ljharb/qs/commit/ba24e74dd17931f825adb52f5633e48293b584e1\n- https://github.com/ljharb/qs/commit/e799ba57e573a30c14b67c1889c7c04d508b9105\n- https://github.com/ljharb/qs/commit/ed0f5dcbef4b168a8ae299d78b1e4a2e9b1baf1f\n- https://github.com/ljharb/qs/commit/f945393cfe442fe8c6e62b4156fd35452c0686ee\n- https://github.com/ljharb/qs/commit/fc3682776670524a42e19709ec4a8138d0d7afda\n- https://github.com/expressjs/express/releases/tag/4.17.3\n- https://lists.debian.org/debian-lts-announce/2023/01/msg00039.html\n- https://github.com/advisories/GHSA-hrpp-h998-j3pp", |
| 52 | + "created": "2022-11-27T00:30:50.000Z", |
51 | 53 | "reported_by": null,
|
52 |
| - "title": "Code Injection in cryo", |
| 54 | + "title": "qs vulnerable to Prototype Pollution", |
53 | 55 | "npm_advisory_id": null,
|
54 |
| - "overview": "All versions of `cryo` are vulnerable to code injection due to an Insecure implementation of deserialization.\n\n\n## Proof of concept\n\n```\nvar Cryo = require('cryo');\nvar frozen = '{\"root\":\"_CRYO_REF_3\",\"references\":[{\"contents\":{},\"value\":\"_CRYO_FUNCTION_function () {console.log(\\\\\"defconrussia\\\\\"); return 1111;}\"},{\"contents\":{},\"value\":\"_CRYO_FUNCTION_function () {console.log(\\\\\"defconrussia\\\\\");return 2222;}\"},{\"contents\":{\"toString\":\"_CRYO_REF_0\",\"valueOf\":\"_CRYO_REF_1\"},\"value\":\"_CRYO_OBJECT_\"},{\"contents\":{\"__proto__\":\"_CRYO_REF_2\"},\"value\":\"_CRYO_OBJECT_\"}]}'\nvar hydrated = Cryo.parse(frozen);\nconsole.log(hydrated);\n```\n\n\n## Recommendation\n\nNo fix is currently available. Consider using an alternative module until a fix is made available.", |
55 |
| - "url": "https://github.com/advisories/GHSA-38f5-ghc2-fcmv" |
| 56 | + "overview": "qs before 6.10.3 allows attackers to cause a Node process hang because an `__ proto__` key can be used. In many typical web framework use cases, an unauthenticated remote attacker can place the attack payload in the query string of the URL that is used to visit the application, such as `a[__proto__]=b&a[__proto__]&a[length]=100000000`. The fix was backported to qs 6.9.7, 6.8.3, 6.7.3, 6.6.1, 6.5.3, 6.4.1, 6.3.3, and 6.2.4.", |
| 57 | + "url": "https://github.com/advisories/GHSA-hrpp-h998-j3pp" |
56 | 58 | }
|
57 | 59 | },
|
58 | 60 | "muted": [],
|
|
64 | 66 | "high": 1,
|
65 | 67 | "critical": 0
|
66 | 68 | },
|
67 |
| - "dependencies": 1, |
| 69 | + "dependencies": 9, |
68 | 70 | "devDependencies": 0,
|
69 | 71 | "optionalDependencies": 0,
|
70 |
| - "totalDependencies": 1 |
| 72 | + "totalDependencies": 9 |
71 | 73 | },
|
72 |
| - "runId": "0711adfe-fc4e-4a94-80fc-e518c13a63d2" |
| 74 | + "runId": "fe0d72f1-1fb6-4fb2-aa42-246a60c3950a" |
73 | 75 | }
|